go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-24 08:52:25 +02:00
Code Issues Releases Activity

Add binary native AES CFB encryption helpers.

Browse Source 
These will take in []byte and not automatically
Base64 encode/decode.
This commit is contained in:
Nick Meves 2020-05-04 11:21:25 -07:00
parent 1683aa5978
commit f9025a8f8f
No known key found for this signature in database
GPG Key ID: 93BA8A3CEDCDD1CF
1 changed files with 36 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
pkg/encryption/cipher.go
View File

@ -125,15 +125,12 @@ func NewCipher(secret []byte) (*Cipher, error) {
// Encrypt a value for use in a cookie // Encrypt a value for use in a cookie
func (c *Cipher) Encrypt(value string) (string, error) { func (c *Cipher) Encrypt(value string) (string, error) {
ciphertext := make([]byte, aes.BlockSize+len(value)) encrypted, err := c.EncryptCFB([]byte(value))
iv := ciphertext[:aes.BlockSize] if err != nil {
if _, err := io.ReadFull(rand.Reader, iv); err != nil { return "", err
return "", fmt.Errorf("failed to create initialization vector %s", err)
} }
stream := cipher.NewCFBEncrypter(c.Block, iv) return base64.StdEncoding.EncodeToString(encrypted), nil
stream.XORKeyStream(ciphertext[aes.BlockSize:], []byte(value))
return base64.StdEncoding.EncodeToString(ciphertext), nil
} }
// Decrypt a value from a cookie to it's original string // Decrypt a value from a cookie to it's original string
@ -143,18 +140,41 @@ func (c *Cipher) Decrypt(s string) (string, error) {
return "", fmt.Errorf("failed to decrypt cookie value %s", err) return "", fmt.Errorf("failed to decrypt cookie value %s", err)
} }
if len(encrypted) < aes.BlockSize { decrypted, err := c.DecryptCFB(encrypted)
return "", fmt.Errorf("encrypted cookie value should be "+ if err != nil {
"at least %d bytes, but is only %d bytes", return "", err
aes.BlockSize, len(encrypted))
} }
iv := encrypted[:aes.BlockSize] return string(decrypted), nil
encrypted = encrypted[aes.BlockSize:] }
stream := cipher.NewCFBDecrypter(c.Block, iv)
stream.XORKeyStream(encrypted, encrypted)
return string(encrypted), nil // Encrypt with AES CFB on raw bytes
func (c *Cipher) EncryptCFB(value []byte) ([]byte, error) {
ciphertext := make([]byte, aes.BlockSize+len(value))
iv := ciphertext[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, fmt.Errorf("failed to create initialization vector %s", err)
}
stream := cipher.NewCFBEncrypter(c.Block, iv)
stream.XORKeyStream(ciphertext[aes.BlockSize:], value)
return ciphertext, nil
}
// Decrypt a AES CFB ciphertext
func (c *Cipher) DecryptCFB(ciphertext []byte) ([]byte, error) {
if len(ciphertext) < aes.BlockSize {
return nil, fmt.Errorf("encrypted value should be "+
"at least %d bytes, but is only %d bytes",
aes.BlockSize, len(ciphertext))
}
iv := ciphertext[:aes.BlockSize]
ciphertext = ciphertext[aes.BlockSize:]
stream := cipher.NewCFBDecrypter(c.Block, iv)
stream.XORKeyStream(ciphertext, ciphertext)
return ciphertext, nil
} }
// EncryptInto encrypts the value and stores it back in the string pointer // EncryptInto encrypts the value and stores it back in the string pointer