public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add binary native AES CFB encryption helpers. 

These will take in []byte and not automatically
Base64 encode/decode.
This commit is contained in:
Nick Meves 2020-05-04 11:21:25 -07:00
parent 1683aa5978
commit f9025a8f8f
No known key found for this signature in database
GPG Key ID: 93BA8A3CEDCDD1CF
1 changed files with 36 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
pkg/encryption/cipher.go
View File

@ -125,15 +125,12 @@ func NewCipher(secret []byte) (*Cipher, error) {
// Encrypt a value for use in a cookie
func (c *Cipher) Encrypt(value string) (string, error) {
ciphertext := make([]byte, aes.BlockSize+len(value))
iv := ciphertext[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return "", fmt.Errorf("failed to create initialization vector %s", err)
encrypted, err := c.EncryptCFB([]byte(value))
if err != nil {
return "", err
}
stream := cipher.NewCFBEncrypter(c.Block, iv)
stream.XORKeyStream(ciphertext[aes.BlockSize:], []byte(value))
return base64.StdEncoding.EncodeToString(ciphertext), nil
return base64.StdEncoding.EncodeToString(encrypted), nil
}
// Decrypt a value from a cookie to it's original string
@ -143,18 +140,41 @@ func (c *Cipher) Decrypt(s string) (string, error) {
return "", fmt.Errorf("failed to decrypt cookie value %s", err)
}
if len(encrypted) < aes.BlockSize {
return "", fmt.Errorf("encrypted cookie value should be "+
"at least %d bytes, but is only %d bytes",
aes.BlockSize, len(encrypted))
decrypted, err := c.DecryptCFB(encrypted)
if err != nil {
return "", err
}
iv := encrypted[:aes.BlockSize]
encrypted = encrypted[aes.BlockSize:]
stream := cipher.NewCFBDecrypter(c.Block, iv)
stream.XORKeyStream(encrypted, encrypted)
return string(decrypted), nil
}
return string(encrypted), nil
// Encrypt with AES CFB on raw bytes
func (c *Cipher) EncryptCFB(value []byte) ([]byte, error) {
ciphertext := make([]byte, aes.BlockSize+len(value))
iv := ciphertext[:aes.BlockSize]
if _, err := io.ReadFull(rand.Reader, iv); err != nil {
return nil, fmt.Errorf("failed to create initialization vector %s", err)
}
stream := cipher.NewCFBEncrypter(c.Block, iv)
stream.XORKeyStream(ciphertext[aes.BlockSize:], value)
return ciphertext, nil
}
// Decrypt a AES CFB ciphertext
func (c *Cipher) DecryptCFB(ciphertext []byte) ([]byte, error) {
if len(ciphertext) < aes.BlockSize {
return nil, fmt.Errorf("encrypted value should be "+
"at least %d bytes, but is only %d bytes",
aes.BlockSize, len(ciphertext))
}
iv := ciphertext[:aes.BlockSize]
ciphertext = ciphertext[aes.BlockSize:]
stream := cipher.NewCFBDecrypter(c.Block, iv)
stream.XORKeyStream(ciphertext, ciphertext)
return ciphertext, nil
}
// EncryptInto encrypts the value and stores it back in the string pointer