authelia/internal/utils/aes.go

package utils

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Encrypt encrypts data using 256-bit AES-GCM.  This both hides the content of
// the data and provides a check that it hasn't been altered. Output takes the
// form nonce|ciphertext|tag where '|' indicates concatenation.
func Encrypt(plaintext []byte, key *[32]byte) (ciphertext []byte, err error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}

	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}

	nonce := make([]byte, gcm.NonceSize())
	_, err = io.ReadFull(rand.Reader, nonce)
	if err != nil {
		return nil, err
	}

	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt decrypts data using 256-bit AES-GCM.  This both hides the content of
// the data and provides a check that it hasn't been altered. Expects input
// form nonce|ciphertext|tag where '|' indicates concatenation.
func Decrypt(ciphertext []byte, key *[32]byte) (plaintext []byte, err error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}

	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}

	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("malformed ciphertext")
	}

	return gcm.Open(nil,
		ciphertext[:gcm.NonceSize()],
		ciphertext[gcm.NonceSize():],
		nil,
	)
}
[MISC] Encrypt session data in redis store. (#789) This is a regression from v3. With this change session data is encrypted with AES-GCM using a 256-bit key derived from the provided secret. Fixes #652. 2020-03-28 06:10:39 +00:00			`package utils`

			`import (`
			`"crypto/aes"`
			`"crypto/cipher"`
			`"crypto/rand"`
			`"errors"`
			`"io"`
			`)`

			`// Encrypt encrypts data using 256-bit AES-GCM. This both hides the content of`
			`// the data and provides a check that it hasn't been altered. Output takes the`
			`// form nonce\|ciphertext\|tag where '\|' indicates concatenation.`
			`func Encrypt(plaintext []byte, key *[32]byte) (ciphertext []byte, err error) {`
			`block, err := aes.NewCipher(key[:])`
			`if err != nil {`
			`return nil, err`
			`}`

			`gcm, err := cipher.NewGCM(block)`
			`if err != nil {`
			`return nil, err`
			`}`

			`nonce := make([]byte, gcm.NonceSize())`
			`_, err = io.ReadFull(rand.Reader, nonce)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return gcm.Seal(nonce, nonce, plaintext, nil), nil`
			`}`

			`// Decrypt decrypts data using 256-bit AES-GCM. This both hides the content of`
			`// the data and provides a check that it hasn't been altered. Expects input`
			`// form nonce\|ciphertext\|tag where '\|' indicates concatenation.`
			`func Decrypt(ciphertext []byte, key *[32]byte) (plaintext []byte, err error) {`
			`block, err := aes.NewCipher(key[:])`
			`if err != nil {`
			`return nil, err`
			`}`

			`gcm, err := cipher.NewGCM(block)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if len(ciphertext) < gcm.NonceSize() {`
			`return nil, errors.New("malformed ciphertext")`
			`}`

			`return gcm.Open(nil,`
			`ciphertext[:gcm.NonceSize()],`
			`ciphertext[gcm.NonceSize():],`
			`nil,`
			`)`
			`}`