func CreateExchangedCipher(peerPub, priv []byte) (Cipher, Cipher, error) { x, y := elliptic.Unmarshal(curve, peerPub) sx, _ := curve.ScalarMult(x, y, priv) secret := cryptohash(sx.Bytes()) aesKey1 := secret[0:aes.BlockSize] aesKey2 := secret[aes.BlockSize : 2*aes.BlockSize] vector1 := secret[2*aes.BlockSize : 3*aes.BlockSize] vector2 := secret[3*aes.BlockSize : 4*aes.BlockSize] block1, err := aes.NewCipher(aesKey1) if err != nil { return nil, nil, err } block2, err := aes.NewCipher(aesKey2) if err != nil { return nil, nil, err } stream1 := cipher.NewOFB(block1, vector1) stream2 := cipher.NewOFB(block2, vector2) return stream1, stream2, nil }
func main() { encoded := util.ReadFile("25.txt") bytes, err := base64.StdEncoding.DecodeString(string(encoded)) if err != nil { log.Fatal(err) } oldAes, err := aes.NewCipher([]byte("YELLOW SUBMARINE")) if err != nil { log.Fatal(err) } util.ECBDecrypt(oldAes, bytes, bytes) // we have plaintext in bytes // encrypt it in CTR mode block, err := aes.NewCipher(key) if err != nil { log.Fatal(err) } util.CTREncrypt(block, nonce, bytes, bytes) // save the copy ct := make([]byte, len(bytes)) copy(ct, bytes) // let's prepare sequence of 0 bytes and replace the text with it zeroes := make([]byte, len(bytes)) edit(bytes, 0, zeroes) // result in bytes contains the key // let's recover the original plain text: for i := 0; i < len(ct); i++ { bytes[i] = ct[i] ^ bytes[i] } fmt.Println(string(bytes)) }
func newEncryptedStream(conn io.ReadWriter, key []byte) (s *encryptedStream, err error) { rcipher, err := aes.NewCipher(key) if err != nil { return nil, err } wcipher, err := aes.NewCipher(key) if err != nil { return nil, err } rstream := cipher.NewCFBDecrypter(rcipher, key) wstream := cipher.NewCFBEncrypter(wcipher, key) return &encryptedStream{ StreamReader: cipher.StreamReader{ S: rstream, R: conn, }, StreamWriter: cipher.StreamWriter{ S: wstream, W: conn, }, }, nil }
func (conn *obfs3Conn) kdf(sharedSecret []byte) error { // Using that shared-secret each party derives its encryption keys as // follows: // // INIT_SECRET = HMAC(SHARED_SECRET, "Initiator obfuscated data") // RESP_SECRET = HMAC(SHARED_SECRET, "Responder obfuscated data") // INIT_KEY = INIT_SECRET[:KEYLEN] // INIT_COUNTER = INIT_SECRET[KEYLEN:] // RESP_KEY = RESP_SECRET[:KEYLEN] // RESP_COUNTER = RESP_SECRET[KEYLEN:] initHmac := hmac.New(sha256.New, sharedSecret) initHmac.Write([]byte(initiatorKdfString)) initSecret := initHmac.Sum(nil) initHmac.Reset() initHmac.Write([]byte(initiatorMagicString)) initMagic := initHmac.Sum(nil) respHmac := hmac.New(sha256.New, sharedSecret) respHmac.Write([]byte(responderKdfString)) respSecret := respHmac.Sum(nil) respHmac.Reset() respHmac.Write([]byte(responderMagicString)) respMagic := respHmac.Sum(nil) // The INIT_KEY value keys a block cipher (in CTR mode) used to // encrypt values from initiator to responder thereafter. The counter // mode's initial counter value is INIT_COUNTER. The RESP_KEY value // keys a block cipher (in CTR mode) used to encrypt values from // responder to initiator thereafter. That counter mode's initial // counter value is RESP_COUNTER. // // Note: To have this be the last place where the shared secret is used, // also generate the magic value to send/scan for here. initBlock, err := aes.NewCipher(initSecret[:keyLen]) if err != nil { return err } initStream := cipher.NewCTR(initBlock, initSecret[keyLen:]) respBlock, err := aes.NewCipher(respSecret[:keyLen]) if err != nil { return err } respStream := cipher.NewCTR(respBlock, respSecret[keyLen:]) if conn.isInitiator { conn.tx = &cipher.StreamWriter{S: initStream, W: conn.Conn} conn.rx = &cipher.StreamReader{S: respStream, R: conn.rxBuf} conn.txMagic = initMagic conn.rxMagic = respMagic } else { conn.tx = &cipher.StreamWriter{S: respStream, W: conn.Conn} conn.rx = &cipher.StreamReader{S: initStream, R: conn.rxBuf} conn.txMagic = respMagic conn.rxMagic = initMagic } return nil }
func create_ciphers() *[]block.Cipher { ciphers := make([]block.Cipher, 6) ciphers[0], _ = des.NewDESCipher(key) ciphers[1], _ = des.NewDES2Cipher(key2) ciphers[2], _ = des.NewDES3Cipher(key3) ciphers[3], _ = aes.NewCipher(aes128key) ciphers[4], _ = aes.NewCipher(aes192key) ciphers[5], _ = aes.NewCipher(aes256key) return &ciphers }
func TestAesKeyWrap(t *testing.T) { // Test vectors from: http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf kek0, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F") cek0, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF") expected0, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5") kek1, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F1011121314151617") cek1, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF") expected1, _ := hex.DecodeString("96778B25AE6CA435F92B5B97C050AED2468AB8A17AD84E5D") kek2, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F") cek2, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF0001020304050607") expected2, _ := hex.DecodeString("A8F9BC1612C68B3FF6E6F4FBE30E71E4769C8B80A32CB8958CD5D17D6B254DA1") block0, _ := aes.NewCipher(kek0) block1, _ := aes.NewCipher(kek1) block2, _ := aes.NewCipher(kek2) out0, _ := KeyWrap(block0, cek0) out1, _ := KeyWrap(block1, cek1) out2, _ := KeyWrap(block2, cek2) if bytes.Compare(out0, expected0) != 0 { t.Error("output 0 not as expected, got", out0, "wanted", expected0) } if bytes.Compare(out1, expected1) != 0 { t.Error("output 1 not as expected, got", out1, "wanted", expected1) } if bytes.Compare(out2, expected2) != 0 { t.Error("output 2 not as expected, got", out2, "wanted", expected2) } unwrap0, _ := KeyUnwrap(block0, out0) unwrap1, _ := KeyUnwrap(block1, out1) unwrap2, _ := KeyUnwrap(block2, out2) if bytes.Compare(unwrap0, cek0) != 0 { t.Error("key unwrap did not return original input, got", unwrap0, "wanted", cek0) } if bytes.Compare(unwrap1, cek1) != 0 { t.Error("key unwrap did not return original input, got", unwrap1, "wanted", cek1) } if bytes.Compare(unwrap2, cek2) != 0 { t.Error("key unwrap did not return original input, got", unwrap2, "wanted", cek2) } }
func newBlockCipher(name string, key []byte) (cipher.Block, error) { switch name { case "aes128": return aes.NewCipher(key) case "aes256": return aes.NewCipher(key) case "3des": return des.NewTripleDESCipher(key) default: return nil, fmt.Errorf("unknown cipher '%s'", name) } }
func TestEncoder(t *testing.T) { b, err := aes.NewCipher([]byte("1234567890123456")) if err != nil { t.Error(err) } e1 := Encoder{ Hash: hmac.NewSHA256([]byte("secret-key1")), Block: b, } b, err = aes.NewCipher([]byte("0123456789012345")) if err != nil { t.Error(err) } e2 := Encoder{ Hash: hmac.NewSHA256([]byte("secret-key2")), Block: b, } value := make(SessionData) value["foo"] = "bar" value["baz"] = 128 var count int for i := 0; i < 50; i++ { // Running this multiple times to check if any special character // breaks encoding/decoding. value := make(SessionData) value["foo"] = "bar" value["baz"] = 128 encoded, err2 := e1.Encode("sid", value) if err2 != nil { t.Error(err2) } decoded, err3 := e1.Decode("sid", encoded) if err3 != nil { t.Errorf("%v: %v", err3, encoded) count++ } if fmt.Sprintf("%v", decoded) != fmt.Sprintf("%v", value) { t.Errorf("Expected %v, got %v.", value, decoded) } _, err4 := e2.Decode("sid", encoded) if err4 == nil { t.Errorf("Expected failure decoding.") } } if count > 0 { t.Errorf("%d errors out of 100.", count) } }
func NewTunnelCrypto(layerKey, ivKey TunnelKey) (t *Tunnel, err error) { t = new(Tunnel) t.layerKey, err = aes.NewCipher(layerKey[:]) if err == nil { t.ivKey, err = aes.NewCipher(ivKey[:]) } if err != nil { // error happened we don't need t t = nil } return }
func (e *aesEngine) SetKey(encrypt, decrypt []byte) (err error) { var ecb, dcb cipher.Block if len(encrypt) != AESBlockSize { return errors.New("encrypt.bad key size") } else if ecb, err = aes.NewCipher(encrypt); err != nil { return errors.New("encrypt.create error") } if len(decrypt) != AESBlockSize { return errors.New("decrypt.bad key size") } else if dcb, err = aes.NewCipher(decrypt); err != nil { return errors.New("decrypt.create error") } e.ecb, e.dcb = ecb, dcb return }
func generateStream(seed, label []byte) io.Reader { // Generate sub-key subKey := make([]byte, 16) c, _ := aes.NewCipher(seed) c.Encrypt(subKey, label) // Create pseudo-random byte stream keyed by sub-key. block, _ := aes.NewCipher(subKey) stream := cipher.StreamReader{ cipher.NewCTR(block, label), devNull{}, } return stream }
func encrypt(key []byte, text string) (string, error) { if text == "" || text == "{}" { return "", nil } plaintext := []byte(text) skey := sha512.Sum512(key) ekey, akey := skey[:32], skey[32:] block, err := aes.NewCipher(ekey) if err != nil { return "", err } macfn := hmac.New(sha256.New, akey) ciphertext := make([]byte, aes.BlockSize+macfn.Size()+len(plaintext)) iv := ciphertext[:aes.BlockSize] if _, err := io.ReadFull(crand.Reader, iv); err != nil { return "", err } stream := cipher.NewCFBEncrypter(block, iv) stream.XORKeyStream(ciphertext[aes.BlockSize+macfn.Size():], plaintext) macfn.Write(ciphertext[aes.BlockSize+macfn.Size():]) mac := macfn.Sum(nil) copy(ciphertext[aes.BlockSize:aes.BlockSize+macfn.Size()], mac) return base64.URLEncoding.EncodeToString(ciphertext), nil }
func decryptAES(src, key, privParam []byte, engineBoots, engineTime int32) ( dst []byte, err error) { if len(privParam) != 8 { err = ArgumentError{ Value: len(privParam), Message: "Invalid AES PrivParameter length", } return } block, err := aes.NewCipher(key[:16]) if err != nil { return } var buf bytes.Buffer binary.Write(&buf, binary.BigEndian, engineBoots) binary.Write(&buf, binary.BigEndian, engineTime) iv := append(buf.Bytes(), privParam...) dst = make([]byte, len(src)) mode := cipher.NewCFBDecrypter(block, iv) mode.XORKeyStream(dst, src) return }
func cipherAES(key, iv []byte, isRead bool) interface{} { block, _ := aes.NewCipher(key) if isRead { return cipher.NewCBCDecrypter(block, iv) } return cipher.NewCBCEncrypter(block, iv) }
func streamCipherReaderForKeyData(keyType byte, keyData []byte, r io.ReadCloser) (io.ReadCloser, error) { switch keyType { case keyTypeAES: if len(keyData) != keyTypeAESKeySize { return nil, ErrInvalidKey } // Ignore error below, aes will fail only if the size of key is // invalid. We fully control it and pass valid value. block, _ := aes.NewCipher(keyData) var iv [aes.BlockSize]byte stream := cipher.NewCTR(block, iv[:]) return &streamReader{cipher.StreamReader{S: stream, R: r}}, nil case keyTypeChaCha20: if len(keyData) != chacha20.KeySize { return nil, ErrInvalidKey } var nonce [chacha20.NonceSize]byte // Ignore error below, chacha20 will fail only if the size of key or // nonce are invalid. We fully control those and pass valid values. stream, _ := chacha20.NewCipher(keyData, nonce[:]) return &streamReader{cipher.StreamReader{S: stream, R: r}}, nil default: return nil, ErrInvalidKey } }
func (c *Conversation) generateDHCommit() []byte { _, err := io.ReadFull(c.rand(), c.r[:]) if err != nil { panic("otr: short read from random source") } var xBytes [dhPrivateBytes]byte c.x = c.randMPI(xBytes[:]) c.gx = new(big.Int).Exp(g, c.x, p) c.gy = nil c.gxBytes = appendMPI(nil, c.gx) h := sha256.New() h.Write(c.gxBytes) h.Sum(c.digest[:0]) aesCipher, err := aes.NewCipher(c.r[:]) if err != nil { panic(err.Error()) } var iv [aes.BlockSize]byte ctr := cipher.NewCTR(aesCipher, iv[:]) ctr.XORKeyStream(c.gxBytes, c.gxBytes) return c.serializeDHCommit() }
func TestOFB(t *testing.T) { for _, tt := range ofbTests { test := tt.name c, err := aes.NewCipher(tt.key) if err != nil { t.Errorf("%s: NewCipher(%d bytes) = %s", test, len(tt.key), err) continue } for j := 0; j <= 5; j += 5 { plaintext := tt.in[0 : len(tt.in)-j] ofb := cipher.NewOFB(c, tt.iv) ciphertext := make([]byte, len(plaintext)) ofb.XORKeyStream(ciphertext, plaintext) if !bytes.Equal(ciphertext, tt.out[:len(plaintext)]) { t.Errorf("%s/%d: encrypting\ninput % x\nhave % x\nwant % x", test, len(plaintext), plaintext, ciphertext, tt.out) } } for j := 0; j <= 5; j += 5 { ciphertext := tt.out[0 : len(tt.in)-j] ofb := cipher.NewOFB(c, tt.iv) plaintext := make([]byte, len(ciphertext)) ofb.XORKeyStream(plaintext, ciphertext) if !bytes.Equal(plaintext, tt.in[:len(ciphertext)]) { t.Errorf("%s/%d: decrypting\nhave % x\nwant % x", test, len(ciphertext), plaintext, tt.in) } } if t.Failed() { break } } }
func main() { plainText := []byte("Bob loves Alice. But Alice hate Bob...") key := []byte("passw0rdpassw0rdpassw0rdpassw0rd") // Create new AES cipher block block, err := aes.NewCipher(key) if err != nil { fmt.Printf("err: %s\n", err) } // The IV (Initialization Vector) need to be unique, but not secure. // Therefore, it's common to include it at the beginning of the cipher text. cipherText := make([]byte, aes.BlockSize+len(plainText)) // Create IV iv := cipherText[:aes.BlockSize] if _, err := io.ReadFull(rand.Reader, iv); err != nil { fmt.Printf("err: %s\n", err) } // Encrypt encryptStream := cipher.NewCTR(block, iv) encryptStream.XORKeyStream(cipherText[aes.BlockSize:], plainText) fmt.Printf("Cipher text: %x \n", cipherText) // Decrpt decryptedText := make([]byte, len(cipherText[aes.BlockSize:])) decryptStream := cipher.NewCTR(block, cipherText[:aes.BlockSize]) decryptStream.XORKeyStream(decryptedText, cipherText[aes.BlockSize:]) fmt.Printf("Decrypted text: %s\n", string(decryptedText)) }
func TestCBC(t *testing.T) { msg := []byte("12345678901234567890") key := RandAes128() iv := RandBytes(16) block, _ := aes.NewCipher(key) padded := PadTo(msg, 16) ct := make([]byte, len(padded)) CBCEncrypt(block, iv, ct, padded) block, _ = aes.NewCipher(key) padded2 := make([]byte, len(ct)) CBCDecrypt(block, iv, padded2, ct) if bytes.Compare(padded, padded2) != 0 { t.Errorf("expected %x, got %x", padded, padded2) } }
func (v *Vault) DecryptEnvironments(password string) (map[string]Environment, error) { if v.MACDigest != "sha-256" && v.Cipher != "aes" && v.CipherMode != "ctr" { return nil, ErrInvalidEncryptionConfig } // derive the key key, err := v.KeyDetails.key(password) if err != nil { return nil, err } // validate the mac if !hmac.Equal(v.mac(key), v.MAC) { return nil, ErrInvalidPassword } // decrypt the environments plaintext := make([]byte, len(v.Environments)) block, err := aes.NewCipher(key) decrypter := cipher.NewCTR(block, v.IV) decrypter.XORKeyStream(plaintext, v.Environments) // unmarshal the environments environments := map[string]Environment{} err = json.Unmarshal(plaintext, &environments) if err != nil { return nil, err } return environments, nil }
func newAESCTR(key, iv []byte) (cipher.Stream, error) { c, err := aes.NewCipher(key) if err != nil { return nil, err } return cipher.NewCTR(c, iv), nil }
func DecryptIO(reader io.Reader, writer io.Writer, passphrase string) (mac []byte, e error) { key := PassphraseToKey(passphrase) hashMac := hmac.New(sha256.New, key) block, err := aes.NewCipher(key) if err != nil { return nil, err } iv := make([]byte, aes.BlockSize) if _, err = io.ReadFull(reader, iv); err != nil { return nil, err } stream := cipher.NewOFB(block, iv) cipherReader := &cipher.StreamReader{S: stream, R: reader} pp := make([]byte, len([]byte(passphrase))) if _, err = io.ReadFull(cipherReader, pp); err != nil { return nil, err } if passphrase != string(pp) { return nil, errors.New("Incorrect passphrase") } mw := io.MultiWriter(writer, hashMac) if _, err = io.Copy(mw, cipherReader); err != nil { return nil, err } return hashMac.Sum(nil), nil }
func EncryptIO(reader io.Reader, writer io.Writer, passphrase string) (mac []byte, e error) { key := PassphraseToKey(passphrase) hashMac := hmac.New(sha256.New, key) block, err := aes.NewCipher(key) if err != nil { return nil, err } iv := make([]byte, aes.BlockSize) if _, err = io.ReadFull(rand.Reader, iv); err != nil { return nil, err } stream := cipher.NewOFB(block, iv) _, err = writer.Write(iv) if err != nil { return nil, err } cipherWriter := &cipher.StreamWriter{S: stream, W: writer} _, err = cipherWriter.Write([]byte(passphrase)) if err != nil { return nil, err } mw := io.MultiWriter(cipherWriter, hashMac) if _, err = io.Copy(mw, reader); err != nil { return nil, err } return hashMac.Sum(nil), nil }
func (alg *AesGcm) Encrypt(aad, plainText, cek []byte) (iv, cipherText, authTag []byte, err error) { cekSizeBits := len(cek) << 3 if cekSizeBits != alg.keySizeBits { return nil, nil, nil, errors.New(fmt.Sprintf("AesGcm.Encrypt(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, cekSizeBits)) } if iv, err = arrays.Random(12); err != nil { return nil, nil, nil, err } var block cipher.Block if block, err = aes.NewCipher(cek); err != nil { return nil, nil, nil, err } var aesgcm cipher.AEAD if aesgcm, err = cipher.NewGCM(block); err != nil { return nil, nil, nil, err } cipherWithTag := aesgcm.Seal(nil, iv, plainText, aad) cipherText = cipherWithTag[:len(cipherWithTag)-aesgcm.Overhead()] authTag = cipherWithTag[len(cipherWithTag)-aesgcm.Overhead():] return iv, cipherText, authTag, nil }
func (alg *AesGcm) Decrypt(aad, cek, iv, cipherText, authTag []byte) (plainText []byte, err error) { cekSizeBits := len(cek) << 3 if cekSizeBits != alg.keySizeBits { return nil, errors.New(fmt.Sprintf("AesGcm.Decrypt(): expected key of size %v bits, but was given %v bits.", alg.keySizeBits, cekSizeBits)) } var block cipher.Block if block, err = aes.NewCipher(cek); err != nil { return nil, err } var aesgcm cipher.AEAD if aesgcm, err = cipher.NewGCM(block); err != nil { return nil, err } cipherWithTag := append(cipherText, authTag...) if plainText, err = aesgcm.Open(nil, iv, cipherWithTag, aad); err != nil { return nil, err } return plainText, nil }
func TestAesKeyWrapInvalid(t *testing.T) { kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F") // Invalid unwrap input (bit flipped) input0, _ := hex.DecodeString("1EA68C1A8112B447AEF34BD8FB5A7B828D3E862371D2CFE5") block, _ := aes.NewCipher(kek) _, err := KeyUnwrap(block, input0) if err == nil { t.Error("key unwrap failed to detect invalid input") } // Invalid unwrap input (truncated) input1, _ := hex.DecodeString("1EA68C1A8112B447AEF34BD8FB5A7B828D3E862371D2CF") _, err = KeyUnwrap(block, input1) if err == nil { t.Error("key unwrap failed to detect truncated input") } // Invalid wrap input (not multiple of 8) input2, _ := hex.DecodeString("0123456789ABCD") _, err = KeyWrap(block, input2) if err == nil { t.Error("key wrap accepted invalid input") } }
// Method Close encrypts and writes the encrypted data to the key file func (k *KeyStore) Close(secret []byte) { // Encode a gob of the keystore var buff bytes.Buffer enc := gob.NewEncoder(&buff) enc.Encode(k) buffString := buff.String() // Encrypt the data block, err := aes.NewCipher(secret) if err != nil { panic(err) } ciphertext := make([]byte, aes.BlockSize+len(buffString)) iv := ciphertext[:aes.BlockSize] if _, err := io.ReadFull(rand.Reader, iv); err != nil { panic(err) } stream := cipher.NewCFBEncrypter(block, iv) stream.XORKeyStream(ciphertext[aes.BlockSize:], []byte(buffString)) // Write the encrypted data to the file kFile, err := os.OpenFile(kf, os.O_WRONLY, 0644) if err != nil { panic(err) } bytesWritten, err := kFile.Write(ciphertext) if err != nil || bytesWritten == 0 { panic(err) } }
// Decrypt decrypts a value using the given key with AES. // // The value to be decrypted must be prepended by a initialization vector // (http://goo.gl/zF67k) with the length of the block size. func Decrypt(blockKey []byte, value []byte) ([]byte, error) { block, err := aes.NewCipher(blockKey) if err != nil { return nil, err } size := block.BlockSize() if len(value) > size { // Extract iv. iv := value[:size] // Extract ciphertext. value = value[size:] // Decrypt it. stream := cipher.NewCTR(block, iv) stream.XORKeyStream(value, value) // Return on success return value, nil } return nil, errors.New("the value could not be decrypted") }
func TestCookieEncodeDecode(t *testing.T) { hashKey := "testhashKey" blockkey := generateRandomKey(16) block, err := aes.NewCipher(blockkey) if err != nil { t.Fatal("NewCipher:", err) } securityName := string(generateRandomKey(20)) val := make(map[interface{}]interface{}) val["name"] = "mikeqian" val["gender"] = "male" str, err := encodeCookie(block, hashKey, securityName, val) if err != nil { t.Fatal("encodeCookie:", err) } dst := make(map[interface{}]interface{}) dst, err = decodeCookie(block, hashKey, securityName, str, 3600) if err != nil { t.Fatal("decodeCookie", err) } if dst["name"] != "mikeqian" { t.Fatal("dst get map error") } if dst["gender"] != "male" { t.Fatal("dst get map error") } }
func (c *Conn) decryptTicket(encrypted []byte) (*sessionState, bool) { if len(encrypted) < aes.BlockSize+sha256.Size { return nil, false } iv := encrypted[:aes.BlockSize] macBytes := encrypted[len(encrypted)-sha256.Size:] mac := hmac.New(sha256.New, c.config.SessionTicketKey[16:32]) mac.Write(encrypted[:len(encrypted)-sha256.Size]) expected := mac.Sum(nil) if subtle.ConstantTimeCompare(macBytes, expected) != 1 { return nil, false } block, err := aes.NewCipher(c.config.SessionTicketKey[:16]) if err != nil { return nil, false } ciphertext := encrypted[aes.BlockSize : len(encrypted)-sha256.Size] plaintext := make([]byte, len(ciphertext)) cipher.NewCTR(block, iv).XORKeyStream(plaintext, ciphertext) state := new(sessionState) ok := state.unmarshal(plaintext) return state, ok }