rename the CookieSource to CookieProtector

conn.go

@@ -79,15 +79,15 @@ type Config struct {
 	// Require the client to echo a cookie.
 	RequireCookie bool
 	// A CookieHandler can be used to set and validate a cookie.
-	// The cookie returned by the CookieHandler will be part of the cookie sent on the wire, and encoded using the CookieSource.
+	// The cookie returned by the CookieHandler will be part of the cookie sent on the wire, and encoded using the CookieProtector.
 	// If no CookieHandler is set, mint will always send a cookie.
 	// The CookieHandler can be used to decide on a per-connection basis, if a cookie should be sent.
 	CookieHandler CookieHandler
-	// The CookieSource is used to encrypt / decrypt cookies.
+	// The CookieProtector is used to encrypt / decrypt cookies.
 	// It should make sure that the Cookie cannot be read and tampered with by the client.
 	// If non-blocking mode is used, and cookies are required, this field has to be set.
-	// In blocking mode, a default cookie source is used, if this is unused.
-	CookieSource      CookieSource
+	// In blocking mode, a default cookie protector is used, if this is unused.
+	CookieProtector   CookieProtector
 	RequireClientAuth bool
 
 	// Shared fields
@@ -122,7 +122,7 @@ func (c *Config) Clone() *Config {
 		AllowEarlyData:     c.AllowEarlyData,
 		RequireCookie:      c.RequireCookie,
 		CookieHandler:      c.CookieHandler,
-		CookieSource:       c.CookieSource,
+		CookieProtector:    c.CookieProtector,
 		RequireClientAuth:  c.RequireClientAuth,
 
 		Certificates:     c.Certificates,
@@ -624,7 +624,7 @@ func (c *Conn) HandshakeSetup() Alert {
 		PSKModes:          c.config.PSKModes,
 		AllowEarlyData:    c.config.AllowEarlyData,
 		RequireCookie:     c.config.RequireCookie,
-		CookieSource:      c.config.CookieSource,
+		CookieProtector:   c.config.CookieProtector,
 		CookieHandler:     c.config.CookieHandler,
 		RequireClientAuth: c.config.RequireClientAuth,
 		NextProtos:        c.config.NextProtos,
@@ -652,14 +652,14 @@ func (c *Conn) HandshakeSetup() Alert {
 			}
 		}
 	} else {
-		if c.config.RequireCookie && c.config.CookieSource == nil {
-			logf(logTypeHandshake, "RequireCookie set, but no CookieSource provided. Using default cookie source. Stateless Retry not possible.")
+		if c.config.RequireCookie && c.config.CookieProtector == nil {
+			logf(logTypeHandshake, "RequireCookie set, but no CookieProtector provided. Using default cookie protector. Stateless Retry not possible.")
 			if c.config.NonBlocking {
 				logf(logTypeHandshake, "Not possible in non-blocking mode.")
 				return AlertInternalError
 			}
 			var err error
-			caps.CookieSource, err = NewDefaultCookieSource()
+			caps.CookieProtector, err = NewDefaultCookieProtector()
 			if err != nil {
 				logf(logTypeHandshake, "Error initializing cookie source: %v", alert)
 				return AlertInternalError

cookie-source.go → cookie-protector.go

@@ -11,8 +11,8 @@ import (
 	"golang.org/x/crypto/hkdf"
 )
 
-// CookieSource is used to create and verify a cookie
-type CookieSource interface {
+// CookieProtector is used to create and verify a cookie
+type CookieProtector interface {
 	// NewToken creates a new token
 	NewToken([]byte) ([]byte, error)
 	// DecodeToken decodes a token
@@ -22,24 +22,24 @@ type CookieSource interface {
 const cookieSecretSize = 32
 const cookieNonceSize = 32
 
-// The DefaultCookieSource is a simple implementation for the CookieSource.
-type DefaultCookieSource struct {
+// The DefaultCookieProtector is a simple implementation for the CookieProtector.
+type DefaultCookieProtector struct {
 	secret []byte
 }
 
-var _ CookieSource = &DefaultCookieSource{}
+var _ CookieProtector = &DefaultCookieProtector{}
 
-// NewDefaultCookieSource creates a source for source address tokens
-func NewDefaultCookieSource() (CookieSource, error) {
+// NewDefaultCookieProtector creates a source for source address tokens
+func NewDefaultCookieProtector() (CookieProtector, error) {
 	secret := make([]byte, cookieSecretSize)
 	if _, err := rand.Read(secret); err != nil {
 		return nil, err
 	}
-	return &DefaultCookieSource{secret: secret}, nil
+	return &DefaultCookieProtector{secret: secret}, nil
 }
 
 // NewToken encodes data into a new token.
-func (s *DefaultCookieSource) NewToken(data []byte) ([]byte, error) {
+func (s *DefaultCookieProtector) NewToken(data []byte) ([]byte, error) {
 	nonce := make([]byte, cookieNonceSize)
 	if _, err := rand.Read(nonce); err != nil {
 		return nil, err
@@ -52,7 +52,7 @@ func (s *DefaultCookieSource) NewToken(data []byte) ([]byte, error) {
 }
 
 // DecodeToken decodes a token.
-func (s *DefaultCookieSource) DecodeToken(p []byte) ([]byte, error) {
+func (s *DefaultCookieProtector) DecodeToken(p []byte) ([]byte, error) {
 	if len(p) < cookieNonceSize {
 		return nil, fmt.Errorf("Token too short: %d", len(p))
 	}
@@ -64,7 +64,7 @@ func (s *DefaultCookieSource) DecodeToken(p []byte) ([]byte, error) {
 	return aead.Open(nil, aeadNonce, p[cookieNonceSize:], nil)
 }
 
-func (s *DefaultCookieSource) createAEAD(nonce []byte) (cipher.AEAD, []byte, error) {
+func (s *DefaultCookieProtector) createAEAD(nonce []byte) (cipher.AEAD, []byte, error) {
 	h := hkdf.New(sha256.New, s.secret, nonce, []byte("mint cookie source"))
 	key := make([]byte, 32) // use a 32 byte key, in order to select AES-256
 	if _, err := io.ReadFull(h, key); err != nil {

cookie-source_test.go → cookie-protector_test.go

@@ -5,8 +5,8 @@ import (
 	"testing"
 )
 
-func TestCookieSource(t *testing.T) {
-	cs, err := NewDefaultCookieSource()
+func TestCookieProtector(t *testing.T) {
+	cs, err := NewDefaultCookieProtector()
 	assertNotError(t, err, "creating the cookie source failed")
 
 	t.Run("handling valid tokens", func(t *testing.T) {

server-state-machine.go

@@ -144,7 +144,7 @@ func (state ServerStateStart) Next(hm *HandshakeMessage) (HandshakeState, []Hand
 	var firstClientHello *HandshakeMessage
 	var initialCipherSuite CipherSuiteParams // the cipher suite that was negotiated when sending the HelloRetryRequest
 	if clientSentCookie {
-		plainCookie, err := state.Caps.CookieSource.DecodeToken(clientCookie.Cookie)
+		plainCookie, err := state.Caps.CookieProtector.DecodeToken(clientCookie.Cookie)
 		if err != nil {
 			logf(logTypeHandshake, fmt.Sprintf("[ServerStateStart] Error decoding token [%v]", err))
 			return nil, nil, AlertDecryptError
@@ -257,7 +257,7 @@ func (state ServerStateStart) Next(hm *HandshakeMessage) (HandshakeState, []Hand
 					logf(logTypeHandshake, "[ServerStateStart] Error marshalling cookie [%v]", err)
 					return nil, nil, AlertInternalError
 				}
-				cookieData, err := state.Caps.CookieSource.NewToken(plainCookie)
+				cookieData, err := state.Caps.CookieProtector.NewToken(plainCookie)
 				if err != nil {
 					logf(logTypeHandshake, "[ServerStateStart] Error encoding cookie [%v]", err)
 					return nil, nil, AlertInternalError

state-machine.go

@@ -60,7 +60,7 @@ type Capabilities struct {
 	NextProtos        []string
 	AllowEarlyData    bool
 	RequireCookie     bool
-	CookieSource      CookieSource
+	CookieProtector   CookieProtector
 	CookieHandler     CookieHandler
 	RequireClientAuth bool
 }

state-machine_test.go

@@ -21,7 +21,7 @@ func messagesFromActions(instructions []HandshakeAction) []*HandshakeMessage {
 
 // TODO: Unit tests for individual states
 func TestStateMachineIntegration(t *testing.T) {
-	cookieSource, err := NewDefaultCookieSource()
+	cookieProtector, err := NewDefaultCookieProtector()
 	assertNotError(t, err, "error creating cookie source")
 
 	var (
@@ -51,7 +51,7 @@ func TestStateMachineIntegration(t *testing.T) {
 					CipherSuites:     []CipherSuite{TLS_AES_128_GCM_SHA256},
 					PSKs:             &PSKMapCache{},
 					Certificates:     certificates,
-					CookieSource:     cookieSource,
+					CookieProtector:  cookieProtector,
 				},
 				clientStateSequence: []HandshakeState{
 					ClientStateStart{},
@@ -89,7 +89,7 @@ func TestStateMachineIntegration(t *testing.T) {
 					PSKs:             &PSKMapCache{},
 					Certificates:     certificates,
 					RequireCookie:    true,
-					CookieSource:     cookieSource,
+					CookieProtector:  cookieProtector,
 				},
 				clientStateSequence: []HandshakeState{
 					ClientStateStart{},