openssl-pkey-ec-ies 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 7e357d7daaae0ec18393048a55006ec136786c9d
+  data.tar.gz: 452ec98344bb5d933bb09fd7256a87cf1290ad73
+SHA512:
+  metadata.gz: c15155f099791b242ee0d95fe7ea8e5227e88f532d6e150c40a33d299ffb302d4525796f80135d53b4fd3853dd5e5a15f1a5abd93f20c40abb58b96cce64349a
+  data.tar.gz: 3fd6b9c90b847f875736f5502411109dbaab91445d6b3babb6ed3502ef398a3b9d9b8a636867578211549799b2548409e624810d645a610ec78c82dc426871d2

data/.gitignore

@@ -0,0 +1,24 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+/ext/ies/Makefile
+/ext/ies/extconf.h

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in openssl-pkey-ec-ies.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 webpay
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,42 @@
+# OpenSSL::PKey::EC::IES
+
+IES implementation following ECIES-KEM specification in [ISO 18033-2](http://www.shoup.net/iso/).
+
+This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'openssl-pkey-ec-ies'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install openssl-pkey-ec-ies
+
+## Usage
+
+Prepare secret key using OpenSSL.
+
+```
+openssl ecparam -genkey -out ec_key.pem -name prime192v1
+```
+
+```ruby
+ec = OpenSSL::PKey::EC::IES.new(test_key, "placeholder")
+source = 'my secret'
+cryptogram = ec.public_encrypt(source)  # => cryptogram in string
+result = ec.private_decrypt(cryptogram) # => 'my secret'
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/webpay/openssl-pkey-ec-ies/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,15 @@
+require 'bundler/gem_tasks'
+require 'rake/extensiontask'
+require 'rake/testtask'
+
+Rake::ExtensionTask.new 'ies' do |ext|
+  ext.lib_dir = 'lib/openssl/pkey/ec'
+end
+
+Rake::TestTask.new do |t|
+  t.libs << 'test'
+  t.test_files = FileList['test/test*.rb']
+  t.verbose = true
+end
+
+Rake::Task[:test].prerequisites << :compile

data/ext/ies/cryptogram.c

@@ -0,0 +1,65 @@
+/**
+ * @file /cryptron/secure.c
+ *
+ * @brief Functions for handling the secure data type.
+ *
+ * $Author: Ladar Levison $
+ * $Website: http://lavabit.com $
+ *
+ */
+
+#include "ies.h"
+#define HEADSIZE (sizeof(cryptogram_head_t))
+
+size_t cryptogram_key_length(const cryptogram_t *cryptogram) {
+	cryptogram_head_t *head = (cryptogram_head_t *)cryptogram;
+	return head->length.key;
+}
+
+size_t cryptogram_mac_length(const cryptogram_t *cryptogram) {
+	cryptogram_head_t *head = (cryptogram_head_t *)cryptogram;
+	return head->length.mac;
+}
+
+size_t cryptogram_body_length(const cryptogram_t *cryptogram) {
+	cryptogram_head_t *head = (cryptogram_head_t *)cryptogram;
+	return head->length.body;
+}
+
+size_t cryptogram_data_sum_length(const cryptogram_t *cryptogram) {
+	cryptogram_head_t *head = (cryptogram_head_t *)cryptogram;
+	return (head->length.key + head->length.mac + head->length.body);
+}
+
+size_t cryptogram_total_length(const cryptogram_t *cryptogram) {
+	cryptogram_head_t *head = (cryptogram_head_t *)cryptogram;
+	return HEADSIZE + (head->length.key + head->length.mac + head->length.body);
+}
+
+unsigned char * cryptogram_key_data(const cryptogram_t *cryptogram) {
+	return (unsigned char *)cryptogram + HEADSIZE;
+}
+
+unsigned char * cryptogram_mac_data(const cryptogram_t *cryptogram) {
+	cryptogram_head_t *head = (cryptogram_head_t *)cryptogram;
+	return (unsigned char *)cryptogram + (HEADSIZE + head->length.key + head->length.body);
+}
+
+unsigned char * cryptogram_body_data(const cryptogram_t *cryptogram) {
+	cryptogram_head_t *head = (cryptogram_head_t *)cryptogram;
+	return (unsigned char *)cryptogram + (HEADSIZE + head->length.key);
+}
+
+cryptogram_t * cryptogram_alloc(size_t key, size_t mac, size_t body) {
+	cryptogram_t *cryptogram = malloc(HEADSIZE + key + mac + body);
+	cryptogram_head_t *head = (cryptogram_head_t *)cryptogram;
+	head->length.key = key;
+	head->length.mac = mac;
+	head->length.body = body;
+	return cryptogram;
+}
+
+void cryptogram_free(cryptogram_t *cryptogram) {
+	free(cryptogram);
+	return;
+}

data/ext/ies/ecies.c

@@ -0,0 +1,555 @@
+/**
+ * @file /cryptron/ecies.c
+ *
+ * @brief ECIES encryption/decryption functions.
+ *
+ * $Author: Ladar Levison $
+ * $Website: http://lavabit.com $
+ *
+ */
+
+#include "ies.h"
+#include <openssl/ecdh.h>
+
+#define SET_ERROR(string) \
+    sprintf(error, "%s %s:%d", (string), __FILE__, __LINE__)
+#define SET_OSSL_ERROR(string) \
+    sprintf(error, "%s {error = %s} %s:%d", (string), ERR_error_string(ERR_get_error(), NULL), __FILE__, __LINE__)
+
+/* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
+ * Taken from openssl/crypto/ecdh/ech_kdf.c in github:openssl/openssl
+ * ffa08b3242e0f10f1fef3c93ef3f0b51de8c27a9 */
+
+/* Key derivation function from X9.62/SECG */
+/* Way more than we will ever need */
+#define ECDH_KDF_MAX (1 << 30)
+int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
+		   const unsigned char *Z, size_t Zlen,
+		   const unsigned char *sinfo, size_t sinfolen,
+		   const EVP_MD *md)
+{
+    EVP_MD_CTX mctx;
+    int rv = 0;
+    unsigned int i;
+    size_t mdlen;
+    unsigned char ctr[4];
+    if (sinfolen > ECDH_KDF_MAX || outlen > ECDH_KDF_MAX || Zlen > ECDH_KDF_MAX)
+	return 0;
+    mdlen = EVP_MD_size(md);
+    EVP_MD_CTX_init(&mctx);
+    for (i = 1;;i++)
+    {
+	unsigned char mtmp[EVP_MAX_MD_SIZE];
+	EVP_DigestInit_ex(&mctx, md, NULL);
+	ctr[3] = i & 0xFF;
+	ctr[2] = (i >> 8) & 0xFF;
+	ctr[1] = (i >> 16) & 0xFF;
+	ctr[0] = (i >> 24) & 0xFF;
+	if (!EVP_DigestUpdate(&mctx, Z, Zlen))
+	    goto err;
+	if (!EVP_DigestUpdate(&mctx, ctr, sizeof(ctr)))
+	    goto err;
+	if (!EVP_DigestUpdate(&mctx, sinfo, sinfolen))
+	    goto err;
+	if (outlen >= mdlen)
+	{
+	    if (!EVP_DigestFinal(&mctx, out, NULL))
+		goto err;
+	    outlen -= mdlen;
+	    if (outlen == 0)
+		break;
+	    out += mdlen;
+	}
+	else
+	{
+	    if (!EVP_DigestFinal(&mctx, mtmp, NULL))
+		goto err;
+	    memcpy(out, mtmp, outlen);
+	    OPENSSL_cleanse(mtmp, mdlen);
+	    break;
+	}
+    }
+    rv = 1;
+  err:
+    EVP_MD_CTX_cleanup(&mctx);
+    return rv;
+}
+
+static size_t envelope_key_len(const ies_ctx_t *ctx)
+{
+    return EVP_CIPHER_key_length(ctx->cipher) + EVP_MD_size(ctx->md);
+}
+
+static EC_KEY * ecies_key_create(const EC_KEY *user, char *error) {
+
+    const EC_GROUP *group;
+    EC_KEY *key = NULL;
+
+    if (!(key = EC_KEY_new())) {
+	SET_OSSL_ERROR("EC_KEY_new failed");
+	return NULL;
+    }
+
+    if (!(group = EC_KEY_get0_group(user))) {
+	SET_ERROR("The user key does not have group");
+	EC_KEY_free(key);
+	return NULL;
+    }
+
+    if (EC_KEY_set_group(key, group) != 1) {
+	SET_OSSL_ERROR("EC_KEY_set_group failed");
+	EC_KEY_free(key);
+	return NULL;
+    }
+
+    if (EC_KEY_generate_key(key) != 1) {
+	SET_OSSL_ERROR("EC_KEY_generate_key failed");
+	EC_KEY_free(key);
+	return NULL;
+    }
+
+    return key;
+}
+
+static unsigned char *prepare_envelope_key(const ies_ctx_t *ctx, cryptogram_t *cryptogram, char *error)
+{
+
+    const size_t key_buf_len = envelope_key_len(ctx);
+    const size_t ecdh_key_len = (EC_GROUP_get_degree(EC_KEY_get0_group(ctx->user_key)) + 7) / 8;
+    unsigned char *envelope_key = NULL, *ktmp = NULL;
+    EC_KEY *ephemeral = NULL;
+    size_t written_length;
+
+    /* High-level ECDH via EVP does not allow use of arbitrary KDF function.
+     * We should use low-level API for KDF2
+     * c.f. openssl/crypto/ec/ec_pmeth.c */
+    if ((envelope_key = OPENSSL_malloc(key_buf_len)) == NULL) {
+	SET_ERROR("Failed to allocate memory for envelope_key");
+	goto err;
+    }
+
+    if (!(ephemeral = ecies_key_create(ctx->user_key, error))) {
+	goto err;
+    }
+
+    /* key agreement and KDF
+     * reference: openssl/crypto/ec/ec_pmeth.c */
+    ktmp = OPENSSL_malloc(ecdh_key_len);
+    if (ktmp == NULL) {
+	SET_ERROR("No memory for ECDH temporary key");
+	goto err;
+    }
+
+    if (ECDH_compute_key(ktmp, ecdh_key_len, EC_KEY_get0_public_key(ctx->user_key), ephemeral, NULL)
+	!= (int)ecdh_key_len) {
+	SET_OSSL_ERROR("An error occurred while ECDH_compute_key");
+	goto err;
+    }
+
+    /* equals to ISO 18033-2 KDF2 */
+    if (!ECDH_KDF_X9_62(envelope_key, key_buf_len, ktmp, ecdh_key_len, 0, 0, ctx->kdf_md)) {
+	SET_OSSL_ERROR("Failed to stretch with KDF2");
+	goto err;
+    }
+
+    /* Store the public key portion of the ephemeral key. */
+    written_length = EC_POINT_point2oct(
+	EC_KEY_get0_group(ephemeral),
+	EC_KEY_get0_public_key(ephemeral),
+	POINT_CONVERSION_COMPRESSED,
+	(void *)cryptogram_key_data(cryptogram),
+	ctx->stored_key_length,
+	NULL);
+    if (written_length == 0) {
+	SET_OSSL_ERROR("Error while recording the public portion of the envelope key");
+	goto err;
+    }
+    if (written_length != ctx->stored_key_length) {
+	SET_ERROR("Written envelope key length does not match with expected");
+	goto err;
+    }
+
+    EC_KEY_free(ephemeral);
+    OPENSSL_cleanse(ktmp, ecdh_key_len);
+    OPENSSL_free(ktmp);
+
+    return envelope_key;
+
+  err:
+    if (ephemeral)
+	EC_KEY_free(ephemeral);
+    if (envelope_key) {
+	OPENSSL_cleanse(envelope_key, key_buf_len);
+	OPENSSL_free(envelope_key);
+    }
+    if (ktmp) {
+	OPENSSL_cleanse(ktmp, ecdh_key_len);
+	OPENSSL_free(ktmp);
+    }
+    return NULL;
+}
+
+static int store_cipher_body(
+    const ies_ctx_t *ctx,
+    const unsigned char *envelope_key,
+    const unsigned char *data,
+    size_t length,
+    cryptogram_t *cryptogram,
+    char *error)
+{
+    int out_len, len_sum = 0;
+    size_t expected_len = cryptogram_body_length(cryptogram);
+    unsigned char iv[EVP_MAX_IV_LENGTH];
+    EVP_CIPHER_CTX cipher;
+    unsigned char *body;
+
+    /* For now we use an empty initialization vector. */
+    memset(iv, 0, EVP_MAX_IV_LENGTH);
+
+    EVP_CIPHER_CTX_init(&cipher);
+    body = cryptogram_body_data(cryptogram);
+
+    if (EVP_EncryptInit_ex(&cipher, ctx->cipher, NULL, envelope_key, iv) != 1
+	|| EVP_EncryptUpdate(&cipher, body, &out_len, data, length) != 1) {
+	SET_OSSL_ERROR("Error while trying to secure the data using the symmetric cipher");
+	EVP_CIPHER_CTX_cleanup(&cipher);
+	return 0;
+    }
+
+    if (expected_len < (size_t)out_len) {
+	SET_ERROR("The symmetric cipher overflowed");
+	EVP_CIPHER_CTX_cleanup(&cipher);
+	return 0;
+    }
+
+    body += out_len;
+    len_sum += out_len;
+    if (EVP_EncryptFinal_ex(&cipher, body, &out_len) != 1) {
+	SET_OSSL_ERROR("Error while finalizing the data using the symmetric cipher");
+	EVP_CIPHER_CTX_cleanup(&cipher);
+	cryptogram_free(cryptogram);
+	return 0;
+    }
+
+    EVP_CIPHER_CTX_cleanup(&cipher);
+
+    if (expected_len < (size_t)len_sum) {
+	SET_ERROR("The symmetric cipher overflowed");
+	return 0;
+    }
+
+    return 1;
+}
+
+static int store_mac_tag(const ies_ctx_t *ctx, const unsigned char *envelope_key, cryptogram_t *cryptogram, char *error) {
+    const size_t key_offset = EVP_CIPHER_key_length(ctx->cipher);
+    const size_t key_length = EVP_MD_size(ctx->md);
+    const size_t mac_length = cryptogram_mac_length(cryptogram);
+    unsigned int out_len;
+    HMAC_CTX hmac;
+
+    HMAC_CTX_init(&hmac);
+
+    /* Generate hash tag using encrypted data */
+    if (HMAC_Init_ex(&hmac, envelope_key + key_offset, key_length, ctx->md, NULL) != 1
+	|| HMAC_Update(&hmac, cryptogram_body_data(cryptogram), cryptogram_body_length(cryptogram)) != 1
+	|| HMAC_Final(&hmac, cryptogram_mac_data(cryptogram), &out_len) != 1) {
+	SET_OSSL_ERROR("Unable to generate tag");
+	HMAC_CTX_cleanup(&hmac);
+	return 0;
+    }
+
+    HMAC_CTX_cleanup(&hmac);
+
+    if (out_len != mac_length) {
+	SET_ERROR("MAC length expectation does not meet");
+	return 0;
+    }
+
+    return 1;
+}
+
+cryptogram_t * ecies_encrypt(const ies_ctx_t *ctx, const unsigned char *data, size_t length, char *error) {
+
+    const size_t block_length = EVP_CIPHER_block_size(ctx->cipher);
+    const size_t mac_length = EVP_MD_size(ctx->md);
+    cryptogram_t *cryptogram = NULL;
+    unsigned char *envelope_key = NULL;
+
+    if (!ctx || !data || !length) {
+	SET_ERROR("Invalid arguments");
+	return NULL;
+    }
+
+    if (block_length == 0 || block_length > EVP_MAX_BLOCK_LENGTH) {
+	SET_ERROR("Derived block size is incorrect");
+	return NULL;
+    }
+
+    cryptogram = cryptogram_alloc(ctx->stored_key_length,
+				  mac_length,
+				  length + (length % block_length ? (block_length - (length % block_length)) : 0));
+    if (!cryptogram) {
+	SET_ERROR("Unable to allocate a cryptogram_t buffer to hold the encrypted result.");
+	goto err;
+    }
+
+    if ((envelope_key = prepare_envelope_key(ctx, cryptogram, error)) == NULL) {
+	goto err;
+    }
+
+    if (!store_cipher_body(ctx, envelope_key, data, length, cryptogram, error)) {
+	goto err;
+    }
+
+    if (!store_mac_tag(ctx, envelope_key, cryptogram, error)) {
+	goto err;
+    }
+
+    OPENSSL_cleanse(envelope_key, envelope_key_len(ctx));
+    OPENSSL_free(envelope_key);
+
+    return cryptogram;
+
+  err:
+    if (cryptogram)
+	cryptogram_free(cryptogram);
+    if (envelope_key) {
+	OPENSSL_cleanse(envelope_key, envelope_key_len(ctx));
+	OPENSSL_free(envelope_key);
+    }
+    return NULL;
+}
+
+static EC_KEY *ecies_key_create_public_octets(EC_KEY *user, unsigned char *octets, size_t length, char *error) {
+
+    EC_KEY *key = NULL;
+    EC_POINT *point = NULL;
+    const EC_GROUP *group = NULL;
+
+    if (!(key = EC_KEY_new())) {
+	SET_OSSL_ERROR("Cannot create instance for ephemeral key");
+	return NULL;
+    }
+
+    if (!(group = EC_KEY_get0_group(user))) {
+	SET_ERROR("Cannot get group from user key");
+	EC_KEY_free(key);
+	return NULL;
+    }
+
+    if (EC_KEY_set_group(key, group) != 1) {
+	SET_OSSL_ERROR("EC_KEY_set_group failed");
+	EC_KEY_free(key);
+	return NULL;
+    }
+
+    if (!(point = EC_POINT_new(group))) {
+	SET_OSSL_ERROR("EC_POINT_new failed");
+	EC_KEY_free(key);
+	return NULL;
+    }
+
+    if (EC_POINT_oct2point(group, point, octets, length, NULL) != 1) {
+	SET_OSSL_ERROR("EC_POINT_oct2point failed");
+	EC_KEY_free(key);
+	return NULL;
+    }
+
+    if (EC_KEY_set_public_key(key, point) != 1) {
+	SET_OSSL_ERROR("EC_KEY_set_public_key failed");
+	EC_POINT_free(point);
+	EC_KEY_free(key);
+	return NULL;
+    }
+
+    EC_POINT_free(point);
+
+    if (EC_KEY_check_key(key) != 1) {
+	SET_OSSL_ERROR("EC_KEY_check_key failed");
+	EC_KEY_free(key);
+	return NULL;
+    }
+
+    return key;
+}
+
+unsigned char *restore_envelope_key(const ies_ctx_t *ctx, const cryptogram_t *cryptogram, char *error)
+{
+
+    const size_t key_buf_len = envelope_key_len(ctx);
+    const size_t ecdh_key_len = (EC_GROUP_get_degree(EC_KEY_get0_group(ctx->user_key)) + 7) / 8;
+    EC_KEY *ephemeral = NULL, *user_copy = NULL;
+    unsigned char *envelope_key = NULL, *ktmp = NULL;
+
+    if ((envelope_key = OPENSSL_malloc(key_buf_len)) == NULL) {
+	SET_ERROR("Failed to allocate memory for envelope_key");
+	goto err;
+    }
+
+    if (!(user_copy = EC_KEY_new())) {
+	SET_OSSL_ERROR("Failed to create instance for user key copy");
+	goto err;
+    }
+
+    if (!(EC_KEY_copy(user_copy, ctx->user_key))) {
+	SET_OSSL_ERROR("Failed to copy user key");
+	goto err;
+    }
+
+    if (!(ephemeral = ecies_key_create_public_octets(user_copy, cryptogram_key_data(cryptogram), cryptogram_key_length(cryptogram), error))) {
+	goto err;
+    }
+
+    /* key agreement and KDF
+     * reference: openssl/crypto/ec/ec_pmeth.c */
+    ktmp = OPENSSL_malloc(ecdh_key_len);
+    if (ktmp == NULL) {
+	SET_ERROR("No memory for ECDH temporary key");
+	goto err;
+    }
+
+    if (ECDH_compute_key(ktmp, ecdh_key_len, EC_KEY_get0_public_key(ephemeral), user_copy, NULL)
+	!= (int)ecdh_key_len) {
+	SET_OSSL_ERROR("An error occurred while ECDH_compute_key");
+	goto err;
+    }
+
+    /* equals to ISO 18033-2 KDF2 */
+    if (!ECDH_KDF_X9_62(envelope_key, key_buf_len, ktmp, ecdh_key_len, 0, 0, ctx->kdf_md)) {
+	SET_OSSL_ERROR("Failed to stretch with KDF2");
+	goto err;
+    }
+
+    EC_KEY_free(user_copy);
+    EC_KEY_free(ephemeral);
+    OPENSSL_cleanse(ktmp, ecdh_key_len);
+    OPENSSL_free(ktmp);
+
+    return envelope_key;
+
+  err:
+    if (ephemeral)
+	EC_KEY_free(ephemeral);
+    if (user_copy)
+	EC_KEY_free(user_copy);
+    if (envelope_key) {
+	OPENSSL_cleanse(envelope_key, key_buf_len);
+	OPENSSL_free(envelope_key);
+    }
+    if (ktmp) {
+	OPENSSL_cleanse(ktmp, ecdh_key_len);
+	OPENSSL_free(ktmp);
+    }
+    return NULL;
+}
+
+static int verify_mac(const ies_ctx_t *ctx, const cryptogram_t *cryptogram, const unsigned char * envelope_key, char *error)
+{
+    const size_t key_offset = EVP_CIPHER_key_length(ctx->cipher);
+    const size_t key_length = EVP_MD_size(ctx->md);
+    const size_t mac_length = cryptogram_mac_length(cryptogram);
+    unsigned int out_len;
+    HMAC_CTX hmac;
+    unsigned char md[EVP_MAX_MD_SIZE];
+
+    HMAC_CTX_init(&hmac);
+
+    /* Generate hash tag using encrypted data */
+    if (HMAC_Init_ex(&hmac, envelope_key + key_offset, key_length, ctx->md, NULL) != 1
+	|| HMAC_Update(&hmac, cryptogram_body_data(cryptogram), cryptogram_body_length(cryptogram)) != 1
+	|| HMAC_Final(&hmac, md, &out_len) != 1) {
+	SET_OSSL_ERROR("Unable to generate tag");
+	HMAC_CTX_cleanup(&hmac);
+	return 0;
+    }
+
+    HMAC_CTX_cleanup(&hmac);
+
+    if (out_len != mac_length) {
+	SET_ERROR("MAC length expectation does not meet");
+	return 0;
+    }
+
+    if (memcmp(md, cryptogram_mac_data(cryptogram), mac_length) != 0) {
+	SET_ERROR("MAC tag verification failed");
+	return 0;
+    }
+
+    return 1;
+}
+
+unsigned char *decrypt_body(const ies_ctx_t *ctx, const cryptogram_t *cryptogram, const unsigned char *envelope_key, size_t *length, char *error)
+{
+    int out_len;
+    size_t output_sum;
+    const size_t body_length = cryptogram_body_length(cryptogram);
+    unsigned char iv[EVP_MAX_IV_LENGTH], *block, *output;
+    EVP_CIPHER_CTX cipher;
+
+    if (!(output = malloc(body_length + 1))) {
+	SET_ERROR("Failed to allocate memory for clear text");
+	return NULL;
+    }
+
+    /* For now we use an empty initialization vector */
+    memset(iv, 0, EVP_MAX_IV_LENGTH);
+    memset(output, 0, body_length + 1);
+
+    EVP_CIPHER_CTX_init(&cipher);
+
+    block = output;
+    if (EVP_DecryptInit_ex(&cipher, ctx->cipher, NULL, envelope_key, iv) != 1
+	|| EVP_DecryptUpdate(&cipher, block, &out_len, cryptogram_body_data(cryptogram), body_length) != 1) {
+	SET_OSSL_ERROR("Unable to decrypt");
+	EVP_CIPHER_CTX_cleanup(&cipher);
+	free(output);
+	return NULL;
+    }
+    output_sum = out_len;
+
+    block += output_sum;
+    if (EVP_DecryptFinal_ex(&cipher, block, &out_len) != 1) {
+	printf("Unable to decrypt the data using the chosen symmetric cipher. {error = %s}\n", ERR_error_string(ERR_get_error(), NULL));
+	EVP_CIPHER_CTX_cleanup(&cipher);
+	free(output);
+	return NULL;
+    }
+    output_sum += out_len;
+
+    EVP_CIPHER_CTX_cleanup(&cipher);
+
+    *length = output_sum;
+
+    return output;
+}
+
+unsigned char * ecies_decrypt(const ies_ctx_t *ctx, const cryptogram_t *cryptogram, size_t *length, char *error)
+{
+
+    unsigned char *envelope_key = NULL, *output = NULL;
+
+    if (!ctx || !cryptogram || !length || !error) {
+	SET_ERROR("Invalid argument");
+	goto err;
+    }
+
+    envelope_key = restore_envelope_key(ctx, cryptogram, error);
+    if (envelope_key == NULL) {
+	goto err;
+    }
+
+    if (!verify_mac(ctx, cryptogram, envelope_key, error)) {
+	goto err;
+    }
+
+    if ((output = decrypt_body(ctx, cryptogram, envelope_key, length, error)) == NULL) {
+	goto err;
+    }
+
+  err:
+    OPENSSL_cleanse(envelope_key, envelope_key_len(ctx));
+    OPENSSL_free(envelope_key);
+
+    return output;
+}

data/ext/ies/extconf.rb

@@ -0,0 +1,34 @@
+require "mkmf"
+
+Logging::message "=== OpenSSL ECIES extension configurator ===\n"
+
+##
+# Adds -DOSSL_DEBUG for compilation and some more targets when GCC is used
+# To turn it on, use: --with-debug or --enable-debug
+#
+if with_config("debug") or enable_config("debug")
+  $defs.push("-DOSSL_ECIES_DEBUG") unless $defs.include? "-DOSSL_ECIES_DEBUG"
+end
+
+result = pkg_config("openssl") && have_header("openssl/ssl.h")
+
+unless result
+  result = have_header("openssl/ssl.h")
+  result &&= %w[crypto libeay32].any? {|lib| have_library(lib, "OpenSSL_add_all_digests")}
+  result &&= %w[ssl ssleay32].any? {|lib| have_library(lib, "SSL_library_init")}
+  unless result
+    Logging::message "=== Checking for required stuff failed. ===\n"
+    Logging::message "Makefile wasn't created. Fix the errors above.\n"
+    exit 1
+  end
+end
+
+unless have_header("openssl/conf_api.h")
+  raise "OpenSSL 0.9.6 or later required."
+end
+
+create_header
+create_makefile("openssl/pkey/ec/ies") {|conf|
+  conf << "THREAD_MODEL = #{CONFIG["THREAD_MODEL"]}\n"
+}
+Logging::message "Done.\n"

data/ext/ies/ies.c

@@ -0,0 +1,159 @@
+#include "ies.h"
+
+static VALUE eIESError;
+
+static EC_KEY *require_ec_key(VALUE self)
+{
+    const EVP_PKEY *pkey;
+    const EC_KEY *ec;
+    Data_Get_Struct(self, EVP_PKEY, pkey);
+    if (!pkey) {
+	rb_raise(rb_eRuntimeError, "PKEY wasn't initialized!");
+    }
+    if (EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) {
+	rb_raise(rb_eRuntimeError, "THIS IS NOT A EC PKEY!");
+    }
+    ec = pkey->pkey.ec;
+    if (ec == NULL)
+	rb_raise(eIESError, "EC_KEY is not initialized");
+    return ec;
+}
+
+static ies_ctx_t *create_context(VALUE self)
+{
+    ies_ctx_t* ctx = malloc(sizeof(ies_ctx_t));
+    ctx->cipher = EVP_aes_128_cbc();
+    ctx->md = EVP_sha1();
+    ctx->kdf_md = EVP_sha1();
+    ctx->stored_key_length = 25;
+    ctx->user_key = require_ec_key(self);
+
+    return ctx;
+}
+
+static VALUE ies_cryptogram_to_rb_string(const ies_ctx_t *ctx,const cryptogram_t *cryptogram)
+{
+    return rb_str_new((char *)cryptogram_key_data(cryptogram), cryptogram_data_sum_length(cryptogram));
+}
+
+static cryptogram_t *ies_rb_string_to_cryptogram(const ies_ctx_t *ctx, const VALUE string)
+{
+    size_t data_len = RSTRING_LEN(string);
+    const char * data = RSTRING_PTR(string);
+
+    size_t key_length = ctx->stored_key_length;
+    size_t mac_length = EVP_MD_size(ctx->md);
+    const cryptogram_t *cryptogram = cryptogram_alloc(key_length, mac_length, data_len - key_length - mac_length);
+
+    memcpy(cryptogram_key_data(cryptogram), data, data_len);
+
+    return cryptogram;
+}
+
+/*
+ *  call-seq:
+ *     OpenSSL::PKey::EC::IES.new(key, algorithm_spec)
+ *
+ *  Algorithm spec is currently ignored.
+ */
+static VALUE ies_initialize(VALUE self, VALUE key, VALUE algo)
+{
+    VALUE args[1];
+
+    rb_iv_set(self, "@algorithm", algo);
+
+    args[0] = key;
+    return rb_call_super(1, args);
+}
+
+/*
+ *  call-seq:
+ *     ecies.public_encrypt(plaintext) => String
+ *
+ *  The pem_string given in init must contain public key.
+ */
+static VALUE ies_public_encrypt(VALUE self, VALUE clear_text)
+{
+    ies_ctx_t *ctx;
+    char error[1024] = "Unknown error";
+    VALUE cipher_text;
+    cryptogram_t *cryptogram;
+
+    StringValue(clear_text);
+
+    ctx = create_context(self);
+    if (!EC_KEY_get0_public_key(ctx->user_key))
+	rb_raise(eIESError, "Given EC key is not public key");
+
+    cryptogram = ecies_encrypt(ctx, (unsigned char*)RSTRING_PTR(clear_text), RSTRING_LEN(clear_text), error);
+    if (cryptogram == NULL) {
+	free(ctx);
+	ctx = NULL;
+	rb_raise(eIESError, "Error in encryption: %s", error);
+    }
+    cipher_text = ies_cryptogram_to_rb_string(ctx, cryptogram);
+    cryptogram_free(cryptogram);
+    free(ctx);
+    return cipher_text;
+}
+
+/*
+ *  call-seq:
+ *     ecies.private_decrypt(plaintext) => String
+ *
+ *  The pem_string given in init must contain private key.
+ */
+static VALUE ies_private_decrypt(VALUE self, VALUE cipher_text)
+{
+    ies_ctx_t *ctx;
+    char error[1024] = "Unknown error";
+    VALUE clear_text;
+    cryptogram_t *cryptogram;
+    size_t length;
+    unsigned char *data;
+
+    StringValue(cipher_text);
+
+    ctx = create_context(self);
+    if (!EC_KEY_get0_private_key(ctx->user_key))
+	rb_raise(eIESError, "Given EC key is not private key");
+
+    cryptogram = ies_rb_string_to_cryptogram(ctx, cipher_text);
+    data = ecies_decrypt(ctx, cryptogram, &length, error);
+    cryptogram_free(cryptogram);
+    free(ctx);
+
+    if (data == NULL) {
+	rb_raise(eIESError, "Error in decryption: %s", error);
+    }
+
+    clear_text = rb_str_new((char *)data, length);
+    free(data);
+
+    return clear_text;
+}
+
+/*
+ * INIT
+ */
+void
+Init_ies(void)
+{
+    static VALUE cIES;
+    VALUE cEC;
+
+    rb_require("openssl");
+    cEC = rb_path2class("OpenSSL::PKey::EC");
+
+    /* Document-class: OpenSSL::PKey::EC::IES
+     *
+     * An implementation of ECIES cryptography.
+     */
+    cIES = rb_define_class_under(cEC, "IES", cEC);
+
+    rb_define_method(cIES, "initialize", ies_initialize, 2);
+    rb_define_method(cIES, "public_encrypt", ies_public_encrypt, 1);
+    rb_define_method(cIES, "private_decrypt", ies_private_decrypt, 1);
+
+    eIESError = rb_define_class_under(cIES, "IESError", rb_eRuntimeError);
+}

data/ext/ies/ies.h

@@ -0,0 +1,46 @@
+/**
+ * reference: ecies.h
+ */
+
+#ifndef _IES_H_
+#define _IES_H_
+
+#include <openssl/ssl.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+
+#include <ruby.h>
+
+typedef struct {
+    const EVP_CIPHER *cipher;
+    const EVP_MD *md; 		/* for mac tag */
+    const EVP_MD *kdf_md; 	/* for KDF */
+    size_t stored_key_length;
+    const EC_KEY *user_key;
+} ies_ctx_t;
+
+typedef struct {
+    struct {
+	size_t key;
+	size_t mac;
+	size_t body;
+    } length;
+} cryptogram_head_t;
+
+typedef unsigned char * cryptogram_t;
+
+void cryptogram_free(cryptogram_t *cryptogram);
+unsigned char * cryptogram_key_data(const cryptogram_t *cryptogram);
+unsigned char * cryptogram_mac_data(const cryptogram_t *cryptogram);
+unsigned char * cryptogram_body_data(const cryptogram_t *cryptogram);
+size_t cryptogram_key_length(const cryptogram_t *cryptogram);
+size_t cryptogram_mac_length(const cryptogram_t *cryptogram);
+size_t cryptogram_body_length(const cryptogram_t *cryptogram);
+size_t cryptogram_data_sum_length(const cryptogram_t *cryptogram);
+size_t cryptogram_total_length(const cryptogram_t *cryptogram);
+cryptogram_t * cryptogram_alloc(size_t key, size_t mac, size_t body);
+
+cryptogram_t * ecies_encrypt(const ies_ctx_t *ctx, const unsigned char *data, size_t length, char *error);
+unsigned char * ecies_decrypt(const ies_ctx_t *ctx, const cryptogram_t *cryptogram, size_t *length, char *error);
+
+#endif /* _IES_H_ */

data/openssl-pkey-ec-ies.gemspec

@@ -0,0 +1,24 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+
+Gem::Specification.new do |spec|
+  spec.name          = 'openssl-pkey-ec-ies'
+  spec.version       = '0.0.1'
+  spec.authors       = ['webpay', 'tomykaira']
+  spec.email         = ['administrators@webpay.jp']
+  spec.summary       = %q{ECIES implementation}
+  spec.description   = %q{IES implementation following ECIES-KEM specification in ISO 18033-2}
+  spec.homepage      = ''
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+  spec.extensions    = %w[ext/ies/extconf.rb]
+
+  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rake-compiler', '~> 0.9.3'
+end

data/test/test_ies.rb

@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+require 'minitest/unit'
+require 'openssl/pkey/ec/ies'
+
+Minitest::Unit.autorun
+
+class TestIES < Minitest::Unit::TestCase
+  def setup
+    test_key = File.read(File.expand_path(File.join(__FILE__, '..', 'test_key.pem')))
+    @ec = OpenSSL::PKey::EC::IES.new(test_key, "placeholder")
+  end
+
+  def test_ec_has_private_and_public_keys
+    assert @ec.private_key?
+    assert @ec.public_key?
+  end
+
+  def test_encrypt_then_decrypt_get_the_source_text
+    source = 'いろはにほへと ちるぬるを わかよたれそ つねならむ うゐのおくやま けふこえて あさきゆめみし ゑひもせすん'
+    cryptogram = @ec.public_encrypt(source)
+    result = @ec.private_decrypt(cryptogram)
+    assert_equal source, result.force_encoding('UTF-8')
+  end
+end

data/test/test_key.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBAQ==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MF8CAQEEGN4sOUixZfhhfyR6/9IESuEgMy692DmuJqAKBggqhkjOPQMBAaE0AzIA
+BCpR0j5VZmqU2R/PFE9dttlCHJMZEYY7XmYRU77U3trXSo0QPrYgDzCwFqVLEfqQ
+hQ==
+-----END EC PRIVATE KEY-----

metadata

@@ -0,0 +1,103 @@
+--- !ruby/object:Gem::Specification
+name: openssl-pkey-ec-ies
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- webpay
+- tomykaira
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake-compiler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.3
+description: IES implementation following ECIES-KEM specification in ISO 18033-2
+email:
+- administrators@webpay.jp
+executables: []
+extensions:
+- ext/ies/extconf.rb
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- ext/ies/cryptogram.c
+- ext/ies/ecies.c
+- ext/ies/extconf.rb
+- ext/ies/ies.c
+- ext/ies/ies.h
+- openssl-pkey-ec-ies.gemspec
+- test/test_ies.rb
+- test/test_key.pem
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: ECIES implementation
+test_files:
+- test/test_ies.rb
+- test/test_key.pem