From 2467e668acc591a70449cc55f591b4d92e72a6c9 Mon Sep 17 00:00:00 2001
From: JoelKatz <DavidJoelSchwartz@GMail.com>
Date: Sat, 7 Apr 2012 04:13:22 -0700
Subject: [PATCH] Cleanup. Minor bugfixes. Better documentation.

---
 src/ECIES.cpp | 88 ++++++++++++++++++++++++++++++++-------------------
 1 file changed, 56 insertions(+), 32 deletions(-)

diff --git a/src/ECIES.cpp b/src/ECIES.cpp
index d51119aac..894c0dbb1 100644
--- a/src/ECIES.cpp
+++ b/src/ECIES.cpp
@@ -11,17 +11,38 @@
 
 #include "key.h"
 
-#define ECIES_KEY_HASH		SHA256
-#define ECIES_KEY_LENGTH	(256/8)
-#define ECIES_KEY_TYPE		uint256
-#define ECIES_ENC_ALGO		EVP_aes_256_cbc()
-#define ECIES_ENC_KEY_SIZE 	(256/8)
-#define ECIES_ENC_BLK_SIZE	(128/8)
-#define ECIES_ENC_KEY_TYPE	uint256
-#define ECIES_ENC_IV_TYPE	uint128
-#define ECIES_HMAC_ALGO		EVP_sha256()
-#define ECIES_HMAC_SIZE		(256/8)
-#define ECIES_HMAC_TYPE		uint256
+// ECIES uses elliptic curve keys to send an encrypted message.
+
+// A shared secret is generated from one public key and one private key.
+// The same key results regardless of which key is public and which private.
+
+// Anonymous messages can be sent by generating an ephemeral public/private
+// key pair, using that private key with the recipient's public key to
+// encrypt and publishing the ephemeral public key. Non-anonymous messages
+// can be sent by using your own private key with the recipeint's public key.
+
+// A random IV is used to encrypt the message and an HMAC is used to ensure
+// message integrity. If you need timestamps or need to tell the recipient
+// which key to use (his, yours, or ephemeral) you must add that data.
+// (Obviously, it can't go in the encrypted portion anyway.)
+
+// Our ciphertext is all encrypted except the IV. The encrypted data decodes as follows:
+// 1) IV (unencrypted)
+// 2) Encrypted: HMAC of original plaintext
+// 3) Encrypted: Original plaintext
+// 4) Encrypted: Rest of block/padding
+
+// Algorithmic choices:
+#define ECIES_KEY_HASH		SHA256				// Hash used to generate shared secret
+#define ECIES_KEY_LENGTH	(256/8)				// Size of shared secret
+#define ECIES_KEY_TYPE		uint256				// Type used to hold shared secret
+#define ECIES_ENC_ALGO		EVP_aes_256_cbc()	// Encryption algorithm
+#define ECIES_ENC_KEY_SIZE 	(256/8)				// Encryption key size
+#define ECIES_ENC_BLK_SIZE	(128/8)				// Encryption block size
+#define ECIES_ENC_IV_TYPE	uint128				// Type used to hold IV
+#define ECIES_HMAC_ALGO		EVP_sha256()		// HMAC algorithm
+#define ECIES_HMAC_SIZE		(256/8)				// Size of HMAC
+#define ECIES_HMAC_TYPE		uint256				// Type used to hold HMAC
 
 static void* ecies_key_derivation(const void *input, size_t ilen, void *output, size_t *olen)
 { // This function must not be changed as it must be what ECDH_compute_key expects
@@ -59,13 +80,7 @@ ECIES_KEY_TYPE CKey::getECIESSecret(CKey& otherKey)
 	return key;
 }
 
-// Our ciphertext is all encrypted except the IV. The encrypted data decodes as follows:
-// 1) IV (unencrypted)
-// 2) Encrypted: HMAC of original plaintext
-// 3) Encrypted: Original plaintext
-// 4) Encrypted: Rest of block/padding
-
-static ECIES_HMAC_TYPE makeHMAC(ECIES_KEY_TYPE secret, const std::vector<unsigned char> data)
+static ECIES_HMAC_TYPE makeHMAC(const ECIES_KEY_TYPE& secret, const std::vector<unsigned char> data)
 {
 	HMAC_CTX ctx;
 	HMAC_CTX_init(&ctx);
@@ -82,37 +97,39 @@ static ECIES_HMAC_TYPE makeHMAC(ECIES_KEY_TYPE secret, const std::vector<unsigne
 		throw std::runtime_error("update hmac");
 	}
 
-	unsigned int ml=EVP_MAX_MD_SIZE;
-	std::vector<unsigned char> hmac(ml);
-	if(HMAC_Final(&ctx, &(hmac.front()), &ml) != 1)
+	ECIES_HMAC_TYPE ret;
+	unsigned int ml = ECIES_HMAC_SIZE;
+	if(HMAC_Final(&ctx, ret.begin(), &ml) != 1)
 	{
 		HMAC_CTX_cleanup(&ctx);
 		throw std::runtime_error("finalize hmac");
 	}
-
-	ECIES_HMAC_TYPE ret;
-	memcpy(ret.begin(), &(hmac.front()), ECIES_HMAC_SIZE);
+	assert(ml == ECIES_HMAC_SIZE);
+	HMAC_CTX_cleanup(&ctx);
 
 	return ret;
 }
 
 std::vector<unsigned char> CKey::encryptECIES(CKey& otherKey, const std::vector<unsigned char>& plaintext)
 {
-	ECIES_KEY_TYPE secret=getECIESSecret(otherKey);
-	ECIES_HMAC_TYPE hmac=makeHMAC(secret, plaintext);
 
 	ECIES_ENC_IV_TYPE iv;
 	if(RAND_bytes(static_cast<unsigned char *>(iv.begin()), ECIES_ENC_BLK_SIZE) != 1)
 		throw std::runtime_error("insufficient entropy");
 
+	ECIES_KEY_TYPE secret=getECIESSecret(otherKey);
+	ECIES_HMAC_TYPE hmac=makeHMAC(secret, plaintext);
+
 	EVP_CIPHER_CTX ctx;
 	EVP_CIPHER_CTX_init(&ctx);
 
 	if (EVP_EncryptInit_ex(&ctx, ECIES_ENC_ALGO, NULL, secret.begin(), iv.begin()) != 1)
 	{
 		EVP_CIPHER_CTX_cleanup(&ctx);
+		secret.zero();
 		throw std::runtime_error("init cipher ctx");
 	}
+	secret.zero();
 
 	std::vector<unsigned char> out(plaintext.size() + ECIES_HMAC_SIZE + ECIES_ENC_KEY_SIZE + ECIES_ENC_BLK_SIZE, 0);
 	int len=0, bytesWritten;
@@ -160,10 +177,9 @@ std::vector<unsigned char> CKey::encryptECIES(CKey& otherKey, const std::vector<
 
 std::vector<unsigned char> CKey::decryptECIES(CKey& otherKey, const std::vector<unsigned char>& ciphertext)
 {
-	ECIES_KEY_TYPE secret=getECIESSecret(otherKey);
 
 	// minimum ciphertext = IV + HMAC + 1 block
-	if(ciphertext.size() < ((2*ECIES_ENC_BLK_SIZE) + ECIES_HMAC_SIZE) )
+	if(ciphertext.size() < ((2 * ECIES_ENC_BLK_SIZE) + ECIES_HMAC_SIZE) )
 		throw std::runtime_error("ciphertext too short");
 
 	// extract IV
@@ -173,9 +189,10 @@ std::vector<unsigned char> CKey::decryptECIES(CKey& otherKey, const std::vector<
 	// begin decrypting
 	EVP_CIPHER_CTX ctx;
 	EVP_CIPHER_CTX_init(&ctx);
-
+	ECIES_KEY_TYPE secret=getECIESSecret(otherKey);
 	if(EVP_DecryptInit_ex(&ctx, ECIES_ENC_ALGO, NULL, secret.begin(), iv.begin()) != 1)
 	{
+		secret.zero();
 		EVP_CIPHER_CTX_cleanup(&ctx);
 		throw std::runtime_error("unable to init cipher");
 	}
@@ -184,8 +201,9 @@ std::vector<unsigned char> CKey::decryptECIES(CKey& otherKey, const std::vector<
 	ECIES_HMAC_TYPE hmac;
 	int outlen=ECIES_HMAC_SIZE;
 	if( (EVP_DecryptUpdate(&ctx, hmac.begin(), &outlen,
-		&(ciphertext.front()) + ECIES_ENC_BLK_SIZE,	ECIES_HMAC_SIZE+1) != 1) || (outlen != ECIES_HMAC_SIZE) )
+		&(ciphertext.front()) + ECIES_ENC_BLK_SIZE,	ECIES_HMAC_SIZE + 1) != 1) || (outlen != ECIES_HMAC_SIZE) )
 	{
+		secret.zero();
 		EVP_CIPHER_CTX_cleanup(&ctx);
 		throw std::runtime_error("unable to extract hmac");
 	}
@@ -194,26 +212,32 @@ std::vector<unsigned char> CKey::decryptECIES(CKey& otherKey, const std::vector<
 	std::vector<unsigned char> plaintext(ciphertext.size() - ECIES_HMAC_SIZE - ECIES_ENC_BLK_SIZE);
 	outlen=plaintext.size();
 	if(EVP_DecryptUpdate(&ctx, &(plaintext.front()), &outlen,
-		&(ciphertext.front())+ECIES_ENC_BLK_SIZE+ECIES_HMAC_SIZE+1,
-		ciphertext.size()-ECIES_ENC_BLK_SIZE-ECIES_HMAC_SIZE-1) != 1)
+		&(ciphertext.front()) + ECIES_ENC_BLK_SIZE + ECIES_HMAC_SIZE + 1,
+		ciphertext.size() - ECIES_ENC_BLK_SIZE - ECIES_HMAC_SIZE - 1) != 1)
 	{
+		secret.zero();
 		EVP_CIPHER_CTX_cleanup(&ctx);
 		throw std::runtime_error("unable to extract plaintext");
 	}
 
+	// decrypt padding
 	int flen = 0;
 	if(EVP_DecryptFinal(&ctx, &(plaintext.front()) + outlen, &flen) != 1)
 	{
+		secret.zero();
 		EVP_CIPHER_CTX_cleanup(&ctx);
 		throw std::runtime_error("plaintext had bad padding");
 	}
 	plaintext.resize(flen + outlen);
 
+	// verify integrity
 	if(hmac != makeHMAC(secret, plaintext))
 	{
+		secret.zero();
 		EVP_CIPHER_CTX_cleanup(&ctx);
 		throw std::runtime_error("plaintext had bad hmac");
 	}
+	secret.zero();
 
 	EVP_CIPHER_CTX_cleanup(&ctx);
 	return plaintext;