zaru
diff --git a/‎lib/webpush/encryption.rb
+14-35 b/‎lib/webpush/encryption.rb
+14-35
diff --git a/‎lib/webpush/request.rb
+11-23 b/‎lib/webpush/request.rb
+11-23
diff --git a/‎spec/webpush/encryption_spec.rb
+54-39 b/‎spec/webpush/encryption_spec.rb
+54-39
@@ -23,64 +23,43 @@ def encrypt(message, p256dh, auth)
 
       client_auth_token = Webpush.decode64(auth)
 
-      prk = HKDF.new(shared_secret, salt: client_auth_token, algorithm: 'SHA256', info: "Content-Encoding: auth\0").next_bytes(32)
+      info = "WebPush: info\0" + client_public_key_bn.to_s(2) + server_public_key_bn.to_s(2)
+      content_encryption_key_info = "Content-Encoding: aes128gcm\0"
+      nonce_info = "Content-Encoding: nonce\0"
 
-      context = create_context(client_public_key_bn, server_public_key_bn)
+      prk = HKDF.new(shared_secret, salt: client_auth_token, algorithm: 'SHA256', info: info).next_bytes(32)
 
-      content_encryption_key_info = create_info('aesgcm', context)
       content_encryption_key = HKDF.new(prk, salt: salt, info: content_encryption_key_info).next_bytes(16)
 
-      nonce_info = create_info('nonce', context)
       nonce = HKDF.new(prk, salt: salt, info: nonce_info).next_bytes(12)
 
       ciphertext = encrypt_payload(message, content_encryption_key, nonce)
 
-      {
-        ciphertext: ciphertext,
-        salt: salt,
-        server_public_key_bn: convert16bit(server_public_key_bn),
-        server_public_key: server_public_key_bn.to_s(2),
-        shared_secret: shared_secret
-      }
+      serverkey16bn = convert16bit(server_public_key_bn)
+      rs = ciphertext.bytesize
+      raise ArgumentError, "encrypted payload is too big" if rs > 4096
+
+      aes128gcmheader = "#{salt}" + [rs].pack('N*') + [serverkey16bn.bytesize].pack('C*') + serverkey16bn
+
+      aes128gcmheader + ciphertext
     end
     # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
 
     private
 
-    def create_context(client_public_key, server_public_key)
-      c = convert16bit(client_public_key)
-      s = convert16bit(server_public_key)
-      context = "\0"
-      context += [c.bytesize].pack('n*')
-      context += c
-      context += [s.bytesize].pack('n*')
-      context += s
-      context
-    end
-
     def encrypt_payload(plaintext, content_encryption_key, nonce)
       cipher = OpenSSL::Cipher.new('aes-128-gcm')
       cipher.encrypt
       cipher.key = content_encryption_key
       cipher.iv = nonce
-      padding = cipher.update("\0\0")
       text = cipher.update(plaintext)
-
-      e_text = padding + text + cipher.final
+      padding = cipher.update("\2\0")
+      e_text = text + padding + cipher.final
       e_tag = cipher.auth_tag
 
       e_text + e_tag
     end
 
-    def create_info(type, context)
-      info = 'Content-Encoding: '
-      info += type
-      info += "\0"
-      info += 'P-256'
-      info += context
-      info
-    end
-
     def convert16bit(key)
       [key.to_s(16)].pack('H*')
     end
@@ -95,4 +74,4 @@ def blank?(value)
       value.nil? || value.empty?
     end
   end
-end
+end
@@ -42,37 +42,33 @@ def headers
       headers['Ttl']          = ttl
       headers['Urgency']      = urgency
 
-      if @payload.key?(:server_public_key)
-        headers['Content-Encoding'] = 'aesgcm'
-        headers['Encryption'] = "salt=#{salt_param}"
-        headers['Crypto-Key'] = "dh=#{dh_param}"
+      if @payload
+        headers['Content-Encoding'] = 'aes128gcm'
+        headers["Content-Length"] = @payload.length.to_s
       end
 
       if api_key?
         headers['Authorization'] = "key=#{api_key}"
       elsif vapid?
-        vapid_headers = build_vapid_headers
-        headers['Authorization'] = vapid_headers['Authorization']
-        headers['Crypto-Key'] = [headers['Crypto-Key'], vapid_headers['Crypto-Key']].compact.join(';')
+        headers["Authorization"] = build_vapid_header
       end
 
       headers
     end
     # rubocop:enable Metrics/MethodLength
 
-    def build_vapid_headers
+    def build_vapid_header
+      # https://tools.ietf.org/id/draft-ietf-webpush-vapid-03.html
+
       vapid_key = vapid_pem ? VapidKey.from_pem(vapid_pem) : VapidKey.from_keys(vapid_public_key, vapid_private_key)
       jwt = JWT.encode(jwt_payload, vapid_key.curve, 'ES256', jwt_header_fields)
       p256ecdsa = vapid_key.public_key_for_push_header
 
-      {
-        'Authorization' => 'WebPush ' + jwt,
-        'Crypto-Key' => 'p256ecdsa=' + p256ecdsa
-      }
+       "vapid t=#{jwt},k=#{p256ecdsa}"
     end
 
     def body
-      @payload.fetch(:ciphertext, '')
+      @payload || ''
     end
 
     private
@@ -89,14 +85,6 @@ def urgency
       @options.fetch(:urgency).to_s
     end
 
-    def dh_param
-      trim_encode64(@payload.fetch(:server_public_key))
-    end
-
-    def salt_param
-      trim_encode64(@payload.fetch(:salt))
-    end
-
     def jwt_payload
       {
         aud: audience,
@@ -106,7 +94,7 @@ def jwt_payload
     end
 
     def jwt_header_fields
-      { 'typ' => 'JWT' }
+      { "typ": "JWT", "alg": "ES256" }
     end
 
     def audience
@@ -141,7 +129,7 @@ def default_options
     end
 
     def build_payload(message, subscription)
-      return {} if message.nil? || message.empty?
+      return nil if message.nil? || message.empty?
 
       encrypt_payload(message, subscription.fetch(:keys))
     end
 
@@ -1,27 +1,24 @@
 require 'spec_helper'
-require 'ece'
 
 describe Webpush::Encryption do
   describe '#encrypt' do
+    let(:curve) do
+      group = 'prime256v1'
+      curve = OpenSSL::PKey::EC.new(group)
+      curve.generate_key
+      curve
+    end
+
     let(:p256dh) do
-      encode64(generate_ecdh_key)
+      ecdh_key = curve.public_key.to_bn.to_s(2)
+      Base64.urlsafe_encode64(ecdh_key)
     end
 
-    let(:auth) { encode64(Random.new.bytes(16)) }
+    let(:auth) { Base64.urlsafe_encode64(Random.new.bytes(16)) }
 
     it 'returns ECDH encrypted cipher text, salt, and server_public_key' do
       payload = Webpush::Encryption.encrypt('Hello World', p256dh, auth)
-
-      encrypted = payload.fetch(:ciphertext)
-
-      decrypted_data = ECE.decrypt(encrypted,
-                                   key: payload.fetch(:shared_secret),
-                                   salt: payload.fetch(:salt),
-                                   server_public_key: payload.fetch(:server_public_key_bn),
-                                   user_public_key: decode64(p256dh),
-                                   auth: decode64(auth))
-
-      expect(decrypted_data).to eq('Hello World')
+      expect(decrypt(payload)).to eq('Hello World')
     end
 
     it 'returns error when message is blank' do
@@ -41,40 +38,58 @@
 
     # Bug fix for https://github.com/zaru/webpush/issues/22
     it 'handles unpadded base64 encoded subscription keys' do
-      unpadded_p256dh = 'BK74n-ZA6kfMDEuCFbQH1Y5T33p39PvnzNeuD5LqTs8cF-uaQFUHn_v5kwV6dYIIL4nFabxghQNF_vlnAXX7OiU'
-      unpadded_auth = '1C1PBkJQsVwD9tkuLR1x5A'
+      unpadded_p256dh = p256dh.gsub(/=*\Z/, '')
+      unpadded_auth = auth.gsub(/=*\Z/, '')
 
       payload = Webpush::Encryption.encrypt('Hello World', unpadded_p256dh, unpadded_auth)
-      encrypted = payload.fetch(:ciphertext)
+      expect(decrypt(payload)).to eq('Hello World')
+    end
 
-      decrypted_data = ECE.decrypt(encrypted,
-                                   key: payload.fetch(:shared_secret),
-                                   salt: payload.fetch(:salt),
-                                   server_public_key: payload.fetch(:server_public_key_bn),
-                                   user_public_key: decode64(pad64(unpadded_p256dh)),
-                                   auth: decode64(pad64(unpadded_auth)))
+    def decrypt payload
+      salt = payload.byteslice(0, 16)
+      rs = payload.byteslice(16, 4).unpack("N*").first
+      idlen = payload.byteslice(20).unpack("C*").first
+      serverkey16bn = payload.byteslice(21, idlen)
+      ciphertext = payload.byteslice(21 + idlen, rs)
 
-      expect(decrypted_data).to eq('Hello World')
-    end
+      expect(payload.bytesize).to eq(21 + idlen + rs)
 
-    def generate_ecdh_key
-      group = 'prime256v1'
-      curve = OpenSSL::PKey::EC.new(group)
-      curve.generate_key
-      curve.public_key.to_bn.to_s(2)
-    end
+      group_name = 'prime256v1'
+      group = OpenSSL::PKey::EC::Group.new(group_name)
+      server_public_key_bn = OpenSSL::BN.new(serverkey16bn.unpack('H*').first, 16)
+      server_public_key = OpenSSL::PKey::EC::Point.new(group, server_public_key_bn)
+      shared_secret = curve.dh_compute_key(server_public_key)
 
-    def encode64(bytes)
-      Base64.urlsafe_encode64(bytes)
-    end
+      client_public_key_bn = curve.public_key.to_bn
+      client_auth_token = Webpush.decode64(auth)
+
+      info = "WebPush: info\0" + client_public_key_bn.to_s(2) + server_public_key_bn.to_s(2)
+      content_encryption_key_info = "Content-Encoding: aes128gcm\0"
+      nonce_info = "Content-Encoding: nonce\0"
 
-    def decode64(str)
-      Base64.urlsafe_decode64(str)
+      prk = HKDF.new(shared_secret, salt: client_auth_token, algorithm: 'SHA256', info: info).next_bytes(32)
+
+      content_encryption_key = HKDF.new(prk, salt: salt, info: content_encryption_key_info).next_bytes(16)
+      nonce = HKDF.new(prk, salt: salt, info: nonce_info).next_bytes(12)
+
+      decrypt_ciphertext(ciphertext, content_encryption_key, nonce)
     end
 
-    def pad64(str)
-      str = str.ljust((str.length + 3) & ~3, '=') if !str.end_with?('=') && str.length % 4 != 0
-      str
+    def decrypt_ciphertext(ciphertext, content_encryption_key, nonce)
+      secret_data = ciphertext.byteslice(0, ciphertext.bytesize-16)
+      auth = ciphertext.byteslice(ciphertext.bytesize-16, ciphertext.bytesize)
+      decipher = OpenSSL::Cipher.new('aes-128-gcm')
+      decipher.decrypt
+      decipher.key = content_encryption_key
+      decipher.iv = nonce
+      decipher.auth_tag = auth
+
+      decrypted = decipher.update(secret_data) + decipher.final
+
+      e = decrypted.byteslice(-2, decrypted.bytesize)
+      expect(e).to eq("\2\0")
+
+      decrypted.byteslice(0, decrypted.bytesize-2)
     end
   end
 end