1  /*************************************************************************
  2   * Written in 2020-2022 by Elichai Turkel                                *
  3   * To the extent possible under law, the author(s) have dedicated all    *
  4   * copyright and related and neighboring rights to the software in this  *
  5   * file to the public domain worldwide. This software is distributed     *
  6   * without any warranty. For the CC0 Public Domain Dedication, see       *
  7   * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
  8   *************************************************************************/
  9  
 10  #include <stdio.h>
 11  #include <stdlib.h>
 12  #include <assert.h>
 13  #include <string.h>
 14  
 15  #include <secp256k1.h>
 16  #include <secp256k1_ecdh.h>
 17  
 18  #include "examples_util.h"
 19  
 20  int main(void) {
 21      unsigned char seckey1[32];
 22      unsigned char seckey2[32];
 23      unsigned char compressed_pubkey1[33];
 24      unsigned char compressed_pubkey2[33];
 25      unsigned char shared_secret1[32];
 26      unsigned char shared_secret2[32];
 27      unsigned char randomize[32];
 28      int return_val;
 29      size_t len;
 30      secp256k1_pubkey pubkey1;
 31      secp256k1_pubkey pubkey2;
 32  
 33      /* Before we can call actual API functions, we need to create a "context". */
 34      secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
 35      if (!fill_random(randomize, sizeof(randomize))) {
 36          printf("Failed to generate randomness\n");
 37          return EXIT_FAILURE;
 38      }
 39      /* Randomizing the context is recommended to protect against side-channel
 40       * leakage See `secp256k1_context_randomize` in secp256k1.h for more
 41       * information about it. This should never fail. */
 42      return_val = secp256k1_context_randomize(ctx, randomize);
 43      assert(return_val);
 44  
 45      /*** Key Generation ***/
 46      if (!fill_random(seckey1, sizeof(seckey1)) || !fill_random(seckey2, sizeof(seckey2))) {
 47          printf("Failed to generate randomness\n");
 48          return EXIT_FAILURE;
 49      }
 50      /* If the secret key is zero or out of range (greater than secp256k1's
 51      * order), we fail. Note that the probability of this occurring is negligible
 52      * with a properly functioning random number generator. */
 53      if (!secp256k1_ec_seckey_verify(ctx, seckey1) || !secp256k1_ec_seckey_verify(ctx, seckey2)) {
 54          printf("Generated secret key is invalid. This indicates an issue with the random number generator.\n");
 55          return EXIT_FAILURE;
 56      }
 57  
 58      /* Public key creation using a valid context with a verified secret key should never fail */
 59      return_val = secp256k1_ec_pubkey_create(ctx, &pubkey1, seckey1);
 60      assert(return_val);
 61      return_val = secp256k1_ec_pubkey_create(ctx, &pubkey2, seckey2);
 62      assert(return_val);
 63  
 64      /* Serialize pubkey1 in a compressed form (33 bytes), should always return 1 */
 65      len = sizeof(compressed_pubkey1);
 66      return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey1, &len, &pubkey1, SECP256K1_EC_COMPRESSED);
 67      assert(return_val);
 68      /* Should be the same size as the size of the output, because we passed a 33 byte array. */
 69      assert(len == sizeof(compressed_pubkey1));
 70  
 71      /* Serialize pubkey2 in a compressed form (33 bytes) */
 72      len = sizeof(compressed_pubkey2);
 73      return_val = secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey2, &len, &pubkey2, SECP256K1_EC_COMPRESSED);
 74      assert(return_val);
 75      /* Should be the same size as the size of the output, because we passed a 33 byte array. */
 76      assert(len == sizeof(compressed_pubkey2));
 77  
 78      /*** Creating the shared secret ***/
 79  
 80      /* Perform ECDH with seckey1 and pubkey2. Should never fail with a verified
 81       * seckey and valid pubkey */
 82      return_val = secp256k1_ecdh(ctx, shared_secret1, &pubkey2, seckey1, NULL, NULL);
 83      assert(return_val);
 84  
 85      /* Perform ECDH with seckey2 and pubkey1. Should never fail with a verified
 86       * seckey and valid pubkey */
 87      return_val = secp256k1_ecdh(ctx, shared_secret2, &pubkey1, seckey2, NULL, NULL);
 88      assert(return_val);
 89  
 90      /* Both parties should end up with the same shared secret */
 91      return_val = memcmp(shared_secret1, shared_secret2, sizeof(shared_secret1));
 92      assert(return_val == 0);
 93  
 94      printf("Secret Key1: ");
 95      print_hex(seckey1, sizeof(seckey1));
 96      printf("Compressed Pubkey1: ");
 97      print_hex(compressed_pubkey1, sizeof(compressed_pubkey1));
 98      printf("\nSecret Key2: ");
 99      print_hex(seckey2, sizeof(seckey2));
100      printf("Compressed Pubkey2: ");
101      print_hex(compressed_pubkey2, sizeof(compressed_pubkey2));
102      printf("\nShared Secret: ");
103      print_hex(shared_secret1, sizeof(shared_secret1));
104  
105      /* This will clear everything from the context and free the memory */
106      secp256k1_context_destroy(ctx);
107  
108      /* It's best practice to try to clear secrets from memory after using them.
109       * This is done because some bugs can allow an attacker to leak memory, for
110       * example through "out of bounds" array access (see Heartbleed), or the OS
111       * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
112       *
113       * Here we are preventing these writes from being optimized out, as any good compiler
114       * will remove any writes that aren't used. */
115      secure_erase(seckey1, sizeof(seckey1));
116      secure_erase(seckey2, sizeof(seckey2));
117      secure_erase(shared_secret1, sizeof(shared_secret1));
118      secure_erase(shared_secret2, sizeof(shared_secret2));
119  
120      return EXIT_SUCCESS;
121  }