/*
 *  Copyright (C) 2017 - This file is part of libecc project
 *
 *  Authors:
 *      Ryad BENADJILA <ryadbenadjila@gmail.com>
 *      Arnaud EBALARD <arnaud.ebalard@ssi.gouv.fr>
 *      Jean-Pierre FLORI <jean-pierre.flori@ssi.gouv.fr>
 *
 *  Contributors:
 *      Nicolas VIVET <nicolas.vivet@ssi.gouv.fr>
 *      Karim KHALFALLAH <karim.khalfallah@ssi.gouv.fr>
 *
 *  This software is licensed under a dual BSD and GPL v2 license.
 *  See LICENSE file at the root folder of the project.
 */
#include <libecc/lib_ecc_config.h>
#include <libecc/libec.h>

/* We include the printf external dependency for printf output */
#include <libecc/external_deps/print.h>

/*
 * The purpose of this example is to implement a 'toy'
 * ECDH (Elliptic curve Diffie-Hellman) protocol. Alice
 * and Bob want to derive a secret 'x' without sharing the
 * same secret key (using asymmetric cryptography). In order
 * to do this, they agree upon a public Elliptic Curve with
 * a generator G. Alice (resp. Bob) generates a private value
 * d_Alice (resp. d_Bob) < q, where q is the order of G.
 * Alice (resp. Bob) computes and shares Q_Alice = d_Alice x G
 * (resp. Q_Bob = d_Bob x G) over a public channel. Alice
 * and Bob now both can compute the same point Q such that
 * Q = d_Alice x Q_Bob = d_Bob x Q_Alice, and the shared
 * secret 'x' is the first coordinate of the curve point Q.
 * External passive observers cannot compute 'x'.
 *
 * NOTE: We don't seek for communication bandwidth
 *       optimization here, this is why we use arrays to
 *       exchange affine coordinates points (and not
 *       the compressed x coordinate since the
 *	 curve equation can be used).
 *
 * XXX NOTE: for a robust implementation of the ECDH
 * primitives, please use the APIs provided in src/ecdh
 * of libecc as they are suitable for "production". The
 * purpose of the current toy example is only to show how
 * one can manipulate the curve level APIs.
 *
 */

/* Zero buffer to detect empty buffers */
static u8 zero[2 * NN_MAX_BYTE_LEN] = { 0 };

/*
 * The following global variables simulate our shared "data bus"
 * where Alice and Bob exchange data.
 */

/* Global array holding Alice to Bob public value
 * Q_Alice = d_Alice x G.
 * This is a serialized affine EC point, holding
 * 2 coordinates, meaning that its maximum size is
 * 2 * NN_MAX_BYTE_LEN (i.e. this will work for
 * all our curves).
 */
static u8 Alice_to_Bob[2 * NN_MAX_BYTE_LEN] = { 0 };

/* Global array holding Bob to Alice public value
 * Q_Bob = d_Bob x G.
 * This is a serialized affine EC point, holding
 * 2 coordinates, meaning that its maximum size is
 * 2 * NN_MAX_BYTE_LEN. (i.e. this will work for
 * all our curves).
 */
static u8 Bob_to_Alice[2 * NN_MAX_BYTE_LEN] = { 0 };

static const u8 Alice[] = "Alice";
static const u8 Bob[] = "Bob";
#define CHECK_SIZE LOCAL_MIN(sizeof(Alice), sizeof(Bob))

ATTRIBUTE_WARN_UNUSED_RET int ECDH_helper(const u8 *curve_name, const u8 *role);
int ECDH_helper(const u8 *curve_name, const u8 *role)
{
	int ret, check1, check2;
	/* The projective point we will use */
	prj_pt Q;
	/* The private scalar value for Alice and Bob, as well as their
	 * respective shared secrets.
	 * These are 'static' in order to keep them across multiple calls
	 * of the function.
	 */
	static nn d_Alice, d_Bob;
	nn_t d = NULL;
	static fp x_Alice, x_Bob;
	fp_t x = NULL;
	const char *x_str;
	/* Pointers to the communication buffers */
	u8 *our_public_buffer, *other_public_buffer;
	u32 len;

	const ec_str_params *the_curve_const_parameters;
	/* libecc internal structure holding the curve parameters */
	ec_params curve_params;

	Q.magic = WORD(0);

	MUST_HAVE((curve_name != NULL) && (role != NULL), ret, err);

	/****** Alice => Bob *********************************************************/
	ret = are_equal(role, Alice, CHECK_SIZE, &check1); EG(ret, err);
	ret = are_equal(role, Bob, CHECK_SIZE, &check2); EG(ret, err);
	if (check1) {
		our_public_buffer = Alice_to_Bob;
		other_public_buffer = Bob_to_Alice;
		d = &d_Alice;
		x = &x_Alice;
		x_str = "  x_Alice";
	}
	/****** Bob => Alice *********************************************************/
	else if (check2) {
		our_public_buffer = Bob_to_Alice;
		other_public_buffer = Alice_to_Bob;
		d = &d_Bob;
		x = &x_Bob;
		x_str = "  x_Bob  ";
	}
	else {
		/* Unknown role, get out */
		ext_printf("  Error: unknown role %s for ECDH\n", role);
		ret = -1;
		goto err;
	}

	/* Importing specific curve parameters from the constant static
	 * buffers describing it:
	 * It is possible to import a curve set of parameters by its name.
	 */
	ret = local_strnlen((const char *)curve_name, MAX_CURVE_NAME_LEN, &len); EG(ret, err);
	len += 1;
	MUST_HAVE((len < 256), ret, err);
	ret =	ec_get_curve_params_by_name(curve_name,
					    (u8)len, &the_curve_const_parameters); EG(ret, err);
	/* Get out if getting the parameters went wrong */
	if (the_curve_const_parameters == NULL) {
		ext_printf("  Error: error when importing curve %s "
			   "parameters ...\n", curve_name);
		ret = -1;
		goto err;
	}
	/* Now map the curve parameters to our libecc internal representation */
	ret = import_params(&curve_params, the_curve_const_parameters); EG(ret, err);

	/* Initialize our projective point with the curve parameters */
	ret = prj_pt_init(&Q, &(curve_params.ec_curve)); EG(ret, err);
	ret = are_equal(our_public_buffer, zero, sizeof(zero), &check1); EG(ret, err);
	if (!check1) {
		/* We have already generated and sent our parameters, skip to
		 * the state where we wait for the other party to generate and
		 * send us data.
		 */
		goto generate_shared_secret;
	}

	/* Generate our ECDH parameters: a private scalar d and a public value Q = dG where G is the
	 * curve generator.
	 * d = random mod (q) where q is the order of the generator G.
	 */
	ret = nn_init(d, 0); EG(ret, err);
	ret = nn_get_random_mod(d, &(curve_params.ec_gen_order)); EG(ret, err);

	/* Q = dG */
	ret = prj_pt_mul(&Q, d, &(curve_params.ec_gen)); EG(ret, err);

	/* Now send the public value Q to the other party, get the other party
	 * public value and compute the shared secret.
	 * Our export size is exactly 2 coordinates in Fp (affine point representation),
	 * so this should be 2 times the size of an element in Fp.
	 */
	ret = prj_pt_export_to_aff_buf(&Q, our_public_buffer,
			     (u32)(2 * BYTECEIL(curve_params.ec_fp.p_bitlen))); EG(ret, err);

 generate_shared_secret:
	/* Now (non blocking) wait for the other party to send us its public value */
	ret = are_equal(other_public_buffer, zero, sizeof(zero), &check1); EG(ret, err);
	if (check1) {
		/* Other party has not sent its public value yet! */
		ret = 0;
		goto err;
	}
	/* If our private value d is not initialized, this means that we have already
	 * done the job of computing the shared secret!
	 */
	if (nn_check_initialized(d)) {
		ret = 1;
		goto err;
	}
	/* Import the shared value as a projective point from an affine point buffer
	 */
	ret = prj_pt_import_from_aff_buf(&Q, other_public_buffer,
			       (u16)(2 * BYTECEIL(curve_params.ec_fp.p_bitlen)),
			       &(curve_params.ec_curve)); EG(ret, err);
	/* Compute the shared value = first coordinate of dQ */
	ret = prj_pt_mul(&Q, d, &Q); EG(ret, err);
	/* Move to the unique representation */
	/* Compute the affine coordinates to get the unique (x, y) representation
	 * (projective points are equivalent by a z scalar)
	 */
	ret = prj_pt_unique(&Q, &Q); EG(ret, err);
	ext_printf("  ECDH shared secret computed by %s:\n", role);
	/* The shared secret 'x' is the first coordinate of Q */
	ret = fp_init(x, &(curve_params.ec_fp)); EG(ret, err);
	ret = fp_copy(x, &(Q.X)); EG(ret, err);
	fp_print(x_str, x);

	ret = 1;

	/* Uninit local variables */
	prj_pt_uninit(&Q);
	if(x != NULL){
		fp_uninit(x);
	}
	if(d != NULL){
		nn_uninit(d);
	}

err:
	return ret;
}

#ifdef CURVE_ECDH
int main(int argc, char *argv[])
{
	unsigned int i;
	u8 curve_name[MAX_CURVE_NAME_LEN] = { 0 };
	int ret;
	FORCE_USED_VAR(argc);
	FORCE_USED_VAR(argv);

	/* Traverse all the possible curves we have at our disposal (known curves and
	 * user defined curves).
	 */
	for (i = 0; i < EC_CURVES_NUM; i++) {
		ret = local_memset(Alice_to_Bob, 0, sizeof(Alice_to_Bob)); EG(ret, err);
		ret = local_memset(Bob_to_Alice, 0, sizeof(Bob_to_Alice)); EG(ret, err);
		/* All our possible curves are in ../curves/curves_list.h
		 * We can get the curve name from its internal type.
		 */
		if(ec_get_curve_name_by_type(ec_maps[i].type, curve_name,
					  sizeof(curve_name))){
			ret = -1;
			ext_printf("Error: error when treating %s\n", curve_name);
			goto err;
		}
		/* Perform ECDH between Alice and Bob! */
		ext_printf("[+] ECDH on curve %s\n", curve_name);
		if(ECDH_helper(curve_name, Alice) != 0){
			ret = -1;
			ext_printf("Error: error in ECDH_helper\n");
			goto err;
		}
		if(ECDH_helper(curve_name, Bob) != 1){
			ret = -1;
			ext_printf("Error: error in ECDH_helper\n");
			goto err;
		}
		/* We have to call our ECDH helper again for Alice
		 * since she was waiting for Bob to send his public data.
		 * This is our loose way of dealing with 'concurrency'
		 * without threads ...
		 */
		if(ECDH_helper(curve_name, Alice) != 1){
			ret = -1;
			ext_printf("Error: error in ECDH_helper\n");
			goto err;
		}
		ext_printf("==================================\n");
	}

	ret = 0;

err:
	return ret;
}
#endif /* CURVE_ECDH */