SharedSecret v1.5, March 2022
http://sectools.free.fr

This is just a practical implementation of the Diffie-Hellman key exchange:
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

    Client                    Server

   ShrSecClt.exe  <------->  ShrSecSrv.exe
       |                         |
       |                         |
       v                         v
   ShrSecClt.dat             ShrSecSrv.dat           keys
   ShrSecClt.bat             ShrSecSrv.bat           commands for decoding and/or decrypting
   
General use:

Launch the server, and then the client.
For a quick test, they can be run on the same host without any argument.

Optional arguments:

ShrSecClt.exe:

 -HostAddr=...  destination address (default: localhost)
 -HostPort=...  destination port    (default: 6600)
 -TimeOut=...   connection, send and receive timeout
 -Seed=...      value mixed into the secret generation
 -Pass[=...]    passphrase used to encrypt the stored key (without a value: prompt for it)
 -DH            use the DH group 2048-bit MODP with 256-bit prime-order subgroup (RFC 5114)
 -EC[=...]      use an elliptic curve (default: prime256v1)
 -X25519        use the X25519 curve
 -X448          use the X448 curve
 -h             display this help
 
'-DH', '-EC', '-X25519' and '-X448' are mutually exclusive: only one of them (if any) can be used,
and the server must then be started with the same option.
The available curves are listed in the file listcurves.txt.
 
If a seed is supplied, the same value must be given on the other side.
The seed should be kept secret: it provides a basic authentication mechanism, since a party that
does not know it will not derive the same secret. It can be exchanged over an alternative channel,
for example by phone.
 
If -Pass is NOT used, the generated shared secret is stored in the ShrSecClt.dat file unencrypted,
only base64 encoded. The ShrSecClt.bat file then contains the OpenSSL command that just decodes it
back to the raw (binary) secret/key.

If -Pass IS used with a value (-Pass=testpass), this value is used to encrypt the key.
The ShrSecClt.dat file then contains the encrypted and base64-encoded key.
The ShrSecClt.bat file contains the OpenSSL command to decode AND decrypt the key
(the passphrase is needed again).
It also contains, commented out, the command to retrieve the IV and key (again given the passphrase),
in case you want to decrypt with other software.

If -Pass IS used but WITHOUT a value (-Pass or -Pass=), you are prompted for the passphrase, which is
read without echo on the console. This is less practical but more secure: the passphrase does not
appear on the command line, and therefore not in the shell history or in the process list either.

ShrSecSrv.exe:

 -LisPort=...   port to listen on (default: 6600)
 -ClientIP=...  IP address of the client to accept
 -TimeOut=...   send and receive timeout
 -DH, -EC[=...], -X25519, -X448
                group or curve to use, as for the client (must match the client's choice)
 -Seed=..., -Pass[=...], -h
                as for the client
 
Once launched, the server waits for a client to connect. To stop it, press Ctrl+C.

If -ClientIP is given, only a client connecting FROM that IP address is accepted.

Examples:
ShrSecSrv -LisPort=54321 -Seed="graine de voyou" -Pass="garder secret"
ShrSecClt -HostAddr=MonAutreOrdi -HostPort=54321 -Seed="graine de voyou" -Pass

***

Technical note: by sniffing the network it can be verified that what is transmitted is just a
DER-encoded ephemeral public key, preceded by a 6-byte header.
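The exchange described above (ephemeral public keys on the wire, an optional secret seed mixed into the derived secret, and, for the technical note, the DER form of the public key) as an added example that is not code from SharedSecret: a stdlib-only Python X25519 exchange with both sides running in one process. Assumptions, since this page does not specify them: the seed is mixed in with HMAC-SHA256 (seed as key, raw DH output as message), the key without a seed is SHA-256 of the raw output, and the tool's 6-byte header is not modelled; the wire message here is a plain X25519 SubjectPublicKeyInfo.

```python
import hashlib
import hmac
import os
from typing import Optional

P = 2**255 - 19                 # Curve25519 field prime
A24 = 121665                    # (A - 2) / 4 for the Montgomery coefficient A = 486662
BASEPOINT = (9).to_bytes(32, "little")
# DER prefix of an X25519 SubjectPublicKeyInfo (RFC 8410): SEQUENCE { AlgorithmIdentifier
# { OID 1.3.101.110 }, BIT STRING (one unused-bits byte + the 32-byte u-coordinate) }
SPKI_X25519_PREFIX = bytes.fromhex("302a300506032b656e032100")


def _clamp(scalar: bytes) -> int:
    """Decode a 32-byte private scalar as RFC 7748 requires."""
    k = bytearray(scalar)
    k[0] &= 248          # clear the low 3 bits (cofactor)
    k[31] &= 127         # clear bit 255
    k[31] |= 64          # set bit 254
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. The `if swap` branch is not constant time:
    acceptable for a demonstration, not for a real implementation."""
    k = _clamp(scalar)
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P   # mask the MSB, reduce
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(rand=os.urandom):
    """Fresh ephemeral key pair: (private scalar, public u-coordinate)."""
    priv = rand(32)
    return priv, x25519(priv, BASEPOINT)


def pub_to_der(pub: bytes) -> bytes:
    """The message on the wire (minus the tool's header, not modelled): a DER SubjectPublicKeyInfo."""
    return SPKI_X25519_PREFIX + pub


def pub_from_der(der: bytes) -> bytes:
    if len(der) != 44 or der[:12] != SPKI_X25519_PREFIX:
        raise ValueError("not an X25519 SubjectPublicKeyInfo")
    return der[12:]


def derive_key(priv: bytes, peer_der: bytes, seed: Optional[str]) -> bytes:
    """Raw DH output -> 32-byte key. Assumed seed mixing: HMAC-SHA256 keyed by the seed."""
    raw = x25519(priv, pub_from_der(peer_der))
    if raw == bytes(32):             # RFC 7748 section 6.1: reject low-order peer points
        raise ValueError("peer sent a low-order public key")
    if seed is None:
        return hashlib.sha256(raw).digest()
    return hmac.new(seed.encode(), raw, hashlib.sha256).digest()


def run_exchange(client_seed: Optional[str], server_seed: Optional[str]):
    """Both sides in one process; returns (client_key, server_key)."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    c_msg, s_msg = pub_to_der(c_pub), pub_to_der(s_pub)   # the two messages that cross the wire
    return derive_key(c_priv, s_msg, client_seed), derive_key(s_priv, c_msg, server_seed)


def rfc7748_self_test() -> bool:
    """Check the ladder against the RFC 7748 section 6.1 test vectors."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    a_pub = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    b_pub = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
    k = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")
    return x25519(a, BASEPOINT) == a_pub and x25519(a, b_pub) == k


if __name__ == "__main__":
    print("RFC 7748 vectors:", "ok" if rfc7748_self_test() else "FAIL")
    same = run_exchange("graine de voyou", "graine de voyou")
    print("same seed, keys match:", same[0] == same[1])
    diff = run_exchange("graine de voyou", "wrong seed")
    print("different seeds, keys match:", diff[0] == diff[1])
```

With matching seeds both sides end up with the same key; with different seeds (or a seed known to only one side, as for an eavesdropper who can run its own exchange but not reproduce the out-of-band value) the keys differ even though the raw DH output is shared. The all-zero check before mixing is the low-order-point rejection that RFC 7748 recommends for any X25519 peer value received over the network.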