int attacker_key_item_havege_random_stub(void *havege_state,
char *output, size_t len)
//@ requires PRG_PRECONDITION(havege_state_initialized, havege_state);
//@ ensures PRG_POSTCONDITION(havege_state_initialized, havege_state);
{
return havege_random(havege_state, output, len);
}
int get_iv(havege_state *state, char* iv)
/*@ requires [_]public_invar(?pub) &*&
havege_state_initialized(state) &*&
random_permission(?p, ?c) &*& true == bad(p) &*&
is_bad_nonce_is_public(?proof, pub, ?pred) &*&
pred() &*& chars(iv, 16, _);@*/
/*@ ensures havege_state_initialized(state) &*&
random_permission(p, c + 1) &*&
is_bad_nonce_is_public(proof, pub, pred) &*&
pred() &*& crypto_chars(normal, iv, 16, ?ccs) &*&
result != 0 || ccs == ccs_for_cg(cg_nonce(p, c + 1));@*/
{
int result = -1;
//@ close random_request(p, 0, false);
if (havege_random(state, iv, 16) == 0)
{
//@ open cryptogram(iv, 16, ?ccs_iv, ?cg_iv);
//@ close cryptogram(iv, 16, ccs_iv, cg_iv);
//@ proof(cg_iv);
//@ public_cryptogram(iv, cg_iv);
result = 0;
}
//@ chars_to_crypto_chars(iv, 16);
return result;
}
void attacker_send_random(havege_state *havege_state, void* socket)
//@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
//@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
int temp;
int size;
char buffer[MAX_MESSAGE_SIZE];
//@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
//@ close_havege_util(pub, pred, attacker);
r_int_with_bounds(havege_state, &temp, MIN_RANDOM_SIZE, MAX_MESSAGE_SIZE);
size = temp;
r_int_with_bounds(havege_state, &temp, 0, INT_MAX);
//@ open_havege_util(pub, pred, attacker);
//@ close random_request(attacker, temp, false);
if (havege_random(havege_state, buffer, (unsigned int) size) == 0)
{
//@ assert cryptogram(buffer, size, ?ccs, ?cg);
//@ assert is_bad_nonce_is_public(?proof, pub, pred);
//@ proof(cg);
//@ public_cryptogram(buffer, cg);
net_send(socket, buffer, (unsigned int) size);
}
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
}
result_t crypto_base::randomBytes(int32_t size, obj_ptr<Buffer_base> &retVal,
exlib::AsyncEvent *ac)
{
if (!ac)
return CHECK_ERROR(CALL_E_NOSYNC);
time_t t;
int i, ret;
havege_state hs;
unsigned char buf[1024];
std::string strBuf;
strBuf.resize(size);
havege_init(&hs);
t = time(NULL);
for (i = 0; i < size; i += sizeof(buf))
{
ret = havege_random(&hs, buf, sizeof(buf));
if (ret != 0)
return CHECK_ERROR(_ssl::setError(ret));
memcpy(&strBuf[i], buf, size - i > (int)sizeof(buf) ? (int)sizeof(buf) : size - i);
}
if (t == time(NULL))
t--;
retVal = new Buffer(strBuf);
return 0;
}
std::string Config::getChallenge()
{
unsigned char challenge[32];
unsigned char challenge64[64];
size_t challenge64Size = 64;
havege_random((void*)&(this->havegeState), challenge, 32);
base64_encode(challenge64, &challenge64Size,challenge, 32);
challenge64[challenge64Size] = 0;
std::string ret = (char *) challenge64;
return ret;
}
int havege_poll( void *data,
unsigned char *output, size_t len, size_t *olen )
{
havege_state *hs = (havege_state *) data;
*olen = 0;
if( havege_random( hs, output, len ) != 0 )
return( POLARSSL_ERR_ENTROPY_SOURCE_FAILED );
*olen = len;
return( 0 );
}
int asym_enc_havege_random_stub(void *havege_state, char *output, size_t len)
/*@ requires [?f]havege_state_initialized(havege_state) &*&
random_request(?principal, ?info, ?key_request) &*&
random_permission(principal, ?count) &*&
chars(output, len, _) &*& len >= MIN_RANDOM_SIZE;
@*/
/*@ ensures [f]havege_state_initialized(havege_state) &*&
random_permission(principal, count + 1) &*&
result == 0 ?
cryptogram(output, len, ?cs, ?cg) &*&
info == cg_info(cg) &*&
key_request ?
cg == cg_symmetric_key(principal, count + 1)
:
cg == cg_nonce(principal, count + 1)
:
chars(output, len, _);
@*/
{
return havege_random(havege_state, output, len);
}
void Config::setAuth(bool _useAuth, const char *pass)
{
size_t passLength = strlen(pass);
this->useAuth = _useAuth;
if(useAuth)
{
unsigned char salt[32];
unsigned char salt64[64];
size_t salt64Size = 64;
havege_random((void*)&(this->havegeState), salt, 32);
base64_encode(salt64, &salt64Size, salt, 32);
salt64[salt64Size] = 0;
int saltPlusPassSize = salt64Size + passLength;
char* saltPlusPass = (char*)malloc(saltPlusPassSize);
memcpy(saltPlusPass, pass, passLength);
memcpy(saltPlusPass + passLength, salt64, salt64Size);
unsigned char passHash[32];
unsigned char passHash64[64];
size_t passHash64Size = 64;
sha2((unsigned char *)saltPlusPass, saltPlusPassSize, passHash, 0);
zero(saltPlusPass, saltPlusPassSize);
free(saltPlusPass);
base64_encode(passHash64, &passHash64Size, passHash, 32);
passHash64[passHash64Size] = 0;
this->authHash = (char *)passHash64;
this->authSalt = (char *)salt64;
}
}
int gen_key( unsigned char *key, int key_lenght){
int i = 0;
int ret = 1;
havege_state *hs = malloc(sizeof( havege_state)) ;
if( hs == NULL )
return -1;
havege_init(hs);
ret = havege_random( hs, key, key_lenght);
for( i= 0; i < key_lenght; i++)
printf("%c",key[i]);
free(hs);
return ret;
}
int main( int argc, char *argv[] )
{
int keysize;
unsigned long i, j, tsc;
unsigned char tmp[64];
#if defined(POLARSSL_ARC4_C)
arc4_context arc4;
#endif
#if defined(POLARSSL_DES_C)
des3_context des3;
des_context des;
#endif
#if defined(POLARSSL_AES_C)
aes_context aes;
#endif
#if defined(POLARSSL_CAMELLIA_C)
camellia_context camellia;
#endif
#if defined(POLARSSL_RSA_C) && defined(POLARSSL_BIGNUM_C) && \
defined(POLARSSL_GENPRIME)
rsa_context rsa;
#endif
#if defined(POLARSSL_HAVEGE_C)
havege_state hs;
#endif
#if defined(POLARSSL_CTR_DRBG_C)
ctr_drbg_context ctr_drbg;
#endif
((void) argc);
((void) argv);
memset( buf, 0xAA, sizeof( buf ) );
printf( "\n" );
#if defined(POLARSSL_MD4_C)
printf( HEADER_FORMAT, "MD4" );
fflush( stdout );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
md4( buf, BUFSIZE, tmp );
tsc = hardclock();
for( j = 0; j < 1024; j++ )
md4( buf, BUFSIZE, tmp );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
#endif
#if defined(POLARSSL_MD5_C)
printf( HEADER_FORMAT, "MD5" );
fflush( stdout );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
md5( buf, BUFSIZE, tmp );
tsc = hardclock();
for( j = 0; j < 1024; j++ )
md5( buf, BUFSIZE, tmp );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
#endif
#if defined(POLARSSL_SHA1_C)
printf( HEADER_FORMAT, "SHA-1" );
fflush( stdout );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
sha1( buf, BUFSIZE, tmp );
tsc = hardclock();
for( j = 0; j < 1024; j++ )
sha1( buf, BUFSIZE, tmp );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
#endif
#if defined(POLARSSL_SHA2_C)
printf( HEADER_FORMAT, "SHA-256" );
fflush( stdout );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
sha2( buf, BUFSIZE, tmp, 0 );
tsc = hardclock();
for( j = 0; j < 1024; j++ )
sha2( buf, BUFSIZE, tmp, 0 );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
#endif
#if defined(POLARSSL_SHA4_C)
printf( HEADER_FORMAT, "SHA-512" );
fflush( stdout );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
sha4( buf, BUFSIZE, tmp, 0 );
tsc = hardclock();
for( j = 0; j < 1024; j++ )
sha4( buf, BUFSIZE, tmp, 0 );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
#endif
#if defined(POLARSSL_ARC4_C)
printf( HEADER_FORMAT, "ARC4" );
fflush( stdout );
arc4_setup( &arc4, tmp, 32 );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
arc4_crypt( &arc4, BUFSIZE, buf, buf );
tsc = hardclock();
for( j = 0; j < 1024; j++ )
arc4_crypt( &arc4, BUFSIZE, buf, buf );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
#endif
#if defined(POLARSSL_DES_C)
printf( HEADER_FORMAT, "3DES" );
fflush( stdout );
des3_set3key_enc( &des3, tmp );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
des3_crypt_cbc( &des3, DES_ENCRYPT, BUFSIZE, tmp, buf, buf );
tsc = hardclock();
for( j = 0; j < 1024; j++ )
des3_crypt_cbc( &des3, DES_ENCRYPT, BUFSIZE, tmp, buf, buf );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
printf( HEADER_FORMAT, "DES" );
fflush( stdout );
des_setkey_enc( &des, tmp );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
des_crypt_cbc( &des, DES_ENCRYPT, BUFSIZE, tmp, buf, buf );
tsc = hardclock();
for( j = 0; j < 1024; j++ )
des_crypt_cbc( &des, DES_ENCRYPT, BUFSIZE, tmp, buf, buf );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
#endif
#if defined(POLARSSL_AES_C)
for( keysize = 128; keysize <= 256; keysize += 64 )
{
printf( " AES-%d : ", keysize );
fflush( stdout );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
aes_setkey_enc( &aes, tmp, keysize );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
aes_crypt_cbc( &aes, AES_ENCRYPT, BUFSIZE, tmp, buf, buf );
tsc = hardclock();
for( j = 0; j < 4096; j++ )
aes_crypt_cbc( &aes, AES_ENCRYPT, BUFSIZE, tmp, buf, buf );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
}
#endif
#if defined(POLARSSL_CAMELLIA_C)
for( keysize = 128; keysize <= 256; keysize += 64 )
{
printf( " CAMELLIA-%d : ", keysize );
fflush( stdout );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
camellia_setkey_enc( &camellia, tmp, keysize );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
camellia_crypt_cbc( &camellia, CAMELLIA_ENCRYPT, BUFSIZE, tmp, buf, buf );
tsc = hardclock();
for( j = 0; j < 4096; j++ )
camellia_crypt_cbc( &camellia, CAMELLIA_ENCRYPT, BUFSIZE, tmp, buf, buf );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
}
#endif
#if defined(POLARSSL_HAVEGE_C)
printf( HEADER_FORMAT, "HAVEGE" );
fflush( stdout );
havege_init( &hs );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
havege_random( &hs, buf, BUFSIZE );
tsc = hardclock();
for( j = 1; j < 1024; j++ )
havege_random( &hs, buf, BUFSIZE );
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
#endif
#if defined(POLARSSL_CTR_DRBG_C)
printf( HEADER_FORMAT, "CTR_DRBG (NOPR)" );
fflush( stdout );
if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
exit(1);
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1);
tsc = hardclock();
for( j = 1; j < 1024; j++ )
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1);
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
printf( HEADER_FORMAT, "CTR_DRBG (PR)" );
fflush( stdout );
if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
exit(1);
ctr_drbg_set_prediction_resistance( &ctr_drbg, CTR_DRBG_PR_ON );
set_alarm( 1 );
for( i = 1; ! alarmed; i++ )
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1);
tsc = hardclock();
for( j = 1; j < 1024; j++ )
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1);
printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
( hardclock() - tsc ) / ( j * BUFSIZE ) );
#endif
#if defined(POLARSSL_RSA_C) && defined(POLARSSL_BIGNUM_C) && \
defined(POLARSSL_GENPRIME)
rsa_init( &rsa, RSA_PKCS_V15, 0 );
rsa_gen_key( &rsa, myrand, NULL, 1024, 65537 );
printf( HEADER_FORMAT, "RSA-1024" );
fflush( stdout );
set_alarm( 3 );
for( i = 1; ! alarmed; i++ )
{
buf[0] = 0;
rsa_public( &rsa, buf, buf );
}
printf( "%9lu public/s\n", i / 3 );
printf( HEADER_FORMAT, "RSA-1024" );
fflush( stdout );
set_alarm( 3 );
for( i = 1; ! alarmed; i++ )
{
buf[0] = 0;
rsa_private( &rsa, buf, buf );
}
printf( "%9lu private/s\n", i / 3 );
rsa_free( &rsa );
rsa_init( &rsa, RSA_PKCS_V15, 0 );
rsa_gen_key( &rsa, myrand, NULL, 2048, 65537 );
printf( HEADER_FORMAT, "RSA-2048" );
fflush( stdout );
set_alarm( 3 );
for( i = 1; ! alarmed; i++ )
{
buf[0] = 0;
rsa_public( &rsa, buf, buf );
}
printf( "%9lu public/s\n", i / 3 );
printf( HEADER_FORMAT, "RSA-2048" );
fflush( stdout );
set_alarm( 3 );
for( i = 1; ! alarmed; i++ )
{
buf[0] = 0;
rsa_private( &rsa, buf, buf );
}
printf( "%9lu private/s\n", i / 3 );
rsa_free( &rsa );
rsa_init( &rsa, RSA_PKCS_V15, 0 );
rsa_gen_key( &rsa, myrand, NULL, 4096, 65537 );
printf( HEADER_FORMAT, "RSA-4096" );
fflush( stdout );
set_alarm( 3 );
for( i = 1; ! alarmed; i++ )
{
buf[0] = 0;
rsa_public( &rsa, buf, buf );
}
printf( "%9lu public/s\n", i / 3 );
printf( HEADER_FORMAT, "RSA-4096" );
fflush( stdout );
set_alarm( 3 );
for( i = 1; ! alarmed; i++ )
{
buf[0] = 0;
rsa_private( &rsa, buf, buf );
}
printf( "%9lu private/s\n", i / 3 );
rsa_free( &rsa );
#endif
printf( "\n" );
#if defined(_WIN32)
printf( " Press Enter to exit this program.\n" );
fflush( stdout ); getchar();
#endif
return( 0 );
}
void app_send(char *key, char *message, int message_len)
/*@ requires polarssl_generated_values(?creator, ?count1) &*&
[?f0]polarssl_world(sc_auth_polarssl_pub) &*&
[?f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, ?key_cs, ?key_cg) &*&
key_cg == polarssl_symmetric_key(creator, ?key_id) &*&
[?f2]chars(message, message_len, ?m_cs) &*&
message_len >= POLARSSL_MIN_ENCRYPTED_BYTE_SIZE &*&
message_len < POLARSSL_MAX_MESSAGE_BYTE_SIZE - 84 &*&
bad(creator) ?
[_]polarssl_public_generated_chars(sc_auth_polarssl_pub)(m_cs)
:
true == app_send_event(creator, m_cs);
@*/
/*@ ensures polarssl_generated_values(creator, ?count2) &*& count2 > count1 &*&
[f0]polarssl_world(sc_auth_polarssl_pub) &*&
[f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg) &*&
[f2]chars(message, message_len, m_cs);
@*/
{
int socket;
havege_state havege_state;
char iv[16];
// init
{
net_usleep(20000);
if(net_connect(&socket, NULL, APP_RECEIVE_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
//@ close havege_state(&havege_state);
havege_init(&havege_state);
}
// iv stuff
{
//@ close random_request(creator, 0, false);
if (havege_random(&havege_state, iv, 16) != 0) abort();
}
//@ open polarssl_cryptogram(iv, 16, ?iv_cs, _);
char* m = malloc(16 + message_len + 16);
if (m == 0) abort();
memcpy(m, iv, 16);
//@ assert chars(m, 16, iv_cs);
//@ assert chars(m + 16, message_len + 16, ?cs1);
//@ polarssl_public_generated_chars_assume(sc_auth_polarssl_pub, iv_cs);
// encrypt message
{
unsigned int temp;
gcm_context gcm_context;
//@ close gcm_context(&gcm_context);
//@ open [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg);
//@ close polarssl_key_id(creator, key_id);
if (gcm_init(&gcm_context, POLARSSL_AES_CIPHER_ID, key,
(unsigned int) KEY_BYTE_SIZE * 8) != 0) abort();
//@ close [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg);
//@ chars_split(m + 16, message_len);
if (gcm_crypt_and_tag(&gcm_context, POLARSSL_GCM_ENCRYPT,
(unsigned int) message_len,
iv, 16, NULL, 0, message, m + 16, 16,
(char*) ((m + 16) + message_len)) != 0)
abort();
gcm_free(&gcm_context);
//@ open gcm_context(&gcm_context);
}
//@ assert polarssl_cryptogram(m + 16, message_len, ?e_cs, ?e_cg);
/*@ assert e_cg == polarssl_auth_encrypted(
creator, key_id, ?t_cs, m_cs, iv_cs); @*/
//@ close sc_auth_polarssl_pub(e_cg);
//@ leak sc_auth_polarssl_pub(e_cg);
/*@ polarssl_public_message_from_cryptogram(
sc_auth_polarssl_pub, m + 16, message_len, e_cs, e_cg); @*/
/*@ open polarssl_public_message(sc_auth_polarssl_pub)
(m + 16, message_len, e_cs); @*/
//@ assert chars(m + 16 + message_len, 16, t_cs);
//@ chars_join(m);
//@ chars_join(m);
//@ assert chars(m, 16 + message_len + 16, ?cs);
//@ append_assoc(iv_cs, e_cs, t_cs);
//@ assert cs == append(iv_cs, append(e_cs, t_cs));
//@ polarssl_public_generated_chars_assume(sc_auth_polarssl_pub, t_cs);
/*@ polarssl_public_generated_chars_join(
sc_auth_polarssl_pub, iv_cs, e_cs); @*/
/*@ polarssl_public_generated_chars_join(
sc_auth_polarssl_pub, append(iv_cs, e_cs), t_cs); @*/
/*@ close polarssl_public_message(sc_auth_polarssl_pub)
(m, 16 + message_len + 16,
append(iv_cs, append(e_cs, t_cs))); @*/
net_send(&socket, m, (unsigned int) 16 + (unsigned int) message_len + 16);
//@ open polarssl_public_message(sc_auth_polarssl_pub)(m, _, _);
{
free(m);
havege_free(&havege_state);
//@ open havege_state(&havege_state);
net_close(socket);
}
}
int main( int argc, char *argv[] )
{
int keysize, i;
unsigned char tmp[200];
char title[TITLE_LEN];
todo_list todo;
if( argc == 1 )
memset( &todo, 1, sizeof( todo ) );
else
{
memset( &todo, 0, sizeof( todo ) );
for( i = 1; i < argc; i++ )
{
if( strcmp( argv[i], "md4" ) == 0 )
todo.md4 = 1;
else if( strcmp( argv[i], "md5" ) == 0 )
todo.md5 = 1;
else if( strcmp( argv[i], "ripemd160" ) == 0 )
todo.ripemd160 = 1;
else if( strcmp( argv[i], "sha1" ) == 0 )
todo.sha1 = 1;
else if( strcmp( argv[i], "sha256" ) == 0 )
todo.sha256 = 1;
else if( strcmp( argv[i], "sha512" ) == 0 )
todo.sha512 = 1;
else if( strcmp( argv[i], "arc4" ) == 0 )
todo.arc4 = 1;
else if( strcmp( argv[i], "des3" ) == 0 )
todo.des3 = 1;
else if( strcmp( argv[i], "des" ) == 0 )
todo.des = 1;
else if( strcmp( argv[i], "aes_cbc" ) == 0 )
todo.aes_cbc = 1;
else if( strcmp( argv[i], "aes_gcm" ) == 0 )
todo.aes_gcm = 1;
else if( strcmp( argv[i], "camellia" ) == 0 )
todo.camellia = 1;
else if( strcmp( argv[i], "blowfish" ) == 0 )
todo.blowfish = 1;
else if( strcmp( argv[i], "havege" ) == 0 )
todo.havege = 1;
else if( strcmp( argv[i], "ctr_drbg" ) == 0 )
todo.ctr_drbg = 1;
else if( strcmp( argv[i], "hmac_drbg" ) == 0 )
todo.hmac_drbg = 1;
else if( strcmp( argv[i], "rsa" ) == 0 )
todo.rsa = 1;
else if( strcmp( argv[i], "dhm" ) == 0 )
todo.dhm = 1;
else if( strcmp( argv[i], "ecdsa" ) == 0 )
todo.ecdsa = 1;
else if( strcmp( argv[i], "ecdh" ) == 0 )
todo.ecdh = 1;
else
{
printf( "Unrecognized option: %s\n", argv[i] );
printf( "Available options:" OPTIONS );
}
}
}
printf( "\n" );
memset( buf, 0xAA, sizeof( buf ) );
#if defined(POLARSSL_MD4_C)
if( todo.md4 )
TIME_AND_TSC( "MD4", md4( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_MD5_C)
if( todo.md5 )
TIME_AND_TSC( "MD5", md5( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_RIPEMD160_C)
if( todo.ripemd160 )
TIME_AND_TSC( "RIPEMD160", ripemd160( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_SHA1_C)
if( todo.sha1 )
TIME_AND_TSC( "SHA-1", sha1( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_SHA256_C)
if( todo.sha256 )
TIME_AND_TSC( "SHA-256", sha256( buf, BUFSIZE, tmp, 0 ) );
#endif
#if defined(POLARSSL_SHA512_C)
if( todo.sha512 )
TIME_AND_TSC( "SHA-512", sha512( buf, BUFSIZE, tmp, 0 ) );
#endif
#if defined(POLARSSL_ARC4_C)
if( todo.arc4 )
{
arc4_context arc4;
arc4_setup( &arc4, tmp, 32 );
TIME_AND_TSC( "ARC4", arc4_crypt( &arc4, BUFSIZE, buf, buf ) );
}
#endif
#if defined(POLARSSL_DES_C) && defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.des3 )
{
des3_context des3;
des3_set3key_enc( &des3, tmp );
TIME_AND_TSC( "3DES",
des3_crypt_cbc( &des3, DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
}
if( todo.des )
{
des_context des;
des_setkey_enc( &des, tmp );
TIME_AND_TSC( "DES",
des_crypt_cbc( &des, DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
}
#endif
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.aes_cbc )
{
aes_context aes;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "AES-CBC-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
aes_setkey_enc( &aes, tmp, keysize );
TIME_AND_TSC( title,
aes_crypt_cbc( &aes, AES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
}
}
#endif
#if defined(POLARSSL_GCM_C)
if( todo.aes_gcm )
{
gcm_context gcm;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "AES-GCM-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
gcm_init( &gcm, POLARSSL_CIPHER_ID_AES, tmp, keysize );
TIME_AND_TSC( title,
gcm_crypt_and_tag( &gcm, GCM_ENCRYPT, BUFSIZE, tmp,
12, NULL, 0, buf, buf, 16, tmp ) );
gcm_free( &gcm );
}
}
#endif
#endif
#if defined(POLARSSL_CAMELLIA_C) && defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.camellia )
{
camellia_context camellia;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "CAMELLIA-CBC-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
camellia_setkey_enc( &camellia, tmp, keysize );
TIME_AND_TSC( title,
camellia_crypt_cbc( &camellia, CAMELLIA_ENCRYPT,
BUFSIZE, tmp, buf, buf ) );
}
}
#endif
#if defined(POLARSSL_BLOWFISH_C) && defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.blowfish )
{
blowfish_context blowfish;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "BLOWFISH-CBC-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
blowfish_setkey( &blowfish, tmp, keysize );
TIME_AND_TSC( title,
blowfish_crypt_cbc( &blowfish, BLOWFISH_ENCRYPT, BUFSIZE,
tmp, buf, buf ) );
}
}
#endif
#if defined(POLARSSL_HAVEGE_C)
if( todo.havege )
{
havege_state hs;
havege_init( &hs );
TIME_AND_TSC( "HAVEGE", havege_random( &hs, buf, BUFSIZE ) );
}
#endif
#if defined(POLARSSL_CTR_DRBG_C)
if( todo.ctr_drbg )
{
ctr_drbg_context ctr_drbg;
if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
exit(1);
TIME_AND_TSC( "CTR_DRBG (NOPR)",
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1) );
if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
exit(1);
ctr_drbg_set_prediction_resistance( &ctr_drbg, CTR_DRBG_PR_ON );
TIME_AND_TSC( "CTR_DRBG (PR)",
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1) );
}
int main(int argc, char **argv) //@ : main_full(main_app)
//@ requires module(main_app, true);
//@ ensures true;
{
pthread_t a_thread;
havege_state havege_state;
printf("\n\tExecuting \"");
printf("yahalom protocol");
printf("\" ... \n\n");
//@ PROTOCOL_INIT(yahalom)
//@ int server = principal_create();
//@ assert server == 1;
//@ int sender = principal_create();
//@ assert sender == 2;
//@ int receiver = principal_create();
//@ assert receiver == 3;
//@ int attacker = principal_create();
//@ assume (bad(attacker));
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ assume (bad(attacker));
//@ close pthread_run_pre(attacker_t)(NULL, some(attacker));
pthread_create(&a_thread, NULL, &attacker_t, NULL);
int i = 0;
#ifdef EXECUTE
while (i++ < 10)
#else
while (true)
#endif
/*@ invariant [_]public_invar(yahalom_pub) &*&
[_]decryption_key_classifier(yahalom_public_key) &*&
havege_state_initialized(&havege_state) &*&
principal(server, ?serv_count) &*&
principal(sender, ?send_count) &*&
principal(receiver, ?rcvr_count);
@*/
{
char s_key[KEY_SIZE];
char r_key[KEY_SIZE];
char key1[KEY_SIZE];
char key2[KEY_SIZE];
//@ open principal(sender, _);
//@ close random_request(sender, int_pair(3, server), true);
if (havege_random(&havege_state, s_key, KEY_SIZE) != 0) abort();
//@ close principal(sender, _);
//@ assert cryptogram(s_key, KEY_SIZE, ?cs_s_key, ?cg_s_key);
//@ assert cg_s_key == cg_symmetric_key(sender, send_count + 1);
//@ open principal(receiver, _);
//@ close random_request(receiver, int_pair(3, server), true);
if (havege_random(&havege_state, r_key, KEY_SIZE) != 0) abort();
//@ close principal(receiver, _);
//@ assert cryptogram(r_key, KEY_SIZE, ?cs_r_key, ?cg_r_key);
//@ assert cg_r_key == cg_symmetric_key(receiver, rcvr_count + 1);
{
pthread_t serv_thread, s_thread, r_thread;
struct yahalom_args serv_args, s_args, r_args;
serv_args.server = 1;
serv_args.sender = 2;
serv_args.receiver = 3;
serv_args.s_key = s_key;
serv_args.r_key = r_key;
s_args.server = 1;
s_args.sender = 2;
s_args.receiver = 3;
s_args.s_key = s_key;
s_args.key = key1;
r_args.server = 1;
r_args.sender = 2;
r_args.receiver = 3;
r_args.r_key = r_key;
r_args.key = key2;
//@ close pthread_run_pre(server_t)(&serv_args, ?serv_data);
pthread_create(&serv_thread, NULL, &server_t, &serv_args);
//@ close pthread_run_pre(sender_t)(&s_args, ?s_data);
pthread_create(&s_thread, NULL, &sender_t, &s_args);
//@ close pthread_run_pre(receiver_t)(&r_args, ?r_data);
pthread_create(&r_thread, NULL, &receiver_t, &r_args);
pthread_join(serv_thread, NULL);
//@ open pthread_run_post(server_t)(&serv_args, serv_data);
pthread_join(s_thread, NULL);
//@ open pthread_run_post(sender_t)(&s_args, s_data);
pthread_join(r_thread, NULL);
//@ open pthread_run_post(receiver_t)(&r_args, r_data);
}
//@ open cryptogram(key1, KEY_SIZE, ?cs_key1, _);
zeroize(key1, KEY_SIZE);
//@ open cryptogram(key2, KEY_SIZE, ?cs_key2, _);
zeroize(key2, KEY_SIZE);
//@ open [1/2]cryptogram(s_key, KEY_SIZE, _, _);
//@ open [1/2]cryptogram(s_key, KEY_SIZE, _, _);
zeroize(s_key, KEY_SIZE);
//@ open [1/2]cryptogram(r_key, KEY_SIZE, _, _);
//@ open [1/2]cryptogram(r_key, KEY_SIZE, _, _);
zeroize(r_key, KEY_SIZE);
printf(" |%i| ", i);
}
printf("\n\n\t\tDone\n");
return 0;
}
void sender(char *enc_key, char *hmac_key, char *msg, unsigned int msg_len)
/*@ requires [_]public_invar(enc_then_hmac_pub) &*&
principal(?sender, _) &*&
[?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*&
[?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*&
enc_key_cg == cg_symmetric_key(sender, ?enc_id) &*&
hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*&
cg_info(hmac_key_cg) == enc_id &*&
shared_with(sender, enc_id) == shared_with(sender, hmac_id) &*&
[?f3]crypto_chars(secret, msg, msg_len, ?msg_ccs) &*&
MAX_SIZE >= msg_len &*& msg_len >= MINIMAL_STRING_SIZE &*&
bad(sender) || bad(shared_with(sender, enc_id)) ?
[_]public_ccs(msg_ccs)
:
true == send(sender, shared_with(sender, enc_id), msg_ccs); @*/
/*@ ensures principal(sender, _) &*&
[f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*&
[f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*&
[f3]crypto_chars(secret, msg, msg_len, msg_ccs); @*/
{
//@ open principal(sender, _);
int socket;
havege_state havege_state;
char iv[16];
unsigned int iv_off = 0;
char hmac[64];
aes_context aes_context;
net_usleep(20000);
if(net_connect(&socket, NULL, SERVER_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
{
int message_len = 16 + (int) msg_len + 64;
char* message = malloc(message_len);
if (message == 0) abort();
// IV stuff
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ close random_request(sender, 0, false);
if (havege_random(&havege_state, iv, 16) != 0) abort();
//@ open cryptogram(iv, 16, ?iv_ccs, ?iv_cg);
//@ close enc_then_hmac_pub(iv_cg);
//@ leak enc_then_hmac_pub(iv_cg);
memcpy(message, iv, 16);
//@ close cryptogram(message, 16, iv_ccs, iv_cg);
//@ public_cryptogram(message, iv_cg);
//@ assert chars(message, 16, ?iv_cs);
//@ public_chars(message, 16);
havege_free(&havege_state);
//@ open havege_state(&havege_state);
// encrypt
//@ close aes_context(&aes_context);
if (aes_setkey_enc(&aes_context, enc_key,
(unsigned int) (KEY_SIZE * 8)) != 0)
abort();
if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT, msg_len,
&iv_off, iv, msg, message + 16) != 0)
abort();
//@ open cryptogram(message + 16, msg_len, ?enc_ccs, ?enc_cg);
//@ close cryptogram(message + 16, msg_len, enc_ccs, enc_cg);
//@ close enc_then_hmac_pub(enc_cg);
//@ leak enc_then_hmac_pub(enc_cg);
//@ public_cryptogram(message + 16, enc_cg);
//@ assert chars(message + 16, msg_len, ?enc_cs);
//@ public_chars(message + 16, msg_len);
//@ assert chars(message, 16 + msg_len, append(iv_cs, enc_cs));
//@ assert enc_cg == cg_encrypted(sender, enc_id, msg_ccs, iv_ccs);
zeroize(iv, 16);
aes_free(&aes_context);
//@ open aes_context(&aes_context);
// hmac
//@ chars_to_crypto_chars(message, 16 + msg_len);
//@ HASH_PUB_PAYLOAD(append(iv_cs, enc_cs))
sha512_hmac(hmac_key, KEY_SIZE, message,
(unsigned int) (16 + (int) msg_len),
message + 16 + (int) msg_len, 0);
//@ assert cryptogram(message + 16 + msg_len, 64, ?hmac_ccs, ?hmac_cg);
//@ cs_to_ccs_append(iv_cs, enc_cs);
//@ assert hmac_cg == cg_hmac(sender, hmac_id, append(iv_ccs, enc_ccs));
/*@ if (!col && !enc_then_hmac_public_key(sender, enc_id, true))
close enc_then_hmac_pub_1(enc_id, msg_ccs, iv_ccs); @*/
/*@ if (col || enc_then_hmac_public_key(sender, enc_id, true))
{
assert [_]public_ccs(iv_ccs);
assert [_]public_ccs(enc_ccs);
public_ccs_join(iv_ccs, enc_ccs);
}
@*/
//@ close enc_then_hmac_pub(hmac_cg);
//@ leak enc_then_hmac_pub(hmac_cg);
//@ public_cryptogram(message + 16 + msg_len, hmac_cg);
//@ assert chars(message + 16 + msg_len, 64, ?hmac_cs);
//@ append_assoc(iv_ccs, enc_ccs, hmac_ccs);
//@ append_assoc(iv_cs, enc_cs, hmac_cs);
//@ cs_to_ccs_crypto_chars(message, append(iv_cs, enc_cs));
/*@ assert chars(message, message_len,
append(iv_cs, append(enc_cs, hmac_cs))); @*/
net_send(&socket, message, (unsigned int) message_len);
free(message);
}
net_close(socket);
//@ close principal(sender, _);
}
void attacker_send_keys(havege_state *havege_state, void* socket)
//@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
//@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
pk_context context;
pk_context context_pub;
pk_context context_priv;
unsigned int key_size;
//@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
unsigned int temp;
//@ close_havege_util(pub, pred, attacker);
r_u_int_with_bounds(havege_state, &temp, 1024, 8192);
//@ open_havege_util(pub, pred, attacker);
key_size = temp;
char* key = malloc((int) key_size);
if ((key) == 0) abort();
char* pub_key = malloc((int) key_size);
if ((pub_key) == 0) abort();
char* priv_key = malloc((int) key_size);
if ((priv_key) == 0) abort();
//@ close random_request(attacker, temp, true);
if (havege_random(havege_state, key, key_size) != 0) abort();
//@ close pk_context(&context);
pk_init(&context);
//@ close pk_context(&context_pub);
pk_init(&context_pub);
//@ close pk_context(&context_priv);
pk_init(&context_priv);
if (pk_init_ctx(&context, pk_info_from_type(POLARSSL_PK_RSA)) != 0)
abort();
//@ close rsa_key_request(attacker, 0);
//@ close random_state_predicate(havege_state_initialized);
/*@ produce_function_pointer_chunk random_function(
attacker_key_item_havege_random_stub)
(havege_state_initialized)(state, out, len) { call(); } @*/
if (rsa_gen_key(context.pk_ctx, attacker_key_item_havege_random_stub,
havege_state, key_size, 65537) != 0) abort();
if (pk_write_pubkey_pem(&context, pub_key, key_size) != 0) abort();
if (pk_write_key_pem(&context, priv_key, key_size) != 0) abort();
if (pk_parse_public_key(&context_pub, pub_key, key_size) != 0) abort();
if (pk_parse_key(&context_priv, priv_key, key_size, NULL, 0) != 0) abort();
//@ assert is_bad_key_is_public(?proof1, pub, pred);
//@ assert cryptogram(key, key_size, ?key_ccs, ?key_cg);
//@ proof1(key_cg);
//@ public_cryptogram(key, key_cg);
net_send(socket, key, key_size);
//@ assert is_public_key_is_public(?proof2, pub, pred);
//@ assert cryptogram(pub_key, key_size, ?pub_key_ccs, ?pub_key_cg);
//@ proof2(pub_key_cg);
//@ public_cryptogram(pub_key, pub_key_cg);
net_send(socket, pub_key, key_size);
//@ assert is_bad_private_key_is_public(?proof3, pub, pred);
//@ assert cryptogram(priv_key, key_size, ?priv_key_ccs, ?priv_key_cg);
//@ proof3(priv_key_cg);
//@ public_cryptogram(priv_key, priv_key_cg);
net_send(socket, priv_key, key_size);
//@ open random_state_predicate(havege_state_initialized);
//@ pk_release_context_with_keys(&context);
pk_free(&context);
//@ open pk_context(&context);
//@ pk_release_context_with_key(&context_pub);
pk_free(&context_pub);
//@ open pk_context(&context_pub);
//@ pk_release_context_with_key(&context_priv);
pk_free(&context_priv);
//@ open pk_context(&context_priv);
free(key);
free(pub_key);
free(priv_key);
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
}
void sender(int sender, int receiver,
char *s_priv_key, char *r_pub_key,
char *s_nonce, char *r_nonce)
/*@ requires [_]public_invar(nsl_pub) &*&
[_]decryption_key_classifier(nsl_public_key) &*&
principal(sender, _) &*&
[?f1]cryptogram(s_priv_key, 8 * KEY_SIZE,
?s_priv_key_ccs, ?s_priv_key_cg) &*&
s_priv_key_cg == cg_private_key(sender, ?s_id) &*&
[?f2]cryptogram(r_pub_key, 8 * KEY_SIZE,
?r_pub_key_ccs, ?r_pub_key_cg) &*&
r_pub_key_cg == cg_public_key(receiver, ?r_id) &*&
chars(s_nonce, NONCE_SIZE, _) &*&
chars(r_nonce, NONCE_SIZE, _); @*/
/*@ ensures principal(sender, _) &*&
[f1]cryptogram(s_priv_key, 8 * KEY_SIZE,
s_priv_key_ccs, s_priv_key_cg) &*&
[f2]cryptogram(r_pub_key, 8 * KEY_SIZE,
r_pub_key_ccs, r_pub_key_cg) &*&
cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*&
s_nonce_cg == cg_nonce(sender, _) &*&
cg_info(s_nonce_cg) == int_pair(1, int_pair(receiver, r_id)) &*&
col || bad(sender) || bad(receiver) ?
chars(r_nonce, NONCE_SIZE, _)
:
cryptogram(r_nonce, NONCE_SIZE, _, ?r_nonce_cg) &*&
r_nonce_cg == cg_nonce(receiver, _) &*&
cg_info(r_nonce_cg) == int_pair(2, int_pair(sender, int_pair(sender,
int_pair(receiver, r_id)))); @*/
{
int socket;
pk_context s_context;
pk_context r_context;
havege_state havege_state;
net_usleep(20000);
if(net_connect(&socket, NULL, SERVER_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
//@ close pk_context(&s_context);
pk_init(&s_context);
if (pk_parse_key(&s_context, s_priv_key,
(unsigned int) 8 * KEY_SIZE, NULL, 0) != 0)
abort();
//@ close pk_context(&r_context);
pk_init(&r_context);
if (pk_parse_public_key(&r_context, r_pub_key,
(unsigned int) 8 * KEY_SIZE) != 0)
abort();
// Generate NA
//@ open principal(sender, _);
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ close random_request(sender, int_pair(1, int_pair(receiver, r_id)), false);
if (havege_random(&havege_state, s_nonce, NONCE_SIZE) != 0) abort();
//@ assert cryptogram(s_nonce, NONCE_SIZE, ?cs_s_nonce, ?cg_s_nonce);
//@ close principal(sender, _);
sender_msg1(&socket, &havege_state, &r_context, sender, s_nonce);
sender_msg2(&socket, &havege_state, &s_context, sender, receiver,
s_nonce, r_nonce);
sender_msg3(&socket, &havege_state, &r_context, sender, r_nonce);
havege_free(&havege_state);
//@ open havege_state(&havege_state);
//@ pk_release_context_with_key(&s_context);
pk_free(&s_context);
//@ open pk_context(&s_context);
//@ pk_release_context_with_key(&r_context);
pk_free(&r_context);
//@ open pk_context(&r_context);
net_close(socket);
}
void receiver(int sender, int receiver,
char *s_pub_key, char *r_priv_key,
char *s_nonce, char *r_nonce)
/*@ requires [_]public_invar(nsl_pub) &*&
[_]decryption_key_classifier(nsl_public_key) &*&
principal(receiver, _) &*&
[?f1]cryptogram(s_pub_key, 8 * KEY_SIZE,
?s_pub_key_ccs, ?s_pub_key_cg) &*&
s_pub_key_cg == cg_public_key(sender, ?s_id) &*&
[?f2]cryptogram(r_priv_key, 8 * KEY_SIZE,
?r_priv_key_ccs, ?r_priv_key_cg) &*&
r_priv_key_cg == cg_private_key(receiver, ?r_id) &*&
chars(s_nonce, NONCE_SIZE, _) &*&
chars(r_nonce, NONCE_SIZE, _); @*/
/*@ ensures principal(receiver, _) &*&
[f1]cryptogram(s_pub_key, 8 * KEY_SIZE,
s_pub_key_ccs, s_pub_key_cg) &*&
[f2]cryptogram(r_priv_key, 8 * KEY_SIZE,
r_priv_key_ccs, r_priv_key_cg) &*&
cryptogram(r_nonce, NONCE_SIZE, ?r_nonce_ccs, ?r_nonce_cg) &*&
r_nonce_cg == cg_nonce(receiver, _) &*&
(
col || bad(sender) || bad(receiver) ?
chars(s_nonce, NONCE_SIZE, _)
:
cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*&
s_nonce_cg == cg_nonce(sender, _) &*&
cg_info(s_nonce_cg) == int_pair(1, int_pair(receiver, r_id)) &*&
cg_info(r_nonce_cg) == int_pair(2, int_pair(sender, int_pair(sender,
int_pair(receiver, r_id))))
); @*/
{
//@ open principal(receiver, _);
int socket1;
int socket2;
pk_context s_context;
pk_context r_context;
havege_state havege_state;
if(net_bind(&socket1, NULL, SERVER_PORT) != 0)
abort();
if(net_accept(socket1, &socket2, NULL) != 0)
abort();
if(net_set_block(socket2) != 0)
abort();
//@ close pk_context(&s_context);
pk_init(&s_context);
if (pk_parse_public_key(&s_context, s_pub_key,
(unsigned int) 8 * KEY_SIZE) != 0)
abort();
//@ close pk_context(&r_context);
pk_init(&r_context);
if (pk_parse_key(&r_context, r_priv_key,
(unsigned int) 8 * KEY_SIZE, NULL, 0) != 0)
abort();
// Generate NB
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ close principal(receiver, _);
receiver_msg1(&socket2, &havege_state, &r_context, sender, receiver, s_nonce);
//@ open principal(receiver, _);
//@ assert receiver_inter(?p_orig, ?c_orig, ?p_inst, ?s_nonce_ccs, ?s_nonce_cg);
//@ int info = int_pair(sender, int_pair(p_inst, int_pair(p_orig, c_orig)));
//@ close random_request(receiver, int_pair(2, info), false);
if (havege_random(&havege_state, r_nonce, NONCE_SIZE) != 0) abort();
//@ close principal(receiver, _);
receiver_msg2(&socket2, &havege_state, &s_context, receiver,
s_nonce, r_nonce);
//@ if (col || bad(p_inst) || bad(receiver)) chars_to_crypto_chars(s_nonce, NONCE_SIZE);
//@ close receiver_inter(p_orig, c_orig, p_inst, s_nonce_ccs, s_nonce_cg);
receiver_msg3(&socket2, &havege_state, &r_context, sender, receiver,
s_nonce, r_nonce);
/*@ if (col || bad(sender) || bad(receiver))
crypto_chars_to_chars(s_nonce, NONCE_SIZE); @*/
havege_free(&havege_state);
//@ open havege_state(&havege_state);
//@ pk_release_context_with_key(&s_context);
pk_free(&s_context);
//@ open pk_context(&s_context);
//@ pk_release_context_with_key(&r_context);
pk_free(&r_context);
//@ open pk_context(&r_context);
net_close(socket2);
net_close(socket1);
}
int main(int argc, char **argv) //@ : main_full(main_app)
//@ requires module(main_app, true);
//@ ensures true;
{
pthread_t a_thread;
havege_state havege_state;
printf("\n\tExecuting \"");
printf("enc_then_hmac protocol");
printf("\" ... \n\n");
//@ PROTOCOL_INIT(enc_then_hmac)
//@ int attacker = principal_create();
//@ int sender = principal_create();
//@ int receiver = principal_create();
//@ assume (!bad(sender) && !bad(receiver));
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ assume (bad(attacker));
//@ close pthread_run_pre(attacker_t)(NULL, some(attacker));
pthread_create(&a_thread, NULL, &attacker_t, NULL);
int i = 0;
#ifdef EXECUTE
while (i++ < 10)
#else
while (true)
#endif
/*@ invariant [_]public_invar(enc_then_hmac_pub) &*&
[_]decryption_key_classifier(enc_then_hmac_public_key) &*&
!bad(sender) && !bad(receiver) &*&
havege_state_initialized(&havege_state) &*&
principal(sender, ?count) &*& principal(receiver, _);
@*/
{
char* enc_key;
char* hmac_key;
int temp;
enc_key = malloc(KEY_SIZE);
if (enc_key == 0) abort();
hmac_key = malloc(KEY_SIZE);
if (hmac_key == 0) abort();
//@ open principal(sender, _);
//@ close random_request(sender, 0, true);
if (havege_random(&havege_state, enc_key, KEY_SIZE) != 0) abort();
//@ assume (shared_with(sender, count + 1) == receiver);
//@ assert cryptogram(enc_key, KEY_SIZE, ?enc_cs_key, ?enc_cg_key);
//@ assert enc_cg_key == cg_symmetric_key(sender, count + 1);
//@ close random_request(sender, count + 1, true);
if (havege_random(&havege_state, hmac_key, KEY_SIZE) != 0) abort();
//@ assume (shared_with(sender, count + 2) == receiver);
//@ assert cryptogram(hmac_key, KEY_SIZE, ?hmac_cs_key, ?hmac_cg_key);
//@ assert hmac_cg_key == cg_symmetric_key(sender, count + 2);
{
pthread_t s_thread, r_thread;
struct enc_then_hmac_args s_args;
struct enc_then_hmac_args r_args;
char s_message[MSG_LEN];
char r_message[MAX_SIZE];
//@ assert chars(s_message, MSG_LEN, ?msg_cs);
//@ public_chars(s_message, MSG_LEN);
//@ chars_to_secret_crypto_chars(s_message, MSG_LEN);
//@ s_args.sender = sender;
//@ s_args.receiver = receiver;
s_args.enc_key = enc_key;
s_args.hmac_key = hmac_key;
s_args.msg = s_message;
//@ assume (send(sender, receiver, msg_cs) == true);
//@ r_args.sender = sender;
//@ r_args.receiver = receiver;
r_args.enc_key = enc_key;
r_args.hmac_key = hmac_key;
r_args.msg = r_message;
//@ close principal(sender, _);
//@ close pthread_run_pre(sender_t)(&s_args, ?s_data);
//@ close pthread_run_pre(receiver_t)(&r_args, ?r_data);
pthread_create(&r_thread, NULL, &receiver_t, &r_args);
pthread_create(&s_thread, NULL, &sender_t, &s_args);
pthread_join(s_thread, NULL);
//@ open pthread_run_post(sender_t)(&s_args, s_data);
pthread_join(r_thread, NULL);
//@ open pthread_run_post(receiver_t)(&r_args, r_data);
//@ open [1/2]cryptogram(enc_key, KEY_SIZE, enc_cs_key, _);
//@ open [1/2]cryptogram(enc_key, KEY_SIZE, enc_cs_key, _);
//@ open [1/2]cryptogram(hmac_key, KEY_SIZE, hmac_cs_key, _);
//@ open [1/2]cryptogram(hmac_key, KEY_SIZE, hmac_cs_key, _);
if (r_args.length != MSG_LEN)
abort();
//@ public_crypto_chars(s_message, MSG_LEN);
#ifdef EXECUTE
if (memcmp(s_message, r_message, MSG_LEN) != 0)
abort();
#endif
//@ open principal(sender, _);
//@ close principal(sender, _);
zeroize(r_message, r_args.length);
}
zeroize(enc_key, KEY_SIZE);
free((void*) enc_key);
zeroize(hmac_key, KEY_SIZE);
free((void*) hmac_key);
printf(" |%i| ", i);
}
printf("\n\n\t\tDone\n");
return 0;
}
int main() //@ : main
//@ requires true;
//@ ensures true;
{
pthread_t a_thread;
havege_state havege_state;
int* principals = malloc(sizeof(int));
if (principals == 0) abort();
*principals = 0;
printf("\n\tExecuting \"");
printf("secure_storage");
printf(" protocol");
printf("\" ... \n\n");
//@ PACK_PROOF_OBLIGATIONS(ss)
//@ close exists(ss_polarssl_pub);
//@ polarssl_init();
//@ int sender = polarssl_create_principal();
(*principals)++;
//@ int receiver = polarssl_create_principal();
(*principals)++;
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ close pthread_run_pre(attacker_t)(principals, _);
pthread_create(&a_thread, NULL, &attacker_t, principals);
int i = 0;
#ifdef EXECUTE
while (i++ < 10)
#else
while (true)
#endif
/*@ invariant [2/3]polarssl_world(ss_polarssl_pub) &*&
havege_state_initialized(&havege_state) &*&
polarssl_generated_values(sender, ?count_s);
@*/
{
char* key;
char* message;
int temp;
int message_len;
//@ close random_request(sender, 0, true);
key = malloc(KEY_BYTE_SIZE);
if (key == 0) abort();
if (havege_random(&havege_state, key, KEY_BYTE_SIZE) != 0) abort();
r_int_with_bounds(&havege_state, &temp,
POLARSSL_MIN_HMAC_INPUT_BYTE_SIZE,
POLARSSL_MAX_MESSAGE_BYTE_SIZE - 65);
message_len = temp;
message = malloc(message_len);
if (message == 0) abort();
//@ assert chars(message, message_len, ?msg_cs);
//@ polarssl_public_generated_chars_assume(ss_polarssl_pub, msg_cs);
{
pthread_t s_thread, r_thread;
struct ss_args s_args;
struct ss_args r_args;
/*@ open polarssl_cryptogram(key, KEY_BYTE_SIZE, ?key_cs,
polarssl_symmetric_key(sender, count_s + 1)); @*/
//@ assert chars(key, KEY_BYTE_SIZE, ?cs_key);
s_args.key_len = KEY_BYTE_SIZE;
s_args.key = key;
s_args.message_len = message_len;
s_args.message = malloc(message_len);
if (s_args.message == 0) abort();
memcpy(s_args.message, message, (unsigned int) message_len);
/*@ close polarssl_public_message(ss_polarssl_pub)
(s_args.message, message_len, msg_cs); @*/
r_args.key_len = KEY_BYTE_SIZE;
r_args.key = key;
/*@ close polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs,
polarssl_symmetric_key(sender, count_s + 1)); @*/
//@ assume (app_send_event(sender, msg_cs));
//@ close pthread_run_pre(sender_t)(&s_args, _);
pthread_create(&s_thread, NULL, &sender_t, &s_args);
//@ close pthread_run_pre(receiver_t)(&r_args, _);
pthread_create(&r_thread, NULL, &receiver_t, &r_args);
pthread_join(s_thread, NULL);
//@ open pthread_run_post(sender_t)(&s_args, _);
pthread_join(r_thread, NULL);
//@ open pthread_run_post(receiver_t)(&r_args, _);
/*@ open polarssl_public_message(ss_polarssl_pub)
(s_args.message, _, ?s_cs); @*/
//@ assert true == app_send_event(sender, s_cs);
free(s_args.message);
/*@ open polarssl_public_message(ss_polarssl_pub)
(r_args.message, _, ?r_cs); @*/
/*@ if (!bad(sender))
{
assert true == app_send_event(sender, r_cs);
}
@*/
free(r_args.message);
//@ open [1/2]polarssl_cryptogram(key, _, _, _);
//@ open [1/2]polarssl_cryptogram(key, _, _, _);
}
free(key);
free(message);
}
//@ havege_exit(&havege_state);
//@ open havege_state(&havege_state);
//@ destroy_polarssl_principal(sender);
//@ destroy_polarssl_principal(receiver);
printf("Done\n");
//@ leak malloc_block_ints(principals, 1);
//@ leak [_]polarssl_world(_);
return 0;
}
int main(int argc, char **argv) //@ : main_full(main_app)
//@ requires module(main_app, true);
//@ ensures true;
{
pthread_t a_thread;
havege_state havege_state;
printf("\n\tExecuting \"");
printf("hmac protocol");
printf("\" ... \n\n");
//@ PROTOCOL_INIT(hmac)
//@ int attacker = principal_create();
//@ int sender = principal_create();
//@ int receiver = principal_create();
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ assume (bad(attacker));
//@ close pthread_run_pre(attacker_t)(NULL, some(attacker));
pthread_create(&a_thread, NULL, &attacker_t, NULL);
int i = 0;
#ifdef EXECUTE
while (i++ < 10)
#else
while (true)
#endif
/*@ invariant [_]public_invar(hmac_pub) &*&
havege_state_initialized(&havege_state) &*&
principal(sender, ?count) &*& principal(receiver, _);
@*/
{
//@ open principal(sender, _);
char* key;
int temp;
//@ close random_request(sender, 0, true);
key = malloc(KEY_SIZE);
if (key == 0) abort();
if (havege_random(&havege_state, key, KEY_SIZE) != 0) abort();
//@ assume (shared_with(sender, count + 1) == receiver);
//@ assert cryptogram(key, KEY_SIZE, ?cs_key, ?cg_key);
//@ assert cg_key == cg_symmetric_key(sender, count + 1);
{
pthread_t s_thread, r_thread;
struct hmac_args s_args;
struct hmac_args r_args;
char s_message[MESSAGE_SIZE];
char r_message[MESSAGE_SIZE];
//@ close random_request(sender, 0, false);
if (havege_random(&havege_state, s_message, MESSAGE_SIZE) != 0) abort();
//@ assert cryptogram(s_message, MESSAGE_SIZE, ?cs, ?cg);
//@ close hmac_pub(cg);
//@ leak hmac_pub(cg);
//@ public_cryptogram(s_message, cg);
//@ s_args.sender = sender;
//@ s_args.receiver = receiver;
s_args.key = key;
s_args.message = s_message;
//@ assume (send(sender, receiver, cs) == true);
//@ r_args.sender = sender;
//@ r_args.receiver = receiver;
r_args.key = key;
r_args.message = r_message;
//@ close principal(sender, _);
//@ close pthread_run_pre(sender_t)(&s_args, ?s_data);
//@ close pthread_run_pre(receiver_t)(&r_args, ?r_data);
pthread_create(&r_thread, NULL, &receiver_t, &r_args);
pthread_create(&s_thread, NULL, &sender_t, &s_args);
pthread_join(s_thread, NULL);
//@ open pthread_run_post(sender_t)(&s_args, s_data);
pthread_join(r_thread, NULL);
//@ open pthread_run_post(receiver_t)(&r_args, r_data);
//@ open [1/2]cryptogram(key, KEY_SIZE, cs_key, _);
//@ open [1/2]cryptogram(key, KEY_SIZE, cs_key, _);
//@ chars_to_crypto_chars(r_message, MESSAGE_SIZE);
//@ chars_to_crypto_chars(s_message, MESSAGE_SIZE);
//@ open principal(sender, _);
if (memcmp(s_message, r_message, MESSAGE_SIZE) != 0)
abort();
//@ close principal(sender, _);
printf(" |%i| ", i);
}
//@ assert malloc_block(key, KEY_SIZE);
zeroize(key, KEY_SIZE);
free((void*) key);
}
printf("\n\n\t\tDone\n");
return 0;
}