void HMACSHA256Init(HMACSHA256CTX* context, const uint8_t* key,
size_t key_length)
{
size_t i;
uint8_t pad[SHA256_BLOCK_LENGTH];
uint8_t key_hash[SHA256_DIGEST_LENGTH];
if (key_length > SHA256_BLOCK_LENGTH)
{
SHA256Init(&context->ictx);
SHA256Update(&context->ictx, key, key_length);
SHA256Final(&context->ictx, key_hash);
key = key_hash;
key_length = SHA256_DIGEST_LENGTH;
}
SHA256Init(&context->ictx);
memset(pad, 0x36, SHA256_BLOCK_LENGTH);
for (i = 0; i < key_length; i++)
pad[i] ^= key[i];
SHA256Update(&context->ictx, pad, SHA256_BLOCK_LENGTH);
SHA256Init(&context->octx);
memset(pad, 0x5c, SHA256_BLOCK_LENGTH);
for (i = 0; i < key_length; i++)
pad[i] ^= key[i];
SHA256Update(&context->octx, pad, SHA256_BLOCK_LENGTH);
zeroize((void*)key_hash, sizeof key_hash);
}
void RMD160Final(RMD160CTX* context, uint8_t digest[RMD160_DIGEST_LENGTH])
{
int i;
RMD160Pad(context);
for (i = 0; i < 5; i++)
{
PUT_32BIT_LE(digest + i * 4, context->state[i]);
}
zeroize(context, sizeof *context);
}
void HMACSHA256Final(HMACSHA256CTX* context,
uint8_t digest[HMACSHA256_DIGEST_LENGTH])
{
uint8_t hash[HMACSHA256_DIGEST_LENGTH];
SHA256Final(&context->ictx, hash);
SHA256Update(&context->octx, hash, HMACSHA256_DIGEST_LENGTH);
SHA256Final(&context->octx, digest);
zeroize((void*)hash, sizeof hash);
}
int xed25519_sign(unsigned char* signature_out,
const unsigned char* curve25519_privkey,
const unsigned char* msg, const unsigned long msg_len,
const unsigned char* random)
{
unsigned char a[32], aneg[32];
unsigned char A[32];
ge_p3 ed_pubkey_point;
unsigned char *sigbuf; /* working buffer */
unsigned char sign_bit = 0;
if ((sigbuf = malloc(msg_len + 128)) == 0) {
memset(signature_out, 0, 64);
return -1;
}
/* Convert the Curve25519 privkey to an Ed25519 public key */
ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey);
ge_p3_tobytes(A, &ed_pubkey_point);
/* Force Edwards sign bit to zero */
sign_bit = (A[31] & 0x80) >> 7;
memcpy(a, curve25519_privkey, 32);
sc_neg(aneg, a);
sc_cmov(a, aneg, sign_bit);
A[31] &= 0x7F;
/* Perform an Ed25519 signature with explicit private key */
crypto_sign_modified(sigbuf, msg, msg_len, a, A, random);
memmove(signature_out, sigbuf, 64);
zeroize(a, 32);
zeroize(aneg, 32);
free(sigbuf);
return 0;
}
/* NEW: Compare to pristine crypto_sign()
Uses explicit private key for nonce derivation and as scalar,
instead of deriving both from a master key.
*/
int crypto_sign_modified(
unsigned char *sm,
const unsigned char *m,unsigned long long mlen,
const unsigned char *sk, const unsigned char* pk,
const unsigned char* random
)
{
unsigned char nonce[64];
unsigned char hram[64];
ge_p3 R;
int count=0;
memmove(sm + 64,m,mlen);
memmove(sm + 32,sk,32); /* NEW: Use privkey directly for nonce derivation */
/* NEW : add prefix to separate hash uses - see .h */
sm[0] = 0xFE;
for (count = 1; count < 32; count++)
sm[count] = 0xFF;
/* NEW: add suffix of random data */
memmove(sm + mlen + 64, random, 64);
crypto_hash_sha512(nonce,sm,mlen + 128);
memmove(sm + 32,pk,32);
sc_reduce(nonce);
ge_scalarmult_base(&R,nonce);
ge_p3_tobytes(sm,&R);
crypto_hash_sha512(hram,sm,mlen + 64);
sc_reduce(hram);
sc_muladd(sm + 32,hram,sk,nonce); /* NEW: Use privkey directly */
/* NEW: Try to erase any traces of privkey or
nonce left in the stack from sc_muladd. */
zeroize_stack();
zeroize(nonce, 64);
return 0;
}
void receiver_msg1(int* socket, havege_state* havege_state,
pk_context* r_context, int sender, int receiver,
char* s_nonce)
/*@ requires GENERAL_PRE(receiver) &*&
pk_context_with_key(r_context, pk_private,
receiver, ?r_id, 8 * KEY_SIZE) &*&
chars(s_nonce, NONCE_SIZE, _); @*/
/*@ ensures GENERAL_POST(receiver) &*&
pk_context_with_key(r_context, pk_private,
receiver, r_id, 8 * KEY_SIZE) &*&
RECEIVER_INTER; @*/
{
//@ open principal(receiver, _);
unsigned int size;
char message[MSG1_SIZE];
char encrypted[KEY_SIZE];
// Receive the message
net_recv(socket, encrypted, KEY_SIZE);
//@ assert chars(encrypted, KEY_SIZE, ?enc_cs);
//@ interpret_asym_encrypted(encrypted, KEY_SIZE);
//@ assert cryptogram(encrypted, KEY_SIZE, ?enc_ccs, ?enc_cg);
//@ assert enc_cg == cg_asym_encrypted(?p, ?c, ?pay, ?ent);
// Decrypt the message
/*@ produce_function_pointer_chunk random_function(random_stub_nsl)
(havege_state_initialized)(state, out, len) { call(); } @*/
//@ close random_state_predicate(havege_state_initialized);
//@ structure st = known_value(0, cs_to_ccs(identifier(sender)));
//@ close decryption_pre(false, false, receiver, st, enc_ccs);
if (pk_decrypt(r_context, encrypted, KEY_SIZE, message,
&size, MSG1_SIZE, random_stub_nsl, havege_state) != 0)
abort();
if (size != MSG1_SIZE)
abort();
//@ assert u_integer(&size, MSG1_SIZE);
//@ assert crypto_chars(?kind, message, MSG1_SIZE, ?dec_ccs);
/*@ open decryption_post(false, ?garbage, receiver,
st, receiver, r_id, dec_ccs); @*/
//@ crypto_chars_split(message, ID_SIZE);
//@ assert crypto_chars(kind, message, ID_SIZE, ?id_ccs);
/*@ assert crypto_chars(kind, (void*) message + ID_SIZE,
NONCE_SIZE, ?s_nonce_ccs); @*/
//@ assert dec_ccs == append(id_ccs, s_nonce_ccs);
//@ open [_]nsl_pub(enc_cg);
//@ assert [_]nsl_pub_msg_sender(?p_instigator2);
/*@ if (col || garbage)
{
crypto_chars_to_chars(message, ID_SIZE);
}
else
{
if (bad(receiver) || bad(p_instigator2))
{
assert [_]public_ccs(dec_ccs);
public_ccs_split(dec_ccs, ID_SIZE);
}
else
{
assert [_]nsl_pub_msg1(_, _, ?s_nonce_cg);
take_append(ID_SIZE, cs_to_ccs(identifier(p_instigator2)),
ccs_for_cg(s_nonce_cg));
drop_append(ID_SIZE, cs_to_ccs(identifier(p_instigator2)),
ccs_for_cg(s_nonce_cg));
}
public_crypto_chars(message, ID_SIZE);
}
@*/
//@ chars_to_crypto_chars(message, ID_SIZE);
/*@ close check_identifier_ghost_args(false, garbage, receiver,
r_id, s_nonce_ccs); @*/
check_identifier(message, sender);
//@ assert id_ccs == cs_to_ccs(identifier(sender));
memcpy(s_nonce, (void*) message + ID_SIZE, NONCE_SIZE);
// Interpret message
//@ cryptogram s_nonce_cg;
//@ int p_inst;
/*@ if (!col && !garbage)
{
p_inst = p_instigator2;
if (bad(p_inst) || bad(receiver))
{
public_crypto_chars(s_nonce, NONCE_SIZE);
chars_to_crypto_chars(s_nonce, NONCE_SIZE);
crypto_chars_to_chars(message, ID_SIZE);
chars_to_crypto_chars(message, ID_SIZE);
public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
}
else
{
assert [_]nsl_pub_msg1(p_inst, receiver, ?s_nonce_cg2);
s_nonce_cg = s_nonce_cg2;
assert s_nonce_cg == cg_nonce(p_inst, _);
s_nonce_ccs = ccs_for_cg(s_nonce_cg);
assert dec_ccs == append(cs_to_ccs(identifier(p_inst)), s_nonce_ccs);
take_append(ID_SIZE, cs_to_ccs(identifier(p_inst)), s_nonce_ccs);
drop_append(ID_SIZE, cs_to_ccs(identifier(p_inst)), s_nonce_ccs);
cs_to_ccs_inj(identifier(p_inst), identifier(sender));
assert identifier(p_inst) == identifier(sender);
equal_identifiers(p_inst, sender);
close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
}
}
else
{
crypto_chars_to_chars(s_nonce, NONCE_SIZE);
chars_to_crypto_chars(s_nonce, NONCE_SIZE);
}
@*/
//@ close receiver_inter(p, c, p_inst, s_nonce_ccs, s_nonce_cg);
//@ crypto_chars_to_chars(message, ID_SIZE);
zeroize((void*) message + ID_SIZE, NONCE_SIZE);
//@ public_cryptogram(encrypted, enc_cg);
//@ close principal(receiver, _);
}
void sender_msg1(int* socket, havege_state* havege_state, pk_context* r_context,
int sender, char* s_nonce)
/*@ requires GENERAL_PRE(sender) &*&
pk_context_with_key(r_context, pk_public,
?receiver, ?r_id, 8 * KEY_SIZE) &*&
cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*&
s_nonce_cg == cg_nonce(sender, _) &*&
cg_info(s_nonce_cg) == int_pair(1, int_pair(receiver, r_id)); @*/
/*@ ensures GENERAL_POST(sender) &*&
pk_context_with_key(r_context, pk_public,
receiver, r_id, 8 * KEY_SIZE) &*&
cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); @*/
{
//@ open principal(sender, _);
unsigned int size;
char message[MSG1_SIZE];
char encrypted[KEY_SIZE];
// Construct the message
write_identifier(message, sender);
//@ list<crypto_char> sid_ccs = cs_to_ccs(identifier(sender));
//@ assert crypto_chars(normal, message, ID_SIZE, sid_ccs);
//@ cs_to_ccs_crypto_chars(message, identifier(sender));
//@ public_chars(message, ID_SIZE);
//@ chars_to_secret_crypto_chars(message, ID_SIZE);
//@ open cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
memcpy((void*) message + ID_SIZE, s_nonce, NONCE_SIZE);
//@ crypto_chars_join(message);
//@ list<crypto_char> msg1 = append(sid_ccs, s_nonce_ccs);
//@ assert crypto_chars(secret, message, MSG1_SIZE, msg1);
// Encrypt the message
/*@ produce_function_pointer_chunk random_function(random_stub_nsl)
(havege_state_initialized)(state, out, len) { call(); } @*/
//@ close random_state_predicate(havege_state_initialized);
if (pk_encrypt(r_context, message, MSG1_SIZE, encrypted, &size,
KEY_SIZE, random_stub_nsl, havege_state) != 0)
abort();
//@ assert u_integer(&size, ?size_val);
//@ assert cryptogram(encrypted, size_val, ?cs_enc, ?cg_enc);
// Proof the message is public
//@ take_append(ID_SIZE, sid_ccs, s_nonce_ccs);
//@ drop_append(ID_SIZE, sid_ccs, s_nonce_ccs);
//@ close nsl_pub_msg_sender(sender);
//@ leak nsl_pub_msg_sender(sender);
/*@ if (col || bad(sender) || bad(receiver))
{
assert crypto_chars(secret, message, MSG1_SIZE, msg1);
crypto_chars_split(message, ID_SIZE);
public_crypto_chars(message, ID_SIZE);
assert chars(message, ID_SIZE, ?sid_cs);
cs_to_ccs_inj(sid_cs, identifier(sender));
assert chars(message, ID_SIZE, identifier(sender));
close nsl_pub(s_nonce_cg);
leak nsl_pub(s_nonce_cg);
close cryptogram((void*) message + ID_SIZE, NONCE_SIZE,
s_nonce_ccs, s_nonce_cg);
public_cryptogram((void*) message + ID_SIZE, s_nonce_cg);
assert chars((void*) message + ID_SIZE, NONCE_SIZE, ?s_nonce_cs');
cs_to_ccs_append(identifier(sender), s_nonce_cs');
chars_join(message);
public_chars(message, MSG1_SIZE);
chars_to_crypto_chars(message, MSG1_SIZE);
}
else
{
close nsl_pub_msg1(sender, receiver, s_nonce_cg);
}
@*/
//@ close nsl_pub(cg_enc);
//@ leak nsl_pub(cg_enc);
//@ public_cryptogram(encrypted, cg_enc);
// Send the message
net_send(socket, encrypted, size);
zeroize(message, MSG1_SIZE);
//@ close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
//@ close principal(sender, _);
}
void sender_msg2(int* socket, havege_state* havege_state, pk_context* s_context,
int sender, int recvr, char* s_nonce, char* r_nonce)
/*@ requires GENERAL_PRE(sender) &*&
pk_context_with_key(s_context, pk_private,
sender, ?s_id, 8 * KEY_SIZE) &*&
pk_context_with_key(?r_context, pk_public,
recvr, ?r_id, 8 * KEY_SIZE) &*&
cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*&
s_nonce_cg == cg_nonce(sender, _) &*&
cg_info(s_nonce_cg) == int_pair(1, int_pair(recvr, r_id)) &*&
chars(r_nonce, NONCE_SIZE, _); @*/
/*@ ensures GENERAL_POST(sender) &*&
pk_context_with_key(s_context, pk_private,
sender, s_id, 8 * KEY_SIZE) &*&
pk_context_with_key(r_context, pk_public,
recvr, r_id, 8 * KEY_SIZE) &*&
cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg) &*&
SENDER_INTER; @*/
{
//@ open principal(sender, _);
unsigned int size;
char message[MSG2_SIZE];
char encrypted[KEY_SIZE];
// Receive the message
net_recv(socket, encrypted, KEY_SIZE);
//@ assert chars(encrypted, KEY_SIZE, ?enc_cs);
//@ interpret_asym_encrypted(encrypted, KEY_SIZE);
//@ assert cryptogram(encrypted, KEY_SIZE, ?enc_ccs, ?enc_cg);
// Decrypt the message
/*@ produce_function_pointer_chunk random_function(random_stub_nsl)
(havege_state_initialized)(state, out, len) { call(); } @*/
//@ close random_state_predicate(havege_state_initialized);
//@ structure st = known_value(0, cs_to_ccs(identifier(recvr)));
//@ close decryption_pre(false, false, sender, st, enc_ccs);
if (pk_decrypt(s_context, encrypted, KEY_SIZE, message,
&size, MSG2_SIZE, random_stub_nsl, havege_state) != 0)
abort();
if (size != MSG2_SIZE)
abort();
//@ public_cryptogram(encrypted, enc_cg);
//@ assert enc_cg == cg_asym_encrypted(?p, ?c, ?pay, ?ent);
//@ assert u_integer(&size, MSG2_SIZE);
/*@ open decryption_post(false, ?garbage, sender,
st, sender, s_id, ?dec_ccs); @*/
//@ assert crypto_chars(?kind, message, MSG2_SIZE, dec_ccs);
//@ crypto_chars_split(message, ID_SIZE);
//@ crypto_chars_split((void*) message + ID_SIZE, NONCE_SIZE);
//@ assert crypto_chars(kind, message, ID_SIZE, ?id_ccs);
//@ assert crypto_chars(kind, (void*) message + ID_SIZE, NONCE_SIZE, ?s_ccs);
/*@ assert crypto_chars(kind, (void*) message + ID_SIZE + NONCE_SIZE,
NONCE_SIZE, ?r_ccs); @*/
//@ append_assoc(id_ccs, s_ccs, r_ccs);
//@ take_append(ID_SIZE, id_ccs, append(s_ccs, r_ccs));
//@ drop_append(ID_SIZE, id_ccs, append(s_ccs, r_ccs));
//@ take_append(NONCE_SIZE, s_ccs, r_ccs);
//@ drop_append(NONCE_SIZE, s_ccs, r_ccs);
// Interpret the message
//@ open [_]nsl_pub(enc_cg);
//@ assert [_]nsl_pub_msg_sender(?recvr2);
/*@ if (col || garbage)
{
crypto_chars_to_chars(message, ID_SIZE);
crypto_chars_to_chars((void*) message + ID_SIZE, NONCE_SIZE);
chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
crypto_chars_to_chars((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE);
chars_to_crypto_chars((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE);
}
else
{
if (bad(sender) || bad(recvr2))
{
assert [_]public_ccs(dec_ccs);
public_ccs_split(dec_ccs, ID_SIZE);
public_ccs_split(append(s_ccs, r_ccs), NONCE_SIZE);
public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
}
else
{
assert [_]nsl_pub_msg2(sender, recvr2, ?s_nonce_cg2, ?s_nonce_ccs2,
?r_nonce_cg, _, _, _, ?pub_ns);
take_append(ID_SIZE, cs_to_ccs(identifier(recvr2)),
append(s_nonce_ccs2, ccs_for_cg(r_nonce_cg)));
drop_append(ID_SIZE, cs_to_ccs(identifier(recvr2)),
append(s_nonce_ccs2, ccs_for_cg(r_nonce_cg)));
take_append(NONCE_SIZE, s_nonce_ccs2, ccs_for_cg(r_nonce_cg));
drop_append(NONCE_SIZE, s_nonce_ccs2, ccs_for_cg(r_nonce_cg));
if (pub_ns)
{
public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
}
else
{
close memcmp_secret((void*) message + ID_SIZE, NONCE_SIZE,
ccs_for_cg(s_nonce_cg2), s_nonce_cg2);
}
}
public_crypto_chars(message, ID_SIZE);
}
@*/
//@ chars_to_crypto_chars(message, ID_SIZE);
/*@ close check_identifier_ghost_args(false, garbage, sender,
s_id, append(s_ccs, r_ccs)); @*/
check_identifier(message, recvr);
//@ open cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
//@ close memcmp_secret(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
if (memcmp((void*) message + ID_SIZE, s_nonce, NONCE_SIZE) != 0) abort();
memcpy(r_nonce, (void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE);
//@ assert id_ccs == cs_to_ccs(identifier(recvr));
//@ assert s_ccs == s_nonce_ccs;
//@ cryptogram r_nonce_cg = ccs_for_cg_sur(r_ccs, tag_nonce);
//@ close sender_inter(r_ccs, r_nonce_cg);
/*@ if (!col && !garbage)
{
if (bad(sender) || bad(recvr2))
{
assert [_]public_ccs(dec_ccs);
public_ccs_split(dec_ccs, ID_SIZE);
public_ccs_split(append(s_nonce_ccs, r_ccs), NONCE_SIZE);
public_crypto_chars(r_nonce, NONCE_SIZE);
chars_to_crypto_chars(r_nonce, NONCE_SIZE);
public_ccs_cg(s_nonce_cg);
open [_]nsl_pub(s_nonce_cg);
crypto_chars_to_chars((void*) message + ID_SIZE, NONCE_SIZE);
chars_to_secret_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
}
else
{
assert dec_ccs == pay;
assert sender == p;
assert s_id == c;
assert [_]nsl_pub_msg2(sender, recvr2, ?s_nonce_cg2, ?s_nonce_ccs2,
?r_nonce_cg2, ?p_inst, ?p2, ?c2, ?pub_ns);
cs_to_ccs_inj(identifier(recvr2), identifier(recvr));
assert identifier(recvr) == identifier(recvr2);
equal_identifiers(recvr, recvr2);
if (pub_ns)
{
public_ccs_cg(s_nonce_cg);
open [_]nsl_pub(s_nonce_cg);
assert false;
}
ccs_for_cg_inj(r_nonce_cg2, r_nonce_cg);
close cryptogram(r_nonce, NONCE_SIZE, r_ccs, r_nonce_cg2);
ccs_for_cg_inj(s_nonce_cg, s_nonce_cg2);
assert c2 == r_id;
}
}
@*/
//@ close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
//@ crypto_chars_join((void*) message + ID_SIZE);
zeroize((void*) message + ID_SIZE, 2 * NONCE_SIZE);
//@ crypto_chars_to_chars(message, ID_SIZE);
//@ chars_join(message);
//@ close principal(sender, _);
}
void sender_msg3(int* socket, havege_state* havege_state, pk_context* r_context,
int sender, char* r_nonce)
/*@ requires GENERAL_PRE(sender) &*&
pk_context_with_key(r_context, pk_public,
?recvr, ?r_id, 8 * KEY_SIZE) &*&
SENDER_INTER; @*/
/*@ ensures GENERAL_POST(sender) &*&
pk_context_with_key(r_context, pk_public,
recvr, r_id, 8 * KEY_SIZE) &*&
col || bad(sender) || bad(recvr) ?
chars(r_nonce, NONCE_SIZE, ?r_nonce_cs) &*&
r_nonce_ccs == cs_to_ccs(r_nonce_cs)
:
cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); @*/
{
//@ open principal(sender, _);
unsigned int size;
char message[MSG3_SIZE];
char encrypted[KEY_SIZE];
// Construct the message
//@ open sender_inter(r_nonce_ccs, r_nonce_cg);
//@ bool condition = col || bad(sender) || bad(recvr);
/*@ if (!condition)
open cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
else
{
crypto_chars_to_chars(r_nonce, NONCE_SIZE);
public_chars(r_nonce, NONCE_SIZE);
chars_to_secret_crypto_chars(r_nonce, NONCE_SIZE);
}
@*/
memcpy((void*) message, r_nonce, NONCE_SIZE);
/*@ if (!condition)
close cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
else
public_crypto_chars(r_nonce, NONCE_SIZE);
@*/
// Encrypt the message
/*@ produce_function_pointer_chunk random_function(random_stub_nsl)
(havege_state_initialized)(state, out, len) { call(); } @*/
//@ close random_state_predicate(havege_state_initialized);
if (pk_encrypt(r_context, message, MSG3_SIZE, encrypted, &size,
KEY_SIZE, random_stub_nsl, havege_state) != 0)
abort();
//@ assert u_integer(&size, ?size_val);
//@ assert cryptogram(encrypted, size_val, ?cs_enc, ?cg_enc);
// Proof the message is public
//@ close nsl_pub_msg_sender(sender);
//@ leak nsl_pub_msg_sender(sender);
//@ if (!condition) close nsl_pub_msg3(sender, recvr, r_nonce_cg);
//@ close nsl_pub(cg_enc);
//@ leak nsl_pub(cg_enc);
//@ public_cryptogram(encrypted, cg_enc);
// Send the message
net_send(socket, encrypted, size);
zeroize(message, MSG3_SIZE);
//@ close principal(sender, _);
}
struct item *asymmetric_decryption(struct item *key, struct item *item, char tag)
/*@ requires [?f]world(?pub, ?key_clsfy) &*& true == valid_tag(tag) &*&
principal(?principal1, ?count1) &*&
item(item, ?enc, pub) &*& item(key, ?k, pub) &*&
enc == asymmetric_encrypted_item(?principal2, ?count2,
?pay, ?ent) &*&
k == private_key_item(?principal3, ?count3); @*/
/*@ ensures [f]world(pub, key_clsfy) &*&
principal(principal1, count1 + 1) &*&
item(item, enc, pub) &*& item(key, k, pub) &*&
item(result, ?dec, pub) &*& tag_for_item(dec) == tag &*&
col ?
[_]pub(dec)
: principal2 != principal3 || count2 != count3 ?
true == key_clsfy(principal3, count3, false) &*&
[_]pub(dec)
:
switch(pay)
{
case some(dec2):
return dec == dec2;
case none:
return false;
}; @*/
{
struct item* result = 0;
debug_print("DECRYPTING:\n");
print_item(item);
check_is_asymmetric_encrypted(item);
{
pk_context context;
unsigned int olen;
char output[MAX_PACKAGE_SIZE];
// Key
//@ close pk_context(&context);
//@ open [f]world(pub, key_clsfy);
pk_init(&context);
//@ close [f]world(pub, key_clsfy);
set_private_key(&context, key);
//@ open [f]world(pub, key_clsfy);
/*@ assert pk_context_with_key(&context, pk_private,
?principal, ?count, RSA_BIT_KEY_SIZE); @*/
// Decryption
//@ open item(item, enc, pub);
/*@ assert enc == asymmetric_encrypted_item(principal2, count2,
pay, ent); @*/
//@ open [_]item_constraints(enc, ?enc_cs, pub);
//@ assert [_]ic_parts(enc)(?enc_tag, ?enc_cont);
//@ assert enc_cs == append(enc_tag, enc_cont);
//@ open [_]ic_cg(enc)(_, ?enc_cg);
//@ assert enc_cg == cg_asym_encrypted(principal2, count2, ?cs_pay, ent);
if (item->size - TAG_LENGTH > RSA_KEY_SIZE ||
item->size - TAG_LENGTH < MINIMAL_STRING_SIZE)
abort_crypto_lib("Asymmetric decryption failed: incorrect sizes");
//@ assert item->content |-> ?i_cont &*& item->size |-> ?i_size;
//@ crypto_chars_split(i_cont, TAG_LENGTH);
//@ drop_append(TAG_LENGTH, enc_tag, enc_cont);
//@ assert crypto_chars(secret, i_cont + TAG_LENGTH, i_size - TAG_LENGTH, enc_cont);
//@ if (col) enc_cg = chars_for_cg_sur(enc_cont, tag_asym_encrypted);
//@ if (col) public_crypto_chars_extract(i_cont + TAG_LENGTH, enc_cg);
//@ close cryptogram(i_cont + TAG_LENGTH, i_size - TAG_LENGTH, enc_cont, enc_cg);
void *random_state = nonces_expose_state();
//@ close random_state_predicate(havege_state_initialized);
/*@ produce_function_pointer_chunk random_function(
asym_enc_havege_random_stub)
(havege_state_initialized)(state, out, len) { call(); } @*/
//@ open principal(principal1, count1);
//@ structure s = known_value(0, full_tag(tag));
//@ close decryption_pre(false, false, principal1, s, enc_cont);
if(pk_decrypt(&context, item->content + TAG_LENGTH,
(unsigned int) item->size - TAG_LENGTH,
output, &olen, MAX_PACKAGE_SIZE,
asym_enc_havege_random_stub, random_state) != 0)
abort_crypto_lib("Decryption failed");
/*@ open decryption_post(false, ?garbage, principal1,
s, ?p_key, ?c_key, ?cs_out); @*/
//@ assert u_integer(&olen, ?size_out);
//@ pk_release_context_with_key(&context);
//@ open cryptogram(i_cont + TAG_LENGTH, i_size - TAG_LENGTH, enc_cont, enc_cg);
pk_free(&context);
//@ open pk_context(&context);
nonces_hide_state(random_state);
//@ assert chars((void*)output + size_out, MAX_PACKAGE_SIZE - size_out, ?cs_rest);
result = malloc(sizeof(struct item));
if (result == 0) {abort_crypto_lib("Malloc failed");}
result->size = (int) olen;
if ((int) olen <= MINIMAL_STRING_SIZE)
abort_crypto_lib("Decryption: Incorrect size");
result->content = malloc(result->size);
if (result->content == 0) {abort_crypto_lib("Malloc failed");}
//@ close [f]world(pub, key_clsfy);
//@ assert u_integer(&olen, ?olen_val);
//@ assert crypto_chars(_, output, olen_val, cs_out);
//@ crypto_chars_split(output, TAG_LENGTH);
//@ assert crypto_chars(_, output, TAG_LENGTH, ?cs_tag);
//@ assert crypto_chars(_, (void*) output + TAG_LENGTH, olen_val - TAG_LENGTH, ?cs_i);
/*@ if (col)
{
crypto_chars_to_chars(output, TAG_LENGTH);
chars_to_crypto_chars(output, TAG_LENGTH);
}
else if (!garbage)
{
switch(pay)
{
case some(pay1):
open [_]item_constraints(pay1, cs_out, pub);
case none:
open [_]ill_formed_item_chars(enc)(cs_out);
public_generated_split(polarssl_pub(pub), cs_out, TAG_LENGTH);
}
public_crypto_chars(output, TAG_LENGTH);
}
@*/
//@ close check_tag2_ghost_args(false, garbage, p_key, c_key, cs_i);
check_tag2(output, tag);
//@ if (!garbage) chars_to_secret_crypto_chars(output, TAG_LENGTH);
//@ crypto_chars_join(output);
memcpy(result->content, output, olen);
//@ assert result->content |-> ?cont;
//@ assert crypto_chars(?kind, cont, olen_val, cs_out);
zeroize(output, (int) olen);
//@ close item(item, enc, pub);
//@ assert enc == asymmetric_encrypted_item(principal2, count2, pay, ent);
//@ assert col || enc_cg == cg_asym_encrypted(principal2, count2, cs_pay, ent);
/*@ if (col)
{
crypto_chars_to_chars(cont, olen_val);
public_chars(cont, olen_val);
chars_to_crypto_chars(cont, olen_val);
}
else if (garbage)
{
assert true == key_clsfy(principal3, count3, false);
public_chars(cont, olen_val);
chars_to_crypto_chars(cont, olen_val);
}
else
{
assert principal2 == principal3;
assert count2 == count3;
assert cs_out == cs_pay;
switch(pay)
{
case some(pay1):
assert [_]item_constraints(pay1, cs_out, pub);
case none:
open [_]ill_formed_item_chars(enc)(cs_out);
assert [_]public_generated(polarssl_pub(pub))(cs_out);
public_crypto_chars(cont, olen_val);
chars_to_crypto_chars(cont, olen_val);
}
}
@*/
parse_item(result->content, (int) olen);
/*@ if (col || garbage)
{
retreive_proof_obligations();
deserialize_item(cs_out, pub);
leak proof_obligations(pub);
chars_to_secret_crypto_chars(cont, olen_val);
}
@*/
//@ open [_]item_constraints(?dec, cs_out, pub);
//@ assert [_]ic_parts(dec)(?dec_tag, ?dec_cont);
//@ take_append(TAG_LENGTH, dec_tag, dec_cont);
//@ drop_append(TAG_LENGTH, dec_tag, dec_cont);
//@ assert dec_tag == full_tag(tag);
//@ assert tag_for_item(dec) == tag;
//@ close item(result, dec, pub);
}
return result;
}
void attacker_send_decrypted(havege_state *havege_state, void* socket)
//@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
//@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
int temp;
int size1;
int size2;
char buffer1[MAX_MESSAGE_SIZE];
char buffer2[MAX_MESSAGE_SIZE];
char buffer3[MAX_MESSAGE_SIZE];
aes_context aes_context;
char iv[16];
size_t iv_off = 0;
//@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE);
size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE);
if (size1 <= 0 || size2 < MINIMAL_STRING_SIZE ||
(size1 != 16 && size1 != 24 && size1 != 32))
{
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
return;
}
//@ close aes_context(&aes_context);
//@ interpret_symmetric_key(buffer1, size1);
//@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key);
//@ assert cg_key == cg_symmetric_key(?p, ?c);
if (aes_setkey_enc(&aes_context, buffer1, (unsigned int) size1 * 8) == 0)
{
if (get_iv(havege_state, iv) == 0)
{
//@ assert crypto_chars(normal, iv, 16, ?ccs_iv);
//@ interpret_encrypted(buffer2, size2);
//@ open cryptogram(buffer2, size2, ?ccs2, ?cg_enc);
//@ close cryptogram(buffer2, size2, ccs2, cg_enc);
//@ assert cg_enc == cg_encrypted(?p2, ?c2, ?ccs_output2, ?ccs_iv2);
//@ structure s = known_value(0, nil);
//@ close decryption_pre(true, false, attacker, s, ccs2);
int success = aes_crypt_cfb128(&aes_context, AES_DECRYPT,
(unsigned int) size2, &iv_off, iv,
buffer2, buffer3);
if (success == 0) zeroize(iv, 16);
//@ if (success == 0) chars_to_crypto_chars(iv, 16);
//@ open decryption_post(true, ?garbage, attacker, s, p, c, ?ccs_output);
/*@ if (garbage)
{
assert is_public_key_classifier(?proof, _, _, _);
proof(cg_key, p, c, true);
decryption_garbage(buffer3, size2, s);
}
else if (success == 0)
{
assert crypto_chars(secret, buffer3, size2, ccs_output);
assert ccs_output == ccs_output2;
assert ccs_iv == ccs_iv2;
assert ccs2 == ccs_for_cg(cg_enc);
public_ccs_cg(cg_enc);
assert [_]pub(cg_enc);
assert is_public_decryption_is_public(?proof2, pub, pred);
proof2(cg_key, cg_enc);
public_crypto_chars(buffer3, size2);
chars_to_crypto_chars(buffer3, size2);
}
@*/
//@ crypto_chars_to_chars(buffer3, size2);
net_send(socket, buffer3, (unsigned int) size2);
//@ public_cryptogram(buffer2, cg_enc);
}
aes_free(&aes_context);
//@ crypto_chars_to_chars(iv, 16);
}
//@ open aes_context(&aes_context);
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
//@ public_cryptogram(buffer1, cg_key);
}
int main(int argc, char **argv) //@ : main_full(main_app)
//@ requires module(main_app, true);
//@ ensures true;
{
pthread_t a_thread;
havege_state havege_state;
printf("\n\tExecuting \"");
printf("enc_then_hmac protocol");
printf("\" ... \n\n");
//@ PROTOCOL_INIT(enc_then_hmac)
//@ int attacker = principal_create();
//@ int sender = principal_create();
//@ int receiver = principal_create();
//@ assume (!bad(sender) && !bad(receiver));
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ assume (bad(attacker));
//@ close pthread_run_pre(attacker_t)(NULL, some(attacker));
pthread_create(&a_thread, NULL, &attacker_t, NULL);
int i = 0;
#ifdef EXECUTE
while (i++ < 10)
#else
while (true)
#endif
/*@ invariant [_]public_invar(enc_then_hmac_pub) &*&
[_]decryption_key_classifier(enc_then_hmac_public_key) &*&
!bad(sender) && !bad(receiver) &*&
havege_state_initialized(&havege_state) &*&
principal(sender, ?count) &*& principal(receiver, _);
@*/
{
char* enc_key;
char* hmac_key;
int temp;
enc_key = malloc(KEY_SIZE);
if (enc_key == 0) abort();
hmac_key = malloc(KEY_SIZE);
if (hmac_key == 0) abort();
//@ open principal(sender, _);
//@ close random_request(sender, 0, true);
if (havege_random(&havege_state, enc_key, KEY_SIZE) != 0) abort();
//@ assume (shared_with(sender, count + 1) == receiver);
//@ assert cryptogram(enc_key, KEY_SIZE, ?enc_cs_key, ?enc_cg_key);
//@ assert enc_cg_key == cg_symmetric_key(sender, count + 1);
//@ close random_request(sender, count + 1, true);
if (havege_random(&havege_state, hmac_key, KEY_SIZE) != 0) abort();
//@ assume (shared_with(sender, count + 2) == receiver);
//@ assert cryptogram(hmac_key, KEY_SIZE, ?hmac_cs_key, ?hmac_cg_key);
//@ assert hmac_cg_key == cg_symmetric_key(sender, count + 2);
{
pthread_t s_thread, r_thread;
struct enc_then_hmac_args s_args;
struct enc_then_hmac_args r_args;
char s_message[MSG_LEN];
char r_message[MAX_SIZE];
//@ assert chars(s_message, MSG_LEN, ?msg_cs);
//@ public_chars(s_message, MSG_LEN);
//@ chars_to_secret_crypto_chars(s_message, MSG_LEN);
//@ s_args.sender = sender;
//@ s_args.receiver = receiver;
s_args.enc_key = enc_key;
s_args.hmac_key = hmac_key;
s_args.msg = s_message;
//@ assume (send(sender, receiver, msg_cs) == true);
//@ r_args.sender = sender;
//@ r_args.receiver = receiver;
r_args.enc_key = enc_key;
r_args.hmac_key = hmac_key;
r_args.msg = r_message;
//@ close principal(sender, _);
//@ close pthread_run_pre(sender_t)(&s_args, ?s_data);
//@ close pthread_run_pre(receiver_t)(&r_args, ?r_data);
pthread_create(&r_thread, NULL, &receiver_t, &r_args);
pthread_create(&s_thread, NULL, &sender_t, &s_args);
pthread_join(s_thread, NULL);
//@ open pthread_run_post(sender_t)(&s_args, s_data);
pthread_join(r_thread, NULL);
//@ open pthread_run_post(receiver_t)(&r_args, r_data);
//@ open [1/2]cryptogram(enc_key, KEY_SIZE, enc_cs_key, _);
//@ open [1/2]cryptogram(enc_key, KEY_SIZE, enc_cs_key, _);
//@ open [1/2]cryptogram(hmac_key, KEY_SIZE, hmac_cs_key, _);
//@ open [1/2]cryptogram(hmac_key, KEY_SIZE, hmac_cs_key, _);
if (r_args.length != MSG_LEN)
abort();
//@ public_crypto_chars(s_message, MSG_LEN);
#ifdef EXECUTE
if (memcmp(s_message, r_message, MSG_LEN) != 0)
abort();
#endif
//@ open principal(sender, _);
//@ close principal(sender, _);
zeroize(r_message, r_args.length);
}
zeroize(enc_key, KEY_SIZE);
free((void*) enc_key);
zeroize(hmac_key, KEY_SIZE);
free((void*) hmac_key);
printf(" |%i| ", i);
}
printf("\n\n\t\tDone\n");
return 0;
}
struct item *asymmetric_signature(struct item *key, struct item *payload)
/*@ requires [?f]world(?pub, ?key_clsfy) &*&
principal(?principal1, ?count1) &*&
item(payload, ?pay, pub) &*& item(key, ?k, pub) &*&
k == private_key_item(?principal2, ?count2); @*/
/*@ ensures [f]world(pub, key_clsfy) &*&
principal(principal1, count1 + 1) &*&
item(payload, pay, pub) &*& item(key, k, pub) &*&
item(result, ?sig, pub) &*&
col ? true :
sig == asymmetric_signature_item(principal2, count2,
some(pay), ?ent); @*/
{
debug_print("ASYM SIGNING:\n");
print_item(payload);
struct item* result;
result = malloc(sizeof(struct item));
if (result == 0) abort_crypto_lib("Malloc failed");
debug_print("signing item\n");
print_item(payload);
print_item(key);
{
pk_context context;
unsigned int olen;
char* output;
// Key
//@ close pk_context(&context);
//@ open [f]world(pub, key_clsfy);
pk_init(&context);
//@ close [f]world(pub, key_clsfy);
set_private_key(&context, key);
//@ open [f]world(pub, key_clsfy);
/*@ assert pk_context_with_key(&context, pk_private,
?principal, ?count, RSA_BIT_KEY_SIZE); @*/
//@ assert col || principal == principal2;
//@ assert col || count == count2;
// Payload
//@ open item(payload, pay, pub);
//@ open [_]item_constraints(pay, ?pay_cs, pub);
//@ assert payload->content |-> ?p_cont &*& payload->size |-> ?p_size;
if (payload->size > RSA_KEY_SIZE)
abort_crypto_lib("Assymetric signing failed: incorrect size");
output = malloc(RSA_KEY_SIZE);
if (output == 0) abort_crypto_lib("Malloc failed");
void *random_state = nonces_expose_state();
//@ close random_state_predicate(havege_state_initialized);
/*@ produce_function_pointer_chunk random_function(
asym_sig_havege_random_stub)
(havege_state_initialized)(state, out, len) { call(); } @*/
//@ open principal(principal1, count1);
if(pk_sign(&context, POLARSSL_MD_NONE,
payload->content, (unsigned int) payload->size,
output, &olen,
asym_sig_havege_random_stub, random_state) != 0)
abort_crypto_lib("Signing failed");
//@ open principal(principal1, count1 + 1);
//@ open cryptogram(output, ?sig_length, ?sig_cs, ?sig_cg);
//@ assert sig_cg == cg_asym_signature(principal, count, pay_cs, ?ent);
//@ assert u_integer(&olen, sig_length);
//@ assert sig_length > 0 &*& sig_length <= RSA_KEY_SIZE;
nonces_hide_state(random_state);
//@ pk_release_context_with_key(&context);
pk_free(&context);
//@ open pk_context(&context);
//@ close [f]world(pub, key_clsfy);
debug_print("signed item\n");
print_buffer(output, (int) olen);
// Create item
if (olen < MINIMAL_STRING_SIZE)
abort_crypto_lib("Assymetric signing failed: output to small");
result->size = TAG_LENGTH + (int) olen;
result->content = malloc(result->size);
if (result->content == 0) {abort_crypto_lib("Malloc failed");}
write_tag(result->content, TAG_ASYMMETRIC_SIG);
//@ assert result->content |-> ?cont &*& result->size |-> ?size;
//@ assert chars(cont, TAG_LENGTH, ?tag_cs);
//@ assert tag_cs == full_tag(TAG_ASYMMETRIC_SIG);
//@ public_chars(cont, TAG_LENGTH);
//@ chars_to_secret_crypto_chars(cont, TAG_LENGTH);
memcpy(result->content + TAG_LENGTH, output, olen);
//@ crypto_chars_join(cont);
//@ list<char> cs = append(tag_cs, sig_cs);
//@ assert crypto_chars(secret, cont, size, cs);
//@ item e = asymmetric_signature_item(principal, count, some(pay), ent);
//@ close ic_cg(e)(sig_cs, sig_cg);
/*@ if (col)
{
public_chars(cont, size);
public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH);
}
@*/
//@ close item(payload, pay, pub);
zeroize(output, (int) olen);
//@ chars_join(output);
free(output);
//@ WELL_FORMED(tag_cs, sig_cs, TAG_ASYMMETRIC_SIG)
//@ close ic_parts(e)(tag_cs, sig_cs);
//@ close well_formed_item_chars(e)(pay_cs);
//@ leak well_formed_item_chars(e)(pay_cs);
//@ close item_constraints(e, cs, pub);
//@ leak item_constraints(e, cs, pub);
//@ close item(result, e, pub);
}
debug_print("SINGING RESULT:\n");
print_item(result);
return result;
}
int main(int argc, char **argv) //@ : main_full(main_app)
//@ requires module(main_app, true);
//@ ensures true;
{
pthread_t a_thread;
havege_state havege_state;
printf("\n\tExecuting \"");
printf("yahalom protocol");
printf("\" ... \n\n");
//@ PROTOCOL_INIT(yahalom)
//@ int server = principal_create();
//@ assert server == 1;
//@ int sender = principal_create();
//@ assert sender == 2;
//@ int receiver = principal_create();
//@ assert receiver == 3;
//@ int attacker = principal_create();
//@ assume (bad(attacker));
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ assume (bad(attacker));
//@ close pthread_run_pre(attacker_t)(NULL, some(attacker));
pthread_create(&a_thread, NULL, &attacker_t, NULL);
int i = 0;
#ifdef EXECUTE
while (i++ < 10)
#else
while (true)
#endif
/*@ invariant [_]public_invar(yahalom_pub) &*&
[_]decryption_key_classifier(yahalom_public_key) &*&
havege_state_initialized(&havege_state) &*&
principal(server, ?serv_count) &*&
principal(sender, ?send_count) &*&
principal(receiver, ?rcvr_count);
@*/
{
char s_key[KEY_SIZE];
char r_key[KEY_SIZE];
char key1[KEY_SIZE];
char key2[KEY_SIZE];
//@ open principal(sender, _);
//@ close random_request(sender, int_pair(3, server), true);
if (havege_random(&havege_state, s_key, KEY_SIZE) != 0) abort();
//@ close principal(sender, _);
//@ assert cryptogram(s_key, KEY_SIZE, ?cs_s_key, ?cg_s_key);
//@ assert cg_s_key == cg_symmetric_key(sender, send_count + 1);
//@ open principal(receiver, _);
//@ close random_request(receiver, int_pair(3, server), true);
if (havege_random(&havege_state, r_key, KEY_SIZE) != 0) abort();
//@ close principal(receiver, _);
//@ assert cryptogram(r_key, KEY_SIZE, ?cs_r_key, ?cg_r_key);
//@ assert cg_r_key == cg_symmetric_key(receiver, rcvr_count + 1);
{
pthread_t serv_thread, s_thread, r_thread;
struct yahalom_args serv_args, s_args, r_args;
serv_args.server = 1;
serv_args.sender = 2;
serv_args.receiver = 3;
serv_args.s_key = s_key;
serv_args.r_key = r_key;
s_args.server = 1;
s_args.sender = 2;
s_args.receiver = 3;
s_args.s_key = s_key;
s_args.key = key1;
r_args.server = 1;
r_args.sender = 2;
r_args.receiver = 3;
r_args.r_key = r_key;
r_args.key = key2;
//@ close pthread_run_pre(server_t)(&serv_args, ?serv_data);
pthread_create(&serv_thread, NULL, &server_t, &serv_args);
//@ close pthread_run_pre(sender_t)(&s_args, ?s_data);
pthread_create(&s_thread, NULL, &sender_t, &s_args);
//@ close pthread_run_pre(receiver_t)(&r_args, ?r_data);
pthread_create(&r_thread, NULL, &receiver_t, &r_args);
pthread_join(serv_thread, NULL);
//@ open pthread_run_post(server_t)(&serv_args, serv_data);
pthread_join(s_thread, NULL);
//@ open pthread_run_post(sender_t)(&s_args, s_data);
pthread_join(r_thread, NULL);
//@ open pthread_run_post(receiver_t)(&r_args, r_data);
}
//@ open cryptogram(key1, KEY_SIZE, ?cs_key1, _);
zeroize(key1, KEY_SIZE);
//@ open cryptogram(key2, KEY_SIZE, ?cs_key2, _);
zeroize(key2, KEY_SIZE);
//@ open [1/2]cryptogram(s_key, KEY_SIZE, _, _);
//@ open [1/2]cryptogram(s_key, KEY_SIZE, _, _);
zeroize(s_key, KEY_SIZE);
//@ open [1/2]cryptogram(r_key, KEY_SIZE, _, _);
//@ open [1/2]cryptogram(r_key, KEY_SIZE, _, _);
zeroize(r_key, KEY_SIZE);
printf(" |%i| ", i);
}
printf("\n\n\t\tDone\n");
return 0;
}
void zeroize_stack(void)
{
unsigned char m[ZEROIZE_STACK_SIZE];
zeroize(m, sizeof m);
}
void sender(char *enc_key, char *hmac_key, char *msg, unsigned int msg_len)
/*@ requires [_]public_invar(enc_then_hmac_pub) &*&
principal(?sender, _) &*&
[?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*&
[?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*&
enc_key_cg == cg_symmetric_key(sender, ?enc_id) &*&
hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*&
cg_info(hmac_key_cg) == enc_id &*&
shared_with(sender, enc_id) == shared_with(sender, hmac_id) &*&
[?f3]crypto_chars(secret, msg, msg_len, ?msg_ccs) &*&
MAX_SIZE >= msg_len &*& msg_len >= MINIMAL_STRING_SIZE &*&
bad(sender) || bad(shared_with(sender, enc_id)) ?
[_]public_ccs(msg_ccs)
:
true == send(sender, shared_with(sender, enc_id), msg_ccs); @*/
/*@ ensures principal(sender, _) &*&
[f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*&
[f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*&
[f3]crypto_chars(secret, msg, msg_len, msg_ccs); @*/
{
//@ open principal(sender, _);
int socket;
havege_state havege_state;
char iv[16];
unsigned int iv_off = 0;
char hmac[64];
aes_context aes_context;
net_usleep(20000);
if(net_connect(&socket, NULL, SERVER_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
{
int message_len = 16 + (int) msg_len + 64;
char* message = malloc(message_len);
if (message == 0) abort();
// IV stuff
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ close random_request(sender, 0, false);
if (havege_random(&havege_state, iv, 16) != 0) abort();
//@ open cryptogram(iv, 16, ?iv_ccs, ?iv_cg);
//@ close enc_then_hmac_pub(iv_cg);
//@ leak enc_then_hmac_pub(iv_cg);
memcpy(message, iv, 16);
//@ close cryptogram(message, 16, iv_ccs, iv_cg);
//@ public_cryptogram(message, iv_cg);
//@ assert chars(message, 16, ?iv_cs);
//@ public_chars(message, 16);
havege_free(&havege_state);
//@ open havege_state(&havege_state);
// encrypt
//@ close aes_context(&aes_context);
if (aes_setkey_enc(&aes_context, enc_key,
(unsigned int) (KEY_SIZE * 8)) != 0)
abort();
if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT, msg_len,
&iv_off, iv, msg, message + 16) != 0)
abort();
//@ open cryptogram(message + 16, msg_len, ?enc_ccs, ?enc_cg);
//@ close cryptogram(message + 16, msg_len, enc_ccs, enc_cg);
//@ close enc_then_hmac_pub(enc_cg);
//@ leak enc_then_hmac_pub(enc_cg);
//@ public_cryptogram(message + 16, enc_cg);
//@ assert chars(message + 16, msg_len, ?enc_cs);
//@ public_chars(message + 16, msg_len);
//@ assert chars(message, 16 + msg_len, append(iv_cs, enc_cs));
//@ assert enc_cg == cg_encrypted(sender, enc_id, msg_ccs, iv_ccs);
zeroize(iv, 16);
aes_free(&aes_context);
//@ open aes_context(&aes_context);
// hmac
//@ chars_to_crypto_chars(message, 16 + msg_len);
//@ HASH_PUB_PAYLOAD(append(iv_cs, enc_cs))
sha512_hmac(hmac_key, KEY_SIZE, message,
(unsigned int) (16 + (int) msg_len),
message + 16 + (int) msg_len, 0);
//@ assert cryptogram(message + 16 + msg_len, 64, ?hmac_ccs, ?hmac_cg);
//@ cs_to_ccs_append(iv_cs, enc_cs);
//@ assert hmac_cg == cg_hmac(sender, hmac_id, append(iv_ccs, enc_ccs));
/*@ if (!col && !enc_then_hmac_public_key(sender, enc_id, true))
close enc_then_hmac_pub_1(enc_id, msg_ccs, iv_ccs); @*/
/*@ if (col || enc_then_hmac_public_key(sender, enc_id, true))
{
assert [_]public_ccs(iv_ccs);
assert [_]public_ccs(enc_ccs);
public_ccs_join(iv_ccs, enc_ccs);
}
@*/
//@ close enc_then_hmac_pub(hmac_cg);
//@ leak enc_then_hmac_pub(hmac_cg);
//@ public_cryptogram(message + 16 + msg_len, hmac_cg);
//@ assert chars(message + 16 + msg_len, 64, ?hmac_cs);
//@ append_assoc(iv_ccs, enc_ccs, hmac_ccs);
//@ append_assoc(iv_cs, enc_cs, hmac_cs);
//@ cs_to_ccs_crypto_chars(message, append(iv_cs, enc_cs));
/*@ assert chars(message, message_len,
append(iv_cs, append(enc_cs, hmac_cs))); @*/
net_send(&socket, message, (unsigned int) message_len);
free(message);
}
net_close(socket);
//@ close principal(sender, _);
}
int receiver(char *enc_key, char *hmac_key, char *msg)
/*@ requires [_]public_invar(enc_then_hmac_pub) &*&
[_]decryption_key_classifier(enc_then_hmac_public_key) &*&
principal(?receiver, _) &*&
[?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*&
[?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*&
enc_key_cg == cg_symmetric_key(?sender, ?enc_id) &*&
hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*&
cg_info(hmac_key_cg) == enc_id &*&
receiver == shared_with(sender, enc_id) &*&
receiver == shared_with(sender, hmac_id) &*&
chars(msg, MAX_SIZE, _); @*/
/*@ ensures principal(receiver, _) &*&
[f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*&
[f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*&
chars(msg + result, MAX_SIZE - result, _) &*&
crypto_chars(?kind, msg, result, ?msg_ccs) &*&
col || bad(sender) || bad(receiver) ||
(kind == secret && send(sender, receiver, msg_ccs)); @*/
{
//@ open principal(receiver, _);
int socket1;
int socket2;
int size;
int enc_size;
char iv[16];
unsigned int iv_off = 0;
char hmac[64];
aes_context aes_context;
if(net_bind(&socket1, NULL, SERVER_PORT) != 0)
abort();
if(net_accept(socket1, &socket2, NULL) != 0)
abort();
if(net_set_block(socket2) != 0)
abort();
{
int max_size = 16 + MAX_SIZE + 64;
char *buffer = malloc (max_size); if (buffer == 0) abort();
size = net_recv(&socket2, buffer, (unsigned int) max_size);
if (size <= 16 + 64) abort();
enc_size = size - 16 - 64;
if (enc_size < MINIMAL_STRING_SIZE) abort();
//@ chars_split(buffer, size);
//@ assert chars(buffer, size, ?all_cs);
//@ close hide_chars((void*) buffer + size, max_size - size, _);
//Verify the hmac
//@ chars_split(buffer, size - 64);
//@ public_chars(buffer + size - 64, 64);
//@ assert chars(buffer + size - 64, 64, ?hmac_cs);
//@ assert chars(buffer, size - 64, ?pay_cs);
//@ chars_to_crypto_chars(buffer, size - 64);
//@ HASH_PUB_PAYLOAD(pay_cs)
sha512_hmac(hmac_key, KEY_SIZE, buffer,
(unsigned int) (size - 64), hmac, 0);
//@ open cryptogram(hmac, 64, ?hmac_ccs, ?hmac_cg);
//@ chars_to_crypto_chars((void*) buffer + size - 64, 64);
//@ close memcmp_secret(hmac, 64, hmac_ccs, hmac_cg);
if (memcmp((void*) buffer + size - 64, hmac, 64) != 0) abort();
/*@ if (!col)
{
public_ccs_cg(hmac_cg);
public_crypto_chars(hmac, 64);
}
else
{
crypto_chars_to_chars(hmac, 64);
}
@*/
//@ assert all_cs == append(pay_cs, hmac_cs);
// IV stuff
//@ cs_to_ccs_crypto_chars(buffer, pay_cs);
//@ chars_split(buffer, 16);
//@ assert chars(buffer, 16, ?iv_cs);
//@ chars_to_crypto_chars(buffer, 16);
//@ assert crypto_chars(normal, buffer, 16, ?iv_ccs);
memcpy(iv, buffer, 16);
//@ cs_to_ccs_crypto_chars(iv, iv_cs);
//@ interpret_nonce(iv, 16);
//@ open cryptogram(iv, 16, iv_ccs, ?iv_cg);
//Decrypt
//@ assert chars(buffer + 16, enc_size, ?enc_cs);
//@ interpret_encrypted(buffer + 16, enc_size);
//@ open cryptogram(buffer + 16, enc_size, ?enc_ccs, ?enc_cg);
//@ close cryptogram(buffer + 16, enc_size, enc_ccs, enc_cg);
//@ assert enc_cg == cg_encrypted(?p2, ?c2, ?dec_ccs2, ?iv_ccs2);
//@ close aes_context(&aes_context);
if (aes_setkey_enc(&aes_context, enc_key,
(unsigned int) (KEY_SIZE * 8)) != 0)
abort();
//@ structure s = known_value(0, dec_ccs2);
//@ close decryption_pre(true, false, receiver, s, enc_ccs);
if (aes_crypt_cfb128(&aes_context, AES_DECRYPT, (unsigned int) enc_size,
&iv_off, iv, buffer + 16, msg) != 0)
abort();
//@ assert pay_cs == append(iv_cs, enc_cs);
//@ cs_to_ccs_append(iv_cs, enc_cs);
zeroize(iv, 16);
aes_free(&aes_context);
//@ open aes_context(&aes_context);
//@ public_cg_ccs(enc_cg);
//@ public_cryptogram(buffer + 16, enc_cg);
/*@ open decryption_post(true, ?garbage, receiver,
s, sender, enc_id, ?dec_ccs); @*/
/*@ if (!col)
{
open [_]enc_then_hmac_pub(hmac_cg);
open [_]enc_then_hmac_pub(enc_cg);
if (!enc_then_hmac_public_key(sender, enc_id, true))
{
assert [_]enc_then_hmac_pub_1(?id, ?dec_ccs3, ?ent);
cryptogram enc_cg3 = cg_encrypted(sender, id, dec_ccs3, ent);
take_append(16, iv_ccs, ccs_for_cg(enc_cg));
take_append(16, ent, ccs_for_cg(enc_cg3));
assert ent == iv_ccs;
drop_append(16, iv_ccs, ccs_for_cg(enc_cg));
drop_append(16, ent, ccs_for_cg(enc_cg3));
assert ccs_for_cg(enc_cg) == ccs_for_cg(enc_cg3);
ccs_for_cg_inj(enc_cg, enc_cg3);
assert dec_ccs2 == dec_ccs3;
close exists(pair(nil, nil));
close has_structure(dec_ccs2, s);
leak has_structure(dec_ccs2, s);
}
}
else
{
crypto_chars_to_chars(msg, enc_size);
chars_to_secret_crypto_chars(msg, enc_size);
}
@*/
//@ if (garbage) decryption_garbage(msg, enc_size, s);
//@ open hide_chars((void*) buffer + size, max_size - size, _);
//@ crypto_chars_to_chars(buffer, 16);
//@ crypto_chars_to_chars(buffer + size - 64, 64);
//@ chars_join(buffer);
//@ chars_join(buffer);
free(buffer);
}
net_close(socket2);
net_close(socket1);
return enc_size;
//@ close principal(receiver, _);
}
void attacker_send_auth_decrypted(havege_state *havege_state, void* socket)
//@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
//@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
int temp;
int size1;
int size2;
char buffer1[MAX_MESSAGE_SIZE];
char buffer2[MAX_MESSAGE_SIZE];
char buffer3[MAX_MESSAGE_SIZE];
gcm_context gcm_context;
char iv[16];
//@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE);
size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE);
if (size1 <= 16 || size2 <= 16 ||
(size1 != 16 && size1 != 24 && size1 != 32))
{
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
return;
}
//@ close gcm_context(&gcm_context);
//@ interpret_symmetric_key(buffer1, size1);
//@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key);
//@ assert cg_key == cg_symmetric_key(?p, ?c);
if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES,
buffer1, (unsigned int) size1 * 8) == 0)
{
if (get_iv(havege_state, iv) == 0)
{
//@ assert crypto_chars(normal, iv, 16, ?ccs_iv);
//@ assert chars(buffer2, size2, ?cs2);
//@ interpret_auth_encrypted(buffer2, size2);
//@ open cryptogram(buffer2, size2, ?ccs2, ?cg_enc);
//@ cs_to_ccs_crypto_chars(buffer2, cs2);
//@ chars_to_crypto_chars(buffer2, size2);
//@ close exists(cg_enc);
//@ assert cg_enc == cg_auth_encrypted(?p2, ?c2, ?ccs_output2, ?ccs_iv2);
//@ crypto_chars_split(buffer2, 16);
if (gcm_auth_decrypt(&gcm_context, (unsigned int) size2 - 16,
iv, 16, NULL, 0, buffer2, 16,
(void*) buffer2 + 16, buffer3) == 0)
{
/*@ if (!col)
{
assert crypto_chars(secret, buffer3, size2 - 16, ?ccs_output);
ccs_output == ccs_output2;
ccs_iv == ccs_iv2;
assert ccs2 == ccs_for_cg(cg_enc);
assert [_]pub(cg_enc);
assert is_public_auth_decryption_is_public(?proof3, pub, pred);
proof3(cg_key, cg_enc);
public_crypto_chars(buffer3, size2 - 16);
chars_to_crypto_chars(buffer3, size2 - 16);
}
@*/
zeroize(iv, 16);
//@ chars_to_crypto_chars(iv, 16);
}
//@ crypto_chars_to_chars(buffer3, size2 - 16);
net_send(socket, buffer3, (unsigned int) size2 - 16);
//@ crypto_chars_to_chars(buffer2, 16);
//@ crypto_chars_to_chars((void*) buffer2 + 16, size2 - 16);
//@ chars_join(buffer2);
}
//@ crypto_chars_to_chars(iv, 16);
gcm_free(&gcm_context);
}
//@ open gcm_context(&gcm_context);
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
//@ public_cryptogram(buffer1, cg_key);
}
void receiver_msg2(int* socket, havege_state* havege_state,
pk_context* s_context, int receiver,
char* s_nonce, char* r_nonce)
/*@ requires GENERAL_PRE(receiver) &*&
pk_context_with_key(?r_context, pk_private,
receiver, ?r_id, 8 * KEY_SIZE) &*&
pk_context_with_key(s_context, pk_public,
?sender, ?s_id, 8 * KEY_SIZE) &*&
RECEIVER_INTER &*&
cryptogram(r_nonce, NONCE_SIZE, ?r_nonce_ccs, ?r_nonce_cg) &*&
r_nonce_cg == cg_nonce(receiver, _) &*&
cg_info(r_nonce_cg) == int_pair(2, int_pair(sender,
int_pair(p_inst, int_pair(p_orig, c_orig)))); @*/
/*@ ensures GENERAL_POST(receiver) &*&
pk_context_with_key(r_context, pk_private,
receiver, r_id, 8 * KEY_SIZE) &*&
pk_context_with_key(s_context, pk_public,
sender, s_id, 8 * KEY_SIZE) &*&
(
col || bad(p_inst) || bad(receiver) ?
chars(s_nonce, NONCE_SIZE, ?s_nonce_cs) &*&
s_nonce_ccs == cs_to_ccs(s_nonce_cs)
:
cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg)
) &*&
cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); @*/
{
//@ open principal(receiver, _);
unsigned int size;
char message[MSG2_SIZE];
char encrypted[KEY_SIZE];
//@ open receiver_inter(p_orig, c_orig, p_inst, s_nonce_ccs, s_nonce_cg);
// Construct the message
write_identifier(message, receiver);
//@ list<crypto_char> rid_ccs = cs_to_ccs(identifier(receiver));
//@ assert crypto_chars(normal, message, ID_SIZE, rid_ccs);
//@ cs_to_ccs_crypto_chars(message, identifier(receiver));
//@ public_chars(message, ID_SIZE);
//@ chars_to_secret_crypto_chars(message, ID_SIZE);
//@ bool condition = col || bad(p_inst) || bad(receiver);
/*@ if (!condition)
open cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
else
{
crypto_chars_to_chars(s_nonce, NONCE_SIZE);
public_chars(s_nonce, NONCE_SIZE);
chars_to_secret_crypto_chars(s_nonce, NONCE_SIZE);
}
@*/
//@ open cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
memcpy((void*) message + ID_SIZE, s_nonce, NONCE_SIZE);
memcpy((void*) message + ID_SIZE + NONCE_SIZE, r_nonce, NONCE_SIZE);
//@ crypto_chars_join(message);
//@ crypto_chars_join(message);
//@ list<crypto_char> msg2 = append(rid_ccs, append(s_nonce_ccs, r_nonce_ccs));
//@ append_assoc(rid_ccs, s_nonce_ccs, r_nonce_ccs);
//@ assert crypto_chars(secret, message, MSG2_SIZE, msg2);
// Encrypt the message
/*@ produce_function_pointer_chunk random_function(random_stub_nsl)
(havege_state_initialized)(state, out, len) { call(); } @*/
//@ close random_state_predicate(havege_state_initialized);
if (pk_encrypt(s_context, message, MSG2_SIZE, encrypted, &size,
KEY_SIZE, random_stub_nsl, havege_state) != 0)
abort();
//@ assert u_integer(&size, ?size_val);
//@ assert cryptogram(encrypted, size_val, ?cs_enc, ?cg_enc);
//@ take_append(ID_SIZE, rid_ccs, append(s_nonce_ccs, r_nonce_ccs));
//@ drop_append(ID_SIZE, rid_ccs, append(s_nonce_ccs, r_nonce_ccs));
//@ take_append(NONCE_SIZE, s_nonce_ccs, r_nonce_ccs);
//@ drop_append(NONCE_SIZE, s_nonce_ccs, r_nonce_ccs);
// Proof the message is public
/*@ if (col || bad(sender) || bad(receiver))
{
assert crypto_chars(secret, message, MSG2_SIZE, msg2);
crypto_chars_split(message, ID_SIZE);
crypto_chars_split((void*) message + ID_SIZE, NONCE_SIZE);
public_crypto_chars((void*) message, ID_SIZE);
public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
close nsl_pub(r_nonce_cg);
leak nsl_pub(r_nonce_cg);
close cryptogram((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE,
r_nonce_ccs, r_nonce_cg);
public_cryptogram((void*) message + ID_SIZE + NONCE_SIZE, r_nonce_cg);
assert chars((void*) message, ID_SIZE, ?rid_cs);
assert chars((void*) message + ID_SIZE, NONCE_SIZE, ?s_nonce_cs);
assert chars((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE, ?r_nonce_cs);
cs_to_ccs_append(rid_cs, s_nonce_cs);
cs_to_ccs_append(append(rid_cs, s_nonce_cs), r_nonce_cs);
chars_join(message);
chars_join(message);
public_chars(message, MSG2_SIZE);
chars_to_secret_crypto_chars(message, MSG2_SIZE);
}
else
{
close nsl_pub_msg2(sender, receiver, s_nonce_cg, s_nonce_ccs, r_nonce_cg,
p_inst, p_orig, c_orig, condition);
}
@*/
//@ close nsl_pub_msg_sender(receiver);
//@ leak nsl_pub_msg_sender(receiver);
//@ close nsl_pub(cg_enc);
//@ leak nsl_pub(cg_enc);
//@ public_cryptogram(encrypted, cg_enc);
// Send the message
net_send(socket, encrypted, size);
zeroize(message, MSG2_SIZE);
/*@ if (!condition)
close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
else
public_crypto_chars(s_nonce, NONCE_SIZE);
@*/
//@ close cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
//@ close principal(receiver, _);
}
inline ~element()
{
zeroize(n, sizeof(n));
}
void receiver_msg3(int* socket, havege_state* havege_state,
pk_context* r_context, int sender, int receiver,
char* s_nonce, char* r_nonce)
/*@ requires GENERAL_PRE(receiver) &*&
pk_context_with_key(r_context, pk_private,
receiver, ?r_id, 8 * KEY_SIZE) &*&
RECEIVER_INTER &*&
cryptogram(r_nonce, NONCE_SIZE, ?r_nonce_ccs, ?r_nonce_cg) &*&
r_nonce_cg == cg_nonce(receiver, _) &*&
cg_info(r_nonce_cg) == int_pair(2, int_pair(sender,
int_pair(p_inst, int_pair(p_orig, c_orig)))); @*/
/*@ ensures GENERAL_POST(receiver) &*&
pk_context_with_key(r_context, pk_private,
receiver, r_id, 8 * KEY_SIZE) &*&
(
col || bad(p_inst) || bad(receiver) ?
crypto_chars(normal, s_nonce, NONCE_SIZE, s_nonce_ccs)
:
cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg)
) &*&
cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg) &*&
col || bad(sender) || bad(receiver) ||
(receiver == p_orig && r_id == c_orig && sender == p_inst); @*/
{
//@ open principal(receiver, _);
unsigned int size;
char message[MSG3_SIZE];
char encrypted[KEY_SIZE];
//@ open receiver_inter(p_orig, c_orig, p_inst, s_nonce_ccs, s_nonce_cg);
// Receive the message
net_recv(socket, encrypted, KEY_SIZE);
//@ assert chars(encrypted, KEY_SIZE, ?enc_cs);
//@ interpret_asym_encrypted(encrypted, KEY_SIZE);
//@ assert cryptogram(encrypted, KEY_SIZE, ?enc_ccs, ?enc_cg);
//@ assert enc_cg == cg_asym_encrypted(?p, ?c, ?pay, ?ent);
// Decrypt the message
/*@ produce_function_pointer_chunk random_function(random_stub_nsl)
(havege_state_initialized)(state, out, len) { call(); } @*/
//@ close random_state_predicate(havege_state_initialized);
//@ structure st = known_value(0, r_nonce_ccs);
//@ close decryption_pre(false, false, receiver, st, enc_ccs);
if (pk_decrypt(r_context, encrypted, KEY_SIZE, message,
&size, MSG3_SIZE, random_stub_nsl, havege_state) != 0)
abort();
if (size != MSG3_SIZE)
abort();
//@ assert u_integer(&size, MSG3_SIZE);
//@ assert crypto_chars(?kind, message, NONCE_SIZE, ?dec_ccs);
/*@ open decryption_post(false, ?garbage, receiver,
st, receiver, r_id, dec_ccs); @*/
// Interpret the message
//@ open cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
//@ open [_]nsl_pub(enc_cg);
//@ assert [_]nsl_pub_msg_sender(?sender2);
/*@ if (col || garbage)
{
crypto_chars_to_chars(message, NONCE_SIZE);
chars_to_crypto_chars(message, NONCE_SIZE);
}
else
{
if (bad(receiver) || bad(sender2))
{
public_crypto_chars(message, NONCE_SIZE);
chars_to_crypto_chars(message, NONCE_SIZE);
}
else
{
assert [_]nsl_pub_msg3(sender2, receiver, ?r_nonce_cg2);
close memcmp_secret(message, NONCE_SIZE, dec_ccs, r_nonce_cg2);
}
}
@*/
//@ close memcmp_secret(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
if (memcmp((void*) message, r_nonce, NONCE_SIZE) != 0) abort();
//@ assert dec_ccs == r_nonce_ccs;
/*@ if (garbage)
{
close exists(pair(nil, nil));
close has_structure(r_nonce_ccs, st);
leak has_structure(r_nonce_ccs, st);
decryption_garbage(message, NONCE_SIZE, st);
crypto_chars_to_chars(message, NONCE_SIZE);
chars_to_secret_crypto_chars(message, NONCE_SIZE);
}
else if (!col && !bad(sender) && !bad(receiver))
{
if (bad(receiver) || bad(sender2))
{
public_crypto_chars(r_nonce, NONCE_SIZE);
public_ccs_cg(r_nonce_cg);
open [_]nsl_pub(r_nonce_cg);
assert false;
}
else if (bad(p_inst))
{
assert [_]nsl_pub_msg3(sender2, receiver, ?r_nonce_cg2);
int p1_1 = int_pair(p_orig, c_orig);
int p1_2 = int_pair(p_inst, p1_1);
int p1_3 = int_pair(sender, p1_2);
int p2_1 = int_pair(receiver, r_id);
int p2_2 = int_pair(sender2, p2_1);
int p2_3 = int_pair(sender2, p2_2);
assert cg_info(r_nonce_cg) == int_pair(2, p1_3);
assert cg_info(r_nonce_cg2) == int_pair(2, p2_3);
ccs_for_cg_inj(r_nonce_cg, r_nonce_cg2);
int_right_int_pair(2, p1_3);
int_right_int_pair(2, p2_3);
int_left_int_pair(sender, p1_2);
int_left_int_pair(sender2, p2_2);
int_right_int_pair(sender, p1_2);
int_right_int_pair(sender2, p2_2);
int_left_int_pair(p_inst, p1_1);
assert false;
}
}
@*/
zeroize(message, MSG3_SIZE);
//@ close cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
//@ public_cryptogram(encrypted, enc_cg);
//@ close principal(receiver, _);
}
struct item *symmetric_decryption(struct item *key, struct item *item)
/*@ requires [?f]world(?pub, ?key_clsfy) &*&
item(item, ?enc, pub) &*&
enc == symmetric_encrypted_item(?principal1, ?count1,
?pay, ?ent) &*&
item(key, ?k, pub) &*&
k == symmetric_key_item(?principal2, ?count2); @*/
/*@ ensures [f]world(pub, key_clsfy) &*&
item(item, enc, pub) &*& item(key, k, pub) &*&
item(result, ?dec, pub) &*&
col ? [_]pub(dec) :
switch(pay)
{
case some(dec2):
return principal1 == principal2 &&
count1 == count2 && dec == dec2;
case none:
return false;
}; @*/
{
debug_print("DECRYPTING:\n");
print_item(item);
check_is_symmetric_encrypted(item);
//@ open [f]world(pub, key_clsfy);
struct item* result;
result = malloc(sizeof(struct item));
if (result == 0) abort_crypto_lib("Malloc failed");
{
gcm_context gcm_context;
char *iv;
char iv_buffer[GCM_IV_SIZE];
char *encrypted;
//@ open item(key, k, pub);
//@ assert key->content |-> ?k_cont &*& key->size |-> ?k_size;
check_valid_symmetric_key_item_size(key->size);
//@ open [_]item_constraints(k, ?k_cs0, pub);
//@ assert [_]ic_parts(k)(?k_tag, ?k_cs);
//@ crypto_chars_limits(k_cont);
//@ crypto_chars_split(k_cont, TAG_LENGTH);
//@ WELL_FORMED(k_tag, k_cs, TAG_SYMMETRIC_KEY)
//@ assert crypto_chars(secret, k_cont, TAG_LENGTH, k_tag);
//@ assert crypto_chars(secret, k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs);
//@ cryptogram k_cg = cg_symmetric_key(principal2, count2);
//@ if (col) k_cg = chars_for_cg_sur(k_cs, tag_symmetric_key);
//@ if (col) crypto_chars_to_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
//@ if (col) public_chars_extract(k_cont + TAG_LENGTH, k_cg);
//@ if (col) chars_to_secret_crypto_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
//@ close cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
//@ close gcm_context(&gcm_context);
if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES, (key->content + TAG_LENGTH),
(unsigned int) GCM_KEY_SIZE * 8) != 0)
abort_crypto_lib("Init gcm failed");
//@ assert gcm_context_initialized(&gcm_context, ?p, ?c);
//@ assert col || (p == principal2 && c == count2);
//@ open cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
//@ crypto_chars_join(k_cont);
//@ close item(key, k, pub);
//@ open item(item, enc, pub);
//@ assert item->content |-> ?i_cont &*& item->size |-> ?i_size;
//@ open [_]item_constraints(enc, ?cs, pub);
//@ open [_]ic_parts(enc)(?enc_tag, ?enc_cont);
//@ open [_]ic_cg(enc)(_, ?enc_cg);
//@ take_append(TAG_LENGTH, enc_tag, enc_cont);
//@ drop_append(TAG_LENGTH, enc_tag, enc_cont);
//@ open [_]ic_sym_enc(enc)(?enc_iv, ?cg_cs);
//@ assert true == well_formed(cs, nat_length(cs));
//@ close [1/2]hide_crypto_chars(_, i_cont, i_size, cs);
check_valid_symmetric_encrypted_item_size(item->size);
//@ assert length(cs) > TAG_LENGTH + GCM_IV_SIZE;
int size = item->size - TAG_LENGTH - GCM_IV_SIZE - GCM_MAC_SIZE;
if (size <= MINIMAL_STRING_SIZE) abort_crypto_lib("Gcm decryption failed");
//@ crypto_chars_limits(i_cont);
//@ crypto_chars_split(i_cont, TAG_LENGTH);
iv = item->content + TAG_LENGTH;
//@ crypto_chars_split(iv, GCM_IV_SIZE);
//@ assert [1/2]crypto_chars(secret, iv, GCM_IV_SIZE, ?iv_cs);
memcpy(iv_buffer, iv, GCM_IV_SIZE);
//@ assert cs == append(enc_tag, enc_cont);
//@ assert enc_cont == append(iv_cs, cg_cs);
//@ public_crypto_chars(iv, GCM_IV_SIZE);
//@ chars_to_secret_crypto_chars(iv, GCM_IV_SIZE);
encrypted = iv + GCM_IV_SIZE;
//@ crypto_chars_limits(encrypted);
//@ crypto_chars_split(encrypted, GCM_MAC_SIZE);
//@ assert [1/2]crypto_chars(secret, encrypted, GCM_MAC_SIZE, ?mac_cs);
/*@ assert [1/2]crypto_chars(secret, encrypted + GCM_MAC_SIZE,
size, ?enc_cs); @*/
//@ assert cg_cs == append(mac_cs, enc_cs);
result->size = size;
result->content = malloc(size);
if (result->content == 0) abort_crypto_lib("Malloc failed");
//@ assert result->content |-> ?r_cont &*& result->size |-> size;
//@ if (col) enc_cg = chars_for_cg_sur(cg_cs, tag_auth_encrypted);
//@ close exists(enc_cg);
if (gcm_auth_decrypt(&gcm_context, (unsigned int) size,
iv_buffer, GCM_IV_SIZE, NULL, 0, encrypted,
GCM_MAC_SIZE, encrypted + GCM_MAC_SIZE,
result->content) != 0)
abort_crypto_lib("Gcm decryption failed");
//@ assert crypto_chars(secret, r_cont, size, ?dec_cs);
//@ assert col || enc_cg == cg_auth_encrypted(principal1, count1, dec_cs, iv_cs);
//@ crypto_chars_join(encrypted);
//@ crypto_chars_join(iv);
//@ crypto_chars_join(i_cont);
//@ open [1/2]hide_crypto_chars(_, i_cont, i_size, cs);
//@ close item(item, enc, pub);
gcm_free(&gcm_context);
//@ open gcm_context(&gcm_context);
zeroize(iv_buffer, GCM_IV_SIZE);
//@ close [f]world(pub, key_clsfy);
/*@ if (col)
{
crypto_chars_to_chars(r_cont, size);
chars_to_crypto_chars(r_cont, size);
}
else
{
assert enc == symmetric_encrypted_item(principal1, count1,
pay, ent);
assert enc_cg == cg_auth_encrypted(principal1, count1,
dec_cs, enc_iv);
switch(pay)
{
case some(pay1):
assert [_]item_constraints(pay1, dec_cs, pub);
case none:
open [_]ill_formed_item_chars(enc)(dec_cs);
assert [_]public_generated(polarssl_pub(pub))(dec_cs);
public_crypto_chars(r_cont, size);
chars_to_crypto_chars(r_cont, size);
}
}
@*/
parse_item(result->content, size);
/*@ if (col)
{
public_chars(r_cont, size);
chars_to_secret_crypto_chars(r_cont, size);
retreive_proof_obligations();
deserialize_item(dec_cs, pub);
leak proof_obligations(pub);
}
@*/
//@ assert crypto_chars(secret, r_cont, size, dec_cs);
//@ assert [_]item_constraints(?r, dec_cs, pub);
//@ close item(result, r, pub);
}
debug_print("DECRYPTING RESULT:\n");
print_item(result);
return result;
}
int main(int argc, char **argv) //@ : main_full(main_app)
//@ requires module(main_app, true);
//@ ensures true;
{
pthread_t a_thread;
havege_state havege_state;
printf("\n\tExecuting \"");
printf("hmac protocol");
printf("\" ... \n\n");
//@ PROTOCOL_INIT(hmac)
//@ int attacker = principal_create();
//@ int sender = principal_create();
//@ int receiver = principal_create();
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ assume (bad(attacker));
//@ close pthread_run_pre(attacker_t)(NULL, some(attacker));
pthread_create(&a_thread, NULL, &attacker_t, NULL);
int i = 0;
#ifdef EXECUTE
while (i++ < 10)
#else
while (true)
#endif
/*@ invariant [_]public_invar(hmac_pub) &*&
havege_state_initialized(&havege_state) &*&
principal(sender, ?count) &*& principal(receiver, _);
@*/
{
//@ open principal(sender, _);
char* key;
int temp;
//@ close random_request(sender, 0, true);
key = malloc(KEY_SIZE);
if (key == 0) abort();
if (havege_random(&havege_state, key, KEY_SIZE) != 0) abort();
//@ assume (shared_with(sender, count + 1) == receiver);
//@ assert cryptogram(key, KEY_SIZE, ?cs_key, ?cg_key);
//@ assert cg_key == cg_symmetric_key(sender, count + 1);
{
pthread_t s_thread, r_thread;
struct hmac_args s_args;
struct hmac_args r_args;
char s_message[MESSAGE_SIZE];
char r_message[MESSAGE_SIZE];
//@ close random_request(sender, 0, false);
if (havege_random(&havege_state, s_message, MESSAGE_SIZE) != 0) abort();
//@ assert cryptogram(s_message, MESSAGE_SIZE, ?cs, ?cg);
//@ close hmac_pub(cg);
//@ leak hmac_pub(cg);
//@ public_cryptogram(s_message, cg);
//@ s_args.sender = sender;
//@ s_args.receiver = receiver;
s_args.key = key;
s_args.message = s_message;
//@ assume (send(sender, receiver, cs) == true);
//@ r_args.sender = sender;
//@ r_args.receiver = receiver;
r_args.key = key;
r_args.message = r_message;
//@ close principal(sender, _);
//@ close pthread_run_pre(sender_t)(&s_args, ?s_data);
//@ close pthread_run_pre(receiver_t)(&r_args, ?r_data);
pthread_create(&r_thread, NULL, &receiver_t, &r_args);
pthread_create(&s_thread, NULL, &sender_t, &s_args);
pthread_join(s_thread, NULL);
//@ open pthread_run_post(sender_t)(&s_args, s_data);
pthread_join(r_thread, NULL);
//@ open pthread_run_post(receiver_t)(&r_args, r_data);
//@ open [1/2]cryptogram(key, KEY_SIZE, cs_key, _);
//@ open [1/2]cryptogram(key, KEY_SIZE, cs_key, _);
//@ chars_to_crypto_chars(r_message, MESSAGE_SIZE);
//@ chars_to_crypto_chars(s_message, MESSAGE_SIZE);
//@ open principal(sender, _);
if (memcmp(s_message, r_message, MESSAGE_SIZE) != 0)
abort();
//@ close principal(sender, _);
printf(" |%i| ", i);
}
//@ assert malloc_block(key, KEY_SIZE);
zeroize(key, KEY_SIZE);
free((void*) key);
}
printf("\n\n\t\tDone\n");
return 0;
}
struct item *symmetric_encryption(struct item *key, struct item *payload)
/*@ requires [?f]world(?pub, ?key_clsfy) &*&
principal(?principal1, ?count1) &*&
[_]pub(nonce_item(principal1, count1 + 1, 0)) &*&
item(payload, ?pay, pub) &*& item(key, ?k, pub) &*&
k == symmetric_key_item(?principal2, ?count2); @*/
/*@ ensures [f]world(pub, key_clsfy) &*&
principal(principal1, count1 + 2) &*&
item(payload, pay, pub) &*& item(key, k, pub) &*&
item(result, ?enc, pub) &*&
col ? true :
enc == symmetric_encrypted_item(principal2, count2,
some(pay), ?ent); @*/
{
//@ open [f]world(pub, key_clsfy);
debug_print("ENCRYPTING:\n");
print_item(payload);
struct item* result;
result = malloc(sizeof(struct item));
if (result == 0) abort_crypto_lib("Malloc failed");
{
gcm_context gcm_context;
char iv_buffer[GCM_IV_SIZE];
char *iv;
char *result_cs;
char *encrypted;
//@ open item(key, k, pub);
//@ assert key->content |-> ?k_cont &*& key->size |-> ?k_size;
check_valid_symmetric_key_item_size(key->size);
//@ open [_]item_constraints(k, ?k_cs0, pub);
//@ assert [_]ic_parts(k)(?k_tag, ?k_cs);
//@ crypto_chars_limits(k_cont);
//@ crypto_chars_split(k_cont, TAG_LENGTH);
//@ WELL_FORMED(k_tag, k_cs, TAG_SYMMETRIC_KEY)
//@ assert crypto_chars(secret, k_cont, TAG_LENGTH, k_tag);
//@ assert crypto_chars(secret, k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs);
//@ cryptogram k_cg = cg_symmetric_key(principal2, count2);
//@ if (col) k_cg = chars_for_cg_sur(k_cs, tag_symmetric_key);
//@ if (col) crypto_chars_to_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
//@ if (col) public_chars_extract(k_cont + TAG_LENGTH, k_cg);
//@ if (col) chars_to_secret_crypto_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
//@ close cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
//@ close gcm_context(&gcm_context);
if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES, (key->content + TAG_LENGTH),
(unsigned int) GCM_KEY_SIZE * 8) != 0)
abort_crypto_lib("Init gcm failed");
//@ assert gcm_context_initialized(&gcm_context, ?p, ?c);
//@ assert col || (p == principal2 && c == count2);
//@ open cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
//@ crypto_chars_join(k_cont);
//@ close item(key, k, pub);
//@ open item(payload, pay, pub);
//@ open [_]item_constraints(pay, ?pay_cs, pub);
//@ assert payload->content |-> ?p_cont &*& payload->size |-> ?p_size;
//@ crypto_chars_limits(p_cont);
if (payload->size >= INT_MAX - TAG_LENGTH - GCM_IV_SIZE - GCM_MAC_SIZE ||
payload->size < MINIMAL_STRING_SIZE)
abort_crypto_lib("Gcm encryption failed: incorrect sizes");
result->size = TAG_LENGTH + GCM_IV_SIZE + GCM_MAC_SIZE + payload->size;
result->content = malloc(result->size);
//@ assert result->content |-> ?r_cont &*& result->size |-> ?r_size;
if (result->content == 0)
abort_crypto_lib("Malloc failed");
//@ chars_split(r_cont, TAG_LENGTH);
write_tag(result->content, TAG_SYMMETRIC_ENC);
//@ assert chars(r_cont, TAG_LENGTH, ?tag_cs);
//@ public_chars(r_cont, TAG_LENGTH);
//@ assert tag_cs == full_tag(TAG_SYMMETRIC_ENC);
//@ assert chars(r_cont + TAG_LENGTH, GCM_IV_SIZE + p_size, _);
//@ chars_split(r_cont + TAG_LENGTH, GCM_IV_SIZE);
iv = result->content + TAG_LENGTH;
//@ close nonce_request(principal1, 0);
//@ close [f]world(pub, key_clsfy);
create_havege_random(iv, GCM_IV_SIZE);
//@ open cryptogram(iv, GCM_IV_SIZE, ?iv_cs, ?iv_cg);
memcpy(iv_buffer, iv, GCM_IV_SIZE);
//@ close cryptogram(iv, GCM_IV_SIZE, iv_cs, iv_cg);
//@ close polarssl_pub(pub)(iv_cg);
//@ leak polarssl_pub(pub)(iv_cg);
//@ public_cryptogram(iv, iv_cg);
//@ public_chars(iv, GCM_IV_SIZE);
encrypted = iv + GCM_IV_SIZE;
//@ chars_split(encrypted, GCM_MAC_SIZE);
//@ open principal(principal1, count1 + 1);
if (gcm_crypt_and_tag(&gcm_context, GCM_ENCRYPT,
(unsigned int) payload->size, iv_buffer,
GCM_IV_SIZE, NULL, 0, payload->content,
encrypted + GCM_MAC_SIZE,
GCM_MAC_SIZE, encrypted) != 0)
abort_crypto_lib("Gcm encryption failed");
//@ close principal(principal1, count1 + 2);
zeroize(iv_buffer, GCM_IV_SIZE);
//@ assert crypto_chars(secret, encrypted, GCM_MAC_SIZE, ?mac_cs);
//@ assert crypto_chars(secret, encrypted + GCM_MAC_SIZE, p_size, ?enc_cs);
//@ crypto_chars_join(encrypted);
//@ assert exists(?enc_cg);
//@ list<char> cg_cs = append(mac_cs, enc_cs);
//@ assert cg_cs == chars_for_cg(enc_cg);
//@ list<char> cont_cs = append(iv_cs, cg_cs);
//@ take_append(GCM_IV_SIZE, iv_cs, cg_cs);
//@ drop_append(GCM_IV_SIZE, iv_cs, cg_cs);
//@ list<char> cs = append(tag_cs, cont_cs);
//@ take_append(TAG_LENGTH, tag_cs, cont_cs);
//@ drop_append(TAG_LENGTH, tag_cs, cont_cs);
//@ item enc;
//@ list<char> ent = append(iv_cs, iv_cs);
//@ take_append(GCM_IV_SIZE, iv_cs, iv_cs);
//@ drop_append(GCM_IV_SIZE, iv_cs, iv_cs);
/*@ if (col)
{
enc_cg = chars_for_cg_sur(cg_cs, tag_auth_encrypted);
assert enc_cg == cg_auth_encrypted(?p0, ?c0, ?pay0, ?iv0);
ent = append(iv_cs, iv0);
take_append(GCM_IV_SIZE, iv_cs, iv0);
drop_append(GCM_IV_SIZE, iv_cs, iv0);
enc = symmetric_encrypted_item(p0, c0, some(pay), ent);
public_chars(encrypted, GCM_MAC_SIZE + p_size);
assert chars(encrypted, GCM_MAC_SIZE + p_size, cg_cs);
chars_join(iv);
chars_join(r_cont);
assert chars(r_cont, r_size, cs);
public_chars(r_cont, r_size);
public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH);
close ic_sym_enc(enc)(iv0, cg_cs);
}
else
{
assert enc_cg == cg_auth_encrypted(principal2, count2, pay_cs, iv_cs);
enc = symmetric_encrypted_item(principal2, count2, some(pay), ent);
close polarssl_pub(pub)(cg_nonce(principal1, count1 + 1));
leak polarssl_pub(pub)(cg_nonce(principal1, count1 + 1));
public_generated(polarssl_pub(pub), cg_nonce(principal1, count1 + 1));
chars_to_secret_crypto_chars(iv, GCM_IV_SIZE);
crypto_chars_join(iv);
chars_to_secret_crypto_chars(r_cont, TAG_LENGTH);
crypto_chars_join(r_cont);
assert crypto_chars(secret, r_cont, r_size, cs);
close ic_sym_enc(enc)(iv_cs, cg_cs);
}
@*/
//@ well_formed_item_constraints(pay, enc);
//@ close ic_cg(enc)(cg_cs, enc_cg);
//@ close ic_parts(enc)(tag_cs, cont_cs);
//@ WELL_FORMED(tag_cs, cont_cs, TAG_SYMMETRIC_ENC)
//@ close item_constraints(enc, cs, pub);
//@ leak item_constraints(enc, cs, pub);
//@ close item(result, enc, pub);
//@ close item(payload, pay, pub);
gcm_free(&gcm_context);
//@ open gcm_context(&gcm_context);
}
debug_print("ENCRYPTING RESULT:\n");
print_item(result);
return result;
}
struct item *asymmetric_encryption(struct item *key, struct item *payload)
/*@ requires [?f]world(?pub, ?key_clsfy) &*&
principal(?principal1, ?count1) &*&
item(payload, ?pay, pub) &*& item(key, ?k, pub) &*&
k == public_key_item(?principal2, ?count2); @*/
/*@ ensures [f]world(pub, key_clsfy) &*&
principal(principal1, count1 + 1) &*&
item(payload, pay, pub) &*& item(key, k, pub) &*&
item(result, ?enc, pub) &*&
col ? true :
enc == asymmetric_encrypted_item(principal2, count2,
some(pay), ?ent); @*/
{
debug_print("ASYM ENCRYPTING:\n");
print_item(payload);
struct item* result;
result = malloc(sizeof(struct item));
if (result == 0) abort_crypto_lib("Malloc failed");
{
pk_context context;
unsigned int olen;
char output[MAX_PACKAGE_SIZE];
// Key
//@ close pk_context(&context);
//@ open [f]world(pub, key_clsfy);
pk_init(&context);
//@ close [f]world(pub, key_clsfy);
set_public_key(&context, key);
//@ open [f]world(pub, key_clsfy);
/*@ assert pk_context_with_key(&context, pk_public,
?principal, ?count, RSA_BIT_KEY_SIZE); @*/
//@ assert col || principal == principal2;
//@ assert col || count == count2;
// Encryption
//@ open item(payload, pay, pub);
//@ assert [_]item_constraints(pay, ?pay_cs, pub);
if (payload->size > RSA_KEY_SIZE)
abort_crypto_lib("Asymmetric encryption failed: incorrect sizes");
void *random_state = nonces_expose_state();
//@ close random_state_predicate(havege_state_initialized);
/*@ produce_function_pointer_chunk random_function(
asym_enc_havege_random_stub)
(havege_state_initialized)(state, out, len) { call(); } @*/
//@ open principal(principal1, count1);
if(pk_encrypt(&context, payload->content, (unsigned int) payload->size,
output, &olen, MAX_PACKAGE_SIZE,
asym_enc_havege_random_stub, random_state) != 0)
abort_crypto_lib("Encryption failed");
//@ close principal(principal1, count1 + 1);
//@ open cryptogram(output, ?enc_length, ?enc_cs, ?enc_cg);
//@ assert enc_cg == cg_asym_encrypted(principal, count, pay_cs, ?ent);
//@ assert u_integer(&olen, enc_length);
//@ assert enc_length > 0 &*& enc_length < MAX_PACKAGE_SIZE;
//@ assert enc_length > 0 &*& enc_length <= RSA_SERIALIZED_KEY_SIZE;
nonces_hide_state(random_state);
//@ pk_release_context_with_key(&context);
pk_free(&context);
//@ open pk_context(&context);
//@ close [f]world(pub, key_clsfy);
// Create item
result->size = TAG_LENGTH + (int) olen;
result->content = malloc(result->size);
if (result->content == 0) {abort_crypto_lib("Malloc failed");}
write_tag(result->content, TAG_ASYMMETRIC_ENC);
//@ assert result->content |-> ?cont &*& result->size |-> ?size;
if (olen < MINIMAL_STRING_SIZE) {abort_crypto_lib("Asymmetric encryption failed: to small");}
memcpy(result->content + TAG_LENGTH, output, olen);
//@ assert chars(cont, TAG_LENGTH, ?cs_tag);
//@ public_chars(cont, TAG_LENGTH);
//@ chars_to_secret_crypto_chars(cont, TAG_LENGTH);
//@ assert cs_tag == full_tag(TAG_ASYMMETRIC_ENC);
//@ crypto_chars_join(cont);
//@ item enc = asymmetric_encrypted_item(principal, count, some(pay), ent);
//@ list<char> cs = append(cs_tag, enc_cs);
//@ WELL_FORMED(cs_tag, enc_cs, TAG_ASYMMETRIC_ENC)
//@ close ic_parts(enc)(cs_tag, enc_cs);
//@ close ic_cg(enc)(enc_cs, enc_cg);
/*@ if (col)
{
crypto_chars_to_chars(cont, size);
public_chars(cont, size);
chars_to_secret_crypto_chars(cont, size);
public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH);
}
@*/
//@ well_formed_item_constraints(pay, enc);
//@ close item_constraints(enc, cs, pub);
//@ leak item_constraints(enc, cs, pub);
//@ close item(result, enc, pub);
zeroize(output, (int) olen);
//@ chars_join(output);
//@ close item(payload, pay, pub);
}
debug_print("ENCRYPTING RESULT:\n");
print_item(result);
return result;
}
void GxEngine::initEngine(int samplingFreq)
{
// initialize all variables for audio, midi and interface
fSamplingFreq = samplingFreq;
//----- tone
fslider_tone0 = 0.0f;
fConst_tone0 = (15079.645508f / fSamplingFreq);
fConst_tone1 = cosf(fConst_tone0);
fConst_tone2 = (1.414214f * sinf(fConst_tone0));
fslider_tone1 = 0.0f;
fConst_tone3 = (3769.911377f / fSamplingFreq);
fConst_tone4 = cosf(fConst_tone3);
fConst_tone5 = (1.414214f * sinf(fConst_tone3));
fslider_tone2 = 0.0f;
zeroize(fVec_tone0, 3);
zeroize(fRec_tone3, 3);
zeroize(fRec_tone2, 3);
zeroize(fRec_tone1, 3);
zeroize(fRec_tone0, 3);
// tone end
zeroize(fVec_ltone0, 3);
zeroize(fRec_ltone3, 3);
zeroize(fRec_ltone2, 3);
zeroize(fRec_ltone1, 3);
zeroize(fRec_ltone0, 3);
// engine state
checky = (float)kEngineOn;
fslider17 = 0.0f;
zeroize(fRec46, 2);
zeroize(fRec47, 2);
fslider24 = 0.0f;
fslider25 = 0.0f;
// lets init the variables for the tonesettings
fSlow_mid_tone = (fslider_tone1*0.5);
fSlow_tone0 = powf(10, (2.500000e-02f * (fslider_tone0- fSlow_mid_tone)));
fSlow_tone1 = (1 + fSlow_tone0);
fSlow_tone2 = (fConst_tone1 * fSlow_tone1);
fSlow_tone3 = (2 * (0 - ((1 + fSlow_tone2) - fSlow_tone0)));
fSlow_tone4 = (fConst_tone1 * (fSlow_tone0 - 1));
fSlow_tone5 = (fConst_tone2 * sqrtf(fSlow_tone0));
fSlow_tone6 = (fSlow_tone1 - (fSlow_tone5 + fSlow_tone4));
fSlow_tone7 = powf(10, (2.500000e-02f * fSlow_mid_tone));
fSlow_tone8 = (1 + fSlow_tone7);
fSlow_tone9 = (fConst_tone4 * fSlow_tone8);
fSlow_tone10 = (2 * (0 - ((1 + fSlow_tone9) - fSlow_tone7)));
fSlow_tone11 = (fSlow_tone7 - 1);
fSlow_tone12 = (fConst_tone4 * fSlow_tone11);
fSlow_tone13 = sqrtf(fSlow_tone7);
fSlow_tone14 = (fConst_tone5 * fSlow_tone13);
fSlow_tone15 = (fSlow_tone8 - (fSlow_tone14 + fSlow_tone12));
fSlow_tone16 = (fConst_tone1 * fSlow_tone8);
fSlow_tone17 = (0 - (2 * ((fSlow_tone7 + fSlow_tone16) - 1)));
fSlow_tone18 = (fConst_tone2 * fSlow_tone13);
fSlow_tone19 = (fConst_tone1 * fSlow_tone11);
fSlow_tone20 = ((1 + (fSlow_tone7 + fSlow_tone19)) - fSlow_tone18);
fSlow_tone21 = powf(10, (2.500000e-02f * (fslider_tone2-fSlow_mid_tone)));
fSlow_tone22 = (1 + fSlow_tone21);
fSlow_tone23 = (fConst_tone4 * fSlow_tone22);
fSlow_tone24 = (0 - (2 * ((fSlow_tone21 + fSlow_tone23) - 1)));
fSlow_tone25 = (fConst_tone5 * sqrtf(fSlow_tone21));
fSlow_tone26 = (fConst_tone4 * (fSlow_tone21 - 1));
fSlow_tone27 = ((1 + (fSlow_tone21 + fSlow_tone26)) - fSlow_tone25);
fSlow_tone28 = (2 * (0 - ((1 + fSlow_tone23) - fSlow_tone21)));
fSlow_tone29 = (fSlow_tone21 + fSlow_tone25);
fSlow_tone30 = ((1 + fSlow_tone29) - fSlow_tone26);
fSlow_tone31 = (fSlow_tone22 - (fSlow_tone25 + fSlow_tone26));
fSlow_tone32 = (1.0f / (1 + (fSlow_tone26 + fSlow_tone29)));
fSlow_tone33 = (fSlow_tone8 - (fSlow_tone18 + fSlow_tone19));
fSlow_tone34 = (2 * (0 - ((1 + fSlow_tone16) - fSlow_tone7)));
fSlow_tone35 = (fSlow_tone7 + fSlow_tone18);
fSlow_tone36 = ((1 + fSlow_tone35) - fSlow_tone19);
fSlow_tone37 = (1.0f / (1 + (fSlow_tone19 + fSlow_tone35)));
fSlow_tone38 = (fSlow_tone7 * ((1 + (fSlow_tone7 + fSlow_tone12)) - fSlow_tone14));
fSlow_tone39 = (fSlow_tone7 + fSlow_tone14);
fSlow_tone40 = (fSlow_tone7 * (1 + (fSlow_tone12 + fSlow_tone39)));
fSlow_tone41 = (((fSlow_tone7 + fSlow_tone9) - 1) * (0 - (2 * fSlow_tone7)));
fSlow_tone42 = (1.0f / ((1 + fSlow_tone39) - fSlow_tone12));
fSlow_tone43 = (fSlow_tone0 * ((1 + (fSlow_tone0 + fSlow_tone4)) - fSlow_tone5));
fSlow_tone44 = (fSlow_tone0 + fSlow_tone5);
fSlow_tone45 = (fSlow_tone0 * (1 + (fSlow_tone4 + fSlow_tone44)));
fSlow_tone46 = (((fSlow_tone0 + fSlow_tone2) - 1) * (0 - (2 * fSlow_tone0)));
fSlow_tone47 = (1.0f / ((1 + fSlow_tone44) - fSlow_tone4));
fslider_tone_check = (fslider_tone1+fslider_tone0+fslider_tone2)*100;
fslider_tone_check1 = 0;
gx_jconv::checkbox7 = 1.0;
fjc_ingain = 0;
zeroize(fRecinjc, 2);
zeroize(fRecinjcr, 2);
IOTAdel = 0;
zeroize(fVecdel0,262144);
fsliderdel0 = 0.0f;
fConstdel0 = (1.000000e-03f * fSamplingFreq);
zeroize(fVecdel1,262144);
fsliderdel1 = 0.0f;
fjc_ingain1 = 0.0f;
filebutton = 0;
fwarn = 0;
// end engine init
}
