Ejemplo n.º 1
0
void HMACSHA256Init(HMACSHA256CTX* context, const uint8_t* key, 
    size_t key_length)
{
    size_t i;
    uint8_t pad[SHA256_BLOCK_LENGTH];
    uint8_t key_hash[SHA256_DIGEST_LENGTH];

    if (key_length > SHA256_BLOCK_LENGTH)
    {
        SHA256Init(&context->ictx);
        SHA256Update(&context->ictx, key, key_length);
        SHA256Final(&context->ictx, key_hash);
        key = key_hash;
        key_length = SHA256_DIGEST_LENGTH;
    }

    SHA256Init(&context->ictx);
    memset(pad, 0x36, SHA256_BLOCK_LENGTH);

    for (i = 0; i < key_length; i++) 
        pad[i] ^= key[i];

    SHA256Update(&context->ictx, pad, SHA256_BLOCK_LENGTH);
    SHA256Init(&context->octx);
    memset(pad, 0x5c, SHA256_BLOCK_LENGTH);

    for (i = 0; i < key_length; i++) 
        pad[i] ^= key[i];

    SHA256Update(&context->octx, pad, SHA256_BLOCK_LENGTH);
    zeroize((void*)key_hash, sizeof key_hash);
}
Ejemplo n.º 2
0
void RMD160Final(RMD160CTX* context, uint8_t digest[RMD160_DIGEST_LENGTH])
{
    int i;
    RMD160Pad(context);
    for (i = 0; i < 5; i++)
    {
        PUT_32BIT_LE(digest + i * 4, context->state[i]);
    }

    zeroize(context, sizeof *context);
}
Ejemplo n.º 3
0
void HMACSHA256Final(HMACSHA256CTX* context, 
    uint8_t digest[HMACSHA256_DIGEST_LENGTH])
{
    uint8_t hash[HMACSHA256_DIGEST_LENGTH];

    SHA256Final(&context->ictx, hash);
    SHA256Update(&context->octx, hash, HMACSHA256_DIGEST_LENGTH);
    SHA256Final(&context->octx, digest);

    zeroize((void*)hash, sizeof hash);
}
Ejemplo n.º 4
0
int xed25519_sign(unsigned char* signature_out,
                  const unsigned char* curve25519_privkey,
                  const unsigned char* msg, const unsigned long msg_len,
                  const unsigned char* random)
{
  unsigned char a[32], aneg[32];
  unsigned char A[32];
  ge_p3 ed_pubkey_point;
  unsigned char *sigbuf; /* working buffer */
  unsigned char sign_bit = 0;

  if ((sigbuf = malloc(msg_len + 128)) == 0) {
    memset(signature_out, 0, 64);
    return -1;
  }

  /* Convert the Curve25519 privkey to an Ed25519 public key */
  ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey);
  ge_p3_tobytes(A, &ed_pubkey_point);

  /* Force Edwards sign bit to zero */
  sign_bit = (A[31] & 0x80) >> 7;
  memcpy(a, curve25519_privkey, 32);
  sc_neg(aneg, a);
  sc_cmov(a, aneg, sign_bit); 
  A[31] &= 0x7F;

  /* Perform an Ed25519 signature with explicit private key */
  crypto_sign_modified(sigbuf, msg, msg_len, a, A, random);
  memmove(signature_out, sigbuf, 64);

  zeroize(a, 32);
  zeroize(aneg, 32);
  free(sigbuf);
  return 0;
}
Ejemplo n.º 5
0
/* NEW: Compare to pristine crypto_sign() 
   Uses explicit private key for nonce derivation and as scalar,
   instead of deriving both from a master key.
*/
int crypto_sign_modified(
  unsigned char *sm,
  const unsigned char *m,unsigned long long mlen,
  const unsigned char *sk, const unsigned char* pk,
  const unsigned char* random
)
{
  unsigned char nonce[64];
  unsigned char hram[64];
  ge_p3 R;
  int count=0;

  memmove(sm + 64,m,mlen);
  memmove(sm + 32,sk,32); /* NEW: Use privkey directly for nonce derivation */

  /* NEW : add prefix to separate hash uses - see .h */
  sm[0] = 0xFE;
  for (count = 1; count < 32; count++)
    sm[count] = 0xFF;

  /* NEW: add suffix of random data */
  memmove(sm + mlen + 64, random, 64);

  crypto_hash_sha512(nonce,sm,mlen + 128);
  memmove(sm + 32,pk,32);

  sc_reduce(nonce);
  ge_scalarmult_base(&R,nonce);
  ge_p3_tobytes(sm,&R);

  crypto_hash_sha512(hram,sm,mlen + 64);
  sc_reduce(hram);
  sc_muladd(sm + 32,hram,sk,nonce); /* NEW: Use privkey directly */

  /* NEW: Try to erase any traces of privkey or 
     nonce left in the stack from sc_muladd. */
  zeroize_stack();

  zeroize(nonce, 64);
  return 0;
}
Ejemplo n.º 6
0
void receiver_msg1(int* socket, havege_state* havege_state,
                   pk_context* r_context, int sender, int receiver,
                   char* s_nonce)
  /*@ requires GENERAL_PRE(receiver) &*&
               pk_context_with_key(r_context, pk_private,
                                   receiver, ?r_id, 8 * KEY_SIZE)  &*&
               chars(s_nonce, NONCE_SIZE, _); @*/
  /*@ ensures  GENERAL_POST(receiver) &*&
               pk_context_with_key(r_context, pk_private,
                                   receiver, r_id, 8 * KEY_SIZE) &*&
               RECEIVER_INTER; @*/
{
  //@ open principal(receiver, _);
  unsigned int size;
  char message[MSG1_SIZE];
  char encrypted[KEY_SIZE];

  // Receive the message
  net_recv(socket, encrypted, KEY_SIZE);
  //@ assert chars(encrypted, KEY_SIZE, ?enc_cs);
  //@ interpret_asym_encrypted(encrypted, KEY_SIZE);
  //@ assert cryptogram(encrypted, KEY_SIZE, ?enc_ccs, ?enc_cg);
  //@ assert enc_cg == cg_asym_encrypted(?p, ?c, ?pay, ?ent);

  // Decrypt the message
  /*@ produce_function_pointer_chunk random_function(random_stub_nsl)
                    (havege_state_initialized)(state, out, len) { call(); } @*/
  //@ close random_state_predicate(havege_state_initialized);
  //@ structure st = known_value(0, cs_to_ccs(identifier(sender)));
  //@ close decryption_pre(false, false, receiver, st, enc_ccs);
  if (pk_decrypt(r_context, encrypted, KEY_SIZE, message,
                  &size, MSG1_SIZE, random_stub_nsl, havege_state) != 0)
    abort();
  if (size != MSG1_SIZE)
    abort();
  //@ assert u_integer(&size, MSG1_SIZE);
  //@ assert crypto_chars(?kind, message, MSG1_SIZE, ?dec_ccs);
  /*@ open decryption_post(false, ?garbage, receiver,
                           st, receiver, r_id, dec_ccs); @*/
  //@ crypto_chars_split(message, ID_SIZE);
  //@ assert crypto_chars(kind, message, ID_SIZE, ?id_ccs);
  /*@ assert crypto_chars(kind, (void*) message + ID_SIZE,
                          NONCE_SIZE, ?s_nonce_ccs); @*/
  //@ assert dec_ccs == append(id_ccs, s_nonce_ccs);

  //@ open [_]nsl_pub(enc_cg);
  //@ assert [_]nsl_pub_msg_sender(?p_instigator2);
  /*@ if (col || garbage)
      {
        crypto_chars_to_chars(message, ID_SIZE);
      }
      else
      {
        if (bad(receiver) || bad(p_instigator2))
        {
          assert [_]public_ccs(dec_ccs);
          public_ccs_split(dec_ccs, ID_SIZE);
        }
        else
        {
          assert [_]nsl_pub_msg1(_, _, ?s_nonce_cg);
          take_append(ID_SIZE, cs_to_ccs(identifier(p_instigator2)),
                      ccs_for_cg(s_nonce_cg));
          drop_append(ID_SIZE, cs_to_ccs(identifier(p_instigator2)),
                      ccs_for_cg(s_nonce_cg));
        }
        public_crypto_chars(message, ID_SIZE);
      }
  @*/
  //@ chars_to_crypto_chars(message, ID_SIZE);
  /*@ close check_identifier_ghost_args(false, garbage, receiver,
                                        r_id, s_nonce_ccs); @*/
  check_identifier(message, sender);
  //@ assert id_ccs == cs_to_ccs(identifier(sender));
  memcpy(s_nonce, (void*) message + ID_SIZE, NONCE_SIZE);

  // Interpret message
  //@ cryptogram s_nonce_cg;
  //@ int p_inst;
  /*@ if (!col && !garbage)
      {
        p_inst = p_instigator2;
        if (bad(p_inst) || bad(receiver))
        {
          public_crypto_chars(s_nonce, NONCE_SIZE);
          chars_to_crypto_chars(s_nonce, NONCE_SIZE);
          crypto_chars_to_chars(message, ID_SIZE);
          chars_to_crypto_chars(message, ID_SIZE);
          public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
          chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
        }
        else
        {
          assert [_]nsl_pub_msg1(p_inst, receiver, ?s_nonce_cg2);
          s_nonce_cg = s_nonce_cg2;
          assert s_nonce_cg == cg_nonce(p_inst, _);
          s_nonce_ccs = ccs_for_cg(s_nonce_cg);
          assert dec_ccs == append(cs_to_ccs(identifier(p_inst)), s_nonce_ccs);
          take_append(ID_SIZE, cs_to_ccs(identifier(p_inst)), s_nonce_ccs);
          drop_append(ID_SIZE, cs_to_ccs(identifier(p_inst)), s_nonce_ccs);
          cs_to_ccs_inj(identifier(p_inst), identifier(sender));
          assert identifier(p_inst) == identifier(sender);
          equal_identifiers(p_inst, sender);
          close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
        }
      }
      else
      {
        crypto_chars_to_chars(s_nonce, NONCE_SIZE);
        chars_to_crypto_chars(s_nonce, NONCE_SIZE);
      }
  @*/
  //@ close receiver_inter(p, c, p_inst, s_nonce_ccs, s_nonce_cg);
  //@ crypto_chars_to_chars(message, ID_SIZE);
  zeroize((void*) message + ID_SIZE, NONCE_SIZE);
  //@ public_cryptogram(encrypted, enc_cg);
  //@ close principal(receiver, _);
}
Ejemplo n.º 7
0
void sender_msg1(int* socket, havege_state* havege_state, pk_context* r_context,
                 int sender, char* s_nonce)
  /*@ requires GENERAL_PRE(sender) &*&
               pk_context_with_key(r_context, pk_public,
                                   ?receiver, ?r_id, 8 * KEY_SIZE) &*&
               cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*&
                 s_nonce_cg == cg_nonce(sender, _) &*&
                 cg_info(s_nonce_cg) == int_pair(1, int_pair(receiver, r_id)); @*/
  /*@ ensures  GENERAL_POST(sender) &*&
               pk_context_with_key(r_context, pk_public,
                                   receiver, r_id, 8 * KEY_SIZE) &*&
               cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); @*/
{
  //@ open principal(sender, _);
  unsigned int size;
  char message[MSG1_SIZE];
  char encrypted[KEY_SIZE];

  // Construct the message
  write_identifier(message, sender);
  //@ list<crypto_char> sid_ccs = cs_to_ccs(identifier(sender));
  //@ assert crypto_chars(normal, message, ID_SIZE, sid_ccs);
  //@ cs_to_ccs_crypto_chars(message, identifier(sender));
  //@ public_chars(message, ID_SIZE);
  //@ chars_to_secret_crypto_chars(message, ID_SIZE);

  //@ open cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
  memcpy((void*) message + ID_SIZE, s_nonce, NONCE_SIZE);
  //@ crypto_chars_join(message);
  //@ list<crypto_char> msg1 = append(sid_ccs, s_nonce_ccs);
  //@ assert crypto_chars(secret, message, MSG1_SIZE, msg1);

   // Encrypt the message
  /*@ produce_function_pointer_chunk random_function(random_stub_nsl)
                    (havege_state_initialized)(state, out, len) { call(); } @*/
  //@ close random_state_predicate(havege_state_initialized);
  if (pk_encrypt(r_context, message, MSG1_SIZE, encrypted, &size,
                  KEY_SIZE, random_stub_nsl, havege_state) != 0)
    abort();
  //@ assert u_integer(&size, ?size_val);
  //@ assert cryptogram(encrypted, size_val, ?cs_enc, ?cg_enc);

  // Proof the message is public
  //@ take_append(ID_SIZE, sid_ccs, s_nonce_ccs);
  //@ drop_append(ID_SIZE, sid_ccs, s_nonce_ccs);
  //@ close nsl_pub_msg_sender(sender);
  //@ leak nsl_pub_msg_sender(sender);
  /*@ if (col || bad(sender) || bad(receiver))
      {
        assert crypto_chars(secret, message, MSG1_SIZE, msg1);
        crypto_chars_split(message, ID_SIZE);
        public_crypto_chars(message, ID_SIZE);
        assert chars(message, ID_SIZE, ?sid_cs);
        cs_to_ccs_inj(sid_cs, identifier(sender));
        assert chars(message, ID_SIZE, identifier(sender));
        close nsl_pub(s_nonce_cg);
        leak nsl_pub(s_nonce_cg);

        close cryptogram((void*) message + ID_SIZE, NONCE_SIZE,
                          s_nonce_ccs, s_nonce_cg);
        public_cryptogram((void*) message + ID_SIZE, s_nonce_cg);
        assert chars((void*) message + ID_SIZE, NONCE_SIZE, ?s_nonce_cs');
        cs_to_ccs_append(identifier(sender), s_nonce_cs');
        chars_join(message);
        public_chars(message, MSG1_SIZE);
        chars_to_crypto_chars(message, MSG1_SIZE);
      }
      else
      {
        close nsl_pub_msg1(sender, receiver, s_nonce_cg);
      }
  @*/
  //@ close nsl_pub(cg_enc);
  //@ leak nsl_pub(cg_enc);
  //@ public_cryptogram(encrypted, cg_enc);

  // Send the message
  net_send(socket, encrypted, size);
  zeroize(message, MSG1_SIZE);
  //@ close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
  //@ close principal(sender, _);
}
Ejemplo n.º 8
0
void sender_msg2(int* socket, havege_state* havege_state, pk_context* s_context,
                 int sender, int recvr, char* s_nonce, char* r_nonce)
  /*@ requires GENERAL_PRE(sender) &*&
               pk_context_with_key(s_context, pk_private,
                                   sender, ?s_id, 8 * KEY_SIZE)  &*&
               pk_context_with_key(?r_context, pk_public,
                                   recvr, ?r_id, 8 * KEY_SIZE)  &*&
               cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*&
                 s_nonce_cg == cg_nonce(sender, _) &*&
                 cg_info(s_nonce_cg) == int_pair(1, int_pair(recvr, r_id)) &*&
               chars(r_nonce, NONCE_SIZE, _); @*/
  /*@ ensures  GENERAL_POST(sender) &*&
               pk_context_with_key(s_context, pk_private,
                                   sender, s_id, 8 * KEY_SIZE) &*&
               pk_context_with_key(r_context, pk_public,
                                   recvr, r_id, 8 * KEY_SIZE)  &*&
               cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg) &*&
               SENDER_INTER; @*/
{
  //@ open principal(sender, _);
  unsigned int size;
  char message[MSG2_SIZE];
  char encrypted[KEY_SIZE];

  // Receive the message
  net_recv(socket, encrypted, KEY_SIZE);
  //@ assert chars(encrypted, KEY_SIZE, ?enc_cs);
  //@ interpret_asym_encrypted(encrypted, KEY_SIZE);
  //@ assert cryptogram(encrypted, KEY_SIZE, ?enc_ccs, ?enc_cg);

  // Decrypt the message
  /*@ produce_function_pointer_chunk random_function(random_stub_nsl)
                    (havege_state_initialized)(state, out, len) { call(); } @*/
  //@ close random_state_predicate(havege_state_initialized);
  //@ structure st = known_value(0, cs_to_ccs(identifier(recvr)));
  //@ close decryption_pre(false, false, sender, st, enc_ccs);
  if (pk_decrypt(s_context, encrypted, KEY_SIZE, message,
                  &size, MSG2_SIZE, random_stub_nsl, havege_state) != 0)
    abort();
  if (size != MSG2_SIZE)
    abort();
  //@ public_cryptogram(encrypted, enc_cg);
  //@ assert enc_cg == cg_asym_encrypted(?p, ?c, ?pay, ?ent);
  //@ assert u_integer(&size, MSG2_SIZE);
  /*@ open decryption_post(false, ?garbage, sender,
                           st, sender, s_id, ?dec_ccs); @*/
  //@ assert crypto_chars(?kind, message, MSG2_SIZE, dec_ccs);
  //@ crypto_chars_split(message, ID_SIZE);
  //@ crypto_chars_split((void*) message + ID_SIZE, NONCE_SIZE);
  //@ assert crypto_chars(kind, message, ID_SIZE, ?id_ccs);
  //@ assert crypto_chars(kind, (void*) message + ID_SIZE, NONCE_SIZE, ?s_ccs);
  /*@ assert crypto_chars(kind, (void*) message + ID_SIZE + NONCE_SIZE,
                          NONCE_SIZE, ?r_ccs); @*/
  //@ append_assoc(id_ccs, s_ccs, r_ccs);
  //@ take_append(ID_SIZE, id_ccs, append(s_ccs, r_ccs));
  //@ drop_append(ID_SIZE, id_ccs, append(s_ccs, r_ccs));
  //@ take_append(NONCE_SIZE, s_ccs, r_ccs);
  //@ drop_append(NONCE_SIZE, s_ccs, r_ccs);

  // Interpret the message
  //@ open [_]nsl_pub(enc_cg);
  //@ assert [_]nsl_pub_msg_sender(?recvr2);
  /*@ if (col || garbage)
      {
        crypto_chars_to_chars(message, ID_SIZE);
        crypto_chars_to_chars((void*) message + ID_SIZE, NONCE_SIZE);
        chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
        crypto_chars_to_chars((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE);
        chars_to_crypto_chars((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE);
      }
      else
      {
        if (bad(sender) || bad(recvr2))
        {
          assert [_]public_ccs(dec_ccs);
          public_ccs_split(dec_ccs, ID_SIZE);
          public_ccs_split(append(s_ccs, r_ccs), NONCE_SIZE);
          public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
          chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
        }
        else
        {
          assert [_]nsl_pub_msg2(sender, recvr2, ?s_nonce_cg2, ?s_nonce_ccs2,
                                 ?r_nonce_cg, _, _, _, ?pub_ns);
          take_append(ID_SIZE, cs_to_ccs(identifier(recvr2)),
                      append(s_nonce_ccs2, ccs_for_cg(r_nonce_cg)));
          drop_append(ID_SIZE, cs_to_ccs(identifier(recvr2)),
                      append(s_nonce_ccs2, ccs_for_cg(r_nonce_cg)));
          take_append(NONCE_SIZE, s_nonce_ccs2, ccs_for_cg(r_nonce_cg));
          drop_append(NONCE_SIZE, s_nonce_ccs2, ccs_for_cg(r_nonce_cg));
          if (pub_ns)
          {
            public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
            chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
          }
          else
          {
            close memcmp_secret((void*) message + ID_SIZE, NONCE_SIZE,
                                ccs_for_cg(s_nonce_cg2), s_nonce_cg2);
          }
        }
        public_crypto_chars(message, ID_SIZE);
      }
  @*/
  //@ chars_to_crypto_chars(message, ID_SIZE);
  /*@ close check_identifier_ghost_args(false, garbage, sender,
                                        s_id, append(s_ccs, r_ccs)); @*/
  check_identifier(message, recvr);
  //@ open cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
  //@ close memcmp_secret(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
  if (memcmp((void*) message + ID_SIZE, s_nonce, NONCE_SIZE) != 0) abort();
  memcpy(r_nonce, (void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE);
  //@ assert id_ccs == cs_to_ccs(identifier(recvr));
  //@ assert s_ccs == s_nonce_ccs;
  //@ cryptogram r_nonce_cg = ccs_for_cg_sur(r_ccs, tag_nonce);
  //@ close sender_inter(r_ccs, r_nonce_cg);

  /*@ if (!col && !garbage)
      {
        if (bad(sender) || bad(recvr2))
        {
          assert [_]public_ccs(dec_ccs);
          public_ccs_split(dec_ccs, ID_SIZE);
          public_ccs_split(append(s_nonce_ccs, r_ccs), NONCE_SIZE);
          public_crypto_chars(r_nonce, NONCE_SIZE);
          chars_to_crypto_chars(r_nonce, NONCE_SIZE);
          public_ccs_cg(s_nonce_cg);
          open [_]nsl_pub(s_nonce_cg);
          crypto_chars_to_chars((void*) message + ID_SIZE, NONCE_SIZE);
          chars_to_secret_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
        }
        else
        {
          assert dec_ccs == pay;
          assert sender == p;
          assert s_id == c;
          assert [_]nsl_pub_msg2(sender, recvr2, ?s_nonce_cg2, ?s_nonce_ccs2,
                                 ?r_nonce_cg2, ?p_inst, ?p2, ?c2, ?pub_ns);
          cs_to_ccs_inj(identifier(recvr2), identifier(recvr));
          assert identifier(recvr) == identifier(recvr2);
          equal_identifiers(recvr, recvr2);
          if (pub_ns)
          {
            public_ccs_cg(s_nonce_cg);
            open [_]nsl_pub(s_nonce_cg);
            assert false;
          }
          ccs_for_cg_inj(r_nonce_cg2, r_nonce_cg);
          close cryptogram(r_nonce, NONCE_SIZE, r_ccs, r_nonce_cg2);
          ccs_for_cg_inj(s_nonce_cg, s_nonce_cg2);
          assert c2 == r_id;
        }
      }
  @*/

  //@ close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
  //@ crypto_chars_join((void*) message + ID_SIZE);
  zeroize((void*) message + ID_SIZE, 2 * NONCE_SIZE);
  //@ crypto_chars_to_chars(message, ID_SIZE);
  //@ chars_join(message);
  //@ close principal(sender, _);
}
Ejemplo n.º 9
0
void sender_msg3(int* socket, havege_state* havege_state, pk_context* r_context,
                 int sender, char* r_nonce)
  /*@ requires GENERAL_PRE(sender) &*&
               pk_context_with_key(r_context, pk_public,
                                   ?recvr, ?r_id, 8 * KEY_SIZE) &*&
               SENDER_INTER; @*/
  /*@ ensures  GENERAL_POST(sender) &*&
               pk_context_with_key(r_context, pk_public,
                                   recvr, r_id, 8 * KEY_SIZE) &*&
               col || bad(sender) || bad(recvr) ?
                 chars(r_nonce, NONCE_SIZE, ?r_nonce_cs) &*&
                 r_nonce_ccs == cs_to_ccs(r_nonce_cs)
               :
                 cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); @*/
{
  //@ open principal(sender, _);
  unsigned int size;
  char message[MSG3_SIZE];
  char encrypted[KEY_SIZE];

  // Construct the message
  //@ open sender_inter(r_nonce_ccs, r_nonce_cg);
  //@ bool condition = col || bad(sender) || bad(recvr);
  /*@ if (!condition)
        open cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
      else
      {
        crypto_chars_to_chars(r_nonce, NONCE_SIZE);
        public_chars(r_nonce, NONCE_SIZE);
        chars_to_secret_crypto_chars(r_nonce, NONCE_SIZE);
      }
  @*/
  memcpy((void*) message, r_nonce, NONCE_SIZE);
  /*@ if (!condition)
        close cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
      else
        public_crypto_chars(r_nonce, NONCE_SIZE);
  @*/

  // Encrypt the message
  /*@ produce_function_pointer_chunk random_function(random_stub_nsl)
                    (havege_state_initialized)(state, out, len) { call(); } @*/
  //@ close random_state_predicate(havege_state_initialized);
  if (pk_encrypt(r_context, message, MSG3_SIZE, encrypted, &size,
                 KEY_SIZE, random_stub_nsl, havege_state) != 0)
    abort();
  //@ assert u_integer(&size, ?size_val);
  //@ assert cryptogram(encrypted, size_val, ?cs_enc, ?cg_enc);

  // Proof the message is public
  //@ close nsl_pub_msg_sender(sender);
  //@ leak nsl_pub_msg_sender(sender);
  //@ if (!condition) close nsl_pub_msg3(sender, recvr, r_nonce_cg);
  //@ close nsl_pub(cg_enc);
  //@ leak nsl_pub(cg_enc);
  //@ public_cryptogram(encrypted, cg_enc);

  // Send the message
  net_send(socket, encrypted, size);
  zeroize(message, MSG3_SIZE);
  //@ close principal(sender, _);
}
Ejemplo n.º 10
0
struct item *asymmetric_decryption(struct item *key, struct item *item, char tag)
  /*@ requires [?f]world(?pub, ?key_clsfy) &*& true == valid_tag(tag) &*&
               principal(?principal1, ?count1) &*&
               item(item, ?enc, pub) &*& item(key, ?k, pub) &*&
                 enc == asymmetric_encrypted_item(?principal2, ?count2,
                                                  ?pay, ?ent) &*&
               k == private_key_item(?principal3, ?count3); @*/
  /*@ ensures  [f]world(pub, key_clsfy) &*&
               principal(principal1, count1 + 1) &*&
               item(item, enc, pub) &*& item(key, k, pub) &*&
               item(result, ?dec, pub) &*& tag_for_item(dec) == tag &*&
               col ? 
                 [_]pub(dec) 
               : principal2 != principal3 || count2 != count3 ? 
                 true == key_clsfy(principal3, count3, false) &*& 
                 [_]pub(dec) 
               :
                 switch(pay)
                 {
                   case some(dec2):
                     return dec == dec2;
                   case none:
                     return false;
                 }; @*/
{
  struct item* result = 0;
  debug_print("DECRYPTING:\n");
  print_item(item);
  check_is_asymmetric_encrypted(item);

  {
    pk_context context;
    unsigned int olen;
    char output[MAX_PACKAGE_SIZE];

    // Key
    //@ close pk_context(&context);
    //@ open [f]world(pub, key_clsfy);
    pk_init(&context);
    //@ close [f]world(pub, key_clsfy);
    set_private_key(&context, key);
    //@ open [f]world(pub, key_clsfy);
    /*@ assert pk_context_with_key(&context, pk_private,
                                   ?principal, ?count, RSA_BIT_KEY_SIZE); @*/

    // Decryption
    //@ open item(item, enc, pub);
    /*@ assert enc == asymmetric_encrypted_item(principal2, count2,
                                                pay, ent); @*/
    //@ open [_]item_constraints(enc, ?enc_cs, pub);
    //@ assert [_]ic_parts(enc)(?enc_tag, ?enc_cont);
    //@ assert enc_cs == append(enc_tag, enc_cont);
    //@ open [_]ic_cg(enc)(_, ?enc_cg);
    //@ assert enc_cg == cg_asym_encrypted(principal2, count2, ?cs_pay, ent);
    if (item->size - TAG_LENGTH > RSA_KEY_SIZE ||
        item->size - TAG_LENGTH < MINIMAL_STRING_SIZE)
      abort_crypto_lib("Asymmetric decryption failed: incorrect sizes");
    //@ assert item->content |-> ?i_cont &*& item->size |-> ?i_size;
    //@ crypto_chars_split(i_cont, TAG_LENGTH);
    //@ drop_append(TAG_LENGTH, enc_tag, enc_cont);
    //@ assert crypto_chars(secret, i_cont + TAG_LENGTH, i_size - TAG_LENGTH, enc_cont);
    //@ if (col) enc_cg = chars_for_cg_sur(enc_cont, tag_asym_encrypted);
    //@ if (col) public_crypto_chars_extract(i_cont + TAG_LENGTH, enc_cg);
    //@ close cryptogram(i_cont + TAG_LENGTH, i_size - TAG_LENGTH, enc_cont, enc_cg);
    void *random_state = nonces_expose_state();
    //@ close random_state_predicate(havege_state_initialized);
    /*@ produce_function_pointer_chunk random_function(
                      asym_enc_havege_random_stub)
                     (havege_state_initialized)(state, out, len) { call(); } @*/
    //@ open principal(principal1, count1);
    //@ structure s = known_value(0, full_tag(tag));
    //@ close decryption_pre(false, false, principal1, s, enc_cont);
    if(pk_decrypt(&context, item->content + TAG_LENGTH,
                  (unsigned int) item->size - TAG_LENGTH,
                  output, &olen, MAX_PACKAGE_SIZE,
                  asym_enc_havege_random_stub, random_state) != 0)
      abort_crypto_lib("Decryption failed");
    /*@ open decryption_post(false, ?garbage, principal1, 
                             s, ?p_key, ?c_key, ?cs_out); @*/
    //@ assert u_integer(&olen, ?size_out);
    //@ pk_release_context_with_key(&context);
    //@ open cryptogram(i_cont + TAG_LENGTH, i_size - TAG_LENGTH, enc_cont, enc_cg);
    pk_free(&context);
    //@ open pk_context(&context);
    nonces_hide_state(random_state);
    //@ assert chars((void*)output + size_out, MAX_PACKAGE_SIZE - size_out, ?cs_rest);
    result = malloc(sizeof(struct item));
    if (result == 0) {abort_crypto_lib("Malloc failed");}
    result->size = (int) olen;
    if ((int) olen <= MINIMAL_STRING_SIZE)
      abort_crypto_lib("Decryption: Incorrect size");
    result->content = malloc(result->size);
    if (result->content == 0) {abort_crypto_lib("Malloc failed");}
    //@ close [f]world(pub, key_clsfy);
    //@ assert u_integer(&olen, ?olen_val);
    //@ assert crypto_chars(_, output, olen_val, cs_out);
    //@ crypto_chars_split(output, TAG_LENGTH);
    //@ assert crypto_chars(_, output, TAG_LENGTH, ?cs_tag);
    //@ assert crypto_chars(_, (void*) output + TAG_LENGTH, olen_val - TAG_LENGTH, ?cs_i);
    /*@ if (col)
        {
          crypto_chars_to_chars(output, TAG_LENGTH);
          chars_to_crypto_chars(output, TAG_LENGTH);
        }
        else if (!garbage)
        {
          switch(pay)
          {
            case some(pay1):
              open [_]item_constraints(pay1, cs_out, pub);
            case none:
              open [_]ill_formed_item_chars(enc)(cs_out);
              public_generated_split(polarssl_pub(pub), cs_out, TAG_LENGTH);
          }
          public_crypto_chars(output, TAG_LENGTH);
        }
    @*/
    //@ close check_tag2_ghost_args(false, garbage, p_key, c_key, cs_i);
    check_tag2(output, tag);
    //@ if (!garbage) chars_to_secret_crypto_chars(output, TAG_LENGTH);
    //@ crypto_chars_join(output);
    memcpy(result->content, output, olen);
    //@ assert result->content |-> ?cont;
    //@ assert crypto_chars(?kind, cont, olen_val, cs_out);
    zeroize(output, (int) olen);
    //@ close item(item, enc, pub);
    //@ assert enc == asymmetric_encrypted_item(principal2, count2, pay, ent);
    //@ assert col || enc_cg == cg_asym_encrypted(principal2, count2, cs_pay, ent);
    
    /*@ if (col)
        {
          crypto_chars_to_chars(cont, olen_val);
          public_chars(cont, olen_val);
          chars_to_crypto_chars(cont, olen_val);
        }
        else if (garbage)
        {
          assert true == key_clsfy(principal3, count3, false);
          public_chars(cont, olen_val);
          chars_to_crypto_chars(cont, olen_val);
        }
        else
        {
          assert principal2 == principal3;
          assert count2 == count3;
          assert cs_out == cs_pay;
          switch(pay)
          {
            case some(pay1):
              assert [_]item_constraints(pay1, cs_out, pub);
            case none:
              open [_]ill_formed_item_chars(enc)(cs_out);
              assert [_]public_generated(polarssl_pub(pub))(cs_out);
              public_crypto_chars(cont, olen_val);
              chars_to_crypto_chars(cont, olen_val);
          }
        }
    @*/
    parse_item(result->content, (int) olen);
    /*@ if (col || garbage)
        {
          retreive_proof_obligations();
          deserialize_item(cs_out, pub);
          leak proof_obligations(pub);
          chars_to_secret_crypto_chars(cont, olen_val);
        }
    @*/
    //@ open [_]item_constraints(?dec, cs_out, pub);
    //@ assert [_]ic_parts(dec)(?dec_tag, ?dec_cont);
    //@ take_append(TAG_LENGTH, dec_tag, dec_cont);
    //@ drop_append(TAG_LENGTH, dec_tag, dec_cont);
    //@ assert dec_tag == full_tag(tag);
    //@ assert tag_for_item(dec) == tag;
    //@ close item(result, dec, pub);
  }
  return result;
}
Ejemplo n.º 11
0
void attacker_send_decrypted(havege_state *havege_state, void* socket)
  //@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
  //@ ensures  attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
  int temp;
  int size1;
  int size2;
  char buffer1[MAX_MESSAGE_SIZE];
  char buffer2[MAX_MESSAGE_SIZE];
  char buffer3[MAX_MESSAGE_SIZE];
  aes_context aes_context;
  char iv[16];
  size_t iv_off = 0;

  //@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);

  size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE);
  size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE);
  if (size1 <= 0 || size2 < MINIMAL_STRING_SIZE ||
       (size1 != 16 && size1 != 24 && size1 != 32))
  {
    //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
    return;
  }

  //@ close aes_context(&aes_context);
  //@ interpret_symmetric_key(buffer1, size1);
  //@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key);
  //@ assert cg_key == cg_symmetric_key(?p, ?c);
  if (aes_setkey_enc(&aes_context, buffer1, (unsigned int) size1 * 8) == 0)
  {
    if (get_iv(havege_state, iv) == 0)
    {
      //@ assert crypto_chars(normal, iv, 16, ?ccs_iv);
      //@ interpret_encrypted(buffer2, size2);
      //@ open cryptogram(buffer2, size2, ?ccs2, ?cg_enc);
      //@ close cryptogram(buffer2, size2, ccs2, cg_enc);
      //@ assert cg_enc == cg_encrypted(?p2, ?c2, ?ccs_output2, ?ccs_iv2);
      //@ structure s = known_value(0, nil);
      //@ close decryption_pre(true, false, attacker, s, ccs2);
      int success = aes_crypt_cfb128(&aes_context, AES_DECRYPT,
                                     (unsigned int) size2, &iv_off, iv,
                                     buffer2, buffer3);
      if (success == 0) zeroize(iv, 16); 
      //@ if (success == 0) chars_to_crypto_chars(iv, 16);
      //@ open decryption_post(true, ?garbage, attacker, s, p, c, ?ccs_output);
      /*@ if (garbage)
          {
            assert is_public_key_classifier(?proof, _, _, _);
            proof(cg_key, p, c, true);
            decryption_garbage(buffer3, size2, s);
          }
          else if (success == 0)
          {
            assert crypto_chars(secret, buffer3, size2, ccs_output);
            assert ccs_output == ccs_output2;
            assert ccs_iv == ccs_iv2;
            assert ccs2 == ccs_for_cg(cg_enc);
            public_ccs_cg(cg_enc);
            assert [_]pub(cg_enc);
            assert is_public_decryption_is_public(?proof2, pub, pred);
            proof2(cg_key, cg_enc);
            public_crypto_chars(buffer3, size2);
            chars_to_crypto_chars(buffer3, size2);
          }
      @*/
      //@ crypto_chars_to_chars(buffer3, size2);
      net_send(socket, buffer3, (unsigned int) size2);
      //@ public_cryptogram(buffer2, cg_enc);
    }
    aes_free(&aes_context);
    //@ crypto_chars_to_chars(iv, 16);
  }
  //@ open aes_context(&aes_context);
  //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
  //@ public_cryptogram(buffer1, cg_key);
}
Ejemplo n.º 12
0
int main(int argc, char **argv) //@ : main_full(main_app)
    //@ requires module(main_app, true);
    //@ ensures true;
{
  pthread_t a_thread;
  havege_state havege_state;
  
  printf("\n\tExecuting \"");
  printf("enc_then_hmac protocol");
  printf("\" ... \n\n");
  
  //@ PROTOCOL_INIT(enc_then_hmac)
  //@ int attacker = principal_create();
  //@ int sender = principal_create();
  //@ int receiver = principal_create();
  //@ assume (!bad(sender) && !bad(receiver));
  
  //@ close havege_state(&havege_state);
  havege_init(&havege_state);
  //@ assume (bad(attacker));
  //@ close pthread_run_pre(attacker_t)(NULL, some(attacker));
  pthread_create(&a_thread, NULL, &attacker_t, NULL);
  
  int i = 0;
#ifdef EXECUTE
  while (i++ < 10)
#else
  while (true)
#endif
    /*@ invariant [_]public_invar(enc_then_hmac_pub) &*&
                  [_]decryption_key_classifier(enc_then_hmac_public_key) &*&
                  !bad(sender) && !bad(receiver) &*&
                  havege_state_initialized(&havege_state) &*&
                  principal(sender, ?count) &*& principal(receiver, _);
    @*/
  {
    char* enc_key;
    char* hmac_key;
    int temp;
    
    enc_key = malloc(KEY_SIZE);
    if (enc_key == 0) abort();
    hmac_key = malloc(KEY_SIZE);
    if (hmac_key == 0) abort();
    //@ open principal(sender, _);
    //@ close random_request(sender, 0, true);
    if (havege_random(&havege_state, enc_key, KEY_SIZE) != 0) abort();
    //@ assume (shared_with(sender, count + 1) == receiver);
    //@ assert cryptogram(enc_key, KEY_SIZE, ?enc_cs_key, ?enc_cg_key);
    //@ assert enc_cg_key == cg_symmetric_key(sender, count + 1);
    
    //@ close random_request(sender, count + 1, true);
    if (havege_random(&havege_state, hmac_key, KEY_SIZE) != 0) abort();
    //@ assume (shared_with(sender, count + 2) == receiver);
    //@ assert cryptogram(hmac_key, KEY_SIZE, ?hmac_cs_key, ?hmac_cg_key);
    //@ assert hmac_cg_key == cg_symmetric_key(sender, count + 2);
    {
      pthread_t s_thread, r_thread;

      struct enc_then_hmac_args s_args;
      struct enc_then_hmac_args r_args;
      char s_message[MSG_LEN];
      char r_message[MAX_SIZE];
    
      //@ assert chars(s_message, MSG_LEN, ?msg_cs);
      //@ public_chars(s_message, MSG_LEN);
      //@ chars_to_secret_crypto_chars(s_message, MSG_LEN);
      //@ s_args.sender = sender;
      //@ s_args.receiver = receiver;
      s_args.enc_key = enc_key;
      s_args.hmac_key = hmac_key;
      s_args.msg = s_message;
      
      //@ assume (send(sender, receiver, msg_cs) == true);      
      //@ r_args.sender = sender;
      //@ r_args.receiver = receiver;
      r_args.enc_key = enc_key;
      r_args.hmac_key = hmac_key;
      r_args.msg = r_message;
      
      //@ close principal(sender, _);
      //@ close pthread_run_pre(sender_t)(&s_args, ?s_data);
      //@ close pthread_run_pre(receiver_t)(&r_args, ?r_data);
      pthread_create(&r_thread, NULL, &receiver_t, &r_args);
      pthread_create(&s_thread, NULL, &sender_t, &s_args);
      
      pthread_join(s_thread, NULL);
      //@ open pthread_run_post(sender_t)(&s_args, s_data);
      pthread_join(r_thread, NULL);
      //@ open pthread_run_post(receiver_t)(&r_args, r_data);  
      //@ open [1/2]cryptogram(enc_key, KEY_SIZE, enc_cs_key, _);
      //@ open [1/2]cryptogram(enc_key, KEY_SIZE, enc_cs_key, _);
      //@ open [1/2]cryptogram(hmac_key, KEY_SIZE, hmac_cs_key, _);
      //@ open [1/2]cryptogram(hmac_key, KEY_SIZE, hmac_cs_key, _);

      if (r_args.length != MSG_LEN)
        abort();
      //@ public_crypto_chars(s_message, MSG_LEN);
#ifdef EXECUTE
      if (memcmp(s_message, r_message, MSG_LEN) != 0)
        abort();
#endif
      //@ open principal(sender, _);
      //@ close principal(sender, _);
      zeroize(r_message, r_args.length);
    }
    zeroize(enc_key, KEY_SIZE);
    free((void*) enc_key);
    zeroize(hmac_key, KEY_SIZE);
    free((void*) hmac_key);
    
    printf(" |%i| ", i);
  }
  
  printf("\n\n\t\tDone\n");
  return 0;
}
Ejemplo n.º 13
0
struct item *asymmetric_signature(struct item *key, struct item *payload)
  /*@ requires [?f]world(?pub, ?key_clsfy) &*&
               principal(?principal1, ?count1) &*&
               item(payload, ?pay, pub) &*& item(key, ?k, pub) &*&
               k == private_key_item(?principal2, ?count2); @*/
  /*@ ensures  [f]world(pub, key_clsfy) &*&
               principal(principal1, count1 + 1) &*&
               item(payload, pay, pub) &*& item(key, k, pub) &*&
               item(result, ?sig, pub) &*&
               col ? true :
                 sig == asymmetric_signature_item(principal2, count2,
                                                  some(pay), ?ent); @*/
{
  debug_print("ASYM SIGNING:\n");
  print_item(payload);

  struct item* result;
  result = malloc(sizeof(struct item));
  if (result == 0) abort_crypto_lib("Malloc failed");

  debug_print("signing item\n");
  print_item(payload);
  print_item(key);

  {
    pk_context context;
    unsigned int olen;
    char* output;

    // Key
    //@ close pk_context(&context);
    //@ open [f]world(pub, key_clsfy);
    pk_init(&context);
    //@ close [f]world(pub, key_clsfy);
    set_private_key(&context, key);
    //@ open [f]world(pub, key_clsfy);
    /*@ assert pk_context_with_key(&context, pk_private,
                                   ?principal, ?count, RSA_BIT_KEY_SIZE); @*/
    //@ assert col || principal == principal2;
    //@ assert col || count == count2;

    // Payload
    //@ open item(payload, pay, pub);
    //@ open [_]item_constraints(pay, ?pay_cs, pub);
    //@ assert payload->content |-> ?p_cont &*& payload->size |-> ?p_size;
    if (payload->size > RSA_KEY_SIZE)
      abort_crypto_lib("Assymetric signing failed: incorrect size");
    output = malloc(RSA_KEY_SIZE);
    if (output == 0) abort_crypto_lib("Malloc failed");

    void *random_state = nonces_expose_state();
    //@ close random_state_predicate(havege_state_initialized);
    /*@ produce_function_pointer_chunk random_function(
                      asym_sig_havege_random_stub)
                     (havege_state_initialized)(state, out, len) { call(); } @*/
    //@ open principal(principal1, count1);
    if(pk_sign(&context, POLARSSL_MD_NONE,
               payload->content, (unsigned int) payload->size,
               output, &olen,
               asym_sig_havege_random_stub, random_state) != 0)
      abort_crypto_lib("Signing failed");
    //@ open principal(principal1, count1 + 1);
    //@ open cryptogram(output, ?sig_length, ?sig_cs, ?sig_cg);
    //@ assert sig_cg == cg_asym_signature(principal, count, pay_cs, ?ent);
    //@ assert u_integer(&olen, sig_length);
    //@ assert sig_length > 0 &*& sig_length <= RSA_KEY_SIZE;
    nonces_hide_state(random_state);
    //@ pk_release_context_with_key(&context);
    pk_free(&context);
    //@ open pk_context(&context);
    //@ close [f]world(pub, key_clsfy);
    debug_print("signed item\n");
    print_buffer(output, (int) olen);

    // Create item
    if (olen < MINIMAL_STRING_SIZE)
      abort_crypto_lib("Assymetric signing failed: output to small");
    result->size = TAG_LENGTH + (int) olen;
    result->content = malloc(result->size);
    if (result->content == 0) {abort_crypto_lib("Malloc failed");}
    write_tag(result->content, TAG_ASYMMETRIC_SIG);
    //@ assert result->content |-> ?cont &*& result->size |-> ?size;
    //@ assert chars(cont, TAG_LENGTH, ?tag_cs);
    //@ assert tag_cs == full_tag(TAG_ASYMMETRIC_SIG);
    //@ public_chars(cont, TAG_LENGTH);
    //@ chars_to_secret_crypto_chars(cont, TAG_LENGTH);
    memcpy(result->content + TAG_LENGTH, output, olen);

    //@ crypto_chars_join(cont);
    //@ list<char> cs = append(tag_cs, sig_cs);
    //@ assert crypto_chars(secret, cont, size, cs);

    //@ item e = asymmetric_signature_item(principal, count, some(pay), ent);
    //@ close ic_cg(e)(sig_cs, sig_cg);
    /*@ if (col)
        {
          public_chars(cont, size);
          public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH);
        }
    @*/
    //@ close item(payload, pay, pub);
    zeroize(output, (int) olen);
    //@ chars_join(output);
    free(output);
    //@ WELL_FORMED(tag_cs, sig_cs, TAG_ASYMMETRIC_SIG)
    //@ close ic_parts(e)(tag_cs, sig_cs);
    //@ close well_formed_item_chars(e)(pay_cs);
    //@ leak well_formed_item_chars(e)(pay_cs);
    //@ close item_constraints(e, cs, pub);
    //@ leak item_constraints(e, cs, pub);
    //@ close item(result, e, pub);
  }
  debug_print("SINGING RESULT:\n");
  print_item(result);

  return result;
}
Ejemplo n.º 14
0
int main(int argc, char **argv) //@ : main_full(main_app)
    //@ requires module(main_app, true);
    //@ ensures true;
{
  pthread_t a_thread;
  havege_state havege_state;

  printf("\n\tExecuting \"");
  printf("yahalom protocol");
  printf("\" ... \n\n");

  //@ PROTOCOL_INIT(yahalom)
  //@ int server = principal_create();
  //@ assert server == 1;
  //@ int sender = principal_create();
  //@ assert sender == 2;
  //@ int receiver = principal_create();
  //@ assert receiver == 3;

  //@ int attacker = principal_create();
  //@ assume (bad(attacker));
  //@ close havege_state(&havege_state);
  havege_init(&havege_state);
  //@ assume (bad(attacker));
  //@ close pthread_run_pre(attacker_t)(NULL, some(attacker));
  pthread_create(&a_thread, NULL, &attacker_t, NULL);

  int i = 0;
#ifdef EXECUTE
  while (i++ < 10)
#else
  while (true)
#endif
    /*@ invariant [_]public_invar(yahalom_pub) &*&
                  [_]decryption_key_classifier(yahalom_public_key) &*&
                  havege_state_initialized(&havege_state) &*&
                  principal(server, ?serv_count) &*&
                  principal(sender, ?send_count) &*&
                  principal(receiver, ?rcvr_count);
    @*/
  {
    char s_key[KEY_SIZE];
    char r_key[KEY_SIZE];
    char key1[KEY_SIZE];
    char key2[KEY_SIZE];

    //@ open principal(sender, _);
    //@ close random_request(sender, int_pair(3, server), true);
    if (havege_random(&havege_state, s_key, KEY_SIZE) != 0) abort();
    //@ close principal(sender, _);
    //@ assert cryptogram(s_key, KEY_SIZE, ?cs_s_key, ?cg_s_key);
    //@ assert cg_s_key == cg_symmetric_key(sender, send_count + 1);

    //@ open principal(receiver, _);
    //@ close random_request(receiver, int_pair(3, server), true);
    if (havege_random(&havege_state, r_key, KEY_SIZE) != 0) abort();
    //@ close principal(receiver, _);
    //@ assert cryptogram(r_key, KEY_SIZE, ?cs_r_key, ?cg_r_key);
    //@ assert cg_r_key == cg_symmetric_key(receiver, rcvr_count + 1);

    {
      pthread_t serv_thread, s_thread, r_thread;
      struct yahalom_args serv_args, s_args, r_args;

      serv_args.server = 1;
      serv_args.sender = 2;
      serv_args.receiver = 3;
      serv_args.s_key = s_key;
      serv_args.r_key = r_key;

      s_args.server = 1;
      s_args.sender = 2;
      s_args.receiver = 3;
      s_args.s_key = s_key;
      s_args.key = key1;

      r_args.server = 1;
      r_args.sender = 2;
      r_args.receiver = 3;
      r_args.r_key = r_key;
      r_args.key = key2;

      //@ close pthread_run_pre(server_t)(&serv_args, ?serv_data);
      pthread_create(&serv_thread, NULL, &server_t, &serv_args);
      //@ close pthread_run_pre(sender_t)(&s_args, ?s_data);
      pthread_create(&s_thread, NULL, &sender_t, &s_args);
      //@ close pthread_run_pre(receiver_t)(&r_args, ?r_data);
      pthread_create(&r_thread, NULL, &receiver_t, &r_args);

      pthread_join(serv_thread, NULL);
      //@ open pthread_run_post(server_t)(&serv_args, serv_data);
      pthread_join(s_thread, NULL);
      //@ open pthread_run_post(sender_t)(&s_args, s_data);
      pthread_join(r_thread, NULL);
      //@ open pthread_run_post(receiver_t)(&r_args, r_data);
    }

    //@ open cryptogram(key1, KEY_SIZE, ?cs_key1, _);
    zeroize(key1, KEY_SIZE);
    //@ open cryptogram(key2, KEY_SIZE, ?cs_key2, _);
    zeroize(key2, KEY_SIZE);
    //@ open [1/2]cryptogram(s_key, KEY_SIZE, _, _);
    //@ open [1/2]cryptogram(s_key, KEY_SIZE, _, _);
    zeroize(s_key, KEY_SIZE);
    //@ open [1/2]cryptogram(r_key, KEY_SIZE, _, _);
    //@ open [1/2]cryptogram(r_key, KEY_SIZE, _, _);
    zeroize(r_key, KEY_SIZE);
    printf(" |%i| ", i);
  }

  printf("\n\n\t\tDone\n");
  return 0;
}
Ejemplo n.º 15
0
void zeroize_stack(void)
{
  unsigned char m[ZEROIZE_STACK_SIZE];
  zeroize(m, sizeof m);
}
Ejemplo n.º 16
0
void sender(char *enc_key, char *hmac_key, char *msg, unsigned int msg_len)
/*@ requires [_]public_invar(enc_then_hmac_pub) &*&
             principal(?sender, _) &*&
             [?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*&
             [?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*&
               enc_key_cg == cg_symmetric_key(sender, ?enc_id) &*&
               hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*&
                 cg_info(hmac_key_cg) == enc_id &*&
               shared_with(sender, enc_id) == shared_with(sender, hmac_id) &*&
             [?f3]crypto_chars(secret, msg, msg_len, ?msg_ccs) &*&
               MAX_SIZE >= msg_len &*& msg_len >= MINIMAL_STRING_SIZE &*&
               bad(sender) || bad(shared_with(sender, enc_id)) ?
                 [_]public_ccs(msg_ccs)
               :
                 true == send(sender, shared_with(sender, enc_id), msg_ccs); @*/
/*@ ensures  principal(sender, _) &*&
             [f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*&
             [f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*&
             [f3]crypto_chars(secret, msg, msg_len, msg_ccs); @*/
{
  //@ open principal(sender, _);
  int socket;
  havege_state havege_state;

  char iv[16];
  unsigned int iv_off = 0;
  char hmac[64];
  aes_context aes_context;
  
  net_usleep(20000);
  if(net_connect(&socket, NULL, SERVER_PORT) != 0)
    abort();
  if(net_set_block(socket) != 0)
    abort();
  {
    int message_len = 16 + (int) msg_len + 64;
    char* message = malloc(message_len);
    if (message == 0) abort();

    // IV stuff
    //@ close havege_state(&havege_state);
    havege_init(&havege_state);
    //@ close random_request(sender, 0, false);
    if (havege_random(&havege_state, iv, 16) != 0) abort();
    //@ open cryptogram(iv, 16, ?iv_ccs, ?iv_cg);
    //@ close enc_then_hmac_pub(iv_cg);
    //@ leak enc_then_hmac_pub(iv_cg);
    memcpy(message, iv, 16);
    //@ close cryptogram(message, 16, iv_ccs, iv_cg);
    //@ public_cryptogram(message, iv_cg);
    //@ assert chars(message, 16, ?iv_cs);
    //@ public_chars(message, 16);
    havege_free(&havege_state);
    //@ open havege_state(&havege_state);

    // encrypt
    //@ close aes_context(&aes_context);
    if (aes_setkey_enc(&aes_context, enc_key,
                        (unsigned int) (KEY_SIZE * 8)) != 0)
      abort();
    if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT, msg_len,
                         &iv_off, iv, msg, message + 16) != 0)
      abort();
    //@ open cryptogram(message + 16, msg_len, ?enc_ccs, ?enc_cg);
    //@ close cryptogram(message + 16, msg_len, enc_ccs, enc_cg);
    //@ close enc_then_hmac_pub(enc_cg);
    //@ leak enc_then_hmac_pub(enc_cg);
    //@ public_cryptogram(message + 16, enc_cg);
    //@ assert chars(message + 16, msg_len, ?enc_cs);
    //@ public_chars(message + 16, msg_len);
    //@ assert chars(message, 16 + msg_len, append(iv_cs, enc_cs));
    //@ assert enc_cg == cg_encrypted(sender, enc_id, msg_ccs, iv_ccs);
    zeroize(iv, 16);
    aes_free(&aes_context);
    //@ open aes_context(&aes_context);
    
    // hmac
    //@ chars_to_crypto_chars(message, 16 + msg_len);
    //@ HASH_PUB_PAYLOAD(append(iv_cs, enc_cs))
    sha512_hmac(hmac_key, KEY_SIZE, message,
                (unsigned int) (16 + (int) msg_len),
                message + 16 + (int) msg_len, 0);
    //@ assert cryptogram(message + 16 + msg_len, 64, ?hmac_ccs, ?hmac_cg);
    //@ cs_to_ccs_append(iv_cs, enc_cs);
    //@ assert hmac_cg == cg_hmac(sender, hmac_id, append(iv_ccs, enc_ccs));
    /*@ if (!col && !enc_then_hmac_public_key(sender, enc_id, true))
          close enc_then_hmac_pub_1(enc_id, msg_ccs, iv_ccs); @*/
    /*@ if (col || enc_then_hmac_public_key(sender, enc_id, true))
        { 
          assert [_]public_ccs(iv_ccs);
          assert [_]public_ccs(enc_ccs);
          public_ccs_join(iv_ccs, enc_ccs);
        }
    @*/
    //@ close enc_then_hmac_pub(hmac_cg);
    //@ leak enc_then_hmac_pub(hmac_cg);
    //@ public_cryptogram(message + 16 + msg_len, hmac_cg);
    //@ assert chars(message + 16 + msg_len, 64, ?hmac_cs);
    //@ append_assoc(iv_ccs, enc_ccs, hmac_ccs);
    //@ append_assoc(iv_cs, enc_cs, hmac_cs);
    //@ cs_to_ccs_crypto_chars(message, append(iv_cs, enc_cs));
    /*@ assert chars(message, message_len,
                     append(iv_cs, append(enc_cs, hmac_cs))); @*/
    net_send(&socket, message, (unsigned int) message_len);
    
    free(message);
  }
  net_close(socket);
  //@ close principal(sender, _);
}
Ejemplo n.º 17
0
int receiver(char *enc_key, char *hmac_key, char *msg)
/*@ requires [_]public_invar(enc_then_hmac_pub) &*&
             [_]decryption_key_classifier(enc_then_hmac_public_key) &*&
             principal(?receiver, _) &*&
             [?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*&
             [?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*&
               enc_key_cg == cg_symmetric_key(?sender, ?enc_id) &*&
               hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*&
                 cg_info(hmac_key_cg) == enc_id &*&
               receiver == shared_with(sender, enc_id) &*&
               receiver == shared_with(sender, hmac_id) &*&
             chars(msg, MAX_SIZE, _); @*/
/*@ ensures  principal(receiver, _) &*&
             [f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*&
             [f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*&
             chars(msg + result, MAX_SIZE - result, _) &*&
             crypto_chars(?kind, msg, result, ?msg_ccs) &*&
             col || bad(sender) || bad(receiver) ||
               (kind == secret && send(sender, receiver, msg_ccs)); @*/
{
  //@ open principal(receiver, _);
  int socket1;
  int socket2;

  int size;
  int enc_size;
  char iv[16];
  unsigned int iv_off = 0;
  char hmac[64];
  aes_context aes_context;

  if(net_bind(&socket1, NULL, SERVER_PORT) != 0)
    abort();
  if(net_accept(socket1, &socket2, NULL) != 0)
    abort();
  if(net_set_block(socket2) != 0)
    abort();

  {
    int max_size = 16 + MAX_SIZE + 64;
    char *buffer = malloc (max_size); if (buffer == 0) abort();
    size = net_recv(&socket2, buffer, (unsigned int) max_size);
    if (size <= 16 + 64) abort();
    enc_size = size - 16 - 64;
    if (enc_size < MINIMAL_STRING_SIZE) abort();
    //@ chars_split(buffer, size);
    //@ assert chars(buffer, size, ?all_cs);
    //@ close hide_chars((void*) buffer + size, max_size - size, _);

    //Verify the hmac
    //@ chars_split(buffer, size - 64);
    //@ public_chars(buffer + size - 64, 64);
    //@ assert chars(buffer + size - 64, 64, ?hmac_cs);
    //@ assert chars(buffer, size - 64, ?pay_cs);
    //@ chars_to_crypto_chars(buffer, size - 64);
    //@ HASH_PUB_PAYLOAD(pay_cs)
    sha512_hmac(hmac_key, KEY_SIZE, buffer,
                (unsigned int) (size - 64), hmac, 0);
    //@ open cryptogram(hmac, 64, ?hmac_ccs, ?hmac_cg);
    //@ chars_to_crypto_chars((void*) buffer + size - 64, 64);
    //@ close memcmp_secret(hmac, 64, hmac_ccs, hmac_cg);
    if (memcmp((void*) buffer + size - 64, hmac, 64) != 0) abort();
    /*@ if (!col) 
        {
          public_ccs_cg(hmac_cg);
          public_crypto_chars(hmac, 64);
        }
        else
        {
          crypto_chars_to_chars(hmac, 64);
        }
    @*/
    //@ assert all_cs == append(pay_cs, hmac_cs);

    // IV stuff
    //@ cs_to_ccs_crypto_chars(buffer, pay_cs);
    //@ chars_split(buffer, 16);
    //@ assert chars(buffer, 16, ?iv_cs);
    //@ chars_to_crypto_chars(buffer, 16);
    //@ assert crypto_chars(normal, buffer, 16, ?iv_ccs);
    memcpy(iv, buffer, 16);
    //@ cs_to_ccs_crypto_chars(iv, iv_cs);
    //@ interpret_nonce(iv, 16);
    //@ open cryptogram(iv, 16, iv_ccs, ?iv_cg);

    //Decrypt
    //@ assert chars(buffer + 16, enc_size, ?enc_cs);
    //@ interpret_encrypted(buffer + 16, enc_size);
    //@ open cryptogram(buffer + 16, enc_size, ?enc_ccs, ?enc_cg);
    //@ close cryptogram(buffer + 16, enc_size, enc_ccs, enc_cg);
    //@ assert enc_cg == cg_encrypted(?p2, ?c2, ?dec_ccs2, ?iv_ccs2);
    //@ close aes_context(&aes_context);
    if (aes_setkey_enc(&aes_context, enc_key,
                        (unsigned int) (KEY_SIZE * 8)) != 0)
      abort();
    //@ structure s = known_value(0, dec_ccs2);
    //@ close decryption_pre(true, false, receiver, s, enc_ccs);
    if (aes_crypt_cfb128(&aes_context, AES_DECRYPT, (unsigned int) enc_size,
                         &iv_off, iv, buffer + 16, msg) != 0)
      abort();
    //@ assert pay_cs == append(iv_cs, enc_cs);
    //@ cs_to_ccs_append(iv_cs, enc_cs);
    zeroize(iv, 16);
    aes_free(&aes_context);
    
    //@ open aes_context(&aes_context);
    //@ public_cg_ccs(enc_cg);
    //@ public_cryptogram(buffer + 16, enc_cg);
    /*@ open decryption_post(true, ?garbage, receiver,
                             s, sender, enc_id, ?dec_ccs); @*/
    /*@ if (!col)
        {
          open [_]enc_then_hmac_pub(hmac_cg);
          open [_]enc_then_hmac_pub(enc_cg);
          if (!enc_then_hmac_public_key(sender, enc_id, true))
          {
            assert [_]enc_then_hmac_pub_1(?id, ?dec_ccs3, ?ent);
            cryptogram enc_cg3 = cg_encrypted(sender, id, dec_ccs3, ent);
            take_append(16, iv_ccs, ccs_for_cg(enc_cg));
            take_append(16, ent, ccs_for_cg(enc_cg3));
            assert ent == iv_ccs;
            drop_append(16, iv_ccs, ccs_for_cg(enc_cg));
            drop_append(16, ent, ccs_for_cg(enc_cg3));
            assert ccs_for_cg(enc_cg) == ccs_for_cg(enc_cg3);
            ccs_for_cg_inj(enc_cg, enc_cg3);
            assert dec_ccs2 == dec_ccs3;
            close exists(pair(nil, nil));
            close has_structure(dec_ccs2, s);
            leak has_structure(dec_ccs2, s);
          }
        }
        else
        {
          crypto_chars_to_chars(msg, enc_size);
          chars_to_secret_crypto_chars(msg, enc_size);
        }
    @*/
    //@ if (garbage) decryption_garbage(msg, enc_size, s);
    //@ open hide_chars((void*) buffer + size, max_size - size, _);
    //@ crypto_chars_to_chars(buffer, 16);
    //@ crypto_chars_to_chars(buffer + size - 64, 64);
    //@ chars_join(buffer);
    //@ chars_join(buffer);
    free(buffer);
  }
  net_close(socket2);
  net_close(socket1);
  return enc_size;
  //@ close principal(receiver, _);
}
Ejemplo n.º 18
0
void attacker_send_auth_decrypted(havege_state *havege_state, void* socket)
  //@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
  //@ ensures  attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
  int temp;
  int size1;
  int size2;
  char buffer1[MAX_MESSAGE_SIZE];
  char buffer2[MAX_MESSAGE_SIZE];
  char buffer3[MAX_MESSAGE_SIZE];
  gcm_context gcm_context;
  char iv[16];

  //@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);

  size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE);
  size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE);
  if (size1 <= 16 || size2 <= 16 ||
      (size1 != 16 && size1 != 24 && size1 != 32))
  {
    //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
    return;
  }

  //@ close gcm_context(&gcm_context);
  //@ interpret_symmetric_key(buffer1, size1);
  //@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key);
  //@ assert cg_key == cg_symmetric_key(?p, ?c);
  if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES,
      buffer1, (unsigned int) size1 * 8) == 0)
  {
    if (get_iv(havege_state, iv) == 0)
    {
      //@ assert crypto_chars(normal, iv, 16, ?ccs_iv);
      //@ assert chars(buffer2, size2, ?cs2);
      //@ interpret_auth_encrypted(buffer2, size2);
      //@ open cryptogram(buffer2, size2, ?ccs2, ?cg_enc);
      //@ cs_to_ccs_crypto_chars(buffer2, cs2);
      //@ chars_to_crypto_chars(buffer2, size2);
      //@ close exists(cg_enc);
      //@ assert cg_enc == cg_auth_encrypted(?p2, ?c2, ?ccs_output2, ?ccs_iv2);
      //@ crypto_chars_split(buffer2, 16);
      if (gcm_auth_decrypt(&gcm_context, (unsigned int) size2 - 16,
                            iv, 16, NULL, 0, buffer2, 16,
                            (void*) buffer2 + 16, buffer3) == 0)
      {
        /*@ if (!col)
            {
              assert crypto_chars(secret, buffer3, size2 - 16, ?ccs_output);
              ccs_output == ccs_output2;
              ccs_iv == ccs_iv2;
              assert ccs2 == ccs_for_cg(cg_enc);
              assert [_]pub(cg_enc);
              assert is_public_auth_decryption_is_public(?proof3, pub, pred);
              proof3(cg_key, cg_enc);
              public_crypto_chars(buffer3, size2 - 16);
              chars_to_crypto_chars(buffer3, size2 - 16);
            }
        @*/
        zeroize(iv, 16);
        //@ chars_to_crypto_chars(iv, 16);
      }
      //@ crypto_chars_to_chars(buffer3, size2 - 16);
      net_send(socket, buffer3, (unsigned int) size2 - 16);
      //@ crypto_chars_to_chars(buffer2, 16);
      //@ crypto_chars_to_chars((void*) buffer2 + 16, size2 - 16);
      //@ chars_join(buffer2);
    }
    //@ crypto_chars_to_chars(iv, 16);
    gcm_free(&gcm_context);
  }
  //@ open gcm_context(&gcm_context);
  //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
  //@ public_cryptogram(buffer1, cg_key);
}
Ejemplo n.º 19
0
void receiver_msg2(int* socket, havege_state* havege_state,
                   pk_context* s_context, int receiver,
                   char* s_nonce, char* r_nonce)
  /*@ requires GENERAL_PRE(receiver) &*&
               pk_context_with_key(?r_context, pk_private,
                                   receiver, ?r_id, 8 * KEY_SIZE)  &*&
               pk_context_with_key(s_context, pk_public,
                                   ?sender, ?s_id, 8 * KEY_SIZE) &*&
               RECEIVER_INTER &*&
               cryptogram(r_nonce, NONCE_SIZE, ?r_nonce_ccs, ?r_nonce_cg) &*&
                 r_nonce_cg == cg_nonce(receiver, _) &*&
                 cg_info(r_nonce_cg) == int_pair(2, int_pair(sender,
                               int_pair(p_inst, int_pair(p_orig, c_orig)))); @*/
  /*@ ensures  GENERAL_POST(receiver) &*&
               pk_context_with_key(r_context, pk_private,
                                   receiver, r_id, 8 * KEY_SIZE)  &*&
               pk_context_with_key(s_context, pk_public,
                                   sender, s_id, 8 * KEY_SIZE) &*&
               (
                  col || bad(p_inst) || bad(receiver) ?
                    chars(s_nonce, NONCE_SIZE, ?s_nonce_cs) &*&
                    s_nonce_ccs == cs_to_ccs(s_nonce_cs)
                  :
                    cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg)
               ) &*&
               cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); @*/
{
  //@ open principal(receiver, _);
  unsigned int size;
  char message[MSG2_SIZE];
  char encrypted[KEY_SIZE];
  //@ open receiver_inter(p_orig, c_orig, p_inst, s_nonce_ccs, s_nonce_cg);

  // Construct the message
  write_identifier(message, receiver);
  //@ list<crypto_char> rid_ccs = cs_to_ccs(identifier(receiver));
  //@ assert crypto_chars(normal, message, ID_SIZE, rid_ccs);
  //@ cs_to_ccs_crypto_chars(message, identifier(receiver));
  //@ public_chars(message, ID_SIZE);
  //@ chars_to_secret_crypto_chars(message, ID_SIZE);
  //@ bool condition =  col || bad(p_inst) || bad(receiver);
  /*@ if (!condition)
        open cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
      else
      {
        crypto_chars_to_chars(s_nonce, NONCE_SIZE);
        public_chars(s_nonce, NONCE_SIZE);
        chars_to_secret_crypto_chars(s_nonce, NONCE_SIZE);
      }
  @*/
  //@ open cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
  memcpy((void*) message + ID_SIZE, s_nonce, NONCE_SIZE);
  memcpy((void*) message + ID_SIZE + NONCE_SIZE, r_nonce, NONCE_SIZE);
  //@ crypto_chars_join(message);
  //@ crypto_chars_join(message);
  //@ list<crypto_char> msg2 = append(rid_ccs, append(s_nonce_ccs, r_nonce_ccs));
  //@ append_assoc(rid_ccs, s_nonce_ccs, r_nonce_ccs);
  //@ assert crypto_chars(secret, message, MSG2_SIZE, msg2);

  // Encrypt the message
  /*@ produce_function_pointer_chunk random_function(random_stub_nsl)
                    (havege_state_initialized)(state, out, len) { call(); } @*/
  //@ close random_state_predicate(havege_state_initialized);
  if (pk_encrypt(s_context, message, MSG2_SIZE, encrypted, &size,
                  KEY_SIZE, random_stub_nsl, havege_state) != 0)
    abort();
  //@ assert u_integer(&size, ?size_val);
  //@ assert cryptogram(encrypted, size_val, ?cs_enc, ?cg_enc);
  //@ take_append(ID_SIZE, rid_ccs, append(s_nonce_ccs, r_nonce_ccs));
  //@ drop_append(ID_SIZE, rid_ccs, append(s_nonce_ccs, r_nonce_ccs));
  //@ take_append(NONCE_SIZE, s_nonce_ccs, r_nonce_ccs);
  //@ drop_append(NONCE_SIZE, s_nonce_ccs, r_nonce_ccs);

  // Proof the message is public
  /*@ if (col || bad(sender) || bad(receiver))
      {
        assert crypto_chars(secret, message, MSG2_SIZE, msg2);
        crypto_chars_split(message, ID_SIZE);
        crypto_chars_split((void*) message + ID_SIZE, NONCE_SIZE);
        public_crypto_chars((void*) message, ID_SIZE);
        public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE);
        close nsl_pub(r_nonce_cg);
        leak nsl_pub(r_nonce_cg);
        close cryptogram((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE,
                         r_nonce_ccs, r_nonce_cg);
        public_cryptogram((void*) message + ID_SIZE + NONCE_SIZE, r_nonce_cg);
        
        assert chars((void*) message, ID_SIZE, ?rid_cs);
        assert chars((void*) message + ID_SIZE, NONCE_SIZE, ?s_nonce_cs);
        assert chars((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE, ?r_nonce_cs);        
        cs_to_ccs_append(rid_cs, s_nonce_cs);
        cs_to_ccs_append(append(rid_cs, s_nonce_cs), r_nonce_cs);

        chars_join(message);
        chars_join(message);
        public_chars(message, MSG2_SIZE);
        chars_to_secret_crypto_chars(message, MSG2_SIZE);
      }
      else
      {
        close nsl_pub_msg2(sender, receiver, s_nonce_cg, s_nonce_ccs, r_nonce_cg,
                           p_inst, p_orig, c_orig, condition);
      }
  @*/
  //@ close nsl_pub_msg_sender(receiver);
  //@ leak nsl_pub_msg_sender(receiver);
  //@ close nsl_pub(cg_enc);
  //@ leak nsl_pub(cg_enc);
  //@ public_cryptogram(encrypted, cg_enc);

  // Send the message
  net_send(socket, encrypted, size);
  zeroize(message, MSG2_SIZE);

  /*@ if (!condition)
        close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg);
      else
        public_crypto_chars(s_nonce, NONCE_SIZE);
  @*/
  //@ close cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
  //@ close principal(receiver, _);
}
Ejemplo n.º 20
0
		inline ~element()
		{
			zeroize(n, sizeof(n));
		}
Ejemplo n.º 21
0
void receiver_msg3(int* socket, havege_state* havege_state,
                   pk_context* r_context, int sender, int receiver,
                   char* s_nonce, char* r_nonce)
  /*@ requires GENERAL_PRE(receiver) &*&
               pk_context_with_key(r_context, pk_private,
                                   receiver, ?r_id, 8 * KEY_SIZE)  &*&
               RECEIVER_INTER &*&
               cryptogram(r_nonce, NONCE_SIZE, ?r_nonce_ccs, ?r_nonce_cg) &*&
                 r_nonce_cg == cg_nonce(receiver, _) &*&
                 cg_info(r_nonce_cg) == int_pair(2, int_pair(sender,
                               int_pair(p_inst, int_pair(p_orig, c_orig)))); @*/
  /*@ ensures  GENERAL_POST(receiver) &*&
               pk_context_with_key(r_context, pk_private,
                                   receiver, r_id, 8 * KEY_SIZE) &*&
               (
                 col || bad(p_inst) || bad(receiver) ?
                   crypto_chars(normal, s_nonce, NONCE_SIZE, s_nonce_ccs)
                 :
                   cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg)
               ) &*&
               cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg) &*&
               col || bad(sender) || bad(receiver) ||
                 (receiver == p_orig && r_id == c_orig && sender == p_inst); @*/
{
  //@ open principal(receiver, _);
  unsigned int size;
  char message[MSG3_SIZE];
  char encrypted[KEY_SIZE];
  //@ open receiver_inter(p_orig, c_orig, p_inst, s_nonce_ccs, s_nonce_cg);

  // Receive the message
  net_recv(socket, encrypted, KEY_SIZE);
  //@ assert chars(encrypted, KEY_SIZE, ?enc_cs);
  //@ interpret_asym_encrypted(encrypted, KEY_SIZE);
  //@ assert cryptogram(encrypted, KEY_SIZE, ?enc_ccs, ?enc_cg);
  //@ assert enc_cg == cg_asym_encrypted(?p, ?c, ?pay, ?ent);

  // Decrypt the message
  /*@ produce_function_pointer_chunk random_function(random_stub_nsl)
                    (havege_state_initialized)(state, out, len) { call(); } @*/
  //@ close random_state_predicate(havege_state_initialized);
  //@ structure st = known_value(0, r_nonce_ccs);
  //@ close decryption_pre(false, false, receiver, st, enc_ccs);
  if (pk_decrypt(r_context, encrypted, KEY_SIZE, message,
                  &size, MSG3_SIZE, random_stub_nsl, havege_state) != 0)
    abort();
  if (size != MSG3_SIZE)
    abort();
  //@ assert u_integer(&size, MSG3_SIZE);
  //@ assert crypto_chars(?kind, message, NONCE_SIZE, ?dec_ccs);
  /*@ open decryption_post(false, ?garbage, receiver,
                           st, receiver, r_id, dec_ccs); @*/

  // Interpret the message
  //@ open cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
  //@ open [_]nsl_pub(enc_cg);
  //@ assert [_]nsl_pub_msg_sender(?sender2);
  /*@ if (col || garbage)
      {
        crypto_chars_to_chars(message, NONCE_SIZE);
        chars_to_crypto_chars(message, NONCE_SIZE);
      }
      else
      {
        if (bad(receiver) || bad(sender2))
        {
          public_crypto_chars(message, NONCE_SIZE);
          chars_to_crypto_chars(message, NONCE_SIZE);
        }
        else
        {
          assert [_]nsl_pub_msg3(sender2, receiver, ?r_nonce_cg2);
          close memcmp_secret(message, NONCE_SIZE, dec_ccs, r_nonce_cg2);
        }
      }
  @*/
  //@ close memcmp_secret(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
  if (memcmp((void*) message, r_nonce, NONCE_SIZE) != 0) abort();
  //@ assert dec_ccs == r_nonce_ccs;
  /*@ if (garbage)
      {
        close exists(pair(nil, nil));
        close has_structure(r_nonce_ccs, st);
        leak has_structure(r_nonce_ccs, st);
        decryption_garbage(message, NONCE_SIZE, st);
        crypto_chars_to_chars(message, NONCE_SIZE);
        chars_to_secret_crypto_chars(message, NONCE_SIZE);
      }
      else if (!col && !bad(sender) && !bad(receiver))
      {
        if (bad(receiver) || bad(sender2))
        {
          public_crypto_chars(r_nonce, NONCE_SIZE);
          public_ccs_cg(r_nonce_cg);
          open [_]nsl_pub(r_nonce_cg);
          assert false;
        }
        else if (bad(p_inst))
        {
          assert [_]nsl_pub_msg3(sender2, receiver, ?r_nonce_cg2);
          int p1_1 = int_pair(p_orig, c_orig);
          int p1_2 = int_pair(p_inst, p1_1);
          int p1_3 = int_pair(sender, p1_2);
          int p2_1 = int_pair(receiver, r_id);
          int p2_2 = int_pair(sender2, p2_1);
          int p2_3 = int_pair(sender2, p2_2);
          assert cg_info(r_nonce_cg) == int_pair(2, p1_3);
          assert cg_info(r_nonce_cg2) == int_pair(2, p2_3);
          ccs_for_cg_inj(r_nonce_cg, r_nonce_cg2);
          int_right_int_pair(2, p1_3);
          int_right_int_pair(2, p2_3);
          int_left_int_pair(sender, p1_2);
          int_left_int_pair(sender2, p2_2);
          int_right_int_pair(sender, p1_2);
          int_right_int_pair(sender2, p2_2);
          int_left_int_pair(p_inst, p1_1);
          assert false;
        }
      }
  @*/
  zeroize(message, MSG3_SIZE);
  //@ close cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg);
  //@ public_cryptogram(encrypted, enc_cg);
  //@ close principal(receiver, _);
}
Ejemplo n.º 22
0
struct item *symmetric_decryption(struct item *key, struct item *item)
  /*@ requires [?f]world(?pub, ?key_clsfy) &*&
               item(item, ?enc, pub) &*&
                 enc == symmetric_encrypted_item(?principal1, ?count1,
                                                 ?pay, ?ent) &*&
               item(key, ?k, pub) &*&
                 k == symmetric_key_item(?principal2, ?count2); @*/
  /*@ ensures  [f]world(pub, key_clsfy) &*&
               item(item, enc, pub) &*& item(key, k, pub) &*&
               item(result, ?dec, pub) &*&
               col ? [_]pub(dec) :
               switch(pay)
               {
                 case some(dec2):
                   return principal1 == principal2 &&
                          count1 == count2 && dec == dec2;
                 case none:
                   return false;
               }; @*/
{
  debug_print("DECRYPTING:\n");
  print_item(item);
  check_is_symmetric_encrypted(item);

  //@ open [f]world(pub, key_clsfy);
  struct item* result;
  result = malloc(sizeof(struct item));
  if (result == 0) abort_crypto_lib("Malloc failed");

  {
    gcm_context gcm_context;
    char *iv;
    char iv_buffer[GCM_IV_SIZE];
    char *encrypted;

    //@ open item(key, k, pub);
    //@ assert key->content |-> ?k_cont &*& key->size |-> ?k_size;
    check_valid_symmetric_key_item_size(key->size);
    //@ open [_]item_constraints(k, ?k_cs0, pub);
    //@ assert [_]ic_parts(k)(?k_tag, ?k_cs);
    //@ crypto_chars_limits(k_cont);
    //@ crypto_chars_split(k_cont, TAG_LENGTH);
    //@ WELL_FORMED(k_tag, k_cs, TAG_SYMMETRIC_KEY)
    //@ assert crypto_chars(secret, k_cont, TAG_LENGTH, k_tag);
    //@ assert crypto_chars(secret, k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs);
    //@ cryptogram k_cg = cg_symmetric_key(principal2, count2);
    //@ if (col) k_cg = chars_for_cg_sur(k_cs, tag_symmetric_key);
    //@ if (col) crypto_chars_to_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
    //@ if (col) public_chars_extract(k_cont + TAG_LENGTH, k_cg);
    //@ if (col) chars_to_secret_crypto_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
    //@ close cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
    //@ close gcm_context(&gcm_context);
    if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES, (key->content + TAG_LENGTH),
                (unsigned int) GCM_KEY_SIZE * 8) != 0)
      abort_crypto_lib("Init gcm failed");
    //@ assert gcm_context_initialized(&gcm_context, ?p, ?c);
    //@ assert col || (p == principal2 && c == count2);
    //@ open cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
    //@ crypto_chars_join(k_cont);
    //@ close item(key, k, pub);

    //@ open item(item, enc, pub);
    //@ assert item->content |-> ?i_cont &*& item->size |-> ?i_size;
    //@ open [_]item_constraints(enc, ?cs, pub);
    //@ open [_]ic_parts(enc)(?enc_tag, ?enc_cont);
    //@ open [_]ic_cg(enc)(_, ?enc_cg);
    //@ take_append(TAG_LENGTH, enc_tag, enc_cont);
    //@ drop_append(TAG_LENGTH, enc_tag, enc_cont);
    //@ open [_]ic_sym_enc(enc)(?enc_iv, ?cg_cs);
    //@ assert true == well_formed(cs, nat_length(cs));
    //@ close [1/2]hide_crypto_chars(_, i_cont, i_size, cs);
    check_valid_symmetric_encrypted_item_size(item->size);
    //@ assert length(cs) > TAG_LENGTH + GCM_IV_SIZE;
    int size = item->size - TAG_LENGTH - GCM_IV_SIZE - GCM_MAC_SIZE;
    if (size <= MINIMAL_STRING_SIZE) abort_crypto_lib("Gcm decryption failed");
    //@ crypto_chars_limits(i_cont);
    //@ crypto_chars_split(i_cont, TAG_LENGTH);
    iv = item->content + TAG_LENGTH;
    //@ crypto_chars_split(iv, GCM_IV_SIZE);
    //@ assert [1/2]crypto_chars(secret, iv, GCM_IV_SIZE, ?iv_cs);
    memcpy(iv_buffer, iv, GCM_IV_SIZE);
    //@ assert cs == append(enc_tag, enc_cont);
    //@ assert enc_cont == append(iv_cs, cg_cs);
    //@ public_crypto_chars(iv, GCM_IV_SIZE);
    //@ chars_to_secret_crypto_chars(iv, GCM_IV_SIZE);
    encrypted = iv + GCM_IV_SIZE;
    //@ crypto_chars_limits(encrypted);
    //@ crypto_chars_split(encrypted, GCM_MAC_SIZE);
    //@ assert [1/2]crypto_chars(secret, encrypted, GCM_MAC_SIZE, ?mac_cs);
    /*@ assert [1/2]crypto_chars(secret, encrypted + GCM_MAC_SIZE, 
                                 size, ?enc_cs); @*/
    //@ assert cg_cs == append(mac_cs, enc_cs);                             
    result->size = size;
    result->content = malloc(size);
    if (result->content == 0) abort_crypto_lib("Malloc failed");
    //@ assert result->content |-> ?r_cont &*& result->size |-> size;
    //@ if (col) enc_cg = chars_for_cg_sur(cg_cs, tag_auth_encrypted);
    //@ close exists(enc_cg);
    if (gcm_auth_decrypt(&gcm_context, (unsigned int) size,
                         iv_buffer, GCM_IV_SIZE, NULL, 0, encrypted, 
                         GCM_MAC_SIZE, encrypted + GCM_MAC_SIZE,
                         result->content) != 0)
      abort_crypto_lib("Gcm decryption failed");
    //@ assert crypto_chars(secret, r_cont, size, ?dec_cs);
    //@ assert col || enc_cg == cg_auth_encrypted(principal1, count1, dec_cs, iv_cs);
    //@ crypto_chars_join(encrypted);
    //@ crypto_chars_join(iv);
    //@ crypto_chars_join(i_cont);
    //@ open [1/2]hide_crypto_chars(_, i_cont, i_size, cs);
    //@ close item(item, enc, pub);
    gcm_free(&gcm_context);
    //@ open gcm_context(&gcm_context);
    zeroize(iv_buffer, GCM_IV_SIZE);
    //@ close [f]world(pub, key_clsfy);
    
    /*@ if (col)
        {
          crypto_chars_to_chars(r_cont, size);
          chars_to_crypto_chars(r_cont, size);
        }
        else
        {
          assert enc == symmetric_encrypted_item(principal1, count1,
                                                 pay, ent);
          assert enc_cg == cg_auth_encrypted(principal1, count1, 
                                             dec_cs, enc_iv);
          switch(pay)
          {
            case some(pay1):
              assert [_]item_constraints(pay1, dec_cs, pub);
            case none:
              open [_]ill_formed_item_chars(enc)(dec_cs);
              assert [_]public_generated(polarssl_pub(pub))(dec_cs);
              public_crypto_chars(r_cont, size);
              chars_to_crypto_chars(r_cont, size);
          }
        }
    @*/
    parse_item(result->content, size);
    /*@ if (col)
        {
          public_chars(r_cont, size);
          chars_to_secret_crypto_chars(r_cont, size);
          retreive_proof_obligations();
          deserialize_item(dec_cs, pub);
          leak proof_obligations(pub);
        }
    @*/
    //@ assert crypto_chars(secret, r_cont, size, dec_cs);
    //@ assert [_]item_constraints(?r, dec_cs, pub);
    //@ close item(result, r, pub);
  }

  debug_print("DECRYPTING RESULT:\n");
  print_item(result);

  return result;
}
Ejemplo n.º 23
0
int main(int argc, char **argv) //@ : main_full(main_app)
    //@ requires module(main_app, true);
    //@ ensures true;
{
  pthread_t a_thread;
  havege_state havege_state;
  
  printf("\n\tExecuting \"");
  printf("hmac protocol");
  printf("\" ... \n\n");
  
  //@ PROTOCOL_INIT(hmac)
  //@ int attacker = principal_create();
  //@ int sender = principal_create();
  //@ int receiver = principal_create();
  
  //@ close havege_state(&havege_state);
  havege_init(&havege_state);
  //@ assume (bad(attacker));
  //@ close pthread_run_pre(attacker_t)(NULL, some(attacker));
  pthread_create(&a_thread, NULL, &attacker_t, NULL);
  
  int i = 0;
#ifdef EXECUTE
  while (i++ < 10)
#else
  while (true)
#endif
    /*@ invariant [_]public_invar(hmac_pub) &*&
                  havege_state_initialized(&havege_state) &*&
                  principal(sender, ?count) &*& principal(receiver, _);
    @*/
  {
    //@ open principal(sender, _);
    char* key;
    int temp;
    
    //@ close random_request(sender, 0, true);
    key = malloc(KEY_SIZE);
    if (key == 0) abort();
    if (havege_random(&havege_state, key, KEY_SIZE) != 0) abort();
    //@ assume (shared_with(sender, count + 1) == receiver);
    //@ assert cryptogram(key, KEY_SIZE, ?cs_key, ?cg_key);
    //@ assert cg_key == cg_symmetric_key(sender, count + 1);
    {
      pthread_t s_thread, r_thread;

      struct hmac_args s_args;
      struct hmac_args r_args;
      char s_message[MESSAGE_SIZE];
      char r_message[MESSAGE_SIZE];
      
      //@ close random_request(sender, 0, false);
      if (havege_random(&havege_state, s_message, MESSAGE_SIZE) != 0) abort();
      //@ assert cryptogram(s_message, MESSAGE_SIZE, ?cs, ?cg);
      //@ close hmac_pub(cg);
      //@ leak hmac_pub(cg);
      //@ public_cryptogram(s_message, cg);
    
      //@ s_args.sender = sender;
      //@ s_args.receiver = receiver;
      s_args.key = key;
      s_args.message = s_message;
      
      //@ assume (send(sender, receiver, cs) == true);      
      //@ r_args.sender = sender;
      //@ r_args.receiver = receiver;
      r_args.key = key;
      r_args.message = r_message;
      
      //@ close principal(sender, _);
      //@ close pthread_run_pre(sender_t)(&s_args, ?s_data);
      //@ close pthread_run_pre(receiver_t)(&r_args, ?r_data);
      pthread_create(&r_thread, NULL, &receiver_t, &r_args);
      pthread_create(&s_thread, NULL, &sender_t, &s_args);
      
      pthread_join(s_thread, NULL);
      //@ open pthread_run_post(sender_t)(&s_args, s_data);
      pthread_join(r_thread, NULL);
      //@ open pthread_run_post(receiver_t)(&r_args, r_data);  
      //@ open [1/2]cryptogram(key, KEY_SIZE, cs_key, _);
      //@ open [1/2]cryptogram(key, KEY_SIZE, cs_key, _);
      
      //@ chars_to_crypto_chars(r_message, MESSAGE_SIZE);
      //@ chars_to_crypto_chars(s_message, MESSAGE_SIZE);
      //@ open principal(sender, _);
      if (memcmp(s_message, r_message, MESSAGE_SIZE) != 0)
        abort();
      //@ close principal(sender, _);
      printf(" |%i| ", i);
    }
    //@ assert malloc_block(key, KEY_SIZE);
    zeroize(key, KEY_SIZE);
    free((void*) key);
  }
  
  printf("\n\n\t\tDone\n");
  return 0;
}
Ejemplo n.º 24
0
struct item *symmetric_encryption(struct item *key, struct item *payload)
  /*@ requires [?f]world(?pub, ?key_clsfy) &*&
               principal(?principal1, ?count1) &*&
                 [_]pub(nonce_item(principal1, count1 + 1, 0)) &*&
               item(payload, ?pay, pub) &*& item(key, ?k, pub) &*&
                 k == symmetric_key_item(?principal2, ?count2); @*/
  /*@ ensures  [f]world(pub, key_clsfy) &*&
               principal(principal1, count1 + 2) &*&
               item(payload, pay, pub) &*& item(key, k, pub) &*&
               item(result, ?enc, pub) &*&
               col ? true :
                 enc == symmetric_encrypted_item(principal2, count2,
                                                 some(pay), ?ent); @*/
{
  //@ open [f]world(pub, key_clsfy);
  debug_print("ENCRYPTING:\n");
  print_item(payload);

  struct item* result;
  result = malloc(sizeof(struct item));
  if (result == 0) abort_crypto_lib("Malloc failed");

  {
    gcm_context gcm_context;
    char iv_buffer[GCM_IV_SIZE];
    char *iv;
    char *result_cs;
    char *encrypted;

    //@ open item(key, k, pub);
    //@ assert key->content |-> ?k_cont &*& key->size |-> ?k_size;
    check_valid_symmetric_key_item_size(key->size);
    //@ open [_]item_constraints(k, ?k_cs0, pub);
    //@ assert [_]ic_parts(k)(?k_tag, ?k_cs);
    //@ crypto_chars_limits(k_cont);
    //@ crypto_chars_split(k_cont, TAG_LENGTH);
    //@ WELL_FORMED(k_tag, k_cs, TAG_SYMMETRIC_KEY)
    //@ assert crypto_chars(secret, k_cont, TAG_LENGTH, k_tag);
    //@ assert crypto_chars(secret, k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs);
    //@ cryptogram k_cg = cg_symmetric_key(principal2, count2);
    //@ if (col) k_cg = chars_for_cg_sur(k_cs, tag_symmetric_key);
    //@ if (col) crypto_chars_to_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
    //@ if (col) public_chars_extract(k_cont + TAG_LENGTH, k_cg);
    //@ if (col) chars_to_secret_crypto_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
    //@ close cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
    //@ close gcm_context(&gcm_context);
    if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES, (key->content + TAG_LENGTH),
                (unsigned int) GCM_KEY_SIZE * 8) != 0)
      abort_crypto_lib("Init gcm failed");
    //@ assert gcm_context_initialized(&gcm_context, ?p, ?c);
    //@ assert col || (p == principal2 && c == count2);
    //@ open cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
    //@ crypto_chars_join(k_cont);
    //@ close item(key, k, pub);

    //@ open item(payload, pay, pub);
    //@ open [_]item_constraints(pay, ?pay_cs, pub);
    //@ assert payload->content |-> ?p_cont &*& payload->size |-> ?p_size;
    //@ crypto_chars_limits(p_cont);
    if (payload->size >= INT_MAX - TAG_LENGTH - GCM_IV_SIZE - GCM_MAC_SIZE ||
        payload->size < MINIMAL_STRING_SIZE)
      abort_crypto_lib("Gcm encryption failed: incorrect sizes");
    result->size = TAG_LENGTH + GCM_IV_SIZE + GCM_MAC_SIZE + payload->size;
    result->content = malloc(result->size);

    //@ assert result->content |-> ?r_cont &*& result->size |-> ?r_size;
    if (result->content == 0)
      abort_crypto_lib("Malloc failed");
    //@ chars_split(r_cont, TAG_LENGTH);
    write_tag(result->content, TAG_SYMMETRIC_ENC);
    //@ assert chars(r_cont, TAG_LENGTH, ?tag_cs);
    //@ public_chars(r_cont, TAG_LENGTH);
    //@ assert tag_cs == full_tag(TAG_SYMMETRIC_ENC);
    //@ assert chars(r_cont + TAG_LENGTH, GCM_IV_SIZE + p_size, _);
    //@ chars_split(r_cont + TAG_LENGTH, GCM_IV_SIZE);
    iv = result->content + TAG_LENGTH;
    //@ close nonce_request(principal1, 0);
    //@ close [f]world(pub, key_clsfy);
    create_havege_random(iv, GCM_IV_SIZE);
    //@ open cryptogram(iv, GCM_IV_SIZE, ?iv_cs, ?iv_cg);
    memcpy(iv_buffer, iv, GCM_IV_SIZE);
    //@ close cryptogram(iv, GCM_IV_SIZE, iv_cs, iv_cg);
    //@ close polarssl_pub(pub)(iv_cg);
    //@ leak polarssl_pub(pub)(iv_cg);
    //@ public_cryptogram(iv, iv_cg);
    //@ public_chars(iv, GCM_IV_SIZE);
    encrypted = iv + GCM_IV_SIZE;
    //@ chars_split(encrypted, GCM_MAC_SIZE);
    //@ open principal(principal1, count1 + 1);
    if (gcm_crypt_and_tag(&gcm_context, GCM_ENCRYPT,
                          (unsigned int) payload->size, iv_buffer, 
                          GCM_IV_SIZE, NULL, 0, payload->content, 
                          encrypted + GCM_MAC_SIZE,
                          GCM_MAC_SIZE, encrypted) != 0)
      abort_crypto_lib("Gcm encryption failed");
    //@ close principal(principal1, count1 + 2);
    zeroize(iv_buffer, GCM_IV_SIZE);
    //@ assert crypto_chars(secret, encrypted, GCM_MAC_SIZE, ?mac_cs);
    //@ assert crypto_chars(secret, encrypted + GCM_MAC_SIZE, p_size, ?enc_cs);
    //@ crypto_chars_join(encrypted);
    //@ assert exists(?enc_cg);
    //@ list<char> cg_cs = append(mac_cs, enc_cs);
    //@ assert cg_cs == chars_for_cg(enc_cg);
    //@ list<char> cont_cs = append(iv_cs, cg_cs);
    //@ take_append(GCM_IV_SIZE, iv_cs, cg_cs);
    //@ drop_append(GCM_IV_SIZE, iv_cs, cg_cs);
    //@ list<char> cs = append(tag_cs, cont_cs);
    //@ take_append(TAG_LENGTH, tag_cs, cont_cs);
    //@ drop_append(TAG_LENGTH, tag_cs, cont_cs);
    
    //@ item enc;
    //@ list<char> ent = append(iv_cs, iv_cs);
    //@ take_append(GCM_IV_SIZE, iv_cs, iv_cs);
    //@ drop_append(GCM_IV_SIZE, iv_cs, iv_cs);
    /*@ if (col)
        {
          enc_cg = chars_for_cg_sur(cg_cs, tag_auth_encrypted);
          assert enc_cg == cg_auth_encrypted(?p0, ?c0, ?pay0, ?iv0);
          ent = append(iv_cs, iv0);
          take_append(GCM_IV_SIZE, iv_cs, iv0);
          drop_append(GCM_IV_SIZE, iv_cs, iv0);
          enc = symmetric_encrypted_item(p0, c0, some(pay), ent);
          public_chars(encrypted, GCM_MAC_SIZE + p_size);
          assert chars(encrypted, GCM_MAC_SIZE + p_size, cg_cs);
          chars_join(iv);
          chars_join(r_cont);
          assert chars(r_cont, r_size, cs);
          public_chars(r_cont, r_size);
          public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH);
          close ic_sym_enc(enc)(iv0, cg_cs);
        }
        else
        {
          assert enc_cg == cg_auth_encrypted(principal2, count2, pay_cs, iv_cs);
          enc = symmetric_encrypted_item(principal2, count2, some(pay), ent);
          close polarssl_pub(pub)(cg_nonce(principal1, count1 + 1));
          leak  polarssl_pub(pub)(cg_nonce(principal1, count1 + 1));
          public_generated(polarssl_pub(pub), cg_nonce(principal1, count1 + 1));
          chars_to_secret_crypto_chars(iv, GCM_IV_SIZE);
          crypto_chars_join(iv);
          chars_to_secret_crypto_chars(r_cont, TAG_LENGTH);
          crypto_chars_join(r_cont);
          assert crypto_chars(secret, r_cont, r_size, cs);
          close ic_sym_enc(enc)(iv_cs, cg_cs);
        }
    @*/
    //@ well_formed_item_constraints(pay, enc);
    //@ close ic_cg(enc)(cg_cs, enc_cg);
    //@ close ic_parts(enc)(tag_cs, cont_cs);
    //@ WELL_FORMED(tag_cs, cont_cs, TAG_SYMMETRIC_ENC)
    //@ close item_constraints(enc, cs, pub);
    //@ leak item_constraints(enc, cs, pub);
    //@ close item(result, enc, pub);
    //@ close item(payload, pay, pub);
    gcm_free(&gcm_context);
    //@ open gcm_context(&gcm_context);
  }

  debug_print("ENCRYPTING RESULT:\n");
  print_item(result);

  return result;
}
Ejemplo n.º 25
0
struct item *asymmetric_encryption(struct item *key, struct item *payload)
  /*@ requires [?f]world(?pub, ?key_clsfy) &*&
               principal(?principal1, ?count1) &*&
               item(payload, ?pay, pub) &*& item(key, ?k, pub) &*&
               k == public_key_item(?principal2, ?count2); @*/
  /*@ ensures  [f]world(pub, key_clsfy) &*&
               principal(principal1, count1 + 1) &*&
               item(payload, pay, pub) &*& item(key, k, pub) &*&
               item(result, ?enc, pub) &*&
               col ? true :
                 enc == asymmetric_encrypted_item(principal2, count2,
                                                  some(pay), ?ent); @*/
{
  debug_print("ASYM ENCRYPTING:\n");
  print_item(payload);

  struct item* result;
  result = malloc(sizeof(struct item));
  if (result == 0) abort_crypto_lib("Malloc failed");

  {
    pk_context context;
    unsigned int olen;
    char output[MAX_PACKAGE_SIZE];

    // Key
    //@ close pk_context(&context);
    //@ open [f]world(pub, key_clsfy);
    pk_init(&context);
    //@ close [f]world(pub, key_clsfy);
    set_public_key(&context, key);
    //@ open [f]world(pub, key_clsfy);
    /*@ assert pk_context_with_key(&context, pk_public,
                                   ?principal, ?count, RSA_BIT_KEY_SIZE); @*/
    //@ assert col || principal == principal2;
    //@ assert col || count == count2;

    // Encryption
    //@ open item(payload, pay, pub);
    //@ assert [_]item_constraints(pay, ?pay_cs, pub);
    if (payload->size > RSA_KEY_SIZE)
      abort_crypto_lib("Asymmetric encryption failed: incorrect sizes");
    void *random_state = nonces_expose_state();
    //@ close random_state_predicate(havege_state_initialized);
    /*@ produce_function_pointer_chunk random_function(
                      asym_enc_havege_random_stub)
                     (havege_state_initialized)(state, out, len) { call(); } @*/
    //@ open principal(principal1, count1);
    if(pk_encrypt(&context, payload->content, (unsigned int) payload->size,
                  output, &olen, MAX_PACKAGE_SIZE,
                  asym_enc_havege_random_stub, random_state) != 0)
      abort_crypto_lib("Encryption failed");
    //@ close principal(principal1, count1 + 1);
    //@ open cryptogram(output, ?enc_length, ?enc_cs, ?enc_cg);
    //@ assert enc_cg == cg_asym_encrypted(principal, count, pay_cs, ?ent);
    //@ assert u_integer(&olen, enc_length);
    //@ assert enc_length > 0 &*& enc_length < MAX_PACKAGE_SIZE;
    //@ assert enc_length > 0 &*& enc_length <= RSA_SERIALIZED_KEY_SIZE;
    nonces_hide_state(random_state);
    //@ pk_release_context_with_key(&context);
    pk_free(&context);
    //@ open pk_context(&context);
    //@ close [f]world(pub, key_clsfy);

    // Create item
    result->size = TAG_LENGTH + (int) olen;
    result->content = malloc(result->size);
    if (result->content == 0) {abort_crypto_lib("Malloc failed");}
    write_tag(result->content, TAG_ASYMMETRIC_ENC);
    //@ assert result->content |-> ?cont &*& result->size |-> ?size;
    if (olen < MINIMAL_STRING_SIZE) {abort_crypto_lib("Asymmetric encryption failed: to small");}
    memcpy(result->content + TAG_LENGTH, output, olen);
    //@ assert chars(cont, TAG_LENGTH, ?cs_tag);
    //@ public_chars(cont, TAG_LENGTH);
    //@ chars_to_secret_crypto_chars(cont, TAG_LENGTH);
    //@ assert cs_tag == full_tag(TAG_ASYMMETRIC_ENC);
    //@ crypto_chars_join(cont);

    //@ item enc = asymmetric_encrypted_item(principal, count, some(pay), ent);
    //@ list<char> cs = append(cs_tag, enc_cs);
    //@ WELL_FORMED(cs_tag, enc_cs, TAG_ASYMMETRIC_ENC)
    //@ close ic_parts(enc)(cs_tag, enc_cs);
    //@ close ic_cg(enc)(enc_cs, enc_cg);
    /*@ if (col)
      {
        crypto_chars_to_chars(cont, size);
        public_chars(cont, size);
        chars_to_secret_crypto_chars(cont, size);
        public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH);
      }
    @*/
    //@ well_formed_item_constraints(pay, enc);
    //@ close item_constraints(enc, cs, pub);
    //@ leak item_constraints(enc, cs, pub);
    //@ close item(result, enc, pub);
    zeroize(output, (int) olen);
    //@ chars_join(output);
    //@ close item(payload, pay, pub);
  }

  debug_print("ENCRYPTING RESULT:\n");
  print_item(result);

  return result;
}
Ejemplo n.º 26
0
    void GxEngine::initEngine(int samplingFreq)
    {
      // initialize all variables for audio, midi and interface
      fSamplingFreq = samplingFreq;

      //----- tone
      fslider_tone0 = 0.0f;
      fConst_tone0 = (15079.645508f / fSamplingFreq);
      fConst_tone1 = cosf(fConst_tone0);
      fConst_tone2 = (1.414214f * sinf(fConst_tone0));
      fslider_tone1 = 0.0f;
      fConst_tone3 = (3769.911377f / fSamplingFreq);
      fConst_tone4 = cosf(fConst_tone3);
      fConst_tone5 = (1.414214f * sinf(fConst_tone3));
      fslider_tone2 = 0.0f;
      zeroize(fVec_tone0, 3);
      zeroize(fRec_tone3, 3);
      zeroize(fRec_tone2, 3);
      zeroize(fRec_tone1, 3);
      zeroize(fRec_tone0, 3);
      // tone end
      zeroize(fVec_ltone0, 3);
      zeroize(fRec_ltone3, 3);
      zeroize(fRec_ltone2, 3);
      zeroize(fRec_ltone1, 3);
      zeroize(fRec_ltone0, 3);
      // engine state
      checky = (float)kEngineOn;
      fslider17 = 0.0f;
      zeroize(fRec46, 2);
      zeroize(fRec47, 2);

      fslider24 = 0.0f;
      fslider25 = 0.0f;
      // lets init the variables for the tonesettings
      fSlow_mid_tone = (fslider_tone1*0.5);
      fSlow_tone0  = powf(10, (2.500000e-02f * (fslider_tone0- fSlow_mid_tone)));
      fSlow_tone1  = (1 + fSlow_tone0);
      fSlow_tone2  = (fConst_tone1 * fSlow_tone1);
      fSlow_tone3  = (2 * (0 - ((1 + fSlow_tone2) - fSlow_tone0)));
      fSlow_tone4  = (fConst_tone1 * (fSlow_tone0 - 1));
      fSlow_tone5  = (fConst_tone2 * sqrtf(fSlow_tone0));
      fSlow_tone6  = (fSlow_tone1 - (fSlow_tone5 + fSlow_tone4));
      fSlow_tone7  = powf(10, (2.500000e-02f * fSlow_mid_tone));
      fSlow_tone8  = (1 + fSlow_tone7);
      fSlow_tone9  = (fConst_tone4 * fSlow_tone8);
      fSlow_tone10 = (2 * (0 - ((1 + fSlow_tone9) - fSlow_tone7)));
      fSlow_tone11 = (fSlow_tone7 - 1);
      fSlow_tone12 = (fConst_tone4 * fSlow_tone11);
      fSlow_tone13 = sqrtf(fSlow_tone7);
      fSlow_tone14 = (fConst_tone5 * fSlow_tone13);
      fSlow_tone15 = (fSlow_tone8 - (fSlow_tone14 + fSlow_tone12));
      fSlow_tone16 = (fConst_tone1 * fSlow_tone8);
      fSlow_tone17 = (0 - (2 * ((fSlow_tone7 + fSlow_tone16) - 1)));
      fSlow_tone18 = (fConst_tone2 * fSlow_tone13);
      fSlow_tone19 = (fConst_tone1 * fSlow_tone11);
      fSlow_tone20 = ((1 + (fSlow_tone7 + fSlow_tone19)) - fSlow_tone18);
      fSlow_tone21 = powf(10, (2.500000e-02f * (fslider_tone2-fSlow_mid_tone)));
      fSlow_tone22 = (1 + fSlow_tone21);
      fSlow_tone23 = (fConst_tone4 * fSlow_tone22);
      fSlow_tone24 = (0 - (2 * ((fSlow_tone21 + fSlow_tone23) - 1)));
      fSlow_tone25 = (fConst_tone5 * sqrtf(fSlow_tone21));
      fSlow_tone26 = (fConst_tone4 * (fSlow_tone21 - 1));
      fSlow_tone27 = ((1 + (fSlow_tone21 + fSlow_tone26)) - fSlow_tone25);
      fSlow_tone28 = (2 * (0 - ((1 + fSlow_tone23) - fSlow_tone21)));
      fSlow_tone29 = (fSlow_tone21 + fSlow_tone25);
      fSlow_tone30 = ((1 + fSlow_tone29) - fSlow_tone26);
      fSlow_tone31 = (fSlow_tone22 - (fSlow_tone25 + fSlow_tone26));
      fSlow_tone32 = (1.0f / (1 + (fSlow_tone26 + fSlow_tone29)));
      fSlow_tone33 = (fSlow_tone8 - (fSlow_tone18 + fSlow_tone19));
      fSlow_tone34 = (2 * (0 - ((1 + fSlow_tone16) - fSlow_tone7)));
      fSlow_tone35 = (fSlow_tone7 + fSlow_tone18);
      fSlow_tone36 = ((1 + fSlow_tone35) - fSlow_tone19);
      fSlow_tone37 = (1.0f / (1 + (fSlow_tone19 + fSlow_tone35)));
      fSlow_tone38 = (fSlow_tone7 * ((1 + (fSlow_tone7 + fSlow_tone12)) - fSlow_tone14));
      fSlow_tone39 = (fSlow_tone7 + fSlow_tone14);
      fSlow_tone40 = (fSlow_tone7 * (1 + (fSlow_tone12 + fSlow_tone39)));
      fSlow_tone41 = (((fSlow_tone7 + fSlow_tone9) - 1) * (0 - (2 * fSlow_tone7)));
      fSlow_tone42 = (1.0f / ((1 + fSlow_tone39) - fSlow_tone12));
      fSlow_tone43 = (fSlow_tone0 * ((1 + (fSlow_tone0 + fSlow_tone4)) - fSlow_tone5));
      fSlow_tone44 = (fSlow_tone0 + fSlow_tone5);
      fSlow_tone45 = (fSlow_tone0 * (1 + (fSlow_tone4 + fSlow_tone44)));
      fSlow_tone46 = (((fSlow_tone0 + fSlow_tone2) - 1) * (0 - (2 * fSlow_tone0)));
      fSlow_tone47 = (1.0f / ((1 + fSlow_tone44) - fSlow_tone4));

      fslider_tone_check = (fslider_tone1+fslider_tone0+fslider_tone2)*100;
      fslider_tone_check1 = 0;

      gx_jconv::checkbox7 = 1.0;
      fjc_ingain = 0;
      zeroize(fRecinjc, 2);
      zeroize(fRecinjcr, 2);
      IOTAdel = 0;
      zeroize(fVecdel0,262144);
      fsliderdel0 = 0.0f;
      fConstdel0 = (1.000000e-03f * fSamplingFreq);
      zeroize(fVecdel1,262144);
      fsliderdel1 = 0.0f;
      fjc_ingain1 = 0.0f;
      filebutton = 0;
      fwarn = 0;
      // end engine init
    }