void HMACSHA256Init(HMACSHA256CTX* context, const uint8_t* key, size_t key_length) { size_t i; uint8_t pad[SHA256_BLOCK_LENGTH]; uint8_t key_hash[SHA256_DIGEST_LENGTH]; if (key_length > SHA256_BLOCK_LENGTH) { SHA256Init(&context->ictx); SHA256Update(&context->ictx, key, key_length); SHA256Final(&context->ictx, key_hash); key = key_hash; key_length = SHA256_DIGEST_LENGTH; } SHA256Init(&context->ictx); memset(pad, 0x36, SHA256_BLOCK_LENGTH); for (i = 0; i < key_length; i++) pad[i] ^= key[i]; SHA256Update(&context->ictx, pad, SHA256_BLOCK_LENGTH); SHA256Init(&context->octx); memset(pad, 0x5c, SHA256_BLOCK_LENGTH); for (i = 0; i < key_length; i++) pad[i] ^= key[i]; SHA256Update(&context->octx, pad, SHA256_BLOCK_LENGTH); zeroize((void*)key_hash, sizeof key_hash); }
void RMD160Final(RMD160CTX* context, uint8_t digest[RMD160_DIGEST_LENGTH]) { int i; RMD160Pad(context); for (i = 0; i < 5; i++) { PUT_32BIT_LE(digest + i * 4, context->state[i]); } zeroize(context, sizeof *context); }
void HMACSHA256Final(HMACSHA256CTX* context, uint8_t digest[HMACSHA256_DIGEST_LENGTH]) { uint8_t hash[HMACSHA256_DIGEST_LENGTH]; SHA256Final(&context->ictx, hash); SHA256Update(&context->octx, hash, HMACSHA256_DIGEST_LENGTH); SHA256Final(&context->octx, digest); zeroize((void*)hash, sizeof hash); }
int xed25519_sign(unsigned char* signature_out, const unsigned char* curve25519_privkey, const unsigned char* msg, const unsigned long msg_len, const unsigned char* random) { unsigned char a[32], aneg[32]; unsigned char A[32]; ge_p3 ed_pubkey_point; unsigned char *sigbuf; /* working buffer */ unsigned char sign_bit = 0; if ((sigbuf = malloc(msg_len + 128)) == 0) { memset(signature_out, 0, 64); return -1; } /* Convert the Curve25519 privkey to an Ed25519 public key */ ge_scalarmult_base(&ed_pubkey_point, curve25519_privkey); ge_p3_tobytes(A, &ed_pubkey_point); /* Force Edwards sign bit to zero */ sign_bit = (A[31] & 0x80) >> 7; memcpy(a, curve25519_privkey, 32); sc_neg(aneg, a); sc_cmov(a, aneg, sign_bit); A[31] &= 0x7F; /* Perform an Ed25519 signature with explicit private key */ crypto_sign_modified(sigbuf, msg, msg_len, a, A, random); memmove(signature_out, sigbuf, 64); zeroize(a, 32); zeroize(aneg, 32); free(sigbuf); return 0; }
/* NEW: Compare to pristine crypto_sign() Uses explicit private key for nonce derivation and as scalar, instead of deriving both from a master key. */ int crypto_sign_modified( unsigned char *sm, const unsigned char *m,unsigned long long mlen, const unsigned char *sk, const unsigned char* pk, const unsigned char* random ) { unsigned char nonce[64]; unsigned char hram[64]; ge_p3 R; int count=0; memmove(sm + 64,m,mlen); memmove(sm + 32,sk,32); /* NEW: Use privkey directly for nonce derivation */ /* NEW : add prefix to separate hash uses - see .h */ sm[0] = 0xFE; for (count = 1; count < 32; count++) sm[count] = 0xFF; /* NEW: add suffix of random data */ memmove(sm + mlen + 64, random, 64); crypto_hash_sha512(nonce,sm,mlen + 128); memmove(sm + 32,pk,32); sc_reduce(nonce); ge_scalarmult_base(&R,nonce); ge_p3_tobytes(sm,&R); crypto_hash_sha512(hram,sm,mlen + 64); sc_reduce(hram); sc_muladd(sm + 32,hram,sk,nonce); /* NEW: Use privkey directly */ /* NEW: Try to erase any traces of privkey or nonce left in the stack from sc_muladd. */ zeroize_stack(); zeroize(nonce, 64); return 0; }
void receiver_msg1(int* socket, havege_state* havege_state, pk_context* r_context, int sender, int receiver, char* s_nonce) /*@ requires GENERAL_PRE(receiver) &*& pk_context_with_key(r_context, pk_private, receiver, ?r_id, 8 * KEY_SIZE) &*& chars(s_nonce, NONCE_SIZE, _); @*/ /*@ ensures GENERAL_POST(receiver) &*& pk_context_with_key(r_context, pk_private, receiver, r_id, 8 * KEY_SIZE) &*& RECEIVER_INTER; @*/ { //@ open principal(receiver, _); unsigned int size; char message[MSG1_SIZE]; char encrypted[KEY_SIZE]; // Receive the message net_recv(socket, encrypted, KEY_SIZE); //@ assert chars(encrypted, KEY_SIZE, ?enc_cs); //@ interpret_asym_encrypted(encrypted, KEY_SIZE); //@ assert cryptogram(encrypted, KEY_SIZE, ?enc_ccs, ?enc_cg); //@ assert enc_cg == cg_asym_encrypted(?p, ?c, ?pay, ?ent); // Decrypt the message /*@ produce_function_pointer_chunk random_function(random_stub_nsl) (havege_state_initialized)(state, out, len) { call(); } @*/ //@ close random_state_predicate(havege_state_initialized); //@ structure st = known_value(0, cs_to_ccs(identifier(sender))); //@ close decryption_pre(false, false, receiver, st, enc_ccs); if (pk_decrypt(r_context, encrypted, KEY_SIZE, message, &size, MSG1_SIZE, random_stub_nsl, havege_state) != 0) abort(); if (size != MSG1_SIZE) abort(); //@ assert u_integer(&size, MSG1_SIZE); //@ assert crypto_chars(?kind, message, MSG1_SIZE, ?dec_ccs); /*@ open decryption_post(false, ?garbage, receiver, st, receiver, r_id, dec_ccs); @*/ //@ crypto_chars_split(message, ID_SIZE); //@ assert crypto_chars(kind, message, ID_SIZE, ?id_ccs); /*@ assert crypto_chars(kind, (void*) message + ID_SIZE, NONCE_SIZE, ?s_nonce_ccs); @*/ //@ assert dec_ccs == append(id_ccs, s_nonce_ccs); //@ open [_]nsl_pub(enc_cg); //@ assert [_]nsl_pub_msg_sender(?p_instigator2); /*@ if (col || garbage) { crypto_chars_to_chars(message, ID_SIZE); } else { if (bad(receiver) || bad(p_instigator2)) { assert [_]public_ccs(dec_ccs); public_ccs_split(dec_ccs, ID_SIZE); } else { assert [_]nsl_pub_msg1(_, _, ?s_nonce_cg); take_append(ID_SIZE, cs_to_ccs(identifier(p_instigator2)), ccs_for_cg(s_nonce_cg)); drop_append(ID_SIZE, cs_to_ccs(identifier(p_instigator2)), ccs_for_cg(s_nonce_cg)); } public_crypto_chars(message, ID_SIZE); } @*/ //@ chars_to_crypto_chars(message, ID_SIZE); /*@ close check_identifier_ghost_args(false, garbage, receiver, r_id, s_nonce_ccs); @*/ check_identifier(message, sender); //@ assert id_ccs == cs_to_ccs(identifier(sender)); memcpy(s_nonce, (void*) message + ID_SIZE, NONCE_SIZE); // Interpret message //@ cryptogram s_nonce_cg; //@ int p_inst; /*@ if (!col && !garbage) { p_inst = p_instigator2; if (bad(p_inst) || bad(receiver)) { public_crypto_chars(s_nonce, NONCE_SIZE); chars_to_crypto_chars(s_nonce, NONCE_SIZE); crypto_chars_to_chars(message, ID_SIZE); chars_to_crypto_chars(message, ID_SIZE); public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE); chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE); } else { assert [_]nsl_pub_msg1(p_inst, receiver, ?s_nonce_cg2); s_nonce_cg = s_nonce_cg2; assert s_nonce_cg == cg_nonce(p_inst, _); s_nonce_ccs = ccs_for_cg(s_nonce_cg); assert dec_ccs == append(cs_to_ccs(identifier(p_inst)), s_nonce_ccs); take_append(ID_SIZE, cs_to_ccs(identifier(p_inst)), s_nonce_ccs); drop_append(ID_SIZE, cs_to_ccs(identifier(p_inst)), s_nonce_ccs); cs_to_ccs_inj(identifier(p_inst), identifier(sender)); assert identifier(p_inst) == identifier(sender); equal_identifiers(p_inst, sender); close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); } } else { crypto_chars_to_chars(s_nonce, NONCE_SIZE); chars_to_crypto_chars(s_nonce, NONCE_SIZE); } @*/ //@ close receiver_inter(p, c, p_inst, s_nonce_ccs, s_nonce_cg); //@ crypto_chars_to_chars(message, ID_SIZE); zeroize((void*) message + ID_SIZE, NONCE_SIZE); //@ public_cryptogram(encrypted, enc_cg); //@ close principal(receiver, _); }
void sender_msg1(int* socket, havege_state* havege_state, pk_context* r_context, int sender, char* s_nonce) /*@ requires GENERAL_PRE(sender) &*& pk_context_with_key(r_context, pk_public, ?receiver, ?r_id, 8 * KEY_SIZE) &*& cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*& s_nonce_cg == cg_nonce(sender, _) &*& cg_info(s_nonce_cg) == int_pair(1, int_pair(receiver, r_id)); @*/ /*@ ensures GENERAL_POST(sender) &*& pk_context_with_key(r_context, pk_public, receiver, r_id, 8 * KEY_SIZE) &*& cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); @*/ { //@ open principal(sender, _); unsigned int size; char message[MSG1_SIZE]; char encrypted[KEY_SIZE]; // Construct the message write_identifier(message, sender); //@ list<crypto_char> sid_ccs = cs_to_ccs(identifier(sender)); //@ assert crypto_chars(normal, message, ID_SIZE, sid_ccs); //@ cs_to_ccs_crypto_chars(message, identifier(sender)); //@ public_chars(message, ID_SIZE); //@ chars_to_secret_crypto_chars(message, ID_SIZE); //@ open cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); memcpy((void*) message + ID_SIZE, s_nonce, NONCE_SIZE); //@ crypto_chars_join(message); //@ list<crypto_char> msg1 = append(sid_ccs, s_nonce_ccs); //@ assert crypto_chars(secret, message, MSG1_SIZE, msg1); // Encrypt the message /*@ produce_function_pointer_chunk random_function(random_stub_nsl) (havege_state_initialized)(state, out, len) { call(); } @*/ //@ close random_state_predicate(havege_state_initialized); if (pk_encrypt(r_context, message, MSG1_SIZE, encrypted, &size, KEY_SIZE, random_stub_nsl, havege_state) != 0) abort(); //@ assert u_integer(&size, ?size_val); //@ assert cryptogram(encrypted, size_val, ?cs_enc, ?cg_enc); // Proof the message is public //@ take_append(ID_SIZE, sid_ccs, s_nonce_ccs); //@ drop_append(ID_SIZE, sid_ccs, s_nonce_ccs); //@ close nsl_pub_msg_sender(sender); //@ leak nsl_pub_msg_sender(sender); /*@ if (col || bad(sender) || bad(receiver)) { assert crypto_chars(secret, message, MSG1_SIZE, msg1); crypto_chars_split(message, ID_SIZE); public_crypto_chars(message, ID_SIZE); assert chars(message, ID_SIZE, ?sid_cs); cs_to_ccs_inj(sid_cs, identifier(sender)); assert chars(message, ID_SIZE, identifier(sender)); close nsl_pub(s_nonce_cg); leak nsl_pub(s_nonce_cg); close cryptogram((void*) message + ID_SIZE, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); public_cryptogram((void*) message + ID_SIZE, s_nonce_cg); assert chars((void*) message + ID_SIZE, NONCE_SIZE, ?s_nonce_cs'); cs_to_ccs_append(identifier(sender), s_nonce_cs'); chars_join(message); public_chars(message, MSG1_SIZE); chars_to_crypto_chars(message, MSG1_SIZE); } else { close nsl_pub_msg1(sender, receiver, s_nonce_cg); } @*/ //@ close nsl_pub(cg_enc); //@ leak nsl_pub(cg_enc); //@ public_cryptogram(encrypted, cg_enc); // Send the message net_send(socket, encrypted, size); zeroize(message, MSG1_SIZE); //@ close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); //@ close principal(sender, _); }
void sender_msg2(int* socket, havege_state* havege_state, pk_context* s_context, int sender, int recvr, char* s_nonce, char* r_nonce) /*@ requires GENERAL_PRE(sender) &*& pk_context_with_key(s_context, pk_private, sender, ?s_id, 8 * KEY_SIZE) &*& pk_context_with_key(?r_context, pk_public, recvr, ?r_id, 8 * KEY_SIZE) &*& cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*& s_nonce_cg == cg_nonce(sender, _) &*& cg_info(s_nonce_cg) == int_pair(1, int_pair(recvr, r_id)) &*& chars(r_nonce, NONCE_SIZE, _); @*/ /*@ ensures GENERAL_POST(sender) &*& pk_context_with_key(s_context, pk_private, sender, s_id, 8 * KEY_SIZE) &*& pk_context_with_key(r_context, pk_public, recvr, r_id, 8 * KEY_SIZE) &*& cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg) &*& SENDER_INTER; @*/ { //@ open principal(sender, _); unsigned int size; char message[MSG2_SIZE]; char encrypted[KEY_SIZE]; // Receive the message net_recv(socket, encrypted, KEY_SIZE); //@ assert chars(encrypted, KEY_SIZE, ?enc_cs); //@ interpret_asym_encrypted(encrypted, KEY_SIZE); //@ assert cryptogram(encrypted, KEY_SIZE, ?enc_ccs, ?enc_cg); // Decrypt the message /*@ produce_function_pointer_chunk random_function(random_stub_nsl) (havege_state_initialized)(state, out, len) { call(); } @*/ //@ close random_state_predicate(havege_state_initialized); //@ structure st = known_value(0, cs_to_ccs(identifier(recvr))); //@ close decryption_pre(false, false, sender, st, enc_ccs); if (pk_decrypt(s_context, encrypted, KEY_SIZE, message, &size, MSG2_SIZE, random_stub_nsl, havege_state) != 0) abort(); if (size != MSG2_SIZE) abort(); //@ public_cryptogram(encrypted, enc_cg); //@ assert enc_cg == cg_asym_encrypted(?p, ?c, ?pay, ?ent); //@ assert u_integer(&size, MSG2_SIZE); /*@ open decryption_post(false, ?garbage, sender, st, sender, s_id, ?dec_ccs); @*/ //@ assert crypto_chars(?kind, message, MSG2_SIZE, dec_ccs); //@ crypto_chars_split(message, ID_SIZE); //@ crypto_chars_split((void*) message + ID_SIZE, NONCE_SIZE); //@ assert crypto_chars(kind, message, ID_SIZE, ?id_ccs); //@ assert crypto_chars(kind, (void*) message + ID_SIZE, NONCE_SIZE, ?s_ccs); /*@ assert crypto_chars(kind, (void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE, ?r_ccs); @*/ //@ append_assoc(id_ccs, s_ccs, r_ccs); //@ take_append(ID_SIZE, id_ccs, append(s_ccs, r_ccs)); //@ drop_append(ID_SIZE, id_ccs, append(s_ccs, r_ccs)); //@ take_append(NONCE_SIZE, s_ccs, r_ccs); //@ drop_append(NONCE_SIZE, s_ccs, r_ccs); // Interpret the message //@ open [_]nsl_pub(enc_cg); //@ assert [_]nsl_pub_msg_sender(?recvr2); /*@ if (col || garbage) { crypto_chars_to_chars(message, ID_SIZE); crypto_chars_to_chars((void*) message + ID_SIZE, NONCE_SIZE); chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE); crypto_chars_to_chars((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE); chars_to_crypto_chars((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE); } else { if (bad(sender) || bad(recvr2)) { assert [_]public_ccs(dec_ccs); public_ccs_split(dec_ccs, ID_SIZE); public_ccs_split(append(s_ccs, r_ccs), NONCE_SIZE); public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE); chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE); } else { assert [_]nsl_pub_msg2(sender, recvr2, ?s_nonce_cg2, ?s_nonce_ccs2, ?r_nonce_cg, _, _, _, ?pub_ns); take_append(ID_SIZE, cs_to_ccs(identifier(recvr2)), append(s_nonce_ccs2, ccs_for_cg(r_nonce_cg))); drop_append(ID_SIZE, cs_to_ccs(identifier(recvr2)), append(s_nonce_ccs2, ccs_for_cg(r_nonce_cg))); take_append(NONCE_SIZE, s_nonce_ccs2, ccs_for_cg(r_nonce_cg)); drop_append(NONCE_SIZE, s_nonce_ccs2, ccs_for_cg(r_nonce_cg)); if (pub_ns) { public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE); chars_to_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE); } else { close memcmp_secret((void*) message + ID_SIZE, NONCE_SIZE, ccs_for_cg(s_nonce_cg2), s_nonce_cg2); } } public_crypto_chars(message, ID_SIZE); } @*/ //@ chars_to_crypto_chars(message, ID_SIZE); /*@ close check_identifier_ghost_args(false, garbage, sender, s_id, append(s_ccs, r_ccs)); @*/ check_identifier(message, recvr); //@ open cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); //@ close memcmp_secret(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); if (memcmp((void*) message + ID_SIZE, s_nonce, NONCE_SIZE) != 0) abort(); memcpy(r_nonce, (void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE); //@ assert id_ccs == cs_to_ccs(identifier(recvr)); //@ assert s_ccs == s_nonce_ccs; //@ cryptogram r_nonce_cg = ccs_for_cg_sur(r_ccs, tag_nonce); //@ close sender_inter(r_ccs, r_nonce_cg); /*@ if (!col && !garbage) { if (bad(sender) || bad(recvr2)) { assert [_]public_ccs(dec_ccs); public_ccs_split(dec_ccs, ID_SIZE); public_ccs_split(append(s_nonce_ccs, r_ccs), NONCE_SIZE); public_crypto_chars(r_nonce, NONCE_SIZE); chars_to_crypto_chars(r_nonce, NONCE_SIZE); public_ccs_cg(s_nonce_cg); open [_]nsl_pub(s_nonce_cg); crypto_chars_to_chars((void*) message + ID_SIZE, NONCE_SIZE); chars_to_secret_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE); } else { assert dec_ccs == pay; assert sender == p; assert s_id == c; assert [_]nsl_pub_msg2(sender, recvr2, ?s_nonce_cg2, ?s_nonce_ccs2, ?r_nonce_cg2, ?p_inst, ?p2, ?c2, ?pub_ns); cs_to_ccs_inj(identifier(recvr2), identifier(recvr)); assert identifier(recvr) == identifier(recvr2); equal_identifiers(recvr, recvr2); if (pub_ns) { public_ccs_cg(s_nonce_cg); open [_]nsl_pub(s_nonce_cg); assert false; } ccs_for_cg_inj(r_nonce_cg2, r_nonce_cg); close cryptogram(r_nonce, NONCE_SIZE, r_ccs, r_nonce_cg2); ccs_for_cg_inj(s_nonce_cg, s_nonce_cg2); assert c2 == r_id; } } @*/ //@ close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); //@ crypto_chars_join((void*) message + ID_SIZE); zeroize((void*) message + ID_SIZE, 2 * NONCE_SIZE); //@ crypto_chars_to_chars(message, ID_SIZE); //@ chars_join(message); //@ close principal(sender, _); }
void sender_msg3(int* socket, havege_state* havege_state, pk_context* r_context, int sender, char* r_nonce) /*@ requires GENERAL_PRE(sender) &*& pk_context_with_key(r_context, pk_public, ?recvr, ?r_id, 8 * KEY_SIZE) &*& SENDER_INTER; @*/ /*@ ensures GENERAL_POST(sender) &*& pk_context_with_key(r_context, pk_public, recvr, r_id, 8 * KEY_SIZE) &*& col || bad(sender) || bad(recvr) ? chars(r_nonce, NONCE_SIZE, ?r_nonce_cs) &*& r_nonce_ccs == cs_to_ccs(r_nonce_cs) : cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); @*/ { //@ open principal(sender, _); unsigned int size; char message[MSG3_SIZE]; char encrypted[KEY_SIZE]; // Construct the message //@ open sender_inter(r_nonce_ccs, r_nonce_cg); //@ bool condition = col || bad(sender) || bad(recvr); /*@ if (!condition) open cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); else { crypto_chars_to_chars(r_nonce, NONCE_SIZE); public_chars(r_nonce, NONCE_SIZE); chars_to_secret_crypto_chars(r_nonce, NONCE_SIZE); } @*/ memcpy((void*) message, r_nonce, NONCE_SIZE); /*@ if (!condition) close cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); else public_crypto_chars(r_nonce, NONCE_SIZE); @*/ // Encrypt the message /*@ produce_function_pointer_chunk random_function(random_stub_nsl) (havege_state_initialized)(state, out, len) { call(); } @*/ //@ close random_state_predicate(havege_state_initialized); if (pk_encrypt(r_context, message, MSG3_SIZE, encrypted, &size, KEY_SIZE, random_stub_nsl, havege_state) != 0) abort(); //@ assert u_integer(&size, ?size_val); //@ assert cryptogram(encrypted, size_val, ?cs_enc, ?cg_enc); // Proof the message is public //@ close nsl_pub_msg_sender(sender); //@ leak nsl_pub_msg_sender(sender); //@ if (!condition) close nsl_pub_msg3(sender, recvr, r_nonce_cg); //@ close nsl_pub(cg_enc); //@ leak nsl_pub(cg_enc); //@ public_cryptogram(encrypted, cg_enc); // Send the message net_send(socket, encrypted, size); zeroize(message, MSG3_SIZE); //@ close principal(sender, _); }
struct item *asymmetric_decryption(struct item *key, struct item *item, char tag) /*@ requires [?f]world(?pub, ?key_clsfy) &*& true == valid_tag(tag) &*& principal(?principal1, ?count1) &*& item(item, ?enc, pub) &*& item(key, ?k, pub) &*& enc == asymmetric_encrypted_item(?principal2, ?count2, ?pay, ?ent) &*& k == private_key_item(?principal3, ?count3); @*/ /*@ ensures [f]world(pub, key_clsfy) &*& principal(principal1, count1 + 1) &*& item(item, enc, pub) &*& item(key, k, pub) &*& item(result, ?dec, pub) &*& tag_for_item(dec) == tag &*& col ? [_]pub(dec) : principal2 != principal3 || count2 != count3 ? true == key_clsfy(principal3, count3, false) &*& [_]pub(dec) : switch(pay) { case some(dec2): return dec == dec2; case none: return false; }; @*/ { struct item* result = 0; debug_print("DECRYPTING:\n"); print_item(item); check_is_asymmetric_encrypted(item); { pk_context context; unsigned int olen; char output[MAX_PACKAGE_SIZE]; // Key //@ close pk_context(&context); //@ open [f]world(pub, key_clsfy); pk_init(&context); //@ close [f]world(pub, key_clsfy); set_private_key(&context, key); //@ open [f]world(pub, key_clsfy); /*@ assert pk_context_with_key(&context, pk_private, ?principal, ?count, RSA_BIT_KEY_SIZE); @*/ // Decryption //@ open item(item, enc, pub); /*@ assert enc == asymmetric_encrypted_item(principal2, count2, pay, ent); @*/ //@ open [_]item_constraints(enc, ?enc_cs, pub); //@ assert [_]ic_parts(enc)(?enc_tag, ?enc_cont); //@ assert enc_cs == append(enc_tag, enc_cont); //@ open [_]ic_cg(enc)(_, ?enc_cg); //@ assert enc_cg == cg_asym_encrypted(principal2, count2, ?cs_pay, ent); if (item->size - TAG_LENGTH > RSA_KEY_SIZE || item->size - TAG_LENGTH < MINIMAL_STRING_SIZE) abort_crypto_lib("Asymmetric decryption failed: incorrect sizes"); //@ assert item->content |-> ?i_cont &*& item->size |-> ?i_size; //@ crypto_chars_split(i_cont, TAG_LENGTH); //@ drop_append(TAG_LENGTH, enc_tag, enc_cont); //@ assert crypto_chars(secret, i_cont + TAG_LENGTH, i_size - TAG_LENGTH, enc_cont); //@ if (col) enc_cg = chars_for_cg_sur(enc_cont, tag_asym_encrypted); //@ if (col) public_crypto_chars_extract(i_cont + TAG_LENGTH, enc_cg); //@ close cryptogram(i_cont + TAG_LENGTH, i_size - TAG_LENGTH, enc_cont, enc_cg); void *random_state = nonces_expose_state(); //@ close random_state_predicate(havege_state_initialized); /*@ produce_function_pointer_chunk random_function( asym_enc_havege_random_stub) (havege_state_initialized)(state, out, len) { call(); } @*/ //@ open principal(principal1, count1); //@ structure s = known_value(0, full_tag(tag)); //@ close decryption_pre(false, false, principal1, s, enc_cont); if(pk_decrypt(&context, item->content + TAG_LENGTH, (unsigned int) item->size - TAG_LENGTH, output, &olen, MAX_PACKAGE_SIZE, asym_enc_havege_random_stub, random_state) != 0) abort_crypto_lib("Decryption failed"); /*@ open decryption_post(false, ?garbage, principal1, s, ?p_key, ?c_key, ?cs_out); @*/ //@ assert u_integer(&olen, ?size_out); //@ pk_release_context_with_key(&context); //@ open cryptogram(i_cont + TAG_LENGTH, i_size - TAG_LENGTH, enc_cont, enc_cg); pk_free(&context); //@ open pk_context(&context); nonces_hide_state(random_state); //@ assert chars((void*)output + size_out, MAX_PACKAGE_SIZE - size_out, ?cs_rest); result = malloc(sizeof(struct item)); if (result == 0) {abort_crypto_lib("Malloc failed");} result->size = (int) olen; if ((int) olen <= MINIMAL_STRING_SIZE) abort_crypto_lib("Decryption: Incorrect size"); result->content = malloc(result->size); if (result->content == 0) {abort_crypto_lib("Malloc failed");} //@ close [f]world(pub, key_clsfy); //@ assert u_integer(&olen, ?olen_val); //@ assert crypto_chars(_, output, olen_val, cs_out); //@ crypto_chars_split(output, TAG_LENGTH); //@ assert crypto_chars(_, output, TAG_LENGTH, ?cs_tag); //@ assert crypto_chars(_, (void*) output + TAG_LENGTH, olen_val - TAG_LENGTH, ?cs_i); /*@ if (col) { crypto_chars_to_chars(output, TAG_LENGTH); chars_to_crypto_chars(output, TAG_LENGTH); } else if (!garbage) { switch(pay) { case some(pay1): open [_]item_constraints(pay1, cs_out, pub); case none: open [_]ill_formed_item_chars(enc)(cs_out); public_generated_split(polarssl_pub(pub), cs_out, TAG_LENGTH); } public_crypto_chars(output, TAG_LENGTH); } @*/ //@ close check_tag2_ghost_args(false, garbage, p_key, c_key, cs_i); check_tag2(output, tag); //@ if (!garbage) chars_to_secret_crypto_chars(output, TAG_LENGTH); //@ crypto_chars_join(output); memcpy(result->content, output, olen); //@ assert result->content |-> ?cont; //@ assert crypto_chars(?kind, cont, olen_val, cs_out); zeroize(output, (int) olen); //@ close item(item, enc, pub); //@ assert enc == asymmetric_encrypted_item(principal2, count2, pay, ent); //@ assert col || enc_cg == cg_asym_encrypted(principal2, count2, cs_pay, ent); /*@ if (col) { crypto_chars_to_chars(cont, olen_val); public_chars(cont, olen_val); chars_to_crypto_chars(cont, olen_val); } else if (garbage) { assert true == key_clsfy(principal3, count3, false); public_chars(cont, olen_val); chars_to_crypto_chars(cont, olen_val); } else { assert principal2 == principal3; assert count2 == count3; assert cs_out == cs_pay; switch(pay) { case some(pay1): assert [_]item_constraints(pay1, cs_out, pub); case none: open [_]ill_formed_item_chars(enc)(cs_out); assert [_]public_generated(polarssl_pub(pub))(cs_out); public_crypto_chars(cont, olen_val); chars_to_crypto_chars(cont, olen_val); } } @*/ parse_item(result->content, (int) olen); /*@ if (col || garbage) { retreive_proof_obligations(); deserialize_item(cs_out, pub); leak proof_obligations(pub); chars_to_secret_crypto_chars(cont, olen_val); } @*/ //@ open [_]item_constraints(?dec, cs_out, pub); //@ assert [_]ic_parts(dec)(?dec_tag, ?dec_cont); //@ take_append(TAG_LENGTH, dec_tag, dec_cont); //@ drop_append(TAG_LENGTH, dec_tag, dec_cont); //@ assert dec_tag == full_tag(tag); //@ assert tag_for_item(dec) == tag; //@ close item(result, dec, pub); } return result; }
void attacker_send_decrypted(havege_state *havege_state, void* socket) //@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker); //@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker); { int temp; int size1; int size2; char buffer1[MAX_MESSAGE_SIZE]; char buffer2[MAX_MESSAGE_SIZE]; char buffer3[MAX_MESSAGE_SIZE]; aes_context aes_context; char iv[16]; size_t iv_off = 0; //@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker); size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE); size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE); if (size1 <= 0 || size2 < MINIMAL_STRING_SIZE || (size1 != 16 && size1 != 24 && size1 != 32)) { //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker); return; } //@ close aes_context(&aes_context); //@ interpret_symmetric_key(buffer1, size1); //@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key); //@ assert cg_key == cg_symmetric_key(?p, ?c); if (aes_setkey_enc(&aes_context, buffer1, (unsigned int) size1 * 8) == 0) { if (get_iv(havege_state, iv) == 0) { //@ assert crypto_chars(normal, iv, 16, ?ccs_iv); //@ interpret_encrypted(buffer2, size2); //@ open cryptogram(buffer2, size2, ?ccs2, ?cg_enc); //@ close cryptogram(buffer2, size2, ccs2, cg_enc); //@ assert cg_enc == cg_encrypted(?p2, ?c2, ?ccs_output2, ?ccs_iv2); //@ structure s = known_value(0, nil); //@ close decryption_pre(true, false, attacker, s, ccs2); int success = aes_crypt_cfb128(&aes_context, AES_DECRYPT, (unsigned int) size2, &iv_off, iv, buffer2, buffer3); if (success == 0) zeroize(iv, 16); //@ if (success == 0) chars_to_crypto_chars(iv, 16); //@ open decryption_post(true, ?garbage, attacker, s, p, c, ?ccs_output); /*@ if (garbage) { assert is_public_key_classifier(?proof, _, _, _); proof(cg_key, p, c, true); decryption_garbage(buffer3, size2, s); } else if (success == 0) { assert crypto_chars(secret, buffer3, size2, ccs_output); assert ccs_output == ccs_output2; assert ccs_iv == ccs_iv2; assert ccs2 == ccs_for_cg(cg_enc); public_ccs_cg(cg_enc); assert [_]pub(cg_enc); assert is_public_decryption_is_public(?proof2, pub, pred); proof2(cg_key, cg_enc); public_crypto_chars(buffer3, size2); chars_to_crypto_chars(buffer3, size2); } @*/ //@ crypto_chars_to_chars(buffer3, size2); net_send(socket, buffer3, (unsigned int) size2); //@ public_cryptogram(buffer2, cg_enc); } aes_free(&aes_context); //@ crypto_chars_to_chars(iv, 16); } //@ open aes_context(&aes_context); //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker); //@ public_cryptogram(buffer1, cg_key); }
int main(int argc, char **argv) //@ : main_full(main_app) //@ requires module(main_app, true); //@ ensures true; { pthread_t a_thread; havege_state havege_state; printf("\n\tExecuting \""); printf("enc_then_hmac protocol"); printf("\" ... \n\n"); //@ PROTOCOL_INIT(enc_then_hmac) //@ int attacker = principal_create(); //@ int sender = principal_create(); //@ int receiver = principal_create(); //@ assume (!bad(sender) && !bad(receiver)); //@ close havege_state(&havege_state); havege_init(&havege_state); //@ assume (bad(attacker)); //@ close pthread_run_pre(attacker_t)(NULL, some(attacker)); pthread_create(&a_thread, NULL, &attacker_t, NULL); int i = 0; #ifdef EXECUTE while (i++ < 10) #else while (true) #endif /*@ invariant [_]public_invar(enc_then_hmac_pub) &*& [_]decryption_key_classifier(enc_then_hmac_public_key) &*& !bad(sender) && !bad(receiver) &*& havege_state_initialized(&havege_state) &*& principal(sender, ?count) &*& principal(receiver, _); @*/ { char* enc_key; char* hmac_key; int temp; enc_key = malloc(KEY_SIZE); if (enc_key == 0) abort(); hmac_key = malloc(KEY_SIZE); if (hmac_key == 0) abort(); //@ open principal(sender, _); //@ close random_request(sender, 0, true); if (havege_random(&havege_state, enc_key, KEY_SIZE) != 0) abort(); //@ assume (shared_with(sender, count + 1) == receiver); //@ assert cryptogram(enc_key, KEY_SIZE, ?enc_cs_key, ?enc_cg_key); //@ assert enc_cg_key == cg_symmetric_key(sender, count + 1); //@ close random_request(sender, count + 1, true); if (havege_random(&havege_state, hmac_key, KEY_SIZE) != 0) abort(); //@ assume (shared_with(sender, count + 2) == receiver); //@ assert cryptogram(hmac_key, KEY_SIZE, ?hmac_cs_key, ?hmac_cg_key); //@ assert hmac_cg_key == cg_symmetric_key(sender, count + 2); { pthread_t s_thread, r_thread; struct enc_then_hmac_args s_args; struct enc_then_hmac_args r_args; char s_message[MSG_LEN]; char r_message[MAX_SIZE]; //@ assert chars(s_message, MSG_LEN, ?msg_cs); //@ public_chars(s_message, MSG_LEN); //@ chars_to_secret_crypto_chars(s_message, MSG_LEN); //@ s_args.sender = sender; //@ s_args.receiver = receiver; s_args.enc_key = enc_key; s_args.hmac_key = hmac_key; s_args.msg = s_message; //@ assume (send(sender, receiver, msg_cs) == true); //@ r_args.sender = sender; //@ r_args.receiver = receiver; r_args.enc_key = enc_key; r_args.hmac_key = hmac_key; r_args.msg = r_message; //@ close principal(sender, _); //@ close pthread_run_pre(sender_t)(&s_args, ?s_data); //@ close pthread_run_pre(receiver_t)(&r_args, ?r_data); pthread_create(&r_thread, NULL, &receiver_t, &r_args); pthread_create(&s_thread, NULL, &sender_t, &s_args); pthread_join(s_thread, NULL); //@ open pthread_run_post(sender_t)(&s_args, s_data); pthread_join(r_thread, NULL); //@ open pthread_run_post(receiver_t)(&r_args, r_data); //@ open [1/2]cryptogram(enc_key, KEY_SIZE, enc_cs_key, _); //@ open [1/2]cryptogram(enc_key, KEY_SIZE, enc_cs_key, _); //@ open [1/2]cryptogram(hmac_key, KEY_SIZE, hmac_cs_key, _); //@ open [1/2]cryptogram(hmac_key, KEY_SIZE, hmac_cs_key, _); if (r_args.length != MSG_LEN) abort(); //@ public_crypto_chars(s_message, MSG_LEN); #ifdef EXECUTE if (memcmp(s_message, r_message, MSG_LEN) != 0) abort(); #endif //@ open principal(sender, _); //@ close principal(sender, _); zeroize(r_message, r_args.length); } zeroize(enc_key, KEY_SIZE); free((void*) enc_key); zeroize(hmac_key, KEY_SIZE); free((void*) hmac_key); printf(" |%i| ", i); } printf("\n\n\t\tDone\n"); return 0; }
struct item *asymmetric_signature(struct item *key, struct item *payload) /*@ requires [?f]world(?pub, ?key_clsfy) &*& principal(?principal1, ?count1) &*& item(payload, ?pay, pub) &*& item(key, ?k, pub) &*& k == private_key_item(?principal2, ?count2); @*/ /*@ ensures [f]world(pub, key_clsfy) &*& principal(principal1, count1 + 1) &*& item(payload, pay, pub) &*& item(key, k, pub) &*& item(result, ?sig, pub) &*& col ? true : sig == asymmetric_signature_item(principal2, count2, some(pay), ?ent); @*/ { debug_print("ASYM SIGNING:\n"); print_item(payload); struct item* result; result = malloc(sizeof(struct item)); if (result == 0) abort_crypto_lib("Malloc failed"); debug_print("signing item\n"); print_item(payload); print_item(key); { pk_context context; unsigned int olen; char* output; // Key //@ close pk_context(&context); //@ open [f]world(pub, key_clsfy); pk_init(&context); //@ close [f]world(pub, key_clsfy); set_private_key(&context, key); //@ open [f]world(pub, key_clsfy); /*@ assert pk_context_with_key(&context, pk_private, ?principal, ?count, RSA_BIT_KEY_SIZE); @*/ //@ assert col || principal == principal2; //@ assert col || count == count2; // Payload //@ open item(payload, pay, pub); //@ open [_]item_constraints(pay, ?pay_cs, pub); //@ assert payload->content |-> ?p_cont &*& payload->size |-> ?p_size; if (payload->size > RSA_KEY_SIZE) abort_crypto_lib("Assymetric signing failed: incorrect size"); output = malloc(RSA_KEY_SIZE); if (output == 0) abort_crypto_lib("Malloc failed"); void *random_state = nonces_expose_state(); //@ close random_state_predicate(havege_state_initialized); /*@ produce_function_pointer_chunk random_function( asym_sig_havege_random_stub) (havege_state_initialized)(state, out, len) { call(); } @*/ //@ open principal(principal1, count1); if(pk_sign(&context, POLARSSL_MD_NONE, payload->content, (unsigned int) payload->size, output, &olen, asym_sig_havege_random_stub, random_state) != 0) abort_crypto_lib("Signing failed"); //@ open principal(principal1, count1 + 1); //@ open cryptogram(output, ?sig_length, ?sig_cs, ?sig_cg); //@ assert sig_cg == cg_asym_signature(principal, count, pay_cs, ?ent); //@ assert u_integer(&olen, sig_length); //@ assert sig_length > 0 &*& sig_length <= RSA_KEY_SIZE; nonces_hide_state(random_state); //@ pk_release_context_with_key(&context); pk_free(&context); //@ open pk_context(&context); //@ close [f]world(pub, key_clsfy); debug_print("signed item\n"); print_buffer(output, (int) olen); // Create item if (olen < MINIMAL_STRING_SIZE) abort_crypto_lib("Assymetric signing failed: output to small"); result->size = TAG_LENGTH + (int) olen; result->content = malloc(result->size); if (result->content == 0) {abort_crypto_lib("Malloc failed");} write_tag(result->content, TAG_ASYMMETRIC_SIG); //@ assert result->content |-> ?cont &*& result->size |-> ?size; //@ assert chars(cont, TAG_LENGTH, ?tag_cs); //@ assert tag_cs == full_tag(TAG_ASYMMETRIC_SIG); //@ public_chars(cont, TAG_LENGTH); //@ chars_to_secret_crypto_chars(cont, TAG_LENGTH); memcpy(result->content + TAG_LENGTH, output, olen); //@ crypto_chars_join(cont); //@ list<char> cs = append(tag_cs, sig_cs); //@ assert crypto_chars(secret, cont, size, cs); //@ item e = asymmetric_signature_item(principal, count, some(pay), ent); //@ close ic_cg(e)(sig_cs, sig_cg); /*@ if (col) { public_chars(cont, size); public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH); } @*/ //@ close item(payload, pay, pub); zeroize(output, (int) olen); //@ chars_join(output); free(output); //@ WELL_FORMED(tag_cs, sig_cs, TAG_ASYMMETRIC_SIG) //@ close ic_parts(e)(tag_cs, sig_cs); //@ close well_formed_item_chars(e)(pay_cs); //@ leak well_formed_item_chars(e)(pay_cs); //@ close item_constraints(e, cs, pub); //@ leak item_constraints(e, cs, pub); //@ close item(result, e, pub); } debug_print("SINGING RESULT:\n"); print_item(result); return result; }
int main(int argc, char **argv) //@ : main_full(main_app) //@ requires module(main_app, true); //@ ensures true; { pthread_t a_thread; havege_state havege_state; printf("\n\tExecuting \""); printf("yahalom protocol"); printf("\" ... \n\n"); //@ PROTOCOL_INIT(yahalom) //@ int server = principal_create(); //@ assert server == 1; //@ int sender = principal_create(); //@ assert sender == 2; //@ int receiver = principal_create(); //@ assert receiver == 3; //@ int attacker = principal_create(); //@ assume (bad(attacker)); //@ close havege_state(&havege_state); havege_init(&havege_state); //@ assume (bad(attacker)); //@ close pthread_run_pre(attacker_t)(NULL, some(attacker)); pthread_create(&a_thread, NULL, &attacker_t, NULL); int i = 0; #ifdef EXECUTE while (i++ < 10) #else while (true) #endif /*@ invariant [_]public_invar(yahalom_pub) &*& [_]decryption_key_classifier(yahalom_public_key) &*& havege_state_initialized(&havege_state) &*& principal(server, ?serv_count) &*& principal(sender, ?send_count) &*& principal(receiver, ?rcvr_count); @*/ { char s_key[KEY_SIZE]; char r_key[KEY_SIZE]; char key1[KEY_SIZE]; char key2[KEY_SIZE]; //@ open principal(sender, _); //@ close random_request(sender, int_pair(3, server), true); if (havege_random(&havege_state, s_key, KEY_SIZE) != 0) abort(); //@ close principal(sender, _); //@ assert cryptogram(s_key, KEY_SIZE, ?cs_s_key, ?cg_s_key); //@ assert cg_s_key == cg_symmetric_key(sender, send_count + 1); //@ open principal(receiver, _); //@ close random_request(receiver, int_pair(3, server), true); if (havege_random(&havege_state, r_key, KEY_SIZE) != 0) abort(); //@ close principal(receiver, _); //@ assert cryptogram(r_key, KEY_SIZE, ?cs_r_key, ?cg_r_key); //@ assert cg_r_key == cg_symmetric_key(receiver, rcvr_count + 1); { pthread_t serv_thread, s_thread, r_thread; struct yahalom_args serv_args, s_args, r_args; serv_args.server = 1; serv_args.sender = 2; serv_args.receiver = 3; serv_args.s_key = s_key; serv_args.r_key = r_key; s_args.server = 1; s_args.sender = 2; s_args.receiver = 3; s_args.s_key = s_key; s_args.key = key1; r_args.server = 1; r_args.sender = 2; r_args.receiver = 3; r_args.r_key = r_key; r_args.key = key2; //@ close pthread_run_pre(server_t)(&serv_args, ?serv_data); pthread_create(&serv_thread, NULL, &server_t, &serv_args); //@ close pthread_run_pre(sender_t)(&s_args, ?s_data); pthread_create(&s_thread, NULL, &sender_t, &s_args); //@ close pthread_run_pre(receiver_t)(&r_args, ?r_data); pthread_create(&r_thread, NULL, &receiver_t, &r_args); pthread_join(serv_thread, NULL); //@ open pthread_run_post(server_t)(&serv_args, serv_data); pthread_join(s_thread, NULL); //@ open pthread_run_post(sender_t)(&s_args, s_data); pthread_join(r_thread, NULL); //@ open pthread_run_post(receiver_t)(&r_args, r_data); } //@ open cryptogram(key1, KEY_SIZE, ?cs_key1, _); zeroize(key1, KEY_SIZE); //@ open cryptogram(key2, KEY_SIZE, ?cs_key2, _); zeroize(key2, KEY_SIZE); //@ open [1/2]cryptogram(s_key, KEY_SIZE, _, _); //@ open [1/2]cryptogram(s_key, KEY_SIZE, _, _); zeroize(s_key, KEY_SIZE); //@ open [1/2]cryptogram(r_key, KEY_SIZE, _, _); //@ open [1/2]cryptogram(r_key, KEY_SIZE, _, _); zeroize(r_key, KEY_SIZE); printf(" |%i| ", i); } printf("\n\n\t\tDone\n"); return 0; }
void zeroize_stack(void) { unsigned char m[ZEROIZE_STACK_SIZE]; zeroize(m, sizeof m); }
void sender(char *enc_key, char *hmac_key, char *msg, unsigned int msg_len) /*@ requires [_]public_invar(enc_then_hmac_pub) &*& principal(?sender, _) &*& [?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*& [?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*& enc_key_cg == cg_symmetric_key(sender, ?enc_id) &*& hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*& cg_info(hmac_key_cg) == enc_id &*& shared_with(sender, enc_id) == shared_with(sender, hmac_id) &*& [?f3]crypto_chars(secret, msg, msg_len, ?msg_ccs) &*& MAX_SIZE >= msg_len &*& msg_len >= MINIMAL_STRING_SIZE &*& bad(sender) || bad(shared_with(sender, enc_id)) ? [_]public_ccs(msg_ccs) : true == send(sender, shared_with(sender, enc_id), msg_ccs); @*/ /*@ ensures principal(sender, _) &*& [f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*& [f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*& [f3]crypto_chars(secret, msg, msg_len, msg_ccs); @*/ { //@ open principal(sender, _); int socket; havege_state havege_state; char iv[16]; unsigned int iv_off = 0; char hmac[64]; aes_context aes_context; net_usleep(20000); if(net_connect(&socket, NULL, SERVER_PORT) != 0) abort(); if(net_set_block(socket) != 0) abort(); { int message_len = 16 + (int) msg_len + 64; char* message = malloc(message_len); if (message == 0) abort(); // IV stuff //@ close havege_state(&havege_state); havege_init(&havege_state); //@ close random_request(sender, 0, false); if (havege_random(&havege_state, iv, 16) != 0) abort(); //@ open cryptogram(iv, 16, ?iv_ccs, ?iv_cg); //@ close enc_then_hmac_pub(iv_cg); //@ leak enc_then_hmac_pub(iv_cg); memcpy(message, iv, 16); //@ close cryptogram(message, 16, iv_ccs, iv_cg); //@ public_cryptogram(message, iv_cg); //@ assert chars(message, 16, ?iv_cs); //@ public_chars(message, 16); havege_free(&havege_state); //@ open havege_state(&havege_state); // encrypt //@ close aes_context(&aes_context); if (aes_setkey_enc(&aes_context, enc_key, (unsigned int) (KEY_SIZE * 8)) != 0) abort(); if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT, msg_len, &iv_off, iv, msg, message + 16) != 0) abort(); //@ open cryptogram(message + 16, msg_len, ?enc_ccs, ?enc_cg); //@ close cryptogram(message + 16, msg_len, enc_ccs, enc_cg); //@ close enc_then_hmac_pub(enc_cg); //@ leak enc_then_hmac_pub(enc_cg); //@ public_cryptogram(message + 16, enc_cg); //@ assert chars(message + 16, msg_len, ?enc_cs); //@ public_chars(message + 16, msg_len); //@ assert chars(message, 16 + msg_len, append(iv_cs, enc_cs)); //@ assert enc_cg == cg_encrypted(sender, enc_id, msg_ccs, iv_ccs); zeroize(iv, 16); aes_free(&aes_context); //@ open aes_context(&aes_context); // hmac //@ chars_to_crypto_chars(message, 16 + msg_len); //@ HASH_PUB_PAYLOAD(append(iv_cs, enc_cs)) sha512_hmac(hmac_key, KEY_SIZE, message, (unsigned int) (16 + (int) msg_len), message + 16 + (int) msg_len, 0); //@ assert cryptogram(message + 16 + msg_len, 64, ?hmac_ccs, ?hmac_cg); //@ cs_to_ccs_append(iv_cs, enc_cs); //@ assert hmac_cg == cg_hmac(sender, hmac_id, append(iv_ccs, enc_ccs)); /*@ if (!col && !enc_then_hmac_public_key(sender, enc_id, true)) close enc_then_hmac_pub_1(enc_id, msg_ccs, iv_ccs); @*/ /*@ if (col || enc_then_hmac_public_key(sender, enc_id, true)) { assert [_]public_ccs(iv_ccs); assert [_]public_ccs(enc_ccs); public_ccs_join(iv_ccs, enc_ccs); } @*/ //@ close enc_then_hmac_pub(hmac_cg); //@ leak enc_then_hmac_pub(hmac_cg); //@ public_cryptogram(message + 16 + msg_len, hmac_cg); //@ assert chars(message + 16 + msg_len, 64, ?hmac_cs); //@ append_assoc(iv_ccs, enc_ccs, hmac_ccs); //@ append_assoc(iv_cs, enc_cs, hmac_cs); //@ cs_to_ccs_crypto_chars(message, append(iv_cs, enc_cs)); /*@ assert chars(message, message_len, append(iv_cs, append(enc_cs, hmac_cs))); @*/ net_send(&socket, message, (unsigned int) message_len); free(message); } net_close(socket); //@ close principal(sender, _); }
int receiver(char *enc_key, char *hmac_key, char *msg) /*@ requires [_]public_invar(enc_then_hmac_pub) &*& [_]decryption_key_classifier(enc_then_hmac_public_key) &*& principal(?receiver, _) &*& [?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*& [?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*& enc_key_cg == cg_symmetric_key(?sender, ?enc_id) &*& hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*& cg_info(hmac_key_cg) == enc_id &*& receiver == shared_with(sender, enc_id) &*& receiver == shared_with(sender, hmac_id) &*& chars(msg, MAX_SIZE, _); @*/ /*@ ensures principal(receiver, _) &*& [f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*& [f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*& chars(msg + result, MAX_SIZE - result, _) &*& crypto_chars(?kind, msg, result, ?msg_ccs) &*& col || bad(sender) || bad(receiver) || (kind == secret && send(sender, receiver, msg_ccs)); @*/ { //@ open principal(receiver, _); int socket1; int socket2; int size; int enc_size; char iv[16]; unsigned int iv_off = 0; char hmac[64]; aes_context aes_context; if(net_bind(&socket1, NULL, SERVER_PORT) != 0) abort(); if(net_accept(socket1, &socket2, NULL) != 0) abort(); if(net_set_block(socket2) != 0) abort(); { int max_size = 16 + MAX_SIZE + 64; char *buffer = malloc (max_size); if (buffer == 0) abort(); size = net_recv(&socket2, buffer, (unsigned int) max_size); if (size <= 16 + 64) abort(); enc_size = size - 16 - 64; if (enc_size < MINIMAL_STRING_SIZE) abort(); //@ chars_split(buffer, size); //@ assert chars(buffer, size, ?all_cs); //@ close hide_chars((void*) buffer + size, max_size - size, _); //Verify the hmac //@ chars_split(buffer, size - 64); //@ public_chars(buffer + size - 64, 64); //@ assert chars(buffer + size - 64, 64, ?hmac_cs); //@ assert chars(buffer, size - 64, ?pay_cs); //@ chars_to_crypto_chars(buffer, size - 64); //@ HASH_PUB_PAYLOAD(pay_cs) sha512_hmac(hmac_key, KEY_SIZE, buffer, (unsigned int) (size - 64), hmac, 0); //@ open cryptogram(hmac, 64, ?hmac_ccs, ?hmac_cg); //@ chars_to_crypto_chars((void*) buffer + size - 64, 64); //@ close memcmp_secret(hmac, 64, hmac_ccs, hmac_cg); if (memcmp((void*) buffer + size - 64, hmac, 64) != 0) abort(); /*@ if (!col) { public_ccs_cg(hmac_cg); public_crypto_chars(hmac, 64); } else { crypto_chars_to_chars(hmac, 64); } @*/ //@ assert all_cs == append(pay_cs, hmac_cs); // IV stuff //@ cs_to_ccs_crypto_chars(buffer, pay_cs); //@ chars_split(buffer, 16); //@ assert chars(buffer, 16, ?iv_cs); //@ chars_to_crypto_chars(buffer, 16); //@ assert crypto_chars(normal, buffer, 16, ?iv_ccs); memcpy(iv, buffer, 16); //@ cs_to_ccs_crypto_chars(iv, iv_cs); //@ interpret_nonce(iv, 16); //@ open cryptogram(iv, 16, iv_ccs, ?iv_cg); //Decrypt //@ assert chars(buffer + 16, enc_size, ?enc_cs); //@ interpret_encrypted(buffer + 16, enc_size); //@ open cryptogram(buffer + 16, enc_size, ?enc_ccs, ?enc_cg); //@ close cryptogram(buffer + 16, enc_size, enc_ccs, enc_cg); //@ assert enc_cg == cg_encrypted(?p2, ?c2, ?dec_ccs2, ?iv_ccs2); //@ close aes_context(&aes_context); if (aes_setkey_enc(&aes_context, enc_key, (unsigned int) (KEY_SIZE * 8)) != 0) abort(); //@ structure s = known_value(0, dec_ccs2); //@ close decryption_pre(true, false, receiver, s, enc_ccs); if (aes_crypt_cfb128(&aes_context, AES_DECRYPT, (unsigned int) enc_size, &iv_off, iv, buffer + 16, msg) != 0) abort(); //@ assert pay_cs == append(iv_cs, enc_cs); //@ cs_to_ccs_append(iv_cs, enc_cs); zeroize(iv, 16); aes_free(&aes_context); //@ open aes_context(&aes_context); //@ public_cg_ccs(enc_cg); //@ public_cryptogram(buffer + 16, enc_cg); /*@ open decryption_post(true, ?garbage, receiver, s, sender, enc_id, ?dec_ccs); @*/ /*@ if (!col) { open [_]enc_then_hmac_pub(hmac_cg); open [_]enc_then_hmac_pub(enc_cg); if (!enc_then_hmac_public_key(sender, enc_id, true)) { assert [_]enc_then_hmac_pub_1(?id, ?dec_ccs3, ?ent); cryptogram enc_cg3 = cg_encrypted(sender, id, dec_ccs3, ent); take_append(16, iv_ccs, ccs_for_cg(enc_cg)); take_append(16, ent, ccs_for_cg(enc_cg3)); assert ent == iv_ccs; drop_append(16, iv_ccs, ccs_for_cg(enc_cg)); drop_append(16, ent, ccs_for_cg(enc_cg3)); assert ccs_for_cg(enc_cg) == ccs_for_cg(enc_cg3); ccs_for_cg_inj(enc_cg, enc_cg3); assert dec_ccs2 == dec_ccs3; close exists(pair(nil, nil)); close has_structure(dec_ccs2, s); leak has_structure(dec_ccs2, s); } } else { crypto_chars_to_chars(msg, enc_size); chars_to_secret_crypto_chars(msg, enc_size); } @*/ //@ if (garbage) decryption_garbage(msg, enc_size, s); //@ open hide_chars((void*) buffer + size, max_size - size, _); //@ crypto_chars_to_chars(buffer, 16); //@ crypto_chars_to_chars(buffer + size - 64, 64); //@ chars_join(buffer); //@ chars_join(buffer); free(buffer); } net_close(socket2); net_close(socket1); return enc_size; //@ close principal(receiver, _); }
void attacker_send_auth_decrypted(havege_state *havege_state, void* socket) //@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker); //@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker); { int temp; int size1; int size2; char buffer1[MAX_MESSAGE_SIZE]; char buffer2[MAX_MESSAGE_SIZE]; char buffer3[MAX_MESSAGE_SIZE]; gcm_context gcm_context; char iv[16]; //@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker); size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE); size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE); if (size1 <= 16 || size2 <= 16 || (size1 != 16 && size1 != 24 && size1 != 32)) { //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker); return; } //@ close gcm_context(&gcm_context); //@ interpret_symmetric_key(buffer1, size1); //@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key); //@ assert cg_key == cg_symmetric_key(?p, ?c); if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES, buffer1, (unsigned int) size1 * 8) == 0) { if (get_iv(havege_state, iv) == 0) { //@ assert crypto_chars(normal, iv, 16, ?ccs_iv); //@ assert chars(buffer2, size2, ?cs2); //@ interpret_auth_encrypted(buffer2, size2); //@ open cryptogram(buffer2, size2, ?ccs2, ?cg_enc); //@ cs_to_ccs_crypto_chars(buffer2, cs2); //@ chars_to_crypto_chars(buffer2, size2); //@ close exists(cg_enc); //@ assert cg_enc == cg_auth_encrypted(?p2, ?c2, ?ccs_output2, ?ccs_iv2); //@ crypto_chars_split(buffer2, 16); if (gcm_auth_decrypt(&gcm_context, (unsigned int) size2 - 16, iv, 16, NULL, 0, buffer2, 16, (void*) buffer2 + 16, buffer3) == 0) { /*@ if (!col) { assert crypto_chars(secret, buffer3, size2 - 16, ?ccs_output); ccs_output == ccs_output2; ccs_iv == ccs_iv2; assert ccs2 == ccs_for_cg(cg_enc); assert [_]pub(cg_enc); assert is_public_auth_decryption_is_public(?proof3, pub, pred); proof3(cg_key, cg_enc); public_crypto_chars(buffer3, size2 - 16); chars_to_crypto_chars(buffer3, size2 - 16); } @*/ zeroize(iv, 16); //@ chars_to_crypto_chars(iv, 16); } //@ crypto_chars_to_chars(buffer3, size2 - 16); net_send(socket, buffer3, (unsigned int) size2 - 16); //@ crypto_chars_to_chars(buffer2, 16); //@ crypto_chars_to_chars((void*) buffer2 + 16, size2 - 16); //@ chars_join(buffer2); } //@ crypto_chars_to_chars(iv, 16); gcm_free(&gcm_context); } //@ open gcm_context(&gcm_context); //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker); //@ public_cryptogram(buffer1, cg_key); }
void receiver_msg2(int* socket, havege_state* havege_state, pk_context* s_context, int receiver, char* s_nonce, char* r_nonce) /*@ requires GENERAL_PRE(receiver) &*& pk_context_with_key(?r_context, pk_private, receiver, ?r_id, 8 * KEY_SIZE) &*& pk_context_with_key(s_context, pk_public, ?sender, ?s_id, 8 * KEY_SIZE) &*& RECEIVER_INTER &*& cryptogram(r_nonce, NONCE_SIZE, ?r_nonce_ccs, ?r_nonce_cg) &*& r_nonce_cg == cg_nonce(receiver, _) &*& cg_info(r_nonce_cg) == int_pair(2, int_pair(sender, int_pair(p_inst, int_pair(p_orig, c_orig)))); @*/ /*@ ensures GENERAL_POST(receiver) &*& pk_context_with_key(r_context, pk_private, receiver, r_id, 8 * KEY_SIZE) &*& pk_context_with_key(s_context, pk_public, sender, s_id, 8 * KEY_SIZE) &*& ( col || bad(p_inst) || bad(receiver) ? chars(s_nonce, NONCE_SIZE, ?s_nonce_cs) &*& s_nonce_ccs == cs_to_ccs(s_nonce_cs) : cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg) ) &*& cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); @*/ { //@ open principal(receiver, _); unsigned int size; char message[MSG2_SIZE]; char encrypted[KEY_SIZE]; //@ open receiver_inter(p_orig, c_orig, p_inst, s_nonce_ccs, s_nonce_cg); // Construct the message write_identifier(message, receiver); //@ list<crypto_char> rid_ccs = cs_to_ccs(identifier(receiver)); //@ assert crypto_chars(normal, message, ID_SIZE, rid_ccs); //@ cs_to_ccs_crypto_chars(message, identifier(receiver)); //@ public_chars(message, ID_SIZE); //@ chars_to_secret_crypto_chars(message, ID_SIZE); //@ bool condition = col || bad(p_inst) || bad(receiver); /*@ if (!condition) open cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); else { crypto_chars_to_chars(s_nonce, NONCE_SIZE); public_chars(s_nonce, NONCE_SIZE); chars_to_secret_crypto_chars(s_nonce, NONCE_SIZE); } @*/ //@ open cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); memcpy((void*) message + ID_SIZE, s_nonce, NONCE_SIZE); memcpy((void*) message + ID_SIZE + NONCE_SIZE, r_nonce, NONCE_SIZE); //@ crypto_chars_join(message); //@ crypto_chars_join(message); //@ list<crypto_char> msg2 = append(rid_ccs, append(s_nonce_ccs, r_nonce_ccs)); //@ append_assoc(rid_ccs, s_nonce_ccs, r_nonce_ccs); //@ assert crypto_chars(secret, message, MSG2_SIZE, msg2); // Encrypt the message /*@ produce_function_pointer_chunk random_function(random_stub_nsl) (havege_state_initialized)(state, out, len) { call(); } @*/ //@ close random_state_predicate(havege_state_initialized); if (pk_encrypt(s_context, message, MSG2_SIZE, encrypted, &size, KEY_SIZE, random_stub_nsl, havege_state) != 0) abort(); //@ assert u_integer(&size, ?size_val); //@ assert cryptogram(encrypted, size_val, ?cs_enc, ?cg_enc); //@ take_append(ID_SIZE, rid_ccs, append(s_nonce_ccs, r_nonce_ccs)); //@ drop_append(ID_SIZE, rid_ccs, append(s_nonce_ccs, r_nonce_ccs)); //@ take_append(NONCE_SIZE, s_nonce_ccs, r_nonce_ccs); //@ drop_append(NONCE_SIZE, s_nonce_ccs, r_nonce_ccs); // Proof the message is public /*@ if (col || bad(sender) || bad(receiver)) { assert crypto_chars(secret, message, MSG2_SIZE, msg2); crypto_chars_split(message, ID_SIZE); crypto_chars_split((void*) message + ID_SIZE, NONCE_SIZE); public_crypto_chars((void*) message, ID_SIZE); public_crypto_chars((void*) message + ID_SIZE, NONCE_SIZE); close nsl_pub(r_nonce_cg); leak nsl_pub(r_nonce_cg); close cryptogram((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); public_cryptogram((void*) message + ID_SIZE + NONCE_SIZE, r_nonce_cg); assert chars((void*) message, ID_SIZE, ?rid_cs); assert chars((void*) message + ID_SIZE, NONCE_SIZE, ?s_nonce_cs); assert chars((void*) message + ID_SIZE + NONCE_SIZE, NONCE_SIZE, ?r_nonce_cs); cs_to_ccs_append(rid_cs, s_nonce_cs); cs_to_ccs_append(append(rid_cs, s_nonce_cs), r_nonce_cs); chars_join(message); chars_join(message); public_chars(message, MSG2_SIZE); chars_to_secret_crypto_chars(message, MSG2_SIZE); } else { close nsl_pub_msg2(sender, receiver, s_nonce_cg, s_nonce_ccs, r_nonce_cg, p_inst, p_orig, c_orig, condition); } @*/ //@ close nsl_pub_msg_sender(receiver); //@ leak nsl_pub_msg_sender(receiver); //@ close nsl_pub(cg_enc); //@ leak nsl_pub(cg_enc); //@ public_cryptogram(encrypted, cg_enc); // Send the message net_send(socket, encrypted, size); zeroize(message, MSG2_SIZE); /*@ if (!condition) close cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg); else public_crypto_chars(s_nonce, NONCE_SIZE); @*/ //@ close cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); //@ close principal(receiver, _); }
inline ~element() { zeroize(n, sizeof(n)); }
void receiver_msg3(int* socket, havege_state* havege_state, pk_context* r_context, int sender, int receiver, char* s_nonce, char* r_nonce) /*@ requires GENERAL_PRE(receiver) &*& pk_context_with_key(r_context, pk_private, receiver, ?r_id, 8 * KEY_SIZE) &*& RECEIVER_INTER &*& cryptogram(r_nonce, NONCE_SIZE, ?r_nonce_ccs, ?r_nonce_cg) &*& r_nonce_cg == cg_nonce(receiver, _) &*& cg_info(r_nonce_cg) == int_pair(2, int_pair(sender, int_pair(p_inst, int_pair(p_orig, c_orig)))); @*/ /*@ ensures GENERAL_POST(receiver) &*& pk_context_with_key(r_context, pk_private, receiver, r_id, 8 * KEY_SIZE) &*& ( col || bad(p_inst) || bad(receiver) ? crypto_chars(normal, s_nonce, NONCE_SIZE, s_nonce_ccs) : cryptogram(s_nonce, NONCE_SIZE, s_nonce_ccs, s_nonce_cg) ) &*& cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg) &*& col || bad(sender) || bad(receiver) || (receiver == p_orig && r_id == c_orig && sender == p_inst); @*/ { //@ open principal(receiver, _); unsigned int size; char message[MSG3_SIZE]; char encrypted[KEY_SIZE]; //@ open receiver_inter(p_orig, c_orig, p_inst, s_nonce_ccs, s_nonce_cg); // Receive the message net_recv(socket, encrypted, KEY_SIZE); //@ assert chars(encrypted, KEY_SIZE, ?enc_cs); //@ interpret_asym_encrypted(encrypted, KEY_SIZE); //@ assert cryptogram(encrypted, KEY_SIZE, ?enc_ccs, ?enc_cg); //@ assert enc_cg == cg_asym_encrypted(?p, ?c, ?pay, ?ent); // Decrypt the message /*@ produce_function_pointer_chunk random_function(random_stub_nsl) (havege_state_initialized)(state, out, len) { call(); } @*/ //@ close random_state_predicate(havege_state_initialized); //@ structure st = known_value(0, r_nonce_ccs); //@ close decryption_pre(false, false, receiver, st, enc_ccs); if (pk_decrypt(r_context, encrypted, KEY_SIZE, message, &size, MSG3_SIZE, random_stub_nsl, havege_state) != 0) abort(); if (size != MSG3_SIZE) abort(); //@ assert u_integer(&size, MSG3_SIZE); //@ assert crypto_chars(?kind, message, NONCE_SIZE, ?dec_ccs); /*@ open decryption_post(false, ?garbage, receiver, st, receiver, r_id, dec_ccs); @*/ // Interpret the message //@ open cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); //@ open [_]nsl_pub(enc_cg); //@ assert [_]nsl_pub_msg_sender(?sender2); /*@ if (col || garbage) { crypto_chars_to_chars(message, NONCE_SIZE); chars_to_crypto_chars(message, NONCE_SIZE); } else { if (bad(receiver) || bad(sender2)) { public_crypto_chars(message, NONCE_SIZE); chars_to_crypto_chars(message, NONCE_SIZE); } else { assert [_]nsl_pub_msg3(sender2, receiver, ?r_nonce_cg2); close memcmp_secret(message, NONCE_SIZE, dec_ccs, r_nonce_cg2); } } @*/ //@ close memcmp_secret(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); if (memcmp((void*) message, r_nonce, NONCE_SIZE) != 0) abort(); //@ assert dec_ccs == r_nonce_ccs; /*@ if (garbage) { close exists(pair(nil, nil)); close has_structure(r_nonce_ccs, st); leak has_structure(r_nonce_ccs, st); decryption_garbage(message, NONCE_SIZE, st); crypto_chars_to_chars(message, NONCE_SIZE); chars_to_secret_crypto_chars(message, NONCE_SIZE); } else if (!col && !bad(sender) && !bad(receiver)) { if (bad(receiver) || bad(sender2)) { public_crypto_chars(r_nonce, NONCE_SIZE); public_ccs_cg(r_nonce_cg); open [_]nsl_pub(r_nonce_cg); assert false; } else if (bad(p_inst)) { assert [_]nsl_pub_msg3(sender2, receiver, ?r_nonce_cg2); int p1_1 = int_pair(p_orig, c_orig); int p1_2 = int_pair(p_inst, p1_1); int p1_3 = int_pair(sender, p1_2); int p2_1 = int_pair(receiver, r_id); int p2_2 = int_pair(sender2, p2_1); int p2_3 = int_pair(sender2, p2_2); assert cg_info(r_nonce_cg) == int_pair(2, p1_3); assert cg_info(r_nonce_cg2) == int_pair(2, p2_3); ccs_for_cg_inj(r_nonce_cg, r_nonce_cg2); int_right_int_pair(2, p1_3); int_right_int_pair(2, p2_3); int_left_int_pair(sender, p1_2); int_left_int_pair(sender2, p2_2); int_right_int_pair(sender, p1_2); int_right_int_pair(sender2, p2_2); int_left_int_pair(p_inst, p1_1); assert false; } } @*/ zeroize(message, MSG3_SIZE); //@ close cryptogram(r_nonce, NONCE_SIZE, r_nonce_ccs, r_nonce_cg); //@ public_cryptogram(encrypted, enc_cg); //@ close principal(receiver, _); }
struct item *symmetric_decryption(struct item *key, struct item *item) /*@ requires [?f]world(?pub, ?key_clsfy) &*& item(item, ?enc, pub) &*& enc == symmetric_encrypted_item(?principal1, ?count1, ?pay, ?ent) &*& item(key, ?k, pub) &*& k == symmetric_key_item(?principal2, ?count2); @*/ /*@ ensures [f]world(pub, key_clsfy) &*& item(item, enc, pub) &*& item(key, k, pub) &*& item(result, ?dec, pub) &*& col ? [_]pub(dec) : switch(pay) { case some(dec2): return principal1 == principal2 && count1 == count2 && dec == dec2; case none: return false; }; @*/ { debug_print("DECRYPTING:\n"); print_item(item); check_is_symmetric_encrypted(item); //@ open [f]world(pub, key_clsfy); struct item* result; result = malloc(sizeof(struct item)); if (result == 0) abort_crypto_lib("Malloc failed"); { gcm_context gcm_context; char *iv; char iv_buffer[GCM_IV_SIZE]; char *encrypted; //@ open item(key, k, pub); //@ assert key->content |-> ?k_cont &*& key->size |-> ?k_size; check_valid_symmetric_key_item_size(key->size); //@ open [_]item_constraints(k, ?k_cs0, pub); //@ assert [_]ic_parts(k)(?k_tag, ?k_cs); //@ crypto_chars_limits(k_cont); //@ crypto_chars_split(k_cont, TAG_LENGTH); //@ WELL_FORMED(k_tag, k_cs, TAG_SYMMETRIC_KEY) //@ assert crypto_chars(secret, k_cont, TAG_LENGTH, k_tag); //@ assert crypto_chars(secret, k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs); //@ cryptogram k_cg = cg_symmetric_key(principal2, count2); //@ if (col) k_cg = chars_for_cg_sur(k_cs, tag_symmetric_key); //@ if (col) crypto_chars_to_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE); //@ if (col) public_chars_extract(k_cont + TAG_LENGTH, k_cg); //@ if (col) chars_to_secret_crypto_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE); //@ close cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg); //@ close gcm_context(&gcm_context); if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES, (key->content + TAG_LENGTH), (unsigned int) GCM_KEY_SIZE * 8) != 0) abort_crypto_lib("Init gcm failed"); //@ assert gcm_context_initialized(&gcm_context, ?p, ?c); //@ assert col || (p == principal2 && c == count2); //@ open cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg); //@ crypto_chars_join(k_cont); //@ close item(key, k, pub); //@ open item(item, enc, pub); //@ assert item->content |-> ?i_cont &*& item->size |-> ?i_size; //@ open [_]item_constraints(enc, ?cs, pub); //@ open [_]ic_parts(enc)(?enc_tag, ?enc_cont); //@ open [_]ic_cg(enc)(_, ?enc_cg); //@ take_append(TAG_LENGTH, enc_tag, enc_cont); //@ drop_append(TAG_LENGTH, enc_tag, enc_cont); //@ open [_]ic_sym_enc(enc)(?enc_iv, ?cg_cs); //@ assert true == well_formed(cs, nat_length(cs)); //@ close [1/2]hide_crypto_chars(_, i_cont, i_size, cs); check_valid_symmetric_encrypted_item_size(item->size); //@ assert length(cs) > TAG_LENGTH + GCM_IV_SIZE; int size = item->size - TAG_LENGTH - GCM_IV_SIZE - GCM_MAC_SIZE; if (size <= MINIMAL_STRING_SIZE) abort_crypto_lib("Gcm decryption failed"); //@ crypto_chars_limits(i_cont); //@ crypto_chars_split(i_cont, TAG_LENGTH); iv = item->content + TAG_LENGTH; //@ crypto_chars_split(iv, GCM_IV_SIZE); //@ assert [1/2]crypto_chars(secret, iv, GCM_IV_SIZE, ?iv_cs); memcpy(iv_buffer, iv, GCM_IV_SIZE); //@ assert cs == append(enc_tag, enc_cont); //@ assert enc_cont == append(iv_cs, cg_cs); //@ public_crypto_chars(iv, GCM_IV_SIZE); //@ chars_to_secret_crypto_chars(iv, GCM_IV_SIZE); encrypted = iv + GCM_IV_SIZE; //@ crypto_chars_limits(encrypted); //@ crypto_chars_split(encrypted, GCM_MAC_SIZE); //@ assert [1/2]crypto_chars(secret, encrypted, GCM_MAC_SIZE, ?mac_cs); /*@ assert [1/2]crypto_chars(secret, encrypted + GCM_MAC_SIZE, size, ?enc_cs); @*/ //@ assert cg_cs == append(mac_cs, enc_cs); result->size = size; result->content = malloc(size); if (result->content == 0) abort_crypto_lib("Malloc failed"); //@ assert result->content |-> ?r_cont &*& result->size |-> size; //@ if (col) enc_cg = chars_for_cg_sur(cg_cs, tag_auth_encrypted); //@ close exists(enc_cg); if (gcm_auth_decrypt(&gcm_context, (unsigned int) size, iv_buffer, GCM_IV_SIZE, NULL, 0, encrypted, GCM_MAC_SIZE, encrypted + GCM_MAC_SIZE, result->content) != 0) abort_crypto_lib("Gcm decryption failed"); //@ assert crypto_chars(secret, r_cont, size, ?dec_cs); //@ assert col || enc_cg == cg_auth_encrypted(principal1, count1, dec_cs, iv_cs); //@ crypto_chars_join(encrypted); //@ crypto_chars_join(iv); //@ crypto_chars_join(i_cont); //@ open [1/2]hide_crypto_chars(_, i_cont, i_size, cs); //@ close item(item, enc, pub); gcm_free(&gcm_context); //@ open gcm_context(&gcm_context); zeroize(iv_buffer, GCM_IV_SIZE); //@ close [f]world(pub, key_clsfy); /*@ if (col) { crypto_chars_to_chars(r_cont, size); chars_to_crypto_chars(r_cont, size); } else { assert enc == symmetric_encrypted_item(principal1, count1, pay, ent); assert enc_cg == cg_auth_encrypted(principal1, count1, dec_cs, enc_iv); switch(pay) { case some(pay1): assert [_]item_constraints(pay1, dec_cs, pub); case none: open [_]ill_formed_item_chars(enc)(dec_cs); assert [_]public_generated(polarssl_pub(pub))(dec_cs); public_crypto_chars(r_cont, size); chars_to_crypto_chars(r_cont, size); } } @*/ parse_item(result->content, size); /*@ if (col) { public_chars(r_cont, size); chars_to_secret_crypto_chars(r_cont, size); retreive_proof_obligations(); deserialize_item(dec_cs, pub); leak proof_obligations(pub); } @*/ //@ assert crypto_chars(secret, r_cont, size, dec_cs); //@ assert [_]item_constraints(?r, dec_cs, pub); //@ close item(result, r, pub); } debug_print("DECRYPTING RESULT:\n"); print_item(result); return result; }
int main(int argc, char **argv) //@ : main_full(main_app) //@ requires module(main_app, true); //@ ensures true; { pthread_t a_thread; havege_state havege_state; printf("\n\tExecuting \""); printf("hmac protocol"); printf("\" ... \n\n"); //@ PROTOCOL_INIT(hmac) //@ int attacker = principal_create(); //@ int sender = principal_create(); //@ int receiver = principal_create(); //@ close havege_state(&havege_state); havege_init(&havege_state); //@ assume (bad(attacker)); //@ close pthread_run_pre(attacker_t)(NULL, some(attacker)); pthread_create(&a_thread, NULL, &attacker_t, NULL); int i = 0; #ifdef EXECUTE while (i++ < 10) #else while (true) #endif /*@ invariant [_]public_invar(hmac_pub) &*& havege_state_initialized(&havege_state) &*& principal(sender, ?count) &*& principal(receiver, _); @*/ { //@ open principal(sender, _); char* key; int temp; //@ close random_request(sender, 0, true); key = malloc(KEY_SIZE); if (key == 0) abort(); if (havege_random(&havege_state, key, KEY_SIZE) != 0) abort(); //@ assume (shared_with(sender, count + 1) == receiver); //@ assert cryptogram(key, KEY_SIZE, ?cs_key, ?cg_key); //@ assert cg_key == cg_symmetric_key(sender, count + 1); { pthread_t s_thread, r_thread; struct hmac_args s_args; struct hmac_args r_args; char s_message[MESSAGE_SIZE]; char r_message[MESSAGE_SIZE]; //@ close random_request(sender, 0, false); if (havege_random(&havege_state, s_message, MESSAGE_SIZE) != 0) abort(); //@ assert cryptogram(s_message, MESSAGE_SIZE, ?cs, ?cg); //@ close hmac_pub(cg); //@ leak hmac_pub(cg); //@ public_cryptogram(s_message, cg); //@ s_args.sender = sender; //@ s_args.receiver = receiver; s_args.key = key; s_args.message = s_message; //@ assume (send(sender, receiver, cs) == true); //@ r_args.sender = sender; //@ r_args.receiver = receiver; r_args.key = key; r_args.message = r_message; //@ close principal(sender, _); //@ close pthread_run_pre(sender_t)(&s_args, ?s_data); //@ close pthread_run_pre(receiver_t)(&r_args, ?r_data); pthread_create(&r_thread, NULL, &receiver_t, &r_args); pthread_create(&s_thread, NULL, &sender_t, &s_args); pthread_join(s_thread, NULL); //@ open pthread_run_post(sender_t)(&s_args, s_data); pthread_join(r_thread, NULL); //@ open pthread_run_post(receiver_t)(&r_args, r_data); //@ open [1/2]cryptogram(key, KEY_SIZE, cs_key, _); //@ open [1/2]cryptogram(key, KEY_SIZE, cs_key, _); //@ chars_to_crypto_chars(r_message, MESSAGE_SIZE); //@ chars_to_crypto_chars(s_message, MESSAGE_SIZE); //@ open principal(sender, _); if (memcmp(s_message, r_message, MESSAGE_SIZE) != 0) abort(); //@ close principal(sender, _); printf(" |%i| ", i); } //@ assert malloc_block(key, KEY_SIZE); zeroize(key, KEY_SIZE); free((void*) key); } printf("\n\n\t\tDone\n"); return 0; }
struct item *symmetric_encryption(struct item *key, struct item *payload) /*@ requires [?f]world(?pub, ?key_clsfy) &*& principal(?principal1, ?count1) &*& [_]pub(nonce_item(principal1, count1 + 1, 0)) &*& item(payload, ?pay, pub) &*& item(key, ?k, pub) &*& k == symmetric_key_item(?principal2, ?count2); @*/ /*@ ensures [f]world(pub, key_clsfy) &*& principal(principal1, count1 + 2) &*& item(payload, pay, pub) &*& item(key, k, pub) &*& item(result, ?enc, pub) &*& col ? true : enc == symmetric_encrypted_item(principal2, count2, some(pay), ?ent); @*/ { //@ open [f]world(pub, key_clsfy); debug_print("ENCRYPTING:\n"); print_item(payload); struct item* result; result = malloc(sizeof(struct item)); if (result == 0) abort_crypto_lib("Malloc failed"); { gcm_context gcm_context; char iv_buffer[GCM_IV_SIZE]; char *iv; char *result_cs; char *encrypted; //@ open item(key, k, pub); //@ assert key->content |-> ?k_cont &*& key->size |-> ?k_size; check_valid_symmetric_key_item_size(key->size); //@ open [_]item_constraints(k, ?k_cs0, pub); //@ assert [_]ic_parts(k)(?k_tag, ?k_cs); //@ crypto_chars_limits(k_cont); //@ crypto_chars_split(k_cont, TAG_LENGTH); //@ WELL_FORMED(k_tag, k_cs, TAG_SYMMETRIC_KEY) //@ assert crypto_chars(secret, k_cont, TAG_LENGTH, k_tag); //@ assert crypto_chars(secret, k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs); //@ cryptogram k_cg = cg_symmetric_key(principal2, count2); //@ if (col) k_cg = chars_for_cg_sur(k_cs, tag_symmetric_key); //@ if (col) crypto_chars_to_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE); //@ if (col) public_chars_extract(k_cont + TAG_LENGTH, k_cg); //@ if (col) chars_to_secret_crypto_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE); //@ close cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg); //@ close gcm_context(&gcm_context); if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES, (key->content + TAG_LENGTH), (unsigned int) GCM_KEY_SIZE * 8) != 0) abort_crypto_lib("Init gcm failed"); //@ assert gcm_context_initialized(&gcm_context, ?p, ?c); //@ assert col || (p == principal2 && c == count2); //@ open cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg); //@ crypto_chars_join(k_cont); //@ close item(key, k, pub); //@ open item(payload, pay, pub); //@ open [_]item_constraints(pay, ?pay_cs, pub); //@ assert payload->content |-> ?p_cont &*& payload->size |-> ?p_size; //@ crypto_chars_limits(p_cont); if (payload->size >= INT_MAX - TAG_LENGTH - GCM_IV_SIZE - GCM_MAC_SIZE || payload->size < MINIMAL_STRING_SIZE) abort_crypto_lib("Gcm encryption failed: incorrect sizes"); result->size = TAG_LENGTH + GCM_IV_SIZE + GCM_MAC_SIZE + payload->size; result->content = malloc(result->size); //@ assert result->content |-> ?r_cont &*& result->size |-> ?r_size; if (result->content == 0) abort_crypto_lib("Malloc failed"); //@ chars_split(r_cont, TAG_LENGTH); write_tag(result->content, TAG_SYMMETRIC_ENC); //@ assert chars(r_cont, TAG_LENGTH, ?tag_cs); //@ public_chars(r_cont, TAG_LENGTH); //@ assert tag_cs == full_tag(TAG_SYMMETRIC_ENC); //@ assert chars(r_cont + TAG_LENGTH, GCM_IV_SIZE + p_size, _); //@ chars_split(r_cont + TAG_LENGTH, GCM_IV_SIZE); iv = result->content + TAG_LENGTH; //@ close nonce_request(principal1, 0); //@ close [f]world(pub, key_clsfy); create_havege_random(iv, GCM_IV_SIZE); //@ open cryptogram(iv, GCM_IV_SIZE, ?iv_cs, ?iv_cg); memcpy(iv_buffer, iv, GCM_IV_SIZE); //@ close cryptogram(iv, GCM_IV_SIZE, iv_cs, iv_cg); //@ close polarssl_pub(pub)(iv_cg); //@ leak polarssl_pub(pub)(iv_cg); //@ public_cryptogram(iv, iv_cg); //@ public_chars(iv, GCM_IV_SIZE); encrypted = iv + GCM_IV_SIZE; //@ chars_split(encrypted, GCM_MAC_SIZE); //@ open principal(principal1, count1 + 1); if (gcm_crypt_and_tag(&gcm_context, GCM_ENCRYPT, (unsigned int) payload->size, iv_buffer, GCM_IV_SIZE, NULL, 0, payload->content, encrypted + GCM_MAC_SIZE, GCM_MAC_SIZE, encrypted) != 0) abort_crypto_lib("Gcm encryption failed"); //@ close principal(principal1, count1 + 2); zeroize(iv_buffer, GCM_IV_SIZE); //@ assert crypto_chars(secret, encrypted, GCM_MAC_SIZE, ?mac_cs); //@ assert crypto_chars(secret, encrypted + GCM_MAC_SIZE, p_size, ?enc_cs); //@ crypto_chars_join(encrypted); //@ assert exists(?enc_cg); //@ list<char> cg_cs = append(mac_cs, enc_cs); //@ assert cg_cs == chars_for_cg(enc_cg); //@ list<char> cont_cs = append(iv_cs, cg_cs); //@ take_append(GCM_IV_SIZE, iv_cs, cg_cs); //@ drop_append(GCM_IV_SIZE, iv_cs, cg_cs); //@ list<char> cs = append(tag_cs, cont_cs); //@ take_append(TAG_LENGTH, tag_cs, cont_cs); //@ drop_append(TAG_LENGTH, tag_cs, cont_cs); //@ item enc; //@ list<char> ent = append(iv_cs, iv_cs); //@ take_append(GCM_IV_SIZE, iv_cs, iv_cs); //@ drop_append(GCM_IV_SIZE, iv_cs, iv_cs); /*@ if (col) { enc_cg = chars_for_cg_sur(cg_cs, tag_auth_encrypted); assert enc_cg == cg_auth_encrypted(?p0, ?c0, ?pay0, ?iv0); ent = append(iv_cs, iv0); take_append(GCM_IV_SIZE, iv_cs, iv0); drop_append(GCM_IV_SIZE, iv_cs, iv0); enc = symmetric_encrypted_item(p0, c0, some(pay), ent); public_chars(encrypted, GCM_MAC_SIZE + p_size); assert chars(encrypted, GCM_MAC_SIZE + p_size, cg_cs); chars_join(iv); chars_join(r_cont); assert chars(r_cont, r_size, cs); public_chars(r_cont, r_size); public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH); close ic_sym_enc(enc)(iv0, cg_cs); } else { assert enc_cg == cg_auth_encrypted(principal2, count2, pay_cs, iv_cs); enc = symmetric_encrypted_item(principal2, count2, some(pay), ent); close polarssl_pub(pub)(cg_nonce(principal1, count1 + 1)); leak polarssl_pub(pub)(cg_nonce(principal1, count1 + 1)); public_generated(polarssl_pub(pub), cg_nonce(principal1, count1 + 1)); chars_to_secret_crypto_chars(iv, GCM_IV_SIZE); crypto_chars_join(iv); chars_to_secret_crypto_chars(r_cont, TAG_LENGTH); crypto_chars_join(r_cont); assert crypto_chars(secret, r_cont, r_size, cs); close ic_sym_enc(enc)(iv_cs, cg_cs); } @*/ //@ well_formed_item_constraints(pay, enc); //@ close ic_cg(enc)(cg_cs, enc_cg); //@ close ic_parts(enc)(tag_cs, cont_cs); //@ WELL_FORMED(tag_cs, cont_cs, TAG_SYMMETRIC_ENC) //@ close item_constraints(enc, cs, pub); //@ leak item_constraints(enc, cs, pub); //@ close item(result, enc, pub); //@ close item(payload, pay, pub); gcm_free(&gcm_context); //@ open gcm_context(&gcm_context); } debug_print("ENCRYPTING RESULT:\n"); print_item(result); return result; }
struct item *asymmetric_encryption(struct item *key, struct item *payload) /*@ requires [?f]world(?pub, ?key_clsfy) &*& principal(?principal1, ?count1) &*& item(payload, ?pay, pub) &*& item(key, ?k, pub) &*& k == public_key_item(?principal2, ?count2); @*/ /*@ ensures [f]world(pub, key_clsfy) &*& principal(principal1, count1 + 1) &*& item(payload, pay, pub) &*& item(key, k, pub) &*& item(result, ?enc, pub) &*& col ? true : enc == asymmetric_encrypted_item(principal2, count2, some(pay), ?ent); @*/ { debug_print("ASYM ENCRYPTING:\n"); print_item(payload); struct item* result; result = malloc(sizeof(struct item)); if (result == 0) abort_crypto_lib("Malloc failed"); { pk_context context; unsigned int olen; char output[MAX_PACKAGE_SIZE]; // Key //@ close pk_context(&context); //@ open [f]world(pub, key_clsfy); pk_init(&context); //@ close [f]world(pub, key_clsfy); set_public_key(&context, key); //@ open [f]world(pub, key_clsfy); /*@ assert pk_context_with_key(&context, pk_public, ?principal, ?count, RSA_BIT_KEY_SIZE); @*/ //@ assert col || principal == principal2; //@ assert col || count == count2; // Encryption //@ open item(payload, pay, pub); //@ assert [_]item_constraints(pay, ?pay_cs, pub); if (payload->size > RSA_KEY_SIZE) abort_crypto_lib("Asymmetric encryption failed: incorrect sizes"); void *random_state = nonces_expose_state(); //@ close random_state_predicate(havege_state_initialized); /*@ produce_function_pointer_chunk random_function( asym_enc_havege_random_stub) (havege_state_initialized)(state, out, len) { call(); } @*/ //@ open principal(principal1, count1); if(pk_encrypt(&context, payload->content, (unsigned int) payload->size, output, &olen, MAX_PACKAGE_SIZE, asym_enc_havege_random_stub, random_state) != 0) abort_crypto_lib("Encryption failed"); //@ close principal(principal1, count1 + 1); //@ open cryptogram(output, ?enc_length, ?enc_cs, ?enc_cg); //@ assert enc_cg == cg_asym_encrypted(principal, count, pay_cs, ?ent); //@ assert u_integer(&olen, enc_length); //@ assert enc_length > 0 &*& enc_length < MAX_PACKAGE_SIZE; //@ assert enc_length > 0 &*& enc_length <= RSA_SERIALIZED_KEY_SIZE; nonces_hide_state(random_state); //@ pk_release_context_with_key(&context); pk_free(&context); //@ open pk_context(&context); //@ close [f]world(pub, key_clsfy); // Create item result->size = TAG_LENGTH + (int) olen; result->content = malloc(result->size); if (result->content == 0) {abort_crypto_lib("Malloc failed");} write_tag(result->content, TAG_ASYMMETRIC_ENC); //@ assert result->content |-> ?cont &*& result->size |-> ?size; if (olen < MINIMAL_STRING_SIZE) {abort_crypto_lib("Asymmetric encryption failed: to small");} memcpy(result->content + TAG_LENGTH, output, olen); //@ assert chars(cont, TAG_LENGTH, ?cs_tag); //@ public_chars(cont, TAG_LENGTH); //@ chars_to_secret_crypto_chars(cont, TAG_LENGTH); //@ assert cs_tag == full_tag(TAG_ASYMMETRIC_ENC); //@ crypto_chars_join(cont); //@ item enc = asymmetric_encrypted_item(principal, count, some(pay), ent); //@ list<char> cs = append(cs_tag, enc_cs); //@ WELL_FORMED(cs_tag, enc_cs, TAG_ASYMMETRIC_ENC) //@ close ic_parts(enc)(cs_tag, enc_cs); //@ close ic_cg(enc)(enc_cs, enc_cg); /*@ if (col) { crypto_chars_to_chars(cont, size); public_chars(cont, size); chars_to_secret_crypto_chars(cont, size); public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH); } @*/ //@ well_formed_item_constraints(pay, enc); //@ close item_constraints(enc, cs, pub); //@ leak item_constraints(enc, cs, pub); //@ close item(result, enc, pub); zeroize(output, (int) olen); //@ chars_join(output); //@ close item(payload, pay, pub); } debug_print("ENCRYPTING RESULT:\n"); print_item(result); return result; }
void GxEngine::initEngine(int samplingFreq) { // initialize all variables for audio, midi and interface fSamplingFreq = samplingFreq; //----- tone fslider_tone0 = 0.0f; fConst_tone0 = (15079.645508f / fSamplingFreq); fConst_tone1 = cosf(fConst_tone0); fConst_tone2 = (1.414214f * sinf(fConst_tone0)); fslider_tone1 = 0.0f; fConst_tone3 = (3769.911377f / fSamplingFreq); fConst_tone4 = cosf(fConst_tone3); fConst_tone5 = (1.414214f * sinf(fConst_tone3)); fslider_tone2 = 0.0f; zeroize(fVec_tone0, 3); zeroize(fRec_tone3, 3); zeroize(fRec_tone2, 3); zeroize(fRec_tone1, 3); zeroize(fRec_tone0, 3); // tone end zeroize(fVec_ltone0, 3); zeroize(fRec_ltone3, 3); zeroize(fRec_ltone2, 3); zeroize(fRec_ltone1, 3); zeroize(fRec_ltone0, 3); // engine state checky = (float)kEngineOn; fslider17 = 0.0f; zeroize(fRec46, 2); zeroize(fRec47, 2); fslider24 = 0.0f; fslider25 = 0.0f; // lets init the variables for the tonesettings fSlow_mid_tone = (fslider_tone1*0.5); fSlow_tone0 = powf(10, (2.500000e-02f * (fslider_tone0- fSlow_mid_tone))); fSlow_tone1 = (1 + fSlow_tone0); fSlow_tone2 = (fConst_tone1 * fSlow_tone1); fSlow_tone3 = (2 * (0 - ((1 + fSlow_tone2) - fSlow_tone0))); fSlow_tone4 = (fConst_tone1 * (fSlow_tone0 - 1)); fSlow_tone5 = (fConst_tone2 * sqrtf(fSlow_tone0)); fSlow_tone6 = (fSlow_tone1 - (fSlow_tone5 + fSlow_tone4)); fSlow_tone7 = powf(10, (2.500000e-02f * fSlow_mid_tone)); fSlow_tone8 = (1 + fSlow_tone7); fSlow_tone9 = (fConst_tone4 * fSlow_tone8); fSlow_tone10 = (2 * (0 - ((1 + fSlow_tone9) - fSlow_tone7))); fSlow_tone11 = (fSlow_tone7 - 1); fSlow_tone12 = (fConst_tone4 * fSlow_tone11); fSlow_tone13 = sqrtf(fSlow_tone7); fSlow_tone14 = (fConst_tone5 * fSlow_tone13); fSlow_tone15 = (fSlow_tone8 - (fSlow_tone14 + fSlow_tone12)); fSlow_tone16 = (fConst_tone1 * fSlow_tone8); fSlow_tone17 = (0 - (2 * ((fSlow_tone7 + fSlow_tone16) - 1))); fSlow_tone18 = (fConst_tone2 * fSlow_tone13); fSlow_tone19 = (fConst_tone1 * fSlow_tone11); fSlow_tone20 = ((1 + (fSlow_tone7 + fSlow_tone19)) - fSlow_tone18); fSlow_tone21 = powf(10, (2.500000e-02f * (fslider_tone2-fSlow_mid_tone))); fSlow_tone22 = (1 + fSlow_tone21); fSlow_tone23 = (fConst_tone4 * fSlow_tone22); fSlow_tone24 = (0 - (2 * ((fSlow_tone21 + fSlow_tone23) - 1))); fSlow_tone25 = (fConst_tone5 * sqrtf(fSlow_tone21)); fSlow_tone26 = (fConst_tone4 * (fSlow_tone21 - 1)); fSlow_tone27 = ((1 + (fSlow_tone21 + fSlow_tone26)) - fSlow_tone25); fSlow_tone28 = (2 * (0 - ((1 + fSlow_tone23) - fSlow_tone21))); fSlow_tone29 = (fSlow_tone21 + fSlow_tone25); fSlow_tone30 = ((1 + fSlow_tone29) - fSlow_tone26); fSlow_tone31 = (fSlow_tone22 - (fSlow_tone25 + fSlow_tone26)); fSlow_tone32 = (1.0f / (1 + (fSlow_tone26 + fSlow_tone29))); fSlow_tone33 = (fSlow_tone8 - (fSlow_tone18 + fSlow_tone19)); fSlow_tone34 = (2 * (0 - ((1 + fSlow_tone16) - fSlow_tone7))); fSlow_tone35 = (fSlow_tone7 + fSlow_tone18); fSlow_tone36 = ((1 + fSlow_tone35) - fSlow_tone19); fSlow_tone37 = (1.0f / (1 + (fSlow_tone19 + fSlow_tone35))); fSlow_tone38 = (fSlow_tone7 * ((1 + (fSlow_tone7 + fSlow_tone12)) - fSlow_tone14)); fSlow_tone39 = (fSlow_tone7 + fSlow_tone14); fSlow_tone40 = (fSlow_tone7 * (1 + (fSlow_tone12 + fSlow_tone39))); fSlow_tone41 = (((fSlow_tone7 + fSlow_tone9) - 1) * (0 - (2 * fSlow_tone7))); fSlow_tone42 = (1.0f / ((1 + fSlow_tone39) - fSlow_tone12)); fSlow_tone43 = (fSlow_tone0 * ((1 + (fSlow_tone0 + fSlow_tone4)) - fSlow_tone5)); fSlow_tone44 = (fSlow_tone0 + fSlow_tone5); fSlow_tone45 = (fSlow_tone0 * (1 + (fSlow_tone4 + fSlow_tone44))); fSlow_tone46 = (((fSlow_tone0 + fSlow_tone2) - 1) * (0 - (2 * fSlow_tone0))); fSlow_tone47 = (1.0f / ((1 + fSlow_tone44) - fSlow_tone4)); fslider_tone_check = (fslider_tone1+fslider_tone0+fslider_tone2)*100; fslider_tone_check1 = 0; gx_jconv::checkbox7 = 1.0; fjc_ingain = 0; zeroize(fRecinjc, 2); zeroize(fRecinjcr, 2); IOTAdel = 0; zeroize(fVecdel0,262144); fsliderdel0 = 0.0f; fConstdel0 = (1.000000e-03f * fSamplingFreq); zeroize(fVecdel1,262144); fsliderdel1 = 0.0f; fjc_ingain1 = 0.0f; filebutton = 0; fwarn = 0; // end engine init }