void AES_GCM_DECRYPT(octet *K,octet *IV,octet *H,octet *C,octet *P,octet *T)
{
gcm g;
gcm_init(&g,K->len,K->val,IV->len,IV->val);
gcm_add_header(&g,H->val,H->len);
gcm_add_cipher(&g,GCM_DECRYPTING,P->val,C->len,C->val);
P->len=C->len;
gcm_finish(&g,T->val);
T->len=16;
}
ret_code_t pm_init(void)
{
ret_code_t err_code;
err_code = pdb_register(pdb_evt_handler);
if (err_code != NRF_SUCCESS)
{
if (err_code != NRF_ERROR_INVALID_STATE)
{
err_code = NRF_ERROR_INTERNAL;
}
return err_code;
}
err_code = sm_register(sm_evt_handler);
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
err_code = gcm_init(gcm_evt_handler);
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
err_code = im_register(im_evt_handler);
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
m_pm.pairing_flag_id = ble_conn_state_user_flag_acquire();
if (m_pm.pairing_flag_id == BLE_CONN_STATE_USER_FLAG_INVALID)
{
return NRF_ERROR_INTERNAL;
}
m_pm.bonding_flag_id = ble_conn_state_user_flag_acquire();
if (m_pm.bonding_flag_id == BLE_CONN_STATE_USER_FLAG_INVALID)
{
return NRF_ERROR_INTERNAL;
}
m_pm.initialized = true;
return NRF_SUCCESS;
}
/**
* @Brief AES-GCM encrypt and tag buffer
*
* @param[in] key Encryption key
* @param[in] keyLength Key buffer length, in bytes, must be 16,24 or 32
* @param[in] plainText Buffer to be encrypted
* @param[in] plainTextLength Length in bytes of buffer to be encrypted
* @param[in] authenticatedData Buffer holding additional data to be used in tag computation
* @param[in] authenticatedDataLength Additional data length in bytes
* @param[in] initializationVector Buffer holding the initialisation vector
* @param[in] initializationVectorLength Initialisation vector length in bytes
* @param[out] tag Buffer holding the generated tag
* @param[in] tagLength Requested length for the generated tag
* @param[out] output Buffer holding the output, shall be at least the length of plainText buffer
*/
int32_t bctbx_aes_gcm_encrypt_and_tag(const uint8_t *key, size_t keyLength,
const uint8_t *plainText, size_t plainTextLength,
const uint8_t *authenticatedData, size_t authenticatedDataLength,
const uint8_t *initializationVector, size_t initializationVectorLength,
uint8_t *tag, size_t tagLength,
uint8_t *output) {
gcm_context gcmContext;
int ret;
ret = gcm_init(&gcmContext, key, keyLength*8);
if (ret != 0) return ret;
ret = gcm_crypt_and_tag(&gcmContext, GCM_ENCRYPT, plainTextLength, initializationVector, initializationVectorLength, authenticatedData, authenticatedDataLength, plainText, output, tagLength, tag);
return ret;
}
/**
* @Brief AES-GCM decrypt, compute authentication tag and compare it to the one provided
*
* @param[in] key Encryption key
* @param[in] keyLength Key buffer length, in bytes, must be 16,24 or 32
* @param[in] cipherText Buffer to be decrypted
* @param[in] cipherTextLength Length in bytes of buffer to be decrypted
* @param[in] authenticatedData Buffer holding additional data to be used in auth tag computation
* @param[in] authenticatedDataLength Additional data length in bytes
* @param[in] initializationVector Buffer holding the initialisation vector
* @param[in] initializationVectorLength Initialisation vector length in bytes
* @param[in] tag Buffer holding the authentication tag
* @param[in] tagLength Length in bytes for the authentication tag
* @param[out] output Buffer holding the output, shall be at least the length of cipherText buffer
*
* @return 0 on succes, BCTBX_ERROR_AUTHENTICATION_FAILED if tag doesn't match or polarssl error code
*/
int32_t bctbx_aes_gcm_decrypt_and_auth(const uint8_t *key, size_t keyLength,
const uint8_t *cipherText, size_t cipherTextLength,
const uint8_t *authenticatedData, size_t authenticatedDataLength,
const uint8_t *initializationVector, size_t initializationVectorLength,
const uint8_t *tag, size_t tagLength,
uint8_t *output) {
gcm_context gcmContext;
int ret;
ret = gcm_init(&gcmContext, key, keyLength*8);
if (ret != 0) return ret;
ret = gcm_auth_decrypt(&gcmContext, cipherTextLength, initializationVector, initializationVectorLength, authenticatedData, authenticatedDataLength, tag, tagLength, cipherText, output);
if (ret == POLARSSL_ERR_GCM_AUTH_FAILED) {
return BCTBX_ERROR_AUTHENTICATION_FAILED;
}
return ret;
}
/*! \brief Decrypt data using AES GCM
*
* AES is run as a block cypher in the GCM mode of operation. The key size is 128 bits.
* This function will decrypt any data length.
*
* @param key 128 bit secret key
* @param IV 96 bit initialization vector
* @param header Additional authenticated data (AAD). This data is authenticated, but not decrypted.
* @param ciphertext Encrypted data.
* @return plaintext Decrypted data. It is the same length as the ciphertext.
* @return tag 128 bit authentication tag.
* @return rtn Returns 0 if successful or else an error code
*/
AESGCM_EXPORT int aesGcmDecrypt(char* key, char* IV, char* header, int headerLength,
char* ciphertext, int ciphertextLength, char* plaintext,
char* tag)
{
gcm g;
int keyLength=AS;
int tagLength=AS;
gcm_init(&g,keyLength,key,IVLength,IV);
if(!gcm_add_header(&g,header,headerLength))
{
return AES_INIT_ERROR;
}
if(!gcm_add_cipher(&g,GCM_DECRYPTING,plaintext,ciphertextLength,ciphertext))
{
return AES_DECRYPT_ERROR;
}
gcm_finish(&g,tag);
tagLength=16;
return 0;
}
TEE_Result tee_authenc_init(
void *ctx, uint32_t algo, TEE_OperationMode mode, const uint8_t *key,
size_t key_len, const uint8_t *nonce,
size_t nonce_len, size_t tag_len, size_t aad_len, size_t payload_len)
{
TEE_Result res;
int ltc_res;
int ltc_cipherindex;
unsigned char *payload, *res_payload;
struct tee_ccm_state *ccm;
struct tee_gcm_state *gcm;
res = tee_algo_to_ltc_cipherindex(algo, <c_cipherindex);
if (res != TEE_SUCCESS)
return TEE_ERROR_NOT_SUPPORTED;
switch (algo) {
case TEE_ALG_AES_CCM:
/* Check the key length */
if ((!key) || (key_len > TEE_CCM_KEY_MAX_LENGTH))
return TEE_ERROR_BAD_PARAMETERS;
/* check the nonce */
if (nonce_len > TEE_CCM_NONCE_MAX_LENGTH)
return TEE_ERROR_BAD_PARAMETERS;
/* check the tag len */
if ((tag_len < 4) ||
(tag_len > TEE_CCM_TAG_MAX_LENGTH) ||
(tag_len % 2 != 0))
return TEE_ERROR_NOT_SUPPORTED;
/* allocate payload */
payload = malloc(payload_len + TEE_CCM_KEY_MAX_LENGTH);
if (!payload)
return TEE_ERROR_OUT_OF_MEMORY;
res_payload = malloc(payload_len + TEE_CCM_KEY_MAX_LENGTH);
if (!res_payload) {
free(payload);
return TEE_ERROR_OUT_OF_MEMORY;
}
/* initialize the structure */
ccm = ctx;
memset(ccm, 0, sizeof(struct tee_ccm_state));
memcpy(ccm->key, key, key_len);
ccm->key_len = key_len; /* the key length */
if (nonce && nonce_len) {
memcpy(ccm->nonce, nonce, nonce_len);
ccm->nonce_len = nonce_len;
} else {
ccm->nonce_len = 0;
}
ccm->tag_len = tag_len;
ccm->aad_len = aad_len;
ccm->payload_len = payload_len;
ccm->payload = payload;
ccm->res_payload = res_payload;
ccm->ltc_cipherindex = ltc_cipherindex;
if (ccm->aad_len) {
ccm->header = malloc(ccm->aad_len);
if (!ccm->header) {
free(payload);
free(res_payload);
return TEE_ERROR_OUT_OF_MEMORY;
}
}
/* memset the payload to 0 that will be used for padding */
memset(ccm->payload, 0, payload_len + TEE_CCM_KEY_MAX_LENGTH);
break;
case TEE_ALG_AES_GCM:
/* reset the state */
gcm = ctx;
memset(gcm, 0, sizeof(struct tee_gcm_state));
gcm->tag_len = tag_len;
ltc_res = gcm_init(
&gcm->ctx, ltc_cipherindex, key, key_len);
if (ltc_res != CRYPT_OK)
return TEE_ERROR_BAD_STATE;
/* Add the IV */
ltc_res = gcm_add_iv(&gcm->ctx, nonce, nonce_len);
if (ltc_res != CRYPT_OK)
return TEE_ERROR_BAD_STATE;
break;
default:
return TEE_ERROR_NOT_SUPPORTED;
}
return TEE_SUCCESS;
}
PlaintextMessage EncryptedMessage::decrypt(const G2& P, const G2& Ppub, G1 D, PFC *pfc) {
G2 uCalc;
G2 U = (*autData).getU();
Big ud_hash = (*pfc).hash_to_aes_key((*pfc).pairing(U,D));
Big ses_key;
Big r;
int nbOfRecipients = (*autData).getNbOfRecipients();
Big W;
Big V = (*autData).getV();
Big rho, rho_hash;
vector <Big> ws = (*autData).getEncryptedRecipientKeys();
char P_text[Clen];
bool integrity = false;
time_t begin_time = clock();
int i = 0;
while(U != uCalc && i < nbOfRecipients){
// rho = V XOR Hash(e(D,U))
W=ws.at(i);
rho = lxor(W, ud_hash);
// M = W XOR Hash(rho)
(*pfc).start_hash();
(*pfc).add_to_hash(rho);
rho_hash = (*pfc).finish_hash_to_group();
ses_key = lxor(V, rho_hash);
// r = Hash(rho,M)
(*pfc).start_hash();
(*pfc).add_to_hash(rho);
(*pfc).add_to_hash(ses_key);
r = (*pfc).finish_hash_to_group();
uCalc = (*pfc).mult(P,r);
i++;
}
cout << "ses_key is " << endl << ses_key << endl;
/*************************************************
* AES GCM part of the decryption step *
**************************************************/
to_binary(ses_key, HASH_LEN, sessionKey, TRUE);
char k1[HASH_LEN/2];
char iv[HASH_LEN/2];
char Tdec[TAG_LEN];
memset(P_text, 0, Clen+1);
getIV(iv);
getK1(k1);
int Alen = (*autData).getLength();
char A[Alen];
(*autData).encodeTo(A);
gcm g;
gcm_init(&g, HASH_LEN/2, k1, HASH_LEN/2, iv);
gcm_add_header(&g, A, Alen);
gcm_add_cipher(&g, GCM_DECRYPTING, P_text, Clen, C);
gcm_finish(&g, Tdec);
integrity = true;
for (int j = 0; j < TAG_LEN; j++) {
if(Tdec[j] != T[j]) {
integrity = false;
}
}
if(integrity == false) {
cout << "Received tag T does not correspond to decrypted T. There are some integrity issues here." << endl;
} else {
cout << "Successful integrity check!" << endl;
}
message = (string)P_text;
return PlaintextMessage(message);
}
struct item *symmetric_encryption(struct item *key, struct item *payload)
/*@ requires [?f]world(?pub, ?key_clsfy) &*&
principal(?principal1, ?count1) &*&
[_]pub(nonce_item(principal1, count1 + 1, 0)) &*&
item(payload, ?pay, pub) &*& item(key, ?k, pub) &*&
k == symmetric_key_item(?principal2, ?count2); @*/
/*@ ensures [f]world(pub, key_clsfy) &*&
principal(principal1, count1 + 2) &*&
item(payload, pay, pub) &*& item(key, k, pub) &*&
item(result, ?enc, pub) &*&
col ? true :
enc == symmetric_encrypted_item(principal2, count2,
some(pay), ?ent); @*/
{
//@ open [f]world(pub, key_clsfy);
debug_print("ENCRYPTING:\n");
print_item(payload);
struct item* result;
result = malloc(sizeof(struct item));
if (result == 0) abort_crypto_lib("Malloc failed");
{
gcm_context gcm_context;
char iv_buffer[GCM_IV_SIZE];
char *iv;
char *result_cs;
char *encrypted;
//@ open item(key, k, pub);
//@ assert key->content |-> ?k_cont &*& key->size |-> ?k_size;
check_valid_symmetric_key_item_size(key->size);
//@ open [_]item_constraints(k, ?k_cs0, pub);
//@ assert [_]ic_parts(k)(?k_tag, ?k_cs);
//@ crypto_chars_limits(k_cont);
//@ crypto_chars_split(k_cont, TAG_LENGTH);
//@ WELL_FORMED(k_tag, k_cs, TAG_SYMMETRIC_KEY)
//@ assert crypto_chars(secret, k_cont, TAG_LENGTH, k_tag);
//@ assert crypto_chars(secret, k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs);
//@ cryptogram k_cg = cg_symmetric_key(principal2, count2);
//@ if (col) k_cg = chars_for_cg_sur(k_cs, tag_symmetric_key);
//@ if (col) crypto_chars_to_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
//@ if (col) public_chars_extract(k_cont + TAG_LENGTH, k_cg);
//@ if (col) chars_to_secret_crypto_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
//@ close cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
//@ close gcm_context(&gcm_context);
if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES, (key->content + TAG_LENGTH),
(unsigned int) GCM_KEY_SIZE * 8) != 0)
abort_crypto_lib("Init gcm failed");
//@ assert gcm_context_initialized(&gcm_context, ?p, ?c);
//@ assert col || (p == principal2 && c == count2);
//@ open cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
//@ crypto_chars_join(k_cont);
//@ close item(key, k, pub);
//@ open item(payload, pay, pub);
//@ open [_]item_constraints(pay, ?pay_cs, pub);
//@ assert payload->content |-> ?p_cont &*& payload->size |-> ?p_size;
//@ crypto_chars_limits(p_cont);
if (payload->size >= INT_MAX - TAG_LENGTH - GCM_IV_SIZE - GCM_MAC_SIZE ||
payload->size < MINIMAL_STRING_SIZE)
abort_crypto_lib("Gcm encryption failed: incorrect sizes");
result->size = TAG_LENGTH + GCM_IV_SIZE + GCM_MAC_SIZE + payload->size;
result->content = malloc(result->size);
//@ assert result->content |-> ?r_cont &*& result->size |-> ?r_size;
if (result->content == 0)
abort_crypto_lib("Malloc failed");
//@ chars_split(r_cont, TAG_LENGTH);
write_tag(result->content, TAG_SYMMETRIC_ENC);
//@ assert chars(r_cont, TAG_LENGTH, ?tag_cs);
//@ public_chars(r_cont, TAG_LENGTH);
//@ assert tag_cs == full_tag(TAG_SYMMETRIC_ENC);
//@ assert chars(r_cont + TAG_LENGTH, GCM_IV_SIZE + p_size, _);
//@ chars_split(r_cont + TAG_LENGTH, GCM_IV_SIZE);
iv = result->content + TAG_LENGTH;
//@ close nonce_request(principal1, 0);
//@ close [f]world(pub, key_clsfy);
create_havege_random(iv, GCM_IV_SIZE);
//@ open cryptogram(iv, GCM_IV_SIZE, ?iv_cs, ?iv_cg);
memcpy(iv_buffer, iv, GCM_IV_SIZE);
//@ close cryptogram(iv, GCM_IV_SIZE, iv_cs, iv_cg);
//@ close polarssl_pub(pub)(iv_cg);
//@ leak polarssl_pub(pub)(iv_cg);
//@ public_cryptogram(iv, iv_cg);
//@ public_chars(iv, GCM_IV_SIZE);
encrypted = iv + GCM_IV_SIZE;
//@ chars_split(encrypted, GCM_MAC_SIZE);
//@ open principal(principal1, count1 + 1);
if (gcm_crypt_and_tag(&gcm_context, GCM_ENCRYPT,
(unsigned int) payload->size, iv_buffer,
GCM_IV_SIZE, NULL, 0, payload->content,
encrypted + GCM_MAC_SIZE,
GCM_MAC_SIZE, encrypted) != 0)
abort_crypto_lib("Gcm encryption failed");
//@ close principal(principal1, count1 + 2);
zeroize(iv_buffer, GCM_IV_SIZE);
//@ assert crypto_chars(secret, encrypted, GCM_MAC_SIZE, ?mac_cs);
//@ assert crypto_chars(secret, encrypted + GCM_MAC_SIZE, p_size, ?enc_cs);
//@ crypto_chars_join(encrypted);
//@ assert exists(?enc_cg);
//@ list<char> cg_cs = append(mac_cs, enc_cs);
//@ assert cg_cs == chars_for_cg(enc_cg);
//@ list<char> cont_cs = append(iv_cs, cg_cs);
//@ take_append(GCM_IV_SIZE, iv_cs, cg_cs);
//@ drop_append(GCM_IV_SIZE, iv_cs, cg_cs);
//@ list<char> cs = append(tag_cs, cont_cs);
//@ take_append(TAG_LENGTH, tag_cs, cont_cs);
//@ drop_append(TAG_LENGTH, tag_cs, cont_cs);
//@ item enc;
//@ list<char> ent = append(iv_cs, iv_cs);
//@ take_append(GCM_IV_SIZE, iv_cs, iv_cs);
//@ drop_append(GCM_IV_SIZE, iv_cs, iv_cs);
/*@ if (col)
{
enc_cg = chars_for_cg_sur(cg_cs, tag_auth_encrypted);
assert enc_cg == cg_auth_encrypted(?p0, ?c0, ?pay0, ?iv0);
ent = append(iv_cs, iv0);
take_append(GCM_IV_SIZE, iv_cs, iv0);
drop_append(GCM_IV_SIZE, iv_cs, iv0);
enc = symmetric_encrypted_item(p0, c0, some(pay), ent);
public_chars(encrypted, GCM_MAC_SIZE + p_size);
assert chars(encrypted, GCM_MAC_SIZE + p_size, cg_cs);
chars_join(iv);
chars_join(r_cont);
assert chars(r_cont, r_size, cs);
public_chars(r_cont, r_size);
public_generated_split(polarssl_pub(pub), cs, TAG_LENGTH);
close ic_sym_enc(enc)(iv0, cg_cs);
}
else
{
assert enc_cg == cg_auth_encrypted(principal2, count2, pay_cs, iv_cs);
enc = symmetric_encrypted_item(principal2, count2, some(pay), ent);
close polarssl_pub(pub)(cg_nonce(principal1, count1 + 1));
leak polarssl_pub(pub)(cg_nonce(principal1, count1 + 1));
public_generated(polarssl_pub(pub), cg_nonce(principal1, count1 + 1));
chars_to_secret_crypto_chars(iv, GCM_IV_SIZE);
crypto_chars_join(iv);
chars_to_secret_crypto_chars(r_cont, TAG_LENGTH);
crypto_chars_join(r_cont);
assert crypto_chars(secret, r_cont, r_size, cs);
close ic_sym_enc(enc)(iv_cs, cg_cs);
}
@*/
//@ well_formed_item_constraints(pay, enc);
//@ close ic_cg(enc)(cg_cs, enc_cg);
//@ close ic_parts(enc)(tag_cs, cont_cs);
//@ WELL_FORMED(tag_cs, cont_cs, TAG_SYMMETRIC_ENC)
//@ close item_constraints(enc, cs, pub);
//@ leak item_constraints(enc, cs, pub);
//@ close item(result, enc, pub);
//@ close item(payload, pay, pub);
gcm_free(&gcm_context);
//@ open gcm_context(&gcm_context);
}
debug_print("ENCRYPTING RESULT:\n");
print_item(result);
return result;
}
struct item *symmetric_decryption(struct item *key, struct item *item)
/*@ requires [?f]world(?pub, ?key_clsfy) &*&
item(item, ?enc, pub) &*&
enc == symmetric_encrypted_item(?principal1, ?count1,
?pay, ?ent) &*&
item(key, ?k, pub) &*&
k == symmetric_key_item(?principal2, ?count2); @*/
/*@ ensures [f]world(pub, key_clsfy) &*&
item(item, enc, pub) &*& item(key, k, pub) &*&
item(result, ?dec, pub) &*&
col ? [_]pub(dec) :
switch(pay)
{
case some(dec2):
return principal1 == principal2 &&
count1 == count2 && dec == dec2;
case none:
return false;
}; @*/
{
debug_print("DECRYPTING:\n");
print_item(item);
check_is_symmetric_encrypted(item);
//@ open [f]world(pub, key_clsfy);
struct item* result;
result = malloc(sizeof(struct item));
if (result == 0) abort_crypto_lib("Malloc failed");
{
gcm_context gcm_context;
char *iv;
char iv_buffer[GCM_IV_SIZE];
char *encrypted;
//@ open item(key, k, pub);
//@ assert key->content |-> ?k_cont &*& key->size |-> ?k_size;
check_valid_symmetric_key_item_size(key->size);
//@ open [_]item_constraints(k, ?k_cs0, pub);
//@ assert [_]ic_parts(k)(?k_tag, ?k_cs);
//@ crypto_chars_limits(k_cont);
//@ crypto_chars_split(k_cont, TAG_LENGTH);
//@ WELL_FORMED(k_tag, k_cs, TAG_SYMMETRIC_KEY)
//@ assert crypto_chars(secret, k_cont, TAG_LENGTH, k_tag);
//@ assert crypto_chars(secret, k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs);
//@ cryptogram k_cg = cg_symmetric_key(principal2, count2);
//@ if (col) k_cg = chars_for_cg_sur(k_cs, tag_symmetric_key);
//@ if (col) crypto_chars_to_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
//@ if (col) public_chars_extract(k_cont + TAG_LENGTH, k_cg);
//@ if (col) chars_to_secret_crypto_chars(k_cont + TAG_LENGTH, GCM_KEY_SIZE);
//@ close cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
//@ close gcm_context(&gcm_context);
if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES, (key->content + TAG_LENGTH),
(unsigned int) GCM_KEY_SIZE * 8) != 0)
abort_crypto_lib("Init gcm failed");
//@ assert gcm_context_initialized(&gcm_context, ?p, ?c);
//@ assert col || (p == principal2 && c == count2);
//@ open cryptogram(k_cont + TAG_LENGTH, GCM_KEY_SIZE, k_cs, k_cg);
//@ crypto_chars_join(k_cont);
//@ close item(key, k, pub);
//@ open item(item, enc, pub);
//@ assert item->content |-> ?i_cont &*& item->size |-> ?i_size;
//@ open [_]item_constraints(enc, ?cs, pub);
//@ open [_]ic_parts(enc)(?enc_tag, ?enc_cont);
//@ open [_]ic_cg(enc)(_, ?enc_cg);
//@ take_append(TAG_LENGTH, enc_tag, enc_cont);
//@ drop_append(TAG_LENGTH, enc_tag, enc_cont);
//@ open [_]ic_sym_enc(enc)(?enc_iv, ?cg_cs);
//@ assert true == well_formed(cs, nat_length(cs));
//@ close [1/2]hide_crypto_chars(_, i_cont, i_size, cs);
check_valid_symmetric_encrypted_item_size(item->size);
//@ assert length(cs) > TAG_LENGTH + GCM_IV_SIZE;
int size = item->size - TAG_LENGTH - GCM_IV_SIZE - GCM_MAC_SIZE;
if (size <= MINIMAL_STRING_SIZE) abort_crypto_lib("Gcm decryption failed");
//@ crypto_chars_limits(i_cont);
//@ crypto_chars_split(i_cont, TAG_LENGTH);
iv = item->content + TAG_LENGTH;
//@ crypto_chars_split(iv, GCM_IV_SIZE);
//@ assert [1/2]crypto_chars(secret, iv, GCM_IV_SIZE, ?iv_cs);
memcpy(iv_buffer, iv, GCM_IV_SIZE);
//@ assert cs == append(enc_tag, enc_cont);
//@ assert enc_cont == append(iv_cs, cg_cs);
//@ public_crypto_chars(iv, GCM_IV_SIZE);
//@ chars_to_secret_crypto_chars(iv, GCM_IV_SIZE);
encrypted = iv + GCM_IV_SIZE;
//@ crypto_chars_limits(encrypted);
//@ crypto_chars_split(encrypted, GCM_MAC_SIZE);
//@ assert [1/2]crypto_chars(secret, encrypted, GCM_MAC_SIZE, ?mac_cs);
/*@ assert [1/2]crypto_chars(secret, encrypted + GCM_MAC_SIZE,
size, ?enc_cs); @*/
//@ assert cg_cs == append(mac_cs, enc_cs);
result->size = size;
result->content = malloc(size);
if (result->content == 0) abort_crypto_lib("Malloc failed");
//@ assert result->content |-> ?r_cont &*& result->size |-> size;
//@ if (col) enc_cg = chars_for_cg_sur(cg_cs, tag_auth_encrypted);
//@ close exists(enc_cg);
if (gcm_auth_decrypt(&gcm_context, (unsigned int) size,
iv_buffer, GCM_IV_SIZE, NULL, 0, encrypted,
GCM_MAC_SIZE, encrypted + GCM_MAC_SIZE,
result->content) != 0)
abort_crypto_lib("Gcm decryption failed");
//@ assert crypto_chars(secret, r_cont, size, ?dec_cs);
//@ assert col || enc_cg == cg_auth_encrypted(principal1, count1, dec_cs, iv_cs);
//@ crypto_chars_join(encrypted);
//@ crypto_chars_join(iv);
//@ crypto_chars_join(i_cont);
//@ open [1/2]hide_crypto_chars(_, i_cont, i_size, cs);
//@ close item(item, enc, pub);
gcm_free(&gcm_context);
//@ open gcm_context(&gcm_context);
zeroize(iv_buffer, GCM_IV_SIZE);
//@ close [f]world(pub, key_clsfy);
/*@ if (col)
{
crypto_chars_to_chars(r_cont, size);
chars_to_crypto_chars(r_cont, size);
}
else
{
assert enc == symmetric_encrypted_item(principal1, count1,
pay, ent);
assert enc_cg == cg_auth_encrypted(principal1, count1,
dec_cs, enc_iv);
switch(pay)
{
case some(pay1):
assert [_]item_constraints(pay1, dec_cs, pub);
case none:
open [_]ill_formed_item_chars(enc)(dec_cs);
assert [_]public_generated(polarssl_pub(pub))(dec_cs);
public_crypto_chars(r_cont, size);
chars_to_crypto_chars(r_cont, size);
}
}
@*/
parse_item(result->content, size);
/*@ if (col)
{
public_chars(r_cont, size);
chars_to_secret_crypto_chars(r_cont, size);
retreive_proof_obligations();
deserialize_item(dec_cs, pub);
leak proof_obligations(pub);
}
@*/
//@ assert crypto_chars(secret, r_cont, size, dec_cs);
//@ assert [_]item_constraints(?r, dec_cs, pub);
//@ close item(result, r, pub);
}
debug_print("DECRYPTING RESULT:\n");
print_item(result);
return result;
}
ret_code_t pm_init(void)
{
ret_code_t err_code;
err_code = pds_init();
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
err_code = pdb_init();
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
err_code = sm_init();
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
err_code = smd_init();
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
err_code = gcm_init();
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
err_code = gscm_init();
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
err_code = im_init();
if (err_code != NRF_SUCCESS)
{
return NRF_ERROR_INTERNAL;
}
internal_state_reset();
m_pairing_flag_id = ble_conn_state_user_flag_acquire();
if (m_pairing_flag_id == BLE_CONN_STATE_USER_FLAG_INVALID)
{
return NRF_ERROR_INTERNAL;
}
m_bonding_flag_id = ble_conn_state_user_flag_acquire();
if (m_bonding_flag_id == BLE_CONN_STATE_USER_FLAG_INVALID)
{
return NRF_ERROR_INTERNAL;
}
m_peer_rank_initialized = false;
m_module_initialized = true;
return NRF_SUCCESS;
}
static int gcm_camellia_setkey_wrap( void *ctx, const unsigned char *key,
unsigned int key_length )
{
return gcm_init( (gcm_context *) ctx, POLARSSL_CIPHER_ID_CAMELLIA,
key, key_length );
}
void app_send(char *key, char *message, int message_len)
/*@ requires polarssl_generated_values(?creator, ?count1) &*&
[?f0]polarssl_world(sc_auth_polarssl_pub) &*&
[?f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, ?key_cs, ?key_cg) &*&
key_cg == polarssl_symmetric_key(creator, ?key_id) &*&
[?f2]chars(message, message_len, ?m_cs) &*&
message_len >= POLARSSL_MIN_ENCRYPTED_BYTE_SIZE &*&
message_len < POLARSSL_MAX_MESSAGE_BYTE_SIZE - 84 &*&
bad(creator) ?
[_]polarssl_public_generated_chars(sc_auth_polarssl_pub)(m_cs)
:
true == app_send_event(creator, m_cs);
@*/
/*@ ensures polarssl_generated_values(creator, ?count2) &*& count2 > count1 &*&
[f0]polarssl_world(sc_auth_polarssl_pub) &*&
[f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg) &*&
[f2]chars(message, message_len, m_cs);
@*/
{
int socket;
havege_state havege_state;
char iv[16];
// init
{
net_usleep(20000);
if(net_connect(&socket, NULL, APP_RECEIVE_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
//@ close havege_state(&havege_state);
havege_init(&havege_state);
}
// iv stuff
{
//@ close random_request(creator, 0, false);
if (havege_random(&havege_state, iv, 16) != 0) abort();
}
//@ open polarssl_cryptogram(iv, 16, ?iv_cs, _);
char* m = malloc(16 + message_len + 16);
if (m == 0) abort();
memcpy(m, iv, 16);
//@ assert chars(m, 16, iv_cs);
//@ assert chars(m + 16, message_len + 16, ?cs1);
//@ polarssl_public_generated_chars_assume(sc_auth_polarssl_pub, iv_cs);
// encrypt message
{
unsigned int temp;
gcm_context gcm_context;
//@ close gcm_context(&gcm_context);
//@ open [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg);
//@ close polarssl_key_id(creator, key_id);
if (gcm_init(&gcm_context, POLARSSL_AES_CIPHER_ID, key,
(unsigned int) KEY_BYTE_SIZE * 8) != 0) abort();
//@ close [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg);
//@ chars_split(m + 16, message_len);
if (gcm_crypt_and_tag(&gcm_context, POLARSSL_GCM_ENCRYPT,
(unsigned int) message_len,
iv, 16, NULL, 0, message, m + 16, 16,
(char*) ((m + 16) + message_len)) != 0)
abort();
gcm_free(&gcm_context);
//@ open gcm_context(&gcm_context);
}
//@ assert polarssl_cryptogram(m + 16, message_len, ?e_cs, ?e_cg);
/*@ assert e_cg == polarssl_auth_encrypted(
creator, key_id, ?t_cs, m_cs, iv_cs); @*/
//@ close sc_auth_polarssl_pub(e_cg);
//@ leak sc_auth_polarssl_pub(e_cg);
/*@ polarssl_public_message_from_cryptogram(
sc_auth_polarssl_pub, m + 16, message_len, e_cs, e_cg); @*/
/*@ open polarssl_public_message(sc_auth_polarssl_pub)
(m + 16, message_len, e_cs); @*/
//@ assert chars(m + 16 + message_len, 16, t_cs);
//@ chars_join(m);
//@ chars_join(m);
//@ assert chars(m, 16 + message_len + 16, ?cs);
//@ append_assoc(iv_cs, e_cs, t_cs);
//@ assert cs == append(iv_cs, append(e_cs, t_cs));
//@ polarssl_public_generated_chars_assume(sc_auth_polarssl_pub, t_cs);
/*@ polarssl_public_generated_chars_join(
sc_auth_polarssl_pub, iv_cs, e_cs); @*/
/*@ polarssl_public_generated_chars_join(
sc_auth_polarssl_pub, append(iv_cs, e_cs), t_cs); @*/
/*@ close polarssl_public_message(sc_auth_polarssl_pub)
(m, 16 + message_len + 16,
append(iv_cs, append(e_cs, t_cs))); @*/
net_send(&socket, m, (unsigned int) 16 + (unsigned int) message_len + 16);
//@ open polarssl_public_message(sc_auth_polarssl_pub)(m, _, _);
{
free(m);
havege_free(&havege_state);
//@ open havege_state(&havege_state);
net_close(socket);
}
}
int app_receive(char *key, char **message)
/*@ requires [?f0]polarssl_world(sc_auth_polarssl_pub) &*&
[?f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, ?key_cs, ?key_cg) &*&
key_cg == polarssl_symmetric_key(?creator, ?key_id) &*&
pointer(message, _);
@*/
/*@ ensures [f0]polarssl_world(sc_auth_polarssl_pub) &*&
[f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg) &*&
pointer(message, ?message_p) &*&
malloc_block(message_p, result) &*&
chars(message_p, result, ?m_cs) &*&
bad(creator) ?
[_]polarssl_public_generated_chars(sc_auth_polarssl_pub)(m_cs)
:
true == app_send_event(creator, m_cs);
@*/
{
int socket1;
int socket2;
int size;
int result_size;
char buffer[POLARSSL_MAX_MESSAGE_BYTE_SIZE];
char iv[16];
char tag[16];
char* encrypted;
char* decrypted;
// Receive message
if(net_bind(&socket1, NULL, APP_RECEIVE_PORT) != 0)
abort();
if(net_accept(socket1, &socket2, NULL) != 0)
abort();
if(net_set_block(socket2) != 0)
abort();
size = net_recv(&socket2, buffer, POLARSSL_MAX_MESSAGE_BYTE_SIZE);
if (size < 16 + POLARSSL_MIN_ENCRYPTED_BYTE_SIZE + 16)
abort();
//@ open polarssl_public_message(sc_auth_polarssl_pub)(buffer, size, ?cs);
//@ close [1/2]hide_chars(buffer, size, cs);
result_size = size - 16 - 16;
encrypted = malloc(result_size);
if (encrypted == 0) abort();
decrypted = malloc(result_size);
if (decrypted == 0) abort();
// Extract parts of message
memcpy(iv, buffer, 16);
memcpy(encrypted, (void*) buffer + 16, (unsigned int) result_size);
memcpy(tag, (void*) buffer + 16 + result_size, 16);
//@ assert chars(iv, 16, ?iv_cs);
//@ assert chars(encrypted, result_size, ?e_cs);
//@ assert chars(tag, 16, ?t_cs);
//@ chars_join(buffer);
//@ chars_join(buffer);
//@ open [1/2]hide_chars(buffer, size, cs);
//@ close [1/2]hide_chars(buffer, size, cs);
//@ assert cs == append(iv_cs, append(e_cs, t_cs));
// Decrypt message
{
gcm_context gcm_context;
//@ close gcm_context(&gcm_context);
//@ open [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg);
//@ close polarssl_key_id(creator, key_id);
if (gcm_init(&gcm_context, POLARSSL_AES_CIPHER_ID, key,
(unsigned int) KEY_BYTE_SIZE * 8) != 0) abort();
/*@ assert gcm_context_initialized(&gcm_context,
some(pair(creator, key_id))); @*/
//@ close [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg);
//@ polarssl_public_generated_chars_split(sc_auth_polarssl_pub, cs, 16);
/*@ polarssl_public_generated_chars_split(
sc_auth_polarssl_pub, append(e_cs, t_cs), result_size); @*/
//@ assert chars(encrypted, result_size, e_cs);
if (gcm_auth_decrypt(&gcm_context, (unsigned int) result_size,
iv, 16, NULL, 0, tag, 16,
encrypted, decrypted) != 0) abort();
gcm_free(&gcm_context);
//@ open gcm_context(&gcm_context);
}
//@ assert chars(decrypted, result_size, ?dec_cs);
//@ chars_join(buffer);
//@ open [1/2]hide_chars(buffer, size, cs);
/*@ polarssl_cryptogram e_cg = polarssl_auth_encrypted(
creator, key_id, t_cs, dec_cs, iv_cs); @*/
//@ assert e_cs == polarssl_chars_for_cryptogram(e_cg);
//@ polarssl_cryptogram_constraints(e_cs, e_cg);
/*@ polarssl_public_generated_chars_extract(
sc_auth_polarssl_pub, e_cs, e_cg); @*/
//@ open [_]sc_auth_polarssl_pub(e_cg);
/*@ if (!bad(creator))
{
assert true == app_send_event(creator, dec_cs);
}
else
{
assert [_]polarssl_public_generated_chars(sc_auth_polarssl_pub)(dec_cs);
}
@*/
net_close(socket1);
net_close(socket2);
free(encrypted);
*message = decrypted;
return result_size;
}
int main( int argc, char *argv[] )
{
int keysize, i;
unsigned char tmp[200];
char title[TITLE_LEN];
todo_list todo;
if( argc == 1 )
memset( &todo, 1, sizeof( todo ) );
else
{
memset( &todo, 0, sizeof( todo ) );
for( i = 1; i < argc; i++ )
{
if( strcmp( argv[i], "md4" ) == 0 )
todo.md4 = 1;
else if( strcmp( argv[i], "md5" ) == 0 )
todo.md5 = 1;
else if( strcmp( argv[i], "ripemd160" ) == 0 )
todo.ripemd160 = 1;
else if( strcmp( argv[i], "sha1" ) == 0 )
todo.sha1 = 1;
else if( strcmp( argv[i], "sha256" ) == 0 )
todo.sha256 = 1;
else if( strcmp( argv[i], "sha512" ) == 0 )
todo.sha512 = 1;
else if( strcmp( argv[i], "arc4" ) == 0 )
todo.arc4 = 1;
else if( strcmp( argv[i], "des3" ) == 0 )
todo.des3 = 1;
else if( strcmp( argv[i], "des" ) == 0 )
todo.des = 1;
else if( strcmp( argv[i], "aes_cbc" ) == 0 )
todo.aes_cbc = 1;
else if( strcmp( argv[i], "aes_gcm" ) == 0 )
todo.aes_gcm = 1;
else if( strcmp( argv[i], "camellia" ) == 0 )
todo.camellia = 1;
else if( strcmp( argv[i], "blowfish" ) == 0 )
todo.blowfish = 1;
else if( strcmp( argv[i], "havege" ) == 0 )
todo.havege = 1;
else if( strcmp( argv[i], "ctr_drbg" ) == 0 )
todo.ctr_drbg = 1;
else if( strcmp( argv[i], "hmac_drbg" ) == 0 )
todo.hmac_drbg = 1;
else if( strcmp( argv[i], "rsa" ) == 0 )
todo.rsa = 1;
else if( strcmp( argv[i], "dhm" ) == 0 )
todo.dhm = 1;
else if( strcmp( argv[i], "ecdsa" ) == 0 )
todo.ecdsa = 1;
else if( strcmp( argv[i], "ecdh" ) == 0 )
todo.ecdh = 1;
else
{
printf( "Unrecognized option: %s\n", argv[i] );
printf( "Available options:" OPTIONS );
}
}
}
printf( "\n" );
memset( buf, 0xAA, sizeof( buf ) );
#if defined(POLARSSL_MD4_C)
if( todo.md4 )
TIME_AND_TSC( "MD4", md4( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_MD5_C)
if( todo.md5 )
TIME_AND_TSC( "MD5", md5( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_RIPEMD160_C)
if( todo.ripemd160 )
TIME_AND_TSC( "RIPEMD160", ripemd160( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_SHA1_C)
if( todo.sha1 )
TIME_AND_TSC( "SHA-1", sha1( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_SHA256_C)
if( todo.sha256 )
TIME_AND_TSC( "SHA-256", sha256( buf, BUFSIZE, tmp, 0 ) );
#endif
#if defined(POLARSSL_SHA512_C)
if( todo.sha512 )
TIME_AND_TSC( "SHA-512", sha512( buf, BUFSIZE, tmp, 0 ) );
#endif
#if defined(POLARSSL_ARC4_C)
if( todo.arc4 )
{
arc4_context arc4;
arc4_setup( &arc4, tmp, 32 );
TIME_AND_TSC( "ARC4", arc4_crypt( &arc4, BUFSIZE, buf, buf ) );
}
#endif
#if defined(POLARSSL_DES_C) && defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.des3 )
{
des3_context des3;
des3_set3key_enc( &des3, tmp );
TIME_AND_TSC( "3DES",
des3_crypt_cbc( &des3, DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
}
if( todo.des )
{
des_context des;
des_setkey_enc( &des, tmp );
TIME_AND_TSC( "DES",
des_crypt_cbc( &des, DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
}
#endif
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.aes_cbc )
{
aes_context aes;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "AES-CBC-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
aes_setkey_enc( &aes, tmp, keysize );
TIME_AND_TSC( title,
aes_crypt_cbc( &aes, AES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
}
}
#endif
#if defined(POLARSSL_GCM_C)
if( todo.aes_gcm )
{
gcm_context gcm;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "AES-GCM-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
gcm_init( &gcm, POLARSSL_CIPHER_ID_AES, tmp, keysize );
TIME_AND_TSC( title,
gcm_crypt_and_tag( &gcm, GCM_ENCRYPT, BUFSIZE, tmp,
12, NULL, 0, buf, buf, 16, tmp ) );
gcm_free( &gcm );
}
}
#endif
#endif
#if defined(POLARSSL_CAMELLIA_C) && defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.camellia )
{
camellia_context camellia;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "CAMELLIA-CBC-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
camellia_setkey_enc( &camellia, tmp, keysize );
TIME_AND_TSC( title,
camellia_crypt_cbc( &camellia, CAMELLIA_ENCRYPT,
BUFSIZE, tmp, buf, buf ) );
}
}
#endif
#if defined(POLARSSL_BLOWFISH_C) && defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.blowfish )
{
blowfish_context blowfish;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "BLOWFISH-CBC-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
blowfish_setkey( &blowfish, tmp, keysize );
TIME_AND_TSC( title,
blowfish_crypt_cbc( &blowfish, BLOWFISH_ENCRYPT, BUFSIZE,
tmp, buf, buf ) );
}
}
#endif
#if defined(POLARSSL_HAVEGE_C)
if( todo.havege )
{
havege_state hs;
havege_init( &hs );
TIME_AND_TSC( "HAVEGE", havege_random( &hs, buf, BUFSIZE ) );
}
#endif
#if defined(POLARSSL_CTR_DRBG_C)
if( todo.ctr_drbg )
{
ctr_drbg_context ctr_drbg;
if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
exit(1);
TIME_AND_TSC( "CTR_DRBG (NOPR)",
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1) );
if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
exit(1);
ctr_drbg_set_prediction_resistance( &ctr_drbg, CTR_DRBG_PR_ON );
TIME_AND_TSC( "CTR_DRBG (PR)",
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1) );
}
void attacker_send_auth_decrypted(havege_state *havege_state, void* socket)
//@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
//@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
int temp;
int size1;
int size2;
char buffer1[MAX_MESSAGE_SIZE];
char buffer2[MAX_MESSAGE_SIZE];
char buffer3[MAX_MESSAGE_SIZE];
gcm_context gcm_context;
char iv[16];
//@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE);
size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE);
if (size1 <= 16 || size2 <= 16 ||
(size1 != 16 && size1 != 24 && size1 != 32))
{
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
return;
}
//@ close gcm_context(&gcm_context);
//@ interpret_symmetric_key(buffer1, size1);
//@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key);
//@ assert cg_key == cg_symmetric_key(?p, ?c);
if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES,
buffer1, (unsigned int) size1 * 8) == 0)
{
if (get_iv(havege_state, iv) == 0)
{
//@ assert crypto_chars(normal, iv, 16, ?ccs_iv);
//@ assert chars(buffer2, size2, ?cs2);
//@ interpret_auth_encrypted(buffer2, size2);
//@ open cryptogram(buffer2, size2, ?ccs2, ?cg_enc);
//@ cs_to_ccs_crypto_chars(buffer2, cs2);
//@ chars_to_crypto_chars(buffer2, size2);
//@ close exists(cg_enc);
//@ assert cg_enc == cg_auth_encrypted(?p2, ?c2, ?ccs_output2, ?ccs_iv2);
//@ crypto_chars_split(buffer2, 16);
if (gcm_auth_decrypt(&gcm_context, (unsigned int) size2 - 16,
iv, 16, NULL, 0, buffer2, 16,
(void*) buffer2 + 16, buffer3) == 0)
{
/*@ if (!col)
{
assert crypto_chars(secret, buffer3, size2 - 16, ?ccs_output);
ccs_output == ccs_output2;
ccs_iv == ccs_iv2;
assert ccs2 == ccs_for_cg(cg_enc);
assert [_]pub(cg_enc);
assert is_public_auth_decryption_is_public(?proof3, pub, pred);
proof3(cg_key, cg_enc);
public_crypto_chars(buffer3, size2 - 16);
chars_to_crypto_chars(buffer3, size2 - 16);
}
@*/
zeroize(iv, 16);
//@ chars_to_crypto_chars(iv, 16);
}
//@ crypto_chars_to_chars(buffer3, size2 - 16);
net_send(socket, buffer3, (unsigned int) size2 - 16);
//@ crypto_chars_to_chars(buffer2, 16);
//@ crypto_chars_to_chars((void*) buffer2 + 16, size2 - 16);
//@ chars_join(buffer2);
}
//@ crypto_chars_to_chars(iv, 16);
gcm_free(&gcm_context);
}
//@ open gcm_context(&gcm_context);
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
//@ public_cryptogram(buffer1, cg_key);
}
void attacker_send_auth_encrypted(havege_state *havege_state, void* socket)
//@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
//@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
int temp;
int size1;
int size2;
char buffer1[MAX_MESSAGE_SIZE];
char buffer2[MAX_MESSAGE_SIZE];
char buffer3[MAX_MESSAGE_SIZE];
gcm_context gcm_context;
char iv[16];
//@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE);
size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE);
if (size1 <= 0 || size2 <= 16 || size2 > MAX_MESSAGE_SIZE - 16 ||
(size1 != 16 && size1 != 24 && size1 != 32))
{
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
return;
}
//@ assert chars(buffer1, size1, ?cs1);
//@ assert chars(buffer2, size2, ?cs2);
//@ close gcm_context(&gcm_context);
//@ interpret_symmetric_key(buffer1, size1);
//@ assert cryptogram(buffer1, size1, cs_to_ccs(cs1), ?cg_key);
//@ assert cg_key == cg_symmetric_key(?p, ?c);
if (gcm_init(&gcm_context, POLARSSL_CIPHER_ID_AES,
buffer1, (unsigned int) size1 * 8) == 0)
{
if (get_iv(havege_state, iv) == 0)
{
//@ chars_to_crypto_chars(buffer2, size2);
//@ chars_split(buffer3, 16);
if (gcm_crypt_and_tag(&gcm_context, GCM_ENCRYPT,
(unsigned int) size2, iv, 16, NULL, 0,
buffer2, (void*) buffer3 + 16, 16, buffer3) == 0)
{
/*@
{
crypto_chars_to_chars(buffer2, size2);
public_chars(buffer2, size2);
chars_to_crypto_chars(buffer2, size2);
assert exists(?cg_enc);
assert is_public_auth_encryption_is_public(?proof2, pub, pred);
proof2(cg_enc);
assert crypto_chars(secret, buffer3, 16, ?ccs_tag);
assert crypto_chars(secret, (void*) buffer3 + 16, size2, ?ccs_enc);
public_cg_ccs(cg_enc);
public_ccs_split(append(ccs_tag, ccs_enc), 16);
take_append(16, ccs_tag, ccs_enc);
drop_append(16, ccs_tag, ccs_enc);
public_crypto_chars(buffer3, 16);
public_crypto_chars((void*) buffer3 + 16, size2);
}
@*/
net_send(socket, buffer3, (unsigned int) size2 + 16);
//@ chars_to_crypto_chars(buffer3, 16);
//@ chars_to_crypto_chars((void*) buffer3 + 16, size2);
}
//@ crypto_chars_to_chars(buffer2, size2);
//@ crypto_chars_join(buffer3);
//@ crypto_chars_to_chars(buffer3, size2 + 16);
}
gcm_free(&gcm_context);
//@ crypto_chars_to_chars(iv, 16);
}
//@ open gcm_context(&gcm_context);
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
//@ public_cryptogram(buffer1, cg_key);
}
/**
Process an entire GCM packet in one call.
@param cipher Index of cipher to use
@param key The secret key
@param keylen The length of the secret key
@param IV The initial vector
@param IVlen The length of the initial vector
@param adata The additional authentication data (header)
@param adatalen The length of the adata
@param pt The plaintext
@param ptlen The length of the plaintext (ciphertext length is the same)
@param ct The ciphertext
@param tag [out] The MAC tag
@param taglen [in/out] The MAC tag length
@param direction Encrypt or Decrypt mode (GCM_ENCRYPT or GCM_DECRYPT)
@return CRYPT_OK on success
*/
int gcm_memory( int cipher,
const unsigned char *key, unsigned long keylen,
const unsigned char *IV, unsigned long IVlen,
const unsigned char *adata, unsigned long adatalen,
unsigned char *pt, unsigned long ptlen,
unsigned char *ct,
unsigned char *tag, unsigned long *taglen,
int direction)
{
void *orig;
gcm_state *gcm;
int err;
if ((err = cipher_is_valid(cipher)) != CRYPT_OK) {
return err;
}
if (cipher_descriptor[cipher].accel_gcm_memory != NULL) {
return
cipher_descriptor[cipher].accel_gcm_memory
(key, keylen,
IV, IVlen,
adata, adatalen,
pt, ptlen,
ct,
tag, taglen,
direction);
}
#ifndef LTC_GCM_TABLES_SSE2
orig = gcm = XMALLOC(sizeof(*gcm));
#else
orig = gcm = XMALLOC(sizeof(*gcm) + 16);
#endif
if (gcm == NULL) {
return CRYPT_MEM;
}
/* Force GCM to be on a multiple of 16 so we can use 128-bit aligned operations
* note that we only modify gcm and keep orig intact. This code is not portable
* but again it's only for SSE2 anyways, so who cares?
*/
#ifdef LTC_GCM_TABLES_SSE2
if ((unsigned long)gcm & 15) {
gcm = (gcm_state *)((unsigned long)gcm + (16 - ((unsigned long)gcm & 15)));
}
#endif
if ((err = gcm_init(gcm, cipher, key, keylen)) != CRYPT_OK) {
goto LTC_ERR;
}
if ((err = gcm_add_iv(gcm, IV, IVlen)) != CRYPT_OK) {
goto LTC_ERR;
}
if ((err = gcm_add_aad(gcm, adata, adatalen)) != CRYPT_OK) {
goto LTC_ERR;
}
if ((err = gcm_process(gcm, pt, ptlen, ct, direction)) != CRYPT_OK) {
goto LTC_ERR;
}
err = gcm_done(gcm, tag, taglen);
LTC_ERR:
XFREE(orig);
return err;
}
static int gcm_aes_setkey_wrap( void *ctx, const unsigned char *key,
unsigned int key_length )
{
return gcm_init( (gcm_context *) ctx, POLARSSL_CIPHER_ID_AES,
key, key_length );
}
