int main(int argc, char ** argv) {
entropy_context entropy;
// initialize our AES context
aes_init(&aes);
entropy_init(&entropy);
//int ret;
if (argc != 2) {
printf("usage: %s client\n", argv[0]);
return 0;
}
if(__init()) {
printf(" * Exiting \n");
goto exit;
}
if(kvstore_dhm(pfd, &aes, argv[1], enckey, KVSTORE_AESKEY_LEN)) {
printf("\n ! DHM failed... Exiting");
goto exit;
}
// to derive the IV, we just hash the key
// assumed safe, the key IV is updated on each encryption
entropy_func(&entropy, iv, KVSTORE_AESIV_LEN);
send_commands();
exit:
aes_free(&aes);
printf("\n");
return 0;
}
/**
* \brief Function to encrypt or decrypt bytes.
*
* \param[in] enc_mode Set whether to encrypt or decrypt
* \param[in] aes_key The bytes to encrypt
* \param[in] plain_txt The bytes to encrypt
* \param[in] plain_txt_size The number of bytes to encrypt
* \param[in] cypher_txt The encryption of plain_text
* \param[in] iv The initialization vector
*
* \return Status of execution. Return 0 for success.
*/
uint8_t cademo_aes_crypt(uint8_t enc_mode, uint8_t* aes_key, uint8_t* plain_txt, uint16_t* plain_txt_size, uint8_t* cypher_txt, uint8_t* iv)
{
uint8_t ret = ATCA_SUCCESS;
uint16_t keysize = AES_KEY_SIZE;
aes_context aes_ctx;
/* Initialize the AES context */
aes_init(&aes_ctx);
/* Set the encryption key */
if (enc_mode == MODE_ENCRYPT) ret = aes_setkey_enc(&aes_ctx, aes_key, keysize * 8);
/* Set the decryption key */
if (enc_mode == MODE_DECRYPT) ret = aes_setkey_dec(&aes_ctx, aes_key, keysize * 8);
/* Call the AES function to encrypt or decrypt */
ret = aes_crypt_cbc(&aes_ctx, enc_mode, *plain_txt_size, iv, plain_txt, cypher_txt);
aes_free(&aes_ctx);
return ret;
}
static void aes_ctx_free( void *ctx )
{
aes_free( (aes_context *) ctx );
polarssl_free( ctx );
}
void sender(char *enc_key, char *hmac_key, char *msg, unsigned int msg_len)
/*@ requires [_]public_invar(enc_then_hmac_pub) &*&
principal(?sender, _) &*&
[?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*&
[?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*&
enc_key_cg == cg_symmetric_key(sender, ?enc_id) &*&
hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*&
cg_info(hmac_key_cg) == enc_id &*&
shared_with(sender, enc_id) == shared_with(sender, hmac_id) &*&
[?f3]crypto_chars(secret, msg, msg_len, ?msg_ccs) &*&
MAX_SIZE >= msg_len &*& msg_len >= MINIMAL_STRING_SIZE &*&
bad(sender) || bad(shared_with(sender, enc_id)) ?
[_]public_ccs(msg_ccs)
:
true == send(sender, shared_with(sender, enc_id), msg_ccs); @*/
/*@ ensures principal(sender, _) &*&
[f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*&
[f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*&
[f3]crypto_chars(secret, msg, msg_len, msg_ccs); @*/
{
//@ open principal(sender, _);
int socket;
havege_state havege_state;
char iv[16];
unsigned int iv_off = 0;
char hmac[64];
aes_context aes_context;
net_usleep(20000);
if(net_connect(&socket, NULL, SERVER_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
{
int message_len = 16 + (int) msg_len + 64;
char* message = malloc(message_len);
if (message == 0) abort();
// IV stuff
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ close random_request(sender, 0, false);
if (havege_random(&havege_state, iv, 16) != 0) abort();
//@ open cryptogram(iv, 16, ?iv_ccs, ?iv_cg);
//@ close enc_then_hmac_pub(iv_cg);
//@ leak enc_then_hmac_pub(iv_cg);
memcpy(message, iv, 16);
//@ close cryptogram(message, 16, iv_ccs, iv_cg);
//@ public_cryptogram(message, iv_cg);
//@ assert chars(message, 16, ?iv_cs);
//@ public_chars(message, 16);
havege_free(&havege_state);
//@ open havege_state(&havege_state);
// encrypt
//@ close aes_context(&aes_context);
if (aes_setkey_enc(&aes_context, enc_key,
(unsigned int) (KEY_SIZE * 8)) != 0)
abort();
if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT, msg_len,
&iv_off, iv, msg, message + 16) != 0)
abort();
//@ open cryptogram(message + 16, msg_len, ?enc_ccs, ?enc_cg);
//@ close cryptogram(message + 16, msg_len, enc_ccs, enc_cg);
//@ close enc_then_hmac_pub(enc_cg);
//@ leak enc_then_hmac_pub(enc_cg);
//@ public_cryptogram(message + 16, enc_cg);
//@ assert chars(message + 16, msg_len, ?enc_cs);
//@ public_chars(message + 16, msg_len);
//@ assert chars(message, 16 + msg_len, append(iv_cs, enc_cs));
//@ assert enc_cg == cg_encrypted(sender, enc_id, msg_ccs, iv_ccs);
zeroize(iv, 16);
aes_free(&aes_context);
//@ open aes_context(&aes_context);
// hmac
//@ chars_to_crypto_chars(message, 16 + msg_len);
//@ HASH_PUB_PAYLOAD(append(iv_cs, enc_cs))
sha512_hmac(hmac_key, KEY_SIZE, message,
(unsigned int) (16 + (int) msg_len),
message + 16 + (int) msg_len, 0);
//@ assert cryptogram(message + 16 + msg_len, 64, ?hmac_ccs, ?hmac_cg);
//@ cs_to_ccs_append(iv_cs, enc_cs);
//@ assert hmac_cg == cg_hmac(sender, hmac_id, append(iv_ccs, enc_ccs));
/*@ if (!col && !enc_then_hmac_public_key(sender, enc_id, true))
close enc_then_hmac_pub_1(enc_id, msg_ccs, iv_ccs); @*/
/*@ if (col || enc_then_hmac_public_key(sender, enc_id, true))
{
assert [_]public_ccs(iv_ccs);
assert [_]public_ccs(enc_ccs);
public_ccs_join(iv_ccs, enc_ccs);
}
@*/
//@ close enc_then_hmac_pub(hmac_cg);
//@ leak enc_then_hmac_pub(hmac_cg);
//@ public_cryptogram(message + 16 + msg_len, hmac_cg);
//@ assert chars(message + 16 + msg_len, 64, ?hmac_cs);
//@ append_assoc(iv_ccs, enc_ccs, hmac_ccs);
//@ append_assoc(iv_cs, enc_cs, hmac_cs);
//@ cs_to_ccs_crypto_chars(message, append(iv_cs, enc_cs));
/*@ assert chars(message, message_len,
append(iv_cs, append(enc_cs, hmac_cs))); @*/
net_send(&socket, message, (unsigned int) message_len);
free(message);
}
net_close(socket);
//@ close principal(sender, _);
}
int receiver(char *enc_key, char *hmac_key, char *msg)
/*@ requires [_]public_invar(enc_then_hmac_pub) &*&
[_]decryption_key_classifier(enc_then_hmac_public_key) &*&
principal(?receiver, _) &*&
[?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*&
[?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*&
enc_key_cg == cg_symmetric_key(?sender, ?enc_id) &*&
hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*&
cg_info(hmac_key_cg) == enc_id &*&
receiver == shared_with(sender, enc_id) &*&
receiver == shared_with(sender, hmac_id) &*&
chars(msg, MAX_SIZE, _); @*/
/*@ ensures principal(receiver, _) &*&
[f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*&
[f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*&
chars(msg + result, MAX_SIZE - result, _) &*&
crypto_chars(?kind, msg, result, ?msg_ccs) &*&
col || bad(sender) || bad(receiver) ||
(kind == secret && send(sender, receiver, msg_ccs)); @*/
{
//@ open principal(receiver, _);
int socket1;
int socket2;
int size;
int enc_size;
char iv[16];
unsigned int iv_off = 0;
char hmac[64];
aes_context aes_context;
if(net_bind(&socket1, NULL, SERVER_PORT) != 0)
abort();
if(net_accept(socket1, &socket2, NULL) != 0)
abort();
if(net_set_block(socket2) != 0)
abort();
{
int max_size = 16 + MAX_SIZE + 64;
char *buffer = malloc (max_size); if (buffer == 0) abort();
size = net_recv(&socket2, buffer, (unsigned int) max_size);
if (size <= 16 + 64) abort();
enc_size = size - 16 - 64;
if (enc_size < MINIMAL_STRING_SIZE) abort();
//@ chars_split(buffer, size);
//@ assert chars(buffer, size, ?all_cs);
//@ close hide_chars((void*) buffer + size, max_size - size, _);
//Verify the hmac
//@ chars_split(buffer, size - 64);
//@ public_chars(buffer + size - 64, 64);
//@ assert chars(buffer + size - 64, 64, ?hmac_cs);
//@ assert chars(buffer, size - 64, ?pay_cs);
//@ chars_to_crypto_chars(buffer, size - 64);
//@ HASH_PUB_PAYLOAD(pay_cs)
sha512_hmac(hmac_key, KEY_SIZE, buffer,
(unsigned int) (size - 64), hmac, 0);
//@ open cryptogram(hmac, 64, ?hmac_ccs, ?hmac_cg);
//@ chars_to_crypto_chars((void*) buffer + size - 64, 64);
//@ close memcmp_secret(hmac, 64, hmac_ccs, hmac_cg);
if (memcmp((void*) buffer + size - 64, hmac, 64) != 0) abort();
/*@ if (!col)
{
public_ccs_cg(hmac_cg);
public_crypto_chars(hmac, 64);
}
else
{
crypto_chars_to_chars(hmac, 64);
}
@*/
//@ assert all_cs == append(pay_cs, hmac_cs);
// IV stuff
//@ cs_to_ccs_crypto_chars(buffer, pay_cs);
//@ chars_split(buffer, 16);
//@ assert chars(buffer, 16, ?iv_cs);
//@ chars_to_crypto_chars(buffer, 16);
//@ assert crypto_chars(normal, buffer, 16, ?iv_ccs);
memcpy(iv, buffer, 16);
//@ cs_to_ccs_crypto_chars(iv, iv_cs);
//@ interpret_nonce(iv, 16);
//@ open cryptogram(iv, 16, iv_ccs, ?iv_cg);
//Decrypt
//@ assert chars(buffer + 16, enc_size, ?enc_cs);
//@ interpret_encrypted(buffer + 16, enc_size);
//@ open cryptogram(buffer + 16, enc_size, ?enc_ccs, ?enc_cg);
//@ close cryptogram(buffer + 16, enc_size, enc_ccs, enc_cg);
//@ assert enc_cg == cg_encrypted(?p2, ?c2, ?dec_ccs2, ?iv_ccs2);
//@ close aes_context(&aes_context);
if (aes_setkey_enc(&aes_context, enc_key,
(unsigned int) (KEY_SIZE * 8)) != 0)
abort();
//@ structure s = known_value(0, dec_ccs2);
//@ close decryption_pre(true, false, receiver, s, enc_ccs);
if (aes_crypt_cfb128(&aes_context, AES_DECRYPT, (unsigned int) enc_size,
&iv_off, iv, buffer + 16, msg) != 0)
abort();
//@ assert pay_cs == append(iv_cs, enc_cs);
//@ cs_to_ccs_append(iv_cs, enc_cs);
zeroize(iv, 16);
aes_free(&aes_context);
//@ open aes_context(&aes_context);
//@ public_cg_ccs(enc_cg);
//@ public_cryptogram(buffer + 16, enc_cg);
/*@ open decryption_post(true, ?garbage, receiver,
s, sender, enc_id, ?dec_ccs); @*/
/*@ if (!col)
{
open [_]enc_then_hmac_pub(hmac_cg);
open [_]enc_then_hmac_pub(enc_cg);
if (!enc_then_hmac_public_key(sender, enc_id, true))
{
assert [_]enc_then_hmac_pub_1(?id, ?dec_ccs3, ?ent);
cryptogram enc_cg3 = cg_encrypted(sender, id, dec_ccs3, ent);
take_append(16, iv_ccs, ccs_for_cg(enc_cg));
take_append(16, ent, ccs_for_cg(enc_cg3));
assert ent == iv_ccs;
drop_append(16, iv_ccs, ccs_for_cg(enc_cg));
drop_append(16, ent, ccs_for_cg(enc_cg3));
assert ccs_for_cg(enc_cg) == ccs_for_cg(enc_cg3);
ccs_for_cg_inj(enc_cg, enc_cg3);
assert dec_ccs2 == dec_ccs3;
close exists(pair(nil, nil));
close has_structure(dec_ccs2, s);
leak has_structure(dec_ccs2, s);
}
}
else
{
crypto_chars_to_chars(msg, enc_size);
chars_to_secret_crypto_chars(msg, enc_size);
}
@*/
//@ if (garbage) decryption_garbage(msg, enc_size, s);
//@ open hide_chars((void*) buffer + size, max_size - size, _);
//@ crypto_chars_to_chars(buffer, 16);
//@ crypto_chars_to_chars(buffer + size - 64, 64);
//@ chars_join(buffer);
//@ chars_join(buffer);
free(buffer);
}
net_close(socket2);
net_close(socket1);
return enc_size;
//@ close principal(receiver, _);
}
int main( int argc, char *argv[] )
{
int keysize, i;
unsigned char tmp[200];
char title[TITLE_LEN];
todo_list todo;
if( argc == 1 )
memset( &todo, 1, sizeof( todo ) );
else
{
memset( &todo, 0, sizeof( todo ) );
for( i = 1; i < argc; i++ )
{
if( strcmp( argv[i], "md4" ) == 0 )
todo.md4 = 1;
else if( strcmp( argv[i], "md5" ) == 0 )
todo.md5 = 1;
else if( strcmp( argv[i], "ripemd160" ) == 0 )
todo.ripemd160 = 1;
else if( strcmp( argv[i], "sha1" ) == 0 )
todo.sha1 = 1;
else if( strcmp( argv[i], "sha256" ) == 0 )
todo.sha256 = 1;
else if( strcmp( argv[i], "sha512" ) == 0 )
todo.sha512 = 1;
else if( strcmp( argv[i], "arc4" ) == 0 )
todo.arc4 = 1;
else if( strcmp( argv[i], "des3" ) == 0 )
todo.des3 = 1;
else if( strcmp( argv[i], "des" ) == 0 )
todo.des = 1;
else if( strcmp( argv[i], "aes_cbc" ) == 0 )
todo.aes_cbc = 1;
else if( strcmp( argv[i], "aes_gcm" ) == 0 )
todo.aes_gcm = 1;
else if( strcmp( argv[i], "aes_ccm" ) == 0 )
todo.aes_ccm = 1;
else if( strcmp( argv[i], "camellia" ) == 0 )
todo.camellia = 1;
else if( strcmp( argv[i], "blowfish" ) == 0 )
todo.blowfish = 1;
else if( strcmp( argv[i], "havege" ) == 0 )
todo.havege = 1;
else if( strcmp( argv[i], "ctr_drbg" ) == 0 )
todo.ctr_drbg = 1;
else if( strcmp( argv[i], "hmac_drbg" ) == 0 )
todo.hmac_drbg = 1;
else if( strcmp( argv[i], "rsa" ) == 0 )
todo.rsa = 1;
else if( strcmp( argv[i], "dhm" ) == 0 )
todo.dhm = 1;
else if( strcmp( argv[i], "ecdsa" ) == 0 )
todo.ecdsa = 1;
else if( strcmp( argv[i], "ecdh" ) == 0 )
todo.ecdh = 1;
else
{
polarssl_printf( "Unrecognized option: %s\n", argv[i] );
polarssl_printf( "Available options: " OPTIONS );
}
}
}
polarssl_printf( "\n" );
memset( buf, 0xAA, sizeof( buf ) );
memset( tmp, 0xBB, sizeof( tmp ) );
#if defined(POLARSSL_MD4_C)
if( todo.md4 )
TIME_AND_TSC( "MD4", md4( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_MD5_C)
if( todo.md5 )
TIME_AND_TSC( "MD5", md5( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_RIPEMD160_C)
if( todo.ripemd160 )
TIME_AND_TSC( "RIPEMD160", ripemd160( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_SHA1_C)
if( todo.sha1 )
TIME_AND_TSC( "SHA-1", sha1( buf, BUFSIZE, tmp ) );
#endif
#if defined(POLARSSL_SHA256_C)
if( todo.sha256 )
TIME_AND_TSC( "SHA-256", sha256( buf, BUFSIZE, tmp, 0 ) );
#endif
#if defined(POLARSSL_SHA512_C)
if( todo.sha512 )
TIME_AND_TSC( "SHA-512", sha512( buf, BUFSIZE, tmp, 0 ) );
#endif
#if defined(POLARSSL_ARC4_C)
if( todo.arc4 )
{
arc4_context arc4;
arc4_init( &arc4 );
arc4_setup( &arc4, tmp, 32 );
TIME_AND_TSC( "ARC4", arc4_crypt( &arc4, BUFSIZE, buf, buf ) );
arc4_free( &arc4 );
}
#endif
#if defined(POLARSSL_DES_C) && defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.des3 )
{
des3_context des3;
des3_init( &des3 );
des3_set3key_enc( &des3, tmp );
TIME_AND_TSC( "3DES",
des3_crypt_cbc( &des3, DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
des3_free( &des3 );
}
if( todo.des )
{
des_context des;
des_init( &des );
des_setkey_enc( &des, tmp );
TIME_AND_TSC( "DES",
des_crypt_cbc( &des, DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
des_free( &des );
}
#endif
#if defined(POLARSSL_AES_C)
#if defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.aes_cbc )
{
aes_context aes;
aes_init( &aes );
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "AES-CBC-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
aes_setkey_enc( &aes, tmp, keysize );
TIME_AND_TSC( title,
aes_crypt_cbc( &aes, AES_ENCRYPT, BUFSIZE, tmp, buf, buf ) );
}
aes_free( &aes );
}
#endif
#if defined(POLARSSL_GCM_C)
if( todo.aes_gcm )
{
gcm_context gcm;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "AES-GCM-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
gcm_init( &gcm, POLARSSL_CIPHER_ID_AES, tmp, keysize );
TIME_AND_TSC( title,
gcm_crypt_and_tag( &gcm, GCM_ENCRYPT, BUFSIZE, tmp,
12, NULL, 0, buf, buf, 16, tmp ) );
gcm_free( &gcm );
}
}
#endif
#if defined(POLARSSL_CCM_C)
if( todo.aes_ccm )
{
ccm_context ccm;
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "AES-CCM-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
ccm_init( &ccm, POLARSSL_CIPHER_ID_AES, tmp, keysize );
TIME_AND_TSC( title,
ccm_encrypt_and_tag( &ccm, BUFSIZE, tmp,
12, NULL, 0, buf, buf, tmp, 16 ) );
ccm_free( &ccm );
}
}
#endif
#endif
#if defined(POLARSSL_CAMELLIA_C) && defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.camellia )
{
camellia_context camellia;
camellia_init( &camellia );
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "CAMELLIA-CBC-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
camellia_setkey_enc( &camellia, tmp, keysize );
TIME_AND_TSC( title,
camellia_crypt_cbc( &camellia, CAMELLIA_ENCRYPT,
BUFSIZE, tmp, buf, buf ) );
}
camellia_free( &camellia );
}
#endif
#if defined(POLARSSL_BLOWFISH_C) && defined(POLARSSL_CIPHER_MODE_CBC)
if( todo.blowfish )
{
blowfish_context blowfish;
blowfish_init( &blowfish );
for( keysize = 128; keysize <= 256; keysize += 64 )
{
snprintf( title, sizeof( title ), "BLOWFISH-CBC-%d", keysize );
memset( buf, 0, sizeof( buf ) );
memset( tmp, 0, sizeof( tmp ) );
blowfish_setkey( &blowfish, tmp, keysize );
TIME_AND_TSC( title,
blowfish_crypt_cbc( &blowfish, BLOWFISH_ENCRYPT, BUFSIZE,
tmp, buf, buf ) );
}
blowfish_free( &blowfish );
}
#endif
#if defined(POLARSSL_HAVEGE_C)
if( todo.havege )
{
havege_state hs;
havege_init( &hs );
TIME_AND_TSC( "HAVEGE", havege_random( &hs, buf, BUFSIZE ) );
havege_free( &hs );
}
#endif
#if defined(POLARSSL_CTR_DRBG_C)
if( todo.ctr_drbg )
{
ctr_drbg_context ctr_drbg;
if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
exit(1);
TIME_AND_TSC( "CTR_DRBG (NOPR)",
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1) );
if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
exit(1);
ctr_drbg_set_prediction_resistance( &ctr_drbg, CTR_DRBG_PR_ON );
TIME_AND_TSC( "CTR_DRBG (PR)",
if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 )
exit(1) );
ctr_drbg_free( &ctr_drbg );
}
void attacker_send_decrypted(havege_state *havege_state, void* socket)
//@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
//@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
int temp;
int size1;
int size2;
char buffer1[MAX_MESSAGE_SIZE];
char buffer2[MAX_MESSAGE_SIZE];
char buffer3[MAX_MESSAGE_SIZE];
aes_context aes_context;
char iv[16];
size_t iv_off = 0;
//@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE);
size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE);
if (size1 <= 0 || size2 < MINIMAL_STRING_SIZE ||
(size1 != 16 && size1 != 24 && size1 != 32))
{
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
return;
}
//@ close aes_context(&aes_context);
//@ interpret_symmetric_key(buffer1, size1);
//@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key);
//@ assert cg_key == cg_symmetric_key(?p, ?c);
if (aes_setkey_enc(&aes_context, buffer1, (unsigned int) size1 * 8) == 0)
{
if (get_iv(havege_state, iv) == 0)
{
//@ assert crypto_chars(normal, iv, 16, ?ccs_iv);
//@ interpret_encrypted(buffer2, size2);
//@ open cryptogram(buffer2, size2, ?ccs2, ?cg_enc);
//@ close cryptogram(buffer2, size2, ccs2, cg_enc);
//@ assert cg_enc == cg_encrypted(?p2, ?c2, ?ccs_output2, ?ccs_iv2);
//@ structure s = known_value(0, nil);
//@ close decryption_pre(true, false, attacker, s, ccs2);
int success = aes_crypt_cfb128(&aes_context, AES_DECRYPT,
(unsigned int) size2, &iv_off, iv,
buffer2, buffer3);
if (success == 0) zeroize(iv, 16);
//@ if (success == 0) chars_to_crypto_chars(iv, 16);
//@ open decryption_post(true, ?garbage, attacker, s, p, c, ?ccs_output);
/*@ if (garbage)
{
assert is_public_key_classifier(?proof, _, _, _);
proof(cg_key, p, c, true);
decryption_garbage(buffer3, size2, s);
}
else if (success == 0)
{
assert crypto_chars(secret, buffer3, size2, ccs_output);
assert ccs_output == ccs_output2;
assert ccs_iv == ccs_iv2;
assert ccs2 == ccs_for_cg(cg_enc);
public_ccs_cg(cg_enc);
assert [_]pub(cg_enc);
assert is_public_decryption_is_public(?proof2, pub, pred);
proof2(cg_key, cg_enc);
public_crypto_chars(buffer3, size2);
chars_to_crypto_chars(buffer3, size2);
}
@*/
//@ crypto_chars_to_chars(buffer3, size2);
net_send(socket, buffer3, (unsigned int) size2);
//@ public_cryptogram(buffer2, cg_enc);
}
aes_free(&aes_context);
//@ crypto_chars_to_chars(iv, 16);
}
//@ open aes_context(&aes_context);
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
//@ public_cryptogram(buffer1, cg_key);
}
void attacker_send_encrypted(havege_state *havege_state, void* socket)
//@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker);
//@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
{
int temp;
int size1;
int size2;
char buffer1[MAX_MESSAGE_SIZE];
char buffer2[MAX_MESSAGE_SIZE];
char buffer3[MAX_MESSAGE_SIZE];
aes_context aes_context;
size_t iv_off = 0;
char iv[16];
//@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE);
size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE);
if (size1 <= 0 || size2 < MINIMAL_STRING_SIZE ||
(size1 != 16 && size1 != 24 && size1 != 32))
{
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
return;
}
//@ close aes_context(&aes_context);
//@ interpret_symmetric_key(buffer1, size1);
//@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key);
//@ assert cg_key == cg_symmetric_key(?p, ?c);
if (aes_setkey_enc(&aes_context, buffer1, (unsigned int) size1 * 8) == 0)
{
if (get_iv(havege_state, iv) == 0)
{
//@ assert crypto_chars(normal, iv, 16, ?ccs_iv);
//@ chars_to_crypto_chars(buffer2, size2);
if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT,
(unsigned int) size2, &iv_off, iv, buffer2,
buffer3) == 0)
{
/*@
{
assert cryptogram(buffer3, size2, ?ccs_enc, ?cg_enc);
assert cg_enc == cg_encrypted(p, c, ?cs2, ccs_iv);
assert [_]pub(cg_key);
assert is_public_encryption_is_public(?proof2, pub, pred);
crypto_chars_to_chars(buffer2, size2);
public_chars(buffer2, size2);
proof2(cg_enc);
public_cryptogram(buffer3, cg_enc);
chars_to_crypto_chars(buffer2, size2);
}
@*/
net_send(socket, buffer3, (unsigned int) size2);
}
//@ crypto_chars_to_chars(buffer2, size2);
}
aes_free(&aes_context);
//@ open aes_context(&aes_context);
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
//@ public_cryptogram(buffer1, cg_symmetric_key(p, c));
//@ crypto_chars_to_chars(iv, 16);
return;
}
//@ open aes_context(&aes_context);
//@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker);
//@ public_cryptogram(buffer1, cg_symmetric_key(p, c));
return;
}
