int main(int argc, char ** argv) { entropy_context entropy; // initialize our AES context aes_init(&aes); entropy_init(&entropy); //int ret; if (argc != 2) { printf("usage: %s client\n", argv[0]); return 0; } if(__init()) { printf(" * Exiting \n"); goto exit; } if(kvstore_dhm(pfd, &aes, argv[1], enckey, KVSTORE_AESKEY_LEN)) { printf("\n ! DHM failed... Exiting"); goto exit; } // to derive the IV, we just hash the key // assumed safe, the key IV is updated on each encryption entropy_func(&entropy, iv, KVSTORE_AESIV_LEN); send_commands(); exit: aes_free(&aes); printf("\n"); return 0; }
/** * \brief Function to encrypt or decrypt bytes. * * \param[in] enc_mode Set whether to encrypt or decrypt * \param[in] aes_key The bytes to encrypt * \param[in] plain_txt The bytes to encrypt * \param[in] plain_txt_size The number of bytes to encrypt * \param[in] cypher_txt The encryption of plain_text * \param[in] iv The initialization vector * * \return Status of execution. Return 0 for success. */ uint8_t cademo_aes_crypt(uint8_t enc_mode, uint8_t* aes_key, uint8_t* plain_txt, uint16_t* plain_txt_size, uint8_t* cypher_txt, uint8_t* iv) { uint8_t ret = ATCA_SUCCESS; uint16_t keysize = AES_KEY_SIZE; aes_context aes_ctx; /* Initialize the AES context */ aes_init(&aes_ctx); /* Set the encryption key */ if (enc_mode == MODE_ENCRYPT) ret = aes_setkey_enc(&aes_ctx, aes_key, keysize * 8); /* Set the decryption key */ if (enc_mode == MODE_DECRYPT) ret = aes_setkey_dec(&aes_ctx, aes_key, keysize * 8); /* Call the AES function to encrypt or decrypt */ ret = aes_crypt_cbc(&aes_ctx, enc_mode, *plain_txt_size, iv, plain_txt, cypher_txt); aes_free(&aes_ctx); return ret; }
static void aes_ctx_free( void *ctx ) { aes_free( (aes_context *) ctx ); polarssl_free( ctx ); }
void sender(char *enc_key, char *hmac_key, char *msg, unsigned int msg_len) /*@ requires [_]public_invar(enc_then_hmac_pub) &*& principal(?sender, _) &*& [?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*& [?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*& enc_key_cg == cg_symmetric_key(sender, ?enc_id) &*& hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*& cg_info(hmac_key_cg) == enc_id &*& shared_with(sender, enc_id) == shared_with(sender, hmac_id) &*& [?f3]crypto_chars(secret, msg, msg_len, ?msg_ccs) &*& MAX_SIZE >= msg_len &*& msg_len >= MINIMAL_STRING_SIZE &*& bad(sender) || bad(shared_with(sender, enc_id)) ? [_]public_ccs(msg_ccs) : true == send(sender, shared_with(sender, enc_id), msg_ccs); @*/ /*@ ensures principal(sender, _) &*& [f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*& [f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*& [f3]crypto_chars(secret, msg, msg_len, msg_ccs); @*/ { //@ open principal(sender, _); int socket; havege_state havege_state; char iv[16]; unsigned int iv_off = 0; char hmac[64]; aes_context aes_context; net_usleep(20000); if(net_connect(&socket, NULL, SERVER_PORT) != 0) abort(); if(net_set_block(socket) != 0) abort(); { int message_len = 16 + (int) msg_len + 64; char* message = malloc(message_len); if (message == 0) abort(); // IV stuff //@ close havege_state(&havege_state); havege_init(&havege_state); //@ close random_request(sender, 0, false); if (havege_random(&havege_state, iv, 16) != 0) abort(); //@ open cryptogram(iv, 16, ?iv_ccs, ?iv_cg); //@ close enc_then_hmac_pub(iv_cg); //@ leak enc_then_hmac_pub(iv_cg); memcpy(message, iv, 16); //@ close cryptogram(message, 16, iv_ccs, iv_cg); //@ public_cryptogram(message, iv_cg); //@ assert chars(message, 16, ?iv_cs); //@ public_chars(message, 16); havege_free(&havege_state); //@ open havege_state(&havege_state); // encrypt //@ close aes_context(&aes_context); if (aes_setkey_enc(&aes_context, enc_key, (unsigned int) (KEY_SIZE * 8)) != 0) abort(); if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT, msg_len, &iv_off, iv, msg, message + 16) != 0) abort(); //@ open cryptogram(message + 16, msg_len, ?enc_ccs, ?enc_cg); //@ close cryptogram(message + 16, msg_len, enc_ccs, enc_cg); //@ close enc_then_hmac_pub(enc_cg); //@ leak enc_then_hmac_pub(enc_cg); //@ public_cryptogram(message + 16, enc_cg); //@ assert chars(message + 16, msg_len, ?enc_cs); //@ public_chars(message + 16, msg_len); //@ assert chars(message, 16 + msg_len, append(iv_cs, enc_cs)); //@ assert enc_cg == cg_encrypted(sender, enc_id, msg_ccs, iv_ccs); zeroize(iv, 16); aes_free(&aes_context); //@ open aes_context(&aes_context); // hmac //@ chars_to_crypto_chars(message, 16 + msg_len); //@ HASH_PUB_PAYLOAD(append(iv_cs, enc_cs)) sha512_hmac(hmac_key, KEY_SIZE, message, (unsigned int) (16 + (int) msg_len), message + 16 + (int) msg_len, 0); //@ assert cryptogram(message + 16 + msg_len, 64, ?hmac_ccs, ?hmac_cg); //@ cs_to_ccs_append(iv_cs, enc_cs); //@ assert hmac_cg == cg_hmac(sender, hmac_id, append(iv_ccs, enc_ccs)); /*@ if (!col && !enc_then_hmac_public_key(sender, enc_id, true)) close enc_then_hmac_pub_1(enc_id, msg_ccs, iv_ccs); @*/ /*@ if (col || enc_then_hmac_public_key(sender, enc_id, true)) { assert [_]public_ccs(iv_ccs); assert [_]public_ccs(enc_ccs); public_ccs_join(iv_ccs, enc_ccs); } @*/ //@ close enc_then_hmac_pub(hmac_cg); //@ leak enc_then_hmac_pub(hmac_cg); //@ public_cryptogram(message + 16 + msg_len, hmac_cg); //@ assert chars(message + 16 + msg_len, 64, ?hmac_cs); //@ append_assoc(iv_ccs, enc_ccs, hmac_ccs); //@ append_assoc(iv_cs, enc_cs, hmac_cs); //@ cs_to_ccs_crypto_chars(message, append(iv_cs, enc_cs)); /*@ assert chars(message, message_len, append(iv_cs, append(enc_cs, hmac_cs))); @*/ net_send(&socket, message, (unsigned int) message_len); free(message); } net_close(socket); //@ close principal(sender, _); }
int receiver(char *enc_key, char *hmac_key, char *msg) /*@ requires [_]public_invar(enc_then_hmac_pub) &*& [_]decryption_key_classifier(enc_then_hmac_public_key) &*& principal(?receiver, _) &*& [?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*& [?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*& enc_key_cg == cg_symmetric_key(?sender, ?enc_id) &*& hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*& cg_info(hmac_key_cg) == enc_id &*& receiver == shared_with(sender, enc_id) &*& receiver == shared_with(sender, hmac_id) &*& chars(msg, MAX_SIZE, _); @*/ /*@ ensures principal(receiver, _) &*& [f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*& [f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*& chars(msg + result, MAX_SIZE - result, _) &*& crypto_chars(?kind, msg, result, ?msg_ccs) &*& col || bad(sender) || bad(receiver) || (kind == secret && send(sender, receiver, msg_ccs)); @*/ { //@ open principal(receiver, _); int socket1; int socket2; int size; int enc_size; char iv[16]; unsigned int iv_off = 0; char hmac[64]; aes_context aes_context; if(net_bind(&socket1, NULL, SERVER_PORT) != 0) abort(); if(net_accept(socket1, &socket2, NULL) != 0) abort(); if(net_set_block(socket2) != 0) abort(); { int max_size = 16 + MAX_SIZE + 64; char *buffer = malloc (max_size); if (buffer == 0) abort(); size = net_recv(&socket2, buffer, (unsigned int) max_size); if (size <= 16 + 64) abort(); enc_size = size - 16 - 64; if (enc_size < MINIMAL_STRING_SIZE) abort(); //@ chars_split(buffer, size); //@ assert chars(buffer, size, ?all_cs); //@ close hide_chars((void*) buffer + size, max_size - size, _); //Verify the hmac //@ chars_split(buffer, size - 64); //@ public_chars(buffer + size - 64, 64); //@ assert chars(buffer + size - 64, 64, ?hmac_cs); //@ assert chars(buffer, size - 64, ?pay_cs); //@ chars_to_crypto_chars(buffer, size - 64); //@ HASH_PUB_PAYLOAD(pay_cs) sha512_hmac(hmac_key, KEY_SIZE, buffer, (unsigned int) (size - 64), hmac, 0); //@ open cryptogram(hmac, 64, ?hmac_ccs, ?hmac_cg); //@ chars_to_crypto_chars((void*) buffer + size - 64, 64); //@ close memcmp_secret(hmac, 64, hmac_ccs, hmac_cg); if (memcmp((void*) buffer + size - 64, hmac, 64) != 0) abort(); /*@ if (!col) { public_ccs_cg(hmac_cg); public_crypto_chars(hmac, 64); } else { crypto_chars_to_chars(hmac, 64); } @*/ //@ assert all_cs == append(pay_cs, hmac_cs); // IV stuff //@ cs_to_ccs_crypto_chars(buffer, pay_cs); //@ chars_split(buffer, 16); //@ assert chars(buffer, 16, ?iv_cs); //@ chars_to_crypto_chars(buffer, 16); //@ assert crypto_chars(normal, buffer, 16, ?iv_ccs); memcpy(iv, buffer, 16); //@ cs_to_ccs_crypto_chars(iv, iv_cs); //@ interpret_nonce(iv, 16); //@ open cryptogram(iv, 16, iv_ccs, ?iv_cg); //Decrypt //@ assert chars(buffer + 16, enc_size, ?enc_cs); //@ interpret_encrypted(buffer + 16, enc_size); //@ open cryptogram(buffer + 16, enc_size, ?enc_ccs, ?enc_cg); //@ close cryptogram(buffer + 16, enc_size, enc_ccs, enc_cg); //@ assert enc_cg == cg_encrypted(?p2, ?c2, ?dec_ccs2, ?iv_ccs2); //@ close aes_context(&aes_context); if (aes_setkey_enc(&aes_context, enc_key, (unsigned int) (KEY_SIZE * 8)) != 0) abort(); //@ structure s = known_value(0, dec_ccs2); //@ close decryption_pre(true, false, receiver, s, enc_ccs); if (aes_crypt_cfb128(&aes_context, AES_DECRYPT, (unsigned int) enc_size, &iv_off, iv, buffer + 16, msg) != 0) abort(); //@ assert pay_cs == append(iv_cs, enc_cs); //@ cs_to_ccs_append(iv_cs, enc_cs); zeroize(iv, 16); aes_free(&aes_context); //@ open aes_context(&aes_context); //@ public_cg_ccs(enc_cg); //@ public_cryptogram(buffer + 16, enc_cg); /*@ open decryption_post(true, ?garbage, receiver, s, sender, enc_id, ?dec_ccs); @*/ /*@ if (!col) { open [_]enc_then_hmac_pub(hmac_cg); open [_]enc_then_hmac_pub(enc_cg); if (!enc_then_hmac_public_key(sender, enc_id, true)) { assert [_]enc_then_hmac_pub_1(?id, ?dec_ccs3, ?ent); cryptogram enc_cg3 = cg_encrypted(sender, id, dec_ccs3, ent); take_append(16, iv_ccs, ccs_for_cg(enc_cg)); take_append(16, ent, ccs_for_cg(enc_cg3)); assert ent == iv_ccs; drop_append(16, iv_ccs, ccs_for_cg(enc_cg)); drop_append(16, ent, ccs_for_cg(enc_cg3)); assert ccs_for_cg(enc_cg) == ccs_for_cg(enc_cg3); ccs_for_cg_inj(enc_cg, enc_cg3); assert dec_ccs2 == dec_ccs3; close exists(pair(nil, nil)); close has_structure(dec_ccs2, s); leak has_structure(dec_ccs2, s); } } else { crypto_chars_to_chars(msg, enc_size); chars_to_secret_crypto_chars(msg, enc_size); } @*/ //@ if (garbage) decryption_garbage(msg, enc_size, s); //@ open hide_chars((void*) buffer + size, max_size - size, _); //@ crypto_chars_to_chars(buffer, 16); //@ crypto_chars_to_chars(buffer + size - 64, 64); //@ chars_join(buffer); //@ chars_join(buffer); free(buffer); } net_close(socket2); net_close(socket1); return enc_size; //@ close principal(receiver, _); }
int main( int argc, char *argv[] ) { int keysize, i; unsigned char tmp[200]; char title[TITLE_LEN]; todo_list todo; if( argc == 1 ) memset( &todo, 1, sizeof( todo ) ); else { memset( &todo, 0, sizeof( todo ) ); for( i = 1; i < argc; i++ ) { if( strcmp( argv[i], "md4" ) == 0 ) todo.md4 = 1; else if( strcmp( argv[i], "md5" ) == 0 ) todo.md5 = 1; else if( strcmp( argv[i], "ripemd160" ) == 0 ) todo.ripemd160 = 1; else if( strcmp( argv[i], "sha1" ) == 0 ) todo.sha1 = 1; else if( strcmp( argv[i], "sha256" ) == 0 ) todo.sha256 = 1; else if( strcmp( argv[i], "sha512" ) == 0 ) todo.sha512 = 1; else if( strcmp( argv[i], "arc4" ) == 0 ) todo.arc4 = 1; else if( strcmp( argv[i], "des3" ) == 0 ) todo.des3 = 1; else if( strcmp( argv[i], "des" ) == 0 ) todo.des = 1; else if( strcmp( argv[i], "aes_cbc" ) == 0 ) todo.aes_cbc = 1; else if( strcmp( argv[i], "aes_gcm" ) == 0 ) todo.aes_gcm = 1; else if( strcmp( argv[i], "aes_ccm" ) == 0 ) todo.aes_ccm = 1; else if( strcmp( argv[i], "camellia" ) == 0 ) todo.camellia = 1; else if( strcmp( argv[i], "blowfish" ) == 0 ) todo.blowfish = 1; else if( strcmp( argv[i], "havege" ) == 0 ) todo.havege = 1; else if( strcmp( argv[i], "ctr_drbg" ) == 0 ) todo.ctr_drbg = 1; else if( strcmp( argv[i], "hmac_drbg" ) == 0 ) todo.hmac_drbg = 1; else if( strcmp( argv[i], "rsa" ) == 0 ) todo.rsa = 1; else if( strcmp( argv[i], "dhm" ) == 0 ) todo.dhm = 1; else if( strcmp( argv[i], "ecdsa" ) == 0 ) todo.ecdsa = 1; else if( strcmp( argv[i], "ecdh" ) == 0 ) todo.ecdh = 1; else { polarssl_printf( "Unrecognized option: %s\n", argv[i] ); polarssl_printf( "Available options: " OPTIONS ); } } } polarssl_printf( "\n" ); memset( buf, 0xAA, sizeof( buf ) ); memset( tmp, 0xBB, sizeof( tmp ) ); #if defined(POLARSSL_MD4_C) if( todo.md4 ) TIME_AND_TSC( "MD4", md4( buf, BUFSIZE, tmp ) ); #endif #if defined(POLARSSL_MD5_C) if( todo.md5 ) TIME_AND_TSC( "MD5", md5( buf, BUFSIZE, tmp ) ); #endif #if defined(POLARSSL_RIPEMD160_C) if( todo.ripemd160 ) TIME_AND_TSC( "RIPEMD160", ripemd160( buf, BUFSIZE, tmp ) ); #endif #if defined(POLARSSL_SHA1_C) if( todo.sha1 ) TIME_AND_TSC( "SHA-1", sha1( buf, BUFSIZE, tmp ) ); #endif #if defined(POLARSSL_SHA256_C) if( todo.sha256 ) TIME_AND_TSC( "SHA-256", sha256( buf, BUFSIZE, tmp, 0 ) ); #endif #if defined(POLARSSL_SHA512_C) if( todo.sha512 ) TIME_AND_TSC( "SHA-512", sha512( buf, BUFSIZE, tmp, 0 ) ); #endif #if defined(POLARSSL_ARC4_C) if( todo.arc4 ) { arc4_context arc4; arc4_init( &arc4 ); arc4_setup( &arc4, tmp, 32 ); TIME_AND_TSC( "ARC4", arc4_crypt( &arc4, BUFSIZE, buf, buf ) ); arc4_free( &arc4 ); } #endif #if defined(POLARSSL_DES_C) && defined(POLARSSL_CIPHER_MODE_CBC) if( todo.des3 ) { des3_context des3; des3_init( &des3 ); des3_set3key_enc( &des3, tmp ); TIME_AND_TSC( "3DES", des3_crypt_cbc( &des3, DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) ); des3_free( &des3 ); } if( todo.des ) { des_context des; des_init( &des ); des_setkey_enc( &des, tmp ); TIME_AND_TSC( "DES", des_crypt_cbc( &des, DES_ENCRYPT, BUFSIZE, tmp, buf, buf ) ); des_free( &des ); } #endif #if defined(POLARSSL_AES_C) #if defined(POLARSSL_CIPHER_MODE_CBC) if( todo.aes_cbc ) { aes_context aes; aes_init( &aes ); for( keysize = 128; keysize <= 256; keysize += 64 ) { snprintf( title, sizeof( title ), "AES-CBC-%d", keysize ); memset( buf, 0, sizeof( buf ) ); memset( tmp, 0, sizeof( tmp ) ); aes_setkey_enc( &aes, tmp, keysize ); TIME_AND_TSC( title, aes_crypt_cbc( &aes, AES_ENCRYPT, BUFSIZE, tmp, buf, buf ) ); } aes_free( &aes ); } #endif #if defined(POLARSSL_GCM_C) if( todo.aes_gcm ) { gcm_context gcm; for( keysize = 128; keysize <= 256; keysize += 64 ) { snprintf( title, sizeof( title ), "AES-GCM-%d", keysize ); memset( buf, 0, sizeof( buf ) ); memset( tmp, 0, sizeof( tmp ) ); gcm_init( &gcm, POLARSSL_CIPHER_ID_AES, tmp, keysize ); TIME_AND_TSC( title, gcm_crypt_and_tag( &gcm, GCM_ENCRYPT, BUFSIZE, tmp, 12, NULL, 0, buf, buf, 16, tmp ) ); gcm_free( &gcm ); } } #endif #if defined(POLARSSL_CCM_C) if( todo.aes_ccm ) { ccm_context ccm; for( keysize = 128; keysize <= 256; keysize += 64 ) { snprintf( title, sizeof( title ), "AES-CCM-%d", keysize ); memset( buf, 0, sizeof( buf ) ); memset( tmp, 0, sizeof( tmp ) ); ccm_init( &ccm, POLARSSL_CIPHER_ID_AES, tmp, keysize ); TIME_AND_TSC( title, ccm_encrypt_and_tag( &ccm, BUFSIZE, tmp, 12, NULL, 0, buf, buf, tmp, 16 ) ); ccm_free( &ccm ); } } #endif #endif #if defined(POLARSSL_CAMELLIA_C) && defined(POLARSSL_CIPHER_MODE_CBC) if( todo.camellia ) { camellia_context camellia; camellia_init( &camellia ); for( keysize = 128; keysize <= 256; keysize += 64 ) { snprintf( title, sizeof( title ), "CAMELLIA-CBC-%d", keysize ); memset( buf, 0, sizeof( buf ) ); memset( tmp, 0, sizeof( tmp ) ); camellia_setkey_enc( &camellia, tmp, keysize ); TIME_AND_TSC( title, camellia_crypt_cbc( &camellia, CAMELLIA_ENCRYPT, BUFSIZE, tmp, buf, buf ) ); } camellia_free( &camellia ); } #endif #if defined(POLARSSL_BLOWFISH_C) && defined(POLARSSL_CIPHER_MODE_CBC) if( todo.blowfish ) { blowfish_context blowfish; blowfish_init( &blowfish ); for( keysize = 128; keysize <= 256; keysize += 64 ) { snprintf( title, sizeof( title ), "BLOWFISH-CBC-%d", keysize ); memset( buf, 0, sizeof( buf ) ); memset( tmp, 0, sizeof( tmp ) ); blowfish_setkey( &blowfish, tmp, keysize ); TIME_AND_TSC( title, blowfish_crypt_cbc( &blowfish, BLOWFISH_ENCRYPT, BUFSIZE, tmp, buf, buf ) ); } blowfish_free( &blowfish ); } #endif #if defined(POLARSSL_HAVEGE_C) if( todo.havege ) { havege_state hs; havege_init( &hs ); TIME_AND_TSC( "HAVEGE", havege_random( &hs, buf, BUFSIZE ) ); havege_free( &hs ); } #endif #if defined(POLARSSL_CTR_DRBG_C) if( todo.ctr_drbg ) { ctr_drbg_context ctr_drbg; if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 ) exit(1); TIME_AND_TSC( "CTR_DRBG (NOPR)", if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 ) exit(1) ); if( ctr_drbg_init( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 ) exit(1); ctr_drbg_set_prediction_resistance( &ctr_drbg, CTR_DRBG_PR_ON ); TIME_AND_TSC( "CTR_DRBG (PR)", if( ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) != 0 ) exit(1) ); ctr_drbg_free( &ctr_drbg ); }
void attacker_send_decrypted(havege_state *havege_state, void* socket) //@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker); //@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker); { int temp; int size1; int size2; char buffer1[MAX_MESSAGE_SIZE]; char buffer2[MAX_MESSAGE_SIZE]; char buffer3[MAX_MESSAGE_SIZE]; aes_context aes_context; char iv[16]; size_t iv_off = 0; //@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker); size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE); size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE); if (size1 <= 0 || size2 < MINIMAL_STRING_SIZE || (size1 != 16 && size1 != 24 && size1 != 32)) { //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker); return; } //@ close aes_context(&aes_context); //@ interpret_symmetric_key(buffer1, size1); //@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key); //@ assert cg_key == cg_symmetric_key(?p, ?c); if (aes_setkey_enc(&aes_context, buffer1, (unsigned int) size1 * 8) == 0) { if (get_iv(havege_state, iv) == 0) { //@ assert crypto_chars(normal, iv, 16, ?ccs_iv); //@ interpret_encrypted(buffer2, size2); //@ open cryptogram(buffer2, size2, ?ccs2, ?cg_enc); //@ close cryptogram(buffer2, size2, ccs2, cg_enc); //@ assert cg_enc == cg_encrypted(?p2, ?c2, ?ccs_output2, ?ccs_iv2); //@ structure s = known_value(0, nil); //@ close decryption_pre(true, false, attacker, s, ccs2); int success = aes_crypt_cfb128(&aes_context, AES_DECRYPT, (unsigned int) size2, &iv_off, iv, buffer2, buffer3); if (success == 0) zeroize(iv, 16); //@ if (success == 0) chars_to_crypto_chars(iv, 16); //@ open decryption_post(true, ?garbage, attacker, s, p, c, ?ccs_output); /*@ if (garbage) { assert is_public_key_classifier(?proof, _, _, _); proof(cg_key, p, c, true); decryption_garbage(buffer3, size2, s); } else if (success == 0) { assert crypto_chars(secret, buffer3, size2, ccs_output); assert ccs_output == ccs_output2; assert ccs_iv == ccs_iv2; assert ccs2 == ccs_for_cg(cg_enc); public_ccs_cg(cg_enc); assert [_]pub(cg_enc); assert is_public_decryption_is_public(?proof2, pub, pred); proof2(cg_key, cg_enc); public_crypto_chars(buffer3, size2); chars_to_crypto_chars(buffer3, size2); } @*/ //@ crypto_chars_to_chars(buffer3, size2); net_send(socket, buffer3, (unsigned int) size2); //@ public_cryptogram(buffer2, cg_enc); } aes_free(&aes_context); //@ crypto_chars_to_chars(iv, 16); } //@ open aes_context(&aes_context); //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker); //@ public_cryptogram(buffer1, cg_key); }
void attacker_send_encrypted(havege_state *havege_state, void* socket) //@ requires attacker_invariant(?pub, ?pred, ?kc, havege_state, socket, ?attacker); //@ ensures attacker_invariant(pub, pred, kc, havege_state, socket, attacker); { int temp; int size1; int size2; char buffer1[MAX_MESSAGE_SIZE]; char buffer2[MAX_MESSAGE_SIZE]; char buffer3[MAX_MESSAGE_SIZE]; aes_context aes_context; size_t iv_off = 0; char iv[16]; //@ open attacker_invariant(pub, pred, kc, havege_state, socket, attacker); size1 = net_recv(socket, buffer1, MAX_MESSAGE_SIZE); size2 = net_recv(socket, buffer2, MAX_MESSAGE_SIZE); if (size1 <= 0 || size2 < MINIMAL_STRING_SIZE || (size1 != 16 && size1 != 24 && size1 != 32)) { //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker); return; } //@ close aes_context(&aes_context); //@ interpret_symmetric_key(buffer1, size1); //@ assert cryptogram(buffer1, size1, ?ccs1, ?cg_key); //@ assert cg_key == cg_symmetric_key(?p, ?c); if (aes_setkey_enc(&aes_context, buffer1, (unsigned int) size1 * 8) == 0) { if (get_iv(havege_state, iv) == 0) { //@ assert crypto_chars(normal, iv, 16, ?ccs_iv); //@ chars_to_crypto_chars(buffer2, size2); if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT, (unsigned int) size2, &iv_off, iv, buffer2, buffer3) == 0) { /*@ { assert cryptogram(buffer3, size2, ?ccs_enc, ?cg_enc); assert cg_enc == cg_encrypted(p, c, ?cs2, ccs_iv); assert [_]pub(cg_key); assert is_public_encryption_is_public(?proof2, pub, pred); crypto_chars_to_chars(buffer2, size2); public_chars(buffer2, size2); proof2(cg_enc); public_cryptogram(buffer3, cg_enc); chars_to_crypto_chars(buffer2, size2); } @*/ net_send(socket, buffer3, (unsigned int) size2); } //@ crypto_chars_to_chars(buffer2, size2); } aes_free(&aes_context); //@ open aes_context(&aes_context); //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker); //@ public_cryptogram(buffer1, cg_symmetric_key(p, c)); //@ crypto_chars_to_chars(iv, 16); return; } //@ open aes_context(&aes_context); //@ close attacker_invariant(pub, pred, kc, havege_state, socket, attacker); //@ public_cryptogram(buffer1, cg_symmetric_key(p, c)); return; }