void sender(char *key, int key_len, char *message) /*@ requires [_]public_invar(hmac_pub) &*& principal(?sender, _) &*& [?f1]cryptogram(key, key_len, ?key_cs, ?key_cg) &*& key_cg == cg_symmetric_key(sender, ?id) &*& [?f2]chars(message, MESSAGE_SIZE, ?msg_cs) &*& true == send(sender, shared_with(sender, id), msg_cs); @*/ /*@ ensures principal(sender, _) &*& [f1]cryptogram(key, key_len, key_cs, key_cg) &*& [f2]chars(message, MESSAGE_SIZE, msg_cs); @*/ { //@ open principal(sender, _); int socket; char hmac[64]; net_usleep(20000); if(net_connect(&socket, NULL, SERVER_PORT) != 0) abort(); if(net_set_block(socket) != 0) abort(); { int message_len = MESSAGE_SIZE + 64; char* M = malloc(message_len); if (M == 0) abort(); //@ chars_to_crypto_chars(message, MESSAGE_SIZE); memcpy(M, message, MESSAGE_SIZE); sha512_hmac(key, (unsigned int) key_len, M, (unsigned int) MESSAGE_SIZE, hmac, 0); //@ assert cryptogram(hmac, 64, ?hmac_cs, ?hmac_cg); //@ close hmac_pub(hmac_cg); //@ leak hmac_pub(hmac_cg); //@ public_cryptogram(hmac, hmac_cg); //@ chars_to_crypto_chars(hmac, 64); memcpy(M + MESSAGE_SIZE, hmac, 64); //@ crypto_chars_to_chars(M, MESSAGE_SIZE); //@ crypto_chars_to_chars(M + MESSAGE_SIZE, 64); //@ chars_join(M); net_send(&socket, M, (unsigned int) message_len); free(M); } net_close(socket); //@ close principal(sender, _); }
void app_send(char *key, char *message, int message_len) /*@ requires polarssl_generated_values(?creator, ?count1) &*& [?f0]polarssl_world(sc_auth_polarssl_pub) &*& [?f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, ?key_cs, ?key_cg) &*& key_cg == polarssl_symmetric_key(creator, ?key_id) &*& [?f2]chars(message, message_len, ?m_cs) &*& message_len >= POLARSSL_MIN_ENCRYPTED_BYTE_SIZE &*& message_len < POLARSSL_MAX_MESSAGE_BYTE_SIZE - 84 &*& bad(creator) ? [_]polarssl_public_generated_chars(sc_auth_polarssl_pub)(m_cs) : true == app_send_event(creator, m_cs); @*/ /*@ ensures polarssl_generated_values(creator, ?count2) &*& count2 > count1 &*& [f0]polarssl_world(sc_auth_polarssl_pub) &*& [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg) &*& [f2]chars(message, message_len, m_cs); @*/ { int socket; havege_state havege_state; char iv[16]; // init { net_usleep(20000); if(net_connect(&socket, NULL, APP_RECEIVE_PORT) != 0) abort(); if(net_set_block(socket) != 0) abort(); //@ close havege_state(&havege_state); havege_init(&havege_state); } // iv stuff { //@ close random_request(creator, 0, false); if (havege_random(&havege_state, iv, 16) != 0) abort(); } //@ open polarssl_cryptogram(iv, 16, ?iv_cs, _); char* m = malloc(16 + message_len + 16); if (m == 0) abort(); memcpy(m, iv, 16); //@ assert chars(m, 16, iv_cs); //@ assert chars(m + 16, message_len + 16, ?cs1); //@ polarssl_public_generated_chars_assume(sc_auth_polarssl_pub, iv_cs); // encrypt message { unsigned int temp; gcm_context gcm_context; //@ close gcm_context(&gcm_context); //@ open [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg); //@ close polarssl_key_id(creator, key_id); if (gcm_init(&gcm_context, POLARSSL_AES_CIPHER_ID, key, (unsigned int) KEY_BYTE_SIZE * 8) != 0) abort(); //@ close [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg); //@ chars_split(m + 16, message_len); if (gcm_crypt_and_tag(&gcm_context, POLARSSL_GCM_ENCRYPT, (unsigned int) message_len, iv, 16, NULL, 0, message, m + 16, 16, (char*) ((m + 16) + message_len)) != 0) abort(); gcm_free(&gcm_context); //@ open gcm_context(&gcm_context); } //@ assert polarssl_cryptogram(m + 16, message_len, ?e_cs, ?e_cg); /*@ assert e_cg == polarssl_auth_encrypted( creator, key_id, ?t_cs, m_cs, iv_cs); @*/ //@ close sc_auth_polarssl_pub(e_cg); //@ leak sc_auth_polarssl_pub(e_cg); /*@ polarssl_public_message_from_cryptogram( sc_auth_polarssl_pub, m + 16, message_len, e_cs, e_cg); @*/ /*@ open polarssl_public_message(sc_auth_polarssl_pub) (m + 16, message_len, e_cs); @*/ //@ assert chars(m + 16 + message_len, 16, t_cs); //@ chars_join(m); //@ chars_join(m); //@ assert chars(m, 16 + message_len + 16, ?cs); //@ append_assoc(iv_cs, e_cs, t_cs); //@ assert cs == append(iv_cs, append(e_cs, t_cs)); //@ polarssl_public_generated_chars_assume(sc_auth_polarssl_pub, t_cs); /*@ polarssl_public_generated_chars_join( sc_auth_polarssl_pub, iv_cs, e_cs); @*/ /*@ polarssl_public_generated_chars_join( sc_auth_polarssl_pub, append(iv_cs, e_cs), t_cs); @*/ /*@ close polarssl_public_message(sc_auth_polarssl_pub) (m, 16 + message_len + 16, append(iv_cs, append(e_cs, t_cs))); @*/ net_send(&socket, m, (unsigned int) 16 + (unsigned int) message_len + 16); //@ open polarssl_public_message(sc_auth_polarssl_pub)(m, _, _); { free(m); havege_free(&havege_state); //@ open havege_state(&havege_state); net_close(socket); } }
void sender(int sender, int receiver, char *s_priv_key, char *r_pub_key, char *s_nonce, char *r_nonce) /*@ requires [_]public_invar(nsl_pub) &*& [_]decryption_key_classifier(nsl_public_key) &*& principal(sender, _) &*& [?f1]cryptogram(s_priv_key, 8 * KEY_SIZE, ?s_priv_key_ccs, ?s_priv_key_cg) &*& s_priv_key_cg == cg_private_key(sender, ?s_id) &*& [?f2]cryptogram(r_pub_key, 8 * KEY_SIZE, ?r_pub_key_ccs, ?r_pub_key_cg) &*& r_pub_key_cg == cg_public_key(receiver, ?r_id) &*& chars(s_nonce, NONCE_SIZE, _) &*& chars(r_nonce, NONCE_SIZE, _); @*/ /*@ ensures principal(sender, _) &*& [f1]cryptogram(s_priv_key, 8 * KEY_SIZE, s_priv_key_ccs, s_priv_key_cg) &*& [f2]cryptogram(r_pub_key, 8 * KEY_SIZE, r_pub_key_ccs, r_pub_key_cg) &*& cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*& s_nonce_cg == cg_nonce(sender, _) &*& cg_info(s_nonce_cg) == int_pair(1, int_pair(receiver, r_id)) &*& col || bad(sender) || bad(receiver) ? chars(r_nonce, NONCE_SIZE, _) : cryptogram(r_nonce, NONCE_SIZE, _, ?r_nonce_cg) &*& r_nonce_cg == cg_nonce(receiver, _) &*& cg_info(r_nonce_cg) == int_pair(2, int_pair(sender, int_pair(sender, int_pair(receiver, r_id)))); @*/ { int socket; pk_context s_context; pk_context r_context; havege_state havege_state; net_usleep(20000); if(net_connect(&socket, NULL, SERVER_PORT) != 0) abort(); if(net_set_block(socket) != 0) abort(); //@ close pk_context(&s_context); pk_init(&s_context); if (pk_parse_key(&s_context, s_priv_key, (unsigned int) 8 * KEY_SIZE, NULL, 0) != 0) abort(); //@ close pk_context(&r_context); pk_init(&r_context); if (pk_parse_public_key(&r_context, r_pub_key, (unsigned int) 8 * KEY_SIZE) != 0) abort(); // Generate NA //@ open principal(sender, _); //@ close havege_state(&havege_state); havege_init(&havege_state); //@ close random_request(sender, int_pair(1, int_pair(receiver, r_id)), false); if (havege_random(&havege_state, s_nonce, NONCE_SIZE) != 0) abort(); //@ assert cryptogram(s_nonce, NONCE_SIZE, ?cs_s_nonce, ?cg_s_nonce); //@ close principal(sender, _); sender_msg1(&socket, &havege_state, &r_context, sender, s_nonce); sender_msg2(&socket, &havege_state, &s_context, sender, receiver, s_nonce, r_nonce); sender_msg3(&socket, &havege_state, &r_context, sender, r_nonce); havege_free(&havege_state); //@ open havege_state(&havege_state); //@ pk_release_context_with_key(&s_context); pk_free(&s_context); //@ open pk_context(&s_context); //@ pk_release_context_with_key(&r_context); pk_free(&r_context); //@ open pk_context(&r_context); net_close(socket); }
void sender(char *enc_key, char *hmac_key, char *msg, unsigned int msg_len) /*@ requires [_]public_invar(enc_then_hmac_pub) &*& principal(?sender, _) &*& [?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*& [?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*& enc_key_cg == cg_symmetric_key(sender, ?enc_id) &*& hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*& cg_info(hmac_key_cg) == enc_id &*& shared_with(sender, enc_id) == shared_with(sender, hmac_id) &*& [?f3]crypto_chars(secret, msg, msg_len, ?msg_ccs) &*& MAX_SIZE >= msg_len &*& msg_len >= MINIMAL_STRING_SIZE &*& bad(sender) || bad(shared_with(sender, enc_id)) ? [_]public_ccs(msg_ccs) : true == send(sender, shared_with(sender, enc_id), msg_ccs); @*/ /*@ ensures principal(sender, _) &*& [f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*& [f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*& [f3]crypto_chars(secret, msg, msg_len, msg_ccs); @*/ { //@ open principal(sender, _); int socket; havege_state havege_state; char iv[16]; unsigned int iv_off = 0; char hmac[64]; aes_context aes_context; net_usleep(20000); if(net_connect(&socket, NULL, SERVER_PORT) != 0) abort(); if(net_set_block(socket) != 0) abort(); { int message_len = 16 + (int) msg_len + 64; char* message = malloc(message_len); if (message == 0) abort(); // IV stuff //@ close havege_state(&havege_state); havege_init(&havege_state); //@ close random_request(sender, 0, false); if (havege_random(&havege_state, iv, 16) != 0) abort(); //@ open cryptogram(iv, 16, ?iv_ccs, ?iv_cg); //@ close enc_then_hmac_pub(iv_cg); //@ leak enc_then_hmac_pub(iv_cg); memcpy(message, iv, 16); //@ close cryptogram(message, 16, iv_ccs, iv_cg); //@ public_cryptogram(message, iv_cg); //@ assert chars(message, 16, ?iv_cs); //@ public_chars(message, 16); havege_free(&havege_state); //@ open havege_state(&havege_state); // encrypt //@ close aes_context(&aes_context); if (aes_setkey_enc(&aes_context, enc_key, (unsigned int) (KEY_SIZE * 8)) != 0) abort(); if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT, msg_len, &iv_off, iv, msg, message + 16) != 0) abort(); //@ open cryptogram(message + 16, msg_len, ?enc_ccs, ?enc_cg); //@ close cryptogram(message + 16, msg_len, enc_ccs, enc_cg); //@ close enc_then_hmac_pub(enc_cg); //@ leak enc_then_hmac_pub(enc_cg); //@ public_cryptogram(message + 16, enc_cg); //@ assert chars(message + 16, msg_len, ?enc_cs); //@ public_chars(message + 16, msg_len); //@ assert chars(message, 16 + msg_len, append(iv_cs, enc_cs)); //@ assert enc_cg == cg_encrypted(sender, enc_id, msg_ccs, iv_ccs); zeroize(iv, 16); aes_free(&aes_context); //@ open aes_context(&aes_context); // hmac //@ chars_to_crypto_chars(message, 16 + msg_len); //@ HASH_PUB_PAYLOAD(append(iv_cs, enc_cs)) sha512_hmac(hmac_key, KEY_SIZE, message, (unsigned int) (16 + (int) msg_len), message + 16 + (int) msg_len, 0); //@ assert cryptogram(message + 16 + msg_len, 64, ?hmac_ccs, ?hmac_cg); //@ cs_to_ccs_append(iv_cs, enc_cs); //@ assert hmac_cg == cg_hmac(sender, hmac_id, append(iv_ccs, enc_ccs)); /*@ if (!col && !enc_then_hmac_public_key(sender, enc_id, true)) close enc_then_hmac_pub_1(enc_id, msg_ccs, iv_ccs); @*/ /*@ if (col || enc_then_hmac_public_key(sender, enc_id, true)) { assert [_]public_ccs(iv_ccs); assert [_]public_ccs(enc_ccs); public_ccs_join(iv_ccs, enc_ccs); } @*/ //@ close enc_then_hmac_pub(hmac_cg); //@ leak enc_then_hmac_pub(hmac_cg); //@ public_cryptogram(message + 16 + msg_len, hmac_cg); //@ assert chars(message + 16 + msg_len, 64, ?hmac_cs); //@ append_assoc(iv_ccs, enc_ccs, hmac_ccs); //@ append_assoc(iv_cs, enc_cs, hmac_cs); //@ cs_to_ccs_crypto_chars(message, append(iv_cs, enc_cs)); /*@ assert chars(message, message_len, append(iv_cs, append(enc_cs, hmac_cs))); @*/ net_send(&socket, message, (unsigned int) message_len); free(message); } net_close(socket); //@ close principal(sender, _); }