void sender(char *key, int key_len, char *message)
/*@ requires [_]public_invar(hmac_pub) &*&
principal(?sender, _) &*&
[?f1]cryptogram(key, key_len, ?key_cs, ?key_cg) &*&
key_cg == cg_symmetric_key(sender, ?id) &*&
[?f2]chars(message, MESSAGE_SIZE, ?msg_cs) &*&
true == send(sender, shared_with(sender, id), msg_cs); @*/
/*@ ensures principal(sender, _) &*&
[f1]cryptogram(key, key_len, key_cs, key_cg) &*&
[f2]chars(message, MESSAGE_SIZE, msg_cs); @*/
{
//@ open principal(sender, _);
int socket;
char hmac[64];
net_usleep(20000);
if(net_connect(&socket, NULL, SERVER_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
{
int message_len = MESSAGE_SIZE + 64;
char* M = malloc(message_len);
if (M == 0) abort();
//@ chars_to_crypto_chars(message, MESSAGE_SIZE);
memcpy(M, message, MESSAGE_SIZE);
sha512_hmac(key, (unsigned int) key_len, M,
(unsigned int) MESSAGE_SIZE, hmac, 0);
//@ assert cryptogram(hmac, 64, ?hmac_cs, ?hmac_cg);
//@ close hmac_pub(hmac_cg);
//@ leak hmac_pub(hmac_cg);
//@ public_cryptogram(hmac, hmac_cg);
//@ chars_to_crypto_chars(hmac, 64);
memcpy(M + MESSAGE_SIZE, hmac, 64);
//@ crypto_chars_to_chars(M, MESSAGE_SIZE);
//@ crypto_chars_to_chars(M + MESSAGE_SIZE, 64);
//@ chars_join(M);
net_send(&socket, M, (unsigned int) message_len);
free(M);
}
net_close(socket);
//@ close principal(sender, _);
}
void app_send(char *key, char *message, int message_len)
/*@ requires polarssl_generated_values(?creator, ?count1) &*&
[?f0]polarssl_world(sc_auth_polarssl_pub) &*&
[?f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, ?key_cs, ?key_cg) &*&
key_cg == polarssl_symmetric_key(creator, ?key_id) &*&
[?f2]chars(message, message_len, ?m_cs) &*&
message_len >= POLARSSL_MIN_ENCRYPTED_BYTE_SIZE &*&
message_len < POLARSSL_MAX_MESSAGE_BYTE_SIZE - 84 &*&
bad(creator) ?
[_]polarssl_public_generated_chars(sc_auth_polarssl_pub)(m_cs)
:
true == app_send_event(creator, m_cs);
@*/
/*@ ensures polarssl_generated_values(creator, ?count2) &*& count2 > count1 &*&
[f0]polarssl_world(sc_auth_polarssl_pub) &*&
[f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg) &*&
[f2]chars(message, message_len, m_cs);
@*/
{
int socket;
havege_state havege_state;
char iv[16];
// init
{
net_usleep(20000);
if(net_connect(&socket, NULL, APP_RECEIVE_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
//@ close havege_state(&havege_state);
havege_init(&havege_state);
}
// iv stuff
{
//@ close random_request(creator, 0, false);
if (havege_random(&havege_state, iv, 16) != 0) abort();
}
//@ open polarssl_cryptogram(iv, 16, ?iv_cs, _);
char* m = malloc(16 + message_len + 16);
if (m == 0) abort();
memcpy(m, iv, 16);
//@ assert chars(m, 16, iv_cs);
//@ assert chars(m + 16, message_len + 16, ?cs1);
//@ polarssl_public_generated_chars_assume(sc_auth_polarssl_pub, iv_cs);
// encrypt message
{
unsigned int temp;
gcm_context gcm_context;
//@ close gcm_context(&gcm_context);
//@ open [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg);
//@ close polarssl_key_id(creator, key_id);
if (gcm_init(&gcm_context, POLARSSL_AES_CIPHER_ID, key,
(unsigned int) KEY_BYTE_SIZE * 8) != 0) abort();
//@ close [f1]polarssl_cryptogram(key, KEY_BYTE_SIZE, key_cs, key_cg);
//@ chars_split(m + 16, message_len);
if (gcm_crypt_and_tag(&gcm_context, POLARSSL_GCM_ENCRYPT,
(unsigned int) message_len,
iv, 16, NULL, 0, message, m + 16, 16,
(char*) ((m + 16) + message_len)) != 0)
abort();
gcm_free(&gcm_context);
//@ open gcm_context(&gcm_context);
}
//@ assert polarssl_cryptogram(m + 16, message_len, ?e_cs, ?e_cg);
/*@ assert e_cg == polarssl_auth_encrypted(
creator, key_id, ?t_cs, m_cs, iv_cs); @*/
//@ close sc_auth_polarssl_pub(e_cg);
//@ leak sc_auth_polarssl_pub(e_cg);
/*@ polarssl_public_message_from_cryptogram(
sc_auth_polarssl_pub, m + 16, message_len, e_cs, e_cg); @*/
/*@ open polarssl_public_message(sc_auth_polarssl_pub)
(m + 16, message_len, e_cs); @*/
//@ assert chars(m + 16 + message_len, 16, t_cs);
//@ chars_join(m);
//@ chars_join(m);
//@ assert chars(m, 16 + message_len + 16, ?cs);
//@ append_assoc(iv_cs, e_cs, t_cs);
//@ assert cs == append(iv_cs, append(e_cs, t_cs));
//@ polarssl_public_generated_chars_assume(sc_auth_polarssl_pub, t_cs);
/*@ polarssl_public_generated_chars_join(
sc_auth_polarssl_pub, iv_cs, e_cs); @*/
/*@ polarssl_public_generated_chars_join(
sc_auth_polarssl_pub, append(iv_cs, e_cs), t_cs); @*/
/*@ close polarssl_public_message(sc_auth_polarssl_pub)
(m, 16 + message_len + 16,
append(iv_cs, append(e_cs, t_cs))); @*/
net_send(&socket, m, (unsigned int) 16 + (unsigned int) message_len + 16);
//@ open polarssl_public_message(sc_auth_polarssl_pub)(m, _, _);
{
free(m);
havege_free(&havege_state);
//@ open havege_state(&havege_state);
net_close(socket);
}
}
void sender(int sender, int receiver,
char *s_priv_key, char *r_pub_key,
char *s_nonce, char *r_nonce)
/*@ requires [_]public_invar(nsl_pub) &*&
[_]decryption_key_classifier(nsl_public_key) &*&
principal(sender, _) &*&
[?f1]cryptogram(s_priv_key, 8 * KEY_SIZE,
?s_priv_key_ccs, ?s_priv_key_cg) &*&
s_priv_key_cg == cg_private_key(sender, ?s_id) &*&
[?f2]cryptogram(r_pub_key, 8 * KEY_SIZE,
?r_pub_key_ccs, ?r_pub_key_cg) &*&
r_pub_key_cg == cg_public_key(receiver, ?r_id) &*&
chars(s_nonce, NONCE_SIZE, _) &*&
chars(r_nonce, NONCE_SIZE, _); @*/
/*@ ensures principal(sender, _) &*&
[f1]cryptogram(s_priv_key, 8 * KEY_SIZE,
s_priv_key_ccs, s_priv_key_cg) &*&
[f2]cryptogram(r_pub_key, 8 * KEY_SIZE,
r_pub_key_ccs, r_pub_key_cg) &*&
cryptogram(s_nonce, NONCE_SIZE, ?s_nonce_ccs, ?s_nonce_cg) &*&
s_nonce_cg == cg_nonce(sender, _) &*&
cg_info(s_nonce_cg) == int_pair(1, int_pair(receiver, r_id)) &*&
col || bad(sender) || bad(receiver) ?
chars(r_nonce, NONCE_SIZE, _)
:
cryptogram(r_nonce, NONCE_SIZE, _, ?r_nonce_cg) &*&
r_nonce_cg == cg_nonce(receiver, _) &*&
cg_info(r_nonce_cg) == int_pair(2, int_pair(sender, int_pair(sender,
int_pair(receiver, r_id)))); @*/
{
int socket;
pk_context s_context;
pk_context r_context;
havege_state havege_state;
net_usleep(20000);
if(net_connect(&socket, NULL, SERVER_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
//@ close pk_context(&s_context);
pk_init(&s_context);
if (pk_parse_key(&s_context, s_priv_key,
(unsigned int) 8 * KEY_SIZE, NULL, 0) != 0)
abort();
//@ close pk_context(&r_context);
pk_init(&r_context);
if (pk_parse_public_key(&r_context, r_pub_key,
(unsigned int) 8 * KEY_SIZE) != 0)
abort();
// Generate NA
//@ open principal(sender, _);
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ close random_request(sender, int_pair(1, int_pair(receiver, r_id)), false);
if (havege_random(&havege_state, s_nonce, NONCE_SIZE) != 0) abort();
//@ assert cryptogram(s_nonce, NONCE_SIZE, ?cs_s_nonce, ?cg_s_nonce);
//@ close principal(sender, _);
sender_msg1(&socket, &havege_state, &r_context, sender, s_nonce);
sender_msg2(&socket, &havege_state, &s_context, sender, receiver,
s_nonce, r_nonce);
sender_msg3(&socket, &havege_state, &r_context, sender, r_nonce);
havege_free(&havege_state);
//@ open havege_state(&havege_state);
//@ pk_release_context_with_key(&s_context);
pk_free(&s_context);
//@ open pk_context(&s_context);
//@ pk_release_context_with_key(&r_context);
pk_free(&r_context);
//@ open pk_context(&r_context);
net_close(socket);
}
void sender(char *enc_key, char *hmac_key, char *msg, unsigned int msg_len)
/*@ requires [_]public_invar(enc_then_hmac_pub) &*&
principal(?sender, _) &*&
[?f1]cryptogram(enc_key, KEY_SIZE, ?enc_key_ccs, ?enc_key_cg) &*&
[?f2]cryptogram(hmac_key, KEY_SIZE, ?hmac_key_ccs, ?hmac_key_cg) &*&
enc_key_cg == cg_symmetric_key(sender, ?enc_id) &*&
hmac_key_cg == cg_symmetric_key(sender, ?hmac_id) &*&
cg_info(hmac_key_cg) == enc_id &*&
shared_with(sender, enc_id) == shared_with(sender, hmac_id) &*&
[?f3]crypto_chars(secret, msg, msg_len, ?msg_ccs) &*&
MAX_SIZE >= msg_len &*& msg_len >= MINIMAL_STRING_SIZE &*&
bad(sender) || bad(shared_with(sender, enc_id)) ?
[_]public_ccs(msg_ccs)
:
true == send(sender, shared_with(sender, enc_id), msg_ccs); @*/
/*@ ensures principal(sender, _) &*&
[f1]cryptogram(enc_key, KEY_SIZE, enc_key_ccs, enc_key_cg) &*&
[f2]cryptogram(hmac_key, KEY_SIZE, hmac_key_ccs, hmac_key_cg) &*&
[f3]crypto_chars(secret, msg, msg_len, msg_ccs); @*/
{
//@ open principal(sender, _);
int socket;
havege_state havege_state;
char iv[16];
unsigned int iv_off = 0;
char hmac[64];
aes_context aes_context;
net_usleep(20000);
if(net_connect(&socket, NULL, SERVER_PORT) != 0)
abort();
if(net_set_block(socket) != 0)
abort();
{
int message_len = 16 + (int) msg_len + 64;
char* message = malloc(message_len);
if (message == 0) abort();
// IV stuff
//@ close havege_state(&havege_state);
havege_init(&havege_state);
//@ close random_request(sender, 0, false);
if (havege_random(&havege_state, iv, 16) != 0) abort();
//@ open cryptogram(iv, 16, ?iv_ccs, ?iv_cg);
//@ close enc_then_hmac_pub(iv_cg);
//@ leak enc_then_hmac_pub(iv_cg);
memcpy(message, iv, 16);
//@ close cryptogram(message, 16, iv_ccs, iv_cg);
//@ public_cryptogram(message, iv_cg);
//@ assert chars(message, 16, ?iv_cs);
//@ public_chars(message, 16);
havege_free(&havege_state);
//@ open havege_state(&havege_state);
// encrypt
//@ close aes_context(&aes_context);
if (aes_setkey_enc(&aes_context, enc_key,
(unsigned int) (KEY_SIZE * 8)) != 0)
abort();
if (aes_crypt_cfb128(&aes_context, AES_ENCRYPT, msg_len,
&iv_off, iv, msg, message + 16) != 0)
abort();
//@ open cryptogram(message + 16, msg_len, ?enc_ccs, ?enc_cg);
//@ close cryptogram(message + 16, msg_len, enc_ccs, enc_cg);
//@ close enc_then_hmac_pub(enc_cg);
//@ leak enc_then_hmac_pub(enc_cg);
//@ public_cryptogram(message + 16, enc_cg);
//@ assert chars(message + 16, msg_len, ?enc_cs);
//@ public_chars(message + 16, msg_len);
//@ assert chars(message, 16 + msg_len, append(iv_cs, enc_cs));
//@ assert enc_cg == cg_encrypted(sender, enc_id, msg_ccs, iv_ccs);
zeroize(iv, 16);
aes_free(&aes_context);
//@ open aes_context(&aes_context);
// hmac
//@ chars_to_crypto_chars(message, 16 + msg_len);
//@ HASH_PUB_PAYLOAD(append(iv_cs, enc_cs))
sha512_hmac(hmac_key, KEY_SIZE, message,
(unsigned int) (16 + (int) msg_len),
message + 16 + (int) msg_len, 0);
//@ assert cryptogram(message + 16 + msg_len, 64, ?hmac_ccs, ?hmac_cg);
//@ cs_to_ccs_append(iv_cs, enc_cs);
//@ assert hmac_cg == cg_hmac(sender, hmac_id, append(iv_ccs, enc_ccs));
/*@ if (!col && !enc_then_hmac_public_key(sender, enc_id, true))
close enc_then_hmac_pub_1(enc_id, msg_ccs, iv_ccs); @*/
/*@ if (col || enc_then_hmac_public_key(sender, enc_id, true))
{
assert [_]public_ccs(iv_ccs);
assert [_]public_ccs(enc_ccs);
public_ccs_join(iv_ccs, enc_ccs);
}
@*/
//@ close enc_then_hmac_pub(hmac_cg);
//@ leak enc_then_hmac_pub(hmac_cg);
//@ public_cryptogram(message + 16 + msg_len, hmac_cg);
//@ assert chars(message + 16 + msg_len, 64, ?hmac_cs);
//@ append_assoc(iv_ccs, enc_ccs, hmac_ccs);
//@ append_assoc(iv_cs, enc_cs, hmac_cs);
//@ cs_to_ccs_crypto_chars(message, append(iv_cs, enc_cs));
/*@ assert chars(message, message_len,
append(iv_cs, append(enc_cs, hmac_cs))); @*/
net_send(&socket, message, (unsigned int) message_len);
free(message);
}
net_close(socket);
//@ close principal(sender, _);
}
