def specification(self) -> None: message = self.alloc(alias_ty("struct.signal_message")) (_, sender_identity_key_data, sender_identity_key) = alloc_ec_public_key(self) (_, receiver_identity_key_data, receiver_identity_key) = alloc_ec_public_key(self) (mac_key_data, mac_key) = ptr_to_fresh(self, array_ty(self.mac_key_len, i8), "mac_key_data") global_context_unused_as_far_as_i_can_tell = self.alloc( signal_context_ty, read_only=True) base = self.fresh_var(alias_ty("struct.signal_type_base"), "base") message_type = self.fresh_var(i32, "message_type") global_context = self.alloc(signal_context_ty, read_only=True) self.points_to(global_context["crypto_provider"], dummy_signal_crypto_provider) serialized_message_len = self.serialized_len - SIGNAL_MESSAGE_MAC_LENGTH serialized_message_data = self.fresh_var( array_ty(serialized_message_len, i8), "serialized_message_data") expected_mac_data = mk_hmac(serialized_message_len, serialized_message_data, receiver_identity_key_data, sender_identity_key_data, self.mac_key_len, mac_key_data) serialized = alloc_buffer_aligned(self, self.serialized_len) self.points_to(serialized[0], int_to_64_cryptol(self.serialized_len), check_target_type=None) self.points_to(serialized[8], serialized_message_data, check_target_type=None) self.points_to(serialized[8 + serialized_message_len], expected_mac_data, check_target_type=None) base_message = struct(base, message_type, global_context, serialized) self.points_to(message["base_message"], base_message) self.points_to(message["message_version"], int_to_8_cryptol(message_version)) self.execute_func(message, sender_identity_key, receiver_identity_key, mac_key, int_to_64_cryptol(self.mac_key_len), global_context_unused_as_far_as_i_can_tell) self.returns(int_to_32_cryptol(1))
def specification(self): (x, x_p) = ptr_to_fresh(self, array_ty(2, i32), "x") p = self.alloc(alias_ty('struct.s'), points_to=struct(x_p)) self.execute_func(p) self.returns(p)
def specification(self) -> None: ec_public_key = alias_ty("struct.ec_public_key") buffer_ = self.alloc(ptr_ty(buffer_type(SIGNAL_MESSAGE_MAC_LENGTH))) (_, sender_identity_key_data, sender_identity_key) = alloc_ec_public_key(self) (_, receiver_identity_key_data, receiver_identity_key) = alloc_ec_public_key(self) (mac_key_data, mac_key) = ptr_to_fresh(self, array_ty(self.mac_key_len, i8), "mac_key_data") (serialized_data, serialized) = ptr_to_fresh(self, array_ty(self.serialized_len, i8), "serialized_data") global_context = self.alloc(signal_context_ty, read_only=True) self.points_to(global_context["crypto_provider"], dummy_signal_crypto_provider) self.execute_func(buffer_, int_to_8_cryptol(message_version), sender_identity_key, receiver_identity_key, mac_key, int_to_64_cryptol(self.mac_key_len), serialized, int_to_64_cryptol(self.serialized_len), global_context) expected = mk_hmac(self.serialized_len, serialized_data, receiver_identity_key_data, sender_identity_key_data, self.mac_key_len, mac_key_data) # buffer_buf = alloc_buffer_aligned(self, SIGNAL_MESSAGE_MAC_LENGTH) # self.points_to(buffer_buf[0], int_to_64_cryptol(SIGNAL_MESSAGE_MAC_LENGTH), check_target_type = i64) buffer_buf = alloc_pointsto_buffer(self, SIGNAL_MESSAGE_MAC_LENGTH, expected) self.points_to(buffer_, buffer_buf) self.returns(int_to_32_cryptol(0))
def specification(self): tp = self.alloc(alias_ty('struct.t')) b = self.fresh_var(i32, "b") self.points_to(tp['n']['b'], b) self.execute_func(tp) self.returns(b)
def alloc_ec_public_key(spec: Contract) -> Tuple[FreshVar, FreshVar, SetupVal]: signal_type_base_ty = alias_ty("struct.signal_type_base") djb_array_ty = array_ty(DJB_KEY_LEN, i8) key_base = spec.fresh_var(signal_type_base_ty, "key_base") key_data = spec.fresh_var(djb_array_ty, "key_data") key = spec.alloc(struct_ty(signal_type_base_ty, djb_array_ty), points_to=struct(key_base, key_data)) return (key_base, key_data, key)
def y_spec(c: Contract) -> None: ss = c.alloc(alias_ty('struct.s')) z = c.fresh_var(i1, 'z') c.execute_func(ss, z) c.points_to_bitfield(ss, 'y', z) c.returns(void)
def specification(self): ss = self.alloc(alias_ty('struct.s')) z = self.fresh_var(i2, 'z') self.execute_func(ss, cry_f('zext {z} : [8]')) self.points_to_bitfield(ss, 'x2', z) self.returns(void)
def specification(self): ss = self.alloc(alias_ty('struct.s')) z = self.fresh_var(i1, 'z') self.points_to_bitfield(ss, 'y', z) self.execute_func(ss) self.returns(z)
def specification(self): tp = self.alloc(alias_ty('struct.t')) b = self.fresh_var(i32, "b") self.points_to(field(field(tp, "n"), "b"), b) self.execute_func(tp) self.returns(b)
def specification(self): (_, x_p) = ptr_to_fresh(self, array_ty(2, i32), "x") p = self.alloc(alias_ty('struct.s'), points_to=struct(x_p)) self.execute_func(p) self.points_to(p, struct(x_p)) self.points_to(x_p, cry('[0, 0] : [2][32]')) self.returns(void)
def drbg_state(spec, n): state = spec.alloc(alias_ty("struct.s2n_drbg")) (key, keyp) = ptr_to_fresh(spec, "key", ctx_type) bytes_used = spec.fresh_var(i64, n + "bytes_used") mixes = spec.fresh_var(i64, n + "mixes") v = spec.fresh_var(bytes_type(blocksize), n + "v") spec.points_to(llvm.field(state, "bytes_used"), bytes_used) spec.points_to(llvm.field(state, "mixes"), mixes) spec.points_to(llvm.field(state, "ctx"), keyp) spec.points_to(llvm.field(state, "v"), v) return ( state, keyp, cry_f( "{{ bytes_used = {bytes_used}, ctx = {{ key = join {key} }}, v = join {v} }}" ))
cryptol_load_file(cryname) cryptol_load_file(drbghelpers) mod = llvm_load_module(bcname) def bytes_type(size): return array_ty(size, i8) blocksize = 16 # blocklen / 8 keysize = 16 # keylen / 8 seedsize = 32 blob_type = alias_ty('struct.s2n_blob') ctx_type = bytes_type(keysize) def alloc_bytes(spec, n): return spec.alloc(bytes_type(n)) def alloc_blob(spec, n): p = spec.alloc(type=blob_type, read_only=True) datap = alloc_bytes(spec, n) spec.points_to(llvm.field(p, "data"), datap) spec.points_to(llvm.field(p, "size"), cry_f("`{n}:[32]")) spec.points_to(llvm.field(p, "allocated"), cry("0:[32]")) spec.points_to(llvm.field(p, "growable"), cry("0:[8]")) return (p, datap)
import os import os.path from saw_client import cryptol_load_file, llvm_assume, llvm_verify from saw_client.llvm import Contract, alias_ty, array, array_ty, cryptol, elem, field, global_var, i8, i32, i64, null, ptr_ty, struct, void from saw_client.proofscript import ProofScript, z3 from buffer_helpers import * from curve import * from load import * from saw_helpers import * cryptol_load_file("cryptol/HMAC.cry") signal_context_ty = alias_ty("struct.signal_context") message_version = 3 HMAC_CONTEXT_LENGTH = 1 RATCHET_MAC_KEY_LENGTH = 32 SERIALIZED_LENGTH = 42 SIGNAL_MESSAGE_MAC_LENGTH = 8 dummy_signal_crypto_provider = struct( global_var("dummy_random_func"), global_var("dummy_hmac_sha256_init_func"), global_var("dummy_hmac_sha256_update_func"), global_var("dummy_hmac_sha256_final_func"), global_var("dummy_hmac_sha256_cleanup_func"), global_var("dummy_sha512_digest_init_func"), global_var("dummy_sha512_digest_update_func"), global_var("dummy_sha512_digest_final_func"),