diff --git a/hax-driver.py b/hax-driver.py
index dc9eaf7d..83e109de 100755
--- a/hax-driver.py
+++ b/hax-driver.py
@@ -98,7 +98,7 @@ def shell(command, expect=0, cwd=None, env={}):
 "-**::non_hax::** -bertie::stream::**",
 "fstar",
 "--interfaces",
- "+** +!bertie::tls13crypto::** +!bertie::tls13utils::**",
+ "+** +!bertie::tls13crypto::** +!bertie::tls13utils::** +!bertie::tls13cert::**"
 ],
 cwd=".",
 env=hax_env,
diff --git a/proofs/fstar/extraction/Bertie.Tls13api.fst b/proofs/fstar/extraction/Bertie.Tls13api.fst
index 6c62b495..cde009b0 100644
--- a/proofs/fstar/extraction/Bertie.Tls13api.fst
+++ b/proofs/fstar/extraction/Bertie.Tls13api.fst
@@ -30,27 +30,26 @@ let in_psk_mode (c: t_Client) = Bertie.Tls13crypto.t_Algorithms) let impl_Client__connect - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (ciphersuite: Bertie.Tls13crypto.t_Algorithms) (server_name: Bertie.Tls13utils.t_Bytes) (session_ticket psk: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & Bertie.Tls13handshake.t_ClientPostClientHello) u8) = - Bertie.Tls13handshake.client_init #iimpl_916461611_ + Bertie.Tls13handshake.client_init #iimpl_447424039_ ciphersuite server_name session_ticket psk rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in match out <:
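Review bot: Adding `+!bertie::tls13cert::**` to the `--interfaces` list changes what the F* extraction checks, and the line carries no comment saying so: elsewhere in this same diff `proofs/fstar/extraction/Bertie.Tls13cert.fst` is deleted outright, which is consistent with `+!` requesting an interface-only extraction, so the ASN.1 certificate-parsing bodies in `tls13cert` would presumably no longer be type-checked (its `.fsti` is not in this chunk, so I cannot see what is assumed in its place). Because that module parses attacker-controlled certificate bytes, the reason for dropping its implementation from extraction and what still covers it belongs next to the flag, e.g. `# tls13cert: interface only (+!), its .fst body is no longer extracted or verified -- <reason>`. The new line also drops the trailing comma the replaced line had, so it no longer matches the sibling list items and a later addition will have to touch two lines; keep `"+** +!bertie::tls13crypto::** +!bertie::tls13utils::** +!bertie::tls13cert::**",`. The enclosing call (the list literal and the `cwd=` / `env=` keywords) starts before this hunk and continues after it.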
@@ -81,19 +80,19 @@ let impl_Client__connect in rng, hax_temp_output <: - (iimpl_916461611_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) | Core.Result.Result_Err err -> rng, (Core.Result.Result_Err err <: Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) <: - (iimpl_916461611_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8)) + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8)) | Core.Result.Result_Err err -> rng, (Core.Result.Result_Err err <: Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) <: - (iimpl_916461611_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) let impl_Client__read_handshake (self: t_Client) (handshake_bytes: Bertie.Tls13utils.t_Bytes) = match self <: t_Client with 
@@ -266,14 +265,89 @@ let impl_Client__write (self: t_Client) (application_data: Bertie.Tls13utils.t_A <: Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8 +let impl_Server__read_handshake (self: t_Server) (handshake_bytes: Bertie.Tls13utils.t_Bytes) = + match self <: t_Server with + | Server_ServerH sstate e_cipher0 cipher_hs cipher1 -> + (match + Bertie.Tls13record.decrypt_handshake handshake_bytes cipher_hs + <: + Core.Result.t_Result + (Bertie.Tls13formats.Handshake_data.t_HandshakeData & + Bertie.Tls13record.t_DuplexCipherStateH) u8 + with + | Core.Result.Result_Ok (cf, e_cipher_hs) -> + (match + Bertie.Tls13handshake.server_finish cf sstate + <: + Core.Result.t_Result Bertie.Tls13handshake.t_ServerPostClientFinished u8 + with + | Core.Result.Result_Ok sstate -> + Core.Result.Result_Ok (Server_Server1 sstate cipher1 <: t_Server) + <: + Core.Result.t_Result t_Server u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result t_Server u8) + | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result t_Server u8 + ) + | _ -> + Core.Result.Result_Err Bertie.Tls13utils.v_INCORRECT_STATE <: Core.Result.t_Result t_Server u8 + +let impl_Server__write (self: t_Server) (application_data: Bertie.Tls13utils.t_AppData) = + match self <: t_Server with + | Server_Server1 sstate cipher1 -> + (match + Bertie.Tls13record.encrypt_data application_data (mk_usize 0) cipher1 + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13record.t_DuplexCipherState1) + u8 + with + | Core.Result.Result_Ok (v_by, cipher1) -> + Core.Result.Result_Ok + (v_by, (Server_Server1 sstate cipher1 <: t_Server) <: (Bertie.Tls13utils.t_Bytes & t_Server) + ) + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Server) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Server) u8 + ) + | _ -> + Core.Result.Result_Err Bertie.Tls13utils.v_INCORRECT_STATE + 
<: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Server) u8 + +let impl_Server__read (self: t_Server) (application_data: Bertie.Tls13utils.t_Bytes) = + match self <: t_Server with + | Server_Server1 sstate cipher1 -> + (match + Bertie.Tls13record.decrypt_data application_data cipher1 + <: + Core.Result.t_Result (Bertie.Tls13utils.t_AppData & Bertie.Tls13record.t_DuplexCipherState1) + u8 + with + | Core.Result.Result_Ok (ad, cipher1) -> + Core.Result.Result_Ok + ((Core.Option.Option_Some ad <: Core.Option.t_Option Bertie.Tls13utils.t_AppData), + (Server_Server1 sstate cipher1 <: t_Server) + <: + (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server)) + <: + Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server) u8) + | _ -> + Core.Result.Result_Err Bertie.Tls13utils.v_INCORRECT_STATE + <: + Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server) u8 + let impl_Server__accept - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (ciphersuite: Bertie.Tls13crypto.t_Algorithms) (db: Bertie.Server.t_ServerDB) (client_hello: Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = let ch_rec:Bertie.Tls13utils.t_Bytes = Core.Clone.f_clone #Bertie.Tls13utils.t_Bytes #FStar.Tactics.Typeclasses.solve client_hello 
@@ -287,7 +361,7 @@ let impl_Server__accept Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 with | Core.Result.Result_Ok ch -> - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -295,9 +369,9 @@ let impl_Server__accept Bertie.Tls13record.t_DuplexCipherStateH & Bertie.Tls13record.t_DuplexCipherState1 & Bertie.Tls13handshake.t_ServerPostServerFinished) u8) = - Bertie.Tls13handshake.server_init #iimpl_916461611_ ciphersuite ch db rng + Bertie.Tls13handshake.server_init #iimpl_447424039_ ciphersuite ch db rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in (match out <: @@ -335,7 +409,7 @@ let impl_Server__accept in rng, hax_temp_output <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8) | Core.Result.Result_Err err -> @@ -345,7 +419,7 @@ let impl_Server__accept Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8)) | Core.Result.Result_Err err -> @@ -355,7 +429,7 @@ let impl_Server__accept Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8)) | Core.Result.Result_Err err -> @@ -365,7 +439,7 @@ let impl_Server__accept Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8 ) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8 )) | Core.Result.Result_Err err -> 
@@ -374,81 +448,5 @@ let impl_Server__accept <: Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8) - -let impl_Server__read_handshake (self: t_Server) (handshake_bytes: Bertie.Tls13utils.t_Bytes) = - match self <: t_Server with - | Server_ServerH sstate e_cipher0 cipher_hs cipher1 -> - (match - Bertie.Tls13record.decrypt_handshake handshake_bytes cipher_hs - <: - Core.Result.t_Result - (Bertie.Tls13formats.Handshake_data.t_HandshakeData & - Bertie.Tls13record.t_DuplexCipherStateH) u8 - with - | Core.Result.Result_Ok (cf, e_cipher_hs) -> - (match - Bertie.Tls13handshake.server_finish cf sstate - <: - Core.Result.t_Result Bertie.Tls13handshake.t_ServerPostClientFinished u8 - with - | Core.Result.Result_Ok sstate -> - Core.Result.Result_Ok (Server_Server1 sstate cipher1 <: t_Server) - <: - Core.Result.t_Result t_Server u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result t_Server u8) - | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result t_Server u8 - ) - | _ -> - Core.Result.Result_Err Bertie.Tls13utils.v_INCORRECT_STATE <: Core.Result.t_Result t_Server u8 - -let impl_Server__write (self: t_Server) (application_data: Bertie.Tls13utils.t_AppData) = - match self <: t_Server with - | Server_Server1 sstate cipher1 -> - (match - Bertie.Tls13record.encrypt_data application_data (mk_usize 0) cipher1 - <: - Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13record.t_DuplexCipherState1) - u8 - with - | Core.Result.Result_Ok (v_by, cipher1) -> - Core.Result.Result_Ok - (v_by, (Server_Server1 sstate cipher1 <: t_Server) <: (Bertie.Tls13utils.t_Bytes & t_Server) - ) - <: - Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Server) u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result 
(Bertie.Tls13utils.t_Bytes & t_Server) u8 - ) - | _ -> - Core.Result.Result_Err Bertie.Tls13utils.v_INCORRECT_STATE - <: - Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Server) u8 - -let impl_Server__read (self: t_Server) (application_data: Bertie.Tls13utils.t_Bytes) = - match self <: t_Server with - | Server_Server1 sstate cipher1 -> - (match - Bertie.Tls13record.decrypt_data application_data cipher1 - <: - Core.Result.t_Result (Bertie.Tls13utils.t_AppData & Bertie.Tls13record.t_DuplexCipherState1) - u8 - with - | Core.Result.Result_Ok (ad, cipher1) -> - Core.Result.Result_Ok - ((Core.Option.Option_Some ad <: Core.Option.t_Option Bertie.Tls13utils.t_AppData), - (Server_Server1 sstate cipher1 <: t_Server) - <: - (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server)) - <: - Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server) u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server) u8) - | _ -> - Core.Result.Result_Err Bertie.Tls13utils.v_INCORRECT_STATE - <: - Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server) u8
diff --git a/proofs/fstar/extraction/Bertie.Tls13api.fsti b/proofs/fstar/extraction/Bertie.Tls13api.fsti
index 62fa65c3..37ef9aea 100644
--- a/proofs/fstar/extraction/Bertie.Tls13api.fsti
+++ b/proofs/fstar/extraction/Bertie.Tls13api.fsti
@@ -46,14 +46,13 @@ val in_psk_mode (c: t_Client) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_T /// client hello record as bytes, and the [`Client`] state as the second element. /// If an error occurs, it returns a [`TLSError`]. val impl_Client__connect - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (ciphersuite: Bertie.Tls13crypto.t_Algorithms) (server_name: Bertie.Tls13utils.t_Bytes) (session_ticket psk: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) - : Prims.Pure (iimpl_916461611_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) + (rng: iimpl_447424039_) + : Prims.Pure (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) Prims.l_True (fun _ -> Prims.l_True) 
@@ -111,33 +110,6 @@ type t_Server = Bertie.Tls13record.t_DuplexCipherState1 -> t_Server -/// Start a new TLS handshake as server. -/// Note that Bertie servers only support a single ciphersuite at a time and -/// do not perform ciphersuite negotiation. -/// This function takes the -/// * `ciphersuite` to use for this server -/// * `db` for the server database containing certificates and keys -/// * `client_hello` for the initial client hello message -/// * `entropy` for the randomness required in the handshake -/// The function returns a [`Result`]. -/// When successful, the function returns a three-tuple with the first element the -/// server hello record as bytes, the second the server finished record as bytes, -/// and the new [`Server`] state as the third element. -/// If an error occurs, it returns a [`TLSError`]. -val impl_Server__accept - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} - (ciphersuite: Bertie.Tls13crypto.t_Algorithms) - (db: Bertie.Server.t_ServerDB) - (client_hello: Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) - : Prims.Pure - (iimpl_916461611_ & - Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8) - Prims.l_True - (fun _ -> Prims.l_True) - /// Read the next handshake Message. /// This function takes the current state and `handshake_bytes` and returns /// the next state or a [`TLSError`]. 
@@ -165,10 +137,36 @@ val impl_Server__write (self: t_Server) (application_data: Bertie.Tls13utils.t_A /// The function returns a [`Result`]. /// When successful, the function returns a tuple with the first element the /// application data as bytes option, and the new [`Server`] state as the second element. -/// If there's no application data, the first element is [`None`]. +/// If there\'s no application data, the first element is [`None`]. /// If an error occurs, it returns a [`TLSError`]. val impl_Server__read (self: t_Server) (application_data: Bertie.Tls13utils.t_Bytes) : Prims.Pure (Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server) u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Start a new TLS handshake as server. +/// Note that Bertie servers only support a single ciphersuite at a time and +/// do not perform ciphersuite negotiation. +/// This function takes the +/// * `ciphersuite` to use for this server +/// * `db` for the server database containing certificates and keys +/// * `client_hello` for the initial client hello message +/// * `entropy` for the randomness required in the handshake +/// The function returns a [`Result`]. +/// When successful, the function returns a three-tuple with the first element the +/// server hello record as bytes, the second the server finished record as bytes, +/// and the new [`Server`] state as the third element. +/// If an error occurs, it returns a [`TLSError`]. +val impl_Server__accept + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} + (ciphersuite: Bertie.Tls13crypto.t_Algorithms) + (db: Bertie.Server.t_ServerDB) + (client_hello: Bertie.Tls13utils.t_Bytes) + (rng: iimpl_447424039_) + : Prims.Pure + (iimpl_447424039_ & + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8) + (requires (Bertie.Tls13utils.impl_Bytes__len client_hello <: usize) >=. mk_usize 5) + (fun _ -> Prims.l_True) 
diff --git a/proofs/fstar/extraction/Bertie.Tls13cert.fst b/proofs/fstar/extraction/Bertie.Tls13cert.fst
deleted file mode 100644
index 4e81147a..00000000
--- a/proofs/fstar/extraction/Bertie.Tls13cert.fst
+++ /dev/null
@@ -1,977 +0,0 @@ -module Bertie.Tls13cert -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Bertie.Tls13utils in - () - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl': Core.Clone.t_Clone t_CertificateKey - -let impl = impl' - -[@@ FStar.Tactics.Typeclasses.tcinstance] -assume -val impl_1': Core.Marker.t_Copy t_CertificateKey - -let impl_1 = impl_1' - -let asn1_error (#v_T: Type0) (err: u8) = Core.Result.Result_Err err <: Core.Result.t_Result v_T u8 - -let long_length (b: Bertie.Tls13utils.t_Bytes) (offset len: usize) = - if len >. mk_usize 4 - then asn1_error #usize v_ASN1_SEQUENCE_TOO_LONG - else - let u32word:t_Array u8 (mk_usize 4) = - Rust_primitives.Hax.repeat (Bertie.Tls13utils.v_U8 (mk_u8 0) <: u8) (mk_usize 4) - in - let u32word:t_Array u8 (mk_usize 4) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range u32word - ({ Core.Ops.Range.f_start = mk_usize 0; Core.Ops.Range.f_end = len } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (u32word.[ { Core.Ops.Range.f_start = mk_usize 0; Core.Ops.Range.f_end = len } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (b.[ { Core.Ops.Range.f_start = offset; Core.Ops.Range.f_end = offset +! len <: usize } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - in - Core.Result.Result_Ok - ((cast (Bertie.Tls13utils.f_declassify #u32 - #u32 - #FStar.Tactics.Typeclasses.solve - (Bertie.Tls13utils.u32_from_be_bytes u32word <: u32) - <: - u32) - <: - usize) >>! - ((mk_usize 4 -! len <: usize) *! mk_usize 8 <: usize)) - <: - Core.Result.t_Result usize u8 - -let length_length (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = - if - ((Bertie.Tls13utils.f_declassify #u8 #u8 #FStar.Tactics.Typeclasses.solve (b.[ offset ] <: u8) - <: - u8) >>! 
- mk_i32 7 - <: - u8) =. - mk_u8 1 - then - cast ((Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (b.[ offset ] <: u8) - <: - u8) &. - mk_u8 127 - <: - u8) - <: - usize - else mk_usize 0 - -let short_length (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = - if - ((Bertie.Tls13utils.f_declassify #u8 #u8 #FStar.Tactics.Typeclasses.solve (b.[ offset ] <: u8) - <: - u8) &. - mk_u8 128 - <: - u8) =. - mk_u8 0 - then - Core.Result.Result_Ok - (cast ((Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (b.[ offset ] <: u8) - <: - u8) &. - mk_u8 127 - <: - u8) - <: - usize) - <: - Core.Result.t_Result usize u8 - else asn1_error #usize v_ASN1_ERROR - -let length (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = - if - ((Bertie.Tls13utils.f_declassify #u8 #u8 #FStar.Tactics.Typeclasses.solve (b.[ offset ] <: u8) - <: - u8) &. - mk_u8 128 - <: - u8) =. - mk_u8 0 - then - match short_length b offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok len -> - Core.Result.Result_Ok (offset +! mk_usize 1, len <: (usize & usize)) - <: - Core.Result.t_Result (usize & usize) u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result (usize & usize) u8 - else - let len:usize = length_length b offset in - let offset:usize = offset +! mk_usize 1 in - match long_length b offset len <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok v_end -> - Core.Result.Result_Ok (offset +! len, v_end <: (usize & usize)) - <: - Core.Result.t_Result (usize & usize) u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result (usize & usize) u8 - -let check_tag (b: Bertie.Tls13utils.t_Bytes) (offset: usize) (value: u8) = - if - (Bertie.Tls13utils.f_declassify #u8 #u8 #FStar.Tactics.Typeclasses.solve (b.[ offset ] <: u8) - <: - u8) =. 
- value - then Core.Result.Result_Ok (() <: Prims.unit) <: Core.Result.t_Result Prims.unit u8 - else asn1_error #Prims.unit v_ASN1_INVALID_TAG - -let read_sequence_header (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = - match check_tag b offset (mk_u8 48) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - let length_length:usize = length_length b offset in - let offset:usize = (offset +! length_length <: usize) +! mk_usize 1 in - Core.Result.Result_Ok offset <: Core.Result.t_Result usize u8 - | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8 - -let read_octet_header (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = - match check_tag b offset (mk_u8 4) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - let length_length:usize = length_length b offset in - let offset:usize = (offset +! length_length <: usize) +! mk_usize 1 in - Core.Result.Result_Ok offset <: Core.Result.t_Result usize u8 - | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8 - -let skip_sequence (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = - match check_tag b offset (mk_u8 48) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - (match length b offset <: Core.Result.t_Result (usize & usize) u8 with - | Core.Result.Result_Ok (offset, length) -> - Core.Result.Result_Ok (offset +! 
length) <: Core.Result.t_Result usize u8 - | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8) - | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8 - -let read_version_number (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = - match check_tag b offset (mk_u8 160) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - (match short_length b offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok length -> - Core.Result.Result_Ok ((offset +! mk_usize 1 <: usize) +! length) - <: - Core.Result.t_Result usize u8 - | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8) - | Core.Result.Result_Err _ -> Core.Result.Result_Ok offset <: Core.Result.t_Result usize u8 - -let skip_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = - match check_tag b offset (mk_u8 2) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - (match length b offset <: Core.Result.t_Result (usize & usize) u8 with - | Core.Result.Result_Ok (offset, length) -> - Core.Result.Result_Ok (offset +! length) <: Core.Result.t_Result usize u8 - | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8) - | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8 - -let read_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = - match check_tag b offset (mk_u8 2) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! 
mk_usize 1 in - (match length b offset <: Core.Result.t_Result (usize & usize) u8 with - | Core.Result.Result_Ok (offset, length) -> - Core.Result.Result_Ok (Bertie.Tls13utils.impl_Bytes__slice b offset length) - <: - Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - -let x962_ec_public_key_oid (_: Prims.unit) = - Core.Convert.f_into #(t_Array u8 (mk_usize 7)) - #Bertie.Tls13utils.t_Bytes - #FStar.Tactics.Typeclasses.solve - (let list = [mk_u8 42; mk_u8 134; mk_u8 72; mk_u8 206; mk_u8 61; mk_u8 2; mk_u8 1] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 7); - Rust_primitives.Hax.array_of_list 7 list) - -let ecdsa_secp256r1_sha256_oid (_: Prims.unit) = - Core.Convert.f_into #(t_Array u8 (mk_usize 8)) - #Bertie.Tls13utils.t_Bytes - #FStar.Tactics.Typeclasses.solve - (let list = [mk_u8 42; mk_u8 134; mk_u8 72; mk_u8 206; mk_u8 61; mk_u8 3; mk_u8 1; mk_u8 7] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); - Rust_primitives.Hax.array_of_list 8 list) - -let rsa_pkcs1_encryption_oid (_: Prims.unit) = - Core.Convert.f_into #(t_Array u8 (mk_usize 9)) - #Bertie.Tls13utils.t_Bytes - #FStar.Tactics.Typeclasses.solve - (let list = - [mk_u8 42; mk_u8 134; mk_u8 72; mk_u8 134; mk_u8 247; mk_u8 13; mk_u8 1; mk_u8 1; mk_u8 1] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 9); - Rust_primitives.Hax.array_of_list 9 list) - -let check_success (v_val: bool) = - if v_val - then Core.Result.Result_Ok (() <: Prims.unit) <: Core.Result.t_Result Prims.unit u8 - else asn1_error #Prims.unit v_ASN1_ERROR - -let read_spki (cert: Bertie.Tls13utils.t_Bytes) (offset: usize) = - match check_tag cert offset (mk_u8 48) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let 
offset:usize = offset +! mk_usize 1 in - (match length cert offset <: Core.Result.t_Result (usize & usize) u8 with - | Core.Result.Result_Ok (offset, e_seq_len) -> - (match check_tag cert offset (mk_u8 48) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - (match length cert offset <: Core.Result.t_Result (usize & usize) u8 with - | Core.Result.Result_Ok (offset, seq_len) -> - (match check_tag cert offset (mk_u8 6) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - (match - length cert (offset +! mk_usize 1 <: usize) - <: - Core.Result.t_Result (usize & usize) u8 - with - | Core.Result.Result_Ok (oid_offset, oid_len) -> - let ec_pk_oid, ecdsa_p256, rsa_pk_oid:(bool & bool & bool) = - false, false, false <: (bool & bool & bool) - in - let ec_oid:Bertie.Tls13utils.t_Bytes = x962_ec_public_key_oid () in - let rsa_oid:Bertie.Tls13utils.t_Bytes = rsa_pkcs1_encryption_oid () in - if (Bertie.Tls13utils.impl_Bytes__len ec_oid <: usize) =. oid_len - then - let ec_pk_oid:bool = true in - let ec_pk_oid:bool = - Rust_primitives.Hax.Folds.fold_range (mk_usize 0) - (Bertie.Tls13utils.impl_Bytes__len ec_oid <: usize) - (fun ec_pk_oid temp_1_ -> - let ec_pk_oid:bool = ec_pk_oid in - let _:usize = temp_1_ in - true) - ec_pk_oid - (fun ec_pk_oid i -> - let ec_pk_oid:bool = ec_pk_oid in - let i:usize = i in - let oid_byte_equal:bool = - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (cert.[ oid_offset +! i <: usize ] <: u8) - <: - u8) =. - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (ec_oid.[ i ] <: u8) - <: - u8) - in - let ec_pk_oid:bool = ec_pk_oid && oid_byte_equal in - ec_pk_oid) - in - if ec_pk_oid - then - let oid_offset:usize = oid_offset +! oid_len in - match - check_tag cert oid_offset (mk_u8 6) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - let oid_offset:usize = oid_offset +! 
mk_usize 1 in - (match - length cert oid_offset <: Core.Result.t_Result (usize & usize) u8 - with - | Core.Result.Result_Ok (oid_offset, e_oid_len) -> - let ecdsa_p256:bool = true in - let ec_oid:Bertie.Tls13utils.t_Bytes = - ecdsa_secp256r1_sha256_oid () - in - let ecdsa_p256:bool = - Rust_primitives.Hax.Folds.fold_range (mk_usize 0) - (Bertie.Tls13utils.impl_Bytes__len ec_oid <: usize) - (fun ecdsa_p256 temp_1_ -> - let ecdsa_p256:bool = ecdsa_p256 in - let _:usize = temp_1_ in - true) - ecdsa_p256 - (fun ecdsa_p256 i -> - let ecdsa_p256:bool = ecdsa_p256 in - let i:usize = i in - let oid_byte_equal:bool = - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (cert.[ oid_offset +! i <: usize ] <: u8) - <: - u8) =. - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (ec_oid.[ i ] <: u8) - <: - u8) - in - let ecdsa_p256:bool = ecdsa_p256 && oid_byte_equal in - ecdsa_p256) - in - (match - check_success ecdsa_p256 <: Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - let ec_pk_oid, ecdsa_p256, oid_offset:(bool & bool & usize) = - ec_pk_oid, ecdsa_p256, oid_offset <: (bool & bool & usize) - in - let rsa_pk_oid:bool = - if - (Bertie.Tls13utils.impl_Bytes__len rsa_oid <: usize) =. - oid_len - then - let rsa_pk_oid:bool = true in - Rust_primitives.Hax.Folds.fold_range (mk_usize 0) - (Bertie.Tls13utils.impl_Bytes__len rsa_oid <: usize) - (fun rsa_pk_oid temp_1_ -> - let rsa_pk_oid:bool = rsa_pk_oid in - let _:usize = temp_1_ in - true) - rsa_pk_oid - (fun rsa_pk_oid i -> - let rsa_pk_oid:bool = rsa_pk_oid in - let i:usize = i in - let oid_byte_equal:bool = - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (cert.[ oid_offset +! i <: usize ] <: u8) - <: - u8) =. 
- (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (rsa_oid.[ i ] <: u8) - <: - u8) - in - let rsa_pk_oid:bool = - rsa_pk_oid && oid_byte_equal - in - rsa_pk_oid) - else rsa_pk_oid - in - (match - check_success (ec_pk_oid && ecdsa_p256 || rsa_pk_oid) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! seq_len in - (match - check_tag cert offset (mk_u8 3) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - (match - length cert offset - <: - Core.Result.t_Result (usize & usize) u8 - with - | Core.Result.Result_Ok (offset, bit_string_len) -> - let offset:usize = - if - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (cert.[ offset ] <: u8) - <: - u8) =. - mk_u8 0 - then - let offset:usize = offset +! mk_usize 1 in - offset - else offset - in - if ec_pk_oid && ecdsa_p256 - then - Core.Result.Result_Ok - ((Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 - <: - Bertie.Tls13crypto.t_SignatureScheme), - (CertificateKey offset - (bit_string_len -! mk_usize 1) - <: - t_CertificateKey) - <: - (Bertie.Tls13crypto.t_SignatureScheme & - t_CertificateKey)) - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & - t_CertificateKey) u8 - else - if rsa_pk_oid - then - Core.Result.Result_Ok - ((Bertie.Tls13crypto.SignatureScheme_RsaPssRsaSha256 - <: - Bertie.Tls13crypto.t_SignatureScheme), - (CertificateKey offset - (bit_string_len -! 
mk_usize 1) - <: - t_CertificateKey) - <: - (Bertie.Tls13crypto.t_SignatureScheme & - t_CertificateKey)) - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & - t_CertificateKey) u8 - else - asn1_error #(Bertie.Tls13crypto.t_SignatureScheme & - t_CertificateKey) - v_ASN1_INVALID_CERTIFICATE - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & - t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & - t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey - ) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8 - ) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8 - else - let ec_pk_oid, ecdsa_p256, oid_offset:(bool & bool & usize) = - ec_pk_oid, ecdsa_p256, oid_offset <: (bool & bool & usize) - in - let rsa_pk_oid:bool = - if (Bertie.Tls13utils.impl_Bytes__len rsa_oid <: usize) =. oid_len - then - let rsa_pk_oid:bool = true in - Rust_primitives.Hax.Folds.fold_range (mk_usize 0) - (Bertie.Tls13utils.impl_Bytes__len rsa_oid <: usize) - (fun rsa_pk_oid temp_1_ -> - let rsa_pk_oid:bool = rsa_pk_oid in - let _:usize = temp_1_ in - true) - rsa_pk_oid - (fun rsa_pk_oid i -> - let rsa_pk_oid:bool = rsa_pk_oid in - let i:usize = i in - let oid_byte_equal:bool = - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (cert.[ oid_offset +! i <: usize ] <: u8) - <: - u8) =. 
- (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (rsa_oid.[ i ] <: u8) - <: - u8) - in - let rsa_pk_oid:bool = rsa_pk_oid && oid_byte_equal in - rsa_pk_oid) - else rsa_pk_oid - in - match - check_success (ec_pk_oid && ecdsa_p256 || rsa_pk_oid) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! seq_len in - (match - check_tag cert offset (mk_u8 3) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - (match - length cert offset <: Core.Result.t_Result (usize & usize) u8 - with - | Core.Result.Result_Ok (offset, bit_string_len) -> - let offset:usize = - if - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (cert.[ offset ] <: u8) - <: - u8) =. - mk_u8 0 - then - let offset:usize = offset +! mk_usize 1 in - offset - else offset - in - if ec_pk_oid && ecdsa_p256 - then - Core.Result.Result_Ok - ((Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 - <: - Bertie.Tls13crypto.t_SignatureScheme), - (CertificateKey offset (bit_string_len -! mk_usize 1) - <: - t_CertificateKey) - <: - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey)) - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) - u8 - else - if rsa_pk_oid - then - Core.Result.Result_Ok - ((Bertie.Tls13crypto.SignatureScheme_RsaPssRsaSha256 - <: - Bertie.Tls13crypto.t_SignatureScheme), - (CertificateKey offset (bit_string_len -! 
mk_usize 1) - <: - t_CertificateKey) - <: - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey - )) - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey - ) u8 - else - asn1_error #(Bertie.Tls13crypto.t_SignatureScheme & - t_CertificateKey) - v_ASN1_INVALID_CERTIFICATE - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8 - ) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8 - else - let ec_pk_oid, ecdsa_p256, oid_offset:(bool & bool & usize) = - ec_pk_oid, ecdsa_p256, oid_offset <: (bool & bool & usize) - in - let rsa_pk_oid:bool = - if (Bertie.Tls13utils.impl_Bytes__len rsa_oid <: usize) =. oid_len - then - let rsa_pk_oid:bool = true in - Rust_primitives.Hax.Folds.fold_range (mk_usize 0) - (Bertie.Tls13utils.impl_Bytes__len rsa_oid <: usize) - (fun rsa_pk_oid temp_1_ -> - let rsa_pk_oid:bool = rsa_pk_oid in - let _:usize = temp_1_ in - true) - rsa_pk_oid - (fun rsa_pk_oid i -> - let rsa_pk_oid:bool = rsa_pk_oid in - let i:usize = i in - let oid_byte_equal:bool = - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (cert.[ oid_offset +! i <: usize ] <: u8) - <: - u8) =. - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (rsa_oid.[ i ] <: u8) - <: - u8) - in - let rsa_pk_oid:bool = rsa_pk_oid && oid_byte_equal in - rsa_pk_oid) - else rsa_pk_oid - in - (match - check_success (ec_pk_oid && ecdsa_p256 || rsa_pk_oid) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! 
seq_len in - (match - check_tag cert offset (mk_u8 3) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - (match - length cert offset <: Core.Result.t_Result (usize & usize) u8 - with - | Core.Result.Result_Ok (offset, bit_string_len) -> - let offset:usize = - if - (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (cert.[ offset ] <: u8) - <: - u8) =. - mk_u8 0 - then - let offset:usize = offset +! mk_usize 1 in - offset - else offset - in - if ec_pk_oid && ecdsa_p256 - then - Core.Result.Result_Ok - ((Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 - <: - Bertie.Tls13crypto.t_SignatureScheme), - (CertificateKey offset (bit_string_len -! mk_usize 1) - <: - t_CertificateKey) - <: - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey)) - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) - u8 - else - if rsa_pk_oid - then - Core.Result.Result_Ok - ((Bertie.Tls13crypto.SignatureScheme_RsaPssRsaSha256 - <: - Bertie.Tls13crypto.t_SignatureScheme), - (CertificateKey offset (bit_string_len -! 
mk_usize 1) - <: - t_CertificateKey) - <: - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey - )) - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey - ) u8 - else - asn1_error #(Bertie.Tls13crypto.t_SignatureScheme & - t_CertificateKey) - v_ASN1_INVALID_CERTIFICATE - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8 - ) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) - u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8 - -let verification_key_from_cert (cert: Bertie.Tls13utils.t_Bytes) = - match read_sequence_header cert (mk_usize 0) <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok offset -> - (match read_sequence_header cert offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok 
hoist107 -> - let offset:usize = hoist107 in - (match read_version_number cert offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist108 -> - let offset:usize = hoist108 in - (match skip_integer cert offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist109 -> - let offset:usize = hoist109 in - (match skip_sequence cert offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist110 -> - let offset:usize = hoist110 in - (match skip_sequence cert offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist111 -> - let offset:usize = hoist111 in - (match skip_sequence cert offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist112 -> - let offset:usize = hoist112 in - (match skip_sequence cert offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist113 -> - let offset:usize = hoist113 in - read_spki cert offset - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result - (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) - u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & 
t_CertificateKey) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8 - -let ecdsa_public_key (cert: Bertie.Tls13utils.t_Bytes) (indices: t_CertificateKey) = - let CertificateKey offset len:t_CertificateKey = indices in - match check_tag cert offset (mk_u8 4) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - Core.Result.Result_Ok - (Bertie.Tls13utils.impl_Bytes__slice cert - (offset +! mk_usize 1 <: usize) - (len -! mk_usize 1 <: usize)) - <: - Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - -let rsa_public_key (cert: Bertie.Tls13utils.t_Bytes) (indices: t_CertificateKey) = - let CertificateKey offset e_len:t_CertificateKey = indices in - match check_tag cert offset (mk_u8 48) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - (match length cert offset <: Core.Result.t_Result (usize & usize) u8 with - | Core.Result.Result_Ok (offset, e_seq_len) -> - (match check_tag cert offset (mk_u8 2) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! mk_usize 1 in - (match length cert offset <: Core.Result.t_Result (usize & usize) u8 with - | Core.Result.Result_Ok (offset, int_len) -> - let n:Bertie.Tls13utils.t_Bytes = - Bertie.Tls13utils.impl_Bytes__slice cert offset int_len - in - let offset:usize = offset +! int_len in - (match check_tag cert offset (mk_u8 2) <: Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok _ -> - let offset:usize = offset +! 
mk_usize 1 in - (match length cert offset <: Core.Result.t_Result (usize & usize) u8 with - | Core.Result.Result_Ok (offset, int_len) -> - let e:Bertie.Tls13utils.t_Bytes = - Bertie.Tls13utils.impl_Bytes__slice cert offset int_len - in - Core.Result.Result_Ok - ({ Bertie.Tls13crypto.f_modulus = n; Bertie.Tls13crypto.f_exponent = e } - <: - Bertie.Tls13crypto.t_RsaVerificationKey) - <: - Core.Result.t_Result Bertie.Tls13crypto.t_RsaVerificationKey u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13crypto.t_RsaVerificationKey u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13crypto.t_RsaVerificationKey u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13crypto.t_RsaVerificationKey u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13crypto.t_RsaVerificationKey u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13crypto.t_RsaVerificationKey u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13crypto.t_RsaVerificationKey u8 - -let rsa_private_key (key: Bertie.Tls13utils.t_Bytes) = - match read_sequence_header key (mk_usize 0) <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok offset -> - (match skip_integer key offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist114 -> - let offset:usize = hoist114 in - (match skip_sequence key offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist115 -> - let offset:usize = hoist115 in - (match read_octet_header key offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist116 -> - let offset:usize = hoist116 in - (match read_sequence_header key offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist117 -> - let 
offset:usize = hoist117 in - (match skip_integer key offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist118 -> - let offset:usize = hoist118 in - (match skip_integer key offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist119 -> - let offset:usize = hoist119 in - (match skip_integer key offset <: Core.Result.t_Result usize u8 with - | Core.Result.Result_Ok hoist120 -> - let offset:usize = hoist120 in - read_integer key offset - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - -let cert_public_key - (certificate: Bertie.Tls13utils.t_Bytes) - (spki: (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey)) - = - match spki._1 <: Bertie.Tls13crypto.t_SignatureScheme with - | Bertie.Tls13crypto.SignatureScheme_ED25519 -> - asn1_error #Bertie.Tls13crypto.t_PublicVerificationKey v_ASN1_UNSUPPORTED_ALGORITHM - | Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 -> - (match - ecdsa_public_key certificate spki._2 <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - with - | Core.Result.Result_Ok pk -> - Core.Result.Result_Ok - 
(Bertie.Tls13crypto.PublicVerificationKey_EcDsa pk - <: - Bertie.Tls13crypto.t_PublicVerificationKey) - <: - Core.Result.t_Result Bertie.Tls13crypto.t_PublicVerificationKey u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13crypto.t_PublicVerificationKey u8) - | Bertie.Tls13crypto.SignatureScheme_RsaPssRsaSha256 -> - match - rsa_public_key certificate spki._2 - <: - Core.Result.t_Result Bertie.Tls13crypto.t_RsaVerificationKey u8 - with - | Core.Result.Result_Ok pk -> - Core.Result.Result_Ok - (Bertie.Tls13crypto.PublicVerificationKey_Rsa pk <: Bertie.Tls13crypto.t_PublicVerificationKey - ) - <: - Core.Result.t_Result Bertie.Tls13crypto.t_PublicVerificationKey u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13crypto.t_PublicVerificationKey u8 diff --git a/proofs/fstar/extraction/Bertie.Tls13cert.fsti b/proofs/fstar/extraction/Bertie.Tls13cert.fsti index 40c014b5..96c7facb 100644 --- a/proofs/fstar/extraction/Bertie.Tls13cert.fsti +++ b/proofs/fstar/extraction/Bertie.Tls13cert.fsti 
@@ -32,24 +32,62 @@ val asn1_error (#v_T: Type0) (err: u8)
     : Prims.Pure (Core.Result.t_Result v_T u8) Prims.l_True (fun _ -> Prims.l_True)
 
 val long_length (b: Bertie.Tls13utils.t_Bytes) (offset len: usize)
-    : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (Core.Result.t_Result usize u8)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:Core.Result.t_Result usize u8 = result in
+          match result <: Core.Result.t_Result usize u8 with
+          | Core.Result.Result_Ok _ ->
+            (Bertie.Tls13utils.impl_Bytes__len b <: usize) >=. offset &&
+            ((Bertie.Tls13utils.impl_Bytes__len b <: usize) -! offset <: usize) >=. len
+          | _ -> true)
 
 val length_length (b: Bertie.Tls13utils.t_Bytes) (offset: usize)
-    : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (Core.Result.t_Result usize u8)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:Core.Result.t_Result usize u8 = result in
+          match result <: Core.Result.t_Result usize u8 with
+          | Core.Result.Result_Ok l ->
+            (Bertie.Tls13utils.impl_Bytes__len b <: usize) >. offset && l <=. mk_usize 255
+          | _ -> true)
 
 val short_length (b: Bertie.Tls13utils.t_Bytes) (offset: usize)
-    : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (Core.Result.t_Result usize u8)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:Core.Result.t_Result usize u8 = result in
+          match result <: Core.Result.t_Result usize u8 with
+          | Core.Result.Result_Ok _ -> (Bertie.Tls13utils.impl_Bytes__len b <: usize) >. offset
+          | _ -> true)
 
 /// Get the length of an ASN.1 type.
 /// This assumes that the length starts at the beginning of the provided byte
 /// sequence.
 /// Returns: (offset, length)
 val length (b: Bertie.Tls13utils.t_Bytes) (offset: usize)
-    : Prims.Pure (Core.Result.t_Result (usize & usize) u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (Core.Result.t_Result (usize & usize) u8)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:Core.Result.t_Result (usize & usize) u8 = result in
+          match result <: Core.Result.t_Result (usize & usize) u8 with
+          | Core.Result.Result_Ok _ -> (Bertie.Tls13utils.impl_Bytes__len b <: usize) >. offset
+          | _ -> true)
 
 /// Check that the tag has a certain value.
 val check_tag (b: Bertie.Tls13utils.t_Bytes) (offset: usize) (value: u8)
-    : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (Core.Result.t_Result Prims.unit u8)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:Core.Result.t_Result Prims.unit u8 = result in
+          match result <: Core.Result.t_Result Prims.unit u8 with
+          | Core.Result.Result_Ok _ -> (Bertie.Tls13utils.impl_Bytes__len b <: usize) >. offset
+          | _ -> true)
 
 /// Read a byte sequence header from the provided bytes.
 /// Returns the new offset into the bytes.
@@ -116,7 +154,7 @@ val verification_key_from_cert (cert: Bertie.Tls13utils.t_Bytes)
 /// Read the EC PK from the cert as uncompressed point.
 val ecdsa_public_key (cert: Bertie.Tls13utils.t_Bytes) (indices: t_CertificateKey)
     : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8)
-      Prims.l_True
+      (requires v indices._1 > 0 && Seq.length cert._0 >= v indices._0 + v indices._1)
       (fun _ -> Prims.l_True)
 
 val rsa_public_key (cert: Bertie.Tls13utils.t_Bytes) (indices: t_CertificateKey)
diff --git a/proofs/fstar/extraction/Bertie.Tls13crypto.fsti b/proofs/fstar/extraction/Bertie.Tls13crypto.fsti
index 285144e4..be95cf2b 100644
--- a/proofs/fstar/extraction/Bertie.Tls13crypto.fsti
+++ b/proofs/fstar/extraction/Bertie.Tls13crypto.fsti
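Review bot: The new `ensures` on `length` (first hunk) only states `(Bertie.Tls13utils.impl_Bytes__len b <: usize) >. offset` for the input offset and says nothing about the returned `(offset, length)` pair, while the second hunk makes `ecdsa_public_key` require `v indices._1 > 0 && Seq.length cert._0 >= v indices._0 + v indices._1`. A caller in another module that builds its `t_CertificateKey` from `length`'s result therefore cannot discharge that precondition from this interface alone; inside the module the proof presumably goes through because the `.fst` bodies are visible there. If the implementation already rejects a parsed content length that overruns `b`, exporting it as `| Core.Result.Result_Ok (off, l) -> v off + v l <= Seq.length b._0` would make the bounds-check contract explicit at the interface instead of leaving it to each caller's proof. These `.fsti` files are hax extraction output, so the change belongs in the `ensures` annotation on the Rust side rather than here.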
@@ -21,7 +21,7 @@ type t_RsaVerificationKey = {
 }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_8:Core.Fmt.t_Debug t_RsaVerificationKey
+val impl_5:Core.Fmt.t_Debug t_RsaVerificationKey
 
 /// Bertie public verification keys.
 type t_PublicVerificationKey =
@@ -29,7 +29,7 @@ type t_PublicVerificationKey =
   | PublicVerificationKey_Rsa : t_RsaVerificationKey -> t_PublicVerificationKey
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_9:Core.Fmt.t_Debug t_PublicVerificationKey
+val impl_6:Core.Fmt.t_Debug t_PublicVerificationKey
 
 /// Bertie hash algorithms.
 type t_HashAlgorithm =
@@ -41,19 +41,19 @@ val t_HashAlgorithm_cast_to_repr (x: t_HashAlgorithm)
     : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_10:Core.Clone.t_Clone t_HashAlgorithm
+val impl_7:Core.Clone.t_Clone t_HashAlgorithm
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_11:Core.Marker.t_Copy t_HashAlgorithm
+val impl_8:Core.Marker.t_Copy t_HashAlgorithm
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_12:Core.Marker.t_StructuralPartialEq t_HashAlgorithm
+val impl_9:Core.Marker.t_StructuralPartialEq t_HashAlgorithm
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_13:Core.Cmp.t_PartialEq t_HashAlgorithm t_HashAlgorithm
+val impl_10:Core.Cmp.t_PartialEq t_HashAlgorithm t_HashAlgorithm
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_14:Core.Fmt.t_Debug t_HashAlgorithm
+val impl_11:Core.Fmt.t_Debug t_HashAlgorithm
 
 /// Get the libcrux hash algorithm
 val impl_HashAlgorithm__libcrux_algorithm (self: t_HashAlgorithm)
@@ -68,16 +68,21 @@ val impl_HashAlgorithm__hash (self: t_HashAlgorithm) (data: Bertie.Tls13utils.t_
       Prims.l_True
       (fun _ -> Prims.l_True)
 
-/// Get the size of the hash digest.
-val impl_HashAlgorithm__hash_len (self: t_HashAlgorithm)
-    : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
-
 /// Get the libcrux hmac algorithm.
 val impl_HashAlgorithm__hmac_algorithm (self: t_HashAlgorithm)
     : Prims.Pure (Core.Result.t_Result Libcrux_hmac.t_Algorithm u8)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
+/// Get the size of the hash digest.
+val impl_HashAlgorithm__hash_len (self: t_HashAlgorithm)
+    : Prims.Pure usize
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:usize = result in
+          result <=. mk_usize 64)
+
 /// Get the size of the hmac tag.
 val impl_HashAlgorithm__hmac_tag_len (self: t_HashAlgorithm)
     : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
@@ -148,19 +153,19 @@ val t_AeadAlgorithm_cast_to_repr (x: t_AeadAlgorithm)
     : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_15:Core.Clone.t_Clone t_AeadAlgorithm
+val impl_13:Core.Clone.t_Clone t_AeadAlgorithm
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_16:Core.Marker.t_Copy t_AeadAlgorithm
+val impl_14:Core.Marker.t_Copy t_AeadAlgorithm
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_17:Core.Marker.t_StructuralPartialEq t_AeadAlgorithm
+val impl_15:Core.Marker.t_StructuralPartialEq t_AeadAlgorithm
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_18:Core.Cmp.t_PartialEq t_AeadAlgorithm t_AeadAlgorithm
+val impl_16:Core.Cmp.t_PartialEq t_AeadAlgorithm t_AeadAlgorithm
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_19:Core.Fmt.t_Debug t_AeadAlgorithm
+val impl_17:Core.Fmt.t_Debug t_AeadAlgorithm
 
 /// Get the key length of the AEAD algorithm in bytes.
 val impl_AeadAlgorithm__key_len (self: t_AeadAlgorithm)
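Review bot: `impl_HashAlgorithm__hash_len` now carries `result <=. mk_usize 64`, but the sibling `impl_HashAlgorithm__hmac_tag_len` three lines below keeps the unconstrained `Prims.l_True` postcondition, so only one of the two size accessors gives callers a usable bound. If the HMAC tag length is the digest length for every supported algorithm (the names suggest so; confirm in the Rust source), the same `(ensures fun result -> let result:usize = result in result <=. mk_usize 64)` on `hmac_tag_len` would keep the two contracts consistent and let buffer-size proofs on tag handling go through the same way. As this file is hax output, the annotation belongs on the Rust method.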
@@ -192,19 +197,19 @@ val t_SignatureScheme_cast_to_repr (x: t_SignatureScheme)
     : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_20:Core.Clone.t_Clone t_SignatureScheme
+val impl_18:Core.Clone.t_Clone t_SignatureScheme
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_21:Core.Marker.t_Copy t_SignatureScheme
+val impl_19:Core.Marker.t_Copy t_SignatureScheme
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_22:Core.Marker.t_StructuralPartialEq t_SignatureScheme
+val impl_20:Core.Marker.t_StructuralPartialEq t_SignatureScheme
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_23:Core.Cmp.t_PartialEq t_SignatureScheme t_SignatureScheme
+val impl_21:Core.Cmp.t_PartialEq t_SignatureScheme t_SignatureScheme
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_24:Core.Fmt.t_Debug t_SignatureScheme
+val impl_22:Core.Fmt.t_Debug t_SignatureScheme
 
 /// Sign the bytes in `input` with the signature key `sk` and `algorithm`.
 val sign
@@ -229,14 +234,13 @@ val valid_rsa_exponent (e: Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global)
 
 /// Sign the `input` with the provided RSA key.
 val sign_rsa
-      (#iimpl_916461611_: Type0)
-      {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |}
-      {| i2: Rand_core.t_RngCore iimpl_916461611_ |}
+      (#iimpl_447424039_: Type0)
+      {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |}
       (sk pk_modulus pk_exponent: Bertie.Tls13utils.t_Bytes)
       (cert_scheme: t_SignatureScheme)
       (input: Bertie.Tls13utils.t_Bytes)
-      (rng: iimpl_916461611_)
-    : Prims.Pure (iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8)
+      (rng: iimpl_447424039_)
+    : Prims.Pure (iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8)
       Prims.l_True
       (fun _ -> Prims.l_True)
 
@@ -263,22 +267,22 @@ val t_KemScheme_cast_to_repr (x: t_KemScheme)
     : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True)
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_25:Core.Clone.t_Clone t_KemScheme
+val impl_23:Core.Clone.t_Clone t_KemScheme
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_26:Core.Marker.t_Copy t_KemScheme
+val impl_24:Core.Marker.t_Copy t_KemScheme
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_27:Core.Marker.t_StructuralPartialEq t_KemScheme
+val impl_25:Core.Marker.t_StructuralPartialEq t_KemScheme
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_28:Core.Cmp.t_PartialEq t_KemScheme t_KemScheme
+val impl_26:Core.Cmp.t_PartialEq t_KemScheme t_KemScheme
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_29:Core.Cmp.t_Eq t_KemScheme
+val impl_27:Core.Cmp.t_Eq t_KemScheme
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_30:Core.Fmt.t_Debug t_KemScheme
+val impl_28:Core.Fmt.t_Debug t_KemScheme
 
 /// Get the libcrux algorithm for this [`KemScheme`].
 val impl_KemScheme__libcrux_kem_algorithm (self: t_KemScheme)
@@ -294,13 +298,12 @@ val encoding_prefix (alg: t_KemScheme)
 
 /// Generate a new KEM key pair.
 val kem_keygen
-      (#iimpl_916461611_: Type0)
-      {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |}
-      {| i2: Rand_core.t_RngCore iimpl_916461611_ |}
+      (#iimpl_447424039_: Type0)
+      {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |}
       (alg: t_KemScheme)
-      (rng: iimpl_916461611_)
+      (rng: iimpl_447424039_)
     : Prims.Pure
-      (iimpl_916461611_ &
+      (iimpl_447424039_ &
         Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8)
       Prims.l_True
       (fun _ -> Prims.l_True)
@@ -316,14 +319,13 @@ val to_shared_secret (alg: t_KemScheme) (shared_secret: Bertie.Tls13utils.t_Byte
 
 /// KEM encapsulation
 val kem_encap
-      (#iimpl_916461611_: Type0)
-      {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |}
-      {| i2: Rand_core.t_RngCore iimpl_916461611_ |}
+      (#iimpl_447424039_: Type0)
+      {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |}
       (alg: t_KemScheme)
       (pk: Bertie.Tls13utils.t_Bytes)
-      (rng: iimpl_916461611_)
+      (rng: iimpl_447424039_)
     : Prims.Pure
-      (iimpl_916461611_ &
+      (iimpl_447424039_ &
         Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8)
       Prims.l_True
       (fun _ -> Prims.l_True)
@@ -347,19 +349,19 @@ type t_Algorithms = {
 }
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_31:Core.Clone.t_Clone t_Algorithms
+val impl_29:Core.Clone.t_Clone t_Algorithms
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_32:Core.Marker.t_Copy t_Algorithms
+val impl_30:Core.Marker.t_Copy t_Algorithms
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_33:Core.Marker.t_StructuralPartialEq t_Algorithms
+val impl_31:Core.Marker.t_StructuralPartialEq t_Algorithms
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_34:Core.Cmp.t_PartialEq t_Algorithms t_Algorithms
+val impl_32:Core.Cmp.t_PartialEq t_Algorithms t_Algorithms
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_35:Core.Fmt.t_Debug t_Algorithms
+val impl_33:Core.Fmt.t_Debug t_Algorithms
 
 /// Create a new [`Algorithms`] object for the TLS 1.3 ciphersuite.
 val impl_Algorithms__new
@@ -417,10 +419,21 @@ val impl_Algorithms__signature_algorithm (self: t_Algorithms)
 
 /// Check the ciphersuite in `bytes` against this ciphersuite.
 val impl_Algorithms__check (self: t_Algorithms) (bytes: t_Slice u8)
-    : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True)
+    : Prims.Pure (Core.Result.t_Result usize u8)
+      Prims.l_True
+      (ensures
+        fun result ->
+          let result:Core.Result.t_Result usize u8 = result in
+          match result <: Core.Result.t_Result usize u8 with
+          | Core.Result.Result_Ok len ->
+            (Core.Slice.impl__len #u8 bytes <: usize) >=. len && len <. mk_usize 65538
+          | _ -> true)
+
+[@@ FStar.Tactics.Typeclasses.tcinstance]
+val impl_35:Core.Convert.t_TryFrom t_Algorithms string
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
-val impl_7:Core.Fmt.t_Display t_Algorithms
+val impl_4:Core.Fmt.t_Display t_Algorithms
 
 /// `TLS_CHACHA20_POLY1305_SHA256`
 /// with
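Review bot: The bound `len <. mk_usize 65538` in the new `ensures` on `impl_Algorithms__check` is a bare constant, and nothing in the interface says where it comes from, so a reader cannot tell whether a later change to the ciphersuite wire encoding would silently invalidate the proof that depends on it. The doc comment above the `val` should name the derivation, along the lines of `/// On success the returned length is at most 65537: a 2-byte length prefix plus a list whose length fits in a u16.` — that decomposition is my reading of the number and should be confirmed against the Rust source before it is written down. Since this file is hax output, the comment belongs on the Rust method carrying the `ensures` annotation.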
@@ -493,60 +506,3 @@ let v_SHA256_Chacha20Poly1305_RsaPssRsaSha256_P256: t_Algorithms =
     (KemScheme_Secp256r1 <: t_KemScheme)
     false
     false
-
-[@@ FStar.Tactics.Typeclasses.tcinstance]
-let impl_6: Core.Convert.t_TryFrom t_Algorithms string =
-  {
-    f_Error = Bertie.Tls13utils.t_Error;
-    f_try_from_pre = (fun (s: string) -> true);
-    f_try_from_post
-    =
-    (fun (s: string) (out: Core.Result.t_Result t_Algorithms Bertie.Tls13utils.t_Error) -> true);
-    f_try_from
-    =
-    fun (s: string) ->
-      match s <: string with
-      | "SHA256_Chacha20Poly1305_RsaPssRsaSha256_X25519" ->
-        Core.Result.Result_Ok v_SHA256_Chacha20Poly1305_RsaPssRsaSha256_X25519
-        <:
-        Core.Result.t_Result t_Algorithms Bertie.Tls13utils.t_Error
-      | "SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_X25519" ->
-        Core.Result.Result_Ok v_SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_X25519
-        <:
-        Core.Result.t_Result t_Algorithms Bertie.Tls13utils.t_Error
-      | "SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_P256" ->
-        Core.Result.Result_Ok v_SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_P256
-        <:
-        Core.Result.t_Result t_Algorithms Bertie.Tls13utils.t_Error
-      | "SHA256_Chacha20Poly1305_RsaPssRsaSha256_P256" ->
-        Core.Result.Result_Ok v_SHA256_Chacha20Poly1305_RsaPssRsaSha256_P256
-        <:
-        Core.Result.t_Result t_Algorithms Bertie.Tls13utils.t_Error
-      | "SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_X25519Kyber768Draft00" ->
-        Core.Result.Result_Ok v_SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_X25519Kyber768Draft00
-        <:
-        Core.Result.t_Result t_Algorithms Bertie.Tls13utils.t_Error
-      | "SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_X25519MLKEM768" ->
-        Core.Result.Result_Ok v_SHA256_Chacha20Poly1305_EcdsaSecp256r1Sha256_X25519MlKem768
-        <:
-        Core.Result.t_Result t_Algorithms Bertie.Tls13utils.t_Error
-      | _ ->
-        let res:Alloc.String.t_String =
-          Alloc.Fmt.format (Core.Fmt.impl_2__new_v1 (mk_usize 1)
-              (mk_usize 1)
-              (let list = ["Invalid ciphersuite description: "] in
-                FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1);
-                Rust_primitives.Hax.array_of_list 1 list)
-              (let list = [Core.Fmt.Rt.impl_1__new_display #string s <: Core.Fmt.Rt.t_Argument] in
-                FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1);
-                Rust_primitives.Hax.array_of_list 1 list)
-              <:
-              Core.Fmt.t_Arguments)
-        in
-        Core.Result.Result_Err
-        (Bertie.Tls13utils.Error_UnknownCiphersuite (Core.Hint.must_use #Alloc.String.t_String res)
-          <:
-          Bertie.Tls13utils.t_Error)
-        <:
-        Core.Result.t_Result t_Algorithms Bertie.Tls13utils.t_Error
-  }
diff --git a/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst b/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst
index 47c3e0f5..f9757e25 100644
--- a/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst
+++ b/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst
@@ -25,33 +25,33 @@ let t_HandshakeType_cast_to_repr (x: t_HandshakeType) =
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 assume
-val impl_2': Core.Clone.t_Clone t_HandshakeType
+val impl_1': Core.Clone.t_Clone t_HandshakeType
 
-let impl_2 = impl_2'
+let impl_1 = impl_1'
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 assume
-val impl_3': Core.Marker.t_Copy t_HandshakeType
+val impl_2': Core.Marker.t_Copy t_HandshakeType
 
-let impl_3 = impl_3'
+let impl_2 = impl_2'
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 assume
-val impl_4': Core.Fmt.t_Debug t_HandshakeType
+val impl_3': Core.Fmt.t_Debug t_HandshakeType
 
-let impl_4 = impl_4'
+let impl_3 = impl_3'
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 assume
-val impl_5': Core.Marker.t_StructuralPartialEq t_HandshakeType
+val impl_4': Core.Marker.t_StructuralPartialEq t_HandshakeType
 
-let impl_5 = impl_5'
+let impl_4 = impl_4'
 
 [@@ FStar.Tactics.Typeclasses.tcinstance]
 assume
-val impl_6': Core.Cmp.t_PartialEq t_HandshakeType t_HandshakeType
+val impl_5': Core.Cmp.t_PartialEq t_HandshakeType t_HandshakeType
 
-let impl_6 = impl_6'
+let impl_5 = impl_5'
 
 let get_hs_type (t: u8) =
   match t <: u8 with
@@ -101,11 +101,11 @@ let get_hs_type (t: u8) = Core.Result.t_Result t_HandshakeType u8 | _ -> Bertie.Tls13utils.tlserr #t_HandshakeType (Bertie.Tls13utils.parse_failed () <: u8) -let impl_HandshakeData__len (self: t_HandshakeData) = Bertie.Tls13utils.impl_Bytes__len self._0 - let impl_HandshakeData__to_bytes (self: t_HandshakeData) = Core.Clone.f_clone #Bertie.Tls13utils.t_Bytes #FStar.Tactics.Typeclasses.solve self._0 +let impl_HandshakeData__len (self: t_HandshakeData) = Bertie.Tls13utils.impl_Bytes__len self._0 + let impl_HandshakeData__next_handshake_message (self: t_HandshakeData) = if (impl_HandshakeData__len self <: usize) <. mk_usize 4 then 
@@ -163,48 +163,39 @@ let impl_HandshakeData__as_handshake_message Core.Result.t_Result (t_HandshakeData & t_HandshakeData) u8 with | Core.Result.Result_Ok (message, payload_rest) -> - (match - (if (impl_HandshakeData__len payload_rest <: usize) <>. mk_usize 0 - then Bertie.Tls13utils.tlserr #t_HandshakeData (Bertie.Tls13utils.parse_failed () <: u8) - else Core.Result.Result_Ok message <: Core.Result.t_Result t_HandshakeData u8) - <: - Core.Result.t_Result t_HandshakeData u8 - with - | Core.Result.Result_Ok (HandshakeData tagged_message_bytes) -> - let expected_bytes:Bertie.Tls13utils.t_Bytes = - Bertie.Tls13utils.bytes1 (t_HandshakeType_cast_to_repr expected_type <: u8) - in - (match - Bertie.Tls13utils.check_eq expected_bytes - (Bertie.Tls13utils.impl_Bytes__slice_range tagged_message_bytes - ({ Core.Ops.Range.f_start = mk_usize 0; Core.Ops.Range.f_end = mk_usize 1 } - <: - Core.Ops.Range.t_Range usize) - <: - Bertie.Tls13utils.t_Bytes) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - Core.Result.Result_Ok - (HandshakeData - (Bertie.Tls13utils.impl_Bytes__slice_range tagged_message_bytes - ({ - Core.Ops.Range.f_start = mk_usize 4; - Core.Ops.Range.f_end - = - Bertie.Tls13utils.impl_Bytes__len tagged_message_bytes <: usize - } - <: - Core.Ops.Range.t_Range usize)) + if (impl_HandshakeData__len payload_rest <: usize) <>. 
mk_usize 0 + then Bertie.Tls13utils.tlserr #t_HandshakeData (Bertie.Tls13utils.parse_failed () <: u8) + else + let HandshakeData tagged_message_bytes:t_HandshakeData = message in + (match + Bertie.Tls13utils.check_eq1 (Bertie.Tls13utils.v_U8 (t_HandshakeType_cast_to_repr expected_type + + <: + u8) <: - t_HandshakeData) + u8) + (tagged_message_bytes.[ mk_usize 0 ] <: u8) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok + (HandshakeData + (Bertie.Tls13utils.impl_Bytes__slice_range tagged_message_bytes + ({ + Core.Ops.Range.f_start = mk_usize 4; + Core.Ops.Range.f_end + = + Bertie.Tls13utils.impl_Bytes__len tagged_message_bytes <: usize + } + <: + Core.Ops.Range.t_Range usize)) <: - Core.Result.t_Result t_HandshakeData u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result t_HandshakeData u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result t_HandshakeData u8) + t_HandshakeData) + <: + Core.Result.t_Result t_HandshakeData u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result t_HandshakeData u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result t_HandshakeData u8 @@ -293,7 +284,7 @@ let impl_HandshakeData__to_four (self: t_HandshakeData) = Core.Result.t_Result (t_HandshakeData & t_HandshakeData & t_HandshakeData & t_HandshakeData) u8 [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Core.Convert.t_From t_HandshakeData Bertie.Tls13utils.t_Bytes = +let impl: Core.Convert.t_From t_HandshakeData Bertie.Tls13utils.t_Bytes = { f_from_pre = (fun (value: Bertie.Tls13utils.t_Bytes) -> true); f_from_post = (fun (value: Bertie.Tls13utils.t_Bytes) (out: t_HandshakeData) -> true); 
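Review bot: The index `tagged_message_bytes.[ mk_usize 0 ]` and the slice starting at `mk_usize 4` in the new else-branch are in bounds only because `message` is produced by `next_handshake_message`, whose postcondition added in the .fsti hunk of this commit gives `len m >= 4`; nothing at this point says so. A comment on the `let HandshakeData tagged_message_bytes:t_HandshakeData = message in` line would carry it, e.g. `(* len message >= 4 by the ensures of next_handshake_message: the tag byte and the 4-byte header are in bounds *)`; since this file is hax output, the comment belongs on the Rust source it is extracted from. Whether `check_eq1` yields the same error value as the `check_eq` call it replaces is not visible here; confirm if any caller distinguishes error codes. `impl_HandshakeData__as_handshake_message` starts outside the hunk.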
@@ -345,7 +336,7 @@ let rec impl_HandshakeData__find_handshake_message (handshake_type: t_HandshakeType) (start: usize) = - if (impl_HandshakeData__len self <: usize) <. (start +! mk_usize 4 <: usize) + if ((impl_HandshakeData__len self <: usize) -! start <: usize) <. mk_usize 4 then false else match diff --git a/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fsti b/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fsti index 58b91238..378df0f9 100644 --- a/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fsti +++ b/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fsti @@ -64,19 +64,19 @@ val t_HandshakeType_cast_to_repr (x: t_HandshakeType) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_2:Core.Clone.t_Clone t_HandshakeType +val impl_1:Core.Clone.t_Clone t_HandshakeType [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_3:Core.Marker.t_Copy t_HandshakeType +val impl_2:Core.Marker.t_Copy t_HandshakeType [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_4:Core.Fmt.t_Debug t_HandshakeType +val impl_3:Core.Fmt.t_Debug t_HandshakeType [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_5:Core.Marker.t_StructuralPartialEq t_HandshakeType +val impl_4:Core.Marker.t_StructuralPartialEq t_HandshakeType [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_6:Core.Cmp.t_PartialEq t_HandshakeType t_HandshakeType +val impl_5:Core.Cmp.t_PartialEq t_HandshakeType t_HandshakeType val get_hs_type (t: u8) : Prims.Pure (Core.Result.t_Result t_HandshakeType u8) Prims.l_True (fun _ -> Prims.l_True) 
@@ -84,23 +84,40 @@ val get_hs_type (t: u8) /// Hadshake data of the TLS handshake. type t_HandshakeData = | HandshakeData : Bertie.Tls13utils.t_Bytes -> t_HandshakeData -/// Returns the length, in bytes. -val impl_HandshakeData__len (self: t_HandshakeData) - : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) - /// Returns the handshake data bytes. val impl_HandshakeData__to_bytes (self: t_HandshakeData) : Prims.Pure Bertie.Tls13utils.t_Bytes Prims.l_True (fun _ -> Prims.l_True) +/// Returns the length, in bytes. +val impl_HandshakeData__len (self: t_HandshakeData) + : Prims.Pure usize + Prims.l_True + (ensures + fun result -> + let result:usize = result in + v result == Seq.length self._0._0) + /// Attempt to parse a handshake message from the beginning of the payload. /// If successful, returns the parsed message and the unparsed rest of the /// payload. Returns a [TLSError] if the payload is too short to contain a /// handshake message or if the payload is shorter than the expected length /// encoded in its first three bytes. +/// We needed to uglify the ensures here because of: https://github.com/cryspen/hax/issues/1276 val impl_HandshakeData__next_handshake_message (self: t_HandshakeData) : Prims.Pure (Core.Result.t_Result (t_HandshakeData & t_HandshakeData) u8) Prims.l_True - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:Core.Result.t_Result (t_HandshakeData & t_HandshakeData) u8 = result in + match result <: Core.Result.t_Result (t_HandshakeData & t_HandshakeData) u8 with + | Core.Result.Result_Ok (m, r) -> + (impl_HandshakeData__len m <: usize) >=. mk_usize 4 && + (impl_HandshakeData__len self <: usize) >=. (impl_HandshakeData__len m <: usize) && + ((impl_HandshakeData__len self <: usize) -! (impl_HandshakeData__len m <: usize) + <: + usize) =. + (impl_HandshakeData__len r <: usize) + | _ -> true) /// Attempt to parse exactly one handshake message of the `expected_type` from /// `payload`. 
@@ -110,7 +127,17 @@ val impl_HandshakeData__next_handshake_message (self: t_HandshakeData) val impl_HandshakeData__as_handshake_message (self: t_HandshakeData) (expected_type: t_HandshakeType) - : Prims.Pure (Core.Result.t_Result t_HandshakeData u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result t_HandshakeData u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result t_HandshakeData u8 = result in + match result <: Core.Result.t_Result t_HandshakeData u8 with + | Core.Result.Result_Ok d -> + (impl_HandshakeData__len self <: usize) >=. mk_usize 4 && + ((impl_HandshakeData__len self <: usize) -! mk_usize 4 <: usize) =. + (impl_HandshakeData__len d <: usize) + | _ -> true) /// Attempt to parse exactly two handshake messages from `payload`. /// If successful, returns the parsed handshake messages. Returns a [TLSError] @@ -131,7 +158,7 @@ val impl_HandshakeData__to_four (self: t_HandshakeData) u8) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_1:Core.Convert.t_From t_HandshakeData Bertie.Tls13utils.t_Bytes +val impl:Core.Convert.t_From t_HandshakeData Bertie.Tls13utils.t_Bytes /// Generate a new [`HandshakeData`] from [`Bytes`] and the [`HandshakeType`]. val impl_HandshakeData__from_bytes @@ -150,4 +177,13 @@ val impl_HandshakeData__find_handshake_message (self: t_HandshakeData) (handshake_type: t_HandshakeType) (start: usize) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure bool + (requires (impl_HandshakeData__len self <: usize) >=. start) + (fun _ -> Prims.l_True) + (decreases + ((Rust_primitives.Hax.Int.from_machine (impl_HandshakeData__len self <: usize) + <: + Hax_lib.Int.t_Int) - + (Rust_primitives.Hax.Int.from_machine start <: Hax_lib.Int.t_Int) + <: + Hax_lib.Int.t_Int)) diff --git a/proofs/fstar/extraction/Bertie.Tls13formats.fst b/proofs/fstar/extraction/Bertie.Tls13formats.fst index a2cedb3e..a21db6a3 100644 
--- a/proofs/fstar/extraction/Bertie.Tls13formats.fst +++ b/proofs/fstar/extraction/Bertie.Tls13formats.fst @@ -54,15 +54,11 @@ let check_server_name (extension: t_Slice u8) = Core.Result.t_Result Prims.unit u8 with | Core.Result.Result_Ok _ -> - (match - Bertie.Tls13utils.check_eq_with_slice ((let list = [Bertie.Tls13utils.v_U8 (mk_u8 0)] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - t_Slice u8) - extension - (mk_usize 2) - (mk_usize 3) + if (Core.Slice.impl__len #u8 extension <: usize) >. mk_usize 3 + then + match + Bertie.Tls13utils.check_eq1 (Bertie.Tls13utils.v_U8 (mk_u8 0) <: u8) + (extension.[ mk_usize 2 ] <: u8) <: Core.Result.t_Result Prims.unit u8 with @@ -97,7 +93,9 @@ let check_server_name (extension: t_Slice u8) = | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + else + Bertie.Tls13utils.tlserr #Bertie.Tls13utils.t_Bytes (Bertie.Tls13utils.parse_failed () <: u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 
@@ -414,56 +412,59 @@ let server_key_shares (algs: Bertie.Tls13crypto.t_Algorithms) (gx: Bertie.Tls13u Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 let check_server_key_share (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = - match - Bertie.Tls13crypto.impl_Algorithms__supported_group algs - <: - Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - with - | Core.Result.Result_Ok hoist48 -> - (match - Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl_Bytes__as_raw hoist48 - <: - t_Slice u8) - b - (mk_usize 0) - (mk_usize 2) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - (match - Bertie.Tls13utils.check_length_encoding_u16_slice (b.[ { - Core.Ops.Range.f_start = mk_usize 2; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 b <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - Core.Result.Result_Ok - (Core.Convert.f_from #Bertie.Tls13utils.t_Bytes - #(t_Slice u8) - #FStar.Tactics.Typeclasses.solve - (b.[ { - Core.Ops.Range.f_start = mk_usize 4; + if (Core.Slice.impl__len #u8 b <: usize) >=. 
mk_usize 2 + then + match + Bertie.Tls13crypto.impl_Algorithms__supported_group algs + <: + Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + with + | Core.Result.Result_Ok hoist48 -> + (match + Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl_Bytes__as_raw hoist48 + <: + t_Slice u8) + b + (mk_usize 0) + (mk_usize 2) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + (match + Bertie.Tls13utils.check_length_encoding_u16_slice (b.[ { + Core.Ops.Range.f_start = mk_usize 2; Core.Ops.Range.f_end = Core.Slice.impl__len #u8 b <: usize } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8)) - <: - Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + t_Slice u8) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok + (Core.Convert.f_from #Bertie.Tls13utils.t_Bytes + #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + (b.[ { + Core.Ops.Range.f_start = mk_usize 4; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 b <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8)) + <: + Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + else Bertie.Tls13utils.tlserr #Bertie.Tls13utils.t_Bytes (Bertie.Tls13utils.parse_failed () <: u8) let pre_shared_key (algs: Bertie.Tls13crypto.t_Algorithms) 
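Review bot: The new guard `(Core.Slice.impl__len #u8 b <: usize) >=. mk_usize 2` covers the `check_eq_with_slice ... b (mk_usize 0) (mk_usize 2)` comparison, but the final slice `b.[ { f_start = mk_usize 4; f_end = len b } ]` needs at least four bytes, which is only safe if `check_length_encoding_u16_slice` on `b.[2..]` ensures that the slice it was given holds at least two bytes — something this hunk cannot show. If that postcondition is not part of `Bertie.Tls13utils`, the guard should be `>=. mk_usize 4` (or a second check before the slice); if it is, a comment should record the reliance: `(* len b >= 4 here: check_length_encoding_u16_slice succeeded on b[2..] *)`. Either way the short-input case now fails with `parse_failed` instead of an unprovable precondition, which is the right direction; as this file is hax output, the guard or comment belongs in the Rust source.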
@@ -698,6 +699,8 @@ let impl_Extensions__merge (self e2: t_Extensions) = Core.Result.Result_Err err <: Core.Result.t_Result t_Extensions u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result t_Extensions u8 +#push-options "--admit_smt_queries true" + let check_server_extension (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = if (Core.Slice.impl__len #u8 b <: usize) <. mk_usize 4 then @@ -824,6 +827,8 @@ let check_server_extension (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u <: Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 +#pop-options + let t_AlertLevel_cast_to_repr (x: t_AlertLevel) = match x <: t_AlertLevel with | AlertLevel_Warning -> anon_const_AlertLevel_Warning__anon_const_0 @@ -831,33 +836,33 @@ let t_AlertLevel_cast_to_repr (x: t_AlertLevel) = [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_6': Core.Clone.t_Clone t_AlertLevel +val impl_5': Core.Clone.t_Clone t_AlertLevel -let impl_6 = impl_6' +let impl_5 = impl_5' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_7': Core.Marker.t_Copy t_AlertLevel +val impl_6': Core.Marker.t_Copy t_AlertLevel -let impl_7 = impl_7' +let impl_6 = impl_6' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_8': Core.Fmt.t_Debug t_AlertLevel +val impl_7': Core.Fmt.t_Debug t_AlertLevel -let impl_8 = impl_8' +let impl_7 = impl_7' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_9': Core.Marker.t_StructuralPartialEq t_AlertLevel +val impl_8': Core.Marker.t_StructuralPartialEq t_AlertLevel -let impl_9 = impl_9' +let impl_8 = impl_8' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_10': Core.Cmp.t_PartialEq t_AlertLevel t_AlertLevel +val impl_9': Core.Cmp.t_PartialEq t_AlertLevel t_AlertLevel -let impl_10 = impl_10' +let impl_9 = impl_9' let t_AlertDescription_cast_to_repr (x: t_AlertDescription) = match x <: t_AlertDescription with 
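Review bot: `#push-options "--admit_smt_queries true"` around `check_server_extension` disables verification of that function's body, and the same wrapper is added around `client_hello` (hunk `@@ -957,6 +962,8`), `server_hello` (`@@ -1261,6 +1270,8`), `parse_encrypted_extensions` (`@@ -1486,6 +1499,8`), `parse_certificate_verify` (`@@ -1970,6 +1987,8`) and `find_key_share` (`@@ -2483,6 +2504,8`). None of them carries a reason, so a reader cannot tell whether this is temporary proof debt or a permanent decision, and code that relies on their specs — the `check_server_extensions` recursion slicing `b.[ len .. ]` on the result of `check_server_extension`, for instance — now rests on an unverified body. Each admit should carry a one-line justification and a tracking reference at the attribute in the Rust source this file is extracted from, e.g. `(* TODO(<issue-id>): proof admitted — body not yet verified against its .fsti spec *)`, and the commit description should list the admitted functions so they are not silently carried forward.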
@@ -903,33 +908,33 @@ let t_AlertDescription_cast_to_repr (x: t_AlertDescription) = [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_11': Core.Clone.t_Clone t_AlertDescription +val impl_10': Core.Clone.t_Clone t_AlertDescription -let impl_11 = impl_11' +let impl_10 = impl_10' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_12': Core.Marker.t_Copy t_AlertDescription +val impl_11': Core.Marker.t_Copy t_AlertDescription -let impl_12 = impl_12' +let impl_11 = impl_11' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_13': Core.Fmt.t_Debug t_AlertDescription +val impl_12': Core.Fmt.t_Debug t_AlertDescription -let impl_13 = impl_13' +let impl_12 = impl_12' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_14': Core.Marker.t_StructuralPartialEq t_AlertDescription +val impl_13': Core.Marker.t_StructuralPartialEq t_AlertDescription -let impl_14 = impl_14' +let impl_13 = impl_13' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_15': Core.Cmp.t_PartialEq t_AlertDescription t_AlertDescription +val impl_14': Core.Cmp.t_PartialEq t_AlertDescription t_AlertDescription -let impl_15 = impl_15' +let impl_14 = impl_14' let get_psk_extensions (algorithms: Bertie.Tls13crypto.t_Algorithms) @@ -957,6 +962,8 @@ let get_psk_extensions | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8 +#push-options "--admit_smt_queries true" + let client_hello (algorithms: Bertie.Tls13crypto.t_Algorithms) (client_random kem_pk server_name: Bertie.Tls13utils.t_Bytes) @@ -1210,6 +1217,8 @@ let client_hello <: Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8 +#pop-options + let set_client_hello_binder (ciphersuite: Bertie.Tls13crypto.t_Algorithms) (binder: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) 
@@ -1233,7 +1242,7 @@ let set_client_hello_binder (Core.Option.t_Option Bertie.Tls13utils.t_Bytes & Core.Option.t_Option usize) with | Core.Option.Option_Some m, Core.Option.Option_Some trunc_len -> - if (chlen -! hlen <: usize) =. trunc_len + if (chlen -! trunc_len <: usize) =. hlen then Core.Result.Result_Ok (Bertie.Tls13formats.Handshake_data.HandshakeData @@ -1261,6 +1270,8 @@ let invalid_compression_list (_: Prims.unit) = <: Core.Result.t_Result Prims.unit u8 +#push-options "--admit_smt_queries true" + let server_hello (algs: Bertie.Tls13crypto.t_Algorithms) (sr sid gy: Bertie.Tls13utils.t_Bytes) = let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 (mk_u8 3) (mk_u8 3) in match @@ -1439,6 +1450,8 @@ let server_hello (algs: Bertie.Tls13crypto.t_Algorithms) (sr sid gy: Bertie.Tls1 <: Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 +#pop-options + let unsupported_cipher_alert (_: Prims.unit) = Core.Result.Result_Err Bertie.Tls13utils.v_UNSUPPORTED_ALGORITHM <: @@ -1486,6 +1499,8 @@ let encrypted_extensions (e_algs: Bertie.Tls13crypto.t_Algorithms) = <: Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 +#push-options "--admit_smt_queries true" + let parse_encrypted_extensions (e_algs: Bertie.Tls13crypto.t_Algorithms) (encrypted_extensions: Bertie.Tls13formats.Handshake_data.t_HandshakeData) @@ -1527,6 +1542,8 @@ let parse_encrypted_extensions t_Slice u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result Prims.unit u8 +#pop-options + let server_certificate (e_algs: Bertie.Tls13crypto.t_Algorithms) (cert: Bertie.Tls13utils.t_Bytes) = match Bertie.Tls13utils.encode_length_u8 ((let list:Prims.list u8 = [] in 
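Review bot: Swapping `(chlen -! hlen <: usize) =. trunc_len` for `(chlen -! trunc_len <: usize) =. hlen` keeps the equality but moves the underflow obligation from `hlen <= chlen` to `trunc_len <= chlen`, and the reason one side is provable and the other is not is not stated. `trunc_len` arrives through the `Option_Some trunc_len` match and presumably originates in `parse_client_hello`, whose old computation of it is visible in the removed lines of this commit's `@@ -3251` hunk, so the bound likely comes from there. A comment on the `if` line would record it: `(* trunc_len <= chlen is established by the caller that computed it *)` — adjusted to the actual source of the bound, and placed in the Rust source this file is extracted from. `set_client_hello_binder` starts outside the hunk.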
@@ -1970,6 +1987,8 @@ let certificate_verify (algs: Bertie.Tls13crypto.t_Algorithms) (cv: Bertie.Tls13 <: Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 +#push-options "--admit_smt_queries true" + let parse_certificate_verify (algs: Bertie.Tls13crypto.t_Algorithms) (certificate_verify: Bertie.Tls13formats.Handshake_data.t_HandshakeData) @@ -2068,6 +2087,8 @@ let parse_certificate_verify | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 +#pop-options + let finished (vd: Bertie.Tls13utils.t_Bytes) = Bertie.Tls13formats.Handshake_data.impl_HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_Finished <: @@ -2098,33 +2119,33 @@ let t_ContentType_cast_to_repr (x: t_ContentType) = [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_16': Core.Clone.t_Clone t_ContentType +val impl_15': Core.Clone.t_Clone t_ContentType -let impl_16 = impl_16' +let impl_15 = impl_15' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_17': Core.Marker.t_Copy t_ContentType +val impl_16': Core.Marker.t_Copy t_ContentType -let impl_17 = impl_17' +let impl_16 = impl_16' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_18': Core.Fmt.t_Debug t_ContentType +val impl_17': Core.Fmt.t_Debug t_ContentType -let impl_18 = impl_18' +let impl_17 = impl_17' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_19': Core.Marker.t_StructuralPartialEq t_ContentType +val impl_18': Core.Marker.t_StructuralPartialEq t_ContentType -let impl_19 = impl_19' +let impl_18 = impl_18' [@@ FStar.Tactics.Typeclasses.tcinstance] assume -val impl_20': Core.Cmp.t_PartialEq t_ContentType t_ContentType +val impl_19': Core.Cmp.t_PartialEq t_ContentType t_ContentType -let impl_20 = impl_20' +let impl_19 = impl_19' let impl_ContentType__try_from_u8 (t: u8) = match t <: u8 with 
@@ -2483,6 +2504,8 @@ let impl_Transcript__transcript_hash_without_client_hello <: Bertie.Tls13utils.t_Bytes) +#push-options "--admit_smt_queries true" + let rec find_key_share (g: Bertie.Tls13utils.t_Bytes) (ch: t_Slice u8) = if (Core.Slice.impl__len #u8 ch <: usize) <. mk_usize 4 then Bertie.Tls13utils.tlserr #Bertie.Tls13utils.t_Bytes (Bertie.Tls13utils.parse_failed () <: u8) @@ -2550,41 +2573,7 @@ let rec find_key_share (g: Bertie.Tls13utils.t_Bytes) (ch: t_Slice u8) = | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 -let rec check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = - match - check_server_extension algs b - <: - Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 - with - | Core.Result.Result_Ok (len, out) -> - if len =. (Core.Slice.impl__len #u8 b <: usize) - then - Core.Result.Result_Ok out - <: - Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 - else - (match - check_server_extensions algs - (b.[ { - Core.Ops.Range.f_start = len; - Core.Ops.Range.f_end = Core.Slice.impl__len #u8 b <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 - with - | Core.Result.Result_Ok out_rest -> merge_opts #Bertie.Tls13utils.t_Bytes out out_rest - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 +#pop-options let check_key_shares (algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) = match 
@@ -2847,6 +2836,42 @@ let check_extension (algs: Bertie.Tls13crypto.t_Algorithms) (bytes: t_Slice u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8 +let rec check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = + match + check_server_extension algs b + <: + Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 + with + | Core.Result.Result_Ok (len, out) -> + if len =. (Core.Slice.impl__len #u8 b <: usize) + then + Core.Result.Result_Ok out + <: + Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 + else + (match + check_server_extensions algs + (b.[ { + Core.Ops.Range.f_start = len; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 b <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 + with + | Core.Result.Result_Ok out_rest -> merge_opts #Bertie.Tls13utils.t_Bytes out out_rest + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 + let parse_server_hello (algs: Bertie.Tls13crypto.t_Algorithms) (server_hello: Bertie.Tls13formats.Handshake_data.t_HandshakeData) 
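Review bot: The moved `check_server_extensions` slices `b.[ { f_start = len; f_end = len b } ]` and recurses on that slice, so it needs `len <= len b` for the slice and `len > 0` for termination, and both must come from the `(len, out)` result of `check_server_extension`; that function's body is now under `#push-options "--admit_smt_queries true"` in this same file, so the obligation rests on an unverified body. If the .fsti spec of `check_server_extension` states `4 <= len <= len b` (the `<. mk_usize 4` early exit in its context line suggests the lower bound), a comment here should say so: `(* check_server_extension ensures 4 <= len <= len b, which bounds the slice and makes the recursion decrease *)`. A `decreases` clause on the .fsti declaration, as this commit adds for `find_handshake_message`, would also make the termination argument explicit rather than inferred.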
@@ -2968,51 +2993,96 @@ let parse_server_hello | Core.Result.Result_Ok _ -> let next:usize = next +! mk_usize 1 in (match - Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl_Bytes__slice_range - server_hello - ({ - Core.Ops.Range.f_start = next; - Core.Ops.Range.f_end - = - Bertie.Tls13utils.impl_Bytes__len server_hello <: usize - } - <: - Core.Ops.Range.t_Range usize) + Bertie.Tls13utils.check ((Bertie.Tls13utils.impl_Bytes__len server_hello + + <: + usize) >=. + next <: - Bertie.Tls13utils.t_Bytes) + bool) <: Core.Result.t_Result Prims.unit u8 with | Core.Result.Result_Ok _ -> - let next:usize = next +! mk_usize 2 in (match - check_server_extensions algs - (server_hello.[ { - Core.Ops.Range.f_start = next; - Core.Ops.Range.f_end - = - Bertie.Tls13utils.impl_Bytes__len server_hello <: usize - } - <: - Core.Ops.Range.t_Range usize ] + Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl_Bytes__slice_range + server_hello + ({ + Core.Ops.Range.f_start = next; + Core.Ops.Range.f_end + = + Bertie.Tls13utils.impl_Bytes__len server_hello + <: + usize + } + <: + Core.Ops.Range.t_Range usize) <: - t_Slice u8) + Bertie.Tls13utils.t_Bytes) <: - Core.Result.t_Result - (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 + Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok gy -> - (match gy <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes with - | Core.Option.Option_Some gy -> - Core.Result.Result_Ok - (srand, gy - <: - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes)) + | Core.Result.Result_Ok _ -> + let next:usize = next +! mk_usize 2 in + (match + Bertie.Tls13utils.check ((Bertie.Tls13utils.impl_Bytes__len server_hello + + <: + usize) >=. 
+ next + <: + bool) <: - Core.Result.t_Result - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 - | _ -> - Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + (match + check_server_extensions algs + (server_hello.[ { + Core.Ops.Range.f_start = next; + Core.Ops.Range.f_end + = + Bertie.Tls13utils.impl_Bytes__len server_hello + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result + (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 + with + | Core.Result.Result_Ok gy -> + (match + gy <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes + with + | Core.Option.Option_Some gy -> + Core.Result.Result_Ok + (srand, gy + <: + (Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes)) + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes) u8 + | _ -> + Core.Result.Result_Err + Bertie.Tls13utils.v_MISSING_KEY_SHARE + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes + ) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 
@@ -3220,26 +3290,17 @@ let parse_client_hello | Core.Result.Result_Ok _ -> let next:usize = next +! mk_usize 2 in (match - Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl_Bytes__slice_range - ch - ({ - Core.Ops.Range.f_start = next; - Core.Ops.Range.f_end - = - Bertie.Tls13utils.impl_Bytes__len ch <: usize - } - <: - Core.Ops.Range.t_Range usize) + Bertie.Tls13utils.check ((Bertie.Tls13utils.impl_Bytes__len ch <: usize) >=. + next <: - Bertie.Tls13utils.t_Bytes) + bool) <: Core.Result.t_Result Prims.unit u8 with | Core.Result.Result_Ok _ -> - let next:usize = next +! mk_usize 2 in (match - check_extensions ciphersuite - (Bertie.Tls13utils.impl_Bytes__slice_range ch + Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl_Bytes__slice_range + ch ({ Core.Ops.Range.f_start = next; Core.Ops.Range.f_end 
@@ -3251,170 +3312,304 @@ let parse_client_hello <: Bertie.Tls13utils.t_Bytes) <: - Core.Result.t_Result t_Extensions u8 + Core.Result.t_Result Prims.unit u8 with - | Core.Result.Result_Ok exts -> - let trunc_len:usize = - ((Bertie.Tls13utils.impl_Bytes__len ch <: usize) -! - (Bertie.Tls13crypto.impl_HashAlgorithm__hash_len (Bertie.Tls13crypto.impl_Algorithms__hash - ciphersuite - <: - Bertie.Tls13crypto.t_HashAlgorithm) - <: - usize) - <: - usize) -! - mk_usize 3 - in + | Core.Result.Result_Ok _ -> + let next:usize = next +! mk_usize 2 in (match - Bertie.Tls13crypto.impl_Algorithms__psk_mode ciphersuite, exts - <: - (bool & t_Extensions) - with - | _, - { f_sni = _ ; - f_key_share = Core.Option.Option_None ; - f_ticket = _ ; - f_binder = _ } -> - Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE - <: - Core.Result.t_Result - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - usize) u8 - | true, - { f_sni = Core.Option.Option_Some sn ; - f_key_share = Core.Option.Option_Some gx ; - f_ticket = Core.Option.Option_Some tkt ; - f_binder = Core.Option.Option_Some binder } -> - Core.Result.Result_Ok - (crand, - sid, - sn, - gx, - (Core.Option.Option_Some tkt - <: - Core.Option.t_Option Bertie.Tls13utils.t_Bytes), - (Core.Option.Option_Some binder - <: - Core.Option.t_Option Bertie.Tls13utils.t_Bytes), - trunc_len - <: - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - usize)) - <: - Core.Result.t_Result - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - 
usize) u8 - | true, - { f_sni = Core.Option.Option_None ; - f_key_share = Core.Option.Option_Some gx ; - f_ticket = Core.Option.Option_Some tkt ; - f_binder = Core.Option.Option_Some binder } -> - Core.Result.Result_Ok - (crand, - sid, - Bertie.Tls13utils.impl_Bytes__new (), - gx, - (Core.Option.Option_Some tkt - <: - Core.Option.t_Option Bertie.Tls13utils.t_Bytes), - (Core.Option.Option_Some binder + Bertie.Tls13utils.check ((Bertie.Tls13utils.impl_Bytes__len ch + <: + usize) >=. + next <: - Core.Option.t_Option Bertie.Tls13utils.t_Bytes), - trunc_len - <: - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - usize)) + bool) <: - Core.Result.t_Result - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - usize) u8 - | false, - { f_sni = Core.Option.Option_Some sn ; - f_key_share = Core.Option.Option_Some gx ; - f_ticket = Core.Option.Option_None ; - f_binder = Core.Option.Option_None } -> - Core.Result.Result_Ok - (crand, - sid, - sn, - gx, - (Core.Option.Option_None - <: - Core.Option.t_Option Bertie.Tls13utils.t_Bytes), - (Core.Option.Option_None - <: - Core.Option.t_Option Bertie.Tls13utils.t_Bytes), - mk_usize 0 - <: - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - usize)) - <: - Core.Result.t_Result - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - usize) u8 - | false, - { f_sni = 
Core.Option.Option_None ; - f_key_share = Core.Option.Option_Some gx ; - f_ticket = Core.Option.Option_None ; - f_binder = Core.Option.Option_None } -> - Core.Result.Result_Ok - (crand, - sid, - Bertie.Tls13utils.impl_Bytes__new (), - gx, - (Core.Option.Option_None + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + (match + check_extensions ciphersuite + (Bertie.Tls13utils.impl_Bytes__slice_range ch + ({ + Core.Ops.Range.f_start = next; + Core.Ops.Range.f_end + = + Bertie.Tls13utils.impl_Bytes__len ch <: usize + } + <: + Core.Ops.Range.t_Range usize) + <: + Bertie.Tls13utils.t_Bytes) <: - Core.Option.t_Option Bertie.Tls13utils.t_Bytes), - (Core.Option.Option_None + Core.Result.t_Result t_Extensions u8 + with + | Core.Result.Result_Ok exts -> + (match + Bertie.Tls13crypto.impl_Algorithms__psk_mode ciphersuite, + exts + <: + (bool & t_Extensions) + with + | _, + { f_sni = _ ; + f_key_share = Core.Option.Option_None ; + f_ticket = _ ; + f_binder = _ } -> + Core.Result.Result_Err + Bertie.Tls13utils.v_MISSING_KEY_SHARE + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8 + | true, + { f_sni = Core.Option.Option_Some sn ; + f_key_share = Core.Option.Option_Some gx ; + f_ticket = Core.Option.Option_Some tkt ; + f_binder = Core.Option.Option_Some binder } -> + (match + Bertie.Tls13utils.check ((Bertie.Tls13utils.impl_Bytes__len + ch + <: + usize) >=. + ((Bertie.Tls13crypto.impl_HashAlgorithm__hash_len + (Bertie.Tls13crypto.impl_Algorithms__hash ciphersuite + + <: + Bertie.Tls13crypto.t_HashAlgorithm) + <: + usize) +! + mk_usize 3 + <: + usize) + <: + bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + let trunc_len:usize = + ((Bertie.Tls13utils.impl_Bytes__len ch <: usize) -! 
+ (Bertie.Tls13crypto.impl_HashAlgorithm__hash_len + (Bertie.Tls13crypto.impl_Algorithms__hash ciphersuite + + <: + Bertie.Tls13crypto.t_HashAlgorithm) + <: + usize) + <: + usize) -! + mk_usize 3 + in + Core.Result.Result_Ok + (crand, + sid, + sn, + gx, + (Core.Option.Option_Some tkt + <: + Core.Option.t_Option Bertie.Tls13utils.t_Bytes), + (Core.Option.Option_Some binder + <: + Core.Option.t_Option Bertie.Tls13utils.t_Bytes), + trunc_len + <: + (Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize)) + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) + | true, + { f_sni = Core.Option.Option_None ; + f_key_share = Core.Option.Option_Some gx ; + f_ticket = Core.Option.Option_Some tkt ; + f_binder = Core.Option.Option_Some binder } -> + (match + Bertie.Tls13utils.check ((Bertie.Tls13utils.impl_Bytes__len + ch + <: + usize) >=. + ((Bertie.Tls13crypto.impl_HashAlgorithm__hash_len + (Bertie.Tls13crypto.impl_Algorithms__hash ciphersuite + + <: + Bertie.Tls13crypto.t_HashAlgorithm) + <: + usize) +! + mk_usize 3 + <: + usize) + <: + bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + let trunc_len:usize = + ((Bertie.Tls13utils.impl_Bytes__len ch <: usize) -! 
+ (Bertie.Tls13crypto.impl_HashAlgorithm__hash_len + (Bertie.Tls13crypto.impl_Algorithms__hash ciphersuite + + <: + Bertie.Tls13crypto.t_HashAlgorithm) + <: + usize) + <: + usize) -! + mk_usize 3 + in + Core.Result.Result_Ok + (crand, + sid, + Bertie.Tls13utils.impl_Bytes__new (), + gx, + (Core.Option.Option_Some tkt + <: + Core.Option.t_Option Bertie.Tls13utils.t_Bytes), + (Core.Option.Option_Some binder + <: + Core.Option.t_Option Bertie.Tls13utils.t_Bytes), + trunc_len + <: + (Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize)) + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) + | false, + { f_sni = Core.Option.Option_Some sn ; + f_key_share = Core.Option.Option_Some gx ; + f_ticket = Core.Option.Option_None ; + f_binder = Core.Option.Option_None } -> + Core.Result.Result_Ok + (crand, + sid, + sn, + gx, + (Core.Option.Option_None + <: + Core.Option.t_Option Bertie.Tls13utils.t_Bytes), + (Core.Option.Option_None + <: + Core.Option.t_Option Bertie.Tls13utils.t_Bytes), + mk_usize 0 + <: + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize)) + <: + Core.Result.t_Result + 
(Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8 + | false, + { f_sni = Core.Option.Option_None ; + f_key_share = Core.Option.Option_Some gx ; + f_ticket = Core.Option.Option_None ; + f_binder = Core.Option.Option_None } -> + Core.Result.Result_Ok + (crand, + sid, + Bertie.Tls13utils.impl_Bytes__new (), + gx, + (Core.Option.Option_None + <: + Core.Option.t_Option Bertie.Tls13utils.t_Bytes), + (Core.Option.Option_None + <: + Core.Option.t_Option Bertie.Tls13utils.t_Bytes), + mk_usize 0 + <: + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize)) + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8 + | _ -> + Core.Result.Result_Err + (Bertie.Tls13utils.parse_failed ()) + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: - Core.Option.t_Option Bertie.Tls13utils.t_Bytes), - mk_usize 0 - <: - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - usize)) - <: - Core.Result.t_Result - (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & - Bertie.Tls13utils.t_Bytes & - 
Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - usize) u8 - | _ -> - Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & diff --git a/proofs/fstar/extraction/Bertie.Tls13formats.fsti b/proofs/fstar/extraction/Bertie.Tls13formats.fsti index d923118d..e412f9bb 100644 --- a/proofs/fstar/extraction/Bertie.Tls13formats.fsti +++ b/proofs/fstar/extraction/Bertie.Tls13formats.fsti @@ -287,7 +287,19 @@ val impl_Extensions__merge (self e2: t_Extensions) val check_server_extension (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) : Prims.Pure (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) Prims.l_True - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) + u8 = + result + in + match + result + <: + Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 + with + | Core.Result.Result_Ok (len, out) -> len >=. mk_usize 4 + | _ -> true) /// ```TLS /// enum { 
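Review bot: The new guard `Bertie.Tls13utils.check ((impl_Bytes__len ch) >=. (hash_len +! mk_usize 3))` and the `trunc_len` subtraction that follows it are repeated verbatim in the `true, { f_sni = Option_Some sn; … }` and `true, { f_sni = Option_None; … }` arms, so the two copies can drift independently on the next change. Since this file is hax-extracted, the deduplication belongs in the Rust source: compute the guarded `trunc_len` once before the `match` on `psk_mode ciphersuite, exts` (or in a small helper shared by both PSK arms) and let the extraction follow. The guard itself has the right shape — it turns a too-short ClientHello into an `Err` instead of an unprovable `-!` precondition — and the `false` arms correctly skip it because they return `mk_usize 0`. `parse_client_hello` starts before this hunk and continues past it; the same guard-before-slice pattern was introduced in the preceding hunk at `-3220`.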
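Review bot: The new postcondition on `check_server_extension` gives only the lower bound `len >=. mk_usize 4`, whereas the sibling `check_extension` (hunk at `-811` below) also receives `(Core.Slice.impl__len #u8 bytes <: usize) >=. len`. If `check_server_extensions` advances through `b` by `len` under its new `decreases` clause, the caller needs that upper bound as well to discharge the slice precondition and the measure decrease; consider `| Core.Result.Result_Ok (len, out) -> len >=. mk_usize 4 && (Core.Slice.impl__len #u8 b <: usize) >=. len`. The body of `check_server_extension` is not in this diff, so whether the implementation already guarantees this is inferred, not observed.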
@@ -307,19 +319,19 @@ let anon_const_AlertLevel_Fatal__anon_const_0: u8 = mk_u8 2 val t_AlertLevel_cast_to_repr (x: t_AlertLevel) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_6:Core.Clone.t_Clone t_AlertLevel +val impl_5:Core.Clone.t_Clone t_AlertLevel [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_7:Core.Marker.t_Copy t_AlertLevel +val impl_6:Core.Marker.t_Copy t_AlertLevel [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_8:Core.Fmt.t_Debug t_AlertLevel +val impl_7:Core.Fmt.t_Debug t_AlertLevel [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_9:Core.Marker.t_StructuralPartialEq t_AlertLevel +val impl_8:Core.Marker.t_StructuralPartialEq t_AlertLevel [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_10:Core.Cmp.t_PartialEq t_AlertLevel t_AlertLevel +val impl_9:Core.Cmp.t_PartialEq t_AlertLevel t_AlertLevel [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1: Core.Convert.t_TryFrom t_AlertLevel u8 = 
@@ -460,19 +472,19 @@ val t_AlertDescription_cast_to_repr (x: t_AlertDescription) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_11:Core.Clone.t_Clone t_AlertDescription +val impl_10:Core.Clone.t_Clone t_AlertDescription [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_12:Core.Marker.t_Copy t_AlertDescription +val impl_11:Core.Marker.t_Copy t_AlertDescription [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_13:Core.Fmt.t_Debug t_AlertDescription +val impl_12:Core.Fmt.t_Debug t_AlertDescription [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_14:Core.Marker.t_StructuralPartialEq t_AlertDescription +val impl_13:Core.Marker.t_StructuralPartialEq t_AlertDescription [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_15:Core.Cmp.t_PartialEq t_AlertDescription t_AlertDescription +val impl_14:Core.Cmp.t_PartialEq t_AlertDescription t_AlertDescription [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_3: Core.Convert.t_TryFrom t_AlertDescription u8 = @@ -610,7 +622,20 @@ val client_hello : Prims.Pure (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8) Prims.l_True - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:Core.Result.t_Result + (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8 = + result + in + match + result + <: + Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8 + with + | Core.Result.Result_Ok (ch, tl) -> + tl <=. (Bertie.Tls13formats.Handshake_data.impl_HandshakeData__len ch <: usize) + | _ -> true) val set_client_hello_binder (ciphersuite: Bertie.Tls13crypto.t_Algorithms) 
@@ -618,7 +643,12 @@ val set_client_hello_binder (client_hello: Bertie.Tls13formats.Handshake_data.t_HandshakeData) (trunc_len: Core.Option.t_Option usize) : Prims.Pure (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) - Prims.l_True + (requires + (match trunc_len <: Core.Option.t_Option usize with + | Core.Option.Option_Some tl -> + tl <=. + (Bertie.Tls13formats.Handshake_data.impl_HandshakeData__len client_hello <: usize) + | _ -> true)) (fun _ -> Prims.l_True) val invalid_compression_list: Prims.unit @@ -722,19 +752,19 @@ val t_ContentType_cast_to_repr (x: t_ContentType) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_16:Core.Clone.t_Clone t_ContentType +val impl_15:Core.Clone.t_Clone t_ContentType [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_17:Core.Marker.t_Copy t_ContentType +val impl_16:Core.Marker.t_Copy t_ContentType [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_18:Core.Fmt.t_Debug t_ContentType +val impl_17:Core.Fmt.t_Debug t_ContentType [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_19:Core.Marker.t_StructuralPartialEq t_ContentType +val impl_18:Core.Marker.t_StructuralPartialEq t_ContentType [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_20:Core.Cmp.t_PartialEq t_ContentType t_ContentType +val impl_19:Core.Cmp.t_PartialEq t_ContentType t_ContentType /// Get the [`ContentType`] from the `u8` representation. val impl_ContentType__try_from_u8 (t: u8) 
@@ -743,7 +773,19 @@ val impl_ContentType__try_from_u8 (t: u8) val handshake_record (p: Bertie.Tls13formats.Handshake_data.t_HandshakeData) : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) Prims.l_True - (fun _ -> Prims.l_True) + (ensures + fun result -> + let result:Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 = result in + match result <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 with + | Core.Result.Result_Ok d -> + (Bertie.Tls13utils.impl_Bytes__len p.Bertie.Tls13formats.Handshake_data._0 <: usize) <. + mk_usize 65536 && + (Bertie.Tls13utils.impl_Bytes__len d <: usize) =. + (mk_usize 5 +! + (Bertie.Tls13utils.impl_Bytes__len p.Bertie.Tls13formats.Handshake_data._0 <: usize) + <: + usize) + | _ -> true) val protocol_version_alert: Prims.unit -> Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) @@ -790,18 +832,19 @@ val impl_Transcript__transcript_hash_without_client_hello (client_hello: Bertie.Tls13formats.Handshake_data.t_HandshakeData) (trunc_len: usize) : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - Prims.l_True + (requires + trunc_len <=. + (Bertie.Tls13formats.Handshake_data.impl_HandshakeData__len client_hello <: usize)) (fun _ -> Prims.l_True) val find_key_share (g: Bertie.Tls13utils.t_Bytes) (ch: t_Slice u8) : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) Prims.l_True (fun _ -> Prims.l_True) - -val check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) - : Prims.Pure (Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) - Prims.l_True - (fun _ -> Prims.l_True) + (decreases + (Rust_primitives.Hax.Int.from_machine (Core.Slice.impl__len #u8 ch <: usize) + <: + Hax_lib.Int.t_Int)) val check_key_shares (algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) 
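Review bot: The new `ensures` on `handshake_record` bounds the payload by `<. mk_usize 65536`, which is the range of the two-byte record length field rather than the protocol limit: RFC 8446 §5.1 caps a TLSPlaintext fragment at 2^14 bytes, and a peer is expected to reject larger records with `record_overflow`. If the implementation of `handshake_record` (not in this diff) already enforces the 2^14 bound, the spec can state `<. mk_usize 16384` and callers get the stronger fact for free; if it does not, a one-line comment on the `val` saying that fragmentation is the caller's responsibility would stop a reader from taking the 65536 figure as the wire limit. The second conjunct, `len d =. mk_usize 5 +! len p._0`, pins the 5-byte record header and reads as intended.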
@@ -811,8 +854,22 @@ val check_key_shares (algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) /// Check an extension for validity. val check_extension (algs: Bertie.Tls13crypto.t_Algorithms) (bytes: t_Slice u8) : Prims.Pure (Core.Result.t_Result (usize & t_Extensions) u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result (usize & t_Extensions) u8 = result in + match result <: Core.Result.t_Result (usize & t_Extensions) u8 with + | Core.Result.Result_Ok (len, exts) -> (Core.Slice.impl__len #u8 bytes <: usize) >=. len + | _ -> true) + +val check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) + : Prims.Pure (Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) Prims.l_True (fun _ -> Prims.l_True) + (decreases + (Rust_primitives.Hax.Int.from_machine (Core.Slice.impl__len #u8 b <: usize) + <: + Hax_lib.Int.t_Int)) val parse_server_hello (algs: Bertie.Tls13crypto.t_Algorithms) @@ -822,7 +879,13 @@ val parse_server_hello (fun _ -> Prims.l_True) val check_extensions_slice (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) - : Prims.Pure (Core.Result.t_Result t_Extensions u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result t_Extensions u8) + Prims.l_True + (fun _ -> Prims.l_True) + (decreases + (Rust_primitives.Hax.Int.from_machine (Core.Slice.impl__len #u8 b <: usize) + <: + Hax_lib.Int.t_Int)) val check_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: Bertie.Tls13utils.t_Bytes) : Prims.Pure (Core.Result.t_Result t_Extensions u8) Prims.l_True (fun _ -> Prims.l_True) 
@@ -837,4 +900,29 @@ val parse_client_hello Bertie.Tls13utils.t_Bytes & Core.Option.t_Option Bertie.Tls13utils.t_Bytes & Core.Option.t_Option Bertie.Tls13utils.t_Bytes & - usize) u8) Prims.l_True (fun _ -> Prims.l_True) + usize) u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8 = + result + in + match + result + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8 + with + | Core.Result.Result_Ok (_, _, _, _, _, _, trunc_len) -> + trunc_len <=. + (Bertie.Tls13formats.Handshake_data.impl_HandshakeData__len client_hello <: usize) + | _ -> true) diff --git a/proofs/fstar/extraction/Bertie.Tls13handshake.fst b/proofs/fstar/extraction/Bertie.Tls13handshake.fst index 9560df73..c9178e7c 100644 --- a/proofs/fstar/extraction/Bertie.Tls13handshake.fst +++ b/proofs/fstar/extraction/Bertie.Tls13handshake.fst 
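Review bot: The new postcondition relates `trunc_len` to `impl_HandshakeData__len client_hello`, while the body in `Bertie.Tls13formats.fst` (hunk `-3251`) computes it from `impl_Bytes__len ch`; the proof therefore rests on `len ch <=. HandshakeData__len client_hello`, which presumably follows from how `ch` is taken out of `client_hello` before the hunks shown here. That link is outside this diff, so it is worth checking that the F* body actually discharges it rather than relying on an `admit`. The shape matches the `requires` added to `set_client_hello_binder` and `transcript_hash_without_client_hello`, so the pre/postconditions compose once that fact is available.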
@@ -719,13 +719,12 @@ let compute_psk_binder_zero_rtt Bertie.Tls13formats.t_Transcript) u8 let build_client_hello - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (ciphersuite: Bertie.Tls13crypto.t_Algorithms) (sn: Bertie.Tls13utils.t_Bytes) (tkt psk: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = let tx:Bertie.Tls13formats.t_Transcript = Bertie.Tls13formats.impl_Transcript__new (Bertie.Tls13crypto.impl_Algorithms__hash ciphersuite @@ -733,19 +732,19 @@ let build_client_hello Bertie.Tls13crypto.t_HashAlgorithm) in let client_random:t_Array u8 (mk_usize 32) = Rust_primitives.Hax.repeat (mk_u8 0) (mk_usize 32) in - let tmp0, tmp1:(iimpl_916461611_ & t_Array u8 (mk_usize 32)) = - Rand_core.f_fill_bytes #iimpl_916461611_ #FStar.Tactics.Typeclasses.solve rng client_random + let tmp0, tmp1:(iimpl_447424039_ & t_Array u8 (mk_usize 32)) = + Rand_core.f_fill_bytes #iimpl_447424039_ #FStar.Tactics.Typeclasses.solve rng client_random in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in let client_random:t_Array u8 (mk_usize 32) = tmp1 in let _:Prims.unit = () in - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) = - Bertie.Tls13crypto.kem_keygen #iimpl_916461611_ + Bertie.Tls13crypto.kem_keygen #iimpl_447424039_ (Bertie.Tls13crypto.impl_Algorithms__kem ciphersuite <: Bertie.Tls13crypto.t_KemScheme) rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in match out <: Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 with | Core.Result.Result_Ok (kem_sk, kem_pk) -> (match 
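Review bot: The `i2: Rand_core.t_RngCore` instance is removed from `build_client_hello` while the body still calls `Rand_core.f_fill_bytes #iimpl_447424039_ #FStar.Tactics.Typeclasses.solve rng client_random`, so `tcresolve` must now obtain the `RngCore` dictionary from the remaining `CryptoRng` one. That matches rand_core 0.9, where `CryptoRng: RngCore` is a supertrait, but it only typechecks if the F* `Rand_core` model (not in this diff) declares `t_CryptoRng` with that superclass; worth confirming once rather than per function. The same signature change is applied to `client_init` (`-1283`), `get_server_hello` (`-1652`), `get_rsa_signature` (`-1804`) and `get_server_signature_no_psk` (`-1839`), so a single check on the model covers all of them.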
@@ -798,7 +797,7 @@ let build_client_hello in rng, hax_temp_output <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & @@ -812,7 +811,7 @@ let build_client_hello Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & t_ClientPostClientHello) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & @@ -826,7 +825,7 @@ let build_client_hello Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & t_ClientPostClientHello) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & @@ -840,7 +839,7 @@ let build_client_hello Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & t_ClientPostClientHello) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & 
@@ -1283,22 +1282,21 @@ let get_client_finished (handshake_state: t_ClientPostServerFinished) = (Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_ClientPostClientFinished) u8 let client_init - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (algs: Bertie.Tls13crypto.t_Algorithms) (sn: Bertie.Tls13utils.t_Bytes) (tkt psk: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & t_ClientPostClientHello) u8) = - build_client_hello #iimpl_916461611_ algs sn tkt psk rng + build_client_hello #iimpl_447424039_ algs sn tkt psk rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in let hax_temp_output:Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & @@ -1307,7 +1305,7 @@ let client_init in rng, hax_temp_output <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & 
@@ -1652,27 +1650,26 @@ let put_client_hello (Core.Option.t_Option Bertie.Tls13record.t_ServerCipherState0 & t_ServerPostClientHello) u8 let get_server_hello - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (state: t_ServerPostClientHello) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = let server_random:t_Array u8 (mk_usize 32) = Rust_primitives.Hax.repeat (mk_u8 0) (mk_usize 32) in - let tmp0, tmp1:(iimpl_916461611_ & t_Array u8 (mk_usize 32)) = - Rand_core.f_fill_bytes #iimpl_916461611_ #FStar.Tactics.Typeclasses.solve rng server_random + let tmp0, tmp1:(iimpl_447424039_ & t_Array u8 (mk_usize 32)) = + Rand_core.f_fill_bytes #iimpl_447424039_ #FStar.Tactics.Typeclasses.solve rng server_random in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in let server_random:t_Array u8 (mk_usize 32) = tmp1 in let _:Prims.unit = () in - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) = - Bertie.Tls13crypto.kem_encap #iimpl_916461611_ + Bertie.Tls13crypto.kem_encap #iimpl_447424039_ state.f_ciphersuite.Bertie.Tls13crypto.f_kem state.f_gx rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in match out <: Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 with | Core.Result.Result_Ok (shared_secret, gy) -> (match @@ -1748,7 +1745,7 @@ let get_server_hello in rng, hax_temp_output <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13record.t_DuplexCipherStateH & 
@@ -1762,7 +1759,7 @@ let get_server_hello Bertie.Tls13record.t_DuplexCipherStateH & t_ServerPostServerHello) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13record.t_DuplexCipherStateH & @@ -1776,7 +1773,7 @@ let get_server_hello Bertie.Tls13record.t_DuplexCipherStateH & t_ServerPostServerHello) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13record.t_DuplexCipherStateH & @@ -1790,7 +1787,7 @@ let get_server_hello Bertie.Tls13record.t_DuplexCipherStateH & t_ServerPostServerHello) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13record.t_DuplexCipherStateH & @@ -1804,18 +1801,17 @@ let get_server_hello Bertie.Tls13record.t_DuplexCipherStateH & t_ServerPostServerHello) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13record.t_DuplexCipherStateH & t_ServerPostServerHello) u8) let get_rsa_signature - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (cert sk sigval: Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = match Bertie.Tls13cert.verification_key_from_cert cert 
@@ -1830,8 +1826,8 @@ let get_rsa_signature Core.Result.t_Result Bertie.Tls13crypto.t_RsaVerificationKey u8 with | Core.Result.Result_Ok pk -> - let tmp0, out:(iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) = - Bertie.Tls13crypto.sign_rsa #iimpl_916461611_ + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) = + Bertie.Tls13crypto.sign_rsa #iimpl_447424039_ sk pk.Bertie.Tls13crypto.f_modulus pk.Bertie.Tls13crypto.f_exponent @@ -1839,26 +1835,25 @@ let get_rsa_signature sigval rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in let hax_temp_output:Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 = out in rng, hax_temp_output <: - (iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + (iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) | Core.Result.Result_Err err -> rng, (Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) <: - (iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8)) + (iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8)) | Core.Result.Result_Err err -> rng, (Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) <: - (iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + (iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) let get_server_signature_no_psk - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (state: t_ServerPostServerHello) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = match Bertie.Tls13formats.encrypted_extensions state.f_ciphersuite 
@@ -1893,7 +1888,7 @@ let get_server_signature_no_psk Bertie.Tls13utils.t_Bytes) transcript_hash in - let rng, hoist101:(iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + let rng, hoist101:(iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) = match Bertie.Tls13crypto.impl_Algorithms__signature state.f_ciphersuite @@ -1901,9 +1896,9 @@ let get_server_signature_no_psk Bertie.Tls13crypto.t_SignatureScheme with | Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 -> - let tmp0, out:(iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) = - Bertie.Tls13crypto.sign #iimpl_916461611_ + Bertie.Tls13crypto.sign #iimpl_447424039_ (Bertie.Tls13crypto.impl_Algorithms__signature state.f_ciphersuite <: Bertie.Tls13crypto.t_SignatureScheme) 
@@ -1911,26 +1906,26 @@ let get_server_signature_no_psk sigval rng in - let rng:iimpl_916461611_ = tmp0 in - rng, out <: (iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + let rng:iimpl_447424039_ = tmp0 in + rng, out <: (iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) | Bertie.Tls13crypto.SignatureScheme_RsaPssRsaSha256 -> - let tmp0, out:(iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) = - get_rsa_signature #iimpl_916461611_ + get_rsa_signature #iimpl_447424039_ state.f_server.Bertie.Server.f_cert state.f_server.Bertie.Server.f_sk sigval rng in - let rng:iimpl_916461611_ = tmp0 in - rng, out <: (iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + let rng:iimpl_447424039_ = tmp0 in + rng, out <: (iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) | Bertie.Tls13crypto.SignatureScheme_ED25519 -> rng, (Core.Result.Result_Err Bertie.Tls13utils.v_UNSUPPORTED_ALGORITHM <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) <: - (iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + (iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) in (match hoist101 <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 with | Core.Result.Result_Ok sig -> @@ -1975,7 +1970,7 @@ let get_server_signature_no_psk in rng, hax_temp_output <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -1991,7 +1986,7 @@ let get_server_signature_no_psk Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_ServerPostCertificateVerify) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & 
@@ -2007,7 +2002,7 @@ let get_server_signature_no_psk Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_ServerPostCertificateVerify) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2023,7 +2018,7 @@ let get_server_signature_no_psk Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_ServerPostCertificateVerify) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2039,7 +2034,7 @@ let get_server_signature_no_psk Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_ServerPostCertificateVerify) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2055,7 +2050,7 @@ let get_server_signature_no_psk Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_ServerPostCertificateVerify) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & 
@@ -2063,13 +2058,12 @@ let get_server_signature_no_psk t_ServerPostCertificateVerify) u8) let get_server_signature - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (state: t_ServerPostServerHello) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = - let rng, hax_temp_output:(iimpl_916461611_ & + let rng, hax_temp_output:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2077,18 +2071,18 @@ let get_server_signature t_ServerPostCertificateVerify) u8) = if ~.(Bertie.Tls13crypto.impl_Algorithms__psk_mode state.f_ciphersuite <: bool) then - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_ServerPostCertificateVerify) u8) = - get_server_signature_no_psk #iimpl_916461611_ state rng + get_server_signature_no_psk #iimpl_447424039_ state rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in rng, out <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2104,7 +2098,7 @@ let get_server_signature Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_ServerPostCertificateVerify) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & 
@@ -2113,7 +2107,7 @@ let get_server_signature in rng, hax_temp_output <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2331,13 +2325,12 @@ let put_client_finished Core.Result.Result_Err err <: Core.Result.t_Result t_ServerPostClientFinished u8 let server_init_no_psk - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (algs: Bertie.Tls13crypto.t_Algorithms) (ch: Bertie.Tls13formats.Handshake_data.t_HandshakeData) (db: Bertie.Server.t_ServerDB) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = match put_client_hello algs ch db @@ -2346,14 +2339,14 @@ let server_init_no_psk (Core.Option.t_Option Bertie.Tls13record.t_ServerCipherState0 & t_ServerPostClientHello) u8 with | Core.Result.Result_Ok (cipher0, st) -> - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13record.t_DuplexCipherStateH & t_ServerPostServerHello) u8) = - get_server_hello #iimpl_916461611_ st rng + get_server_hello #iimpl_447424039_ st rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in (match out <: 
@@ -2363,15 +2356,15 @@ let server_init_no_psk t_ServerPostServerHello) u8 with | Core.Result.Result_Ok (sh, cipher_hs, st) -> - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_ServerPostCertificateVerify) u8) = - get_server_signature #iimpl_916461611_ st rng + get_server_signature #iimpl_447424039_ st rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in (match out <: @@ -2428,7 +2421,7 @@ let server_init_no_psk in rng, hax_temp_output <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2448,7 +2441,7 @@ let server_init_no_psk Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2468,7 +2461,7 @@ let server_init_no_psk Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2488,7 +2481,7 @@ let server_init_no_psk Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & 
@@ -2508,7 +2501,7 @@ let server_init_no_psk Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2518,13 +2511,12 @@ let server_init_no_psk t_ServerPostServerFinished) u8) let server_init_psk - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (algs: Bertie.Tls13crypto.t_Algorithms) (ch: Bertie.Tls13formats.Handshake_data.t_HandshakeData) (db: Bertie.Server.t_ServerDB) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = match put_client_hello algs ch db @@ -2533,14 +2525,14 @@ let server_init_psk (Core.Option.t_Option Bertie.Tls13record.t_ServerCipherState0 & t_ServerPostClientHello) u8 with | Core.Result.Result_Ok (cipher0, st) -> - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13record.t_DuplexCipherStateH & t_ServerPostServerHello) u8) = - get_server_hello #iimpl_916461611_ st rng + get_server_hello #iimpl_447424039_ st rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in (match out <: @@ -2597,7 +2589,7 @@ let server_init_psk in rng, hax_temp_output <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & 
@@ -2617,7 +2609,7 @@ let server_init_psk Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2637,7 +2629,7 @@ let server_init_psk Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2657,7 +2649,7 @@ let server_init_psk Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2677,7 +2669,7 @@ let server_init_psk Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2687,15 +2679,14 @@ let server_init_psk t_ServerPostServerFinished) u8) let server_init - (#iimpl_916461611_: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_916461611_) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_RngCore iimpl_916461611_) + (#iimpl_447424039_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_CryptoRng iimpl_447424039_) (algs: Bertie.Tls13crypto.t_Algorithms) (ch: Bertie.Tls13formats.Handshake_data.t_HandshakeData) (db: Bertie.Server.t_ServerDB) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) = - let rng, hax_temp_output:(iimpl_916461611_ & + let rng, hax_temp_output:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & 
@@ -2705,7 +2696,7 @@ let server_init t_ServerPostServerFinished) u8) = match Bertie.Tls13crypto.impl_Algorithms__psk_mode algs <: bool with | false -> - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2713,12 +2704,12 @@ let server_init Bertie.Tls13record.t_DuplexCipherStateH & Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) = - server_init_no_psk #iimpl_916461611_ algs ch db rng + server_init_no_psk #iimpl_447424039_ algs ch db rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in rng, out <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2727,7 +2718,7 @@ let server_init Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) | true -> - let tmp0, out:(iimpl_916461611_ & + let tmp0, out:(iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2735,12 +2726,12 @@ let server_init Bertie.Tls13record.t_DuplexCipherStateH & Bertie.Tls13record.t_DuplexCipherState1 & t_ServerPostServerFinished) u8) = - server_init_psk #iimpl_916461611_ algs ch db rng + server_init_psk #iimpl_447424039_ algs ch db rng in - let rng:iimpl_916461611_ = tmp0 in + let rng:iimpl_447424039_ = tmp0 in rng, out <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -2751,7 +2742,7 @@ let server_init in rng, hax_temp_output <: - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & 
diff --git a/proofs/fstar/extraction/Bertie.Tls13handshake.fsti b/proofs/fstar/extraction/Bertie.Tls13handshake.fsti index db236d30..c83adb7a 100644 --- a/proofs/fstar/extraction/Bertie.Tls13handshake.fsti +++ b/proofs/fstar/extraction/Bertie.Tls13handshake.fsti @@ -213,18 +213,20 @@ val compute_psk_binder_zero_rtt (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & - Bertie.Tls13formats.t_Transcript) u8) Prims.l_True (fun _ -> Prims.l_True) + Bertie.Tls13formats.t_Transcript) u8) + (requires + trunc_len <=. (Bertie.Tls13formats.Handshake_data.impl_HandshakeData__len ch <: usize)) + (fun _ -> Prims.l_True) val build_client_hello - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (ciphersuite: Bertie.Tls13crypto.t_Algorithms) (sn: Bertie.Tls13utils.t_Bytes) (tkt psk: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) : Prims.Pure - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & 
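Review bot: The new `(requires trunc_len <=. (Bertie.Tls13formats.Handshake_data.impl_HandshakeData__len ch <: usize))` on compute_psk_binder_zero_rtt replaces `Prims.l_True` with a proof obligation for every caller, and neither the callers nor the matching body in the .fst are in this view, so it cannot be confirmed here that they establish it. Since this .fsti is a hax extraction, the precondition presumably originates from an annotation on the Rust source (for example a `hax_lib::requires` attribute); if it was edited into the extracted file by hand it will disappear on the next extraction, so it is worth stating in the commit message where it comes from. The `val compute_psk_binder_zero_rtt` declaration begins outside the hunk.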
@@ -268,15 +270,14 @@ val get_client_finished (handshake_state: t_ClientPostServerFinished) (fun _ -> Prims.l_True) val client_init - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (algs: Bertie.Tls13crypto.t_Algorithms) (sn: Bertie.Tls13utils.t_Bytes) (tkt psk: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) : Prims.Pure - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & 
@@ -320,36 +321,33 @@ val put_client_hello u8) Prims.l_True (fun _ -> Prims.l_True) val get_server_hello - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (state: t_ServerPostClientHello) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) : Prims.Pure - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13record.t_DuplexCipherStateH & t_ServerPostServerHello) u8) Prims.l_True (fun _ -> Prims.l_True) val get_rsa_signature - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (cert sk sigval: Bertie.Tls13utils.t_Bytes) - (rng: iimpl_916461611_) - : Prims.Pure (iimpl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + (rng: iimpl_447424039_) + : Prims.Pure (iimpl_447424039_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) Prims.l_True (fun _ -> Prims.l_True) val get_server_signature_no_psk - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (state: t_ServerPostServerHello) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) : Prims.Pure - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & 
@@ -357,13 +355,12 @@ val get_server_signature_no_psk t_ServerPostCertificateVerify) u8) Prims.l_True (fun _ -> Prims.l_True) val get_server_signature - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (state: t_ServerPostServerHello) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) : Prims.Pure - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -399,15 +396,14 @@ val put_client_finished (fun _ -> Prims.l_True) val server_init_no_psk - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (algs: Bertie.Tls13crypto.t_Algorithms) (ch: Bertie.Tls13formats.Handshake_data.t_HandshakeData) (db: Bertie.Server.t_ServerDB) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) : Prims.Pure - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & 
@@ -417,15 +413,14 @@ val server_init_no_psk t_ServerPostServerFinished) u8) Prims.l_True (fun _ -> Prims.l_True) val server_init_psk - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (algs: Bertie.Tls13crypto.t_Algorithms) (ch: Bertie.Tls13formats.Handshake_data.t_HandshakeData) (db: Bertie.Server.t_ServerDB) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) : Prims.Pure - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & @@ -435,15 +430,14 @@ val server_init_psk t_ServerPostServerFinished) u8) Prims.l_True (fun _ -> Prims.l_True) val server_init - (#iimpl_916461611_: Type0) - {| i1: Rand_core.t_CryptoRng iimpl_916461611_ |} - {| i2: Rand_core.t_RngCore iimpl_916461611_ |} + (#iimpl_447424039_: Type0) + {| i1: Rand_core.t_CryptoRng iimpl_447424039_ |} (algs: Bertie.Tls13crypto.t_Algorithms) (ch: Bertie.Tls13formats.Handshake_data.t_HandshakeData) (db: Bertie.Server.t_ServerDB) - (rng: iimpl_916461611_) + (rng: iimpl_447424039_) : Prims.Pure - (iimpl_916461611_ & + (iimpl_447424039_ & Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & Bertie.Tls13formats.Handshake_data.t_HandshakeData & diff --git a/proofs/fstar/extraction/Bertie.Tls13record.fst b/proofs/fstar/extraction/Bertie.Tls13record.fst index 3ed2b4b8..2d20d57e 100644 --- a/proofs/fstar/extraction/Bertie.Tls13record.fst +++ b/proofs/fstar/extraction/Bertie.Tls13record.fst 
@@ -58,48 +58,65 @@ let derive_iv_ctr (iv: Bertie.Tls13utils.t_Bytes) (n: u64) = #FStar.Tactics.Typeclasses.solve (Core.Num.impl_u64__to_be_bytes n <: t_Array u8 (mk_usize 8)) in + let uby = (Core.Num.impl_u64__to_be_bytes n <: t_Array u8 (mk_usize 8)) in + Bertie.Tls13utils.impl_2_lemma uby; + assert (counter == Bertie.Tls13utils.impl_2.f_from uby); + admit() let iv_ctr:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.impl_Bytes__zeroes (Bertie.Tls13utils.impl_Bytes__len iv <: usize) in let iv_ctr:Bertie.Tls13utils.t_Bytes = Rust_primitives.Hax.Folds.fold_range (mk_usize 0) ((Bertie.Tls13utils.impl_Bytes__len iv <: usize) -! mk_usize 8 <: usize) - (fun iv_ctr temp_1_ -> + (fun iv_ctr i -> let iv_ctr:Bertie.Tls13utils.t_Bytes = iv_ctr in - let _:usize = temp_1_ in - true) + let i:usize = i in + (Bertie.Tls13utils.impl_Bytes__len iv_ctr <: usize) =. + (Bertie.Tls13utils.impl_Bytes__len iv <: usize) + <: + bool) iv_ctr (fun iv_ctr i -> let iv_ctr:Bertie.Tls13utils.t_Bytes = iv_ctr in let i:usize = i in - Rust_primitives.Hax.update_at iv_ctr i (iv.[ i ] <: u8) <: Bertie.Tls13utils.t_Bytes) + let iv_ctr:Bertie.Tls13utils.t_Bytes = + Rust_primitives.Hax.update_at iv_ctr i (iv.[ i ] <: u8) + in + iv_ctr) in let iv_ctr:Bertie.Tls13utils.t_Bytes = Rust_primitives.Hax.Folds.fold_range (mk_usize 0) (mk_usize 8) - (fun iv_ctr temp_1_ -> + (fun iv_ctr i -> let iv_ctr:Bertie.Tls13utils.t_Bytes = iv_ctr in - let _:usize = temp_1_ in - true) + let i:usize = i in + (Bertie.Tls13utils.impl_Bytes__len iv_ctr <: usize) =. + (Bertie.Tls13utils.impl_Bytes__len iv <: usize) + <: + bool) iv_ctr (fun iv_ctr i -> let iv_ctr:Bertie.Tls13utils.t_Bytes = iv_ctr in let i:usize = i in - Rust_primitives.Hax.update_at iv_ctr - ((i +! (Bertie.Tls13utils.impl_Bytes__len iv <: usize) <: usize) -! mk_usize 8 <: usize) - ((iv.[ (i +! (Bertie.Tls13utils.impl_Bytes__len iv <: usize) <: usize) -! mk_usize 8 + let iv_ctr:Bertie.Tls13utils.t_Bytes = + Rust_primitives.Hax.update_at iv_ctr + (i +! 
((Bertie.Tls13utils.impl_Bytes__len iv <: usize) -! mk_usize 8 <: usize) + <: + usize) + ((iv.[ i +! ((Bertie.Tls13utils.impl_Bytes__len iv <: usize) -! mk_usize 8 <: usize) + <: + usize ] <: - usize ] + u8) ^. + (counter.[ i ] <: u8) <: - u8) ^. - (counter.[ i ] <: u8) - <: - u8) - <: - Bertie.Tls13utils.t_Bytes) + u8) + in + iv_ctr) in iv_ctr + let encrypt_record_payload (key_iv: Bertie.Tls13crypto.t_AeadKeyIV) (n: u64) 
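Review bot: The `admit()` inserted after `assert (counter == Bertie.Tls13utils.impl_2.f_from uby)` in derive_iv_ctr makes every obligation in the rest of the body vacuous — including the newly added `impl_Bytes__len iv_ctr =. impl_Bytes__len iv` fold invariants and the in-bounds accesses `iv.[ i ]` and `counter.[ i ]` — so the record-layer nonce derivation ends up unverified despite the added invariants. The later hunk takes on the same proof debt by placing `#push-options "--admit_smt_queries true"` in front of decrypt_record_payload. If only the fact relating `counter` to `impl_2.f_from uby` cannot yet be discharged, narrowing the admission to an `assume` of that single proposition (or, at minimum, a `// TODO(proof): ...` comment naming the pending obligation) keeps the gap visible and bounded instead of silencing everything after it. The header of derive_iv_ctr lies outside the hunk.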
@@ -107,46 +124,60 @@ let encrypt_record_payload (payload: Bertie.Tls13utils.t_Bytes) (pad: usize) = - let iv_ctr:Bertie.Tls13utils.t_Bytes = derive_iv_ctr key_iv.Bertie.Tls13crypto.f_iv n in - let inner_plaintext:Bertie.Tls13utils.t_Bytes = - Bertie.Tls13utils.impl_Bytes__concat (Bertie.Tls13utils.impl_Bytes__concat payload - (Bertie.Tls13utils.bytes1 (Bertie.Tls13formats.t_ContentType_cast_to_repr ct <: u8) - <: - Bertie.Tls13utils.t_Bytes) + match + Bertie.Tls13utils.check ((Bertie.Tls13utils.impl_Bytes__len key_iv.Bertie.Tls13crypto.f_iv + <: + usize) >=. + mk_usize 8 <: - Bertie.Tls13utils.t_Bytes) - (Bertie.Tls13utils.impl_Bytes__zeroes pad <: Bertie.Tls13utils.t_Bytes) - in - let clen:usize = (Bertie.Tls13utils.impl_Bytes__len inner_plaintext <: usize) +! mk_usize 16 in - if clen <=. mk_usize 65536 - then - let clenb:t_Array u8 (mk_usize 2) = - Core.Num.impl_u16__to_be_bytes (cast (clen <: usize) <: u16) - in - let ad:Bertie.Tls13utils.t_Bytes = - Core.Convert.f_into #(t_Array u8 (mk_usize 5)) - #Bertie.Tls13utils.t_Bytes - #FStar.Tactics.Typeclasses.solve - (let list = - [mk_u8 23; mk_u8 3; mk_u8 3; clenb.[ mk_usize 0 ] <: u8; clenb.[ mk_usize 1 ] <: u8] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 5); - Rust_primitives.Hax.array_of_list 5 list) + bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + let iv_ctr:Bertie.Tls13utils.t_Bytes = derive_iv_ctr key_iv.Bertie.Tls13crypto.f_iv n in + let inner_plaintext:Bertie.Tls13utils.t_Bytes = + Bertie.Tls13utils.impl_Bytes__concat (Bertie.Tls13utils.impl_Bytes__concat payload + (Bertie.Tls13utils.bytes1 (Bertie.Tls13formats.t_ContentType_cast_to_repr ct <: u8) + <: + Bertie.Tls13utils.t_Bytes) + <: + Bertie.Tls13utils.t_Bytes) + (Bertie.Tls13utils.impl_Bytes__zeroes pad <: Bertie.Tls13utils.t_Bytes) in - match - Bertie.Tls13crypto.aead_encrypt key_iv.Bertie.Tls13crypto.f_key iv_ctr inner_plaintext ad + let clen:usize = (Bertie.Tls13utils.impl_Bytes__len 
inner_plaintext <: usize) +! mk_usize 16 in + if clen <=. mk_usize 65536 + then + let clenb:t_Array u8 (mk_usize 2) = + Core.Num.impl_u16__to_be_bytes (cast (clen <: usize) <: u16) + in + let ad:Bertie.Tls13utils.t_Bytes = + Core.Convert.f_into #(t_Array u8 (mk_usize 5)) + #Bertie.Tls13utils.t_Bytes + #FStar.Tactics.Typeclasses.solve + (let list = + [mk_u8 23; mk_u8 3; mk_u8 3; clenb.[ mk_usize 0 ] <: u8; clenb.[ mk_usize 1 ] <: u8] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 5); + Rust_primitives.Hax.array_of_list 5 list) + in + match + Bertie.Tls13crypto.aead_encrypt key_iv.Bertie.Tls13crypto.f_key iv_ctr inner_plaintext ad + <: + Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + with + | Core.Result.Result_Ok cip -> + let v_rec:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.impl_Bytes__concat ad cip in + Core.Result.Result_Ok v_rec <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + else + Core.Result.Result_Err Bertie.Tls13utils.v_PAYLOAD_TOO_LONG <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - with - | Core.Result.Result_Ok cip -> - let v_rec:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.impl_Bytes__concat ad cip in - Core.Result.Result_Ok v_rec <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - else - Core.Result.Result_Err Bertie.Tls13utils.v_PAYLOAD_TOO_LONG - <: - Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + let encrypt_zerortt (payload: Bertie.Tls13utils.t_AppData) (pad: usize) (st: t_ClientCipherState0) = let ClientCipherState0 ae kiv n exp:t_ClientCipherState0 = st in 
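Review bot: The new `Bertie.Tls13utils.check ((impl_Bytes__len key_iv.f_iv <: usize) >=. mk_usize 8 <: bool)` re-states a precondition of derive_iv_ctr at the call site, and the later hunk repeats it in decrypt_record_payload; derive_iv_ctr itself computes `(impl_Bytes__len iv <: usize) -! mk_usize 8`, so the bound belongs to that function. Expressing it as a `requires` on derive_iv_ctr in the interface would make the verifier enforce it at every present and future caller, while the runtime check can remain as defence in depth for the extracted Rust. The signature of encrypt_record_payload begins outside the hunk.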
@@ -160,12 +191,22 @@ let encrypt_zerortt (payload: Bertie.Tls13utils.t_AppData) (pad: usize) (st: t_C Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 with | Core.Result.Result_Ok v_rec -> - Core.Result.Result_Ok - (v_rec, (ClientCipherState0 ae kiv (n +! mk_u64 1) exp <: t_ClientCipherState0) - <: - (Bertie.Tls13utils.t_Bytes & t_ClientCipherState0)) - <: - Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_ClientCipherState0) u8 + (match + Bertie.Tls13utils.check (n <. Core.Num.impl_u64__MAX <: bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok + (v_rec, (ClientCipherState0 ae kiv (n +! mk_u64 1) exp <: t_ClientCipherState0) + <: + (Bertie.Tls13utils.t_Bytes & t_ClientCipherState0)) + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_ClientCipherState0) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_ClientCipherState0) u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: 
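Review bot: The added `Bertie.Tls13utils.check (n <. Core.Num.impl_u64__MAX <: bool)` guards only the arithmetic overflow of `n +! mk_u64 1`; it runs after encrypt_record_payload has already consumed `n` as the record nonce, which is safe here because the error path does not return an advanced state, but it should not be mistaken for a record-count limit — RFC 8446 §5.5 requires a key update or connection close long before 2^64 records under one key. If a per-key record bound is also intended, it should be a named constant compared here rather than `impl_u64__MAX`. encrypt_handshake and encrypt_data in the next two hunks apply the identical check and the same remark applies to them; the enclosing match on encrypt_record_payload's result begins outside the hunk.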
@@ -189,12 +230,24 @@ let encrypt_handshake Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 with | Core.Result.Result_Ok v_rec -> - let state:t_DuplexCipherStateH = - { state with f_sender_counter = state.f_sender_counter +! mk_u64 1 } <: t_DuplexCipherStateH - in - Core.Result.Result_Ok (v_rec, state <: (Bertie.Tls13utils.t_Bytes & t_DuplexCipherStateH)) - <: - Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_DuplexCipherStateH) u8 + (match + Bertie.Tls13utils.check (state.f_sender_counter <. Core.Num.impl_u64__MAX <: bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + let state:t_DuplexCipherStateH = + { state with f_sender_counter = state.f_sender_counter +! mk_u64 1 } + <: + t_DuplexCipherStateH + in + Core.Result.Result_Ok (v_rec, state <: (Bertie.Tls13utils.t_Bytes & t_DuplexCipherStateH)) + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_DuplexCipherStateH) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_DuplexCipherStateH) u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: 
@@ -212,12 +265,22 @@ let encrypt_data (payload: Bertie.Tls13utils.t_AppData) (pad: usize) (st: t_Dupl Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 with | Core.Result.Result_Ok v_rec -> - Core.Result.Result_Ok - (v_rec, (DuplexCipherState1 ae kiv (n +! mk_u64 1) x y exp <: t_DuplexCipherState1) - <: - (Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1)) - <: - Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1) u8 + (match + Bertie.Tls13utils.check (n <. Core.Num.impl_u64__MAX <: bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok + (v_rec, (DuplexCipherState1 ae kiv (n +! mk_u64 1) x y exp <: t_DuplexCipherState1) + <: + (Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1)) + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1) u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: 
@@ -236,108 +299,126 @@ let rec padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) = then mk_usize 1 +! (padlen b (n -! mk_usize 1 <: usize) <: usize) else mk_usize 0 +#push-options "--admit_smt_queries true" + let decrypt_record_payload (kiv: Bertie.Tls13crypto.t_AeadKeyIV) (n: u64) (ciphertext: Bertie.Tls13utils.t_Bytes) = - let iv_ctr:Bertie.Tls13utils.t_Bytes = derive_iv_ctr kiv.Bertie.Tls13crypto.f_iv n in - let clen:usize = (Bertie.Tls13utils.impl_Bytes__len ciphertext <: usize) -! mk_usize 5 in - if clen <=. mk_usize 65536 && clen >. mk_usize 16 - then - let clen_bytes:t_Array u8 (mk_usize 2) = - Core.Num.impl_u16__to_be_bytes (cast (clen <: usize) <: u16) - in - let ad:Bertie.Tls13utils.t_Bytes = - Core.Convert.f_into #(t_Array u8 (mk_usize 5)) - #Bertie.Tls13utils.t_Bytes - #FStar.Tactics.Typeclasses.solve - (let list = - [ - mk_u8 23; - mk_u8 3; - mk_u8 3; - clen_bytes.[ mk_usize 0 ] <: u8; - clen_bytes.[ mk_usize 1 ] <: u8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 5); - Rust_primitives.Hax.array_of_list 5 list) - in - match - Bertie.Tls13utils.check_eq ad - (Bertie.Tls13utils.impl_Bytes__slice_range ciphertext - ({ Core.Ops.Range.f_start = mk_usize 0; Core.Ops.Range.f_end = mk_usize 5 } + match + Bertie.Tls13utils.check ((Bertie.Tls13utils.impl_Bytes__len kiv.Bertie.Tls13crypto.f_iv <: usize + ) >=. + mk_usize 8 + <: + bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + let iv_ctr:Bertie.Tls13utils.t_Bytes = derive_iv_ctr kiv.Bertie.Tls13crypto.f_iv n in + let clen:usize = (Bertie.Tls13utils.impl_Bytes__len ciphertext <: usize) -! mk_usize 5 in + if clen <=. mk_usize 65536 && clen >. 
mk_usize 16 + then + let clen_bytes:t_Array u8 (mk_usize 2) = + Core.Num.impl_u16__to_be_bytes (cast (clen <: usize) <: u16) + in + let ad:Bertie.Tls13utils.t_Bytes = + Core.Convert.f_into #(t_Array u8 (mk_usize 5)) + #Bertie.Tls13utils.t_Bytes + #FStar.Tactics.Typeclasses.solve + (let list = + [ + mk_u8 23; + mk_u8 3; + mk_u8 3; + clen_bytes.[ mk_usize 0 ] <: u8; + clen_bytes.[ mk_usize 1 ] <: u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 5); + Rust_primitives.Hax.array_of_list 5 list) + in + match + Bertie.Tls13utils.check_eq ad + (Bertie.Tls13utils.impl_Bytes__slice_range ciphertext + ({ Core.Ops.Range.f_start = mk_usize 0; Core.Ops.Range.f_end = mk_usize 5 } + <: + Core.Ops.Range.t_Range usize) + <: + Bertie.Tls13utils.t_Bytes) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + let cip:Bertie.Tls13utils.t_Bytes = + Bertie.Tls13utils.impl_Bytes__slice_range ciphertext + ({ + Core.Ops.Range.f_start = mk_usize 5; + Core.Ops.Range.f_end = Bertie.Tls13utils.impl_Bytes__len ciphertext <: usize + } <: Core.Ops.Range.t_Range usize) - <: - Bertie.Tls13utils.t_Bytes) - <: - Core.Result.t_Result Prims.unit u8 - with - | Core.Result.Result_Ok _ -> - let cip:Bertie.Tls13utils.t_Bytes = - Bertie.Tls13utils.impl_Bytes__slice_range ciphertext - ({ - Core.Ops.Range.f_start = mk_usize 5; - Core.Ops.Range.f_end = Bertie.Tls13utils.impl_Bytes__len ciphertext <: usize - } + in + (match + Bertie.Tls13crypto.aead_decrypt kiv.Bertie.Tls13crypto.f_key iv_ctr cip ad <: - Core.Ops.Range.t_Range usize) - in - (match - Bertie.Tls13crypto.aead_decrypt kiv.Bertie.Tls13crypto.f_key iv_ctr cip ad - <: - Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - with - | Core.Result.Result_Ok plain -> - let payload_len:usize = - ((Bertie.Tls13utils.impl_Bytes__len plain <: usize) -! - (padlen plain (Bertie.Tls13utils.impl_Bytes__len plain <: usize) <: usize) - <: - usize) -! 
- mk_usize 1 - in - (match - Bertie.Tls13formats.impl_ContentType__try_from_u8 (Bertie.Tls13utils.f_declassify #u8 - #u8 - #FStar.Tactics.Typeclasses.solve - (plain.[ payload_len ] <: u8) - <: - u8) - <: - Core.Result.t_Result Bertie.Tls13formats.t_ContentType u8 - with - | Core.Result.Result_Ok ct -> - let payload:Bertie.Tls13utils.t_Bytes = - Bertie.Tls13utils.impl_Bytes__slice_range plain - ({ Core.Ops.Range.f_start = mk_usize 0; Core.Ops.Range.f_end = payload_len } + Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + with + | Core.Result.Result_Ok plain -> + let payload_len:usize = + ((Bertie.Tls13utils.impl_Bytes__len plain <: usize) -! + (padlen plain (Bertie.Tls13utils.impl_Bytes__len plain <: usize) <: usize) + <: + usize) -! + mk_usize 1 + in + (match + Bertie.Tls13formats.impl_ContentType__try_from_u8 (Bertie.Tls13utils.f_declassify #u8 + #u8 + #FStar.Tactics.Typeclasses.solve + (plain.[ payload_len ] <: u8) <: - Core.Ops.Range.t_Range usize) - in - Core.Result.Result_Ok - (ct, payload <: (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes)) - <: - Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) - u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) - u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err + u8) + <: + Core.Result.t_Result Bertie.Tls13formats.t_ContentType u8 + with + | Core.Result.Result_Ok ct -> + let payload:Bertie.Tls13utils.t_Bytes = + Bertie.Tls13utils.impl_Bytes__slice_range plain + ({ Core.Ops.Range.f_start = mk_usize 0; Core.Ops.Range.f_end = payload_len } + <: + Core.Ops.Range.t_Range usize) + in + Core.Result.Result_Ok + (ct, payload <: (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes)) + <: + 
Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) + u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) + u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) u8 + else + Core.Result.Result_Err Bertie.Tls13utils.v_PAYLOAD_TOO_LONG <: Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) u8 - else - Core.Result.Result_Err Bertie.Tls13utils.v_PAYLOAD_TOO_LONG + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) u8 +#pop-options + let decrypt_zerortt (ciphertext: Bertie.Tls13utils.t_Bytes) (state: t_ServerCipherState0) = match decrypt_record_payload state.f_key_iv state.f_counter ciphertext 
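Review bot: The `#push-options "--admit_smt_queries true"` / `#pop-options` pair around decrypt_record_payload switches verification off for precisely the function that parses untrusted ciphertext, so the new `f_index_pre` bound on `plain.[ payload_len ]` and the `-!` obligations in it are never discharged. In particular `payload_len` is `len plain -! padlen plain (len plain) -! mk_usize 1`, and since padlen's new contract only guarantees `out <=. n`, a decrypted plaintext consisting solely of zero bytes gives `padlen = len plain`, the subtraction underflows and the index is out of range; RFC 8446 §5.4 requires a record with no non-zero content-type octet to be rejected, not scanned. Instead of admitting the queries, guard the computation, e.g. `Bertie.Tls13utils.check ((padlen plain (Bertie.Tls13utils.impl_Bytes__len plain <: usize) <: usize) <. (Bertie.Tls13utils.impl_Bytes__len plain <: usize))` before `payload_len`, and drop the admit once the remaining obligations pass. If this file is hax-extracted, that guard belongs in the Rust source of decrypt_record_payload.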
@@ -354,19 +435,29 @@ let decrypt_zerortt (ciphertext: Bertie.Tls13utils.t_Bytes) (state: t_ServerCiph Core.Result.t_Result Prims.unit u8 with | Core.Result.Result_Ok _ -> - Core.Result.Result_Ok - (Bertie.Tls13utils.impl_AppData__new payload, - ({ - f_key_iv = state.f_key_iv; - f_counter = state.f_counter +! mk_u64 1; - f_early_exporter_ms = state.f_early_exporter_ms - } + (match + Bertie.Tls13utils.check (state.f_counter <. Core.Num.impl_u64__MAX <: bool) <: - t_ServerCipherState0) - <: - (Bertie.Tls13utils.t_AppData & t_ServerCipherState0)) - <: - Core.Result.t_Result (Bertie.Tls13utils.t_AppData & t_ServerCipherState0) u8 + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok + (Bertie.Tls13utils.impl_AppData__new payload, + ({ + f_key_iv = state.f_key_iv; + f_counter = state.f_counter +! mk_u64 1; + f_early_exporter_ms = state.f_early_exporter_ms + } + <: + t_ServerCipherState0) + <: + (Bertie.Tls13utils.t_AppData & t_ServerCipherState0)) + <: + Core.Result.t_Result (Bertie.Tls13utils.t_AppData & t_ServerCipherState0) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13utils.t_AppData & t_ServerCipherState0) u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: 
@@ -399,22 +490,33 @@ let decrypt_handshake (ciphertext: Bertie.Tls13utils.t_Bytes) (state: t_DuplexCi Core.Result.t_Result Prims.unit u8 with | Core.Result.Result_Ok _ -> - let state:t_DuplexCipherStateH = - { state with f_receiver_counter = state.f_receiver_counter +! mk_u64 1 } - <: - t_DuplexCipherStateH - in - Core.Result.Result_Ok - (Core.Convert.f_from #Bertie.Tls13formats.Handshake_data.t_HandshakeData - #Bertie.Tls13utils.t_Bytes - #FStar.Tactics.Typeclasses.solve - payload, - state - <: - (Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_DuplexCipherStateH)) - <: - Core.Result.t_Result - (Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_DuplexCipherStateH) u8 + (match + Bertie.Tls13utils.check (state.f_receiver_counter <. Core.Num.impl_u64__MAX <: bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + let state:t_DuplexCipherStateH = + { state with f_receiver_counter = state.f_receiver_counter +! mk_u64 1 } + <: + t_DuplexCipherStateH + in + Core.Result.Result_Ok + (Core.Convert.f_from #Bertie.Tls13formats.Handshake_data.t_HandshakeData + #Bertie.Tls13utils.t_Bytes + #FStar.Tactics.Typeclasses.solve + payload, + state + <: + (Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_DuplexCipherStateH)) + <: + Core.Result.t_Result + (Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_DuplexCipherStateH) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result + (Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_DuplexCipherStateH) u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: 
@@ -434,13 +536,24 @@ let decrypt_data_or_hs (ciphertext: Bertie.Tls13utils.t_Bytes) (st: t_DuplexCiph Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) u8 with | Core.Result.Result_Ok (ct, payload) -> - Core.Result.Result_Ok - (ct, payload, (DuplexCipherState1 ae x y kiv (n +! mk_u64 1) exp <: t_DuplexCipherState1) - <: - (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1)) - <: - Core.Result.t_Result - (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1) u8 + (match + Bertie.Tls13utils.check (n <. Core.Num.impl_u64__MAX <: bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok + (ct, payload, (DuplexCipherState1 ae x y kiv (n +! mk_u64 1) exp <: t_DuplexCipherState1) + <: + (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1)) + <: + Core.Result.t_Result + (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result + (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1) u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: 
@@ -464,13 +577,23 @@ let decrypt_data (ciphertext: Bertie.Tls13utils.t_Bytes) (st: t_DuplexCipherStat Core.Result.t_Result Prims.unit u8 with | Core.Result.Result_Ok _ -> - Core.Result.Result_Ok - (Bertie.Tls13utils.impl_AppData__new payload, - (DuplexCipherState1 ae x y kiv (n +! mk_u64 1) exp <: t_DuplexCipherState1) - <: - (Bertie.Tls13utils.t_AppData & t_DuplexCipherState1)) - <: - Core.Result.t_Result (Bertie.Tls13utils.t_AppData & t_DuplexCipherState1) u8 + (match + Bertie.Tls13utils.check (n <. Core.Num.impl_u64__MAX <: bool) + <: + Core.Result.t_Result Prims.unit u8 + with + | Core.Result.Result_Ok _ -> + Core.Result.Result_Ok + (Bertie.Tls13utils.impl_AppData__new payload, + (DuplexCipherState1 ae x y kiv (n +! mk_u64 1) exp <: t_DuplexCipherState1) + <: + (Bertie.Tls13utils.t_AppData & t_DuplexCipherState1)) + <: + Core.Result.t_Result (Bertie.Tls13utils.t_AppData & t_DuplexCipherState1) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13utils.t_AppData & t_DuplexCipherState1) u8) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: diff --git a/proofs/fstar/extraction/Bertie.Tls13record.fsti b/proofs/fstar/extraction/Bertie.Tls13record.fsti index 53956522..51eb14e4 100644 --- a/proofs/fstar/extraction/Bertie.Tls13record.fsti +++ b/proofs/fstar/extraction/Bertie.Tls13record.fsti @@ -79,7 +79,9 @@ val duplex_cipher_state1 /// Derive the AEAD IV with counter `n` val derive_iv_ctr (iv: Bertie.Tls13utils.t_Bytes) (n: u64) - : Prims.Pure Bertie.Tls13utils.t_Bytes Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure Bertie.Tls13utils.t_Bytes + (requires (Bertie.Tls13utils.impl_Bytes__len iv <: usize) >=. mk_usize 8) + (fun _ -> Prims.l_True) /// Encrypt the record `payload` with the given `key_iv`. val encrypt_record_payload 
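Review bot: The new `requires (Bertie.Tls13utils.impl_Bytes__len iv <: usize) >=. mk_usize 8` on derive_iv_ctr obliges every caller to establish the IV length; decrypt_record_payload now does that with a runtime check (hunk at +299 above), but encrypt_record_payload, declared just below this hunk with the same `key_iv`, is not in this chunk, so confirm it carries an equivalent guard or the proof of that caller will fail. A single invariant on the `Bertie.Tls13crypto.t_AeadKeyIV` type would discharge this once for all callers instead of a per-call check, if that type is under the project's control.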
@@ -116,7 +118,13 @@ val encrypt_data (payload: Bertie.Tls13utils.t_AppData) (pad: usize) (st: t_Dupl (fun _ -> Prims.l_True) val padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) - : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure usize + (requires (Bertie.Tls13utils.impl_Bytes__len b <: usize) >=. n) + (ensures + fun out -> + let out:usize = out in + out <=. n) + (decreases (Rust_primitives.Hax.Int.from_machine n <: Hax_lib.Int.t_Int)) /// AEAD decrypt the record `ciphertext` val decrypt_record_payload diff --git a/proofs/fstar/extraction/Bertie.Tls13utils.fsti b/proofs/fstar/extraction/Bertie.Tls13utils.fsti index aa621f53..955174e5 100644 --- a/proofs/fstar/extraction/Bertie.Tls13utils.fsti +++ b/proofs/fstar/extraction/Bertie.Tls13utils.fsti @@ -13,10 +13,10 @@ let _ = type t_Error = | Error_UnknownCiphersuite : Alloc.String.t_String -> t_Error [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_17:Core.Fmt.t_Debug t_Error +val impl_10:Core.Fmt.t_Debug t_Error [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_18:Core.Clone.t_Clone t_Error +val impl_11:Core.Clone.t_Clone t_Error let v_UNSUPPORTED_ALGORITHM: u8 = mk_u8 1 @@ -61,10 +61,15 @@ let v_DECODE_ERROR: u8 = mk_u8 142 val error_string (c: u8) : Prims.Pure Alloc.String.t_String Prims.l_True (fun _ -> Prims.l_True) val tlserr (#v_T: Type0) (err: u8) - : Prims.Pure (Core.Result.t_Result v_T u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result v_T u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result v_T u8 = result in + not (Core.Result.Result_Ok? result)) class t_Declassify (v_Self: Type0) (v_T: Type0) = { - f_declassify_pre:v_Self -> Type0; + f_declassify_pre:self_: v_Self -> pred: Type0{true ==> pred}; f_declassify_post:v_Self -> v_T -> Type0; f_declassify:x0: v_Self -> Prims.Pure v_T (f_declassify_pre x0) (fun result -> f_declassify_post x0 result) 
@@ -86,23 +91,26 @@ val impl_1:t_Declassify u32 u32 type t_Bytes = | Bytes : Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global -> t_Bytes [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_19:Core.Clone.t_Clone t_Bytes +val impl_12:Core.Clone.t_Clone t_Bytes [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_20:Core.Marker.t_StructuralPartialEq t_Bytes +val impl_13:Core.Marker.t_StructuralPartialEq t_Bytes [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_21:Core.Cmp.t_PartialEq t_Bytes t_Bytes +val impl_14:Core.Cmp.t_PartialEq t_Bytes t_Bytes [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_22:Core.Fmt.t_Debug t_Bytes +val impl_15:Core.Fmt.t_Debug t_Bytes [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_23:Core.Default.t_Default t_Bytes +val impl_16:Core.Default.t_Default t_Bytes [@@ FStar.Tactics.Typeclasses.tcinstance] val impl_2:Core.Convert.t_From t_Bytes (Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) +val impl_2_lemma (x: Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global): + Lemma (let b = impl_2.f_from x in b._0 == x) + /// Declassify these bytes and return a copy of [`u8`]. val impl_Bytes__declassify (self: t_Bytes) : Prims.Pure (Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) Prims.l_True (fun _ -> Prims.l_True) 
@@ -113,20 +121,16 @@ val impl_Bytes__into_raw (self: t_Bytes) /// Get a reference to the raw bytes. val impl_Bytes__as_raw (self: t_Bytes) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Slice u8) + Prims.l_True + (ensures + fun result -> + let result:t_Slice u8 = result in + Seq.length result == Seq.length self._0) val impl_Bytes__declassify_array (v_C: usize) (self: t_Bytes) : Prims.Pure (Core.Result.t_Result (t_Array u8 v_C) u8) Prims.l_True (fun _ -> Prims.l_True) -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_5:Core.Convert.t_From t_Bytes (t_Slice u8) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_6 (v_C: usize) : Core.Convert.t_From t_Bytes (t_Array u8 v_C) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_7 (v_C: usize) : Core.Convert.t_From t_Bytes (t_Array u8 v_C) - val u16_as_be_bytes (v_val: u16) : Prims.Pure (t_Array u8 (mk_usize 2)) Prims.l_True (fun _ -> Prims.l_True) 
@@ -136,27 +140,37 @@ val u32_as_be_bytes (v_val: u32) val u32_from_be_bytes (v_val: t_Array u8 (mk_usize 4)) : Prims.Pure u32 Prims.l_True (fun _ -> Prims.l_True) -val bytes (x: t_Slice u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) - -val bytes1 (x: u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) - -val bytes2 (x y: u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) - [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_8: Core.Ops.Index.t_Index t_Bytes usize = +let impl_21: Core.Ops.Index.t_Index t_Bytes usize = { f_Output = u8; - f_index_pre = (fun (self: t_Bytes) (x: usize) -> true); + f_index_pre + = + (fun (self_: t_Bytes) (x: usize) -> + x <. (Alloc.Vec.impl_1__len #u8 #Alloc.Alloc.t_Global self_._0 <: usize)); f_index_post = (fun (self: t_Bytes) (x: usize) (out: u8) -> true); f_index = fun (self: t_Bytes) (x: usize) -> self._0.[ x ] } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_9: Core.Ops.Index.t_Index t_Bytes (Core.Ops.Range.t_Range usize) = +let impl_22: Core.Ops.Index.t_Index t_Bytes (Core.Ops.Range.t_Range usize) = { f_Output = t_Slice u8; - f_index_pre = (fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> true); - f_index_post = (fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) (out: t_Slice u8) -> true); + f_index_pre + = + (fun (self_: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> + x.Core.Ops.Range.f_start <=. + (Alloc.Vec.impl_1__len #u8 #Alloc.Alloc.t_Global self_._0 <: usize) && + x.Core.Ops.Range.f_end <=. + (Alloc.Vec.impl_1__len #u8 #Alloc.Alloc.t_Global self_._0 <: usize)); + f_index_post + = + (fun (self_: t_Bytes) (x: Core.Ops.Range.t_Range usize) (result: t_Slice u8) -> + if x.Core.Ops.Range.f_end >=. x.Core.Ops.Range.f_start + then + (Core.Slice.impl__len #u8 result <: usize) =. + (x.Core.Ops.Range.f_end -! x.Core.Ops.Range.f_start <: usize) + else (Core.Slice.impl__len #u8 result <: usize) =. 
mk_usize 0); f_index = fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> self._0.[ x ] } @@ -166,16 +180,6 @@ val impl_Bytes__new: Prims.unit -> Prims.Pure t_Bytes Prims.l_True (fun _ -> Pri /// Create new [`Bytes`]. val impl_Bytes__new_alloc (len: usize) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) -/// Generate `len` bytes of `0`. -val impl_Bytes__zeroes (len: usize) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) - -/// Get the length of these [`Bytes`]. -val impl_Bytes__len (self: t_Bytes) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) - -/// Add a prefix to these bytes and return it. -val impl_Bytes__prefix (self: t_Bytes) (prefix: t_Slice u8) - : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) - /// Push `x` into these [`Bytes`]. val impl_Bytes__push (self: t_Bytes) (x: u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) 
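Review bot: The new `f_index_pre` of `impl_22` admits `f_start > f_end` (it only bounds each end by the length) and the postcondition then promises an empty slice, but Rust's `v[start..end]` panics when start exceeds end, so a caller verified against this interface can still panic at runtime if the extracted indexing is ordinary slice indexing. Require the ordering as well: `x.Core.Ops.Range.f_start <=. x.Core.Ops.Range.f_end && x.Core.Ops.Range.f_end <=. (Alloc.Vec.impl_1__len #u8 #Alloc.Alloc.t_Global self_._0 <: usize)`, after which the `else` branch of `f_index_post` is unreachable and can go. The same shape recurs in `impl_Bytes__raw_slice` and `impl_Bytes__slice_range` in the hunk at +191 below.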
@@ -187,40 +191,145 @@ val impl_Bytes__extend_from_slice (self x: t_Bytes) /// Extend `self` with the bytes `x`. val impl_Bytes__append (self x: t_Bytes) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) -/// Generate a new [`Bytes`] struct from slice `s`. -val impl_Bytes__from_slice (s: t_Slice u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) - /// Read a hex string into [`Bytes`]. val impl_Bytes__from_hex (s: string) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) +/// Concatenate `other` with these bytes and return a copy as [`Bytes`]. +val impl_Bytes__concat_array (v_N: usize) (self: t_Bytes) (other: t_Array u8 v_N) + : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + +/// Update the slice `self[start..start+len] = other[beg..beg+len]` and return +/// a copy as [`Bytes`]. +val impl_Bytes__update_slice (self: t_Bytes) (start: usize) (other: t_Bytes) (beg len: usize) + : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + +/// Generate `len` bytes of `0`. +val impl_Bytes__zeroes (len: usize) + : Prims.Pure t_Bytes + Prims.l_True + (ensures + fun result -> + let result:t_Bytes = result in + Seq.length result._0 == v len) + +/// Get the length of these [`Bytes`]. +val impl_Bytes__len (self: t_Bytes) + : Prims.Pure usize + Prims.l_True + (ensures + fun result -> + let result:usize = result in + v result == Seq.length self._0) + +/// Add a prefix to these bytes and return it. 
+val impl_Bytes__prefix (self: t_Bytes) (prefix: t_Slice u8) + : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_18:Core.Convert.t_From t_Bytes (t_Slice u8) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_19 (v_C: usize) : Core.Convert.t_From t_Bytes (t_Array u8 v_C) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +val impl_20 (v_C: usize) : Core.Convert.t_From t_Bytes (t_Array u8 v_C) + +val bytes (x: t_Slice u8) + : Prims.Pure t_Bytes + Prims.l_True + (ensures + fun result -> + let result:t_Bytes = result in + (impl_Bytes__len result <: usize) =. (Core.Slice.impl__len #u8 x <: usize)) + +val bytes1 (x: u8) + : Prims.Pure t_Bytes + Prims.l_True + (ensures + fun result -> + let result:t_Bytes = result in + (impl_Bytes__len result <: usize) =. mk_usize 1) + +val bytes2 (x y: u8) + : Prims.Pure t_Bytes + Prims.l_True + (ensures + fun result -> + let result:t_Bytes = result in + (impl_Bytes__len result <: usize) =. mk_usize 2) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let update_at_usize_bytes: Rust_primitives.Hax.update_at_tc t_Bytes usize = + { + super_index = impl_21; + update_at = fun s (i:usize{v i < Seq.length s._0}) x -> Bytes (Seq.upd s._0 (v i) x) + } + +/// This is needed only for hax, so should likely be guarded by a feature flag. +val e_update_at_usize_bytes_test (b: t_Bytes) + : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a new [`Bytes`] struct from slice `s`. +val impl_Bytes__from_slice (s: t_Slice u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + /// Get a slice of the given `range`. 
val impl_Bytes__raw_slice (self: t_Bytes) (range: Core.Ops.Range.t_Range usize) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Slice u8) + (requires + v range.Core.Ops.Range.f_start <= Seq.length self._0 && + v range.Core.Ops.Range.f_end <= Seq.length self._0) + (ensures + fun result -> + let result:t_Slice u8 = result in + if range.Core.Ops.Range.f_end >=. range.Core.Ops.Range.f_start + then + (Core.Slice.impl__len #u8 result <: usize) =. + (range.Core.Ops.Range.f_end -! range.Core.Ops.Range.f_start <: usize) + else (Core.Slice.impl__len #u8 result <: usize) =. mk_usize 0) /// Get a new copy of the given `range` as [`Bytes`]. val impl_Bytes__slice_range (self: t_Bytes) (range: Core.Ops.Range.t_Range usize) - : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure t_Bytes + (requires + v range.Core.Ops.Range.f_start <= Seq.length self._0 && + v range.Core.Ops.Range.f_end <= Seq.length self._0) + (ensures + fun result -> + let result:t_Bytes = result in + if range.Core.Ops.Range.f_end >=. range.Core.Ops.Range.f_start + then + (Alloc.Vec.impl_1__len #u8 #Alloc.Alloc.t_Global result._0 <: usize) =. + (range.Core.Ops.Range.f_end -! range.Core.Ops.Range.f_start <: usize) + else (Alloc.Vec.impl_1__len #u8 #Alloc.Alloc.t_Global result._0 <: usize) =. mk_usize 0) /// Get a new copy of the given range `[start..start+len]` as [`Bytes`]. val impl_Bytes__slice (self: t_Bytes) (start len: usize) - : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure t_Bytes + (requires v start <= Seq.length self._0 && v start + v len <= Seq.length self._0) + (ensures + fun result -> + let result:t_Bytes = result in + (Alloc.Vec.impl_1__len #u8 #Alloc.Alloc.t_Global result._0 <: usize) =. len) /// Concatenate `other` with these bytes and return a copy as [`Bytes`]. 
val impl_Bytes__concat (self other: t_Bytes) - : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) - -/// Concatenate `other` with these bytes and return a copy as [`Bytes`]. -val impl_Bytes__concat_array (v_N: usize) (self: t_Bytes) (other: t_Array u8 v_N) - : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) - -/// Update the slice `self[start..start+len] = other[beg..beg+len]` and return -/// a copy as [`Bytes`]. -val impl_Bytes__update_slice (self: t_Bytes) (start: usize) (other: t_Bytes) (beg len: usize) - : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure t_Bytes + Prims.l_True + (ensures + fun result -> + let result:t_Bytes = result in + Seq.length result._0 == Seq.length self._0 + Seq.length other._0) /// Convert the bool `b` into a Result. val check (b: bool) - : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result Prims.unit u8 = result in + match result <: Core.Result.t_Result Prims.unit u8 with + | Core.Result.Result_Ok () -> b =. true + | _ -> true) /// Test if [Bytes] `b1` and `b2` have the same value. val eq1 (b1 b2: u8) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) 
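Review bot: `impl_Bytes__update_slice` keeps `Prims.l_True` as its precondition even though its doc says it writes `self[start..start+len] = other[beg..beg+len]`, while `impl_Bytes__slice` in the same hunk now requires `v start + v len <= Seq.length self._0`; the two in-range obligations should be stated here too so callers have to discharge them: `(requires v start + v len <= Seq.length self._0 && v beg + v len <= Seq.length other._0)`, with an ensures that the result keeps `Seq.length self._0`. `impl_Bytes__concat_array` is also moved with a trivial contract and could mirror `impl_Bytes__concat`'s new length postcondition as `Seq.length result._0 == Seq.length self._0 + v v_N`. Both are moved declarations, so the change is spec only and does not touch the extracted code.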
@@ -263,21 +372,54 @@ val check_mem (b1 b2: t_Slice u8) /// length of `bytes` and the remainder equals `bytes`. Return a [TLSError] if /// the length of `bytes` exceeds what can be encoded in one byte. val encode_length_u8 (bytes: t_Slice u8) - : Prims.Pure (Core.Result.t_Result t_Bytes u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result t_Bytes u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result t_Bytes u8 = result in + match result <: Core.Result.t_Result t_Bytes u8 with + | Core.Result.Result_Ok lenb -> + (Core.Slice.impl__len #u8 bytes <: usize) <. mk_usize 256 && + (impl_Bytes__len lenb <: usize) >=. mk_usize 1 && + ((impl_Bytes__len lenb <: usize) -! mk_usize 1 <: usize) =. + (Core.Slice.impl__len #u8 bytes <: usize) + | _ -> true) /// Attempt to TLS encode the `bytes` with [`u16`] length. /// On success, return a new [Bytes] slice such that its first two bytes encode the /// big-endian length of `bytes` and the remainder equals `bytes`. Return a [TLSError] if /// the length of `bytes` exceeds what can be encoded in two bytes. val encode_length_u16 (bytes: t_Bytes) - : Prims.Pure (Core.Result.t_Result t_Bytes u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result t_Bytes u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result t_Bytes u8 = result in + match result <: Core.Result.t_Result t_Bytes u8 with + | Core.Result.Result_Ok lenb -> + (impl_Bytes__len bytes <: usize) <. mk_usize 65536 && + (impl_Bytes__len lenb <: usize) >=. mk_usize 2 && + ((impl_Bytes__len lenb <: usize) -! mk_usize 2 <: usize) =. + (impl_Bytes__len bytes <: usize) + | _ -> true) /// Attempt to TLS encode the `bytes` with [`u24`] length. /// On success, return a new [Bytes] slice such that its first three bytes encode the /// big-endian length of `bytes` and the remainder equals `bytes`. Return a [TLSError] if /// the length of `bytes` exceeds what can be encoded in three bytes. 
val encode_length_u24 (bytes: t_Bytes) - : Prims.Pure (Core.Result.t_Result t_Bytes u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result t_Bytes u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result t_Bytes u8 = result in + match result <: Core.Result.t_Result t_Bytes u8 with + | Core.Result.Result_Ok lenb -> + (impl_Bytes__len bytes <: usize) <. mk_usize 16777216 && + (impl_Bytes__len lenb <: usize) >=. mk_usize 3 && + ((impl_Bytes__len lenb <: usize) -! mk_usize 3 <: usize) =. + (impl_Bytes__len bytes <: usize) + | _ -> true) /// Check if `bytes[1..]` is at least as long as the length encoded by /// `bytes[0]` in big-endian order. @@ -285,7 +427,17 @@ val encode_length_u24 (bytes: t_Bytes) /// empty or if the encoded length exceeds the length of the remainder of /// `bytes`. val length_u8_encoded (bytes: t_Slice u8) - : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result usize u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result usize u8 = result in + match result <: Core.Result.t_Result usize u8 with + | Core.Result.Result_Ok l -> + (Core.Slice.impl__len #u8 bytes <: usize) >=. mk_usize 1 && + ((Core.Slice.impl__len #u8 bytes <: usize) -! mk_usize 1 <: usize) >=. l && + l <. mk_usize 256 + | _ -> true) /// Check if `bytes[2..]` is at least as long as the length encoded by `bytes[0..2]` /// in big-endian order. 
@@ -293,7 +445,17 @@ val length_u8_encoded (bytes: t_Slice u8) /// bytes long or if the encoded length exceeds the length of the remainder of /// `bytes`. val length_u16_encoded_slice (bytes: t_Slice u8) - : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result usize u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result usize u8 = result in + match result <: Core.Result.t_Result usize u8 with + | Core.Result.Result_Ok l -> + (Core.Slice.impl__len #u8 bytes <: usize) >=. mk_usize 2 && + ((Core.Slice.impl__len #u8 bytes <: usize) -! mk_usize 2 <: usize) >=. l && + l <. mk_usize 65536 + | _ -> true) /// Check if `bytes[2..]` is at least as long as the length encoded by `bytes[0..2]` /// in big-endian order. @@ -301,7 +463,17 @@ val length_u16_encoded_slice (bytes: t_Slice u8) /// bytes long or if the encoded length exceeds the length of the remainder of /// `bytes`. val length_u16_encoded (bytes: t_Slice u8) - : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result usize u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result usize u8 = result in + match result <: Core.Result.t_Result usize u8 with + | Core.Result.Result_Ok l -> + (Core.Slice.impl__len #u8 bytes <: usize) >=. mk_usize 2 && + ((Core.Slice.impl__len #u8 bytes <: usize) -! mk_usize 2 <: usize) >=. l && + l <. mk_usize 65536 + | _ -> true) /// Check if `bytes[3..]` is at least as long as the length encoded by `bytes[0..3]` /// in big-endian order. 
@@ -309,33 +481,88 @@ val length_u16_encoded (bytes: t_Slice u8) /// bytes long or if the encoded length exceeds the length of the remainder of /// `bytes`. val length_u24_encoded (bytes: t_Slice u8) - : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result usize u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result usize u8 = result in + match result <: Core.Result.t_Result usize u8 with + | Core.Result.Result_Ok l -> + (Core.Slice.impl__len #u8 bytes <: usize) >=. mk_usize 3 && + ((Core.Slice.impl__len #u8 bytes <: usize) -! mk_usize 3 <: usize) >=. l && + l <. mk_usize 16777216 + | _ -> true) val check_length_encoding_u8_slice (bytes: t_Slice u8) - : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result Prims.unit u8 = result in + match result <: Core.Result.t_Result Prims.unit u8 with + | Core.Result.Result_Ok _ -> + (Core.Slice.impl__len #u8 bytes <: usize) >=. mk_usize 1 && + (Core.Slice.impl__len #u8 bytes <: usize) <=. mk_usize 256 + | _ -> true) /// Check if `bytes` contains exactly the TLS `u8` length encoded content. /// Returns `Ok(())` if there are no bytes left, and a [`TLSError`] if there are /// more bytes in the `bytes`. val check_length_encoding_u8 (bytes: t_Bytes) - : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result Prims.unit u8 = result in + match result <: Core.Result.t_Result Prims.unit u8 with + | Core.Result.Result_Ok _ -> + (impl_Bytes__len bytes <: usize) >=. mk_usize 1 && + (impl_Bytes__len bytes <: usize) <=. 
mk_usize 256 + | _ -> true) val check_length_encoding_u16_slice (bytes: t_Slice u8) - : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result Prims.unit u8 = result in + match result <: Core.Result.t_Result Prims.unit u8 with + | Core.Result.Result_Ok _ -> + (Core.Slice.impl__len #u8 bytes <: usize) >=. mk_usize 2 && + (Core.Slice.impl__len #u8 bytes <: usize) <=. mk_usize 65537 + | _ -> true) /// Check if `bytes` contains exactly as many bytes of content as encoded by its /// first two bytes. /// Returns `Ok(())` if there are no bytes left, and a [`TLSError`] if there are /// more bytes in the `bytes`. val check_length_encoding_u16 (bytes: t_Bytes) - : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result Prims.unit u8 = result in + match result <: Core.Result.t_Result Prims.unit u8 with + | Core.Result.Result_Ok _ -> + (impl_Bytes__len bytes <: usize) >=. mk_usize 2 && + (impl_Bytes__len bytes <: usize) <=. mk_usize 65537 + | _ -> true) /// Check if `bytes` contains exactly as many bytes of content as encoded by its /// first three bytes. /// Returns `Ok(())` if there are no bytes left, and a [`TLSError`] if there are /// more bytes in the `bytes`. val check_length_encoding_u24 (bytes: t_Slice u8) - : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) + Prims.l_True + (ensures + fun result -> + let result:Core.Result.t_Result Prims.unit u8 = result in + match result <: Core.Result.t_Result Prims.unit u8 with + | Core.Result.Result_Ok _ -> + (Core.Slice.impl__len #u8 bytes <: usize) >=. mk_usize 3 && + (Core.Slice.impl__len #u8 bytes <: usize) <=. 
mk_usize 16777218 + | _ -> true) type t_AppData = | AppData : t_Bytes -> t_AppData @@ -356,15 +583,15 @@ val impl_AppData__into_raw (self: t_AppData) val impl_AppData__as_raw (self: t_AppData) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_13:Core.Convert.t_From t_AppData (t_Slice u8) +val impl_6:Core.Convert.t_From t_AppData (t_Slice u8) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_14 (v_N: usize) : Core.Convert.t_From t_AppData (t_Array u8 v_N) +val impl_7 (v_N: usize) : Core.Convert.t_From t_AppData (t_Array u8 v_N) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_15:Core.Convert.t_From t_AppData (Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) +val impl_8:Core.Convert.t_From t_AppData (Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) [@@ FStar.Tactics.Typeclasses.tcinstance] -val impl_16:Core.Convert.t_From t_AppData t_Bytes +val impl_9:Core.Convert.t_From t_AppData t_Bytes val random_bytes (len: usize) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction/Makefile b/proofs/fstar/extraction/Makefile index 5a5432f6..88b8699a 100644 --- a/proofs/fstar/extraction/Makefile +++ b/proofs/fstar/extraction/Makefile @@ -34,6 +34,7 @@ WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. HAX_HOME ?= $(WORKSPACE_ROOT)/hax HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +LIBCRUX_MODELS_HOME ?= ../libcrux-models FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star 
@@ -54,10 +55,11 @@ ROOTS = $(wildcard *.fst) -FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) $(LIBCRUX_MODELS_HOME) FSTAR_FLAGS = --cmi \ --warn_error -331 \ + --z3version 4.13.3 \ --cache_checked_modules --cache_dir $(CACHE_DIR) \ --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) diff --git a/proofs/fstar/libcrux-models/Libcrux.Aead.fsti b/proofs/fstar/libcrux-models/Libcrux.Aead.fsti new file mode 100644 index 00000000..5a36ccd5 --- /dev/null +++ b/proofs/fstar/libcrux-models/Libcrux.Aead.fsti @@ -0,0 +1,3 @@ +module Libcrux.Aead + +type t_Key diff --git a/proofs/fstar/libcrux-models/Libcrux.Digest.fsti b/proofs/fstar/libcrux-models/Libcrux.Digest.fsti new file mode 100644 index 00000000..52fc6347 --- /dev/null +++ b/proofs/fstar/libcrux-models/Libcrux.Digest.fsti @@ -0,0 +1,3 @@ +module Libcrux.Digest + +type t_Algorithm diff --git a/proofs/fstar/libcrux-models/Libcrux.Signature.Rsa_pss.fsti b/proofs/fstar/libcrux-models/Libcrux.Signature.Rsa_pss.fsti new file mode 100644 index 00000000..ef6566a0 --- /dev/null +++ b/proofs/fstar/libcrux-models/Libcrux.Signature.Rsa_pss.fsti @@ -0,0 +1,3 @@ +module Libcrux.Signature.Rsa_pss + +type t_RsaPssKeySize diff --git a/proofs/fstar/libcrux-models/Libcrux.Signature.fsti b/proofs/fstar/libcrux-models/Libcrux.Signature.fsti new file mode 100644 index 00000000..5bc07ced --- /dev/null +++ b/proofs/fstar/libcrux-models/Libcrux.Signature.fsti @@ -0,0 +1,3 @@ +module Libcrux.Signature + +type t_Algorithm diff --git a/proofs/fstar/libcrux-models/Libcrux_ecdsa.P256.Conversions.fsti b/proofs/fstar/libcrux-models/Libcrux_ecdsa.P256.Conversions.fsti new file mode 100644 index 00000000..b16d6a1b --- /dev/null +++ b/proofs/fstar/libcrux-models/Libcrux_ecdsa.P256.Conversions.fsti 
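Review bot: `LIBCRUX_MODELS_HOME ?= ../libcrux-models` is the only path in this block that is relative to the working directory rather than anchored on `$(WORKSPACE_ROOT)` or another absolute variable, so invoking the Makefile from any other directory silently hands F* a non-existent `--include` dir and the models are simply not found. Anchoring it on the Makefile's own location, e.g. `LIBCRUX_MODELS_HOME ?= $(abspath $(dir $(lastword $(MAKEFILE_LIST)))../libcrux-models)`, keeps the default independent of the caller's cwd. The model files added in this commit (`Libcrux.Aead.fsti` and its siblings) declare only abstract types, so what F* checks against them is Bertie's use of the primitives under the assumption that libcrux is correct, not the primitives themselves; a one-line comment next to the new include stating that boundary keeps the proof claim from being over-read. The `--z3version 4.13.3` pin presumably matches the CI toolchain; confirm the developer setup notes name the same version, since a mismatch fails the whole proof build.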
@@ -0,0 +1 @@
+module Libcrux_ecdsa.P256.Conversions
diff --git a/proofs/fstar/libcrux-models/Libcrux_hkdf.fsti b/proofs/fstar/libcrux-models/Libcrux_hkdf.fsti
new file mode 100644
index 00000000..2b1ccf4d
--- /dev/null
+++ b/proofs/fstar/libcrux-models/Libcrux_hkdf.fsti
@@ -0,0 +1,3 @@
+module Libcrux_hkdf
+
+type t_Algorithm
diff --git a/proofs/fstar/libcrux-models/Libcrux_hmac.fsti b/proofs/fstar/libcrux-models/Libcrux_hmac.fsti
new file mode 100644
index 00000000..926986de
--- /dev/null
+++ b/proofs/fstar/libcrux-models/Libcrux_hmac.fsti
@@ -0,0 +1,3 @@
+module Libcrux_hmac
+
+type t_Algorithm
diff --git a/proofs/fstar/libcrux-models/Libcrux_kem.fsti b/proofs/fstar/libcrux-models/Libcrux_kem.fsti
new file mode 100644
index 00000000..d5f53036
--- /dev/null
+++ b/proofs/fstar/libcrux-models/Libcrux_kem.fsti
@@ -0,0 +1,3 @@
+module Libcrux_kem
+
+type t_Algorithm
diff --git a/proofs/fstar/libcrux-models/Libcrux_rsa.Impl_hacl.fsti b/proofs/fstar/libcrux-models/Libcrux_rsa.Impl_hacl.fsti
new file mode 100644
index 00000000..e849076c
--- /dev/null
+++ b/proofs/fstar/libcrux-models/Libcrux_rsa.Impl_hacl.fsti
@@ -0,0 +1 @@
+module Libcrux_rsa.Impl_hacl
diff --git a/proofs/fstar/libcrux-models/Libcrux_sha2.Impl_hacl.fsti b/proofs/fstar/libcrux-models/Libcrux_sha2.Impl_hacl.fsti
new file mode 100644
index 00000000..8e680b4d
--- /dev/null
+++ b/proofs/fstar/libcrux-models/Libcrux_sha2.Impl_hacl.fsti
@@ -0,0 +1,3 @@
+module Libcrux_sha2.Impl_hacl
+
+type t_Algorithm
diff --git a/src/tls13api.rs b/src/tls13api.rs
index b6f091cb..9e9e5205 100644
--- a/src/tls13api.rs
+++ b/src/tls13api.rs
@@ -178,6 +178,8 @@ pub enum Server {
 /// channel in this state.
 Server1(ServerPostClientFinished, DuplexCipherState1),
 }
+
+#[hax_lib::attributes]
 impl Server {
 /// Start a new TLS handshake as server.
 /// Note that Bertie servers only support a single ciphersuite at a time and
@@ -194,6 +196,7 @@ impl Server { /// server hello record as bytes, the second the server finished record as bytes, /// and the new [`Server`] state as the third element. /// If an error occurs, it returns a [`TLSError`]. + #[requires(client_hello.len() >= 5)] pub fn accept( ciphersuite: Algorithms, db: ServerDB, diff --git a/src/tls13cert.rs b/src/tls13cert.rs index 684df065..5dadd604 100644 --- a/src/tls13cert.rs +++ b/src/tls13cert.rs 
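Review bot: `#[requires(client_hello.len() >= 5)]` on `accept` is a proof-side obligation on callers, and `accept` is `pub`, so callers outside the crate — the ones that hand over untrusted network input — are never checked against it; the body (outside the hunk) must still reject a short `client_hello` at runtime rather than lean on the precondition. If it already does, a doc line such as `/// Returns a [`TLSError`] if `client_hello` is shorter than a record header (5 bytes).` would make that visible to API users; if it does not, an explicit length check at the top of the body is needed. The function signature and body continue past the hunk.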
@@ -45,32 +45,51 @@ pub(crate) fn asn1_error(err: Asn1Error) -> Result { // Long form length // * Must be used when the length is 128 or greater // * XXX: We do not accept lengths greater than 32-bit. +#[hax_lib::ensures(|result| match result { + Result::Ok(_) => b.len() >= offset && b.len() - offset >= len, + _ => true })] fn long_length(b: &Bytes, offset: usize, len: usize) -> Result { if len > 4 { asn1_error(ASN1_SEQUENCE_TOO_LONG) - } else { + } else if b.len() >= offset + len { let mut u32word = [U8(0); 4]; u32word[0..len].copy_from_slice(&b[offset..offset + len]); Ok(u32_from_be_bytes(u32word).declassify() as usize >> ((4 - len) * 8)) + } else { + asn1_error(ASN1_ERROR) } } // Read the length of a long form length -fn length_length(b: &Bytes, offset: usize) -> usize { - if b[offset].declassify() >> 7 == 1u8 { - // Only in this case we have a length length. - (b[offset].declassify() & 0x7fu8) as usize +#[hax_lib::ensures(|result| match result { + Result::Ok(l) => b.len() > offset && l <= 255, + _ => true })] +fn length_length(b: &Bytes, offset: usize) -> Result { + if b.len() > offset { + if b[offset].declassify() >> 7 == 1u8 { + // Only in this case we have a length length. + Ok((b[offset].declassify() & 0x7fu8) as usize) + } else { + Ok(0) + } } else { - 0 + asn1_error(ASN1_ERROR) } } // Short form length // * Must be used when the length is between 0 and 127 // * The byte must start with a 0 bit, the following 7 bits are the length. +#[hax_lib::ensures(|result| match result { + Result::Ok(_) => b.len() > offset, + _ => true })] fn short_length(b: &Bytes, offset: usize) -> Result { - if b[offset].declassify() & 0x80u8 == 0u8 { - Ok((b[offset].declassify() & 0x7fu8) as usize) + if b.len() > offset { + if b[offset].declassify() & 0x80u8 == 0u8 { + Ok((b[offset].declassify() & 0x7fu8) as usize) + } else { + asn1_error(ASN1_ERROR) + } } else { asn1_error(ASN1_ERROR) } 
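Review bot: The new guard in `long_length`, `b.len() >= offset + len`, computes `offset + len` on attacker-controlled ASN.1 input; `len` is bounded to 4 by the preceding branch, but `offset` comes from the caller and the sum can still overflow (panic in debug, wrap in release), whereas the postcondition right above it is written in the overflow-free form. Writing the check the same way, `} else if b.len() >= offset && b.len() - offset >= len {`, makes the code and the `ensures` agree and removes the arithmetic hazard. Separately, `length_length` returns `Ok(0)` for a length byte of `0x80`, and `long_length` then accepts zero length bytes — the BER indefinite-length form, which DER forbids — so the long-form branch should reject `len == 0` (`if len == 0 || len > 4 { asn1_error(ASN1_ERROR) }` or similar) rather than decode it as length 0. The `l <= 255` in `length_length`'s postcondition is sound but weaker than the `& 0x7f` mask gives (`l <= 127`).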
@@ -81,15 +100,22 @@ fn short_length(b: &Bytes, offset: usize) -> Result { /// sequence. /// /// Returns: (offset, length) +#[hax_lib::ensures(|result| match result { + Result::Ok(_) => b.len() > offset, + _ => true })] fn length(b: &Bytes, mut offset: usize) -> Result<(usize, usize), Asn1Error> { - if b[offset].declassify() & 0x80 == 0 { - let len = short_length(b, offset)?; - Ok((offset + 1, len)) + if b.len() > offset { + if b[offset].declassify() & 0x80 == 0 { + let len = short_length(b, offset)?; + Ok((offset + 1, len)) + } else { + let len = length_length(b, offset)?; + offset += 1; + let end = long_length(b, offset, len)?; + Ok((offset + len, end)) + } } else { - let len = length_length(b, offset); - offset += 1; - let end = long_length(b, offset, len)?; - Ok((offset + len, end)) + asn1_error(ASN1_ERROR) } } @@ -100,7 +126,7 @@ fn read_sequence_header(b: &Bytes, mut offset: usize) -> Result Result { check_tag(b, offset, 0x04)?; offset += 1; - let length_length = length_length(b, offset); + let length_length = length_length(b, offset)?; offset = offset + length_length + 1; // 1 byte is always used for length Ok(offset) } /// Check that the tag has a certain value. +#[hax_lib::ensures(|result| match result { + Result::Ok(_) => b.len() > offset, + _ => true })] fn check_tag(b: &Bytes, offset: usize, value: u8) -> Result<(), Asn1Error> { - if b[offset].declassify() == value { - Ok(()) + if b.len() > offset { + if b[offset].declassify() == value { + Ok(()) + } else { + // eprintln!("Got tag {:x}, expected {:x}", b[offset].declassify(), value); + asn1_error(ASN1_INVALID_TAG) + } } else { - // eprintln!("Got tag {:x}, expected {:x}", b[offset].declassify(), value); asn1_error(ASN1_INVALID_TAG) } } 
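Review bot: The `ensures` added to `length` states only `b.len() > offset` for the `Ok` case and says nothing about the returned `(offset, length)` pair, yet the decoded content length `end` returned by `long_length` is never compared with the remaining input, so a caller that slices `b[o..o + l]` on the result gets no help from this contract and, for a crafted certificate, still depends on a runtime bounds check somewhere else. Strengthening it to `Result::Ok((o, l)) => o <= b.len() && b.len() - o >= l` would require the body to reject an encoded length larger than the remainder — the natural place is right after `let end = long_length(b, offset, len)?;` — which is the check a DER parser needs anyway. The same applies to `short_length`, whose `Ok` value is a content length that is likewise not checked against `b.len()`. In the hunk following `check_tag(b, offset, 0x04)?`, `let length_length = length_length(b, offset)?;` shadows the function with a local of the same name; legal, but a distinct name reads better.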
@@ -282,7 +315,7 @@ fn read_spki(cert: &Bytes, mut offset: usize) -> Result { /// certificate. /// /// Returns the start offset within the `cert` bytes and length of the key. -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn verification_key_from_cert(cert: &Bytes) -> Result { // An x509 cert is an ASN.1 sequence of [Certificate, SignatureAlgorithm, Signature]. // Take the first sequence inside the outer because we're interested in the @@ -303,7 +336,8 @@ pub(crate) fn verification_key_from_cert(cert: &Bytes) -> Result 0 && Seq.length cert._0 >= v indices._0 + v indices._1"#))] pub(crate) fn ecdsa_public_key( cert: &Bytes, indices: CertificateKey, @@ -316,7 +350,7 @@ pub(crate) fn ecdsa_public_key( Ok(cert.slice(offset + 1, len - 1)) // Drop the 0x04 here. } -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn rsa_public_key( cert: &Bytes, indices: CertificateKey, @@ -391,7 +425,7 @@ pub(crate) fn rsa_private_key(key: &Bytes) -> Result { /// /// On input of a `certificate` and `spki`, return a [`PublicVerificationKey`] /// if successful, or an [`Asn1Error`] otherwise. -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn cert_public_key( certificate: &Bytes, spki: &Spki, diff --git a/src/tls13crypto.rs b/src/tls13crypto.rs index 9940ea11..d569775b 100644 --- a/src/tls13crypto.rs +++ b/src/tls13crypto.rs @@ -8,6 +8,7 @@ use libcrux_ecdsa::DigestAlgorithm as EcDsaDigestAlgorithm; use libcrux_ed25519; use libcrux_hkdf::{expand, extract, Algorithm as HkdfAlgorithm}; use libcrux_hmac::{hmac, Algorithm as HmacAlgorithm}; + use libcrux_kem::{Ct, PrivateKey, PublicKey}; use libcrux_rsa::{ sign_varlen, verify_varlen, DigestAlgorithm as RsaDigestAlgorithm, VarLenPrivateKey, @@ -90,6 +91,7 @@ pub enum HashAlgorithm { SHA512, } +#[hax_lib::attributes] impl HashAlgorithm { /// Get the libcrux hash algorithm fn libcrux_algorithm(&self) -> Result { 
@@ -103,7 +105,7 @@ impl HashAlgorithm { /// Hash `data` with the given `algorithm`. /// /// Returns the digest or an [`TLSError`]. - #[cfg_attr(feature = "hax-pv", pv_constructor)] + #[hax_lib::pv_constructor] pub(crate) fn hash(&self, data: &Bytes) -> Result { let hasher = self.libcrux_algorithm()?; @@ -114,6 +116,7 @@ impl HashAlgorithm { } /// Get the size of the hash digest. + #[hax_lib::ensures(|result| result <= 64)] pub(crate) fn hash_len(&self) -> usize { match self { HashAlgorithm::SHA256 => Sha2Algorithm::Sha256.hash_len(), @@ -140,7 +143,7 @@ impl HashAlgorithm { /// Compute the HMAC tag. /// /// Returns the tag [`Hmac`] or a [`TLSError`]. -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn hmac_tag(alg: &HashAlgorithm, mk: &MacKey, input: &Bytes) -> Result { Ok(hmac( alg.hmac_algorithm()?, @@ -154,7 +157,7 @@ pub(crate) fn hmac_tag(alg: &HashAlgorithm, mk: &MacKey, input: &Bytes) -> Resul /// Verify a given HMAC `tag`. /// /// Returns `()` if successful or a [`TLSError`]. -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn hmac_verify( alg: &HashAlgorithm, mk: &MacKey, @@ -185,7 +188,7 @@ fn hkdf_algorithm(alg: &HashAlgorithm) -> Result { /// HKDF Extract. /// /// Returns the result as [`Bytes`] or a [`TLSError`]. -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn hkdf_extract( alg: &HashAlgorithm, ikm: &Bytes, @@ -199,7 +202,7 @@ pub(crate) fn hkdf_extract( /// HKDF Expand. /// /// Returns the result as [`Bytes`] or a [`TLSError`]. -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn hkdf_expand( alg: &HashAlgorithm, prk: &Bytes, @@ -321,7 +324,7 @@ pub enum SignatureScheme { } /// Sign the `input` with the provided RSA key. -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn sign_rsa( sk: &Bytes, pk_modulus: &Bytes, 
@@ -367,7 +370,7 @@ pub(crate) fn sign_rsa( } /// Sign the bytes in `input` with the signature key `sk` and `algorithm`. -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn sign( algorithm: &SignatureScheme, sk: &Bytes, @@ -408,7 +411,7 @@ pub(crate) fn sign( /// Verify the `input` bytes against the provided `signature`. /// /// Return `Ok(())` if the verification succeeds, and a [`TLSError`] otherwise. -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn verify( alg: &SignatureScheme, pk: &PublicVerificationKey, @@ -509,7 +512,7 @@ impl KemScheme { } /// Generate a new KEM key pair. -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn kem_keygen( alg: KemScheme, rng: &mut impl CryptoRng, @@ -553,7 +556,7 @@ fn into_raw(alg: KemScheme, point: Bytes) -> Bytes { } /// KEM encapsulation -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn kem_encap( alg: KemScheme, pk: &Bytes, @@ -589,7 +592,7 @@ fn to_shared_secret(alg: KemScheme, shared_secret: Bytes) -> Bytes { } /// KEM decapsulation -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn kem_decap(alg: KemScheme, ct: &Bytes, sk: &Bytes) -> Result { // event!(Level::DEBUG, "KEM Decaps with {alg:?}"); // event!(Level::TRACE, " with ciphertext: {}", ct.as_hex()); @@ -624,6 +627,7 @@ pub struct Algorithms { pub(crate) zero_rtt: bool, } +#[hax_lib::attributes] impl Algorithms { /// Create a new [`Algorithms`] object for the TLS 1.3 ciphersuite. pub const fn new( @@ -711,6 +715,10 @@ impl Algorithms { } /// Check the ciphersuite in `bytes` against this ciphersuite. + #[hax_lib::ensures(|result| match result { + Result::Ok(len) => bytes.len() >= len && len < 65538, + _ => true + })] pub(crate) fn check(&self, bytes: &[U8]) -> Result { let len = length_u16_encoded(bytes)?; let cs = self.ciphersuite()?; 
@@ -720,6 +728,7 @@ impl Algorithms { } } +#[hax_lib::opaque] impl TryFrom<&str> for Algorithms { type Error = Error; diff --git a/src/tls13formats.rs b/src/tls13formats.rs index 678d4329..1d9811bb 100644 --- a/src/tls13formats.rs +++ b/src/tls13formats.rs @@ -8,14 +8,15 @@ use crate::{ zero_key, Algorithms, Digest, HashAlgorithm, Hmac, KemPk, Random, SignatureScheme, }, tls13utils::{ - bytes1, bytes2, bytes_concat, check, check_eq, check_eq_slice, check_eq_with_slice, - check_length_encoding_u16, check_length_encoding_u16_slice, check_length_encoding_u24, - check_length_encoding_u8, check_length_encoding_u8_slice, check_mem, encode_length_u16, - encode_length_u24, encode_length_u8, eq_slice, length_u16_encoded, - length_u16_encoded_slice, length_u24_encoded, length_u8_encoded, parse_failed, tlserr, - u32_as_be_bytes, Bytes, TLSError, APPLICATION_DATA_INSTEAD_OF_HANDSHAKE, DECODE_ERROR, - INVALID_COMPRESSION_LIST, INVALID_SIGNATURE, MISSING_KEY_SHARE, PROTOCOL_VERSION_ALERT, - PSK_MODE_MISMATCH, U32, U8, UNSUPPORTED_ALGORITHM, + bytes1, bytes2, bytes_concat, check, check_eq, check_eq1, check_eq_slice, + check_eq_with_slice, check_length_encoding_u16, check_length_encoding_u16_slice, + check_length_encoding_u24, check_length_encoding_u8, check_length_encoding_u8_slice, + check_mem, encode_length_u16, encode_length_u24, encode_length_u8, eq_slice, + length_u16_encoded, length_u16_encoded_slice, length_u24_encoded, length_u8_encoded, + parse_failed, tlserr, u32_as_be_bytes, Bytes, TLSError, + APPLICATION_DATA_INSTEAD_OF_HANDSHAKE, DECODE_ERROR, INVALID_COMPRESSION_LIST, + INVALID_SIGNATURE, MISSING_KEY_SHARE, PROTOCOL_VERSION_ALERT, PSK_MODE_MISMATCH, U32, U8, + UNSUPPORTED_ALGORITHM, }, }; @@ -25,6 +26,8 @@ use handshake_data::{HandshakeData, HandshakeType}; #[cfg(bench)] pub use handshake_data::{HandshakeData, HandshakeType}; +#[cfg(hax)] +use hax_lib::ToInt; #[cfg(feature = "hax-pv")] use hax_lib::{pv_constructor, pv_handwritten}; 
@@ -62,6 +65,9 @@ pub const PREFIX_SERVER_SIGNATURE: [u8; 98] = [ ]; /// Build the server name out of the `name` bytes for the client hello. +#[hax_lib::ensures(|result| match result { + Result::Ok(b) => name.len() < 65536 && b.len() == name.len() + 9, + _ => true })] fn build_server_name(name: &Bytes) -> Result { const PREFIX1: &[U8; 2] = &[U8(0), U8(0)]; const PREFIX2: &[U8; 1] = &[U8(0)]; @@ -77,12 +83,19 @@ fn build_server_name(name: &Bytes) -> Result { /// otherwise. fn check_server_name(extension: &[U8]) -> Result { check_length_encoding_u16_slice(extension)?; - check_eq_with_slice(&[U8(0)], extension, 2, 3)?; - check_length_encoding_u16_slice(&extension[3..extension.len()])?; - Ok(extension[5..extension.len()].into()) + if extension.len() > 3 { + check_eq1(U8(0), extension[2])?; + check_length_encoding_u16_slice(&extension[3..extension.len()])?; + Ok(extension[5..extension.len()].into()) + } else { + tlserr(parse_failed()) + } } /// Build the supported versions bytes for the client hello. +#[hax_lib::ensures(|result| match result { + Result::Ok(b) => b.len() <= 260, + _ => true })] fn supported_versions() -> Result { Ok(Bytes::from([0, 0x2b]).concat(encode_length_u16(encode_length_u8(&[U8(3), U8(4)])?)?)) } @@ -142,6 +155,7 @@ fn key_shares(algs: &Algorithms, gx: KemPk) -> Result { Ok(encode_length_u16(encode_length_u16(ks)?)?.prefix(PREFIX)) } +#[hax_lib::decreases(ch.len().to_int())] fn find_key_share(g: &Bytes, ch: &[U8]) -> Result { if ch.len() < 4 { tlserr(parse_failed()) 
@@ -165,10 +179,14 @@ fn server_key_shares(algs: &Algorithms, gx: KemPk) -> Result { } fn check_server_key_share(algs: &Algorithms, b: &[U8]) -> Result { - check_eq_with_slice(algs.supported_group()?.as_raw(), b, 0, 2)?; - check_length_encoding_u16_slice(&b[2..b.len()])?; - // XXX Performance: These conversions aren't necessary. A slice would suffice. - Ok(Bytes::from(&b[4..b.len()])) + if b.len() >= 2 { + check_eq_with_slice(algs.supported_group()?.as_raw(), b, 0, 2)?; + check_length_encoding_u16_slice(&b[2..b.len()])?; + // XXX Performance: These conversions aren't necessary. A slice would suffice. + Ok(Bytes::from(&b[4..b.len()])) + } else { + tlserr(parse_failed()) + } } fn pre_shared_key(algs: &Algorithms, session_ticket: &Bytes) -> Result<(Bytes, usize), TLSError> { @@ -238,6 +256,9 @@ fn merge_opts(o1: Option, o2: Option) -> Result, TLSError> { } /// Check an extension for validity. +#[hax_lib::ensures(|result| match result { + Result::Ok((len,exts)) => bytes.len() >= len, + _ => true})] fn check_extension(algs: &Algorithms, bytes: &[U8]) -> Result<(usize, Extensions), TLSError> { if bytes.len() < 4 { Err(parse_failed()) @@ -298,6 +319,9 @@ fn check_extension(algs: &Algorithms, bytes: &[U8]) -> Result<(usize, Extensions } } +#[hax_lib::ensures(|result| match result { + Result::Ok((len,out)) => len >= 4, + _ => true})] fn check_server_extension(algs: &Algorithms, b: &[U8]) -> Result<(usize, Option), TLSError> { if b.len() < 4 { Err(parse_failed()) @@ -320,6 +344,7 @@ fn check_server_extension(algs: &Algorithms, b: &[U8]) -> Result<(usize, Option< } #[inline(always)] +#[hax_lib::decreases(b.len().to_int())] fn check_extensions_slice(algs: &Algorithms, b: &[U8]) -> Result { let (len, out) = check_extension(algs, b)?; if len == b.len() { @@ -340,6 +365,7 @@ fn check_extensions(algs: &Algorithms, b: &Bytes) -> Result Result, TLSError> { let (len, out) = check_server_extension(algs, b)?; if len == b.len() { 
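Review bot: The two new postconditions are asymmetric: `check_extension` ensures `bytes.len() >= len` but not `len >= 4`, while `check_server_extension` ensures `len >= 4` but not `len <= b.len()`. The recursive consumers (`check_extensions_slice` and its server-side counterpart, whose `decreases` clauses are added in the last two hunks on this line) need both facts — `len <= b.len()` for the `b[len..]` slice to be in bounds and `len >= 1` for the measure to decrease — so each will presumably have to re-derive the missing half from the `< 4` guard in the callee. Stating `Result::Ok((len, _)) => len >= 4 && bytes.len() >= len` on both functions keeps the contracts uniform and lets the recursion verify from the postcondition alone; it also replaces the unused `exts` and `out` bindings in the patterns with `_`. The bodies of both functions continue past the hunk.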
@@ -514,7 +540,10 @@ fn get_psk_extensions( } /// Build a ClientHello message. -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] +#[hax_lib::ensures(|result| match result { + Result::Ok((ch,tl)) => tl <= ch.len(), + _ => true})] pub(crate) fn client_hello( algorithms: &Algorithms, client_random: Random, @@ -560,7 +589,10 @@ pub(crate) fn client_hello( Ok((client_hello, trunc_len)) } -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] +#[hax_lib::requires(match trunc_len { + Option::Some(tl) => tl <= client_hello.len(), + _ => true})] pub(crate) fn set_client_hello_binder( ciphersuite: &Algorithms, binder: &Option, @@ -572,7 +604,7 @@ pub(crate) fn set_client_hello_binder( let hlen = ciphersuite.hash().hash_len(); match (binder, trunc_len) { (Some(m), Some(trunc_len)) => { - if chlen - hlen == trunc_len { + if chlen - trunc_len == hlen { Ok(HandshakeData(ch.update_slice(trunc_len, m, 0, hlen))) } else { tlserr(parse_failed()) @@ -608,7 +640,10 @@ pub fn bench_parse_client_hello( /// Parse the provided `client_hello` with the given `ciphersuite`. #[allow(clippy::type_complexity)] -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] +#[hax_lib::ensures(|result| match result { + Result::Ok((_, _, _, _, _, _, trunc_len)) => trunc_len <= client_hello.len(), + _ => true})] pub(super) fn parse_client_hello( ciphersuite: &Algorithms, client_hello: &HandshakeData, @@ -643,11 +678,12 @@ pub(super) fn parse_client_hello( Err(_) => invalid_compression_list(), }?; next += 2; + check(ch.len() >= next)?; check_length_encoding_u16(&ch.slice_range(next..ch.len()))?; next += 2; + check(ch.len() >= next)?; let exts = check_extensions(ciphersuite, &ch.slice_range(next..ch.len()))?; //println!("check_extensions"); - let trunc_len = ch.len() - ciphersuite.hash().hash_len() - 3; match (ciphersuite.psk_mode(), exts) { ( _, 
@@ -666,7 +702,11 @@ pub(super) fn parse_client_hello( ticket: Some(tkt), binder: Some(binder), }, - ) => Ok((crand, sid, sn, gx, Some(tkt), Some(binder), trunc_len)), + ) => { + check(ch.len() >= ciphersuite.hash().hash_len() + 3)?; + let trunc_len = ch.len() - ciphersuite.hash().hash_len() - 3; + Ok((crand, sid, sn, gx, Some(tkt), Some(binder), trunc_len)) + } ( true, Extensions { @@ -675,15 +715,19 @@ pub(super) fn parse_client_hello( ticket: Some(tkt), binder: Some(binder), }, - ) => Ok(( - crand, - sid, - Bytes::new(), - gx, - Some(tkt), - Some(binder), - trunc_len, - )), + ) => { + check(ch.len() >= ciphersuite.hash().hash_len() + 3)?; + let trunc_len = ch.len() - ciphersuite.hash().hash_len() - 3; + Ok(( + crand, + sid, + Bytes::new(), + gx, + Some(tkt), + Some(binder), + trunc_len, + )) + } ( false, Extensions { @@ -707,7 +751,7 @@ pub(super) fn parse_client_hello( } /// Build the server hello message. -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn server_hello( algs: &Algorithms, sr: Random, @@ -748,7 +792,7 @@ pub fn bench_parse_server_hello( parse_server_hello(algs, server_hello) } -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn parse_server_hello( algs: &Algorithms, server_hello: &HandshakeData, @@ -779,8 +823,10 @@ pub(crate) fn parse_server_hello( Err(_) => invalid_compression_method_alert(), })?; next += 1; + check(server_hello.len() >= next)?; check_length_encoding_u16(&server_hello.slice_range(next..server_hello.len()))?; next += 2; + check(server_hello.len() >= next)?; let gy = check_server_extensions(algs, &server_hello[next..server_hello.len()])?; if let Some(gy) = gy { Ok((srand, gy)) 
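Review bot: The two PSK match arms now each repeat `check(ch.len() >= ciphersuite.hash().hash_len() + 3)?;` followed by the same `trunc_len` subtraction; the bound and the arithmetic belong in one place so they cannot drift apart, e.g. a small helper `fn psk_trunc_len(ch: &Bytes, hlen: usize) -> Result<usize, TLSError> { check(ch.len() >= hlen + 3)?; Ok(ch.len() - hlen - 3) }` called from both arms with a single `let hlen = ciphersuite.hash().hash_len();` computed above the match. The `+ 3` is unexplained at both sites — presumably the u16 binders-list length plus the u8 binder length that precede the binder (confirm) — and deserves a comment naming those bytes. The enclosing match continues past the hunk on both sides.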
@@ -789,7 +835,7 @@ pub(crate) fn parse_server_hello( } } -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn encrypted_extensions(_algs: &Algorithms) -> Result { let handshake_type = bytes1(HandshakeType::EncryptedExtensions as u8); Ok(HandshakeData(handshake_type.concat(encode_length_u24( @@ -797,7 +843,7 @@ pub(crate) fn encrypted_extensions(_algs: &Algorithms) -> Result Result Result { let HandshakeData(sc) = certificate.as_handshake_message(HandshakeType::Certificate)?; let mut next = 0; @@ -900,7 +946,7 @@ fn parse_ecdsa_signature(sig: Bytes) -> Result { } } } -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] pub(crate) fn certificate_verify(algs: &Algorithms, cv: &Bytes) -> Result { let sv = (match algs.signature { SignatureScheme::RsaPssRsaSha256 => Ok(cv.clone()), @@ -918,7 +964,7 @@ pub(crate) fn certificate_verify(algs: &Algorithms, cv: &Bytes) -> Result Result { HandshakeData::from_bytes(HandshakeType::Finished, vd) } -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn parse_finished(finished: &HandshakeData) -> Result { let HandshakeData(fin) = finished.as_handshake_message(HandshakeType::Finished)?; Ok(fin) @@ -1016,6 +1062,9 @@ impl ContentType { } } +#[hax_lib::ensures(|result| match result { + Result::Ok(d) => (p.0.len() < 65536 && d.len() == 5 + p.0.len()), + _ => true})] pub(crate) fn handshake_record(p: HandshakeData) -> Result { let ty = bytes1(ContentType::Handshake as u8); let ver = bytes2(3, 3); @@ -1065,6 +1114,7 @@ pub(crate) struct Transcript { transcript: HandshakeData, } +#[hax_lib::attributes] impl Transcript { pub(crate) fn new(hash_algorithm: HashAlgorithm) -> Self { Self { 
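Review bot: The postcondition on `handshake_record` documents that the only size bound enforced is the u16 length field (`p.0.len() < 65536`), but RFC 8446 §5.1 caps a TLSPlaintext fragment at 2^14 bytes and requires a peer to abort with `record_overflow` beyond that, so a handshake message between 2^14 and 2^16-1 bytes (a large certificate chain, say) would be wrapped into a single non-compliant record here. If fragmentation into 2^14-byte records is the caller's job, say so on the function: `/// Wraps `p` in a single record; the caller must have fragmented `p` to at most 2^14 bytes (RFC 8446 §5.1).` If nothing fragments, the check belongs here and the `ensures` bound should shrink to match. The body continues past the hunk.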
@@ -1074,7 +1124,7 @@ impl Transcript { } /// Add the [`HandshakeData`] `msg` to this transcript. - #[cfg_attr(feature = "hax-pv", pv_constructor)] + #[hax_lib::pv_constructor] pub(crate) fn add(mut self, msg: &HandshakeData) -> Self { self.transcript = self.transcript.concat(msg); self @@ -1087,7 +1137,8 @@ impl Transcript { } /// Get the hash of this transcript without the client hello - #[cfg_attr(feature = "hax-pv", pv_constructor)] + #[hax_lib::pv_constructor] + #[hax_lib::requires(trunc_len <= client_hello.len())] pub(crate) fn transcript_hash_without_client_hello( &self, client_hello: &HandshakeData, diff --git a/src/tls13formats/handshake_data.rs b/src/tls13formats/handshake_data.rs index b4528759..7e96abda 100644 --- a/src/tls13formats/handshake_data.rs +++ b/src/tls13formats/handshake_data.rs @@ -1,9 +1,11 @@ #[cfg(feature = "hax-pv")] use hax_lib::{pv_constructor, pv_handwritten}; +use hax_lib::ToInt; + use crate::tls13utils::{ - bytes1, check_eq, encode_length_u24, eq1, length_u24_encoded, parse_failed, tlserr, Bytes, - TLSError, U8, + check_eq1, encode_length_u24, eq1, length_u24_encoded, parse_failed, tlserr, Bytes, TLSError, + U8, }; /// ```TLS @@ -58,6 +60,7 @@ pub fn get_hs_type(t: u8) -> Result { /// Hadshake data of the TLS handshake. pub struct HandshakeData(pub(crate) Bytes); +#[hax_lib::attributes] impl HandshakeData { /// Generate a new [`HandshakeData`] from [`Bytes`] and the [`HandshakeType`]. pub(crate) fn from_bytes( @@ -70,6 +73,7 @@ impl HandshakeData { } /// Returns the length, in bytes. + #[hax_lib::ensures(|result| fstar!("v result == Seq.length self._0._0"))] pub(crate) fn len(&self) -> usize { self.0.len() } 
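Review bot: `use hax_lib::ToInt;` is added unconditionally here, while the same import in `src/tls13formats.rs` in this commit is gated with `#[cfg(hax)]`; the trait is only used inside `#[hax_lib::decreases(...)]` arguments (see `find_handshake_message` later in this file), so in a non-hax build this is an unused-import warning at best and a build break if `hax_lib` is optional in that configuration. Gate it the same way, `#[cfg(hax)] use hax_lib::ToInt;`, or make both files unconditional — either way keep them consistent. The neighbouring `#[cfg(feature = "hax-pv")] use hax_lib::{pv_constructor, pv_handwritten};` appears to be dead now that the attributes in this file are spelled `#[hax_lib::pv_constructor]`, if no other use of the bare names remains.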
@@ -81,7 +85,7 @@ impl HandshakeData { /// Returns a new [`HandshakeData`] that contains the bytes of /// `other` appended to the bytes of `self`. - #[cfg_attr(feature = "hax-pv", pv_constructor)] + #[hax_lib::pv_constructor] pub(crate) fn concat(self, other: &HandshakeData) -> HandshakeData { let mut message1 = self.to_bytes(); let message2 = other.to_bytes(); @@ -96,21 +100,23 @@ impl HandshakeData { /// If successful, returns the parsed handshake message. Returns a [TLSError] if /// parsing is unsuccessful or the type of the parsed message disagrees with the /// expected type. + #[hax_lib::ensures(|result| match result { + Result::Ok(d) => self.len() >= 4 && self.len() - 4 == d.len(), + _ => true })] pub(crate) fn as_handshake_message( &self, expected_type: HandshakeType, ) -> Result { let (message, payload_rest) = self.next_handshake_message()?; - let HandshakeData(tagged_message_bytes) = if payload_rest.len() != 0 { + if payload_rest.len() != 0 { tlserr(parse_failed()) } else { - Ok(message) - }?; - let expected_bytes = bytes1(expected_type as u8); - check_eq(&expected_bytes, &tagged_message_bytes.slice_range(0..1))?; - Ok(HandshakeData( - tagged_message_bytes.slice_range(4..tagged_message_bytes.len()), - )) + let HandshakeData(tagged_message_bytes) = message; + check_eq1(U8(expected_type as u8), tagged_message_bytes[0])?; + Ok(HandshakeData( + tagged_message_bytes.slice_range(4..tagged_message_bytes.len()), + )) + } } /// Attempt to parse a handshake message from the beginning of the payload. 
@@ -119,6 +125,9 @@ impl HandshakeData { /// payload. Returns a [TLSError] if the payload is too short to contain a /// handshake message or if the payload is shorter than the expected length /// encoded in its first three bytes. + #[hax_lib::ensures(|result| match result { + Result::Ok((m,r)) => m.len() >= 4 && self.len() >= m.len() && self.len() - m.len() == r.len(), + _ => true })] pub(crate) fn next_handshake_message(&self) -> Result<(Self, Self), TLSError> { if (self.len()) < 4 { tlserr(parse_failed()) @@ -135,7 +144,7 @@ impl HandshakeData { /// If successful, returns the parsed handshake messages. Returns a [TLSError] /// if parsing of either message fails or if the payload is not fully consumed /// by parsing two messages. - #[cfg_attr(feature = "hax-pv", pv_handwritten)] + #[hax_lib::pv_handwritten] pub(crate) fn to_two(&self) -> Result<(HandshakeData, HandshakeData), TLSError> { let (message1, payload_rest) = self.next_handshake_message()?; let (message2, payload_rest) = payload_rest.next_handshake_message()?; @@ -151,7 +160,7 @@ impl HandshakeData { /// If successful, returns the parsed handshake messages. Returns a [TLSError] /// if parsing of any message fails or if the payload is not fully consumed /// by parsing four messages. - #[cfg_attr(feature = "hax-pv", pv_handwritten)] + #[hax_lib::pv_handwritten] pub(crate) fn to_four( &self, ) -> Result<(HandshakeData, HandshakeData, HandshakeData, HandshakeData), TLSError> { 
@@ -170,12 +179,14 @@ impl HandshakeData { /// Beginning at offset `start`, attempt to find a message of type `handshake_type` in `payload`. /// /// Returns `true`` if `payload` contains a message of the given type, `false` otherwise. + #[hax_lib::requires(self.len() >= start)] + #[hax_lib::decreases(self.len().to_int() - start.to_int())] pub(crate) fn find_handshake_message( &self, handshake_type: HandshakeType, start: usize, ) -> bool { - if (self.len()) < start + 4 { + if self.len() - start < 4 { false } else { match length_u24_encoded(self.0.raw_slice(start + 1..self.0.len())) { diff --git a/src/tls13formats/handshake_data.rs~ b/src/tls13formats/handshake_data.rs~ new file mode 100644 index 00000000..b27decef --- /dev/null +++ b/src/tls13formats/handshake_data.rs~ 
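Review bot: `if self.len() - start < 4` changes the runtime behaviour of `find_handshake_message` for `start > self.len()`: the old `self.len() < start + 4` returned `false`, whereas the subtraction panics under debug assertions and may wrap in release, after which the wrapped value reaches `raw_slice(start + 1..self.0.len())` with an out-of-range start. The new `#[hax_lib::requires(self.len() >= start)]` covers this for the proof, but as far as I can tell it is not enforced at runtime, so the guarantee now rests on every caller rather than on the function. Keeping the function total costs one comparison: `if start > self.len() || self.len() - start < 4 {`. The rest of the body, including the recursive call, is outside the hunk.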
@@ -0,0 +1,211 @@ +<<<<<<< HEAD +======= +#[cfg(feature = "hax-pv")] +use hax_lib::{pv_constructor, pv_handwritten}; + +>>>>>>> main +use crate::tls13utils::{ + check_eq1, encode_length_u24, eq1, length_u24_encoded, parse_failed, tlserr, Bytes, TLSError, + U8, +}; + +/// ```TLS +/// enum { +/// client_hello(1), +/// server_hello(2), +/// new_session_ticket(4), +/// end_of_early_data(5), +/// encrypted_extensions(8), +/// certificate(11), +/// certificate_request(13), +/// certificate_verify(15), +/// finished(20), +/// key_update(24), +/// message_hash(254), +/// (255) +/// } HandshakeType; +/// ``` +#[derive(Clone, Copy, Debug, PartialEq)] +#[repr(u8)] +pub enum HandshakeType { + ClientHello = 1, + ServerHello = 2, + NewSessionTicket = 4, + EndOfEarlyData = 5, + EncryptedExtensions = 8, + Certificate = 11, + CertificateRequest = 13, + CertificateVerify = 15, + Finished = 20, + KeyUpdate = 24, + MessageHash = 254, +} + +pub fn get_hs_type(t: u8) -> Result { + match t { + 1 => Ok(HandshakeType::ClientHello), + 2 => Ok(HandshakeType::ServerHello), + 4 => Ok(HandshakeType::NewSessionTicket), + 5 => Ok(HandshakeType::EndOfEarlyData), + 8 => Ok(HandshakeType::EncryptedExtensions), + 11 => Ok(HandshakeType::Certificate), + 13 => Ok(HandshakeType::CertificateRequest), + 15 => Ok(HandshakeType::CertificateVerify), + 20 => Ok(HandshakeType::Finished), + 24 => Ok(HandshakeType::KeyUpdate), + 254 => Ok(HandshakeType::MessageHash), + _ => tlserr(parse_failed()), + } +} + +/// Hadshake data of the TLS handshake. +pub struct HandshakeData(pub(crate) Bytes); + +#[hax_lib::attributes] +impl HandshakeData { + /// Generate a new [`HandshakeData`] from [`Bytes`] and the [`HandshakeType`]. + pub(crate) fn from_bytes( + handshake_type: HandshakeType, + handshake_bytes: &Bytes, + ) -> Result { + Ok(HandshakeData::from( + encode_length_u24(handshake_bytes)?.prefix(&[U8(handshake_type as u8)]), + )) + } + + /// Returns the length, in bytes. 
+ #[hax_lib::ensures(|result| fstar!("v result == Seq.length self._0._0"))] + pub(crate) fn len(&self) -> usize { + self.0.len() + } + + /// Returns the handshake data bytes. + pub(crate) fn to_bytes(&self) -> Bytes { + self.0.clone() + } + + /// Returns a new [`HandshakeData`] that contains the bytes of + /// `other` appended to the bytes of `self`. + #[hax_lib::pv_constructor] + pub(crate) fn concat(self, other: &HandshakeData) -> HandshakeData { + let mut message1 = self.to_bytes(); + let message2 = other.to_bytes(); + + message1.extend_from_slice(&message2); + HandshakeData::from(message1) + } + + /// Attempt to parse exactly one handshake message of the `expected_type` from + /// `payload`. + /// + /// If successful, returns the parsed handshake message. Returns a [TLSError] if + /// parsing is unsuccessful or the type of the parsed message disagrees with the + /// expected type. + pub(crate) fn as_handshake_message( + &self, + expected_type: HandshakeType, + ) -> Result { + let (message, payload_rest) = self.next_handshake_message()?; + if payload_rest.len() != 0 { + tlserr(parse_failed()) + } else { + let HandshakeData(tagged_message_bytes) = message; + check_eq1(U8(expected_type as u8), tagged_message_bytes[0])?; + Ok(HandshakeData( + tagged_message_bytes.slice_range(4..tagged_message_bytes.len()), + )) + } + } + + /// Attempt to parse a handshake message from the beginning of the payload. + /// + /// If successful, returns the parsed message and the unparsed rest of the + /// payload. Returns a [TLSError] if the payload is too short to contain a + /// handshake message or if the payload is shorter than the expected length + /// encoded in its first three bytes. 
+ #[hax_lib::ensures(|result| match result { + Result::Ok((m,_)) => m.len() >= 4, + _ => true })] + pub(crate) fn next_handshake_message(&self) -> Result<(Self, Self), TLSError> { + if (self.len()) < 4 { + tlserr(parse_failed()) + } else { + let len = length_u24_encoded(self.0.raw_slice(1..self.0.len()))?; + let message = self.0.slice_range(0..4 + len); + let rest = self.0.slice_range(4 + len..self.0.len()); + Ok((HandshakeData(message), HandshakeData(rest))) + } + } + + /// Attempt to parse exactly two handshake messages from `payload`. + /// + /// If successful, returns the parsed handshake messages. Returns a [TLSError] + /// if parsing of either message fails or if the payload is not fully consumed + /// by parsing two messages. + #[hax_lib::pv_handwritten] + pub(crate) fn to_two(&self) -> Result<(HandshakeData, HandshakeData), TLSError> { + let (message1, payload_rest) = self.next_handshake_message()?; + let (message2, payload_rest) = payload_rest.next_handshake_message()?; + if payload_rest.len() != 0 { + tlserr(parse_failed()) + } else { + Ok((message1, message2)) + } + } + + /// Attempt to parse exactly four handshake messages from `payload`. + /// + /// If successful, returns the parsed handshake messages. Returns a [TLSError] + /// if parsing of any message fails or if the payload is not fully consumed + /// by parsing four messages. 
+ #[hax_lib::pv_handwritten] + pub(crate) fn to_four( + &self, + ) -> Result<(HandshakeData, HandshakeData, HandshakeData, HandshakeData), TLSError> { + let (message1, payload_rest) = self.next_handshake_message()?; + let (message2, payload_rest) = payload_rest.next_handshake_message()?; + let (message3, payload_rest) = payload_rest.next_handshake_message()?; + let (message4, payload_rest) = payload_rest.next_handshake_message()?; + + if payload_rest.len() != 0 { + tlserr(parse_failed()) + } else { + Ok((message1, message2, message3, message4)) + } + } + + /// Beginning at offset `start`, attempt to find a message of type `handshake_type` in `payload`. + /// + /// Returns `true`` if `payload` contains a message of the given type, `false` otherwise. + /// + /// For termination proof in F*: we need to hand-edit and add: + /// (decreases (Seq.length self._0._0 - v start)) + /// https://github.com/cryspen/hax/issues/1233 + #[hax_lib::requires(fstar!(r#"Seq.length self._0._0 >= v start"#))] + pub(crate) fn find_handshake_message( + &self, + handshake_type: HandshakeType, + start: usize, + ) -> bool { + if self.len() - start < 4 { + false + } else { + match length_u24_encoded(self.0.raw_slice(start + 1..self.0.len())) { + Err(_) => false, + Ok(len) => { + if eq1(self.0[start], U8(handshake_type as u8)) { + true + } else { + self.find_handshake_message(handshake_type, start + 4 + len) + } + } + } + } + } +} + +impl From for HandshakeData { + fn from(value: Bytes) -> Self { + HandshakeData(value) + } +} diff --git a/src/tls13handshake.rs b/src/tls13handshake.rs index 40c06f22..a5b23e5b 100644 --- a/src/tls13handshake.rs +++ b/src/tls13handshake.rs @@ -285,6 +285,7 @@ fn build_client_hello( )) } +#[hax_lib::requires(trunc_len <= ch.len())] fn compute_psk_binder_zero_rtt( algs0: Algorithms, ch: HandshakeData, diff --git a/src/tls13record.rs b/src/tls13record.rs index ab5aa9e0..fb558d4b 100644 --- a/src/tls13record.rs +++ b/src/tls13record.rs 
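Review bot: `src/tls13formats/handshake_data.rs~` is an editor backup file, and it is being committed with unresolved conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> main`) at its top. Rust will not pick up a `.rs~` file as a module, but it is a stale copy that already diverges from the real file, for example its `next_handshake_message` postcondition is only `m.len() >= 4` while the real one also relates `self.len()`, `m.len()` and `r.len()`, and it will mislead anyone grepping or auditing the tree. Remove it from the commit and add `*~` to `.gitignore` so it cannot come back.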
@@ -4,6 +4,9 @@ use crate::tls13crypto::*; use crate::tls13formats::*; use crate::tls13utils::*; +#[cfg(hax)] +use hax_lib::ToInt; + /* CipherStates Exported by the TLS 1.3 Handshake */ pub struct ClientCipherState0(AeadAlgorithm, AeadKeyIV, u64, Key); @@ -77,19 +80,24 @@ pub(crate) fn duplex_cipher_state1( } /// Derive the AEAD IV with counter `n` +#[hax_lib::fstar::verification_status(lax)] // TODO: fix by making From<[u8;8]> transparent for Bytes +#[hax_lib::requires(iv.len() >= 8)] fn derive_iv_ctr(iv: &AeadIV, n: u64) -> AeadIV { let counter: Bytes = n.to_be_bytes().into(); let mut iv_ctr = AeadIV::zeroes(iv.len()); for i in 0..iv.len() - 8 { + hax_lib::loop_invariant!(|i: usize| iv_ctr.len() == iv.len()); iv_ctr[i] = iv[i]; } for i in 0..8 { - iv_ctr[i + iv.len() - 8] = iv[i + iv.len() - 8] ^ counter[i]; + hax_lib::loop_invariant!(|i: usize| iv_ctr.len() == iv.len()); + iv_ctr[i + (iv.len() - 8)] = iv[i + (iv.len() - 8)] ^ counter[i]; } iv_ctr } /// Encrypt the record `payload` with the given `key_iv`. +#[hax_lib::fstar::verification_status(lax)] pub(crate) fn encrypt_record_payload( key_iv: &AeadKeyIV, n: u64, @@ -97,6 +105,7 @@ pub(crate) fn encrypt_record_payload( payload: Bytes, pad: usize, ) -> Result { + check(key_iv.iv.len() >= 8)?; let iv_ctr = derive_iv_ctr(&key_iv.iv, n); let inner_plaintext = payload.concat(bytes1(ct as u8)).concat(Bytes::zeroes(pad)); let clen = inner_plaintext.len() + 16; @@ -111,6 +120,9 @@ pub(crate) fn encrypt_record_payload( } } +#[hax_lib::requires(b.len() >= n)] +#[hax_lib::ensures(|out| out <= n)] +#[hax_lib::decreases(n.to_int())] fn padlen(b: &Bytes, n: usize) -> usize { if n > 0 && b[n - 1].declassify() == 0 { 1 + padlen(b, n - 1) 
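Review bot: `#[hax_lib::fstar::verification_status(lax)]` on `derive_iv_ctr` comes with a `// TODO` saying why it is lax, but the same attribute on `encrypt_record_payload` in this hunk (and on `decrypt_record_payload` in the next tls13record.rs hunk) has no justification. Lax-checking skips the verification conditions of these functions, which together form the record-layer AEAD path, so the reason and a tracking reference belong next to each one, e.g. `// TODO(<issue-id>): lax because derive_iv_ctr is lax; remove once it verifies.` The runtime `check(key_iv.iv.len() >= 8)?` is a good complement to `#[hax_lib::requires(iv.len() >= 8)]` on `derive_iv_ctr`, since that precondition would otherwise be proof-only while `iv.len() - 8` is computed at runtime.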
@@ -120,11 +132,13 @@ fn padlen(b: &Bytes, n: usize) -> usize { } /// AEAD decrypt the record `ciphertext` +#[hax_lib::fstar::verification_status(lax)] fn decrypt_record_payload( kiv: &AeadKeyIV, n: u64, ciphertext: &Bytes, ) -> Result<(ContentType, Bytes), TLSError> { + check(kiv.iv.len() >= 8)?; let iv_ctr = derive_iv_ctr(&kiv.iv, n); let clen = ciphertext.len() - 5; if clen <= 65536 && clen > 16 { @@ -162,6 +176,7 @@ fn encrypt_zerortt( payload.into_raw(), pad, )?; + check(n < u64::MAX)?; Ok((rec, ClientCipherState0(ae, kiv, n + 1, exp))) } @@ -174,6 +189,7 @@ pub fn decrypt_zerortt( ) -> Result<(AppData, ServerCipherState0), TLSError> { let (ct, payload) = decrypt_record_payload(&state.key_iv, state.counter, ciphertext)?; check(ct == ContentType::ApplicationData)?; + check(state.counter < u64::MAX)?; Ok(( AppData::new(payload), ServerCipherState0 { @@ -203,6 +219,7 @@ pub(crate) fn encrypt_handshake( pad, )?; + check(state.sender_counter < u64::MAX)?; state.sender_counter += 1; Ok((rec, state)) } @@ -220,6 +237,7 @@ pub(crate) fn decrypt_handshake( ) } else { check(ct == ContentType::Handshake)?; + check(state.receiver_counter < u64::MAX)?; state.receiver_counter += 1; Ok((handshake_data::HandshakeData::from(payload), state)) } @@ -238,6 +256,7 @@ pub fn encrypt_data( payload.into_raw(), pad, )?; + check(n < u64::MAX)?; Ok((rec, DuplexCipherState1(ae, kiv, n + 1, x, y, exp))) } @@ -247,6 +266,7 @@ pub fn decrypt_data_or_hs( ) -> Result<(ContentType, Bytes, DuplexCipherState1), TLSError> { let DuplexCipherState1(ae, x, y, kiv, n, exp) = st; let (ct, payload) = decrypt_record_payload(&kiv, n, ciphertext)?; + check(n < u64::MAX)?; Ok((ct, payload, DuplexCipherState1(ae, x, y, kiv, n + 1, exp))) } pub fn decrypt_data( 
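Review bot: The `check(n < u64::MAX)?` added in `encrypt_zerortt` (and likewise in `decrypt_zerortt`, `encrypt_handshake`, `decrypt_handshake`, `encrypt_data`, `decrypt_data_or_hs` here and `decrypt_data` in the hunk that follows) only rules out wrap-around of the `n + 1` increment; it is not a record-sequence-number limit. A comment at each site would stop a later reader from mistaking it for the AEAD usage limit, which in TLS 1.3 is far below 2^64 and, as far as this diff shows, is not enforced in this module: `// Guards only the n + 1 increment against wrap-around; not the AEAD record limit (RFC 8446 §5.5).` In the encrypt paths the check runs after the record has already been produced with counter `n`; that is harmless because the counter starts at 0 and these guarded increments can never reach `u64::MAX`, but placing it before `encrypt_record_payload` would read as the intended ordering.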
@@ -256,6 +276,7 @@ pub fn decrypt_data( let DuplexCipherState1(ae, x, y, kiv, n, exp) = st; let (ct, payload) = decrypt_record_payload(&kiv, n, ciphertext)?; check(ct == ContentType::ApplicationData)?; + check(n < u64::MAX)?; Ok(( AppData::new(payload), DuplexCipherState1(ae, x, y, kiv, n + 1, exp), diff --git a/src/tls13utils.rs b/src/tls13utils.rs index bc9ff301..c417c6c1 100644 --- a/src/tls13utils.rs +++ b/src/tls13utils.rs @@ -47,6 +47,13 @@ pub(crate) fn error_string(c: u8) -> String { format!("{}", c) } +#[cfg(not(test))] +#[hax_lib::ensures(|result| fstar!("not (Core.Result.Result_Ok? result)"))] +pub(crate) fn tlserr(err: TLSError) -> Result { + Err(err) +} + +#[cfg(test)] pub(crate) fn tlserr(err: TLSError) -> Result { let bt = backtrace::Backtrace::new(); Err(err) @@ -76,8 +83,10 @@ impl U8 { } } +#[hax_lib::attributes] #[allow(dead_code)] pub(crate) trait Declassify { + #[requires(true)] fn declassify(self) -> T; } @@ -185,9 +194,11 @@ impl From> for Bytes { } } +#[hax_lib::attributes] impl Bytes { /// Add a prefix to these bytes and return it. - #[cfg_attr(feature = "hax-pv", pv_handwritten)] + #[hax_lib::pv_handwritten] + #[hax_lib::ensures(|result| result.len() >= self.len() && result.len() - self.len() == prefix.len())] pub(crate) fn prefix(mut self, prefix: &[U8]) -> Self { let mut out = Vec::with_capacity(prefix.len() + self.len()); @@ -210,6 +221,7 @@ impl Bytes { /// Get a reference to the raw bytes. #[allow(dead_code)] + #[hax_lib::ensures(|result| fstar!(r#"Seq.length result == Seq.length self._0"#))] pub(crate) fn as_raw(&self) -> &[U8] { &self.0 } @@ -223,7 +235,9 @@ impl Bytes { } } +#[hax_lib::attributes] impl From<&[u8]> for Bytes { + #[hax_lib::ensures(|result| result.len() == x.len())] fn from(x: &[u8]) -> Bytes { x.to_vec().into() } 
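Review bot: Splitting `tlserr` into `#[cfg(not(test))]` and `#[cfg(test)]` copies attaches the `ensures(... not (Core.Result.Result_Ok? result) ...)` that every caller's proof relies on to only one of the two bodies, and the test body continues outside the hunk. A single function with `#[cfg(test)]` on the `let bt = backtrace::Backtrace::new();` statement (cfg attributes are accepted on statements) would keep one signature and one spec. If hax cannot handle the `backtrace` call even behind `cfg(test)`, a one-line comment on the duplicate saying so would justify it.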
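Review bot: `#[requires(true)]` on `Declassify::declassify` has no semantic content, so it reads as an accident unless its purpose is to make hax extract the trait method with a spec slot (presumably so implementations can carry a precondition; confirm). A one-line comment would save the next reader the archaeology: `// Trivial precondition on purpose: gives the extracted trait method a spec that impls can refine.`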
@@ -236,13 +250,17 @@ impl From<&[U8]> for Bytes { } } +#[hax_lib::attributes] impl From<[u8; C]> for Bytes { + #[hax_lib::ensures(|result| result.len() == C)] fn from(x: [u8; C]) -> Bytes { x.to_vec().into() } } +#[hax_lib::attributes] impl From<&[u8; C]> for Bytes { + #[hax_lib::ensures(|result| result.len() == C)] fn from(x: &[u8; C]) -> Bytes { x.to_vec().into() } @@ -254,7 +272,7 @@ impl U32 { self.0 } } -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn u16_as_be_bytes(val: U16) -> [U8; 2] { #[cfg(not(feature = "secret_integers"))] let val = val.to_be_bytes(); @@ -285,25 +303,46 @@ pub(crate) fn u32_from_be_bytes(val: [U8; 4]) -> U32 { U32(val) } +#[hax_lib::ensures(|result| result.len() == x.len())] pub(crate) fn bytes(x: &[u8]) -> Bytes { x.into() } + +#[hax_lib::ensures(|result| result.len() == 1)] pub(crate) fn bytes1(x: u8) -> Bytes { [x].into() } + +#[hax_lib::ensures(|result| result.len() == 2)] pub(crate) fn bytes2(x: u8, y: u8) -> Bytes { [x, y].into() } -#[cfg_attr(feature = "hax-fstar", attributes)] +#[hax_lib::attributes] impl core::ops::Index for Bytes { type Output = U8; - #[cfg_attr(feature = "hax-fstar", requires(x < self.0.len()))] + #[requires(x < self.0.len())] fn index(&self, x: usize) -> &U8 { &self.0[x] } } +/// This is needed only for hax, so should likely be guarded by a feature flag. +#[hax_lib::fstar::before( + interface, + "[@@ FStar.Tactics.Typeclasses.tcinstance] +let update_at_usize_bytes: Rust_primitives.Hax.update_at_tc t_Bytes usize = + { + super_index = impl_21; + update_at = fun s (i:usize{v i < Seq.length s._0}) x -> Bytes (Seq.upd s._0 (v i) x) + }" +)] +fn _update_at_usize_bytes_test(b: &mut Bytes) { + if b.len() > 0 { + b[0] = U8(0) + }; +} + mod non_hax { use super::*; impl core::ops::IndexMut for Bytes { 
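Review bot: The hand-written F* instance injected through `#[hax_lib::fstar::before(interface, ...)]` names `impl_21` as `super_index`, and that is an auto-numbered name from extraction (presumably the `core::ops::Index` impl for `Bytes` just above); adding or reordering an `impl` block for `Bytes` renumbers it and the generated interface silently points at the wrong instance or stops typechecking. That coupling deserves a comment right on the attribute: `// NOTE: impl_21 is the extracted name of the Index<usize> impl above; re-check after adding or moving impls.` The doc line on `_update_at_usize_bytes_test` already says it should be feature-guarded; `#[cfg(hax)]`, as used for the `ToInt` import in tls13record.rs, would keep this otherwise unused mutator out of normal builds.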
@@ -319,18 +358,20 @@ mod non_hax { } } -#[cfg_attr(feature = "hax-fstar", attributes)] +#[hax_lib::attributes] impl core::ops::Index> for Bytes { type Output = [U8]; - #[cfg_attr(feature = "hax-fstar", requires(x.start <= self.0.len() && x.end <= self.0.len()))] + #[requires(x.start <= self.0.len() && x.end <= self.0.len())] + #[ensures(|result| if x.end >= x.start {result.len() == x.end - x.start} else {result.len() == 0})] fn index(&self, x: Range) -> &[U8] { &self.0[x] } } +#[hax_lib::attributes] impl Bytes { /// Create new [`Bytes`]. - #[cfg_attr(feature = "hax-pv", pv_constructor)] + #[hax_lib::pv_constructor] pub(crate) fn new() -> Bytes { Bytes(Vec::new()) } @@ -341,12 +382,14 @@ impl Bytes { } /// Generate `len` bytes of `0`. - #[cfg_attr(feature = "hax-pv", pv_constructor)] + #[hax_lib::pv_constructor] + #[hax_lib::ensures(|result| fstar!("Seq.length result._0 == v len"))] pub(crate) fn zeroes(len: usize) -> Bytes { Bytes(vec![U8(0); len]) } /// Get the length of these [`Bytes`]. + #[hax_lib::ensures(|result| fstar!("v result == Seq.length self._0"))] pub(crate) fn len(&self) -> usize { self.0.len() } 
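Review bot: The new `#[ensures(...)]` on `Index<Range<usize>>::index` has an `else {result.len() == 0}` branch for `x.end < x.start`, but the body `&self.0[x]` panics for such a range, so that branch describes an outcome the code never produces and the `#[requires(...)]` does not exclude the case. Unless hax's model of slice indexing deliberately treats a reversed range as empty (in which case a comment should say so), tightening the precondition keeps spec and code aligned: `#[requires(x.start <= x.end && x.end <= self.0.len())]` with `#[ensures(|result| result.len() == x.end - x.start)]`. The same pattern appears on `raw_slice` and `slice_range` in the next tls13utils.rs hunk.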
@@ -391,22 +434,29 @@ impl Bytes { } /// Get a slice of the given `range`. + #[hax_lib::requires(fstar!(r#"v ${range.start} <= Seq.length self._0 && v ${range.end} <= Seq.length self._0"#))] + #[hax_lib::ensures(|result| if range.end >= range.start {result.len() == range.end - range.start} else {result.len() == 0})] pub(crate) fn raw_slice(&self, range: Range) -> &[U8] { &self.0[range] } /// Get a new copy of the given `range` as [`Bytes`]. + #[hax_lib::requires(fstar!(r#"v ${range.start} <= Seq.length self._0 && v ${range.end} <= Seq.length self._0"#))] + #[hax_lib::ensures(|result| if range.end >= range.start {result.0.len() == range.end - range.start} else {result.0.len() == 0})] pub(crate) fn slice_range(&self, range: Range) -> Bytes { self.0[range].into() } /// Get a new copy of the given range `[start..start+len]` as [`Bytes`]. + #[hax_lib::requires(fstar!(r#"v $start <= Seq.length self._0 && v $start + v len <= Seq.length self._0"#))] + #[hax_lib::ensures(|result| result.0.len() == len)] pub(crate) fn slice(&self, start: usize, len: usize) -> Bytes { self.0[start..start + len].into() } /// Concatenate `other` with these bytes and return a copy as [`Bytes`]. - #[cfg_attr(feature = "hax-pv", pv_handwritten)] + #[hax_lib::pv_handwritten] + #[ensures(|result| result.len() == self.len() + other.len())] pub fn concat(mut self, mut other: Bytes) -> Bytes { self.0.append(&mut other.0); self @@ -471,6 +521,10 @@ impl Bytes { } /// Convert the bool `b` into a Result. +#[hax_lib::ensures(|result| match result { + Result::Ok(()) => b == true, + _ => true + })] pub(crate) fn check(b: bool) -> Result<(), TLSError> { if b { Ok(()) 
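Review bot: `Result::Ok(()) => b == true` in the postcondition of `check` compares a bool with `true`; `Result::Ok(()) => b` states the same thing and is what clippy's `bool_comparison` lint asks for. The rest of `check`'s body is outside the hunk.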
@@ -515,7 +569,7 @@ pub(crate) fn eq_slice(b1: &[U8], b2: &[U8]) -> bool { // TODO: This function should short-circuit once hax supports returns within loops /// Check if [Bytes] slices `b1` and `b2` are of the same /// length and agree on all positions. -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub fn eq(b1: &Bytes, b2: &Bytes) -> bool { eq_slice(&b1.0, &b2.0) } @@ -556,7 +610,7 @@ pub(crate) fn check_eq_with_slice( /// Parse function to check if [Bytes] slices `b1` and `b2` are of the same /// length and agree on all positions, returning a [TLSError] otherwise. #[inline(always)] -#[cfg_attr(feature = "hax-pv", pv_handwritten)] +#[hax_lib::pv_handwritten] pub(crate) fn check_eq(b1: &Bytes, b2: &Bytes) -> Result<(), TLSError> { check_eq_slice(b1.as_raw(), b2.as_raw()) } @@ -588,7 +642,10 @@ pub(crate) fn check_mem(b1: &[U8], b2: &[U8]) -> Result<(), TLSError> { /// On success, return a new [Bytes] slice such that its first byte encodes the /// length of `bytes` and the remainder equals `bytes`. Return a [TLSError] if /// the length of `bytes` exceeds what can be encoded in one byte. -#[cfg_attr(feature = "hax-pv", pv_constructor)] +#[hax_lib::pv_constructor] +#[hax_lib::ensures(|result| match result { + Result::Ok(lenb) => bytes.len() < 256 && lenb.len() >= 1 && lenb.len() - 1 == bytes.len(), + _ => true})] pub(crate) fn encode_length_u8(bytes: &[U8]) -> Result { let len = bytes.len(); if len >= 256 { 
@@ -606,6 +663,9 @@ pub(crate) fn encode_length_u8(bytes: &[U8]) -> Result { /// On success, return a new [Bytes] slice such that its first two bytes encode the /// big-endian length of `bytes` and the remainder equals `bytes`. Return a [TLSError] if /// the length of `bytes` exceeds what can be encoded in two bytes. +#[hax_lib::ensures(|result| match result { + Result::Ok(lenb) => bytes.len() < 65536 && lenb.len() >= 2 && lenb.len() - 2 == bytes.len(), + _ => true})] pub(crate) fn encode_length_u16(mut bytes: Bytes) -> Result { let len = bytes.len(); if len >= 65536 { @@ -625,6 +685,9 @@ pub(crate) fn encode_length_u16(mut bytes: Bytes) -> Result { /// On success, return a new [Bytes] slice such that its first three bytes encode the /// big-endian length of `bytes` and the remainder equals `bytes`. Return a [TLSError] if /// the length of `bytes` exceeds what can be encoded in three bytes. +#[hax_lib::ensures(|result| match result { + Result::Ok(lenb) => bytes.len() < 16777216 && lenb.len() >= 3 && lenb.len() - 3 == bytes.len(), + _ => true})] pub(crate) fn encode_length_u24(bytes: &Bytes) -> Result { let len = bytes.len(); if len >= 16777216 { @@ -646,6 +709,10 @@ pub(crate) fn encode_length_u24(bytes: &Bytes) -> Result { /// On success, return the encoded length. Return a [TLSError] if `bytes` is /// empty or if the encoded length exceeds the length of the remainder of /// `bytes`. +#[hax_lib::ensures(|result| match result { + Result::Ok(l) => bytes.len() >= 1 && bytes.len() - 1 >= l && l < 256, + _ => true +})] pub(crate) fn length_u8_encoded(bytes: &[U8]) -> Result { if bytes.is_empty() { Err(parse_failed()) 
@@ -666,6 +733,10 @@ pub(crate) fn length_u8_encoded(bytes: &[U8]) -> Result { /// bytes long or if the encoded length exceeds the length of the remainder of /// `bytes`. #[inline(always)] +#[hax_lib::ensures(|result| match result { + Result::Ok(l) => bytes.len() >= 2 && bytes.len() - 2 >= l && l < 65536, + _ => true +})] pub(crate) fn length_u16_encoded_slice(bytes: &[U8]) -> Result { if bytes.len() < 2 { Err(parse_failed()) @@ -688,6 +759,10 @@ pub(crate) fn length_u16_encoded_slice(bytes: &[U8]) -> Result /// bytes long or if the encoded length exceeds the length of the remainder of /// `bytes`. #[inline(always)] +#[hax_lib::ensures(|result| match result { + Result::Ok(l) => bytes.len() >= 2 && bytes.len() - 2 >= l && l < 65536, + _ => true +})] pub(crate) fn length_u16_encoded(bytes: &[U8]) -> Result { length_u16_encoded_slice(bytes) } @@ -698,6 +773,11 @@ pub(crate) fn length_u16_encoded(bytes: &[U8]) -> Result { /// On success, return the encoded length. Return a [TLSError] if `bytes` is less than 3 /// bytes long or if the encoded length exceeds the length of the remainder of /// `bytes`. +#[inline(always)] +#[hax_lib::ensures(|result| match result { + Result::Ok(l) => bytes.len() >= 3 && bytes.len() - 3 >= l && l < 16777216, + _ => true + })] pub(crate) fn length_u24_encoded(bytes: &[U8]) -> Result { if bytes.len() < 3 { Err(parse_failed()) @@ -714,6 +794,9 @@ pub(crate) fn length_u24_encoded(bytes: &[U8]) -> Result { } } +#[hax_lib::ensures(|result| match result { + Result::Ok(_) => bytes.len() >= 1 && bytes.len() <= 256, + _ => true})] pub(crate) fn check_length_encoding_u8_slice(bytes: &[U8]) -> Result<(), TLSError> { if length_u8_encoded(bytes)? + 1 != bytes.len() { Err(parse_failed()) 
@@ -726,11 +809,17 @@ pub(crate) fn check_length_encoding_u8_slice(bytes: &[U8]) -> Result<(), TLSErro /// /// Returns `Ok(())` if there are no bytes left, and a [`TLSError`] if there are /// more bytes in the `bytes`. +#[hax_lib::ensures(|result| match result { + Result::Ok(_) => bytes.len() >= 1 && bytes.len() <= 256, + _ => true})] pub(crate) fn check_length_encoding_u8(bytes: &Bytes) -> Result<(), TLSError> { check_length_encoding_u8_slice(bytes.as_raw()) } #[inline(always)] +#[hax_lib::ensures(|result| match result { + Result::Ok(_) => bytes.len() >= 2 && bytes.len() <= 65537, + _ => true})] pub(crate) fn check_length_encoding_u16_slice(bytes: &[U8]) -> Result<(), TLSError> { if length_u16_encoded(bytes)? + 2 != bytes.len() { Err(parse_failed()) @@ -744,6 +833,9 @@ pub(crate) fn check_length_encoding_u16_slice(bytes: &[U8]) -> Result<(), TLSErr /// /// Returns `Ok(())` if there are no bytes left, and a [`TLSError`] if there are /// more bytes in the `bytes`. +#[hax_lib::ensures(|result| match result { + Result::Ok(_) => bytes.len() >= 2 && bytes.len() <= 65537, + _ => true})] pub(crate) fn check_length_encoding_u16(bytes: &Bytes) -> Result<(), TLSError> { check_length_encoding_u16_slice(bytes.as_raw()) } @@ -753,6 +845,9 @@ pub(crate) fn check_length_encoding_u16(bytes: &Bytes) -> Result<(), TLSError> { /// /// Returns `Ok(())` if there are no bytes left, and a [`TLSError`] if there are /// more bytes in the `bytes`. +#[hax_lib::ensures(|result| match result { + Result::Ok(_) => bytes.len() >= 3 && bytes.len() <= 16777218, + _ => true})] pub(crate) fn check_length_encoding_u24(bytes: &[U8]) -> Result<(), TLSError> { if length_u24_encoded(bytes)? + 3 != bytes.len() { Err(parse_failed())