/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
* SPDX-License-Identifier: Apache-2.0
*/
// Specification of EVP_sha512_init and EVP_sha384_init, the initialization
// functions for EVP_sha512_storage and EVP_sha384_storage respectively
// The spec states no return value: it contains no `crucible_return`.
let EVP_sha_init_spec = do {
// Precondition: The global variable `EVP_SHA_STORAGE` exists.
// `EVP_SHA_STORAGE` is not defined in this file, so which storage global is
// checked depends on how the including script binds it.
crucible_alloc_global EVP_SHA_STORAGE;
// Call function with no arguments
crucible_execute_func [];
// Postcondition: `EVP_SHA_STORAGE` global variable satisfies the
// `points_to_env_md_st` specification
points_to_env_md_st (crucible_global EVP_SHA_STORAGE);
};
/*
* Specifications of EVP_Digest, EVP_DigestInit, EVP_DigestUpdate, and
* EVP_DigestFinal functions for SHA512.
*/
// Spec for EVP_DigestInit: after the call the context references `type_ptr`
// and an initialized SHA512 state, and the function returns 1.
let EVP_DigestInit_spec = do {
// Precondition: `ctx_ptr` is a pointer to an `env_md_ctx_st` struct
// (writable, contents not constrained before the call)
ctx_ptr <- crucible_alloc (llvm_struct "struct.env_md_ctx_st");
// Precondition: `type_ptr` is a pointer to a const `env_md_st` struct
// satisfying the `points_to_env_md_st` specification
type_ptr <- crucible_alloc_readonly (llvm_struct "struct.env_md_st");
points_to_env_md_st type_ptr;
// Call function with `ctx_ptr` and `type_ptr`
crucible_execute_func [ctx_ptr, type_ptr];
// Postcondition: `ctx_ptr->digest == type_ptr` and `ctx_ptr->md_data`
// holds an initialized SHA512 context.
// `sha512_ctx_ptr` is allocated after `crucible_execute_func`, so it
// describes memory the function itself allocates.
sha512_ctx_ptr <- crucible_alloc (llvm_struct "struct.sha512_state_st");
// Expected state: h = SHAH0, zero block, n = 0, sz = 0.
// NOTE(review): the trailing `0` is presumably the number of block entries
// that must match (compare the `num` argument used in
// `EVP_DigestUpdate_spec`) -- confirm against `points_to_sha512_state_st`.
points_to_sha512_state_st
sha512_ctx_ptr
{{ { h = SHAH0, block = zero : [SHA512_CBLOCK][8], n = 0 : [32], sz = 0 : [128] } }}
0;
points_to_env_md_ctx_st ctx_ptr type_ptr sha512_ctx_ptr;
// Postcondition: The function returns 1
crucible_return (crucible_term {{ 1 : [32] }});
};
// Spec for EVP_DigestUpdate with a fixed buffered count `num` and a fixed
// input length `len`. Both are used as sizes (`llvm_array len i8`,
// `eval_size {| (num + len) % SHA512_CBLOCK |}`), so each instantiation of
// this spec covers exactly one (num, len) pair; which lengths are covered
// overall depends on how the proof script instantiates it.
let EVP_DigestUpdate_spec num len = do {
// Precondition: The function uses the AVX+shrd code path. The result only
// applies to the capability vector `ia32cap`; other CPU feature settings are
// outside the scope of this spec.
global_alloc_init "OPENSSL_ia32cap_P" {{ ia32cap }};
// Precondition: `ctx_ptr` is a pointer to an `env_md_ctx_st` struct
ctx_ptr <- crucible_alloc (llvm_struct "struct.env_md_ctx_st");
// Precondition: `digest_ptr` is a pointer to a const `env_md_st` struct
// satisfying the `points_to_env_md_st` specification
digest_ptr <- crucible_alloc_readonly (llvm_struct "struct.env_md_st");
points_to_env_md_st digest_ptr;
// Precondition: `sha512_ctx_ptr` is a pointer to a `sha512_state_st` struct
sha512_ctx_ptr <- crucible_alloc (llvm_struct "struct.sha512_state_st");
// Precondition: `sha512_ctx` is a fresh Cryptol SHAState
sha512_ctx <- fresh_sha512_state_st "sha512_ctx" num;
// Precondition: `sha512_ctx_ptr` matches `sha512_ctx`. The message blocks
// of the two must only match up to the first `num` entries.
// NOTE(review): this comment used to say "bits" while the postcondition
// below counts bytes -- confirm the unit against `points_to_sha512_state_st`.
points_to_sha512_state_st sha512_ctx_ptr sha512_ctx num;
// Precondition: Struct pointed to by `ctx_ptr` points to `digest_ptr` and
// `sha512_ctx_ptr`.
points_to_env_md_ctx_st ctx_ptr digest_ptr sha512_ctx_ptr;
// Precondition: `data` is a fresh array of `len` bytes, and `data_ptr`
// points to `data` (read-only).
(data, data_ptr) <- ptr_to_fresh_readonly "data" (llvm_array len i8);
// Call function with `ctx_ptr`, `data_ptr`, and `len` as arguments.
// `len` is passed as a 64-bit value.
crucible_execute_func [ctx_ptr, data_ptr, crucible_term {{ `len : [64] }}];
// Postcondition: The function has not changed the variable that decides the AVX+shrd code path
global_points_to "OPENSSL_ia32cap_P" {{ ia32cap }};
// Postcondition: The context `sha512_ctx_ptr` points to matches the result
// of executing the cryptol function `SHAUpdate` on `sha512_ctx` and
// `data`, with the exception of the message block, which must only match up
// to the first `(num + len) % SHA512_CBLOCK` bytes. This is because the
// C implementation does not clear the unused bytes of message block, and
// therefore the tail end of the block contains garbage.
// Consequence: the bytes past that offset are left unconstrained by this
// spec, so nothing is established here about what they contain.
points_to_sha512_state_st sha512_ctx_ptr {{ SHAUpdate sha512_ctx data }} (eval_size {| (num + len) % SHA512_CBLOCK |});
// Postcondition: Struct pointed to by `ctx_ptr` points to `digest_ptr` and
// `sha512_ctx_ptr`.
points_to_env_md_ctx_st ctx_ptr digest_ptr sha512_ctx_ptr;
// Postcondition: The function returns 1
crucible_return (crucible_term {{ 1 : [32] }});
};
// Shared precondition setup for the digest output arguments.
// Returns the pair `(md_out_ptr, s_ptr)`; `s_ptr` is a pointer to an `i32`
// when `withLength` is true and the null pointer otherwise.
let digestOut_pre withLength = do {
// Precondition: `md_out_ptr` points to an array of `SHA_DIGEST_LENGTH` bytes
// (writable; no initial contents are specified)
md_out_ptr <- crucible_alloc (llvm_array SHA_DIGEST_LENGTH i8);
// Precondition: The last parameter points to an integer or is null
s_ptr <-
if withLength then do {
crucible_alloc i32;
} else do {
return crucible_null;
};
return (md_out_ptr, s_ptr);
};
// Shared postcondition for the digest output arguments. `withLength` must
// match the value given to `digestOut_pre`, since `s_ptr` is only a valid
// allocation when it was true there.
let digestOut_post withLength out_ptr s_ptr out_value = do {
// Postcondition: `out_ptr` points to `out_value`
crucible_points_to out_ptr out_value;
if withLength then do {
// Postcondition: The output length is correct, i.e. `s_ptr` points to
// `SHA_DIGEST_LENGTH` as a 32-bit value
crucible_points_to s_ptr (crucible_term {{`SHA_DIGEST_LENGTH : [32]}} );
} else do {
// No postcondition on the output length pointer
return ();
};
};
// Common spec for the EVP_DigestFinal family.
//   is_ex      - when true the context struct is allocated read-only,
//                otherwise writable
//   withLength - whether the length output pointer is non-null
//   num        - passed to `pointer_to_fresh_sha512_state_st`; per the
//                comments below, how much of the message block must match
let EVP_DigestFinalCommon_spec is_ex withLength num = do {
// Precondition: `OPENSSL_ia32cap_P` holds `ia32cap`; the result only applies
// to that capability vector.
global_alloc_init "OPENSSL_ia32cap_P" {{ ia32cap }};
// Precondition: md_out_ptr is allocated and correct length, and
// s_ptr is null or points to an int.
(md_out_ptr, s_ptr) <- digestOut_pre withLength;
// Precondition: `ctx_ptr` points to an `env_md_ctx_st` struct.
// NOTE(review): presumably writable in the non-`_ex` case because that
// function also modifies the context -- confirm against the C source.
ctx_ptr <- if is_ex then do {
crucible_alloc_readonly (llvm_struct "struct.env_md_ctx_st");
} else do {
crucible_alloc (llvm_struct "struct.env_md_ctx_st");
};
// Precondition: `digest_ptr` points to a const `env_md_st` struct satisfying
// the `points_to_env_md_st` specification.
digest_ptr <- crucible_alloc_readonly (llvm_struct "struct.env_md_st");
points_to_env_md_st digest_ptr;
// Precondition: `sha512_ctx_ptr` is a pointer to a `sha512_state_st` struct
// Precondition: `sha512_ctx` is a fresh Cryptol SHAState
// Precondition: `sha512_ctx_ptr` matches `sha512_ctx`. The message blocks
// of the two must only match up to the first `num` entries.
// NOTE(review): this comment used to say "bits"; confirm the unit against
// `pointer_to_fresh_sha512_state_st`.
(sha512_ctx, sha512_ctx_ptr) <- pointer_to_fresh_sha512_state_st "sha512_ctx" num;
// Precondition: Struct pointed to by `ctx_ptr` points to `digest_ptr` and
// `sha512_ctx_ptr`.
points_to_env_md_ctx_st ctx_ptr digest_ptr sha512_ctx_ptr;
// Call function with `ctx_ptr`, `md_out_ptr`, and `s_ptr`
crucible_execute_func [ctx_ptr, md_out_ptr, s_ptr];
// Postcondition: The function has not changed `OPENSSL_ia32cap_P`
global_points_to "OPENSSL_ia32cap_P" {{ ia32cap }};
// Postcondition: The data pointed to by `md_out_ptr` matches the message
// digest returned by the Cryptol function `SHAFinal`, split into
// `SHA_DIGEST_LENGTH` elements to match the byte array at `md_out_ptr`.
// (Only `split` is applied here; no reverse or join appears in the term.)
// If length output is used, s_ptr points to correct length.
// NOTE(review): no postcondition constrains the contents of `ctx_ptr` or
// `sha512_ctx_ptr` after the call, so this spec by itself says nothing about
// the state left behind (for example whether the hash state is wiped) --
// confirm whether that is covered elsewhere.
digestOut_post withLength md_out_ptr s_ptr
(crucible_term {{ split`{SHA_DIGEST_LENGTH} (SHAFinal sha512_ctx) }});
// Postcondition: The function returns 1
crucible_return (crucible_term {{ 1 : [32] }});
};
// Partial applications of `EVP_DigestFinalCommon_spec`; the remaining
// parameters are `withLength` and `num`.
// is_ex = true: the context struct is allocated read-only.
let EVP_DigestFinal_ex_spec = EVP_DigestFinalCommon_spec true;
// is_ex = false: the context struct is allocated writable.
let EVP_DigestFinal_spec = EVP_DigestFinalCommon_spec false;
// Spec for the one-shot EVP_Digest call on `len` input bytes. `len` is used
// as a size (`llvm_array len i8`), so each instantiation covers one concrete
// input length.
let EVP_Digest_spec withLength len = do {
// Precondition: The function uses the AVX+shrd code path. The result only
// applies to the capability vector `ia32cap`.
global_alloc_init "OPENSSL_ia32cap_P" {{ ia32cap }};
// Precondition: `data` is a fresh const array of `len` bytes, and `data_ptr`
// points to `data`.
(data, data_ptr) <- ptr_to_fresh_readonly "data" (llvm_array len i8);
// Precondition: md_out_ptr is allocated and correct length, and
// size_ptr is null or points to an int.
(md_out_ptr, size_ptr) <- digestOut_pre withLength;
// Precondition: `type_ptr` is a pointer to a const `env_md_st` struct
// satisfying the `points_to_env_md_st` specification
type_ptr <- crucible_alloc_readonly (llvm_struct "struct.env_md_st");
points_to_env_md_st type_ptr;
// Call function with arguments data_ptr, len, md_out_ptr, size_ptr, type_ptr,
// and NULL
crucible_execute_func
[ data_ptr
, crucible_term {{ `len : [64] }}
, md_out_ptr
, size_ptr
, type_ptr
, crucible_null
];
// Postcondition: The function has not changed the variable that decides the AVX+shrd code path
global_points_to "OPENSSL_ia32cap_P" {{ ia32cap }};
// Postcondition: The data pointed to by `md_out_ptr` matches the message
// digest returned by the Cryptol function `SHAImp`, split into
// `SHA_DIGEST_LENGTH` elements to match the byte array at `md_out_ptr`.
// (Only `split` is applied here; no reverse or join appears in the term.)
// If length output is used, size_ptr points to correct length.
digestOut_post withLength md_out_ptr size_ptr
(crucible_term {{ split`{SHA_DIGEST_LENGTH} (SHAImp data) }});
// Postcondition: The function returns the value `1`
crucible_return (crucible_term {{ 1 : [32] }});
};
// Array-model variant of the EVP_DigestInit spec: the expected state comes
// from `SHAInit_Array` and the message block is a fresh `ByteArray`.
let EVP_DigestInit_array_spec = do {
// Precondition: `ctx_ptr` is a pointer to an `env_md_ctx_st` struct
ctx_ptr <- crucible_alloc (llvm_struct "struct.env_md_ctx_st");
// Precondition: `type_ptr` is a pointer to a const `env_md_st` struct
// satisfying the `points_to_env_md_st` specification
type_ptr <- crucible_alloc_readonly (llvm_struct "struct.env_md_st");
points_to_env_md_st type_ptr;
// Call function with `ctx_ptr` and `type_ptr`
crucible_execute_func [ctx_ptr, type_ptr];
// Postcondition: `ctx_ptr->digest == type_ptr` and `ctx_ptr->md_data`
// holds an initialized SHA512 context.
// `sha512_ctx_ptr` is allocated after `crucible_execute_func`, so it
// describes memory the function itself allocates.
sha512_ctx_ptr <- llvm_alloc_sym_init (llvm_struct "struct.sha512_state_st");
// `block'` is a fresh variable with no further constraint in this spec, so
// only h, n and sz are tied to `SHAInit_Array`; the block contents after
// initialization are left unspecified.
block' <- crucible_fresh_cryptol_var "block'" {| ByteArray |};
points_to_sha512_state_st_array sha512_ctx_ptr {{ { h = SHAInit_Array.h, block = block', n = SHAInit_Array.n, sz = SHAInit_Array.sz } }};
points_to_env_md_ctx_st ctx_ptr type_ptr sha512_ctx_ptr;
// Postcondition: The function returns 1
crucible_return (crucible_term {{ 1 : [32] }});
};
// Array-model variant of the EVP_DigestUpdate spec. Unlike
// `EVP_DigestUpdate_spec`, the input length is a fresh symbolic 64-bit value
// rather than a fixed size parameter.
let EVP_DigestUpdate_array_spec = do {
// Precondition: The function uses the AVX+shrd code path. The result only
// applies to the capability vector `ia32cap`.
global_alloc_init "OPENSSL_ia32cap_P" {{ ia32cap }};
// Precondition: `ctx_ptr` is a pointer to an `env_md_ctx_st` struct
ctx_ptr <- crucible_alloc (llvm_struct "struct.env_md_ctx_st");
// Precondition: `digest_ptr` is a pointer to a const `env_md_st` struct
// satisfying the `points_to_env_md_st` specification
digest_ptr <- crucible_alloc_readonly (llvm_struct "struct.env_md_st");
points_to_env_md_st digest_ptr;
// Precondition: `sha512_ctx_ptr` is a pointer to a `sha512_state_st` struct
// Precondition: `sha512_ctx` is a fresh Cryptol SHAState
// Precondition: `sha512_ctx_ptr` matches `sha512_ctx`.
(sha512_ctx, sha512_ctx_ptr) <- pointer_to_fresh_sha512_state_st_array "sha512_ctx";
// Precondition: the buffered byte count `n` is strictly below
// `SHA512_CBLOCK`. Contexts with a larger `n` are outside this spec, so the
// proof makes no claim about calls on such a context.
crucible_precond {{ sha512_ctx.n < `SHA512_CBLOCK }};
// Precondition: Struct pointed to by `ctx_ptr` points to `digest_ptr` and
// `sha512_ctx_ptr`.
points_to_env_md_ctx_st ctx_ptr digest_ptr sha512_ctx_ptr;
// Precondition: `len` is a fresh 64-bit value with no bound stated here,
// `data` is a fresh array associated with `len`, and `data_ptr` points to
// `data` (read-only).
len <- crucible_fresh_var "len" i64;
(data, data_ptr) <- ptr_to_fresh_array_readonly "data" len;
// Call function with `ctx_ptr`, `data_ptr`, and `len` as arguments.
crucible_execute_func [ctx_ptr, data_ptr, (crucible_term len)];
// Postcondition: The function has not changed the variable that decides the AVX+shrd code path
global_points_to "OPENSSL_ia32cap_P" {{ ia32cap }};
// Postcondition: The context `sha512_ctx_ptr` points to matches the result
// of executing the cryptol function `SHAUpdate_Array` on `sha512_ctx`,
// `data` and `len`.
let res = {{ SHAUpdate_Array sha512_ctx data len }};
// h, n and sz must equal the Cryptol result directly; the block is bound to
// the fresh `block'` and related to `res.block` by the postcondition below.
block' <- crucible_fresh_cryptol_var "block'" {| ByteArray |};
points_to_sha512_state_st_array sha512_ctx_ptr {{ { h = res.h, block = block', n = res.n, sz = res.sz } }};
// NOTE(review): presumably requires `block'` and `res.block` to agree on
// `SHA512_CBLOCK` entries starting at offset 0 in each -- confirm the
// argument order of `arrayRangeEq`.
crucible_postcond {{ arrayRangeEq block' 0 res.block 0 `SHA512_CBLOCK }};
// Postcondition: Struct pointed to by `ctx_ptr` points to `digest_ptr` and
// `sha512_ctx_ptr`.
points_to_env_md_ctx_st ctx_ptr digest_ptr sha512_ctx_ptr;
// Postcondition: The function returns 1
crucible_return (crucible_term {{ 1 : [32] }});
};
// Array-model variant of the common EVP_DigestFinal spec.
//   is_ex      - when true the context struct is allocated read-only,
//                otherwise writable
//   withLength - whether the length output pointer is non-null
let EVP_DigestFinalCommon_array_spec is_ex withLength = do {
// Precondition: `OPENSSL_ia32cap_P` holds `ia32cap`; the result only applies
// to that capability vector.
global_alloc_init "OPENSSL_ia32cap_P" {{ ia32cap }};
// Precondition: md_out_ptr is allocated and correct length, and
// s_ptr is null or points to an int.
(md_out_ptr, s_ptr) <- digestOut_pre withLength;
// Precondition: `ctx_ptr` points to an `env_md_ctx_st` struct.
// NOTE(review): presumably writable in the non-`_ex` case because that
// function also modifies the context -- confirm against the C source.
ctx_ptr <- if is_ex then do {
crucible_alloc_readonly (llvm_struct "struct.env_md_ctx_st");
} else do {
crucible_alloc (llvm_struct "struct.env_md_ctx_st");
};
// Precondition: `digest_ptr` points to a const `env_md_st` struct satisfying
// the `points_to_env_md_st` specification.
digest_ptr <- crucible_alloc_readonly (llvm_struct "struct.env_md_st");
points_to_env_md_st digest_ptr;
// Precondition: `sha512_ctx_ptr` is a pointer to a `sha512_state_st` struct
// Precondition: `sha512_ctx` is a fresh Cryptol SHAState
// Precondition: `sha512_ctx_ptr` matches `sha512_ctx`.
(sha512_ctx, sha512_ctx_ptr) <- pointer_to_fresh_sha512_state_st_array "sha512_ctx";
// Precondition: the buffered byte count `n` is strictly below
// `SHA512_CBLOCK`. Contexts with a larger `n` are outside this spec.
crucible_precond {{ sha512_ctx.n < `SHA512_CBLOCK }};
// Precondition: Struct pointed to by `ctx_ptr` points to `digest_ptr` and
// `sha512_ctx_ptr`.
points_to_env_md_ctx_st ctx_ptr digest_ptr sha512_ctx_ptr;
// Call function with `ctx_ptr`, `md_out_ptr`, and `s_ptr`
crucible_execute_func [ctx_ptr, md_out_ptr, s_ptr];
// Postcondition: The function has not changed `OPENSSL_ia32cap_P`
global_points_to "OPENSSL_ia32cap_P" {{ ia32cap }};
// Postcondition: The data pointed to by `md_out_ptr` matches the message
// digest returned by the Cryptol function `SHAFinal_Array`, split into
// `SHA_DIGEST_LENGTH` elements to match the byte array at `md_out_ptr`.
// (Only `split` is applied here; no reverse or join appears in the term.)
// If length output is used, s_ptr points to correct length.
// NOTE(review): no postcondition constrains the contents of `ctx_ptr` or
// `sha512_ctx_ptr` after the call, so this spec by itself says nothing about
// the state left behind (for example whether the hash state is wiped) --
// confirm whether that is covered elsewhere.
digestOut_post withLength md_out_ptr s_ptr
(crucible_term {{ split`{SHA_DIGEST_LENGTH} (SHAFinal_Array sha512_ctx) }});
// Postcondition: The function returns 1
crucible_return (crucible_term {{ 1 : [32] }});
};
// Partial applications of `EVP_DigestFinalCommon_array_spec`; the remaining
// parameter is `withLength`.
// is_ex = true: the context struct is allocated read-only.
let EVP_DigestFinal_ex_array_spec = EVP_DigestFinalCommon_array_spec true;
// is_ex = false: the context struct is allocated writable.
let EVP_DigestFinal_array_spec = EVP_DigestFinalCommon_array_spec false;