m

Author: ajewellamz

DynamoDbEncryption/dafny/DynamoDbEncryption/src/DDBSupport.dfy

@@ -266,7 +266,7 @@ module DynamoDBSupport {
         req.FilterExpression,
         req.ExpressionAttributeNames,
         req.ExpressionAttributeValues);
-        SequenceIsSafeBecauseItIsInMemory(newItems);
+      SequenceIsSafeBecauseItIsInMemory(newItems);
       :- Need(|newItems| as uint64 < INT32_MAX_LIMIT as uint64, DynamoDbEncryptionUtil.E("This is impossible."));
       var trimmedItems := Seq.Map(i => DoRemoveBeacons(i), newItems);
       var count :=
@@ -336,7 +336,7 @@ module DynamoDBSupport {
         req.FilterExpression,
         req.ExpressionAttributeNames,
         req.ExpressionAttributeValues);
-        SequenceIsSafeBecauseItIsInMemory(newItems);
+      SequenceIsSafeBecauseItIsInMemory(newItems);
       :- Need(|newItems| as uint64 < INT32_MAX_LIMIT as uint64, DynamoDbEncryptionUtil.E("This is impossible."));
       var trimmedItems := Seq.Map(i => DoRemoveBeacons(i), newItems);
       var count :=

DynamoDbEncryption/dafny/DynamoDbEncryption/src/DynamoToStruct.dfy

@@ -596,7 +596,7 @@ module DynamoToStruct {
     ensures ret.Success? ==> |ret.value| == LENGTH_LEN
     ensures ret == U32ToBigEndian(x as nat)
   {
-    if !HasUint32Size(x) then
+    if x > 0xffff_ffff then
       Failure("Length was too big")
     else
       Success(UInt32ToSeq(x as uint32))

DynamoDbEncryption/dafny/DynamoDbEncryption/src/TermLoc.dfy

@@ -45,38 +45,40 @@ module TermLoc {
   type TermLoc = x : seq<Selector> | ValidTermLoc(x) witness *
   predicate method ValidTermLoc(s : seq<Selector>)
   {
-    && 0 < |s|
-    && s[0].Map?
+    SequenceIsSafeBecauseItIsInMemory(s);
+    && 0 < |s| as uint64
+    && s[0 as uint32].Map?
   }
 
   function method TermLocToString(t : TermLoc) : string
   {
-    t[0].key + SelectorListToString(t[1..])
+    t[0 as uint32].key + SelectorListToString(t[1 as uint32..])
   }
   function method SelectorListToString(s : SelectorList) : string
   {
-    if |s| == 0 then
+    SequenceIsSafeBecauseItIsInMemory(s);
+    if |s| as uint64 == 0 then
       ""
-    else if s[0].Map? then
-      "." + s[0].key + SelectorListToString(s[1..])
+    else if s[0 as uint32].Map? then
+      "." + s[0 as uint32].key + SelectorListToString(s[1 as uint32..])
     else
-      "[" + String.Base10Int2String(s[0].pos as int) + "]" + SelectorListToString(s[1..])
+      "[" + String.Base10Int2String(s[0 as uint32].pos as int) + "]" + SelectorListToString(s[1 as uint32..])
   }
 
   // return true if item does not have the given terminal
   predicate method LacksAttribute(t : TermLoc, item : DDB.AttributeMap)
   {
-    t[0].key !in item
+    t[0 as uint32].key !in item
   }
 
   // return the AttributeValue for the given terminal in the given item
   function method TermToAttr(t : TermLoc, item : DDB.AttributeMap, names : Option<DDB.ExpressionAttributeNameMap>)
     : Option<DDB.AttributeValue>
   {
-    if t[0].key !in item then
+    if t[0 as uint32].key !in item then
       None
     else
-      var res := GetTerminal(item[t[0].key], t[1..], names);
+      var res := GetTerminal(item[t[0 as uint32].key], t[1 as uint32..], names);
       if res.Success? then
         Some(res.value)
       else
@@ -115,7 +117,8 @@ module TermLoc {
   )
     : Result<DDB.AttributeValue, Error>
   {
-    if |parts| == 0 then
+    SequenceIsSafeBecauseItIsInMemory(parts);
+    if |parts| as uint64 == 0 then
       Success(v)
     else
       match v {
@@ -128,22 +131,23 @@ module TermLoc {
         case BOOL(b) => Failure(E("Found boolean with parts left over."))
         case NULL(n) => Failure(E("Found null with parts left over."))
         case L(l) =>
-          if !parts[0].List? then
+          SequenceIsSafeBecauseItIsInMemory(l);
+          if !parts[0 as uint32].List? then
             Failure(E("Tried to access list with key"))
-          else if |l| <= parts[0].pos as int then
+          else if |l| as uint64 <= parts[0 as uint32].pos then
             Failure(E("Tried to access beyond the end of the list"))
           else
-            GetTerminal(l[parts[0].pos], parts[1..], names)
+            GetTerminal(l[parts[0 as uint32].pos], parts[1 as uint32..], names)
         case M(m) =>
-          if !parts[0].Map? then
+          if !parts[0 as uint32].Map? then
             Failure(E("Tried to access map with index"))
-          else if parts[0].key !in m then
-            if names.Some? && parts[0].key in names.value && names.value[parts[0].key] in m then
-              GetTerminal(m[names.value[parts[0].key]], parts[1..], names)
+          else if parts[0 as uint32].key !in m then
+            if names.Some? && parts[0 as uint32].key in names.value && names.value[parts[0 as uint32].key] in m then
+              GetTerminal(m[names.value[parts[0 as uint32].key]], parts[1 as uint32..], names)
             else
-              Failure(E("Tried to access " + parts[0].key + " which is not in the map."))
+              Failure(E("Tried to access " + parts[0 as uint32].key + " which is not in the map."))
           else
-            GetTerminal(m[parts[0].key], parts[1..], names)
+            GetTerminal(m[parts[0 as uint32].key], parts[1 as uint32..], names)
       }
   }
 
@@ -207,13 +211,13 @@ module TermLoc {
     SequenceIsSafeBecauseItIsInMemory(s);
     if |s| as uint64 == pos then
       Success(acc)
-    else if '0' <= s[0] <= '9' then
+    else if '0' <= s[0 as uint32] <= '9' then
       if acc < 0xfff_ffff_ffff_ffff then
-        GetNumber(s, acc * 10 + s[0] as uint64 - '0' as uint64, Add(pos, 1))
+        GetNumber(s, acc * 10 + s[0 as uint32] as uint64 - '0' as uint64, Add(pos, 1))
       else
         Failure(E("Number is too big for list index : " + s))
     else
-      Failure(E("Unexpected character in number : " + [s[0]]))
+      Failure(E("Unexpected character in number : " + [s[0 as uint32]]))
   }
 
   // convert string to Selector
@@ -231,15 +235,15 @@ module TermLoc {
               && (s[0] == '.' ==> ret.value.Map?)
               && (s[0] == '[' ==> ret.value.List?)
   {
-    if s[0] == '.' then
-      Success(Map(s[1..]))
+    SequenceIsSafeBecauseItIsInMemory(s);
+    if s[0 as uint32] == '.' then
+      Success(Map(s[1 as uint32..]))
     else
-    if s[|s|-1] != ']' then
+    if s[|s| as uint64 - 1] != ']' then
       Failure(E("List index must end with ]"))
     else
-      var num :- GetNumber(s[1..|s|-1]);
-      :- Need(num < UINT64_LIMIT, E("Array selector exceeds maximum."));
-      Success(List(num as uint64))
+      var num :- GetNumber(s[1 as uint32..|s| as uint64 - 1]);
+      Success(List(num))
   }
 
   // convert string to SelectorList
@@ -248,10 +252,9 @@ module TermLoc {
     requires |s| > 0 && (s[0] == '.' || s[0] == '[')
   {
     SequenceIsSafeBecauseItIsInMemory(s);
-    var pos := FindStartOfNext(s[1..]);
+    var pos := FindStartOfNext(s[1 as uint32..]);
     var end := if pos.None? then |s| as uint64 else Add(pos.value, 1);
     var sel : Selector :- GetSelector(s[..end]);
-    :- Need(HasUint64Size(|acc|+1), E("Selector Overflow"));
     if pos.None? then
       Success(acc + [sel])
     else
@@ -263,15 +266,15 @@ module TermLoc {
     : (ret : Result<TermLoc, Error>)
     ensures ret.Success? ==> 0 < |ret.value|
   {
-    :- Need(0 < |s|, E("Path specification must not be empty."));
+    SequenceIsSafeBecauseItIsInMemory(s);
+    :- Need(0 < |s| as uint64, E("Path specification must not be empty."));
     var pos := FindStartOfNext(s);
     if pos.None? then
       var m := Map(s);
       Success([Map(s)])
     else
       var name := s[..pos.value];
       var selectors :- GetSelectors(s[pos.value..]);
-      :- Need(HasUint64Size(|selectors|+1), E("Selector Overflow"));
       Success([Map(name)] + selectors)
   }
 

DynamoDbEncryption/dafny/StructuredEncryption/src/AwsCryptographyDbEncryptionSdkStructuredEncryptionOperations.dfy

@@ -824,8 +824,8 @@ module AwsCryptographyDbEncryptionSdkStructuredEncryptionOperations refines Abst
       cmm,
       Some(encryptionContext),
       input.algorithmSuiteId,
-      CountEncrypted(canonData) as nat,
-      SumValueSize(canonData) as nat);
+      CountEncrypted(canonData),
+      SumValueSize(canonData));
 
     var key : Key := mat.plaintextDataKey.value;
     var alg := mat.algorithmSuite;
@@ -854,7 +854,7 @@ module AwsCryptographyDbEncryptionSdkStructuredEncryptionOperations refines Abst
     var headerAttribute := ValueToData(headerSerialized, BYTES_TYPE_ID);
 
     SequenceIsSafeBecauseItIsInMemory(canonData);
-    :- Need(|canonData| as uint64 < Crypt.ONE_THIRD_MAX_INT32 as uint64, E("Too many encrypted fields"));
+    :- Need(|canonData| as uint64 < Crypt.ONE_THIRD_MAX_INT as uint64, E("Too many encrypted fields"));
     // input canonData has all input fields, none encrypted
     // output canonData has all input fields, some encrypted
     var encryptedItems : CanonCryptoList :- Crypt.Encrypt(config.primitives, alg, key, head, canonData, input.tableName, input.plaintextStructure);

DynamoDbEncryption/dafny/StructuredEncryption/src/Crypt.dfy

@@ -30,9 +30,8 @@ module StructuredEncryptionCrypt {
     // import Relations
   import opened Canonize
 
-  const ONE_THIRD_MAX_INT := 1431655765
-  const ONE_THIRD_MAX_INT32 : uint32 := ONE_THIRD_MAX_INT as uint32
-  
+  const ONE_THIRD_MAX_INT : uint32 := 1431655765
+
   function method FieldKey(HKDFOutput : Bytes, offset : uint32)
     : (ret : Result<Bytes, Error>)
     requires |HKDFOutput| == KeySize
@@ -42,13 +41,13 @@ module StructuredEncryptionCrypt {
               //# The `FieldKey` for a given key and offset MUST be the first 44 bytes
               //# of the aes256ctr_stream
               //# of the `FieldRootKey` and the `FieldKeyNonce` of three times the given offset.
-              && offset < ONE_THIRD_MAX_INT32
+              && offset < ONE_THIRD_MAX_INT
               && |ret.value| == KeySize+NonceSize
               && |ret.value| == 44
               && AesKdfCtr.Stream(FieldKeyNonce(offset * 3), HKDFOutput, (KeySize+NonceSize) as uint32).Success?
               && ret.value == AesKdfCtr.Stream(FieldKeyNonce(offset * 3), HKDFOutput, (KeySize+NonceSize) as uint32).value
   {
-    :- Need(offset < ONE_THIRD_MAX_INT32, E("Too many encrypted fields."));
+    :- Need(offset < ONE_THIRD_MAX_INT, E("Too many encrypted fields."));
     var keyR := AesKdfCtr.Stream(FieldKeyNonce(offset * 3), HKDFOutput, (KeySize64+NonceSize64) as uint32);
     keyR.MapFailure(e => AwsCryptographyPrimitives(e))
   }
@@ -399,10 +398,11 @@ module StructuredEncryptionCrypt {
   {
     var result : CanonCryptoList := [];
     var pos : uint32 := 0;
-    :- Need(|data| < UINT32_LIMIT, E("Too many fields."));
-    for i := 0 to |data|
+    SequenceIsSafeBecauseItIsInMemory(data);
+    :- Need(|data| as uint64 < UINT32_LIMIT as uint64, E("Too many fields."));
+    for i : uint64 := 0 to |data| as uint64
       invariant pos <= (i as uint32)
-      invariant |result| == i
+      invariant |result| == i as nat
       invariant forall x | 0 <= x < |result| :: Updated(data[x], result[x], mode)
     {
       if data[i].action == ENCRYPT_AND_SIGN {

DynamoDbEncryption/dafny/StructuredEncryption/src/Footer.dfy

@@ -159,8 +159,8 @@ module StructuredEncryptionFooter {
   function method GetCanonicalType(value : StructuredDataTerminal, isEncrypted : bool)
     : Result<Bytes, Error>
   {
-      SequenceIsSafeBecauseItIsInMemory(value.value);
-      var value_len : uint64 := |value.value| as uint64;
+    SequenceIsSafeBecauseItIsInMemory(value.value);
+    var value_len : uint64 := |value.value| as uint64;
     if isEncrypted then
       :- Need(2 <= value_len, E("Bad length."));
       Success(UInt64ToSeq((value_len - 2) as uint64) + ENCRYPTED)

DynamoDbEncryption/dafny/StructuredEncryption/src/Paths.dfy

@@ -58,22 +58,22 @@ module StructuredEncryptionPaths {
     requires ValidPath(path)
 
     ensures  HasUint64Len(path) && ret ==
-            //= specification/structured-encryption/header.md#canonical-path
-            //= type=implication
-            //# The canonical path MUST start with the UTF8 encoded table name.
-            UTF8.Encode(table).value
-            //= specification/structured-encryption/header.md#canonical-path
-            //= type=implication
-            //# This MUST be followed by the depth of the Terminal within Structured Data.
-            + UInt64ToSeq(|path| as uint64)
-            //= specification/structured-encryption/header.md#canonical-path
-            //= type=implication
-            //# This MUST be followed by the encoding for each Structured Data in the path, including the Terminal itself.
-            + MakeCanonicalPath(path)
+                                   //= specification/structured-encryption/header.md#canonical-path
+                                   //= type=implication
+                                   //# The canonical path MUST start with the UTF8 encoded table name.
+                                   UTF8.Encode(table).value
+                                   //= specification/structured-encryption/header.md#canonical-path
+                                   //= type=implication
+                                   //# This MUST be followed by the depth of the Terminal within Structured Data.
+                                   + UInt64ToSeq(|path| as uint64)
+                                   //= specification/structured-encryption/header.md#canonical-path
+                                   //= type=implication
+                                   //# This MUST be followed by the encoding for each Structured Data in the path, including the Terminal itself.
+                                   + MakeCanonicalPath(path)
   {
     SequenceIsSafeBecauseItIsInMemory(path);
     var tableName := UTF8.Encode(table).value;
-    var depth := UInt64ToSeq(|path| as uint64);  
+    var depth := UInt64ToSeq(|path| as uint64);
     var path := MakeCanonicalPath(path);
     tableName + depth + path
   }