firedancer/src/disco/keyguard/fd_keyguard_proofs.c at 962e442d97c5108d2a665ba56768448f7fa7b8fe · firedancer-io/firedancer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
#include <stdlib.h>
#include "../../util/fd_util.h"
#include "fd_keyguard_authorize.c"
#include "fd_keyguard_match.c"

#if !defined(CBMC)
#error "Intended to only be used from CBMC"
#endif

void
fd_log_private_1( int          level,
                  long         now,
                  char const * path,
                  char const * file_name,
                  int          line,
                  char const * func,
                  char const * msg ) {}


void
fd_log_private_2( int          level,
                  long         now,
                  char const * path,
                  char const * file_name,
                  int          line,
                  char const * func,
                  char const * msg ) __attribute__((noreturn)) {
  __CPROVER_assert( 0, "Error log used" );
}

long
fd_log_wallclock( void ) {
  long t;
  return t;
}

char const *
fd_log_private_0( char const * fmt, ... ) {
  (void)fmt;
  return "";
}

/* Formally shows how, given any input (within the size constraint),
  fd_keyguard_payload_match() will not match two payload types,
  with the exception of known ambiguity of [gossip,repair] and
  [shred,ping]. */
void
match( void ) {
  uchar data[ FD_KEYGUARD_SIGN_REQ_MTU ];
  ulong sz;

  __CPROVER_assume( sz >= 0 && sz <= FD_KEYGUARD_SIGN_REQ_MTU );

  int sign_type;
  ulong payload_mask = fd_keyguard_payload_match( data, sz, sign_type );

  int matches = fd_ulong_popcnt( payload_mask );

  /* Matches the special casing done in fd_keyguard_payload_authorize() */
  int is_gossip_repair =
    0==( payload_mask &
        (~( FD_KEYGUARD_PAYLOAD_GOSSIP |
            FD_KEYGUARD_PAYLOAD_REPAIR ) ) );
  int is_shred_ping =
    0==( payload_mask &
        (~( FD_KEYGUARD_PAYLOAD_SHRED |
            FD_KEYGUARD_PAYLOAD_PING  ) ) );

  if     ( is_gossip_repair ) __CPROVER_assert( matches <= 2, "gossip conflict");
  else if( is_shred_ping    ) __CPROVER_assert( matches <= 2, "shred conflict");
  else                        __CPROVER_assert( matches <= 1, "no conflicts" );
}

/* Shows how given any input of any size, fd_keyguard_payload_authorize() will
  have defined behaviour and return a sane result. */
void
authorize( void ) {
  ulong size;
  int sign_type;
  int role;
  uchar * data = malloc( size );
  __CPROVER_assume( data != NULL );

  fd_keyguard_authority_t authority;
  int res = fd_keyguard_payload_authorize( &authority, data, size, role, sign_type );
  __CPROVER_assert( res==0 || res==1, "authorize proof" );
}


void
cbmc_main( void ) {
  match();
  authorize();
}