12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034(* Copyright 2021 Diskuv, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. *)(* Auto-generated using code from <dirsp-exchange>/src-proscript/proscript-messaging/ps2pv/ast2ocaml.ml *)includeKobeissi_bhargavan_blanchet_intfmoduleMake(ProScript:Dirsp_proscript.S):PROTOCOLwithtypet=ProScript.t=structtypet=ProScript.ttypet_aes_decrypted=ProScript.Crypto.aes_decryptedincludeKobeissi_bhargavan_blanchet_shims.Make(ProScript)moduleType_key=structletconstruct=(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:11.18-11.22: <unknown expression>
The resolution to the problem was:
The ps2ocaml translator has automatically inserted a call to a 'shim'
function. The shim function will be defined in the accompanying
_shims.ml file. Since that function is hand-written, please be sure
to review the full definition of that shim function.
*)shim_Type_key_constructlettoBitstringa=ProScript.concat[ProScript.of_string"";ProScript.Encoding.b2h(ProScript.elem_ata0);ProScript.Encoding.b2h(ProScript.elem_ata1);ProScript.Encoding.b2h(ProScript.elem_ata2);ProScript.Encoding.b2h(ProScript.elem_ata3);ProScript.Encoding.b2h(ProScript.elem_ata4);ProScript.Encoding.b2h(ProScript.elem_ata5);ProScript.Encoding.b2h(ProScript.elem_ata6);ProScript.Encoding.b2h(ProScript.elem_ata7);ProScript.Encoding.b2h(ProScript.elem_ata8);ProScript.Encoding.b2h(ProScript.elem_ata9);ProScript.Encoding.b2h(ProScript.elem_ata10);ProScript.Encoding.b2h(ProScript.elem_ata11);ProScript.Encoding.b2h(ProScript.elem_ata12);ProScript.Encoding.b2h(ProScript.elem_ata13);ProScript.Encoding.b2h(ProScript.elem_ata14);ProScript.Encoding.b2h(ProScript.elem_ata15);ProScript.Encoding.b2h(ProScript.elem_ata16);ProScript.Encoding.b2h(ProScript.elem_ata17);ProScript.Encoding.b2h(ProScript.elem_ata18);ProScript.Encoding.b2h(ProScript.elem_ata19);ProScript.Encoding.b2h(ProScript.elem_ata20);ProScript.Encoding.b2h(ProScript.elem_ata21);ProScript.Encoding.b2h(ProScript.elem_ata22);ProScript.Encoding.b2h(ProScript.elem_ata23);ProScript.Encoding.b2h(ProScript.elem_ata24);ProScript.Encoding.b2h(ProScript.elem_ata25);ProScript.Encoding.b2h(ProScript.elem_ata26);ProScript.Encoding.b2h(ProScript.elem_ata27);ProScript.Encoding.b2h(ProScript.elem_ata28);ProScript.Encoding.b2h(ProScript.elem_ata29);ProScript.Encoding.b2h(ProScript.elem_ata30);ProScript.Encoding.b2h(ProScript.elem_ata31)]letfromBitstringa=ProScript.Encoding.hexStringTo32ByteArrayaletxasserta=ProScript.of_elem_list[ProScript.elem_ata0;ProScript.elem_ata1;ProScript.elem_ata2;ProScript.elem_ata3;ProScript.elem_ata4;ProScript.elem_ata5;ProScript.elem_ata6;ProScript.elem_ata7;ProScript.elem_ata8;ProScript.elem_ata9;ProScript.elem_ata10;ProScript.elem_ata11;ProScript.elem_ata12;ProScript.elem_ata13;ProScript.elem_ata14;ProScript.elem_ata15;ProScript.elem_ata16;ProScript.elem_ata17;ProScript.elem_ata18;ProScript.elem_ata19;ProScript.elem_ata20;ProScript.elem_ata21;ProScript.elem_ata22;ProScript.elem_ata23;ProScript.elem_ata24;ProScript.elem_ata25;ProScript.elem_ata26;ProScript.elem_ata27;ProScript.elem_ata28;ProScript.elem_ata29;ProScript.elem_ata30;ProScript.elem_ata31]letclonea=ProScript.of_elem_list[ProScript.elem_ata0;ProScript.elem_ata1;ProScript.elem_ata2;ProScript.elem_ata3;ProScript.elem_ata4;ProScript.elem_ata5;ProScript.elem_ata6;ProScript.elem_ata7;ProScript.elem_ata8;ProScript.elem_ata9;ProScript.elem_ata10;ProScript.elem_ata11;ProScript.elem_ata12;ProScript.elem_ata13;ProScript.elem_ata14;ProScript.elem_ata15;ProScript.elem_ata16;ProScript.elem_ata17;ProScript.elem_ata18;ProScript.elem_ata19;ProScript.elem_ata20;ProScript.elem_ata21;ProScript.elem_ata22;ProScript.elem_ata23;ProScript.elem_ata24;ProScript.elem_ata25;ProScript.elem_ata26;ProScript.elem_ata27;ProScript.elem_ata28;ProScript.elem_ata29;ProScript.elem_ata30;ProScript.elem_ata31]endmoduleType_iv=structletconstruct=(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:84.18-84.22: <unknown expression>
The resolution to the problem was:
The ps2ocaml translator has automatically inserted a call to a 'shim'
function. The shim function will be defined in the accompanying
_shims.ml file. Since that function is hand-written, please be sure
to review the full definition of that shim function.
*)shim_Type_iv_constructlettoBitstringa=ProScript.concat[ProScript.of_string"";ProScript.Encoding.b2h(ProScript.elem_ata0);ProScript.Encoding.b2h(ProScript.elem_ata1);ProScript.Encoding.b2h(ProScript.elem_ata2);ProScript.Encoding.b2h(ProScript.elem_ata3);ProScript.Encoding.b2h(ProScript.elem_ata4);ProScript.Encoding.b2h(ProScript.elem_ata5);ProScript.Encoding.b2h(ProScript.elem_ata6);ProScript.Encoding.b2h(ProScript.elem_ata7);ProScript.Encoding.b2h(ProScript.elem_ata8);ProScript.Encoding.b2h(ProScript.elem_ata9);ProScript.Encoding.b2h(ProScript.elem_ata10);ProScript.Encoding.b2h(ProScript.elem_ata11)]letfromBitstringa=ProScript.Encoding.hexStringTo12ByteArrayaletxasserta=ProScript.of_elem_list[ProScript.elem_ata0;ProScript.elem_ata1;ProScript.elem_ata2;ProScript.elem_ata3;ProScript.elem_ata4;ProScript.elem_ata5;ProScript.elem_ata6;ProScript.elem_ata7;ProScript.elem_ata8;ProScript.elem_ata9;ProScript.elem_ata10;ProScript.elem_ata11]endmoduleType_msg=structletconstruct()={valid=false;ephemeralKey=Type_key.construct();initEphemeralKey=Type_key.construct();ciphertext=ProScript.of_string"";iv=Type_iv.construct();tag=ProScript.of_string"";preKeyId=0}letxasserta=let(_:bool)=(* no-op statement-by-statement equivalence *)a.validin();a.ephemeralKey<-Type_key.xasserta.ephemeralKey;a.initEphemeralKey<-Type_key.xasserta.initEphemeralKey;let(_:t)=(* no-op statement-by-statement equivalence *)a.ciphertextin();a.iv<-Type_iv.xasserta.iv;let(_:t)=(* no-op statement-by-statement equivalence *)a.tagin();(*check s+t for overflow and underflow*)lets=a.preKeyIdinlett=1inifs>0thenift<=Int.max_int-sthen()elseraise(Invalid_argument(Format.sprintf"(a.preKeyId+1)=(%d+%d) will overflow"st))elseifs<0thenift>=Int.min_int-sthen()elseraise(Invalid_argument(Format.sprintf"(a.preKeyId+1)=(%d+%d) will underflow"st));aendmoduleType_keypair=structletconstruct()={priv=Type_key.construct();pub=Type_key.construct()}letxasserta=a.priv<-Type_key.xasserta.priv;a.pub<-Type_key.xasserta.pub;aletclonea=letb=construct()inb.priv<-Type_key.clonea.priv;b.pub<-Type_key.clonea.pub;bendmoduleType_them=structletconstruct()={signedPreKey=Type_key.construct();signedPreKeySignature=ProScript.of_string"";identityKey=Type_key.construct();identityDHKey=Type_key.construct();myEphemeralKeyP0=Type_keypair.construct();myEphemeralKeyP1=Type_keypair.construct();ephemeralKey=Type_key.construct();myPreKey=Type_keypair.construct();preKey=Type_key.construct();preKeyId=0;recvKeys=[|Type_key.construct();Type_key.construct()|];sendKeys=[|Type_key.construct();Type_key.construct()|];shared=Type_key.construct();established=false}letxasserta=a.signedPreKey<-Type_key.xasserta.signedPreKey;a.signedPreKeySignature<-ProScript.concat[a.signedPreKeySignature;ProScript.of_string""];a.identityKey<-Type_key.xasserta.identityKey;a.identityDHKey<-Type_key.xasserta.identityDHKey;a.myEphemeralKeyP0<-Type_keypair.xasserta.myEphemeralKeyP0;a.myEphemeralKeyP1<-Type_keypair.xasserta.myEphemeralKeyP1;a.ephemeralKey<-Type_key.xasserta.ephemeralKey;a.myPreKey<-Type_keypair.xasserta.myPreKey;a.preKey<-Type_key.xasserta.preKey;(*check s+t for overflow and underflow*)lets=a.preKeyIdinlett=1inifs>0thenift<=Int.max_int-sthen()elseraise(Invalid_argument(Format.sprintf"(a.preKeyId+1)=(%d+%d) will overflow"st))elseifs<0thenift>=Int.min_int-sthen()elseraise(Invalid_argument(Format.sprintf"(a.preKeyId+1)=(%d+%d) will underflow"st));Array.seta.recvKeys0(Type_key.xasserta.recvKeys.(0));Array.seta.recvKeys1(Type_key.xasserta.recvKeys.(1));Array.seta.sendKeys0(Type_key.xasserta.sendKeys.(0));Array.seta.sendKeys1(Type_key.xasserta.sendKeys.(1));a.shared<-Type_key.xasserta.shared;let(_:bool)=(* no-op statement-by-statement equivalence *)a.establishedin();aendmoduleType_sendoutput=structletconstruct()={them=Type_them.construct();output=Type_msg.construct()}letxassert(a:trecord_sendoutput)=a.them<-Type_them.xasserta.them;a.output<-Type_msg.xasserta.output;aendmoduleType_recvoutput=structletconstruct()={them=Type_them.construct();output=Type_msg.construct();plaintext=ProScript.of_string""}letxasserta=a.them<-Type_them.xasserta.them;a.output<-Type_msg.xasserta.output;let(_:t)=(* no-op statement-by-statement equivalence *)a.plaintextin();aendmoduleUTIL=structletxHKDFikmsaltinfo=letprk=ProScript.Crypto.xHMACSHA256salt(Type_key.toBitstringikm)inletk0=ProScript.Crypto.xHMACSHA256prk(ProScript.concat[info;ProScript.of_string"01"])inletk1=ProScript.Crypto.xHMACSHA256prk(ProScript.concat[Type_key.toBitstringk0;info;ProScript.of_string"02"])in[|k0;k1|]letxQDHInitmyIdentityKeyPrivmyInitEphemeralKeyPrivtheirIdentityKeyPubtheirSignedPreKeyPubtheirPreKeyPub=Type_key.fromBitstring(ProScript.Crypto.xSHA256(ProScript.concat[Type_key.toBitstring(ProScript.Crypto.xDH25519myIdentityKeyPrivtheirSignedPreKeyPub);Type_key.toBitstring(ProScript.Crypto.xDH25519myInitEphemeralKeyPrivtheirIdentityKeyPub);Type_key.toBitstring(ProScript.Crypto.xDH25519myInitEphemeralKeyPrivtheirSignedPreKeyPub);Type_key.toBitstring(ProScript.Crypto.xDH25519myInitEphemeralKeyPrivtheirPreKeyPub)]))letxQDHRespmyIdentityKeyPrivmySignedPreKeyPrivmyPreKeyPrivtheirIdentityKeyPubtheirEphemeralKeyPub=Type_key.fromBitstring(ProScript.Crypto.xSHA256(ProScript.concat[Type_key.toBitstring(ProScript.Crypto.xDH25519mySignedPreKeyPrivtheirIdentityKeyPub);Type_key.toBitstring(ProScript.Crypto.xDH25519myIdentityKeyPrivtheirEphemeralKeyPub);Type_key.toBitstring(ProScript.Crypto.xDH25519mySignedPreKeyPrivtheirEphemeralKeyPub);Type_key.toBitstring(ProScript.Crypto.xDH25519myPreKeyPrivtheirEphemeralKeyPub)]))letnewIdentityKeyid=letidentityKeyPriv=ProScript.Crypto.random32Bytes(ProScript.concat[ProScript.of_string"aID";id])inType_keypair.xassert{priv=identityKeyPriv;pub=ProScript.Crypto.ED25519.publicKeyidentityKeyPriv}letnewKeyPair=(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:301.42-301.46: <unknown expression>
The resolution to the problem was:
The ps2ocaml translator has automatically inserted a call to a 'shim'
function. The shim function will be defined in the accompanying
_shims.ml file. Since that function is hand-written, please be sure
to review the full definition of that shim function.
*)shim_UTIL_newKeyPairletgetDHPublicKey=(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:310.42-310.46: <unknown expression>
The resolution to the problem was:
The ps2ocaml translator has automatically inserted a call to a 'shim'
function. The shim function will be defined in the accompanying
_shims.ml file. Since that function is hand-written, please be sure
to review the full definition of that shim function.
*)shim_UTIL_getDHPublicKeyendmoduleRATCHET=structletderiveSendKeys(them:trecord_them)myEphemeralKeyPriv=letkShared=ProScript.Crypto.xDH25519myEphemeralKeyPrivthem.ephemeralKeyinletsendKeys=UTIL.xHKDFkSharedthem.recvKeys.(0)(ProScript.of_string"WhisperRatchet")inletkKeys=UTIL.xHKDF(ProScript.Crypto.xHMACSHA256sendKeys.(1)(ProScript.of_string"1"))(Type_key.construct())(ProScript.of_string"WhisperMessageKeys")in{sendKeys;kENC=kKeys.(0)}letderiveRecvKeysmyShare(them:trecord_them)theirEphemeralKeyPub=letkShared=ProScript.Crypto.xDH25519mySharetheirEphemeralKeyPubinletrecvKeys=UTIL.xHKDFkSharedthem.sendKeys.(0)(ProScript.of_string"WhisperRatchet")inletkKeys=UTIL.xHKDF(ProScript.Crypto.xHMACSHA256recvKeys.(1)(ProScript.of_string"1"))(Type_key.construct())(ProScript.of_string"WhisperMessageKeys")in{recvKeys;kENC=kKeys.(0)}lettryDecryptmyIdentityKeymyEphemeralKey(them:trecord_them)(msg:trecord_msg)=letkeys=deriveRecvKeysmyEphemeralKey.priv(Type_them.xassertthem)msg.ephemeralKeyinlethENC=Type_key.fromBitstring(ProScript.Crypto.xSHA256(ProScript.concat[Type_key.toBitstringkeys.kENC;Type_iv.toBitstringmsg.iv]))inletaes=ProScript.Crypto.xAESGCMDecrypthENCmsg.iv{ciphertext=msg.ciphertext;tag=msg.tag}(ProScript.concat[Type_key.toBitstringmsg.initEphemeralKey;Type_key.toBitstringmsg.ephemeralKey;Type_key.toBitstringmyEphemeralKey.pub;Type_key.toBitstringthem.identityKey;Type_key.toBitstringmyIdentityKey.pub])inaesendmoduleHANDLE=structletxAKENeededmyIdentityKeyinitEphemeralKey(them:trecord_them)=letshared=UTIL.xQDHInitmyIdentityKey.privinitEphemeralKey.privthem.identityDHKeythem.signedPreKeythem.preKeyinletrecvKeys=UTIL.xHKDFshared(Type_key.construct())(ProScript.of_string"WhisperRatchet")inletvalidSig=ProScript.Crypto.ED25519.checkValidthem.signedPreKeySignature(Type_key.toBitstringthem.signedPreKey)them.identityKeyin{signedPreKey=them.signedPreKey;signedPreKeySignature=them.signedPreKeySignature;identityKey=them.identityKey;identityDHKey=them.identityDHKey;myEphemeralKeyP0=them.myEphemeralKeyP0;myEphemeralKeyP1=them.myEphemeralKeyP1;ephemeralKey=them.ephemeralKey;myPreKey=them.myPreKey;preKey=them.preKey;preKeyId=them.preKeyId;recvKeys;sendKeys=them.sendKeys;shared;established=validSig}letxAKEInitmyIdentityKeymySignedPreKey(them:trecord_them)(msg:trecord_msg)=letshared=UTIL.xQDHRespmyIdentityKey.privmySignedPreKey.privthem.myPreKey.privthem.identityDHKeymsg.initEphemeralKeyinletsendKeys=UTIL.xHKDFshared(Type_key.construct())(ProScript.of_string"WhisperRatchet")in{signedPreKey=them.signedPreKey;signedPreKeySignature=them.signedPreKeySignature;identityKey=them.identityKey;identityDHKey=them.identityDHKey;myEphemeralKeyP0=them.myEphemeralKeyP0;myEphemeralKeyP1=them.myEphemeralKeyP1;ephemeralKey=them.ephemeralKey;myPreKey=them.myPreKey;preKey=them.preKey;preKeyId=msg.preKeyId;recvKeys=them.recvKeys;sendKeys;shared;established=true}letsendingmyIdentityKey(them:trecord_them)initEphemeralKeyPubplaintext=letkeys=RATCHET.deriveSendKeys(Type_them.xassertthem)them.myEphemeralKeyP1.privinletiv=Type_iv.xassert(ProScript.Crypto.random12Bytes(ProScript.of_string"a1"))inlethENC=Type_key.fromBitstring(ProScript.Crypto.xSHA256(ProScript.concat[Type_key.toBitstringkeys.kENC;Type_iv.toBitstringiv]))inletenc=ProScript.Crypto.xAESGCMEncrypthENCivplaintext(ProScript.concat[Type_key.toBitstringinitEphemeralKeyPub;Type_key.toBitstringthem.myEphemeralKeyP1.pub;Type_key.toBitstringthem.ephemeralKey;Type_key.toBitstringmyIdentityKey.pub;Type_key.toBitstringthem.identityKey])in{them={signedPreKey=them.signedPreKey;signedPreKeySignature=them.signedPreKeySignature;identityKey=them.identityKey;identityDHKey=them.identityDHKey;myEphemeralKeyP0=them.myEphemeralKeyP0;myEphemeralKeyP1=them.myEphemeralKeyP1;ephemeralKey=them.ephemeralKey;myPreKey=them.myPreKey;preKey=them.preKey;preKeyId=them.preKeyId;recvKeys=them.recvKeys;sendKeys=them.sendKeys;shared=them.shared;established=them.established};output={valid=them.established;ephemeralKey=them.myEphemeralKeyP1.pub;initEphemeralKey=initEphemeralKeyPub;ciphertext=enc.ciphertext;iv;tag=enc.tag;preKeyId=them.preKeyId}}letreceivingmyIdentityKey(them:trecord_them)(msg:trecord_msg)=letthem=Type_them.xassertthemin(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:478.0-480.3: The ProScript function could not be automatically
translated. The local variable mutations used in this function were
too complex for ps2ocaml to handle; ps2ocaml is intentionally kept
simple (auditable) and will fail with this error for safety. The
ps2ocaml user can 1. Rewrite the offending ProScript code in static
single assignment style so the assignment counts = [ dec=2 them=1 ]
is either empty or all ones. Offending problem location
The resolution to the problem was:
The ps2ocaml user has chosen to override the above problem. If you
are auditing or reviewing, review the OCaml variable mutation
immediately below and compare it to the original ProScript.
ProScript/JavaScript mutations change the value of variables, but
ps2ocaml will only generate OCaml code that creats a new variable. So
if there are _any_ conditional jumps over a mutation statement (ex.
a=a+1 within a loop) then the OCaml code will be unsafe and you
should fail the review
*)letdec=RATCHET.tryDecryptmyIdentityKeythem.myEphemeralKeyP1themmsginifdec.validthen(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:482.0-509.4: The ProScript 'return' statement could not be
automatically translated because ps2ocaml applies conservative
rules to detect whether a translation can occur. The rule for
'return' statements is that the enclosing function must be either
'let in' or sequential semicolon safe. To detect 'let in' safety
the return value must be a terminal expression. To detect
sequential semicolon safety, there can be no local variable
mutations in the enclosing function and it must also satisfy the
'let in' conditions. The ps2ocaml user can 1. Switch your ProScript
code to have the return statement as the last statement -or- 2.
Rewrite the offending ProScript code in static single assignment
style so the assignment counts = [ dec=2 them=1 ] is either empty
or all ones. Offending problem location
The resolution to the problem was:
The ps2ocaml user has chosen to override the above problem. If you
are auditing or reviewing, review the OCaml expression immediately
below to make sure it RETURNS the expression result from the
function. If there is _any_ subsequent expression executed _after_
the OCaml expression, then fail the review. Formatting the code
with ocp-indent or ocamlformat will help visually separate the
expressions
*){them={signedPreKey=them.signedPreKey;signedPreKeySignature=them.signedPreKeySignature;identityKey=them.identityKey;identityDHKey=them.identityDHKey;myEphemeralKeyP0=them.myEphemeralKeyP1;myEphemeralKeyP1=UTIL.newKeyPair(ProScript.of_string"a4");ephemeralKey=msg.ephemeralKey;myPreKey=them.myPreKey;preKey=them.preKey;preKeyId=msg.preKeyId;recvKeys=them.recvKeys;sendKeys=them.sendKeys;shared=them.shared;established=them.established};output={valid=dec.valid&&them.established;ephemeralKey=Type_key.construct();initEphemeralKey=Type_key.construct();ciphertext=ProScript.of_string"";iv=Type_iv.construct();tag=ProScript.of_string"";preKeyId=msg.preKeyId};plaintext=dec.plaintext}else(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:512.3-512.6: The ProScript function could not be
automatically translated. The local variable mutations used in this
function were too complex for ps2ocaml to handle; ps2ocaml is
intentionally kept simple (auditable) and will fail with this error
for safety. The ps2ocaml user can 1. Rewrite the offending
ProScript code in static single assignment style so the assignment
counts = [ dec=2 them=1 ] is either empty or all ones. Offending
problem location
The resolution to the problem was:
The ps2ocaml user has chosen to override the above problem. If you
are auditing or reviewing, review the OCaml variable mutation
immediately below and compare it to the original ProScript.
ProScript/JavaScript mutations change the value of variables, but
ps2ocaml will only generate OCaml code that creats a new variable.
So if there are _any_ conditional jumps over a mutation statement
(ex. a=a+1 within a loop) then the OCaml code will be unsafe and
you should fail the review
*)letdec=RATCHET.tryDecryptmyIdentityKeythem.myEphemeralKeyP0themmsgin(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:515.0-542.4: The ProScript 'return' statement could not be
automatically translated because ps2ocaml applies conservative
rules to detect whether a translation can occur. The rule for
'return' statements is that the enclosing function must be either
'let in' or sequential semicolon safe. To detect 'let in' safety
the return value must be a terminal expression. To detect
sequential semicolon safety, there can be no local variable
mutations in the enclosing function and it must also satisfy the
'let in' conditions. The ps2ocaml user can 1. Switch your ProScript
code to have the return statement as the last statement -or- 2.
Rewrite the offending ProScript code in static single assignment
style so the assignment counts = [ dec=2 them=1 ] is either empty
or all ones. Offending problem location
The resolution to the problem was:
The ps2ocaml user has chosen to override the above problem. If you
are auditing or reviewing, review the OCaml expression immediately
below to make sure it RETURNS the expression result from the
function. If there is _any_ subsequent expression executed _after_
the OCaml expression, then fail the review. Formatting the code
with ocp-indent or ocamlformat will help visually separate the
expressions
*){them={signedPreKey=them.signedPreKey;signedPreKeySignature=them.signedPreKeySignature;identityKey=them.identityKey;identityDHKey=them.identityDHKey;myEphemeralKeyP0=them.myEphemeralKeyP0;myEphemeralKeyP1=them.myEphemeralKeyP1;ephemeralKey=msg.ephemeralKey;myPreKey=them.myPreKey;preKey=them.preKey;preKeyId=msg.preKeyId;recvKeys=them.recvKeys;sendKeys=them.sendKeys;shared=them.shared;established=them.established};output={valid=dec.valid&&them.established;ephemeralKey=Type_key.construct();initEphemeralKey=Type_key.construct();ciphertext=ProScript.of_string"";iv=Type_iv.construct();tag=ProScript.of_string"";preKeyId=msg.preKeyId};plaintext=dec.plaintext}endmoduleTOPLEVEL=structletnewSessionmySignedPreKeymyPreKeytheirIdentityKeyPubtheirIdentityDHKeyPubtheirSignedPreKeyPubtheirSignedPreKeySignaturetheirPreKeyPubpreKeyId={signedPreKey=Type_key.fromBitstringtheirSignedPreKeyPub;signedPreKeySignature=theirSignedPreKeySignature;identityKey=Type_key.fromBitstringtheirIdentityKeyPub;identityDHKey=Type_key.fromBitstringtheirIdentityDHKeyPub;myEphemeralKeyP0=Type_keypair.xassertmySignedPreKey;myEphemeralKeyP1=UTIL.newKeyPair(ProScript.of_string"a2");ephemeralKey=Type_key.fromBitstringtheirSignedPreKeyPub;myPreKey=Type_keypair.xassertmyPreKey;preKey=Type_key.fromBitstringtheirPreKeyPub;preKeyId=preKeyId+0;recvKeys=[|Type_key.construct();Type_key.construct()|];sendKeys=[|Type_key.construct();Type_key.construct()|];shared=Type_key.construct();established=false}letsendmyIdentityKey(them:trecord_them)plaintext=letmyIdentityKey=Type_keypair.xassertmyIdentityKeyinletthem=Type_them.xassertthemin(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:574.0-577.3: The ProScript function could not be automatically
translated. The local variable mutations used in this function were
too complex for ps2ocaml to handle; ps2ocaml is intentionally kept
simple (auditable) and will fail with this error for safety. The
ps2ocaml user can 1. Rewrite the offending ProScript code in static
single assignment style so the assignment counts = [
initEphemeralKey=2 myIdentityKey=1 them=1 ] is either empty or all
ones. Offending problem location
The resolution to the problem was:
The ps2ocaml user has chosen to override the above problem. If you
are auditing or reviewing, review the OCaml variable mutation
immediately below and compare it to the original ProScript.
ProScript/JavaScript mutations change the value of variables, but
ps2ocaml will only generate OCaml code that creats a new variable. So
if there are _any_ conditional jumps over a mutation statement (ex.
a=a+1 within a loop) then the OCaml code will be unsafe and you
should fail the review
*)letinitEphemeralKey={priv=Type_key.construct();pub=Type_key.construct()}inifthem.established=falsethen(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:579.16-579.19: The ProScript function could not be
automatically translated. The local variable mutations used in this
function were too complex for ps2ocaml to handle; ps2ocaml is
intentionally kept simple (auditable) and will fail with this error
for safety. The ps2ocaml user can 1. Rewrite the offending
ProScript code in static single assignment style so the assignment
counts = [ initEphemeralKey=2 myIdentityKey=1 them=1 ] is either
empty or all ones. Offending problem location
The resolution to the problem was:
The ps2ocaml user has chosen to override the above problem. If you
are auditing or reviewing, review the OCaml variable mutation
immediately below and compare it to the original ProScript.
ProScript/JavaScript mutations change the value of variables, but
ps2ocaml will only generate OCaml code that creats a new variable.
So if there are _any_ conditional jumps over a mutation statement
(ex. a=a+1 within a loop) then the OCaml code will be unsafe and
you should fail the review
*)letinitEphemeralKey=UTIL.newKeyPair(ProScript.of_string"a3")in(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:580.0-585.4: The ProScript 'return' statement could not be
automatically translated because ps2ocaml applies conservative
rules to detect whether a translation can occur. The rule for
'return' statements is that the enclosing function must be either
'let in' or sequential semicolon safe. To detect 'let in' safety
the return value must be a terminal expression. To detect
sequential semicolon safety, there can be no local variable
mutations in the enclosing function and it must also satisfy the
'let in' conditions. The ps2ocaml user can 1. Switch your ProScript
code to have the return statement as the last statement -or- 2.
Rewrite the offending ProScript code in static single assignment
style so the assignment counts = [ initEphemeralKey=2
myIdentityKey=1 them=1 ] is either empty or all ones. Offending
problem location
The resolution to the problem was:
The ps2ocaml user has chosen to override the above problem. If you
are auditing or reviewing, review the OCaml expression immediately
below to make sure it RETURNS the expression result from the
function. If there is _any_ subsequent expression executed _after_
the OCaml expression, then fail the review. Formatting the code
with ocp-indent or ocamlformat will help visually separate the
expressions
*)HANDLE.sendingmyIdentityKey(HANDLE.xAKENeededmyIdentityKeyinitEphemeralKeythem)initEphemeralKey.pubplaintextelse(*
----------------
AUDIT NOTICE
----------------
The line and column of the original text that caused the problem with its programmatic description is:
sp.js:587.0-592.4: The ProScript 'return' statement could not be
automatically translated because ps2ocaml applies conservative
rules to detect whether a translation can occur. The rule for
'return' statements is that the enclosing function must be either
'let in' or sequential semicolon safe. To detect 'let in' safety
the return value must be a terminal expression. To detect
sequential semicolon safety, there can be no local variable
mutations in the enclosing function and it must also satisfy the
'let in' conditions. The ps2ocaml user can 1. Switch your ProScript
code to have the return statement as the last statement -or- 2.
Rewrite the offending ProScript code in static single assignment
style so the assignment counts = [ initEphemeralKey=2
myIdentityKey=1 them=1 ] is either empty or all ones. Offending
problem location
The resolution to the problem was:
The ps2ocaml user has chosen to override the above problem. If you
are auditing or reviewing, review the OCaml expression immediately
below to make sure it RETURNS the expression result from the
function. If there is _any_ subsequent expression executed _after_
the OCaml expression, then fail the review. Formatting the code
with ocp-indent or ocamlformat will help visually separate the
expressions
*)HANDLE.sendingmyIdentityKeythem(Type_key.construct())plaintextletrecvmyIdentityKeymySignedPreKey(them:trecord_them)(msg:trecord_msg)=letmyIdentityKey=Type_keypair.xassertmyIdentityKeyinletmySignedPreKey=Type_keypair.xassertmySignedPreKeyinletthem=Type_them.xasserttheminletmsg=Type_msg.xassertmsginifthem.established=falsethenHANDLE.receivingmyIdentityKey(HANDLE.xAKEInitmyIdentityKeymySignedPreKeythemmsg)msgelseHANDLE.receivingmyIdentityKeythemmsgendend