From 39c45ce83357da202151d7919293f3e5f83c345b Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan
Date: Fri, 5 Apr 2024 08:35:55 +0200
Subject: [PATCH] patches
---
proofs/fstar/bertie-lax.patch | 787 -----
proofs/fstar/extraction-lax.patch | 2225 ++++++++++++
proofs/fstar/extraction-panic-free.patch | 3948 ++++++++++++++++++++++
proofs/fstar/patches.sh | 85 +
4 files changed, 6258 insertions(+), 787 deletions(-)
delete mode 100644 proofs/fstar/bertie-lax.patch
create mode 100644 proofs/fstar/extraction-lax.patch
create mode 100644 proofs/fstar/extraction-panic-free.patch
create mode 100755 proofs/fstar/patches.sh
diff --git a/proofs/fstar/bertie-lax.patch b/proofs/fstar/bertie-lax.patch
deleted file mode 100644
index e64b82b..0000000
--- a/proofs/fstar/bertie-lax.patch
+++ /dev/null
@@ -1,787 +0,0 @@ -diff --git a/proofs/fstar/bertie-lax.patch b/proofs/fstar/bertie-lax.patch -index 5a9461a..e69de29 100644 ---- a/proofs/fstar/bertie-lax.patch -+++ b/proofs/fstar/bertie-lax.patch -@@ -1,150 +0,0 @@ --diff --git a/proofs/fstar/extraction/Bertie.Tls13crypto.fsti b/proofs/fstar/extraction/Bertie.Tls13crypto.fsti --index 70b4e34..4e2e9ce 100644 ----- a/proofs/fstar/extraction/Bertie.Tls13crypto.fsti --+++ b/proofs/fstar/extraction/Bertie.Tls13crypto.fsti --@@ -46,10 +46,12 @@ val t_SignatureScheme_cast_to_repr (x: t_SignatureScheme) -- val valid_rsa_exponent (e: Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) -- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -- --+(* -- val impl__HashAlgorithm__libcrux_algorithm (self: t_HashAlgorithm) -- : Prims.Pure (Core.Result.t_Result Libcrux.Digest.t_Algorithm u8) -- Prims.l_True -- (fun _ -> Prims.l_True) --+*) -- -- val impl__HashAlgorithm__hash_len (self: t_HashAlgorithm) -- : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) --@@ -57,6 +59,7 @@ val impl__HashAlgorithm__hash_len (self: t_HashAlgorithm) -- val impl__HashAlgorithm__hmac_tag_len (self: t_HashAlgorithm) -- : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) -- --+(* -- val hkdf_algorithm (alg: t_HashAlgorithm) -- : Prims.Pure (Core.Result.t_Result Libcrux.Hkdf.t_Algorithm u8) -- Prims.l_True --@@ -76,6 +79,7 @@ val impl__KemScheme__libcrux_algorithm (self: t_KemScheme) -- : Prims.Pure (Core.Result.t_Result Libcrux.Kem.t_Algorithm u8) -- Prims.l_True -- (fun _ -> Prims.l_True) --+*) -- -- type t_Algorithms = { -- f_hash:t_HashAlgorithm; --@@ -336,10 +340,12 @@ val sign -- Prims.l_True -- (fun _ -> Prims.l_True) -- --+(* -- val supported_rsa_key_size (n: Bertie.Tls13utils.t_Bytes) -- : Prims.Pure (Core.Result.t_Result Libcrux.Signature.Rsa_pss.t_RsaPssKeySize u8) -- Prims.l_True -- (fun _ -> Prims.l_True) --+*) -- -- val sign_rsa -- (#impl_916461611_: Type) --@@ -488,9 +494,10 @@ type t_AeadKey = { -- f_alg:t_AeadAlgorithm -- } -- --+(* 
-- val impl__AeadKey__as_libcrux_key (self: t_AeadKey) -- : Prims.Pure (Core.Result.t_Result Libcrux.Aead.t_Key u8) Prims.l_True (fun _ -> Prims.l_True) --- --+*) -- val impl__AeadKey__new (bytes: Bertie.Tls13utils.t_Bytes) (alg: t_AeadAlgorithm) -- : Prims.Pure t_AeadKey Prims.l_True (fun _ -> Prims.l_True) -- --diff --git a/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst b/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst --index 94b6b13..5bbc6f1 100644 ----- a/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst --+++ b/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst --@@ -244,8 +244,8 @@ let impl__HandshakeData__from_bytes -- Core.Result.t_Result t_HandshakeData u8 -- | Core.Result.Result_Err err -> -- Core.Result.Result_Err err <: Core.Result.t_Result t_HandshakeData u8 --- ---let impl__HandshakeData__find_handshake_message --+ --+let rec impl__HandshakeData__find_handshake_message -- (self: t_HandshakeData) -- (handshake_type: t_HandshakeType) -- (start: usize) --diff --git a/proofs/fstar/extraction/Bertie.Tls13formats.fst b/proofs/fstar/extraction/Bertie.Tls13formats.fst --index d5e231f..40e68b3 100644 ----- a/proofs/fstar/extraction/Bertie.Tls13formats.fst --+++ b/proofs/fstar/extraction/Bertie.Tls13formats.fst --@@ -1190,7 +1190,7 @@ let check_handshake_record (p: Bertie.Tls13utils.t_Bytes) = -- (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8) -- (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8)) -- ---let check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = --+let rec check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = -- match check_server_extension algs b with -- | Core.Result.Result_Ok (len, out) -> -- if len =. 
(Core.Slice.impl__len b <: usize) --@@ -1440,7 +1440,7 @@ let encrypted_extensions (v__algs: Bertie.Tls13crypto.t_Algorithms) = -- <: -- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 -- ---let find_key_share (g: Bertie.Tls13utils.t_Bytes) (ch: t_Slice u8) = --+let rec find_key_share (g: Bertie.Tls13utils.t_Bytes) (ch: t_Slice u8) = -- if (Core.Slice.impl__len ch <: usize) <. sz 4 -- then Bertie.Tls13utils.tlserr (Bertie.Tls13utils.parse_failed () <: u8) -- else --@@ -2209,7 +2209,7 @@ let parse_server_hello -- -- let server_certificate (v__algs: Bertie.Tls13crypto.t_Algorithms) (cert: Bertie.Tls13utils.t_Bytes) = -- match --- Bertie.Tls13utils.encode_length_u8 (Rust_primitives.unsize (let list = [] in --+ Bertie.Tls13utils.encode_length_u8 (Rust_primitives.unsize (let list : list u8 = [] in -- FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 0); -- Rust_primitives.Hax.array_of_list 0 list) -- <: --@@ -2437,7 +2437,7 @@ let impl__Transcript__transcript_hash_without_client_hello -- <: -- Bertie.Tls13utils.t_Bytes) -- ---let check_extensions_slice (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = --+let rec check_extensions_slice (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = -- match check_extension algs b with -- | Core.Result.Result_Ok (len, out) -> -- if len =. 
(Core.Slice.impl__len b <: usize) --@@ -2949,3 +2949,4 @@ let parse_client_hello -- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & -- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & -- usize) u8)) --+ --diff --git a/proofs/fstar/extraction/Bertie.Tls13record.fst b/proofs/fstar/extraction/Bertie.Tls13record.fst --index a15f719..6f434c9 100644 ----- a/proofs/fstar/extraction/Bertie.Tls13record.fst --+++ b/proofs/fstar/extraction/Bertie.Tls13record.fst --@@ -54,7 +54,7 @@ let derive_iv_ctr (iv: Bertie.Tls13utils.t_Bytes) (n: u64) = -- in -- iv_ctr -- ---let padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) = --+let rec padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) = -- if n >. sz 0 && (Bertie.Tls13utils.f_declassify (b.[ n -! sz 1 <: usize ] <: u8) <: u8) =. 0uy -- then sz 1 +! (padlen b (n -! sz 1 <: usize) <: usize) -- else sz 0 --diff --git a/proofs/fstar/extraction/Bertie.Tls13utils.fsti b/proofs/fstar/extraction/Bertie.Tls13utils.fsti --index f839107..f6973d6 100644 ----- a/proofs/fstar/extraction/Bertie.Tls13utils.fsti --+++ b/proofs/fstar/extraction/Bertie.Tls13utils.fsti --@@ -262,6 +262,14 @@ let impl_22: Core.Ops.Index.t_Index t_Bytes (Core.Ops.Range.t_Range usize) = -- f_index = fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> self._0.[ x ] -- } -- --+[@@ FStar.Tactics.Typeclasses.tcinstance] --+let upd_22: Rust_primitives.Hax.update_at_tc t_Bytes usize = --+ { --+ super_index = impl_21; --+ update_at = fun s (i:usize{v i < Seq.length s._0}) x -> Bytes (Seq.upd s._0 (v i) x) --+ } --+ --+ -- val bytes (x: t_Slice u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) -- -- val bytes1 (x: u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) -diff --git a/proofs/fstar/extraction/Bertie.Tls13crypto.fsti b/proofs/fstar/extraction/Bertie.Tls13crypto.fsti -index 70b4e34..4e2e9ce 100644 ---- a/proofs/fstar/extraction/Bertie.Tls13crypto.fsti -+++ b/proofs/fstar/extraction/Bertie.Tls13crypto.fsti -@@ -46,10 +46,12 @@ val 
t_SignatureScheme_cast_to_repr (x: t_SignatureScheme) - val valid_rsa_exponent (e: Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - -+(* - val impl__HashAlgorithm__libcrux_algorithm (self: t_HashAlgorithm) - : Prims.Pure (Core.Result.t_Result Libcrux.Digest.t_Algorithm u8) - Prims.l_True - (fun _ -> Prims.l_True) -+*) - - val impl__HashAlgorithm__hash_len (self: t_HashAlgorithm) - : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) -@@ -57,6 +59,7 @@ val impl__HashAlgorithm__hash_len (self: t_HashAlgorithm) - val impl__HashAlgorithm__hmac_tag_len (self: t_HashAlgorithm) - : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) - -+(* - val hkdf_algorithm (alg: t_HashAlgorithm) - : Prims.Pure (Core.Result.t_Result Libcrux.Hkdf.t_Algorithm u8) - Prims.l_True -@@ -76,6 +79,7 @@ val impl__KemScheme__libcrux_algorithm (self: t_KemScheme) - : Prims.Pure (Core.Result.t_Result Libcrux.Kem.t_Algorithm u8) - Prims.l_True - (fun _ -> Prims.l_True) -+*) - - type t_Algorithms = { - f_hash:t_HashAlgorithm; -@@ -336,10 +340,12 @@ val sign - Prims.l_True - (fun _ -> Prims.l_True) - -+(* - val supported_rsa_key_size (n: Bertie.Tls13utils.t_Bytes) - : Prims.Pure (Core.Result.t_Result Libcrux.Signature.Rsa_pss.t_RsaPssKeySize u8) - Prims.l_True - (fun _ -> Prims.l_True) -+*) - - val sign_rsa - (#impl_916461611_: Type) -@@ -488,9 +494,10 @@ type t_AeadKey = { - f_alg:t_AeadAlgorithm - } - -+(* - val impl__AeadKey__as_libcrux_key (self: t_AeadKey) - : Prims.Pure (Core.Result.t_Result Libcrux.Aead.t_Key u8) Prims.l_True (fun _ -> Prims.l_True) -- -+*) - val impl__AeadKey__new (bytes: Bertie.Tls13utils.t_Bytes) (alg: t_AeadAlgorithm) - : Prims.Pure t_AeadKey Prims.l_True (fun _ -> Prims.l_True) - -diff --git a/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst b/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst -index 94b6b13..5bbc6f1 100644 ---- 
a/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst -+++ b/proofs/fstar/extraction/Bertie.Tls13formats.Handshake_data.fst -@@ -244,8 +244,8 @@ let impl__HandshakeData__from_bytes - Core.Result.t_Result t_HandshakeData u8 - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result t_HandshakeData u8 -- --let impl__HandshakeData__find_handshake_message -+ -+let rec impl__HandshakeData__find_handshake_message - (self: t_HandshakeData) - (handshake_type: t_HandshakeType) - (start: usize) -diff --git a/proofs/fstar/extraction/Bertie.Tls13formats.fst b/proofs/fstar/extraction/Bertie.Tls13formats.fst -index d5e231f..7d3782e 100644 ---- a/proofs/fstar/extraction/Bertie.Tls13formats.fst -+++ b/proofs/fstar/extraction/Bertie.Tls13formats.fst -@@ -47,8 +47,6 @@ let t_ContentType_cast_to_repr (x: t_ContentType) = - | ContentType_Handshake -> discriminant_ContentType_Handshake - | ContentType_ApplicationData -> discriminant_ContentType_ApplicationData - --let foofoooo (_: Prims.unit) = cast (discriminant_ContentType_Handshake +! 
0uy <: u8) <: u8 -- - let application_data_instead_of_handshake (_: Prims.unit) = - Core.Result.Result_Err Bertie.Tls13utils.v_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE - <: -@@ -935,6 +933,29 @@ let psk_key_exchange_modes (_: Prims.unit) = - | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 - -+let get_psk_extensions -+ (algorithms: Bertie.Tls13crypto.t_Algorithms) -+ (session_ticket extensions: Bertie.Tls13utils.t_Bytes) -+ = -+ match psk_key_exchange_modes () with -+ | Core.Result.Result_Ok pskm -> -+ (match pre_shared_key algorithms session_ticket with -+ | Core.Result.Result_Ok (psk, len) -> -+ let extensions:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__concat (Bertie.Tls13utils.impl__Bytes__concat extensions -+ pskm -+ <: -+ Bertie.Tls13utils.t_Bytes) -+ psk -+ in -+ Core.Result.Result_Ok (len, extensions <: (usize & Bertie.Tls13utils.t_Bytes)) -+ <: -+ Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8 -+ | Core.Result.Result_Err err -> -+ Core.Result.Result_Err err <: Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8) -+ | Core.Result.Result_Err err -> -+ Core.Result.Result_Err err <: Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8 -+ - let supported_versions (_: Prims.unit) = - match - Bertie.Tls13utils.encode_length_u8 (Rust_primitives.unsize (let list = -@@ -1190,7 +1211,7 @@ let check_handshake_record (p: Bertie.Tls13utils.t_Bytes) = - (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8) - (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8)) - --let check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = -+let rec check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = - match check_server_extension algs b with - | Core.Result.Result_Ok (len, out) -> - if len =. 
(Core.Slice.impl__len b <: usize) -@@ -1290,73 +1311,102 @@ let client_hello - Bertie.Tls13utils.impl__Bytes__append out key_shares - in - let extensions:Bertie.Tls13utils.t_Bytes = out in -- let trunc_len:usize = sz 0 in -- (match Bertie.Tls13utils.encode_length_u16 extensions with -- | Core.Result.Result_Ok encoded_extensions -> -- let len:usize = -- (Bertie.Tls13utils.impl__Bytes__len version <: usize) +! -- (Bertie.Tls13utils.impl__Bytes__len client_random <: usize) -- in -- let len:usize = -- len +! -- (Bertie.Tls13utils.impl__Bytes__len legacy_session_id <: usize -- ) -- in -- let len:usize = -- len +! -- (Bertie.Tls13utils.impl__Bytes__len cipher_suites <: usize) -- in -- let len:usize = -- len +! -- (Bertie.Tls13utils.impl__Bytes__len compression_methods -- <: -- usize) -- in -- let len:usize = -- len +! -- (Bertie.Tls13utils.impl__Bytes__len encoded_extensions -- <: -- usize) -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__new_alloc len -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out version -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out client_random -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out legacy_session_id -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out cipher_suites -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out compression_methods -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out encoded_extensions -- in -- let handshake_bytes:Bertie.Tls13utils.t_Bytes = out in -- (match -- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes -- (Bertie.Tls13formats.Handshake_data.HandshakeType_ClientHello -+ (match -+ match -+ Bertie.Tls13crypto.impl__Algorithms__psk_mode algorithms, -+ session_ticket -+ <: -+ (bool & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) -+ 
with -+ | true, Core.Option.Option_Some session_ticket -> -+ get_psk_extensions algorithms session_ticket extensions -+ | false, Core.Option.Option_None -> -+ Core.Result.Result_Ok -+ (sz 0, extensions <: (usize & Bertie.Tls13utils.t_Bytes)) -+ <: -+ Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8 -+ | _ -> -+ Bertie.Tls13utils.tlserr Bertie.Tls13utils.v_PSK_MODE_MISMATCH -+ with -+ | Core.Result.Result_Ok (trunc_len, extensions) -> -+ (match Bertie.Tls13utils.encode_length_u16 extensions with -+ | Core.Result.Result_Ok encoded_extensions -> -+ let len:usize = -+ (Bertie.Tls13utils.impl__Bytes__len version <: usize) +! -+ (Bertie.Tls13utils.impl__Bytes__len client_random <: usize -+ ) -+ in -+ let len:usize = -+ len +! -+ (Bertie.Tls13utils.impl__Bytes__len legacy_session_id - <: -- Bertie.Tls13formats.Handshake_data.t_HandshakeType) -- handshake_bytes -- with -- | Core.Result.Result_Ok client_hello -> -- Core.Result.Result_Ok -- (client_hello, trunc_len -- <: -- (Bertie.Tls13formats.Handshake_data.t_HandshakeData & -- usize)) -- <: -- Core.Result.t_Result -- (Bertie.Tls13formats.Handshake_data.t_HandshakeData & -- usize) u8 -+ usize) -+ in -+ let len:usize = -+ len +! -+ (Bertie.Tls13utils.impl__Bytes__len cipher_suites <: usize -+ ) -+ in -+ let len:usize = -+ len +! -+ (Bertie.Tls13utils.impl__Bytes__len compression_methods -+ <: -+ usize) -+ in -+ let len:usize = -+ len +! 
-+ (Bertie.Tls13utils.impl__Bytes__len encoded_extensions -+ <: -+ usize) -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__new_alloc len -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out version -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out client_random -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out -+ legacy_session_id -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out cipher_suites -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out -+ compression_methods -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out -+ encoded_extensions -+ in -+ let handshake_bytes:Bertie.Tls13utils.t_Bytes = out in -+ (match -+ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes -+ (Bertie.Tls13formats.Handshake_data.HandshakeType_ClientHello -+ <: -+ Bertie.Tls13formats.Handshake_data.t_HandshakeType) -+ handshake_bytes -+ with -+ | Core.Result.Result_Ok client_hello -> -+ Core.Result.Result_Ok -+ (client_hello, trunc_len -+ <: -+ (Bertie.Tls13formats.Handshake_data.t_HandshakeData & -+ usize)) -+ <: -+ Core.Result.t_Result -+ (Bertie.Tls13formats.Handshake_data.t_HandshakeData & -+ usize) u8 -+ | Core.Result.Result_Err err -> -+ Core.Result.Result_Err err -+ <: -+ Core.Result.t_Result -+ (Bertie.Tls13formats.Handshake_data.t_HandshakeData & -+ usize) u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: -@@ -1440,7 +1490,7 @@ let encrypted_extensions (v__algs: Bertie.Tls13crypto.t_Algorithms) = - <: - Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 - --let find_key_share (g: Bertie.Tls13utils.t_Bytes) (ch: t_Slice u8) = -+let rec find_key_share (g: Bertie.Tls13utils.t_Bytes) (ch: t_Slice u8) = - if (Core.Slice.impl__len ch <: usize) <. 
sz 4 - then Bertie.Tls13utils.tlserr (Bertie.Tls13utils.parse_failed () <: u8) - else -@@ -2209,7 +2259,7 @@ let parse_server_hello - - let server_certificate (v__algs: Bertie.Tls13crypto.t_Algorithms) (cert: Bertie.Tls13utils.t_Bytes) = - match -- Bertie.Tls13utils.encode_length_u8 (Rust_primitives.unsize (let list = [] in -+ Bertie.Tls13utils.encode_length_u8 (Rust_primitives.unsize (let list: list u8 = [] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 0); - Rust_primitives.Hax.array_of_list 0 list) - <: -@@ -2252,86 +2302,155 @@ let server_certificate (v__algs: Bertie.Tls13crypto.t_Algorithms) (cert: Bertie. - Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 - - let server_hello (algs: Bertie.Tls13crypto.t_Algorithms) (sr sid gy: Bertie.Tls13utils.t_Bytes) = -- let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in -- match -- Bertie.Tls13utils.encode_length_u8 (Bertie.Tls13utils.impl__Bytes__as_raw sid <: t_Slice u8) -- with -- | Core.Result.Result_Ok sid -> -- (match Bertie.Tls13crypto.impl__Algorithms__ciphersuite algs with -- | Core.Result.Result_Ok cip -> -- let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 0uy in -- (match server_key_shares algs (Core.Clone.f_clone gy <: Bertie.Tls13utils.t_Bytes) with -- | Core.Result.Result_Ok ks -> -- (match server_supported_version algs with -- | Core.Result.Result_Ok sv -> -- let exts:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.impl__Bytes__concat ks sv in -- (match Bertie.Tls13utils.encode_length_u16 exts with -- | Core.Result.Result_Ok encoded_extensions -> -- let len:usize = -- (Bertie.Tls13utils.impl__Bytes__len ver <: usize) +! -- (Bertie.Tls13utils.impl__Bytes__len sr <: usize) -- in -- let len:usize = len +! (Bertie.Tls13utils.impl__Bytes__len sid <: usize) in -- let len:usize = len +! (Bertie.Tls13utils.impl__Bytes__len cip <: usize) in -- let len:usize = len +! 
(Bertie.Tls13utils.impl__Bytes__len comp <: usize) in -- let len:usize = -- len +! (Bertie.Tls13utils.impl__Bytes__len encoded_extensions <: usize) -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__new_alloc len -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out ver -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out sr -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out sid -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out cip -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out comp -- in -- let out:Bertie.Tls13utils.t_Bytes = -- Bertie.Tls13utils.impl__Bytes__append out encoded_extensions -+ Rust_primitives.Hax.Control_flow_monad.Mexception.run (let ver:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.bytes2 3uy 3uy -+ in -+ match -+ Bertie.Tls13utils.encode_length_u8 (Bertie.Tls13utils.impl__Bytes__as_raw sid <: t_Slice u8) -+ with -+ | Core.Result.Result_Ok sid -> -+ (match Bertie.Tls13crypto.impl__Algorithms__ciphersuite algs with -+ | Core.Result.Result_Ok cip -> -+ let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 0uy in -+ (match server_key_shares algs (Core.Clone.f_clone gy <: Bertie.Tls13utils.t_Bytes) with -+ | Core.Result.Result_Ok ks -> -+ (match server_supported_version algs with -+ | Core.Result.Result_Ok sv -> -+ let exts:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__concat ks sv - in -- (match -- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_ServerHello -+ let! 
exts:Bertie.Tls13utils.t_Bytes = -+ match Bertie.Tls13crypto.impl__Algorithms__psk_mode algs with -+ | true -> -+ (match server_pre_shared_key algs with -+ | Core.Result.Result_Ok hoist160 -> -+ Core.Ops.Control_flow.ControlFlow_Continue -+ (Bertie.Tls13utils.impl__Bytes__concat exts hoist160) - <: -- Bertie.Tls13formats.Handshake_data.t_HandshakeType) -- out -- with -- | Core.Result.Result_Ok sh -> -- Core.Result.Result_Ok sh -+ Core.Ops.Control_flow.t_ControlFlow -+ (Core.Result.t_Result -+ Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ Bertie.Tls13utils.t_Bytes -+ | Core.Result.Result_Err err -> -+ let! _:Prims.unit = -+ Core.Ops.Control_flow.ControlFlow_Break -+ (Core.Result.Result_Err err -+ <: -+ Core.Result.t_Result -+ Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ <: -+ Core.Ops.Control_flow.t_ControlFlow -+ (Core.Result.t_Result -+ Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ Prims.unit -+ in -+ Core.Ops.Control_flow.ControlFlow_Continue exts -+ <: -+ Core.Ops.Control_flow.t_ControlFlow -+ (Core.Result.t_Result -+ Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ Bertie.Tls13utils.t_Bytes) -+ | false -> -+ Core.Ops.Control_flow.ControlFlow_Continue exts - <: -- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 -+ Core.Ops.Control_flow.t_ControlFlow -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData -+ u8) Bertie.Tls13utils.t_Bytes -+ in -+ Core.Ops.Control_flow.ControlFlow_Continue -+ (match Bertie.Tls13utils.encode_length_u16 exts with -+ | Core.Result.Result_Ok encoded_extensions -> -+ let len:usize = -+ (Bertie.Tls13utils.impl__Bytes__len ver <: usize) +! -+ (Bertie.Tls13utils.impl__Bytes__len sr <: usize) -+ in -+ let len:usize = len +! (Bertie.Tls13utils.impl__Bytes__len sid <: usize) in -+ let len:usize = len +! (Bertie.Tls13utils.impl__Bytes__len cip <: usize) in -+ let len:usize = len +! 
(Bertie.Tls13utils.impl__Bytes__len comp <: usize) in -+ let len:usize = -+ len +! (Bertie.Tls13utils.impl__Bytes__len encoded_extensions <: usize) -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__new_alloc len -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out ver -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out sr -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out sid -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out cip -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out comp -+ in -+ let out:Bertie.Tls13utils.t_Bytes = -+ Bertie.Tls13utils.impl__Bytes__append out encoded_extensions -+ in -+ (match -+ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_ServerHello -+ <: -+ Bertie.Tls13formats.Handshake_data.t_HandshakeType) -+ out -+ with -+ | Core.Result.Result_Ok sh -> -+ Core.Result.Result_Ok sh -+ <: -+ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData -+ u8 -+ | Core.Result.Result_Err err -> -+ Core.Result.Result_Err err -+ <: -+ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData -+ u8) - | Core.Result.Result_Err err -> - Core.Result.Result_Err err - <: - Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ <: -+ Core.Ops.Control_flow.t_ControlFlow -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) - | Core.Result.Result_Err err -> -- Core.Result.Result_Err err -+ Core.Ops.Control_flow.ControlFlow_Continue -+ (Core.Result.Result_Err err -+ <: -+ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) - <: -- Core.Result.t_Result 
Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ Core.Ops.Control_flow.t_ControlFlow -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) - | Core.Result.Result_Err err -> -- Core.Result.Result_Err err -+ Core.Ops.Control_flow.ControlFlow_Continue -+ (Core.Result.Result_Err err -+ <: -+ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) - <: -- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ Core.Ops.Control_flow.t_ControlFlow -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) - | Core.Result.Result_Err err -> -- Core.Result.Result_Err err -+ Core.Ops.Control_flow.ControlFlow_Continue -+ (Core.Result.Result_Err err -+ <: -+ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) - <: -- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ Core.Ops.Control_flow.t_ControlFlow -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) - | Core.Result.Result_Err err -> -- Core.Result.Result_Err err -+ Core.Ops.Control_flow.ControlFlow_Continue -+ (Core.Result.Result_Err err -+ <: -+ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) - <: -- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -- | Core.Result.Result_Err err -> -- Core.Result.Result_Err err -- <: -- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 -+ Core.Ops.Control_flow.t_ControlFlow -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) -+ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) - - let set_client_hello_binder - (ciphersuite: 
Bertie.Tls13crypto.t_Algorithms) -@@ -2437,7 +2556,7 @@ let impl__Transcript__transcript_hash_without_client_hello - <: - Bertie.Tls13utils.t_Bytes) - --let check_extensions_slice (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = -+let rec check_extensions_slice (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = - match check_extension algs b with - | Core.Result.Result_Ok (len, out) -> - if len =. (Core.Slice.impl__len b <: usize) -diff --git a/proofs/fstar/extraction/Bertie.Tls13formats.fsti b/proofs/fstar/extraction/Bertie.Tls13formats.fsti -index fa0cb99..575995c 100644 ---- a/proofs/fstar/extraction/Bertie.Tls13formats.fsti -+++ b/proofs/fstar/extraction/Bertie.Tls13formats.fsti -@@ -234,8 +234,6 @@ let supported_groups__SUPPORTED_GROUPS_PREFIX: t_Array u8 (sz 2) = - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list - --val foofoooo: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -- - val application_data_instead_of_handshake: Prims.unit - -> Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) - -@@ -497,6 +495,13 @@ val psk_key_exchange_modes: Prims.unit - Prims.l_True - (fun _ -> Prims.l_True) - -+val get_psk_extensions -+ (algorithms: Bertie.Tls13crypto.t_Algorithms) -+ (session_ticket extensions: Bertie.Tls13utils.t_Bytes) -+ : Prims.Pure (Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8) -+ Prims.l_True -+ (fun _ -> Prims.l_True) -+ - val supported_versions: Prims.unit - -> Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - Prims.l_True -diff --git a/proofs/fstar/extraction/Bertie.Tls13handshake.fst b/proofs/fstar/extraction/Bertie.Tls13handshake.fst -index 23d43dd..7de7057 100644 ---- a/proofs/fstar/extraction/Bertie.Tls13handshake.fst -+++ b/proofs/fstar/extraction/Bertie.Tls13handshake.fst -@@ -654,7 +654,7 @@ let get_server_signature_no_psk - Bertie.Tls13utils.t_Bytes) - transcript_hash - in -- let rng, 
hoist162:(impl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) -+ let rng, hoist164:(impl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - = - match Bertie.Tls13crypto.impl__Algorithms__signature state.f_ciphersuite with - | Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 -> -@@ -688,7 +688,7 @@ let get_server_signature_no_psk - <: - (impl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) - in -- (match hoist162 with -+ (match hoist164 with - | Core.Result.Result_Ok sig -> - (match Bertie.Tls13formats.certificate_verify state.f_ciphersuite sig with - | Core.Result.Result_Ok scv -> -diff --git a/proofs/fstar/extraction/Bertie.Tls13record.fst b/proofs/fstar/extraction/Bertie.Tls13record.fst -index a15f719..6f434c9 100644 ---- a/proofs/fstar/extraction/Bertie.Tls13record.fst -+++ b/proofs/fstar/extraction/Bertie.Tls13record.fst -@@ -54,7 +54,7 @@ let derive_iv_ctr (iv: Bertie.Tls13utils.t_Bytes) (n: u64) = - in - iv_ctr - --let padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) = -+let rec padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) = - if n >. sz 0 && (Bertie.Tls13utils.f_declassify (b.[ n -! sz 1 <: usize ] <: u8) <: u8) =. 0uy - then sz 1 +! (padlen b (n -! 
sz 1 <: usize) <: usize) - else sz 0 -diff --git a/proofs/fstar/extraction/Bertie.Tls13utils.fsti b/proofs/fstar/extraction/Bertie.Tls13utils.fsti -index f839107..ea32944 100644 ---- a/proofs/fstar/extraction/Bertie.Tls13utils.fsti -+++ b/proofs/fstar/extraction/Bertie.Tls13utils.fsti -@@ -61,8 +61,6 @@ let v_UNSUPPORTED_ALGORITHM: u8 = 1uy - - let v_ZERO_RTT_DISABLED: u8 = 129uy - --val dummy_fn: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -- - val parse_failed: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - - class t_Declassify (v_Self: Type) (v_T: Type) = { -@@ -262,6 +260,14 @@ let impl_22: Core.Ops.Index.t_Index t_Bytes (Core.Ops.Range.t_Range usize) = - f_index = fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> self._0.[ x ] - } - -+[@@ FStar.Tactics.Typeclasses.tcinstance] -+let upd_22: Rust_primitives.Hax.update_at_tc t_Bytes usize = -+ { -+ super_index = impl_21; -+ update_at = fun s (i:usize{v i < Seq.length s._0}) x -> Bytes (Seq.upd s._0 (v i) x) -+ } -+ -+ - val bytes (x: t_Slice u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) - - val bytes1 (x: u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) diff --git a/proofs/fstar/extraction-lax.patch b/proofs/fstar/extraction-lax.patch new file mode 100644 index 0000000..610024d --- /dev/null +++ b/proofs/fstar/extraction-lax.patch 
@@ -0,0 +1,2225 @@ +diff -ruN extraction/Bertie.Tls13crypto.fsti extraction-lax/Bertie.Tls13crypto.fsti +--- extraction/Bertie.Tls13crypto.fsti 2024-04-05 08:35:02 ++++ extraction-lax/Bertie.Tls13crypto.fsti 2024-04-05 08:35:03 +@@ -46,10 +46,12 @@ + val valid_rsa_exponent (e: Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + ++(* + val impl__HashAlgorithm__libcrux_algorithm (self: t_HashAlgorithm) + : Prims.Pure (Core.Result.t_Result Libcrux.Digest.t_Algorithm u8) + Prims.l_True + (fun _ -> Prims.l_True) ++*) + + val impl__HashAlgorithm__hash_len (self: t_HashAlgorithm) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) +@@ -57,6 +59,7 @@ + val impl__HashAlgorithm__hmac_tag_len (self: t_HashAlgorithm) + : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + ++(* + val hkdf_algorithm (alg: t_HashAlgorithm) + : Prims.Pure (Core.Result.t_Result Libcrux.Hkdf.t_Algorithm u8) + Prims.l_True +@@ -76,6 +79,7 @@ + : Prims.Pure (Core.Result.t_Result Libcrux.Kem.t_Algorithm u8) + Prims.l_True + (fun _ -> Prims.l_True) ++*) + + type t_Algorithms = { + f_hash:t_HashAlgorithm; +@@ -336,10 +340,12 @@ + Prims.l_True + (fun _ -> Prims.l_True) + ++(* + val supported_rsa_key_size (n: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Libcrux.Signature.Rsa_pss.t_RsaPssKeySize u8) + Prims.l_True + (fun _ -> Prims.l_True) ++*) + + val sign_rsa + (#impl_916461611_: Type) +@@ -488,9 +494,10 @@ + f_alg:t_AeadAlgorithm + } + ++(* + val impl__AeadKey__as_libcrux_key (self: t_AeadKey) + : Prims.Pure (Core.Result.t_Result Libcrux.Aead.t_Key u8) Prims.l_True (fun _ -> Prims.l_True) +- ++*) + val impl__AeadKey__new (bytes: Bertie.Tls13utils.t_Bytes) (alg: t_AeadAlgorithm) + : Prims.Pure t_AeadKey Prims.l_True (fun _ -> Prims.l_True) + +diff -ruN extraction/Bertie.Tls13formats.Handshake_data.fst extraction-lax/Bertie.Tls13formats.Handshake_data.fst +--- extraction/Bertie.Tls13formats.Handshake_data.fst 2024-04-05 08:35:02 
++++ extraction-lax/Bertie.Tls13formats.Handshake_data.fst 2024-04-05 08:35:03 +@@ -245,7 +245,7 @@ + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result t_HandshakeData u8 + +-let impl__HandshakeData__find_handshake_message ++let rec impl__HandshakeData__find_handshake_message + (self: t_HandshakeData) + (handshake_type: t_HandshakeType) + (start: usize) +diff -ruN extraction/Bertie.Tls13formats.fst extraction-lax/Bertie.Tls13formats.fst +--- extraction/Bertie.Tls13formats.fst 2024-04-05 08:35:02 ++++ extraction-lax/Bertie.Tls13formats.fst 2024-04-05 08:35:03 +@@ -104,16 +104,18 @@ + let check_psk_key_exchange_modes (client_hello: t_Slice u8) = + match Bertie.Tls13utils.check_length_encoding_u8_slice client_hello with + | Core.Result.Result_Ok _ -> +- Bertie.Tls13utils.check_eq_with_slice (Rust_primitives.unsize (let list = ++ Bertie.Tls13utils.check_eq_slice (Rust_primitives.unsize (let list = + [Bertie.Tls13utils.v_U8 1uy <: u8] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + t_Slice u8) +- client_hello +- (sz 1) +- (sz 2) ++ (client_hello.[ { Core.Ops.Range.f_start = sz 1; Core.Ops.Range.f_end = sz 2 } ++ <: ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) + | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result Prims.unit u8 + + let check_supported_versions (client_hello: t_Slice u8) = +@@ -152,7 +154,7 @@ + Core.Result.t_Result (Core.Option.t_Option v_T) u8 + | _ -> Bertie.Tls13utils.tlserr (Bertie.Tls13utils.parse_failed () <: u8) + +-let check_psk_shared_key (algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) = ++let check_psk_shared_key (v__algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) = + match Bertie.Tls13utils.length_u16_encoded ch with + | Core.Result.Result_Ok len_id -> + (match +@@ -191,13 +193,8 @@ + with + | Core.Result.Result_Ok _ -> + if +- (((Core.Slice.impl__len ch <: usize) -! 
sz 5 <: usize) -! len_id <: usize) <>. +- (Bertie.Tls13crypto.impl__HashAlgorithm__hash_len (Bertie.Tls13crypto.impl__Algorithms__hash +- algs +- <: +- Bertie.Tls13crypto.t_HashAlgorithm) +- <: +- usize) ++ (((Core.Slice.impl__len ch <: usize) -! sz 6 <: usize) -! len_id <: usize) <>. ++ sz 32 + then Bertie.Tls13utils.tlserr (Bertie.Tls13utils.parse_failed () <: u8) + else Core.Result.Result_Ok (() <: Prims.unit) <: Core.Result.t_Result Prims.unit u8 + | Core.Result.Result_Err err -> +@@ -233,16 +230,18 @@ + match Bertie.Tls13utils.check_length_encoding_u16_slice extension with + | Core.Result.Result_Ok _ -> + (match +- Bertie.Tls13utils.check_eq_with_slice (Rust_primitives.unsize (let list = ++ Bertie.Tls13utils.check_eq_slice (Rust_primitives.unsize (let list = + [Bertie.Tls13utils.v_U8 0uy <: u8] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + t_Slice u8) +- extension +- (sz 2) +- (sz 3) ++ (extension.[ { Core.Ops.Range.f_start = sz 2; Core.Ops.Range.f_end = sz 3 } ++ <: ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) + with + | Core.Result.Result_Ok _ -> + (match +@@ -278,12 +277,14 @@ + match Bertie.Tls13crypto.impl__Algorithms__supported_group algs with + | Core.Result.Result_Ok hoist21 -> + (match +- Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw hoist21 ++ Bertie.Tls13utils.check_eq_slice (Bertie.Tls13utils.impl__Bytes__as_raw hoist21 + <: + t_Slice u8) +- b +- (sz 0) +- (sz 2) ++ (b.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 2 } ++ <: ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) + with + | Core.Result.Result_Ok _ -> + (match +@@ -316,167 +317,157 @@ + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + + let check_server_extension (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = +- Rust_primitives.Hax.Control_flow_monad.Mexception.run (if +- (Core.Slice.impl__len b <: usize) <. 
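Review bot: In `check_psk_shared_key` (inner hunk `-191,13 +193,8`) the `extraction-lax` side compares the remaining length against a literal `sz 32` after subtracting `sz 6`, where the extraction it is diffed against uses `impl__HashAlgorithm__hash_len` of the supplied algorithms and subtracts `sz 5`; the parameter is also renamed to `v__algs` and is no longer read. This looks like drift in the `extraction-lax` snapshot rather than an edit that lax checking needs, though the intent is not visible here. Applying it would make the patched model accept a different length than the extracted code whenever the hash length is not 32 bytes. I would drop this hunk and keep the `hash_len` comparison, or record in the patch why the constant is intended. The `check_eq_with_slice` → `check_eq_slice` hunks around it (`-104,16`, `-233,16`, `-277,12`) may be the same kind of drift, and the function body continues outside the hunk.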
sz 4 <: bool +- then +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err (Bertie.Tls13utils.parse_failed () <: u8) +- <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- else +- let l0:usize = cast (Bertie.Tls13utils.f_declassify (b.[ sz 0 ] <: u8) <: u8) <: usize in +- let l1:usize = cast (Bertie.Tls13utils.f_declassify (b.[ sz 1 ] <: u8) <: u8) <: usize in +- match +- Bertie.Tls13utils.length_u16_encoded (b.[ { +- Core.Ops.Range.f_start = sz 2; +- Core.Ops.Range.f_end = Core.Slice.impl__len b <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ Rust_primitives.Hax.Control_flow_monad.Mexception.run (let l0:usize = ++ cast (Bertie.Tls13utils.f_declassify (b.[ sz 0 ] <: u8) <: u8) <: usize ++ in ++ let l1:usize = cast (Bertie.Tls13utils.f_declassify (b.[ sz 1 ] <: u8) <: u8) <: usize in ++ match ++ Bertie.Tls13utils.length_u16_encoded (b.[ { ++ Core.Ops.Range.f_start = sz 2; ++ Core.Ops.Range.f_end = Core.Slice.impl__len b <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok len -> +- let out:Core.Option.t_Option Bertie.Tls13utils.t_Bytes = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes +- in +- let! out:Core.Option.t_Option Bertie.Tls13utils.t_Bytes = +- match (cast (l0 <: usize) <: u8), (cast (l1 <: usize) <: u8) <: (u8 & u8) with +- | 0uy, 43uy -> +- (match +- check_server_supported_version algs +- (b.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! 
len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok len -> ++ let out:Core.Option.t_Option Bertie.Tls13utils.t_Bytes = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes ++ in ++ let! out:Core.Option.t_Option Bertie.Tls13utils.t_Bytes = ++ match (cast (l0 <: usize) <: u8), (cast (l1 <: usize) <: u8) <: (u8 & u8) with ++ | 0uy, 43uy -> ++ (match ++ check_server_supported_version algs ++ (b.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok ok -> +- Core.Ops.Control_flow.ControlFlow_Continue out +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- | Core.Result.Result_Err err -> +- let! _:Prims.unit = +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) Prims.unit +- in +- Core.Ops.Control_flow.ControlFlow_Continue out ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok ok -> ++ Core.Ops.Control_flow.ControlFlow_Continue out ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ | Core.Result.Result_Err err -> ++ let! 
_:Prims.unit = ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 ++ ) + <: + Core.Ops.Control_flow.t_ControlFlow + (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) +- | 0uy, 51uy -> +- (match +- check_server_key_share algs +- (b.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ u8) Prims.unit ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue out ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) ++ | 0uy, 51uy -> ++ (match ++ check_server_key_share algs ++ (b.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok gx -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Option.Option_Some gx <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- | Core.Result.Result_Err err -> +- let! 
_:Prims.unit = +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) Prims.unit +- in +- Core.Ops.Control_flow.ControlFlow_Continue out ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok gx -> ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Option.Option_Some gx <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ | Core.Result.Result_Err err -> ++ let! _:Prims.unit = ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 ++ ) + <: + Core.Ops.Control_flow.t_ControlFlow + (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) +- | 0uy, 41uy -> +- (match +- check_server_psk_shared_key algs +- (b.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ u8) Prims.unit ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue out ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) ++ | 0uy, 41uy -> ++ (match ++ check_server_psk_shared_key algs ++ (b.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! 
len <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok ok -> +- Core.Ops.Control_flow.ControlFlow_Continue out +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- | Core.Result.Result_Err err -> +- let! _:Prims.unit = +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) Prims.unit +- in +- Core.Ops.Control_flow.ControlFlow_Continue out ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok ok -> ++ Core.Ops.Control_flow.ControlFlow_Continue out ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ | Core.Result.Result_Err err -> ++ let! _:Prims.unit = ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 ++ ) + <: + Core.Ops.Control_flow.t_ControlFlow + (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) +- | _ -> +- Core.Ops.Control_flow.ControlFlow_Continue out +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- in +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Ok +- (sz 4 +! 
len, out <: (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) ++ u8) Prims.unit ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue out ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) ++ | _ -> ++ Core.Ops.Control_flow.ControlFlow_Continue out + <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Ok ++ (sz 4 +! len, out <: (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ | Core.Result.Result_Err err -> ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err err + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8)) ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ 
(Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8)) + + let check_signature_algorithms (algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) = + match Bertie.Tls13utils.check_length_encoding_u16_slice ch with +@@ -1021,48 +1012,83 @@ + | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result t_Extensions u8 + + let certificate_verify (algs: Bertie.Tls13crypto.t_Algorithms) (cv: Bertie.Tls13utils.t_Bytes) = +- match +- match algs.Bertie.Tls13crypto.f_signature with +- | Bertie.Tls13crypto.SignatureScheme_RsaPssRsaSha256 -> +- Core.Result.Result_Ok (Core.Clone.f_clone cv) +- <: +- Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 +- | Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 -> +- if (Bertie.Tls13utils.impl__Bytes__len cv <: usize) <>. sz 64 +- then +- Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) +- <: +- Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 +- else ecdsa_signature cv +- | Bertie.Tls13crypto.SignatureScheme_ED25519 -> +- Core.Result.Result_Err Bertie.Tls13utils.v_UNSUPPORTED_ALGORITHM +- <: +- Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 +- with +- | Core.Result.Result_Ok sv -> +- (match Bertie.Tls13crypto.impl__Algorithms__signature_algorithm algs with +- | Core.Result.Result_Ok hoist142 -> +- (match Bertie.Tls13utils.encode_length_u16 sv with +- | Core.Result.Result_Ok hoist141 -> +- let sig:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__concat hoist142 hoist141 +- in +- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_CertificateVerify ++ Rust_primitives.Hax.Control_flow_monad.Mexception.run (let! 
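Review bot: The `extraction-lax` side of `check_server_extension` (inner hunk `-316,167 +317,157`) drops the `(Core.Slice.impl__len b <: usize) <. sz 4` guard, so `b.[ sz 0 ]`, `b.[ sz 1 ]` and the range starting at `sz 2` are indexed with no prior length check in the patched model. The same guard is removed from `check_extension` in the `-1544,205 +1570,195` hunk further down. Lax checking will not flag the unguarded indexing, so the divergence from the extracted code is easy to miss. I would keep the `if ... <. sz 4 then ... Bertie.Tls13utils.parse_failed ()` branch on the lax side of both functions, unless the removal is deliberate and documented with the patch.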
sv:Bertie.Tls13utils.t_Bytes = ++ match algs.Bertie.Tls13crypto.f_signature with ++ | Bertie.Tls13crypto.SignatureScheme_RsaPssRsaSha256 -> ++ Core.Ops.Control_flow.ControlFlow_Continue (Core.Clone.f_clone cv) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Bertie.Tls13utils.t_Bytes ++ | Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 -> ++ if (Bertie.Tls13utils.impl__Bytes__len cv <: usize) <>. sz 64 ++ then ++ let! hoist141:Rust_primitives.Hax.t_Never = ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) + <: +- Bertie.Tls13formats.Handshake_data.t_HandshakeType) +- sig +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Rust_primitives.Hax.t_Never ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue (Rust_primitives.Hax.never_to_any hoist141) + <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Bertie.Tls13utils.t_Bytes ++ else ++ (match ecdsa_signature cv with ++ | Core.Result.Result_Ok ok -> ++ Core.Ops.Control_flow.ControlFlow_Continue ok ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Bertie.Tls13utils.t_Bytes ++ | Core.Result.Result_Err err -> ++ 
Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Bertie.Tls13utils.t_Bytes) ++ | Bertie.Tls13crypto.SignatureScheme_ED25519 -> ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" ++ <: ++ Rust_primitives.Hax.t_Never)) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Bertie.Tls13utils.t_Bytes ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (match Bertie.Tls13crypto.impl__Algorithms__signature_algorithm algs with ++ | Core.Result.Result_Ok hoist143 -> ++ (match Bertie.Tls13utils.encode_length_u16 sv with ++ | Core.Result.Result_Ok hoist142 -> ++ let sig:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__concat hoist143 hoist142 ++ in ++ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_CertificateVerify ++ <: ++ Bertie.Tls13formats.Handshake_data.t_HandshakeType) ++ sig ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) + + let check_handshake_record (p: Bertie.Tls13utils.t_Bytes) = + Rust_primitives.Hax.Control_flow_monad.Mexception.run (if +@@ -1185,7 +1211,7 @@ + (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8) + 
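Review bot: In `certificate_verify` (inner hunk `-1021,48 +1012,83`) the `SignatureScheme_ED25519` branch on the `extraction-lax` side becomes `Core.Panicking.panic "not implemented"`, where the extraction it is diffed against returns `Core.Result.Result_Err Bertie.Tls13utils.v_UNSUPPORTED_ALGORITHM`. That turns a recoverable error into a panic in the patched model. The surrounding rewrite into `Mexception.run` with renumbered hoists suggests an older extraction rather than a deliberate lax-mode edit, but that is an inference. I would keep the `Result_Err Bertie.Tls13utils.v_UNSUPPORTED_ALGORITHM` branch on the lax side so both trees agree on the unsupported-scheme path.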
(Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8)) + +-let check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = ++let rec check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = + match check_server_extension algs b with + | Core.Result.Result_Ok (len, out) -> + if len =. (Core.Slice.impl__len b <: usize) +@@ -1235,8 +1261,8 @@ + with + | Core.Result.Result_Ok legacy_session_id -> + (match Bertie.Tls13crypto.impl__Algorithms__ciphersuite algorithms with +- | Core.Result.Result_Ok hoist143 -> +- (match Bertie.Tls13utils.encode_length_u16 hoist143 with ++ | Core.Result.Result_Ok hoist144 -> ++ (match Bertie.Tls13utils.encode_length_u16 hoist144 with + | Core.Result.Result_Ok cipher_suites -> + (match build_server_name server_name with + | Core.Result.Result_Ok server_name -> +@@ -1445,12 +1471,12 @@ + <: + Bertie.Tls13utils.t_Bytes) + with +- | Core.Result.Result_Ok hoist145 -> +- (match Bertie.Tls13utils.encode_length_u24 hoist145 with +- | Core.Result.Result_Ok hoist147 -> ++ | Core.Result.Result_Ok hoist146 -> ++ (match Bertie.Tls13utils.encode_length_u24 hoist146 with ++ | Core.Result.Result_Ok hoist148 -> + Core.Result.Result_Ok + (Bertie.Tls13formats.Handshake_data.HandshakeData +- (Bertie.Tls13utils.impl__Bytes__concat handshake_type hoist147) ++ (Bertie.Tls13utils.impl__Bytes__concat handshake_type hoist148) + <: + Bertie.Tls13formats.Handshake_data.t_HandshakeData) + <: +@@ -1464,7 +1490,7 @@ + <: + Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 + +-let find_key_share (g: Bertie.Tls13utils.t_Bytes) (ch: t_Slice u8) = ++let rec find_key_share (g: Bertie.Tls13utils.t_Bytes) (ch: t_Slice u8) = + if (Core.Slice.impl__len ch <: usize) <. 
sz 4 + then Bertie.Tls13utils.tlserr (Bertie.Tls13utils.parse_failed () <: u8) + else +@@ -1528,8 +1554,8 @@ + match Bertie.Tls13utils.check_length_encoding_u16_slice ch with + | Core.Result.Result_Ok _ -> + (match Bertie.Tls13crypto.impl__Algorithms__supported_group algs with +- | Core.Result.Result_Ok hoist150 -> +- find_key_share hoist150 ++ | Core.Result.Result_Ok hoist151 -> ++ find_key_share hoist151 + (ch.[ { + Core.Ops.Range.f_start = sz 2; + Core.Ops.Range.f_end = Core.Slice.impl__len ch <: usize +@@ -1544,205 +1570,195 @@ + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + + let check_extension (algs: Bertie.Tls13crypto.t_Algorithms) (bytes: t_Slice u8) = +- if (Core.Slice.impl__len bytes <: usize) <. sz 4 +- then +- Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- else +- let l0:usize = cast (Bertie.Tls13utils.f_declassify (bytes.[ sz 0 ] <: u8) <: u8) <: usize in +- let l1:usize = cast (Bertie.Tls13utils.f_declassify (bytes.[ sz 1 ] <: u8) <: u8) <: usize in +- match +- Bertie.Tls13utils.length_u16_encoded_slice (bytes.[ { +- Core.Ops.Range.f_start = sz 2; +- Core.Ops.Range.f_end = Core.Slice.impl__len bytes <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ let l0:usize = cast (Bertie.Tls13utils.f_declassify (bytes.[ sz 0 ] <: u8) <: u8) <: usize in ++ let l1:usize = cast (Bertie.Tls13utils.f_declassify (bytes.[ sz 1 ] <: u8) <: u8) <: usize in ++ match ++ Bertie.Tls13utils.length_u16_encoded_slice (bytes.[ { ++ Core.Ops.Range.f_start = sz 2; ++ Core.Ops.Range.f_end = Core.Slice.impl__len bytes <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok len -> +- let out:t_Extensions = +- { +- f_sni = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_key_share = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_ticket = Core.Option.Option_None <: Core.Option.t_Option 
Bertie.Tls13utils.t_Bytes; +- f_binder = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes +- } ++ Core.Ops.Range.t_Range usize ] + <: +- t_Extensions +- in +- (match (cast (l0 <: usize) <: u8), (cast (l1 <: usize) <: u8) <: (u8 & u8) with +- | 0uy, 0uy -> +- (match +- check_server_name (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok hoist151 -> +- Core.Result.Result_Ok +- (sz 4 +! len, +- ({ +- f_sni +- = +- Core.Option.Option_Some hoist151 +- <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_key_share +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_ticket +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_binder +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok len -> ++ let out:t_Extensions = ++ { ++ f_sni = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_key_share = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_ticket = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_binder = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes ++ } ++ <: ++ t_Extensions ++ in ++ (match (cast (l0 <: usize) <: u8), (cast (l1 <: usize) <: u8) <: (u8 & u8) with ++ | 0uy, 0uy -> ++ (match ++ check_server_name (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize + } + <: +- t_Extensions) ++ Core.Ops.Range.t_Range usize ] + <: +- (usize & t_Extensions)) ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok hoist152 -> ++ Core.Result.Result_Ok ++ (sz 4 +! 
len, ++ ({ ++ f_sni ++ = ++ Core.Option.Option_Some hoist152 <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_key_share ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_ticket ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_binder ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes ++ } ++ <: ++ t_Extensions) + <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 45uy -> +- (match +- check_psk_key_exchange_modes (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 45uy -> ++ (match ++ check_psk_key_exchange_modes (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 43uy -> +- (match +- check_supported_versions (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! 
len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 43uy -> ++ (match ++ check_supported_versions (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 10uy -> +- (match +- check_supported_groups algs +- (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 10uy -> ++ (match ++ check_supported_groups algs ++ (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 13uy -> +- (match +- check_signature_algorithms algs +- (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! 
len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 13uy -> ++ (match ++ check_signature_algorithms algs ++ (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 51uy -> +- (match +- check_key_shares algs +- (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok gx -> +- Core.Result.Result_Ok +- (sz 4 +! len, +- ({ +- f_sni +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_key_share +- = +- Core.Option.Option_Some gx <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_ticket +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_binder +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 51uy -> ++ (match ++ check_key_shares algs ++ (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! 
len <: usize + } + <: +- t_Extensions) ++ Core.Ops.Range.t_Range usize ] + <: +- (usize & t_Extensions)) ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok gx -> ++ Core.Result.Result_Ok ++ (sz 4 +! len, ++ ({ ++ f_sni = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_key_share ++ = ++ Core.Option.Option_Some gx <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_ticket ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_binder ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes ++ } ++ <: ++ t_Extensions) + <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err _ -> +- Bertie.Tls13utils.tlserr Bertie.Tls13utils.v_MISSING_KEY_SHARE) +- | 0uy, 41uy -> +- (match +- check_psk_shared_key algs +- (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err _ -> ++ Bertie.Tls13utils.tlserr Bertie.Tls13utils.v_MISSING_KEY_SHARE) ++ | 0uy, 41uy -> ++ (match ++ check_psk_shared_key algs ++ (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8 ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! 
len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | _ -> ++ Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8 + + let finished (vd: Bertie.Tls13utils.t_Bytes) = + Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_Finished +@@ -1773,12 +1789,12 @@ + in + let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in + match Bertie.Tls13utils.encode_length_u16 p.Bertie.Tls13formats.Handshake_data._0 with +- | Core.Result.Result_Ok hoist155 -> ++ | Core.Result.Result_Ok hoist156 -> + Core.Result.Result_Ok + (Bertie.Tls13utils.impl__Bytes__concat (Bertie.Tls13utils.impl__Bytes__concat ty ver + <: + Bertie.Tls13utils.t_Bytes) +- hoist155) ++ hoist156) + <: + Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + | Core.Result.Result_Err err -> +@@ -1799,14 +1815,15 @@ + Bertie.Tls13crypto.impl__Algorithms__signature algs + in + (match Bertie.Tls13crypto.impl__Algorithms__signature_algorithm algs with +- | Core.Result.Result_Ok hoist157 -> ++ | Core.Result.Result_Ok hoist158 -> + (match +- Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw hoist157 ++ Bertie.Tls13utils.check_eq hoist158 ++ (Bertie.Tls13utils.impl__Bytes__slice_range cv ++ ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 2 } ++ <: ++ Core.Ops.Range.t_Range usize) + <: +- t_Slice u8) +- (Bertie.Tls13utils.impl__Bytes__as_raw cv <: t_Slice u8) +- (sz 0) +- (sz 2) ++ Bertie.Tls13utils.t_Bytes) + with + | Core.Result.Result_Ok _ -> + (match +@@ -1850,7 +1867,7 @@ + Core.Result.Result_Ok + (Bertie.Tls13utils.impl__Bytes__slice_range cv + ({ +- 
Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = Bertie.Tls13utils.impl__Bytes__len cv <: usize + } + <: +@@ -1887,13 +1904,13 @@ + u8) + in + match +- Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw expected_handshake_type +- ++ Bertie.Tls13utils.check_eq expected_handshake_type ++ (Bertie.Tls13utils.impl__Bytes__slice_range encrypted_extension_bytes ++ ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 1 } ++ <: ++ Core.Ops.Range.t_Range usize) + <: +- t_Slice u8) +- (Bertie.Tls13utils.impl__Bytes__as_raw encrypted_extension_bytes <: t_Slice u8) +- (sz 0) +- (sz 1) ++ Bertie.Tls13utils.t_Bytes) + with + | Core.Result.Result_Ok _ -> + Bertie.Tls13utils.check_length_encoding_u24 (Bertie.Tls13utils.impl__Bytes__raw_slice encrypted_extension_bytes +@@ -1932,7 +1949,7 @@ + let next:usize = sz 0 in + (match + Bertie.Tls13utils.length_u8_encoded (sc.[ { +- Core.Ops.Range.f_start = sz 0; ++ Core.Ops.Range.f_start = sz 4; + Core.Ops.Range.f_end = Bertie.Tls13utils.impl__Bytes__len sc <: usize + } + <: +@@ -2005,159 +2022,199 @@ + (algs: Bertie.Tls13crypto.t_Algorithms) + (server_hello: Bertie.Tls13formats.Handshake_data.t_HandshakeData) + = +- match +- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__as_handshake_message server_hello +- (Bertie.Tls13formats.Handshake_data.HandshakeType_ServerHello ++ Rust_primitives.Hax.Control_flow_monad.Mexception.run (match ++ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__as_handshake_message server_hello ++ (Bertie.Tls13formats.Handshake_data.HandshakeType_ServerHello ++ <: ++ Bertie.Tls13formats.Handshake_data.t_HandshakeType) + <: +- Bertie.Tls13formats.Handshake_data.t_HandshakeType) +- with +- | Core.Result.Result_Ok (Bertie.Tls13formats.Handshake_data.HandshakeData server_hello) -> +- let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in +- (match Bertie.Tls13crypto.impl__Algorithms__ciphersuite algs with +- | 
Core.Result.Result_Ok cip -> +- let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 0uy in +- let next:usize = sz 0 in +- (match +- match +- Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw ver +- <: +- t_Slice u8) +- (Bertie.Tls13utils.impl__Bytes__as_raw server_hello <: t_Slice u8) +- next +- (next +! sz 2 <: usize) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (() <: Prims.unit) <: Core.Result.t_Result Prims.unit u8 +- | Core.Result.Result_Err _ -> protocol_version_alert () +- with +- | Core.Result.Result_Ok _ -> +- let next:usize = next +! sz 2 in +- (match +- Bertie.Tls13utils.check ((Bertie.Tls13utils.impl__Bytes__len server_hello <: usize) >=. +- (next +! sz 32 <: usize) ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 ++ with ++ | Core.Result.Result_Ok (Bertie.Tls13formats.Handshake_data.HandshakeData server_hello) -> ++ let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in ++ (match Bertie.Tls13crypto.impl__Algorithms__ciphersuite algs with ++ | Core.Result.Result_Ok cip -> ++ let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 0uy in ++ let next:usize = sz 0 in ++ let! _:Prims.unit = ++ match ++ Bertie.Tls13utils.check_eq ver ++ (Bertie.Tls13utils.impl__Bytes__slice_range server_hello ++ ({ ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end = next +! 
sz 2 <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize) + <: +- bool) ++ Bertie.Tls13utils.t_Bytes) + with + | Core.Result.Result_Ok _ -> +- let srand:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__slice_range server_hello +- ({ ++ Core.Ops.Control_flow.ControlFlow_Continue (() <: Prims.unit) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ Prims.unit ++ | Core.Result.Result_Err _ -> ++ match protocol_version_alert () with ++ | Core.Result.Result_Ok ok -> ++ Core.Ops.Control_flow.ControlFlow_Continue ok ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 ++ ) Prims.unit ++ | Core.Result.Result_Err err -> ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 ++ ) Prims.unit ++ in ++ let next:usize = next +! sz 2 in ++ let srand:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__slice_range server_hello ++ ({ Core.Ops.Range.f_start = next; Core.Ops.Range.f_end = next +! sz 32 <: usize } ++ <: ++ Core.Ops.Range.t_Range usize) ++ in ++ let next:usize = next +! sz 32 in ++ (match ++ Bertie.Tls13utils.length_u8_encoded (server_hello.[ { + Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end = next +! sz 32 <: usize ++ Core.Ops.Range.f_end ++ = ++ Bertie.Tls13utils.impl__Bytes__len server_hello <: usize + } + <: +- Core.Ops.Range.t_Range usize) ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok sidlen -> ++ let next:usize = (next +! sz 1 <: usize) +! sidlen in ++ let! 
_:Prims.unit = ++ match ++ Bertie.Tls13utils.check_eq cip ++ (Bertie.Tls13utils.impl__Bytes__slice_range server_hello ++ ({ ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end = next +! sz 2 <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize) ++ <: ++ Bertie.Tls13utils.t_Bytes) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Ops.Control_flow.ControlFlow_Continue (() <: Prims.unit) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) ++ u8) Prims.unit ++ | Core.Result.Result_Err _ -> ++ match unsupported_cipher_alert () with ++ | Core.Result.Result_Ok ok -> ++ Core.Ops.Control_flow.ControlFlow_Continue ok ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) Prims.unit ++ | Core.Result.Result_Err err -> ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) ++ u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) Prims.unit + in +- let next:usize = next +! sz 32 in +- (match +- Bertie.Tls13utils.length_u8_encoded (server_hello.[ { +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end +- = +- Bertie.Tls13utils.impl__Bytes__len server_hello <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] ++ let next:usize = next +! sz 2 in ++ let! _:Prims.unit = ++ match ++ Bertie.Tls13utils.check_eq comp ++ (Bertie.Tls13utils.impl__Bytes__slice_range server_hello ++ ({ ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end = next +! sz 1 <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize) + <: +- t_Slice u8) ++ Bertie.Tls13utils.t_Bytes) + with +- | Core.Result.Result_Ok sidlen -> +- let next:usize = (next +! sz 1 <: usize) +! 
sidlen in ++ | Core.Result.Result_Ok _ -> ++ Core.Ops.Control_flow.ControlFlow_Continue (() <: Prims.unit) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) ++ u8) Prims.unit ++ | Core.Result.Result_Err _ -> ++ match invalid_compression_method_alert () with ++ | Core.Result.Result_Ok ok -> ++ Core.Ops.Control_flow.ControlFlow_Continue ok ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) Prims.unit ++ | Core.Result.Result_Err err -> ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) ++ u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) Prims.unit ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (let next:usize = next +! sz 1 in ++ match ++ Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl__Bytes__slice_range ++ server_hello ++ ({ ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end ++ = ++ Bertie.Tls13utils.impl__Bytes__len server_hello <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize) ++ <: ++ Bertie.Tls13utils.t_Bytes) ++ with ++ | Core.Result.Result_Ok _ -> ++ let next:usize = next +! sz 2 in + (match +- match +- Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw +- cip ++ check_server_extensions algs ++ (server_hello.[ { ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end ++ = ++ Bertie.Tls13utils.impl__Bytes__len server_hello <: usize ++ } + <: +- t_Slice u8) +- (Bertie.Tls13utils.impl__Bytes__as_raw server_hello <: t_Slice u8) +- next +- (next +! 
sz 2 <: usize) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (() <: Prims.unit) +- <: +- Core.Result.t_Result Prims.unit u8 +- | Core.Result.Result_Err _ -> unsupported_cipher_alert () ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) + with +- | Core.Result.Result_Ok _ -> +- let next:usize = next +! sz 2 in +- (match +- match +- Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw +- comp +- <: +- t_Slice u8) +- (Bertie.Tls13utils.impl__Bytes__as_raw server_hello <: t_Slice u8) +- next +- (next +! sz 1 <: usize) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (() <: Prims.unit) +- <: +- Core.Result.t_Result Prims.unit u8 +- | Core.Result.Result_Err _ -> invalid_compression_method_alert () +- with +- | Core.Result.Result_Ok _ -> +- let next:usize = next +! sz 1 in +- (match +- Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl__Bytes__slice_range +- server_hello +- ({ +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end +- = +- Bertie.Tls13utils.impl__Bytes__len server_hello <: usize +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Bertie.Tls13utils.t_Bytes) +- with +- | Core.Result.Result_Ok _ -> +- let next:usize = next +! 
sz 2 in +- (match +- check_server_extensions algs +- (server_hello.[ { +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end +- = +- Bertie.Tls13utils.impl__Bytes__len server_hello <: usize +- } +- <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok gy -> +- (match gy with +- | Core.Option.Option_Some gy -> +- Core.Result.Result_Ok +- (srand, gy +- <: +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes)) +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 +- | _ -> +- Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 +- ) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err ++ | Core.Result.Result_Ok gy -> ++ (match gy with ++ | Core.Option.Option_Some gy -> ++ Core.Result.Result_Ok ++ (srand, gy <: (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes)) + <: + Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 ++ | _ -> ++ Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE ++ <: ++ Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err +@@ -2168,26 +2225,41 @@ + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + | Core.Result.Result_Err err -> 
+- Core.Result.Result_Err err ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8)) + | Core.Result.Result_Err err -> +- Core.Result.Result_Err err ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8)) + | Core.Result.Result_Err err -> +- Core.Result.Result_Err err ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8)) + + let server_certificate (v__algs: Bertie.Tls13crypto.t_Algorithms) (cert: Bertie.Tls13utils.t_Bytes) = + match +- Bertie.Tls13utils.encode_length_u8 (Rust_primitives.unsize (let list = [] in ++ Bertie.Tls13utils.encode_length_u8 (Rust_primitives.unsize (let list : list u8 = [] in + 
FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 0); + Rust_primitives.Hax.array_of_list 0 list) + <: +@@ -2484,7 +2556,7 @@ + <: + Bertie.Tls13utils.t_Bytes) + +-let check_extensions_slice (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = ++let rec check_extensions_slice (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = + match check_extension algs b with + | Core.Result.Result_Ok (len, out) -> + if len =. (Core.Slice.impl__len b <: usize) +@@ -2533,33 +2605,29 @@ + (ciphersuite: Bertie.Tls13crypto.t_Algorithms) + (client_hello: Bertie.Tls13formats.Handshake_data.t_HandshakeData) + = +- match +- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__as_handshake_message client_hello +- (Bertie.Tls13formats.Handshake_data.HandshakeType_ClientHello +- <: +- Bertie.Tls13formats.Handshake_data.t_HandshakeType) +- with +- | Core.Result.Result_Ok (Bertie.Tls13formats.Handshake_data.HandshakeData ch) -> +- let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in +- let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 1uy 0uy in +- let next:usize = sz 0 in +- (match +- Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw ver ++ Rust_primitives.Hax.Control_flow_monad.Mexception.run (match ++ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__as_handshake_message client_hello ++ (Bertie.Tls13formats.Handshake_data.HandshakeType_ClientHello + <: +- t_Slice u8) +- (Bertie.Tls13utils.impl__Bytes__as_raw ch <: t_Slice u8) +- next +- (next +! sz 2 <: usize) ++ Bertie.Tls13formats.Handshake_data.t_HandshakeType) ++ <: ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 + with +- | Core.Result.Result_Ok _ -> +- let next:usize = next +! 
sz 2 in ++ | Core.Result.Result_Ok (Bertie.Tls13formats.Handshake_data.HandshakeData ch) -> ++ let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in ++ let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 1uy 0uy in ++ let next:usize = sz 0 in + (match +- Bertie.Tls13utils.check ((Bertie.Tls13utils.impl__Bytes__len ch <: usize) >=. +- (next +! sz 32 <: usize) ++ Bertie.Tls13utils.check_eq ver ++ (Bertie.Tls13utils.impl__Bytes__slice_range ch ++ ({ Core.Ops.Range.f_start = next; Core.Ops.Range.f_end = next +! sz 2 <: usize } ++ <: ++ Core.Ops.Range.t_Range usize) + <: +- bool) ++ Bertie.Tls13utils.t_Bytes) + with + | Core.Result.Result_Ok _ -> ++ let next:usize = next +! sz 2 in + let crand:Bertie.Tls13utils.t_Bytes = + Bertie.Tls13utils.impl__Bytes__slice_range ch + ({ Core.Ops.Range.f_start = next; Core.Ops.Range.f_end = next +! sz 32 <: usize } +@@ -2602,27 +2670,85 @@ + with + | Core.Result.Result_Ok cslen -> + let next:usize = next +! cslen in +- (match +- match +- Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw +- comp +- <: +- t_Slice u8) +- (Bertie.Tls13utils.impl__Bytes__as_raw ch <: t_Slice u8) +- next +- (next +! sz 2 <: usize) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (() <: Prims.unit) ++ let! _:Prims.unit = ++ match ++ Bertie.Tls13utils.check_eq comp ++ (Bertie.Tls13utils.impl__Bytes__slice_range ch ++ ({ ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end = next +! 
sz 2 <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize) ++ <: ++ Bertie.Tls13utils.t_Bytes) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Ops.Control_flow.ControlFlow_Continue (() <: Prims.unit) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) Prims.unit ++ | Core.Result.Result_Err _ -> ++ match invalid_compression_list () with ++ | Core.Result.Result_Ok ok -> ++ Core.Ops.Control_flow.ControlFlow_Continue ok + <: +- Core.Result.t_Result Prims.unit u8 +- | Core.Result.Result_Err _ -> invalid_compression_list () ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) Prims.unit ++ | Core.Result.Result_Err err -> ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) Prims.unit ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (let next:usize = next +! 
sz 2 in ++ match ++ Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl__Bytes__slice_range ++ ch ++ ({ ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end ++ = ++ Bertie.Tls13utils.impl__Bytes__len ch <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize) ++ <: ++ Bertie.Tls13utils.t_Bytes) + with + | Core.Result.Result_Ok _ -> + let next:usize = next +! sz 2 in + (match +- Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl__Bytes__slice_range +- ch ++ check_extensions ciphersuite ++ (Bertie.Tls13utils.impl__Bytes__slice_range ch + ({ + Core.Ops.Range.f_start = next; + Core.Ops.Range.f_end +@@ -2634,194 +2760,158 @@ + <: + Bertie.Tls13utils.t_Bytes) + with +- | Core.Result.Result_Ok _ -> +- let next:usize = next +! sz 2 in ++ | Core.Result.Result_Ok exts -> ++ let trunc_len:usize = ++ ((Bertie.Tls13utils.impl__Bytes__len ch <: usize) -! ++ (Bertie.Tls13crypto.impl__HashAlgorithm__hash_len (Bertie.Tls13crypto.impl__Algorithms__hash ++ ciphersuite ++ <: ++ Bertie.Tls13crypto.t_HashAlgorithm) ++ <: ++ usize) ++ <: ++ usize) -! ++ sz 3 ++ in + (match +- check_extensions ciphersuite +- (Bertie.Tls13utils.impl__Bytes__slice_range ch +- ({ +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end +- = +- Bertie.Tls13utils.impl__Bytes__len ch <: usize +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Bertie.Tls13utils.t_Bytes) ++ Bertie.Tls13crypto.impl__Algorithms__psk_mode ciphersuite, exts ++ <: ++ (bool & t_Extensions) + with +- | Core.Result.Result_Ok exts -> +- let trunc_len:usize = +- ((Bertie.Tls13utils.impl__Bytes__len ch <: usize) -! 
+- (Bertie.Tls13crypto.impl__HashAlgorithm__hash_len (Bertie.Tls13crypto.impl__Algorithms__hash +- ciphersuite +- <: +- Bertie.Tls13crypto.t_HashAlgorithm) +- <: +- usize) ++ | _, ++ { f_sni = _ ; ++ f_key_share = Core.Option.Option_None ; ++ f_ticket = _ ; ++ f_binder = _ } -> ++ Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | true, ++ { f_sni = Core.Option.Option_Some sn ; ++ f_key_share = Core.Option.Option_Some gx ; ++ f_ticket = Core.Option.Option_Some tkt ; ++ f_binder = Core.Option.Option_Some binder } -> ++ Core.Result.Result_Ok ++ (crand, ++ sid, ++ sn, ++ gx, ++ (Core.Option.Option_Some tkt + <: +- usize) -! +- sz 3 +- in +- (match +- Bertie.Tls13crypto.impl__Algorithms__psk_mode ciphersuite, exts ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ (Core.Option.Option_Some binder + <: +- (bool & t_Extensions) +- with +- | _, +- { f_sni = _ ; +- f_key_share = Core.Option.Option_None ; +- f_ticket = _ ; +- f_binder = _ } -> +- Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ trunc_len ++ <: ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize)) ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | true, ++ { f_sni = Core.Option.Option_None ; ++ f_key_share = Core.Option.Option_Some gx ; ++ f_ticket = 
Core.Option.Option_Some tkt ; ++ f_binder = Core.Option.Option_Some binder } -> ++ Core.Result.Result_Ok ++ (crand, ++ sid, ++ Bertie.Tls13utils.impl__Bytes__new (), ++ gx, ++ (Core.Option.Option_Some tkt + <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | true, +- { f_sni = Core.Option.Option_Some sn ; +- f_key_share = Core.Option.Option_Some gx ; +- f_ticket = Core.Option.Option_Some tkt ; +- f_binder = Core.Option.Option_Some binder } -> +- Core.Result.Result_Ok +- (crand, +- sid, +- sn, +- gx, +- (Core.Option.Option_Some tkt +- <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- (Core.Option.Option_Some binder +- <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- trunc_len +- <: +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize)) ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ (Core.Option.Option_Some binder + <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | true, +- { f_sni = Core.Option.Option_None ; +- f_key_share = Core.Option.Option_Some gx ; +- f_ticket = Core.Option.Option_Some tkt ; +- f_binder = Core.Option.Option_Some binder } -> +- Core.Result.Result_Ok +- (crand, +- sid, +- Bertie.Tls13utils.impl__Bytes__new (), +- gx, +- (Core.Option.Option_Some tkt +- <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- (Core.Option.Option_Some binder +- <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- trunc_len +- 
<: +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize)) ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ trunc_len ++ <: ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize)) ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | false, ++ { f_sni = Core.Option.Option_Some sn ; ++ f_key_share = Core.Option.Option_Some gx ; ++ f_ticket = Core.Option.Option_None ; ++ f_binder = Core.Option.Option_None } -> ++ Core.Result.Result_Ok ++ (crand, ++ sid, ++ sn, ++ gx, ++ (Core.Option.Option_None + <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | false, +- { f_sni = Core.Option.Option_Some sn ; +- f_key_share = Core.Option.Option_Some gx ; +- f_ticket = Core.Option.Option_None ; +- f_binder = Core.Option.Option_None } -> +- Core.Result.Result_Ok +- (crand, +- sid, +- sn, +- gx, +- (Core.Option.Option_None +- <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- (Core.Option.Option_None +- <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- sz 0 +- <: +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option 
Bertie.Tls13utils.t_Bytes & +- usize)) ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ (Core.Option.Option_None + <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | false, +- { f_sni = Core.Option.Option_None ; +- f_key_share = Core.Option.Option_Some gx ; +- f_ticket = Core.Option.Option_None ; +- f_binder = Core.Option.Option_None } -> +- Core.Result.Result_Ok +- (crand, +- sid, +- Bertie.Tls13utils.impl__Bytes__new (), +- gx, +- (Core.Option.Option_None +- <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- (Core.Option.Option_None +- <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- sz 0 +- <: +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize)) ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ sz 0 ++ <: ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize)) ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | false, ++ { f_sni = Core.Option.Option_None ; ++ f_key_share = Core.Option.Option_Some gx ; ++ f_ticket = Core.Option.Option_None ; ++ f_binder = Core.Option.Option_None } -> ++ Core.Result.Result_Ok ++ (crand, ++ sid, ++ Bertie.Tls13utils.impl__Bytes__new (), ++ gx, ++ (Core.Option.Option_None + <: +- Core.Result.t_Result +- 
(Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | _ -> +- Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ (Core.Option.Option_None + <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ sz 0 ++ <: ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize)) + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +@@ -2829,6 +2919,16 @@ + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | _ -> ++ Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err +@@ -2850,49 +2950,121 @@ + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ 
Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) + | Core.Result.Result_Err err -> +- Core.Result.Result_Err err ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) + <: +- Core.Result.t_Result ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8)) ++ | Core.Result.Result_Err err -> ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + 
Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8)) ++ | Core.Result.Result_Err err -> ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8)) ++ | Core.Result.Result_Err err -> ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & 
Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 ++ (Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8)) +diff -ruN extraction/Bertie.Tls13formats.fsti extraction-lax/Bertie.Tls13formats.fsti +--- extraction/Bertie.Tls13formats.fsti 2024-04-05 08:35:02 ++++ extraction-lax/Bertie.Tls13formats.fsti 2024-04-05 08:35:03 +@@ -408,7 +408,7 @@ + | _ -> Bertie.Tls13utils.tlserr (Bertie.Tls13utils.parse_failed () <: u8) + } + +-val check_psk_shared_key (algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) ++val check_psk_shared_key (v__algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + + val check_server_psk_shared_key (v__algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) +diff -ruN extraction/Bertie.Tls13record.fst extraction-lax/Bertie.Tls13record.fst +--- extraction/Bertie.Tls13record.fst 2024-04-05 08:35:02 ++++ extraction-lax/Bertie.Tls13record.fst 2024-04-05 
08:35:03 +@@ -54,7 +54,7 @@ + in + iv_ctr + +-let padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) = ++let rec padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) = + if n >. sz 0 && (Bertie.Tls13utils.f_declassify (b.[ n -! sz 1 <: usize ] <: u8) <: u8) =. 0uy + then sz 1 +! (padlen b (n -! sz 1 <: usize) <: usize) + else sz 0 +diff -ruN extraction/Bertie.Tls13utils.fsti extraction-lax/Bertie.Tls13utils.fsti +--- extraction/Bertie.Tls13utils.fsti 2024-04-05 08:35:02 ++++ extraction-lax/Bertie.Tls13utils.fsti 2024-04-05 08:35:03 +@@ -129,9 +129,6 @@ + val check_eq_slice (b1 b2: t_Slice u8) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + +-val check_eq_with_slice (b1 b2: t_Slice u8) (start v_end: usize) +- : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) +- + val check_mem (b1 b2: t_Slice u8) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + +@@ -203,7 +200,7 @@ + let impl_8: Core.Ops.Index.t_Index t_Bytes usize = + { + f_Output = u8; +- f_index_pre = (fun (self: t_Bytes) (x: usize) -> true); ++ f_index_pre = (fun (self: t_Bytes) (x: usize) -> x <. (Alloc.Vec.impl_1__len self._0 <: usize)); + f_index_post = (fun (self: t_Bytes) (x: usize) (out: u8) -> true); + f_index = fun (self: t_Bytes) (x: usize) -> self._0.[ x ] + } +@@ -212,10 +209,22 @@ + let impl_9: Core.Ops.Index.t_Index t_Bytes (Core.Ops.Range.t_Range usize) = + { + f_Output = t_Slice u8; +- f_index_pre = (fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> true); ++ f_index_pre ++ = ++ (fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> ++ x.Core.Ops.Range.f_start <=. (Alloc.Vec.impl_1__len self._0 <: usize) && ++ x.Core.Ops.Range.f_end <=. 
(Alloc.Vec.impl_1__len self._0 <: usize)); + f_index_post = (fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) (out: t_Slice u8) -> true); + f_index = fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> self._0.[ x ] + } ++ ++[@@ FStar.Tactics.Typeclasses.tcinstance] ++let upd_10: Rust_primitives.Hax.update_at_tc t_Bytes usize = ++ { ++ super_index = impl_8; ++ update_at = fun s (i:usize{v i < Seq.length s._0}) x -> Bytes (Seq.upd s._0 (v i) x) ++ } ++ + + val impl__Bytes__append (self x: t_Bytes) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + diff --git a/proofs/fstar/extraction-panic-free.patch b/proofs/fstar/extraction-panic-free.patch new file mode 100644 index 0000000..211b919 --- /dev/null +++ b/proofs/fstar/extraction-panic-free.patch 
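Review bot: The new `f_index_pre` for `impl_9` bounds `f_start` and `f_end` by the vector length but never requires `f_start <= f_end`, so a reversed range satisfies the precondition. The instance models Rust range indexing (`self._0.[ x ]`), which panics on a reversed range, so the precondition looks too weak for the panic-freedom work that builds on it. I would add `x.Core.Ops.Range.f_start <=. x.Core.Ops.Range.f_end &&` as the first conjunct. How the underlying `Alloc.Vec` index instance is specified is not visible here, so confirm against that before tightening.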
@@ -0,0 +1,3948 @@ +diff -ruN extraction-lax/Bertie.Tls13api.fst extraction-panic-free/Bertie.Tls13api.fst +--- extraction-lax/Bertie.Tls13api.fst 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13api.fst 2024-04-05 08:35:03 +@@ -72,6 +72,7 @@ + (impl_916461611_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) + + let impl__Server__read (self: t_Server) (application_data: Bertie.Tls13utils.t_Bytes) = ++ assume(Seq.length application_data._0 >= 5); + match self with + | Server_Server1 sstate cipher1 -> + (match Bertie.Tls13record.decrypt_data application_data cipher1 with +@@ -93,6 +94,7 @@ + Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Server) u8 + + let impl__Client__read (self: t_Client) (message_bytes: Bertie.Tls13utils.t_Bytes) = ++ assume(Seq.length message_bytes._0 >= 5); + match self with + | Client_Client1 state cipher1 -> + (match Bertie.Tls13record.decrypt_data_or_hs message_bytes cipher1 with +@@ -142,6 +144,7 @@ + Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_AppData & t_Client) u8 + + let impl__Server__read_handshake (self: t_Server) (handshake_bytes: Bertie.Tls13utils.t_Bytes) = ++ assume(Seq.length handshake_bytes._0 >= 5); + match self with + | Server_ServerH sstate v__cipher0 cipher_hs cipher1 -> + (match Bertie.Tls13record.decrypt_handshake handshake_bytes cipher_hs with +@@ -195,6 +198,7 @@ + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Server) u8 + + let impl__Client__read_handshake (self: t_Client) (handshake_bytes: Bertie.Tls13utils.t_Bytes) = ++ assume(Seq.length handshake_bytes._0 >= 5); + match self with + | Client_Client0 state cipher_state -> + (match Bertie.Tls13formats.get_handshake_record handshake_bytes with +@@ -235,8 +239,9 @@ + (sz 0) + then + match Bertie.Tls13handshake.client_finish buf cstate with +- | Core.Result.Result_Ok (cfin, cipher1, cstate) -> +- (match Bertie.Tls13record.encrypt_handshake cfin (sz 0) cipher_hs with ++ | Core.Result.Result_Ok 
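Review bot: `assume(Seq.length application_data._0 >= 5);` at the top of `impl__Server__read` is taken on trust by F*, so the panic-freedom result for this function only covers inputs of at least five bytes; the same unchecked `assume` is added to `impl__Client__read`, `impl__Server__read_handshake` and `impl__Client__read_handshake`. These arguments go straight into the record decryption functions, which suggests they are bytes received from the peer, and a short record is exactly the case the proof should cover. I would state the bound as the precondition of the corresponding `val` in Bertie.Tls13api.fsti, e.g. `(Seq.length application_data._0 >= 5)`, the way this patch does for `impl__Client__write`, so callers have to discharge it. The alternative is to reject short input in the Rust source and drop the `assume`. The function bodies continue past these hunks.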
(cfin, cipher1, cstate) -> ++ (assume (Seq.length cfin._0._0 < 65536); ++ match Bertie.Tls13record.encrypt_handshake cfin (sz 0) cipher_hs with + | Core.Result.Result_Ok (cf_rec, v__cipher_hs) -> + Core.Result.Result_Ok + ((Core.Option.Option_Some cf_rec <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +@@ -300,7 +305,8 @@ + | Core.Result.Result_Ok (server_hello, server_finished, cipher0, cipher_hs, cipher1, sstate) -> + (match Bertie.Tls13formats.handshake_record server_hello with + | Core.Result.Result_Ok sh_rec -> +- (match Bertie.Tls13record.encrypt_handshake server_finished (sz 0) cipher_hs with ++ (assume (Seq.length server_finished._0._0 < 65536); ++ match Bertie.Tls13record.encrypt_handshake server_finished (sz 0) cipher_hs with + | Core.Result.Result_Ok (sf_rec, cipher_hs) -> + let hax_temp_output:Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8 = +diff -ruN extraction-lax/Bertie.Tls13api.fsti extraction-panic-free/Bertie.Tls13api.fsti +--- extraction-lax/Bertie.Tls13api.fsti 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13api.fsti 2024-04-05 08:35:03 +@@ -42,7 +42,7 @@ + (session_ticket psk: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) + (rng: impl_916461611_) + : Prims.Pure (impl_916461611_ & Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) +- Prims.l_True ++ (Seq.length server_name._0 < 65536) + (fun _ -> Prims.l_True) + + val impl__Server__read (self: t_Server) (application_data: Bertie.Tls13utils.t_Bytes) +@@ -62,12 +62,12 @@ + + val impl__Client__write (self: t_Client) (application_data: Bertie.Tls13utils.t_AppData) + : Prims.Pure (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Client) u8) +- Prims.l_True ++ (Seq.length application_data._0._0 < 65536) + (fun _ -> Prims.l_True) + + val impl__Server__write (self: t_Server) (application_data: Bertie.Tls13utils.t_AppData) + : Prims.Pure (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_Server) u8) +- Prims.l_True ++ 
(Seq.length application_data._0._0 < 65536) + (fun _ -> Prims.l_True) + + val impl__Client__read_handshake (self: t_Client) (handshake_bytes: Bertie.Tls13utils.t_Bytes) +@@ -87,5 +87,5 @@ + : Prims.Pure + (impl_916461611_ & + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & t_Server) u8) +- Prims.l_True ++ (Seq.length client_hello._0 >= 3) + (fun _ -> Prims.l_True) +diff -ruN extraction-lax/Bertie.Tls13cert.fst extraction-panic-free/Bertie.Tls13cert.fst +--- extraction-lax/Bertie.Tls13cert.fst 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13cert.fst 2024-04-05 08:35:03 +@@ -1,5 +1,5 @@ + module Bertie.Tls13cert +-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" ++#set-options "--fuel 0 --ifuel 1 --z3rlimit 15 --admit_smt_queries true" + open Core + open FStar.Mul + +@@ -30,9 +30,22 @@ + then Core.Result.Result_Ok (() <: Prims.unit) <: Core.Result.t_Result Prims.unit u8 + else asn1_error v_ASN1_INVALID_TAG + ++let ecdsa_public_key (cert: Bertie.Tls13utils.t_Bytes) (indices: t_CertificateKey) = ++ let CertificateKey offset len:t_CertificateKey = indices in ++ match check_tag cert offset 4uy with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok ++ (Bertie.Tls13utils.impl__Bytes__slice cert (offset +! sz 1 <: usize) (len -! sz 1 <: usize)) ++ <: ++ Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 ++ + let length_length (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = + if ((Bertie.Tls13utils.f_declassify (b.[ offset ] <: u8) <: u8) >>! 7l <: u8) =. 1uy +- then cast ((Bertie.Tls13utils.f_declassify (b.[ offset ] <: u8) <: u8) &. 127uy <: u8) <: usize ++ then ( ++ logand_lemma (b.[offset] <: u8) 127uy; ++ cast ((Bertie.Tls13utils.f_declassify (b.[ offset ] <: u8) <: u8) &. 
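Review bot: Adding `--admit_smt_queries true` to the module-wide `#set-options` makes F* accept every SMT proof obligation in Bertie.Tls13cert without checking it. The preconditions this patch introduces in Bertie.Tls13cert.fsti (for example `v offset < Seq.length b._0` on `check_tag`) are therefore not enforced at the call sites inside this file. This module parses certificate bytes, so it is the place where an unproven bound matters most. I would keep the original `#set-options` line and wrap only the definitions that are not yet proven in `#push-options "--admit_smt_queries true"` … `#pop-options`, with a comment naming what remains to be proven.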
127uy <: u8) <: usize) + else sz 0 + + let read_octet_header (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = +@@ -52,7 +65,7 @@ + let offset:usize = (offset +! length_length <: usize) +! sz 1 in + Core.Result.Result_Ok offset <: Core.Result.t_Result usize u8 + | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8 +- ++ + let short_length (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = + if ((Bertie.Tls13utils.f_declassify (b.[ offset ] <: u8) <: u8) &. 128uy <: u8) =. 0uy + then +@@ -131,26 +144,20 @@ + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result (usize & usize) u8 + +-let skip_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = ++let read_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = + match check_tag b offset 2uy with + | Core.Result.Result_Ok _ -> + let offset:usize = offset +! sz 1 in + (match length b offset with + | Core.Result.Result_Ok (offset, length) -> +- Core.Result.Result_Ok (offset +! length) <: Core.Result.t_Result usize u8 +- | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8) +- | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8 ++ Core.Result.Result_Ok (Bertie.Tls13utils.impl__Bytes__slice b offset length) ++ <: ++ Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + +-let skip_sequence (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = +- match check_tag b offset 48uy with +- | Core.Result.Result_Ok _ -> +- let offset:usize = offset +! sz 1 in +- (match length b offset with +- | Core.Result.Result_Ok (offset, length) -> +- Core.Result.Result_Ok (offset +! 
length) <: Core.Result.t_Result usize u8 +- | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8) +- | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8 +- + let read_spki (cert: Bertie.Tls13utils.t_Bytes) (offset: usize) = + Rust_primitives.Hax.Control_flow_monad.Mexception.run (match + check_tag cert offset 48uy <: Core.Result.t_Result Prims.unit u8 +@@ -527,30 +534,98 @@ + (Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) + (Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8)) + ++let skip_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = ++ match check_tag b offset 2uy with ++ | Core.Result.Result_Ok _ -> ++ let offset:usize = offset +! sz 1 in ++ (match length b offset with ++ | Core.Result.Result_Ok (offset, length) -> ++ Core.Result.Result_Ok (offset +! length) <: Core.Result.t_Result usize u8 ++ | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8) ++ | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8 ++ ++let skip_sequence (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = ++ match check_tag b offset 48uy with ++ | Core.Result.Result_Ok _ -> ++ let offset:usize = offset +! sz 1 in ++ (match length b offset with ++ | Core.Result.Result_Ok (offset, length) -> ++ Core.Result.Result_Ok (offset +! 
length) <: Core.Result.t_Result usize u8 ++ | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8) ++ | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result usize u8 ++ ++let rsa_private_key (key: Bertie.Tls13utils.t_Bytes) = ++ match read_sequence_header key (sz 0) with ++ | Core.Result.Result_Ok offset -> ++ (match skip_integer key offset with ++ | Core.Result.Result_Ok hoist36 -> ++ let offset:usize = hoist36 in ++ (match skip_sequence key offset with ++ | Core.Result.Result_Ok hoist37 -> ++ let offset:usize = hoist37 in ++ (match read_octet_header key offset with ++ | Core.Result.Result_Ok hoist38 -> ++ let offset:usize = hoist38 in ++ (match read_sequence_header key offset with ++ | Core.Result.Result_Ok hoist39 -> ++ let offset:usize = hoist39 in ++ (match skip_integer key offset with ++ | Core.Result.Result_Ok hoist40 -> ++ let offset:usize = hoist40 in ++ (match skip_integer key offset with ++ | Core.Result.Result_Ok hoist41 -> ++ let offset:usize = hoist41 in ++ (match skip_integer key offset with ++ | Core.Result.Result_Ok hoist42 -> ++ let offset:usize = hoist42 in ++ read_integer key offset ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: 
Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 ++ + let verification_key_from_cert (cert: Bertie.Tls13utils.t_Bytes) = + match read_sequence_header cert (sz 0) with + | Core.Result.Result_Ok offset -> + (match read_sequence_header cert offset with +- | Core.Result.Result_Ok hoist30 -> +- let offset:usize = hoist30 in ++ | Core.Result.Result_Ok hoist43 -> ++ let offset:usize = hoist43 in + (match read_version_number cert offset with +- | Core.Result.Result_Ok hoist31 -> +- let offset:usize = hoist31 in ++ | Core.Result.Result_Ok hoist44 -> ++ let offset:usize = hoist44 in + (match skip_integer cert offset with +- | Core.Result.Result_Ok hoist32 -> +- let offset:usize = hoist32 in ++ | Core.Result.Result_Ok hoist45 -> ++ let offset:usize = hoist45 in + (match skip_sequence cert offset with +- | Core.Result.Result_Ok hoist33 -> +- let offset:usize = hoist33 in ++ | Core.Result.Result_Ok hoist46 -> ++ let offset:usize = hoist46 in + (match skip_sequence cert offset with +- | Core.Result.Result_Ok hoist34 -> +- let offset:usize = hoist34 in ++ | Core.Result.Result_Ok hoist47 -> ++ let offset:usize = hoist47 in + (match skip_sequence cert offset with +- | Core.Result.Result_Ok hoist35 -> +- let offset:usize = hoist35 in ++ | Core.Result.Result_Ok hoist48 -> ++ let offset:usize = hoist48 in + (match skip_sequence cert offset with +- | Core.Result.Result_Ok hoist36 -> +- let offset:usize = hoist36 in ++ | Core.Result.Result_Ok hoist49 -> ++ let offset:usize = hoist49 in + read_spki cert offset + | Core.Result.Result_Err err -> + Core.Result.Result_Err err +@@ -588,79 +663,6 @@ + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8 +- +-let ecdsa_public_key (cert: Bertie.Tls13utils.t_Bytes) (indices: t_CertificateKey) = +- let CertificateKey offset len:t_CertificateKey = indices in +- match 
check_tag cert offset 4uy with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok +- (Bertie.Tls13utils.impl__Bytes__slice cert (offset +! sz 1 <: usize) (len -! sz 1 <: usize)) +- <: +- Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 +- +-let read_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) = +- match check_tag b offset 2uy with +- | Core.Result.Result_Ok _ -> +- let offset:usize = offset +! sz 1 in +- (match length b offset with +- | Core.Result.Result_Ok (offset, length) -> +- Core.Result.Result_Ok (Bertie.Tls13utils.impl__Bytes__slice b offset length) +- <: +- Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 +- +-let rsa_private_key (key: Bertie.Tls13utils.t_Bytes) = +- match read_sequence_header key (sz 0) with +- | Core.Result.Result_Ok offset -> +- (match skip_integer key offset with +- | Core.Result.Result_Ok hoist41 -> +- let offset:usize = hoist41 in +- (match skip_sequence key offset with +- | Core.Result.Result_Ok hoist42 -> +- let offset:usize = hoist42 in +- (match read_octet_header key offset with +- | Core.Result.Result_Ok hoist43 -> +- let offset:usize = hoist43 in +- (match read_sequence_header key offset with +- | Core.Result.Result_Ok hoist44 -> +- let offset:usize = hoist44 in +- (match skip_integer key offset with +- | Core.Result.Result_Ok hoist45 -> +- let offset:usize = hoist45 in +- (match skip_integer key offset with +- | Core.Result.Result_Ok hoist46 -> +- let offset:usize = hoist46 in +- (match skip_integer key offset with +- | Core.Result.Result_Ok hoist47 -> +- let offset:usize = hoist47 in +- read_integer key offset +- | Core.Result.Result_Err err -> +- 
Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + + let rsa_public_key (cert: Bertie.Tls13utils.t_Bytes) (indices: t_CertificateKey) = + let CertificateKey offset v__len:t_CertificateKey = indices in +diff -ruN extraction-lax/Bertie.Tls13cert.fsti extraction-panic-free/Bertie.Tls13cert.fsti +--- extraction-lax/Bertie.Tls13cert.fsti 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13cert.fsti 2024-04-05 08:35:03 +@@ -37,16 +37,30 @@ + -> Prims.Pure Bertie.Tls13utils.t_Bytes Prims.l_True (fun _ -> Prims.l_True) + + val check_tag (b: Bertie.Tls13utils.t_Bytes) (offset: usize) (value: u8) +- : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result Prims.unit u8) ++ (v offset < Seq.length b._0) ++ (fun _ -> Prims.l_True) + ++val ecdsa_public_key (cert: Bertie.Tls13utils.t_Bytes) (indices: t_CertificateKey) ++ : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ (v indices._0 < Seq.length cert._0 /\ ++ v indices._0 < pow2 31 - 1 /\ v indices._1 > 0) ++ (fun _ -> Prims.l_True) ++ + val length_length (b: 
Bertie.Tls13utils.t_Bytes) (offset: usize) +- : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure usize ++ (v offset < Seq.length b._0) ++ (fun res -> v res < 128) + + val read_octet_header (b: Bertie.Tls13utils.t_Bytes) (offset: usize) +- : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result usize u8) ++ (v offset + 128 < Seq.length b._0) ++ (fun _ -> Prims.l_True) + + val read_sequence_header (b: Bertie.Tls13utils.t_Bytes) (offset: usize) +- : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result usize u8) ++ (v offset + 1 < Seq.length b._0 /\ v offset + 129 < pow2 32) ++ (fun _ -> Prims.l_True) + + val short_length (b: Bertie.Tls13utils.t_Bytes) (offset: usize) + : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) +@@ -60,34 +74,29 @@ + val length (b: Bertie.Tls13utils.t_Bytes) (offset: usize) + : Prims.Pure (Core.Result.t_Result (usize & usize) u8) Prims.l_True (fun _ -> Prims.l_True) + +-val skip_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) +- : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) +- +-val skip_sequence (b: Bertie.Tls13utils.t_Bytes) (offset: usize) +- : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) +- +-val read_spki (cert: Bertie.Tls13utils.t_Bytes) (offset: usize) +- : Prims.Pure (Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) ++val read_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) ++ : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True + (fun _ -> Prims.l_True) + +-val verification_key_from_cert (cert: Bertie.Tls13utils.t_Bytes) ++val read_spki (cert: Bertie.Tls13utils.t_Bytes) (offset: usize) + : Prims.Pure (Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) + Prims.l_True + (fun _ -> 
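Review bot: The precondition added for `ecdsa_public_key` bounds `indices._0` by the certificate length and requires `indices._1 > 0`, but nothing relates `indices._0 + indices._1` to `Seq.length cert._0`. The body in Bertie.Tls13cert.fst slices `cert` from `offset +! sz 1` for `len -! sz 1` bytes. Unless `impl__Bytes__slice` carries its own bound (its signature is not visible here), an over-long `len` taken from a malformed certificate still satisfies this contract. I would add the conjunct `v indices._0 + v indices._1 <= Seq.length cert._0`.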
Prims.l_True) + +-val ecdsa_public_key (cert: Bertie.Tls13utils.t_Bytes) (indices: t_CertificateKey) +- : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- Prims.l_True +- (fun _ -> Prims.l_True) ++val skip_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) ++ : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) + +-val read_integer (b: Bertie.Tls13utils.t_Bytes) (offset: usize) ++val skip_sequence (b: Bertie.Tls13utils.t_Bytes) (offset: usize) ++ : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) ++ ++val rsa_private_key (key: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True + (fun _ -> Prims.l_True) + +-val rsa_private_key (key: Bertie.Tls13utils.t_Bytes) +- : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++val verification_key_from_cert (cert: Bertie.Tls13utils.t_Bytes) ++ : Prims.Pure (Core.Result.t_Result (Bertie.Tls13crypto.t_SignatureScheme & t_CertificateKey) u8) + Prims.l_True + (fun _ -> Prims.l_True) + +diff -ruN extraction-lax/Bertie.Tls13crypto.fsti extraction-panic-free/Bertie.Tls13crypto.fsti +--- extraction-lax/Bertie.Tls13crypto.fsti 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13crypto.fsti 2024-04-05 08:35:03 +@@ -54,10 +54,12 @@ + *) + + val impl__HashAlgorithm__hash_len (self: t_HashAlgorithm) +- : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure usize Prims.l_True ++ (fun res -> v res <= 64) + + val impl__HashAlgorithm__hmac_tag_len (self: t_HashAlgorithm) +- : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure usize Prims.l_True ++ (fun res -> v res <= 64) + + (* + val hkdf_algorithm (alg: t_HashAlgorithm) +@@ -294,7 +296,9 @@ + val impl__HashAlgorithm__hash (self: t_HashAlgorithm) (data: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> 
match res with ++ | Core.Result.Result_Ok h -> Seq.length h._0 <= 64 ++ | _ -> True) + + val hkdf_expand (alg: t_HashAlgorithm) (prk info: Bertie.Tls13utils.t_Bytes) (len: usize) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +@@ -314,21 +318,32 @@ + val impl__Algorithms__ciphersuite (self: t_Algorithms) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok b -> Seq.length b._0 == 2 ++ | _ -> True) + + val impl__Algorithms__check (self: t_Algorithms) (bytes: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok len -> v len < 256 /\ Seq.length bytes >= v len ++ | _ -> True) + ++ + val impl__Algorithms__signature_algorithm (self: t_Algorithms) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok b -> Seq.length b._0 == 2 ++ | _ -> True) + + val impl__Algorithms__supported_group (self: t_Algorithms) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok b -> Seq.length b._0 == 2 ++ | _ -> True) + ++ + val sign + (#impl_916461611_: Type) + {| i1: Rand_core.t_CryptoRng impl_916461611_ |} +@@ -372,7 +387,9 @@ + (impl_916461611_ & + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun (_,res) -> match res with ++ | Core.Result.Result_Ok (sk,pk) -> Seq.length pk._0 < 65536 ++ | _ -> True) + + val into_raw (alg: t_KemScheme) (point: Bertie.Tls13utils.t_Bytes) + : Prims.Pure Bertie.Tls13utils.t_Bytes Prims.l_True (fun _ -> Prims.l_True) +@@ -396,10 +413,13 @@ + (impl_916461611_ & + 
Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun (_,res) -> match res with ++ | Core.Result.Result_Ok (ss,gy) -> Seq.length gy._0 < 65536 ++ | _ -> True) + + val zero_key (alg: t_HashAlgorithm) +- : Prims.Pure Bertie.Tls13utils.t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure Bertie.Tls13utils.t_Bytes Prims.l_True ++ (fun res -> Seq.length res._0 == v (impl__HashAlgorithm__hash_len alg)) + + val hmac_verify (alg: t_HashAlgorithm) (mk input tag: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) +@@ -518,7 +538,9 @@ + val aead_encrypt (k: t_AeadKey) (iv plain aad: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok cip -> Seq.length cip._0 = Seq.length plain._0 + 16 ++ | _ -> True) + + val verify + (alg: t_SignatureScheme) +@@ -528,7 +550,7 @@ + + type t_AeadKeyIV = { + f_key:t_AeadKey; +- f_iv:Bertie.Tls13utils.t_Bytes ++ f_iv:x:Bertie.Tls13utils.t_Bytes{Seq.length x._0 >= 8 /\ Seq.length x._0 <= 32} + } + + val impl__AeadKeyIV__new (key: t_AeadKey) (iv: Bertie.Tls13utils.t_Bytes) +diff -ruN extraction-lax/Bertie.Tls13formats.Handshake_data.fst extraction-panic-free/Bertie.Tls13formats.Handshake_data.fst +--- extraction-lax/Bertie.Tls13formats.Handshake_data.fst 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13formats.Handshake_data.fst 2024-04-05 08:35:03 +@@ -82,7 +82,7 @@ + <: + t_Slice u8) + with +- | Core.Result.Result_Ok len -> ++ | Core.Result.Result_Ok len -> ( + let message:Bertie.Tls13utils.t_Bytes = + Bertie.Tls13utils.impl__Bytes__slice_range self._0 + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 +! 
len <: usize } +@@ -103,7 +103,7 @@ + <: + (t_HandshakeData & t_HandshakeData)) + <: +- Core.Result.t_Result (t_HandshakeData & t_HandshakeData) u8 ++ Core.Result.t_Result (t_HandshakeData & t_HandshakeData) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result (t_HandshakeData & t_HandshakeData) u8 + +@@ -154,7 +154,6 @@ + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result t_HandshakeData u8 + +-let impl__HandshakeData__to_bytes (self: t_HandshakeData) = Core.Clone.f_clone self._0 + + let impl__HandshakeData__to_four (self: t_HandshakeData) = + match impl__HandshakeData__next_handshake_message self with +@@ -244,12 +243,13 @@ + Core.Result.t_Result t_HandshakeData u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result t_HandshakeData u8 +- ++ + let rec impl__HandshakeData__find_handshake_message + (self: t_HandshakeData) + (handshake_type: t_HandshakeType) + (start: usize) + = ++ assume (v start + 4 < max_usize); + if (impl__HandshakeData__len self <: usize) <. (start +! 
sz 4 <: usize) + then false + else +diff -ruN extraction-lax/Bertie.Tls13formats.Handshake_data.fsti extraction-panic-free/Bertie.Tls13formats.Handshake_data.fsti +--- extraction-lax/Bertie.Tls13formats.Handshake_data.fsti 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13formats.Handshake_data.fsti 2024-04-05 08:35:03 +@@ -57,10 +57,9 @@ + val impl__HandshakeData__as_handshake_message + (self: t_HandshakeData) + (expected_type: t_HandshakeType) +- : Prims.Pure (Core.Result.t_Result t_HandshakeData u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result t_HandshakeData u8) Prims.l_True (fun _ -> Prims.l_True) + +-val impl__HandshakeData__to_bytes (self: t_HandshakeData) +- : Prims.Pure Bertie.Tls13utils.t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++let impl__HandshakeData__to_bytes (self: t_HandshakeData) = self._0 + + val impl__HandshakeData__to_four (self: t_HandshakeData) + : Prims.Pure +@@ -92,4 +91,7 @@ + (self: t_HandshakeData) + (handshake_type: t_HandshakeType) + (start: usize) +- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure bool ++ (v start <= v (impl__HandshakeData__len self)) ++ (fun _ -> Prims.l_True) ++ (decreases (v (impl__HandshakeData__len self) - v start)) +diff -ruN extraction-lax/Bertie.Tls13formats.fst extraction-panic-free/Bertie.Tls13formats.fst +--- extraction-lax/Bertie.Tls13formats.fst 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13formats.fst 2024-04-05 08:35:03 +@@ -47,6 +47,8 @@ + | ContentType_Handshake -> discriminant_ContentType_Handshake + | ContentType_ApplicationData -> discriminant_ContentType_ApplicationData + ++let foofoooo (_: Prims.unit) = cast (discriminant_ContentType_Handshake +! 
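Review bot: `assume (v start + 4 < max_usize);` at the top of `impl__HandshakeData__find_handshake_message` admits the overflow bound instead of proving it, so the panic-freedom result for `start +! sz 4` rests on an unchecked fact. The precondition added in the `Bertie.Tls13formats.Handshake_data.fsti` hunk of this patch (`v start <= v (impl__HandshakeData__len self)`) does not imply it on its own. Either carry the bound in the interface, e.g. `(v start <= v (impl__HandshakeData__len self) /\ v start + 4 < max_usize)`, or derive it from a length bound on `t_HandshakeData`, and then drop the `assume`. The function body continues outside the hunk.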
0uy <: u8) <: u8 ++ + let application_data_instead_of_handshake (_: Prims.unit) = + Core.Result.Result_Err Bertie.Tls13utils.v_APPLICATION_DATA_INSTEAD_OF_HANDSHAKE + <: +@@ -104,18 +106,16 @@ + let check_psk_key_exchange_modes (client_hello: t_Slice u8) = + match Bertie.Tls13utils.check_length_encoding_u8_slice client_hello with + | Core.Result.Result_Ok _ -> +- Bertie.Tls13utils.check_eq_slice (Rust_primitives.unsize (let list = ++ Bertie.Tls13utils.check_eq_with_slice (Rust_primitives.unsize (let list = + [Bertie.Tls13utils.v_U8 1uy <: u8] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + t_Slice u8) +- (client_hello.[ { Core.Ops.Range.f_start = sz 1; Core.Ops.Range.f_end = sz 2 } +- <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) ++ client_hello ++ (sz 1) ++ (sz 2) + | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result Prims.unit u8 + + let check_supported_versions (client_hello: t_Slice u8) = +@@ -193,8 +193,8 @@ + with + | Core.Result.Result_Ok _ -> + if +- (((Core.Slice.impl__len ch <: usize) -! sz 6 <: usize) -! len_id <: usize) <>. +- sz 32 ++ (((Core.Slice.impl__len ch <: usize) -! sz 5 <: usize) -! len_id <: usize) <>. 
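Review bot: `foofoooo`, added right after the `ContentType` discriminant match, looks like leftover scratch code: nothing in the visible patch refers to it and its body only adds `0uy` to `discriminant_ContentType_Handshake`. If it is needed, for example to force a check on the discriminant's type, give it a descriptive name and a comment such as `(* keeps the ContentType discriminant arithmetic in the verified model *)`. Otherwise drop the definition, at the source it was extracted from if it originates there, so the verified model carries no unexplained definitions.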
++ sz 33 + then Bertie.Tls13utils.tlserr (Bertie.Tls13utils.parse_failed () <: u8) + else Core.Result.Result_Ok (() <: Prims.unit) <: Core.Result.t_Result Prims.unit u8 + | Core.Result.Result_Err err -> +@@ -230,18 +230,16 @@ + match Bertie.Tls13utils.check_length_encoding_u16_slice extension with + | Core.Result.Result_Ok _ -> + (match +- Bertie.Tls13utils.check_eq_slice (Rust_primitives.unsize (let list = ++ Bertie.Tls13utils.check_eq_with_slice (Rust_primitives.unsize (let list = + [Bertie.Tls13utils.v_U8 0uy <: u8] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + t_Slice u8) +- (extension.[ { Core.Ops.Range.f_start = sz 2; Core.Ops.Range.f_end = sz 3 } +- <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) ++ extension ++ (sz 2) ++ (sz 3) + with + | Core.Result.Result_Ok _ -> + (match +@@ -277,14 +275,12 @@ + match Bertie.Tls13crypto.impl__Algorithms__supported_group algs with + | Core.Result.Result_Ok hoist21 -> + (match +- Bertie.Tls13utils.check_eq_slice (Bertie.Tls13utils.impl__Bytes__as_raw hoist21 ++ Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw hoist21 + <: + t_Slice u8) +- (b.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 2 } +- <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) ++ b ++ (sz 0) ++ (sz 2) + with + | Core.Result.Result_Ok _ -> + (match +@@ -317,157 +313,167 @@ + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + + let check_server_extension (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = +- Rust_primitives.Hax.Control_flow_monad.Mexception.run (let l0:usize = +- cast (Bertie.Tls13utils.f_declassify (b.[ sz 0 ] <: u8) <: u8) <: usize +- in +- let l1:usize = cast (Bertie.Tls13utils.f_declassify (b.[ sz 1 ] <: u8) <: u8) <: usize in +- match +- Bertie.Tls13utils.length_u16_encoded (b.[ { +- Core.Ops.Range.f_start = sz 2; +- Core.Ops.Range.f_end = Core.Slice.impl__len b 
<: usize +- } ++ Rust_primitives.Hax.Control_flow_monad.Mexception.run (if ++ (Core.Slice.impl__len b <: usize) <. sz 4 <: bool ++ then ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err (Bertie.Tls13utils.parse_failed () <: u8) ++ <: ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ else ++ let l0:usize = cast (Bertie.Tls13utils.f_declassify (b.[ sz 0 ] <: u8) <: u8) <: usize in ++ let l1:usize = cast (Bertie.Tls13utils.f_declassify (b.[ sz 1 ] <: u8) <: u8) <: usize in ++ match ++ Bertie.Tls13utils.length_u16_encoded (b.[ { ++ Core.Ops.Range.f_start = sz 2; ++ Core.Ops.Range.f_end = Core.Slice.impl__len b <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok len -> +- let out:Core.Option.t_Option Bertie.Tls13utils.t_Bytes = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes +- in +- let! out:Core.Option.t_Option Bertie.Tls13utils.t_Bytes = +- match (cast (l0 <: usize) <: u8), (cast (l1 <: usize) <: u8) <: (u8 & u8) with +- | 0uy, 43uy -> +- (match +- check_server_supported_version algs +- (b.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok len -> ++ let out:Core.Option.t_Option Bertie.Tls13utils.t_Bytes = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes ++ in ++ let! out:Core.Option.t_Option Bertie.Tls13utils.t_Bytes = ++ match (cast (l0 <: usize) <: u8), (cast (l1 <: usize) <: u8) <: (u8 & u8) with ++ | 0uy, 43uy -> ++ (match ++ check_server_supported_version algs ++ (b.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! 
len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok ok -> ++ Core.Ops.Control_flow.ControlFlow_Continue out ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ | Core.Result.Result_Err err -> ++ let! _:Prims.unit = ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ u8) + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok ok -> +- Core.Ops.Control_flow.ControlFlow_Continue out +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- | Core.Result.Result_Err err -> +- let! _:Prims.unit = +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 +- ) ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ u8) Prims.unit ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue out + <: + Core.Ops.Control_flow.t_ControlFlow + (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) Prims.unit +- in +- Core.Ops.Control_flow.ControlFlow_Continue out +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) +- | 0uy, 51uy -> +- (match +- check_server_key_share algs +- (b.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! 
len <: usize +- } ++ u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) ++ | 0uy, 51uy -> ++ (match ++ check_server_key_share algs ++ (b.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok gx -> ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Option.Option_Some gx <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ | Core.Result.Result_Err err -> ++ let! _:Prims.unit = ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ u8) + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok gx -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Option.Option_Some gx <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- | Core.Result.Result_Err err -> +- let! 
_:Prims.unit = +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 +- ) ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ u8) Prims.unit ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue out + <: + Core.Ops.Control_flow.t_ControlFlow + (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) Prims.unit +- in +- Core.Ops.Control_flow.ControlFlow_Continue out +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) +- | 0uy, 41uy -> +- (match +- check_server_psk_shared_key algs +- (b.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } ++ u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) ++ | 0uy, 41uy -> ++ (match ++ check_server_psk_shared_key algs ++ (b.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok ok -> ++ Core.Ops.Control_flow.ControlFlow_Continue out ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ | Core.Result.Result_Err err -> ++ let! 
_:Prims.unit = ++ Core.Ops.Control_flow.ControlFlow_Break ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ u8) + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok ok -> +- Core.Ops.Control_flow.ControlFlow_Continue out +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- | Core.Result.Result_Err err -> +- let! _:Prims.unit = +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8 +- ) ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ u8) Prims.unit ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue out + <: + Core.Ops.Control_flow.t_ControlFlow + (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- u8) Prims.unit +- in +- Core.Ops.Control_flow.ControlFlow_Continue out +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) +- | _ -> +- Core.Ops.Control_flow.ControlFlow_Continue out ++ u8) (Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) ++ | _ -> ++ Core.Ops.Control_flow.ControlFlow_Continue out ++ <: ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) ++ in ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Ok ++ (sz 4 +! 
len, out <: (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- in +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Ok +- (sz 4 +! len, out <: (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes)) ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) + <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ | Core.Result.Result_Err err -> ++ Core.Ops.Control_flow.ControlFlow_Continue ++ (Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) + <: +- Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) +- (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8)) ++ Core.Ops.Control_flow.t_ControlFlow ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) ++ (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8)) + + let check_signature_algorithms (algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) = + match 
Bertie.Tls13utils.check_length_encoding_u16_slice ch with +@@ -781,7 +787,10 @@ + Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) + <: + Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 +- else ++ else ( ++ assert((Bertie.Tls13utils.impl__Bytes__len sv <: usize) == sz 64); ++ assert(v (Bertie.Tls13utils.impl__Bytes__len sv <: usize) == 64); ++ assert (Seq.length sv._0 == 64); + let b0:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 0uy in + let b1:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 48uy in + let b2:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 2uy in +@@ -841,7 +850,7 @@ + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 ++ Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + + let pre_shared_key + (algs: Bertie.Tls13crypto.t_Algorithms) +@@ -933,29 +942,6 @@ + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + +-let get_psk_extensions +- (algorithms: Bertie.Tls13crypto.t_Algorithms) +- (session_ticket extensions: Bertie.Tls13utils.t_Bytes) +- = +- match psk_key_exchange_modes () with +- | Core.Result.Result_Ok pskm -> +- (match pre_shared_key algorithms session_ticket with +- | Core.Result.Result_Ok (psk, len) -> +- let extensions:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__concat (Bertie.Tls13utils.impl__Bytes__concat extensions +- pskm +- <: +- Bertie.Tls13utils.t_Bytes) +- psk +- in +- Core.Result.Result_Ok (len, extensions <: (usize & Bertie.Tls13utils.t_Bytes)) +- <: +- Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: 
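Review bot: In `check_server_extension` the wildcard arm `| _ -> Core.Ops.Control_flow.ControlFlow_Continue out` still leads to `Result_Ok (sz 4 +! len, out)`, so an extension whose type is not 43, 51 or 41 is skipped rather than rejected. If this parser handles ServerHello extensions, RFC 8446 section 4.2 expects the client to abort with `unsupported_extension` when the server sends an extension the client did not offer. I would either return an error in that arm or add a comment such as `(* unknown extension types are deliberately skipped; see caller *)` so the leniency is a recorded decision. Separately, the new `<. sz 4` guard covers the reads of `b.[ sz 0 ]` and `b.[ sz 1 ]`, but the slices ending at `sz 4 +! len` depend on what `length_u16_encoded` guarantees about `len`, which is not visible in this hunk.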
Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8 +- + let supported_versions (_: Prims.unit) = + match + Bertie.Tls13utils.encode_length_u8 (Rust_primitives.unsize (let list = +@@ -1012,83 +998,48 @@ + | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result t_Extensions u8 + + let certificate_verify (algs: Bertie.Tls13crypto.t_Algorithms) (cv: Bertie.Tls13utils.t_Bytes) = +- Rust_primitives.Hax.Control_flow_monad.Mexception.run (let! sv:Bertie.Tls13utils.t_Bytes = +- match algs.Bertie.Tls13crypto.f_signature with +- | Bertie.Tls13crypto.SignatureScheme_RsaPssRsaSha256 -> +- Core.Ops.Control_flow.ControlFlow_Continue (Core.Clone.f_clone cv) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Bertie.Tls13utils.t_Bytes +- | Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 -> +- if (Bertie.Tls13utils.impl__Bytes__len cv <: usize) <>. sz 64 +- then +- let! hoist141:Rust_primitives.Hax.t_Never = +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Rust_primitives.Hax.t_Never ++ match ++ match algs.Bertie.Tls13crypto.f_signature with ++ | Bertie.Tls13crypto.SignatureScheme_RsaPssRsaSha256 -> ++ Core.Result.Result_Ok (Core.Clone.f_clone cv) ++ <: ++ Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 ++ | Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 -> ++ if (Bertie.Tls13utils.impl__Bytes__len cv <: usize) <>. 
sz 64 ++ then ++ Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) ++ <: ++ Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 ++ else ecdsa_signature cv ++ | Bertie.Tls13crypto.SignatureScheme_ED25519 -> ++ Core.Result.Result_Err Bertie.Tls13utils.v_UNSUPPORTED_ALGORITHM ++ <: ++ Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 ++ with ++ | Core.Result.Result_Ok sv -> ++ (match Bertie.Tls13crypto.impl__Algorithms__signature_algorithm algs with ++ | Core.Result.Result_Ok hoist142 -> ++ (match Bertie.Tls13utils.encode_length_u16 sv with ++ | Core.Result.Result_Ok hoist141 -> ++ let sig:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__concat hoist142 hoist141 + in +- Core.Ops.Control_flow.ControlFlow_Continue (Rust_primitives.Hax.never_to_any hoist141) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Bertie.Tls13utils.t_Bytes +- else +- (match ecdsa_signature cv with +- | Core.Result.Result_Ok ok -> +- Core.Ops.Control_flow.ControlFlow_Continue ok ++ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_CertificateVerify + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Bertie.Tls13utils.t_Bytes +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Bertie.Tls13utils.t_Bytes) +- | Bertie.Tls13crypto.SignatureScheme_ED25519 -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not implemented" +- <: +- Rust_primitives.Hax.t_Never)) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result 
Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Bertie.Tls13utils.t_Bytes +- in +- Core.Ops.Control_flow.ControlFlow_Continue +- (match Bertie.Tls13crypto.impl__Algorithms__signature_algorithm algs with +- | Core.Result.Result_Ok hoist143 -> +- (match Bertie.Tls13utils.encode_length_u16 sv with +- | Core.Result.Result_Ok hoist142 -> +- let sig:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__concat hoist143 hoist142 +- in +- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_CertificateVerify +- <: +- Bertie.Tls13formats.Handshake_data.t_HandshakeType) +- sig +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) ++ Bertie.Tls13formats.Handshake_data.t_HandshakeType) ++ sig ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 + + let check_handshake_record (p: Bertie.Tls13utils.t_Bytes) = + Rust_primitives.Hax.Control_flow_monad.Mexception.run (if +@@ -1209,7 +1160,7 @@ + <: + Core.Ops.Control_flow.t_ControlFlow + (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8) +- (Core.Result.t_Result 
(Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8)) ++ (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8)) + + let rec check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) = + match check_server_extension algs b with +@@ -1311,102 +1262,73 @@ + Bertie.Tls13utils.impl__Bytes__append out key_shares + in + let extensions:Bertie.Tls13utils.t_Bytes = out in +- (match +- match +- Bertie.Tls13crypto.impl__Algorithms__psk_mode algorithms, +- session_ticket +- <: +- (bool & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) +- with +- | true, Core.Option.Option_Some session_ticket -> +- get_psk_extensions algorithms session_ticket extensions +- | false, Core.Option.Option_None -> +- Core.Result.Result_Ok +- (sz 0, extensions <: (usize & Bertie.Tls13utils.t_Bytes)) +- <: +- Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8 +- | _ -> +- Bertie.Tls13utils.tlserr Bertie.Tls13utils.v_PSK_MODE_MISMATCH +- with +- | Core.Result.Result_Ok (trunc_len, extensions) -> +- (match Bertie.Tls13utils.encode_length_u16 extensions with +- | Core.Result.Result_Ok encoded_extensions -> +- let len:usize = +- (Bertie.Tls13utils.impl__Bytes__len version <: usize) +! +- (Bertie.Tls13utils.impl__Bytes__len client_random <: usize +- ) +- in +- let len:usize = +- len +! +- (Bertie.Tls13utils.impl__Bytes__len legacy_session_id ++ let trunc_len:usize = sz 0 in ++ (match Bertie.Tls13utils.encode_length_u16 extensions with ++ | Core.Result.Result_Ok encoded_extensions -> ++ let len:usize = ++ (Bertie.Tls13utils.impl__Bytes__len version <: usize) +! ++ (Bertie.Tls13utils.impl__Bytes__len client_random <: usize) ++ in ++ let len:usize = ++ len +! ++ (Bertie.Tls13utils.impl__Bytes__len legacy_session_id <: usize ++ ) ++ in ++ let len:usize = ++ len +! ++ (Bertie.Tls13utils.impl__Bytes__len cipher_suites <: usize) ++ in ++ let len:usize = ++ len +! 
++ (Bertie.Tls13utils.impl__Bytes__len compression_methods ++ <: ++ usize) ++ in ++ let len:usize = ++ len +! ++ (Bertie.Tls13utils.impl__Bytes__len encoded_extensions ++ <: ++ usize) ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__new_alloc len ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out version ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out client_random ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out legacy_session_id ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out cipher_suites ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out compression_methods ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out encoded_extensions ++ in ++ let handshake_bytes:Bertie.Tls13utils.t_Bytes = out in ++ (match ++ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes ++ (Bertie.Tls13formats.Handshake_data.HandshakeType_ClientHello + <: +- usize) +- in +- let len:usize = +- len +! +- (Bertie.Tls13utils.impl__Bytes__len cipher_suites <: usize +- ) +- in +- let len:usize = +- len +! +- (Bertie.Tls13utils.impl__Bytes__len compression_methods +- <: +- usize) +- in +- let len:usize = +- len +! 
+- (Bertie.Tls13utils.impl__Bytes__len encoded_extensions +- <: +- usize) +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__new_alloc len +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out version +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out client_random +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out +- legacy_session_id +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out cipher_suites +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out +- compression_methods +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out +- encoded_extensions +- in +- let handshake_bytes:Bertie.Tls13utils.t_Bytes = out in +- (match +- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes +- (Bertie.Tls13formats.Handshake_data.HandshakeType_ClientHello +- <: +- Bertie.Tls13formats.Handshake_data.t_HandshakeType) +- handshake_bytes +- with +- | Core.Result.Result_Ok client_hello -> +- Core.Result.Result_Ok +- (client_hello, trunc_len +- <: +- (Bertie.Tls13formats.Handshake_data.t_HandshakeData & +- usize)) +- <: +- Core.Result.t_Result +- (Bertie.Tls13formats.Handshake_data.t_HandshakeData & +- usize) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13formats.Handshake_data.t_HandshakeData & +- usize) u8) ++ Bertie.Tls13formats.Handshake_data.t_HandshakeType) ++ handshake_bytes ++ with ++ | Core.Result.Result_Ok client_hello -> ++ Core.Result.Result_Ok ++ (client_hello, trunc_len ++ <: ++ (Bertie.Tls13formats.Handshake_data.t_HandshakeData & ++ usize)) ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13formats.Handshake_data.t_HandshakeData & ++ usize) u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: +@@ -1570,196 +1492,207 @@ + 
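Review bot: With `let trunc_len:usize = sz 0 in` replacing the match on `impl__Algorithms__psk_mode algorithms, session_ticket`, this code no longer reports `v_PSK_MODE_MISMATCH` and no longer appends the PSK extensions. Assuming the function still receives `session_ticket`, a caller that selects PSK mode or passes a ticket now gets a ClientHello without them and no error. The panic-free model therefore does not cover the PSK path that the lax extraction had (`get_psk_extensions` is deleted in an earlier hunk of this file). If PSK is out of scope for this proof, keep a rejecting arm, e.g. `Bertie.Tls13utils.tlserr Bertie.Tls13utils.v_PSK_MODE_MISMATCH` when `psk_mode` is true or a ticket is present, and say so in a comment. The enclosing function starts and ends outside the hunk.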
Core.Result.Result_Err err <: Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8 + + let check_extension (algs: Bertie.Tls13crypto.t_Algorithms) (bytes: t_Slice u8) = +- let l0:usize = cast (Bertie.Tls13utils.f_declassify (bytes.[ sz 0 ] <: u8) <: u8) <: usize in +- let l1:usize = cast (Bertie.Tls13utils.f_declassify (bytes.[ sz 1 ] <: u8) <: u8) <: usize in +- match +- Bertie.Tls13utils.length_u16_encoded_slice (bytes.[ { +- Core.Ops.Range.f_start = sz 2; +- Core.Ops.Range.f_end = Core.Slice.impl__len bytes <: usize +- } ++ if (Core.Slice.impl__len bytes <: usize) <. sz 4 ++ then ++ Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ else ++ let l0:usize = cast (Bertie.Tls13utils.f_declassify (bytes.[ sz 0 ] <: u8) <: u8) <: usize in ++ let l1:usize = cast (Bertie.Tls13utils.f_declassify (bytes.[ sz 1 ] <: u8) <: u8) <: usize in ++ match ++ Bertie.Tls13utils.length_u16_encoded_slice (bytes.[ { ++ Core.Ops.Range.f_start = sz 2; ++ Core.Ops.Range.f_end = Core.Slice.impl__len bytes <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok len -> ++ let out:t_Extensions = ++ { ++ f_sni = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_key_share = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_ticket = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_binder = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes ++ } + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok len -> +- let out:t_Extensions = +- { +- f_sni = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_key_share = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_ticket = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_binder = Core.Option.Option_None 
<: Core.Option.t_Option Bertie.Tls13utils.t_Bytes +- } +- <: +- t_Extensions +- in +- (match (cast (l0 <: usize) <: u8), (cast (l1 <: usize) <: u8) <: (u8 & u8) with +- | 0uy, 0uy -> +- (match +- check_server_name (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize ++ t_Extensions ++ in ++ (match (cast (l0 <: usize) <: u8), (cast (l1 <: usize) <: u8) <: (u8 & u8) with ++ | 0uy, 0uy -> ++ (match ++ check_server_name (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok hoist151 -> ++ Core.Result.Result_Ok ++ (sz 4 +! len, ++ ({ ++ f_sni ++ = ++ Core.Option.Option_Some hoist151 ++ <: ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_key_share ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_ticket ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_binder ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes + } + <: +- Core.Ops.Range.t_Range usize ] ++ t_Extensions) + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok hoist152 -> +- Core.Result.Result_Ok +- (sz 4 +! 
len, +- ({ +- f_sni +- = +- Core.Option.Option_Some hoist152 <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_key_share +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_ticket +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_binder +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes +- } +- <: +- t_Extensions) ++ (usize & t_Extensions)) + <: +- (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 45uy -> +- (match +- check_psk_key_exchange_modes (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 45uy -> ++ (match ++ check_psk_key_exchange_modes (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 43uy -> +- (match +- check_supported_versions (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! 
len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 43uy -> ++ (match ++ check_supported_versions (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 10uy -> +- (match +- check_supported_groups algs +- (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 10uy -> ++ (match ++ check_supported_groups algs ++ (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 13uy -> +- (match +- check_signature_algorithms algs +- (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! 
len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 13uy -> ++ (match ++ check_signature_algorithms algs ++ (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | 0uy, 51uy -> +- (match +- check_key_shares algs +- (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | 0uy, 51uy -> ++ (match ++ check_key_shares algs ++ (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok gx -> ++ Core.Result.Result_Ok ++ (sz 4 +! 
len, ++ ({ ++ f_sni ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_key_share ++ = ++ Core.Option.Option_Some gx <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_ticket ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; ++ f_binder ++ = ++ Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes + } + <: +- Core.Ops.Range.t_Range usize ] ++ t_Extensions) + <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok gx -> +- Core.Result.Result_Ok +- (sz 4 +! len, +- ({ +- f_sni = Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_key_share +- = +- Core.Option.Option_Some gx <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_ticket +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +- f_binder +- = +- Core.Option.Option_None <: Core.Option.t_Option Bertie.Tls13utils.t_Bytes +- } +- <: +- t_Extensions) ++ (usize & t_Extensions)) + <: +- (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err _ -> +- Bertie.Tls13utils.tlserr Bertie.Tls13utils.v_MISSING_KEY_SHARE) +- | 0uy, 41uy -> +- (match +- check_psk_shared_key algs +- (bytes.[ { +- Core.Ops.Range.f_start = sz 4; +- Core.Ops.Range.f_end = sz 4 +! len <: usize +- } ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err _ -> ++ Bertie.Tls13utils.tlserr Bertie.Tls13utils.v_MISSING_KEY_SHARE) ++ | 0uy, 41uy -> ++ (match ++ check_psk_shared_key algs ++ (bytes.[ { ++ Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_end = sz 4 +! len <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok _ -> +- Core.Result.Result_Ok (sz 4 +! 
len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) +- | _ -> +- Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) +- <: +- Core.Result.t_Result (usize & t_Extensions) u8) +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8 ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8 ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8) ++ | _ -> ++ Core.Result.Result_Ok (sz 4 +! len, out <: (usize & t_Extensions)) ++ <: ++ Core.Result.t_Result (usize & t_Extensions) u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err <: Core.Result.t_Result (usize & t_Extensions) u8 + ++ + let finished (vd: Bertie.Tls13utils.t_Bytes) = + Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_Finished + <: +@@ -1815,15 +1748,14 @@ + Bertie.Tls13crypto.impl__Algorithms__signature algs + in + (match Bertie.Tls13crypto.impl__Algorithms__signature_algorithm algs with +- | Core.Result.Result_Ok hoist158 -> ++ | Core.Result.Result_Ok hoist157 -> + (match +- Bertie.Tls13utils.check_eq hoist158 +- (Bertie.Tls13utils.impl__Bytes__slice_range cv +- ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 2 } +- <: +- Core.Ops.Range.t_Range usize) ++ Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw hoist157 + <: +- Bertie.Tls13utils.t_Bytes) ++ t_Slice u8) ++ (Bertie.Tls13utils.impl__Bytes__as_raw cv <: t_Slice u8) ++ (sz 0) ++ (sz 2) + with + | Core.Result.Result_Ok _ -> + (match +@@ -1867,7 +1799,7 @@ + Core.Result.Result_Ok + (Bertie.Tls13utils.impl__Bytes__slice_range cv 
+ ({ +- Core.Ops.Range.f_start = sz 8; ++ Core.Ops.Range.f_start = sz 4; + Core.Ops.Range.f_end = Bertie.Tls13utils.impl__Bytes__len cv <: usize + } + <: +@@ -1904,13 +1836,13 @@ + u8) + in + match +- Bertie.Tls13utils.check_eq expected_handshake_type +- (Bertie.Tls13utils.impl__Bytes__slice_range encrypted_extension_bytes +- ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 1 } +- <: +- Core.Ops.Range.t_Range usize) ++ Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw expected_handshake_type ++ + <: +- Bertie.Tls13utils.t_Bytes) ++ t_Slice u8) ++ (Bertie.Tls13utils.impl__Bytes__as_raw encrypted_extension_bytes <: t_Slice u8) ++ (sz 0) ++ (sz 1) + with + | Core.Result.Result_Ok _ -> + Bertie.Tls13utils.check_length_encoding_u24 (Bertie.Tls13utils.impl__Bytes__raw_slice encrypted_extension_bytes +@@ -1949,7 +1881,7 @@ + let next:usize = sz 0 in + (match + Bertie.Tls13utils.length_u8_encoded (sc.[ { +- Core.Ops.Range.f_start = sz 4; ++ Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Bertie.Tls13utils.impl__Bytes__len sc <: usize + } + <: +@@ -2022,199 +1954,159 @@ + (algs: Bertie.Tls13crypto.t_Algorithms) + (server_hello: Bertie.Tls13formats.Handshake_data.t_HandshakeData) + = +- Rust_primitives.Hax.Control_flow_monad.Mexception.run (match +- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__as_handshake_message server_hello +- (Bertie.Tls13formats.Handshake_data.HandshakeType_ServerHello +- <: +- Bertie.Tls13formats.Handshake_data.t_HandshakeType) ++ match ++ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__as_handshake_message server_hello ++ (Bertie.Tls13formats.Handshake_data.HandshakeType_ServerHello + <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 +- with +- | Core.Result.Result_Ok (Bertie.Tls13formats.Handshake_data.HandshakeData server_hello) -> +- let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in +- (match 
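Review bot: The change from `Core.Ops.Range.f_start = sz 8` to `sz 4` alters which bytes of `cv` the function returns, so it is a behavioural edit to the extracted text rather than a proof aid. The `@@ -1949,7 +1881,7 @@` hunk does the same with `sz 4` to `sz 0` for the `length_u8_encoded` call on `sc`. The renumbered binders elsewhere (`hoist158` to `hoist157`) suggest the new side was itself extracted from a different source revision. If so, regenerating the base extraction would drop these lines from the patch and leave only the proof-related edits. Otherwise each constant needs a comment such as `(* offset 4 = <header fields skipped> *)` so a reader can check it against the message layout; both functions start outside their hunks.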
Bertie.Tls13crypto.impl__Algorithms__ciphersuite algs with +- | Core.Result.Result_Ok cip -> +- let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 0uy in +- let next:usize = sz 0 in +- let! _:Prims.unit = +- match +- Bertie.Tls13utils.check_eq ver +- (Bertie.Tls13utils.impl__Bytes__slice_range server_hello +- ({ +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end = next +! sz 2 <: usize +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Bertie.Tls13utils.t_Bytes) +- with +- | Core.Result.Result_Ok _ -> +- Core.Ops.Control_flow.ControlFlow_Continue (() <: Prims.unit) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- Prims.unit +- | Core.Result.Result_Err _ -> +- match protocol_version_alert () with +- | Core.Result.Result_Ok ok -> +- Core.Ops.Control_flow.ControlFlow_Continue ok ++ Bertie.Tls13formats.Handshake_data.t_HandshakeType) ++ with ++ | Core.Result.Result_Ok (Bertie.Tls13formats.Handshake_data.HandshakeData server_hello) -> ++ let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in ++ (match Bertie.Tls13crypto.impl__Algorithms__ciphersuite algs with ++ | Core.Result.Result_Ok cip -> ++ let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 0uy in ++ let next:usize = sz 0 in ++ (match ++ match ++ Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw ver + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 +- ) Prims.unit +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 +- ) Prims.unit +- in ++ t_Slice u8) ++ (Bertie.Tls13utils.impl__Bytes__as_raw server_hello <: 
t_Slice u8) ++ next ++ (next +! sz 2 <: usize) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (() <: Prims.unit) <: Core.Result.t_Result Prims.unit u8 ++ | Core.Result.Result_Err _ -> protocol_version_alert () ++ with ++ | Core.Result.Result_Ok _ -> + let next:usize = next +! sz 2 in +- let srand:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__slice_range server_hello +- ({ Core.Ops.Range.f_start = next; Core.Ops.Range.f_end = next +! sz 32 <: usize } +- <: +- Core.Ops.Range.t_Range usize) +- in +- let next:usize = next +! sz 32 in + (match +- Bertie.Tls13utils.length_u8_encoded (server_hello.[ { ++ Bertie.Tls13utils.check ((Bertie.Tls13utils.impl__Bytes__len server_hello <: usize) >=. ++ (next +! sz 32 <: usize) ++ <: ++ bool) ++ with ++ | Core.Result.Result_Ok _ -> ++ let srand:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__slice_range server_hello ++ ({ + Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end +- = +- Bertie.Tls13utils.impl__Bytes__len server_hello <: usize ++ Core.Ops.Range.f_end = next +! sz 32 <: usize + } + <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) +- with +- | Core.Result.Result_Ok sidlen -> +- let next:usize = (next +! sz 1 <: usize) +! sidlen in +- let! _:Prims.unit = +- match +- Bertie.Tls13utils.check_eq cip +- (Bertie.Tls13utils.impl__Bytes__slice_range server_hello +- ({ +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end = next +! 
sz 2 <: usize +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Bertie.Tls13utils.t_Bytes) +- with +- | Core.Result.Result_Ok _ -> +- Core.Ops.Control_flow.ControlFlow_Continue (() <: Prims.unit) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) +- u8) Prims.unit +- | Core.Result.Result_Err _ -> +- match unsupported_cipher_alert () with +- | Core.Result.Result_Ok ok -> +- Core.Ops.Control_flow.ControlFlow_Continue ok +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) Prims.unit +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) +- u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) Prims.unit ++ Core.Ops.Range.t_Range usize) + in +- let next:usize = next +! sz 2 in +- let! _:Prims.unit = +- match +- Bertie.Tls13utils.check_eq comp +- (Bertie.Tls13utils.impl__Bytes__slice_range server_hello +- ({ +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end = next +! sz 1 <: usize +- } +- <: +- Core.Ops.Range.t_Range usize) ++ let next:usize = next +! 
sz 32 in ++ (match ++ Bertie.Tls13utils.length_u8_encoded (server_hello.[ { ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end ++ = ++ Bertie.Tls13utils.impl__Bytes__len server_hello <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] + <: +- Bertie.Tls13utils.t_Bytes) ++ t_Slice u8) + with +- | Core.Result.Result_Ok _ -> +- Core.Ops.Control_flow.ControlFlow_Continue (() <: Prims.unit) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) +- u8) Prims.unit +- | Core.Result.Result_Err _ -> +- match invalid_compression_method_alert () with +- | Core.Result.Result_Ok ok -> +- Core.Ops.Control_flow.ControlFlow_Continue ok +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) Prims.unit +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) +- u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) Prims.unit +- in +- Core.Ops.Control_flow.ControlFlow_Continue +- (let next:usize = next +! sz 1 in +- match +- Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl__Bytes__slice_range +- server_hello +- ({ +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end +- = +- Bertie.Tls13utils.impl__Bytes__len server_hello <: usize +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Bertie.Tls13utils.t_Bytes) +- with +- | Core.Result.Result_Ok _ -> +- let next:usize = next +! sz 2 in ++ | Core.Result.Result_Ok sidlen -> ++ let next:usize = (next +! sz 1 <: usize) +! 
sidlen in + (match +- check_server_extensions algs +- (server_hello.[ { +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end +- = +- Bertie.Tls13utils.impl__Bytes__len server_hello <: usize +- } ++ match ++ Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw ++ cip + <: +- Core.Ops.Range.t_Range usize ] +- <: +- t_Slice u8) ++ t_Slice u8) ++ (Bertie.Tls13utils.impl__Bytes__as_raw server_hello <: t_Slice u8) ++ next ++ (next +! sz 2 <: usize) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (() <: Prims.unit) ++ <: ++ Core.Result.t_Result Prims.unit u8 ++ | Core.Result.Result_Err _ -> unsupported_cipher_alert () + with +- | Core.Result.Result_Ok gy -> +- (match gy with +- | Core.Option.Option_Some gy -> +- Core.Result.Result_Ok +- (srand, gy <: (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes)) ++ | Core.Result.Result_Ok _ -> ++ let next:usize = next +! sz 2 in ++ (match ++ match ++ Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw ++ comp ++ <: ++ t_Slice u8) ++ (Bertie.Tls13utils.impl__Bytes__as_raw server_hello <: t_Slice u8) ++ next ++ (next +! sz 1 <: usize) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (() <: Prims.unit) ++ <: ++ Core.Result.t_Result Prims.unit u8 ++ | Core.Result.Result_Err _ -> invalid_compression_method_alert () ++ with ++ | Core.Result.Result_Ok _ -> ++ let next:usize = next +! sz 1 in ++ (match ++ Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl__Bytes__slice_range ++ server_hello ++ ({ ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end ++ = ++ Bertie.Tls13utils.impl__Bytes__len server_hello <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize) ++ <: ++ Bertie.Tls13utils.t_Bytes) ++ with ++ | Core.Result.Result_Ok _ -> ++ let next:usize = next +! 
sz 2 in ++ (match ++ check_server_extensions algs ++ (server_hello.[ { ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end ++ = ++ Bertie.Tls13utils.impl__Bytes__len server_hello <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize ] ++ <: ++ t_Slice u8) ++ with ++ | Core.Result.Result_Ok gy -> ++ (match gy with ++ | Core.Option.Option_Some gy -> ++ Core.Result.Result_Ok ++ (srand, gy ++ <: ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes)) ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 ++ | _ -> ++ Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 ++ ) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err + <: + Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 +- | _ -> +- Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE +- <: +- Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err +@@ -2225,38 +2117,24 @@ + Core.Result.Result_Err err + <: + Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ 
Core.Result.Result_Err err + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8)) ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ Core.Result.Result_Err err + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8)) ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) + | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ Core.Result.Result_Err err + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) +- (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8)) ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes) u8 + ++ + let server_certificate (v__algs: Bertie.Tls13crypto.t_Algorithms) (cert: Bertie.Tls13utils.t_Bytes) = + match + Bertie.Tls13utils.encode_length_u8 (Rust_primitives.unsize (let list : list u8 = [] in +@@ -2302,155 +2180,86 @@ + Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 + + let server_hello (algs: Bertie.Tls13crypto.t_Algorithms) (sr sid gy: Bertie.Tls13utils.t_Bytes) = +- 
Rust_primitives.Hax.Control_flow_monad.Mexception.run (let ver:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.bytes2 3uy 3uy +- in +- match +- Bertie.Tls13utils.encode_length_u8 (Bertie.Tls13utils.impl__Bytes__as_raw sid <: t_Slice u8) +- with +- | Core.Result.Result_Ok sid -> +- (match Bertie.Tls13crypto.impl__Algorithms__ciphersuite algs with +- | Core.Result.Result_Ok cip -> +- let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 0uy in +- (match server_key_shares algs (Core.Clone.f_clone gy <: Bertie.Tls13utils.t_Bytes) with +- | Core.Result.Result_Ok ks -> +- (match server_supported_version algs with +- | Core.Result.Result_Ok sv -> +- let exts:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__concat ks sv ++ let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in ++ match ++ Bertie.Tls13utils.encode_length_u8 (Bertie.Tls13utils.impl__Bytes__as_raw sid <: t_Slice u8) ++ with ++ | Core.Result.Result_Ok sid -> ++ (match Bertie.Tls13crypto.impl__Algorithms__ciphersuite algs with ++ | Core.Result.Result_Ok cip -> ++ let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes1 0uy in ++ (match server_key_shares algs (Core.Clone.f_clone gy <: Bertie.Tls13utils.t_Bytes) with ++ | Core.Result.Result_Ok ks -> ++ (match server_supported_version algs with ++ | Core.Result.Result_Ok sv -> ++ let exts:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.impl__Bytes__concat ks sv in ++ (match Bertie.Tls13utils.encode_length_u16 exts with ++ | Core.Result.Result_Ok encoded_extensions -> ++ let len:usize = ++ (Bertie.Tls13utils.impl__Bytes__len ver <: usize) +! ++ (Bertie.Tls13utils.impl__Bytes__len sr <: usize) + in +- let! 
exts:Bertie.Tls13utils.t_Bytes = +- match Bertie.Tls13crypto.impl__Algorithms__psk_mode algs with +- | true -> +- (match server_pre_shared_key algs with +- | Core.Result.Result_Ok hoist160 -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Bertie.Tls13utils.impl__Bytes__concat exts hoist160) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Bertie.Tls13utils.t_Bytes +- | Core.Result.Result_Err err -> +- let! _:Prims.unit = +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Prims.unit +- in +- Core.Ops.Control_flow.ControlFlow_Continue exts +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Bertie.Tls13utils.t_Bytes) +- | false -> +- Core.Ops.Control_flow.ControlFlow_Continue exts +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData +- u8) Bertie.Tls13utils.t_Bytes ++ let len:usize = len +! (Bertie.Tls13utils.impl__Bytes__len sid <: usize) in ++ let len:usize = len +! (Bertie.Tls13utils.impl__Bytes__len cip <: usize) in ++ let len:usize = len +! (Bertie.Tls13utils.impl__Bytes__len comp <: usize) in ++ let len:usize = ++ len +! (Bertie.Tls13utils.impl__Bytes__len encoded_extensions <: usize) + in +- Core.Ops.Control_flow.ControlFlow_Continue +- (match Bertie.Tls13utils.encode_length_u16 exts with +- | Core.Result.Result_Ok encoded_extensions -> +- let len:usize = +- (Bertie.Tls13utils.impl__Bytes__len ver <: usize) +! +- (Bertie.Tls13utils.impl__Bytes__len sr <: usize) +- in +- let len:usize = len +! (Bertie.Tls13utils.impl__Bytes__len sid <: usize) in +- let len:usize = len +! 
(Bertie.Tls13utils.impl__Bytes__len cip <: usize) in +- let len:usize = len +! (Bertie.Tls13utils.impl__Bytes__len comp <: usize) in +- let len:usize = +- len +! (Bertie.Tls13utils.impl__Bytes__len encoded_extensions <: usize) +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__new_alloc len +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out ver +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out sr +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out sid +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out cip +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out comp +- in +- let out:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__append out encoded_extensions +- in +- (match +- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_ServerHello +- <: +- Bertie.Tls13formats.Handshake_data.t_HandshakeType) +- out +- with +- | Core.Result.Result_Ok sh -> +- Core.Result.Result_Ok sh ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__new_alloc len ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out ver ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out sr ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out sid ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out cip ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out comp ++ in ++ let out:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__append out encoded_extensions ++ in ++ (match ++ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__from_bytes (Bertie.Tls13formats.Handshake_data.HandshakeType_ServerHello + 
<: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData +- u8 +- | Core.Result.Result_Err err -> +- Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData +- u8) ++ Bertie.Tls13formats.Handshake_data.t_HandshakeType) ++ out ++ with ++ | Core.Result.Result_Ok sh -> ++ Core.Result.Result_Ok sh ++ <: ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) + | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Core.Result.Result_Err err + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) + | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Core.Result.Result_Err err + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) + | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result 
Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Core.Result.Result_Err err + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) + | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ Core.Result.Result_Err err + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8)) ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 + + let set_client_hello_binder + (ciphersuite: Bertie.Tls13crypto.t_Algorithms) +@@ -2475,6 +2284,8 @@ + (Core.Option.t_Option Bertie.Tls13utils.t_Bytes & Core.Option.t_Option usize) + with + | Core.Option.Option_Some m, Core.Option.Option_Some trunc_len -> ++ assume(v chlen >= v trunc_len + v hlen); ++ assume(Seq.length m._0 == v hlen); + if (chlen -! hlen <: usize) =. trunc_len + then + Core.Result.Result_Ok +@@ -2541,6 +2352,8 @@ + = + client_hello + in ++ assume(Seq.length self.f_transcript._0._0 + Seq.length client_hello._0._0 <= max_usize); ++ assume(Seq.length client_hello._0._0 >= v trunc_len); + Bertie.Tls13crypto.impl__HashAlgorithm__hash self.f_hash_algorithm + (Bertie.Tls13utils.impl__Bytes__concat (Core.Clone.f_clone self.f_transcript + .Bertie.Tls13formats.Handshake_data._0 +@@ -2562,7 +2375,8 @@ + if len =. 
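Review bot: The two `assume` lines added before `if (chlen -! hlen <: usize) =. trunc_len` admit exactly the bound that keeps that subtraction from underflowing, so panic-freedom for this branch rests on an unproven fact. `m` and `trunc_len` are only known here as the contents of two matched options, and nothing visible in the hunk relates them to `chlen` or `hlen`. The bound would be better stated as a precondition on the corresponding `val` in the `.fsti`, or established with a `Bertie.Tls13utils.check` before the subtraction. If it has to stay admitted for now, mark it, e.g. `(* TODO(proof): admitted - discharge chlen >= trunc_len + hlen *)`. The same applies to the two `assume` lines the next hunk adds before the `impl__HashAlgorithm__hash` call; both enclosing functions start and end outside their hunks.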
(Core.Slice.impl__len b <: usize) + then Core.Result.Result_Ok out <: Core.Result.t_Result t_Extensions u8 + else +- (match ++ ( ++ match + check_extensions_slice algs + (b.[ { + Core.Ops.Range.f_start = len; +@@ -2584,7 +2398,8 @@ + if len =. (Bertie.Tls13utils.impl__Bytes__len b <: usize) + then Core.Result.Result_Ok out <: Core.Result.t_Result t_Extensions u8 + else +- (match ++ ( ++ match + check_extensions_slice algs + (Bertie.Tls13utils.impl__Bytes__raw_slice b + ({ +@@ -2601,33 +2416,38 @@ + Core.Result.Result_Err err <: Core.Result.t_Result t_Extensions u8) + | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result t_Extensions u8 + ++#push-options "--z3rlimit 300" + let parse_client_hello + (ciphersuite: Bertie.Tls13crypto.t_Algorithms) + (client_hello: Bertie.Tls13formats.Handshake_data.t_HandshakeData) + = +- Rust_primitives.Hax.Control_flow_monad.Mexception.run (match +- Bertie.Tls13formats.Handshake_data.impl__HandshakeData__as_handshake_message client_hello +- (Bertie.Tls13formats.Handshake_data.HandshakeType_ClientHello +- <: +- Bertie.Tls13formats.Handshake_data.t_HandshakeType) ++ match ++ Bertie.Tls13formats.Handshake_data.impl__HandshakeData__as_handshake_message client_hello ++ (Bertie.Tls13formats.Handshake_data.HandshakeType_ClientHello + <: +- Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8 ++ Bertie.Tls13formats.Handshake_data.t_HandshakeType) ++ with ++ | Core.Result.Result_Ok (Bertie.Tls13formats.Handshake_data.HandshakeData ch) -> ++ let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in ++ let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 1uy 0uy in ++ let next:usize = sz 0 in ++ (match ++ Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw ver ++ <: ++ t_Slice u8) ++ (Bertie.Tls13utils.impl__Bytes__as_raw ch <: t_Slice u8) ++ next ++ (next +! 
sz 2 <: usize) + with +- | Core.Result.Result_Ok (Bertie.Tls13formats.Handshake_data.HandshakeData ch) -> +- let ver:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 3uy 3uy in +- let comp:Bertie.Tls13utils.t_Bytes = Bertie.Tls13utils.bytes2 1uy 0uy in +- let next:usize = sz 0 in ++ | Core.Result.Result_Ok _ -> ++ let next:usize = next +! sz 2 in + (match +- Bertie.Tls13utils.check_eq ver +- (Bertie.Tls13utils.impl__Bytes__slice_range ch +- ({ Core.Ops.Range.f_start = next; Core.Ops.Range.f_end = next +! sz 2 <: usize } +- <: +- Core.Ops.Range.t_Range usize) ++ Bertie.Tls13utils.check ((Bertie.Tls13utils.impl__Bytes__len ch <: usize) >=. ++ (next +! sz 32 <: usize) + <: +- Bertie.Tls13utils.t_Bytes) ++ bool) + with + | Core.Result.Result_Ok _ -> +- let next:usize = next +! sz 2 in + let crand:Bertie.Tls13utils.t_Bytes = + Bertie.Tls13utils.impl__Bytes__slice_range ch + ({ Core.Ops.Range.f_start = next; Core.Ops.Range.f_end = next +! sz 32 <: usize } +@@ -2670,85 +2490,27 @@ + with + | Core.Result.Result_Ok cslen -> + let next:usize = next +! cslen in +- let! _:Prims.unit = +- match +- Bertie.Tls13utils.check_eq comp +- (Bertie.Tls13utils.impl__Bytes__slice_range ch +- ({ +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end = next +! 
sz 2 <: usize +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Bertie.Tls13utils.t_Bytes) +- with +- | Core.Result.Result_Ok _ -> +- Core.Ops.Control_flow.ControlFlow_Continue (() <: Prims.unit) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) Prims.unit +- | Core.Result.Result_Err _ -> +- match invalid_compression_list () with +- | Core.Result.Result_Ok ok -> +- Core.Ops.Control_flow.ControlFlow_Continue ok ++ (match ++ match ++ Bertie.Tls13utils.check_eq_with_slice (Bertie.Tls13utils.impl__Bytes__as_raw ++ comp ++ <: ++ t_Slice u8) ++ (Bertie.Tls13utils.impl__Bytes__as_raw ch <: t_Slice u8) ++ next ++ (next +! sz 2 <: usize) ++ with ++ | Core.Result.Result_Ok _ -> ++ Core.Result.Result_Ok (() <: Prims.unit) + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) Prims.unit +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Break +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) 
Prims.unit +- in +- Core.Ops.Control_flow.ControlFlow_Continue +- (let next:usize = next +! sz 2 in +- match +- Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl__Bytes__slice_range +- ch +- ({ +- Core.Ops.Range.f_start = next; +- Core.Ops.Range.f_end +- = +- Bertie.Tls13utils.impl__Bytes__len ch <: usize +- } +- <: +- Core.Ops.Range.t_Range usize) +- <: +- Bertie.Tls13utils.t_Bytes) ++ Core.Result.t_Result Prims.unit u8 ++ | Core.Result.Result_Err _ -> invalid_compression_list () + with + | Core.Result.Result_Ok _ -> + let next:usize = next +! sz 2 in + (match +- check_extensions ciphersuite +- (Bertie.Tls13utils.impl__Bytes__slice_range ch ++ Bertie.Tls13utils.check_length_encoding_u16 (Bertie.Tls13utils.impl__Bytes__slice_range ++ ch + ({ + Core.Ops.Range.f_start = next; + Core.Ops.Range.f_end +@@ -2760,158 +2522,195 @@ + <: + Bertie.Tls13utils.t_Bytes) + with +- | Core.Result.Result_Ok exts -> +- let trunc_len:usize = +- ((Bertie.Tls13utils.impl__Bytes__len ch <: usize) -! +- (Bertie.Tls13crypto.impl__HashAlgorithm__hash_len (Bertie.Tls13crypto.impl__Algorithms__hash +- ciphersuite +- <: +- Bertie.Tls13crypto.t_HashAlgorithm) +- <: +- usize) +- <: +- usize) -! +- sz 3 +- in ++ | Core.Result.Result_Ok _ -> ++ let next:usize = next +! 
sz 2 in + (match +- Bertie.Tls13crypto.impl__Algorithms__psk_mode ciphersuite, exts +- <: +- (bool & t_Extensions) ++ check_extensions ciphersuite ++ (Bertie.Tls13utils.impl__Bytes__slice_range ch ++ ({ ++ Core.Ops.Range.f_start = next; ++ Core.Ops.Range.f_end ++ = ++ Bertie.Tls13utils.impl__Bytes__len ch <: usize ++ } ++ <: ++ Core.Ops.Range.t_Range usize) ++ <: ++ Bertie.Tls13utils.t_Bytes) + with +- | _, +- { f_sni = _ ; +- f_key_share = Core.Option.Option_None ; +- f_ticket = _ ; +- f_binder = _ } -> +- Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | true, +- { f_sni = Core.Option.Option_Some sn ; +- f_key_share = Core.Option.Option_Some gx ; +- f_ticket = Core.Option.Option_Some tkt ; +- f_binder = Core.Option.Option_Some binder } -> +- Core.Result.Result_Ok +- (crand, +- sid, +- sn, +- gx, +- (Core.Option.Option_Some tkt ++ | Core.Result.Result_Ok exts -> ++ (assume (Seq.length ch._0 >= 64 + 3); ++ let trunc_len:usize = ++ ((Bertie.Tls13utils.impl__Bytes__len ch <: usize) -! ++ (Bertie.Tls13crypto.impl__HashAlgorithm__hash_len (Bertie.Tls13crypto.impl__Algorithms__hash ++ ciphersuite ++ <: ++ Bertie.Tls13crypto.t_HashAlgorithm) ++ <: ++ usize) + <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- (Core.Option.Option_Some binder ++ usize) -! 
++ sz 3 ++ in ++ (match ++ Bertie.Tls13crypto.impl__Algorithms__psk_mode ciphersuite, exts + <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- trunc_len +- <: +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize)) +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | true, +- { f_sni = Core.Option.Option_None ; +- f_key_share = Core.Option.Option_Some gx ; +- f_ticket = Core.Option.Option_Some tkt ; +- f_binder = Core.Option.Option_Some binder } -> +- Core.Result.Result_Ok +- (crand, +- sid, +- Bertie.Tls13utils.impl__Bytes__new (), +- gx, +- (Core.Option.Option_Some tkt ++ (bool & t_Extensions) ++ with ++ | _, ++ { f_sni = _ ; ++ f_key_share = Core.Option.Option_None ; ++ f_ticket = _ ; ++ f_binder = _ } -> ++ Core.Result.Result_Err Bertie.Tls13utils.v_MISSING_KEY_SHARE + <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- (Core.Option.Option_Some binder ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | true, ++ { f_sni = Core.Option.Option_Some sn ; ++ f_key_share = Core.Option.Option_Some gx ; ++ f_ticket = Core.Option.Option_Some tkt ; ++ f_binder = Core.Option.Option_Some binder } -> ++ Core.Result.Result_Ok ++ (crand, ++ sid, ++ sn, ++ gx, ++ (Core.Option.Option_Some tkt ++ <: ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ (Core.Option.Option_Some binder ++ <: ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ trunc_len ++ <: 
++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize)) + <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- trunc_len +- <: +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize)) +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | false, +- { f_sni = Core.Option.Option_Some sn ; +- f_key_share = Core.Option.Option_Some gx ; +- f_ticket = Core.Option.Option_None ; +- f_binder = Core.Option.Option_None } -> +- Core.Result.Result_Ok +- (crand, +- sid, +- sn, +- gx, +- (Core.Option.Option_None ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | true, ++ { f_sni = Core.Option.Option_None ; ++ f_key_share = Core.Option.Option_Some gx ; ++ f_ticket = Core.Option.Option_Some tkt ; ++ f_binder = Core.Option.Option_Some binder } -> ++ Core.Result.Result_Ok ++ (crand, ++ sid, ++ Bertie.Tls13utils.impl__Bytes__new (), ++ gx, ++ (Core.Option.Option_Some tkt ++ <: ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ (Core.Option.Option_Some binder ++ <: ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ trunc_len ++ <: ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option 
Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize)) + <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- (Core.Option.Option_None ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | false, ++ { f_sni = Core.Option.Option_Some sn ; ++ f_key_share = Core.Option.Option_Some gx ; ++ f_ticket = Core.Option.Option_None ; ++ f_binder = Core.Option.Option_None } -> ++ Core.Result.Result_Ok ++ (crand, ++ sid, ++ sn, ++ gx, ++ (Core.Option.Option_None ++ <: ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ (Core.Option.Option_None ++ <: ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ sz 0 ++ <: ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize)) + <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- sz 0 +- <: +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize)) +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | false, +- { f_sni = Core.Option.Option_None ; +- f_key_share = Core.Option.Option_Some gx ; +- f_ticket = Core.Option.Option_None ; +- f_binder = Core.Option.Option_None } -> +- Core.Result.Result_Ok +- (crand, +- sid, +- Bertie.Tls13utils.impl__Bytes__new (), +- gx, +- (Core.Option.Option_None ++ 
Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | false, ++ { f_sni = Core.Option.Option_None ; ++ f_key_share = Core.Option.Option_Some gx ; ++ f_ticket = Core.Option.Option_None ; ++ f_binder = Core.Option.Option_None } -> ++ Core.Result.Result_Ok ++ (crand, ++ sid, ++ Bertie.Tls13utils.impl__Bytes__new (), ++ gx, ++ (Core.Option.Option_None ++ <: ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ (Core.Option.Option_None ++ <: ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes), ++ sz 0 ++ <: ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize)) + <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- (Core.Option.Option_None ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ | _ -> ++ Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) + <: +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes), +- sz 0 +- <: +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize)) ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8)) ++ | Core.Result.Result_Err err -> ++ 
Core.Result.Result_Err err + <: + Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +@@ -2919,16 +2718,6 @@ + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8 +- | _ -> +- Core.Result.Result_Err (Bertie.Tls13utils.parse_failed ()) +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err +@@ -2950,121 +2739,50 @@ + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) + | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) ++ Core.Result.Result_Err err + <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- 
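Review bot: `assume (Seq.length ch._0 >= 64 + 3)` in the `Result_Ok exts` branch admits a length bound on `ch`, the ClientHello bytes being parsed, immediately before `trunc_len` is computed by subtracting the hash length and `sz 3` from `impl__Bytes__len ch`. This input is presumably peer-supplied, so this is the underflow a panic-free proof should rule out, and nothing visible in the hunk establishes the bound. Earlier in the same function the patch guards the `crand` slice with `Bertie.Tls13utils.check ((Bertie.Tls13utils.impl__Bytes__len ch <: usize) >=. (next +! sz 32 <: usize) <: bool)`. A matching check of `len ch` against the hash length plus 3, made in the Rust source so that every extraction carries it, would let the `assume` be dropped. parse_client_hello begins in an earlier hunk and continues past this one.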
Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8)) +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result ++ Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8)) +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & 
Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8)) +- | Core.Result.Result_Err err -> +- Core.Ops.Control_flow.ControlFlow_Continue +- (Core.Result.Result_Err err +- <: +- Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8) +- <: +- Core.Ops.Control_flow.t_ControlFlow +- (Core.Result.t_Result ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result + (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & + Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + Core.Option.t_Option Bertie.Tls13utils.t_Bytes & + usize) u8) +- (Core.Result.t_Result +- (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & +- Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- Core.Option.t_Option Bertie.Tls13utils.t_Bytes & +- usize) u8)) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8) ++ | Core.Result.Result_Err err -> ++ Core.Result.Result_Err err ++ <: ++ Core.Result.t_Result ++ (Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & Bertie.Tls13utils.t_Bytes & ++ 
Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ Core.Option.t_Option Bertie.Tls13utils.t_Bytes & ++ usize) u8 ++ +diff -ruN extraction-lax/Bertie.Tls13formats.fsti extraction-panic-free/Bertie.Tls13formats.fsti +--- extraction-lax/Bertie.Tls13formats.fsti 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13formats.fsti 2024-04-05 08:35:03 +@@ -234,6 +234,8 @@ + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + ++val foofoooo: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) ++ + val application_data_instead_of_handshake: Prims.unit + -> Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + +@@ -256,7 +258,8 @@ + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + + val check_psk_key_exchange_modes (client_hello: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result Prims.unit u8) ++ True (fun _ -> Prims.l_True) + + val check_supported_versions (client_hello: t_Slice u8) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) +@@ -424,13 +427,15 @@ + + val check_server_key_share (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- Prims.l_True ++ True + (fun _ -> Prims.l_True) + + val check_server_extension (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) + : Prims.Pure (Core.Result.t_Result (usize & Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok (len,out) -> Seq.length b >= v len ++ | _ -> True) + + val check_signature_algorithms (algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) +@@ 
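Review bot: `val foofoooo: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)` in the first `Bertie.Tls13formats.fsti` hunk looks like a leftover experiment. Nothing else in the visible part of the patch refers to it. A declaration in the interface also needs a matching definition in the `.fst`, which cannot be confirmed from here. I would drop the added line and its blank line from the patch before it is applied to fresh extractions.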
-446,16 +451,18 @@ + val build_server_name (name: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok b -> Seq.length b._0 == 9 + Seq.length name._0 ++ | _ -> True) + + val key_shares (algs: Bertie.Tls13crypto.t_Algorithms) (gx: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- Prims.l_True ++ (Seq.length gx._0 < 65536) + (fun _ -> Prims.l_True) + + val server_key_shares (algs: Bertie.Tls13crypto.t_Algorithms) (gx: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- Prims.l_True ++ (Seq.length gx._0 < 65536) + (fun _ -> Prims.l_True) + + val server_pre_shared_key (v__algs: Bertie.Tls13crypto.t_Algorithms) +@@ -495,17 +502,12 @@ + Prims.l_True + (fun _ -> Prims.l_True) + +-val get_psk_extensions +- (algorithms: Bertie.Tls13crypto.t_Algorithms) +- (session_ticket extensions: Bertie.Tls13utils.t_Bytes) +- : Prims.Pure (Core.Result.t_Result (usize & Bertie.Tls13utils.t_Bytes) u8) +- Prims.l_True +- (fun _ -> Prims.l_True) +- + val supported_versions: Prims.unit + -> Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok b -> Seq.length b._0 == 7 ++ | _ -> True) + + type t_Extensions = { + f_sni:Core.Option.t_Option Bertie.Tls13utils.t_Bytes; +@@ -526,12 +528,13 @@ + : Prims.Pure + (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> True) + + val check_server_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) + : Prims.Pure (Core.Result.t_Result (Core.Option.t_Option Bertie.Tls13utils.t_Bytes) u8) + Prims.l_True + (fun _ -> Prims.l_True) ++ (decreases Seq.length b) + + val client_hello + (algorithms: 
Bertie.Tls13crypto.t_Algorithms) +@@ -539,7 +542,7 @@ + (session_ticket: Core.Option.t_Option Bertie.Tls13utils.t_Bytes) + : Prims.Pure + (Core.Result.t_Result (Bertie.Tls13formats.Handshake_data.t_HandshakeData & usize) u8) +- Prims.l_True ++ (Seq.length client_random._0 == 32 /\ Seq.length kem_pk._0 < 65536 /\ Seq.length server_name._0 < 65536) + (fun _ -> Prims.l_True) + + val encrypted_extensions (v__algs: Bertie.Tls13crypto.t_Algorithms) +@@ -551,6 +554,7 @@ + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True + (fun _ -> Prims.l_True) ++ (decreases Seq.length ch) + + val check_key_shares (algs: Bertie.Tls13crypto.t_Algorithms) (ch: t_Slice u8) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +@@ -560,7 +564,9 @@ + val check_extension (algs: Bertie.Tls13crypto.t_Algorithms) (bytes: t_Slice u8) + : Prims.Pure (Core.Result.t_Result (usize & t_Extensions) u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok (len,out) -> Seq.length bytes >= v len /\ v len >= 4 ++ | _ -> True) + + val finished (vd: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +@@ -570,12 +576,14 @@ + val get_handshake_record (p: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> True) + + val handshake_record (p: Bertie.Tls13formats.Handshake_data.t_HandshakeData) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok x -> Seq.length x._0 >= 3 ++ | _ -> True) + + val parse_certificate_verify + (algs: Bertie.Tls13crypto.t_Algorithms) +@@ -613,7 +621,7 @@ + + val server_hello (algs: Bertie.Tls13crypto.t_Algorithms) (sr sid gy: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result 
Bertie.Tls13formats.Handshake_data.t_HandshakeData u8) +- Prims.l_True ++ (Seq.length sr._0 == 32 /\ Seq.length gy._0 < 65536) + (fun _ -> Prims.l_True) + + val set_client_hello_binder +@@ -641,7 +649,9 @@ + val impl__Transcript__transcript_hash (self: t_Transcript) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + Prims.l_True +- (fun _ -> Prims.l_True) ++ (fun res -> match res with ++ | Core.Result.Result_Ok h -> Seq.length h._0 <= 64 ++ | _ -> True) + + val impl__Transcript__transcript_hash_without_client_hello + (self: t_Transcript) +@@ -653,6 +663,7 @@ + + val check_extensions_slice (algs: Bertie.Tls13crypto.t_Algorithms) (b: t_Slice u8) + : Prims.Pure (Core.Result.t_Result t_Extensions u8) Prims.l_True (fun _ -> Prims.l_True) ++ (decreases (Seq.length b)) + + val check_extensions (algs: Bertie.Tls13crypto.t_Algorithms) (b: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result t_Extensions u8) Prims.l_True (fun _ -> Prims.l_True) +diff -ruN extraction-lax/Bertie.Tls13handshake.fst extraction-panic-free/Bertie.Tls13handshake.fst +--- extraction-lax/Bertie.Tls13handshake.fst 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13handshake.fst 2024-04-05 08:35:03 +@@ -22,13 +22,14 @@ + Bertie.Tls13utils.u16_as_be_bytes (Bertie.Tls13utils.v_U16 (cast (len <: usize) <: u16) <: u16 + ) + in +- let tls13_label:Bertie.Tls13utils.t_Bytes = +- Bertie.Tls13utils.impl__Bytes__concat (Bertie.Tls13utils.impl__Bytes__from_slice (Rust_primitives.unsize ++ let x = (Bertie.Tls13utils.impl__Bytes__from_slice (Rust_primitives.unsize + Bertie.Tls13formats.v_LABEL_TLS13 + <: + t_Slice u8) + <: +- Bertie.Tls13utils.t_Bytes) ++ Bertie.Tls13utils.t_Bytes) in ++ let tls13_label:Bertie.Tls13utils.t_Bytes = ++ Bertie.Tls13utils.impl__Bytes__concat x + label + in + match +@@ -654,7 +655,7 @@ + Bertie.Tls13utils.t_Bytes) + transcript_hash + in +- let rng, hoist164:(impl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) ++ let rng, 
hoist162:(impl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + = + match Bertie.Tls13crypto.impl__Algorithms__signature state.f_ciphersuite with + | Bertie.Tls13crypto.SignatureScheme_EcdsaSecp256r1Sha256 -> +@@ -688,7 +689,7 @@ + <: + (impl_916461611_ & Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) + in +- (match hoist164 with ++ (match hoist162 with + | Core.Result.Result_Ok sig -> + (match Bertie.Tls13formats.certificate_verify state.f_ciphersuite sig with + | Core.Result.Result_Ok scv -> +@@ -1960,8 +1961,8 @@ + | Core.Result.Result_Ok server -> + (match + process_psk_binder_zero_rtt ciphersuite +- th_trunc + th ++ th_trunc + server.Bertie.Server.f_psk_opt + bindero + with +diff -ruN extraction-lax/Bertie.Tls13handshake.fsti extraction-panic-free/Bertie.Tls13handshake.fsti +--- extraction-lax/Bertie.Tls13handshake.fsti 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13handshake.fsti 2024-04-05 08:35:03 +@@ -13,7 +13,7 @@ + (key label context: Bertie.Tls13utils.t_Bytes) + (len: usize) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- Prims.l_True ++ (Seq.length label._0 < 65536) + (fun _ -> Prims.l_True) + + val derive_finished_key (ha: Bertie.Tls13crypto.t_HashAlgorithm) (k: Bertie.Tls13utils.t_Bytes) +@@ -25,7 +25,7 @@ + (hash_algorithm: Bertie.Tls13crypto.t_HashAlgorithm) + (key label transcript_hash: Bertie.Tls13utils.t_Bytes) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- Prims.l_True ++ (Seq.length label._0 < 65536) + (fun _ -> Prims.l_True) + + val derive_binder_key (ha: Bertie.Tls13crypto.t_HashAlgorithm) (k: Bertie.Tls13utils.t_Bytes) +@@ -330,7 +330,9 @@ + Core.Result.t_Result + (Bertie.Tls13formats.Handshake_data.t_HandshakeData & + Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 & +- t_ClientPostClientHello) u8) Prims.l_True (fun _ -> Prims.l_True) ++ t_ClientPostClientHello) u8) ++ (Seq.length sn._0 < 65536) ++ (fun _ -> Prims.l_True) + + val client_init + 
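Review bot: The last `Bertie.Tls13handshake.fst` hunk swaps the order of `th_trunc` and `th` in the call to `process_psk_binder_zero_rtt`, and no change to that function's parameter order is visible here. If both arguments have the same bytes type, as their use suggests, the type checker will not notice a mismatch, and the binder would then be checked against the wrong transcript hash. Together with the `hoist164` to `hoist162` renames in the two hunks before it, this looks like drift between two extraction runs rather than an intended proof edit. Please confirm the callee's signature in the Rust source and regenerate the patch from a single extraction so that only the hand-written proof changes remain.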
(#impl_916461611_: Type)
+@@ -345,8 +347,10 @@
+ Core.Result.t_Result
+ (Bertie.Tls13formats.Handshake_data.t_HandshakeData &
+ Core.Option.t_Option Bertie.Tls13record.t_ClientCipherState0 &
+- t_ClientPostClientHello) u8) Prims.l_True (fun _ -> Prims.l_True)
+-
++ t_ClientPostClientHello) u8)
++ (Seq.length sn._0 < 65536)
++ (fun _ -> Prims.l_True)
++
+ val get_server_finished (st: t_ServerPostCertificateVerify)
+ : Prims.Pure
+ (Core.Result.t_Result
+diff -ruN extraction-lax/Bertie.Tls13record.fst extraction-panic-free/Bertie.Tls13record.fst
+--- extraction-lax/Bertie.Tls13record.fst 2024-04-05 08:35:03
++++ extraction-panic-free/Bertie.Tls13record.fst 2024-04-05 08:35:03
+@@ -7,10 +7,11 @@
+ let (counter: Bertie.Tls13utils.t_Bytes):Bertie.Tls13utils.t_Bytes =
+ Core.Convert.f_into (Core.Num.impl__u64__to_be_bytes n <: t_Array u8 (sz 8))
+ in
+- let iv_ctr:Bertie.Tls13utils.t_Bytes =
++ let iv_t = x:Bertie.Tls13utils.t_Bytes{Seq.length x._0 == Seq.length iv._0} in
++ let iv_ctr:iv_t =
+ Bertie.Tls13utils.impl__Bytes__zeroes (Bertie.Tls13utils.impl__Bytes__len iv <: usize)
+ in
+- let iv_ctr:Bertie.Tls13utils.t_Bytes =
++ let iv_ctr:iv_t =
+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end
+@@ -23,11 +24,13 @@
+ Core.Ops.Range.t_Range usize)
+ iv_ctr
+ (fun iv_ctr i ->
+- let iv_ctr:Bertie.Tls13utils.t_Bytes = iv_ctr in
++ assert (v #usize_inttype i >= 0 /\ v #usize_inttype i < Seq.length iv._0 - 8);
++ let iv_ctr : iv_t = iv_ctr in
++ assert (Bertie.Tls13utils.impl__Bytes__len iv_ctr == Bertie.Tls13utils.impl__Bytes__len iv);
+ let i:usize = i in
+ Rust_primitives.Hax.update_at iv_ctr i (iv.[ i ] <: u8) <: Bertie.Tls13utils.t_Bytes)
+ in
+- let iv_ctr:Bertie.Tls13utils.t_Bytes =
++ let iv_ctr:iv_t =
+ Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter ({
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = sz 8
+@@ -38,7 +41,8 @@
+ Core.Ops.Range.t_Range
usize) + iv_ctr + (fun iv_ctr i -> +- let iv_ctr:Bertie.Tls13utils.t_Bytes = iv_ctr in ++ let iv_ctr:iv_t = iv_ctr in ++ assert (Bertie.Tls13utils.impl__Bytes__len iv_ctr == Bertie.Tls13utils.impl__Bytes__len iv); + let i:usize = i in + Rust_primitives.Hax.update_at iv_ctr + ((i +! (Bertie.Tls13utils.impl__Bytes__len iv <: usize) <: usize) -! sz 8 <: usize) +@@ -53,11 +57,11 @@ + Bertie.Tls13utils.t_Bytes) + in + iv_ctr +- ++ + let rec padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) = + if n >. sz 0 && (Bertie.Tls13utils.f_declassify (b.[ n -! sz 1 <: usize ] <: u8) <: u8) =. 0uy + then sz 1 +! (padlen b (n -! sz 1 <: usize) <: usize) +- else sz 0 ++ else sz 0 + + let decrypt_record_payload + (kiv: Bertie.Tls13crypto.t_AeadKeyIV) +@@ -99,6 +103,8 @@ + in + (match Bertie.Tls13crypto.aead_decrypt kiv.Bertie.Tls13crypto.f_key iv_ctr cip ad with + | Core.Result.Result_Ok plain -> ++ assume ((padlen plain (Bertie.Tls13utils.impl__Bytes__len plain <: usize) <: usize) <. ++ (Bertie.Tls13utils.impl__Bytes__len plain <: usize)); + let payload_len:usize = + ((Bertie.Tls13utils.impl__Bytes__len plain <: usize) -! + (padlen plain (Bertie.Tls13utils.impl__Bytes__len plain <: usize) <: usize) +@@ -218,6 +224,7 @@ + bool) + with + | Core.Result.Result_Ok _ -> ++ assume (v n < maxint u64_inttype); + Core.Result.Result_Ok + (Bertie.Tls13utils.impl__AppData__new payload, + (DuplexCipherState1 ae x y kiv (n +! 1uL) exp <: t_DuplexCipherState1) +@@ -238,6 +245,7 @@ + let DuplexCipherState1 ae x y kiv n exp:t_DuplexCipherState1 = st in + match decrypt_record_payload kiv n ciphertext with + | Core.Result.Result_Ok (ct, payload) -> ++ assume (v n < maxint u64_inttype); + Core.Result.Result_Ok + (ct, payload, (DuplexCipherState1 ae x y kiv (n +! 
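Review bot: The `assume` added ahead of `payload_len` in `decrypt_record_payload` (hunk `@@ -99,6 +103,8 @@`) admits `padlen plain len < len` without proof, while the `padlen` postcondition this patch adds in Bertie.Tls13record.fsti only gives `v r <= v n`. For a decrypted record that is empty or all zero bytes, `padlen` as defined above returns the full length, which is exactly the case the subtraction below needs excluded, so panic freedom here depends on an unchecked property of peer-supplied plaintext. RFC 8446 section 5.4 requires terminating the connection when no non-zero octet is found, so an explicit error return on that path in the Rust source would let the `assume` be removed. Until then it should carry a marker such as `(* ASSUMED, not proved: plaintext contains a non-zero content-type octet *)`. The function body continues outside the hunk.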
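Review bot: Each `assume (v n < maxint u64_inttype)` placed before a `+! 1uL` counter increment admits the no-overflow fact rather than proving or checking it. This applies to hunk `@@ -218,6 +224,7 @@` and also to the hunks at `-238`, `-268`, `-301`, `-342`, `-369` and `-390` of Bertie.Tls13record.fst. RFC 8446 section 5.3 requires that record sequence numbers never wrap, so the proof obligation is a protocol requirement and not only an arithmetic side condition. The hunk at `-342` assumes `v n + 1 < maxint u64_inttype` where the others assume `v n < maxint u64_inttype`; one form should be used throughout. Returning an error when the counter is at its maximum, or carrying the bound as a refinement on the counter field, would discharge these; in the meantime each should be marked `(* ASSUMED, not proved: record sequence number does not wrap *)`.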
1uL) exp <: t_DuplexCipherState1) + <: +@@ -268,6 +276,7 @@ + bool) + with + | Core.Result.Result_Ok _ -> ++ assume (v state.f_receiver_counter < maxint u64_inttype); + let state:t_DuplexCipherStateH = + { state with f_receiver_counter = state.f_receiver_counter +! 1uL } + <: +@@ -301,6 +310,7 @@ + bool) + with + | Core.Result.Result_Ok _ -> ++ assume (v state.f_counter < maxint u64_inttype); + Core.Result.Result_Ok + (Bertie.Tls13utils.impl__AppData__new payload, + ({ +@@ -342,6 +352,7 @@ + pad + with + | Core.Result.Result_Ok v_rec -> ++ assume (v n + 1 < maxint u64_inttype); + Core.Result.Result_Ok + (v_rec, (DuplexCipherState1 ae kiv (n +! 1uL) x y exp <: t_DuplexCipherState1) + <: +@@ -369,6 +380,7 @@ + pad + with + | Core.Result.Result_Ok v_rec -> ++ assume (v state.f_sender_counter < maxint u64_inttype); + let state:t_DuplexCipherStateH = + { state with f_sender_counter = state.f_sender_counter +! 1uL } <: t_DuplexCipherStateH + in +@@ -390,6 +402,7 @@ + pad + with + | Core.Result.Result_Ok v_rec -> ++ assume (v n < maxint u64_inttype); + Core.Result.Result_Ok + (v_rec, (ClientCipherState0 ae kiv (n +! 
1uL) exp <: t_ClientCipherState0) + <: +diff -ruN extraction-lax/Bertie.Tls13record.fsti extraction-panic-free/Bertie.Tls13record.fsti +--- extraction-lax/Bertie.Tls13record.fsti 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13record.fsti 2024-04-05 08:35:03 +@@ -4,10 +4,15 @@ + open FStar.Mul + + val derive_iv_ctr (iv: Bertie.Tls13utils.t_Bytes) (n: u64) +- : Prims.Pure Bertie.Tls13utils.t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure Bertie.Tls13utils.t_Bytes ++ (Seq.length iv._0 >= 8 /\ Seq.length iv._0 <= 32) ++ (fun _ -> Prims.l_True) + + val padlen (b: Bertie.Tls13utils.t_Bytes) (n: usize) +- : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure usize ++ (v n <= Seq.length b._0) ++ (fun r -> v r <= v n) ++ (decreases (v n)) + + val decrypt_record_payload + (kiv: Bertie.Tls13crypto.t_AeadKeyIV) +@@ -15,7 +20,7 @@ + (ciphertext: Bertie.Tls13utils.t_Bytes) + : Prims.Pure + (Core.Result.t_Result (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes) u8) +- Prims.l_True ++ (Seq.length ciphertext._0 >= 5) + (fun _ -> Prims.l_True) + + val encrypt_record_payload +@@ -25,7 +30,7 @@ + (payload: Bertie.Tls13utils.t_Bytes) + (pad: usize) + : Prims.Pure (Core.Result.t_Result Bertie.Tls13utils.t_Bytes u8) +- Prims.l_True ++ (Seq.length payload._0 < 65536 /\ v pad < 4096) + (fun _ -> Prims.l_True) + + type t_ClientCipherState0 = +@@ -75,26 +80,26 @@ + + val decrypt_data (ciphertext: Bertie.Tls13utils.t_Bytes) (st: t_DuplexCipherState1) + : Prims.Pure (Core.Result.t_Result (Bertie.Tls13utils.t_AppData & t_DuplexCipherState1) u8) +- Prims.l_True ++ (Seq.length ciphertext._0 >= 5) + (fun _ -> Prims.l_True) + + val decrypt_data_or_hs (ciphertext: Bertie.Tls13utils.t_Bytes) (st: t_DuplexCipherState1) + : Prims.Pure + (Core.Result.t_Result + (Bertie.Tls13formats.t_ContentType & Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1) u8) +- Prims.l_True ++ (Seq.length ciphertext._0 >= 5) + (fun _ -> Prims.l_True) + + val 
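Review bot: The preconditions added to this interface use bare constants with no comment saying what they represent or who has to establish them: `>= 5` on ciphertext, `< 65536` and `< 4096` on payload and pad. This covers `decrypt_record_payload` in hunk `@@ -15,7 +20,7 @@` and `decrypt_data`, `decrypt_data_or_hs`, `decrypt_handshake` and `decrypt_zerortt` in hunk `@@ -75,26 +80,26 @@`. These functions presumably receive ciphertext that originates from the network, so the length check becomes the caller's obligation, and callers outside the verified model are not held to it. A comment above each val would make that visible, for example `(* requires a complete 5-byte record header; callers must length-check untrusted input before calling *)`, assuming 5 is indeed the record header length.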
decrypt_handshake (ciphertext: Bertie.Tls13utils.t_Bytes) (state: t_DuplexCipherStateH) + : Prims.Pure + (Core.Result.t_Result + (Bertie.Tls13formats.Handshake_data.t_HandshakeData & t_DuplexCipherStateH) u8) +- Prims.l_True ++ (Seq.length ciphertext._0 >= 5) + (fun _ -> Prims.l_True) + + val decrypt_zerortt (ciphertext: Bertie.Tls13utils.t_Bytes) (state: t_ServerCipherState0) + : Prims.Pure (Core.Result.t_Result (Bertie.Tls13utils.t_AppData & t_ServerCipherState0) u8) +- Prims.l_True ++ (Seq.length ciphertext._0 >= 5) + (fun _ -> Prims.l_True) + + val duplex_cipher_state1 +@@ -108,7 +113,7 @@ + + val encrypt_data (payload: Bertie.Tls13utils.t_AppData) (pad: usize) (st: t_DuplexCipherState1) + : Prims.Pure (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_DuplexCipherState1) u8) +- Prims.l_True ++ (Seq.length payload._0._0 < 65536 /\ v pad < 4096) + (fun _ -> Prims.l_True) + + val encrypt_handshake +@@ -116,12 +121,12 @@ + (pad: usize) + (state: t_DuplexCipherStateH) + : Prims.Pure (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_DuplexCipherStateH) u8) +- Prims.l_True ++ (Seq.length payload._0._0 < 65536 /\ v pad < 4096) + (fun _ -> Prims.l_True) + + val encrypt_zerortt (payload: Bertie.Tls13utils.t_AppData) (pad: usize) (st: t_ClientCipherState0) + : Prims.Pure (Core.Result.t_Result (Bertie.Tls13utils.t_Bytes & t_ClientCipherState0) u8) +- Prims.l_True ++ (Seq.length payload._0._0 < 65536 /\ v pad < 4096) + (fun _ -> Prims.l_True) + + val server_cipher_state0 +diff -ruN extraction-lax/Bertie.Tls13utils.fsti extraction-panic-free/Bertie.Tls13utils.fsti +--- extraction-lax/Bertie.Tls13utils.fsti 2024-04-05 08:35:03 ++++ extraction-panic-free/Bertie.Tls13utils.fsti 2024-04-05 08:35:03 +@@ -61,6 +61,8 @@ + + let v_ZERO_RTT_DISABLED: u8 = 129uy + ++val dummy_fn: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) ++ + val parse_failed: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + + class t_Declassify (v_Self: Type) (v_T: Type) 
= { +@@ -98,44 +100,88 @@ + : Prims.Pure (t_Array u8 (sz 4)) Prims.l_True (fun _ -> Prims.l_True) + + val check (b: bool) +- : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok l -> b == true ++ | _ -> True) + ++ + val check_eq1 (b1 b2: u8) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + + val length_u16_encoded_slice (bytes: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok l -> v l + 2 <= Seq.length bytes ++ | _ -> True) + + val length_u16_encoded (bytes: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok l -> v l <= 65536 /\ v l + 2 <= Seq.length bytes ++ | _ -> True) + ++ + val length_u24_encoded (bytes: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result usize u8) ++ Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok l -> v l <= 16777216 /\ v l + 3 <= Seq.length bytes ++ | _ -> True) + + val length_u8_encoded (bytes: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result usize u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok l -> v l <= 256 /\ v l + 1 <= Seq.length bytes ++ | _ -> True) + ++ + val check_length_encoding_u16_slice (bytes: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True ++ (fun res -> match res with ++ | 
Core.Result.Result_Ok _ -> ++ Seq.length bytes >= 2 /\ ++ v (Seq.index bytes 0) * 256 + v (Seq.index bytes 1) + 2 == Seq.length bytes ++ | _ -> True) + + val check_length_encoding_u24 (bytes: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok _ -> ++ Seq.length bytes >= 3 /\ ++ v (Seq.index bytes 0) * 65536 + v (Seq.index bytes 1) * 256 + v (Seq.index bytes 2) + 3 == Seq.length bytes ++ | _ -> True) + + val check_length_encoding_u8_slice (bytes: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok _ -> ++ Seq.length bytes > 0 /\ ++ v (Seq.index bytes 0) + 1 == Seq.length bytes ++ | _ -> True) + ++ + val eq_slice (b1 b2: t_Slice u8) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + + val check_eq_slice (b1 b2: t_Slice u8) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + ++val check_eq_with_slice (b1 b2: t_Slice u8) (start v_end: usize) ++ : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok _ -> Seq.length b2 >= v v_end ++ | _ -> True) ++ + val check_mem (b1 b2: t_Slice u8) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) + + val error_string (c: u8) : Prims.Pure Alloc.String.t_String Prims.l_True (fun _ -> Prims.l_True) + + val tlserr (#v_T: Type) (err: u8) +- : Prims.Pure (Core.Result.t_Result v_T u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result v_T u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok _ -> False ++ | Core.Result.Result_Err _ -> True) + + type t_Bytes = | Bytes : Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global -> 
t_Bytes + +@@ -148,7 +194,7 @@ + } + + val impl__Bytes__as_raw (self: t_Bytes) +- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (t_Slice u8) Prims.l_True (fun res -> res == self._0) + + val impl__Bytes__declassify (self: t_Bytes) + : Prims.Pure (Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) Prims.l_True (fun _ -> Prims.l_True) +@@ -196,101 +242,123 @@ + Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) + } + +-[@@ FStar.Tactics.Typeclasses.tcinstance] +-let impl_8: Core.Ops.Index.t_Index t_Bytes usize = +- { +- f_Output = u8; +- f_index_pre = (fun (self: t_Bytes) (x: usize) -> x <. (Alloc.Vec.impl_1__len self._0 <: usize)); +- f_index_post = (fun (self: t_Bytes) (x: usize) (out: u8) -> true); +- f_index = fun (self: t_Bytes) (x: usize) -> self._0.[ x ] +- } +- +-[@@ FStar.Tactics.Typeclasses.tcinstance] +-let impl_9: Core.Ops.Index.t_Index t_Bytes (Core.Ops.Range.t_Range usize) = +- { +- f_Output = t_Slice u8; +- f_index_pre +- = +- (fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> +- x.Core.Ops.Range.f_start <=. (Alloc.Vec.impl_1__len self._0 <: usize) && +- x.Core.Ops.Range.f_end <=. 
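Review bot: The upper bounds in the new postconditions of `length_u16_encoded`, `length_u24_encoded` and `length_u8_encoded` (hunk `@@ -98,44 +100,88 @@`) are one larger than a 2-, 3- or 1-byte length field can hold: `<= 65536`, `<= 16777216`, `<= 256`. They are sound but looser than needed, and they do not line up with the strict `< 65536` bounds used as preconditions elsewhere in this patch, which can force extra reasoning at call sites. If the implementations support it, tighten them, e.g. `| Core.Result.Result_Ok l -> v l < 65536 /\ v l + 2 <= Seq.length bytes`. `length_u16_encoded_slice` gets no upper bound on `l` at all, unlike `length_u16_encoded`, which is worth either aligning or explaining in a comment.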
(Alloc.Vec.impl_1__len self._0 <: usize)); +- f_index_post = (fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) (out: t_Slice u8) -> true); +- f_index = fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> self._0.[ x ] +- } +- +-[@@ FStar.Tactics.Typeclasses.tcinstance] +-let upd_10: Rust_primitives.Hax.update_at_tc t_Bytes usize = +- { +- super_index = impl_8; +- update_at = fun s (i:usize{v i < Seq.length s._0}) x -> Bytes (Seq.upd s._0 (v i) x) +- } +- +- + val impl__Bytes__append (self x: t_Bytes) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + +-val impl__Bytes__concat (self other: t_Bytes) +- : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++let impl__Bytes__concat self (other:t_Bytes{Seq.length self._0 + Seq.length other._0 <= max_usize}) = Bytes (concat self._0 other._0) + +-val impl__Bytes__concat_array (v_N: usize) (self: t_Bytes) (other: t_Array u8 v_N) +- : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + ++val impl__Bytes__concat_array (v_N: usize) (self: t_Bytes{Seq.length self._0 + v v_N <= max_usize}) (other: t_Array u8 v_N) ++ : Prims.Pure t_Bytes Prims.l_True ++ (fun res -> Seq.length res._0 == Seq.length self._0 + v v_N) ++ + val impl__Bytes__extend_from_slice (self x: t_Bytes) + : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + + val impl__Bytes__from_hex (s: string) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + +-val impl__Bytes__from_slice (s: t_Slice u8) +- : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++let impl__Bytes__from_slice (s: t_Slice u8) = Bytes s + +-val impl__Bytes__len (self: t_Bytes) : Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ++let impl__Bytes__len (self: t_Bytes) = Alloc.Vec.impl_1__len self._0 <: usize + +-val impl__Bytes__prefix (self: t_Bytes) (prefix: t_Slice u8) +- : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++let impl__Bytes__prefix (self: t_Bytes) (prefix: t_Slice u8{Seq.length self._0 + Seq.length prefix <= max_usize}) 
= ++ Bytes (concat prefix self._0) + +-val impl__Bytes__new: Prims.unit -> Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++val impl__Bytes__new: Prims.unit -> Prims.Pure t_Bytes Prims.l_True (fun res -> Seq.length res._0 == 0) + + val impl__Bytes__new_alloc (len: usize) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + + val impl__Bytes__push (self: t_Bytes) (x: u8) + : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + +-val impl__Bytes__raw_slice (self: t_Bytes) (range: Core.Ops.Range.t_Range usize) +- : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) ++let impl__Bytes__raw_slice (self: t_Bytes) (range: Core.Ops.Range.t_Range usize{Core.Ops.Index.f_index_pre self._0 range}) = ++ self._0.[ range ] + + val impl__Bytes__slice (self: t_Bytes) (start len: usize) +- : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure t_Bytes (v start + v len <= Seq.length self._0) ++ (fun res -> Seq.length res._0 == v len) + +-val impl__Bytes__slice_range (self: t_Bytes) (range: Core.Ops.Range.t_Range usize) +- : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++val impl__Bytes__slice_range (self: t_Bytes) (range: Core.Ops.Range.t_Range usize{Core.Ops.Index.f_index_pre self._0 range}) ++ : Prims.Pure t_Bytes Prims.l_True ++ (fun res -> res == Bytes (self._0.[ range ])) + ++val impl__Bytes__zeroes (len: usize) : Prims.Pure t_Bytes Prims.l_True ++ (fun res -> Seq.length res._0 == v len) ++ ++[@@ FStar.Tactics.Typeclasses.tcinstance] ++let impl_21: Core.Ops.Index.t_Index t_Bytes usize = ++ { ++ f_Output = u8; ++ f_index_pre = (fun (self: t_Bytes) (x: usize) -> x <. 
(Alloc.Vec.impl_1__len self._0 <: usize)); ++ f_index_post = (fun (self: t_Bytes) (x: usize) (out: u8) -> true); ++ f_index = fun (self: t_Bytes) (x: usize) -> self._0.[ x ] ++ } ++ + val impl__Bytes__update_slice (self: t_Bytes) (start: usize) (other: t_Bytes) (beg len: usize) +- : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure t_Bytes ++ (v start + v len <= Seq.length self._0 /\ v beg + v len <= Seq.length other._0) ++ (fun res -> Seq.length res._0 == Seq.length self._0) + +-val impl__Bytes__zeroes (len: usize) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++[@@ FStar.Tactics.Typeclasses.tcinstance] ++let impl_22: Core.Ops.Index.t_Index t_Bytes (Core.Ops.Range.t_Range usize) = ++ { ++ f_Output = t_Slice u8; ++ f_index_pre ++ = ++ (fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> ++ x.Core.Ops.Range.f_start <=. (Alloc.Vec.impl_1__len self._0 <: usize) && ++ x.Core.Ops.Range.f_end <=. (Alloc.Vec.impl_1__len self._0 <: usize)); ++ f_index_post = (fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) (out: t_Slice u8) -> true); ++ f_index = fun (self: t_Bytes) (x: Core.Ops.Range.t_Range usize) -> self._0.[ x ] ++ } + +-val bytes (x: t_Slice u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++[@@ FStar.Tactics.Typeclasses.tcinstance] ++let upd_22: Rust_primitives.Hax.update_at_tc t_Bytes usize = ++ { ++ super_index = impl_21; ++ update_at = fun s (i:usize{v i < Seq.length s._0}) x -> Bytes (Seq.upd s._0 (v i) x) ++ } + +-val bytes1 (x: u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) + +-val bytes2 (x y: u8) : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++let bytes (x: t_Slice u8) = Bytes x + ++val bytes1 (x: u8) : Prims.Pure t_Bytes Prims.l_True (fun res -> Seq.length res._0 == 1) ++ ++val bytes2 (x y: u8) : Prims.Pure t_Bytes Prims.l_True (fun res -> Seq.length res._0 == 2) ++ + val check_eq (b1 b2: t_Bytes) + : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> 
Prims.l_True) + + val check_length_encoding_u16 (bytes: t_Bytes) +- : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok _ -> Seq.length bytes._0 >= 2 ++ | _ -> True) + ++ + val check_length_encoding_u8 (bytes: t_Bytes) +- : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result Prims.unit u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok _ -> Seq.length bytes._0 >= 1 ++ | _ -> True) + + val encode_length_u16 (bytes: t_Bytes) +- : Prims.Pure (Core.Result.t_Result t_Bytes u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result t_Bytes u8) ++ Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok b -> Seq.length bytes._0 < 65536 /\ Seq.length b._0 == Seq.length bytes._0 + 2 ++ | _ -> True) + + val encode_length_u24 (bytes: t_Bytes) +- : Prims.Pure (Core.Result.t_Result t_Bytes u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result t_Bytes u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok b -> Seq.length bytes._0 < 16777216 /\ Seq.length b._0 == Seq.length bytes._0 + 3 ++ | _ -> True) + + val encode_length_u8 (bytes: t_Slice u8) +- : Prims.Pure (Core.Result.t_Result t_Bytes u8) Prims.l_True (fun _ -> Prims.l_True) ++ : Prims.Pure (Core.Result.t_Result t_Bytes u8) Prims.l_True ++ (fun res -> match res with ++ | Core.Result.Result_Ok b -> Seq.length bytes < 256 /\ Seq.length b._0 == Seq.length bytes + 1 ++ | _ -> True) + + val eq (b1 b2: t_Bytes) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +@@ -298,16 +366,14 @@ + + type t_AppData = | AppData : t_Bytes -> t_AppData + +-val impl__AppData__as_raw (self: t_AppData) +- : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++let impl__AppData__as_raw (self: t_AppData) = self._0 + 
+-val impl__AppData__into_raw (self: t_AppData) +- : Prims.Pure t_Bytes Prims.l_True (fun _ -> Prims.l_True) ++let impl__AppData__into_raw (self: t_AppData) = self._0 + + val impl__AppData__new (b: t_Bytes) : Prims.Pure t_AppData Prims.l_True (fun _ -> Prims.l_True) + + [@@ FStar.Tactics.Typeclasses.tcinstance] +-let impl_12: Core.Convert.t_From t_AppData (t_Slice u8) = ++let impl_10: Core.Convert.t_From t_AppData (t_Slice u8) = + { + f_from_pre = (fun (value: t_Slice u8) -> true); + f_from_post = (fun (value: t_Slice u8) (out: t_AppData) -> true); +@@ -315,7 +381,7 @@ + } + + [@@ FStar.Tactics.Typeclasses.tcinstance] +-let impl_13 (v_N: usize) : Core.Convert.t_From t_AppData (t_Array u8 v_N) = ++let impl_11 (v_N: usize) : Core.Convert.t_From t_AppData (t_Array u8 v_N) = + { + f_from_pre = (fun (value: t_Array u8 v_N) -> true); + f_from_post = (fun (value: t_Array u8 v_N) (out: t_AppData) -> true); +@@ -323,7 +389,7 @@ + } + + [@@ FStar.Tactics.Typeclasses.tcinstance] +-let impl_14: Core.Convert.t_From t_AppData (Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) = ++let impl_12: Core.Convert.t_From t_AppData (Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) = + { + f_from_pre = (fun (value: Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) -> true); + f_from_post = (fun (value: Alloc.Vec.t_Vec u8 Alloc.Alloc.t_Global) (out: t_AppData) -> true); +@@ -334,7 +400,7 @@ + } + + [@@ FStar.Tactics.Typeclasses.tcinstance] +-let impl_15: Core.Convert.t_From t_AppData t_Bytes = ++let impl_13: Core.Convert.t_From t_AppData t_Bytes = + { + f_from_pre = (fun (value: t_Bytes) -> true); + f_from_post = (fun (value: t_Bytes) (out: t_AppData) -> true); diff --git a/proofs/fstar/patches.sh b/proofs/fstar/patches.sh new file mode 100755 index 0000000..17576f0 --- /dev/null +++ b/proofs/fstar/patches.sh 
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+
+set -e
+
+SCRIPTPATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
+cd "$SCRIPTPATH"
+
+DENYLIST=""
+
+# `prepare_folder SRC DEST` copies F* files from SRC to DEST/
+prepare_folder() {
+ original="$1"
+ workdir="$2"
+ find "$original" \( -name '*.fst' -o -name '*.fsti' \) -exec gcp --parents \{\} "$workdir" \;
+}
+
+# `patch_folder ORIGINAL DESTINATION PATCH` creates the folder
+# `DESTINATION` out of the folder `ORIGINAL` given the patch `PATCH`
+patch_folder() {
+ original="$1"
+ destination="$2"
+ patch="$3"
+ TEMPDIR=$(mktemp -d)
+
+ prepare_folder $original "$TEMPDIR"
+
+ original_basename=$(basename "$original")
+ patch --directory="$TEMPDIR/$original_basename" -s -p1 < "$patch" || {
+ cd "$TEMPDIR/$original_basename"
+ echo '::error::Patches don'"'"'t apply. Keep in mind the CI regenerates `extraction` using the latest hax on `main`.'
+ for rejection in *.rej; do
+ echo "::group::cat $rejection"
+ cat "$rejection"
+ echo '::endgroup::'
+ done
+ exit 1
+ }
+
+ DIR="$TEMPDIR/$original_basename"
+ cp -rfT "$DIR" "$destination"
+
+ rm -rf "$TEMPDIR"
+}
+
+case $1 in
+ apply)
+ for target in extraction-lax extraction-panic-free; do
+ find "$target" \
+ \( -name '*.fst' -o -name '*.fsti' \) \
+ -type f \
+ -exec rm -f {} +
+ done
+
+ patch_folder extraction extraction-lax \
+ extraction-lax.patch
+ patch_folder extraction-lax extraction-panic-free \
+ extraction-panic-free.patch
+ ;;
+
+ create)
+ TEMPDIR=$(mktemp -d)
+
+ for i in extraction extraction-lax extraction-panic-free; do
+ prepare_folder "$i" "$TEMPDIR"
+ done
+
+ (
+ cd "$TEMPDIR"
+ diff -ruN extraction extraction-lax > extraction-lax.patch || true
+ diff -ruN extraction-lax extraction-panic-free > extraction-panic-free.patch || true
+
+
+ )
+ mv "$TEMPDIR/extraction-lax.patch" extraction-lax.patch
+ mv "$TEMPDIR/extraction-panic-free.patch" extraction-panic-free.patch
+
+ rm -rf "$TEMPDIR"
+ ;;
+
+ *)
+ echo 'Usage: `'"$0"' COMMAND`'
+ echo ' - `'"$0"' apply`: recreate `extraction-*` folders from the `*.patch` files'
+ echo ' - `'"$0"' create`: recreate `*.patch` files from the `extraction-*` folders'
+ ;;
+esac
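Review bot: In the `create` branch, `diff -ruN ... > extraction-lax.patch || true` discards every non-zero status, including 2 (diff itself failed), so a partial patch can be moved over the committed one while the script still exits successfully. Since these patch files carry the proof annotations, accept only the "differences found" status: `diff -ruN extraction extraction-lax > extraction-lax.patch || [ $? -eq 1 ]`, and likewise for the second diff. Separately, `prepare_folder $original "$TEMPDIR"` in `patch_folder` should quote `"$original"`, the `*)` usage branch should end with `exit 1` so a mistyped command fails in CI, and `DENYLIST` is assigned but never read. `gcp --parents` and `cp -rfT` assume GNU coreutils under specific command names, which deserves a comment at the top of the script stating the required tools.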