Merge pull request #74 from slyubomirsky/more-jml-specs

SalusaSecondus · web-flow · commit 9c61fccc2275 · 2018-10-29T15:12:35.000-07:00
JML Specifications for CipherBlockHeaders
diff --git a/src/main/java/com/amazonaws/encryptionsdk/model/CipherBlockHeaders.java b/src/main/java/com/amazonaws/encryptionsdk/model/CipherBlockHeaders.java
@@ -34,19 +34,30 @@
  * <li>length of content</li>
  * </ol>
  */
+//@ non_null_by_default
 public final class CipherBlockHeaders {
+    //@ spec_public nullable
     private byte[] nonce_;
+    //@ spec_public 
     private long contentLength_ = -1;
 
     // This is set after the nonce length is parsed in the CiphertextHeaders
     // during decryption. This can be set only using its setter.
+    //@ spec_public
     private short nonceLength_ = 0;
+    //@ public invariant nonceLength_ >= 0;
 
+    //@ spec_public 
     private boolean isComplete_;
 
     /**
      * Default constructor.
      */
+    //@ public normal_behavior
+    //@   ensures nonce_ == null;
+    //@   ensures contentLength_ == -1;
+    //@   ensures nonceLength_ == 0;
+    //@   ensures isComplete_ == false;
     public CipherBlockHeaders() {
     }
 
@@ -59,7 +70,18 @@ public CipherBlockHeaders() {
      * @param contentLen
      *            the length of the content in the block.
      */
-    public CipherBlockHeaders(final byte[] nonce, final long contentLen) {
+    //@ public normal_behavior
+    //@   requires nonce != null && nonce.length <= Constants.MAX_NONCE_LENGTH;
+    //@   ensures \fresh(nonce_) && nonce_.length == nonce.length;
+    //@   ensures Arrays.equalArrays(nonce_, nonce);
+    //@   ensures contentLength_ == contentLen;
+    //@   ensures nonceLength_ == 0;
+    //@   ensures isComplete_ == false;
+    //@ also private exceptional_behavior
+    //@   requires nonce == null || nonce.length > Constants.MAX_NONCE_LENGTH;
+    //@   signals_only AwsCryptoException;
+    //@ pure
+    public CipherBlockHeaders(/*@ nullable @*/ final byte[] nonce, final long contentLen) {
         if (nonce == null) {
             throw new AwsCryptoException("Nonce cannot be null.");
         }
@@ -78,6 +100,17 @@ public CipherBlockHeaders(final byte[] nonce, final long contentLen) {
      * @return
      *         the serialized bytes of the header.
      */
+    /*@ public normal_behavior
+      @   requires nonce_ != null;
+      @   old int nLen = nonce_.length;
+      @   requires nonce_.length <= Integer.MAX_VALUE - (Long.SIZE / Byte.SIZE);
+      @   ensures \result.length == nonce_.length + (Long.SIZE / Byte.SIZE);
+      @   ensures (\forall int i; 0<=i && i<nonce_.length; \result[i] == nonce_[i]);
+      @   ensures contentLength_ == Long.asLong(\result[nLen], \result[nLen+1], \result[nLen+2], 
+      @                                         \result[nLen+3], \result[nLen+4], \result[nLen+5], 
+      @                                         \result[nLen+6], \result[nLen+7]);
+      @ pure
+      @*/
     public byte[] toByteArray() {
         final int outLen = nonce_.length + (Long.SIZE / Byte.SIZE);
         final ByteBuffer out = ByteBuffer.allocate(outLen);
@@ -106,6 +139,19 @@ public byte[] toByteArray() {
      * @throws ParseException
      *             if there are not sufficient bytes to parse the nonce.
      */
+    //@ private normal_behavior
+    //@   requires nonceLength_ > 0;
+    //@   requires 0 <= off;
+    //@   requires b.length - off >= nonceLength_;
+    //@   assignable nonce_;
+    //@   ensures nonce_ != null && \fresh(nonce_);
+    //@   ensures Arrays.equalArrays(b, off, nonce_, 0, nonceLength_);
+    //@   ensures \result == nonceLength_;
+    //@ also private exceptional_behavior
+    //@   // add exceptions from arrays.copyofrange
+    //@   requires b.length - off < nonceLength_;
+    //@   assignable \nothing;
+    //@   signals_only ParseException;
     private int parseNonce(final byte[] b, final int off) throws ParseException {
         final int bytesToParseLen = b.length - off;
         if (bytesToParseLen >= nonceLength_) {
@@ -136,6 +182,20 @@ private int parseNonce(final byte[] b, final int off) throws ParseException {
      *             if there are not sufficient bytes to parse the content
      *             length.
      */
+    //@ private behavior
+    //@   requires off >= 0;
+    //@   requires b.length - off >= Long.BYTES;
+    //@   old long len = Long.asLong(b[off],b[off+1],b[off+2],b[off+3],b[off+4],b[off+5],b[off+6],b[off+7]);
+    //@   assignable contentLength_;
+    //@   ensures len >= 0;
+    //@   ensures contentLength_ == len;
+    //@   ensures \result == Long.BYTES;
+    //@   signals_only BadCiphertextException;
+    //@   signals (BadCiphertextException) len < 0 && contentLength_ == len;
+    //@ also private exceptional_behavior
+    //@   requires b.length - off < Long.BYTES;
+    //@   assignable \nothing;
+    //@   signals_only ParseException;
     private int parseContentLength(final byte[] b, final int off) throws ParseException {
         contentLength_ = PrimitivesParser.parseLong(b, off);
         if (contentLength_ < 0) {
@@ -160,11 +220,93 @@ private int parseContentLength(final byte[] b, final int off) throws ParseExcept
      * @return
      *         the number of bytes consumed in deserialization.
      */
-    public int deserialize(final byte[] b, final int off) {
+    /*@ public normal_behavior
+      @   requires b == null;
+      @   assignable \nothing;
+      @   ensures \result == 0;
+      @ also
+      @ // case: do not need to parse either value
+      @ public normal_behavior
+      @   requires b != null && contentLength_ >= 0 && (nonce_ != null || nonceLength_ == 0);
+      @   assignable isComplete_;
+      @   ensures \result == 0;
+      @   ensures isComplete_;
+      @ also
+      @ // case: parse nonce (parse exception)
+      @ public normal_behavior
+      @   requires b != null && nonce_ == null && nonceLength_ > 0;
+      @   requires b.length - off < nonceLength_;
+      @   assignable \nothing;
+      @   ensures \result == 0;
+      @ also
+      @ // case: parse nonce (normally) and not content length
+      @ public normal_behavior
+      @   requires b != null && nonce_ == null && nonceLength_ > 0;
+      @   requires off >= 0 && b.length - off >= nonceLength_;
+      @   requires contentLength_ >= 0;
+      @   assignable nonce_, isComplete_;
+      @   ensures nonce_ != null && \fresh(nonce_);
+      @   ensures Arrays.equalArrays(b, off, nonce_, 0, nonceLength_);
+      @   ensures \result == nonceLength_;
+      @   ensures isComplete_;
+      @ also
+      @ // case: do not parse nonce and parse content length (parse exception)
+      @ public normal_behavior
+      @   requires b != null && (nonce_ != null || nonceLength_ == 0);
+      @   requires contentLength_ < 0;
+      @   requires b.length - off < Long.BYTES;
+      @   assignable \nothing;
+      @   ensures \result == 0;
+      @ also
+      @ // case: parse nonce (normally) and parse content length (parse exception)
+      @ public normal_behavior
+      @   requires b != null && nonce_ == null && nonceLength_ > 0;
+      @   requires off >= 0 && b.length - off >= nonceLength_;
+      @   requires contentLength_ < 0;
+      @   requires b.length - (off + nonceLength_) < Long.BYTES;
+      @   assignable nonce_;
+      @   ensures Arrays.equalArrays(b, off, nonce_, 0, nonceLength_);
+      @   ensures \result == nonceLength_;
+      @ also
+      @ // case: do not parse nonce and parse content length (normally)
+      @ public behavior
+      @   requires b != null && (nonce_ != null || nonceLength_ == 0);
+      @   requires contentLength_ < 0;
+      @   requires off >= 0;
+      @   requires b.length - off >= Long.BYTES;
+      @   assignable contentLength_, isComplete_;
+      @   ensures isComplete_ && contentLength_ >= 0;
+      @   ensures contentLength_ == Long.asLong(b[off],   b[off+1], b[off+2], b[off+3],
+      @                                         b[off+4], b[off+5], b[off+6], b[off+7]);
+      @   ensures \result == Long.BYTES;
+      @   signals_only BadCiphertextException;
+      @   signals (BadCiphertextException) contentLength_ < 0 && isComplete_ == \old(isComplete_);
+      @ also
+      @ // case: parse both normally
+      @ public behavior
+      @   old int nLen = nonceLength_;
+      @   requires b != null;
+      @   requires nonce_ == null && nonceLength_ > 0 && contentLength_ < 0;
+      @   requires off >= 0 && b.length - off >= nonceLength_;
+      @   requires b.length - (off + nonceLength_) >= Long.BYTES;
+      @   requires nonceLength_ <= Integer.MAX_VALUE - Long.BYTES;
+      @   assignable nonce_, contentLength_, isComplete_;
+      @   ensures isComplete_ && contentLength_ >= 0;
+      @   ensures Arrays.equalArrays(b, off, nonce_, 0, nonceLength_);
+      @   ensures contentLength_ == Long.asLong(b[nLen+off],   b[nLen+off+1], b[nLen+off+2], 
+      @                                         b[nLen+off+3], b[nLen+off+4], b[nLen+off+5], 
+      @                                         b[nLen+off+6], b[nLen+off+7]);
+      @   ensures \result == nonceLength_ + Long.BYTES;
+      @   signals_only BadCiphertextException;
+      @   signals (BadCiphertextException) (contentLength_ < 0 && isComplete_ == \old(isComplete_)
+      @                                     && Arrays.equalArrays(b, off, nonce_, 0, nonceLength_));
+      @*/
+    public int deserialize(/*@ nullable */ final byte[] b, final int off) {
         if (b == null) {
             return 0;
         }
-
+                
+        //@ assert b != null;
         int parsedBytes = 0;
         try {
             if (nonceLength_ > 0 && nonce_ == null) {
@@ -192,6 +334,9 @@ public int deserialize(final byte[] b, final int off) {
      *         true if this object containing the single block header fields
      *         is complete; false otherwise.
      */
+    //@ public normal_behavior
+    //@   ensures \result == isComplete_;
+    //@ pure
     public boolean isComplete() {
         return isComplete_;
     }
@@ -202,6 +347,17 @@ public boolean isComplete() {
      * @return
      *         the bytes containing the nonce set in the single block header.
      */
+    //@ public normal_behavior
+    //@   requires nonce_ == null;
+    //@   ensures \result == null;
+    //@ also public normal_behavior
+    //@   requires nonce_ != null;
+    //@   ensures \result != null;
+    //@   ensures \fresh(\result);
+    //@   ensures \result != null;
+    //@   ensures \result.length == nonce_.length;
+    //@   ensures java.util.Arrays.equalArrays(\result,nonce_);
+    //@ pure nullable
     public byte[] getNonce() {
         return nonce_ != null ? nonce_.clone() : null;
     }
@@ -212,6 +368,9 @@ public byte[] getNonce() {
      * @return
      *         the content length set in the single block header.
      */
+    //@ public normal_behavior
+    //@   ensures \result == contentLength_;
+    //@ pure
     public long getContentLength() {
         return contentLength_;
     }
@@ -224,7 +383,11 @@ public long getContentLength() {
      *            the length of the nonce used in the encryption of the content
      *            stored in the single block.
      */
+    //@ public normal_behavior
+    //@   requires nonceLength >= 0;
+    //@   assignable nonceLength_;
+    //@   ensures nonceLength_ == nonceLength;
     public void setNonceLength(final short nonceLength) {
         nonceLength_ = nonceLength;
     }
-}
+}
