The implementations of the tls client and server applications can now be formally verified by the SPARK tools.

Author: joakim-strandberg

wrapper/Ada/spark_sockets.adb

@@ -0,0 +1,138 @@
+-- spark_sockets.adb
+--
+-- Copyright (C) 2006-2023 wolfSSL Inc.
+--
+-- This file is part of wolfSSL.
+--
+-- wolfSSL is free software; you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation; either version 2 of the License, or
+-- (at your option) any later version.
+--
+-- wolfSSL is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with this program; if not, write to the Free Software
+-- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+--
+
+with Interfaces.C;
+
+package body SPARK_Sockets is
+
+   function Inet_Addr (Image : String) return Optional_Inet_Addr is
+      A : Inet_Addr_Type;
+   begin
+      A := GNAT.Sockets.Inet_Addr (Image);
+      return (Exists => True, Addr => A);
+   exception
+      when others =>
+         return (Exists => False);
+   end Inet_Addr;
+
+   procedure Create_Socket (Socket : in out Optional_Socket) is
+      S : Socket_Type;
+   begin
+      GNAT.Sockets.Create_Socket (S);
+      Socket := (Exists => True, Socket => S);
+   exception
+      when others =>
+         Socket := (Exists => False);
+   end Create_Socket;
+
+   function Connect_Socket (Socket : Socket_Type;
+                            Server : Sock_Addr_Type)
+                            return Subprogram_Result is
+   begin
+      GNAT.Sockets.Connect_Socket (Socket, Server);
+      return Success;
+   exception
+      when others =>
+         return Failure;
+   end Connect_Socket;
+
+   function To_C (Socket : Socket_Type) return Integer is
+   begin
+      --  The call to GNAT.Sockets.To_C can never raise an exception.
+      return GNAT.Sockets.To_C (Socket);
+   end To_C;
+
+   procedure Close_Socket (Socket : in out Optional_Socket) is
+   begin
+      GNAT.Sockets.Close_Socket (Socket.Socket);
+      Socket := (Exists => False);
+   end Close_Socket;
+
+   function Set_Socket_Option (Socket : Socket_Type;
+                               Level  : Level_Type;
+                               Option : Option_Type)
+                               return Subprogram_Result is
+   begin
+      GNAT.Sockets.Set_Socket_Option (Socket, Level, Option);
+      return Success;
+   exception
+      when others =>
+         return Failure;
+   end Set_Socket_Option;
+
+   function Bind_Socket (Socket  : Socket_Type;
+                         Address : Sock_Addr_Type)
+                         return Subprogram_Result is
+   begin
+      GNAT.Sockets.Bind_Socket (Socket, Address);
+      return Success;
+   exception
+      when others =>
+         return Failure;
+   end Bind_Socket;
+
+   function Listen_Socket (Socket : Socket_Type;
+                           Length : Natural) return Subprogram_Result is
+   begin
+      GNAT.Sockets.Listen_Socket (Socket, Length);
+      return Success;
+   exception
+      when others =>
+         return Failure;
+   end Listen_Socket;
+
+   procedure Accept_Socket (Server  : Socket_Type;
+                            Socket  : out Optional_Socket;
+                            Address : out Sock_Addr_Type;
+                            Result  : out Subprogram_Result) is
+      C : Socket_Type;
+   begin
+      GNAT.Sockets.Accept_Socket (Server, C, Address);
+      Socket := (Exists => True, Socket => C);
+      Result := Success;
+   exception
+      when others =>
+         Socket := (Exists => False);
+         Address := (Family => GNAT.Sockets.Family_Unspec);
+         Result := Failure;
+   end Accept_Socket;
+
+   procedure To_C (Item       : String;
+                   Target     : out Byte_Array;
+                   Count      : out Byte_Index) is
+   begin
+      Interfaces.C.To_C (Item       => Item,
+                         Target     => Target,
+                         Count      => Count,
+                         Append_Nul => False);
+   end To_C;
+
+   procedure To_Ada (Item     : Byte_Array;
+                     Target   : out String;
+                     Count    : out Natural) is
+   begin
+      Interfaces.C.To_Ada (Item     => Item,
+                           Target   => Target,
+                           Count    => Count,
+                           Trim_Nul => False);
+   end To_Ada;
+
+end SPARK_Sockets;

wrapper/Ada/spark_sockets.ads

@@ -0,0 +1,137 @@
+-- spark_sockets.ads
+--
+-- Copyright (C) 2006-2023 wolfSSL Inc.
+--
+-- This file is part of wolfSSL.
+--
+-- wolfSSL is free software; you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation; either version 2 of the License, or
+-- (at your option) any later version.
+--
+-- wolfSSL is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with this program; if not, write to the Free Software
+-- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+--
+
+--  GNAT Library packages.
+with GNAT.Sockets;
+
+--  The WolfSSL package.
+with WolfSSL;
+
+--  This is a wrapper package around the GNAT.Sockets package.
+--  GNAT.Sockets raises exceptions to signal errors but exceptions
+--  are not supported by SPARK. This package converts raised exceptions
+--  into returned enumeration values by functions indicating success
+--  or failure.
+--
+--  The intended use of this package is to demonstrate the usage
+--  of the WolfSSL Ada binding in Ada/SPARK code.
+package SPARK_Sockets with SPARK_Mode is
+
+   subtype Byte_Array is WolfSSL.Byte_Array;
+   subtype Byte_Index is WolfSSL.Byte_Index; use type Byte_Index;
+
+   subtype Port_Type is GNAT.Sockets.Port_Type;
+
+   subtype Level_Type is GNAT.Sockets.Level_Type;
+
+   subtype Socket_Type is GNAT.Sockets.Socket_Type;
+   subtype Option_Name is GNAT.Sockets.Option_Name;
+   subtype Option_Type is GNAT.Sockets.Option_Type;
+   subtype Family_Type is GNAT.Sockets.Family_Type;
+
+   subtype Sock_Addr_Type is GNAT.Sockets.Sock_Addr_Type;
+   subtype Inet_Addr_Type is GNAT.Sockets.Inet_Addr_Type;
+
+   Socket_Error : exception renames GNAT.Sockets.Socket_Error;
+
+   Reuse_Address : Option_Name renames GNAT.Sockets.Reuse_Address;
+
+   Socket_Level : Level_Type renames GNAT.Sockets.Socket_Level;
+
+   Family_Inet : Family_Type renames GNAT.Sockets.Family_Inet;
+   use type GNAT.Sockets.Family_Type;
+
+   Any_Inet_Addr : Inet_Addr_Type renames GNAT.Sockets.Any_Inet_Addr;
+
+   subtype Subprogram_Result is WolfSSL.Subprogram_Result;
+   use type Subprogram_Result;
+
+   Success : Subprogram_Result renames WolfSSL.Success;
+   Failure : Subprogram_Result renames WolfSSL.Failure;
+
+   type Optional_Inet_Addr (Exists : Boolean := False) is record
+      case Exists is
+         when True  => Addr : Inet_Addr_Type;
+         when False => null;
+      end case;
+   end record;
+
+   function Inet_Addr (Image : String) return Optional_Inet_Addr;
+
+   type Optional_Socket (Exists : Boolean := False) is record
+      case Exists is
+         when True  => Socket : Socket_Type;
+         when False => null;
+      end case;
+   end record;
+
+   procedure Create_Socket (Socket : in out Optional_Socket) with
+      Pre => not Socket.Exists;
+
+   function Connect_Socket (Socket : Socket_Type;
+                            Server : Sock_Addr_Type)
+                            return Subprogram_Result;
+
+   function To_C (Socket : Socket_Type) return Integer with Inline;
+
+   --  Close a socket and more specifically a non-connected socket.
+   procedure Close_Socket (Socket : in out Optional_Socket) with
+      Pre  => Socket.Exists,
+      Post => not Socket.Exists;
+
+   function Set_Socket_Option (Socket : Socket_Type;
+                               Level  : Level_Type;
+                               Option : Option_Type)
+                               return Subprogram_Result;
+   --  Manipulate socket options.
+
+   function Bind_Socket (Socket  : Socket_Type;
+                         Address : Sock_Addr_Type)
+                         return Subprogram_Result;
+
+   function Listen_Socket (Socket : Socket_Type;
+                           Length : Natural) return Subprogram_Result;
+   --  To accept connections, a socket is first created with
+   --  Create_Socket, a willingness to accept incoming connections and
+   --  a queue Length for incoming connections are specified.
+   --  The queue length of 15 is an example value that should be
+   --  appropriate in usual cases. It can be adjusted according to each
+   --  application's particular requirements.
+
+   procedure Accept_Socket (Server  : Socket_Type;
+                            Socket  : out Optional_Socket;
+                            Address : out Sock_Addr_Type;
+                            Result  : out Subprogram_Result) with
+      Post => (if Result = Success then Socket.Exists else not Socket.Exists);
+
+   procedure To_C (Item       : String;
+                   Target     : out Byte_Array;
+                   Count      : out Byte_Index) with
+      Pre  => Item'Length <= Target'Length,
+      Post => Count <= Target'Last;
+
+   procedure To_Ada (Item     : Byte_Array;
+                     Target   : out String;
+                     Count    : out Natural) with
+      Pre  => Item'Length <= Target'Length,
+      Post => Count <= Target'Last;
+
+end SPARK_Sockets;

wrapper/Ada/spark_terminal.adb

@@ -0,0 +1,18 @@
+package body SPARK_Terminal is
+
+   procedure Set_Exit_Status (Status : Exit_Status) is
+   begin
+      Ada.Command_Line.Set_Exit_Status (Status);
+   end Set_Exit_Status;
+
+   function Argument_Count return Natural is
+   begin
+      return Ada.Command_Line.Argument_Count;
+   end Argument_Count;
+
+   function Argument (Number : Positive) return String is
+   begin
+      return Ada.Command_Line.Argument (Number);
+   end Argument;
+
+end SPARK_Terminal;

wrapper/Ada/spark_terminal.ads

@@ -0,0 +1,43 @@
+-- spark_sockets.ads
+--
+-- Copyright (C) 2006-2023 wolfSSL Inc.
+--
+-- This file is part of wolfSSL.
+--
+-- wolfSSL is free software; you can redistribute it and/or modify
+-- it under the terms of the GNU General Public License as published by
+-- the Free Software Foundation; either version 2 of the License, or
+-- (at your option) any later version.
+--
+-- wolfSSL is distributed in the hope that it will be useful,
+-- but WITHOUT ANY WARRANTY; without even the implied warranty of
+-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-- GNU General Public License for more details.
+--
+-- You should have received a copy of the GNU General Public License
+-- along with this program; if not, write to the Free Software
+-- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+--
+
+with Ada.Command_Line;
+
+--  SPARK wrapper package around Ada.Command_Line and Interfaces.C
+--  packages because these packages lack contracts in their specification
+--  files that SPARK can use to verify the context in which
+--  subprograms can safely be called.
+package SPARK_Terminal with SPARK_Mode is
+
+   subtype Exit_Status is Ada.Command_Line.Exit_Status;
+
+   Exit_Status_Success : Exit_Status renames Ada.Command_Line.Success;
+   Exit_Status_Failure : Exit_Status renames Ada.Command_Line.Failure;
+
+   procedure Set_Exit_Status (Status : Exit_Status) with
+      Global => null;
+
+   function Argument_Count return Natural;
+
+   function Argument (Number : Positive) return String with
+      Pre => Number <= Argument_Count;
+
+end SPARK_Terminal;