free C,S.
free c.

free hello,ack.

private free m.

fun vk/1.
fun ek/1.
fun h/1.

fun sign/2.
reduc checksign(sign(m,k),vk(k)) = m.

fun aenc/2.
reduc adec(aenc(m,ek(k)),k) = m.

fun senc/2.
reduc sdec(senc(m,k),k) = m.

query ev:endServerAuth(x,y) ==> ev:beginServerAuth(x,y).
query ev:endClientAuth(x,y,z) ==> ev:beginClientAuth(x,y,z).

let client =
    in(d,(idC,idS));
    new nC;
    out(c,(hello,nC));
    in(c,(=hello,nS));
    in(c,(cert,vkS));
    let (=vkS,ekS)=checksign(cert,vkS) in
    new secret;
    out(c,aenc(secret,ekS));
    event beginClientAuth(nC,nS,secret);
    let k=h((secret,nC,nS)) in
    out(c,senc((m),k));
    in(c,x);
    let (=ack)=sdec(x,k) in
    event endServerAuth(nC,nS).

let server =
    in(d,(idC,idS));
    new dkS;
    in(c,(hello,nC));
    new nS;
    event beginServerAuth(nC,nS);
    out(c,(hello,nS));
    out(c,(sign((vk(dkS),ek(dkS)),dkS),vk(dkS)));
    in(c,x);
    let secret=adec(x,dkS) in
    let k=h((secret,nC,nS)) in
    in(c,y);
    let (=m)=sdec(y,k) in
    event endClientAuth(nC,nS,secret);
    out(c,senc((ack),k)).

process
    new d;
    ! (out(d,(C,S)) | client | server)