diff --git a/src/DataProtection/Abstractions/src/IDataProtector.cs b/src/DataProtection/Abstractions/src/IDataProtector.cs
index af02695d85a0..1731170e95c2 100644
--- a/src/DataProtection/Abstractions/src/IDataProtector.cs
+++ b/src/DataProtection/Abstractions/src/IDataProtector.cs
@@ -1,6 +1,7 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System;
using System.Diagnostics.CodeAnalysis;
namespace Microsoft.AspNetCore.DataProtection;
diff --git a/src/DataProtection/Abstractions/src/ISpanDataProtector.cs b/src/DataProtection/Abstractions/src/ISpanDataProtector.cs
new file mode 100644
index 000000000000..c0f49a3a598b
--- /dev/null
+++ b/src/DataProtection/Abstractions/src/ISpanDataProtector.cs
@@ -0,0 +1,33 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.DataProtection;
+
+///
+/// An interface that can provide data protection services.
+/// Is an optimized version of .
+///
+public interface ISpanDataProtector : IDataProtector
+{
+ ///
+ /// Determines the size of the protected data in order to then use ."/>.
+ ///
+ /// The plain text that will be encrypted later
+ /// The size of the protected data.
+ int GetProtectedSize(ReadOnlySpan plainText);
+
+ ///
+ /// Attempts to encrypt and tamper-proof a piece of data.
+ ///
+ /// The input to encrypt.
+ /// The ciphertext blob, including authentication tag.
+ /// When this method returns, the total number of bytes written into destination
+ /// true if destination is long enough to receive the encrypted data; otherwise, false.
+ bool TryProtect(ReadOnlySpan plainText, Span destination, out int bytesWritten);
+}
diff --git a/src/DataProtection/Abstractions/src/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/DataProtection/Abstractions/src/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
index 1fe6c9dd19ba..694e0a251ed0 100644
--- a/src/DataProtection/Abstractions/src/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
+++ b/src/DataProtection/Abstractions/src/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
@@ -22,6 +22,10 @@ Microsoft.AspNetCore.DataProtection.IDataProtector
+
+
+
+
diff --git a/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt b/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..298b91c52e76 100644
--- a/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt
+++ b/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt
@@ -1 +1,4 @@
#nullable enable
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector.GetProtectedSize(System.ReadOnlySpan plainText) -> int
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector.TryProtect(System.ReadOnlySpan plainText, System.Span destination, out int bytesWritten) -> bool
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ISpanAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ISpanAuthenticatedEncryptor.cs
new file mode 100644
index 000000000000..8371161aa44b
--- /dev/null
+++ b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ISpanAuthenticatedEncryptor.cs
@@ -0,0 +1,46 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+
+///
+/// Provides an authenticated encryption and decryption routine via a span-based API.
+///
+public interface ISpanAuthenticatedEncryptor : IAuthenticatedEncryptor
+{
+ ///
+ /// Returns the size of the encrypted data for a given plaintext length.
+ ///
+ /// Length of the plain text that will be encrypted later
+ /// The length of the encrypted data
+ int GetEncryptedSize(int plainTextLength);
+
+ ///
+ /// Returns the size of the decrypted data for a given ciphertext length.
+ ///
+ /// Length of the cipher text that will be decrypted later
+ /// The length of the decrypted data
+ int GetDecryptedSize(int cipherTextLength);
+
+ ///
+ /// Attempts to encrypt and tamper-proof a piece of data.
+ ///
+ /// The input to encrypt.
+ ///
+ /// A piece of data which will not be included in
+ /// the returned ciphertext but which will still be covered by the authentication tag.
+ /// This input may be zero bytes in length. The same AAD must be specified in the corresponding decryption call.
+ ///
+ /// The ciphertext blob, including authentication tag.
+ /// When this method returns, the total number of bytes written into destination
+ /// true if destination is long enough to receive the encrypted data; otherwise, false.
+ bool TryEncrypt(ReadOnlySpan plaintext, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten);
+
+ bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten);
+}
diff --git a/src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs
index c77f84671f38..3cc9ab3b7fcb 100644
--- a/src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs
+++ b/src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs
@@ -2,11 +2,11 @@
// The .NET Foundation licenses this file to you under the MIT license.
using System;
+using System.Runtime.CompilerServices;
using Microsoft.AspNetCore.Cryptography;
using Microsoft.AspNetCore.Cryptography.Cng;
using Microsoft.AspNetCore.Cryptography.SafeHandles;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNetCore.DataProtection.Cng.Internal;
using Microsoft.AspNetCore.DataProtection.SP800_108;
namespace Microsoft.AspNetCore.DataProtection.Cng;
@@ -14,7 +14,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng;
// An encryptor which does Encrypt(CBC) + HMAC using the Windows CNG (BCrypt*) APIs.
// The payloads produced by this encryptor should be compatible with the payloads
// produced by the managed Encrypt(CBC) + HMAC encryptor.
-internal sealed unsafe class CbcAuthenticatedEncryptor : CngAuthenticatedEncryptorBase
+internal sealed unsafe class CbcAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, ISpanAuthenticatedEncryptor, IDisposable
{
// Even when IVs are chosen randomly, CBC is susceptible to IV collisions within a single
// key. For a 64-bit block cipher (like 3DES), we'd expect a collision after 2^32 block
@@ -56,158 +56,141 @@ public CbcAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHandle
_contextHeader = CreateContextHeader();
}
- private byte[] CreateContextHeader()
+ public int GetDecryptedSize(int cipherTextLength)
{
- var retVal = new byte[checked(
- 1 /* KDF alg */
- + 1 /* chaining mode */
- + sizeof(uint) /* sym alg key size */
- + sizeof(uint) /* sym alg block size */
- + sizeof(uint) /* hmac alg key size */
- + sizeof(uint) /* hmac alg digest size */
- + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */
- + _hmacAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)];
-
- fixed (byte* pbRetVal = retVal)
+ // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
+ if (cipherTextLength < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes))
{
- byte* ptr = pbRetVal;
+ throw Error.CryptCommon_PayloadInvalid();
+ }
- // First is the two-byte header
- *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
- *(ptr++) = 0; // 0x00 = CBC encryption + HMAC authentication
+ return checked(cipherTextLength - (int)(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes));
+ }
- // Next is information about the symmetric algorithm (key size followed by block size)
- BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes);
- BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmBlockSizeInBytes);
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
- // Next is information about the HMAC algorithm (key size followed by digest size)
- BitHelpers.WriteTo(ref ptr, _hmacAlgorithmSubkeyLengthInBytes);
- BitHelpers.WriteTo(ref ptr, _hmacAlgorithmDigestLengthInBytes);
+ try
+ {
+ var cbEncryptedData = GetDecryptedSize(cipherText.Length);
- // See the design document for an explanation of the following code.
- var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes];
- fixed (byte* pbTempKeys = tempKeys)
+ // Assumption: cipherText := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) }
+ fixed (byte* pbCiphertext = cipherText)
+ fixed (byte* pbAdditionalAuthenticatedData = additionalAuthenticatedData)
+ fixed (byte* pbDestination = destination)
{
- byte dummy;
-
- // Derive temporary keys for encryption + HMAC.
- using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider())
+ // Calculate offsets
+ byte* pbKeyModifier = pbCiphertext;
+ byte* pbIV = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
+ byte* pbEncryptedData = &pbIV[_symmetricAlgorithmBlockSizeInBytes];
+ byte* pbActualHmac = &pbEncryptedData[cbEncryptedData];
+
+ // Use the KDF to recreate the symmetric encryption and HMAC subkeys
+ // We'll need a temporary buffer to hold them
+ var cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes);
+ byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)];
+ try
{
- provider.DeriveKey(
- pbLabel: &dummy,
- cbLabel: 0,
- pbContext: &dummy,
- cbContext: 0,
- pbDerivedKey: pbTempKeys,
- cbDerivedKey: (uint)tempKeys.Length);
- }
+ _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
+ pbLabel: pbAdditionalAuthenticatedData,
+ cbLabel: (uint)additionalAuthenticatedData.Length,
+ contextHeader: _contextHeader,
+ pbContext: pbKeyModifier,
+ cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
+ pbDerivedKey: pbTempSubkeys,
+ cbDerivedKey: cbTempSubkeys);
- // At this point, tempKeys := { K_E || K_H }.
- byte* pbSymmetricEncryptionSubkey = pbTempKeys;
- byte* pbHmacSubkey = &pbTempKeys[_symmetricAlgorithmSubkeyLengthInBytes];
+ // Calculate offsets
+ byte* pbSymmetricEncryptionSubkey = pbTempSubkeys;
+ byte* pbHmacSubkey = &pbTempSubkeys[_symmetricAlgorithmSubkeyLengthInBytes];
- // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer.
- using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
- {
- fixed (byte* pbIV = new byte[_symmetricAlgorithmBlockSizeInBytes] /* will be zero-initialized */)
+ // First, perform an explicit integrity check over (iv | encryptedPayload) to ensure the
+ // data hasn't been tampered with. The integrity check is also implicitly performed over
+ // keyModifier since that value was provided to the KDF earlier.
+ using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
{
- DoCbcEncrypt(
- symmetricKeyHandle: symmetricKeyHandle,
- pbIV: pbIV,
- pbInput: &dummy,
- cbInput: 0,
- pbOutput: ptr,
- cbOutput: _symmetricAlgorithmBlockSizeInBytes);
+ if (!ValidateHash(hashHandle, pbIV, _symmetricAlgorithmBlockSizeInBytes + (uint)cbEncryptedData, pbActualHmac))
+ {
+ throw Error.CryptCommon_PayloadInvalid();
+ }
}
- }
- ptr += _symmetricAlgorithmBlockSizeInBytes;
- // MAC a zero-length input string and copy the digest to the return buffer.
- using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
+ // If the integrity check succeeded, decrypt the payload.
+ using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
+ {
+ // BCryptDecrypt mutates the provided IV; we need to clone it to prevent mutation of the original value
+ byte* pbClonedIV = stackalloc byte[checked((int)_symmetricAlgorithmBlockSizeInBytes)];
+ UnsafeBufferUtil.BlockCopy(from: pbIV, to: pbClonedIV, byteCount: _symmetricAlgorithmBlockSizeInBytes);
+
+ // Perform the decryption directly into destination
+ uint dwActualDecryptedByteCount;
+ byte dummy;
+ var ntstatus = UnsafeNativeMethods.BCryptDecrypt(
+ hKey: decryptionSubkeyHandle,
+ pbInput: pbEncryptedData,
+ cbInput: (uint)cbEncryptedData,
+ pPaddingInfo: null,
+ pbIV: pbClonedIV,
+ cbIV: _symmetricAlgorithmBlockSizeInBytes,
+ pbOutput: (destination.Length > 0) ? pbDestination : &dummy,
+ cbOutput: (uint)destination.Length,
+ pcbResult: out dwActualDecryptedByteCount,
+ dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
+
+ // Check for buffer too small before throwing other exceptions
+ // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
+ if (ntstatus == unchecked((int)0xC0000023)) // STATUS_BUFFER_TOO_SMALL
+ {
+ return false;
+ }
+ UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
+
+ bytesWritten = checked((int)dwActualDecryptedByteCount);
+ return true;
+ }
+ }
+ finally
{
- hashHandle.HashData(
- pbInput: &dummy,
- cbInput: 0,
- pbHashDigest: ptr,
- cbHashDigest: _hmacAlgorithmDigestLengthInBytes);
+ // Buffer contains sensitive key material; delete.
+ UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys);
}
-
- ptr += _hmacAlgorithmDigestLengthInBytes;
- CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length");
}
}
-
- // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || hmacAlgKeySize || hmacAlgDigestSize || E("") || MAC("") }.
- return retVal;
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // Homogenize all exceptions to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
+ }
}
- protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
+ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
{
- // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
- if (cbCiphertext < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes))
+ ciphertext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ var size = GetDecryptedSize(ciphertext.Count);
+ var plaintext = new byte[size];
+ var destination = plaintext.AsSpan();
+
+ if (!TryDecrypt(
+ cipherText: ciphertext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
{
- throw Error.CryptCommon_PayloadInvalid();
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
}
- // Assumption: pbCipherText := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) }
-
- var cbEncryptedData = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes));
-
- // Calculate offsets
- byte* pbKeyModifier = pbCiphertext;
- byte* pbIV = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
- byte* pbEncryptedData = &pbIV[_symmetricAlgorithmBlockSizeInBytes];
- byte* pbActualHmac = &pbEncryptedData[cbEncryptedData];
-
- // Use the KDF to recreate the symmetric encryption and HMAC subkeys
- // We'll need a temporary buffer to hold them
- var cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes);
- byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)];
- try
- {
- _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
- pbLabel: pbAdditionalAuthenticatedData,
- cbLabel: cbAdditionalAuthenticatedData,
- contextHeader: _contextHeader,
- pbContext: pbKeyModifier,
- cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
- pbDerivedKey: pbTempSubkeys,
- cbDerivedKey: cbTempSubkeys);
-
- // Calculate offsets
- byte* pbSymmetricEncryptionSubkey = pbTempSubkeys;
- byte* pbHmacSubkey = &pbTempSubkeys[_symmetricAlgorithmSubkeyLengthInBytes];
-
- // First, perform an explicit integrity check over (iv | encryptedPayload) to ensure the
- // data hasn't been tampered with. The integrity check is also implicitly performed over
- // keyModifier since that value was provided to the KDF earlier.
- using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
- {
- if (!ValidateHash(hashHandle, pbIV, _symmetricAlgorithmBlockSizeInBytes + cbEncryptedData, pbActualHmac))
- {
- throw Error.CryptCommon_PayloadInvalid();
- }
- }
-
- // If the integrity check succeeded, decrypt the payload.
- using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
- {
- return DoCbcDecrypt(decryptionSubkeyHandle, pbIV, pbEncryptedData, cbEncryptedData);
- }
- }
- finally
+ // Resize array if needed (due to padding)
+ if (bytesWritten < size)
{
- // Buffer contains sensitive key material; delete.
- UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys);
+ var resized = new byte[bytesWritten];
+ Array.Copy(plaintext, resized, bytesWritten);
+ return resized;
}
- }
- public override void Dispose()
- {
- _sp800_108_ctr_hmac_provider.Dispose();
-
- // We don't want to dispose of the underlying algorithm instances because they
- // might be reused.
+ return plaintext;
}
// 'pbIV' must be a pointer to a buffer equal in length to the symmetric algorithm block size.
@@ -223,6 +206,7 @@ private byte[] DoCbcDecrypt(BCryptKeyHandle symmetricKeyHandle, byte* pbIV, byte
// know the actual padding scheme being used under the covers (we can't
// assume PKCS#7). So unfortunately we're stuck with the temporary buffer.
// (Querying the output size won't mutate the IV.)
+
uint dwEstimatedDecryptedByteCount;
var ntstatus = UnsafeNativeMethods.BCryptDecrypt(
hKey: symmetricKeyHandle,
@@ -299,92 +283,169 @@ private void DoCbcEncrypt(BCryptKeyHandle symmetricKeyHandle, byte* pbIV, byte*
CryptoUtil.Assert(dwEncryptedBytes == cbOutput, "dwEncryptedBytes == cbOutput");
}
- protected override byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer)
+ public int GetEncryptedSize(int plainTextLength)
{
- // This buffer will be used to hold the symmetric encryption and HMAC subkeys
- // used in the generation of this payload.
- var cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes);
- byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)];
+ uint paddedCiphertextLength = GetCbcEncryptedOutputSizeWithPadding((uint)plainTextLength);
+ return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + paddedCiphertextLength + _hmacAlgorithmDigestLengthInBytes));
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plaintext, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
try
{
- // Randomly generate the key modifier and IV.
- var cbKeyModifierAndIV = checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes);
- byte* pbKeyModifierAndIV = stackalloc byte[checked((int)cbKeyModifierAndIV)];
- _genRandom.GenRandom(pbKeyModifierAndIV, cbKeyModifierAndIV);
-
- // Calculate offsets
- byte* pbKeyModifier = pbKeyModifierAndIV;
- byte* pbIV = &pbKeyModifierAndIV[KEY_MODIFIER_SIZE_IN_BYTES];
-
- // Use the KDF to generate a new symmetric encryption and HMAC subkey
- _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
- pbLabel: pbAdditionalAuthenticatedData,
- cbLabel: cbAdditionalAuthenticatedData,
- contextHeader: _contextHeader,
- pbContext: pbKeyModifier,
- cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
- pbDerivedKey: pbTempSubkeys,
- cbDerivedKey: cbTempSubkeys);
-
- // Calculate offsets
- byte* pbSymmetricEncryptionSubkey = pbTempSubkeys;
- byte* pbHmacSubkey = &pbTempSubkeys[_symmetricAlgorithmSubkeyLengthInBytes];
-
- using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
- {
- // We can't assume PKCS#7 padding (maybe the underlying provider is really using CTS),
- // so we need to query the padded output size before we can allocate the return value array.
- var cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlaintext, cbPlaintext);
+ // This buffer will be used to hold the symmetric encryption and HMAC subkeys
+ // used in the generation of this payload.
+ var cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes);
+ byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)];
- // Allocate return value array and start copying some data
- var retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext + _hmacAlgorithmDigestLengthInBytes + cbPostBuffer)];
- fixed (byte* pbRetVal = retVal)
- {
- // Calculate offsets
- byte* pbOutputKeyModifier = &pbRetVal[cbPreBuffer];
- byte* pbOutputIV = &pbOutputKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
- byte* pbOutputCiphertext = &pbOutputIV[_symmetricAlgorithmBlockSizeInBytes];
- byte* pbOutputHmac = &pbOutputCiphertext[cbOutputCiphertext];
-
- UnsafeBufferUtil.BlockCopy(from: pbKeyModifierAndIV, to: pbOutputKeyModifier, byteCount: cbKeyModifierAndIV);
+ try
+ {
+ // Randomly generate the key modifier and IV.
+ var cbKeyModifierAndIV = checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes);
+ byte* pbKeyModifierAndIV = stackalloc byte[checked((int)cbKeyModifierAndIV)];
+ _genRandom.GenRandom(pbKeyModifierAndIV, cbKeyModifierAndIV);
- // retVal will eventually contain { preBuffer | keyModifier | iv | encryptedData | HMAC(iv | encryptedData) | postBuffer }
- // At this point, retVal := { preBuffer | keyModifier | iv | _____ | _____ | postBuffer }
+ // Calculate offsets
+ byte* pbKeyModifier = pbKeyModifierAndIV;
+ byte* pbIV = &pbKeyModifierAndIV[KEY_MODIFIER_SIZE_IN_BYTES];
- DoCbcEncrypt(
- symmetricKeyHandle: symmetricKeyHandle,
- pbIV: pbIV,
- pbInput: pbPlaintext,
- cbInput: cbPlaintext,
- pbOutput: pbOutputCiphertext,
- cbOutput: cbOutputCiphertext);
+ // Use the KDF to generate a new symmetric encryption and HMAC subkey
+ fixed (byte* pbAdditionalAuthenticatedData = additionalAuthenticatedData)
+ {
+ _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
+ pbLabel: pbAdditionalAuthenticatedData,
+ cbLabel: (uint)additionalAuthenticatedData.Length,
+ contextHeader: _contextHeader,
+ pbContext: pbKeyModifier,
+ cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
+ pbDerivedKey: pbTempSubkeys,
+ cbDerivedKey: cbTempSubkeys);
+ }
- // At this point, retVal := { preBuffer | keyModifier | iv | encryptedData | _____ | postBuffer }
+ // Calculate offsets
+ byte* pbSymmetricEncryptionSubkey = pbTempSubkeys;
+ byte* pbHmacSubkey = &pbTempSubkeys[_symmetricAlgorithmSubkeyLengthInBytes];
- // Compute the HMAC over the IV and the ciphertext (prevents IV tampering).
- // The HMAC is already implicitly computed over the key modifier since the key
- // modifier is used as input to the KDF.
- using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
+ using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
+ {
+ // Get the padded output size
+ byte dummy;
+ fixed (byte* pbPlaintextArray = plaintext)
{
- hashHandle.HashData(
- pbInput: pbOutputIV,
- cbInput: checked(_symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext),
- pbHashDigest: pbOutputHmac,
- cbHashDigest: _hmacAlgorithmDigestLengthInBytes);
+ var pbPlaintext = (pbPlaintextArray != null) ? pbPlaintextArray : &dummy;
+ var cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlaintext, (uint)plaintext.Length);
+
+ fixed (byte* pbDestination = destination)
+ {
+ // Calculate offsets in destination
+ byte* pbOutputKeyModifier = pbDestination;
+ byte* pbOutputIV = &pbOutputKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
+ byte* pbOutputCiphertext = &pbOutputIV[_symmetricAlgorithmBlockSizeInBytes];
+ byte* pbOutputHmac = &pbOutputCiphertext[cbOutputCiphertext];
+
+ // Copy key modifier and IV to destination
+ Unsafe.CopyBlock(pbOutputKeyModifier, pbKeyModifierAndIV, cbKeyModifierAndIV);
+ bytesWritten += checked((int)cbKeyModifierAndIV);
+
+ // Perform CBC encryption directly into destination
+ DoCbcEncrypt(
+ symmetricKeyHandle: symmetricKeyHandle,
+ pbIV: pbIV,
+ pbInput: pbPlaintext,
+ cbInput: (uint)plaintext.Length,
+ pbOutput: pbOutputCiphertext,
+ cbOutput: cbOutputCiphertext);
+ bytesWritten += checked((int)cbOutputCiphertext);
+
+ // Compute the HMAC over the IV and the ciphertext
+ using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
+ {
+ hashHandle.HashData(
+ pbInput: pbOutputIV,
+ cbInput: checked(_symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext),
+ pbHashDigest: pbOutputHmac,
+ cbHashDigest: _hmacAlgorithmDigestLengthInBytes);
+ }
+ bytesWritten += checked((int)_hmacAlgorithmDigestLengthInBytes);
+
+ return true;
+ }
}
-
- // At this point, retVal := { preBuffer | keyModifier | iv | encryptedData | HMAC(iv | encryptedData) | postBuffer }
- // And we're done!
- return retVal;
}
}
+ finally
+ {
+ // Buffer contains sensitive material; delete it.
+ UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys);
+ }
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // Homogenize all exceptions to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
}
- finally
+ }
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
+ {
+ plaintext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ var size = GetEncryptedSize(plaintext.Count);
+ var ciphertext = new byte[preBufferSize + size + postBufferSize];
+ var destination = ciphertext.AsSpan((int)preBufferSize, size);
+
+ if (!TryEncrypt(
+ plaintext: plaintext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
{
- // Buffer contains sensitive material; delete it.
- UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys);
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
}
+
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return ciphertext;
+ }
+
+ ///
+ /// Should be used only for expected encrypt/decrypt size calculation,
+ /// use the other overload
+ /// for the actual encryption algorithm
+ ///
+ private uint GetCbcEncryptedOutputSizeWithPadding(uint cbInput)
+ {
+ // Create a temporary key with dummy data for size calculation only
+ // The actual key material doesn't matter for size calculation
+ byte* pbDummyKey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
+ // Leave pbDummyKey uninitialized (all zeros) - BCrypt doesn't care for size queries
+
+ using var tempKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbDummyKey, _symmetricAlgorithmSubkeyLengthInBytes);
+
+ // Use uninitialized IV and input data - only the lengths matter
+ byte* pbDummyIV = stackalloc byte[checked((int)_symmetricAlgorithmBlockSizeInBytes)];
+ byte* pbDummyInput = stackalloc byte[checked((int)cbInput)];
+
+
+ var ntstatus = UnsafeNativeMethods.BCryptEncrypt(
+ hKey: tempKeyHandle,
+ pbInput: pbDummyInput,
+ cbInput: cbInput,
+ pPaddingInfo: null,
+ pbIV: pbDummyIV,
+ cbIV: _symmetricAlgorithmBlockSizeInBytes,
+ pbOutput: null, // NULL output = size query only
+ cbOutput: 0,
+ pcbResult: out var dwResult,
+ dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
+ UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
+
+ return dwResult;
}
private uint GetCbcEncryptedOutputSizeWithPadding(BCryptKeyHandle symmetricKeyHandle, byte* pbInput, uint cbInput)
@@ -394,7 +455,6 @@ private uint GetCbcEncryptedOutputSizeWithPadding(BCryptKeyHandle symmetricKeyHa
// Calling BCryptEncrypt with a null output pointer will cause it to return the total number
// of bytes required for the output buffer.
- uint dwResult;
var ntstatus = UnsafeNativeMethods.BCryptEncrypt(
hKey: symmetricKeyHandle,
pbInput: pbInput,
@@ -404,7 +464,7 @@ private uint GetCbcEncryptedOutputSizeWithPadding(BCryptKeyHandle symmetricKeyHa
cbIV: _symmetricAlgorithmBlockSizeInBytes,
pbOutput: null,
cbOutput: 0,
- pcbResult: out dwResult,
+ pcbResult: out var dwResult,
dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
@@ -418,4 +478,97 @@ private bool ValidateHash(BCryptHashHandle hashHandle, byte* pbInput, uint cbInp
hashHandle.HashData(pbInput, cbInput, pbActualDigest, _hmacAlgorithmDigestLengthInBytes);
return CryptoUtil.TimeConstantBuffersAreEqual(pbExpectedDigest, pbActualDigest, _hmacAlgorithmDigestLengthInBytes);
}
+
+ private byte[] CreateContextHeader()
+ {
+ var retVal = new byte[checked(
+ 1 /* KDF alg */
+ + 1 /* chaining mode */
+ + sizeof(uint) /* sym alg key size */
+ + sizeof(uint) /* sym alg block size */
+ + sizeof(uint) /* hmac alg key size */
+ + sizeof(uint) /* hmac alg digest size */
+ + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */
+ + _hmacAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)];
+
+ fixed (byte* pbRetVal = retVal)
+ {
+ byte* ptr = pbRetVal;
+
+ // First is the two-byte header
+ *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
+ *(ptr++) = 0; // 0x00 = CBC encryption + HMAC authentication
+
+ // Next is information about the symmetric algorithm (key size followed by block size)
+ BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmBlockSizeInBytes);
+
+ // Next is information about the HMAC algorithm (key size followed by digest size)
+ BitHelpers.WriteTo(ref ptr, _hmacAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(ref ptr, _hmacAlgorithmDigestLengthInBytes);
+
+ // See the design document for an explanation of the following code.
+ var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes];
+ fixed (byte* pbTempKeys = tempKeys)
+ {
+ byte dummy;
+
+ // Derive temporary keys for encryption + HMAC.
+ using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider())
+ {
+ provider.DeriveKey(
+ pbLabel: &dummy,
+ cbLabel: 0,
+ pbContext: &dummy,
+ cbContext: 0,
+ pbDerivedKey: pbTempKeys,
+ cbDerivedKey: (uint)tempKeys.Length);
+ }
+
+ // At this point, tempKeys := { K_E || K_H }.
+ byte* pbSymmetricEncryptionSubkey = pbTempKeys;
+ byte* pbHmacSubkey = &pbTempKeys[_symmetricAlgorithmSubkeyLengthInBytes];
+
+ // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer.
+ using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
+ {
+ fixed (byte* pbIV = new byte[_symmetricAlgorithmBlockSizeInBytes] /* will be zero-initialized */)
+ {
+ DoCbcEncrypt(
+ symmetricKeyHandle: symmetricKeyHandle,
+ pbIV: pbIV,
+ pbInput: &dummy,
+ cbInput: 0,
+ pbOutput: ptr,
+ cbOutput: _symmetricAlgorithmBlockSizeInBytes);
+ }
+ }
+ ptr += _symmetricAlgorithmBlockSizeInBytes;
+
+ // MAC a zero-length input string and copy the digest to the return buffer.
+ using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
+ {
+ hashHandle.HashData(
+ pbInput: &dummy,
+ cbInput: 0,
+ pbHashDigest: ptr,
+ cbHashDigest: _hmacAlgorithmDigestLengthInBytes);
+ }
+
+ ptr += _hmacAlgorithmDigestLengthInBytes;
+ CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length");
+ }
+ }
+
+ // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || hmacAlgKeySize || hmacAlgDigestSize || E("") || MAC("") }.
+ return retVal;
+ }
+
+ public void Dispose()
+ {
+ _sp800_108_ctr_hmac_provider.Dispose();
+
+ // We don't want to dispose of the underlying algorithm instances because they
+ // might be reused.
+ }
}
diff --git a/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs
index bf08a886e1f5..f8625781597f 100644
--- a/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs
+++ b/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs
@@ -1,11 +1,11 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System;
using Microsoft.AspNetCore.Cryptography;
using Microsoft.AspNetCore.Cryptography.Cng;
using Microsoft.AspNetCore.Cryptography.SafeHandles;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNetCore.DataProtection.Cng.Internal;
using Microsoft.AspNetCore.DataProtection.SP800_108;
namespace Microsoft.AspNetCore.DataProtection.Cng;
@@ -20,7 +20,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng;
// going to the IV. This means that we'll only hit the 2^-32 probability limit after 2^96 encryption
// operations, which will realistically never happen. (At the absurd rate of one encryption operation
// per nanosecond, it would still take 180 times the age of the universe to hit 2^96 operations.)
-internal sealed unsafe class CngGcmAuthenticatedEncryptor : CngAuthenticatedEncryptorBase
+internal sealed unsafe class CngGcmAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, ISpanAuthenticatedEncryptor, IDisposable
{
// Having a key modifier ensures with overwhelming probability that no two encryption operations
// will ever derive the same (encryption subkey, MAC subkey) pair. This limits an attacker's
@@ -50,6 +50,260 @@ public CngGcmAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHand
_contextHeader = CreateContextHeader();
}
+ public int GetDecryptedSize(int cipherTextLength)
+ {
+ // Argument checking: input must at the absolute minimum contain a key modifier, nonce, and tag
+ if (cipherTextLength < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
+ {
+ throw Error.CryptCommon_PayloadInvalid();
+ }
+
+ return checked(cipherTextLength - (int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES));
+ }
+
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
+
+ try
+ {
+ var plaintextLength = GetDecryptedSize(cipherText.Length);
+
+ // Check if destination is large enough
+ if (destination.Length < plaintextLength)
+ {
+ return false;
+ }
+
+ // Assumption: cipherText := { keyModifier || nonce || encryptedData || authenticationTag }
+ fixed (byte* pbCiphertext = cipherText)
+ fixed (byte* pbAdditionalAuthenticatedData = additionalAuthenticatedData)
+ fixed (byte* pbDestination = destination)
+ {
+ // Calculate offsets
+ byte* pbKeyModifier = pbCiphertext;
+ byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
+ byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
+ byte* pbAuthTag = &pbEncryptedData[plaintextLength];
+
+ // Use the KDF to recreate the symmetric block cipher key
+ // We'll need a temporary buffer to hold the symmetric encryption subkey
+ byte* pbSymmetricDecryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
+ try
+ {
+ _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
+ pbLabel: pbAdditionalAuthenticatedData,
+ cbLabel: (uint)additionalAuthenticatedData.Length,
+ contextHeader: _contextHeader,
+ pbContext: pbKeyModifier,
+ cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
+ pbDerivedKey: pbSymmetricDecryptionSubkey,
+ cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes);
+
+ // Perform the decryption operation
+ using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
+ {
+ byte dummy;
+ byte* pbPlaintext = (plaintextLength > 0) ? pbDestination : &dummy; // CLR doesn't like pinning empty buffers
+
+ BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO authInfo;
+ BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out authInfo);
+ authInfo.pbNonce = pbNonce;
+ authInfo.cbNonce = NONCE_SIZE_IN_BYTES;
+ authInfo.pbTag = pbAuthTag;
+ authInfo.cbTag = TAG_SIZE_IN_BYTES;
+
+ // The call to BCryptDecrypt will also validate the authentication tag
+ uint cbDecryptedBytesWritten;
+ var ntstatus = UnsafeNativeMethods.BCryptDecrypt(
+ hKey: decryptionSubkeyHandle,
+ pbInput: pbEncryptedData,
+ cbInput: (uint)plaintextLength,
+ pPaddingInfo: &authInfo,
+ pbIV: null, // IV not used; nonce provided in pPaddingInfo
+ cbIV: 0,
+ pbOutput: pbPlaintext,
+ cbOutput: (uint)plaintextLength,
+ pcbResult: out cbDecryptedBytesWritten,
+ dwFlags: 0);
+ UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
+ CryptoUtil.Assert(cbDecryptedBytesWritten == plaintextLength, "cbDecryptedBytesWritten == plaintextLength");
+
+ // At this point, retVal := { decryptedPayload }
+ // And we're done!
+ bytesWritten = (int)cbDecryptedBytesWritten;
+ return true;
+ }
+ }
+ finally
+ {
+ // The buffer contains key material, so delete it.
+ UnsafeBufferUtil.SecureZeroMemory(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes);
+ }
+ }
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ throw Error.CryptCommon_GenericError(ex);
+ }
+ }
+
+ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
+ {
+ ciphertext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ var size = GetDecryptedSize(ciphertext.Count);
+ var plaintext = new byte[size];
+ var destination = plaintext.AsSpan();
+
+ if (!TryDecrypt(
+ cipherText: ciphertext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
+
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return plaintext;
+ }
+
+ // 'pbNonce' must point to a 96-bit buffer.
+ // 'pbTag' must point to a 128-bit buffer.
+ // 'pbEncryptedData' must point to a buffer the same length as 'pbPlaintextData'.
+ private void DoGcmEncrypt(byte* pbKey, uint cbKey, byte* pbNonce, byte* pbPlaintextData, uint cbPlaintextData, byte* pbEncryptedData, byte* pbTag)
+ {
+ BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO authCipherInfo;
+ BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out authCipherInfo);
+ authCipherInfo.pbNonce = pbNonce;
+ authCipherInfo.cbNonce = NONCE_SIZE_IN_BYTES;
+ authCipherInfo.pbTag = pbTag;
+ authCipherInfo.cbTag = TAG_SIZE_IN_BYTES;
+
+ using (var keyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbKey, cbKey))
+ {
+ uint cbResult;
+ var ntstatus = UnsafeNativeMethods.BCryptEncrypt(
+ hKey: keyHandle,
+ pbInput: pbPlaintextData,
+ cbInput: cbPlaintextData,
+ pPaddingInfo: &authCipherInfo,
+ pbIV: null,
+ cbIV: 0,
+ pbOutput: pbEncryptedData,
+ cbOutput: cbPlaintextData,
+ pcbResult: out cbResult,
+ dwFlags: 0);
+ UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
+ CryptoUtil.Assert(cbResult == cbPlaintextData, "cbResult == cbPlaintextData");
+ }
+ }
+
+ public int GetEncryptedSize(int plainTextLength)
+ {
+ // A buffer to hold the key modifier, nonce, encrypted data, and tag.
+ // In GCM, the encrypted output will be the same length as the plaintext input.
+ return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plainTextLength + TAG_SIZE_IN_BYTES));
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plaintext, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
+
+ try
+ {
+ fixed (byte* pbDestination = destination)
+ {
+ // Calculate offsets
+ byte* pbKeyModifier = pbDestination;
+ byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
+ byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
+ byte* pbAuthTag = &pbEncryptedData[plaintext.Length];
+
+ // Randomly generate the key modifier and nonce
+ _genRandom.GenRandom(pbKeyModifier, KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES);
+ bytesWritten += checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES));
+
+ // At this point, retVal := { preBuffer | keyModifier | nonce | _____ | _____ | postBuffer }
+
+ // Use the KDF to generate a new symmetric block cipher key
+ // We'll need a temporary buffer to hold the symmetric encryption subkey
+ byte* pbSymmetricEncryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
+ try
+ {
+ fixed (byte* pbAdditionalAuthenticatedData = additionalAuthenticatedData)
+ {
+ _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
+ pbLabel: pbAdditionalAuthenticatedData,
+ cbLabel: (uint)additionalAuthenticatedData.Length,
+ contextHeader: _contextHeader,
+ pbContext: pbKeyModifier,
+ cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
+ pbDerivedKey: pbSymmetricEncryptionSubkey,
+ cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes);
+ }
+
+ // Perform the encryption operation
+ byte dummy;
+ fixed (byte* pbPlaintextArray = plaintext)
+ {
+ var pbPlaintext = (pbPlaintextArray != null) ? pbPlaintextArray : &dummy;
+
+ DoGcmEncrypt(
+ pbKey: pbSymmetricEncryptionSubkey,
+ cbKey: _symmetricAlgorithmSubkeyLengthInBytes,
+ pbNonce: pbNonce,
+ pbPlaintextData: pbPlaintext,
+ cbPlaintextData: (uint)plaintext.Length,
+ pbEncryptedData: pbEncryptedData,
+ pbTag: pbAuthTag);
+ }
+
+ // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer }
+ // And we're done!
+ bytesWritten += plaintext.Length + checked((int)TAG_SIZE_IN_BYTES);
+ return true;
+ }
+ finally
+ {
+ // The buffer contains key material, so delete it.
+ UnsafeBufferUtil.SecureZeroMemory(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes);
+ }
+ }
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ throw Error.CryptCommon_GenericError(ex);
+ }
+ }
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
+ {
+ plaintext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ var size = GetEncryptedSize(plaintext.Count);
+ var ciphertext = new byte[preBufferSize + size + postBufferSize];
+ var destination = ciphertext.AsSpan((int)preBufferSize, size);
+
+ if (!TryEncrypt(
+ plaintext: plaintext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
+
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return ciphertext;
+ }
+
private byte[] CreateContextHeader()
{
var retVal = new byte[checked(
@@ -114,173 +368,11 @@ private byte[] CreateContextHeader()
return retVal;
}
- protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
- {
- // Argument checking: input must at the absolute minimum contain a key modifier, nonce, and tag
- if (cbCiphertext < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
- {
- throw Error.CryptCommon_PayloadInvalid();
- }
-
- // Assumption: pbCipherText := { keyModifier || nonce || encryptedData || authenticationTag }
-
- var cbPlaintext = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES));
-
- var retVal = new byte[cbPlaintext];
- fixed (byte* pbRetVal = retVal)
- {
- // Calculate offsets
- byte* pbKeyModifier = pbCiphertext;
- byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
- byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
- byte* pbAuthTag = &pbEncryptedData[cbPlaintext];
-
- // Use the KDF to recreate the symmetric block cipher key
- // We'll need a temporary buffer to hold the symmetric encryption subkey
- byte* pbSymmetricDecryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
- try
- {
- _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
- pbLabel: pbAdditionalAuthenticatedData,
- cbLabel: cbAdditionalAuthenticatedData,
- contextHeader: _contextHeader,
- pbContext: pbKeyModifier,
- cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
- pbDerivedKey: pbSymmetricDecryptionSubkey,
- cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes);
-
- // Perform the decryption operation
- using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
- {
- byte dummy;
- byte* pbPlaintext = (pbRetVal != null) ? pbRetVal : &dummy; // CLR doesn't like pinning empty buffers
-
- BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO authInfo;
- BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out authInfo);
- authInfo.pbNonce = pbNonce;
- authInfo.cbNonce = NONCE_SIZE_IN_BYTES;
- authInfo.pbTag = pbAuthTag;
- authInfo.cbTag = TAG_SIZE_IN_BYTES;
-
- // The call to BCryptDecrypt will also validate the authentication tag
- uint cbDecryptedBytesWritten;
- var ntstatus = UnsafeNativeMethods.BCryptDecrypt(
- hKey: decryptionSubkeyHandle,
- pbInput: pbEncryptedData,
- cbInput: cbPlaintext,
- pPaddingInfo: &authInfo,
- pbIV: null, // IV not used; nonce provided in pPaddingInfo
- cbIV: 0,
- pbOutput: pbPlaintext,
- cbOutput: cbPlaintext,
- pcbResult: out cbDecryptedBytesWritten,
- dwFlags: 0);
- UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
- CryptoUtil.Assert(cbDecryptedBytesWritten == cbPlaintext, "cbDecryptedBytesWritten == cbPlaintext");
-
- // At this point, retVal := { decryptedPayload }
- // And we're done!
- return retVal;
- }
- }
- finally
- {
- // The buffer contains key material, so delete it.
- UnsafeBufferUtil.SecureZeroMemory(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes);
- }
- }
- }
-
- public override void Dispose()
+ public void Dispose()
{
_sp800_108_ctr_hmac_provider.Dispose();
// We don't want to dispose of the underlying algorithm instances because they
// might be reused.
}
-
- // 'pbNonce' must point to a 96-bit buffer.
- // 'pbTag' must point to a 128-bit buffer.
- // 'pbEncryptedData' must point to a buffer the same length as 'pbPlaintextData'.
- private void DoGcmEncrypt(byte* pbKey, uint cbKey, byte* pbNonce, byte* pbPlaintextData, uint cbPlaintextData, byte* pbEncryptedData, byte* pbTag)
- {
- BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO authCipherInfo;
- BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out authCipherInfo);
- authCipherInfo.pbNonce = pbNonce;
- authCipherInfo.cbNonce = NONCE_SIZE_IN_BYTES;
- authCipherInfo.pbTag = pbTag;
- authCipherInfo.cbTag = TAG_SIZE_IN_BYTES;
-
- using (var keyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbKey, cbKey))
- {
- uint cbResult;
- var ntstatus = UnsafeNativeMethods.BCryptEncrypt(
- hKey: keyHandle,
- pbInput: pbPlaintextData,
- cbInput: cbPlaintextData,
- pPaddingInfo: &authCipherInfo,
- pbIV: null,
- cbIV: 0,
- pbOutput: pbEncryptedData,
- cbOutput: cbPlaintextData,
- pcbResult: out cbResult,
- dwFlags: 0);
- UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
- CryptoUtil.Assert(cbResult == cbPlaintextData, "cbResult == cbPlaintextData");
- }
- }
-
- protected override byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer)
- {
- // Allocate a buffer to hold the key modifier, nonce, encrypted data, and tag.
- // In GCM, the encrypted output will be the same length as the plaintext input.
- var retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + cbPlaintext + TAG_SIZE_IN_BYTES + cbPostBuffer)];
- fixed (byte* pbRetVal = retVal)
- {
- // Calculate offsets
- byte* pbKeyModifier = &pbRetVal[cbPreBuffer];
- byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
- byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
- byte* pbAuthTag = &pbEncryptedData[cbPlaintext];
-
- // Randomly generate the key modifier and nonce
- _genRandom.GenRandom(pbKeyModifier, KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES);
-
- // At this point, retVal := { preBuffer | keyModifier | nonce | _____ | _____ | postBuffer }
-
- // Use the KDF to generate a new symmetric block cipher key
- // We'll need a temporary buffer to hold the symmetric encryption subkey
- byte* pbSymmetricEncryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
- try
- {
- _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
- pbLabel: pbAdditionalAuthenticatedData,
- cbLabel: cbAdditionalAuthenticatedData,
- contextHeader: _contextHeader,
- pbContext: pbKeyModifier,
- cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
- pbDerivedKey: pbSymmetricEncryptionSubkey,
- cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes);
-
- // Perform the encryption operation
- DoGcmEncrypt(
- pbKey: pbSymmetricEncryptionSubkey,
- cbKey: _symmetricAlgorithmSubkeyLengthInBytes,
- pbNonce: pbNonce,
- pbPlaintextData: pbPlaintext,
- cbPlaintextData: cbPlaintext,
- pbEncryptedData: pbEncryptedData,
- pbTag: pbAuthTag);
-
- // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer }
- // And we're done!
- return retVal;
- }
- finally
- {
- // The buffer contains key material, so delete it.
- UnsafeBufferUtil.SecureZeroMemory(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes);
- }
- }
- }
}
diff --git a/src/DataProtection/DataProtection/src/Cng/Internal/CngAuthenticatedEncryptorBase.cs b/src/DataProtection/DataProtection/src/Cng/Internal/CngAuthenticatedEncryptorBase.cs
deleted file mode 100644
index 3875f9e6c303..000000000000
--- a/src/DataProtection/DataProtection/src/Cng/Internal/CngAuthenticatedEncryptorBase.cs
+++ /dev/null
@@ -1,86 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using System;
-using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
-
-namespace Microsoft.AspNetCore.DataProtection.Cng.Internal;
-
-///
-/// Base class used for all CNG-related authentication encryption operations.
-///
-internal abstract unsafe class CngAuthenticatedEncryptorBase : IOptimizedAuthenticatedEncryptor, IDisposable
-{
- public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
- {
- // This wrapper simply converts ArraySegment to byte* and calls the impl method.
-
- // Input validation
- ciphertext.Validate();
- additionalAuthenticatedData.Validate();
-
- byte dummy; // used only if plaintext or AAD is empty, since otherwise 'fixed' returns null pointer
- fixed (byte* pbCiphertextArray = ciphertext.Array)
- {
- fixed (byte* pbAdditionalAuthenticatedDataArray = additionalAuthenticatedData.Array)
- {
- try
- {
- return DecryptImpl(
- pbCiphertext: (pbCiphertextArray != null) ? &pbCiphertextArray[ciphertext.Offset] : &dummy,
- cbCiphertext: (uint)ciphertext.Count,
- pbAdditionalAuthenticatedData: (pbAdditionalAuthenticatedDataArray != null) ? &pbAdditionalAuthenticatedDataArray[additionalAuthenticatedData.Offset] : &dummy,
- cbAdditionalAuthenticatedData: (uint)additionalAuthenticatedData.Count);
- }
- catch (Exception ex) when (ex.RequiresHomogenization())
- {
- // Homogenize to CryptographicException.
- throw Error.CryptCommon_GenericError(ex);
- }
- }
- }
- }
-
- protected abstract byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData);
-
- public abstract void Dispose();
-
- public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
- {
- return Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
- }
-
- public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
- {
- // This wrapper simply converts ArraySegment to byte* and calls the impl method.
-
- // Input validation
- plaintext.Validate();
- additionalAuthenticatedData.Validate();
-
- byte dummy; // used only if plaintext or AAD is empty, since otherwise 'fixed' returns null pointer
- fixed (byte* pbPlaintextArray = plaintext.Array)
- {
- fixed (byte* pbAdditionalAuthenticatedDataArray = additionalAuthenticatedData.Array)
- {
- try
- {
- return EncryptImpl(
- pbPlaintext: (pbPlaintextArray != null) ? &pbPlaintextArray[plaintext.Offset] : &dummy,
- cbPlaintext: (uint)plaintext.Count,
- pbAdditionalAuthenticatedData: (pbAdditionalAuthenticatedDataArray != null) ? &pbAdditionalAuthenticatedDataArray[additionalAuthenticatedData.Offset] : &dummy,
- cbAdditionalAuthenticatedData: (uint)additionalAuthenticatedData.Count,
- cbPreBuffer: preBufferSize,
- cbPostBuffer: postBufferSize);
- }
- catch (Exception ex) when (ex.RequiresHomogenization())
- {
- // Homogenize to CryptographicException.
- throw Error.CryptCommon_GenericError(ex);
- }
- }
- }
- }
-
- protected abstract byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer);
-}
diff --git a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtectionProvider.cs
index dd28c84db68d..738d7135935e 100644
--- a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtectionProvider.cs
+++ b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtectionProvider.cs
@@ -2,6 +2,7 @@
// The .NET Foundation licenses this file to you under the MIT license.
using System;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
using Microsoft.AspNetCore.Shared;
using Microsoft.Extensions.Logging;
@@ -23,6 +24,17 @@ public IDataProtector CreateProtector(string purpose)
{
ArgumentNullThrowHelper.ThrowIfNull(purpose);
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var encryptor = currentKeyRing.DefaultAuthenticatedEncryptor;
+ if (encryptor is ISpanAuthenticatedEncryptor)
+ {
+ return new KeyRingBasedSpanDataProtector(
+ logger: _logger,
+ keyRingProvider: _keyRingProvider,
+ originalPurposes: null,
+ newPurpose: purpose);
+ }
+
return new KeyRingBasedDataProtector(
logger: _logger,
keyRingProvider: _keyRingProvider,
diff --git a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs
index 9f19e137a48f..cb667432aa81 100644
--- a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs
+++ b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs
@@ -21,18 +21,19 @@
namespace Microsoft.AspNetCore.DataProtection.KeyManagement;
-internal sealed unsafe class KeyRingBasedDataProtector : IDataProtector, IPersistedDataProtector
+internal unsafe class KeyRingBasedDataProtector : IDataProtector, IPersistedDataProtector
{
// This magic header identifies a v0 protected data blob. It's the high 28 bits of the SHA1 hash of
// "Microsoft.AspNet.DataProtection.KeyManagement.KeyRingBasedDataProtector" [US-ASCII], big-endian.
// The last nibble reserved for version information. There's also the nice property that "F0 C9"
// can never appear in a well-formed UTF8 sequence, so attempts to treat a protected payload as a
// UTF8-encoded string will fail, and devs can catch the mistake early.
- private const uint MAGIC_HEADER_V0 = 0x09F0C9F0;
+ protected const uint MAGIC_HEADER_V0 = 0x09F0C9F0;
+ protected static readonly int _magicHeaderKeyIdSize = sizeof(uint) + sizeof(Guid);
- private AdditionalAuthenticatedDataTemplate _aadTemplate;
- private readonly IKeyRingProvider _keyRingProvider;
- private readonly ILogger? _logger;
+ protected AdditionalAuthenticatedDataTemplate _aadTemplate;
+ protected readonly IKeyRingProvider _keyRingProvider;
+ protected readonly ILogger? _logger;
public KeyRingBasedDataProtector(IKeyRingProvider keyRingProvider, ILogger? logger, string[]? originalPurposes, string newPurpose)
{
@@ -65,6 +66,17 @@ public IDataProtector CreateProtector(string purpose)
{
ArgumentNullThrowHelper.ThrowIfNull(purpose);
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var encryptor = currentKeyRing.DefaultAuthenticatedEncryptor;
+ if (encryptor is ISpanAuthenticatedEncryptor)
+ {
+ return new KeyRingBasedSpanDataProtector(
+ logger: _logger,
+ keyRingProvider: _keyRingProvider,
+ originalPurposes: Purposes,
+ newPurpose: purpose);
+ }
+
return new KeyRingBasedDataProtector(
logger: _logger,
keyRingProvider: _keyRingProvider,
@@ -72,7 +84,7 @@ public IDataProtector CreateProtector(string purpose)
newPurpose: purpose);
}
- private static string JoinPurposesForLog(IEnumerable purposes)
+ protected static string JoinPurposesForLog(IEnumerable purposes)
{
return "(" + String.Join(", ", purposes.Select(p => "'" + p + "'")) + ")";
}
@@ -293,7 +305,7 @@ private byte[] UnprotectCore(byte[] protectedData, bool allowOperationsOnRevoked
}
}
- private static void WriteGuid(void* ptr, Guid value)
+ protected static void WriteGuid(void* ptr, Guid value)
{
#if NETCOREAPP
var span = new Span(ptr, sizeof(Guid));
@@ -309,7 +321,7 @@ private static void WriteGuid(void* ptr, Guid value)
#endif
}
- private static void WriteBigEndianInteger(byte* ptr, uint value)
+ protected static void WriteBigEndianInteger(byte* ptr, uint value)
{
ptr[0] = (byte)(value >> 24);
ptr[1] = (byte)(value >> 16);
diff --git a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedSpanDataProtector.cs b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedSpanDataProtector.cs
new file mode 100644
index 000000000000..21ed225d7d79
--- /dev/null
+++ b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedSpanDataProtector.cs
@@ -0,0 +1,86 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Buffers.Binary;
+using System.Diagnostics;
+using Microsoft.AspNetCore.Cryptography;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.Shared;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement;
+
+internal unsafe class KeyRingBasedSpanDataProtector : KeyRingBasedDataProtector, ISpanDataProtector, IPersistedDataProtector
+{
+ public KeyRingBasedSpanDataProtector(IKeyRingProvider keyRingProvider, ILogger? logger, string[]? originalPurposes, string newPurpose)
+ : base(keyRingProvider, logger, originalPurposes, newPurpose)
+ {
+ }
+
+ public int GetProtectedSize(ReadOnlySpan plainText)
+ {
+ // Get the current key ring to access the encryptor
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var defaultEncryptor = (ISpanAuthenticatedEncryptor)currentKeyRing.DefaultAuthenticatedEncryptor!;
+ CryptoUtil.Assert(defaultEncryptor != null, "DefaultAuthenticatedEncryptor != null");
+
+ // We allocate a 20-byte pre-buffer so that we can inject the magic header and key id into the return value.
+ // See Protect() / TryProtect() for details
+ return _magicHeaderKeyIdSize + defaultEncryptor.GetEncryptedSize(plainText.Length);
+ }
+
+ public bool TryProtect(ReadOnlySpan plaintext, Span destination, out int bytesWritten)
+ {
+ try
+ {
+ // Perform the encryption operation using the current default encryptor.
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var defaultKeyId = currentKeyRing.DefaultKeyId;
+ var defaultEncryptor = (ISpanAuthenticatedEncryptor)currentKeyRing.DefaultAuthenticatedEncryptor!;
+ CryptoUtil.Assert(defaultEncryptor != null, "DefaultAuthenticatedEncryptor != null");
+
+ if (_logger.IsDebugLevelEnabled())
+ {
+ _logger.PerformingProtectOperationToKeyWithPurposes(defaultKeyId, JoinPurposesForLog(Purposes));
+ }
+
+ // We'll need to apply the default key id to the template if it hasn't already been applied.
+ // If the default key id has been updated since the last call to Protect, also write back the updated template.
+ var aad = _aadTemplate.GetAadForKey(defaultKeyId, isProtecting: true);
+
+ var preBufferSize = _magicHeaderKeyIdSize;
+ var postBufferSize = 0;
+ var destinationBufferOffsets = destination.Slice(preBufferSize, destination.Length - (preBufferSize + postBufferSize));
+ var success = defaultEncryptor.TryEncrypt(plaintext, aad, destinationBufferOffsets, out bytesWritten);
+
+ // At this point: destination := { 000..000 || encryptorSpecificProtectedPayload },
+ // where 000..000 is a placeholder for our magic header and key id.
+
+ // Write out the magic header and key id
+#if NET10_0_OR_GREATER
+ BinaryPrimitives.WriteUInt32BigEndian(destination.Slice(0, sizeof(uint)), MAGIC_HEADER_V0);
+ var writeKeyIdResult = defaultKeyId.TryWriteBytes(destination.Slice(sizeof(uint), sizeof(Guid)));
+ Debug.Assert(writeKeyIdResult, "Failed to write Guid to destination.");
+#else
+ fixed (byte* pbRetVal = destination)
+ {
+ WriteBigEndianInteger(pbRetVal, MAGIC_HEADER_V0);
+ WriteGuid(&pbRetVal[sizeof(uint)], defaultKeyId);
+ }
+#endif
+
+ bytesWritten += _magicHeaderKeyIdSize;
+
+ // At this point, destination := { magicHeader || keyId || encryptorSpecificProtectedPayload }
+ // And we're done!
+ return success;
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // homogenize all errors to CryptographicException
+ throw Error.Common_EncryptionFailed(ex);
+ }
+ }
+}
diff --git a/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs
index 413adfb4825f..abed2cb9b40d 100644
--- a/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs
+++ b/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs
@@ -13,7 +13,7 @@
namespace Microsoft.AspNetCore.DataProtection.Managed;
// An encryptor that uses AesGcm to do encryption
-internal sealed unsafe class AesGcmAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, IDisposable
+internal sealed unsafe class AesGcmAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, ISpanAuthenticatedEncryptor, IDisposable
{
// Having a key modifier ensures with overwhelming probability that no two encryption operations
// will ever derive the same (encryption subkey, MAC subkey) pair. This limits an attacker's
@@ -64,73 +64,80 @@ public AesGcmAuthenticatedEncryptor(ISecret keyDerivationKey, int derivedKeySize
_genRandom = genRandom ?? ManagedGenRandomImpl.Instance;
}
- public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
+ public int GetDecryptedSize(int cipherTextLength)
{
- ciphertext.Validate();
- additionalAuthenticatedData.Validate();
-
// Argument checking: input must at the absolute minimum contain a key modifier, nonce, and tag
- if (ciphertext.Count < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
+ if (cipherTextLength < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
{
throw Error.CryptCommon_PayloadInvalid();
}
- // Assumption: pbCipherText := { keyModifier || nonce || encryptedData || authenticationTag }
- var plaintextBytes = ciphertext.Count - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES);
- var plaintext = new byte[plaintextBytes];
+ return cipherTextLength - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES);
+ }
+
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
try
{
- // Step 1: Extract the key modifier from the payload.
-
- int keyModifierOffset; // position in ciphertext.Array where key modifier begins
- int nonceOffset; // position in ciphertext.Array where key modifier ends / nonce begins
- int encryptedDataOffset; // position in ciphertext.Array where nonce ends / encryptedData begins
- int tagOffset; // position in ciphertext.Array where encrypted data ends
-
- checked
+ var plaintextBytes = GetDecryptedSize(cipherText.Length);
+ if (destination.Length < plaintextBytes)
{
- keyModifierOffset = ciphertext.Offset;
- nonceOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
- encryptedDataOffset = nonceOffset + NONCE_SIZE_IN_BYTES;
- tagOffset = encryptedDataOffset + plaintextBytes;
+ return false;
}
- var keyModifier = new ArraySegment(ciphertext.Array!, keyModifierOffset, KEY_MODIFIER_SIZE_IN_BYTES);
-
- // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys.
- // We pin all unencrypted keys to limit their exposure via GC relocation.
-
- var decryptedKdk = new byte[_keyDerivationKey.Length];
- var derivedKey = new byte[_derivedkeySizeInBytes];
-
- fixed (byte* __unused__1 = decryptedKdk)
- fixed (byte* __unused__2 = derivedKey)
+ // Calculate offsets in the cipherText
+ var keyModifierOffset = 0;
+ var nonceOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
+ var encryptedDataOffset = nonceOffset + NONCE_SIZE_IN_BYTES;
+ var tagOffset = encryptedDataOffset + plaintextBytes;
+
+ // Extract spans for each component
+ var keyModifier = cipherText.Slice(keyModifierOffset, KEY_MODIFIER_SIZE_IN_BYTES);
+ var nonce = cipherText.Slice(nonceOffset, NONCE_SIZE_IN_BYTES);
+ var encrypted = cipherText.Slice(encryptedDataOffset, plaintextBytes);
+ var tag = cipherText.Slice(tagOffset, TAG_SIZE_IN_BYTES);
+
+ // Get the plaintext destination
+ var plaintext = destination.Slice(0, plaintextBytes);
+
+ // Decrypt the KDK and use it to restore the original encryption key
+ // We pin all unencrypted keys to limit their exposure via GC relocation
+ Span decryptedKdk = _keyDerivationKey.Length <= 256
+ ? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
+ : new byte[_keyDerivationKey.Length];
+
+ Span derivedKey = _derivedkeySizeInBytes <= 256
+ ? stackalloc byte[256].Slice(0, _derivedkeySizeInBytes)
+ : new byte[_derivedkeySizeInBytes];
+
+ fixed (byte* decryptedKdkUnsafe = decryptedKdk)
+ fixed (byte* derivedKeyUnsafe = derivedKey)
{
try
{
- _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment(decryptedKdk));
+ _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
kdk: decryptedKdk,
label: additionalAuthenticatedData,
contextHeader: _contextHeader,
contextData: keyModifier,
operationSubkey: derivedKey,
- validationSubkey: Span.Empty /* filling in derivedKey only */ );
+ validationSubkey: Span.Empty /* filling in derivedKey only */);
- // Perform the decryption operation
- var nonce = new Span(ciphertext.Array, nonceOffset, NONCE_SIZE_IN_BYTES);
- var tag = new Span(ciphertext.Array, tagOffset, TAG_SIZE_IN_BYTES);
- var encrypted = new Span(ciphertext.Array, encryptedDataOffset, plaintextBytes);
+ // Perform the decryption operation directly into destination
using var aes = new AesGcm(derivedKey, TAG_SIZE_IN_BYTES);
aes.Decrypt(nonce, encrypted, tag, plaintext);
- return plaintext;
+
+ bytesWritten = plaintextBytes;
+ return true;
}
finally
{
// delete since these contain secret material
- Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
- Array.Clear(derivedKey, 0, derivedKey.Length);
+ decryptedKdk.Clear();
+ derivedKey.Clear();
}
}
}
@@ -141,48 +148,93 @@ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment addition
}
}
+ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
+ {
+ ciphertext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ var size = GetDecryptedSize(ciphertext.Count);
+ var plaintext = new byte[size];
+ var destination = plaintext.AsSpan();
+
+ if (!TryDecrypt(
+ cipherText: ciphertext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
+
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return plaintext;
+ }
+
public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
{
plaintext.Validate();
additionalAuthenticatedData.Validate();
- try
+ var size = GetEncryptedSize(plaintext.Count);
+ var ciphertext = new byte[preBufferSize + size + postBufferSize];
+ var destination = ciphertext.AsSpan((int)preBufferSize, size);
+
+ if (!TryEncrypt(
+ plaintext: plaintext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
{
- // Allocate a buffer to hold the key modifier, nonce, encrypted data, and tag.
- // In GCM, the encrypted output will be the same length as the plaintext input.
- var retVal = new byte[checked(preBufferSize + KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plaintext.Count + TAG_SIZE_IN_BYTES + postBufferSize)];
- int keyModifierOffset; // position in ciphertext.Array where key modifier begins
- int nonceOffset; // position in ciphertext.Array where key modifier ends / nonce begins
- int encryptedDataOffset; // position in ciphertext.Array where nonce ends / encryptedData begins
- int tagOffset; // position in ciphertext.Array where encrypted data ends
-
- checked
- {
- keyModifierOffset = plaintext.Offset + (int)preBufferSize;
- nonceOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
- encryptedDataOffset = nonceOffset + NONCE_SIZE_IN_BYTES;
- tagOffset = encryptedDataOffset + plaintext.Count;
- }
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
+
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return ciphertext;
+ }
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
- // Randomly generate the key modifier and nonce
+ public int GetEncryptedSize(int plainTextLength)
+ {
+ // A buffer to hold the key modifier, nonce, encrypted data, and tag.
+ // In GCM, the encrypted output will be the same length as the plaintext input.
+ return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plainTextLength + TAG_SIZE_IN_BYTES));
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plaintext, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
+
+ try
+ {
+ // Generate random key modifier and nonce
var keyModifier = _genRandom.GenRandom(KEY_MODIFIER_SIZE_IN_BYTES);
var nonceBytes = _genRandom.GenRandom(NONCE_SIZE_IN_BYTES);
- Buffer.BlockCopy(keyModifier, 0, retVal, (int)preBufferSize, keyModifier.Length);
- Buffer.BlockCopy(nonceBytes, 0, retVal, (int)preBufferSize + keyModifier.Length, nonceBytes.Length);
+ // KeyModifier and nonce to destination
+ keyModifier.CopyTo(destination.Slice(bytesWritten, KEY_MODIFIER_SIZE_IN_BYTES));
+ bytesWritten += KEY_MODIFIER_SIZE_IN_BYTES;
+ nonceBytes.CopyTo(destination.Slice(bytesWritten, NONCE_SIZE_IN_BYTES));
+ bytesWritten += NONCE_SIZE_IN_BYTES;
- // At this point, retVal := { preBuffer | keyModifier | nonce | _____ | _____ | postBuffer }
+ // At this point, destination := { keyModifier | nonce | _____ | _____ }
// Use the KDF to generate a new symmetric block cipher key
// We'll need a temporary buffer to hold the symmetric encryption subkey
- var decryptedKdk = new byte[_keyDerivationKey.Length];
- var derivedKey = new byte[_derivedkeySizeInBytes];
- fixed (byte* __unused__1 = decryptedKdk)
+ Span decryptedKdk = _keyDerivationKey.Length <= 256
+ ? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
+ : new byte[_keyDerivationKey.Length];
+ var derivedKey = _derivedkeySizeInBytes <= 256
+ ? stackalloc byte[256].Slice(0, _derivedkeySizeInBytes)
+ : new byte[_derivedkeySizeInBytes];
+
+ fixed (byte* decryptedKdkUnsafe = decryptedKdk)
fixed (byte* __unused__2 = derivedKey)
{
try
{
- _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment(decryptedKdk));
+ _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
kdk: decryptedKdk,
label: additionalAuthenticatedData,
@@ -191,22 +243,25 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
operationSubkey: derivedKey,
validationSubkey: Span.Empty /* filling in derivedKey only */ );
- // do gcm
- var nonce = new Span(retVal, nonceOffset, NONCE_SIZE_IN_BYTES);
- var tag = new Span(retVal, tagOffset, TAG_SIZE_IN_BYTES);
- var encrypted = new Span(retVal, encryptedDataOffset, plaintext.Count);
+ // Perform GCM encryption. Destination buffer expected structure:
+ // { keyModifier | nonce | encryptedData | authenticationTag }
+ var nonce = destination.Slice(KEY_MODIFIER_SIZE_IN_BYTES, NONCE_SIZE_IN_BYTES);
+ var encrypted = destination.Slice(bytesWritten, plaintext.Length);
+ var tag = destination.Slice(bytesWritten + plaintext.Length, TAG_SIZE_IN_BYTES);
+
using var aes = new AesGcm(derivedKey, TAG_SIZE_IN_BYTES);
aes.Encrypt(nonce, plaintext, encrypted, tag);
- // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer }
+ // At this point, destination := { keyModifier | nonce | encryptedData | authenticationTag }
// And we're done!
- return retVal;
+ bytesWritten += plaintext.Length + TAG_SIZE_IN_BYTES;
+ return true;
}
finally
{
// delete since these contain secret material
- Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
- Array.Clear(derivedKey, 0, derivedKey.Length);
+ decryptedKdk.Clear();
+ derivedKey.Clear();
}
}
}
@@ -217,9 +272,6 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
}
}
- public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
- => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
-
public void Dispose()
{
_keyDerivationKey.Dispose();
diff --git a/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
index e11e3862b53e..017c638521f8 100644
--- a/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
+++ b/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
@@ -18,6 +18,9 @@ namespace Microsoft.AspNetCore.DataProtection.Managed;
// The payloads produced by this encryptor should be compatible with the payloads
// produced by the CNG-based Encrypt(CBC) + HMAC authenticated encryptor.
internal sealed unsafe class ManagedAuthenticatedEncryptor : IAuthenticatedEncryptor, IDisposable
+#if NET10_0_OR_GREATER
+ , ISpanAuthenticatedEncryptor
+#endif
{
// Even when IVs are chosen randomly, CBC is susceptible to IV collisions within a single
// key. For a 64-bit block cipher (like 3DES), we'd expect a collision after 2^32 block
@@ -69,155 +72,62 @@ public ManagedAuthenticatedEncryptor(Secret keyDerivationKey, Func();
- var EMPTY_ARRAY_SEGMENT = new ArraySegment(EMPTY_ARRAY);
-
- var retVal = new byte[checked(
- 1 /* KDF alg */
- + 1 /* chaining mode */
- + sizeof(uint) /* sym alg key size */
- + sizeof(uint) /* sym alg block size */
- + sizeof(uint) /* hmac alg key size */
- + sizeof(uint) /* hmac alg digest size */
- + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */
- + _validationAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)];
-
- var idx = 0;
-
- // First is the two-byte header
- retVal[idx++] = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
- retVal[idx++] = 0; // 0x00 = CBC encryption + HMAC authentication
-
- // Next is information about the symmetric algorithm (key size followed by block size)
- BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmSubkeyLengthInBytes);
- BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmBlockSizeInBytes);
-
- // Next is information about the keyed hash algorithm (key size followed by digest size)
- BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmSubkeyLengthInBytes);
- BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmDigestLengthInBytes);
-
- // See the design document for an explanation of the following code.
- var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _validationAlgorithmSubkeyLengthInBytes];
- ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
- kdk: EMPTY_ARRAY,
- label: EMPTY_ARRAY_SEGMENT,
- contextHeader: EMPTY_ARRAY_SEGMENT,
- contextData: EMPTY_ARRAY_SEGMENT,
- operationSubkey: tempKeys.AsSpan(0, _symmetricAlgorithmSubkeyLengthInBytes),
- validationSubkey: tempKeys.AsSpan(_symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes));
-
- // At this point, tempKeys := { K_E || K_H }.
-
- // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer.
- using (var symmetricAlg = CreateSymmetricAlgorithm())
- {
- using (var cryptoTransform = symmetricAlg.CreateEncryptor(
- rgbKey: new ArraySegment(tempKeys, 0, _symmetricAlgorithmSubkeyLengthInBytes).AsStandaloneArray(),
- rgbIV: new byte[_symmetricAlgorithmBlockSizeInBytes]))
- {
- var ciphertext = cryptoTransform.TransformFinalBlock(EMPTY_ARRAY, 0, 0);
- CryptoUtil.Assert(ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes, "ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes");
- Buffer.BlockCopy(ciphertext, 0, retVal, idx, ciphertext.Length);
- }
- }
-
- idx += _symmetricAlgorithmBlockSizeInBytes;
-
- // MAC a zero-length input string and copy the digest to the return buffer.
- using (var hashAlg = CreateValidationAlgorithm(new ArraySegment(tempKeys, _symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes).AsStandaloneArray()))
+ // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
+ if (cipherTextLength < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
{
- var digest = hashAlg.ComputeHash(EMPTY_ARRAY);
- CryptoUtil.Assert(digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes, "digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes");
- Buffer.BlockCopy(digest, 0, retVal, idx, digest.Length);
+ throw Error.CryptCommon_PayloadInvalid();
}
- idx += _validationAlgorithmDigestLengthInBytes;
- CryptoUtil.Assert(idx == retVal.Length, "idx == retVal.Length");
-
- // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || macAlgKeySize || macAlgDigestSize || E("") || MAC("") }.
- return retVal;
- }
-
- private SymmetricAlgorithm CreateSymmetricAlgorithm()
- {
- var retVal = _symmetricAlgorithmFactory();
- CryptoUtil.Assert(retVal != null, "retVal != null");
-
- retVal.Mode = CipherMode.CBC;
- retVal.Padding = PaddingMode.PKCS7;
-
- return retVal;
- }
-
- private KeyedHashAlgorithm CreateValidationAlgorithm(byte[]? key = null)
- {
- var retVal = _validationAlgorithmFactory();
- CryptoUtil.Assert(retVal != null, "retVal != null");
-
- if (key is not null)
- {
- retVal.Key = key;
- }
- return retVal;
+ // For CBC mode with padding, the decrypted size is at most the encrypted data size
+ // We return an over-estimation since we can't know the exact padding without decrypting
+ return checked(cipherTextLength - (KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes));
}
- public byte[] Decrypt(ArraySegment protectedPayload, ArraySegment additionalAuthenticatedData)
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
{
- // Assumption: protectedPayload := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) }
- protectedPayload.Validate();
- additionalAuthenticatedData.Validate();
-
- // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
- if (protectedPayload.Count < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
- {
- throw Error.CryptCommon_PayloadInvalid();
- }
+ bytesWritten = 0;
try
{
- // Step 1: Extract the key modifier and IV from the payload.
- int keyModifierOffset; // position in protectedPayload.Array where key modifier begins
- int ivOffset; // position in protectedPayload.Array where key modifier ends / IV begins
- int ciphertextOffset; // position in protectedPayload.Array where IV ends / ciphertext begins
- int macOffset; // position in protectedPayload.Array where ciphertext ends / MAC begins
- int eofOffset; // position in protectedPayload.Array where MAC ends
+ // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
+ if (cipherText.Length < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
+ {
+ throw Error.CryptCommon_PayloadInvalid();
+ }
- checked
+ // Calculate the maximum possible plaintext size and check destination buffer
+ var estimatedDecryptedSize = GetDecryptedSize(cipherText.Length);
+ if (destination.Length < estimatedDecryptedSize)
{
- keyModifierOffset = protectedPayload.Offset;
- ivOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
- ciphertextOffset = ivOffset + _symmetricAlgorithmBlockSizeInBytes;
+ return false;
}
- ReadOnlySpan keyModifier = protectedPayload.Array!.AsSpan(keyModifierOffset, ivOffset - keyModifierOffset);
+ // Calculate offsets in the cipherText
+ var keyModifierOffset = 0;
+ var ivOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
+ var ciphertextOffset = ivOffset + _symmetricAlgorithmBlockSizeInBytes;
+ var macOffset = cipherText.Length - _validationAlgorithmDigestLengthInBytes;
- // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys.
-#if NET10_0_OR_GREATER
+ // Extract spans for each component
+ var keyModifier = cipherText.Slice(keyModifierOffset, KEY_MODIFIER_SIZE_IN_BYTES);
+
+ // Decrypt the KDK and use it to restore the original encryption and MAC keys
Span decryptedKdk = _keyDerivationKey.Length <= 256
? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
: new byte[_keyDerivationKey.Length];
-#else
- var decryptedKdk = new byte[_keyDerivationKey.Length];
-#endif
byte[]? validationSubkeyArray = null;
var validationSubkey = _validationAlgorithmSubkeyLengthInBytes <= 128
? stackalloc byte[128].Slice(0, _validationAlgorithmSubkeyLengthInBytes)
: (validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes]);
-#if NET10_0_OR_GREATER
- Span decryptionSubkey =
- _symmetricAlgorithmSubkeyLengthInBytes <= 128
+ Span decryptionSubkey = _symmetricAlgorithmSubkeyLengthInBytes <= 128
? stackalloc byte[128].Slice(0, _symmetricAlgorithmSubkeyLengthInBytes)
- : new byte[_symmetricAlgorithmBlockSizeInBytes];
-#else
- byte[] decryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
-#endif
+ : new byte[_symmetricAlgorithmSubkeyLengthInBytes];
- // calling "fixed" is basically pinning the array, meaning the GC won't move it around. (Also for safety concerns)
- // note: it is safe to call `fixed` on null - it is just a no-op
fixed (byte* decryptedKdkUnsafe = decryptedKdk)
fixed (byte* __unused__2 = decryptionSubkey)
fixed (byte* __unused__3 = validationSubkeyArray)
@@ -233,57 +143,35 @@ public byte[] Decrypt(ArraySegment protectedPayload, ArraySegment ad
operationSubkey: decryptionSubkey,
validationSubkey: validationSubkey);
- // Step 3: Calculate the correct MAC for this payload.
- // correctHash := MAC(IV || ciphertext)
- checked
+ // Validate the MAC provided as part of the payload
+ var ivAndCiphertextSpan = cipherText.Slice(ivOffset, macOffset - ivOffset);
+ var providedMac = cipherText.Slice(macOffset, _validationAlgorithmDigestLengthInBytes);
+
+ if (!ValidateMac(ivAndCiphertextSpan, providedMac, validationSubkey, validationSubkeyArray))
{
- eofOffset = protectedPayload.Offset + protectedPayload.Count;
- macOffset = eofOffset - _validationAlgorithmDigestLengthInBytes;
+ throw Error.CryptCommon_PayloadInvalid();
}
- // Step 4: Validate the MAC provided as part of the payload.
- CalculateAndValidateMac(protectedPayload.Array!, ivOffset, macOffset, eofOffset, validationSubkey, validationSubkeyArray);
-
- // Step 5: Decipher the ciphertext and return it to the caller.
-#if NET10_0_OR_GREATER
- using var symmetricAlgorithm = CreateSymmetricAlgorithm();
- symmetricAlgorithm.SetKey(decryptionSubkey); // setKey is a single-shot usage of symmetricAlgorithm. Not allocatey
-
- // note: here protectedPayload.Array is taken without an offset (can't use AsSpan() on ArraySegment)
- var ciphertext = protectedPayload.Array.AsSpan(ciphertextOffset, macOffset - ciphertextOffset);
- var iv = protectedPayload.Array.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes);
+ // If the integrity check succeeded, decrypt the payload directly into destination
+ var ciphertextSpan = cipherText.Slice(ciphertextOffset, macOffset - ciphertextOffset);
+ var iv = cipherText.Slice(ivOffset, _symmetricAlgorithmBlockSizeInBytes);
- // symmetricAlgorithm is created with CBC mode (see CreateSymmetricAlgorithm())
- return symmetricAlgorithm.DecryptCbc(ciphertext, iv);
-#else
- var iv = protectedPayload.Array!.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes).ToArray();
- using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
- using (var cryptoTransform = symmetricAlgorithm.CreateDecryptor(decryptionSubkey, iv))
- {
- var outputStream = new MemoryStream();
- using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
- {
- cryptoStream.Write(protectedPayload.Array!, ciphertextOffset, macOffset - ciphertextOffset);
- cryptoStream.FlushFinalBlock();
+ using var symmetricAlgorithm = CreateSymmetricAlgorithm();
+ symmetricAlgorithm.SetKey(decryptionSubkey);
- // At this point, outputStream := { plaintext }, and we're done!
- return outputStream.ToArray();
- }
- }
-#endif
+ // Decrypt directly into destination
+ var actualDecryptedBytes = symmetricAlgorithm.DecryptCbc(ciphertextSpan, iv, destination);
+ bytesWritten = actualDecryptedBytes;
+ return true;
}
finally
{
// delete since these contain secret material
validationSubkey.Clear();
-#if NET10_0_OR_GREATER
decryptedKdk.Clear();
decryptionSubkey.Clear();
-#else
- Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
-#endif
}
}
}
@@ -294,58 +182,45 @@ public byte[] Decrypt(ArraySegment protectedPayload, ArraySegment ad
}
}
- public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ public int GetEncryptedSize(int plainTextLength)
{
- plaintext.Validate();
- additionalAuthenticatedData.Validate();
- var plainTextSpan = plaintext.AsSpan();
+ var symmetricAlgorithm = CreateSymmetricAlgorithm();
+ var cipherTextLength = symmetricAlgorithm.GetCiphertextLengthCbc(plainTextLength);
+ return KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes /* IV */ + cipherTextLength + _validationAlgorithmDigestLengthInBytes /* MAC */;
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plainText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
try
{
var keyModifierLength = KEY_MODIFIER_SIZE_IN_BYTES;
var ivLength = _symmetricAlgorithmBlockSizeInBytes;
-#if NET10_0_OR_GREATER
Span decryptedKdk = _keyDerivationKey.Length <= 256
? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
: new byte[_keyDerivationKey.Length];
-#else
- var decryptedKdk = new byte[_keyDerivationKey.Length];
-#endif
-#if NET10_0_OR_GREATER
byte[]? validationSubkeyArray = null;
Span validationSubkey = _validationAlgorithmSubkeyLengthInBytes <= 128
? stackalloc byte[128].Slice(0, _validationAlgorithmSubkeyLengthInBytes)
: (validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes]);
-#else
- var validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes];
- var validationSubkey = validationSubkeyArray.AsSpan();
-#endif
-#if NET10_0_OR_GREATER
Span encryptionSubkey = _symmetricAlgorithmSubkeyLengthInBytes <= 128
? stackalloc byte[128].Slice(0, _symmetricAlgorithmSubkeyLengthInBytes)
: new byte[_symmetricAlgorithmSubkeyLengthInBytes];
-#else
- byte[] encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
-#endif
fixed (byte* decryptedKdkUnsafe = decryptedKdk)
fixed (byte* __unused__1 = encryptionSubkey)
fixed (byte* __unused__2 = validationSubkeyArray)
{
// Step 1: Generate a random key modifier and IV for this operation.
- // Both will be equal to the block size of the block cipher algorithm.
-#if NET10_0_OR_GREATER
Span keyModifier = keyModifierLength <= 128
? stackalloc byte[128].Slice(0, keyModifierLength)
: new byte[keyModifierLength];
_genRandom.GenRandom(keyModifier);
-#else
- var keyModifier = _genRandom.GenRandom(keyModifierLength);
-#endif
try
{
@@ -359,61 +234,34 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
operationSubkey: encryptionSubkey,
validationSubkey: validationSubkey);
-#if NET10_0_OR_GREATER
- // idea of optimization here is firstly get all the types preset
- // for calculating length of the output array and allocating it.
- // then we are filling it with the data directly, without any additional copying
-
using var symmetricAlgorithm = CreateSymmetricAlgorithm();
- symmetricAlgorithm.SetKey(encryptionSubkey); // setKey is a single-shot usage of symmetricAlgorithm. Not allocatey
+ symmetricAlgorithm.SetKey(encryptionSubkey);
using var validationAlgorithm = CreateValidationAlgorithm();
- // Later framework has an API to pre-calculate optimal length of the ciphertext.
- // That means we can avoid allocating more data than we need.
-
- var cipherTextLength = symmetricAlgorithm.GetCiphertextLengthCbc(plainTextSpan.Length); // CBC because symmetricAlgorithm is created with CBC mode
+ // Calculate ciphertext length for CBC mode
+ var cipherTextLength = symmetricAlgorithm.GetCiphertextLengthCbc(plainText.Length);
var macLength = _validationAlgorithmDigestLengthInBytes;
- // allocating an array of a specific required length
- var outputArray = new byte[keyModifierLength + ivLength + cipherTextLength + macLength];
- var outputSpan = outputArray.AsSpan();
-#else
- var outputStream = new MemoryStream();
-#endif
-
-#if NET10_0_OR_GREATER
- // Step 2: Copy the key modifier to the output stream (part of a header)
- keyModifier.CopyTo(outputSpan.Slice(start: 0, length: keyModifierLength));
+ // Step 3: Copy the key modifier to the destination
+ keyModifier.CopyTo(destination.Slice(bytesWritten, keyModifierLength));
+ bytesWritten += keyModifierLength;
- // Step 3: Generate IV for this operation right into the output stream (no allocation)
- // key modifier and IV together act as a header.
- var iv = outputSpan.Slice(start: keyModifierLength, length: ivLength);
+ // Step 4: Generate IV directly into the destination
+ var iv = destination.Slice(bytesWritten, ivLength);
_genRandom.GenRandom(iv);
-#else
- // Step 2: Copy the key modifier and the IV to the output stream since they'll act as a header.
- outputStream.Write(keyModifier, 0, keyModifier.Length);
-
- // Step 3: Generate IV for this operation right into the result array
- var iv = _genRandom.GenRandom(_symmetricAlgorithmBlockSizeInBytes);
- outputStream.Write(iv, 0, iv.Length);
-#endif
-
-#if NET10_0_OR_GREATER
- // Step 4: Perform the encryption operation.
- // encrypting plaintext into the target array directly
- symmetricAlgorithm.EncryptCbc(plainTextSpan, iv, outputSpan.Slice(start: keyModifierLength + ivLength, length: cipherTextLength));
-
- // At this point, outputStream := { keyModifier || IV || ciphertext }
+ bytesWritten += ivLength;
- // Step 5: Calculate the digest over the IV and ciphertext.
- // We don't need to calculate the digest over the key modifier since that
- // value has already been mixed into the KDF used to generate the MAC key.
+ // Step 5: Perform the encryption operation
+ var ciphertextDestination = destination.Slice(bytesWritten, cipherTextLength);
+ symmetricAlgorithm.EncryptCbc(plainText, iv, ciphertextDestination);
+ bytesWritten += cipherTextLength;
- var ivAndCipherTextSpan = outputSpan.Slice(start: keyModifierLength, length: ivLength + cipherTextLength);
- var macDestinationSpan = outputSpan.Slice(keyModifierLength + ivLength + cipherTextLength, macLength);
+ // Step 6: Calculate the digest over the IV and ciphertext
+ var ivAndCipherTextSpan = destination.Slice(keyModifierLength, ivLength + cipherTextLength);
+ var macDestinationSpan = destination.Slice(bytesWritten, macLength);
- // if we can use an optimized method for specific algorithm - we use it (no extra alloc for subKey)
+ // Use optimized method for specific algorithms when possible
if (validationAlgorithm is HMACSHA256)
{
HMACSHA256.HashData(key: validationSubkey, source: ivAndCipherTextSpan, destination: macDestinationSpan);
@@ -425,49 +273,19 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
else
{
validationAlgorithm.Key = validationSubkeyArray ?? validationSubkey.ToArray();
- validationAlgorithm.TryComputeHash(source: ivAndCipherTextSpan, destination: macDestinationSpan, bytesWritten: out _);
- }
-
- // At this point, outputArray := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
- return outputArray;
-#else
- // Step 4: Perform the encryption operation.
- using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
- using (var cryptoTransform = symmetricAlgorithm.CreateEncryptor(encryptionSubkey, iv))
- using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
- {
- cryptoStream.Write(plaintext.Array!, plaintext.Offset, plaintext.Count);
- cryptoStream.FlushFinalBlock();
-
- // At this point, outputStream := { keyModifier || IV || ciphertext }
-
- // Step 5: Calculate the digest over the IV and ciphertext.
- // We don't need to calculate the digest over the key modifier since that
- // value has already been mixed into the KDF used to generate the MAC key.
- using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkeyArray))
+ if (!validationAlgorithm.TryComputeHash(source: ivAndCipherTextSpan, destination: macDestinationSpan, out _))
{
- // As an optimization, avoid duplicating the underlying buffer
- var underlyingBuffer = outputStream.GetBuffer();
-
- var mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES));
- outputStream.Write(mac, 0, mac.Length);
-
- // At this point, outputStream := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
- // And we're done!
- return outputStream.ToArray();
+ return false;
}
}
-#endif
+ bytesWritten += macLength;
+
+ return true;
}
finally
{
-#if NET10_0_OR_GREATER
keyModifier.Clear();
decryptedKdk.Clear();
-#else
- Array.Clear(keyModifier, 0, keyModifierLength);
- Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
-#endif
}
}
}
@@ -477,49 +295,164 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
throw Error.CryptCommon_GenericError(ex);
}
}
+#endif
- private void CalculateAndValidateMac(
- byte[] payloadArray,
- int ivOffset, int macOffset, int eofOffset, // offsets to slice the payload array
- ReadOnlySpan validationSubkey,
- byte[]? validationSubkeyArray)
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
{
- using var validationAlgorithm = CreateValidationAlgorithm();
- var hashSize = validationAlgorithm.GetDigestSizeInBytes();
-
- byte[]? correctHashArray = null;
+ plaintext.Validate();
+ additionalAuthenticatedData.Validate();
+ var plainTextSpan = plaintext.AsSpan();
+
+#if NET10_0_OR_GREATER
+ var size = GetEncryptedSize(plainTextSpan.Length);
+ var retVal = new byte[size];
+
+ if (!TryEncrypt(plainTextSpan, additionalAuthenticatedData, retVal, out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
+
+ return retVal;
+#else
+ try
+ {
+ var keyModifierLength = KEY_MODIFIER_SIZE_IN_BYTES;
+ var ivLength = _symmetricAlgorithmBlockSizeInBytes;
+
+ var decryptedKdk = new byte[_keyDerivationKey.Length];
+ var validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes];
+ var validationSubkey = validationSubkeyArray.AsSpan();
+ byte[] encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+
+ fixed (byte* decryptedKdkUnsafe = decryptedKdk)
+ fixed (byte* __unused__1 = encryptionSubkey)
+ fixed (byte* __unused__2 = validationSubkeyArray)
+ {
+ // Step 1: Generate a random key modifier and IV for this operation.
+ // Both will be equal to the block size of the block cipher algorithm.
+ var keyModifier = _genRandom.GenRandom(keyModifierLength);
+
+ try
+ {
+ // Step 2: Decrypt the KDK, and use it to generate new encryption and HMAC keys.
+ _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
+ ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
+ kdk: decryptedKdk,
+ label: additionalAuthenticatedData,
+ contextHeader: _contextHeader,
+ contextData: keyModifier,
+ operationSubkey: encryptionSubkey,
+ validationSubkey: validationSubkey);
+
+ var outputStream = new MemoryStream();
+
+ // Step 2: Copy the key modifier and the IV to the output stream since they'll act as a header.
+ outputStream.Write(keyModifier, 0, keyModifier.Length);
+
+ // Step 3: Generate IV for this operation right into the result array
+ var iv = _genRandom.GenRandom(_symmetricAlgorithmBlockSizeInBytes);
+ outputStream.Write(iv, 0, iv.Length);
+
+ // Step 4: Perform the encryption operation.
+ using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
+ using (var cryptoTransform = symmetricAlgorithm.CreateEncryptor(encryptionSubkey, iv))
+ using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
+ {
+ cryptoStream.Write(plaintext.Array!, plaintext.Offset, plaintext.Count);
+ cryptoStream.FlushFinalBlock();
+
+ // At this point, outputStream := { keyModifier || IV || ciphertext }
+
+ // Step 5: Calculate the digest over the IV and ciphertext.
+ // We don't need to calculate the digest over the key modifier since that
+ // value has already been mixed into the KDF used to generate the MAC key.
+ using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkeyArray))
+ {
+ // As an optimization, avoid duplicating the underlying buffer
+ var underlyingBuffer = outputStream.GetBuffer();
+
+ var mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES));
+ outputStream.Write(mac, 0, mac.Length);
+
+ // At this point, outputStream := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
+ // And we're done!
+ return outputStream.ToArray();
+ }
+ }
+ }
+ finally
+ {
+ Array.Clear(keyModifier, 0, keyModifierLength);
+ Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
+ }
+ }
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // Homogenize all exceptions to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
+ }
+#endif
+ }
+
+#if NET10_0_OR_GREATER
+ private bool ValidateMac(ReadOnlySpan dataToValidate, ReadOnlySpan providedMac, ReadOnlySpan validationSubkey, byte[]? validationSubkeyArray)
+ {
+ using var validationAlgorithm = CreateValidationAlgorithm();
+ var hashSize = validationAlgorithm.GetDigestSizeInBytes();
+
+ byte[]? correctHashArray = null;
Span correctHash = hashSize <= 128
? stackalloc byte[128].Slice(0, hashSize)
: (correctHashArray = new byte[hashSize]);
try
{
-#if NET10_0_OR_GREATER
- var hashSource = payloadArray!.AsSpan(ivOffset, macOffset - ivOffset);
-
int bytesWritten;
if (validationAlgorithm is HMACSHA256)
{
- bytesWritten = HMACSHA256.HashData(key: validationSubkey, source: hashSource, destination: correctHash);
+ bytesWritten = HMACSHA256.HashData(key: validationSubkey, source: dataToValidate, destination: correctHash);
}
else if (validationAlgorithm is HMACSHA512)
{
- bytesWritten = HMACSHA512.HashData(key: validationSubkey, source: hashSource, destination: correctHash);
+ bytesWritten = HMACSHA512.HashData(key: validationSubkey, source: dataToValidate, destination: correctHash);
}
else
{
// if validationSubkey is stackalloc'ed, there is no way we avoid an alloc here
validationAlgorithm.Key = validationSubkeyArray ?? validationSubkey.ToArray();
- var success = validationAlgorithm.TryComputeHash(hashSource, correctHash, out bytesWritten);
+ var success = validationAlgorithm.TryComputeHash(dataToValidate, correctHash, out bytesWritten);
Debug.Assert(success);
}
-
Debug.Assert(bytesWritten == hashSize);
+
+ return CryptoUtil.TimeConstantBuffersAreEqual(correctHash, providedMac);
+ }
+ finally
+ {
+ correctHash.Clear();
+ }
+ }
#else
+ private void CalculateAndValidateMac(
+ byte[] payloadArray,
+ int ivOffset, int macOffset, int eofOffset, // offsets to slice the payload array
+ ReadOnlySpan validationSubkey,
+ byte[]? validationSubkeyArray)
+ {
+ using var validationAlgorithm = CreateValidationAlgorithm();
+ var hashSize = validationAlgorithm.GetDigestSizeInBytes();
+
+ byte[]? correctHashArray = null;
+ Span correctHash = hashSize <= 128
+ ? stackalloc byte[128].Slice(0, hashSize)
+ : (correctHashArray = new byte[hashSize]);
+
+ try
+ {
// if validationSubkey is stackalloc'ed, there is no way we avoid an alloc here
validationAlgorithm.Key = validationSubkeyArray ?? validationSubkey.ToArray();
correctHashArray = validationAlgorithm.ComputeHash(payloadArray, macOffset, eofOffset - macOffset);
-#endif
// Step 4: Validate the MAC provided as part of the payload.
var payloadMacSpan = payloadArray!.AsSpan(macOffset, eofOffset - macOffset);
@@ -533,6 +466,241 @@ private void CalculateAndValidateMac(
correctHash.Clear();
}
}
+#endif
+
+ public byte[] Decrypt(ArraySegment protectedPayload, ArraySegment additionalAuthenticatedData)
+ {
+ // Assumption: protectedPayload := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) }
+ protectedPayload.Validate();
+ additionalAuthenticatedData.Validate();
+
+ // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
+ if (protectedPayload.Count < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
+ {
+ throw Error.CryptCommon_PayloadInvalid();
+ }
+
+ try
+ {
+ // Step 1: Extract the key modifier and IV from the payload.
+ int keyModifierOffset; // position in protectedPayload.Array where key modifier begins
+ int ivOffset; // position in protectedPayload.Array where key modifier ends / IV begins
+ int ciphertextOffset; // position in protectedPayload.Array where IV ends / ciphertext begins
+ int macOffset; // position in protectedPayload.Array where ciphertext ends / MAC begins
+ int eofOffset; // position in protectedPayload.Array where MAC ends
+
+ checked
+ {
+ keyModifierOffset = protectedPayload.Offset;
+ ivOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
+ ciphertextOffset = ivOffset + _symmetricAlgorithmBlockSizeInBytes;
+ }
+
+ ReadOnlySpan keyModifier = protectedPayload.Array!.AsSpan(keyModifierOffset, ivOffset - keyModifierOffset);
+
+ // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys.
+#if NET10_0_OR_GREATER
+ Span decryptedKdk = _keyDerivationKey.Length <= 256
+ ? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
+ : new byte[_keyDerivationKey.Length];
+#else
+ var decryptedKdk = new byte[_keyDerivationKey.Length];
+#endif
+
+ byte[]? validationSubkeyArray = null;
+ var validationSubkey = _validationAlgorithmSubkeyLengthInBytes <= 128
+ ? stackalloc byte[128].Slice(0, _validationAlgorithmSubkeyLengthInBytes)
+ : (validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes]);
+
+#if NET10_0_OR_GREATER
+ Span decryptionSubkey =
+ _symmetricAlgorithmSubkeyLengthInBytes <= 128
+ ? stackalloc byte[128].Slice(0, _symmetricAlgorithmSubkeyLengthInBytes)
+ : new byte[_symmetricAlgorithmBlockSizeInBytes];
+#else
+ byte[] decryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+#endif
+
+ // calling "fixed" is basically pinning the array, meaning the GC won't move it around. (Also for safety concerns)
+ // note: it is safe to call `fixed` on null - it is just a no-op
+ fixed (byte* decryptedKdkUnsafe = decryptedKdk)
+ fixed (byte* __unused__2 = decryptionSubkey)
+ fixed (byte* __unused__3 = validationSubkeyArray)
+ {
+ try
+ {
+ _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
+ ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
+ kdk: decryptedKdk,
+ label: additionalAuthenticatedData,
+ contextHeader: _contextHeader,
+ contextData: keyModifier,
+ operationSubkey: decryptionSubkey,
+ validationSubkey: validationSubkey);
+
+ // Step 3: Calculate the correct MAC for this payload.
+ // correctHash := MAC(IV || ciphertext)
+ checked
+ {
+ eofOffset = protectedPayload.Offset + protectedPayload.Count;
+ macOffset = eofOffset - _validationAlgorithmDigestLengthInBytes;
+ }
+
+ // Step 4: Validate the MAC provided as part of the payload.
+#if NET10_0_OR_GREATER
+ var ivAndCiphertextSpan = protectedPayload.Slice(ivOffset, macOffset - ivOffset);
+ var providedMac = protectedPayload.Slice(macOffset, _validationAlgorithmDigestLengthInBytes);
+ if (!ValidateMac(ivAndCiphertextSpan, providedMac, validationSubkey, validationSubkeyArray))
+ {
+ throw Error.CryptCommon_PayloadInvalid();
+ }
+#else
+ CalculateAndValidateMac(protectedPayload.Array!, ivOffset, macOffset, eofOffset, validationSubkey, validationSubkeyArray);
+#endif
+
+ // Step 5: Decipher the ciphertext and return it to the caller.
+#if NET10_0_OR_GREATER
+ using var symmetricAlgorithm = CreateSymmetricAlgorithm();
+ symmetricAlgorithm.SetKey(decryptionSubkey); // setKey is a single-shot usage of symmetricAlgorithm. Not allocatey
+
+ // note: here protectedPayload.Array is taken without an offset (can't use AsSpan() on ArraySegment)
+ var ciphertext = protectedPayload.Array.AsSpan(ciphertextOffset, macOffset - ciphertextOffset);
+ var iv = protectedPayload.Array.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes);
+
+ // symmetricAlgorithm is created with CBC mode (see CreateSymmetricAlgorithm())
+ return symmetricAlgorithm.DecryptCbc(ciphertext, iv);
+#else
+ var iv = protectedPayload.Array!.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes).ToArray();
+
+ using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
+ using (var cryptoTransform = symmetricAlgorithm.CreateDecryptor(decryptionSubkey, iv))
+ {
+ var outputStream = new MemoryStream();
+ using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
+ {
+ cryptoStream.Write(protectedPayload.Array!, ciphertextOffset, macOffset - ciphertextOffset);
+ cryptoStream.FlushFinalBlock();
+
+ // At this point, outputStream := { plaintext }, and we're done!
+ return outputStream.ToArray();
+ }
+ }
+#endif
+ }
+ finally
+ {
+ // delete since these contain secret material
+ validationSubkey.Clear();
+
+#if NET10_0_OR_GREATER
+ decryptedKdk.Clear();
+ decryptionSubkey.Clear();
+#else
+ Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
+#endif
+ }
+ }
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // Homogenize all exceptions to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
+ }
+ }
+
+ private byte[] CreateContextHeader()
+ {
+ var EMPTY_ARRAY = Array.Empty();
+ var EMPTY_ARRAY_SEGMENT = new ArraySegment(EMPTY_ARRAY);
+
+ var retVal = new byte[checked(
+ 1 /* KDF alg */
+ + 1 /* chaining mode */
+ + sizeof(uint) /* sym alg key size */
+ + sizeof(uint) /* sym alg block size */
+ + sizeof(uint) /* hmac alg key size */
+ + sizeof(uint) /* hmac alg digest size */
+ + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */
+ + _validationAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)];
+
+ var idx = 0;
+
+ // First is the two-byte header
+ retVal[idx++] = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
+ retVal[idx++] = 0; // 0x00 = CBC encryption + HMAC authentication
+
+ // Next is information about the symmetric algorithm (key size followed by block size)
+ BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmBlockSizeInBytes);
+
+ // Next is information about the keyed hash algorithm (key size followed by digest size)
+ BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmDigestLengthInBytes);
+
+ // See the design document for an explanation of the following code.
+ var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _validationAlgorithmSubkeyLengthInBytes];
+ ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
+ kdk: EMPTY_ARRAY,
+ label: EMPTY_ARRAY_SEGMENT,
+ contextHeader: EMPTY_ARRAY_SEGMENT,
+ contextData: EMPTY_ARRAY_SEGMENT,
+ operationSubkey: tempKeys.AsSpan(0, _symmetricAlgorithmSubkeyLengthInBytes),
+ validationSubkey: tempKeys.AsSpan(_symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes));
+
+ // At this point, tempKeys := { K_E || K_H }.
+
+ // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer.
+ using (var symmetricAlg = CreateSymmetricAlgorithm())
+ {
+ using (var cryptoTransform = symmetricAlg.CreateEncryptor(
+ rgbKey: new ArraySegment(tempKeys, 0, _symmetricAlgorithmSubkeyLengthInBytes).AsStandaloneArray(),
+ rgbIV: new byte[_symmetricAlgorithmBlockSizeInBytes]))
+ {
+ var ciphertext = cryptoTransform.TransformFinalBlock(EMPTY_ARRAY, 0, 0);
+ CryptoUtil.Assert(ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes, "ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes");
+ Buffer.BlockCopy(ciphertext, 0, retVal, idx, ciphertext.Length);
+ }
+ }
+
+ idx += _symmetricAlgorithmBlockSizeInBytes;
+
+ // MAC a zero-length input string and copy the digest to the return buffer.
+ using (var hashAlg = CreateValidationAlgorithm(new ArraySegment(tempKeys, _symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes).AsStandaloneArray()))
+ {
+ var digest = hashAlg.ComputeHash(EMPTY_ARRAY);
+ CryptoUtil.Assert(digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes, "digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes");
+ Buffer.BlockCopy(digest, 0, retVal, idx, digest.Length);
+ }
+
+ idx += _validationAlgorithmDigestLengthInBytes;
+ CryptoUtil.Assert(idx == retVal.Length, "idx == retVal.Length");
+
+ // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || macAlgKeySize || macAlgDigestSize || E("") || MAC("") }.
+ return retVal;
+ }
+
+ private SymmetricAlgorithm CreateSymmetricAlgorithm()
+ {
+ var retVal = _symmetricAlgorithmFactory();
+ CryptoUtil.Assert(retVal != null, "retVal != null");
+
+ retVal.Mode = CipherMode.CBC;
+ retVal.Padding = PaddingMode.PKCS7;
+
+ return retVal;
+ }
+
+ private KeyedHashAlgorithm CreateValidationAlgorithm(byte[]? key = null)
+ {
+ var retVal = _validationAlgorithmFactory();
+ CryptoUtil.Assert(retVal != null, "retVal != null");
+
+ if (key is not null)
+ {
+ retVal.Key = key;
+ }
+ return retVal;
+ }
public void Dispose()
{
diff --git a/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt b/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..884daed93d57 100644
--- a/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt
+++ b/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt
@@ -1 +1,4 @@
#nullable enable
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ISpanAuthenticatedEncryptor
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ISpanAuthenticatedEncryptor.GetEncryptedSize(int plainTextLength) -> int
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ISpanAuthenticatedEncryptor.TryEncrypt(System.ReadOnlySpan plaintext, System.ReadOnlySpan additionalAuthenticatedData, System.Span destination, out int bytesWritten) -> bool
diff --git a/src/DataProtection/DataProtection/src/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/DataProtection/DataProtection/src/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
index cd20c176b67a..31c64b6a18af 100644
--- a/src/DataProtection/DataProtection/src/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
+++ b/src/DataProtection/DataProtection/src/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
@@ -1,6 +1,7 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System.Runtime.CompilerServices;
using Microsoft.AspNetCore.Cryptography;
namespace Microsoft.AspNetCore.DataProtection.SP800_108;
@@ -24,9 +25,9 @@ public static void DeriveKeyWithContextHeader(this ISP800_108_CTR_HMACSHA512Prov
fixed (byte* pbContextHeader = contextHeader)
{
- UnsafeBufferUtil.BlockCopy(from: pbContextHeader, to: pbCombinedContext, byteCount: contextHeader.Length);
+ Unsafe.CopyBlock(pbCombinedContext, pbContextHeader, (uint)contextHeader.Length);
}
- UnsafeBufferUtil.BlockCopy(from: pbContext, to: &pbCombinedContext[contextHeader.Length], byteCount: cbContext);
+ Unsafe.CopyBlock(&pbCombinedContext[contextHeader.Length], pbContext, cbContext);
// At this point, combinedContext := { contextHeader || context }
provider.DeriveKey(pbLabel, cbLabel, pbCombinedContext, cbCombinedContext, pbDerivedKey, cbDerivedKey);
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Aes/AesAuthenticatedEncryptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Aes/AesAuthenticatedEncryptorTests.cs
new file mode 100644
index 000000000000..458205fe40c9
--- /dev/null
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Aes/AesAuthenticatedEncryptorTests.cs
@@ -0,0 +1,27 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.Managed;
+using Microsoft.AspNetCore.DataProtection.Tests.Internal;
+
+namespace Microsoft.AspNetCore.DataProtection.Tests.Aes;
+public class AesAuthenticatedEncryptorTests
+{
+ [Theory]
+ [InlineData(128)]
+ [InlineData(192)]
+ [InlineData(256)]
+ public void Roundtrip_AesGcm_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits)
+ {
+ Secret kdk = new Secret(new byte[512 / 8]);
+ IAuthenticatedEncryptor encryptor = new AesGcmAuthenticatedEncryptor(kdk, derivedKeySizeInBytes: symmetricKeySizeBits / 8);
+ ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext"));
+ ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad"));
+
+ RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);
+ }
+}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
index e8131de80b71..f0f812c42917 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
@@ -39,13 +39,13 @@ public void CreateAuthenticatedEncryptor_RoundTripsData_CngCbcImplementation(Enc
symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC,
symmetricAlgorithmKeySizeInBytes: (uint)(keyLengthInBits / 8),
hmacAlgorithmHandle: BCryptAlgorithmHandle.OpenAlgorithmHandle(hashAlgorithm, hmac: true));
- var test = CreateEncryptorInstanceFromDescriptor(CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey));
+ var encryptor = CreateEncryptorInstanceFromDescriptor(CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey));
// Act & assert - data round trips properly from control to test
byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 };
byte[] aad = new byte[] { 2, 4, 6, 8, 0 };
byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad));
- byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad));
+ byte[] roundTripPlaintext = encryptor.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad));
Assert.Equal(plaintext, roundTripPlaintext);
}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CbcAuthenticatedEncryptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CbcAuthenticatedEncryptorTests.cs
index ef8a921f2bae..fde038e4b423 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CbcAuthenticatedEncryptorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CbcAuthenticatedEncryptorTests.cs
@@ -1,10 +1,14 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System.Buffers;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Cryptography.Cng;
+using Microsoft.AspNetCore.Cryptography.SafeHandles;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.DataProtection.Tests.Internal;
using Microsoft.AspNetCore.InternalTesting;
namespace Microsoft.AspNetCore.DataProtection.Cng;
@@ -113,4 +117,37 @@ public void Encrypt_KnownKey()
string retValAsString = Convert.ToBase64String(retVal);
Assert.Equal("AAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh+36j4yWJOjBgOJxmYDYwhLnYqFxw+9mNh/cudyPrWmJmw4d/dmGaLJLLut2udiAAAAAAAA", retValAsString);
}
+
+ [ConditionalTheory]
+ [ConditionalRunTestOnlyOnWindows]
+ [InlineData(128, "SHA256", "")]
+ [InlineData(128, "SHA256", "This is a small text")]
+ [InlineData(128, "SHA256", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(192, "SHA256", "")]
+ [InlineData(192, "SHA256", "This is a small text")]
+ [InlineData(192, "SHA256", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(256, "SHA256", "")]
+ [InlineData(256, "SHA256", "This is a small text")]
+ [InlineData(256, "SHA256", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(128, "SHA512", "")]
+ [InlineData(128, "SHA512", "This is a small text")]
+ [InlineData(128, "SHA512", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(192, "SHA512", "")]
+ [InlineData(192, "SHA512", "This is a small text")]
+ [InlineData(192, "SHA512", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(256, "SHA512", "")]
+ [InlineData(256, "SHA512", "This is a small text")]
+ [InlineData(256, "SHA512", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ public void Roundtrip_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits, string hmacAlgorithm, string plainText)
+ {
+ Secret kdk = new Secret(new byte[512 / 8]);
+ IAuthenticatedEncryptor encryptor = new CbcAuthenticatedEncryptor(kdk,
+ symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC,
+ symmetricAlgorithmKeySizeInBytes: (uint)(symmetricKeySizeBits / 8),
+ hmacAlgorithmHandle: BCryptAlgorithmHandle.OpenAlgorithmHandle(hmacAlgorithm, hmac: true));
+ ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes(plainText));
+ ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad"));
+
+ RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);
+ }
}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CngAuthenticatedEncryptorBaseTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CngAuthenticatedEncryptorBaseTests.cs
deleted file mode 100644
index 8357894f8a01..000000000000
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CngAuthenticatedEncryptorBaseTests.cs
+++ /dev/null
@@ -1,105 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using Moq;
-
-namespace Microsoft.AspNetCore.DataProtection.Cng.Internal;
-
-public unsafe class CngAuthenticatedEncryptorBaseTests
-{
- [Fact]
- public void Decrypt_ForwardsArraySegment()
- {
- // Arrange
- var ciphertext = new ArraySegment(new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04 }, 3, 2);
- var aad = new ArraySegment(new byte[] { 0x10, 0x11, 0x12, 0x13, 0x14 }, 1, 4);
-
- var encryptorMock = new Mock();
- encryptorMock
- .Setup(o => o.DecryptHook(It.IsAny(), 2, It.IsAny(), 4))
- .Returns((IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) =>
- {
- // ensure that pointers started at the right place
- Assert.Equal((byte)0x03, *(byte*)pbCiphertext);
- Assert.Equal((byte)0x11, *(byte*)pbAdditionalAuthenticatedData);
- return new byte[] { 0x20, 0x21, 0x22 };
- });
-
- // Act
- var retVal = encryptorMock.Object.Decrypt(ciphertext, aad);
-
- // Assert
- Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal);
- }
-
- [Fact]
- public void Decrypt_HandlesEmptyAADPointerFixup()
- {
- // Arrange
- var ciphertext = new ArraySegment(new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04 }, 3, 2);
- var aad = new ArraySegment(new byte[0]);
-
- var encryptorMock = new Mock();
- encryptorMock
- .Setup(o => o.DecryptHook(It.IsAny(), 2, It.IsAny(), 0))
- .Returns((IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) =>
- {
- // ensure that pointers started at the right place
- Assert.Equal((byte)0x03, *(byte*)pbCiphertext);
- Assert.NotEqual(IntPtr.Zero, pbAdditionalAuthenticatedData); // CNG will complain if this pointer is zero
- return new byte[] { 0x20, 0x21, 0x22 };
- });
-
- // Act
- var retVal = encryptorMock.Object.Decrypt(ciphertext, aad);
-
- // Assert
- Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal);
- }
-
- [Fact]
- public void Decrypt_HandlesEmptyCiphertextPointerFixup()
- {
- // Arrange
- var ciphertext = new ArraySegment(new byte[0]);
- var aad = new ArraySegment(new byte[] { 0x10, 0x11, 0x12, 0x13, 0x14 }, 1, 4);
-
- var encryptorMock = new Mock();
- encryptorMock
- .Setup(o => o.DecryptHook(It.IsAny(), 0, It.IsAny(), 4))
- .Returns((IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) =>
- {
- // ensure that pointers started at the right place
- Assert.NotEqual(IntPtr.Zero, pbCiphertext); // CNG will complain if this pointer is zero
- Assert.Equal((byte)0x11, *(byte*)pbAdditionalAuthenticatedData);
- return new byte[] { 0x20, 0x21, 0x22 };
- });
-
- // Act
- var retVal = encryptorMock.Object.Decrypt(ciphertext, aad);
-
- // Assert
- Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal);
- }
-
- internal abstract class MockableEncryptor : CngAuthenticatedEncryptorBase
- {
- public override void Dispose()
- {
- }
-
- public abstract byte[] DecryptHook(IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData);
-
- protected sealed override unsafe byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
- {
- return DecryptHook((IntPtr)pbCiphertext, cbCiphertext, (IntPtr)pbAdditionalAuthenticatedData, cbAdditionalAuthenticatedData);
- }
-
- public abstract byte[] EncryptHook(IntPtr pbPlaintext, uint cbPlaintext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer);
-
- protected sealed override unsafe byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer)
- {
- return EncryptHook((IntPtr)pbPlaintext, cbPlaintext, (IntPtr)pbAdditionalAuthenticatedData, cbAdditionalAuthenticatedData, cbPreBuffer, cbPostBuffer);
- }
- }
-}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/GcmAuthenticatedEncryptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/GcmAuthenticatedEncryptorTests.cs
index 15b8a2fd1bb1..5c9ff8124149 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/GcmAuthenticatedEncryptorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/GcmAuthenticatedEncryptorTests.cs
@@ -4,7 +4,10 @@
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Cryptography.Cng;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.Managed;
using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.DataProtection.Tests.Internal;
using Microsoft.AspNetCore.InternalTesting;
namespace Microsoft.AspNetCore.DataProtection.Cng;
@@ -102,4 +105,21 @@ public void Encrypt_KnownKey()
string retValAsString = Convert.ToBase64String(retVal);
Assert.Equal("AAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaG0O2kY0NZtmh2UQtXY5B2jlgnOgAAAAA", retValAsString);
}
+
+ [ConditionalTheory]
+ [ConditionalRunTestOnlyOnWindows]
+ [InlineData(128)]
+ [InlineData(192)]
+ [InlineData(256)]
+ public void Roundtrip_CngGcm_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits)
+ {
+ Secret kdk = new Secret(new byte[512 / 8]);
+ IAuthenticatedEncryptor encryptor = new CngGcmAuthenticatedEncryptor(kdk,
+ symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_GCM,
+ symmetricAlgorithmKeySizeInBytes: (uint)(symmetricKeySizeBits / 8));
+ ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext"));
+ ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad"));
+
+ RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);
+ }
}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs
new file mode 100644
index 000000000000..dfd8688318f8
--- /dev/null
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs
@@ -0,0 +1,73 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Buffers;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Text;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+
+namespace Microsoft.AspNetCore.DataProtection.Tests.Internal;
+
+internal static class RoundtripEncryptionHelpers
+{
+ ///
+ /// and APIs should do the same steps
+ /// as and APIs.
+ ///
+ /// Method ensures that the two APIs are equivalent in terms of their behavior by performing a roundtrip encrypt-decrypt test.
+ ///
+ public static void AssertTryEncryptTryDecryptParity(IAuthenticatedEncryptor encryptor, ArraySegment plaintext, ArraySegment aad)
+ {
+ var spanAuthenticatedEncryptor = encryptor as ISpanAuthenticatedEncryptor;
+ Debug.Assert(spanAuthenticatedEncryptor != null, "ISpanDataProtector is not supported by the encryptor");
+
+ // assert "allocatey" Encrypt/Decrypt APIs roundtrip correctly
+ byte[] ciphertext = encryptor.Encrypt(plaintext, aad);
+ byte[] decipheredtext = encryptor.Decrypt(new ArraySegment(ciphertext), aad);
+ Assert.Equal(plaintext.AsSpan(), decipheredtext.AsSpan());
+
+ // assert calculated sizes are correct
+ var expectedEncryptedSize = spanAuthenticatedEncryptor.GetEncryptedSize(plaintext.Count);
+ Assert.Equal(expectedEncryptedSize, ciphertext.Length);
+ var expectedDecryptedSize = spanAuthenticatedEncryptor.GetDecryptedSize(ciphertext.Length);
+
+ // note: for decryption we cant know for sure how many bytes will be written.
+ // so we cant assert equality, but we can check if expected decrypted size is greater or equal than original deciphered text
+ Assert.True(expectedDecryptedSize >= decipheredtext.Length);
+
+ // perform TryEncrypt and Decrypt roundtrip - ensures cross operation compatibility
+ var cipherTextPooled = ArrayPool.Shared.Rent(expectedEncryptedSize);
+ try
+ {
+ var tryEncryptResult = spanAuthenticatedEncryptor.TryEncrypt(plaintext, aad, cipherTextPooled, out var bytesWritten);
+ Assert.Equal(expectedEncryptedSize, bytesWritten);
+ Assert.True(tryEncryptResult);
+
+ var decipheredTryEncrypt = spanAuthenticatedEncryptor.Decrypt(new ArraySegment(cipherTextPooled, 0, expectedEncryptedSize), aad);
+ Assert.Equal(plaintext.AsSpan(), decipheredTryEncrypt.AsSpan());
+ }
+ finally
+ {
+ ArrayPool.Shared.Return(cipherTextPooled);
+ }
+
+ // perform Encrypt and TryDecrypt roundtrip - ensures cross operation compatibility
+ var plainTextPooled = ArrayPool.Shared.Rent(expectedDecryptedSize);
+ try
+ {
+ var encrypted = spanAuthenticatedEncryptor.Encrypt(plaintext, aad);
+ var decipheredTryDecrypt = spanAuthenticatedEncryptor.TryDecrypt(encrypted, aad, plainTextPooled, out var bytesWritten);
+ Assert.Equal(plaintext.AsSpan(), plainTextPooled.AsSpan(0, bytesWritten));
+ Assert.True(decipheredTryDecrypt);
+
+ // now we should know that bytesWritten is STRICTLY equal to the deciphered text
+ Assert.Equal(decipheredtext.Length, bytesWritten);
+ }
+ finally
+ {
+ ArrayPool.Shared.Return(plainTextPooled);
+ }
+ }
+}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs
index 1a17c3b44215..013d10953ee5 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs
@@ -1,12 +1,16 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System.Buffers.Binary;
+using System.Diagnostics;
using System.Globalization;
using System.Net;
+using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.DataProtection.Managed;
using Microsoft.AspNetCore.InternalTesting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
@@ -619,6 +623,121 @@ public void CreateProtector_ChainsPurposes()
Assert.Equal(expectedProtectedData, retVal);
}
+ [Theory]
+ [InlineData("", EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("small", EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("This is a medium length plaintext message", EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly", EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("small", EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("This is a medium length plaintext message", EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA512)]
+ [InlineData("small", EncryptionAlgorithm.AES_128_GCM, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("This is a medium length plaintext message", EncryptionAlgorithm.AES_256_GCM, ValidationAlgorithm.HMACSHA256)]
+ public void GetProtectedSize_TryProtect_CorrectlyEstimatesDataLength_MultipleScenarios(string plaintextStr, EncryptionAlgorithm encryptionAlgorithm, ValidationAlgorithm validationAlgorithm)
+ {
+ // Arrange
+ byte[] plaintext = Encoding.UTF8.GetBytes(plaintextStr);
+ var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
+
+ // Create a configuration for the specified encryption and validation algorithms
+ var configuration = new AuthenticatedEncryptorConfiguration
+ {
+ EncryptionAlgorithm = encryptionAlgorithm,
+ ValidationAlgorithm = validationAlgorithm
+ };
+
+ Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, configuration.CreateNewDescriptor(), new[] { encryptorFactory });
+ var keyRing = new KeyRing(key, new[] { key });
+ var mockKeyRingProvider = new Mock();
+ mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);
+
+ var protector = new KeyRingBasedSpanDataProtector(
+ keyRingProvider: mockKeyRingProvider.Object,
+ logger: GetLogger(),
+ originalPurposes: null,
+ newPurpose: "purpose");
+
+ // Act - get estimated size
+ var estimatedSize = protector.GetProtectedSize(plaintext);
+ Assert.True(estimatedSize != 0);
+
+ // verify simple protect works
+ var protectedData = protector.Protect(plaintext);
+
+ // Act - allocate buffer and try protect
+ byte[] destination = new byte[estimatedSize];
+ bool success = protector.TryProtect(plaintext, destination, out int bytesWritten);
+
+ // Assert
+ Assert.True(success, $"TryProtect should succeed with estimated buffer size for {encryptionAlgorithm}");
+ Assert.Equal(estimatedSize, bytesWritten);
+ Assert.True(bytesWritten > 0, "Should write some bytes");
+ Assert.True(bytesWritten >= plaintext.Length, "Protected data should be at least as large as plaintext");
+
+ // Verify the protected data can be unprotected to get original plaintext
+ byte[] actualDestination = new byte[bytesWritten];
+ Array.Copy(destination, actualDestination, bytesWritten);
+ byte[] unprotectedData = protector.Unprotect(actualDestination);
+ Assert.Equal(plaintext, unprotectedData);
+
+ // Additional verification: test with regular Protect method to ensure consistency
+ byte[] protectedDataRegular = protector.Protect(plaintext);
+ Assert.Equal(estimatedSize, protectedDataRegular.Length);
+ byte[] unprotectedDataRegular = protector.Unprotect(protectedDataRegular);
+ Assert.Equal(plaintext, unprotectedDataRegular);
+ }
+
+ [Theory]
+ [InlineData(16)] // 16 bytes
+ [InlineData(32)] // 32 bytes
+ [InlineData(64)] // 64 bytes
+ [InlineData(128)] // 128 bytes
+ [InlineData(256)] // 256 bytes
+ [InlineData(512)] // 512 bytes
+ [InlineData(1024)] // 1 KB
+ [InlineData(4096)] // 4 KB
+ public void GetProtectedSize_TryProtect_VariousPlaintextSizes(int plaintextSize)
+ {
+ // Arrange
+ byte[] plaintext = new byte[plaintextSize];
+ // Fill with a pattern to make debugging easier if needed
+ for (int i = 0; i < plaintextSize; i++)
+ {
+ plaintext[i] = (byte)(i % 256);
+ }
+
+ var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
+ Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration().CreateNewDescriptor(), new[] { encryptorFactory });
+ var keyRing = new KeyRing(key, new[] { key });
+ var mockKeyRingProvider = new Mock();
+ mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);
+
+ var protector = new KeyRingBasedSpanDataProtector(
+ keyRingProvider: mockKeyRingProvider.Object,
+ logger: GetLogger(),
+ originalPurposes: null,
+ newPurpose: "purpose");
+
+ // Act - get estimated size
+ var estimatedSize = protector.GetProtectedSize(plaintext);
+ Assert.True(estimatedSize != 0);
+
+ // Act - allocate buffer and try protect
+ byte[] destination = new byte[estimatedSize];
+ bool success = protector.TryProtect(plaintext, destination, out int bytesWritten);
+
+ // Assert
+ Assert.True(success, $"TryProtect should succeed with estimated buffer size for {plaintextSize} byte plaintext");
+ Assert.Equal(estimatedSize, bytesWritten);
+ Assert.True(bytesWritten > 0, "Should write some bytes");
+ Assert.True(bytesWritten >= plaintext.Length, "Protected data should be at least as large as plaintext");
+
+ // Verify the protected data can be unprotected to get original plaintext
+ byte[] actualDestination = new byte[bytesWritten];
+ Array.Copy(destination, actualDestination, bytesWritten);
+ byte[] unprotectedData = protector.Unprotect(actualDestination);
+ Assert.Equal(plaintext, unprotectedData);
+ }
+
private static byte[] BuildAadFromPurposeStrings(Guid keyId, params string[] purposes)
{
var expectedAad = new byte[] { 0x09, 0xF0, 0xC9, 0xF0 } // magic header
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Managed/ManagedAuthenticatedEncryptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Managed/ManagedAuthenticatedEncryptorTests.cs
index e49a4ef4cfa8..deaa07a244bc 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Managed/ManagedAuthenticatedEncryptorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Managed/ManagedAuthenticatedEncryptorTests.cs
@@ -1,8 +1,11 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System.Buffers;
using System.Security.Cryptography;
using System.Text;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.Tests.Internal;
namespace Microsoft.AspNetCore.DataProtection.Managed;
@@ -103,4 +106,33 @@ public void Encrypt_KnownKey()
string retValAsString = Convert.ToBase64String(retVal);
Assert.Equal("AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh+36j4yWJOjBgOJxmYDYwhLnYqFxw+9mNh/cudyPrWmJmw4d/dmGaLJLLut2udiAAA=", retValAsString);
}
+
+ [Theory]
+ [InlineData(128, "SHA256")]
+ [InlineData(192, "SHA256")]
+ [InlineData(256, "SHA256")]
+ [InlineData(128, "SHA512")]
+ [InlineData(192, "SHA512")]
+ [InlineData(256, "SHA512")]
+ public void Roundtrip_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits, string hmacAlgorithm)
+ {
+ Secret kdk = new Secret(new byte[512 / 8]);
+
+ Func validationAlgorithmFactory = hmacAlgorithm switch
+ {
+ "SHA256" => () => new HMACSHA256(),
+ "SHA512" => () => new HMACSHA512(),
+ _ => throw new ArgumentException($"Unsupported HMAC algorithm: {hmacAlgorithm}")
+ };
+
+ IAuthenticatedEncryptor encryptor = new ManagedAuthenticatedEncryptor(kdk,
+ symmetricAlgorithmFactory: Aes.Create,
+ symmetricAlgorithmKeySizeInBytes: symmetricKeySizeBits / 8,
+ validationAlgorithmFactory: validationAlgorithmFactory);
+
+ ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext"));
+ ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad"));
+
+ RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);
+ }
}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Microsoft.AspNetCore.DataProtection.Tests.csproj b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Microsoft.AspNetCore.DataProtection.Tests.csproj
index ca7b11a50c55..22cad1bc2158 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Microsoft.AspNetCore.DataProtection.Tests.csproj
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Microsoft.AspNetCore.DataProtection.Tests.csproj
@@ -1,4 +1,4 @@
-
+
$(DefaultNetCoreTargetFramework)
diff --git a/src/DataProtection/Extensions/src/BitHelpers.cs b/src/DataProtection/Extensions/src/BitHelpers.cs
index 0a204c4db846..7ecad57e9aa3 100644
--- a/src/DataProtection/Extensions/src/BitHelpers.cs
+++ b/src/DataProtection/Extensions/src/BitHelpers.cs
@@ -1,6 +1,8 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System;
+
namespace Microsoft.AspNetCore.DataProtection;
internal static class BitHelpers
@@ -36,4 +38,20 @@ public static void WriteUInt64(byte[] buffer, int offset, ulong value)
buffer[offset + 6] = (byte)(value >> 8);
buffer[offset + 7] = (byte)(value);
}
+
+ ///
+ /// Writes an unsigned 64-bit integer to starting at
+ /// offset . Data is written big-endian.
+ ///
+ public static void WriteUInt64(Span buffer, int offset, ulong value)
+ {
+ buffer[offset + 0] = (byte)(value >> 56);
+ buffer[offset + 1] = (byte)(value >> 48);
+ buffer[offset + 2] = (byte)(value >> 40);
+ buffer[offset + 3] = (byte)(value >> 32);
+ buffer[offset + 4] = (byte)(value >> 24);
+ buffer[offset + 5] = (byte)(value >> 16);
+ buffer[offset + 6] = (byte)(value >> 8);
+ buffer[offset + 7] = (byte)(value);
+ }
}
diff --git a/src/DataProtection/Extensions/src/DataProtectionAdvancedExtensions.cs b/src/DataProtection/Extensions/src/DataProtectionAdvancedExtensions.cs
index 2b318cd1e8db..4440972c3f38 100644
--- a/src/DataProtection/Extensions/src/DataProtectionAdvancedExtensions.cs
+++ b/src/DataProtection/Extensions/src/DataProtectionAdvancedExtensions.cs
@@ -96,10 +96,10 @@ public static string Unprotect(this ITimeLimitedDataProtector protector, string
return retVal;
}
- private sealed class TimeLimitedWrappingProtector : IDataProtector
+ private class TimeLimitedWrappingProtector : IDataProtector
{
public DateTimeOffset Expiration;
- private readonly ITimeLimitedDataProtector _innerProtector;
+ protected readonly ITimeLimitedDataProtector _innerProtector;
public TimeLimitedWrappingProtector(ITimeLimitedDataProtector innerProtector)
{
@@ -127,4 +127,23 @@ public byte[] Unprotect(byte[] protectedData)
return _innerProtector.Unprotect(protectedData, out Expiration);
}
}
+
+ private class TimeLimitedWrappingSpanProtector : TimeLimitedWrappingProtector, ISpanDataProtector
+ {
+ public TimeLimitedWrappingSpanProtector(ITimeLimitedDataProtector innerProtector) : base(innerProtector)
+ {
+ }
+
+ public int GetProtectedSize(ReadOnlySpan plainText)
+ {
+ var inner = (ISpanDataProtector)_innerProtector;
+ return inner.GetProtectedSize(plainText);
+ }
+
+ public bool TryProtect(ReadOnlySpan plainText, Span destination, out int bytesWritten)
+ {
+ var inner = (ISpanDataProtector)_innerProtector;
+ return inner.TryProtect(plainText, destination, out bytesWritten);
+ }
+ }
}
diff --git a/src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs b/src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs
index 6cdddd7c88b6..7646af88b6be 100644
--- a/src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs
+++ b/src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs
@@ -2,7 +2,9 @@
// The .NET Foundation licenses this file to you under the MIT license.
using System;
+using System.Buffers;
using System.Diagnostics.CodeAnalysis;
+using System.Linq;
using System.Security.Cryptography;
using System.Threading;
using Microsoft.AspNetCore.DataProtection.Extensions;
@@ -14,12 +16,14 @@ namespace Microsoft.AspNetCore.DataProtection;
/// Wraps an existing and appends a purpose that allows
/// protecting data with a finite lifetime.
///
-internal sealed class TimeLimitedDataProtector : ITimeLimitedDataProtector
+internal class TimeLimitedDataProtector : ITimeLimitedDataProtector
{
private const string MyPurposeString = "Microsoft.AspNetCore.DataProtection.TimeLimitedDataProtector.v1";
- private readonly IDataProtector _innerProtector;
private IDataProtector? _innerProtectorWithTimeLimitedPurpose; // created on-demand
+ protected readonly IDataProtector _innerProtector;
+
+ protected const int ExpirationTimeHeaderSize = 8; // size of the expiration time header in bytes (64-bit UTC tick count)
public TimeLimitedDataProtector(IDataProtector innerProtector)
{
@@ -30,10 +34,16 @@ public ITimeLimitedDataProtector CreateProtector(string purpose)
{
ArgumentNullThrowHelper.ThrowIfNull(purpose);
- return new TimeLimitedDataProtector(_innerProtector.CreateProtector(purpose));
+ var protector = _innerProtector.CreateProtector(purpose);
+ if (protector is ISpanDataProtector spanDataProtector)
+ {
+ return new TimeLimitedSpanDataProtector(spanDataProtector);
+ }
+
+ return new TimeLimitedDataProtector(protector);
}
- private IDataProtector GetInnerProtectorWithTimeLimitedPurpose()
+ protected IDataProtector GetInnerProtectorWithTimeLimitedPurpose()
{
// thread-safe lazy init pattern with multi-execution and single publication
var retVal = Volatile.Read(ref _innerProtectorWithTimeLimitedPurpose);
@@ -50,9 +60,9 @@ public byte[] Protect(byte[] plaintext, DateTimeOffset expiration)
ArgumentNullThrowHelper.ThrowIfNull(plaintext);
// We prepend the expiration time (as a 64-bit UTC tick count) to the unprotected data.
- byte[] plaintextWithHeader = new byte[checked(8 + plaintext.Length)];
+ byte[] plaintextWithHeader = new byte[checked(ExpirationTimeHeaderSize + plaintext.Length)];
BitHelpers.WriteUInt64(plaintextWithHeader, 0, (ulong)expiration.UtcTicks);
- Buffer.BlockCopy(plaintext, 0, plaintextWithHeader, 8, plaintext.Length);
+ Buffer.BlockCopy(plaintext, 0, plaintextWithHeader, ExpirationTimeHeaderSize, plaintext.Length);
return GetInnerProtectorWithTimeLimitedPurpose().Protect(plaintextWithHeader);
}
@@ -71,7 +81,7 @@ internal byte[] UnprotectCore(byte[] protectedData, DateTimeOffset now, out Date
try
{
byte[] plaintextWithHeader = GetInnerProtectorWithTimeLimitedPurpose().Unprotect(protectedData);
- if (plaintextWithHeader.Length < 8)
+ if (plaintextWithHeader.Length < ExpirationTimeHeaderSize)
{
// header isn't present
throw new CryptographicException(Resources.TimeLimitedDataProtector_PayloadInvalid);
@@ -88,8 +98,8 @@ internal byte[] UnprotectCore(byte[] protectedData, DateTimeOffset now, out Date
}
// Not expired - split and return payload
- byte[] retVal = new byte[plaintextWithHeader.Length - 8];
- Buffer.BlockCopy(plaintextWithHeader, 8, retVal, 0, retVal.Length);
+ byte[] retVal = new byte[plaintextWithHeader.Length - ExpirationTimeHeaderSize];
+ Buffer.BlockCopy(plaintextWithHeader, ExpirationTimeHeaderSize, retVal, 0, retVal.Length);
expiration = embeddedExpiration;
return retVal;
}
diff --git a/src/DataProtection/Extensions/src/TimeLimitedSpanDataProtector.cs b/src/DataProtection/Extensions/src/TimeLimitedSpanDataProtector.cs
new file mode 100644
index 000000000000..db958cefbc93
--- /dev/null
+++ b/src/DataProtection/Extensions/src/TimeLimitedSpanDataProtector.cs
@@ -0,0 +1,61 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Buffers;
+using System.Diagnostics.CodeAnalysis;
+using System.Linq;
+using System.Security.Cryptography;
+using System.Threading;
+using Microsoft.AspNetCore.DataProtection.Extensions;
+using Microsoft.AspNetCore.Shared;
+
+namespace Microsoft.AspNetCore.DataProtection;
+
+///
+/// Wraps an existing and appends a purpose that allows
+/// protecting data with a finite lifetime.
+///
+internal sealed class TimeLimitedSpanDataProtector : TimeLimitedDataProtector, ISpanDataProtector
+{
+ public TimeLimitedSpanDataProtector(ISpanDataProtector innerProtector) : base(innerProtector)
+ {
+ }
+
+ public int GetProtectedSize(ReadOnlySpan plainText)
+ {
+ var dataProtector = (ISpanDataProtector)GetInnerProtectorWithTimeLimitedPurpose();
+ return dataProtector.GetProtectedSize(plainText) + ExpirationTimeHeaderSize;
+ }
+
+ public bool TryProtect(ReadOnlySpan plaintext, Span destination, out int bytesWritten)
+ => TryProtect(plaintext, destination, DateTimeOffset.MaxValue, out bytesWritten);
+
+ public bool TryProtect(ReadOnlySpan plaintext, Span destination, DateTimeOffset expiration, out int bytesWritten)
+ {
+ var innerProtector = (ISpanDataProtector)_innerProtector;
+
+ // we need to prepend the expiration time, so we need to allocate a buffer for the plaintext with header
+ byte[]? plainTextWithHeader = null;
+ try
+ {
+ plainTextWithHeader = ArrayPool.Shared.Rent(plaintext.Length + ExpirationTimeHeaderSize);
+ var plainTextWithHeaderSpan = plainTextWithHeader.AsSpan(0, plaintext.Length + ExpirationTimeHeaderSize);
+
+ // We prepend the expiration time (as a 64-bit UTC tick count) to the unprotected data.
+ BitHelpers.WriteUInt64(plainTextWithHeaderSpan, 0, (ulong)expiration.UtcTicks);
+
+ // and copy the plaintext into the buffer
+ plaintext.CopyTo(plainTextWithHeaderSpan.Slice(ExpirationTimeHeaderSize));
+
+ return innerProtector.TryProtect(plainTextWithHeaderSpan, destination, out bytesWritten);
+ }
+ finally
+ {
+ if (plainTextWithHeader is not null)
+ {
+ ArrayPool.Shared.Return(plainTextWithHeader);
+ }
+ }
+ }
+}
diff --git a/src/DataProtection/samples/KeyManagementSimulator/Program.cs b/src/DataProtection/samples/KeyManagementSimulator/Program.cs
index 44622358227e..d2d428d2d7ca 100644
--- a/src/DataProtection/samples/KeyManagementSimulator/Program.cs
+++ b/src/DataProtection/samples/KeyManagementSimulator/Program.cs
@@ -277,10 +277,27 @@ sealed class MockActivator(IXmlDecryptor decryptor, IAuthenticatedEncryptorDescr
///
/// A mock authenticated encryptor that only applies the identity function (i.e. does nothing).
///
-sealed class MockAuthenticatedEncryptor : IAuthenticatedEncryptor
+sealed class MockAuthenticatedEncryptor : ISpanAuthenticatedEncryptor
{
- byte[] IAuthenticatedEncryptor.Decrypt(ArraySegment ciphertext, ArraySegment _additionalAuthenticatedData) => ciphertext.ToArray();
- byte[] IAuthenticatedEncryptor.Encrypt(ArraySegment plaintext, ArraySegment _additionalAuthenticatedData) => plaintext.ToArray();
+ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment _additionalAuthenticatedData) => ciphertext.ToArray();
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment _additionalAuthenticatedData) => plaintext.ToArray();
+
+ public int GetDecryptedSize(int cipherTextLength) => cipherTextLength;
+ public int GetEncryptedSize(int plainTextLength) => plainTextLength;
+
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ var result = cipherText.TryCopyTo(destination);
+ bytesWritten = destination.Length;
+ return result;
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plainText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ var result = plainText.TryCopyTo(destination);
+ bytesWritten = destination.Length;
+ return result;
+ }
}
///