feat: Add support for overlapping output and info buffers in Hkdf.Expand

Author: HMBSbige

src/CryptoBase/KDF/Hkdf.cs

@@ -1,6 +1,7 @@
 using CryptoBase.Abstractions;
 using CryptoBase.Digests;
 using CryptoBase.Macs.Hmac;
+using System.Security.Cryptography;
 
 namespace CryptoBase.KDF;
 
@@ -14,11 +15,6 @@ public static int Extract(DigestType type, ReadOnlySpan<byte> ikm, ReadOnlySpan<
 		int hashLength = HashLength(type);
 		ArgumentOutOfRangeException.ThrowIfLessThan(prk.Length, hashLength, nameof(prk));
 
-		if (prk.Length > hashLength)
-		{
-			prk = prk[..hashLength];
-		}
-
 		ExtractInternal(type, ikm, salt, prk);
 
 		return hashLength;
@@ -38,6 +34,8 @@ public static void Expand(DigestType type, ReadOnlySpan<byte> prk, Span<byte> ou
 
 		ArgumentOutOfRangeException.ThrowIfZero(output.Length, nameof(output));
 
+		ArgumentOutOfRangeException.ThrowIfLessThan(prk.Length, hashLength, nameof(prk));
+
 		int maxOkmLength = 255 * hashLength;
 		ArgumentOutOfRangeException.ThrowIfGreaterThan(output.Length, maxOkmLength, nameof(output));
 
@@ -46,46 +44,68 @@ public static void Expand(DigestType type, ReadOnlySpan<byte> prk, Span<byte> ou
 
 	private static void ExpandInternal(DigestType type, int hashLength, ReadOnlySpan<byte> prk, Span<byte> output, ReadOnlySpan<byte> info)
 	{
-		ArgumentOutOfRangeException.ThrowIfLessThan(prk.Length, hashLength, nameof(prk));
-
-		if (output.Overlaps(info))
-		{
-			throw new InvalidOperationException(@"the info input overlaps with the output destination");
-		}
-
-		Span<byte> counterSpan = stackalloc byte[1];
-		ref byte counter = ref counterSpan[0];
+		byte counter = 0;
+		Span<byte> counterSpan = new(ref counter);
 		Span<byte> t = Span<byte>.Empty;
 		Span<byte> remainingOutput = output;
 
-		using IMac hmac = HmacUtils.Create(type, prk);
+		const int maxStackInfoBuffer = 64;
+		Span<byte> tempInfoBuffer = stackalloc byte[maxStackInfoBuffer];
+		scoped ReadOnlySpan<byte> infoBuffer;
+		byte[]? rentedTempInfoBuffer = null;
 
-		for (int i = 1; ; ++i)
+		if (output.Overlaps(info))
 		{
-			hmac.Update(t);
-			hmac.Update(info);
-			counter = (byte)i;
-			hmac.Update(counterSpan);
-
-			if (remainingOutput.Length >= hashLength)
+			if (info.Length > maxStackInfoBuffer)
 			{
-				t = remainingOutput[..hashLength];
-				remainingOutput = remainingOutput[hashLength..];
-				hmac.GetMac(t);
+				rentedTempInfoBuffer = ArrayPool<byte>.Shared.Rent(info.Length);
+				tempInfoBuffer = rentedTempInfoBuffer;
 			}
-			else
+
+			tempInfoBuffer = tempInfoBuffer.Slice(0, info.Length);
+			info.CopyTo(tempInfoBuffer);
+			infoBuffer = tempInfoBuffer;
+		}
+		else
+		{
+			infoBuffer = info;
+		}
+
+		using (IMac hmac = HmacUtils.Create(type, prk))
+		{
+			for (int i = 1; ; ++i)
 			{
-				if (remainingOutput.Length > 0)
+				hmac.Update(t);
+				hmac.Update(infoBuffer);
+				counter = (byte)i;
+				hmac.Update(counterSpan);
+
+				if (remainingOutput.Length >= hashLength)
 				{
-					// ReSharper disable once StackAllocInsideLoop
-					Span<byte> lastChunk = stackalloc byte[hashLength];
-					hmac.GetMac(lastChunk);
-					lastChunk[..remainingOutput.Length].CopyTo(remainingOutput);
+					t = remainingOutput.Slice(0, hashLength);
+					remainingOutput = remainingOutput.Slice(hashLength);
+					hmac.GetMac(t);
+				}
+				else
+				{
+					if (remainingOutput.Length > 0)
+					{
+						// ReSharper disable once StackAllocInsideLoop
+						Span<byte> lastChunk = stackalloc byte[hashLength];
+						hmac.GetMac(lastChunk);
+						lastChunk.Slice(0, remainingOutput.Length).CopyTo(remainingOutput);
+					}
+
+					break;
 				}
-
-				break;
 			}
 		}
+
+		if (rentedTempInfoBuffer is not null)
+		{
+			CryptographicOperations.ZeroMemory(rentedTempInfoBuffer.AsSpan(0, info.Length));
+			ArrayPool<byte>.Shared.Return(rentedTempInfoBuffer);
+		}
 	}
 
 	public static void DeriveKey(DigestType type, ReadOnlySpan<byte> ikm, Span<byte> output, ReadOnlySpan<byte> salt, ReadOnlySpan<byte> info)
@@ -97,10 +117,16 @@ public static void DeriveKey(DigestType type, ReadOnlySpan<byte> ikm, Span<byte>
 		int maxOkmLength = 255 * hashLength;
 		ArgumentOutOfRangeException.ThrowIfGreaterThan(output.Length, maxOkmLength, nameof(output));
 
+		DeriveKeyInternal(type, hashLength, ikm, output, salt, info);
+	}
+
+	private static void DeriveKeyInternal(DigestType type, int hashLength, ReadOnlySpan<byte> ikm, Span<byte> output, ReadOnlySpan<byte> salt, ReadOnlySpan<byte> info)
+	{
 		Span<byte> prk = stackalloc byte[hashLength];
 
 		ExtractInternal(type, ikm, salt, prk);
 		ExpandInternal(type, hashLength, prk, output, info);
+		CryptographicOperations.ZeroMemory(prk);
 	}
 
 	private static int HashLength(DigestType type)

src/CryptoBase/Macs/Hmac/HmacUtils.cs

@@ -16,7 +16,6 @@ public static IMac Create(ReadOnlySpan<byte> key, HashAlgorithmName name)
 		return new DefaultHmac(key, name);
 	}
 
-	[MethodImpl(MethodImplOptions.AggressiveInlining)]
 	public static IMac Create(DigestType type, ReadOnlySpan<byte> key)
 	{
 		return type switch

test/CryptoBase.Benchmark/HKDFBenchmark.cs

@@ -8,7 +8,7 @@ namespace CryptoBase.Benchmark;
 [MemoryDiagnoser]
 public class HKDFBenchmark
 {
-	[Params(1)]
+	[Params(10)]
 	public int Max { get; set; }
 
 	private byte[] _ikm = null!;
@@ -23,23 +23,25 @@ public void Setup()
 		_info = RandomNumberGenerator.GetBytes(80);
 	}
 
-	[Benchmark]
-	public void Default()
+	[Benchmark(Baseline = true)]
+	public void NET()
 	{
 		Span<byte> output = stackalloc byte[82];
-		for (var i = 0; i < Max; ++i)
+
+		for (int i = 0; i < Max; ++i)
 		{
-			Hkdf.DeriveKey(DigestType.Sha256, _ikm, output, _salt, _info);
+			HKDF.DeriveKey(HashAlgorithmName.SHA256, _ikm, output, _salt, _info);
 		}
 	}
 
-	[Benchmark(Baseline = true)]
-	public void NET()
+	[Benchmark]
+	public void Default()
 	{
 		Span<byte> output = stackalloc byte[82];
-		for (var i = 0; i < Max; ++i)
+
+		for (int i = 0; i < Max; ++i)
 		{
-			HKDF.DeriveKey(HashAlgorithmName.SHA256, _ikm, output, _salt, _info);
+			Hkdf.DeriveKey(DigestType.Sha256, _ikm, output, _salt, _info);
 		}
 	}
 }

test/CryptoBase.Tests/HkdfTest.cs

@@ -20,14 +20,18 @@ public class HkdfTest
 	public void Test(DigestType type, string ikmHex, string saltHex, string infoHex, string prkHex, string okmHex)
 	{
 		Span<byte> prk = stackalloc byte[255];
+		Span<byte> info = infoHex.FromHex();
 
 		int length = Hkdf.Extract(type, ikmHex.FromHex(), saltHex.FromHex(), prk);
-		Assert.Equal(prkHex, prk[..length].ToHex());
+		Assert.Equal(prkHex, prk.Slice(0, length).ToHex());
 
 		Span<byte> okm = stackalloc byte[okmHex.FromHex().Length];
-		Hkdf.Expand(type, prkHex.FromHex(), okm, infoHex.FromHex());
+		Hkdf.Expand(type, prkHex.FromHex(), okm, info);
 		Assert.Equal(okmHex, okm.ToHex());
 
-		Hkdf.DeriveKey(type, ikmHex.FromHex(), okm, saltHex.FromHex(), infoHex.FromHex());
+		Hkdf.DeriveKey(type, ikmHex.FromHex(), okm, saltHex.FromHex(), info);
+
+		info.CopyTo(okm);
+		Hkdf.DeriveKey(type, ikmHex.FromHex(), okm, saltHex.FromHex(), okm.Slice(0, info.Length));
 	}
 }