correctHash as rented

DeagleGross · DeagleGross · commit 2524a15d63c7 · 2024-12-18T19:32:55.000+01:00
diff --git a/src/DataProtection/Cryptography.Internal/src/CryptoUtil.cs b/src/DataProtection/Cryptography.Internal/src/CryptoUtil.cs
@@ -91,6 +91,21 @@ public static bool TimeConstantBuffersAreEqual(byte* bufA, byte* bufB, uint coun
 #endif
     }
 
+#if NET10_0_OR_GREATER
+    [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
+    public static bool TimeConstantBuffersAreEqual(ReadOnlySpan<byte> bufA, ReadOnlySpan<byte> bufB)
+    {
+        // Technically this is an early exit scenario, but it means that the caller did something bizarre.
+        // An error at the call site isn't usable for timing attacks.
+        Assert(bufA.Length == bufB.Length, "bufA.Length == bufB.Length");
+
+        unsafe
+        {
+            return CryptographicOperations.FixedTimeEquals(bufA, bufB);
+        }
+    }
+#endif
+
     [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
     public static bool TimeConstantBuffersAreEqual(byte[] bufA, int offsetA, int countA, byte[] bufB, int offsetB, int countB)
     {
diff --git a/src/DataProtection/DataProtection/src/Internal/DataProtectionPool.cs b/src/DataProtection/DataProtection/src/Internal/DataProtectionPool.cs
@@ -0,0 +1,18 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Buffers;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.DataProtection.Internal;
+internal static class DataProtectionPool
+{
+    private static readonly ArrayPool<byte> _pool = ArrayPool<byte>.Create();
+
+    public static byte[] Rent(int length) => _pool.Rent(length);
+    public static void Return(byte[] array, bool clearArray = false) => _pool.Return(array, clearArray);
+}
diff --git a/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
@@ -8,6 +8,7 @@
 using System.Security.Cryptography;
 using Microsoft.AspNetCore.Cryptography;
 using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.Internal;
 using Microsoft.AspNetCore.DataProtection.SP800_108;
 
 namespace Microsoft.AspNetCore.DataProtection.Managed;
@@ -195,8 +196,10 @@ public byte[] Decrypt(ArraySegment<byte> protectedPayload, ArraySegment<byte> ad
             ReadOnlySpan<byte> keyModifier = protectedPayload.Array!.AsSpan(keyModifierOffset, ivOffset - keyModifierOffset);
 
             // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys.
-            // We pin all unencrypted keys to limit their exposure via GC relocation.
 
+            // The best optimization is to stackalloc. If the size is too big, we would want to rent from the pool,
+            // but we can't due to the HashAlgorithm, ValidationAlgorithm and SymmetricAlgorithm requiring a byte[] instead of a Span<byte>
+            // in the constructor / Key property.
             var decryptedKdk = new byte[_keyDerivationKey.Length];
             var decryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
             var validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes];
@@ -219,16 +222,44 @@ public byte[] Decrypt(ArraySegment<byte> protectedPayload, ArraySegment<byte> ad
 
                     // Step 3: Calculate the correct MAC for this payload.
                     // correctHash := MAC(IV || ciphertext)
-                    byte[] correctHash;
+                    checked
+                    {
+                        eofOffset = protectedPayload.Offset + protectedPayload.Count;
+                        macOffset = eofOffset - _validationAlgorithmDigestLengthInBytes;
+                    }
+#if NET10_0_OR_GREATER
+                    using var hashAlgorithm = CreateValidationAlgorithm(validationSubkey);
+                    var hashSize = hashAlgorithm.GetDigestSizeInBytes();
+
+                    byte[]? correctHashLease = null;
+                    Span<byte> correctHash = hashSize <= 128
+                        ? stackalloc byte[hashSize]
+                        : (correctHashLease = DataProtectionPool.Rent(hashSize)).AsSpan(0, hashSize);
+                    try
+                    {
+                        var hashSource = protectedPayload.Array!.AsSpan(ivOffset, macOffset - ivOffset);
+                        hashAlgorithm.TryComputeHash(hashSource, correctHash, out _);
 
-                    using (var hashAlgorithm = CreateValidationAlgorithm(validationSubkey))
+                        // Step 4: Validate the MAC provided as part of the payload.
+                        var payloadMacPart = protectedPayload.Array!.AsSpan(macOffset, eofOffset - macOffset);
+                        if (!CryptoUtil.TimeConstantBuffersAreEqual(correctHash, payloadMacPart))
+                        {
+                            throw Error.CryptCommon_PayloadInvalid(); // integrity check failure
+                        }
+                    }
+                    finally
                     {
-                        checked
+                        if (correctHashLease is not null)
                         {
-                            eofOffset = protectedPayload.Offset + protectedPayload.Count;
-                            macOffset = eofOffset - _validationAlgorithmDigestLengthInBytes;
+                            // it was not cleaned in previous implementation (var correctHash = new byte[])
+                            DataProtectionPool.Return(correctHashLease, clearArray: false);
                         }
+                    }
+#else
+                    byte[] correctHash;
 
+                    using (var hashAlgorithm = CreateValidationAlgorithm(validationSubkey))
+                    {
                         correctHash = hashAlgorithm.ComputeHash(protectedPayload.Array!, ivOffset, macOffset - ivOffset);
                     }
 
@@ -237,12 +268,13 @@ public byte[] Decrypt(ArraySegment<byte> protectedPayload, ArraySegment<byte> ad
                     {
                         throw Error.CryptCommon_PayloadInvalid(); // integrity check failure
                     }
+#endif
 
                     // Step 5: Decipher the ciphertext and return it to the caller.
 #if NET10_0_OR_GREATER
                     using var symmetricAlgorithm = CreateSymmetricAlgorithm(key: decryptionSubkey);
 
-                    // note: here protectedPayload.Array is taken without an offset (cant use AsSpan() on ArraySegment)
+                    // note: here protectedPayload.Array is taken without an offset (can't use AsSpan() on ArraySegment)
                     var ciphertext = protectedPayload.Array.AsSpan(ciphertextOffset, macOffset - ciphertextOffset);
                     var iv = protectedPayload.Array.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes);
 
