correct empty plain text scenario

Author: DeagleGross

src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs

@@ -306,7 +306,7 @@ public override int GetEncryptedSize(int plainTextLength)
         return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + paddedCiphertextLength + _hmacAlgorithmDigestLengthInBytes));
     }
 
-    public override bool TryEncrypt(ReadOnlySpan<byte> plainText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
+    public override bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
     {
         bytesWritten = 0;
 
@@ -348,9 +348,11 @@ public override bool TryEncrypt(ReadOnlySpan<byte> plainText, ReadOnlySpan<byte>
                 using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
                 {
                     // Get the padded output size
-                    fixed (byte* pbPlainText = plainText)
+                    byte dummy;
+                    fixed (byte* pbPlaintextArray = plaintext)
                     {
-                        var cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlainText, (uint)plainText.Length);
+                        var pbPlaintext = (pbPlaintextArray != null) ? pbPlaintextArray : &dummy;
+                        var cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlaintext, (uint)plaintext.Length);
 
                         fixed (byte* pbDestination = destination)
                         {
@@ -368,8 +370,8 @@ public override bool TryEncrypt(ReadOnlySpan<byte> plainText, ReadOnlySpan<byte>
                             DoCbcEncrypt(
                                 symmetricKeyHandle: symmetricKeyHandle,
                                 pbIV: pbIV,
-                                pbInput: pbPlainText,
-                                cbInput: (uint)plainText.Length,
+                                pbInput: pbPlaintext,
+                                cbInput: (uint)plaintext.Length,
                                 pbOutput: pbOutputCiphertext,
                                 cbOutput: cbOutputCiphertext);
                             bytesWritten += checked((int)cbOutputCiphertext);

src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs

@@ -239,7 +239,7 @@ public override int GetEncryptedSize(int plainTextLength)
         return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plainTextLength + TAG_SIZE_IN_BYTES));
     }
 
-    public override bool TryEncrypt(ReadOnlySpan<byte> plainText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
+    public override bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
     {
         bytesWritten = 0;
 
@@ -251,7 +251,7 @@ public override bool TryEncrypt(ReadOnlySpan<byte> plainText, ReadOnlySpan<byte>
                 byte* pbKeyModifier = pbDestination;
                 byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
                 byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
-                byte* pbAuthTag = &pbEncryptedData[plainText.Length];
+                byte* pbAuthTag = &pbEncryptedData[plaintext.Length];
 
                 // Randomly generate the key modifier and nonce
                 _genRandom.GenRandom(pbKeyModifier, KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES);
@@ -277,21 +277,24 @@ public override bool TryEncrypt(ReadOnlySpan<byte> plainText, ReadOnlySpan<byte>
                     }
 
                     // Perform the encryption operation
-                    fixed (byte* pbPlainText = plainText)
+                    byte dummy;
+                    fixed (byte* pbPlaintextArray = plaintext)
                     {
+                        var pbPlaintext = (pbPlaintextArray != null) ? pbPlaintextArray : &dummy;
+
                         DoGcmEncrypt(
                             pbKey: pbSymmetricEncryptionSubkey,
                             cbKey: _symmetricAlgorithmSubkeyLengthInBytes,
                             pbNonce: pbNonce,
-                            pbPlaintextData: pbPlainText,
-                            cbPlaintextData: (uint)plainText.Length,
+                            pbPlaintextData: pbPlaintext,
+                            cbPlaintextData: (uint)plaintext.Length,
                             pbEncryptedData: pbEncryptedData,
                             pbTag: pbAuthTag);
                     }
 
                     // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer }
                     // And we're done!
-                    bytesWritten += plainText.Length + checked((int)TAG_SIZE_IN_BYTES);
+                    bytesWritten += plaintext.Length + checked((int)TAG_SIZE_IN_BYTES);
                     return true;
                 }
                 finally

src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CbcAuthenticatedEncryptorTests.cs

@@ -120,20 +120,32 @@ public void Encrypt_KnownKey()
 
     [ConditionalTheory]
     [ConditionalRunTestOnlyOnWindows]
-    [InlineData(128, "SHA256")]
-    [InlineData(192, "SHA256")]
-    [InlineData(256, "SHA256")]
-    [InlineData(128, "SHA512")]
-    [InlineData(192, "SHA512")]
-    [InlineData(256, "SHA512")]
-    public void Roundtrip_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits, string hmacAlgorithm)
+    [InlineData(128, "SHA256", "")]
+    [InlineData(128, "SHA256", "This is a small text")]
+    [InlineData(128, "SHA256", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+    [InlineData(192, "SHA256", "")]
+    [InlineData(192, "SHA256", "This is a small text")]
+    [InlineData(192, "SHA256", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+    [InlineData(256, "SHA256", "")]
+    [InlineData(256, "SHA256", "This is a small text")]
+    [InlineData(256, "SHA256", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+    [InlineData(128, "SHA512", "")]
+    [InlineData(128, "SHA512", "This is a small text")]
+    [InlineData(128, "SHA512", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+    [InlineData(192, "SHA512", "")]
+    [InlineData(192, "SHA512", "This is a small text")]
+    [InlineData(192, "SHA512", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+    [InlineData(256, "SHA512", "")]
+    [InlineData(256, "SHA512", "This is a small text")]
+    [InlineData(256, "SHA512", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+    public void Roundtrip_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits, string hmacAlgorithm, string plainText)
     {
         Secret kdk = new Secret(new byte[512 / 8]);
         IAuthenticatedEncryptor encryptor = new CbcAuthenticatedEncryptor(kdk,
             symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC,
             symmetricAlgorithmKeySizeInBytes: (uint)(symmetricKeySizeBits / 8),
             hmacAlgorithmHandle: BCryptAlgorithmHandle.OpenAlgorithmHandle(hmacAlgorithm, hmac: true));
-        ArraySegment<byte> plaintext = new ArraySegment<byte>(Encoding.UTF8.GetBytes("plaintext"));
+        ArraySegment<byte> plaintext = new ArraySegment<byte>(Encoding.UTF8.GetBytes(plainText));
         ArraySegment<byte> aad = new ArraySegment<byte>(Encoding.UTF8.GetBytes("aad"));
 
         RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);