prfInput and prfOutput rented

DeagleGross · DeagleGross · commit 87d118b7d6d9 · 2024-12-18T17:34:53.000+01:00
diff --git a/src/DataProtection/DataProtection/src/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/DataProtection/DataProtection/src/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
@@ -5,6 +5,7 @@
 using System.Buffers;
 using System.Security.Cryptography;
 using Microsoft.AspNetCore.Cryptography;
+using Microsoft.AspNetCore.DataProtection.Internal;
 using Microsoft.AspNetCore.DataProtection.Managed;
 
 namespace Microsoft.AspNetCore.DataProtection.SP800_108;
@@ -71,67 +72,99 @@ public static void DeriveKeys(
 
         using (var prf = prfFactory(kdk))
         {
-            // See SP800-108, Sec. 5.1 for the format of the input to the PRF routine.
-            var prfInput = new byte[checked(sizeof(uint) /* [i]_2 */ + label.Length + 1 /* 0x00 */ + (contextHeader.Length + contextData.Length) + sizeof(uint) /* [K]_2 */)];
-            //var prfInputLength = checked(sizeof(uint) /* [i]_2 */ + label.Length + 1 /* 0x00 */ + (contextHeader.Length + contextData.Length) + sizeof(uint) /* [K]_2 */);
-            //var prfInput = ArrayPool<byte>.Shared.Rent(prfInputLength);
+            byte[]? prfOutput = null;
 
-            // Copy [L]_2 to prfInput since it's stable over all iterations
-            uint outputSizeInBits = (uint)checked((int)outputCount * 8);
-            prfInput[prfInput.Length - 4] = (byte)(outputSizeInBits >> 24);
-            prfInput[prfInput.Length - 3] = (byte)(outputSizeInBits >> 16);
-            prfInput[prfInput.Length - 2] = (byte)(outputSizeInBits >> 8);
-            prfInput[prfInput.Length - 1] = (byte)(outputSizeInBits);
+            // See SP800-108, Sec. 5.1 for the format of the input to the PRF routine.
+            var prfInputLength = checked(sizeof(uint) /* [i]_2 */ + label.Length + 1 /* 0x00 */ + (contextHeader.Length + contextData.Length) + sizeof(uint) /* [K]_2 */);
 
-            // Copy label and context to prfInput since they're stable over all iterations
-            label.CopyTo(prfInput.AsSpan(sizeof(uint)));
-            contextHeader.CopyTo(prfInput.AsSpan(sizeof(uint) + label.Length + 1));
-            contextData.CopyTo(prfInput.AsSpan(sizeof(uint) + label.Length + 1 + contextHeader.Length));
+#if NET10_0_OR_GREATER
+            byte[]? prfInputLease = null;
+            Span<byte> prfInput = prfInputLength <= 128
+                ? stackalloc byte[prfInputLength]
+                : (prfInputLease = DataProtectionPool.Rent(prfInputLength)).AsSpan(0, prfInputLength);
+#else
+            var prfInputArray = new byte[prfInputLength];
+            var prfInput = prfInputArray.AsSpan();
+#endif
 
-            var prfOutputSizeInBytes = prf.GetDigestSizeInBytes();
-            for (uint i = 1; outputCount > 0; i++)
+            try
             {
-                // Copy [i]_2 to prfInput since it mutates with each iteration
-                prfInput[0] = (byte)(i >> 24);
-                prfInput[1] = (byte)(i >> 16);
-                prfInput[2] = (byte)(i >> 8);
-                prfInput[3] = (byte)(i);
+                // Copy [L]_2 to prfInput since it's stable over all iterations
+                uint outputSizeInBits = (uint)checked((int)outputCount * 8);
+                prfInput[prfInput.Length - 4] = (byte)(outputSizeInBits >> 24);
+                prfInput[prfInput.Length - 3] = (byte)(outputSizeInBits >> 16);
+                prfInput[prfInput.Length - 2] = (byte)(outputSizeInBits >> 8);
+                prfInput[prfInput.Length - 1] = (byte)(outputSizeInBits);
+
+                // Copy label and context to prfInput since they're stable over all iterations
+                label.CopyTo(prfInput.Slice(sizeof(uint)));
+                contextHeader.CopyTo(prfInput.Slice(sizeof(uint) + label.Length + 1));
+                contextData.CopyTo(prfInput.Slice(sizeof(uint) + label.Length + 1 + contextHeader.Length));
+
+                var prfOutputSizeInBytes = prf.GetDigestSizeInBytes();
+                for (uint i = 1; outputCount > 0; i++)
+                {
+                    // Copy [i]_2 to prfInput since it mutates with each iteration
+                    prfInput[0] = (byte)(i >> 24);
+                    prfInput[1] = (byte)(i >> 16);
+                    prfInput[2] = (byte)(i >> 8);
+                    prfInput[3] = (byte)(i);
 
-                // Run the PRF and copy the results to the output buffer
+                    // Run the PRF and copy the results to the output buffer
 #if NET10_0_OR_GREATER
-                var prfOutput = ArrayPool<byte>.Shared.Rent(prfOutputSizeInBytes);
-                prf.TryComputeHash(prfInput, prfOutput, out _);
+                    // not using stackalloc here, because we are in a loop
+                    // and potentially can exhaust the stack memory: https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2014
+                    prfOutput = DataProtectionPool.Rent(prfOutputSizeInBytes);
+                    prf.TryComputeHash(prfInput, prfOutput, out _);
 #else
-                var prfOutput = prf.ComputeHash(prfInput);
+                    prfOutput = prf.ComputeHash(prfInputArray);
 #endif
 
-                CryptoUtil.Assert(prfOutputSizeInBytes == prfOutput.Length, "prfOutputSizeInBytes == prfOutput.Length");
-                var numBytesToCopyThisIteration = Math.Min(prfOutputSizeInBytes, outputCount);
-
-                // we need to write into the operationSubkey
-                // but it may be the case that we need to split the output
-                // so lets count how many bytes we can write into the operationSubKey
-                var bytesToWrite = Math.Min(numBytesToCopyThisIteration, operationSubKey.Length - operationSubKeyIndex);
-                var leftOverBytes = numBytesToCopyThisIteration - bytesToWrite;
-                if (operationSubKeyIndex < operationSubKey.Length) // meaning we need to write to operationSubKey
+                    CryptoUtil.Assert(prfOutputSizeInBytes == prfOutput.Length, "prfOutputSizeInBytes == prfOutput.Length");
+                    var numBytesToCopyThisIteration = Math.Min(prfOutputSizeInBytes, outputCount);
+
+                    // we need to write into the operationSubkey
+                    // but it may be the case that we need to split the output
+                    // so lets count how many bytes we can write into the operationSubKey
+                    var bytesToWrite = Math.Min(numBytesToCopyThisIteration, operationSubKey.Length - operationSubKeyIndex);
+                    var leftOverBytes = numBytesToCopyThisIteration - bytesToWrite;
+                    if (operationSubKeyIndex < operationSubKey.Length) // meaning we need to write to operationSubKey
+                    {
+                        var destination = operationSubKey.Slice(operationSubKeyIndex, bytesToWrite);
+                        prfOutput.AsSpan(0, bytesToWrite).CopyTo(destination);
+                        operationSubKeyIndex += bytesToWrite;
+                    }
+                    if (operationSubKeyIndex == operationSubKey.Length && leftOverBytes != 0) // we have filled the operationSubKey. It's time for the validationSubKey
+                    {
+                        var destination = validationSubKey.Slice(validationSubKeyIndex, leftOverBytes);
+                        prfOutput.AsSpan(bytesToWrite, leftOverBytes).CopyTo(destination);
+                        validationSubKeyIndex += leftOverBytes;
+                    }
+
+                    outputCount -= numBytesToCopyThisIteration;
+                }
+            }
+            finally
+            {
+#if NET10_0_OR_GREATER
+                if (prfOutput is not null)
                 {
-                    var destination = operationSubKey.Slice(operationSubKeyIndex, bytesToWrite);
-                    prfOutput.AsSpan(0, bytesToWrite).CopyTo(destination);
-                    operationSubKeyIndex += bytesToWrite;
+                    DataProtectionPool.Return(prfOutput, clearArray: true); // contains key material, so delete it
                 }
-                if (operationSubKeyIndex == operationSubKey.Length && leftOverBytes != 0) // we have filled the operationSubKey. It's time for the validationSubKey
+                
+                if (prfInputLease is not null)
                 {
-                    var destination = validationSubKey.Slice(validationSubKeyIndex, leftOverBytes);
-                    prfOutput.AsSpan(bytesToWrite, leftOverBytes).CopyTo(destination);
-                    validationSubKeyIndex += leftOverBytes;
+                    DataProtectionPool.Return(prfInputLease, clearArray: true); // contains key material, so delete it
+                }
+                else
+                {
+                    // to be extra careful - clear the stackalloc memory
+                    prfInput.Clear();
                 }
-
-#if NET10_0_OR_GREATER
-                ArrayPool<byte>.Shared.Return(prfOutput, clearArray: true); // contains key material, so delete it
 #else
+                Array.Clear(prfInputArray, 0, prfInputArray.Length); // contains key material, so delete it
                 Array.Clear(prfOutput, 0, prfOutput.Length); // contains key material, so delete it
 #endif
-                outputCount -= numBytesToCopyThisIteration;
             }
         }
     }
