init decrypt

Author: DeagleGross

src/DataProtection/DataProtection/src/AuthenticatedEncryption/ISpanAuthenticatedEncryptor.cs

@@ -21,6 +21,13 @@ public interface ISpanAuthenticatedEncryptor : IAuthenticatedEncryptor
     /// <returns>The length of the encrypted data</returns>
     int GetEncryptedSize(int plainTextLength);
 
+    /// <summary>
+    /// Returns the size of the decrypted data for a given ciphertext length.
+    /// </summary>
+    /// <param name="cipherTextLength">Length of the cipher text that will be decrypted later</param>
+    /// <returns>The length of the decrypted data</returns>
+    int GetDecryptedSize(int cipherTextLength);
+
     /// <summary>
     /// Attempts to encrypt and tamper-proof a piece of data.
     /// </summary>
@@ -34,4 +41,6 @@ public interface ISpanAuthenticatedEncryptor : IAuthenticatedEncryptor
     /// <param name="bytesWritten">When this method returns, the total number of bytes written into destination</param>
     /// <returns>true if destination is long enough to receive the encrypted data; otherwise, false.</returns>
     bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten);
+
+    bool TryDecrypt(ReadOnlySpan<byte> cipherText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten);
 }

src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs

@@ -7,15 +7,14 @@
 using Microsoft.AspNetCore.Cryptography.Cng;
 using Microsoft.AspNetCore.Cryptography.SafeHandles;
 using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNetCore.DataProtection.Cng.Internal;
 using Microsoft.AspNetCore.DataProtection.SP800_108;
 
 namespace Microsoft.AspNetCore.DataProtection.Cng;
 
 // An encryptor which does Encrypt(CBC) + HMAC using the Windows CNG (BCrypt*) APIs.
 // The payloads produced by this encryptor should be compatible with the payloads
 // produced by the managed Encrypt(CBC) + HMAC encryptor.
-internal sealed unsafe class CbcAuthenticatedEncryptor : CngAuthenticatedEncryptorBase
+internal sealed unsafe class CbcAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, ISpanAuthenticatedEncryptor, IDisposable
 {
     // Even when IVs are chosen randomly, CBC is susceptible to IV collisions within a single
     // key. For a 64-bit block cipher (like 3DES), we'd expect a collision after 2^32 block

src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs

@@ -6,7 +6,6 @@
 using Microsoft.AspNetCore.Cryptography.Cng;
 using Microsoft.AspNetCore.Cryptography.SafeHandles;
 using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNetCore.DataProtection.Cng.Internal;
 using Microsoft.AspNetCore.DataProtection.SP800_108;
 
 namespace Microsoft.AspNetCore.DataProtection.Cng;
@@ -21,7 +20,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng;
 // going to the IV. This means that we'll only hit the 2^-32 probability limit after 2^96 encryption
 // operations, which will realistically never happen. (At the absurd rate of one encryption operation
 // per nanosecond, it would still take 180 times the age of the universe to hit 2^96 operations.)
-internal sealed unsafe class CngGcmAuthenticatedEncryptor : CngAuthenticatedEncryptorBase
+internal sealed unsafe class CngGcmAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, ISpanAuthenticatedEncryptor, IDisposable
 {
     // Having a key modifier ensures with overwhelming probability that no two encryption operations
     // will ever derive the same (encryption subkey, MAC subkey) pair. This limits an attacker's
@@ -51,71 +50,22 @@ public CngGcmAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHand
         _contextHeader = CreateContextHeader();
     }
 
-    private byte[] CreateContextHeader()
+    public int GetDecryptedSize(int cipherTextLength)
     {
-        var retVal = new byte[checked(
-            1 /* KDF alg */
-            + 1 /* chaining mode */
-            + sizeof(uint) /* sym alg key size */
-            + sizeof(uint) /* GCM nonce size */
-            + sizeof(uint) /* sym alg block size */
-            + sizeof(uint) /* GCM tag size */
-            + TAG_SIZE_IN_BYTES /* tag of GCM-encrypted empty string */)];
-
-        fixed (byte* pbRetVal = retVal)
-        {
-            byte* ptr = pbRetVal;
-
-            // First is the two-byte header
-            *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
-            *(ptr++) = 1; // 0x01 = GCM encryption + authentication
-
-            // Next is information about the symmetric algorithm (key size, nonce size, block size, tag size)
-            BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes);
-            BitHelpers.WriteTo(ref ptr, NONCE_SIZE_IN_BYTES);
-            BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES); // block size = tag size
-            BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES);
-
-            // See the design document for an explanation of the following code.
-            var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
-            fixed (byte* pbTempKeys = tempKeys)
-            {
-                byte dummy;
-
-                // Derive temporary key for encryption.
-                using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider())
-                {
-                    provider.DeriveKey(
-                        pbLabel: &dummy,
-                        cbLabel: 0,
-                        pbContext: &dummy,
-                        cbContext: 0,
-                        pbDerivedKey: pbTempKeys,
-                        cbDerivedKey: (uint)tempKeys.Length);
-                }
-
-                // Encrypt a zero-length input string with an all-zero nonce and copy the tag to the return buffer.
-                byte* pbNonce = stackalloc byte[(int)NONCE_SIZE_IN_BYTES];
-                UnsafeBufferUtil.SecureZeroMemory(pbNonce, NONCE_SIZE_IN_BYTES);
-                DoGcmEncrypt(
-                    pbKey: pbTempKeys,
-                    cbKey: _symmetricAlgorithmSubkeyLengthInBytes,
-                    pbNonce: pbNonce,
-                    pbPlaintextData: &dummy,
-                    cbPlaintextData: 0,
-                    pbEncryptedData: &dummy,
-                    pbTag: ptr);
-            }
+        throw new NotImplementedException();
+    }
 
-            ptr += TAG_SIZE_IN_BYTES;
-            CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length");
-        }
+    public bool TryDecrypt(ReadOnlySpan<byte> cipherText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
+    {
+        throw new NotImplementedException();
+    }
 
-        // retVal := { version || chainingMode || symAlgKeySize || nonceSize || symAlgBlockSize || symAlgTagSize || TAG-of-E("") }.
-        return retVal;
+    public byte[] Decrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> additionalAuthenticatedData)
+    {
+        throw new NotImplementedException();
     }
 
-    protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
+    protected byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
     {
         // Argument checking: input must at the absolute minimum contain a key modifier, nonce, and tag
         if (cbCiphertext < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
@@ -192,14 +142,6 @@ protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byt
         }
     }
 
-    public override void Dispose()
-    {
-        _sp800_108_ctr_hmac_provider.Dispose();
-
-        // We don't want to dispose of the underlying algorithm instances because they
-        // might be reused.
-    }
-
     // 'pbNonce' must point to a 96-bit buffer.
     // 'pbTag' must point to a 128-bit buffer.
     // 'pbEncryptedData' must point to a buffer the same length as 'pbPlaintextData'.
@@ -231,14 +173,14 @@ private void DoGcmEncrypt(byte* pbKey, uint cbKey, byte* pbNonce, byte* pbPlaint
         }
     }
 
-    public override int GetEncryptedSize(int plainTextLength)
+    public int GetEncryptedSize(int plainTextLength)
     {
         // A buffer to hold the key modifier, nonce, encrypted data, and tag.
         // In GCM, the encrypted output will be the same length as the plaintext input.
         return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plainTextLength + TAG_SIZE_IN_BYTES));
     }
 
-    public override bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
+    public bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
     {
         bytesWritten = 0;
 
@@ -309,7 +251,10 @@ public override bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte>
         }
     }
 
-    public override byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
+    public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData)
+        => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
+
+    public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
     {
         plaintext.Validate();
         additionalAuthenticatedData.Validate();
@@ -330,4 +275,76 @@ public override byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte>
         CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
         return ciphertext;
     }
+
+    private byte[] CreateContextHeader()
+    {
+        var retVal = new byte[checked(
+            1 /* KDF alg */
+            + 1 /* chaining mode */
+            + sizeof(uint) /* sym alg key size */
+            + sizeof(uint) /* GCM nonce size */
+            + sizeof(uint) /* sym alg block size */
+            + sizeof(uint) /* GCM tag size */
+            + TAG_SIZE_IN_BYTES /* tag of GCM-encrypted empty string */)];
+
+        fixed (byte* pbRetVal = retVal)
+        {
+            byte* ptr = pbRetVal;
+
+            // First is the two-byte header
+            *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
+            *(ptr++) = 1; // 0x01 = GCM encryption + authentication
+
+            // Next is information about the symmetric algorithm (key size, nonce size, block size, tag size)
+            BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes);
+            BitHelpers.WriteTo(ref ptr, NONCE_SIZE_IN_BYTES);
+            BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES); // block size = tag size
+            BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES);
+
+            // See the design document for an explanation of the following code.
+            var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+            fixed (byte* pbTempKeys = tempKeys)
+            {
+                byte dummy;
+
+                // Derive temporary key for encryption.
+                using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider())
+                {
+                    provider.DeriveKey(
+                        pbLabel: &dummy,
+                        cbLabel: 0,
+                        pbContext: &dummy,
+                        cbContext: 0,
+                        pbDerivedKey: pbTempKeys,
+                        cbDerivedKey: (uint)tempKeys.Length);
+                }
+
+                // Encrypt a zero-length input string with an all-zero nonce and copy the tag to the return buffer.
+                byte* pbNonce = stackalloc byte[(int)NONCE_SIZE_IN_BYTES];
+                UnsafeBufferUtil.SecureZeroMemory(pbNonce, NONCE_SIZE_IN_BYTES);
+                DoGcmEncrypt(
+                    pbKey: pbTempKeys,
+                    cbKey: _symmetricAlgorithmSubkeyLengthInBytes,
+                    pbNonce: pbNonce,
+                    pbPlaintextData: &dummy,
+                    cbPlaintextData: 0,
+                    pbEncryptedData: &dummy,
+                    pbTag: ptr);
+            }
+
+            ptr += TAG_SIZE_IN_BYTES;
+            CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length");
+        }
+
+        // retVal := { version || chainingMode || symAlgKeySize || nonceSize || symAlgBlockSize || symAlgTagSize || TAG-of-E("") }.
+        return retVal;
+    }
+
+    public void Dispose()
+    {
+        _sp800_108_ctr_hmac_provider.Dispose();
+
+        // We don't want to dispose of the underlying algorithm instances because they
+        // might be reused.
+    }
 }

src/DataProtection/DataProtection/src/Cng/Internal/CngAuthenticatedEncryptorBase.cs

@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
 using Moq;
 
 namespace Microsoft.AspNetCore.DataProtection.Cng.Internal;
@@ -82,19 +83,46 @@ public void Decrypt_HandlesEmptyCiphertextPointerFixup()
         Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal);
     }
 
-    internal abstract class MockableEncryptor : CngAuthenticatedEncryptorBase
+    internal abstract class MockableEncryptor : IOptimizedAuthenticatedEncryptor, ISpanAuthenticatedEncryptor, IDisposable
     {
-        public override void Dispose()
+        public abstract byte[] DecryptHook(IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData);
+        public abstract byte[] EncryptHook(IntPtr pbPlaintext, uint cbPlaintext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer);
+
+        public int GetEncryptedSize(int plainTextLength)
         {
+            throw new NotImplementedException();
         }
 
-        public abstract byte[] DecryptHook(IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData);
+        public int GetDecryptedSize(int cipherTextLength)
+        {
+            throw new NotImplementedException();
+        }
 
-        protected sealed override unsafe byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
+        public bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
         {
-            return DecryptHook((IntPtr)pbCiphertext, cbCiphertext, (IntPtr)pbAdditionalAuthenticatedData, cbAdditionalAuthenticatedData);
+            throw new NotImplementedException();
         }
 
-        public abstract byte[] EncryptHook(IntPtr pbPlaintext, uint cbPlaintext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer);
+        public bool TryDecrypt(ReadOnlySpan<byte> cipherText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
+        {
+            throw new NotImplementedException();
+        }
+
+        public byte[] Decrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> additionalAuthenticatedData)
+        {
+            throw new NotImplementedException();
+        }
+
+        public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData)
+        {
+            throw new NotImplementedException();
+        }
+
+        public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
+        {
+            throw new NotImplementedException();
+        }
+
+        public void Dispose() { }
     }
 }