-10% so far

Author: DeagleGross

src/Antiforgery/src/Internal/DefaultAntiforgeryTokenSerializer.cs

@@ -1,6 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Buffers;
+using System.Diagnostics;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.ObjectPool;
@@ -30,26 +32,30 @@ public AntiforgeryToken Deserialize(string serializedToken)
     {
         var serializationContext = _pool.Get();
 
+        byte[]? rented = null;
         Exception? innerException = null;
         try
         {
-            var count = serializedToken.Length;
-            var charsRequired = WebEncoders.GetArraySizeRequiredToDecode(count);
-            var chars = serializationContext.GetChars(charsRequired);
-            var tokenBytes = WebEncoders.Base64UrlDecode(
+            var tokenLength = serializedToken.Length;
+            var charsRequired = WebEncoders.GetArraySizeRequiredToDecode(tokenLength);
+
+            var chars = charsRequired < 128 ? stackalloc byte[128] : (rented = ArrayPool<byte>.Shared.Rent(charsRequired));
+            chars = chars[..charsRequired];
+
+            var decodedResult = WebEncoders.TryBase64UrlDecode(
                 serializedToken,
                 offset: 0,
-                buffer: chars,
-                bufferOffset: 0,
-                count: count);
-
+                count: tokenLength,
+                destination: chars,
+                out var bytesWritten);
+            Debug.Assert(decodedResult is true);
+
+            // when DataProtection obtains Span<>'ish APIs,
+            // we will just pass in chars directly. For now we need to allocate.
+            var tokenBytes = chars.Slice(0, bytesWritten).ToArray();
             var unprotectedBytes = _cryptoSystem.Unprotect(tokenBytes);
-            var stream = serializationContext.Stream;
-            stream.Write(unprotectedBytes, offset: 0, count: unprotectedBytes.Length);
-            stream.Position = 0L;
 
-            var reader = serializationContext.Reader;
-            var token = Deserialize(reader);
+            var token = Deserialize(unprotectedBytes);
             if (token != null)
             {
                 return token;
@@ -63,6 +69,11 @@ public AntiforgeryToken Deserialize(string serializedToken)
         finally
         {
             _pool.Return(serializationContext);
+
+            if (rented is not null)
+            {
+                ArrayPool<byte>.Shared.Return(rented);
+            }
         }
 
         // if we reached this point, something went wrong deserializing
@@ -81,39 +92,49 @@ public AntiforgeryToken Deserialize(string serializedToken)
      *   |    `- Username: UTF-8 string with 7-bit integer length prefix
      *   `- AdditionalData: UTF-8 string with 7-bit integer length prefix
      */
-    private static AntiforgeryToken? Deserialize(BinaryReader reader)
+    private static AntiforgeryToken? Deserialize(ReadOnlySpan<byte> unprotectedBytes)
     {
+        // pointer to current byte at unprotectedBytes
+        var pointer = 0;
+
         // we can only consume tokens of the same serialized version that we generate
-        var embeddedVersion = reader.ReadByte();
+        var embeddedVersion = unprotectedBytes[pointer++];
         if (embeddedVersion != TokenVersion)
         {
             return null;
         }
 
         var deserializedToken = new AntiforgeryToken();
-        var securityTokenBytes = reader.ReadBytes(AntiforgeryToken.SecurityTokenBitLength / 8);
-        deserializedToken.SecurityToken =
-            new BinaryBlob(AntiforgeryToken.SecurityTokenBitLength, securityTokenBytes);
-        deserializedToken.IsCookieToken = reader.ReadBoolean();
 
+        var securityTokenBytesLength = AntiforgeryToken.SecurityTokenBitLength / 8;
+        var securityTokenBytes = unprotectedBytes.Slice(pointer, securityTokenBytesLength).ToArray();
+        pointer += securityTokenBytesLength;
+        deserializedToken.SecurityToken = new BinaryBlob(AntiforgeryToken.SecurityTokenBitLength, securityTokenBytes);
+
+        deserializedToken.IsCookieToken = unprotectedBytes.BinaryReadBoolean(ref pointer);
         if (!deserializedToken.IsCookieToken)
         {
-            var isClaimsBased = reader.ReadBoolean();
+            var isClaimsBased = unprotectedBytes.BinaryReadBoolean(ref pointer);
             if (isClaimsBased)
             {
-                var claimUidBytes = reader.ReadBytes(AntiforgeryToken.ClaimUidBitLength / 8);
+                var claimUidBytesLength = AntiforgeryToken.ClaimUidBitLength / 8;
+                var claimUidBytes = unprotectedBytes.Slice(pointer, claimUidBytesLength).ToArray();
+                pointer += claimUidBytesLength;
                 deserializedToken.ClaimUid = new BinaryBlob(AntiforgeryToken.ClaimUidBitLength, claimUidBytes);
             }
             else
             {
-                deserializedToken.Username = reader.ReadString();
+                deserializedToken.Username = unprotectedBytes.Slice(pointer).BinaryReadString(out var usernameBytesRead);
+                pointer += usernameBytesRead;
             }
 
-            deserializedToken.AdditionalData = reader.ReadString();
+            deserializedToken.AdditionalData = unprotectedBytes.Slice(pointer).BinaryReadString(out var addDataBytesRead);
+            pointer += addDataBytesRead;
+
         }
 
         // if there's still unconsumed data in the stream, fail
-        if (reader.BaseStream.ReadByte() != -1)
+        if (pointer < unprotectedBytes.Length && unprotectedBytes[pointer] != 0x00)
         {
             return null;
         }

src/Antiforgery/src/Internal/DefaultClaimUidExtractor.cs

@@ -1,9 +1,12 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Buffers;
+using System.Buffers.Binary;
 using System.Diagnostics;
 using System.Security.Claims;
 using System.Security.Cryptography;
+using System.Text;
 using Microsoft.Extensions.ObjectPool;
 
 namespace Microsoft.AspNetCore.Antiforgery;
@@ -32,8 +35,11 @@ public DefaultClaimUidExtractor(ObjectPool<AntiforgerySerializationContext> pool
             return null;
         }
 
+        // todo skip allocations here as well
         var claimUidBytes = ComputeSha256(uniqueIdentifierParameters);
-        return Convert.ToBase64String(claimUidBytes);
+
+        Convert.TryToBase64Chars(claimUidBytes, out var str, out int charsWritten);
+        return str.ToString;
     }
 
     public static IList<string>? GetUniqueIdentifierParameters(IEnumerable<ClaimsIdentity> claimsIdentities)
@@ -119,7 +125,53 @@ public DefaultClaimUidExtractor(ObjectPool<AntiforgerySerializationContext> pool
         return identifierParameters;
     }
 
-    private byte[] ComputeSha256(IEnumerable<string> parameters)
+    private void ComputeSha256(IEnumerable<string> parameters, Span<byte> output)
+    {
+        // compute total size
+        int totalSize = 0;
+        foreach (var param in parameters)
+        {
+            int byteCount = Encoding.UTF8.GetByteCount(param);
+            totalSize += 4 + byteCount; // 4 bytes for length prefix
+        }
+
+        byte[]? rented = null;
+        var buffer = totalSize <= 256
+            ? stackalloc byte[256]
+            : (rented = ArrayPool<byte>.Shared.Rent(totalSize));
+        buffer = buffer[..totalSize];
+
+        try
+        {
+            int offset = 0;
+
+            foreach (var param in parameters)
+            {
+                int byteCount = Encoding.UTF8.GetByteCount(param);
+
+                // Write 4-byte length prefix
+                BinaryPrimitives.WriteInt32LittleEndian(buffer.Slice(offset, 4), byteCount);
+                offset += 4;
+
+                // Write UTF-8 bytes
+                Encoding.UTF8.GetBytes(param, buffer.Slice(offset, byteCount));
+                offset += byteCount;
+            }
+
+            SHA256.TryHashData(buffer.Slice(0, totalSize), output, out int bytesWritten);
+            Debug.Assert(bytesWritten == 32);
+        }
+        finally
+        {
+            buffer.Clear(); // security ?
+            if (rented is not null)
+            {
+                ArrayPool<byte>.Shared.Return(rented);
+            }
+        }
+    }
+
+    private byte[] ComputeSha256StreamWriter(IEnumerable<string> parameters)
     {
         var serializationContext = _pool.Get();
 

src/Antiforgery/src/Microsoft.AspNetCore.Antiforgery.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <Description>An antiforgery system for ASP.NET Core designed to generate and validate tokens to prevent Cross-Site Request Forgery attacks.</Description>
@@ -26,5 +26,7 @@
 
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)HttpExtensions.cs" LinkBase="Shared"/>
+    <Compile Include="$(SharedSourceRoot)ReadOnlySpanExtensions.cs" LinkBase="Shared"/>
+    <Compile Include="$(SharedSourceRoot)Encoding\Int7BitEncodingUtils.cs" LinkBase="Shared"/>
   </ItemGroup>
 </Project>

src/Http/WebUtilities/src/PublicAPI.Unshipped.txt

@@ -1 +1,2 @@
 #nullable enable
+static Microsoft.AspNetCore.WebUtilities.WebEncoders.TryBase64UrlDecode(string! input, int offset, int count, System.Span<byte> destination, out int bytesWritten) -> bool

src/Shared/Encoding/Int7BitEncodingUtils.cs

@@ -28,6 +28,37 @@ public static int Measure7BitEncodedUIntLength(this uint value)
 #endif
     }
 
+    public static int Read7BitEncodedInt(this ReadOnlySpan<byte> span, out int bytesRead)
+    {
+        int result = 0;
+        int shift = 0;
+        bytesRead = 0;
+
+        while (true)
+        {
+            if (bytesRead >= span.Length)
+            {
+                throw new InvalidOperationException("Invalid 7-bit encoded int.");
+            }
+
+            byte b = span[bytesRead++];
+            result |= (b & 0x7F) << shift;
+
+            if ((b & 0x80) == 0)
+            {
+                break;
+            }
+
+            shift += 7;
+            if (shift > 35)
+            {
+                throw new FormatException("7-bit encoded int too large.");
+            }
+        }
+
+        return result;
+    }
+
     public static int Write7BitEncodedInt(this Span<byte> target, int value)
         => Write7BitEncodedInt(target, (uint)value);
 

src/Shared/ReadOnlySpanExtensions.cs

@@ -0,0 +1,33 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.IO;
+using System.Reflection;
+using System.Text;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Features;
+using Microsoft.AspNetCore.Shared;
+
+internal static class ReadOnlySpanExtensions
+{
+    public static bool BinaryReadBoolean(this ReadOnlySpan<byte> span, ref int offset)
+    {
+        return span[offset++] != 0;
+    }
+
+    public static string BinaryReadString(this ReadOnlySpan<byte> span, out int totalBytesRead)
+    {
+        int length = span.Read7BitEncodedInt(out int prefixLength);
+        int stringEnd = prefixLength + length;
+
+        if (span.Length < stringEnd)
+        {
+            throw new InvalidOperationException("Not enough data to read the string.");
+        }
+
+        var strBytes = span.Slice(prefixLength, length);
+        totalBytesRead = stringEnd;
+
+        return Encoding.UTF8.GetString(strBytes);
+    }
+}

src/Shared/WebEncoders/Properties/EncoderResources.cs

@@ -9,6 +9,11 @@ namespace Microsoft.Extensions.WebEncoders.Sources;
 // in the contentFiles section. Revisit once we convert repos to MSBuild
 internal static class EncoderResources
 {
+    /// <summary>
+    /// Invalid {0}, {1} or {2} length.
+    /// </summary>
+    internal const string WebEncoders_InvalidCountOrLength = "Invalid {0} or {1} length.";
+
     /// <summary>
     /// Invalid {0}, {1} or {2} length.
     /// </summary>