finish encrypt

Author: DeagleGross

src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs

@@ -2,6 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System;
+using System.Buffers;
 using System.IO;
 using System.Linq;
 using System.Security.Cryptography;
@@ -153,15 +154,12 @@ private SymmetricAlgorithm CreateSymmetricAlgorithm(byte[]? key = null)
         return retVal;
     }
 
-    private KeyedHashAlgorithm CreateValidationAlgorithm(byte[]? key = null)
+    private KeyedHashAlgorithm CreateValidationAlgorithm(byte[] key)
     {
         var retVal = _validationAlgorithmFactory();
         CryptoUtil.Assert(retVal != null, "retVal != null");
 
-        if (key is not null)
-        {
-            retVal.Key = key;
-        }
+        retVal.Key = key;
         return retVal;
     }
 
@@ -298,29 +296,7 @@ public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additiona
 
         try
         {
-            var decryptedKdk = new byte[_keyDerivationKey.Length];
-            var encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
-            var validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes];
-            var derivedKeysBuffer = new byte[checked(encryptionSubkey.Length + validationSubkey.Length)];
-
-            fixed (byte* __unused__1 = decryptedKdk)
-            fixed (byte* __unused__2 = encryptionSubkey)
-            fixed (byte* __unused__3 = validationSubkey)
-            fixed (byte* __unused__4 = derivedKeysBuffer)
-            {
-                try
-                {
-                    return EncryptImpl(plaintext, additionalAuthenticatedData.AsSpan(), decryptedKdk, encryptionSubkey, validationSubkey, derivedKeysBuffer);
-                }
-                finally
-                {
-                    // delete since these contain secret material
-                    Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
-                    Array.Clear(encryptionSubkey, 0, encryptionSubkey.Length);
-                    Array.Clear(validationSubkey, 0, validationSubkey.Length);
-                    Array.Clear(derivedKeysBuffer, 0, derivedKeysBuffer.Length);
-                }
-            }
+            return EncryptImpl(plaintext, additionalAuthenticatedData);
         }
         catch (Exception ex) when (ex.RequiresHomogenization())
         {
@@ -331,75 +307,79 @@ public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additiona
 
 #if NET10_0_OR_GREATER
     private byte[] EncryptImpl(
-        ArraySegment<byte> plaintextArraySegment,
-        ReadOnlySpan<byte> additionalAuthenticatedData,
-        byte[] decryptedKdk,
-        byte[] encryptionSubkey,
-        byte[] validationSubkey,
-        byte[] derivedKeysBuffer)
+        ReadOnlySpan<byte> plainText,
+        ReadOnlySpan<byte> additionalAuthenticatedData)
     {
-        var plainText = plaintextArraySegment.AsSpan();
-
-        // Step 4: Perform the encryption operation.
-
-        using var symmetricAlgorithm = CreateSymmetricAlgorithm(key: encryptionSubkey);
-        using var validationAlgorithm = CreateValidationAlgorithm(key: null!); // we dont care now, because we are only interested in the hash size property
-
-        var cipherTextLength = symmetricAlgorithm.GetCiphertextLengthCbc(plainText.Length);
         var keyModifierLength = KEY_MODIFIER_SIZE_IN_BYTES;
         var ivLength = _symmetricAlgorithmBlockSizeInBytes;
-        var macLength = validationAlgorithm.HashSize * 8;
-
-        // allocating an array of a specific required length:
-        var outputArray = new byte[keyModifierLength + ivLength + cipherTextLength + macLength];
-        var outputSpan = outputArray.AsSpan();
-
-        // Step 1: Generate a random key modifier and IV for this operation.
-        // Both will be equal to the block size of the block cipher algorithm.
-        // note: we are generating it right into the result array
-        _genRandom.GenRandom(outputSpan.Slice(start: 0, length: keyModifierLength));
-        _genRandom.GenRandom(outputSpan.Slice(start: keyModifierLength, length: ivLength));
 
-        var keyModifier = outputSpan.Slice(start: 0, length: keyModifierLength);
-        var iv = outputSpan.Slice(start: keyModifierLength, length: ivLength);
-
-        _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment<byte>(decryptedKdk));
-        ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
-            kdk: decryptedKdk,
-            label: additionalAuthenticatedData,
-            contextHeader: _contextHeader,
-            contextData: keyModifier,
-            prfFactory: _kdkPrfFactory,
-            output: new ArraySegment<byte>(derivedKeysBuffer));
-
-        Buffer.BlockCopy(derivedKeysBuffer, 0, encryptionSubkey, 0, encryptionSubkey.Length);
-        Buffer.BlockCopy(derivedKeysBuffer, encryptionSubkey.Length, validationSubkey, 0, validationSubkey.Length);
+        // Step 1: Decrypt the KDK, and use it to generate new encryption and HMAC keys.
+        // We pin all unencrypted keys to limit their exposure via GC relocation.
+        var decryptedKdk = new byte[_keyDerivationKey.Length];
+        var encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+        var validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes];
 
-        // encrypting plaintext into the target array directly
-        symmetricAlgorithm.EncryptCbc(plainText, iv, outputSpan.Slice(start: KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes, length: cipherTextLength));
+        fixed (byte* __unused__1 = decryptedKdk)
+        fixed (byte* __unused__2 = encryptionSubkey)
+        fixed (byte* __unused__3 = validationSubkey)
+        {
+            var keyModifier = ArrayPool<byte>.Shared.Rent(keyModifierLength);
+            _genRandom.GenRandom(keyModifier);
+
+            _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment<byte>(decryptedKdk));
+            ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
+                kdk: decryptedKdk,
+                label: additionalAuthenticatedData,
+                contextHeader: _contextHeader,
+                contextData: keyModifier,
+                prfFactory: _kdkPrfFactory,
+                operationSubKey: encryptionSubkey,
+                validationSubKey: validationSubkey);
+
+            // idea of optimization here is firstly get all the types preset
+            // for calculating length of the output array and allocating it.
+            // then we are filling it with the data directly, without any additional copying
+            using var symmetricAlgorithm = CreateSymmetricAlgorithm(key: encryptionSubkey);
+            using var validationAlgorithm = CreateValidationAlgorithm(key: validationSubkey);
+
+            var cipherTextLength = symmetricAlgorithm.GetCiphertextLengthCbc(plainText.Length); // CBC because symmetricAlgorithm is created with CBC mode
+            var macLength = _validationAlgorithmDigestLengthInBytes;
+
+            // allocating an array of a specific required length
+            var outputArray = new byte[keyModifierLength + ivLength + cipherTextLength + macLength];
+            var outputSpan = outputArray.AsSpan();
+
+            // Step 2: Copy the key modifier and the IV to the output stream since they'll act as a header.
+            keyModifier.CopyTo(outputSpan.Slice(start: 0, length: keyModifierLength));
+
+            // Step 3: Generate IV for this operation right into the result array (no allocation)
+            _genRandom.GenRandom(outputSpan.Slice(start: keyModifierLength, length: ivLength));
+            var iv = outputSpan.Slice(start: keyModifierLength, length: ivLength);
+
+            // encrypting plaintext into the target array directly
+            symmetricAlgorithm.EncryptCbc(plainText, iv, outputSpan.Slice(start: keyModifierLength + ivLength, length: cipherTextLength));
 
-        // At this point, outputStream := { keyModifier || IV || ciphertext }
+            // At this point, outputStream := { keyModifier || IV || ciphertext }
 
-        // Step 5: Calculate the digest over the IV and ciphertext.
-        // We don't need to calculate the digest over the key modifier since that
-        // value has already been mixed into the KDF used to generate the MAC key.
+            // Step 4: Calculate the digest over the IV and ciphertext.
+            // We don't need to calculate the digest over the key modifier since that
+            // value has already been mixed into the KDF used to generate the MAC key.
 
-        validationAlgorithm.Key = validationSubkey; // crucial: finally set the key
-        validationAlgorithm.TryComputeHash(source: outputSpan, destination: outputSpan.Slice(start: keyModifierLength, length: ivLength + cipherTextLength), bytesWritten: out _);
+            var ivAndCipherTextSpan = outputSpan.Slice(start: keyModifierLength, length: ivLength + cipherTextLength);
+            var macDestinationSpan = outputSpan.Slice(keyModifierLength + ivLength + cipherTextLength, macLength);
+            validationAlgorithm.TryComputeHash(source: ivAndCipherTextSpan, destination: macDestinationSpan, bytesWritten: out _);
+            // At this point, outputArray := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
 
-        // At this point, outputArray := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
-        // And we're done!
+            // returning whatever was pooled back with clear (secret data to be cleaned)
+            ArrayPool<byte>.Shared.Return(keyModifier, clearArray: true);
 
-        return outputArray;
+            return outputArray;
+        }
     }
 #else
     private byte[] EncryptImpl(
         ArraySegment<byte> plaintext,
-        ReadOnlySpan<byte> additionalAuthenticatedData,
-        byte[] decryptedKdk,
-        byte[] encryptionSubkey,
-        byte[] validationSubkey,
-        byte[] derivedKeysBuffer)
+        ArraySegment<byte> additionalAuthenticatedData)
     {
         var outputStream = new MemoryStream();
 
@@ -415,46 +395,70 @@ private byte[] EncryptImpl(
         outputStream.Write(iv, 0, iv.Length);
 
         // At this point, outputStream := { keyModifier || IV }.
+
         // Step 3: Decrypt the KDK, and use it to generate new encryption and HMAC keys.
         // We pin all unencrypted keys to limit their exposure via GC relocation.
-        _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment<byte>(decryptedKdk));
-        ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
-            kdk: decryptedKdk,
-            label: additionalAuthenticatedData,
-            contextHeader: _contextHeader,
-            contextData: new ArraySegment<byte>(keyModifier),
-            prfFactory: _kdkPrfFactory,
-            output: new ArraySegment<byte>(derivedKeysBuffer));
-
-        Buffer.BlockCopy(derivedKeysBuffer, 0, encryptionSubkey, 0, encryptionSubkey.Length);
-        Buffer.BlockCopy(derivedKeysBuffer, encryptionSubkey.Length, validationSubkey, 0, validationSubkey.Length);
 
-        // Step 4: Perform the encryption operation.
+        var decryptedKdk = new byte[_keyDerivationKey.Length];
+        var encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+        var validationSubkey = new byte[_validationAlgorithmSubkeyLengthInBytes];
+        var derivedKeysBuffer = new byte[checked(encryptionSubkey.Length + validationSubkey.Length)];
 
-        using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
-        using (var cryptoTransform = symmetricAlgorithm.CreateEncryptor(encryptionSubkey, iv))
-        using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
+        fixed (byte* __unused__1 = decryptedKdk)
+        fixed (byte* __unused__2 = encryptionSubkey)
+        fixed (byte* __unused__3 = validationSubkey)
+        fixed (byte* __unused__4 = derivedKeysBuffer)
         {
-            cryptoStream.Write(plaintext.Array!, plaintext.Offset, plaintext.Count);
-            cryptoStream.FlushFinalBlock();
+            try
+            {
+                _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment<byte>(decryptedKdk));
+                ManagedSP800_108_CTR_HMACSHA512.DeriveKeysWithContextHeader(
+                    kdk: decryptedKdk,
+                    label: additionalAuthenticatedData,
+                    contextHeader: _contextHeader,
+                    context: new ArraySegment<byte>(keyModifier),
+                    prfFactory: _kdkPrfFactory,
+                    output: new ArraySegment<byte>(derivedKeysBuffer));
+
+                Buffer.BlockCopy(derivedKeysBuffer, 0, encryptionSubkey, 0, encryptionSubkey.Length);
+                Buffer.BlockCopy(derivedKeysBuffer, encryptionSubkey.Length, validationSubkey, 0, validationSubkey.Length);
+
+                // Step 4: Perform the encryption operation.
+
+                using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
+                using (var cryptoTransform = symmetricAlgorithm.CreateEncryptor(encryptionSubkey, iv))
+                using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
+                {
+                    cryptoStream.Write(plaintext.Array!, plaintext.Offset, plaintext.Count);
+                    cryptoStream.FlushFinalBlock();
 
-            // At this point, outputStream := { keyModifier || IV || ciphertext }
+                    // At this point, outputStream := { keyModifier || IV || ciphertext }
 
-            // Step 5: Calculate the digest over the IV and ciphertext.
-            // We don't need to calculate the digest over the key modifier since that
-            // value has already been mixed into the KDF used to generate the MAC key.
+                    // Step 5: Calculate the digest over the IV and ciphertext.
+                    // We don't need to calculate the digest over the key modifier since that
+                    // value has already been mixed into the KDF used to generate the MAC key.
 
-            using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkey))
-            {
-                // As an optimization, avoid duplicating the underlying buffer
-                var underlyingBuffer = outputStream.GetBuffer();
+                    using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkey))
+                    {
+                        // As an optimization, avoid duplicating the underlying buffer
+                        var underlyingBuffer = outputStream.GetBuffer();
 
-                var mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES));
-                outputStream.Write(mac, 0, mac.Length);
+                        var mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES));
+                        outputStream.Write(mac, 0, mac.Length);
 
-                // At this point, outputStream := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
-                // And we're done!
-                return outputStream.ToArray();
+                        // At this point, outputStream := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
+                        // And we're done!
+                        return outputStream.ToArray();
+                    }
+                }
+            }
+            finally
+            {
+                // delete since these contain secret material
+                Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
+                Array.Clear(encryptionSubkey, 0, encryptionSubkey.Length);
+                Array.Clear(validationSubkey, 0, validationSubkey.Length);
+                Array.Clear(derivedKeysBuffer, 0, derivedKeysBuffer.Length);
             }
         }
     }

src/DataProtection/DataProtection/src/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs

@@ -104,6 +104,74 @@ public static void DeriveKeys(byte[] kdk, ReadOnlySpan<byte> label, ReadOnlySpan
         }
     }
 
+    public static void DeriveKeys(
+        byte[] kdk,
+        ReadOnlySpan<byte> label,
+        ReadOnlySpan<byte> contextHeader,
+        ReadOnlySpan<byte> contextData,
+        Func<byte[], HashAlgorithm> prfFactory,
+        Span<byte> operationSubKey,
+        Span<byte> validationSubKey)
+    {
+        var operationSubKeyIndex = 0;
+        var validationSubKeyIndex = 0;
+        var outputCount = operationSubKey.Length + validationSubKey.Length;
+
+        using (var prf = prfFactory(kdk))
+        {
+            // See SP800-108, Sec. 5.1 for the format of the input to the PRF routine.
+            var prfInput = new byte[checked(sizeof(uint) /* [i]_2 */ + label.Length + 1 /* 0x00 */ + (contextHeader.Length + contextData.Length) + sizeof(uint) /* [K]_2 */)];
+
+            // Copy [L]_2 to prfInput since it's stable over all iterations
+            uint outputSizeInBits = (uint)checked((int)outputCount * 8);
+            prfInput[prfInput.Length - 4] = (byte)(outputSizeInBits >> 24);
+            prfInput[prfInput.Length - 3] = (byte)(outputSizeInBits >> 16);
+            prfInput[prfInput.Length - 2] = (byte)(outputSizeInBits >> 8);
+            prfInput[prfInput.Length - 1] = (byte)(outputSizeInBits);
+
+            // Copy label and context to prfInput since they're stable over all iterations
+            label.CopyTo(prfInput.AsSpan(sizeof(uint)));
+            contextHeader.CopyTo(prfInput.AsSpan(sizeof(uint) + label.Length + 1));
+            contextData.CopyTo(prfInput.AsSpan(sizeof(uint) + label.Length + 1 + contextHeader.Length));
+
+            var prfOutputSizeInBytes = prf.GetDigestSizeInBytes();
+            for (uint i = 1; outputCount > 0; i++)
+            {
+                // Copy [i]_2 to prfInput since it mutates with each iteration
+                prfInput[0] = (byte)(i >> 24);
+                prfInput[1] = (byte)(i >> 16);
+                prfInput[2] = (byte)(i >> 8);
+                prfInput[3] = (byte)(i);
+
+                // Run the PRF and copy the results to the output buffer
+                var prfOutput = prf.ComputeHash(prfInput);
+                CryptoUtil.Assert(prfOutputSizeInBytes == prfOutput.Length, "prfOutputSizeInBytes == prfOutput.Length");
+                var numBytesToCopyThisIteration = Math.Min(prfOutputSizeInBytes, outputCount);
+
+                // we need to write into the operationSubkey
+                // but it may be the case that we need to split the output
+                // so lets count how many bytes we can write into the operationSubKey
+                var bytesToWrite = Math.Min(numBytesToCopyThisIteration, operationSubKey.Length - operationSubKeyIndex);
+                var leftOverBytes = numBytesToCopyThisIteration - bytesToWrite;
+                if (operationSubKeyIndex < operationSubKey.Length) // meaning we need to write to operationSubKey
+                {
+                    var destination = operationSubKey.Slice(operationSubKeyIndex, bytesToWrite);
+                    prfOutput.AsSpan().Slice(0, bytesToWrite).CopyTo(destination);
+                    operationSubKeyIndex += bytesToWrite;
+                }
+                if (operationSubKeyIndex == operationSubKey.Length && leftOverBytes != 0) // we have filled the operationSubKey. It's time for the validationSubKey
+                {
+                    var destination = validationSubKey.Slice(validationSubKeyIndex, leftOverBytes);
+                    prfOutput.AsSpan().Slice(bytesToWrite, leftOverBytes).CopyTo(destination);
+                    validationSubKeyIndex += leftOverBytes;
+                }
+
+                Array.Clear(prfOutput, 0, prfOutput.Length); // contains key material, so delete it
+                outputCount -= numBytesToCopyThisIteration;
+            }
+        }
+    }
+
     public static void DeriveKeysWithContextHeader(byte[] kdk, ArraySegment<byte> label, byte[] contextHeader, ArraySegment<byte> context, Func<byte[], HashAlgorithm> prfFactory, ArraySegment<byte> output)
     {
         var combinedContext = new byte[checked(contextHeader.Length + context.Count)];