fix slices everywhere + rollback managedauth to a proper impl

DeagleGross · DeagleGross · commit f561796c0a36 · 2025-08-04T11:57:21.000+02:00
diff --git a/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
@@ -474,23 +474,6 @@ public byte[] Decrypt(ArraySegment<byte> protectedPayload, ArraySegment<byte> ad
         protectedPayload.Validate();
         additionalAuthenticatedData.Validate();
 
-#if NET10_0_OR_GREATER
-        var size = GetDecryptedSize(protectedPayload.Count);
-        var plaintext = new byte[size];
-        var destination = plaintext.AsSpan();
-
-        if (!TryDecrypt(
-            cipherText: protectedPayload,
-            additionalAuthenticatedData: additionalAuthenticatedData,
-            destination: destination,
-            out var bytesWritten))
-        {
-            throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
-        }
-
-        CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
-        return plaintext;
-#else
         // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
         if (protectedPayload.Count < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
         {
@@ -516,14 +499,27 @@ public byte[] Decrypt(ArraySegment<byte> protectedPayload, ArraySegment<byte> ad
             ReadOnlySpan<byte> keyModifier = protectedPayload.Array!.AsSpan(keyModifierOffset, ivOffset - keyModifierOffset);
 
             // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys.
+#if NET10_0_OR_GREATER
+            Span<byte> decryptedKdk = _keyDerivationKey.Length <= 256
+                ? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
+                : new byte[_keyDerivationKey.Length];
+#else
             var decryptedKdk = new byte[_keyDerivationKey.Length];
+#endif
 
             byte[]? validationSubkeyArray = null;
             var validationSubkey = _validationAlgorithmSubkeyLengthInBytes <= 128
                 ? stackalloc byte[128].Slice(0, _validationAlgorithmSubkeyLengthInBytes)
                 : (validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes]);
 
+#if NET10_0_OR_GREATER
+            Span<byte> decryptionSubkey =
+                _symmetricAlgorithmSubkeyLengthInBytes <= 128
+                ? stackalloc byte[128].Slice(0, _symmetricAlgorithmSubkeyLengthInBytes)
+                : new byte[_symmetricAlgorithmBlockSizeInBytes];
+#else
             byte[] decryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+#endif
 
             // calling "fixed" is basically pinning the array, meaning the GC won't move it around. (Also for safety concerns)
             // note: it is safe to call `fixed` on null - it is just a no-op
@@ -551,9 +547,29 @@ public byte[] Decrypt(ArraySegment<byte> protectedPayload, ArraySegment<byte> ad
                     }
 
                     // Step 4: Validate the MAC provided as part of the payload.
+#if NET10_0_OR_GREATER
+                    var ivAndCiphertextSpan = protectedPayload.Slice(ivOffset, macOffset - ivOffset);
+                    var providedMac = protectedPayload.Slice(macOffset, _validationAlgorithmDigestLengthInBytes);
+                    if (!ValidateMac(ivAndCiphertextSpan, providedMac, validationSubkey, validationSubkeyArray))
+                    {
+                        throw Error.CryptCommon_PayloadInvalid();
+                    }
+#else
                     CalculateAndValidateMac(protectedPayload.Array!, ivOffset, macOffset, eofOffset, validationSubkey, validationSubkeyArray);
+#endif
 
                     // Step 5: Decipher the ciphertext and return it to the caller.
+#if NET10_0_OR_GREATER
+                    using var symmetricAlgorithm = CreateSymmetricAlgorithm();
+                    symmetricAlgorithm.SetKey(decryptionSubkey); // setKey is a single-shot usage of symmetricAlgorithm. Not allocatey
+
+                    // note: here protectedPayload.Array is taken without an offset (can't use AsSpan() on ArraySegment)
+                    var ciphertext = protectedPayload.Array.AsSpan(ciphertextOffset, macOffset - ciphertextOffset);
+                    var iv = protectedPayload.Array.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes);
+
+                    // symmetricAlgorithm is created with CBC mode (see CreateSymmetricAlgorithm())
+                    return symmetricAlgorithm.DecryptCbc(ciphertext, iv);
+#else
                     var iv = protectedPayload.Array!.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes).ToArray();
 
                     using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
@@ -569,13 +585,19 @@ public byte[] Decrypt(ArraySegment<byte> protectedPayload, ArraySegment<byte> ad
                             return outputStream.ToArray();
                         }
                     }
+#endif
                 }
                 finally
                 {
                     // delete since these contain secret material
                     validationSubkey.Clear();
 
+#if NET10_0_OR_GREATER
+                    decryptedKdk.Clear();
+                    decryptionSubkey.Clear();
+#else
                     Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
+#endif
                 }
             }
         }
@@ -584,7 +606,6 @@ public byte[] Decrypt(ArraySegment<byte> protectedPayload, ArraySegment<byte> ad
             // Homogenize all exceptions to CryptographicException.
             throw Error.CryptCommon_GenericError(ex);
         }
-#endif
     }
 
     private byte[] CreateContextHeader()
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs
@@ -13,16 +13,7 @@ namespace Microsoft.AspNetCore.DataProtection.Tests.Internal;
 internal static class RoundtripEncryptionHelpers
 {
     /// <summary>
-    /// <see cref="IAuthenticatedEncryptor.TryEncrypt"/> and <see cref="IAuthenticatedEncryptor.TryDecrypt"/> APIs should do the same steps
-    /// as <see cref="IAuthenticatedEncryptor.Encrypt"/> and <see cref="IAuthenticatedEncryptor.Decrypt"/> APIs.
-    /// <br/>
-    /// Method ensures that the two APIs are equivalent in terms of their behavior by performing a roundtrip encrypt-decrypt test.
-    /// </summary>
-    public static void AssertTryEncryptTryDecryptParity(IAuthenticatedEncryptor encryptor, ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> aad)
-        => AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);
-
-    /// <summary>
-    /// <see cref="IAuthenticatedEncryptor.TryEncrypt"/> and <see cref="IAuthenticatedEncryptor.TryDecrypt"/> APIs should do the same steps
+    /// <see cref="ISpanAuthenticatedEncryptor.TryEncrypt"/> and <see cref="ISpanAuthenticatedEncryptor.TryDecrypt"/> APIs should do the same steps
     /// as <see cref="IAuthenticatedEncryptor.Encrypt"/> and <see cref="IAuthenticatedEncryptor.Decrypt"/> APIs.
     /// <br/>
     /// Method ensures that the two APIs are equivalent in terms of their behavior by performing a roundtrip encrypt-decrypt test.
@@ -41,7 +32,10 @@ public static void AssertTryEncryptTryDecryptParity(IAuthenticatedEncryptor encr
         var expectedEncryptedSize = spanAuthenticatedEncryptor.GetEncryptedSize(plaintext.Count);
         Assert.Equal(expectedEncryptedSize, ciphertext.Length);
         var expectedDecryptedSize = spanAuthenticatedEncryptor.GetDecryptedSize(ciphertext.Length);
-        Assert.Equal(expectedDecryptedSize, decipheredtext.Length);
+
+        // note: for decryption we cant know for sure how many bytes will be written.
+        // so we cant assert equality, but we can check if expected decrypted size is greater or equal than original deciphered text
+        Assert.True(expectedDecryptedSize >= decipheredtext.Length);
 
         // perform TryEncrypt and Decrypt roundtrip - ensures cross operation compatibility
         var cipherTextPooled = ArrayPool<byte>.Shared.Rent(expectedEncryptedSize);
@@ -65,12 +59,15 @@ public static void AssertTryEncryptTryDecryptParity(IAuthenticatedEncryptor encr
         {
             var encrypted = spanAuthenticatedEncryptor.Encrypt(plaintext, aad);
             var decipheredTryDecrypt = spanAuthenticatedEncryptor.TryDecrypt(encrypted, aad, plainTextPooled, out var bytesWritten);
-            Assert.Equal(plaintext.AsSpan(), plainTextPooled.AsSpan());
+            Assert.Equal(plaintext.AsSpan(), plainTextPooled.AsSpan(0, bytesWritten));
             Assert.True(decipheredTryDecrypt);
+
+            // now we should know that bytesWritten is STRICTLY equal to the deciphered text
+            Assert.Equal(decipheredtext.Length, bytesWritten);
         }
         finally
         {
-            ArrayPool<byte>.Shared.Return(cipherTextPooled);
+            ArrayPool<byte>.Shared.Return(plainTextPooled);
         }
     }
 }
