cnggcm

DeagleGross · DeagleGross · commit fe478d23e3cb · 2025-08-04T09:52:51.000+02:00
diff --git a/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs
@@ -51,95 +51,123 @@ public CngGcmAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHand
     }
 
     public int GetDecryptedSize(int cipherTextLength)
-    {
-        throw new NotImplementedException();
-    }
-
-    public bool TryDecrypt(ReadOnlySpan<byte> cipherText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
-    {
-        throw new NotImplementedException();
-    }
-
-    public byte[] Decrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> additionalAuthenticatedData)
-    {
-        throw new NotImplementedException();
-    }
-
-    protected byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
     {
         // Argument checking: input must at the absolute minimum contain a key modifier, nonce, and tag
-        if (cbCiphertext < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
+        if (cipherTextLength < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
         {
             throw Error.CryptCommon_PayloadInvalid();
         }
 
-        // Assumption: pbCipherText := { keyModifier || nonce || encryptedData || authenticationTag }
+        return checked(cipherTextLength - (int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES));
+    }
 
-        var cbPlaintext = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES));
+    public bool TryDecrypt(ReadOnlySpan<byte> cipherText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
+    {
+        bytesWritten = 0;
 
-        var retVal = new byte[cbPlaintext];
-        fixed (byte* pbRetVal = retVal)
+        try
         {
-            // Calculate offsets
-            byte* pbKeyModifier = pbCiphertext;
-            byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
-            byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
-            byte* pbAuthTag = &pbEncryptedData[cbPlaintext];
-
-            // Use the KDF to recreate the symmetric block cipher key
-            // We'll need a temporary buffer to hold the symmetric encryption subkey
-            byte* pbSymmetricDecryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
-            try
+            var plaintextLength = GetDecryptedSize(cipherText.Length);
+            
+            // Check if destination is large enough
+            if (destination.Length < plaintextLength)
             {
-                _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
-                    pbLabel: pbAdditionalAuthenticatedData,
-                    cbLabel: cbAdditionalAuthenticatedData,
-                    contextHeader: _contextHeader,
-                    pbContext: pbKeyModifier,
-                    cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
-                    pbDerivedKey: pbSymmetricDecryptionSubkey,
-                    cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes);
-
-                // Perform the decryption operation
-                using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
-                {
-                    byte dummy;
-                    byte* pbPlaintext = (pbRetVal != null) ? pbRetVal : &dummy; // CLR doesn't like pinning empty buffers
-
-                    BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO authInfo;
-                    BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out authInfo);
-                    authInfo.pbNonce = pbNonce;
-                    authInfo.cbNonce = NONCE_SIZE_IN_BYTES;
-                    authInfo.pbTag = pbAuthTag;
-                    authInfo.cbTag = TAG_SIZE_IN_BYTES;
-
-                    // The call to BCryptDecrypt will also validate the authentication tag
-                    uint cbDecryptedBytesWritten;
-                    var ntstatus = UnsafeNativeMethods.BCryptDecrypt(
-                        hKey: decryptionSubkeyHandle,
-                        pbInput: pbEncryptedData,
-                        cbInput: cbPlaintext,
-                        pPaddingInfo: &authInfo,
-                        pbIV: null, // IV not used; nonce provided in pPaddingInfo
-                        cbIV: 0,
-                        pbOutput: pbPlaintext,
-                        cbOutput: cbPlaintext,
-                        pcbResult: out cbDecryptedBytesWritten,
-                        dwFlags: 0);
-                    UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
-                    CryptoUtil.Assert(cbDecryptedBytesWritten == cbPlaintext, "cbDecryptedBytesWritten == cbPlaintext");
-
-                    // At this point, retVal := { decryptedPayload }
-                    // And we're done!
-                    return retVal;
-                }
+                return false;
             }
-            finally
+
+            // Assumption: cipherText := { keyModifier || nonce || encryptedData || authenticationTag }
+            fixed (byte* pbCiphertext = cipherText)
+            fixed (byte* pbAdditionalAuthenticatedData = additionalAuthenticatedData)
+            fixed (byte* pbDestination = destination)
             {
-                // The buffer contains key material, so delete it.
-                UnsafeBufferUtil.SecureZeroMemory(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes);
+                // Calculate offsets
+                byte* pbKeyModifier = pbCiphertext;
+                byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
+                byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
+                byte* pbAuthTag = &pbEncryptedData[plaintextLength];
+
+                // Use the KDF to recreate the symmetric block cipher key
+                // We'll need a temporary buffer to hold the symmetric encryption subkey
+                byte* pbSymmetricDecryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
+                try
+                {
+                    _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
+                        pbLabel: pbAdditionalAuthenticatedData,
+                        cbLabel: (uint)additionalAuthenticatedData.Length,
+                        contextHeader: _contextHeader,
+                        pbContext: pbKeyModifier,
+                        cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
+                        pbDerivedKey: pbSymmetricDecryptionSubkey,
+                        cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes);
+
+                    // Perform the decryption operation
+                    using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
+                    {
+                        byte dummy;
+                        byte* pbPlaintext = (plaintextLength > 0) ? pbDestination : &dummy; // CLR doesn't like pinning empty buffers
+
+                        BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO authInfo;
+                        BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out authInfo);
+                        authInfo.pbNonce = pbNonce;
+                        authInfo.cbNonce = NONCE_SIZE_IN_BYTES;
+                        authInfo.pbTag = pbAuthTag;
+                        authInfo.cbTag = TAG_SIZE_IN_BYTES;
+
+                        // The call to BCryptDecrypt will also validate the authentication tag
+                        uint cbDecryptedBytesWritten;
+                        var ntstatus = UnsafeNativeMethods.BCryptDecrypt(
+                            hKey: decryptionSubkeyHandle,
+                            pbInput: pbEncryptedData,
+                            cbInput: (uint)plaintextLength,
+                            pPaddingInfo: &authInfo,
+                            pbIV: null, // IV not used; nonce provided in pPaddingInfo
+                            cbIV: 0,
+                            pbOutput: pbPlaintext,
+                            cbOutput: (uint)plaintextLength,
+                            pcbResult: out cbDecryptedBytesWritten,
+                            dwFlags: 0);
+                        UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
+                        CryptoUtil.Assert(cbDecryptedBytesWritten == plaintextLength, "cbDecryptedBytesWritten == plaintextLength");
+
+                        // At this point, retVal := { decryptedPayload }
+                        // And we're done!
+                        bytesWritten = (int)cbDecryptedBytesWritten;
+                        return true;
+                    }
+                }
+                finally
+                {
+                    // The buffer contains key material, so delete it.
+                    UnsafeBufferUtil.SecureZeroMemory(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes);
+                }
             }
         }
+        catch (Exception ex) when (ex.RequiresHomogenization())
+        {
+            throw Error.CryptCommon_GenericError(ex);
+        }
+    }
+
+    public byte[] Decrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> additionalAuthenticatedData)
+    {
+        ciphertext.Validate();
+        additionalAuthenticatedData.Validate();
+
+        var size = GetDecryptedSize(ciphertext.Count);
+        var plaintext = new byte[size];
+        var destination = plaintext.AsSpan();
+
+        if (!TryDecrypt(
+            cipherText: ciphertext,
+            additionalAuthenticatedData: additionalAuthenticatedData,
+            destination: destination,
+            out var bytesWritten))
+        {
+            throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+        }
+
+        CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+        return plaintext;
     }
 
     // 'pbNonce' must point to a 96-bit buffer.
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs
@@ -37,24 +37,40 @@ public static void AssertTryEncryptTryDecryptParity(IAuthenticatedEncryptor encr
         byte[] decipheredtext = encryptor.Decrypt(new ArraySegment<byte>(ciphertext), aad);
         Assert.Equal(plaintext.AsSpan(), decipheredtext.AsSpan());
 
-        // assert calculated size is correct
-        var expectedSize = spanAuthenticatedEncryptor.GetEncryptedSize(plaintext.Count);
-        Assert.Equal(expectedSize, ciphertext.Length);
+        // assert calculated sizes are correct
+        var expectedEncryptedSize = spanAuthenticatedEncryptor.GetEncryptedSize(plaintext.Count);
+        Assert.Equal(expectedEncryptedSize, ciphertext.Length);
+        var expectedDecryptedSize = spanAuthenticatedEncryptor.GetDecryptedSize(ciphertext.Length);
+        Assert.Equal(expectedDecryptedSize, decipheredtext.Length);
 
         // perform TryEncrypt and Decrypt roundtrip - ensures cross operation compatibility
-        var cipherTextPooled = ArrayPool<byte>.Shared.Rent(expectedSize);
+        var cipherTextPooled = ArrayPool<byte>.Shared.Rent(expectedEncryptedSize);
         try
         {
             var tryEncryptResult = spanAuthenticatedEncryptor.TryEncrypt(plaintext, aad, cipherTextPooled, out var bytesWritten);
-            Assert.Equal(expectedSize, bytesWritten);
+            Assert.Equal(expectedEncryptedSize, bytesWritten);
             Assert.True(tryEncryptResult);
 
-            var decipheredTryEncrypt = encryptor.Decrypt(new ArraySegment<byte>(cipherTextPooled, 0, expectedSize), aad);
+            var decipheredTryEncrypt = spanAuthenticatedEncryptor.Decrypt(new ArraySegment<byte>(cipherTextPooled, 0, expectedEncryptedSize), aad);
             Assert.Equal(plaintext.AsSpan(), decipheredTryEncrypt.AsSpan());
         }
         finally
         {
             ArrayPool<byte>.Shared.Return(cipherTextPooled);
         }
+
+        // perform Encrypt and TryDecrypt roundtrip - ensures cross operation compatibility
+        var plainTextPooled = ArrayPool<byte>.Shared.Rent(expectedDecryptedSize);
+        try
+        {
+            var encrypted = spanAuthenticatedEncryptor.Encrypt(plaintext, aad);
+            var decipheredTryDecrypt = spanAuthenticatedEncryptor.TryDecrypt(encrypted, aad, plainTextPooled, out var bytesWritten);
+            Assert.Equal(plaintext.AsSpan(), plainTextPooled.AsSpan());
+            Assert.True(decipheredTryDecrypt);
+        }
+        finally
+        {
+            ArrayPool<byte>.Shared.Return(cipherTextPooled);
+        }
     }
 }
