diff --git a/AspNetCore.slnx b/AspNetCore.slnx
index 60f5ca0d74fc..04b830ca5ad3 100644
--- a/AspNetCore.slnx
+++ b/AspNetCore.slnx
@@ -161,6 +161,9 @@
+
+
+
@@ -1143,6 +1146,7 @@
+
@@ -1190,8 +1194,8 @@
-
+
diff --git a/src/DataProtection/Abstractions/src/ISpanDataProtector.cs b/src/DataProtection/Abstractions/src/ISpanDataProtector.cs
new file mode 100644
index 000000000000..cec7f20db679
--- /dev/null
+++ b/src/DataProtection/Abstractions/src/ISpanDataProtector.cs
@@ -0,0 +1,50 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.DataProtection;
+
+///
+/// An interface that can provide data protection services.
+/// Is an optimized version of .
+///
+public interface ISpanDataProtector : IDataProtector
+{
+ ///
+ /// Determines the size of the protected data in order to then use ."/>.
+ ///
+ /// The plain text length which will be encrypted later.
+ /// The size of the protected data.
+ int GetProtectedSize(int plainTextLength);
+
+ ///
+ /// Returns the size of the decrypted data for a given ciphertext length.
+ /// Size can be an over-estimation, the specific size will be written in bytesWritten parameter of the
+ ///
+ /// Length of the cipher text that will be decrypted later.
+ /// The length of the decrypted data.
+ int GetUnprotectedSize(int cipherTextLength);
+
+ ///
+ /// Attempts to encrypt and tamper-proof a piece of data.
+ ///
+ /// The input to encrypt.
+ /// The ciphertext blob, including authentication tag.
+ /// When this method returns, the total number of bytes written into destination
+ /// true if destination is long enough to receive the encrypted data; otherwise, false.
+ bool TryProtect(ReadOnlySpan plainText, Span destination, out int bytesWritten);
+
+ ///
+ /// Attempts to validate the authentication tag of and decrypt a blob of encrypted data.
+ ///
+ /// The encrypted data to decrypt.
+ /// The decrypted output.
+ /// When this method returns, the total number of bytes written into destination
+ /// true if decryption was successful; otherwise, false.
+ bool TryUnprotect(ReadOnlySpan cipherText, Span destination, out int bytesWritten);
+}
diff --git a/src/DataProtection/Abstractions/src/Microsoft.AspNetCore.DataProtection.Abstractions.csproj b/src/DataProtection/Abstractions/src/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
index 1fe6c9dd19ba..694e0a251ed0 100644
--- a/src/DataProtection/Abstractions/src/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
+++ b/src/DataProtection/Abstractions/src/Microsoft.AspNetCore.DataProtection.Abstractions.csproj
@@ -22,6 +22,10 @@ Microsoft.AspNetCore.DataProtection.IDataProtector
+
+
+
+
diff --git a/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt b/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..e84f81ef9927 100644
--- a/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt
+++ b/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt
@@ -1 +1,6 @@
#nullable enable
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector.GetProtectedSize(int plainTextLength) -> int
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector.GetUnprotectedSize(int cipherTextLength) -> int
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector.TryProtect(System.ReadOnlySpan plainText, System.Span destination, out int bytesWritten) -> bool
+Microsoft.AspNetCore.DataProtection.ISpanDataProtector.TryUnprotect(System.ReadOnlySpan cipherText, System.Span destination, out int bytesWritten) -> bool
diff --git a/src/DataProtection/DataProtection.slnf b/src/DataProtection/DataProtection.slnf
index dafc26b7f42a..cd4ecbfc4810 100644
--- a/src/DataProtection/DataProtection.slnf
+++ b/src/DataProtection/DataProtection.slnf
@@ -16,6 +16,7 @@
"src\\DataProtection\\Extensions\\test\\Microsoft.AspNetCore.DataProtection.Extensions.Tests.csproj",
"src\\DataProtection\\StackExchangeRedis\\src\\Microsoft.AspNetCore.DataProtection.StackExchangeRedis.csproj",
"src\\DataProtection\\StackExchangeRedis\\test\\Microsoft.AspNetCore.DataProtection.StackExchangeRedis.Tests.csproj",
+ "src\\DataProtection\\benchmarks\\Microsoft.AspNetCore.DataProtection.MicroBenchmarks\\Microsoft.AspNetCore.DataProtection.MicroBenchmarks.csproj",
"src\\DataProtection\\samples\\CustomEncryptorSample\\CustomEncryptorSample.csproj",
"src\\DataProtection\\samples\\EntityFrameworkCoreSample\\EntityFrameworkCoreSample.csproj",
"src\\DataProtection\\samples\\KeyManagementSample\\KeyManagementSample.csproj",
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ISpanAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ISpanAuthenticatedEncryptor.cs
new file mode 100644
index 000000000000..3fc03c9576e0
--- /dev/null
+++ b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ISpanAuthenticatedEncryptor.cs
@@ -0,0 +1,58 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+
+///
+/// Provides an authenticated encryption and decryption routine via a span-based API.
+///
+public interface ISpanAuthenticatedEncryptor : IAuthenticatedEncryptor
+{
+ ///
+ /// Returns the size of the encrypted data for a given plaintext length.
+ ///
+ /// Length of the plain text that will be encrypted later
+ /// The length of the encrypted data
+ int GetEncryptedSize(int plainTextLength);
+
+ ///
+ /// Returns the size of the decrypted data for a given ciphertext length.
+ /// Size can be an over-estimation, the specific size will be written in bytesWritten parameter of the
+ ///
+ /// Length of the cipher text that will be decrypted later.
+ /// The length of the decrypted data.
+ int GetDecryptedSize(int cipherTextLength);
+
+ ///
+ /// Attempts to encrypt and tamper-proof a piece of data.
+ ///
+ /// The input to encrypt.
+ ///
+ /// A piece of data which will not be included in
+ /// the returned ciphertext but which will still be covered by the authentication tag.
+ /// This input may be zero bytes in length. The same AAD must be specified in the corresponding decryption call.
+ ///
+ /// The ciphertext blob, including authentication tag.
+ /// When this method returns, the total number of bytes written into destination
+ /// true if destination is long enough to receive the encrypted data; otherwise, false.
+ bool TryEncrypt(ReadOnlySpan plaintext, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten);
+
+ ///
+ /// Attempts to validate the authentication tag of and decrypt a blob of encrypted data.
+ ///
+ /// The encrypted data to decrypt.
+ ///
+ /// A piece of data which was included in the authentication tag during encryption.
+ /// This input may be zero bytes in length. The same AAD must be specified in the corresponding encryption call.
+ ///
+ /// The decrypted output.
+ /// When this method returns, the total number of bytes written into destination
+ /// true if decryption was successful; otherwise, false.
+ bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten);
+}
diff --git a/src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs
index c77f84671f38..65631399e7df 100644
--- a/src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs
+++ b/src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs
@@ -2,11 +2,12 @@
// The .NET Foundation licenses this file to you under the MIT license.
using System;
+using System.Buffers;
+using System.Runtime.CompilerServices;
using Microsoft.AspNetCore.Cryptography;
using Microsoft.AspNetCore.Cryptography.Cng;
using Microsoft.AspNetCore.Cryptography.SafeHandles;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNetCore.DataProtection.Cng.Internal;
using Microsoft.AspNetCore.DataProtection.SP800_108;
namespace Microsoft.AspNetCore.DataProtection.Cng;
@@ -14,7 +15,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng;
// An encryptor which does Encrypt(CBC) + HMAC using the Windows CNG (BCrypt*) APIs.
// The payloads produced by this encryptor should be compatible with the payloads
// produced by the managed Encrypt(CBC) + HMAC encryptor.
-internal sealed unsafe class CbcAuthenticatedEncryptor : CngAuthenticatedEncryptorBase
+internal sealed unsafe class CbcAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, ISpanAuthenticatedEncryptor, IDisposable
{
// Even when IVs are chosen randomly, CBC is susceptible to IV collisions within a single
// key. For a 64-bit block cipher (like 3DES), we'd expect a collision after 2^32 block
@@ -56,221 +57,133 @@ public CbcAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHandle
_contextHeader = CreateContextHeader();
}
- private byte[] CreateContextHeader()
+ public int GetDecryptedSize(int cipherTextLength)
{
- var retVal = new byte[checked(
- 1 /* KDF alg */
- + 1 /* chaining mode */
- + sizeof(uint) /* sym alg key size */
- + sizeof(uint) /* sym alg block size */
- + sizeof(uint) /* hmac alg key size */
- + sizeof(uint) /* hmac alg digest size */
- + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */
- + _hmacAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)];
-
- fixed (byte* pbRetVal = retVal)
+ // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
+ if (cipherTextLength < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes))
{
- byte* ptr = pbRetVal;
-
- // First is the two-byte header
- *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
- *(ptr++) = 0; // 0x00 = CBC encryption + HMAC authentication
+ throw Error.CryptCommon_PayloadInvalid();
+ }
- // Next is information about the symmetric algorithm (key size followed by block size)
- BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes);
- BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmBlockSizeInBytes);
+ return checked(cipherTextLength - (int)(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes));
+ }
- // Next is information about the HMAC algorithm (key size followed by digest size)
- BitHelpers.WriteTo(ref ptr, _hmacAlgorithmSubkeyLengthInBytes);
- BitHelpers.WriteTo(ref ptr, _hmacAlgorithmDigestLengthInBytes);
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
+ var cbEncryptedData = GetDecryptedSize(cipherText.Length);
- // See the design document for an explanation of the following code.
- var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes];
- fixed (byte* pbTempKeys = tempKeys)
+ // Assumption: cipherText := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) }
+ fixed (byte* pbCiphertext = cipherText)
+ fixed (byte* pbAdditionalAuthenticatedData = additionalAuthenticatedData)
+ fixed (byte* pbDestination = destination)
+ {
+ // Calculate offsets
+ byte* pbKeyModifier = pbCiphertext;
+ byte* pbIV = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
+ byte* pbEncryptedData = &pbIV[_symmetricAlgorithmBlockSizeInBytes];
+ byte* pbActualHmac = &pbEncryptedData[cbEncryptedData];
+
+ // Use the KDF to recreate the symmetric encryption and HMAC subkeys
+ // We'll need a temporary buffer to hold them
+ var cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes);
+ byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)];
+ try
{
- byte dummy;
-
- // Derive temporary keys for encryption + HMAC.
- using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider())
+ _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
+ pbLabel: pbAdditionalAuthenticatedData,
+ cbLabel: (uint)additionalAuthenticatedData.Length,
+ contextHeader: _contextHeader,
+ pbContext: pbKeyModifier,
+ cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
+ pbDerivedKey: pbTempSubkeys,
+ cbDerivedKey: cbTempSubkeys);
+
+ // Calculate offsets
+ byte* pbSymmetricEncryptionSubkey = pbTempSubkeys;
+ byte* pbHmacSubkey = &pbTempSubkeys[_symmetricAlgorithmSubkeyLengthInBytes];
+
+ // First, perform an explicit integrity check over (iv | encryptedPayload) to ensure the
+ // data hasn't been tampered with. The integrity check is also implicitly performed over
+ // keyModifier since that value was provided to the KDF earlier.
+ using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
{
- provider.DeriveKey(
- pbLabel: &dummy,
- cbLabel: 0,
- pbContext: &dummy,
- cbContext: 0,
- pbDerivedKey: pbTempKeys,
- cbDerivedKey: (uint)tempKeys.Length);
+ if (!ValidateHash(hashHandle, pbIV, _symmetricAlgorithmBlockSizeInBytes + (uint)cbEncryptedData, pbActualHmac))
+ {
+ throw Error.CryptCommon_PayloadInvalid();
+ }
}
- // At this point, tempKeys := { K_E || K_H }.
- byte* pbSymmetricEncryptionSubkey = pbTempKeys;
- byte* pbHmacSubkey = &pbTempKeys[_symmetricAlgorithmSubkeyLengthInBytes];
-
- // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer.
- using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
+ // If the integrity check succeeded, decrypt the payload.
+ using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
{
- fixed (byte* pbIV = new byte[_symmetricAlgorithmBlockSizeInBytes] /* will be zero-initialized */)
+ // BCryptDecrypt mutates the provided IV; we need to clone it to prevent mutation of the original value
+ byte* pbClonedIV = stackalloc byte[checked((int)_symmetricAlgorithmBlockSizeInBytes)];
+ UnsafeBufferUtil.BlockCopy(from: pbIV, to: pbClonedIV, byteCount: _symmetricAlgorithmBlockSizeInBytes);
+
+ // Perform the decryption directly into destination
+ uint dwActualDecryptedByteCount;
+ byte dummy;
+ var ntstatus = UnsafeNativeMethods.BCryptDecrypt(
+ hKey: decryptionSubkeyHandle,
+ pbInput: pbEncryptedData,
+ cbInput: (uint)cbEncryptedData,
+ pPaddingInfo: null,
+ pbIV: pbClonedIV,
+ cbIV: _symmetricAlgorithmBlockSizeInBytes,
+ pbOutput: (destination.Length > 0) ? pbDestination : &dummy,
+ cbOutput: (uint)destination.Length,
+ pcbResult: out dwActualDecryptedByteCount,
+ dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
+
+ // Check for buffer too small before throwing other exceptions
+ // https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
+ if (ntstatus == unchecked((int)0xC0000023)) // STATUS_BUFFER_TOO_SMALL
{
- DoCbcEncrypt(
- symmetricKeyHandle: symmetricKeyHandle,
- pbIV: pbIV,
- pbInput: &dummy,
- cbInput: 0,
- pbOutput: ptr,
- cbOutput: _symmetricAlgorithmBlockSizeInBytes);
+ return false;
}
- }
- ptr += _symmetricAlgorithmBlockSizeInBytes;
+ UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
- // MAC a zero-length input string and copy the digest to the return buffer.
- using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
- {
- hashHandle.HashData(
- pbInput: &dummy,
- cbInput: 0,
- pbHashDigest: ptr,
- cbHashDigest: _hmacAlgorithmDigestLengthInBytes);
+ bytesWritten = checked((int)dwActualDecryptedByteCount);
+ return true;
}
-
- ptr += _hmacAlgorithmDigestLengthInBytes;
- CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length");
+ }
+ finally
+ {
+ // Buffer contains sensitive key material; delete.
+ UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys);
}
}
-
- // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || hmacAlgKeySize || hmacAlgDigestSize || E("") || MAC("") }.
- return retVal;
}
- protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
+ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
{
- // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
- if (cbCiphertext < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes))
- {
- throw Error.CryptCommon_PayloadInvalid();
- }
-
- // Assumption: pbCipherText := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) }
-
- var cbEncryptedData = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _hmacAlgorithmDigestLengthInBytes));
-
- // Calculate offsets
- byte* pbKeyModifier = pbCiphertext;
- byte* pbIV = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
- byte* pbEncryptedData = &pbIV[_symmetricAlgorithmBlockSizeInBytes];
- byte* pbActualHmac = &pbEncryptedData[cbEncryptedData];
+ ciphertext.Validate();
+ additionalAuthenticatedData.Validate();
- // Use the KDF to recreate the symmetric encryption and HMAC subkeys
- // We'll need a temporary buffer to hold them
- var cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes);
- byte* pbTempSubkeys = stackalloc byte[checked((int)cbTempSubkeys)];
+ var size = GetDecryptedSize(ciphertext.Count);
+ var rentedArray = ArrayPool.Shared.Rent(size);
try
{
- _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
- pbLabel: pbAdditionalAuthenticatedData,
- cbLabel: cbAdditionalAuthenticatedData,
- contextHeader: _contextHeader,
- pbContext: pbKeyModifier,
- cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
- pbDerivedKey: pbTempSubkeys,
- cbDerivedKey: cbTempSubkeys);
-
- // Calculate offsets
- byte* pbSymmetricEncryptionSubkey = pbTempSubkeys;
- byte* pbHmacSubkey = &pbTempSubkeys[_symmetricAlgorithmSubkeyLengthInBytes];
+ var destination = rentedArray.AsSpan(0, size);
- // First, perform an explicit integrity check over (iv | encryptedPayload) to ensure the
- // data hasn't been tampered with. The integrity check is also implicitly performed over
- // keyModifier since that value was provided to the KDF earlier.
- using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
+ if (!TryDecrypt(
+ cipherText: ciphertext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
{
- if (!ValidateHash(hashHandle, pbIV, _symmetricAlgorithmBlockSizeInBytes + cbEncryptedData, pbActualHmac))
- {
- throw Error.CryptCommon_PayloadInvalid();
- }
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
}
- // If the integrity check succeeded, decrypt the payload.
- using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
- {
- return DoCbcDecrypt(decryptionSubkeyHandle, pbIV, pbEncryptedData, cbEncryptedData);
- }
+ // in CBC we dont know the exact size of the decrypted data beforehand,
+ // so we firstly use rented array and then allocate with the exact size
+ var result = destination.Slice(0, bytesWritten).ToArray();
+ return result;
}
finally
{
- // Buffer contains sensitive key material; delete.
- UnsafeBufferUtil.SecureZeroMemory(pbTempSubkeys, cbTempSubkeys);
- }
- }
-
- public override void Dispose()
- {
- _sp800_108_ctr_hmac_provider.Dispose();
-
- // We don't want to dispose of the underlying algorithm instances because they
- // might be reused.
- }
-
- // 'pbIV' must be a pointer to a buffer equal in length to the symmetric algorithm block size.
- private byte[] DoCbcDecrypt(BCryptKeyHandle symmetricKeyHandle, byte* pbIV, byte* pbInput, uint cbInput)
- {
- // BCryptDecrypt mutates the provided IV; we need to clone it to prevent mutation of the original value
- byte* pbClonedIV = stackalloc byte[checked((int)_symmetricAlgorithmBlockSizeInBytes)];
- UnsafeBufferUtil.BlockCopy(from: pbIV, to: pbClonedIV, byteCount: _symmetricAlgorithmBlockSizeInBytes);
-
- // First, figure out how large an output buffer we require.
- // Ideally we'd be able to transform the last block ourselves and strip
- // off the padding before creating the return value array, but we don't
- // know the actual padding scheme being used under the covers (we can't
- // assume PKCS#7). So unfortunately we're stuck with the temporary buffer.
- // (Querying the output size won't mutate the IV.)
- uint dwEstimatedDecryptedByteCount;
- var ntstatus = UnsafeNativeMethods.BCryptDecrypt(
- hKey: symmetricKeyHandle,
- pbInput: pbInput,
- cbInput: cbInput,
- pPaddingInfo: null,
- pbIV: pbClonedIV,
- cbIV: _symmetricAlgorithmBlockSizeInBytes,
- pbOutput: null,
- cbOutput: 0,
- pcbResult: out dwEstimatedDecryptedByteCount,
- dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
- UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
-
- var decryptedPayload = new byte[dwEstimatedDecryptedByteCount];
- uint dwActualDecryptedByteCount;
- fixed (byte* pbDecryptedPayload = decryptedPayload)
- {
- byte dummy;
-
- // Perform the actual decryption.
- ntstatus = UnsafeNativeMethods.BCryptDecrypt(
- hKey: symmetricKeyHandle,
- pbInput: pbInput,
- cbInput: cbInput,
- pPaddingInfo: null,
- pbIV: pbClonedIV,
- cbIV: _symmetricAlgorithmBlockSizeInBytes,
- pbOutput: (pbDecryptedPayload != null) ? pbDecryptedPayload : &dummy, // CLR won't pin zero-length arrays
- cbOutput: dwEstimatedDecryptedByteCount,
- pcbResult: out dwActualDecryptedByteCount,
- dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
- UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
- }
-
- // Decryption finished!
- CryptoUtil.Assert(dwActualDecryptedByteCount <= dwEstimatedDecryptedByteCount, "dwActualDecryptedByteCount <= dwEstimatedDecryptedByteCount");
- if (dwActualDecryptedByteCount == dwEstimatedDecryptedByteCount)
- {
- // payload takes up the entire buffer
- return decryptedPayload;
- }
- else
- {
- // payload takes up only a partial buffer
- var resizedDecryptedPayload = new byte[dwActualDecryptedByteCount];
- Buffer.BlockCopy(decryptedPayload, 0, resizedDecryptedPayload, 0, resizedDecryptedPayload.Length);
- return resizedDecryptedPayload;
+ ArrayPool.Shared.Return(rentedArray);
}
}
@@ -299,8 +212,16 @@ private void DoCbcEncrypt(BCryptKeyHandle symmetricKeyHandle, byte* pbIV, byte*
CryptoUtil.Assert(dwEncryptedBytes == cbOutput, "dwEncryptedBytes == cbOutput");
}
- protected override byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer)
+ public int GetEncryptedSize(int plainTextLength)
{
+ uint paddedCiphertextLength = GetCbcEncryptedOutputSizeWithPadding((uint)plainTextLength);
+ return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + paddedCiphertextLength + _hmacAlgorithmDigestLengthInBytes));
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plaintext, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
+
// This buffer will be used to hold the symmetric encryption and HMAC subkeys
// used in the generation of this payload.
var cbTempSubkeys = checked(_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes);
@@ -318,14 +239,17 @@ protected override byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte*
byte* pbIV = &pbKeyModifierAndIV[KEY_MODIFIER_SIZE_IN_BYTES];
// Use the KDF to generate a new symmetric encryption and HMAC subkey
- _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
- pbLabel: pbAdditionalAuthenticatedData,
- cbLabel: cbAdditionalAuthenticatedData,
- contextHeader: _contextHeader,
- pbContext: pbKeyModifier,
- cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
- pbDerivedKey: pbTempSubkeys,
- cbDerivedKey: cbTempSubkeys);
+ fixed (byte* pbAdditionalAuthenticatedData = additionalAuthenticatedData)
+ {
+ _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
+ pbLabel: pbAdditionalAuthenticatedData,
+ cbLabel: (uint)additionalAuthenticatedData.Length,
+ contextHeader: _contextHeader,
+ pbContext: pbKeyModifier,
+ cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
+ pbDerivedKey: pbTempSubkeys,
+ cbDerivedKey: cbTempSubkeys);
+ }
// Calculate offsets
byte* pbSymmetricEncryptionSubkey = pbTempSubkeys;
@@ -333,50 +257,52 @@ protected override byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte*
using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
{
- // We can't assume PKCS#7 padding (maybe the underlying provider is really using CTS),
- // so we need to query the padded output size before we can allocate the return value array.
- var cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlaintext, cbPlaintext);
-
- // Allocate return value array and start copying some data
- var retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext + _hmacAlgorithmDigestLengthInBytes + cbPostBuffer)];
- fixed (byte* pbRetVal = retVal)
+ // Get the padded output size
+ byte dummy;
+ fixed (byte* pbPlaintextArray = plaintext)
{
- // Calculate offsets
- byte* pbOutputKeyModifier = &pbRetVal[cbPreBuffer];
- byte* pbOutputIV = &pbOutputKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
- byte* pbOutputCiphertext = &pbOutputIV[_symmetricAlgorithmBlockSizeInBytes];
- byte* pbOutputHmac = &pbOutputCiphertext[cbOutputCiphertext];
-
- UnsafeBufferUtil.BlockCopy(from: pbKeyModifierAndIV, to: pbOutputKeyModifier, byteCount: cbKeyModifierAndIV);
-
- // retVal will eventually contain { preBuffer | keyModifier | iv | encryptedData | HMAC(iv | encryptedData) | postBuffer }
- // At this point, retVal := { preBuffer | keyModifier | iv | _____ | _____ | postBuffer }
-
- DoCbcEncrypt(
- symmetricKeyHandle: symmetricKeyHandle,
- pbIV: pbIV,
- pbInput: pbPlaintext,
- cbInput: cbPlaintext,
- pbOutput: pbOutputCiphertext,
- cbOutput: cbOutputCiphertext);
-
- // At this point, retVal := { preBuffer | keyModifier | iv | encryptedData | _____ | postBuffer }
-
- // Compute the HMAC over the IV and the ciphertext (prevents IV tampering).
- // The HMAC is already implicitly computed over the key modifier since the key
- // modifier is used as input to the KDF.
- using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
+ var pbPlaintext = (pbPlaintextArray != null) ? pbPlaintextArray : &dummy;
+ var cbOutputCiphertext = GetCbcEncryptedOutputSizeWithPadding(symmetricKeyHandle, pbPlaintext, (uint)plaintext.Length);
+
+ // Calculate total required size and validate destination buffer BEFORE any pointer calculations
+ var totalRequiredSize = checked(cbKeyModifierAndIV + cbOutputCiphertext + _hmacAlgorithmDigestLengthInBytes);
+ if (destination.Length < totalRequiredSize)
{
- hashHandle.HashData(
- pbInput: pbOutputIV,
- cbInput: checked(_symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext),
- pbHashDigest: pbOutputHmac,
- cbHashDigest: _hmacAlgorithmDigestLengthInBytes);
+ return false;
}
- // At this point, retVal := { preBuffer | keyModifier | iv | encryptedData | HMAC(iv | encryptedData) | postBuffer }
- // And we're done!
- return retVal;
+ fixed (byte* pbDestination = destination)
+ {
+ // Calculate offsets in destination
+ byte* pbOutputKeyModifier = pbDestination;
+ byte* pbOutputIV = &pbOutputKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
+ byte* pbOutputCiphertext = &pbOutputIV[_symmetricAlgorithmBlockSizeInBytes];
+ byte* pbOutputHmac = &pbOutputCiphertext[cbOutputCiphertext];
+
+ Unsafe.CopyBlock(pbOutputKeyModifier, pbKeyModifierAndIV, cbKeyModifierAndIV);
+ bytesWritten += checked((int)cbKeyModifierAndIV);
+
+ DoCbcEncrypt(
+ symmetricKeyHandle: symmetricKeyHandle,
+ pbIV: pbIV,
+ pbInput: pbPlaintext,
+ cbInput: (uint)plaintext.Length,
+ pbOutput: pbOutputCiphertext,
+ cbOutput: cbOutputCiphertext);
+ bytesWritten += checked((int)cbOutputCiphertext);
+
+ using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
+ {
+ hashHandle.HashData(
+ pbInput: pbOutputIV,
+ cbInput: checked(_symmetricAlgorithmBlockSizeInBytes + cbOutputCiphertext),
+ pbHashDigest: pbOutputHmac,
+ cbHashDigest: _hmacAlgorithmDigestLengthInBytes);
+ }
+ bytesWritten += checked((int)_hmacAlgorithmDigestLengthInBytes);
+
+ return true;
+ }
}
}
}
@@ -387,6 +313,65 @@ protected override byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte*
}
}
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
+ {
+ plaintext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ var size = GetEncryptedSize(plaintext.Count);
+ var ciphertext = new byte[preBufferSize + size + postBufferSize];
+ var destination = ciphertext.AsSpan((int)preBufferSize, size);
+
+ if (!TryEncrypt(
+ plaintext: plaintext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
+
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return ciphertext;
+ }
+
+ ///
+ /// Should be used only for expected encrypt/decrypt size calculation,
+ /// use the other overload
+ /// for the actual encryption algorithm
+ ///
+ private uint GetCbcEncryptedOutputSizeWithPadding(uint cbInput)
+ {
+ // Create a temporary key with dummy data for size calculation only
+ // The actual key material doesn't matter for size calculation
+ byte* pbDummyKey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
+ // Leave pbDummyKey uninitialized (all zeros) - BCrypt doesn't care for size queries
+
+ using var tempKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbDummyKey, _symmetricAlgorithmSubkeyLengthInBytes);
+
+ // Use uninitialized IV and input data - only the lengths matter
+ byte* pbDummyIV = stackalloc byte[checked((int)_symmetricAlgorithmBlockSizeInBytes)];
+ byte* pbDummyInput = stackalloc byte[checked((int)cbInput)];
+
+ var ntstatus = UnsafeNativeMethods.BCryptEncrypt(
+ hKey: tempKeyHandle,
+ pbInput: pbDummyInput,
+ cbInput: cbInput,
+ pPaddingInfo: null,
+ pbIV: pbDummyIV,
+ cbIV: _symmetricAlgorithmBlockSizeInBytes,
+ pbOutput: null, // NULL output = size query only
+ cbOutput: 0,
+ pcbResult: out var dwResult,
+ dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
+ UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
+
+ return dwResult;
+ }
+
private uint GetCbcEncryptedOutputSizeWithPadding(BCryptKeyHandle symmetricKeyHandle, byte* pbInput, uint cbInput)
{
// ok for this memory to remain uninitialized since nobody depends on it
@@ -394,7 +379,6 @@ private uint GetCbcEncryptedOutputSizeWithPadding(BCryptKeyHandle symmetricKeyHa
// Calling BCryptEncrypt with a null output pointer will cause it to return the total number
// of bytes required for the output buffer.
- uint dwResult;
var ntstatus = UnsafeNativeMethods.BCryptEncrypt(
hKey: symmetricKeyHandle,
pbInput: pbInput,
@@ -404,7 +388,7 @@ private uint GetCbcEncryptedOutputSizeWithPadding(BCryptKeyHandle symmetricKeyHa
cbIV: _symmetricAlgorithmBlockSizeInBytes,
pbOutput: null,
cbOutput: 0,
- pcbResult: out dwResult,
+ pcbResult: out var dwResult,
dwFlags: BCryptEncryptFlags.BCRYPT_BLOCK_PADDING);
UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
@@ -418,4 +402,97 @@ private bool ValidateHash(BCryptHashHandle hashHandle, byte* pbInput, uint cbInp
hashHandle.HashData(pbInput, cbInput, pbActualDigest, _hmacAlgorithmDigestLengthInBytes);
return CryptoUtil.TimeConstantBuffersAreEqual(pbExpectedDigest, pbActualDigest, _hmacAlgorithmDigestLengthInBytes);
}
+
+ private byte[] CreateContextHeader()
+ {
+ var retVal = new byte[checked(
+ 1 /* KDF alg */
+ + 1 /* chaining mode */
+ + sizeof(uint) /* sym alg key size */
+ + sizeof(uint) /* sym alg block size */
+ + sizeof(uint) /* hmac alg key size */
+ + sizeof(uint) /* hmac alg digest size */
+ + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */
+ + _hmacAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)];
+
+ fixed (byte* pbRetVal = retVal)
+ {
+ byte* ptr = pbRetVal;
+
+ // First is the two-byte header
+ *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
+ *(ptr++) = 0; // 0x00 = CBC encryption + HMAC authentication
+
+ // Next is information about the symmetric algorithm (key size followed by block size)
+ BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmBlockSizeInBytes);
+
+ // Next is information about the HMAC algorithm (key size followed by digest size)
+ BitHelpers.WriteTo(ref ptr, _hmacAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(ref ptr, _hmacAlgorithmDigestLengthInBytes);
+
+ // See the design document for an explanation of the following code.
+ var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _hmacAlgorithmSubkeyLengthInBytes];
+ fixed (byte* pbTempKeys = tempKeys)
+ {
+ byte dummy;
+
+ // Derive temporary keys for encryption + HMAC.
+ using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider())
+ {
+ provider.DeriveKey(
+ pbLabel: &dummy,
+ cbLabel: 0,
+ pbContext: &dummy,
+ cbContext: 0,
+ pbDerivedKey: pbTempKeys,
+ cbDerivedKey: (uint)tempKeys.Length);
+ }
+
+ // At this point, tempKeys := { K_E || K_H }.
+ byte* pbSymmetricEncryptionSubkey = pbTempKeys;
+ byte* pbHmacSubkey = &pbTempKeys[_symmetricAlgorithmSubkeyLengthInBytes];
+
+ // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer.
+ using (var symmetricKeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
+ {
+ fixed (byte* pbIV = new byte[_symmetricAlgorithmBlockSizeInBytes] /* will be zero-initialized */)
+ {
+ DoCbcEncrypt(
+ symmetricKeyHandle: symmetricKeyHandle,
+ pbIV: pbIV,
+ pbInput: &dummy,
+ cbInput: 0,
+ pbOutput: ptr,
+ cbOutput: _symmetricAlgorithmBlockSizeInBytes);
+ }
+ }
+ ptr += _symmetricAlgorithmBlockSizeInBytes;
+
+ // MAC a zero-length input string and copy the digest to the return buffer.
+ using (var hashHandle = _hmacAlgorithmHandle.CreateHmac(pbHmacSubkey, _hmacAlgorithmSubkeyLengthInBytes))
+ {
+ hashHandle.HashData(
+ pbInput: &dummy,
+ cbInput: 0,
+ pbHashDigest: ptr,
+ cbHashDigest: _hmacAlgorithmDigestLengthInBytes);
+ }
+
+ ptr += _hmacAlgorithmDigestLengthInBytes;
+ CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length");
+ }
+ }
+
+ // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || hmacAlgKeySize || hmacAlgDigestSize || E("") || MAC("") }.
+ return retVal;
+ }
+
+ public void Dispose()
+ {
+ _sp800_108_ctr_hmac_provider.Dispose();
+
+ // We don't want to dispose of the underlying algorithm instances because they
+ // might be reused.
+ }
}
diff --git a/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs
index bf08a886e1f5..615f44fe61a0 100644
--- a/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs
+++ b/src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs
@@ -1,11 +1,11 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System;
using Microsoft.AspNetCore.Cryptography;
using Microsoft.AspNetCore.Cryptography.Cng;
using Microsoft.AspNetCore.Cryptography.SafeHandles;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
-using Microsoft.AspNetCore.DataProtection.Cng.Internal;
using Microsoft.AspNetCore.DataProtection.SP800_108;
namespace Microsoft.AspNetCore.DataProtection.Cng;
@@ -20,7 +20,7 @@ namespace Microsoft.AspNetCore.DataProtection.Cng;
// going to the IV. This means that we'll only hit the 2^-32 probability limit after 2^96 encryption
// operations, which will realistically never happen. (At the absurd rate of one encryption operation
// per nanosecond, it would still take 180 times the age of the universe to hit 2^96 operations.)
-internal sealed unsafe class CngGcmAuthenticatedEncryptor : CngAuthenticatedEncryptorBase
+internal sealed unsafe class CngGcmAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, ISpanAuthenticatedEncryptor, IDisposable
{
// Having a key modifier ensures with overwhelming probability that no two encryption operations
// will ever derive the same (encryption subkey, MAC subkey) pair. This limits an attacker's
@@ -50,90 +50,39 @@ public CngGcmAuthenticatedEncryptor(Secret keyDerivationKey, BCryptAlgorithmHand
_contextHeader = CreateContextHeader();
}
- private byte[] CreateContextHeader()
+ public int GetDecryptedSize(int cipherTextLength)
{
- var retVal = new byte[checked(
- 1 /* KDF alg */
- + 1 /* chaining mode */
- + sizeof(uint) /* sym alg key size */
- + sizeof(uint) /* GCM nonce size */
- + sizeof(uint) /* sym alg block size */
- + sizeof(uint) /* GCM tag size */
- + TAG_SIZE_IN_BYTES /* tag of GCM-encrypted empty string */)];
-
- fixed (byte* pbRetVal = retVal)
+ // Argument checking: input must at the absolute minimum contain a key modifier, nonce, and tag
+ if (cipherTextLength < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
{
- byte* ptr = pbRetVal;
-
- // First is the two-byte header
- *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
- *(ptr++) = 1; // 0x01 = GCM encryption + authentication
-
- // Next is information about the symmetric algorithm (key size, nonce size, block size, tag size)
- BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes);
- BitHelpers.WriteTo(ref ptr, NONCE_SIZE_IN_BYTES);
- BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES); // block size = tag size
- BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES);
-
- // See the design document for an explanation of the following code.
- var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
- fixed (byte* pbTempKeys = tempKeys)
- {
- byte dummy;
-
- // Derive temporary key for encryption.
- using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider())
- {
- provider.DeriveKey(
- pbLabel: &dummy,
- cbLabel: 0,
- pbContext: &dummy,
- cbContext: 0,
- pbDerivedKey: pbTempKeys,
- cbDerivedKey: (uint)tempKeys.Length);
- }
-
- // Encrypt a zero-length input string with an all-zero nonce and copy the tag to the return buffer.
- byte* pbNonce = stackalloc byte[(int)NONCE_SIZE_IN_BYTES];
- UnsafeBufferUtil.SecureZeroMemory(pbNonce, NONCE_SIZE_IN_BYTES);
- DoGcmEncrypt(
- pbKey: pbTempKeys,
- cbKey: _symmetricAlgorithmSubkeyLengthInBytes,
- pbNonce: pbNonce,
- pbPlaintextData: &dummy,
- cbPlaintextData: 0,
- pbEncryptedData: &dummy,
- pbTag: ptr);
- }
-
- ptr += TAG_SIZE_IN_BYTES;
- CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length");
+ throw Error.CryptCommon_PayloadInvalid();
}
- // retVal := { version || chainingMode || symAlgKeySize || nonceSize || symAlgBlockSize || symAlgTagSize || TAG-of-E("") }.
- return retVal;
+ // in GCM ciphertext is of exactly the same length as plaintext
+ return checked(cipherTextLength - (int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES));
}
- protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
{
- // Argument checking: input must at the absolute minimum contain a key modifier, nonce, and tag
- if (cbCiphertext < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
+ bytesWritten = 0;
+ var plaintextLength = GetDecryptedSize(cipherText.Length);
+
+ // Check if destination is large enough
+ if (destination.Length < plaintextLength)
{
- throw Error.CryptCommon_PayloadInvalid();
+ return false;
}
- // Assumption: pbCipherText := { keyModifier || nonce || encryptedData || authenticationTag }
-
- var cbPlaintext = checked(cbCiphertext - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES));
-
- var retVal = new byte[cbPlaintext];
- fixed (byte* pbRetVal = retVal)
+ // Assumption: cipherText := { keyModifier || nonce || encryptedData || authenticationTag }
+ fixed (byte* pbCiphertext = cipherText)
+ fixed (byte* pbAdditionalAuthenticatedData = additionalAuthenticatedData)
+ fixed (byte* pbDestination = destination)
{
// Calculate offsets
byte* pbKeyModifier = pbCiphertext;
byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
- byte* pbAuthTag = &pbEncryptedData[cbPlaintext];
+ byte* pbAuthTag = &pbEncryptedData[plaintextLength];
// Use the KDF to recreate the symmetric block cipher key
// We'll need a temporary buffer to hold the symmetric encryption subkey
@@ -142,7 +91,7 @@ protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byt
{
_sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
pbLabel: pbAdditionalAuthenticatedData,
- cbLabel: cbAdditionalAuthenticatedData,
+ cbLabel: (uint)additionalAuthenticatedData.Length,
contextHeader: _contextHeader,
pbContext: pbKeyModifier,
cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
@@ -153,7 +102,7 @@ protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byt
using (var decryptionSubkeyHandle = _symmetricAlgorithmHandle.GenerateSymmetricKey(pbSymmetricDecryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes))
{
byte dummy;
- byte* pbPlaintext = (pbRetVal != null) ? pbRetVal : &dummy; // CLR doesn't like pinning empty buffers
+ byte* pbPlaintext = (plaintextLength > 0) ? pbDestination : &dummy; // CLR doesn't like pinning empty buffers
BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO authInfo;
BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.Init(out authInfo);
@@ -167,20 +116,21 @@ protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byt
var ntstatus = UnsafeNativeMethods.BCryptDecrypt(
hKey: decryptionSubkeyHandle,
pbInput: pbEncryptedData,
- cbInput: cbPlaintext,
+ cbInput: (uint)plaintextLength,
pPaddingInfo: &authInfo,
pbIV: null, // IV not used; nonce provided in pPaddingInfo
cbIV: 0,
pbOutput: pbPlaintext,
- cbOutput: cbPlaintext,
+ cbOutput: (uint)plaintextLength,
pcbResult: out cbDecryptedBytesWritten,
dwFlags: 0);
UnsafeNativeMethods.ThrowExceptionForBCryptStatus(ntstatus);
- CryptoUtil.Assert(cbDecryptedBytesWritten == cbPlaintext, "cbDecryptedBytesWritten == cbPlaintext");
+ CryptoUtil.Assert(cbDecryptedBytesWritten == plaintextLength, "cbDecryptedBytesWritten == plaintextLength");
// At this point, retVal := { decryptedPayload }
// And we're done!
- return retVal;
+ bytesWritten = (int)cbDecryptedBytesWritten;
+ return true;
}
}
finally
@@ -191,12 +141,26 @@ protected override byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byt
}
}
- public override void Dispose()
+ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
{
- _sp800_108_ctr_hmac_provider.Dispose();
+ ciphertext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ var size = GetDecryptedSize(ciphertext.Count);
+ var plaintext = new byte[size];
+ var destination = plaintext.AsSpan();
+
+ if (!TryDecrypt(
+ cipherText: ciphertext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
- // We don't want to dispose of the underlying algorithm instances because they
- // might be reused.
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return plaintext;
}
// 'pbNonce' must point to a 96-bit buffer.
@@ -230,57 +194,185 @@ private void DoGcmEncrypt(byte* pbKey, uint cbKey, byte* pbNonce, byte* pbPlaint
}
}
- protected override byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer)
+ public int GetEncryptedSize(int plainTextLength)
{
- // Allocate a buffer to hold the key modifier, nonce, encrypted data, and tag.
+ // A buffer to hold the key modifier, nonce, encrypted data, and tag.
// In GCM, the encrypted output will be the same length as the plaintext input.
- var retVal = new byte[checked(cbPreBuffer + KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + cbPlaintext + TAG_SIZE_IN_BYTES + cbPostBuffer)];
+ return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plainTextLength + TAG_SIZE_IN_BYTES));
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plaintext, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
+
+ // before performing steps, make sure destination is large enough to hold the output
+ var totalRequiredSize = checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plaintext.Length + TAG_SIZE_IN_BYTES));
+ if (destination.Length < totalRequiredSize)
+ {
+ return false;
+ }
+
+ try
+ {
+ fixed (byte* pbDestination = destination)
+ {
+ // Calculate offsets
+ byte* pbKeyModifier = pbDestination;
+ byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
+ byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
+ byte* pbAuthTag = &pbEncryptedData[plaintext.Length];
+
+ // Randomly generate the key modifier and nonce
+ _genRandom.GenRandom(pbKeyModifier, KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES);
+ bytesWritten += checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES));
+
+ // At this point, retVal := { preBuffer | keyModifier | nonce | _____ | _____ | postBuffer }
+
+ // Use the KDF to generate a new symmetric block cipher key
+ // We'll need a temporary buffer to hold the symmetric encryption subkey
+ byte* pbSymmetricEncryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
+ try
+ {
+ fixed (byte* pbAdditionalAuthenticatedData = additionalAuthenticatedData)
+ {
+ _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
+ pbLabel: pbAdditionalAuthenticatedData,
+ cbLabel: (uint)additionalAuthenticatedData.Length,
+ contextHeader: _contextHeader,
+ pbContext: pbKeyModifier,
+ cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
+ pbDerivedKey: pbSymmetricEncryptionSubkey,
+ cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes);
+ }
+
+ // Perform the encryption operation
+ byte dummy;
+ fixed (byte* pbPlaintextArray = plaintext)
+ {
+ var pbPlaintext = (pbPlaintextArray != null) ? pbPlaintextArray : &dummy;
+
+ DoGcmEncrypt(
+ pbKey: pbSymmetricEncryptionSubkey,
+ cbKey: _symmetricAlgorithmSubkeyLengthInBytes,
+ pbNonce: pbNonce,
+ pbPlaintextData: pbPlaintext,
+ cbPlaintextData: (uint)plaintext.Length,
+ pbEncryptedData: pbEncryptedData,
+ pbTag: pbAuthTag);
+ }
+
+ // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer }
+ // And we're done!
+ bytesWritten += plaintext.Length + checked((int)TAG_SIZE_IN_BYTES);
+ return true;
+ }
+ finally
+ {
+ // The buffer contains key material, so delete it.
+ UnsafeBufferUtil.SecureZeroMemory(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes);
+ }
+ }
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ throw Error.CryptCommon_GenericError(ex);
+ }
+ }
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
+ {
+ plaintext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ var size = GetEncryptedSize(plaintext.Count);
+ var ciphertext = new byte[preBufferSize + size + postBufferSize];
+ var destination = ciphertext.AsSpan((int)preBufferSize, size);
+
+ if (!TryEncrypt(
+ plaintext: plaintext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
+
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return ciphertext;
+ }
+
+ private byte[] CreateContextHeader()
+ {
+ var retVal = new byte[checked(
+ 1 /* KDF alg */
+ + 1 /* chaining mode */
+ + sizeof(uint) /* sym alg key size */
+ + sizeof(uint) /* GCM nonce size */
+ + sizeof(uint) /* sym alg block size */
+ + sizeof(uint) /* GCM tag size */
+ + TAG_SIZE_IN_BYTES /* tag of GCM-encrypted empty string */)];
+
fixed (byte* pbRetVal = retVal)
{
- // Calculate offsets
- byte* pbKeyModifier = &pbRetVal[cbPreBuffer];
- byte* pbNonce = &pbKeyModifier[KEY_MODIFIER_SIZE_IN_BYTES];
- byte* pbEncryptedData = &pbNonce[NONCE_SIZE_IN_BYTES];
- byte* pbAuthTag = &pbEncryptedData[cbPlaintext];
+ byte* ptr = pbRetVal;
- // Randomly generate the key modifier and nonce
- _genRandom.GenRandom(pbKeyModifier, KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES);
+ // First is the two-byte header
+ *(ptr++) = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
+ *(ptr++) = 1; // 0x01 = GCM encryption + authentication
- // At this point, retVal := { preBuffer | keyModifier | nonce | _____ | _____ | postBuffer }
+ // Next is information about the symmetric algorithm (key size, nonce size, block size, tag size)
+ BitHelpers.WriteTo(ref ptr, _symmetricAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(ref ptr, NONCE_SIZE_IN_BYTES);
+ BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES); // block size = tag size
+ BitHelpers.WriteTo(ref ptr, TAG_SIZE_IN_BYTES);
- // Use the KDF to generate a new symmetric block cipher key
- // We'll need a temporary buffer to hold the symmetric encryption subkey
- byte* pbSymmetricEncryptionSubkey = stackalloc byte[checked((int)_symmetricAlgorithmSubkeyLengthInBytes)];
- try
+ // See the design document for an explanation of the following code.
+ var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+ fixed (byte* pbTempKeys = tempKeys)
{
- _sp800_108_ctr_hmac_provider.DeriveKeyWithContextHeader(
- pbLabel: pbAdditionalAuthenticatedData,
- cbLabel: cbAdditionalAuthenticatedData,
- contextHeader: _contextHeader,
- pbContext: pbKeyModifier,
- cbContext: KEY_MODIFIER_SIZE_IN_BYTES,
- pbDerivedKey: pbSymmetricEncryptionSubkey,
- cbDerivedKey: _symmetricAlgorithmSubkeyLengthInBytes);
+ byte dummy;
- // Perform the encryption operation
+ // Derive temporary key for encryption.
+ using (var provider = SP800_108_CTR_HMACSHA512Util.CreateEmptyProvider())
+ {
+ provider.DeriveKey(
+ pbLabel: &dummy,
+ cbLabel: 0,
+ pbContext: &dummy,
+ cbContext: 0,
+ pbDerivedKey: pbTempKeys,
+ cbDerivedKey: (uint)tempKeys.Length);
+ }
+
+ // Encrypt a zero-length input string with an all-zero nonce and copy the tag to the return buffer.
+ byte* pbNonce = stackalloc byte[(int)NONCE_SIZE_IN_BYTES];
+ UnsafeBufferUtil.SecureZeroMemory(pbNonce, NONCE_SIZE_IN_BYTES);
DoGcmEncrypt(
- pbKey: pbSymmetricEncryptionSubkey,
+ pbKey: pbTempKeys,
cbKey: _symmetricAlgorithmSubkeyLengthInBytes,
pbNonce: pbNonce,
- pbPlaintextData: pbPlaintext,
- cbPlaintextData: cbPlaintext,
- pbEncryptedData: pbEncryptedData,
- pbTag: pbAuthTag);
-
- // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer }
- // And we're done!
- return retVal;
- }
- finally
- {
- // The buffer contains key material, so delete it.
- UnsafeBufferUtil.SecureZeroMemory(pbSymmetricEncryptionSubkey, _symmetricAlgorithmSubkeyLengthInBytes);
+ pbPlaintextData: &dummy,
+ cbPlaintextData: 0,
+ pbEncryptedData: &dummy,
+ pbTag: ptr);
}
+
+ ptr += TAG_SIZE_IN_BYTES;
+ CryptoUtil.Assert(ptr - pbRetVal == retVal.Length, "ptr - pbRetVal == retVal.Length");
}
+
+ // retVal := { version || chainingMode || symAlgKeySize || nonceSize || symAlgBlockSize || symAlgTagSize || TAG-of-E("") }.
+ return retVal;
+ }
+
+ public void Dispose()
+ {
+ _sp800_108_ctr_hmac_provider.Dispose();
+
+ // We don't want to dispose of the underlying algorithm instances because they
+ // might be reused.
}
}
diff --git a/src/DataProtection/DataProtection/src/Cng/Internal/CngAuthenticatedEncryptorBase.cs b/src/DataProtection/DataProtection/src/Cng/Internal/CngAuthenticatedEncryptorBase.cs
deleted file mode 100644
index 3875f9e6c303..000000000000
--- a/src/DataProtection/DataProtection/src/Cng/Internal/CngAuthenticatedEncryptorBase.cs
+++ /dev/null
@@ -1,86 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using System;
-using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
-
-namespace Microsoft.AspNetCore.DataProtection.Cng.Internal;
-
-///
-/// Base class used for all CNG-related authentication encryption operations.
-///
-internal abstract unsafe class CngAuthenticatedEncryptorBase : IOptimizedAuthenticatedEncryptor, IDisposable
-{
- public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
- {
- // This wrapper simply converts ArraySegment to byte* and calls the impl method.
-
- // Input validation
- ciphertext.Validate();
- additionalAuthenticatedData.Validate();
-
- byte dummy; // used only if plaintext or AAD is empty, since otherwise 'fixed' returns null pointer
- fixed (byte* pbCiphertextArray = ciphertext.Array)
- {
- fixed (byte* pbAdditionalAuthenticatedDataArray = additionalAuthenticatedData.Array)
- {
- try
- {
- return DecryptImpl(
- pbCiphertext: (pbCiphertextArray != null) ? &pbCiphertextArray[ciphertext.Offset] : &dummy,
- cbCiphertext: (uint)ciphertext.Count,
- pbAdditionalAuthenticatedData: (pbAdditionalAuthenticatedDataArray != null) ? &pbAdditionalAuthenticatedDataArray[additionalAuthenticatedData.Offset] : &dummy,
- cbAdditionalAuthenticatedData: (uint)additionalAuthenticatedData.Count);
- }
- catch (Exception ex) when (ex.RequiresHomogenization())
- {
- // Homogenize to CryptographicException.
- throw Error.CryptCommon_GenericError(ex);
- }
- }
- }
- }
-
- protected abstract byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData);
-
- public abstract void Dispose();
-
- public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
- {
- return Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
- }
-
- public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
- {
- // This wrapper simply converts ArraySegment to byte* and calls the impl method.
-
- // Input validation
- plaintext.Validate();
- additionalAuthenticatedData.Validate();
-
- byte dummy; // used only if plaintext or AAD is empty, since otherwise 'fixed' returns null pointer
- fixed (byte* pbPlaintextArray = plaintext.Array)
- {
- fixed (byte* pbAdditionalAuthenticatedDataArray = additionalAuthenticatedData.Array)
- {
- try
- {
- return EncryptImpl(
- pbPlaintext: (pbPlaintextArray != null) ? &pbPlaintextArray[plaintext.Offset] : &dummy,
- cbPlaintext: (uint)plaintext.Count,
- pbAdditionalAuthenticatedData: (pbAdditionalAuthenticatedDataArray != null) ? &pbAdditionalAuthenticatedDataArray[additionalAuthenticatedData.Offset] : &dummy,
- cbAdditionalAuthenticatedData: (uint)additionalAuthenticatedData.Count,
- cbPreBuffer: preBufferSize,
- cbPostBuffer: postBufferSize);
- }
- catch (Exception ex) when (ex.RequiresHomogenization())
- {
- // Homogenize to CryptographicException.
- throw Error.CryptCommon_GenericError(ex);
- }
- }
- }
- }
-
- protected abstract byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer);
-}
diff --git a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtectionProvider.cs b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtectionProvider.cs
index dd28c84db68d..7ecf458f620c 100644
--- a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtectionProvider.cs
+++ b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtectionProvider.cs
@@ -2,6 +2,7 @@
// The .NET Foundation licenses this file to you under the MIT license.
using System;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
using Microsoft.AspNetCore.Shared;
using Microsoft.Extensions.Logging;
@@ -23,6 +24,19 @@ public IDataProtector CreateProtector(string purpose)
{
ArgumentNullThrowHelper.ThrowIfNull(purpose);
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var encryptor = currentKeyRing.DefaultAuthenticatedEncryptor;
+ if (encryptor is ISpanAuthenticatedEncryptor)
+ {
+ // allows caller to check if dataProtector supports Span APIs
+ // and use more performant APIs
+ return new KeyRingBasedSpanDataProtector(
+ logger: _logger,
+ keyRingProvider: _keyRingProvider,
+ originalPurposes: null,
+ newPurpose: purpose);
+ }
+
return new KeyRingBasedDataProtector(
logger: _logger,
keyRingProvider: _keyRingProvider,
diff --git a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs
index 9f19e137a48f..b27c74484344 100644
--- a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs
+++ b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs
@@ -21,18 +21,19 @@
namespace Microsoft.AspNetCore.DataProtection.KeyManagement;
-internal sealed unsafe class KeyRingBasedDataProtector : IDataProtector, IPersistedDataProtector
+internal unsafe class KeyRingBasedDataProtector : IDataProtector, IPersistedDataProtector
{
// This magic header identifies a v0 protected data blob. It's the high 28 bits of the SHA1 hash of
// "Microsoft.AspNet.DataProtection.KeyManagement.KeyRingBasedDataProtector" [US-ASCII], big-endian.
// The last nibble reserved for version information. There's also the nice property that "F0 C9"
// can never appear in a well-formed UTF8 sequence, so attempts to treat a protected payload as a
// UTF8-encoded string will fail, and devs can catch the mistake early.
- private const uint MAGIC_HEADER_V0 = 0x09F0C9F0;
+ protected const uint MAGIC_HEADER_V0 = 0x09F0C9F0;
+ protected static readonly int _magicHeaderKeyIdSize = sizeof(uint) + sizeof(Guid);
- private AdditionalAuthenticatedDataTemplate _aadTemplate;
- private readonly IKeyRingProvider _keyRingProvider;
- private readonly ILogger? _logger;
+ protected AdditionalAuthenticatedDataTemplate _aadTemplate;
+ protected readonly IKeyRingProvider _keyRingProvider;
+ protected readonly ILogger? _logger;
public KeyRingBasedDataProtector(IKeyRingProvider keyRingProvider, ILogger? logger, string[]? originalPurposes, string newPurpose)
{
@@ -65,6 +66,19 @@ public IDataProtector CreateProtector(string purpose)
{
ArgumentNullThrowHelper.ThrowIfNull(purpose);
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var encryptor = currentKeyRing.DefaultAuthenticatedEncryptor;
+ if (encryptor is ISpanAuthenticatedEncryptor)
+ {
+ // allows caller to check if dataProtector supports Span APIs
+ // and use more performant APIs
+ return new KeyRingBasedSpanDataProtector(
+ logger: _logger,
+ keyRingProvider: _keyRingProvider,
+ originalPurposes: Purposes,
+ newPurpose: purpose);
+ }
+
return new KeyRingBasedDataProtector(
logger: _logger,
keyRingProvider: _keyRingProvider,
@@ -72,24 +86,11 @@ public IDataProtector CreateProtector(string purpose)
newPurpose: purpose);
}
- private static string JoinPurposesForLog(IEnumerable purposes)
+ protected static string JoinPurposesForLog(IEnumerable purposes)
{
return "(" + String.Join(", ", purposes.Select(p => "'" + p + "'")) + ")";
}
- // allows decrypting payloads whose keys have been revoked
- public byte[] DangerousUnprotect(byte[] protectedData, bool ignoreRevocationErrors, out bool requiresMigration, out bool wasRevoked)
- {
- // argument & state checking
- ArgumentNullThrowHelper.ThrowIfNull(protectedData);
-
- UnprotectStatus status;
- var retVal = UnprotectCore(protectedData, ignoreRevocationErrors, status: out status);
- requiresMigration = (status != UnprotectStatus.Ok);
- wasRevoked = (status == UnprotectStatus.DecryptionKeyWasRevoked);
- return retVal;
- }
-
public byte[] Protect(byte[] plaintext)
{
ArgumentNullThrowHelper.ThrowIfNull(plaintext);
@@ -140,7 +141,7 @@ public byte[] Protect(byte[] plaintext)
}
}
- private static Guid ReadGuid(void* ptr)
+ protected static Guid ReadGuid(void* ptr)
{
#if NETCOREAPP
// Performs appropriate endianness fixups
@@ -153,15 +154,7 @@ private static Guid ReadGuid(void* ptr)
#endif
}
- private static uint ReadBigEndian32BitInteger(byte* ptr)
- {
- return ((uint)ptr[0] << 24)
- | ((uint)ptr[1] << 16)
- | ((uint)ptr[2] << 8)
- | ((uint)ptr[3]);
- }
-
- private static bool TryGetVersionFromMagicHeader(uint magicHeader, out int version)
+ protected static bool TryGetVersionFromMagicHeader(uint magicHeader, out int version)
{
const uint MAGIC_HEADER_VERSION_MASK = 0xFU;
if ((magicHeader & ~MAGIC_HEADER_VERSION_MASK) == MAGIC_HEADER_V0)
@@ -187,14 +180,26 @@ public byte[] Unprotect(byte[] protectedData)
wasRevoked: out _);
}
+ // allows decrypting payloads whose keys have been revoked
+ public byte[] DangerousUnprotect(byte[] protectedData, bool ignoreRevocationErrors, out bool requiresMigration, out bool wasRevoked)
+ {
+ // argument & state checking
+ ArgumentNullThrowHelper.ThrowIfNull(protectedData);
+
+ UnprotectStatus status;
+ var retVal = UnprotectCore(protectedData, ignoreRevocationErrors, status: out status);
+ requiresMigration = (status != UnprotectStatus.Ok);
+ wasRevoked = (status == UnprotectStatus.DecryptionKeyWasRevoked);
+ return retVal;
+ }
+
private byte[] UnprotectCore(byte[] protectedData, bool allowOperationsOnRevokedKeys, out UnprotectStatus status)
{
Debug.Assert(protectedData != null);
try
{
- // argument & state checking
- if (protectedData.Length < sizeof(uint) /* magic header */ + sizeof(Guid) /* key id */)
+ if (protectedData.Length < _magicHeaderKeyIdSize)
{
// payload must contain at least the magic header and key id
throw Error.ProtectionProvider_BadMagicHeader();
@@ -203,17 +208,15 @@ private byte[] UnprotectCore(byte[] protectedData, bool allowOperationsOnRevoked
// Need to check that protectedData := { magicHeader || keyId || encryptorSpecificProtectedPayload }
// Parse the payload version number and key id.
- uint magicHeaderFromPayload;
+ var magicHeaderFromPayload = BinaryPrimitives.ReadUInt32BigEndian(protectedData.AsSpan(0, sizeof(uint)));
Guid keyIdFromPayload;
fixed (byte* pbInput = protectedData)
{
- magicHeaderFromPayload = ReadBigEndian32BitInteger(pbInput);
keyIdFromPayload = ReadGuid(&pbInput[sizeof(uint)]);
}
// Are the magic header and version information correct?
- int payloadVersion;
- if (!TryGetVersionFromMagicHeader(magicHeaderFromPayload, out payloadVersion))
+ if (!TryGetVersionFromMagicHeader(magicHeaderFromPayload, out var payloadVersion))
{
throw Error.ProtectionProvider_BadMagicHeader();
}
@@ -293,7 +296,7 @@ private byte[] UnprotectCore(byte[] protectedData, bool allowOperationsOnRevoked
}
}
- private static void WriteGuid(void* ptr, Guid value)
+ protected static void WriteGuid(void* ptr, Guid value)
{
#if NETCOREAPP
var span = new Span(ptr, sizeof(Guid));
@@ -309,7 +312,7 @@ private static void WriteGuid(void* ptr, Guid value)
#endif
}
- private static void WriteBigEndianInteger(byte* ptr, uint value)
+ protected static void WriteBigEndianInteger(byte* ptr, uint value)
{
ptr[0] = (byte)(value >> 24);
ptr[1] = (byte)(value >> 16);
diff --git a/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedSpanDataProtector.cs b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedSpanDataProtector.cs
new file mode 100644
index 000000000000..5425266e36c5
--- /dev/null
+++ b/src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedSpanDataProtector.cs
@@ -0,0 +1,194 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Buffers.Binary;
+using System.Diagnostics;
+using Microsoft.AspNetCore.Cryptography;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.Shared;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.AspNetCore.DataProtection.KeyManagement;
+
+internal unsafe class KeyRingBasedSpanDataProtector : KeyRingBasedDataProtector, ISpanDataProtector
+{
+ public KeyRingBasedSpanDataProtector(IKeyRingProvider keyRingProvider, ILogger? logger, string[]? originalPurposes, string newPurpose)
+ : base(keyRingProvider, logger, originalPurposes, newPurpose)
+ {
+ }
+
+ public int GetProtectedSize(int plainTextLength)
+ {
+ // Get the current key ring to access the encryptor
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var defaultEncryptor = (ISpanAuthenticatedEncryptor)currentKeyRing.DefaultAuthenticatedEncryptor!;
+ CryptoUtil.Assert(defaultEncryptor != null, "DefaultAuthenticatedEncryptor != null");
+
+ // We allocate a 20-byte pre-buffer so that we can inject the magic header and key id into the return value.
+ // See Protect() / TryProtect() for details
+ return _magicHeaderKeyIdSize + defaultEncryptor.GetEncryptedSize(plainTextLength);
+ }
+
+ public bool TryProtect(ReadOnlySpan plaintext, Span destination, out int bytesWritten)
+ {
+ try
+ {
+ // Perform the encryption operation using the current default encryptor.
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var defaultKeyId = currentKeyRing.DefaultKeyId;
+ var defaultEncryptor = (ISpanAuthenticatedEncryptor)currentKeyRing.DefaultAuthenticatedEncryptor!;
+ CryptoUtil.Assert(defaultEncryptor != null, "DefaultAuthenticatedEncryptor != null");
+
+ if (_logger.IsDebugLevelEnabled())
+ {
+ _logger.PerformingProtectOperationToKeyWithPurposes(defaultKeyId, JoinPurposesForLog(Purposes));
+ }
+
+ // We'll need to apply the default key id to the template if it hasn't already been applied.
+ // If the default key id has been updated since the last call to Protect, also write back the updated template.
+ var aad = _aadTemplate.GetAadForKey(defaultKeyId, isProtecting: true);
+
+ var preBufferSize = _magicHeaderKeyIdSize;
+ // postBufferSize is 0
+ if (destination.Length < preBufferSize)
+ {
+ bytesWritten = default;
+ return false;
+ }
+
+ var destinationBufferOffsets = destination.Slice(preBufferSize, destination.Length - preBufferSize);
+ var success = defaultEncryptor.TryEncrypt(plaintext, aad, destinationBufferOffsets, out bytesWritten);
+
+ // At this point: destination := { 000..000 || encryptorSpecificProtectedPayload },
+ // where 000..000 is a placeholder for our magic header and key id.
+
+ // Write out the magic header and key id
+#if NET10_0_OR_GREATER
+ BinaryPrimitives.WriteUInt32BigEndian(destination.Slice(0, sizeof(uint)), MAGIC_HEADER_V0);
+ var writeKeyIdResult = defaultKeyId.TryWriteBytes(destination.Slice(sizeof(uint), sizeof(Guid)));
+ Debug.Assert(writeKeyIdResult, "Failed to write Guid to destination.");
+#else
+ fixed (byte* pbRetVal = destination)
+ {
+ WriteBigEndianInteger(pbRetVal, MAGIC_HEADER_V0);
+ WriteGuid(&pbRetVal[sizeof(uint)], defaultKeyId);
+ }
+#endif
+ bytesWritten += _magicHeaderKeyIdSize;
+
+ // At this point, destination := { magicHeader || keyId || encryptorSpecificProtectedPayload }
+ // And we're done!
+ return success;
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // homogenize all errors to CryptographicException
+ throw Error.Common_EncryptionFailed(ex);
+ }
+ }
+
+ public int GetUnprotectedSize(int cipherTextLength)
+ {
+ // The ciphertext includes the magic header and key id, so we need to subtract those
+ if (cipherTextLength < _magicHeaderKeyIdSize)
+ {
+ throw Error.ProtectionProvider_BadMagicHeader();
+ }
+
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var defaultEncryptor = (ISpanAuthenticatedEncryptor)currentKeyRing.DefaultAuthenticatedEncryptor!;
+ CryptoUtil.Assert(defaultEncryptor != null, "DefaultAuthenticatedEncryptor != null");
+
+ return defaultEncryptor.GetDecryptedSize(cipherTextLength - _magicHeaderKeyIdSize);
+ }
+
+ public bool TryUnprotect(ReadOnlySpan cipherText, Span destination, out int bytesWritten)
+ {
+ try
+ {
+ if (cipherText.Length < _magicHeaderKeyIdSize)
+ {
+ // payload must contain at least the magic header and key id
+ bytesWritten = default;
+ return false;
+ }
+
+ // Parse the payload version number and key id.
+ var magicHeaderFromPayload = BinaryPrimitives.ReadUInt32BigEndian(cipherText.Slice(0, sizeof(uint)));
+#if NET10_0_OR_GREATER
+ var keyIdFromPayload = new Guid(cipherText.Slice(sizeof(uint), sizeof(Guid)));
+#else
+ Guid keyIdFromPayload;
+ fixed (byte* pbCipherText = cipherText)
+ {
+ keyIdFromPayload = ReadGuid(&pbCipherText[sizeof(uint)]);
+ }
+#endif
+
+ // Are the magic header and version information correct?
+ if (!TryGetVersionFromMagicHeader(magicHeaderFromPayload, out var payloadVersion))
+ {
+ throw Error.ProtectionProvider_BadMagicHeader();
+ }
+
+ if (payloadVersion != 0)
+ {
+ throw Error.ProtectionProvider_BadVersion();
+ }
+
+ if (_logger.IsDebugLevelEnabled())
+ {
+ _logger.PerformingUnprotectOperationToKeyWithPurposes(keyIdFromPayload, JoinPurposesForLog(Purposes));
+ }
+
+ // Find the correct encryptor in the keyring.
+ var currentKeyRing = _keyRingProvider.GetCurrentKeyRing();
+ var requestedEncryptor = currentKeyRing.GetAuthenticatedEncryptorByKeyId(keyIdFromPayload, out bool keyWasRevoked);
+ if (requestedEncryptor is null)
+ {
+ if (_keyRingProvider is KeyRingProvider provider && provider.InAutoRefreshWindow())
+ {
+ currentKeyRing = provider.RefreshCurrentKeyRing();
+ requestedEncryptor = currentKeyRing.GetAuthenticatedEncryptorByKeyId(keyIdFromPayload, out keyWasRevoked);
+ }
+
+ if (requestedEncryptor is null)
+ {
+ if (_logger.IsTraceLevelEnabled())
+ {
+ _logger.KeyWasNotFoundInTheKeyRingUnprotectOperationCannotProceed(keyIdFromPayload);
+ }
+
+ throw Error.Common_KeyNotFound(keyIdFromPayload);
+ }
+ }
+
+ // Check if key was revoked - for simplified version, we disallow revoked keys
+ if (keyWasRevoked)
+ {
+ if (_logger.IsDebugLevelEnabled())
+ {
+ _logger.KeyWasRevokedUnprotectOperationCannotProceed(keyIdFromPayload);
+ }
+
+ throw Error.Common_KeyRevoked(keyIdFromPayload);
+ }
+
+ // Perform the decryption operation.
+ ReadOnlySpan actualCiphertext = cipherText.Slice(sizeof(uint) + sizeof(Guid)); // chop off magic header + encryptor id
+ ReadOnlySpan aad = _aadTemplate.GetAadForKey(keyIdFromPayload, isProtecting: false);
+
+ // At this point, actualCiphertext := { encryptorSpecificPayload },
+ // so all that's left is to invoke the decryption routine directly.
+ var spanEncryptor = (ISpanAuthenticatedEncryptor)requestedEncryptor;
+ return spanEncryptor.TryDecrypt(actualCiphertext, aad, destination, out bytesWritten);
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // homogenize all errors to CryptographicException
+ throw Error.DecryptionFailed(ex);
+ }
+ }
+}
diff --git a/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs
index 413adfb4825f..de829e47fcc3 100644
--- a/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs
+++ b/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs
@@ -13,7 +13,7 @@
namespace Microsoft.AspNetCore.DataProtection.Managed;
// An encryptor that uses AesGcm to do encryption
-internal sealed unsafe class AesGcmAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, IDisposable
+internal sealed unsafe class AesGcmAuthenticatedEncryptor : IOptimizedAuthenticatedEncryptor, ISpanAuthenticatedEncryptor, IDisposable
{
// Having a key modifier ensures with overwhelming probability that no two encryption operations
// will ever derive the same (encryption subkey, MAC subkey) pair. This limits an attacker's
@@ -64,73 +64,81 @@ public AesGcmAuthenticatedEncryptor(ISecret keyDerivationKey, int derivedKeySize
_genRandom = genRandom ?? ManagedGenRandomImpl.Instance;
}
- public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
+ public int GetDecryptedSize(int cipherTextLength)
{
- ciphertext.Validate();
- additionalAuthenticatedData.Validate();
-
// Argument checking: input must at the absolute minimum contain a key modifier, nonce, and tag
- if (ciphertext.Count < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
+ if (cipherTextLength < KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES)
{
throw Error.CryptCommon_PayloadInvalid();
}
- // Assumption: pbCipherText := { keyModifier || nonce || encryptedData || authenticationTag }
- var plaintextBytes = ciphertext.Count - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES);
- var plaintext = new byte[plaintextBytes];
+ // in GCM cipher text length is the same as the plain text length
+ return cipherTextLength - (KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + TAG_SIZE_IN_BYTES);
+ }
+
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
try
{
- // Step 1: Extract the key modifier from the payload.
-
- int keyModifierOffset; // position in ciphertext.Array where key modifier begins
- int nonceOffset; // position in ciphertext.Array where key modifier ends / nonce begins
- int encryptedDataOffset; // position in ciphertext.Array where nonce ends / encryptedData begins
- int tagOffset; // position in ciphertext.Array where encrypted data ends
-
- checked
+ var plaintextBytes = GetDecryptedSize(cipherText.Length);
+ if (destination.Length < plaintextBytes)
{
- keyModifierOffset = ciphertext.Offset;
- nonceOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
- encryptedDataOffset = nonceOffset + NONCE_SIZE_IN_BYTES;
- tagOffset = encryptedDataOffset + plaintextBytes;
+ return false;
}
- var keyModifier = new ArraySegment(ciphertext.Array!, keyModifierOffset, KEY_MODIFIER_SIZE_IN_BYTES);
-
- // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys.
- // We pin all unencrypted keys to limit their exposure via GC relocation.
-
- var decryptedKdk = new byte[_keyDerivationKey.Length];
- var derivedKey = new byte[_derivedkeySizeInBytes];
-
- fixed (byte* __unused__1 = decryptedKdk)
- fixed (byte* __unused__2 = derivedKey)
+ // Calculate offsets in the cipherText
+ var keyModifierOffset = 0;
+ var nonceOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
+ var encryptedDataOffset = nonceOffset + NONCE_SIZE_IN_BYTES;
+ var tagOffset = encryptedDataOffset + plaintextBytes;
+
+ // Extract spans for each component
+ var keyModifier = cipherText.Slice(keyModifierOffset, KEY_MODIFIER_SIZE_IN_BYTES);
+ var nonce = cipherText.Slice(nonceOffset, NONCE_SIZE_IN_BYTES);
+ var encrypted = cipherText.Slice(encryptedDataOffset, plaintextBytes);
+ var tag = cipherText.Slice(tagOffset, TAG_SIZE_IN_BYTES);
+
+ // Get the plaintext destination
+ var plaintext = destination.Slice(0, plaintextBytes);
+
+ // Decrypt the KDK and use it to restore the original encryption key
+ // We pin all unencrypted keys to limit their exposure via GC relocation
+ Span decryptedKdk = _keyDerivationKey.Length <= 256
+ ? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
+ : new byte[_keyDerivationKey.Length];
+
+ Span derivedKey = _derivedkeySizeInBytes <= 256
+ ? stackalloc byte[256].Slice(0, _derivedkeySizeInBytes)
+ : new byte[_derivedkeySizeInBytes];
+
+ fixed (byte* decryptedKdkUnsafe = decryptedKdk)
+ fixed (byte* derivedKeyUnsafe = derivedKey)
{
try
{
- _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment(decryptedKdk));
+ _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
kdk: decryptedKdk,
label: additionalAuthenticatedData,
contextHeader: _contextHeader,
contextData: keyModifier,
operationSubkey: derivedKey,
- validationSubkey: Span.Empty /* filling in derivedKey only */ );
+ validationSubkey: Span.Empty /* filling in derivedKey only */);
- // Perform the decryption operation
- var nonce = new Span(ciphertext.Array, nonceOffset, NONCE_SIZE_IN_BYTES);
- var tag = new Span(ciphertext.Array, tagOffset, TAG_SIZE_IN_BYTES);
- var encrypted = new Span(ciphertext.Array, encryptedDataOffset, plaintextBytes);
+ // Perform the decryption operation directly into destination
using var aes = new AesGcm(derivedKey, TAG_SIZE_IN_BYTES);
aes.Decrypt(nonce, encrypted, tag, plaintext);
- return plaintext;
+
+ bytesWritten = plaintextBytes;
+ return true;
}
finally
{
// delete since these contain secret material
- Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
- Array.Clear(derivedKey, 0, derivedKey.Length);
+ decryptedKdk.Clear();
+ derivedKey.Clear();
}
}
}
@@ -141,48 +149,100 @@ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment addition
}
}
+ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment additionalAuthenticatedData)
+ {
+ ciphertext.Validate();
+ additionalAuthenticatedData.Validate();
+
+ var size = GetDecryptedSize(ciphertext.Count);
+ var plaintext = new byte[size];
+ var destination = plaintext.AsSpan();
+
+ if (!TryDecrypt(
+ cipherText: ciphertext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
+
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return plaintext;
+ }
+
public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
{
plaintext.Validate();
additionalAuthenticatedData.Validate();
- try
+ var size = GetEncryptedSize(plaintext.Count);
+ var ciphertext = new byte[preBufferSize + size + postBufferSize];
+ var destination = ciphertext.AsSpan((int)preBufferSize, size);
+
+ if (!TryEncrypt(
+ plaintext: plaintext,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
{
- // Allocate a buffer to hold the key modifier, nonce, encrypted data, and tag.
- // In GCM, the encrypted output will be the same length as the plaintext input.
- var retVal = new byte[checked(preBufferSize + KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plaintext.Count + TAG_SIZE_IN_BYTES + postBufferSize)];
- int keyModifierOffset; // position in ciphertext.Array where key modifier begins
- int nonceOffset; // position in ciphertext.Array where key modifier ends / nonce begins
- int encryptedDataOffset; // position in ciphertext.Array where nonce ends / encryptedData begins
- int tagOffset; // position in ciphertext.Array where encrypted data ends
-
- checked
- {
- keyModifierOffset = plaintext.Offset + (int)preBufferSize;
- nonceOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
- encryptedDataOffset = nonceOffset + NONCE_SIZE_IN_BYTES;
- tagOffset = encryptedDataOffset + plaintext.Count;
- }
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
- // Randomly generate the key modifier and nonce
+ CryptoUtil.Assert(bytesWritten == size, "bytesWritten == size");
+ return ciphertext;
+ }
+
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
+
+ public int GetEncryptedSize(int plainTextLength)
+ {
+ // A buffer to hold the key modifier, nonce, encrypted data, and tag.
+ // In GCM, the encrypted output will be the same length as the plaintext input.
+ return checked(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plainTextLength + TAG_SIZE_IN_BYTES);
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plaintext, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
+
+ // Calculate total required size and validate destination buffer BEFORE any operations
+ var totalRequiredSize = checked(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plaintext.Length + TAG_SIZE_IN_BYTES);
+ if (destination.Length < totalRequiredSize)
+ {
+ return false;
+ }
+
+ try
+ {
+ // Generate random key modifier and nonce
var keyModifier = _genRandom.GenRandom(KEY_MODIFIER_SIZE_IN_BYTES);
var nonceBytes = _genRandom.GenRandom(NONCE_SIZE_IN_BYTES);
- Buffer.BlockCopy(keyModifier, 0, retVal, (int)preBufferSize, keyModifier.Length);
- Buffer.BlockCopy(nonceBytes, 0, retVal, (int)preBufferSize + keyModifier.Length, nonceBytes.Length);
+ // KeyModifier and nonce to destination
+ keyModifier.CopyTo(destination.Slice(bytesWritten, KEY_MODIFIER_SIZE_IN_BYTES));
+ bytesWritten += KEY_MODIFIER_SIZE_IN_BYTES;
+ nonceBytes.CopyTo(destination.Slice(bytesWritten, NONCE_SIZE_IN_BYTES));
+ bytesWritten += NONCE_SIZE_IN_BYTES;
- // At this point, retVal := { preBuffer | keyModifier | nonce | _____ | _____ | postBuffer }
+ // At this point, destination := { keyModifier | nonce | _____ | _____ }
// Use the KDF to generate a new symmetric block cipher key
// We'll need a temporary buffer to hold the symmetric encryption subkey
- var decryptedKdk = new byte[_keyDerivationKey.Length];
- var derivedKey = new byte[_derivedkeySizeInBytes];
- fixed (byte* __unused__1 = decryptedKdk)
+ Span decryptedKdk = _keyDerivationKey.Length <= 256
+ ? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
+ : new byte[_keyDerivationKey.Length];
+ var derivedKey = _derivedkeySizeInBytes <= 256
+ ? stackalloc byte[256].Slice(0, _derivedkeySizeInBytes)
+ : new byte[_derivedkeySizeInBytes];
+
+ fixed (byte* decryptedKdkUnsafe = decryptedKdk)
fixed (byte* __unused__2 = derivedKey)
{
try
{
- _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment(decryptedKdk));
+ _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
kdk: decryptedKdk,
label: additionalAuthenticatedData,
@@ -191,22 +251,25 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
operationSubkey: derivedKey,
validationSubkey: Span.Empty /* filling in derivedKey only */ );
- // do gcm
- var nonce = new Span(retVal, nonceOffset, NONCE_SIZE_IN_BYTES);
- var tag = new Span(retVal, tagOffset, TAG_SIZE_IN_BYTES);
- var encrypted = new Span(retVal, encryptedDataOffset, plaintext.Count);
+ // Perform GCM encryption. Destination buffer expected structure:
+ // { keyModifier | nonce | encryptedData | authenticationTag }
+ var nonce = destination.Slice(KEY_MODIFIER_SIZE_IN_BYTES, NONCE_SIZE_IN_BYTES);
+ var encrypted = destination.Slice(bytesWritten, plaintext.Length);
+ var tag = destination.Slice(bytesWritten + plaintext.Length, TAG_SIZE_IN_BYTES);
+
using var aes = new AesGcm(derivedKey, TAG_SIZE_IN_BYTES);
aes.Encrypt(nonce, plaintext, encrypted, tag);
- // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer }
+ // At this point, destination := { keyModifier | nonce | encryptedData | authenticationTag }
// And we're done!
- return retVal;
+ bytesWritten += plaintext.Length + TAG_SIZE_IN_BYTES;
+ return true;
}
finally
{
// delete since these contain secret material
- Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
- Array.Clear(derivedKey, 0, derivedKey.Length);
+ decryptedKdk.Clear();
+ derivedKey.Clear();
}
}
}
@@ -217,9 +280,6 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
}
}
- public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
- => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
-
public void Dispose()
{
_keyDerivationKey.Dispose();
diff --git a/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
index e11e3862b53e..6edff9858229 100644
--- a/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
+++ b/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
@@ -18,6 +18,9 @@ namespace Microsoft.AspNetCore.DataProtection.Managed;
// The payloads produced by this encryptor should be compatible with the payloads
// produced by the CNG-based Encrypt(CBC) + HMAC authenticated encryptor.
internal sealed unsafe class ManagedAuthenticatedEncryptor : IAuthenticatedEncryptor, IDisposable
+#if NET10_0_OR_GREATER
+ , ISpanAuthenticatedEncryptor
+#endif
{
// Even when IVs are chosen randomly, CBC is susceptible to IV collisions within a single
// key. For a 64-bit block cipher (like 3DES), we'd expect a collision after 2^32 block
@@ -69,155 +72,62 @@ public ManagedAuthenticatedEncryptor(Secret keyDerivationKey, Func();
- var EMPTY_ARRAY_SEGMENT = new ArraySegment(EMPTY_ARRAY);
-
- var retVal = new byte[checked(
- 1 /* KDF alg */
- + 1 /* chaining mode */
- + sizeof(uint) /* sym alg key size */
- + sizeof(uint) /* sym alg block size */
- + sizeof(uint) /* hmac alg key size */
- + sizeof(uint) /* hmac alg digest size */
- + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */
- + _validationAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)];
-
- var idx = 0;
-
- // First is the two-byte header
- retVal[idx++] = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
- retVal[idx++] = 0; // 0x00 = CBC encryption + HMAC authentication
-
- // Next is information about the symmetric algorithm (key size followed by block size)
- BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmSubkeyLengthInBytes);
- BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmBlockSizeInBytes);
-
- // Next is information about the keyed hash algorithm (key size followed by digest size)
- BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmSubkeyLengthInBytes);
- BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmDigestLengthInBytes);
-
- // See the design document for an explanation of the following code.
- var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _validationAlgorithmSubkeyLengthInBytes];
- ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
- kdk: EMPTY_ARRAY,
- label: EMPTY_ARRAY_SEGMENT,
- contextHeader: EMPTY_ARRAY_SEGMENT,
- contextData: EMPTY_ARRAY_SEGMENT,
- operationSubkey: tempKeys.AsSpan(0, _symmetricAlgorithmSubkeyLengthInBytes),
- validationSubkey: tempKeys.AsSpan(_symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes));
-
- // At this point, tempKeys := { K_E || K_H }.
-
- // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer.
- using (var symmetricAlg = CreateSymmetricAlgorithm())
- {
- using (var cryptoTransform = symmetricAlg.CreateEncryptor(
- rgbKey: new ArraySegment(tempKeys, 0, _symmetricAlgorithmSubkeyLengthInBytes).AsStandaloneArray(),
- rgbIV: new byte[_symmetricAlgorithmBlockSizeInBytes]))
- {
- var ciphertext = cryptoTransform.TransformFinalBlock(EMPTY_ARRAY, 0, 0);
- CryptoUtil.Assert(ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes, "ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes");
- Buffer.BlockCopy(ciphertext, 0, retVal, idx, ciphertext.Length);
- }
- }
-
- idx += _symmetricAlgorithmBlockSizeInBytes;
-
- // MAC a zero-length input string and copy the digest to the return buffer.
- using (var hashAlg = CreateValidationAlgorithm(new ArraySegment(tempKeys, _symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes).AsStandaloneArray()))
+ // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
+ if (cipherTextLength < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
{
- var digest = hashAlg.ComputeHash(EMPTY_ARRAY);
- CryptoUtil.Assert(digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes, "digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes");
- Buffer.BlockCopy(digest, 0, retVal, idx, digest.Length);
+ throw Error.CryptCommon_PayloadInvalid();
}
- idx += _validationAlgorithmDigestLengthInBytes;
- CryptoUtil.Assert(idx == retVal.Length, "idx == retVal.Length");
-
- // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || macAlgKeySize || macAlgDigestSize || E("") || MAC("") }.
- return retVal;
- }
-
- private SymmetricAlgorithm CreateSymmetricAlgorithm()
- {
- var retVal = _symmetricAlgorithmFactory();
- CryptoUtil.Assert(retVal != null, "retVal != null");
-
- retVal.Mode = CipherMode.CBC;
- retVal.Padding = PaddingMode.PKCS7;
-
- return retVal;
- }
-
- private KeyedHashAlgorithm CreateValidationAlgorithm(byte[]? key = null)
- {
- var retVal = _validationAlgorithmFactory();
- CryptoUtil.Assert(retVal != null, "retVal != null");
-
- if (key is not null)
- {
- retVal.Key = key;
- }
- return retVal;
+ // For CBC mode with padding, the decrypted size is at most the encrypted data size
+ // We return an over-estimation since we can't know the exact padding without decrypting
+ return checked(cipherTextLength - (KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes));
}
- public byte[] Decrypt(ArraySegment protectedPayload, ArraySegment additionalAuthenticatedData)
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
{
- // Assumption: protectedPayload := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) }
- protectedPayload.Validate();
- additionalAuthenticatedData.Validate();
-
- // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
- if (protectedPayload.Count < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
- {
- throw Error.CryptCommon_PayloadInvalid();
- }
+ bytesWritten = 0;
try
{
- // Step 1: Extract the key modifier and IV from the payload.
- int keyModifierOffset; // position in protectedPayload.Array where key modifier begins
- int ivOffset; // position in protectedPayload.Array where key modifier ends / IV begins
- int ciphertextOffset; // position in protectedPayload.Array where IV ends / ciphertext begins
- int macOffset; // position in protectedPayload.Array where ciphertext ends / MAC begins
- int eofOffset; // position in protectedPayload.Array where MAC ends
+ // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
+ if (cipherText.Length < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
+ {
+ throw Error.CryptCommon_PayloadInvalid();
+ }
- checked
+ // Calculate the maximum possible plaintext size and check destination buffer
+ var estimatedDecryptedSize = GetDecryptedSize(cipherText.Length);
+ if (destination.Length < estimatedDecryptedSize)
{
- keyModifierOffset = protectedPayload.Offset;
- ivOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
- ciphertextOffset = ivOffset + _symmetricAlgorithmBlockSizeInBytes;
+ return false;
}
- ReadOnlySpan keyModifier = protectedPayload.Array!.AsSpan(keyModifierOffset, ivOffset - keyModifierOffset);
+ // Calculate offsets in the cipherText
+ var keyModifierOffset = 0;
+ var ivOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
+ var ciphertextOffset = ivOffset + _symmetricAlgorithmBlockSizeInBytes;
+ var macOffset = cipherText.Length - _validationAlgorithmDigestLengthInBytes;
- // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys.
-#if NET10_0_OR_GREATER
+ // Extract spans for each component
+ var keyModifier = cipherText.Slice(keyModifierOffset, KEY_MODIFIER_SIZE_IN_BYTES);
+
+ // Decrypt the KDK and use it to restore the original encryption and MAC keys
Span decryptedKdk = _keyDerivationKey.Length <= 256
? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
: new byte[_keyDerivationKey.Length];
-#else
- var decryptedKdk = new byte[_keyDerivationKey.Length];
-#endif
byte[]? validationSubkeyArray = null;
var validationSubkey = _validationAlgorithmSubkeyLengthInBytes <= 128
? stackalloc byte[128].Slice(0, _validationAlgorithmSubkeyLengthInBytes)
: (validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes]);
-#if NET10_0_OR_GREATER
- Span decryptionSubkey =
- _symmetricAlgorithmSubkeyLengthInBytes <= 128
+ Span decryptionSubkey = _symmetricAlgorithmSubkeyLengthInBytes <= 128
? stackalloc byte[128].Slice(0, _symmetricAlgorithmSubkeyLengthInBytes)
- : new byte[_symmetricAlgorithmBlockSizeInBytes];
-#else
- byte[] decryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
-#endif
+ : new byte[_symmetricAlgorithmSubkeyLengthInBytes];
- // calling "fixed" is basically pinning the array, meaning the GC won't move it around. (Also for safety concerns)
- // note: it is safe to call `fixed` on null - it is just a no-op
fixed (byte* decryptedKdkUnsafe = decryptedKdk)
fixed (byte* __unused__2 = decryptionSubkey)
fixed (byte* __unused__3 = validationSubkeyArray)
@@ -233,57 +143,34 @@ public byte[] Decrypt(ArraySegment protectedPayload, ArraySegment ad
operationSubkey: decryptionSubkey,
validationSubkey: validationSubkey);
- // Step 3: Calculate the correct MAC for this payload.
- // correctHash := MAC(IV || ciphertext)
- checked
+ // Validate the MAC provided as part of the payload
+ var ivAndCiphertextSpan = cipherText.Slice(ivOffset, macOffset - ivOffset);
+ var providedMac = cipherText.Slice(macOffset, _validationAlgorithmDigestLengthInBytes);
+
+ if (!ValidateMac(ivAndCiphertextSpan, providedMac, validationSubkey, validationSubkeyArray))
{
- eofOffset = protectedPayload.Offset + protectedPayload.Count;
- macOffset = eofOffset - _validationAlgorithmDigestLengthInBytes;
+ throw Error.CryptCommon_PayloadInvalid();
}
- // Step 4: Validate the MAC provided as part of the payload.
- CalculateAndValidateMac(protectedPayload.Array!, ivOffset, macOffset, eofOffset, validationSubkey, validationSubkeyArray);
+ // If the integrity check succeeded, decrypt the payload directly into destination
+ var ciphertextSpan = cipherText.Slice(ciphertextOffset, macOffset - ciphertextOffset);
+ var iv = cipherText.Slice(ivOffset, _symmetricAlgorithmBlockSizeInBytes);
- // Step 5: Decipher the ciphertext and return it to the caller.
-#if NET10_0_OR_GREATER
using var symmetricAlgorithm = CreateSymmetricAlgorithm();
- symmetricAlgorithm.SetKey(decryptionSubkey); // setKey is a single-shot usage of symmetricAlgorithm. Not allocatey
-
- // note: here protectedPayload.Array is taken without an offset (can't use AsSpan() on ArraySegment)
- var ciphertext = protectedPayload.Array.AsSpan(ciphertextOffset, macOffset - ciphertextOffset);
- var iv = protectedPayload.Array.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes);
-
- // symmetricAlgorithm is created with CBC mode (see CreateSymmetricAlgorithm())
- return symmetricAlgorithm.DecryptCbc(ciphertext, iv);
-#else
- var iv = protectedPayload.Array!.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes).ToArray();
-
- using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
- using (var cryptoTransform = symmetricAlgorithm.CreateDecryptor(decryptionSubkey, iv))
- {
- var outputStream = new MemoryStream();
- using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
- {
- cryptoStream.Write(protectedPayload.Array!, ciphertextOffset, macOffset - ciphertextOffset);
- cryptoStream.FlushFinalBlock();
+ symmetricAlgorithm.SetKey(decryptionSubkey);
- // At this point, outputStream := { plaintext }, and we're done!
- return outputStream.ToArray();
- }
- }
-#endif
+ // Decrypt directly into destination
+ var actualDecryptedBytes = symmetricAlgorithm.DecryptCbc(ciphertextSpan, iv, destination);
+ bytesWritten = actualDecryptedBytes;
+ return true;
}
finally
{
// delete since these contain secret material
validationSubkey.Clear();
-#if NET10_0_OR_GREATER
decryptedKdk.Clear();
decryptionSubkey.Clear();
-#else
- Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
-#endif
}
}
}
@@ -294,58 +181,56 @@ public byte[] Decrypt(ArraySegment protectedPayload, ArraySegment ad
}
}
- public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
+ public int GetEncryptedSize(int plainTextLength)
{
- plaintext.Validate();
- additionalAuthenticatedData.Validate();
- var plainTextSpan = plaintext.AsSpan();
+ var symmetricAlgorithm = CreateSymmetricAlgorithm();
+ var cipherTextLength = symmetricAlgorithm.GetCiphertextLengthCbc(plainTextLength);
+ return KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes /* IV */ + cipherTextLength + _validationAlgorithmDigestLengthInBytes /* MAC */;
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plainText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ bytesWritten = 0;
try
{
var keyModifierLength = KEY_MODIFIER_SIZE_IN_BYTES;
var ivLength = _symmetricAlgorithmBlockSizeInBytes;
-#if NET10_0_OR_GREATER
+ // Calculate the required total size upfront and validate destination buffer
+ using var symmetricAlgorithmForSizing = CreateSymmetricAlgorithm();
+ var cipherTextLength = symmetricAlgorithmForSizing.GetCiphertextLengthCbc(plainText.Length);
+ var macLength = _validationAlgorithmDigestLengthInBytes;
+ var totalRequiredSize = keyModifierLength + ivLength + cipherTextLength + macLength;
+
+ if (destination.Length < totalRequiredSize)
+ {
+ return false;
+ }
+
Span decryptedKdk = _keyDerivationKey.Length <= 256
? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
: new byte[_keyDerivationKey.Length];
-#else
- var decryptedKdk = new byte[_keyDerivationKey.Length];
-#endif
-#if NET10_0_OR_GREATER
byte[]? validationSubkeyArray = null;
Span validationSubkey = _validationAlgorithmSubkeyLengthInBytes <= 128
? stackalloc byte[128].Slice(0, _validationAlgorithmSubkeyLengthInBytes)
: (validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes]);
-#else
- var validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes];
- var validationSubkey = validationSubkeyArray.AsSpan();
-#endif
-#if NET10_0_OR_GREATER
Span encryptionSubkey = _symmetricAlgorithmSubkeyLengthInBytes <= 128
? stackalloc byte[128].Slice(0, _symmetricAlgorithmSubkeyLengthInBytes)
: new byte[_symmetricAlgorithmSubkeyLengthInBytes];
-#else
- byte[] encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
-#endif
fixed (byte* decryptedKdkUnsafe = decryptedKdk)
fixed (byte* __unused__1 = encryptionSubkey)
fixed (byte* __unused__2 = validationSubkeyArray)
{
// Step 1: Generate a random key modifier and IV for this operation.
- // Both will be equal to the block size of the block cipher algorithm.
-#if NET10_0_OR_GREATER
Span keyModifier = keyModifierLength <= 128
? stackalloc byte[128].Slice(0, keyModifierLength)
: new byte[keyModifierLength];
_genRandom.GenRandom(keyModifier);
-#else
- var keyModifier = _genRandom.GenRandom(keyModifierLength);
-#endif
try
{
@@ -359,61 +244,30 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
operationSubkey: encryptionSubkey,
validationSubkey: validationSubkey);
-#if NET10_0_OR_GREATER
- // idea of optimization here is firstly get all the types preset
- // for calculating length of the output array and allocating it.
- // then we are filling it with the data directly, without any additional copying
-
using var symmetricAlgorithm = CreateSymmetricAlgorithm();
- symmetricAlgorithm.SetKey(encryptionSubkey); // setKey is a single-shot usage of symmetricAlgorithm. Not allocatey
+ symmetricAlgorithm.SetKey(encryptionSubkey);
using var validationAlgorithm = CreateValidationAlgorithm();
- // Later framework has an API to pre-calculate optimal length of the ciphertext.
- // That means we can avoid allocating more data than we need.
+ // Step 3: Copy the key modifier to the destination
+ keyModifier.CopyTo(destination.Slice(bytesWritten, keyModifierLength));
+ bytesWritten += keyModifierLength;
- var cipherTextLength = symmetricAlgorithm.GetCiphertextLengthCbc(plainTextSpan.Length); // CBC because symmetricAlgorithm is created with CBC mode
- var macLength = _validationAlgorithmDigestLengthInBytes;
-
- // allocating an array of a specific required length
- var outputArray = new byte[keyModifierLength + ivLength + cipherTextLength + macLength];
- var outputSpan = outputArray.AsSpan();
-#else
- var outputStream = new MemoryStream();
-#endif
-
-#if NET10_0_OR_GREATER
- // Step 2: Copy the key modifier to the output stream (part of a header)
- keyModifier.CopyTo(outputSpan.Slice(start: 0, length: keyModifierLength));
-
- // Step 3: Generate IV for this operation right into the output stream (no allocation)
- // key modifier and IV together act as a header.
- var iv = outputSpan.Slice(start: keyModifierLength, length: ivLength);
+ // Step 4: Generate IV directly into the destination
+ var iv = destination.Slice(bytesWritten, ivLength);
_genRandom.GenRandom(iv);
-#else
- // Step 2: Copy the key modifier and the IV to the output stream since they'll act as a header.
- outputStream.Write(keyModifier, 0, keyModifier.Length);
-
- // Step 3: Generate IV for this operation right into the result array
- var iv = _genRandom.GenRandom(_symmetricAlgorithmBlockSizeInBytes);
- outputStream.Write(iv, 0, iv.Length);
-#endif
-
-#if NET10_0_OR_GREATER
- // Step 4: Perform the encryption operation.
- // encrypting plaintext into the target array directly
- symmetricAlgorithm.EncryptCbc(plainTextSpan, iv, outputSpan.Slice(start: keyModifierLength + ivLength, length: cipherTextLength));
+ bytesWritten += ivLength;
- // At this point, outputStream := { keyModifier || IV || ciphertext }
+ // Step 5: Perform the encryption operation
+ var ciphertextDestination = destination.Slice(bytesWritten, cipherTextLength);
+ symmetricAlgorithm.EncryptCbc(plainText, iv, ciphertextDestination);
+ bytesWritten += cipherTextLength;
- // Step 5: Calculate the digest over the IV and ciphertext.
- // We don't need to calculate the digest over the key modifier since that
- // value has already been mixed into the KDF used to generate the MAC key.
+ // Step 6: Calculate the digest over the IV and ciphertext
+ var ivAndCipherTextSpan = destination.Slice(keyModifierLength, ivLength + cipherTextLength);
+ var macDestinationSpan = destination.Slice(bytesWritten, macLength);
- var ivAndCipherTextSpan = outputSpan.Slice(start: keyModifierLength, length: ivLength + cipherTextLength);
- var macDestinationSpan = outputSpan.Slice(keyModifierLength + ivLength + cipherTextLength, macLength);
-
- // if we can use an optimized method for specific algorithm - we use it (no extra alloc for subKey)
+ // Use optimized method for specific algorithms when possible
if (validationAlgorithm is HMACSHA256)
{
HMACSHA256.HashData(key: validationSubkey, source: ivAndCipherTextSpan, destination: macDestinationSpan);
@@ -425,49 +279,19 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
else
{
validationAlgorithm.Key = validationSubkeyArray ?? validationSubkey.ToArray();
- validationAlgorithm.TryComputeHash(source: ivAndCipherTextSpan, destination: macDestinationSpan, bytesWritten: out _);
- }
-
- // At this point, outputArray := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
- return outputArray;
-#else
- // Step 4: Perform the encryption operation.
- using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
- using (var cryptoTransform = symmetricAlgorithm.CreateEncryptor(encryptionSubkey, iv))
- using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
- {
- cryptoStream.Write(plaintext.Array!, plaintext.Offset, plaintext.Count);
- cryptoStream.FlushFinalBlock();
-
- // At this point, outputStream := { keyModifier || IV || ciphertext }
-
- // Step 5: Calculate the digest over the IV and ciphertext.
- // We don't need to calculate the digest over the key modifier since that
- // value has already been mixed into the KDF used to generate the MAC key.
- using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkeyArray))
+ if (!validationAlgorithm.TryComputeHash(source: ivAndCipherTextSpan, destination: macDestinationSpan, out _))
{
- // As an optimization, avoid duplicating the underlying buffer
- var underlyingBuffer = outputStream.GetBuffer();
-
- var mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES));
- outputStream.Write(mac, 0, mac.Length);
-
- // At this point, outputStream := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
- // And we're done!
- return outputStream.ToArray();
+ return false;
}
}
-#endif
+ bytesWritten += macLength;
+
+ return true;
}
finally
{
-#if NET10_0_OR_GREATER
keyModifier.Clear();
decryptedKdk.Clear();
-#else
- Array.Clear(keyModifier, 0, keyModifierLength);
- Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
-#endif
}
}
}
@@ -477,49 +301,164 @@ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additiona
throw Error.CryptCommon_GenericError(ex);
}
}
+#endif
- private void CalculateAndValidateMac(
- byte[] payloadArray,
- int ivOffset, int macOffset, int eofOffset, // offsets to slice the payload array
- ReadOnlySpan validationSubkey,
- byte[]? validationSubkeyArray)
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment additionalAuthenticatedData)
{
- using var validationAlgorithm = CreateValidationAlgorithm();
- var hashSize = validationAlgorithm.GetDigestSizeInBytes();
+ plaintext.Validate();
+ additionalAuthenticatedData.Validate();
+ var plainTextSpan = plaintext.AsSpan();
- byte[]? correctHashArray = null;
- Span correctHash = hashSize <= 128
- ? stackalloc byte[128].Slice(0, hashSize)
- : (correctHashArray = new byte[hashSize]);
+#if NET10_0_OR_GREATER
+ var size = GetEncryptedSize(plainTextSpan.Length);
+ var retVal = new byte[size];
+
+ if (!TryEncrypt(plainTextSpan, additionalAuthenticatedData, retVal, out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array."));
+ }
+ return retVal;
+#else
try
{
+ var keyModifierLength = KEY_MODIFIER_SIZE_IN_BYTES;
+ var ivLength = _symmetricAlgorithmBlockSizeInBytes;
+
+ var decryptedKdk = new byte[_keyDerivationKey.Length];
+ var validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes];
+ var validationSubkey = validationSubkeyArray.AsSpan();
+ byte[] encryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+
+ fixed (byte* decryptedKdkUnsafe = decryptedKdk)
+ fixed (byte* __unused__1 = encryptionSubkey)
+ fixed (byte* __unused__2 = validationSubkeyArray)
+ {
+ // Step 1: Generate a random key modifier and IV for this operation.
+ // Both will be equal to the block size of the block cipher algorithm.
+ var keyModifier = _genRandom.GenRandom(keyModifierLength);
+
+ try
+ {
+ // Step 2: Decrypt the KDK, and use it to generate new encryption and HMAC keys.
+ _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
+ ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
+ kdk: decryptedKdk,
+ label: additionalAuthenticatedData,
+ contextHeader: _contextHeader,
+ contextData: keyModifier,
+ operationSubkey: encryptionSubkey,
+ validationSubkey: validationSubkey);
+
+ var outputStream = new MemoryStream();
+
+ // Step 2: Copy the key modifier and the IV to the output stream since they'll act as a header.
+ outputStream.Write(keyModifier, 0, keyModifier.Length);
+
+ // Step 3: Generate IV for this operation right into the result array
+ var iv = _genRandom.GenRandom(_symmetricAlgorithmBlockSizeInBytes);
+ outputStream.Write(iv, 0, iv.Length);
+
+ // Step 4: Perform the encryption operation.
+ using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
+ using (var cryptoTransform = symmetricAlgorithm.CreateEncryptor(encryptionSubkey, iv))
+ using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
+ {
+ cryptoStream.Write(plaintext.Array!, plaintext.Offset, plaintext.Count);
+ cryptoStream.FlushFinalBlock();
+
+ // At this point, outputStream := { keyModifier || IV || ciphertext }
+
+ // Step 5: Calculate the digest over the IV and ciphertext.
+ // We don't need to calculate the digest over the key modifier since that
+ // value has already been mixed into the KDF used to generate the MAC key.
+ using (var validationAlgorithm = CreateValidationAlgorithm(validationSubkeyArray))
+ {
+ // As an optimization, avoid duplicating the underlying buffer
+ var underlyingBuffer = outputStream.GetBuffer();
+
+ var mac = validationAlgorithm.ComputeHash(underlyingBuffer, KEY_MODIFIER_SIZE_IN_BYTES, checked((int)outputStream.Length - KEY_MODIFIER_SIZE_IN_BYTES));
+ outputStream.Write(mac, 0, mac.Length);
+
+ // At this point, outputStream := { keyModifier || IV || ciphertext || MAC(IV || ciphertext) }
+ // And we're done!
+ return outputStream.ToArray();
+ }
+ }
+ }
+ finally
+ {
+ Array.Clear(keyModifier, 0, keyModifierLength);
+ Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
+ }
+ }
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // Homogenize all exceptions to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
+ }
+#endif
+ }
+
#if NET10_0_OR_GREATER
- var hashSource = payloadArray!.AsSpan(ivOffset, macOffset - ivOffset);
+ private bool ValidateMac(ReadOnlySpan dataToValidate, ReadOnlySpan providedMac, ReadOnlySpan validationSubkey, byte[]? validationSubkeyArray)
+ {
+ using var validationAlgorithm = CreateValidationAlgorithm();
+ var hashSize = validationAlgorithm.GetDigestSizeInBytes();
+ byte[]? correctHashArray = null;
+ Span correctHash = hashSize <= 128
+ ? stackalloc byte[128].Slice(0, hashSize)
+ : (correctHashArray = new byte[hashSize]);
+
+ try
+ {
int bytesWritten;
if (validationAlgorithm is HMACSHA256)
{
- bytesWritten = HMACSHA256.HashData(key: validationSubkey, source: hashSource, destination: correctHash);
+ bytesWritten = HMACSHA256.HashData(key: validationSubkey, source: dataToValidate, destination: correctHash);
}
else if (validationAlgorithm is HMACSHA512)
{
- bytesWritten = HMACSHA512.HashData(key: validationSubkey, source: hashSource, destination: correctHash);
+ bytesWritten = HMACSHA512.HashData(key: validationSubkey, source: dataToValidate, destination: correctHash);
}
else
{
// if validationSubkey is stackalloc'ed, there is no way we avoid an alloc here
validationAlgorithm.Key = validationSubkeyArray ?? validationSubkey.ToArray();
- var success = validationAlgorithm.TryComputeHash(hashSource, correctHash, out bytesWritten);
+ var success = validationAlgorithm.TryComputeHash(dataToValidate, correctHash, out bytesWritten);
Debug.Assert(success);
}
-
Debug.Assert(bytesWritten == hashSize);
+
+ return CryptoUtil.TimeConstantBuffersAreEqual(correctHash, providedMac);
+ }
+ finally
+ {
+ correctHash.Clear();
+ }
+ }
#else
+ private void CalculateAndValidateMac(
+ byte[] payloadArray,
+ int ivOffset, int macOffset, int eofOffset, // offsets to slice the payload array
+ ReadOnlySpan validationSubkey,
+ byte[]? validationSubkeyArray)
+ {
+ using var validationAlgorithm = CreateValidationAlgorithm();
+ var hashSize = validationAlgorithm.GetDigestSizeInBytes();
+
+ byte[]? correctHashArray = null;
+ Span correctHash = hashSize <= 128
+ ? stackalloc byte[128].Slice(0, hashSize)
+ : (correctHashArray = new byte[hashSize]);
+
+ try
+ {
// if validationSubkey is stackalloc'ed, there is no way we avoid an alloc here
validationAlgorithm.Key = validationSubkeyArray ?? validationSubkey.ToArray();
correctHashArray = validationAlgorithm.ComputeHash(payloadArray, macOffset, eofOffset - macOffset);
-#endif
// Step 4: Validate the MAC provided as part of the payload.
var payloadMacSpan = payloadArray!.AsSpan(macOffset, eofOffset - macOffset);
@@ -533,6 +472,227 @@ private void CalculateAndValidateMac(
correctHash.Clear();
}
}
+#endif
+
+ public byte[] Decrypt(ArraySegment protectedPayload, ArraySegment additionalAuthenticatedData)
+ {
+ // Assumption: protectedPayload := { keyModifier | IV | encryptedData | MAC(IV | encryptedPayload) }
+ protectedPayload.Validate();
+ additionalAuthenticatedData.Validate();
+
+#if NET10_0_OR_GREATER
+ var size = GetDecryptedSize(protectedPayload.Count);
+ var rentedArray = ArrayPool.Shared.Rent(size);
+ try
+ {
+ var destination = rentedArray.AsSpan(0, size);
+
+ if (!TryDecrypt(
+ cipherText: protectedPayload,
+ additionalAuthenticatedData: additionalAuthenticatedData,
+ destination: destination,
+ out var bytesWritten))
+ {
+ throw Error.CryptCommon_GenericError(new ArgumentException("Not enough space in destination array"));
+ }
+
+ // we don't know the exact size of the decrypted data beforehand,
+ // so we firstly use rented array and then allocate with the exact size
+ var result = destination.Slice(0, bytesWritten).ToArray();
+ return result;
+ }
+ finally
+ {
+ ArrayPool.Shared.Return(rentedArray);
+ }
+#else
+ // Argument checking - input must at the absolute minimum contain a key modifier, IV, and MAC
+ if (protectedPayload.Count < checked(KEY_MODIFIER_SIZE_IN_BYTES + _symmetricAlgorithmBlockSizeInBytes + _validationAlgorithmDigestLengthInBytes))
+ {
+ throw Error.CryptCommon_PayloadInvalid();
+ }
+
+ try
+ {
+ // Step 1: Extract the key modifier and IV from the payload.
+ int keyModifierOffset; // position in protectedPayload.Array where key modifier begins
+ int ivOffset; // position in protectedPayload.Array where key modifier ends / IV begins
+ int ciphertextOffset; // position in protectedPayload.Array where IV ends / ciphertext begins
+ int macOffset; // position in protectedPayload.Array where ciphertext ends / MAC begins
+ int eofOffset; // position in protectedPayload.Array where MAC ends
+
+ checked
+ {
+ keyModifierOffset = protectedPayload.Offset;
+ ivOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
+ ciphertextOffset = ivOffset + _symmetricAlgorithmBlockSizeInBytes;
+ }
+
+ ReadOnlySpan keyModifier = protectedPayload.Array!.AsSpan(keyModifierOffset, ivOffset - keyModifierOffset);
+
+ // Step 2: Decrypt the KDK and use it to restore the original encryption and MAC keys.
+ var decryptedKdk = new byte[_keyDerivationKey.Length];
+
+ byte[]? validationSubkeyArray = null;
+ var validationSubkey = _validationAlgorithmSubkeyLengthInBytes <= 128
+ ? stackalloc byte[128].Slice(0, _validationAlgorithmSubkeyLengthInBytes)
+ : (validationSubkeyArray = new byte[_validationAlgorithmSubkeyLengthInBytes]);
+
+ byte[] decryptionSubkey = new byte[_symmetricAlgorithmSubkeyLengthInBytes];
+ // calling "fixed" is basically pinning the array, meaning the GC won't move it around. (Also for safety concerns)
+ // note: it is safe to call `fixed` on null - it is just a no-op
+ fixed (byte* decryptedKdkUnsafe = decryptedKdk)
+ fixed (byte* __unused__2 = decryptionSubkey)
+ fixed (byte* __unused__3 = validationSubkeyArray)
+ {
+ try
+ {
+ _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
+ ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
+ kdk: decryptedKdk,
+ label: additionalAuthenticatedData,
+ contextHeader: _contextHeader,
+ contextData: keyModifier,
+ operationSubkey: decryptionSubkey,
+ validationSubkey: validationSubkey);
+
+ // Step 3: Calculate the correct MAC for this payload.
+ // correctHash := MAC(IV || ciphertext)
+ checked
+ {
+ eofOffset = protectedPayload.Offset + protectedPayload.Count;
+ macOffset = eofOffset - _validationAlgorithmDigestLengthInBytes;
+ }
+
+ // Step 4: Validate the MAC provided as part of the payload.
+ CalculateAndValidateMac(protectedPayload.Array!, ivOffset, macOffset, eofOffset, validationSubkey, validationSubkeyArray);
+
+ // Step 5: Decipher the ciphertext and return it to the caller.
+ var iv = protectedPayload.Array!.AsSpan(ivOffset, _symmetricAlgorithmBlockSizeInBytes).ToArray();
+
+ using (var symmetricAlgorithm = CreateSymmetricAlgorithm())
+ using (var cryptoTransform = symmetricAlgorithm.CreateDecryptor(decryptionSubkey, iv))
+ {
+ var outputStream = new MemoryStream();
+ using (var cryptoStream = new CryptoStream(outputStream, cryptoTransform, CryptoStreamMode.Write))
+ {
+ cryptoStream.Write(protectedPayload.Array!, ciphertextOffset, macOffset - ciphertextOffset);
+ cryptoStream.FlushFinalBlock();
+
+ // At this point, outputStream := { plaintext }, and we're done!
+ return outputStream.ToArray();
+ }
+ }
+ }
+ finally
+ {
+ // delete since these contain secret material
+ validationSubkey.Clear();
+ Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
+ }
+ }
+ }
+ catch (Exception ex) when (ex.RequiresHomogenization())
+ {
+ // Homogenize all exceptions to CryptographicException.
+ throw Error.CryptCommon_GenericError(ex);
+ }
+#endif
+ }
+
+ private byte[] CreateContextHeader()
+ {
+ var EMPTY_ARRAY = Array.Empty();
+ var EMPTY_ARRAY_SEGMENT = new ArraySegment(EMPTY_ARRAY);
+
+ var retVal = new byte[checked(
+ 1 /* KDF alg */
+ + 1 /* chaining mode */
+ + sizeof(uint) /* sym alg key size */
+ + sizeof(uint) /* sym alg block size */
+ + sizeof(uint) /* hmac alg key size */
+ + sizeof(uint) /* hmac alg digest size */
+ + _symmetricAlgorithmBlockSizeInBytes /* ciphertext of encrypted empty string */
+ + _validationAlgorithmDigestLengthInBytes /* digest of HMACed empty string */)];
+
+ var idx = 0;
+
+ // First is the two-byte header
+ retVal[idx++] = 0; // 0x00 = SP800-108 CTR KDF w/ HMACSHA512 PRF
+ retVal[idx++] = 0; // 0x00 = CBC encryption + HMAC authentication
+
+ // Next is information about the symmetric algorithm (key size followed by block size)
+ BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(retVal, ref idx, _symmetricAlgorithmBlockSizeInBytes);
+
+ // Next is information about the keyed hash algorithm (key size followed by digest size)
+ BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmSubkeyLengthInBytes);
+ BitHelpers.WriteTo(retVal, ref idx, _validationAlgorithmDigestLengthInBytes);
+
+ // See the design document for an explanation of the following code.
+ var tempKeys = new byte[_symmetricAlgorithmSubkeyLengthInBytes + _validationAlgorithmSubkeyLengthInBytes];
+ ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
+ kdk: EMPTY_ARRAY,
+ label: EMPTY_ARRAY_SEGMENT,
+ contextHeader: EMPTY_ARRAY_SEGMENT,
+ contextData: EMPTY_ARRAY_SEGMENT,
+ operationSubkey: tempKeys.AsSpan(0, _symmetricAlgorithmSubkeyLengthInBytes),
+ validationSubkey: tempKeys.AsSpan(_symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes));
+
+ // At this point, tempKeys := { K_E || K_H }.
+
+ // Encrypt a zero-length input string with an all-zero IV and copy the ciphertext to the return buffer.
+ using (var symmetricAlg = CreateSymmetricAlgorithm())
+ {
+ using (var cryptoTransform = symmetricAlg.CreateEncryptor(
+ rgbKey: new ArraySegment(tempKeys, 0, _symmetricAlgorithmSubkeyLengthInBytes).AsStandaloneArray(),
+ rgbIV: new byte[_symmetricAlgorithmBlockSizeInBytes]))
+ {
+ var ciphertext = cryptoTransform.TransformFinalBlock(EMPTY_ARRAY, 0, 0);
+ CryptoUtil.Assert(ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes, "ciphertext != null && ciphertext.Length == _symmetricAlgorithmBlockSizeInBytes");
+ Buffer.BlockCopy(ciphertext, 0, retVal, idx, ciphertext.Length);
+ }
+ }
+
+ idx += _symmetricAlgorithmBlockSizeInBytes;
+
+ // MAC a zero-length input string and copy the digest to the return buffer.
+ using (var hashAlg = CreateValidationAlgorithm(new ArraySegment(tempKeys, _symmetricAlgorithmSubkeyLengthInBytes, _validationAlgorithmSubkeyLengthInBytes).AsStandaloneArray()))
+ {
+ var digest = hashAlg.ComputeHash(EMPTY_ARRAY);
+ CryptoUtil.Assert(digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes, "digest != null && digest.Length == _validationAlgorithmDigestLengthInBytes");
+ Buffer.BlockCopy(digest, 0, retVal, idx, digest.Length);
+ }
+
+ idx += _validationAlgorithmDigestLengthInBytes;
+ CryptoUtil.Assert(idx == retVal.Length, "idx == retVal.Length");
+
+ // retVal := { version || chainingMode || symAlgKeySize || symAlgBlockSize || macAlgKeySize || macAlgDigestSize || E("") || MAC("") }.
+ return retVal;
+ }
+
+ private SymmetricAlgorithm CreateSymmetricAlgorithm()
+ {
+ var retVal = _symmetricAlgorithmFactory();
+ CryptoUtil.Assert(retVal != null, "retVal != null");
+
+ retVal.Mode = CipherMode.CBC;
+ retVal.Padding = PaddingMode.PKCS7;
+
+ return retVal;
+ }
+
+ private KeyedHashAlgorithm CreateValidationAlgorithm(byte[]? key = null)
+ {
+ var retVal = _validationAlgorithmFactory();
+ CryptoUtil.Assert(retVal != null, "retVal != null");
+
+ if (key is not null)
+ {
+ retVal.Key = key;
+ }
+ return retVal;
+ }
public void Dispose()
{
diff --git a/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt b/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt
index 7dc5c58110bf..20bebb9a3e97 100644
--- a/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt
+++ b/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt
@@ -1 +1,6 @@
#nullable enable
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ISpanAuthenticatedEncryptor
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ISpanAuthenticatedEncryptor.GetDecryptedSize(int cipherTextLength) -> int
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ISpanAuthenticatedEncryptor.GetEncryptedSize(int plainTextLength) -> int
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ISpanAuthenticatedEncryptor.TryDecrypt(System.ReadOnlySpan cipherText, System.ReadOnlySpan additionalAuthenticatedData, System.Span destination, out int bytesWritten) -> bool
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ISpanAuthenticatedEncryptor.TryEncrypt(System.ReadOnlySpan plaintext, System.ReadOnlySpan additionalAuthenticatedData, System.Span destination, out int bytesWritten) -> bool
diff --git a/src/DataProtection/DataProtection/src/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs b/src/DataProtection/DataProtection/src/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
index cd20c176b67a..31c64b6a18af 100644
--- a/src/DataProtection/DataProtection/src/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
+++ b/src/DataProtection/DataProtection/src/SP800_108/SP800_108_CTR_HMACSHA512Extensions.cs
@@ -1,6 +1,7 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System.Runtime.CompilerServices;
using Microsoft.AspNetCore.Cryptography;
namespace Microsoft.AspNetCore.DataProtection.SP800_108;
@@ -24,9 +25,9 @@ public static void DeriveKeyWithContextHeader(this ISP800_108_CTR_HMACSHA512Prov
fixed (byte* pbContextHeader = contextHeader)
{
- UnsafeBufferUtil.BlockCopy(from: pbContextHeader, to: pbCombinedContext, byteCount: contextHeader.Length);
+ Unsafe.CopyBlock(pbCombinedContext, pbContextHeader, (uint)contextHeader.Length);
}
- UnsafeBufferUtil.BlockCopy(from: pbContext, to: &pbCombinedContext[contextHeader.Length], byteCount: cbContext);
+ Unsafe.CopyBlock(&pbCombinedContext[contextHeader.Length], pbContext, cbContext);
// At this point, combinedContext := { contextHeader || context }
provider.DeriveKey(pbLabel, cbLabel, pbCombinedContext, cbCombinedContext, pbDerivedKey, cbDerivedKey);
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Aes/AesAuthenticatedEncryptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Aes/AesAuthenticatedEncryptorTests.cs
new file mode 100644
index 000000000000..458205fe40c9
--- /dev/null
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Aes/AesAuthenticatedEncryptorTests.cs
@@ -0,0 +1,27 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.Managed;
+using Microsoft.AspNetCore.DataProtection.Tests.Internal;
+
+namespace Microsoft.AspNetCore.DataProtection.Tests.Aes;
+public class AesAuthenticatedEncryptorTests
+{
+ [Theory]
+ [InlineData(128)]
+ [InlineData(192)]
+ [InlineData(256)]
+ public void Roundtrip_AesGcm_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits)
+ {
+ Secret kdk = new Secret(new byte[512 / 8]);
+ IAuthenticatedEncryptor encryptor = new AesGcmAuthenticatedEncryptor(kdk, derivedKeySizeInBytes: symmetricKeySizeBits / 8);
+ ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext"));
+ ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad"));
+
+ RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);
+ }
+}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
index e8131de80b71..f0f812c42917 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorDescriptorTests.cs
@@ -39,13 +39,13 @@ public void CreateAuthenticatedEncryptor_RoundTripsData_CngCbcImplementation(Enc
symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC,
symmetricAlgorithmKeySizeInBytes: (uint)(keyLengthInBits / 8),
hmacAlgorithmHandle: BCryptAlgorithmHandle.OpenAlgorithmHandle(hashAlgorithm, hmac: true));
- var test = CreateEncryptorInstanceFromDescriptor(CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey));
+ var encryptor = CreateEncryptorInstanceFromDescriptor(CreateDescriptor(encryptionAlgorithm, validationAlgorithm, masterKey));
// Act & assert - data round trips properly from control to test
byte[] plaintext = new byte[] { 1, 2, 3, 4, 5 };
byte[] aad = new byte[] { 2, 4, 6, 8, 0 };
byte[] ciphertext = control.Encrypt(new ArraySegment(plaintext), new ArraySegment(aad));
- byte[] roundTripPlaintext = test.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad));
+ byte[] roundTripPlaintext = encryptor.Decrypt(new ArraySegment(ciphertext), new ArraySegment(aad));
Assert.Equal(plaintext, roundTripPlaintext);
}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CbcAuthenticatedEncryptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CbcAuthenticatedEncryptorTests.cs
index ef8a921f2bae..fde038e4b423 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CbcAuthenticatedEncryptorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CbcAuthenticatedEncryptorTests.cs
@@ -1,10 +1,14 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System.Buffers;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Cryptography.Cng;
+using Microsoft.AspNetCore.Cryptography.SafeHandles;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.DataProtection.Tests.Internal;
using Microsoft.AspNetCore.InternalTesting;
namespace Microsoft.AspNetCore.DataProtection.Cng;
@@ -113,4 +117,37 @@ public void Encrypt_KnownKey()
string retValAsString = Convert.ToBase64String(retVal);
Assert.Equal("AAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh+36j4yWJOjBgOJxmYDYwhLnYqFxw+9mNh/cudyPrWmJmw4d/dmGaLJLLut2udiAAAAAAAA", retValAsString);
}
+
+ [ConditionalTheory]
+ [ConditionalRunTestOnlyOnWindows]
+ [InlineData(128, "SHA256", "")]
+ [InlineData(128, "SHA256", "This is a small text")]
+ [InlineData(128, "SHA256", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(192, "SHA256", "")]
+ [InlineData(192, "SHA256", "This is a small text")]
+ [InlineData(192, "SHA256", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(256, "SHA256", "")]
+ [InlineData(256, "SHA256", "This is a small text")]
+ [InlineData(256, "SHA256", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(128, "SHA512", "")]
+ [InlineData(128, "SHA512", "This is a small text")]
+ [InlineData(128, "SHA512", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(192, "SHA512", "")]
+ [InlineData(192, "SHA512", "This is a small text")]
+ [InlineData(192, "SHA512", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ [InlineData(256, "SHA512", "")]
+ [InlineData(256, "SHA512", "This is a small text")]
+ [InlineData(256, "SHA512", "This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly")]
+ public void Roundtrip_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits, string hmacAlgorithm, string plainText)
+ {
+ Secret kdk = new Secret(new byte[512 / 8]);
+ IAuthenticatedEncryptor encryptor = new CbcAuthenticatedEncryptor(kdk,
+ symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_CBC,
+ symmetricAlgorithmKeySizeInBytes: (uint)(symmetricKeySizeBits / 8),
+ hmacAlgorithmHandle: BCryptAlgorithmHandle.OpenAlgorithmHandle(hmacAlgorithm, hmac: true));
+ ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes(plainText));
+ ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad"));
+
+ RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);
+ }
}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CngAuthenticatedEncryptorBaseTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CngAuthenticatedEncryptorBaseTests.cs
deleted file mode 100644
index 8357894f8a01..000000000000
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/CngAuthenticatedEncryptorBaseTests.cs
+++ /dev/null
@@ -1,105 +0,0 @@
-// Licensed to the .NET Foundation under one or more agreements.
-// The .NET Foundation licenses this file to you under the MIT license.
-
-using Moq;
-
-namespace Microsoft.AspNetCore.DataProtection.Cng.Internal;
-
-public unsafe class CngAuthenticatedEncryptorBaseTests
-{
- [Fact]
- public void Decrypt_ForwardsArraySegment()
- {
- // Arrange
- var ciphertext = new ArraySegment(new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04 }, 3, 2);
- var aad = new ArraySegment(new byte[] { 0x10, 0x11, 0x12, 0x13, 0x14 }, 1, 4);
-
- var encryptorMock = new Mock();
- encryptorMock
- .Setup(o => o.DecryptHook(It.IsAny(), 2, It.IsAny(), 4))
- .Returns((IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) =>
- {
- // ensure that pointers started at the right place
- Assert.Equal((byte)0x03, *(byte*)pbCiphertext);
- Assert.Equal((byte)0x11, *(byte*)pbAdditionalAuthenticatedData);
- return new byte[] { 0x20, 0x21, 0x22 };
- });
-
- // Act
- var retVal = encryptorMock.Object.Decrypt(ciphertext, aad);
-
- // Assert
- Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal);
- }
-
- [Fact]
- public void Decrypt_HandlesEmptyAADPointerFixup()
- {
- // Arrange
- var ciphertext = new ArraySegment(new byte[] { 0x00, 0x01, 0x02, 0x03, 0x04 }, 3, 2);
- var aad = new ArraySegment(new byte[0]);
-
- var encryptorMock = new Mock();
- encryptorMock
- .Setup(o => o.DecryptHook(It.IsAny(), 2, It.IsAny(), 0))
- .Returns((IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) =>
- {
- // ensure that pointers started at the right place
- Assert.Equal((byte)0x03, *(byte*)pbCiphertext);
- Assert.NotEqual(IntPtr.Zero, pbAdditionalAuthenticatedData); // CNG will complain if this pointer is zero
- return new byte[] { 0x20, 0x21, 0x22 };
- });
-
- // Act
- var retVal = encryptorMock.Object.Decrypt(ciphertext, aad);
-
- // Assert
- Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal);
- }
-
- [Fact]
- public void Decrypt_HandlesEmptyCiphertextPointerFixup()
- {
- // Arrange
- var ciphertext = new ArraySegment(new byte[0]);
- var aad = new ArraySegment(new byte[] { 0x10, 0x11, 0x12, 0x13, 0x14 }, 1, 4);
-
- var encryptorMock = new Mock();
- encryptorMock
- .Setup(o => o.DecryptHook(It.IsAny(), 0, It.IsAny(), 4))
- .Returns((IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData) =>
- {
- // ensure that pointers started at the right place
- Assert.NotEqual(IntPtr.Zero, pbCiphertext); // CNG will complain if this pointer is zero
- Assert.Equal((byte)0x11, *(byte*)pbAdditionalAuthenticatedData);
- return new byte[] { 0x20, 0x21, 0x22 };
- });
-
- // Act
- var retVal = encryptorMock.Object.Decrypt(ciphertext, aad);
-
- // Assert
- Assert.Equal(new byte[] { 0x20, 0x21, 0x22 }, retVal);
- }
-
- internal abstract class MockableEncryptor : CngAuthenticatedEncryptorBase
- {
- public override void Dispose()
- {
- }
-
- public abstract byte[] DecryptHook(IntPtr pbCiphertext, uint cbCiphertext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData);
-
- protected sealed override unsafe byte[] DecryptImpl(byte* pbCiphertext, uint cbCiphertext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData)
- {
- return DecryptHook((IntPtr)pbCiphertext, cbCiphertext, (IntPtr)pbAdditionalAuthenticatedData, cbAdditionalAuthenticatedData);
- }
-
- public abstract byte[] EncryptHook(IntPtr pbPlaintext, uint cbPlaintext, IntPtr pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer);
-
- protected sealed override unsafe byte[] EncryptImpl(byte* pbPlaintext, uint cbPlaintext, byte* pbAdditionalAuthenticatedData, uint cbAdditionalAuthenticatedData, uint cbPreBuffer, uint cbPostBuffer)
- {
- return EncryptHook((IntPtr)pbPlaintext, cbPlaintext, (IntPtr)pbAdditionalAuthenticatedData, cbAdditionalAuthenticatedData, cbPreBuffer, cbPostBuffer);
- }
- }
-}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/GcmAuthenticatedEncryptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/GcmAuthenticatedEncryptorTests.cs
index 15b8a2fd1bb1..5c9ff8124149 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/GcmAuthenticatedEncryptorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Cng/GcmAuthenticatedEncryptorTests.cs
@@ -4,7 +4,10 @@
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Cryptography.Cng;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.Managed;
using Microsoft.AspNetCore.DataProtection.Test.Shared;
+using Microsoft.AspNetCore.DataProtection.Tests.Internal;
using Microsoft.AspNetCore.InternalTesting;
namespace Microsoft.AspNetCore.DataProtection.Cng;
@@ -102,4 +105,21 @@ public void Encrypt_KnownKey()
string retValAsString = Convert.ToBase64String(retVal);
Assert.Equal("AAAAAAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaG0O2kY0NZtmh2UQtXY5B2jlgnOgAAAAA", retValAsString);
}
+
+ [ConditionalTheory]
+ [ConditionalRunTestOnlyOnWindows]
+ [InlineData(128)]
+ [InlineData(192)]
+ [InlineData(256)]
+ public void Roundtrip_CngGcm_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits)
+ {
+ Secret kdk = new Secret(new byte[512 / 8]);
+ IAuthenticatedEncryptor encryptor = new CngGcmAuthenticatedEncryptor(kdk,
+ symmetricAlgorithmHandle: CachedAlgorithmHandles.AES_GCM,
+ symmetricAlgorithmKeySizeInBytes: (uint)(symmetricKeySizeBits / 8));
+ ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext"));
+ ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad"));
+
+ RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);
+ }
}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs
new file mode 100644
index 000000000000..d3d5158c9999
--- /dev/null
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Internal/RoundtripEncryptionHelpers.cs
@@ -0,0 +1,130 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Buffers;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.Text;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+
+namespace Microsoft.AspNetCore.DataProtection.Tests.Internal;
+
+internal static class RoundtripEncryptionHelpers
+{
+ ///
+ /// and APIs should do the same steps
+ /// as and APIs.
+ ///
+ /// Method ensures that the two APIs are equivalent in terms of their behavior by performing a roundtrip encrypt-decrypt test.
+ ///
+ public static void AssertTryEncryptTryDecryptParity(IAuthenticatedEncryptor encryptor, ArraySegment plaintext, ArraySegment aad)
+ {
+ var spanAuthenticatedEncryptor = encryptor as ISpanAuthenticatedEncryptor;
+ Debug.Assert(spanAuthenticatedEncryptor != null, "ISpanDataProtector is not supported by the encryptor");
+
+ // assert "allocatey" Encrypt/Decrypt APIs roundtrip correctly
+ byte[] ciphertext = encryptor.Encrypt(plaintext, aad);
+ byte[] decipheredtext = encryptor.Decrypt(new ArraySegment(ciphertext), aad);
+ Assert.Equal(plaintext.AsSpan(), decipheredtext.AsSpan());
+
+ // assert calculated sizes are correct
+ var expectedEncryptedSize = spanAuthenticatedEncryptor.GetEncryptedSize(plaintext.Count);
+ Assert.Equal(expectedEncryptedSize, ciphertext.Length);
+ var expectedDecryptedSize = spanAuthenticatedEncryptor.GetDecryptedSize(ciphertext.Length);
+
+ // note: for decryption we cant know for sure how many bytes will be written.
+ // so we cant assert equality, but we can check if expected decrypted size is greater or equal than original deciphered text
+ Assert.True(expectedDecryptedSize >= decipheredtext.Length);
+
+ // perform TryEncrypt and Decrypt roundtrip - ensures cross operation compatibility
+ var cipherTextPooled = ArrayPool.Shared.Rent(expectedEncryptedSize);
+ try
+ {
+ var tryEncryptResult = spanAuthenticatedEncryptor.TryEncrypt(plaintext, aad, cipherTextPooled, out var bytesWritten);
+ Assert.Equal(expectedEncryptedSize, bytesWritten);
+ Assert.True(tryEncryptResult);
+
+ var decipheredTryEncrypt = spanAuthenticatedEncryptor.Decrypt(new ArraySegment(cipherTextPooled, 0, expectedEncryptedSize), aad);
+ Assert.Equal(plaintext.AsSpan(), decipheredTryEncrypt.AsSpan());
+ }
+ finally
+ {
+ ArrayPool.Shared.Return(cipherTextPooled);
+ }
+
+ // perform Encrypt and TryDecrypt roundtrip - ensures cross operation compatibility
+ var plainTextPooled = ArrayPool.Shared.Rent(expectedDecryptedSize);
+ try
+ {
+ var encrypted = spanAuthenticatedEncryptor.Encrypt(plaintext, aad);
+ var decipheredTryDecrypt = spanAuthenticatedEncryptor.TryDecrypt(encrypted, aad, plainTextPooled, out var bytesWritten);
+ Assert.Equal(plaintext.AsSpan(), plainTextPooled.AsSpan(0, bytesWritten));
+ Assert.True(decipheredTryDecrypt);
+
+ // now we should know that bytesWritten is STRICTLY equal to the deciphered text
+ Assert.Equal(decipheredtext.Length, bytesWritten);
+ }
+ finally
+ {
+ ArrayPool.Shared.Return(plainTextPooled);
+ }
+ }
+
+ ///
+ /// and APIs should do the same steps
+ /// as and APIs.
+ ///
+ /// Method ensures that the two APIs are equivalent in terms of their behavior by performing a roundtrip protect-unprotect test.
+ ///
+ public static void AssertTryProtectTryUnprotectParity(ISpanDataProtector protector, ReadOnlySpan plaintext)
+ {
+ // assert "allocatey" Protect/Unprotect APIs roundtrip correctly
+ byte[] protectedData = protector.Protect(plaintext.ToArray());
+ byte[] unprotectedData = protector.Unprotect(protectedData);
+ Assert.Equal(plaintext, unprotectedData.AsSpan());
+
+ // assert calculated sizes are correct
+ var expectedProtectedSize = protector.GetProtectedSize(plaintext.Length);
+ Assert.Equal(expectedProtectedSize, protectedData.Length);
+ var expectedUnprotectedSize = protector.GetUnprotectedSize(protectedData.Length);
+
+ // note: for unprotection we can't know exactly how many bytes will be written since it's the original plaintext
+ Assert.True(expectedUnprotectedSize >= unprotectedData.Length);
+
+ // perform TryProtect and Unprotect roundtrip - ensures cross operation compatibility
+ var protectedPooled = ArrayPool.Shared.Rent(expectedProtectedSize);
+ try
+ {
+ var tryProtectResult = protector.TryProtect(plaintext, protectedPooled, out var bytesWritten);
+ Assert.Equal(expectedProtectedSize, bytesWritten);
+ Assert.True(tryProtectResult);
+
+ var unprotectedTryProtect = protector.Unprotect(protectedPooled.AsSpan(0, expectedProtectedSize).ToArray());
+ Assert.Equal(plaintext, unprotectedTryProtect.AsSpan());
+ }
+ finally
+ {
+ ArrayPool.Shared.Return(protectedPooled);
+ }
+
+ // perform Protect and TryUnprotect roundtrip - ensures cross operation compatibility
+ // Note: This test is limited because we can't easily access the correct AAD from outside the protector
+ // But we can test basic functionality with empty AAD and expect it to fail gracefully
+ var unprotectedPooled = ArrayPool.Shared.Rent(expectedUnprotectedSize);
+ try
+ {
+ var protectedByProtect = protector.Protect(plaintext.ToArray());
+ var unprotectedTryUnprotect = protector.TryUnprotect(protectedByProtect, unprotectedPooled, out var bytesWritten);
+ Assert.Equal(plaintext, unprotectedPooled.AsSpan(0, bytesWritten));
+ Assert.True(unprotectedTryUnprotect);
+
+ // now we should know that bytesWritten is STRICTLY equal to the deciphered text
+ Assert.Equal(unprotectedData.Length, bytesWritten);
+ }
+ finally
+ {
+ ArrayPool.Shared.Return(unprotectedPooled);
+ }
+ }
+}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs
index 1a17c3b44215..b073a24a9bfd 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs
@@ -1,12 +1,17 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System.Buffers.Binary;
+using System.Diagnostics;
using System.Globalization;
using System.Net;
+using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
+using Microsoft.AspNetCore.DataProtection.Managed;
+using Microsoft.AspNetCore.DataProtection.Tests.Internal;
using Microsoft.AspNetCore.InternalTesting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
@@ -619,6 +624,161 @@ public void CreateProtector_ChainsPurposes()
Assert.Equal(expectedProtectedData, retVal);
}
+ [Theory]
+ [InlineData("", EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("small", EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("This is a medium length plaintext message", EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("This is a very long plaintext message that spans multiple blocks and should test the encryption and size estimation with larger payloads to ensure everything works correctly", EncryptionAlgorithm.AES_128_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("small", EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("This is a medium length plaintext message", EncryptionAlgorithm.AES_256_CBC, ValidationAlgorithm.HMACSHA512)]
+ [InlineData("small", EncryptionAlgorithm.AES_128_GCM, ValidationAlgorithm.HMACSHA256)]
+ [InlineData("This is a medium length plaintext message", EncryptionAlgorithm.AES_256_GCM, ValidationAlgorithm.HMACSHA256)]
+ public void GetProtectedSize_TryProtectUnprotect_CorrectlyEstimatesDataLength_MultipleScenarios(string plaintextStr, EncryptionAlgorithm encryptionAlgorithm, ValidationAlgorithm validationAlgorithm)
+ {
+ byte[] plaintext = Encoding.UTF8.GetBytes(plaintextStr);
+ var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
+
+ var configuration = new AuthenticatedEncryptorConfiguration
+ {
+ EncryptionAlgorithm = encryptionAlgorithm,
+ ValidationAlgorithm = validationAlgorithm
+ };
+
+ Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, configuration.CreateNewDescriptor(), new[] { encryptorFactory });
+ var keyRing = new KeyRing(key, [ key ]);
+ var mockKeyRingProvider = new Mock();
+ mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);
+
+ var protector = new KeyRingBasedSpanDataProtector(
+ keyRingProvider: mockKeyRingProvider.Object,
+ logger: GetLogger(),
+ originalPurposes: null,
+ newPurpose: "purpose");
+
+ RoundtripEncryptionHelpers.AssertTryProtectTryUnprotectParity(protector, plaintext);
+ }
+
+ [Theory]
+ [InlineData(16)] // 16 bytes
+ [InlineData(32)] // 32 bytes
+ [InlineData(64)] // 64 bytes
+ [InlineData(128)] // 128 bytes
+ [InlineData(256)] // 256 bytes
+ [InlineData(512)] // 512 bytes
+ [InlineData(1024)] // 1 KB
+ [InlineData(4096)] // 4 KB
+ public void GetProtectedSize_TryProtect_VariousPlaintextSizes(int plaintextSize)
+ {
+ byte[] plaintext = new byte[plaintextSize];
+ for (int i = 0; i < plaintextSize; i++)
+ {
+ plaintext[i] = (byte)(i % 256);
+ }
+
+ var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
+ Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration().CreateNewDescriptor(), new[] { encryptorFactory });
+ var keyRing = new KeyRing(key, new[] { key });
+ var mockKeyRingProvider = new Mock();
+ mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);
+
+ var protector = new KeyRingBasedSpanDataProtector(
+ keyRingProvider: mockKeyRingProvider.Object,
+ logger: GetLogger(),
+ originalPurposes: null,
+ newPurpose: "purpose");
+
+ RoundtripEncryptionHelpers.AssertTryProtectTryUnprotectParity(protector, plaintext);
+ }
+
+ [Theory]
+ [InlineData(16)] // 16 bytes
+ [InlineData(32)] // 32 bytes
+ [InlineData(64)] // 64 bytes
+ [InlineData(128)] // 128 bytes
+ [InlineData(256)] // 256 bytes
+ [InlineData(512)] // 512 bytes
+ [InlineData(1024)] // 1 KB
+ [InlineData(4096)] // 4 KB
+ public void GetUnprotectedSize_EstimatesCorrectly_VariousPlaintextSizes(int plaintextSize)
+ {
+ // Arrange
+ byte[] plaintext = new byte[plaintextSize];
+ // Fill with a pattern to make debugging easier if needed
+ for (int i = 0; i < plaintextSize; i++)
+ {
+ plaintext[i] = (byte)(i % 256);
+ }
+
+ var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
+ Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration().CreateNewDescriptor(), new[] { encryptorFactory });
+ var keyRing = new KeyRing(key, new[] { key });
+ var mockKeyRingProvider = new Mock();
+ mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);
+
+ var protector = new KeyRingBasedSpanDataProtector(
+ keyRingProvider: mockKeyRingProvider.Object,
+ logger: GetLogger(),
+ originalPurposes: null,
+ newPurpose: "purpose");
+
+ // Act - first protect the data
+ byte[] protectedData = protector.Protect(plaintext);
+
+ // Act - get estimated unprotected size
+ var estimatedUnprotectedSize = protector.GetUnprotectedSize(protectedData.Length);
+
+ // Assert
+ Assert.True(estimatedUnprotectedSize >= plaintext.Length, $"Estimated unprotected size should be at least as large as original plaintext for {plaintextSize} byte plaintext");
+
+ // Verify we can actually unprotect the data
+ byte[] unprotectedData = protector.Unprotect(protectedData);
+ Assert.Equal(plaintext, unprotectedData);
+ Assert.True(unprotectedData.Length <= estimatedUnprotectedSize, "Actual unprotected size should not exceed estimate");
+ }
+
+ [Fact]
+ public void TryUnprotect_WithTooShortCiphertext_ReturnsFalse()
+ {
+ var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
+ Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration().CreateNewDescriptor(), new[] { encryptorFactory });
+ var keyRing = new KeyRing(key, new[] { key });
+ var mockKeyRingProvider = new Mock();
+ mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);
+
+ var protector = new KeyRingBasedSpanDataProtector(
+ keyRingProvider: mockKeyRingProvider.Object,
+ logger: GetLogger(),
+ originalPurposes: null,
+ newPurpose: "purpose");
+
+ // Act - try to unprotect with too short ciphertext (shorter than magic header + key id)
+ byte[] shortCiphertext = new byte[10]; // Less than 20 bytes (magic header + key id)
+ byte[] destination = new byte[100];
+
+ var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.TryUnprotect(shortCiphertext, destination, out int bytesWritten));
+ Assert.Equal(Resources.ProtectionProvider_BadMagicHeader, ex.Message);
+ }
+
+ [Fact]
+ public void GetUnprotectedSize_WithTooShortCiphertext_ThrowsException()
+ {
+ var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
+ Key key = new Key(Guid.NewGuid(), DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, new AuthenticatedEncryptorConfiguration().CreateNewDescriptor(), new[] { encryptorFactory });
+ var keyRing = new KeyRing(key, [ key ]);
+ var mockKeyRingProvider = new Mock();
+ mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);
+
+ var protector = new KeyRingBasedSpanDataProtector(
+ keyRingProvider: mockKeyRingProvider.Object,
+ logger: GetLogger(),
+ originalPurposes: null,
+ newPurpose: "purpose");
+
+ // Less than magic header + key id size
+ var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.GetUnprotectedSize(10));
+ Assert.Equal(Resources.ProtectionProvider_BadMagicHeader, ex.Message);
+ }
+
private static byte[] BuildAadFromPurposeStrings(Guid keyId, params string[] purposes)
{
var expectedAad = new byte[] { 0x09, 0xF0, 0xC9, 0xF0 } // magic header
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Managed/ManagedAuthenticatedEncryptorTests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Managed/ManagedAuthenticatedEncryptorTests.cs
index e49a4ef4cfa8..deaa07a244bc 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Managed/ManagedAuthenticatedEncryptorTests.cs
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Managed/ManagedAuthenticatedEncryptorTests.cs
@@ -1,8 +1,11 @@
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
+using System.Buffers;
using System.Security.Cryptography;
using System.Text;
+using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
+using Microsoft.AspNetCore.DataProtection.Tests.Internal;
namespace Microsoft.AspNetCore.DataProtection.Managed;
@@ -103,4 +106,33 @@ public void Encrypt_KnownKey()
string retValAsString = Convert.ToBase64String(retVal);
Assert.Equal("AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh+36j4yWJOjBgOJxmYDYwhLnYqFxw+9mNh/cudyPrWmJmw4d/dmGaLJLLut2udiAAA=", retValAsString);
}
+
+ [Theory]
+ [InlineData(128, "SHA256")]
+ [InlineData(192, "SHA256")]
+ [InlineData(256, "SHA256")]
+ [InlineData(128, "SHA512")]
+ [InlineData(192, "SHA512")]
+ [InlineData(256, "SHA512")]
+ public void Roundtrip_TryEncryptDecrypt_CorrectlyEstimatesDataLength(int symmetricKeySizeBits, string hmacAlgorithm)
+ {
+ Secret kdk = new Secret(new byte[512 / 8]);
+
+ Func validationAlgorithmFactory = hmacAlgorithm switch
+ {
+ "SHA256" => () => new HMACSHA256(),
+ "SHA512" => () => new HMACSHA512(),
+ _ => throw new ArgumentException($"Unsupported HMAC algorithm: {hmacAlgorithm}")
+ };
+
+ IAuthenticatedEncryptor encryptor = new ManagedAuthenticatedEncryptor(kdk,
+ symmetricAlgorithmFactory: Aes.Create,
+ symmetricAlgorithmKeySizeInBytes: symmetricKeySizeBits / 8,
+ validationAlgorithmFactory: validationAlgorithmFactory);
+
+ ArraySegment plaintext = new ArraySegment(Encoding.UTF8.GetBytes("plaintext"));
+ ArraySegment aad = new ArraySegment(Encoding.UTF8.GetBytes("aad"));
+
+ RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity(encryptor, plaintext, aad);
+ }
}
diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Microsoft.AspNetCore.DataProtection.Tests.csproj b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Microsoft.AspNetCore.DataProtection.Tests.csproj
index ca7b11a50c55..22cad1bc2158 100644
--- a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Microsoft.AspNetCore.DataProtection.Tests.csproj
+++ b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/Microsoft.AspNetCore.DataProtection.Tests.csproj
@@ -1,4 +1,4 @@
-
+
$(DefaultNetCoreTargetFramework)
diff --git a/src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs b/src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs
index 6cdddd7c88b6..e60a464c1acf 100644
--- a/src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs
+++ b/src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs
@@ -17,6 +17,7 @@ namespace Microsoft.AspNetCore.DataProtection;
internal sealed class TimeLimitedDataProtector : ITimeLimitedDataProtector
{
private const string MyPurposeString = "Microsoft.AspNetCore.DataProtection.TimeLimitedDataProtector.v1";
+ private const int ExpirationTimeHeaderSize = 8; // size of the expiration time header in bytes (64-bit UTC tick count)
private readonly IDataProtector _innerProtector;
private IDataProtector? _innerProtectorWithTimeLimitedPurpose; // created on-demand
@@ -50,9 +51,9 @@ public byte[] Protect(byte[] plaintext, DateTimeOffset expiration)
ArgumentNullThrowHelper.ThrowIfNull(plaintext);
// We prepend the expiration time (as a 64-bit UTC tick count) to the unprotected data.
- byte[] plaintextWithHeader = new byte[checked(8 + plaintext.Length)];
+ byte[] plaintextWithHeader = new byte[checked(ExpirationTimeHeaderSize + plaintext.Length)];
BitHelpers.WriteUInt64(plaintextWithHeader, 0, (ulong)expiration.UtcTicks);
- Buffer.BlockCopy(plaintext, 0, plaintextWithHeader, 8, plaintext.Length);
+ Buffer.BlockCopy(plaintext, 0, plaintextWithHeader, ExpirationTimeHeaderSize, plaintext.Length);
return GetInnerProtectorWithTimeLimitedPurpose().Protect(plaintextWithHeader);
}
@@ -71,7 +72,7 @@ internal byte[] UnprotectCore(byte[] protectedData, DateTimeOffset now, out Date
try
{
byte[] plaintextWithHeader = GetInnerProtectorWithTimeLimitedPurpose().Unprotect(protectedData);
- if (plaintextWithHeader.Length < 8)
+ if (plaintextWithHeader.Length < ExpirationTimeHeaderSize)
{
// header isn't present
throw new CryptographicException(Resources.TimeLimitedDataProtector_PayloadInvalid);
@@ -88,8 +89,8 @@ internal byte[] UnprotectCore(byte[] protectedData, DateTimeOffset now, out Date
}
// Not expired - split and return payload
- byte[] retVal = new byte[plaintextWithHeader.Length - 8];
- Buffer.BlockCopy(plaintextWithHeader, 8, retVal, 0, retVal.Length);
+ byte[] retVal = new byte[plaintextWithHeader.Length - ExpirationTimeHeaderSize];
+ Buffer.BlockCopy(plaintextWithHeader, ExpirationTimeHeaderSize, retVal, 0, retVal.Length);
expiration = embeddedExpiration;
return retVal;
}
diff --git a/src/DataProtection/benchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks/AssemblyInfo.cs b/src/DataProtection/benchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks/AssemblyInfo.cs
new file mode 100644
index 000000000000..09f49228e9e6
--- /dev/null
+++ b/src/DataProtection/benchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks/AssemblyInfo.cs
@@ -0,0 +1,4 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+[assembly: BenchmarkDotNet.Attributes.AspNetCoreBenchmark]
diff --git a/src/DataProtection/benchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks/Benchmarks/SpanDataProtectorComparison.cs b/src/DataProtection/benchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks/Benchmarks/SpanDataProtectorComparison.cs
new file mode 100644
index 000000000000..f4b231e59262
--- /dev/null
+++ b/src/DataProtection/benchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks/Benchmarks/SpanDataProtectorComparison.cs
@@ -0,0 +1,111 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Buffers;
+using BenchmarkDotNet.Attributes;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Microsoft.AspNetCore.DataProtection.MicroBenchmarks.Benchmarks;
+
+[SimpleJob, MemoryDiagnoser]
+public class SpanDataProtectorComparison
+{
+ private IDataProtector _dataProtector = null!;
+ private ISpanDataProtector _spanDataProtector = null!;
+
+ private byte[] _plaintext5 = null!;
+ private byte[] _plaintext50 = null!;
+ private byte[] _plaintext100 = null!;
+
+ [Params(5, 50, 100)]
+ public int PlaintextLength { get; set; }
+
+ [GlobalSetup]
+ public void Setup()
+ {
+ // Setup DataProtection as in DI
+ var services = new ServiceCollection();
+ services.AddDataProtection();
+ var serviceProvider = services.BuildServiceProvider();
+
+ _dataProtector = serviceProvider.GetDataProtector("benchmark", "test");
+ _spanDataProtector = (ISpanDataProtector)_dataProtector;
+
+ // Setup test data for different lengths
+ var random = new Random(42); // Fixed seed for consistent results
+
+ _plaintext5 = new byte[5];
+ random.NextBytes(_plaintext5);
+
+ _plaintext50 = new byte[50];
+ random.NextBytes(_plaintext50);
+
+ _plaintext100 = new byte[100];
+ random.NextBytes(_plaintext100);
+ }
+
+ private byte[] GetPlaintext()
+ {
+ return PlaintextLength switch
+ {
+ 5 => _plaintext5,
+ 50 => _plaintext50,
+ 100 => _plaintext100,
+ _ => throw new ArgumentException("Invalid plaintext length")
+ };
+ }
+
+ [Benchmark]
+ public void ProtectUnprotectRoundtrip()
+ {
+ var plaintext = GetPlaintext();
+
+ // Traditional approach with allocations
+ var protectedData = _dataProtector.Protect(plaintext);
+ var unprotectedData = _dataProtector.Unprotect(protectedData);
+ _ = unprotectedData.Length;
+ }
+
+ [Benchmark]
+ public void TryProtectTryUnprotectRoundtrip()
+ {
+ var plaintext = GetPlaintext();
+
+ // Span-based approach with minimal allocations
+ var protectedSize = _spanDataProtector.GetProtectedSize(plaintext.Length);
+ var protectedBuffer = ArrayPool.Shared.Rent(protectedSize);
+
+ try
+ {
+ var protectSuccess = _spanDataProtector.TryProtect(plaintext, protectedBuffer, out var protectedBytesWritten);
+ if (!protectSuccess)
+ {
+ throw new InvalidOperationException("TryProtect failed");
+ }
+
+ var unprotectedSize = _spanDataProtector.GetUnprotectedSize(protectedBytesWritten);
+ var unprotectedBuffer = ArrayPool.Shared.Rent(unprotectedSize);
+
+ try
+ {
+ var unprotectSuccess = _spanDataProtector.TryUnprotect(
+ protectedBuffer.AsSpan(0, protectedBytesWritten),
+ unprotectedBuffer,
+ out var unprotectedBytesWritten);
+
+ if (!unprotectSuccess)
+ {
+ throw new InvalidOperationException("TryUnprotect failed");
+ }
+ }
+ finally
+ {
+ ArrayPool.Shared.Return(unprotectedBuffer);
+ }
+ }
+ finally
+ {
+ ArrayPool.Shared.Return(protectedBuffer);
+ }
+ }
+}
diff --git a/src/DataProtection/benchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks.csproj b/src/DataProtection/benchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks.csproj
new file mode 100644
index 000000000000..8c039bbedf80
--- /dev/null
+++ b/src/DataProtection/benchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks/Microsoft.AspNetCore.DataProtection.MicroBenchmarks.csproj
@@ -0,0 +1,24 @@
+
+
+
+ $(DefaultNetCoreTargetFramework)
+ Exe
+ true
+ true
+ false
+ $(DefineConstants);IS_BENCHMARKS
+ true
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/DataProtection/samples/KeyManagementSimulator/Program.cs b/src/DataProtection/samples/KeyManagementSimulator/Program.cs
index 44622358227e..d2d428d2d7ca 100644
--- a/src/DataProtection/samples/KeyManagementSimulator/Program.cs
+++ b/src/DataProtection/samples/KeyManagementSimulator/Program.cs
@@ -277,10 +277,27 @@ sealed class MockActivator(IXmlDecryptor decryptor, IAuthenticatedEncryptorDescr
///
/// A mock authenticated encryptor that only applies the identity function (i.e. does nothing).
///
-sealed class MockAuthenticatedEncryptor : IAuthenticatedEncryptor
+sealed class MockAuthenticatedEncryptor : ISpanAuthenticatedEncryptor
{
- byte[] IAuthenticatedEncryptor.Decrypt(ArraySegment ciphertext, ArraySegment _additionalAuthenticatedData) => ciphertext.ToArray();
- byte[] IAuthenticatedEncryptor.Encrypt(ArraySegment plaintext, ArraySegment _additionalAuthenticatedData) => plaintext.ToArray();
+ public byte[] Decrypt(ArraySegment ciphertext, ArraySegment _additionalAuthenticatedData) => ciphertext.ToArray();
+ public byte[] Encrypt(ArraySegment plaintext, ArraySegment _additionalAuthenticatedData) => plaintext.ToArray();
+
+ public int GetDecryptedSize(int cipherTextLength) => cipherTextLength;
+ public int GetEncryptedSize(int plainTextLength) => plainTextLength;
+
+ public bool TryDecrypt(ReadOnlySpan cipherText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ var result = cipherText.TryCopyTo(destination);
+ bytesWritten = destination.Length;
+ return result;
+ }
+
+ public bool TryEncrypt(ReadOnlySpan plainText, ReadOnlySpan additionalAuthenticatedData, Span destination, out int bytesWritten)
+ {
+ var result = plainText.TryCopyTo(destination);
+ bytesWritten = destination.Length;
+ return result;
+ }
}
///
diff --git a/src/Shared/BenchmarkRunner/AspNetCoreBenchmarkAttribute.cs b/src/Shared/BenchmarkRunner/AspNetCoreBenchmarkAttribute.cs
index 4920778550c1..05c03a56f209 100644
--- a/src/Shared/BenchmarkRunner/AspNetCoreBenchmarkAttribute.cs
+++ b/src/Shared/BenchmarkRunner/AspNetCoreBenchmarkAttribute.cs
@@ -53,7 +53,7 @@ public IConfig Config
throw new InvalidOperationException(message);
}
- return (IConfig)Activator.CreateInstance(configType, Array.Empty