dotnet · DeagleGross · Dec 9, 2024 · Dec 10, 2024 · Dec 10, 2024 · Dec 10, 2024
diff --git a/src/DataProtection/Cryptography.Internal/src/CryptoUtil.cs b/src/DataProtection/Cryptography.Internal/src/CryptoUtil.cs
@@ -91,6 +91,21 @@ public static bool TimeConstantBuffersAreEqual(byte* bufA, byte* bufB, uint coun
 #endif
     }
 
+#if NET10_0_OR_GREATER
+    [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
+    public static bool TimeConstantBuffersAreEqual(ReadOnlySpan<byte> bufA, ReadOnlySpan<byte> bufB)
+    {
+        // Technically this is an early exit scenario, but it means that the caller did something bizarre.
+        // An error at the call site isn't usable for timing attacks.
+        Assert(bufA.Length == bufB.Length, "bufA.Length == bufB.Length");
+
+        unsafe
+        {
+            return CryptographicOperations.FixedTimeEquals(bufA, bufB);
+        }
+    }
+#endif
+
     [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
     public static bool TimeConstantBuffersAreEqual(byte[] bufA, int offsetA, int countA, byte[] bufB, int offsetB, int countB)
     {

diff --git a/src/DataProtection/DataProtection/src/Internal/DataProtectionPool.cs b/src/DataProtection/DataProtection/src/Internal/DataProtectionPool.cs
@@ -0,0 +1,23 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Buffers;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.DataProtection.Internal;
+
+/// <summary>
+/// Used for pooling secret data (e.g. Protect()/Unprotect() flow).
+/// Main goal is not to intersect with the <see cref="ArrayPool{T}.Shared"/>
+/// </summary>
+internal static class DataProtectionPool
+{
+    private static readonly ArrayPool<byte> _pool = ArrayPool<byte>.Create();
+
+    public static byte[] Rent(int length) => _pool.Rent(length);
+    public static void Return(byte[] array, bool clearArray = false) => _pool.Return(array, clearArray);
+}
diff --git a/src/DataProtection/DataProtection/src/Managed/IManagedGenRandom.cs b/src/DataProtection/DataProtection/src/Managed/IManagedGenRandom.cs
@@ -1,9 +1,15 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System;
+
 namespace Microsoft.AspNetCore.DataProtection.Managed;
 
 internal interface IManagedGenRandom
 {
     byte[] GenRandom(int numBytes);
+
+#if NET10_0_OR_GREATER
+    void GenRandom(Span<byte> target);
+#endif
 }
diff --git a/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
diff --git a/src/DataProtection/DataProtection/src/Managed/ManagedGenRandomImpl.cs b/src/DataProtection/DataProtection/src/Managed/ManagedGenRandomImpl.cs
@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System;
 using System.Security.Cryptography;
 
 namespace Microsoft.AspNetCore.DataProtection.Managed;
@@ -16,6 +17,10 @@ private ManagedGenRandomImpl()
     {
     }
 
+#if NET10_0_OR_GREATER
+    public void GenRandom(Span<byte> target) => RandomNumberGenerator.Fill(target);
+#endif
+
     public byte[] GenRandom(int numBytes)
     {
         var bytes = new byte[numBytes];

diff --git a/src/DataProtection/DataProtection/src/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs b/src/DataProtection/DataProtection/src/SP800_108/ManagedSP800_108_CTR_HMACSHA512.cs
@@ -2,8 +2,10 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System;
+using System.Buffers;
 using System.Security.Cryptography;
 using Microsoft.AspNetCore.Cryptography;
+using Microsoft.AspNetCore.DataProtection.Internal;
 using Microsoft.AspNetCore.DataProtection.Managed;
 
 namespace Microsoft.AspNetCore.DataProtection.SP800_108;
@@ -55,6 +57,217 @@ public static void DeriveKeys(byte[] kdk, ArraySegment<byte> label, ArraySegment
         }
     }
 
+#if NET10_0_OR_GREATER
+    public static void DeriveKeysHMACSHA512(
+        ReadOnlySpan<byte> kdk,
+        ReadOnlySpan<byte> label,
+        ReadOnlySpan<byte> contextHeader,
+        ReadOnlySpan<byte> contextData,
+        Span<byte> operationSubKey,
+        Span<byte> validationSubKey)
+    {
+        var operationSubKeyIndex = 0;
+        var validationSubKeyIndex = 0;
+        var outputCount = operationSubKey.Length + validationSubKey.Length;
+
+        byte[]? prfOutput = null;
+
+        // See SP800-108, Sec. 5.1 for the format of the input to the PRF routine.
+        var prfInputLength = checked(sizeof(uint) /* [i]_2 */ + label.Length + 1 /* 0x00 */ + (contextHeader.Length + contextData.Length) + sizeof(uint) /* [K]_2 */);
+
+        byte[]? prfInputLease = null;
+        Span<byte> prfInput = prfInputLength <= 128
+            ? stackalloc byte[prfInputLength]
+            : (prfInputLease = DataProtectionPool.Rent(prfInputLength)).AsSpan(0, prfInputLength);
+
+        try
+        {
+            // Copy [L]_2 to prfInput since it's stable over all iterations
+            uint outputSizeInBits = (uint)checked((int)outputCount * 8);
+            prfInput[prfInput.Length - 4] = (byte)(outputSizeInBits >> 24);
+            prfInput[prfInput.Length - 3] = (byte)(outputSizeInBits >> 16);
+            prfInput[prfInput.Length - 2] = (byte)(outputSizeInBits >> 8);
+            prfInput[prfInput.Length - 1] = (byte)(outputSizeInBits);
+
+            // Copy label and context to prfInput since they're stable over all iterations
+            label.CopyTo(prfInput.Slice(sizeof(uint)));
+            contextHeader.CopyTo(prfInput.Slice(sizeof(uint) + label.Length + 1));
+            contextData.CopyTo(prfInput.Slice(sizeof(uint) + label.Length + 1 + contextHeader.Length));
+
+            for (uint i = 1; outputCount > 0; i++)
+            {
+                // Copy [i]_2 to prfInput since it mutates with each iteration
+                prfInput[0] = (byte)(i >> 24);
+                prfInput[1] = (byte)(i >> 16);
+                prfInput[2] = (byte)(i >> 8);
+                prfInput[3] = (byte)(i);
+
+                // Run the PRF and copy the results to the output buffer
+                // not using stackalloc here, because we are in a loop
+                // and potentially can exhaust the stack memory: https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2014
+                prfOutput = DataProtectionPool.Rent(HMACSHA512.HashSizeInBytes);
+                HMACSHA512.TryHashData(kdk, prfInput, prfOutput, out _);
+
+                CryptoUtil.Assert(HMACSHA512.HashSizeInBytes == prfOutput.Length, "prfOutputSizeInBytes == prfOutput.Length");
+                var numBytesToCopyThisIteration = Math.Min(HMACSHA512.HashSizeInBytes, outputCount);
+
+                // we need to write into the operationSubkey
+                // but it may be the case that we need to split the output
+                // so lets count how many bytes we can write into the operationSubKey
+                var bytesToWrite = Math.Min(numBytesToCopyThisIteration, operationSubKey.Length - operationSubKeyIndex);
+                var leftOverBytes = numBytesToCopyThisIteration - bytesToWrite;
+                if (operationSubKeyIndex < operationSubKey.Length) // meaning we need to write to operationSubKey
+                {
+                    var destination = operationSubKey.Slice(operationSubKeyIndex, bytesToWrite);
+                    prfOutput.AsSpan(0, bytesToWrite).CopyTo(destination);
+                    operationSubKeyIndex += bytesToWrite;
+                }
+                if (operationSubKeyIndex == operationSubKey.Length && leftOverBytes != 0) // we have filled the operationSubKey. It's time for the validationSubKey
+                {
+                    var destination = validationSubKey.Slice(validationSubKeyIndex, leftOverBytes);
+                    prfOutput.AsSpan(bytesToWrite, leftOverBytes).CopyTo(destination);
+                    validationSubKeyIndex += leftOverBytes;
+                }
+
+                outputCount -= numBytesToCopyThisIteration;
+            }
+        }
+        finally
+        {
+            if (prfOutput is not null)
+            {
+                DataProtectionPool.Return(prfOutput, clearArray: true); // contains key material, so delete it
+            }
+
+            if (prfInputLease is not null)
+            {
+                DataProtectionPool.Return(prfInputLease, clearArray: true); // contains key material, so delete it
+            }
+            else
+            {
+                // to be extra careful - clear the stackalloc memory
+                prfInput.Clear();
+            }
+        }
+    }
+#endif
+
+    public static void DeriveKeys(
+        byte[] kdk,
+        ReadOnlySpan<byte> label,
+        ReadOnlySpan<byte> contextHeader,
+        ReadOnlySpan<byte> contextData,
+        Func<byte[], HashAlgorithm> prfFactory,
+        Span<byte> operationSubKey,
+        Span<byte> validationSubKey)
+    {
+        var operationSubKeyIndex = 0;
+        var validationSubKeyIndex = 0;
+        var outputCount = operationSubKey.Length + validationSubKey.Length;
+
+        using (var prf = prfFactory(kdk))
+        {
+            byte[]? prfOutput = null;
+
+            // See SP800-108, Sec. 5.1 for the format of the input to the PRF routine.
+            var prfInputLength = checked(sizeof(uint) /* [i]_2 */ + label.Length + 1 /* 0x00 */ + (contextHeader.Length + contextData.Length) + sizeof(uint) /* [K]_2 */);
+
+#if NET10_0_OR_GREATER
+            byte[]? prfInputLease = null;
+            Span<byte> prfInput = prfInputLength <= 128
+                ? stackalloc byte[prfInputLength]
+                : (prfInputLease = DataProtectionPool.Rent(prfInputLength)).AsSpan(0, prfInputLength);
+#else
+            var prfInputArray = new byte[prfInputLength];
+            var prfInput = prfInputArray.AsSpan();
+#endif
+
+            try
+            {
+                // Copy [L]_2 to prfInput since it's stable over all iterations
+                uint outputSizeInBits = (uint)checked((int)outputCount * 8);
+                prfInput[prfInput.Length - 4] = (byte)(outputSizeInBits >> 24);
+                prfInput[prfInput.Length - 3] = (byte)(outputSizeInBits >> 16);
+                prfInput[prfInput.Length - 2] = (byte)(outputSizeInBits >> 8);
+                prfInput[prfInput.Length - 1] = (byte)(outputSizeInBits);
+
+                // Copy label and context to prfInput since they're stable over all iterations
+                label.CopyTo(prfInput.Slice(sizeof(uint)));
+                contextHeader.CopyTo(prfInput.Slice(sizeof(uint) + label.Length + 1));
+                contextData.CopyTo(prfInput.Slice(sizeof(uint) + label.Length + 1 + contextHeader.Length));
+
+                var prfOutputSizeInBytes = prf.GetDigestSizeInBytes();
+                for (uint i = 1; outputCount > 0; i++)
+                {
+                    // Copy [i]_2 to prfInput since it mutates with each iteration
+                    prfInput[0] = (byte)(i >> 24);
+                    prfInput[1] = (byte)(i >> 16);
+                    prfInput[2] = (byte)(i >> 8);
+                    prfInput[3] = (byte)(i);
+
+                    // Run the PRF and copy the results to the output buffer
+#if NET10_0_OR_GREATER
+                    // not using stackalloc here, because we are in a loop
+                    // and potentially can exhaust the stack memory: https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca2014
+                    prfOutput = DataProtectionPool.Rent(prfOutputSizeInBytes);
+                    prf.TryComputeHash(prfInput, prfOutput, out _);
+#else
+                    prfOutput = prf.ComputeHash(prfInputArray);
+#endif
+
+                    CryptoUtil.Assert(prfOutputSizeInBytes == prfOutput.Length, "prfOutputSizeInBytes == prfOutput.Length");
+                    var numBytesToCopyThisIteration = Math.Min(prfOutputSizeInBytes, outputCount);
+
+                    // we need to write into the operationSubkey
+                    // but it may be the case that we need to split the output
+                    // so lets count how many bytes we can write into the operationSubKey
+                    var bytesToWrite = Math.Min(numBytesToCopyThisIteration, operationSubKey.Length - operationSubKeyIndex);
+                    var leftOverBytes = numBytesToCopyThisIteration - bytesToWrite;
+                    if (operationSubKeyIndex < operationSubKey.Length) // meaning we need to write to operationSubKey
+                    {
+                        var destination = operationSubKey.Slice(operationSubKeyIndex, bytesToWrite);
+                        prfOutput.AsSpan(0, bytesToWrite).CopyTo(destination);
+                        operationSubKeyIndex += bytesToWrite;
+                    }
+                    if (operationSubKeyIndex == operationSubKey.Length && leftOverBytes != 0) // we have filled the operationSubKey. It's time for the validationSubKey
+                    {
+                        var destination = validationSubKey.Slice(validationSubKeyIndex, leftOverBytes);
+                        prfOutput.AsSpan(bytesToWrite, leftOverBytes).CopyTo(destination);
+                        validationSubKeyIndex += leftOverBytes;
+                    }
+
+                    outputCount -= numBytesToCopyThisIteration;
+                }
+            }
+            finally
+            {
+#if NET10_0_OR_GREATER
+                if (prfOutput is not null)
+                {
+                    DataProtectionPool.Return(prfOutput, clearArray: true); // contains key material, so delete it
+                }
+
+                if (prfInputLease is not null)
+                {
+                    DataProtectionPool.Return(prfInputLease, clearArray: true); // contains key material, so delete it
+                }
+                else
+                {
+                    // to be extra careful - clear the stackalloc memory
+                    prfInput.Clear();
+                }
+#else
+                Array.Clear(prfInputArray, 0, prfInputArray.Length); // contains key material, so delete it
+                Array.Clear(prfOutput, 0, prfOutput.Length); // contains key material, so delete it
+#endif
+            }
+        }
+    }
+
+    /// <remarks>
+    /// Probably, you would want to use similar method <see cref="DeriveKeys(byte[], ReadOnlySpan{byte}, ReadOnlySpan{byte}, ReadOnlySpan{byte}, Func{byte[], HashAlgorithm}, Span{byte}, Span{byte})"/>.
+    /// It is more efficient allowing to skip an allocation of `combinedContext` and writing directly into passed Spans
+    /// </remarks>
     public static void DeriveKeysWithContextHeader(byte[] kdk, ArraySegment<byte> label, byte[] contextHeader, ArraySegment<byte> context, Func<byte[], HashAlgorithm> prfFactory, ArraySegment<byte> output)
     {
         var combinedContext = new byte[checked(contextHeader.Length + context.Count)];

diff --git a/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/E2ETests.cs b/src/DataProtection/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/E2ETests.cs
@@ -0,0 +1,28 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Microsoft.AspNetCore.DataProtection.Tests;
+public class E2ETests
+{
+    [Fact]
+    public void ProtectAndUnprotect_ForSampleAntiforgeryToken()
+    {
+        const string sampleToken = "CfDJ8H5oH_fp1QNBmvs-OWXxsVoV30hrXeI4-PI4p1VZytjsgd0DTstMdtTZbFtm2dKHvsBlDCv7TiEWKztZf8fb48pUgBgUE2SeYV3eOUXvSfNWU0D8SmHLy5KEnwKKkZKqudDhCnjQSIU7mhDliJJN1e4";
+
+        var dataProtector = GetServiceCollectionBuiltDataProtector();
+        var encrypted = dataProtector.Protect(sampleToken);
+        var decrypted = dataProtector.Unprotect(encrypted);
+        Assert.Equal(sampleToken, decrypted);
+    }
+
+    private static IDataProtector GetServiceCollectionBuiltDataProtector(string purpose = "samplePurpose")
+        => new ServiceCollection()
+            .AddDataProtection()
+            .Services.BuildServiceProvider()
+            .GetDataProtector(purpose);
+}
diff --git a/...Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs b/...Microsoft.AspNetCore.DataProtection.Tests/KeyManagement/KeyRingBasedDataProtectorTests.cs
@@ -8,6 +8,7 @@
 using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
 using Microsoft.AspNetCore.DataProtection.KeyManagement.Internal;
 using Microsoft.AspNetCore.InternalTesting;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;

diff --git a/...tion/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/SequentialGenRandom.cs b/...tion/DataProtection/test/Microsoft.AspNetCore.DataProtection.Tests/SequentialGenRandom.cs
@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System;
 using Microsoft.AspNetCore.DataProtection.Cng;
 using Microsoft.AspNetCore.DataProtection.Managed;
 
@@ -27,4 +28,12 @@ public void GenRandom(byte* pbBuffer, uint cbBuffer)
             pbBuffer[i] = _value++;
         }
     }
+
+    public void GenRandom(Span<byte> target)
+    {
+        for (var i = 0; i < target.Length; i++)
+        {
+            target[i] = _value++;
+        }
+    }
 }