perf: improve ManagedAuthenticatedEncryptor Decrypt() and Encrypt() flow (#59424)

Author: DeagleGross

eng/Dependencies.props

@@ -82,6 +82,7 @@ and are generated based on the last package release.
     <LatestPackageReference Include="System.DirectoryServices.Protocols" />
     <LatestPackageReference Include="System.IdentityModel.Tokens.Jwt" />
     <LatestPackageReference Include="System.IO.Pipelines" />
+    <LatestPackageReference Include="System.Memory" />
     <LatestPackageReference Include="System.Net.Http" />
     <LatestPackageReference Include="System.Net.Http.Json" />
     <LatestPackageReference Include="System.Net.Sockets" />

eng/Versions.props

@@ -218,6 +218,7 @@
     <SystemCommandlineExperimentalVersion>0.3.0-alpha.19317.1</SystemCommandlineExperimentalVersion>
     <SystemComponentModelVersion>4.3.0</SystemComponentModelVersion>
     <SystemNetHttpVersion>4.3.4</SystemNetHttpVersion>
+    <SystemMemoryVersion>4.6.0</SystemMemoryVersion>
     <SystemNetSocketsVersion>4.3.0</SystemNetSocketsVersion>
     <SystemSecurityCryptographyX509CertificatesVersion>4.3.2</SystemSecurityCryptographyX509CertificatesVersion>
     <SystemRuntimeInteropServicesRuntimeInformationVersion>4.3.0</SystemRuntimeInteropServicesRuntimeInformationVersion>

src/DataProtection/Cryptography.Internal/src/CryptoUtil.cs

@@ -92,24 +92,18 @@ public static bool TimeConstantBuffersAreEqual(byte* bufA, byte* bufB, uint coun
     }
 
     [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
-    public static bool TimeConstantBuffersAreEqual(byte[] bufA, int offsetA, int countA, byte[] bufB, int offsetB, int countB)
+    public static bool TimeConstantBuffersAreEqual(ReadOnlySpan<byte> bufA, ReadOnlySpan<byte> bufB)
     {
-        // Technically this is an early exit scenario, but it means that the caller did something bizarre.
-        // An error at the call site isn't usable for timing attacks.
-        Assert(countA == countB, "countA == countB");
+        // This early exit handles unexpected input without introducing timing vulnerabilities.
+        Assert(bufA.Length == bufB.Length, "countA == countB");
 
 #if NETCOREAPP
-        unsafe
-        {
-            return CryptographicOperations.FixedTimeEquals(
-                bufA.AsSpan(start: offsetA, length: countA),
-                bufB.AsSpan(start: offsetB, length: countB));
-        }
+        return CryptographicOperations.FixedTimeEquals(bufA, bufB);
 #else
         bool areEqual = true;
-        for (int i = 0; i < countA; i++)
+        for (int i = 0; i < bufA.Length; i++)
         {
-            areEqual &= (bufA[offsetA + i] == bufB[offsetB + i]);
+            areEqual &= (bufA[i] == bufB[i]);
         }
         return areEqual;
 #endif

src/DataProtection/Cryptography.Internal/src/Microsoft.AspNetCore.Cryptography.Internal.csproj

@@ -19,4 +19,8 @@
     <InternalsVisibleTo Include="Microsoft.AspNetCore.DataProtection.Extensions.Tests" />
     <InternalsVisibleTo Include="Microsoft.AspNetCore.DataProtection.Tests" />
   </ItemGroup>
+
+  <ItemGroup Condition="'$(TargetFramework)' != '$(DefaultNetCoreTargetFramework)'">
+    <Reference Include="System.Memory" />
+  </ItemGroup>
 </Project>

src/DataProtection/Cryptography.Internal/test/CryptoUtilTests.cs

@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System;
 using Xunit;
 
 namespace Microsoft.AspNetCore.Cryptography;
@@ -15,7 +16,7 @@ public void TimeConstantBuffersAreEqual_Array_Equal()
         byte[] b = new byte[] { 0xAB, 0xCD, 0x23, 0x45, 0x67, 0xEF };
 
         // Act & assert
-        Assert.True(CryptoUtil.TimeConstantBuffersAreEqual(a, 1, 3, b, 2, 3));
+        Assert.True(CryptoUtil.TimeConstantBuffersAreEqual(a.AsSpan(1, 3), b.AsSpan(2, 3)));
     }
 
     [Fact]
@@ -25,7 +26,7 @@ public void TimeConstantBuffersAreEqual_Array_Unequal()
         byte[] b = new byte[] { 0xAB, 0xCD, 0x23, 0xFF, 0x67, 0xEF };
 
         // Act & assert
-        Assert.False(CryptoUtil.TimeConstantBuffersAreEqual(a, 1, 3, b, 2, 3));
+        Assert.False(CryptoUtil.TimeConstantBuffersAreEqual(a.AsSpan(1, 3), b.AsSpan(2, 3)));
     }
 
     [Fact]

src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs

@@ -35,8 +35,6 @@ internal sealed unsafe class AesGcmAuthenticatedEncryptor : IOptimizedAuthentica
     // 256 00-01-00-00-00-20-00-00-00-0C-00-00-00-10-00-00-00-10-E7-DC-CE-66-DF-85-5A-32-3A-6B-B7-BD-7A-59-BE-45
     private static readonly byte[] AES_256_GCM_Header = new byte[] { 0x00, 0x01, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0xE7, 0xDC, 0xCE, 0x66, 0xDF, 0x85, 0x5A, 0x32, 0x3A, 0x6B, 0xB7, 0xBD, 0x7A, 0x59, 0xBE, 0x45 };
 
-    private static readonly Func<byte[], HashAlgorithm> _kdkPrfFactory = key => new HMACSHA512(key); // currently hardcoded to SHA512
-
     private readonly byte[] _contextHeader;
 
     private readonly Secret _keyDerivationKey;
@@ -112,13 +110,13 @@ public byte[] Decrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> addition
                 try
                 {
                     _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment<byte>(decryptedKdk));
-                    ManagedSP800_108_CTR_HMACSHA512.DeriveKeysWithContextHeader(
+                    ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
                         kdk: decryptedKdk,
                         label: additionalAuthenticatedData,
                         contextHeader: _contextHeader,
-                        context: keyModifier,
-                        prfFactory: _kdkPrfFactory,
-                        output: new ArraySegment<byte>(derivedKey));
+                        contextData: keyModifier,
+                        operationSubkey: derivedKey,
+                        validationSubkey: Span<byte>.Empty /* filling in derivedKey only */ );
 
                     // Perform the decryption operation
                     var nonce = new Span<byte>(ciphertext.Array, nonceOffset, NONCE_SIZE_IN_BYTES);
@@ -185,13 +183,13 @@ public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additiona
                 try
                 {
                     _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment<byte>(decryptedKdk));
-                    ManagedSP800_108_CTR_HMACSHA512.DeriveKeysWithContextHeader(
+                    ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
                         kdk: decryptedKdk,
                         label: additionalAuthenticatedData,
                         contextHeader: _contextHeader,
-                        context: keyModifier,
-                        prfFactory: _kdkPrfFactory,
-                        output: new ArraySegment<byte>(derivedKey));
+                        contextData: keyModifier,
+                        operationSubkey: derivedKey,
+                        validationSubkey: Span<byte>.Empty /* filling in derivedKey only */ );
 
                     // do gcm
                     var nonce = new Span<byte>(retVal, nonceOffset, NONCE_SIZE_IN_BYTES);

src/DataProtection/DataProtection/src/Managed/IManagedGenRandom.cs

@@ -1,9 +1,15 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System;
+
 namespace Microsoft.AspNetCore.DataProtection.Managed;
 
 internal interface IManagedGenRandom
 {
     byte[] GenRandom(int numBytes);
+
+#if NET10_0_OR_GREATER
+    void GenRandom(Span<byte> target);
+#endif
 }