private static bool TryDecrypt( SafeRsaHandle key, ReadOnlySpan <byte> data, Span <byte> destination, Interop.Crypto.RsaPadding rsaPadding, RsaPaddingProcessor rsaPaddingProcessor, out int bytesWritten) { // If rsaPadding is PKCS1 or OAEP-SHA1 then no depadding method should be present. // If rsaPadding is NoPadding then a depadding method should be present. Debug.Assert( (rsaPadding == Interop.Crypto.RsaPadding.NoPadding) == (rsaPaddingProcessor != null)); // Caller should have already checked this. Debug.Assert(!key.IsInvalid); int rsaSize = Interop.Crypto.RsaSize(key); if (data.Length > rsaSize) { throw new CryptographicException( SR.Format(SR.Cryptography_Padding_DecDataTooBig, rsaSize)); } if (destination.Length < rsaSize) { bytesWritten = 0; return(false); } Span <byte> decryptBuf = destination; byte[] paddingBuf = null; if (rsaPaddingProcessor != null) { paddingBuf = ArrayPool <byte> .Shared.Rent(rsaSize); decryptBuf = paddingBuf; } try { int returnValue = Interop.Crypto.RsaPrivateDecrypt(data.Length, data, decryptBuf, key, rsaPadding); CheckReturn(returnValue); if (rsaPaddingProcessor != null) { return(rsaPaddingProcessor.DepadOaep(paddingBuf, destination, out bytesWritten)); } else { // If the padding mode is RSA_NO_PADDING then the size of the decrypted block // will be RSA_size. If any padding was used, then some amount (determined by the padding algorithm) // will have been reduced, and only returnValue bytes were part of the decrypted // body. Either way, we can just use returnValue, but some additional bytes may have been overwritten // in the destination span. bytesWritten = returnValue; } return(true); } finally { if (paddingBuf != null) { // DecryptBuf is paddingBuf if paddingBuf is not null, erase it before returning it. // If paddingBuf IS null then decryptBuf was destination, and shouldn't be cleared. CryptographicOperations.ZeroMemory(decryptBuf); ArrayPool <byte> .Shared.Return(paddingBuf); } } }
public override bool TryDecrypt( ReadOnlySpan <byte> data, Span <byte> destination, RSAEncryptionPadding padding, out int bytesWritten) { if (padding == null) { throw new ArgumentNullException(nameof(padding)); } Interop.Crypto.RsaPadding rsaPadding = GetInteropPadding(padding, out RsaPaddingProcessor? oaepProcessor); SafeRsaHandle key = GetKey(); int keySizeBytes = Interop.Crypto.RsaSize(key); // OpenSSL does not take a length value for the destination, so it can write out of bounds. // To prevent the OOB write, decrypt into a temporary buffer. if (destination.Length < keySizeBytes) { Span <byte> tmp = stackalloc byte[0]; byte[]? rent = null; // RSA up through 4096 stackalloc if (keySizeBytes <= 512) { tmp = stackalloc byte[keySizeBytes]; } else { rent = ArrayPool <byte> .Shared.Rent(keySizeBytes); tmp = rent; } bool ret = TryDecrypt(key, data, tmp, rsaPadding, oaepProcessor, out bytesWritten); if (ret) { tmp = tmp.Slice(0, bytesWritten); if (bytesWritten > destination.Length) { ret = false; bytesWritten = 0; } else { tmp.CopyTo(destination); } CryptographicOperations.ZeroMemory(tmp); } if (rent != null) { // Already cleared ArrayPool <byte> .Shared.Return(rent); } return(ret); } return(TryDecrypt(key, data, destination, rsaPadding, oaepProcessor, out bytesWritten)); }