/// <summary>
/// Create an AuthenticatedSymmetricAlgorithm which verifies the decryption operations done on it
/// have state which matches captured encryption state. This overload does not monitor for thread
/// safe access to the object.
/// </summary>
public static AuthenticatedSymmetricAlgorithm EnableDecryptionVerification(this AuthenticatedSymmetricAlgorithm loggedAlgorithm,
AuthenticatedSymmetricEncryptionState encryptionState)
{
return(loggedAlgorithm.EnableDecryptionVerification(encryptionState,
new SymmetricAlgorithmDiagnosticOptions()
{
CheckThreadSafety = false
}));
}
internal AuthenticatedSymmetricAlgorithmVerifier(AuthenticatedSymmetricAlgorithm verificationAlgorithm,
AuthenticatedSymmetricEncryptionState encryptionState,
Predicate <CryptographyLockContext <SymmetricAlgorithm> > lockCheckCallback,
object lockCheckParameter)
: base(verificationAlgorithm, lockCheckCallback, lockCheckParameter)
{
Debug.Assert(encryptionState != null, "encryptionState != null");
m_encryptionState = encryptionState;
}
public static AuthenticatedSymmetricAlgorithm EnableDecryptionVerification(this AuthenticatedSymmetricAlgorithm loggedAlgorithm,
AuthenticatedSymmetricEncryptionState encryptionState,
SymmetricAlgorithmDiagnosticOptions options)
{
AuthenticatedSymmetricAlgorithm wrappedAlgorithm =
(loggedAlgorithm as SymmetricAlgorithm).EnableDecryptionVerification(encryptionState, options) as AuthenticatedSymmetricAlgorithm;
Debug.Assert(wrappedAlgorithm != null, "Logged authenticated algorithm did not wrap into an authenticated algortihm");
return(wrappedAlgorithm);
}
protected override void OnDecryptorCreated(byte[] key, byte[] iv, byte[] authenticatedData, byte[] tag)
{
base.OnDecryptorCreated(key, iv, authenticatedData, tag);
using (AuthenticatedSymmetricEncryptionState decryptionState =
new AuthenticatedSymmetricEncryptionState(key, iv, authenticatedData, WrappedAlgorithm))
{
m_encryptionState.VerifyDecryptionState(decryptionState);
}
}
/// <summary>
/// Make a deep copy of the authenticated encryption state
/// </summary>
private AuthenticatedSymmetricEncryptionState(AuthenticatedSymmetricEncryptionState other)
: base(other)
{
Debug.Assert(other != null, "other != null");
m_cngChainingMode = other.m_cngChainingMode;
if (other.m_authenticatedData != null)
{
m_authenticatedData = new byte[other.m_authenticatedData.Length];
Array.Copy(other.m_authenticatedData, m_authenticatedData, m_authenticatedData.Length);
}
}
/// <summary>
/// Verify that the input decryption state matches our encryption state, throwing an error if
/// they do not.
/// </summary>
internal override void VerifyDecryptionState(SymmetricEncryptionState decryptionState)
{
Debug.Assert(decryptionState != null, "decryptionState != null");
// All of the symmetric algorithm comparisons need to match
base.VerifyDecryptionState(decryptionState);
AuthenticatedSymmetricEncryptionState authenticatedDecryptionState =
decryptionState as AuthenticatedSymmetricEncryptionState;
// The base verify decryption state should have caught an algorithm mismatch, which would be the
// only way that we could be encrypting with an authenticated symmetric algortihm but decrypting
// with an unauthenticated algorithm.
Debug.Assert(authenticatedDecryptionState != null, "authenticatedDecryptionState != null");
// If we have authenticated data, make sure it matches
if (m_authenticatedData != null)
{
// If we have authenticated data, then the decryption state also needs to have authenticated
// data, and that data needs to match.
if (authenticatedDecryptionState.m_authenticatedData == null ||
!CompareBytes(m_authenticatedData, authenticatedDecryptionState.m_authenticatedData))
{
ThrowDiagnosticException(Resources.AuthenticatedDataMismatch,
m_authenticatedData.Length * 8,
HexString(m_authenticatedData),
authenticatedDecryptionState.m_authenticatedData != null ? authenticatedDecryptionState.m_authenticatedData.Length * 8 : 0,
HexString(authenticatedDecryptionState.m_authenticatedData));
}
}
else if (authenticatedDecryptionState.m_authenticatedData != null)
{
// We had no authenticated data during encryption, but we have some during decryption, so we
// have a mismatch.
ThrowDiagnosticException(Resources.AuthenticatedDataMismatch,
0,
HexString(null),
authenticatedDecryptionState.m_authenticatedData.Length * 8,
HexString(authenticatedDecryptionState.m_authenticatedData));
}
// Make sure the CNG chaining modes match
if (m_cngChainingMode != authenticatedDecryptionState.m_cngChainingMode)
{
ThrowDiagnosticException(Resources.CngChainingModeMismatch,
m_cngChainingMode,
authenticatedDecryptionState.m_cngChainingMode);
}
}
protected override void OnEncryptorCreated(byte[] key, byte[] iv, byte[] authenticatedData)
{
base.OnEncryptorCreated(key, iv, authenticatedData);
// An encryptor is being created, which means that all of the encryption parameters must be set at
// this point. Capture them so that they can be extracted for later verification.
if (m_lastCapturedEncryptionState != null)
{
m_lastCapturedEncryptionState.Dispose();
}
m_lastCapturedEncryptionState = new AuthenticatedSymmetricEncryptionState(key,
iv,
authenticatedData,
WrappedAlgorithm);
}
/// <summary>
/// Create a SymmetricAlgorithm which verifies the decryption operations done on it have state
/// which matches captured encryption state.
/// </summary>
public static SymmetricAlgorithm EnableDecryptionVerification(this SymmetricAlgorithm loggedAlgorithm,
SymmetricEncryptionState encryptionState,
SymmetricAlgorithmDiagnosticOptions options)
{
if (encryptionState == null)
{
throw new ArgumentNullException("encryptionState");
}
if (options == null)
{
throw new ArgumentNullException("options");
}
#if !FXONLY_BUILD
AuthenticatedSymmetricAlgorithm authenticatedLoggedAlgorithm =
loggedAlgorithm as AuthenticatedSymmetricAlgorithm;
if (authenticatedLoggedAlgorithm != null)
{
AuthenticatedSymmetricEncryptionState authenticatedEncryptionState =
encryptionState as AuthenticatedSymmetricEncryptionState;
if (authenticatedEncryptionState == null)
{
throw new ArgumentException(Resources.NeedAuthenticatedEncryptionState, "encryptionState");
}
return(new AuthenticatedSymmetricAlgorithmVerifier(authenticatedLoggedAlgorithm,
authenticatedEncryptionState,
options.CheckThreadSafety ? options.LockCheckCallback : null,
options.CheckThreadSafety ? options.LockCheckParameter : null));
}
else
#endif // !FXONLY_BUILD
{
return(new SymmetricAlgorithmVerifier(loggedAlgorithm,
encryptionState,
options.CheckThreadSafety ? options.LockCheckCallback : null,
options.CheckThreadSafety ? options.LockCheckParameter : null));
}
}
