From 611de0e25ef6f329f45b58a8ac7efc0ebe3365d4 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Wed, 1 Oct 2025 14:05:50 -0400 Subject: [PATCH 1/7] Get HKDF Expand and DeriveKey on CNG --- .../BCrypt/Interop.BCryptAlgPseudoHandle.cs | 1 + .../Interop/Windows/BCrypt/Interop.Blobs.cs | 1 + .../src/System.Security.Cryptography.csproj | 2 +- .../Security/Cryptography/HKDF.Windows.cs | 211 ++++++++++++++++++ 4 files changed, 214 insertions(+), 1 deletion(-) create mode 100644 src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs diff --git a/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.BCryptAlgPseudoHandle.cs b/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.BCryptAlgPseudoHandle.cs index 1fd6bd17669038..aa58b261e6ab84 100644 --- a/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.BCryptAlgPseudoHandle.cs +++ b/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.BCryptAlgPseudoHandle.cs @@ -23,6 +23,7 @@ public enum BCryptAlgPseudoHandle : uint BCRYPT_HMAC_SHA384_ALG_HANDLE = 0x000000c1, BCRYPT_HMAC_SHA512_ALG_HANDLE = 0x000000d1, BCRYPT_PBKDF2_ALG_HANDLE = 0x00000331, + BCRYPT_HKDF_ALG_HANDLE = 0x00000391, BCRYPT_SHA3_256_ALG_HANDLE = 0x000003B1, BCRYPT_SHA3_384_ALG_HANDLE = 0x000003C1, BCRYPT_SHA3_512_ALG_HANDLE = 0x000003D1, diff --git a/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.Blobs.cs b/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.Blobs.cs index f919daf562998b..42289566281153 100644 --- a/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.Blobs.cs +++ b/src/libraries/Common/src/Interop/Windows/BCrypt/Interop.Blobs.cs @@ -302,6 +302,7 @@ internal enum CngBufferDescriptors : int KDF_CONTEXT = 14, KDF_SALT = 15, KDF_ITERATION_COUNT = 16, + KDF_HKDF_INFO = 20, NCRYPTBUFFER_ECC_CURVE_NAME = 60, } 
diff --git a/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj b/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj index 31fab862e9ce7c..3ef51bb89ca051 100644 --- a/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj +++ b/src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj @@ -1988,7 +1988,7 @@ - + diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs new file mode 100644 index 00000000000000..be5a73b2bf5f17 --- /dev/null +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs 
@@ -0,0 +1,211 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Buffers.Binary;
+using System.Diagnostics;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+using Internal.Cryptography;
+using Microsoft.Win32.SafeHandles;
+
+using BCryptAlgPseudoHandle = Interop.BCrypt.BCryptAlgPseudoHandle;
+using BCryptBuffer = Interop.BCrypt.BCryptBuffer;
+using BCryptBufferDesc = Interop.BCrypt.BCryptBufferDesc;
+using BCRYPT_KEY_DATA_BLOB_HEADER = Interop.BCrypt.BCRYPT_KEY_DATA_BLOB_HEADER;
+using CngBufferDescriptors = Interop.BCrypt.CngBufferDescriptors;
+using NTSTATUS = Interop.BCrypt.NTSTATUS;
+
+namespace System.Security.Cryptography
+{
+ public static partial class HKDF
+ {
+ private static readonly bool s_hasCngImplementation = Interop.BCrypt.PseudoHandlesSupported;
+ private const string BCRYPT_HKDF_SALT_AND_FINALIZE = "HkdfSaltAndFinalize";
+ private const string BCRYPT_HKDF_PRK_AND_FINALIZE = "HkdfPrkAndFinalize";
+ private const string BCRYPT_HKDF_HASH_ALGORITHM = "HkdfHashAlgorithm";
+
+ private static void ExtractCore(
+ HashAlgorithmName hashAlgorithmName,
+ ReadOnlySpan ikm,
+ ReadOnlySpan salt,
+ Span prk)
+ {
+ // Windows does not clearly have a way to perform just the Extact step from HKDF.
+ HKDFManagedImplementation.Extract(hashAlgorithmName, ikm, salt, prk);
+ }
+
+ private static void Expand(
+ HashAlgorithmName hashAlgorithmName,
+ int hashLength,
+ ReadOnlySpan prk,
+ Span output,
+ ReadOnlySpan info)
+ {
+ if (s_hasCngImplementation && !IsAlgorithmCngDoesNotSupport(hashAlgorithmName))
+ {
+ CngDeriveKey(
+ hashAlgorithmName,
+ prk,
+ info,
+ salt: default,
+ output,
+ keyObjectIsIkm: false);
+ }
+ else
+ {
+ HKDFManagedImplementation.Expand(hashAlgorithmName, hashLength, prk, output, info);
+ }
+ }
+
+ private static void DeriveKeyCore(
+ HashAlgorithmName hashAlgorithmName,
+ int hashLength,
+ ReadOnlySpan ikm,
+ Span output,
+ ReadOnlySpan salt,
+ ReadOnlySpan info)
+ {
+ if (s_hasCngImplementation && !IsAlgorithmCngDoesNotSupport(hashAlgorithmName))
+ {
+ CngDeriveKey(
+ hashAlgorithmName,
+ ikm,
+ info,
+ salt,
+ output,
+ keyObjectIsIkm: true);
+ }
+ else
+ {
+ HKDFManagedImplementation.DeriveKey(hashAlgorithmName, hashLength, ikm, output, salt, info);
+ }
+ }
+
+ private static bool IsAlgorithmCngDoesNotSupport(HashAlgorithmName hashAlgorithmName)
+ {
+ return hashAlgorithmName == HashAlgorithmName.MD5;
+ }
+
+ private static unsafe void CngDeriveKey(
+ HashAlgorithmName hashAlgorithm,
+ ReadOnlySpan keyObject,
+ ReadOnlySpan info,
+ ReadOnlySpan salt,
+ Span destination,
+ bool keyObjectIsIkm)
+ {
+ Debug.Assert(hashAlgorithm.Name is not null);
+ byte[]? rented;
+
+ ReadOnlySpan safeInfo;
+
+ if (destination.Overlaps(info))
+ {
+ rented = CryptoPool.Rent(info.Length);
+ info.CopyTo(rented);
+ safeInfo = rented.AsSpan(0, info.Length);
+ }
+ else
+ {
+ rented = null;
+ safeInfo = info;
+ }
+
+ SafeBCryptKeyHandle? keyHandle = null;
+ NTSTATUS status;
+
+ try
+ {
+ fixed (byte* pKeyObject = &Helpers.GetNonNullPinnableReference(keyObject))
+ {
+ status = Interop.BCrypt.BCryptGenerateSymmetricKey(
+ (nuint)BCryptAlgPseudoHandle.BCRYPT_HKDF_ALG_HANDLE,
+ out keyHandle,
+ pbKeyObject: IntPtr.Zero,
+ cbKeyObject: 0,
+ pKeyObject,
+ keyObject.Length,
+ dwFlags: 0);
+
+ if (status != NTSTATUS.STATUS_SUCCESS)
+ {
+ throw Interop.BCrypt.CreateCryptographicException(status);
+ }
+
+ Interop.BCrypt.BCryptSetSZProperty(keyHandle, BCRYPT_HKDF_HASH_ALGORITHM, hashAlgorithm.Name);
+
+ if (keyObjectIsIkm)
+ {
+ fixed (byte* pSalt = &Helpers.GetNonNullPinnableReference(salt))
+ {
+ status = Interop.BCrypt.BCryptSetProperty(
+ keyHandle,
+ BCRYPT_HKDF_SALT_AND_FINALIZE,
+ pSalt,
+ (uint)salt.Length,
+ dwFlags: 0);
+ }
+ }
+ else
+ {
+ Debug.Assert(salt.IsEmpty);
+
+ status = Interop.BCrypt.BCryptSetProperty(
+ keyHandle,
+ BCRYPT_HKDF_PRK_AND_FINALIZE,
+ null,
+ 0U,
+ dwFlags: 0);
+ }
+
+ if (status != NTSTATUS.STATUS_SUCCESS)
+ {
+ throw Interop.BCrypt.CreateCryptographicException(status);
+ }
+ }
+
+ fixed (byte* pDestination = destination)
+ fixed (byte* pSafeInfo = &Helpers.GetNonNullPinnableReference(safeInfo))
+ {
+ BCryptBuffer infoBuffer = default;
+ infoBuffer.cbBuffer = safeInfo.Length;
+ infoBuffer.BufferType = CngBufferDescriptors.KDF_HKDF_INFO;
+ infoBuffer.pvBuffer = (IntPtr)pSafeInfo;
+
+ BCryptBufferDesc bufferDesc = default;
+ bufferDesc.ulVersion = Interop.BCrypt.BCRYPTBUFFER_VERSION;
+ bufferDesc.cBuffers = 1;
+ bufferDesc.pBuffers = (IntPtr)(&infoBuffer);
+
+ status = Interop.BCrypt.BCryptKeyDerivation(
+ keyHandle,
+ &bufferDesc,
+ pDestination,
+ destination.Length,
+ out uint resultLength,
+ dwFlags: 0);
+
+ if (status != NTSTATUS.STATUS_SUCCESS)
+ {
+ throw Interop.BCrypt.CreateCryptographicException(status);
+ }
+
+ if (destination.Length != resultLength)
+ {
+ Debug.Fail("HKDF resultLength != destination.Length");
+ throw new CryptographicException();
+ }
+ }
+ }
+ finally
+ {
+ if (rented is not null)
+ {
+ CryptoPool.Return(rented, clearSize: 0); // Info is not consider secret.
+ }
+
+ keyHandle?.Dispose();
+ }
+ }
+ }
+}
From f4b0ba4af4f7162a1ecc363c520f6b5f23f3b2cc Mon Sep 17 00:00:00 2001
From: Kevin Jones
Date: Wed, 1 Oct 2025 14:49:06 -0400
Subject: [PATCH 2/7] PNSE for SHA-3 correctly
---
.../Security/Cryptography/HKDF.Windows.cs | 26 ++++++++++++++-----
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs
index be5a73b2bf5f17..5a14324612dbe5 100644
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs
+++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs
@@ -30,7 +30,7 @@ private static void ExtractCore( ReadOnlySpan salt, Span prk) { - // Windows does not clearly have a way to perform just the Extact step from HKDF. + // Windows does not clearly have a way to perform just the Extact step from HKDF. So used managed, for now. HKDFManagedImplementation.Extract(hashAlgorithmName, ikm, salt, prk); }
@@ -41,7 +41,7 @@ private static void Expand( Span output, ReadOnlySpan info) { - if (s_hasCngImplementation && !IsAlgorithmCngDoesNotSupport(hashAlgorithmName)) + if (s_hasCngImplementation && !IsAlgorithmRequiringManagedFallback(hashAlgorithmName)) { CngDeriveKey( hashAlgorithmName,
@@ -65,7 +65,7 @@ private static void DeriveKeyCore( ReadOnlySpan salt, ReadOnlySpan info) { - if (s_hasCngImplementation && !IsAlgorithmCngDoesNotSupport(hashAlgorithmName)) + if (s_hasCngImplementation && !IsAlgorithmRequiringManagedFallback(hashAlgorithmName)) { CngDeriveKey( hashAlgorithmName,
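Review bot: In `CngDeriveKey` in the new HKDF.Windows.cs (patch 1/7), both failure exits after `BCryptKeyDerivation` throw while `destination` may already contain derived key bytes, and nothing in the visible code wipes it. The `destination.Length != resultLength` branch is the clearer case, since a short result means CNG has written some output; whether CNG touches `pDestination` when it returns a failing `status` is not visible here, so clearing there is defence in depth. Adding `CryptographicOperations.ZeroMemory(destination);` immediately before each of those two `throw` statements keeps partial key material out of a caller buffer that the caller will treat as unwritten after the exception.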
@@ -81,20 +81,32 @@ private static void DeriveKeyCore( } } - private static bool IsAlgorithmCngDoesNotSupport(HashAlgorithmName hashAlgorithmName) + private static bool IsAlgorithmRequiringManagedFallback(HashAlgorithmName hashAlgorithmName) { return hashAlgorithmName == HashAlgorithmName.MD5; } + private static void ThrowIfAlgorithmNotSupported(HashAlgorithmName hashAlgorithmName) + { + if ((hashAlgorithmName == HashAlgorithmName.SHA3_256 && !SHA3_256.IsSupported) || + (hashAlgorithmName == HashAlgorithmName.SHA3_384 && !SHA3_384.IsSupported) || + (hashAlgorithmName == HashAlgorithmName.SHA3_512 && !SHA3_512.IsSupported)) + { + throw new PlatformNotSupportedException(); + } + } + private static unsafe void CngDeriveKey( - HashAlgorithmName hashAlgorithm, + HashAlgorithmName hashAlgorithmName, ReadOnlySpan keyObject, ReadOnlySpan info, ReadOnlySpan salt, Span destination, bool keyObjectIsIkm) { - Debug.Assert(hashAlgorithm.Name is not null); + ThrowIfAlgorithmNotSupported(hashAlgorithmName); + + Debug.Assert(hashAlgorithmName.Name is not null); byte[]? rented; ReadOnlySpan safeInfo; @@ -132,7 +144,7 @@ private static unsafe void CngDeriveKey( throw Interop.BCrypt.CreateCryptographicException(status); } - Interop.BCrypt.BCryptSetSZProperty(keyHandle, BCRYPT_HKDF_HASH_ALGORITHM, hashAlgorithm.Name); + Interop.BCrypt.BCryptSetSZProperty(keyHandle, BCRYPT_HKDF_HASH_ALGORITHM, hashAlgorithmName.Name); if (keyObjectIsIkm) { From 391aed026d84f71c5c6d4ad5a6a604ff172714c0 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Wed, 1 Oct 2025 14:50:29 -0400 Subject: [PATCH 3/7] Fix typo --- .../src/System/Security/Cryptography/HKDF.Windows.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs index 5a14324612dbe5..2c6b4ab4d86d8b 100644 
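Review bot: The CNG path is still selected by a deny-list: `IsAlgorithmRequiringManagedFallback` diverts only MD5 and the new `ThrowIfAlgorithmNotSupported` rejects only the three SHA-3 names, so any other `hashAlgorithmName.Name` string is forwarded unchanged to `BCryptSetSZProperty`. If the public HKDF entry points already reject unknown names before this code runs (not visible in this hunk), record that with a comment on `IsAlgorithmRequiringManagedFallback`, for example `// Callers have already validated hashAlgorithmName; MD5 is the only known name routed to managed code.`; otherwise an explicit allow-list of the supported names would keep caller-chosen strings out of the native property. The `PlatformNotSupportedException` is also thrown without a message naming the algorithm, which makes the failure harder to diagnose. `CngDeriveKey`'s body continues outside the hunk.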
--- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs @@ -213,7 +213,7 @@ private static unsafe void CngDeriveKey( { if (rented is not null) { - CryptoPool.Return(rented, clearSize: 0); // Info is not consider secret. + CryptoPool.Return(rented, clearSize: 0); // Info is not considered secret. } keyHandle?.Dispose(); From eecd2e6c1c54788ea5bbd2fa8123283b29fa7808 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Wed, 1 Oct 2025 15:59:54 -0400 Subject: [PATCH 4/7] Assert some things for downlevel Windows --- .../Common/src/Interop/Windows/BCrypt/Cng.cs | 3 ++- .../Security/Cryptography/HKDF.Windows.cs | 24 +++++++++++++++---- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/src/libraries/Common/src/Interop/Windows/BCrypt/Cng.cs b/src/libraries/Common/src/Interop/Windows/BCrypt/Cng.cs index 68738f67a1323b..6d8324b7eef531 100644 --- a/src/libraries/Common/src/Interop/Windows/BCrypt/Cng.cs +++ b/src/libraries/Common/src/Interop/Windows/BCrypt/Cng.cs @@ -29,10 +29,11 @@ internal static class AlgorithmName public const string ECDsaP256 = "ECDSA_P256"; // BCRYPT_ECDSA_P256_ALGORITHM public const string ECDsaP384 = "ECDSA_P384"; // BCRYPT_ECDSA_P384_ALGORITHM public const string ECDsaP521 = "ECDSA_P521"; // BCRYPT_ECDSA_P521_ALGORITHM - public const string RSA = "RSA"; // BCRYPT_RSA_ALGORITHM + public const string HKDF = "HKDF"; // BCRYPT_HKDF_ALGORITHM public const string MD5 = "MD5"; // BCRYPT_MD5_ALGORITHM public const string MLDsa = "ML-DSA"; // BCRYPT_MLDSA_ALGORITHM public const string MLKem = "ML-KEM"; // BCRYPT_MLKEM_ALGORITHM + public const string RSA = "RSA"; // BCRYPT_RSA_ALGORITHM public const string Sha1 = "SHA1"; // BCRYPT_SHA1_ALGORITHM public const string Sha256 = "SHA256"; // BCRYPT_SHA256_ALGORITHM public const string Sha384 = "SHA384"; // BCRYPT_SHA384_ALGORITHM 
diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs index 2c6b4ab4d86d8b..69d07a86446df5 100644 --- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs @@ -11,6 +11,7 @@ using BCryptAlgPseudoHandle = Interop.BCrypt.BCryptAlgPseudoHandle; using BCryptBuffer = Interop.BCrypt.BCryptBuffer; using BCryptBufferDesc = Interop.BCrypt.BCryptBufferDesc; +using BCryptOpenAlgorithmProviderFlags = Interop.BCrypt.BCryptOpenAlgorithmProviderFlags; using BCRYPT_KEY_DATA_BLOB_HEADER = Interop.BCrypt.BCRYPT_KEY_DATA_BLOB_HEADER; using CngBufferDescriptors = Interop.BCrypt.CngBufferDescriptors; using NTSTATUS = Interop.BCrypt.NTSTATUS; @@ -19,7 +20,7 @@ namespace System.Security.Cryptography { public static partial class HKDF { - private static readonly bool s_hasCngImplementation = Interop.BCrypt.PseudoHandlesSupported; + private static readonly bool s_hasCngImplementation = IsCngSupported(); private const string BCRYPT_HKDF_SALT_AND_FINALIZE = "HkdfSaltAndFinalize"; private const string BCRYPT_HKDF_PRK_AND_FINALIZE = "HkdfPrkAndFinalize"; private const string BCRYPT_HKDF_HASH_ALGORITHM = "HkdfHashAlgorithm"; 
@@ -96,6 +97,21 @@ private static void ThrowIfAlgorithmNotSupported(HashAlgorithmName hashAlgorithm } } + private static bool IsCngSupported() + { + NTSTATUS openStatus = Interop.BCrypt.BCryptOpenAlgorithmProvider( + out SafeBCryptAlgorithmHandle handle, + Internal.NativeCrypto.BCryptNative.AlgorithmName.HKDF, + null, + BCryptOpenAlgorithmProviderFlags.None); + + handle.Dispose(); + + // HKDF was added in Windows 10 1803. + Debug.Assert(!OperatingSystem.IsWindowsVersionAtLeast(10, 0, 17134) || openStatus == NTSTATUS.STATUS_SUCCESS); + return openStatus == NTSTATUS.STATUS_SUCCESS; + } + private static unsafe void CngDeriveKey( HashAlgorithmName hashAlgorithmName, ReadOnlySpan keyObject, @@ -104,11 +120,12 @@ private static unsafe void CngDeriveKey( Span destination, bool keyObjectIsIkm) { + Debug.Assert(Interop.BCrypt.PseudoHandlesSupported); + Debug.Assert(hashAlgorithmName.Name is not null); + ThrowIfAlgorithmNotSupported(hashAlgorithmName); - Debug.Assert(hashAlgorithmName.Name is not null); byte[]? rented; - ReadOnlySpan safeInfo; if (destination.Overlaps(info)) @@ -161,7 +178,6 @@ private static unsafe void CngDeriveKey( else { Debug.Assert(salt.IsEmpty); - status = Interop.BCrypt.BCryptSetProperty( keyHandle, BCRYPT_HKDF_PRK_AND_FINALIZE, From a7b2167ed7823e1b05fdf3487175a90f9342aa5d Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Wed, 1 Oct 2025 17:38:20 -0400 Subject: [PATCH 5/7] Tpyos and do good grammar --- .../src/System/Security/Cryptography/HKDF.Windows.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs index 69d07a86446df5..ffd3af4e9b0966 100644 --- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs 
@@ -31,7 +31,7 @@ private static void ExtractCore( ReadOnlySpan salt, Span prk) { - // Windows does not clearly have a way to perform just the Extact step from HKDF. So used managed, for now. + // Windows does not clearly have a way to perform just the Extract step from HKDF. We'll use managed for now. HKDFManagedImplementation.Extract(hashAlgorithmName, ikm, salt, prk); } From 7d43271d2e5602a707b426dd838e8068880abf39 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Wed, 1 Oct 2025 18:24:57 -0400 Subject: [PATCH 6/7] Rename keyObject to secret to avoid overloaded terminology --- .../System/Security/Cryptography/HKDF.Windows.cs | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs index ffd3af4e9b0966..7224712d76e622 100644 --- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs @@ -50,7 +50,7 @@ private static void Expand( info, salt: default, output, - keyObjectIsIkm: false); + secretIsIkm: false); } else { @@ -74,7 +74,7 @@ private static void DeriveKeyCore( info, salt, output, - keyObjectIsIkm: true); + secretIsIkm: true); } else { @@ -114,11 +114,11 @@ private static bool IsCngSupported() private static unsafe void CngDeriveKey( HashAlgorithmName hashAlgorithmName, - ReadOnlySpan keyObject, + ReadOnlySpan secret, ReadOnlySpan info, ReadOnlySpan salt, Span destination, - bool keyObjectIsIkm) + bool secretIsIkm) { Debug.Assert(Interop.BCrypt.PseudoHandlesSupported); Debug.Assert(hashAlgorithmName.Name is not null); 
@@ -145,15 +145,15 @@ private static unsafe void CngDeriveKey( try { - fixed (byte* pKeyObject = &Helpers.GetNonNullPinnableReference(keyObject)) + fixed (byte* pSecret = &Helpers.GetNonNullPinnableReference(secret)) { status = Interop.BCrypt.BCryptGenerateSymmetricKey( (nuint)BCryptAlgPseudoHandle.BCRYPT_HKDF_ALG_HANDLE, out keyHandle, pbKeyObject: IntPtr.Zero, cbKeyObject: 0, - pKeyObject, - keyObject.Length, + pSecret, + secret.Length, dwFlags: 0); if (status != NTSTATUS.STATUS_SUCCESS) @@ -163,7 +163,7 @@ private static unsafe void CngDeriveKey( Interop.BCrypt.BCryptSetSZProperty(keyHandle, BCRYPT_HKDF_HASH_ALGORITHM, hashAlgorithmName.Name); - if (keyObjectIsIkm) + if (secretIsIkm) { fixed (byte* pSalt = &Helpers.GetNonNullPinnableReference(salt)) { From 0228b439679ff07f98c5be0539bfa8e244e8d211 Mon Sep 17 00:00:00 2001 From: Kevin Jones Date: Wed, 1 Oct 2025 21:36:01 -0400 Subject: [PATCH 7/7] safeInfo -> infoBlob --- .../src/System/Security/Cryptography/HKDF.Windows.cs | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs index 7224712d76e622..60544defa60436 100644 --- a/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs +++ b/src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Windows.cs @@ -126,18 +126,18 @@ private static unsafe void CngDeriveKey( ThrowIfAlgorithmNotSupported(hashAlgorithmName); byte[]? rented; - ReadOnlySpan safeInfo; + ReadOnlySpan infoBlob; if (destination.Overlaps(info)) { rented = CryptoPool.Rent(info.Length); info.CopyTo(rented); - safeInfo = rented.AsSpan(0, info.Length); + infoBlob = rented.AsSpan(0, info.Length); } else { rented = null; - safeInfo = info; + infoBlob = info; } SafeBCryptKeyHandle? keyHandle = null; 
@@ -193,12 +193,12 @@ private static unsafe void CngDeriveKey( } fixed (byte* pDestination = destination) - fixed (byte* pSafeInfo = &Helpers.GetNonNullPinnableReference(safeInfo)) + fixed (byte* pInfoBlob = &Helpers.GetNonNullPinnableReference(infoBlob)) { BCryptBuffer infoBuffer = default; - infoBuffer.cbBuffer = safeInfo.Length; + infoBuffer.cbBuffer = infoBlob.Length; infoBuffer.BufferType = CngBufferDescriptors.KDF_HKDF_INFO; - infoBuffer.pvBuffer = (IntPtr)pSafeInfo; + infoBuffer.pvBuffer = (IntPtr)pInfoBlob; BCryptBufferDesc bufferDesc = default; bufferDesc.ulVersion = Interop.BCrypt.BCRYPTBUFFER_VERSION;