Dispose secret instances (#51253)

alex-inftx · web-flow · commit 7978f36a455c · 2023-11-09T15:54:33.000-08:00
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngCbcAuthenticatedEncryptorFactory.cs
@@ -55,8 +55,9 @@ public CngCbcAuthenticatedEncryptorFactory(ILoggerFactory loggerFactory)
             return null;
         }
 
+        using var key = new Secret(secret);
         return new CbcAuthenticatedEncryptor(
-            keyDerivationKey: new Secret(secret),
+            keyDerivationKey: key,
             symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(configuration),
             symmetricAlgorithmKeySizeInBytes: (uint)(configuration.EncryptionAlgorithmKeySize / 8),
             hmacAlgorithmHandle: GetHmacAlgorithmHandle(configuration));
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/CngGcmAuthenticatedEncryptorFactory.cs
@@ -57,8 +57,9 @@ public CngGcmAuthenticatedEncryptorFactory(ILoggerFactory loggerFactory)
             return null;
         }
 
+        using var key = new Secret(secret);
         return new CngGcmAuthenticatedEncryptor(
-            keyDerivationKey: new Secret(secret),
+            keyDerivationKey: key,
             symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(configuration),
             symmetricAlgorithmKeySizeInBytes: (uint)(configuration.EncryptionAlgorithmKeySize / 8));
     }
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/AuthenticatedEncryptorConfiguration.cs
@@ -44,7 +44,8 @@ void IInternalAlgorithmConfiguration.Validate()
     {
         var factory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
         // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.
-        var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this);
+        using var secret = Secret.Random(512 / 8);
+        var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);
         try
         {
             encryptor.PerformSelfTest();
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngCbcAuthenticatedEncryptorConfiguration.cs
@@ -94,9 +94,8 @@ void IInternalAlgorithmConfiguration.Validate()
     {
         var factory = new CngCbcAuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
         // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.
-        using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this))
-        {
-            encryptor.PerformSelfTest();
-        }
+        using var secret = Secret.Random(512 / 8);
+        using var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);
+        encryptor.PerformSelfTest();
     }
 }
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/CngGcmAuthenticatedEncryptorConfiguration.cs
@@ -70,9 +70,8 @@ void IInternalAlgorithmConfiguration.Validate()
     {
         var factory = new CngGcmAuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
         // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.
-        using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this))
-        {
-            encryptor.PerformSelfTest();
-        }
+        using var secret = Secret.Random(512 / 8);
+        using var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);
+        encryptor.PerformSelfTest();
     }
 }
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/ConfigurationModel/ManagedAuthenticatedEncryptorConfiguration.cs
@@ -73,10 +73,9 @@ void IInternalAlgorithmConfiguration.Validate()
     {
         var factory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
         // Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.
-        using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this))
-        {
-            encryptor.PerformSelfTest();
-        }
+        using var secret = Secret.Random(512 / 8);
+        using var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);
+        encryptor.PerformSelfTest();
     }
 
     // Any changes to this method should also be be reflected
diff --git a/src/DataProtection/DataProtection/src/Cng/DpapiSecretSerializerHelper.cs b/src/DataProtection/DataProtection/src/Cng/DpapiSecretSerializerHelper.cs
@@ -30,7 +30,8 @@ public static bool CanProtectToCurrentUserAccount()
         try
         {
             Guid dummy;
-            ProtectWithDpapi(new Secret((byte*)&dummy, sizeof(Guid)), protectToLocalMachine: false);
+            using var secret = new Secret((byte*)&dummy, sizeof(Guid));
+            ProtectWithDpapi(secret, protectToLocalMachine: false);
             return true;
         }
         catch

Original file line number	Diff line number	Diff line change
`@@ -57,8 +57,9 @@ public CngGcmAuthenticatedEncryptorFactory(ILoggerFactory loggerFactory)`
`57`	`57`	`return null;`
`58`	`58`	`}`
`59`	`59`
	`60`	`+ using var key = new Secret(secret);`
`60`	`61`	`return new CngGcmAuthenticatedEncryptor(`
`61`		`- keyDerivationKey: new Secret(secret),`
	`62`	`+ keyDerivationKey: key,`
`62`	`63`	`symmetricAlgorithmHandle: GetSymmetricBlockCipherAlgorithmHandle(configuration),`
`63`	`64`	`symmetricAlgorithmKeySizeInBytes: (uint)(configuration.EncryptionAlgorithmKeySize / 8));`
`64`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ void IInternalAlgorithmConfiguration.Validate()`
`44`	`44`	`{`
`45`	`45`	`var factory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);`
`46`	`46`	`// Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.`
`47`		`- var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this);`
	`47`	`+ using var secret = Secret.Random(512 / 8);`
	`48`	`+ var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);`
`48`	`49`	`try`
`49`	`50`	`{`
`50`	`51`	`encryptor.PerformSelfTest();`
Original file line number	Diff line number	Diff line change
`@@ -94,9 +94,8 @@ void IInternalAlgorithmConfiguration.Validate()`
`94`	`94`	`{`
`95`	`95`	`var factory = new CngCbcAuthenticatedEncryptorFactory(NullLoggerFactory.Instance);`
`96`	`96`	`// Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.`
`97`		`- using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this))`
`98`		`- {`
`99`		`- encryptor.PerformSelfTest();`
`100`		`- }`
	`97`	`+ using var secret = Secret.Random(512 / 8);`
	`98`	`+ using var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);`
	`99`	`+ encryptor.PerformSelfTest();`
`101`	`100`	`}`
`102`	`101`	`}`
Original file line number	Diff line number	Diff line change
`@@ -70,9 +70,8 @@ void IInternalAlgorithmConfiguration.Validate()`
`70`	`70`	`{`
`71`	`71`	`var factory = new CngGcmAuthenticatedEncryptorFactory(NullLoggerFactory.Instance);`
`72`	`72`	`// Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.`
`73`		`- using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this))`
`74`		`- {`
`75`		`- encryptor.PerformSelfTest();`
`76`		`- }`
	`73`	`+ using var secret = Secret.Random(512 / 8);`
	`74`	`+ using var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);`
	`75`	`+ encryptor.PerformSelfTest();`
`77`	`76`	`}`
`78`	`77`	`}`
Original file line number	Diff line number	Diff line change
`@@ -73,10 +73,9 @@ void IInternalAlgorithmConfiguration.Validate()`
`73`	`73`	`{`
`74`	`74`	`var factory = new ManagedAuthenticatedEncryptorFactory(NullLoggerFactory.Instance);`
`75`	`75`	`// Run a sample payload through an encrypt -> decrypt operation to make sure data round-trips properly.`
`76`		`- using (var encryptor = factory.CreateAuthenticatedEncryptorInstance(Secret.Random(512 / 8), this))`
`77`		`- {`
`78`		`- encryptor.PerformSelfTest();`
`79`		`- }`
	`76`	`+ using var secret = Secret.Random(512 / 8);`
	`77`	`+ using var encryptor = factory.CreateAuthenticatedEncryptorInstance(secret, this);`
	`78`	`+ encryptor.PerformSelfTest();`
`80`	`79`	`}`
`81`	`80`
`82`	`81`	`// Any changes to this method should also be be reflected`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,8 @@ public static bool CanProtectToCurrentUserAccount()`
`30`	`30`	`try`
`31`	`31`	`{`
`32`	`32`	`Guid dummy;`
`33`		`- ProtectWithDpapi(new Secret((byte*)&dummy, sizeof(Guid)), protectToLocalMachine: false);`
	`33`	`+ using var secret = new Secret((byte*)&dummy, sizeof(Guid));`
	`34`	`+ ProtectWithDpapi(secret, protectToLocalMachine: false);`
`34`	`35`	`return true;`
`35`	`36`	`}`
`36`	`37`	`catch`