Add concurrent guards to Shake128/256

Author: vcsjones

src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj

@@ -490,6 +490,7 @@
     <Compile Include="System\Security\Cryptography\SHA3_512.cs" />
     <Compile Include="System\Security\Cryptography\Shake128.cs" />
     <Compile Include="System\Security\Cryptography\Shake256.cs" />
+    <Compile Include="System\Security\Cryptography\ShakeCommon.cs" />
     <Compile Include="System\Security\Cryptography\SignatureDescription.cs" />
     <Compile Include="System\Security\Cryptography\SymmetricAlgorithm.cs" />
     <Compile Include="System\Security\Cryptography\SymmetricPadding.cs" />

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/Shake128.NonWindows.cs

@@ -1,10 +1,33 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Threading;
+
 namespace System.Security.Cryptography
 {
     public sealed partial class Shake128 : IDisposable
     {
         private const string HashAlgorithmId = HashAlgorithmNames.SHAKE128;
+        private int _callOperations;
+
+        private TOut ConcurrentGuard<TIn, TOut>(TIn args, ConcurrentGuardDelegate<TIn, TOut> callback)
+        {
+            try
+            {
+                if (Interlocked.Increment(ref _callOperations) != 1)
+                {
+                    throw GetConcurrentUseException();
+                }
+
+                return callback(args, ref _hashProvider);
+            }
+            finally
+            {
+                Interlocked.Decrement(ref _callOperations);
+            }
+        }
+
+        private static CryptographicException GetConcurrentUseException() =>
+            new CryptographicException(SR.Cryptography_ConcurrentUseNotSupported);
     }
 }

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/Shake128.Windows.cs

@@ -11,5 +11,9 @@ public sealed partial class Shake128 : IDisposable
         // BCRYPT_CUSTOMIZATION_STRING.
         // So for SHAKE, we create a cSHAKE instance and don't specify S or N.
         private const string HashAlgorithmId = HashAlgorithmNames.CSHAKE128;
+
+        // Windows does not need a concurrent guard, so go right to the delegate.
+        private TOut ConcurrentGuard<TIn, TOut>(TIn args, ConcurrentGuardDelegate<TIn, TOut> callback) =>
+            callback(args, ref _hashProvider);
     }
 }

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/Shake128.cs

@@ -7,6 +7,8 @@
 using System.Threading;
 using System.Threading.Tasks;
 
+#pragma warning disable CS8500 // takes address of managed type
+
 namespace System.Security.Cryptography
 {
     /// <summary>
@@ -64,11 +66,16 @@ public void AppendData(byte[] data)
         /// </summary>
         /// <param name="data">The data to process.</param>
         /// <exception cref="ObjectDisposedException">The object has already been disposed.</exception>
-        public void AppendData(ReadOnlySpan<byte> data)
+        public unsafe void AppendData(ReadOnlySpan<byte> data)
         {
             CheckDisposed();
 
-            _hashProvider.Append(data);
+            ConcurrentGuard<IntPtr, object?>((IntPtr)(&data), static (IntPtr dataPointer, ref LiteXof hashProvider) =>
+            {
+                ReadOnlySpan<byte> data = *(ReadOnlySpan<byte>*)dataPointer;
+                hashProvider.Append(data);
+                return null;
+            });
         }
 
         /// <summary>
@@ -87,10 +94,13 @@ public byte[] GetHashAndReset(int outputLength)
             ArgumentOutOfRangeException.ThrowIfNegative(outputLength);
             CheckDisposed();
 
-            byte[] output = new byte[outputLength];
-            _hashProvider.Finalize(output);
-            _hashProvider.Reset();
-            return output;
+            return ConcurrentGuard<int, byte[]>(outputLength, static (int outputLength, ref LiteXof hashProvider) =>
+            {
+                byte[] output = new byte[outputLength];
+                hashProvider.Finalize(output);
+                hashProvider.Reset();
+                return output;
+            });
         }
 
         /// <summary>
@@ -100,12 +110,17 @@ public byte[] GetHashAndReset(int outputLength)
         /// <param name="destination">The buffer to fill with the hash.</param>
         /// <exception cref="ObjectDisposedException">The object has already been disposed.</exception>
         /// <seealso cref="GetCurrentHash(Span{byte})" />
-        public void GetHashAndReset(Span<byte> destination)
+        public unsafe void GetHashAndReset(Span<byte> destination)
         {
             CheckDisposed();
 
-            _hashProvider.Finalize(destination);
-            _hashProvider.Reset();
+            ConcurrentGuard<IntPtr, object?>((IntPtr)(&destination), static (IntPtr destinationPointer, ref LiteXof hashProvider) =>
+            {
+                Span<byte> destination = *(Span<byte>*)destinationPointer;
+                hashProvider.Finalize(destination);
+                hashProvider.Reset();
+                return null;
+            });
         }
 
         /// <summary>
@@ -124,9 +139,12 @@ public byte[] GetCurrentHash(int outputLength)
             ArgumentOutOfRangeException.ThrowIfNegative(outputLength);
             CheckDisposed();
 
-            byte[] output = new byte[outputLength];
-            _hashProvider.Current(output);
-            return output;
+            return ConcurrentGuard<int, byte[]>(outputLength, static (int outputLength, ref LiteXof hashProvider) =>
+            {
+                byte[] output = new byte[outputLength];
+                hashProvider.Current(output);
+                return output;
+            });
         }
 
         /// <summary>
@@ -136,10 +154,16 @@ public byte[] GetCurrentHash(int outputLength)
         /// <param name="destination">The buffer to fill with the hash.</param>
         /// <exception cref="ObjectDisposedException">The object has already been disposed.</exception>
         /// <seealso cref="GetHashAndReset(Span{byte})" />
-        public void GetCurrentHash(Span<byte> destination)
+        public unsafe void GetCurrentHash(Span<byte> destination)
         {
             CheckDisposed();
-            _hashProvider.Current(destination);
+
+            ConcurrentGuard<IntPtr, object?>((IntPtr)(&destination), static (IntPtr destinationPointer, ref LiteXof hashProvider) =>
+            {
+                Span<byte> destination = *(Span<byte>*)destinationPointer;
+                hashProvider.Current(destination);
+                return null;
+            });
         }
 
         /// <summary>

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/Shake256.NonWindows.cs

@@ -1,10 +1,33 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Threading;
+
 namespace System.Security.Cryptography
 {
     public sealed partial class Shake256 : IDisposable
     {
         private const string HashAlgorithmId = HashAlgorithmNames.SHAKE256;
+        private int _callOperations;
+
+        private TOut ConcurrentGuard<TIn, TOut>(TIn args, ConcurrentGuardDelegate<TIn, TOut> callback)
+        {
+            try
+            {
+                if (Interlocked.Increment(ref _callOperations) != 1)
+                {
+                    throw GetConcurrentUseException();
+                }
+
+                return callback(args, ref _hashProvider);
+            }
+            finally
+            {
+                Interlocked.Decrement(ref _callOperations);
+            }
+        }
+
+        private static CryptographicException GetConcurrentUseException() =>
+            new CryptographicException(SR.Cryptography_ConcurrentUseNotSupported);
     }
 }

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/Shake256.Windows.cs

@@ -11,5 +11,9 @@ public sealed partial class Shake256 : IDisposable
         // BCRYPT_CUSTOMIZATION_STRING.
         // So for SHAKE, we create a cSHAKE instance and don't specify S or N.
         private const string HashAlgorithmId = HashAlgorithmNames.CSHAKE256;
+
+        // Windows does not need a concurrent guard, so go right to the delegate.
+        private TOut ConcurrentGuard<TIn, TOut>(TIn args, ConcurrentGuardDelegate<TIn, TOut> callback) =>
+            callback(args, ref _hashProvider);
     }
 }

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/Shake256.cs

@@ -7,6 +7,8 @@
 using System.Threading;
 using System.Threading.Tasks;
 
+#pragma warning disable CS8500 // takes address of managed type
+
 namespace System.Security.Cryptography
 {
     /// <summary>
@@ -64,11 +66,16 @@ public void AppendData(byte[] data)
         /// </summary>
         /// <param name="data">The data to process.</param>
         /// <exception cref="ObjectDisposedException">The object has already been disposed.</exception>
-        public void AppendData(ReadOnlySpan<byte> data)
+        public unsafe void AppendData(ReadOnlySpan<byte> data)
         {
             CheckDisposed();
 
-            _hashProvider.Append(data);
+            ConcurrentGuard<IntPtr, object?>((IntPtr)(&data), static (IntPtr dataPointer, ref LiteXof hashProvider) =>
+            {
+                ReadOnlySpan<byte> data = *(ReadOnlySpan<byte>*)dataPointer;
+                hashProvider.Append(data);
+                return null;
+            });
         }
 
         /// <summary>
@@ -87,10 +94,13 @@ public byte[] GetHashAndReset(int outputLength)
             ArgumentOutOfRangeException.ThrowIfNegative(outputLength);
             CheckDisposed();
 
-            byte[] output = new byte[outputLength];
-            _hashProvider.Finalize(output);
-            _hashProvider.Reset();
-            return output;
+            return ConcurrentGuard<int, byte[]>(outputLength, static (int outputLength, ref LiteXof hashProvider) =>
+            {
+                byte[] output = new byte[outputLength];
+                hashProvider.Finalize(output);
+                hashProvider.Reset();
+                return output;
+            });
         }
 
         /// <summary>
@@ -100,12 +110,17 @@ public byte[] GetHashAndReset(int outputLength)
         /// <param name="destination">The buffer to fill with the hash.</param>
         /// <exception cref="ObjectDisposedException">The object has already been disposed.</exception>
         /// <seealso cref="GetCurrentHash(Span{byte})" />
-        public void GetHashAndReset(Span<byte> destination)
+        public unsafe void GetHashAndReset(Span<byte> destination)
         {
             CheckDisposed();
 
-            _hashProvider.Finalize(destination);
-            _hashProvider.Reset();
+            ConcurrentGuard<IntPtr, object?>((IntPtr)(&destination), static (IntPtr destinationPointer, ref LiteXof hashProvider) =>
+            {
+                Span<byte> destination = *(Span<byte>*)destinationPointer;
+                hashProvider.Finalize(destination);
+                hashProvider.Reset();
+                return null;
+            });
         }
 
         /// <summary>
@@ -124,9 +139,12 @@ public byte[] GetCurrentHash(int outputLength)
             ArgumentOutOfRangeException.ThrowIfNegative(outputLength);
             CheckDisposed();
 
-            byte[] output = new byte[outputLength];
-            _hashProvider.Current(output);
-            return output;
+            return ConcurrentGuard<int, byte[]>(outputLength, static (int outputLength, ref LiteXof hashProvider) =>
+            {
+                byte[] output = new byte[outputLength];
+                hashProvider.Current(output);
+                return output;
+            });
         }
 
         /// <summary>
@@ -136,10 +154,16 @@ public byte[] GetCurrentHash(int outputLength)
         /// <param name="destination">The buffer to fill with the hash.</param>
         /// <exception cref="ObjectDisposedException">The object has already been disposed.</exception>
         /// <seealso cref="GetHashAndReset(Span{byte})" />
-        public void GetCurrentHash(Span<byte> destination)
+        public unsafe void GetCurrentHash(Span<byte> destination)
         {
             CheckDisposed();
-            _hashProvider.Current(destination);
+
+            ConcurrentGuard<IntPtr, object?>((IntPtr)(&destination), static (IntPtr destinationPointer, ref LiteXof hashProvider) =>
+            {
+                Span<byte> destination = *(Span<byte>*)destinationPointer;
+                hashProvider.Current(destination);
+                return null;
+            });
         }
 
         /// <summary>

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/ShakeCommon.cs

@@ -0,0 +1,7 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace System.Security.Cryptography
+{
+    internal delegate TOut ConcurrentGuardDelegate<in TIn, out TOut>(TIn args, ref LiteXof hashProvider);
+}

src/libraries/System.Security.Cryptography/tests/ShakeTestDriver.cs

@@ -6,6 +6,8 @@
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.DotNet.RemoteExecutor;
+using Microsoft.DotNet.XUnitExtensions;
 using Xunit;
 
 namespace System.Security.Cryptography.Tests
@@ -536,5 +538,47 @@ public void IsSupported_AgreesWithPlatform()
         {
             Assert.Equal(TShakeTrait.IsSupported, PlatformDetection.SupportsSha3);
         }
+
+        [ConditionalFact(typeof(RemoteExecutor), nameof(RemoteExecutor.IsSupported))]
+        public void GetHashAndReset_ConcurrentUseDoesNotCrashProcess()
+        {
+            if (!IsSupported)
+            {
+                throw new SkipTestException("Algorithm is not supported on this platform.");
+            }
+
+            RemoteExecutor.Invoke(static () =>
+            {
+                using (TShake shake = TShakeTrait.Create())
+                {
+                    Thread thread1 = new(ThreadWork);
+                    Thread thread2 = new(ThreadWork);
+                    thread1.Start(shake);
+                    thread2.Start(shake);
+                    thread1.Join();
+                    thread2.Join();
+                }
+            }).Dispose();
+
+            static void ThreadWork(object obj)
+            {
+                TShake shake = (TShake)obj;
+
+                try
+                {
+                    byte[] input = new byte[128];
+
+                    for (int i = 0; i < 10_000; i++)
+                    {
+                        TShakeTrait.AppendData(shake, input);
+                        TShakeTrait.GetHashAndReset(shake, 128);
+                    }
+                }
+                catch
+                {
+                    // Ignore all managed exceptions. HashAlgorithm is not thread safe, but we don't want process crashes.
+                }
+            }
+        }
     }
 }