summaryrefslogtreecommitdiff
path: root/src/mscorlib/shared/System/Security
diff options
context:
space:
mode:
authorJiyoung Yun <jy910.yun@samsung.com>2017-04-13 14:17:19 +0900
committerJiyoung Yun <jy910.yun@samsung.com>2017-04-13 14:17:19 +0900
commita56e30c8d33048216567753d9d3fefc2152af8ac (patch)
tree7e5d979695fc4a431740982eb1cfecc2898b23a5 /src/mscorlib/shared/System/Security
parent4b11dc566a5bbfa1378d6266525c281b028abcc8 (diff)
downloadcoreclr-a56e30c8d33048216567753d9d3fefc2152af8ac.tar.gz
coreclr-a56e30c8d33048216567753d9d3fefc2152af8ac.tar.bz2
coreclr-a56e30c8d33048216567753d9d3fefc2152af8ac.zip
Imported Upstream version 2.0.0.11353upstream/2.0.0.11353
Diffstat (limited to 'src/mscorlib/shared/System/Security')
-rw-r--r--src/mscorlib/shared/System/Security/AllowPartiallyTrustedCallersAttribute.cs19
-rw-r--r--src/mscorlib/shared/System/Security/CryptographicException.cs44
-rw-r--r--src/mscorlib/shared/System/Security/PartialTrustVisibilityLevel.cs13
-rw-r--r--src/mscorlib/shared/System/Security/SafeBSTRHandle.cs81
-rw-r--r--src/mscorlib/shared/System/Security/SecureString.Unix.cs295
-rw-r--r--src/mscorlib/shared/System/Security/SecureString.Windows.cs311
-rw-r--r--src/mscorlib/shared/System/Security/SecureString.cs189
-rw-r--r--src/mscorlib/shared/System/Security/SecurityCriticalAttribute.cs36
-rw-r--r--src/mscorlib/shared/System/Security/SecurityCriticalScope.cs14
-rw-r--r--src/mscorlib/shared/System/Security/SecurityException.cs66
-rw-r--r--src/mscorlib/shared/System/Security/SecurityRuleSet.cs14
-rw-r--r--src/mscorlib/shared/System/Security/SecurityRulesAttribute.cs28
-rw-r--r--src/mscorlib/shared/System/Security/SecuritySafeCriticalAttribute.cs30
-rw-r--r--src/mscorlib/shared/System/Security/SecurityTransparentAttribute.cs19
-rw-r--r--src/mscorlib/shared/System/Security/SecurityTreatAsSafeAttribute.cs32
-rw-r--r--src/mscorlib/shared/System/Security/SuppressUnmanagedCodeSecurityAttribute.cs16
-rw-r--r--src/mscorlib/shared/System/Security/UnverifiableCodeAttribute.cs15
-rw-r--r--src/mscorlib/shared/System/Security/VerificationException.cs35
18 files changed, 1257 insertions, 0 deletions
diff --git a/src/mscorlib/shared/System/Security/AllowPartiallyTrustedCallersAttribute.cs b/src/mscorlib/shared/System/Security/AllowPartiallyTrustedCallersAttribute.cs
new file mode 100644
index 0000000000..84ad65c4c0
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/AllowPartiallyTrustedCallersAttribute.cs
@@ -0,0 +1,19 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ // AllowPartiallyTrustedCallersAttribute:
+ // Indicates that the Assembly is secure and can be used by untrusted
+ // and semitrusted clients
+ // For v.1, this is valid only on Assemblies, but could be expanded to
+ // include Module, Method, class
+ [AttributeUsage(AttributeTargets.Assembly, AllowMultiple = false, Inherited = false)]
+ public sealed class AllowPartiallyTrustedCallersAttribute : Attribute
+ {
+ public AllowPartiallyTrustedCallersAttribute() { }
+ public PartialTrustVisibilityLevel PartialTrustVisibilityLevel { get; set; }
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/CryptographicException.cs b/src/mscorlib/shared/System/Security/CryptographicException.cs
new file mode 100644
index 0000000000..89cb658aa9
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/CryptographicException.cs
@@ -0,0 +1,44 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System.Globalization;
+using System.Runtime.Serialization;
+
+namespace System.Security.Cryptography
+{
+ [Serializable]
+ public class CryptographicException : SystemException
+ {
+ public CryptographicException()
+ : base(SR.Arg_CryptographyException)
+ {
+ }
+
+ public CryptographicException(int hr)
+ : base(SR.Arg_CryptographyException)
+ {
+ HResult = hr;
+ }
+
+ public CryptographicException(string message)
+ : base(message)
+ {
+ }
+
+ public CryptographicException(string message, Exception inner)
+ : base(message, inner)
+ {
+ }
+
+ public CryptographicException(string format, string insert)
+ : base(string.Format(CultureInfo.CurrentCulture, format, insert))
+ {
+ }
+
+ protected CryptographicException(SerializationInfo info, StreamingContext context)
+ : base(info, context)
+ {
+ }
+ }
+}
diff --git a/src/mscorlib/shared/System/Security/PartialTrustVisibilityLevel.cs b/src/mscorlib/shared/System/Security/PartialTrustVisibilityLevel.cs
new file mode 100644
index 0000000000..a0cb5789ac
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/PartialTrustVisibilityLevel.cs
@@ -0,0 +1,13 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ public enum PartialTrustVisibilityLevel
+ {
+ VisibleToAllHosts = 0,
+ NotVisibleByDefault = 1
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/SafeBSTRHandle.cs b/src/mscorlib/shared/System/Security/SafeBSTRHandle.cs
new file mode 100644
index 0000000000..a1164dce91
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SafeBSTRHandle.cs
@@ -0,0 +1,81 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+
+namespace System.Security
+{
+ internal sealed class SafeBSTRHandle : SafeBuffer
+ {
+ internal SafeBSTRHandle() : base(true) { }
+
+ internal static SafeBSTRHandle Allocate(uint lenInChars)
+ {
+ ulong lenInBytes = (ulong)lenInChars * sizeof(char);
+ SafeBSTRHandle bstr = Interop.OleAut32.SysAllocStringLen(IntPtr.Zero, lenInChars);
+ if (bstr.IsInvalid) // SysAllocStringLen returns a NULL ptr when there's insufficient memory
+ {
+ throw new OutOfMemoryException();
+ }
+ bstr.Initialize(lenInBytes);
+ return bstr;
+ }
+
+ override protected bool ReleaseHandle()
+ {
+ Interop.NtDll.ZeroMemory(handle, (UIntPtr)(Interop.OleAut32.SysStringLen(handle) * sizeof(char)));
+ Interop.OleAut32.SysFreeString(handle);
+ return true;
+ }
+
+ internal unsafe void ClearBuffer()
+ {
+ byte* bufferPtr = null;
+ try
+ {
+ AcquirePointer(ref bufferPtr);
+ Interop.NtDll.ZeroMemory((IntPtr)bufferPtr, (UIntPtr)(Interop.OleAut32.SysStringLen((IntPtr)bufferPtr) * sizeof(char)));
+ }
+ finally
+ {
+ if (bufferPtr != null)
+ {
+ ReleasePointer();
+ }
+ }
+ }
+
+ internal unsafe uint Length => Interop.OleAut32.SysStringLen(this);
+
+ internal unsafe static void Copy(SafeBSTRHandle source, SafeBSTRHandle target, uint bytesToCopy)
+ {
+ if (bytesToCopy == 0)
+ {
+ return;
+ }
+
+ byte* sourcePtr = null, targetPtr = null;
+ try
+ {
+ source.AcquirePointer(ref sourcePtr);
+ target.AcquirePointer(ref targetPtr);
+
+ Debug.Assert(source.ByteLength >= bytesToCopy, "Source buffer is too small.");
+ Buffer.MemoryCopy(sourcePtr, targetPtr, target.ByteLength, bytesToCopy);
+ }
+ finally
+ {
+ if (targetPtr != null)
+ {
+ target.ReleasePointer();
+ }
+ if (sourcePtr != null)
+ {
+ source.ReleasePointer();
+ }
+ }
+ }
+ }
+}
diff --git a/src/mscorlib/shared/System/Security/SecureString.Unix.cs b/src/mscorlib/shared/System/Security/SecureString.Unix.cs
new file mode 100644
index 0000000000..0ef38e40ee
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecureString.Unix.cs
@@ -0,0 +1,295 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using System.Text;
+
+namespace System.Security
+{
+ // SecureString attempts to provide a defense-in-depth solution.
+ //
+ // On Windows, this is done with several mechanisms:
+ // 1. keeping the data in unmanaged memory so that copies of it aren't implicitly made by the GC moving it around
+ // 2. zero'ing out that unmanaged memory so that the string is reliably removed from memory when done with it
+ // 3. encrypting the data while it's not being used (it's unencrypted to manipulate and use it)
+ //
+ // On Unix, we do 1 and 2, but we don't do 3 as there's no CryptProtectData equivalent.
+
+ public sealed partial class SecureString
+ {
+ private UnmanagedBuffer _buffer;
+
+ internal SecureString(SecureString str)
+ {
+ // Allocate enough space to store the provided string
+ EnsureCapacity(str._decryptedLength);
+ _decryptedLength = str._decryptedLength;
+
+ // Copy the string into the newly allocated space
+ if (_decryptedLength > 0)
+ {
+ UnmanagedBuffer.Copy(str._buffer, _buffer, (ulong)(str._decryptedLength * sizeof(char)));
+ }
+ }
+
+ private unsafe void InitializeSecureString(char* value, int length)
+ {
+ // Allocate enough space to store the provided string
+ EnsureCapacity(length);
+ _decryptedLength = length;
+ if (length == 0)
+ {
+ return;
+ }
+
+ // Copy the string into the newly allocated space
+ byte* ptr = null;
+ try
+ {
+ _buffer.AcquirePointer(ref ptr);
+ Buffer.MemoryCopy(value, ptr, _buffer.ByteLength, (ulong)(length * sizeof(char)));
+ }
+ finally
+ {
+ if (ptr != null)
+ {
+ _buffer.ReleasePointer();
+ }
+ }
+ }
+
+ private void DisposeCore()
+ {
+ if (_buffer != null && !_buffer.IsInvalid)
+ {
+ _buffer.Dispose();
+ _buffer = null;
+ }
+ }
+
+ private void EnsureNotDisposed()
+ {
+ if (_buffer == null)
+ {
+ throw new ObjectDisposedException(GetType().Name);
+ }
+ }
+
+ private void ClearCore()
+ {
+ _decryptedLength = 0;
+ _buffer.Clear();
+ }
+
+ private unsafe void AppendCharCore(char c)
+ {
+ // Make sure we have enough space for the new character, then write it at the end.
+ EnsureCapacity(_decryptedLength + 1);
+ _buffer.Write((ulong)(_decryptedLength * sizeof(char)), c);
+ _decryptedLength++;
+ }
+
+ private unsafe void InsertAtCore(int index, char c)
+ {
+ // Make sure we have enough space for the new character, then shift all of the characters above it and insert it.
+ EnsureCapacity(_decryptedLength + 1);
+ byte* ptr = null;
+ try
+ {
+ _buffer.AcquirePointer(ref ptr);
+ ptr += index * sizeof(char);
+ long bytesToShift = (_decryptedLength - index) * sizeof(char);
+ Buffer.MemoryCopy(ptr, ptr + sizeof(char), bytesToShift, bytesToShift);
+ *((char*)ptr) = c;
+ ++_decryptedLength;
+ }
+ finally
+ {
+ if (ptr != null)
+ {
+ _buffer.ReleasePointer();
+ }
+ }
+ }
+
+ private unsafe void RemoveAtCore(int index)
+ {
+ // Shift down all values above the specified index, then null out the empty space at the end.
+ byte* ptr = null;
+ try
+ {
+ _buffer.AcquirePointer(ref ptr);
+ ptr += index * sizeof(char);
+ long bytesToShift = (_decryptedLength - index - 1) * sizeof(char);
+ Buffer.MemoryCopy(ptr + sizeof(char), ptr, bytesToShift, bytesToShift);
+ *((char*)(ptr + bytesToShift)) = (char)0;
+ --_decryptedLength;
+ }
+ finally
+ {
+ if (ptr != null)
+ {
+ _buffer.ReleasePointer();
+ }
+ }
+ }
+
+ private void SetAtCore(int index, char c)
+ {
+ // Overwrite the character at the specified index
+ _buffer.Write((ulong)(index * sizeof(char)), c);
+ }
+
+ internal unsafe IntPtr MarshalToStringCore(bool globalAlloc, bool unicode)
+ {
+ int length = _decryptedLength;
+
+ byte* bufferPtr = null;
+ IntPtr stringPtr = IntPtr.Zero, result = IntPtr.Zero;
+ try
+ {
+ _buffer.AcquirePointer(ref bufferPtr);
+ if (unicode)
+ {
+ int resultLength = (length + 1) * sizeof(char);
+ stringPtr = globalAlloc ? Marshal.AllocHGlobal(resultLength) : Marshal.AllocCoTaskMem(resultLength);
+ Buffer.MemoryCopy(
+ source: bufferPtr,
+ destination: (byte*)stringPtr.ToPointer(),
+ destinationSizeInBytes: resultLength,
+ sourceBytesToCopy: length * sizeof(char));
+ *(length + (char*)stringPtr) = '\0';
+ }
+ else
+ {
+ int resultLength = Encoding.UTF8.GetByteCount((char*)bufferPtr, length) + 1;
+ stringPtr = globalAlloc ? Marshal.AllocHGlobal(resultLength) : Marshal.AllocCoTaskMem(resultLength);
+ int encodedLength = Encoding.UTF8.GetBytes((char*)bufferPtr, length, (byte*)stringPtr, resultLength);
+ Debug.Assert(encodedLength + 1 == resultLength, $"Expected encoded length to match result, got {encodedLength} != {resultLength}");
+ *(resultLength - 1 + (byte*)stringPtr) = 0;
+ }
+
+ result = stringPtr;
+ }
+ finally
+ {
+ // If there was a failure, such that result isn't initialized,
+ // release the string if we had one.
+ if (stringPtr != IntPtr.Zero && result == IntPtr.Zero)
+ {
+ UnmanagedBuffer.ZeroMemory((byte*)stringPtr, (ulong)(length * sizeof(char)));
+ MarshalFree(stringPtr, globalAlloc);
+ }
+
+ if (bufferPtr != null)
+ {
+ _buffer.ReleasePointer();
+ }
+ }
+
+ return result;
+ }
+
+ // -----------------------------
+ // ---- PAL layer ends here ----
+ // -----------------------------
+
+ private void EnsureCapacity(int capacity)
+ {
+ // Make sure the requested capacity doesn't exceed SecureString's defined limit
+ if (capacity > MaxLength)
+ {
+ throw new ArgumentOutOfRangeException(nameof(capacity), SR.ArgumentOutOfRange_Capacity);
+ }
+
+ // If we already have enough space allocated, we're done
+ if (_buffer != null && (capacity * sizeof(char)) <= (int)_buffer.ByteLength)
+ {
+ return;
+ }
+
+ // We need more space, so allocate a new buffer, copy all our data into it,
+ // and then swap the new for the old.
+ UnmanagedBuffer newBuffer = UnmanagedBuffer.Allocate(capacity * sizeof(char));
+ if (_buffer != null)
+ {
+ UnmanagedBuffer.Copy(_buffer, newBuffer, _buffer.ByteLength);
+ _buffer.Dispose();
+ }
+ _buffer = newBuffer;
+ }
+
+ /// <summary>SafeBuffer for managing memory meant to be kept confidential.</summary>
+ private sealed class UnmanagedBuffer : SafeBuffer
+ {
+ internal UnmanagedBuffer() : base(true) { }
+
+ internal static UnmanagedBuffer Allocate(int bytes)
+ {
+ Debug.Assert(bytes >= 0);
+ UnmanagedBuffer buffer = new UnmanagedBuffer();
+ buffer.SetHandle(Marshal.AllocHGlobal(bytes));
+ buffer.Initialize((ulong)bytes);
+ return buffer;
+ }
+
+ internal unsafe void Clear()
+ {
+ byte* ptr = null;
+ try
+ {
+ AcquirePointer(ref ptr);
+ ZeroMemory(ptr, ByteLength);
+ }
+ finally
+ {
+ if (ptr != null)
+ {
+ ReleasePointer();
+ }
+ }
+ }
+
+ internal static unsafe void Copy(UnmanagedBuffer source, UnmanagedBuffer destination, ulong bytesLength)
+ {
+ if (bytesLength == 0)
+ {
+ return;
+ }
+
+ byte* srcPtr = null, dstPtr = null;
+ try
+ {
+ source.AcquirePointer(ref srcPtr);
+ destination.AcquirePointer(ref dstPtr);
+ Buffer.MemoryCopy(srcPtr, dstPtr, destination.ByteLength, bytesLength);
+ }
+ finally
+ {
+ if (dstPtr != null)
+ {
+ destination.ReleasePointer();
+ }
+ if (srcPtr != null)
+ {
+ source.ReleasePointer();
+ }
+ }
+ }
+
+ protected override unsafe bool ReleaseHandle()
+ {
+ Marshal.FreeHGlobal(handle);
+ return true;
+ }
+
+ internal static unsafe void ZeroMemory(byte* ptr, ulong len)
+ {
+ for (ulong i = 0; i < len; i++) *ptr++ = 0;
+ }
+ }
+
+ }
+}
diff --git a/src/mscorlib/shared/System/Security/SecureString.Windows.cs b/src/mscorlib/shared/System/Security/SecureString.Windows.cs
new file mode 100644
index 0000000000..13f75a37e9
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecureString.Windows.cs
@@ -0,0 +1,311 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+using System.Security.Cryptography;
+using Microsoft.Win32;
+
+namespace System.Security
+{
+ public sealed partial class SecureString
+ {
+ internal SecureString(SecureString str)
+ {
+ Debug.Assert(str != null, "Expected non-null SecureString");
+ Debug.Assert(str._buffer != null, "Expected other SecureString's buffer to be non-null");
+ Debug.Assert(str._encrypted, "Expected to be used only on encrypted SecureStrings");
+
+ AllocateBuffer(str._buffer.Length);
+ SafeBSTRHandle.Copy(str._buffer, _buffer, str._buffer.Length * sizeof(char));
+
+ _decryptedLength = str._decryptedLength;
+ _encrypted = str._encrypted;
+ }
+
+ private unsafe void InitializeSecureString(char* value, int length)
+ {
+ Debug.Assert(length >= 0, $"Expected non-negative length, got {length}");
+
+ AllocateBuffer((uint)length);
+ _decryptedLength = length;
+
+ byte* bufferPtr = null;
+ try
+ {
+ _buffer.AcquirePointer(ref bufferPtr);
+ Buffer.MemoryCopy((byte*)value, bufferPtr, (long)_buffer.ByteLength, length * sizeof(char));
+ }
+ finally
+ {
+ if (bufferPtr != null)
+ {
+ _buffer.ReleasePointer();
+ }
+ }
+
+ ProtectMemory();
+ }
+
+ private void AppendCharCore(char c)
+ {
+ UnprotectMemory();
+ try
+ {
+ EnsureCapacity(_decryptedLength + 1);
+ _buffer.Write<char>((uint)_decryptedLength * sizeof(char), c);
+ _decryptedLength++;
+ }
+ finally
+ {
+ ProtectMemory();
+ }
+ }
+
+ private void ClearCore()
+ {
+ _decryptedLength = 0;
+ _buffer.ClearBuffer();
+ }
+
+ private void DisposeCore()
+ {
+ if (_buffer != null)
+ {
+ _buffer.Dispose();
+ _buffer = null;
+ }
+ }
+
+ private unsafe void InsertAtCore(int index, char c)
+ {
+ byte* bufferPtr = null;
+ UnprotectMemory();
+ try
+ {
+ EnsureCapacity(_decryptedLength + 1);
+
+ _buffer.AcquirePointer(ref bufferPtr);
+ char* pBuffer = (char*)bufferPtr;
+
+ for (int i = _decryptedLength; i > index; i--)
+ {
+ pBuffer[i] = pBuffer[i - 1];
+ }
+ pBuffer[index] = c;
+ ++_decryptedLength;
+ }
+ finally
+ {
+ ProtectMemory();
+ if (bufferPtr != null)
+ {
+ _buffer.ReleasePointer();
+ }
+ }
+ }
+
+ private unsafe void RemoveAtCore(int index)
+ {
+ byte* bufferPtr = null;
+ UnprotectMemory();
+ try
+ {
+ _buffer.AcquirePointer(ref bufferPtr);
+ char* pBuffer = (char*)bufferPtr;
+
+ for (int i = index; i < _decryptedLength - 1; i++)
+ {
+ pBuffer[i] = pBuffer[i + 1];
+ }
+ pBuffer[--_decryptedLength] = (char)0;
+ }
+ finally
+ {
+ ProtectMemory();
+ if (bufferPtr != null)
+ {
+ _buffer.ReleasePointer();
+ }
+ }
+ }
+
+ private void SetAtCore(int index, char c)
+ {
+ UnprotectMemory();
+ try
+ {
+ _buffer.Write<char>((uint)index * sizeof(char), c);
+ }
+ finally
+ {
+ ProtectMemory();
+ }
+ }
+
+ internal unsafe IntPtr MarshalToBSTR()
+ {
+ int length = _decryptedLength;
+ IntPtr ptr = IntPtr.Zero;
+ IntPtr result = IntPtr.Zero;
+ byte* bufferPtr = null;
+
+ UnprotectMemory();
+ try
+ {
+ _buffer.AcquirePointer(ref bufferPtr);
+ int resultByteLength = (length + 1) * sizeof(char);
+
+ ptr = Interop.OleAut32.SysAllocStringLen(null, length);
+ if (ptr == IntPtr.Zero)
+ {
+ throw new OutOfMemoryException();
+ }
+
+ Buffer.MemoryCopy(bufferPtr, (byte*)ptr, resultByteLength, length * sizeof(char));
+
+ result = ptr;
+ }
+ finally
+ {
+ ProtectMemory();
+
+ // If we failed for any reason, free the new buffer
+ if (result == IntPtr.Zero && ptr != IntPtr.Zero)
+ {
+ Interop.NtDll.ZeroMemory(ptr, (UIntPtr)(length * sizeof(char)));
+ Interop.OleAut32.SysFreeString(ptr);
+ }
+
+ if (bufferPtr != null)
+ {
+ _buffer.ReleasePointer();
+ }
+ }
+ return result;
+ }
+
+ internal unsafe IntPtr MarshalToStringCore(bool globalAlloc, bool unicode)
+ {
+ int length = _decryptedLength;
+ IntPtr ptr = IntPtr.Zero;
+ IntPtr result = IntPtr.Zero;
+ byte* bufferPtr = null;
+
+ UnprotectMemory();
+ try
+ {
+ _buffer.AcquirePointer(ref bufferPtr);
+ if (unicode)
+ {
+ int resultByteLength = (length + 1) * sizeof(char);
+ ptr = globalAlloc ? Marshal.AllocHGlobal(resultByteLength) : Marshal.AllocCoTaskMem(resultByteLength);
+ Buffer.MemoryCopy(bufferPtr, (byte*)ptr, resultByteLength, length * sizeof(char));
+ *(length + (char*)ptr) = '\0';
+ }
+ else
+ {
+ uint defaultChar = '?';
+ int resultByteLength = 1 + Interop.Kernel32.WideCharToMultiByte(
+ Interop.Kernel32.CP_ACP, Interop.Kernel32.WC_NO_BEST_FIT_CHARS, (char*)bufferPtr, length, null, 0, (IntPtr)(&defaultChar), IntPtr.Zero);
+ ptr = globalAlloc ? Marshal.AllocHGlobal(resultByteLength) : Marshal.AllocCoTaskMem(resultByteLength);
+ Interop.Kernel32.WideCharToMultiByte(
+ Interop.Kernel32.CP_ACP, Interop.Kernel32.WC_NO_BEST_FIT_CHARS, (char*)bufferPtr, length, (byte*)ptr, resultByteLength - 1, (IntPtr)(&defaultChar), IntPtr.Zero);
+ *(resultByteLength - 1 + (byte*)ptr) = 0;
+ }
+ result = ptr;
+ }
+ finally
+ {
+ ProtectMemory();
+
+ // If we failed for any reason, free the new buffer
+ if (result == IntPtr.Zero && ptr != IntPtr.Zero)
+ {
+ Interop.NtDll.ZeroMemory(ptr, (UIntPtr)(length * sizeof(char)));
+ MarshalFree(ptr, globalAlloc);
+ }
+
+ if (bufferPtr != null)
+ {
+ _buffer.ReleasePointer();
+ }
+ }
+ return result;
+ }
+
+ private void EnsureNotDisposed()
+ {
+ if (_buffer == null)
+ {
+ throw new ObjectDisposedException(GetType().Name);
+ }
+ }
+
+ // -----------------------------
+ // ---- PAL layer ends here ----
+ // -----------------------------
+
+ private const int BlockSize = (int)Interop.Crypt32.CRYPTPROTECTMEMORY_BLOCK_SIZE / sizeof(char);
+ private SafeBSTRHandle _buffer;
+ private bool _encrypted;
+
+ private void AllocateBuffer(uint size)
+ {
+ _buffer = SafeBSTRHandle.Allocate(GetAlignedSize(size));
+ }
+
+ private static uint GetAlignedSize(uint size) =>
+ size == 0 || size % BlockSize != 0 ?
+ BlockSize + ((size / BlockSize) * BlockSize) :
+ size;
+
+ private void EnsureCapacity(int capacity)
+ {
+ if (capacity > MaxLength)
+ {
+ throw new ArgumentOutOfRangeException(nameof(capacity), SR.ArgumentOutOfRange_Capacity);
+ }
+
+ if (((uint)capacity * sizeof(char)) <= _buffer.ByteLength)
+ {
+ return;
+ }
+
+ var oldBuffer = _buffer;
+ SafeBSTRHandle newBuffer = SafeBSTRHandle.Allocate(GetAlignedSize((uint)capacity));
+ SafeBSTRHandle.Copy(oldBuffer, newBuffer, (uint)_decryptedLength * sizeof(char));
+ _buffer = newBuffer;
+ oldBuffer.Dispose();
+ }
+
+ private void ProtectMemory()
+ {
+ Debug.Assert(!_buffer.IsInvalid, "Invalid buffer!");
+
+ if (_decryptedLength != 0 &&
+ !_encrypted &&
+ !Interop.Crypt32.CryptProtectMemory(_buffer, _buffer.Length * sizeof(char), Interop.Crypt32.CRYPTPROTECTMEMORY_SAME_PROCESS))
+ {
+ throw new CryptographicException(Marshal.GetLastWin32Error());
+ }
+
+ _encrypted = true;
+ }
+
+ private void UnprotectMemory()
+ {
+ Debug.Assert(!_buffer.IsInvalid, "Invalid buffer!");
+
+ if (_decryptedLength != 0 &&
+ _encrypted &&
+ !Interop.Crypt32.CryptUnprotectMemory(_buffer, _buffer.Length * sizeof(char), Interop.Crypt32.CRYPTPROTECTMEMORY_SAME_PROCESS))
+ {
+ throw new CryptographicException(Marshal.GetLastWin32Error());
+ }
+
+ _encrypted = false;
+ }
+ }
+}
diff --git a/src/mscorlib/shared/System/Security/SecureString.cs b/src/mscorlib/shared/System/Security/SecureString.cs
new file mode 100644
index 0000000000..9059f90e60
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecureString.cs
@@ -0,0 +1,189 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System;
+using System.Diagnostics;
+using System.Runtime.InteropServices;
+
+namespace System.Security
+{
+ public sealed partial class SecureString : IDisposable
+ {
+ private const int MaxLength = 65536;
+ private readonly object _methodLock = new object();
+ private bool _readOnly;
+ private int _decryptedLength;
+
+ public unsafe SecureString()
+ {
+ InitializeSecureString(null, 0);
+ }
+
+ [CLSCompliant(false)]
+ public unsafe SecureString(char* value, int length)
+ {
+ if (value == null)
+ {
+ throw new ArgumentNullException(nameof(value));
+ }
+ if (length < 0)
+ {
+ throw new ArgumentOutOfRangeException(nameof(length), SR.ArgumentOutOfRange_NeedNonNegNum);
+ }
+ if (length > MaxLength)
+ {
+ throw new ArgumentOutOfRangeException(nameof(length), SR.ArgumentOutOfRange_Length);
+ }
+
+ InitializeSecureString(value, length);
+ }
+
+ public int Length
+ {
+ get
+ {
+ lock (_methodLock)
+ {
+ EnsureNotDisposed();
+ return _decryptedLength;
+ }
+ }
+ }
+
+ public void AppendChar(char c)
+ {
+ lock (_methodLock)
+ {
+ EnsureNotDisposed();
+ EnsureNotReadOnly();
+ AppendCharCore(c);
+ }
+ }
+
+ // clears the current contents. Only available if writable
+ public void Clear()
+ {
+ lock (_methodLock)
+ {
+ EnsureNotDisposed();
+ EnsureNotReadOnly();
+ ClearCore();
+ }
+ }
+
+ // Do a deep-copy of the SecureString
+ public SecureString Copy()
+ {
+ lock (_methodLock)
+ {
+ EnsureNotDisposed();
+ return new SecureString(this);
+ }
+ }
+
+ public void Dispose()
+ {
+ lock (_methodLock)
+ {
+ DisposeCore();
+ }
+ }
+
+ public void InsertAt(int index, char c)
+ {
+ lock (_methodLock)
+ {
+ if (index < 0 || index > _decryptedLength)
+ {
+ throw new ArgumentOutOfRangeException(nameof(index), SR.ArgumentOutOfRange_IndexString);
+ }
+
+ EnsureNotDisposed();
+ EnsureNotReadOnly();
+
+ InsertAtCore(index, c);
+ }
+ }
+
+ public bool IsReadOnly()
+ {
+ lock (_methodLock)
+ {
+ EnsureNotDisposed();
+ return _readOnly;
+ }
+ }
+
+ public void MakeReadOnly()
+ {
+ lock (_methodLock)
+ {
+ EnsureNotDisposed();
+ _readOnly = true;
+ }
+ }
+
+ public void RemoveAt(int index)
+ {
+ lock (_methodLock)
+ {
+ EnsureNotDisposed();
+ EnsureNotReadOnly();
+
+ if (index < 0 || index >= _decryptedLength)
+ {
+ throw new ArgumentOutOfRangeException(nameof(index), SR.ArgumentOutOfRange_IndexString);
+ }
+
+ RemoveAtCore(index);
+ }
+ }
+
+ public void SetAt(int index, char c)
+ {
+ lock (_methodLock)
+ {
+ if (index < 0 || index >= _decryptedLength)
+ {
+ throw new ArgumentOutOfRangeException(nameof(index), SR.ArgumentOutOfRange_IndexString);
+ }
+ Debug.Assert(index <= Int32.MaxValue / sizeof(char));
+
+ EnsureNotDisposed();
+ EnsureNotReadOnly();
+
+ SetAtCore(index, c);
+ }
+ }
+
+ private void EnsureNotReadOnly()
+ {
+ if (_readOnly)
+ {
+ throw new InvalidOperationException(SR.InvalidOperation_ReadOnly);
+ }
+ }
+
+ internal unsafe IntPtr MarshalToString(bool globalAlloc, bool unicode)
+ {
+ lock (_methodLock)
+ {
+ EnsureNotDisposed();
+ return MarshalToStringCore(globalAlloc, unicode);
+ }
+ }
+
+ private static void MarshalFree(IntPtr ptr, bool globalAlloc)
+ {
+ if (globalAlloc)
+ {
+ Marshal.FreeHGlobal(ptr);
+ }
+ else
+ {
+ Marshal.FreeCoTaskMem(ptr);
+ }
+ }
+ }
+}
diff --git a/src/mscorlib/shared/System/Security/SecurityCriticalAttribute.cs b/src/mscorlib/shared/System/Security/SecurityCriticalAttribute.cs
new file mode 100644
index 0000000000..2bf1700afb
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecurityCriticalAttribute.cs
@@ -0,0 +1,36 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ // SecurityCriticalAttribute
+ // Indicates that the decorated code or assembly performs security critical operations (e.g. Assert, "unsafe", LinkDemand, etc.)
+ // The attribute can be placed on most targets, except on arguments/return values.
+ [AttributeUsage(AttributeTargets.Assembly |
+ AttributeTargets.Class |
+ AttributeTargets.Struct |
+ AttributeTargets.Enum |
+ AttributeTargets.Constructor |
+ AttributeTargets.Method |
+ AttributeTargets.Field |
+ AttributeTargets.Interface |
+ AttributeTargets.Delegate,
+ AllowMultiple = false,
+ Inherited = false)]
+ public sealed class SecurityCriticalAttribute : Attribute
+ {
+#pragma warning disable 618 // We still use SecurityCriticalScope for v2 compat
+ public SecurityCriticalAttribute() { }
+
+ public SecurityCriticalAttribute(SecurityCriticalScope scope)
+ {
+ Scope = scope;
+ }
+
+ [Obsolete("SecurityCriticalScope is only used for .NET 2.0 transparency compatibility.")]
+ public SecurityCriticalScope Scope { get; }
+#pragma warning restore 618
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/SecurityCriticalScope.cs b/src/mscorlib/shared/System/Security/SecurityCriticalScope.cs
new file mode 100644
index 0000000000..e0f5a8e2cd
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecurityCriticalScope.cs
@@ -0,0 +1,14 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ [Obsolete("SecurityCriticalScope is only used for .NET 2.0 transparency compatibility.")]
+ public enum SecurityCriticalScope
+ {
+ Explicit = 0,
+ Everything = 0x1
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/SecurityException.cs b/src/mscorlib/shared/System/Security/SecurityException.cs
new file mode 100644
index 0000000000..86e3cd4631
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecurityException.cs
@@ -0,0 +1,66 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System.Reflection;
+using System.Runtime.Serialization;
+
+namespace System.Security
+{
+ [Serializable]
+ public class SecurityException : SystemException
+ {
+ public SecurityException()
+ : base(SR.Arg_SecurityException)
+ {
+ HResult = __HResults.COR_E_SECURITY;
+ }
+
+ public SecurityException(string message)
+ : base(message)
+ {
+ HResult = __HResults.COR_E_SECURITY;
+ }
+
+ public SecurityException(string message, Exception inner)
+ : base(message, inner)
+ {
+ HResult = __HResults.COR_E_SECURITY;
+ }
+
+ public SecurityException(string message, Type type)
+ : base(message)
+ {
+ HResult = __HResults.COR_E_SECURITY;
+ PermissionType = type;
+ }
+
+ public SecurityException(string message, Type type, string state)
+ : base(message)
+ {
+ HResult = __HResults.COR_E_SECURITY;
+ PermissionType = type;
+ PermissionState = state;
+ }
+
+ protected SecurityException(SerializationInfo info, StreamingContext context)
+ : base(info, context)
+ {
+ }
+
+ public override string ToString() => base.ToString();
+
+ public override void GetObjectData(SerializationInfo info, StreamingContext context) => base.GetObjectData(info, context);
+
+ public object Demanded { get; set; }
+ public object DenySetInstance { get; set; }
+ public AssemblyName FailedAssemblyInfo { get; set; }
+ public string GrantedSet { get; set; }
+ public MethodInfo Method { get; set; }
+ public string PermissionState { get; set; }
+ public Type PermissionType { get; set; }
+ public object PermitOnlySetInstance { get; set; }
+ public string RefusedSet { get; set; }
+ public string Url { get; set; }
+ }
+}
diff --git a/src/mscorlib/shared/System/Security/SecurityRuleSet.cs b/src/mscorlib/shared/System/Security/SecurityRuleSet.cs
new file mode 100644
index 0000000000..1b62fd4e7d
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecurityRuleSet.cs
@@ -0,0 +1,14 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ public enum SecurityRuleSet : byte
+ {
+ None = 0,
+ Level1 = 1, // v2.0 transparency model
+ Level2 = 2, // v4.0 transparency model
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/SecurityRulesAttribute.cs b/src/mscorlib/shared/System/Security/SecurityRulesAttribute.cs
new file mode 100644
index 0000000000..ad17087f8b
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecurityRulesAttribute.cs
@@ -0,0 +1,28 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ // SecurityRulesAttribute
+ //
+ // Indicates which set of security rules an assembly was authored against, and therefore which set of
+ // rules the runtime should enforce on the assembly. For instance, an assembly marked with
+ // [SecurityRules(SecurityRuleSet.Level1)] will follow the v2.0 transparency rules, where transparent code
+ // can call a LinkDemand by converting it to a full demand, public critical methods are implicitly
+ // treat as safe, and the remainder of the v2.0 rules apply.
+ [AttributeUsage(AttributeTargets.Assembly, AllowMultiple = false)]
+ public sealed class SecurityRulesAttribute : Attribute
+ {
+ public SecurityRulesAttribute(SecurityRuleSet ruleSet)
+ {
+ RuleSet = ruleSet;
+ }
+
+ // Should fully trusted transparent code skip IL verification
+ public bool SkipVerificationInFullTrust { get; set; }
+
+ public SecurityRuleSet RuleSet { get; }
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/SecuritySafeCriticalAttribute.cs b/src/mscorlib/shared/System/Security/SecuritySafeCriticalAttribute.cs
new file mode 100644
index 0000000000..ee2e4b0499
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecuritySafeCriticalAttribute.cs
@@ -0,0 +1,30 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ // SecuritySafeCriticalAttribute:
+ // Indicates that the code may contain violations to the security critical rules (e.g. transitions from
+ // critical to non-public transparent, transparent to non-public critical, etc.), has been audited for
+ // security concerns and is considered security clean. Also indicates that the code is considered SecurityCritical.
+ // The effect of this attribute is as if the code was marked [SecurityCritical][SecurityTreatAsSafe].
+ // At assembly-scope, all rule checks will be suppressed within the assembly and for calls made against the assembly.
+ // At type-scope, all rule checks will be suppressed for members within the type and for calls made against the type.
+ // At member level (e.g. field and method) the code will be treated as public - i.e. no rule checks for the members.
+
+ [AttributeUsage(AttributeTargets.Class |
+ AttributeTargets.Struct |
+ AttributeTargets.Enum |
+ AttributeTargets.Constructor |
+ AttributeTargets.Method |
+ AttributeTargets.Field |
+ AttributeTargets.Interface |
+ AttributeTargets.Delegate,
+ AllowMultiple = false,
+ Inherited = false)]
+ public sealed class SecuritySafeCriticalAttribute : Attribute
+ {
+ public SecuritySafeCriticalAttribute() { }
+ }
+}
diff --git a/src/mscorlib/shared/System/Security/SecurityTransparentAttribute.cs b/src/mscorlib/shared/System/Security/SecurityTransparentAttribute.cs
new file mode 100644
index 0000000000..03f41387ae
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecurityTransparentAttribute.cs
@@ -0,0 +1,19 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ // SecurityTransparentAttribute:
+ // Indicates the assembly contains only transparent code.
+ // Security critical actions will be restricted or converted into less critical actions. For example,
+ // Assert will be restricted, SuppressUnmanagedCode, LinkDemand, unsafe, and unverifiable code will be converted
+ // into Full-Demands.
+
+ [AttributeUsage(AttributeTargets.Assembly, AllowMultiple = false, Inherited = false)]
+ public sealed class SecurityTransparentAttribute : Attribute
+ {
+ public SecurityTransparentAttribute() { }
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/SecurityTreatAsSafeAttribute.cs b/src/mscorlib/shared/System/Security/SecurityTreatAsSafeAttribute.cs
new file mode 100644
index 0000000000..7a95122bf0
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SecurityTreatAsSafeAttribute.cs
@@ -0,0 +1,32 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ // SecurityTreatAsSafeAttribute:
+ // Indicates that the code may contain violations to the security critical rules (e.g. transitions from
+ // critical to non-public transparent, transparent to non-public critical, etc.), has been audited for
+ // security concerns and is considered security clean.
+ // At assembly-scope, all rule checks will be suppressed within the assembly and for calls made against the assembly.
+ // At type-scope, all rule checks will be suppressed for members within the type and for calls made against the type.
+ // At member level (e.g. field and method) the code will be treated as public - i.e. no rule checks for the members.
+
+ [AttributeUsage(AttributeTargets.Assembly |
+ AttributeTargets.Class |
+ AttributeTargets.Struct |
+ AttributeTargets.Enum |
+ AttributeTargets.Constructor |
+ AttributeTargets.Method |
+ AttributeTargets.Field |
+ AttributeTargets.Interface |
+ AttributeTargets.Delegate,
+ AllowMultiple = false,
+ Inherited = false)]
+ [Obsolete("SecurityTreatAsSafe is only used for .NET 2.0 transparency compatibility. Please use the SecuritySafeCriticalAttribute instead.")]
+ public sealed class SecurityTreatAsSafeAttribute : Attribute
+ {
+ public SecurityTreatAsSafeAttribute() { }
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/SuppressUnmanagedCodeSecurityAttribute.cs b/src/mscorlib/shared/System/Security/SuppressUnmanagedCodeSecurityAttribute.cs
new file mode 100644
index 0000000000..a60b8d3668
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/SuppressUnmanagedCodeSecurityAttribute.cs
@@ -0,0 +1,16 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ // SuppressUnmanagedCodeSecurityAttribute:
+ // Indicates that the target P/Invoke method(s) should skip the per-call
+ // security checked for unmanaged code permission.
+ [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class | AttributeTargets.Interface | AttributeTargets.Delegate, AllowMultiple = true, Inherited = false)]
+ public sealed class SuppressUnmanagedCodeSecurityAttribute : Attribute
+ {
+ public SuppressUnmanagedCodeSecurityAttribute() { }
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/UnverifiableCodeAttribute.cs b/src/mscorlib/shared/System/Security/UnverifiableCodeAttribute.cs
new file mode 100644
index 0000000000..1560b6617b
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/UnverifiableCodeAttribute.cs
@@ -0,0 +1,15 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+namespace System.Security
+{
+ // UnverifiableCodeAttribute:
+ // Indicates that the target module contains unverifiable code.
+ [AttributeUsage(AttributeTargets.Module, AllowMultiple = true, Inherited = false)]
+ public sealed class UnverifiableCodeAttribute : Attribute
+ {
+ public UnverifiableCodeAttribute() { }
+ }
+}
+
diff --git a/src/mscorlib/shared/System/Security/VerificationException.cs b/src/mscorlib/shared/System/Security/VerificationException.cs
new file mode 100644
index 0000000000..9641e1aa46
--- /dev/null
+++ b/src/mscorlib/shared/System/Security/VerificationException.cs
@@ -0,0 +1,35 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System.Runtime.Serialization;
+
+namespace System.Security
+{
+ [Serializable]
+ public class VerificationException : SystemException
+ {
+ public VerificationException()
+ : base(SR.Verification_Exception)
+ {
+ HResult = __HResults.COR_E_VERIFICATION;
+ }
+
+ public VerificationException(string message)
+ : base(message)
+ {
+ HResult = __HResults.COR_E_VERIFICATION;
+ }
+
+ public VerificationException(string message, Exception innerException)
+ : base(message, innerException)
+ {
+ HResult = __HResults.COR_E_VERIFICATION;
+ }
+
+ protected VerificationException(SerializationInfo info, StreamingContext context)
+ : base(info, context)
+ {
+ }
+ }
+}