Skip to content

[release/10.0-rc1] [Android] Normalize RSA no-padding output to modulus size to fix VerifyHash #118918

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 9 commits into from
Closed

[release/10.0-rc1] [Android] Normalize RSA no-padding output to modulus size to fix VerifyHash #118918

wants to merge 9 commits into from

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Aug 20, 2025
edited by jeffschwMSFT
Loading

Backport of #118880 to release/10.0-rc1

/cc @simonrozsival

Customer Impact

  • Customer reported
  • Found internally

Certain cryptographic operations (RSA.VerifyData, RSA.VerifyHash) do not work properly on some devices, for example on Samsung phones running Android 15. I am not aware of any report from a customer, but this might be because this issue can be hard to detect, as it only affects some versions of Android.

Regression

  • Yes
  • No

Testing

Manual testing - existing unit tests are now passing on the affected Android devices and emulators (specific OS versions of certain vendors). The issue was missed because it did not reproduce consistently on the android emulators used in our Helix queue. It appears that this is a change in behavior in the platform library caused by an OS update.

Risk

Low. The fix modifies crypto code but the changes are scoped just to Android and they are well tested through unit tests.

/cc @bartonjs @vcsjones @vitek-karas

MichalStrehovsky and others added 9 commits August 16, 2025 00:41
@MichalStrehovsky
Add mechanism to allow CoreLib trimming to leverage whole program ana…
e17146d 
…lysis (#118769)

A couple times in the past I needed a way to say "if X is not part of the program, eliminate the entire basic block". We can do this for allocated types (this is how branches under `is` checks elimination works), but we can't do this for more general "characteristics".

This introduces a mechanism where AOT compiler and CoreLib (or System.Private.* universe in general) can define whole program tags such as "whole program has X in it" and CoreLib can condition code on the presence of this tag.

This is easier shown than described, so I extracted the first use of this into a separate commit. In this commit, we eliminate code that tries looking for `StackTraceHiddenAttribute` if we know the whole program has no `StackTraceHiddenAttribute` in it. With this code eliminated, #118640 can then eliminate all custom attributes on methods, which in turn plays into #118718 and we can eliminate enum boxing even when StackTraceSupport is not set to false (right now #118718 really needs the StackTraceSupport=false to get rid of boxed enums; we get more boxed enums from method attributes).

We have a new node that represents the characteristic. The node can be dropped into the graph wherever needed. ILScanner then uses this to condition parts of the method body on this characteristic node. We need similar logic in the substitution IL provider because we need to guarantee that RyuJIT is not going to see basic blocks we didn't scan. So we treat it as a substitution during codegen phase too.
@jacob-crawley
SVE2 FP APIs (#118332)
ca2a98f 
Contributing towards [#115479](#115479)

Contains implementations for the set of [SVE2 FP APIs](#94018 (comment)), aside from `ConvertToSingleOdd` and `ConvertToSingleOddRoundToOdd`. This is due to concerns I have about the API proposal for these intrinsics being incorrect, when I have a resolution to [my comments](#94018 (comment)) on this they will be implemented.
@MackinnonBuck
Fix Composite ML-DSA OIDs
6edbc50
@elinor-fung
Add more info for StdErrAfter assertion in host tests (#118712)
55b6d64 
The assertion only ended up printing stderr, but it would be useful to have all the information about the command that was run (the exit code, stdout).
@Maoni0
introduce a few configs for DATAS fine tuning (#118762)
fffd8c0 
and if the GCGen0MaxBudget config is specified, always honor it including for DATAS
@jtschuster
Add limit on trim analyzer CFG convergence iterations (#118760)
c270c9e 
With large block counts, the CFG convergence takes a long time and performs a lot of Meets, allocating a new Dictionary for each Value in each block. This adds up to gigabytes of allocations in the process.

Ideally we would fix the performance issue with some optimization, but I'm still working on a proper solution. To fix the issue for .NET 10 in the meantime, we can add a limit to the number of iterations to bail out if we reach an excessively large number of iterations. The largest number of iterations in the runtime build is 2600, so 10,000 seems fairly reasonable. The build time of the project in issue #118121 is around ~20 seconds with 10,000 iterations and ~70 seconds with 20,000.
@agocke
Merge pull request #118812 from agocke/rc1-mopup
2768fd5 
Mop-up commits from the end of the merge window for RC1
@github-actions
[release/10.0-rc1] Introduce size-optimized IListSelect iterator (#11…
e2b61c7 
…8829)

This lets us keep some of the constant-time indexing advantages of the
IList iterator, without the GVM overhead of Select. There is a small
size increase here, but nowhere near the cost of the GVM.

In a pathological generated example for GVMs the cost was:

  1. .NET 9: 12 MB
  2. .NET 10 w/out this change: 2.2 MB
  3. .NET 10 w/ this change: 2.3 MB

In a real-world example (AzureMCP), the size attributed to System.Linq
was:

  1. .NET 9: 1.2 MB
  2. .NET 10 w/out this change: 340 KB
  3. .NET 10 w/ this change: 430 KB

This seems like a good tradeoff. We mostly keep the algorithmic
complexity the same across the size/speed-opt versions, and just
tradeoff on the margins. We could probably continue to improve this in
the future.
@simonrozsival
[Android] Normalize RSA no-padding output to modulus size to fix Veri…
deb788f 
…fyHash
@simonrozsival simonrozsival added area-System.Security Servicing-consider Issue for next servicing release review labels Aug 20, 2025
@simonrozsival simonrozsival modified the milestone: 10.0.0 Aug 20, 2025
jeffschwMSFT
jeffschwMSFT approved these changes Aug 20, 2025
View reviewed changes
Copy link
Member

@jeffschwMSFT jeffschwMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. we will take for consideration in 10 rc1

@simonrozsival simonrozsival changed the base branch from release/10.0-rc1 to release/10.0 August 21, 2025 07:45
@simonrozsival simonrozsival changed the title [release/10.0-rc1] [Android] Normalize RSA no-padding output to modulus size to fix VerifyHash [release/10.0] [Android] Normalize RSA no-padding output to modulus size to fix VerifyHash Aug 21, 2025
@dotnet-policy-service dotnet-policy-service bot added the linkable-framework Issues associated with delivering a linker friendly framework label Aug 21, 2025
@simonrozsival
Copy link
Member

simonrozsival commented Aug 21, 2025

@jeffschwMSFT @bartonjs we agreed to move this to RC2 instead of RC1 so I will close this PR now and open a new one.

@simonrozsival simonrozsival changed the title [release/10.0] [Android] Normalize RSA no-padding output to modulus size to fix VerifyHash [release/10.0-rc1] [Android] Normalize RSA no-padding output to modulus size to fix VerifyHash Aug 21, 2025
@simonrozsival simonrozsival mentioned this pull request Aug 21, 2025
Merged
4 tasks
This was referenced Aug 21, 2025
Open
Open
@MichalStrehovsky MichalStrehovsky deleted the backport/pr-118880-to-release/10.0-rc1 branch August 21, 2025 09:29
@build-analysis build-analysis bot mentioned this pull request Aug 21, 2025
Open
@github-actions github-actions bot locked and limited conversation to collaborators Sep 21, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jeffschwMSFT jeffschwMSFT jeffschwMSFT approved these changes

@bartonjs bartonjs bartonjs approved these changes

@marek-safar marek-safar Awaiting requested review from marek-safar marek-safar is a code owner

@sbomer sbomer Awaiting requested review from sbomer sbomer is a code owner

@MichalStrehovsky MichalStrehovsky Awaiting requested review from MichalStrehovsky MichalStrehovsky is a code owner

Assignees

No one assigned

Labels

area-System.Security linkable-framework Issues associated with delivering a linker friendly framework Servicing-consider Issue for next servicing release review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.