Imported Upstream version 5.16.0.100

Former-commit-id: 38faa55fb9669e35e7d8448b15c25dc447f25767

external/corefx/src/System.Security.Cryptography.ProtectedData/src/System.Security.Cryptography.ProtectedData.csproj

@@ -52,6 +52,7 @@
   </ItemGroup>
   <ItemGroup Condition="'$(TargetGroup)' != 'netfx'">
     <Reference Include="System.Diagnostics.Tools" />
+    <Reference Include="System.Memory" />
     <Reference Include="System.Resources.ResourceManager" />
     <Reference Include="System.Runtime" />
     <Reference Include="System.Runtime.InteropServices" />

external/corefx/src/System.Security.Cryptography.ProtectedData/src/System/Security/Cryptography/ProtectedData.cs

@@ -2,8 +2,6 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 // See the LICENSE file in the project root for more information.
 
-using System;
-using System.Diagnostics;
 using System.Runtime.InteropServices;
 
 using Internal.Cryptography;
@@ -15,6 +13,8 @@ namespace System.Security.Cryptography
 {
     public static partial class ProtectedData
     {
+        private static readonly byte[] s_nonEmpty = new byte[1];
+
         public static byte[] Protect(byte[] userData, byte[] optionalEntropy, DataProtectionScope scope)
         {
             if (userData == null)
@@ -35,7 +35,12 @@ namespace System.Security.Cryptography
         {
             unsafe
             {
-                fixed (byte* pInputData = inputData, pOptionalEntropy = optionalEntropy)
+                // The Win32 API will reject pbData == nullptr, and the fixed statement
+                // maps empty arrays to nullptr... so when the input is empty use the address of a
+                // different array, but still assign cbData to 0.
+                byte[] relevantData = inputData.Length == 0 ? s_nonEmpty : inputData;
+
+                fixed (byte* pInputData = relevantData, pOptionalEntropy = optionalEntropy)
                 {
                     DATA_BLOB userDataBlob = new DATA_BLOB((IntPtr)pInputData, (uint)(inputData.Length));
                     DATA_BLOB optionalEntropyBlob = default(DATA_BLOB);

external/corefx/src/System.Security.Cryptography.ProtectedData/tests/ProtectedDataTests.cs

@@ -33,6 +33,24 @@ namespace System.Security.Cryptography.ProtectedDataTests
             }
         }
 
+        [Theory]
+        [InlineData(DataProtectionScope.CurrentUser, false)]
+        [InlineData(DataProtectionScope.CurrentUser, true)]
+        [InlineData(DataProtectionScope.LocalMachine, false)]
+        [InlineData(DataProtectionScope.LocalMachine, true)]
+        public static void ProtectEmptyData(DataProtectionScope scope, bool useEntropy)
+        {
+            // Use new byte[0] instead of Array.Empty<byte> to prove the implementation
+            // isn't using reference equality
+            byte[] data = new byte[0];
+            byte[] entropy = useEntropy ? new byte[] { 68, 65, 72, 72, 75 } : null;
+            byte[] encrypted = ProtectedData.Protect(data, entropy, scope);
+
+            Assert.NotEqual(data, encrypted);
+            byte[] recovered = ProtectedData.Unprotect(encrypted, entropy, scope);
+            Assert.Equal(data, recovered);
+        }
+
         [Fact]
         public static void NullEntropyEquivalence()
         {