From 75a40ae10ef9a943e46391a7d7d3cdb6d6137dfc Mon Sep 17 00:00:00 2001
From: Dennis Dyall <dennis.dyall@yubico.com>
Date: Thu, 28 Nov 2024 00:30:16 +0100
Subject: [PATCH] misc: edits to StoreDataCommand and ChannelEncryption

ChannelEncyrption: use Span<byte> instead of byte[]
StoreDataCommand: change order of fields
---
 .../YubiKey/Scp/Commands/StoreDataCommand.cs  |  3 +-
 .../YubiKey/Scp/Helpers/ChannelEncryption.cs  | 37 +++++++++++--------
 2 files changed, 22 insertions(+), 18 deletions(-)

diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/StoreDataCommand.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/StoreDataCommand.cs
index 2b53c626..acc236d1 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/StoreDataCommand.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Commands/StoreDataCommand.cs
@@ -28,11 +28,10 @@ namespace Yubico.YubiKey.Scp.Commands
     /// </remarks>
     internal class StoreDataCommand : IYubiKeyCommand<StoreDataCommandResponse>
     {
+        public YubiKeyApplication Application => YubiKeyApplication.SecurityDomain;
         private const byte GpStoreDataIns = 0xE2;
         private readonly ReadOnlyMemory<byte> _data;
 
-        public YubiKeyApplication Application => YubiKeyApplication.SecurityDomain;
-
         /// <summary>
         /// Initializes a new instance of the <see cref="StoreDataCommand"/> class, with the given data to be stored.
         /// </summary>
diff --git a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelEncryption.cs b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelEncryption.cs
index 23fd8486..671ccb84 100644
--- a/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelEncryption.cs
+++ b/Yubico.YubiKey/src/Yubico/YubiKey/Scp/Helpers/ChannelEncryption.cs
@@ -23,7 +23,7 @@ internal static class ChannelEncryption
         /// <summary>
         /// Encrypts the provided data using AES CBC mode with the given key and encryption counter.
         /// </summary>
-        /// <param name="dataToEncrypt">The data to be encrypted.</param>
+        /// <param name="plainText">The data to be encrypted.</param>
         /// <param name="encryptionKey">The AES key to use for encryption.</param>
         /// <param name="encryptionCounter">
         /// A counter used to generate the initialization vector (IV) for encryption.
@@ -32,20 +32,23 @@ internal static class ChannelEncryption
         /// A <see cref="Memory{T}"/> containing the encrypted data.
         /// </returns>
         public static ReadOnlyMemory<byte> EncryptData(
-            ReadOnlySpan<byte> dataToEncrypt,
+            ReadOnlySpan<byte> plainText,
             ReadOnlySpan<byte> encryptionKey,
             int encryptionCounter)
         {
-            // NB: Could skip this if the payload is empty (rather than sending a 16-byte encrypted '0x800000...' payload
-            byte[] countBytes = new byte[sizeof(int)];
+            Span<byte> countBytes = stackalloc byte[sizeof(int)];
             BinaryPrimitives.WriteInt32BigEndian(countBytes, encryptionCounter);
 
-            byte[] ivInput = new byte[16];
-            countBytes.CopyTo(ivInput, 16 - countBytes.Length); // copy to rightmost part of block
-            var iv = AesUtilities.BlockCipher(encryptionKey, ivInput);
+            Span<byte> ivInput = stackalloc byte[16];
+            int offset = 16 - countBytes.Length;
+            countBytes.CopyTo(ivInput[offset..]);
 
-            var paddedPayload = Padding.PadToBlockSize(dataToEncrypt);
-            var encryptedData = AesUtilities.AesCbcEncrypt(encryptionKey, iv.Span, paddedPayload.Span);
+            var iv = AesUtilities.BlockCipher(encryptionKey, ivInput);
+            var paddedPlaintext = Padding.PadToBlockSize(plainText);
+            var encryptedData = AesUtilities.AesCbcEncrypt(
+                encryptionKey,
+                iv.Span,
+                paddedPlaintext.Span);
 
             return encryptedData;
         }
@@ -53,7 +56,7 @@ public static ReadOnlyMemory<byte> EncryptData(
         /// <summary>
         /// Decrypts the provided data using AES CBC mode with the given key and encryption counter.
         /// </summary>
-        /// <param name="dataToDecrypt">The encrypted data to be decrypted.</param>
+        /// <param name="encryptedData">The encrypted data to be decrypted.</param>
         /// <param name="key">The AES key to use for decryption.</param>
         /// <param name="encryptionCounter">
         /// A counter used to generate the initialization vector (IV) for decryption.
@@ -62,21 +65,23 @@ public static ReadOnlyMemory<byte> EncryptData(
         /// A <see cref="Memory{T}"/> containing the decrypted data with padding removed.
         /// </returns>
         public static ReadOnlyMemory<byte> DecryptData(
-            ReadOnlySpan<byte> dataToDecrypt,
+            ReadOnlySpan<byte> encryptedData,
             ReadOnlySpan<byte> key,
             int encryptionCounter)
         {
-            byte[] countBytes = new byte[sizeof(int)];
+            Span<byte> countBytes = stackalloc byte[sizeof(int)];
             BinaryPrimitives.WriteInt32BigEndian(countBytes, encryptionCounter);
 
-            byte[] ivInput = new byte[16];
-            countBytes.CopyTo(ivInput, 16 - countBytes.Length); // copy to rightmost part of block
+            Span<byte> ivInput = stackalloc byte[16];
+            int offset = 16 - countBytes.Length;
             ivInput[0] = 0x80; // to mark as RMAC calculation
+            countBytes.CopyTo(ivInput[offset..]);
 
             var iv = AesUtilities.BlockCipher(key, ivInput);
-            var decryptedData = AesUtilities.AesCbcDecrypt(key, iv.Span, dataToDecrypt);
+            var decryptedData = AesUtilities.AesCbcDecrypt(key, iv.Span, encryptedData);
 
-            return Padding.RemovePadding(decryptedData.Span);
+            var plainText = Padding.RemovePadding(decryptedData.Span);
+            return plainText;
         }
     }
 }