scd: Another fix for Curve25519 prefix handling.

* scd/app-openpgp.c (do_decipher): Check 0x02 also for 16+1 byte long
INDATA.
(do_decipher): Fix integer arithmetic in void pointer.
(do_decipher): Add missing memcpy.
--

I have not tested this fix but it is obvious.

Fixes-commit: 11b2691eddc42e91651e4f95dd2731255a3e9211
Signed-off-by: Werner Koch <[email protected]>

1 files changed, 9 insertions, 6 deletions

diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index ed1bce6b9..f8e14603d 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -4114,10 +4114,12 @@ do_decipher (app_t app, const char *keyidstr,
   if (rc)
     return rc;
 
-  if (indatalen == 16 + 1 || indatalen == 32 + 1
+  if ((indatalen == 16 + 1 || indatalen == 32 + 1)
       && ((char *)indata)[0] == 0x02)
-    /* PSO:DECIPHER with symmetric key.  */
-    padind = -1;
+    {
+      /* PSO:DECIPHER with symmetric key.  */
+      padind = -1;
+    }
   else if (app->app_local->keyattr[1].key_type == KEY_TYPE_RSA)
     {
       /* We might encounter a couple of leading zeroes in the
@@ -4179,7 +4181,7 @@ do_decipher (app_t app, const char *keyidstr,
            * Skip the prefix.  It may be 0x40 (in new format), or MPI
            * head of 0x00 (in old format).
            */
-          indata++;
+          indata = (const char *)indata + 1;
           indatalen--;
         }
 
@@ -4231,9 +4233,10 @@ do_decipher (app_t app, const char *keyidstr,
           xfree (outdata);
           return gpg_error_from_syserror ();
         }
+      fixbuf[0] = 0x40;
+      memcpy (fixbuf+1, *outdata, *outdatalen);
       xfree (outdata);
-      outdata = fixbuf;
-      outdata[0] = 0x40;
+      *outdata = fixbuf;
       *outdatalen = *outdatalen + 1;
     }