From 04a6740cecf236f3cbb5703baffda597db30c067 Mon Sep 17 00:00:00 2001
From: dangfan
Date: Sun, 20 Dec 2020 22:06:46 +0800
Subject: [PATCH] fix broken curve25519 decryption
---
 .../securitytoken/operations/PsoDecryptTokenOp.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/PsoDecryptTokenOp.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/PsoDecryptTokenOp.java
index d0949e5f6..cb7568653 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/PsoDecryptTokenOp.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/securitytoken/operations/PsoDecryptTokenOp.java
@@ -164,9 +164,15 @@ public class PsoDecryptTokenOp {
 */
 byte[] keyEncryptionKey = response.getData();
- int xLen = (keyEncryptionKey.length - 1) / 2;
+ int xLen;
+ boolean isCurve25519 = CryptlibObjectIdentifiers.curvey25519.equals(eckf.getCurveOID());
+ if (isCurve25519) {
+ xLen = keyEncryptionKey.length;
+ } else {
+ xLen = (keyEncryptionKey.length - 1) / 2;
+ }
 final byte[] kekX = new byte[xLen];
- System.arraycopy(keyEncryptionKey, 1, kekX, 0, xLen);
+ System.arraycopy(keyEncryptionKey, isCurve25519 ? 0 : 1, kekX, 0, xLen);
 final byte[] keyEnc = new byte[encryptedSessionKeyMpi[mpiLength + 2]];
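Review bot: The length and shape of `keyEncryptionKey` are never validated before `kekX` is cut from it, in either branch of the new `if (isCurve25519)`. The bytes come back from the token, so in the Curve25519 branch an empty or truncated response is taken as the shared secret as-is, while in the other branch a zero-length response makes `System.arraycopy(keyEncryptionKey, 1, ...)` throw an unchecked index exception and a one-byte response yields an empty `kekX`. I would reject anything unexpected before the copy, for example `keyEncryptionKey.length != 32` for Curve25519 and `keyEncryptionKey.length < 3 || (keyEncryptionKey.length & 1) == 0 || keyEncryptionKey[0] != 0x04` otherwise (presumably the skipped first byte is the uncompressed-point marker), raising whichever exception this method already uses for malformed card responses. The enclosing method starts and ends outside the hunk, so an earlier status check may already cover error responses, but it would not cover a short response that reports success.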