From 8c3fb2360f154a971d2a390e4937acb22a44a8c2 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 14 Apr 2016 12:16:51 +0200
Subject: [PATCH] agent: Fix regression due to recent commit 4159567.

* agent/protect.c (do_encryption): Fix CBC hashing.
--

The buggy code included an extra closing parenthesis before
the (protected-at) term in the CBC hashing.  We now do it by
explicitly hashing the protected stuff and append the rest of the
expression instead of a fixed closing parenthesis.  Note that the OCB
hashing only differs that it does no include the protected part.

Fixes-commit: 4159567f7ed7a1139fdc3a6c92988e1648ad84ab
Signed-off-by: Werner Koch <wk@gnupg.org>
---
 agent/protect.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/agent/protect.c b/agent/protect.c
index a78d5a5d9..ee08e577c 100644
--- a/agent/protect.c
+++ b/agent/protect.c
@@ -464,9 +464,11 @@ do_encryption (const unsigned char *hashbegin, size_t hashlen,
       rc = gcry_md_open (&md, GCRY_MD_SHA1, 0 );
       if (!rc)
         {
-          gcry_md_write (md, hashbegin, hashlen);
+          gcry_md_write (md, hashbegin, protbegin - hashbegin);
+          gcry_md_write (md, protbegin, protlen);
           gcry_md_write (md, timestamp_exp, timestamp_exp_len);
-          gcry_md_write (md, ")", 1);
+          gcry_md_write (md, protbegin+protlen,
+                         hashlen - (protbegin+protlen - hashbegin));
           memcpy (hashvalue, gcry_md_read (md, GCRY_MD_SHA1), 20);
           gcry_md_close (md);
         }