- jsing@cvs.openbsd.org 2014/07/03 12:42:16

[cipher-chachapoly.c]
     Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
     makes it easier to verify that chacha_encrypt_bytes() is only called once
     per chacha_ivsetup() call.
     ok djm@

ChangeLog

@@ -1,3 +1,13 @@
+20140704
+ - OpenBSD CVS Sync
+   - jsing@cvs.openbsd.org 2014/07/03 12:42:16
+     [cipher-chachapoly.c]
+     Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
+     makes it easier to verify that chacha_encrypt_bytes() is only called once
+     per chacha_ivsetup() call.
+     ok djm@
+
+
 20140703
  - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
    doesn't support it.

cipher-chachapoly.c

@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: cipher-chachapoly.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: cipher-chachapoly.c,v 1.6 2014/07/03 12:42:16 jsing Exp $ */
 
 #include "includes.h"
 
@@ -65,8 +65,6 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
 	chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
 	chacha_encrypt_bytes(&ctx->main_ctx,
 	    poly_key, poly_key, sizeof(poly_key));
-	/* Set Chacha's block counter to 1 */
-	chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
 
 	/* If decrypting, check tag before anything else */
 	if (!do_encrypt) {
@@ -78,11 +76,15 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
 			goto out;
 		}
 	}
+
 	/* Crypt additional data */
 	if (aadlen) {
 		chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
 		chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
 	}
+
+	/* Set Chacha's block counter to 1 */
+	chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
 	chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
 	    dest + aadlen, len);