- jsing@cvs.openbsd.org 2014/07/03 12:42:16
     [cipher-chachapoly.c]
     Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
     makes it easier to verify that chacha_encrypt_bytes() is only called once
     per chacha_ivsetup() call.
     ok djm@
diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c
index 0caccd2..8665b41 100644
--- a/cipher-chachapoly.c
+++ b/cipher-chachapoly.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: cipher-chachapoly.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: cipher-chachapoly.c,v 1.6 2014/07/03 12:42:16 jsing Exp $ */
 
 #include "includes.h"
 
@@ -65,8 +65,6 @@
 	chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
 	chacha_encrypt_bytes(&ctx->main_ctx,
 	    poly_key, poly_key, sizeof(poly_key));
-	/* Set Chacha's block counter to 1 */
-	chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
 
 	/* If decrypting, check tag before anything else */
 	if (!do_encrypt) {
@@ -78,11 +76,15 @@
 			goto out;
 		}
 	}
+
 	/* Crypt additional data */
 	if (aadlen) {
 		chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
 		chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
 	}
+
+	/* Set Chacha's block counter to 1 */
+	chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
 	chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
 	    dest + aadlen, len);
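Review bot: The relocated comment `/* Set Chacha's block counter to 1 */` says what the call does but not why, and the why is the invariant this commit is trying to make easy to check. Block 0 of the `main_ctx` keystream is consumed earlier in the function to fill `poly_key`, so the payload has to start at counter 1 or that keystream would be reused under the same key and `seqbuf` nonce. I would word it as `/* Payload starts at block 1: block 0 of main_ctx keystream was spent on poly_key above */`, so a later edit that moves or drops the call reads as a keystream-reuse risk rather than as tidying. The enclosing function begins and ends outside this hunk, so anything between the `poly_key` derivation and this point that touches `main_ctx` should be confirmed against the full file.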