upstream commit

clarify ordering of subkeys; pointed out by ietf-ssh AT stbuehler.de Upstream-ID: 05ebe9f949449a555ebce8e0aad7c8c9acaf8463
author: djm@openbsd.org <djm@openbsd.org> 2016-05-03 13:10:24 +0000
committer: Damien Miller <djm@mindrot.org> 2016-05-04 00:55:21 +1000
commit: 05855bf2ce7d5cd0a6db18bc0b4214ed5ef7516d (patch)
tree: 339bbd3dc536ea026fc9714deaa6642352367a66
parent: cca3b4395807bfb7aaeb83d2838f5c062ce30566 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/PROTOCOL.chacha20poly1305 b/PROTOCOL.chacha20poly1305
index 9cf73a926..4857d3853 100644
--- a/PROTOCOL.chacha20poly1305
+++ b/PROTOCOL.chacha20poly1305
@@ -34,6 +34,8 @@ Detailed Construction
 The chacha20-poly1305@openssh.com cipher requires 512 bits of key
 material as output from the SSH key exchange. This forms two 256 bit
 keys (K_1 and K_2), used by two separate instances of chacha20.
+The first 256 bits consitute K_2 and the second 256 bits become
+K_1.
 The instance keyed by K_1 is a stream cipher that is used only
 to encrypt the 4 byte packet length field. The second instance,
@@ -101,5 +103,5 @@ References
 [3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
    http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
-$OpenBSD: PROTOCOL.chacha20poly1305,v 1.2 2013/12/02 02:50:27 djm Exp $
+$OpenBSD: PROTOCOL.chacha20poly1305,v 1.3 2016/05/03 13:10:24 djm Exp $
author	djm@openbsd.org <djm@openbsd.org>	2016-05-03 13:10:24 +0000
committer	Damien Miller <djm@mindrot.org>	2016-05-04 00:55:21 +1000
commit	05855bf2ce7d5cd0a6db18bc0b4214ed5ef7516d (patch)
tree	339bbd3dc536ea026fc9714deaa6642352367a66
parent	cca3b4395807bfb7aaeb83d2838f5c062ce30566 (diff)