2 files changed, 15 insertions, 3 deletions

diff --git a/ChangeLog b/ChangeLog
index 48f19a385..7db817c09 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+20140704
+ - OpenBSD CVS Sync
+   - jsing@cvs.openbsd.org 2014/07/03 12:42:16
+     [cipher-chachapoly.c]
+     Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
+     makes it easier to verify that chacha_encrypt_bytes() is only called once
+     per chacha_ivsetup() call.
+     ok djm@
+
+
 20140703
  - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
    doesn't support it.
diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c
index 0caccd297..8665b41a3 100644
--- a/cipher-chachapoly.c
+++ b/cipher-chachapoly.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: cipher-chachapoly.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: cipher-chachapoly.c,v 1.6 2014/07/03 12:42:16 jsing Exp $ */
 
 #include "includes.h"
 
@@ -65,8 +65,6 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
         chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
         chacha_encrypt_bytes(&ctx->main_ctx,
             poly_key, poly_key, sizeof(poly_key));
-        /* Set Chacha's block counter to 1 */
-        chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
 
         /* If decrypting, check tag before anything else */
         if (!do_encrypt) {
@@ -78,11 +76,15 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
                         goto out;
                 }
         }
+
         /* Crypt additional data */
         if (aadlen) {
                 chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
                 chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
         }
+
+        /* Set Chacha's block counter to 1 */
+        chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
         chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
             dest + aadlen, len);