===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/PROTOCOL.chacha20poly1305,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- src/usr.bin/ssh/PROTOCOL.chacha20poly1305	2013/12/02 02:50:27	1.2
+++ src/usr.bin/ssh/PROTOCOL.chacha20poly1305	2016/05/03 13:10:24	1.3
@@ -34,6 +34,8 @@
 The chacha20-poly1305@openssh.com cipher requires 512 bits of key
 material as output from the SSH key exchange. This forms two 256 bit
 keys (K_1 and K_2), used by two separate instances of chacha20.
+The first 256 bits consitute K_2 and the second 256 bits become
+K_1.
 
 The instance keyed by K_1 is a stream cipher that is used only
 to encrypt the 4 byte packet length field. The second instance,
@@ -101,5 +103,5 @@
 [3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
 
-$OpenBSD: PROTOCOL.chacha20poly1305,v 1.2 2013/12/02 02:50:27 djm Exp $
+$OpenBSD: PROTOCOL.chacha20poly1305,v 1.3 2016/05/03 13:10:24 djm Exp $