===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/cipher-chachapoly.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- src/usr.bin/ssh/cipher-chachapoly.c 2014/06/24 01:13:21 1.5
+++ src/usr.bin/ssh/cipher-chachapoly.c 2014/07/03 12:42:16 1.6
@@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $OpenBSD: cipher-chachapoly.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */ +/* $OpenBSD: cipher-chachapoly.c,v 1.6 2014/07/03 12:42:16 jsing Exp $ */ #include #include /* needed for log.h */
@@ -63,8 +63,6 @@ chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL); chacha_encrypt_bytes(&ctx->main_ctx, poly_key, poly_key, sizeof(poly_key)); - /* Set Chacha's block counter to 1 */ - chacha_ivsetup(&ctx->main_ctx, seqbuf, one); /* If decrypting, check tag before anything else */ if (!do_encrypt) {
@@ -76,11 +74,15 @@ goto out; } } + /* Crypt additional data */ if (aadlen) { chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL); chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen); } + + /* Set Chacha's block counter to 1 */ + chacha_ivsetup(&ctx->main_ctx, seqbuf, one); chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen, dest + aadlen, len);
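Review bot: The comment on the relocated `chacha_ivsetup(&ctx->main_ctx, seqbuf, one)` in the last hunk says what is set but not the invariant it protects. The same `main_ctx` was just run from counter 0 to fill `poly_key` (context of the `-63,8` hunk), so the payload keystream has to start at block 1 or it would overlap the bytes used as the one-time Poly1305 key. Now that the reset sits after the tag check and the AAD pass, I would state that next to it, e.g. `/* Block 0 keyed Poly1305 above; payload keystream must start at block 1 */`, so a later reorder does not drop the call or move it past the payload `chacha_encrypt_bytes()`. On the decrypt failure path (`goto out`) `main_ctx` is now left at whatever counter the key derivation reached; that looks harmless provided every entry re-runs `chacha_ivsetup` before use, which the visible lines suggest but do not show in full. The enclosing function starts and ends outside the hunk.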