authorDhruv Mehta <856960+dhruv@users.noreply.github.com>2021-06-18 13:25:17 -0700
committerDhruv Mehta <856960+dhruv@users.noreply.github.com>2021-06-23 09:46:38 -0700
commitcd37356ff9a1a3c2365c4fe3c716d1ca74185d73 (patch)
tree8790c82f75da46ff8297163f5d59197e8ceac6f7 /src/crypto/chacha_poly_aead.cpp
parent7317e14a44c6efc545e6fb9bcedee7174e93a8fa (diff)
[crypto] Fix K1/K2 use in ChaCha20-Poly1305 AEAD
BIP324 specifies that K1 is used for the associated data and K2 is used for the payload. The code does the opposite. This is not a security problem, but it would cause interoperability problems between implementations that use the HKDF key derivations.
Diffstat (limited to 'src/crypto/chacha_poly_aead.cpp')
-rw-r--r--src/crypto/chacha_poly_aead.cpp5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/crypto/chacha_poly_aead.cpp b/src/crypto/chacha_poly_aead.cpp
index 0582a60c4f..b73b22a2b8 100644
--- a/src/crypto/chacha_poly_aead.cpp
+++ b/src/crypto/chacha_poly_aead.cpp
@@ -31,8 +31,9 @@ ChaCha20Poly1305AEAD::ChaCha20Poly1305AEAD(const unsigned char* K_1, size_t K_1_
{
assert(K_1_len == CHACHA20_POLY1305_AEAD_KEY_LEN);
assert(K_2_len == CHACHA20_POLY1305_AEAD_KEY_LEN);
- m_chacha_main.SetKey(K_1, CHACHA20_POLY1305_AEAD_KEY_LEN);
- m_chacha_header.SetKey(K_2, CHACHA20_POLY1305_AEAD_KEY_LEN);
+
+ m_chacha_header.SetKey(K_1, CHACHA20_POLY1305_AEAD_KEY_LEN);
+ m_chacha_main.SetKey(K_2, CHACHA20_POLY1305_AEAD_KEY_LEN);
// set the cached sequence number to uint64 max which hints for an unset cache.
// we can't hit uint64 max since the rekey rule (which resets the sequence number) is 1GB