correctly pass counter value
diff --git a/include/picotls.h b/include/picotls.h
index c98a053..eecc56c 100644
--- a/include/picotls.h
+++ b/include/picotls.h
@@ -85,7 +85,7 @@
#define PTLS_AESCCM_INTEGRITY_LIMIT 0xB504F3 /* 2^23.5 */
#define PTLS_CHACHA20_KEY_SIZE 32
-#define PTLS_CHACHA20_IV_SIZE 16
+#define PTLS_CHACHA20_IV_SIZE 16 /* contrary to RFC 7539, follow OpenSSL way of using first 32 bits as ctr and latter 96 as IV */
#define PTLS_CHACHA20POLY1305_IV_SIZE 12
#define PTLS_CHACHA20POLY1305_TAG_SIZE 16
#define PTLS_CHACHA20POLY1305_CONFIDENTIALITY_LIMIT UINT64_MAX /* at least 2^64 */
diff --git a/lib/openssl.c b/lib/openssl.c
index 04cbca8..c509cf0 100644
--- a/lib/openssl.c
+++ b/lib/openssl.c
@@ -1025,8 +1025,9 @@
static void boringssl_chacha20_transform(ptls_cipher_context_t *_ctx, void *output, const void *input, size_t len)
{
struct boringssl_chacha20_context_t *ctx = (struct boringssl_chacha20_context_t *)_ctx;
+ uint32_t ctr = ctx->iv[0] | ((uint32_t)ctx->iv[1] << 8) | ((uint32_t)ctx->iv[2] << 16) | ((uint32_t)ctx->iv[3] << 24);
- CRYPTO_chacha_20(output, input, len, ctx->key, ctx->iv, 0);
+ CRYPTO_chacha_20(output, input, len, ctx->key, ctx->iv + 4, ctr);
}
static int boringssl_chacha20_setup_crypto(ptls_cipher_context_t *_ctx, int is_enc, const void *key)
