BIP324 mentions K1 is used for the associated data and K2 is used for
the payload. The code does the opposite. This is not a security problem
but will be a problem across implementations based on the HKDF key
derivations.
This is a backport of core#22331 and core#23271
Note: this implementation is unused in the current codebase, outside of unit tests, and will be scrapped and replaced in core#28008. I'm only backporting this fix to avoid a test failure in another pre-28008 ChaCha20 backport (core#26153). It makes reviews and merge conflicts simpler to backport this in the right order.