
I am currently trying to decrypt OpenSSH packets, which are encrypted using chacha20-poly1305. Until now I can decrypt the packet length and check the MAC (I am using pycryptodome), but when I try to decrypt the payload it only returns garbled output.

I am decrypting the length using:

    from Crypto.Cipher import ChaCha20
    import binascii

    # nonce: the packet sequence number as an 8-byte big-endian integer
    nonce = int(seqnr).to_bytes(8, 'big')
    # K_1 (second half of the 64-byte key) only decrypts the 4-byte length field
    cipher_len = ChaCha20.new(key=key1_hex, nonce=nonce)
    length = cipher_len.decrypt(binascii.a2b_hex(cipher[:8]))

where seqnr is the packet sequence number, key1_hex is the hex representation of the second part of the encryption key and cipher[:8] is the first 4 bytes of the packet.
This works fine!

Now I continued to decrypt using the first part of the encryption key, the same nonce and the payload:

    # K_2 (first half of the key) with the same nonce; this keystream starts at block
    # counter 0, but PROTOCOL.chacha20poly1305 reserves block 0 for the Poly1305 key and
    # encrypts the payload from block counter 1 (see the edit below)
    cipher_chacha = ChaCha20.new(key=key2_hex, nonce=int(seqnr).to_bytes(8, 'big'))
    ciphertext = cipher_chacha.decrypt(binascii.a2b_hex(cipher[8:-32]))

This document from the OpenSSH GitHub site, https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.chacha20poly1305, tells me that I have to use a block counter of 1 for the decryption of the payload. But in the documentation at https://pycryptodome.readthedocs.io/en/latest/src/cipher/chacha20_poly1305.html#chacha20-poly1305 there does not seem to be an option to set the block counter (it seems to start at 0 by default, because the verification of the tag worked for me).
Is this true? Or am I missing something? Until now it does not work, and I am pretty sure it has to be because of the wrong start of the block counter.

Edit: The solution is to call cipher_chacha.seek(64) before decrypting! Then it will start at block counter 1!

JustPlayin
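The packet construction the question describes, as an added worked example that is not part of the original post, of OpenSSH or of pycryptodome: a minimal pure-Python ChaCha20 (the 8-byte-nonce variant OpenSSH uses) and Poly1305, with the framing from PROTOCOL.chacha20poly1305 on top, so the block counters are explicit rather than hidden behind a library. The function names, the 64-byte key `bytes(range(64))`, the body and the sequence number are constructed for the example. It shows why decrypting the body from block counter 0 gives garbage, and that discarding the first 64 keystream bytes (what pycryptodome's `seek(64)` does) is the same as starting at block counter 1.

```python
# Added worked example (not from the original post): chacha20-poly1305@openssh.com framing
# over a minimal pure-Python ChaCha20 and Poly1305. Key, body and seqnr below are constructed.
import hmac
import struct

MASK32 = 0xFFFFFFFF
PACKET_MAX_SIZE = 256 * 1024  # OpenSSH's bound on the (still unauthenticated) length field


def _rotl(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, nonce, counter):
    """One 64-byte block of original ChaCha20 (8-byte nonce, 64-bit counter), as OpenSSH uses it."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("ChaCha20 needs a 32-byte key and an 8-byte nonce")
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += struct.unpack("<2I", struct.pack("<Q", counter))  # words 12-13: block counter
    state += struct.unpack("<2I", nonce)                        # words 14-15: nonce
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 column + diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, counter, data):
    """XOR data with the keystream starting at block `counter`."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, nonce, counter + i // 64)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def poly1305(key32, msg):
    """Poly1305 one-time MAC (RFC 7539 section 2.5); key32 = r || s."""
    r = int.from_bytes(key32[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key32[16:], "little")
    acc, p = 0, (1 << 130) - 5
    for i in range(0, len(msg), 16):
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _split_key(key64):
    # PROTOCOL.chacha20poly1305: first 32 bytes are K_2 (payload), second 32 are K_1 (length)
    return key64[:32], key64[32:]


def openssh_encrypt(key64, seqnr, body):
    """E(K_1, length) || E(K_2, body, from block 1) || Poly1305 tag over both ciphertexts."""
    k2, k1 = _split_key(key64)
    nonce = seqnr.to_bytes(8, "big")
    enc_len = chacha20_xor(k1, nonce, 0, struct.pack(">I", len(body)))
    enc_body = chacha20_xor(k2, nonce, 1, body)            # payload keystream starts at block 1
    poly_key = chacha20_block(k2, nonce, 0)[:32]           # block 0 of the K_2 stream keys Poly1305
    return enc_len + enc_body + poly1305(poly_key, enc_len + enc_body)


def openssh_decrypt(key64, seqnr, packet):
    """Inverse of openssh_encrypt: check the tag first, then return the decrypted body."""
    k2, k1 = _split_key(key64)
    nonce = seqnr.to_bytes(8, "big")
    (length,) = struct.unpack(">I", chacha20_xor(k1, nonce, 0, packet[:4]))
    if length > PACKET_MAX_SIZE or len(packet) != 4 + length + 16:  # length is not yet authenticated
        raise ValueError("bad packet length")
    poly_key = chacha20_block(k2, nonce, 0)[:32]
    if not hmac.compare_digest(poly1305(poly_key, packet[:4 + length]), packet[4 + length:]):
        raise ValueError("bad MAC")
    return chacha20_xor(k2, nonce, 1, packet[4:4 + length])


def decrypt_body_via_seek(key64, seqnr, packet, length):
    """Same result as pycryptodome's cipher.seek(64): run the K_2 stream from block 0 and
    discard its first 64 bytes, so the body lines up with block counter 1."""
    stream = chacha20_xor(_split_key(key64)[0], seqnr.to_bytes(8, "big"), 0, b"\x00" * (64 + length))
    return bytes(x ^ y for x, y in zip(packet[4:4 + length], stream[64:]))


TEST_KEY = bytes(range(64))                           # constructed; real keys come from the SSH KEX
TEST_BODY = bytes([5]) + b"hello, ssh" + b"\x00" * 5  # constructed padding_length || payload || padding
TEST_SEQNR = 3


def demo():
    pkt = openssh_encrypt(TEST_KEY, TEST_SEQNR, TEST_BODY)
    # Starting the body at block 0 instead of 1 reproduces the question's "garbled output".
    wrong = chacha20_xor(TEST_KEY[:32], TEST_SEQNR.to_bytes(8, "big"), 0, pkt[4:4 + len(TEST_BODY)])
    via_seek = decrypt_body_via_seek(TEST_KEY, TEST_SEQNR, pkt, len(TEST_BODY))
    return openssh_decrypt(TEST_KEY, TEST_SEQNR, pkt), wrong, via_seek
```

`openssh_decrypt` bounds the length before anything else because the length field is decrypted before the tag can be checked, and it verifies the tag before decrypting the body. The Poly1305 key is the first 32 bytes of block 0 of the K_2 keystream, the same derivation RFC 7539 uses, which is why a library Poly1305 keyed through ChaCha20 with K_2 and the nonce verifies these tags while a payload decryption that also starts at block 0 does not line up.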