From 2160001167f62454fcedab403c2c7cbca2ea514d Mon Sep 17 00:00:00 2001
From: orignal <i2porignal@yandex.ru>
Date: Mon, 4 Apr 2022 09:58:17 -0400
Subject: [PATCH] correct non for token request and retry encryption

---
 libi2pd/SSU2.cpp | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/libi2pd/SSU2.cpp b/libi2pd/SSU2.cpp
index 23a06094..2abb2d55 100644
--- a/libi2pd/SSU2.cpp
+++ b/libi2pd/SSU2.cpp
@@ -508,7 +508,7 @@ namespace transport
 		uint8_t h[32], payload[40]; 
 		// fill packet
 		header.h.connID = m_DestConnID; // dest id
-		header.h.packetNum = 0;
+		RAND_bytes (header.buf + 8, 4); // random packet num
 		header.h.type = eSSU2TokenRequest;
 		header.h.flags[0] = 2; // ver
 		header.h.flags[1] = (uint8_t)i2p::context.GetNetID (); // netID 
@@ -523,11 +523,13 @@ namespace transport
 		size_t payloadSize = 7;
 		payloadSize += CreatePaddingBlock (payload + payloadSize, 40 - payloadSize, 1);
 		// encrypt
-		const uint8_t nonce[12] = {0};
+		uint8_t nonce[12];
+		CreateNonce (be32toh (header.h.packetNum), nonce);
 		i2p::crypto::AEADChaCha20Poly1305 (payload, payloadSize, h, 32, m_Address->i, nonce, payload, payloadSize + 16, true);
 		payloadSize += 16;
 		header.ll[0] ^= CreateHeaderMask (m_Address->i, payload + (payloadSize - 24));
 		header.ll[1] ^= CreateHeaderMask (m_Address->i, payload + (payloadSize - 12));
+		memset (nonce, 0, 12);
 		i2p::crypto::ChaCha20 (h + 16, 16, m_Address->i, nonce, h + 16);
 		// send
 		m_Server.AddPendingOutgoingSession (shared_from_this ());
@@ -537,12 +539,13 @@ namespace transport
 	void SSU2Session::ProcessTokenRequest (Header& header, uint8_t * buf, size_t len)
 	{
 		// we are Bob
-		const uint8_t nonce[12] = {0};
+		uint8_t nonce[12] = {0};
 		uint8_t h[32];
 		memcpy (h, header.buf, 16);
 		i2p::crypto::ChaCha20 (buf + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, h + 16);
-		memcpy (&m_DestConnID, h, 8); 
+		memcpy (&m_DestConnID, h + 16, 8); 
 		// decrypt
+		CreateNonce (be32toh (header.h.packetNum), nonce);
 		uint8_t * payload = buf + 32;	
 		if (!i2p::crypto::AEADChaCha20Poly1305 (payload, len - 48, h, 32, 
 			i2p::context.GetSSU2IntroKey (), nonce, payload, len - 48, false))
@@ -562,7 +565,7 @@ namespace transport
 		uint8_t h[32], payload[64]; 
 		// fill packet
 		header.h.connID = m_DestConnID; // dest id
-		header.h.packetNum = 0;
+		RAND_bytes (header.buf + 8, 4); // random packet num
 		header.h.type = eSSU2Retry;
 		header.h.flags[0] = 2; // ver
 		header.h.flags[1] = (uint8_t)i2p::context.GetNetID (); // netID 
@@ -579,11 +582,13 @@ namespace transport
 		payloadSize += CreateAddressBlock (m_RemoteEndpoint, payload + payloadSize, 64 - payloadSize);
 		payloadSize += CreatePaddingBlock (payload + payloadSize, 64 - payloadSize);
 		// encrypt
-		const uint8_t nonce[12] = {0};
+		uint8_t nonce[12];
+		CreateNonce (be32toh (header.h.packetNum), nonce);
 		i2p::crypto::AEADChaCha20Poly1305 (payload, payloadSize, h, 32, i2p::context.GetSSU2IntroKey (), nonce, payload, payloadSize + 16, true);
 		payloadSize += 16;
 		header.ll[0] ^= CreateHeaderMask (i2p::context.GetSSU2IntroKey (), payload + (payloadSize - 24));
 		header.ll[1] ^= CreateHeaderMask (i2p::context.GetSSU2IntroKey (), payload + (payloadSize - 12));
+		memset (nonce, 0, 12);
 		i2p::crypto::ChaCha20 (h + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, h + 16);
 		// send
 		m_Server.Send (header.buf, 16, h + 16, 16, payload, payloadSize, m_RemoteEndpoint);