invalid iv length during pairing for node 17 #916

Closed
mo22 opened this issue Dec 25, 2021 · 9 comments

mo22 commented Dec 25, 2021

Analysis

Hi,

I get an invalid iv length error since upgrading to node 17.
I've included the args to chacha20_poly1305_decryptAndVerify in the dump as hex.

Seems like the crypto api has changed a little somehow.

node --version
v17.3.0

cat node_modules/hap-nodejs/package.json | jq -r .version
0.9.7

  HAP-NodeJS:HAPServer [17:51:07:F4:BC:8A] Pair step 3/5 +1ms
key d82372e90357c24d16d09e56a23f4880fb5421d6875f044d5af144c141ad57b2
nonce 50532d4d73673035
ciphertext a014c647f66dddf9c8491f3d3612d1350357f4ab4d8eed2c7d100b106658e3993f5999583904cfcbf178bb0b7f2cc14c9544626e893dbd4f2ec3a7244075fe2a8ea8f034fecd61d8d7f4e74c5a5d96eadee7a1c29baadbe4e1d0d0ea37cbcea68c1c52bd928c2db2db67f4987ebba4d610a72811defd33786937013980ed0f15f6365d81bdf3ca8fc5b2
authTag 979ddaf400aba0832529874fbc1af1a9
Error: error:1C80006D:Provider routines::invalid iv length
    at Decipheriv.createCipherBase (node:internal/crypto/cipher:116:19)
    at Decipheriv.createCipherWithIV (node:internal/crypto/cipher:135:3)
    at new Decipheriv (node:internal/crypto/cipher:289:3)
    at Object.createDecipheriv (node:crypto:146:10)
    at Object.chacha20_poly1305_decryptAndVerify (/home/mmoeller/homecontrol/node_modules/hap-nodejs/src/lib/util/hapCrypto.ts:84:32)
    at HAPServer.handlePairSetupM5 (/home/mmoeller/homecontrol/node_modules/hap-nodejs/src/lib/HAPServer.ts:523:29)
    at HAPServer.handlePairSetup (/home/mmoeller/homecontrol/node_modules/hap-nodejs/src/lib/HAPServer.ts:451:12)
    at IncomingMessage.<anonymous> (/home/mmoeller/homecontrol/node_modules/hap-nodejs/src/lib/HAPServer.ts:369:11)
    at IncomingMessage.emit (node:events:402:35)
    at endReadableNT (node:internal/streams/readable:1343:12) {
  library: 'Provider routines',
  reason: 'invalid iv length',
  code: 'ERR_OSSL_INVALID_IV_LENGTH'
}

Expected Behavior

see above

Steps To Reproduce

see above

Logs

see above

Configuration

see above

Environment

see above

Process Supervisor

not applicable

Additional Context

No response

mo22 added the bug label Dec 25, 2021
NorthernMan54 (Contributor) commented

Tks for the report, at this time node 17 is not supported, please downgrade to the LTS version of NodeJS, currently 16.13.1

PS Also reported here - homebridge/homebridge#2999

mo22 (Author) commented Dec 26, 2021

seems to be openssl library related
(node --version and node -p process.versions.openssl)

works on osx/node v17.3.0/openssl 1.1.1m
does not work on raspios/node v17.3.0/openssl 3.0.1+quic

Supereg (Member) commented Dec 27, 2021

Is this a raspberry thing, or is it reproducible on all Linux based distros? If you know by any chance.

mo22 (Author) commented Dec 27, 2021

seems to be all linux based and only related to the installed openssl library. as long as openssl 1.1 (and not openssl 3.0) is installed, it works, unrelated to the node.js version and operating system.

getCipherInfo('chacha20-poly1305') returns an ivLength of 12, whereas the nonce parameter I'm logging is only 8 bytes long, so I guess that is the issue.

Turns out openssl 1.1 accepted shorter IVs and pre-padded them with zeros, openssl 3.0 requires a correct length IV.

Suggested fix:

export function chacha20_poly1305_decryptAndVerify(key: Buffer, nonce: Buffer, aad: Buffer | null, ciphertext: Buffer, authTag: Buffer): Buffer {
  // add this to prefix pad the nonce to 12 bytes
  nonce = Buffer.concat([
    Buffer.alloc(12 - nonce.length, 0),
    nonce
  ]);
  // @ts-ignore types for this are really broken
  const decipher = crypto.createDecipheriv("chacha20-poly1305", key, nonce, { authTagLength: 16 });
  if (aad) {
    decipher.setAAD(aad);
  }
  // set the expected tag, decrypt, and let final() throw if the tag does not verify
  decipher.setAuthTag(authTag);
  const plaintext = decipher.update(ciphertext);
  decipher.final();
  return plaintext;
}
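The behaviour described in the comment above (OpenSSL 1.1 zero-prefixing a short IV, OpenSSL 3.0 requiring the full 12 bytes), as an added example that is not part of the original thread or of hap-nodejs. The function names `normalizeNonce`, `seal`, `open` and `acceptsShortIv` are hypothetical, and the key, AAD and plaintext are constructed; only the 8-byte nonce is taken from the report.

```javascript
// Added example (not hap-nodejs code); all function names are hypothetical.
const crypto = require("node:crypto");

const ALG = "chacha20-poly1305";
const NONCE_LEN = 12; // the 96-bit IV length getCipherInfo reports

// Zero-prefix an 8-byte nonce to 12 bytes, as OpenSSL 1.1 did implicitly.
// Any other length is rejected instead of being padded silently.
function normalizeNonce(nonce) {
  if (nonce.length === NONCE_LEN) return nonce;
  if (nonce.length !== 8) {
    throw new RangeError(`unexpected nonce length: ${nonce.length}`);
  }
  return Buffer.concat([Buffer.alloc(NONCE_LEN - nonce.length, 0), nonce]);
}

function seal(key, nonce, aad, plaintext) {
  const cipher = crypto.createCipheriv(ALG, key, normalizeNonce(nonce), { authTagLength: 16 });
  if (aad) cipher.setAAD(aad);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { ciphertext, authTag: cipher.getAuthTag() };
}

function open(key, nonce, aad, ciphertext, authTag) {
  const decipher = crypto.createDecipheriv(ALG, key, normalizeNonce(nonce), { authTagLength: 16 });
  if (aad) decipher.setAAD(aad);
  decipher.setAuthTag(authTag);
  // final() throws when the Poly1305 tag does not verify.
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

// Runtime check: does the linked OpenSSL still take the raw 8-byte IV?
function acceptsShortIv(key, nonce8) {
  try {
    crypto.createCipheriv(ALG, key, nonce8, { authTagLength: 16 });
    return true;
  } catch (err) {
    return false;
  }
}

const key = Buffer.alloc(32, 7);                       // constructed test key
const nonce8 = Buffer.from("50532d4d73673035", "hex"); // nonce from the report
const aad = Buffer.from("constructed aad");
const sealed = seal(key, nonce8, aad, Buffer.from("constructed plaintext"));
console.log("short IV accepted by this runtime:", acceptsShortIv(key, nonce8));
console.log(open(key, nonce8, aad, sealed.ciphertext, sealed.authTag).toString());
```

The first line printed depends on the OpenSSL version Node was built against; the round trip works on either because the nonce is always normalized to 12 bytes first.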

mo22 (Author) commented Dec 27, 2021

diff --git a/node_modules/hap-nodejs/dist/lib/util/hapCrypto.js b/node_modules/hap-nodejs/dist/lib/util/hapCrypto.js
index cdb308c..e6bdabe 100644
--- a/node_modules/hap-nodejs/dist/lib/util/hapCrypto.js
+++ b/node_modules/hap-nodejs/dist/lib/util/hapCrypto.js
@@ -62,6 +62,10 @@ function layerDecrypt(packet, encryption) {
 }
 exports.layerDecrypt = layerDecrypt;
 function chacha20_poly1305_decryptAndVerify(key, nonce, aad, ciphertext, authTag) {
+    nonce = Buffer.concat([
+        Buffer.alloc(12 - nonce.length, 0),
+        nonce
+    ]);
     // @ts-ignore types for this a really broken
     var decipher = crypto_1.default.createDecipheriv("chacha20-poly1305", key, nonce, { authTagLength: 16 });
     if (aad) {
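Review bot: The size expression `12 - nonce.length` at the top of chacha20_poly1305_decryptAndVerify is unguarded. A nonce longer than 12 bytes makes the size negative, so Buffer.alloc throws with no hint about the cause, and any shorter length (not only the 8 bytes seen in the report) is padded without complaint. Check the length explicitly, pad only the 8-byte case and pass a 12-byte nonce through unchanged. The patch also edits the compiled dist/lib/util/hapCrypto.js under node_modules; the same change belongs in src/lib/util/hapCrypto.ts, the file named in the stack trace, or it is lost on the next install.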
@@ -74,6 +78,10 @@ function chacha20_poly1305_decryptAndVerify(key, nonce, aad, ciphertext, authTag
 }
 exports.chacha20_poly1305_decryptAndVerify = chacha20_poly1305_decryptAndVerify;
 function chacha20_poly1305_encryptAndSeal(key, nonce, aad, plaintext) {
+    nonce = Buffer.concat([
+        Buffer.alloc(12 - nonce.length, 0),
+        nonce
+    ]);
     // @ts-ignore types for this a really broken
     var cipher = crypto_1.default.createCipheriv("chacha20-poly1305", key, nonce, { authTagLength: 16 });
     if (aad) {
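Review bot: The four-line padding block in chacha20_poly1305_encryptAndSeal is a copy of the one added to chacha20_poly1305_decryptAndVerify; move it into one shared helper so the two sides cannot drift apart. On the encrypt side the silent padding matters more, because a caller that passes a wrong-length nonce gets valid-looking ciphertext instead of an error, so the helper should reject any length other than the expected ones.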

Supereg (Member) commented Dec 28, 2021

Thanks for the detailed analysis. Well appreciated.

Also had the gut feeling that they somehow now require the 96 bits iv.

Supereg (Member) commented Dec 28, 2021

The fix is live with 0.9.8-beta.0 (and a corresponding homebridge update). Would be great if you could quickly verify that everything works now.
Will aim for a release tomorrow.

mo22 (Author) commented Dec 28, 2021

Thank you very much! Always happy to help

Supereg (Member) commented Dec 29, 2021

v0.8.9 is released now.
