Crypto.php' line 149 error during Talk App

Nextcloud version: 29.0.7
Talk Server version: 19.0.9

There is a problem when a talk program logs an error message to the user:

Could not post message: Request failed with status code 500

The following error can also be seen in the log:

Exception hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/nextcloud/lib/private/Security/Crypto.php' line 149

More complete details of the log are as follows:

{
  "reqId": "hbHaAbpmiKQYoLxZqWff",
  "level": 3,
  "time": "2024-09-25T19:45:48+03:30",
  "remoteAddr": "212.86.84.121",
  "user": "mammad",
  "app": "no app in context",
  "method": "POST",
  "url": "/ocs/v2.php/apps/spreed/api/v1/chat/ry28mr9x",
  "message": "hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/nextcloud/lib/private/Security/Crypto.php' line 149",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0",
  "version": "29.0.7.1",
  "exception": {
    "Exception": "Exception",
    "Message": "hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/nextcloud/lib/private/Security/Crypto.php' line 149",
    "Code": 0,
    "Trace": [
      {
        "file": "/var/www/nextcloud/lib/private/AppFramework/App.php",
        "line": 184,
        "function": "dispatch",
        "class": "OC\\AppFramework\\Http\\Dispatcher",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/Route/Router.php",
        "line": 331,
        "function": "main",
        "class": "OC\\AppFramework\\App",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/ocs/v1.php",
        "line": 66,
        "function": "match",
        "class": "OC\\Route\\Router",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/ocs/v2.php",
        "line": 23,
        "args": [
          "/var/www/nextcloud/ocs/v1.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
    "Line": 170,
    "Previous": {
      "Exception": "ValueError",
      "Message": "hash_hkdf(): Argument #2 ($key) cannot be empty",
      "Code": 0,
      "Trace": [
        {
          "file": "/var/www/nextcloud/lib/private/Security/Crypto.php",
          "line": 149,
          "function": "hash_hkdf"
        },
        {
          "file": "/var/www/nextcloud/lib/private/Security/Crypto.php",
          "line": 123,
          "function": "decryptWithoutSecret",
          "class": "OC\\Security\\Crypto",
          "type": "->",
          "args": [
            "*** sensitive parameters replaced ***"
          ]
        },
        {
          "file": "/var/www/nextcloud/lib/private/Security/IdentityProof/Manager.php",
          "line": 117,
          "function": "decrypt",
          "class": "OC\\Security\\Crypto",
          "type": "->",
          "args": [
            "*** sensitive parameters replaced ***"
          ]
        },
        {
          "file": "/var/www/nextcloud/lib/private/Security/IdentityProof/Manager.php",
          "line": 133,
          "function": "retrieveKey",
          "class": "OC\\Security\\IdentityProof\\Manager",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/apps/notifications/lib/Push.php",
          "line": 320,
          "function": "getKey",
          "class": "OC\\Security\\IdentityProof\\Manager",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/apps/notifications/lib/Push.php",
          "line": 192,
          "function": "pushToDevice",
          "class": "OCA\\Notifications\\Push",
          "type": "->",
          "args": [
            "*** sensitive parameters replaced ***"
          ]
        },
        {
          "file": "/var/www/nextcloud/apps/notifications/lib/App.php",
          "line": 99,
          "function": "flushPayloads",
          "class": "OCA\\Notifications\\Push",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/lib/private/Notification/Manager.php",
          "line": 276,
          "function": "flush",
          "class": "OCA\\Notifications\\App",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/apps/spreed/lib/Chat/ChatManager.php",
          "line": 399,
          "function": "flush",
          "class": "OC\\Notification\\Manager",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/apps/spreed/lib/Controller/ChatController.php",
          "line": 254,
          "function": "sendMessage",
          "class": "OCA\\Talk\\Chat\\ChatManager",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
          "line": 232,
          "function": "sendMessage",
          "class": "OCA\\Talk\\Controller\\ChatController",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php",
          "line": 138,
          "function": "executeController",
          "class": "OC\\AppFramework\\Http\\Dispatcher",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/lib/private/AppFramework/App.php",
          "line": 184,
          "function": "dispatch",
          "class": "OC\\AppFramework\\Http\\Dispatcher",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/lib/private/Route/Router.php",
          "line": 331,
          "function": "main",
          "class": "OC\\AppFramework\\App",
          "type": "::"
        },
        {
          "file": "/var/www/nextcloud/ocs/v1.php",
          "line": 66,
          "function": "match",
          "class": "OC\\Route\\Router",
          "type": "->"
        },
        {
          "file": "/var/www/nextcloud/ocs/v2.php",
          "line": 23,
          "args": [
            "/var/www/nextcloud/ocs/v1.php"
          ],
          "function": "require_once"
        }
      ],
      "File": "/var/www/nextcloud/lib/private/Security/Crypto.php",
      "Line": 149
    },
    "message": "hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/nextcloud/lib/private/Security/Crypto.php' line 149",
    "exception": [],
    "CustomMessage": "hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/nextcloud/lib/private/Security/Crypto.php' line 149"
  },
  "id": "66f43751a48a7"
}

Thank you for providing a solution for this error

Also, due to the existence of such a problem, sending push notifications on the device is having a problem and is not being sent

hash_hkdf() implements the HMAC-based Key Derivation Function (HKDF) based on a cryptographic hash function. This function is used to derive a more secure key from a given secret key.
In this case it is called with two values:

  1. the hash algorithm ‘sha512’
  2. the password

for the other values the defaults are used.

The secret from config/config.php is used for Argument #2 (the password). Is your secret there or do you no longer have it there for some reason?


ernolf

2 Likes

Apparently, there is no problem with the config.php file and the secret is in it
Current situation:

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "***REMOVED SENSITIVE VALUE***",
        ],

Doesn’t changing the secret solve the problem?
Or is there a way to reset the secret?

1 Like

That output looks like it was generated with

occ config:list -- system

which always produces the output
"secret": "***REMOVED SENSITIVE VALUE***",
even if the value is "", i.e. an empty string.

Have you also checked the content of the secret with

occ config:list --private -- system | grep secret

or simply by looking inside the file config/config.php?


ernolf

In the config.php file, the secret parameter has a value and is not empty, which I cannot complete due to security reasons

<?php
$CONFIG = array (
  'passwordsalt' => 'nTp............/Imi',
  'secret' => 'AsB...........DY+m',

command output: occ config:list --private -- system | grep secret

        "secret": "AsBO.............................VDY+m",
            "jwt_secret": "02tC............3B",

There is no solution for this problem???!!

Changing the secret is a common cause for this error.

I haven’t looked too closely at your particular stack trace so there may be some difference I’m not considering involving Talk (I’m mobile at the moment and not in a good spot to dive into this), but I’m somewhat familiar with the area of code that this is running through on the crypto side.

Have you moved servers or anything like that (even in the past)?

A common cause for problems like this is people moving servers, but only migrating parts of their config rather than the entire config. This results in a secret change, which breaks existing things stored in the database that rely on the secret.

As a (partial) fallback for some old deployments that lacked any secret (really old installations), the code currently tries using an empty secret on the data in question as a last resort. That generates the message you’re seeing, but these days it’s generally not really a sign you have an empty secret… just that your secret doesn’t match what it once was.

1 Like
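
A minimal model of the fallback described in the post above, added here as an illustration; it is not part of the original thread and is not Nextcloud's own code. The function names (`seal`, `openWithSecret`, `openWithFallback`) and the secrets are constructed for the example. It shows why data sealed under one secret and opened under a different, non-empty secret ends in the `hash_hkdf()` "cannot be empty" error: the empty-secret retry throws a `ValueError`, which is not an `Exception` and so replaces the original mismatch error.

```php
<?php
// Simplified model, NOT Nextcloud's Crypto.php: a value is authenticated with
// an HMAC key derived via hash_hkdf('sha512', $secret), and opening it falls
// back to an empty secret as a last resort.

function seal(string $plaintext, string $secret): string {
    $key = hash_hkdf('sha512', $secret);
    return bin2hex($plaintext) . '|' . hash_hmac('sha512', $plaintext, $key);
}

function openWithSecret(string $blob, string $secret): string {
    [$hex, $mac] = explode('|', $blob, 2);
    $plaintext = hex2bin($hex);
    // PHP 8 throws ValueError here when $secret is the empty string.
    $key = hash_hkdf('sha512', $secret);
    if (!hash_equals(hash_hmac('sha512', $plaintext, $key), $mac)) {
        throw new Exception('HMAC does not match.');
    }
    return $plaintext;
}

function openWithFallback(string $blob, string $configuredSecret): string {
    try {
        return openWithSecret($blob, $configuredSecret);
    } catch (Exception $e) {
        // Last-resort retry for legacy data stored when no secret existed.
        // The ValueError raised inside is an Error, not an Exception, so it
        // escapes and hides the real cause (the secret mismatch).
        return openWithSecret($blob, '');
    }
}

// Constructed sample: data stored under 'old-secret', then read back with the
// matching secret and with a changed one.
$stored = seal('device-key', 'old-secret');
foreach (['old-secret', 'new-secret'] as $configured) {
    try {
        echo $configured, ': ', openWithFallback($stored, $configured), PHP_EOL;
    } catch (Throwable $t) {
        echo $configured, ': ', get_class($t), ' - ', $t->getMessage(), PHP_EOL;
    }
}
```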

Maybe the secret was something else before
But as far as I can remember, no changes have been made in it, and even in moving the server, the same old secret was used
Unless this change happened a long time ago.

How to reset the secret for the entire NextCloud? And basically, how can this problem be solved?

It’s possible there’s some other underlying cause. That’s difficult to know without gathering more information.

When did you first notice this problem?

I just noticed it, but I don’t know when it started

This error keeps repeating about every 10 minutes:

 ValueError hash_hkdf(): Argument #2 ($key) cannot be empty
Error while running background job OCA\DAV\BackgroundJob\EventReminderJob (id: 21, arguments: null) 

This error is repeated sometimes
For example, when a message is sent in a conversation

Exception hash_hkdf(): Argument #2 ($key) cannot be empty in file '/var/www/nextcloud/lib/private/Security/Crypto.php' line 149