From ff18283d11c072075d5237256868b53f8b165e0d Mon Sep 17 00:00:00 2001
From: Alex X
Date: Tue, 21 Oct 2025 12:27:38 +0300
Subject: [PATCH] Improve homekit secure conn buffers
---
 pkg/hap/client.go | 4 +++-
 pkg/hap/secure/secure.go | 19 ++++++++-----------
 pkg/hap/server.go | 2 +-
 3 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/pkg/hap/client.go b/pkg/hap/client.go
index 2801dd9f..bde85277 100644
--- a/pkg/hap/client.go
+++ b/pkg/hap/client.go
@@ -216,8 +216,10 @@ func (c *Client) Dial() (err error) {
 return newResponseError(cipherM3, plainM4)
 }
+ rw := bufio.NewReadWriter(c.reader, bufio.NewWriter(c.Conn))
+
 // like tls.Client wrapper over net.Conn
- if c.Conn, err = secure.Client(c.Conn, sessionShared, true); err != nil {
+ if c.Conn, err = secure.Client(c.Conn, rw, sessionShared, true); err != nil {
 return
 }
 // new reader for new conn
diff --git a/pkg/hap/secure/secure.go b/pkg/hap/secure/secure.go
index 576ee127..a42c7dea 100644
--- a/pkg/hap/secure/secure.go
+++ b/pkg/hap/secure/secure.go
@@ -14,9 +14,7 @@ import (
 type Conn struct {
 conn net.Conn
-
- rd *bufio.Reader
- wr *bufio.Writer
+ rw *bufio.ReadWriter
 encryptKey []byte
 decryptKey []byte
@@ -26,7 +24,7 @@ type Conn struct {
 SharedKey []byte
 }
-func Client(conn net.Conn, sharedKey []byte, isClient bool) (net.Conn, error) {
+func Client(conn net.Conn, rw *bufio.ReadWriter, sharedKey []byte, isClient bool) (*Conn, error) {
 key1, err := hkdf.Sha512(sharedKey, "Control-Salt", "Control-Read-Encryption-Key")
 if err != nil {
 return nil, err
@@ -39,8 +37,7 @@ func Client(conn net.Conn, sharedKey []byte, isClient bool) (net.Conn, error) {
 c := &Conn{
 conn: conn,
- rd: bufio.NewReaderSize(conn, 32*1024),
- wr: bufio.NewWriterSize(conn, 32*1024),
+ rw: rw,
 SharedKey: sharedKey,
 }
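Review bot: On the error path the assignment in `Dial` now leaves `c.Conn` holding a non-nil interface wrapped around a nil `*secure.Conn`, because this commit changes `secure.Client` to return `*Conn` instead of `net.Conn`; a later `c.Conn != nil` check would pass and a method call on it would likely panic. Assigning to a typed local first avoids that: `var sc *secure.Conn`, then `if sc, err = secure.Client(c.Conn, rw, sessionShared, true); err != nil { return }`, then `c.Conn = sc`. The same pattern appears in the `PairVerify` hunk in pkg/hap/server.go, where the local `conn` is overwritten. Whether any caller inspects `c.Conn` after a failed `Dial` is not visible here, and `Dial`'s body starts and ends outside the hunk.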
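Review bot: The exported `Client` in pkg/hap/secure/secure.go still has no doc comment, and its contract is less obvious now that the caller supplies `rw` and every frame in `Read` and `Write` goes through it. I would add above the signature something like `// Client wraps conn in the encrypted HAP session layer. rw must read from and write to conn; bytes already buffered in rw are parsed as encrypted frames.` (the first half of that contract is my reading of the two call sites, so please confirm it). A nil `rw` is not rejected in the visible lines and would presumably only surface as a panic on the first Read or Write, so an early `if rw == nil` return is worth considering. The body of `Client` continues outside the hunk.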
@@ -69,14 +66,14 @@ func (c *Conn) Read(b []byte) (n int, err error) {
 }
 verify := make([]byte, 2) // verify = plain message size
- if _, err = io.ReadFull(c.rd, verify); err != nil {
+ if _, err = io.ReadFull(c.rw, verify); err != nil {
 return
 }
 n = int(binary.LittleEndian.Uint16(verify))
 ciphertext := make([]byte, n+Overhead)
- if _, err = io.ReadFull(c.rd, ciphertext); err != nil {
+ if _, err = io.ReadFull(c.rw, ciphertext); err != nil {
 return
 }
@@ -100,7 +97,7 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 }
 binary.LittleEndian.PutUint16(verify, uint16(size))
- if _, err = c.wr.Write(verify); err != nil {
+ if _, err = c.rw.Write(verify); err != nil {
 return
 }
@@ -112,7 +109,7 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 return
 }
- if _, err = c.wr.Write(buf[:size+Overhead]); err != nil {
+ if _, err = c.rw.Write(buf[:size+Overhead]); err != nil {
 return
 }
@@ -120,7 +117,7 @@ func (c *Conn) Write(b []byte) (n int, err error) {
 n += size
 }
- err = c.wr.Flush()
+ err = c.rw.Flush()
 return
 }
diff --git a/pkg/hap/server.go b/pkg/hap/server.go
index a71ab7aa..99c86f6b 100644
--- a/pkg/hap/server.go
+++ b/pkg/hap/server.go
@@ -166,7 +166,7 @@ func (s *Server) PairVerify(req *http.Request, rw *bufio.ReadWriter, conn net.Co
 return err
 }
- if conn, err = secure.Client(conn, sessionShared, false); err != nil {
+ if conn, err = secure.Client(conn, rw, sessionShared, false); err != nil {
 return err
 }
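Review bot: In `Read`, the frame length `n` comes straight from the peer's two-byte header and is used for `make([]byte, n+Overhead)` on the next visible line, with no upper bound applied before the allocation and before the frame is authenticated. The value is capped at 65535 by the `uint16`, so the exposure is limited, but HAP frames carry at most 1024 bytes of plaintext and a larger value indicates a malformed or hostile peer. Rejecting it right after decoding would fail fast, e.g. `if n > <MAX_FRAME_SIZE> { return 0, <ERR_FRAME_TOO_LARGE> }`, where both names are placeholders for whatever limit and error the package already defines (the `Write` hunks suggest it chunks by `size`). `Read`'s body starts and ends outside the hunk.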