Merge pull request #1457 from oltaco/remote-set-prvkey

Allow set prv.key over LoRa, clear ACL and validate key
2026-04-20 22:13:47 +00:00 · 2026-01-25 14:46:41 +11:00 · 2026-01-25 14:46:41 +11:00 · 153bcdc6a3
commit 153bcdc6a3
parent f46f0d0ed1 96ef5e5efe
13 changed files with 105 additions and 35 deletions
--- a/src/helpers/ClientACL.cpp
+++ b/src/helpers/ClientACL.cpp
@ -11,7 +11,8 @@ static File openWrite(FILESYSTEM* _fs, const char* filename) {
  #endif
 }

-void ClientACL::load(FILESYSTEM* _fs) {
+void ClientACL::load(FILESYSTEM* fs, const mesh::LocalIdentity& self_id) {
+  _fs = fs;
  num_clients = 0;
  if (_fs->exists("/s_contacts")) {
  #if defined(RP2040_PLATFORM)
@ -34,11 +35,12 @@ void ClientACL::load(FILESYSTEM* _fs) {
        success = success && (file.read(unused, 2) == 2);
        success = success && (file.read((uint8_t *)&c.out_path_len, 1) == 1);
        success = success && (file.read(c.out_path, 64) == 64);
-        success = success && (file.read(c.shared_secret, PUB_KEY_SIZE) == PUB_KEY_SIZE);
+        success = success && (file.read(c.shared_secret, PUB_KEY_SIZE) == PUB_KEY_SIZE); // will be recalculated below

        if (!success) break; // EOF

        c.id = mesh::Identity(pub_key);
+        self_id.calcSharedSecret(c.shared_secret, pub_key);  // recalculate shared secrets in case our private key changed
        if (num_clients < MAX_CLIENTS) {
          clients[num_clients++] = c;
        } else {
@ -50,7 +52,8 @@ void ClientACL::load(FILESYSTEM* _fs) {
  }
 }

-void ClientACL::save(FILESYSTEM* _fs, bool (*filter)(ClientInfo*)) {
+void ClientACL::save(FILESYSTEM* fs, bool (*filter)(ClientInfo*)) {
+  _fs = fs;
  File file = openWrite(_fs, "/s_contacts");
  if (file) {
    uint8_t unused[2];
@ -74,6 +77,16 @@ void ClientACL::save(FILESYSTEM* _fs, bool (*filter)(ClientInfo*)) {
  }
 }

+bool ClientACL::clear() {
+  if (!_fs) return false; // no filesystem, nothing to clear
+  if (_fs->exists("/s_contacts")) {
+    _fs->remove("/s_contacts");
+  }
+  memset(clients, 0, sizeof(clients));
+  num_clients = 0;
+  return true;
+}
+
 ClientInfo* ClientACL::getClient(const uint8_t* pubkey, int key_len) {
  for (int i = 0; i < num_clients; i++) {
    if (memcmp(pubkey, clients[i].id.pub_key, key_len) == 0) return &clients[i];  // already known
--- a/src/helpers/ClientACL.h
+++ b/src/helpers/ClientACL.h
@ -36,6 +36,7 @@ struct ClientInfo {
 #endif

 class ClientACL {
+  FILESYSTEM* _fs;
  ClientInfo clients[MAX_CLIENTS];
  int num_clients;

@ -44,8 +45,9 @@ public:
    memset(clients, 0, sizeof(clients));
    num_clients = 0;
  }
-  void load(FILESYSTEM* _fs);
+  void load(FILESYSTEM* _fs, const mesh::LocalIdentity& self_id);
  void save(FILESYSTEM* _fs, bool (*filter)(ClientInfo*)=NULL);
+  bool clear();

  ClientInfo* getClient(const uint8_t* pubkey, int key_len);
  ClientInfo* putClient(const mesh::Identity& id, uint8_t init_perms);
--- a/src/helpers/CommonCLI.cpp
+++ b/src/helpers/CommonCLI.cpp
@ -443,17 +443,18 @@ void CommonCLI::handleCommand(uint32_t sender_timestamp, const char* command, ch
        StrHelper::strncpy(_prefs->guest_password, &config[15], sizeof(_prefs->guest_password));
        savePrefs();
        strcpy(reply, "OK");
-      } else if (sender_timestamp == 0 &&
-                 memcmp(config, "prv.key ", 8) == 0) { // from serial command line only
+      } else if (memcmp(config, "prv.key ", 8) == 0) {
        uint8_t prv_key[PRV_KEY_SIZE];
        bool success = mesh::Utils::fromHex(prv_key, PRV_KEY_SIZE, &config[8]);
-        if (success) {
+        // only allow rekey if key is valid
+        if (success && mesh::LocalIdentity::validatePrivateKey(prv_key)) {
          mesh::LocalIdentity new_id;
          new_id.readFrom(prv_key, PRV_KEY_SIZE);
          _callbacks->saveIdentity(new_id);
-          strcpy(reply, "OK");
+          strcpy(reply, "OK, reboot to apply! New pubkey: ");
+          mesh::Utils::toHex(&reply[33], new_id.pub_key, PUB_KEY_SIZE);
        } else {
-          strcpy(reply, "Error, invalid key");
+          strcpy(reply, "Error, bad key");
        }
      } else if (memcmp(config, "name ", 5) == 0) {
        if (isValidName(&config[5])) {
--- a/src/helpers/CommonCLI.h
+++ b/src/helpers/CommonCLI.h
@ -3,6 +3,7 @@
 #include "Mesh.h"
 #include <helpers/IdentityStore.h>
 #include <helpers/SensorManager.h>
+#include <helpers/ClientACL.h>

 #if defined(WITH_RS232_BRIDGE) || defined(WITH_ESPNOW_BRIDGE)
 #define WITH_BRIDGE
@ -94,6 +95,7 @@ class CommonCLI {
  CommonCLICallbacks* _callbacks;
  mesh::MainBoard* _board;
  SensorManager* _sensors;
+  ClientACL* _acl;
  char tmp[PRV_KEY_SIZE*2 + 4];

  mesh::RTCClock* getRTCClock() { return _rtc; }
@ -101,8 +103,8 @@ class CommonCLI {
  void loadPrefsInt(FILESYSTEM* _fs, const char* filename);

 public:
-  CommonCLI(mesh::MainBoard& board, mesh::RTCClock& rtc, SensorManager& sensors, NodePrefs* prefs, CommonCLICallbacks* callbacks)
-      : _board(&board), _rtc(&rtc), _sensors(&sensors), _prefs(prefs), _callbacks(callbacks) { }
+  CommonCLI(mesh::MainBoard& board, mesh::RTCClock& rtc, SensorManager& sensors, ClientACL& acl, NodePrefs* prefs, CommonCLICallbacks* callbacks)
+      : _board(&board), _rtc(&rtc), _sensors(&sensors), _acl(&acl), _prefs(prefs), _callbacks(callbacks) { }

  void loadPrefs(FILESYSTEM* _fs);
  void savePrefs(FILESYSTEM* _fs);