feat(security): enforce packet authenticity policies#10967
Conversation
|
@coderabbitai review |
⚡ Try this PR in the Web FlasherNote Building this pull request… the flash button, badges and supported-board |
|
CI label check requires an |
✅ Action performedReview finished.
|
📝 WalkthroughWalkthroughThe PR centralizes packet authenticity decisions, adds configurable XEdDSA receive-policy enforcement, preserves signer state across warm storage, supports opaque relay, gates routing side effects, updates MQTT/UDP ingress handling, and expands packet-signing and MQTT validation coverage. ChangesPacket authenticity policy
Estimated code review effort: 5 (Critical) | ~120 minutes Sequence Diagram(s)sequenceDiagram
participant RadioOrMQTT
participant Router
participant AuthCache
participant RelayOrModule
RadioOrMQTT->>Router: submit packet
Router->>AuthCache: reuse or evaluate routing authentication
AuthCache-->>Router: ACCEPT, REJECT, or OPAQUE_RELAY_ONLY
Router->>RelayOrModule: relay opaque packet or update local routing state
Possibly related issues
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
CI dependency status: the current Native Simulator, WASM, and Docker failures all stop at |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/mesh/Router.h`:
- Around line 178-181: Shorten the API comments near the receive authentication
policy and the related declarations around `Router` to one or two concise lines
each. Retain only the essential contract; remove detailed packet-routing and
policy behavior explanations from the header comments.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 634c2153-5eb0-42bd-97e8-8d8610d3f738
📒 Files selected for processing (19)
src/main.cppsrc/mesh/FloodingRouter.cppsrc/mesh/FloodingRouter.hsrc/mesh/NextHopRouter.cppsrc/mesh/NextHopRouter.hsrc/mesh/NodeDB.cppsrc/mesh/NodeDB.hsrc/mesh/Router.cppsrc/mesh/Router.hsrc/mesh/WarmNodeStore.hsrc/mesh/udp/UdpMulticastHandler.hsrc/modules/AdminModule.cppsrc/modules/NodeInfoModule.cppsrc/mqtt/MQTT.cpptest/test_mqtt/MQTT.cpptest/test_packet_signing/test_main.cppvariants/stm32/CDEBYTE_E77-MBL/platformio.inivariants/stm32/rak3172/platformio.inivariants/stm32/stm32.ini
a2415ec to
82ad09a
Compare
|
@coderabbitai review |
✅ Action performedReview finished.
|
Summary
Adds a device-owned receive policy for Meshtastic's existing XEdDSA and PKI authentication results:
Strict applies across packet types and destinations, including positions, NodeInfo, telemetry, text, routing/control, broadcasts, and unicasts. The policy is enforced before NodeDB/history storage, modules, connected clients, plaintext MQTT, ACK side effects, or rebroadcast of decryptable rejected traffic.
This PR does not add a signature version, change the existing signed tuple, change PKI/AES-CCM bytes, or make the receive policy affect outbound traffic. Licensed/ham plaintext signing is intentionally separate in design#122 / #10966.
Implementation
SecurityConfig.packet_signature_policyand reportsDeviceMetadata.has_xeddsaValidation
trunk checkandgit diff --check: cleand6b12ea3f1fc83afcff63a7fb511d54c52cc871aNo RF/BLE/serial hardware verification has been performed. This PR must remain draft until real-device verification is recorded.
Depends on meshtastic/protobufs#983.
Closes #10963
Design: meshtastic/design#121
Summary by CodeRabbit
New Features
Bug Fixes
Tests
Chores