Key regen and MQTT fix (#4585)

* Add public key regen * Properly label and handle PKI MQTT packets * Extra debug message to indicate PKI_UNKNOWN_PUBKEY * Ternary! * Don't call non-existant function on stm32 * Actually fix STM32 compilation
2025-12-31 15:10:40 +00:00 · 2024-08-29 16:28:03 -05:00
parent 22454c95c7
commit 5bc17a9911
6 changed files with 62 additions and 25 deletions
--- a/src/mesh/CryptoEngine.cpp
+++ b/src/mesh/CryptoEngine.cpp
@@ -11,6 +11,7 @@
 #include <Curve25519.h>
 #include <SHA256.h>
 #if !(MESHTASTIC_EXCLUDE_PKI_KEYGEN)
+
 /**
 * Create a public/private key pair with Curve25519.
 *
@@ -24,6 +25,30 @@ void CryptoEngine::generateKeyPair(uint8_t *pubKey, uint8_t *privKey)
    memcpy(pubKey, public_key, sizeof(public_key));
    memcpy(privKey, private_key, sizeof(private_key));
 }
+
+/**
+ * regenerate a public key with Curve25519.
+ *
+ * @param pubKey The destination for the public key.
+ * @param privKey The source for the private key.
+ */
+bool CryptoEngine::regeneratePublicKey(uint8_t *pubKey, uint8_t *privKey)
+{
+    if (!memfll(privKey, 0, sizeof(private_key))) {
+        Curve25519::eval(pubKey, privKey, 0);
+        if (Curve25519::isWeakPoint(pubKey)) {
+            LOG_ERROR("PKI key generation failed. Specified private key results in a weak\n");
+            memset(pubKey, 0, 32);
+            return false;
+        }
+        memcpy(private_key, privKey, sizeof(private_key));
+        memcpy(public_key, pubKey, sizeof(public_key));
+    } else {
+        LOG_WARN("X25519 key generation failed due to blank private key\n");
+        return false;
+    }
+    return true;
+}
 #endif
 void CryptoEngine::clearKeys()
 {
--- a/src/mesh/CryptoEngine.h
+++ b/src/mesh/CryptoEngine.h
@@ -21,6 +21,7 @@ struct CryptoKey {
 */

 #define MAX_BLOCKSIZE 256
+#define TEST_CURVE25519_FIELD_OPS // Exposes Curve25519::isWeakPoint() for testing keys

 class CryptoEngine
 {
@@ -33,6 +34,8 @@ class CryptoEngine
 #if !(MESHTASTIC_EXCLUDE_PKI)
 #if !(MESHTASTIC_EXCLUDE_PKI_KEYGEN)
    virtual void generateKeyPair(uint8_t *pubKey, uint8_t *privKey);
+    virtual bool regeneratePublicKey(uint8_t *pubKey, uint8_t *privKey);
+
 #endif
    void clearKeys();
    void setDHPrivateKey(uint8_t *_private_key);
--- a/src/mesh/NodeDB.cpp
+++ b/src/mesh/NodeDB.cpp
@@ -139,14 +139,24 @@ NodeDB::NodeDB()
        crypto->setDHPrivateKey(config.security.private_key.bytes);
    } else {
 #if !(MESHTASTIC_EXCLUDE_PKI_KEYGEN)
-        LOG_INFO("Generating new PKI keys\n");
-        crypto->generateKeyPair(config.security.public_key.bytes, config.security.private_key.bytes);
-        config.security.public_key.size = 32;
-        config.security.private_key.size = 32;
-
-        printBytes("New Pubkey", config.security.public_key.bytes, 32);
-        owner.public_key.size = 32;
-        memcpy(owner.public_key.bytes, config.security.public_key.bytes, 32);
+        bool keygenSuccess = false;
+        if (config.security.private_key.size == 32) {
+            LOG_INFO("Calculating PKI Public Key\n");
+            if (crypto->regeneratePublicKey(config.security.public_key.bytes, config.security.private_key.bytes)) {
+                keygenSuccess = true;
+            }
+        } else {
+            LOG_INFO("Generating new PKI keys\n");
+            crypto->generateKeyPair(config.security.public_key.bytes, config.security.private_key.bytes);
+            keygenSuccess = true;
+        }
+        if (keygenSuccess) {
+            config.security.public_key.size = 32;
+            config.security.private_key.size = 32;
+            printBytes("New Pubkey", config.security.public_key.bytes, 32);
+            owner.public_key.size = 32;
+            memcpy(owner.public_key.bytes, config.security.public_key.bytes, 32);
+        }
 #else
        LOG_INFO("No PKI keys set, and generation disabled!\n");
 #endif
--- a/src/mesh/ReliableRouter.cpp
+++ b/src/mesh/ReliableRouter.cpp
@@ -112,7 +112,7 @@ void ReliableRouter::sniffReceived(const meshtastic_MeshPacket *p, const meshtas
                sendAckNak(meshtastic_Routing_Error_NONE, getFrom(p), p->id, p->channel, p->hop_start, p->hop_limit);
            } else if (p->which_payload_variant == meshtastic_MeshPacket_encrypted_tag && p->channel == 0 &&
                       (nodeDB->getMeshNode(p->from) == nullptr || nodeDB->getMeshNode(p->from)->user.public_key.size == 0)) {
-                // This looks like it might be a PKI packet from an unknown node, so send PKI_UNKNOWN_PUBKEY
+                LOG_INFO("This looks like it might be a PKI packet from an unknown node, so send PKI_UNKNOWN_PUBKEY\n");
                sendAckNak(meshtastic_Routing_Error_PKI_UNKNOWN_PUBKEY, getFrom(p), p->id, channels.getPrimaryIndex(),
                           p->hop_start, p->hop_limit);
            } else {