Skip to content

[FOLLOW-UP] [ALIGNMENT]: Signed plaintext remote administration in licensed mode #123

Description

@RCGV1

[FOLLOW-UP] [ALIGNMENT]: Signed plaintext remote administration in licensed mode

Goal

Allow authenticated remote administration between licensed/ham-mode nodes while keeping every request, response, and mutation plaintext on air.

This follows the existing receive-policy work in #121 and authenticated plaintext licensed traffic in #122. It reuses the current XEdDSA signature, identity key, security.admin_key[] authorization list, and AdminModule session-passkey flow. It does not introduce an authentication version, signature tuple, certificate system, encrypted admin channel, or new wire message.

Signed plaintext direct messages are already covered by meshtastic/firmware#10969. This issue is specifically the higher-risk remote-administration authorization boundary.

Authorization rule

A remote Admin request or mutation is eligible only when all of these are true:

  1. The receiving node is in licensed mode.
  2. The decoded packet is ADMIN_APP, directed unicast, and addressed to the receiving node.
  3. Router has successfully verified the existing XEdDSA signature.
  4. The exact public key used for that verification is 32 bytes and matches one populated security.admin_key[0..2] entry.
  5. Mutations pass the existing AdminModule session-passkey check.

Unsigned, oversized-unsigned, malformed, invalid, unverifiable, broadcast, wrong-destination, or non-allowlisted Admin packets fail closed. A node number, callsign, serialized xeddsa_signed flag, or serialized public_key field never authorizes administration.

Normal mode retains its existing PKI/admin-channel authorization behavior and must not gain a signed-plaintext fallback.

Verified-key handoff

Router should carry the exact public key used during successful XEdDSA verification to AdminModule as transient authenticated packet state. AdminModule must not trust inbound serialized authentication metadata or re-read a potentially changed NodeDB key after verification.

Key discovery remains separate from authorization: the administrator and target must first exchange a verified signed NodeInfo (or retain the key in warm storage). admin_key[] authorizes an already-known signer; it does not become a new bootstrap or certificate mechanism.

Requests, responses, and replay

  • Licensed Admin requests, session requests, mutations, and replies remain plaintext and are signed when they fit.
  • Licensed remote responses must also have a Router-verified signature and be directed unicast.
  • A response sender is not checked against the receiver's local admin_key[]; that allowlist applies to administrators of the target, not targets replying to an administrator.
  • The existing weak response-correlation behavior remains documented unless outstanding (remote node, request id) tracking is added without changing the wire format.
  • The current signature tuple does not include to. The target-specific session challenge limits mutation redirection, but signatures alone do not provide permanent replay protection.

Session initialization correction

AdminModule currently initializes the session passkey buffer and timestamp to zero. During the first several minutes after boot, an eight-zero passkey can satisfy the existing comparison before any session was generated. Add explicit session-initialized state; checking only session_time != 0 is insufficient because generation can occur during uptime second zero.

Reboot must invalidate all session state. Mutations require a generated, unexpired session passkey even when the packet signature is valid.

Ingress and clients

  • Decoded/plaintext MQTT Admin injection remains rejected.
  • Binary ingress that traverses the ordinary Router verification path may qualify under the same rule.
  • Clients must send licensed remote-admin traffic with pki_encrypted=false; explicit PKI requests continue failing in licensed mode.
  • Client shield/lock semantics remain accurate: verified-signature shield, never encrypted-PKI lock.

Acceptance criteria

  • Authorized signed plaintext Admin getters and session requests work between licensed nodes.
  • Authorized mutations require both allowlisted verified signer key and a generated, current session passkey.
  • Zero, missing, stale, and replayed session values fail as specified; reboot invalidates the session.
  • Unauthorized key, unknown key, unsigned, invalid, malformed, oversized-unsigned, broadcast, and wrong-destination Admin traffic is rejected before mutation.
  • Responses are plaintext, directed, and signed; unsigned licensed responses are rejected.
  • First-contact occurs through the existing signed NodeInfo identity-binding path from [PARENT] [ALIGNMENT]: Configurable packet authenticity policy #121, not a new Admin bootstrap.
  • Normal-mode PKI remote administration is unchanged.
  • Decoded MQTT Admin remains blocked; binary ingress uses the normal verification gate.
  • Tests cover hot and warm key lookup, mode transitions, request/response, session lifetime, ingress variants, and negative cases.
  • Draft PRs remain unmerged until two-radio RF capture proves readable plaintext requests/replies, cross-device signature verification, reboot/session behavior, and absence of PKI/PSK encryption.

Operators remain responsible for their licence conditions, jurisdiction, permitted modes, and station-identification requirements.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions