Skip to content

AdminModule: don't return the device private key to remote config reads#11030

Merged
thebentern merged 1 commit into
developfrom
security-config-redact
Jul 16, 2026
Merged

AdminModule: don't return the device private key to remote config reads#11030
thebentern merged 1 commit into
developfrom
security-config-redact

Conversation

@caveman99

@caveman99 caveman99 commented Jul 16, 2026

Copy link
Copy Markdown
Member

A get_config for SECURITY_CONFIG copies config.security straight into the response:

res.get_config_response.payload_variant.security = config.security;

config.security includes private_key, the device identity key used to derive PKC shared
secrets. For a request that arrived over the mesh (from != 0), that response is sent back
over the air, so the private key leaves the device. Only the local owner needs it, and only
for backup.

Zero private_key in the SECURITY_CONFIG response when the request is remote. Local admin
clients (BLE/USB/TCP) set from == 0 and still receive the full config, so the backup/restore
path is unchanged. This mirrors the existing writeSecret() redaction used for
network.wifi_psk a few cases up.

On admin_key: I evaluated redacting it too and left it. Those entries are public keys ("the
public key authorized to send admin messages"), not secret material, and a legitimate remote
admin may want to read the configured admin set. private_key is the only field whose exposure
escalates to identity compromise. Zeroing admin_key for remote would be a one-line addition in
the same block if that trust-set disclosure is judged worth closing.

Tests (test_admin_session_repro): a remote SECURITY_CONFIG response decodes to an empty
private_key; a local (from == 0) response still carries the 32-byte key, so the redaction is
remote-specific rather than a blanket wipe.

Summary by CodeRabbit

  • Security Enhancements
    • Remote security configuration responses no longer include the device identity private key.
    • Local security configuration access continues to include the private key when authorized.
  • Tests
    • Added coverage verifying that sensitive keys are redacted for remote requests and preserved for local requests.

A SECURITY_CONFIG get_config response copied config.security verbatim, so a remote
request was answered with the device identity private_key and sent over the air.
Only the local owner needs it, for backup.

Zero private_key in the SECURITY_CONFIG response when the request is remote
(from != 0); the local BLE/USB/TCP path (from == 0) still receives it. public_key
and admin_key are public and stay as they were.
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 5924e03d-8318-4de3-8aaf-97f3f879da18

📥 Commits

Reviewing files that changed from the base of the PR and between 4308487 and 57a61c7.

📒 Files selected for processing (3)
  • src/modules/AdminModule.cpp
  • test/support/AdminModuleTestShim.h
  • test/test_admin_session_repro/test_main.cpp

📝 Walkthrough

Walkthrough

SECURITY_CONFIG responses now redact the device identity private key for remote admin requests. Test utilities and deterministic tests verify that remote replies omit the key while local replies preserve its 32-byte value.

Changes

Security Config Redaction

Layer / File(s) Summary
Remote private-key redaction
src/modules/AdminModule.cpp
Remote SECURITY_CONFIG responses zero the private-key bytes and set the field size to 0; local responses retain the existing key.
Remote and local response tests
test/support/AdminModuleTestShim.h, test/test_admin_session_repro/test_main.cpp
The test shim exposes queued replies, and tests decode SECURITY_CONFIG responses to verify remote omission and local retention of the private key.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested labels: bugfix

Suggested reviewers: jp-bennett

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change: redacting the device private key from remote config reads.
Description check ✅ Passed The description covers the bug, fix, rationale, and tests, and only misses the repository's checklist-style attestations.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security-config-redact

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@caveman99
caveman99 requested review from NomDeTom, jp-bennett and thebentern and removed request for NomDeTom July 16, 2026 19:44
@github-actions

Copy link
Copy Markdown
Contributor

⚡ Try this PR in the Web Flasher

Note

Building this pull request… the flash button, badges and supported-board
list will appear here automatically once CI finishes.

@thebentern
thebentern merged commit d3d02af into develop Jul 16, 2026
87 of 90 checks passed
@thebentern
thebentern deleted the security-config-redact branch July 17, 2026 00:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants