From 2226c1b4ca4facbaa452f47e508ade686e2a7e43 Mon Sep 17 00:00:00 2001
From: Peter Woolery
Date: Fri, 1 May 2026 13:19:16 -0700
Subject: [PATCH] fix(tools): validate flash_device.py HMAC secret format before flashing

--hmac-secret accepted any string and passed it through to NVS, silently producing a device that cannot authenticate to the server. Reject anything that isn't exactly 64 hex characters (32 bytes) before generating the NVS image. Auto-generated secrets are validated too as a defensive check.

Found via adversarial review (both reviewers, run 2026-05-01-192928).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 tools/flash_device.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tools/flash_device.py b/tools/flash_device.py
index 7b1018d..f6fee27 100755
--- a/tools/flash_device.py
+++ b/tools/flash_device.py
@@ -15,11 +15,14 @@ Usage:
 """
 import argparse
 import os
+import re
 import secrets
 import subprocess
 import sys
 import tempfile
 
+HMAC_SECRET_RE = re.compile(r"^[0-9a-fA-F]{64}$")
+
 NVS_NAMESPACE = "doorcounter"
 NVS_PARTITION_OFFSET = "0x9000"
 
@@ -63,6 +66,10 @@ def main():
     args = parser.parse_args()
 
     hmac_secret = args.hmac_secret or secrets.token_hex(32)
+    if not HMAC_SECRET_RE.match(hmac_secret):
+        print("Error: --hmac-secret must be exactly 64 hex characters (32 bytes)",
+              file=sys.stderr)
+        sys.exit(1)
     if args.hmac_secret is None:
         print(f"Generated HMAC secret: {hmac_secret}")
         print(" *** SAVE THIS — you need it to register the device on the server ***")
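Review bot: The pattern on the `+HMAC_SECRET_RE = re.compile(r"^[0-9a-fA-F]{64}$")` line is anchored with `$`, which in Python's `re` also matches just before a trailing newline, so a value of 64 hex digits followed by `\n` (for example one read from a file with the line ending intact) passes the `.match()` call in main() and the 65-character string is what goes into the NVS image — the exact "cannot authenticate" outcome the commit message describes. Anchor the end with `\Z` instead, `HMAC_SECRET_RE = re.compile(r"^[0-9a-fA-F]{64}\Z")`, or keep the pattern and call `HMAC_SECRET_RE.fullmatch(hmac_secret)` at the check site, which only accepts the whole string. Whether the server compares the stored secret case-insensitively is not visible here; if it compares the hex string byte-for-byte, either lowercasing before writing or restricting the pattern to one case would avoid a mismatch between an upper-case user-supplied secret and the registered value.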
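Review bot: The new check on the `+    if not HMAC_SECRET_RE.match(hmac_secret):` line never sees an empty `--hmac-secret ""`, because the `or` on the line above replaces any falsy value with a freshly generated token, while the `if args.hmac_secret is None:` branch below still decides not to print it — the device is flashed with a secret the operator never saw, which is the same class of failure this commit sets out to prevent. Selecting explicitly, `hmac_secret = args.hmac_secret if args.hmac_secret is not None else secrets.token_hex(32)`, lets the empty string reach the validation and fail loudly; alternatively make the print condition `if not args.hmac_secret:` so a generated secret is always shown. main() starts before and continues after this hunk.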