From bf3219d19737d64a2c59941b478fe19220f81216 Mon Sep 17 00:00:00 2001
From: Elliott Balsley <3991046+llamafilm@users.noreply.github.com>
Date: Sat, 25 Apr 2026 15:37:08 -0700
Subject: [PATCH] fix: improve error message PKI_DECRYPT_FAILED instead of
 NO_CHANNEL

---
 protobufs                               |  2 +-
 src/mesh/ReliableRouter.cpp             | 15 ++++++++++-----
 src/mesh/generated/meshtastic/mesh.pb.h | 10 +++++++---
 3 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/protobufs b/protobufs
index 249a80855a2..06334638da0 160000
--- a/protobufs
+++ b/protobufs
@@ -1 +1 @@
-Subproject commit 249a80855a2adb76fb0904dac8bf6285d45f330f
+Subproject commit 06334638da0b561eb94df89f890cc62f16299249
diff --git a/src/mesh/ReliableRouter.cpp b/src/mesh/ReliableRouter.cpp
index 42c24c783f6..24b4e3a1f48 100644
--- a/src/mesh/ReliableRouter.cpp
+++ b/src/mesh/ReliableRouter.cpp
@@ -114,11 +114,16 @@ void ReliableRouter::sniffReceived(const meshtastic_MeshPacket *p, const meshtas
                         // stop the immediate relayer's retransmissions.
                         sendAckNak(meshtastic_Routing_Error_NONE, getFrom(p), p->id, p->channel, 0);
                     }
-                } else if (p->which_payload_variant == meshtastic_MeshPacket_encrypted_tag && p->channel == 0 &&
-                           (nodeDB->getMeshNode(p->from) == nullptr || nodeDB->getMeshNode(p->from)->user.public_key.size == 0)) {
-                    LOG_INFO("PKI packet from unknown node, send PKI_UNKNOWN_PUBKEY");
-                    sendAckNak(meshtastic_Routing_Error_PKI_UNKNOWN_PUBKEY, getFrom(p), p->id, channels.getPrimaryIndex(),
-                               routingModule->getHopLimitForResponse(*p));
+                } else if (p->which_payload_variant == meshtastic_MeshPacket_encrypted_tag && p->channel == 0) {
+                    if (nodeDB->getMeshNode(p->from) == nullptr || nodeDB->getMeshNode(p->from)->user.public_key.size == 0) {
+                        LOG_INFO("PKI packet from unknown node, send PKI_UNKNOWN_PUBKEY");
+                        sendAckNak(meshtastic_Routing_Error_PKI_UNKNOWN_PUBKEY, getFrom(p), p->id, channels.getPrimaryIndex(),
+                                   routingModule->getHopLimitForResponse(*p));
+                    } else {
+                        LOG_INFO("PKI packet could not be decrypted, send PKI_DECRYPT_FAILED");
+                        sendAckNak(meshtastic_Routing_Error_PKI_DECRYPT_FAILED, getFrom(p), p->id, channels.getPrimaryIndex(),
+                                   routingModule->getHopLimitForResponse(*p));
+                    }
                 } else {
                     // Send a 'NO_CHANNEL' error on the primary channel if want_ack packet destined for us cannot be decoded
                     sendAckNak(meshtastic_Routing_Error_NO_CHANNEL, getFrom(p), p->id, channels.getPrimaryIndex(),
diff --git a/src/mesh/generated/meshtastic/mesh.pb.h b/src/mesh/generated/meshtastic/mesh.pb.h
index f228250303a..903bfa283b2 100644
--- a/src/mesh/generated/meshtastic/mesh.pb.h
+++ b/src/mesh/generated/meshtastic/mesh.pb.h
@@ -501,7 +501,11 @@ typedef enum _meshtastic_Routing_Error {
     meshtastic_Routing_Error_RATE_LIMIT_EXCEEDED = 38,
     /* PKI encryption failed, due to no public key for the remote node
  This is different from PKI_UNKNOWN_PUBKEY which indicates a failure upon receiving a packet */
-    meshtastic_Routing_Error_PKI_SEND_FAIL_PUBLIC_KEY = 39
+    meshtastic_Routing_Error_PKI_SEND_FAIL_PUBLIC_KEY = 39,
+    /* PKI packet could not be decrypted, even though the sender's public key is in NodeDB.
+ Typically happens after the sender rotated keys; may also happen due to RF corruption or
+ builds without PKI support (MESHTASTIC_EXCLUDE_PKI). */
+    meshtastic_Routing_Error_PKI_DECRYPT_FAILED = 40
 } meshtastic_Routing_Error;
 
 /* Enum of message types */
@@ -1431,8 +1435,8 @@ extern "C" {
 #define _meshtastic_Position_AltSource_ARRAYSIZE ((meshtastic_Position_AltSource)(meshtastic_Position_AltSource_ALT_BAROMETRIC+1))
 
 #define _meshtastic_Routing_Error_MIN meshtastic_Routing_Error_NONE
-#define _meshtastic_Routing_Error_MAX meshtastic_Routing_Error_PKI_SEND_FAIL_PUBLIC_KEY
-#define _meshtastic_Routing_Error_ARRAYSIZE ((meshtastic_Routing_Error)(meshtastic_Routing_Error_PKI_SEND_FAIL_PUBLIC_KEY+1))
+#define _meshtastic_Routing_Error_MAX meshtastic_Routing_Error_PKI_DECRYPT_FAILED
+#define _meshtastic_Routing_Error_ARRAYSIZE ((meshtastic_Routing_Error)(meshtastic_Routing_Error_PKI_DECRYPT_FAILED+1))
 
 #define _meshtastic_StoreForwardPlusPlus_SFPP_message_type_MIN meshtastic_StoreForwardPlusPlus_SFPP_message_type_CANON_ANNOUNCE
 #define _meshtastic_StoreForwardPlusPlus_SFPP_message_type_MAX meshtastic_StoreForwardPlusPlus_SFPP_message_type_LINK_PROVIDE_SECONDHALF