mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
protocomm: Added option to enable/disable supported security versions.
This commit is contained in:
parent
15531e1023
commit
6222d43984
@ -143,20 +143,35 @@ esp_err_t esp_local_ctrl_start(const esp_local_ctrl_config_t *config)
|
||||
return ret;
|
||||
}
|
||||
|
||||
protocomm_security_t *proto_sec_handle;
|
||||
protocomm_security_t *proto_sec_handle = NULL;
|
||||
switch (local_ctrl_inst_ctx->config.proto_sec.version) {
|
||||
case PROTOCOM_SEC_CUSTOM:
|
||||
proto_sec_handle = local_ctrl_inst_ctx->config.proto_sec.custom_handle;
|
||||
break;
|
||||
case PROTOCOM_SEC1:
|
||||
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
|
||||
proto_sec_handle = (protocomm_security_t *) &protocomm_security1;
|
||||
#else
|
||||
// Enable SECURITY_VERSION_1 in Protocomm configuration menu
|
||||
return ESP_ERR_NOT_SUPPORTED;
|
||||
#endif
|
||||
break;
|
||||
case PROTOCOM_SEC2:
|
||||
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
|
||||
proto_sec_handle = (protocomm_security_t *) &protocomm_security2;
|
||||
break;
|
||||
#else
|
||||
// Enable SECURITY_VERSION_2 in Protocomm configuration menu
|
||||
return ESP_ERR_NOT_SUPPORTED;
|
||||
#endif
|
||||
case PROTOCOM_SEC0:
|
||||
default:
|
||||
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
|
||||
proto_sec_handle = (protocomm_security_t *) &protocomm_security0;
|
||||
#else
|
||||
// Enable SECURITY_VERSION_0 in Protocomm configuration menu
|
||||
return ESP_ERR_NOT_SUPPORTED;
|
||||
#endif
|
||||
break;
|
||||
}
|
||||
ret = protocomm_set_security(local_ctrl_inst_ctx->pc, "esp_local_ctrl/session",
|
||||
|
@ -4,18 +4,30 @@ set(include_dirs include/common
|
||||
set(priv_include_dirs proto-c src/common src/crypto/srp6a/include)
|
||||
set(srcs
|
||||
"src/common/protocomm.c"
|
||||
"src/security/security0.c"
|
||||
"src/security/security1.c"
|
||||
"src/security/security2.c"
|
||||
"proto-c/constants.pb-c.c"
|
||||
"proto-c/sec0.pb-c.c"
|
||||
"proto-c/sec1.pb-c.c"
|
||||
"proto-c/sec2.pb-c.c"
|
||||
"proto-c/session.pb-c.c"
|
||||
"src/transports/protocomm_console.c"
|
||||
"src/transports/protocomm_httpd.c"
|
||||
"src/crypto/srp6a/esp_srp.c"
|
||||
"src/crypto/srp6a/esp_srp_mpi.c")
|
||||
"src/transports/protocomm_httpd.c")
|
||||
|
||||
if(CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0)
|
||||
list(APPEND srcs
|
||||
"src/security/security0.c")
|
||||
endif()
|
||||
|
||||
if(CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1)
|
||||
list(APPEND srcs
|
||||
"src/security/security1.c")
|
||||
endif()
|
||||
|
||||
if(CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2)
|
||||
list(APPEND srcs
|
||||
"src/security/security2.c"
|
||||
"src/crypto/srp6a/esp_srp.c"
|
||||
"src/crypto/srp6a/esp_srp_mpi.c")
|
||||
endif()
|
||||
|
||||
if(CONFIG_BT_ENABLED)
|
||||
if(CONFIG_BT_BLUEDROID_ENABLED)
|
||||
|
29
components/protocomm/Kconfig
Normal file
29
components/protocomm/Kconfig
Normal file
@ -0,0 +1,29 @@
|
||||
menu "Protocomm"
|
||||
|
||||
config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
|
||||
bool "Support protocomm security version 0 (no security)"
|
||||
default y
|
||||
help
|
||||
Enable support of security version 0.
|
||||
Disabling this option saves some code size.
|
||||
Consult the Enabling protocomm security version section of the
|
||||
Protocomm documentation in ESP-IDF Programming guide for more details.
|
||||
|
||||
config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
|
||||
bool "Support protocomm security version 1 (Curve25519 key exchange + AES-CTR encryption/decryption)"
|
||||
default y
|
||||
help
|
||||
Enable support of security version 1.
|
||||
Disabling this option saves some code size.
|
||||
Consult the Enabling protocomm security version section of the
|
||||
Protocomm documentation in ESP-IDF Programming guide for more details.
|
||||
|
||||
config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
|
||||
bool "Support protocomm security version 2 (SRP6a-based key exchange + AES-GCM encryption/decryption)"
|
||||
default n
|
||||
help
|
||||
Enable support of security version 2.
|
||||
Disabling this option saves some code size.
|
||||
Consult the Enabling protocomm security version section of the
|
||||
Protocomm documentation in ESP-IDF Programming guide for more details.
|
||||
endmenu
|
@ -1,16 +1,8 @@
|
||||
// Copyright 2018 Espressif Systems (Shanghai) PTE LTD
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
#pragma once
|
||||
|
||||
@ -20,6 +12,7 @@
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#if CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
|
||||
/**
|
||||
* @brief Protocomm security version 0 implementation
|
||||
*
|
||||
@ -27,6 +20,7 @@ extern "C" {
|
||||
* security is required for the protocomm instance
|
||||
*/
|
||||
extern const protocomm_security_t protocomm_security0;
|
||||
#endif
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
@ -1,16 +1,8 @@
|
||||
// Copyright 2018 Espressif Systems (Shanghai) PTE LTD
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
#pragma once
|
||||
|
||||
@ -20,6 +12,7 @@
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#if CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
|
||||
/**
|
||||
* @brief Protocomm security version 1 implementation
|
||||
*
|
||||
@ -27,6 +20,7 @@ extern "C" {
|
||||
* Curve25519 key exchange and AES-256-CTR encryption
|
||||
*/
|
||||
extern const protocomm_security_t protocomm_security1;
|
||||
#endif
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
@ -12,6 +12,7 @@
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
#if CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
|
||||
/**
|
||||
* @brief Protocomm security version 2 implementation
|
||||
*
|
||||
@ -20,6 +21,7 @@ extern "C" {
|
||||
* and AES-GCM encryption/decryption
|
||||
*/
|
||||
extern const protocomm_security_t protocomm_security2;
|
||||
#endif
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
@ -307,14 +307,29 @@ static esp_err_t wifi_prov_mgr_start_service(const char *service_name, const cha
|
||||
|
||||
/* Set protocomm security type for endpoint */
|
||||
if (prov_ctx->security == 0) {
|
||||
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
|
||||
ret = protocomm_set_security(prov_ctx->pc, "prov-session",
|
||||
&protocomm_security0, NULL);
|
||||
#else
|
||||
// Enable SECURITY_VERSION_0 in Protocomm configuration menu
|
||||
return ESP_ERR_NOT_SUPPORTED;
|
||||
#endif
|
||||
} else if (prov_ctx->security == 1) {
|
||||
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
|
||||
ret = protocomm_set_security(prov_ctx->pc, "prov-session",
|
||||
&protocomm_security1, prov_ctx->protocomm_sec_params);
|
||||
#else
|
||||
// Enable SECURITY_VERSION_1 in Protocomm configuration menu
|
||||
return ESP_ERR_NOT_SUPPORTED;
|
||||
#endif
|
||||
} else if (prov_ctx->security == 2) {
|
||||
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
|
||||
ret = protocomm_set_security(prov_ctx->pc, "prov-session",
|
||||
&protocomm_security2, prov_ctx->protocomm_sec_params);
|
||||
#else
|
||||
// Enable SECURITY_VERSION_2 in Protocomm configuration menu
|
||||
return ESP_ERR_NOT_SUPPORTED;
|
||||
#endif
|
||||
} else {
|
||||
ESP_LOGE(TAG, "Unsupported protocomm security version %d", prov_ctx->security);
|
||||
ret = ESP_ERR_INVALID_ARG;
|
||||
|
@ -91,9 +91,12 @@ Similarly for HTTPS transport:
|
||||
|
||||
You may set security for transport in ESP local control using following options:
|
||||
|
||||
1. `PROTOCOM_SEC1`: specifies that end to end encryption is used.
|
||||
2. `PROTOCOM_SEC0`: specifies that data will be exchanged as a plain text.
|
||||
3. `PROTOCOM_SEC_CUSTOM`: you can define your own security requirement. Please note that you will also have to provide `custom_handle` of type `protocomm_security_t *` in this context.
|
||||
1. `PROTOCOM_SEC2`: specifies that SRP6a based key exchange and end to end encryption based on AES-GCM is used. This is the most preffered option as it adds a robust security with Augmented PAKE protocol i.e. SRP6a.
|
||||
2. `PROTOCOM_SEC1`: specifies that Curve25519 based key exchange and end to end encryption based on AES-CTR is used.
|
||||
3. `PROTOCOM_SEC0`: specifies that data will be exchanged as a plain text (no security).
|
||||
4. `PROTOCOM_SEC_CUSTOM`: you can define your own security requirement. Please note that you will also have to provide `custom_handle` of type `protocomm_security_t *` in this context.
|
||||
|
||||
.. note:: The respective security schemes need to be enabled through the project configuration menu. Please refer to the Enabling protocom security version section in :doc:`Protocol Communication </api-reference/provisioning/protocomm>` for more details.
|
||||
|
||||
Creating a property
|
||||
-------------------
|
||||
|
@ -19,6 +19,17 @@ Protocomm provides framework for various transports - WiFi (SoftAP+HTTPD), BLE,
|
||||
|
||||
Note that the client still needs to establish session (for protocomm_security1 and protocomm_security2) by performing the two way handshake. See :doc:`provisioning` for more details about the secure handshake logic.
|
||||
|
||||
Enabling protocomm security version
|
||||
-----------------------------------
|
||||
Protocomm component provides project configuration menu to enable/disable support of respective security versions.
|
||||
The respective configuration options can be found as follows:
|
||||
|
||||
* Support protocomm security version 1 (no security): :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0` (this option is enabled by default)
|
||||
* Support protocomm security version 1 (Curve25519 key exchange + AES-CTR encryption/decryption): :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1` (this option is enabled by default)
|
||||
* Support protocomm security version 2 (SRP6a-based key exchange + AES-GCM encryption/decryption): :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2`
|
||||
|
||||
.. note:: Enabling multiple security versions allow to control them dynamically but also increases firmware size.
|
||||
|
||||
Transport Example (SoftAP + HTTP) with Security 2
|
||||
-------------------------------------------------
|
||||
For sample usage, see :component_file:`wifi_provisioning/src/scheme_softap.c`
|
||||
|
@ -107,6 +107,8 @@ At present, unified provisioning supports the following security schemes:
|
||||
b. No Auth (Null PoP) - Shared key derived through key exchange only
|
||||
3. Security2 - SRP6a-based shared key derivation and AES256-GCM mode encryption of the data.
|
||||
|
||||
.. note:: The respective security schemes need to be enabled through the project configuration menu. Please refer to the Enabling protocom security version section in :doc:`protocomm` (Protocol Communication) for more details.
|
||||
|
||||
Security1 Scheme
|
||||
>>>>>>>>>>>>>>>>
|
||||
|
||||
|
@ -24,9 +24,11 @@ menu "Example Configuration"
|
||||
|
||||
config EXAMPLE_PROV_SECURITY_VERSION_1
|
||||
bool "Security version 1"
|
||||
select ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
|
||||
|
||||
config EXAMPLE_PROV_SECURITY_VERSION_2
|
||||
bool "Security version 2"
|
||||
select ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
|
||||
endchoice
|
||||
|
||||
choice EXAMPLE_PROV_MODE
|
||||
|
@ -1070,8 +1070,6 @@ components/nvs_flash/test_nvs_host/test_spi_flash_emulation.cpp
|
||||
components/openthread/include/esp_openthread.h
|
||||
components/openthread/include/esp_openthread_lock.h
|
||||
components/openthread/include/esp_openthread_netif_glue.h
|
||||
components/protocomm/include/security/protocomm_security0.h
|
||||
components/protocomm/include/security/protocomm_security1.h
|
||||
components/protocomm/include/transports/protocomm_console.h
|
||||
components/protocomm/include/transports/protocomm_httpd.h
|
||||
components/protocomm/proto-c/constants.pb-c.c
|
||||
|
Loading…
Reference in New Issue
Block a user