protocomm: Added option to enable/disable supported security versions.

components/esp_local_ctrl/src/esp_local_ctrl.c

@@ -143,20 +143,35 @@ esp_err_t esp_local_ctrl_start(const esp_local_ctrl_config_t *config)
         return ret;
     }
 
-    protocomm_security_t *proto_sec_handle;
+    protocomm_security_t *proto_sec_handle = NULL;
     switch (local_ctrl_inst_ctx->config.proto_sec.version) {
         case PROTOCOM_SEC_CUSTOM:
             proto_sec_handle = local_ctrl_inst_ctx->config.proto_sec.custom_handle;
             break;
         case PROTOCOM_SEC1:
+#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
             proto_sec_handle = (protocomm_security_t *) &protocomm_security1;
+#else
+            // Enable SECURITY_VERSION_1 in Protocomm configuration menu
+            return ESP_ERR_NOT_SUPPORTED;
+#endif
             break;
         case PROTOCOM_SEC2:
+#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
             proto_sec_handle = (protocomm_security_t *) &protocomm_security2;
             break;
+#else
+            // Enable SECURITY_VERSION_2 in Protocomm configuration menu
+            return ESP_ERR_NOT_SUPPORTED;
+#endif
         case PROTOCOM_SEC0:
         default:
+#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
             proto_sec_handle = (protocomm_security_t *) &protocomm_security0;
+#else
+            // Enable SECURITY_VERSION_0 in Protocomm configuration menu
+            return ESP_ERR_NOT_SUPPORTED;
+#endif
             break;
     }
     ret = protocomm_set_security(local_ctrl_inst_ctx->pc, "esp_local_ctrl/session",

components/protocomm/CMakeLists.txt

@@ -4,18 +4,30 @@ set(include_dirs include/common
 set(priv_include_dirs proto-c src/common src/crypto/srp6a/include)
 set(srcs
     "src/common/protocomm.c"
-    "src/security/security0.c"
-    "src/security/security1.c"
-    "src/security/security2.c"
     "proto-c/constants.pb-c.c"
     "proto-c/sec0.pb-c.c"
     "proto-c/sec1.pb-c.c"
     "proto-c/sec2.pb-c.c"
     "proto-c/session.pb-c.c"
     "src/transports/protocomm_console.c"
-    "src/transports/protocomm_httpd.c"
+    "src/transports/protocomm_httpd.c")
-    "src/crypto/srp6a/esp_srp.c"
+
-    "src/crypto/srp6a/esp_srp_mpi.c")
+if(CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0)
+    list(APPEND srcs
+        "src/security/security0.c")
+endif()
+
+if(CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1)
+    list(APPEND srcs
+        "src/security/security1.c")
+endif()
+
+if(CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2)
+    list(APPEND srcs
+        "src/security/security2.c"
+        "src/crypto/srp6a/esp_srp.c"
+        "src/crypto/srp6a/esp_srp_mpi.c")
+endif()
 
 if(CONFIG_BT_ENABLED)
     if(CONFIG_BT_BLUEDROID_ENABLED)

components/protocomm/Kconfig

@@ -0,0 +1,29 @@
+menu "Protocomm"
+
+    config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
+        bool "Support protocomm security version 0 (no security)"
+        default y
+        help
+            Enable support of security version 0.
+            Disabling this option saves some code size.
+            Consult the Enabling protocomm security version section of the
+            Protocomm documentation in ESP-IDF Programming guide for more details.
+
+    config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
+        bool "Support protocomm security version 1 (Curve25519 key exchange + AES-CTR encryption/decryption)"
+        default y
+        help
+            Enable support of security version 1.
+            Disabling this option saves some code size.
+            Consult the Enabling protocomm security version section of the
+            Protocomm documentation in ESP-IDF Programming guide for more details.
+
+    config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
+        bool "Support protocomm security version 2 (SRP6a-based key exchange + AES-GCM encryption/decryption)"
+        default n
+        help
+            Enable support of security version 2.
+            Disabling this option saves some code size.
+            Consult the Enabling protocomm security version section of the
+            Protocomm documentation in ESP-IDF Programming guide for more details.
+endmenu

components/protocomm/include/security/protocomm_security0.h

@@ -1,16 +1,8 @@
-// Copyright 2018 Espressif Systems (Shanghai) PTE LTD
+/*
-//
+ * SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
-// Licensed under the Apache License, Version 2.0 (the "License");
+ *
-// you may not use this file except in compliance with the License.
+ * SPDX-License-Identifier: Apache-2.0
-// You may obtain a copy of the License at
+ */
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
 
 #pragma once
 
@@ -20,6 +12,7 @@
 extern "C" {
 #endif
 
+#if CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
 /**
  * @brief   Protocomm security version 0 implementation
  *
@@ -27,6 +20,7 @@ extern "C" {
  * security is required for the protocomm instance
  */
 extern const protocomm_security_t protocomm_security0;
+#endif
 
 #ifdef __cplusplus
 }

components/protocomm/include/security/protocomm_security1.h

@@ -1,16 +1,8 @@
-// Copyright 2018 Espressif Systems (Shanghai) PTE LTD
+/*
-//
+ * SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
-// Licensed under the Apache License, Version 2.0 (the "License");
+ *
-// you may not use this file except in compliance with the License.
+ * SPDX-License-Identifier: Apache-2.0
-// You may obtain a copy of the License at
+ */
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
 
 #pragma once
 
@@ -20,6 +12,7 @@
 extern "C" {
 #endif
 
+#if CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
 /**
  * @brief   Protocomm security version 1 implementation
  *
@@ -27,6 +20,7 @@ extern "C" {
  * Curve25519 key exchange and AES-256-CTR encryption
  */
 extern const protocomm_security_t protocomm_security1;
+#endif
 
 #ifdef __cplusplus
 }

components/protocomm/include/security/protocomm_security2.h

@@ -12,6 +12,7 @@
 extern "C" {
 #endif
 
+#if CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
 /**
  * @brief   Protocomm security version 2 implementation
  *
@@ -20,6 +21,7 @@ extern "C" {
  * and AES-GCM encryption/decryption
  */
 extern const protocomm_security_t protocomm_security2;
+#endif
 
 #ifdef __cplusplus
 }

components/wifi_provisioning/src/manager.c

@@ -307,14 +307,29 @@ static esp_err_t wifi_prov_mgr_start_service(const char *service_name, const cha
 
     /* Set protocomm security type for endpoint */
     if (prov_ctx->security == 0) {
+#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
         ret = protocomm_set_security(prov_ctx->pc, "prov-session",
                                      &protocomm_security0, NULL);
+#else
+        // Enable SECURITY_VERSION_0 in Protocomm configuration menu
+        return ESP_ERR_NOT_SUPPORTED;
+#endif
     } else if (prov_ctx->security == 1) {
+#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
         ret = protocomm_set_security(prov_ctx->pc, "prov-session",
                                      &protocomm_security1, prov_ctx->protocomm_sec_params);
+#else
+        // Enable SECURITY_VERSION_1 in Protocomm configuration menu
+        return ESP_ERR_NOT_SUPPORTED;
+#endif
     } else if (prov_ctx->security == 2) {
+#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
         ret = protocomm_set_security(prov_ctx->pc, "prov-session",
                                      &protocomm_security2, prov_ctx->protocomm_sec_params);
+#else
+        // Enable SECURITY_VERSION_2 in Protocomm configuration menu
+        return ESP_ERR_NOT_SUPPORTED;
+#endif
     } else {
         ESP_LOGE(TAG, "Unsupported protocomm security version %d", prov_ctx->security);
         ret = ESP_ERR_INVALID_ARG;

docs/en/api-reference/protocols/esp_local_ctrl.rst

@@ -91,9 +91,12 @@ Similarly for HTTPS transport:
 
 You may set security for transport in ESP local control using following options:
 
-1. `PROTOCOM_SEC1`: specifies that end to end encryption is used.
+1. `PROTOCOM_SEC2`: specifies that SRP6a based key exchange and end to end encryption based on AES-GCM is used. This is the most preffered option as it adds a robust security with Augmented PAKE protocol i.e. SRP6a.
-2. `PROTOCOM_SEC0`: specifies that data will be exchanged as a plain text.
+2. `PROTOCOM_SEC1`: specifies that Curve25519 based key exchange and end to end encryption based on AES-CTR is used.
-3. `PROTOCOM_SEC_CUSTOM`: you can define your own security requirement. Please note that you will also have to provide `custom_handle` of type `protocomm_security_t *` in this context.
+3. `PROTOCOM_SEC0`: specifies that data will be exchanged as a plain text (no security).
+4. `PROTOCOM_SEC_CUSTOM`: you can define your own security requirement. Please note that you will also have to provide `custom_handle` of type `protocomm_security_t *` in this context.
+
+.. note:: The respective security schemes need to be enabled through the project configuration menu. Please refer to the Enabling protocom security version section in :doc:`Protocol Communication </api-reference/provisioning/protocomm>` for more details.
 
 Creating a property
 -------------------

docs/en/api-reference/provisioning/protocomm.rst

@@ -19,6 +19,17 @@ Protocomm provides framework for various transports - WiFi (SoftAP+HTTPD), BLE,
 
 Note that the client still needs to establish session (for protocomm_security1 and protocomm_security2) by performing the two way handshake. See :doc:`provisioning` for more details about the secure handshake logic.
 
+Enabling protocomm security version
+-----------------------------------
+Protocomm component provides project configuration menu to enable/disable support of respective security versions.
+The respective configuration options can be found as follows:
+
+    * Support protocomm security version 1 (no security): :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0` (this option is enabled by default)
+    * Support protocomm security version 1 (Curve25519 key exchange + AES-CTR encryption/decryption): :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1` (this option is enabled by default)
+    * Support protocomm security version 2 (SRP6a-based key exchange + AES-GCM encryption/decryption): :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2`
+
+.. note:: Enabling multiple security versions allow to control them dynamically but also increases firmware size.
+
 Transport Example (SoftAP + HTTP) with Security 2
 -------------------------------------------------
 For sample usage, see :component_file:`wifi_provisioning/src/scheme_softap.c`

docs/en/api-reference/provisioning/provisioning.rst

@@ -107,6 +107,8 @@ At present, unified provisioning supports the following security schemes:
     b. No Auth (Null PoP) - Shared key derived through key exchange only
 3. Security2 - SRP6a-based shared key derivation and AES256-GCM mode encryption of the data.
 
+.. note:: The respective security schemes need to be enabled through the project configuration menu. Please refer to the Enabling protocom security version section in :doc:`protocomm` (Protocol Communication) for more details.
+
 Security1 Scheme
 >>>>>>>>>>>>>>>>
 

examples/provisioning/wifi_prov_mgr/main/Kconfig.projbuild

@@ -24,9 +24,11 @@ menu "Example Configuration"
 
         config EXAMPLE_PROV_SECURITY_VERSION_1
             bool "Security version 1"
+            select ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
 
         config EXAMPLE_PROV_SECURITY_VERSION_2
             bool "Security version 2"
+            select ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
     endchoice
 
     choice EXAMPLE_PROV_MODE

tools/ci/check_copyright_ignore.txt

@@ -1070,8 +1070,6 @@ components/nvs_flash/test_nvs_host/test_spi_flash_emulation.cpp
 components/openthread/include/esp_openthread.h
 components/openthread/include/esp_openthread_lock.h
 components/openthread/include/esp_openthread_netif_glue.h
-components/protocomm/include/security/protocomm_security0.h
-components/protocomm/include/security/protocomm_security1.h
 components/protocomm/include/transports/protocomm_console.h
 components/protocomm/include/transports/protocomm_httpd.h
 components/protocomm/proto-c/constants.pb-c.c