alex/esp-idf
alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2024-10-05 20:47:46 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

protocomm: Added option to enable/disable supported security versions.

Browse Source
This commit is contained in:
Aditya Patwardhan 2022-06-15 23:48:01 +05:30 committed by BOT
parent 15531e1023
commit 6222d43984
12 changed files with 115 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
components/esp_local_ctrl/src/esp_local_ctrl.c
View File

@ -143,20 +143,35 @@ esp_err_t esp_local_ctrl_start(const esp_local_ctrl_config_t *config)
return ret;
}
protocomm_security_t *proto_sec_handle;
protocomm_security_t *proto_sec_handle = NULL;
switch (local_ctrl_inst_ctx->config.proto_sec.version) {
case PROTOCOM_SEC_CUSTOM:
proto_sec_handle = local_ctrl_inst_ctx->config.proto_sec.custom_handle;
break;
case PROTOCOM_SEC1:
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
proto_sec_handle = (protocomm_security_t *) &protocomm_security1;
#else
// Enable SECURITY_VERSION_1 in Protocomm configuration menu
return ESP_ERR_NOT_SUPPORTED;
#endif
break;
case PROTOCOM_SEC2:
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
proto_sec_handle = (protocomm_security_t *) &protocomm_security2;
break;
#else
// Enable SECURITY_VERSION_2 in Protocomm configuration menu
return ESP_ERR_NOT_SUPPORTED;
#endif
case PROTOCOM_SEC0:
default:
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
proto_sec_handle = (protocomm_security_t *) &protocomm_security0;
#else
// Enable SECURITY_VERSION_0 in Protocomm configuration menu
return ESP_ERR_NOT_SUPPORTED;
#endif
break;
}
ret = protocomm_set_security(local_ctrl_inst_ctx->pc, "esp_local_ctrl/session",

20
components/protocomm/CMakeLists.txt
View File

@ -4,18 +4,30 @@ set(include_dirs include/common
set(priv_include_dirs proto-c src/common src/crypto/srp6a/include)
set(srcs
"src/common/protocomm.c"
"src/security/security0.c"
"src/security/security1.c"
"src/security/security2.c"
"proto-c/constants.pb-c.c"
"proto-c/sec0.pb-c.c"
"proto-c/sec1.pb-c.c"
"proto-c/sec2.pb-c.c"
"proto-c/session.pb-c.c"
"src/transports/protocomm_console.c"
"src/transports/protocomm_httpd.c"
"src/transports/protocomm_httpd.c")
if(CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0)
list(APPEND srcs
"src/security/security0.c")
endif()
if(CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1)
list(APPEND srcs
"src/security/security1.c")
endif()
if(CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2)
list(APPEND srcs
"src/security/security2.c"
"src/crypto/srp6a/esp_srp.c"
"src/crypto/srp6a/esp_srp_mpi.c")
endif()
if(CONFIG_BT_ENABLED)
if(CONFIG_BT_BLUEDROID_ENABLED)

29
components/protocomm/Kconfig Normal file
View File

@ -0,0 +1,29 @@
menu "Protocomm"
config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
bool "Support protocomm security version 0 (no security)"
default y
help
Enable support of security version 0.
Disabling this option saves some code size.
Consult the Enabling protocomm security version section of the
Protocomm documentation in ESP-IDF Programming guide for more details.
config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
bool "Support protocomm security version 1 (Curve25519 key exchange + AES-CTR encryption/decryption)"
default y
help
Enable support of security version 1.
Disabling this option saves some code size.
Consult the Enabling protocomm security version section of the
Protocomm documentation in ESP-IDF Programming guide for more details.
config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
bool "Support protocomm security version 2 (SRP6a-based key exchange + AES-GCM encryption/decryption)"
default n
help
Enable support of security version 2.
Disabling this option saves some code size.
Consult the Enabling protocomm security version section of the
Protocomm documentation in ESP-IDF Programming guide for more details.
endmenu

20
components/protocomm/include/security/protocomm_security0.h
View File

@ -1,16 +1,8 @@
// Copyright 2018 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
/*
* SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#pragma once
@ -20,6 +12,7 @@
extern "C" {
#endif
#if CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
/**
* @brief Protocomm security version 0 implementation
*
@ -27,6 +20,7 @@ extern "C" {
* security is required for the protocomm instance
*/
extern const protocomm_security_t protocomm_security0;
#endif
#ifdef __cplusplus
}

20
components/protocomm/include/security/protocomm_security1.h
View File

@ -1,16 +1,8 @@
// Copyright 2018 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
/*
* SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#pragma once
@ -20,6 +12,7 @@
extern "C" {
#endif
#if CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
/**
* @brief Protocomm security version 1 implementation
*
@ -27,6 +20,7 @@ extern "C" {
* Curve25519 key exchange and AES-256-CTR encryption
*/
extern const protocomm_security_t protocomm_security1;
#endif
#ifdef __cplusplus
}

2
components/protocomm/include/security/protocomm_security2.h
View File

@ -12,6 +12,7 @@
extern "C" {
#endif
#if CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
/**
* @brief Protocomm security version 2 implementation
*
@ -20,6 +21,7 @@ extern "C" {
* and AES-GCM encryption/decryption
*/
extern const protocomm_security_t protocomm_security2;
#endif
#ifdef __cplusplus
}

15
components/wifi_provisioning/src/manager.c
View File

@ -307,14 +307,29 @@ static esp_err_t wifi_prov_mgr_start_service(const char *service_name, const cha
/* Set protocomm security type for endpoint */
if (prov_ctx->security == 0) {
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
ret = protocomm_set_security(prov_ctx->pc, "prov-session",
&protocomm_security0, NULL);
#else
// Enable SECURITY_VERSION_0 in Protocomm configuration menu
return ESP_ERR_NOT_SUPPORTED;
#endif
} else if (prov_ctx->security == 1) {
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
ret = protocomm_set_security(prov_ctx->pc, "prov-session",
&protocomm_security1, prov_ctx->protocomm_sec_params);
#else
// Enable SECURITY_VERSION_1 in Protocomm configuration menu
return ESP_ERR_NOT_SUPPORTED;
#endif
} else if (prov_ctx->security == 2) {
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
ret = protocomm_set_security(prov_ctx->pc, "prov-session",
&protocomm_security2, prov_ctx->protocomm_sec_params);
#else
// Enable SECURITY_VERSION_2 in Protocomm configuration menu
return ESP_ERR_NOT_SUPPORTED;
#endif
} else {
ESP_LOGE(TAG, "Unsupported protocomm security version %d", prov_ctx->security);
ret = ESP_ERR_INVALID_ARG;

9
docs/en/api-reference/protocols/esp_local_ctrl.rst
View File

@ -91,9 +91,12 @@ Similarly for HTTPS transport:
You may set security for transport in ESP local control using following options:
1. `PROTOCOM_SEC1`: specifies that end to end encryption is used.
2. `PROTOCOM_SEC0`: specifies that data will be exchanged as a plain text.
3. `PROTOCOM_SEC_CUSTOM`: you can define your own security requirement. Please note that you will also have to provide `custom_handle` of type `protocomm_security_t *` in this context.
1. `PROTOCOM_SEC2`: specifies that SRP6a based key exchange and end to end encryption based on AES-GCM is used. This is the most preffered option as it adds a robust security with Augmented PAKE protocol i.e. SRP6a.
2. `PROTOCOM_SEC1`: specifies that Curve25519 based key exchange and end to end encryption based on AES-CTR is used.
3. `PROTOCOM_SEC0`: specifies that data will be exchanged as a plain text (no security).
4. `PROTOCOM_SEC_CUSTOM`: you can define your own security requirement. Please note that you will also have to provide `custom_handle` of type `protocomm_security_t *` in this context.
.. note:: The respective security schemes need to be enabled through the project configuration menu. Please refer to the Enabling protocom security version section in :doc:`Protocol Communication </api-reference/provisioning/protocomm>` for more details.
Creating a property
-------------------

11
docs/en/api-reference/provisioning/protocomm.rst
View File

@ -19,6 +19,17 @@ Protocomm provides framework for various transports - WiFi (SoftAP+HTTPD), BLE,
Note that the client still needs to establish session (for protocomm_security1 and protocomm_security2) by performing the two way handshake. See :doc:`provisioning` for more details about the secure handshake logic.
Enabling protocomm security version
-----------------------------------
Protocomm component provides project configuration menu to enable/disable support of respective security versions.
The respective configuration options can be found as follows:
* Support protocomm security version 1 (no security): :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0` (this option is enabled by default)
* Support protocomm security version 1 (Curve25519 key exchange + AES-CTR encryption/decryption): :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1` (this option is enabled by default)
* Support protocomm security version 2 (SRP6a-based key exchange + AES-GCM encryption/decryption): :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2`
.. note:: Enabling multiple security versions allow to control them dynamically but also increases firmware size.
Transport Example (SoftAP + HTTP) with Security 2
-------------------------------------------------
For sample usage, see :component_file:`wifi_provisioning/src/scheme_softap.c`

2
docs/en/api-reference/provisioning/provisioning.rst
View File

@ -107,6 +107,8 @@ At present, unified provisioning supports the following security schemes:
b. No Auth (Null PoP) - Shared key derived through key exchange only
3. Security2 - SRP6a-based shared key derivation and AES256-GCM mode encryption of the data.
.. note:: The respective security schemes need to be enabled through the project configuration menu. Please refer to the Enabling protocom security version section in :doc:`protocomm` (Protocol Communication) for more details.
Security1 Scheme
>>>>>>>>>>>>>>>>

2
examples/provisioning/wifi_prov_mgr/main/Kconfig.projbuild
View File

@ -24,9 +24,11 @@ menu "Example Configuration"
config EXAMPLE_PROV_SECURITY_VERSION_1
bool "Security version 1"
select ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
config EXAMPLE_PROV_SECURITY_VERSION_2
bool "Security version 2"
select ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
endchoice
choice EXAMPLE_PROV_MODE

2
tools/ci/check_copyright_ignore.txt
View File

@ -1070,8 +1070,6 @@ components/nvs_flash/test_nvs_host/test_spi_flash_emulation.cpp
components/openthread/include/esp_openthread.h
components/openthread/include/esp_openthread_lock.h
components/openthread/include/esp_openthread_netif_glue.h
components/protocomm/include/security/protocomm_security0.h
components/protocomm/include/security/protocomm_security1.h
components/protocomm/include/transports/protocomm_console.h
components/protocomm/include/transports/protocomm_httpd.h
components/protocomm/proto-c/constants.pb-c.c