
Merge branch 'feature/wifi_prov_event_security_session' into 'master'
wifi_prov: Exposed events for secure session establishment and credential mismatch

Closes IDF-7358

See merge request espressif/esp-idf!23821
mahavirj committed May 24, 2023
2 parents 7a462d8 + 596b83f commit ff024dc
Showing 5 changed files with 62 additions and 2 deletions.
14 changes: 14 additions & 0 deletions components/protocomm/include/security/protocomm_security.h
Expand Up @@ -7,11 +7,25 @@
#pragma once

#include <esp_err.h>
#include "esp_event.h"

#ifdef __cplusplus
extern "C" {
#endif

ESP_EVENT_DECLARE_BASE(PROTOCOMM_SECURITY_SESSION_EVENT);

/**
* @brief Events generated by the protocomm security layer
*
* These events are generated while establishing secured session.
*/
typedef enum {
PROTOCOMM_SECURITY_SESSION_SETUP_OK, /**< Secured session established successfully */
PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS, /**< Received invalid (NULL) security parameters (username / client public-key) */
PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH, /**< Received incorrect credentials (username / PoP) */
} protocomm_security_session_event_t;

/**
* @brief Protocomm Security 1 parameters: Proof Of Possession
*/
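Review bot: The doc comment on `PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS` says the parameters were NULL, but the new call sites in security1.c and security2.c post it when `client_pubkey.len != PUBLIC_KEY_LEN` or `client_username.len <= 0`, i.e. on a length check, not a NULL check. Suggest `/**< Received invalid security parameters (client public-key of wrong length, or empty username) */`. It would also help handler authors to state on the enum that every event is posted with `event_data` NULL and size 0, as all six call sites in this commit do, so a handler must not dereference it.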
17 changes: 17 additions & 0 deletions components/protocomm/src/security/security1.c
Expand Up @@ -42,6 +42,13 @@

static const char* TAG = "security1";

/*NOTE: As both the security schemes share the events,
* we need to define the event base only once.
*/
#ifndef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
ESP_EVENT_DEFINE_BASE(PROTOCOMM_SECURITY_SESSION_EVENT);
#endif

#define PUBLIC_KEY_LEN 32
#define SZ_RANDOM 16

Expand Down Expand Up @@ -127,6 +134,9 @@ static esp_err_t handle_session_command1(session_t *cur_session,
sizeof(cur_session->device_pubkey)) != 0) {
ESP_LOGE(TAG, "Key mismatch. Close connection");
mbedtls_aes_free(&cur_session->ctx_aes);
if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH, NULL, 0, portMAX_DELAY) != ESP_OK) {
ESP_LOGE(TAG, "Failed to post credential mismatch event");
}
return ESP_FAIL;
}

Expand Down Expand Up @@ -178,6 +188,10 @@ static esp_err_t handle_session_command1(session_t *cur_session,
resp->sec1 = out;

cur_session->state = SESSION_STATE_DONE;
if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_SETUP_OK, NULL, 0, portMAX_DELAY) != ESP_OK) {
ESP_LOGE(TAG, "Failed to post secure session setup success event");
}

ESP_LOGD(TAG, "Secure session established successfully");
return ESP_OK;
}
Expand All @@ -202,6 +216,9 @@ static esp_err_t handle_session_command0(session_t *cur_session,

if (in->sc0->client_pubkey.len != PUBLIC_KEY_LEN) {
ESP_LOGE(TAG, "Invalid public key length");
if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS, NULL, 0, portMAX_DELAY) != ESP_OK) {
ESP_LOGE(TAG, "Failed to post secure session invalid security params event");
}
return ESP_ERR_INVALID_ARG;
}

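Review bot: Every new `esp_event_post()` call passes `portMAX_DELAY`, so it blocks the calling context for as long as the default event loop queue is full; these calls sit in `handle_session_command0` and `handle_session_command1`, which run for each session request before the peer has authenticated, so a backed-up event loop stalls session handling instead of merely dropping the notification. Since a failed post is already logged, a bounded wait is enough, e.g. `... NULL, 0, pdMS_TO_TICKS(100)) != ESP_OK) {` at each call site; the same applies to the four posts in security2.c. Both handler bodies start and end outside these hunks.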
14 changes: 14 additions & 0 deletions components/protocomm/src/security/security2.c
Expand Up @@ -27,6 +27,8 @@

static const char *TAG = "security2";

ESP_EVENT_DEFINE_BASE(PROTOCOMM_SECURITY_SESSION_EVENT);

#define SALT_LEN (16)
#define PUBLIC_KEY_LEN (384)
#define CLIENT_PROOF_LEN (64)
Expand Down Expand Up @@ -81,11 +83,17 @@ static esp_err_t handle_session_command0(session_t *cur_session,

if (in->sc0->client_pubkey.len != PUBLIC_KEY_LEN) {
ESP_LOGE(TAG, "Invalid public key length");
if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS, NULL, 0, portMAX_DELAY) != ESP_OK) {
ESP_LOGE(TAG, "Failed to post secure session invalid security params event");
}
return ESP_ERR_INVALID_ARG;
}

if (in->sc0->client_username.len <= 0) {
ESP_LOGE(TAG, "Invalid username");
if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS, NULL, 0, portMAX_DELAY) != ESP_OK) {
ESP_LOGE(TAG, "Failed to post secure session invalid security params event");
}
return ESP_ERR_INVALID_ARG;
}

Expand Down Expand Up @@ -214,6 +222,9 @@ static esp_err_t handle_session_command1(session_t *cur_session,
if (esp_srp_exchange_proofs(cur_session->srp_hd, cur_session->username, cur_session->username_len, (char * ) in->sc1->client_proof.data, device_proof) != ESP_OK) {
ESP_LOGE(TAG, "Failed to authenticate client proof!");
free(device_proof);
if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH, NULL, 0, portMAX_DELAY) != ESP_OK) {
ESP_LOGE(TAG, "Failed to post credential mismatch event");
}
return ESP_FAIL;
}
hexdump("Device proof", device_proof, CLIENT_PROOF_LEN);
Expand Down Expand Up @@ -265,6 +276,9 @@ static esp_err_t handle_session_command1(session_t *cur_session,
resp->sec2 = out;

cur_session->state = SESSION_STATE_DONE;
if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_SETUP_OK, NULL, 0, portMAX_DELAY) != ESP_OK) {
ESP_LOGE(TAG, "Failed to post secure session setup success event");
}
ESP_LOGD(TAG, "Secure session established successfully");
return ESP_OK;
}
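Review bot: `ESP_EVENT_DEFINE_BASE(PROTOCOMM_SECURITY_SESSION_EVENT)` is unconditional here, while security1.c defines the same base only under `#ifndef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2`; nothing in this file records that pairing, so a later change to either side can produce a duplicate or missing definition at link time. Suggest mirroring the note from security1.c above the define: `/* Shared with security1.c, which defines this base only when Security 2 is not built. */`. Whether security2.c is always compiled exactly when that option is set is not visible on this page and is worth confirming.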
Expand Up @@ -201,15 +201,15 @@ typedef enum wifi_prov_security {
* + proof of possession (pop) based authentication
* + AES-CTR encryption
*/
WIFI_PROV_SECURITY_1,
WIFI_PROV_SECURITY_1 = 1,
#endif
#ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2
/**
* This secure communication mode consists of
* SRP6a based authentication and key exchange
* + AES-GCM encryption/decryption
*/
WIFI_PROV_SECURITY_2
WIFI_PROV_SECURITY_2 = 2
#endif
} wifi_prov_security_t;

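Review bot: The explicit `= 1` and `= 2` values are not explained; presumably they keep `WIFI_PROV_SECURITY_2` at 2 when the enumerators above it are compiled out (without them the remaining enumerator would renumber), which matters to any code or stored configuration that treats the value as a stable number. Suggest a comment on the enum, e.g. `/* Values are fixed so the numbering does not depend on which security versions are compiled in */`. The `typedef enum` and the `#ifdef` closed by the first `#endif` both start outside this hunk, and the page shows no file name for this section.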
15 changes: 15 additions & 0 deletions examples/provisioning/wifi_prov_mgr/main/app_main.c
Expand Up @@ -194,6 +194,20 @@ static void event_handler(void* arg, esp_event_base_t event_base,
break;
}
#endif
} else if (event_base == PROTOCOMM_SECURITY_SESSION_EVENT) {
switch (event_id) {
case PROTOCOMM_SECURITY_SESSION_SETUP_OK:
ESP_LOGI(TAG, "Secured session established!");
break;
case PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS:
ESP_LOGE(TAG, "Received invalid security parameters for establishing secure session!");
break;
case PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH:
ESP_LOGE(TAG, "Received incorrect username and/or PoP for establishing secure session!");
break;
default:
break;
}
}
}

Expand Down Expand Up @@ -289,6 +303,7 @@ void app_main(void)
#ifdef CONFIG_EXAMPLE_PROV_TRANSPORT_BLE
ESP_ERROR_CHECK(esp_event_handler_register(PROTOCOMM_TRANSPORT_BLE_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL));
#endif
ESP_ERROR_CHECK(esp_event_handler_register(PROTOCOMM_SECURITY_SESSION_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL));
ESP_ERROR_CHECK(esp_event_handler_register(WIFI_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL));
ESP_ERROR_CHECK(esp_event_handler_register(IP_EVENT, IP_EVENT_STA_GOT_IP, &event_handler, NULL));

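Review bot: The new `PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH` branch only logs; since this event is the example's only signal that a peer supplied a wrong PoP or password, the example could show that an application may count these and stop or restart provisioning after repeated mismatches rather than let attempts continue indefinitely. A one-line comment above that `ESP_LOGE` would make the intent visible: `/* Applications may count these events and stop provisioning after repeated failures */`. `event_handler` starts outside the hunk.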