feat(protocomm): disable security version 0 and 1 by default

Change default values for protocomm security configuration options to improve
security:
- CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0 now defaults to 'n'
- CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1 now defaults to 'n'

This reduces code size by default and encourages use of more secure protocomm
implementations.
Projects using these security versions must explicitly enable them in their
configuration.

components/protocomm/Kconfig

@@ -2,7 +2,7 @@ menu "Protocomm"
 
     config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0
         bool "Support protocomm security version 0 (no security)"
-        default y
+        default n
         help
             Enable support of security version 0.
             Disabling this option saves some code size.
@@ -11,7 +11,7 @@ menu "Protocomm"
 
     config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1
         bool "Support protocomm security version 1 (Curve25519 key exchange + AES-CTR encryption/decryption)"
-        default y
+        default n
         help
             Enable support of security version 1.
             Disabling this option saves some code size.

components/protocomm/test_apps/sdkconfig.defaults

@@ -7,3 +7,7 @@ CONFIG_COMPILER_STACK_CHECK_MODE_STRONG=y
 CONFIG_COMPILER_STACK_CHECK=y
 
 CONFIG_ESP_TASK_WDT_EN=n
+
+# Enable all protocomm security versions for testing
+CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0=y
+CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1=y

docs/en/migration-guides/release-6.x/6.0/provisioning.rst

@@ -7,3 +7,21 @@ Breaking Changes
 ----------------
 
 The return type of :cpp:func:`wifi_prov_mgr_deinit` has been changed from ``void`` to :cpp:type:`esp_err_t`. This change allows applications to properly handle potential failures during provisioning manager deinitialization.
+
+Configuration Changes
+---------------------
+
+Protocomm Security Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The default values for protocomm security configuration options have been changed to improve security by default:
+
+- :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0` now defaults to ``n`` (previously ``y``)
+- :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1` now defaults to ``n`` (previously ``y``)
+
+Projects that rely on protocomm security versions 0 or 1 will need to explicitly enable these options in their configuration. If your application uses protocomm security version 0 (no security) or version 1 (Curve25519 + AES-CTR), you must explicitly enable the corresponding configuration option in your project's ``sdkconfig`` or through ``menuconfig``:
+
+- For security version 0: Enable :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0`
+- For security version 1: Enable :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1`
+
+This change was made to reduce code size by default and encourage the use of more secure protocomm implementations.

docs/zh_CN/migration-guides/release-6.x/6.0/provisioning.rst

@@ -7,3 +7,21 @@
 --------
 
 函数 :cpp:func:`wifi_prov_mgr_deinit` 的返回值类型已从 ``void`` 变更为 :cpp:type:`esp_err_t`。此项变更使应用程序在反初始化配网管理器时能够妥善处理可能出现的故障。
+
+配置变更
+--------
+
+Protocomm 安全配置
+~~~~~~~~~~~~~~~~~~
+
+为了默认提高安全性，protocomm 安全配置选项的默认值已更改：
+
+- :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0` 现在默认为 ``n`` （原为 ``y`` ）
+- :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1` 现在默认为 ``n`` （原为 ``y`` ）
+
+依赖 protocomm 安全版本 0 或 1 的项目需要在其配置中显式启用这些选项。如果您的应用程序使用 protocomm 安全版本 0（无安全）或版本 1（Curve25519 + AES-CTR），则必须在项目的 ``sdkconfig`` 中或通过 ``menuconfig`` 显式启用相应的配置选项：
+
+- 对于安全版本 0：启用 :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0`
+- 对于安全版本 1：启用 :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1`
+
+此项变更旨在默认减少代码大小，并鼓励使用更安全的 protocomm 实现。