diff --git a/components/protocomm/include/security/protocomm_security.h b/components/protocomm/include/security/protocomm_security.h index 48bf06ab63..fb3c491497 100644 --- a/components/protocomm/include/security/protocomm_security.h +++ b/components/protocomm/include/security/protocomm_security.h @@ -7,11 +7,25 @@ #pragma once #include +#include "esp_event.h" #ifdef __cplusplus extern "C" { #endif +ESP_EVENT_DECLARE_BASE(PROTOCOMM_SECURITY_SESSION_EVENT); + +/** + * @brief Events generated by the protocomm security layer + * + * These events are generated while establishing secured session. + */ +typedef enum { + PROTOCOMM_SECURITY_SESSION_SETUP_OK, /**< Secured session established successfully */ + PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS, /**< Received invalid (NULL) security parameters (username / client public-key) */ + PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH, /**< Received incorrect credentials (username / PoP) */ +} protocomm_security_session_event_t; + /** * @brief Protocomm Security 1 parameters: Proof Of Possession */ diff --git a/components/protocomm/src/security/security1.c b/components/protocomm/src/security/security1.c index dbc62383fc..08911df4fd 100644 --- a/components/protocomm/src/security/security1.c +++ b/components/protocomm/src/security/security1.c @@ -42,6 +42,13 @@ static const char* TAG = "security1"; +/*NOTE: As both the security schemes share the events, + * we need to define the event base only once. + */ +#ifndef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2 +ESP_EVENT_DEFINE_BASE(PROTOCOMM_SECURITY_SESSION_EVENT); +#endif + #define PUBLIC_KEY_LEN 32 #define SZ_RANDOM 16 
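Review bot: The doc comment on `PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS` says "invalid (NULL)" parameters, but the posting sites later in this commit raise it for a client public key of the wrong length and for an empty username, so the wording is narrower than what the event covers. I would write `/**< Received malformed security parameters (wrong-length client public key or empty username) */`. The enum's block comment should also state that every event is posted with a NULL data pointer and size 0, so handlers must not dereference `event_data`. It should add that the two failure events can be caused by a peer that has not authenticated, so handlers should stay cheap.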
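Review bot: The event base is declared unconditionally in protocomm_security.h but defined only in security1.c (when `CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2` is unset) and in security2.c, so whether the symbol exists depends on which of those files the build compiles. If each file is built only under its own config option (the build rules are not visible here), a configuration with neither security version enabled leaves `PROTOCOMM_SECURITY_SESSION_EVENT` undefined. In that case the unconditional `esp_event_handler_register(PROTOCOMM_SECURITY_SESSION_EVENT, ...)` added to app_main.c would fail to link. The `#ifndef` also relies on security2.c always being compiled when version 2 is enabled. A single `ESP_EVENT_DEFINE_BASE(PROTOCOMM_SECURITY_SESSION_EVENT);` in a source file that is always part of the component would remove both dependencies.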
@@ -127,6 +134,9 @@ static esp_err_t handle_session_command1(session_t *cur_session, sizeof(cur_session->device_pubkey)) != 0) { ESP_LOGE(TAG, "Key mismatch. Close connection"); mbedtls_aes_free(&cur_session->ctx_aes); + if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH, NULL, 0, portMAX_DELAY) != ESP_OK) { + ESP_LOGE(TAG, "Failed to post credential mismatch event"); + } return ESP_FAIL; } @@ -178,6 +188,10 @@ static esp_err_t handle_session_command1(session_t *cur_session, resp->sec1 = out; cur_session->state = SESSION_STATE_DONE; + if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_SETUP_OK, NULL, 0, portMAX_DELAY) != ESP_OK) { + ESP_LOGE(TAG, "Failed to post secure session setup success event"); + } + ESP_LOGD(TAG, "Secure session established successfully"); return ESP_OK; } @@ -202,6 +216,9 @@ static esp_err_t handle_session_command0(session_t *cur_session, if (in->sc0->client_pubkey.len != PUBLIC_KEY_LEN) { ESP_LOGE(TAG, "Invalid public key length"); + if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS, NULL, 0, portMAX_DELAY) != ESP_OK) { + ESP_LOGE(TAG, "Failed to post secure session invalid security params event"); + } return ESP_ERR_INVALID_ARG; } diff --git a/components/protocomm/src/security/security2.c b/components/protocomm/src/security/security2.c index fe1250019a..8256114ad7 100644 --- a/components/protocomm/src/security/security2.c +++ b/components/protocomm/src/security/security2.c @@ -27,6 +27,8 @@ static const char *TAG = "security2"; +ESP_EVENT_DEFINE_BASE(PROTOCOMM_SECURITY_SESSION_EVENT); + #define SALT_LEN (16) #define PUBLIC_KEY_LEN (384) #define CLIENT_PROOF_LEN (64) 
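Review bot: The `esp_event_post(..., portMAX_DELAY)` call on the key-mismatch path waits without bound for space in the event queue. This path is reachable by a peer that has not authenticated, so a slow or stalled event consumer can hold up the caller of handle_session_command1 indefinitely. The same call is repeated in the other two hunks of security1.c and in the three posting hunks of security2.c. A bounded timeout with the existing error log as the fallback keeps session handling responsive (the value below is only an example), and one static helper per file would replace the seven copies. handle_session_command1's body starts and ends outside this hunk.

```c
/* Example bound; the failure paths are reachable before authentication,
 * so posting must not block session handling indefinitely. */
#define SESSION_EVENT_POST_TIMEOUT pdMS_TO_TICKS(100)

static void post_session_event(protocomm_security_session_event_t event, const char *what)
{
    if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, event, NULL, 0,
                       SESSION_EVENT_POST_TIMEOUT) != ESP_OK) {
        ESP_LOGE(TAG, "Failed to post %s event", what);
    }
}

// … unchanged: key comparison and mbedtls_aes_free() in handle_session_command1 …
        post_session_event(PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH, "credential mismatch");
        return ESP_FAIL;
```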
@@ -81,11 +83,17 @@ static esp_err_t handle_session_command0(session_t *cur_session, if (in->sc0->client_pubkey.len != PUBLIC_KEY_LEN) { ESP_LOGE(TAG, "Invalid public key length"); + if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS, NULL, 0, portMAX_DELAY) != ESP_OK) { + ESP_LOGE(TAG, "Failed to post secure session invalid security params event"); + } return ESP_ERR_INVALID_ARG; } if (in->sc0->client_username.len <= 0) { ESP_LOGE(TAG, "Invalid username"); + if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS, NULL, 0, portMAX_DELAY) != ESP_OK) { + ESP_LOGE(TAG, "Failed to post secure session invalid security params event"); + } return ESP_ERR_INVALID_ARG; } @@ -214,6 +222,9 @@ static esp_err_t handle_session_command1(session_t *cur_session, if (esp_srp_exchange_proofs(cur_session->srp_hd, cur_session->username, cur_session->username_len, (char * ) in->sc1->client_proof.data, device_proof) != ESP_OK) { ESP_LOGE(TAG, "Failed to authenticate client proof!"); free(device_proof); + if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH, NULL, 0, portMAX_DELAY) != ESP_OK) { + ESP_LOGE(TAG, "Failed to post credential mismatch event"); + } return ESP_FAIL; } hexdump("Device proof", device_proof, CLIENT_PROOF_LEN); @@ -265,6 +276,9 @@ static esp_err_t handle_session_command1(session_t *cur_session, resp->sec2 = out; cur_session->state = SESSION_STATE_DONE; + if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT, PROTOCOMM_SECURITY_SESSION_SETUP_OK, NULL, 0, portMAX_DELAY) != ESP_OK) { + ESP_LOGE(TAG, "Failed to post secure session setup success event"); + } ESP_LOGD(TAG, "Secure session established successfully"); return ESP_OK; } diff --git a/components/wifi_provisioning/include/wifi_provisioning/manager.h b/components/wifi_provisioning/include/wifi_provisioning/manager.h index 7d1f12f352..72c6d6d50b 100644 
--- a/components/wifi_provisioning/include/wifi_provisioning/manager.h +++ b/components/wifi_provisioning/include/wifi_provisioning/manager.h @@ -201,7 +201,7 @@ typedef enum wifi_prov_security { * + proof of possession (pop) based authentication * + AES-CTR encryption */ - WIFI_PROV_SECURITY_1, + WIFI_PROV_SECURITY_1 = 1, #endif #ifdef CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_2 /** @@ -209,7 +209,7 @@ typedef enum wifi_prov_security { * SRP6a based authentication and key exchange * + AES-GCM encryption/decryption */ - WIFI_PROV_SECURITY_2 + WIFI_PROV_SECURITY_2 = 2 #endif } wifi_prov_security_t; diff --git a/examples/provisioning/wifi_prov_mgr/main/app_main.c b/examples/provisioning/wifi_prov_mgr/main/app_main.c index 985acc1216..f6c0232872 100644 --- a/examples/provisioning/wifi_prov_mgr/main/app_main.c +++ b/examples/provisioning/wifi_prov_mgr/main/app_main.c @@ -194,6 +194,20 @@ static void event_handler(void* arg, esp_event_base_t event_base, break; } #endif + } else if (event_base == PROTOCOMM_SECURITY_SESSION_EVENT) { + switch (event_id) { + case PROTOCOMM_SECURITY_SESSION_SETUP_OK: + ESP_LOGI(TAG, "Secured session established!"); + break; + case PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS: + ESP_LOGE(TAG, "Received invalid security parameters for establishing secure session!"); + break; + case PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH: + ESP_LOGE(TAG, "Received incorrect username and/or PoP for establishing secure session!"); + break; + default: + break; + } } } 
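Review bot: The `PROTOCOMM_SECURITY_SESSION_CREDENTIALS_MISMATCH` case in event_handler only logs, so the example gives no hint that this event is the hook for limiting repeated guesses at the PoP or password. Since example code tends to be copied into products, I would add a comment in that case such as `/* Production code should count consecutive mismatches and throttle or stop provisioning after a limit */`. event_handler starts outside this hunk.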
@@ -289,6 +303,7 @@ void app_main(void) #ifdef CONFIG_EXAMPLE_PROV_TRANSPORT_BLE ESP_ERROR_CHECK(esp_event_handler_register(PROTOCOMM_TRANSPORT_BLE_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL)); #endif + ESP_ERROR_CHECK(esp_event_handler_register(PROTOCOMM_SECURITY_SESSION_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL)); ESP_ERROR_CHECK(esp_event_handler_register(WIFI_EVENT, ESP_EVENT_ANY_ID, &event_handler, NULL)); ESP_ERROR_CHECK(esp_event_handler_register(IP_EVENT, IP_EVENT_STA_GOT_IP, &event_handler, NULL));