protocomm_httpd: Restart security session if request is received on a new session

This commit fixes a bug as well as changes a behaviour. Bugfix: During softap/httpd based provisioning, if a session was closed midway and a new one started, it would never proceed if the http server assigns same socket number to the new session (which happens almost always). Now, if a session is closed, using the http callbacks, the older session data is cleared so that a new one can be created. Behavioural change: If a client (mobile app particularly) does not use persistent http session i.e. all provisioning communication on the same socket, the provisioning may fail. Earlier, since the session context was not getting cleared, even if the client closed a session and continued on a new one, it would go through if the socket number assigned was same (which happens almost always). Ideally, from a security perspective, all communication related to secure provisioning must happen on the same socket, and so, this change is required.
2020-05-06 20:14:52 +05:30 · 2020-05-06 20:14:52 +05:30 · 52c089fba7
parent aa6730f0e2
commit 52c089fba7
1 changed files with 14 additions and 0 deletions
--- a/components/protocomm/src/transports/protocomm_httpd.c
+++ b/components/protocomm/src/transports/protocomm_httpd.c
@ -31,6 +31,17 @@ static uint32_t session_id = PROTOCOMM_NO_SESSION_ID;

 #define MAX_REQ_BODY_LEN 4096

+static void protocomm_httpd_session_close(void *ctx)
+{
+    if (pc_httpd->sec && pc_httpd->sec->close_transport_session) {
+        ESP_LOGW(TAG, "Closing session as socket %d was closed", session_id);
+        if (pc_httpd->sec->close_transport_session(session_id) != ESP_OK) {
+            ESP_LOGW(TAG, "Error closing session with ID: %d", session_id);
+        }
+    }
+    session_id = PROTOCOMM_NO_SESSION_ID;
+}
+
 static esp_err_t common_post_handler(httpd_req_t *req)
 {
    esp_err_t ret;
@ -42,6 +53,7 @@ static esp_err_t common_post_handler(httpd_req_t *req)
    int cur_session_id = httpd_req_to_sockfd(req);

    if (cur_session_id != session_id) {
+        ESP_LOGI(TAG, "Creating new session: %d", cur_session_id);
        /* Initialize new security session */
        if (session_id != PROTOCOMM_NO_SESSION_ID) {
            ESP_LOGD(TAG, "Closing session with ID: %d", session_id);
@ -62,6 +74,8 @@ static esp_err_t common_post_handler(httpd_req_t *req)
                ret = ESP_FAIL;
                goto out;
            }
+            req->free_ctx = protocomm_httpd_session_close;
+
        }
        session_id = cur_session_id;
        ESP_LOGD(TAG, "New session with ID: %d", cur_session_id);