protocomm_httpd: Restart security session if request is received on a new session

shahpiyushv · espressif-bot · commit 05852bc4aa43 · 2020-05-11T13:01:13.000Z
This commit fixes a bug as well as changes a behaviour.

Bugfix: During softap/httpd based provisioning, if a session was closed
midway and a new one started, it would never proceed if the http server
assigns same socket number to the new session (which happens almost always).
Now, if a session is closed, using the http callbacks, the older session
data is cleared so that a new one can be created.

Behavioural change: If a client (mobile app particularly) does not use
persistent http session i.e. all provisioning communication on the same
socket, the provisioning may fail. Earlier, since the session context was
not getting cleared, even if the client closed a session and continued
on a new one, it would go through if the socket number assigned was same
(which happens almost always).

Ideally, from a security perspective, all communication related
to secure provisioning must happen on the same socket, and so, this
change is required.
diff --git a/components/protocomm/src/transports/protocomm_httpd.c b/components/protocomm/src/transports/protocomm_httpd.c
@@ -31,6 +31,17 @@ static uint32_t session_id = PROTOCOMM_NO_SESSION_ID;
 
 #define MAX_REQ_BODY_LEN 4096
 
+static void protocomm_httpd_session_close(void *ctx)
+{
+    if (pc_httpd->sec && pc_httpd->sec->close_transport_session) {
+        ESP_LOGW(TAG, "Closing session as socket %d was closed", session_id);
+        if (pc_httpd->sec->close_transport_session((protocomm_security_handle_t)ctx, session_id) != ESP_OK) {
+            ESP_LOGW(TAG, "Error closing session with ID: %d", session_id);
+        }
+    }
+    session_id = PROTOCOMM_NO_SESSION_ID;
+}
+
 static esp_err_t common_post_handler(httpd_req_t *req)
 {
     esp_err_t ret;
@@ -42,6 +53,7 @@ static esp_err_t common_post_handler(httpd_req_t *req)
     int cur_session_id = httpd_req_to_sockfd(req);
 
     if (cur_session_id != session_id) {
+        ESP_LOGI(TAG, "Creating new session: %d", cur_session_id);
         /* Initialize new security session */
         if (session_id != PROTOCOMM_NO_SESSION_ID) {
             ESP_LOGD(TAG, "Closing session with ID: %d", session_id);
@@ -62,6 +74,9 @@ static esp_err_t common_post_handler(httpd_req_t *req)
                 ret = ESP_FAIL;
                 goto out;
             }
+            req->sess_ctx = pc_httpd->sec_inst;
+            req->free_ctx = protocomm_httpd_session_close;
+
         }
         session_id = cur_session_id;
         ESP_LOGD(TAG, "New session with ID: %d", cur_session_id);
