From f677655fcbe5485d32188d0532b532ef5e16a083 Mon Sep 17 00:00:00 2001 From: Piyush Shah Date: Wed, 6 May 2020 20:14:52 +0530 Subject: [PATCH] protocomm_httpd: Restart security session if request is received on a new session This commit fixes a bug as well as changes a behaviour. Bugfix: During softap/httpd based provisioning, if a session was closed midway and a new one started, it would never proceed if the http server assigns same socket number to the new session (which happens almost always). Now, if a session is closed, using the http callbacks, the older session data is cleared so that a new one can be created. Behavioural change: If a client (mobile app particularly) does not use persistent http session i.e. all provisioning communication on the same socket, the provisioning may fail. Earlier, since the session context was not getting cleared, even if the client closed a session and continued on a new one, it would go through if the socket number assigned was same (which happens almost always). Ideally, from a security perspective, all communication related to secure provisioning must happen on the same socket, and so, this change is required. --- .../protocomm/src/transports/protocomm_httpd.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/components/protocomm/src/transports/protocomm_httpd.c b/components/protocomm/src/transports/protocomm_httpd.c index 9c48396b2c..a8ee22790d 100644 --- a/components/protocomm/src/transports/protocomm_httpd.c +++ b/components/protocomm/src/transports/protocomm_httpd.c @@ -31,6 +31,17 @@ static uint32_t session_id = PROTOCOMM_NO_SESSION_ID; #define MAX_REQ_BODY_LEN 4096 +static void protocomm_httpd_session_close(void *ctx) +{ + if (pc_httpd->sec && pc_httpd->sec->close_transport_session) { + ESP_LOGW(TAG, "Closing session as socket %d was closed", session_id); + if (pc_httpd->sec->close_transport_session((protocomm_security_handle_t)ctx, session_id) != ESP_OK) { + ESP_LOGW(TAG, "Error closing session with ID: %d", session_id); + } + } + session_id = PROTOCOMM_NO_SESSION_ID; +} + static esp_err_t common_post_handler(httpd_req_t *req) { esp_err_t ret; @@ -42,6 +53,7 @@ static esp_err_t common_post_handler(httpd_req_t *req) int cur_session_id = httpd_req_to_sockfd(req); if (cur_session_id != session_id) { + ESP_LOGI(TAG, "Creating new session: %d", cur_session_id); /* Initialize new security session */ if (session_id != PROTOCOMM_NO_SESSION_ID) { ESP_LOGD(TAG, "Closing session with ID: %d", session_id); @@ -62,6 +74,9 @@ static esp_err_t common_post_handler(httpd_req_t *req) ret = ESP_FAIL; goto out; } + req->sess_ctx = pc_httpd->sec_inst; + req->free_ctx = protocomm_httpd_session_close; + } session_id = cur_session_id; ESP_LOGD(TAG, "New session with ID: %d", cur_session_id);