Mitigation to unauthenticated TCP support advertisement in DNS-SD

pidarped · pidarped · commit 114ea1a4a8ae · 2024-08-19T11:56:20.000-07:00
that made it susceptible to potential DoS attacks.

As part of this resolution,
Add TCP support and Max receive size info within negotiated CASE
Session parameters.

--Nodes publish TCP support information during CASE session(over MRP)
  negotiations.
--Add TCP param storage logic to persist received TCP support info
  to storage during CASE session establishment and retrieve it during
  future TCP session setup.
--During TCP session setup, first check if the TCP support info
  for peer is available in storage before, going to the DNS-SD
  advertised values.
diff --git a/src/app/OperationalSessionSetup.cpp b/src/app/OperationalSessionSetup.cpp
@@ -33,6 +33,7 @@
 #include <lib/address_resolve/AddressResolve.h>
 #include <lib/core/CHIPCore.h>
 #include <lib/core/CHIPEncoding.h>
+#include <lib/dnssd/Advertiser.h>
 #include <lib/dnssd/Resolver.h>
 #include <lib/support/CodeUtils.h>
 #include <lib/support/logging/CHIPLogging.h>
@@ -300,19 +301,40 @@ CHIP_ERROR OperationalSessionSetup::EstablishConnection(const ResolveResult & re
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
     if (mTransportPayloadCapability == TransportPayloadCapability::kLargePayload)
     {
-        if (result.supportsTcpServer)
+        // First check if the TCPSupport information is available from prior
+        // CASE session negotiations with peer.
+        // Else, fall back to TCP support information from DNS-SD
+        // advertisements.
+        uint16_t supportedTransports;
+        uint32_t maxTCPMessageSize;
+        VerifyOrDie(mInitParams.sessionManager != nullptr);
+        CHIP_ERROR err = mInitParams.sessionManager->GetPeerTCPParamsStorage().FindByScopedNodeId(mPeerId, supportedTransports,
+                                                                                                  maxTCPMessageSize);
+        if (err == CHIP_NO_ERROR)
         {
-            // Set the transport type for carrying large payloads
-            mDeviceAddress.SetTransportType(chip::Transport::Type::kTcp);
+            if ((supportedTransports & to_underlying(Dnssd::TCPModeAdvertise::kTCPServer)) != 0)
+            {
+                // Set the transport type for carrying large payloads
+                mDeviceAddress.SetTransportType(chip::Transport::Type::kTcp);
+            }
         }
-        else
+        else // Failed to retrieve TCP Params from storage
         {
-            // we should not set the large payload while the TCP support is not enabled
-            ChipLogError(
-                Discovery,
-                "LargePayload session requested but peer does not support TCP server, PeerNodeId=" ChipLogFormatScopedNodeId,
-                ChipLogValueScopedNodeId(mPeerId));
-            return CHIP_ERROR_INTERNAL;
+            // Check DNS-SD advertisement values if information not available via CASE session parameters
+            if (result.supportsTcpServer)
+            {
+                // Set the transport type for carrying large payloads
+                mDeviceAddress.SetTransportType(chip::Transport::Type::kTcp);
+            }
+            else
+            {
+                // we should not set the large payload while the TCP support is not enabled from the peer's side.
+                ChipLogError(
+                    Discovery,
+                    "LargePayload session requested but peer does not support TCP server, PeerNodeId=" ChipLogFormatScopedNodeId,
+                    ChipLogValueScopedNodeId(mPeerId));
+                return CHIP_ERROR_INTERNAL;
+            }
         }
     }
 #endif
diff --git a/src/controller/python/chip/utils/DeviceProxyUtils.cpp b/src/controller/python/chip/utils/DeviceProxyUtils.cpp
@@ -44,6 +44,10 @@ struct __attribute__((packed)) SessionParametersStruct
     uint16_t interactionModelRevision = 0;
     uint32_t specificationVersion     = 0;
     uint16_t maxPathsPerInvoke        = 0;
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    uint16_t supportedTransports = 0;
+    uint32_t maxTCPMessageSize   = 0;
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 };
 
 } // namespace python
@@ -99,6 +103,11 @@ PyChipError pychip_DeviceProxy_GetRemoteSessionParameters(DeviceProxy * device,
     sessionParam->interactionModelRevision = remoteSessionParameters.GetInteractionModelRevision().ValueOr(0);
     sessionParam->specificationVersion     = remoteSessionParameters.GetSpecificationVersion().ValueOr(0);
     sessionParam->maxPathsPerInvoke        = remoteSessionParameters.GetMaxPathsPerInvoke();
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    sessionParam->supportedTransports = remoteSessionParameters.GetSupportedTransports().ValueOr(0);
+    sessionParam->maxTCPMessageSize =
+        remoteSessionParameters.GetMaxTCPMessageSize().ValueOr(System::PacketBuffer::kLargeBufMaxSizeWithoutReserve - 4);
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
     return ToPyChipError(CHIP_NO_ERROR);
 }
 }
diff --git a/src/lib/support/DefaultStorageKeyAllocator.h b/src/lib/support/DefaultStorageKeyAllocator.h
@@ -256,6 +256,14 @@ class DefaultStorageKeyAllocator
     // when new fabric is created, this list needs to be updated,
     // when client init DefaultICDClientStorage, this table needs to be loaded.
     static StorageKeyName ICDFabricList() { return StorageKeyName::FromConst("g/icdfl"); }
+
+    // TCP peer parameters
+    static StorageKeyName TCPPeerParams(FabricIndex fabric, NodeId nodeId)
+    {
+        return StorageKeyName::Formatted("f/%x/tcp/%08" PRIX32 "%08" PRIX32, fabric, static_cast<uint32_t>(nodeId >> 32),
+                                         static_cast<uint32_t>(nodeId));
+    }
+    static StorageKeyName TCPPeerList() { return StorageKeyName::FromConst("g/tcpl"); }
 };
 
 } // namespace chip
diff --git a/src/messaging/SessionParameters.h b/src/messaging/SessionParameters.h
@@ -41,10 +41,19 @@ class SessionParameters
     static constexpr size_t kSizeOfInteractionModelRevision = sizeof(uint16_t);
     static constexpr size_t kSizeOfSpecificationVersion     = sizeof(uint32_t);
     static constexpr size_t kSizeOfMaxPathsPerInvoke        = sizeof(uint16_t);
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    static constexpr size_t kSizeOfSupportedTransports = sizeof(uint16_t);
+    static constexpr size_t kSizeOfMaxTCPMessageSize   = sizeof(uint32_t);
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
     static constexpr size_t kEstimatedTLVSize = TLV::EstimateStructOverhead(
         kSizeOfSessionIdleInterval, kSizeOfSessionActiveInterval, kSizeOfSessionActiveThreshold, kSizeOfDataModelRevision,
-        kSizeOfInteractionModelRevision, kSizeOfSpecificationVersion, kSizeOfMaxPathsPerInvoke);
+        kSizeOfInteractionModelRevision, kSizeOfSpecificationVersion, kSizeOfMaxPathsPerInvoke
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+        ,
+        kSizeOfSupportedTransports, kSizeOfMaxTCPMessageSize
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
+    );
 
     // From Section 4.12.8 "Parameters and Constants" in chapter "Secure Channel".
     enum Tag : uint32_t
@@ -56,6 +65,8 @@ class SessionParameters
         kInteractionModelRevision = 5,
         kSpecificationVersion     = 6,
         kMaxPathsPerInvoke        = 7,
+        kSupportedTransports      = 8,
+        kMaxTCPMessageSize        = 9,
     };
 
     const ReliableMessageProtocolConfig & GetMRPConfig() const { return mMRPConfig; }
@@ -91,6 +102,13 @@ class SessionParameters
     uint16_t GetMaxPathsPerInvoke() const { return mMaxPathsPerInvoke; }
     void SetMaxPathsPerInvoke(const uint16_t maxPathsPerInvoke) { mMaxPathsPerInvoke = maxPathsPerInvoke; }
 
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    const Optional<uint16_t> & GetSupportedTransports() const { return mSupportedTransports; }
+    void SetSupportedTransports(const uint16_t supportedTransports) { mSupportedTransports = MakeOptional(supportedTransports); }
+
+    const Optional<uint32_t> & GetMaxTCPMessageSize() const { return mMaxTCPMessageSize; }
+    void SetMaxTCPMessageSize(const uint32_t maxTCPMessageSize) { mMaxTCPMessageSize = MakeOptional(maxTCPMessageSize); }
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 private:
     ReliableMessageProtocolConfig mMRPConfig;
     // For legacy reasons if we do not get DataModelRevision it means either 16 or 17. But there isn't
@@ -104,6 +122,11 @@ class SessionParameters
     Optional<uint32_t> mSpecificationVersion;
     // When maxPathsPerInvoke is not provided legacy is always 1
     uint16_t mMaxPathsPerInvoke = 1;
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    Optional<uint16_t> mSupportedTransports;
+    Optional<uint32_t> mMaxTCPMessageSize;
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 };
 
 } // namespace chip
diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp
@@ -49,6 +49,7 @@
 #include <tracing/macros.h>
 #include <tracing/metric_event.h>
 #include <transport/SessionManager.h>
+#include <transport/raw/PeerTCPParamsStorage.h>
 
 namespace {
 
@@ -696,6 +697,25 @@ CHIP_ERROR CASESession::RecoverInitiatorIpk()
 }
 
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
+CHIP_ERROR CASESession::SaveTCPInfoFromRemoteSessionParams()
+{
+    if (GetRemoteSessionParameters().GetSupportedTransports().HasValue() &&
+        GetRemoteSessionParameters().GetMaxTCPMessageSize().HasValue())
+    {
+        ReturnErrorOnFailure(mSessionManager->GetPeerTCPParamsStorage().SaveTCPParams(
+            GetPeer(), GetRemoteSessionParameters().GetSupportedTransports().Value(),
+            GetRemoteSessionParameters().GetMaxTCPMessageSize().Value()));
+    }
+    else
+    {
+        // Store zeroes for the TCP parameters as sentinel values from CASE
+        // session for no TCP support.
+        ReturnErrorOnFailure(mSessionManager->GetPeerTCPParamsStorage().SaveTCPParams(GetPeer(), 0, 0));
+    }
+
+    return CHIP_NO_ERROR;
+}
+
 void CASESession::HandleConnectionAttemptComplete(Transport::ActiveTCPConnectionState * conn, CHIP_ERROR err)
 {
     VerifyOrReturn(conn != nullptr);
@@ -1298,6 +1318,10 @@ CHIP_ERROR CASESession::HandleSigma2Resume(System::PacketBufferHandle && msg)
         SuccessOrExit(err = DecodeMRPParametersIfPresent(TLV::ContextTag(4), tlvReader));
         mExchangeCtxt.Value()->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteSessionParameters(
             GetRemoteSessionParameters());
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+        ReturnErrorOnFailure(SaveTCPInfoFromRemoteSessionParams());
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
     }
 
     ChipLogDetail(SecureChannel, "Peer assigned session session ID %d", responderSessionId);
@@ -1500,6 +1524,10 @@ CHIP_ERROR CASESession::HandleSigma2(System::PacketBufferHandle && msg)
         SuccessOrExit(err = DecodeMRPParametersIfPresent(TLV::ContextTag(kTag_Sigma2_ResponderMRPParams), tlvReader));
         mExchangeCtxt.Value()->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteSessionParameters(
             GetRemoteSessionParameters());
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+        ReturnErrorOnFailure(SaveTCPInfoFromRemoteSessionParams());
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
     }
 
 exit:
@@ -2198,6 +2226,11 @@ CHIP_ERROR CASESession::ParseSigma1(TLV::ContiguousBufferTLVReader & tlvReader,
         ReturnErrorOnFailure(DecodeMRPParametersIfPresent(TLV::ContextTag(kInitiatorMRPParamsTag), tlvReader));
         mExchangeCtxt.Value()->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteSessionParameters(
             GetRemoteSessionParameters());
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+        ReturnErrorOnFailure(SaveTCPInfoFromRemoteSessionParams());
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
+
         err = tlvReader.Next();
     }
 
diff --git a/src/protocols/secure_channel/CASESession.h b/src/protocols/secure_channel/CASESession.h
@@ -287,6 +287,7 @@ class DLL_EXPORT CASESession : public Messaging::UnsolicitedMessageHandler,
     void InvalidateIfPendingEstablishmentOnFabric(FabricIndex fabricIndex);
 
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    CHIP_ERROR SaveTCPInfoFromRemoteSessionParams();
     static void HandleConnectionAttemptComplete(Transport::ActiveTCPConnectionState * conn, CHIP_ERROR conErr);
     static void HandleConnectionClosed(Transport::ActiveTCPConnectionState * conn, CHIP_ERROR conErr);
 
diff --git a/src/protocols/secure_channel/PairingSession.cpp b/src/protocols/secure_channel/PairingSession.cpp
@@ -21,6 +21,7 @@
 #include <app/SpecificationDefinedRevisions.h>
 #include <lib/core/CHIPConfig.h>
 #include <lib/core/TLVTypes.h>
+#include <lib/dnssd/Advertiser.h>
 #include <lib/support/SafeInt.h>
 #include <lib/support/TypeTraits.h>
 #include <platform/CHIPDeviceEvent.h>
@@ -142,6 +143,16 @@ CHIP_ERROR PairingSession::EncodeSessionParameters(TLV::Tag tag, const ReliableM
 
     uint16_t maxPathsPerInvoke = CHIP_CONFIG_MAX_PATHS_PER_INVOKE;
     ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(SessionParameters::Tag::kMaxPathsPerInvoke), maxPathsPerInvoke));
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    // Support for both TCP CLient and Server(0x06)
+    uint16_t supportedTransports = to_underlying(Dnssd::TCPModeAdvertise::kTCPClientServer);
+    ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(SessionParameters::Tag::kSupportedTransports), supportedTransports));
+
+    uint32_t maxTCPMessageSize = System::PacketBuffer::kLargeBufMaxSizeWithoutReserve - 4 /* Framing length field of 4 bytes */;
+    ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(SessionParameters::Tag::kMaxTCPMessageSize), maxTCPMessageSize));
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
+
     return tlvWriter.EndContainer(mrpParamsContainer);
 }
 
@@ -234,6 +245,31 @@ CHIP_ERROR PairingSession::DecodeMRPParametersIfPresent(TLV::Tag expectedTag, TL
         SuccessOrExit(err = tlvReader.Next());
     }
 
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+
+    if (TLV::TagNumFromTag(tlvReader.GetTag()) == SessionParameters::Tag::kSupportedTransports)
+    {
+        ChipLogDetail(SecureChannel, "Found TCPSupport parameter in the message");
+        uint16_t supportedTransports;
+        ReturnErrorOnFailure(tlvReader.Get(supportedTransports));
+        mRemoteSessionParams.SetSupportedTransports(supportedTransports);
+
+        // The next element is optional. If it's not present, return CHIP_NO_ERROR.
+        SuccessOrExit(err = tlvReader.Next());
+    }
+
+    if (TLV::TagNumFromTag(tlvReader.GetTag()) == SessionParameters::Tag::kMaxTCPMessageSize)
+    {
+        ChipLogDetail(SecureChannel, "Found TCP Max message size parameter in the message");
+        uint32_t maxTCPMessageSize;
+        ReturnErrorOnFailure(tlvReader.Get(maxTCPMessageSize));
+        mRemoteSessionParams.SetMaxTCPMessageSize(maxTCPMessageSize);
+
+        // The next element is optional. If it's not present, return CHIP_NO_ERROR.
+        SuccessOrExit(err = tlvReader.Next());
+    }
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
+
     // Future proofing - Don't error out if there are other tags
 exit:
     if (err == CHIP_END_OF_TLV)
diff --git a/src/transport/SessionManager.cpp b/src/transport/SessionManager.cpp
@@ -150,6 +150,8 @@ CHIP_ERROR SessionManager::Init(System::Layer * systemLayer, TransportMgrBase *
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
     mConnCompleteCb = nullptr;
     mConnClosedCb   = nullptr;
+
+    ReturnErrorOnFailure(mPeerTCPParamsStorage.Init(storageDelegate));
 #endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
     return CHIP_NO_ERROR;
diff --git a/src/transport/SessionManager.h b/src/transport/SessionManager.h
@@ -54,6 +54,7 @@
 
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
 #include <transport/SessionConnectionDelegate.h>
+#include <transport/raw/PeerTCPParamsStorage.h>
 #endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
 namespace chip {
@@ -494,6 +495,7 @@ class DLL_EXPORT SessionManager : public TransportMgrDelegate, public FabricTabl
 
     using OnTCPConnectionClosedCallback = void (*)(Transport::ActiveTCPConnectionState * conn, CHIP_ERROR conErr);
 
+    Transport::PeerTCPParamsStorage & GetPeerTCPParamsStorage() { return mPeerTCPParamsStorage; }
 #endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
     Optional<SessionHandle> CreateUnauthenticatedSession(const Transport::PeerAddress & peerAddress,
@@ -566,6 +568,7 @@ class DLL_EXPORT SessionManager : public TransportMgrDelegate, public FabricTabl
     // Hold the TCPConnection callback context for the receiver application in the SessionManager.
     // On receipt of a connection from a peer, the SessionManager
     Transport::AppTCPConnectionCallbackCtxt * mServerTCPConnCbCtxt = nullptr;
+    Transport::PeerTCPParamsStorage mPeerTCPParamsStorage;
 #endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
     SessionMessageDelegate * mCB = nullptr;
diff --git a/src/transport/raw/BUILD.gn b/src/transport/raw/BUILD.gn
@@ -33,6 +33,8 @@ static_library("raw") {
   if (chip_inet_config_enable_tcp_endpoint) {
     sources += [
       "ActiveTCPConnectionState.h",
+      "PeerTCPParamsStorage.cpp",
+      "PeerTCPParamsStorage.h",
       "TCP.cpp",
       "TCP.h",
       "TCPConfig.h",
diff --git a/src/transport/raw/PeerTCPParamsStorage.cpp b/src/transport/raw/PeerTCPParamsStorage.cpp
diff --git a/src/transport/raw/PeerTCPParamsStorage.h b/src/transport/raw/PeerTCPParamsStorage.h
diff --git a/src/transport/raw/TCPConfig.h b/src/transport/raw/TCPConfig.h
diff --git a/src/transport/raw/tests/BUILD.gn b/src/transport/raw/tests/BUILD.gn
diff --git a/src/transport/raw/tests/TestPeerTCPParamsStorage.cpp b/src/transport/raw/tests/TestPeerTCPParamsStorage.cpp
