Mitigation to unauthenticated TCP support advertisement in DNS-SD

that made it susceptible to potential DoS attacks.

As part of this resolution,
Add TCP support and Max receive size info within negotiated CASE
Session parameters.

--Nodes publish TCP support information during CASE session(over MRP)
  negotiations.
--Add TCP param storage logic to persist received TCP support info
  to storage during CASE session establishment and retrieve it during
  future TCP session setup.
--During TCP session setup, first check if the TCP support info
  for peer is available in storage before, going to the DNS-SD
  advertised values.

Author: pidarped

src/app/OperationalSessionSetup.cpp

@@ -33,6 +33,7 @@
 #include <lib/address_resolve/AddressResolve.h>
 #include <lib/core/CHIPCore.h>
 #include <lib/core/CHIPEncoding.h>
+#include <lib/dnssd/Advertiser.h>
 #include <lib/dnssd/Resolver.h>
 #include <lib/support/CodeUtils.h>
 #include <lib/support/logging/CHIPLogging.h>
@@ -300,19 +301,40 @@ CHIP_ERROR OperationalSessionSetup::EstablishConnection(const ResolveResult & re
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
     if (mTransportPayloadCapability == TransportPayloadCapability::kLargePayload)
     {
-        if (result.supportsTcpServer)
+        // First check if the TCPSupport information is available from prior
+        // CASE session negotiations with peer.
+        // Else, fall back to TCP support information from DNS-SD
+        // advertisements.
+        uint16_t supportedTransports;
+        uint32_t maxTCPMessageSize;
+        VerifyOrDie(mInitParams.sessionManager != nullptr);
+        CHIP_ERROR err =
+            mInitParams.sessionManager->GetPeerTCPParamsStorage().FindByScopedNodeId(mPeerId, supportedTransports, maxTCPMessageSize);
+        if (err == CHIP_NO_ERROR)
         {
-            // Set the transport type for carrying large payloads
-            mDeviceAddress.SetTransportType(chip::Transport::Type::kTcp);
+            if ((supportedTransports & to_underlying(Dnssd::TCPModeAdvertise::kTCPServer)) != 0)
+            {
+                // Set the transport type for carrying large payloads
+                mDeviceAddress.SetTransportType(chip::Transport::Type::kTcp);
+            }
         }
-        else
+        else // Failed to retrieve TCP Params from storage
         {
-            // we should not set the large payload while the TCP support is not enabled
-            ChipLogError(
-                Discovery,
-                "LargePayload session requested but peer does not support TCP server, PeerNodeId=" ChipLogFormatScopedNodeId,
-                ChipLogValueScopedNodeId(mPeerId));
-            return CHIP_ERROR_INTERNAL;
+            // Check DNS-SD advertisement values if information not available via CASE session parameters
+            if (result.supportsTcpServer)
+            {
+                // Set the transport type for carrying large payloads
+                mDeviceAddress.SetTransportType(chip::Transport::Type::kTcp);
+            }
+            else
+            {
+                // we should not set the large payload while the TCP support is not enabled from the peer's side.
+                ChipLogError(
+                    Discovery,
+                    "LargePayload session requested but peer does not support TCP server, PeerNodeId=" ChipLogFormatScopedNodeId,
+                    ChipLogValueScopedNodeId(mPeerId));
+                return CHIP_ERROR_INTERNAL;
+            }
         }
     }
 #endif

src/controller/python/chip/utils/DeviceProxyUtils.cpp

@@ -44,6 +44,10 @@ struct __attribute__((packed)) SessionParametersStruct
     uint16_t interactionModelRevision = 0;
     uint32_t specificationVersion     = 0;
     uint16_t maxPathsPerInvoke        = 0;
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    uint16_t supportedTransports      = 0;
+    uint32_t maxTCPMessageSize        = 0;
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 };
 
 } // namespace python
@@ -99,6 +103,10 @@ PyChipError pychip_DeviceProxy_GetRemoteSessionParameters(DeviceProxy * device,
     sessionParam->interactionModelRevision = remoteSessionParameters.GetInteractionModelRevision().ValueOr(0);
     sessionParam->specificationVersion     = remoteSessionParameters.GetSpecificationVersion().ValueOr(0);
     sessionParam->maxPathsPerInvoke        = remoteSessionParameters.GetMaxPathsPerInvoke();
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    sessionParam->supportedTransports      = remoteSessionParameters.GetSupportedTransports().ValueOr(0);
+    sessionParam->maxTCPMessageSize        = remoteSessionParameters.GetMaxTCPMessageSize().ValueOr(System::PacketBuffer::kLargeBufMaxSizeWithoutReserve - 4);
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
     return ToPyChipError(CHIP_NO_ERROR);
 }
 }

src/lib/support/DefaultStorageKeyAllocator.h

@@ -256,6 +256,15 @@ class DefaultStorageKeyAllocator
     // when new fabric is created, this list needs to be updated,
     // when client init DefaultICDClientStorage, this table needs to be loaded.
     static StorageKeyName ICDFabricList() { return StorageKeyName::FromConst("g/icdfl"); }
+
+    // TCP peer parameters
+    static StorageKeyName TCPPeerParams(FabricIndex fabric, NodeId nodeId)
+    {
+        return StorageKeyName::Formatted("f/%x/tcp/%08" PRIX32 "%08" PRIX32, fabric, static_cast<uint32_t>(nodeId >> 32),
+                                         static_cast<uint32_t>(nodeId));
+    }
+    static StorageKeyName TCPPeerList() { return StorageKeyName::FromConst("g/tcpl"); }
+
 };
 
 } // namespace chip

src/messaging/SessionParameters.h

@@ -41,10 +41,18 @@ class SessionParameters
     static constexpr size_t kSizeOfInteractionModelRevision = sizeof(uint16_t);
     static constexpr size_t kSizeOfSpecificationVersion     = sizeof(uint32_t);
     static constexpr size_t kSizeOfMaxPathsPerInvoke        = sizeof(uint16_t);
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    static constexpr size_t kSizeOfSupportedTransports      = sizeof(uint16_t);
+    static constexpr size_t kSizeOfMaxTCPMessageSize        = sizeof(uint32_t);
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
     static constexpr size_t kEstimatedTLVSize = TLV::EstimateStructOverhead(
         kSizeOfSessionIdleInterval, kSizeOfSessionActiveInterval, kSizeOfSessionActiveThreshold, kSizeOfDataModelRevision,
-        kSizeOfInteractionModelRevision, kSizeOfSpecificationVersion, kSizeOfMaxPathsPerInvoke);
+        kSizeOfInteractionModelRevision, kSizeOfSpecificationVersion, kSizeOfMaxPathsPerInvoke
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+        , kSizeOfSupportedTransports, kSizeOfMaxTCPMessageSize
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
+        );
 
     // From Section 4.12.8 "Parameters and Constants" in chapter "Secure Channel".
     enum Tag : uint32_t
@@ -56,6 +64,8 @@ class SessionParameters
         kInteractionModelRevision = 5,
         kSpecificationVersion     = 6,
         kMaxPathsPerInvoke        = 7,
+        kSupportedTransports      = 8,
+        kMaxTCPMessageSize        = 9,
     };
 
     const ReliableMessageProtocolConfig & GetMRPConfig() const { return mMRPConfig; }
@@ -91,6 +101,13 @@ class SessionParameters
     uint16_t GetMaxPathsPerInvoke() const { return mMaxPathsPerInvoke; }
     void SetMaxPathsPerInvoke(const uint16_t maxPathsPerInvoke) { mMaxPathsPerInvoke = maxPathsPerInvoke; }
 
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    const Optional<uint16_t> & GetSupportedTransports() const { return mSupportedTransports; }
+    void SetSupportedTransports(const uint16_t supportedTransports) { mSupportedTransports = MakeOptional(supportedTransports); }
+
+    const Optional<uint32_t> & GetMaxTCPMessageSize() const { return mMaxTCPMessageSize; }
+    void SetMaxTCPMessageSize(const uint32_t maxTCPMessageSize) { mMaxTCPMessageSize = MakeOptional(maxTCPMessageSize); }
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 private:
     ReliableMessageProtocolConfig mMRPConfig;
     // For legacy reasons if we do not get DataModelRevision it means either 16 or 17. But there isn't
@@ -104,6 +121,11 @@ class SessionParameters
     Optional<uint32_t> mSpecificationVersion;
     // When maxPathsPerInvoke is not provided legacy is always 1
     uint16_t mMaxPathsPerInvoke = 1;
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    Optional<uint16_t> mSupportedTransports;
+    Optional<uint32_t> mMaxTCPMessageSize;
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 };
 
 } // namespace chip

src/protocols/secure_channel/CASESession.cpp

@@ -49,6 +49,7 @@
 #include <tracing/macros.h>
 #include <tracing/metric_event.h>
 #include <transport/SessionManager.h>
+#include <transport/raw/PeerTCPParamsStorage.h>
 
 namespace {
 
@@ -696,6 +697,24 @@ CHIP_ERROR CASESession::RecoverInitiatorIpk()
 }
 
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
+CHIP_ERROR CASESession::SaveTCPInfoFromRemoteSessionParams()
+{
+    if (GetRemoteSessionParameters().GetSupportedTransports().HasValue() && GetRemoteSessionParameters().GetMaxTCPMessageSize().HasValue())
+    {
+        ReturnErrorOnFailure(mSessionManager->GetPeerTCPParamsStorage().SaveTCPParams(GetPeer(),
+                                                                                      GetRemoteSessionParameters().GetSupportedTransports().Value(),
+                                                                                      GetRemoteSessionParameters().GetMaxTCPMessageSize().Value()));
+    }
+    else
+    {
+        // Store zeroes for the TCP parameters as sentinel values from CASE
+        // session for no TCP support.
+        ReturnErrorOnFailure(mSessionManager->GetPeerTCPParamsStorage().SaveTCPParams(GetPeer(), 0, 0));
+    }
+
+    return CHIP_NO_ERROR;
+}
+
 void CASESession::HandleConnectionAttemptComplete(Transport::ActiveTCPConnectionState * conn, CHIP_ERROR err)
 {
     VerifyOrReturn(conn != nullptr);
@@ -1298,6 +1317,10 @@ CHIP_ERROR CASESession::HandleSigma2Resume(System::PacketBufferHandle && msg)
         SuccessOrExit(err = DecodeMRPParametersIfPresent(TLV::ContextTag(4), tlvReader));
         mExchangeCtxt.Value()->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteSessionParameters(
             GetRemoteSessionParameters());
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+        ReturnErrorOnFailure(SaveTCPInfoFromRemoteSessionParams());
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
     }
 
     ChipLogDetail(SecureChannel, "Peer assigned session session ID %d", responderSessionId);
@@ -1500,6 +1523,10 @@ CHIP_ERROR CASESession::HandleSigma2(System::PacketBufferHandle && msg)
         SuccessOrExit(err = DecodeMRPParametersIfPresent(TLV::ContextTag(kTag_Sigma2_ResponderMRPParams), tlvReader));
         mExchangeCtxt.Value()->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteSessionParameters(
             GetRemoteSessionParameters());
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+        ReturnErrorOnFailure(SaveTCPInfoFromRemoteSessionParams());
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
     }
 
 exit:
@@ -2198,6 +2225,11 @@ CHIP_ERROR CASESession::ParseSigma1(TLV::ContiguousBufferTLVReader & tlvReader,
         ReturnErrorOnFailure(DecodeMRPParametersIfPresent(TLV::ContextTag(kInitiatorMRPParamsTag), tlvReader));
         mExchangeCtxt.Value()->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteSessionParameters(
             GetRemoteSessionParameters());
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+        ReturnErrorOnFailure(SaveTCPInfoFromRemoteSessionParams());
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
+
         err = tlvReader.Next();
     }
 

src/protocols/secure_channel/CASESession.h

@@ -287,6 +287,7 @@ class DLL_EXPORT CASESession : public Messaging::UnsolicitedMessageHandler,
     void InvalidateIfPendingEstablishmentOnFabric(FabricIndex fabricIndex);
 
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    CHIP_ERROR SaveTCPInfoFromRemoteSessionParams();
     static void HandleConnectionAttemptComplete(Transport::ActiveTCPConnectionState * conn, CHIP_ERROR conErr);
     static void HandleConnectionClosed(Transport::ActiveTCPConnectionState * conn, CHIP_ERROR conErr);
 

src/protocols/secure_channel/PairingSession.cpp

@@ -142,6 +142,16 @@ CHIP_ERROR PairingSession::EncodeSessionParameters(TLV::Tag tag, const ReliableM
 
     uint16_t maxPathsPerInvoke = CHIP_CONFIG_MAX_PATHS_PER_INVOKE;
     ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(SessionParameters::Tag::kMaxPathsPerInvoke), maxPathsPerInvoke));
+
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+    // Support for both TCP CLient and Server(0x06)
+    uint16_t supportedTransports = 0x06;
+    ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(SessionParameters::Tag::kSupportedTransports), supportedTransports));
+
+    uint32_t maxTCPMessageSize = System::PacketBuffer::kLargeBufMaxSizeWithoutReserve - 4/* Framing length field of 4 bytes */;
+    ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(SessionParameters::Tag::kMaxTCPMessageSize), maxTCPMessageSize));
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
+
     return tlvWriter.EndContainer(mrpParamsContainer);
 }
 
@@ -234,6 +244,31 @@ CHIP_ERROR PairingSession::DecodeMRPParametersIfPresent(TLV::Tag expectedTag, TL
         SuccessOrExit(err = tlvReader.Next());
     }
 
+#if INET_CONFIG_ENABLE_TCP_ENDPOINT
+
+    if (TLV::TagNumFromTag(tlvReader.GetTag()) == SessionParameters::Tag::kSupportedTransports)
+    {
+        ChipLogDetail(SecureChannel, "Found TCPSupport parameter in the message");
+        uint16_t supportedTransports;
+        ReturnErrorOnFailure(tlvReader.Get(supportedTransports));
+        mRemoteSessionParams.SetSupportedTransports(supportedTransports);
+
+        // The next element is optional. If it's not present, return CHIP_NO_ERROR.
+        SuccessOrExit(err = tlvReader.Next());
+    }
+
+    if (TLV::TagNumFromTag(tlvReader.GetTag()) == SessionParameters::Tag::kMaxTCPMessageSize)
+    {
+        ChipLogDetail(SecureChannel, "Found TCP Max message size parameter in the message");
+        uint32_t maxTCPMessageSize;
+        ReturnErrorOnFailure(tlvReader.Get(maxTCPMessageSize));
+        mRemoteSessionParams.SetMaxTCPMessageSize(maxTCPMessageSize);
+
+        // The next element is optional. If it's not present, return CHIP_NO_ERROR.
+        SuccessOrExit(err = tlvReader.Next());
+    }
+#endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
+
     // Future proofing - Don't error out if there are other tags
 exit:
     if (err == CHIP_END_OF_TLV)

src/transport/SessionManager.cpp

@@ -150,6 +150,8 @@ CHIP_ERROR SessionManager::Init(System::Layer * systemLayer, TransportMgrBase *
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
     mConnCompleteCb = nullptr;
     mConnClosedCb   = nullptr;
+
+    ReturnErrorOnFailure(mPeerTCPParamsStorage.Init(storageDelegate));
 #endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
     return CHIP_NO_ERROR;

src/transport/SessionManager.h

@@ -54,6 +54,7 @@
 
 #if INET_CONFIG_ENABLE_TCP_ENDPOINT
 #include <transport/SessionConnectionDelegate.h>
+#include <transport/raw/PeerTCPParamsStorage.h>
 #endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
 namespace chip {
@@ -494,6 +495,7 @@ class DLL_EXPORT SessionManager : public TransportMgrDelegate, public FabricTabl
 
     using OnTCPConnectionClosedCallback = void (*)(Transport::ActiveTCPConnectionState * conn, CHIP_ERROR conErr);
 
+    Transport::PeerTCPParamsStorage & GetPeerTCPParamsStorage() { return mPeerTCPParamsStorage; }
 #endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
     Optional<SessionHandle> CreateUnauthenticatedSession(const Transport::PeerAddress & peerAddress,
@@ -566,6 +568,7 @@ class DLL_EXPORT SessionManager : public TransportMgrDelegate, public FabricTabl
     // Hold the TCPConnection callback context for the receiver application in the SessionManager.
     // On receipt of a connection from a peer, the SessionManager
     Transport::AppTCPConnectionCallbackCtxt * mServerTCPConnCbCtxt = nullptr;
+    Transport::PeerTCPParamsStorage mPeerTCPParamsStorage;
 #endif // INET_CONFIG_ENABLE_TCP_ENDPOINT
 
     SessionMessageDelegate * mCB = nullptr;

src/transport/raw/BUILD.gn

@@ -32,6 +32,8 @@ static_library("raw") {
   if (chip_inet_config_enable_tcp_endpoint) {
     sources += [
       "ActiveTCPConnectionState.h",
+      "PeerTCPParamsStorage.h",
+      "PeerTCPParamsStorage.cpp",
       "TCP.cpp",
       "TCP.h",
       "TCPConfig.h",