1 /* Copyright (C) 2020 Open Information Security Foundation
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
18 // written by Sascha Steinbiss <sascha@steinbiss.name>
20 use super::mqtt_message::*;
22 use crate::applayer::{self, LoggerFlags};
23 use crate::applayer::*;
24 use crate::core::{self, AppProto, Flow, ALPROTO_FAILED, ALPROTO_UNKNOWN, IPPROTO_TCP};
25 use num_traits::FromPrimitive;
28 use std::ffi::{CStr,CString};
30 // Used as a special pseudo packet identifier to denote the first CONNECT
31 // packet in a connection. Note that there is no risk of collision with a
32 // parsed packet identifier because in the protocol these are only 16 bit
34 const MQTT_CONNECT_PKT_ID: u32 = std::u32::MAX;
35 // Maximum message length in bytes. If the length of a message exceeds
36 // this value, it will be truncated. Default: 1MB.
37 static mut MAX_MSG_LEN: u32 = 1048576;
39 static mut ALPROTO_MQTT: AppProto = ALPROTO_UNKNOWN;
41 #[derive(FromPrimitive, Debug)]
56 pub struct MQTTTransaction {
59 pub msg: Vec<MQTTMessage>,
65 de_state: Option<*mut core::DetectEngineState>,
66 events: *mut core::AppLayerDecoderEvents,
67 tx_data: applayer::AppLayerTxData,
70 impl MQTTTransaction {
71 pub fn new(msg: MQTTMessage) -> MQTTTransaction {
72 let mut m = MQTTTransaction {
76 logged: LoggerFlags::new(),
81 events: std::ptr::null_mut(),
82 tx_data: applayer::AppLayerTxData::new(),
88 pub fn free(&mut self) {
89 if self.events != std::ptr::null_mut() {
90 core::sc_app_layer_decoder_events_free_events(&mut self.events);
92 if let Some(state) = self.de_state {
93 core::sc_detect_engine_state_free(state);
98 impl Drop for MQTTTransaction {
104 pub struct MQTTState {
106 pub protocol_version: u8,
107 transactions: Vec<MQTTTransaction>,
110 skip_response: usize,
115 pub fn new() -> Self {
119 transactions: Vec::new(),
123 max_msg_len: unsafe { MAX_MSG_LEN as usize },
127 fn free_tx(&mut self, tx_id: u64) {
128 let len = self.transactions.len();
129 let mut found = false;
132 let tx = &self.transactions[i];
133 if tx.tx_id == tx_id + 1 {
140 self.transactions.remove(index);
144 pub fn get_tx(&mut self, tx_id: u64) -> Option<&MQTTTransaction> {
145 for tx in &mut self.transactions {
146 if tx.tx_id == tx_id + 1 {
153 pub fn get_tx_by_pkt_id(&mut self, pkt_id: u32) -> Option<&mut MQTTTransaction> {
154 for tx in &mut self.transactions {
156 if let Some(mpktid) = tx.pkt_id {
157 if mpktid == pkt_id {
166 fn new_tx(&mut self, msg: MQTTMessage, toclient: bool) -> MQTTTransaction {
167 let mut tx = MQTTTransaction::new(msg);
169 tx.tx_id = self.tx_id;
178 // Handle a MQTT message depending on the direction and state.
179 // Note that we are trying to only have one mutable reference to msg
180 // and its components, however, since we are in a large match operation,
181 // we cannot pass around and/or store more references or move things
182 // without having to introduce lifetimes etc.
183 // This is the reason for the code duplication below. Maybe there is a
184 // more concise way to do it, but this works for now.
185 fn handle_msg(&mut self, msg: MQTTMessage, toclient: bool) {
187 MQTTOperation::CONNECT(ref conn) => {
188 self.protocol_version = conn.protocol_version;
190 let mut tx = self.new_tx(msg, toclient);
191 MQTTState::set_event(&mut tx, MQTTEvent::DoubleConnect);
192 self.transactions.push(tx);
194 let mut tx = self.new_tx(msg, toclient);
195 tx.pkt_id = Some(MQTT_CONNECT_PKT_ID);
196 self.transactions.push(tx);
199 MQTTOperation::PUBLISH(ref publish) => {
201 let mut tx = self.new_tx(msg, toclient);
202 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
203 self.transactions.push(tx);
206 match msg.header.qos_level {
208 // with QOS level 0, we do not need to wait for a
210 let mut tx = self.new_tx(msg, toclient);
212 self.transactions.push(tx);
215 if let Some(pkt_id) = publish.message_id {
216 let mut tx = self.new_tx(msg, toclient);
217 tx.pkt_id = Some(pkt_id as u32);
218 self.transactions.push(tx);
220 let mut tx = self.new_tx(msg, toclient);
221 MQTTState::set_event(&mut tx, MQTTEvent::MissingMsgId);
222 self.transactions.push(tx);
226 let mut tx = self.new_tx(msg, toclient);
227 MQTTState::set_event(&mut tx, MQTTEvent::InvalidQosLevel);
228 self.transactions.push(tx);
232 MQTTOperation::SUBSCRIBE(ref subscribe) => {
234 let mut tx = self.new_tx(msg, toclient);
235 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
236 self.transactions.push(tx);
239 let pkt_id = subscribe.message_id as u32;
240 match msg.header.qos_level {
242 // with QOS level 0, we do not need to wait for a
244 let mut tx = self.new_tx(msg, toclient);
246 self.transactions.push(tx);
249 let mut tx = self.new_tx(msg, toclient);
250 tx.pkt_id = Some(pkt_id);
251 self.transactions.push(tx);
254 let mut tx = self.new_tx(msg, toclient);
255 MQTTState::set_event(&mut tx, MQTTEvent::InvalidQosLevel);
256 self.transactions.push(tx);
260 MQTTOperation::UNSUBSCRIBE(ref unsubscribe) => {
262 let mut tx = self.new_tx(msg, toclient);
263 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
264 self.transactions.push(tx);
267 let pkt_id = unsubscribe.message_id as u32;
268 match msg.header.qos_level {
270 // with QOS level 0, we do not need to wait for a
272 let mut tx = self.new_tx(msg, toclient);
274 self.transactions.push(tx);
277 let mut tx = self.new_tx(msg, toclient);
278 tx.pkt_id = Some(pkt_id);
279 self.transactions.push(tx);
282 let mut tx = self.new_tx(msg, toclient);
283 MQTTState::set_event(&mut tx, MQTTEvent::InvalidQosLevel);
284 self.transactions.push(tx);
288 MQTTOperation::CONNACK(ref _connack) => {
289 if let Some(tx) = self.get_tx_by_pkt_id(MQTT_CONNECT_PKT_ID) {
291 (*tx).complete = true;
293 self.connected = true;
295 let mut tx = self.new_tx(msg, toclient);
296 MQTTState::set_event(&mut tx, MQTTEvent::MissingConnect);
297 self.transactions.push(tx);
300 MQTTOperation::PUBREC(ref v)
301 | MQTTOperation::PUBREL(ref v) => {
303 let mut tx = self.new_tx(msg, toclient);
304 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
305 self.transactions.push(tx);
308 if let Some(tx) = self.get_tx_by_pkt_id(v.message_id as u32) {
311 let mut tx = self.new_tx(msg, toclient);
312 MQTTState::set_event(&mut tx, MQTTEvent::MissingPublish);
313 self.transactions.push(tx);
316 MQTTOperation::PUBACK(ref v)
317 | MQTTOperation::PUBCOMP(ref v) => {
319 let mut tx = self.new_tx(msg, toclient);
320 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
321 self.transactions.push(tx);
324 if let Some(tx) = self.get_tx_by_pkt_id(v.message_id as u32) {
326 (*tx).complete = true;
329 let mut tx = self.new_tx(msg, toclient);
330 MQTTState::set_event(&mut tx, MQTTEvent::MissingPublish);
331 self.transactions.push(tx);
334 MQTTOperation::SUBACK(ref suback) => {
336 let mut tx = self.new_tx(msg, toclient);
337 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
338 self.transactions.push(tx);
341 if let Some(tx) = self.get_tx_by_pkt_id(suback.message_id as u32) {
343 (*tx).complete = true;
346 let mut tx = self.new_tx(msg, toclient);
347 MQTTState::set_event(&mut tx, MQTTEvent::MissingSubscribe);
348 self.transactions.push(tx);
351 MQTTOperation::UNSUBACK(ref unsuback) => {
353 let mut tx = self.new_tx(msg, toclient);
354 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
355 self.transactions.push(tx);
358 if let Some(tx) = self.get_tx_by_pkt_id(unsuback.message_id as u32) {
360 (*tx).complete = true;
363 let mut tx = self.new_tx(msg, toclient);
364 MQTTState::set_event(&mut tx, MQTTEvent::MissingUnsubscribe);
365 self.transactions.push(tx);
368 MQTTOperation::UNASSIGNED => {
369 let mut tx = self.new_tx(msg, toclient);
371 MQTTState::set_event(&mut tx, MQTTEvent::UnassignedMsgtype);
372 self.transactions.push(tx);
374 MQTTOperation::TRUNCATED(_) => {
375 let mut tx = self.new_tx(msg, toclient);
377 self.transactions.push(tx);
379 MQTTOperation::AUTH(_)
380 | MQTTOperation::DISCONNECT(_) => {
382 let mut tx = self.new_tx(msg, toclient);
383 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
384 self.transactions.push(tx);
387 let mut tx = self.new_tx(msg, toclient);
389 self.transactions.push(tx);
391 MQTTOperation::PINGREQ
392 | MQTTOperation::PINGRESP => {
394 let mut tx = self.new_tx(msg, toclient);
395 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
396 self.transactions.push(tx);
399 let mut tx = self.new_tx(msg, toclient);
401 self.transactions.push(tx);
406 fn parse_request(&mut self, input: &[u8]) -> AppLayerResult {
407 let mut current = input;
408 if input.len() == 0 {
409 return AppLayerResult::ok();
412 let mut consumed = 0;
413 SCLogDebug!("skip_request {} input len {}", self.skip_request, input.len());
414 if self.skip_request > 0 {
415 if input.len() <= self.skip_request {
416 SCLogDebug!("reducing skip_request by {}", input.len());
417 self.skip_request -= input.len();
418 return AppLayerResult::ok();
420 current = &input[self.skip_request..];
421 SCLogDebug!("skip end reached, skipping {} :{:?}", self.skip_request, current);
422 consumed = self.skip_request;
423 self.skip_request = 0;
428 while current.len() > 0 {
429 let mut skipped = false;
430 SCLogDebug!("request: handling {}", current.len());
431 match parse_message(current, self.protocol_version, self.max_msg_len) {
433 SCLogDebug!("request msg {:?}", msg);
434 if let MQTTOperation::TRUNCATED(ref trunc) = msg.op {
435 SCLogDebug!("found truncated with skipped {} current len {}", trunc.skipped_length, current.len());
436 if trunc.skipped_length >= current.len() {
438 self.skip_request = trunc.skipped_length - current.len();
440 current = ¤t[trunc.skipped_length..];
441 self.skip_request = 0;
444 self.handle_msg(msg, false);
446 return AppLayerResult::ok();
448 consumed += current.len() - rem.len();
451 Err(nom::Err::Incomplete(_)) => {
452 SCLogDebug!("incomplete request: consumed {} needed {} (input len {})", consumed, (current.len() + 1), input.len());
453 return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
456 return AppLayerResult::err();
461 return AppLayerResult::ok();
464 fn parse_response(&mut self, input: &[u8]) -> AppLayerResult {
465 let mut current = input;
466 if input.len() == 0 {
467 return AppLayerResult::ok();
470 let mut consumed = 0;
471 SCLogDebug!("skip_response {} input len {}", self.skip_response, current.len());
472 if self.skip_response > 0 {
473 if input.len() <= self.skip_response {
474 self.skip_response -= current.len();
475 return AppLayerResult::ok();
477 current = &input[self.skip_response..];
478 SCLogDebug!("skip end reached, skipping {} :{:?}", self.skip_request, current);
479 consumed = self.skip_response;
480 self.skip_response = 0;
484 while current.len() > 0 {
485 let mut skipped = false;
486 SCLogDebug!("response: handling {}", current.len());
487 match parse_message(current, self.protocol_version, self.max_msg_len as usize) {
489 SCLogDebug!("response msg {:?}", msg);
490 if let MQTTOperation::TRUNCATED(ref trunc) = msg.op {
491 SCLogDebug!("found truncated with skipped {} current len {}", trunc.skipped_length, current.len());
492 if trunc.skipped_length >= current.len() {
494 self.skip_response = trunc.skipped_length - current.len();
496 current = ¤t[trunc.skipped_length..];
497 self.skip_response = 0;
499 SCLogDebug!("skip_response now {}", self.skip_response);
501 self.handle_msg(msg, true);
503 return AppLayerResult::ok();
505 consumed += current.len() - rem.len();
508 Err(nom::Err::Incomplete(_)) => {
509 SCLogDebug!("incomplete response: consumed {} needed {} (input len {})", consumed, (current.len() + 1), input.len());
510 return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
513 return AppLayerResult::err();
518 return AppLayerResult::ok();
521 fn set_event(tx: &mut MQTTTransaction, event: MQTTEvent) {
522 let ev = event as u8;
523 core::sc_app_layer_decoder_events_set_event_raw(&mut tx.events, ev);
530 ) -> Option<(&MQTTTransaction, u64, bool)> {
531 let mut index = *state as usize;
532 let len = self.transactions.len();
535 let tx = &self.transactions[index];
536 if tx.tx_id < min_tx_id + 1 {
540 *state = index as u64;
541 return Some((tx, tx.tx_id - 1, (len - index) > 1));
550 export_tx_get_detect_state!(rs_mqtt_tx_get_detect_state, MQTTTransaction);
551 export_tx_set_detect_state!(rs_mqtt_tx_set_detect_state, MQTTTransaction);
554 pub unsafe extern "C" fn rs_mqtt_probing_parser(
561 let buf = build_slice!(input, input_len as usize);
562 match parse_fixed_header(buf) {
564 // reject unassigned message type
565 if hdr.message_type == MQTTTypeCode::UNASSIGNED {
566 return ALPROTO_FAILED;
568 // with 2 being the highest valid QoS level
569 if hdr.qos_level > 2 {
570 return ALPROTO_FAILED;
574 Err(nom::Err::Incomplete(_)) => ALPROTO_UNKNOWN,
575 Err(_) => ALPROTO_FAILED
580 pub extern "C" fn rs_mqtt_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void {
581 let state = MQTTState::new();
582 let boxed = Box::new(state);
583 return Box::into_raw(boxed) as *mut _;
587 pub extern "C" fn rs_mqtt_state_free(state: *mut std::os::raw::c_void) {
588 std::mem::drop(unsafe { Box::from_raw(state as *mut MQTTState) });
592 pub unsafe extern "C" fn rs_mqtt_state_tx_free(state: *mut std::os::raw::c_void, tx_id: u64) {
593 let state = cast_pointer!(state, MQTTState);
594 state.free_tx(tx_id);
598 pub unsafe extern "C" fn rs_mqtt_parse_request(
600 state: *mut std::os::raw::c_void,
601 _pstate: *mut std::os::raw::c_void,
604 _data: *const std::os::raw::c_void,
606 ) -> AppLayerResult {
607 let state = cast_pointer!(state, MQTTState);
608 let buf = build_slice!(input, input_len as usize);
609 return state.parse_request(buf).into();
613 pub unsafe extern "C" fn rs_mqtt_parse_response(
615 state: *mut std::os::raw::c_void,
616 _pstate: *mut std::os::raw::c_void,
619 _data: *const std::os::raw::c_void,
621 ) -> AppLayerResult {
622 let state = cast_pointer!(state, MQTTState);
623 let buf = build_slice!(input, input_len as usize);
624 return state.parse_response(buf).into();
628 pub unsafe extern "C" fn rs_mqtt_state_get_tx(
629 state: *mut std::os::raw::c_void,
631 ) -> *mut std::os::raw::c_void {
632 let state = cast_pointer!(state, MQTTState);
633 match state.get_tx(tx_id) {
635 return tx as *const _ as *mut _;
638 return std::ptr::null_mut();
644 pub unsafe extern "C" fn rs_mqtt_state_get_tx_count(state: *mut std::os::raw::c_void) -> u64 {
645 let state = cast_pointer!(state, MQTTState);
650 pub unsafe extern "C" fn rs_mqtt_tx_is_toclient(tx: *const std::os::raw::c_void) -> std::os::raw::c_int {
651 let tx = cast_pointer!(tx, MQTTTransaction);
659 pub unsafe extern "C" fn rs_mqtt_tx_get_alstate_progress(
660 tx: *mut std::os::raw::c_void,
662 ) -> std::os::raw::c_int {
663 let tx = cast_pointer!(tx, MQTTTransaction);
665 if direction == core::STREAM_TOSERVER {
669 } else if direction == core::STREAM_TOCLIENT {
679 pub unsafe extern "C" fn rs_mqtt_tx_get_logged(
680 _state: *mut std::os::raw::c_void,
681 tx: *mut std::os::raw::c_void,
683 let tx = cast_pointer!(tx, MQTTTransaction);
684 return tx.logged.get();
688 pub unsafe extern "C" fn rs_mqtt_tx_set_logged(
689 _state: *mut std::os::raw::c_void,
690 tx: *mut std::os::raw::c_void,
693 let tx = cast_pointer!(tx, MQTTTransaction);
694 tx.logged.set(logged);
698 pub unsafe extern "C" fn rs_mqtt_state_get_events(
699 tx: *mut std::os::raw::c_void,
700 ) -> *mut core::AppLayerDecoderEvents {
701 let tx = cast_pointer!(tx, MQTTTransaction);
706 pub unsafe extern "C" fn rs_mqtt_state_get_event_info_by_id(event_id: std::os::raw::c_int,
707 event_name: *mut *const std::os::raw::c_char,
708 event_type: *mut core::AppLayerEventType)
711 if let Some(e) = FromPrimitive::from_i32(event_id as i32) {
713 MQTTEvent::MissingConnect => { "missing_connect\0" },
714 MQTTEvent::MissingPublish => { "missing_publish\0" },
715 MQTTEvent::MissingSubscribe => { "missing_subscribe\0" },
716 MQTTEvent::MissingUnsubscribe => { "missing_unsubscribe\0" },
717 MQTTEvent::DoubleConnect => { "double_connect\0" },
718 MQTTEvent::UnintroducedMessage => { "unintroduced_message\0" },
719 MQTTEvent::InvalidQosLevel => { "invalid_qos_level\0" },
720 MQTTEvent::MissingMsgId => { "missing_msg_id\0" },
721 MQTTEvent::UnassignedMsgtype => { "unassigned_msg_type\0" },
723 *event_name = estr.as_ptr() as *const std::os::raw::c_char;
724 *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION;
732 pub unsafe extern "C" fn rs_mqtt_state_get_event_info(event_name: *const std::os::raw::c_char,
733 event_id: *mut std::os::raw::c_int,
734 event_type: *mut core::AppLayerEventType)
735 -> std::os::raw::c_int
737 if event_name == std::ptr::null() { return -1; }
738 let c_event_name: &CStr = CStr::from_ptr(event_name);
739 let event = match c_event_name.to_str() {
742 "missing_connect" => MQTTEvent::MissingConnect as i32,
743 "missing_publish" => MQTTEvent::MissingPublish as i32,
744 "missing_subscribe" => MQTTEvent::MissingSubscribe as i32,
745 "missing_unsubscribe" => MQTTEvent::MissingUnsubscribe as i32,
746 "double_connect" => MQTTEvent::DoubleConnect as i32,
747 "unintroduced_message" => MQTTEvent::UnintroducedMessage as i32,
748 "invalid_qos_level" => MQTTEvent::InvalidQosLevel as i32,
749 "missing_msg_id" => MQTTEvent::MissingMsgId as i32,
750 "unassigned_msg_type" => MQTTEvent::UnassignedMsgtype as i32,
751 _ => -1, // unknown event
754 Err(_) => -1, // UTF-8 conversion failed
756 *event_type = core::APP_LAYER_EVENT_TYPE_TRANSACTION;
757 *event_id = event as std::os::raw::c_int;
762 pub unsafe extern "C" fn rs_mqtt_state_get_tx_iterator(
765 state: *mut std::os::raw::c_void,
769 ) -> applayer::AppLayerGetTxIterTuple {
770 let state = cast_pointer!(state, MQTTState);
771 match state.tx_iterator(min_tx_id, istate) {
772 Some((tx, out_tx_id, has_next)) => {
773 let c_tx = tx as *const _ as *mut _;
774 let ires = applayer::AppLayerGetTxIterTuple::with_values(c_tx, out_tx_id, has_next);
778 return applayer::AppLayerGetTxIterTuple::not_found();
783 // Parser name as a C style string.
784 const PARSER_NAME: &'static [u8] = b"mqtt\0";
786 export_tx_data_get!(rs_mqtt_get_tx_data, MQTTTransaction);
789 pub unsafe extern "C" fn rs_mqtt_register_parser(cfg_max_msg_len: u32) {
790 let default_port = CString::new("[1883]").unwrap();
791 let max_msg_len = &mut MAX_MSG_LEN;
792 *max_msg_len = cfg_max_msg_len;
793 let parser = RustParser {
794 name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
795 default_port: default_port.as_ptr(),
796 ipproto: IPPROTO_TCP,
797 probe_ts: Some(rs_mqtt_probing_parser),
798 probe_tc: Some(rs_mqtt_probing_parser),
801 state_new: rs_mqtt_state_new,
802 state_free: rs_mqtt_state_free,
803 tx_free: rs_mqtt_state_tx_free,
804 parse_ts: rs_mqtt_parse_request,
805 parse_tc: rs_mqtt_parse_response,
806 get_tx_count: rs_mqtt_state_get_tx_count,
807 get_tx: rs_mqtt_state_get_tx,
810 tx_get_progress: rs_mqtt_tx_get_alstate_progress,
811 get_de_state: rs_mqtt_tx_get_detect_state,
812 set_de_state: rs_mqtt_tx_set_detect_state,
813 get_events: Some(rs_mqtt_state_get_events),
814 get_eventinfo: Some(rs_mqtt_state_get_event_info),
815 get_eventinfo_byid: Some(rs_mqtt_state_get_event_info_by_id),
816 localstorage_new: None,
817 localstorage_free: None,
819 get_tx_iterator: Some(rs_mqtt_state_get_tx_iterator),
820 get_tx_data: rs_mqtt_get_tx_data,
821 apply_tx_config: None,
822 flags: APP_LAYER_PARSER_OPT_UNIDIR_TXS,
826 let ip_proto_str = CString::new("tcp").unwrap();
828 if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
829 let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
830 ALPROTO_MQTT = alproto;
831 if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
832 let _ = AppLayerRegisterParser(&parser, alproto);
835 SCLogDebug!("Protocol detector and parser disabled for MQTT.");