1 /* Copyright (C) 2020 Open Information Security Foundation
3 * You can copy, redistribute or modify this Program under the terms of
4 * the GNU General Public License version 2 as published by the Free
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * version 2 along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
18 // written by Sascha Steinbiss <sascha@steinbiss.name>
20 use super::mqtt_message::*;
22 use crate::applayer::{self, LoggerFlags};
23 use crate::applayer::*;
24 use crate::core::{self, AppProto, Flow, ALPROTO_FAILED, ALPROTO_UNKNOWN, IPPROTO_TCP};
27 use std::ffi::CString;
29 // Used as a special pseudo packet identifier to denote the first CONNECT
30 // packet in a connection. Note that there is no risk of collision with a
31 // parsed packet identifier because in the protocol these are only 16 bit
33 const MQTT_CONNECT_PKT_ID: u32 = std::u32::MAX;
34 // Maximum message length in bytes. If the length of a message exceeds
35 // this value, it will be truncated. Default: 1MB.
36 static mut MAX_MSG_LEN: u32 = 1048576;
38 static mut ALPROTO_MQTT: AppProto = ALPROTO_UNKNOWN;
40 #[derive(FromPrimitive, Debug, AppLayerEvent)]
54 pub struct MQTTTransaction {
57 pub msg: Vec<MQTTMessage>,
63 de_state: Option<*mut core::DetectEngineState>,
64 events: *mut core::AppLayerDecoderEvents,
65 tx_data: applayer::AppLayerTxData,
68 impl MQTTTransaction {
69 pub fn new(msg: MQTTMessage) -> MQTTTransaction {
70 let mut m = MQTTTransaction {
74 logged: LoggerFlags::new(),
79 events: std::ptr::null_mut(),
80 tx_data: applayer::AppLayerTxData::new(),
86 pub fn free(&mut self) {
87 if !self.events.is_null() {
88 core::sc_app_layer_decoder_events_free_events(&mut self.events);
90 if let Some(state) = self.de_state {
91 core::sc_detect_engine_state_free(state);
96 impl Drop for MQTTTransaction {
102 pub struct MQTTState {
104 pub protocol_version: u8,
105 transactions: Vec<MQTTTransaction>,
108 skip_response: usize,
113 pub fn new() -> Self {
117 transactions: Vec::new(),
121 max_msg_len: unsafe { MAX_MSG_LEN as usize },
125 fn free_tx(&mut self, tx_id: u64) {
126 let len = self.transactions.len();
127 let mut found = false;
130 let tx = &self.transactions[i];
131 if tx.tx_id == tx_id + 1 {
138 self.transactions.remove(index);
142 pub fn get_tx(&mut self, tx_id: u64) -> Option<&MQTTTransaction> {
143 for tx in &mut self.transactions {
144 if tx.tx_id == tx_id + 1 {
151 pub fn get_tx_by_pkt_id(&mut self, pkt_id: u32) -> Option<&mut MQTTTransaction> {
152 for tx in &mut self.transactions {
154 if let Some(mpktid) = tx.pkt_id {
155 if mpktid == pkt_id {
164 fn new_tx(&mut self, msg: MQTTMessage, toclient: bool) -> MQTTTransaction {
165 let mut tx = MQTTTransaction::new(msg);
167 tx.tx_id = self.tx_id;
176 // Handle a MQTT message depending on the direction and state.
177 // Note that we are trying to only have one mutable reference to msg
178 // and its components, however, since we are in a large match operation,
179 // we cannot pass around and/or store more references or move things
180 // without having to introduce lifetimes etc.
181 // This is the reason for the code duplication below. Maybe there is a
182 // more concise way to do it, but this works for now.
183 fn handle_msg(&mut self, msg: MQTTMessage, toclient: bool) {
185 MQTTOperation::CONNECT(ref conn) => {
186 self.protocol_version = conn.protocol_version;
188 let mut tx = self.new_tx(msg, toclient);
189 MQTTState::set_event(&mut tx, MQTTEvent::DoubleConnect);
190 self.transactions.push(tx);
192 let mut tx = self.new_tx(msg, toclient);
193 tx.pkt_id = Some(MQTT_CONNECT_PKT_ID);
194 self.transactions.push(tx);
197 MQTTOperation::PUBLISH(ref publish) => {
199 let mut tx = self.new_tx(msg, toclient);
200 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
201 self.transactions.push(tx);
204 match msg.header.qos_level {
206 // with QOS level 0, we do not need to wait for a
208 let mut tx = self.new_tx(msg, toclient);
210 self.transactions.push(tx);
213 if let Some(pkt_id) = publish.message_id {
214 let mut tx = self.new_tx(msg, toclient);
215 tx.pkt_id = Some(pkt_id as u32);
216 self.transactions.push(tx);
218 let mut tx = self.new_tx(msg, toclient);
219 MQTTState::set_event(&mut tx, MQTTEvent::MissingMsgId);
220 self.transactions.push(tx);
224 let mut tx = self.new_tx(msg, toclient);
225 MQTTState::set_event(&mut tx, MQTTEvent::InvalidQosLevel);
226 self.transactions.push(tx);
230 MQTTOperation::SUBSCRIBE(ref subscribe) => {
232 let mut tx = self.new_tx(msg, toclient);
233 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
234 self.transactions.push(tx);
237 let pkt_id = subscribe.message_id as u32;
238 match msg.header.qos_level {
240 // with QOS level 0, we do not need to wait for a
242 let mut tx = self.new_tx(msg, toclient);
244 self.transactions.push(tx);
247 let mut tx = self.new_tx(msg, toclient);
248 tx.pkt_id = Some(pkt_id);
249 self.transactions.push(tx);
252 let mut tx = self.new_tx(msg, toclient);
253 MQTTState::set_event(&mut tx, MQTTEvent::InvalidQosLevel);
254 self.transactions.push(tx);
258 MQTTOperation::UNSUBSCRIBE(ref unsubscribe) => {
260 let mut tx = self.new_tx(msg, toclient);
261 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
262 self.transactions.push(tx);
265 let pkt_id = unsubscribe.message_id as u32;
266 match msg.header.qos_level {
268 // with QOS level 0, we do not need to wait for a
270 let mut tx = self.new_tx(msg, toclient);
272 self.transactions.push(tx);
275 let mut tx = self.new_tx(msg, toclient);
276 tx.pkt_id = Some(pkt_id);
277 self.transactions.push(tx);
280 let mut tx = self.new_tx(msg, toclient);
281 MQTTState::set_event(&mut tx, MQTTEvent::InvalidQosLevel);
282 self.transactions.push(tx);
286 MQTTOperation::CONNACK(ref _connack) => {
287 if let Some(tx) = self.get_tx_by_pkt_id(MQTT_CONNECT_PKT_ID) {
289 (*tx).complete = true;
291 self.connected = true;
293 let mut tx = self.new_tx(msg, toclient);
294 MQTTState::set_event(&mut tx, MQTTEvent::MissingConnect);
295 self.transactions.push(tx);
298 MQTTOperation::PUBREC(ref v)
299 | MQTTOperation::PUBREL(ref v) => {
301 let mut tx = self.new_tx(msg, toclient);
302 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
303 self.transactions.push(tx);
306 if let Some(tx) = self.get_tx_by_pkt_id(v.message_id as u32) {
309 let mut tx = self.new_tx(msg, toclient);
310 MQTTState::set_event(&mut tx, MQTTEvent::MissingPublish);
311 self.transactions.push(tx);
314 MQTTOperation::PUBACK(ref v)
315 | MQTTOperation::PUBCOMP(ref v) => {
317 let mut tx = self.new_tx(msg, toclient);
318 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
319 self.transactions.push(tx);
322 if let Some(tx) = self.get_tx_by_pkt_id(v.message_id as u32) {
324 (*tx).complete = true;
327 let mut tx = self.new_tx(msg, toclient);
328 MQTTState::set_event(&mut tx, MQTTEvent::MissingPublish);
329 self.transactions.push(tx);
332 MQTTOperation::SUBACK(ref suback) => {
334 let mut tx = self.new_tx(msg, toclient);
335 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
336 self.transactions.push(tx);
339 if let Some(tx) = self.get_tx_by_pkt_id(suback.message_id as u32) {
341 (*tx).complete = true;
344 let mut tx = self.new_tx(msg, toclient);
345 MQTTState::set_event(&mut tx, MQTTEvent::MissingSubscribe);
346 self.transactions.push(tx);
349 MQTTOperation::UNSUBACK(ref unsuback) => {
351 let mut tx = self.new_tx(msg, toclient);
352 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
353 self.transactions.push(tx);
356 if let Some(tx) = self.get_tx_by_pkt_id(unsuback.message_id as u32) {
358 (*tx).complete = true;
361 let mut tx = self.new_tx(msg, toclient);
362 MQTTState::set_event(&mut tx, MQTTEvent::MissingUnsubscribe);
363 self.transactions.push(tx);
366 MQTTOperation::UNASSIGNED => {
367 let mut tx = self.new_tx(msg, toclient);
369 MQTTState::set_event(&mut tx, MQTTEvent::UnassignedMsgType);
370 self.transactions.push(tx);
372 MQTTOperation::TRUNCATED(_) => {
373 let mut tx = self.new_tx(msg, toclient);
375 self.transactions.push(tx);
377 MQTTOperation::AUTH(_)
378 | MQTTOperation::DISCONNECT(_) => {
380 let mut tx = self.new_tx(msg, toclient);
381 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
382 self.transactions.push(tx);
385 let mut tx = self.new_tx(msg, toclient);
387 self.transactions.push(tx);
389 MQTTOperation::PINGREQ
390 | MQTTOperation::PINGRESP => {
392 let mut tx = self.new_tx(msg, toclient);
393 MQTTState::set_event(&mut tx, MQTTEvent::UnintroducedMessage);
394 self.transactions.push(tx);
397 let mut tx = self.new_tx(msg, toclient);
399 self.transactions.push(tx);
404 fn parse_request(&mut self, input: &[u8]) -> AppLayerResult {
405 let mut current = input;
406 if input.len() == 0 {
407 return AppLayerResult::ok();
410 let mut consumed = 0;
411 SCLogDebug!("skip_request {} input len {}", self.skip_request, input.len());
412 if self.skip_request > 0 {
413 if input.len() <= self.skip_request {
414 SCLogDebug!("reducing skip_request by {}", input.len());
415 self.skip_request -= input.len();
416 return AppLayerResult::ok();
418 current = &input[self.skip_request..];
419 SCLogDebug!("skip end reached, skipping {} :{:?}", self.skip_request, current);
420 consumed = self.skip_request;
421 self.skip_request = 0;
426 while current.len() > 0 {
427 let mut skipped = false;
428 SCLogDebug!("request: handling {}", current.len());
429 match parse_message(current, self.protocol_version, self.max_msg_len) {
431 SCLogDebug!("request msg {:?}", msg);
432 if let MQTTOperation::TRUNCATED(ref trunc) = msg.op {
433 SCLogDebug!("found truncated with skipped {} current len {}", trunc.skipped_length, current.len());
434 if trunc.skipped_length >= current.len() {
436 self.skip_request = trunc.skipped_length - current.len();
438 current = ¤t[trunc.skipped_length..];
439 self.skip_request = 0;
442 self.handle_msg(msg, false);
444 return AppLayerResult::ok();
446 consumed += current.len() - rem.len();
449 Err(Err::Incomplete(_)) => {
450 SCLogDebug!("incomplete request: consumed {} needed {} (input len {})", consumed, (current.len() + 1), input.len());
451 return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
454 return AppLayerResult::err();
459 return AppLayerResult::ok();
462 fn parse_response(&mut self, input: &[u8]) -> AppLayerResult {
463 let mut current = input;
464 if input.len() == 0 {
465 return AppLayerResult::ok();
468 let mut consumed = 0;
469 SCLogDebug!("skip_response {} input len {}", self.skip_response, current.len());
470 if self.skip_response > 0 {
471 if input.len() <= self.skip_response {
472 self.skip_response -= current.len();
473 return AppLayerResult::ok();
475 current = &input[self.skip_response..];
476 SCLogDebug!("skip end reached, skipping {} :{:?}", self.skip_request, current);
477 consumed = self.skip_response;
478 self.skip_response = 0;
482 while current.len() > 0 {
483 let mut skipped = false;
484 SCLogDebug!("response: handling {}", current.len());
485 match parse_message(current, self.protocol_version, self.max_msg_len as usize) {
487 SCLogDebug!("response msg {:?}", msg);
488 if let MQTTOperation::TRUNCATED(ref trunc) = msg.op {
489 SCLogDebug!("found truncated with skipped {} current len {}", trunc.skipped_length, current.len());
490 if trunc.skipped_length >= current.len() {
492 self.skip_response = trunc.skipped_length - current.len();
494 current = ¤t[trunc.skipped_length..];
495 self.skip_response = 0;
497 SCLogDebug!("skip_response now {}", self.skip_response);
499 self.handle_msg(msg, true);
501 return AppLayerResult::ok();
503 consumed += current.len() - rem.len();
506 Err(Err::Incomplete(_)) => {
507 SCLogDebug!("incomplete response: consumed {} needed {} (input len {})", consumed, (current.len() + 1), input.len());
508 return AppLayerResult::incomplete(consumed as u32, (current.len() + 1) as u32);
511 return AppLayerResult::err();
516 return AppLayerResult::ok();
519 fn set_event(tx: &mut MQTTTransaction, event: MQTTEvent) {
520 let ev = event as u8;
521 core::sc_app_layer_decoder_events_set_event_raw(&mut tx.events, ev);
528 ) -> Option<(&MQTTTransaction, u64, bool)> {
529 let mut index = *state as usize;
530 let len = self.transactions.len();
533 let tx = &self.transactions[index];
534 if tx.tx_id < min_tx_id + 1 {
538 *state = index as u64;
539 return Some((tx, tx.tx_id - 1, (len - index) > 1));
548 export_tx_get_detect_state!(rs_mqtt_tx_get_detect_state, MQTTTransaction);
549 export_tx_set_detect_state!(rs_mqtt_tx_set_detect_state, MQTTTransaction);
552 pub unsafe extern "C" fn rs_mqtt_probing_parser(
559 let buf = build_slice!(input, input_len as usize);
560 match parse_fixed_header(buf) {
562 // reject unassigned message type
563 if hdr.message_type == MQTTTypeCode::UNASSIGNED {
564 return ALPROTO_FAILED;
566 // with 2 being the highest valid QoS level
567 if hdr.qos_level > 2 {
568 return ALPROTO_FAILED;
572 Err(Err::Incomplete(_)) => ALPROTO_UNKNOWN,
573 Err(_) => ALPROTO_FAILED
578 pub extern "C" fn rs_mqtt_state_new(_orig_state: *mut std::os::raw::c_void, _orig_proto: AppProto) -> *mut std::os::raw::c_void {
579 let state = MQTTState::new();
580 let boxed = Box::new(state);
581 return Box::into_raw(boxed) as *mut _;
585 pub extern "C" fn rs_mqtt_state_free(state: *mut std::os::raw::c_void) {
586 std::mem::drop(unsafe { Box::from_raw(state as *mut MQTTState) });
590 pub unsafe extern "C" fn rs_mqtt_state_tx_free(state: *mut std::os::raw::c_void, tx_id: u64) {
591 let state = cast_pointer!(state, MQTTState);
592 state.free_tx(tx_id);
596 pub unsafe extern "C" fn rs_mqtt_parse_request(
598 state: *mut std::os::raw::c_void,
599 _pstate: *mut std::os::raw::c_void,
602 _data: *const std::os::raw::c_void,
604 ) -> AppLayerResult {
605 let state = cast_pointer!(state, MQTTState);
606 let buf = build_slice!(input, input_len as usize);
607 return state.parse_request(buf);
611 pub unsafe extern "C" fn rs_mqtt_parse_response(
613 state: *mut std::os::raw::c_void,
614 _pstate: *mut std::os::raw::c_void,
617 _data: *const std::os::raw::c_void,
619 ) -> AppLayerResult {
620 let state = cast_pointer!(state, MQTTState);
621 let buf = build_slice!(input, input_len as usize);
622 return state.parse_response(buf);
626 pub unsafe extern "C" fn rs_mqtt_state_get_tx(
627 state: *mut std::os::raw::c_void,
629 ) -> *mut std::os::raw::c_void {
630 let state = cast_pointer!(state, MQTTState);
631 match state.get_tx(tx_id) {
633 return tx as *const _ as *mut _;
636 return std::ptr::null_mut();
642 pub unsafe extern "C" fn rs_mqtt_state_get_tx_count(state: *mut std::os::raw::c_void) -> u64 {
643 let state = cast_pointer!(state, MQTTState);
648 pub unsafe extern "C" fn rs_mqtt_tx_is_toclient(tx: *const std::os::raw::c_void) -> std::os::raw::c_int {
649 let tx = cast_pointer!(tx, MQTTTransaction);
657 pub unsafe extern "C" fn rs_mqtt_tx_get_alstate_progress(
658 tx: *mut std::os::raw::c_void,
660 ) -> std::os::raw::c_int {
661 let tx = cast_pointer!(tx, MQTTTransaction);
663 if direction == core::STREAM_TOSERVER {
667 } else if direction == core::STREAM_TOCLIENT {
677 pub unsafe extern "C" fn rs_mqtt_tx_get_logged(
678 _state: *mut std::os::raw::c_void,
679 tx: *mut std::os::raw::c_void,
681 let tx = cast_pointer!(tx, MQTTTransaction);
682 return tx.logged.get();
686 pub unsafe extern "C" fn rs_mqtt_tx_set_logged(
687 _state: *mut std::os::raw::c_void,
688 tx: *mut std::os::raw::c_void,
691 let tx = cast_pointer!(tx, MQTTTransaction);
692 tx.logged.set(logged);
696 pub unsafe extern "C" fn rs_mqtt_state_get_events(
697 tx: *mut std::os::raw::c_void,
698 ) -> *mut core::AppLayerDecoderEvents {
699 let tx = cast_pointer!(tx, MQTTTransaction);
704 pub unsafe extern "C" fn rs_mqtt_state_get_tx_iterator(
707 state: *mut std::os::raw::c_void,
711 ) -> applayer::AppLayerGetTxIterTuple {
712 let state = cast_pointer!(state, MQTTState);
713 match state.tx_iterator(min_tx_id, istate) {
714 Some((tx, out_tx_id, has_next)) => {
715 let c_tx = tx as *const _ as *mut _;
716 let ires = applayer::AppLayerGetTxIterTuple::with_values(c_tx, out_tx_id, has_next);
720 return applayer::AppLayerGetTxIterTuple::not_found();
725 // Parser name as a C style string.
726 const PARSER_NAME: &'static [u8] = b"mqtt\0";
728 export_tx_data_get!(rs_mqtt_get_tx_data, MQTTTransaction);
731 pub unsafe extern "C" fn rs_mqtt_register_parser(cfg_max_msg_len: u32) {
732 let default_port = CString::new("[1883]").unwrap();
733 let max_msg_len = &mut MAX_MSG_LEN;
734 *max_msg_len = cfg_max_msg_len;
735 let parser = RustParser {
736 name: PARSER_NAME.as_ptr() as *const std::os::raw::c_char,
737 default_port: default_port.as_ptr(),
738 ipproto: IPPROTO_TCP,
739 probe_ts: Some(rs_mqtt_probing_parser),
740 probe_tc: Some(rs_mqtt_probing_parser),
743 state_new: rs_mqtt_state_new,
744 state_free: rs_mqtt_state_free,
745 tx_free: rs_mqtt_state_tx_free,
746 parse_ts: rs_mqtt_parse_request,
747 parse_tc: rs_mqtt_parse_response,
748 get_tx_count: rs_mqtt_state_get_tx_count,
749 get_tx: rs_mqtt_state_get_tx,
752 tx_get_progress: rs_mqtt_tx_get_alstate_progress,
753 get_de_state: rs_mqtt_tx_get_detect_state,
754 set_de_state: rs_mqtt_tx_set_detect_state,
755 get_events: Some(rs_mqtt_state_get_events),
756 get_eventinfo: Some(MQTTEvent::get_event_info),
757 get_eventinfo_byid: Some(MQTTEvent::get_event_info_by_id),
758 localstorage_new: None,
759 localstorage_free: None,
761 get_tx_iterator: Some(rs_mqtt_state_get_tx_iterator),
762 get_tx_data: rs_mqtt_get_tx_data,
763 apply_tx_config: None,
764 flags: APP_LAYER_PARSER_OPT_UNIDIR_TXS,
768 let ip_proto_str = CString::new("tcp").unwrap();
770 if AppLayerProtoDetectConfProtoDetectionEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
771 let alproto = AppLayerRegisterProtocolDetection(&parser, 1);
772 ALPROTO_MQTT = alproto;
773 if AppLayerParserConfParserEnabled(ip_proto_str.as_ptr(), parser.name) != 0 {
774 let _ = AppLayerRegisterParser(&parser, alproto);
777 SCLogDebug!("Protocol detector and parser disabled for MQTT.");