MQTT Protocol Analysis of Himqtt Source Code

This article is an excellent piece from the KX Forum

Author ID on KX Forum: xiaoduoduo

himqtt is the first high-performance MQTT IoT firewall (MQTT Application Firewall) released with its complete source code. It is written in C, uses epoll to support hundreds of thousands of concurrent IoT connections, and is compatible with some ModSecurity rules.
The code is well written and worth keeping and studying. Today I will analyze the MQTT protocol using the himqtt source code as a guide.
1. Summary of MQTT Protocol Commands
There are 14 commands in total in the MQTT protocol, as shown in the table below. Among them, 9 messages are fixed at 2-4 bytes, which is very simple and suitable for small IoT devices.
[Table of the 14 MQTT commands: image not reproduced in this copy]
An MQTT message consists of a command number (1 byte) + a length field (1-4 bytes, variable) + content. For example, a first byte of 0x30 indicates the PUBLISH command, and a following 0x26 indicates that the content after it is 38 bytes long.
---------------MQTT PUBLISH-------40bytes-----------------------------
| 30 26 00 14 68 6f 6d 65 2f 67 61 72 64 65 6e 2f |0&..home/garden/|
| 66 6f 75 6e 74 61 69 6e 31 32 33 34 35 36 37 38 |fountain12345678|
| 39 30 61 62 63 64 65 66                         |90abcdef
First, download the latest source code of himqtt from GitHub:
https://github.com/qq4108863/himqtt/
Open the src/waf/mqtt.c file.
Note that the number of bytes occupied by the length field is variable (1-4 bytes); the exact calculation is in the process_mqtt_msg function. In theory this algorithm allows the message content that follows to be at most 268435455 bytes long (about 255M).
static void process_mqtt_msg(mqtt_waf_msg *req)
{
    ......
    /* decode mqtt variable length: each byte carries 7 bits of the length
     * (least significant group first); bit 7 set means another byte follows */
    len = len_len = 0;
    p = req->buf + 1;              /* the length field starts right after the command byte */
    eop = &req->buf[req->pos];     /* end of the data received so far */
    while (p < eop) {
        lc = *((const unsigned char *) p++);
        len += (lc & 0x7f) << 7 * len_len;
        len_len++;
        if (!(lc & 0x80)) break;   /* no continuation bit: the length is complete */
        if (len_len > 4) {         /* the protocol allows at most 4 length bytes */
            req->msg_state = MQTT_MSG_ERROR;
            return;
        }
    }
    .....
}
......
Once the length and protocol checks have passed, the code dispatches on the received message type, and the logic is very clear:
switch (mqtt_msg_type)
{
    case MQTT_CONNECT:
        req->msg_state = mqtt_connect(req, p, end, &mm);
        break;
    case MQTT_CONNACK:
        break;
    case MQTT_PUBLISH:
        req->msg_state = mqtt_publish(req, p, end, &mm);
        break;
    case MQTT_SUBSCRIBE:
        req->msg_state = mqtt_subscribe(req, p, end, &mm);
        break;
    case MQTT_UNSUBSCRIBE:
        req->msg_state = mqtt_unsubscribe(req, p, end, &mm);
    ......
Next, we focus mainly on the more complex message types: CONNECT, PUBLISH, SUBSCRIBE and UNSUBSCRIBE.
2. HiMQTT Protocol Analysis

1. CONNECT to the Server

After the network connection is established, the first message the client sends to the server must be a CONNECT message. Identity authentication data such as the username and password is carried in this message. The message protocol is as follows:
--------------MQTT CONNECT-----105bytes-----------------------------
| 10 67 00 04 4d 51 54 54 04 c2 00 3c 00 19 4d 51 |.g..MQTT...<..MQ|
| 54 54 5f 46 58 5f 43 6c 69 65 6e 74 5f 39 69 75 |TT_FX_Client_9iu|
| 79 38 37 36 35 35 35 00 12 69 6f 74 66 72 65 65 |y876555..iotfree|
| 74 65 73 74 2f 74 68 69 6e 67 30 00 2c 59 55 37 |test/thing0.,YU7|
| 54 6f 76 38 7a 46 57 2b 57 75 61 4c 78 39 73 39 |Tov8zFW+WuaLx9s9|
| 49 33 4d 4b 79 63 6c 69 65 39 53 47 44 75 75 4e |I3MKyclie9SGDuuN|
| 6b 6c 36 6f 39 4c 58 6f 3d                      |kl6o9LXo=
10 // CONNECT command number
67 // length 103 bytes
00 04 // length of the MQTT protocol name, 4 bytes
4d 51 54 54 // fixed string "MQTT"
04 // version 3.1.1
c2 // connect flags: whether a username/password etc. are present
00 3c // keep-alive interval, 60 seconds
00 19 // username length 25 bytes, followed by the username
4d 51 54 54 5f 46 58 5f 43 6c 69 65 6e 74 5f 39 69 75 79 38 37 36 35 35 35
00 12 // password, 18 bytes
69 6f 74 66 72 65 65 74 65 73 74 2f 74 68 69 6e 67 30 // password
00 2c // will message length
59 55 37 ...... 6f 3d // will message content

2. PUBLISH Message

PUBLISH is used to transmit an application message from the client to the server or from the server to the client. It is the core of communication, comparable to the GET method in the HTTP protocol. The message protocol analysis is as follows:
/*
---------------MQTT PUBLISH-------40bytes-----------------------------
| 30 26 00 14 68 6f 6d 65 2f 67 61 72 64 65 6e 2f |0&..home/garden/|
| 66 6f 75 6e 74 61 69 6e 31 32 33 34 35 36 37 38 |fountain12345678|
| 39 30 61 62 63 64 65 66                         |90abcdef
*/
30 // PUBLISH command number
26 // length 39 bytes
00 14 // TOPIC length 20 bytes
68 6f 6d 65 2f 67 61 72 64 65 6e 2f 66 6f 75 6e // TOPIC
31 32 33 34 35 36 37 38 39 30 61 62 63 64 65 66 // published message
In practice, this part is mostly submitted to the server in JSON format. SQL injection and XSS attacks against IoT devices are likely to originate here, so attack checks on this content are essential. For some reason, himqtt has commented out the ngx_http_dummy_json_parse function that parses the JSON format.

3. SUBSCRIBE to Messages

SUBSCRIBE is sent from the client to the server to create one or more subscriptions. Each subscription names one or more topics the client is interested in. The server matches topics against the client's subscriptions and sends the corresponding PUBLISH messages to the client. The message protocol analysis is as follows:
---------------MQTT SUBSCRIBE------33bytes-----------------------------
| 82 1f 00 01 00 1a 68 6f 6d 65 2f 67 61 72 64 65 |......home/garde|
| 6e 2f 66 6f 75 6e 74 61 69 6e 64 65 6c 65 74 65 |n/fountaindelete|
| 00                                              |.
82 // SUBSCRIBE command
1f // length 31 bytes
00 01 // Message Identifier
00 1a // TOPIC length 26
68 6f 6d 65 2f 67 61 72 64 65 6e 2f 66 6f 75 6e 74 61 69 6e 64 65 6c 65 74 65 // TOPIC
00 // requested QoS

4. UNSUBSCRIBE Message

UNSUBSCRIBE is the message the client sends to the server to cancel its subscription to a topic. The message protocol analysis is as follows:
---------------MQTT UNSUBSCRIBE-------32bytes-----------------------------
| a2 1e 00 02 00 1a 68 6f 6d 65 2f 67 61 72 64 65 |......home/garde|
| 6e 2f 66 6f 75 6e 74 61 69 6e 64 65 6c 65 74 65 |n/fountaindelete|
a2 // UNSUBSCRIBE command
1e // length 30 bytes
00 02 // Message Identifier
00 1a // TOPIC length 26
68 6f 6d 65 2f 67 61 72 64 65 6e 2f 66 6f 75 6e 74 61 69 6e 64 65 6c 65 74 65 // TOPIC
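As an added example (not himqtt code, and not from the article's author), the small C parser below puts together the variable-length decoding from section 1 and the four message layouts above: it decodes the fixed header's Remaining Length field with the 4-byte limit, then walks the CONNECT, PUBLISH, SUBSCRIBE and UNSUBSCRIBE bodies with a bounds check on every length-prefixed field. The sample packets are the bytes of the four hex dumps in this article, constructed here as C string literals. The field order of the CONNECT payload (client identifier, then will topic and will message, user name and password, each present only when its bit in the connect flags byte is set) follows the MQTT 3.1.1 specification; the function and type names, and the restriction to QoS 0 PUBLISH and a single topic filter per SUBSCRIBE/UNSUBSCRIBE, are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* MQTT 3.1.1 control packet types handled here (high nibble of byte 0). */
enum { MQTT_CONNECT = 1, MQTT_PUBLISH = 3, MQTT_SUBSCRIBE = 8, MQTT_UNSUBSCRIBE = 10 };

typedef struct { const uint8_t *p; uint16_t len; } mqtt_field;   /* a field located in place, not copied */

/* Decode the Remaining Length field at buf[0]: 1 to 4 bytes carrying 7 data bits
 * each, with bit 7 set on every byte but the last. Returns the number of length
 * bytes consumed, or 0 when the input is truncated or a fifth byte would be
 * needed (malformed: the largest encodable value is 0x0FFFFFFF = 268435455). */
static int mqtt_decode_remaining_len(const uint8_t *buf, size_t avail, uint32_t *out)
{
    uint32_t len = 0;
    for (int n = 0; n < 4; n++) {
        if ((size_t)n >= avail) return 0;
        len += (uint32_t)(buf[n] & 0x7f) << (7 * n);
        if (!(buf[n] & 0x80)) { *out = len; return n + 1; }
    }
    return 0;
}

/* Locate a 2-byte big-endian length-prefixed string inside [p, end).
 * Returns the bytes consumed, or 0 if the string would overrun end. */
static size_t mqtt_read_string(const uint8_t *p, const uint8_t *end, mqtt_field *f)
{
    if (end - p < 2) return 0;
    f->len = (uint16_t)((p[0] << 8) | p[1]);
    if ((size_t)(end - p - 2) < f->len) return 0;
    f->p = p + 2;
    return 2u + f->len;
}

/* Does a located field equal the given C string? (for checks and logging) */
static int mqtt_field_is(const mqtt_field *f, const char *s)
{
    return f->p != NULL && strlen(s) == f->len && memcmp(f->p, s, f->len) == 0;
}

/* Read one length-prefixed string into f and advance p; bail out on overrun. */
#define MQTT_TAKE(f) do { if ((n = mqtt_read_string(p, end, (f))) == 0) return -1; p += n; } while (0)

/* What the parser extracts; fields absent from a packet stay zero/NULL. */
typedef struct {
    int type;
    uint8_t connect_flags, qos;          /* CONNECT flags byte; SUBSCRIBE requested QoS */
    uint16_t keepalive, packet_id;
    mqtt_field client_id, username, password, topic, payload;
} mqtt_summary;

/* Parse one complete packet. Returns 0 on success, -1 on malformed input (bad fixed
 * header, declared length not matching the buffer, or a field overrunning the body). */
static int mqtt_parse_packet(const uint8_t *buf, size_t len, mqtt_summary *s)
{
    const uint8_t *p, *end;
    mqtt_field tmp; uint32_t rem; size_t n; int nl;

    memset(s, 0, sizeof *s);
    if (len < 2) return -1;
    s->type = buf[0] >> 4;
    nl = mqtt_decode_remaining_len(buf + 1, len - 1, &rem);
    if (nl == 0 || (size_t)1 + nl + rem != len) return -1;   /* body must be exactly as declared */
    p = buf + 1 + nl;
    end = p + rem;

    if (s->type == MQTT_CONNECT) {
        MQTT_TAKE(&tmp);                                     /* protocol name, then level byte */
        if (!mqtt_field_is(&tmp, "MQTT") || end - p < 4 || p[0] != 4) return -1;  /* level 4 = v3.1.1 */
        s->connect_flags = p[1];
        s->keepalive = (uint16_t)((p[2] << 8) | p[3]);
        p += 4;
        /* Payload order is fixed by the spec: client identifier, then will topic,
         * will message, user name and password, each present only if its flag bit is set. */
        MQTT_TAKE(&s->client_id);
        if (s->connect_flags & 0x04) { MQTT_TAKE(&tmp); MQTT_TAKE(&tmp); }   /* Will flag */
        if (s->connect_flags & 0x80) MQTT_TAKE(&s->username);                 /* User Name flag */
        if (s->connect_flags & 0x40) MQTT_TAKE(&s->password);                 /* Password flag */
    } else if (s->type == MQTT_PUBLISH || s->type == MQTT_SUBSCRIBE || s->type == MQTT_UNSUBSCRIBE) {
        if (s->type == MQTT_PUBLISH && (buf[0] & 0x06)) return -1;   /* QoS 1/2 PUBLISH not handled */
        if (s->type != MQTT_PUBLISH) {                               /* packet identifier comes first */
            if (end - p < 2) return -1;
            s->packet_id = (uint16_t)((p[0] << 8) | p[1]);
            p += 2;
        }
        MQTT_TAKE(&s->topic);
        if (s->type == MQTT_PUBLISH) { s->payload.p = p; s->payload.len = (uint16_t)(end - p); p = end; }
        else if (s->type == MQTT_SUBSCRIBE) { if (end - p != 1 || p[0] > 2) return -1; s->qos = *p++; }
    } else {
        return -1;                                               /* other types not handled here */
    }
    return p == end ? 0 : -1;                                    /* trailing bytes are malformed */
}

/* The four packets from this article's hex dumps, constructed here as byte strings. */
static const uint8_t CONNECT_PKT[] = "\x10\x67\x00\x04MQTT\x04\xc2\x00\x3c\x00\x19MQTT_FX_Client_9iuy876555"
                                     "\x00\x12iotfreetest/thing0\x00\x2cYU7Tov8zFW+WuaLx9s9I3MKyclie9SGDuuNkl6o9LXo=";
static const uint8_t PUBLISH_PKT[] = "\x30\x26\x00\x14home/garden/fountain1234567890abcdef";
static const uint8_t SUBSCRIBE_PKT[] = "\x82\x1f\x00\x01\x00\x1ahome/garden/fountaindelete\x00";
static const uint8_t UNSUBSCRIBE_PKT[] = "\xa2\x1e\x00\x02\x00\x1ahome/garden/fountaindelete";
```

Every field length is checked against the end of the declared body before the field is touched, and the declared Remaining Length must equal the bytes actually received, so a truncated or padded packet is rejected rather than parsed. One difference from the himqtt loop excerpted in section 1 is worth noting: there the len_len > 4 test comes after the break, so a fifth length byte is read and added before the error is raised; the decoder here stops at four bytes, which is where the 268435455 maximum comes from.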
Overall, the MQTT protocol is much simpler than HTTP, which makes it very suitable for IoT devices. In addition, himqtt is also a powerful web application firewall; we will cover the rest of its source code in another article.
Perhaps in the coming years, after IPv6 is widely adopted, hundreds of billions of powered objects will be connected to the internet. We look forward to himqtt and similar high-concurrency IoT firewalls holding high the banner of information security and blocking hacker attacks completely.
– End –
KX ID: xiaoduoduo

https://bbs.pediy.com/user-10578.htm

*This article is an original work by KX Forum member xiaoduoduo; please credit the KX Community as the source when reprinting.
