Dear Wireshark Developers! I have come across the following issue when analyzing a Goose pcap. I wanted to reconstruct, which BER Identifiers would be allowed in certain positions using the (goose).asn file.
By following the x.690 encoding rules (BER) the only allowed flag for a
Sequence_of would result in a constructed type.
Sequence shall be constructed type too, by definition.
IECGoosePdu ::= SEQUENCE {
gocbRef [0] IMPLICIT VisibleString,
timeAllowedtoLive [1] IMPLICIT INTEGER,
datSet [2] IMPLICIT VisibleString,
goID [3] IMPLICIT VisibleString OPTIONAL,
t [4] IMPLICIT UtcTime,
stNum [5] IMPLICIT INTEGER,
sqNum [6] IMPLICIT INTEGER,
test [7] IMPLICIT BOOLEAN DEFAULT FALSE,
confRev [8] IMPLICIT INTEGER,
ndsCom [9] IMPLICIT BOOLEAN DEFAULT FALSE,
numDatSetEntries [10] IMPLICIT INTEGER,
allData [11] IMPLICIT SEQUENCE OF Data --,
-- security [12] ANY OPTIONAL
-- reserved for digital signature
}
Since the IECGoosePdu would be constructed type and so the chosen type for the
goosePdu would be a constructed type, and application class with value 1, so=>
0x61
GOOSEpdu ::= CHOICE {
gseMngtPdu [APPLICATION 0] IMPLICIT GSEMngtPdu,
goosePdu [APPLICATION 1] IMPLICIT IECGoosePdu,
...
}
Wireshark does not check, if the the value should be primitive or constructed
type, allowing by this incorrect values for the BER Identifiers.
The same issue occurs for the (BER) INTEGER type, which by definition should be
primitive, but Wireshark allows it to be constructed.
I have added the pcap files:
* Goose_correct.pcap is the one following the ASN1 Rules
* Goose_sequence_of_primitive_2.pcap file, the Ber Identifier for the all
Data entry is set to primitive.
* Goose_choice_primitive.pcap file, at offset 23 the Ber Identifier should
be constructed type, but primitive is allowed.
is there a possibility that this check of the expected flag will be added to
Wireshark?
Or if I misunderstood the BER_Identifier flag for constructed and primitive
type I would really appreciate any feedback.
I have tested the pcaps on Ubuntu, Windows 7 and Windows 10:
Wireshark 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)
Copyright 1998-2019 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.9.5, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.56.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares
1.14.0, with Lua 5.2.4, with GnuTLS 3.5.18, with Gcrypt 1.8.1, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.30.0, with LZ4, with Snappy,
with libxml2 2.9.4, with QtMultimedia, with SBC, with SpanDSP, without bcg729.
Running on Linux 5.3.0-46-generic, with Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz
(with SSE4.2), with 5188 MB of physical memory, with locale en_US.UTF-8, with
libpcap version 1.8.1, with GnuTLS 3.5.18, with Gcrypt 1.8.1, with zlib 1.2.11,
binary plugins supported (0 loaded).
Built using gcc 7.4.0.
C:\Program Files\Wireshark>wireshark -v
Wireshark 3.2.3 (v3.2.3-0-gf39b50865a13)
Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0
.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.12.6, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic
updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled
resampler), with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with Intel(R) Core(TM)
i5-6300U CPU @ 2.40GHz (with SSE4.2), with 8191 MB of physical memory, with
locale English_United States.1252, with Npcap version 0.9989, based on libpcap
version 1.9.1, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, without
AirPcap, binary plugins supported (0 loaded).
Built using Microsoft Visual Studio 2019 (VC++ 14.24, build 28316).
C:\Program Files\Wireshark>wireshark -v
Wireshark 3.1.0 (v3.1.0-0-g414ca80b2168)
Copyright 1998-2019 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.12.4, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.14.0, with brotli, with LZ4, with
Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SpeexDSP
(using bundled resampler), with SBC, with SpanDSP, with bcg729.
Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Core(TM)
i5-6300U CPU @ 2.40GHz (with SSE4.2), with 16264 MB of physical memory, with
locale German_Germany.1252, with Npcap version 0.996, based on libpcap version
1.9.1-PRE-GIT, with GnuTLS 3.6.3, with Gcrypt 1.8.3, with brotli 1.0.2, without
AirPcap, binary plugins supported (0 loaded).
Built using Microsoft Visual Studio 2017 (VC++ 14.16, build 27032).
Best Regards
Balazs
Goose_choice_primitive.pcap
Description: Goose_choice_primitive.pcap
Goose_correct.pcap
Description: Goose_correct.pcap
Goose_sequence_of_primitive_2.pcap
Description: Goose_sequence_of_primitive_2.pcap
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
