Merge remote-tracking branch 'origin/topic/jsiwek/bit-1343'

* origin/topic/jsiwek/bit-1343: BIT-1343: factor common ASN.1 code from RDP and SNMP analyzer. BIT-1343 #merged
2025-10-08 09:38:19 +00:00 · 2015-04-21 13:46:26 -07:00 · 2015-04-21 13:46:26 -07:00 · cb767b9336
commit cb767b9336
parent 4e68ce4726 6af87dc2c8
4 changed files with 71 additions and 119 deletions
--- a/aux/binpac
+++ b/aux/binpac
@ -1 +1 @@
-Subproject commit 544330932e7cd4615d6d19f63907e8aa2acebb9e
+Subproject commit a1dddbb780bc45e1fb2ec3d7f11bec7a512c070d
--- a/src/analyzer/protocol/asn1/asn1.pac
+++ b/src/analyzer/protocol/asn1/asn1.pac
@ -0,0 +1,62 @@
+############################## ASN.1 Encodings
+
+enum ASN1TypeTag {
+	ASN1_INTEGER_TAG           = 0x02,
+	ASN1_OCTET_STRING_TAG      = 0x04,
+	ASN1_NULL_TAG              = 0x05,
+	ASN1_OBJECT_IDENTIFIER_TAG = 0x06,
+	ASN1_SEQUENCE_TAG          = 0x30,
+};
+
+type ASN1Encoding = record {
+	meta:    ASN1EncodingMeta;
+	content: bytestring &length = meta.length;
+};
+
+type ASN1EncodingMeta = record {
+	tag:      uint8;
+	len:      uint8;
+	more_len: bytestring &length = long_len ? len & 0x7f : 0;
+} &let {
+	long_len: bool = len & 0x80;
+	length:   uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f;
+};
+
+type ASN1SequenceMeta = record {
+	encoding: ASN1EncodingMeta;
+};
+
+type ASN1Integer = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1OctetString = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1ObjectIdentifier = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1Boolean = record {
+	encoding: ASN1Encoding;
+};
+
+type ASN1Enumerated = record {
+	encoding: ASN1Encoding;
+};
+
+############################## ASN.1 Conversion Functions
+
+function binary_to_int64(bs: bytestring): int64
+	%{
+	int64 rval = 0;
+
+	for ( int i = 0; i < bs.length(); ++i )
+		{
+		uint64 byte = bs[i];
+		rval |= byte << (8 * (bs.length() - (i + 1)));
+		}
+
+	return rval;
+	%}
--- a/src/analyzer/protocol/rdp/rdp-protocol.pac
+++ b/src/analyzer/protocol/rdp/rdp-protocol.pac
@ -1,3 +1,4 @@
+%include ../asn1/asn1.pac

 type TPKT(is_orig: bool) = record {
 	version:  uint8;
@ -5,7 +6,7 @@ type TPKT(is_orig: bool) = record {
 	tpkt_len: uint16;

 # These data structures are merged together into TPKT
-# because there are packets that report incorrect 
+# because there are packets that report incorrect
 # lengths in the tpkt length field.  No clue why.

 	cotp:     COTP(this);
@ -129,7 +130,7 @@ type RDP_Negotiation_Response = record {
 	length:              uint16; # must be set to 8
 	selected_protocol:   uint32;
 } &let {
-	# Seems to be SSL encrypted (maybe CredSSP also?) 
+	# Seems to be SSL encrypted (maybe CredSSP also?)
 	# after this message if the selected_protocol is > 0.
 	enc_ssl: bool = $context.connection.go_encrypted(selected_protocol) &if(selected_protocol > 0);
 } &byteorder=littleendian;
@ -204,7 +205,7 @@ type Client_Core_Data = record {
 	supported_color_depths:   uint16;
 	early_capability_flags:   uint16;
 	dig_product_id:           bytestring &length=64;
-	# There are more optional fields here but they are  
+	# There are more optional fields here but they are
 	# annoying to optionally parse in binpac.
 	# Documented here: https://msdn.microsoft.com/en-us/library/cc240510.aspx
 } &let {
@ -280,7 +281,7 @@ type Server_Security_Data = record {
 	server_random:          bytestring &length=server_random_length;
 	server_certificate:     Server_Certificate &length=server_cert_length;
 } &let {
-	# Seems to be encrypted after this message if 
+	# Seems to be encrypted after this message if
 	# encryption level is >0
 	# 0 means RDP encryption.
 	enc: bool = $context.connection.go_encrypted(0) &if(encryption_method > 0 && encryption_level > 0);
@ -326,64 +327,6 @@ type X509_Cert_Data = record {
 	cert: bytestring &length=cert_len;
 } &byteorder=littleendian;

-######################################################################
-# ASN.1 Encodings
-######################################################################
-
-type ASN1Encoding = record {
-	meta:    ASN1EncodingMeta;
-	content: bytestring &length = meta.length;
-};
-
-type ASN1EncodingMeta = record {
-	tag:      uint8;
-	len:      uint8;
-	more_len: bytestring &length = long_len ? len & 0x7f : 0;
-} &let {
-	long_len: bool = (len & 0x80) > 0;
-	length:   uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f;
-};
-
-type ASN1SequenceMeta = record {
-	encoding: ASN1EncodingMeta;
-};
-
-type ASN1Integer = record {
-	encoding: ASN1Encoding;
-};
-
-type ASN1OctetString = record {
-	encoding: ASN1Encoding;
-};
-
-type ASN1ObjectIdentifier = record {
-	encoding: ASN1Encoding;
-};
-
-type ASN1Boolean = record {
-	encoding: ASN1Encoding;
-};
-
-type ASN1Enumerated = record {
-	encoding: ASN1Encoding;
-};
-
-######################################################################
-# ASN.1 Conversion Functions
-######################################################################
-
-function binary_to_int64(bs: bytestring): int64
-	%{
-	int64 rval = 0;
-	for ( int i = 0; i < bs.length(); ++i )
-		{
-		uint64 byte = bs[i];
-		rval |= byte << (8 * (bs.length() - (i + 1)));
-		}
-
-	return rval;
-	%}
-
 refine connection RDP_Conn += {

 	%member{
@ -420,4 +363,4 @@ refine connection RDP_Conn += {
 		%{
 		return encryption_method_;
 		%}
-};
+};
--- a/src/analyzer/protocol/snmp/snmp-protocol.pac
+++ b/src/analyzer/protocol/snmp/snmp-protocol.pac
@ -8,6 +8,8 @@
 # used.  Primitive or non-constructor encodings are preferred over
 # constructor encodings.

+%include ../asn1/asn1.pac
+
 type TopLevelMessage(is_orig: bool) = record {
 	asn1_sequence_meta: ASN1SequenceMeta;
 	version:            ASN1Integer;
@ -215,58 +217,3 @@ enum VarBindNullTag {
 	VARBIND_NOSUCHINSTANCE_TAG = 0x81,
 	VARBIND_ENDOFMIBVIEW_TAG   = 0x82,
 };
-
-############################## ASN.1 Encodings
-
-enum ASN1TypeTag {
-	ASN1_INTEGER_TAG           = 0x02,
-	ASN1_OCTET_STRING_TAG      = 0x04,
-	ASN1_NULL_TAG              = 0x05,
-	ASN1_OBJECT_IDENTIFIER_TAG = 0x06,
-	ASN1_SEQUENCE_TAG          = 0x30,
-};
-
-type ASN1Encoding = record {
-	meta:    ASN1EncodingMeta;
-	content: bytestring &length = meta.length;
-};
-
-type ASN1EncodingMeta = record {
-	tag:      uint8;
-	len:      uint8;
-	more_len: bytestring &length = long_len ? len & 0x7f : 0;
-} &let {
-	long_len: bool = len & 0x80;
-	length:   uint64 = long_len ? binary_to_int64(more_len) : len & 0x7f;
-};
-
-type ASN1SequenceMeta = record {
-	encoding: ASN1EncodingMeta;
-};
-
-type ASN1Integer = record {
-	encoding: ASN1Encoding;
-};
-
-type ASN1OctetString = record {
-	encoding: ASN1Encoding;
-};
-
-type ASN1ObjectIdentifier = record {
-	encoding: ASN1Encoding;
-};
-
-############################## ASN.1 Conversion Functions
-
-function binary_to_int64(bs: bytestring): int64
-	%{
-	int64 rval = 0;
-
-	for ( int i = 0; i < bs.length(); ++i )
-		{
-		uint64 byte = bs[i];
-		rval |= byte << (8 * (bs.length() - (i + 1)));
-		}
-
-	return rval;
-	%}