From ca25516e0330279ea9f6f8c7cde890beeb4756e2 Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Fri, 19 Jul 2024 17:28:40 +0200
Subject: [PATCH] ldap: Ignore ec/rrc for sealed wrap tokens

It shouldn't matter for the encrypted payload that we'll
just consume and ignore.
---
 src/analyzer/protocol/ldap/ldap.spicy | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/analyzer/protocol/ldap/ldap.spicy b/src/analyzer/protocol/ldap/ldap.spicy
index a2878aad84..3226b6e7cc 100644
--- a/src/analyzer/protocol/ldap/ldap.spicy
+++ b/src/analyzer/protocol/ldap/ldap.spicy
@@ -228,7 +228,10 @@ type KrbWrapToken = unit {
     } else if ( self.rrc == 0 ) {
         self.trailer_ec = self.ec;
     } else {
-      throw "Unhandled rc %s and ec %s" % (self.ec, self.rrc);
+      if ( ! self.ctx_flags.sealed )
+        # If it's sealed, we'll consume until &eod anyhow
+        # and ec/rrc shouldn't apply, otherwise, bail.
+        throw "Unhandled rc %s and ec %s" % (self.ec, self.rrc);
     }
   }