Merge remote-tracking branch 'origin/topic/awelzel/spicy-ldap-krb-wrap-tokens'

* origin/topic/awelzel/spicy-ldap-krb-wrap-tokens: ldap: Remove MessageWrapper with magic 0x30 searching ldap: Harden parsing a bit ldap: Handle integrity-only KRB wrap tokens (cherry picked from commit 2ea3a651bd)
2025-10-05 08:08:19 +00:00 · 2024-07-17 16:45:13 +02:00 · 2024-07-17 16:45:13 +02:00 · cfe47f40a4
commit cfe47f40a4
parent 0fd6672dde
15 changed files with 357 additions and 106 deletions
--- a/testing/btest/scripts/base/protocols/ldap/add.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/add.zeek
@ -0,0 +1,11 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/ldap-add.pcap %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: ! test -f dpd.log
+# @TEST-EXEC: ! test -f analyzer.log
+#
+# @TEST-DOC: The addRequest/addResponse operation is not implemented, yet we process it.
--- a/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear-2.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear-2.zeek
@ -0,0 +1,11 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/missing_krbtgt_ldap_request.pcapng %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+#
+# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.
--- a/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear.zeek
+++ b/testing/btest/scripts/base/protocols/ldap/sasl-signed-clear.zeek
@ -0,0 +1,11 @@
+# Copyright (c) 2024 by the Zeek Project. See LICENSE for details.
+
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/missing_ldap_logs.pcapng %INPUT
+# @TEST-EXEC: cat conn.log | zeek-cut -Cn local_orig local_resp > conn.log2 && mv conn.log2 conn.log
+# @TEST-EXEC: btest-diff conn.log
+# @TEST-EXEC: btest-diff ldap.log
+# @TEST-EXEC: btest-diff ldap_search.log
+# @TEST-EXEC: ! test -f dpd.log
+#
+# @TEST-DOC: Test LDAP analyzer with GSS-API integrity traffic where we can still peak into LDAP wrapped into WRAP tokens.