ldap: Only switch into MS_KRB5 mode if responseToken exists

If the server doesn't include a responseToken within negTokenResp,
assume there won't be signing or sealing happening on the
connection. Don't switch into MS_KRB5 mode.

Closes #4275

src/analyzer/protocol/ldap/ldap.spicy

@@ -423,6 +423,7 @@ type GSS_SPNEGO_Subsequent = unit {
 type GSS_SPNEGO_negTokenResp = unit {
   var accepted: bool;
   var supportedMech: ASN1::ASN1Message;
+  var responseToken: optional<bytes>;
 
   # Parse the contained Sequence.
   seq: ASN1::ASN1Message(True) {
@@ -433,7 +434,7 @@ type GSS_SPNEGO_negTokenResp = unit {
       } else if ( msg.application_id == 1 ) {
         self.supportedMech = msg;
       } else if ( msg.application_id == 2 ) {
-        # ignore responseToken
+        self.responseToken = msg.application_data;
       } else if ( msg.application_id == 3 ) {
         # ignore mechListMec
       } else {
@@ -523,7 +524,7 @@ type BindResponse = unit(inout message: Message, ctx: Ctx&) {
     if ( $$?.negTokenResp ) {
       local token = $$.negTokenResp;
       if ( token.accepted && token?.supportedMechOid ) {
-        if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 ) {
+        if ( token.supportedMechOid == GSSAPI_MECH_MS_KRB5 && token.responseToken ) {
           ctx.messageMode = MessageMode::MS_KRB5;
         }
       }

testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ldap
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcode	result	diagnostic_message	object	argument
+#types	time	string	addr	port	addr	port	int	int	string	string	string	string	string
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.226.131	54544	192.168.226.136	389	1440128865	3	bind SASL	success	-	User1	GSS-SPNEGO
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/krb.ldap_search.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ldap_search
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scope	deref_aliases	base_object	result_count	result	diagnostic_message	filter	attributes
+#types	time	string	addr	port	addr	port	int	string	string	string	count	string	string	string	vector[string]
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.226.131	54544	192.168.226.136	389	1319382063	tree	never	dc=ADHACKING,dc=LOCAL	3	success	-	(&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap.log

@@ -0,0 +1,12 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ldap
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	version	opcode	result	diagnostic_message	object	argument
+#types	time	string	addr	port	addr	port	int	int	string	string	string	string	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.226.131	37618	192.168.226.136	389	173945320	3	<undefined>	success	-	User1	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.226.131	37618	192.168.226.136	389	1489001992	3	<undefined>	success	-	User1	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.ldap.aduser1/ntlm.ldap_search.log

@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ldap_search
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	message_id	scope	deref_aliases	base_object	result_count	result	diagnostic_message	filter	attributes
+#types	time	string	addr	port	addr	port	int	string	string	string	count	string	string	string	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.226.131	37618	192.168.226.136	389	1673297393	tree	never	dc=ADHACKING,dc=LOCAL	3	success	-	(&(&(sAMAccountName=*)(mail=*))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))	-
+#close XXXX-XX-XX-XX-XX-XX

testing/btest/Traces/README

@@ -49,4 +49,7 @@ Trace Index/Sources:
 - tunnels/geneve-tagged-udp-packet.pcap
   Provided by Eldon Koyle Corelight for testing.
 - cdp-v1.pcap
-  From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures.
+  From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures.
+- ldap/adduser1.pcap ldap/adduser1-ntlm.pcap
+  Provided by Mohan-Dhawan on #4275
+  https://github.com/zeek/zeek/issues/4275

testing/btest/scripts/base/protocols/ldap/aduser1.zeek

@@ -0,0 +1,11 @@
+# @TEST-REQUIRES: have-spicy
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1.pcap %INPUT
+# @TEST-EXEC: mkdir krb && mv *.log krb
+# @TEST-EXEC: zeek -C -r ${TRACES}/ldap/aduser1-ntlm.pcap %INPUT
+# @TEST-EXEC: mkdir ntlm && mv *.log ntlm
+# @TEST-EXEC: btest-diff krb/ldap.log
+# @TEST-EXEC: btest-diff krb/ldap_search.log
+# @TEST-EXEC: btest-diff ntlm/ldap.log
+# @TEST-EXEC: btest-diff ntlm/ldap_search.log
+#
+# @TEST-DOC: Check two traces using different authentication mechanisms, but the same search request.