From 3bbd598a647fc79d4888bcf1407cf854d7d554cb Mon Sep 17 00:00:00 2001
From: "Remi GASCOU (Podalirius)"
 <79218792+p0dalirius@users.noreply.github.com>
Date: Mon, 18 Nov 2024 10:41:33 +0100
Subject: [PATCH] Moving APOptions to GSSAPIBindRequest struct for coherence
 and to avoid changing the func prototypes

---
 bind.go             |  8 +++++---
 gssapi/client.go    | 39 +++++++++++++++++++--------------------
 v3/bind.go          |  8 +++++---
 v3/gssapi/client.go | 39 ++++++++++++++++++++-------------------
 4 files changed, 49 insertions(+), 45 deletions(-)

diff --git a/bind.go b/bind.go
index b7011bd..07e1167 100644
--- a/bind.go
+++ b/bind.go
@@ -602,6 +602,8 @@ type GSSAPIBindRequest struct {
 	AuthZID string
 	// (Optional) Controls to send with the bind request
 	Controls []Control
+	// (Optional) APOptions
+	APOptions []int
 }
 
 // GSSAPIBind performs the GSSAPI SASL bind using the provided GSSAPI client.
@@ -611,13 +613,13 @@ func (l *Conn) GSSAPIBind(client GSSAPIClient, servicePrincipal, authzid string)
 		&GSSAPIBindRequest{
 			ServicePrincipalName: servicePrincipal,
 			AuthZID:              authzid,
+			APOptions:            []int{},
 		},
-		[]int{},
 	)
 }
 
 // GSSAPIBindRequest performs the GSSAPI SASL bind using the provided GSSAPI client.
-func (l *Conn) GSSAPIBindRequest(client GSSAPIClient, req *GSSAPIBindRequest, APOptions []int) error {
+func (l *Conn) GSSAPIBindRequest(client GSSAPIClient, req *GSSAPIBindRequest) error {
 	//nolint:errcheck
 	defer client.DeleteSecContext()
 
@@ -628,7 +630,7 @@ func (l *Conn) GSSAPIBindRequest(client GSSAPIClient, req *GSSAPIBindRequest, AP
 	for {
 		if needInit {
 			// Establish secure context between client and server.
-			reqToken, needInit, err = client.InitSecContext(req.ServicePrincipalName, recvToken, APOptions)
+			reqToken, needInit, err = client.InitSecContext(req.ServicePrincipalName, recvToken, req.APOptions)
 			if err != nil {
 				return err
 			}
diff --git a/gssapi/client.go b/gssapi/client.go
index 2ae2c00..2f234fb 100644
--- a/gssapi/client.go
+++ b/gssapi/client.go
@@ -217,23 +217,20 @@ func (client *Client) NegotiateSaslAuth(input []byte, authzid string) ([]byte, e
 	return output, nil
 }
 
-func getGssWrapTokenId() *[2]byte {
-	return &[2]byte{0x05, 0x04}
-}
-
-func UnmarshalWrapToken(wt *gssapi.WrapToken, b []byte, expectFromAcceptor bool) error {
+func UnmarshalWrapToken(wt *gssapi.WrapToken, data []byte, expectFromAcceptor bool) error {
 	// Check if we can read a whole header
-	if len(b) < 16 {
+	if len(data) < 16 {
 		return errors.New("bytes shorter than header length")
 	}
+
 	// Is the Token ID correct?
-	if !bytes.Equal(getGssWrapTokenId()[:], b[0:2]) {
-		return fmt.Errorf("wrong Token ID. Expected %s, was %s",
-			hex.EncodeToString(getGssWrapTokenId()[:]),
-			hex.EncodeToString(b[0:2]))
+	expectedWrapTokenId := [2]byte{0x05, 0x04}
+	if !bytes.Equal(expectedWrapTokenId[:], data[0:2]) {
+		return fmt.Errorf("wrong Token ID. Expected %s, was %s", hex.EncodeToString(expectedWrapTokenId[:]), hex.EncodeToString(data[0:2]))
 	}
+
 	// Check the acceptor flag
-	flags := b[2]
+	flags := data[2]
 	isFromAcceptor := flags&0x01 == 1
 	if isFromAcceptor && !expectFromAcceptor {
 		return errors.New("unexpected acceptor flag is set: not expecting a token from the acceptor")
@@ -241,24 +238,26 @@ func UnmarshalWrapToken(wt *gssapi.WrapToken, b []byte, expectFromAcceptor bool)
 	if !isFromAcceptor && expectFromAcceptor {
 		return errors.New("expected acceptor flag is not set: expecting a token from the acceptor, not the initiator")
 	}
+
 	// Check the filler byte
-	if b[3] != gssapi.FillerByte {
-		return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(b[3:4]))
+	if data[3] != gssapi.FillerByte {
+		return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(data[3:4]))
 	}
-	checksumL := binary.BigEndian.Uint16(b[4:6])
+	checksumL := binary.BigEndian.Uint16(data[4:6])
+
 	// Sanity check on the checksum length
-	if int(checksumL) > len(b)-gssapi.HdrLen {
-		return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(b), checksumL)
+	if int(checksumL) > len(data)-gssapi.HdrLen {
+		return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(data), checksumL)
 	}
 
 	payloadStart := 16 + checksumL
 
 	wt.Flags = flags
 	wt.EC = checksumL
-	wt.RRC = binary.BigEndian.Uint16(b[6:8])
-	wt.SndSeqNum = binary.BigEndian.Uint64(b[8:16])
-	wt.CheckSum = b[16:payloadStart]
-	wt.Payload = b[payloadStart:]
+	wt.RRC = binary.BigEndian.Uint16(data[6:8])
+	wt.SndSeqNum = binary.BigEndian.Uint64(data[8:16])
+	wt.CheckSum = data[16:payloadStart]
+	wt.Payload = data[payloadStart:]
 
 	return nil
 }
diff --git a/v3/bind.go b/v3/bind.go
index b7011bd..07e1167 100644
--- a/v3/bind.go
+++ b/v3/bind.go
@@ -602,6 +602,8 @@ type GSSAPIBindRequest struct {
 	AuthZID string
 	// (Optional) Controls to send with the bind request
 	Controls []Control
+	// (Optional) APOptions
+	APOptions []int
 }
 
 // GSSAPIBind performs the GSSAPI SASL bind using the provided GSSAPI client.
@@ -611,13 +613,13 @@ func (l *Conn) GSSAPIBind(client GSSAPIClient, servicePrincipal, authzid string)
 		&GSSAPIBindRequest{
 			ServicePrincipalName: servicePrincipal,
 			AuthZID:              authzid,
+			APOptions:            []int{},
 		},
-		[]int{},
 	)
 }
 
 // GSSAPIBindRequest performs the GSSAPI SASL bind using the provided GSSAPI client.
-func (l *Conn) GSSAPIBindRequest(client GSSAPIClient, req *GSSAPIBindRequest, APOptions []int) error {
+func (l *Conn) GSSAPIBindRequest(client GSSAPIClient, req *GSSAPIBindRequest) error {
 	//nolint:errcheck
 	defer client.DeleteSecContext()
 
@@ -628,7 +630,7 @@ func (l *Conn) GSSAPIBindRequest(client GSSAPIClient, req *GSSAPIBindRequest, AP
 	for {
 		if needInit {
 			// Establish secure context between client and server.
-			reqToken, needInit, err = client.InitSecContext(req.ServicePrincipalName, recvToken, APOptions)
+			reqToken, needInit, err = client.InitSecContext(req.ServicePrincipalName, recvToken, req.APOptions)
 			if err != nil {
 				return err
 			}
diff --git a/v3/gssapi/client.go b/v3/gssapi/client.go
index 2ae2c00..6d115d4 100644
--- a/v3/gssapi/client.go
+++ b/v3/gssapi/client.go
@@ -217,23 +217,22 @@ func (client *Client) NegotiateSaslAuth(input []byte, authzid string) ([]byte, e
 	return output, nil
 }
 
-func getGssWrapTokenId() *[2]byte {
-	return &[2]byte{0x05, 0x04}
-}
-
-func UnmarshalWrapToken(wt *gssapi.WrapToken, b []byte, expectFromAcceptor bool) error {
+func UnmarshalWrapToken(wt *gssapi.WrapToken, data []byte, expectFromAcceptor bool) error {
 	// Check if we can read a whole header
-	if len(b) < 16 {
+	if len(data) < 16 {
 		return errors.New("bytes shorter than header length")
 	}
+
 	// Is the Token ID correct?
-	if !bytes.Equal(getGssWrapTokenId()[:], b[0:2]) {
+	expectedWrapTokenId := [2]byte{0x05, 0x04}
+	if !bytes.Equal(expectedWrapTokenId[:], data[0:2]) {
 		return fmt.Errorf("wrong Token ID. Expected %s, was %s",
-			hex.EncodeToString(getGssWrapTokenId()[:]),
-			hex.EncodeToString(b[0:2]))
+			hex.EncodeToString(expectedWrapTokenId[:]),
+			hex.EncodeToString(data[0:2]))
 	}
+
 	// Check the acceptor flag
-	flags := b[2]
+	flags := data[2]
 	isFromAcceptor := flags&0x01 == 1
 	if isFromAcceptor && !expectFromAcceptor {
 		return errors.New("unexpected acceptor flag is set: not expecting a token from the acceptor")
@@ -241,24 +240,26 @@ func UnmarshalWrapToken(wt *gssapi.WrapToken, b []byte, expectFromAcceptor bool)
 	if !isFromAcceptor && expectFromAcceptor {
 		return errors.New("expected acceptor flag is not set: expecting a token from the acceptor, not the initiator")
 	}
+
 	// Check the filler byte
-	if b[3] != gssapi.FillerByte {
-		return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(b[3:4]))
+	if data[3] != gssapi.FillerByte {
+		return fmt.Errorf("unexpected filler byte: expecting 0xFF, was %s ", hex.EncodeToString(data[3:4]))
 	}
-	checksumL := binary.BigEndian.Uint16(b[4:6])
+	checksumL := binary.BigEndian.Uint16(data[4:6])
+
 	// Sanity check on the checksum length
-	if int(checksumL) > len(b)-gssapi.HdrLen {
-		return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(b), checksumL)
+	if int(checksumL) > len(data)-gssapi.HdrLen {
+		return fmt.Errorf("inconsistent checksum length: %d bytes to parse, checksum length is %d", len(data), checksumL)
 	}
 
 	payloadStart := 16 + checksumL
 
 	wt.Flags = flags
 	wt.EC = checksumL
-	wt.RRC = binary.BigEndian.Uint16(b[6:8])
-	wt.SndSeqNum = binary.BigEndian.Uint64(b[8:16])
-	wt.CheckSum = b[16:payloadStart]
-	wt.Payload = b[payloadStart:]
+	wt.RRC = binary.BigEndian.Uint16(data[6:8])
+	wt.SndSeqNum = binary.BigEndian.Uint64(data[8:16])
+	wt.CheckSum = data[16:payloadStart]
+	wt.Payload = data[payloadStart:]
 
 	return nil
 }