mentalisttraceur
commented
1 year ago Another thing I'd like to do is have the code be more explicitly clear about exactly what it's doing with the delegation flag/fields and why (but I don't fully understand it so I can't suggest the best comment for that yet)...
- It handles the "delegation" flag by adding the two uint16 fields: delegation option and delegation length, both set to zero, but it's not clear to me why this is the correct behavior?
- I haven't yet figured out what the delegation option field is supposed to contain, but the "(=1)" in RFC 4121 section 4.1.1 seems to maybe suggest that it must be hardcoded to
1? - I'm... somewhat confused about what it "means" to have delegation "on" without any actual delegated credential. Why is a zero-length delegated credential better than to just ignore/clear the delegation flag?
- I haven't yet figured out what the delegation option field is supposed to contain, but the "(=1)" in RFC 4121 section 4.1.1 seems to maybe suggest that it must be hardcoded to
- Neither code nor comment actually say what's going on: I was lucky enough to already know and remember enough of the RFC 4121 that I was able to connect the dots to the delegation fields after some re-reading and thinking.
Also, I'd like to make the code more self-describing, at least by renaming a to checksum, f to flagBits, and i to flag.
func newAuthenticatorChecksum(flags []int) []byte {
checksum = make([]byte, 24)
binary.LittleEndian.PutUint32(checksum[0:], channelBindingLength)
flagBits := uint32(0)
for _, flag := range flags {
flagBits |= uint32(flag)
}
if flagBits&gssapi.ContextFlagDeleg != 0 {
// delegation fields, if present, are blank/unused:
checksum = append(checksum, 0, 0, 0, 0)
}
// channel binding information is left blank/unused
binary.LittleEndian.PutUint32(checksum[flagsOffset:], flagBits)
return checksum
}In an earlier edit of this comment, I also wanted to add some comments or comment-like code to help explain all those magic numbers (24, 16, 4, 28, ...) and what each part of the checksum was, but on further thought I don't like how that was turning out.
So I was looking at
newAuthenticatorChksum, and I suggest improving it like this:For me the main benefit is clarity: I think it becomes much more obvious that if
gssapi.ContextFlagDelegis included one or more times inflags, the checksum just gets four zero'd bytes appended to the end.You could also see it as an optimization benefit. (Does the compiler realize that the serialization round trip between
fanda[20:24]doesn't have to happen each loop? Does the compiler realize that it could possibly save a copy of a copy-on-write page of memory if it waits to write the flag bits until after it knows to extend the checksum slice by four bytes? Well, with these changes it doesn't even have to.)(Normally I'd just make a PR with such suggested changes and discuss it there, but your contributing guidelines suggest opening an issue first.)