Small fixes

Author: rtpt-erikgeiser

.golangci.yml

@@ -28,7 +28,6 @@ linters:
     - goheader
     - gosec
     - gomodguard
-    - goprintffuncname
     - gosmopolitan
     - govet
     - grouper

credentials.go

@@ -43,7 +43,7 @@ type Credential struct {
 	// PasswordIsEmptyString is true when an empty Password field should not be
 	// interpreted as a missing password but as a password that happens to be
 	// empty.
-	PasswordIsEmtpyString bool
+	PasswordIsEmptyString bool
 	// CCacheIsFromEnv indicates whether the CCache was set explicitly or
 	// implicitly through an environment variable.
 	CCacheIsFromEnv bool
@@ -83,7 +83,7 @@ func CredentialFromPFXBytes(
 
 	rsaKey, ok := key.(*rsa.PrivateKey)
 	if !ok {
-		return nil, fmt.Errorf("PFX key is not an RSA private key but %T", rsaKey)
+		return nil, fmt.Errorf("PFX key is not an RSA private key but %T", key)
 	}
 
 	cred.ClientCert = cert

dcerpcauth/dcerpcauth.go

@@ -163,10 +163,14 @@ func DCERPCCredentials(ctx context.Context, creds *adauth.Credential, options *O
 		options.debug("Authenticating with NT hash")
 
 		return credential.NewFromNTHash(creds.LogonNameWithUpperCaseDomain(), creds.NTHash), nil
-	case creds.PasswordIsEmtpyString:
+	case creds.PasswordIsEmptyString:
 		options.debug("Authenticating with empty password")
 
-		return credential.NewFromPassword(strings.ToUpper(creds.Domain)+`\`+creds.Username, ""), nil
+		return credential.NewFromPassword(
+			strings.ToUpper(creds.Domain)+`\`+creds.Username,
+			"",
+			credential.AllowEmptyPassword(),
+		), nil
 	case creds.ClientCert != nil:
 		options.debug("Authenticating with client certificate (PKINIT)")
 

ldapauth/gssapi.go

@@ -254,7 +254,7 @@ func (client *gssapiClient) InitSecContextWithOptions(
 		}
 
 		if token.IsKRBError() {
-			return nil, !false, token.KRBError
+			return nil, true, token.KRBError
 		}
 
 		return make([]byte, 0), !completed, nil

ldapauth/ldap.go

@@ -162,6 +162,8 @@ func connect(ctx context.Context, target *adauth.Target, opts *Options) (conn *l
 
 			err = tlsConn.HandshakeContext(ctx)
 			if err != nil {
+				_ = tcpConn.Close()
+
 				return nil, err
 			}
 
@@ -217,9 +219,9 @@ func bind(
 	switch {
 	case opts.SimpleBind:
 		switch {
-		case creds.Password == "" && !creds.PasswordIsEmtpyString:
+		case creds.Password == "" && !creds.PasswordIsEmptyString:
 			return fmt.Errorf("specify a password for simple bind or -p '' for an unauthenticated simple bind")
-		case creds.Password == "" && creds.PasswordIsEmtpyString:
+		case creds.Password == "" && creds.PasswordIsEmptyString:
 			opts.Debug("using unauthenticated simple bind")
 		default:
 			opts.Debug("authenticating with simple bind")
@@ -228,15 +230,15 @@ func bind(
 		_, err = conn.SimpleBind(&ldap.SimpleBindRequest{
 			Username:           creds.UPN(),
 			Password:           creds.Password,
-			AllowEmptyPassword: creds.PasswordIsEmtpyString,
+			AllowEmptyPassword: creds.PasswordIsEmptyString,
 		})
 		if err != nil {
 			return fmt.Errorf("simple bind: %w", err)
 		}
 	case !target.UseKerberos && creds.ClientCert == nil:
 		opts.Debug("authenticating using NTLM bind")
 
-		if !creds.PasswordIsEmtpyString && (creds.Password == "" && creds.NTHash == "") {
+		if !creds.PasswordIsEmptyString && (creds.Password == "" && creds.NTHash == "") {
 			return fmt.Errorf("no credentials available for NTLM")
 		}
 
@@ -245,7 +247,7 @@ func bind(
 			Username:           creds.Username,
 			Password:           creds.Password,
 			Hash:               creds.NTHash,
-			AllowEmptyPassword: creds.PasswordIsEmtpyString,
+			AllowEmptyPassword: creds.PasswordIsEmptyString,
 		}
 
 		tlsState, ok := conn.TLSConnectionState()
@@ -347,7 +349,7 @@ func kerberosClient(
 	}
 
 	switch {
-	case creds.Password != "" || creds.PasswordIsEmtpyString:
+	case creds.Password != "" || creds.PasswordIsEmptyString:
 		opts.Debug("authenticating using GSSAPI bind (password)")
 
 		authClient = &gssapiClient{

options.go

@@ -279,7 +279,7 @@ func (opts *Options) preliminaryCredential() (*Credential, error) {
 		AESKey:                aesKey,
 		CCache:                ccache,
 		dc:                    opts.DomainController,
-		PasswordIsEmtpyString: opts.Password == "" && (opts.flagset != nil && opts.flagset.Changed("password")),
+		PasswordIsEmptyString: opts.Password == "" && (opts.flagset != nil && opts.flagset.Changed("password")),
 		CCacheIsFromEnv:       opts.CCache != "" && (opts.flagset != nil && !opts.flagset.Changed("ccache")),
 		Resolver:              opts.Resolver,
 	}

pkinit/asrep.go

@@ -85,15 +85,15 @@ func ExtractNegotiatedKey(
 		return ekey, fmt.Errorf("unmarshal key info: %w", err)
 	}
 
-	if len(keyInfo.SubjectPublicKey.Bytes) < 7 {
-		return ekey, fmt.Errorf("public key is too short")
-	}
-
 	pubkeyData, err := asn1.Marshal(keyInfo.SubjectPublicKey)
 	if err != nil {
 		return ekey, fmt.Errorf("marshal public key: %w", err)
 	}
 
+	if len(pubkeyData) < 7 {
+		return ekey, fmt.Errorf("public key is too short")
+	}
+
 	pubKey := big.NewInt(0)
 	pubKey.SetBytes(pubkeyData[7:])
 

pkinit/diffie_hellman.go

@@ -7,9 +7,9 @@ import (
 )
 
 var (
-	// DiffieHellmanPrime is the Diffie Hellman prime (P) that is acccepted by PKINIT.
+	// DiffieHellmanPrime is the Diffie Hellman prime (P) that is accepted by PKINIT.
 	DiffieHellmanPrime = big.NewInt(0)
-	// DiffieHellmanPrime is the Diffie Hellman base (G) that is acccepted by PKINIT.
+	// DiffieHellmanBase is the Diffie Hellman base (G) that is accepted by PKINIT.
 	DiffieHellmanBase = big.NewInt(2)
 )