Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add nonbase64 sha256 support [main] #3306

Merged
merged 1 commit into from
Nov 18, 2024
Merged

Add nonbase64 sha256 support [main] #3306

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 10 additions & 3 deletions util/clissh/ssh.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ import (
"crypto/sha1"
"crypto/sha256"
"encoding/base64"
"encoding/hex"
"errors"
"fmt"
"io"
Expand All @@ -28,6 +29,7 @@ const (
md5FingerprintLength = 47 // inclusive of space between bytes
hexSha1FingerprintLength = 59 // inclusive of space between bytes
base64Sha256FingerprintLength = 43
sha256FingerprintLength = 64

DefaultKeepAliveInterval = 30 * time.Second
)
Expand Down Expand Up @@ -331,9 +333,12 @@ func (c *SecureShell) terminalType() string {
return term
}

func base64Sha256Fingerprint(key ssh.PublicKey) string {
func sha256Fingerprint(key ssh.PublicKey, encode bool) string {
sum := sha256.Sum256(key.Marshal())
return base64.RawStdEncoding.EncodeToString(sum[:])
if encode {
return base64.RawStdEncoding.EncodeToString(sum[:])
}
return hex.EncodeToString(sum[:])
}

func copyAndClose(wg *sync.WaitGroup, dest io.WriteCloser, src io.Reader) {
Expand Down Expand Up @@ -364,8 +369,10 @@ func fingerprintCallback(skipHostValidation bool, expectedFingerprint string) ss
var fingerprint string

switch len(expectedFingerprint) {
case sha256FingerprintLength:
fingerprint = sha256Fingerprint(key, false)
case base64Sha256FingerprintLength:
fingerprint = base64Sha256Fingerprint(key)
fingerprint = sha256Fingerprint(key, true)
case hexSha1FingerprintLength:
fingerprint = hexSha1Fingerprint(key)
case md5FingerprintLength:
Expand Down
22 changes: 22 additions & 0 deletions util/clissh/ssh_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -253,6 +253,28 @@ var _ = Describe("CLI SSH", Serial, FlakeAttempts(9), func() {
})
})

Context("when the sha256 fingerprint matches", func() {
BeforeEach(func() {
sshEndpointFingerprint = "b29fe3acbba3ebaafecab2c350a65d254e6d773b789aafd469288d063a60afef"
})

It("does not return an error", func() {
Expect(callback("", addr, TestHostKey.PublicKey())).ToNot(HaveOccurred())
})
})

When("the SHA256 fingerprint does not match", func() {
BeforeEach(func() {
sshEndpointFingerprint = "0000000000000000000000000000000000000000000000000000000000000000"
})

It("returns an error'", func() {
err := callback("", addr, TestHostKey.PublicKey())
Expect(err).To(MatchError(MatchRegexp(`Host key verification failed\.`)))
Expect(err).To(MatchError(MatchRegexp("The fingerprint of the received key was \".*\"")))
})
})

When("the base64 SHA256 fingerprint does not match", func() {
BeforeEach(func() {
sshEndpointFingerprint = "0000000000000000000000000000000000000000000"
Expand Down
Loading