Check hostkey type when validating hostkey

Signed-off-by: Philip Laine <philip.laine@gmail.com>
fluxcd · Feb 11, 2021 · 72d2ef5 · 72d2ef5
1 parent c32d11c
commit 72d2ef5
Showing 1 changed file with 22 additions and 4 deletions.
diff --git a/pkg/git/libgit2/transport.go b/pkg/git/libgit2/transport.go
@@ -19,9 +19,12 @@ package libgit2
 import (
 	"bufio"
 	"bytes"
+	"crypto/md5"
 	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/x509"
 	"fmt"
+	"hash"
 	"net/url"
 	"strings"
 
@@ -135,7 +138,7 @@ func (s *PublicKeyAuth) Method(secret corev1.Secret) (*git.Auth, error) {
 	}
 	certCallback := func(cert *git2go.Certificate, valid bool, hostname string) git2go.ErrorCode {
 		for _, k := range kk {
-			if k.matches(hostname, cert.Hostkey.HashSHA1[:]) {
+			if k.matches(hostname, cert.Hostkey) {
 				return git2go.ErrOk
 			}
 		}
@@ -173,13 +176,28 @@ func parseKnownHosts(s string) ([]knownKey, error) {
 	return knownHosts, nil
 }
 
-func (k knownKey) matches(host string, key []byte) bool {
+func (k knownKey) matches(host string, hostkey git2go.HostkeyCertificate) bool {
 	if !containsHost(k.hosts, host) {
 		return false
 	}
 
-	hash := sha1.Sum([]byte(k.key.Marshal()))
-	if bytes.Compare(hash[:], key) != 0 {
+	var fingerprint []byte
+	var hasher hash.Hash
+	switch hostkey.Kind {
+	case git2go.HostkeyMD5:
+		fingerprint = hostkey.HashMD5[:]
+		hasher = md5.New()
+	case git2go.HostkeySHA1:
+		fingerprint = hostkey.HashSHA1[:]
+		hasher = sha1.New()
+	case git2go.HostkeySHA256:
+		fingerprint = hostkey.HashSHA256[:]
+		hasher = sha256.New()
+	default:
+		return false
+	}
+	hasher.Write(k.key.Marshal())
+	if bytes.Compare(hasher.Sum(nil), fingerprint) != 0 {
 		return false
 	}