From 711446d04e71353f0bdcaf76dc342bfd058e104d Mon Sep 17 00:00:00 2001
From: Shwetha Gururaj
Date: Mon, 18 Nov 2024 11:11:18 -0500
Subject: [PATCH] Add nonbase64 sha256 support [v8] (#3307)

* Add sha256 support

* Add negative test
---
 util/clissh/ssh.go | 13 ++++++++++---
 util/clissh/ssh_test.go | 22 ++++++++++++++++++++++
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/util/clissh/ssh.go b/util/clissh/ssh.go
index a6f32ce7115..b4f29212428 100644
--- a/util/clissh/ssh.go
+++ b/util/clissh/ssh.go
@@ -5,6 +5,7 @@ import (
 "crypto/sha1"
 "crypto/sha256"
 "encoding/base64"
+ "encoding/hex"
 "errors"
 "fmt"
 "io"
@@ -28,6 +29,7 @@ const (
 md5FingerprintLength = 47 // inclusive of space between bytes
 hexSha1FingerprintLength = 59 // inclusive of space between bytes
 base64Sha256FingerprintLength = 43
+ sha256FingerprintLength = 64
 DefaultKeepAliveInterval = 30 * time.Second
 )
@@ -331,9 +333,12 @@ func (c *SecureShell) terminalType() string {
 return term
 }

-func base64Sha256Fingerprint(key ssh.PublicKey) string {
+func sha256Fingerprint(key ssh.PublicKey, encode bool) string {
 sum := sha256.Sum256(key.Marshal())
- return base64.RawStdEncoding.EncodeToString(sum[:])
+ if encode {
+ return base64.RawStdEncoding.EncodeToString(sum[:])
+ }
+ return hex.EncodeToString(sum[:])
 }

 func copyAndClose(wg *sync.WaitGroup, dest io.WriteCloser, src io.Reader) {
@@ -364,8 +369,10 @@ func fingerprintCallback(skipHostValidation bool, expectedFingerprint string) ss
 var fingerprint string
 switch len(expectedFingerprint) {
+ case sha256FingerprintLength:
+ fingerprint = sha256Fingerprint(key, false)
 case base64Sha256FingerprintLength:
- fingerprint = base64Sha256Fingerprint(key)
+ fingerprint = sha256Fingerprint(key, true)
 case hexSha1FingerprintLength:
 fingerprint = hexSha1Fingerprint(key)
 case md5FingerprintLength:
diff --git a/util/clissh/ssh_test.go b/util/clissh/ssh_test.go
index 5b7a2a7c2a9..46a03b32181 100644
--- a/util/clissh/ssh_test.go
+++ b/util/clissh/ssh_test.go
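Review bot: In `fingerprintCallback`, the new `case sha256FingerprintLength:` treats any 64-character expected value as lowercase hex, which is the only spelling `hex.EncodeToString` produces; if the comparison that follows (outside the hunk) is a plain string compare, an operator who pastes uppercase hex gets `Host key verification failed` for a correct key. Lower-casing the expected value in the hex cases before comparing, `expectedFingerprint = strings.ToLower(expectedFingerprint)`, keeps the check fail-closed while accepting both spellings (the existing hex SHA-1 path presumably has the same exposure); if only lowercase is intended, the error text and the flag's help should say so. The `encode bool` flag on `sha256Fingerprint` reads poorly at its call sites (`sha256Fingerprint(key, true)`), and the file already names its SHA-1 variant `hexSha1Fingerprint`, so keeping `base64Sha256Fingerprint` and adding `hexSha256Fingerprint` with a matching `hexSha256FingerprintLength` constant would follow that convention. Whichever shape stays, give it a doc comment such as `// sha256Fingerprint returns the SHA-256 of the marshalled host key, base64 (RawStdEncoding, no padding) when encode is true, otherwise lowercase hex.` `fingerprintCallback` continues past the end of the hunk.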
@@ -253,6 +253,28 @@ var _ = Describe("CLI SSH", Serial, FlakeAttempts(9), func() {
 })
 })

+ Context("when the sha256 fingerprint matches", func() {
+ BeforeEach(func() {
+ sshEndpointFingerprint = "b29fe3acbba3ebaafecab2c350a65d254e6d773b789aafd469288d063a60afef"
+ })
+
+ It("does not return an error", func() {
+ Expect(callback("", addr, TestHostKey.PublicKey())).ToNot(HaveOccurred())
+ })
+ })
+
+ When("the SHA256 fingerprint does not match", func() {
+ BeforeEach(func() {
+ sshEndpointFingerprint = "0000000000000000000000000000000000000000000000000000000000000000"
+ })
+
+ It("returns an error'", func() {
+ err := callback("", addr, TestHostKey.PublicKey())
+ Expect(err).To(MatchError(MatchRegexp(`Host key verification failed\.`)))
+ Expect(err).To(MatchError(MatchRegexp("The fingerprint of the received key was \".*\"")))
+ })
+ })
+
 When("the base64 SHA256 fingerprint does not match", func() {
 BeforeEach(func() {
 sshEndpointFingerprint = "0000000000000000000000000000000000000000000"
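Review bot: The negative case's second assertion, `MatchRegexp("The fingerprint of the received key was \".*\"")`, accepts any quoted value, so it would not catch the callback reporting the received key in base64 or SHA-1 form when the operator supplied a 64-character hex value; pinning it to the hex string used in the positive case, `MatchRegexp("received key was \"b29fe3acbba3ebaafecab2c350a65d254e6d773b789aafd469288d063a60afef\"")`, is what makes the error actionable for someone comparing fingerprints by eye. The description `It("returns an error'", ...)` carries a stray apostrophe, and the positive block opens with `Context("when the sha256 fingerprint matches"` while its siblings use `When("the SHA256 ...")`, so the spec output reads inconsistently. Both new blocks hard-code the fingerprint of `TestHostKey` rather than deriving it; if that mirrors the existing base64 case it is fine, but a one-line comment saying how the constant was produced (e.g. `// hex SHA-256 of TestHostKey.PublicKey().Marshal()`) would spare the next person who regenerates the key. The enclosing `Describe` block begins and ends outside the hunk.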