Merge pull request #539 from akutz/bugfix/known-host-order

Known Host Order Fix
thecodeteam · May 3, 2017 · 1937a13 · 1937a13
2 parents 70f37c9 + 79301d9
commit 1937a13
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 14 deletions.
diff --git a/.tls/known_hosts b/.tls/known_hosts
@@ -1 +1,4 @@
+google.com sha256 6C:50:E0:17:09:61:75:22:64:CD:36:B4:6C:37:D0:C4:A6:DA:82:3D:77:F6:21:D5:3A:EC:FE:22:D8:EE:71:B7
+utexas.edu sha256 A3:0E:DA:2D:9B:5F:25:7A:23:5C:D3:7B:A8:94:7D:FD:76:6D:05:F3:F3:D4:1F:05:F9:BA:A1:80:97:E0:8E:91
 127.0.0.1 sha256 52:C7:5D:00:1B:E7:33:66:14:3C:47:07:77:59:9C:94:F1:EA:76:00:41:B1:9D:71:0B:80:05:1F:F7:2D:6B:69
+dell.com sha256 71:ED:4F:CA:BC:C8:95:A8:10:B1:B5:B4:98:2D:A6:FC:E9:A7:F3:C4:08:56:59:5B:70:45:F2:D8:5D:A1:7C:47
diff --git a/drivers/storage/libstorage/libstorage_driver_tls.go b/drivers/storage/libstorage/libstorage_driver_tls.go
@@ -26,7 +26,14 @@ func verifyKnownHost(
 		return false, nil
 	}
 
-	return verifyPeerCerts(ctx, host, knownHost, peerCerts)
+	ok, err := verifyPeerCerts(ctx, host, knownHost, peerCerts)
+	if err != nil {
+		return false, err
+	}
+	if ok {
+		return true, nil
+	}
+	return false, newErrKnownHost(host, peerCerts)
 }
 
 func verifyKnownHostFiles(
@@ -128,30 +135,31 @@ func verifyPeerCerts(
 		ctx.WithFields(logFields).Debug(
 			"comparing tls known host information")
 
-		// are the fingerprints equal?
-		if bytes.EqualFold(knownHost.Fingerprint, certFP) {
+		// does the targeted host equal the saved, known host name?
+		if strings.EqualFold(host, knownHost.Host) {
+
+			// are the fingerprints equal? if so this is a validated,
+			// known host
+			if bytes.EqualFold(knownHost.Fingerprint, certFP) {
 
-			// if the targeted host equals the saved, known host name
-			// then this is a validated known host
-			if strings.EqualFold(host, knownHost.Host) {
 				ctx.WithFields(logFields).Debug(
 					"matched tls known host information")
+
 				return true, nil
 			}
 
-			// the targeted host does not equal the saved, known host
-			// name which has an associated signature that matches
-			// the remote, peer's signature. this means there is a
-			// possible mitm attack where a remote host has usurped
-			// another host's identity
+			// the saved fingerprint does not equal the remote, peer
+			// fingerprint meaning there is a possible mitm attack
+			// where a remote host has usurped another host's identity
 			ctx.WithFields(logFields).Error(
 				"known host conflict has occurred")
 
 			return false, newErrKnownHostConflict(host, knownHost)
 		}
+
 	}
 
-	return false, newErrKnownHost(host, peerCerts)
+	return false, nil
 }
 
 func newErrKnownHost(host string, peerCerts []*x509.Certificate) error {

diff --git a/drivers/storage/vfs/tests/vfs_test.go b/drivers/storage/vfs/tests/vfs_test.go
@@ -154,10 +154,10 @@ func TestClientKnownHostConflict(t *testing.T) {
 	}
 
 	const (
-		host        = "libstorage-server2"
+		host        = "127.0.0.1"
 		alg         = "sha256"
 		fingerprint = `52:C7:5D:00:1B:E7:33:66:14:3C:47:07:77:59:9C:` +
-			`94:F1:EA:76:00:41:B1:9D:71:0B:80:05:1F:F7:2D:6B:69`
+			`94:F1:EA:76:00:41:B1:9D:71:0B:80:05:1F:F7:2D:6B:6B`
 		knownHostEntry  = host + " " + alg + " " + fingerprint
 		knownHostConfig = `
 test: