ssh/knownhosts: fix hashed hostname component count in error message

kke · kke · commit de728eaa8be3 · 2024-04-15T10:23:04.000+03:00
Correct the component splitting in the nextWord function to omit the
initial empty element when decoding the pipe-separated hostname hash.

Previously, the error message incorrectly counted this empty element,
leading to misleading errors like:

  knownhosts: got 3 components, want 3

This change makes the component split start from index 1.

The existing tests cover the changed code.

Signed-off-by: Kimmo Lehto &lt;klehto@mirantis.com&gt;
diff --git a/ssh/knownhosts/knownhosts.go b/ssh/knownhosts/knownhosts.go
@@ -481,17 +481,17 @@ func decodeHash(encoded string) (hashType string, salt, hash []byte, err error)
 		err = errors.New("knownhosts: hashed host must start with '|'")
 		return
 	}
-	components := strings.Split(encoded, "|")
-	if len(components) != 4 {
+	components := strings.Split(encoded[1:], "|")
+	if len(components) != 3 {
 		err = fmt.Errorf("knownhosts: got %d components, want 3", len(components))
 		return
 	}
 
-	hashType = components[1]
-	if salt, err = base64.StdEncoding.DecodeString(components[2]); err != nil {
+	hashType = components[0]
+	if salt, err = base64.StdEncoding.DecodeString(components[1]); err != nil {
 		return
 	}
-	if hash, err = base64.StdEncoding.DecodeString(components[3]); err != nil {
+	if hash, err = base64.StdEncoding.DecodeString(components[2]); err != nil {
 		return
 	}
 	return
diff --git a/ssh/knownhosts/knownhosts_test.go b/ssh/knownhosts/knownhosts_test.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net"
 	"reflect"
+	"strings"
 	"testing"
 
 	"golang.org/x/crypto/ssh"
@@ -292,13 +293,27 @@ const encodedTestHostnameHash = "|1|IHXZvQMvTcZTUU29+2vXFgx8Frs=|UGccIWfRVDwilMB
 
 func TestHostHash(t *testing.T) {
 	testHostHash(t, testHostname, encodedTestHostnameHash)
+	testHostHashDecode(t)
 }
 
 func TestHashList(t *testing.T) {
 	encoded := HashHostname(testHostname)
 	testHostHash(t, testHostname, encoded)
 }
 
+func testHostHashDecode(t *testing.T) {
+	for in, want := range map[string]string{
+		"1":                    "must start with '|'",
+		"|typ|salt":            "got 2 components",
+		"|typ|salt|hash|extra": "got 4 components",
+	} {
+		_, _, _, err := decodeHash(in)
+		if err == nil || !strings.Contains(err.Error(), want) {
+			t.Fatalf("decodeHash: expected error to match %q, got %v", want, err)
+		}
+	}
+}
+
 func testHostHash(t *testing.T, hostname, encoded string) {
 	typ, salt, hash, err := decodeHash(encoded)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -481,17 +481,17 @@ func decodeHash(encoded string) (hashType string, salt, hash []byte, err error)`
`481`	`481`	`err = errors.New("knownhosts: hashed host must start with '\|'")`
`482`	`482`	`return`
`483`	`483`	`}`
`484`		`- components := strings.Split(encoded, "\|")`
`485`		`- if len(components) != 4 {`
	`484`	`+ components := strings.Split(encoded[1:], "\|")`
	`485`	`+ if len(components) != 3 {`
`486`	`486`	`err = fmt.Errorf("knownhosts: got %d components, want 3", len(components))`
`487`	`487`	`return`
`488`	`488`	`}`
`489`	`489`
`490`		`- hashType = components[1]`
`491`		`- if salt, err = base64.StdEncoding.DecodeString(components[2]); err != nil {`
	`490`	`+ hashType = components[0]`
	`491`	`+ if salt, err = base64.StdEncoding.DecodeString(components[1]); err != nil {`
`492`	`492`	`return`
`493`	`493`	`}`
`494`		`- if hash, err = base64.StdEncoding.DecodeString(components[3]); err != nil {`
	`494`	`+ if hash, err = base64.StdEncoding.DecodeString(components[2]); err != nil {`
`495`	`495`	`return`
`496`	`496`	`}`
`497`	`497`	`return`