sshwot/src/check_fingerprint.py


import enum
import entry
import hashing
# TODO: Include a thing for checking what hosts match a given fingerprint
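def check_fingerprint(entries, domain, port, fingerprint):
    """check_fingerprint([Entry], str, u16, bytes[32]) → ([str]: successes, [str]: fails)

    Checks if the given host is found with the given fingerprint.

    Each entry is tested by hashing the normalized host with that entry's
    salt and comparing the result with the entry's stored hashed host.

    The successes and fails lists returned by the function have the
    comments for the hosts that match and have the same fingerprint and
    the hosts that match but have a different fingerprint, respectively.
    Both lists are empty when no entry matches the host.

    NOTE(review): both lists can be non-empty at once (different entries
    for the same host may carry different fingerprints); how to treat
    that case is left to the caller.

    Raises AssertionError if an argument has the wrong type or range.
    """
    # Validate with explicit raises instead of `assert` statements:
    # asserts are stripped under `python -O`, which would silently drop
    # the checks on a host-key verification path. AssertionError is kept
    # so the exception type seen by existing callers does not change.
    if not (type(entries) is list and all(type(i) is entry.Entry for i in entries)):
        raise AssertionError("entries must be a list of entry.Entry")
    if type(domain) is not str:
        raise AssertionError("domain must be a str")
    # Exact type check on purpose: bool is a subclass of int and was
    # rejected by the original check as well.
    if not (type(port) is int and 0 <= port <= (1 << 16) - 1):
        raise AssertionError("port must be an int in the range 0..65535")
    if not (type(fingerprint) is bytes and len(fingerprint) == 32):
        raise AssertionError("fingerprint must be exactly 32 bytes")

    # Normalize the host here, so we don't have to do it every time we
    # check for a possible match
    normalized_hosts = [entry.normalize_host(domain, port)]

    # If we are looking at non-22 port, also check the general form of
    # the host without a port specifier. This seems to be how OpenSSH
    # does it too
    if port != 22:
        normalized_hosts.append(entry.normalize_host(domain, 22))

    successes = []
    fails = []

    for possible_match in entries:
        for normalized_host in normalized_hosts:
            # Host names are stored salted and hashed, so the candidate
            # has to be re-hashed with each entry's own salt.
            hashed_host = hashing.hash_with_salt(normalized_host, possible_match.salt)
            if hashed_host != possible_match.hashed_host:
                continue

            if fingerprint == possible_match.fingerprint:
                # Fingerprint matches, it passes
                successes.append(possible_match.comment)
            else:
                # Fingerprint different, it fails
                fails.append(possible_match.comment)

    return successes, fails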