From: Viktor Szakats
Date: Sun, 23 Mar 2025 20:53:49 +0000 (+0100)
Subject: libssh2: fix to ignore `known_hosts` if SHA256 host public key is set
X-Git-Tag: curl-8_13_0~95
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cd7eb9e0f2063e5733e2481569bcbc2883704d20;p=thirdparty%2Fcurl.git

libssh2: fix to ignore `known_hosts` if SHA256 host public key is set

Syncing behavior with MD5 host public keys.

libcurl implemented to force a host key type for hosts present in `known_hosts`, and disabled this logic when an MD5 host public key is explicitly set.

libcurl later received support for SHA256 host public keys. This update missed extending the `known_hosts` logic with the new key type.

This caused test 3022 to fail if a pre-existing `known_hosts` listed the test server IP (127.0.0.1) with a non-RSA host key algo.

Follow-up to d1e7d9197b7fe417fb4d62aad5ea8f15a06d906c #7646
Follow-up to 272282a05416e42d2cc4a847a31fd457bc6cc827 #4747

Closes #16805
---
diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c index 2447d1ddf9..c2e2223519 100644 --- a/lib/vssh/libssh2.c +++ b/lib/vssh/libssh2.c @@ -796,7 +796,9 @@ static CURLcode ssh_force_knownhost_key_type(struct Curl_easy *data) int port = 0; bool found = FALSE; - if(sshc->kh && !data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) { + if(sshc->kh && + !data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5] && + !data->set.str[STRING_SSH_HOST_PUBLIC_KEY_SHA256]) { /* lets try to find our host in the known hosts file */ while(!libssh2_knownhost_get(sshc->kh, &store, store)) { /* For non-standard ports, the name will be enclosed in */
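Review bot: The widened condition in `ssh_force_knownhost_key_type()` has no comment explaining why an explicitly set MD5 or SHA256 host public key disables the `known_hosts` key-type forcing; the only comment in the block ("lets try to find our host in the known hosts file") describes the lookup, not the skip. A short comment above `if(sshc->kh &&` saying that a configured host key fingerprint takes precedence over `known_hosts` would make the intent visible and lower the chance that a future fingerprint type is left out of this check, which is how the commit message says SHA256 was missed. Because the two `STRING_SSH_HOST_PUBLIC_KEY_*` tests now express a single idea, they could also be folded into one local boolean so there is one place to extend. The commit message cites test 3022 failing against a pre-existing `known_hosts` entry with a non-RSA key, but the visible hunk adds no test change; it is worth confirming that this case is exercised deterministically rather than depending on the contents of the tester's own `known_hosts`.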