From: Daniel Stenberg Date: Thu, 6 Feb 2025 07:16:35 +0000 (+0100) Subject: libssh: drop support for libssh older than 0.9.0 X-Git-Tag: curl-8_12_1~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba9229627901228c2f8ce1c504196b395317ef5d;p=thirdparty%2Fcurl.git libssh: drop support for libssh older than 0.9.0 libssh 0.9.0 was shipped on June 28 2019 and is the first version featuring the knownhosts API Drop libssh from the GHA/linux-old CI job since it gets a libssh 0.7.3 version, too old for us now. Closes #16200 --- diff --git a/.github/workflows/linux-old.yml b/.github/workflows/linux-old.yml index 3878e80862..8ad3bc00d3 100644 --- a/.github/workflows/linux-old.yml +++ b/.github/workflows/linux-old.yml @@ -91,12 +91,14 @@ jobs: echo '::group::raw'; cat bld-1/lib/curl_config.h || true; echo '::endgroup::' grep -F '#define' bld-1/lib/curl_config.h | sort || true - - name: 'cmake generate (out-of-tree, c-ares, libssh, zstd, gssapi)' + # when this job can get a libssh version 0.9.0 or later, this should get + # that enabled again + - name: 'cmake generate (out-of-tree, c-ares, zstd, gssapi)' run: | mkdir bld-cares cd bld-cares cmake .. -DCMAKE_UNITY_BUILD=ON -DCURL_TEST_BUNDLES=ON -DCURL_WERROR=ON -DBUILD_SHARED_LIBS=ON \ - -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=ON -DUSE_LIBRTMP=ON \ + -DENABLE_ARES=ON -DCURL_USE_GSSAPI=ON -DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=OFF -DUSE_LIBRTMP=ON \ -DCURL_LIBCURL_VERSIONED_SYMBOLS=ON - name: 'cmake curl_config.h' 
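Review bot: With `-DCURL_USE_LIBSSH2=OFF -DCURL_USE_LIBSSH=OFF` the cmake step now builds with no SSH backend at all, so this build no longer compiles the lib/vssh code under `-DCURL_WERROR=ON`. The autotools step in the next hunk keeps SSH coverage by switching to `--with-libssh2`. If libssh2 is available in this image (the autotools change suggests so, but the package list is outside the hunk) and no other step already covers it, `-DCURL_USE_LIBSSH2=ON -DCURL_USE_LIBSSH=OFF` would keep the SCP/SFTP sources built here as well. The autotools step also lacks the reminder added above this one; a matching `# switch back to libssh when this job can get 0.9.0 or later` comment would keep the two steps in sync.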
@@ -121,12 +123,12 @@ jobs: - name: 'autoreconf' run: autoreconf -if - - name: 'configure (out-of-tree, c-ares, libssh, zstd, gssapi)' + - name: 'configure (out-of-tree, c-ares, libssh2, zstd, gssapi)' run: | mkdir bld-am cd bld-am ../configure --disable-dependency-tracking --enable-unity --enable-test-bundles --enable-warnings --enable-werror \ - --with-openssl --enable-ares --with-libssh --with-zstd --with-gssapi --with-librtmp \ + --with-openssl --enable-ares --with-libssh2 --with-zstd --with-gssapi --with-librtmp \ --prefix="$PWD"/../install-am - name: 'autoconf curl_config.h' diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md index 6a291f6535..620839dafe 100644 --- a/docs/INTERNALS.md +++ b/docs/INTERNALS.md @@ -29,6 +29,7 @@ versions of libs and build tools. - zlib 1.2.0.4 - libssh2 1.2.8 - c-ares 1.6.0 + - libssh 0.9.0 - libidn2 2.0.0 - wolfSSL 3.4.6 - OpenLDAP 2.0 diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c index 7e2d1d7f19..2390967d91 100644 --- a/lib/vssh/libssh.c +++ b/lib/vssh/libssh.c @@ -342,17 +342,11 @@ static int myssh_is_known(struct Curl_easy *data) struct curl_khkey *knownkeyp = NULL; curl_sshkeycallback func = data->set.ssh_keyfunc; - -#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,9,0) struct ssh_knownhosts_entry *knownhostsentry = NULL; struct curl_khkey knownkey; -#endif -#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,8,0) rc = ssh_get_server_publickey(sshc->ssh_session, &pubkey); -#else - rc = ssh_get_publickey(sshc->ssh_session, &pubkey); -#endif + if(rc != SSH_OK) return rc; @@ -388,7 +382,6 @@ static int myssh_is_known(struct Curl_easy *data) if(data->set.str[STRING_SSH_KNOWNHOSTS]) { -#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,9,0) /* Get the known_key from the known hosts file */ vstate = ssh_session_get_known_hosts_entry(sshc->ssh_session, &knownhostsentry); 
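Review bot: In the first lib/vssh/libssh.c hunk, `struct curl_khkey knownkey;` is now declared unconditionally but has no initializer, unlike `knownkeyp` and `knownhostsentry` beside it. Its address is presumably what `knownkeyp` is set to before the host-key callback runs, and whether every such path fills all of its fields lies outside the hunk. Zero-initialising it would keep an unset field from reaching the callback as stack garbage: `struct curl_khkey knownkey = {0};`. myssh_is_known() starts and ends outside this hunk, so the assignments themselves should be checked against the full function.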
@@ -446,22 +439,6 @@ static int myssh_is_known(struct Curl_easy *data) break; } -#else - vstate = ssh_is_server_known(sshc->ssh_session); - switch(vstate) { - case SSH_SERVER_KNOWN_OK: - keymatch = CURLKHMATCH_OK; - break; - case SSH_SERVER_FILE_NOT_FOUND: - case SSH_SERVER_NOT_KNOWN: - keymatch = CURLKHMATCH_MISSING; - break; - default: - keymatch = CURLKHMATCH_MISMATCH; - break; - } -#endif - if(func) { /* use callback to determine action */ rc = ssh_pki_export_pubkey_base64(pubkey, &found_base64); if(rc != SSH_OK) @@ -478,18 +455,14 @@ static int myssh_is_known(struct Curl_easy *data) foundkey.keytype = CURLKHTYPE_RSA1; break; case SSH_KEYTYPE_ECDSA: -#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,9,0) case SSH_KEYTYPE_ECDSA_P256: case SSH_KEYTYPE_ECDSA_P384: case SSH_KEYTYPE_ECDSA_P521: -#endif foundkey.keytype = CURLKHTYPE_ECDSA; break; -#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,7,0) case SSH_KEYTYPE_ED25519: foundkey.keytype = CURLKHTYPE_ED25519; break; -#endif case SSH_KEYTYPE_DSS: foundkey.keytype = CURLKHTYPE_DSS; break; @@ -506,11 +479,7 @@ static int myssh_is_known(struct Curl_easy *data) switch(rc) { case CURLKHSTAT_FINE_ADD_TO_FILE: -#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,8,0) rc = ssh_session_update_known_hosts(sshc->ssh_session); -#else - rc = ssh_write_knownhost(sshc->ssh_session); -#endif if(rc != SSH_OK) { goto cleanup; } @@ -541,11 +510,9 @@ cleanup: if(hash) ssh_clean_pubkey_hash(&hash); ssh_key_free(pubkey); -#if LIBSSH_VERSION_INT >= SSH_VERSION_INT(0,9,0) if(knownhostsentry) { ssh_knownhosts_entry_free(knownhostsentry); } -#endif return rc; } diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h index 62960fa13d..bc8214d13f 100644 --- a/lib/vssh/ssh.h +++ b/lib/vssh/ssh.h 
@@ -214,6 +214,12 @@ struct ssh_conn { #endif /* USE_LIBSSH */ }; +#ifdef USE_LIBSSH +#if LIBSSH_VERSION_INT < SSH_VERSION_INT(0, 9, 0) +# error "SCP/SFTP protocols require libssh 0.9.0 or later" +#endif +#endif + #if defined(USE_LIBSSH2) /* Feature detection based on version numbers to better work with
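Review bot: The `#error` added after `struct ssh_conn` is the only enforcement of the 0.9.0 floor visible in this commit. No configure or CMake detection is touched here, so a build against an older libssh would get through configuration and only fail when ssh.h is compiled; a version check in the build-system detection would report it earlier. The guard also depends on `LIBSSH_VERSION_INT` and `SSH_VERSION_INT` already being defined at this point, which requires the libssh header to be included earlier in ssh.h, outside the hunk. A short comment would record why the floor exists, for example `/* 0.9.0 is the first libssh with the knownhosts API used by myssh_is_known() */`.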