libssh2: add SHA256 fingerprint support

Added support for SHA256 fingerprint in command line curl and in
libcurl.

Closes #7646

8 files changed, 122 insertions, 4 deletions

diff --git a/tests/.gitignore b/tests/.gitignore
index 00f787cc8..a8882b275 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -7,6 +7,7 @@ curl_client_knownhosts
 curl_host_rsa_key
 curl_host_rsa_key.pub
 curl_host_rsa_key.pub_md5
+curl_host_rsa_key.pub_sha256
 curl_sftp_cmds
 curl_sftp_config
 curl_ssh_config
diff --git a/tests/FILEFORMAT.md b/tests/FILEFORMAT.md
index 7a9c48204..df61c412f 100644
--- a/tests/FILEFORMAT.md
+++ b/tests/FILEFORMAT.md
@@ -148,6 +148,7 @@ Available substitute variables include:
 - `%SRCDIR` - Full path to the source dir
 - `%SSHPORT` - Port number of the SCP/SFTP server
 - `%SSHSRVMD5` - MD5 of SSH server's public key
+- `%SSHSRVSHA256` - SHA256 of SSH server's public key
 - `%SSH_PWD` - Current directory friendly for the SSH server
 - `%TESTNUMBER` - Number of the test case
 - `%TFTP6PORT` - IPv6 port number of the TFTP server
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 1f774ce4e..d906ca338 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -237,4 +237,4 @@ test2200 test2201 test2202 test2203 test2204 test2205 \
 \
 test3000 test3001 test3002 test3003 test3004 test3005 test3006 test3007 \
 test3008 test3009 test3010 test3011 test3012 test3013 test3014 test3015 \
-test3016 test3017 test3018 test3019 test3020
+test3016 test3017 test3018 test3019 test3020 test3021 test3022
diff --git a/tests/data/test3021 b/tests/data/test3021
new file mode 100644
index 000000000..0a02e1844
--- /dev/null
+++ b/tests/data/test3021
@@ -0,0 +1,44 @@
+<testcase>
+<info>
+<keywords>
+SFTP
+server sha256 key check
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+test
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+sftp
+</server>
+ <name>
+SFTP correct sha256 host key
+ </name>
+ <command>
+--hostpubsha256 %SSHSRVSHA256 --key curl_client_key --pubkey curl_client_key.pub -u %USER: sftp://%HOSTIP:%SSHPORT%SSH_PWD/log/file%TESTNUMBER.txt
+</command>
+<file name="log/file%TESTNUMBER.txt">
+test
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+0
+</errorcode>
+<valgrind>
+disable
+</valgrind>
+</verify>
+</testcase>
diff --git a/tests/data/test3022 b/tests/data/test3022
new file mode 100644
index 000000000..f3477909d
--- /dev/null
+++ b/tests/data/test3022
@@ -0,0 +1,44 @@
+<testcase>
+<info>
+<keywords>
+SCP
+server sha256 key check
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+test
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+scp
+</server>
+ <name>
+SCP correct sha256 host key
+ </name>
+ <command>
+--hostpubsha256 %SSHSRVSHA256 --key curl_client_key --pubkey curl_client_key.pub -u %USER: scp://%HOSTIP:%SSHPORT%SSH_PWD/log/file%TESTNUMBER.txt
+</command>
+<file name="log/file%TESTNUMBER.txt">
+test
+</file>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+0
+</errorcode>
+<valgrind>
+disable
+</valgrind>
+</verify>
+</testcase>
diff --git a/tests/runtests.pl b/tests/runtests.pl
index 38b76e878..9a1c169b6 100755
--- a/tests/runtests.pl
+++ b/tests/runtests.pl
@@ -168,6 +168,7 @@ my $proxy_address;
 my %custom_skip_reasons;
 
 my $SSHSRVMD5 = "[uninitialized]"; # MD5 of ssh server public key
+my $SSHSRVSHA256 = "[uninitialized]"; # SHA256 of ssh server public key
 my $VERSION="";          # curl's reported version number
 
 my $srcdir = $ENV{'srcdir'} || '.';
@@ -2287,6 +2288,17 @@ sub runsshserver {
         die $msg;
     }
 
+    my $hstpubsha256f = "curl_host_rsa_key.pub_sha256";
+    if(!open(PUBSHA256FILE, "<", $hstpubsha256f) ||
+       (read(PUBSHA256FILE, $SSHSRVSHA256, 48) == 0) ||
+       !close(PUBSHA256FILE))
+    {
+        my $msg = "Fatal: $srvrname pubkey sha256 missing : \"$hstpubsha256f\" : $!";
+        logmsg "$msg\n";
+        stopservers($verbose);
+        die $msg;
+    }
+
     logmsg "RUN: $srvrname on PID $pid2 port $wport\n" if($verbose);
 
     return ($pid2, $sshpid, $wport);
@@ -3374,6 +3386,7 @@ sub subVariables {
     $$thing =~ s/${prefix}USER/$USER/g;
 
     $$thing =~ s/${prefix}SSHSRVMD5/$SSHSRVMD5/g;
+    $$thing =~ s/${prefix}SSHSRVSHA256/$SSHSRVSHA256/g;
 
     # The purpose of FTPTIME2 and FTPTIME3 is to provide times that can be
     # used for time-out tests and that would work on most hosts as these
diff --git a/tests/sshhelp.pm b/tests/sshhelp.pm
index 0f71b3079..41047e9c6 100644
--- a/tests/sshhelp.pm
+++ b/tests/sshhelp.pm
@@ -51,6 +51,7 @@ use vars qw(
     $hstprvkeyf
     $hstpubkeyf
     $hstpubmd5f
+    $hstpubsha256f
     $cliprvkeyf
     $clipubkeyf
     @sftppath
@@ -84,6 +85,7 @@ use vars qw(
     $hstprvkeyf
     $hstpubkeyf
     $hstpubmd5f
+    $hstpubsha256f
     $cliprvkeyf
     $clipubkeyf
     display_sshdconfig
@@ -125,6 +127,7 @@ $knownhosts      = 'curl_client_knownhosts'; # ssh knownhosts file
 $hstprvkeyf      = 'curl_host_rsa_key';      # host private key file
 $hstpubkeyf      = 'curl_host_rsa_key.pub';  # host public key file
 $hstpubmd5f      = 'curl_host_rsa_key.pub_md5';  # md5 hash of host public key
+$hstpubsha256f   = 'curl_host_rsa_key.pub_sha256';  # sha256 hash of host public key
 $cliprvkeyf      = 'curl_client_key';        # client private key file
 $clipubkeyf      = 'curl_client_key.pub';    # client public key file
 
diff --git a/tests/sshserver.pl b/tests/sshserver.pl
index 412cab33e..526ed099f 100644
--- a/tests/sshserver.pl
+++ b/tests/sshserver.pl
@@ -30,6 +30,8 @@ use Cwd;
 use Cwd 'abs_path';
 use Digest::MD5;
 use Digest::MD5 'md5_hex';
+use Digest::SHA;
+use Digest::SHA 'sha256_base64';
 use MIME::Base64;
 
 #***************************************************************************
@@ -52,6 +54,7 @@ use sshhelp qw(
     $hstprvkeyf
     $hstpubkeyf
     $hstpubmd5f
+    $hstpubsha256f
     $cliprvkeyf
     $clipubkeyf
     display_sshdconfig
@@ -362,10 +365,12 @@ if((($sshid =~ /OpenSSH/) && ($sshvernum < 299)) ||
 if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) ||
    (! -e $hstpubkeyf) || (! -s $hstpubkeyf) ||
    (! -e $hstpubmd5f) || (! -s $hstpubmd5f) ||
+   (! -e $hstpubsha256f) || (! -s $hstpubsha256f) ||
    (! -e $cliprvkeyf) || (! -s $cliprvkeyf) ||
    (! -e $clipubkeyf) || (! -s $clipubkeyf)) {
     # Make sure all files are gone so ssh-keygen doesn't complain
-    unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f, $cliprvkeyf, $clipubkeyf);
+    unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f, $hstpubsha256f,
+           $cliprvkeyf, $clipubkeyf);
     logmsg 'generating host keys...' if($verbose);
     if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") {
         logmsg 'Could not generate host key';
@@ -379,7 +384,7 @@ if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) ||
     # Make sure that permissions are restricted so openssh doesn't complain
     system "chmod 600 $hstprvkeyf";
     system "chmod 600 $cliprvkeyf";
-    # Save md5 hash of public host key
+    # Save md5 and sha256 hashes of public host key
     open(RSAKEYFILE, "<$hstpubkeyf");
     my @rsahostkey = do { local $/ = ' '; <RSAKEYFILE> };
     close(RSAKEYFILE);
@@ -394,6 +399,13 @@ if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) ||
         logmsg 'Failed writing md5 hash of RSA host key';
         exit 1;
     }
+    open(PUBSHA256FILE, ">$hstpubsha256f");
+    print PUBSHA256FILE sha256_base64(decode_base64($rsahostkey[1]));
+    close(PUBSHA256FILE);
+    if((! -e $hstpubsha256f) || (! -s $hstpubsha256f)) {
+        logmsg 'Failed writing sha256 hash of RSA host key';
+        exit 1;
+    }
 }
 
 
@@ -1141,7 +1153,7 @@ elsif($verbose && ($rc >> 8)) {
 #***************************************************************************
 # Clean up once the server has stopped
 #
-unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f,
+unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f, $hstpubsha256f,
        $cliprvkeyf, $clipubkeyf, $knownhosts,
        $sshdconfig, $sshconfig, $sftpconfig);