
curl with SFTP fails to verify ECDSA keys present in known hosts files #5252

@ansasaki

Description


Initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=1824926

When the server uses an ECDSA key, curl fails to verify its entry in the known hosts file when accessing using SFTP.

Using RSA, ED25519, or DSA keys no error is generated and the download is successful.

I did this

In Fedora 32, using curl-7.69.1-1.fc32.x86_64

  1. Create an ECDSA key pair for the SSH server:
# ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
  2. Authorize the user key to access the SSH server (assuming the user has an RSA key):
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  3. Add the entry to the known_hosts file (double quotes, so the command substitution actually expands):
$ echo "localhost $(cat /etc/ssh/ssh_host_ecdsa_key.pub)" >> ~/.ssh/known_hosts
  4. Create a file to download:
$ dd if=/dev/zero of=~/testfile bs=1M count=1
  5. Restart the SSH server:
$ systemctl restart sshd
  6. Download using curl and SFTP:
$ curl -o ./sftp_file -u testuser: --key ~/.ssh/id_rsa \
  --pubkey ~/.ssh/id_rsa.pub sftp://localhost/home/$(whoami)/testfile

Then I get the following error:

curl: (60) SSL peer certificate or SSH remote key was not OK

I expected the following

No errors and the file is successfully downloaded

curl/libcurl version

[curl -V output]

curl 7.69.1 (x86_64-redhat-linux-gnu) libcurl/7.69.1 OpenSSL/1.1.1d-fips zlib/1.2.11 brotli/1.0.7 libidn2/2.3.0 libpsl/0.21.0 (+libidn2/2.3.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0
Release-Date: 2020-03-11
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

operating system

Linux fedora32 5.6.2-301.fc32.x86_64 #1 SMP Tue Apr 7 18:23:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
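When a client reports "remote key was not OK" it helps to confirm, independently of curl and libssh, that the known_hosts entry really names the host and carries the exact key type string (ecdsa-sha2-nistp256, not a generic "ecdsa") and key blob. The checker below is an added example, not code from curl, libssh or this issue: it performs the lookup OpenSSH does over plain, comma-separated and hashed (|1|...) host fields, run against constructed sample entries with made-up key blobs.

```python
import base64
import hashlib
import hmac

# Constructed sample data (not real keys): an ECDSA entry for localhost and an
# RSA entry for a host on a non-standard port (OpenSSH writes those as [host]:port).
SAMPLE_ECDSA_KEY = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEx4YW1wbGVLZXk="
SAMPLE_RSA_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABAQDExample="
SAMPLE_KNOWN_HOSTS = f"""\
# constructed known_hosts for the example
localhost,127.0.0.1 ecdsa-sha2-nistp256 {SAMPLE_ECDSA_KEY} root@fedora32
[files.example.test]:2222 ssh-rsa {SAMPLE_RSA_KEY}
"""

def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build the OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())

def host_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain, comma list, or hashed) names hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return hostname in host_field.split(",")

def find_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Return 'match', 'mismatch' (host known with a different key of that type) or 'unknown'."""
    seen_type = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):   # @cert-authority / @revoked markers: not handled here
            continue
        if len(fields) < 3 or not host_matches(fields[0], hostname):
            continue
        if fields[1] != key_type:       # key type must match exactly, e.g. ecdsa-sha2-nistp256
            continue
        if fields[2] == key_b64:
            return "match"
        seen_type = True                # same host and type, different blob: key changed
    return "mismatch" if seen_type else "unknown"
```

Feed it the server's type and blob from /etc/ssh/ssh_host_ecdsa_key.pub: a "match" here while curl still fails points at the client-side verification rather than the known_hosts entry.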
