LibGit2: consult known hosts files to verify SSH server identity

[StefanKarpinski]

This also changes the error message for failed TLS host verification to match the error message when SSH host verification fails. The way I've tested this is by changing my /etc/hosts file to change the IP address of github.com and then doing ] registry add https://github.com/StefanKarpinski/General.git and ] registry add [email protected]:StefanKarpinski/General.git. I'm using arctic1.juliacomputing.io as my fake github.com server, which works because it's an SSH server (with the wrong identity, of course) and I have a man-in-the-middle HTTPS service that is proxied through to github.com setup as well (this is safe since that's the only site it goes through). You can test the case where the host is not in the known hosts file by commenting out the entry for github.com.

[Keno]

A few comments, but looks basically right to me. As I suggested elsewhere, I think it would be reasonable to ship the hostkeys for any package in the registry along with the registry to bootstrap trust that way and ensure users only see this message if they're trying to do something custom.

[StefanKarpinski]

I agree with that but I'm going to do it in a separate change. This is already primed for it with logic to look at multiple known hosts files.

[StefanKarpinski]

This turned out to be even more annoying that I originally thought because it's entirely valid to have multiple known hosts entries for the same server. So we have to use libssh2_knownhost_get in order to iterate through all the known hosts. We also can't tell if an entry is the right host and type but just has the wrong fingerprint because libgit2, even though it has that information, doesn't give it to us—the issue is we cannot tell if the host and fingerprint type match because we don't know the fingerprint type, just its hashes (why!?!? we only need one fucking hash, not three). Instead we have to do a shitty approximation of the correct behavior by looking for all entries for a host in a given file and assuming that if there are any entries for a given host then one of the entries in that file should match.

Since we're effectively forced to reimplement the full logic of libssh2_knownhost_check here but without the benefit of actually having the host fingerprint, I'm sure there's a bunch of cases that we're missing, but this works decently. We might get complaints if someone has known hosts entries with hostname and IP address, with port numbers, or hashed entries, so that will be fun to look forward to.

[StefanKarpinski]

This is good to go now. I will add a known hosts file that we ship in a separate change to NetworkOptions which will also allow config using the known hosts files to look at and then I'll look into making sure that Downloads also respects this.