authorL. Sorin <sorin@axis.com>2014-01-28 14:04:11 +0100
committerSebastian Dröge <sebastian@centricular.com>2014-05-20 08:58:08 +0200
commit9c1e66302dde3fd904a83f62d29b8390d6341392 (patch)
tree8c27de4f40a6f7a20c790f6205fd02309a635e3a /ext/curl
parent0cdcc5a7b1585cb9961df438e014c9e43d2a17bc (diff)
curlsftpsink: authenticate remote host via public key fingerprint
Expose one more libcurl option: CURLOPT_SSH_HOST_PUBLIC_KEY_MD5. This allows authenticating the server by the MD5 fingerprint of the server's public key. https://bugzilla.gnome.org/show_bug.cgi?id=723167
Diffstat (limited to 'ext/curl')
-rw-r--r--ext/curl/gstcurlsshsink.c43
-rw-r--r--ext/curl/gstcurlsshsink.h2
2 files changed, 43 insertions, 2 deletions
diff --git a/ext/curl/gstcurlsshsink.c b/ext/curl/gstcurlsshsink.c
index 91f05f983..7e06dab3d 100644
--- a/ext/curl/gstcurlsshsink.c
+++ b/ext/curl/gstcurlsshsink.c
@@ -48,8 +48,6 @@
/* Default values */
#define GST_CAT_DEFAULT gst_curl_ssh_sink_debug
-#define DEFAULT_INSECURE TRUE
-
/* Plugin specific settings */
@@ -63,6 +61,7 @@ enum
PROP_SSH_PRIV_KEYFILE,
PROP_SSH_KEY_PASSPHRASE,
PROP_SSH_KNOWNHOSTS,
+ PROP_SSH_HOST_PUBLIC_KEY_MD5,
PROP_SSH_ACCEPT_UNKNOWNHOST
};
@@ -159,6 +158,13 @@ gst_curl_ssh_sink_class_init (GstCurlSshSinkClass * klass)
"The complete path & filename of the SSH 'known_hosts' file",
NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
+ g_object_class_install_property (gobject_class, PROP_SSH_HOST_PUBLIC_KEY_MD5,
+ g_param_spec_string ("ssh-host-pubkey-md5",
+ "MD5 checksum of the remote host's public key",
+ "MD5 checksum (32 hexadecimal digits, case-insensitive) of the "
+ "remote host's public key",
+ NULL, G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS));
+
g_object_class_install_property (gobject_class, PROP_SSH_ACCEPT_UNKNOWNHOST,
g_param_spec_boolean ("ssh-accept-unknownhost",
"SSH accept unknown host",
@@ -174,6 +180,7 @@ gst_curl_ssh_sink_init (GstCurlSshSink * sink)
sink->ssh_priv_keyfile = NULL;
sink->ssh_key_passphrase = NULL;
sink->ssh_knownhosts = NULL;
+ sink->ssh_host_public_key_md5 = NULL;
sink->ssh_accept_unknownhost = FALSE;
}
@@ -188,6 +195,7 @@ gst_curl_ssh_sink_finalize (GObject * gobject)
g_free (this->ssh_priv_keyfile);
g_free (this->ssh_key_passphrase);
g_free (this->ssh_knownhosts);
+ g_free (this->ssh_host_public_key_md5);
G_OBJECT_CLASS (parent_class)->finalize (gobject);
}
@@ -242,6 +250,13 @@ gst_curl_ssh_sink_set_property (GObject * object, guint prop_id,
GST_DEBUG_OBJECT (sink, "ssh_knownhosts set to %s", sink->ssh_knownhosts);
break;
+ case PROP_SSH_HOST_PUBLIC_KEY_MD5:
+ g_free (sink->ssh_host_public_key_md5);
+ sink->ssh_host_public_key_md5 = g_value_dup_string (value);
+ GST_DEBUG_OBJECT (sink, "ssh_host_public_key_md5 set to %s",
+ sink->ssh_host_public_key_md5);
+ break;
+
case PROP_SSH_ACCEPT_UNKNOWNHOST:
sink->ssh_accept_unknownhost = g_value_get_boolean (value);
GST_DEBUG_OBJECT (sink, "ssh_accept_unknownhost set to %d",
@@ -285,6 +300,10 @@ gst_curl_ssh_sink_get_property (GObject * object, guint prop_id,
g_value_set_string (value, sink->ssh_knownhosts);
break;
+ case PROP_SSH_HOST_PUBLIC_KEY_MD5:
+ g_value_set_string (value, sink->ssh_host_public_key_md5);
+ break;
+
case PROP_SSH_ACCEPT_UNKNOWNHOST:
g_value_set_boolean (value, sink->ssh_accept_unknownhost);
break;
@@ -329,6 +348,26 @@ gst_curl_ssh_sink_set_options_unlocked (GstCurlBaseSink * bcsink)
}
}
+ if (sink->ssh_host_public_key_md5) {
+ /* libcurl is freaking tricky. If the input string is not exactly 32
+ * hexdigits long it silently ignores CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and
+ * performs the transfer without authenticating the server! */
+ if (strlen (sink->ssh_host_public_key_md5) != 32) {
+ GST_ERROR_OBJECT (sink,
+ "MD5-hash string has invalid length, must be exactly 32 hexdigits!");
+ return FALSE;
+ }
+
+ if ((curl_err =
+ curl_easy_setopt (bcsink->curl, CURLOPT_SSH_HOST_PUBLIC_KEY_MD5,
+ sink->ssh_host_public_key_md5)) != CURLE_OK) {
+ GST_ERROR_OBJECT (sink,
+ "curl error: %d setting remote host's public key MD5: %s.", curl_err,
+ sink->ssh_host_public_key_md5);
+ return FALSE;
+ }
+ }
+
/* make sure we only accept PASSWORD or PUBLICKEY auth methods
* (can be extended later) */
if (sink->ssh_auth_type == CURLSSH_AUTH_PASSWORD ||
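Review bot: The guard in front of `curl_easy_setopt` tests only `strlen (sink->ssh_host_public_key_md5) != 32`, so a 32-character value containing non-hex characters still goes to libcurl, and the value was stored unchecked by the `PROP_SSH_HOST_PUBLIC_KEY_MD5` case in `gst_curl_ssh_sink_set_property`. As far as I know libcurl then fails the fingerprint comparison rather than skipping it, so this should fail closed, but the user sees only a generic transfer error. Extending the guard with a per-character `g_ascii_isxdigit ()` check would reject such input with the explicit message already logged here, and that message could add that colon separators are not accepted, e.g. `"MD5-hash string must be exactly 32 hexdigits, without ':' separators"`. `gst_curl_ssh_sink_set_options_unlocked` starts and ends outside this hunk.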
diff --git a/ext/curl/gstcurlsshsink.h b/ext/curl/gstcurlsshsink.h
index 4e502a3d3..1b56c4d5e 100644
--- a/ext/curl/gstcurlsshsink.h
+++ b/ext/curl/gstcurlsshsink.h
@@ -70,6 +70,8 @@ struct _GstCurlSshSink
CURLOPT_SSH_KNOWN_HOSTS */
gboolean ssh_accept_unknownhost; /* accept or reject unknown public key
from remote host */
+ gchar *ssh_host_public_key_md5; /* MD5-hash of the remote host's public key:
+ CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 */
};
struct _GstCurlSshSinkClass