[backend] add support for peer fingerprint verification

Can be used for DoD, interconnect, etc...

src/backend/BSRPC.pm

@@ -239,7 +239,14 @@ sub rpc {
       my $status = $1;
       die("proxy tunnel: CONNECT method failed: $status\n") unless $status =~ /^200[^\d]/;
     }
-    ($param->{'https'} || $tossl)->(\*S, $param->{'ssl_keyfile'}, $param->{'ssl_certfile'}, 1) if $proto eq 'https' || $proxytunnel;
+    if ($proto eq 'https' || $proxytunnel) {
+      ($param->{'https'} || $tossl)->(\*S, $param->{'ssl_keyfile'}, $param->{'ssl_certfile'}, 1);
+      if ($param->{'sslpeerfingerprint'}) {
+	die("bad sslpeerfingerprint '$param->{'sslpeerfingerprint'}'\n") unless $param->{'sslpeerfingerprint'} =~ /^(.*?):(.*)$/s;
+	my $pfp =  tied(*S)->peerfingerprint($1);
+	die("peer fingerprint does not match: $2 != $pfp\n") if $2 ne $pfp;
+      }
+    }
   }
   if (!$param->{'continuation'}) {
     if ($param->{'verbose'}) {

src/backend/BSSSL.pm

@@ -137,4 +137,15 @@ sub DESTROY {
   UNTIE($sslr) if $sslr && $sslr->[0];
 }
 
+sub peerfingerprint {
+  my ($sslr, $type) = @_;
+  my $cert = Net::SSLeay::get_peer_certificate($sslr->[0]);
+  return undef unless $cert;
+  my $fp = Net::SSLeay::X509_get_fingerprint($cert, lc($type));
+  Net::SSLeay::X509_free($cert);
+  return undef unless $fp;
+  $fp =~ s/://g;
+  return lc($fp);
+}
+
 1;

src/backend/BSWatcher.pm

@@ -727,6 +727,11 @@ sub rpc_tossl {
   fcntl($ev->{'fd'}, F_SETFL, 0);     # in danger honor...
   eval {
     ($ev->{'param'}->{'https'} || $tossl)->($ev->{'fd'}, $ev->{'param'}->{'ssl_keyfile'}, $ev->{'param'}->{'ssl_certfile'}, 1);
+    if ($ev->{'param'}->{'sslpeerfingerprint'}) {
+      die("bad sslpeerfingerprint '$ev->{'param'}->{'sslpeerfingerprint'}'\n") unless $ev->{'param'}->{'sslpeerfingerprint'} =~ /^(.*?):(.*)$/s;
+      my $pfp =  tied($ev->{'fd'})->peerfingerprint($1);
+      die("peer fingerprint does not match: $2 != $pfp\n") if $2 ne $pfp;
+    }
   };
   fcntl($ev->{'fd'}, F_SETFL, O_NONBLOCK);
   if ($@) {