diff --git a/src/main.rs b/src/main.rs index 582214c..8ca7929 100644 --- a/src/main.rs +++ b/src/main.rs @@ -134,9 +134,52 @@ impl CtrlTunnel { } let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls())?; - if fingerprint.is_some() { - // FIXME actually verify fingerprint via callback! - ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::NONE); + if let Some(expected) = fingerprint { + ssl_connector_builder.set_verify_callback( + openssl::ssl::SslVerifyMode::PEER, + move |_valid, ctx| { + let cert = match ctx.current_cert() { + Some(cert) => cert, + None => { + // should not happen + eprintln!("SSL context lacks current certificate."); + return false; + } + }; + + // skip CA certificates, we only care about the peer cert + let depth = ctx.error_depth(); + if depth != 0 { + return true; + } + + let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) { + Ok(fp) => fp, + Err(err) => { + // should not happen + eprintln!("failed to calculate certificate FP - {}", err); + return false; + } + }; + let fp_string = hex::encode(&fp); + let fp_string = fp_string + .as_bytes() + .chunks(2) + .map(|v| std::str::from_utf8(v).unwrap()) + .collect::>() + .join(":"); + + let expected = expected.to_lowercase(); + if expected == fp_string { + true + } else { + eprintln!("certificate fingerprint does not match expected fingerprint!"); + eprintln!("expected: {}", expected); + eprintln!("encountered: {}", fp_string); + false + } + }, + ); } else { ssl_connector_builder.set_verify(openssl::ssl::SslVerifyMode::PEER); }