From 0411724f0f2953a7ea41a1529fab10c0fe0494e9 Mon Sep 17 00:00:00 2001
From: DarthArgus
Date: Wed, 11 Jan 2017 07:36:53 +0000
Subject: [PATCH] make cert pinning work (currently only for our 30 year lasting cloudflare cert, can enable others later)
---
 external/3rd/library/webAPI/webAPI.cpp | 18 ++++----
 external/3rd/library/webAPI/webAPI.h | 57 --------------------------
 2 files changed, 9 insertions(+), 66 deletions(-)
diff --git a/external/3rd/library/webAPI/webAPI.cpp b/external/3rd/library/webAPI/webAPI.cpp
index b3f75638..155e3434 100644
--- a/external/3rd/library/webAPI/webAPI.cpp
+++ b/external/3rd/library/webAPI/webAPI.cpp
@@ -17,9 +17,6 @@
 #include "webAPI.h"
-#include
-#include
-
 using namespace StellaBellum;
 webAPI::webAPI(std::string endpoint, std::string userAgent) : uri(endpoint), userAgent(userAgent), statusCode(0) {}
@@ -124,8 +121,8 @@ bool webAPI::fetch(const int &getPost, const int &mimeType) // 0 for json 1 for
 res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, writeCallback); // place the data into readBuffer using writeCallback
 res = curl_easy_setopt(curl, CURLOPT_WRITEDATA, &readBuffer); // specify readBuffer as the container for data
 res = curl_easy_setopt(curl, CURLOPT_HTTPHEADER, slist);
-
- switch (getPost) {
+
+ switch (getPost) {
 case HTTP::GET:
 res = curl_easy_setopt(curl, CURLOPT_URL, std::string(uri + "?" + sRequest).c_str());
 break;
@@ -137,10 +134,13 @@ bool webAPI::fetch(const int &getPost, const int &mimeType) // 0 for json 1 for
 }
 if (uri.find("stellabellum") != std::string::npos) {
- res = curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
- res = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);
- res = curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, *webAPI::sslctx_function);
- }
+ // the public one will verify but since this is pinned we don't care about the CA
+ res = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
+
+ // cloudflare public: ***REMOVED***
+ // cloudflare private: ***REMOVED***
+ res = curl_easy_setopt(curl, CURLOPT_PINNEDPUBLICKEY, vxENCRYPT("***REMOVED***").decrypt());
+ }
 if (res == CURLE_OK) {
 res = curl_easy_perform(curl); // make the request!
diff --git a/external/3rd/library/webAPI/webAPI.h b/external/3rd/library/webAPI/webAPI.h
index 8a4fe1c4..820635f9 100644
--- a/external/3rd/library/webAPI/webAPI.h
+++ b/external/3rd/library/webAPI/webAPI.h
@@ -25,8 +25,6 @@
 #else
 #include
-#include
-#include
 #include
 #endif
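Review bot: Setting `CURLOPT_SSL_VERIFYPEER` to 0 disables chain validation for every URL containing "stellabellum", leaving the pin on the following line as the sole check of the server's identity; since the new comment says the public certificate verifies anyway, keep `res = curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);` (as the removed line had it) and add the pin on top of it, so that both a pin mismatch and a bad chain are rejected. Note that the bare `0` is read by libcurl as a `long` from the varargs list, so it should be `0L` in any case. Only one pin is configured although the comments list two keys; if the value is in libcurl's `sha256//` form, several pins can be joined with `;`, and a backup pin avoids locking every client out when the key is rotated. Whether `CURLOPT_PINNEDPUBLICKEY` is actually enforced depends on the TLS backend each build links, so confirm it for the Windows configuration selected by the header's `#else` branch — if the backend rejects the option the setopt fails and the `res == CURLE_OK` check below skips the request, which is the safe outcome but worth knowing. `webAPI::fetch` begins and ends outside this hunk, and wrapping a public-key hash in `vxENCRYPT` provides no security benefit since the pin is not a secret.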
@@ -115,61 +113,6 @@ namespace StellaBellum {
 // json processor - string to json
 bool processJSON();
-
- // our ssl cert
- inline static CURLcode sslctx_function(CURL *curl, void *sslctx, void *parm) {
- X509_STORE *store;
- X509 *cert = NULL;
- BIO *bio;
-
- char * ctx = "-----BEGIN CERTIFICATE-----\n"\
- "MIIEojCCA4qgAwIBAgIUJ88p38SKi9SeyVOF0AQne1O6Vs4wDQYJKoZIhvcNAQEL\n"\
- "BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQw\n"\
- "MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9y\n"\
- "aXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlh\n"\
- "MB4XDTE2MTIzMTA1MDcwMFoXDTMxMTIyODA1MDcwMFowYjEZMBcGA1UEChMQQ2xv\n"\
- "dWRGbGFyZSwgSW5jLjEdMBsGA1UECxMUQ2xvdWRGbGFyZSBPcmlnaW4gQ0ExJjAk\n"\
- "BgNVBAMTHUNsb3VkRmxhcmUgT3JpZ2luIENlcnRpZmljYXRlMIIBIjANBgkqhkiG\n"\
- "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwv0X8DT+AvVAWeLZvBZ+uQXFA5SEmY3w47uT\n"\
- "cwR/KCIrty7JLlswDv7iGV4f58vDAcNZq3Rs85eBY2kEatYZUBEFw+FhQDw76R9r\n"\
- "ZRj/gRfKyjkoHmmJ9ItP6YEIGHW5GGvSsB0PqV52pAESfIc4ABSUQVghLCmXCHPv\n"\
- "vMQjnTgAxgRQ0tvy52At9E39qClk+4uofMHzwk4bOKRUA9aLHLdZJQDEKR7EdZY1\n"\
- "qPIh3Rkari0aTVBf+0mnXQJ0xnIvVPc+GPYVotQ0tutISUtVPzpia0PmmbhHN4uE\n"\
- "ZVS53gOjgPz1dT/yivrsKw5i0vBqRcwMZ4dU+yfAL4uibJqwOwIDAQABo4IBJDCC\n"\
- "ASAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB\n"\
- "/wQCMAAwHQYDVR0OBBYEFCjf0EvN/w5pDVLXf4dk4yfU5A02MB8GA1UdIwQYMBaA\n"\
- "FCToU1ddfDRAh6nrlNu64RZ4/CmkMEAGCCsGAQUFBwEBBDQwMjAwBggrBgEFBQcw\n"\
- "AYYkaHR0cDovL29jc3AuY2xvdWRmbGFyZS5jb20vb3JpZ2luX2NhMC8GA1UdEQQo\n"\
- "MCaCEiouc3RlbGxhYmVsbHVtLm5ldIIQc3RlbGxhYmVsbHVtLm5ldDA4BgNVHR8E\n"\
- "MTAvMC2gK6AphidodHRwOi8vY3JsLmNsb3VkZmxhcmUuY29tL29yaWdpbl9jYS5j\n"\
- "cmwwDQYJKoZIhvcNAQELBQADggEBAGXNQW26rnr4k+2hfOxkuGGMXBuYAzLcCwbg\n"\
- "H5KRH3HoJg1FmkjGC07nptDk2EAkqp6DphwTangyw0oREEIU/l2k8AvkX0WVFXdx\n"\
- "FnVWq5IenZF8dX0m9oQyH/CsF89dkvU+zksP4wzJAMvGiB8Tmc8bKWmIfBnusj3D\n"\
- "npbKvZL2ch+hwY4SZspJLoKJ4iz5wWSHihwNYxm+KGsJpt2moV15gAuObmDg7nu6\n"\
- "owOLXtbf62tQOXnXee2peBN1JX/mCHKUSL1mu+wJXjitBEgXJRGSnZl4IGv/m8Q5\n"\
- "KDeA44tJg2f/le+MertWN/+aTYhK8exu4v/7SaEJHNCwbXCJICg=\n"\
- "-----END CERTIFICATE-----\n";
-
- bio = BIO_new_mem_buf(ctx, -1);
- PEM_read_bio_X509(bio, &cert, 0, NULL);
- if (cert == NULL) {
- printf("cert is null");
- return CURLE_FAILED_INIT;
- }
-
- store = SSL_CTX_get_cert_store((SSL_CTX *) sslctx);
-
- if (X509_STORE_add_cert(store, cert) == 0) {
- printf("couldn't store cert");
- return CURLE_FAILED_INIT;
- }
-
- X509_free(cert);
- BIO_free(bio);
-
- return CURLE_OK;
- }
-
 protected:
 // http response code (200, 404, etc)
 long statusCode;