Merge branch 'development' of https://git01.codeplex.com/casablanca into compatclean

Author: stgates

Release/include/cpprest/ws_client.h

@@ -235,6 +235,15 @@ class _websocket_client_impl
         return m_uri;
     }
 
+    /// <summary>
+    ///  Set the base uri.
+    /// </summary>
+    /// <param name="uri"> The user specified uri. </param>
+    void set_uri(web::uri uri)
+    {
+        m_uri = std::move(uri);
+    }
+
     /// <summary>
     /// Get client configuration object
     /// </summary>
@@ -266,13 +275,15 @@ class _websocket_client_impl
         }
     }
 
+
 protected:
-    _websocket_client_impl(web::uri address, websocket_client_config client_config)
-        : m_uri(std::move(address)), m_client_config(std::move(client_config))
+    web::uri m_uri;
+
+    _websocket_client_impl(websocket_client_config client_config)
+        : m_client_config(std::move(client_config))
     {
     }
 
-    web::uri m_uri;
     websocket_client_config m_client_config;    
 };
 }
@@ -284,17 +295,15 @@ class websocket_client
 {
 public:
     /// <summary>
-    /// Creates a new websocket_client to connect to the specified uri.
+    ///  Creates a new websocket_client.
     /// </summary>
-    /// <param name="base_uri">A string representation of the base uri to be used for all messages. Must start with either "ws://" or "wss://"</param>
-    _ASYNCRTIMP websocket_client(web::uri base_uri);
+    _ASYNCRTIMP websocket_client();
 
     /// <summary>
-    /// Creates a new websocket_client to connect to the specified uri.
+    ///  Creates a new websocket_client.
     /// </summary>
-    /// <param name="base_uri">A string representation of the base uri to be used for all requests. Must start with either "ws://" or "wss://"</param>
     /// <param name="client_config">The client configuration object containing the possible configuration options to intitialize the <c>websocket_client</c>. </param>
-    _ASYNCRTIMP websocket_client(web::uri base_uri, websocket_client_config client_config);
+    _ASYNCRTIMP websocket_client(websocket_client_config client_config);
 
     /// <summary>
     /// </summary>
@@ -324,8 +333,13 @@ class websocket_client
     /// Connects to the remote network destination. The connect method initiates the websocket handshake with the 
     /// remote network destination, takes care of the protocol upgrade request.
     /// </summary>
+    /// <param name="uri">The uri address to connect. </param>
     /// <returns>An asynchronous operation that is completed once the client has successfully connected to the websocket server.</returns>
-    pplx::task<void> connect() { return m_client->connect(); }
+    pplx::task<void> connect(web::uri uri) 
+    { 
+        m_client->set_uri(std::move(uri));
+        return m_client->connect(); 
+    }
 
     /// <summary>
     /// Sends a websocket message to the server .

Release/include/cpprest/x509_cert_utilities.h

@@ -0,0 +1,37 @@
+/***
+* ==++==
+*
+* Copyright (c) Microsoft Corporation. All rights reserved. 
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* ==--==
+* =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+*
+* x509_cert_utilities.h
+*
+* Contains utility functions for helping to verify server certificates in OS X/iOS.
+*
+* For the latest on this and related APIs, please see http://casablanca.codeplex.com.
+*
+* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
+****/
+
+#pragma once
+
+#include <vector>
+#include <string>
+
+namespace web { namespace http { namespace client { namespace details {
+
+bool verify_X509_cert_chain(const std::vector<std::string> &certChain, const std::string &hostName);
+
+}}}}

Release/src/CMakeLists.txt

@@ -17,6 +17,7 @@ if(UNIX)
     http/common/http_helpers.cpp
     http/client/http_msg_client.cpp
     http/client/http_linux.cpp
+    http/client/x509_cert_utilities.cpp
     http/listener/http_linux_server.cpp
     http/listener/http_listener.cpp
     http/listener/http_msg_listen.cpp
@@ -30,7 +31,8 @@ if(UNIX)
   if(APPLE)
     set(SOURCES ${SOURCES} pplx/apple/pplxapple.cpp)
     find_library(COREFOUNDATION CoreFoundation "/")
-    set(EXTRALINKS ${COREFOUNDATION})
+    find_library(SECURITY Security "/")
+    set(EXTRALINKS ${COREFOUNDATION} ${SECURITY})
   else()
     set(SOURCES ${SOURCES} pplx/linux/pplxlinux.cpp)
   endif()
@@ -46,6 +48,7 @@ elseif(WIN32)
     http/common/http_msg.cpp
     http/common/http_helpers.cpp
     http/client/http_msg_client.cpp
+    http/client/x509_cert_utilities.cpp
     http/listener/http_listener.cpp
     http/listener/http_msg_listen.cpp
     http/listener/http_server_api.cpp
@@ -82,7 +85,6 @@ target_link_libraries(${Casablanca_LIBRARY}
   ${Boost_LOCALE_LIBRARY}
   ${Boost_REGEX_LIBRARY}
   ${Boost_RANDOM_LIBRARY}
-  ${COREFOUNDATION}
   ${EXTRALINKS}
   )
 

Release/src/http/client/http_linux.cpp

@@ -30,6 +30,7 @@
 #include "stdafx.h"
 
 #include "cpprest/http_client_impl.h"
+#include "cpprest/x509_cert_utilities.h"
 #include <unordered_set>
 
 using boost::asio::ip::tcp;
@@ -280,7 +281,7 @@ namespace web { namespace http
                 bool m_timedout;
                 boost::asio::streambuf m_body_buf;
                 boost::asio::deadline_timer m_timeout_timer;
-
+                
                 virtual ~linux_client_request_context();
 
                 void handle_timeout_timer(const boost::system::error_code& ec)
@@ -452,7 +453,10 @@ namespace web { namespace http
 
             private:
                 tcp::resolver m_resolver;
-
+#if defined(__APPLE__)
+                bool m_openssl_failed;
+#endif
+                
                 static bool _check_streambuf(std::shared_ptr<linux_client_request_context> ctx, concurrency::streams::streambuf<uint8_t> rdbuf, const utility::char_t* msg)
                 {
                     if (!rdbuf.is_open())
@@ -485,7 +489,10 @@ namespace web { namespace http
                             if(client_config().validate_certificates())
                             {
                                 ctx->m_ssl_stream->set_verify_mode(boost::asio::ssl::context::verify_peer);
-                                ctx->m_ssl_stream->set_verify_callback(boost::asio::ssl::rfc2818_verification(m_uri.host()));
+                                ctx->m_ssl_stream->set_verify_callback(boost::bind(&linux_client::handle_cert_verification, shared_from_this(), _1, _2));
+#if defined(__APPLE__)
+                                m_openssl_failed = false;
+#endif
                             }
                             else
                             {
@@ -536,7 +543,10 @@ namespace web { namespace http
                             if(client_config().validate_certificates())
                             {
                                 ctx->m_ssl_stream->set_verify_mode(boost::asio::ssl::context::verify_peer);
-                                ctx->m_ssl_stream->set_verify_callback(boost::asio::ssl::rfc2818_verification(m_uri.host()));
+                                ctx->m_ssl_stream->set_verify_callback(boost::bind(&linux_client::handle_cert_verification, shared_from_this(), _1, _2));
+#if defined(__APPLE__)
+                                m_openssl_failed = false;
+#endif
                             }
                             else
                             {
@@ -548,6 +558,72 @@ namespace web { namespace http
                     }
                 }
 
+                bool handle_cert_verification(bool preverified, boost::asio::ssl::verify_context &ctx)
+                {
+                    // OpenSSL calls the verification callback once per certificate in the chain,
+                    // starting with the root CA certificate. The 'leaf', non-Certificate Authority (CA)
+                    // certificate, i.e. actual server certificate is at the '0' position in the
+                    // certificate chain, the rest are optional intermediate certificates, followed
+                    // finally by the root CA self signed certificate.
+                    
+#if defined(__APPLE__)
+                    if(!preverified)
+                    {
+                        m_openssl_failed = true;
+                    }
+                    if(m_openssl_failed)
+                    {
+                        // On OS X, iOS, and Android, OpenSSL doesn't have access to where the OS
+                        // stores keychains. If OpenSSL fails we will doing verification at the
+                        // end using the whole certificate chain so wait until the 'leaf' cert.
+                        // For now return true so OpenSSL continues down the certificate chain.
+                        X509_STORE_CTX *storeContext = ctx.native_handle();
+                        int currentDepth = X509_STORE_CTX_get_error_depth(storeContext);
+                        if(currentDepth != 0)
+                        {
+                            return true;
+                        }
+                    
+                        STACK_OF(X509) *certStack = X509_STORE_CTX_get_chain(storeContext);
+                        const int numCerts = sk_X509_num(certStack);
+                        if(numCerts < 0)
+                        {
+                            return false;
+                        }
+                    
+                        std::vector<std::string> certChain;
+                        certChain.reserve(numCerts);
+                        for(int i = 0; i < numCerts; ++i)
+                        {
+                            X509 *cert = sk_X509_value(certStack, i);
+                                
+                            // Encode into DER format into raw memory.
+                            int len = i2d_X509(cert, nullptr);
+                            if(len < 0)
+                            {
+                                return false;
+                            }
+                        
+                            std::string certData;
+                            certData.resize(len);
+                            unsigned char * buffer = reinterpret_cast<unsigned char *>(&certData[0]);
+                            len = i2d_X509(cert, &buffer);
+                            if(len < 0)
+                            {
+                                return false;
+                            }
+                        
+                            certChain.push_back(std::move(certData));
+                        }
+                    
+                        return verify_X509_cert_chain(certChain, m_uri.host());
+                    }
+#endif
+                    
+                    boost::asio::ssl::rfc2818_verification rfc2818(m_uri.host());
+                    return rfc2818(preverified, ctx);
+                }
+
                 void handle_handshake(const boost::system::error_code& ec, std::shared_ptr<linux_client_request_context> ctx)
                 {
                     if (!ec)
@@ -556,7 +632,7 @@ namespace web { namespace http
                     }
                     else
                     {
-                        ctx->report_error("Error code in handle_handshake is ", ec, httpclient_errorcode_context::handshake);
+                        ctx->report_error("Error in SSL handshake", ec, httpclient_errorcode_context::handshake);
                     }
                 }