From 0f5c999d4b433e30f70021fb335a471b256bedd3 Mon Sep 17 00:00:00 2001
From: "A.J. Beamon" <ajbeamon@apple.com>
Date: Wed, 26 Feb 2020 12:26:43 -0800
Subject: [PATCH 1/2] Better containment of boost errors related to TLS.

---
 bindings/c/fdb_c.cpp          |  7 +---
 fdbcli/fdbcli.actor.cpp       |  3 --
 fdbserver/fdbserver.actor.cpp |  1 +
 flow/Net2.actor.cpp           | 62 +++++++++++++++++++----------------
 4 files changed, 36 insertions(+), 37 deletions(-)

diff --git a/bindings/c/fdb_c.cpp b/bindings/c/fdb_c.cpp
index 1c787f060a..e0aacf01d3 100644
--- a/bindings/c/fdb_c.cpp
+++ b/bindings/c/fdb_c.cpp
@@ -108,12 +108,7 @@ fdb_error_t fdb_network_set_option( FDBNetworkOption option,
 }
 
 fdb_error_t fdb_setup_network_impl() {
-	CATCH_AND_RETURN(
-			try {
-				API->setupNetwork();
-			} catch (boost::system::system_error& e) {
-				return error_code_tls_error;
-			} );
+	CATCH_AND_RETURN( API->setupNetwork() );
 }
 
 fdb_error_t fdb_setup_network_v13( const char* localAddress ) {
diff --git a/fdbcli/fdbcli.actor.cpp b/fdbcli/fdbcli.actor.cpp
index 223a624a75..cf76fe7ee4 100644
--- a/fdbcli/fdbcli.actor.cpp
+++ b/fdbcli/fdbcli.actor.cpp
@@ -3757,8 +3757,5 @@ int main(int argc, char **argv) {
 	} catch (Error& e) {
 		printf("ERROR: %s (%d)\n", e.what(), e.code());
 		return 1;
-	} catch (boost::system::system_error& e) {
-		printf("ERROR: %s (%d)\n", e.what(), e.code().value());
-		return 1;
 	}
 }
diff --git a/fdbserver/fdbserver.actor.cpp b/fdbserver/fdbserver.actor.cpp
index 9df3ea4cf5..08c8695af7 100644
--- a/fdbserver/fdbserver.actor.cpp
+++ b/fdbserver/fdbserver.actor.cpp
@@ -1964,6 +1964,7 @@ int main(int argc, char* argv[]) {
 		//printf("\n%d tests passed; %d tests failed\n", passCount, failCount);
 		flushAndExit(FDB_EXIT_MAIN_ERROR);
 	} catch (boost::system::system_error& e) {
+		ASSERT_WE_THINK(false); // boost errors shouldn't leak
 		fprintf(stderr, "boost::system::system_error: %s (%d)", e.what(), e.code().value());
 		TraceEvent(SevError, "MainError").error(unknown_error()).detail("RootException", e.what());
 		//printf("\n%d tests passed; %d tests failed\n", passCount, failCount);
diff --git a/flow/Net2.actor.cpp b/flow/Net2.actor.cpp
index 22a58b181e..8c234796d7 100644
--- a/flow/Net2.actor.cpp
+++ b/flow/Net2.actor.cpp
@@ -863,36 +863,42 @@ Net2::Net2(bool useThreadPool, bool useMetrics, Reference<TLSPolicy> policy, con
 	TraceEvent("Net2Starting");
 
 #ifndef TLS_DISABLED
-	sslContext.set_options(boost::asio::ssl::context::default_workarounds);
-	sslContext.set_verify_mode(boost::asio::ssl::context::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
-	if (policy) {
-		sslContext.set_verify_callback([policy](bool preverified, boost::asio::ssl::verify_context& ctx) {
-			return policy->verify_peer(preverified, ctx.native_handle());
-		});
-	} else {
-		sslContext.set_verify_callback(boost::bind(&insecurely_always_accept, _1, _2));
-	}
+	try {
+		sslContext.set_options(boost::asio::ssl::context::default_workarounds);
+		sslContext.set_verify_mode(boost::asio::ssl::context::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
+		if (policy) {
+			sslContext.set_verify_callback([policy](bool preverified, boost::asio::ssl::verify_context& ctx) {
+				return policy->verify_peer(preverified, ctx.native_handle());
+			});
+		} else {
+			sslContext.set_verify_callback(boost::bind(&insecurely_always_accept, _1, _2));
+		}
 
-	sslContext.set_password_callback(std::bind(&Net2::get_password, this));
+		sslContext.set_password_callback(std::bind(&Net2::get_password, this));
 
-	if (tlsParams.tlsCertPath.size() ) {
-		sslContext.use_certificate_chain_file(tlsParams.tlsCertPath);
+		if (tlsParams.tlsCertPath.size() ) {
+			sslContext.use_certificate_chain_file(tlsParams.tlsCertPath);
+		}
+		if (tlsParams.tlsCertBytes.size() ) {
+			sslContext.use_certificate(boost::asio::buffer(tlsParams.tlsCertBytes.data(), tlsParams.tlsCertBytes.size()), boost::asio::ssl::context::pem);
+		}
+		if (tlsParams.tlsCAPath.size()) {
+			std::string cert = readFileBytes(tlsParams.tlsCAPath, FLOW_KNOBS->CERT_FILE_MAX_SIZE);
+			sslContext.add_certificate_authority(boost::asio::buffer(cert.data(), cert.size()));
+		}
+		if (tlsParams.tlsCABytes.size()) {
+			sslContext.add_certificate_authority(boost::asio::buffer(tlsParams.tlsCABytes.data(), tlsParams.tlsCABytes.size()));
+		}
+		if (tlsParams.tlsKeyPath.size()) {
+			sslContext.use_private_key_file(tlsParams.tlsKeyPath, boost::asio::ssl::context::pem);
+		}
+		if (tlsParams.tlsKeyBytes.size()) {
+			sslContext.use_private_key(boost::asio::buffer(tlsParams.tlsKeyBytes.data(), tlsParams.tlsKeyBytes.size()), boost::asio::ssl::context::pem);
+		}
 	}
-	if (tlsParams.tlsCertBytes.size() ) {
-		sslContext.use_certificate(boost::asio::buffer(tlsParams.tlsCertBytes.data(), tlsParams.tlsCertBytes.size()), boost::asio::ssl::context::pem);
-	}
-	if (tlsParams.tlsCAPath.size()) {
-		std::string cert = readFileBytes(tlsParams.tlsCAPath, FLOW_KNOBS->CERT_FILE_MAX_SIZE);
-		sslContext.add_certificate_authority(boost::asio::buffer(cert.data(), cert.size()));
-	}
-	if (tlsParams.tlsCABytes.size()) {
-		sslContext.add_certificate_authority(boost::asio::buffer(tlsParams.tlsCABytes.data(), tlsParams.tlsCABytes.size()));
-	}
-	if (tlsParams.tlsKeyPath.size()) {
-		sslContext.use_private_key_file(tlsParams.tlsKeyPath, boost::asio::ssl::context::pem);
-	}
-	if (tlsParams.tlsKeyBytes.size()) {
-		sslContext.use_private_key(boost::asio::buffer(tlsParams.tlsKeyBytes.data(), tlsParams.tlsKeyBytes.size()), boost::asio::ssl::context::pem);
+	catch(boost::system::system_error e) {
+		TraceEvent("Net2TLSInitError").detail("Message", e.what());
+		throw tls_error();
 	}
 #endif
 
@@ -1456,7 +1462,7 @@ INetwork* newNet2(bool useThreadPool, bool useMetrics, Reference<TLSPolicy> poli
 	}
 	catch(boost::system::system_error e) {
 		TraceEvent("Net2InitError").detail("Message", e.what());
-		throw;
+		throw unknown_error();
 	}
 	catch(std::exception const& e) {
 		TraceEvent("Net2InitError").detail("Message", e.what());

From 93655c92e882f1a4bcc7b0c5a1831682b519cd6e Mon Sep 17 00:00:00 2001
From: "A.J. Beamon" <ajbeamon@apple.com>
Date: Wed, 26 Feb 2020 16:36:22 -0800
Subject: [PATCH 2/2] Add missing semicolon

---
 bindings/c/fdb_c.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bindings/c/fdb_c.cpp b/bindings/c/fdb_c.cpp
index e0aacf01d3..356c3225d5 100644
--- a/bindings/c/fdb_c.cpp
+++ b/bindings/c/fdb_c.cpp
@@ -108,7 +108,7 @@ fdb_error_t fdb_network_set_option( FDBNetworkOption option,
 }
 
 fdb_error_t fdb_setup_network_impl() {
-	CATCH_AND_RETURN( API->setupNetwork() );
+	CATCH_AND_RETURN( API->setupNetwork(); );
 }
 
 fdb_error_t fdb_setup_network_v13( const char* localAddress ) {