dart:io | Change names for SecureSocket exceptions.

runtime/bin/secure_socket.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "bin/secure_socket.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 #include <stdio.h>
@@ skipping 32 matching lines @@
 
 // Forward declaration.
 static void ProcessFilter(Dart_Port dest_port_id,
                           Dart_Port reply_port_id,
                           Dart_CObject* message);
 
 NativeService SSLFilter::filter_service_("FilterService", ProcessFilter, 16);
 
 static const int kSSLFilterNativeFieldIndex = 0;
 
+
+/* Handle an error reported from the NSS library. */
+static void ThrowPRException(const char* exception_type,
+                             const char* message,
+                             bool free_message = false) {
+  PRErrorCode error_code = PR_GetError();
+  const char* error_message = PR_ErrorToString(error_code, PR_LANGUAGE_EN);
+  OSError os_error_struct(error_code, error_message, OSError::kNSS);
+  Dart_Handle os_error = DartUtils::NewDartOSError(&os_error_struct);
+  Dart_Handle exception =
+      DartUtils::NewDartIOException(exception_type, message, os_error);
+  if (free_message) {
+    free(const_cast<char*>(message));
+  }
+  Dart_ThrowException(exception);
+}
+
+
+static void ThrowCertificateException(const char* format,

[Søren Gjesse, 2013/06/25 13:17:38]

When passing a format string you should consider adding full argv support.

+                                      const char* certificate_name) {
+  int length = strlen(certificate_name);
+  length += strlen(format);
+  char* message = reinterpret_cast<char*>(malloc(length + 1));
+  if (message == NULL) {
+    FATAL("Out of memory formatting CertificateException for throwing");
+  }
+  snprintf(message, length + 1, format, certificate_name);
+  message[length] = '\0';
+  ThrowPRException("CertificateException", message, true);
+}
+
+
 static SSLFilter* GetFilter(Dart_NativeArguments args) {
   SSLFilter* filter;
   Dart_Handle dart_this = ThrowIfError(Dart_GetNativeArgument(args, 0));
   ASSERT(Dart_IsInstance(dart_this));
   ThrowIfError(Dart_GetNativeInstanceField(
       dart_this,
       kSSLFilterNativeFieldIndex,
       reinterpret_cast<intptr_t*>(&filter)));
   return filter;
 }
@@ skipping 229 matching lines @@
 
 
 void SSLFilter::ProcessAllBuffers(int starts[kNumBuffers],
                                   int ends[kNumBuffers],
                                   bool in_handshake) {
   for (int i = 0; i < kNumBuffers; ++i) {
     if (in_handshake && (i == kReadPlaintext || i == kWritePlaintext)) continue;
     int start = starts[i];
     int end = ends[i];
     int size = isBufferEncrypted(i) ? encrypted_buffer_size_ : buffer_size_;
+    if (start < 0 || end < 0 || start >= size || end >= size) {
+      FATAL("Out-of-bounds internal buffer access in dart:io SecureSocket");
+    }
     switch (i) {
       case kReadPlaintext:
       case kWriteEncrypted:
         // Write data to the circular buffer's free space.  If the buffer
         // is full, neither if statement is executed and nothing happens.
         if (start <= end) {
           // If the free space may be split into two segments,
           // then the first is [end, size), unless start == 0.
           // Then, since the last free byte is at position start - 2,
           // the interval is [end, size - 1).
@@ skipping 50 matching lines @@
   }
 }
 
 
 static Dart_Handle X509FromCertificate(CERTCertificate* certificate) {
   PRTime start_validity;
   PRTime end_validity;
   SECStatus status =
       CERT_GetCertTimes(certificate, &start_validity, &end_validity);
   if (status != SECSuccess) {
-    ThrowPRException("Cannot get validity times from certificate");
+    ThrowPRException("CertificateException",
+                     "Cannot get validity times from certificate");
   }
   int64_t start_epoch_ms = start_validity / PR_USEC_PER_MSEC;
   int64_t end_epoch_ms = end_validity / PR_USEC_PER_MSEC;
   Dart_Handle subject_name_object =
       DartUtils::NewString(certificate->subjectName);
   Dart_Handle issuer_name_object =
       DartUtils::NewString(certificate->issuerName);
   Dart_Handle start_epoch_ms_int = Dart_NewInteger(start_epoch_ms);
   Dart_Handle end_epoch_ms_int = Dart_NewInteger(end_epoch_ms);
 
@@ skipping 43 matching lines @@
   Dart_Handle secure_filter_impl_type =
       Dart_InstanceGetType(dart_this);
   Dart_Handle dart_buffer_size = ThrowIfError(
       Dart_GetField(secure_filter_impl_type, DartUtils::NewString("SIZE")));
   int64_t buffer_size = DartUtils::GetIntegerValue(dart_buffer_size);
   Dart_Handle dart_encrypted_buffer_size = ThrowIfError(
       Dart_GetField(secure_filter_impl_type,
                     DartUtils::NewString("ENCRYPTED_SIZE")));
   int64_t encrypted_buffer_size =
       DartUtils::GetIntegerValue(dart_encrypted_buffer_size);
-  if (buffer_size <= 0 || buffer_size > 1024 * 1024) {
-    Dart_ThrowException(
-        DartUtils::NewString("Invalid buffer size in _ExternalBuffer"));
+  if (buffer_size <= 0 || buffer_size > 1 * MB) {
+    FATAL("Invalid buffer size in _ExternalBuffer");
   }
-  if (encrypted_buffer_size <= 0 || encrypted_buffer_size > 1024 * 1024) {
-    Dart_ThrowException(DartUtils::NewString(
-        "Invalid encrypted buffer size in _ExternalBuffer"));
+  if (encrypted_buffer_size <= 0 || encrypted_buffer_size > 1 * MB) {
+    FATAL("Invalid encrypted buffer size in _ExternalBuffer");
   }
   buffer_size_ = static_cast<int>(buffer_size);
   encrypted_buffer_size_ = static_cast<int>(encrypted_buffer_size);
 
 
   Dart_Handle data_identifier = DartUtils::NewString("data");
   for (int i = 0; i < kNumBuffers; ++i) {
     int size = isBufferEncrypted(i) ? encrypted_buffer_size_ : buffer_size_;
     dart_buffer_objects_[i] =
         Dart_NewPersistentHandle(Dart_ListGetAt(dart_buffers_object, i));
@@ skipping 43 matching lines @@
   MutexLocker locker(&mutex_);
   SECStatus status;
   if (!library_initialized_) {
     password_ = strdup(password);  // This one copy persists until Dart exits.
     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
     // TODO(whesse): Verify there are no UTF-8 issues here.
     if (certificate_database == NULL || certificate_database[0] == '\0') {
       status = NSS_NoDB_Init(NULL);
       if (status != SECSuccess) {
         mutex_.Unlock();  // MutexLocker destructor not called when throwing.
-        ThrowPRException("Failed NSS_NoDB_Init call.");
+        ThrowPRException("TlsException",
+                         "Failed NSS_NoDB_Init call.");
       }
       if (use_builtin_root_certificates) {
         SECMODModule* module = SECMOD_LoadUserModule(
             const_cast<char*>(builtin_roots_module), NULL, PR_FALSE);
         if (!module) {
           mutex_.Unlock();  // MutexLocker destructor not called when throwing.
-          ThrowPRException("Failed to load builtin root certificates.");
+          ThrowPRException("TlsException",
+                           "Failed to load builtin root certificates.");
         }
       }
     } else {
       PRUint32 init_flags = NSS_INIT_READONLY;
       if (!use_builtin_root_certificates) {
         init_flags |= NSS_INIT_NOMODDB;
       }
       status = NSS_Initialize(certificate_database,
                               "",
                               "",
                               SECMOD_DB,
                               init_flags);
       if (status != SECSuccess) {
         mutex_.Unlock();  // MutexLocker destructor not called when throwing.
-        ThrowPRException("Failed NSS_Init call.");
+        ThrowPRException("TlsException",
+                         "Failed NSS_Init call.");
       }
     }
     library_initialized_ = true;
 
     status = NSS_SetDomesticPolicy();
     if (status != SECSuccess) {
       mutex_.Unlock();  // MutexLocker destructor not called when throwing.
-      ThrowPRException("Failed NSS_SetDomesticPolicy call.");
+      ThrowPRException("TlsException",
+                       "Failed NSS_SetDomesticPolicy call.");
     }
     // Enable TLS, as well as SSL3 and SSL2.
     status = SSL_OptionSetDefault(SSL_ENABLE_TLS, PR_TRUE);
     if (status != SECSuccess) {
       mutex_.Unlock();  // MutexLocker destructor not called when throwing.
-      ThrowPRException("Failed SSL_OptionSetDefault enable TLS call.");
+      ThrowPRException("TlsException",
+                       "Failed SSL_OptionSetDefault enable TLS call.");
     }
     status = SSL_ConfigServerSessionIDCache(0, 0, 0, NULL);
     if (status != SECSuccess) {
       mutex_.Unlock();  // MutexLocker destructor not called when throwing.
-      ThrowPRException("Failed SSL_ConfigServerSessionIDCache call.");
+      ThrowPRException("TlsException",
+                       "Failed SSL_ConfigServerSessionIDCache call.");
     }
 
   } else if (report_duplicate_initialization) {
     mutex_.Unlock();  // MutexLocker destructor not called when throwing.
-    ThrowException("Called SSLFilter::InitializeLibrary more than once");
+    // Like ThrowPRException, without adding an OSError.
+    Dart_ThrowException(DartUtils::NewDartIOException("TlsException",
+        "Called SecureSocket.initialize more than once",
+        Dart_Null()));
   }
 }
 
 
 char* PasswordCallback(PK11SlotInfo* slot, PRBool retry, void* arg) {
   if (!retry) {
     return PL_strdup(static_cast<char*>(arg));  // Freed by NSS internals.
   }
   return NULL;
 }
@@ skipping 26 matching lines @@
 void SSLFilter::Connect(const char* host_name,
                         RawAddr* raw_addr,
                         int port,
                         bool is_server,
                         const char* certificate_name,
                         bool request_client_certificate,
                         bool require_client_certificate,
                         bool send_client_certificate) {
   is_server_ = is_server;
   if (in_handshake_) {
-    ThrowException("Connect called while already in handshake state.");
+    FATAL("Connect called twice on the same _SecureFilter.");
   }
 
   if (!is_server && certificate_name != NULL) {
     client_certificate_name_ = strdup(certificate_name);
   }
 
   filter_ = SSL_ImportFD(NULL, filter_);
   if (filter_ == NULL) {
-    ThrowPRException("Failed SSL_ImportFD call");
+    ThrowPRException("TlsException", "Failed SSL_ImportFD call");
   }
 
   SSLVersionRange vrange;
   vrange.min = SSL_LIBRARY_VERSION_3_0;
   vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
   SSL_VersionRangeSet(filter_, &vrange);
 
   SECStatus status;
   if (is_server) {
     PK11_SetPasswordFunc(PasswordCallback);
 
     CERTCertificate* certificate = NULL;
     if (strstr(certificate_name, "CN=") != NULL) {
       // Look up certificate using the distinguished name (DN) certificate_name.
       CERTCertDBHandle* certificate_database = CERT_GetDefaultCertDB();
       if (certificate_database == NULL) {
-        ThrowPRException("Certificate database cannot be loaded");
+        ThrowPRException("CertificateException",
+                         "Certificate database cannot be loaded");
       }
       certificate = CERT_FindCertByNameString(certificate_database,
           const_cast<char*>(certificate_name));
       if (certificate == NULL) {
-        ThrowPRException(
-            "Cannot find server certificate by distinguished name");
+        ThrowCertificateException(
+            "Cannot find server certificate by distinguished name: %s",
+            certificate_name);
       }
     } else {
       // Look up certificate using the nickname certificate_name.
       certificate = PK11_FindCertFromNickname(
           const_cast<char*>(certificate_name),
           static_cast<void*>(const_cast<char*>(password_)));
       if (certificate == NULL) {
-        ThrowPRException("Cannot find server certificate by nickname");
+        ThrowCertificateException(
+            "Cannot find server certificate by nickname: %s",
+            certificate_name);
       }
     }
     SECKEYPrivateKey* key = PK11_FindKeyByAnyCert(
         certificate,
         static_cast<void*>(const_cast<char*>(password_)));
     if (key == NULL) {
       CERT_DestroyCertificate(certificate);
       if (PR_GetError() == -8177) {
-        ThrowPRException("Certificate database password incorrect");
+        ThrowPRException("CertificateException",
+                         "Certificate database password incorrect");
       } else {
-        ThrowPRException("Failed PK11_FindKeyByAnyCert call."
-                         " Cannot find private key for certificate");
+        ThrowCertificateException(
+            "Cannot find private key for certificate %s",
+            certificate_name);
       }
     }
     // kt_rsa (key type RSA) is an enum constant from the NSS libraries.
     // TODO(whesse): Allow different key types.
     status = SSL_ConfigSecureServer(filter_, certificate, key, kt_rsa);
     CERT_DestroyCertificate(certificate);
     SECKEY_DestroyPrivateKey(key);
     if (status != SECSuccess) {
-      ThrowPRException("Failed SSL_ConfigSecureServer call");
+      ThrowCertificateException(
+          "Failed SSL_ConfigSecureServer call with certificate %s",
+          certificate_name);
     }
 
     if (request_client_certificate) {
       status = SSL_OptionSet(filter_, SSL_REQUEST_CERTIFICATE, PR_TRUE);
       if (status != SECSuccess) {
-        ThrowPRException("Failed SSL_OptionSet(REQUEST_CERTIFICATE) call");
+        ThrowPRException("TlsException",
+                         "Failed SSL_OptionSet(REQUEST_CERTIFICATE) call");
       }
       PRBool require_cert = require_client_certificate ? PR_TRUE : PR_FALSE;
       status = SSL_OptionSet(filter_, SSL_REQUIRE_CERTIFICATE, require_cert);
       if (status != SECSuccess) {
-        ThrowPRException("Failed SSL_OptionSet(REQUIRE_CERTIFICATE) call");
+        ThrowPRException("TlsException",
+                         "Failed SSL_OptionSet(REQUIRE_CERTIFICATE) call");
       }
     }
   } else {  // Client.
     if (SSL_SetURL(filter_, host_name) == -1) {
-      ThrowPRException("Failed SetURL call");
+      ThrowPRException("TlsException",
+                       "Failed SetURL call");
     }
 
     // This disables the SSL session cache for client connections.
     // This resolves issue 7208, but degrades performance.
     // TODO(7230): Reenable session cache, without breaking client connections.
     status = SSL_OptionSet(filter_, SSL_NO_CACHE, PR_TRUE);
     if (status != SECSuccess) {
-      ThrowPRException("Failed SSL_OptionSet(NO_CACHE) call");
+      ThrowPRException("TlsException",
+                       "Failed SSL_OptionSet(NO_CACHE) call");
     }
 
     if (send_client_certificate) {
       status = SSL_GetClientAuthDataHook(
           filter_,
           NSS_GetClientAuthData,
           static_cast<void*>(client_certificate_name_));
       if (status != SECSuccess) {
-        ThrowPRException("Failed SSL_GetClientAuthDataHook call");
+        ThrowPRException("TlsException",
+                         "Failed SSL_GetClientAuthDataHook call");
       }
     }
   }
 
   // Install bad certificate callback, and pass 'this' to it if it is called.
   status = SSL_BadCertHook(filter_,
                            BadCertificateCallback,
                            static_cast<void*>(this));
 
   PRBool as_server = is_server ? PR_TRUE : PR_FALSE;
   status = SSL_ResetHandshake(filter_, as_server);
   if (status != SECSuccess) {
-    ThrowPRException("Failed SSL_ResetHandshake call");
+    ThrowPRException("TlsException",
+                     "Failed SSL_ResetHandshake call");
   }
 
   // Set the peer address from the address passed. The DNS has already
   // been done in Dart code, so just use that address. This relies on
   // following about PRNetAddr: "The raw member of the union is
   // equivalent to struct sockaddr", which is stated in the NSS
   // documentation.
   PRNetAddr peername;
   memset(&peername, 0, sizeof(peername));
   intptr_t len = SocketAddress::GetAddrLength(raw_addr);
@@ skipping 19 matching lines @@
       in_handshake_ = false;
     }
   } else {
     PRErrorCode error = PR_GetError();
     if (error == PR_WOULD_BLOCK_ERROR) {
       if (!in_handshake_) {
         in_handshake_ = true;
       }
     } else {
       if (is_server_) {
-        ThrowPRException("Unexpected handshake error in server");
+        ThrowPRException("HandshakeException",
+                         "Handshake error in server");
       } else {
-        ThrowPRException("Unexpected handshake error in client");
+        ThrowPRException("HandshakeException",
+                         "Handshake error in client");
       }
     }
   }
 }
 
 
 void SSLFilter::Destroy() {
   for (int i = 0; i < kNumBuffers; ++i) {
     Dart_DeletePersistentHandle(dart_buffer_objects_[i]);
     delete[] buffers_[i];
@@ skipping 110 matching lines @@
     // Return a send port for the service port.
     Dart_Handle send_port = Dart_NewSendPort(service_port);
     Dart_SetReturnValue(args, send_port);
   }
   Dart_ExitScope();
 }
 
 
 }  // namespace bin
 }  // namespace dart