From b1e10ef14ebb91fa2ca1b61494e25fa099e85429 Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Mon, 8 Mar 2021 20:41:15 +0000
Subject: [PATCH] [Minor] Make HTTP reply codes more consistent with the standard
Reported by: Steve Sturges
---
 src/libserver/http/http_connection.c | 31 +++++++++++++++++-----------
 src/libserver/ssl_util.c | 19 ++++++++---------
 2 files changed, 28 insertions(+), 22 deletions(-)
diff --git a/src/libserver/http/http_connection.c b/src/libserver/http/http_connection.c
index 050fb4285..bf4d07b72 100644
--- a/src/libserver/http/http_connection.c
+++ b/src/libserver/http/http_connection.c
@@ -820,7 +820,7 @@ rspamd_http_write_helper (struct rspamd_http_connection *conn)
 if (r == -1) {
 if (!priv->ssl) {
- err = g_error_new (HTTP_ERROR, errno, "IO write error: %s", strerror (errno));
+ err = g_error_new (HTTP_ERROR, 500, "IO write error: %s", strerror (errno));
 rspamd_http_connection_ref (conn);
 conn->error_handler (conn, err);
 rspamd_http_connection_unref (conn);
@@ -970,9 +970,16 @@ rspamd_http_event_handler (int fd, short what, gpointer ud)
 return;
 }
 else {
- err = g_error_new (HTTP_ERROR, 500 + priv->parser.http_errno,
- "HTTP parser error: %s",
- http_errno_description (priv->parser.http_errno));
+ if (priv->parser.http_errno > HPE_CB_status) {
+ err = g_error_new (HTTP_ERROR, 400,
+ "HTTP parser error: %s",
+ http_errno_description (priv->parser.http_errno));
+ }
+ else {
+ err = g_error_new (HTTP_ERROR, 500,
+ "HTTP parser internal error: %s",
+ http_errno_description (priv->parser.http_errno));
+ }
 }
 if (!conn->finished) {
@@ -996,7 +1003,7 @@ rspamd_http_event_handler (int fd, short what, gpointer ud)
 if (!conn->finished) {
 err = g_error_new (HTTP_ERROR,
- errno,
+ 400,
 "IO read error: unexpected EOF");
 conn->error_handler (conn, err);
 g_error_free (err);
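Review bot: Replacing `errno` with a fixed `500` in `rspamd_http_write_helper` removes the only machine-readable cause from the GError, so any handler that compares `err->code` with an errno constant will silently stop matching. The same applies to the `ETIMEDOUT` to `408` replacements in the two `IO timeout` hunks of `rspamd_http_event_handler` and to the `ETIMEDOUT`/`EINVAL`/`ECONNRESET` replacements in ssl_util.c. The `error_handler` implementations are not visible in this patch, so they should be checked for such comparisons before merging. A comment above the call such as `/* code is an HTTP status; the errno survives only in the message text */` would record the new contract. The function body starts and ends outside the hunk.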
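Review bot: The test `priv->parser.http_errno > HPE_CB_status` depends on the declaration order of the parser's error enum, which is neither shown in this patch nor documented at the call site. In upstream http_parser releases `HPE_CB_chunk_header` and `HPE_CB_chunk_complete` are declared after `HPE_CB_status`, and internal conditions such as `HPE_INVALID_INTERNAL_STATE` sit near the end, so with such a header they would be reported as a client-side 400; whether the bundled copy has them should be confirmed. The later `http_parser_execute` hunk in the same function reports every parser error as 400 without this distinction, so a callback failure yields 500 on one path and 400 on the other. At minimum add `/* relies on enum order: values up to HPE_CB_status are callback failures */` above the comparison.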
@@ -1009,8 +1016,8 @@ rspamd_http_event_handler (int fd, short what, gpointer ud)
 else {
 if (!priv->ssl) {
 err = g_error_new (HTTP_ERROR,
- errno,
- "IO read error: %s",
+ 500,
+ "HTTP IO read error: %s",
 strerror (errno));
 conn->error_handler (conn, err);
 g_error_free (err);
@@ -1029,7 +1036,7 @@ rspamd_http_event_handler (int fd, short what, gpointer ud)
 if (r > 0) {
 if (http_parser_execute (&priv->parser, &priv->parser_cb, d, r) != (size_t)r || priv->parser.http_errno != 0) {
- err = g_error_new (HTTP_ERROR, priv->parser.http_errno,
+ err = g_error_new (HTTP_ERROR, 400,
 "HTTP parser error: %s",
 http_errno_description (priv->parser.http_errno));
@@ -1050,7 +1057,7 @@ rspamd_http_event_handler (int fd, short what, gpointer ud)
 }
 else if (r == 0) {
 if (!conn->finished) {
- err = g_error_new (HTTP_ERROR, ETIMEDOUT,
+ err = g_error_new (HTTP_ERROR, 408,
 "IO timeout");
 conn->error_handler (conn, err);
 g_error_free (err);
@@ -1062,7 +1069,7 @@ rspamd_http_event_handler (int fd, short what, gpointer ud)
 return;
 }
 else {
- err = g_error_new (HTTP_ERROR, ETIMEDOUT,
+ err = g_error_new (HTTP_ERROR, 408,
 "IO timeout");
 conn->error_handler (conn, err);
 g_error_free (err);
@@ -2258,7 +2265,7 @@ rspamd_http_connection_write_message_common (struct rspamd_http_connection *conn
 priv->ctx->ssl_ctx_noverify : priv->ctx->ssl_ctx;
 if (!ssl_ctx) {
- err = g_error_new (HTTP_ERROR, errno, "ssl message requested "
+ err = g_error_new (HTTP_ERROR, 400, "ssl message requested "
 "with no ssl ctx");
 rspamd_http_connection_ref (conn);
 conn->error_handler (conn, err);
@@ -2281,7 +2288,7 @@ rspamd_http_connection_write_message_common (struct rspamd_http_connection *conn
 priv->timeout, rspamd_http_event_handler, rspamd_http_ssl_err_handler, conn)) {
- err = g_error_new (HTTP_ERROR, errno,
+ err = g_error_new (HTTP_ERROR, 400,
 "ssl connection error: ssl error=%s, errno=%s",
 ERR_error_string (ERR_get_error (), NULL),
 strerror (errno));
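Review bot: A missing `ssl_ctx` in `rspamd_http_connection_write_message_common` is a local state problem, yet the new code reports it as 400, which tells the consumer of the error that the peer sent a bad request. `500` matches what the commit uses elsewhere for local failures: `err = g_error_new (HTTP_ERROR, 500, "ssl message requested "`. The following hunk likewise maps a failed TLS connect to 400 and puts `strerror (errno)` plus the OpenSSL error string into the message; if that message is ever relayed in a reply body (not visible here), local detail reaches the remote side. The function continues outside both hunks.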
diff --git a/src/libserver/ssl_util.c b/src/libserver/ssl_util.c
index c01f7467f..b9fb175e5 100644
--- a/src/libserver/ssl_util.c
+++ b/src/libserver/ssl_util.c
@@ -356,7 +356,7 @@ rspamd_ssl_peer_verify (struct rspamd_ssl_connection *c)
 ver_err = SSL_get_verify_result (c->ssl);
 if (ver_err != X509_V_OK) {
- g_set_error (&err, rspamd_ssl_quark (), ver_err, "certificate validation "
+ g_set_error (&err, rspamd_ssl_quark (), 400, "certificate validation "
 "failed: %s", X509_verify_cert_error_string (ver_err));
 c->err_handler (c->handler_data, err);
 g_error_free (err);
@@ -367,7 +367,7 @@ rspamd_ssl_peer_verify (struct rspamd_ssl_connection *c)
 /* Get server's certificate */
 server_cert = SSL_get_peer_certificate (c->ssl);
 if (server_cert == NULL) {
- g_set_error (&err, rspamd_ssl_quark (), ver_err, "peer certificate is absent");
+ g_set_error (&err, rspamd_ssl_quark (), 401, "peer certificate is absent");
 c->err_handler (c->handler_data, err);
 g_error_free (err);
@@ -377,7 +377,7 @@ rspamd_ssl_peer_verify (struct rspamd_ssl_connection *c)
 if (c->hostname) {
 if (!rspamd_tls_check_name (server_cert, c->hostname)) {
 X509_free (server_cert);
- g_set_error (&err, rspamd_ssl_quark (), ver_err, "peer certificate fails "
+ g_set_error (&err, rspamd_ssl_quark (), 403, "peer certificate fails "
 "hostname verification for %s", c->hostname);
 c->err_handler (c->handler_data, err);
 g_error_free (err);
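Review bot: After this change a failed chain validation in `rspamd_ssl_peer_verify` carries the generic code 400, the same value `rspamd_tls_set_error` now assigns to any OpenSSL error, so an error handler can no longer tell an untrusted peer certificate from an ordinary handshake failure without parsing the message text. The two following hunks use 401 for an absent certificate and 403 for a hostname mismatch, which are HTTP client-authentication statuses applied to a peer-certificate check; the mapping deserves a comment, e.g. `/* 400: chain validation failed, 401: no peer certificate, 403: hostname mismatch */`. If logging, alerting or retry logic should treat verification failures as one class, a single dedicated code for all three would be easier to match. The function's start and its return paths are outside the hunks.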
@@ -396,22 +396,21 @@ rspamd_tls_set_error (gint retcode, const gchar *stage, GError **err)
 {
 GString *reason;
 gchar buf[120];
- gint err_code = 0, last_err = 0;
+ gint err_code = 0;
 reason = g_string_sized_new (sizeof (buf));
 if (retcode == SSL_ERROR_SYSCALL) {
 rspamd_printf_gstring (reason, "syscall fail: %s", strerror (errno));
- err_code = errno;
+ err_code = 500;
 }
 else {
 while ((err_code = ERR_get_error()) != 0) {
- last_err = err_code;
 ERR_error_string (err_code, buf);
 rspamd_printf_gstring (reason, "ssl error: %s,", buf);
 }
- err_code = last_err;
+ err_code = 400;
 if (reason->len > 0 && reason->str[reason->len - 1] == ',') {
 reason->str[reason->len - 1] = '\0';
@@ -544,7 +543,7 @@ rspamd_ssl_event_handler (gint fd, short what, gpointer ud)
 else {
 conn->shut = ssl_shut_unclean;
 rspamd_ev_watcher_stop (conn->event_loop, conn->ev);
- g_set_error (&err, rspamd_ssl_quark (), ETIMEDOUT,
+ g_set_error (&err, rspamd_ssl_quark (), 408,
 "ssl connection timed out");
 conn->err_handler (conn->handler_data, err);
 g_error_free (err);
@@ -616,7 +615,7 @@ rspamd_ssl_event_handler (gint fd, short what, gpointer ud)
 break;
 default:
 rspamd_ev_watcher_stop (conn->event_loop, conn->ev);
- g_set_error (&err, rspamd_ssl_quark (), EINVAL,
+ g_set_error (&err, rspamd_ssl_quark (), 500,
 "ssl bad state error: %d", conn->state);
 conn->err_handler (conn->handler_data, err);
 g_error_free (err);
@@ -760,7 +759,7 @@ rspamd_ssl_read (struct rspamd_ssl_connection *conn, gpointer buf,
 if (conn->state != ssl_conn_connected && conn->state != ssl_next_read) {
 errno = EINVAL;
- g_set_error (&err, rspamd_ssl_quark (), ECONNRESET,
+ g_set_error (&err, rspamd_ssl_quark (), 400,
 "ssl state error: cannot read data");
 conn->shut = ssl_shut_unclean;
 conn->err_handler (conn->handler_data, err);
-- 
2.39.5
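Review bot: `ERR_error_string (err_code, buf)` in the loop of `rspamd_tls_set_error` writes into `gchar buf[120]`, but OpenSSL documents that a buffer passed to `ERR_error_string` must hold at least 256 bytes, so a long error string can overrun the stack buffer. Use the bounded form instead: `ERR_error_string_n (err_code, buf, sizeof (buf));`. `err_code` is also a `gint` receiving the `unsigned long` returned by `ERR_get_error ()`; now that the loop value no longer feeds the GError code, it could live in its own `unsigned long` so that `err_code` only ever holds 400 or 500. The function body continues past the end of the hunk.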
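Review bot: The wrong-state branch in `rspamd_ssl_read` is now reported as 400, while the equivalent `ssl bad state error` default case in `rspamd_ssl_event_handler` (the preceding hunk) is reported as 500. Both describe the local connection state machine rather than anything the peer sent, so they should share one code: `g_set_error (&err, rspamd_ssl_quark (), 500,`. The branch also still sets `errno = EINVAL` on the line above, so a caller sees two unrelated error values for one failure; a comment stating which of them is authoritative would help. The function starts and ends outside the hunk.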