From cde393cdf50391ccac137a4cc6a9ed231ec3b6d1 Mon Sep 17 00:00:00 2001
From: tjp
Date: Wed, 10 Jan 2024 11:56:08 -0700
Subject: prompt to update TOFU store on violations

---
 tls.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

(limited to 'tls.go')

diff --git a/tls.go b/tls.go
index fa25441..d4452f2 100644
--- a/tls.go
+++ b/tls.go
@@ -8,7 +8,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/hex"
-	"errors"
+	"fmt"
 	"math/big"
 	"os"
 	"time"
@@ -23,7 +23,15 @@ func tlsConfig(state *BrowserState) *tls.Config {
 
 var tofuStore map[string]string
 
-var ErrTOFUViolation = errors.New("certificate for this domain has changed")
+type TOFUViolation struct {
+	domain string
+	expected string
+	got string
+}
+
+func (tv *TOFUViolation) Error() string {
+	return fmt.Sprintf("certificate for domain %s has changed from %s to %s", tv.domain, tv.expected, tv.got)
+}
 
 var anonymousTLS = &tls.Config{
 	InsecureSkipVerify: true,
@@ -43,7 +51,11 @@ func tofuVerify(connState tls.ConnectionState) error {
 	}
 
 	if certhash != expected {
-		return ErrTOFUViolation
+		return &TOFUViolation{
+			domain: connState.ServerName,
+			expected: expected,
+			got: certhash,
+		}
 	}
 	return nil
 }
-- 
cgit v1.2.3
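Review bot: The exported `TOFUViolation` type in the second hunk has no doc comment, and now that the `ErrTOFUViolation` sentinel is gone any caller that wants to drive the "update the store?" prompt has to extract it with `errors.As` rather than compare with `==`; worth stating on the type: `// TOFUViolation is returned by tofuVerify when the presented certificate hash differs from the pinned one; use errors.As to obtain the domain and both hashes.` Go convention would also name an error type `TOFUViolationError`, and since the fields are unexported the prompting code must live in this package (tls.go looks like package main, but confirm). In the third hunk `domain` is taken from `connState.ServerName`, which on the client side reflects the SNI value and is empty for IP-literal hosts, so it may not equal the key the `tofuStore` lookup used earlier in `tofuVerify` (that lookup is above the hunk; confirm both use the same key). A pin mismatch is the only MITM signal a TOFU client gets, so whatever consumes this error should display both `expected` and `got` fingerprints and default to rejecting; this hunk itself makes no such decision.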