From 3f3b26d6feb0667714902e836af608094235fca2 Mon Sep 17 00:00:00 2001 From: Han Han Date: Wed, 22 Aug 2018 11:13:32 -0700 Subject: ssl: deprecate CURLE_SSL_CACERT in favour of a unified error code Long live CURLE_PEER_FAILED_VERIFICATION --- docs/libcurl/symbols-in-versions | 2 +- include/curl/curl.h | 9 ++++++--- lib/strerror.c | 9 +++------ lib/vtls/darwinssl.c | 2 +- lib/vtls/nss.c | 1 - tests/data/test1538 | 4 ++-- tests/data/test311 | 2 +- tests/data/test312 | 2 +- tests/data/test630 | 2 +- tests/data/test631 | 2 +- 10 files changed, 17 insertions(+), 18 deletions(-) diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index 7448b4f43..96fdb7f44 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -113,7 +113,7 @@ CURLE_SEND_ERROR 7.10 CURLE_SEND_FAIL_REWIND 7.12.3 CURLE_SHARE_IN_USE 7.9.6 7.17.0 CURLE_SSH 7.16.1 -CURLE_SSL_CACERT 7.10 +CURLE_SSL_CACERT 7.10 7.62.0 CURLE_SSL_CACERT_BADFILE 7.16.0 CURLE_SSL_CERTPROBLEM 7.10 CURLE_SSL_CIPHER 7.10 diff --git a/include/curl/curl.h b/include/curl/curl.h index 067b34ded..767cb3b17 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -517,8 +517,7 @@ typedef enum { CURLE_UNKNOWN_OPTION, /* 48 - User specified an unknown option */ CURLE_TELNET_OPTION_SYNTAX, /* 49 - Malformed telnet option */ CURLE_OBSOLETE50, /* 50 - NOT USED */ - CURLE_PEER_FAILED_VERIFICATION, /* 51 - peer's certificate or fingerprint - wasn't verified fine */ + CURLE_OBSOLETE51, /* 51 - NOT USED */ CURLE_GOT_NOTHING, /* 52 - when this is a specific error */ CURLE_SSL_ENGINE_NOTFOUND, /* 53 - SSL crypto engine not found */ CURLE_SSL_ENGINE_SETFAILED, /* 54 - can not set SSL crypto engine as 
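Review bot: In include/curl/curl.h, hunks `@@ -517,8 +517,7 @@` and `@@ -528,7 +527,8 @@` move CURLE_PEER_FAILED_VERIFICATION from value 51 to 60, and nothing on the new side records that 51 ever carried a meaning. A program built against the older header, or a script that tests the tool's exit status, still compares against 51 and will stop recognising fingerprint and host-key failures as such. The transfer still fails, so this is a handling and alerting gap rather than a verification bypass; the tests/data hunks for test311, test312, test630 and test631 show the same 51 to 60 shift. I would keep the history on the placeholder, `CURLE_OBSOLETE51, /* 51 - was CURLE_PEER_FAILED_VERIFICATION before 7.62.0 */`, and call the renumbering out in the release notes. The enum starts and ends outside both hunks.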
@@ -528,7 +527,8 @@ typedef enum { CURLE_OBSOLETE57, /* 57 - NOT IN USE */ CURLE_SSL_CERTPROBLEM, /* 58 - problem with the local certificate */ CURLE_SSL_CIPHER, /* 59 - couldn't use specified cipher */ - CURLE_SSL_CACERT, /* 60 - problem with the CA cert (path?) */ + CURLE_PEER_FAILED_VERIFICATION, /* 60 - peer's certificate or fingerprint + wasn't verified fine */ CURLE_BAD_CONTENT_ENCODING, /* 61 - Unrecognized/bad encoding */ CURLE_LDAP_INVALID_URL, /* 62 - Invalid LDAP URL */ CURLE_FILESIZE_EXCEEDED, /* 63 - Maximum file size exceeded */ @@ -584,6 +584,9 @@ typedef enum { CURL_LAST /* never use! */ } CURLcode; +/* added in 7.62.0 */ +#define CURLE_SSL_CACERT CURLE_PEER_FAILED_VERIFICATION + #ifndef CURL_NO_OLDIES /* define this to test if your app builds with all the obsolete stuff removed! */ diff --git a/lib/strerror.c b/lib/strerror.c index 0295d6c27..47ef44a66 100644 --- a/lib/strerror.c +++ b/lib/strerror.c @@ -191,9 +191,6 @@ curl_easy_strerror(CURLcode error) case CURLE_TELNET_OPTION_SYNTAX : return "Malformed telnet option"; - case CURLE_PEER_FAILED_VERIFICATION: - return "SSL peer certificate or SSH remote key was not OK"; - case CURLE_GOT_NOTHING: return "Server returned nothing (no headers, no data)"; @@ -218,9 +215,8 @@ curl_easy_strerror(CURLcode error) case CURLE_SSL_CIPHER: return "Couldn't use specified SSL cipher"; - case CURLE_SSL_CACERT: - return "Peer certificate cannot be authenticated with given CA " - "certificates"; + case CURLE_PEER_FAILED_VERIFICATION: + return "SSL peer certificate or SSH remote key was not OK"; case CURLE_SSL_CACERT_BADFILE: return "Problem with the SSL CA cert (path? access rights?)"; @@ -324,6 +320,7 @@ curl_easy_strerror(CURLcode error) case CURLE_OBSOLETE44: case CURLE_OBSOLETE46: case CURLE_OBSOLETE50: + case CURLE_OBSOLETE51: case CURLE_OBSOLETE57: case CURL_LAST: break; diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c index 6ea43542d..ae8a5cc1e 100644 --- a/lib/vtls/darwinssl.c 
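Review bot: The comment `/* added in 7.62.0 */` above `#define CURLE_SSL_CACERT CURLE_PEER_FAILED_VERIFICATION` (include/curl/curl.h, `@@ -584,6 +584,9 @@`) misdescribes the symbol: the docs/libcurl/symbols-in-versions hunk lists it as introduced in 7.10 and deprecated in 7.62.0. Because both names now expand to the same value, application code that lists both as `case` labels in one switch no longer compiles, which is presumably why the lib/vtls/nss.c hunk drops one of them. I would write `/* deprecated in 7.62.0: alias of CURLE_PEER_FAILED_VERIFICATION, kept for source compatibility; never use both names as case labels in one switch */`. The alias also sits above the `#ifndef CURL_NO_OLDIES` block, so a build with that macro defined will not flag remaining uses; worth confirming that is intended.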
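Review bot: In lib/strerror.c, `@@ -218,9 +215,8 @@`, code 60 now returns "SSL peer certificate or SSH remote key was not OK", so a CA-chain failure can no longer be told apart from a fingerprint or host-key mismatch by the string alone. Log searches and alerts keyed on the removed text "Peer certificate cannot be authenticated with given CA certificates" will silently stop matching. A comment on the case would record the merge, for example `/* since 7.62.0 also covers what CURLE_SSL_CACERT reported (CA chain could not be verified) */`. The body of curl_easy_strerror starts and ends outside the hunk.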
+++ b/lib/vtls/darwinssl.c @@ -2099,7 +2099,7 @@ static int append_cert_to_array(struct Curl_easy *data, switch(result) { case CURLE_OK: break; - case CURLE_SSL_CACERT: + case CURLE_PEER_FAILED_VERIFICATION: return CURLE_SSL_CACERT_BADFILE; case CURLE_OUT_OF_MEMORY: default: diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 89f818397..4eb6a7792 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1522,7 +1522,6 @@ static bool is_nss_error(CURLcode err) { switch(err) { case CURLE_PEER_FAILED_VERIFICATION: - case CURLE_SSL_CACERT: case CURLE_SSL_CERTPROBLEM: case CURLE_SSL_CONNECT_ERROR: case CURLE_SSL_ISSUER_ERROR: diff --git a/tests/data/test1538 b/tests/data/test1538 index b084dac6d..98d6731e9 100644 --- a/tests/data/test1538 +++ b/tests/data/test1538 @@ -83,7 +83,7 @@ e47: Number of redirects hit maximum amount e48: An unknown option was passed in to libcurl e49: Malformed telnet option e50: Unknown error -e51: SSL peer certificate or SSH remote key was not OK +e51: Unknown error e52: Server returned nothing (no headers, no data) e53: SSL crypto engine not found e54: Can not set SSL crypto engine as default @@ -92,7 +92,7 @@ e56: Failure when receiving data from the peer e57: Unknown error e58: Problem with the local SSL certificate e59: Couldn't use specified SSL cipher -e60: Peer certificate cannot be authenticated with given CA certificates +e60: SSL peer certificate or SSH remote key was not OK e61: Unrecognized or bad HTTP Content or Transfer-Encoding e62: Invalid LDAP URL e63: Maximum file size exceeded diff --git a/tests/data/test311 b/tests/data/test311 index 0465ed1d3..87f4dddce 100644 --- a/tests/data/test311 +++ b/tests/data/test311 @@ -37,7 +37,7 @@ perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0 # Verify data after the test has been "shot" -51 +60 diff --git a/tests/data/test312 b/tests/data/test312 index af4422f43..6a79f59a7 100644 --- a/tests/data/test312 +++ b/tests/data/test312 
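Review bot: In lib/vtls/darwinssl.c, `@@ -2099,7 +2099,7 @@`, the label `case CURLE_PEER_FAILED_VERIFICATION:` now reads as a peer-verification outcome, yet the branch returns CURLE_SSL_CACERT_BADFILE, which describes a problem with the local CA file. The call that sets `result` is outside the hunk; if it can return the unified code for anything other than an unusable CA certificate, that failure is reported as a bad CA file and points the operator at the wrong cause. If the mapping is intended, a comment would make it explicit, for example `/* callee signals an unusable CA certificate with this code; report it as a bad CA file */`. The body of append_cert_to_array starts and ends outside the hunk.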
@@ -37,7 +37,7 @@ perl -e "print 'Test requires default test server host' if ( '%HOSTIP' ne '127.0 # Verify data after the test has been "shot" -51 +60 diff --git a/tests/data/test630 b/tests/data/test630 index bb19590be..ffde8ea54 100644 --- a/tests/data/test630 +++ b/tests/data/test630 @@ -25,7 +25,7 @@ SFTP incorrect host key # Verify data after the test has been "shot" -51 +60 disable diff --git a/tests/data/test631 b/tests/data/test631 index 649fb70ac..ddb7d280d 100644 --- a/tests/data/test631 +++ b/tests/data/test631 @@ -25,7 +25,7 @@ SCP incorrect host key # Verify data after the test has been "shot" -51 +60 disable -- cgit v1.2.1