SSL → TLS

* I have changed most user-visible strings, documentation, and
  code comments.
* I have also changed macro constants, keeping old definitions
  and matking them as deprecated.
* I have not changed function and variable names, because that
  would break compatibility.

The most debatable change would be:
	openfortivpn - Client for PPP+TLS VPN tunnel services
instead of:
        openfortivpn - Client for PPP+SSL VPN tunnel services
Indeed, "VPN SSL" remains much more used than "VPN TLS". I have
therefore kept that as is.

doc/openfortivpn.1.in

@@ -167,13 +167,13 @@ Pass phrase for the PEM-encoded key.
 Log to syslog instead of terminal.
 .TP
 \fB\-\-trusted\-cert=\fI<digest>\fR
-Trust a given gateway. If classical SSL certificate validation fails, the
+Trust a given gateway. If classical TLS certificate validation fails, the
 gateway certificate will be matched against this value. \fI<digest>\fR is the
 X509 certificate's sha256 sum. The certificate has to be encoded in DER form.
 This option can be used multiple times to trust several certificates.
 .TP
 \fB\-\-insecure\-ssl\fR
-Do not disable insecure SSL protocols/ciphers.
+Do not disable insecure TLS protocols/ciphers.
 If your server requires a specific cipher, consider using \fB\-\-cipher\-list\fR
 instead.
 .TP

src/http.c

@@ -112,9 +112,9 @@ int http_send(struct tunnel *tunnel, const char *request, ...)
 		n = safe_ssl_write(tunnel->ssl_handle, (uint8_t *) buffer,
 		                   length);
 	if (n < 0) {
-		log_debug("Error writing to SSL connection (%s).\n",
+		log_debug("Error writing to TLS connection (%s).\n",
 		          err_ssl_str(n));
-		return ERR_HTTP_SSL;
+		return ERR_HTTP_TLS;
 	}
 
 	return 1;
@@ -169,13 +169,13 @@ int http_receive(struct tunnel *tunnel,
 
 		while ((n = safe_ssl_read(tunnel->ssl_handle,
 		                          (uint8_t *) buffer + bytes_read,
-		                          capacity - bytes_read)) == ERR_SSL_AGAIN)
+		                          capacity - bytes_read)) == ERR_TLS_AGAIN)
 			;
 		if (n < 0) {
-			log_debug("Error reading from SSL connection (%s).\n",
+			log_debug("Error reading from TLS connection (%s).\n",
 			          err_ssl_str(n));
 			free(buffer);
-			return ERR_HTTP_SSL;
+			return ERR_HTTP_TLS;
 		}
 		bytes_read += n;
 
@@ -315,7 +315,7 @@ static int http_request(struct tunnel *tunnel, const char *method,
 
 	ret = do_http_request(tunnel, method, uri, data,
 	                      response, response_size);
-	if (ret == ERR_HTTP_SSL) {
+	if (ret == ERR_HTTP_TLS) {
 		ssl_connect(tunnel);
 		ret = do_http_request(tunnel, method, uri, data,
 		                      response, response_size);

src/http.h

@@ -25,7 +25,8 @@
 #define ERR_HTTP_INVALID	-1
 #define ERR_HTTP_TOO_LONG	-2
 #define ERR_HTTP_NO_MEM		-3
-#define ERR_HTTP_SSL		-4
+#define ERR_HTTP_SSL		-4  // deprecated
+#define ERR_HTTP_TLS		-4
 #define ERR_HTTP_BAD_RES_CODE	-5
 #define ERR_HTTP_PERMISSION	-6
 #define ERR_HTTP_NO_COOKIE	-7
@@ -40,8 +41,8 @@ static inline const char *err_http_str(int code)
 		return "Request too long";
 	else if (code == ERR_HTTP_NO_MEM)
 		return "Not enough memory";
-	else if (code == ERR_HTTP_SSL)
-		return "SSL error";
+	else if (code == ERR_HTTP_TLS)
+		return "TLS error";
 	else if (code == ERR_HTTP_BAD_RES_CODE)
 		return "Bad HTTP response code";
 	else if (code == ERR_HTTP_PERMISSION)

src/io.c

@@ -427,7 +427,7 @@ static void debug_bad_packet(struct tunnel *tunnel, uint8_t *header)
 }
 
 /*
- * Thread to read bytes from the SSL socket, convert them to ppp packets and add
+ * Thread to read bytes from the TLS socket, convert them to ppp packets and add
  * them to the 'ssl_to_pty' pool.
  */
 static void *ssl_read(void *arg)
@@ -446,7 +446,7 @@ static void *ssl_read(void *arg)
 
 		ret = safe_ssl_read_all(tunnel->ssl_handle, header, 6);
 		if (ret < 0) {
-			log_debug("Error reading from SSL connection (%s).\n",
+			log_debug("Error reading from TLS connection (%s).\n",
 			          err_ssl_str(ret));
 			break;
 		}
@@ -483,7 +483,7 @@ static void *ssl_read(void *arg)
 		ret = safe_ssl_read_all(tunnel->ssl_handle, pkt_data(packet),
 		                        size);
 		if (ret < 0) {
-			log_debug("Error reading from SSL connection (%s).\n",
+			log_debug("Error reading from TLS connection (%s).\n",
 			          err_ssl_str(ret));
 			free(packet);
 			break;
@@ -525,7 +525,7 @@ static void *ssl_read(void *arg)
 }
 
 /*
- * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the SSL
+ * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the TLS
  * socket.
  */
 static void *ssl_write(void *arg)
@@ -553,7 +553,7 @@ static void *ssl_write(void *arg)
 			                     packet->content, 6 + packet->len);
 		} while (ret == 0);
 		if (ret < 0) {
-			log_debug("Error writing to SSL connection (%s).\n",
+			log_debug("Error writing to TLS connection (%s).\n",
 			          err_ssl_str(ret));
 			free(packet);
 			break;
@@ -567,7 +567,7 @@ static void *ssl_write(void *arg)
 }
 
 /*
- * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the SSL
+ * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the TLS
  * socket.
  */
 static void *if_config(void *arg)

src/io.h

@@ -25,7 +25,7 @@
 #include <stdint.h>
 
 /*
- * For performance reasons, we store the 6-byte header used by the SSL
+ * For performance reasons, we store the 6-byte header used by the TLS
  * communication right in front of the real PPP packet data. This way,
  * SSL_write can be called directly on packet->content, instead of memcpy'ing
  * the header + data to a temporary buffer.

src/main.c

@@ -143,15 +143,15 @@ PPPD_USAGE \
 "                                authentication with a certificate.\n" \
 "  --pem-passphrase=<pass>       Pass phrase for the PEM-encoded key.\n" \
 "  --use-syslog                  Log to syslog instead of terminal.\n" \
-"  --trusted-cert=<digest>       Trust a given gateway. If classical SSL\n" \
+"  --trusted-cert=<digest>       Trust a given gateway. If classical TLS\n" \
 "                                certificate validation fails, the gateway\n" \
 "                                certificate will be matched against this value.\n" \
 "                                <digest> is the X509 certificate's sha256 sum.\n" \
 "                                This option can be used multiple times to trust\n" \
 "                                several certificates.\n"
 
 #define help_options_part2 \
-"  --insecure-ssl                Do not disable insecure SSL protocols/ciphers.\n" \
+"  --insecure-ssl                Do not disable insecure TLS protocols/ciphers.\n" \
 "                                Also enable TLS v1.0 if applicable.\n" \
 "                                If your server requires a specific cipher or protocol,\n" \
 "                                consider using --cipher-list and/or --min-tls instead.\n" \

src/ssl.h

@@ -54,30 +54,38 @@
 #define ERESTART -1
 #endif
 
-#define ERR_SSL_AGAIN		0
-#define ERR_SSL_CLOSED		-1
-#define ERR_SSL_CERT		-2
-#define ERR_SSL_EOF		-3
-#define ERR_SSL_PROTOCOL	-4
-#define ERR_SSL_SEE_ERRNO	-5
-#define ERR_SSL_SEE_SSLERR	-6
-#define ERR_SSL_UNKNOWN		-7
+#define ERR_SSL_AGAIN		 0 // deprecated
+#define ERR_TLS_AGAIN		 0
+#define ERR_SSL_CLOSED		-1 // deprecated
+#define ERR_TLS_CLOSED		-1
+#define ERR_SSL_CERT		-2 // deprecated
+#define ERR_TLS_CERT		-2
+#define ERR_SSL_EOF		-3 // deprecated
+#define ERR_TLS_EOF		-3
+#define ERR_SSL_PROTOCOL	-4 // deprecated
+#define ERR_TLS_PROTOCOL	-4
+#define ERR_SSL_SEE_ERRNO	-5 // deprecated
+#define ERR_TLS_SEE_ERRNO	-5
+#define ERR_SSL_SEE_TLSERR	-6 // deprecated
+#define ERR_TLS_SEE_TLSERR	-6
+#define ERR_SSL_UNKNOWN		-7 // deprecated
+#define ERR_TLS_UNKNOWN		-7
 
 static inline const char *err_ssl_str(int code)
 {
-	if (code == ERR_SSL_AGAIN)
+	if (code == ERR_TLS_AGAIN)
 		return "Try again";
-	else if (code == ERR_SSL_CLOSED)
+	else if (code == ERR_TLS_CLOSED)
 		return "Connection closed";
-	else if (code == ERR_SSL_CERT)
+	else if (code == ERR_TLS_CERT)
 		return "Want X509 lookup";
-	else if (code == ERR_SSL_EOF)
+	else if (code == ERR_TLS_EOF)
 		return "Protocol violation with EOF";
-	else if (code == ERR_SSL_PROTOCOL)
+	else if (code == ERR_TLS_PROTOCOL)
 		return "Protocol error";
-	else if (code == ERR_SSL_SEE_ERRNO)
+	else if (code == ERR_TLS_SEE_ERRNO)
 		return strerror(errno);
-	else if (code == ERR_SSL_SEE_SSLERR)
+	else if (code == ERR_TLS_SEE_TLSERR)
 		return ERR_reason_error_string(ERR_peek_last_error());
 	return "unknown";
 }
@@ -87,37 +95,37 @@ static inline int handle_ssl_error(SSL *ssl, int ret)
 	int code;
 
 	if (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN)
-		return ERR_SSL_CLOSED;
+		return ERR_TLS_CLOSED;
 
 	code = SSL_get_error(ssl, ret);
 	if (code == SSL_ERROR_WANT_READ || code == SSL_ERROR_WANT_WRITE)
-		return ERR_SSL_AGAIN; // The caller should try again
+		return ERR_TLS_AGAIN; // The caller should try again
 
 	if (code == SSL_ERROR_ZERO_RETURN)
-		return ERR_SSL_CLOSED;
+		return ERR_TLS_CLOSED;
 	if (code == SSL_ERROR_WANT_X509_LOOKUP)
-		return ERR_SSL_CERT;
+		return ERR_TLS_CERT;
 	if (code == SSL_ERROR_SYSCALL) {
 		if (ERR_peek_last_error() != 0)
-			return ERR_SSL_SEE_SSLERR;
+			return ERR_TLS_SEE_TLSERR;
 		if (ret == 0)
-			return ERR_SSL_EOF;
+			return ERR_TLS_EOF;
 		if (errno == EAGAIN || errno == ERESTART || errno == EINTR)
-			return ERR_SSL_AGAIN; // The caller should try again
+			return ERR_TLS_AGAIN; // The caller should try again
 		if (errno == EPIPE)
-			return ERR_SSL_CLOSED;
-		return ERR_SSL_SEE_ERRNO;
+			return ERR_TLS_CLOSED;
+		return ERR_TLS_SEE_ERRNO;
 	}
 	if (code == SSL_ERROR_SSL)
-		return ERR_SSL_PROTOCOL;
-	return ERR_SSL_UNKNOWN;
+		return ERR_TLS_PROTOCOL;
+	return ERR_TLS_UNKNOWN;
 }
 
 /*
- * Reads data from the SSL connection.
+ * Reads data from the TLS connection.
  *
  * @return  > 0            in case of success (number of bytes transferred)
- *          ERR_SSL_AGAIN  if the caller should try again
+ *          ERR_TLS_AGAIN  if the caller should try again
  *          < 0            in case of error
  */
 static inline int safe_ssl_read(SSL *ssl, uint8_t *buf, int bufsize)
@@ -145,7 +153,7 @@ static inline int safe_ssl_read_all(SSL *ssl, uint8_t *buf, int bufsize)
 		int ret;
 
 		ret = safe_ssl_read(ssl, &buf[n], bufsize - n);
-		if (ret == ERR_SSL_AGAIN)
+		if (ret == ERR_TLS_AGAIN)
 			continue;
 		else if (ret < 0)
 			return ret;
@@ -162,7 +170,7 @@ static inline int safe_ssl_read_all(SSL *ssl, uint8_t *buf, int bufsize)
  * has been written.
  *
  * @return  > 0            in case of success (number of bytes transferred)
- *          ERR_SSL_AGAIN  if the caller should try again
+ *          ERR_TLS_AGAIN  if the caller should try again
  *          < 0            in case of error
  */
 static inline int safe_ssl_write(SSL *ssl, const uint8_t *buf, int n)

src/tunnel.c

@@ -385,7 +385,7 @@ static int pppd_run(struct tunnel *tunnel)
 #endif
 
 		if (close(tunnel->ssl_socket))
-			log_warn("Could not close ssl socket (%s).\n", strerror(errno));
+			log_warn("Could not close TLS socket (%s).\n", strerror(errno));
 		tunnel->ssl_socket = -1;
 		execv(pppd_args.data[0], (char *const *)pppd_args.data);
 		free(pppd_args.data);
@@ -997,7 +997,7 @@ static int ssl_verify_cert(struct tunnel *tunnel)
 }
 
 /*
- * Destroy and free the SSL connection to the gateway.
+ * Destroy and free the TLS connection to the gateway.
  */
 static void ssl_disconnect(struct tunnel *tunnel)
 {
@@ -1012,7 +1012,7 @@ static void ssl_disconnect(struct tunnel *tunnel)
 	tunnel->ssl_context = NULL;
 
 	if (close(tunnel->ssl_socket))
-		log_warn("Could not close ssl socket (%s).\n", strerror(errno));
+		log_warn("Could not close TLS socket (%s).\n", strerror(errno));
 	tunnel->ssl_socket = -1;
 }
 
@@ -1052,7 +1052,7 @@ static int pem_passphrase_cb(char *buf, int size, int rwflag, void *u)
 }
 
 /*
- * Connects to the gateway and initiate an SSL session.
+ * Connects to the gateway and initiate a TLS session.
  */
 int ssl_connect(struct tunnel *tunnel)
 {
@@ -1295,7 +1295,7 @@ int ssl_connect(struct tunnel *tunnel)
 	tunnel->ssl_context = NULL;
 err_ssl_socket:
 	if (close(tunnel->ssl_socket))
-		log_warn("Could not close ssl socket (%s).\n", strerror(errno));
+		log_warn("Could not close TLS socket (%s).\n", strerror(errno));
 	tunnel->ssl_socket = -1;
 err_tcp_connect:
 	return 1;
@@ -1323,8 +1323,8 @@ int run_tunnel(struct vpn_config *config)
 	if (ret)
 		goto err_tunnel;
 
-	// Step 1: open a SSL connection to the gateway
-	log_debug("Establishing ssl connection\n");
+	// Step 1: open a TLS connection to the gateway
+	log_debug("Establishing TLS connection\n");
 	ret = ssl_connect(&tunnel);
 	if (ret)
 		goto err_tunnel;