From e74569a8335489b645fe27d6348c34f07fe65dba Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Mon, 6 Nov 2023 11:23:28 +0100 Subject: [PATCH] =?UTF-8?q?SSL=20=E2=86=92=20TLS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * I have changed most user-visible strings, documentation, and code comments. * I have also changed macro constants, keeping old definitions and marking them as deprecated. * I have not changed function and variable names, because that would break compatibility. The most debatable change would be: openfortivpn - Client for PPP+TLS VPN tunnel services instead of: openfortivpn - Client for PPP+SSL VPN tunnel services Indeed, "VPN SSL" remains much more used than "VPN TLS". I have therefore kept that as is. --- doc/openfortivpn.1.in | 4 +-- src/http.c | 12 ++++---- src/http.h | 7 +++-- src/io.c | 12 ++++---- src/io.h | 2 +- src/main.c | 4 +-- src/ssl.h | 68 ++++++++++++++++++++++++------------------- src/tunnel.c | 14 ++++----- 8 files changed, 66 insertions(+), 57 deletions(-) diff --git a/doc/openfortivpn.1.in b/doc/openfortivpn.1.in index f8ca9495..ffdcd74a 100644 --- a/doc/openfortivpn.1.in +++ b/doc/openfortivpn.1.in @@ -167,13 +167,13 @@ Pass phrase for the PEM-encoded key. Log to syslog instead of terminal. .TP \fB\-\-trusted\-cert=\fI\fR -Trust a given gateway. If classical SSL certificate validation fails, the +Trust a given gateway. If classical TLS certificate validation fails, the gateway certificate will be matched against this value. \fI\fR is the X509 certificate's sha256 sum. The certificate has to be encoded in DER form. This option can be used multiple times to trust several certificates. .TP \fB\-\-insecure\-ssl\fR -Do not disable insecure SSL protocols/ciphers. +Do not disable insecure TLS protocols/ciphers. If your server requires a specific cipher, consider using \fB\-\-cipher\-list\fR instead. .TP
diff --git a/src/http.c b/src/http.c
index 856df670..e796ef77 100644
--- a/src/http.c
+++ b/src/http.c
@@ -112,9 +112,9 @@ int http_send(struct tunnel *tunnel, const char *request, ...)
 n = safe_ssl_write(tunnel->ssl_handle, (uint8_t *) buffer, length);
 if (n < 0) {
- log_debug("Error writing to SSL connection (%s).\n",
+ log_debug("Error writing to TLS connection (%s).\n",
 err_ssl_str(n));
- return ERR_HTTP_SSL;
+ return ERR_HTTP_TLS;
 }
 return 1;
@@ -169,13 +169,13 @@ int http_receive(struct tunnel *tunnel,
 while ((n = safe_ssl_read(tunnel->ssl_handle,
 (uint8_t *) buffer + bytes_read,
- capacity - bytes_read)) == ERR_SSL_AGAIN)
+ capacity - bytes_read)) == ERR_TLS_AGAIN)
 ;
 if (n < 0) {
- log_debug("Error reading from SSL connection (%s).\n",
+ log_debug("Error reading from TLS connection (%s).\n",
 err_ssl_str(n));
 free(buffer);
- return ERR_HTTP_SSL;
+ return ERR_HTTP_TLS;
 }
 bytes_read += n;
@@ -315,7 +315,7 @@ static int http_request(struct tunnel *tunnel, const char *method,
 ret = do_http_request(tunnel, method, uri, data, response, response_size);
- if (ret == ERR_HTTP_SSL) {
+ if (ret == ERR_HTTP_TLS) {
 ssl_connect(tunnel);
 ret = do_http_request(tunnel, method, uri, data, response, response_size);
diff --git a/src/http.h b/src/http.h
index 23df6636..a4a07e1b 100644
--- a/src/http.h
+++ b/src/http.h
@@ -25,7 +25,8 @@
 #define ERR_HTTP_INVALID -1
 #define ERR_HTTP_TOO_LONG -2
 #define ERR_HTTP_NO_MEM -3
-#define ERR_HTTP_SSL -4
+#define ERR_HTTP_SSL -4 // deprecated
+#define ERR_HTTP_TLS -4
 #define ERR_HTTP_BAD_RES_CODE -5
 #define ERR_HTTP_PERMISSION -6
 #define ERR_HTTP_NO_COOKIE -7
@@ -40,8 +41,8 @@ static inline const char *err_http_str(int code)
 return "Request too long";
 else if (code == ERR_HTTP_NO_MEM)
 return "Not enough memory";
- else if (code == ERR_HTTP_SSL)
- return "SSL error";
+ else if (code == ERR_HTTP_TLS)
+ return "TLS error";
 else if (code == ERR_HTTP_BAD_RES_CODE)
 return "Bad HTTP response code";
 else if (code == ERR_HTTP_PERMISSION)
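Review bot: The reconnect path under the renamed `if (ret == ERR_HTTP_TLS) {` discards the return value of `ssl_connect(tunnel);` and retries do_http_request unconditionally; the tunnel.c hunks in this same patch show ssl_connect returning 1 from its error paths after resetting ssl_socket to -1 and ssl_context to NULL, so a failed reconnect (presumably including a failed certificate check, given ssl_verify_cert lives in that file) is followed by a second request on a handle whose state cannot be told from here. Guard the retry, e.g. `if (ssl_connect(tunnel)) return ERR_HTTP_TLS;` in place of the bare `ssl_connect(tunnel);`. http_request begins and ends outside the hunk.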
diff --git a/src/io.c b/src/io.c
index e9876f0f..01646c62 100644
--- a/src/io.c
+++ b/src/io.c
@@ -427,7 +427,7 @@ static void debug_bad_packet(struct tunnel *tunnel, uint8_t *header)
 }
 /*
- * Thread to read bytes from the SSL socket, convert them to ppp packets and add
+ * Thread to read bytes from the TLS socket, convert them to ppp packets and add
 * them to the 'ssl_to_pty' pool.
 */
 static void *ssl_read(void *arg)
@@ -446,7 +446,7 @@ static void *ssl_read(void *arg)
 ret = safe_ssl_read_all(tunnel->ssl_handle, header, 6);
 if (ret < 0) {
- log_debug("Error reading from SSL connection (%s).\n",
+ log_debug("Error reading from TLS connection (%s).\n",
 err_ssl_str(ret));
 break;
 }
@@ -483,7 +483,7 @@ static void *ssl_read(void *arg)
 ret = safe_ssl_read_all(tunnel->ssl_handle, pkt_data(packet), size);
 if (ret < 0) {
- log_debug("Error reading from SSL connection (%s).\n",
+ log_debug("Error reading from TLS connection (%s).\n",
 err_ssl_str(ret));
 free(packet);
 break;
@@ -525,7 +525,7 @@ static void *ssl_read(void *arg)
 }
 /*
- * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the SSL
+ * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the TLS
 * socket.
 */
 static void *ssl_write(void *arg)
@@ -553,7 +553,7 @@ static void *ssl_write(void *arg)
 packet->content, 6 + packet->len);
 } while (ret == 0);
 if (ret < 0) {
- log_debug("Error writing to SSL connection (%s).\n",
+ log_debug("Error writing to TLS connection (%s).\n",
 err_ssl_str(ret));
 free(packet);
 break;
@@ -567,7 +567,7 @@ static void *ssl_write(void *arg)
 }
 /*
- * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the SSL
+ * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the TLS
 * socket.
 */
 static void *if_config(void *arg)
diff --git a/src/io.h b/src/io.h
index d172eea4..f99be27a 100644
--- a/src/io.h
+++ b/src/io.h
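Review bot: The comment rewritten above `static void *if_config(void *arg)` in the last io.c hunk is a verbatim copy of the one above ssl_write ("Thread to pop packets from the 'pty_to_ssl' pool, and write them to the TLS socket."), which cannot describe a function named if_config; since the commit already rewrites that line, it should say what the function actually does rather than carry the copy-paste forward. The body of if_config is outside the hunk, so the replacement must be confirmed against it; if the name is honest, something like `/* Thread that configures the tunnel interface once pppd has brought it up. */` is the likely shape. The identical sentence above ssl_write, one hunk earlier, is where that wording belongs.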
@@ -25,7 +25,7 @@
 #include
 /*
- * For performance reasons, we store the 6-byte header used by the SSL
+ * For performance reasons, we store the 6-byte header used by the TLS
 * communication right in front of the real PPP packet data. This way,
 * SSL_write can be called directly on packet->content, instead of memcpy'ing
 * the header + data to a temporary buffer.
diff --git a/src/main.c b/src/main.c
index 325d50eb..39ef604c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -143,7 +143,7 @@ PPPD_USAGE \
 " authentication with a certificate.\n" \
 " --pem-passphrase= Pass phrase for the PEM-encoded key.\n" \
 " --use-syslog Log to syslog instead of terminal.\n" \
-" --trusted-cert= Trust a given gateway. If classical SSL\n" \
+" --trusted-cert= Trust a given gateway. If classical TLS\n" \
 " certificate validation fails, the gateway\n" \
 " certificate will be matched against this value.\n" \
 " is the X509 certificate's sha256 sum.\n" \
@@ -151,7 +151,7 @@ PPPD_USAGE \
 " several certificates.\n"
 #define help_options_part2 \
-" --insecure-ssl Do not disable insecure SSL protocols/ciphers.\n" \
+" --insecure-ssl Do not disable insecure TLS protocols/ciphers.\n" \
 " Also enable TLS v1.0 if applicable.\n" \
 " If your server requires a specific cipher or protocol,\n" \
 " consider using --cipher-list and/or --min-tls instead.\n" \
diff --git a/src/ssl.h b/src/ssl.h
index 432bd6be..511429fe 100644
--- a/src/ssl.h
+++ b/src/ssl.h
@@ -54,30 +54,38 @@
 #define ERESTART -1
 #endif
-#define ERR_SSL_AGAIN 0
-#define ERR_SSL_CLOSED -1
-#define ERR_SSL_CERT -2
-#define ERR_SSL_EOF -3
-#define ERR_SSL_PROTOCOL -4
-#define ERR_SSL_SEE_ERRNO -5
-#define ERR_SSL_SEE_SSLERR -6
-#define ERR_SSL_UNKNOWN -7
+#define ERR_SSL_AGAIN 0 // deprecated
+#define ERR_TLS_AGAIN 0
+#define ERR_SSL_CLOSED -1 // deprecated
+#define ERR_TLS_CLOSED -1
+#define ERR_SSL_CERT -2 // deprecated
+#define ERR_TLS_CERT -2
+#define ERR_SSL_EOF -3 // deprecated
+#define ERR_TLS_EOF -3
+#define ERR_SSL_PROTOCOL -4 // deprecated
+#define ERR_TLS_PROTOCOL -4
+#define ERR_SSL_SEE_ERRNO -5 // deprecated
+#define ERR_TLS_SEE_ERRNO -5
+#define ERR_SSL_SEE_TLSERR -6 // deprecated
+#define ERR_TLS_SEE_TLSERR -6
+#define ERR_SSL_UNKNOWN -7 // deprecated
+#define ERR_TLS_UNKNOWN -7
 static inline const char *err_ssl_str(int code)
 {
- if (code == ERR_SSL_AGAIN)
+ if (code == ERR_TLS_AGAIN)
 return "Try again";
- else if (code == ERR_SSL_CLOSED)
+ else if (code == ERR_TLS_CLOSED)
 return "Connection closed";
- else if (code == ERR_SSL_CERT)
+ else if (code == ERR_TLS_CERT)
 return "Want X509 lookup";
- else if (code == ERR_SSL_EOF)
+ else if (code == ERR_TLS_EOF)
 return "Protocol violation with EOF";
- else if (code == ERR_SSL_PROTOCOL)
+ else if (code == ERR_TLS_PROTOCOL)
 return "Protocol error";
- else if (code == ERR_SSL_SEE_ERRNO)
+ else if (code == ERR_TLS_SEE_ERRNO)
 return strerror(errno);
- else if (code == ERR_SSL_SEE_SSLERR)
+ else if (code == ERR_TLS_SEE_TLSERR)
 return ERR_reason_error_string(ERR_peek_last_error());
 return "unknown";
 }
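Review bot: The deprecated alias for the old error code is spelled `ERR_SSL_SEE_TLSERR` in the new define block, so the one name that existed before this patch, `ERR_SSL_SEE_SSLERR`, is the only one that is no longer defined — the opposite of the "keeping old definitions" promise in the commit message, and any caller outside this diff still using the old name stops compiling. Replace `#define ERR_SSL_SEE_TLSERR -6 // deprecated` with `#define ERR_SSL_SEE_SSLERR -6 // deprecated`, keeping the ERR_TLS_SEE_TLSERR line as the new name. Note also that a `// deprecated` comment on a macro is invisible to the compiler, so nothing will nudge callers to migrate; a sentence in the header's top comment or the changelog is worth adding.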
@@ -87,37 +95,37 @@ static inline int handle_ssl_error(SSL *ssl, int ret)
 int code;
 if (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN)
- return ERR_SSL_CLOSED;
+ return ERR_TLS_CLOSED;
 code = SSL_get_error(ssl, ret);
 if (code == SSL_ERROR_WANT_READ || code == SSL_ERROR_WANT_WRITE)
- return ERR_SSL_AGAIN; // The caller should try again
+ return ERR_TLS_AGAIN; // The caller should try again
 if (code == SSL_ERROR_ZERO_RETURN)
- return ERR_SSL_CLOSED;
+ return ERR_TLS_CLOSED;
 if (code == SSL_ERROR_WANT_X509_LOOKUP)
- return ERR_SSL_CERT;
+ return ERR_TLS_CERT;
 if (code == SSL_ERROR_SYSCALL) {
 if (ERR_peek_last_error() != 0)
- return ERR_SSL_SEE_SSLERR;
+ return ERR_TLS_SEE_TLSERR;
 if (ret == 0)
- return ERR_SSL_EOF;
+ return ERR_TLS_EOF;
 if (errno == EAGAIN || errno == ERESTART || errno == EINTR)
- return ERR_SSL_AGAIN; // The caller should try again
+ return ERR_TLS_AGAIN; // The caller should try again
 if (errno == EPIPE)
- return ERR_SSL_CLOSED;
- return ERR_SSL_SEE_ERRNO;
+ return ERR_TLS_CLOSED;
+ return ERR_TLS_SEE_ERRNO;
 }
 if (code == SSL_ERROR_SSL)
- return ERR_SSL_PROTOCOL;
- return ERR_SSL_UNKNOWN;
+ return ERR_TLS_PROTOCOL;
+ return ERR_TLS_UNKNOWN;
 }
 /*
- * Reads data from the SSL connection.
+ * Reads data from the TLS connection.
 *
 * @return > 0 in case of success (number of bytes transferred)
- * ERR_SSL_AGAIN if the caller should try again
+ * ERR_TLS_AGAIN if the caller should try again
 * < 0 in case of error
 */
 static inline int safe_ssl_read(SSL *ssl, uint8_t *buf, int bufsize)
@@ -145,7 +153,7 @@ static inline int safe_ssl_read_all(SSL *ssl, uint8_t *buf, int bufsize)
 int ret;
 ret = safe_ssl_read(ssl, &buf[n], bufsize - n);
- if (ret == ERR_SSL_AGAIN)
+ if (ret == ERR_TLS_AGAIN)
 continue;
 else if (ret < 0)
 return ret;
@@ -162,7 +170,7 @@ static inline int safe_ssl_read_all(SSL *ssl, uint8_t *buf, int bufsize)
 * has been written.
 *
 * @return > 0 in case of success (number of bytes transferred)
- * ERR_SSL_AGAIN if the caller should try again
+ * ERR_TLS_AGAIN if the caller should try again
 * < 0 in case of error
 */
 static inline int safe_ssl_write(SSL *ssl, const uint8_t *buf, int n)
diff --git a/src/tunnel.c b/src/tunnel.c
index 5d42e42d..64a6ceb1 100644
--- a/src/tunnel.c
+++ b/src/tunnel.c
@@ -385,7 +385,7 @@ static int pppd_run(struct tunnel *tunnel)
 #endif
 if (close(tunnel->ssl_socket))
- log_warn("Could not close ssl socket (%s).\n", strerror(errno));
+ log_warn("Could not close TLS socket (%s).\n", strerror(errno));
 tunnel->ssl_socket = -1;
 execv(pppd_args.data[0], (char *const *)pppd_args.data);
 free(pppd_args.data);
@@ -997,7 +997,7 @@ static int ssl_verify_cert(struct tunnel *tunnel)
 }
 /*
- * Destroy and free the SSL connection to the gateway.
+ * Destroy and free the TLS connection to the gateway.
 */
 static void ssl_disconnect(struct tunnel *tunnel)
 {
@@ -1012,7 +1012,7 @@ static void ssl_disconnect(struct tunnel *tunnel)
 tunnel->ssl_context = NULL;
 if (close(tunnel->ssl_socket))
- log_warn("Could not close ssl socket (%s).\n", strerror(errno));
+ log_warn("Could not close TLS socket (%s).\n", strerror(errno));
 tunnel->ssl_socket = -1;
 }
@@ -1052,7 +1052,7 @@ static int pem_passphrase_cb(char *buf, int size, int rwflag, void *u)
 }
 /*
- * Connects to the gateway and initiate an SSL session.
+ * Connects to the gateway and initiate a TLS session.
 */
 int ssl_connect(struct tunnel *tunnel)
 {
@@ -1295,7 +1295,7 @@ int ssl_connect(struct tunnel *tunnel)
 tunnel->ssl_context = NULL;
 err_ssl_socket:
 if (close(tunnel->ssl_socket))
- log_warn("Could not close ssl socket (%s).\n", strerror(errno));
+ log_warn("Could not close TLS socket (%s).\n", strerror(errno));
 tunnel->ssl_socket = -1;
 err_tcp_connect:
 return 1;
@@ -1323,8 +1323,8 @@ int run_tunnel(struct vpn_config *config)
 if (ret)
 goto err_tunnel;
- // Step 1: open a SSL connection to the gateway
- log_debug("Establishing ssl connection\n");
+ // Step 1: open a TLS connection to the gateway
+ log_debug("Establishing TLS connection\n");
 ret = ssl_connect(&tunnel);
 if (ret)
 goto err_tunnel;