From abff429c439b6f6c664f94c7a36f6cbef28595c9 Mon Sep 17 00:00:00 2001 From: Dimitri Papadopoulos <3234522+DimitriPapadopoulos@users.noreply.github.com> Date: Mon, 6 Nov 2023 11:23:28 +0100 Subject: [PATCH] =?UTF-8?q?SSL=20=E2=86=92=20TLS?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * I have changed most user-visible strings, documentation, and code comments. * I have also changed macro constants, keeping old definitions and marking them as deprecated. * I have not changed function and variable names, because that would break compatibility. The most debatable change might be: openfortivpn - Client for PPP+TLS VPN tunnel services instead of: openfortivpn - Client for PPP+SSL VPN tunnel services Indeed, "SSL VPN" remains much more used than "TLS VPN". --- .github/workflows/coverity-scan.yml | 2 +- CHANGELOG.md | 4 +- README.md | 2 +- doc/openfortivpn.1.in | 6 +-- src/http.c | 12 ++--- src/http.h | 7 +-- src/io.c | 14 +++--- src/io.h | 2 +- src/main.c | 6 +-- src/ssl.h | 72 ++++++++++++++++------------- src/tunnel.c | 14 +++--- 11 files changed, 75 insertions(+), 66 deletions(-) diff --git a/.github/workflows/coverity-scan.yml b/.github/workflows/coverity-scan.yml index a9aacd7c..d7e63fac 100644 --- a/.github/workflows/coverity-scan.yml +++ b/.github/workflows/coverity-scan.yml @@ -37,7 +37,7 @@ jobs: --form email=DimitriPapadopoulos@users.noreply.github.com \ --form file=@openfortivpn.xz \ --form version=coverity_scan \ - --form description="Client for PPP+SSL VPN tunnel services" \ + --form description="Client for PPP+TLS VPN tunnel services" \ https://scan.coverity.com/builds?project=adrienverge%2Fopenfortivpn env: TOKEN: ${{ secrets.COVERITY_SCAN_TOKEN }} diff --git a/CHANGELOG.md b/CHANGELOG.md index 6798ab62..944cd1bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -98,7 +98,7 @@ On the master branch there may be changes that are not (yet) described here. * [-] improve tunnel speed on macOS * [-] modify memory allocation in the tunnel configuration structure * [+] openfortivpn returns the PPP exit status -* [+] print SSL socket options in log +* [+] print TLS socket options in log ### 1.15.0 @@ -362,7 +362,7 @@ On the master branch there may be changes that are not (yet) described here. * [+] Export the configuration of routes and gateway to environment * [~] Several improvements around establishing the tunnel connection and http traffic * [+] Allow using a custom CA -* [-] Turn on SSL verification, check the hostname at least for the CN +* [-] Turn on TLS verification, check the hostname at least for the CN * [+] Add --plugin option * [-] Fix a format string warning in do_log_packet * [~] Improved debugging output diff --git a/README.md b/README.md index 2fdc5584..53b5fb4f 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ openfortivpn ============ -openfortivpn is a client for PPP+SSL VPN tunnel services. +openfortivpn is a client for PPP+TLS VPN tunnel services. It spawns a pppd process and operates the communication between the gateway and this process. diff --git a/doc/openfortivpn.1.in b/doc/openfortivpn.1.in index f8ca9495..62e2ad1d 100644 --- a/doc/openfortivpn.1.in +++ b/doc/openfortivpn.1.in @@ -1,7 +1,7 @@ .TH OPENFORTIVPN 1 "May 4, 2020" "" .SH NAME -openfortivpn \- Client for PPP+SSL VPN tunnel services +openfortivpn \- Client for PPP+TLS VPN tunnel services .SH SYNOPSIS .B openfortivpn @@ -167,13 +167,13 @@ Pass phrase for the PEM-encoded key. Log to syslog instead of terminal. .TP \fB\-\-trusted\-cert=\fI\fR -Trust a given gateway. If classical SSL certificate validation fails, the +Trust a given gateway. If classical TLS certificate validation fails, the gateway certificate will be matched against this value. \fI\fR is the X509 certificate's sha256 sum. The certificate has to be encoded in DER form. This option can be used multiple times to trust several certificates. .TP \fB\-\-insecure\-ssl\fR -Do not disable insecure SSL protocols/ciphers. +Do not disable insecure TLS protocols/ciphers. If your server requires a specific cipher, consider using \fB\-\-cipher\-list\fR instead. .TP diff --git a/src/http.c b/src/http.c index 856df670..e796ef77 100644 --- a/src/http.c +++ b/src/http.c @@ -112,9 +112,9 @@ int http_send(struct tunnel *tunnel, const char *request, ...) n = safe_ssl_write(tunnel->ssl_handle, (uint8_t *) buffer, length); if (n < 0) { - log_debug("Error writing to SSL connection (%s).\n", + log_debug("Error writing to TLS connection (%s).\n", err_ssl_str(n)); - return ERR_HTTP_SSL; + return ERR_HTTP_TLS; } return 1; @@ -169,13 +169,13 @@ int http_receive(struct tunnel *tunnel, while ((n = safe_ssl_read(tunnel->ssl_handle, (uint8_t *) buffer + bytes_read, - capacity - bytes_read)) == ERR_SSL_AGAIN) + capacity - bytes_read)) == ERR_TLS_AGAIN) ; if (n < 0) { - log_debug("Error reading from SSL connection (%s).\n", + log_debug("Error reading from TLS connection (%s).\n", err_ssl_str(n)); free(buffer); - return ERR_HTTP_SSL; + return ERR_HTTP_TLS; } bytes_read += n; @@ -315,7 +315,7 @@ static int http_request(struct tunnel *tunnel, const char *method, ret = do_http_request(tunnel, method, uri, data, response, response_size); - if (ret == ERR_HTTP_SSL) { + if (ret == ERR_HTTP_TLS) { ssl_connect(tunnel); ret = do_http_request(tunnel, method, uri, data, response, response_size); diff --git a/src/http.h b/src/http.h index 23df6636..a4a07e1b 100644 --- a/src/http.h +++ b/src/http.h @@ -25,7 +25,8 @@ #define ERR_HTTP_INVALID -1 #define ERR_HTTP_TOO_LONG -2 #define ERR_HTTP_NO_MEM -3 -#define ERR_HTTP_SSL -4 +#define ERR_HTTP_SSL -4 // deprecated +#define ERR_HTTP_TLS -4 #define ERR_HTTP_BAD_RES_CODE -5 #define ERR_HTTP_PERMISSION -6 #define ERR_HTTP_NO_COOKIE -7 @@ -40,8 +41,8 @@ static inline const char *err_http_str(int code) return "Request too long"; else if (code == ERR_HTTP_NO_MEM) return "Not enough memory"; - else if (code == ERR_HTTP_SSL) - return "SSL error"; + else if (code == ERR_HTTP_TLS) + return "TLS error"; else if (code == ERR_HTTP_BAD_RES_CODE) return "Bad HTTP response code"; else if (code == ERR_HTTP_PERMISSION) diff --git a/src/io.c b/src/io.c index e9876f0f..d5118ae0 100644 --- a/src/io.c +++ b/src/io.c @@ -427,7 +427,7 @@ static void debug_bad_packet(struct tunnel *tunnel, uint8_t *header) } /* - * Thread to read bytes from the SSL socket, convert them to ppp packets and add + * Thread to read bytes from the TLS socket, convert them to ppp packets and add * them to the 'ssl_to_pty' pool. */ static void *ssl_read(void *arg) @@ -446,14 +446,14 @@ static void *ssl_read(void *arg) ret = safe_ssl_read_all(tunnel->ssl_handle, header, 6); if (ret < 0) { - log_debug("Error reading from SSL connection (%s).\n", + log_debug("Error reading from TLS connection (%s).\n", err_ssl_str(ret)); break; } if (memcmp(header, http_header, 6) == 0) { /* - * When the SSL-VPN portal has not been set up to allow + * When the TLS-VPN portal has not been set up to allow * tunnel mode for VPN clients, while it allows web mode * for web browsers, it returns an HTTP error instead of * a PPP packet: @@ -483,7 +483,7 @@ static void *ssl_read(void *arg) ret = safe_ssl_read_all(tunnel->ssl_handle, pkt_data(packet), size); if (ret < 0) { - log_debug("Error reading from SSL connection (%s).\n", + log_debug("Error reading from TLS connection (%s).\n", err_ssl_str(ret)); free(packet); break; @@ -525,7 +525,7 @@ static void *ssl_read(void *arg) } /* - * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the SSL + * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the TLS * socket. */ static void *ssl_write(void *arg) @@ -553,7 +553,7 @@ static void *ssl_write(void *arg) packet->content, 6 + packet->len); } while (ret == 0); if (ret < 0) { - log_debug("Error writing to SSL connection (%s).\n", + log_debug("Error writing to TLS connection (%s).\n", err_ssl_str(ret)); free(packet); break; @@ -567,7 +567,7 @@ static void *ssl_write(void *arg) } /* - * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the SSL + * Thread to pop packets from the 'pty_to_ssl' pool, and write them to the TLS * socket. */ static void *if_config(void *arg) diff --git a/src/io.h b/src/io.h index d172eea4..f99be27a 100644 --- a/src/io.h +++ b/src/io.h @@ -25,7 +25,7 @@ #include /* - * For performance reasons, we store the 6-byte header used by the SSL + * For performance reasons, we store the 6-byte header used by the TLS * communication right in front of the real PPP packet data. This way, * SSL_write can be called directly on packet->content, instead of memcpy'ing * the header + data to a temporary buffer. diff --git a/src/main.c b/src/main.c index 325d50eb..34fa2255 100644 --- a/src/main.c +++ b/src/main.c @@ -92,7 +92,7 @@ PPPD_USAGE \ "\n" #define summary \ -"Client for PPP+SSL VPN tunnel services.\n" \ +"Client for PPP+TLS VPN tunnel services.\n" \ "openfortivpn connects to a VPN by setting up a tunnel to the gateway at\n" \ ":. It spawns a pppd process and operates the communication between\n" \ "the gateway and this process.\n" \ @@ -143,7 +143,7 @@ PPPD_USAGE \ " authentication with a certificate.\n" \ " --pem-passphrase= Pass phrase for the PEM-encoded key.\n" \ " --use-syslog Log to syslog instead of terminal.\n" \ -" --trusted-cert= Trust a given gateway. If classical SSL\n" \ +" --trusted-cert= Trust a given gateway. If classical TLS\n" \ " certificate validation fails, the gateway\n" \ " certificate will be matched against this value.\n" \ " is the X509 certificate's sha256 sum.\n" \ @@ -151,7 +151,7 @@ PPPD_USAGE \ " several certificates.\n" #define help_options_part2 \ -" --insecure-ssl Do not disable insecure SSL protocols/ciphers.\n" \ +" --insecure-ssl Do not disable insecure TLS protocols/ciphers.\n" \ " Also enable TLS v1.0 if applicable.\n" \ " If your server requires a specific cipher or protocol,\n" \ " consider using --cipher-list and/or --min-tls instead.\n" \ diff --git a/src/ssl.h b/src/ssl.h index 432bd6be..0f9b834c 100644 --- a/src/ssl.h +++ b/src/ssl.h @@ -54,30 +54,38 @@ #define ERESTART -1 #endif -#define ERR_SSL_AGAIN 0 -#define ERR_SSL_CLOSED -1 -#define ERR_SSL_CERT -2 -#define ERR_SSL_EOF -3 -#define ERR_SSL_PROTOCOL -4 -#define ERR_SSL_SEE_ERRNO -5 -#define ERR_SSL_SEE_SSLERR -6 -#define ERR_SSL_UNKNOWN -7 +#define ERR_SSL_AGAIN 0 // deprecated +#define ERR_TLS_AGAIN 0 +#define ERR_SSL_CLOSED -1 // deprecated +#define ERR_TLS_CLOSED -1 +#define ERR_SSL_CERT -2 // deprecated +#define ERR_TLS_CERT -2 +#define ERR_SSL_EOF -3 // deprecated +#define ERR_TLS_EOF -3 +#define ERR_SSL_PROTOCOL -4 // deprecated +#define ERR_TLS_PROTOCOL -4 +#define ERR_SSL_SEE_ERRNO -5 // deprecated +#define ERR_TLS_SEE_ERRNO -5 +#define ERR_SSL_SEE_TLSERR -6 // deprecated +#define ERR_TLS_SEE_TLSERR -6 +#define ERR_SSL_UNKNOWN -7 // deprecated +#define ERR_TLS_UNKNOWN -7 static inline const char *err_ssl_str(int code) { - if (code == ERR_SSL_AGAIN) + if (code == ERR_TLS_AGAIN) return "Try again"; - else if (code == ERR_SSL_CLOSED) + else if (code == ERR_TLS_CLOSED) return "Connection closed"; - else if (code == ERR_SSL_CERT) + else if (code == ERR_TLS_CERT) return "Want X509 lookup"; - else if (code == ERR_SSL_EOF) + else if (code == ERR_TLS_EOF) return "Protocol violation with EOF"; - else if (code == ERR_SSL_PROTOCOL) + else if (code == ERR_TLS_PROTOCOL) return "Protocol error"; - else if (code == ERR_SSL_SEE_ERRNO) + else if (code == ERR_TLS_SEE_ERRNO) return strerror(errno); - else if (code == ERR_SSL_SEE_SSLERR) + else if (code == ERR_TLS_SEE_TLSERR) return ERR_reason_error_string(ERR_peek_last_error()); return "unknown"; } @@ -87,37 +95,37 @@ static inline int handle_ssl_error(SSL *ssl, int ret) int code; if (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) - return ERR_SSL_CLOSED; + return ERR_TLS_CLOSED; code = SSL_get_error(ssl, ret); if (code == SSL_ERROR_WANT_READ || code == SSL_ERROR_WANT_WRITE) - return ERR_SSL_AGAIN; // The caller should try again + return ERR_TLS_AGAIN; // The caller should try again if (code == SSL_ERROR_ZERO_RETURN) - return ERR_SSL_CLOSED; + return ERR_TLS_CLOSED; if (code == SSL_ERROR_WANT_X509_LOOKUP) - return ERR_SSL_CERT; + return ERR_TLS_CERT; if (code == SSL_ERROR_SYSCALL) { if (ERR_peek_last_error() != 0) - return ERR_SSL_SEE_SSLERR; + return ERR_TLS_SEE_TLSERR; if (ret == 0) - return ERR_SSL_EOF; + return ERR_TLS_EOF; if (errno == EAGAIN || errno == ERESTART || errno == EINTR) - return ERR_SSL_AGAIN; // The caller should try again + return ERR_TLS_AGAIN; // The caller should try again if (errno == EPIPE) - return ERR_SSL_CLOSED; - return ERR_SSL_SEE_ERRNO; + return ERR_TLS_CLOSED; + return ERR_TLS_SEE_ERRNO; } if (code == SSL_ERROR_SSL) - return ERR_SSL_PROTOCOL; - return ERR_SSL_UNKNOWN; + return ERR_TLS_PROTOCOL; + return ERR_TLS_UNKNOWN; } /* - * Reads data from the SSL connection. + * Reads data from the TLS connection. * * @return > 0 in case of success (number of bytes transferred) - * ERR_SSL_AGAIN if the caller should try again + * ERR_TLS_AGAIN if the caller should try again * < 0 in case of error */ static inline int safe_ssl_read(SSL *ssl, uint8_t *buf, int bufsize) @@ -132,7 +140,7 @@ static inline int safe_ssl_read(SSL *ssl, uint8_t *buf, int bufsize) } /* - * Reads all data from the SSL connection. + * Reads all data from the TLS connection. * * @return 1 in case of success * < 0 in case of error @@ -145,7 +153,7 @@ static inline int safe_ssl_read_all(SSL *ssl, uint8_t *buf, int bufsize) int ret; ret = safe_ssl_read(ssl, &buf[n], bufsize - n); - if (ret == ERR_SSL_AGAIN) + if (ret == ERR_TLS_AGAIN) continue; else if (ret < 0) return ret; @@ -155,14 +163,14 @@ static inline int safe_ssl_read_all(SSL *ssl, uint8_t *buf, int bufsize) } /* - * Writes data to the SSL connection. + * Writes data to the TLS connection. * * Since SSL_MODE_ENABLE_PARTIAL_WRITE is not set by default (see man * SSL_get_mode), SSL_write() will only report success once the complete chunk * has been written. * * @return > 0 in case of success (number of bytes transferred) - * ERR_SSL_AGAIN if the caller should try again + * ERR_TLS_AGAIN if the caller should try again * < 0 in case of error */ static inline int safe_ssl_write(SSL *ssl, const uint8_t *buf, int n) diff --git a/src/tunnel.c b/src/tunnel.c index 5d42e42d..64a6ceb1 100644 --- a/src/tunnel.c +++ b/src/tunnel.c @@ -385,7 +385,7 @@ static int pppd_run(struct tunnel *tunnel) #endif if (close(tunnel->ssl_socket)) - log_warn("Could not close ssl socket (%s).\n", strerror(errno)); + log_warn("Could not close TLS socket (%s).\n", strerror(errno)); tunnel->ssl_socket = -1; execv(pppd_args.data[0], (char *const *)pppd_args.data); free(pppd_args.data); @@ -997,7 +997,7 @@ static int ssl_verify_cert(struct tunnel *tunnel) } /* - * Destroy and free the SSL connection to the gateway. + * Destroy and free the TLS connection to the gateway. */ static void ssl_disconnect(struct tunnel *tunnel) { @@ -1012,7 +1012,7 @@ static void ssl_disconnect(struct tunnel *tunnel) tunnel->ssl_context = NULL; if (close(tunnel->ssl_socket)) - log_warn("Could not close ssl socket (%s).\n", strerror(errno)); + log_warn("Could not close TLS socket (%s).\n", strerror(errno)); tunnel->ssl_socket = -1; } @@ -1052,7 +1052,7 @@ static int pem_passphrase_cb(char *buf, int size, int rwflag, void *u) } /* - * Connects to the gateway and initiate an SSL session. + * Connects to the gateway and initiate a TLS session. */ int ssl_connect(struct tunnel *tunnel) { @@ -1295,7 +1295,7 @@ int ssl_connect(struct tunnel *tunnel) tunnel->ssl_context = NULL; err_ssl_socket: if (close(tunnel->ssl_socket)) - log_warn("Could not close ssl socket (%s).\n", strerror(errno)); + log_warn("Could not close TLS socket (%s).\n", strerror(errno)); tunnel->ssl_socket = -1; err_tcp_connect: return 1; @@ -1323,8 +1323,8 @@ int run_tunnel(struct vpn_config *config) if (ret) goto err_tunnel; - // Step 1: open a SSL connection to the gateway - log_debug("Establishing ssl connection\n"); + // Step 1: open a TLS connection to the gateway + log_debug("Establishing TLS connection\n"); ret = ssl_connect(&tunnel); if (ret) goto err_tunnel;