115
edits
Changes
Jump to navigation
Jump to search
Line 9:
Line 9: − + − + − + − + − + − + − + − + − + − + + − + − | This writes an output u32 to cmdreply[2](created context handle). + − + − | (u32 handle for a context) This is used for destroying a context created by command 0x00080000. − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + − + Line 178:
Line 178: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 185:
Line 233: − + + + + + + + + + + + + + + + + + + +
→SSL service "ssl:C"
|-
|-
| 0x00010002
| 0x00010002
|
| [[1.0.0-0]]
|
| Basically main-only
| (<value-0x20 kernel PID header>) Initialize
| [[SSLC:Initialize|Initialize]]
|-
|-
| 0x000200C2
| 0x000200C2
|
| [[1.0.0-0]]
|
|
| [[SSLC:CreateContext|CreateContext]]
| [[SSLC:CreateContext|CreateContext]]
|-
|-
| 0x00030000
| 0x00030000
|
| [[1.0.0-0]]
|
|
| [[SSLC:CreateRootCertChain|CreateRootCertChain]]
| [[SSLC:CreateRootCertChain|CreateRootCertChain]]
|-
|-
| 0x00040040
| 0x00040040
|
| [[1.0.0-0]]
|
|
| [[SSLC:DestroyRootCertChain|DestroyRootCertChain]]
| [[SSLC:DestroyRootCertChain|DestroyRootCertChain]]
|-
|-
| 0x00050082
| 0x00050082
|
| [[1.0.0-0]]
| Main-only
| Main-only
| [[SSLC:AddTrustedRootCA|AddTrustedRootCA]]
| [[SSLC:AddTrustedRootCA|AddTrustedRootCA]]
|-
|-
| 0x00060080
| 0x00060080
|
| [[1.0.0-0]]
| Main-only
| Main-only
| [[SSLC:RootCertChainAddDefaultCert|RootCertChainAddDefaultCert]]
| [[SSLC:RootCertChainAddDefaultCert|RootCertChainAddDefaultCert]]
|-
|-
| 0x00070080
| 0x00070080
|
| [[1.0.0-0]]
| Main-only
| Main-only
| (u32 RootCertChain_contexthandle, u32 inval)
| [[SSLC:RootCertChainRemoveCert|RootCertChainRemoveCert]]
|-
|-
| 0x00080000
| 0x00080000
| [[1.0.0-0]]
|
|
|
| CreateCrlStore. This writes an output u32 to cmdreply[2](created context handle).
|-
|-
| 0x00090040
| 0x00090040
| [[1.0.0-0]]
|
|
|
| DestroyCrlStore(u32 contexthandle)
|-
|-
| 0x000A0082
| 0x000A0082
|
| [[1.0.0-0]]
|
| Main-only
| (u32 contexthandle, u32 size, ((Size<<4) <nowiki>|</nowiki> 10), inbufptr) Writes an output u32 to cmdreply[2]. This uses a context created by command 0x00080000.
| AddCrlToCrlStore(u32 contexthandle, u32 size, ((Size<<4) <nowiki>|</nowiki> 10), inbufptr)
|-
|-
| 0x000B0080
| 0x000B0080
|
| [[1.0.0-0]]
|
| Main-only
| (u32 contexthandle, u8 inval2) Writes an output u32 to cmdreply[2]. This uses a context created by command 0x00080000.
| AddInternalCrlToCrlStore(u32 contexthandle, u8 inval2)
|-
|-
| 0x000C0080
| 0x000C0080
|
| [[1.0.0-0]]
|
| Main-only
| (u32 contexthandle, u32 inval) This uses a context created by command 0x00080000.
| RemoveCrlFromCrlStore(u32 contexthandle, u32 certcontexthandle) This removes the specified cert from the context.
|-
|-
| 0x000D0084
| 0x000D0084
|
| [[1.0.0-0]]
|
| Main-only
| (u32 size0, u32 size1, ((Size0<<4) <nowiki>|</nowiki> 10), inbufptr0, ((Size1<<4) <nowiki>|</nowiki> 10), inbufptr1) Writes an output u32 to cmdreply[2](created context handle). This is the same type of context created by command 0x000E0040.
| [[SSLC:OpenClientCertContext|OpenClientCertContext]]
|-
|-
| 0x000E0040
| 0x000E0040
|
| [[1.0.0-0]]
|
| Main-only
| (u8 inval) Writes an output u32 to cmdreply[2](created context handle).
| [[SSLC:OpenDefaultClientCertContext|OpenDefaultClientCertContext]]
|-
|-
| 0x000F0040
| 0x000F0040
|
| [[1.0.0-0]]
|
| Main-only
| (u32 handle for a context) This is used for destroying a context created by command 0x000E0040.
| [[SSLC:CloseClientCertContext|CloseClientCertContext]]
|-
|-
| 0x00100000
| 0x00100000
|
| [[1.0.0-0]]
|
| All
| ?
| [[SSLC:SeedRNG|SeedRNG]]
|-
|-
| 0x00110042
| 0x00110042
|
| [[1.0.0-0]]
|
| All
| [[SSLC:GenerateRandomData|GenerateRandomData]]
| [[SSLC:GenerateRandomData|GenerateRandomData]]
|-
|-
| 0x00120042
| 0x00120042
|
| [[1.0.0-0]]
|
|
| [[SSLC:InitializeConnectionSession|InitializeConnectionSession]]
| [[SSLC:InitializeConnectionSession|InitializeConnectionSession]]
|-
|-
| 0x00130040
| 0x00130040
|
| [[1.0.0-0]]
|
| Context-only
| (u32 [[SSLC:CreateContext|contexthandle]]) Presumably used to start the actual TLS connection(not tested).
| [[SSLC:StartConnection|StartConnection]]
|-
|-
| 0x00140040
| 0x00140040
|
| [[1.0.0-0]]
|
| Context-only
| (u32 inval) Writes two u32s to cmdreply[2] and cmdreply[3].
| [[SSLC:StartConnectionGetOut|StartConnectionGetOut]]
|-
|-
| 0x00150082
| 0x00150082
|
| [[1.0.0-0]]
| Context-only
| Context-only
| [[SSLC:Read|Read]]
| [[SSLC:Read|Read]]
|-
|-
| 0x00160082
| 0x00160082
|
| [[1.0.0-0]]
|
| Context-only
| (u32 inval, u32 size, ((Size<<4) <nowiki>|</nowiki> 12), outbufptr) Writes an output u32 to cmdreply[2].
| [[SSLC:ReadPeek|ReadPeek]]
|-
|-
| 0x00170082
| 0x00170082
|
| [[1.0.0-0]]
|
|
| [[SSLC:Write|Write]]
| [[SSLC:Write|Write]]
|-
|-
| 0x00180080
| 0x00180080
|
| [[1.0.0-0]]
|
|
| [[SSLC:ContextSetRootCertChain|ContextSetRootCertChain]]
| [[SSLC:ContextSetRootCertChain|ContextSetRootCertChain]]
|-
|-
| 0x00190080
| 0x00190080
|
| [[1.0.0-0]]
| Context-only
| Context-only
| (u32 [[SSLC:CreateContext|contexthandle]], u32 handle) This writes the specified handle into the context state, this handle is the type of context from command 0x000E0040.
| [[SSLC:ContextSetClientCert|ContextSetClientCert]]
|-
|-
| 0x001A0080
| 0x001A0080
|
| [[1.0.0-0]]
|
| Context-only
| (u32 [[SSLC:CreateContext|contexthandle]], u32 inval)
| SetCrlStore(u32 [[SSLC:CreateContext|contexthandle]], u32 handle) This writes a context handle created by command 0x00080000 into the session context.
|-
|-
| 0x001B0080
| 0x001B0080
|
| [[1.0.0-0]]
|
| Context-only
| (u32 [[SSLC:CreateContext|contexthandle]], u32 inval)
| [[SSLC:ContextClearOpt|ContextClearOpt]]
|-
|-
| 0x001C00C4
| 0x001C00C4
|
| [[1.0.0-0]]
|
| Context-only
| (u32 inval, u32 size0, u32 size1, ((Size0<<4) <nowiki>|</nowiki> 12), outbufptr0, ((Size1<<4) <nowiki>|</nowiki> 12), outbufptr1)
| [[SSLC:ContextGetProtocolCipher|ContextGetProtocolCipher]]
|-
|-
| 0x001D0040
| 0x001D0040
|
| [[1.0.0-0]]
|
| Context-only
| (u32 inval) Writes an output u32 to cmdreply[2].
| GetCertVerificationErrors(u32 [[SSLC:CreateContext|contexthandle]]) Writes an output u32 from the context state to cmdreply[2].
|-
|-
| 0x001E0040
| 0x001E0040
|
| [[1.0.0-0]]
|
| All
| [[SSLC:DestroyContext|DestroyContext]]
| [[SSLC:DestroyContext|DestroyContext]]
|-
|-
| 0x001F0082
| 0x001F0082
|
| [[1.0.0-0]]
| Context-only
| Context-only
| [[SSLC:ContextInitSharedmem|ContextInitSharedmem]]
| [[SSLC:ContextInitSharedmem|ContextInitSharedmem]]
|-
|-
| 0x00200082
| 0x00200082
|
| [[1.0.0-0]]
| Context-only
| Context-only
| ([[SSLC:CreateContext|contexthandle]], u32 size, ((Size<<4) <nowiki>|</nowiki> 10), inbufptr) Inbuf seems to be a cert?
| AddEVPolicyID([[SSLC:CreateContext|contexthandle]], u32 size, ((Size<<4) <nowiki>|</nowiki> 10), inbufptr) The input buffer is handled as a string.
|}
|}
Among commands 0x00180080..0x001B0080 none of them are completely mandatory. However, with the default settings at bare minimum a RootCertChain needs selected otherwise an untrusted-RootCA error will trigger eventually.
Among commands 0x00180080..0x001B0080 none of them are completely mandatory. However, with the default settings at bare minimum a RootCertChain needs selected otherwise an untrusted-RootCA error will trigger eventually.
It's unknown whether TLS server->client connections are supported.
The highest supported TLS protocol version is v1.1(this is the version used by default).
=Commands 0x00080000..0x000C0080=
These appear to be basically the same as the RootCertChain 0x00030000..0x00070080 commands, except with a different context. The equivalent of RootCertChainAddDefaultCert in this set(0x000B0080) is not usable however.
It's unknown what this context is actually used for. Trying to use this seems to have no affect on the TLS connection at all, it seems like the cert isn't even parsed.
=Cert verification=
The server TLS cert not-before/not-after timestamps are not validated using the system-date which can be set via [[System Settings]](it's possible these timestamps are not validated at all).
=SSLOpt=
{| class="wikitable" border="1"
|-
! Flag (BIT)
! Description
|-
| 0x000 (??)
| Don't verify certificate at all
|-
| 0x001 (00)
| Verify Common Name (CN)
|-
| 0x002 (01)
| Verify RootCA
|-
| 0x004 (02)
| Verify date
|-
| 0x008 (03)
| Verify cert chain
|-
| 0x010 (04)
| Verify "subject alt name" (required for multi-address certificates)
|-
| 0x020 (05)
| Verify cert EV
|-
| 0x200 (09)
| Makes certification validation always succeed
|-
| 0x800 (11)
| Disable use of TLSv1.1 (hence fallback to TLSv1.0)
|}
This is the options field initialized during [[SSLC:CreateContext]], and cleared via [[SSLC:ContextClearOpt]]. When the context is initially created, the options field initially has bitmask 0x1B set(besides the additional bits specified via [[SSLC:CreateContext]]).
= Error codes =
= Error codes =
! Description
! Description
|-
|-
| 0xd8a0b836
| 0xD8A0B801
| Generic error, it means "this is not an SSL connection"
|-
| 0xD840B802
| EWOULDBLOCK while trying to read
|-
| 0xD840B803
| EWOULDBLOCK while trying to write
|-
| 0xD8A0B805
| Syscall error, usually means there's no more data to be read because connection is closed
|-
| 0xD8A0B806
| End-of-stream reached, there is no more data to be read
|-
| 0xD8A0B814
| Server cert verification failed since the RootCA isn't trusted.
|-
| 0xD8A0B836
| The specified RootCertChain handle was not found in the linked-list.
| The specified RootCertChain handle was not found in the linked-list.
|}
|}