Difference between revisions of "SSL Services"

From 3dbrew
Jump to navigation Jump to search
(Added new error code indicating EWOULDBLOCK when calling sslcStartConnection())
 
(55 intermediate revisions by 3 users not shown)
Line 5: Line 5:
 
!  Command Header
 
!  Command Header
 
!  Available since system-version
 
!  Available since system-version
 +
!  Available from service-sessions
 
!  Description
 
!  Description
 
|-
 
|-
 
| 0x00010002
 
| 0x00010002
|  
+
| [[1.0.0-0]]
| (<value-0x20 kernel PID header>) Initialize
+
| Basically main-only
 +
| [[SSLC:Initialize|Initialize]]
 
|-
 
|-
 
| 0x000200C2
 
| 0x000200C2
 +
| [[1.0.0-0]]
 
|  
 
|  
 
| [[SSLC:CreateContext|CreateContext]]
 
| [[SSLC:CreateContext|CreateContext]]
 
|-
 
|-
 
| 0x00030000
 
| 0x00030000
 +
| [[1.0.0-0]]
 
|  
 
|  
 
| [[SSLC:CreateRootCertChain|CreateRootCertChain]]
 
| [[SSLC:CreateRootCertChain|CreateRootCertChain]]
 
|-
 
|-
 
| 0x00040040
 
| 0x00040040
 +
| [[1.0.0-0]]
 
|  
 
|  
 
| [[SSLC:DestroyRootCertChain|DestroyRootCertChain]]
 
| [[SSLC:DestroyRootCertChain|DestroyRootCertChain]]
 
|-
 
|-
 
| 0x00050082
 
| 0x00050082
|  
+
| [[1.0.0-0]]
 +
| Main-only
 
| [[SSLC:AddTrustedRootCA|AddTrustedRootCA]]
 
| [[SSLC:AddTrustedRootCA|AddTrustedRootCA]]
 
|-
 
|-
 
| 0x00060080
 
| 0x00060080
|  
+
| [[1.0.0-0]]
 +
| Main-only
 
| [[SSLC:RootCertChainAddDefaultCert|RootCertChainAddDefaultCert]]
 
| [[SSLC:RootCertChainAddDefaultCert|RootCertChainAddDefaultCert]]
 
|-
 
|-
 
| 0x00070080
 
| 0x00070080
|  
+
| [[1.0.0-0]]
| (u32 RootCertChain_contexthandle, u32 inval)
+
| Main-only
 +
| [[SSLC:RootCertChainRemoveCert|RootCertChainRemoveCert]]
 
|-
 
|-
 
| 0x00080000
 
| 0x00080000
 +
| [[1.0.0-0]]
 
|  
 
|  
| This writes an output u32 to cmdreply[2](created context handle).
+
| CreateCrlStore. This writes an output u32 to cmdreply[2](created context handle).
 
|-
 
|-
 
| 0x00090040
 
| 0x00090040
 +
| [[1.0.0-0]]
 
|  
 
|  
| (u32 handle for a context) This is used for destroying a context created by command 0x00080000.
+
| DestroyCrlStore(u32 contexthandle)
 
|-
 
|-
 
| 0x000A0082
 
| 0x000A0082
|  
+
| [[1.0.0-0]]
| (u32 inval, u32 size, ((Size<<4)  <nowiki>|</nowiki> 10), inbufptr) Writes an output u32 to cmdreply[2].
+
| Main-only
 +
| AddCrlToCrlStore(u32 contexthandle, u32 size, ((Size<<4)  <nowiki>|</nowiki> 10), inbufptr)
 
|-
 
|-
 
| 0x000B0080
 
| 0x000B0080
|  
+
| [[1.0.0-0]]
| (u32 inval, u8 inval2) Writes an output u32 to cmdreply[2].
+
| Main-only
 +
| AddInternalCrlToCrlStore(u32 contexthandle, u8 inval2)
 
|-
 
|-
 
| 0x000C0080
 
| 0x000C0080
|  
+
| [[1.0.0-0]]
| (u32 inval, u32 inval2)
+
| Main-only
 +
| RemoveCrlFromCrlStore(u32 contexthandle, u32 certcontexthandle) This removes the specified cert from the context.
 
|-
 
|-
 
| 0x000D0084
 
| 0x000D0084
|  
+
| [[1.0.0-0]]
| (u32 size0, u32 size1, ((Size0<<4)  <nowiki>|</nowiki> 10), inbufptr0, ((Size1<<4)  <nowiki>|</nowiki> 10), inbufptr1) Writes an output u32 to cmdreply[2].
+
| Main-only
 +
| [[SSLC:OpenClientCertContext|OpenClientCertContext]]
 
|-
 
|-
 
| 0x000E0040
 
| 0x000E0040
|  
+
| [[1.0.0-0]]
| (u8 inval) Writes an output u32 to cmdreply[2](created context handle).
+
| Main-only
 +
| [[SSLC:OpenDefaultClientCertContext|OpenDefaultClientCertContext]]
 
|-
 
|-
 
| 0x000F0040
 
| 0x000F0040
|  
+
| [[1.0.0-0]]
| (u32 handle for a context) This is used for destroying a context created by command 0x000E0040.
+
| Main-only
 +
| [[SSLC:CloseClientCertContext|CloseClientCertContext]]
 
|-
 
|-
 
| 0x00100000
 
| 0x00100000
|  
+
| [[1.0.0-0]]
| ?
+
| All
 +
| [[SSLC:SeedRNG|SeedRNG]]
 
|-
 
|-
 
| 0x00110042
 
| 0x00110042
|  
+
| [[1.0.0-0]]
 +
| All
 
| [[SSLC:GenerateRandomData|GenerateRandomData]]
 
| [[SSLC:GenerateRandomData|GenerateRandomData]]
 
|-
 
|-
 
| 0x00120042
 
| 0x00120042
 +
| [[1.0.0-0]]
 
|  
 
|  
 
| [[SSLC:InitializeConnectionSession|InitializeConnectionSession]]
 
| [[SSLC:InitializeConnectionSession|InitializeConnectionSession]]
 
|-
 
|-
 
| 0x00130040
 
| 0x00130040
|  
+
| [[1.0.0-0]]
| (u32 [[SSLC:CreateContext|contexthandle]])
+
| Context-only
 +
| [[SSLC:StartConnection|StartConnection]]
 
|-
 
|-
 
| 0x00140040
 
| 0x00140040
|  
+
| [[1.0.0-0]]
| (u32 inval) Writes two u32s to cmdreply[2] and cmdreply[3].
+
| Context-only
 +
| [[SSLC:StartConnectionGetOut|StartConnectionGetOut]]
 
|-
 
|-
 
| 0x00150082
 
| 0x00150082
|  
+
| [[1.0.0-0]]
 +
| Context-only
 
| [[SSLC:Read|Read]]
 
| [[SSLC:Read|Read]]
 
|-
 
|-
 
| 0x00160082
 
| 0x00160082
|  
+
| [[1.0.0-0]]
| (u32 inval, u32 size, ((Size<<4)  <nowiki>|</nowiki> 12), outbufptr) Writes an output u32 to cmdreply[2].
+
| Context-only
 +
| [[SSLC:ReadPeek|ReadPeek]]
 
|-
 
|-
 
| 0x00170082
 
| 0x00170082
 +
| [[1.0.0-0]]
 
|  
 
|  
 
| [[SSLC:Write|Write]]
 
| [[SSLC:Write|Write]]
 
|-
 
|-
 
| 0x00180080
 
| 0x00180080
 +
| [[1.0.0-0]]
 
|  
 
|  
 
| [[SSLC:ContextSetRootCertChain|ContextSetRootCertChain]]
 
| [[SSLC:ContextSetRootCertChain|ContextSetRootCertChain]]
 
|-
 
|-
 
| 0x00190080
 
| 0x00190080
|  
+
| [[1.0.0-0]]
| (u32 [[SSLC:CreateContext|contexthandle]], u32 inval2)
+
| Context-only
 +
| [[SSLC:ContextSetClientCert|ContextSetClientCert]]
 
|-
 
|-
 
| 0x001A0080
 
| 0x001A0080
|  
+
| [[1.0.0-0]]
| (u32 inval, u32 inval2)
+
| Context-only
 +
| SetCrlStore(u32 [[SSLC:CreateContext|contexthandle]], u32 handle) This writes a context handle created by command 0x00080000 into the session context.
 
|-
 
|-
 
| 0x001B0080
 
| 0x001B0080
|  
+
| [[1.0.0-0]]
| (u32 inval, u32 inval2)
+
| Context-only
 +
| [[SSLC:ContextClearOpt|ContextClearOpt]]
 
|-
 
|-
 
| 0x001C00C4
 
| 0x001C00C4
|  
+
| [[1.0.0-0]]
| (u32 inval, u32 size0, u32 size1, ((Size0<<4)  <nowiki>|</nowiki> 12), outbufptr0, ((Size1<<4)  <nowiki>|</nowiki> 12), outbufptr1)
+
| Context-only
 +
| [[SSLC:ContextGetProtocolCipher|ContextGetProtocolCipher]]
 
|-
 
|-
 
| 0x001D0040
 
| 0x001D0040
|  
+
| [[1.0.0-0]]
| (u32 inval) Writes an output u32 to cmdreply[2].
+
| Context-only
 +
| GetCertVerificationErrors(u32 [[SSLC:CreateContext|contexthandle]]) Writes an output u32 from the context state to cmdreply[2].
 
|-
 
|-
 
| 0x001E0040
 
| 0x001E0040
|  
+
| [[1.0.0-0]]
| (u32 inval)
+
| All
 +
| [[SSLC:DestroyContext|DestroyContext]]
 
|-
 
|-
 
| 0x001F0082
 
| 0x001F0082
|  
+
| [[1.0.0-0]]
| (u32 inval, u32 inval2, <value-0x0 handle-transfer header>, handle)
+
| Context-only
 +
| [[SSLC:ContextInitSharedmem|ContextInitSharedmem]]
 
|-
 
|-
 
| 0x00200082
 
| 0x00200082
|  
+
| [[1.0.0-0]]
| (u32 inval, u32 size, ((Size<<4)  <nowiki>|</nowiki> 10), inbufptr)
+
| Context-only
 +
| AddEVPolicyID([[SSLC:CreateContext|contexthandle]], u32 size, ((Size<<4)  <nowiki>|</nowiki> 10), inbufptr) The input buffer is handled as a string.
 
|}
 
|}
  
Line 139: Line 172:
  
 
Similar to HTTPC, each SSL [[SSLC:CreateContext|context]] is used with a dedicated service session which gets opened after creating that context. Following creating the context + opening the service session, [[SSLC:InitializeConnectionSession]] is used from that service session for that context. Afterwards, all commands which require a handle for this context are done with this dedicated service session.
 
Similar to HTTPC, each SSL [[SSLC:CreateContext|context]] is used with a dedicated service session which gets opened after creating that context. Following creating the context + opening the service session, [[SSLC:InitializeConnectionSession]] is used from that service session for that context. Afterwards, all commands which require a handle for this context are done with this dedicated service session.
 +
 +
Internally there's a separate object vtable used with the above SSLC commands, for the main session(where [[SSLC:InitializeConnectionSession]] wasn't used), and context sessions where [[SSLC:InitializeConnectionSession]] was used. Error 0xD960BBF4 will be returned if a command was used with the wrong session type.
 +
 +
Like some other commands, 0x001F0082 and 0x00200082 are not used by HTTP-sysmodule.
 +
 +
Among commands 0x00180080..0x001B0080 none of them are completely mandatory. However, with the default settings at bare minimum a RootCertChain needs selected otherwise an untrusted-RootCA error will trigger eventually.
 +
 +
It's unknown whether TLS server->client connections are supported.
 +
 +
The highest supported TLS protocol version is v1.1(this is the version used by default).
 +
 +
=Commands 0x00080000..0x000C0080=
 +
These appear to be basically the same as the RootCertChain 0x00030000..0x00070080 commands, except with a different context. The equivalent of RootCertChainAddDefaultCert in this set(0x000B0080) is not usable however.
 +
 +
It's unknown what this context is actually used for. Trying to use this seems to have no affect on the TLS connection at all, it seems like the cert isn't even parsed.
 +
 +
=Cert verification=
 +
The server TLS cert not-before/not-after timestamps are not validated using the system-date which can be set via [[System Settings]](it's possible these timestamps are not validated at all).
 +
 +
=SSLOpt=
 +
{| class="wikitable" border="1"
 +
|-
 +
!  Flag (BIT)
 +
!  Description
 +
|-
 +
| 0x000 (??)
 +
| Don't verify certificate at all
 +
|-
 +
| 0x001 (00)
 +
| Verify Common Name (CN)
 +
|-
 +
| 0x002 (01)
 +
| Verify RootCA
 +
|-
 +
| 0x004 (02)
 +
| Verify date
 +
|-
 +
| 0x008 (03)
 +
| Verify cert chain
 +
|-
 +
| 0x010 (04)
 +
| Verify "subject alt name" (required for multi-address certificates)
 +
|-
 +
| 0x020 (05)
 +
| Verify cert EV
 +
|-
 +
| 0x200 (09)
 +
| Makes certification validation always succeed
 +
|-
 +
| 0x800 (11)
 +
| Disable use of TLSv1.1 (hence fallback to TLSv1.0)
 +
|}
 +
 +
This is the options field initialized during [[SSLC:CreateContext]], and cleared via [[SSLC:ContextClearOpt]]. When the context is initially created, the options field initially has bitmask 0x1B set(besides the additional bits specified via [[SSLC:CreateContext]]).
 +
 +
= Error codes =
 +
{| class="wikitable" border="1"
 +
|-
 +
!  Error code
 +
!  Description
 +
|-
 +
| 0xD8A0B801
 +
| Generic error, it means "this is not an SSL connection"
 +
|-
 +
| 0xD840B802
 +
| EWOULDBLOCK while trying to read
 +
|-
 +
| 0xD840B803
 +
| EWOULDBLOCK while trying to write
 +
|-
 +
| 0xD840B807
 +
| EWOULDBLOCK while calling sslcStartConnection()
 +
|-
 +
| 0xD8A0B805
 +
| Syscall error, usually means there's no more data to be read because connection is closed
 +
|-
 +
| 0xD8A0B806
 +
| End-of-stream reached, there is no more data to be read
 +
|-
 +
| 0xD8A0B814
 +
| Server cert verification failed since the RootCA isn't trusted.
 +
|-
 +
| 0xD8A0B836
 +
| The specified RootCertChain handle was not found in the linked-list.
 +
|}

Latest revision as of 04:47, 10 August 2021

SSL service "ssl:C"[edit]

Command Header Available since system-version Available from service-sessions Description
0x00010002 1.0.0-0 Basically main-only Initialize
0x000200C2 1.0.0-0 CreateContext
0x00030000 1.0.0-0 CreateRootCertChain
0x00040040 1.0.0-0 DestroyRootCertChain
0x00050082 1.0.0-0 Main-only AddTrustedRootCA
0x00060080 1.0.0-0 Main-only RootCertChainAddDefaultCert
0x00070080 1.0.0-0 Main-only RootCertChainRemoveCert
0x00080000 1.0.0-0 CreateCrlStore. This writes an output u32 to cmdreply[2](created context handle).
0x00090040 1.0.0-0 DestroyCrlStore(u32 contexthandle)
0x000A0082 1.0.0-0 Main-only AddCrlToCrlStore(u32 contexthandle, u32 size, ((Size<<4) | 10), inbufptr)
0x000B0080 1.0.0-0 Main-only AddInternalCrlToCrlStore(u32 contexthandle, u8 inval2)
0x000C0080 1.0.0-0 Main-only RemoveCrlFromCrlStore(u32 contexthandle, u32 certcontexthandle) This removes the specified cert from the context.
0x000D0084 1.0.0-0 Main-only OpenClientCertContext
0x000E0040 1.0.0-0 Main-only OpenDefaultClientCertContext
0x000F0040 1.0.0-0 Main-only CloseClientCertContext
0x00100000 1.0.0-0 All SeedRNG
0x00110042 1.0.0-0 All GenerateRandomData
0x00120042 1.0.0-0 InitializeConnectionSession
0x00130040 1.0.0-0 Context-only StartConnection
0x00140040 1.0.0-0 Context-only StartConnectionGetOut
0x00150082 1.0.0-0 Context-only Read
0x00160082 1.0.0-0 Context-only ReadPeek
0x00170082 1.0.0-0 Write
0x00180080 1.0.0-0 ContextSetRootCertChain
0x00190080 1.0.0-0 Context-only ContextSetClientCert
0x001A0080 1.0.0-0 Context-only SetCrlStore(u32 contexthandle, u32 handle) This writes a context handle created by command 0x00080000 into the session context.
0x001B0080 1.0.0-0 Context-only ContextClearOpt
0x001C00C4 1.0.0-0 Context-only ContextGetProtocolCipher
0x001D0040 1.0.0-0 Context-only GetCertVerificationErrors(u32 contexthandle) Writes an output u32 from the context state to cmdreply[2].
0x001E0040 1.0.0-0 All DestroyContext
0x001F0082 1.0.0-0 Context-only ContextInitSharedmem
0x00200082 1.0.0-0 Context-only AddEVPolicyID(contexthandle, u32 size, ((Size<<4) | 10), inbufptr) The input buffer is handled as a string.

Going by strings in the SSL sysmodule it appears the sysmodule uses RSA BSAFE(like certain other 3DS software), this is also likely where the "ssl:C" name comes from(RSA BSAFE "SSL-C").

Similar to HTTPC, each SSL context is used with a dedicated service session which gets opened after creating that context. Following creating the context + opening the service session, SSLC:InitializeConnectionSession is used from that service session for that context. Afterwards, all commands which require a handle for this context are done with this dedicated service session.

Internally there's a separate object vtable used with the above SSLC commands, for the main session(where SSLC:InitializeConnectionSession wasn't used), and context sessions where SSLC:InitializeConnectionSession was used. Error 0xD960BBF4 will be returned if a command was used with the wrong session type.

Like some other commands, 0x001F0082 and 0x00200082 are not used by HTTP-sysmodule.

Among commands 0x00180080..0x001B0080 none of them are completely mandatory. However, with the default settings at bare minimum a RootCertChain needs selected otherwise an untrusted-RootCA error will trigger eventually.

It's unknown whether TLS server->client connections are supported.

The highest supported TLS protocol version is v1.1(this is the version used by default).

Commands 0x00080000..0x000C0080[edit]

These appear to be basically the same as the RootCertChain 0x00030000..0x00070080 commands, except with a different context. The equivalent of RootCertChainAddDefaultCert in this set(0x000B0080) is not usable however.

It's unknown what this context is actually used for. Trying to use this seems to have no affect on the TLS connection at all, it seems like the cert isn't even parsed.

Cert verification[edit]

The server TLS cert not-before/not-after timestamps are not validated using the system-date which can be set via System Settings(it's possible these timestamps are not validated at all).

SSLOpt[edit]

Flag (BIT) Description
0x000 (??) Don't verify certificate at all
0x001 (00) Verify Common Name (CN)
0x002 (01) Verify RootCA
0x004 (02) Verify date
0x008 (03) Verify cert chain
0x010 (04) Verify "subject alt name" (required for multi-address certificates)
0x020 (05) Verify cert EV
0x200 (09) Makes certification validation always succeed
0x800 (11) Disable use of TLSv1.1 (hence fallback to TLSv1.0)

This is the options field initialized during SSLC:CreateContext, and cleared via SSLC:ContextClearOpt. When the context is initially created, the options field initially has bitmask 0x1B set(besides the additional bits specified via SSLC:CreateContext).

Error codes[edit]

Error code Description
0xD8A0B801 Generic error, it means "this is not an SSL connection"
0xD840B802 EWOULDBLOCK while trying to read
0xD840B803 EWOULDBLOCK while trying to write
0xD840B807 EWOULDBLOCK while calling sslcStartConnection()
0xD8A0B805 Syscall error, usually means there's no more data to be read because connection is closed
0xD8A0B806 End-of-stream reached, there is no more data to be read
0xD8A0B814 Server cert verification failed since the RootCA isn't trusted.
0xD8A0B836 The specified RootCertChain handle was not found in the linked-list.