Line 192: |
Line 192: |
| === ImportClientCertKeyPki === | | === ImportClientCertKeyPki === |
| Takes two type-0x5 input buffers and a [[#CertificateFormat]], returns an output u64 Id. | | Takes two type-0x5 input buffers and a [[#CertificateFormat]], returns an output u64 Id. |
| + | |
| + | This imports the specified client cert (first inbuf) and key (second inbuf). The [[#CertificateFormat]] controls the format for the cert and key. |
| | | |
| === GeneratePrivateKeyAndCert === | | === GeneratePrivateKeyAndCert === |
| Takes two type-0x6 output buffers, a type-0x5 input buffer containing a [[#KeyAndCertParams]], and an u32, returns two output u32s. | | Takes two type-0x6 output buffers, a type-0x5 input buffer containing a [[#KeyAndCertParams]], and an u32, returns two output u32s. |
| | | |
− | Official sw passes hard-coded value 1 for the u32. | + | Official sw passes hard-coded value 1 for the u32. Sysmodule will throw an error if the u32 is not value 1. |
| + | |
| + | The input buffer size must match the size of [[#KeyAndCertParams]] (0x58-bytes). |
| + | |
| + | This generates a self-signed DER cert/key with algo sha256WithRSAEncryption, with the cert expiring in exactly 30 days from the begin-timestamp. |
| + | |
| + | The first outbuf contains the cert, the second outbuf contains the key. The output u32s are the actual output size of the cert and key. |
| + | |
| + | Sample cert: |
| + | |
| + | Certificate: |
| + | Data: |
| + | Version: 1 (0x0) |
| + | Serial Number: {...} |
| + | Signature Algorithm: sha256WithRSAEncryption |
| + | Issuer: CN = {input} |
| + | Validity |
| + | Not Before: {...} |
| + | Not After : {...} |
| + | Subject: CN = {input} |
| + | Subject Public Key Info: |
| + | Public Key Algorithm: rsaEncryption |
| + | Public-Key: {input bit-size} |
| + | Modulus: |
| + | {...} |
| + | Exponent: {input} |
| + | Signature Algorithm: sha256WithRSAEncryption |
| + | Signature Value: |
| + | {...} |
| | | |
| === ISslConnection === | | === ISslConnection === |
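Review bot: the certificate dump under "Sample cert:" has lost its indentation and is not wrapped in a <pre> block, so the openssl-style tree renders as flat wiki text; wrapping it in <pre>...</pre> would keep the structure. Three points in the GeneratePrivateKeyAndCert text also need tightening: "expiring in exactly 30 days from the begin-timestamp" does not say where the begin-timestamp comes from (the system clock at call time, or a field of [[#KeyAndCertParams]]); "Sysmodule will throw an error if the u32 is not value 1" should name the result code; and the dump shows "Version: 1 (0x0)", i.e. an X.509 v1 certificate with no extensions (no SubjectAltName, no BasicConstraints), which deserves an explicit sentence because many current TLS stacks refuse such a certificate for hostname verification, so callers should know what the generated cert can and cannot be used for.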
Line 464: |
Line 494: |
| ==== SetPrivateOption ==== | | ==== SetPrivateOption ==== |
| Takes an input bool and an [[#OptionType]], no output. | | Takes an input bool and an [[#OptionType]], no output. |
| + | |
| + | [17.0.0+] Takes an input u32 value and an [[#OptionType]], no output. |
| | | |
| ==== SetSrtpCiphers ==== | | ==== SetSrtpCiphers ==== |
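Review bot: the new "[17.0.0+] Takes an input u32 value" line does not say whether the bool form is gone on 17.0.0+ or whether the bool was simply widened to a u32 with the same meaning for the existing option types. Since [[#PrivateOptionType]] value 2 later on the page reads this u32 as a cipher suite identifier, add a cross-reference there and state what values other than 0 and 1 mean for the older option types (rejected, or treated as non-zero = true).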
Line 476: |
Line 508: |
| Takes a type-0x6 output buffer and two type-0x5 input buffers. | | Takes a type-0x6 output buffer and two type-0x5 input buffers. |
| | | |
− | The first inbuf contains a string. | + | The first inbuf contains the label string. The buffer size must match the output from strnlen(inbuf0, bufsize0), therefore the buffer size must not include the NUL-terminator. |
| + | |
| + | The second inbuf is the optional context data, if specified the buffer size must be <0xFFFF. |
| + | |
| + | This is for standard TLS keying material export. |
| | | |
| ==== SetIoTimeout ==== | | ==== SetIoTimeout ==== |
| Takes an input u32, no output. | | Takes an input u32, no output. |
| + | |
| + | This sets a field in the ISslConnection object, then returns 0. |
| | | |
| ==== GetIoTimeout ==== | | ==== GetIoTimeout ==== |
| No input, returns an output u32. | | No input, returns an output u32. |
| + | |
| + | This gets the field set by [[#SetIoTimeout]], then returns 0. |
| | | |
| = ssl:s = | | = ssl:s = |
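Review bot: "This is for standard TLS keying material export" should cite the standard, RFC 5705 (and the TLS 1.3 exporter of RFC 8446 section 7.5), and the description should say what the output buffer size means, presumably the requested length of exported material. Two of the new constraints also need to be made precise: RFC 5705 encodes the context length as a 16-bit field, so state whether the check on the second inbuf is strictly <0xFFFF as written or <=0xFFFF, and whether a zero-size second buffer is treated as "no context" rather than a zero-length context, since RFC 5705 derives different output for those two cases. For SetIoTimeout, "sets a field" should give the unit of the u32 (milliseconds?) and which operations honour it.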
Line 520: |
Line 560: |
| |- | | |- |
| | 102 || [[#GetThreadCoreMask]] | | | 102 || [[#GetThreadCoreMask]] |
| + | |- |
| + | | 103 || [18.0.0+] VerifySignature |
| |} | | |} |
| | | |
| == CreateContextForSystem == | | == CreateContextForSystem == |
− | Unofficial name.
| |
− |
| |
| Takes a PID, an input u32 [[#SslVersion]] and an input u64 pid_placeholder. Returns an output [[#ISslContextForSystem]]. | | Takes a PID, an input u32 [[#SslVersion]] and an input u64 pid_placeholder. Returns an output [[#ISslContextForSystem]]. |
| | | |
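Review bot: the new row "103 || [18.0.0+] VerifySignature" is not wiki-linked like the other entries and no "== VerifySignature ==" section is added in this change, so the name has no description (inputs, which signature and hash algorithms are accepted, what is being verified against which key, and which result code a failed verification returns); either link it as [[#VerifySignature]] with a section, or mark it as a stub. Dropping "Unofficial name." from CreateContextForSystem implies the name is now confirmed; a short note on where it was confirmed would let later readers tell it apart from a guess.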
Line 576: |
Line 616: |
| | 13 || [16.0.0+] [[#GeneratePrivateKeyAndCert]] | | | 13 || [16.0.0+] [[#GeneratePrivateKeyAndCert]] |
| |- | | |- |
− | | 100 || [[#CreateConnectionForSystem]] | + | | 100 || [[#CreateConnectionEx]] |
| |} | | |} |
| | | |
− | === CreateConnectionForSystem === | + | === CreateConnectionEx === |
− | Unofficial name.
| |
− | | |
| No input. Returns an [[#ISslConnection]]. | | No input. Returns an [[#ISslConnection]]. |
| | | |
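Review bot: renaming CreateConnectionForSystem to CreateConnectionEx changes the section anchor, so any remaining [[#CreateConnectionForSystem]] links elsewhere on the page now break; the old anchor should be searched for and updated. Removing the two "Unofficial name." lines also leaves a blank line between the heading and "No input.", which the neighbouring sections such as SetPrivateOption do not have.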
Line 600: |
Line 638: |
| | | |
| [14.0.0+] ApiVersion is now 3 and TLS 1.3 is supported again. Auto now uses min=TlsV10 max=((ApiVersion < 3) ? TlsV12 : TlsV13). If too many connection errors arise, TLS now automatically falls back to version 1.2 by setting an internal flag which can be manually cleared with [[#ClearTls12FallbackFlag]]. | | [14.0.0+] ApiVersion is now 3 and TLS 1.3 is supported again. Auto now uses min=TlsV10 max=((ApiVersion < 3) ? TlsV12 : TlsV13). If too many connection errors arise, TLS now automatically falls back to version 1.2 by setting an internal flag which can be manually cleared with [[#ClearTls12FallbackFlag]]. |
| + | |
| + | [17.0.0+] ApiVersion is now 4. |
| | | |
| {| class="wikitable" border="1" | | {| class="wikitable" border="1" |
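Review bot: "[17.0.0+] ApiVersion is now 4" states only the number; say what changed with it. With the formula in the preceding paragraph, max=((ApiVersion < 3) ? TlsV12 : TlsV13), version 4 still selects TlsV13, so if the 17.0.0 additions documented elsewhere on the page (the u32 form of SetPrivateOption and the exclusive cipher suite PrivateOptionType) are gated on ApiVersion >= 4 rather than on system version, that is the fact readers need here.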
Line 985: |
Line 1,025: |
| |- | | |- |
| | 1 || [[#SetSessionCacheMode]] will throw an error if the input [[#SessionCacheMode]] is non-zero and this option flag is set. | | | 1 || [[#SetSessionCacheMode]] will throw an error if the input [[#SessionCacheMode]] is non-zero and this option flag is set. |
| + | |- |
| + | | 2 || [17.0.0+] This exclusively enables the cipher suite specified in the input u32 passed to [[#SetPrivateOption]] (all other ciphers disabled). |
| |} | | |} |
| | | |
− | This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these bool flags are cleared (excluding PrivateOptionType val1 above?). | + | This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these fields are cleared (excluding PrivateOptionType val1 above?). |
| | | |
| "SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]]. | | "SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]]. |
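Review bot: "This corresponds to bool flags" is now inconsistent with the row added just above it, where value 2 carries a u32 cipher suite identifier rather than a bool; say which values are flags and which are fields. For value 2, document the encoding of the u32 (IANA cipher suite number or an internal index), what happens when the identifier is not in the supported list (an error from SetPrivateOption, or a handshake that can never succeed), and whether the exclusive suite is also subject to the TLS 1.2 fallback described under ApiVersion. A client that advertises exactly one suite is also trivially fingerprintable on the wire, so note whether the option changes the advertised ClientHello list or only the server-side selection.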
Line 1,041: |
Line 1,083: |
| ! Description | | ! Description |
| |- | | |- |
− | | 0x0 || 0x4 || | + | | 0x0 || 0x4 || Must be value 1. |
| |- | | |- |
− | | 0x4 || 0x4 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0. | + | | 0x4 || 0x4 || s32 Key size in bits. |
| |- | | |- |
− | | 0x8 || 0x8 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0. | + | | 0x8 || 0x8 || Public exponent, must be non-zero. Only the low 4-bytes are used. |
| |- | | |- |
− | | 0x10 || 0x40 || NUL-terminated string. | + | | 0x10 || 0x40 || CN (Common Name) NUL-terminated string. |
| |- | | |- |
− | | 0x50 || 0x4 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0 or >0x3F. It also verifies that this matches the output from: <code>strnlen(struct+0x10, 0x40)</code>. | + | | 0x50 || 0x4 || An error is thrown if this is value 0 or >0x3F. The official wrapper code for [[#GeneratePrivateKeyAndCert]] verifies that this matches the output from <code>strnlen(struct+0x10, 0x40)</code>, however the sysmodule version just throws an error if the strnlen output matches 0x40 (as in no NUL-terminator found). |
| |} | | |} |
| | | |
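Review bot: the row at 0x50 now describes two different checks, and the text should say which length the sysmodule actually uses to build the CN: the value at 0x50 or the strnlen result. As written, the sysmodule only rejects a missing NUL (strnlen == 0x40), so a caller can pass a length field that disagrees with the string; state whether the CN is then truncated to the field, to the NUL, or the call fails. The table also accounts for only 0x54 bytes (0x50 + 0x4) while the GeneratePrivateKeyAndCert text says the buffer must be 0x58 bytes; add a row for the 4 bytes at 0x54 (padding or reserved). For 0x8, "must be non-zero" is weaker than what RSA needs: a public exponent of 1 or any even value is invalid, so say whether the sysmodule rejects those or produces an unusable key. For 0x4, give the accepted range of the key size in bits and whether the value is really signed, since the row says s32 in a 0x4 field.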