SSL services: Difference between revisions

(15 intermediate revisions by 2 users not shown)

Line 192:

=== ImportClientCertKeyPki ===

Takes two type-0x5 input buffers and a [[#CertificateFormat]], returns an output u64 Id.

This imports the specified client cert (first inbuf) and key (second inbuf). The [[#CertificateFormat]] controls the format for the cert and key.

=== GeneratePrivateKeyAndCert ===

Takes two type-0x6 output buffers, a type-0x5 input buffer containing a [[#KeyAndCertParams]], and an u32, returns two output u32s.

Official sw passes hard-coded value 1 for the u32.

Official sw passes hard-coded value 1 for the u32. Sysmodule will throw an error if the u32 is not value 1.

The input buffer size must match the size of [[#KeyAndCertParams]] (0x58-bytes).

This generates a self-signed DER cert/key with algo sha256WithRSAEncryption, with the cert expiring in exactly 30 days from the begin-timestamp.

The first outbuf contains the cert, the second outbuf contains the key. The output u32s are the actual output size of the cert and key.

Sample cert:

Certificate:

Data:

Version: 1 (0x0)

Serial Number: {...}

Signature Algorithm: sha256WithRSAEncryption

Issuer: CN = {input}

Validity

Not Before: {...}

Not After : {...}

Subject: CN = {input}

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

Public-Key: {input bit-size}

Modulus:

{...}

Exponent: {input}

Signature Algorithm: sha256WithRSAEncryption

Signature Value:

{...}

=== ISslConnection ===

Line 464:

Line 494:

==== SetPrivateOption ====

Takes an input bool and an [[#OptionType]], no output.

[17.0.0+] Takes an input u32 value and an [[#OptionType]], no output.

==== SetSrtpCiphers ====

Line 476:

Line 508:

Takes a type-0x6 output buffer and two type-0x5 input buffers.

The first inbuf contains a string.

The first inbuf contains the label string. The buffer size must match the output from strnlen(inbuf0, bufsize0), therefore the buffer size must not include the NUL-terminator.

The second inbuf is the optional context data, if specified the buffer size must be <0xFFFF.

This is for standard TLS keying material export.

==== SetIoTimeout ====

Takes an input u32, no output.

This sets a field in the ISslConnection object, then returns 0.

==== GetIoTimeout ====

No input, returns an output u32.

This gets the field set by [[#SetIoTimeout]], then returns 0.

= ssl:s =

Line 520:

Line 560:

|-

| 102 || [[#GetThreadCoreMask]]

|-

| 103 || [18.0.0+] VerifySignature

|}

== CreateContextForSystem ==

~~Unofficial name.~~

Takes a PID, an input u32 [[#SslVersion]] and an input u64 pid_placeholder. Returns an output [[#ISslContextForSystem]].

Line 576:

Line 616:

| 13 || [16.0.0+] [[#GeneratePrivateKeyAndCert]]

|-

| 100 || [[#~~CreateConnectionForSystem~~]]

| 100 || [[#CreateConnectionEx]]

|}

=== ~~CreateConnectionForSystem~~ ===

=== CreateConnectionEx ===

~~Unofficial name.~~

No input. Returns an [[#ISslConnection]].

Line 600:

Line 638:

[14.0.0+] ApiVersion is now 3 and TLS 1.3 is supported again. Auto now uses min=TlsV10 max=((ApiVersion < 3) ? TlsV12 : TlsV13). If too many connection errors arise, TLS now automatically falls back to version 1.2 by setting an internal flag which can be manually cleared with [[#ClearTls12FallbackFlag]].

[17.0.0+] ApiVersion is now 4.

{| class="wikitable" border="1"

Line 985:

Line 1,025:

|-

| 1 || [[#SetSessionCacheMode]] will throw an error if the input [[#SessionCacheMode]] is non-zero and this option flag is set.

|-

| 2 || [17.0.0+] This exclusively enables the cipher suite specified in the input u32 passed to [[#SetPrivateOption]] (all other ciphers disabled).

|}

This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these ~~bool flags~~ are cleared (excluding PrivateOptionType val1 above?).

This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these fields are cleared (excluding PrivateOptionType val1 above?).

"SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]].

Line 1,041:

Line 1,083:

! Description

|-

| 0x0 || 0x4 ||

| 0x0 || 0x4 || Must be value 1.

|-

| 0x4 || 0x4 || ~~The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0~~.

| 0x4 || 0x4 || s32 Key size in bits.

|-

| 0x8 || 0x8 || ~~The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0~~.

| 0x8 || 0x8 || Public exponent, must be non-zero. Only the low 4-bytes are used.

|-

| 0x10 || 0x40 || NUL-terminated string.

| 0x10 || 0x40 || CN (Common Name) NUL-terminated string.

|-

| 0x50 || 0x4 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] ~~throws an error if this is value 0 or >0x3F. It also~~ verifies that this matches the output from: <code>strnlen(struct+0x10, 0x40)</code>.

| 0x50 || 0x4 || An error is thrown if this is value 0 or >0x3F. The official wrapper code for [[#GeneratePrivateKeyAndCert]] verifies that this matches the output from <code>strnlen(struct+0x10, 0x40)</code>, however the sysmodule version just throws an error if the strnlen output matches 0x40 (as in no NUL-terminator found).

|}

@@ Line 192: / Line 192: @@
 === ImportClientCertKeyPki ===
 Takes two type-0x5 input buffers and a [[#CertificateFormat]], returns an output u64 Id.
+This imports the specified client cert (first inbuf) and key (second inbuf). The [[#CertificateFormat]] controls the format for the cert and key.
 === GeneratePrivateKeyAndCert ===
 Takes two type-0x6 output buffers, a type-0x5 input buffer containing a [[#KeyAndCertParams]], and an u32, returns two output u32s.
-Official sw passes hard-coded value 1 for the u32.
+Official sw passes hard-coded value 1 for the u32. Sysmodule will throw an error if the u32 is not value 1.
+The input buffer size must match the size of [[#KeyAndCertParams]] (0x58-bytes).
+This generates a self-signed DER cert/key with algo sha256WithRSAEncryption, with the cert expiring in exactly 30 days from the begin-timestamp.
+The first outbuf contains the cert, the second outbuf contains the key. The output u32s are the actual output size of the cert and key.
+Sample cert:
+  Certificate:
+    Data:
+        Version: 1 (0x0)
+        Serial Number: {...}
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = {input}
+        Validity
+            Not Before: {...}
+            Not After : {...}
+        Subject: CN = {input}
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: {input bit-size}
+                Modulus:
+                    {...}
+                Exponent: {input}
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        {...}
 === ISslConnection ===
@@ Line 464: / Line 494: @@
 ==== SetPrivateOption ====
 Takes an input bool and an [[#OptionType]], no output.
+[17.0.0+] Takes an input u32 value and an [[#OptionType]], no output.
 ==== SetSrtpCiphers ====
@@ Line 476: / Line 508: @@
 Takes a type-0x6 output buffer and two type-0x5 input buffers.
-The first inbuf contains a string.
+The first inbuf contains the label string. The buffer size must match the output from strnlen(inbuf0, bufsize0), therefore the buffer size must not include the NUL-terminator.
+The second inbuf is the optional context data, if specified the buffer size must be <0xFFFF.
+This is for standard TLS keying material export.
 ==== SetIoTimeout ====
 Takes an input u32, no output.
+This sets a field in the ISslConnection object, then returns 0.
 ==== GetIoTimeout ====
 No input, returns an output u32.
+This gets the field set by [[#SetIoTimeout]], then returns 0.
 = ssl:s =
@@ Line 520: / Line 560: @@
 |-
 | 102 || [[#GetThreadCoreMask]]
+|-
+| 103 || [18.0.0+] VerifySignature
 |}
 == CreateContextForSystem ==
-Unofficial name.
 Takes a PID, an input u32 [[#SslVersion]] and an input u64 pid_placeholder. Returns an output [[#ISslContextForSystem]].
@@ Line 576: / Line 616: @@
 | 13 || [16.0.0+] [[#GeneratePrivateKeyAndCert]]
 |-
-| 100 || [[#CreateConnectionForSystem]]
+| 100 || [[#CreateConnectionEx]]
 |}
-=== CreateConnectionForSystem ===
+=== CreateConnectionEx ===
-Unofficial name.
 No input. Returns an [[#ISslConnection]].
@@ Line 600: / Line 638: @@
 [14.0.0+] ApiVersion is now 3 and TLS 1.3 is supported again. Auto now uses min=TlsV10 max=((ApiVersion < 3) ? TlsV12 : TlsV13). If too many connection errors arise, TLS now automatically falls back to version 1.2 by setting an internal flag which can be manually cleared with [[#ClearTls12FallbackFlag]].
+[17.0.0+] ApiVersion is now 4.
 {| class="wikitable" border="1"
@@ Line 985: / Line 1,025: @@
 |-
 | 1 || [[#SetSessionCacheMode]] will throw an error if the input [[#SessionCacheMode]] is non-zero and this option flag is set.
+|-
+| 2 || [17.0.0+] This exclusively enables the cipher suite specified in the input u32 passed to [[#SetPrivateOption]] (all other ciphers disabled).
 |}
-This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these bool flags are cleared (excluding PrivateOptionType val1 above?).
+This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these fields are cleared (excluding PrivateOptionType val1 above?).
 "SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]].
@@ Line 1,041: / Line 1,083: @@
 ! Description
 |-
-| 0x0 || 0x4 ||
+| 0x0 || 0x4 || Must be value 1.
 |-
-| 0x4 || 0x4 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0.
+| 0x4 || 0x4 || s32 Key size in bits.
 |-
-| 0x8 || 0x8 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0.
+| 0x8 || 0x8 || Public exponent, must be non-zero. Only the low 4-bytes are used.
 |-
-| 0x10 || 0x40 || NUL-terminated string.
+| 0x10 || 0x40 || CN (Common Name) NUL-terminated string.
 |-
-| 0x50 || 0x4 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0 or >0x3F. It also verifies that this matches the output from: <code>strnlen(struct+0x10, 0x40)</code>.
+| 0x50 || 0x4 || An error is thrown if this is value 0 or >0x3F. The official wrapper code for [[#GeneratePrivateKeyAndCert]] verifies that this matches the output from <code>strnlen(struct+0x10, 0x40)</code>, however the sysmodule version just throws an error if the strnlen output matches 0x40 (as in no NUL-terminator found).
 |}