2,789
edits
Changes
→ssl:s
=== ImportClientCertKeyPki ===
=== ImportClientCertKeyPki ===
Takes two type-0x5 input buffers and a [[#CertificateFormat]], returns an output u64 Id.
Takes two type-0x5 input buffers and a [[#CertificateFormat]], returns an output u64 Id.
This imports the specified client cert (first inbuf) and key (second inbuf). The [[#CertificateFormat]] controls the format for the cert and key.
=== GeneratePrivateKeyAndCert ===
=== GeneratePrivateKeyAndCert ===
Takes two type-0x6 output buffers, a type-0x5 input buffer containing a [[#KeyAndCertParams]], and an u32, returns two output u32s.
Takes two type-0x6 output buffers, a type-0x5 input buffer containing a [[#KeyAndCertParams]], and an u32, returns two output u32s.
Official sw passes hard-coded value 1 for the u32.
Official sw passes hard-coded value 1 for the u32. Sysmodule will throw an error if the u32 is not value 1.
The input buffer size must match the size of [[#KeyAndCertParams]] (0x58-bytes).
This generates a self-signed DER cert/key with algo sha256WithRSAEncryption, with the cert expiring in exactly 30 days from the begin-timestamp.
The first outbuf contains the cert, the second outbuf contains the key. The output u32s are the actual output size of the cert and key.
Sample cert:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: {...}
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = {input}
Validity
Not Before: {...}
Not After : {...}
Subject: CN = {input}
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: {input bit-size}
Modulus:
{...}
Exponent: {input}
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
{...}
=== ISslConnection ===
=== ISslConnection ===
==== SetPrivateOption ====
==== SetPrivateOption ====
Takes an input bool and an [[#OptionType]], no output.
Takes an input bool and an [[#OptionType]], no output.
[17.0.0+] Takes an input u32 value and an [[#OptionType]], no output.
==== SetSrtpCiphers ====
==== SetSrtpCiphers ====
Takes a type-0x6 output buffer and two type-0x5 input buffers.
Takes a type-0x6 output buffer and two type-0x5 input buffers.
The first inbuf contains a string.
The first inbuf contains the label string. The buffer size must match the output from strnlen(inbuf0, bufsize0), therefore the buffer size must not include the NUL-terminator.
The second inbuf is the optional context data, if specified the buffer size must be <0xFFFF.
This is for standard TLS keying material export.
==== SetIoTimeout ====
==== SetIoTimeout ====
Takes an input u32, no output.
Takes an input u32, no output.
This sets a field in the ISslConnection object, then returns 0.
==== GetIoTimeout ====
==== GetIoTimeout ====
No input, returns an output u32.
No input, returns an output u32.
This gets the field set by [[#SetIoTimeout]], then returns 0.
= ssl:s =
= ssl:s =
|-
|-
| 102 || [[#GetThreadCoreMask]]
| 102 || [[#GetThreadCoreMask]]
|-
| 103 || [18.0.0+] VerifySignature
|}
|}
== CreateContextForSystem ==
== CreateContextForSystem ==
Takes a PID, an input u32 [[#SslVersion]] and an input u64 pid_placeholder. Returns an output [[#ISslContextForSystem]].
Takes a PID, an input u32 [[#SslVersion]] and an input u64 pid_placeholder. Returns an output [[#ISslContextForSystem]].
| 13 || [16.0.0+] [[#GeneratePrivateKeyAndCert]]
| 13 || [16.0.0+] [[#GeneratePrivateKeyAndCert]]
|-
|-
| 100 || [[#CreateConnectionForSystem]]
| 100 || [[#CreateConnectionEx]]
|}
|}
=== CreateConnectionForSystem ===
=== CreateConnectionEx ===
No input. Returns an [[#ISslConnection]].
No input. Returns an [[#ISslConnection]].
[14.0.0+] ApiVersion is now 3 and TLS 1.3 is supported again. Auto now uses min=TlsV10 max=((ApiVersion < 3) ? TlsV12 : TlsV13). If too many connection errors arise, TLS now automatically falls back to version 1.2 by setting an internal flag which can be manually cleared with [[#ClearTls12FallbackFlag]].
[14.0.0+] ApiVersion is now 3 and TLS 1.3 is supported again. Auto now uses min=TlsV10 max=((ApiVersion < 3) ? TlsV12 : TlsV13). If too many connection errors arise, TLS now automatically falls back to version 1.2 by setting an internal flag which can be manually cleared with [[#ClearTls12FallbackFlag]].
[17.0.0+] ApiVersion is now 4.
{| class="wikitable" border="1"
{| class="wikitable" border="1"
|-
|-
| 1 || [[#SetSessionCacheMode]] will throw an error if the input [[#SessionCacheMode]] is non-zero and this option flag is set.
| 1 || [[#SetSessionCacheMode]] will throw an error if the input [[#SessionCacheMode]] is non-zero and this option flag is set.
|-
| 2 || [17.0.0+] This exclusively enables the cipher suite specified in the input u32 passed to [[#SetPrivateOption]] (all other ciphers disabled).
|}
|}
This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these bool flags are cleared (excluding PrivateOptionType val1 above?).
This corresponds to bool flags. At the time of [[#ISslConnection]] object creation, all of these fields are cleared (excluding PrivateOptionType val1 above?).
"SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]].
"SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]].
! Description
! Description
|-
|-
| 0x0 || 0x4 ||
| 0x0 || 0x4 || Must be value 1.
|-
|-
| 0x4 || 0x4 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0.
| 0x4 || 0x4 || s32 Key size in bits.
|-
|-
| 0x8 || 0x8 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0.
| 0x8 || 0x8 || Public exponent, must be non-zero. Only the low 4-bytes are used.
|-
|-
| 0x10 || 0x40 || NUL-terminated string.
| 0x10 || 0x40 || CN (Common Name) NUL-terminated string.
|-
|-
| 0x50 || 0x4 || The official wrapper code for [[#GeneratePrivateKeyAndCert]] throws an error if this is value 0 or >0x3F. It also verifies that this matches the output from: <code>strnlen(struct+0x10, 0x40)</code>.
| 0x50 || 0x4 || An error is thrown if this is value 0 or >0x3F. The official wrapper code for [[#GeneratePrivateKeyAndCert]] verifies that this matches the output from <code>strnlen(struct+0x10, 0x40)</code>, however the sysmodule version just throws an error if the strnlen output matches 0x40 (as in no NUL-terminator found).
|}
|}