Changes

2,415 bytes added, 17:43, 13 April 2020
no edit summary
Line 68: Line 68:     
== SetDebugOption ==
 
== SetDebugOption ==
Takes an input u32 '''DebugOptionType''' and a type-0x5 input buffer, no output.
+
Takes an input u32 [[#DebugOptionType]] and a type-0x5 input buffer, no output.
    
The input u32 value must be 0, and the buffer addr/size must not be 0.
 
The input u32 value must be 0, and the buffer addr/size must not be 0.
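Review bot: the unchanged sentence "The input u32 value must be 0" in this hunk still uses the raw number, although the type is now linked to [[#DebugOptionType]], whose only listed value is 0 (AllowDisableVerifyOption). Suggest naming it, for example "The input [[#DebugOptionType]] must be AllowDisableVerifyOption (0)", so the reader sees that this command sets the DebugOption state flag that the VerifyOption checks refer to.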
Line 77: Line 77:     
== GetDebugOption ==
 
== GetDebugOption ==
Takes an input u32 '''DebugOptionType''' and a type-0x6 output buffer.
+
Takes an input u32 [[#DebugOptionType]] and a type-0x6 output buffer.
    
Same as [[#SetDebugOption]] except this copies state to the buffer instead.
 
Same as [[#SetDebugOption]] except this copies state to the buffer instead.
Line 314: Line 314:     
= SslVersion =
 
= SslVersion =
This is the "nn::ssl::sf::SslVersion" / "nn::ssl::Context::SslVersion" enum.
+
This is "nn::ssl::sf::SslVersion" or "nn::ssl::Context::SslVersion".
 +
 
 +
{| class="wikitable" border="1"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0x1 || Auto
 +
|-
 +
| 0x8 || TlsV10
 +
|-
 +
| 0x10 || TlsV11
 +
|-
 +
| 0x20 || TlsV12
 +
|}
 +
 
 +
= DebugOptionType =
 +
This is "nn::ssl::sf::DebugOptionType" or "nn::ssl::DebugOption".
 +
 
 +
{| class="wikitable" border="1"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0 || AllowDisableVerifyOption
 +
|}
    
= FlushSessionCacheOptionType =
 
= FlushSessionCacheOptionType =
This is the "nn::ssl::sf::FlushSessionCacheOptionType" / "nn::ssl::FlushSessionCacheOptionType" enum.
+
This is "nn::ssl::sf::FlushSessionCacheOptionType" or "nn::ssl::FlushSessionCacheOptionType".
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
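Review bot: the new SslVersion table lists 0x1, 0x8, 0x10 and 0x20, which look like single-bit mask values, but the intro line does not say whether the field is a bitmask or whether values may be combined. VerifyOption and PollEvent state "This is a bitmask" and list bit indices instead, so the Value column means two different things on one page; suggest stating the convention in each section. The new DebugOptionType section would also benefit from a cross-link to [[#VerifyOption]], since the text there lets the DebugOption state flag waive the required verify bits on [9.0.0+].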
Line 324: Line 349:  
! Description
 
! Description
 
|-
 
|-
| 0 ||  
+
| 0 || SingleHost
 
|-
 
|-
| 1 ||  
+
| 1 || AllHosts
 
|}
 
|}
    
= BuiltInCertificateInfo =
 
= BuiltInCertificateInfo =
 +
This is "nn::ssl::BuiltInManager::BuiltInCertificateInfo".
 +
 
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
Line 342: Line 369:  
| 0x4
 
| 0x4
 
| 0x4
 
| 0x4
| [[#BuiltinDataStatus]]
+
| [[#TrustedCertStatus]]
 
|-
 
|-
 
| 0x8
 
| 0x8
 
| 0x8
 
| 0x8
| Data size
+
| CertificateSize
 
|-
 
|-
 
| 0x10
 
| 0x10
 
| 0x8
 
| 0x8
| Data offset
+
| CertificateDataOffset
 
|}
 
|}
   −
This is the struct returned by [[#GetCertificates]]. Official sw converts this to "nn::ssl::BuiltInManager::BuiltInCertificateInfo" with offset converted to a ptr.
+
This is the struct returned by [[#GetCertificates]]. It is internally converted from "nn::ssl::detail::BuiltinDataInfo" by copying "nn::ssl::detail::BuiltinDataInfo::BuiltinDataStatus" into [[#TrustedCertStatus]] and official software then further converts this to "nn::ssl::BuiltInManager::BuiltInCertificateInfo" by transforming "CertificateDataOffset" into an actual pointer.
 +
 
 +
= TrustedCertStatus =
 +
This is "nn::ssl::TrustedCertStatus".
   −
= BuiltinDataStatus =
   
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
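Review bot: the rewritten paragraph after the BuiltInCertificateInfo table says official software "further converts this to" nn::ssl::BuiltInManager::BuiltInCertificateInfo, yet the intro line added under the heading says the struct "is" that type. Suggest wording the intro as the form returned by [[#GetCertificates]] (with CertificateDataOffset) as opposed to the SDK form (with a pointer), and splitting the long sentence in two. The removed "= BuiltinDataStatus =" heading also leaves any remaining [[#BuiltinDataStatus]] links without a target.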
Line 363: Line 392:  
| -1
 
| -1
 
| Invalid
 
| Invalid
 +
|-
 +
| 0
 +
| Removed
 
|-
 
|-
 
| 1
 
| 1
| Valid
+
| EnabledTrusted
 +
|-
 +
| 2
 +
| EnabledNotTrusted
 +
|-
 +
| 3
 +
| Revoked
 
|}
 
|}
   −
This is the "nn::ssl::detail::BuiltinDataInfo::BuiltinDataStatus" enum.
+
= CaCertificateId =
 +
This is "nn::ssl::CaCertificateId".
   −
= CaCertificateId =
   
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
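Review bot: the TrustedCertStatus table now has five values where the old one had two, and "Valid" became "EnabledTrusted", but nothing says how a caller should treat the new values. Going by the names, only 1 marks a certificate that is both enabled and trusted; a sentence stating that 0, 2 and 3 (Removed, EnabledNotTrusted, Revoked) must not be treated as trusted would keep readers from testing only for -1. The deleted line naming "nn::ssl::detail::BuiltinDataInfo::BuiltinDataStatus" could stay as a note, since the BuiltInCertificateInfo text still refers to that enum.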
Line 376: Line 414:  
! Description
 
! Description
 
|-
 
|-
| 1 || Nintendo {...}
+
| -1 || All
 +
|-
 +
| 1 || NintendoCAG3
 +
|-
 +
| 2 || NintendoClass2CAG3
 +
|-
 +
| 1000 || AmazonRootCA1
 +
|-
 +
| 1001 || StarfieldServicesRootCertificateAuthorityG2
 +
|-
 +
| 1002 || AddTrustExternalCARoot
 +
|-
 +
| 1003 || COMODOCertificationAuthority
 +
|-
 +
| 1004 || UTNDATACorpSGC
 +
|-
 +
| 1005 || UTNUSERFirstHardware
 +
|-
 +
| 1006 || BaltimoreCyberTrustRoot
 +
|-
 +
| 1007 || CybertrustGlobalRoot
 +
|-
 +
| 1008 || VerizonGlobalRootCA
 +
|-
 +
| 1009 || DigiCertAssuredIDRootCA
 +
|-
 +
| 1010 || DigiCertAssuredIDRootG2
 +
|-
 +
| 1011 || DigiCertGlobalRootCA
 +
|-
 +
| 1012 || DigiCertGlobalRootG2
 +
|-
 +
| 1013 || DigiCertHighAssuranceEVRootCA
 +
|-
 +
| 1014 || EntrustnetCertificationAuthority2048
 +
|-
 +
| 1015 || EntrustRootCertificationAuthority
 +
|-
 +
| 1016 || EntrustRootCertificationAuthorityG2
 +
|-
 +
| 1017 || GeoTrustGlobalCA2
 +
|-
 +
| 1018 || GeoTrustGlobalCA
 +
|-
 +
| 1019 || GeoTrustPrimaryCertificationAuthorityG3
 +
|-
 +
| 1020 || GeoTrustPrimaryCertificationAuthority
 +
|-
 +
| 1021 || GlobalSignRootCA
 +
|-
 +
| 1022 || GlobalSignRootCAR2
 +
|-
 +
| 1023 || GlobalSignRootCAR3
 +
|-
 +
| 1024 || GoDaddyClass2CertificationAuthority
 +
|-
 +
| 1025 || GoDaddyRootCertificateAuthorityG2
 +
|-
 +
| 1026 || StarfieldClass2CertificationAuthority
 +
|-
 +
| 1027 || StarfieldRootCertificateAuthorityG2
 +
|-
 +
| 1028 || thawtePrimaryRootCAG3
 +
|-
 +
| 1029 || thawtePrimaryRootCA
 +
|-
 +
| 1030 || VeriSignClass3PublicPrimaryCertificationAuthorityG3
 
|-
 
|-
| 2 || Nintendo {...}
+
| 1031 || VeriSignClass3PublicPrimaryCertificationAuthorityG5
 +
|-
 +
| 1032 || VeriSignUniversalRootCertificationAuthority
 +
|-
 +
| 1033 || DSTRootCAX3
 
|}
 
|}
  −
This is the "nn::ssl::CaCertificateId" enum. Note: the above is missing the non-Nintendo certs.
      
= InternalPki =
 
= InternalPki =
This is the "nn::ssl::sf::InternalPki" / "nn::ssl::Context::InternalPki" enum.
+
This is "nn::ssl::sf::InternalPki" or "nn::ssl::Context::InternalPki".
 
  −
An error is thrown by [[#RegisterInternalPki]] when the input value does not match 1.
      
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
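Review bot: in the CaCertificateId table, the row "-1 || All" is a selector rather than a certificate ID, and nothing says which commands accept it. Suggest a short note under the table stating where All is valid, and that IDs 1 and 2 are the Nintendo CAs while 1000 and up are the third-party roots, so the jump in numbering is not read as missing entries.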
Line 393: Line 497:  
! Description
 
! Description
 
|-
 
|-
| 1 ||  
+
| 0 || None
 +
|-
 +
| 1 || DeviceClientCertDefault
 
|}
 
|}
 +
 +
An error is thrown by [[#RegisterInternalPki]] when the input value does not match "DeviceClientCertDefault".
    
= ContextOption =
 
= ContextOption =
This is the "nn::ssl::sf::ContextOption" / "nn::ssl::Context::ContextOption" enum.
+
This is "nn::ssl::sf::ContextOption" or "nn::ssl::Context::ContextOption".
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 404: Line 512:  
! Description
 
! Description
 
|-
 
|-
| 1 ||  
+
| 0 || None
 +
|-
 +
| 1 || CrlImportDateCheckEnable
 
|}
 
|}
    
= CertificateFormat =
 
= CertificateFormat =
This is the "nn::ssl::sf::CertificateFormat" / "nn::ssl::CertificateFormat" enum.
+
This is "nn::ssl::sf::CertificateFormat" or "nn::ssl::CertificateFormat".
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 415: Line 525:  
! Description
 
! Description
 
|-
 
|-
| 1 ||  
+
| 1 || Pem
 
|-
 
|-
| 2 ||  
+
| 2 || Der
 
|}
 
|}
    
= VerifyOption =
 
= VerifyOption =
This is the "nn::ssl::sf::VerifyOption" enum. This is a bitmask.
+
This is "nn::ssl::sf::VerifyOption". This is a bitmask.
 
  −
Originally ssl-sysmodule ([[#SetVerifyOption]]) just wrote the input field to state. With [5.0.0+] there's now validation for the input, with the value written to state masked with {allowed bitmask}. When [[#SetInterfaceVersion|InterfaceVersion]] is >=0x2, the low 2-bits of VerifyOption must be set, unless {state flag for [[#OptionType]] value 2} is set or [9.0.0+] {bool [[#SetDebugOption|DebugOption]] state flag} is set, otherwise an error is thrown. [6.0.0+]: Following that, if VerifyOption bit4 is set, then VerifyOption & 0x15 must match 0x15 otherwise an error is thrown.
      
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 430: Line 538:  
! Description
 
! Description
 
|-
 
|-
| 0 ||  
+
| 0 || PeerCa
 
|-
 
|-
| 1 ||  
+
| 1 || HostName
 
|-
 
|-
| 2 ||  
+
| 2 || DateCheck
 
|-
 
|-
| 3 ||  
+
| 3 || EvCertPartial
 
|-
 
|-
| 4 || [6.0.0+]
+
| 4 || [6.0.0+] EvPolicyOid
 
|-
 
|-
| 5 || [6.0.0+]
+
| 5 || [6.0.0+] EvCertFingerprint
 
|}
 
|}
 +
 +
Originally ssl-sysmodule ([[#SetVerifyOption]]) just wrote the input field to state. With [5.0.0+] there's now validation for the input, with the value written to state masked with {allowed bitmask}. When [[#SetInterfaceVersion|InterfaceVersion]] is >=0x2, the low 2-bits of VerifyOption must be set, unless {state flag for [[#OptionType]] value 2} is set or [9.0.0+] {bool [[#SetDebugOption|DebugOption]] state flag} is set, otherwise an error is thrown. [6.0.0+]: Following that, if VerifyOption bit4 is set, then VerifyOption & 0x15 must match 0x15 otherwise an error is thrown.
    
= IoMode =
 
= IoMode =
This is the "nn::ssl::sf::IoMode" / "nn::ssl::Connection::IoMode" enum.
+
This is "nn::ssl::sf::IoMode" or "nn::ssl::Connection::IoMode".
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
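Review bot: the VerifyOption paragraph moved below the table still speaks in raw bits ("low 2-bits", "bit4", "0x15") and brace placeholders, although this edit names every one of them. Suggest substituting the names: low 2 bits = PeerCa and HostName; bit4 = EvPolicyOid; 0x15 = PeerCa, DateCheck and EvPolicyOid together; "{state flag for [[#OptionType]] value 2}" = SkipDefaultVerify; the DebugOption flag = AllowDisableVerifyOption. It is also worth stating that the Value column here is a bit index rather than a mask, because the 0x15 check only reads correctly that way.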
Line 451: Line 561:  
! Description
 
! Description
 
|-
 
|-
| 1 ||  
+
| 1 || Blocking
 
|-
 
|-
| 2 ||  
+
| 2 || NonBlocking
 
|}
 
|}
    
= PollEvent =
 
= PollEvent =
This is the "nn::ssl::sf::PollEvent" / "nn::ssl::Connection::PollEvent" enum. This is a bitmask.
+
This is "nn::ssl::sf::PollEvent" or "nn::ssl::Connection::PollEvent". This is a bitmask.
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 464: Line 574:  
! Description
 
! Description
 
|-
 
|-
| 0 ||  
+
| 0 || Read
 
|-
 
|-
| 1 ||  
+
| 1 || Write
 
|-
 
|-
| 2 ||  
+
| 2 || Except
 
|}
 
|}
    
= SessionCacheMode =
 
= SessionCacheMode =
This is the "nn::ssl::sf::SessionCacheMode" / "nn::ssl::Connection::SessionCacheMode" enum.
+
This is "nn::ssl::sf::SessionCacheMode" or "nn::ssl::Connection::SessionCacheMode".
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 479: Line 589:  
! Description
 
! Description
 
|-
 
|-
| 0 ||  
+
| 0 || None
 
|-
 
|-
| 1 ||  
+
| 1 || SessionId
 
|-
 
|-
| 2 ||  
+
| 2 || SessionTicket
 
|}
 
|}
    
= RenegotiationMode =
 
= RenegotiationMode =
This is the "nn::ssl::sf::RenegotiationMode" / "nn::ssl::Connection::RenegotiationMode" enum.
+
This is "nn::ssl::sf::RenegotiationMode" or "nn::ssl::Connection::RenegotiationMode".
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
Line 494: Line 604:  
! Description
 
! Description
 
|-
 
|-
| 0 ||  
+
| 0 || None
 
|-
 
|-
| 1 ||  
+
| 1 || Secure
 
|}
 
|}
    
= OptionType =
 
= OptionType =
This is the "nn::ssl::sf::OptionType" / "nn::ssl::Connection::OptionType" enum.
+
This is "nn::ssl::sf::OptionType" or "nn::ssl::Connection::OptionType".
 +
 
 +
{| class="wikitable" border="1"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0 || DoNotCloseSocket
 +
|-
 +
| 1 || [3.0.0+] GetServerCertChain
 +
|-
 +
| 2 || [5.0.0+] SkipDefaultVerify
 +
|-
 +
| 3 || [9.0.0+] EnableAlpn
 +
|}
    
This corresponds to bool flags.
 
This corresponds to bool flags.
 +
 +
"SkipDefaultVerify" is checked by [[#VerifyOption|SetVerifyOption]] and "EnableAlpn" is only available with [[#SetOption_2|SetOption]].
 +
 +
= AlpnProtoState =
 +
This is "nn::ssl::sf::AlpnProtoState" or "nn::ssl::Connection::AlpnProtoState".
    
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
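Review bot: the sentence added under the OptionType table links [[#VerifyOption|SetVerifyOption]], which lands on the VerifyOption type section, whereas the VerifyOption text itself uses [[#SetVerifyOption]] for the command. Suggest using [[#SetVerifyOption]] here as well. Since SkipDefaultVerify is the flag that lifts the requirement for the PeerCa and HostName bits, a short remark to that effect beside the row would help readers auditing which options weaken verification.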
Line 509: Line 638:  
! Description
 
! Description
 
|-
 
|-
| 0 ||  
+
| 0 || NoSupport
 
|-
 
|-
| 1 || [3.0.0+]
+
| 1 || Negotiated
 
|-
 
|-
| 2 || [5.0.0+] This flag is checked by [[#VerifyOption|SetVerifyOption]].
+
| 2 || NoOverlap
 
|-
 
|-
| 3 || [9.0.0+] Only available with [[#SetOption_2|SetOption]].
+
| 3 || Selected
 +
|-
 +
| 4 || EarlyValue
 
|}
 
|}
  −
= AlpnProtoState =
  −
This is the "nn::ssl::sf::AlpnProtoState" / "nn::ssl::Connection::AlpnProtoState" enum.
      
= CipherInfo =
 
= CipherInfo =
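Review bot: the AlpnProtoState rows carry no firmware version tag, while the only ALPN switch on the page, EnableAlpn, is marked [9.0.0+] in OptionType. Suggest adding the tag to the section intro, and a word on "EarlyValue", which is the one state name in the table that does not explain itself.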
Line 544: Line 672:     
These have the following structure:
 
These have the following structure:
   
{| class="wikitable" border="1"
 
{| class="wikitable" border="1"
 
|-
 
|-
Line 567: Line 694:  
| 0x0
 
| 0x0
 
| 0x4
 
| 0x4
| ID
+
| Id
 
|-
 
|-
 
| 0x4
 
| 0x4