324
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + − + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − Open/close/21 ioctlv but not 15-18
Document /dev/net/ssl usage
{{stub}}
Handles SSL/TLS over TCP. Used for NUS/EC activities, also may be used by games if they want to do encrypted communication.
SSL encryption for wifi
== Ioctl Listing ==
All arguments should be 32-byte aligned (can be either MEM1 or MEM2), most are specified as 32 bytes long but only the first 4 bytes are relevant. The easiest way to do this in code is (for each argument) declare an aligned array of 8 ints then use the first element only.
/dev/net/ssl can remain open between ioctls but it's probably better to open/close it for each command.
All commands should be issued as ioctlvs, even if they have only one input and/or output argument.
NOTE: if the input/output arguments seem backwards, it's because they are. Somebody goofed!
{| class="wikitable"
|-
! Request number
! Name
! Input
! Output
! Notes
|-
| 1
| SSL_NEW
| s32 ssl_context[8]
| u32 verify_options[8], u8 CN[256]
| Generates a new ssl context returned in ssl_context[0]. CN should match the name of the website. verify_options[0] relates to client authentication, observed values are 0 (default), 2 and 11.
|-
| 2
| SSL_CONNECT
| s32 response[8]
| s32 ssl_context[8], s32 socket[8]
| Initialize a SSL connection. ssl_context[0] holds a ssl context id, socket[0] is the fd for an open socket that has already been connect()ed to the host.
|-
| 3
| SSL_HANDSHAKE
| s32 response[8]
| s32 ssl_context[8]
| Attempt an SSL handshake. ssl_context[0] holds a ssl context id. Possible error responses are -9 (host certificate doesn't match CN given to SSL_NEW) or -10 (unable to validate host's identity).
|-
| 4
| SSL_READ
| s32 response[8], void buffer[length]
| s32 ssl_context[8]
| Read at most length bytes from the connection in buffer. The number of bytes actually read is returned in response[0]. The maximum value for length is 32768.
|-
| 5
| SSL_WRITE
| s32 response[8]
| s32 ssl_context[8], const void buffer[length]
| Attempt to write length bytes from buffer to the connected host. The number of bytes actually written is returned in response[0].
|-
| 6
| SSL_SHUTDOWN
| s32 response[8]
| s32 ssl_context[8]
| Destroys an ssl context. The context id must be in ssl_context[0].
|-
| 7
| SSL_SETCLIENTCERT
| #1
| #3
| Unknown, probably allows associating a client certificate with an ssl context for authentication.
|-
| 8
| SSL_SETCLIENTCERTDEFAULT?
| ?
| ?
| ?
|-
| 9
| SSL_REMOVECLIENTCERT
| ?
| ?
| Unknown, probably disassociates a previously set client certificate.
|-
| 10
| SSL_SETROOTCA
| s32 response[8]
| s32 ssl_context[8], const void root[length]
| Associates a certificate for a Root CA with an ssl context. The certificate should be in binary der format.
|-
| 11
| SSL_SETROOTCADEFAULT
| ?
| ?
| ?
|-
| 12
| SSL_DOHANDSHAKEEX
| ?
| ?
| ?
|-
| 13
| SSL_SETBUILTINROOTCA
| s32 response[8]
| s32 ssl_context[8], s32 index[8]
| Use one of the built-in certificates as the Root CA for this context. index[0] specifies which built-in root cert to use.
|-
| 14
| SSL_SETBUILTINCLIENTCERT
| s32 response[8]
| s32 ssl_context[8], s32 index[8]
| Use one of the default client certificates for authentication (if required). index[0] specifies which built-in client cert to use.
|-
| 15
| SSL_DISABLEVERIFYOPTIONFORDEBUG
| s32 response[8]
| s32 ssl_context[8], ?
|
|-
| 20
| SSL_DEBUGGETVERSION
| ?
| ?
|
|-
| 21
| SSL_DEBUGGETTIME
| ?
| ?
|
|}
Normal process for establishing a connection and communicating over SSL:
* Initialize network
* Create a TCP socket using net_socket()
* Connect the socket to the desired SSL port on the host using net_connect()
* Create a new SSL context using SSL_NEW, specify 0 for verify options unless you figure out/want to use client certificate authentication
* Use SSL_SETBUILTINCLIENTCERT with index 0 (or set a specific client cert using SSL_SETCLIENTCERT)
* Use SSL_SETROOTCA with a certificate that can be used to validate the host you're connecting to (or call SSL_SETBUILTINCLIENTCERT with index 0 if you can somehow get Nintendo to validate your site's cert)
* Use SSL_CONNECT
* Use SSL_HANDSHAKE. If response[0]==-9, your site's cert doesn't match the identity given to SSL_NEW. If response[0]==-10, your site's identity couldn't be validated (wasn't signed by Root CA, expired cert, etc.)
* Use SSL_READ/SSL_WRITE as much as you want
* Use SSL_SHUTDOWN
* Call net_close() to clean-up the TCP socket
[[Category:Wii Filesystem]]
[[Category:Wii Filesystem]]