Line 1: |
Line 1: |
− | {{stub}} | + | Handles SSL/TLS over TCP. Used for NUS/EC activities, also may be used by games if they want to do encrypted communication. |
− | SSL encryption for wifi | + | |
| + | == Ioctl Listing == |
| + | |
| + | All arguments should be 32-byte aligned (can be either MEM1 or MEM2), most are specified as 32 bytes long but only the first 4 bytes are relevant. The easiest way to do this in code is (for each argument) declare an aligned array of 8 ints then use the first element only. |
| + | /dev/net/ssl can remain open between ioctls but it's probably better to open/close it for each command. |
| + | All commands should be issued as ioctlvs, even if they have only one input and/or output argument. |
| + | |
| + | NOTE: if the input/output arguments seem backwards, it's because they are. Somebody goofed! |
| + | |
| + | {| class="wikitable" |
| + | |- |
| + | ! Request number |
| + | ! Name |
| + | ! Input |
| + | ! Output |
| + | ! Notes |
| + | |- |
| + | | 1 |
| + | | SSL_NEW |
| + | | s32 ssl_context[8] |
| + | | u32 verify_options[8], u8 CN[256] |
| + | | Generates a new ssl context returned in ssl_context[0]. CN should match the name of the website. verify_options[0] relates to client authentication, observed values are 0 (default), 2 and 11. |
| + | |- |
| + | | 2 |
| + | | SSL_CONNECT |
| + | | s32 response[8] |
| + | | s32 ssl_context[8], s32 socket[8] |
| + | | Initialize a SSL connection. ssl_context[0] holds a ssl context id, socket[0] is the fd for an open socket that has already been connect()ed to the host. |
| + | |- |
| + | | 3 |
| + | | SSL_HANDSHAKE |
| + | | s32 response[8] |
| + | | s32 ssl_context[8] |
| + | | Attempt an SSL handshake. ssl_context[0] holds a ssl context id. Possible error responses are -9 (host certificate doesn't match CN given to SSL_NEW) or -10 (unable to validate host's identity). |
| + | |- |
| + | | 4 |
| + | | SSL_READ |
| + | | s32 response[8], void buffer[length] |
| + | | s32 ssl_context[8] |
| + | | Read at most length bytes from the connection in buffer. The number of bytes actually read is returned in response[0]. The maximum value for length is 32768. |
| + | |- |
| + | | 5 |
| + | | SSL_WRITE |
| + | | s32 response[8] |
| + | | s32 ssl_context[8], const void buffer[length] |
| + | | Attempt to write length bytes from buffer to the connected host. The number of bytes actually written is returned in response[0]. |
| + | |- |
| + | | 6 |
| + | | SSL_SHUTDOWN |
| + | | s32 response[8] |
| + | | s32 ssl_context[8] |
| + | | Destroys an ssl context. The context id must be in ssl_context[0]. |
| + | |- |
| + | | 7 |
| + | | SSL_SETCLIENTCERT |
| + | | #1 |
| + | | #3 |
| + | | Unknown, probably allows associating a client certificate with an ssl context for authentication. |
| + | |- |
| + | | 8 |
| + | | SSL_SETCLIENTCERTDEFAULT? |
| + | | ? |
| + | | ? |
| + | | ? |
| + | |- |
| + | | 9 |
| + | | SSL_REMOVECLIENTCERT |
| + | | ? |
| + | | ? |
| + | | Unknown, probably disassociates a previously set client certificate. |
| + | |- |
| + | | 10 |
| + | | SSL_SETROOTCA |
| + | | s32 response[8] |
| + | | s32 ssl_context[8], const void root[length] |
| + | | Associates a certificate for a Root CA with an ssl context. The certificate should be in binary der format. |
| + | |- |
| + | | 11 |
| + | | SSL_SETROOTCADEFAULT |
| + | | ? |
| + | | ? |
| + | | ? |
| + | |- |
| + | | 12 |
| + | | SSL_DOHANDSHAKEEX |
| + | | ? |
| + | | ? |
| + | | ? |
| + | |- |
| + | | 13 |
| + | | SSL_SETBUILTINROOTCA |
| + | | s32 response[8] |
| + | | s32 ssl_context[8], s32 index[8] |
| + | | Use one of the built-in certificates as the Root CA for this context. index[0] specifies which built-in root cert to use. |
| + | |- |
| + | | 14 |
| + | | SSL_SETBUILTINCLIENTCERT |
| + | | s32 response[8] |
| + | | s32 ssl_context[8], s32 index[8] |
| + | | Use one of the default client certificates for authentication (if required). index[0] specifies which built-in client cert to use. |
| + | |- |
| + | | 15 |
| + | | SSL_DISABLEVERIFYOPTIONFORDEBUG |
| + | | s32 response[8] |
| + | | s32 ssl_context[8], ? |
| + | | |
| + | |- |
| + | | 20 |
| + | | SSL_DEBUGGETVERSION |
| + | | ? |
| + | | ? |
| + | | |
| + | |- |
| + | | 21 |
| + | | SSL_DEBUGGETTIME |
| + | | ? |
| + | | ? |
| + | | |
| + | |} |
| + | |
| + | Normal process for establishing a connection and communicating over SSL: |
| + | * Initialize network |
| + | * Create a TCP socket using net_socket() |
| + | * Connect the socket to the desired SSL port on the host using net_connect() |
| + | * Create a new SSL context using SSL_NEW, specify 0 for verify options unless you figure out/want to use client certificate authentication |
| + | * Use SSL_SETBUILTINCLIENTCERT with index 0 (or set a specific client cert using SSL_SETCLIENTCERT) |
| + | * Use SSL_SETROOTCA with a certificate that can be used to validate the host you're connecting to (or call SSL_SETBUILTINCLIENTCERT with index 0 if you can somehow get Nintendo to validate your site's cert) |
| + | * Use SSL_CONNECT |
| + | * Use SSL_HANDSHAKE. If response[0]==-9, your site's cert doesn't match the identity given to SSL_NEW. If response[0]==-10, your site's identity couldn't be validated (wasn't signed by Root CA, expired cert, etc.) |
| + | * Use SSL_READ/SSL_WRITE as much as you want |
| + | * Use SSL_SHUTDOWN |
| + | * Call net_close() to clean-up the TCP socket |
| | | |
− | Open/close/21 ioctlv but not 15-18
| |
| | | |
| [[Category:Wii Filesystem]] | | [[Category:Wii Filesystem]] |