SceLibSsl: Difference between revisions
No edit summary |
No edit summary |
||
(6 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
This module implements TLS for the Vita in most use cases (including PSN access). Notably, WebKit does not seem to use this but it shares the CA list in <code>vs0:data/external/cert/CA_LIST.cer</code>. CA_LIST.cer includes all the usual root CAs and in addition, 5 SCE signed ROOT CAs. Note that because the SCE root CAs are also used in WebKit and other apps (email for example), it is possible for Sony to do a [https://en.wikipedia.org/wiki/Man-in-the-middle_attack MITM] attack on any of their users. This is a privacy hole for users, but it seems that the same policy is in place in PSP, PS3, and likely PS4 as well. Although CA_LIST.cer is unsigned, just like in later PS3 firmwares, Sony stores the hash of all certificates in SceLibSsl (which itself is signed). This makes | This module implements TLS for the PS Vita in most use cases (including PSN access). | ||
[[SceLibSsl]] is a port of RSA BSAFE® Crypto-C Micro Edition. See also the unstripped binaries of [https://github.com/sakata2kr/sso/tree/main/webagent/CAPKI/CAPKI5/Linux/amd64/64/lib RSA BSAFE® Crypto-C Micro Edition]. | |||
Notably, WebKit does not seem to use this but it shares the CA list in <code>vs0:data/external/cert/CA_LIST.cer</code>. CA_LIST.cer includes all the usual root CAs and in addition, 5 SCE signed ROOT CAs. Note that because the SCE root CAs are also used in WebKit and other apps (email for example), it is possible for Sony to do a [https://en.wikipedia.org/wiki/Man-in-the-middle_attack MITM] attack on any of their users. This is a privacy hole for users, but it seems that the same policy is in place in PSP, PS3, and likely PS4 as well. Although CA_LIST.cer is unsigned, just like in later PS3 firmwares, Sony stores the hash of all certificates in [[SceLibSsl]] (which itself is signed). This makes impossible a theoretical attack of adding a root CA on an updated PS Vita in order to extract the platform passphrase. | |||
== Module == | == Module == | ||
{| class="wikitable" | {| class="wikitable" | ||
|- | |- | ||
! Version | ! Version !! World !! Privilege | ||
|- | |- | ||
| 3.60 | | 3.60 || Non-secure || User | ||
|} | |} | ||
Line 27: | Line 29: | ||
== SceSslInternal == | == SceSslInternal == | ||
=== | === internal_get_ca === | ||
Obtains a certificate from <code>vs0:data/external/cert/CA_LIST.cer</code>. If <code>unk</code>, <code>buf</code>, and <code>unk2</code> are zero, then get the size of the certificate. Otherwise, load the certificate (PEM) into <code>buf</code>. The file offset and size in <code>CA_LIST.cer</code> | {| class="wikitable" | ||
! Version !! NID | |||
|- | |||
| 3.60 || 0x064DFC99 | |||
|} | |||
Obtains a certificate from <code>vs0:data/external/cert/CA_LIST.cer</code>. If <code>unk</code>, <code>buf</code>, and <code>unk2</code> are zero, then get the size of the certificate. Otherwise, load the certificate (PEM) into <code>buf</code>. The file offset and size in <code>CA_LIST.cer</code> are hardcoded into the function for each given id pair. There is also a hardcoded list of SHA1 hashes for each certificate that is checked against before returning. | |||
<source lang="C">int internal_get_ca(int id1, int id2, int unk, char *buf, int unk2, size_t *size);</source> | |||
== Subroutines == | |||
=== SSL_CIPHER_description === | |||
{| class="wikitable" | {| class="wikitable" | ||
! Version !! Platform !! Offset !! Mode | |||
|- | |- | ||
! Version | | 3.60 || CEX/DEX/Tool || 0x19B92 || Thumb | ||
! | |} | ||
<source lang="C">char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len);</source> | |||
=== SSL_CIPHER_get_version === | |||
{| class="wikitable" | |||
! Version !! Platform !! Offset !! Mode | |||
|- | |||
| 3.60 || CEX/DEX/Tool || 0x19E02 || Thumb | |||
|} | |||
<source lang="C">char *SSL_CIPHER_get_version(const SSL_CIPHER *c);</source> | |||
=== ERR_raise === | |||
{| class="wikitable" | |||
! Version !! Platform !! Offset !! Mode | |||
|- | |- | ||
| 3.60 | | 3.60 || CEX/DEX/Tool || 0x1B7C0 || Thumb | ||
| | |||
|} | |} | ||
[[Category:ARM]] | |||
[[Category:Usermode]] | |||
[[Category:Modules]] | [[Category:Modules]] | ||
[[Category: | [[Category:Library]] |
Latest revision as of 21:09, 1 May 2023
This module implements TLS for the PS Vita in most use cases (including PSN access).
SceLibSsl is a port of RSA BSAFE® Crypto-C Micro Edition. See also the unstripped binaries of RSA BSAFE® Crypto-C Micro Edition.
Notably, WebKit does not seem to use this but it shares the CA list in vs0:data/external/cert/CA_LIST.cer
. CA_LIST.cer includes all the usual root CAs and in addition, 5 SCE signed ROOT CAs. Note that because the SCE root CAs are also used in WebKit and other apps (email for example), it is possible for Sony to do a MITM attack on any of their users. This is a privacy hole for users, but it seems that the same policy is in place in PSP, PS3, and likely PS4 as well. Although CA_LIST.cer is unsigned, just like in later PS3 firmwares, Sony stores the hash of all certificates in SceLibSsl (which itself is signed). This makes impossible a theoretical attack of adding a root CA on an updated PS Vita in order to extract the platform passphrase.
Module
Version | World | Privilege |
---|---|---|
3.60 | Non-secure | User |
Libraries
Known NIDs
Version | Name | World | Visibility | NID |
---|---|---|---|---|
3.60 | SceSsl | Non-secure | User | 0xCAF5F2E9 |
3.60 | SceSslInternal | Non-secure | User | 0x68D6C3FF |
SceSslInternal
internal_get_ca
Version | NID |
---|---|
3.60 | 0x064DFC99 |
Obtains a certificate from vs0:data/external/cert/CA_LIST.cer
. If unk
, buf
, and unk2
are zero, then get the size of the certificate. Otherwise, load the certificate (PEM) into buf
. The file offset and size in CA_LIST.cer
are hardcoded into the function for each given id pair. There is also a hardcoded list of SHA1 hashes for each certificate that is checked against before returning.
int internal_get_ca(int id1, int id2, int unk, char *buf, int unk2, size_t *size);
Subroutines
SSL_CIPHER_description
Version | Platform | Offset | Mode |
---|---|---|---|
3.60 | CEX/DEX/Tool | 0x19B92 | Thumb |
char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len);
SSL_CIPHER_get_version
Version | Platform | Offset | Mode |
---|---|---|---|
3.60 | CEX/DEX/Tool | 0x19E02 | Thumb |
char *SSL_CIPHER_get_version(const SSL_CIPHER *c);
ERR_raise
Version | Platform | Offset | Mode |
---|---|---|---|
3.60 | CEX/DEX/Tool | 0x1B7C0 | Thumb |