Difference between revisions of "SceLibSsl"

From Vita Development Wiki
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This module implements TLS for the Vita in most use cases (including PSN access). Notably, WebKit does not seem to use this but it shares the CA list in <code>vs0:data/external/cert/CA_LIST.cer</code>. CA_LIST.cer includes all the usual root CAs and in addition, 5 SCE signed ROOT CAs. Note that because the SCE root CAs are also used in WebKit and other apps (email for example), it is possible for Sony to do a [https://en.wikipedia.org/wiki/Man-in-the-middle_attack MITM] attack on any of their users. This is a privacy hole for users, but it seems that the same policy is in place in PSP, PS3, and likely PS4 as well. Although CA_LIST.cer is unsigned, just like in later PS3 firmwares, Sony stores the hash of all certificates in SceLibSsl (which itself is signed). This makes an theoretical attack of adding a root CA on an updated Vita in order to extract the platform passphrase impossible.
+
This module implements TLS for the PS Vita in most use cases (including PSN access). Notably, WebKit does not seem to use this but it shares the CA list in <code>vs0:data/external/cert/CA_LIST.cer</code>. CA_LIST.cer includes all the usual root CAs and in addition, 5 SCE signed ROOT CAs. Note that because the SCE root CAs are also used in WebKit and other apps (email for example), it is possible for Sony to do a [https://en.wikipedia.org/wiki/Man-in-the-middle_attack MITM] attack on any of their users. This is a privacy hole for users, but it seems that the same policy is in place in PSP, PS3, and likely PS4 as well. Although CA_LIST.cer is unsigned, just like in later PS3 firmwares, Sony stores the hash of all certificates in [[SceLibSsl]] (which itself is signed). This makes impossible a theoretical attack of adding a root CA on an updated PS Vita in order to extract the platform passphrase.
  
 
== Module ==
 
== Module ==
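Review bot: In the added paragraph, [[SceLibSsl]] links the page to itself (the page title is SceLibSsl), so MediaWiki renders it as bold text rather than a link; the plain text used in the previous revision reads better. The final sentence is also hard to parse with "makes impossible" placed ahead of its object; consider "This rules out a theoretical attack of adding a root CA on an updated PS Vita in order to extract the platform passphrase."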
Line 25: Line 25:
 
== SceSslInternal ==
 
== SceSslInternal ==
  
=== Internal Get CA ===
+
=== internal_get_ca ===
Obtains a certificate from <code>vs0:data/external/cert/CA_LIST.cer</code>. If <code>unk</code>, <code>buf</code>, and <code>unk2</code> are zero, then get the size of the certificate. Otherwise, load the certificate (PEM) into <code>buf</code>. The file offset and size in <code>CA_LIST.cer</code> is hard coded into the function for each given id pair. There is also a hard coded list of SHA1 hashes for each certificate that is checked against before returning.
+
{| class="wikitable"
 +
! Version !! NID
 +
|-
 +
| 3.60 || 0x064DFC99
 +
|}
 +
 
 +
Obtains a certificate from <code>vs0:data/external/cert/CA_LIST.cer</code>. If <code>unk</code>, <code>buf</code>, and <code>unk2</code> are zero, then get the size of the certificate. Otherwise, load the certificate (PEM) into <code>buf</code>. The file offset and size in <code>CA_LIST.cer</code> are hardcoded into the function for each given id pair. There is also a hardcoded list of SHA1 hashes for each certificate that is checked against before returning.
 +
 
 +
<source lang="C">int internal_get_ca(int id1, int id2, int unk, char *buf, int unk2, size_t *size);</source>
 +
 
 +
== Subroutines ==
 +
 
 +
=== SSL_CIPHER_description ===
 +
{| class="wikitable"
 +
! Version !! Platform !! Offset !! Mode
 +
|-
 +
| 3.60 || CEX/DEX/Tool || 0x19B92 || Thumb
 +
|}
  
 +
<source lang="C">char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len);</source>
 +
 +
=== SSL_CIPHER_get_version ===
 
{| class="wikitable"
 
{| class="wikitable"
 +
! Version !! Platform !! Offset !! Mode
 
|-
 
|-
! Version
+
| 3.60 || CEX/DEX/Tool || 0x19E02 || Thumb
! NID
+
|}
 +
 
 +
<source lang="C">char *SSL_CIPHER_get_version(const SSL_CIPHER *c);</source>
 +
 
 +
=== ERR_raise ===
 +
{| class="wikitable"
 +
! Version !! Platform !! Offset !! Mode
 
|-
 
|-
| 3.60
+
| 3.60 || CEX/DEX/Tool || 0x1B7C0 || Thumb
| 0x064DFC99
 
 
|}
 
|}
<source lang="c">int internal_get_ca(int id1, int id2, int unk, char *buf, int unk2, size_t *size);</source>
 
  
[[Category:Modules]]
+
 
[[Category:Userland]]
+
 
 +
 
 +
[[Category:Modules]][[Category:Usermode]]
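Review bot: The new ERR_raise section carries only the offset table, while SSL_CIPHER_description and SSL_CIPHER_get_version each have a prototype in a source block; add the ERR_raise prototype or mark it as unknown. For internal_get_ca, the description still leaves the return value and the roles of unk and unk2 undocumented, and does not say what happens when only some of unk, buf and unk2 are zero; a short note on what is known would help. The category also changes from Userland to Usermode with no explanation visible in this hunk.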

Revision as of 07:48, 23 February 2022

This module implements TLS for the PS Vita in most use cases (including PSN access). Notably, WebKit does not seem to use it, but it shares the CA list in <code>vs0:data/external/cert/CA_LIST.cer</code>. CA_LIST.cer includes all the usual root CAs and, in addition, 5 SCE-signed root CAs. Because the SCE root CAs are also used in WebKit and other apps (email, for example), it is possible for Sony to do a MITM attack on any of their users. This is a privacy hole for users, but it seems that the same policy is in place in PSP, PS3, and likely PS4 as well. Although CA_LIST.cer is unsigned, just like in later PS3 firmwares, Sony stores the hash of all certificates in SceLibSsl (which itself is signed). This rules out a theoretical attack of adding a root CA on an updated PS Vita in order to extract the platform passphrase.

== Module ==

{| class="wikitable"
! Version !! Name !! World !! Privilege
|-
| 3.60 || SceLibSsl || Non-secure || User
|}

== Libraries ==

=== Known NIDs ===

{| class="wikitable"
! Version !! Name !! World !! Visibility !! NID
|-
| 3.60 || SceSsl || Non-secure || User || 0xCAF5F2E9
|-
| 3.60 || SceSslInternal || Non-secure || User || 0x68D6C3FF
|}

== SceSslInternal ==

=== internal_get_ca ===

{| class="wikitable"
! Version !! NID
|-
| 3.60 || 0x064DFC99
|}

Obtains a certificate from <code>vs0:data/external/cert/CA_LIST.cer</code>. If <code>unk</code>, <code>buf</code>, and <code>unk2</code> are zero, the function only gets the size of the certificate. Otherwise, it loads the certificate (PEM) into <code>buf</code>. The file offset and size in <code>CA_LIST.cer</code> are hardcoded into the function for each given id pair. There is also a hardcoded list of SHA-1 hashes for each certificate, which the certificate is checked against before returning.

<source lang="C">int internal_get_ca(int id1, int id2, int unk, char *buf, int unk2, size_t *size);</source>
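The lookup described above (a hardcoded offset and size per id pair, a size-only query when no buffer is passed, and a pinned SHA-1 checked before returning) can be modelled as follows. This is an added illustration, not SceLibSsl code: the id pairs, the bundle contents, the error handling and the choice to hash the PEM bytes are all assumptions.

```python
import hashlib

# Constructed stand-in for CA_LIST.cer: two placeholder PEM entries back to back.
CERT_A = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQQ==\n-----END CERTIFICATE-----\n"
CERT_B = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQg==\n-----END CERTIFICATE-----\n"
BUNDLE = CERT_A + CERT_B

def _entry(offset, blob):
    return (offset, len(blob), hashlib.sha1(blob).hexdigest())

# Stand-in for the table compiled into the signed module:
# (id1, id2) -> (file offset, size, pinned SHA-1). The id pairs are made up,
# and hashing the PEM bytes (rather than DER) is an assumption.
PINNED = {
    (0, 1): _entry(0, CERT_A),
    (0, 2): _entry(len(CERT_A), CERT_B),
}

class CaError(Exception):
    """Raised instead of the (undocumented) native error codes."""

def get_ca(bundle, id1, id2, buf=None):
    """buf=None models the size query; otherwise the certificate is copied
    into buf only after it matches the pinned hash."""
    entry = PINNED.get((id1, id2))
    if entry is None:
        raise CaError("unknown id pair")
    offset, size, pinned_sha1 = entry
    if buf is None:
        return size
    if len(buf) < size:
        raise CaError("buffer too small")
    data = bundle[offset:offset + size]
    if len(data) != size or hashlib.sha1(data).hexdigest() != pinned_sha1:
        raise CaError("certificate does not match pinned SHA-1")
    buf[:size] = data
    return size

def load(bundle, id1, id2):
    """Two-call pattern: query the size, allocate, then do the verified copy."""
    size = get_ca(bundle, id1, id2)
    buf = bytearray(size)
    get_ca(bundle, id1, id2, buf)
    return bytes(buf)
```

Because both the offsets and the hashes live in the signed module, a certificate appended to the unsigned file is never reachable through any id pair, and a modified existing entry fails the hash check.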

== Subroutines ==

=== SSL_CIPHER_description ===

{| class="wikitable"
! Version !! Platform !! Offset !! Mode
|-
| 3.60 || CEX/DEX/Tool || 0x19B92 || Thumb
|}

<source lang="C">char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len);</source>

=== SSL_CIPHER_get_version ===

{| class="wikitable"
! Version !! Platform !! Offset !! Mode
|-
| 3.60 || CEX/DEX/Tool || 0x19E02 || Thumb
|}

<source lang="C">char *SSL_CIPHER_get_version(const SSL_CIPHER *c);</source>

=== ERR_raise ===

{| class="wikitable"
! Version !! Platform !! Offset !! Mode
|-
| 3.60 || CEX/DEX/Tool || 0x1B7C0 || Thumb
|}