From 170d0588a7260069c57bfc3bc99d08975cc0558c Mon Sep 17 00:00:00 2001 From: Sepalani Date: Tue, 16 Jun 2015 21:48:09 +0200 Subject: [PATCH 1/7] Replaced DEBUG_SSL with INI options --- Source/Core/Core/ConfigManager.cpp | 18 ++++++++++++++++++ Source/Core/Core/ConfigManager.h | 6 ++++++ Source/Core/Core/IPC_HLE/WII_Socket.cpp | 20 ++++++++++---------- 3 files changed, 34 insertions(+), 10 deletions(-) diff --git a/Source/Core/Core/ConfigManager.cpp b/Source/Core/Core/ConfigManager.cpp index 47f2abe044..a473532ca9 100644 --- a/Source/Core/Core/ConfigManager.cpp +++ b/Source/Core/Core/ConfigManager.cpp @@ -82,6 +82,7 @@ void SConfig::SaveSettings() SaveInputSettings(ini); SaveFifoPlayerSettings(ini); SaveAnalyticsSettings(ini); + SaveNetworkSettings(ini); ini.Save(File::GetUserPath(F_DOLPHINCONFIG_IDX)); m_SYSCONF->Save(); @@ -312,6 +313,14 @@ void SConfig::SaveFifoPlayerSettings(IniFile& ini) fifoplayer->Set("LoopReplay", bLoopFifoReplay); } +void SConfig::SaveNetworkSettings(IniFile& ini) +{ + IniFile::Section* network = ini.GetOrCreateSection("Network"); + + network->Set("SSLDumpRead", m_SSLDumpRead); + network->Set("SSLDumpWrite", m_SSLDumpWrite); +} + void SConfig::SaveAnalyticsSettings(IniFile& ini) { IniFile::Section* analytics = ini.GetOrCreateSection("Analytics"); @@ -336,6 +345,7 @@ void SConfig::LoadSettings() LoadDSPSettings(ini); LoadInputSettings(ini); LoadFifoPlayerSettings(ini); + LoadNetworkSettings(ini); LoadAnalyticsSettings(ini); m_SYSCONF = new SysConf(); @@ -602,6 +612,14 @@ void SConfig::LoadFifoPlayerSettings(IniFile& ini) fifoplayer->Get("LoopReplay", &bLoopFifoReplay, true); } +void SConfig::LoadNetworkSettings(IniFile& ini) +{ + IniFile::Section* network = ini.GetOrCreateSection("Network"); + + network->Get("SSLDumpRead", &m_SSLDumpRead, false); + network->Get("SSLDumpWrite", &m_SSLDumpWrite, false); +} + void SConfig::LoadAnalyticsSettings(IniFile& ini) { IniFile::Section* analytics = ini.GetOrCreateSection("Analytics"); 
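Review bot: The two new Network keys switch on writing the plaintext that is handed to mbedtls_ssl_write and returned by mbedtls_ssl_read to disk, but nothing in LoadNetworkSettings or SaveNetworkSettings says so, and a reader of the INI code cannot tell these are dumps of decrypted traffic rather than ordinary network options. A one-line comment above the Get calls would do: `// SSLDumpRead/SSLDumpWrite write the decrypted payload of emulated SSL sockets to disk (debugging aid, off by default).` Separately, SaveSettings calls SaveNetworkSettings after SaveAnalyticsSettings while LoadSettings calls LoadNetworkSettings before LoadAnalyticsSettings; harmless, but the two lists are easier to keep in sync when their order matches.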
diff --git a/Source/Core/Core/ConfigManager.h b/Source/Core/Core/ConfigManager.h index a05e93c287..642758e00c 100644 --- a/Source/Core/Core/ConfigManager.h +++ b/Source/Core/Core/ConfigManager.h @@ -273,6 +273,10 @@ struct SConfig : NonCopyable bool m_AdapterRumble[4]; bool m_AdapterKonga[4]; + // Network settings + bool m_SSLDumpRead; + bool m_SSLDumpWrite; + SysConf* m_SYSCONF; // Save settings @@ -299,6 +303,7 @@ private: void SaveInputSettings(IniFile& ini); void SaveMovieSettings(IniFile& ini); void SaveFifoPlayerSettings(IniFile& ini); + void SaveNetworkSettings(IniFile& ini); void SaveAnalyticsSettings(IniFile& ini); void LoadGeneralSettings(IniFile& ini); @@ -310,6 +315,7 @@ private: void LoadInputSettings(IniFile& ini); void LoadMovieSettings(IniFile& ini); void LoadFifoPlayerSettings(IniFile& ini); + void LoadNetworkSettings(IniFile& ini); void LoadAnalyticsSettings(IniFile& ini); static SConfig* m_Instance; diff --git a/Source/Core/Core/IPC_HLE/WII_Socket.cpp b/Source/Core/Core/IPC_HLE/WII_Socket.cpp index 1608316061..229073bbfd 100644 --- a/Source/Core/Core/IPC_HLE/WII_Socket.cpp +++ b/Source/Core/Core/IPC_HLE/WII_Socket.cpp @@ -8,6 +8,7 @@ #endif #include "Common/FileUtil.h" +#include "Core/ConfigManager.h" #include "Core/Core.h" #include "Core/IPC_HLE/WII_IPC_HLE.h" #include "Core/IPC_HLE/WII_IPC_HLE_Device.h" @@ -344,10 +345,10 @@ void WiiSocket::Update(bool read, bool write, bool except) int ret = mbedtls_ssl_write(&CWII_IPC_HLE_Device_net_ssl::_SSL[sslID].ctx, Memory::GetPointer(BufferOut2), BufferOutSize2); -#ifdef DEBUG_SSL - File::IOFile("ssl_write.bin", "ab") - .WriteBytes(Memory::GetPointer(BufferOut2), BufferOutSize2); -#endif + if (SConfig::GetInstance().m_SSLDumpWrite && ret > 0) + File::IOFile("ssl_write.bin", "ab") + .WriteBytes(Memory::GetPointer(BufferOut2), ret); + if (ret >= 0) { // Return bytes written or SSL_ERR_ZERO if none 
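Review bot: `ssl_write.bin` is a bare relative name, so the decrypted payload lands in whatever the process's current directory happens to be rather than under the user's dump directory, and the file is reopened on every call with the result of WriteBytes discarded, so a failure to open or write it is silent. The same applies to `ssl_read.bin` in the `@@ -378,12 +379,11 @@` hunk that follows. Building the name from `File::GetUserPath(...)` and logging a failed WriteBytes once with ERROR_LOG (not per call) would cover both. WiiSocket::Update starts and ends outside the hunk.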
@@ -378,12 +379,11 @@ void WiiSocket::Update(bool read, bool write, bool except) { int ret = mbedtls_ssl_read(&CWII_IPC_HLE_Device_net_ssl::_SSL[sslID].ctx, Memory::GetPointer(BufferIn2), BufferInSize2); -#ifdef DEBUG_SSL - if (ret > 0) - { - File::IOFile("ssl_read.bin", "ab").WriteBytes(Memory::GetPointer(BufferIn2), ret); - } -#endif + + if (SConfig::GetInstance().m_SSLDumpRead && ret > 0) + File::IOFile("ssl_read.bin", "ab") + .WriteBytes(Memory::GetPointer(BufferIn2), ret); + if (ret >= 0) { // Return bytes read or SSL_ERR_ZERO if none From d3be9d155da6d53e5cd6fc7e2eafe2488abecdd0 Mon Sep 17 00:00:00 2001 From: Sepalani Date: Sun, 7 Jun 2015 00:49:18 +0200 Subject: [PATCH 2/7] Fixed: Allowed unknown certificates --- .../IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp | 2 +- Source/Core/Core/IPC_HLE/WII_Socket.cpp | 22 ++++++++++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp index 4a4e9823b3..bfd51243d3 100644 --- a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp +++ b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp @@ -174,7 +174,7 @@ IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) mbedtls_ssl_set_session(&ssl->ctx, &ssl->session); - mbedtls_ssl_conf_authmode(&ssl->config, MBEDTLS_SSL_VERIFY_NONE); + mbedtls_ssl_conf_authmode(&ssl->config, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_renegotiation(&ssl->config, MBEDTLS_SSL_RENEGOTIATION_ENABLED); ssl->hostname = hostname; diff --git a/Source/Core/Core/IPC_HLE/WII_Socket.cpp b/Source/Core/Core/IPC_HLE/WII_Socket.cpp index 229073bbfd..e956168116 100644 --- a/Source/Core/Core/IPC_HLE/WII_Socket.cpp +++ b/Source/Core/Core/IPC_HLE/WII_Socket.cpp 
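Review bot: Requiring verification only helps if a trust anchor and the expected hostname are configured on the same context; the hunk stores `ssl->hostname = hostname`, but whether `mbedtls_ssl_set_hostname` and `mbedtls_ssl_conf_ca_chain` are called is outside the hunk and should be confirmed, since without the hostname mbedtls does not check the CN/SAN and MBEDTLS_X509_BADCERT_CN_MISMATCH can never be reported. A comment on the changed line would tell the next reader where failures go: `// Verification failures surface as MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in WiiSocket::Update and are mapped to SSL_ERR_V* codes there.` The enclosing IOCtlV starts and ends outside the hunk.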
@@ -312,7 +312,8 @@ void WiiSocket::Update(bool read, bool write, bool except) { case IOCTLV_NET_SSL_DOHANDSHAKE: { - int ret = mbedtls_ssl_handshake(&CWII_IPC_HLE_Device_net_ssl::_SSL[sslID].ctx); + mbedtls_ssl_context* ctx = &CWII_IPC_HLE_Device_net_ssl::_SSL[sslID].ctx; + int ret = mbedtls_ssl_handshake(ctx); switch (ret) { case 0: @@ -328,6 +329,25 @@ void WiiSocket::Update(bool read, bool write, bool except) if (!nonBlock) ReturnValue = SSL_ERR_WAGAIN; break; + case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: + { + int flags = ctx->session_negotiate->verify_result; + if (flags & MBEDTLS_X509_BADCERT_CN_MISMATCH) + ret = SSL_ERR_VCOMMONNAME; + else if (flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) + ret = SSL_ERR_VROOTCA; + else if (flags & MBEDTLS_X509_BADCERT_REVOKED) + ret = SSL_ERR_VCHAIN; + else if (flags & MBEDTLS_X509_BADCERT_EXPIRED || + flags & MBEDTLS_X509_BADCERT_FUTURE) + ret = SSL_ERR_VDATE; + else + ret = SSL_ERR_FAILED; + Memory::Write_U32(ret, BufferIn); + if (!nonBlock) + ReturnValue = ret; + break; + } default: Memory::Write_U32(SSL_ERR_FAILED, BufferIn); break; From 1fdf75039594a19b4918dad635aead18863f47b7 Mon Sep 17 00:00:00 2001 From: Sepalani Date: Tue, 9 Jun 2015 20:23:56 +0200 Subject: [PATCH 3/7] Added: INI option to verify SSL cert --- Source/Core/Core/ConfigManager.cpp | 2 ++ Source/Core/Core/ConfigManager.h | 1 + Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp | 6 +++++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/Source/Core/Core/ConfigManager.cpp b/Source/Core/Core/ConfigManager.cpp index a473532ca9..97e9d9dd20 100644 --- a/Source/Core/Core/ConfigManager.cpp +++ b/Source/Core/Core/ConfigManager.cpp @@ -319,6 +319,7 @@ void SConfig::SaveNetworkSettings(IniFile& ini) network->Set("SSLDumpRead", m_SSLDumpRead); network->Set("SSLDumpWrite", m_SSLDumpWrite); + network->Set("SSLVerifyCert", m_SSLVerifyCert); } void SConfig::SaveAnalyticsSettings(IniFile& ini) 
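Review bot: `ctx->session_negotiate->verify_result` reads two mbedtls-internal fields and dereferences `session_negotiate` without a null check; the public `mbedtls_ssl_get_verify_result(ctx)` returns the same flags as a `uint32_t` without depending on the struct layout, so `uint32_t flags = mbedtls_ssl_get_verify_result(ctx);` is the safer line. The flag tests are ordered so that a certificate that is both untrusted and name-mismatched reports SSL_ERR_VCOMMONNAME rather than SSL_ERR_VROOTCA; if that priority is deliberate it deserves a comment, otherwise NOT_TRUSTED is the more fundamental failure and should be tested first. `ret` is also reused to carry the SSL_ERR_* code after holding the mbedtls return value, which is easy to misread. The enclosing switch starts and ends outside the hunk.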
@@ -618,6 +619,7 @@ void SConfig::LoadNetworkSettings(IniFile& ini) network->Get("SSLDumpRead", &m_SSLDumpRead, false); network->Get("SSLDumpWrite", &m_SSLDumpWrite, false); + network->Get("SSLVerifyCert", &m_SSLVerifyCert, false); } void SConfig::LoadAnalyticsSettings(IniFile& ini) diff --git a/Source/Core/Core/ConfigManager.h b/Source/Core/Core/ConfigManager.h index 642758e00c..41f6cd90c3 100644 --- a/Source/Core/Core/ConfigManager.h +++ b/Source/Core/Core/ConfigManager.h @@ -276,6 +276,7 @@ struct SConfig : NonCopyable // Network settings bool m_SSLDumpRead; bool m_SSLDumpWrite; + bool m_SSLVerifyCert; SysConf* m_SYSCONF; diff --git a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp index bfd51243d3..77bdc08011 100644 --- a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp +++ b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp @@ -6,6 +6,7 @@ #include "Common/FileUtil.h" #include "Common/NandPaths.h" +#include "Core/ConfigManager.h" #include "Core/Core.h" #include "Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.h" #include "Core/IPC_HLE/WII_Socket.h" @@ -174,7 +175,10 @@ IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) mbedtls_ssl_set_session(&ssl->ctx, &ssl->session); - mbedtls_ssl_conf_authmode(&ssl->config, MBEDTLS_SSL_VERIFY_REQUIRED); + if (SConfig::GetInstance().m_SSLVerifyCert && verifyOption) + mbedtls_ssl_conf_authmode(&ssl->config, MBEDTLS_SSL_VERIFY_REQUIRED); + else + mbedtls_ssl_conf_authmode(&ssl->config, MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_renegotiation(&ssl->config, MBEDTLS_SSL_RENEGOTIATION_ENABLED); ssl->hostname = hostname; From 529ca245d74b24f5f21fb5ade2c8560f843599e7 Mon Sep 17 00:00:00 2001 
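Review bot: `network->Get("SSLVerifyCert", &m_SSLVerifyCert, false)` makes the certificate verification introduced by the previous patch opt-in, so a default installation still accepts any certificate; that matches the old behavior but is a weak default for a key users will rarely discover. If compatibility with servers that present non-validating chains is the reason, a comment next to the Get call should say so; otherwise `network->Get("SSLVerifyCert", &m_SSLVerifyCert, true);` is the secure default. Either way the meaning of the default should be stated here, since nothing else in the config code documents it.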
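Review bot: When the else branch selects MBEDTLS_SSL_VERIFY_NONE nothing records that the session is unverified, so a user who set SSLVerifyCert but whose title passed a zero `verifyOption` gets a silently unverified connection; `verifyOption` is not visible in the hunk and appears to come from the guest request, which should be confirmed. A log line in the else branch makes this observable, e.g. `INFO_LOG(WII_IPC_SSL, "Certificate verification disabled for %s", hostname.c_str());` (adjust if `hostname` is not a std::string here). The enclosing IOCtlV starts and ends outside the hunk.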
From: Sepalani Date: Sat, 11 Jul 2015 10:31:03 +0200 Subject: [PATCH 4/7] Added: more SSL features, plus SSL dump folder Dump: rootca, peercert --- Source/Core/Common/CommonPaths.h | 1 + Source/Core/Common/FileUtil.cpp | 2 ++ Source/Core/Common/FileUtil.h | 1 + Source/Core/Core/ConfigManager.cpp | 5 ++++ Source/Core/Core/ConfigManager.h | 2 ++ .../IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp | 6 ++++ Source/Core/Core/IPC_HLE/WII_Socket.cpp | 28 ++++++++++++++++--- Source/Core/UICommon/UICommon.cpp | 1 + 8 files changed, 42 insertions(+), 4 deletions(-) diff --git a/Source/Core/Common/CommonPaths.h b/Source/Core/Common/CommonPaths.h index 916e711764..8ef6c2efce 100644 --- a/Source/Core/Common/CommonPaths.h +++ b/Source/Core/Common/CommonPaths.h @@ -64,6 +64,7 @@ #define DUMP_FRAMES_DIR "Frames" #define DUMP_AUDIO_DIR "Audio" #define DUMP_DSP_DIR "DSP" +#define DUMP_SSL_DIR "SSL" #define LOGS_DIR "Logs" #define MAIL_LOGS_DIR "Mail" #define SHADERS_DIR "Shaders" diff --git a/Source/Core/Common/FileUtil.cpp b/Source/Core/Common/FileUtil.cpp index 564ab58d8f..54b52624b4 100644 --- a/Source/Core/Common/FileUtil.cpp +++ b/Source/Core/Common/FileUtil.cpp @@ -786,6 +786,7 @@ static void RebuildUserDirectories(unsigned int dir_index) s_user_paths[D_DUMPAUDIO_IDX] = s_user_paths[D_DUMP_IDX] + DUMP_AUDIO_DIR DIR_SEP; s_user_paths[D_DUMPTEXTURES_IDX] = s_user_paths[D_DUMP_IDX] + DUMP_TEXTURES_DIR DIR_SEP; s_user_paths[D_DUMPDSP_IDX] = s_user_paths[D_DUMP_IDX] + DUMP_DSP_DIR DIR_SEP; + s_user_paths[D_DUMPSSL_IDX] = s_user_paths[D_DUMP_IDX] + DUMP_SSL_DIR DIR_SEP; s_user_paths[D_LOGS_IDX] = s_user_paths[D_USER_IDX] + LOGS_DIR DIR_SEP; s_user_paths[D_MAILLOGS_IDX] = s_user_paths[D_LOGS_IDX] + MAIL_LOGS_DIR DIR_SEP; s_user_paths[D_THEMES_IDX] = s_user_paths[D_USER_IDX] + THEMES_DIR DIR_SEP; 
@@ -829,6 +830,7 @@ static void RebuildUserDirectories(unsigned int dir_index) s_user_paths[D_DUMPAUDIO_IDX] = s_user_paths[D_DUMP_IDX] + DUMP_AUDIO_DIR DIR_SEP; s_user_paths[D_DUMPTEXTURES_IDX] = s_user_paths[D_DUMP_IDX] + DUMP_TEXTURES_DIR DIR_SEP; s_user_paths[D_DUMPDSP_IDX] = s_user_paths[D_DUMP_IDX] + DUMP_DSP_DIR DIR_SEP; + s_user_paths[D_DUMPSSL_IDX] = s_user_paths[D_DUMP_IDX] + DUMP_SSL_DIR DIR_SEP; s_user_paths[F_RAMDUMP_IDX] = s_user_paths[D_DUMP_IDX] + RAM_DUMP; s_user_paths[F_ARAMDUMP_IDX] = s_user_paths[D_DUMP_IDX] + ARAM_DUMP; s_user_paths[F_FAKEVMEMDUMP_IDX] = s_user_paths[D_DUMP_IDX] + FAKEVMEM_DUMP; diff --git a/Source/Core/Common/FileUtil.h b/Source/Core/Common/FileUtil.h index b1168561c4..a5770bbf1a 100644 --- a/Source/Core/Common/FileUtil.h +++ b/Source/Core/Common/FileUtil.h @@ -39,6 +39,7 @@ enum D_DUMPAUDIO_IDX, D_DUMPTEXTURES_IDX, D_DUMPDSP_IDX, + D_DUMPSSL_IDX, D_LOAD_IDX, D_LOGS_IDX, D_MAILLOGS_IDX, diff --git a/Source/Core/Core/ConfigManager.cpp b/Source/Core/Core/ConfigManager.cpp index 97e9d9dd20..690075c590 100644 --- a/Source/Core/Core/ConfigManager.cpp +++ b/Source/Core/Core/ConfigManager.cpp @@ -97,6 +97,7 @@ void CreateDumpPath(const std::string& path) File::SetUserPath(D_DUMP_IDX, path + '/'); File::CreateFullPath(File::GetUserPath(D_DUMPAUDIO_IDX)); File::CreateFullPath(File::GetUserPath(D_DUMPDSP_IDX)); + File::CreateFullPath(File::GetUserPath(D_DUMPSSL_IDX)); File::CreateFullPath(File::GetUserPath(D_DUMPFRAMES_IDX)); File::CreateFullPath(File::GetUserPath(D_DUMPTEXTURES_IDX)); } @@ -320,6 +321,8 @@ void SConfig::SaveNetworkSettings(IniFile& ini) network->Set("SSLDumpRead", m_SSLDumpRead); network->Set("SSLDumpWrite", m_SSLDumpWrite); network->Set("SSLVerifyCert", m_SSLVerifyCert); + network->Set("SSLDumpRootCA", m_SSLDumpRootCA); + network->Set("SSLDumpPeerCert", m_SSLDumpPeerCert); } void SConfig::SaveAnalyticsSettings(IniFile& ini) 
@@ -620,6 +623,8 @@ void SConfig::LoadNetworkSettings(IniFile& ini) network->Get("SSLDumpRead", &m_SSLDumpRead, false); network->Get("SSLDumpWrite", &m_SSLDumpWrite, false); network->Get("SSLVerifyCert", &m_SSLVerifyCert, false); + network->Get("SSLDumpRootCA", &m_SSLDumpRootCA, false); + network->Get("SSLDumpPeerCert", &m_SSLDumpPeerCert, false); } void SConfig::LoadAnalyticsSettings(IniFile& ini) diff --git a/Source/Core/Core/ConfigManager.h b/Source/Core/Core/ConfigManager.h index 41f6cd90c3..44b681d0b7 100644 --- a/Source/Core/Core/ConfigManager.h +++ b/Source/Core/Core/ConfigManager.h @@ -277,6 +277,8 @@ struct SConfig : NonCopyable bool m_SSLDumpRead; bool m_SSLDumpWrite; bool m_SSLVerifyCert; + bool m_SSLDumpRootCA; + bool m_SSLDumpPeerCert; SysConf* m_SYSCONF; diff --git a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp index 77bdc08011..0bcbbae0b4 100644 --- a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp +++ b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp @@ -252,6 +252,12 @@ IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) int ret = mbedtls_x509_crt_parse_der(&ssl->cacert, Memory::GetPointer(BufferOut2), BufferOutSize2); + if (SConfig::GetInstance().m_SSLDumpRootCA) + { + std::string filename = File::GetUserPath(D_DUMPSSL_IDX) + ssl->hostname + "_rootca.der"; + File::IOFile(filename, "wb").WriteBytes(Memory::GetPointer(BufferOut2), BufferOutSize2); + } + if (ret) { Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); diff --git a/Source/Core/Core/IPC_HLE/WII_Socket.cpp b/Source/Core/Core/IPC_HLE/WII_Socket.cpp index e956168116..9942554470 100644 --- a/Source/Core/Core/IPC_HLE/WII_Socket.cpp +++ b/Source/Core/Core/IPC_HLE/WII_Socket.cpp 
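Review bot: The dump filename is `File::GetUserPath(D_DUMPSSL_IDX) + ssl->hostname + "_rootca.der"`, and `ssl->hostname` is presumably the string the guest supplied when the SSL context was created (an earlier hunk stores it from the request), so a hostname containing `/`, `\` or `:` would place the file outside the SSL dump directory. Replace path characters before concatenating, e.g. `std::string host = ssl->hostname; std::replace_if(host.begin(), host.end(), [](char c) { return c == '/' || c == '\\' || c == ':'; }, '_');` (needs `<algorithm>`), and do the same for `ctx->hostname` in the peer-certificate dump in WII_Socket.cpp (`@@ -353,6 +353,20 @@`). The dump is also written when `mbedtls_x509_crt_parse_der` returned an error, which is useful for debugging a rejected CA but worth a one-line comment. The enclosing IOCtlV starts and ends outside the hunk.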
@@ -353,6 +353,20 @@ void WiiSocket::Update(bool read, bool write, bool except) break; } + // mbedtls_ssl_get_peer_cert(ctx) seems not to work if handshake failed + // Below is an alternative to dump the peer certificate + if (SConfig::GetInstance().m_SSLDumpPeerCert && ctx->session_negotiate != nullptr) + { + const mbedtls_x509_crt* cert = ctx->session_negotiate->peer_cert; + if (cert != nullptr) + { + std::string filename = File::GetUserPath(D_DUMPSSL_IDX) + + ((ctx->hostname != nullptr) ? ctx->hostname : "") + + "_peercert.der"; + File::IOFile(filename, "wb").WriteBytes(cert->raw.p, cert->raw.len); + } + } + INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_DOHANDSHAKE = (%d) " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferOut: (%08x, %i), BufferOut2: (%08x, %i)", @@ -366,8 +380,11 @@ void WiiSocket::Update(bool read, bool write, bool except) Memory::GetPointer(BufferOut2), BufferOutSize2); if (SConfig::GetInstance().m_SSLDumpWrite && ret > 0) - File::IOFile("ssl_write.bin", "ab") - .WriteBytes(Memory::GetPointer(BufferOut2), ret); + { + std::string filename = File::GetUserPath(D_DUMPSSL_IDX) + + SConfig::GetInstance().GetUniqueID() + "_write.bin"; + File::IOFile(filename, "ab").WriteBytes(Memory::GetPointer(BufferOut2), ret); + } if (ret >= 0) { @@ -401,8 +418,11 @@ void WiiSocket::Update(bool read, bool write, bool except) Memory::GetPointer(BufferIn2), BufferInSize2); if (SConfig::GetInstance().m_SSLDumpRead && ret > 0) - File::IOFile("ssl_read.bin", "ab") - .WriteBytes(Memory::GetPointer(BufferIn2), ret); + { + std::string filename = File::GetUserPath(D_DUMPSSL_IDX) + + SConfig::GetInstance().GetUniqueID() + "_read.bin"; + File::IOFile(filename, "ab").WriteBytes(Memory::GetPointer(BufferIn2), ret); + } if (ret >= 0) { diff --git a/Source/Core/UICommon/UICommon.cpp b/Source/Core/UICommon/UICommon.cpp index 0308fc42bd..0baf713b71 100644 --- a/Source/Core/UICommon/UICommon.cpp +++ b/Source/Core/UICommon/UICommon.cpp 
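Review bot: `ctx->session_negotiate` and `ctx->hostname` are internal mbedtls fields, and if mbedtls releases `session_negotiate` when the handshake completes (as the 2.x wrap-up does) this block only dumps certificates of handshakes that are still in progress or failed, while a successful connection yields nothing; please confirm against the mbedtls version in use. Using the public `mbedtls_ssl_get_peer_cert(ctx)` on the success path and the internal field only as the failure fallback covers both cases and narrows the dependency on struct layout; `ret` is still in scope here provided the switch above leaves it at 0 on success. Filename sanitization for `ctx->hostname` is the same issue raised on the root-CA dump. WiiSocket::Update starts and ends outside the hunk.
```cpp
const mbedtls_x509_crt* cert = nullptr;
if (ret == 0)
  cert = mbedtls_ssl_get_peer_cert(ctx);  // public API; valid once the handshake succeeded
else if (ctx->session_negotiate != nullptr)
  cert = ctx->session_negotiate->peer_cert;  // mbedtls-internal field: fallback for failed handshakes only
if (cert != nullptr)
{
  // … unchanged: build filename from D_DUMPSSL_IDX and ctx->hostname, write cert->raw …
}
```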
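Review bot: The new dump path is keyed only on `GetUniqueID()`, so every SSL socket of the running title appends into the same `_write.bin` (and `_read.bin` in `@@ -401,8 +418,11 @@`), interleaving connections to different hosts into one stream that cannot be separated afterwards. Adding the socket index, `+ "_" + std::to_string(sslID) + "_write.bin"`, keeps one file per connection. The file is still reopened on every call, which is acceptable for a debugging aid but worth a comment so nobody "optimizes" it into a long-lived handle without thinking about flushing. WiiSocket::Update starts and ends outside the hunk.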
@@ -51,6 +51,7 @@ void CreateDirectories() File::CreateFullPath(File::GetUserPath(D_CACHE_IDX)); File::CreateFullPath(File::GetUserPath(D_CONFIG_IDX)); File::CreateFullPath(File::GetUserPath(D_DUMPDSP_IDX)); + File::CreateFullPath(File::GetUserPath(D_DUMPSSL_IDX)); File::CreateFullPath(File::GetUserPath(D_DUMPTEXTURES_IDX)); File::CreateFullPath(File::GetUserPath(D_GAMESETTINGS_IDX)); File::CreateFullPath(File::GetUserPath(D_GCUSER_IDX)); From 4dfad8896ae39ba1cc9bfb14a22acfbe65483ba7 Mon Sep 17 00:00:00 2001 From: Sepalani Date: Sat, 10 Oct 2015 21:53:56 +0200 Subject: [PATCH 5/7] Added: mbedtls errors log --- Source/Core/Core/IPC_HLE/WII_Socket.cpp | 38 ++++++++++++++++--------- 1 file changed, 25 insertions(+), 13 deletions(-) diff --git a/Source/Core/Core/IPC_HLE/WII_Socket.cpp b/Source/Core/Core/IPC_HLE/WII_Socket.cpp index 9942554470..08b54677c5 100644 --- a/Source/Core/Core/IPC_HLE/WII_Socket.cpp +++ b/Source/Core/Core/IPC_HLE/WII_Socket.cpp @@ -3,6 +3,7 @@ // Refer to the license.txt file included. #include +#include #ifndef _WIN32 #include #endif @@ -314,6 +315,12 @@ void WiiSocket::Update(bool read, bool write, bool except) { mbedtls_ssl_context* ctx = &CWII_IPC_HLE_Device_net_ssl::_SSL[sslID].ctx; int ret = mbedtls_ssl_handshake(ctx); + if (ret) + { + char error_buffer[256] = ""; + mbedtls_strerror(ret, error_buffer, sizeof(error_buffer)); + ERROR_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_DOHANDSHAKE: %s", error_buffer); + } switch (ret) { case 0: 
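Review bot: `if (ret)` logs at ERROR level for every non-zero return of `mbedtls_ssl_handshake`, including MBEDTLS_ERR_SSL_WANT_READ and MBEDTLS_ERR_SSL_WANT_WRITE, which are the normal progress codes of a non-blocking handshake (the switch below appears to map them to SSL_ERR_WAGAIN, judging by the visible branch), so a non-blocking title will fill the log with false errors. Exclude them: `if (ret && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)`. The added `#include` line lost its header name in this rendering; presumably it is the mbedtls error header that declares mbedtls_strerror. The enclosing switch starts and ends outside the hunk.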
@@ -331,21 +338,26 @@ void WiiSocket::Update(bool read, bool write, bool except) break; case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: { - int flags = ctx->session_negotiate->verify_result; - if (flags & MBEDTLS_X509_BADCERT_CN_MISMATCH) - ret = SSL_ERR_VCOMMONNAME; - else if (flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) - ret = SSL_ERR_VROOTCA; - else if (flags & MBEDTLS_X509_BADCERT_REVOKED) - ret = SSL_ERR_VCHAIN; - else if (flags & MBEDTLS_X509_BADCERT_EXPIRED || - flags & MBEDTLS_X509_BADCERT_FUTURE) - ret = SSL_ERR_VDATE; + char error_buffer[256] = ""; + int res = mbedtls_ssl_get_verify_result(ctx); + mbedtls_x509_crt_verify_info(error_buffer, sizeof(error_buffer), "", res); + ERROR_LOG(WII_IPC_SSL, "MBEDTLS_ERR_X509_CERT_VERIFY_FAILED (verify_result = %d): %s", + res, error_buffer); + + if (res & MBEDTLS_X509_BADCERT_CN_MISMATCH) + res = SSL_ERR_VCOMMONNAME; + else if (res & MBEDTLS_X509_BADCERT_NOT_TRUSTED) + res = SSL_ERR_VROOTCA; + else if (res & MBEDTLS_X509_BADCERT_REVOKED) + res = SSL_ERR_VCHAIN; + else if (res & MBEDTLS_X509_BADCERT_EXPIRED || res & MBEDTLS_X509_BADCERT_FUTURE) + res = SSL_ERR_VDATE; else - ret = SSL_ERR_FAILED; - Memory::Write_U32(ret, BufferIn); + res = SSL_ERR_FAILED; + + Memory::Write_U32(res, BufferIn); if (!nonBlock) - ReturnValue = ret; + ReturnValue = res; break; } default: From 1af3b51fa7e833f072f77da8339c99f0889c8370 Mon Sep 17 00:00:00 2001 From: Sepalani Date: Sat, 10 Oct 2015 22:48:13 +0200 Subject: [PATCH 6/7] Added: Wii security profile --- .../Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp index 0bcbbae0b4..9d21f6f627 100644 --- a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp +++ b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp 
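Review bot: `int res = mbedtls_ssl_get_verify_result(ctx)` stores a `uint32_t` flag set in a signed int and prints it with `%d`, and the same variable is then overwritten with the SSL_ERR_* code, so one name carries two unrelated meanings across ten lines. Keep the flags in their own variable and format them as hex, `const uint32_t flags = mbedtls_ssl_get_verify_result(ctx);` with `"(verify_result = %08x)"` in the ERROR_LOG, and map into a separate `int err` that is written to BufferIn and ReturnValue. The enclosing switch starts and ends outside the hunk.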
@@ -13,6 +13,16 @@ WII_SSL CWII_IPC_HLE_Device_net_ssl::_SSL[NET_SSL_MAXINSTANCES]; +static constexpr mbedtls_x509_crt_profile mbedtls_x509_crt_profile_wii = { + /* Hashes from SHA-1 and above */ + MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160) | + MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) | + MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512), + 0xFFFFFFF, /* Any PK alg */ + 0xFFFFFFF, /* Any curve */ + 0, /* No RSA min key size */ +}; + CWII_IPC_HLE_Device_net_ssl::CWII_IPC_HLE_Device_net_ssl(u32 _DeviceID, const std::string& _rDeviceName) : IWII_IPC_HLE_Device(_DeviceID, _rDeviceName) @@ -172,7 +182,7 @@ IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) // For some reason we can't use TLSv1.2, v1.1 and below are fine! mbedtls_ssl_conf_max_version(&ssl->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_2); - + mbedtls_ssl_conf_cert_profile(&ssl->config, &mbedtls_x509_crt_profile_wii); mbedtls_ssl_set_session(&ssl->ctx, &ssl->session); if (SConfig::GetInstance().m_SSLVerifyCert && verifyOption) From 99a741b4e21dc3a3e2f977b550416d98df8a4660 Mon Sep 17 00:00:00 2001 From: Sepalani Date: Sat, 25 Jun 2016 17:12:06 +0400 Subject: [PATCH 7/7] mbedTLS: missing init and free fixed --- .../IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp | 24 ++++++++++++------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp index 9d21f6f627..8f29e83ea4 100644 --- a/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp +++ b/Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_net_ssl.cpp 
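Review bot: `mbedtls_x509_crt_profile_wii` accepts SHA-1 and RIPEMD-160 signatures, any public-key algorithm, any curve and no RSA minimum, which is weaker than mbedtls's default profile, and a user who turns on SSLVerifyCert will not expect SHA-1-signed chains to pass; the block comment only says "Hashes from SHA-1 and above". The reason is presumably compatibility with the certificates Wii titles and their servers use, and that trade-off belongs in a header comment, e.g. `// Looser than mbedtls_x509_crt_profile_default on purpose (SHA-1 signatures, no key-size minimum) for compatibility with the certificates Wii titles expect; only consulted when verification is enabled.` The `0xFFFFFFF` masks mirror the literals mbedtls's own profiles use. The second hunk installs the profile right after the existing cap at TLS 1.1, whose comment admits the cause is unknown; that cap is pre-existing but worth revisiting together with this profile.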
@@ -41,13 +41,16 @@ CWII_IPC_HLE_Device_net_ssl::~CWII_IPC_HLE_Device_net_ssl() if (ssl.active) { mbedtls_ssl_close_notify(&ssl.ctx); - mbedtls_ssl_session_free(&ssl.session); - mbedtls_ssl_free(&ssl.ctx); - mbedtls_ssl_config_free(&ssl.config); mbedtls_x509_crt_free(&ssl.cacert); mbedtls_x509_crt_free(&ssl.clicert); + mbedtls_ssl_session_free(&ssl.session); + mbedtls_ssl_free(&ssl.ctx); + mbedtls_ssl_config_free(&ssl.config); + mbedtls_ctr_drbg_free(&ssl.ctr_drbg); + mbedtls_entropy_free(&ssl.entropy); + ssl.hostname.clear(); ssl.active = false; @@ -163,13 +166,14 @@ IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) WII_SSL* ssl = &_SSL[sslID]; mbedtls_ssl_init(&ssl->ctx); mbedtls_entropy_init(&ssl->entropy); - const char* pers = "dolphin-emu"; + static constexpr const char* pers = "dolphin-emu"; mbedtls_ctr_drbg_init(&ssl->ctr_drbg); int ret = mbedtls_ctr_drbg_seed(&ssl->ctr_drbg, mbedtls_entropy_func, &ssl->entropy, (const unsigned char*)pers, strlen(pers)); if (ret) { mbedtls_ssl_free(&ssl->ctx); + mbedtls_ctr_drbg_free(&ssl->ctr_drbg); mbedtls_entropy_free(&ssl->entropy); goto _SSL_NEW_ERROR; } @@ -218,16 +222,18 @@ IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; - mbedtls_ssl_close_notify(&ssl->ctx); - mbedtls_ssl_session_free(&ssl->session); - mbedtls_ssl_free(&ssl->ctx); - mbedtls_ssl_config_free(&ssl->config); - mbedtls_entropy_free(&ssl->entropy); + mbedtls_ssl_close_notify(&ssl->ctx); mbedtls_x509_crt_free(&ssl->cacert); mbedtls_x509_crt_free(&ssl->clicert); + mbedtls_ssl_session_free(&ssl->session); + mbedtls_ssl_free(&ssl->ctx); + mbedtls_ssl_config_free(&ssl->config); + mbedtls_ctr_drbg_free(&ssl->ctr_drbg); + mbedtls_entropy_free(&ssl->entropy); + ssl->hostname.clear(); ssl->active = false;
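Review bot: The teardown sequence in the destructor is now the same nine lines as the IOCTLV_NET_SSL_SHUTDOWN handler in the `@@ -218,16 +222,18 @@` hunk, and this patch had to fix both copies at once (ctr_drbg_free was missing from both, entropy_free from the destructor); a single helper keeps the order in one place so the next mbedtls object added to WII_SSL cannot be freed in one path and leaked in the other. The `mbedtls_ssl_close_notify` result is ignored in both copies; on a non-blocking socket it can return WANT_WRITE, which is acceptable at teardown but deserves a comment. The loop over `_SSL` that encloses this block starts outside the hunk.
```cpp
// Releases every mbedtls object owned by one WII_SSL slot and marks it free.
// Order follows the patch's teardown sequence: certificates and session,
// then the context before its config, then the DRBG before its entropy source.
static void FreeSSLSlot(WII_SSL& ssl)
{
  mbedtls_ssl_close_notify(&ssl.ctx);  // best effort; may return WANT_WRITE on non-blocking sockets
  mbedtls_x509_crt_free(&ssl.cacert);
  mbedtls_x509_crt_free(&ssl.clicert);
  mbedtls_ssl_session_free(&ssl.session);
  mbedtls_ssl_free(&ssl.ctx);
  mbedtls_ssl_config_free(&ssl.config);
  mbedtls_ctr_drbg_free(&ssl.ctr_drbg);
  mbedtls_entropy_free(&ssl.entropy);
  ssl.hostname.clear();
  ssl.active = false;
}

// … destructor body: if (ssl.active) FreeSSLSlot(ssl); …
```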