Document internal serialisation format

This mainly follows the design document (saving all fields marked "saved" in the main structure and the transform sub-structure) with two exceptions: - things related to renegotiation are excluded here (there weren't quite in the design document as the possibility of allowing renegotiation was still on the table, which is no longer is) - also, ssl.secure_renegotiation (which is not guarded by MBEDTLS_SSL_RENEGOTIATION because it's used in initial handshakes even with renegotiation disabled) is still excluded, as we don't need it after the handshake. - things related to Connection ID are added, as they weren't present at the time the design document was written. The exact format of the header (value of the bitflag indicating compile-time options, whether and how to merge it with the serialized session header) will be determined later.
2019-07-10 14:58:45 +02:00 · 2019-07-10 14:58:45 +02:00 · 00400c2bf6
commit 00400c2bf6
parent 1aaf66940e
1 changed files with 35 additions and 0 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -11286,6 +11286,41 @@ void mbedtls_ssl_session_free( mbedtls_ssl_session *session )

 /*
 * Serialize a full SSL context
+ *
+ * The format of the serialized data is:
+ * (in the presentation language of TLS, RFC 8446 section 3)
+ *
+ *  // header
+ *  opaque mbedtls_version[3];   // major, minor, patch
+ *  opaque context_format[n];    // version-specific field determining
+ *                               // the format of the remaining
+ *                               // serialized data. (n TBD)
+ *  Note: When updating the format, remember to keep
+ *        these version+format bytes. (To be confirmed.)
+ *
+ *  // session sub-structure
+ *  opaque session<1..2^32-1>;  // see mbedtls_ssl_session_save()
+ *  // transform sub-structure
+ *  uint8 random[64];           // ServerHello.random+ClientHello.random
+ *  uint8 in_cid<0..2^8-1>      // Connection ID: expected incoming value
+ *  uint8 out_cid<0..2^8-1>     // Connection ID: outgoing value to use
+ *  // fields from ssl_context
+ *  uint32 badmac_seen;         // DTLS: number of records with failing MAC
+ *  uint64 in_window_top;       // DTLS: last validated record seq_num
+ *  uint64 in_window;           // DTLS: bitmask for replay protection
+ *  uint8 disable_datagram_packing; // DTLS: only one record per datagram
+ *  uint64 cur_out_ctr;         // Record layer: outgoing sequence number
+ *  uint16 mtu;                 // DTLS: path mtu (max outgoing fragment size)
+ *  uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
+ *
+ * Note that many fields of the ssl_context or sub-structures are not
+ * serialized, as they fall in one of the following categories:
+ *
+ *  1. forced value (eg in_left must be 0)
+ *  2. pointer to dynamically-allocated memory (eg session, transform)
+ *  3. value can be re-derived from other data (eg session keys from MS)
+ *  4. value was temporary (eg content of input buffer)
+ *  5. value will be provided by the user again (eg I/O callbacks and context)
 */
 int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
                              unsigned char *buf,