rfc2246.txt

中、英文RFC文档大全打包下载完全版 .

   In the following example, Datum is defined to be three consecutive
   bytes that the protocol does not interpret, while Data is three
   consecutive Datum, consuming a total of nine bytes.

       opaque Datum[3];      /* three uninterpreted bytes */
       Datum Data[9];        /* 3 consecutive 3 byte vectors */






Dierks & Allen              Standards Track                     [Page 6]

RFC 2246              The TLS Protocol Version 1.0          January 1999


   Variable length vectors are defined by specifying a subrange of legal
   lengths, inclusively, using the notation <floor..ceiling>.  When
   encoded, the actual length precedes the vector's contents in the byte
   stream. The length will be in the form of a number consuming as many
   bytes as required to hold the vector's specified maximum (ceiling)
   length. A variable length vector with an actual length field of zero
   is referred to as an empty vector.

       T T'<floor..ceiling>;

   In the following example, mandatory is a vector that must contain
   between 300 and 400 bytes of type opaque. It can never be empty. The
   actual length field consumes two bytes, a uint16, sufficient to
   represent the value 400 (see Section 4.4). On the other hand, longer
   can represent up to 800 bytes of data, or 400 uint16 elements, and it
   may be empty. Its encoding will include a two byte actual length
   field prepended to the vector. The length of an encoded vector must
   be an even multiple of the length of a single element (for example, a
   17 byte vector of uint16 would be illegal).

       opaque mandatory<300..400>;
             /* length field is 2 bytes, cannot be empty */
       uint16 longer<0..800>;
             /* zero to 400 16-bit unsigned integers */

4.4. Numbers

   The basic numeric data type is an unsigned byte (uint8). All larger
   numeric data types are formed from fixed length series of bytes
   concatenated as described in Section 4.1 and are also unsigned. The
   following numeric types are predefined.

       uint8 uint16[2];
       uint8 uint24[3];
       uint8 uint32[4];
       uint8 uint64[8];

   All values, here and elsewhere in the specification, are stored in
   "network" or "big-endian" order; the uint32 represented by the hex
   bytes 01 02 03 04 is equivalent to the decimal value 16909060.

4.5. Enumerateds

   An additional sparse data type is available called enum. A field of
   type enum can only assume the values declared in the definition.
   Each definition is a different type. Only enumerateds of the same
   type may be assigned or compared. Every element of an enumerated must




Dierks & Allen              Standards Track                     [Page 7]

RFC 2246              The TLS Protocol Version 1.0          January 1999


   be assigned a value, as demonstrated in the following example.  Since
   the elements of the enumerated are not ordered, they can be assigned
   any unique value, in any order.

       enum { e1(v1), e2(v2), ... , en(vn) [[, (n)]] } Te;

   Enumerateds occupy as much space in the byte stream as would its
   maximal defined ordinal value. The following definition would cause
   one byte to be used to carry fields of type Color.

       enum { red(3), blue(5), white(7) } Color;

   One may optionally specify a value without its associated tag to
   force the width definition without defining a superfluous element.
   In the following example, Taste will consume two bytes in the data
   stream but can only assume the values 1, 2 or 4.

       enum { sweet(1), sour(2), bitter(4), (32000) } Taste;

   The names of the elements of an enumeration are scoped within the
   defined type. In the first example, a fully qualified reference to
   the second element of the enumeration would be Color.blue. Such
   qualification is not required if the target of the assignment is well
   specified.

       Color color = Color.blue;     /* overspecified, legal */
       Color color = blue;           /* correct, type implicit */

   For enumerateds that are never converted to external representation,
   the numerical information may be omitted.

       enum { low, medium, high } Amount;

4.6. Constructed types

   Structure types may be constructed from primitive types for
   convenience. Each specification declares a new, unique type. The
   syntax for definition is much like that of C.

       struct {
         T1 f1;
         T2 f2;
         ...
         Tn fn;
       } [[T]];






Dierks & Allen              Standards Track                     [Page 8]

RFC 2246              The TLS Protocol Version 1.0          January 1999


   The fields within a structure may be qualified using the type's name
   using a syntax much like that available for enumerateds. For example,
   T.f2 refers to the second field of the previous declaration.
   Structure definitions may be embedded.

4.6.1. Variants

   Defined structures may have variants based on some knowledge that is
   available within the environment. The selector must be an enumerated
   type that defines the possible variants the structure defines. There
   must be a case arm for every element of the enumeration declared in
   the select. The body of the variant structure may be given a label
   for reference. The mechanism by which the variant is selected at
   runtime is not prescribed by the presentation language.

       struct {
           T1 f1;
           T2 f2;
           ....
           Tn fn;
           select (E) {
               case e1: Te1;
               case e2: Te2;
               ....
               case en: Ten;
           } [[fv]];
       } [[Tv]];

   For example:

       enum { apple, orange } VariantTag;
       struct {
           uint16 number;
           opaque string<0..10>; /* variable length */
       } V1;
       struct {
           uint32 number;
           opaque string[10];    /* fixed length */
       } V2;
       struct {
           select (VariantTag) { /* value of selector is implicit */
               case apple: V1;   /* VariantBody, tag = apple */
               case orange: V2;  /* VariantBody, tag = orange */
           } variant_body;       /* optional label on variant */
       } VariantRecord;

   Variant structures may be qualified (narrowed) by specifying a value
   for the selector prior to the type. For example, a



Dierks & Allen              Standards Track                     [Page 9]

RFC 2246              The TLS Protocol Version 1.0          January 1999


       orange VariantRecord

   is a narrowed type of a VariantRecord containing a variant_body of
   type V2.

4.7. Cryptographic attributes

   The four cryptographic operations digital signing, stream cipher
   encryption, block cipher encryption, and public key encryption are
   designated digitally-signed, stream-ciphered, block-ciphered, and
   public-key-encrypted, respectively. A field's cryptographic
   processing is specified by prepending an appropriate key word
   designation before the field's type specification. Cryptographic keys
   are implied by the current session state (see Section 6.1).

   In digital signing, one-way hash functions are used as input for a
   signing algorithm. A digitally-signed element is encoded as an opaque
   vector <0..2^16-1>, where the length is specified by the signing
   algorithm and key.

   In RSA signing, a 36-byte structure of two hashes (one SHA and one
   MD5) is signed (encrypted with the private key). It is encoded with
   PKCS #1 block type 0 or type 1 as described in [PKCS1].

   In DSS, the 20 bytes of the SHA hash are run directly through the
   Digital Signing Algorithm with no additional hashing. This produces
   two values, r and s. The DSS signature is an opaque vector, as above,
   the contents of which are the DER encoding of:

       Dss-Sig-Value  ::=  SEQUENCE  {
            r       INTEGER,
            s       INTEGER
       }

   In stream cipher encryption, the plaintext is exclusive-ORed with an
   identical amount of output generated from a cryptographically-secure
   keyed pseudorandom number generator.

   In block cipher encryption, every block of plaintext encrypts to a
   block of ciphertext. All block cipher encryption is done in CBC
   (Cipher Block Chaining) mode, and all items which are block-ciphered
   will be an exact multiple of the cipher block length.

   In public key encryption, a public key algorithm is used to encrypt
   data in such a way that it can be decrypted only with the matching
   private key. A public-key-encrypted element is encoded as an opaque
   vector <0..2^16-1>, where the length is specified by the signing
   algorithm and key.



Dierks & Allen              Standards Track                    [Page 10]

RFC 2246              The TLS Protocol Version 1.0          January 1999


   An RSA encrypted value is encoded with PKCS #1 block type 2 as
   described in [PKCS1].

   In the following example:

       stream-ciphered struct {
           uint8 field1;
           uint8 field2;
           digitally-signed opaque hash[20];
       } UserType;

   The contents of hash are used as input for the signing algorithm,
   then the entire structure is encrypted with a stream cipher. The
   length of this structure, in bytes would be equal to 2 bytes for
   field1 and field2, plus two bytes for the length of the signature,
   plus the length of the output of the signing algorithm. This is known
   due to the fact that the algorithm and key used for the signing are
   known prior to encoding or decoding this structure.

4.8. Constants

   Typed constants can be defined for purposes of specification by
   declaring a symbol of the desired type and assigning values to it.
   Under-specified types (opaque, variable length vectors, and
   structures that contain opaque) cannot be assigned values. No fields
   of a multi-element structure or vector may be elided.

   For example,

       struct {
           uint8 f1;
           uint8 f2;
       } Example1;

       Example1 ex1 = {1, 4};  /* assigns f1 = 1, f2 = 4 */

5. HMAC and the pseudorandom function

   A number of operations in the TLS record and handshake layer required
   a keyed MAC; this is a secure digest of some data protected by a
   secret. Forging the MAC is infeasible without knowledge of the MAC
   secret. The construction we use for this operation is known as HMAC,
   described in [HMAC].

   HMAC can be used with a variety of different hash algorithms. TLS
   uses it in the handshake with two different algorithms: MD5 and SHA-
   1, denoting these as HMAC_MD5(secret, data) and HMAC_SHA(secret,




Dierks & Allen              Standards Track                    [Page 11]

RFC 2246              The TLS Protocol Version 1.0          January 1999


   data). Additional hash algorithms can be defined by cipher suites and
   used to protect record data, but MD5 and SHA-1 are hard coded into
   the description of the handshaking for this version of the protocol.

   In addition, a construction is required to do expansion of secrets
   into blocks of data for the purposes of key generation or validation.
   This pseudo-random function (PRF) takes as input a secret, a seed,
   and an identifying label and produces an output of arbitrary length.

   In order to make the PRF as secure as possible, it uses two hash
   algorithms in a way which should guarantee its security if either
   algorithm remains secure.

   First, we define a data expansion function, P_hash(secret, data)
   which uses a single hash function to expand a secret and seed into an
   arbitrary quantity of output:

       P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
                              HMAC_hash(secret, A(2) + seed) +
                              HMAC_hash(secret, A(3) + seed) + ...

   Where + indicates concatenation.

   A() is defined as:
       A(0) = seed
       A(i) = HMAC_hash(secret, A(i-1))