1 files changed, 127 insertions, 18 deletions
diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go
index 2475fe8..a851560 100644
--- a/vendor/google.golang.org/grpc/credentials/credentials.go
+++ b/vendor/google.golang.org/grpc/credentials/credentials.go
@@ -23,6 +23,7 @@
 package credentials // import "google.golang.org/grpc/credentials"
 import (
+        "context"
        "crypto/tls"
        "crypto/x509"
        "errors"
@@ -31,13 +32,12 @@ import (
        "net"
        "strings"
-        "golang.org/x/net/context"
+        "github.com/golang/protobuf/proto"
+        "google.golang.org/grpc/credentials/internal"
 )
-var (
+// alpnProtoStr are the specified application level protocols for gRPC.
-        // alpnProtoStr are the specified application level protocols for gRPC.
+var alpnProtoStr = []string{"h2"}
-        alpnProtoStr = []string{"h2"}
-)
 // PerRPCCredentials defines the common interface for the credentials which need to
 // attach security information to every RPC (e.g., oauth2).
@@ -45,8 +45,9 @@ type PerRPCCredentials interface {
        // GetRequestMetadata gets the current request metadata, refreshing
        // tokens if required. This should be called by the transport layer on
        // each request, and the data should be populated in headers or other
-        // context. uri is the URI of the entry point for the request. When
+        // context. If a status code is returned, it will be used as the status
-        // supported by the underlying implementation, ctx can be used for
+        // for the RPC. uri is the URI of the entry point for the request.
+        // When supported by the underlying implementation, ctx can be used for
        // timeout and cancellation.
        // TODO(zhaoq): Define the set of the qualified keys instead of leaving
        // it as an arbitrary string.
@@ -74,11 +75,9 @@ type AuthInfo interface {
        AuthType() string
 }
-var (
+// ErrConnDispatched indicates that rawConn has been dispatched out of gRPC
-        // ErrConnDispatched indicates that rawConn has been dispatched out of gRPC
+// and the caller should not close rawConn.
-        // and the caller should not close rawConn.
+var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
-        ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
-)
 // TransportCredentials defines the common interface for all the live gRPC wire
 // protocols and supported transport security protocols (e.g., TLS, SSL).
@@ -91,10 +90,14 @@ type TransportCredentials interface {
        // (io.EOF, context.DeadlineExceeded or err.Temporary() == true).
        // If the returned error is a wrapper error, implementations should make sure that
        // the error implements Temporary() to have the correct retry behaviors.
+        //
+        // If the returned net.Conn is closed, it MUST close the net.Conn provided.
        ClientHandshake(context.Context, string, net.Conn) (net.Conn, AuthInfo, error)
        // ServerHandshake does the authentication handshake for servers. It returns
        // the authenticated connection and the corresponding auth information about
        // the connection.
+        //
+        // If the returned net.Conn is closed, it MUST close the net.Conn provided.
        ServerHandshake(net.Conn) (net.Conn, AuthInfo, error)
        // Info provides the ProtocolInfo of this TransportCredentials.
        Info() ProtocolInfo
@@ -106,6 +109,25 @@ type TransportCredentials interface {
        OverrideServerName(string) error
 }
+// Bundle is a combination of TransportCredentials and PerRPCCredentials.
+//
+// It also contains a mode switching method, so it can be used as a combination
+// of different credential policies.
+//
+// Bundle cannot be used together with individual TransportCredentials.
+// PerRPCCredentials from Bundle will be appended to other PerRPCCredentials.
+//
+// This API is experimental.
+type Bundle interface {
+        TransportCredentials() TransportCredentials
+        PerRPCCredentials() PerRPCCredentials
+        // NewWithMode should make a copy of Bundle, and switch mode. Modifying the
+        // existing Bundle may cause races.
+        //
+        // NewWithMode returns nil if the requested mode is not supported.
+        NewWithMode(mode string) (Bundle, error)
+}
 // TLSInfo contains the auth information for a TLS authenticated connection.
 // It implements the AuthInfo interface.
 type TLSInfo struct {
@@ -117,6 +139,18 @@ func (t TLSInfo) AuthType() string {
        return "tls"
 }
+// GetSecurityValue returns security info requested by channelz.
+func (t TLSInfo) GetSecurityValue() ChannelzSecurityValue {
+        v := &TLSChannelzSecurityValue{
+                StandardName: cipherSuiteLookup[t.State.CipherSuite],
+        }
+        // Currently there's no way to get LocalCertificate info from tls package.
+        if len(t.State.PeerCertificates) > 0 {
+                v.RemoteCertificate = t.State.PeerCertificates[0].Raw
+        }
+        return v
+}
 // tlsCreds is the credentials required for authenticating a connection using TLS.
 type tlsCreds struct {
        // TLS configuration
@@ -131,15 +165,15 @@ func (c tlsCreds) Info() ProtocolInfo {
        }
 }
-func (c *tlsCreds) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) {
+func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) {
        // use local cfg to avoid clobbering ServerName if using multiple endpoints
        cfg := cloneTLSConfig(c.config)
        if cfg.ServerName == "" {
-                colonPos := strings.LastIndex(addr, ":")
+                colonPos := strings.LastIndex(authority, ":")
                if colonPos == -1 {
-                        colonPos = len(addr)
+                        colonPos = len(authority)
                }
-                cfg.ServerName = addr[:colonPos]
+                cfg.ServerName = authority[:colonPos]
        }
        conn := tls.Client(rawConn, cfg)
        errChannel := make(chan error, 1)
@@ -154,7 +188,7 @@ func (c *tlsCreds) ClientHandshake(ctx context.Context, addr string, rawConn net
        case <-ctx.Done():
                return nil, nil, ctx.Err()
        }
-        return conn, TLSInfo{conn.ConnectionState()}, nil
+        return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState()}, nil
 }
 func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) {
@@ -162,7 +196,7 @@ func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error)
        if err := conn.Handshake(); err != nil {
                return nil, nil, err
        }
-        return conn, TLSInfo{conn.ConnectionState()}, nil
+        return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState()}, nil
 }
 func (c *tlsCreds) Clone() TransportCredentials {
@@ -217,3 +251,78 @@ func NewServerTLSFromFile(certFile, keyFile string) (TransportCredentials, error
        }
        return NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}}), nil
 }
+// ChannelzSecurityInfo defines the interface that security protocols should implement
+// in order to provide security info to channelz.
+type ChannelzSecurityInfo interface {
+        GetSecurityValue() ChannelzSecurityValue
+}
+// ChannelzSecurityValue defines the interface that GetSecurityValue() return value
+// should satisfy. This interface should only be satisfied by *TLSChannelzSecurityValue
+// and *OtherChannelzSecurityValue.
+type ChannelzSecurityValue interface {
+        isChannelzSecurityValue()
+}
+// TLSChannelzSecurityValue defines the struct that TLS protocol should return
+// from GetSecurityValue(), containing security info like cipher and certificate used.
+type TLSChannelzSecurityValue struct {
+        StandardName      string
+        LocalCertificate  []byte
+        RemoteCertificate []byte
+}
+func (*TLSChannelzSecurityValue) isChannelzSecurityValue() {}
+// OtherChannelzSecurityValue defines the struct that non-TLS protocol should return
+// from GetSecurityValue(), which contains protocol specific security info. Note
+// the Value field will be sent to users of channelz requesting channel info, and
+// thus sensitive info should better be avoided.
+type OtherChannelzSecurityValue struct {
+        Name  string
+        Value proto.Message
+}
+func (*OtherChannelzSecurityValue) isChannelzSecurityValue() {}
+var cipherSuiteLookup = map[uint16]string{
+        tls.TLS_RSA_WITH_RC4_128_SHA:                "TLS_RSA_WITH_RC4_128_SHA",
+        tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:           "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
+        tls.TLS_RSA_WITH_AES_128_CBC_SHA:            "TLS_RSA_WITH_AES_128_CBC_SHA",
+        tls.TLS_RSA_WITH_AES_256_CBC_SHA:            "TLS_RSA_WITH_AES_256_CBC_SHA",
+        tls.TLS_RSA_WITH_AES_128_GCM_SHA256:         "TLS_RSA_WITH_AES_128_GCM_SHA256",
+        tls.TLS_RSA_WITH_AES_256_GCM_SHA384:         "TLS_RSA_WITH_AES_256_GCM_SHA384",
+        tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
+        tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+        tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+        tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA:          "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
+        tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:     "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
+        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
+        tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+        tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+        tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        tls.TLS_FALLBACK_SCSV:                       "TLS_FALLBACK_SCSV",
+        tls.TLS_RSA_WITH_AES_128_CBC_SHA256:         "TLS_RSA_WITH_AES_128_CBC_SHA256",
+        tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:   "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+        tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+        tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+}
+// cloneTLSConfig returns a shallow clone of the exported
+// fields of cfg, ignoring the unexported sync.Once, which
+// contains a mutex and must not be copied.
+//
+// If cfg is nil, a new zero tls.Config is returned.
+//
+// TODO: inline this function if possible.
+func cloneTLSConfig(cfg *tls.Config) *tls.Config {
+        if cfg == nil {
+                return &tls.Config{}
+        }
+        return cfg.Clone()
+}

diff --git a/vendor/google.golang.org/grpc/credentials/credentials.go b/vendor/google.golang.org/grpc/credentials/credentials.go index 2475fe8..a851560 100644 --- a/vendor/google.golang.org/grpc/credentials/credentials.go +++ b/vendor/google.golang.org/grpc/credentials/credentials.go
@@ -23,6 +23,7 @@
23	package credentials // import "google.golang.org/grpc/credentials"	23	package credentials // import "google.golang.org/grpc/credentials"
24		24
25	import (	25	import (
		26	"context"
26	"crypto/tls"	27	"crypto/tls"
27	"crypto/x509"	28	"crypto/x509"
28	"errors"	29	"errors"
@@ -31,13 +32,12 @@ import (
31	"net"	32	"net"
32	"strings"	33	"strings"
33		34
34	"golang.org/x/net/context"	35	"github.com/golang/protobuf/proto"
		36	"google.golang.org/grpc/credentials/internal"
35	)	37	)
36		38
37	var (	39	// alpnProtoStr are the specified application level protocols for gRPC.
38	// alpnProtoStr are the specified application level protocols for gRPC.	40	var alpnProtoStr = []string{"h2"}
39	alpnProtoStr = []string{"h2"}
40	)
41		41
42	// PerRPCCredentials defines the common interface for the credentials which need to	42	// PerRPCCredentials defines the common interface for the credentials which need to
43	// attach security information to every RPC (e.g., oauth2).	43	// attach security information to every RPC (e.g., oauth2).
@@ -45,8 +45,9 @@ type PerRPCCredentials interface {
45	// GetRequestMetadata gets the current request metadata, refreshing	45	// GetRequestMetadata gets the current request metadata, refreshing
46	// tokens if required. This should be called by the transport layer on	46	// tokens if required. This should be called by the transport layer on
47	// each request, and the data should be populated in headers or other	47	// each request, and the data should be populated in headers or other
48	// context. uri is the URI of the entry point for the request. When	48	// context. If a status code is returned, it will be used as the status
49	// supported by the underlying implementation, ctx can be used for	49	// for the RPC. uri is the URI of the entry point for the request.
		50	// When supported by the underlying implementation, ctx can be used for
50	// timeout and cancellation.	51	// timeout and cancellation.
51	// TODO(zhaoq): Define the set of the qualified keys instead of leaving	52	// TODO(zhaoq): Define the set of the qualified keys instead of leaving
52	// it as an arbitrary string.	53	// it as an arbitrary string.
@@ -74,11 +75,9 @@ type AuthInfo interface {
74	AuthType() string	75	AuthType() string
75	}	76	}
76		77
77	var (	78	// ErrConnDispatched indicates that rawConn has been dispatched out of gRPC
78	// ErrConnDispatched indicates that rawConn has been dispatched out of gRPC	79	// and the caller should not close rawConn.
79	// and the caller should not close rawConn.	80	var ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
80	ErrConnDispatched = errors.New("credentials: rawConn is dispatched out of gRPC")
81	)
82		81
83	// TransportCredentials defines the common interface for all the live gRPC wire	82	// TransportCredentials defines the common interface for all the live gRPC wire
84	// protocols and supported transport security protocols (e.g., TLS, SSL).	83	// protocols and supported transport security protocols (e.g., TLS, SSL).
@@ -91,10 +90,14 @@ type TransportCredentials interface {
91	// (io.EOF, context.DeadlineExceeded or err.Temporary() == true).	90	// (io.EOF, context.DeadlineExceeded or err.Temporary() == true).
92	// If the returned error is a wrapper error, implementations should make sure that	91	// If the returned error is a wrapper error, implementations should make sure that
93	// the error implements Temporary() to have the correct retry behaviors.	92	// the error implements Temporary() to have the correct retry behaviors.
		93	//
		94	// If the returned net.Conn is closed, it MUST close the net.Conn provided.
94	ClientHandshake(context.Context, string, net.Conn) (net.Conn, AuthInfo, error)	95	ClientHandshake(context.Context, string, net.Conn) (net.Conn, AuthInfo, error)
95	// ServerHandshake does the authentication handshake for servers. It returns	96	// ServerHandshake does the authentication handshake for servers. It returns
96	// the authenticated connection and the corresponding auth information about	97	// the authenticated connection and the corresponding auth information about
97	// the connection.	98	// the connection.
		99	//
		100	// If the returned net.Conn is closed, it MUST close the net.Conn provided.
98	ServerHandshake(net.Conn) (net.Conn, AuthInfo, error)	101	ServerHandshake(net.Conn) (net.Conn, AuthInfo, error)
99	// Info provides the ProtocolInfo of this TransportCredentials.	102	// Info provides the ProtocolInfo of this TransportCredentials.
100	Info() ProtocolInfo	103	Info() ProtocolInfo
@@ -106,6 +109,25 @@ type TransportCredentials interface {
106	OverrideServerName(string) error	109	OverrideServerName(string) error
107	}	110	}
108		111
		112	// Bundle is a combination of TransportCredentials and PerRPCCredentials.
		113	//
		114	// It also contains a mode switching method, so it can be used as a combination
		115	// of different credential policies.
		116	//
		117	// Bundle cannot be used together with individual TransportCredentials.
		118	// PerRPCCredentials from Bundle will be appended to other PerRPCCredentials.
		119	//
		120	// This API is experimental.
		121	type Bundle interface {
		122	TransportCredentials() TransportCredentials
		123	PerRPCCredentials() PerRPCCredentials
		124	// NewWithMode should make a copy of Bundle, and switch mode. Modifying the
		125	// existing Bundle may cause races.
		126	//
		127	// NewWithMode returns nil if the requested mode is not supported.
		128	NewWithMode(mode string) (Bundle, error)
		129	}
		130
109	// TLSInfo contains the auth information for a TLS authenticated connection.	131	// TLSInfo contains the auth information for a TLS authenticated connection.
110	// It implements the AuthInfo interface.	132	// It implements the AuthInfo interface.
111	type TLSInfo struct {	133	type TLSInfo struct {
@@ -117,6 +139,18 @@ func (t TLSInfo) AuthType() string {
117	return "tls"	139	return "tls"
118	}	140	}
119		141
		142	// GetSecurityValue returns security info requested by channelz.
		143	func (t TLSInfo) GetSecurityValue() ChannelzSecurityValue {
		144	v := &TLSChannelzSecurityValue{
		145	StandardName: cipherSuiteLookup[t.State.CipherSuite],
		146	}
		147	// Currently there's no way to get LocalCertificate info from tls package.
		148	if len(t.State.PeerCertificates) > 0 {
		149	v.RemoteCertificate = t.State.PeerCertificates[0].Raw
		150	}
		151	return v
		152	}
		153
120	// tlsCreds is the credentials required for authenticating a connection using TLS.	154	// tlsCreds is the credentials required for authenticating a connection using TLS.
121	type tlsCreds struct {	155	type tlsCreds struct {
122	// TLS configuration	156	// TLS configuration
@@ -131,15 +165,15 @@ func (c tlsCreds) Info() ProtocolInfo {
131	}	165	}
132	}	166	}
133		167
134	func (c *tlsCreds) ClientHandshake(ctx context.Context, addr string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) {	168	func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (_ net.Conn, _ AuthInfo, err error) {
135	// use local cfg to avoid clobbering ServerName if using multiple endpoints	169	// use local cfg to avoid clobbering ServerName if using multiple endpoints
136	cfg := cloneTLSConfig(c.config)	170	cfg := cloneTLSConfig(c.config)
137	if cfg.ServerName == "" {	171	if cfg.ServerName == "" {
138	colonPos := strings.LastIndex(addr, ":")	172	colonPos := strings.LastIndex(authority, ":")
139	if colonPos == -1 {	173	if colonPos == -1 {
140	colonPos = len(addr)	174	colonPos = len(authority)
141	}	175	}
142	cfg.ServerName = addr[:colonPos]	176	cfg.ServerName = authority[:colonPos]
143	}	177	}
144	conn := tls.Client(rawConn, cfg)	178	conn := tls.Client(rawConn, cfg)
145	errChannel := make(chan error, 1)	179	errChannel := make(chan error, 1)
@@ -154,7 +188,7 @@ func (c *tlsCreds) ClientHandshake(ctx context.Context, addr string, rawConn net
154	case <-ctx.Done():	188	case <-ctx.Done():
155	return nil, nil, ctx.Err()	189	return nil, nil, ctx.Err()
156	}	190	}
157	return conn, TLSInfo{conn.ConnectionState()}, nil	191	return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState()}, nil
158	}	192	}
159		193
160	func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) {	194	func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) {
@@ -162,7 +196,7 @@ func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error)
162	if err := conn.Handshake(); err != nil {	196	if err := conn.Handshake(); err != nil {
163	return nil, nil, err	197	return nil, nil, err
164	}	198	}
165	return conn, TLSInfo{conn.ConnectionState()}, nil	199	return internal.WrapSyscallConn(rawConn, conn), TLSInfo{conn.ConnectionState()}, nil
166	}	200	}
167		201
168	func (c *tlsCreds) Clone() TransportCredentials {	202	func (c *tlsCreds) Clone() TransportCredentials {
@@ -217,3 +251,78 @@ func NewServerTLSFromFile(certFile, keyFile string) (TransportCredentials, error
217	}	251	}
218	return NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}}), nil	252	return NewTLS(&tls.Config{Certificates: []tls.Certificate{cert}}), nil
219	}	253	}
		254
		255	// ChannelzSecurityInfo defines the interface that security protocols should implement
		256	// in order to provide security info to channelz.
		257	type ChannelzSecurityInfo interface {
		258	GetSecurityValue() ChannelzSecurityValue
		259	}
		260
		261	// ChannelzSecurityValue defines the interface that GetSecurityValue() return value
		262	// should satisfy. This interface should only be satisfied by *TLSChannelzSecurityValue
		263	// and *OtherChannelzSecurityValue.
		264	type ChannelzSecurityValue interface {
		265	isChannelzSecurityValue()
		266	}
		267
		268	// TLSChannelzSecurityValue defines the struct that TLS protocol should return
		269	// from GetSecurityValue(), containing security info like cipher and certificate used.
		270	type TLSChannelzSecurityValue struct {
		271	StandardName string
		272	LocalCertificate []byte
		273	RemoteCertificate []byte
		274	}
		275
		276	func (*TLSChannelzSecurityValue) isChannelzSecurityValue() {}
		277
		278	// OtherChannelzSecurityValue defines the struct that non-TLS protocol should return
		279	// from GetSecurityValue(), which contains protocol specific security info. Note
		280	// the Value field will be sent to users of channelz requesting channel info, and
		281	// thus sensitive info should better be avoided.
		282	type OtherChannelzSecurityValue struct {
		283	Name string
		284	Value proto.Message
		285	}
		286
		287	func (*OtherChannelzSecurityValue) isChannelzSecurityValue() {}
		288
		289	var cipherSuiteLookup = map[uint16]string{
		290	tls.TLS_RSA_WITH_RC4_128_SHA: "TLS_RSA_WITH_RC4_128_SHA",
		291	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
		292	tls.TLS_RSA_WITH_AES_128_CBC_SHA: "TLS_RSA_WITH_AES_128_CBC_SHA",
		293	tls.TLS_RSA_WITH_AES_256_CBC_SHA: "TLS_RSA_WITH_AES_256_CBC_SHA",
		294	tls.TLS_RSA_WITH_AES_128_GCM_SHA256: "TLS_RSA_WITH_AES_128_GCM_SHA256",
		295	tls.TLS_RSA_WITH_AES_256_GCM_SHA384: "TLS_RSA_WITH_AES_256_GCM_SHA384",
		296	tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
		297	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
		298	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
		299	tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
		300	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
		301	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		302	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		303	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		304	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
		305	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		306	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
		307	tls.TLS_FALLBACK_SCSV: "TLS_FALLBACK_SCSV",
		308	tls.TLS_RSA_WITH_AES_128_CBC_SHA256: "TLS_RSA_WITH_AES_128_CBC_SHA256",
		309	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
		310	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		311	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
		312	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
		313	}
		314
		315	// cloneTLSConfig returns a shallow clone of the exported
		316	// fields of cfg, ignoring the unexported sync.Once, which
		317	// contains a mutex and must not be copied.
		318	//
		319	// If cfg is nil, a new zero tls.Config is returned.
		320	//
		321	// TODO: inline this function if possible.
		322	func cloneTLSConfig(cfg tls.Config) tls.Config {
		323	if cfg == nil {
		324	return &tls.Config{}
		325	}
		326
		327	return cfg.Clone()
		328	}