github.com/hellobchain/newcryptosm@v0.0.0-20221019060107-edb949a317e9/tls/cipher_suites.go (about)

     1  /*
     2  Copyright Suzhou Tongji Fintech Research Institute 2017 All Rights Reserved.
     3  Licensed under the Apache License, Version 2.0 (the "License");
     4  you may not use this file except in compliance with the License.
     5  You may obtain a copy of the License at
     6  
     7  	http://www.apache.org/licenses/LICENSE-2.0
     8  
     9  Unless required by applicable law or agreed to in writing, software
    10  distributed under the License is distributed on an "AS IS" BASIS,
    11  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  See the License for the specific language governing permissions and
    13  limitations under the License.
    14  */
    15  
    16  package tls
    17  
    18  import (
    19  	"crypto/aes"
    20  	"crypto/cipher"
    21  	"crypto/des"
    22  	"crypto/hmac"
    23  	"crypto/rc4"
    24  	"crypto/sha1"
    25  	"crypto/sha256"
    26  	"fmt"
    27  	"github.com/hellobchain/newcryptosm/sm3"
    28  	"github.com/hellobchain/newcryptosm/sm4"
    29  	"github.com/hellobchain/newcryptosm/x509"
    30  	"hash"
    31  
    32  	"golang.org/x/crypto/chacha20poly1305"
    33  )
    34  
    35  // a keyAgreement implements the client and server side of a TLS key agreement
    36  // protocol by generating and processing key exchange messages.
    37  type keyAgreement interface {
    38  	// On the server side, the first two methods are called in order.
    39  
    40  	// In the case that the key agreement protocol doesn't use a
    41  	// ServerKeyExchange message, generateServerKeyExchange can return nil,
    42  	// nil.
    43  	generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
    44  	processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
    45  
    46  	// On the client side, the next two methods are called in order.
    47  
    48  	// This method may not be called if the server doesn't send a
    49  	// ServerKeyExchange message.
    50  	processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error
    51  	generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error)
    52  }
    53  
    54  // wsw add sm2
    55  const (
    56  	// suiteECDH indicates that the cipher suite involves elliptic curve
    57  	// Diffie-Hellman. This means that it should only be selected when the
    58  	// client indicates that it supports ECC with a curve and point format
    59  	// that we're happy with.
    60  	suiteECDHE = 1 << iota
    61  	// suiteSM2E indicates that the cipher suite involves elliptic curve
    62  	// Diffie-Hellman. This means that it should only be selected when the
    63  	// client indicates that it supports SM2 with a curve and point format
    64  	// that we're happy with.
    65  	suiteSM2E
    66  	// suiteECDSA indicates that the cipher suite involves an ECDSA
    67  	// signature and therefore may only be selected when the server's
    68  	// certificate is ECDSA. If this is not set then the cipher suite is
    69  	// RSA based.
    70  	suiteECDSA
    71  	// suiteSM2 indicates that the cipher suite involves an SM2
    72  	// signature and therefore may only be selected when the server's
    73  	// certificate is SM2.
    74  	suiteSM2
    75  	// suiteTLS12 indicates that the cipher suite should only be advertised
    76  	// and accepted when using TLS 1.2.
    77  	suiteTLS12
    78  	// suiteSHA384 indicates that the cipher suite uses SHA384 as the
    79  	// handshake hash.
    80  	suiteSHA384
    81  	// suiteDefaultOff indicates that this cipher suite is not included by
    82  	// default.
    83  	suiteDefaultOff
    84  )
    85  
    86  var mapFlags = map[int]string{
    87  	suiteECDHE:      "suiteECDHE",
    88  	suiteSM2E:       "suiteSM2E",
    89  	suiteECDSA:      "suiteECDSA",
    90  	suiteSM2:        "suiteSM2",
    91  	suiteTLS12:      "suiteTLS12",
    92  	suiteSHA384:     "suiteSHA384",
    93  	suiteDefaultOff: "suiteDefaultOff",
    94  }
    95  
    96  // A cipherSuite is a specific combination of key agreement, cipher and MAC
    97  // function. All cipher suites currently assume RSA key agreement.
    98  type cipherSuite struct {
    99  	id uint16
   100  	// the lengths, in bytes, of the key material needed for each component.
   101  	keyLen int
   102  	macLen int
   103  	ivLen  int
   104  	ka     func(version uint16) keyAgreement
   105  	// flags is a bitmask of the suite* values, above.
   106  	flags  int
   107  	cipher func(key, iv []byte, isRead bool) interface{}
   108  	mac    func(version uint16, macKey []byte) macFunction
   109  	aead   func(key, fixedNonce []byte) cipher.AEAD
   110  }
   111  
   112  func (c *cipherSuite) String() string {
   113  	var flagsStr string
   114  	var flags = []int{suiteECDHE, suiteSM2E, suiteECDSA, suiteSM2, suiteTLS12, suiteSHA384, suiteDefaultOff}
   115  	for _, flag := range flags {
   116  		if c.flags&flag != 0 {
   117  			flagsStr = fmt.Sprintf("%s|%v", flagsStr, mapFlags[flag])
   118  		}
   119  	}
   120  	return fmt.Sprintf("id:%v\nkeyLen:%v\nmacLen:%v\nivLen:%v\nflags:%v\n",
   121  		mapId[c.id], c.keyLen, c.macLen, c.ivLen, flagsStr)
   122  }
   123  
   124  var cipherSuites = []*cipherSuite{
   125  	// Ciphersuite order is chosen so that ECDHE comes before plain RSA and
   126  	// AEADs are the top preference.
   127  	{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
   128  	{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadChaCha20Poly1305},
   129  	{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM},
   130  	{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12, nil, nil, aeadAESGCM},
   131  	{TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
   132  	{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
   133  	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
   134  	{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
   135  	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
   136  	{TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
   137  	{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil},
   138  	{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECDSA, cipherAES, macSHA1, nil},
   139  	{TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM},
   140  	{TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM},
   141  	{TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12 | suiteDefaultOff, cipherAES, macSHA256, nil},
   142  	{TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
   143  	{TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil},
   144  	{TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil},
   145  	{TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil},
   146  	{TLS_ECDHE_SM2_WITH_SM4_SM3, 16, 20, 16, ecdheSM2KA, suiteECDHE | suiteSM2 | suiteTLS12, cipherSM4, macSM3, nil},
   147  	{TLS_SM2_WITH_SM4_SM3, 16, 20, 16, sm2KA, suiteSM2E | suiteSM2 | suiteTLS12, cipherSM4, macSM3, nil},
   148  	{TLS_SM4_GCM_SM3, 16, 0, 4, sm2KA, suiteSM2E | suiteSM2 | suiteTLS12, nil, nil, aeadSM4GCM},
   149  	{TLS_SM4_CCM_SM3, 16, 0, 4, sm2KA, suiteSM2E | suiteSM2 | suiteTLS12, nil, nil, aeadSM4GCM},
   150  	// RC4-based cipher suites are disabled by default.
   151  	{TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, suiteDefaultOff, cipherRC4, macSHA1, nil},
   152  	{TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE | suiteDefaultOff, cipherRC4, macSHA1, nil},
   153  	{TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECDSA | suiteDefaultOff, cipherRC4, macSHA1, nil},
   154  }
   155  
   156  func cipherRC4(key, iv []byte, isRead bool) interface{} {
   157  	cipher, _ := rc4.NewCipher(key)
   158  	return cipher
   159  }
   160  
   161  func cipher3DES(key, iv []byte, isRead bool) interface{} {
   162  	block, _ := des.NewTripleDESCipher(key)
   163  	if isRead {
   164  		return cipher.NewCBCDecrypter(block, iv)
   165  	}
   166  	return cipher.NewCBCEncrypter(block, iv)
   167  }
   168  
   169  func cipherAES(key, iv []byte, isRead bool) interface{} {
   170  	block, _ := aes.NewCipher(key)
   171  	if isRead {
   172  		return cipher.NewCBCDecrypter(block, iv)
   173  	}
   174  	return cipher.NewCBCEncrypter(block, iv)
   175  }
   176  
   177  func cipherSM4(key, iv []byte, isRead bool) interface{} {
   178  	block, _ := sm4.NewCipher(key)
   179  	if isRead {
   180  		return cipher.NewCBCDecrypter(block, iv)
   181  	}
   182  	return cipher.NewCBCEncrypter(block, iv)
   183  }
   184  
   185  // macSHA1 returns a macFunction for the given protocol version.
   186  func macSHA1(version uint16, key []byte) macFunction {
   187  	if version == VersionSSL30 {
   188  		mac := ssl30MAC{
   189  			h:   sha1.New(),
   190  			key: make([]byte, len(key)),
   191  		}
   192  		copy(mac.key, key)
   193  		return mac
   194  	}
   195  	return tls10MAC{hmac.New(newConstantTimeHash(sha1.New), key)}
   196  }
   197  
   198  // macSHA256 returns a SHA-256 based MAC. These are only supported in TLS 1.2
   199  // so the given version is ignored.
   200  func macSHA256(version uint16, key []byte) macFunction {
   201  	return tls10MAC{hmac.New(sha256.New, key)}
   202  }
   203  
   204  // macSM3 returns a SM3 based MAC. These are only supported in TLS 1.2
   205  // so the given version is ignored.
   206  func macSM3(version uint16, key []byte) macFunction {
   207  	return tls10MAC{hmac.New(sm3.New, key)}
   208  }
   209  
   210  type macFunction interface {
   211  	Size() int
   212  	MAC(digestBuf, seq, header, data, extra []byte) []byte
   213  }
   214  
   215  type aead interface {
   216  	cipher.AEAD
   217  
   218  	// explicitIVLen returns the number of bytes used by the explicit nonce
   219  	// that is included in the record. This is eight for older AEADs and
   220  	// zero for modern ones.
   221  	explicitNonceLen() int
   222  }
   223  
   224  // fixedNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to
   225  // each call.
   226  type fixedNonceAEAD struct {
   227  	// nonce contains the fixed part of the nonce in the first four bytes.
   228  	nonce [12]byte
   229  	aead  cipher.AEAD
   230  }
   231  
   232  func (f *fixedNonceAEAD) NonceSize() int        { return 8 }
   233  func (f *fixedNonceAEAD) Overhead() int         { return f.aead.Overhead() }
   234  func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }
   235  
   236  func (f *fixedNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
   237  	copy(f.nonce[4:], nonce)
   238  	return f.aead.Seal(out, f.nonce[:], plaintext, additionalData)
   239  }
   240  
   241  func (f *fixedNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
   242  	copy(f.nonce[4:], nonce)
   243  	return f.aead.Open(out, f.nonce[:], plaintext, additionalData)
   244  }
   245  
   246  // xoredNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce
   247  // before each call.
   248  type xorNonceAEAD struct {
   249  	nonceMask [12]byte
   250  	aead      cipher.AEAD
   251  }
   252  
   253  func (f *xorNonceAEAD) NonceSize() int        { return 8 }
   254  func (f *xorNonceAEAD) Overhead() int         { return f.aead.Overhead() }
   255  func (f *xorNonceAEAD) explicitNonceLen() int { return 0 }
   256  
   257  func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte {
   258  	for i, b := range nonce {
   259  		f.nonceMask[4+i] ^= b
   260  	}
   261  	result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData)
   262  	for i, b := range nonce {
   263  		f.nonceMask[4+i] ^= b
   264  	}
   265  
   266  	return result
   267  }
   268  
   269  func (f *xorNonceAEAD) Open(out, nonce, plaintext, additionalData []byte) ([]byte, error) {
   270  	for i, b := range nonce {
   271  		f.nonceMask[4+i] ^= b
   272  	}
   273  	result, err := f.aead.Open(out, f.nonceMask[:], plaintext, additionalData)
   274  	for i, b := range nonce {
   275  		f.nonceMask[4+i] ^= b
   276  	}
   277  
   278  	return result, err
   279  }
   280  
   281  func aeadAESGCM(key, fixedNonce []byte) cipher.AEAD {
   282  	aes, err := aes.NewCipher(key)
   283  	if err != nil {
   284  		panic(err)
   285  	}
   286  	aead, err := cipher.NewGCM(aes)
   287  	if err != nil {
   288  		panic(err)
   289  	}
   290  
   291  	ret := &fixedNonceAEAD{aead: aead}
   292  	copy(ret.nonce[:], fixedNonce)
   293  	return ret
   294  }
   295  
   296  func aeadSM4GCM(key, fixedNonce []byte) cipher.AEAD {
   297  	sm4, err := sm4.NewCipher(key)
   298  	if err != nil {
   299  		panic(err)
   300  	}
   301  	aead, err := cipher.NewGCM(sm4)
   302  	if err != nil {
   303  		panic(err)
   304  	}
   305  
   306  	ret := &fixedNonceAEAD{aead: aead}
   307  	copy(ret.nonce[:], fixedNonce)
   308  	return ret
   309  }
   310  
   311  func aeadChaCha20Poly1305(key, fixedNonce []byte) cipher.AEAD {
   312  	aead, err := chacha20poly1305.New(key)
   313  	if err != nil {
   314  		panic(err)
   315  	}
   316  
   317  	ret := &xorNonceAEAD{aead: aead}
   318  	copy(ret.nonceMask[:], fixedNonce)
   319  	return ret
   320  }
   321  
   322  // ssl30MAC implements the SSLv3 MAC function, as defined in
   323  // www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt section 5.2.3.1
   324  type ssl30MAC struct {
   325  	h   hash.Hash
   326  	key []byte
   327  }
   328  
   329  func (s ssl30MAC) Size() int {
   330  	return s.h.Size()
   331  }
   332  
   333  var ssl30Pad1 = [48]byte{0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36}
   334  
   335  var ssl30Pad2 = [48]byte{0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c}
   336  
   337  // MAC does not offer constant timing guarantees for SSL v3.0, since it's deemed
   338  // useless considering the similar, protocol-level POODLE vulnerability.
   339  func (s ssl30MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {
   340  	padLength := 48
   341  	if s.h.Size() == 20 {
   342  		padLength = 40
   343  	}
   344  
   345  	s.h.Reset()
   346  	s.h.Write(s.key)
   347  	s.h.Write(ssl30Pad1[:padLength])
   348  	s.h.Write(seq)
   349  	s.h.Write(header[:1])
   350  	s.h.Write(header[3:5])
   351  	s.h.Write(data)
   352  	digestBuf = s.h.Sum(digestBuf[:0])
   353  
   354  	s.h.Reset()
   355  	s.h.Write(s.key)
   356  	s.h.Write(ssl30Pad2[:padLength])
   357  	s.h.Write(digestBuf)
   358  	return s.h.Sum(digestBuf[:0])
   359  }
   360  
   361  type constantTimeHash interface {
   362  	hash.Hash
   363  	ConstantTimeSum(b []byte) []byte
   364  }
   365  
   366  // cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces
   367  // with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC.
   368  type cthWrapper struct {
   369  	h constantTimeHash
   370  }
   371  
   372  func (c *cthWrapper) Size() int                   { return c.h.Size() }
   373  func (c *cthWrapper) BlockSize() int              { return c.h.BlockSize() }
   374  func (c *cthWrapper) Reset()                      { c.h.Reset() }
   375  func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) }
   376  func (c *cthWrapper) Sum(b []byte) []byte         { return c.h.ConstantTimeSum(b) }
   377  
   378  func newConstantTimeHash(h func() hash.Hash) func() hash.Hash {
   379  	return func() hash.Hash {
   380  		return &cthWrapper{h().(constantTimeHash)}
   381  	}
   382  }
   383  
   384  // tls10MAC implements the TLS 1.0 MAC function. RFC 2246, section 6.2.3.
   385  type tls10MAC struct {
   386  	h hash.Hash
   387  }
   388  
   389  func (s tls10MAC) Size() int {
   390  	return s.h.Size()
   391  }
   392  
   393  // MAC is guaranteed to take constant time, as long as
   394  // len(seq)+len(header)+len(data)+len(extra) is constant. extra is not fed into
   395  // the MAC, but is only provided to make the timing profile constant.
   396  func (s tls10MAC) MAC(digestBuf, seq, header, data, extra []byte) []byte {
   397  	s.h.Reset()
   398  	s.h.Write(seq)
   399  	s.h.Write(header)
   400  	s.h.Write(data)
   401  	res := s.h.Sum(digestBuf[:0])
   402  	if extra != nil {
   403  		s.h.Write(extra)
   404  	}
   405  	return res
   406  }
   407  
   408  func rsaKA(version uint16) keyAgreement {
   409  	return rsaKeyAgreement{}
   410  }
   411  
   412  func ecdheECDSAKA(version uint16) keyAgreement {
   413  	return &ecdheKeyAgreement{
   414  		sigType: signatureECDSA,
   415  		version: version,
   416  	}
   417  }
   418  
   419  func ecdheSM2KA(version uint16) keyAgreement {
   420  	return &ecdheKeyAgreement{
   421  		sigType: signatureSM2,
   422  		version: version,
   423  	}
   424  }
   425  
   426  func ecdheRSAKA(version uint16) keyAgreement {
   427  	return &ecdheKeyAgreement{
   428  		sigType: signatureRSA,
   429  		version: version,
   430  	}
   431  }
   432  
   433  func sm2KA(version uint16) keyAgreement {
   434  	return &sm2KeyAgreement{
   435  		sigType: signatureSM2,
   436  		version: version,
   437  	}
   438  }
   439  
   440  // mutualCipherSuite returns a cipherSuite given a list of supported
   441  // ciphersuites and the id requested by the peer.
   442  func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
   443  	for _, id := range have {
   444  		if id == want {
   445  			for _, suite := range cipherSuites {
   446  				if suite.id == want {
   447  					return suite
   448  				}
   449  			}
   450  			return nil
   451  		}
   452  	}
   453  	return nil
   454  }
   455  
   456  // A list of cipher suite IDs that are, or have been, implemented by this
   457  // package.
   458  //
   459  // Taken from http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
   460  const (
   461  	TLS_RSA_WITH_RC4_128_SHA                uint16 = 0x0005
   462  	TLS_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0x000a
   463  	TLS_RSA_WITH_AES_128_CBC_SHA            uint16 = 0x002f
   464  	TLS_RSA_WITH_AES_256_CBC_SHA            uint16 = 0x0035
   465  	TLS_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0x003c
   466  	TLS_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0x009c
   467  	TLS_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0x009d
   468  	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        uint16 = 0xc007
   469  	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    uint16 = 0xc009
   470  	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    uint16 = 0xc00a
   471  	TLS_ECDHE_RSA_WITH_RC4_128_SHA          uint16 = 0xc011
   472  	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0xc012
   473  	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0xc013
   474  	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0xc014
   475  	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
   476  	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   uint16 = 0xc027
   477  	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   uint16 = 0xc02f
   478  	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
   479  	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   uint16 = 0xc030
   480  	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
   481  	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    uint16 = 0xcca8
   482  	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305  uint16 = 0xcca9
   483  	TLS_ECDHE_SM2_WITH_SM4_SM3              uint16 = 0xe031 // wsw add
   484  	TLS_SM2_WITH_SM4_SM3                    uint16 = 0xe033 // wsw add
   485  	TLS_SM4_GCM_SM3                         uint16 = 0x00c6 // wsw add
   486  	TLS_SM4_CCM_SM3                         uint16 = 0x00c7 // wsw add
   487  	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
   488  	// that the client is doing version fallback. See
   489  	// https://tools.ietf.org/html/rfc7507.
   490  	TLS_FALLBACK_SCSV uint16 = 0x5600
   491  )
   492  
   493  var mapId = map[uint16]string{
   494  	TLS_RSA_WITH_RC4_128_SHA:                "TLS_RSA_WITH_RC4_128_SHA",
   495  	TLS_RSA_WITH_3DES_EDE_CBC_SHA:           "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
   496  	TLS_RSA_WITH_AES_128_CBC_SHA:            "TLS_RSA_WITH_AES_128_CBC_SHA",
   497  	TLS_RSA_WITH_AES_256_CBC_SHA:            "TLS_RSA_WITH_AES_256_CBC_SHA",
   498  	TLS_RSA_WITH_AES_128_CBC_SHA256:         "TLS_RSA_WITH_AES_128_CBC_SHA256",
   499  	TLS_RSA_WITH_AES_128_GCM_SHA256:         "TLS_RSA_WITH_AES_128_GCM_SHA256",
   500  	TLS_RSA_WITH_AES_256_GCM_SHA384:         "TLS_RSA_WITH_AES_256_GCM_SHA384",
   501  	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
   502  	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
   503  	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
   504  	TLS_ECDHE_RSA_WITH_RC4_128_SHA:          "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
   505  	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:     "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
   506  	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
   507  	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
   508  	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
   509  	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:   "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
   510  	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
   511  	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
   512  	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
   513  	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
   514  	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
   515  	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:  "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
   516  	TLS_ECDHE_SM2_WITH_SM4_SM3:              "TLS_ECDHE_SM2_WITH_SM4_SM3", // wsw add
   517  	TLS_SM2_WITH_SM4_SM3:                    "TLS_SM2_WITH_SM4_SM3",       // wsw add
   518  	TLS_SM4_GCM_SM3:                         "TLS_SM4_GCM_SM3",            // wsw add
   519  	TLS_SM4_CCM_SM3:                         "TLS_SM4_CCM_SM3",            // wsw add
   520  	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
   521  	// that the client is doing version fallback. See
   522  	// https://tools.ietf.org/html/rfc7507.
   523  	TLS_FALLBACK_SCSV: "TLS_FALLBACK_SCSV",
   524  }