vendor: Updated quic-go for QUIC 39+ (#1968)

* Updated lucas-clemente/quic-go for QUIC 39+ support

* Update quic-go to latest

vendor/github.com/bifurcation/mint/LICENSE.md

+The MIT License (MIT)
+
+Copyright (c) 2016 Richard Barnes
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

vendor/github.com/bifurcation/mint/alert.go

+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package mint
+
+import "strconv"
+
+type Alert uint8
+
+const (
+	// alert level
+	AlertLevelWarning = 1
+	AlertLevelError   = 2
+)
+
+const (
+	AlertCloseNotify                 Alert = 0
+	AlertUnexpectedMessage           Alert = 10
+	AlertBadRecordMAC                Alert = 20
+	AlertDecryptionFailed            Alert = 21
+	AlertRecordOverflow              Alert = 22
+	AlertDecompressionFailure        Alert = 30
+	AlertHandshakeFailure            Alert = 40
+	AlertBadCertificate              Alert = 42
+	AlertUnsupportedCertificate      Alert = 43
+	AlertCertificateRevoked          Alert = 44
+	AlertCertificateExpired          Alert = 45
+	AlertCertificateUnknown          Alert = 46
+	AlertIllegalParameter            Alert = 47
+	AlertUnknownCA                   Alert = 48
+	AlertAccessDenied                Alert = 49
+	AlertDecodeError                 Alert = 50
+	AlertDecryptError                Alert = 51
+	AlertProtocolVersion             Alert = 70
+	AlertInsufficientSecurity        Alert = 71
+	AlertInternalError               Alert = 80
+	AlertInappropriateFallback       Alert = 86
+	AlertUserCanceled                Alert = 90
+	AlertNoRenegotiation             Alert = 100
+	AlertMissingExtension            Alert = 109
+	AlertUnsupportedExtension        Alert = 110
+	AlertCertificateUnobtainable     Alert = 111
+	AlertUnrecognizedName            Alert = 112
+	AlertBadCertificateStatsResponse Alert = 113
+	AlertBadCertificateHashValue     Alert = 114
+	AlertUnknownPSKIdentity          Alert = 115
+	AlertNoApplicationProtocol       Alert = 120
+	AlertWouldBlock                  Alert = 254
+	AlertNoAlert                     Alert = 255
+)
+
+var alertText = map[Alert]string{
+	AlertCloseNotify:                 "close notify",
+	AlertUnexpectedMessage:           "unexpected message",
+	AlertBadRecordMAC:                "bad record MAC",
+	AlertDecryptionFailed:            "decryption failed",
+	AlertRecordOverflow:              "record overflow",
+	AlertDecompressionFailure:        "decompression failure",
+	AlertHandshakeFailure:            "handshake failure",
+	AlertBadCertificate:              "bad certificate",
+	AlertUnsupportedCertificate:      "unsupported certificate",
+	AlertCertificateRevoked:          "revoked certificate",
+	AlertCertificateExpired:          "expired certificate",
+	AlertCertificateUnknown:          "unknown certificate",
+	AlertIllegalParameter:            "illegal parameter",
+	AlertUnknownCA:                   "unknown certificate authority",
+	AlertAccessDenied:                "access denied",
+	AlertDecodeError:                 "error decoding message",
+	AlertDecryptError:                "error decrypting message",
+	AlertProtocolVersion:             "protocol version not supported",
+	AlertInsufficientSecurity:        "insufficient security level",
+	AlertInternalError:               "internal error",
+	AlertInappropriateFallback:       "inappropriate fallback",
+	AlertUserCanceled:                "user canceled",
+	AlertMissingExtension:            "missing extension",
+	AlertUnsupportedExtension:        "unsupported extension",
+	AlertCertificateUnobtainable:     "certificate unobtainable",
+	AlertUnrecognizedName:            "unrecognized name",
+	AlertBadCertificateStatsResponse: "bad certificate status response",
+	AlertBadCertificateHashValue:     "bad certificate hash value",
+	AlertUnknownPSKIdentity:          "unknown PSK identity",
+	AlertNoApplicationProtocol:       "no application protocol",
+	AlertNoRenegotiation:             "no renegotiation",
+	AlertWouldBlock:                  "would have blocked",
+	AlertNoAlert:                     "no alert",
+}
+
+func (e Alert) String() string {
+	s, ok := alertText[e]
+	if ok {
+		return s
+	}
+	return "alert(" + strconv.Itoa(int(e)) + ")"
+}
+
+func (e Alert) Error() string {
+	return e.String()
+}

vendor/github.com/bifurcation/mint/bin/mint-client-https/main.go

+package main
+
+import (
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"os"
+
+	"github.com/bifurcation/mint"
+)
+
+var url string
+
+func main() {
+	url := flag.String("url", "https://localhost:4430", "URL to send request")
+	flag.Parse()
+	mintdial := func(network, addr string) (net.Conn, error) {
+		return mint.Dial(network, addr, nil)
+	}
+
+	tr := &http.Transport{
+		DialTLS:            mintdial,
+		DisableCompression: true,
+	}
+	client := &http.Client{Transport: tr}
+
+	response, err := client.Get(*url)
+	if err != nil {
+		fmt.Println("err:", err)
+		return
+	}
+	defer response.Body.Close()
+
+	contents, err := ioutil.ReadAll(response.Body)
+	if err != nil {
+		fmt.Printf("%s", err)
+		os.Exit(1)
+	}
+	fmt.Printf("%s\n", string(contents))
+}

vendor/github.com/bifurcation/mint/bin/mint-client/main.go

+package main
+
+import (
+	"flag"
+	"fmt"
+
+	"github.com/bifurcation/mint"
+)
+
+var addr string
+
+func main() {
+	flag.StringVar(&addr, "addr", "localhost:4430", "port")
+	flag.Parse()
+
+	conn, err := mint.Dial("tcp", addr, nil)
+
+	if err != nil {
+		fmt.Println("TLS handshake failed:", err)
+		return
+	}
+
+	request := "GET / HTTP/1.0\r\n\r\n"
+	conn.Write([]byte(request))
+
+	response := ""
+	buffer := make([]byte, 1024)
+	var read int
+	for err == nil {
+		read, err = conn.Read(buffer)
+		fmt.Println(" ~~ read: ", read)
+		response += string(buffer)
+	}
+	fmt.Println("err:", err)
+	fmt.Println("Received from server:")
+	fmt.Println(response)
+}

vendor/github.com/bifurcation/mint/bin/mint-server-https/main.go

+package main
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"flag"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+
+	"github.com/bifurcation/mint"
+	"golang.org/x/net/http2"
+)
+
+var (
+	port         string
+	serverName   string
+	certFile     string
+	keyFile      string
+	responseFile string
+	h2           bool
+	sendTickets  bool
+)
+
+type responder []byte
+
+func (rsp responder) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	w.Write(rsp)
+}
+
+// ParsePrivateKeyDER parses a PKCS #1, PKCS #8, or elliptic curve
+// PEM-encoded private key.
+// XXX: Inlined from github.com/cloudflare/cfssl because of build issues with that module
+func ParsePrivateKeyPEM(keyPEM []byte) (key crypto.Signer, err error) {
+	keyDER, _ := pem.Decode(keyPEM)
+	if keyDER == nil {
+		return nil, err
+	}
+
+	generalKey, err := x509.ParsePKCS8PrivateKey(keyDER.Bytes)
+	if err != nil {
+		generalKey, err = x509.ParsePKCS1PrivateKey(keyDER.Bytes)
+		if err != nil {
+			generalKey, err = x509.ParseECPrivateKey(keyDER.Bytes)
+			if err != nil {
+				// We don't include the actual error into
+				// the final error. The reason might be
+				// we don't want to leak any info about
+				// the private key.
+				return nil, fmt.Errorf("No successful private key decoder")
+			}
+		}
+	}
+
+	switch generalKey.(type) {
+	case *rsa.PrivateKey:
+		return generalKey.(*rsa.PrivateKey), nil
+	case *ecdsa.PrivateKey:
+		return generalKey.(*ecdsa.PrivateKey), nil
+	}
+
+	// should never reach here
+	return nil, fmt.Errorf("Should be unreachable")
+}
+
+// ParseOneCertificateFromPEM attempts to parse one PEM encoded certificate object,
+// either a raw x509 certificate or a PKCS #7 structure possibly containing
+// multiple certificates, from the top of certsPEM, which itself may
+// contain multiple PEM encoded certificate objects.
+// XXX: Inlined from github.com/cloudflare/cfssl because of build issues with that module
+func ParseOneCertificateFromPEM(certsPEM []byte) ([]*x509.Certificate, []byte, error) {
+	block, rest := pem.Decode(certsPEM)
+	if block == nil {
+		return nil, rest, nil
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	var certs = []*x509.Certificate{cert}
+	return certs, rest, err
+}
+
+// ParseCertificatesPEM parses a sequence of PEM-encoded certificate and returns them,
+// can handle PEM encoded PKCS #7 structures.
+// XXX: Inlined from github.com/cloudflare/cfssl because of build issues with that module
+func ParseCertificatesPEM(certsPEM []byte) ([]*x509.Certificate, error) {
+	var certs []*x509.Certificate
+	var err error
+	certsPEM = bytes.TrimSpace(certsPEM)
+	for len(certsPEM) > 0 {
+		var cert []*x509.Certificate
+		cert, certsPEM, err = ParseOneCertificateFromPEM(certsPEM)
+		if err != nil {
+			return nil, err
+		} else if cert == nil {
+			break
+		}
+
+		certs = append(certs, cert...)
+	}
+	if len(certsPEM) > 0 {
+		return nil, fmt.Errorf("Trailing PEM data")
+	}
+	return certs, nil
+}
+
+func main() {
+	flag.StringVar(&port, "port", "4430", "port")
+	flag.StringVar(&serverName, "host", "example.com", "hostname")
+	flag.StringVar(&certFile, "cert", "", "certificate chain in PEM or DER")
+	flag.StringVar(&keyFile, "key", "", "private key in PEM format")
+	flag.StringVar(&responseFile, "response", "", "file to serve")
+	flag.BoolVar(&h2, "h2", false, "whether to use HTTP/2 (exclusively)")
+	flag.BoolVar(&sendTickets, "tickets", true, "whether to send session tickets")
+	flag.Parse()
+
+	var certChain []*x509.Certificate
+	var priv crypto.Signer
+	var response []byte
+	var err error
+
+	// Load the key and certificate chain
+	if certFile != "" {
+		certs, err := ioutil.ReadFile(certFile)
+		if err != nil {
+			log.Fatalf("Error: %v", err)
+		} else {
+			certChain, err = ParseCertificatesPEM(certs)
+			if err != nil {
+				certChain, err = x509.ParseCertificates(certs)
+				if err != nil {
+					log.Fatalf("Error parsing certificates: %v", err)
+				}
+			}
+		}
+	}
+	if keyFile != "" {
+		keyPEM, err := ioutil.ReadFile(keyFile)
+		if err != nil {
+			log.Fatalf("Error: %v", err)
+		} else {
+			priv, err = ParsePrivateKeyPEM(keyPEM)
+			if priv == nil || err != nil {
+				log.Fatalf("Error parsing private key: %v", err)
+			}
+		}
+	}
+	if err != nil {
+		log.Fatalf("Error: %v", err)
+	}
+
+	// Load response file
+	if responseFile != "" {
+		log.Printf("Loading response file: %v", responseFile)
+		response, err = ioutil.ReadFile(responseFile)
+		if err != nil {
+			log.Fatalf("Error: %v", err)
+		}
+	} else {
+		response = []byte("Welcome to the TLS 1.3 zone!")
+	}
+	handler := responder(response)
+
+	config := mint.Config{
+		SendSessionTickets: true,
+		ServerName:         serverName,
+		NextProtos:         []string{"http/1.1"},
+	}
+
+	if h2 {
+		config.NextProtos = []string{"h2"}
+	}
+
+	config.SendSessionTickets = sendTickets
+
+	if certChain != nil && priv != nil {
+		log.Printf("Loading cert: %v key: %v", certFile, keyFile)
+		config.Certificates = []*mint.Certificate{
+			{
+				Chain:      certChain,
+				PrivateKey: priv,
+			},
+		}
+	}
+	config.Init(false)
+
+	service := "0.0.0.0:" + port
+	srv := &http.Server{Handler: handler}
+
+	log.Printf("Listening on port %v", port)
+	// Need the inner loop here because the h1 server errors on a dropped connection
+	// Need the outer loop here because the h2 server is per-connection
+	for {
+		listener, err := mint.Listen("tcp", service, &config)
+		if err != nil {
+			log.Printf("Listen Error: %v", err)
+			continue
+		}
+
+		if !h2 {
+			alert := srv.Serve(listener)
+			if alert != mint.AlertNoAlert {
+				log.Printf("Serve Error: %v", err)
+			}
+		} else {
+			srv2 := new(http2.Server)
+			opts := &http2.ServeConnOpts{
+				Handler:    handler,
+				BaseConfig: srv,
+			}
+
+			for {
+				conn, err := listener.Accept()
+				if err != nil {
+					log.Printf("Accept error: %v", err)
+					continue
+				}
+				go srv2.ServeConn(conn, opts)
+			}
+		}
+	}
+}

vendor/github.com/bifurcation/mint/bin/mint-server/main.go

+package main
+
+import (
+	"flag"
+	"log"
+	"net"
+
+	"github.com/bifurcation/mint"
+)
+
+var port string
+
+func main() {
+	var config mint.Config
+	config.SendSessionTickets = true
+	config.ServerName = "localhost"
+	config.Init(false)
+
+	flag.StringVar(&port, "port", "4430", "port")
+	flag.Parse()
+
+	service := "0.0.0.0:" + port
+	listener, err := mint.Listen("tcp", service, &config)
+
+	if err != nil {
+		log.Fatalf("server: listen: %s", err)
+	}
+	log.Print("server: listening")
+
+	for {
+		conn, err := listener.Accept()
+		if err != nil {
+			log.Printf("server: accept: %s", err)
+			break
+		}
+		defer conn.Close()
+		log.Printf("server: accepted from %s", conn.RemoteAddr())
+		go handleClient(conn)
+	}
+}
+
+func handleClient(conn net.Conn) {
+	defer conn.Close()
+	buf := make([]byte, 10)
+	for {
+		log.Print("server: conn: waiting")
+		n, err := conn.Read(buf)
+		if err != nil {
+			if err != nil {
+				log.Printf("server: conn: read: %s", err)
+			}
+			break
+		}
+
+		n, err = conn.Write([]byte("hello world"))
+		log.Printf("server: conn: wrote %d bytes", n)
+
+		if err != nil {
+			log.Printf("server: write: %s", err)
+			break
+		}
+		break
+	}
+	log.Println("server: conn: closed")
+}

vendor/github.com/bifurcation/mint/common.go

+package mint
+
+import (
+	"fmt"
+	"strconv"
+)
+
+var (
+	supportedVersion uint16 = 0x7f15 // draft-21
+
+	// Flags for some minor compat issues
+	allowWrongVersionNumber = true
+	allowPKCS1              = true
+)
+
+// enum {...} ContentType;
+type RecordType byte
+
+const (
+	RecordTypeAlert           RecordType = 21
+	RecordTypeHandshake       RecordType = 22
+	RecordTypeApplicationData RecordType = 23
+)
+
+// enum {...} HandshakeType;
+type HandshakeType byte
+
+const (
+	// Omitted: *_RESERVED
+	HandshakeTypeClientHello         HandshakeType = 1
+	HandshakeTypeServerHello         HandshakeType = 2
+	HandshakeTypeNewSessionTicket    HandshakeType = 4
+	HandshakeTypeEndOfEarlyData      HandshakeType = 5
+	HandshakeTypeHelloRetryRequest   HandshakeType = 6
+	HandshakeTypeEncryptedExtensions HandshakeType = 8
+	HandshakeTypeCertificate         HandshakeType = 11
+	HandshakeTypeCertificateRequest  HandshakeType = 13
+	HandshakeTypeCertificateVerify   HandshakeType = 15
+	HandshakeTypeServerConfiguration HandshakeType = 17
+	HandshakeTypeFinished            HandshakeType = 20
+	HandshakeTypeKeyUpdate           HandshakeType = 24
+	HandshakeTypeMessageHash         HandshakeType = 254
+)
+
+// uint8 CipherSuite[2];
+type CipherSuite uint16
+
+const (
+	// XXX: Actually TLS_NULL_WITH_NULL_NULL, but we need a way to label the zero
+	// value for this type so that we can detect when a field is set.
+	CIPHER_SUITE_UNKNOWN         CipherSuite = 0x0000
+	TLS_AES_128_GCM_SHA256       CipherSuite = 0x1301
+	TLS_AES_256_GCM_SHA384       CipherSuite = 0x1302
+	TLS_CHACHA20_POLY1305_SHA256 CipherSuite = 0x1303
+	TLS_AES_128_CCM_SHA256       CipherSuite = 0x1304
+	TLS_AES_256_CCM_8_SHA256     CipherSuite = 0x1305
+)
+
+func (c CipherSuite) String() string {
+	switch c {
+	case CIPHER_SUITE_UNKNOWN:
+		return "unknown"
+	case TLS_AES_128_GCM_SHA256:
+		return "TLS_AES_128_GCM_SHA256"
+	case TLS_AES_256_GCM_SHA384:
+		return "TLS_AES_256_GCM_SHA384"
+	case TLS_CHACHA20_POLY1305_SHA256:
+		return "TLS_CHACHA20_POLY1305_SHA256"
+	case TLS_AES_128_CCM_SHA256:
+		return "TLS_AES_128_CCM_SHA256"
+	case TLS_AES_256_CCM_8_SHA256:
+		return "TLS_AES_256_CCM_8_SHA256"
+	}
+	// cannot use %x here, since it calls String(), leading to infinite recursion
+	return fmt.Sprintf("invalid CipherSuite value: 0x%s", strconv.FormatUint(uint64(c), 16))
+}
+
+// enum {...} SignatureScheme
+type SignatureScheme uint16
+
+const (
+	// RSASSA-PKCS1-v1_5 algorithms
+	RSA_PKCS1_SHA1   SignatureScheme = 0x0201
+	RSA_PKCS1_SHA256 SignatureScheme = 0x0401
+	RSA_PKCS1_SHA384 SignatureScheme = 0x0501
+	RSA_PKCS1_SHA512 SignatureScheme = 0x0601
+	// ECDSA algorithms
+	ECDSA_P256_SHA256 SignatureScheme = 0x0403
+	ECDSA_P384_SHA384 SignatureScheme = 0x0503
+	ECDSA_P521_SHA512 SignatureScheme = 0x0603
+	// RSASSA-PSS algorithms
+	RSA_PSS_SHA256 SignatureScheme = 0x0804
+	RSA_PSS_SHA384 SignatureScheme = 0x0805
+	RSA_PSS_SHA512 SignatureScheme = 0x0806
+	// EdDSA algorithms
+	Ed25519 SignatureScheme = 0x0807
+	Ed448   SignatureScheme = 0x0808
+)
+
+// enum {...} ExtensionType
+type ExtensionType uint16
+
+const (
+	ExtensionTypeServerName          ExtensionType = 0
+	ExtensionTypeSupportedGroups     ExtensionType = 10
+	ExtensionTypeSignatureAlgorithms ExtensionType = 13
+	ExtensionTypeALPN                ExtensionType = 16
+	ExtensionTypeKeyShare            ExtensionType = 40
+	ExtensionTypePreSharedKey        ExtensionType = 41
+	ExtensionTypeEarlyData           ExtensionType = 42
+	ExtensionTypeSupportedVersions   ExtensionType = 43
+	ExtensionTypeCookie              ExtensionType = 44
+	ExtensionTypePSKKeyExchangeModes ExtensionType = 45
+	ExtensionTypeTicketEarlyDataInfo ExtensionType = 46
+)
+
+// enum {...} NamedGroup
+type NamedGroup uint16
+
+const (
+	// Elliptic Curve Groups.
+	P256 NamedGroup = 23
+	P384 NamedGroup = 24
+	P521 NamedGroup = 25
+	// ECDH functions.
+	X25519 NamedGroup = 29
+	X448   NamedGroup = 30
+	// Finite field groups.
+	FFDHE2048 NamedGroup = 256
+	FFDHE3072 NamedGroup = 257
+	FFDHE4096 NamedGroup = 258
+	FFDHE6144 NamedGroup = 259
+	FFDHE8192 NamedGroup = 260
+)
+
+// enum {...} PskKeyExchangeMode;
+type PSKKeyExchangeMode uint8
+
+const (
+	PSKModeKE    PSKKeyExchangeMode = 0
+	PSKModeDHEKE PSKKeyExchangeMode = 1
+)
+
+// enum {
+//     update_not_requested(0), update_requested(1), (255)
+// } KeyUpdateRequest;
+type KeyUpdateRequest uint8
+
+const (
+	KeyUpdateNotRequested KeyUpdateRequest = 0
+	KeyUpdateRequested    KeyUpdateRequest = 1
+)

vendor/github.com/bifurcation/mint/ffdhe.go

+package mint
+
+import (
+	"encoding/hex"
+	"math/big"
+)
+
+var (
+	finiteFieldPrime2048hex = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
+		"D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
+		"7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
+		"2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
+		"984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
+		"30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
+		"B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
+		"0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
+		"9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
+		"3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
+		"886B423861285C97FFFFFFFFFFFFFFFF"
+	finiteFieldPrime2048bytes, _ = hex.DecodeString(finiteFieldPrime2048hex)
+	finiteFieldPrime2048         = big.NewInt(0).SetBytes(finiteFieldPrime2048bytes)
+
+	finiteFieldPrime3072hex = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
+		"D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
+		"7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
+		"2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
+		"984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
+		"30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
+		"B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
+		"0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
+		"9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
+		"3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
+		"886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" +
+		"61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" +
+		"AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" +
+		"64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" +
+		"ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" +
+		"3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF"
+	finiteFieldPrime3072bytes, _ = hex.DecodeString(finiteFieldPrime3072hex)
+	finiteFieldPrime3072         = big.NewInt(0).SetBytes(finiteFieldPrime3072bytes)
+
+	finiteFieldPrime4096hex = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
+		"D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
+		"7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
+		"2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
+		"984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
+		"30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
+		"B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
+		"0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
+		"9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
+		"3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
+		"886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" +
+		"61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" +
+		"AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" +
+		"64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" +
+		"ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" +
+		"3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" +
+		"7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" +
+		"87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" +
+		"A907600A918130C46DC778F971AD0038092999A333CB8B7A" +
+		"1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" +
+		"8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A" +
+		"FFFFFFFFFFFFFFFF"
+	finiteFieldPrime4096bytes, _ = hex.DecodeString(finiteFieldPrime4096hex)
+	finiteFieldPrime4096         = big.NewInt(0).SetBytes(finiteFieldPrime4096bytes)
+
+	finiteFieldPrime6144hex = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
+		"D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
+		"7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
+		"2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
+		"984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
+		"30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
+		"B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
+		"0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
+		"9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
+		"3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
+		"886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" +
+		"61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" +
+		"AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" +
+		"64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" +
+		"ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" +
+		"3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" +
+		"7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" +
+		"87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" +
+		"A907600A918130C46DC778F971AD0038092999A333CB8B7A" +
+		"1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" +
+		"8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" +
+		"0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" +
+		"3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" +
+		"CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" +
+		"A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" +
+		"0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" +
+		"763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" +
+		"B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" +
+		"D72B03746AE77F5E62292C311562A846505DC82DB854338A" +
+		"E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" +
+		"5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" +
+		"A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF"
+	finiteFieldPrime6144bytes, _ = hex.DecodeString(finiteFieldPrime6144hex)
+	finiteFieldPrime6144         = big.NewInt(0).SetBytes(finiteFieldPrime6144bytes)
+
+	finiteFieldPrime8192hex = "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
+		"D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
+		"7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
+		"2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
+		"984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
+		"30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
+		"B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
+		"0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
+		"9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
+		"3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
+		"886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" +
+		"61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" +
+		"AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" +
+		"64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" +
+		"ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" +
+		"3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" +
+		"7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" +
+		"87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" +
+		"A907600A918130C46DC778F971AD0038092999A333CB8B7A" +
+		"1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" +
+		"8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" +
+		"0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" +
+		"3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" +
+		"CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" +
+		"A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" +
+		"0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" +
+		"763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" +
+		"B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" +
+		"D72B03746AE77F5E62292C311562A846505DC82DB854338A" +
+		"E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" +
+		"5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" +
+		"A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C838" +
+		"1E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E" +
+		"0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665" +
+		"CB2C0F1CC01BD70229388839D2AF05E454504AC78B758282" +
+		"2846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022" +
+		"BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C" +
+		"51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9" +
+		"D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA457" +
+		"1EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30" +
+		"FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D" +
+		"97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C" +
+		"D68C8BB7C5C6424CFFFFFFFFFFFFFFFF"
+	finiteFieldPrime8192bytes, _ = hex.DecodeString(finiteFieldPrime8192hex)
+	finiteFieldPrime8192         = big.NewInt(0).SetBytes(finiteFieldPrime8192bytes)
+)

vendor/github.com/bifurcation/mint/frame-reader.go

+// Read a generic "framed" packet consisting of a header and a
+// This is used for both TLS Records and TLS Handshake Messages
+package mint
+
+type framing interface {
+	headerLen() int
+	defaultReadLen() int
+	frameLen(hdr []byte) (int, error)
+}
+
+const (
+	kFrameReaderHdr  = 0
+	kFrameReaderBody = 1
+)
+
+type frameNextAction func(f *frameReader) error
+
+type frameReader struct {
+	details     framing
+	state       uint8
+	header      []byte
+	body        []byte
+	working     []byte
+	writeOffset int
+	remainder   []byte
+}
+
+func newFrameReader(d framing) *frameReader {
+	hdr := make([]byte, d.headerLen())
+	return &frameReader{
+		d,
+		kFrameReaderHdr,
+		hdr,
+		nil,
+		hdr,
+		0,
+		nil,
+	}
+}
+
+func dup(a []byte) []byte {
+	r := make([]byte, len(a))
+	copy(r, a)
+	return r
+}
+
+func (f *frameReader) needed() int {
+	tmp := (len(f.working) - f.writeOffset) - len(f.remainder)
+	if tmp < 0 {
+		return 0
+	}
+	return tmp
+}
+
+func (f *frameReader) addChunk(in []byte) {
+	// Append to the buffer.
+	logf(logTypeFrameReader, "Appending %v", len(in))
+	f.remainder = append(f.remainder, in...)
+}
+
+func (f *frameReader) process() (hdr []byte, body []byte, err error) {
+	for f.needed() == 0 {
+		logf(logTypeFrameReader, "%v bytes needed for next block", len(f.working)-f.writeOffset)
+		// Fill out our working block
+		copied := copy(f.working[f.writeOffset:], f.remainder)
+		f.remainder = f.remainder[copied:]
+		f.writeOffset += copied
+		if f.writeOffset < len(f.working) {
+			logf(logTypeFrameReader, "Read would have blocked 1")
+			return nil, nil, WouldBlock
+		}
+		// Reset the write offset, because we are now full.
+		f.writeOffset = 0
+
+		// We have read a full frame
+		if f.state == kFrameReaderBody {
+			logf(logTypeFrameReader, "Returning frame hdr=%#x len=%d buffered=%d", f.header, len(f.body), len(f.remainder))
+			f.state = kFrameReaderHdr
+			f.working = f.header
+			return dup(f.header), dup(f.body), nil
+		}
+
+		// We have read the header
+		bodyLen, err := f.details.frameLen(f.header)
+		if err != nil {
+			return nil, nil, err
+		}
+		logf(logTypeFrameReader, "Processed header, body len = %v", bodyLen)
+
+		f.body = make([]byte, bodyLen)
+		f.working = f.body
+		f.writeOffset = 0
+		f.state = kFrameReaderBody
+	}
+
+	logf(logTypeFrameReader, "Read would have blocked 2")
+	return nil, nil, WouldBlock
+}

vendor/github.com/bifurcation/mint/handshake-layer.go

+package mint
+
+import (
+	"fmt"
+	"io"
+	"net"
+)
+
+const (
+	handshakeHeaderLen     = 4       // handshake message header length
+	maxHandshakeMessageLen = 1 << 24 // max handshake message length
+)
+
+// struct {
+//     HandshakeType msg_type;    /* handshake type */
+//     uint24 length;             /* bytes in message */
+//     select (HandshakeType) {
+//       ...
+//     } body;
+// } Handshake;
+//
+// We do the select{...} part in a different layer, so we treat the
+// actual message body as opaque:
+//
+// struct {
+//     HandshakeType msg_type;
+//     opaque msg<0..2^24-1>
+// } Handshake;
+//
+// TODO: File a spec bug
+type HandshakeMessage struct {
+	// Omitted: length
+	msgType HandshakeType
+	body    []byte
+}
+
+// Note: This could be done with the `syntax` module, using the simplified
+// syntax as discussed above.  However, since this is so simple, there's not
+// much benefit to doing so.
+func (hm *HandshakeMessage) Marshal() []byte {
+	if hm == nil {
+		return []byte{}
+	}
+
+	msgLen := len(hm.body)
+	data := make([]byte, 4+len(hm.body))
+	data[0] = byte(hm.msgType)
+	data[1] = byte(msgLen >> 16)
+	data[2] = byte(msgLen >> 8)
+	data[3] = byte(msgLen)
+	copy(data[4:], hm.body)
+	return data
+}
+
+func (hm HandshakeMessage) ToBody() (HandshakeMessageBody, error) {
+	logf(logTypeHandshake, "HandshakeMessage.toBody [%d] [%x]", hm.msgType, hm.body)
+
+	var body HandshakeMessageBody
+	switch hm.msgType {
+	case HandshakeTypeClientHello:
+		body = new(ClientHelloBody)
+	case HandshakeTypeServerHello:
+		body = new(ServerHelloBody)
+	case HandshakeTypeHelloRetryRequest:
+		body = new(HelloRetryRequestBody)
+	case HandshakeTypeEncryptedExtensions:
+		body = new(EncryptedExtensionsBody)
+	case HandshakeTypeCertificate:
+		body = new(CertificateBody)
+	case HandshakeTypeCertificateRequest:
+		body = new(CertificateRequestBody)
+	case HandshakeTypeCertificateVerify:
+		body = new(CertificateVerifyBody)
+	case HandshakeTypeFinished:
+		body = &FinishedBody{VerifyDataLen: len(hm.body)}
+	case HandshakeTypeNewSessionTicket:
+		body = new(NewSessionTicketBody)
+	case HandshakeTypeKeyUpdate:
+		body = new(KeyUpdateBody)
+	case HandshakeTypeEndOfEarlyData:
+		body = new(EndOfEarlyDataBody)
+	default:
+		return body, fmt.Errorf("tls.handshakemessage: Unsupported body type")
+	}
+
+	_, err := body.Unmarshal(hm.body)
+	return body, err
+}
+
+func HandshakeMessageFromBody(body HandshakeMessageBody) (*HandshakeMessage, error) {
+	data, err := body.Marshal()
+	if err != nil {
+		return nil, err
+	}
+
+	return &HandshakeMessage{
+		msgType: body.Type(),
+		body:    data,
+	}, nil
+}
+
+type HandshakeLayer struct {
+	nonblocking bool         // Should we operate in nonblocking mode
+	conn        *RecordLayer // Used for reading/writing records
+	frame       *frameReader // The buffered frame reader
+}
+
+type handshakeLayerFrameDetails struct{}
+
+func (d handshakeLayerFrameDetails) headerLen() int {
+	return handshakeHeaderLen
+}
+
+func (d handshakeLayerFrameDetails) defaultReadLen() int {
+	return handshakeHeaderLen + maxFragmentLen
+}
+
+func (d handshakeLayerFrameDetails) frameLen(hdr []byte) (int, error) {
+	logf(logTypeIO, "Header=%x", hdr)
+	return (int(hdr[1]) << 16) | (int(hdr[2]) << 8) | int(hdr[3]), nil
+}
+
+func NewHandshakeLayer(r *RecordLayer) *HandshakeLayer {
+	h := HandshakeLayer{}
+	h.conn = r
+	h.frame = newFrameReader(&handshakeLayerFrameDetails{})
+	return &h
+}
+
+func (h *HandshakeLayer) readRecord() error {
+	logf(logTypeIO, "Trying to read record")
+	pt, err := h.conn.ReadRecord()
+	if err != nil {
+		return err
+	}
+
+	if pt.contentType != RecordTypeHandshake &&
+		pt.contentType != RecordTypeAlert {
+		return fmt.Errorf("tls.handshakelayer: Unexpected record type %d", pt.contentType)
+	}
+
+	if pt.contentType == RecordTypeAlert {
+		logf(logTypeIO, "read alert %v", pt.fragment[1])
+		if len(pt.fragment) < 2 {
+			h.sendAlert(AlertUnexpectedMessage)
+			return io.EOF
+		}
+		return Alert(pt.fragment[1])
+	}
+
+	logf(logTypeIO, "read handshake record of len %v", len(pt.fragment))
+	h.frame.addChunk(pt.fragment)
+
+	return nil
+}
+
+// sendAlert sends a TLS alert message.
+func (h *HandshakeLayer) sendAlert(err Alert) error {
+	tmp := make([]byte, 2)
+	tmp[0] = AlertLevelError
+	tmp[1] = byte(err)
+	h.conn.WriteRecord(&TLSPlaintext{
+		contentType: RecordTypeAlert,
+		fragment:    tmp},
+	)
+
+	// closeNotify is a special case in that it isn't an error:
+	if err != AlertCloseNotify {
+		return &net.OpError{Op: "local error", Err: err}
+	}
+	return nil
+}
+
+func (h *HandshakeLayer) ReadMessage() (*HandshakeMessage, error) {
+	var hdr, body []byte
+	var err error
+
+	for {
+		logf(logTypeHandshake, "ReadMessage() buffered=%v", len(h.frame.remainder))
+		if h.frame.needed() > 0 {
+			logf(logTypeHandshake, "Trying to read a new record")
+			err = h.readRecord()
+		}
+		if err != nil && (h.nonblocking || err != WouldBlock) {
+			return nil, err
+		}
+
+		hdr, body, err = h.frame.process()
+		if err == nil {
+			break
+		}
+		if err != nil && (h.nonblocking || err != WouldBlock) {
+			return nil, err
+		}
+	}
+
+	logf(logTypeHandshake, "read handshake message")
+
+	hm := &HandshakeMessage{}
+	hm.msgType = HandshakeType(hdr[0])
+
+	hm.body = make([]byte, len(body))
+	copy(hm.body, body)
+
+	return hm, nil
+}
+
+func (h *HandshakeLayer) WriteMessage(hm *HandshakeMessage) error {
+	return h.WriteMessages([]*HandshakeMessage{hm})
+}
+
+func (h *HandshakeLayer) WriteMessages(hms []*HandshakeMessage) error {
+	for _, hm := range hms {
+		logf(logTypeHandshake, "WriteMessage [%d] %x", hm.msgType, hm.body)
+	}
+
+	// Write out headers and bodies
+	buffer := []byte{}
+	for _, msg := range hms {
+		msgLen := len(msg.body)
+		if msgLen > maxHandshakeMessageLen {
+			return fmt.Errorf("tls.handshakelayer: Message too large to send")
+		}
+
+		buffer = append(buffer, msg.Marshal()...)
+	}
+
+	// Send full-size fragments
+	var start int
+	for start = 0; len(buffer)-start >= maxFragmentLen; start += maxFragmentLen {
+		err := h.conn.WriteRecord(&TLSPlaintext{
+			contentType: RecordTypeHandshake,
+			fragment:    buffer[start : start+maxFragmentLen],
+		})
+
+		if err != nil {
+			return err
+		}
+	}
+
+	// Send a final partial fragment if necessary
+	if start < len(buffer) {
+		err := h.conn.WriteRecord(&TLSPlaintext{
+			contentType: RecordTypeHandshake,
+			fragment:    buffer[start:],
+		})
+
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

vendor/github.com/bifurcation/mint/log.go

+package mint
+
+import (
+	"fmt"
+	"log"
+	"os"
+	"strings"
+)
+
+// We use this environment variable to control logging.  It should be a
+// comma-separated list of log tags (see below) or "*" to enable all logging.
+const logConfigVar = "MINT_LOG"
+
+// Pre-defined log types
+const (
+	logTypeCrypto      = "crypto"
+	logTypeHandshake   = "handshake"
+	logTypeNegotiation = "negotiation"
+	logTypeIO          = "io"
+	logTypeFrameReader = "frame"
+	logTypeVerbose     = "verbose"
+)
+
+var (
+	logFunction = log.Printf
+	logAll      = false
+	logSettings = map[string]bool{}
+)
+
+func init() {
+	parseLogEnv(os.Environ())
+}
+
+func parseLogEnv(env []string) {
+	for _, stmt := range env {
+		if strings.HasPrefix(stmt, logConfigVar+"=") {
+			val := stmt[len(logConfigVar)+1:]
+
+			if val == "*" {
+				logAll = true
+			} else {
+				for _, t := range strings.Split(val, ",") {
+					logSettings[t] = true
+				}
+			}
+		}
+	}
+}
+
+func logf(tag string, format string, args ...interface{}) {
+	if logAll || logSettings[tag] {
+		fullFormat := fmt.Sprintf("[%s] %s", tag, format)
+		logFunction(fullFormat, args...)
+	}
+}

vendor/github.com/bifurcation/mint/negotiation.go

+package mint
+
+import (
+	"bytes"
+	"encoding/hex"
+	"fmt"
+	"time"
+)
+
+func VersionNegotiation(offered, supported []uint16) (bool, uint16) {
+	for _, offeredVersion := range offered {
+		for _, supportedVersion := range supported {
+			logf(logTypeHandshake, "[server] version offered by client [%04x] <> [%04x]", offeredVersion, supportedVersion)
+			if offeredVersion == supportedVersion {
+				// XXX: Should probably be highest supported version, but for now, we
+				// only support one version, so it doesn't really matter.
+				return true, offeredVersion
+			}
+		}
+	}
+
+	return false, 0
+}
+
+func DHNegotiation(keyShares []KeyShareEntry, groups []NamedGroup) (bool, NamedGroup, []byte, []byte) {
+	for _, share := range keyShares {
+		for _, group := range groups {
+			if group != share.Group {
+				continue
+			}
+
+			pub, priv, err := newKeyShare(share.Group)
+			if err != nil {
+				// If we encounter an error, just keep looking
+				continue
+			}
+
+			dhSecret, err := keyAgreement(share.Group, share.KeyExchange, priv)
+			if err != nil {
+				// If we encounter an error, just keep looking
+				continue
+			}
+
+			return true, group, pub, dhSecret
+		}
+	}
+
+	return false, 0, nil, nil
+}
+
+const (
+	ticketAgeTolerance uint32 = 5 * 1000 // five seconds in milliseconds
+)
+
+func PSKNegotiation(identities []PSKIdentity, binders []PSKBinderEntry, context []byte, psks PreSharedKeyCache) (bool, int, *PreSharedKey, CipherSuiteParams, error) {
+	logf(logTypeNegotiation, "Negotiating PSK offered=[%d] supported=[%d]", len(identities), psks.Size())
+	for i, id := range identities {
+		identityHex := hex.EncodeToString(id.Identity)
+
+		psk, ok := psks.Get(identityHex)
+		if !ok {
+			logf(logTypeNegotiation, "No PSK for identity %x", identityHex)
+			continue
+		}
+
+		// For resumption, make sure the ticket age is correct
+		if psk.IsResumption {
+			extTicketAge := id.ObfuscatedTicketAge - psk.TicketAgeAdd
+			knownTicketAge := uint32(time.Since(psk.ReceivedAt) / time.Millisecond)
+			ticketAgeDelta := knownTicketAge - extTicketAge
+			if knownTicketAge < extTicketAge {
+				ticketAgeDelta = extTicketAge - knownTicketAge
+			}
+			if ticketAgeDelta > ticketAgeTolerance {
+				logf(logTypeNegotiation, "WARNING potential replay [%x]", psk.Identity)
+				logf(logTypeNegotiation, "Ticket age exceeds tolerance |%d - %d| = [%d] > [%d]",
+					extTicketAge, knownTicketAge, ticketAgeDelta, ticketAgeTolerance)
+				return false, 0, nil, CipherSuiteParams{}, fmt.Errorf("WARNING Potential replay for identity %x", psk.Identity)
+			}
+		}
+
+		params, ok := cipherSuiteMap[psk.CipherSuite]
+		if !ok {
+			err := fmt.Errorf("tls.cryptoinit: Unsupported ciphersuite from PSK [%04x]", psk.CipherSuite)
+			return false, 0, nil, CipherSuiteParams{}, err
+		}
+
+		// Compute binder
+		binderLabel := labelExternalBinder
+		if psk.IsResumption {
+			binderLabel = labelResumptionBinder
+		}
+
+		h0 := params.Hash.New().Sum(nil)
+		zero := bytes.Repeat([]byte{0}, params.Hash.Size())
+		earlySecret := HkdfExtract(params.Hash, zero, psk.Key)
+		binderKey := deriveSecret(params, earlySecret, binderLabel, h0)
+
+		// context = ClientHello[truncated]
+		// context = ClientHello1 + HelloRetryRequest + ClientHello2[truncated]
+		ctxHash := params.Hash.New()
+		ctxHash.Write(context)
+
+		binder := computeFinishedData(params, binderKey, ctxHash.Sum(nil))
+		if !bytes.Equal(binder, binders[i].Binder) {
+			logf(logTypeNegotiation, "Binder check failed for identity %x; [%x] != [%x]", psk.Identity, binder, binders[i].Binder)
+			return false, 0, nil, CipherSuiteParams{}, fmt.Errorf("Binder check failed identity %x", psk.Identity)
+		}
+
+		logf(logTypeNegotiation, "Using PSK with identity %x", psk.Identity)
+		return true, i, &psk, params, nil
+	}
+
+	logf(logTypeNegotiation, "Failed to find a usable PSK")
+	return false, 0, nil, CipherSuiteParams{}, nil
+}
+
+func PSKModeNegotiation(canDoDH, canDoPSK bool, modes []PSKKeyExchangeMode) (bool, bool) {
+	logf(logTypeNegotiation, "Negotiating PSK modes [%v] [%v] [%+v]", canDoDH, canDoPSK, modes)
+	dhAllowed := false
+	dhRequired := true
+	for _, mode := range modes {
+		dhAllowed = dhAllowed || (mode == PSKModeDHEKE)
+		dhRequired = dhRequired && (mode == PSKModeDHEKE)
+	}
+
+	// Use PSK if we can meet DH requirement and modes were provided
+	usingPSK := canDoPSK && (!dhRequired || canDoDH) && (len(modes) > 0)
+
+	// Use DH if allowed
+	usingDH := canDoDH && (dhAllowed || !usingPSK)
+
+	logf(logTypeNegotiation, "Results of PSK mode negotiation: usingDH=[%v] usingPSK=[%v]", usingDH, usingPSK)
+	return usingDH, usingPSK
+}
+
+func CertificateSelection(serverName *string, signatureSchemes []SignatureScheme, certs []*Certificate) (*Certificate, SignatureScheme, error) {
+	// Select for server name if provided
+	candidates := certs
+	if serverName != nil {
+		candidatesByName := []*Certificate{}
+		for _, cert := range certs {
+			for _, name := range cert.Chain[0].DNSNames {
+				if len(*serverName) > 0 && name == *serverName {
+					candidatesByName = append(candidatesByName, cert)
+				}
+			}
+		}
+
+		if len(candidatesByName) == 0 {
+			return nil, 0, fmt.Errorf("No certificates available for server name")
+		}
+
+		candidates = candidatesByName
+	}
+
+	// Select for signature scheme
+	for _, cert := range candidates {
+		for _, scheme := range signatureSchemes {
+			if !schemeValidForKey(scheme, cert.PrivateKey) {
+				continue
+			}
+
+			return cert, scheme, nil
+		}
+	}
+
+	return nil, 0, fmt.Errorf("No certificates compatible with signature schemes")
+}
+
+func EarlyDataNegotiation(usingPSK, gotEarlyData, allowEarlyData bool) bool {
+	usingEarlyData := gotEarlyData && usingPSK && allowEarlyData
+	logf(logTypeNegotiation, "Early data negotiation (%v, %v, %v) => %v", usingPSK, gotEarlyData, allowEarlyData, usingEarlyData)
+	return usingEarlyData
+}
+
+func CipherSuiteNegotiation(psk *PreSharedKey, offered, supported []CipherSuite) (CipherSuite, error) {
+	for _, s1 := range offered {
+		if psk != nil {
+			if s1 == psk.CipherSuite {
+				return s1, nil
+			}
+			continue
+		}
+
+		for _, s2 := range supported {
+			if s1 == s2 {
+				return s1, nil
+			}
+		}
+	}
+
+	return 0, fmt.Errorf("No overlap between offered and supproted ciphersuites (psk? [%v])", psk != nil)
+}
+
+func ALPNNegotiation(psk *PreSharedKey, offered, supported []string) (string, error) {
+	for _, p1 := range offered {
+		if psk != nil {
+			if p1 != psk.NextProto {
+				continue
+			}
+		}
+
+		for _, p2 := range supported {
+			if p1 == p2 {
+				return p1, nil
+			}
+		}
+	}
+
+	// If the client offers ALPN on resumption, it must match the earlier one
+	var err error
+	if psk != nil && psk.IsResumption && (len(offered) > 0) {
+		err = fmt.Errorf("ALPN for PSK not provided")
+	}
+	return "", err
+}

vendor/github.com/bifurcation/mint/syntax/tags.go

+package syntax
+
+import (
+	"strconv"
+	"strings"
+)
+
+// `tls:"head=2,min=2,max=255"`
+
+type tagOptions map[string]uint
+
+// parseTag parses a struct field's "tls" tag as a comma-separated list of
+// name=value pairs, where the values MUST be unsigned integers
+func parseTag(tag string) tagOptions {
+	opts := tagOptions{}
+	for _, token := range strings.Split(tag, ",") {
+		if strings.Index(token, "=") == -1 {
+			continue
+		}
+
+		parts := strings.Split(token, "=")
+		if len(parts[0]) == 0 {
+			continue
+		}
+		if val, err := strconv.Atoi(parts[1]); err == nil && val >= 0 {
+			opts[parts[0]] = uint(val)
+		}
+	}
+	return opts
+}

vendor/github.com/lucas-clemente/quic-go/ackhandler/interfaces.go

-package ackhandler
-
-import (
-	"time"
-
-	"github.com/lucas-clemente/quic-go/frames"
-	"github.com/lucas-clemente/quic-go/protocol"
-)
-
-// SentPacketHandler handles ACKs received for outgoing packets
-type SentPacketHandler interface {
-	// SentPacket may modify the packet
-	SentPacket(packet *Packet) error
-	ReceivedAck(ackFrame *frames.AckFrame, withPacketNumber protocol.PacketNumber, recvTime time.Time) error
-
-	SendingAllowed() bool
-	GetStopWaitingFrame(force bool) *frames.StopWaitingFrame
-	DequeuePacketForRetransmission() (packet *Packet)
-	GetLeastUnacked() protocol.PacketNumber
-
-	GetAlarmTimeout() time.Time
-	OnAlarm()
-}
-
-// ReceivedPacketHandler handles ACKs needed to send for incoming packets
-type ReceivedPacketHandler interface {
-	ReceivedPacket(packetNumber protocol.PacketNumber, shouldInstigateAck bool) error
-	SetLowerLimit(protocol.PacketNumber)
-
-	GetAlarmTimeout() time.Time
-	GetAckFrame() *frames.AckFrame
-}

vendor/github.com/lucas-clemente/quic-go/buffer_pool.go

@@ -3,7 +3,7 @@ package quic
 import (
 	"sync"
 
-	"github.com/lucas-clemente/quic-go/protocol"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
 )
 
 var bufferPool sync.Pool

vendor/github.com/lucas-clemente/quic-go/crypto/nonce.go

-package crypto
-
-import (
-	"encoding/binary"
-
-	"github.com/lucas-clemente/quic-go/protocol"
-)
-
-func makeNonce(iv []byte, packetNumber protocol.PacketNumber) []byte {
-	res := make([]byte, 12)
-	copy(res[0:4], iv)
-	binary.LittleEndian.PutUint64(res[4:12], uint64(packetNumber))
-	return res
-}

vendor/github.com/lucas-clemente/quic-go/crypto_stream.go

+package quic
+
+import (
+	"io"
+
+	"github.com/lucas-clemente/quic-go/internal/flowcontrol"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+	"github.com/lucas-clemente/quic-go/internal/wire"
+)
+
+type cryptoStreamI interface {
+	StreamID() protocol.StreamID
+	io.Reader
+	io.Writer
+	handleStreamFrame(*wire.StreamFrame) error
+	popStreamFrame(protocol.ByteCount) (*wire.StreamFrame, bool)
+	closeForShutdown(error)
+	setReadOffset(protocol.ByteCount)
+	// methods needed for flow control
+	getWindowUpdate() protocol.ByteCount
+	handleMaxStreamDataFrame(*wire.MaxStreamDataFrame)
+}
+
+type cryptoStream struct {
+	*stream
+}
+
+var _ cryptoStreamI = &cryptoStream{}
+
+func newCryptoStream(sender streamSender, flowController flowcontrol.StreamFlowController, version protocol.VersionNumber) cryptoStreamI {
+	str := newStream(version.CryptoStreamID(), sender, flowController, version)
+	return &cryptoStream{str}
+}
+
+// SetReadOffset sets the read offset.
+// It is only needed for the crypto stream.
+// It must not be called concurrently with any other stream methods, especially Read and Write.
+func (s *cryptoStream) setReadOffset(offset protocol.ByteCount) {
+	s.receiveStream.readOffset = offset
+	s.receiveStream.frameQueue.readPosition = offset
+}

vendor/github.com/lucas-clemente/quic-go/frames/ack_range.go

-package frames
-
-import "github.com/lucas-clemente/quic-go/protocol"
-
-// AckRange is an ACK range
-type AckRange struct {
-	FirstPacketNumber protocol.PacketNumber
-	LastPacketNumber  protocol.PacketNumber
-}

vendor/github.com/lucas-clemente/quic-go/integrationtests/chrome/chrome.go

-package chrome

vendor/github.com/lucas-clemente/quic-go/integrationtests/gquic/gquic.go

-package gquic

vendor/github.com/lucas-clemente/quic-go/integrationtests/self/self.go

-package self