Merge branch 'dev'

chain.go

@@ -53,7 +53,7 @@ func (c *Chain) NodeGroups() []*NodeGroup {
 }
 
 // LastNode returns the last node of the node list.
-// If the chain is empty, an empty node is returns.
+// If the chain is empty, an empty node will be returned.
 // If the last node is a node group, the first node in the group will be returned.
 func (c *Chain) LastNode() Node {
 	if c.IsEmpty() {

cmd/gost/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"bufio"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
@@ -223,6 +224,18 @@ func parseChainNode(ns string) (nodes []gost.Node, err error) {
 			TLSConfig: tlsCfg,
 			KeepAlive: toBool(node.Values.Get("keepalive")),
 		}
+
+		timeout, _ := strconv.Atoi(node.Values.Get("timeout"))
+		config.Timeout = time.Duration(timeout) * time.Second
+
+		idle, _ := strconv.Atoi(node.Values.Get("idle"))
+		config.IdleTimeout = time.Duration(idle) * time.Second
+
+		if key := node.Values.Get("key"); key != "" {
+			sum := sha256.Sum256([]byte(key))
+			config.Key = sum[:]
+		}
+
 		tr = gost.QUICTransporter(config)
 	case "http2":
 		tr = gost.HTTP2Transporter(tlsCfg)
@@ -371,6 +384,15 @@ func (r *route) serve() error {
 			}
 			timeout, _ := strconv.Atoi(node.Values.Get("timeout"))
 			config.Timeout = time.Duration(timeout) * time.Second
+
+			idle, _ := strconv.Atoi(node.Values.Get("idle"))
+			config.IdleTimeout = time.Duration(idle) * time.Second
+
+			if key := node.Values.Get("key"); key != "" {
+				sum := sha256.Sum256([]byte(key))
+				config.Key = sum[:]
+			}
+
 			ln, err = gost.QUICListener(node.Addr, config)
 		case "http2":
 			ln, err = gost.HTTP2Listener(node.Addr, tlsCfg)

quic.go

 package gost
 
 import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
 	"crypto/tls"
 	"errors"
+	"io"
 	"net"
 	"sync"
 	"time"
@@ -55,10 +59,17 @@ func (tr *quicTransporter) Dial(addr string, options ...DialOption) (conn net.Co
 
 	session, ok := tr.sessions[addr]
 	if !ok {
-		conn, err = net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
+		var cc *net.UDPConn
+		cc, err = net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4zero, Port: 0})
 		if err != nil {
 			return
 		}
+		conn = cc
+
+		if tr.config != nil && tr.config.Key != nil {
+			conn = &quicCipherConn{UDPConn: cc, key: tr.config.Key}
+		}
+
 		session = &quicSession{conn: conn}
 		tr.sessions[addr] = session
 	}
@@ -107,7 +118,7 @@ func (tr *quicTransporter) Handshake(conn net.Conn, options ...HandshakeOption)
 }
 
 func (tr *quicTransporter) initSession(addr string, conn net.Conn, config *QUICConfig) (*quicSession, error) {
-	udpConn, ok := conn.(*net.UDPConn)
+	udpConn, ok := conn.(net.PacketConn)
 	if !ok {
 		return nil, errors.New("quic: wrong connection type")
 	}
@@ -118,6 +129,7 @@ func (tr *quicTransporter) initSession(addr string, conn net.Conn, config *QUICC
 	quicConfig := &quic.Config{
 		HandshakeTimeout: config.Timeout,
 		KeepAlive:        config.KeepAlive,
+		IdleTimeout:      config.IdleTimeout,
 	}
 	session, err := quic.Dial(udpConn, udpAddr, addr, config.TLSConfig, quicConfig)
 	if err != nil {
@@ -133,9 +145,11 @@ func (tr *quicTransporter) Multiplex() bool {
 
 // QUICConfig is the config for QUIC client and server
 type QUICConfig struct {
-	TLSConfig *tls.Config
-	Timeout   time.Duration
-	KeepAlive bool
+	TLSConfig   *tls.Config
+	Timeout     time.Duration
+	KeepAlive   bool
+	IdleTimeout time.Duration
+	Key         []byte
 }
 
 type quicListener struct {
@@ -152,13 +166,31 @@ func QUICListener(addr string, config *QUICConfig) (Listener, error) {
 	quicConfig := &quic.Config{
 		HandshakeTimeout: config.Timeout,
 		KeepAlive:        config.KeepAlive,
+		IdleTimeout:      config.IdleTimeout,
 	}
 
 	tlsConfig := config.TLSConfig
 	if tlsConfig == nil {
 		tlsConfig = DefaultTLSConfig
 	}
-	ln, err := quic.ListenAddr(addr, tlsConfig, quicConfig)
+
+	var conn net.PacketConn
+
+	udpAddr, err := net.ResolveUDPAddr("udp", addr)
+	if err != nil {
+		return nil, err
+	}
+	lconn, err := net.ListenUDP("udp", udpAddr)
+	if err != nil {
+		return nil, err
+	}
+	conn = lconn
+
+	if config.Key != nil {
+		conn = &quicCipherConn{UDPConn: lconn, key: config.Key}
+	}
+
+	ln, err := quic.Listen(conn, tlsConfig, quicConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -241,3 +273,76 @@ func (c *quicConn) LocalAddr() net.Addr {
 func (c *quicConn) RemoteAddr() net.Addr {
 	return c.raddr
 }
+
+type quicCipherConn struct {
+	*net.UDPConn
+	key []byte
+}
+
+func (conn *quicCipherConn) ReadFrom(data []byte) (n int, addr net.Addr, err error) {
+	n, addr, err = conn.UDPConn.ReadFrom(data)
+	if err != nil {
+		return
+	}
+	b, err := conn.decrypt(data[:n])
+	if err != nil {
+		return
+	}
+
+	copy(data, b)
+
+	return len(b), addr, nil
+}
+
+func (conn *quicCipherConn) WriteTo(data []byte, addr net.Addr) (n int, err error) {
+	b, err := conn.encrypt(data)
+	if err != nil {
+		return
+	}
+
+	_, err = conn.UDPConn.WriteTo(b, addr)
+	if err != nil {
+		return
+	}
+
+	return len(b), nil
+}
+
+func (conn *quicCipherConn) encrypt(data []byte) ([]byte, error) {
+	c, err := aes.NewCipher(conn.key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(c)
+	if err != nil {
+		return nil, err
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+
+	return gcm.Seal(nonce, nonce, data, nil), nil
+}
+
+func (conn *quicCipherConn) decrypt(data []byte) ([]byte, error) {
+	c, err := aes.NewCipher(conn.key)
+	if err != nil {
+		return nil, err
+	}
+
+	gcm, err := cipher.NewGCM(c)
+	if err != nil {
+		return nil, err
+	}
+
+	nonceSize := gcm.NonceSize()
+	if len(data) < nonceSize {
+		return nil, errors.New("ciphertext too short")
+	}
+
+	nonce, ciphertext := data[:nonceSize], data[nonceSize:]
+	return gcm.Open(nil, nonce, ciphertext, nil)
+}

selector.go

@@ -16,7 +16,6 @@ var (
 // NodeSelector as a mechanism to pick nodes and mark their status.
 type NodeSelector interface {
 	Select(nodes []Node, opts ...SelectOption) (Node, error)
-	// Mark(node Node)
 }
 
 type defaultSelector struct {
@@ -130,7 +129,7 @@ type FailFilter struct {
 
 // Filter filters nodes.
 func (f *FailFilter) Filter(nodes []Node) []Node {
-	if f.MaxFails <= 0 {
+	if len(nodes) <= 1 || f.MaxFails <= 0 {
 		return nodes
 	}
 	nl := []Node{}

tls.go

@@ -56,6 +56,11 @@ func (tr *mtlsTransporter) Dial(addr string, options ...DialOption) (conn net.Co
 	defer tr.sessionMutex.Unlock()
 
 	session, ok := tr.sessions[addr]
+	if session != nil && session.session != nil && session.session.IsClosed() {
+		session.Close()
+		delete(tr.sessions, addr)
+		ok = false
+	}
 	if !ok {
 		if opts.Chain == nil {
 			conn, err = net.DialTimeout("tcp", addr, opts.Timeout)

vendor/github.com/aead/chacha20/LICENSE

+The MIT License (MIT)
+
+Copyright (c) 2016 Andreas Auernhammer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/github.com/aead/chacha20/README.md

+[![Godoc Reference](https://godoc.org/github.com/aead/chacha20?status.svg)](https://godoc.org/github.com/aead/chacha20)
+
+## The ChaCha20 stream cipher
+
+ChaCha is a stream cipher family created by Daniel J. Bernstein.  
+The most common ChaCha cipher is ChaCha20 (20 rounds). ChaCha20 is standardized in [RFC 7539](https://tools.ietf.org/html/rfc7539 "RFC 7539").
+
+This package provides implementations of three ChaCha versions:
+- ChaCha20 with a 64 bit nonce (can en/decrypt up to 2^64 * 64 bytes for one key-nonce combination)  
+- ChaCha20 with a 96 bit nonce (can en/decrypt up to 2^32 * 64 bytes ~ 256 GB for one key-nonce combination)  
+- XChaCha20 with a 192 bit nonce (can en/decrypt up to 2^64 * 64 bytes for one key-nonce combination)  
+
+Furthermore the chacha subpackage implements ChaCha20/12 and ChaCha20/8.
+These versions use 12 or 8 rounds instead of 20.
+But it's recommended to use ChaCha20 (with 20 rounds) - it will be fast enough for almost all purposes. 
+
+### Installation 
+Install in your GOPATH: `go get -u github.com/aead/chacha20`
+
+### Requirements
+All go versions >= 1.5.3 are supported.  
+Please notice, that the amd64 AVX2 asm implementation requires go1.7 or newer.
+
+### Performance
+
+#### AMD64
+Hardware: Intel i7-6500U 2.50GHz x 2  
+System: Linux Ubuntu 16.04 - kernel: 4.4.0-62-generic  
+Go version: 1.8.0  
+```
+AVX2
+name                        speed              cpb
+ChaCha20_64-4                573MB/s ± 0%      4.16
+ChaCha20_1K-4               2.19GB/s ± 0%      1.06
+XChaCha20_64-4               261MB/s ± 0%      9.13
+XChaCha20_1K-4              1.69GB/s ± 4%      1.37
+XORKeyStream64-4             474MB/s ± 2%      5.02
+XORKeyStream1K-4            2.09GB/s ± 1%      1.11
+XChaCha20_XORKeyStream64-4   262MB/s ± 0%      9.09
+XChaCha20_XORKeyStream1K-4  1.71GB/s ± 1%      1.36
+
+SSSE3
+name                        speed              cpb
+ChaCha20_64-4                583MB/s ± 0%      4.08
+ChaCha20_1K-4               1.15GB/s ± 1%      2.02
+XChaCha20_64-4               267MB/s ± 0%      8.92
+XChaCha20_1K-4               984MB/s ± 5%      2.42
+XORKeyStream64-4             492MB/s ± 1%      4.84
+XORKeyStream1K-4            1.10GB/s ± 5%      2.11
+XChaCha20_XORKeyStream64-4   266MB/s ± 0%      8.96
+XChaCha20_XORKeyStream1K-4  1.00GB/s ± 2%      2.32
+```
+#### 386
+Hardware: Intel i7-6500U 2.50GHz x 2  
+System: Linux Ubuntu 16.04 - kernel: 4.4.0-62-generic  
+Go version: 1.8.0  
+```
+SSSE3
+name                        speed              cpb
+ChaCha20_64-4               570MB/s ± 0%       4.18
+ChaCha20_1K-4               650MB/s ± 0%       3.66
+XChaCha20_64-4              223MB/s ± 0%      10.69
+XChaCha20_1K-4              584MB/s ± 1%       4.08
+XORKeyStream64-4            392MB/s ± 1%       6.08
+XORKeyStream1K-4            629MB/s ± 1%       3.79
+XChaCha20_XORKeyStream64-4  222MB/s ± 0%      10.73
+XChaCha20_XORKeyStream1K-4  585MB/s ± 0%       4.07
+
+SSE2
+name                        speed              cpb
+ChaCha20_64-4               509MB/s ± 0%       4.68
+ChaCha20_1K-4               553MB/s ± 2%       4.31
+XChaCha20_64-4              201MB/s ± 0%      11.86
+XChaCha20_1K-4              498MB/s ± 4%       4.78
+XORKeyStream64-4            359MB/s ± 1%       6.64
+XORKeyStream1K-4            545MB/s ± 0%       4.37
+XChaCha20_XORKeyStream64-4  201MB/s ± 1%      11.86
+XChaCha20_XORKeyStream1K-4  507MB/s ± 0%       4.70
+```

vendor/github.com/aead/chacha20/chacha/chacha.go

+// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+// Package chacha implements some low-level functions of the
+// ChaCha cipher family.
+package chacha // import "github.com/aead/chacha20/chacha"
+
+import (
+	"encoding/binary"
+	"errors"
+)
+
+const (
+	// NonceSize is the size of the ChaCha20 nonce in bytes.
+	NonceSize = 8
+
+	// INonceSize is the size of the IETF-ChaCha20 nonce in bytes.
+	INonceSize = 12
+
+	// XNonceSize is the size of the XChaCha20 nonce in bytes.
+	XNonceSize = 24
+
+	// KeySize is the size of the key in bytes.
+	KeySize = 32
+)
+
+var (
+	useSSE2  bool
+	useSSSE3 bool
+	useAVX2  bool
+)
+
+var (
+	errKeySize      = errors.New("chacha20/chacha: bad key length")
+	errInvalidNonce = errors.New("chacha20/chacha: bad nonce length")
+)
+
+func setup(state *[64]byte, nonce, key []byte) (err error) {
+	if len(key) != KeySize {
+		err = errKeySize
+		return
+	}
+	var Nonce [16]byte
+	switch len(nonce) {
+	case NonceSize:
+		copy(Nonce[8:], nonce)
+		initialize(state, key, &Nonce)
+	case INonceSize:
+		copy(Nonce[4:], nonce)
+		initialize(state, key, &Nonce)
+	case XNonceSize:
+		var tmpKey [32]byte
+		var hNonce [16]byte
+
+		copy(hNonce[:], nonce[:16])
+		copy(tmpKey[:], key)
+		hChaCha20(&tmpKey, &hNonce, &tmpKey)
+		copy(Nonce[8:], nonce[16:])
+		initialize(state, tmpKey[:], &Nonce)
+
+		// BUG(aead): A "good" compiler will remove this (optimizations)
+		//			  But using the provided key instead of tmpKey,
+		//			  will change the key (-> probably confuses users)
+		for i := range tmpKey {
+			tmpKey[i] = 0
+		}
+	default:
+		err = errInvalidNonce
+	}
+	return
+}
+
+// XORKeyStream crypts bytes from src to dst using the given nonce and key.
+// The length of the nonce determinds the version of ChaCha20:
+// - NonceSize:  ChaCha20/r with a 64 bit nonce and a 2^64 * 64 byte period.
+// - INonceSize: ChaCha20/r as defined in RFC 7539 and a 2^32 * 64 byte period.
+// - XNonceSize: XChaCha20/r with a 192 bit nonce and a 2^64 * 64 byte period.
+// The rounds argument specifies the number of rounds performed for keystream
+// generation - valid values are 8, 12 or 20. The src and dst may be the same slice
+// but otherwise should not overlap. If len(dst) < len(src) this function panics.
+// If the nonce is neither 64, 96 nor 192 bits long, this function panics.
+func XORKeyStream(dst, src, nonce, key []byte, rounds int) {
+	if rounds != 20 && rounds != 12 && rounds != 8 {
+		panic("chacha20/chacha: bad number of rounds")
+	}
+	if len(dst) < len(src) {
+		panic("chacha20/chacha: dst buffer is to small")
+	}
+	if len(nonce) == INonceSize && uint64(len(src)) > (1<<38) {
+		panic("chacha20/chacha: src is too large")
+	}
+
+	var block, state [64]byte
+	if err := setup(&state, nonce, key); err != nil {
+		panic(err)
+	}
+	xorKeyStream(dst, src, &block, &state, rounds)
+}
+
+// Cipher implements ChaCha20/r (XChaCha20/r) for a given number of rounds r.
+type Cipher struct {
+	state, block [64]byte
+	off          int
+	rounds       int // 20 for ChaCha20
+	noncesize    int
+}
+
+// NewCipher returns a new *chacha.Cipher implementing the ChaCha20/r or XChaCha20/r
+// (r = 8, 12 or 20) stream cipher. The nonce must be unique for one key for all time.
+// The length of the nonce determinds the version of ChaCha20:
+// - NonceSize:  ChaCha20/r with a 64 bit nonce and a 2^64 * 64 byte period.
+// - INonceSize: ChaCha20/r as defined in RFC 7539 and a 2^32 * 64 byte period.
+// - XNonceSize: XChaCha20/r with a 192 bit nonce and a 2^64 * 64 byte period.
+// If the nonce is neither 64, 96 nor 192 bits long, a non-nil error is returned.
+func NewCipher(nonce, key []byte, rounds int) (*Cipher, error) {
+	if rounds != 20 && rounds != 12 && rounds != 8 {
+		panic("chacha20/chacha: bad number of rounds")
+	}
+
+	c := new(Cipher)
+	if err := setup(&(c.state), nonce, key); err != nil {
+		return nil, err
+	}
+	c.rounds = rounds
+
+	if len(nonce) == INonceSize {
+		c.noncesize = INonceSize
+	} else {
+		c.noncesize = NonceSize
+	}
+
+	return c, nil
+}
+
+// XORKeyStream crypts bytes from src to dst. Src and dst may be the same slice
+// but otherwise should not overlap. If len(dst) < len(src) the function panics.
+func (c *Cipher) XORKeyStream(dst, src []byte) {
+	if len(dst) < len(src) {
+		panic("chacha20/chacha: dst buffer is to small")
+	}
+
+	if c.off > 0 {
+		n := len(c.block[c.off:])
+		if len(src) <= n {
+			for i, v := range src {
+				dst[i] = v ^ c.block[c.off]
+				c.off++
+			}
+			if c.off == 64 {
+				c.off = 0
+			}
+			return
+		}
+
+		for i, v := range c.block[c.off:] {
+			dst[i] = src[i] ^ v
+		}
+		src = src[n:]
+		dst = dst[n:]
+		c.off = 0
+	}
+
+	c.off += xorKeyStream(dst, src, &(c.block), &(c.state), c.rounds)
+}
+
+// SetCounter skips ctr * 64 byte blocks. SetCounter(0) resets the cipher.
+// This function always skips the unused keystream of the current 64 byte block.
+func (c *Cipher) SetCounter(ctr uint64) {
+	if c.noncesize == INonceSize {
+		binary.LittleEndian.PutUint32(c.state[48:], uint32(ctr))
+	} else {
+		binary.LittleEndian.PutUint64(c.state[48:], ctr)
+	}
+	c.off = 0
+}

vendor/github.com/aead/chacha20/chacha/chacha_386.go

+// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+// +build 386,!gccgo,!appengine,!nacl
+
+package chacha
+
+import "encoding/binary"
+
+func init() {
+	useSSE2 = supportsSSE2()
+	useSSSE3 = supportsSSSE3()
+	useAVX2 = false
+}
+
+func initialize(state *[64]byte, key []byte, nonce *[16]byte) {
+	binary.LittleEndian.PutUint32(state[0:], sigma[0])
+	binary.LittleEndian.PutUint32(state[4:], sigma[1])
+	binary.LittleEndian.PutUint32(state[8:], sigma[2])
+	binary.LittleEndian.PutUint32(state[12:], sigma[3])
+	copy(state[16:], key[:])
+	copy(state[48:], nonce[:])
+}
+
+// This function is implemented in chacha_386.s
+//go:noescape
+func supportsSSE2() bool
+
+// This function is implemented in chacha_386.s
+//go:noescape
+func supportsSSSE3() bool
+
+// This function is implemented in chacha_386.s
+//go:noescape
+func hChaCha20SSE2(out *[32]byte, nonce *[16]byte, key *[32]byte)
+
+// This function is implemented in chacha_386.s
+//go:noescape
+func hChaCha20SSSE3(out *[32]byte, nonce *[16]byte, key *[32]byte)
+
+// This function is implemented in chacha_386.s
+//go:noescape
+func xorKeyStreamSSE2(dst, src []byte, block, state *[64]byte, rounds int) int
+
+// This function is implemented in chacha_386.s
+//go:noescape
+func xorKeyStreamSSSE3(dst, src []byte, block, state *[64]byte, rounds int) int
+
+func hChaCha20(out *[32]byte, nonce *[16]byte, key *[32]byte) {
+	if useSSSE3 {
+		hChaCha20SSSE3(out, nonce, key)
+	} else if useSSE2 {
+		hChaCha20SSE2(out, nonce, key)
+	} else {
+		hChaCha20Generic(out, nonce, key)
+	}
+}
+
+func xorKeyStream(dst, src []byte, block, state *[64]byte, rounds int) int {
+	if useSSSE3 {
+		return xorKeyStreamSSSE3(dst, src, block, state, rounds)
+	} else if useSSE2 {
+		return xorKeyStreamSSE2(dst, src, block, state, rounds)
+	}
+	return xorKeyStreamGeneric(dst, src, block, state, rounds)
+}

vendor/github.com/aead/chacha20/chacha/chacha_386.s

+// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+// +build 386,!gccgo,!appengine,!nacl
+
+#include "textflag.h"
+
+DATA ·sigma<>+0x00(SB)/4, $0x61707865
+DATA ·sigma<>+0x04(SB)/4, $0x3320646e
+DATA ·sigma<>+0x08(SB)/4, $0x79622d32
+DATA ·sigma<>+0x0C(SB)/4, $0x6b206574
+GLOBL ·sigma<>(SB), (NOPTR+RODATA), $16
+
+DATA ·one<>+0x00(SB)/8, $1
+DATA ·one<>+0x08(SB)/8, $0
+GLOBL ·one<>(SB), (NOPTR+RODATA), $16
+
+DATA ·rol16<>+0x00(SB)/8, $0x0504070601000302
+DATA ·rol16<>+0x08(SB)/8, $0x0D0C0F0E09080B0A
+GLOBL ·rol16<>(SB), (NOPTR+RODATA), $16
+
+DATA ·rol8<>+0x00(SB)/8, $0x0605040702010003
+DATA ·rol8<>+0x08(SB)/8, $0x0E0D0C0F0A09080B
+GLOBL ·rol8<>(SB), (NOPTR+RODATA), $16
+
+#define ROTL_SSE2(n, t, v) \
+	MOVO  v, t;       \
+	PSLLL $n, t;      \
+	PSRLL $(32-n), v; \
+	PXOR  t, v
+
+#define CHACHA_QROUND_SSE2(v0, v1, v2, v3, t0) \
+	PADDL v1, v0;          \
+	PXOR  v0, v3;          \
+	ROTL_SSE2(16, t0, v3); \
+	PADDL v3, v2;          \
+	PXOR  v2, v1;          \
+	ROTL_SSE2(12, t0, v1); \
+	PADDL v1, v0;          \
+	PXOR  v0, v3;          \
+	ROTL_SSE2(8, t0, v3);  \
+	PADDL v3, v2;          \
+	PXOR  v2, v1;          \
+	ROTL_SSE2(7, t0, v1)
+
+#define CHACHA_QROUND_SSSE3(v0, v1, v2, v3, t0, r16, r8) \
+	PADDL  v1, v0;         \
+	PXOR   v0, v3;         \
+	PSHUFB r16, v3;        \
+	PADDL  v3, v2;         \
+	PXOR   v2, v1;         \
+	ROTL_SSE2(12, t0, v1); \
+	PADDL  v1, v0;         \
+	PXOR   v0, v3;         \
+	PSHUFB r8, v3;         \
+	PADDL  v3, v2;         \
+	PXOR   v2, v1;         \
+	ROTL_SSE2(7, t0, v1)
+
+#define CHACHA_SHUFFLE(v1, v2, v3) \
+	PSHUFL $0x39, v1, v1; \
+	PSHUFL $0x4E, v2, v2; \
+	PSHUFL $0x93, v3, v3
+
+#define XOR(dst, src, off, v0, v1, v2, v3, t0) \
+	MOVOU 0+off(src), t0;  \
+	PXOR  v0, t0;          \
+	MOVOU t0, 0+off(dst);  \
+	MOVOU 16+off(src), t0; \
+	PXOR  v1, t0;          \
+	MOVOU t0, 16+off(dst); \
+	MOVOU 32+off(src), t0; \
+	PXOR  v2, t0;          \
+	MOVOU t0, 32+off(dst); \
+	MOVOU 48+off(src), t0; \
+	PXOR  v3, t0;          \
+	MOVOU t0, 48+off(dst)
+
+#define FINALIZE(dst, src, block, len, t0, t1) \
+	XORL      t0, t0;       \
+	XORL      t1, t1;       \
+	finalize:               \
+	MOVB      0(src), t0;   \
+	MOVB      0(block), t1; \
+	XORL      t0, t1;       \
+	MOVB      t1, 0(dst);   \
+	INCL      src;          \
+	INCL      block;        \
+	INCL      dst;          \
+	DECL      len;          \
+	JA        finalize      \
+
+// func xorKeyStreamSSE2(dst, src []byte, block, state *[64]byte, rounds int) int
+TEXT ·xorKeyStreamSSE2(SB), 4, $0-40
+	MOVL dst_base+0(FP), DI
+	MOVL src_base+12(FP), SI
+	MOVL src_len+16(FP), CX
+	MOVL state+28(FP), AX
+	MOVL rounds+32(FP), DX
+
+	MOVOU 0(AX), X0
+	MOVOU 16(AX), X1
+	MOVOU 32(AX), X2
+	MOVOU 48(AX), X3
+
+	TESTL CX, CX
+	JZ    done
+
+at_least_64:
+	MOVO X0, X4
+	MOVO X1, X5
+	MOVO X2, X6
+	MOVO X3, X7
+
+	MOVL DX, BX
+
+chacha_loop:
+	CHACHA_QROUND_SSE2(X4, X5, X6, X7, X0)
+	CHACHA_SHUFFLE(X5, X6, X7)
+	CHACHA_QROUND_SSE2(X4, X5, X6, X7, X0)
+	CHACHA_SHUFFLE(X7, X6, X5)
+	SUBL $2, BX
+	JA   chacha_loop
+
+	MOVOU 0(AX), X0
+	PADDL X0, X4
+	PADDL X1, X5
+	PADDL X2, X6
+	PADDL X3, X7
+	MOVOU ·one<>(SB), X0
+	PADDQ X0, X3
+
+	CMPL CX, $64
+	JB   less_than_64
+
+	XOR(DI, SI, 0, X4, X5, X6, X7, X0)
+	MOVOU 0(AX), X0
+	ADDL  $64, SI
+	ADDL  $64, DI
+	SUBL  $64, CX
+	JNZ   at_least_64
+
+less_than_64:
+	MOVL  CX, BP
+	TESTL BP, BP
+	JZ    done
+
+	MOVL  block+24(FP), BX
+	MOVOU X4, 0(BX)
+	MOVOU X5, 16(BX)
+	MOVOU X6, 32(BX)
+	MOVOU X7, 48(BX)
+	FINALIZE(DI, SI, BX, BP, AX, DX)
+
+done:
+	MOVL  state+28(FP), AX
+	MOVOU X3, 48(AX)
+	MOVL  CX, ret+36(FP)
+	RET
+
+// func xorKeyStreamSSSE3(dst, src []byte, block, state *[64]byte, rounds int) int
+TEXT ·xorKeyStreamSSSE3(SB), 4, $64-40
+	MOVL dst_base+0(FP), DI
+	MOVL src_base+12(FP), SI
+	MOVL src_len+16(FP), CX
+	MOVL state+28(FP), AX
+	MOVL rounds+32(FP), DX
+
+	MOVOU 48(AX), X3
+	TESTL CX, CX
+	JZ    done
+
+	MOVL SP, BP
+	ADDL $16, SP
+	ANDL $-16, SP
+
+	MOVOU ·one<>(SB), X0
+	MOVOU 16(AX), X1
+	MOVOU 32(AX), X2
+	MOVO  X0, 0(SP)
+	MOVO  X1, 16(SP)
+	MOVO  X2, 32(SP)
+
+	MOVOU 0(AX), X0
+	MOVOU ·rol16<>(SB), X1
+	MOVOU ·rol8<>(SB), X2
+
+at_least_64:
+	MOVO X0, X4
+	MOVO 16(SP), X5
+	MOVO 32(SP), X6
+	MOVO X3, X7
+
+	MOVL DX, BX
+
+chacha_loop:
+	CHACHA_QROUND_SSSE3(X4, X5, X6, X7, X0, X1, X2)
+	CHACHA_SHUFFLE(X5, X6, X7)
+	CHACHA_QROUND_SSSE3(X4, X5, X6, X7, X0, X1, X2)
+	CHACHA_SHUFFLE(X7, X6, X5)
+	SUBL $2, BX
+	JA   chacha_loop
+
+	MOVOU 0(AX), X0
+	PADDL X0, X4
+	PADDL 16(SP), X5
+	PADDL 32(SP), X6
+	PADDL X3, X7
+	PADDQ 0(SP), X3
+
+	CMPL CX, $64
+	JB   less_than_64
+
+	XOR(DI, SI, 0, X4, X5, X6, X7, X0)
+	MOVOU 0(AX), X0
+	ADDL  $64, SI
+	ADDL  $64, DI
+	SUBL  $64, CX
+	JNZ   at_least_64
+
+less_than_64:
+	MOVL  BP, SP
+	MOVL  CX, BP
+	TESTL BP, BP
+	JE    done
+
+	MOVL  block+24(FP), BX
+	MOVOU X4, 0(BX)
+	MOVOU X5, 16(BX)
+	MOVOU X6, 32(BX)
+	MOVOU X7, 48(BX)
+	FINALIZE(DI, SI, BX, BP, AX, DX)
+
+done:
+	MOVL  state+28(FP), AX
+	MOVOU X3, 48(AX)
+	MOVL  CX, ret+36(FP)
+	RET
+
+// func supportsSSE2() bool
+TEXT ·supportsSSE2(SB), NOSPLIT, $0-1
+	XORL AX, AX
+	INCL AX
+	CPUID
+	SHRL $26, DX
+	ANDL $1, DX
+	MOVB DX, ret+0(FP)
+	RET
+
+// func supportsSSSE3() bool
+TEXT ·supportsSSSE3(SB), NOSPLIT, $0-1
+	XORL AX, AX
+	INCL AX
+	CPUID
+	SHRL $9, CX
+	ANDL $1, CX
+	MOVB CX, ret+0(FP)
+	RET
+
+// func hChaCha20SSE2(out *[32]byte, nonce *[16]byte, key *[32]byte)
+TEXT ·hChaCha20SSE2(SB), 4, $0-12
+	MOVL out+0(FP), DI
+	MOVL nonce+4(FP), AX
+	MOVL key+8(FP), BX
+
+	MOVOU ·sigma<>(SB), X0
+	MOVOU 0(BX), X1
+	MOVOU 16(BX), X2
+	MOVOU 0(AX), X3
+
+	MOVL $20, CX
+
+chacha_loop:
+	CHACHA_QROUND_SSE2(X0, X1, X2, X3, X4)
+	CHACHA_SHUFFLE(X1, X2, X3)
+	CHACHA_QROUND_SSE2(X0, X1, X2, X3, X4)
+	CHACHA_SHUFFLE(X3, X2, X1)
+	SUBL $2, CX
+	JNZ  chacha_loop
+
+	MOVOU X0, 0(DI)
+	MOVOU X3, 16(DI)
+	RET
+
+// func hChaCha20SSSE3(out *[32]byte, nonce *[16]byte, key *[32]byte)
+TEXT ·hChaCha20SSSE3(SB), 4, $0-12
+	MOVL out+0(FP), DI
+	MOVL nonce+4(FP), AX
+	MOVL key+8(FP), BX
+
+	MOVOU ·sigma<>(SB), X0
+	MOVOU 0(BX), X1
+	MOVOU 16(BX), X2
+	MOVOU 0(AX), X3
+	MOVOU ·rol16<>(SB), X5
+	MOVOU ·rol8<>(SB), X6
+
+	MOVL $20, CX
+
+chacha_loop:
+	CHACHA_QROUND_SSSE3(X0, X1, X2, X3, X4, X5, X6)
+	CHACHA_SHUFFLE(X1, X2, X3)
+	CHACHA_QROUND_SSSE3(X0, X1, X2, X3, X4, X5, X6)
+	CHACHA_SHUFFLE(X3, X2, X1)
+	SUBL $2, CX
+	JNZ  chacha_loop
+
+	MOVOU X0, 0(DI)
+	MOVOU X3, 16(DI)
+	RET

vendor/github.com/aead/chacha20/chacha/chacha_generic.go

+// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+package chacha
+
+import "encoding/binary"
+
+var sigma = [4]uint32{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}
+
+func xorKeyStreamGeneric(dst, src []byte, block, state *[64]byte, rounds int) int {
+	for len(src) >= 64 {
+		chachaGeneric(block, state, rounds)
+
+		for i, v := range block {
+			dst[i] = src[i] ^ v
+		}
+		src = src[64:]
+		dst = dst[64:]
+	}
+
+	n := len(src)
+	if n > 0 {
+		chachaGeneric(block, state, rounds)
+		for i, v := range src {
+			dst[i] = v ^ block[i]
+		}
+	}
+	return n
+}
+
+func chachaGeneric(dst *[64]byte, state *[64]byte, rounds int) {
+	v00 := binary.LittleEndian.Uint32(state[0:])
+	v01 := binary.LittleEndian.Uint32(state[4:])
+	v02 := binary.LittleEndian.Uint32(state[8:])
+	v03 := binary.LittleEndian.Uint32(state[12:])
+	v04 := binary.LittleEndian.Uint32(state[16:])
+	v05 := binary.LittleEndian.Uint32(state[20:])
+	v06 := binary.LittleEndian.Uint32(state[24:])
+	v07 := binary.LittleEndian.Uint32(state[28:])
+	v08 := binary.LittleEndian.Uint32(state[32:])
+	v09 := binary.LittleEndian.Uint32(state[36:])
+	v10 := binary.LittleEndian.Uint32(state[40:])
+	v11 := binary.LittleEndian.Uint32(state[44:])
+	v12 := binary.LittleEndian.Uint32(state[48:])
+	v13 := binary.LittleEndian.Uint32(state[52:])
+	v14 := binary.LittleEndian.Uint32(state[56:])
+	v15 := binary.LittleEndian.Uint32(state[60:])
+
+	s00, s01, s02, s03, s04, s05, s06, s07 := v00, v01, v02, v03, v04, v05, v06, v07
+	s08, s09, s10, s11, s12, s13, s14, s15 := v08, v09, v10, v11, v12, v13, v14, v15
+
+	for i := 0; i < rounds; i += 2 {
+		v00 += v04
+		v12 ^= v00
+		v12 = (v12 << 16) | (v12 >> 16)
+		v08 += v12
+		v04 ^= v08
+		v04 = (v04 << 12) | (v04 >> 20)
+		v00 += v04
+		v12 ^= v00
+		v12 = (v12 << 8) | (v12 >> 24)
+		v08 += v12
+		v04 ^= v08
+		v04 = (v04 << 7) | (v04 >> 25)
+		v01 += v05
+		v13 ^= v01
+		v13 = (v13 << 16) | (v13 >> 16)
+		v09 += v13
+		v05 ^= v09
+		v05 = (v05 << 12) | (v05 >> 20)
+		v01 += v05
+		v13 ^= v01
+		v13 = (v13 << 8) | (v13 >> 24)
+		v09 += v13
+		v05 ^= v09
+		v05 = (v05 << 7) | (v05 >> 25)
+		v02 += v06
+		v14 ^= v02
+		v14 = (v14 << 16) | (v14 >> 16)
+		v10 += v14
+		v06 ^= v10
+		v06 = (v06 << 12) | (v06 >> 20)
+		v02 += v06
+		v14 ^= v02
+		v14 = (v14 << 8) | (v14 >> 24)
+		v10 += v14
+		v06 ^= v10
+		v06 = (v06 << 7) | (v06 >> 25)
+		v03 += v07
+		v15 ^= v03
+		v15 = (v15 << 16) | (v15 >> 16)
+		v11 += v15
+		v07 ^= v11
+		v07 = (v07 << 12) | (v07 >> 20)
+		v03 += v07
+		v15 ^= v03
+		v15 = (v15 << 8) | (v15 >> 24)
+		v11 += v15
+		v07 ^= v11
+		v07 = (v07 << 7) | (v07 >> 25)
+		v00 += v05
+		v15 ^= v00
+		v15 = (v15 << 16) | (v15 >> 16)
+		v10 += v15
+		v05 ^= v10
+		v05 = (v05 << 12) | (v05 >> 20)
+		v00 += v05
+		v15 ^= v00
+		v15 = (v15 << 8) | (v15 >> 24)
+		v10 += v15
+		v05 ^= v10
+		v05 = (v05 << 7) | (v05 >> 25)
+		v01 += v06
+		v12 ^= v01
+		v12 = (v12 << 16) | (v12 >> 16)
+		v11 += v12
+		v06 ^= v11
+		v06 = (v06 << 12) | (v06 >> 20)
+		v01 += v06
+		v12 ^= v01
+		v12 = (v12 << 8) | (v12 >> 24)
+		v11 += v12
+		v06 ^= v11
+		v06 = (v06 << 7) | (v06 >> 25)
+		v02 += v07
+		v13 ^= v02
+		v13 = (v13 << 16) | (v13 >> 16)
+		v08 += v13
+		v07 ^= v08
+		v07 = (v07 << 12) | (v07 >> 20)
+		v02 += v07
+		v13 ^= v02
+		v13 = (v13 << 8) | (v13 >> 24)
+		v08 += v13
+		v07 ^= v08
+		v07 = (v07 << 7) | (v07 >> 25)
+		v03 += v04
+		v14 ^= v03
+		v14 = (v14 << 16) | (v14 >> 16)
+		v09 += v14
+		v04 ^= v09
+		v04 = (v04 << 12) | (v04 >> 20)
+		v03 += v04
+		v14 ^= v03
+		v14 = (v14 << 8) | (v14 >> 24)
+		v09 += v14
+		v04 ^= v09
+		v04 = (v04 << 7) | (v04 >> 25)
+	}
+
+	v00 += s00
+	v01 += s01
+	v02 += s02
+	v03 += s03
+	v04 += s04
+	v05 += s05
+	v06 += s06
+	v07 += s07
+	v08 += s08
+	v09 += s09
+	v10 += s10
+	v11 += s11
+	v12 += s12
+	v13 += s13
+	v14 += s14
+	v15 += s15
+
+	s12++
+	binary.LittleEndian.PutUint32(state[48:], s12)
+	if s12 == 0 { // indicates overflow
+		s13++
+		binary.LittleEndian.PutUint32(state[52:], s13)
+	}
+
+	binary.LittleEndian.PutUint32(dst[0:], v00)
+	binary.LittleEndian.PutUint32(dst[4:], v01)
+	binary.LittleEndian.PutUint32(dst[8:], v02)
+	binary.LittleEndian.PutUint32(dst[12:], v03)
+	binary.LittleEndian.PutUint32(dst[16:], v04)
+	binary.LittleEndian.PutUint32(dst[20:], v05)
+	binary.LittleEndian.PutUint32(dst[24:], v06)
+	binary.LittleEndian.PutUint32(dst[28:], v07)
+	binary.LittleEndian.PutUint32(dst[32:], v08)
+	binary.LittleEndian.PutUint32(dst[36:], v09)
+	binary.LittleEndian.PutUint32(dst[40:], v10)
+	binary.LittleEndian.PutUint32(dst[44:], v11)
+	binary.LittleEndian.PutUint32(dst[48:], v12)
+	binary.LittleEndian.PutUint32(dst[52:], v13)
+	binary.LittleEndian.PutUint32(dst[56:], v14)
+	binary.LittleEndian.PutUint32(dst[60:], v15)
+}
+
+func hChaCha20Generic(out *[32]byte, nonce *[16]byte, key *[32]byte) {
+	v00 := sigma[0]
+	v01 := sigma[1]
+	v02 := sigma[2]
+	v03 := sigma[3]
+	v04 := binary.LittleEndian.Uint32(key[0:])
+	v05 := binary.LittleEndian.Uint32(key[4:])
+	v06 := binary.LittleEndian.Uint32(key[8:])
+	v07 := binary.LittleEndian.Uint32(key[12:])
+	v08 := binary.LittleEndian.Uint32(key[16:])
+	v09 := binary.LittleEndian.Uint32(key[20:])
+	v10 := binary.LittleEndian.Uint32(key[24:])
+	v11 := binary.LittleEndian.Uint32(key[28:])
+	v12 := binary.LittleEndian.Uint32(nonce[0:])
+	v13 := binary.LittleEndian.Uint32(nonce[4:])
+	v14 := binary.LittleEndian.Uint32(nonce[8:])
+	v15 := binary.LittleEndian.Uint32(nonce[12:])
+
+	for i := 0; i < 20; i += 2 {
+		v00 += v04
+		v12 ^= v00
+		v12 = (v12 << 16) | (v12 >> 16)
+		v08 += v12
+		v04 ^= v08
+		v04 = (v04 << 12) | (v04 >> 20)
+		v00 += v04
+		v12 ^= v00
+		v12 = (v12 << 8) | (v12 >> 24)
+		v08 += v12
+		v04 ^= v08
+		v04 = (v04 << 7) | (v04 >> 25)
+		v01 += v05
+		v13 ^= v01
+		v13 = (v13 << 16) | (v13 >> 16)
+		v09 += v13
+		v05 ^= v09
+		v05 = (v05 << 12) | (v05 >> 20)
+		v01 += v05
+		v13 ^= v01
+		v13 = (v13 << 8) | (v13 >> 24)
+		v09 += v13
+		v05 ^= v09
+		v05 = (v05 << 7) | (v05 >> 25)
+		v02 += v06
+		v14 ^= v02
+		v14 = (v14 << 16) | (v14 >> 16)
+		v10 += v14
+		v06 ^= v10
+		v06 = (v06 << 12) | (v06 >> 20)
+		v02 += v06
+		v14 ^= v02
+		v14 = (v14 << 8) | (v14 >> 24)
+		v10 += v14
+		v06 ^= v10
+		v06 = (v06 << 7) | (v06 >> 25)
+		v03 += v07
+		v15 ^= v03
+		v15 = (v15 << 16) | (v15 >> 16)
+		v11 += v15
+		v07 ^= v11
+		v07 = (v07 << 12) | (v07 >> 20)
+		v03 += v07
+		v15 ^= v03
+		v15 = (v15 << 8) | (v15 >> 24)
+		v11 += v15
+		v07 ^= v11
+		v07 = (v07 << 7) | (v07 >> 25)
+		v00 += v05
+		v15 ^= v00
+		v15 = (v15 << 16) | (v15 >> 16)
+		v10 += v15
+		v05 ^= v10
+		v05 = (v05 << 12) | (v05 >> 20)
+		v00 += v05
+		v15 ^= v00
+		v15 = (v15 << 8) | (v15 >> 24)
+		v10 += v15
+		v05 ^= v10
+		v05 = (v05 << 7) | (v05 >> 25)
+		v01 += v06
+		v12 ^= v01
+		v12 = (v12 << 16) | (v12 >> 16)
+		v11 += v12
+		v06 ^= v11
+		v06 = (v06 << 12) | (v06 >> 20)
+		v01 += v06
+		v12 ^= v01
+		v12 = (v12 << 8) | (v12 >> 24)
+		v11 += v12
+		v06 ^= v11
+		v06 = (v06 << 7) | (v06 >> 25)
+		v02 += v07
+		v13 ^= v02
+		v13 = (v13 << 16) | (v13 >> 16)
+		v08 += v13
+		v07 ^= v08
+		v07 = (v07 << 12) | (v07 >> 20)
+		v02 += v07
+		v13 ^= v02
+		v13 = (v13 << 8) | (v13 >> 24)
+		v08 += v13
+		v07 ^= v08
+		v07 = (v07 << 7) | (v07 >> 25)
+		v03 += v04
+		v14 ^= v03
+		v14 = (v14 << 16) | (v14 >> 16)
+		v09 += v14
+		v04 ^= v09
+		v04 = (v04 << 12) | (v04 >> 20)
+		v03 += v04
+		v14 ^= v03
+		v14 = (v14 << 8) | (v14 >> 24)
+		v09 += v14
+		v04 ^= v09
+		v04 = (v04 << 7) | (v04 >> 25)
+	}
+
+	binary.LittleEndian.PutUint32(out[0:], v00)
+	binary.LittleEndian.PutUint32(out[4:], v01)
+	binary.LittleEndian.PutUint32(out[8:], v02)
+	binary.LittleEndian.PutUint32(out[12:], v03)
+	binary.LittleEndian.PutUint32(out[16:], v12)
+	binary.LittleEndian.PutUint32(out[20:], v13)
+	binary.LittleEndian.PutUint32(out[24:], v14)
+	binary.LittleEndian.PutUint32(out[28:], v15)
+}

vendor/github.com/aead/chacha20/chacha/chacha_go16_amd64.go

+// Copyright (c) 2017 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+// +build amd64,!gccgo,!appengine,!nacl,!go1.7
+
+package chacha
+
+func init() {
+	useSSE2 = true
+	useSSSE3 = supportsSSSE3()
+	useAVX2 = false
+}
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func initialize(state *[64]byte, key []byte, nonce *[16]byte)
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func supportsSSSE3() bool
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func hChaCha20SSE2(out *[32]byte, nonce *[16]byte, key *[32]byte)
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func hChaCha20SSSE3(out *[32]byte, nonce *[16]byte, key *[32]byte)
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func xorKeyStreamSSE2(dst, src []byte, block, state *[64]byte, rounds int) int
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func xorKeyStreamSSSE3(dst, src []byte, block, state *[64]byte, rounds int) int
+
+func hChaCha20(out *[32]byte, nonce *[16]byte, key *[32]byte) {
+	if useSSSE3 {
+		hChaCha20SSSE3(out, nonce, key)
+	} else if useSSE2 { // on amd64 this is  always true - used to test generic on amd64
+		hChaCha20SSE2(out, nonce, key)
+	} else {
+		hChaCha20Generic(out, nonce, key)
+	}
+}
+
+func xorKeyStream(dst, src []byte, block, state *[64]byte, rounds int) int {
+	if useSSSE3 {
+		return xorKeyStreamSSSE3(dst, src, block, state, rounds)
+	} else if useSSE2 { // on amd64 this is  always true - used to test generic on amd64
+		return xorKeyStreamSSE2(dst, src, block, state, rounds)
+	}
+	return xorKeyStreamGeneric(dst, src, block, state, rounds)
+}

vendor/github.com/aead/chacha20/chacha/chacha_go17_amd64.go

+// Copyright (c) 2017 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+// +build go1.7,amd64,!gccgo,!appengine,!nacl
+
+package chacha
+
+func init() {
+	useSSE2 = true
+	useSSSE3 = supportsSSSE3()
+	useAVX2 = supportsAVX2()
+}
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func initialize(state *[64]byte, key []byte, nonce *[16]byte)
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func supportsSSSE3() bool
+
+// This function is implemented in chachaAVX2_amd64.s
+//go:noescape
+func supportsAVX2() bool
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func hChaCha20SSE2(out *[32]byte, nonce *[16]byte, key *[32]byte)
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func hChaCha20SSSE3(out *[32]byte, nonce *[16]byte, key *[32]byte)
+
+// This function is implemented in chachaAVX2_amd64.s
+//go:noescape
+func hChaCha20AVX(out *[32]byte, nonce *[16]byte, key *[32]byte)
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func xorKeyStreamSSE2(dst, src []byte, block, state *[64]byte, rounds int) int
+
+// This function is implemented in chacha_amd64.s
+//go:noescape
+func xorKeyStreamSSSE3(dst, src []byte, block, state *[64]byte, rounds int) int
+
+// This function is implemented in chachaAVX2_amd64.s
+//go:noescape
+func xorKeyStreamAVX2(dst, src []byte, block, state *[64]byte, rounds int) int
+
+func hChaCha20(out *[32]byte, nonce *[16]byte, key *[32]byte) {
+	if useAVX2 {
+		hChaCha20AVX(out, nonce, key)
+	} else if useSSSE3 {
+		hChaCha20SSSE3(out, nonce, key)
+	} else if useSSE2 { // on amd64 this is  always true - neccessary for testing generic on amd64
+		hChaCha20SSE2(out, nonce, key)
+	} else {
+		hChaCha20Generic(out, nonce, key)
+	}
+}
+
+func xorKeyStream(dst, src []byte, block, state *[64]byte, rounds int) int {
+	if useAVX2 {
+		return xorKeyStreamAVX2(dst, src, block, state, rounds)
+	} else if useSSSE3 {
+		return xorKeyStreamSSSE3(dst, src, block, state, rounds)
+	} else if useSSE2 { // on amd64 this is  always true - neccessary for testing generic on amd64
+		return xorKeyStreamSSE2(dst, src, block, state, rounds)
+	}
+	return xorKeyStreamGeneric(dst, src, block, state, rounds)
+}

vendor/github.com/aead/chacha20/chacha/chacha_ref.go

+// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+// +build !amd64,!386 gccgo appengine nacl
+
+package chacha
+
+import "encoding/binary"
+
+func initialize(state *[64]byte, key []byte, nonce *[16]byte) {
+	binary.LittleEndian.PutUint32(state[0:], sigma[0])
+	binary.LittleEndian.PutUint32(state[4:], sigma[1])
+	binary.LittleEndian.PutUint32(state[8:], sigma[2])
+	binary.LittleEndian.PutUint32(state[12:], sigma[3])
+	copy(state[16:], key[:])
+	copy(state[48:], nonce[:])
+}
+
+func xorKeyStream(dst, src []byte, block, state *[64]byte, rounds int) int {
+	return xorKeyStreamGeneric(dst, src, block, state, rounds)
+}
+
+func hChaCha20(out *[32]byte, nonce *[16]byte, key *[32]byte) {
+	hChaCha20Generic(out, nonce, key)
+}

vendor/github.com/aead/chacha20/chacha20.go

+// Copyright (c) 2016 Andreas Auernhammer. All rights reserved.
+// Use of this source code is governed by a license that can be
+// found in the LICENSE file.
+
+// Package chacha20 implements the ChaCha20 / XChaCha20 stream chipher.
+// Notice that one specific key-nonce combination must be unique for all time.
+//
+// There are three versions of ChaCha20:
+// - ChaCha20 with a 64 bit nonce (en/decrypt up to 2^64 * 64 bytes for one key-nonce combination)
+// - ChaCha20 with a 96 bit nonce (en/decrypt up to 2^32 * 64 bytes (~256 GB) for one key-nonce combination)
+// - XChaCha20 with a 192 bit nonce (en/decrypt up to 2^64 * 64 bytes for one key-nonce combination)
+package chacha20 // import "github.com/aead/chacha20"
+
+import (
+	"crypto/cipher"
+
+	"github.com/aead/chacha20/chacha"
+)
+
+// XORKeyStream crypts bytes from src to dst using the given nonce and key.
+// The length of the nonce determinds the version of ChaCha20:
+// - 8 bytes:  ChaCha20 with a 64 bit nonce and a 2^64 * 64 byte period.
+// - 12 bytes: ChaCha20 as defined in RFC 7539 and a 2^32 * 64 byte period.
+// - 24 bytes: XChaCha20 with a 192 bit nonce and a 2^64 * 64 byte period.
+// Src and dst may be the same slice but otherwise should not overlap.
+// If len(dst) < len(src) this function panics.
+// If the nonce is neither 64, 96 nor 192 bits long, this function panics.
+func XORKeyStream(dst, src, nonce, key []byte) {
+	chacha.XORKeyStream(dst, src, nonce, key, 20)
+}
+
+// NewCipher returns a new cipher.Stream implementing a ChaCha20 version.
+// The nonce must be unique for one key for all time.
+// The length of the nonce determinds the version of ChaCha20:
+// - 8 bytes:  ChaCha20 with a 64 bit nonce and a 2^64 * 64 byte period.
+// - 12 bytes: ChaCha20 as defined in RFC 7539 and a 2^32 * 64 byte period.
+// - 24 bytes: XChaCha20 with a 192 bit nonce and a 2^64 * 64 byte period.
+// If the nonce is neither 64, 96 nor 192 bits long, a non-nil error is returned.
+func NewCipher(nonce, key []byte) (cipher.Stream, error) {
+	return chacha.NewCipher(nonce, key, 20)
+}

vendor/github.com/bifurcation/mint/LICENSE.md

+The MIT License (MIT)
+
+Copyright (c) 2016 Richard Barnes
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

vendor/github.com/bifurcation/mint/README.md

+![A lock with a mint leaf](https://ipv.sx/mint/mint.svg)
+
+mint - A Minimal TLS 1.3 stack
+==============================
+
+[![Build Status](https://circleci.com/gh/bifurcation/mint.svg)](https://circleci.com/gh/bifurcation/mint)
+
+This project is primarily a learning effort for me to understand the [TLS
+1.3](http://tlswg.github.io/tls13-spec/) protocol.  The goal is to arrive at a
+pretty complete implementation of TLS 1.3, with minimal, elegant code that
+demonstrates how things work.  Testing is a priority to ensure correctness, but
+otherwise, the quality of the software engineering might not be at a level where
+it makes sense to integrate this with other libraries.  Backward compatibility
+is not an objective.
+
+We borrow liberally from the [Go TLS
+library](https://golang.org/pkg/crypto/tls/), especially where TLS 1.3 aligns
+with earlier TLS versions.  However, unnecessary parts will be ruthlessly cut
+off.
+
+## Quickstart
+
+Installation is the same as for any other Go package:
+
+```
+go get github.com/bifurcation/mint
+```
+
+The API is pretty much the same as for the TLS module, with `Dial` and `Listen`
+methods wrapping the underlying socket APIs.
+
+```
+conn, err := mint.Dial("tcp", "localhost:4430", &mint.Config{...})
+...
+listener, err := mint.Listen("tcp", "localhost:4430", &mint.Config{...})
+```
+
+Documentation is available on
+[godoc.org](https://godoc.org/github.com/bifurcation/mint)
+
+
+## Interoperability testing
+
+The `mint-client` and `mint-server` executables are included to make it easy to
+do basic interoperability tests with other TLS 1.3 implementations.  The steps
+for testing against NSS are as follows.
+
+```
+# Install mint
+go get github.com/bifurcation/mint
+
+# Environment for NSS (you'll probably want a new directory)
+NSS_ROOT=<whereever you want to put NSS>
+mkdir $NSS_ROOT
+cd $NSS_ROOT
+export USE_64=1
+export ENABLE_TLS_1_3=1
+export HOST=localhost
+export DOMSUF=localhost
+
+# Build NSS
+hg clone https://hg.mozilla.org/projects/nss
+hg clone https://hg.mozilla.org/projects/nspr
+cd nss
+make nss_build_all
+
+export PLATFORM=`cat $NSS_ROOT/dist/latest`
+export DYLD_LIBRARY_PATH=$NSS_ROOT/dist/$PLATFORM/lib
+export LD_LIBRARY_PATH=$NSS_ROOT/dist/$PLATFORM/lib
+
+# Run NSS tests (this creates data for the server to use)
+cd tests/ssl_gtests
+./ssl_gtests.sh
+
+# Test with client=mint server=NSS
+cd $NSS_ROOT
+./dist/$PLATFORM/bin/selfserv -d tests_results/security/$HOST.1/ssl_gtests/ -n rsa -p 4430
+# if you get `NSS_Init failed.`, check the path above, particularly around $HOST
+# ...
+go run $GOPATH/src/github.com/bifurcation/mint/bin/mint-client/main.go
+
+# Test with client=NSS server=mint
+go run $GOPATH/src/github.com/bifurcation/mint/bin/mint-server/main.go
+# ...
+cd $NSS_ROOT
+dist/$PLATFORM/bin/tstclnt -d tests_results/security/$HOST/ssl_gtests/ -V tls1.3:tls1.3 -h 127.0.0.1 -p 4430 -o
+```
+

vendor/github.com/bifurcation/mint/alert.go

+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package mint
+
+import "strconv"
+
+type Alert uint8
+
+const (
+	// alert level
+	AlertLevelWarning = 1
+	AlertLevelError   = 2
+)
+
+const (
+	AlertCloseNotify                 Alert = 0
+	AlertUnexpectedMessage           Alert = 10
+	AlertBadRecordMAC                Alert = 20
+	AlertDecryptionFailed            Alert = 21
+	AlertRecordOverflow              Alert = 22
+	AlertDecompressionFailure        Alert = 30
+	AlertHandshakeFailure            Alert = 40
+	AlertBadCertificate              Alert = 42
+	AlertUnsupportedCertificate      Alert = 43
+	AlertCertificateRevoked          Alert = 44
+	AlertCertificateExpired          Alert = 45
+	AlertCertificateUnknown          Alert = 46
+	AlertIllegalParameter            Alert = 47
+	AlertUnknownCA                   Alert = 48
+	AlertAccessDenied                Alert = 49
+	AlertDecodeError                 Alert = 50
+	AlertDecryptError                Alert = 51
+	AlertProtocolVersion             Alert = 70
+	AlertInsufficientSecurity        Alert = 71
+	AlertInternalError               Alert = 80
+	AlertInappropriateFallback       Alert = 86
+	AlertUserCanceled                Alert = 90
+	AlertNoRenegotiation             Alert = 100
+	AlertMissingExtension            Alert = 109
+	AlertUnsupportedExtension        Alert = 110
+	AlertCertificateUnobtainable     Alert = 111
+	AlertUnrecognizedName            Alert = 112
+	AlertBadCertificateStatsResponse Alert = 113
+	AlertBadCertificateHashValue     Alert = 114
+	AlertUnknownPSKIdentity          Alert = 115
+	AlertNoApplicationProtocol       Alert = 120
+	AlertWouldBlock                  Alert = 254
+	AlertNoAlert                     Alert = 255
+)
+
+var alertText = map[Alert]string{
+	AlertCloseNotify:                 "close notify",
+	AlertUnexpectedMessage:           "unexpected message",
+	AlertBadRecordMAC:                "bad record MAC",
+	AlertDecryptionFailed:            "decryption failed",
+	AlertRecordOverflow:              "record overflow",
+	AlertDecompressionFailure:        "decompression failure",
+	AlertHandshakeFailure:            "handshake failure",
+	AlertBadCertificate:              "bad certificate",
+	AlertUnsupportedCertificate:      "unsupported certificate",
+	AlertCertificateRevoked:          "revoked certificate",
+	AlertCertificateExpired:          "expired certificate",
+	AlertCertificateUnknown:          "unknown certificate",
+	AlertIllegalParameter:            "illegal parameter",
+	AlertUnknownCA:                   "unknown certificate authority",
+	AlertAccessDenied:                "access denied",
+	AlertDecodeError:                 "error decoding message",
+	AlertDecryptError:                "error decrypting message",
+	AlertProtocolVersion:             "protocol version not supported",
+	AlertInsufficientSecurity:        "insufficient security level",
+	AlertInternalError:               "internal error",
+	AlertInappropriateFallback:       "inappropriate fallback",
+	AlertUserCanceled:                "user canceled",
+	AlertMissingExtension:            "missing extension",
+	AlertUnsupportedExtension:        "unsupported extension",
+	AlertCertificateUnobtainable:     "certificate unobtainable",
+	AlertUnrecognizedName:            "unrecognized name",
+	AlertBadCertificateStatsResponse: "bad certificate status response",
+	AlertBadCertificateHashValue:     "bad certificate hash value",
+	AlertUnknownPSKIdentity:          "unknown PSK identity",
+	AlertNoApplicationProtocol:       "no application protocol",
+	AlertNoRenegotiation:             "no renegotiation",
+	AlertWouldBlock:                  "would have blocked",
+	AlertNoAlert:                     "no alert",
+}
+
+func (e Alert) String() string {
+	s, ok := alertText[e]
+	if ok {
+		return s
+	}
+	return "alert(" + strconv.Itoa(int(e)) + ")"
+}
+
+func (e Alert) Error() string {
+	return e.String()
+}

vendor/github.com/bifurcation/mint/common.go

+package mint
+
+import (
+	"fmt"
+	"strconv"
+)
+
+var (
+	supportedVersion uint16 = 0x7f15 // draft-21
+
+	// Flags for some minor compat issues
+	allowWrongVersionNumber = true
+	allowPKCS1              = true
+)
+
+// enum {...} ContentType;
+type RecordType byte
+
+const (
+	RecordTypeAlert           RecordType = 21
+	RecordTypeHandshake       RecordType = 22
+	RecordTypeApplicationData RecordType = 23
+)
+
+// enum {...} HandshakeType;
+type HandshakeType byte
+
+const (
+	// Omitted: *_RESERVED
+	HandshakeTypeClientHello         HandshakeType = 1
+	HandshakeTypeServerHello         HandshakeType = 2
+	HandshakeTypeNewSessionTicket    HandshakeType = 4
+	HandshakeTypeEndOfEarlyData      HandshakeType = 5
+	HandshakeTypeHelloRetryRequest   HandshakeType = 6
+	HandshakeTypeEncryptedExtensions HandshakeType = 8
+	HandshakeTypeCertificate         HandshakeType = 11
+	HandshakeTypeCertificateRequest  HandshakeType = 13
+	HandshakeTypeCertificateVerify   HandshakeType = 15
+	HandshakeTypeServerConfiguration HandshakeType = 17
+	HandshakeTypeFinished            HandshakeType = 20
+	HandshakeTypeKeyUpdate           HandshakeType = 24
+	HandshakeTypeMessageHash         HandshakeType = 254
+)
+
+// uint8 CipherSuite[2];
+type CipherSuite uint16
+
+const (
+	// XXX: Actually TLS_NULL_WITH_NULL_NULL, but we need a way to label the zero
+	// value for this type so that we can detect when a field is set.
+	CIPHER_SUITE_UNKNOWN         CipherSuite = 0x0000
+	TLS_AES_128_GCM_SHA256       CipherSuite = 0x1301
+	TLS_AES_256_GCM_SHA384       CipherSuite = 0x1302
+	TLS_CHACHA20_POLY1305_SHA256 CipherSuite = 0x1303
+	TLS_AES_128_CCM_SHA256       CipherSuite = 0x1304
+	TLS_AES_256_CCM_8_SHA256     CipherSuite = 0x1305
+)
+
+func (c CipherSuite) String() string {
+	switch c {
+	case CIPHER_SUITE_UNKNOWN:
+		return "unknown"
+	case TLS_AES_128_GCM_SHA256:
+		return "TLS_AES_128_GCM_SHA256"
+	case TLS_AES_256_GCM_SHA384:
+		return "TLS_AES_256_GCM_SHA384"
+	case TLS_CHACHA20_POLY1305_SHA256:
+		return "TLS_CHACHA20_POLY1305_SHA256"
+	case TLS_AES_128_CCM_SHA256:
+		return "TLS_AES_128_CCM_SHA256"
+	case TLS_AES_256_CCM_8_SHA256:
+		return "TLS_AES_256_CCM_8_SHA256"
+	}
+	// cannot use %x here, since it calls String(), leading to infinite recursion
+	return fmt.Sprintf("invalid CipherSuite value: 0x%s", strconv.FormatUint(uint64(c), 16))
+}
+
+// enum {...} SignatureScheme
+type SignatureScheme uint16
+
+const (
+	// RSASSA-PKCS1-v1_5 algorithms
+	RSA_PKCS1_SHA1   SignatureScheme = 0x0201
+	RSA_PKCS1_SHA256 SignatureScheme = 0x0401
+	RSA_PKCS1_SHA384 SignatureScheme = 0x0501
+	RSA_PKCS1_SHA512 SignatureScheme = 0x0601
+	// ECDSA algorithms
+	ECDSA_P256_SHA256 SignatureScheme = 0x0403
+	ECDSA_P384_SHA384 SignatureScheme = 0x0503
+	ECDSA_P521_SHA512 SignatureScheme = 0x0603
+	// RSASSA-PSS algorithms
+	RSA_PSS_SHA256 SignatureScheme = 0x0804
+	RSA_PSS_SHA384 SignatureScheme = 0x0805
+	RSA_PSS_SHA512 SignatureScheme = 0x0806
+	// EdDSA algorithms
+	Ed25519 SignatureScheme = 0x0807
+	Ed448   SignatureScheme = 0x0808
+)
+
+// enum {...} ExtensionType
+type ExtensionType uint16
+
+const (
+	ExtensionTypeServerName          ExtensionType = 0
+	ExtensionTypeSupportedGroups     ExtensionType = 10
+	ExtensionTypeSignatureAlgorithms ExtensionType = 13
+	ExtensionTypeALPN                ExtensionType = 16
+	ExtensionTypeKeyShare            ExtensionType = 40
+	ExtensionTypePreSharedKey        ExtensionType = 41
+	ExtensionTypeEarlyData           ExtensionType = 42
+	ExtensionTypeSupportedVersions   ExtensionType = 43
+	ExtensionTypeCookie              ExtensionType = 44
+	ExtensionTypePSKKeyExchangeModes ExtensionType = 45
+	ExtensionTypeTicketEarlyDataInfo ExtensionType = 46
+)
+
+// enum {...} NamedGroup
+type NamedGroup uint16
+
+const (
+	// Elliptic Curve Groups.
+	P256 NamedGroup = 23
+	P384 NamedGroup = 24
+	P521 NamedGroup = 25
+	// ECDH functions.
+	X25519 NamedGroup = 29
+	X448   NamedGroup = 30
+	// Finite field groups.
+	FFDHE2048 NamedGroup = 256
+	FFDHE3072 NamedGroup = 257
+	FFDHE4096 NamedGroup = 258
+	FFDHE6144 NamedGroup = 259
+	FFDHE8192 NamedGroup = 260
+)
+
+// enum {...} PskKeyExchangeMode;
+type PSKKeyExchangeMode uint8
+
+const (
+	PSKModeKE    PSKKeyExchangeMode = 0
+	PSKModeDHEKE PSKKeyExchangeMode = 1
+)
+
+// enum {
+//     update_not_requested(0), update_requested(1), (255)
+// } KeyUpdateRequest;
+type KeyUpdateRequest uint8
+
+const (
+	KeyUpdateNotRequested KeyUpdateRequest = 0
+	KeyUpdateRequested    KeyUpdateRequest = 1
+)

vendor/github.com/bifurcation/mint/frame-reader.go

+// Read a generic "framed" packet consisting of a header and a
+// This is used for both TLS Records and TLS Handshake Messages
+package mint
+
+type framing interface {
+	headerLen() int
+	defaultReadLen() int
+	frameLen(hdr []byte) (int, error)
+}
+
+const (
+	kFrameReaderHdr  = 0
+	kFrameReaderBody = 1
+)
+
+type frameNextAction func(f *frameReader) error
+
+type frameReader struct {
+	details     framing
+	state       uint8
+	header      []byte
+	body        []byte
+	working     []byte
+	writeOffset int
+	remainder   []byte
+}
+
+func newFrameReader(d framing) *frameReader {
+	hdr := make([]byte, d.headerLen())
+	return &frameReader{
+		d,
+		kFrameReaderHdr,
+		hdr,
+		nil,
+		hdr,
+		0,
+		nil,
+	}
+}
+
+func dup(a []byte) []byte {
+	r := make([]byte, len(a))
+	copy(r, a)
+	return r
+}
+
+func (f *frameReader) needed() int {
+	tmp := (len(f.working) - f.writeOffset) - len(f.remainder)
+	if tmp < 0 {
+		return 0
+	}
+	return tmp
+}
+
+func (f *frameReader) addChunk(in []byte) {
+	// Append to the buffer.
+	logf(logTypeFrameReader, "Appending %v", len(in))
+	f.remainder = append(f.remainder, in...)
+}
+
+func (f *frameReader) process() (hdr []byte, body []byte, err error) {
+	for f.needed() == 0 {
+		logf(logTypeFrameReader, "%v bytes needed for next block", len(f.working)-f.writeOffset)
+		// Fill out our working block
+		copied := copy(f.working[f.writeOffset:], f.remainder)
+		f.remainder = f.remainder[copied:]
+		f.writeOffset += copied
+		if f.writeOffset < len(f.working) {
+			logf(logTypeFrameReader, "Read would have blocked 1")
+			return nil, nil, WouldBlock
+		}
+		// Reset the write offset, because we are now full.
+		f.writeOffset = 0
+
+		// We have read a full frame
+		if f.state == kFrameReaderBody {
+			logf(logTypeFrameReader, "Returning frame hdr=%#x len=%d buffered=%d", f.header, len(f.body), len(f.remainder))
+			f.state = kFrameReaderHdr
+			f.working = f.header
+			return dup(f.header), dup(f.body), nil
+		}
+
+		// We have read the header
+		bodyLen, err := f.details.frameLen(f.header)
+		if err != nil {
+			return nil, nil, err
+		}
+		logf(logTypeFrameReader, "Processed header, body len = %v", bodyLen)
+
+		f.body = make([]byte, bodyLen)
+		f.working = f.body
+		f.writeOffset = 0
+		f.state = kFrameReaderBody
+	}
+
+	logf(logTypeFrameReader, "Read would have blocked 2")
+	return nil, nil, WouldBlock
+}

vendor/github.com/bifurcation/mint/syntax/tags.go

+package syntax
+
+import (
+	"strconv"
+	"strings"
+)
+
+// `tls:"head=2,min=2,max=255"`
+
+type tagOptions map[string]uint
+
+// parseTag parses a struct field's "tls" tag as a comma-separated list of
+// name=value pairs, where the values MUST be unsigned integers
+func parseTag(tag string) tagOptions {
+	opts := tagOptions{}
+	for _, token := range strings.Split(tag, ",") {
+		if strings.Index(token, "=") == -1 {
+			continue
+		}
+
+		parts := strings.Split(token, "=")
+		if len(parts[0]) == 0 {
+			continue
+		}
+		if val, err := strconv.Atoi(parts[1]); err == nil && val >= 0 {
+			opts[parts[0]] = uint(val)
+		}
+	}
+	return opts
+}

vendor/github.com/lucas-clemente/aes12/cipher_generic.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !amd64,!s390x
+// +build !amd64
 
 package aes12