Update vendor directory

Re-added cobra patch 499475bb41

vendor/golang.org/x/crypto/curve25519/const_amd64.h

@@ -0,0 +1,8 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This code was translated into a form compatible with 6a from the public
+// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
+
+#define REDMASK51     0x0007FFFFFFFFFFFF

vendor/golang.org/x/crypto/curve25519/const_amd64.s

@@ -7,8 +7,8 @@
 
 // +build amd64,!gccgo,!appengine
 
-DATA ·REDMASK51(SB)/8, $0x0007FFFFFFFFFFFF
-GLOBL ·REDMASK51(SB), 8, $8
+// These constants cannot be encoded in non-MOVQ immediates.
+// We access them directly from memory instead.
 
 DATA ·_121666_213(SB)/8, $996687872
 GLOBL ·_121666_213(SB), 8, $8

vendor/golang.org/x/crypto/curve25519/curve25519_test.go

@@ -1,29 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package curve25519
-
-import (
-	"fmt"
-	"testing"
-)
-
-const expectedHex = "89161fde887b2b53de549af483940106ecc114d6982daa98256de23bdf77661a"
-
-func TestBaseScalarMult(t *testing.T) {
-	var a, b [32]byte
-	in := &a
-	out := &b
-	a[0] = 1
-
-	for i := 0; i < 200; i++ {
-		ScalarBaseMult(out, in)
-		in, out = out, in
-	}
-
-	result := fmt.Sprintf("%x", in[:])
-	if result != expectedHex {
-		t.Errorf("incorrect result: got %s, want %s", result, expectedHex)
-	}
-}

vendor/golang.org/x/crypto/curve25519/doc.go

@@ -4,7 +4,7 @@
 
 // Package curve25519 provides an implementation of scalar multiplication on
 // the elliptic curve known as curve25519. See http://cr.yp.to/ecdh.html
-package curve25519 // import "golang.org/x/crypto/curve25519"
+package curve25519
 
 // basePoint is the x coordinate of the generator of the curve.
 var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}

vendor/golang.org/x/crypto/curve25519/freeze_amd64.s

@@ -7,6 +7,8 @@
 
 // +build amd64,!gccgo,!appengine
 
+#include "const_amd64.h"
+
 // func freeze(inout *[5]uint64)
 TEXT ·freeze(SB),7,$0-8
 	MOVQ inout+0(FP), DI
@@ -16,7 +18,7 @@ TEXT ·freeze(SB),7,$0-8
 	MOVQ 16(DI),CX
 	MOVQ 24(DI),R8
 	MOVQ 32(DI),R9
-	MOVQ ·REDMASK51(SB),AX
+	MOVQ $REDMASK51,AX
 	MOVQ AX,R10
 	SUBQ $18,R10
 	MOVQ $3,R11

vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s

@@ -7,6 +7,8 @@
 
 // +build amd64,!gccgo,!appengine
 
+#include "const_amd64.h"
+
 // func ladderstep(inout *[5][5]uint64)
 TEXT ·ladderstep(SB),0,$296-8
 	MOVQ inout+0(FP),DI
@@ -118,7 +120,7 @@ TEXT ·ladderstep(SB),0,$296-8
 	MULQ 72(SP)
 	ADDQ AX,R12
 	ADCQ DX,R13
-	MOVQ ·REDMASK51(SB),DX
+	MOVQ $REDMASK51,DX
 	SHLQ $13,CX:SI
 	ANDQ DX,SI
 	SHLQ $13,R9:R8
@@ -233,7 +235,7 @@ TEXT ·ladderstep(SB),0,$296-8
 	MULQ 32(SP)
 	ADDQ AX,R12
 	ADCQ DX,R13
-	MOVQ ·REDMASK51(SB),DX
+	MOVQ $REDMASK51,DX
 	SHLQ $13,CX:SI
 	ANDQ DX,SI
 	SHLQ $13,R9:R8
@@ -438,7 +440,7 @@ TEXT ·ladderstep(SB),0,$296-8
 	MULQ 72(SP)
 	ADDQ AX,R12
 	ADCQ DX,R13
-	MOVQ ·REDMASK51(SB),DX
+	MOVQ $REDMASK51,DX
 	SHLQ $13,CX:SI
 	ANDQ DX,SI
 	SHLQ $13,R9:R8
@@ -588,7 +590,7 @@ TEXT ·ladderstep(SB),0,$296-8
 	MULQ 32(SP)
 	ADDQ AX,R12
 	ADCQ DX,R13
-	MOVQ ·REDMASK51(SB),DX
+	MOVQ $REDMASK51,DX
 	SHLQ $13,CX:SI
 	ANDQ DX,SI
 	SHLQ $13,R9:R8
@@ -728,7 +730,7 @@ TEXT ·ladderstep(SB),0,$296-8
 	MULQ 152(DI)
 	ADDQ AX,R12
 	ADCQ DX,R13
-	MOVQ ·REDMASK51(SB),DX
+	MOVQ $REDMASK51,DX
 	SHLQ $13,CX:SI
 	ANDQ DX,SI
 	SHLQ $13,R9:R8
@@ -843,7 +845,7 @@ TEXT ·ladderstep(SB),0,$296-8
 	MULQ 192(DI)
 	ADDQ AX,R12
 	ADCQ DX,R13
-	MOVQ ·REDMASK51(SB),DX
+	MOVQ $REDMASK51,DX
 	SHLQ $13,CX:SI
 	ANDQ DX,SI
 	SHLQ $13,R9:R8
@@ -993,7 +995,7 @@ TEXT ·ladderstep(SB),0,$296-8
 	MULQ 32(DI)
 	ADDQ AX,R12
 	ADCQ DX,R13
-	MOVQ ·REDMASK51(SB),DX
+	MOVQ $REDMASK51,DX
 	SHLQ $13,CX:SI
 	ANDQ DX,SI
 	SHLQ $13,R9:R8
@@ -1143,7 +1145,7 @@ TEXT ·ladderstep(SB),0,$296-8
 	MULQ 112(SP)
 	ADDQ AX,R12
 	ADCQ DX,R13
-	MOVQ ·REDMASK51(SB),DX
+	MOVQ $REDMASK51,DX
 	SHLQ $13,CX:SI
 	ANDQ DX,SI
 	SHLQ $13,R9:R8
@@ -1329,7 +1331,7 @@ TEXT ·ladderstep(SB),0,$296-8
 	MULQ 192(SP)
 	ADDQ AX,R12
 	ADCQ DX,R13
-	MOVQ ·REDMASK51(SB),DX
+	MOVQ $REDMASK51,DX
 	SHLQ $13,CX:SI
 	ANDQ DX,SI
 	SHLQ $13,R9:R8

vendor/golang.org/x/crypto/curve25519/mul_amd64.s

@@ -7,6 +7,8 @@
 
 // +build amd64,!gccgo,!appengine
 
+#include "const_amd64.h"
+
 // func mul(dest, a, b *[5]uint64)
 TEXT ·mul(SB),0,$16-24
 	MOVQ dest+0(FP), DI
@@ -121,7 +123,7 @@ TEXT ·mul(SB),0,$16-24
 	MULQ 32(CX)
 	ADDQ AX,R14
 	ADCQ DX,R15
-	MOVQ ·REDMASK51(SB),SI
+	MOVQ $REDMASK51,SI
 	SHLQ $13,R9:R8
 	ANDQ SI,R8
 	SHLQ $13,R11:R10

vendor/golang.org/x/crypto/curve25519/square_amd64.s

@@ -7,6 +7,8 @@
 
 // +build amd64,!gccgo,!appengine
 
+#include "const_amd64.h"
+
 // func square(out, in *[5]uint64)
 TEXT ·square(SB),7,$0-16
 	MOVQ out+0(FP), DI
@@ -84,7 +86,7 @@ TEXT ·square(SB),7,$0-16
 	MULQ 32(SI)
 	ADDQ AX,R13
 	ADCQ DX,R14
-	MOVQ ·REDMASK51(SB),SI
+	MOVQ $REDMASK51,SI
 	SHLQ $13,R8:CX
 	ANDQ SI,CX
 	SHLQ $13,R10:R9

vendor/golang.org/x/crypto/ed25519/ed25519_test.go

@@ -1,183 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ed25519
-
-import (
-	"bufio"
-	"bytes"
-	"compress/gzip"
-	"crypto"
-	"crypto/rand"
-	"encoding/hex"
-	"os"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/ed25519/internal/edwards25519"
-)
-
-type zeroReader struct{}
-
-func (zeroReader) Read(buf []byte) (int, error) {
-	for i := range buf {
-		buf[i] = 0
-	}
-	return len(buf), nil
-}
-
-func TestUnmarshalMarshal(t *testing.T) {
-	pub, _, _ := GenerateKey(rand.Reader)
-
-	var A edwards25519.ExtendedGroupElement
-	var pubBytes [32]byte
-	copy(pubBytes[:], pub)
-	if !A.FromBytes(&pubBytes) {
-		t.Fatalf("ExtendedGroupElement.FromBytes failed")
-	}
-
-	var pub2 [32]byte
-	A.ToBytes(&pub2)
-
-	if pubBytes != pub2 {
-		t.Errorf("FromBytes(%v)->ToBytes does not round-trip, got %x\n", pubBytes, pub2)
-	}
-}
-
-func TestSignVerify(t *testing.T) {
-	var zero zeroReader
-	public, private, _ := GenerateKey(zero)
-
-	message := []byte("test message")
-	sig := Sign(private, message)
-	if !Verify(public, message, sig) {
-		t.Errorf("valid signature rejected")
-	}
-
-	wrongMessage := []byte("wrong message")
-	if Verify(public, wrongMessage, sig) {
-		t.Errorf("signature of different message accepted")
-	}
-}
-
-func TestCryptoSigner(t *testing.T) {
-	var zero zeroReader
-	public, private, _ := GenerateKey(zero)
-
-	signer := crypto.Signer(private)
-
-	publicInterface := signer.Public()
-	public2, ok := publicInterface.(PublicKey)
-	if !ok {
-		t.Fatalf("expected PublicKey from Public() but got %T", publicInterface)
-	}
-
-	if !bytes.Equal(public, public2) {
-		t.Errorf("public keys do not match: original:%x vs Public():%x", public, public2)
-	}
-
-	message := []byte("message")
-	var noHash crypto.Hash
-	signature, err := signer.Sign(zero, message, noHash)
-	if err != nil {
-		t.Fatalf("error from Sign(): %s", err)
-	}
-
-	if !Verify(public, message, signature) {
-		t.Errorf("Verify failed on signature from Sign()")
-	}
-}
-
-func TestGolden(t *testing.T) {
-	// sign.input.gz is a selection of test cases from
-	// http://ed25519.cr.yp.to/python/sign.input
-	testDataZ, err := os.Open("testdata/sign.input.gz")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer testDataZ.Close()
-	testData, err := gzip.NewReader(testDataZ)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer testData.Close()
-
-	scanner := bufio.NewScanner(testData)
-	lineNo := 0
-
-	for scanner.Scan() {
-		lineNo++
-
-		line := scanner.Text()
-		parts := strings.Split(line, ":")
-		if len(parts) != 5 {
-			t.Fatalf("bad number of parts on line %d", lineNo)
-		}
-
-		privBytes, _ := hex.DecodeString(parts[0])
-		pubKey, _ := hex.DecodeString(parts[1])
-		msg, _ := hex.DecodeString(parts[2])
-		sig, _ := hex.DecodeString(parts[3])
-		// The signatures in the test vectors also include the message
-		// at the end, but we just want R and S.
-		sig = sig[:SignatureSize]
-
-		if l := len(pubKey); l != PublicKeySize {
-			t.Fatalf("bad public key length on line %d: got %d bytes", lineNo, l)
-		}
-
-		var priv [PrivateKeySize]byte
-		copy(priv[:], privBytes)
-		copy(priv[32:], pubKey)
-
-		sig2 := Sign(priv[:], msg)
-		if !bytes.Equal(sig, sig2[:]) {
-			t.Errorf("different signature result on line %d: %x vs %x", lineNo, sig, sig2)
-		}
-
-		if !Verify(pubKey, msg, sig2) {
-			t.Errorf("signature failed to verify on line %d", lineNo)
-		}
-	}
-
-	if err := scanner.Err(); err != nil {
-		t.Fatalf("error reading test data: %s", err)
-	}
-}
-
-func BenchmarkKeyGeneration(b *testing.B) {
-	var zero zeroReader
-	for i := 0; i < b.N; i++ {
-		if _, _, err := GenerateKey(zero); err != nil {
-			b.Fatal(err)
-		}
-	}
-}
-
-func BenchmarkSigning(b *testing.B) {
-	var zero zeroReader
-	_, priv, err := GenerateKey(zero)
-	if err != nil {
-		b.Fatal(err)
-	}
-	message := []byte("Hello, world!")
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		Sign(priv, message)
-	}
-}
-
-func BenchmarkVerification(b *testing.B) {
-	var zero zeroReader
-	pub, priv, err := GenerateKey(zero)
-	if err != nil {
-		b.Fatal(err)
-	}
-	message := []byte("Hello, world!")
-	signature := Sign(priv, message)
-	b.ResetTimer()
-	for i := 0; i < b.N; i++ {
-		Verify(pub, message, signature)
-	}
-}

vendor/golang.org/x/crypto/poly1305/sum_amd64.s

@@ -54,9 +54,9 @@
 	ADCQ  t3, h1;                  \
 	ADCQ  $0, h2
 
-DATA poly1305Mask<>+0x00(SB)/8, $0x0FFFFFFC0FFFFFFF
-DATA poly1305Mask<>+0x08(SB)/8, $0x0FFFFFFC0FFFFFFC
-GLOBL poly1305Mask<>(SB), RODATA, $16
+DATA ·poly1305Mask<>+0x00(SB)/8, $0x0FFFFFFC0FFFFFFF
+DATA ·poly1305Mask<>+0x08(SB)/8, $0x0FFFFFFC0FFFFFFC
+GLOBL ·poly1305Mask<>(SB), RODATA, $16
 
 // func poly1305(out *[16]byte, m *byte, mlen uint64, key *[32]key)
 TEXT ·poly1305(SB), $0-32
@@ -67,8 +67,8 @@ TEXT ·poly1305(SB), $0-32
 
 	MOVQ 0(AX), R11
 	MOVQ 8(AX), R12
-	ANDQ poly1305Mask<>(SB), R11   // r0
-	ANDQ poly1305Mask<>+8(SB), R12 // r1
+	ANDQ ·poly1305Mask<>(SB), R11   // r0
+	ANDQ ·poly1305Mask<>+8(SB), R12 // r1
 	XORQ R8, R8                    // h0
 	XORQ R9, R9                    // h1
 	XORQ R10, R10                  // h2

vendor/golang.org/x/crypto/poly1305/sum_arm.s

@@ -9,12 +9,12 @@
 // This code was translated into a form compatible with 5a from the public
 // domain source by Andrew Moon: github.com/floodyberry/poly1305-opt/blob/master/app/extensions/poly1305.
 
-DATA poly1305_init_constants_armv6<>+0x00(SB)/4, $0x3ffffff
-DATA poly1305_init_constants_armv6<>+0x04(SB)/4, $0x3ffff03
-DATA poly1305_init_constants_armv6<>+0x08(SB)/4, $0x3ffc0ff
-DATA poly1305_init_constants_armv6<>+0x0c(SB)/4, $0x3f03fff
-DATA poly1305_init_constants_armv6<>+0x10(SB)/4, $0x00fffff
-GLOBL poly1305_init_constants_armv6<>(SB), 8, $20
+DATA ·poly1305_init_constants_armv6<>+0x00(SB)/4, $0x3ffffff
+DATA ·poly1305_init_constants_armv6<>+0x04(SB)/4, $0x3ffff03
+DATA ·poly1305_init_constants_armv6<>+0x08(SB)/4, $0x3ffc0ff
+DATA ·poly1305_init_constants_armv6<>+0x0c(SB)/4, $0x3f03fff
+DATA ·poly1305_init_constants_armv6<>+0x10(SB)/4, $0x00fffff
+GLOBL ·poly1305_init_constants_armv6<>(SB), 8, $20
 
 // Warning: the linker may use R11 to synthesize certain instructions. Please
 // take care and verify that no synthetic instructions use it.
@@ -27,7 +27,7 @@ TEXT poly1305_init_ext_armv6<>(SB), NOSPLIT, $0
 	ADD       $4, R13, R8
 	MOVM.IB   [R4-R7], (R8)
 	MOVM.IA.W (R1), [R2-R5]
-	MOVW      $poly1305_init_constants_armv6<>(SB), R7
+	MOVW      $·poly1305_init_constants_armv6<>(SB), R7
 	MOVW      R2, R8
 	MOVW      R2>>26, R9
 	MOVW      R3>>20, g

vendor/golang.org/x/crypto/ssh/agent/client.go

@@ -9,7 +9,7 @@
 //
 // References:
 //  [PROTOCOL.agent]:    http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.agent?rev=HEAD
-package agent // import "golang.org/x/crypto/ssh/agent"
+package agent
 
 import (
 	"bytes"

vendor/golang.org/x/crypto/ssh/benchmark_test.go

@@ -1,122 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"errors"
-	"io"
-	"net"
-	"testing"
-)
-
-type server struct {
-	*ServerConn
-	chans <-chan NewChannel
-}
-
-func newServer(c net.Conn, conf *ServerConfig) (*server, error) {
-	sconn, chans, reqs, err := NewServerConn(c, conf)
-	if err != nil {
-		return nil, err
-	}
-	go DiscardRequests(reqs)
-	return &server{sconn, chans}, nil
-}
-
-func (s *server) Accept() (NewChannel, error) {
-	n, ok := <-s.chans
-	if !ok {
-		return nil, io.EOF
-	}
-	return n, nil
-}
-
-func sshPipe() (Conn, *server, error) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	clientConf := ClientConfig{
-		User: "user",
-	}
-	serverConf := ServerConfig{
-		NoClientAuth: true,
-	}
-	serverConf.AddHostKey(testSigners["ecdsa"])
-	done := make(chan *server, 1)
-	go func() {
-		server, err := newServer(c2, &serverConf)
-		if err != nil {
-			done <- nil
-		}
-		done <- server
-	}()
-
-	client, _, reqs, err := NewClientConn(c1, "", &clientConf)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	server := <-done
-	if server == nil {
-		return nil, nil, errors.New("server handshake failed.")
-	}
-	go DiscardRequests(reqs)
-
-	return client, server, nil
-}
-
-func BenchmarkEndToEnd(b *testing.B) {
-	b.StopTimer()
-
-	client, server, err := sshPipe()
-	if err != nil {
-		b.Fatalf("sshPipe: %v", err)
-	}
-
-	defer client.Close()
-	defer server.Close()
-
-	size := (1 << 20)
-	input := make([]byte, size)
-	output := make([]byte, size)
-	b.SetBytes(int64(size))
-	done := make(chan int, 1)
-
-	go func() {
-		newCh, err := server.Accept()
-		if err != nil {
-			b.Fatalf("Client: %v", err)
-		}
-		ch, incoming, err := newCh.Accept()
-		go DiscardRequests(incoming)
-		for i := 0; i < b.N; i++ {
-			if _, err := io.ReadFull(ch, output); err != nil {
-				b.Fatalf("ReadFull: %v", err)
-			}
-		}
-		ch.Close()
-		done <- 1
-	}()
-
-	ch, in, err := client.OpenChannel("speed", nil)
-	if err != nil {
-		b.Fatalf("OpenChannel: %v", err)
-	}
-	go DiscardRequests(in)
-
-	b.ResetTimer()
-	b.StartTimer()
-	for i := 0; i < b.N; i++ {
-		if _, err := ch.Write(input); err != nil {
-			b.Fatalf("WriteFull: %v", err)
-		}
-	}
-	ch.Close()
-	b.StopTimer()
-
-	<-done
-}

vendor/golang.org/x/crypto/ssh/buffer_test.go

@@ -1,87 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"io"
-	"testing"
-)
-
-var alphabet = []byte("abcdefghijklmnopqrstuvwxyz")
-
-func TestBufferReadwrite(t *testing.T) {
-	b := newBuffer()
-	b.write(alphabet[:10])
-	r, _ := b.Read(make([]byte, 10))
-	if r != 10 {
-		t.Fatalf("Expected written == read == 10, written: 10, read %d", r)
-	}
-
-	b = newBuffer()
-	b.write(alphabet[:5])
-	r, _ = b.Read(make([]byte, 10))
-	if r != 5 {
-		t.Fatalf("Expected written == read == 5, written: 5, read %d", r)
-	}
-
-	b = newBuffer()
-	b.write(alphabet[:10])
-	r, _ = b.Read(make([]byte, 5))
-	if r != 5 {
-		t.Fatalf("Expected written == 10, read == 5, written: 10, read %d", r)
-	}
-
-	b = newBuffer()
-	b.write(alphabet[:5])
-	b.write(alphabet[5:15])
-	r, _ = b.Read(make([]byte, 10))
-	r2, _ := b.Read(make([]byte, 10))
-	if r != 10 || r2 != 5 || 15 != r+r2 {
-		t.Fatal("Expected written == read == 15")
-	}
-}
-
-func TestBufferClose(t *testing.T) {
-	b := newBuffer()
-	b.write(alphabet[:10])
-	b.eof()
-	_, err := b.Read(make([]byte, 5))
-	if err != nil {
-		t.Fatal("expected read of 5 to not return EOF")
-	}
-	b = newBuffer()
-	b.write(alphabet[:10])
-	b.eof()
-	r, err := b.Read(make([]byte, 5))
-	r2, err2 := b.Read(make([]byte, 10))
-	if r != 5 || r2 != 5 || err != nil || err2 != nil {
-		t.Fatal("expected reads of 5 and 5")
-	}
-
-	b = newBuffer()
-	b.write(alphabet[:10])
-	b.eof()
-	r, err = b.Read(make([]byte, 5))
-	r2, err2 = b.Read(make([]byte, 10))
-	r3, err3 := b.Read(make([]byte, 10))
-	if r != 5 || r2 != 5 || r3 != 0 || err != nil || err2 != nil || err3 != io.EOF {
-		t.Fatal("expected reads of 5 and 5 and 0, with EOF")
-	}
-
-	b = newBuffer()
-	b.write(make([]byte, 5))
-	b.write(make([]byte, 10))
-	b.eof()
-	r, err = b.Read(make([]byte, 9))
-	r2, err2 = b.Read(make([]byte, 3))
-	r3, err3 = b.Read(make([]byte, 3))
-	r4, err4 := b.Read(make([]byte, 10))
-	if err != nil || err2 != nil || err3 != nil || err4 != io.EOF {
-		t.Fatalf("Expected EOF on forth read only, err=%v, err2=%v, err3=%v, err4=%v", err, err2, err3, err4)
-	}
-	if r != 9 || r2 != 3 || r3 != 3 || r4 != 0 {
-		t.Fatal("Expected written == read == 15", r, r2, r3, r4)
-	}
-}

vendor/golang.org/x/crypto/ssh/certs_test.go

@@ -1,216 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/rand"
-	"reflect"
-	"testing"
-	"time"
-)
-
-// Cert generated by ssh-keygen 6.0p1 Debian-4.
-// % ssh-keygen -s ca-key -I test user-key
-const exampleSSHCert = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgb1srW/W3ZDjYAO45xLYAwzHBDLsJ4Ux6ICFIkTjb1LEAAAADAQABAAAAYQCkoR51poH0wE8w72cqSB8Sszx+vAhzcMdCO0wqHTj7UNENHWEXGrU0E0UQekD7U+yhkhtoyjbPOVIP7hNa6aRk/ezdh/iUnCIt4Jt1v3Z1h1P+hA4QuYFMHNB+rmjPwAcAAAAAAAAAAAAAAAEAAAAEdGVzdAAAAAAAAAAAAAAAAP//////////AAAAAAAAAIIAAAAVcGVybWl0LVgxMS1mb3J3YXJkaW5nAAAAAAAAABdwZXJtaXQtYWdlbnQtZm9yd2FyZGluZwAAAAAAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOcGVybWl0LXVzZXItcmMAAAAAAAAAAAAAAHcAAAAHc3NoLXJzYQAAAAMBAAEAAABhANFS2kaktpSGc+CcmEKPyw9mJC4nZKxHKTgLVZeaGbFZOvJTNzBspQHdy7Q1uKSfktxpgjZnksiu/tFF9ngyY2KFoc+U88ya95IZUycBGCUbBQ8+bhDtw/icdDGQD5WnUwAAAG8AAAAHc3NoLXJzYQAAAGC8Y9Z2LQKhIhxf52773XaWrXdxP0t3GBVo4A10vUWiYoAGepr6rQIoGGXFxT4B9Gp+nEBJjOwKDXPrAevow0T9ca8gZN+0ykbhSrXLE5Ao48rqr3zP4O1/9P7e6gp0gw8=`
-
-func TestParseCert(t *testing.T) {
-	authKeyBytes := []byte(exampleSSHCert)
-
-	key, _, _, rest, err := ParseAuthorizedKey(authKeyBytes)
-	if err != nil {
-		t.Fatalf("ParseAuthorizedKey: %v", err)
-	}
-	if len(rest) > 0 {
-		t.Errorf("rest: got %q, want empty", rest)
-	}
-
-	if _, ok := key.(*Certificate); !ok {
-		t.Fatalf("got %v (%T), want *Certificate", key, key)
-	}
-
-	marshaled := MarshalAuthorizedKey(key)
-	// Before comparison, remove the trailing newline that
-	// MarshalAuthorizedKey adds.
-	marshaled = marshaled[:len(marshaled)-1]
-	if !bytes.Equal(authKeyBytes, marshaled) {
-		t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, authKeyBytes)
-	}
-}
-
-// Cert generated by ssh-keygen OpenSSH_6.8p1 OS X 10.10.3
-// % ssh-keygen -s ca -I testcert -O source-address=192.168.1.0/24 -O force-command=/bin/sleep user.pub
-// user.pub key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDACh1rt2DXfV3hk6fszSQcQ/rueMId0kVD9U7nl8cfEnFxqOCrNT92g4laQIGl2mn8lsGZfTLg8ksHq3gkvgO3oo/0wHy4v32JeBOHTsN5AL4gfHNEhWeWb50ev47hnTsRIt9P4dxogeUo/hTu7j9+s9lLpEQXCvq6xocXQt0j8MV9qZBBXFLXVT3cWIkSqOdwt/5ZBg+1GSrc7WfCXVWgTk4a20uPMuJPxU4RQwZW6X3+O8Pqo8C3cW0OzZRFP6gUYUKUsTI5WntlS+LAxgw1mZNsozFGdbiOPRnEryE3SRldh9vjDR3tin1fGpA5P7+CEB/bqaXtG3V+F2OkqaMN
-// Critical Options:
-//         force-command /bin/sleep
-//         source-address 192.168.1.0/24
-// Extensions:
-//         permit-X11-forwarding
-//         permit-agent-forwarding
-//         permit-port-forwarding
-//         permit-pty
-//         permit-user-rc
-const exampleSSHCertWithOptions = `ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgDyysCJY0XrO1n03EeRRoITnTPdjENFmWDs9X58PP3VUAAAADAQABAAABAQDACh1rt2DXfV3hk6fszSQcQ/rueMId0kVD9U7nl8cfEnFxqOCrNT92g4laQIGl2mn8lsGZfTLg8ksHq3gkvgO3oo/0wHy4v32JeBOHTsN5AL4gfHNEhWeWb50ev47hnTsRIt9P4dxogeUo/hTu7j9+s9lLpEQXCvq6xocXQt0j8MV9qZBBXFLXVT3cWIkSqOdwt/5ZBg+1GSrc7WfCXVWgTk4a20uPMuJPxU4RQwZW6X3+O8Pqo8C3cW0OzZRFP6gUYUKUsTI5WntlS+LAxgw1mZNsozFGdbiOPRnEryE3SRldh9vjDR3tin1fGpA5P7+CEB/bqaXtG3V+F2OkqaMNAAAAAAAAAAAAAAABAAAACHRlc3RjZXJ0AAAAAAAAAAAAAAAA//////////8AAABLAAAADWZvcmNlLWNvbW1hbmQAAAAOAAAACi9iaW4vc2xlZXAAAAAOc291cmNlLWFkZHJlc3MAAAASAAAADjE5Mi4xNjguMS4wLzI0AAAAggAAABVwZXJtaXQtWDExLWZvcndhcmRpbmcAAAAAAAAAF3Blcm1pdC1hZ2VudC1mb3J3YXJkaW5nAAAAAAAAABZwZXJtaXQtcG9ydC1mb3J3YXJkaW5nAAAAAAAAAApwZXJtaXQtcHR5AAAAAAAAAA5wZXJtaXQtdXNlci1yYwAAAAAAAAAAAAABFwAAAAdzc2gtcnNhAAAAAwEAAQAAAQEAwU+c5ui5A8+J/CFpjW8wCa52bEODA808WWQDCSuTG/eMXNf59v9Y8Pk0F1E9dGCosSNyVcB/hacUrc6He+i97+HJCyKavBsE6GDxrjRyxYqAlfcOXi/IVmaUGiO8OQ39d4GHrjToInKvExSUeleQyH4Y4/e27T/pILAqPFL3fyrvMLT5qU9QyIt6zIpa7GBP5+urouNavMprV3zsfIqNBbWypinOQAw823a5wN+zwXnhZrgQiHZ/USG09Y6k98y1dTVz8YHlQVR4D3lpTAsKDKJ5hCH9WU4fdf+lU8OyNGaJ/vz0XNqxcToe1l4numLTnaoSuH89pHryjqurB7lJKwAAAQ8AAAAHc3NoLXJzYQAAAQCaHvUIoPL1zWUHIXLvu96/HU1s/i4CAW2IIEuGgxCUCiFj6vyTyYtgxQxcmbfZf6eaITlS6XJZa7Qq4iaFZh75C1DXTX8labXhRSD4E2t//AIP9MC1rtQC5xo6FmbQ+BoKcDskr+mNACcbRSxs3IL3bwCfWDnIw2WbVox9ZdcthJKk4UoCW4ix4QwdHw7zlddlz++fGEEVhmTbll1SUkycGApPFBsAYRTMupUJcYPIeReBI/m8XfkoMk99bV8ZJQTAd7OekHY2/48Ff53jLmyDjP7kNw1F8OaPtkFs6dGJXta4krmaekPy87j+35In5hFj7yoOqvSbmYUkeX70/GGQ`
-
-func TestParseCertWithOptions(t *testing.T) {
-	opts := map[string]string{
-		"source-address": "192.168.1.0/24",
-		"force-command":  "/bin/sleep",
-	}
-	exts := map[string]string{
-		"permit-X11-forwarding":   "",
-		"permit-agent-forwarding": "",
-		"permit-port-forwarding":  "",
-		"permit-pty":              "",
-		"permit-user-rc":          "",
-	}
-	authKeyBytes := []byte(exampleSSHCertWithOptions)
-
-	key, _, _, rest, err := ParseAuthorizedKey(authKeyBytes)
-	if err != nil {
-		t.Fatalf("ParseAuthorizedKey: %v", err)
-	}
-	if len(rest) > 0 {
-		t.Errorf("rest: got %q, want empty", rest)
-	}
-	cert, ok := key.(*Certificate)
-	if !ok {
-		t.Fatalf("got %v (%T), want *Certificate", key, key)
-	}
-	if !reflect.DeepEqual(cert.CriticalOptions, opts) {
-		t.Errorf("unexpected critical options - got %v, want %v", cert.CriticalOptions, opts)
-	}
-	if !reflect.DeepEqual(cert.Extensions, exts) {
-		t.Errorf("unexpected Extensions - got %v, want %v", cert.Extensions, exts)
-	}
-	marshaled := MarshalAuthorizedKey(key)
-	// Before comparison, remove the trailing newline that
-	// MarshalAuthorizedKey adds.
-	marshaled = marshaled[:len(marshaled)-1]
-	if !bytes.Equal(authKeyBytes, marshaled) {
-		t.Errorf("marshaled certificate does not match original: got %q, want %q", marshaled, authKeyBytes)
-	}
-}
-
-func TestValidateCert(t *testing.T) {
-	key, _, _, _, err := ParseAuthorizedKey([]byte(exampleSSHCert))
-	if err != nil {
-		t.Fatalf("ParseAuthorizedKey: %v", err)
-	}
-	validCert, ok := key.(*Certificate)
-	if !ok {
-		t.Fatalf("got %v (%T), want *Certificate", key, key)
-	}
-	checker := CertChecker{}
-	checker.IsAuthority = func(k PublicKey) bool {
-		return bytes.Equal(k.Marshal(), validCert.SignatureKey.Marshal())
-	}
-
-	if err := checker.CheckCert("user", validCert); err != nil {
-		t.Errorf("Unable to validate certificate: %v", err)
-	}
-	invalidCert := &Certificate{
-		Key:          testPublicKeys["rsa"],
-		SignatureKey: testPublicKeys["ecdsa"],
-		ValidBefore:  CertTimeInfinity,
-		Signature:    &Signature{},
-	}
-	if err := checker.CheckCert("user", invalidCert); err == nil {
-		t.Error("Invalid cert signature passed validation")
-	}
-}
-
-func TestValidateCertTime(t *testing.T) {
-	cert := Certificate{
-		ValidPrincipals: []string{"user"},
-		Key:             testPublicKeys["rsa"],
-		ValidAfter:      50,
-		ValidBefore:     100,
-	}
-
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-
-	for ts, ok := range map[int64]bool{
-		25:  false,
-		50:  true,
-		99:  true,
-		100: false,
-		125: false,
-	} {
-		checker := CertChecker{
-			Clock: func() time.Time { return time.Unix(ts, 0) },
-		}
-		checker.IsAuthority = func(k PublicKey) bool {
-			return bytes.Equal(k.Marshal(),
-				testPublicKeys["ecdsa"].Marshal())
-		}
-
-		if v := checker.CheckCert("user", &cert); (v == nil) != ok {
-			t.Errorf("Authenticate(%d): %v", ts, v)
-		}
-	}
-}
-
-// TODO(hanwen): tests for
-//
-// host keys:
-// * fallbacks
-
-func TestHostKeyCert(t *testing.T) {
-	cert := &Certificate{
-		ValidPrincipals: []string{"hostname", "hostname.domain"},
-		Key:             testPublicKeys["rsa"],
-		ValidBefore:     CertTimeInfinity,
-		CertType:        HostCert,
-	}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-
-	checker := &CertChecker{
-		IsAuthority: func(p PublicKey) bool {
-			return bytes.Equal(testPublicKeys["ecdsa"].Marshal(), p.Marshal())
-		},
-	}
-
-	certSigner, err := NewCertSigner(cert, testSigners["rsa"])
-	if err != nil {
-		t.Errorf("NewCertSigner: %v", err)
-	}
-
-	for _, name := range []string{"hostname", "otherhost"} {
-		c1, c2, err := netPipe()
-		if err != nil {
-			t.Fatalf("netPipe: %v", err)
-		}
-		defer c1.Close()
-		defer c2.Close()
-
-		errc := make(chan error)
-
-		go func() {
-			conf := ServerConfig{
-				NoClientAuth: true,
-			}
-			conf.AddHostKey(certSigner)
-			_, _, _, err := NewServerConn(c1, &conf)
-			errc <- err
-		}()
-
-		config := &ClientConfig{
-			User:            "user",
-			HostKeyCallback: checker.CheckHostKey,
-		}
-		_, _, _, err = NewClientConn(c2, name, config)
-
-		succeed := name == "hostname"
-		if (err == nil) != succeed {
-			t.Fatalf("NewClientConn(%q): %v", name, err)
-		}
-
-		err = <-errc
-		if (err == nil) != succeed {
-			t.Fatalf("NewServerConn(%q): %v", name, err)
-		}
-	}
-}

vendor/golang.org/x/crypto/ssh/channel.go

@@ -461,8 +461,8 @@ func (m *mux) newChannel(chanType string, direction channelDirection, extraData
 		pending:          newBuffer(),
 		extPending:       newBuffer(),
 		direction:        direction,
-		incomingRequests: make(chan *Request, 16),
-		msg:              make(chan interface{}, 16),
+		incomingRequests: make(chan *Request, chanSize),
+		msg:              make(chan interface{}, chanSize),
 		chanType:         chanType,
 		extraData:        extraData,
 		mux:              m,

vendor/golang.org/x/crypto/ssh/cipher.go

@@ -135,6 +135,7 @@ const prefixLen = 5
 type streamPacketCipher struct {
 	mac    hash.Hash
 	cipher cipher.Stream
+	etm    bool
 
 	// The following members are to avoid per-packet allocations.
 	prefix      [prefixLen]byte
@@ -150,7 +151,14 @@ func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, err
 		return nil, err
 	}
 
-	s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
+	var encryptedPaddingLength [1]byte
+	if s.mac != nil && s.etm {
+		copy(encryptedPaddingLength[:], s.prefix[4:5])
+		s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
+	} else {
+		s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
+	}
+
 	length := binary.BigEndian.Uint32(s.prefix[0:4])
 	paddingLength := uint32(s.prefix[4])
 
@@ -159,7 +167,12 @@ func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, err
 		s.mac.Reset()
 		binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
 		s.mac.Write(s.seqNumBytes[:])
-		s.mac.Write(s.prefix[:])
+		if s.etm {
+			s.mac.Write(s.prefix[:4])
+			s.mac.Write(encryptedPaddingLength[:])
+		} else {
+			s.mac.Write(s.prefix[:])
+		}
 		macSize = uint32(s.mac.Size())
 	}
 
@@ -184,10 +197,17 @@ func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, err
 	}
 	mac := s.packetData[length-1:]
 	data := s.packetData[:length-1]
+
+	if s.mac != nil && s.etm {
+		s.mac.Write(data)
+	}
+
 	s.cipher.XORKeyStream(data, data)
 
 	if s.mac != nil {
-		s.mac.Write(data)
+		if !s.etm {
+			s.mac.Write(data)
+		}
 		s.macResult = s.mac.Sum(s.macResult[:0])
 		if subtle.ConstantTimeCompare(s.macResult, mac) != 1 {
 			return nil, errors.New("ssh: MAC failure")
@@ -203,7 +223,13 @@ func (s *streamPacketCipher) writePacket(seqNum uint32, w io.Writer, rand io.Rea
 		return errors.New("ssh: packet too large")
 	}
 
-	paddingLength := packetSizeMultiple - (prefixLen+len(packet))%packetSizeMultiple
+	aadlen := 0
+	if s.mac != nil && s.etm {
+		// packet length is not encrypted for EtM modes
+		aadlen = 4
+	}
+
+	paddingLength := packetSizeMultiple - (prefixLen+len(packet)-aadlen)%packetSizeMultiple
 	if paddingLength < 4 {
 		paddingLength += packetSizeMultiple
 	}
@@ -220,15 +246,37 @@ func (s *streamPacketCipher) writePacket(seqNum uint32, w io.Writer, rand io.Rea
 		s.mac.Reset()
 		binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
 		s.mac.Write(s.seqNumBytes[:])
+
+		if s.etm {
+			// For EtM algorithms, the packet length must stay unencrypted,
+			// but the following data (padding length) must be encrypted
+			s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
+		}
+
 		s.mac.Write(s.prefix[:])
+
+		if !s.etm {
+			// For non-EtM algorithms, the algorithm is applied on unencrypted data
+			s.mac.Write(packet)
+			s.mac.Write(padding)
+		}
+	}
+
+	if !(s.mac != nil && s.etm) {
+		// For EtM algorithms, the padding length has already been encrypted
+		// and the packet length must remain unencrypted
+		s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
+	}
+
+	s.cipher.XORKeyStream(packet, packet)
+	s.cipher.XORKeyStream(padding, padding)
+
+	if s.mac != nil && s.etm {
+		// For EtM algorithms, packet and padding must be encrypted
 		s.mac.Write(packet)
 		s.mac.Write(padding)
 	}
 
-	s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
-	s.cipher.XORKeyStream(packet, packet)
-	s.cipher.XORKeyStream(padding, padding)
-
 	if _, err := w.Write(s.prefix[:]); err != nil {
 		return err
 	}

vendor/golang.org/x/crypto/ssh/cipher_test.go

@@ -1,127 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/aes"
-	"crypto/rand"
-	"testing"
-)
-
-func TestDefaultCiphersExist(t *testing.T) {
-	for _, cipherAlgo := range supportedCiphers {
-		if _, ok := cipherModes[cipherAlgo]; !ok {
-			t.Errorf("default cipher %q is unknown", cipherAlgo)
-		}
-	}
-}
-
-func TestPacketCiphers(t *testing.T) {
-	// Still test aes128cbc cipher although it's commented out.
-	cipherModes[aes128cbcID] = &streamCipherMode{16, aes.BlockSize, 0, nil}
-	defer delete(cipherModes, aes128cbcID)
-
-	for cipher := range cipherModes {
-		kr := &kexResult{Hash: crypto.SHA1}
-		algs := directionAlgorithms{
-			Cipher:      cipher,
-			MAC:         "hmac-sha1",
-			Compression: "none",
-		}
-		client, err := newPacketCipher(clientKeys, algs, kr)
-		if err != nil {
-			t.Errorf("newPacketCipher(client, %q): %v", cipher, err)
-			continue
-		}
-		server, err := newPacketCipher(clientKeys, algs, kr)
-		if err != nil {
-			t.Errorf("newPacketCipher(client, %q): %v", cipher, err)
-			continue
-		}
-
-		want := "bla bla"
-		input := []byte(want)
-		buf := &bytes.Buffer{}
-		if err := client.writePacket(0, buf, rand.Reader, input); err != nil {
-			t.Errorf("writePacket(%q): %v", cipher, err)
-			continue
-		}
-
-		packet, err := server.readPacket(0, buf)
-		if err != nil {
-			t.Errorf("readPacket(%q): %v", cipher, err)
-			continue
-		}
-
-		if string(packet) != want {
-			t.Errorf("roundtrip(%q): got %q, want %q", cipher, packet, want)
-		}
-	}
-}
-
-func TestCBCOracleCounterMeasure(t *testing.T) {
-	cipherModes[aes128cbcID] = &streamCipherMode{16, aes.BlockSize, 0, nil}
-	defer delete(cipherModes, aes128cbcID)
-
-	kr := &kexResult{Hash: crypto.SHA1}
-	algs := directionAlgorithms{
-		Cipher:      aes128cbcID,
-		MAC:         "hmac-sha1",
-		Compression: "none",
-	}
-	client, err := newPacketCipher(clientKeys, algs, kr)
-	if err != nil {
-		t.Fatalf("newPacketCipher(client): %v", err)
-	}
-
-	want := "bla bla"
-	input := []byte(want)
-	buf := &bytes.Buffer{}
-	if err := client.writePacket(0, buf, rand.Reader, input); err != nil {
-		t.Errorf("writePacket: %v", err)
-	}
-
-	packetSize := buf.Len()
-	buf.Write(make([]byte, 2*maxPacket))
-
-	// We corrupt each byte, but this usually will only test the
-	// 'packet too large' or 'MAC failure' cases.
-	lastRead := -1
-	for i := 0; i < packetSize; i++ {
-		server, err := newPacketCipher(clientKeys, algs, kr)
-		if err != nil {
-			t.Fatalf("newPacketCipher(client): %v", err)
-		}
-
-		fresh := &bytes.Buffer{}
-		fresh.Write(buf.Bytes())
-		fresh.Bytes()[i] ^= 0x01
-
-		before := fresh.Len()
-		_, err = server.readPacket(0, fresh)
-		if err == nil {
-			t.Errorf("corrupt byte %d: readPacket succeeded ", i)
-			continue
-		}
-		if _, ok := err.(cbcError); !ok {
-			t.Errorf("corrupt byte %d: got %v (%T), want cbcError", i, err, err)
-			continue
-		}
-
-		after := fresh.Len()
-		bytesRead := before - after
-		if bytesRead < maxPacket {
-			t.Errorf("corrupt byte %d: read %d bytes, want more than %d", i, bytesRead, maxPacket)
-			continue
-		}
-
-		if i > 0 && bytesRead != lastRead {
-			t.Errorf("corrupt byte %d: read %d bytes, want %d bytes read", i, bytesRead, lastRead)
-		}
-		lastRead = bytesRead
-	}
-}

vendor/golang.org/x/crypto/ssh/client.go

@@ -40,7 +40,7 @@ func (c *Client) HandleChannelOpen(channelType string) <-chan NewChannel {
 		return nil
 	}
 
-	ch = make(chan NewChannel, 16)
+	ch = make(chan NewChannel, chanSize)
 	c.channelHandlers[channelType] = ch
 	return ch
 }
@@ -97,13 +97,11 @@ func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) e
 	c.transport = newClientTransport(
 		newTransport(c.sshConn.conn, config.Rand, true /* is client */),
 		c.clientVersion, c.serverVersion, config, dialAddress, c.sshConn.RemoteAddr())
-	if err := c.transport.requestInitialKeyChange(); err != nil {
+	if err := c.transport.waitSession(); err != nil {
 		return err
 	}
 
-	// We just did the key change, so the session ID is established.
 	c.sessionID = c.transport.getSessionID()
-
 	return c.clientAuthenticate(config)
 }
 

vendor/golang.org/x/crypto/ssh/client_auth.go

@@ -30,8 +30,10 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	// then any untried methods suggested by the server.
 	tried := make(map[string]bool)
 	var lastMethods []string
+
+	sessionID := c.transport.getSessionID()
 	for auth := AuthMethod(new(noneAuth)); auth != nil; {
-		ok, methods, err := auth.auth(c.transport.getSessionID(), config.User, c.transport, config.Rand)
+		ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand)
 		if err != nil {
 			return err
 		}

vendor/golang.org/x/crypto/ssh/client_auth_test.go

@@ -1,472 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/rand"
-	"errors"
-	"fmt"
-	"os"
-	"strings"
-	"testing"
-)
-
-type keyboardInteractive map[string]string
-
-func (cr keyboardInteractive) Challenge(user string, instruction string, questions []string, echos []bool) ([]string, error) {
-	var answers []string
-	for _, q := range questions {
-		answers = append(answers, cr[q])
-	}
-	return answers, nil
-}
-
-// reused internally by tests
-var clientPassword = "tiger"
-
-// tryAuth runs a handshake with a given config against an SSH server
-// with config serverConfig
-func tryAuth(t *testing.T, config *ClientConfig) error {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	certChecker := CertChecker{
-		IsAuthority: func(k PublicKey) bool {
-			return bytes.Equal(k.Marshal(), testPublicKeys["ecdsa"].Marshal())
-		},
-		UserKeyFallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
-			if conn.User() == "testuser" && bytes.Equal(key.Marshal(), testPublicKeys["rsa"].Marshal()) {
-				return nil, nil
-			}
-
-			return nil, fmt.Errorf("pubkey for %q not acceptable", conn.User())
-		},
-		IsRevoked: func(c *Certificate) bool {
-			return c.Serial == 666
-		},
-	}
-
-	serverConfig := &ServerConfig{
-		PasswordCallback: func(conn ConnMetadata, pass []byte) (*Permissions, error) {
-			if conn.User() == "testuser" && string(pass) == clientPassword {
-				return nil, nil
-			}
-			return nil, errors.New("password auth failed")
-		},
-		PublicKeyCallback: certChecker.Authenticate,
-		KeyboardInteractiveCallback: func(conn ConnMetadata, challenge KeyboardInteractiveChallenge) (*Permissions, error) {
-			ans, err := challenge("user",
-				"instruction",
-				[]string{"question1", "question2"},
-				[]bool{true, true})
-			if err != nil {
-				return nil, err
-			}
-			ok := conn.User() == "testuser" && ans[0] == "answer1" && ans[1] == "answer2"
-			if ok {
-				challenge("user", "motd", nil, nil)
-				return nil, nil
-			}
-			return nil, errors.New("keyboard-interactive failed")
-		},
-		AuthLogCallback: func(conn ConnMetadata, method string, err error) {
-			t.Logf("user %q, method %q: %v", conn.User(), method, err)
-		},
-	}
-	serverConfig.AddHostKey(testSigners["rsa"])
-
-	go newServer(c1, serverConfig)
-	_, _, _, err = NewClientConn(c2, "", config)
-	return err
-}
-
-func TestClientAuthPublicKey(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["rsa"]),
-		},
-	}
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-func TestAuthMethodPassword(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			Password(clientPassword),
-		},
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-func TestAuthMethodFallback(t *testing.T) {
-	var passwordCalled bool
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["rsa"]),
-			PasswordCallback(
-				func() (string, error) {
-					passwordCalled = true
-					return "WRONG", nil
-				}),
-		},
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-
-	if passwordCalled {
-		t.Errorf("password auth tried before public-key auth.")
-	}
-}
-
-func TestAuthMethodWrongPassword(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			Password("wrong"),
-			PublicKeys(testSigners["rsa"]),
-		},
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-func TestAuthMethodKeyboardInteractive(t *testing.T) {
-	answers := keyboardInteractive(map[string]string{
-		"question1": "answer1",
-		"question2": "answer2",
-	})
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			KeyboardInteractive(answers.Challenge),
-		},
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-func TestAuthMethodWrongKeyboardInteractive(t *testing.T) {
-	answers := keyboardInteractive(map[string]string{
-		"question1": "answer1",
-		"question2": "WRONG",
-	})
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			KeyboardInteractive(answers.Challenge),
-		},
-	}
-
-	if err := tryAuth(t, config); err == nil {
-		t.Fatalf("wrong answers should not have authenticated with KeyboardInteractive")
-	}
-}
-
-// the mock server will only authenticate ssh-rsa keys
-func TestAuthMethodInvalidPublicKey(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["dsa"]),
-		},
-	}
-
-	if err := tryAuth(t, config); err == nil {
-		t.Fatalf("dsa private key should not have authenticated with rsa public key")
-	}
-}
-
-// the client should authenticate with the second key
-func TestAuthMethodRSAandDSA(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["dsa"], testSigners["rsa"]),
-		},
-	}
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("client could not authenticate with rsa key: %v", err)
-	}
-}
-
-func TestClientHMAC(t *testing.T) {
-	for _, mac := range supportedMACs {
-		config := &ClientConfig{
-			User: "testuser",
-			Auth: []AuthMethod{
-				PublicKeys(testSigners["rsa"]),
-			},
-			Config: Config{
-				MACs: []string{mac},
-			},
-		}
-		if err := tryAuth(t, config); err != nil {
-			t.Fatalf("client could not authenticate with mac algo %s: %v", mac, err)
-		}
-	}
-}
-
-// issue 4285.
-func TestClientUnsupportedCipher(t *testing.T) {
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(),
-		},
-		Config: Config{
-			Ciphers: []string{"aes128-cbc"}, // not currently supported
-		},
-	}
-	if err := tryAuth(t, config); err == nil {
-		t.Errorf("expected no ciphers in common")
-	}
-}
-
-func TestClientUnsupportedKex(t *testing.T) {
-	if os.Getenv("GO_BUILDER_NAME") != "" {
-		t.Skip("skipping known-flaky test on the Go build dashboard; see golang.org/issue/15198")
-	}
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			PublicKeys(),
-		},
-		Config: Config{
-			KeyExchanges: []string{"diffie-hellman-group-exchange-sha256"}, // not currently supported
-		},
-	}
-	if err := tryAuth(t, config); err == nil || !strings.Contains(err.Error(), "common algorithm") {
-		t.Errorf("got %v, expected 'common algorithm'", err)
-	}
-}
-
-func TestClientLoginCert(t *testing.T) {
-	cert := &Certificate{
-		Key:         testPublicKeys["rsa"],
-		ValidBefore: CertTimeInfinity,
-		CertType:    UserCert,
-	}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	certSigner, err := NewCertSigner(cert, testSigners["rsa"])
-	if err != nil {
-		t.Fatalf("NewCertSigner: %v", err)
-	}
-
-	clientConfig := &ClientConfig{
-		User: "user",
-	}
-	clientConfig.Auth = append(clientConfig.Auth, PublicKeys(certSigner))
-
-	t.Log("should succeed")
-	if err := tryAuth(t, clientConfig); err != nil {
-		t.Errorf("cert login failed: %v", err)
-	}
-
-	t.Log("corrupted signature")
-	cert.Signature.Blob[0]++
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with corrupted sig")
-	}
-
-	t.Log("revoked")
-	cert.Serial = 666
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("revoked cert login succeeded")
-	}
-	cert.Serial = 1
-
-	t.Log("sign with wrong key")
-	cert.SignCert(rand.Reader, testSigners["dsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with non-authoritative key")
-	}
-
-	t.Log("host cert")
-	cert.CertType = HostCert
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with wrong type")
-	}
-	cert.CertType = UserCert
-
-	t.Log("principal specified")
-	cert.ValidPrincipals = []string{"user"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err != nil {
-		t.Errorf("cert login failed: %v", err)
-	}
-
-	t.Log("wrong principal specified")
-	cert.ValidPrincipals = []string{"fred"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with wrong principal")
-	}
-	cert.ValidPrincipals = nil
-
-	t.Log("added critical option")
-	cert.CriticalOptions = map[string]string{"root-access": "yes"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login passed with unrecognized critical option")
-	}
-
-	t.Log("allowed source address")
-	cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42/24"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err != nil {
-		t.Errorf("cert login with source-address failed: %v", err)
-	}
-
-	t.Log("disallowed source address")
-	cert.CriticalOptions = map[string]string{"source-address": "127.0.0.42"}
-	cert.SignCert(rand.Reader, testSigners["ecdsa"])
-	if err := tryAuth(t, clientConfig); err == nil {
-		t.Errorf("cert login with source-address succeeded")
-	}
-}
-
-func testPermissionsPassing(withPermissions bool, t *testing.T) {
-	serverConfig := &ServerConfig{
-		PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
-			if conn.User() == "nopermissions" {
-				return nil, nil
-			} else {
-				return &Permissions{}, nil
-			}
-		},
-	}
-	serverConfig.AddHostKey(testSigners["rsa"])
-
-	clientConfig := &ClientConfig{
-		Auth: []AuthMethod{
-			PublicKeys(testSigners["rsa"]),
-		},
-	}
-	if withPermissions {
-		clientConfig.User = "permissions"
-	} else {
-		clientConfig.User = "nopermissions"
-	}
-
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	go NewClientConn(c2, "", clientConfig)
-	serverConn, err := newServer(c1, serverConfig)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if p := serverConn.Permissions; (p != nil) != withPermissions {
-		t.Fatalf("withPermissions is %t, but Permissions object is %#v", withPermissions, p)
-	}
-}
-
-func TestPermissionsPassing(t *testing.T) {
-	testPermissionsPassing(true, t)
-}
-
-func TestNoPermissionsPassing(t *testing.T) {
-	testPermissionsPassing(false, t)
-}
-
-func TestRetryableAuth(t *testing.T) {
-	n := 0
-	passwords := []string{"WRONG1", "WRONG2"}
-
-	config := &ClientConfig{
-		User: "testuser",
-		Auth: []AuthMethod{
-			RetryableAuthMethod(PasswordCallback(func() (string, error) {
-				p := passwords[n]
-				n++
-				return p, nil
-			}), 2),
-			PublicKeys(testSigners["rsa"]),
-		},
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-	if n != 2 {
-		t.Fatalf("Did not try all passwords")
-	}
-}
-
-func ExampleRetryableAuthMethod(t *testing.T) {
-	user := "testuser"
-	NumberOfPrompts := 3
-
-	// Normally this would be a callback that prompts the user to answer the
-	// provided questions
-	Cb := func(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
-		return []string{"answer1", "answer2"}, nil
-	}
-
-	config := &ClientConfig{
-		User: user,
-		Auth: []AuthMethod{
-			RetryableAuthMethod(KeyboardInteractiveChallenge(Cb), NumberOfPrompts),
-		},
-	}
-
-	if err := tryAuth(t, config); err != nil {
-		t.Fatalf("unable to dial remote side: %s", err)
-	}
-}
-
-// Test if username is received on server side when NoClientAuth is used
-func TestClientAuthNone(t *testing.T) {
-	user := "testuser"
-	serverConfig := &ServerConfig{
-		NoClientAuth: true,
-	}
-	serverConfig.AddHostKey(testSigners["rsa"])
-
-	clientConfig := &ClientConfig{
-		User: user,
-	}
-
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	go NewClientConn(c2, "", clientConfig)
-	serverConn, err := newServer(c1, serverConfig)
-	if err != nil {
-		t.Fatalf("newServer: %v", err)
-	}
-	if serverConn.User() != user {
-		t.Fatalf("server: got %q, want %q", serverConn.User(), user)
-	}
-}

vendor/golang.org/x/crypto/ssh/client_test.go

@@ -1,39 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"net"
-	"testing"
-)
-
-func testClientVersion(t *testing.T, config *ClientConfig, expected string) {
-	clientConn, serverConn := net.Pipe()
-	defer clientConn.Close()
-	receivedVersion := make(chan string, 1)
-	go func() {
-		version, err := readVersion(serverConn)
-		if err != nil {
-			receivedVersion <- ""
-		} else {
-			receivedVersion <- string(version)
-		}
-		serverConn.Close()
-	}()
-	NewClientConn(clientConn, "", config)
-	actual := <-receivedVersion
-	if actual != expected {
-		t.Fatalf("got %s; want %s", actual, expected)
-	}
-}
-
-func TestCustomClientVersion(t *testing.T) {
-	version := "Test-Client-Version-0.0"
-	testClientVersion(t, &ClientConfig{ClientVersion: version}, version)
-}
-
-func TestDefaultClientVersion(t *testing.T) {
-	testClientVersion(t, &ClientConfig{}, packageVersion)
-}

vendor/golang.org/x/crypto/ssh/common.go

@@ -56,7 +56,7 @@ var supportedHostKeyAlgos = []string{
 // This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
 // because they have reached the end of their useful life.
 var supportedMACs = []string{
-	"hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
+	"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
 }
 
 var supportedCompressions = []string{compressionNone}
@@ -104,6 +104,21 @@ type directionAlgorithms struct {
 	Compression string
 }
 
+// rekeyBytes returns a rekeying intervals in bytes.
+func (a *directionAlgorithms) rekeyBytes() int64 {
+	// According to RFC4344 block ciphers should rekey after
+	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
+	// 128.
+	switch a.Cipher {
+	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
+		return 16 * (1 << 32)
+
+	}
+
+	// For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
+	return 1 << 30
+}
+
 type algorithms struct {
 	kex     string
 	hostKey string

vendor/golang.org/x/crypto/ssh/doc.go

@@ -15,4 +15,4 @@ References:
   [PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
   [SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
 */
-package ssh // import "golang.org/x/crypto/ssh"
+package ssh

vendor/golang.org/x/crypto/ssh/example_test.go

@@ -1,262 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh_test
-
-import (
-	"bytes"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net"
-	"net/http"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/terminal"
-)
-
-func ExampleNewServerConn() {
-	// Public key authentication is done by comparing
-	// the public key of a received connection
-	// with the entries in the authorized_keys file.
-	authorizedKeysBytes, err := ioutil.ReadFile("authorized_keys")
-	if err != nil {
-		log.Fatalf("Failed to load authorized_keys, err: %v", err)
-	}
-
-	authorizedKeysMap := map[string]bool{}
-	for len(authorizedKeysBytes) > 0 {
-		pubKey, _, _, rest, err := ssh.ParseAuthorizedKey(authorizedKeysBytes)
-		if err != nil {
-			log.Fatal(err)
-		}
-
-		authorizedKeysMap[string(pubKey.Marshal())] = true
-		authorizedKeysBytes = rest
-	}
-
-	// An SSH server is represented by a ServerConfig, which holds
-	// certificate details and handles authentication of ServerConns.
-	config := &ssh.ServerConfig{
-		// Remove to disable password auth.
-		PasswordCallback: func(c ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
-			// Should use constant-time compare (or better, salt+hash) in
-			// a production setting.
-			if c.User() == "testuser" && string(pass) == "tiger" {
-				return nil, nil
-			}
-			return nil, fmt.Errorf("password rejected for %q", c.User())
-		},
-
-		// Remove to disable public key auth.
-		PublicKeyCallback: func(c ssh.ConnMetadata, pubKey ssh.PublicKey) (*ssh.Permissions, error) {
-			if authorizedKeysMap[string(pubKey.Marshal())] {
-				return nil, nil
-			}
-			return nil, fmt.Errorf("unknown public key for %q", c.User())
-		},
-	}
-
-	privateBytes, err := ioutil.ReadFile("id_rsa")
-	if err != nil {
-		log.Fatal("Failed to load private key: ", err)
-	}
-
-	private, err := ssh.ParsePrivateKey(privateBytes)
-	if err != nil {
-		log.Fatal("Failed to parse private key: ", err)
-	}
-
-	config.AddHostKey(private)
-
-	// Once a ServerConfig has been configured, connections can be
-	// accepted.
-	listener, err := net.Listen("tcp", "0.0.0.0:2022")
-	if err != nil {
-		log.Fatal("failed to listen for connection: ", err)
-	}
-	nConn, err := listener.Accept()
-	if err != nil {
-		log.Fatal("failed to accept incoming connection: ", err)
-	}
-
-	// Before use, a handshake must be performed on the incoming
-	// net.Conn.
-	_, chans, reqs, err := ssh.NewServerConn(nConn, config)
-	if err != nil {
-		log.Fatal("failed to handshake: ", err)
-	}
-	// The incoming Request channel must be serviced.
-	go ssh.DiscardRequests(reqs)
-
-	// Service the incoming Channel channel.
-
-	// Service the incoming Channel channel.
-	for newChannel := range chans {
-		// Channels have a type, depending on the application level
-		// protocol intended. In the case of a shell, the type is
-		// "session" and ServerShell may be used to present a simple
-		// terminal interface.
-		if newChannel.ChannelType() != "session" {
-			newChannel.Reject(ssh.UnknownChannelType, "unknown channel type")
-			continue
-		}
-		channel, requests, err := newChannel.Accept()
-		if err != nil {
-			log.Fatalf("Could not accept channel: %v", err)
-		}
-
-		// Sessions have out-of-band requests such as "shell",
-		// "pty-req" and "env".  Here we handle only the
-		// "shell" request.
-		go func(in <-chan *ssh.Request) {
-			for req := range in {
-				req.Reply(req.Type == "shell", nil)
-			}
-		}(requests)
-
-		term := terminal.NewTerminal(channel, "> ")
-
-		go func() {
-			defer channel.Close()
-			for {
-				line, err := term.ReadLine()
-				if err != nil {
-					break
-				}
-				fmt.Println(line)
-			}
-		}()
-	}
-}
-
-func ExampleDial() {
-	// An SSH client is represented with a ClientConn.
-	//
-	// To authenticate with the remote server you must pass at least one
-	// implementation of AuthMethod via the Auth field in ClientConfig.
-	config := &ssh.ClientConfig{
-		User: "username",
-		Auth: []ssh.AuthMethod{
-			ssh.Password("yourpassword"),
-		},
-	}
-	client, err := ssh.Dial("tcp", "yourserver.com:22", config)
-	if err != nil {
-		log.Fatal("Failed to dial: ", err)
-	}
-
-	// Each ClientConn can support multiple interactive sessions,
-	// represented by a Session.
-	session, err := client.NewSession()
-	if err != nil {
-		log.Fatal("Failed to create session: ", err)
-	}
-	defer session.Close()
-
-	// Once a Session is created, you can execute a single command on
-	// the remote side using the Run method.
-	var b bytes.Buffer
-	session.Stdout = &b
-	if err := session.Run("/usr/bin/whoami"); err != nil {
-		log.Fatal("Failed to run: " + err.Error())
-	}
-	fmt.Println(b.String())
-}
-
-func ExamplePublicKeys() {
-	// A public key may be used to authenticate against the remote
-	// server by using an unencrypted PEM-encoded private key file.
-	//
-	// If you have an encrypted private key, the crypto/x509 package
-	// can be used to decrypt it.
-	key, err := ioutil.ReadFile("/home/user/.ssh/id_rsa")
-	if err != nil {
-		log.Fatalf("unable to read private key: %v", err)
-	}
-
-	// Create the Signer for this private key.
-	signer, err := ssh.ParsePrivateKey(key)
-	if err != nil {
-		log.Fatalf("unable to parse private key: %v", err)
-	}
-
-	config := &ssh.ClientConfig{
-		User: "user",
-		Auth: []ssh.AuthMethod{
-			// Use the PublicKeys method for remote authentication.
-			ssh.PublicKeys(signer),
-		},
-	}
-
-	// Connect to the remote server and perform the SSH handshake.
-	client, err := ssh.Dial("tcp", "host.com:22", config)
-	if err != nil {
-		log.Fatalf("unable to connect: %v", err)
-	}
-	defer client.Close()
-}
-
-func ExampleClient_Listen() {
-	config := &ssh.ClientConfig{
-		User: "username",
-		Auth: []ssh.AuthMethod{
-			ssh.Password("password"),
-		},
-	}
-	// Dial your ssh server.
-	conn, err := ssh.Dial("tcp", "localhost:22", config)
-	if err != nil {
-		log.Fatal("unable to connect: ", err)
-	}
-	defer conn.Close()
-
-	// Request the remote side to open port 8080 on all interfaces.
-	l, err := conn.Listen("tcp", "0.0.0.0:8080")
-	if err != nil {
-		log.Fatal("unable to register tcp forward: ", err)
-	}
-	defer l.Close()
-
-	// Serve HTTP with your SSH server acting as a reverse proxy.
-	http.Serve(l, http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-		fmt.Fprintf(resp, "Hello world!\n")
-	}))
-}
-
-func ExampleSession_RequestPty() {
-	// Create client config
-	config := &ssh.ClientConfig{
-		User: "username",
-		Auth: []ssh.AuthMethod{
-			ssh.Password("password"),
-		},
-	}
-	// Connect to ssh server
-	conn, err := ssh.Dial("tcp", "localhost:22", config)
-	if err != nil {
-		log.Fatal("unable to connect: ", err)
-	}
-	defer conn.Close()
-	// Create a session
-	session, err := conn.NewSession()
-	if err != nil {
-		log.Fatal("unable to create session: ", err)
-	}
-	defer session.Close()
-	// Set up terminal modes
-	modes := ssh.TerminalModes{
-		ssh.ECHO:          0,     // disable echoing
-		ssh.TTY_OP_ISPEED: 14400, // input speed = 14.4kbaud
-		ssh.TTY_OP_OSPEED: 14400, // output speed = 14.4kbaud
-	}
-	// Request pseudo terminal
-	if err := session.RequestPty("xterm", 40, 80, modes); err != nil {
-		log.Fatal("request for pseudo terminal failed: ", err)
-	}
-	// Start remote shell
-	if err := session.Shell(); err != nil {
-		log.Fatal("failed to start shell: ", err)
-	}
-}

vendor/golang.org/x/crypto/ssh/handshake.go

@@ -19,6 +19,11 @@ import (
 // messages are wrong when using ECDH.
 const debugHandshake = false
 
+// chanSize sets the amount of buffering SSH connections. This is
+// primarily for testing: setting chanSize=0 uncovers deadlocks more
+// quickly.
+const chanSize = 16
+
 // keyingTransport is a packet based transport that supports key
 // changes. It need not be thread-safe. It should pass through
 // msgNewKeys in both directions.
@@ -53,34 +58,58 @@ type handshakeTransport struct {
 	incoming  chan []byte
 	readError error
 
+	mu             sync.Mutex
+	writeError     error
+	sentInitPacket []byte
+	sentInitMsg    *kexInitMsg
+	pendingPackets [][]byte // Used when a key exchange is in progress.
+
+	// If the read loop wants to schedule a kex, it pings this
+	// channel, and the write loop will send out a kex
+	// message.
+	requestKex chan struct{}
+
+	// If the other side requests or confirms a kex, its kexInit
+	// packet is sent here for the write loop to find it.
+	startKex chan *pendingKex
+
 	// data for host key checking
 	hostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
 	dialAddress     string
 	remoteAddr      net.Addr
 
-	readSinceKex uint64
+	// Algorithms agreed in the last key exchange.
+	algorithms *algorithms
 
-	// Protects the writing side of the connection
-	mu              sync.Mutex
-	cond            *sync.Cond
-	sentInitPacket  []byte
-	sentInitMsg     *kexInitMsg
-	writtenSinceKex uint64
-	writeError      error
+	readPacketsLeft uint32
+	readBytesLeft   int64
+
+	writePacketsLeft uint32
+	writeBytesLeft   int64
 
 	// The session ID or nil if first kex did not complete yet.
 	sessionID []byte
 }
 
+type pendingKex struct {
+	otherInit []byte
+	done      chan error
+}
+
 func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion []byte) *handshakeTransport {
 	t := &handshakeTransport{
 		conn:          conn,
 		serverVersion: serverVersion,
 		clientVersion: clientVersion,
-		incoming:      make(chan []byte, 16),
-		config:        config,
+		incoming:      make(chan []byte, chanSize),
+		requestKex:    make(chan struct{}, 1),
+		startKex:      make(chan *pendingKex, 1),
+
+		config: config,
 	}
-	t.cond = sync.NewCond(&t.mu)
+
+	// We always start with a mandatory key exchange.
+	t.requestKex <- struct{}{}
 	return t
 }
 
@@ -95,6 +124,7 @@ func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byt
 		t.hostKeyAlgorithms = supportedHostKeyAlgos
 	}
 	go t.readLoop()
+	go t.kexLoop()
 	return t
 }
 
@@ -102,6 +132,7 @@ func newServerTransport(conn keyingTransport, clientVersion, serverVersion []byt
 	t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
 	t.hostKeys = config.hostKeys
 	go t.readLoop()
+	go t.kexLoop()
 	return t
 }
 
@@ -109,6 +140,20 @@ func (t *handshakeTransport) getSessionID() []byte {
 	return t.sessionID
 }
 
+// waitSession waits for the session to be established. This should be
+// the first thing to call after instantiating handshakeTransport.
+func (t *handshakeTransport) waitSession() error {
+	p, err := t.readPacket()
+	if err != nil {
+		return err
+	}
+	if p[0] != msgNewKeys {
+		return fmt.Errorf("ssh: first packet should be msgNewKeys")
+	}
+
+	return nil
+}
+
 func (t *handshakeTransport) id() string {
 	if len(t.hostKeys) > 0 {
 		return "server"
@@ -116,6 +161,20 @@ func (t *handshakeTransport) id() string {
 	return "client"
 }
 
+func (t *handshakeTransport) printPacket(p []byte, write bool) {
+	action := "got"
+	if write {
+		action = "sent"
+	}
+
+	if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
+		log.Printf("%s %s data (packet %d bytes)", t.id(), action, len(p))
+	} else {
+		msg, err := decode(p)
+		log.Printf("%s %s %T %v (%v)", t.id(), action, msg, msg, err)
+	}
+}
+
 func (t *handshakeTransport) readPacket() ([]byte, error) {
 	p, ok := <-t.incoming
 	if !ok {
@@ -125,8 +184,10 @@ func (t *handshakeTransport) readPacket() ([]byte, error) {
 }
 
 func (t *handshakeTransport) readLoop() {
+	first := true
 	for {
-		p, err := t.readOnePacket()
+		p, err := t.readOnePacket(first)
+		first = false
 		if err != nil {
 			t.readError = err
 			close(t.incoming)
@@ -138,67 +199,204 @@ func (t *handshakeTransport) readLoop() {
 		t.incoming <- p
 	}
 
-	// If we can't read, declare the writing part dead too.
-	t.mu.Lock()
-	defer t.mu.Unlock()
-	if t.writeError == nil {
-		t.writeError = t.readError
-	}
-	t.cond.Broadcast()
+	// Stop writers too.
+	t.recordWriteError(t.readError)
+
+	// Unblock the writer should it wait for this.
+	close(t.startKex)
+
+	// Don't close t.requestKex; it's also written to from writePacket.
 }
 
-func (t *handshakeTransport) readOnePacket() ([]byte, error) {
-	if t.readSinceKex > t.config.RekeyThreshold {
-		if err := t.requestKeyChange(); err != nil {
-			return nil, err
+func (t *handshakeTransport) pushPacket(p []byte) error {
+	if debugHandshake {
+		t.printPacket(p, true)
+	}
+	return t.conn.writePacket(p)
+}
+
+func (t *handshakeTransport) getWriteError() error {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	return t.writeError
+}
+
+func (t *handshakeTransport) recordWriteError(err error) {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	if t.writeError == nil && err != nil {
+		t.writeError = err
+	}
+}
+
+func (t *handshakeTransport) requestKeyExchange() {
+	select {
+	case t.requestKex <- struct{}{}:
+	default:
+		// something already requested a kex, so do nothing.
+	}
+}
+
+func (t *handshakeTransport) kexLoop() {
+
+write:
+	for t.getWriteError() == nil {
+		var request *pendingKex
+		var sent bool
+
+		for request == nil || !sent {
+			var ok bool
+			select {
+			case request, ok = <-t.startKex:
+				if !ok {
+					break write
+				}
+			case <-t.requestKex:
+				break
+			}
+
+			if !sent {
+				if err := t.sendKexInit(); err != nil {
+					t.recordWriteError(err)
+					break
+				}
+				sent = true
+			}
 		}
+
+		if err := t.getWriteError(); err != nil {
+			if request != nil {
+				request.done <- err
+			}
+			break
+		}
+
+		// We're not servicing t.requestKex, but that is OK:
+		// we never block on sending to t.requestKex.
+
+		// We're not servicing t.startKex, but the remote end
+		// has just sent us a kexInitMsg, so it can't send
+		// another key change request, until we close the done
+		// channel on the pendingKex request.
+
+		err := t.enterKeyExchange(request.otherInit)
+
+		t.mu.Lock()
+		t.writeError = err
+		t.sentInitPacket = nil
+		t.sentInitMsg = nil
+		t.writePacketsLeft = packetRekeyThreshold
+		if t.config.RekeyThreshold > 0 {
+			t.writeBytesLeft = int64(t.config.RekeyThreshold)
+		} else if t.algorithms != nil {
+			t.writeBytesLeft = t.algorithms.w.rekeyBytes()
+		}
+
+		// we have completed the key exchange. Since the
+		// reader is still blocked, it is safe to clear out
+		// the requestKex channel. This avoids the situation
+		// where: 1) we consumed our own request for the
+		// initial kex, and 2) the kex from the remote side
+		// caused another send on the requestKex channel,
+	clear:
+		for {
+			select {
+			case <-t.requestKex:
+				//
+			default:
+				break clear
+			}
+		}
+
+		request.done <- t.writeError
+
+		// kex finished. Push packets that we received while
+		// the kex was in progress. Don't look at t.startKex
+		// and don't increment writtenSinceKex: if we trigger
+		// another kex while we are still busy with the last
+		// one, things will become very confusing.
+		for _, p := range t.pendingPackets {
+			t.writeError = t.pushPacket(p)
+			if t.writeError != nil {
+				break
+			}
+		}
+		t.pendingPackets = t.pendingPackets[:0]
+		t.mu.Unlock()
 	}
 
+	// drain startKex channel. We don't service t.requestKex
+	// because nobody does blocking sends there.
+	go func() {
+		for init := range t.startKex {
+			init.done <- t.writeError
+		}
+	}()
+
+	// Unblock reader.
+	t.conn.Close()
+}
+
+// The protocol uses uint32 for packet counters, so we can't let them
+// reach 1<<32.  We will actually read and write more packets than
+// this, though: the other side may send more packets, and after we
+// hit this limit on writing we will send a few more packets for the
+// key exchange itself.
+const packetRekeyThreshold = (1 << 31)
+
+func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
 	p, err := t.conn.readPacket()
 	if err != nil {
 		return nil, err
 	}
 
-	t.readSinceKex += uint64(len(p))
-	if debugHandshake {
-		if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
-			log.Printf("%s got data (packet %d bytes)", t.id(), len(p))
-		} else {
-			msg, err := decode(p)
-			log.Printf("%s got %T %v (%v)", t.id(), msg, msg, err)
-		}
+	if t.readPacketsLeft > 0 {
+		t.readPacketsLeft--
+	} else {
+		t.requestKeyExchange()
 	}
+
+	if t.readBytesLeft > 0 {
+		t.readBytesLeft -= int64(len(p))
+	} else {
+		t.requestKeyExchange()
+	}
+
+	if debugHandshake {
+		t.printPacket(p, false)
+	}
+
+	if first && p[0] != msgKexInit {
+		return nil, fmt.Errorf("ssh: first packet should be msgKexInit")
+	}
+
 	if p[0] != msgKexInit {
 		return p, nil
 	}
 
-	t.mu.Lock()
-
 	firstKex := t.sessionID == nil
 
-	err = t.enterKeyExchangeLocked(p)
-	if err != nil {
-		// drop connection
-		t.conn.Close()
-		t.writeError = err
+	kex := pendingKex{
+		done:      make(chan error, 1),
+		otherInit: p,
 	}
+	t.startKex <- &kex
+	err = <-kex.done
 
 	if debugHandshake {
 		log.Printf("%s exited key exchange (first %v), err %v", t.id(), firstKex, err)
 	}
 
-	// Unblock writers.
-	t.sentInitMsg = nil
-	t.sentInitPacket = nil
-	t.cond.Broadcast()
-	t.writtenSinceKex = 0
-	t.mu.Unlock()
-
 	if err != nil {
 		return nil, err
 	}
 
-	t.readSinceKex = 0
+	t.readPacketsLeft = packetRekeyThreshold
+	if t.config.RekeyThreshold > 0 {
+		t.readBytesLeft = int64(t.config.RekeyThreshold)
+	} else {
+		t.readBytesLeft = t.algorithms.r.rekeyBytes()
+	}
 
 	// By default, a key exchange is hidden from higher layers by
 	// translating it into msgIgnore.
@@ -213,61 +411,16 @@ func (t *handshakeTransport) readOnePacket() ([]byte, error) {
 	return successPacket, nil
 }
 
-// keyChangeCategory describes whether a key exchange is the first on a
-// connection, or a subsequent one.
-type keyChangeCategory bool
-
-const (
-	firstKeyExchange      keyChangeCategory = true
-	subsequentKeyExchange keyChangeCategory = false
-)
-
-// sendKexInit sends a key change message, and returns the message
-// that was sent. After initiating the key change, all writes will be
-// blocked until the change is done, and a failed key change will
-// close the underlying transport. This function is safe for
-// concurrent use by multiple goroutines.
-func (t *handshakeTransport) sendKexInit(isFirst keyChangeCategory) error {
-	var err error
-
+// sendKexInit sends a key change message.
+func (t *handshakeTransport) sendKexInit() error {
 	t.mu.Lock()
-	// If this is the initial key change, but we already have a sessionID,
-	// then do nothing because the key exchange has already completed
-	// asynchronously.
-	if !isFirst || t.sessionID == nil {
-		_, _, err = t.sendKexInitLocked(isFirst)
-	}
-	t.mu.Unlock()
-	if err != nil {
-		return err
-	}
-	if isFirst {
-		if packet, err := t.readPacket(); err != nil {
-			return err
-		} else if packet[0] != msgNewKeys {
-			return unexpectedMessageError(msgNewKeys, packet[0])
-		}
-	}
-	return nil
-}
-
-func (t *handshakeTransport) requestInitialKeyChange() error {
-	return t.sendKexInit(firstKeyExchange)
-}
-
-func (t *handshakeTransport) requestKeyChange() error {
-	return t.sendKexInit(subsequentKeyExchange)
-}
-
-// sendKexInitLocked sends a key change message. t.mu must be locked
-// while this happens.
-func (t *handshakeTransport) sendKexInitLocked(isFirst keyChangeCategory) (*kexInitMsg, []byte, error) {
-	// kexInits may be sent either in response to the other side,
-	// or because our side wants to initiate a key change, so we
-	// may have already sent a kexInit. In that case, don't send a
-	// second kexInit.
+	defer t.mu.Unlock()
 	if t.sentInitMsg != nil {
-		return t.sentInitMsg, t.sentInitPacket, nil
+		// kexInits may be sent either in response to the other side,
+		// or because our side wants to initiate a key change, so we
+		// may have already sent a kexInit. In that case, don't send a
+		// second kexInit.
+		return nil
 	}
 
 	msg := &kexInitMsg{
@@ -295,53 +448,65 @@ func (t *handshakeTransport) sendKexInitLocked(isFirst keyChangeCategory) (*kexI
 	packetCopy := make([]byte, len(packet))
 	copy(packetCopy, packet)
 
-	if err := t.conn.writePacket(packetCopy); err != nil {
-		return nil, nil, err
+	if err := t.pushPacket(packetCopy); err != nil {
+		return err
 	}
 
 	t.sentInitMsg = msg
 	t.sentInitPacket = packet
-	return msg, packet, nil
+
+	return nil
 }
 
 func (t *handshakeTransport) writePacket(p []byte) error {
-	t.mu.Lock()
-	defer t.mu.Unlock()
-
-	if t.writtenSinceKex > t.config.RekeyThreshold {
-		t.sendKexInitLocked(subsequentKeyExchange)
-	}
-	for t.sentInitMsg != nil && t.writeError == nil {
-		t.cond.Wait()
-	}
-	if t.writeError != nil {
-		return t.writeError
-	}
-	t.writtenSinceKex += uint64(len(p))
-
 	switch p[0] {
 	case msgKexInit:
 		return errors.New("ssh: only handshakeTransport can send kexInit")
 	case msgNewKeys:
 		return errors.New("ssh: only handshakeTransport can send newKeys")
-	default:
-		return t.conn.writePacket(p)
 	}
+
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	if t.writeError != nil {
+		return t.writeError
+	}
+
+	if t.sentInitMsg != nil {
+		// Copy the packet so the writer can reuse the buffer.
+		cp := make([]byte, len(p))
+		copy(cp, p)
+		t.pendingPackets = append(t.pendingPackets, cp)
+		return nil
+	}
+
+	if t.writeBytesLeft > 0 {
+		t.writeBytesLeft -= int64(len(p))
+	} else {
+		t.requestKeyExchange()
+	}
+
+	if t.writePacketsLeft > 0 {
+		t.writePacketsLeft--
+	} else {
+		t.requestKeyExchange()
+	}
+
+	if err := t.pushPacket(p); err != nil {
+		t.writeError = err
+	}
+
+	return nil
 }
 
 func (t *handshakeTransport) Close() error {
 	return t.conn.Close()
 }
 
-// enterKeyExchange runs the key exchange. t.mu must be held while running this.
-func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) error {
+func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 	if debugHandshake {
 		log.Printf("%s entered key exchange", t.id())
 	}
-	myInit, myInitPacket, err := t.sendKexInitLocked(subsequentKeyExchange)
-	if err != nil {
-		return err
-	}
 
 	otherInit := &kexInitMsg{}
 	if err := Unmarshal(otherInitPacket, otherInit); err != nil {
@@ -352,20 +517,20 @@ func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) erro
 		clientVersion: t.clientVersion,
 		serverVersion: t.serverVersion,
 		clientKexInit: otherInitPacket,
-		serverKexInit: myInitPacket,
+		serverKexInit: t.sentInitPacket,
 	}
 
 	clientInit := otherInit
-	serverInit := myInit
+	serverInit := t.sentInitMsg
 	if len(t.hostKeys) == 0 {
-		clientInit = myInit
-		serverInit = otherInit
+		clientInit, serverInit = serverInit, clientInit
 
-		magics.clientKexInit = myInitPacket
+		magics.clientKexInit = t.sentInitPacket
 		magics.serverKexInit = otherInitPacket
 	}
 
-	algs, err := findAgreedAlgorithms(clientInit, serverInit)
+	var err error
+	t.algorithms, err = findAgreedAlgorithms(clientInit, serverInit)
 	if err != nil {
 		return err
 	}
@@ -388,16 +553,16 @@ func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) erro
 		}
 	}
 
-	kex, ok := kexAlgoMap[algs.kex]
+	kex, ok := kexAlgoMap[t.algorithms.kex]
 	if !ok {
-		return fmt.Errorf("ssh: unexpected key exchange algorithm %v", algs.kex)
+		return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex)
 	}
 
 	var result *kexResult
 	if len(t.hostKeys) > 0 {
-		result, err = t.server(kex, algs, &magics)
+		result, err = t.server(kex, t.algorithms, &magics)
 	} else {
-		result, err = t.client(kex, algs, &magics)
+		result, err = t.client(kex, t.algorithms, &magics)
 	}
 
 	if err != nil {
@@ -409,7 +574,7 @@ func (t *handshakeTransport) enterKeyExchangeLocked(otherInitPacket []byte) erro
 	}
 	result.SessionID = t.sessionID
 
-	t.conn.prepareKeyChange(algs, result)
+	t.conn.prepareKeyChange(t.algorithms, result)
 	if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
 		return err
 	}

vendor/golang.org/x/crypto/ssh/handshake_test.go

@@ -1,486 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/rand"
-	"errors"
-	"fmt"
-	"net"
-	"reflect"
-	"runtime"
-	"strings"
-	"sync"
-	"testing"
-)
-
-type testChecker struct {
-	calls []string
-}
-
-func (t *testChecker) Check(dialAddr string, addr net.Addr, key PublicKey) error {
-	if dialAddr == "bad" {
-		return fmt.Errorf("dialAddr is bad")
-	}
-
-	if tcpAddr, ok := addr.(*net.TCPAddr); !ok || tcpAddr == nil {
-		return fmt.Errorf("testChecker: got %T want *net.TCPAddr", addr)
-	}
-
-	t.calls = append(t.calls, fmt.Sprintf("%s %v %s %x", dialAddr, addr, key.Type(), key.Marshal()))
-
-	return nil
-}
-
-// netPipe is analogous to net.Pipe, but it uses a real net.Conn, and
-// therefore is buffered (net.Pipe deadlocks if both sides start with
-// a write.)
-func netPipe() (net.Conn, net.Conn, error) {
-	listener, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		return nil, nil, err
-	}
-	defer listener.Close()
-	c1, err := net.Dial("tcp", listener.Addr().String())
-	if err != nil {
-		return nil, nil, err
-	}
-
-	c2, err := listener.Accept()
-	if err != nil {
-		c1.Close()
-		return nil, nil, err
-	}
-
-	return c1, c2, nil
-}
-
-func handshakePair(clientConf *ClientConfig, addr string) (client *handshakeTransport, server *handshakeTransport, err error) {
-	a, b, err := netPipe()
-	if err != nil {
-		return nil, nil, err
-	}
-
-	trC := newTransport(a, rand.Reader, true)
-	trS := newTransport(b, rand.Reader, false)
-	clientConf.SetDefaults()
-
-	v := []byte("version")
-	client = newClientTransport(trC, v, v, clientConf, addr, a.RemoteAddr())
-
-	serverConf := &ServerConfig{}
-	serverConf.AddHostKey(testSigners["ecdsa"])
-	serverConf.AddHostKey(testSigners["rsa"])
-	serverConf.SetDefaults()
-	server = newServerTransport(trS, v, v, serverConf)
-
-	return client, server, nil
-}
-
-func TestHandshakeBasic(t *testing.T) {
-	if runtime.GOOS == "plan9" {
-		t.Skip("see golang.org/issue/7237")
-	}
-	checker := &testChecker{}
-	trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr")
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-
-	defer trC.Close()
-	defer trS.Close()
-
-	go func() {
-		// Client writes a bunch of stuff, and does a key
-		// change in the middle. This should not confuse the
-		// handshake in progress
-		for i := 0; i < 10; i++ {
-			p := []byte{msgRequestSuccess, byte(i)}
-			if err := trC.writePacket(p); err != nil {
-				t.Fatalf("sendPacket: %v", err)
-			}
-			if i == 5 {
-				// halfway through, we request a key change.
-				err := trC.sendKexInit(subsequentKeyExchange)
-				if err != nil {
-					t.Fatalf("sendKexInit: %v", err)
-				}
-			}
-		}
-		trC.Close()
-	}()
-
-	// Server checks that client messages come in cleanly
-	i := 0
-	for {
-		p, err := trS.readPacket()
-		if err != nil {
-			break
-		}
-		if p[0] == msgNewKeys {
-			continue
-		}
-		want := []byte{msgRequestSuccess, byte(i)}
-		if bytes.Compare(p, want) != 0 {
-			t.Errorf("message %d: got %q, want %q", i, p, want)
-		}
-		i++
-	}
-	if i != 10 {
-		t.Errorf("received %d messages, want 10.", i)
-	}
-
-	// If all went well, we registered exactly 1 key change.
-	if len(checker.calls) != 1 {
-		t.Fatalf("got %d host key checks, want 1", len(checker.calls))
-	}
-
-	pub := testSigners["ecdsa"].PublicKey()
-	want := fmt.Sprintf("%s %v %s %x", "addr", trC.remoteAddr, pub.Type(), pub.Marshal())
-	if want != checker.calls[0] {
-		t.Errorf("got %q want %q for host key check", checker.calls[0], want)
-	}
-}
-
-func TestHandshakeError(t *testing.T) {
-	checker := &testChecker{}
-	trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "bad")
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-	defer trC.Close()
-	defer trS.Close()
-
-	// send a packet
-	packet := []byte{msgRequestSuccess, 42}
-	if err := trC.writePacket(packet); err != nil {
-		t.Errorf("writePacket: %v", err)
-	}
-
-	// Now request a key change.
-	err = trC.sendKexInit(subsequentKeyExchange)
-	if err != nil {
-		t.Errorf("sendKexInit: %v", err)
-	}
-
-	// the key change will fail, and afterwards we can't write.
-	if err := trC.writePacket([]byte{msgRequestSuccess, 43}); err == nil {
-		t.Errorf("writePacket after botched rekey succeeded.")
-	}
-
-	readback, err := trS.readPacket()
-	if err != nil {
-		t.Fatalf("server closed too soon: %v", err)
-	}
-	if bytes.Compare(readback, packet) != 0 {
-		t.Errorf("got %q want %q", readback, packet)
-	}
-	readback, err = trS.readPacket()
-	if err == nil {
-		t.Errorf("got a message %q after failed key change", readback)
-	}
-}
-
-func TestForceFirstKex(t *testing.T) {
-	checker := &testChecker{}
-	trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr")
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-
-	defer trC.Close()
-	defer trS.Close()
-
-	trC.writePacket(Marshal(&serviceRequestMsg{serviceUserAuth}))
-
-	// We setup the initial key exchange, but the remote side
-	// tries to send serviceRequestMsg in cleartext, which is
-	// disallowed.
-
-	err = trS.sendKexInit(firstKeyExchange)
-	if err == nil {
-		t.Errorf("server first kex init should reject unexpected packet")
-	}
-}
-
-func TestHandshakeTwice(t *testing.T) {
-	checker := &testChecker{}
-	trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr")
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-
-	defer trC.Close()
-	defer trS.Close()
-
-	// Both sides should ask for the first key exchange first.
-	err = trS.sendKexInit(firstKeyExchange)
-	if err != nil {
-		t.Errorf("server sendKexInit: %v", err)
-	}
-
-	err = trC.sendKexInit(firstKeyExchange)
-	if err != nil {
-		t.Errorf("client sendKexInit: %v", err)
-	}
-
-	sent := 0
-	// send a packet
-	packet := make([]byte, 5)
-	packet[0] = msgRequestSuccess
-	if err := trC.writePacket(packet); err != nil {
-		t.Errorf("writePacket: %v", err)
-	}
-	sent++
-
-	// Send another packet. Use a fresh one, since writePacket destroys.
-	packet = make([]byte, 5)
-	packet[0] = msgRequestSuccess
-	if err := trC.writePacket(packet); err != nil {
-		t.Errorf("writePacket: %v", err)
-	}
-	sent++
-
-	// 2nd key change.
-	err = trC.sendKexInit(subsequentKeyExchange)
-	if err != nil {
-		t.Errorf("sendKexInit: %v", err)
-	}
-
-	packet = make([]byte, 5)
-	packet[0] = msgRequestSuccess
-	if err := trC.writePacket(packet); err != nil {
-		t.Errorf("writePacket: %v", err)
-	}
-	sent++
-
-	packet = make([]byte, 5)
-	packet[0] = msgRequestSuccess
-	for i := 0; i < sent; i++ {
-		msg, err := trS.readPacket()
-		if err != nil {
-			t.Fatalf("server closed too soon: %v", err)
-		}
-
-		if bytes.Compare(msg, packet) != 0 {
-			t.Errorf("packet %d: got %q want %q", i, msg, packet)
-		}
-	}
-	if len(checker.calls) != 2 {
-		t.Errorf("got %d key changes, want 2", len(checker.calls))
-	}
-}
-
-func TestHandshakeAutoRekeyWrite(t *testing.T) {
-	checker := &testChecker{}
-	clientConf := &ClientConfig{HostKeyCallback: checker.Check}
-	clientConf.RekeyThreshold = 500
-	trC, trS, err := handshakePair(clientConf, "addr")
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-	defer trC.Close()
-	defer trS.Close()
-
-	for i := 0; i < 5; i++ {
-		packet := make([]byte, 251)
-		packet[0] = msgRequestSuccess
-		if err := trC.writePacket(packet); err != nil {
-			t.Errorf("writePacket: %v", err)
-		}
-	}
-
-	j := 0
-	for ; j < 5; j++ {
-		_, err := trS.readPacket()
-		if err != nil {
-			break
-		}
-	}
-
-	if j != 5 {
-		t.Errorf("got %d, want 5 messages", j)
-	}
-
-	if len(checker.calls) != 2 {
-		t.Errorf("got %d key changes, wanted 2", len(checker.calls))
-	}
-}
-
-type syncChecker struct {
-	called chan int
-}
-
-func (t *syncChecker) Check(dialAddr string, addr net.Addr, key PublicKey) error {
-	t.called <- 1
-	return nil
-}
-
-func TestHandshakeAutoRekeyRead(t *testing.T) {
-	sync := &syncChecker{make(chan int, 2)}
-	clientConf := &ClientConfig{
-		HostKeyCallback: sync.Check,
-	}
-	clientConf.RekeyThreshold = 500
-
-	trC, trS, err := handshakePair(clientConf, "addr")
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-	defer trC.Close()
-	defer trS.Close()
-
-	packet := make([]byte, 501)
-	packet[0] = msgRequestSuccess
-	if err := trS.writePacket(packet); err != nil {
-		t.Fatalf("writePacket: %v", err)
-	}
-	// While we read out the packet, a key change will be
-	// initiated.
-	if _, err := trC.readPacket(); err != nil {
-		t.Fatalf("readPacket(client): %v", err)
-	}
-
-	<-sync.called
-}
-
-// errorKeyingTransport generates errors after a given number of
-// read/write operations.
-type errorKeyingTransport struct {
-	packetConn
-	readLeft, writeLeft int
-}
-
-func (n *errorKeyingTransport) prepareKeyChange(*algorithms, *kexResult) error {
-	return nil
-}
-func (n *errorKeyingTransport) getSessionID() []byte {
-	return nil
-}
-
-func (n *errorKeyingTransport) writePacket(packet []byte) error {
-	if n.writeLeft == 0 {
-		n.Close()
-		return errors.New("barf")
-	}
-
-	n.writeLeft--
-	return n.packetConn.writePacket(packet)
-}
-
-func (n *errorKeyingTransport) readPacket() ([]byte, error) {
-	if n.readLeft == 0 {
-		n.Close()
-		return nil, errors.New("barf")
-	}
-
-	n.readLeft--
-	return n.packetConn.readPacket()
-}
-
-func TestHandshakeErrorHandlingRead(t *testing.T) {
-	for i := 0; i < 20; i++ {
-		testHandshakeErrorHandlingN(t, i, -1)
-	}
-}
-
-func TestHandshakeErrorHandlingWrite(t *testing.T) {
-	for i := 0; i < 20; i++ {
-		testHandshakeErrorHandlingN(t, -1, i)
-	}
-}
-
-// testHandshakeErrorHandlingN runs handshakes, injecting errors. If
-// handshakeTransport deadlocks, the go runtime will detect it and
-// panic.
-func testHandshakeErrorHandlingN(t *testing.T, readLimit, writeLimit int) {
-	msg := Marshal(&serviceRequestMsg{strings.Repeat("x", int(minRekeyThreshold)/4)})
-
-	a, b := memPipe()
-	defer a.Close()
-	defer b.Close()
-
-	key := testSigners["ecdsa"]
-	serverConf := Config{RekeyThreshold: minRekeyThreshold}
-	serverConf.SetDefaults()
-	serverConn := newHandshakeTransport(&errorKeyingTransport{a, readLimit, writeLimit}, &serverConf, []byte{'a'}, []byte{'b'})
-	serverConn.hostKeys = []Signer{key}
-	go serverConn.readLoop()
-
-	clientConf := Config{RekeyThreshold: 10 * minRekeyThreshold}
-	clientConf.SetDefaults()
-	clientConn := newHandshakeTransport(&errorKeyingTransport{b, -1, -1}, &clientConf, []byte{'a'}, []byte{'b'})
-	clientConn.hostKeyAlgorithms = []string{key.PublicKey().Type()}
-	go clientConn.readLoop()
-
-	var wg sync.WaitGroup
-	wg.Add(4)
-
-	for _, hs := range []packetConn{serverConn, clientConn} {
-		go func(c packetConn) {
-			for {
-				err := c.writePacket(msg)
-				if err != nil {
-					break
-				}
-			}
-			wg.Done()
-		}(hs)
-		go func(c packetConn) {
-			for {
-				_, err := c.readPacket()
-				if err != nil {
-					break
-				}
-			}
-			wg.Done()
-		}(hs)
-	}
-
-	wg.Wait()
-}
-
-func TestDisconnect(t *testing.T) {
-	if runtime.GOOS == "plan9" {
-		t.Skip("see golang.org/issue/7237")
-	}
-	checker := &testChecker{}
-	trC, trS, err := handshakePair(&ClientConfig{HostKeyCallback: checker.Check}, "addr")
-	if err != nil {
-		t.Fatalf("handshakePair: %v", err)
-	}
-
-	defer trC.Close()
-	defer trS.Close()
-
-	trC.writePacket([]byte{msgRequestSuccess, 0, 0})
-	errMsg := &disconnectMsg{
-		Reason:  42,
-		Message: "such is life",
-	}
-	trC.writePacket(Marshal(errMsg))
-	trC.writePacket([]byte{msgRequestSuccess, 0, 0})
-
-	packet, err := trS.readPacket()
-	if err != nil {
-		t.Fatalf("readPacket 1: %v", err)
-	}
-	if packet[0] != msgRequestSuccess {
-		t.Errorf("got packet %v, want packet type %d", packet, msgRequestSuccess)
-	}
-
-	_, err = trS.readPacket()
-	if err == nil {
-		t.Errorf("readPacket 2 succeeded")
-	} else if !reflect.DeepEqual(err, errMsg) {
-		t.Errorf("got error %#v, want %#v", err, errMsg)
-	}
-
-	_, err = trS.readPacket()
-	if err == nil {
-		t.Errorf("readPacket 3 succeeded")
-	}
-}

vendor/golang.org/x/crypto/ssh/kex_test.go

@@ -1,50 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-// Key exchange tests.
-
-import (
-	"crypto/rand"
-	"reflect"
-	"testing"
-)
-
-func TestKexes(t *testing.T) {
-	type kexResultErr struct {
-		result *kexResult
-		err    error
-	}
-
-	for name, kex := range kexAlgoMap {
-		a, b := memPipe()
-
-		s := make(chan kexResultErr, 1)
-		c := make(chan kexResultErr, 1)
-		var magics handshakeMagics
-		go func() {
-			r, e := kex.Client(a, rand.Reader, &magics)
-			a.Close()
-			c <- kexResultErr{r, e}
-		}()
-		go func() {
-			r, e := kex.Server(b, rand.Reader, &magics, testSigners["ecdsa"])
-			b.Close()
-			s <- kexResultErr{r, e}
-		}()
-
-		clientRes := <-c
-		serverRes := <-s
-		if clientRes.err != nil {
-			t.Errorf("client: %v", clientRes.err)
-		}
-		if serverRes.err != nil {
-			t.Errorf("server: %v", serverRes.err)
-		}
-		if !reflect.DeepEqual(clientRes.result, serverRes.result) {
-			t.Errorf("kex %q: mismatch %#v, %#v", name, clientRes.result, serverRes.result)
-		}
-	}
-}

vendor/golang.org/x/crypto/ssh/keys.go

@@ -10,10 +10,13 @@ import (
 	"crypto/dsa"
 	"crypto/ecdsa"
 	"crypto/elliptic"
+	"crypto/md5"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/base64"
+	"encoding/hex"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -795,8 +798,8 @@ func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) {
 		P       *big.Int
 		Q       *big.Int
 		G       *big.Int
-		Priv    *big.Int
 		Pub     *big.Int
+		Priv    *big.Int
 	}
 	rest, err := asn1.Unmarshal(der, &k)
 	if err != nil {
@@ -813,9 +816,9 @@ func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) {
 				Q: k.Q,
 				G: k.G,
 			},
-			Y: k.Priv,
+			Y: k.Pub,
 		},
-		X: k.Pub,
+		X: k.Priv,
 	}, nil
 }
 
@@ -878,3 +881,25 @@ func parseOpenSSHPrivateKey(key []byte) (*ed25519.PrivateKey, error) {
 	copy(pk, pk1.Priv)
 	return &pk, nil
 }
+
+// FingerprintLegacyMD5 returns the user presentation of the key's
+// fingerprint as described by RFC 4716 section 4.
+func FingerprintLegacyMD5(pubKey PublicKey) string {
+	md5sum := md5.Sum(pubKey.Marshal())
+	hexarray := make([]string, len(md5sum))
+	for i, c := range md5sum {
+		hexarray[i] = hex.EncodeToString([]byte{c})
+	}
+	return strings.Join(hexarray, ":")
+}
+
+// FingerprintSHA256 returns the user presentation of the key's
+// fingerprint as unpadded base64 encoded sha256 hash.
+// This format was introduced from OpenSSH 6.8.
+// https://www.openssh.com/txt/release-6.8
+// https://tools.ietf.org/html/rfc4648#section-3.2 (unpadded base64 encoding)
+func FingerprintSHA256(pubKey PublicKey) string {
+	sha256sum := sha256.Sum256(pubKey.Marshal())
+	hash := base64.RawStdEncoding.EncodeToString(sha256sum[:])
+	return "SHA256:" + hash
+}

vendor/golang.org/x/crypto/ssh/keys_test.go

@@ -1,456 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/dsa"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"encoding/base64"
-	"fmt"
-	"reflect"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/ed25519"
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-func rawKey(pub PublicKey) interface{} {
-	switch k := pub.(type) {
-	case *rsaPublicKey:
-		return (*rsa.PublicKey)(k)
-	case *dsaPublicKey:
-		return (*dsa.PublicKey)(k)
-	case *ecdsaPublicKey:
-		return (*ecdsa.PublicKey)(k)
-	case ed25519PublicKey:
-		return (ed25519.PublicKey)(k)
-	case *Certificate:
-		return k
-	}
-	panic("unknown key type")
-}
-
-func TestKeyMarshalParse(t *testing.T) {
-	for _, priv := range testSigners {
-		pub := priv.PublicKey()
-		roundtrip, err := ParsePublicKey(pub.Marshal())
-		if err != nil {
-			t.Errorf("ParsePublicKey(%T): %v", pub, err)
-		}
-
-		k1 := rawKey(pub)
-		k2 := rawKey(roundtrip)
-
-		if !reflect.DeepEqual(k1, k2) {
-			t.Errorf("got %#v in roundtrip, want %#v", k2, k1)
-		}
-	}
-}
-
-func TestUnsupportedCurves(t *testing.T) {
-	raw, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
-	if err != nil {
-		t.Fatalf("GenerateKey: %v", err)
-	}
-
-	if _, err = NewSignerFromKey(raw); err == nil || !strings.Contains(err.Error(), "only P-256") {
-		t.Fatalf("NewPrivateKey should not succeed with P-224, got: %v", err)
-	}
-
-	if _, err = NewPublicKey(&raw.PublicKey); err == nil || !strings.Contains(err.Error(), "only P-256") {
-		t.Fatalf("NewPublicKey should not succeed with P-224, got: %v", err)
-	}
-}
-
-func TestNewPublicKey(t *testing.T) {
-	for _, k := range testSigners {
-		raw := rawKey(k.PublicKey())
-		// Skip certificates, as NewPublicKey does not support them.
-		if _, ok := raw.(*Certificate); ok {
-			continue
-		}
-		pub, err := NewPublicKey(raw)
-		if err != nil {
-			t.Errorf("NewPublicKey(%#v): %v", raw, err)
-		}
-		if !reflect.DeepEqual(k.PublicKey(), pub) {
-			t.Errorf("NewPublicKey(%#v) = %#v, want %#v", raw, pub, k.PublicKey())
-		}
-	}
-}
-
-func TestKeySignVerify(t *testing.T) {
-	for _, priv := range testSigners {
-		pub := priv.PublicKey()
-
-		data := []byte("sign me")
-		sig, err := priv.Sign(rand.Reader, data)
-		if err != nil {
-			t.Fatalf("Sign(%T): %v", priv, err)
-		}
-
-		if err := pub.Verify(data, sig); err != nil {
-			t.Errorf("publicKey.Verify(%T): %v", priv, err)
-		}
-		sig.Blob[5]++
-		if err := pub.Verify(data, sig); err == nil {
-			t.Errorf("publicKey.Verify on broken sig did not fail")
-		}
-	}
-}
-
-func TestParseRSAPrivateKey(t *testing.T) {
-	key := testPrivateKeys["rsa"]
-
-	rsa, ok := key.(*rsa.PrivateKey)
-	if !ok {
-		t.Fatalf("got %T, want *rsa.PrivateKey", rsa)
-	}
-
-	if err := rsa.Validate(); err != nil {
-		t.Errorf("Validate: %v", err)
-	}
-}
-
-func TestParseECPrivateKey(t *testing.T) {
-	key := testPrivateKeys["ecdsa"]
-
-	ecKey, ok := key.(*ecdsa.PrivateKey)
-	if !ok {
-		t.Fatalf("got %T, want *ecdsa.PrivateKey", ecKey)
-	}
-
-	if !validateECPublicKey(ecKey.Curve, ecKey.X, ecKey.Y) {
-		t.Fatalf("public key does not validate.")
-	}
-}
-
-// See Issue https://github.com/golang/go/issues/6650.
-func TestParseEncryptedPrivateKeysFails(t *testing.T) {
-	const wantSubstring = "encrypted"
-	for i, tt := range testdata.PEMEncryptedKeys {
-		_, err := ParsePrivateKey(tt.PEMBytes)
-		if err == nil {
-			t.Errorf("#%d key %s: ParsePrivateKey successfully parsed, expected an error", i, tt.Name)
-			continue
-		}
-
-		if !strings.Contains(err.Error(), wantSubstring) {
-			t.Errorf("#%d key %s: got error %q, want substring %q", i, tt.Name, err, wantSubstring)
-		}
-	}
-}
-
-func TestParseDSA(t *testing.T) {
-	// We actually exercise the ParsePrivateKey codepath here, as opposed to
-	// using the ParseRawPrivateKey+NewSignerFromKey path that testdata_test.go
-	// uses.
-	s, err := ParsePrivateKey(testdata.PEMBytes["dsa"])
-	if err != nil {
-		t.Fatalf("ParsePrivateKey returned error: %s", err)
-	}
-
-	data := []byte("sign me")
-	sig, err := s.Sign(rand.Reader, data)
-	if err != nil {
-		t.Fatalf("dsa.Sign: %v", err)
-	}
-
-	if err := s.PublicKey().Verify(data, sig); err != nil {
-		t.Errorf("Verify failed: %v", err)
-	}
-}
-
-// Tests for authorized_keys parsing.
-
-// getTestKey returns a public key, and its base64 encoding.
-func getTestKey() (PublicKey, string) {
-	k := testPublicKeys["rsa"]
-
-	b := &bytes.Buffer{}
-	e := base64.NewEncoder(base64.StdEncoding, b)
-	e.Write(k.Marshal())
-	e.Close()
-
-	return k, b.String()
-}
-
-func TestMarshalParsePublicKey(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	line := fmt.Sprintf("%s %s user@host", pub.Type(), pubSerialized)
-
-	authKeys := MarshalAuthorizedKey(pub)
-	actualFields := strings.Fields(string(authKeys))
-	if len(actualFields) == 0 {
-		t.Fatalf("failed authKeys: %v", authKeys)
-	}
-
-	// drop the comment
-	expectedFields := strings.Fields(line)[0:2]
-
-	if !reflect.DeepEqual(actualFields, expectedFields) {
-		t.Errorf("got %v, expected %v", actualFields, expectedFields)
-	}
-
-	actPub, _, _, _, err := ParseAuthorizedKey([]byte(line))
-	if err != nil {
-		t.Fatalf("cannot parse %v: %v", line, err)
-	}
-	if !reflect.DeepEqual(actPub, pub) {
-		t.Errorf("got %v, expected %v", actPub, pub)
-	}
-}
-
-type authResult struct {
-	pubKey   PublicKey
-	options  []string
-	comments string
-	rest     string
-	ok       bool
-}
-
-func testAuthorizedKeys(t *testing.T, authKeys []byte, expected []authResult) {
-	rest := authKeys
-	var values []authResult
-	for len(rest) > 0 {
-		var r authResult
-		var err error
-		r.pubKey, r.comments, r.options, rest, err = ParseAuthorizedKey(rest)
-		r.ok = (err == nil)
-		t.Log(err)
-		r.rest = string(rest)
-		values = append(values, r)
-	}
-
-	if !reflect.DeepEqual(values, expected) {
-		t.Errorf("got %#v, expected %#v", values, expected)
-	}
-}
-
-func TestAuthorizedKeyBasic(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	line := "ssh-rsa " + pubSerialized + " user@host"
-	testAuthorizedKeys(t, []byte(line),
-		[]authResult{
-			{pub, nil, "user@host", "", true},
-		})
-}
-
-func TestAuth(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithOptions := []string{
-		`# comments to ignore before any keys...`,
-		``,
-		`env="HOME=/home/root",no-port-forwarding ssh-rsa ` + pubSerialized + ` user@host`,
-		`# comments to ignore, along with a blank line`,
-		``,
-		`env="HOME=/home/root2" ssh-rsa ` + pubSerialized + ` user2@host2`,
-		``,
-		`# more comments, plus a invalid entry`,
-		`ssh-rsa data-that-will-not-parse user@host3`,
-	}
-	for _, eol := range []string{"\n", "\r\n"} {
-		authOptions := strings.Join(authWithOptions, eol)
-		rest2 := strings.Join(authWithOptions[3:], eol)
-		rest3 := strings.Join(authWithOptions[6:], eol)
-		testAuthorizedKeys(t, []byte(authOptions), []authResult{
-			{pub, []string{`env="HOME=/home/root"`, "no-port-forwarding"}, "user@host", rest2, true},
-			{pub, []string{`env="HOME=/home/root2"`}, "user2@host2", rest3, true},
-			{nil, nil, "", "", false},
-		})
-	}
-}
-
-func TestAuthWithQuotedSpaceInEnv(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithQuotedSpaceInEnv := []byte(`env="HOME=/home/root dir",no-port-forwarding ssh-rsa ` + pubSerialized + ` user@host`)
-	testAuthorizedKeys(t, []byte(authWithQuotedSpaceInEnv), []authResult{
-		{pub, []string{`env="HOME=/home/root dir"`, "no-port-forwarding"}, "user@host", "", true},
-	})
-}
-
-func TestAuthWithQuotedCommaInEnv(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithQuotedCommaInEnv := []byte(`env="HOME=/home/root,dir",no-port-forwarding ssh-rsa ` + pubSerialized + `   user@host`)
-	testAuthorizedKeys(t, []byte(authWithQuotedCommaInEnv), []authResult{
-		{pub, []string{`env="HOME=/home/root,dir"`, "no-port-forwarding"}, "user@host", "", true},
-	})
-}
-
-func TestAuthWithQuotedQuoteInEnv(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithQuotedQuoteInEnv := []byte(`env="HOME=/home/\"root dir",no-port-forwarding` + "\t" + `ssh-rsa` + "\t" + pubSerialized + `   user@host`)
-	authWithDoubleQuotedQuote := []byte(`no-port-forwarding,env="HOME=/home/ \"root dir\"" ssh-rsa ` + pubSerialized + "\t" + `user@host`)
-	testAuthorizedKeys(t, []byte(authWithQuotedQuoteInEnv), []authResult{
-		{pub, []string{`env="HOME=/home/\"root dir"`, "no-port-forwarding"}, "user@host", "", true},
-	})
-
-	testAuthorizedKeys(t, []byte(authWithDoubleQuotedQuote), []authResult{
-		{pub, []string{"no-port-forwarding", `env="HOME=/home/ \"root dir\""`}, "user@host", "", true},
-	})
-}
-
-func TestAuthWithInvalidSpace(t *testing.T) {
-	_, pubSerialized := getTestKey()
-	authWithInvalidSpace := []byte(`env="HOME=/home/root dir", no-port-forwarding ssh-rsa ` + pubSerialized + ` user@host
-#more to follow but still no valid keys`)
-	testAuthorizedKeys(t, []byte(authWithInvalidSpace), []authResult{
-		{nil, nil, "", "", false},
-	})
-}
-
-func TestAuthWithMissingQuote(t *testing.T) {
-	pub, pubSerialized := getTestKey()
-	authWithMissingQuote := []byte(`env="HOME=/home/root,no-port-forwarding ssh-rsa ` + pubSerialized + ` user@host
-env="HOME=/home/root",shared-control ssh-rsa ` + pubSerialized + ` user@host`)
-
-	testAuthorizedKeys(t, []byte(authWithMissingQuote), []authResult{
-		{pub, []string{`env="HOME=/home/root"`, `shared-control`}, "user@host", "", true},
-	})
-}
-
-func TestInvalidEntry(t *testing.T) {
-	authInvalid := []byte(`ssh-rsa`)
-	_, _, _, _, err := ParseAuthorizedKey(authInvalid)
-	if err == nil {
-		t.Errorf("got valid entry for %q", authInvalid)
-	}
-}
-
-var knownHostsParseTests = []struct {
-	input string
-	err   string
-
-	marker  string
-	comment string
-	hosts   []string
-	rest    string
-}{
-	{
-		"",
-		"EOF",
-
-		"", "", nil, "",
-	},
-	{
-		"# Just a comment",
-		"EOF",
-
-		"", "", nil, "",
-	},
-	{
-		"   \t   ",
-		"EOF",
-
-		"", "", nil, "",
-	},
-	{
-		"localhost ssh-rsa {RSAPUB}",
-		"",
-
-		"", "", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}",
-		"",
-
-		"", "", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}\tcomment comment",
-		"",
-
-		"", "comment comment", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}\tcomment comment\n",
-		"",
-
-		"", "comment comment", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}\tcomment comment\r\n",
-		"",
-
-		"", "comment comment", []string{"localhost"}, "",
-	},
-	{
-		"localhost\tssh-rsa {RSAPUB}\tcomment comment\r\nnext line",
-		"",
-
-		"", "comment comment", []string{"localhost"}, "next line",
-	},
-	{
-		"localhost,[host2:123]\tssh-rsa {RSAPUB}\tcomment comment",
-		"",
-
-		"", "comment comment", []string{"localhost", "[host2:123]"}, "",
-	},
-	{
-		"@marker \tlocalhost,[host2:123]\tssh-rsa {RSAPUB}",
-		"",
-
-		"marker", "", []string{"localhost", "[host2:123]"}, "",
-	},
-	{
-		"@marker \tlocalhost,[host2:123]\tssh-rsa aabbccdd",
-		"short read",
-
-		"", "", nil, "",
-	},
-}
-
-func TestKnownHostsParsing(t *testing.T) {
-	rsaPub, rsaPubSerialized := getTestKey()
-
-	for i, test := range knownHostsParseTests {
-		var expectedKey PublicKey
-		const rsaKeyToken = "{RSAPUB}"
-
-		input := test.input
-		if strings.Contains(input, rsaKeyToken) {
-			expectedKey = rsaPub
-			input = strings.Replace(test.input, rsaKeyToken, rsaPubSerialized, -1)
-		}
-
-		marker, hosts, pubKey, comment, rest, err := ParseKnownHosts([]byte(input))
-		if err != nil {
-			if len(test.err) == 0 {
-				t.Errorf("#%d: unexpectedly failed with %q", i, err)
-			} else if !strings.Contains(err.Error(), test.err) {
-				t.Errorf("#%d: expected error containing %q, but got %q", i, test.err, err)
-			}
-			continue
-		} else if len(test.err) != 0 {
-			t.Errorf("#%d: succeeded but expected error including %q", i, test.err)
-			continue
-		}
-
-		if !reflect.DeepEqual(expectedKey, pubKey) {
-			t.Errorf("#%d: expected key %#v, but got %#v", i, expectedKey, pubKey)
-		}
-
-		if marker != test.marker {
-			t.Errorf("#%d: expected marker %q, but got %q", i, test.marker, marker)
-		}
-
-		if comment != test.comment {
-			t.Errorf("#%d: expected comment %q, but got %q", i, test.comment, comment)
-		}
-
-		if !reflect.DeepEqual(test.hosts, hosts) {
-			t.Errorf("#%d: expected hosts %#v, but got %#v", i, test.hosts, hosts)
-		}
-
-		if rest := string(rest); rest != test.rest {
-			t.Errorf("#%d: expected remaining input to be %q, but got %q", i, test.rest, rest)
-		}
-	}
-}

vendor/golang.org/x/crypto/ssh/mac.go

@@ -15,6 +15,7 @@ import (
 
 type macMode struct {
 	keySize int
+	etm     bool
 	new     func(key []byte) hash.Hash
 }
 
@@ -45,13 +46,16 @@ func (t truncatingMAC) Size() int {
 func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
 
 var macModes = map[string]*macMode{
-	"hmac-sha2-256": {32, func(key []byte) hash.Hash {
+	"hmac-sha2-256-etm@openssh.com": {32, true, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
 	}},
-	"hmac-sha1": {20, func(key []byte) hash.Hash {
+	"hmac-sha2-256": {32, false, func(key []byte) hash.Hash {
+		return hmac.New(sha256.New, key)
+	}},
+	"hmac-sha1": {20, false, func(key []byte) hash.Hash {
 		return hmac.New(sha1.New, key)
 	}},
-	"hmac-sha1-96": {20, func(key []byte) hash.Hash {
+	"hmac-sha1-96": {20, false, func(key []byte) hash.Hash {
 		return truncatingMAC{12, hmac.New(sha1.New, key)}
 	}},
 }

vendor/golang.org/x/crypto/ssh/mempipe_test.go

@@ -1,110 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"io"
-	"sync"
-	"testing"
-)
-
-// An in-memory packetConn. It is safe to call Close and writePacket
-// from different goroutines.
-type memTransport struct {
-	eof     bool
-	pending [][]byte
-	write   *memTransport
-	sync.Mutex
-	*sync.Cond
-}
-
-func (t *memTransport) readPacket() ([]byte, error) {
-	t.Lock()
-	defer t.Unlock()
-	for {
-		if len(t.pending) > 0 {
-			r := t.pending[0]
-			t.pending = t.pending[1:]
-			return r, nil
-		}
-		if t.eof {
-			return nil, io.EOF
-		}
-		t.Cond.Wait()
-	}
-}
-
-func (t *memTransport) closeSelf() error {
-	t.Lock()
-	defer t.Unlock()
-	if t.eof {
-		return io.EOF
-	}
-	t.eof = true
-	t.Cond.Broadcast()
-	return nil
-}
-
-func (t *memTransport) Close() error {
-	err := t.write.closeSelf()
-	t.closeSelf()
-	return err
-}
-
-func (t *memTransport) writePacket(p []byte) error {
-	t.write.Lock()
-	defer t.write.Unlock()
-	if t.write.eof {
-		return io.EOF
-	}
-	c := make([]byte, len(p))
-	copy(c, p)
-	t.write.pending = append(t.write.pending, c)
-	t.write.Cond.Signal()
-	return nil
-}
-
-func memPipe() (a, b packetConn) {
-	t1 := memTransport{}
-	t2 := memTransport{}
-	t1.write = &t2
-	t2.write = &t1
-	t1.Cond = sync.NewCond(&t1.Mutex)
-	t2.Cond = sync.NewCond(&t2.Mutex)
-	return &t1, &t2
-}
-
-func TestMemPipe(t *testing.T) {
-	a, b := memPipe()
-	if err := a.writePacket([]byte{42}); err != nil {
-		t.Fatalf("writePacket: %v", err)
-	}
-	if err := a.Close(); err != nil {
-		t.Fatal("Close: ", err)
-	}
-	p, err := b.readPacket()
-	if err != nil {
-		t.Fatal("readPacket: ", err)
-	}
-	if len(p) != 1 || p[0] != 42 {
-		t.Fatalf("got %v, want {42}", p)
-	}
-	p, err = b.readPacket()
-	if err != io.EOF {
-		t.Fatalf("got %v, %v, want EOF", p, err)
-	}
-}
-
-func TestDoubleClose(t *testing.T) {
-	a, _ := memPipe()
-	err := a.Close()
-	if err != nil {
-		t.Errorf("Close: %v", err)
-	}
-	err = a.Close()
-	if err != io.EOF {
-		t.Errorf("expect EOF on double close.")
-	}
-}

vendor/golang.org/x/crypto/ssh/messages_test.go

@@ -1,288 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"math/big"
-	"math/rand"
-	"reflect"
-	"testing"
-	"testing/quick"
-)
-
-var intLengthTests = []struct {
-	val, length int
-}{
-	{0, 4 + 0},
-	{1, 4 + 1},
-	{127, 4 + 1},
-	{128, 4 + 2},
-	{-1, 4 + 1},
-}
-
-func TestIntLength(t *testing.T) {
-	for _, test := range intLengthTests {
-		v := new(big.Int).SetInt64(int64(test.val))
-		length := intLength(v)
-		if length != test.length {
-			t.Errorf("For %d, got length %d but expected %d", test.val, length, test.length)
-		}
-	}
-}
-
-type msgAllTypes struct {
-	Bool    bool `sshtype:"21"`
-	Array   [16]byte
-	Uint64  uint64
-	Uint32  uint32
-	Uint8   uint8
-	String  string
-	Strings []string
-	Bytes   []byte
-	Int     *big.Int
-	Rest    []byte `ssh:"rest"`
-}
-
-func (t *msgAllTypes) Generate(rand *rand.Rand, size int) reflect.Value {
-	m := &msgAllTypes{}
-	m.Bool = rand.Intn(2) == 1
-	randomBytes(m.Array[:], rand)
-	m.Uint64 = uint64(rand.Int63n(1<<63 - 1))
-	m.Uint32 = uint32(rand.Intn((1 << 31) - 1))
-	m.Uint8 = uint8(rand.Intn(1 << 8))
-	m.String = string(m.Array[:])
-	m.Strings = randomNameList(rand)
-	m.Bytes = m.Array[:]
-	m.Int = randomInt(rand)
-	m.Rest = m.Array[:]
-	return reflect.ValueOf(m)
-}
-
-func TestMarshalUnmarshal(t *testing.T) {
-	rand := rand.New(rand.NewSource(0))
-	iface := &msgAllTypes{}
-	ty := reflect.ValueOf(iface).Type()
-
-	n := 100
-	if testing.Short() {
-		n = 5
-	}
-	for j := 0; j < n; j++ {
-		v, ok := quick.Value(ty, rand)
-		if !ok {
-			t.Errorf("failed to create value")
-			break
-		}
-
-		m1 := v.Elem().Interface()
-		m2 := iface
-
-		marshaled := Marshal(m1)
-		if err := Unmarshal(marshaled, m2); err != nil {
-			t.Errorf("Unmarshal %#v: %s", m1, err)
-			break
-		}
-
-		if !reflect.DeepEqual(v.Interface(), m2) {
-			t.Errorf("got: %#v\nwant:%#v\n%x", m2, m1, marshaled)
-			break
-		}
-	}
-}
-
-func TestUnmarshalEmptyPacket(t *testing.T) {
-	var b []byte
-	var m channelRequestSuccessMsg
-	if err := Unmarshal(b, &m); err == nil {
-		t.Fatalf("unmarshal of empty slice succeeded")
-	}
-}
-
-func TestUnmarshalUnexpectedPacket(t *testing.T) {
-	type S struct {
-		I uint32 `sshtype:"43"`
-		S string
-		B bool
-	}
-
-	s := S{11, "hello", true}
-	packet := Marshal(s)
-	packet[0] = 42
-	roundtrip := S{}
-	err := Unmarshal(packet, &roundtrip)
-	if err == nil {
-		t.Fatal("expected error, not nil")
-	}
-}
-
-func TestMarshalPtr(t *testing.T) {
-	s := struct {
-		S string
-	}{"hello"}
-
-	m1 := Marshal(s)
-	m2 := Marshal(&s)
-	if !bytes.Equal(m1, m2) {
-		t.Errorf("got %q, want %q for marshaled pointer", m2, m1)
-	}
-}
-
-func TestBareMarshalUnmarshal(t *testing.T) {
-	type S struct {
-		I uint32
-		S string
-		B bool
-	}
-
-	s := S{42, "hello", true}
-	packet := Marshal(s)
-	roundtrip := S{}
-	Unmarshal(packet, &roundtrip)
-
-	if !reflect.DeepEqual(s, roundtrip) {
-		t.Errorf("got %#v, want %#v", roundtrip, s)
-	}
-}
-
-func TestBareMarshal(t *testing.T) {
-	type S2 struct {
-		I uint32
-	}
-	s := S2{42}
-	packet := Marshal(s)
-	i, rest, ok := parseUint32(packet)
-	if len(rest) > 0 || !ok {
-		t.Errorf("parseInt(%q): parse error", packet)
-	}
-	if i != s.I {
-		t.Errorf("got %d, want %d", i, s.I)
-	}
-}
-
-func TestUnmarshalShortKexInitPacket(t *testing.T) {
-	// This used to panic.
-	// Issue 11348
-	packet := []byte{0x14, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0xff, 0xff, 0xff, 0xff}
-	kim := &kexInitMsg{}
-	if err := Unmarshal(packet, kim); err == nil {
-		t.Error("truncated packet unmarshaled without error")
-	}
-}
-
-func TestMarshalMultiTag(t *testing.T) {
-	var res struct {
-		A uint32 `sshtype:"1|2"`
-	}
-
-	good1 := struct {
-		A uint32 `sshtype:"1"`
-	}{
-		1,
-	}
-	good2 := struct {
-		A uint32 `sshtype:"2"`
-	}{
-		1,
-	}
-
-	if e := Unmarshal(Marshal(good1), &res); e != nil {
-		t.Errorf("error unmarshaling multipart tag: %v", e)
-	}
-
-	if e := Unmarshal(Marshal(good2), &res); e != nil {
-		t.Errorf("error unmarshaling multipart tag: %v", e)
-	}
-
-	bad1 := struct {
-		A uint32 `sshtype:"3"`
-	}{
-		1,
-	}
-	if e := Unmarshal(Marshal(bad1), &res); e == nil {
-		t.Errorf("bad struct unmarshaled without error")
-	}
-}
-
-func randomBytes(out []byte, rand *rand.Rand) {
-	for i := 0; i < len(out); i++ {
-		out[i] = byte(rand.Int31())
-	}
-}
-
-func randomNameList(rand *rand.Rand) []string {
-	ret := make([]string, rand.Int31()&15)
-	for i := range ret {
-		s := make([]byte, 1+(rand.Int31()&15))
-		for j := range s {
-			s[j] = 'a' + uint8(rand.Int31()&15)
-		}
-		ret[i] = string(s)
-	}
-	return ret
-}
-
-func randomInt(rand *rand.Rand) *big.Int {
-	return new(big.Int).SetInt64(int64(int32(rand.Uint32())))
-}
-
-func (*kexInitMsg) Generate(rand *rand.Rand, size int) reflect.Value {
-	ki := &kexInitMsg{}
-	randomBytes(ki.Cookie[:], rand)
-	ki.KexAlgos = randomNameList(rand)
-	ki.ServerHostKeyAlgos = randomNameList(rand)
-	ki.CiphersClientServer = randomNameList(rand)
-	ki.CiphersServerClient = randomNameList(rand)
-	ki.MACsClientServer = randomNameList(rand)
-	ki.MACsServerClient = randomNameList(rand)
-	ki.CompressionClientServer = randomNameList(rand)
-	ki.CompressionServerClient = randomNameList(rand)
-	ki.LanguagesClientServer = randomNameList(rand)
-	ki.LanguagesServerClient = randomNameList(rand)
-	if rand.Int31()&1 == 1 {
-		ki.FirstKexFollows = true
-	}
-	return reflect.ValueOf(ki)
-}
-
-func (*kexDHInitMsg) Generate(rand *rand.Rand, size int) reflect.Value {
-	dhi := &kexDHInitMsg{}
-	dhi.X = randomInt(rand)
-	return reflect.ValueOf(dhi)
-}
-
-var (
-	_kexInitMsg   = new(kexInitMsg).Generate(rand.New(rand.NewSource(0)), 10).Elem().Interface()
-	_kexDHInitMsg = new(kexDHInitMsg).Generate(rand.New(rand.NewSource(0)), 10).Elem().Interface()
-
-	_kexInit   = Marshal(_kexInitMsg)
-	_kexDHInit = Marshal(_kexDHInitMsg)
-)
-
-func BenchmarkMarshalKexInitMsg(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		Marshal(_kexInitMsg)
-	}
-}
-
-func BenchmarkUnmarshalKexInitMsg(b *testing.B) {
-	m := new(kexInitMsg)
-	for i := 0; i < b.N; i++ {
-		Unmarshal(_kexInit, m)
-	}
-}
-
-func BenchmarkMarshalKexDHInitMsg(b *testing.B) {
-	for i := 0; i < b.N; i++ {
-		Marshal(_kexDHInitMsg)
-	}
-}
-
-func BenchmarkUnmarshalKexDHInitMsg(b *testing.B) {
-	m := new(kexDHInitMsg)
-	for i := 0; i < b.N; i++ {
-		Unmarshal(_kexDHInit, m)
-	}
-}

vendor/golang.org/x/crypto/ssh/mux.go

@@ -116,9 +116,9 @@ func (m *mux) Wait() error {
 func newMux(p packetConn) *mux {
 	m := &mux{
 		conn:             p,
-		incomingChannels: make(chan NewChannel, 16),
+		incomingChannels: make(chan NewChannel, chanSize),
 		globalResponses:  make(chan interface{}, 1),
-		incomingRequests: make(chan *Request, 16),
+		incomingRequests: make(chan *Request, chanSize),
 		errCond:          newCond(),
 	}
 	if debugMux {

vendor/golang.org/x/crypto/ssh/mux_test.go

@@ -1,502 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"io"
-	"io/ioutil"
-	"sync"
-	"testing"
-)
-
-func muxPair() (*mux, *mux) {
-	a, b := memPipe()
-
-	s := newMux(a)
-	c := newMux(b)
-
-	return s, c
-}
-
-// Returns both ends of a channel, and the mux for the the 2nd
-// channel.
-func channelPair(t *testing.T) (*channel, *channel, *mux) {
-	c, s := muxPair()
-
-	res := make(chan *channel, 1)
-	go func() {
-		newCh, ok := <-s.incomingChannels
-		if !ok {
-			t.Fatalf("No incoming channel")
-		}
-		if newCh.ChannelType() != "chan" {
-			t.Fatalf("got type %q want chan", newCh.ChannelType())
-		}
-		ch, _, err := newCh.Accept()
-		if err != nil {
-			t.Fatalf("Accept %v", err)
-		}
-		res <- ch.(*channel)
-	}()
-
-	ch, err := c.openChannel("chan", nil)
-	if err != nil {
-		t.Fatalf("OpenChannel: %v", err)
-	}
-
-	return <-res, ch, c
-}
-
-// Test that stderr and stdout can be addressed from different
-// goroutines. This is intended for use with the race detector.
-func TestMuxChannelExtendedThreadSafety(t *testing.T) {
-	writer, reader, mux := channelPair(t)
-	defer writer.Close()
-	defer reader.Close()
-	defer mux.Close()
-
-	var wr, rd sync.WaitGroup
-	magic := "hello world"
-
-	wr.Add(2)
-	go func() {
-		io.WriteString(writer, magic)
-		wr.Done()
-	}()
-	go func() {
-		io.WriteString(writer.Stderr(), magic)
-		wr.Done()
-	}()
-
-	rd.Add(2)
-	go func() {
-		c, err := ioutil.ReadAll(reader)
-		if string(c) != magic {
-			t.Fatalf("stdout read got %q, want %q (error %s)", c, magic, err)
-		}
-		rd.Done()
-	}()
-	go func() {
-		c, err := ioutil.ReadAll(reader.Stderr())
-		if string(c) != magic {
-			t.Fatalf("stderr read got %q, want %q (error %s)", c, magic, err)
-		}
-		rd.Done()
-	}()
-
-	wr.Wait()
-	writer.CloseWrite()
-	rd.Wait()
-}
-
-func TestMuxReadWrite(t *testing.T) {
-	s, c, mux := channelPair(t)
-	defer s.Close()
-	defer c.Close()
-	defer mux.Close()
-
-	magic := "hello world"
-	magicExt := "hello stderr"
-	go func() {
-		_, err := s.Write([]byte(magic))
-		if err != nil {
-			t.Fatalf("Write: %v", err)
-		}
-		_, err = s.Extended(1).Write([]byte(magicExt))
-		if err != nil {
-			t.Fatalf("Write: %v", err)
-		}
-		err = s.Close()
-		if err != nil {
-			t.Fatalf("Close: %v", err)
-		}
-	}()
-
-	var buf [1024]byte
-	n, err := c.Read(buf[:])
-	if err != nil {
-		t.Fatalf("server Read: %v", err)
-	}
-	got := string(buf[:n])
-	if got != magic {
-		t.Fatalf("server: got %q want %q", got, magic)
-	}
-
-	n, err = c.Extended(1).Read(buf[:])
-	if err != nil {
-		t.Fatalf("server Read: %v", err)
-	}
-
-	got = string(buf[:n])
-	if got != magicExt {
-		t.Fatalf("server: got %q want %q", got, magic)
-	}
-}
-
-func TestMuxChannelOverflow(t *testing.T) {
-	reader, writer, mux := channelPair(t)
-	defer reader.Close()
-	defer writer.Close()
-	defer mux.Close()
-
-	wDone := make(chan int, 1)
-	go func() {
-		if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
-			t.Errorf("could not fill window: %v", err)
-		}
-		writer.Write(make([]byte, 1))
-		wDone <- 1
-	}()
-	writer.remoteWin.waitWriterBlocked()
-
-	// Send 1 byte.
-	packet := make([]byte, 1+4+4+1)
-	packet[0] = msgChannelData
-	marshalUint32(packet[1:], writer.remoteId)
-	marshalUint32(packet[5:], uint32(1))
-	packet[9] = 42
-
-	if err := writer.mux.conn.writePacket(packet); err != nil {
-		t.Errorf("could not send packet")
-	}
-	if _, err := reader.SendRequest("hello", true, nil); err == nil {
-		t.Errorf("SendRequest succeeded.")
-	}
-	<-wDone
-}
-
-func TestMuxChannelCloseWriteUnblock(t *testing.T) {
-	reader, writer, mux := channelPair(t)
-	defer reader.Close()
-	defer writer.Close()
-	defer mux.Close()
-
-	wDone := make(chan int, 1)
-	go func() {
-		if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
-			t.Errorf("could not fill window: %v", err)
-		}
-		if _, err := writer.Write(make([]byte, 1)); err != io.EOF {
-			t.Errorf("got %v, want EOF for unblock write", err)
-		}
-		wDone <- 1
-	}()
-
-	writer.remoteWin.waitWriterBlocked()
-	reader.Close()
-	<-wDone
-}
-
-func TestMuxConnectionCloseWriteUnblock(t *testing.T) {
-	reader, writer, mux := channelPair(t)
-	defer reader.Close()
-	defer writer.Close()
-	defer mux.Close()
-
-	wDone := make(chan int, 1)
-	go func() {
-		if _, err := writer.Write(make([]byte, channelWindowSize)); err != nil {
-			t.Errorf("could not fill window: %v", err)
-		}
-		if _, err := writer.Write(make([]byte, 1)); err != io.EOF {
-			t.Errorf("got %v, want EOF for unblock write", err)
-		}
-		wDone <- 1
-	}()
-
-	writer.remoteWin.waitWriterBlocked()
-	mux.Close()
-	<-wDone
-}
-
-func TestMuxReject(t *testing.T) {
-	client, server := muxPair()
-	defer server.Close()
-	defer client.Close()
-
-	go func() {
-		ch, ok := <-server.incomingChannels
-		if !ok {
-			t.Fatalf("Accept")
-		}
-		if ch.ChannelType() != "ch" || string(ch.ExtraData()) != "extra" {
-			t.Fatalf("unexpected channel: %q, %q", ch.ChannelType(), ch.ExtraData())
-		}
-		ch.Reject(RejectionReason(42), "message")
-	}()
-
-	ch, err := client.openChannel("ch", []byte("extra"))
-	if ch != nil {
-		t.Fatal("openChannel not rejected")
-	}
-
-	ocf, ok := err.(*OpenChannelError)
-	if !ok {
-		t.Errorf("got %#v want *OpenChannelError", err)
-	} else if ocf.Reason != 42 || ocf.Message != "message" {
-		t.Errorf("got %#v, want {Reason: 42, Message: %q}", ocf, "message")
-	}
-
-	want := "ssh: rejected: unknown reason 42 (message)"
-	if err.Error() != want {
-		t.Errorf("got %q, want %q", err.Error(), want)
-	}
-}
-
-func TestMuxChannelRequest(t *testing.T) {
-	client, server, mux := channelPair(t)
-	defer server.Close()
-	defer client.Close()
-	defer mux.Close()
-
-	var received int
-	var wg sync.WaitGroup
-	wg.Add(1)
-	go func() {
-		for r := range server.incomingRequests {
-			received++
-			r.Reply(r.Type == "yes", nil)
-		}
-		wg.Done()
-	}()
-	_, err := client.SendRequest("yes", false, nil)
-	if err != nil {
-		t.Fatalf("SendRequest: %v", err)
-	}
-	ok, err := client.SendRequest("yes", true, nil)
-	if err != nil {
-		t.Fatalf("SendRequest: %v", err)
-	}
-
-	if !ok {
-		t.Errorf("SendRequest(yes): %v", ok)
-
-	}
-
-	ok, err = client.SendRequest("no", true, nil)
-	if err != nil {
-		t.Fatalf("SendRequest: %v", err)
-	}
-	if ok {
-		t.Errorf("SendRequest(no): %v", ok)
-
-	}
-
-	client.Close()
-	wg.Wait()
-
-	if received != 3 {
-		t.Errorf("got %d requests, want %d", received, 3)
-	}
-}
-
-func TestMuxGlobalRequest(t *testing.T) {
-	clientMux, serverMux := muxPair()
-	defer serverMux.Close()
-	defer clientMux.Close()
-
-	var seen bool
-	go func() {
-		for r := range serverMux.incomingRequests {
-			seen = seen || r.Type == "peek"
-			if r.WantReply {
-				err := r.Reply(r.Type == "yes",
-					append([]byte(r.Type), r.Payload...))
-				if err != nil {
-					t.Errorf("AckRequest: %v", err)
-				}
-			}
-		}
-	}()
-
-	_, _, err := clientMux.SendRequest("peek", false, nil)
-	if err != nil {
-		t.Errorf("SendRequest: %v", err)
-	}
-
-	ok, data, err := clientMux.SendRequest("yes", true, []byte("a"))
-	if !ok || string(data) != "yesa" || err != nil {
-		t.Errorf("SendRequest(\"yes\", true, \"a\"): %v %v %v",
-			ok, data, err)
-	}
-	if ok, data, err := clientMux.SendRequest("yes", true, []byte("a")); !ok || string(data) != "yesa" || err != nil {
-		t.Errorf("SendRequest(\"yes\", true, \"a\"): %v %v %v",
-			ok, data, err)
-	}
-
-	if ok, data, err := clientMux.SendRequest("no", true, []byte("a")); ok || string(data) != "noa" || err != nil {
-		t.Errorf("SendRequest(\"no\", true, \"a\"): %v %v %v",
-			ok, data, err)
-	}
-
-	if !seen {
-		t.Errorf("never saw 'peek' request")
-	}
-}
-
-func TestMuxGlobalRequestUnblock(t *testing.T) {
-	clientMux, serverMux := muxPair()
-	defer serverMux.Close()
-	defer clientMux.Close()
-
-	result := make(chan error, 1)
-	go func() {
-		_, _, err := clientMux.SendRequest("hello", true, nil)
-		result <- err
-	}()
-
-	<-serverMux.incomingRequests
-	serverMux.conn.Close()
-	err := <-result
-
-	if err != io.EOF {
-		t.Errorf("want EOF, got %v", io.EOF)
-	}
-}
-
-func TestMuxChannelRequestUnblock(t *testing.T) {
-	a, b, connB := channelPair(t)
-	defer a.Close()
-	defer b.Close()
-	defer connB.Close()
-
-	result := make(chan error, 1)
-	go func() {
-		_, err := a.SendRequest("hello", true, nil)
-		result <- err
-	}()
-
-	<-b.incomingRequests
-	connB.conn.Close()
-	err := <-result
-
-	if err != io.EOF {
-		t.Errorf("want EOF, got %v", err)
-	}
-}
-
-func TestMuxCloseChannel(t *testing.T) {
-	r, w, mux := channelPair(t)
-	defer mux.Close()
-	defer r.Close()
-	defer w.Close()
-
-	result := make(chan error, 1)
-	go func() {
-		var b [1024]byte
-		_, err := r.Read(b[:])
-		result <- err
-	}()
-	if err := w.Close(); err != nil {
-		t.Errorf("w.Close: %v", err)
-	}
-
-	if _, err := w.Write([]byte("hello")); err != io.EOF {
-		t.Errorf("got err %v, want io.EOF after Close", err)
-	}
-
-	if err := <-result; err != io.EOF {
-		t.Errorf("got %v (%T), want io.EOF", err, err)
-	}
-}
-
-func TestMuxCloseWriteChannel(t *testing.T) {
-	r, w, mux := channelPair(t)
-	defer mux.Close()
-
-	result := make(chan error, 1)
-	go func() {
-		var b [1024]byte
-		_, err := r.Read(b[:])
-		result <- err
-	}()
-	if err := w.CloseWrite(); err != nil {
-		t.Errorf("w.CloseWrite: %v", err)
-	}
-
-	if _, err := w.Write([]byte("hello")); err != io.EOF {
-		t.Errorf("got err %v, want io.EOF after CloseWrite", err)
-	}
-
-	if err := <-result; err != io.EOF {
-		t.Errorf("got %v (%T), want io.EOF", err, err)
-	}
-}
-
-func TestMuxInvalidRecord(t *testing.T) {
-	a, b := muxPair()
-	defer a.Close()
-	defer b.Close()
-
-	packet := make([]byte, 1+4+4+1)
-	packet[0] = msgChannelData
-	marshalUint32(packet[1:], 29348723 /* invalid channel id */)
-	marshalUint32(packet[5:], 1)
-	packet[9] = 42
-
-	a.conn.writePacket(packet)
-	go a.SendRequest("hello", false, nil)
-	// 'a' wrote an invalid packet, so 'b' has exited.
-	req, ok := <-b.incomingRequests
-	if ok {
-		t.Errorf("got request %#v after receiving invalid packet", req)
-	}
-}
-
-func TestZeroWindowAdjust(t *testing.T) {
-	a, b, mux := channelPair(t)
-	defer a.Close()
-	defer b.Close()
-	defer mux.Close()
-
-	go func() {
-		io.WriteString(a, "hello")
-		// bogus adjust.
-		a.sendMessage(windowAdjustMsg{})
-		io.WriteString(a, "world")
-		a.Close()
-	}()
-
-	want := "helloworld"
-	c, _ := ioutil.ReadAll(b)
-	if string(c) != want {
-		t.Errorf("got %q want %q", c, want)
-	}
-}
-
-func TestMuxMaxPacketSize(t *testing.T) {
-	a, b, mux := channelPair(t)
-	defer a.Close()
-	defer b.Close()
-	defer mux.Close()
-
-	large := make([]byte, a.maxRemotePayload+1)
-	packet := make([]byte, 1+4+4+1+len(large))
-	packet[0] = msgChannelData
-	marshalUint32(packet[1:], a.remoteId)
-	marshalUint32(packet[5:], uint32(len(large)))
-	packet[9] = 42
-
-	if err := a.mux.conn.writePacket(packet); err != nil {
-		t.Errorf("could not send packet")
-	}
-
-	go a.SendRequest("hello", false, nil)
-
-	_, ok := <-b.incomingRequests
-	if ok {
-		t.Errorf("connection still alive after receiving large packet.")
-	}
-}
-
-// Don't ship code with debug=true.
-func TestDebug(t *testing.T) {
-	if debugMux {
-		t.Error("mux debug switched on")
-	}
-	if debugHandshake {
-		t.Error("handshake debug switched on")
-	}
-}

vendor/golang.org/x/crypto/ssh/server.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"strings"
 )
 
 // The Permissions type holds fine-grained permissions that are
@@ -188,7 +189,7 @@ func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error)
 	tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
 	s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
 
-	if err := s.transport.requestInitialKeyChange(); err != nil {
+	if err := s.transport.waitSession(); err != nil {
 		return nil, err
 	}
 
@@ -231,7 +232,7 @@ func isAcceptableAlgo(algo string) bool {
 	return false
 }
 
-func checkSourceAddress(addr net.Addr, sourceAddr string) error {
+func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
 	if addr == nil {
 		return errors.New("ssh: no address known for client, but source-address match required")
 	}
@@ -241,18 +242,20 @@ func checkSourceAddress(addr net.Addr, sourceAddr string) error {
 		return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
 	}
 
-	if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
-		if bytes.Equal(allowedIP, tcpAddr.IP) {
-			return nil
-		}
-	} else {
-		_, ipNet, err := net.ParseCIDR(sourceAddr)
-		if err != nil {
-			return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
-		}
+	for _, sourceAddr := range strings.Split(sourceAddrs, ",") {
+		if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
+			if allowedIP.Equal(tcpAddr.IP) {
+				return nil
+			}
+		} else {
+			_, ipNet, err := net.ParseCIDR(sourceAddr)
+			if err != nil {
+				return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
+			}
 
-		if ipNet.Contains(tcpAddr.IP) {
-			return nil
+			if ipNet.Contains(tcpAddr.IP) {
+				return nil
+			}
 		}
 	}
 
@@ -260,7 +263,7 @@ func checkSourceAddress(addr net.Addr, sourceAddr string) error {
 }
 
 func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
-	var err error
+	sessionID := s.transport.getSessionID()
 	var cache pubKeyCache
 	var perms *Permissions
 
@@ -385,7 +388,7 @@ userAuthLoop:
 				if !isAcceptableAlgo(sig.Format) {
 					break
 				}
-				signedData := buildDataSignedForAuth(s.transport.getSessionID(), userAuthReq, algoBytes, pubKeyData)
+				signedData := buildDataSignedForAuth(sessionID, userAuthReq, algoBytes, pubKeyData)
 
 				if err := pubKey.Verify(signedData, sig); err != nil {
 					return nil, err
@@ -421,12 +424,12 @@ userAuthLoop:
 			return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
 		}
 
-		if err = s.transport.writePacket(Marshal(&failureMsg)); err != nil {
+		if err := s.transport.writePacket(Marshal(&failureMsg)); err != nil {
 			return nil, err
 		}
 	}
 
-	if err = s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
+	if err := s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
 		return nil, err
 	}
 	return perms, nil

vendor/golang.org/x/crypto/ssh/session_test.go

@@ -1,770 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-// Session tests.
-
-import (
-	"bytes"
-	crypto_rand "crypto/rand"
-	"errors"
-	"io"
-	"io/ioutil"
-	"math/rand"
-	"net"
-	"testing"
-
-	"golang.org/x/crypto/ssh/terminal"
-)
-
-type serverType func(Channel, <-chan *Request, *testing.T)
-
-// dial constructs a new test server and returns a *ClientConn.
-func dial(handler serverType, t *testing.T) *Client {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-
-	go func() {
-		defer c1.Close()
-		conf := ServerConfig{
-			NoClientAuth: true,
-		}
-		conf.AddHostKey(testSigners["rsa"])
-
-		_, chans, reqs, err := NewServerConn(c1, &conf)
-		if err != nil {
-			t.Fatalf("Unable to handshake: %v", err)
-		}
-		go DiscardRequests(reqs)
-
-		for newCh := range chans {
-			if newCh.ChannelType() != "session" {
-				newCh.Reject(UnknownChannelType, "unknown channel type")
-				continue
-			}
-
-			ch, inReqs, err := newCh.Accept()
-			if err != nil {
-				t.Errorf("Accept: %v", err)
-				continue
-			}
-			go func() {
-				handler(ch, inReqs, t)
-			}()
-		}
-	}()
-
-	config := &ClientConfig{
-		User: "testuser",
-	}
-
-	conn, chans, reqs, err := NewClientConn(c2, "", config)
-	if err != nil {
-		t.Fatalf("unable to dial remote side: %v", err)
-	}
-
-	return NewClient(conn, chans, reqs)
-}
-
-// Test a simple string is returned to session.Stdout.
-func TestSessionShell(t *testing.T) {
-	conn := dial(shellHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	stdout := new(bytes.Buffer)
-	session.Stdout = stdout
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %s", err)
-	}
-	if err := session.Wait(); err != nil {
-		t.Fatalf("Remote command did not exit cleanly: %v", err)
-	}
-	actual := stdout.String()
-	if actual != "golang" {
-		t.Fatalf("Remote shell did not return expected string: expected=golang, actual=%s", actual)
-	}
-}
-
-// TODO(dfc) add support for Std{in,err}Pipe when the Server supports it.
-
-// Test a simple string is returned via StdoutPipe.
-func TestSessionStdoutPipe(t *testing.T) {
-	conn := dial(shellHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	stdout, err := session.StdoutPipe()
-	if err != nil {
-		t.Fatalf("Unable to request StdoutPipe(): %v", err)
-	}
-	var buf bytes.Buffer
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	done := make(chan bool, 1)
-	go func() {
-		if _, err := io.Copy(&buf, stdout); err != nil {
-			t.Errorf("Copy of stdout failed: %v", err)
-		}
-		done <- true
-	}()
-	if err := session.Wait(); err != nil {
-		t.Fatalf("Remote command did not exit cleanly: %v", err)
-	}
-	<-done
-	actual := buf.String()
-	if actual != "golang" {
-		t.Fatalf("Remote shell did not return expected string: expected=golang, actual=%s", actual)
-	}
-}
-
-// Test that a simple string is returned via the Output helper,
-// and that stderr is discarded.
-func TestSessionOutput(t *testing.T) {
-	conn := dial(fixedOutputHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-
-	buf, err := session.Output("") // cmd is ignored by fixedOutputHandler
-	if err != nil {
-		t.Error("Remote command did not exit cleanly:", err)
-	}
-	w := "this-is-stdout."
-	g := string(buf)
-	if g != w {
-		t.Error("Remote command did not return expected string:")
-		t.Logf("want %q", w)
-		t.Logf("got  %q", g)
-	}
-}
-
-// Test that both stdout and stderr are returned
-// via the CombinedOutput helper.
-func TestSessionCombinedOutput(t *testing.T) {
-	conn := dial(fixedOutputHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-
-	buf, err := session.CombinedOutput("") // cmd is ignored by fixedOutputHandler
-	if err != nil {
-		t.Error("Remote command did not exit cleanly:", err)
-	}
-	const stdout = "this-is-stdout."
-	const stderr = "this-is-stderr."
-	g := string(buf)
-	if g != stdout+stderr && g != stderr+stdout {
-		t.Error("Remote command did not return expected string:")
-		t.Logf("want %q, or %q", stdout+stderr, stderr+stdout)
-		t.Logf("got  %q", g)
-	}
-}
-
-// Test non-0 exit status is returned correctly.
-func TestExitStatusNonZero(t *testing.T) {
-	conn := dial(exitStatusNonZeroHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	e, ok := err.(*ExitError)
-	if !ok {
-		t.Fatalf("expected *ExitError but got %T", err)
-	}
-	if e.ExitStatus() != 15 {
-		t.Fatalf("expected command to exit with 15 but got %v", e.ExitStatus())
-	}
-}
-
-// Test 0 exit status is returned correctly.
-func TestExitStatusZero(t *testing.T) {
-	conn := dial(exitStatusZeroHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err != nil {
-		t.Fatalf("expected nil but got %v", err)
-	}
-}
-
-// Test exit signal and status are both returned correctly.
-func TestExitSignalAndStatus(t *testing.T) {
-	conn := dial(exitSignalAndStatusHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	e, ok := err.(*ExitError)
-	if !ok {
-		t.Fatalf("expected *ExitError but got %T", err)
-	}
-	if e.Signal() != "TERM" || e.ExitStatus() != 15 {
-		t.Fatalf("expected command to exit with signal TERM and status 15 but got signal %s and status %v", e.Signal(), e.ExitStatus())
-	}
-}
-
-// Test exit signal and status are both returned correctly.
-func TestKnownExitSignalOnly(t *testing.T) {
-	conn := dial(exitSignalHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	e, ok := err.(*ExitError)
-	if !ok {
-		t.Fatalf("expected *ExitError but got %T", err)
-	}
-	if e.Signal() != "TERM" || e.ExitStatus() != 143 {
-		t.Fatalf("expected command to exit with signal TERM and status 143 but got signal %s and status %v", e.Signal(), e.ExitStatus())
-	}
-}
-
-// Test exit signal and status are both returned correctly.
-func TestUnknownExitSignal(t *testing.T) {
-	conn := dial(exitSignalUnknownHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	e, ok := err.(*ExitError)
-	if !ok {
-		t.Fatalf("expected *ExitError but got %T", err)
-	}
-	if e.Signal() != "SYS" || e.ExitStatus() != 128 {
-		t.Fatalf("expected command to exit with signal SYS and status 128 but got signal %s and status %v", e.Signal(), e.ExitStatus())
-	}
-}
-
-func TestExitWithoutStatusOrSignal(t *testing.T) {
-	conn := dial(exitWithoutSignalOrStatus, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("Unable to request new session: %v", err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err == nil {
-		t.Fatalf("expected command to fail but it didn't")
-	}
-	if _, ok := err.(*ExitMissingError); !ok {
-		t.Fatalf("got %T want *ExitMissingError", err)
-	}
-}
-
-// windowTestBytes is the number of bytes that we'll send to the SSH server.
-const windowTestBytes = 16000 * 200
-
-// TestServerWindow writes random data to the server. The server is expected to echo
-// the same data back, which is compared against the original.
-func TestServerWindow(t *testing.T) {
-	origBuf := bytes.NewBuffer(make([]byte, 0, windowTestBytes))
-	io.CopyN(origBuf, crypto_rand.Reader, windowTestBytes)
-	origBytes := origBuf.Bytes()
-
-	conn := dial(echoHandler, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer session.Close()
-	result := make(chan []byte)
-
-	go func() {
-		defer close(result)
-		echoedBuf := bytes.NewBuffer(make([]byte, 0, windowTestBytes))
-		serverStdout, err := session.StdoutPipe()
-		if err != nil {
-			t.Errorf("StdoutPipe failed: %v", err)
-			return
-		}
-		n, err := copyNRandomly("stdout", echoedBuf, serverStdout, windowTestBytes)
-		if err != nil && err != io.EOF {
-			t.Errorf("Read only %d bytes from server, expected %d: %v", n, windowTestBytes, err)
-		}
-		result <- echoedBuf.Bytes()
-	}()
-
-	serverStdin, err := session.StdinPipe()
-	if err != nil {
-		t.Fatalf("StdinPipe failed: %v", err)
-	}
-	written, err := copyNRandomly("stdin", serverStdin, origBuf, windowTestBytes)
-	if err != nil {
-		t.Fatalf("failed to copy origBuf to serverStdin: %v", err)
-	}
-	if written != windowTestBytes {
-		t.Fatalf("Wrote only %d of %d bytes to server", written, windowTestBytes)
-	}
-
-	echoedBytes := <-result
-
-	if !bytes.Equal(origBytes, echoedBytes) {
-		t.Fatalf("Echoed buffer differed from original, orig %d, echoed %d", len(origBytes), len(echoedBytes))
-	}
-}
-
-// Verify the client can handle a keepalive packet from the server.
-func TestClientHandlesKeepalives(t *testing.T) {
-	conn := dial(channelKeepaliveSender, t)
-	defer conn.Close()
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer session.Close()
-	if err := session.Shell(); err != nil {
-		t.Fatalf("Unable to execute command: %v", err)
-	}
-	err = session.Wait()
-	if err != nil {
-		t.Fatalf("expected nil but got: %v", err)
-	}
-}
-
-type exitStatusMsg struct {
-	Status uint32
-}
-
-type exitSignalMsg struct {
-	Signal     string
-	CoreDumped bool
-	Errmsg     string
-	Lang       string
-}
-
-func handleTerminalRequests(in <-chan *Request) {
-	for req := range in {
-		ok := false
-		switch req.Type {
-		case "shell":
-			ok = true
-			if len(req.Payload) > 0 {
-				// We don't accept any commands, only the default shell.
-				ok = false
-			}
-		case "env":
-			ok = true
-		}
-		req.Reply(ok, nil)
-	}
-}
-
-func newServerShell(ch Channel, in <-chan *Request, prompt string) *terminal.Terminal {
-	term := terminal.NewTerminal(ch, prompt)
-	go handleTerminalRequests(in)
-	return term
-}
-
-func exitStatusZeroHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	// this string is returned to stdout
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendStatus(0, ch, t)
-}
-
-func exitStatusNonZeroHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendStatus(15, ch, t)
-}
-
-func exitSignalAndStatusHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendStatus(15, ch, t)
-	sendSignal("TERM", ch, t)
-}
-
-func exitSignalHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendSignal("TERM", ch, t)
-}
-
-func exitSignalUnknownHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	sendSignal("SYS", ch, t)
-}
-
-func exitWithoutSignalOrStatus(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-}
-
-func shellHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	// this string is returned to stdout
-	shell := newServerShell(ch, in, "golang")
-	readLine(shell, t)
-	sendStatus(0, ch, t)
-}
-
-// Ignores the command, writes fixed strings to stderr and stdout.
-// Strings are "this-is-stdout." and "this-is-stderr.".
-func fixedOutputHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	_, err := ch.Read(nil)
-
-	req, ok := <-in
-	if !ok {
-		t.Fatalf("error: expected channel request, got: %#v", err)
-		return
-	}
-
-	// ignore request, always send some text
-	req.Reply(true, nil)
-
-	_, err = io.WriteString(ch, "this-is-stdout.")
-	if err != nil {
-		t.Fatalf("error writing on server: %v", err)
-	}
-	_, err = io.WriteString(ch.Stderr(), "this-is-stderr.")
-	if err != nil {
-		t.Fatalf("error writing on server: %v", err)
-	}
-	sendStatus(0, ch, t)
-}
-
-func readLine(shell *terminal.Terminal, t *testing.T) {
-	if _, err := shell.ReadLine(); err != nil && err != io.EOF {
-		t.Errorf("unable to read line: %v", err)
-	}
-}
-
-func sendStatus(status uint32, ch Channel, t *testing.T) {
-	msg := exitStatusMsg{
-		Status: status,
-	}
-	if _, err := ch.SendRequest("exit-status", false, Marshal(&msg)); err != nil {
-		t.Errorf("unable to send status: %v", err)
-	}
-}
-
-func sendSignal(signal string, ch Channel, t *testing.T) {
-	sig := exitSignalMsg{
-		Signal:     signal,
-		CoreDumped: false,
-		Errmsg:     "Process terminated",
-		Lang:       "en-GB-oed",
-	}
-	if _, err := ch.SendRequest("exit-signal", false, Marshal(&sig)); err != nil {
-		t.Errorf("unable to send signal: %v", err)
-	}
-}
-
-func discardHandler(ch Channel, t *testing.T) {
-	defer ch.Close()
-	io.Copy(ioutil.Discard, ch)
-}
-
-func echoHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	if n, err := copyNRandomly("echohandler", ch, ch, windowTestBytes); err != nil {
-		t.Errorf("short write, wrote %d, expected %d: %v ", n, windowTestBytes, err)
-	}
-}
-
-// copyNRandomly copies n bytes from src to dst. It uses a variable, and random,
-// buffer size to exercise more code paths.
-func copyNRandomly(title string, dst io.Writer, src io.Reader, n int) (int, error) {
-	var (
-		buf       = make([]byte, 32*1024)
-		written   int
-		remaining = n
-	)
-	for remaining > 0 {
-		l := rand.Intn(1 << 15)
-		if remaining < l {
-			l = remaining
-		}
-		nr, er := src.Read(buf[:l])
-		nw, ew := dst.Write(buf[:nr])
-		remaining -= nw
-		written += nw
-		if ew != nil {
-			return written, ew
-		}
-		if nr != nw {
-			return written, io.ErrShortWrite
-		}
-		if er != nil && er != io.EOF {
-			return written, er
-		}
-	}
-	return written, nil
-}
-
-func channelKeepaliveSender(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	shell := newServerShell(ch, in, "> ")
-	readLine(shell, t)
-	if _, err := ch.SendRequest("keepalive@openssh.com", true, nil); err != nil {
-		t.Errorf("unable to send channel keepalive request: %v", err)
-	}
-	sendStatus(0, ch, t)
-}
-
-func TestClientWriteEOF(t *testing.T) {
-	conn := dial(simpleEchoHandler, t)
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer session.Close()
-	stdin, err := session.StdinPipe()
-	if err != nil {
-		t.Fatalf("StdinPipe failed: %v", err)
-	}
-	stdout, err := session.StdoutPipe()
-	if err != nil {
-		t.Fatalf("StdoutPipe failed: %v", err)
-	}
-
-	data := []byte(`0000`)
-	_, err = stdin.Write(data)
-	if err != nil {
-		t.Fatalf("Write failed: %v", err)
-	}
-	stdin.Close()
-
-	res, err := ioutil.ReadAll(stdout)
-	if err != nil {
-		t.Fatalf("Read failed: %v", err)
-	}
-
-	if !bytes.Equal(data, res) {
-		t.Fatalf("Read differed from write, wrote: %v, read: %v", data, res)
-	}
-}
-
-func simpleEchoHandler(ch Channel, in <-chan *Request, t *testing.T) {
-	defer ch.Close()
-	data, err := ioutil.ReadAll(ch)
-	if err != nil {
-		t.Errorf("handler read error: %v", err)
-	}
-	_, err = ch.Write(data)
-	if err != nil {
-		t.Errorf("handler write error: %v", err)
-	}
-}
-
-func TestSessionID(t *testing.T) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	serverID := make(chan []byte, 1)
-	clientID := make(chan []byte, 1)
-
-	serverConf := &ServerConfig{
-		NoClientAuth: true,
-	}
-	serverConf.AddHostKey(testSigners["ecdsa"])
-	clientConf := &ClientConfig{
-		User: "user",
-	}
-
-	go func() {
-		conn, chans, reqs, err := NewServerConn(c1, serverConf)
-		if err != nil {
-			t.Fatalf("server handshake: %v", err)
-		}
-		serverID <- conn.SessionID()
-		go DiscardRequests(reqs)
-		for ch := range chans {
-			ch.Reject(Prohibited, "")
-		}
-	}()
-
-	go func() {
-		conn, chans, reqs, err := NewClientConn(c2, "", clientConf)
-		if err != nil {
-			t.Fatalf("client handshake: %v", err)
-		}
-		clientID <- conn.SessionID()
-		go DiscardRequests(reqs)
-		for ch := range chans {
-			ch.Reject(Prohibited, "")
-		}
-	}()
-
-	s := <-serverID
-	c := <-clientID
-	if bytes.Compare(s, c) != 0 {
-		t.Errorf("server session ID (%x) != client session ID (%x)", s, c)
-	} else if len(s) == 0 {
-		t.Errorf("client and server SessionID were empty.")
-	}
-}
-
-type noReadConn struct {
-	readSeen bool
-	net.Conn
-}
-
-func (c *noReadConn) Close() error {
-	return nil
-}
-
-func (c *noReadConn) Read(b []byte) (int, error) {
-	c.readSeen = true
-	return 0, errors.New("noReadConn error")
-}
-
-func TestInvalidServerConfiguration(t *testing.T) {
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	serveConn := noReadConn{Conn: c1}
-	serverConf := &ServerConfig{}
-
-	NewServerConn(&serveConn, serverConf)
-	if serveConn.readSeen {
-		t.Fatalf("NewServerConn attempted to Read() from Conn while configuration is missing host key")
-	}
-
-	serverConf.AddHostKey(testSigners["ecdsa"])
-
-	NewServerConn(&serveConn, serverConf)
-	if serveConn.readSeen {
-		t.Fatalf("NewServerConn attempted to Read() from Conn while configuration is missing authentication method")
-	}
-}
-
-func TestHostKeyAlgorithms(t *testing.T) {
-	serverConf := &ServerConfig{
-		NoClientAuth: true,
-	}
-	serverConf.AddHostKey(testSigners["rsa"])
-	serverConf.AddHostKey(testSigners["ecdsa"])
-
-	connect := func(clientConf *ClientConfig, want string) {
-		var alg string
-		clientConf.HostKeyCallback = func(h string, a net.Addr, key PublicKey) error {
-			alg = key.Type()
-			return nil
-		}
-		c1, c2, err := netPipe()
-		if err != nil {
-			t.Fatalf("netPipe: %v", err)
-		}
-		defer c1.Close()
-		defer c2.Close()
-
-		go NewServerConn(c1, serverConf)
-		_, _, _, err = NewClientConn(c2, "", clientConf)
-		if err != nil {
-			t.Fatalf("NewClientConn: %v", err)
-		}
-		if alg != want {
-			t.Errorf("selected key algorithm %s, want %s", alg, want)
-		}
-	}
-
-	// By default, we get the preferred algorithm, which is ECDSA 256.
-
-	clientConf := &ClientConfig{}
-	connect(clientConf, KeyAlgoECDSA256)
-
-	// Client asks for RSA explicitly.
-	clientConf.HostKeyAlgorithms = []string{KeyAlgoRSA}
-	connect(clientConf, KeyAlgoRSA)
-
-	c1, c2, err := netPipe()
-	if err != nil {
-		t.Fatalf("netPipe: %v", err)
-	}
-	defer c1.Close()
-	defer c2.Close()
-
-	go NewServerConn(c1, serverConf)
-	clientConf.HostKeyAlgorithms = []string{"nonexistent-hostkey-algo"}
-	_, _, _, err = NewClientConn(c2, "", clientConf)
-	if err == nil {
-		t.Fatal("succeeded connecting with unknown hostkey algorithm")
-	}
-}

vendor/golang.org/x/crypto/ssh/tcpip_test.go

@@ -1,20 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"testing"
-)
-
-func TestAutoPortListenBroken(t *testing.T) {
-	broken := "SSH-2.0-OpenSSH_5.9hh11"
-	works := "SSH-2.0-OpenSSH_6.1"
-	if !isBrokenOpenSSHVersion(broken) {
-		t.Errorf("version %q not marked as broken", broken)
-	}
-	if isBrokenOpenSSHVersion(works) {
-		t.Errorf("version %q marked as broken", works)
-	}
-}

vendor/golang.org/x/crypto/ssh/terminal/terminal.go

@@ -772,8 +772,6 @@ func (t *Terminal) readLine() (line string, err error) {
 
 		t.remainder = t.inBuf[:n+len(t.remainder)]
 	}
-
-	panic("unreachable") // for Go 1.0.
 }
 
 // SetPrompt sets the prompt to be used when reading subsequent lines.
@@ -922,3 +920,32 @@ func (s *stRingBuffer) NthPreviousEntry(n int) (value string, ok bool) {
 	}
 	return s.entries[index], true
 }
+
+// readPasswordLine reads from reader until it finds \n or io.EOF.
+// The slice returned does not include the \n.
+// readPasswordLine also ignores any \r it finds.
+func readPasswordLine(reader io.Reader) ([]byte, error) {
+	var buf [1]byte
+	var ret []byte
+
+	for {
+		n, err := reader.Read(buf[:])
+		if n > 0 {
+			switch buf[0] {
+			case '\n':
+				return ret, nil
+			case '\r':
+				// remove \r from passwords on Windows
+			default:
+				ret = append(ret, buf[0])
+			}
+			continue
+		}
+		if err != nil {
+			if err == io.EOF && len(ret) > 0 {
+				return ret, nil
+			}
+			return ret, err
+		}
+	}
+}

vendor/golang.org/x/crypto/ssh/terminal/terminal_test.go

@@ -1,291 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package terminal
-
-import (
-	"io"
-	"os"
-	"testing"
-)
-
-type MockTerminal struct {
-	toSend       []byte
-	bytesPerRead int
-	received     []byte
-}
-
-func (c *MockTerminal) Read(data []byte) (n int, err error) {
-	n = len(data)
-	if n == 0 {
-		return
-	}
-	if n > len(c.toSend) {
-		n = len(c.toSend)
-	}
-	if n == 0 {
-		return 0, io.EOF
-	}
-	if c.bytesPerRead > 0 && n > c.bytesPerRead {
-		n = c.bytesPerRead
-	}
-	copy(data, c.toSend[:n])
-	c.toSend = c.toSend[n:]
-	return
-}
-
-func (c *MockTerminal) Write(data []byte) (n int, err error) {
-	c.received = append(c.received, data...)
-	return len(data), nil
-}
-
-func TestClose(t *testing.T) {
-	c := &MockTerminal{}
-	ss := NewTerminal(c, "> ")
-	line, err := ss.ReadLine()
-	if line != "" {
-		t.Errorf("Expected empty line but got: %s", line)
-	}
-	if err != io.EOF {
-		t.Errorf("Error should have been EOF but got: %s", err)
-	}
-}
-
-var keyPressTests = []struct {
-	in             string
-	line           string
-	err            error
-	throwAwayLines int
-}{
-	{
-		err: io.EOF,
-	},
-	{
-		in:   "\r",
-		line: "",
-	},
-	{
-		in:   "foo\r",
-		line: "foo",
-	},
-	{
-		in:   "a\x1b[Cb\r", // right
-		line: "ab",
-	},
-	{
-		in:   "a\x1b[Db\r", // left
-		line: "ba",
-	},
-	{
-		in:   "a\177b\r", // backspace
-		line: "b",
-	},
-	{
-		in: "\x1b[A\r", // up
-	},
-	{
-		in: "\x1b[B\r", // down
-	},
-	{
-		in:   "line\x1b[A\x1b[B\r", // up then down
-		line: "line",
-	},
-	{
-		in:             "line1\rline2\x1b[A\r", // recall previous line.
-		line:           "line1",
-		throwAwayLines: 1,
-	},
-	{
-		// recall two previous lines and append.
-		in:             "line1\rline2\rline3\x1b[A\x1b[Axxx\r",
-		line:           "line1xxx",
-		throwAwayLines: 2,
-	},
-	{
-		// Ctrl-A to move to beginning of line followed by ^K to kill
-		// line.
-		in:   "a b \001\013\r",
-		line: "",
-	},
-	{
-		// Ctrl-A to move to beginning of line, Ctrl-E to move to end,
-		// finally ^K to kill nothing.
-		in:   "a b \001\005\013\r",
-		line: "a b ",
-	},
-	{
-		in:   "\027\r",
-		line: "",
-	},
-	{
-		in:   "a\027\r",
-		line: "",
-	},
-	{
-		in:   "a \027\r",
-		line: "",
-	},
-	{
-		in:   "a b\027\r",
-		line: "a ",
-	},
-	{
-		in:   "a b \027\r",
-		line: "a ",
-	},
-	{
-		in:   "one two thr\x1b[D\027\r",
-		line: "one two r",
-	},
-	{
-		in:   "\013\r",
-		line: "",
-	},
-	{
-		in:   "a\013\r",
-		line: "a",
-	},
-	{
-		in:   "ab\x1b[D\013\r",
-		line: "a",
-	},
-	{
-		in:   "Ξεσκεπάζω\r",
-		line: "Ξεσκεπάζω",
-	},
-	{
-		in:             "£\r\x1b[A\177\r", // non-ASCII char, enter, up, backspace.
-		line:           "",
-		throwAwayLines: 1,
-	},
-	{
-		in:             "£\r££\x1b[A\x1b[B\177\r", // non-ASCII char, enter, 2x non-ASCII, up, down, backspace, enter.
-		line:           "£",
-		throwAwayLines: 1,
-	},
-	{
-		// Ctrl-D at the end of the line should be ignored.
-		in:   "a\004\r",
-		line: "a",
-	},
-	{
-		// a, b, left, Ctrl-D should erase the b.
-		in:   "ab\x1b[D\004\r",
-		line: "a",
-	},
-	{
-		// a, b, c, d, left, left, ^U should erase to the beginning of
-		// the line.
-		in:   "abcd\x1b[D\x1b[D\025\r",
-		line: "cd",
-	},
-	{
-		// Bracketed paste mode: control sequences should be returned
-		// verbatim in paste mode.
-		in:   "abc\x1b[200~de\177f\x1b[201~\177\r",
-		line: "abcde\177",
-	},
-	{
-		// Enter in bracketed paste mode should still work.
-		in:             "abc\x1b[200~d\refg\x1b[201~h\r",
-		line:           "efgh",
-		throwAwayLines: 1,
-	},
-	{
-		// Lines consisting entirely of pasted data should be indicated as such.
-		in:   "\x1b[200~a\r",
-		line: "a",
-		err:  ErrPasteIndicator,
-	},
-}
-
-func TestKeyPresses(t *testing.T) {
-	for i, test := range keyPressTests {
-		for j := 1; j < len(test.in); j++ {
-			c := &MockTerminal{
-				toSend:       []byte(test.in),
-				bytesPerRead: j,
-			}
-			ss := NewTerminal(c, "> ")
-			for k := 0; k < test.throwAwayLines; k++ {
-				_, err := ss.ReadLine()
-				if err != nil {
-					t.Errorf("Throwaway line %d from test %d resulted in error: %s", k, i, err)
-				}
-			}
-			line, err := ss.ReadLine()
-			if line != test.line {
-				t.Errorf("Line resulting from test %d (%d bytes per read) was '%s', expected '%s'", i, j, line, test.line)
-				break
-			}
-			if err != test.err {
-				t.Errorf("Error resulting from test %d (%d bytes per read) was '%v', expected '%v'", i, j, err, test.err)
-				break
-			}
-		}
-	}
-}
-
-func TestPasswordNotSaved(t *testing.T) {
-	c := &MockTerminal{
-		toSend:       []byte("password\r\x1b[A\r"),
-		bytesPerRead: 1,
-	}
-	ss := NewTerminal(c, "> ")
-	pw, _ := ss.ReadPassword("> ")
-	if pw != "password" {
-		t.Fatalf("failed to read password, got %s", pw)
-	}
-	line, _ := ss.ReadLine()
-	if len(line) > 0 {
-		t.Fatalf("password was saved in history")
-	}
-}
-
-var setSizeTests = []struct {
-	width, height int
-}{
-	{40, 13},
-	{80, 24},
-	{132, 43},
-}
-
-func TestTerminalSetSize(t *testing.T) {
-	for _, setSize := range setSizeTests {
-		c := &MockTerminal{
-			toSend:       []byte("password\r\x1b[A\r"),
-			bytesPerRead: 1,
-		}
-		ss := NewTerminal(c, "> ")
-		ss.SetSize(setSize.width, setSize.height)
-		pw, _ := ss.ReadPassword("Password: ")
-		if pw != "password" {
-			t.Fatalf("failed to read password, got %s", pw)
-		}
-		if string(c.received) != "Password: \r\n" {
-			t.Errorf("failed to set the temporary prompt expected %q, got %q", "Password: ", c.received)
-		}
-	}
-}
-
-func TestMakeRawState(t *testing.T) {
-	fd := int(os.Stdout.Fd())
-	if !IsTerminal(fd) {
-		t.Skip("stdout is not a terminal; skipping test")
-	}
-
-	st, err := GetState(fd)
-	if err != nil {
-		t.Fatalf("failed to get terminal state from GetState: %s", err)
-	}
-	defer Restore(fd, st)
-	raw, err := MakeRaw(fd)
-	if err != nil {
-		t.Fatalf("failed to get terminal state from MakeRaw: %s", err)
-	}
-
-	if *st != *raw {
-		t.Errorf("states do not match; was %v, expected %v", raw, st)
-	}
-}

vendor/golang.org/x/crypto/ssh/terminal/util.go

@@ -14,10 +14,9 @@
 // 	        panic(err)
 // 	}
 // 	defer terminal.Restore(0, oldState)
-package terminal // import "golang.org/x/crypto/ssh/terminal"
+package terminal
 
 import (
-	"io"
 	"syscall"
 	"unsafe"
 )
@@ -72,8 +71,10 @@ func GetState(fd int) (*State, error) {
 // Restore restores the terminal connected to the given file descriptor to a
 // previous state.
 func Restore(fd int, state *State) error {
-	_, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(fd), ioctlWriteTermios, uintptr(unsafe.Pointer(&state.termios)), 0, 0, 0)
-	return err
+	if _, _, err := syscall.Syscall6(syscall.SYS_IOCTL, uintptr(fd), ioctlWriteTermios, uintptr(unsafe.Pointer(&state.termios)), 0, 0, 0); err != 0 {
+		return err
+	}
+	return nil
 }
 
 // GetSize returns the dimensions of the given terminal.
@@ -86,6 +87,13 @@ func GetSize(fd int) (width, height int, err error) {
 	return int(dimensions[1]), int(dimensions[0]), nil
 }
 
+// passwordReader is an io.Reader that reads from a specific file descriptor.
+type passwordReader int
+
+func (r passwordReader) Read(buf []byte) (int, error) {
+	return syscall.Read(int(r), buf)
+}
+
 // ReadPassword reads a line of input from a terminal without local echo.  This
 // is commonly used for inputting passwords and other sensitive data. The slice
 // returned does not include the \n.
@@ -107,27 +115,5 @@ func ReadPassword(fd int) ([]byte, error) {
 		syscall.Syscall6(syscall.SYS_IOCTL, uintptr(fd), ioctlWriteTermios, uintptr(unsafe.Pointer(&oldState)), 0, 0, 0)
 	}()
 
-	var buf [16]byte
-	var ret []byte
-	for {
-		n, err := syscall.Read(fd, buf[:])
-		if err != nil {
-			return nil, err
-		}
-		if n == 0 {
-			if len(ret) == 0 {
-				return nil, io.EOF
-			}
-			break
-		}
-		if buf[n-1] == '\n' {
-			n--
-		}
-		ret = append(ret, buf[:n]...)
-		if n < len(buf) {
-			break
-		}
-	}
-
-	return ret, nil
+	return readPasswordLine(passwordReader(fd))
 }

vendor/golang.org/x/crypto/ssh/terminal/util_solaris.go

@@ -4,7 +4,7 @@
 
 // +build solaris
 
-package terminal // import "golang.org/x/crypto/ssh/terminal"
+package terminal
 
 import (
 	"golang.org/x/sys/unix"

vendor/golang.org/x/crypto/ssh/terminal/util_windows.go

@@ -17,7 +17,6 @@
 package terminal
 
 import (
-	"io"
 	"syscall"
 	"unsafe"
 )
@@ -123,6 +122,13 @@ func GetSize(fd int) (width, height int, err error) {
 	return int(info.size.x), int(info.size.y), nil
 }
 
+// passwordReader is an io.Reader that reads from a specific Windows HANDLE.
+type passwordReader int
+
+func (r passwordReader) Read(buf []byte) (int, error) {
+	return syscall.Read(syscall.Handle(r), buf)
+}
+
 // ReadPassword reads a line of input from a terminal without local echo.  This
 // is commonly used for inputting passwords and other sensitive data. The slice
 // returned does not include the \n.
@@ -145,30 +151,5 @@ func ReadPassword(fd int) ([]byte, error) {
 		syscall.Syscall(procSetConsoleMode.Addr(), 2, uintptr(fd), uintptr(old), 0)
 	}()
 
-	var buf [16]byte
-	var ret []byte
-	for {
-		n, err := syscall.Read(syscall.Handle(fd), buf[:])
-		if err != nil {
-			return nil, err
-		}
-		if n == 0 {
-			if len(ret) == 0 {
-				return nil, io.EOF
-			}
-			break
-		}
-		if buf[n-1] == '\n' {
-			n--
-		}
-		if n > 0 && buf[n-1] == '\r' {
-			n--
-		}
-		ret = append(ret, buf[:n]...)
-		if n < len(buf) {
-			break
-		}
-	}
-
-	return ret, nil
+	return readPasswordLine(passwordReader(fd))
 }

vendor/golang.org/x/crypto/ssh/test/agent_unix_test.go

@@ -1,59 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux netbsd openbsd
-
-package test
-
-import (
-	"bytes"
-	"testing"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/agent"
-)
-
-func TestAgentForward(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	keyring := agent.NewKeyring()
-	if err := keyring.Add(agent.AddedKey{PrivateKey: testPrivateKeys["dsa"]}); err != nil {
-		t.Fatalf("Error adding key: %s", err)
-	}
-	if err := keyring.Add(agent.AddedKey{
-		PrivateKey:       testPrivateKeys["dsa"],
-		ConfirmBeforeUse: true,
-		LifetimeSecs:     3600,
-	}); err != nil {
-		t.Fatalf("Error adding key with constraints: %s", err)
-	}
-	pub := testPublicKeys["dsa"]
-
-	sess, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("NewSession: %v", err)
-	}
-	if err := agent.RequestAgentForwarding(sess); err != nil {
-		t.Fatalf("RequestAgentForwarding: %v", err)
-	}
-
-	if err := agent.ForwardToAgent(conn, keyring); err != nil {
-		t.Fatalf("SetupForwardKeyring: %v", err)
-	}
-	out, err := sess.CombinedOutput("ssh-add -L")
-	if err != nil {
-		t.Fatalf("running ssh-add: %v, out %s", err, out)
-	}
-	key, _, _, _, err := ssh.ParseAuthorizedKey(out)
-	if err != nil {
-		t.Fatalf("ParseAuthorizedKey(%q): %v", out, err)
-	}
-
-	if !bytes.Equal(key.Marshal(), pub.Marshal()) {
-		t.Fatalf("got key %s, want %s", ssh.MarshalAuthorizedKey(key), ssh.MarshalAuthorizedKey(pub))
-	}
-}

vendor/golang.org/x/crypto/ssh/test/cert_test.go

@@ -1,47 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux netbsd openbsd
-
-package test
-
-import (
-	"crypto/rand"
-	"testing"
-
-	"golang.org/x/crypto/ssh"
-)
-
-func TestCertLogin(t *testing.T) {
-	s := newServer(t)
-	defer s.Shutdown()
-
-	// Use a key different from the default.
-	clientKey := testSigners["dsa"]
-	caAuthKey := testSigners["ecdsa"]
-	cert := &ssh.Certificate{
-		Key:             clientKey.PublicKey(),
-		ValidPrincipals: []string{username()},
-		CertType:        ssh.UserCert,
-		ValidBefore:     ssh.CertTimeInfinity,
-	}
-	if err := cert.SignCert(rand.Reader, caAuthKey); err != nil {
-		t.Fatalf("SetSignature: %v", err)
-	}
-
-	certSigner, err := ssh.NewCertSigner(cert, clientKey)
-	if err != nil {
-		t.Fatalf("NewCertSigner: %v", err)
-	}
-
-	conf := &ssh.ClientConfig{
-		User: username(),
-	}
-	conf.Auth = append(conf.Auth, ssh.PublicKeys(certSigner))
-	client, err := s.TryDial(conf)
-	if err != nil {
-		t.Fatalf("TryDial: %v", err)
-	}
-	client.Close()
-}

vendor/golang.org/x/crypto/ssh/test/doc.go

@@ -1,7 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This package contains integration tests for the
-// golang.org/x/crypto/ssh package.
-package test // import "golang.org/x/crypto/ssh/test"

vendor/golang.org/x/crypto/ssh/test/forward_unix_test.go

@@ -1,160 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux netbsd openbsd
-
-package test
-
-import (
-	"bytes"
-	"io"
-	"io/ioutil"
-	"math/rand"
-	"net"
-	"testing"
-	"time"
-)
-
-func TestPortForward(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	sshListener, err := conn.Listen("tcp", "localhost:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	go func() {
-		sshConn, err := sshListener.Accept()
-		if err != nil {
-			t.Fatalf("listen.Accept failed: %v", err)
-		}
-
-		_, err = io.Copy(sshConn, sshConn)
-		if err != nil && err != io.EOF {
-			t.Fatalf("ssh client copy: %v", err)
-		}
-		sshConn.Close()
-	}()
-
-	forwardedAddr := sshListener.Addr().String()
-	tcpConn, err := net.Dial("tcp", forwardedAddr)
-	if err != nil {
-		t.Fatalf("TCP dial failed: %v", err)
-	}
-
-	readChan := make(chan []byte)
-	go func() {
-		data, _ := ioutil.ReadAll(tcpConn)
-		readChan <- data
-	}()
-
-	// Invent some data.
-	data := make([]byte, 100*1000)
-	for i := range data {
-		data[i] = byte(i % 255)
-	}
-
-	var sent []byte
-	for len(sent) < 1000*1000 {
-		// Send random sized chunks
-		m := rand.Intn(len(data))
-		n, err := tcpConn.Write(data[:m])
-		if err != nil {
-			break
-		}
-		sent = append(sent, data[:n]...)
-	}
-	if err := tcpConn.(*net.TCPConn).CloseWrite(); err != nil {
-		t.Errorf("tcpConn.CloseWrite: %v", err)
-	}
-
-	read := <-readChan
-
-	if len(sent) != len(read) {
-		t.Fatalf("got %d bytes, want %d", len(read), len(sent))
-	}
-	if bytes.Compare(sent, read) != 0 {
-		t.Fatalf("read back data does not match")
-	}
-
-	if err := sshListener.Close(); err != nil {
-		t.Fatalf("sshListener.Close: %v", err)
-	}
-
-	// Check that the forward disappeared.
-	tcpConn, err = net.Dial("tcp", forwardedAddr)
-	if err == nil {
-		tcpConn.Close()
-		t.Errorf("still listening to %s after closing", forwardedAddr)
-	}
-}
-
-func TestAcceptClose(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-
-	sshListener, err := conn.Listen("tcp", "localhost:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	quit := make(chan error, 1)
-	go func() {
-		for {
-			c, err := sshListener.Accept()
-			if err != nil {
-				quit <- err
-				break
-			}
-			c.Close()
-		}
-	}()
-	sshListener.Close()
-
-	select {
-	case <-time.After(1 * time.Second):
-		t.Errorf("timeout: listener did not close.")
-	case err := <-quit:
-		t.Logf("quit as expected (error %v)", err)
-	}
-}
-
-// Check that listeners exit if the underlying client transport dies.
-func TestPortForwardConnectionClose(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-
-	sshListener, err := conn.Listen("tcp", "localhost:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	quit := make(chan error, 1)
-	go func() {
-		for {
-			c, err := sshListener.Accept()
-			if err != nil {
-				quit <- err
-				break
-			}
-			c.Close()
-		}
-	}()
-
-	// It would be even nicer if we closed the server side, but it
-	// is more involved as the fd for that side is dup()ed.
-	server.clientConn.Close()
-
-	select {
-	case <-time.After(1 * time.Second):
-		t.Errorf("timeout: listener did not close.")
-	case err := <-quit:
-		t.Logf("quit as expected (error %v)", err)
-	}
-}

vendor/golang.org/x/crypto/ssh/test/session_test.go

@@ -1,365 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !windows
-
-package test
-
-// Session functional tests.
-
-import (
-	"bytes"
-	"errors"
-	"io"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/ssh"
-)
-
-func TestRunCommandSuccess(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-	err = session.Run("true")
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-}
-
-func TestHostKeyCheck(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-
-	conf := clientConfig()
-	hostDB := hostKeyDB()
-	conf.HostKeyCallback = hostDB.Check
-
-	// change the keys.
-	hostDB.keys[ssh.KeyAlgoRSA][25]++
-	hostDB.keys[ssh.KeyAlgoDSA][25]++
-	hostDB.keys[ssh.KeyAlgoECDSA256][25]++
-
-	conn, err := server.TryDial(conf)
-	if err == nil {
-		conn.Close()
-		t.Fatalf("dial should have failed.")
-	} else if !strings.Contains(err.Error(), "host key mismatch") {
-		t.Fatalf("'host key mismatch' not found in %v", err)
-	}
-}
-
-func TestRunCommandStdin(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-
-	r, w := io.Pipe()
-	defer r.Close()
-	defer w.Close()
-	session.Stdin = r
-
-	err = session.Run("true")
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-}
-
-func TestRunCommandStdinError(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-
-	r, w := io.Pipe()
-	defer r.Close()
-	session.Stdin = r
-	pipeErr := errors.New("closing write end of pipe")
-	w.CloseWithError(pipeErr)
-
-	err = session.Run("true")
-	if err != pipeErr {
-		t.Fatalf("expected %v, found %v", pipeErr, err)
-	}
-}
-
-func TestRunCommandFailed(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-	err = session.Run(`bash -c "kill -9 $$"`)
-	if err == nil {
-		t.Fatalf("session succeeded: %v", err)
-	}
-}
-
-func TestRunCommandWeClosed(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	err = session.Shell()
-	if err != nil {
-		t.Fatalf("shell failed: %v", err)
-	}
-	err = session.Close()
-	if err != nil {
-		t.Fatalf("shell failed: %v", err)
-	}
-}
-
-func TestFuncLargeRead(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("unable to create new session: %s", err)
-	}
-
-	stdout, err := session.StdoutPipe()
-	if err != nil {
-		t.Fatalf("unable to acquire stdout pipe: %s", err)
-	}
-
-	err = session.Start("dd if=/dev/urandom bs=2048 count=1024")
-	if err != nil {
-		t.Fatalf("unable to execute remote command: %s", err)
-	}
-
-	buf := new(bytes.Buffer)
-	n, err := io.Copy(buf, stdout)
-	if err != nil {
-		t.Fatalf("error reading from remote stdout: %s", err)
-	}
-
-	if n != 2048*1024 {
-		t.Fatalf("Expected %d bytes but read only %d from remote command", 2048, n)
-	}
-}
-
-func TestKeyChange(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conf := clientConfig()
-	hostDB := hostKeyDB()
-	conf.HostKeyCallback = hostDB.Check
-	conf.RekeyThreshold = 1024
-	conn := server.Dial(conf)
-	defer conn.Close()
-
-	for i := 0; i < 4; i++ {
-		session, err := conn.NewSession()
-		if err != nil {
-			t.Fatalf("unable to create new session: %s", err)
-		}
-
-		stdout, err := session.StdoutPipe()
-		if err != nil {
-			t.Fatalf("unable to acquire stdout pipe: %s", err)
-		}
-
-		err = session.Start("dd if=/dev/urandom bs=1024 count=1")
-		if err != nil {
-			t.Fatalf("unable to execute remote command: %s", err)
-		}
-		buf := new(bytes.Buffer)
-		n, err := io.Copy(buf, stdout)
-		if err != nil {
-			t.Fatalf("error reading from remote stdout: %s", err)
-		}
-
-		want := int64(1024)
-		if n != want {
-			t.Fatalf("Expected %d bytes but read only %d from remote command", want, n)
-		}
-	}
-
-	if changes := hostDB.checkCount; changes < 4 {
-		t.Errorf("got %d key changes, want 4", changes)
-	}
-}
-
-func TestInvalidTerminalMode(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-
-	if err = session.RequestPty("vt100", 80, 40, ssh.TerminalModes{255: 1984}); err == nil {
-		t.Fatalf("req-pty failed: successful request with invalid mode")
-	}
-}
-
-func TestValidTerminalMode(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	conn := server.Dial(clientConfig())
-	defer conn.Close()
-
-	session, err := conn.NewSession()
-	if err != nil {
-		t.Fatalf("session failed: %v", err)
-	}
-	defer session.Close()
-
-	stdout, err := session.StdoutPipe()
-	if err != nil {
-		t.Fatalf("unable to acquire stdout pipe: %s", err)
-	}
-
-	stdin, err := session.StdinPipe()
-	if err != nil {
-		t.Fatalf("unable to acquire stdin pipe: %s", err)
-	}
-
-	tm := ssh.TerminalModes{ssh.ECHO: 0}
-	if err = session.RequestPty("xterm", 80, 40, tm); err != nil {
-		t.Fatalf("req-pty failed: %s", err)
-	}
-
-	err = session.Shell()
-	if err != nil {
-		t.Fatalf("session failed: %s", err)
-	}
-
-	stdin.Write([]byte("stty -a && exit\n"))
-
-	var buf bytes.Buffer
-	if _, err := io.Copy(&buf, stdout); err != nil {
-		t.Fatalf("reading failed: %s", err)
-	}
-
-	if sttyOutput := buf.String(); !strings.Contains(sttyOutput, "-echo ") {
-		t.Fatalf("terminal mode failure: expected -echo in stty output, got %s", sttyOutput)
-	}
-}
-
-func TestCiphers(t *testing.T) {
-	var config ssh.Config
-	config.SetDefaults()
-	cipherOrder := config.Ciphers
-	// These ciphers will not be tested when commented out in cipher.go it will
-	// fallback to the next available as per line 292.
-	cipherOrder = append(cipherOrder, "aes128-cbc", "3des-cbc")
-
-	for _, ciph := range cipherOrder {
-		server := newServer(t)
-		defer server.Shutdown()
-		conf := clientConfig()
-		conf.Ciphers = []string{ciph}
-		// Don't fail if sshd doesn't have the cipher.
-		conf.Ciphers = append(conf.Ciphers, cipherOrder...)
-		conn, err := server.TryDial(conf)
-		if err == nil {
-			conn.Close()
-		} else {
-			t.Fatalf("failed for cipher %q", ciph)
-		}
-	}
-}
-
-func TestMACs(t *testing.T) {
-	var config ssh.Config
-	config.SetDefaults()
-	macOrder := config.MACs
-
-	for _, mac := range macOrder {
-		server := newServer(t)
-		defer server.Shutdown()
-		conf := clientConfig()
-		conf.MACs = []string{mac}
-		// Don't fail if sshd doesn't have the MAC.
-		conf.MACs = append(conf.MACs, macOrder...)
-		if conn, err := server.TryDial(conf); err == nil {
-			conn.Close()
-		} else {
-			t.Fatalf("failed for MAC %q", mac)
-		}
-	}
-}
-
-func TestKeyExchanges(t *testing.T) {
-	var config ssh.Config
-	config.SetDefaults()
-	kexOrder := config.KeyExchanges
-	for _, kex := range kexOrder {
-		server := newServer(t)
-		defer server.Shutdown()
-		conf := clientConfig()
-		// Don't fail if sshd doesn't have the kex.
-		conf.KeyExchanges = append([]string{kex}, kexOrder...)
-		conn, err := server.TryDial(conf)
-		if err == nil {
-			conn.Close()
-		} else {
-			t.Errorf("failed for kex %q", kex)
-		}
-	}
-}
-
-func TestClientAuthAlgorithms(t *testing.T) {
-	for _, key := range []string{
-		"rsa",
-		"dsa",
-		"ecdsa",
-		"ed25519",
-	} {
-		server := newServer(t)
-		conf := clientConfig()
-		conf.SetDefaults()
-		conf.Auth = []ssh.AuthMethod{
-			ssh.PublicKeys(testSigners[key]),
-		}
-
-		conn, err := server.TryDial(conf)
-		if err == nil {
-			conn.Close()
-		} else {
-			t.Errorf("failed for key %q", key)
-		}
-
-		server.Shutdown()
-	}
-}

vendor/golang.org/x/crypto/ssh/test/tcpip_test.go

@@ -1,46 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !windows
-
-package test
-
-// direct-tcpip functional tests
-
-import (
-	"io"
-	"net"
-	"testing"
-)
-
-func TestDial(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	sshConn := server.Dial(clientConfig())
-	defer sshConn.Close()
-
-	l, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatalf("Listen: %v", err)
-	}
-	defer l.Close()
-
-	go func() {
-		for {
-			c, err := l.Accept()
-			if err != nil {
-				break
-			}
-
-			io.WriteString(c, c.RemoteAddr().String())
-			c.Close()
-		}
-	}()
-
-	conn, err := sshConn.Dial("tcp", l.Addr().String())
-	if err != nil {
-		t.Fatalf("Dial: %v", err)
-	}
-	defer conn.Close()
-}

vendor/golang.org/x/crypto/ssh/test/test_unix_test.go

@@ -1,268 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build darwin dragonfly freebsd linux netbsd openbsd plan9
-
-package test
-
-// functional test harness for unix.
-
-import (
-	"bytes"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net"
-	"os"
-	"os/exec"
-	"os/user"
-	"path/filepath"
-	"testing"
-	"text/template"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-const sshd_config = `
-Protocol 2
-HostKey {{.Dir}}/id_rsa
-HostKey {{.Dir}}/id_dsa
-HostKey {{.Dir}}/id_ecdsa
-Pidfile {{.Dir}}/sshd.pid
-#UsePrivilegeSeparation no
-KeyRegenerationInterval 3600
-ServerKeyBits 768
-SyslogFacility AUTH
-LogLevel DEBUG2
-LoginGraceTime 120
-PermitRootLogin no
-StrictModes no
-RSAAuthentication yes
-PubkeyAuthentication yes
-AuthorizedKeysFile	{{.Dir}}/authorized_keys
-TrustedUserCAKeys {{.Dir}}/id_ecdsa.pub
-IgnoreRhosts yes
-RhostsRSAAuthentication no
-HostbasedAuthentication no
-PubkeyAcceptedKeyTypes=*
-`
-
-var configTmpl = template.Must(template.New("").Parse(sshd_config))
-
-type server struct {
-	t          *testing.T
-	cleanup    func() // executed during Shutdown
-	configfile string
-	cmd        *exec.Cmd
-	output     bytes.Buffer // holds stderr from sshd process
-
-	// Client half of the network connection.
-	clientConn net.Conn
-}
-
-func username() string {
-	var username string
-	if user, err := user.Current(); err == nil {
-		username = user.Username
-	} else {
-		// user.Current() currently requires cgo. If an error is
-		// returned attempt to get the username from the environment.
-		log.Printf("user.Current: %v; falling back on $USER", err)
-		username = os.Getenv("USER")
-	}
-	if username == "" {
-		panic("Unable to get username")
-	}
-	return username
-}
-
-type storedHostKey struct {
-	// keys map from an algorithm string to binary key data.
-	keys map[string][]byte
-
-	// checkCount counts the Check calls. Used for testing
-	// rekeying.
-	checkCount int
-}
-
-func (k *storedHostKey) Add(key ssh.PublicKey) {
-	if k.keys == nil {
-		k.keys = map[string][]byte{}
-	}
-	k.keys[key.Type()] = key.Marshal()
-}
-
-func (k *storedHostKey) Check(addr string, remote net.Addr, key ssh.PublicKey) error {
-	k.checkCount++
-	algo := key.Type()
-
-	if k.keys == nil || bytes.Compare(key.Marshal(), k.keys[algo]) != 0 {
-		return fmt.Errorf("host key mismatch. Got %q, want %q", key, k.keys[algo])
-	}
-	return nil
-}
-
-func hostKeyDB() *storedHostKey {
-	keyChecker := &storedHostKey{}
-	keyChecker.Add(testPublicKeys["ecdsa"])
-	keyChecker.Add(testPublicKeys["rsa"])
-	keyChecker.Add(testPublicKeys["dsa"])
-	return keyChecker
-}
-
-func clientConfig() *ssh.ClientConfig {
-	config := &ssh.ClientConfig{
-		User: username(),
-		Auth: []ssh.AuthMethod{
-			ssh.PublicKeys(testSigners["user"]),
-		},
-		HostKeyCallback: hostKeyDB().Check,
-	}
-	return config
-}
-
-// unixConnection creates two halves of a connected net.UnixConn.  It
-// is used for connecting the Go SSH client with sshd without opening
-// ports.
-func unixConnection() (*net.UnixConn, *net.UnixConn, error) {
-	dir, err := ioutil.TempDir("", "unixConnection")
-	if err != nil {
-		return nil, nil, err
-	}
-	defer os.Remove(dir)
-
-	addr := filepath.Join(dir, "ssh")
-	listener, err := net.Listen("unix", addr)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer listener.Close()
-	c1, err := net.Dial("unix", addr)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	c2, err := listener.Accept()
-	if err != nil {
-		c1.Close()
-		return nil, nil, err
-	}
-
-	return c1.(*net.UnixConn), c2.(*net.UnixConn), nil
-}
-
-func (s *server) TryDial(config *ssh.ClientConfig) (*ssh.Client, error) {
-	sshd, err := exec.LookPath("sshd")
-	if err != nil {
-		s.t.Skipf("skipping test: %v", err)
-	}
-
-	c1, c2, err := unixConnection()
-	if err != nil {
-		s.t.Fatalf("unixConnection: %v", err)
-	}
-
-	s.cmd = exec.Command(sshd, "-f", s.configfile, "-i", "-e")
-	f, err := c2.File()
-	if err != nil {
-		s.t.Fatalf("UnixConn.File: %v", err)
-	}
-	defer f.Close()
-	s.cmd.Stdin = f
-	s.cmd.Stdout = f
-	s.cmd.Stderr = &s.output
-	if err := s.cmd.Start(); err != nil {
-		s.t.Fail()
-		s.Shutdown()
-		s.t.Fatalf("s.cmd.Start: %v", err)
-	}
-	s.clientConn = c1
-	conn, chans, reqs, err := ssh.NewClientConn(c1, "", config)
-	if err != nil {
-		return nil, err
-	}
-	return ssh.NewClient(conn, chans, reqs), nil
-}
-
-func (s *server) Dial(config *ssh.ClientConfig) *ssh.Client {
-	conn, err := s.TryDial(config)
-	if err != nil {
-		s.t.Fail()
-		s.Shutdown()
-		s.t.Fatalf("ssh.Client: %v", err)
-	}
-	return conn
-}
-
-func (s *server) Shutdown() {
-	if s.cmd != nil && s.cmd.Process != nil {
-		// Don't check for errors; if it fails it's most
-		// likely "os: process already finished", and we don't
-		// care about that. Use os.Interrupt, so child
-		// processes are killed too.
-		s.cmd.Process.Signal(os.Interrupt)
-		s.cmd.Wait()
-	}
-	if s.t.Failed() {
-		// log any output from sshd process
-		s.t.Logf("sshd: %s", s.output.String())
-	}
-	s.cleanup()
-}
-
-func writeFile(path string, contents []byte) {
-	f, err := os.OpenFile(path, os.O_WRONLY|os.O_TRUNC|os.O_CREATE, 0600)
-	if err != nil {
-		panic(err)
-	}
-	defer f.Close()
-	if _, err := f.Write(contents); err != nil {
-		panic(err)
-	}
-}
-
-// newServer returns a new mock ssh server.
-func newServer(t *testing.T) *server {
-	if testing.Short() {
-		t.Skip("skipping test due to -short")
-	}
-	dir, err := ioutil.TempDir("", "sshtest")
-	if err != nil {
-		t.Fatal(err)
-	}
-	f, err := os.Create(filepath.Join(dir, "sshd_config"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	err = configTmpl.Execute(f, map[string]string{
-		"Dir": dir,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	f.Close()
-
-	for k, v := range testdata.PEMBytes {
-		filename := "id_" + k
-		writeFile(filepath.Join(dir, filename), v)
-		writeFile(filepath.Join(dir, filename+".pub"), ssh.MarshalAuthorizedKey(testPublicKeys[k]))
-	}
-
-	var authkeys bytes.Buffer
-	for k, _ := range testdata.PEMBytes {
-		authkeys.Write(ssh.MarshalAuthorizedKey(testPublicKeys[k]))
-	}
-	writeFile(filepath.Join(dir, "authorized_keys"), authkeys.Bytes())
-
-	return &server{
-		t:          t,
-		configfile: f.Name(),
-		cleanup: func() {
-			if err := os.RemoveAll(dir); err != nil {
-				t.Error(err)
-			}
-		},
-	}
-}

vendor/golang.org/x/crypto/ssh/test/testdata_test.go

@@ -1,64 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// IMPLEMENTATION NOTE: To avoid a package loop, this file is in three places:
-// ssh/, ssh/agent, and ssh/test/. It should be kept in sync across all three
-// instances.
-
-package test
-
-import (
-	"crypto/rand"
-	"fmt"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-var (
-	testPrivateKeys map[string]interface{}
-	testSigners     map[string]ssh.Signer
-	testPublicKeys  map[string]ssh.PublicKey
-)
-
-func init() {
-	var err error
-
-	n := len(testdata.PEMBytes)
-	testPrivateKeys = make(map[string]interface{}, n)
-	testSigners = make(map[string]ssh.Signer, n)
-	testPublicKeys = make(map[string]ssh.PublicKey, n)
-	for t, k := range testdata.PEMBytes {
-		testPrivateKeys[t], err = ssh.ParseRawPrivateKey(k)
-		if err != nil {
-			panic(fmt.Sprintf("Unable to parse test key %s: %v", t, err))
-		}
-		testSigners[t], err = ssh.NewSignerFromKey(testPrivateKeys[t])
-		if err != nil {
-			panic(fmt.Sprintf("Unable to create signer for test key %s: %v", t, err))
-		}
-		testPublicKeys[t] = testSigners[t].PublicKey()
-	}
-
-	// Create a cert and sign it for use in tests.
-	testCert := &ssh.Certificate{
-		Nonce:           []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		ValidPrincipals: []string{"gopher1", "gopher2"}, // increases test coverage
-		ValidAfter:      0,                              // unix epoch
-		ValidBefore:     ssh.CertTimeInfinity,           // The end of currently representable time.
-		Reserved:        []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		Key:             testPublicKeys["ecdsa"],
-		SignatureKey:    testPublicKeys["rsa"],
-		Permissions: ssh.Permissions{
-			CriticalOptions: map[string]string{},
-			Extensions:      map[string]string{},
-		},
-	}
-	testCert.SignCert(rand.Reader, testSigners["rsa"])
-	testPrivateKeys["cert"] = testPrivateKeys["ecdsa"]
-	testSigners["cert"], err = ssh.NewCertSigner(testCert, testSigners["ecdsa"])
-	if err != nil {
-		panic(fmt.Sprintf("Unable to create certificate signer: %v", err))
-	}
-}

vendor/golang.org/x/crypto/ssh/testdata/doc.go

@@ -1,8 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This package contains test data shared between the various subpackages of
-// the golang.org/x/crypto/ssh package. Under no circumstance should
-// this data be used for production code.
-package testdata // import "golang.org/x/crypto/ssh/testdata"

vendor/golang.org/x/crypto/ssh/testdata/keys.go

@@ -1,120 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package testdata
-
-var PEMBytes = map[string][]byte{
-	"dsa": []byte(`-----BEGIN DSA PRIVATE KEY-----
-MIIBuwIBAAKBgQD6PDSEyXiI9jfNs97WuM46MSDCYlOqWw80ajN16AohtBncs1YB
-lHk//dQOvCYOsYaE+gNix2jtoRjwXhDsc25/IqQbU1ahb7mB8/rsaILRGIbA5WH3
-EgFtJmXFovDz3if6F6TzvhFpHgJRmLYVR8cqsezL3hEZOvvs2iH7MorkxwIVAJHD
-nD82+lxh2fb4PMsIiaXudAsBAoGAQRf7Q/iaPRn43ZquUhd6WwvirqUj+tkIu6eV
-2nZWYmXLlqFQKEy4Tejl7Wkyzr2OSYvbXLzo7TNxLKoWor6ips0phYPPMyXld14r
-juhT24CrhOzuLMhDduMDi032wDIZG4Y+K7ElU8Oufn8Sj5Wge8r6ANmmVgmFfynr
-FhdYCngCgYEA3ucGJ93/Mx4q4eKRDxcWD3QzWyqpbRVRRV1Vmih9Ha/qC994nJFz
-DQIdjxDIT2Rk2AGzMqFEB68Zc3O+Wcsmz5eWWzEwFxaTwOGWTyDqsDRLm3fD+QYj
-nOwuxb0Kce+gWI8voWcqC9cyRm09jGzu2Ab3Bhtpg8JJ8L7gS3MRZK4CFEx4UAfY
-Fmsr0W6fHB9nhS4/UXM8
------END DSA PRIVATE KEY-----
-`),
-	"ecdsa": []byte(`-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEINGWx0zo6fhJ/0EAfrPzVFyFC9s18lBt3cRoEDhS3ARooAoGCCqGSM49
-AwEHoUQDQgAEi9Hdw6KvZcWxfg2IDhA7UkpDtzzt6ZqJXSsFdLd+Kx4S3Sx4cVO+
-6/ZOXRnPmNAlLUqjShUsUBBngG0u2fqEqA==
------END EC PRIVATE KEY-----
-`),
-	"rsa": []byte(`-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQC8A6FGHDiWCSREAXCq6yBfNVr0xCVG2CzvktFNRpue+RXrGs/2
-a6ySEJQb3IYquw7HlJgu6fg3WIWhOmHCjfpG0PrL4CRwbqQ2LaPPXhJErWYejcD8
-Di00cF3677+G10KMZk9RXbmHtuBFZT98wxg8j+ZsBMqGM1+7yrWUvynswQIDAQAB
-AoGAJMCk5vqfSRzyXOTXLGIYCuR4Kj6pdsbNSeuuRGfYBeR1F2c/XdFAg7D/8s5R
-38p/Ih52/Ty5S8BfJtwtvgVY9ecf/JlU/rl/QzhG8/8KC0NG7KsyXklbQ7gJT8UT
-Ojmw5QpMk+rKv17ipDVkQQmPaj+gJXYNAHqImke5mm/K/h0CQQDciPmviQ+DOhOq
-2ZBqUfH8oXHgFmp7/6pXw80DpMIxgV3CwkxxIVx6a8lVH9bT/AFySJ6vXq4zTuV9
-6QmZcZzDAkEA2j/UXJPIs1fQ8z/6sONOkU/BjtoePFIWJlRxdN35cZjXnBraX5UR
-fFHkePv4YwqmXNqrBOvSu+w2WdSDci+IKwJAcsPRc/jWmsrJW1q3Ha0hSf/WG/Bu
-X7MPuXaKpP/DkzGoUmb8ks7yqj6XWnYkPNLjCc8izU5vRwIiyWBRf4mxMwJBAILa
-NDvRS0rjwt6lJGv7zPZoqDc65VfrK2aNyHx2PgFyzwrEOtuF57bu7pnvEIxpLTeM
-z26i6XVMeYXAWZMTloMCQBbpGgEERQpeUknLBqUHhg/wXF6+lFA+vEGnkY+Dwab2
-KCXFGd+SQ5GdUcEMe9isUH6DYj/6/yCDoFrXXmpQb+M=
------END RSA PRIVATE KEY-----
-`),
-	"ed25519": []byte(`-----BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACA+3f7hS7g5UWwXOGVTrMfhmxyrjqz7Sxxbx7I1j8DvvwAAAJhAFfkOQBX5
-DgAAAAtzc2gtZWQyNTUxOQAAACA+3f7hS7g5UWwXOGVTrMfhmxyrjqz7Sxxbx7I1j8Dvvw
-AAAEAaYmXltfW6nhRo3iWGglRB48lYq0z0Q3I3KyrdutEr6j7d/uFLuDlRbBc4ZVOsx+Gb
-HKuOrPtLHFvHsjWPwO+/AAAAE2dhcnRvbm1AZ2FydG9ubS14cHMBAg==
------END OPENSSH PRIVATE KEY-----
-`),
-	"user": []byte(`-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEILYCAeq8f7V4vSSypRw7pxy8yz3V5W4qg8kSC3zJhqpQoAoGCCqGSM49
-AwEHoUQDQgAEYcO2xNKiRUYOLEHM7VYAp57HNyKbOdYtHD83Z4hzNPVC4tM5mdGD
-PLL8IEwvYu2wq+lpXfGQnNMbzYf9gspG0w==
------END EC PRIVATE KEY-----
-`),
-}
-
-var PEMEncryptedKeys = []struct {
-	Name          string
-	EncryptionKey string
-	PEMBytes      []byte
-}{
-	0: {
-		Name:          "rsa-encrypted",
-		EncryptionKey: "r54-G0pher_t3st$",
-		PEMBytes: []byte(`-----BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,3E1714DE130BC5E81327F36564B05462
-
-MqW88sud4fnWk/Jk3fkjh7ydu51ZkHLN5qlQgA4SkAXORPPMj2XvqZOv1v2LOgUV
-dUevUn8PZK7a9zbZg4QShUSzwE5k6wdB7XKPyBgI39mJ79GBd2U4W3h6KT6jIdWA
-goQpluxkrzr2/X602IaxLEre97FT9mpKC6zxKCLvyFWVIP9n3OSFS47cTTXyFr+l
-7PdRhe60nn6jSBgUNk/Q1lAvEQ9fufdPwDYY93F1wyJ6lOr0F1+mzRrMbH67NyKs
-rG8J1Fa7cIIre7ueKIAXTIne7OAWqpU9UDgQatDtZTbvA7ciqGsSFgiwwW13N+Rr
-hN8MkODKs9cjtONxSKi05s206A3NDU6STtZ3KuPDjFE1gMJODotOuqSM+cxKfyFq
-wxpk/CHYCDdMAVBSwxb/vraOHamylL4uCHpJdBHypzf2HABt+lS8Su23uAmL87DR
-yvyCS/lmpuNTndef6qHPRkoW2EV3xqD3ovosGf7kgwGJUk2ZpCLVteqmYehKlZDK
-r/Jy+J26ooI2jIg9bjvD1PZq+Mv+2dQ1RlDrPG3PB+rEixw6vBaL9x3jatCd4ej7
-XG7lb3qO9xFpLsx89tkEcvpGR+broSpUJ6Mu5LBCVmrvqHjvnDhrZVz1brMiQtU9
-iMZbgXqDLXHd6ERWygk7OTU03u+l1gs+KGMfmS0h0ZYw6KGVLgMnsoxqd6cFSKNB
-8Ohk9ZTZGCiovlXBUepyu8wKat1k8YlHSfIHoRUJRhhcd7DrmojC+bcbMIZBU22T
-Pl2ftVRGtcQY23lYd0NNKfebF7ncjuLWQGy+vZW+7cgfI6wPIbfYfP6g7QAutk6W
-KQx0AoX5woZ6cNxtpIrymaVjSMRRBkKQrJKmRp3pC/lul5E5P2cueMs1fj4OHTbJ
-lAUv88ywr+R+mRgYQlFW/XQ653f6DT4t6+njfO9oBcPrQDASZel3LjXLpjjYG/N5
-+BWnVexuJX9ika8HJiFl55oqaKb+WknfNhk5cPY+x7SDV9ywQeMiDZpr0ffeYAEP
-LlwwiWRDYpO+uwXHSFF3+JjWwjhs8m8g99iFb7U93yKgBB12dCEPPa2ZeH9wUHMJ
-sreYhNuq6f4iWWSXpzN45inQqtTi8jrJhuNLTT543ErW7DtntBO2rWMhff3aiXbn
-Uy3qzZM1nPbuCGuBmP9L2dJ3Z5ifDWB4JmOyWY4swTZGt9AVmUxMIKdZpRONx8vz
-I9u9nbVPGZBcou50Pa0qTLbkWsSL94MNXrARBxzhHC9Zs6XNEtwN7mOuii7uMkVc
-adrxgknBH1J1N+NX/eTKzUwJuPvDtA+Z5ILWNN9wpZT/7ed8zEnKHPNUexyeT5g3
-uw9z9jH7ffGxFYlx87oiVPHGOrCXYZYW5uoZE31SCBkbtNuffNRJRKIFeipmpJ3P
-7bpAG+kGHMelQH6b+5K1Qgsv4tpuSyKeTKpPFH9Av5nN4P1ZBm9N80tzbNWqjSJm
-S7rYdHnuNEVnUGnRmEUMmVuYZnNBEVN/fP2m2SEwXcP3Uh7TiYlcWw10ygaGmOr7
-MvMLGkYgQ4Utwnd98mtqa0jr0hK2TcOSFir3AqVvXN3XJj4cVULkrXe4Im1laWgp
------END RSA PRIVATE KEY-----
-`),
-	},
-
-	1: {
-		Name:          "dsa-encrypted",
-		EncryptionKey: "qG0pher-dsa_t3st$",
-		PEMBytes: []byte(`-----BEGIN DSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: AES-128-CBC,7CE7A6E4A647DC01AF860210B15ADE3E
-
-hvnBpI99Hceq/55pYRdOzBLntIEis02JFNXuLEydWL+RJBFDn7tA+vXec0ERJd6J
-G8JXlSOAhmC2H4uK3q2xR8/Y3yL95n6OIcjvCBiLsV+o3jj1MYJmErxP6zRtq4w3
-JjIjGHWmaYFSxPKQ6e8fs74HEqaeMV9ONUoTtB+aISmgaBL15Fcoayg245dkBvVl
-h5Kqspe7yvOBmzA3zjRuxmSCqKJmasXM7mqs3vIrMxZE3XPo1/fWKcPuExgpVQoT
-HkJZEoIEIIPnPMwT2uYbFJSGgPJVMDT84xz7yvjCdhLmqrsXgs5Qw7Pw0i0c0BUJ
-b7fDJ2UhdiwSckWGmIhTLlJZzr8K+JpjCDlP+REYBI5meB7kosBnlvCEHdw2EJkH
-0QDc/2F4xlVrHOLbPRFyu1Oi2Gvbeoo9EsM/DThpd1hKAlb0sF5Y0y0d+owv0PnE
-R/4X3HWfIdOHsDUvJ8xVWZ4BZk9Zk9qol045DcFCehpr/3hslCrKSZHakLt9GI58
-vVQJ4L0aYp5nloLfzhViZtKJXRLkySMKdzYkIlNmW1oVGl7tce5UCNI8Nok4j6yn
-IiHM7GBn+0nJoKTXsOGMIBe3ulKlKVxLjEuk9yivh/8=
------END DSA PRIVATE KEY-----
-`),
-	},
-}

vendor/golang.org/x/crypto/ssh/testdata_test.go

@@ -1,63 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// IMPLEMENTATION NOTE: To avoid a package loop, this file is in three places:
-// ssh/, ssh/agent, and ssh/test/. It should be kept in sync across all three
-// instances.
-
-package ssh
-
-import (
-	"crypto/rand"
-	"fmt"
-
-	"golang.org/x/crypto/ssh/testdata"
-)
-
-var (
-	testPrivateKeys map[string]interface{}
-	testSigners     map[string]Signer
-	testPublicKeys  map[string]PublicKey
-)
-
-func init() {
-	var err error
-
-	n := len(testdata.PEMBytes)
-	testPrivateKeys = make(map[string]interface{}, n)
-	testSigners = make(map[string]Signer, n)
-	testPublicKeys = make(map[string]PublicKey, n)
-	for t, k := range testdata.PEMBytes {
-		testPrivateKeys[t], err = ParseRawPrivateKey(k)
-		if err != nil {
-			panic(fmt.Sprintf("Unable to parse test key %s: %v", t, err))
-		}
-		testSigners[t], err = NewSignerFromKey(testPrivateKeys[t])
-		if err != nil {
-			panic(fmt.Sprintf("Unable to create signer for test key %s: %v", t, err))
-		}
-		testPublicKeys[t] = testSigners[t].PublicKey()
-	}
-
-	// Create a cert and sign it for use in tests.
-	testCert := &Certificate{
-		Nonce:           []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		ValidPrincipals: []string{"gopher1", "gopher2"}, // increases test coverage
-		ValidAfter:      0,                              // unix epoch
-		ValidBefore:     CertTimeInfinity,               // The end of currently representable time.
-		Reserved:        []byte{},                       // To pass reflect.DeepEqual after marshal & parse, this must be non-nil
-		Key:             testPublicKeys["ecdsa"],
-		SignatureKey:    testPublicKeys["rsa"],
-		Permissions: Permissions{
-			CriticalOptions: map[string]string{},
-			Extensions:      map[string]string{},
-		},
-	}
-	testCert.SignCert(rand.Reader, testSigners["rsa"])
-	testPrivateKeys["cert"] = testPrivateKeys["ecdsa"]
-	testSigners["cert"], err = NewCertSigner(testCert, testSigners["ecdsa"])
-	if err != nil {
-		panic(fmt.Sprintf("Unable to create certificate signer: %v", err))
-	}
-}

vendor/golang.org/x/crypto/ssh/transport.go

@@ -8,8 +8,13 @@ import (
 	"bufio"
 	"errors"
 	"io"
+	"log"
 )
 
+// debugTransport if set, will print packet types as they go over the
+// wire. No message decoding is done, to minimize the impact on timing.
+const debugTransport = false
+
 const (
 	gcmCipherID    = "aes128-gcm@openssh.com"
 	aes128cbcID    = "aes128-cbc"
@@ -22,7 +27,9 @@ type packetConn interface {
 	// Encrypt and send a packet of data to the remote peer.
 	writePacket(packet []byte) error
 
-	// Read a packet from the connection
+	// Read a packet from the connection. The read is blocking,
+	// i.e. if error is nil, then the returned byte slice is
+	// always non-empty.
 	readPacket() ([]byte, error)
 
 	// Close closes the write-side of the connection.
@@ -38,7 +45,7 @@ type transport struct {
 	bufReader *bufio.Reader
 	bufWriter *bufio.Writer
 	rand      io.Reader
-
+	isClient  bool
 	io.Closer
 }
 
@@ -84,9 +91,38 @@ func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) err
 	return nil
 }
 
+func (t *transport) printPacket(p []byte, write bool) {
+	if len(p) == 0 {
+		return
+	}
+	who := "server"
+	if t.isClient {
+		who = "client"
+	}
+	what := "read"
+	if write {
+		what = "write"
+	}
+
+	log.Println(what, who, p[0])
+}
+
 // Read and decrypt next packet.
-func (t *transport) readPacket() ([]byte, error) {
-	return t.reader.readPacket(t.bufReader)
+func (t *transport) readPacket() (p []byte, err error) {
+	for {
+		p, err = t.reader.readPacket(t.bufReader)
+		if err != nil {
+			break
+		}
+		if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) {
+			break
+		}
+	}
+	if debugTransport {
+		t.printPacket(p, false)
+	}
+
+	return p, err
 }
 
 func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
@@ -129,6 +165,9 @@ func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
 }
 
 func (t *transport) writePacket(packet []byte) error {
+	if debugTransport {
+		t.printPacket(packet, true)
+	}
 	return t.writer.writePacket(t.bufWriter, t.rand, packet)
 }
 
@@ -169,6 +208,8 @@ func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transp
 		},
 		Closer: rwc,
 	}
+	t.isClient = isClient
+
 	if isClient {
 		t.reader.dir = serverKeys
 		t.writer.dir = clientKeys
@@ -226,6 +267,7 @@ func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (pac
 
 	c := &streamPacketCipher{
 		mac: macModes[algs.MAC].new(macKey),
+		etm: macModes[algs.MAC].etm,
 	}
 	c.macResult = make([]byte, c.mac.Size())
 

vendor/golang.org/x/crypto/ssh/transport_test.go

@@ -1,109 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
-	"bytes"
-	"crypto/rand"
-	"encoding/binary"
-	"strings"
-	"testing"
-)
-
-func TestReadVersion(t *testing.T) {
-	longversion := strings.Repeat("SSH-2.0-bla", 50)[:253]
-	cases := map[string]string{
-		"SSH-2.0-bla\r\n":    "SSH-2.0-bla",
-		"SSH-2.0-bla\n":      "SSH-2.0-bla",
-		longversion + "\r\n": longversion,
-	}
-
-	for in, want := range cases {
-		result, err := readVersion(bytes.NewBufferString(in))
-		if err != nil {
-			t.Errorf("readVersion(%q): %s", in, err)
-		}
-		got := string(result)
-		if got != want {
-			t.Errorf("got %q, want %q", got, want)
-		}
-	}
-}
-
-func TestReadVersionError(t *testing.T) {
-	longversion := strings.Repeat("SSH-2.0-bla", 50)[:253]
-	cases := []string{
-		longversion + "too-long\r\n",
-	}
-	for _, in := range cases {
-		if _, err := readVersion(bytes.NewBufferString(in)); err == nil {
-			t.Errorf("readVersion(%q) should have failed", in)
-		}
-	}
-}
-
-func TestExchangeVersionsBasic(t *testing.T) {
-	v := "SSH-2.0-bla"
-	buf := bytes.NewBufferString(v + "\r\n")
-	them, err := exchangeVersions(buf, []byte("xyz"))
-	if err != nil {
-		t.Errorf("exchangeVersions: %v", err)
-	}
-
-	if want := "SSH-2.0-bla"; string(them) != want {
-		t.Errorf("got %q want %q for our version", them, want)
-	}
-}
-
-func TestExchangeVersions(t *testing.T) {
-	cases := []string{
-		"not\x000allowed",
-		"not allowed\n",
-	}
-	for _, c := range cases {
-		buf := bytes.NewBufferString("SSH-2.0-bla\r\n")
-		if _, err := exchangeVersions(buf, []byte(c)); err == nil {
-			t.Errorf("exchangeVersions(%q): should have failed", c)
-		}
-	}
-}
-
-type closerBuffer struct {
-	bytes.Buffer
-}
-
-func (b *closerBuffer) Close() error {
-	return nil
-}
-
-func TestTransportMaxPacketWrite(t *testing.T) {
-	buf := &closerBuffer{}
-	tr := newTransport(buf, rand.Reader, true)
-	huge := make([]byte, maxPacket+1)
-	err := tr.writePacket(huge)
-	if err == nil {
-		t.Errorf("transport accepted write for a huge packet.")
-	}
-}
-
-func TestTransportMaxPacketReader(t *testing.T) {
-	var header [5]byte
-	huge := make([]byte, maxPacket+128)
-	binary.BigEndian.PutUint32(header[0:], uint32(len(huge)))
-	// padding.
-	header[4] = 0
-
-	buf := &closerBuffer{}
-	buf.Write(header[:])
-	buf.Write(huge)
-
-	tr := newTransport(buf, rand.Reader, true)
-	_, err := tr.readPacket()
-	if err == nil {
-		t.Errorf("transport succeeded reading huge packet.")
-	} else if !strings.Contains(err.Error(), "large") {
-		t.Errorf("got %q, should mention %q", err.Error(), "large")
-	}
-}

vendor/golang.org/x/net/context/context.go

@@ -7,7 +7,7 @@
 // and between processes.
 //
 // Incoming requests to a server should create a Context, and outgoing calls to
-// servers should accept a Context.  The chain of function calls between must
+// servers should accept a Context. The chain of function calls between must
 // propagate the Context, optionally replacing it with a modified copy created
 // using WithDeadline, WithTimeout, WithCancel, or WithValue.
 //
@@ -16,14 +16,14 @@
 // propagation:
 //
 // Do not store Contexts inside a struct type; instead, pass a Context
-// explicitly to each function that needs it.  The Context should be the first
+// explicitly to each function that needs it. The Context should be the first
 // parameter, typically named ctx:
 //
 // 	func DoSomething(ctx context.Context, arg Arg) error {
 // 		// ... use ctx ...
 // 	}
 //
-// Do not pass a nil Context, even if a function permits it.  Pass context.TODO
+// Do not pass a nil Context, even if a function permits it. Pass context.TODO
 // if you are unsure about which Context to use.
 //
 // Use context Values only for request-scoped data that transits processes and
@@ -44,13 +44,13 @@ import "time"
 // Context's methods may be called by multiple goroutines simultaneously.
 type Context interface {
 	// Deadline returns the time when work done on behalf of this context
-	// should be canceled.  Deadline returns ok==false when no deadline is
-	// set.  Successive calls to Deadline return the same results.
+	// should be canceled. Deadline returns ok==false when no deadline is
+	// set. Successive calls to Deadline return the same results.
 	Deadline() (deadline time.Time, ok bool)
 
 	// Done returns a channel that's closed when work done on behalf of this
-	// context should be canceled.  Done may return nil if this context can
-	// never be canceled.  Successive calls to Done return the same value.
+	// context should be canceled. Done may return nil if this context can
+	// never be canceled. Successive calls to Done return the same value.
 	//
 	// WithCancel arranges for Done to be closed when cancel is called;
 	// WithDeadline arranges for Done to be closed when the deadline
@@ -79,24 +79,24 @@ type Context interface {
 	// a Done channel for cancelation.
 	Done() <-chan struct{}
 
-	// Err returns a non-nil error value after Done is closed.  Err returns
+	// Err returns a non-nil error value after Done is closed. Err returns
 	// Canceled if the context was canceled or DeadlineExceeded if the
-	// context's deadline passed.  No other values for Err are defined.
+	// context's deadline passed. No other values for Err are defined.
 	// After Done is closed, successive calls to Err return the same value.
 	Err() error
 
 	// Value returns the value associated with this context for key, or nil
-	// if no value is associated with key.  Successive calls to Value with
+	// if no value is associated with key. Successive calls to Value with
 	// the same key returns the same result.
 	//
 	// Use context values only for request-scoped data that transits
 	// processes and API boundaries, not for passing optional parameters to
 	// functions.
 	//
-	// A key identifies a specific value in a Context.  Functions that wish
+	// A key identifies a specific value in a Context. Functions that wish
 	// to store values in Context typically allocate a key in a global
 	// variable then use that key as the argument to context.WithValue and
-	// Context.Value.  A key can be any type that supports equality;
+	// Context.Value. A key can be any type that supports equality;
 	// packages should define keys as an unexported type to avoid
 	// collisions.
 	//
@@ -115,7 +115,7 @@ type Context interface {
 	// 	// This prevents collisions with keys defined in other packages.
 	// 	type key int
 	//
-	// 	// userKey is the key for user.User values in Contexts.  It is
+	// 	// userKey is the key for user.User values in Contexts. It is
 	// 	// unexported; clients use user.NewContext and user.FromContext
 	// 	// instead of using this key directly.
 	// 	var userKey key = 0
@@ -134,14 +134,14 @@ type Context interface {
 }
 
 // Background returns a non-nil, empty Context. It is never canceled, has no
-// values, and has no deadline.  It is typically used by the main function,
+// values, and has no deadline. It is typically used by the main function,
 // initialization, and tests, and as the top-level Context for incoming
 // requests.
 func Background() Context {
 	return background
 }
 
-// TODO returns a non-nil, empty Context.  Code should use context.TODO when
+// TODO returns a non-nil, empty Context. Code should use context.TODO when
 // it's unclear which Context to use or it is not yet available (because the
 // surrounding function has not yet been extended to accept a Context
 // parameter).  TODO is recognized by static analysis tools that determine

vendor/golang.org/x/net/context/go17.go

@@ -35,8 +35,8 @@ func WithCancel(parent Context) (ctx Context, cancel CancelFunc) {
 }
 
 // WithDeadline returns a copy of the parent context with the deadline adjusted
-// to be no later than d.  If the parent's deadline is already earlier than d,
-// WithDeadline(parent, d) is semantically equivalent to parent.  The returned
+// to be no later than d. If the parent's deadline is already earlier than d,
+// WithDeadline(parent, d) is semantically equivalent to parent. The returned
 // context's Done channel is closed when the deadline expires, when the returned
 // cancel function is called, or when the parent context's Done channel is
 // closed, whichever happens first.

vendor/golang.org/x/net/context/pre_go17.go

@@ -13,7 +13,7 @@ import (
 	"time"
 )
 
-// An emptyCtx is never canceled, has no values, and has no deadline.  It is not
+// An emptyCtx is never canceled, has no values, and has no deadline. It is not
 // struct{}, since vars of this type must have distinct addresses.
 type emptyCtx int
 
@@ -104,7 +104,7 @@ func propagateCancel(parent Context, child canceler) {
 }
 
 // parentCancelCtx follows a chain of parent references until it finds a
-// *cancelCtx.  This function understands how each of the concrete types in this
+// *cancelCtx. This function understands how each of the concrete types in this
 // package represents its parent.
 func parentCancelCtx(parent Context) (*cancelCtx, bool) {
 	for {
@@ -134,14 +134,14 @@ func removeChild(parent Context, child canceler) {
 	p.mu.Unlock()
 }
 
-// A canceler is a context type that can be canceled directly.  The
+// A canceler is a context type that can be canceled directly. The
 // implementations are *cancelCtx and *timerCtx.
 type canceler interface {
 	cancel(removeFromParent bool, err error)
 	Done() <-chan struct{}
 }
 
-// A cancelCtx can be canceled.  When canceled, it also cancels any children
+// A cancelCtx can be canceled. When canceled, it also cancels any children
 // that implement canceler.
 type cancelCtx struct {
 	Context
@@ -193,8 +193,8 @@ func (c *cancelCtx) cancel(removeFromParent bool, err error) {
 }
 
 // WithDeadline returns a copy of the parent context with the deadline adjusted
-// to be no later than d.  If the parent's deadline is already earlier than d,
-// WithDeadline(parent, d) is semantically equivalent to parent.  The returned
+// to be no later than d. If the parent's deadline is already earlier than d,
+// WithDeadline(parent, d) is semantically equivalent to parent. The returned
 // context's Done channel is closed when the deadline expires, when the returned
 // cancel function is called, or when the parent context's Done channel is
 // closed, whichever happens first.
@@ -226,8 +226,8 @@ func WithDeadline(parent Context, deadline time.Time) (Context, CancelFunc) {
 	return c, func() { c.cancel(true, Canceled) }
 }
 
-// A timerCtx carries a timer and a deadline.  It embeds a cancelCtx to
-// implement Done and Err.  It implements cancel by stopping its timer then
+// A timerCtx carries a timer and a deadline. It embeds a cancelCtx to
+// implement Done and Err. It implements cancel by stopping its timer then
 // delegating to cancelCtx.cancel.
 type timerCtx struct {
 	*cancelCtx
@@ -281,7 +281,7 @@ func WithValue(parent Context, key interface{}, val interface{}) Context {
 	return &valueCtx{parent, key, val}
 }
 
-// A valueCtx carries a key-value pair.  It implements Value for that key and
+// A valueCtx carries a key-value pair. It implements Value for that key and
 // delegates all other calls to the embedded Context.
 type valueCtx struct {
 	Context

vendor/golang.org/x/net/http2/client_conn_pool.go

@@ -247,7 +247,7 @@ func filterOutClientConn(in []*ClientConn, exclude *ClientConn) []*ClientConn {
 }
 
 // noDialClientConnPool is an implementation of http2.ClientConnPool
-// which never dials.  We let the HTTP/1.1 client dial and use its TLS
+// which never dials. We let the HTTP/1.1 client dial and use its TLS
 // connection instead.
 type noDialClientConnPool struct{ *clientConnPool }
 

vendor/golang.org/x/net/http2/frame.go

@@ -312,7 +312,7 @@ type Framer struct {
 	MaxHeaderListSize uint32
 
 	// TODO: track which type of frame & with which flags was sent
-	// last.  Then return an error (unless AllowIllegalWrites) if
+	// last. Then return an error (unless AllowIllegalWrites) if
 	// we're in the middle of a header block and a
 	// non-Continuation or Continuation on a different stream is
 	// attempted to be written.
@@ -600,6 +600,7 @@ var (
 	errStreamID    = errors.New("invalid stream ID")
 	errDepStreamID = errors.New("invalid dependent stream ID")
 	errPadLength   = errors.New("pad length too large")
+	errPadBytes    = errors.New("padding bytes must all be zeros unless AllowIllegalWrites is enabled")
 )
 
 func validStreamIDOrZero(streamID uint32) bool {
@@ -623,6 +624,7 @@ func (f *Framer) WriteData(streamID uint32, endStream bool, data []byte) error {
 //
 // If pad is nil, the padding bit is not sent.
 // The length of pad must not exceed 255 bytes.
+// The bytes of pad must all be zero, unless f.AllowIllegalWrites is set.
 //
 // It will perform exactly one Write to the underlying Writer.
 // It is the caller's responsibility not to violate the maximum frame size
@@ -631,8 +633,18 @@ func (f *Framer) WriteDataPadded(streamID uint32, endStream bool, data, pad []by
 	if !validStreamID(streamID) && !f.AllowIllegalWrites {
 		return errStreamID
 	}
-	if len(pad) > 255 {
-		return errPadLength
+	if len(pad) > 0 {
+		if len(pad) > 255 {
+			return errPadLength
+		}
+		if !f.AllowIllegalWrites {
+			for _, b := range pad {
+				if b != 0 {
+					// "Padding octets MUST be set to zero when sending."
+					return errPadBytes
+				}
+			}
+		}
 	}
 	var flags Flags
 	if endStream {
@@ -663,7 +675,7 @@ type SettingsFrame struct {
 func parseSettingsFrame(fh FrameHeader, p []byte) (Frame, error) {
 	if fh.Flags.Has(FlagSettingsAck) && fh.Length > 0 {
 		// When this (ACK 0x1) bit is set, the payload of the
-		// SETTINGS frame MUST be empty.  Receipt of a
+		// SETTINGS frame MUST be empty. Receipt of a
 		// SETTINGS frame with the ACK flag set and a length
 		// field value other than 0 MUST be treated as a
 		// connection error (Section 5.4.1) of type
@@ -672,7 +684,7 @@ func parseSettingsFrame(fh FrameHeader, p []byte) (Frame, error) {
 	}
 	if fh.StreamID != 0 {
 		// SETTINGS frames always apply to a connection,
-		// never a single stream.  The stream identifier for a
+		// never a single stream. The stream identifier for a
 		// SETTINGS frame MUST be zero (0x0).  If an endpoint
 		// receives a SETTINGS frame whose stream identifier
 		// field is anything other than 0x0, the endpoint MUST
@@ -923,7 +935,7 @@ func parseHeadersFrame(fh FrameHeader, p []byte) (_ Frame, err error) {
 		FrameHeader: fh,
 	}
 	if fh.StreamID == 0 {
-		// HEADERS frames MUST be associated with a stream.  If a HEADERS frame
+		// HEADERS frames MUST be associated with a stream. If a HEADERS frame
 		// is received whose stream identifier field is 0x0, the recipient MUST
 		// respond with a connection error (Section 5.4.1) of type
 		// PROTOCOL_ERROR.
@@ -1045,7 +1057,7 @@ type PriorityParam struct {
 	Exclusive bool
 
 	// Weight is the stream's zero-indexed weight. It should be
-	// set together with StreamDep, or neither should be set.  Per
+	// set together with StreamDep, or neither should be set. Per
 	// the spec, "Add one to the value to obtain a weight between
 	// 1 and 256."
 	Weight uint8

vendor/golang.org/x/net/http2/hpack/encode.go

@@ -45,7 +45,7 @@ func NewEncoder(w io.Writer) *Encoder {
 
 // WriteField encodes f into a single Write to e's underlying Writer.
 // This function may also produce bytes for "Header Table Size Update"
-// if necessary.  If produced, it is done before encoding f.
+// if necessary. If produced, it is done before encoding f.
 func (e *Encoder) WriteField(f HeaderField) error {
 	e.buf = e.buf[:0]
 

vendor/golang.org/x/net/http2/hpack/hpack.go

@@ -61,7 +61,7 @@ func (hf HeaderField) String() string {
 func (hf HeaderField) Size() uint32 {
 	// http://http2.github.io/http2-spec/compression.html#rfc.section.4.1
 	// "The size of the dynamic table is the sum of the size of
-	// its entries.  The size of an entry is the sum of its name's
+	// its entries. The size of an entry is the sum of its name's
 	// length in octets (as defined in Section 5.2), its value's
 	// length in octets (see Section 5.2), plus 32.  The size of
 	// an entry is calculated using the length of the name and
@@ -307,7 +307,7 @@ func (d *Decoder) Write(p []byte) (n int, err error) {
 		err = d.parseHeaderFieldRepr()
 		if err == errNeedMore {
 			// Extra paranoia, making sure saveBuf won't
-			// get too large.  All the varint and string
+			// get too large. All the varint and string
 			// reading code earlier should already catch
 			// overlong things and return ErrStringLength,
 			// but keep this as a last resort.

vendor/golang.org/x/net/http2/pipe.go

@@ -10,7 +10,7 @@ import (
 	"sync"
 )
 
-// pipe is a goroutine-safe io.Reader/io.Writer pair.  It's like
+// pipe is a goroutine-safe io.Reader/io.Writer pair. It's like
 // io.Pipe except there are no PipeReader/PipeWriter halves, and the
 // underlying buffer is an interface. (io.Pipe is always unbuffered)
 type pipe struct {

vendor/golang.org/x/net/http2/server.go

@@ -710,7 +710,7 @@ func (sc *serverConn) serve() {
 		return
 	}
 	// Now that we've got the preface, get us out of the
-	// "StateNew" state.  We can't go directly to idle, though.
+	// "StateNew" state. We can't go directly to idle, though.
 	// Active means we read some data and anticipate a request. We'll
 	// do another Active when we get a HEADERS frame.
 	sc.setConnState(http.StateActive)
@@ -2103,8 +2103,8 @@ func (b *requestBody) Read(p []byte) (n int, err error) {
 	return
 }
 
-// responseWriter is the http.ResponseWriter implementation.  It's
-// intentionally small (1 pointer wide) to minimize garbage.  The
+// responseWriter is the http.ResponseWriter implementation. It's
+// intentionally small (1 pointer wide) to minimize garbage. The
 // responseWriterState pointer inside is zeroed at the end of a
 // request (in handlerDone) and calls on the responseWriter thereafter
 // simply crash (caller's mistake), but the much larger responseWriterState
@@ -2278,7 +2278,7 @@ const TrailerPrefix = "Trailer:"
 // says you SHOULD (but not must) predeclare any trailers in the
 // header, the official ResponseWriter rules said trailers in Go must
 // be predeclared, and then we reuse the same ResponseWriter.Header()
-// map to mean both Headers and Trailers.  When it's time to write the
+// map to mean both Headers and Trailers. When it's time to write the
 // Trailers, we pick out the fields of Headers that were declared as
 // trailers. That worked for a while, until we found the first major
 // user of Trailers in the wild: gRPC (using them only over http2),

vendor/golang.org/x/net/http2/transport.go

@@ -575,7 +575,7 @@ func (cc *ClientConn) canTakeNewRequestLocked() bool {
 		cc.nextStreamID < math.MaxInt32
 }
 
-// onIdleTimeout is called from a time.AfterFunc goroutine.  It will
+// onIdleTimeout is called from a time.AfterFunc goroutine. It will
 // only be called when we're idle, but because we're coming from a new
 // goroutine, there could be a new request coming in at the same time,
 // so this simply calls the synchronized closeIfIdle to shut down this
@@ -658,8 +658,6 @@ func commaSeparatedTrailers(req *http.Request) (string, error) {
 	}
 	if len(keys) > 0 {
 		sort.Strings(keys)
-		// TODO: could do better allocation-wise here, but trailers are rare,
-		// so being lazy for now.
 		return strings.Join(keys, ","), nil
 	}
 	return "", nil
@@ -811,8 +809,8 @@ func (cc *ClientConn) RoundTrip(req *http.Request) (*http.Response, error) {
 			// 2xx, however, then assume the server DOES potentially
 			// want our body (e.g. full-duplex streaming:
 			// golang.org/issue/13444). If it turns out the server
-			// doesn't, they'll RST_STREAM us soon enough.  This is a
-			// heuristic to avoid adding knobs to Transport.  Hopefully
+			// doesn't, they'll RST_STREAM us soon enough. This is a
+			// heuristic to avoid adding knobs to Transport. Hopefully
 			// we can keep it.
 			bodyWriter.cancel()
 			cs.abortRequestBodyWrite(errStopReqBodyWrite)

vendor/golang.org/x/net/internal/timeseries/timeseries.go

@@ -371,7 +371,7 @@ func (ts *timeSeries) ComputeRange(start, finish time.Time, num int) []Observabl
 		}
 	}
 
-	// Failed to find a level that covers the desired range.  So just
+	// Failed to find a level that covers the desired range. So just
 	// extract from the last level, even if it doesn't cover the entire
 	// desired range.
 	ts.extract(ts.levels[len(ts.levels)-1], start, finish, num, results)

vendor/golang.org/x/net/trace/events.go

@@ -21,11 +21,6 @@ import (
 	"time"
 )
 
-var eventsTmpl = template.Must(template.New("events").Funcs(template.FuncMap{
-	"elapsed":   elapsed,
-	"trimSpace": strings.TrimSpace,
-}).Parse(eventsHTML))
-
 const maxEventsPerLog = 100
 
 type bucket struct {
@@ -101,7 +96,7 @@ func RenderEvents(w http.ResponseWriter, req *http.Request, sensitive bool) {
 
 	famMu.RLock()
 	defer famMu.RUnlock()
-	if err := eventsTmpl.Execute(w, data); err != nil {
+	if err := eventsTmpl().Execute(w, data); err != nil {
 		log.Printf("net/trace: Failed executing template: %v", err)
 	}
 }
@@ -421,6 +416,19 @@ func freeEventLog(el *eventLog) {
 	}
 }
 
+var eventsTmplCache *template.Template
+var eventsTmplOnce sync.Once
+
+func eventsTmpl() *template.Template {
+	eventsTmplOnce.Do(func() {
+		eventsTmplCache = template.Must(template.New("events").Funcs(template.FuncMap{
+			"elapsed":   elapsed,
+			"trimSpace": strings.TrimSpace,
+		}).Parse(eventsHTML))
+	})
+	return eventsTmplCache
+}
+
 const eventsHTML = `
 <html>
 	<head>

vendor/golang.org/x/net/trace/histogram.go

@@ -12,6 +12,7 @@ import (
 	"html/template"
 	"log"
 	"math"
+	"sync"
 
 	"golang.org/x/net/internal/timeseries"
 )
@@ -320,15 +321,20 @@ func (h *histogram) newData() *data {
 
 func (h *histogram) html() template.HTML {
 	buf := new(bytes.Buffer)
-	if err := distTmpl.Execute(buf, h.newData()); err != nil {
+	if err := distTmpl().Execute(buf, h.newData()); err != nil {
 		buf.Reset()
 		log.Printf("net/trace: couldn't execute template: %v", err)
 	}
 	return template.HTML(buf.String())
 }
 
-// Input: data
-var distTmpl = template.Must(template.New("distTmpl").Parse(`
+var distTmplCache *template.Template
+var distTmplOnce sync.Once
+
+func distTmpl() *template.Template {
+	distTmplOnce.Do(func() {
+		// Input: data
+		distTmplCache = template.Must(template.New("distTmpl").Parse(`
 <table>
 <tr>
     <td style="padding:0.25em">Count: {{.Count}}</td>
@@ -354,3 +360,6 @@ var distTmpl = template.Must(template.New("distTmpl").Parse(`
 {{end}}
 </table>
 `))
+	})
+	return distTmplCache
+}

vendor/golang.org/x/net/trace/trace.go

@@ -238,7 +238,7 @@ func Render(w io.Writer, req *http.Request, sensitive bool) {
 
 	completedMu.RLock()
 	defer completedMu.RUnlock()
-	if err := pageTmpl.ExecuteTemplate(w, "Page", data); err != nil {
+	if err := pageTmpl().ExecuteTemplate(w, "Page", data); err != nil {
 		log.Printf("net/trace: Failed executing template: %v", err)
 	}
 }
@@ -902,10 +902,18 @@ func elapsed(d time.Duration) string {
 	return string(b)
 }
 
-var pageTmpl = template.Must(template.New("Page").Funcs(template.FuncMap{
-	"elapsed": elapsed,
-	"add":     func(a, b int) int { return a + b },
-}).Parse(pageHTML))
+var pageTmplCache *template.Template
+var pageTmplOnce sync.Once
+
+func pageTmpl() *template.Template {
+	pageTmplOnce.Do(func() {
+		pageTmplCache = template.Must(template.New("Page").Funcs(template.FuncMap{
+			"elapsed": elapsed,
+			"add":     func(a, b int) int { return a + b },
+		}).Parse(pageHTML))
+	})
+	return pageTmplCache
+}
 
 const pageHTML = `
 {{template "Prolog" .}}

vendor/golang.org/x/oauth2/internal/oauth2.go

@@ -42,7 +42,7 @@ func ParseKey(key []byte) (*rsa.PrivateKey, error) {
 
 func ParseINI(ini io.Reader) (map[string]map[string]string, error) {
 	result := map[string]map[string]string{
-		"": map[string]string{}, // root section
+		"": {}, // root section
 	}
 	scanner := bufio.NewScanner(ini)
 	currentSection := ""

vendor/golang.org/x/oauth2/internal/token.go

@@ -91,6 +91,7 @@ func (e *expirationTime) UnmarshalJSON(b []byte) error {
 
 var brokenAuthHeaderProviders = []string{
 	"https://accounts.google.com/",
+	"https://api.codeswholesale.com/oauth/token",
 	"https://api.dropbox.com/",
 	"https://api.dropboxapi.com/",
 	"https://api.instagram.com/",
@@ -101,6 +102,7 @@ var brokenAuthHeaderProviders = []string{
 	"https://api.twitch.tv/",
 	"https://app.box.com/",
 	"https://connect.stripe.com/",
+	"https://graph.facebook.com", // see https://github.com/golang/oauth2/issues/214
 	"https://login.microsoftonline.com/",
 	"https://login.salesforce.com/",
 	"https://oauth.sandbox.trainingpeaks.com/",
@@ -118,7 +120,6 @@ var brokenAuthHeaderProviders = []string{
 	"https://www.wunderlist.com/oauth/",
 	"https://api.patreon.com/",
 	"https://sandbox.codeswholesale.com/oauth/token",
-	"https://api.codeswholesale.com/oauth/token",
 }
 
 func RegisterBrokenAuthHeaderProvider(tokenURL string) {
@@ -153,9 +154,9 @@ func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string,
 	if err != nil {
 		return nil, err
 	}
-	v.Set("client_id", clientID)
 	bustedAuth := !providerAuthHeaderWorks(tokenURL)
 	if bustedAuth && clientSecret != "" {
+		v.Set("client_id", clientID)
 		v.Set("client_secret", clientSecret)
 	}
 	req, err := http.NewRequest("POST", tokenURL, strings.NewReader(v.Encode()))

vendor/golang.org/x/oauth2/oauth2.go

@@ -180,7 +180,6 @@ func (c *Config) Exchange(ctx context.Context, code string) (*Token, error) {
 		"grant_type":   {"authorization_code"},
 		"code":         {code},
 		"redirect_uri": internal.CondVal(c.RedirectURL),
-		"scope":        internal.CondVal(strings.Join(c.Scopes, " ")),
 	})
 }
 

vendor/golang.org/x/sys/unix/asm.s

@@ -1,10 +0,0 @@
-// Copyright 2014 The Go Authors.  All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !gccgo
-
-#include "textflag.h"
-
-TEXT ·use(SB),NOSPLIT,$0
-	RET

vendor/golang.org/x/sys/unix/mkall.sh

@@ -89,6 +89,8 @@ case "$1" in
 -syscalls)
 	for i in zsyscall*go
 	do
+		# Run the command line that appears in the first line
+		# of the generated file to regenerate it.
 		sed 1q $i | sed 's;^// ;;' | sh > _$i && gofmt < _$i > $i
 		rm _$i
 	done
@@ -280,7 +282,7 @@ esac
 			syscall_goos="syscall_bsd.go $syscall_goos"
 			;;
 		esac
-		if [ -n "$mksyscall" ]; then echo "$mksyscall $syscall_goos $GOOSARCH_in |gofmt >zsyscall_$GOOSARCH.go"; fi
+		if [ -n "$mksyscall" ]; then echo "$mksyscall -tags $GOOS,$GOARCH $syscall_goos $GOOSARCH_in |gofmt >zsyscall_$GOOSARCH.go"; fi
 		;;
 	esac
 	if [ -n "$mksysctl" ]; then echo "$mksysctl |gofmt >$zsysctl"; fi

vendor/golang.org/x/sys/unix/mkerrors.sh

@@ -114,11 +114,13 @@ includes_Linux='
 #include <sys/time.h>
 #include <sys/socket.h>
 #include <linux/if.h>
+#include <linux/if_alg.h>
 #include <linux/if_arp.h>
 #include <linux/if_ether.h>
 #include <linux/if_tun.h>
 #include <linux/if_packet.h>
 #include <linux/if_addr.h>
+#include <linux/falloc.h>
 #include <linux/filter.h>
 #include <linux/netlink.h>
 #include <linux/reboot.h>
@@ -312,6 +314,7 @@ ccflags="$@"
 		$2 ~ /^IN_/ ||
 		$2 ~ /^LOCK_(SH|EX|NB|UN)$/ ||
 		$2 ~ /^(AF|SOCK|SO|SOL|IPPROTO|IP|IPV6|ICMP6|TCP|EVFILT|NOTE|EV|SHUT|PROT|MAP|PACKET|MSG|SCM|MCL|DT|MADV|PR)_/ ||
+		$2 ~ /^FALLOC_/ ||
 		$2 == "ICMPV6_FILTER" ||
 		$2 == "SOMAXCONN" ||
 		$2 == "NAME_MAX" ||
@@ -341,6 +344,8 @@ ccflags="$@"
 		$2 ~ /^(BPF|DLT)_/ ||
 		$2 ~ /^CLOCK_/ ||
 		$2 ~ /^CAN_/ ||
+		$2 ~ /^ALG_/ ||
+		$2 ~ /^SPLICE_/ ||
 		$2 !~ "WMESGLEN" &&
 		$2 ~ /^W[A-Z0-9]+$/ {printf("\t%s = C.%s\n", $2, $2)}
 		$2 ~ /^__WCOREFLAG$/ {next}
@@ -456,7 +461,7 @@ main(void)
 		printf("\t%d: \"%s\",\n", e, buf);
 	}
 	printf("}\n\n");
-	
+
 	printf("\n\n// Signal table\n");
 	printf("var signals = [...]string {\n");
 	qsort(signals, nelem(signals), sizeof signals[0], intcmp);

vendor/golang.org/x/sys/unix/mksyscall.pl

@@ -29,6 +29,7 @@ my $openbsd = 0;
 my $netbsd = 0;
 my $dragonfly = 0;
 my $arm = 0; # 64-bit value should use (even, odd)-pair
+my $tags = "";  # build tags
 
 if($ARGV[0] eq "-b32") {
 	$_32bit = "big-endian";
@@ -57,14 +58,14 @@ if($ARGV[0] eq "-arm") {
 	$arm = 1;
 	shift;
 }
-
-if($ARGV[0] =~ /^-/) {
-	print STDERR "usage: mksyscall.pl [-b32 | -l32] [file ...]\n";
-	exit 1;
+if($ARGV[0] eq "-tags") {
+	shift;
+	$tags = $ARGV[0];
+	shift;
 }
 
-if($ENV{'GOARCH'} eq "" || $ENV{'GOOS'} eq "") {
-	print STDERR "GOARCH or GOOS not defined in environment\n";
+if($ARGV[0] =~ /^-/) {
+	print STDERR "usage: mksyscall.pl [-b32 | -l32] [-tags x,y] [file ...]\n";
 	exit 1;
 }
 
@@ -132,7 +133,6 @@ while(<>) {
 
 	# Prepare arguments to Syscall.
 	my @args = ();
-	my @uses = ();
 	my $n = 0;
 	foreach my $p (@in) {
 		my ($name, $type) = parseparam($p);
@@ -143,14 +143,12 @@ while(<>) {
 			$text .= "\t_p$n, $errvar = BytePtrFromString($name)\n";
 			$text .= "\tif $errvar != nil {\n\t\treturn\n\t}\n";
 			push @args, "uintptr(unsafe.Pointer(_p$n))";
-			push @uses, "use(unsafe.Pointer(_p$n))";
 			$n++;
 		} elsif($type eq "string") {
 			print STDERR "$ARGV:$.: $func uses string arguments, but has no error return\n";
 			$text .= "\tvar _p$n *byte\n";
 			$text .= "\t_p$n, _ = BytePtrFromString($name)\n";
 			push @args, "uintptr(unsafe.Pointer(_p$n))";
-			push @uses, "use(unsafe.Pointer(_p$n))";
 			$n++;
 		} elsif($type =~ /^\[\](.*)/) {
 			# Convert slice into pointer, length.
@@ -185,7 +183,7 @@ while(<>) {
 			}
 		} elsif($type eq "int64" && $_32bit ne "") {
 			if(@args % 2 && $arm) {
-				# arm abi specifies 64-bit argument uses 
+				# arm abi specifies 64-bit argument uses
 				# (even, odd) pair
 				push @args, "0"
 			}
@@ -278,11 +276,8 @@ while(<>) {
 	} else {
 		$text .= "\t$ret[0], $ret[1], $ret[2] := $call\n";
 	}
-	foreach my $use (@uses) {
-		$text .= "\t$use\n";
-	}
 	$text .= $body;
-	
+
 	if ($plan9 && $ret[2] eq "e1") {
 		$text .= "\tif int32(r0) == -1 {\n";
 		$text .= "\t\terr = e1\n";
@@ -307,7 +302,7 @@ print <<EOF;
 // $cmdline
 // MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
 
-// +build $ENV{'GOARCH'},$ENV{'GOOS'}
+// +build $tags
 
 package unix
 

vendor/golang.org/x/sys/unix/mksyscall_solaris.pl

@@ -12,7 +12,7 @@
 #	* The parameter lists must give a type for each argument:
 #	  the (x, y, z int) shorthand is not allowed.
 #	* If the return parameter is an error number, it must be named err.
-#	* If go func name needs to be different than its libc name, 
+#	* If go func name needs to be different than its libc name,
 #	* or the function is not in libc, name could be specified
 #	* at the end, after "=" sign, like
 #	  //sys getsockopt(s int, level int, name int, val uintptr, vallen *_Socklen) (err error) = libsocket.getsockopt
@@ -22,6 +22,7 @@ use strict;
 my $cmdline = "mksyscall_solaris.pl " . join(' ', @ARGV);
 my $errors = 0;
 my $_32bit = "";
+my $tags = "";  # build tags
 
 binmode STDOUT;
 
@@ -32,14 +33,14 @@ if($ARGV[0] eq "-b32") {
 	$_32bit = "little-endian";
 	shift;
 }
-
-if($ARGV[0] =~ /^-/) {
-	print STDERR "usage: mksyscall_solaris.pl [-b32 | -l32] [file ...]\n";
-	exit 1;
+if($ARGV[0] eq "-tags") {
+	shift;
+	$tags = $ARGV[0];
+	shift;
 }
 
-if($ENV{'GOARCH'} eq "" || $ENV{'GOOS'} eq "") {
-	print STDERR "GOARCH or GOOS not defined in environment\n";
+if($ARGV[0] =~ /^-/) {
+	print STDERR "usage: mksyscall_solaris.pl [-b32 | -l32] [-tags x,y] [file ...]\n";
 	exit 1;
 }
 
@@ -138,7 +139,6 @@ while(<>) {
 
 	# Prepare arguments to Syscall.
 	my @args = ();
-	my @uses = ();
 	my $n = 0;
 	foreach my $p (@in) {
 		my ($name, $type) = parseparam($p);
@@ -149,14 +149,12 @@ while(<>) {
 			$text .= "\t_p$n, $errvar = $strconvfunc($name)\n";
 			$text .= "\tif $errvar != nil {\n\t\treturn\n\t}\n";
 			push @args, "uintptr(unsafe.Pointer(_p$n))";
-			push @uses, "use(unsafe.Pointer(_p$n))";
 			$n++;
 		} elsif($type eq "string") {
 			print STDERR "$ARGV:$.: $func uses string arguments, but has no error return\n";
 			$text .= "\tvar _p$n $strconvtype\n";
 			$text .= "\t_p$n, _ = $strconvfunc($name)\n";
 			push @args, "uintptr(unsafe.Pointer(_p$n))";
-			push @uses, "use(unsafe.Pointer(_p$n))";
 			$n++;
 		} elsif($type =~ /^\[\](.*)/) {
 			# Convert slice into pointer, length.
@@ -243,9 +241,6 @@ while(<>) {
 	} else {
 		$text .= "\t$ret[0], $ret[1], $ret[2] := $call\n";
 	}
-	foreach my $use (@uses) {
-		$text .= "\t$use\n";
-	}
 	$text .= $body;
 
 	if ($do_errno) {
@@ -265,7 +260,7 @@ print <<EOF;
 // $cmdline
 // MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
 
-// +build $ENV{'GOARCH'},$ENV{'GOOS'}
+// +build $tags
 
 package $package
 

vendor/golang.org/x/sys/unix/syscall.go

@@ -21,8 +21,6 @@
 // holds a value of type syscall.Errno.
 package unix
 
-import "unsafe"
-
 // ByteSliceFromString returns a NUL-terminated slice of bytes
 // containing the text of s. If s contains a NUL byte at any
 // location, it returns (nil, EINVAL).
@@ -69,8 +67,3 @@ func (tv *Timeval) Nano() int64 {
 }
 
 func TimevalToNsec(tv Timeval) int64 { return int64(tv.Sec)*1e9 + int64(tv.Usec)*1e3 }
-
-// use is a no-op, but the compiler cannot see that it is.
-// Calling use(p) ensures that p is kept live until that point.
-//go:noescape
-func use(p unsafe.Pointer)

vendor/golang.org/x/sys/unix/syscall_darwin.go

@@ -144,7 +144,6 @@ func getAttrList(path string, attrList attrList, attrBuf []byte, options uint) (
 		uintptr(options),
 		0,
 	)
-	use(unsafe.Pointer(_p0))
 	if e1 != 0 {
 		return nil, e1
 	}
@@ -197,7 +196,6 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 		bufsize = unsafe.Sizeof(Statfs_t{}) * uintptr(len(buf))
 	}
 	r0, _, e1 := Syscall(SYS_GETFSSTAT64, uintptr(_p0), bufsize, uintptr(flags))
-	use(unsafe.Pointer(_p0))
 	n = int(r0)
 	if e1 != 0 {
 		err = e1

vendor/golang.org/x/sys/unix/syscall_dragonfly.go

@@ -109,7 +109,6 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 		bufsize = unsafe.Sizeof(Statfs_t{}) * uintptr(len(buf))
 	}
 	r0, _, e1 := Syscall(SYS_GETFSSTAT, uintptr(_p0), bufsize, uintptr(flags))
-	use(unsafe.Pointer(_p0))
 	n = int(r0)
 	if e1 != 0 {
 		err = e1

vendor/golang.org/x/sys/unix/syscall_freebsd.go

@@ -129,7 +129,6 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 		bufsize = unsafe.Sizeof(Statfs_t{}) * uintptr(len(buf))
 	}
 	r0, _, e1 := Syscall(SYS_GETFSSTAT, uintptr(_p0), bufsize, uintptr(flags))
-	use(unsafe.Pointer(_p0))
 	n = int(r0)
 	if e1 != 0 {
 		err = e1

vendor/golang.org/x/sys/unix/syscall_linux.go

@@ -452,6 +452,105 @@ func (sa *SockaddrCAN) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	return unsafe.Pointer(&sa.raw), SizeofSockaddrCAN, nil
 }
 
+// SockaddrALG implements the Sockaddr interface for AF_ALG type sockets.
+// SockaddrALG enables userspace access to the Linux kernel's cryptography
+// subsystem. The Type and Name fields specify which type of hash or cipher
+// should be used with a given socket.
+//
+// To create a file descriptor that provides access to a hash or cipher, both
+// Bind and Accept must be used. Once the setup process is complete, input
+// data can be written to the socket, processed by the kernel, and then read
+// back as hash output or ciphertext.
+//
+// Here is an example of using an AF_ALG socket with SHA1 hashing.
+// The initial socket setup process is as follows:
+//
+//      // Open a socket to perform SHA1 hashing.
+//      fd, _ := unix.Socket(unix.AF_ALG, unix.SOCK_SEQPACKET, 0)
+//      addr := &unix.SockaddrALG{Type: "hash", Name: "sha1"}
+//      unix.Bind(fd, addr)
+//      // Note: unix.Accept does not work at this time; must invoke accept()
+//      // manually using unix.Syscall.
+//      hashfd, _, _ := unix.Syscall(unix.SYS_ACCEPT, uintptr(fd), 0, 0)
+//
+// Once a file descriptor has been returned from Accept, it may be used to
+// perform SHA1 hashing. The descriptor is not safe for concurrent use, but
+// may be re-used repeatedly with subsequent Write and Read operations.
+//
+// When hashing a small byte slice or string, a single Write and Read may
+// be used:
+//
+//      // Assume hashfd is already configured using the setup process.
+//      hash := os.NewFile(hashfd, "sha1")
+//      // Hash an input string and read the results. Each Write discards
+//      // previous hash state. Read always reads the current state.
+//      b := make([]byte, 20)
+//      for i := 0; i < 2; i++ {
+//          io.WriteString(hash, "Hello, world.")
+//          hash.Read(b)
+//          fmt.Println(hex.EncodeToString(b))
+//      }
+//      // Output:
+//      // 2ae01472317d1935a84797ec1983ae243fc6aa28
+//      // 2ae01472317d1935a84797ec1983ae243fc6aa28
+//
+// For hashing larger byte slices, or byte streams such as those read from
+// a file or socket, use Sendto with MSG_MORE to instruct the kernel to update
+// the hash digest instead of creating a new one for a given chunk and finalizing it.
+//
+//      // Assume hashfd and addr are already configured using the setup process.
+//      hash := os.NewFile(hashfd, "sha1")
+//      // Hash the contents of a file.
+//      f, _ := os.Open("/tmp/linux-4.10-rc7.tar.xz")
+//      b := make([]byte, 4096)
+//      for {
+//          n, err := f.Read(b)
+//          if err == io.EOF {
+//              break
+//          }
+//          unix.Sendto(hashfd, b[:n], unix.MSG_MORE, addr)
+//      }
+//      hash.Read(b)
+//      fmt.Println(hex.EncodeToString(b))
+//      // Output: 85cdcad0c06eef66f805ecce353bec9accbeecc5
+//
+// For more information, see: http://www.chronox.de/crypto-API/crypto/userspace-if.html.
+type SockaddrALG struct {
+	Type    string
+	Name    string
+	Feature uint32
+	Mask    uint32
+	raw     RawSockaddrALG
+}
+
+func (sa *SockaddrALG) sockaddr() (unsafe.Pointer, _Socklen, error) {
+	// Leave room for NUL byte terminator.
+	if len(sa.Type) > 13 {
+		return nil, 0, EINVAL
+	}
+	if len(sa.Name) > 63 {
+		return nil, 0, EINVAL
+	}
+
+	sa.raw.Family = AF_ALG
+	sa.raw.Feat = sa.Feature
+	sa.raw.Mask = sa.Mask
+
+	typ, err := ByteSliceFromString(sa.Type)
+	if err != nil {
+		return nil, 0, err
+	}
+	name, err := ByteSliceFromString(sa.Name)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	copy(sa.raw.Type[:], typ)
+	copy(sa.raw.Name[:], name)
+
+	return unsafe.Pointer(&sa.raw), SizeofSockaddrALG, nil
+}
+
 func anyToSockaddr(rsa *RawSockaddrAny) (Sockaddr, error) {
 	switch rsa.Addr.Family {
 	case AF_NETLINK:
@@ -1019,6 +1118,25 @@ func Munmap(b []byte) (err error) {
 //sys	Mlockall(flags int) (err error)
 //sys	Munlockall() (err error)
 
+// Vmsplice splices user pages from a slice of Iovecs into a pipe specified by fd,
+// using the specified flags.
+func Vmsplice(fd int, iovs []Iovec, flags int) (int, error) {
+	n, _, errno := Syscall6(
+		SYS_VMSPLICE,
+		uintptr(fd),
+		uintptr(unsafe.Pointer(&iovs[0])),
+		uintptr(len(iovs)),
+		uintptr(flags),
+		0,
+		0,
+	)
+	if errno != 0 {
+		return 0, syscall.Errno(errno)
+	}
+
+	return int(n), nil
+}
+
 /*
  * Unimplemented
  */
@@ -1146,7 +1264,6 @@ func Munmap(b []byte) (err error) {
 // Utimensat
 // Vfork
 // Vhangup
-// Vmsplice
 // Vserver
 // Waitid
 // _Sysctl

vendor/golang.org/x/sys/unix/syscall_linux_mipsx.go

@@ -73,7 +73,6 @@ func Syscall9(trap, a1, a2, a3, a4, a5, a6, a7, a8, a9 uintptr) (r1, r2 uintptr,
 
 func Fstatfs(fd int, buf *Statfs_t) (err error) {
 	_, _, e := Syscall(SYS_FSTATFS64, uintptr(fd), unsafe.Sizeof(*buf), uintptr(unsafe.Pointer(buf)))
-	use(unsafe.Pointer(buf))
 	if e != 0 {
 		err = errnoErr(e)
 	}
@@ -86,7 +85,6 @@ func Statfs(path string, buf *Statfs_t) (err error) {
 		return err
 	}
 	_, _, e := Syscall(SYS_STATFS64, uintptr(unsafe.Pointer(p)), unsafe.Sizeof(*buf), uintptr(unsafe.Pointer(buf)))
-	use(unsafe.Pointer(p))
 	if e != 0 {
 		err = errnoErr(e)
 	}

vendor/golang.org/x/sys/unix/syscall_linux_s390x.go

@@ -132,7 +132,6 @@ func (cmsg *Cmsghdr) SetLen(length int) {
 func mmap(addr uintptr, length uintptr, prot int, flags int, fd int, offset int64) (xaddr uintptr, err error) {
 	mmap_args := [6]uintptr{addr, length, uintptr(prot), uintptr(flags), uintptr(fd), uintptr(offset)}
 	r0, _, e1 := Syscall(SYS_MMAP, uintptr(unsafe.Pointer(&mmap_args[0])), 0, 0)
-	use(unsafe.Pointer(&mmap_args[0]))
 	xaddr = uintptr(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)

vendor/golang.org/x/sys/unix/syscall_openbsd.go

@@ -111,7 +111,6 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 		bufsize = unsafe.Sizeof(Statfs_t{}) * uintptr(len(buf))
 	}
 	r0, _, e1 := Syscall(SYS_GETFSSTAT, uintptr(_p0), bufsize, uintptr(flags))
-	use(unsafe.Pointer(_p0))
 	n = int(r0)
 	if e1 != 0 {
 		err = e1

vendor/golang.org/x/sys/unix/types_linux.go

@@ -59,6 +59,7 @@ package unix
 #include <bluetooth/bluetooth.h>
 #include <bluetooth/hci.h>
 #include <linux/can.h>
+#include <linux/if_alg.h>
 
 #ifdef TCSETS2
 // On systems that have "struct termios2" use this as type Termios.
@@ -221,6 +222,8 @@ type RawSockaddrHCI C.struct_sockaddr_hci
 
 type RawSockaddrCAN C.struct_sockaddr_can
 
+type RawSockaddrALG C.struct_sockaddr_alg
+
 type RawSockaddr C.struct_sockaddr
 
 type RawSockaddrAny C.struct_sockaddr_any
@@ -262,6 +265,7 @@ const (
 	SizeofSockaddrNetlink   = C.sizeof_struct_sockaddr_nl
 	SizeofSockaddrHCI       = C.sizeof_struct_sockaddr_hci
 	SizeofSockaddrCAN       = C.sizeof_struct_sockaddr_can
+	SizeofSockaddrALG       = C.sizeof_struct_sockaddr_alg
 	SizeofLinger            = C.sizeof_struct_linger
 	SizeofIPMreq            = C.sizeof_struct_ip_mreq
 	SizeofIPMreqn           = C.sizeof_struct_ip_mreqn

vendor/golang.org/x/sys/unix/zerrors_linux_386.go

@@ -53,6 +53,13 @@ const (
 	AF_UNSPEC                        = 0x0
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
 	ARPHRD_ARCNET                    = 0x7
@@ -385,6 +392,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FF0                              = 0x0
@@ -1292,6 +1305,10 @@ const (
 	SO_TIMESTAMPING                  = 0x25
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x3
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go

@@ -53,6 +53,13 @@ const (
 	AF_UNSPEC                        = 0x0
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
 	ARPHRD_ARCNET                    = 0x7
@@ -385,6 +392,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FF0                              = 0x0
@@ -1293,6 +1306,10 @@ const (
 	SO_TIMESTAMPING                  = 0x25
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x3
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_arm.go

@@ -52,6 +52,13 @@ const (
 	AF_UNSPEC                        = 0x0
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
 	ARPHRD_ARCNET                    = 0x7
@@ -370,6 +377,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FF0                              = 0x0
@@ -1216,6 +1229,10 @@ const (
 	SO_TIMESTAMPING                  = 0x25
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x3
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go

@@ -54,6 +54,13 @@ const (
 	AF_VSOCK                         = 0x28
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
 	ARPHRD_ARCNET                    = 0x7
@@ -399,6 +406,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FF0                              = 0x0
@@ -1348,6 +1361,10 @@ const (
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x3
 	SO_WIFI_STATUS                   = 0x29
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_mips.go

@@ -52,6 +52,13 @@ const (
 	AF_UNSPEC                        = 0x0
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
 	ARPHRD_ARCNET                    = 0x7
@@ -375,6 +382,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FF0                              = 0x0
@@ -1267,6 +1280,10 @@ const (
 	SO_TIMESTAMPING                  = 0x25
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x1008
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go

@@ -56,6 +56,13 @@ const (
 	AF_VSOCK                         = 0x28
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_6LOWPAN                   = 0x339
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
@@ -374,6 +381,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FLUSHO                           = 0x2000
@@ -1363,6 +1376,10 @@ const (
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x1008
 	SO_WIFI_STATUS                   = 0x29
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go

@@ -56,6 +56,13 @@ const (
 	AF_VSOCK                         = 0x28
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_6LOWPAN                   = 0x339
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
@@ -374,6 +381,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FLUSHO                           = 0x2000
@@ -1363,6 +1376,10 @@ const (
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x1008
 	SO_WIFI_STATUS                   = 0x29
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go

@@ -57,6 +57,13 @@ const (
 	AF_VSOCK                         = 0x28
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_6LOWPAN                   = 0x339
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
@@ -411,6 +418,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FF0                              = 0x0
@@ -1438,6 +1451,10 @@ const (
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x1008
 	SO_WIFI_STATUS                   = 0x29
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go

@@ -54,6 +54,13 @@ const (
 	AF_VSOCK                         = 0x28
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_6LOWPAN                   = 0x339
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
@@ -401,6 +408,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FF0                              = 0x0
@@ -1416,6 +1429,10 @@ const (
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x3
 	SO_WIFI_STATUS                   = 0x29
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go

@@ -54,6 +54,13 @@ const (
 	AF_VSOCK                         = 0x28
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
 	ARPHRD_ARCNET                    = 0x7
@@ -397,6 +404,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FF0                              = 0x0
@@ -1415,6 +1428,10 @@ const (
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x3
 	SO_WIFI_STATUS                   = 0x29
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000

vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go

@@ -56,6 +56,13 @@ const (
 	AF_VSOCK                         = 0x28
 	AF_WANPIPE                       = 0x19
 	AF_X25                           = 0x9
+	ALG_OP_DECRYPT                   = 0x0
+	ALG_OP_ENCRYPT                   = 0x1
+	ALG_SET_AEAD_ASSOCLEN            = 0x4
+	ALG_SET_AEAD_AUTHSIZE            = 0x5
+	ALG_SET_IV                       = 0x2
+	ALG_SET_KEY                      = 0x1
+	ALG_SET_OP                       = 0x3
 	ARPHRD_6LOWPAN                   = 0x339
 	ARPHRD_ADAPT                     = 0x108
 	ARPHRD_APPLETLK                  = 0x8
@@ -407,6 +414,12 @@ const (
 	EXTA                             = 0xe
 	EXTB                             = 0xf
 	EXTPROC                          = 0x10000
+	FALLOC_FL_COLLAPSE_RANGE         = 0x8
+	FALLOC_FL_INSERT_RANGE           = 0x20
+	FALLOC_FL_KEEP_SIZE              = 0x1
+	FALLOC_FL_NO_HIDE_STALE          = 0x4
+	FALLOC_FL_PUNCH_HOLE             = 0x2
+	FALLOC_FL_ZERO_RANGE             = 0x10
 	FD_CLOEXEC                       = 0x1
 	FD_SETSIZE                       = 0x400
 	FF0                              = 0x0
@@ -1470,6 +1483,10 @@ const (
 	SO_TIMESTAMPNS                   = 0x23
 	SO_TYPE                          = 0x3
 	SO_WIFI_STATUS                   = 0x29
+	SPLICE_F_GIFT                    = 0x8
+	SPLICE_F_MORE                    = 0x4
+	SPLICE_F_MOVE                    = 0x1
+	SPLICE_F_NONBLOCK                = 0x2
 	S_BLKSIZE                        = 0x200
 	S_IEXEC                          = 0x40
 	S_IFBLK                          = 0x6000