use go 1.12

Signed-off-by: hongming <talonwan@yunify.com>

vendor/github.com/lucas-clemente/quic-go/internal/crypto/AEAD.go

@@ -0,0 +1,10 @@
+package crypto
+
+import "github.com/lucas-clemente/quic-go/internal/protocol"
+
+// An AEAD implements QUIC's authenticated encryption and associated data
+type AEAD interface {
+	Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error)
+	Seal(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) []byte
+	Overhead() int
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/aesgcm12_aead.go

@@ -0,0 +1,72 @@
+package crypto
+
+import (
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+
+	"github.com/lucas-clemente/aes12"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+type aeadAESGCM12 struct {
+	otherIV   []byte
+	myIV      []byte
+	encrypter cipher.AEAD
+	decrypter cipher.AEAD
+}
+
+var _ AEAD = &aeadAESGCM12{}
+
+// NewAEADAESGCM12 creates a AEAD using AES-GCM with 12 bytes tag size
+//
+// AES-GCM support is a bit hacky, since the go stdlib does not support 12 byte
+// tag size, and couples the cipher and aes packages closely.
+// See https://github.com/lucas-clemente/aes12.
+func NewAEADAESGCM12(otherKey []byte, myKey []byte, otherIV []byte, myIV []byte) (AEAD, error) {
+	if len(myKey) != 16 || len(otherKey) != 16 || len(myIV) != 4 || len(otherIV) != 4 {
+		return nil, errors.New("AES-GCM: expected 16-byte keys and 4-byte IVs")
+	}
+	encrypterCipher, err := aes12.NewCipher(myKey)
+	if err != nil {
+		return nil, err
+	}
+	encrypter, err := aes12.NewGCM(encrypterCipher)
+	if err != nil {
+		return nil, err
+	}
+	decrypterCipher, err := aes12.NewCipher(otherKey)
+	if err != nil {
+		return nil, err
+	}
+	decrypter, err := aes12.NewGCM(decrypterCipher)
+	if err != nil {
+		return nil, err
+	}
+	return &aeadAESGCM12{
+		otherIV:   otherIV,
+		myIV:      myIV,
+		encrypter: encrypter,
+		decrypter: decrypter,
+	}, nil
+}
+
+func (aead *aeadAESGCM12) Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) {
+	return aead.decrypter.Open(dst, aead.makeNonce(aead.otherIV, packetNumber), src, associatedData)
+}
+
+func (aead *aeadAESGCM12) Seal(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) []byte {
+	return aead.encrypter.Seal(dst, aead.makeNonce(aead.myIV, packetNumber), src, associatedData)
+}
+
+func (aead *aeadAESGCM12) makeNonce(iv []byte, packetNumber protocol.PacketNumber) []byte {
+	res := make([]byte, 12)
+	copy(res[0:4], iv)
+	binary.LittleEndian.PutUint64(res[4:12], uint64(packetNumber))
+	return res
+}
+
+func (aead *aeadAESGCM12) Overhead() int {
+	return aead.encrypter.Overhead()
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/aesgcm_aead.go

@@ -0,0 +1,74 @@
+package crypto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+type aeadAESGCM struct {
+	otherIV   []byte
+	myIV      []byte
+	encrypter cipher.AEAD
+	decrypter cipher.AEAD
+}
+
+var _ AEAD = &aeadAESGCM{}
+
+const ivLen = 12
+
+// NewAEADAESGCM creates a AEAD using AES-GCM
+func NewAEADAESGCM(otherKey []byte, myKey []byte, otherIV []byte, myIV []byte) (AEAD, error) {
+	// the IVs need to be at least 8 bytes long, otherwise we can't compute the nonce
+	if len(otherIV) != ivLen || len(myIV) != ivLen {
+		return nil, errors.New("AES-GCM: expected 12 byte IVs")
+	}
+
+	encrypterCipher, err := aes.NewCipher(myKey)
+	if err != nil {
+		return nil, err
+	}
+	encrypter, err := cipher.NewGCM(encrypterCipher)
+	if err != nil {
+		return nil, err
+	}
+	decrypterCipher, err := aes.NewCipher(otherKey)
+	if err != nil {
+		return nil, err
+	}
+	decrypter, err := cipher.NewGCM(decrypterCipher)
+	if err != nil {
+		return nil, err
+	}
+
+	return &aeadAESGCM{
+		otherIV:   otherIV,
+		myIV:      myIV,
+		encrypter: encrypter,
+		decrypter: decrypter,
+	}, nil
+}
+
+func (aead *aeadAESGCM) Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) {
+	return aead.decrypter.Open(dst, aead.makeNonce(aead.otherIV, packetNumber), src, associatedData)
+}
+
+func (aead *aeadAESGCM) Seal(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) []byte {
+	return aead.encrypter.Seal(dst, aead.makeNonce(aead.myIV, packetNumber), src, associatedData)
+}
+
+func (aead *aeadAESGCM) makeNonce(iv []byte, packetNumber protocol.PacketNumber) []byte {
+	nonce := make([]byte, ivLen)
+	binary.BigEndian.PutUint64(nonce[ivLen-8:], uint64(packetNumber))
+	for i := 0; i < ivLen; i++ {
+		nonce[i] ^= iv[i]
+	}
+	return nonce
+}
+
+func (aead *aeadAESGCM) Overhead() int {
+	return aead.encrypter.Overhead()
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_cache.go

@@ -0,0 +1,48 @@
+package crypto
+
+import (
+	"fmt"
+	"hash/fnv"
+
+	"github.com/hashicorp/golang-lru"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+var (
+	compressedCertsCache *lru.Cache
+)
+
+func getCompressedCert(chain [][]byte, pCommonSetHashes, pCachedHashes []byte) ([]byte, error) {
+	// Hash all inputs
+	hasher := fnv.New64a()
+	for _, v := range chain {
+		hasher.Write(v)
+	}
+	hasher.Write(pCommonSetHashes)
+	hasher.Write(pCachedHashes)
+	hash := hasher.Sum64()
+
+	var result []byte
+
+	resultI, isCached := compressedCertsCache.Get(hash)
+	if isCached {
+		result = resultI.([]byte)
+	} else {
+		var err error
+		result, err = compressChain(chain, pCommonSetHashes, pCachedHashes)
+		if err != nil {
+			return nil, err
+		}
+		compressedCertsCache.Add(hash, result)
+	}
+
+	return result, nil
+}
+
+func init() {
+	var err error
+	compressedCertsCache, err = lru.New(protocol.NumCachedCertificates)
+	if err != nil {
+		panic(fmt.Sprintf("fatal error in quic-go: could not create lru cache: %s", err.Error()))
+	}
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_chain.go

@@ -0,0 +1,118 @@
+package crypto
+
+import (
+	"crypto/tls"
+	"errors"
+	"strings"
+)
+
+// A CertChain holds a certificate and a private key
+type CertChain interface {
+	SignServerProof(sni string, chlo []byte, serverConfigData []byte) ([]byte, error)
+	GetCertsCompressed(sni string, commonSetHashes, cachedHashes []byte) ([]byte, error)
+	GetLeafCert(sni string) ([]byte, error)
+}
+
+// proofSource stores a key and a certificate for the server proof
+type certChain struct {
+	config *tls.Config
+}
+
+var _ CertChain = &certChain{}
+
+var errNoMatchingCertificate = errors.New("no matching certificate found")
+
+// NewCertChain loads the key and cert from files
+func NewCertChain(tlsConfig *tls.Config) CertChain {
+	return &certChain{config: tlsConfig}
+}
+
+// SignServerProof signs CHLO and server config for use in the server proof
+func (c *certChain) SignServerProof(sni string, chlo []byte, serverConfigData []byte) ([]byte, error) {
+	cert, err := c.getCertForSNI(sni)
+	if err != nil {
+		return nil, err
+	}
+
+	return signServerProof(cert, chlo, serverConfigData)
+}
+
+// GetCertsCompressed gets the certificate in the format described by the QUIC crypto doc
+func (c *certChain) GetCertsCompressed(sni string, pCommonSetHashes, pCachedHashes []byte) ([]byte, error) {
+	cert, err := c.getCertForSNI(sni)
+	if err != nil {
+		return nil, err
+	}
+	return getCompressedCert(cert.Certificate, pCommonSetHashes, pCachedHashes)
+}
+
+// GetLeafCert gets the leaf certificate
+func (c *certChain) GetLeafCert(sni string) ([]byte, error) {
+	cert, err := c.getCertForSNI(sni)
+	if err != nil {
+		return nil, err
+	}
+	return cert.Certificate[0], nil
+}
+
+func (c *certChain) getCertForSNI(sni string) (*tls.Certificate, error) {
+	conf, err := maybeGetConfigForClient(c.config, sni)
+	if err != nil {
+		return nil, err
+	}
+	// The rest of this function is mostly copied from crypto/tls.getCertificate
+
+	if conf.GetCertificate != nil {
+		cert, err := conf.GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
+		if cert != nil || err != nil {
+			return cert, err
+		}
+	}
+
+	if len(conf.Certificates) == 0 {
+		return nil, errNoMatchingCertificate
+	}
+
+	if len(conf.Certificates) == 1 || conf.NameToCertificate == nil {
+		// There's only one choice, so no point doing any work.
+		return &conf.Certificates[0], nil
+	}
+
+	name := strings.ToLower(sni)
+	for len(name) > 0 && name[len(name)-1] == '.' {
+		name = name[:len(name)-1]
+	}
+
+	if cert, ok := conf.NameToCertificate[name]; ok {
+		return cert, nil
+	}
+
+	// try replacing labels in the name with wildcards until we get a
+	// match.
+	labels := strings.Split(name, ".")
+	for i := range labels {
+		labels[i] = "*"
+		candidate := strings.Join(labels, ".")
+		if cert, ok := conf.NameToCertificate[candidate]; ok {
+			return cert, nil
+		}
+	}
+
+	// If nothing matches, return the first certificate.
+	return &conf.Certificates[0], nil
+}
+
+func maybeGetConfigForClient(c *tls.Config, sni string) (*tls.Config, error) {
+	if c.GetConfigForClient == nil {
+		return c, nil
+	}
+	confForClient, err := c.GetConfigForClient(&tls.ClientHelloInfo{ServerName: sni})
+	if err != nil {
+		return nil, err
+	}
+	// if GetConfigForClient returns nil, use the original config
+	if confForClient == nil {
+		return c, nil
+	}
+	return confForClient, nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_compression.go

@@ -0,0 +1,272 @@
+package crypto
+
+import (
+	"bytes"
+	"compress/flate"
+	"compress/zlib"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"hash/fnv"
+
+	"github.com/lucas-clemente/quic-go/internal/utils"
+)
+
+type entryType uint8
+
+const (
+	entryCompressed entryType = 1
+	entryCached     entryType = 2
+	entryCommon     entryType = 3
+)
+
+type entry struct {
+	t entryType
+	h uint64 // set hash
+	i uint32 // index
+}
+
+func compressChain(chain [][]byte, pCommonSetHashes, pCachedHashes []byte) ([]byte, error) {
+	res := &bytes.Buffer{}
+
+	cachedHashes, err := splitHashes(pCachedHashes)
+	if err != nil {
+		return nil, err
+	}
+
+	setHashes, err := splitHashes(pCommonSetHashes)
+	if err != nil {
+		return nil, err
+	}
+
+	chainHashes := make([]uint64, len(chain))
+	for i := range chain {
+		chainHashes[i] = HashCert(chain[i])
+	}
+
+	entries := buildEntries(chain, chainHashes, cachedHashes, setHashes)
+
+	totalUncompressedLen := 0
+	for i, e := range entries {
+		res.WriteByte(uint8(e.t))
+		switch e.t {
+		case entryCached:
+			utils.LittleEndian.WriteUint64(res, e.h)
+		case entryCommon:
+			utils.LittleEndian.WriteUint64(res, e.h)
+			utils.LittleEndian.WriteUint32(res, e.i)
+		case entryCompressed:
+			totalUncompressedLen += 4 + len(chain[i])
+		}
+	}
+	res.WriteByte(0) // end of list
+
+	if totalUncompressedLen > 0 {
+		gz, err := zlib.NewWriterLevelDict(res, flate.BestCompression, buildZlibDictForEntries(entries, chain))
+		if err != nil {
+			return nil, fmt.Errorf("cert compression failed: %s", err.Error())
+		}
+
+		utils.LittleEndian.WriteUint32(res, uint32(totalUncompressedLen))
+
+		for i, e := range entries {
+			if e.t != entryCompressed {
+				continue
+			}
+			lenCert := len(chain[i])
+			gz.Write([]byte{
+				byte(lenCert & 0xff),
+				byte((lenCert >> 8) & 0xff),
+				byte((lenCert >> 16) & 0xff),
+				byte((lenCert >> 24) & 0xff),
+			})
+			gz.Write(chain[i])
+		}
+
+		gz.Close()
+	}
+
+	return res.Bytes(), nil
+}
+
+func decompressChain(data []byte) ([][]byte, error) {
+	var chain [][]byte
+	var entries []entry
+	r := bytes.NewReader(data)
+
+	var numCerts int
+	var hasCompressedCerts bool
+	for {
+		entryTypeByte, err := r.ReadByte()
+		if entryTypeByte == 0 {
+			break
+		}
+
+		et := entryType(entryTypeByte)
+		if err != nil {
+			return nil, err
+		}
+
+		numCerts++
+
+		switch et {
+		case entryCached:
+			// we're not sending any certificate hashes in the CHLO, so there shouldn't be any cached certificates in the chain
+			return nil, errors.New("unexpected cached certificate")
+		case entryCommon:
+			e := entry{t: entryCommon}
+			e.h, err = utils.LittleEndian.ReadUint64(r)
+			if err != nil {
+				return nil, err
+			}
+			e.i, err = utils.LittleEndian.ReadUint32(r)
+			if err != nil {
+				return nil, err
+			}
+			certSet, ok := certSets[e.h]
+			if !ok {
+				return nil, errors.New("unknown certSet")
+			}
+			if e.i >= uint32(len(certSet)) {
+				return nil, errors.New("certificate not found in certSet")
+			}
+			entries = append(entries, e)
+			chain = append(chain, certSet[e.i])
+		case entryCompressed:
+			hasCompressedCerts = true
+			entries = append(entries, entry{t: entryCompressed})
+			chain = append(chain, nil)
+		default:
+			return nil, errors.New("unknown entryType")
+		}
+	}
+
+	if numCerts == 0 {
+		return make([][]byte, 0), nil
+	}
+
+	if hasCompressedCerts {
+		uncompressedLength, err := utils.LittleEndian.ReadUint32(r)
+		if err != nil {
+			fmt.Println(4)
+			return nil, err
+		}
+
+		zlibDict := buildZlibDictForEntries(entries, chain)
+		gz, err := zlib.NewReaderDict(r, zlibDict)
+		if err != nil {
+			return nil, err
+		}
+		defer gz.Close()
+
+		var totalLength uint32
+		var certIndex int
+		for totalLength < uncompressedLength {
+			lenBytes := make([]byte, 4)
+			_, err := gz.Read(lenBytes)
+			if err != nil {
+				return nil, err
+			}
+			certLen := binary.LittleEndian.Uint32(lenBytes)
+
+			cert := make([]byte, certLen)
+			n, err := gz.Read(cert)
+			if uint32(n) != certLen && err != nil {
+				return nil, err
+			}
+
+			for {
+				if certIndex >= len(entries) {
+					return nil, errors.New("CertCompression BUG: no element to save uncompressed certificate")
+				}
+				if entries[certIndex].t == entryCompressed {
+					chain[certIndex] = cert
+					certIndex++
+					break
+				}
+				certIndex++
+			}
+
+			totalLength += 4 + certLen
+		}
+	}
+
+	return chain, nil
+}
+
+func buildEntries(chain [][]byte, chainHashes, cachedHashes, setHashes []uint64) []entry {
+	res := make([]entry, len(chain))
+chainLoop:
+	for i := range chain {
+		// Check if hash is in cachedHashes
+		for j := range cachedHashes {
+			if chainHashes[i] == cachedHashes[j] {
+				res[i] = entry{t: entryCached, h: chainHashes[i]}
+				continue chainLoop
+			}
+		}
+
+		// Go through common sets and check if it's in there
+		for _, setHash := range setHashes {
+			set, ok := certSets[setHash]
+			if !ok {
+				// We don't have this set
+				continue
+			}
+			// We have this set, check if chain[i] is in the set
+			pos := set.findCertInSet(chain[i])
+			if pos >= 0 {
+				// Found
+				res[i] = entry{t: entryCommon, h: setHash, i: uint32(pos)}
+				continue chainLoop
+			}
+		}
+
+		res[i] = entry{t: entryCompressed}
+	}
+	return res
+}
+
+func buildZlibDictForEntries(entries []entry, chain [][]byte) []byte {
+	var dict bytes.Buffer
+
+	// First the cached and common in reverse order
+	for i := len(entries) - 1; i >= 0; i-- {
+		if entries[i].t == entryCompressed {
+			continue
+		}
+		dict.Write(chain[i])
+	}
+
+	dict.Write(certDictZlib)
+	return dict.Bytes()
+}
+
+func splitHashes(hashes []byte) ([]uint64, error) {
+	if len(hashes)%8 != 0 {
+		return nil, errors.New("expected a multiple of 8 bytes for CCS / CCRT hashes")
+	}
+	n := len(hashes) / 8
+	res := make([]uint64, n)
+	for i := 0; i < n; i++ {
+		res[i] = binary.LittleEndian.Uint64(hashes[i*8 : (i+1)*8])
+	}
+	return res, nil
+}
+
+func getCommonCertificateHashes() []byte {
+	ccs := make([]byte, 8*len(certSets))
+	i := 0
+	for certSetHash := range certSets {
+		binary.LittleEndian.PutUint64(ccs[i*8:(i+1)*8], certSetHash)
+		i++
+	}
+	return ccs
+}
+
+// HashCert calculates the FNV1a hash of a certificate
+func HashCert(cert []byte) uint64 {
+	h := fnv.New64a()
+	h.Write(cert)
+	return h.Sum64()
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_dict.go

@@ -0,0 +1,128 @@
+package crypto
+
+var certDictZlib = []byte{
+	0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04,
+	0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03,
+	0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30,
+	0x5f, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, 0x01,
+	0x06, 0x06, 0x0b, 0x60, 0x86, 0x48, 0x01, 0x86, 0xfd, 0x6d, 0x01, 0x07,
+	0x17, 0x01, 0x30, 0x33, 0x20, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x64, 0x65,
+	0x64, 0x20, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x20, 0x53, 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, 0x31, 0x34,
+	0x20, 0x53, 0x53, 0x4c, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31,
+	0x32, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x53, 0x65, 0x72,
+	0x76, 0x65, 0x72, 0x20, 0x43, 0x41, 0x30, 0x2d, 0x61, 0x69, 0x61, 0x2e,
+	0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d,
+	0x2f, 0x45, 0x2d, 0x63, 0x72, 0x6c, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x73,
+	0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x45, 0x2e, 0x63, 0x65,
+	0x72, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+	0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x4a, 0x2e, 0x63,
+	0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73,
+	0x2f, 0x63, 0x70, 0x73, 0x20, 0x28, 0x63, 0x29, 0x30, 0x30, 0x09, 0x06,
+	0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x1d, 0x30, 0x0d,
+	0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
+	0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x7b, 0x30, 0x1d, 0x06, 0x03, 0x55,
+	0x1d, 0x0e, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+	0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01,
+	0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xd2,
+	0x6f, 0x64, 0x6f, 0x63, 0x61, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x43, 0x2e,
+	0x63, 0x72, 0x6c, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16,
+	0x04, 0x14, 0xb4, 0x2e, 0x67, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x73, 0x69,
+	0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x30, 0x0b, 0x06, 0x03,
+	0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x30, 0x0d, 0x06, 0x09,
+	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30,
+	0x81, 0xca, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+	0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x08,
+	0x13, 0x07, 0x41, 0x72, 0x69, 0x7a, 0x6f, 0x6e, 0x61, 0x31, 0x13, 0x30,
+	0x11, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0a, 0x53, 0x63, 0x6f, 0x74,
+	0x74, 0x73, 0x64, 0x61, 0x6c, 0x65, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03,
+	0x55, 0x04, 0x0a, 0x13, 0x11, 0x47, 0x6f, 0x44, 0x61, 0x64, 0x64, 0x79,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x33,
+	0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2a, 0x68, 0x74, 0x74,
+	0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
+	0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74,
+	0x6f, 0x72, 0x79, 0x31, 0x30, 0x30, 0x2e, 0x06, 0x03, 0x55, 0x04, 0x03,
+	0x13, 0x27, 0x47, 0x6f, 0x20, 0x44, 0x61, 0x64, 0x64, 0x79, 0x20, 0x53,
+	0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
+	0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68,
+	0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55,
+	0x04, 0x05, 0x13, 0x08, 0x30, 0x37, 0x39, 0x36, 0x39, 0x32, 0x38, 0x37,
+	0x30, 0x1e, 0x17, 0x0d, 0x31, 0x31, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d,
+	0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x0c,
+	0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00,
+	0x30, 0x1d, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff,
+	0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55,
+	0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+	0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
+	0x03, 0x02, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff,
+	0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x33, 0x06, 0x03, 0x55, 0x1d,
+	0x1f, 0x04, 0x2c, 0x30, 0x2a, 0x30, 0x28, 0xa0, 0x26, 0xa0, 0x24, 0x86,
+	0x22, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e,
+	0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x67, 0x64, 0x73, 0x31, 0x2d, 0x32, 0x30, 0x2a, 0x30, 0x28, 0x06, 0x08,
+	0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, 0x1c, 0x68, 0x74,
+	0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76, 0x65,
+	0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63,
+	0x70, 0x73, 0x30, 0x34, 0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x5a, 0x17,
+	0x0d, 0x31, 0x33, 0x30, 0x35, 0x30, 0x39, 0x06, 0x08, 0x2b, 0x06, 0x01,
+	0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x2d, 0x68, 0x74, 0x74, 0x70, 0x3a,
+	0x2f, 0x2f, 0x73, 0x30, 0x39, 0x30, 0x37, 0x06, 0x08, 0x2b, 0x06, 0x01,
+	0x05, 0x05, 0x07, 0x02, 0x30, 0x44, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04,
+	0x3d, 0x30, 0x3b, 0x30, 0x39, 0x06, 0x0b, 0x60, 0x86, 0x48, 0x01, 0x86,
+	0xf8, 0x45, 0x01, 0x07, 0x17, 0x06, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03,
+	0x55, 0x04, 0x06, 0x13, 0x02, 0x47, 0x42, 0x31, 0x1b, 0x53, 0x31, 0x17,
+	0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, 0x56, 0x65, 0x72,
+	0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31,
+	0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x16, 0x56, 0x65,
+	0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x20, 0x54, 0x72, 0x75, 0x73, 0x74,
+	0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, 0x3b, 0x30, 0x39,
+	0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x32, 0x54, 0x65, 0x72, 0x6d, 0x73,
+	0x20, 0x6f, 0x66, 0x20, 0x75, 0x73, 0x65, 0x20, 0x61, 0x74, 0x20, 0x68,
+	0x74, 0x74, 0x70, 0x73, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x76,
+	0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
+	0x72, 0x70, 0x61, 0x20, 0x28, 0x63, 0x29, 0x30, 0x31, 0x10, 0x30, 0x0e,
+	0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x07, 0x53, 0x31, 0x13, 0x30, 0x11,
+	0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x0a, 0x47, 0x31, 0x13, 0x30, 0x11,
+	0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x3c, 0x02, 0x01,
+	0x03, 0x13, 0x02, 0x55, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04,
+	0x03, 0x14, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
+	0x31, 0x1d, 0x30, 0x1b, 0x06, 0x03, 0x55, 0x04, 0x0f, 0x13, 0x14, 0x50,
+	0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x20, 0x4f, 0x72, 0x67, 0x61, 0x6e,
+	0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x12, 0x31, 0x21, 0x30,
+	0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x18, 0x44, 0x6f, 0x6d, 0x61,
+	0x69, 0x6e, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x20, 0x56,
+	0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x65, 0x64, 0x31, 0x14, 0x31, 0x31,
+	0x30, 0x2f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x28, 0x53, 0x65, 0x65,
+	0x20, 0x77, 0x77, 0x77, 0x2e, 0x72, 0x3a, 0x2f, 0x2f, 0x73, 0x65, 0x63,
+	0x75, 0x72, 0x65, 0x2e, 0x67, 0x47, 0x6c, 0x6f, 0x62, 0x61, 0x6c, 0x53,
+	0x69, 0x67, 0x6e, 0x31, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x43, 0x41,
+	0x2e, 0x63, 0x72, 0x6c, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e,
+	0x20, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x33, 0x20, 0x45, 0x63, 0x72,
+	0x6c, 0x2e, 0x67, 0x65, 0x6f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x63,
+	0x6f, 0x6d, 0x2f, 0x63, 0x72, 0x6c, 0x73, 0x2f, 0x73, 0x64, 0x31, 0x1a,
+	0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x68, 0x74, 0x74, 0x70, 0x3a,
+	0x2f, 0x2f, 0x45, 0x56, 0x49, 0x6e, 0x74, 0x6c, 0x2d, 0x63, 0x63, 0x72,
+	0x74, 0x2e, 0x67, 0x77, 0x77, 0x77, 0x2e, 0x67, 0x69, 0x63, 0x65, 0x72,
+	0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x31, 0x6f, 0x63, 0x73, 0x70, 0x2e,
+	0x76, 0x65, 0x72, 0x69, 0x73, 0x69, 0x67, 0x6e, 0x2e, 0x63, 0x6f, 0x6d,
+	0x30, 0x39, 0x72, 0x61, 0x70, 0x69, 0x64, 0x73, 0x73, 0x6c, 0x2e, 0x63,
+	0x6f, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64, 0x64, 0x79, 0x2e, 0x63,
+	0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f, 0x72,
+	0x79, 0x2f, 0x30, 0x81, 0x80, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05,
+	0x07, 0x01, 0x01, 0x04, 0x74, 0x30, 0x72, 0x30, 0x24, 0x06, 0x08, 0x2b,
+	0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x86, 0x18, 0x68, 0x74, 0x74,
+	0x70, 0x3a, 0x2f, 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x67, 0x6f, 0x64,
+	0x61, 0x64, 0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x30, 0x4a, 0x06,
+	0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x3e, 0x68,
+	0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66,
+	0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x2e, 0x67, 0x6f, 0x64, 0x61, 0x64,
+	0x64, 0x79, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73,
+	0x69, 0x74, 0x6f, 0x72, 0x79, 0x2f, 0x67, 0x64, 0x5f, 0x69, 0x6e, 0x74,
+	0x65, 0x72, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x74, 0x65, 0x2e, 0x63, 0x72,
+	0x74, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16,
+	0x80, 0x14, 0xfd, 0xac, 0x61, 0x32, 0x93, 0x6c, 0x45, 0xd6, 0xe2, 0xee,
+	0x85, 0x5f, 0x9a, 0xba, 0xe7, 0x76, 0x99, 0x68, 0xcc, 0xe7, 0x30, 0x27,
+	0x86, 0x29, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x86, 0x30,
+	0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x73,
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_manager.go

@@ -0,0 +1,135 @@
+package crypto
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
+	"hash/fnv"
+	"time"
+
+	"github.com/lucas-clemente/quic-go/qerr"
+)
+
+// CertManager manages the certificates sent by the server
+type CertManager interface {
+	SetData([]byte) error
+	GetCommonCertificateHashes() []byte
+	GetLeafCert() []byte
+	GetLeafCertHash() (uint64, error)
+	VerifyServerProof(proof, chlo, serverConfigData []byte) bool
+	Verify(hostname string) error
+	GetChain() []*x509.Certificate
+}
+
+type certManager struct {
+	chain  []*x509.Certificate
+	config *tls.Config
+}
+
+var _ CertManager = &certManager{}
+
+var errNoCertificateChain = errors.New("CertManager BUG: No certicifate chain loaded")
+
+// NewCertManager creates a new CertManager
+func NewCertManager(tlsConfig *tls.Config) CertManager {
+	return &certManager{config: tlsConfig}
+}
+
+// SetData takes the byte-slice sent in the SHLO and decompresses it into the certificate chain
+func (c *certManager) SetData(data []byte) error {
+	byteChain, err := decompressChain(data)
+	if err != nil {
+		return qerr.Error(qerr.InvalidCryptoMessageParameter, "Certificate data invalid")
+	}
+
+	chain := make([]*x509.Certificate, len(byteChain))
+	for i, data := range byteChain {
+		cert, err := x509.ParseCertificate(data)
+		if err != nil {
+			return err
+		}
+		chain[i] = cert
+	}
+
+	c.chain = chain
+	return nil
+}
+
+func (c *certManager) GetChain() []*x509.Certificate {
+	return c.chain
+}
+
+func (c *certManager) GetCommonCertificateHashes() []byte {
+	return getCommonCertificateHashes()
+}
+
+// GetLeafCert returns the leaf certificate of the certificate chain
+// it returns nil if the certificate chain has not yet been set
+func (c *certManager) GetLeafCert() []byte {
+	if len(c.chain) == 0 {
+		return nil
+	}
+	return c.chain[0].Raw
+}
+
+// GetLeafCertHash calculates the FNV1a_64 hash of the leaf certificate
+func (c *certManager) GetLeafCertHash() (uint64, error) {
+	leafCert := c.GetLeafCert()
+	if leafCert == nil {
+		return 0, errNoCertificateChain
+	}
+
+	h := fnv.New64a()
+	_, err := h.Write(leafCert)
+	if err != nil {
+		return 0, err
+	}
+	return h.Sum64(), nil
+}
+
+// VerifyServerProof verifies the signature of the server config
+// it should only be called after the certificate chain has been set, otherwise it returns false
+func (c *certManager) VerifyServerProof(proof, chlo, serverConfigData []byte) bool {
+	if len(c.chain) == 0 {
+		return false
+	}
+
+	return verifyServerProof(proof, c.chain[0], chlo, serverConfigData)
+}
+
+// Verify verifies the certificate chain
+func (c *certManager) Verify(hostname string) error {
+	if len(c.chain) == 0 {
+		return errNoCertificateChain
+	}
+
+	if c.config != nil && c.config.InsecureSkipVerify {
+		return nil
+	}
+
+	leafCert := c.chain[0]
+
+	var opts x509.VerifyOptions
+	if c.config != nil {
+		opts.Roots = c.config.RootCAs
+		if c.config.Time == nil {
+			opts.CurrentTime = time.Now()
+		} else {
+			opts.CurrentTime = c.config.Time()
+		}
+	}
+	// we don't need to care about the tls.Config.ServerName here, since hostname has already been set to that value in the session setup
+	opts.DNSName = hostname
+
+	// the first certificate is the leaf certificate, all others are intermediates
+	if len(c.chain) > 1 {
+		intermediates := x509.NewCertPool()
+		for i := 1; i < len(c.chain); i++ {
+			intermediates.AddCert(c.chain[i])
+		}
+		opts.Intermediates = intermediates
+	}
+
+	_, err := leafCert.Verify(opts)
+	return err
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/cert_sets.go

@@ -0,0 +1,24 @@
+package crypto
+
+import (
+	"bytes"
+
+	"github.com/lucas-clemente/quic-go-certificates"
+)
+
+type certSet [][]byte
+
+var certSets = map[uint64]certSet{
+	certsets.CertSet2Hash: certsets.CertSet2,
+	certsets.CertSet3Hash: certsets.CertSet3,
+}
+
+// findCertInSet searches for the cert in the set. Negative return value means not found.
+func (s *certSet) findCertInSet(cert []byte) int {
+	for i, c := range *s {
+		if bytes.Equal(c, cert) {
+			return i
+		}
+	}
+	return -1
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/chacha20poly1305_aead.go

@@ -0,0 +1,61 @@
+// +build ignore
+
+package crypto
+
+import (
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+
+	"github.com/aead/chacha20"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+type aeadChacha20Poly1305 struct {
+	otherIV   []byte
+	myIV      []byte
+	encrypter cipher.AEAD
+	decrypter cipher.AEAD
+}
+
+// NewAEADChacha20Poly1305 creates a AEAD using chacha20poly1305
+func NewAEADChacha20Poly1305(otherKey []byte, myKey []byte, otherIV []byte, myIV []byte) (AEAD, error) {
+	if len(myKey) != 32 || len(otherKey) != 32 || len(myIV) != 4 || len(otherIV) != 4 {
+		return nil, errors.New("chacha20poly1305: expected 32-byte keys and 4-byte IVs")
+	}
+	// copy because ChaCha20Poly1305 expects array pointers
+	var MyKey, OtherKey [32]byte
+	copy(MyKey[:], myKey)
+	copy(OtherKey[:], otherKey)
+
+	encrypter, err := chacha20.NewChaCha20Poly1305WithTagSize(&MyKey, 12)
+	if err != nil {
+		return nil, err
+	}
+	decrypter, err := chacha20.NewChaCha20Poly1305WithTagSize(&OtherKey, 12)
+	if err != nil {
+		return nil, err
+	}
+	return &aeadChacha20Poly1305{
+		otherIV:   otherIV,
+		myIV:      myIV,
+		encrypter: encrypter,
+		decrypter: decrypter,
+	}, nil
+}
+
+func (aead *aeadChacha20Poly1305) Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) {
+	return aead.decrypter.Open(dst, aead.makeNonce(aead.otherIV, packetNumber), src, associatedData)
+}
+
+func (aead *aeadChacha20Poly1305) Seal(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) []byte {
+	return aead.encrypter.Seal(dst, aead.makeNonce(aead.myIV, packetNumber), src, associatedData)
+}
+
+func (aead *aeadChacha20Poly1305) makeNonce(iv []byte, packetNumber protocol.PacketNumber) []byte {
+	res := make([]byte, 12)
+	copy(res[0:4], iv)
+	binary.LittleEndian.PutUint64(res[4:12], uint64(packetNumber))
+	return res
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/curve_25519.go

@@ -0,0 +1,41 @@
+package crypto
+
+import (
+	"crypto/rand"
+	"errors"
+
+	"golang.org/x/crypto/curve25519"
+)
+
+// KeyExchange manages the exchange of keys
+type curve25519KEX struct {
+	secret [32]byte
+	public [32]byte
+}
+
+var _ KeyExchange = &curve25519KEX{}
+
+// NewCurve25519KEX creates a new KeyExchange using Curve25519, see https://cr.yp.to/ecdh.html
+func NewCurve25519KEX() (KeyExchange, error) {
+	c := &curve25519KEX{}
+	if _, err := rand.Read(c.secret[:]); err != nil {
+		return nil, errors.New("Curve25519: could not create private key")
+	}
+	curve25519.ScalarBaseMult(&c.public, &c.secret)
+	return c, nil
+}
+
+func (c *curve25519KEX) PublicKey() []byte {
+	return c.public[:]
+}
+
+func (c *curve25519KEX) CalculateSharedKey(otherPublic []byte) ([]byte, error) {
+	if len(otherPublic) != 32 {
+		return nil, errors.New("Curve25519: expected public key of 32 byte")
+	}
+	var res [32]byte
+	var otherPublicArray [32]byte
+	copy(otherPublicArray[:], otherPublic)
+	curve25519.ScalarMult(&res, &c.secret, &otherPublicArray)
+	return res[:], nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/hkdf.go

@@ -0,0 +1,56 @@
+package crypto
+
+import (
+	"crypto"
+	"crypto/hmac"
+	"encoding/binary"
+)
+
+// copied from https://github.com/cloudflare/tls-tris/blob/master/hkdf.go
+func hkdfExtract(hash crypto.Hash, secret, salt []byte) []byte {
+	if salt == nil {
+		salt = make([]byte, hash.Size())
+	}
+	if secret == nil {
+		secret = make([]byte, hash.Size())
+	}
+	extractor := hmac.New(hash.New, salt)
+	extractor.Write(secret)
+	return extractor.Sum(nil)
+}
+
+// copied from https://github.com/cloudflare/tls-tris/blob/master/hkdf.go
+func hkdfExpand(hash crypto.Hash, prk, info []byte, l int) []byte {
+	var (
+		expander = hmac.New(hash.New, prk)
+		res      = make([]byte, l)
+		counter  = byte(1)
+		prev     []byte
+	)
+
+	if l > 255*expander.Size() {
+		panic("hkdf: requested too much output")
+	}
+
+	p := res
+	for len(p) > 0 {
+		expander.Reset()
+		expander.Write(prev)
+		expander.Write(info)
+		expander.Write([]byte{counter})
+		prev = expander.Sum(prev[:0])
+		counter++
+		n := copy(p, prev)
+		p = p[n:]
+	}
+
+	return res
+}
+
+func qhkdfExpand(secret []byte, label string, length int) []byte {
+	qlabel := make([]byte, 2+1+5+len(label))
+	binary.BigEndian.PutUint16(qlabel[0:2], uint16(length))
+	qlabel[2] = uint8(5 + len(label))
+	copy(qlabel[3:], []byte("QUIC "+label))
+	return hkdfExpand(crypto.SHA256, secret, qlabel, length)
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/key_derivation.go

@@ -0,0 +1,49 @@
+package crypto
+
+import (
+	"github.com/bifurcation/mint"
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+const (
+	clientExporterLabel = "EXPORTER-QUIC client 1rtt"
+	serverExporterLabel = "EXPORTER-QUIC server 1rtt"
+)
+
+// A TLSExporter gets the negotiated ciphersuite and computes exporter
+type TLSExporter interface {
+	ConnectionState() mint.ConnectionState
+	ComputeExporter(label string, context []byte, keyLength int) ([]byte, error)
+}
+
+// DeriveAESKeys derives the AES keys and creates a matching AES-GCM AEAD instance
+func DeriveAESKeys(tls TLSExporter, pers protocol.Perspective) (AEAD, error) {
+	var myLabel, otherLabel string
+	if pers == protocol.PerspectiveClient {
+		myLabel = clientExporterLabel
+		otherLabel = serverExporterLabel
+	} else {
+		myLabel = serverExporterLabel
+		otherLabel = clientExporterLabel
+	}
+	myKey, myIV, err := computeKeyAndIV(tls, myLabel)
+	if err != nil {
+		return nil, err
+	}
+	otherKey, otherIV, err := computeKeyAndIV(tls, otherLabel)
+	if err != nil {
+		return nil, err
+	}
+	return NewAEADAESGCM(otherKey, myKey, otherIV, myIV)
+}
+
+func computeKeyAndIV(tls TLSExporter, label string) (key, iv []byte, err error) {
+	cs := tls.ConnectionState().CipherSuite
+	secret, err := tls.ComputeExporter(label, nil, cs.Hash.Size())
+	if err != nil {
+		return nil, nil, err
+	}
+	key = qhkdfExpand(secret, "key", cs.KeyLen)
+	iv = qhkdfExpand(secret, "iv", cs.IvLen)
+	return key, iv, nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/key_derivation_quic_crypto.go

@@ -0,0 +1,100 @@
+package crypto
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"io"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+
+	"golang.org/x/crypto/hkdf"
+)
+
+// DeriveKeysChacha20 derives the client and server keys and creates a matching chacha20poly1305 AEAD instance
+// func DeriveKeysChacha20(version protocol.VersionNumber, forwardSecure bool, sharedSecret, nonces []byte, connID protocol.ConnectionID, chlo []byte, scfg []byte, cert []byte, divNonce []byte) (AEAD, error) {
+// 	otherKey, myKey, otherIV, myIV, err := deriveKeys(version, forwardSecure, sharedSecret, nonces, connID, chlo, scfg, cert, divNonce, 32)
+// 	if err != nil {
+// 		return nil, err
+// 	}
+// 	return NewAEADChacha20Poly1305(otherKey, myKey, otherIV, myIV)
+// }
+
+// DeriveQuicCryptoAESKeys derives the client and server keys and creates a matching AES-GCM AEAD instance
+func DeriveQuicCryptoAESKeys(forwardSecure bool, sharedSecret, nonces []byte, connID protocol.ConnectionID, chlo []byte, scfg []byte, cert []byte, divNonce []byte, pers protocol.Perspective) (AEAD, error) {
+	var swap bool
+	if pers == protocol.PerspectiveClient {
+		swap = true
+	}
+	otherKey, myKey, otherIV, myIV, err := deriveKeys(forwardSecure, sharedSecret, nonces, connID, chlo, scfg, cert, divNonce, 16, swap)
+	if err != nil {
+		return nil, err
+	}
+	return NewAEADAESGCM12(otherKey, myKey, otherIV, myIV)
+}
+
+// deriveKeys derives the keys and the IVs
+// swap should be set true if generating the values for the client, and false for the server
+func deriveKeys(forwardSecure bool, sharedSecret, nonces []byte, connID protocol.ConnectionID, chlo, scfg, cert, divNonce []byte, keyLen int, swap bool) ([]byte, []byte, []byte, []byte, error) {
+	var info bytes.Buffer
+	if forwardSecure {
+		info.Write([]byte("QUIC forward secure key expansion\x00"))
+	} else {
+		info.Write([]byte("QUIC key expansion\x00"))
+	}
+	info.Write(connID)
+	info.Write(chlo)
+	info.Write(scfg)
+	info.Write(cert)
+
+	r := hkdf.New(sha256.New, sharedSecret, nonces, info.Bytes())
+
+	s := make([]byte, 2*keyLen+2*4)
+	if _, err := io.ReadFull(r, s); err != nil {
+		return nil, nil, nil, nil, err
+	}
+
+	key1 := s[:keyLen]
+	key2 := s[keyLen : 2*keyLen]
+	iv1 := s[2*keyLen : 2*keyLen+4]
+	iv2 := s[2*keyLen+4:]
+
+	var otherKey, myKey []byte
+	var otherIV, myIV []byte
+
+	if !forwardSecure {
+		if err := diversify(key2, iv2, divNonce); err != nil {
+			return nil, nil, nil, nil, err
+		}
+	}
+
+	if swap {
+		otherKey = key2
+		myKey = key1
+		otherIV = iv2
+		myIV = iv1
+	} else {
+		otherKey = key1
+		myKey = key2
+		otherIV = iv1
+		myIV = iv2
+	}
+
+	return otherKey, myKey, otherIV, myIV, nil
+}
+
+func diversify(key, iv, divNonce []byte) error {
+	secret := make([]byte, len(key)+len(iv))
+	copy(secret, key)
+	copy(secret[len(key):], iv)
+
+	r := hkdf.New(sha256.New, secret, divNonce, []byte("QUIC key diversification"))
+
+	if _, err := io.ReadFull(r, key); err != nil {
+		return err
+	}
+	if _, err := io.ReadFull(r, iv); err != nil {
+		return err
+	}
+
+	return nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/key_exchange.go

@@ -0,0 +1,7 @@
+package crypto
+
+// KeyExchange manages the exchange of keys
+type KeyExchange interface {
+	PublicKey() []byte
+	CalculateSharedKey(otherPublic []byte) ([]byte, error)
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead.go

@@ -0,0 +1,11 @@
+package crypto
+
+import "github.com/lucas-clemente/quic-go/internal/protocol"
+
+// NewNullAEAD creates a NullAEAD
+func NewNullAEAD(p protocol.Perspective, connID protocol.ConnectionID, v protocol.VersionNumber) (AEAD, error) {
+	if v.UsesTLS() {
+		return newNullAEADAESGCM(connID, p)
+	}
+	return &nullAEADFNV128a{perspective: p}, nil
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_aesgcm.go

@@ -0,0 +1,40 @@
+package crypto
+
+import (
+	"crypto"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+var quicVersion1Salt = []byte{0x9c, 0x10, 0x8f, 0x98, 0x52, 0x0a, 0x5c, 0x5c, 0x32, 0x96, 0x8e, 0x95, 0x0e, 0x8a, 0x2c, 0x5f, 0xe0, 0x6d, 0x6c, 0x38}
+
+func newNullAEADAESGCM(connectionID protocol.ConnectionID, pers protocol.Perspective) (AEAD, error) {
+	clientSecret, serverSecret := computeSecrets(connectionID)
+
+	var mySecret, otherSecret []byte
+	if pers == protocol.PerspectiveClient {
+		mySecret = clientSecret
+		otherSecret = serverSecret
+	} else {
+		mySecret = serverSecret
+		otherSecret = clientSecret
+	}
+
+	myKey, myIV := computeNullAEADKeyAndIV(mySecret)
+	otherKey, otherIV := computeNullAEADKeyAndIV(otherSecret)
+
+	return NewAEADAESGCM(otherKey, myKey, otherIV, myIV)
+}
+
+func computeSecrets(connID protocol.ConnectionID) (clientSecret, serverSecret []byte) {
+	handshakeSecret := hkdfExtract(crypto.SHA256, connID, quicVersion1Salt)
+	clientSecret = qhkdfExpand(handshakeSecret, "client hs", crypto.SHA256.Size())
+	serverSecret = qhkdfExpand(handshakeSecret, "server hs", crypto.SHA256.Size())
+	return
+}
+
+func computeNullAEADKeyAndIV(secret []byte) (key, iv []byte) {
+	key = qhkdfExpand(secret, "key", 16)
+	iv = qhkdfExpand(secret, "iv", 12)
+	return
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/null_aead_fnv128a.go

@@ -0,0 +1,79 @@
+package crypto
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"hash/fnv"
+
+	"github.com/lucas-clemente/quic-go/internal/protocol"
+)
+
+// nullAEAD handles not-yet encrypted packets
+type nullAEADFNV128a struct {
+	perspective protocol.Perspective
+}
+
+var _ AEAD = &nullAEADFNV128a{}
+
+// Open and verify the ciphertext
+func (n *nullAEADFNV128a) Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, error) {
+	if len(src) < 12 {
+		return nil, errors.New("NullAEAD: ciphertext cannot be less than 12 bytes long")
+	}
+
+	hash := fnv.New128a()
+	hash.Write(associatedData)
+	hash.Write(src[12:])
+	if n.perspective == protocol.PerspectiveServer {
+		hash.Write([]byte("Client"))
+	} else {
+		hash.Write([]byte("Server"))
+	}
+	sum := make([]byte, 0, 16)
+	sum = hash.Sum(sum)
+	// The tag is written in little endian, so we need to reverse the slice.
+	reverse(sum)
+
+	if !bytes.Equal(sum[:12], src[:12]) {
+		return nil, fmt.Errorf("NullAEAD: failed to authenticate received data (%#v vs %#v)", sum[:12], src[:12])
+	}
+	return src[12:], nil
+}
+
+// Seal writes hash and ciphertext to the buffer
+func (n *nullAEADFNV128a) Seal(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) []byte {
+	if cap(dst) < 12+len(src) {
+		dst = make([]byte, 12+len(src))
+	} else {
+		dst = dst[:12+len(src)]
+	}
+
+	hash := fnv.New128a()
+	hash.Write(associatedData)
+	hash.Write(src)
+
+	if n.perspective == protocol.PerspectiveServer {
+		hash.Write([]byte("Server"))
+	} else {
+		hash.Write([]byte("Client"))
+	}
+	sum := make([]byte, 0, 16)
+	sum = hash.Sum(sum)
+	// The tag is written in little endian, so we need to reverse the slice.
+	reverse(sum)
+
+	copy(dst[12:], src)
+	copy(dst, sum[:12])
+	return dst
+}
+
+func (n *nullAEADFNV128a) Overhead() int {
+	return 12
+}
+
+func reverse(a []byte) {
+	for left, right := 0, len(a)-1; left < right; left, right = left+1, right-1 {
+		a[left], a[right] = a[right], a[left]
+	}
+}

vendor/github.com/lucas-clemente/quic-go/internal/crypto/server_proof.go

@@ -0,0 +1,66 @@
+package crypto
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/asn1"
+	"errors"
+	"math/big"
+)
+
+type ecdsaSignature struct {
+	R, S *big.Int
+}
+
+// signServerProof signs CHLO and server config for use in the server proof
+func signServerProof(cert *tls.Certificate, chlo []byte, serverConfigData []byte) ([]byte, error) {
+	hash := sha256.New()
+	hash.Write([]byte("QUIC CHLO and server config signature\x00"))
+	chloHash := sha256.Sum256(chlo)
+	hash.Write([]byte{32, 0, 0, 0})
+	hash.Write(chloHash[:])
+	hash.Write(serverConfigData)
+
+	key, ok := cert.PrivateKey.(crypto.Signer)
+	if !ok {
+		return nil, errors.New("expected PrivateKey to implement crypto.Signer")
+	}
+
+	opts := crypto.SignerOpts(crypto.SHA256)
+
+	if _, ok = key.(*rsa.PrivateKey); ok {
+		opts = &rsa.PSSOptions{SaltLength: 32, Hash: crypto.SHA256}
+	}
+
+	return key.Sign(rand.Reader, hash.Sum(nil), opts)
+}
+
+// verifyServerProof verifies the server proof signature
+func verifyServerProof(proof []byte, cert *x509.Certificate, chlo []byte, serverConfigData []byte) bool {
+	hash := sha256.New()
+	hash.Write([]byte("QUIC CHLO and server config signature\x00"))
+	chloHash := sha256.Sum256(chlo)
+	hash.Write([]byte{32, 0, 0, 0})
+	hash.Write(chloHash[:])
+	hash.Write(serverConfigData)
+
+	// RSA
+	if cert.PublicKeyAlgorithm == x509.RSA {
+		opts := &rsa.PSSOptions{SaltLength: 32, Hash: crypto.SHA256}
+		err := rsa.VerifyPSS(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, hash.Sum(nil), proof, opts)
+		return err == nil
+	}
+
+	// ECDSA
+	signature := &ecdsaSignature{}
+	rest, err := asn1.Unmarshal(proof, signature)
+	if err != nil || len(rest) != 0 {
+		return false
+	}
+	return ecdsa.Verify(cert.PublicKey.(*ecdsa.PublicKey), hash.Sum(nil), signature.R, signature.S)
+}