Removes _dev

.travis.yml

@@ -18,8 +18,5 @@ matrix:
 before_install:
   - make -f _dev/Makefile fmtcheck
 
-install:
-  - sudo pip install docker
-
 script:
-  - make -f _dev/Makefile build-all && make -f _dev/Makefile "$TEST_SUITE"
+  - go test -v -r=.

_dev/.gitignore

@@ -1,6 +0,0 @@
-/GOROOT
-/go
-/tris-localserver/tris-localserver
-/tris-testclient/tris-testclient
-/caddy/caddy
-/caddy/echo

_dev/Makefile

@@ -1,140 +0,0 @@
-# Constants
-MK_FILE_PATH = $(lastword $(MAKEFILE_LIST))
-PRJ_DIR      = $(abspath $(dir $(MK_FILE_PATH))/..)
-DEV_DIR      = $(PRJ_DIR)/_dev
-# Results will be produced in this directory (can be provided by a caller)
-BUILD_DIR   ?= $(PRJ_DIR)/_dev/GOROOT
-
-# Compiler
-GO ?= go
-DOCKER ?= docker
-GIT ?= git
-
-# Build environment
-OS          ?= $(shell $(GO) env GOHOSTOS)
-ARCH        ?= $(shell $(GO) env GOHOSTARCH)
-OS_ARCH     := $(OS)_$(ARCH)
-VER_OS_ARCH := $(shell $(GO) version | cut -d' ' -f 3)_$(OS)_$(ARCH)
-GOROOT_ENV  ?= $(shell $(GO) env GOROOT)
-GOROOT_LOCAL = $(BUILD_DIR)/$(OS_ARCH)
-# Flag indicates wheter invoke "go install -race std". Supported only on amd64 with CGO enabled
-INSTALL_RACE:= $(words $(filter $(ARCH)_$(shell go env CGO_ENABLED), amd64_1))
-TMP_DIR		:= $(shell mktemp -d)
-
-# Test targets used for compatibility testing
-TARGET_TEST_COMPAT=boring picotls tstclnt
-
-# Some target-specific constants
-BORINGSSL_REVISION=ff433815b51c34496bb6bea13e73e29e5c278238
-BOGO_DOCKER_TRIS_LOCATION=/go/src/github.com/cloudflare/tls-tris
-
-# SIDH repository
-SIDH_REPO  ?= https://github.com/cloudflare/sidh.git
-SIDH_REPO_TAG ?= Release_1.0
-# NOBS repo (SIKE depends on SHA3)
-NOBS_REPO  ?= https://github.com/henrydcase/nobscrypto.git
-NOBS_REPO_TAG ?= Release_0.1
-
-###############
-#
-# Build targets
-#
-##############################
-$(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH): clean
-
-# Create clean directory structure
-	mkdir -p "$(GOROOT_LOCAL)/pkg"
-
-# Copy src/tools from system GOROOT
-	cp -Hr $(GOROOT_ENV)/src $(GOROOT_LOCAL)/src
-	cp -Hr $(GOROOT_ENV)/pkg/include $(GOROOT_LOCAL)/pkg/include
-	cp -Hr $(GOROOT_ENV)/pkg/tool $(GOROOT_LOCAL)/pkg/tool
-
-# Swap TLS implementation
-	rm -r $(GOROOT_LOCAL)/src/crypto/tls/*
-	rsync -rltgoD $(PRJ_DIR)/ $(GOROOT_LOCAL)/src/crypto/tls/ --exclude=$(lastword $(subst /, ,$(DEV_DIR)))
-
-# Apply additional patches
-	for p in $(wildcard $(DEV_DIR)/patches/*); do patch -d "$(GOROOT_LOCAL)" -p1 < "$$p"; done
-
-# Vendor NOBS library
-	$(GIT) clone $(NOBS_REPO) $(TMP_DIR)/nobs
-	cd $(TMP_DIR)/nobs; $(GIT) checkout tags/$(NOBS_REPO_TAG)
-	cd $(TMP_DIR)/nobs; make vendor-sidh-for-tls
-	cp -rf $(TMP_DIR)/nobs/tls_vendor/* $(GOROOT_LOCAL)/src/vendor/
-
-# Vendor SIDH library
-	$(GIT) clone $(SIDH_REPO) $(TMP_DIR)/sidh
-	cd $(TMP_DIR)/sidh; $(GIT) checkout tags/$(SIDH_REPO_TAG)
-	cd $(TMP_DIR)/sidh; make vendor
-	cp -rf $(TMP_DIR)/sidh/build/vendor/* $(GOROOT_LOCAL)/src/vendor/
-
-# Create go package
-	GOARCH=$(ARCH) GOROOT="$(GOROOT_LOCAL)" $(GO) install -v std
-ifeq ($(INSTALL_RACE),1)
-	GOARCH=$(ARCH) GOROOT="$(GOROOT_LOCAL)" $(GO) install -race -v std
-endif
-	rm -rf $(TMP_DIR)
-	@touch "$@"
-
-build-test-%: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
-	$(DOCKER) build $(BUILDARG) -t tls-tris:$* $(DEV_DIR)/$*
-	$(DOCKER) build $(BUILDARG) -t $(*)-localserver $(DEV_DIR)/$*
-
-build-all: \
-	build-test-tris-client \
-	build-test-tris-server \
-	build-test-bogo \
-	$(addprefix build-test-,$(TARGET_TEST_COMPAT))
-
-# Builds TRIS client
-build-test-tris-client: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
-	cd $(DEV_DIR)/tris-testclient; CGO_ENABLED=0 GOROOT="$(GOROOT_LOCAL)" $(GO) build -v -i .
-	$(DOCKER) build -t tris-testclient $(DEV_DIR)/tris-testclient
-
-# Builds TRIS server
-build-test-tris-server: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
-	cd $(DEV_DIR)/tris-localserver; CGO_ENABLED=0 GOROOT="$(GOROOT_LOCAL)" $(GO) build -v -i .
-	$(DOCKER) build -t tris-localserver $(DEV_DIR)/tris-localserver
-
-# BoringSSL specific stuff
-build-test-boring: 	BUILDARG=--build-arg REVISION=$(BORINGSSL_REVISION)
-
-# TODO: This probably doesn't work
-build-caddy: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
-	CGO_ENABLED=0 GOROOT="$(GOROOT_LOCAL)" $(GO) build github.com/mholt/caddy
-
-###############
-#
-# Test targets
-#
-##############################
-test: \
-	test-unit \
-	test-bogo \
-	test-interop
-
-test-unit: $(BUILD_DIR)/$(OS_ARCH)/.ok_$(VER_OS_ARCH)
-	GOROOT="$(GOROOT_LOCAL)" $(GO) test -race crypto/tls
-
-test-bogo:
-	$(DOCKER) run --rm -v $(PRJ_DIR):$(BOGO_DOCKER_TRIS_LOCATION) tls-tris:bogo
-
-test-interop:
-	$(DEV_DIR)/interop_test_runner -v
-
-###############
-#
-# Utils
-#
-##############################
-clean:
-	rm -rf $(BUILD_DIR)/$(OS_ARCH)
-
-clean-all: clean
-	rm -rf $(BUILD_DIR)
-
-fmtcheck:
-	$(DEV_DIR)/utils/fmtcheck.sh
-
-.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-interop

_dev/bogo/Dockerfile

@@ -1,38 +0,0 @@
-FROM golang:1.11-alpine
-
-RUN apk add --update \
-    git \
-    make \
-    bash \
-    patch \
-    rsync \
-  && rm -rf /var/cache/apk/*
-
-ENV CGO_ENABLED=0
-
-RUN git clone https://github.com/henrydcase/crypto-tls-bogo-shim \
-    /go/src/github.com/henrydcase/crypto-tls-bogo-shim
-
-# Draft 18 with client-tests branch
-#ARG REVISION=3f5e87d6a1931b6f6930e4eadb7b2d0b2aa7c588
-
-# Draft 22 with draft22 branch
-#ARG REVISION=81cc32b846c9fe2ea32613287e57a6a0db7bbb9a
-
-# Draft 22 with draft22-client branch (client-tests + draft22)
-# ARG REVISION=f9729b5e4eafb1f1d313949388c3c2b167e84734
-
-# Draft 23
-#ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5
-
-# Draft 23 (+ client authentication)
-# ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf
-
-# Draft 28
-ARG REVISION=33204d1eaa497819c6325998d7ba6b66316790f3
-
-RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \
-    git checkout $REVISION
-
-WORKDIR /go/src/github.com/henrydcase/crypto-tls-bogo-shim
-CMD ["make", "run"]

_dev/boring/Dockerfile

@@ -1,69 +0,0 @@
-FROM alpine
-
-RUN apk add --update \
-    git \
-    cmake \
-    patch \
-    perl \
-    python \
-    build-base \
-    go \
-    ninja \
-  && rm -rf /var/cache/apk/*
-
-RUN git clone https://boringssl.googlesource.com/boringssl
-
-RUN mkdir boringssl/build
-
-# Draft 14
-# ARG REVISION=88536c3
-
-# Draft 15
-# RUN cd boringssl && git fetch https://boringssl.googlesource.com/boringssl refs/changes/40/10840/18:draft15
-# ARG REVISION=cae930d
-
-# Draft "14.25" (sigalg renumbering)
-# ARG REVISION=af56fbd
-
-# Draft "14.25" w/ x25519 only
-# ARG REVISION=c8b6b4f
-
-# Draft "14.5" (sigalg, x25519, version ext)
-# ARG REVISION=54afdab
-
-# Draft 16
-# ARG REVISION=89917a5
-
-# Draft 18
-# ARG REVISION=9b885c5
-# Draft 18, but with "bssl server -loop -www" support and build fix
-# ARG REVISION=40b24c8154
-
-# Draft 21
-# ARG REVISION=cd8470f
-
-# Draft 22
-# ARG REVISION=1530ef3e
-
-# Draft 23
-# ARG REVISION=cb15cfda29c0c60d8d74145b17c93b43a7667837
-
-# Draft 28
-# ARG REVISION=861f384d7bc59241a9df1634ae938d8e75be2d30
-
-# TLS 1.3
-ARG REVISION=ff433815b51c34496bb6bea13e73e29e5c278238
-
-ADD sidh_$REVISION.patch /
-
-RUN cd boringssl && git fetch
-RUN cd boringssl && git checkout $REVISION
-RUN cd boringssl && patch -p1 < /sidh_$REVISION.patch
-RUN cd boringssl/build && cmake -GNinja ..
-RUN cd boringssl && ninja -C build
-
-ADD httpreq.txt /httpreq.txt
-ADD run.sh /run.sh
-ADD server.sh rsa.pem ecdsa.pem /
-ADD client_rsa.key client_rsa.crt client_ca.crt /
-ENTRYPOINT ["/run.sh"]

_dev/boring/client_ca.crt

@@ -1,34 +0,0 @@
-MIIF6zCCA9OgAwIBAgIUC4U4HlbkVMrKKTFK0mNrMFDpRskwDQYJKoZIhvcNAQEL
-BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
-cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
-IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDIz
-OVoXDTQ2MDcwOTAwNDIzOVowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
-FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
-T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0z+DMLb7YIMFFNZpn+ve
-NdT7GL9DPyV9ZWSHpUuDyme6Og6Mp5IpCLlKjNXtizX5aQ9xQ746slt70fivSV/r
-tiEtayZkcwS7zHtc5f+U/S0hR1q5Zh3DaLQH9diSeuNFQN5pg7zQT5csJFlxf6EB
-j/ioSBC+J1E8A2FAh0qDq+TvPPyZEEjcJy0oBuNHUnkC3rwjt24DAUI26rN/Qk9P
-a6KR9bBOdHFFul3DEP/uPqWV9TvV5tJhP3J2RbfS79WljFy/lFIwvJvfQHYEjMt4
-/gq8yTSUgJ8zmgJQ1sgOKH1FzJd4EdAMquSYbElkc35jX8gggUNOUcwsIfJBnu41
-SC51JQruNT256zse76o8Dx3lSHiz5c6luZyJnZWWt6xWtfGEGMnckpn6cVvcbbgq
-eWqmttgE2QTpgYoYUVcX/XFtsmZVTu05r8MZoqje5rgW9nEvvW+3M+eT5h0M9eGQ
-bIT3D3tdXB2XWCjUWqxpZscFwyumGu7vdykBKLhMVR3nEpFfORnH+534vwi49fjz
-WnN6fXAZZLPnGtEdWXNgs9JtgI5UheAQbcA3FT+M3maa88V2JrETLps405NYp6hJ
-6msbS/AmV/eSilRmbGVj9TfKHb/BVHNYwVQ0Bu/QN2YQNQ9olOpIxXgKr6Y4tKZt
-wTOMiCxZrnDQneQOTnW0NAMCAwEAAaNjMGEwHQYDVR0OBBYEFNLiS6YezH2bWiZ3
-TNbkQzMoBBB2MB8GA1UdIwQYMBaAFNLiS6YezH2bWiZ3TNbkQzMoBBB2MA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAQ
-cWIFOusSLKizqcqMsbMIY/Jzy0Tq5jzeOAQEQBztu7eJb208SG2EJtD6ylBQCF8t
-FCxUbvWNrly1MJoMSXdn3uMz3kLKNQa6RENckwA1UuYZpdhvTUtmPun9QqFPJdqm
-oi0paOVut9q3dplDy6MUknGN4tNWp2ZDfyvom3mUMfYGEO/FCWTy8eFd6cHRE9bw
-tHkcX5r7GpDHH5vKXOF/deMp1Xgep5ZTasL13YwPiYgctst91pEfdcztjHW0mQNT
-ZH/TUQDgs2UCjcvyeOlgoZixWOpkf1Qyje15k9qMb89/5hdarxvAQbG2BezQtzyk
-bbCu1MQa2DBdAKbhQxas/DPSvSkA/y8v+hiovTWtPKErPnQqZqVy59KUTBWj8ZAj
-5dkDVjBvUcsJ/6zHv0X9puEnIDZ8pK+Xn9LbcbPE7Nf1ikDyOqHmLmhGfWlEGvoD
-3Q8f8zUySZ40mfqtVhc7OYqA66Q9quNQ4VBESVNiEJ/LuWHRXe74KqFdggsQqtS6
-UQQgw5lFnKHZ9pk2VlKzgpkmd5fLMOhcHWQbsah9TFOuW5vEhWGHNhGCyGouWTzD
-mkwlPS8arj/ymUn6t/oiwSOA6GbjQLnTXvoAjdBxnukQlNY6TUDk+lSQw0qfZGIA
-xZywUgRbLZH8TFUnuEQps35XnWrY8rrXVj9+9h0B4g==

_dev/boring/client_rsa.crt

@@ -1,31 +0,0 @@
-MIIFSjCCAzKgAwIBAgIUCKk2npLYEX2Z3Ceu1CwSKK50j04wDQYJKoZIhvcNAQEL
-BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
-cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
-IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDMz
-MloXDTQ2MDcwOTAwNDMzMlowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
-FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
-T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
-MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA0DQrWlCfijylutz28aTB
-T9WDnvBWpJ535t/Clt4o2nv3Cp6JxvUVzYkdKuaLR295gyEBx9JSHiZxPiJoPVfp
-wigmG0R9HvByAG5rhaQbQt99npoBaHMps1i12VxxFy1yaqZW6mrwrHMfV716rZ2M
-AzWx7UfhutloBYeeluiziDWUSEuGeJG7kHdvUtGYlbRd/ElFWHOfAQ7Oc8UUjEHW
-sorkqciqyAERV/H9hr5Rap/J/ERcFC8bNecS4t1Yh98WgIun/MbcBKQzo1LsWmOQ
-dmaMBoG8g1mYRbNap8G/+aQbjfRi1zN0yaW1wtlLoBJmNgLjwYgaS/5Uey5NZMdb
-NwIBA6OBwzCBwDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAxBglghkgB
-hvhCAQ0EJBYiQ2VydCBUZXN0aW5nIEludGVybWVkaWF0ZSAtIENsaWVudDAdBgNV
-HQ4EFgQULlrGFPbxwz525ywQYPs72P7YnL4wHwYDVR0jBBgwFoAU0uJLph7MfZta
-JndM1uRDMygEEHYwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMC
-BggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEAwLc+Xg5Fyfbgu5iFs1y7E0Et
-4E/5lF0A4iqDVX3e7/upoUIBFZFv2PlAqIlhQ49NgGlIfrBlwEijZJ9kgVmUcKDS
-UrqBvKUn+99dTC8Zn/Py9ofLNcJy+qNJg4TpbpBxXaP1MXdZYXdYkGtyyPIGo31U
-oHibNLQDCtKFMoEPCvFuCBtJgyT46l5KN7VQCA0ZDm84fVmIgEEOXWwz0mDIhGWm
-hDhmqONznl0+aHirqJxsBaplBaFVV1N02ksR53sPPy/UfDsAD3Fpp8R1DAMEyy0o
-kTqm8QINVL961YT1Y/oI+GlypjPq9cL0dEHdxwu6gyCHPMMGGGIDHmLoqJJuj/Kr
-/T08jhtDv8D7e9m3wfSW/RqHKE31Yy21SXv/gpcHGunwzDoj/QUvRl/xTjJfx+S8
-2NHxSU8QOdexhJumsNFJe8kH8cRJMCMB8/hfiBpI0QANkUBJ1aaa/p7vZuEKJm+/
-85m3Yz+zn58/Bube06z6QzFeR8Edi+6hXk4/WoHltgXiNowD3d4xI48sPWEbe+QZ
-6u60sEdpY2a+3Xwt9m9R2R+sGP3QyDFd9GVaUPt21TeeLdfS3kPqwO2k+UXB8nV3
-Yh1Hvyx67u0tX3wBVe40CNaAu7iW+e4aXjksG2dxk71lNq5CHJCOtbRK4LUArjy5
-cw4KAXWoaR8YIC3BWgg=

_dev/boring/client_rsa.key

@@ -1,28 +0,0 @@
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQNCtaUJ+KPKW6
-3PbxpMFP1YOe8Faknnfm38KW3ijae/cKnonG9RXNiR0q5otHb3mDIQHH0lIeJnE+
-Img9V+nCKCYbRH0e8HIAbmuFpBtC332emgFocymzWLXZXHEXLXJqplbqavCscx9X
-vXqtnYwDNbHtR+G62WgFh56W6LOINZRIS4Z4kbuQd29S0ZiVtF38SUVYc58BDs5z
-xRSMQdayiuSpyKrIARFX8f2GvlFqn8n8RFwULxs15xLi3ViH3xaAi6f8xtwEpDOj
-UuxaY5B2ZowGgbyDWZhFs1qnwb/5pBuN9GLXM3TJpbXC2UugEmY2AuPBiBpL/lR7
-Lk1kx1s3AgEDAoIBAQCKzXI8Nb+xfcPR6KShGIDf460UoDnDFE/vP9cPPsXm/U9c
-abEvTg6JBhNx7weE9PuswKvajDa+xEt+wZrTj/EsGsQSLai/Svaq9EeubWeB6lO/
-EVZFohvM5c6Q6EtkyPbxxDnxnKBy92o6flHJE7KsznaeL+vR5kVZBRRkmyJazS4s
-Z5rbrN9AhSIfyHs9GCQGgsXT6HMsyoJYFastwQ2qj+9L2ypcM8TW+KGzGfJipoJb
-l/N/8WHb4ZumA67lfWq4v5JTA5qAUKcfPszEBrUfQ34Tk+73Iiov9f7SXPYxWxVJ
-g9PuzfewvJrp6CPv+/mKNt8PmBYkaXlnyjr9tCwLAoGBAPjAVZapQVuIqftcOZtf
-Re9fAV9Vvv1FEO8bKJeIsPDlRkdg+TfTMgxhZU0I3P4XdEj7Fa87w4wkA6GkIrOO
-W9/usPOYzSdTP5aVEsdGbT8yD2vTST7Aw/GESKTRJA/Fe1PIb5Nz3OijyTusvFE+
-XSR3EXb1myX+2rFS0Wbiz2U5AoGBANZFWoeFzREnBcDG60RayjiTg71E1/T4zhvU
-e/w+71FNbLZXBrNqgV20F73xOme/Mb13yr+YgXxIEQfFtR6hRxZ8u1jndEzw66Jf
-YfHt7EGVceMV2pdP4md5ebebEj7qICfXPxF9IZicwZG3QMR5u0tvnx40iNMWhW0M
-rY4FabPvAoGBAKXVjmRw1j0FxqeS0RI/g/TqAOo5Kf4uC0oSGw+wdfXuLtpApiU3
-drLrmN4F6Klk+DCnY8on17LCrRZtbHe0PT/0dfe7M2+M1Q8ODITZniohX503hinV
-1/ZYMG3gwrUuUjfa9Qz36JsX230d0uDUPhhPYPn5EhlUkcuMi5nsikN7AoGBAI7Y
-5wUD3gtvWSsvR4LnMXsNAn4t5U37NBKNp/1/SjYznc7kryJHAOkiun6g0Zp/dn5P
-3H+7AP2FYK/ZI2nA2g790jtE+DNLR8GU6/aenYEOS+y5PGTf7ET7pnpnYX9GwBqP
-f2D+FmW91mEk1dhRJ4efv2l4WzdkWPNdyQlY8SKfAoGAEIWmowo7EpbR5Boxc2o3
-Tl0JbGi1CNJAHtDjEJCd1OxKrMUrK07hOeEKF6y8K/WBuQhFvI2pu16oT4sMal9Z
-mEiJdJAFErefPLQGomHLXfq9mDEY13Ug/xAd9aMyYcubIg5XjAqLMrB60HcrLr7Q
-2hMCSDdVP2V/F3QVh8DEirE=

_dev/boring/ecdsa.pem

@@ -1,15 +0,0 @@
-MIIBbTCCAROgAwIBAgIQZCsHZcs5ZkzV+zC2E6j5RzAKBggqhkjOPQQDAjASMRAw
-DgYDVQQKEwdBY21lIENvMB4XDTE2MDkyNDE3NTE1OFoXDTI2MDkyMjE3NTE1OFow
-EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDTO
-B3IyzjYfKCp2HWy+P3QHxhdBT4AUGYgwTiSEj5phumPIahFNcOSWptN0UzlZvJdN
-MMjVmrFYK/FjF4abkNKjSzBJMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
-BgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggq
-hkjOPQQDAgNIADBFAiEAp9W157PM1IadPBc33Cbj7vaFvp+rXs/hSuMCzP8pgV8C
-IHCswo1qiC0ZjQmWsBlmz5Zbp9rOorIzBYmGRhRdNs3j
-MHcCAQEEIFdhO7IW5UIwpB1e2Vunm9QyKvUHWcVwGfLjhpOajuR7oAoGCCqGSM49
-AwEHoUQDQgAENM4HcjLONh8oKnYdbL4/dAfGF0FPgBQZiDBOJISPmmG6Y8hqEU1w
-5Jam03RTOVm8l00wyNWasVgr8WMXhpuQ0g==

_dev/boring/httpreq.txt

@@ -1,5 +0,0 @@
-GET / HTTP/1.1
-Host: example.com
-Connection: close
-
-

_dev/boring/rsa.pem

@@ -1,45 +0,0 @@
-MIIEpAIBAAKCAQEA1DHcIM3SThFqy8nAkPQFX0E7ph8jqh8EATXryjKHGuVjR3Xh
-OQ0BSPoJxyfdg/VEwevFrtmZAfz0WCbxvP2SVCmf7oobg4V2KPSo3nNt9vlBFUne
-RtIyHRQ8YRnGSWaRHzJbX6ffltnG2aD+8qUfk161rdZgxBA9G0Ga47IkwQhT2Hqu
-H3dW2Uu4W2WMyt6gX/tdyEAV57MOPcoceknr7Nb2kfiuDPR7h6wFrW3I6eoj8oX2
-SkIOuVNt1Z31BAUcPJDUjqopI0o9tolM/7X13M8dEY0OJQVr7FQYDF9JeSYeEMyb
-wizjBaHDm48mSghP1o5UssQBbNNC83btXCjiLQIDAQABAoIBACzvGgRAUYaCnbDl
-2kdXxUN0luMIuQ6vXrO67WF17bI+XRWm2riwDlObzzJDON9Wsua1vLjYD1SickOw
-i4RP1grIfbuPt1/UhT8LAC+LFgA0rBmL+OvaWw5ZWKffQ2QLujN3AG5zKB/Tog43
-z4UmfldAuQxE11zta2M4M0qAUNQnQj1oiuI8RUdG0VvvLw8Htdi1ogH0CI5R669z
-NjHt+JV+2gzKx6EX0s8mQL3yXGkC2xXItRbFclyCMJEhPS7QbBu+tru35N6WpzAq
-BCl2Q7LQogvSA6MXuMOx6CyuExVfgmhbfeoheLE8gmXwl0Y37n/g6ZBZFAtpCjcs
-UckPv0ECgYEA1orl7RwgIsZljMap6vWtMGoRIHKmT91DGpMmkh4suZe+yAk85maU
-49Vd+8ZfIN41AH37yrsGOcPHgz5o5QufELpoub6DCsQ7u9F1vQp55cp+qyBWzAgz
-b/xUuVnIyv3kLan3fpk7ZGCBXFBpLG0QXMFOHtda3Mlk5SmuoEYaYRkCgYEA/TLR
-u4neKqyqwsqMuRJGC1iKFVmfCjZeNMtPNbTWpdqez/vvT8APnEpIumUGt8YROLGZ
-8biUr5/ViOkmaP3wmQbO9m2/cE01lMTYv75w1cw2KVQe6kAHJkOx+JEx9xg53RJ/
-QlFtG5MQUy2599Gxp8BMGaXLH5yo4qwvNvY6CDUCgYEArxr7AwX7rKZlZ/sV4HHY
-gzVu+R7aY0DibiRATO5X7rrNuhLgI+UCDNqvNLn6FqeGdvpcsmDneeozQwmDL77G
-ey7KHyBBcF4tquQQxtRwHX+i1yUz8p+W7AX1WLrRSezjeenJ2QhUE1849hGjZeE2
-g546lq2Kub2enfPhVWsiSLECgYEA72T5QCPeVuLioUH5Q5Kvf1K7W+xcnr9A2xHP
-Vqwgtre5qFQ/tFuXZuIlWXbjnyY6aiwhrZYjntm0f7pRgrt2nHj/fafOdVPK8Voc
-xU4+SSbHntPWVw0qtVcUEjzVzRauvwMaJ43tZ0DpEnwNdO5i1oTObwF+x+jLFWZP
-TdwIinECgYBzjZeCxxOMk5SlPpTsLUtgC+q3m1AavXhUVNEPP2gKMOIPTETPbhbG
-LBxB2vVbJiS3J7itQy8gceT89O0vSEZnaTPXiM/Ws1QbkBJ8yW7KI7X4WuzN4Imq
-/cLBRXLb8R328U27YyQFNGMjr2tX/+vx5FulJjSloWMRNuFWUngv7w==
-MIIC+jCCAeKgAwIBAgIRANBDimJ/ww2tz77qcYIhuZowDQYJKoZIhvcNAQELBQAw
-EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xNjA5MjQxNzI5MTlaFw0yNjA5MjIxNzI5
-MTlaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDUMdwgzdJOEWrLycCQ9AVfQTumHyOqHwQBNevKMoca5WNHdeE5DQFI
-+gnHJ92D9UTB68Wu2ZkB/PRYJvG8/ZJUKZ/uihuDhXYo9Kjec232+UEVSd5G0jId
-FDxhGcZJZpEfMltfp9+W2cbZoP7ypR+TXrWt1mDEED0bQZrjsiTBCFPYeq4fd1bZ
-S7hbZYzK3qBf+13IQBXnsw49yhx6Sevs1vaR+K4M9HuHrAWtbcjp6iPyhfZKQg65
-U23VnfUEBRw8kNSOqikjSj22iUz/tfXczx0RjQ4lBWvsVBgMX0l5Jh4QzJvCLOMF
-ocObjyZKCE/WjlSyxAFs00Lzdu1cKOItAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIF
-oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC
-CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAygPV4enmvwSuMd1JarxOXpOK
-Z4Nsk7EKlfCPgzxQUOkFdLIr5ZG1kUkQt/omzTmoIWjLAsoYzT0ZCPOrioczKsWj
-MceFUIkT0w+eIl+8DzauPy34o8rjcApglF165UG3iphlpI+jdPzv5TBarUAbwsFb
-ClMLEiNJQ0OMxAIaRtb2RehD4q3OWlpWf6joJ36PRBqL8T5+f2x6Tg3c64UR+QPX
-98UcCQHHdEhm7y2z5Z2Wt0B48tZ+UAxDEoEwMghNyw7wUD79IRlXGYypBnXaMuLX
-46aGxbsSQ7Rfg62Co3JG7vo+eJd0AoZHrtFUnfM8V70IFzMBZnSwRslHRJe56Q==

_dev/boring/run.sh

@@ -1,8 +0,0 @@
-#! /bin/sh
-set -e
-
-/boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-	-session-out /session -connect "$@" < /httpreq.txt
-exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-    -session-in /session -connect "$@" < /httpreq.txt
-

_dev/boring/server.sh

@@ -1,32 +0,0 @@
-#!/bin/sh
-PATH=/boringssl/build/tool:$PATH
-set -x
-
-# RSA
-bssl server \
-    -key rsa.pem \
-    -min-version tls1.2 -max-version tls1.3 \
-    -accept 1443 -loop -www 2>&1 &
-
-# ECDSA
-bssl server \
-    -key ecdsa.pem \
-    -min-version tls1.2 -max-version tls1.3 \
-    -accept 2443 -loop -www 2>&1 &
-
-# Require client authentication (with ECDSA)
-bssl server \
-    -key ecdsa.pem \
-    -min-version tls1.2 -max-version tls1.3 \
-    -accept 6443 -loop -www \
-    -require-any-client-cert -debug 2>&1 &
-
-# ECDSA and SIDH/P503-X25519
-bssl server \
-    -key ecdsa.pem \
-    -curves X25519-SIDHp503:X25519:P-256:P-384:P-521 \
-    -min-version tls1.2 -max-version tls1.3 \
-    -accept 7443 -loop -www \
-    -debug 2>&1 &
-
-wait

_dev/caddy/Caddyfile

@@ -1,13 +0,0 @@
-tris.filippo.io {
-	tls bip@filippo.io
-	log stdout
-	proxy / https://blog.filippo.io
-}
-
-echo.filippo.io {
-	tls bip@filippo.io
-	log stdout
-	proxy / http://{$ECHO_PORT_80_TCP_ADDR}:{$ECHO_PORT_80_TCP_PORT} {
-		transparent
-	}
-}

_dev/caddy/Dockerfile

@@ -1,17 +0,0 @@
-FROM scratch
-
-# docker create -v /root/.caddy --name caddy-data caddy /bin/true
-# docker run --restart=always -d --volumes-from caddy-data --link echo -p 80:80 -p 443:443 caddy
-
-# GOOS=linux ../go.sh build -v -i github.com/mholt/caddy/caddy
-ADD caddy caddy
-ADD Caddyfile Caddyfile
-ADD https://mkcert.org/generate/ /etc/ssl/certs/ca-certificates.crt
-
-EXPOSE 80
-EXPOSE 443
-
-ENV TLSDEBUG short
-ENV HOME /root/
-
-CMD [ "/caddy" ]

_dev/caddy/Dockerfile.echo

@@ -1,7 +0,0 @@
-FROM scratch
-
-# docker run --restart=always -d --name echo -P echo
-
-ADD echo echo
-EXPOSE 80
-CMD [ "/echo", "0.0.0.0:80" ]

_dev/caddy/caddy.patch

@@ -1,21 +0,0 @@
-diff --git a/caddytls/config.go b/caddytls/config.go
-index 6632aed..767886c 100644
-+++ b/caddytls/config.go
-@@ -372,7 +372,7 @@ func SetDefaultTLSParams(config *Config) {
- 		config.ProtocolMinVersion = tls.VersionTLS11
- 	}
- 	if config.ProtocolMaxVersion == 0 {
--		config.ProtocolMaxVersion = tls.VersionTLS12
-+		config.ProtocolMaxVersion = tls.VersionTLS13
- 	}
- 
- 	// Prefer server cipher suites
-@@ -394,6 +394,7 @@ var supportedProtocols = map[string]uint16{
- 	"tls1.0": tls.VersionTLS10,
- 	"tls1.1": tls.VersionTLS11,
- 	"tls1.2": tls.VersionTLS12,
-+	"tls1.3": tls.VersionTLS13,
- }
- 
- // Map of supported ciphers, used only for parsing config.

_dev/caddy/echo.go

@@ -1,25 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"html"
-	"log"
-	"net/http"
-	"os"
-)
-
-var htmlBody = []byte(`
-<!DOCTYPE html>
-<p>Hello!
-<code><pre>
-`)
-
-func main() {
-	http.HandleFunc("/", func(rw http.ResponseWriter, r *http.Request) {
-		rw.Write(htmlBody)
-		for name, value := range r.Header {
-			fmt.Fprintf(rw, "%s: %s\n", name, html.EscapeString(value[0]))
-		}
-	})
-	log.Println(http.ListenAndServe(os.Args[1], nil))
-}

_dev/go.sh

@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-# 
-# THIS FILE IS ONLY USED BY _dev/bogo. It will be removed in future
-set -e
-
-BASEDIR=$(cd "$(dirname "$0")" && pwd)
-GOENV="$(go env GOHOSTOS)_$(go env GOHOSTARCH)"
-
-BUILD_DIR=${BASEDIR}/GOROOT make -f $BASEDIR/Makefile >&2
-
-export GOROOT="$BASEDIR/GOROOT/$GOENV"
-exec go "$@"

_dev/interop_test_runner

@@ -1,308 +0,0 @@
-#!/usr/bin/env python2
-
-import docker
-import unittest
-import re
-import time
-
-# Regex patterns used for testing
-
-# Checks if TLS 1.3 was negotiated
-RE_PATTERN_HELLO_TLS_13_NORESUME = "^.*Hello TLS 1.3 \(draft .*\) _o/$|^.*Hello TLS 1.3 _o/$"
-# Checks if TLS 1.3 was resumed
-RE_PATTERN_HELLO_TLS_13_RESUME   = "Hello TLS 1.3 \[resumed\] _o/"
-# Checks if 0-RTT was used and NOT confirmed
-RE_PATTERN_HELLO_0RTT            = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT\] _o/$"
-# Checks if 0-RTT was used and confirmed
-RE_PATTERN_HELLO_0RTT_CONFIRMED  = "^.*Hello TLS 1.3 .*\[resumed\] \[0-RTT confirmed\] _o/$"
-# ALPN
-RE_PATTERN_ALPN = "ALPN protocol: npn_proto$"
-# Successful TLS establishement from TRIS
-RE_TRIS_ALL_PASSED = ".*All handshakes passed.*"
-# TLS handshake from BoringSSL with SIDH/P503-X25519
-RE_BORINGSSL_P503 = "ECDHE curve: X25519-SIDHp503"
-
-class Docker(object):
-    ''' Utility class used for starting/stoping servers and clients during tests'''
-    def __init__(self):
-        self.d = docker.from_env()
-
-    def get_ip(self, server):
-        tris_localserver_container = self.d.containers.get(server)
-        return tris_localserver_container.attrs['NetworkSettings']['IPAddress']
-
-    def run_client(self, image_name, cmd):
-        ''' Runs client and returns tuple (status_code, logs) '''
-        c = self.d.containers.create(image=image_name, command=cmd)
-        c.start()
-        res = c.wait()
-        ret = c.logs()
-        c.remove()
-        return (res['StatusCode'], ret)
-
-    def run_server(self, image_name, cmd=None, ports=None, entrypoint=None):
-        ''' Starts server and returns docker container '''
-        c = self.d.containers.create(image=image_name, detach=True, command=cmd, ports=ports, entrypoint=entrypoint)
-        c.start()
-        # TODO: maybe can be done better?
-        time.sleep(3)
-        return c
-
-class RegexSelfTest(unittest.TestCase):
-    ''' Ensures that those regexe's actually work '''
-
-    LINE_HELLO_TLS      ="\nsomestuff\nHello TLS 1.3 _o/\nsomestuff"
-    LINE_HELLO_DRAFT_TLS="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nsomestuff"
-
-    LINE_HELLO_RESUMED  ="\nsomestuff\nHello TLS 1.3 [resumed] _o/\nsomestuff"
-    LINE_HELLO_MIXED    ="\nsomestuff\nHello TLS 1.3 (draft 23) _o/\nHello TLS 1.3 (draft 23) [resumed] _o/\nsomestuff"
-    LINE_HELLO_TLS_12   ="\nsomestuff\nHello TLS 1.2 (draft 23) [resumed] _o/\nsomestuff"
-    LINE_HELLO_TLS_13_0RTT="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT] _o/\nsomestuff"
-    LINE_HELLO_TLS_13_0RTT_CONFIRMED="\nsomestuff\nHello TLS 1.3 (draft 23) [resumed] [0-RTT confirmed] _o/\nsomestuff"
-    def test_regexes(self):
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS, re.MULTILINE))
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_DRAFT_TLS, re.MULTILINE))
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_RESUMED, re.MULTILINE))
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_0RTT, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_0RTT_CONFIRMED, RegexSelfTest.LINE_HELLO_TLS_13_0RTT_CONFIRMED, re.MULTILINE))
-
-        # negative cases
-
-        # expects 1.3, but 1.2 received
-        self.assertIsNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, RegexSelfTest.LINE_HELLO_TLS_12, re.MULTILINE))
-        # expects 0-RTT
-        self.assertIsNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))
-        # expectes 0-RTT confirmed
-        self.assertIsNone(
-            re.search(RE_PATTERN_HELLO_0RTT, RegexSelfTest.LINE_HELLO_TLS_13_0RTT_CONFIRMED, re.MULTILINE))
-        # expects resume without 0-RTT
-        self.assertIsNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_RESUME, RegexSelfTest.LINE_HELLO_TLS_13_0RTT, re.MULTILINE))
-
-
-class InteropServer(object):
-    ''' Instantiates TRIS as a server '''
-
-    TRIS_SERVER_NAME = "tris-localserver"
-
-    @classmethod
-    def setUpClass(self):
-        self.d = Docker()
-        self.server = self.d.run_server(self.TRIS_SERVER_NAME)
-
-    @classmethod
-    def tearDownClass(self):
-        self.server.kill()
-        self.server.remove()
-
-    @property
-    def server_ip(self):
-        return self.d.get_ip(self.server.name)
-
-# Mixins for testing server functionality
-
-class ServerNominalMixin(object):
-    ''' Nominal tests for TLS 1.3 - client tries to perform handshake with server '''
-    def test_rsa(self):
-        res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":"+'1443')
-        self.assertTrue(res[0] == 0)
-        # Check there was TLS hello without resume
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
-        # Check there was TLS hello with resume
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
-
-    def test_ecdsa(self):
-        res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":"+'2443')
-        self.assertTrue(res[0] == 0)
-        # Check there was TLS hello without resume
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
-        # Check there was TLS hello with resume
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
-
-class ServerClientAuthMixin(object):
-    ''' Client authentication testing '''
-    def test_client_auth(self):
-        args = ''.join([self.server_ip+':6443',' -key client_rsa.key -cert client_rsa.crt -debug'])
-        res = self.d.run_client(self.CLIENT_NAME, args)
-        self.assertEqual(res[0], 0)
-        # Check there was TLS hello without resume
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
-        # Check there was TLS hello with resume
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
-
-class ClientNominalMixin(object):
-
-    def test_rsa(self):
-        res = self.d.run_client(self.CLIENT_NAME, '-ecdsa=false '+self.server_ip+":1443")
-        self.assertEqual(res[0], 0)
-
-    def test_ecdsa(self):
-        res = self.d.run_client(self.CLIENT_NAME, '-rsa=false '+self.server_ip+":2443")
-        self.assertEqual(res[0], 0)
-
-
-class ClientClientAuthMixin(object):
-    ''' Client authentication testing - tris on client side '''
-
-    def test_client_auth(self):
-        res = self.d.run_client('tris-testclient', '-rsa=false -cliauth '+self.server_ip+":6443")
-        self.assertTrue(res[0] == 0)
-
-class ServerZeroRttMixin(object):
-    ''' Zero RTT testing '''
-
-    def test_zero_rtt(self):
-        # rejecting 0-RTT
-        res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":3443")
-        self.assertEqual(res[0], 0)
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_TLS_13_RESUME, res[1], re.MULTILINE))
-        self.assertIsNone(
-            re.search(RE_PATTERN_HELLO_0RTT, res[1], re.MULTILINE))
-
-        # accepting 0-RTT
-        res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":4443")
-        self.assertEqual(res[0], 0)
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_0RTT, res[1], re.MULTILINE))
-
-        # confirming 0-RTT
-        res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":5443")
-        self.assertEqual(res[0], 0)
-        self.assertIsNotNone(
-            re.search(RE_PATTERN_HELLO_0RTT_CONFIRMED, res[1], re.MULTILINE))
-
-class InteropClient(object):
-    ''' Instantiates TRIS as a client '''
-
-    CLIENT_NAME = "tris-testclient"
-
-    @classmethod
-    def setUpClass(self):
-        self.d = Docker()
-        self.server = self.d.run_server(
-                            self.SERVER_NAME,
-                            ports={ '1443/tcp': 1443, '2443/tcp': 2443, '6443/tcp': 6443, '7443/tcp': 7443},
-                            entrypoint="/server.sh")
-
-    @classmethod
-    def tearDownClass(self):
-        self.server.kill()
-        self.server.remove()
-
-    @property
-    def server_ip(self):
-        return self.d.get_ip(self.server.name)
-
-# Actual test definition
-
-# TRIS as a server, BoringSSL as a client
-class InteropServer_BoringSSL(InteropServer, ServerNominalMixin, ServerClientAuthMixin, unittest.TestCase):
-
-    CLIENT_NAME = "tls-tris:boring"
-
-    def test_ALPN(self):
-        '''
-        Checks wether ALPN is sent back by tris server in EncryptedExtensions in case of TLS 1.3. The
-        ALPN protocol is set to 'npn_proto', which is hardcoded in TRIS test server.
-        '''
-        res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":1443 "+'-alpn-protos npn_proto')
-        self.assertEqual(res[0], 0)
-        self.assertIsNotNone(re.search(RE_PATTERN_ALPN, res[1], re.MULTILINE))
-
-    def test_SIDH(self):
-        '''
-        Connects to TRIS server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519
-        '''
-        res = self.d.run_client(self.CLIENT_NAME, self.server_ip+":7443 "+'-curves X25519-SIDHp503')
-        self.assertEqual(res[0], 0)
-        self.assertIsNotNone(re.search(RE_BORINGSSL_P503, res[1], re.MULTILINE))
-        self.assertIsNotNone(re.search(RE_PATTERN_HELLO_TLS_13_NORESUME, res[1], re.MULTILINE))
-
-# PicoTLS doesn't seem to implement draft-23 correctly. It will
-# be enabled when draft-28 is implemented.
-# class InteropServer_PicoTLS(
-#         InteropServer,
-#         ServerNominalMixin,
-#         ServerZeroRttMixin,
-#         unittest.TestCase
-#     ): CLIENT_NAME = "tls-tris:picotls"
-
-class InteropServer_NSS(
-        InteropServer,
-        ServerNominalMixin,
-        ServerZeroRttMixin,
-        unittest.TestCase
-    ): CLIENT_NAME = "tls-tris:tstclnt"
-
-# TRIS as a client, BoringSSL as a server
-class InteropClient_BoringSSL(InteropClient, ClientNominalMixin, ClientClientAuthMixin, unittest.TestCase):
-
-    SERVER_NAME = "boring-localserver"
-
-    def test_SIDH(self):
-        '''
-        Connects to BoringSSL server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519
-        '''
-        res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -groups X25519-SIDHp503 ' + self.server_ip+":7443")
-        self.assertEqual(res[0], 0)
-        self.assertIsNotNone(re.search(RE_TRIS_ALL_PASSED, res[1], re.MULTILINE))
-
-    def test_SIDH_TLSv12(self):
-        '''
-        Connects to TRIS server listening on 7443 and tries to perform key agreement with SIDH/P503-X25519
-        This connection will be over TLSv12 and hence it should fall back to X25519
-        '''
-        res = self.d.run_client(self.CLIENT_NAME, '-tls_version=1.2 -rsa=false -ecdsa=true -groups X25519-SIDHp503:P-256 -ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ' + self.server_ip+":7443")
-        self.assertEqual(res[0], 0)
-        # Go doesn't provide API to get NamedGroup ID, but boringssl on port 7443 accepts only TLS1.2
-        # so if handshake was successful, then that's all what we need
-        self.assertIsNotNone(re.search(RE_TRIS_ALL_PASSED, res[1], re.MULTILINE))
-
-class InteropClient_NSS(
-        InteropClient,
-        ClientNominalMixin,
-        unittest.TestCase
-    ): SERVER_NAME = "tstclnt-localserver"
-
-# TRIS as a client
-class InteropServer_TRIS(ClientNominalMixin, InteropServer, unittest.TestCase):
-
-    CLIENT_NAME = 'tris-testclient'
-
-    def test_client_auth(self):
-        # I need to block TLS v1.2 as test server needs some rework
-        res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=false -cliauth '+self.server_ip+":6443")
-        self.assertEqual(res[0], 0)
-
-    def test_SIDH(self):
-        res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -groups X25519-SIDHp503 '+self.server_ip+":7443")
-        self.assertEqual(res[0], 0)
-
-    def test_SIKE(self):
-        res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true -groups X25519-SIKEp503 '+self.server_ip+":7443")
-        self.assertEqual(res[0], 0)
-
-    def test_server_doesnt_support_SIDH(self):
-        '''
-        Client advertises HybridSIDH and ECDH. Server supports ECDH only. Checks weather
-        TLS session can still be established.
-        '''
-        res = self.d.run_client(self.CLIENT_NAME, '-rsa=false -ecdsa=true '+self.server_ip+":7443")
-        self.assertEqual(res[0], 0)
-
-if __name__ == '__main__':
-    unittest.main()

_dev/mint/Dockerfile

@@ -1,21 +0,0 @@
-FROM golang:1.7-alpine
-
-RUN apk add --update \
-    git \
-  && rm -rf /var/cache/apk/*
-
-RUN go get github.com/bifurcation/mint
-
-# Draft 18
-ARG REVISION=52f9f98
-
-RUN cd /go/src/github.com/bifurcation/mint && git fetch https://github.com/FiloSottile/mint
-RUN cd /go/src/github.com/bifurcation/mint && git checkout $REVISION
-
-ADD mint-client.go /mint-client.go
-RUN GOBIN=/ go install /mint-client.go
-
-ENV MINT_LOG=*
-
-ADD run.sh /run.sh
-ENTRYPOINT ["/run.sh"]

_dev/mint/mint-client.go

@@ -1,41 +0,0 @@
-package main
-
-import (
-	"log"
-	"net"
-	"net/http"
-	"os"
-
-	"github.com/bifurcation/mint"
-)
-
-func main() {
-	c := &mint.Config{
-		PSKs: &mint.PSKMapCache{},
-	}
-
-	tr := &http.Transport{
-		DialTLS: func(network, addr string) (net.Conn, error) {
-			return mint.Dial(network, addr, c)
-		},
-		DisableKeepAlives: true,
-	}
-	client := &http.Client{Transport: tr}
-
-	resp, err := client.Get("https://" + os.Args[1])
-	if err != nil {
-		log.Fatal(err)
-	}
-	if err := resp.Write(os.Stdout); err != nil {
-		log.Fatal(err)
-	}
-
-	// Resumption
-	resp, err = client.Get("https://" + os.Args[1])
-	if err != nil {
-		log.Fatal(err)
-	}
-	if err := resp.Write(os.Stdout); err != nil {
-		log.Fatal(err)
-	}
-}

_dev/mint/run.sh

@@ -1,3 +0,0 @@
-#! /bin/sh
-
-exec /mint-client "$@"

_dev/patches/88253a956a753213617d95af3f42a23a78798473.patch

@@ -1,63 +0,0 @@
-From 88253a956a753213617d95af3f42a23a78798473 Mon Sep 17 00:00:00 2001
-From: Filippo Valsorda <filippo@cloudflare.com>
-Date: Mon, 28 Nov 2016 05:24:21 +0000
-Subject: [PATCH] net/http: attach TLSConnContextKey to the request Context
-
-Change-Id: Ic59c84f992c829dc7da741b128dd6899366fa1d2
- src/net/http/request.go |  4 +++-
- src/net/http/server.go  | 12 ++++++++++++
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/src/net/http/request.go b/src/net/http/request.go
-index 13f367c1a8..b2827ff123 100644
-+++ b/src/net/http/request.go
-@@ -275,7 +275,9 @@ type Request struct {
- 	// was received. This field is not filled in by ReadRequest.
- 	// The HTTP server in this package sets the field for
- 	// TLS-enabled connections before invoking a handler;
--	// otherwise it leaves the field nil.
-+	// otherwise it leaves the field nil. The value is fixed
-+	// at the state of the connection immediately after Handshake,
-+	// for an immediate value use TLSConnContextKey.
- 	// This field is ignored by the HTTP client.
- 	TLS *tls.ConnectionState
- 
-diff --git a/src/net/http/server.go b/src/net/http/server.go
-index 2fa8ab23d8..b0542cdbc3 100644
-+++ b/src/net/http/server.go
-@@ -223,6 +223,12 @@ var (
- 	// the local address the connection arrived on.
- 	// The associated value will be of type net.Addr.
- 	LocalAddrContextKey = &contextKey{"local-addr"}
-+
-+	// TLSConnContextKey is a context key. It can be used in
-+	// HTTP handlers with context.WithValue to access the
-+	// underlying *tls.Conn being served. If the connection
-+	// is not TLS, the key is not set.
-+	TLSConnContextKey = &contextKey{"tls-conn"}
- )
- 
- // A conn represents the server side of an HTTP connection.
-@@ -969,6 +975,9 @@ func (c *conn) readRequest(ctx context.Context) (w *response, err error) {
- 	delete(req.Header, "Host")
- 
- 	ctx, cancelCtx := context.WithCancel(ctx)
-+	if tlsConn, ok := c.rwc.(*tls.Conn); ok {
-+		ctx = context.WithValue(ctx, TLSConnContextKey, tlsConn)
-+	}
- 	req.ctx = ctx
- 	req.RemoteAddr = c.remoteAddr
- 	req.TLS = c.tlsState
-@@ -3161,6 +3170,9 @@ func (h initNPNRequest) ServeHTTP(rw ResponseWriter, req *Request) {
- 	if req.RemoteAddr == "" {
- 		req.RemoteAddr = h.c.RemoteAddr().String()
- 	}
-+	if req.ctx != nil && req.ctx.Value(TLSConnContextKey) == nil {
-+		req.ctx = context.WithValue(req.ctx, TLSConnContextKey, h.c)
-+	}
- 	h.h.ServeHTTP(rw, req)
- }
- 

_dev/picotls/Dockerfile

@@ -1,26 +0,0 @@
-FROM alpine
-
-RUN apk add --update \
-    git \
-    cmake \
-    build-base \
-    openssl-dev \
-    bash \
-  && rm -rf /var/cache/apk/*
-
-RUN git clone https://github.com/h2o/picotls
-
-# Draft -18
-#ARG REVISION=a6c1c65
-
-# Draft -22
-ARG REVISION=843ccdc
-
-RUN cd picotls && git fetch && git checkout $REVISION
-
-RUN cd picotls && git submodule update --init
-RUN cd picotls && cmake . && make
-
-ADD httpreq.txt /httpreq.txt
-ADD run.sh /run.sh
-ENTRYPOINT ["/run.sh"]

_dev/picotls/httpreq.txt

@@ -1,5 +0,0 @@
-GET / HTTP/1.1
-Host: example.com
-Connection: close
-
-

_dev/picotls/run.sh

@@ -1,10 +0,0 @@
-#! /bin/bash
-set -e
-
-IFS=':' read -ra ADDR <<< "$1"
-shift
-HOST="${ADDR[0]}"
-PORT="${ADDR[1]}"
-
-/picotls/cli -s /session -e "$@" $HOST $PORT < /httpreq.txt
-/picotls/cli -s /session -e "$@" $HOST $PORT < /httpreq.txt

_dev/testdata/Dockerfile

@@ -1,26 +0,0 @@
-# docker build -t tls-tris:testdata _dev/testdata
-# GOOS=linux ./_dev/go.sh test -c crypto/tls
-# docker run -it --rm -v "$(pwd):$(pwd)" -w "$(pwd)" tls-tris:testdata 
-# ./tls.test -update -test.v -test.run SCTs
-## === RUN   TestHandshakClientSCTs
-## Wrote testdata/Client-TLSv12-SCT
-## --- PASS: TestHandshakClientSCTs (0.62s)
-## PASS
-
-FROM alpine
-
-RUN apk add --update \
-		wget \
-		build-base \
-		perl \
-		ca-certificates \
-		linux-headers \
-	&& rm -rf /var/cache/apk/*
-
-RUN wget https://www.openssl.org/source/openssl-1.1.0c.tar.gz
-RUN tar xvf openssl-1.1.0c.tar.gz
-RUN cd openssl-1.1.0c && perl ./Configure enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method -static linux-x86_64
-RUN cd openssl-1.1.0c && make
-RUN cd openssl-1.1.0c && make install
-
-ENTRYPOINT ["/bin/sh"]

_dev/tls_examples/Makefile

@@ -1,7 +0,0 @@
-# Used to build examples. Must be compiled from current directory and after "make build-all"
-
-build:
-	GOROOT=../GOROOT/linux_amd64 go build ems_client.go
-
-run:
-	./ems_client google.com:443

_dev/tls_examples/ems_client.go

@@ -1,75 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"crypto/tls"
-	"flag"
-	"fmt"
-	"io"
-	"net/http"
-	"net/url"
-	"os"
-)
-
-var tlsVersionToName = map[string]uint16{
-	"tls10": tls.VersionTLS10,
-	"tls11": tls.VersionTLS11,
-	"tls12": tls.VersionTLS12,
-	"tls13": tls.VersionTLS13,
-}
-
-// Usage client args host:port
-func main() {
-	var version string
-	var addr string
-	var enableEMS bool
-	var resume bool
-	var config tls.Config
-	var cache tls.ClientSessionCache
-	cache = tls.NewLRUClientSessionCache(0)
-	flag.StringVar(&version, "version", "tls12", "Version of TLS to use")
-	flag.BoolVar(&enableEMS, "m", false, "Enable EMS")
-	flag.BoolVar(&resume, "r", false, "Attempt Resumption")
-	flag.Parse()
-	config.MinVersion = tlsVersionToName[version]
-	config.MaxVersion = tlsVersionToName[version]
-	config.InsecureSkipVerify = true
-	config.UseExtendedMasterSecret = !enableEMS
-	config.ClientSessionCache = cache
-	var iters int
-	if resume {
-		iters = 2
-	} else {
-		iters = 1
-	}
-	addr = flag.Arg(0)
-	for ; iters > 0; iters-- {
-		conn, err := tls.Dial("tcp", addr, &config)
-		if err != nil {
-			fmt.Println("Error %s", err)
-			os.Exit(1)
-		}
-		var req http.Request
-		var response *http.Response
-		req.Method = "GET"
-		req.URL, err = url.Parse("https://" + addr + "/")
-		if err != nil {
-			fmt.Println("Failed to parse url")
-			os.Exit(1)
-		}
-		req.Write(conn)
-		reader := bufio.NewReader(conn)
-		response, err = http.ReadResponse(reader, nil)
-		if err != nil {
-			fmt.Println("HTTP problem")
-			fmt.Println(err)
-			os.Exit(1)
-		}
-		io.Copy(os.Stdout, response.Body)
-		conn.Close()
-		if resume && iters == 2 {
-			fmt.Println("Attempting resumption")
-		}
-	}
-	os.Exit(0)
-}

_dev/tris-localserver/Dockerfile

@@ -1,16 +0,0 @@
-FROM buildpack-deps
-
-ENV TLSDEBUG error
-
-EXPOSE 1443
-EXPOSE 2443
-EXPOSE 3443
-EXPOSE 4443
-EXPOSE 5443
-EXPOSE 6443
-EXPOSE 7443
-
-ADD tris-localserver /
-ADD runner.sh /
-
-CMD [ "./runner.sh" ]

_dev/tris-localserver/runner.sh

@@ -1,11 +0,0 @@
-#!/bin/sh
-
-./tris-localserver -b 0.0.0.0:1443 -cert=rsa   -rtt0=n  2>&1 &  # first port: ECDSA (and no 0-RTT)
-./tris-localserver -b 0.0.0.0:2443 -cert=ecdsa -rtt0=a  2>&1 &  # second port: RSA (and accept 0-RTT but not offer it)
-./tris-localserver -b 0.0.0.0:3443 -cert=ecdsa -rtt0=o  2>&1 &  # third port: offer and reject 0-RTT
-./tris-localserver -b 0.0.0.0:4443 -cert=ecdsa -rtt0=oa 2>&1 &  # fourth port: offer and accept 0-RTT
-./tris-localserver -b 0.0.0.0:5443 -cert=ecdsa -rtt0=oa -rtt0ack 2>&1 &  # fifth port: offer and accept 0-RTT but confirm
-./tris-localserver -b 0.0.0.0:6443 -cert=rsa   -cliauth 2>&1 &  # sixth port: RSA with required client authentication
-./tris-localserver -b 0.0.0.0:7443 -cert=ecdsa -pq=c &          # Enables support for both - post-quantum and classical KEX algorithms
-
-wait

_dev/tris-localserver/server.go

@@ -1,316 +0,0 @@
-package main
-
-import (
-	"crypto/x509"
-	"encoding/hex"
-	"errors"
-	"flag"
-	"fmt"
-	"github.com/henrydcase/trs"
-	"io/ioutil"
-	"log"
-	"net/http"
-	"os"
-	"strings"
-	"time"
-)
-
-type ZeroRTT_t int
-type PubKeyAlgo_t int
-
-// Bitset
-const (
-	ZeroRTT_None   ZeroRTT_t = 0
-	ZeroRTT_Offer            = 1 << 0
-	ZeroRTT_Accept           = 1 << 1
-)
-
-type server struct {
-	Address string
-	ZeroRTT ZeroRTT_t
-	TLS     tls.Config
-}
-
-var tlsVersionToName = map[uint16]string{
-	tls.VersionTLS10: "1.0",
-	tls.VersionTLS11: "1.1",
-	tls.VersionTLS12: "1.2",
-	tls.VersionTLS13: "1.3",
-}
-
-func NewServer() *server {
-	s := new(server)
-	s.ZeroRTT = ZeroRTT_None
-	s.Address = "0.0.0.0:443"
-	s.TLS = tls.Config{
-		GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
-			// If we send the first flight too fast, NSS sends empty early data.
-			time.Sleep(500 * time.Millisecond)
-			return nil, nil
-		},
-		MaxVersion: tls.VersionTLS13,
-		ClientAuth: tls.NoClientCert,
-	}
-
-	return s
-}
-
-func enablePQ(s *server, enableDefault bool) {
-	var pqGroups = []tls.CurveID{tls.HybridSIDHp503Curve25519, tls.HybridSIKEp503Curve25519}
-	if enableDefault {
-		var defaultCurvePreferences = []tls.CurveID{tls.X25519, tls.CurveP256, tls.CurveP384, tls.CurveP521}
-		s.TLS.CurvePreferences = append(s.TLS.CurvePreferences, defaultCurvePreferences...)
-	}
-	s.TLS.CurvePreferences = append(s.TLS.CurvePreferences, pqGroups...)
-}
-
-func (s *server) start() {
-	var err error
-	if (s.ZeroRTT & ZeroRTT_Offer) == ZeroRTT_Offer {
-		s.TLS.Max0RTTDataSize = 100 * 1024
-	}
-
-	if keyLogFile := os.Getenv("SSLKEYLOGFILE"); keyLogFile != "" {
-		s.TLS.KeyLogWriter, err = os.OpenFile(keyLogFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
-		if err != nil {
-			log.Fatalf("Cannot open keylog file: %v", err)
-		}
-		log.Println("Enabled keylog")
-	}
-
-	s.TLS.ClientCAs = x509.NewCertPool()
-	s.TLS.ClientCAs.AppendCertsFromPEM([]byte(rsaCa_client))
-	s.TLS.Accept0RTTData = ((s.ZeroRTT & ZeroRTT_Accept) == ZeroRTT_Accept)
-	s.TLS.NextProtos = []string{"npn_proto"}
-
-	httpServer := &http.Server{
-		Addr:      s.Address,
-		TLSConfig: &s.TLS,
-	}
-	log.Fatal(httpServer.ListenAndServeTLS("", ""))
-}
-
-// setServerCertificateFromArgs sets server certificate from an argument provided by the caller. Possible values
-// for arg_cert:
-// * "rsa": sets hardcoded RSA keypair
-// * "ecdsa": sets hardcoded ECDSA keypair
-// * FILE1:FILE2: Uses private key from FILE1 and public key from FILE2. Both must be in PEM format. FILE2 can
-//   be single certificate or certificate chain.
-// * nil: fallbacks to "rsa"
-//
-// Function generate a panic in case certificate can't be correctly set
-func (s *server) setServerCertificateFromArgs(arg_cert *string) {
-	var certStr, keyStr []byte
-	var cert tls.Certificate
-	var err error
-
-	if arg_cert == nil {
-		// set rsa by default
-		certStr, keyStr = []byte(rsaCert), []byte(rsaKey)
-	} else {
-		switch *arg_cert {
-		case "rsa":
-			certStr, keyStr = []byte(rsaCert), []byte(rsaKey)
-		case "ecdsa":
-			certStr, keyStr = []byte(ecdsaCert), []byte(ecdsaKey)
-		default:
-			files := strings.Split(*arg_cert, ":")
-			if len(files) != 2 {
-				err = errors.New("Wrong format provided after -cert.")
-				goto err
-			}
-			keyStr, err = ioutil.ReadFile(files[0])
-			if err != nil {
-				goto err
-			}
-			certStr, err = ioutil.ReadFile(files[1])
-			if err != nil {
-				goto err
-			}
-		}
-	}
-
-	cert, err = tls.X509KeyPair(certStr, keyStr)
-	if err != nil {
-		goto err
-	}
-
-	s.TLS.Certificates = []tls.Certificate{cert}
-err:
-	if err != nil {
-		// Not possible to proceed really
-		log.Fatal(err)
-		panic(err)
-	}
-}
-
-func main() {
-
-	s := NewServer()
-
-	arg_addr := flag.String("b", "0.0.0.0:443", "Address:port used for binding")
-	arg_cert := flag.String("cert", "rsa", "Public algorithm to use:\nOptions [rsa, ecdsa, PrivateKeyFile:CertificateChainFile]")
-	arg_zerortt := flag.String("rtt0", "n", `0-RTT, accepts following values [n: None, a: Accept, o: Offer, oa: Offer and Accept]`)
-	arg_confirm := flag.Bool("rtt0ack", false, "0-RTT confirm")
-	arg_clientauth := flag.Bool("cliauth", false, "Performs client authentication (RequireAndVerifyClientCert used)")
-	arg_pq := flag.String("pq", "", "Enable quantum-resistant algorithms [c: Support classical and Quantum-Resistant, q: Enable Quantum-Resistant only]")
-	flag.Parse()
-
-	s.Address = *arg_addr
-
-	s.setServerCertificateFromArgs(arg_cert)
-
-	if *arg_zerortt == "a" {
-		s.ZeroRTT = ZeroRTT_Accept
-	} else if *arg_zerortt == "o" {
-		s.ZeroRTT = ZeroRTT_Offer
-	} else if *arg_zerortt == "oa" {
-		s.ZeroRTT = ZeroRTT_Offer | ZeroRTT_Accept
-	}
-
-	if *arg_clientauth {
-		s.TLS.ClientAuth = tls.RequireAndVerifyClientCert
-	}
-
-	if *arg_pq == "c" {
-		enablePQ(s, true)
-	} else if *arg_pq == "q" {
-		enablePQ(s, false)
-	}
-
-	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		tlsConn := r.Context().Value(http.TLSConnContextKey).(*tls.Conn)
-
-		with0RTT := ""
-		if !tlsConn.ConnectionState().HandshakeConfirmed {
-			with0RTT = " [0-RTT]"
-		}
-		if *arg_confirm || r.URL.Path == "/confirm" {
-			if err := tlsConn.ConfirmHandshake(); err != nil {
-				log.Fatal(err)
-			}
-			if with0RTT != "" {
-				with0RTT = " [0-RTT confirmed]"
-			}
-			if !tlsConn.ConnectionState().HandshakeConfirmed {
-				panic("HandshakeConfirmed false after ConfirmHandshake")
-			}
-		}
-
-		resumed := ""
-		if r.TLS.DidResume {
-			resumed = " [resumed]"
-		}
-
-		http2 := ""
-		if r.ProtoMajor == 2 {
-			http2 = " [HTTP/2]"
-		}
-
-		fmt.Fprintf(w, "<!DOCTYPE html><p>Hello TLS %s%s%s%s _o/\n", tlsVersionToName[r.TLS.Version], resumed, with0RTT, http2)
-	})
-
-	http.HandleFunc("/ch", func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "text/plain")
-		fmt.Fprintf(w, "Client Hello packet (%d bytes):\n%s", len(r.TLS.ClientHello), hex.Dump(r.TLS.ClientHello))
-	})
-
-	s.start()
-}
-
-const (
-	rsaKey = `-----BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEA1DHcIM3SThFqy8nAkPQFX0E7ph8jqh8EATXryjKHGuVjR3Xh
-OQ0BSPoJxyfdg/VEwevFrtmZAfz0WCbxvP2SVCmf7oobg4V2KPSo3nNt9vlBFUne
-RtIyHRQ8YRnGSWaRHzJbX6ffltnG2aD+8qUfk161rdZgxBA9G0Ga47IkwQhT2Hqu
-H3dW2Uu4W2WMyt6gX/tdyEAV57MOPcoceknr7Nb2kfiuDPR7h6wFrW3I6eoj8oX2
-SkIOuVNt1Z31BAUcPJDUjqopI0o9tolM/7X13M8dEY0OJQVr7FQYDF9JeSYeEMyb
-wizjBaHDm48mSghP1o5UssQBbNNC83btXCjiLQIDAQABAoIBACzvGgRAUYaCnbDl
-2kdXxUN0luMIuQ6vXrO67WF17bI+XRWm2riwDlObzzJDON9Wsua1vLjYD1SickOw
-i4RP1grIfbuPt1/UhT8LAC+LFgA0rBmL+OvaWw5ZWKffQ2QLujN3AG5zKB/Tog43
-z4UmfldAuQxE11zta2M4M0qAUNQnQj1oiuI8RUdG0VvvLw8Htdi1ogH0CI5R669z
-NjHt+JV+2gzKx6EX0s8mQL3yXGkC2xXItRbFclyCMJEhPS7QbBu+tru35N6WpzAq
-BCl2Q7LQogvSA6MXuMOx6CyuExVfgmhbfeoheLE8gmXwl0Y37n/g6ZBZFAtpCjcs
-UckPv0ECgYEA1orl7RwgIsZljMap6vWtMGoRIHKmT91DGpMmkh4suZe+yAk85maU
-49Vd+8ZfIN41AH37yrsGOcPHgz5o5QufELpoub6DCsQ7u9F1vQp55cp+qyBWzAgz
-b/xUuVnIyv3kLan3fpk7ZGCBXFBpLG0QXMFOHtda3Mlk5SmuoEYaYRkCgYEA/TLR
-u4neKqyqwsqMuRJGC1iKFVmfCjZeNMtPNbTWpdqez/vvT8APnEpIumUGt8YROLGZ
-8biUr5/ViOkmaP3wmQbO9m2/cE01lMTYv75w1cw2KVQe6kAHJkOx+JEx9xg53RJ/
-QlFtG5MQUy2599Gxp8BMGaXLH5yo4qwvNvY6CDUCgYEArxr7AwX7rKZlZ/sV4HHY
-gzVu+R7aY0DibiRATO5X7rrNuhLgI+UCDNqvNLn6FqeGdvpcsmDneeozQwmDL77G
-ey7KHyBBcF4tquQQxtRwHX+i1yUz8p+W7AX1WLrRSezjeenJ2QhUE1849hGjZeE2
-g546lq2Kub2enfPhVWsiSLECgYEA72T5QCPeVuLioUH5Q5Kvf1K7W+xcnr9A2xHP
-Vqwgtre5qFQ/tFuXZuIlWXbjnyY6aiwhrZYjntm0f7pRgrt2nHj/fafOdVPK8Voc
-xU4+SSbHntPWVw0qtVcUEjzVzRauvwMaJ43tZ0DpEnwNdO5i1oTObwF+x+jLFWZP
-TdwIinECgYBzjZeCxxOMk5SlPpTsLUtgC+q3m1AavXhUVNEPP2gKMOIPTETPbhbG
-LBxB2vVbJiS3J7itQy8gceT89O0vSEZnaTPXiM/Ws1QbkBJ8yW7KI7X4WuzN4Imq
-/cLBRXLb8R328U27YyQFNGMjr2tX/+vx5FulJjSloWMRNuFWUngv7w==
-	rsaCert = `-----BEGIN CERTIFICATE-----
-MIIC+jCCAeKgAwIBAgIRANBDimJ/ww2tz77qcYIhuZowDQYJKoZIhvcNAQELBQAw
-EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xNjA5MjQxNzI5MTlaFw0yNjA5MjIxNzI5
-MTlaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQDUMdwgzdJOEWrLycCQ9AVfQTumHyOqHwQBNevKMoca5WNHdeE5DQFI
-+gnHJ92D9UTB68Wu2ZkB/PRYJvG8/ZJUKZ/uihuDhXYo9Kjec232+UEVSd5G0jId
-FDxhGcZJZpEfMltfp9+W2cbZoP7ypR+TXrWt1mDEED0bQZrjsiTBCFPYeq4fd1bZ
-S7hbZYzK3qBf+13IQBXnsw49yhx6Sevs1vaR+K4M9HuHrAWtbcjp6iPyhfZKQg65
-U23VnfUEBRw8kNSOqikjSj22iUz/tfXczx0RjQ4lBWvsVBgMX0l5Jh4QzJvCLOMF
-ocObjyZKCE/WjlSyxAFs00Lzdu1cKOItAgMBAAGjSzBJMA4GA1UdDwEB/wQEAwIF
-oDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuC
-CWxvY2FsaG9zdDANBgkqhkiG9w0BAQsFAAOCAQEAygPV4enmvwSuMd1JarxOXpOK
-Z4Nsk7EKlfCPgzxQUOkFdLIr5ZG1kUkQt/omzTmoIWjLAsoYzT0ZCPOrioczKsWj
-MceFUIkT0w+eIl+8DzauPy34o8rjcApglF165UG3iphlpI+jdPzv5TBarUAbwsFb
-ClMLEiNJQ0OMxAIaRtb2RehD4q3OWlpWf6joJ36PRBqL8T5+f2x6Tg3c64UR+QPX
-98UcCQHHdEhm7y2z5Z2Wt0B48tZ+UAxDEoEwMghNyw7wUD79IRlXGYypBnXaMuLX
-46aGxbsSQ7Rfg62Co3JG7vo+eJd0AoZHrtFUnfM8V70IFzMBZnSwRslHRJe56Q==
-	rsaCa_client = `-----BEGIN CERTIFICATE-----
-MIIF6zCCA9OgAwIBAgIUC4U4HlbkVMrKKTFK0mNrMFDpRskwDQYJKoZIhvcNAQEL
-BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
-cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
-IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDIz
-OVoXDTQ2MDcwOTAwNDIzOVowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
-FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
-T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0z+DMLb7YIMFFNZpn+ve
-NdT7GL9DPyV9ZWSHpUuDyme6Og6Mp5IpCLlKjNXtizX5aQ9xQ746slt70fivSV/r
-tiEtayZkcwS7zHtc5f+U/S0hR1q5Zh3DaLQH9diSeuNFQN5pg7zQT5csJFlxf6EB
-j/ioSBC+J1E8A2FAh0qDq+TvPPyZEEjcJy0oBuNHUnkC3rwjt24DAUI26rN/Qk9P
-a6KR9bBOdHFFul3DEP/uPqWV9TvV5tJhP3J2RbfS79WljFy/lFIwvJvfQHYEjMt4
-/gq8yTSUgJ8zmgJQ1sgOKH1FzJd4EdAMquSYbElkc35jX8gggUNOUcwsIfJBnu41
-SC51JQruNT256zse76o8Dx3lSHiz5c6luZyJnZWWt6xWtfGEGMnckpn6cVvcbbgq
-eWqmttgE2QTpgYoYUVcX/XFtsmZVTu05r8MZoqje5rgW9nEvvW+3M+eT5h0M9eGQ
-bIT3D3tdXB2XWCjUWqxpZscFwyumGu7vdykBKLhMVR3nEpFfORnH+534vwi49fjz
-WnN6fXAZZLPnGtEdWXNgs9JtgI5UheAQbcA3FT+M3maa88V2JrETLps405NYp6hJ
-6msbS/AmV/eSilRmbGVj9TfKHb/BVHNYwVQ0Bu/QN2YQNQ9olOpIxXgKr6Y4tKZt
-wTOMiCxZrnDQneQOTnW0NAMCAwEAAaNjMGEwHQYDVR0OBBYEFNLiS6YezH2bWiZ3
-TNbkQzMoBBB2MB8GA1UdIwQYMBaAFNLiS6YezH2bWiZ3TNbkQzMoBBB2MA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAQ
-cWIFOusSLKizqcqMsbMIY/Jzy0Tq5jzeOAQEQBztu7eJb208SG2EJtD6ylBQCF8t
-FCxUbvWNrly1MJoMSXdn3uMz3kLKNQa6RENckwA1UuYZpdhvTUtmPun9QqFPJdqm
-oi0paOVut9q3dplDy6MUknGN4tNWp2ZDfyvom3mUMfYGEO/FCWTy8eFd6cHRE9bw
-tHkcX5r7GpDHH5vKXOF/deMp1Xgep5ZTasL13YwPiYgctst91pEfdcztjHW0mQNT
-ZH/TUQDgs2UCjcvyeOlgoZixWOpkf1Qyje15k9qMb89/5hdarxvAQbG2BezQtzyk
-bbCu1MQa2DBdAKbhQxas/DPSvSkA/y8v+hiovTWtPKErPnQqZqVy59KUTBWj8ZAj
-5dkDVjBvUcsJ/6zHv0X9puEnIDZ8pK+Xn9LbcbPE7Nf1ikDyOqHmLmhGfWlEGvoD
-3Q8f8zUySZ40mfqtVhc7OYqA66Q9quNQ4VBESVNiEJ/LuWHRXe74KqFdggsQqtS6
-UQQgw5lFnKHZ9pk2VlKzgpkmd5fLMOhcHWQbsah9TFOuW5vEhWGHNhGCyGouWTzD
-mkwlPS8arj/ymUn6t/oiwSOA6GbjQLnTXvoAjdBxnukQlNY6TUDk+lSQw0qfZGIA
-xZywUgRbLZH8TFUnuEQps35XnWrY8rrXVj9+9h0B4g==
-	ecdsaCert = `-----BEGIN CERTIFICATE-----
-MIIBbTCCAROgAwIBAgIQZCsHZcs5ZkzV+zC2E6j5RzAKBggqhkjOPQQDAjASMRAw
-DgYDVQQKEwdBY21lIENvMB4XDTE2MDkyNDE3NTE1OFoXDTI2MDkyMjE3NTE1OFow
-EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDTO
-B3IyzjYfKCp2HWy+P3QHxhdBT4AUGYgwTiSEj5phumPIahFNcOSWptN0UzlZvJdN
-MMjVmrFYK/FjF4abkNKjSzBJMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggr
-BgEFBQcDATAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggq
-hkjOPQQDAgNIADBFAiEAp9W157PM1IadPBc33Cbj7vaFvp+rXs/hSuMCzP8pgV8C
-IHCswo1qiC0ZjQmWsBlmz5Zbp9rOorIzBYmGRhRdNs3j
-	ecdsaKey = `-----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIFdhO7IW5UIwpB1e2Vunm9QyKvUHWcVwGfLjhpOajuR7oAoGCCqGSM49
-AwEHoUQDQgAENM4HcjLONh8oKnYdbL4/dAfGF0FPgBQZiDBOJISPmmG6Y8hqEU1w
-5Jam03RTOVm8l00wyNWasVgr8WMXhpuQ0g==
-)

_dev/tris-localserver/start.sh

@@ -1,5 +0,0 @@
-#! /bin/sh
-set -e
-
-exec docker run --name tris-localserver --env TLSDEBUG=error "$@" tris-localserver
-

_dev/tris-testclient/Dockerfile

@@ -1,7 +0,0 @@
-FROM buildpack-deps
-
-ENV TLSDEBUG error
-
-ADD tris-testclient /
-
-ENTRYPOINT ["/tris-testclient"]

_dev/tris-testclient/client.go

@@ -1,303 +0,0 @@
-package main
-
-import (
-	"crypto/x509"
-	"errors"
-	"flag"
-	"fmt"
-	"github.com/henrydcase/trs"
-	"io"
-	"log"
-	"os"
-	"strings"
-)
-
-var tlsVersionToName = map[uint16]string{
-	tls.VersionTLS10: "1.0",
-	tls.VersionTLS11: "1.1",
-	tls.VersionTLS12: "1.2",
-	tls.VersionTLS13: "1.3",
-}
-
-var cipherSuiteIdToName = map[uint16]string{
-	tls.TLS_RSA_WITH_AES_128_CBC_SHA:            "TLS_RSA_WITH_AES_128_CBC_SHA",
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
-	tls.TLS_AES_128_GCM_SHA256:                  "TLS_AES_128_GCM_SHA256",
-	tls.TLS_AES_256_GCM_SHA384:                  "TLS_AES_256_GCM_SHA384",
-	tls.TLS_CHACHA20_POLY1305_SHA256:            "TLS_CHACHA20_POLY1305_SHA256",
-}
-
-var namedGroupsToName = map[uint16]string{
-	uint16(tls.HybridSIDHp503Curve25519): "X25519-SIDHp503",
-	uint16(tls.HybridSIKEp503Curve25519): "X25519-SIKEp503",
-	uint16(tls.X25519):                   "X25519",
-	uint16(tls.CurveP256):                "P-256",
-	uint16(tls.CurveP384):                "P-384",
-	uint16(tls.CurveP521):                "P-521",
-}
-
-func getIDByName(m map[uint16]string, name string) (uint16, error) {
-	for key, value := range m {
-		if value == name {
-			return key, nil
-		}
-	}
-	return 0, errors.New("Unknown value")
-}
-
-var failed uint
-
-type Client struct {
-	TLS  tls.Config
-	addr string
-}
-
-func NewClient() *Client {
-	var c Client
-	c.TLS.InsecureSkipVerify = true
-	return &c
-}
-
-func (c *Client) clone() *Client {
-	var clone Client
-	clone.TLS = *c.TLS.Clone()
-	clone.addr = c.addr
-	return &clone
-}
-
-func (c *Client) setMinMaxTLS(ver uint16) {
-	c.TLS.MinVersion = ver
-	c.TLS.MaxVersion = ver
-}
-
-func (c *Client) run() {
-	fmt.Printf("TLS %s with %s\n", tlsVersionToName[c.TLS.MinVersion], cipherSuiteIdToName[c.TLS.CipherSuites[0]])
-
-	con, err := tls.Dial("tcp", c.addr, &c.TLS)
-	if err != nil {
-		fmt.Printf("handshake failed: %v\n\n", err)
-		failed++
-		return
-	}
-	defer con.Close()
-
-	_, err = con.Write([]byte("GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"))
-	if err != nil {
-		fmt.Printf("Write failed: %v\n\n", err)
-		failed++
-		return
-	}
-
-	buf := make([]byte, 1024)
-	n, err := con.Read(buf)
-	// A non-zero read with EOF is acceptable and occurs when a close_notify
-	// is received right after reading data (observed with NSS selfserv).
-	if !(n > 0 && err == io.EOF) && err != nil {
-		fmt.Printf("Read failed: %v\n\n", err)
-		failed++
-		return
-	}
-	fmt.Printf("[TLS: %s] Read %d bytes\n", tlsVersionToName[con.ConnectionState().Version], n)
-	fmt.Println("OK\n")
-}
-
-func result() {
-	if failed > 0 {
-		log.Fatalf("Failed handshakes: %d\n", failed)
-	} else {
-		fmt.Println("All handshakes passed")
-	}
-}
-
-// Usage client args host:port
-func main() {
-	var keylog_file, tls_version, named_groups, named_ciphers string
-	var enable_rsa, enable_ecdsa, client_auth bool
-
-	flag.StringVar(&keylog_file, "keylogfile", "", "Secrets will be logged here")
-	flag.BoolVar(&enable_rsa, "rsa", true, "Whether to enable RSA cipher suites")
-	flag.BoolVar(&enable_ecdsa, "ecdsa", true, "Whether to enable ECDSA cipher suites")
-	flag.BoolVar(&client_auth, "cliauth", false, "Whether to enable client authentication")
-	flag.StringVar(&tls_version, "tls_version", "1.3", "TLS version to use")
-	flag.StringVar(&named_groups, "groups", "X25519:P-256:P-384:P-521", "NamedGroups IDs to use")
-	flag.StringVar(&named_ciphers, "ciphers", "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384", "Named cipher IDs to use")
-	flag.Parse()
-	if flag.NArg() != 1 {
-		flag.Usage()
-		os.Exit(1)
-	}
-
-	client := NewClient()
-	client.addr = flag.Arg(0)
-	if !strings.Contains(client.addr, ":") {
-		client.addr += ":443"
-	}
-
-	if keylog_file == "" {
-		keylog_file = os.Getenv("SSLKEYLOGFILE")
-	}
-	if keylog_file != "" {
-		keylog_writer, err := os.OpenFile(keylog_file, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
-		if err != nil {
-			log.Fatalf("Cannot open keylog file: %v", err)
-		}
-		client.TLS.KeyLogWriter = keylog_writer
-		log.Println("Enabled keylog")
-	}
-
-	if client_auth {
-		var err error
-		client_cert, err := tls.X509KeyPair([]byte(client_crt), []byte(client_key))
-		if err != nil {
-			panic("Can't load client certificate")
-		}
-
-		client.TLS.Certificates = []tls.Certificate{client_cert}
-		client.TLS.RootCAs = x509.NewCertPool()
-		if !client.TLS.RootCAs.AppendCertsFromPEM([]byte(client_ca)) {
-			panic("Can't load client CA cert")
-		}
-	}
-
-	if enable_rsa {
-		// Sanity check: TLS 1.2 with the mandatory cipher suite from RFC 5246
-		c := client.clone()
-		c.TLS.CipherSuites = []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}
-		c.setMinMaxTLS(tls.VersionTLS12)
-		c.run()
-	}
-
-	if enable_ecdsa {
-		// Sane cipher suite for TLS 1.2 with an ECDSA cert (as used by boringssl)
-		c := client.clone()
-		c.TLS.CipherSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
-		c.setMinMaxTLS(tls.VersionTLS12)
-		c.run()
-	}
-
-	// Set requested DH groups
-	client.TLS.CurvePreferences = []tls.CurveID{}
-	for _, ng := range strings.Split(named_groups, ":") {
-		id, err := getIDByName(namedGroupsToName, ng)
-		if err != nil {
-			panic("Wrong group name provided")
-		}
-		client.TLS.CurvePreferences = append(client.TLS.CurvePreferences, tls.CurveID(id))
-	}
-
-	// Perform TLS handshake with each each requested CipherSuite
-	tlsID, err := getIDByName(tlsVersionToName, tls_version)
-	if err != nil {
-		panic("Unknown TLS version")
-	}
-	for _, cn := range strings.Split(named_ciphers, ":") {
-		id, err := getIDByName(cipherSuiteIdToName, cn)
-		if err != nil {
-			panic("Wrong cipher name provided")
-		}
-		client.setMinMaxTLS(tlsID)
-		client.TLS.CipherSuites = []uint16{id}
-		client.run()
-	}
-
-	// TODO test other kex methods besides X25519, like MTI secp256r1
-	// TODO limit supported groups?
-
-	result()
-}
-
-const (
-	client_ca = `-----BEGIN CERTIFICATE-----
-MIIF6zCCA9OgAwIBAgIUC4U4HlbkVMrKKTFK0mNrMFDpRskwDQYJKoZIhvcNAQEL
-BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
-cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
-IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDIz
-OVoXDTQ2MDcwOTAwNDIzOVowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
-FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
-T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0z+DMLb7YIMFFNZpn+ve
-NdT7GL9DPyV9ZWSHpUuDyme6Og6Mp5IpCLlKjNXtizX5aQ9xQ746slt70fivSV/r
-tiEtayZkcwS7zHtc5f+U/S0hR1q5Zh3DaLQH9diSeuNFQN5pg7zQT5csJFlxf6EB
-j/ioSBC+J1E8A2FAh0qDq+TvPPyZEEjcJy0oBuNHUnkC3rwjt24DAUI26rN/Qk9P
-a6KR9bBOdHFFul3DEP/uPqWV9TvV5tJhP3J2RbfS79WljFy/lFIwvJvfQHYEjMt4
-/gq8yTSUgJ8zmgJQ1sgOKH1FzJd4EdAMquSYbElkc35jX8gggUNOUcwsIfJBnu41
-SC51JQruNT256zse76o8Dx3lSHiz5c6luZyJnZWWt6xWtfGEGMnckpn6cVvcbbgq
-eWqmttgE2QTpgYoYUVcX/XFtsmZVTu05r8MZoqje5rgW9nEvvW+3M+eT5h0M9eGQ
-bIT3D3tdXB2XWCjUWqxpZscFwyumGu7vdykBKLhMVR3nEpFfORnH+534vwi49fjz
-WnN6fXAZZLPnGtEdWXNgs9JtgI5UheAQbcA3FT+M3maa88V2JrETLps405NYp6hJ
-6msbS/AmV/eSilRmbGVj9TfKHb/BVHNYwVQ0Bu/QN2YQNQ9olOpIxXgKr6Y4tKZt
-wTOMiCxZrnDQneQOTnW0NAMCAwEAAaNjMGEwHQYDVR0OBBYEFNLiS6YezH2bWiZ3
-TNbkQzMoBBB2MB8GA1UdIwQYMBaAFNLiS6YezH2bWiZ3TNbkQzMoBBB2MA8GA1Ud
-EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQAQ
-cWIFOusSLKizqcqMsbMIY/Jzy0Tq5jzeOAQEQBztu7eJb208SG2EJtD6ylBQCF8t
-FCxUbvWNrly1MJoMSXdn3uMz3kLKNQa6RENckwA1UuYZpdhvTUtmPun9QqFPJdqm
-oi0paOVut9q3dplDy6MUknGN4tNWp2ZDfyvom3mUMfYGEO/FCWTy8eFd6cHRE9bw
-tHkcX5r7GpDHH5vKXOF/deMp1Xgep5ZTasL13YwPiYgctst91pEfdcztjHW0mQNT
-ZH/TUQDgs2UCjcvyeOlgoZixWOpkf1Qyje15k9qMb89/5hdarxvAQbG2BezQtzyk
-bbCu1MQa2DBdAKbhQxas/DPSvSkA/y8v+hiovTWtPKErPnQqZqVy59KUTBWj8ZAj
-5dkDVjBvUcsJ/6zHv0X9puEnIDZ8pK+Xn9LbcbPE7Nf1ikDyOqHmLmhGfWlEGvoD
-3Q8f8zUySZ40mfqtVhc7OYqA66Q9quNQ4VBESVNiEJ/LuWHRXe74KqFdggsQqtS6
-UQQgw5lFnKHZ9pk2VlKzgpkmd5fLMOhcHWQbsah9TFOuW5vEhWGHNhGCyGouWTzD
-mkwlPS8arj/ymUn6t/oiwSOA6GbjQLnTXvoAjdBxnukQlNY6TUDk+lSQw0qfZGIA
-xZywUgRbLZH8TFUnuEQps35XnWrY8rrXVj9+9h0B4g==
-	client_crt = `-----BEGIN CERTIFICATE-----
-MIIFSjCCAzKgAwIBAgIUCKk2npLYEX2Z3Ceu1CwSKK50j04wDQYJKoZIhvcNAQEL
-BQAwfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0ExFzAVBgNVBAcMDkNhZ25l
-cyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMSIw
-IAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9uMB4XDTE5MDIyMjAwNDMz
-MloXDTQ2MDcwOTAwNDMzMlowfTELMAkGA1UEBhMCRlIxDTALBgNVBAgMBFBBQ0Ex
-FzAVBgNVBAcMDkNhZ25lcyBzdXIgTWVyMSIwIAYDVQQLDBlDZXJ0IFRlc3Rpbmcg
-T3JnYW5pemF0aW9uMSIwIAYDVQQDDBlDZXJ0IFRlc3RpbmcgT3JnYW5pemF0aW9u
-MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEA0DQrWlCfijylutz28aTB
-T9WDnvBWpJ535t/Clt4o2nv3Cp6JxvUVzYkdKuaLR295gyEBx9JSHiZxPiJoPVfp
-wigmG0R9HvByAG5rhaQbQt99npoBaHMps1i12VxxFy1yaqZW6mrwrHMfV716rZ2M
-AzWx7UfhutloBYeeluiziDWUSEuGeJG7kHdvUtGYlbRd/ElFWHOfAQ7Oc8UUjEHW
-sorkqciqyAERV/H9hr5Rap/J/ERcFC8bNecS4t1Yh98WgIun/MbcBKQzo1LsWmOQ
-dmaMBoG8g1mYRbNap8G/+aQbjfRi1zN0yaW1wtlLoBJmNgLjwYgaS/5Uey5NZMdb
-NwIBA6OBwzCBwDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAxBglghkgB
-hvhCAQ0EJBYiQ2VydCBUZXN0aW5nIEludGVybWVkaWF0ZSAtIENsaWVudDAdBgNV
-HQ4EFgQULlrGFPbxwz525ywQYPs72P7YnL4wHwYDVR0jBBgwFoAU0uJLph7MfZta
-JndM1uRDMygEEHYwDgYDVR0PAQH/BAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMC
-BggrBgEFBQcDBDANBgkqhkiG9w0BAQsFAAOCAgEAwLc+Xg5Fyfbgu5iFs1y7E0Et
-4E/5lF0A4iqDVX3e7/upoUIBFZFv2PlAqIlhQ49NgGlIfrBlwEijZJ9kgVmUcKDS
-UrqBvKUn+99dTC8Zn/Py9ofLNcJy+qNJg4TpbpBxXaP1MXdZYXdYkGtyyPIGo31U
-oHibNLQDCtKFMoEPCvFuCBtJgyT46l5KN7VQCA0ZDm84fVmIgEEOXWwz0mDIhGWm
-hDhmqONznl0+aHirqJxsBaplBaFVV1N02ksR53sPPy/UfDsAD3Fpp8R1DAMEyy0o
-kTqm8QINVL961YT1Y/oI+GlypjPq9cL0dEHdxwu6gyCHPMMGGGIDHmLoqJJuj/Kr
-/T08jhtDv8D7e9m3wfSW/RqHKE31Yy21SXv/gpcHGunwzDoj/QUvRl/xTjJfx+S8
-2NHxSU8QOdexhJumsNFJe8kH8cRJMCMB8/hfiBpI0QANkUBJ1aaa/p7vZuEKJm+/
-85m3Yz+zn58/Bube06z6QzFeR8Edi+6hXk4/WoHltgXiNowD3d4xI48sPWEbe+QZ
-6u60sEdpY2a+3Xwt9m9R2R+sGP3QyDFd9GVaUPt21TeeLdfS3kPqwO2k+UXB8nV3
-Yh1Hvyx67u0tX3wBVe40CNaAu7iW+e4aXjksG2dxk71lNq5CHJCOtbRK4LUArjy5
-cw4KAXWoaR8YIC3BWgg=
-	client_key = `-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDQNCtaUJ+KPKW6
-3PbxpMFP1YOe8Faknnfm38KW3ijae/cKnonG9RXNiR0q5otHb3mDIQHH0lIeJnE+
-Img9V+nCKCYbRH0e8HIAbmuFpBtC332emgFocymzWLXZXHEXLXJqplbqavCscx9X
-vXqtnYwDNbHtR+G62WgFh56W6LOINZRIS4Z4kbuQd29S0ZiVtF38SUVYc58BDs5z
-xRSMQdayiuSpyKrIARFX8f2GvlFqn8n8RFwULxs15xLi3ViH3xaAi6f8xtwEpDOj
-UuxaY5B2ZowGgbyDWZhFs1qnwb/5pBuN9GLXM3TJpbXC2UugEmY2AuPBiBpL/lR7
-Lk1kx1s3AgEDAoIBAQCKzXI8Nb+xfcPR6KShGIDf460UoDnDFE/vP9cPPsXm/U9c
-abEvTg6JBhNx7weE9PuswKvajDa+xEt+wZrTj/EsGsQSLai/Svaq9EeubWeB6lO/
-EVZFohvM5c6Q6EtkyPbxxDnxnKBy92o6flHJE7KsznaeL+vR5kVZBRRkmyJazS4s
-Z5rbrN9AhSIfyHs9GCQGgsXT6HMsyoJYFastwQ2qj+9L2ypcM8TW+KGzGfJipoJb
-l/N/8WHb4ZumA67lfWq4v5JTA5qAUKcfPszEBrUfQ34Tk+73Iiov9f7SXPYxWxVJ
-g9PuzfewvJrp6CPv+/mKNt8PmBYkaXlnyjr9tCwLAoGBAPjAVZapQVuIqftcOZtf
-Re9fAV9Vvv1FEO8bKJeIsPDlRkdg+TfTMgxhZU0I3P4XdEj7Fa87w4wkA6GkIrOO
-W9/usPOYzSdTP5aVEsdGbT8yD2vTST7Aw/GESKTRJA/Fe1PIb5Nz3OijyTusvFE+
-XSR3EXb1myX+2rFS0Wbiz2U5AoGBANZFWoeFzREnBcDG60RayjiTg71E1/T4zhvU
-e/w+71FNbLZXBrNqgV20F73xOme/Mb13yr+YgXxIEQfFtR6hRxZ8u1jndEzw66Jf
-YfHt7EGVceMV2pdP4md5ebebEj7qICfXPxF9IZicwZG3QMR5u0tvnx40iNMWhW0M
-rY4FabPvAoGBAKXVjmRw1j0FxqeS0RI/g/TqAOo5Kf4uC0oSGw+wdfXuLtpApiU3
-drLrmN4F6Klk+DCnY8on17LCrRZtbHe0PT/0dfe7M2+M1Q8ODITZniohX503hinV
-1/ZYMG3gwrUuUjfa9Qz36JsX230d0uDUPhhPYPn5EhlUkcuMi5nsikN7AoGBAI7Y
-5wUD3gtvWSsvR4LnMXsNAn4t5U37NBKNp/1/SjYznc7kryJHAOkiun6g0Zp/dn5P
-3H+7AP2FYK/ZI2nA2g790jtE+DNLR8GU6/aenYEOS+y5PGTf7ET7pnpnYX9GwBqP
-f2D+FmW91mEk1dhRJ4efv2l4WzdkWPNdyQlY8SKfAoGAEIWmowo7EpbR5Boxc2o3
-Tl0JbGi1CNJAHtDjEJCd1OxKrMUrK07hOeEKF6y8K/WBuQhFvI2pu16oT4sMal9Z
-mEiJdJAFErefPLQGomHLXfq9mDEY13Ug/xAd9aMyYcubIg5XjAqLMrB60HcrLr7Q
-2hMCSDdVP2V/F3QVh8DEirE=
-)

_dev/tstclnt/Dockerfile

@@ -1,61 +0,0 @@
-FROM buildpack-deps
-
-RUN hg clone https://hg.mozilla.org/projects/nspr
-RUN hg clone https://hg.mozilla.org/projects/nss
-
-ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
-# Incremental build snapshot disabled as dependencies don't seem to be solid:
-# the same value changed in a header file would apply to one .c file and not another
-# RUN cd nss && make nss_build_all
-
-# Draft 15
-# ARG REVISION=c483e5f9e0bc
-
-# Draft 16
-# ARG REVISION=3e7b53b18112
-
-# Draft 18
-# ARG REVISION=b6dfef6d0ff0
-
-# Draft 18, NSS_3_34_1_RTM (with TLS 1.3 keylogging support)
-# ARG REVISION=e61c0f657100
-
-# Draft 22
-#ARG REVISION=88c3f3fa581b
-
-# Draft 23
-# ARG REVISION=16c622c9e1cc
-
-# Latest
-ARG REVISION=ee357b00f2e6
-
-RUN cd nss && hg pull
-RUN cd nss && hg checkout -C $REVISION
-
-ADD *.patch ./
-RUN for p in *.patch; do patch -p1 -d nss < $p; done
-
-RUN cd nss && make nss_build_all
-
-# ENV HOST=localhost
-# RUN cd nss/tests/ssl_gtests && ./ssl_gtests.sh
-
-RUN cd nss && make install
-
-RUN mv /dist/$(uname -s)$(uname -r | cut -f 1-2 -d . -)_$(uname -m)_${CC:-cc}_glibc_PTH_64_$([ -n "$BUILD_OPT" ] && echo OPT || echo DBG).OBJ /dist/OBJ-PATH
-
-ENV LD_LIBRARY_PATH=/dist/OBJ-PATH/lib
-
-ENV SSLTRACE=100 SSLDEBUG=100
-
-# Init test key using an empty noise (seed) file (-z /dev/null).
-# Use different subjects, otherwise NSS seems to merge keys under the same nickname.
-RUN mkdir /certdb && \
-    /dist/OBJ-PATH/bin/certutil -d /certdb -N --empty-password && \
-    /dist/OBJ-PATH/bin/certutil -d /certdb -S -n rsa-server -t u -x -s CN=localhost -k rsa -z /dev/null && \
-    /dist/OBJ-PATH/bin/certutil -d /certdb -S -n ecdsa-server -t u -x -s CN=localhost,O=EC -k ec -z /dev/null -q nistp256
-
-ADD httpreq.txt /httpreq.txt
-ADD run.sh /run.sh
-ADD server.sh /server.sh
-ENTRYPOINT ["/run.sh"]

_dev/tstclnt/httpreq.txt

@@ -1,5 +0,0 @@
-GET / HTTP/1.1
-Host: example.com
-Connection: close
-
-

_dev/tstclnt/poll.patch

@@ -1,37 +0,0 @@
-diff -r 15c6a01b9fe8 cmd/tstclnt/tstclnt.c
-+++ b/cmd/tstclnt/tstclnt.c	Thu Jun 16 16:26:29 2016 +0100
-@@ -713,7 +713,6 @@
-     return NSS_GetClientAuthData(arg, socket, caNames, pRetCert, pRetKey);
- }
- 
--#if defined(WIN32) || defined(OS2)
- void
- thread_main(void *arg)
- {
-@@ -746,7 +745,6 @@
-     PR_Close(ps);
- }
- 
--#endif
- 
- static void
- printHostNameAndAddr(const char *host, const PRNetAddr *addr)
-@@ -1545,7 +1543,8 @@
-     npds = 2;
-     std_out = PR_GetSpecialFD(PR_StandardOutput);
- 
--#if defined(WIN32) || defined(OS2)
-+    // Enabled PR_Poll compatibility mode for running in docker run. (sigh).
-+
-     /* PR_Poll cannot be used with stdin on Windows or OS/2.  (sigh).
-     ** But use of PR_Poll and non-blocking sockets is a major feature
-     ** of this program.  So, we simulate a pollable stdin with a
-@@ -1573,7 +1572,6 @@
-             goto done;
-         }
-     }
--#endif
- 
-     if (serverCertAuth.testFreshStatusFromSideChannel) {
-         SSL_ForceHandshake(s);

_dev/tstclnt/run.sh

@@ -1,8 +0,0 @@
-#! /bin/bash
-
-IFS=':' read -ra ADDR <<< "$1"
-shift
-HOST="${ADDR[0]}"
-PORT="${ADDR[1]}"
-
-exec /dist/OBJ-PATH/bin/tstclnt -D -V tls1.3:tls1.3 -o -O -h $HOST -p $PORT -v -A /httpreq.txt -L 2 -Z "$@"

_dev/tstclnt/server.sh

@@ -1,11 +0,0 @@
-#!/bin/sh
-PATH=/dist/OBJ-PATH/bin:$PATH
-set -x
-
-# RSA
-selfserv -n rsa-server   -p 1443 -d /certdb -V tls1.2:tls1.3 -v -Z &
-
-# ECDSA
-selfserv -n ecdsa-server -p 2443 -d /certdb -V tls1.2:tls1.3 -v -Z &
-
-wait

_dev/utils/fmtcheck.sh

@@ -1,20 +0,0 @@
-#!/bin/sh
-# Copyright 2012 The Go Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-gofiles=$(find . -iname "*.go" ! -path "*/_dev/*")
-#[ -z "$gofiles" ] && exit 0
-
-unformatted=$(gofmt -l $gofiles)
-[ -z "$unformatted" ] && exit 0
-
-# Some files are not gofmt'd. Print message and fail.
-
-echo >&2 "Go files must be formatted with gofmt. Please run:"
-for fn in $unformatted; do
-	echo >&2 "  gofmt -w $PWD/$fn"
-done
-
-exit 1
-

_dev/utils/pre-commit

@@ -1,27 +0,0 @@
-#!/bin/sh
-# Copyright 2012 The Go Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-# git gofmt pre-commit hook
-#
-# To use, store as .git/hooks/pre-commit inside your repository and make sure
-# it has execute permissions.
-#
-# This script does not handle file names that contain spaces.
-
-gofiles=$(git diff --cached --name-only --diff-filter=ACM | grep '\.go$')
-[ -z "$gofiles" ] && exit 0
-
-unformatted=$(gofmt -l $gofiles)
-[ -z "$unformatted" ] && exit 0
-
-# Some files are not gofmt'd. Print message and fail.
-
-echo >&2 "Go files must be formatted with gofmt. Please run:"
-for fn in $unformatted; do
-	echo >&2 "  gofmt -w $PWD/$fn"
-done
-
-exit 1
-