From d103ed6ca97ca5a2669f6cf5fe4b3d2a9c945f26 Mon Sep 17 00:00:00 2001
From: Christopher Speller <crspeller@gmail.com>
Date: Wed, 17 May 2017 16:51:25 -0400
Subject: Upgrading server dependancies (#6431)

---
 vendor/golang.org/x/crypto/acme/acme.go            |  23 +-
 vendor/golang.org/x/crypto/acme/acme_test.go       |   3 +
 .../golang.org/x/crypto/acme/autocert/autocert.go  |  47 +-
 .../x/crypto/acme/autocert/autocert_test.go        | 126 ++++
 vendor/golang.org/x/crypto/acme/jws.go             |   2 +-
 vendor/golang.org/x/crypto/acme/jws_test.go        | 177 ++++--
 vendor/golang.org/x/crypto/acme/types.go           | 102 +++-
 vendor/golang.org/x/crypto/acme/types_test.go      |  63 ++
 vendor/golang.org/x/crypto/blake2b/blake2b_test.go |   2 +-
 .../chacha20poly1305/chacha20poly1305_amd64.go     |  59 +-
 .../chacha20poly1305/chacha20poly1305_amd64.s      |  45 +-
 .../golang.org/x/crypto/ssh/agent/client_test.go   |  13 +-
 vendor/golang.org/x/crypto/ssh/certs.go            |  24 +-
 vendor/golang.org/x/crypto/ssh/certs_test.go       |  12 +-
 vendor/golang.org/x/crypto/ssh/client_auth_test.go |   2 +-
 vendor/golang.org/x/crypto/ssh/handshake_test.go   |   7 +-
 .../x/crypto/ssh/knownhosts/knownhosts.go          |  23 +-
 .../x/crypto/ssh/knownhosts/knownhosts_test.go     |  22 +
 vendor/golang.org/x/crypto/ssh/server.go           |   8 +-
 .../x/image/font/sfnt/proprietary_test.go          |  69 ++-
 vendor/golang.org/x/image/font/sfnt/sfnt.go        |   8 +-
 vendor/golang.org/x/image/tiff/lzw/reader.go       |  17 +-
 vendor/golang.org/x/net/http2/ciphers.go           | 641 +++++++++++++++++++++
 vendor/golang.org/x/net/http2/ciphers_test.go      | 309 ++++++++++
 vendor/golang.org/x/net/http2/databuffer_test.go   |   2 +
 vendor/golang.org/x/net/http2/go16.go              |  27 -
 vendor/golang.org/x/net/http2/hpack/tables.go      | 127 ++--
 vendor/golang.org/x/net/http2/not_go16.go          |  25 -
 vendor/golang.org/x/net/http2/server.go            | 104 +++-
 vendor/golang.org/x/net/http2/server_push_test.go  |   2 +-
 vendor/golang.org/x/net/http2/server_test.go       |  13 +-
 vendor/golang.org/x/net/http2/transport_test.go    |   3 +-
 vendor/golang.org/x/net/lif/address_test.go        |   6 +-
 vendor/golang.org/x/net/lif/defs_solaris.go        |   2 +-
 vendor/golang.org/x/net/lif/link.go                |   2 +-
 vendor/golang.org/x/net/lif/link_test.go           |   6 +-
 vendor/golang.org/x/net/lif/zsys_solaris_amd64.go  |   2 +-
 .../golang.org/x/net/route/message_darwin_test.go  |  31 +-
 .../golang.org/x/net/route/message_freebsd_test.go |  94 ++-
 vendor/golang.org/x/net/route/message_test.go      |  36 +-
 vendor/golang.org/x/net/xsrftoken/xsrf.go          |  12 +-
 vendor/golang.org/x/sys/unix/asm_solaris_amd64.s   |   4 +-
 vendor/golang.org/x/sys/unix/linux/types.go        |  19 +-
 vendor/golang.org/x/sys/unix/mkall.sh              |   2 +-
 vendor/golang.org/x/sys/unix/mkerrors.sh           |   9 +-
 vendor/golang.org/x/sys/unix/mksyscall.pl          |   2 +-
 vendor/golang.org/x/sys/unix/sockcmsg_unix.go      |   9 +-
 vendor/golang.org/x/sys/unix/syscall_dragonfly.go  |  33 +-
 vendor/golang.org/x/sys/unix/syscall_linux.go      |   1 +
 .../golang.org/x/sys/unix/syscall_linux_mips64x.go |   5 +-
 .../golang.org/x/sys/unix/syscall_linux_mipsx.go   |   4 +-
 vendor/golang.org/x/sys/unix/syscall_solaris.go    |  24 +-
 .../golang.org/x/sys/unix/syscall_solaris_test.go  |  34 ++
 vendor/golang.org/x/sys/unix/syscall_unix.go       |   1 +
 vendor/golang.org/x/sys/unix/syscall_unix_test.go  |   8 -
 vendor/golang.org/x/sys/unix/types_solaris.go      |   7 +
 .../x/sys/unix/zerrors_dragonfly_amd64.go          |  56 +-
 vendor/golang.org/x/sys/unix/zerrors_linux_386.go  |  23 +
 .../golang.org/x/sys/unix/zerrors_linux_amd64.go   |  23 +
 vendor/golang.org/x/sys/unix/zerrors_linux_arm.go  |  23 +
 .../golang.org/x/sys/unix/zerrors_linux_arm64.go   |  23 +
 vendor/golang.org/x/sys/unix/zerrors_linux_mips.go |  23 +
 .../golang.org/x/sys/unix/zerrors_linux_mips64.go  |  23 +
 .../x/sys/unix/zerrors_linux_mips64le.go           |  23 +
 .../golang.org/x/sys/unix/zerrors_linux_mipsle.go  |  23 +
 .../golang.org/x/sys/unix/zerrors_linux_ppc64.go   |  23 +
 .../golang.org/x/sys/unix/zerrors_linux_ppc64le.go |  23 +
 .../golang.org/x/sys/unix/zerrors_linux_s390x.go   |  23 +
 .../golang.org/x/sys/unix/zerrors_solaris_amd64.go |  49 +-
 .../x/sys/unix/zsyscall_dragonfly_amd64.go         |  13 +-
 vendor/golang.org/x/sys/unix/zsyscall_linux_386.go |  11 +
 .../golang.org/x/sys/unix/zsyscall_linux_amd64.go  |  11 +
 vendor/golang.org/x/sys/unix/zsyscall_linux_arm.go |  11 +
 .../golang.org/x/sys/unix/zsyscall_linux_arm64.go  |  11 +
 .../golang.org/x/sys/unix/zsyscall_linux_mips.go   |  11 +
 .../golang.org/x/sys/unix/zsyscall_linux_mips64.go |  21 +
 .../x/sys/unix/zsyscall_linux_mips64le.go          |  21 +
 .../golang.org/x/sys/unix/zsyscall_linux_mipsle.go |  11 +
 .../golang.org/x/sys/unix/zsyscall_linux_ppc64.go  |  11 +
 .../x/sys/unix/zsyscall_linux_ppc64le.go           |  11 +
 .../golang.org/x/sys/unix/zsyscall_linux_s390x.go  |  11 +
 .../x/sys/unix/zsyscall_linux_sparc64.go           |  13 +-
 .../x/sys/unix/zsyscall_solaris_amd64.go           | 101 ++--
 .../x/sys/unix/zsysnum_dragonfly_amd64.go          |  21 +-
 .../x/sys/unix/ztypes_dragonfly_amd64.go           |   6 +-
 vendor/golang.org/x/sys/unix/ztypes_linux_386.go   |  14 +
 vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go |  14 +
 vendor/golang.org/x/sys/unix/ztypes_linux_arm.go   |  14 +
 vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go |  14 +
 vendor/golang.org/x/sys/unix/ztypes_linux_mips.go  |  32 +-
 .../golang.org/x/sys/unix/ztypes_linux_mips64.go   |  32 +-
 .../golang.org/x/sys/unix/ztypes_linux_mips64le.go |  32 +-
 .../golang.org/x/sys/unix/ztypes_linux_mipsle.go   |  32 +-
 vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go |  14 +
 .../golang.org/x/sys/unix/ztypes_linux_ppc64le.go  |  14 +
 vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go |  14 +
 .../golang.org/x/sys/unix/ztypes_solaris_amd64.go  |  23 +-
 vendor/golang.org/x/sys/windows/svc/mgr/service.go |   2 +-
 vendor/golang.org/x/sys/windows/syscall_windows.go |   4 +
 vendor/golang.org/x/text/internal/catmsg/catmsg.go | 367 ++++++++++++
 .../x/text/internal/catmsg/catmsg_test.go          | 294 ++++++++++
 vendor/golang.org/x/text/internal/catmsg/codec.go  | 407 +++++++++++++
 vendor/golang.org/x/text/unicode/norm/input.go     |   8 +-
 .../x/text/unicode/norm/normalize_test.go          |  18 +
 vendor/golang.org/x/time/rate/rate.go              |  16 +-
 vendor/golang.org/x/time/rate/rate_go16.go         |  21 +
 vendor/golang.org/x/time/rate/rate_go17.go         |  21 +
 vendor/golang.org/x/time/rate/rate_test.go         |   5 +
 108 files changed, 3955 insertions(+), 570 deletions(-)
 create mode 100644 vendor/golang.org/x/crypto/acme/types_test.go
 create mode 100644 vendor/golang.org/x/net/http2/ciphers.go
 create mode 100644 vendor/golang.org/x/net/http2/ciphers_test.go
 create mode 100644 vendor/golang.org/x/sys/unix/syscall_solaris_test.go
 create mode 100644 vendor/golang.org/x/text/internal/catmsg/catmsg.go
 create mode 100644 vendor/golang.org/x/text/internal/catmsg/catmsg_test.go
 create mode 100755 vendor/golang.org/x/text/internal/catmsg/codec.go
 create mode 100644 vendor/golang.org/x/time/rate/rate_go16.go
 create mode 100644 vendor/golang.org/x/time/rate/rate_go17.go

(limited to 'vendor/golang.org/x')

diff --git a/vendor/golang.org/x/crypto/acme/acme.go b/vendor/golang.org/x/crypto/acme/acme.go
index d650604d3..a7b6ce4e9 100644
--- a/vendor/golang.org/x/crypto/acme/acme.go
+++ b/vendor/golang.org/x/crypto/acme/acme.go
@@ -152,7 +152,7 @@ func (c *Client) Discover(ctx context.Context) (Directory, error) {
 			CAA     []string `json:"caa-identities"`
 		}
 	}
-	if json.NewDecoder(res.Body).Decode(&v); err != nil {
+	if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
 		return Directory{}, err
 	}
 	c.dir = &Directory{
@@ -436,7 +436,7 @@ func (c *Client) RevokeAuthorization(ctx context.Context, url string) error {
 //
 // It returns a non-nil Authorization only if its Status is StatusValid.
 // In all other cases WaitAuthorization returns an error.
-// If the Status is StatusInvalid, the returned error is ErrAuthorizationFailed.
+// If the Status is StatusInvalid, the returned error is of type *AuthorizationError.
 func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) {
 	sleep := sleeper(ctx)
 	for {
@@ -465,7 +465,7 @@ func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorizat
 			return raw.authorization(url), nil
 		}
 		if raw.Status == StatusInvalid {
-			return nil, ErrAuthorizationFailed
+			return nil, raw.error(url)
 		}
 		if err := sleep(retry, 0); err != nil {
 			return nil, err
@@ -882,14 +882,8 @@ func responseError(resp *http.Response) error {
 	// don't care if ReadAll returns an error:
 	// json.Unmarshal will fail in that case anyway
 	b, _ := ioutil.ReadAll(resp.Body)
-	e := struct {
-		Status int
-		Type   string
-		Detail string
-	}{
-		Status: resp.StatusCode,
-	}
-	if err := json.Unmarshal(b, &e); err != nil {
+	e := &wireError{Status: resp.StatusCode}
+	if err := json.Unmarshal(b, e); err != nil {
 		// this is not a regular error response:
 		// populate detail with anything we received,
 		// e.Status will already contain HTTP response code value
@@ -898,12 +892,7 @@ func responseError(resp *http.Response) error {
 			e.Detail = resp.Status
 		}
 	}
-	return &Error{
-		StatusCode:  e.Status,
-		ProblemType: e.Type,
-		Detail:      e.Detail,
-		Header:      resp.Header,
-	}
+	return e.error(resp.Header)
 }
 
 // chainCert fetches CA certificate chain recursively by following "up" links.
diff --git a/vendor/golang.org/x/crypto/acme/acme_test.go b/vendor/golang.org/x/crypto/acme/acme_test.go
index 0210ce3df..a4d276db8 100644
--- a/vendor/golang.org/x/crypto/acme/acme_test.go
+++ b/vendor/golang.org/x/crypto/acme/acme_test.go
@@ -543,6 +543,9 @@ func TestWaitAuthorizationInvalid(t *testing.T) {
 		if err == nil {
 			t.Error("err is nil")
 		}
+		if _, ok := err.(*AuthorizationError); !ok {
+			t.Errorf("err is %T; want *AuthorizationError", err)
+		}
 	}
 }
 
diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert.go b/vendor/golang.org/x/crypto/acme/autocert/autocert.go
index 98842b457..a478eff54 100644
--- a/vendor/golang.org/x/crypto/acme/autocert/autocert.go
+++ b/vendor/golang.org/x/crypto/acme/autocert/autocert.go
@@ -33,6 +33,12 @@ import (
 	"golang.org/x/crypto/acme"
 )
 
+// createCertRetryAfter is how much time to wait before removing a failed state
+// entry due to an unsuccessful createCert call.
+// This is a variable instead of a const for testing.
+// TODO: Consider making it configurable or an exp backoff?
+var createCertRetryAfter = time.Minute
+
 // pseudoRand is safe for concurrent use.
 var pseudoRand *lockedMathRand
 
@@ -170,6 +176,12 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate,
 	if name == "" {
 		return nil, errors.New("acme/autocert: missing server name")
 	}
+	if !strings.Contains(strings.Trim(name, "."), ".") {
+		return nil, errors.New("acme/autocert: server name component count invalid")
+	}
+	if strings.ContainsAny(name, `/\`) {
+		return nil, errors.New("acme/autocert: server name contains invalid character")
+	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
 	defer cancel()
@@ -244,6 +256,7 @@ func (m *Manager) cert(ctx context.Context, name string) (*tls.Certificate, erro
 }
 
 // cacheGet always returns a valid certificate, or an error otherwise.
+// If a cached certficate exists but is not valid, ErrCacheMiss is returned.
 func (m *Manager) cacheGet(ctx context.Context, domain string) (*tls.Certificate, error) {
 	if m.Cache == nil {
 		return nil, ErrCacheMiss
@@ -256,7 +269,7 @@ func (m *Manager) cacheGet(ctx context.Context, domain string) (*tls.Certificate
 	// private
 	priv, pub := pem.Decode(data)
 	if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
-		return nil, errors.New("acme/autocert: no private key found in cache")
+		return nil, ErrCacheMiss
 	}
 	privKey, err := parsePrivateKey(priv.Bytes)
 	if err != nil {
@@ -274,13 +287,14 @@ func (m *Manager) cacheGet(ctx context.Context, domain string) (*tls.Certificate
 		pubDER = append(pubDER, b.Bytes)
 	}
 	if len(pub) > 0 {
-		return nil, errors.New("acme/autocert: invalid public key")
+		// Leftover content not consumed by pem.Decode. Corrupt. Ignore.
+		return nil, ErrCacheMiss
 	}
 
 	// verify and create TLS cert
 	leaf, err := validCert(domain, pubDER, privKey)
 	if err != nil {
-		return nil, err
+		return nil, ErrCacheMiss
 	}
 	tlscert := &tls.Certificate{
 		Certificate: pubDER,
@@ -361,6 +375,23 @@ func (m *Manager) createCert(ctx context.Context, domain string) (*tls.Certifica
 
 	der, leaf, err := m.authorizedCert(ctx, state.key, domain)
 	if err != nil {
+		// Remove the failed state after some time,
+		// making the manager call createCert again on the following TLS hello.
+		time.AfterFunc(createCertRetryAfter, func() {
+			defer testDidRemoveState(domain)
+			m.stateMu.Lock()
+			defer m.stateMu.Unlock()
+			// Verify the state hasn't changed and it's still invalid
+			// before deleting.
+			s, ok := m.state[domain]
+			if !ok {
+				return
+			}
+			if _, err := validCert(domain, s.cert, s.key); err == nil {
+				return
+			}
+			delete(m.state, domain)
+		})
 		return nil, err
 	}
 	state.cert = der
@@ -409,7 +440,6 @@ func (m *Manager) certState(domain string) (*certState, error) {
 // authorizedCert starts domain ownership verification process and requests a new cert upon success.
 // The key argument is the certificate private key.
 func (m *Manager) authorizedCert(ctx context.Context, key crypto.Signer, domain string) (der [][]byte, leaf *x509.Certificate, err error) {
-	// TODO: make m.verify retry or retry m.verify calls here
 	if err := m.verify(ctx, domain); err != nil {
 		return nil, nil, err
 	}
@@ -780,5 +810,10 @@ func (r *lockedMathRand) int63n(max int64) int64 {
 	return n
 }
 
-// for easier testing
-var timeNow = time.Now
+// For easier testing.
+var (
+	timeNow = time.Now
+
+	// Called when a state is removed.
+	testDidRemoveState = func(domain string) {}
+)
diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert_test.go b/vendor/golang.org/x/crypto/acme/autocert/autocert_test.go
index 6df4cf3bf..0352e340d 100644
--- a/vendor/golang.org/x/crypto/acme/autocert/autocert_test.go
+++ b/vendor/golang.org/x/crypto/acme/autocert/autocert_test.go
@@ -178,6 +178,88 @@ func TestGetCertificate_nilPrompt(t *testing.T) {
 	}
 }
 
+func TestGetCertificate_expiredCache(t *testing.T) {
+	// Make an expired cert and cache it.
+	pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: "example.org"},
+		NotAfter:     time.Now(),
+	}
+	pub, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &pk.PublicKey, pk)
+	if err != nil {
+		t.Fatal(err)
+	}
+	tlscert := &tls.Certificate{
+		Certificate: [][]byte{pub},
+		PrivateKey:  pk,
+	}
+
+	man := &Manager{Prompt: AcceptTOS, Cache: newMemCache()}
+	defer man.stopRenew()
+	if err := man.cachePut(context.Background(), "example.org", tlscert); err != nil {
+		t.Fatalf("man.cachePut: %v", err)
+	}
+
+	// The expired cached cert should trigger a new cert issuance
+	// and return without an error.
+	hello := &tls.ClientHelloInfo{ServerName: "example.org"}
+	testGetCertificate(t, man, "example.org", hello)
+}
+
+func TestGetCertificate_failedAttempt(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusBadRequest)
+	}))
+	defer ts.Close()
+
+	const example = "example.org"
+	d := createCertRetryAfter
+	f := testDidRemoveState
+	defer func() {
+		createCertRetryAfter = d
+		testDidRemoveState = f
+	}()
+	createCertRetryAfter = 0
+	done := make(chan struct{})
+	testDidRemoveState = func(domain string) {
+		if domain != example {
+			t.Errorf("testDidRemoveState: domain = %q; want %q", domain, example)
+		}
+		close(done)
+	}
+
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+	man := &Manager{
+		Prompt: AcceptTOS,
+		Client: &acme.Client{
+			Key:          key,
+			DirectoryURL: ts.URL,
+		},
+	}
+	defer man.stopRenew()
+	hello := &tls.ClientHelloInfo{ServerName: example}
+	if _, err := man.GetCertificate(hello); err == nil {
+		t.Error("GetCertificate: err is nil")
+	}
+	select {
+	case <-time.After(5 * time.Second):
+		t.Errorf("took too long to remove the %q state", example)
+	case <-done:
+		man.stateMu.Lock()
+		defer man.stateMu.Unlock()
+		if v, exist := man.state[example]; exist {
+			t.Errorf("state exists for %q: %+v", example, v)
+		}
+	}
+}
+
 // startACMEServerStub runs an ACME server
 // The domain argument is the expected domain name of a certificate request.
 func startACMEServerStub(t *testing.T, man *Manager, domain string) (url string, finish func()) {
@@ -478,3 +560,47 @@ func TestValidCert(t *testing.T) {
 		}
 	}
 }
+
+type cacheGetFunc func(ctx context.Context, key string) ([]byte, error)
+
+func (f cacheGetFunc) Get(ctx context.Context, key string) ([]byte, error) {
+	return f(ctx, key)
+}
+
+func (f cacheGetFunc) Put(ctx context.Context, key string, data []byte) error {
+	return fmt.Errorf("unsupported Put of %q = %q", key, data)
+}
+
+func (f cacheGetFunc) Delete(ctx context.Context, key string) error {
+	return fmt.Errorf("unsupported Delete of %q", key)
+}
+
+func TestManagerGetCertificateBogusSNI(t *testing.T) {
+	m := Manager{
+		Prompt: AcceptTOS,
+		Cache: cacheGetFunc(func(ctx context.Context, key string) ([]byte, error) {
+			return nil, fmt.Errorf("cache.Get of %s", key)
+		}),
+	}
+	tests := []struct {
+		name    string
+		wantErr string
+	}{
+		{"foo.com", "cache.Get of foo.com"},
+		{"foo.com.", "cache.Get of foo.com"},
+		{`a\b.com`, "acme/autocert: server name contains invalid character"},
+		{`a/b.com`, "acme/autocert: server name contains invalid character"},
+		{"", "acme/autocert: missing server name"},
+		{"foo", "acme/autocert: server name component count invalid"},
+		{".foo", "acme/autocert: server name component count invalid"},
+		{"foo.", "acme/autocert: server name component count invalid"},
+		{"fo.o", "cache.Get of fo.o"},
+	}
+	for _, tt := range tests {
+		_, err := m.GetCertificate(&tls.ClientHelloInfo{ServerName: tt.name})
+		got := fmt.Sprint(err)
+		if got != tt.wantErr {
+			t.Errorf("GetCertificate(SNI = %q) = %q; want %q", tt.name, got, tt.wantErr)
+		}
+	}
+}
diff --git a/vendor/golang.org/x/crypto/acme/jws.go b/vendor/golang.org/x/crypto/acme/jws.go
index 49ba313ca..6cbca25de 100644
--- a/vendor/golang.org/x/crypto/acme/jws.go
+++ b/vendor/golang.org/x/crypto/acme/jws.go
@@ -134,7 +134,7 @@ func jwsHasher(key crypto.Signer) (string, crypto.Hash) {
 			return "ES256", crypto.SHA256
 		case "P-384":
 			return "ES384", crypto.SHA384
-		case "P-512":
+		case "P-521":
 			return "ES512", crypto.SHA512
 		}
 	}
diff --git a/vendor/golang.org/x/crypto/acme/jws_test.go b/vendor/golang.org/x/crypto/acme/jws_test.go
index 1def87397..0ff0fb5a3 100644
--- a/vendor/golang.org/x/crypto/acme/jws_test.go
+++ b/vendor/golang.org/x/crypto/acme/jws_test.go
@@ -12,11 +12,13 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
+	"fmt"
 	"math/big"
 	"testing"
 )
 
-const testKeyPEM = `
+const (
+	testKeyPEM = `
 -----BEGIN RSA PRIVATE KEY-----
 MIIEowIBAAKCAQEA4xgZ3eRPkwoRvy7qeRUbmMDe0V+xH9eWLdu0iheeLlrmD2mq
 WXfP9IeSKApbn34g8TuAS9g5zhq8ELQ3kmjr+KV86GAMgI6VAcGlq3QrzpTCf/30
@@ -46,10 +48,9 @@ EQeIP6dZtv8IMgtGIb91QX9pXvP0aznzQKwYIA8nZgoENCPfiMTPiEDT9e/0lObO
 -----END RSA PRIVATE KEY-----
 `
 
-// This thumbprint is for the testKey defined above.
-const testKeyThumbprint = "6nicxzh6WETQlrvdchkz-U3e3DOQZ4heJKU63rfqMqQ"
+	// This thumbprint is for the testKey defined above.
+	testKeyThumbprint = "6nicxzh6WETQlrvdchkz-U3e3DOQZ4heJKU63rfqMqQ"
 
-const (
 	// openssl ecparam -name secp256k1 -genkey -noout
 	testKeyECPEM = `
 -----BEGIN EC PRIVATE KEY-----
@@ -58,39 +59,78 @@ AwEHoUQDQgAE5lhEug5xK4xBDZ2nAbaxLtaLiv85bxJ7ePd1dkO23HThqIrvawF5
 QAaS/RNouybCiRhRjI3EaxLkQwgrCw0gqQ==
 -----END EC PRIVATE KEY-----
 `
-	// 1. opnessl ec -in key.pem -noout -text
+	// openssl ecparam -name secp384r1 -genkey -noout
+	testKeyEC384PEM = `
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDAQ4lNtXRORWr1bgKR1CGysr9AJ9SyEk4jiVnlUWWUChmSNL+i9SLSD
+Oe/naPqXJ6CgBwYFK4EEACKhZANiAAQzKtj+Ms0vHoTX5dzv3/L5YMXOWuI5UKRj
+JigpahYCqXD2BA1j0E/2xt5vlPf+gm0PL+UHSQsCokGnIGuaHCsJAp3ry0gHQEke
+WYXapUUFdvaK1R2/2hn5O+eiQM8YzCg=
+-----END EC PRIVATE KEY-----
+`
+	// openssl ecparam -name secp521r1 -genkey -noout
+	testKeyEC512PEM = `
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBSNZKFcWzXzB/aJClAb305ibalKgtDA7+70eEkdPt28/3LZMM935Z
+KqYHh/COcxuu3Kt8azRAUz3gyr4zZKhlKUSgBwYFK4EEACOhgYkDgYYABAHUNKbx
+7JwC7H6pa2sV0tERWhHhB3JmW+OP6SUgMWryvIKajlx73eS24dy4QPGrWO9/ABsD
+FqcRSkNVTXnIv6+0mAF25knqIBIg5Q8M9BnOu9GGAchcwt3O7RDHmqewnJJDrbjd
+GGnm6rb+NnWR9DIopM0nKNkToWoF/hzopxu4Ae/GsQ==
+-----END EC PRIVATE KEY-----
+`
+	// 1. openssl ec -in key.pem -noout -text
 	// 2. remove first byte, 04 (the header); the rest is X and Y
-	// 3. covert each with: echo <val> | xxd -r -p | base64 | tr -d '=' | tr '/+' '_-'
-	testKeyECPubX = "5lhEug5xK4xBDZ2nAbaxLtaLiv85bxJ7ePd1dkO23HQ"
-	testKeyECPubY = "4aiK72sBeUAGkv0TaLsmwokYUYyNxGsS5EMIKwsNIKk"
+	// 3. convert each with: echo <val> | xxd -r -p | base64 -w 100 | tr -d '=' | tr '/+' '_-'
+	testKeyECPubX    = "5lhEug5xK4xBDZ2nAbaxLtaLiv85bxJ7ePd1dkO23HQ"
+	testKeyECPubY    = "4aiK72sBeUAGkv0TaLsmwokYUYyNxGsS5EMIKwsNIKk"
+	testKeyEC384PubX = "MyrY_jLNLx6E1-Xc79_y-WDFzlriOVCkYyYoKWoWAqlw9gQNY9BP9sbeb5T3_oJt"
+	testKeyEC384PubY = "Dy_lB0kLAqJBpyBrmhwrCQKd68tIB0BJHlmF2qVFBXb2itUdv9oZ-TvnokDPGMwo"
+	testKeyEC512PubX = "AdQ0pvHsnALsfqlraxXS0RFaEeEHcmZb44_pJSAxavK8gpqOXHvd5Lbh3LhA8atY738AGwMWpxFKQ1VNeci_r7SY"
+	testKeyEC512PubY = "AXbmSeogEiDlDwz0Gc670YYByFzC3c7tEMeap7CckkOtuN0Yaebqtv42dZH0MiikzSco2ROhagX-HOinG7gB78ax"
+
 	// echo -n '{"crv":"P-256","kty":"EC","x":"<testKeyECPubX>","y":"<testKeyECPubY>"}' | \
 	// openssl dgst -binary -sha256 | base64 | tr -d '=' | tr '/+' '_-'
 	testKeyECThumbprint = "zedj-Bd1Zshp8KLePv2MB-lJ_Hagp7wAwdkA0NUTniU"
 )
 
 var (
-	testKey   *rsa.PrivateKey
-	testKeyEC *ecdsa.PrivateKey
+	testKey      *rsa.PrivateKey
+	testKeyEC    *ecdsa.PrivateKey
+	testKeyEC384 *ecdsa.PrivateKey
+	testKeyEC512 *ecdsa.PrivateKey
 )
 
 func init() {
-	d, _ := pem.Decode([]byte(testKeyPEM))
+	testKey = parseRSA(testKeyPEM, "testKeyPEM")
+	testKeyEC = parseEC(testKeyECPEM, "testKeyECPEM")
+	testKeyEC384 = parseEC(testKeyEC384PEM, "testKeyEC384PEM")
+	testKeyEC512 = parseEC(testKeyEC512PEM, "testKeyEC512PEM")
+}
+
+func decodePEM(s, name string) []byte {
+	d, _ := pem.Decode([]byte(s))
 	if d == nil {
-		panic("no block found in testKeyPEM")
+		panic("no block found in " + name)
 	}
-	var err error
-	testKey, err = x509.ParsePKCS1PrivateKey(d.Bytes)
+	return d.Bytes
+}
+
+func parseRSA(s, name string) *rsa.PrivateKey {
+	b := decodePEM(s, name)
+	k, err := x509.ParsePKCS1PrivateKey(b)
 	if err != nil {
-		panic(err.Error())
+		panic(fmt.Sprintf("%s: %v", name, err))
 	}
+	return k
+}
 
-	if d, _ = pem.Decode([]byte(testKeyECPEM)); d == nil {
-		panic("no block found in testKeyECPEM")
-	}
-	testKeyEC, err = x509.ParseECPrivateKey(d.Bytes)
+func parseEC(s, name string) *ecdsa.PrivateKey {
+	b := decodePEM(s, name)
+	k, err := x509.ParseECPrivateKey(b)
 	if err != nil {
-		panic(err.Error())
+		panic(fmt.Sprintf("%s: %v", name, err))
 	}
+	return k
 }
 
 func TestJWSEncodeJSON(t *testing.T) {
@@ -141,50 +181,63 @@ func TestJWSEncodeJSON(t *testing.T) {
 }
 
 func TestJWSEncodeJSONEC(t *testing.T) {
-	claims := struct{ Msg string }{"Hello JWS"}
-
-	b, err := jwsEncodeJSON(claims, testKeyEC, "nonce")
-	if err != nil {
-		t.Fatal(err)
-	}
-	var jws struct{ Protected, Payload, Signature string }
-	if err := json.Unmarshal(b, &jws); err != nil {
-		t.Fatal(err)
+	tt := []struct {
+		key      *ecdsa.PrivateKey
+		x, y     string
+		alg, crv string
+	}{
+		{testKeyEC, testKeyECPubX, testKeyECPubY, "ES256", "P-256"},
+		{testKeyEC384, testKeyEC384PubX, testKeyEC384PubY, "ES384", "P-384"},
+		{testKeyEC512, testKeyEC512PubX, testKeyEC512PubY, "ES512", "P-521"},
 	}
+	for i, test := range tt {
+		claims := struct{ Msg string }{"Hello JWS"}
+		b, err := jwsEncodeJSON(claims, test.key, "nonce")
+		if err != nil {
+			t.Errorf("%d: %v", i, err)
+			continue
+		}
+		var jws struct{ Protected, Payload, Signature string }
+		if err := json.Unmarshal(b, &jws); err != nil {
+			t.Errorf("%d: %v", i, err)
+			continue
+		}
 
-	if b, err = base64.RawURLEncoding.DecodeString(jws.Protected); err != nil {
-		t.Fatalf("jws.Protected: %v", err)
-	}
-	var head struct {
-		Alg   string
-		Nonce string
-		JWK   struct {
-			Crv string
-			Kty string
-			X   string
-			Y   string
-		} `json:"jwk"`
-	}
-	if err := json.Unmarshal(b, &head); err != nil {
-		t.Fatalf("jws.Protected: %v", err)
-	}
-	if head.Alg != "ES256" {
-		t.Errorf("head.Alg = %q; want ES256", head.Alg)
-	}
-	if head.Nonce != "nonce" {
-		t.Errorf("head.Nonce = %q; want nonce", head.Nonce)
-	}
-	if head.JWK.Crv != "P-256" {
-		t.Errorf("head.JWK.Crv = %q; want P-256", head.JWK.Crv)
-	}
-	if head.JWK.Kty != "EC" {
-		t.Errorf("head.JWK.Kty = %q; want EC", head.JWK.Kty)
-	}
-	if head.JWK.X != testKeyECPubX {
-		t.Errorf("head.JWK.X = %q; want %q", head.JWK.X, testKeyECPubX)
-	}
-	if head.JWK.Y != testKeyECPubY {
-		t.Errorf("head.JWK.Y = %q; want %q", head.JWK.Y, testKeyECPubY)
+		b, err = base64.RawURLEncoding.DecodeString(jws.Protected)
+		if err != nil {
+			t.Errorf("%d: jws.Protected: %v", i, err)
+		}
+		var head struct {
+			Alg   string
+			Nonce string
+			JWK   struct {
+				Crv string
+				Kty string
+				X   string
+				Y   string
+			} `json:"jwk"`
+		}
+		if err := json.Unmarshal(b, &head); err != nil {
+			t.Errorf("%d: jws.Protected: %v", i, err)
+		}
+		if head.Alg != test.alg {
+			t.Errorf("%d: head.Alg = %q; want %q", i, head.Alg, test.alg)
+		}
+		if head.Nonce != "nonce" {
+			t.Errorf("%d: head.Nonce = %q; want nonce", i, head.Nonce)
+		}
+		if head.JWK.Crv != test.crv {
+			t.Errorf("%d: head.JWK.Crv = %q; want %q", i, head.JWK.Crv, test.crv)
+		}
+		if head.JWK.Kty != "EC" {
+			t.Errorf("%d: head.JWK.Kty = %q; want EC", i, head.JWK.Kty)
+		}
+		if head.JWK.X != test.x {
+			t.Errorf("%d: head.JWK.X = %q; want %q", i, head.JWK.X, test.x)
+		}
+		if head.JWK.Y != test.y {
+			t.Errorf("%d: head.JWK.Y = %q; want %q", i, head.JWK.Y, test.y)
+		}
 	}
 }
 
diff --git a/vendor/golang.org/x/crypto/acme/types.go b/vendor/golang.org/x/crypto/acme/types.go
index 0513b2e55..ab4de0b88 100644
--- a/vendor/golang.org/x/crypto/acme/types.go
+++ b/vendor/golang.org/x/crypto/acme/types.go
@@ -1,9 +1,15 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
 package acme
 
 import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
+	"time"
 )
 
 // ACME server response statuses used to describe Authorization and Challenge states.
@@ -33,14 +39,8 @@ const (
 	CRLReasonAACompromise         CRLReasonCode = 10
 )
 
-var (
-	// ErrAuthorizationFailed indicates that an authorization for an identifier
-	// did not succeed.
-	ErrAuthorizationFailed = errors.New("acme: identifier authorization failed")
-
-	// ErrUnsupportedKey is returned when an unsupported key type is encountered.
-	ErrUnsupportedKey = errors.New("acme: unknown key type; only RSA and ECDSA are supported")
-)
+// ErrUnsupportedKey is returned when an unsupported key type is encountered.
+var ErrUnsupportedKey = errors.New("acme: unknown key type; only RSA and ECDSA are supported")
 
 // Error is an ACME error, defined in Problem Details for HTTP APIs doc
 // http://tools.ietf.org/html/draft-ietf-appsawg-http-problem.
@@ -53,6 +53,7 @@ type Error struct {
 	// Detail is a human-readable explanation specific to this occurrence of the problem.
 	Detail string
 	// Header is the original server error response headers.
+	// It may be nil.
 	Header http.Header
 }
 
@@ -60,6 +61,50 @@ func (e *Error) Error() string {
 	return fmt.Sprintf("%d %s: %s", e.StatusCode, e.ProblemType, e.Detail)
 }
 
+// AuthorizationError indicates that an authorization for an identifier
+// did not succeed.
+// It contains all errors from Challenge items of the failed Authorization.
+type AuthorizationError struct {
+	// URI uniquely identifies the failed Authorization.
+	URI string
+
+	// Identifier is an AuthzID.Value of the failed Authorization.
+	Identifier string
+
+	// Errors is a collection of non-nil error values of Challenge items
+	// of the failed Authorization.
+	Errors []error
+}
+
+func (a *AuthorizationError) Error() string {
+	e := make([]string, len(a.Errors))
+	for i, err := range a.Errors {
+		e[i] = err.Error()
+	}
+	return fmt.Sprintf("acme: authorization error for %s: %s", a.Identifier, strings.Join(e, "; "))
+}
+
+// RateLimit reports whether err represents a rate limit error and
+// any Retry-After duration returned by the server.
+//
+// See the following for more details on rate limiting:
+// https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-5.6
+func RateLimit(err error) (time.Duration, bool) {
+	e, ok := err.(*Error)
+	if !ok {
+		return 0, false
+	}
+	// Some CA implementations may return incorrect values.
+	// Use case-insensitive comparison.
+	if !strings.HasSuffix(strings.ToLower(e.ProblemType), ":ratelimited") {
+		return 0, false
+	}
+	if e.Header == nil {
+		return 0, true
+	}
+	return retryAfter(e.Header.Get("Retry-After"), 0), true
+}
+
 // Account is a user account. It is associated with a private key.
 type Account struct {
 	// URI is the account unique ID, which is also a URL used to retrieve
@@ -118,6 +163,8 @@ type Directory struct {
 }
 
 // Challenge encodes a returned CA challenge.
+// Its Error field may be non-nil if the challenge is part of an Authorization
+// with StatusInvalid.
 type Challenge struct {
 	// Type is the challenge type, e.g. "http-01", "tls-sni-02", "dns-01".
 	Type string
@@ -130,6 +177,11 @@ type Challenge struct {
 
 	// Status identifies the status of this challenge.
 	Status string
+
+	// Error indicates the reason for an authorization failure
+	// when this challenge was used.
+	// The type of a non-nil value is *Error.
+	Error error
 }
 
 // Authorization encodes an authorization response.
@@ -187,12 +239,26 @@ func (z *wireAuthz) authorization(uri string) *Authorization {
 	return a
 }
 
+func (z *wireAuthz) error(uri string) *AuthorizationError {
+	err := &AuthorizationError{
+		URI:        uri,
+		Identifier: z.Identifier.Value,
+	}
+	for _, raw := range z.Challenges {
+		if raw.Error != nil {
+			err.Errors = append(err.Errors, raw.Error.error(nil))
+		}
+	}
+	return err
+}
+
 // wireChallenge is ACME JSON challenge representation.
 type wireChallenge struct {
 	URI    string `json:"uri"`
 	Type   string
 	Token  string
 	Status string
+	Error  *wireError
 }
 
 func (c *wireChallenge) challenge() *Challenge {
@@ -205,5 +271,25 @@ func (c *wireChallenge) challenge() *Challenge {
 	if v.Status == "" {
 		v.Status = StatusPending
 	}
+	if c.Error != nil {
+		v.Error = c.Error.error(nil)
+	}
 	return v
 }
+
+// wireError is a subset of fields of the Problem Details object
+// as described in https://tools.ietf.org/html/rfc7807#section-3.1.
+type wireError struct {
+	Status int
+	Type   string
+	Detail string
+}
+
+func (e *wireError) error(h http.Header) *Error {
+	return &Error{
+		StatusCode:  e.Status,
+		ProblemType: e.Type,
+		Detail:      e.Detail,
+		Header:      h,
+	}
+}
diff --git a/vendor/golang.org/x/crypto/acme/types_test.go b/vendor/golang.org/x/crypto/acme/types_test.go
new file mode 100644
index 000000000..a7553e6b7
--- /dev/null
+++ b/vendor/golang.org/x/crypto/acme/types_test.go
@@ -0,0 +1,63 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package acme
+
+import (
+	"errors"
+	"net/http"
+	"testing"
+	"time"
+)
+
+func TestRateLimit(t *testing.T) {
+	now := time.Date(2017, 04, 27, 10, 0, 0, 0, time.UTC)
+	f := timeNow
+	defer func() { timeNow = f }()
+	timeNow = func() time.Time { return now }
+
+	h120, hTime := http.Header{}, http.Header{}
+	h120.Set("Retry-After", "120")
+	hTime.Set("Retry-After", "Tue Apr 27 11:00:00 2017")
+
+	err1 := &Error{
+		ProblemType: "urn:ietf:params:acme:error:nolimit",
+		Header:      h120,
+	}
+	err2 := &Error{
+		ProblemType: "urn:ietf:params:acme:error:rateLimited",
+		Header:      h120,
+	}
+	err3 := &Error{
+		ProblemType: "urn:ietf:params:acme:error:rateLimited",
+		Header:      nil,
+	}
+	err4 := &Error{
+		ProblemType: "urn:ietf:params:acme:error:rateLimited",
+		Header:      hTime,
+	}
+
+	tt := []struct {
+		err error
+		res time.Duration
+		ok  bool
+	}{
+		{nil, 0, false},
+		{errors.New("dummy"), 0, false},
+		{err1, 0, false},
+		{err2, 2 * time.Minute, true},
+		{err3, 0, true},
+		{err4, time.Hour, true},
+	}
+	for i, test := range tt {
+		res, ok := RateLimit(test.err)
+		if ok != test.ok {
+			t.Errorf("%d: RateLimit(%+v): ok = %v; want %v", i, test.err, ok, test.ok)
+			continue
+		}
+		if res != test.res {
+			t.Errorf("%d: RateLimit(%+v) = %v; want %v", i, test.err, res, test.res)
+		}
+	}
+}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b_test.go b/vendor/golang.org/x/crypto/blake2b/blake2b_test.go
index a38fceb20..7954346f4 100644
--- a/vendor/golang.org/x/crypto/blake2b/blake2b_test.go
+++ b/vendor/golang.org/x/crypto/blake2b/blake2b_test.go
@@ -22,7 +22,7 @@ func fromHex(s string) []byte {
 
 func TestHashes(t *testing.T) {
 	defer func(sse4, avx, avx2 bool) {
-		useSSE4, useAVX, useAVX2 = sse4, useAVX, avx2
+		useSSE4, useAVX, useAVX2 = sse4, avx, avx2
 	}(useSSE4, useAVX, useAVX2)
 
 	if useAVX2 {
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go
index 475503321..7cd7ad834 100644
--- a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go
+++ b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go
@@ -14,13 +14,60 @@ func chacha20Poly1305Open(dst []byte, key []uint32, src, ad []byte) bool
 //go:noescape
 func chacha20Poly1305Seal(dst []byte, key []uint32, src, ad []byte)
 
-//go:noescape
-func haveSSSE3() bool
+// cpuid is implemented in chacha20poly1305_amd64.s.
+func cpuid(eaxArg, ecxArg uint32) (eax, ebx, ecx, edx uint32)
+
+// xgetbv with ecx = 0 is implemented in chacha20poly1305_amd64.s.
+func xgetbv() (eax, edx uint32)
 
-var canUseASM bool
+var (
+	useASM  bool
+	useAVX2 bool
+)
 
 func init() {
-	canUseASM = haveSSSE3()
+	detectCPUFeatures()
+}
+
+// detectCPUFeatures is used to detect if cpu instructions
+// used by the functions implemented in assembler in
+// chacha20poly1305_amd64.s are supported.
+func detectCPUFeatures() {
+	maxID, _, _, _ := cpuid(0, 0)
+	if maxID < 1 {
+		return
+	}
+
+	_, _, ecx1, _ := cpuid(1, 0)
+
+	haveSSSE3 := isSet(9, ecx1)
+	useASM = haveSSSE3
+
+	haveOSXSAVE := isSet(27, ecx1)
+
+	osSupportsAVX := false
+	// For XGETBV, OSXSAVE bit is required and sufficient.
+	if haveOSXSAVE {
+		eax, _ := xgetbv()
+		// Check if XMM and YMM registers have OS support.
+		osSupportsAVX = isSet(1, eax) && isSet(2, eax)
+	}
+	haveAVX := isSet(28, ecx1) && osSupportsAVX
+
+	if maxID < 7 {
+		return
+	}
+
+	_, ebx7, _, _ := cpuid(7, 0)
+	haveAVX2 := isSet(5, ebx7) && haveAVX
+	haveBMI2 := isSet(8, ebx7)
+
+	useAVX2 = haveAVX2 && haveBMI2
+}
+
+// isSet checks if bit at bitpos is set in value.
+func isSet(bitpos uint, value uint32) bool {
+	return value&(1<<bitpos) != 0
 }
 
 // setupState writes a ChaCha20 input matrix to state. See
@@ -47,7 +94,7 @@ func setupState(state *[16]uint32, key *[32]byte, nonce []byte) {
 }
 
 func (c *chacha20poly1305) seal(dst, nonce, plaintext, additionalData []byte) []byte {
-	if !canUseASM {
+	if !useASM {
 		return c.sealGeneric(dst, nonce, plaintext, additionalData)
 	}
 
@@ -60,7 +107,7 @@ func (c *chacha20poly1305) seal(dst, nonce, plaintext, additionalData []byte) []
 }
 
 func (c *chacha20poly1305) open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
-	if !canUseASM {
+	if !useASM {
 		return c.openGeneric(dst, nonce, ciphertext, additionalData)
 	}
 
diff --git a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s
index 39c58b44a..1c57e3894 100644
--- a/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s
+++ b/vendor/golang.org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s
@@ -278,15 +278,8 @@ TEXT ·chacha20Poly1305Open(SB), 0, $288-97
 	MOVQ ad+72(FP), adp
 
 	// Check for AVX2 support
-	CMPB runtime·support_avx2(SB), $0
-	JE   noavx2bmi2Open
-
-	// Check BMI2 bit for MULXQ.
-	// runtime·cpuid_ebx7 is always available here
-	// because it passed avx2 check
-	TESTL $(1<<8), runtime·cpuid_ebx7(SB)
-	JNE   chacha20Poly1305Open_AVX2
-noavx2bmi2Open:
+	CMPB ·useAVX2(SB), $1
+	JE   chacha20Poly1305Open_AVX2
 
 	// Special optimization, for very short buffers
 	CMPQ inl, $128
@@ -1491,16 +1484,8 @@ TEXT ·chacha20Poly1305Seal(SB), 0, $288-96
 	MOVQ src_len+56(FP), inl
 	MOVQ ad+72(FP), adp
 
-	// Check for AVX2 support
-	CMPB runtime·support_avx2(SB), $0
-	JE   noavx2bmi2Seal
-
-	// Check BMI2 bit for MULXQ.
-	// runtime·cpuid_ebx7 is always available here
-	// because it passed avx2 check
-	TESTL $(1<<8), runtime·cpuid_ebx7(SB)
-	JNE   chacha20Poly1305Seal_AVX2
-noavx2bmi2Seal:
+	CMPB ·useAVX2(SB), $1
+	JE   chacha20Poly1305Seal_AVX2
 
 	// Special optimization, for very short buffers
 	CMPQ inl, $128
@@ -2709,13 +2694,21 @@ sealAVX2Tail512LoopB:
 
 	JMP sealAVX2SealHash
 
-// func haveSSSE3() bool
-TEXT ·haveSSSE3(SB), NOSPLIT, $0
-	XORQ AX, AX
-	INCL AX
+// func cpuid(eaxArg, ecxArg uint32) (eax, ebx, ecx, edx uint32)
+TEXT ·cpuid(SB), NOSPLIT, $0-24
+	MOVL eaxArg+0(FP), AX
+	MOVL ecxArg+4(FP), CX
 	CPUID
-	SHRQ $9, CX
-	ANDQ $1, CX
-	MOVB CX, ret+0(FP)
+	MOVL AX, eax+8(FP)
+	MOVL BX, ebx+12(FP)
+	MOVL CX, ecx+16(FP)
+	MOVL DX, edx+20(FP)
 	RET
 
+// func xgetbv() (eax, edx uint32)
+TEXT ·xgetbv(SB),NOSPLIT,$0-8
+	MOVL $0, CX
+	XGETBV
+	MOVL AX, eax+0(FP)
+	MOVL DX, edx+4(FP)
+	RET
diff --git a/vendor/golang.org/x/crypto/ssh/agent/client_test.go b/vendor/golang.org/x/crypto/ssh/agent/client_test.go
index 93d3a9cd2..5fc47e577 100644
--- a/vendor/golang.org/x/crypto/ssh/agent/client_test.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/client_test.go
@@ -180,9 +180,12 @@ func TestCert(t *testing.T) {
 // therefore is buffered (net.Pipe deadlocks if both sides start with
 // a write.)
 func netPipe() (net.Conn, net.Conn, error) {
-	listener, err := net.Listen("tcp", ":0")
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
-		return nil, nil, err
+		listener, err = net.Listen("tcp", "[::1]:0")
+		if err != nil {
+			return nil, nil, err
+		}
 	}
 	defer listener.Close()
 	c1, err := net.Dial("tcp", listener.Addr().String())
@@ -200,6 +203,9 @@ func netPipe() (net.Conn, net.Conn, error) {
 }
 
 func TestAuth(t *testing.T) {
+	agent, _, cleanup := startAgent(t)
+	defer cleanup()
+
 	a, b, err := netPipe()
 	if err != nil {
 		t.Fatalf("netPipe: %v", err)
@@ -208,9 +214,6 @@ func TestAuth(t *testing.T) {
 	defer a.Close()
 	defer b.Close()
 
-	agent, _, cleanup := startAgent(t)
-	defer cleanup()
-
 	if err := agent.Add(AddedKey{PrivateKey: testPrivateKeys["rsa"], Comment: "comment"}); err != nil {
 		t.Errorf("Add: %v", err)
 	}
diff --git a/vendor/golang.org/x/crypto/ssh/certs.go b/vendor/golang.org/x/crypto/ssh/certs.go
index 67600e240..2fc8af1b1 100644
--- a/vendor/golang.org/x/crypto/ssh/certs.go
+++ b/vendor/golang.org/x/crypto/ssh/certs.go
@@ -251,10 +251,18 @@ type CertChecker struct {
 	// for user certificates.
 	SupportedCriticalOptions []string
 
-	// IsAuthority should return true if the key is recognized as
-	// an authority. This allows for certificates to be signed by other
-	// certificates.
-	IsAuthority func(auth PublicKey) bool
+	// IsUserAuthority should return true if the key is recognized as an
+	// authority for the given user certificate. This allows for
+	// certificates to be signed by other certificates. This must be set
+	// if this CertChecker will be checking user certificates.
+	IsUserAuthority func(auth PublicKey) bool
+
+	// IsHostAuthority should report whether the key is recognized as
+	// an authority for this host. This allows for certificates to be
+	// signed by other keys, and for those other keys to only be valid
+	// signers for particular hostnames. This must be set if this
+	// CertChecker will be checking host certificates.
+	IsHostAuthority func(auth PublicKey, address string) bool
 
 	// Clock is used for verifying time stamps. If nil, time.Now
 	// is used.
@@ -356,7 +364,13 @@ func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
 		}
 	}
 
-	if !c.IsAuthority(cert.SignatureKey) {
+	// if this is a host cert, principal is the remote hostname as passed
+	// to CheckHostCert.
+	if cert.CertType == HostCert && !c.IsHostAuthority(cert.SignatureKey, principal) {
+		return fmt.Errorf("ssh: no authorities for hostname: %v", principal)
+	}
+
+	if cert.CertType == UserCert && !c.IsUserAuthority(cert.SignatureKey) {
 		return fmt.Errorf("ssh: certificate signed by unrecognized authority")
 	}
 
diff --git a/vendor/golang.org/x/crypto/ssh/certs_test.go b/vendor/golang.org/x/crypto/ssh/certs_test.go
index c5f2e5330..fba6310c5 100644
--- a/vendor/golang.org/x/crypto/ssh/certs_test.go
+++ b/vendor/golang.org/x/crypto/ssh/certs_test.go
@@ -104,7 +104,7 @@ func TestValidateCert(t *testing.T) {
 		t.Fatalf("got %v (%T), want *Certificate", key, key)
 	}
 	checker := CertChecker{}
-	checker.IsAuthority = func(k PublicKey) bool {
+	checker.IsUserAuthority = func(k PublicKey) bool {
 		return bytes.Equal(k.Marshal(), validCert.SignatureKey.Marshal())
 	}
 
@@ -142,7 +142,7 @@ func TestValidateCertTime(t *testing.T) {
 		checker := CertChecker{
 			Clock: func() time.Time { return time.Unix(ts, 0) },
 		}
-		checker.IsAuthority = func(k PublicKey) bool {
+		checker.IsUserAuthority = func(k PublicKey) bool {
 			return bytes.Equal(k.Marshal(),
 				testPublicKeys["ecdsa"].Marshal())
 		}
@@ -160,7 +160,7 @@ func TestValidateCertTime(t *testing.T) {
 
 func TestHostKeyCert(t *testing.T) {
 	cert := &Certificate{
-		ValidPrincipals: []string{"hostname", "hostname.domain"},
+		ValidPrincipals: []string{"hostname", "hostname.domain", "otherhost"},
 		Key:             testPublicKeys["rsa"],
 		ValidBefore:     CertTimeInfinity,
 		CertType:        HostCert,
@@ -168,8 +168,8 @@ func TestHostKeyCert(t *testing.T) {
 	cert.SignCert(rand.Reader, testSigners["ecdsa"])
 
 	checker := &CertChecker{
-		IsAuthority: func(p PublicKey) bool {
-			return bytes.Equal(testPublicKeys["ecdsa"].Marshal(), p.Marshal())
+		IsHostAuthority: func(p PublicKey, h string) bool {
+			return h == "hostname" && bytes.Equal(testPublicKeys["ecdsa"].Marshal(), p.Marshal())
 		},
 	}
 
@@ -178,7 +178,7 @@ func TestHostKeyCert(t *testing.T) {
 		t.Errorf("NewCertSigner: %v", err)
 	}
 
-	for _, name := range []string{"hostname", "otherhost"} {
+	for _, name := range []string{"hostname", "otherhost", "lasthost"} {
 		c1, c2, err := netPipe()
 		if err != nil {
 			t.Fatalf("netPipe: %v", err)
diff --git a/vendor/golang.org/x/crypto/ssh/client_auth_test.go b/vendor/golang.org/x/crypto/ssh/client_auth_test.go
index dd83a3c84..bd9f8a169 100644
--- a/vendor/golang.org/x/crypto/ssh/client_auth_test.go
+++ b/vendor/golang.org/x/crypto/ssh/client_auth_test.go
@@ -38,7 +38,7 @@ func tryAuth(t *testing.T, config *ClientConfig) error {
 	defer c2.Close()
 
 	certChecker := CertChecker{
-		IsAuthority: func(k PublicKey) bool {
+		IsUserAuthority: func(k PublicKey) bool {
 			return bytes.Equal(k.Marshal(), testPublicKeys["ecdsa"].Marshal())
 		},
 		UserKeyFallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
diff --git a/vendor/golang.org/x/crypto/ssh/handshake_test.go b/vendor/golang.org/x/crypto/ssh/handshake_test.go
index 51a4c5ade..91d493568 100644
--- a/vendor/golang.org/x/crypto/ssh/handshake_test.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake_test.go
@@ -40,9 +40,12 @@ func (t *testChecker) Check(dialAddr string, addr net.Addr, key PublicKey) error
 // therefore is buffered (net.Pipe deadlocks if both sides start with
 // a write.)
 func netPipe() (net.Conn, net.Conn, error) {
-	listener, err := net.Listen("tcp", ":0")
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
-		return nil, nil, err
+		listener, err = net.Listen("tcp", "[::1]:0")
+		if err != nil {
+			return nil, nil, err
+		}
 	}
 	defer listener.Close()
 	c1, err := net.Dial("tcp", listener.Addr().String())
diff --git a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
index d1f371868..ea92b2983 100644
--- a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
+++ b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
@@ -144,11 +144,16 @@ func keyEq(a, b ssh.PublicKey) bool {
 	return bytes.Equal(a.Marshal(), b.Marshal())
 }
 
-// IsAuthority can be used as a callback in ssh.CertChecker
-func (db *hostKeyDB) IsAuthority(remote ssh.PublicKey) bool {
+// IsAuthorityForHost can be used as a callback in ssh.CertChecker
+func (db *hostKeyDB) IsHostAuthority(remote ssh.PublicKey, address string) bool {
+	h, p, err := net.SplitHostPort(address)
+	if err != nil {
+		return false
+	}
+	a := addr{host: h, port: p}
+
 	for _, l := range db.lines {
-		// TODO(hanwen): should we check the hostname against host pattern?
-		if l.cert && keyEq(l.knownKey.Key, remote) {
+		if l.cert && keyEq(l.knownKey.Key, remote) && l.match([]addr{a}) {
 			return true
 		}
 	}
@@ -409,9 +414,7 @@ func (db *hostKeyDB) Read(r io.Reader, filename string) error {
 
 // New creates a host key callback from the given OpenSSH host key
 // files. The returned callback is for use in
-// ssh.ClientConfig.HostKeyCallback. Hostnames are ignored for
-// certificates, ie. any certificate authority is assumed to be valid
-// for all remote hosts.  Hashed hostnames are not supported.
+// ssh.ClientConfig.HostKeyCallback. Hashed hostnames are not supported.
 func New(files ...string) (ssh.HostKeyCallback, error) {
 	db := newHostKeyDB()
 	for _, fn := range files {
@@ -425,12 +428,8 @@ func New(files ...string) (ssh.HostKeyCallback, error) {
 		}
 	}
 
-	// TODO(hanwen): properly supporting certificates requires an
-	// API change in the SSH library: IsAuthority should provide
-	// the address too?
-
 	var certChecker ssh.CertChecker
-	certChecker.IsAuthority = db.IsAuthority
+	certChecker.IsHostAuthority = db.IsHostAuthority
 	certChecker.IsRevoked = db.IsRevoked
 	certChecker.HostKeyFallback = db.check
 
diff --git a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go
index 63aff9927..be7cc0e80 100644
--- a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go
+++ b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts_test.go
@@ -76,6 +76,28 @@ func TestRevoked(t *testing.T) {
 	}
 }
 
+func TestHostAuthority(t *testing.T) {
+	for _, m := range []struct {
+		authorityFor string
+		address      string
+
+		good bool
+	}{
+		{authorityFor: "localhost", address: "localhost:22", good: true},
+		{authorityFor: "localhost", address: "localhost", good: false},
+		{authorityFor: "localhost", address: "localhost:1234", good: false},
+		{authorityFor: "[localhost]:1234", address: "localhost:1234", good: true},
+		{authorityFor: "[localhost]:1234", address: "localhost:22", good: false},
+		{authorityFor: "[localhost]:1234", address: "localhost", good: false},
+	} {
+		db := testDB(t, `@cert-authority `+m.authorityFor+` `+edKeyStr)
+		if ok := db.IsHostAuthority(db.lines[0].knownKey.Key, m.address); ok != m.good {
+			t.Errorf("IsHostAuthority: authority %s, address %s, wanted good = %v, got good = %v",
+				m.authorityFor, m.address, m.good, ok)
+		}
+	}
+}
+
 func TestBracket(t *testing.T) {
 	db := testDB(t, `[git.eclipse.org]:29418,[198.41.30.196]:29418 `+edKeyStr)
 
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index 8e95acc6a..23b41d943 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -147,12 +147,12 @@ type ServerConn struct {
 // Request and NewChannel channels must be serviced, or the connection
 // will hang.
 func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error) {
-	if config.MaxAuthTries == 0 {
-		config.MaxAuthTries = 6
-	}
-
 	fullConf := *config
 	fullConf.SetDefaults()
+	if fullConf.MaxAuthTries == 0 {
+		fullConf.MaxAuthTries = 6
+	}
+
 	s := &connection{
 		sshConn: sshConn{conn: c},
 	}
diff --git a/vendor/golang.org/x/image/font/sfnt/proprietary_test.go b/vendor/golang.org/x/image/font/sfnt/proprietary_test.go
index 2df6f6ce6..dcafdd4c7 100644
--- a/vendor/golang.org/x/image/font/sfnt/proprietary_test.go
+++ b/vendor/golang.org/x/image/font/sfnt/proprietary_test.go
@@ -19,7 +19,11 @@ End User License Agreement (EULA) and a CAB format decoder. These tests assume
 that such fonts have already been installed. You may need to specify the
 directories for these fonts:
 
-go test golang.org/x/image/font/sfnt -args -proprietary -adobeDir=$HOME/fonts/adobe -appleDir=$HOME/fonts/apple -microsoftDir=$HOME/fonts/microsoft
+go test golang.org/x/image/font/sfnt -args -proprietary \
+	-adobeDir=$HOME/fonts/adobe \
+	-appleDir=$HOME/fonts/apple \
+	-dejavuDir=$HOME/fonts/dejavu \
+	-microsoftDir=$HOME/fonts/microsoft
 
 To only run those tests for the Microsoft fonts:
 
@@ -72,6 +76,13 @@ var (
 		"directory name for the Apple proprietary fonts",
 	)
 
+	dejavuDir = flag.String(
+		"dejavuDir",
+		// Get the fonts from https://dejavu-fonts.github.io/
+		"",
+		"directory name for the DejaVu proprietary fonts",
+	)
+
 	microsoftDir = flag.String(
 		"microsoftDir",
 		"/usr/share/fonts/truetype/msttcorefonts",
@@ -143,6 +154,18 @@ func TestProprietaryAppleHiragino1(t *testing.T) {
 	testProprietary(t, "apple", "ヒラギノ角ゴシック W0.ttc?1", 9000, -1)
 }
 
+func TestProprietaryDejaVuSansExtraLight(t *testing.T) {
+	testProprietary(t, "dejavu", "DejaVuSans-ExtraLight.ttf", 2000, -1)
+}
+
+func TestProprietaryDejaVuSansMono(t *testing.T) {
+	testProprietary(t, "dejavu", "DejaVuSansMono.ttf", 3300, -1)
+}
+
+func TestProprietaryDejaVuSerif(t *testing.T) {
+	testProprietary(t, "dejavu", "DejaVuSerif.ttf", 3500, -1)
+}
+
 func TestProprietaryMicrosoftArial(t *testing.T) {
 	testProprietary(t, "microsoft", "Arial.ttf", 1200, -1)
 }
@@ -192,6 +215,8 @@ func testProprietary(t *testing.T, proprietor, filename string, minNumGlyphs, fi
 		dir = *adobeDir
 	case "apple":
 		dir = *appleDir
+	case "dejavu":
+		dir = *dejavuDir
 	case "microsoft":
 		dir = *microsoftDir
 	default:
@@ -375,6 +400,10 @@ var proprietaryVersions = map[string]string{
 	"apple/ヒラギノ角ゴシック W0.ttc?0": "11.0d7e1",
 	"apple/ヒラギノ角ゴシック W0.ttc?1": "11.0d7e1",
 
+	"dejavu/DejaVuSans-ExtraLight.ttf": "Version 2.37",
+	"dejavu/DejaVuSansMono.ttf":        "Version 2.37",
+	"dejavu/DejaVuSerif.ttf":           "Version 2.37",
+
 	"microsoft/Arial.ttf":           "Version 2.82",
 	"microsoft/Arial.ttf?0":         "Version 2.82",
 	"microsoft/Comic_Sans_MS.ttf":   "Version 2.10",
@@ -403,6 +432,10 @@ var proprietaryFullNames = map[string]string{
 	"apple/ヒラギノ角ゴシック W0.ttc?0": "Hiragino Sans W0",
 	"apple/ヒラギノ角ゴシック W0.ttc?1": ".Hiragino Kaku Gothic Interface W0",
 
+	"dejavu/DejaVuSans-ExtraLight.ttf": "DejaVu Sans ExtraLight",
+	"dejavu/DejaVuSansMono.ttf":        "DejaVu Sans Mono",
+	"dejavu/DejaVuSerif.ttf":           "DejaVu Serif",
+
 	"microsoft/Arial.ttf":           "Arial",
 	"microsoft/Arial.ttf?0":         "Arial",
 	"microsoft/Comic_Sans_MS.ttf":   "Comic Sans MS",
@@ -469,6 +502,11 @@ var proprietaryGlyphIndexTestCases = map[string]map[rune]GlyphIndex{
 		'\U0001f100': 0,    // U+0001F100 DIGIT ZERO FULL STOP
 	},
 
+	"dejavu/DejaVuSerif.ttf": {
+		'\u0041': 36,   // U+0041 LATIN CAPITAL LETTER A
+		'\u1e00': 1418, // U+1E00 LATIN CAPITAL LETTER A WITH RING BELOW
+	},
+
 	"microsoft/Arial.ttf": {
 		'\u0041':     36,   // U+0041 LATIN CAPITAL LETTER A
 		'\u00f1':     120,  // U+00F1 LATIN SMALL LETTER N WITH TILDE
@@ -930,6 +968,23 @@ var proprietaryGlyphTestCases = map[string]map[rune][]Segment{
 		},
 	},
 
+	"dejavu/DejaVuSans-ExtraLight.ttf": {
+		'i': {
+			// - contour #0
+			moveTo(230, 1120),
+			lineTo(322, 1120),
+			lineTo(322, 0),
+			lineTo(230, 0),
+			lineTo(230, 1120),
+			// - contour #1
+			moveTo(230, 1556),
+			lineTo(322, 1556),
+			lineTo(322, 1430),
+			lineTo(230, 1430),
+			lineTo(230, 1556),
+		},
+	},
+
 	"microsoft/Arial.ttf": {
 		',': {
 			// - contour #0
@@ -1109,6 +1164,18 @@ type kernTestCase struct {
 // proprietaryKernTestCases hold a sample of each font's kerning pairs. The
 // numerical values can be verified by running the ttx tool.
 var proprietaryKernTestCases = map[string][]kernTestCase{
+	"dejavu/DejaVuSans-ExtraLight.ttf": {
+		{2048, font.HintingNone, [2]rune{'A', 'A'}, 57},
+		{2048, font.HintingNone, [2]rune{'W', 'A'}, -112},
+		// U+00C1 LATIN CAPITAL LETTER A WITH ACUTE
+		// U+01FA LATIN CAPITAL LETTER A WITH RING ABOVE AND ACUTE
+		// U+1E82 LATIN CAPITAL LETTER W WITH ACUTE
+		{2048, font.HintingNone, [2]rune{'\u00c1', 'A'}, 57},
+		// TODO: enable these next two test cases, when we support multiple
+		// kern subtables.
+		// {2048, font.HintingNone, [2]rune{'\u01fa', 'A'}, 57},
+		// {2048, font.HintingNone, [2]rune{'\u1e82', 'A'}, -112},
+	},
 	"microsoft/Arial.ttf": {
 		{2048, font.HintingNone, [2]rune{'A', 'V'}, -152},
 		// U+03B8 GREEK SMALL LETTER THETA
diff --git a/vendor/golang.org/x/image/font/sfnt/sfnt.go b/vendor/golang.org/x/image/font/sfnt/sfnt.go
index 5cb1225ef..34587da75 100644
--- a/vendor/golang.org/x/image/font/sfnt/sfnt.go
+++ b/vendor/golang.org/x/image/font/sfnt/sfnt.go
@@ -869,9 +869,11 @@ func (f *Font) parseKern(buf []byte) (buf1 []byte, kernNumPairs, kernOffset int3
 
 	switch version := u16(buf); version {
 	case 0:
-		// TODO: support numTables != 1. Testing that requires finding such a font.
-		if numTables := int(u16(buf[2:])); numTables != 1 {
-			return nil, 0, 0, errUnsupportedKernTable
+		if numTables := int(u16(buf[2:])); numTables == 0 {
+			return buf, 0, 0, nil
+		} else if numTables > 1 {
+			// TODO: support multiple subtables. For now, fall through and use
+			// only the first one.
 		}
 		return f.parseKernVersion0(buf, offset, length)
 	case 1:
diff --git a/vendor/golang.org/x/image/tiff/lzw/reader.go b/vendor/golang.org/x/image/tiff/lzw/reader.go
index ad35819f5..51ae39f8a 100644
--- a/vendor/golang.org/x/image/tiff/lzw/reader.go
+++ b/vendor/golang.org/x/image/tiff/lzw/reader.go
@@ -147,6 +147,7 @@ func (d *decoder) Read(b []byte) (int, error) {
 // litWidth is the width in bits of literal codes.
 func (d *decoder) decode() {
 	// Loop over the code stream, converting codes into decompressed bytes.
+loop:
 	for {
 		code, err := d.read(d)
 		if err != nil {
@@ -154,8 +155,7 @@ func (d *decoder) decode() {
 				err = io.ErrUnexpectedEOF
 			}
 			d.err = err
-			d.flush()
-			return
+			break
 		}
 		switch {
 		case code < d.clear:
@@ -174,9 +174,8 @@ func (d *decoder) decode() {
 			d.last = decoderInvalidCode
 			continue
 		case code == d.eof:
-			d.flush()
 			d.err = io.EOF
-			return
+			break loop
 		case code <= d.hi:
 			c, i := code, len(d.output)-1
 			if code == d.hi {
@@ -206,8 +205,7 @@ func (d *decoder) decode() {
 			}
 		default:
 			d.err = errors.New("lzw: invalid code")
-			d.flush()
-			return
+			break loop
 		}
 		d.last, d.hi = code, d.hi+1
 		if d.hi+1 >= d.overflow { // NOTE: the "+1" is where TIFF's LZW differs from the standard algorithm.
@@ -219,13 +217,10 @@ func (d *decoder) decode() {
 			}
 		}
 		if d.o >= flushBuffer {
-			d.flush()
-			return
+			break
 		}
 	}
-}
-
-func (d *decoder) flush() {
+	// Flush pending output.
 	d.toRead = d.output[:d.o]
 	d.o = 0
 }
diff --git a/vendor/golang.org/x/net/http2/ciphers.go b/vendor/golang.org/x/net/http2/ciphers.go
new file mode 100644
index 000000000..698860b77
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/ciphers.go
@@ -0,0 +1,641 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package http2
+
+// A list of the possible cipher suite ids. Taken from
+// http://www.iana.org/assignments/tls-parameters/tls-parameters.txt
+
+const (
+	cipher_TLS_NULL_WITH_NULL_NULL               uint16 = 0x0000
+	cipher_TLS_RSA_WITH_NULL_MD5                 uint16 = 0x0001
+	cipher_TLS_RSA_WITH_NULL_SHA                 uint16 = 0x0002
+	cipher_TLS_RSA_EXPORT_WITH_RC4_40_MD5        uint16 = 0x0003
+	cipher_TLS_RSA_WITH_RC4_128_MD5              uint16 = 0x0004
+	cipher_TLS_RSA_WITH_RC4_128_SHA              uint16 = 0x0005
+	cipher_TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5    uint16 = 0x0006
+	cipher_TLS_RSA_WITH_IDEA_CBC_SHA             uint16 = 0x0007
+	cipher_TLS_RSA_EXPORT_WITH_DES40_CBC_SHA     uint16 = 0x0008
+	cipher_TLS_RSA_WITH_DES_CBC_SHA              uint16 = 0x0009
+	cipher_TLS_RSA_WITH_3DES_EDE_CBC_SHA         uint16 = 0x000A
+	cipher_TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA  uint16 = 0x000B
+	cipher_TLS_DH_DSS_WITH_DES_CBC_SHA           uint16 = 0x000C
+	cipher_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA      uint16 = 0x000D
+	cipher_TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA  uint16 = 0x000E
+	cipher_TLS_DH_RSA_WITH_DES_CBC_SHA           uint16 = 0x000F
+	cipher_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA      uint16 = 0x0010
+	cipher_TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA uint16 = 0x0011
+	cipher_TLS_DHE_DSS_WITH_DES_CBC_SHA          uint16 = 0x0012
+	cipher_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA     uint16 = 0x0013
+	cipher_TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA uint16 = 0x0014
+	cipher_TLS_DHE_RSA_WITH_DES_CBC_SHA          uint16 = 0x0015
+	cipher_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA     uint16 = 0x0016
+	cipher_TLS_DH_anon_EXPORT_WITH_RC4_40_MD5    uint16 = 0x0017
+	cipher_TLS_DH_anon_WITH_RC4_128_MD5          uint16 = 0x0018
+	cipher_TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA uint16 = 0x0019
+	cipher_TLS_DH_anon_WITH_DES_CBC_SHA          uint16 = 0x001A
+	cipher_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA     uint16 = 0x001B
+	// Reserved uint16 =  0x001C-1D
+	cipher_TLS_KRB5_WITH_DES_CBC_SHA             uint16 = 0x001E
+	cipher_TLS_KRB5_WITH_3DES_EDE_CBC_SHA        uint16 = 0x001F
+	cipher_TLS_KRB5_WITH_RC4_128_SHA             uint16 = 0x0020
+	cipher_TLS_KRB5_WITH_IDEA_CBC_SHA            uint16 = 0x0021
+	cipher_TLS_KRB5_WITH_DES_CBC_MD5             uint16 = 0x0022
+	cipher_TLS_KRB5_WITH_3DES_EDE_CBC_MD5        uint16 = 0x0023
+	cipher_TLS_KRB5_WITH_RC4_128_MD5             uint16 = 0x0024
+	cipher_TLS_KRB5_WITH_IDEA_CBC_MD5            uint16 = 0x0025
+	cipher_TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA   uint16 = 0x0026
+	cipher_TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA   uint16 = 0x0027
+	cipher_TLS_KRB5_EXPORT_WITH_RC4_40_SHA       uint16 = 0x0028
+	cipher_TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5   uint16 = 0x0029
+	cipher_TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5   uint16 = 0x002A
+	cipher_TLS_KRB5_EXPORT_WITH_RC4_40_MD5       uint16 = 0x002B
+	cipher_TLS_PSK_WITH_NULL_SHA                 uint16 = 0x002C
+	cipher_TLS_DHE_PSK_WITH_NULL_SHA             uint16 = 0x002D
+	cipher_TLS_RSA_PSK_WITH_NULL_SHA             uint16 = 0x002E
+	cipher_TLS_RSA_WITH_AES_128_CBC_SHA          uint16 = 0x002F
+	cipher_TLS_DH_DSS_WITH_AES_128_CBC_SHA       uint16 = 0x0030
+	cipher_TLS_DH_RSA_WITH_AES_128_CBC_SHA       uint16 = 0x0031
+	cipher_TLS_DHE_DSS_WITH_AES_128_CBC_SHA      uint16 = 0x0032
+	cipher_TLS_DHE_RSA_WITH_AES_128_CBC_SHA      uint16 = 0x0033
+	cipher_TLS_DH_anon_WITH_AES_128_CBC_SHA      uint16 = 0x0034
+	cipher_TLS_RSA_WITH_AES_256_CBC_SHA          uint16 = 0x0035
+	cipher_TLS_DH_DSS_WITH_AES_256_CBC_SHA       uint16 = 0x0036
+	cipher_TLS_DH_RSA_WITH_AES_256_CBC_SHA       uint16 = 0x0037
+	cipher_TLS_DHE_DSS_WITH_AES_256_CBC_SHA      uint16 = 0x0038
+	cipher_TLS_DHE_RSA_WITH_AES_256_CBC_SHA      uint16 = 0x0039
+	cipher_TLS_DH_anon_WITH_AES_256_CBC_SHA      uint16 = 0x003A
+	cipher_TLS_RSA_WITH_NULL_SHA256              uint16 = 0x003B
+	cipher_TLS_RSA_WITH_AES_128_CBC_SHA256       uint16 = 0x003C
+	cipher_TLS_RSA_WITH_AES_256_CBC_SHA256       uint16 = 0x003D
+	cipher_TLS_DH_DSS_WITH_AES_128_CBC_SHA256    uint16 = 0x003E
+	cipher_TLS_DH_RSA_WITH_AES_128_CBC_SHA256    uint16 = 0x003F
+	cipher_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256   uint16 = 0x0040
+	cipher_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA     uint16 = 0x0041
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA  uint16 = 0x0042
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA  uint16 = 0x0043
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA uint16 = 0x0044
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA uint16 = 0x0045
+	cipher_TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA uint16 = 0x0046
+	// Reserved uint16 =  0x0047-4F
+	// Reserved uint16 =  0x0050-58
+	// Reserved uint16 =  0x0059-5C
+	// Unassigned uint16 =  0x005D-5F
+	// Reserved uint16 =  0x0060-66
+	cipher_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x0067
+	cipher_TLS_DH_DSS_WITH_AES_256_CBC_SHA256  uint16 = 0x0068
+	cipher_TLS_DH_RSA_WITH_AES_256_CBC_SHA256  uint16 = 0x0069
+	cipher_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 uint16 = 0x006A
+	cipher_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 uint16 = 0x006B
+	cipher_TLS_DH_anon_WITH_AES_128_CBC_SHA256 uint16 = 0x006C
+	cipher_TLS_DH_anon_WITH_AES_256_CBC_SHA256 uint16 = 0x006D
+	// Unassigned uint16 =  0x006E-83
+	cipher_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA        uint16 = 0x0084
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA     uint16 = 0x0085
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA     uint16 = 0x0086
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA    uint16 = 0x0087
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA    uint16 = 0x0088
+	cipher_TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA    uint16 = 0x0089
+	cipher_TLS_PSK_WITH_RC4_128_SHA                 uint16 = 0x008A
+	cipher_TLS_PSK_WITH_3DES_EDE_CBC_SHA            uint16 = 0x008B
+	cipher_TLS_PSK_WITH_AES_128_CBC_SHA             uint16 = 0x008C
+	cipher_TLS_PSK_WITH_AES_256_CBC_SHA             uint16 = 0x008D
+	cipher_TLS_DHE_PSK_WITH_RC4_128_SHA             uint16 = 0x008E
+	cipher_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA        uint16 = 0x008F
+	cipher_TLS_DHE_PSK_WITH_AES_128_CBC_SHA         uint16 = 0x0090
+	cipher_TLS_DHE_PSK_WITH_AES_256_CBC_SHA         uint16 = 0x0091
+	cipher_TLS_RSA_PSK_WITH_RC4_128_SHA             uint16 = 0x0092
+	cipher_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA        uint16 = 0x0093
+	cipher_TLS_RSA_PSK_WITH_AES_128_CBC_SHA         uint16 = 0x0094
+	cipher_TLS_RSA_PSK_WITH_AES_256_CBC_SHA         uint16 = 0x0095
+	cipher_TLS_RSA_WITH_SEED_CBC_SHA                uint16 = 0x0096
+	cipher_TLS_DH_DSS_WITH_SEED_CBC_SHA             uint16 = 0x0097
+	cipher_TLS_DH_RSA_WITH_SEED_CBC_SHA             uint16 = 0x0098
+	cipher_TLS_DHE_DSS_WITH_SEED_CBC_SHA            uint16 = 0x0099
+	cipher_TLS_DHE_RSA_WITH_SEED_CBC_SHA            uint16 = 0x009A
+	cipher_TLS_DH_anon_WITH_SEED_CBC_SHA            uint16 = 0x009B
+	cipher_TLS_RSA_WITH_AES_128_GCM_SHA256          uint16 = 0x009C
+	cipher_TLS_RSA_WITH_AES_256_GCM_SHA384          uint16 = 0x009D
+	cipher_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256      uint16 = 0x009E
+	cipher_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384      uint16 = 0x009F
+	cipher_TLS_DH_RSA_WITH_AES_128_GCM_SHA256       uint16 = 0x00A0
+	cipher_TLS_DH_RSA_WITH_AES_256_GCM_SHA384       uint16 = 0x00A1
+	cipher_TLS_DHE_DSS_WITH_AES_128_GCM_SHA256      uint16 = 0x00A2
+	cipher_TLS_DHE_DSS_WITH_AES_256_GCM_SHA384      uint16 = 0x00A3
+	cipher_TLS_DH_DSS_WITH_AES_128_GCM_SHA256       uint16 = 0x00A4
+	cipher_TLS_DH_DSS_WITH_AES_256_GCM_SHA384       uint16 = 0x00A5
+	cipher_TLS_DH_anon_WITH_AES_128_GCM_SHA256      uint16 = 0x00A6
+	cipher_TLS_DH_anon_WITH_AES_256_GCM_SHA384      uint16 = 0x00A7
+	cipher_TLS_PSK_WITH_AES_128_GCM_SHA256          uint16 = 0x00A8
+	cipher_TLS_PSK_WITH_AES_256_GCM_SHA384          uint16 = 0x00A9
+	cipher_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256      uint16 = 0x00AA
+	cipher_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384      uint16 = 0x00AB
+	cipher_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256      uint16 = 0x00AC
+	cipher_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384      uint16 = 0x00AD
+	cipher_TLS_PSK_WITH_AES_128_CBC_SHA256          uint16 = 0x00AE
+	cipher_TLS_PSK_WITH_AES_256_CBC_SHA384          uint16 = 0x00AF
+	cipher_TLS_PSK_WITH_NULL_SHA256                 uint16 = 0x00B0
+	cipher_TLS_PSK_WITH_NULL_SHA384                 uint16 = 0x00B1
+	cipher_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256      uint16 = 0x00B2
+	cipher_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384      uint16 = 0x00B3
+	cipher_TLS_DHE_PSK_WITH_NULL_SHA256             uint16 = 0x00B4
+	cipher_TLS_DHE_PSK_WITH_NULL_SHA384             uint16 = 0x00B5
+	cipher_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256      uint16 = 0x00B6
+	cipher_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384      uint16 = 0x00B7
+	cipher_TLS_RSA_PSK_WITH_NULL_SHA256             uint16 = 0x00B8
+	cipher_TLS_RSA_PSK_WITH_NULL_SHA384             uint16 = 0x00B9
+	cipher_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256     uint16 = 0x00BA
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256  uint16 = 0x00BB
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256  uint16 = 0x00BC
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 uint16 = 0x00BD
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 uint16 = 0x00BE
+	cipher_TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 uint16 = 0x00BF
+	cipher_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256     uint16 = 0x00C0
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256  uint16 = 0x00C1
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256  uint16 = 0x00C2
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 uint16 = 0x00C3
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 uint16 = 0x00C4
+	cipher_TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 uint16 = 0x00C5
+	// Unassigned uint16 =  0x00C6-FE
+	cipher_TLS_EMPTY_RENEGOTIATION_INFO_SCSV uint16 = 0x00FF
+	// Unassigned uint16 =  0x01-55,*
+	cipher_TLS_FALLBACK_SCSV uint16 = 0x5600
+	// Unassigned                                   uint16 = 0x5601 - 0xC000
+	cipher_TLS_ECDH_ECDSA_WITH_NULL_SHA                 uint16 = 0xC001
+	cipher_TLS_ECDH_ECDSA_WITH_RC4_128_SHA              uint16 = 0xC002
+	cipher_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA         uint16 = 0xC003
+	cipher_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA          uint16 = 0xC004
+	cipher_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA          uint16 = 0xC005
+	cipher_TLS_ECDHE_ECDSA_WITH_NULL_SHA                uint16 = 0xC006
+	cipher_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA             uint16 = 0xC007
+	cipher_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA        uint16 = 0xC008
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA         uint16 = 0xC009
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA         uint16 = 0xC00A
+	cipher_TLS_ECDH_RSA_WITH_NULL_SHA                   uint16 = 0xC00B
+	cipher_TLS_ECDH_RSA_WITH_RC4_128_SHA                uint16 = 0xC00C
+	cipher_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0xC00D
+	cipher_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA            uint16 = 0xC00E
+	cipher_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA            uint16 = 0xC00F
+	cipher_TLS_ECDHE_RSA_WITH_NULL_SHA                  uint16 = 0xC010
+	cipher_TLS_ECDHE_RSA_WITH_RC4_128_SHA               uint16 = 0xC011
+	cipher_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA          uint16 = 0xC012
+	cipher_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA           uint16 = 0xC013
+	cipher_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA           uint16 = 0xC014
+	cipher_TLS_ECDH_anon_WITH_NULL_SHA                  uint16 = 0xC015
+	cipher_TLS_ECDH_anon_WITH_RC4_128_SHA               uint16 = 0xC016
+	cipher_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA          uint16 = 0xC017
+	cipher_TLS_ECDH_anon_WITH_AES_128_CBC_SHA           uint16 = 0xC018
+	cipher_TLS_ECDH_anon_WITH_AES_256_CBC_SHA           uint16 = 0xC019
+	cipher_TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA            uint16 = 0xC01A
+	cipher_TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA        uint16 = 0xC01B
+	cipher_TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA        uint16 = 0xC01C
+	cipher_TLS_SRP_SHA_WITH_AES_128_CBC_SHA             uint16 = 0xC01D
+	cipher_TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA         uint16 = 0xC01E
+	cipher_TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA         uint16 = 0xC01F
+	cipher_TLS_SRP_SHA_WITH_AES_256_CBC_SHA             uint16 = 0xC020
+	cipher_TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA         uint16 = 0xC021
+	cipher_TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA         uint16 = 0xC022
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256      uint16 = 0xC023
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384      uint16 = 0xC024
+	cipher_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256       uint16 = 0xC025
+	cipher_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384       uint16 = 0xC026
+	cipher_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256        uint16 = 0xC027
+	cipher_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384        uint16 = 0xC028
+	cipher_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0xC029
+	cipher_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384         uint16 = 0xC02A
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256      uint16 = 0xC02B
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384      uint16 = 0xC02C
+	cipher_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256       uint16 = 0xC02D
+	cipher_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384       uint16 = 0xC02E
+	cipher_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256        uint16 = 0xC02F
+	cipher_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384        uint16 = 0xC030
+	cipher_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0xC031
+	cipher_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0xC032
+	cipher_TLS_ECDHE_PSK_WITH_RC4_128_SHA               uint16 = 0xC033
+	cipher_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA          uint16 = 0xC034
+	cipher_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA           uint16 = 0xC035
+	cipher_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA           uint16 = 0xC036
+	cipher_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256        uint16 = 0xC037
+	cipher_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384        uint16 = 0xC038
+	cipher_TLS_ECDHE_PSK_WITH_NULL_SHA                  uint16 = 0xC039
+	cipher_TLS_ECDHE_PSK_WITH_NULL_SHA256               uint16 = 0xC03A
+	cipher_TLS_ECDHE_PSK_WITH_NULL_SHA384               uint16 = 0xC03B
+	cipher_TLS_RSA_WITH_ARIA_128_CBC_SHA256             uint16 = 0xC03C
+	cipher_TLS_RSA_WITH_ARIA_256_CBC_SHA384             uint16 = 0xC03D
+	cipher_TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256          uint16 = 0xC03E
+	cipher_TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384          uint16 = 0xC03F
+	cipher_TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256          uint16 = 0xC040
+	cipher_TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384          uint16 = 0xC041
+	cipher_TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256         uint16 = 0xC042
+	cipher_TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384         uint16 = 0xC043
+	cipher_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256         uint16 = 0xC044
+	cipher_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384         uint16 = 0xC045
+	cipher_TLS_DH_anon_WITH_ARIA_128_CBC_SHA256         uint16 = 0xC046
+	cipher_TLS_DH_anon_WITH_ARIA_256_CBC_SHA384         uint16 = 0xC047
+	cipher_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256     uint16 = 0xC048
+	cipher_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384     uint16 = 0xC049
+	cipher_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256      uint16 = 0xC04A
+	cipher_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384      uint16 = 0xC04B
+	cipher_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256       uint16 = 0xC04C
+	cipher_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384       uint16 = 0xC04D
+	cipher_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256        uint16 = 0xC04E
+	cipher_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384        uint16 = 0xC04F
+	cipher_TLS_RSA_WITH_ARIA_128_GCM_SHA256             uint16 = 0xC050
+	cipher_TLS_RSA_WITH_ARIA_256_GCM_SHA384             uint16 = 0xC051
+	cipher_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256         uint16 = 0xC052
+	cipher_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384         uint16 = 0xC053
+	cipher_TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256          uint16 = 0xC054
+	cipher_TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384          uint16 = 0xC055
+	cipher_TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256         uint16 = 0xC056
+	cipher_TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384         uint16 = 0xC057
+	cipher_TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256          uint16 = 0xC058
+	cipher_TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384          uint16 = 0xC059
+	cipher_TLS_DH_anon_WITH_ARIA_128_GCM_SHA256         uint16 = 0xC05A
+	cipher_TLS_DH_anon_WITH_ARIA_256_GCM_SHA384         uint16 = 0xC05B
+	cipher_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256     uint16 = 0xC05C
+	cipher_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384     uint16 = 0xC05D
+	cipher_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256      uint16 = 0xC05E
+	cipher_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384      uint16 = 0xC05F
+	cipher_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256       uint16 = 0xC060
+	cipher_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384       uint16 = 0xC061
+	cipher_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256        uint16 = 0xC062
+	cipher_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384        uint16 = 0xC063
+	cipher_TLS_PSK_WITH_ARIA_128_CBC_SHA256             uint16 = 0xC064
+	cipher_TLS_PSK_WITH_ARIA_256_CBC_SHA384             uint16 = 0xC065
+	cipher_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256         uint16 = 0xC066
+	cipher_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384         uint16 = 0xC067
+	cipher_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256         uint16 = 0xC068
+	cipher_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384         uint16 = 0xC069
+	cipher_TLS_PSK_WITH_ARIA_128_GCM_SHA256             uint16 = 0xC06A
+	cipher_TLS_PSK_WITH_ARIA_256_GCM_SHA384             uint16 = 0xC06B
+	cipher_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256         uint16 = 0xC06C
+	cipher_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384         uint16 = 0xC06D
+	cipher_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256         uint16 = 0xC06E
+	cipher_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384         uint16 = 0xC06F
+	cipher_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256       uint16 = 0xC070
+	cipher_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384       uint16 = 0xC071
+	cipher_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 uint16 = 0xC072
+	cipher_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 uint16 = 0xC073
+	cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  uint16 = 0xC074
+	cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  uint16 = 0xC075
+	cipher_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256   uint16 = 0xC076
+	cipher_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384   uint16 = 0xC077
+	cipher_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256    uint16 = 0xC078
+	cipher_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384    uint16 = 0xC079
+	cipher_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256         uint16 = 0xC07A
+	cipher_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384         uint16 = 0xC07B
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256     uint16 = 0xC07C
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384     uint16 = 0xC07D
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256      uint16 = 0xC07E
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384      uint16 = 0xC07F
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256     uint16 = 0xC080
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384     uint16 = 0xC081
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256      uint16 = 0xC082
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384      uint16 = 0xC083
+	cipher_TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256     uint16 = 0xC084
+	cipher_TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384     uint16 = 0xC085
+	cipher_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 uint16 = 0xC086
+	cipher_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 uint16 = 0xC087
+	cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256  uint16 = 0xC088
+	cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384  uint16 = 0xC089
+	cipher_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256   uint16 = 0xC08A
+	cipher_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384   uint16 = 0xC08B
+	cipher_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256    uint16 = 0xC08C
+	cipher_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384    uint16 = 0xC08D
+	cipher_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256         uint16 = 0xC08E
+	cipher_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384         uint16 = 0xC08F
+	cipher_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256     uint16 = 0xC090
+	cipher_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384     uint16 = 0xC091
+	cipher_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256     uint16 = 0xC092
+	cipher_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384     uint16 = 0xC093
+	cipher_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256         uint16 = 0xC094
+	cipher_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384         uint16 = 0xC095
+	cipher_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256     uint16 = 0xC096
+	cipher_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384     uint16 = 0xC097
+	cipher_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256     uint16 = 0xC098
+	cipher_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384     uint16 = 0xC099
+	cipher_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256   uint16 = 0xC09A
+	cipher_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384   uint16 = 0xC09B
+	cipher_TLS_RSA_WITH_AES_128_CCM                     uint16 = 0xC09C
+	cipher_TLS_RSA_WITH_AES_256_CCM                     uint16 = 0xC09D
+	cipher_TLS_DHE_RSA_WITH_AES_128_CCM                 uint16 = 0xC09E
+	cipher_TLS_DHE_RSA_WITH_AES_256_CCM                 uint16 = 0xC09F
+	cipher_TLS_RSA_WITH_AES_128_CCM_8                   uint16 = 0xC0A0
+	cipher_TLS_RSA_WITH_AES_256_CCM_8                   uint16 = 0xC0A1
+	cipher_TLS_DHE_RSA_WITH_AES_128_CCM_8               uint16 = 0xC0A2
+	cipher_TLS_DHE_RSA_WITH_AES_256_CCM_8               uint16 = 0xC0A3
+	cipher_TLS_PSK_WITH_AES_128_CCM                     uint16 = 0xC0A4
+	cipher_TLS_PSK_WITH_AES_256_CCM                     uint16 = 0xC0A5
+	cipher_TLS_DHE_PSK_WITH_AES_128_CCM                 uint16 = 0xC0A6
+	cipher_TLS_DHE_PSK_WITH_AES_256_CCM                 uint16 = 0xC0A7
+	cipher_TLS_PSK_WITH_AES_128_CCM_8                   uint16 = 0xC0A8
+	cipher_TLS_PSK_WITH_AES_256_CCM_8                   uint16 = 0xC0A9
+	cipher_TLS_PSK_DHE_WITH_AES_128_CCM_8               uint16 = 0xC0AA
+	cipher_TLS_PSK_DHE_WITH_AES_256_CCM_8               uint16 = 0xC0AB
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CCM             uint16 = 0xC0AC
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_256_CCM             uint16 = 0xC0AD
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8           uint16 = 0xC0AE
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8           uint16 = 0xC0AF
+	// Unassigned uint16 =  0xC0B0-FF
+	// Unassigned uint16 =  0xC1-CB,*
+	// Unassigned uint16 =  0xCC00-A7
+	cipher_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xCCA8
+	cipher_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xCCA9
+	cipher_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256     uint16 = 0xCCAA
+	cipher_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256         uint16 = 0xCCAB
+	cipher_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xCCAC
+	cipher_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256     uint16 = 0xCCAD
+	cipher_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256     uint16 = 0xCCAE
+)
+
+// isBadCipher reports whether the cipher is blacklisted by the HTTP/2 spec.
+// References:
+// https://tools.ietf.org/html/rfc7540#appendix-A
+// Reject cipher suites from Appendix A.
+// "This list includes those cipher suites that do not
+// offer an ephemeral key exchange and those that are
+// based on the TLS null, stream or block cipher type"
+func isBadCipher(cipher uint16) bool {
+	switch cipher {
+	case cipher_TLS_NULL_WITH_NULL_NULL,
+		cipher_TLS_RSA_WITH_NULL_MD5,
+		cipher_TLS_RSA_WITH_NULL_SHA,
+		cipher_TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+		cipher_TLS_RSA_WITH_RC4_128_MD5,
+		cipher_TLS_RSA_WITH_RC4_128_SHA,
+		cipher_TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+		cipher_TLS_RSA_WITH_IDEA_CBC_SHA,
+		cipher_TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
+		cipher_TLS_RSA_WITH_DES_CBC_SHA,
+		cipher_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+		cipher_TLS_DH_DSS_WITH_DES_CBC_SHA,
+		cipher_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+		cipher_TLS_DH_RSA_WITH_DES_CBC_SHA,
+		cipher_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+		cipher_TLS_DHE_DSS_WITH_DES_CBC_SHA,
+		cipher_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+		cipher_TLS_DHE_RSA_WITH_DES_CBC_SHA,
+		cipher_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,
+		cipher_TLS_DH_anon_WITH_RC4_128_MD5,
+		cipher_TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
+		cipher_TLS_DH_anon_WITH_DES_CBC_SHA,
+		cipher_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_KRB5_WITH_DES_CBC_SHA,
+		cipher_TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_KRB5_WITH_RC4_128_SHA,
+		cipher_TLS_KRB5_WITH_IDEA_CBC_SHA,
+		cipher_TLS_KRB5_WITH_DES_CBC_MD5,
+		cipher_TLS_KRB5_WITH_3DES_EDE_CBC_MD5,
+		cipher_TLS_KRB5_WITH_RC4_128_MD5,
+		cipher_TLS_KRB5_WITH_IDEA_CBC_MD5,
+		cipher_TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
+		cipher_TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
+		cipher_TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
+		cipher_TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,
+		cipher_TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,
+		cipher_TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
+		cipher_TLS_PSK_WITH_NULL_SHA,
+		cipher_TLS_DHE_PSK_WITH_NULL_SHA,
+		cipher_TLS_RSA_PSK_WITH_NULL_SHA,
+		cipher_TLS_RSA_WITH_AES_128_CBC_SHA,
+		cipher_TLS_DH_DSS_WITH_AES_128_CBC_SHA,
+		cipher_TLS_DH_RSA_WITH_AES_128_CBC_SHA,
+		cipher_TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+		cipher_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+		cipher_TLS_DH_anon_WITH_AES_128_CBC_SHA,
+		cipher_TLS_RSA_WITH_AES_256_CBC_SHA,
+		cipher_TLS_DH_DSS_WITH_AES_256_CBC_SHA,
+		cipher_TLS_DH_RSA_WITH_AES_256_CBC_SHA,
+		cipher_TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+		cipher_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+		cipher_TLS_DH_anon_WITH_AES_256_CBC_SHA,
+		cipher_TLS_RSA_WITH_NULL_SHA256,
+		cipher_TLS_RSA_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_RSA_WITH_AES_256_CBC_SHA256,
+		cipher_TLS_DH_DSS_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_DH_RSA_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		cipher_TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
+		cipher_TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		cipher_TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+		cipher_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+		cipher_TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
+		cipher_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_DH_DSS_WITH_AES_256_CBC_SHA256,
+		cipher_TLS_DH_RSA_WITH_AES_256_CBC_SHA256,
+		cipher_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+		cipher_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+		cipher_TLS_DH_anon_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_DH_anon_WITH_AES_256_CBC_SHA256,
+		cipher_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		cipher_TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
+		cipher_TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		cipher_TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+		cipher_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+		cipher_TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
+		cipher_TLS_PSK_WITH_RC4_128_SHA,
+		cipher_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_PSK_WITH_AES_128_CBC_SHA,
+		cipher_TLS_PSK_WITH_AES_256_CBC_SHA,
+		cipher_TLS_DHE_PSK_WITH_RC4_128_SHA,
+		cipher_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+		cipher_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+		cipher_TLS_RSA_PSK_WITH_RC4_128_SHA,
+		cipher_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+		cipher_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+		cipher_TLS_RSA_WITH_SEED_CBC_SHA,
+		cipher_TLS_DH_DSS_WITH_SEED_CBC_SHA,
+		cipher_TLS_DH_RSA_WITH_SEED_CBC_SHA,
+		cipher_TLS_DHE_DSS_WITH_SEED_CBC_SHA,
+		cipher_TLS_DHE_RSA_WITH_SEED_CBC_SHA,
+		cipher_TLS_DH_anon_WITH_SEED_CBC_SHA,
+		cipher_TLS_RSA_WITH_AES_128_GCM_SHA256,
+		cipher_TLS_RSA_WITH_AES_256_GCM_SHA384,
+		cipher_TLS_DH_RSA_WITH_AES_128_GCM_SHA256,
+		cipher_TLS_DH_RSA_WITH_AES_256_GCM_SHA384,
+		cipher_TLS_DH_DSS_WITH_AES_128_GCM_SHA256,
+		cipher_TLS_DH_DSS_WITH_AES_256_GCM_SHA384,
+		cipher_TLS_DH_anon_WITH_AES_128_GCM_SHA256,
+		cipher_TLS_DH_anon_WITH_AES_256_GCM_SHA384,
+		cipher_TLS_PSK_WITH_AES_128_GCM_SHA256,
+		cipher_TLS_PSK_WITH_AES_256_GCM_SHA384,
+		cipher_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+		cipher_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+		cipher_TLS_PSK_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_PSK_WITH_AES_256_CBC_SHA384,
+		cipher_TLS_PSK_WITH_NULL_SHA256,
+		cipher_TLS_PSK_WITH_NULL_SHA384,
+		cipher_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+		cipher_TLS_DHE_PSK_WITH_NULL_SHA256,
+		cipher_TLS_DHE_PSK_WITH_NULL_SHA384,
+		cipher_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+		cipher_TLS_RSA_PSK_WITH_NULL_SHA256,
+		cipher_TLS_RSA_PSK_WITH_NULL_SHA384,
+		cipher_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+		cipher_TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256,
+		cipher_TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+		cipher_TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
+		cipher_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+		cipher_TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
+		cipher_TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+		cipher_TLS_ECDH_ECDSA_WITH_NULL_SHA,
+		cipher_TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+		cipher_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+		cipher_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+		cipher_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+		cipher_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+		cipher_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+		cipher_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+		cipher_TLS_ECDH_RSA_WITH_NULL_SHA,
+		cipher_TLS_ECDH_RSA_WITH_RC4_128_SHA,
+		cipher_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+		cipher_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+		cipher_TLS_ECDHE_RSA_WITH_NULL_SHA,
+		cipher_TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+		cipher_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+		cipher_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+		cipher_TLS_ECDH_anon_WITH_NULL_SHA,
+		cipher_TLS_ECDH_anon_WITH_RC4_128_SHA,
+		cipher_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+		cipher_TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+		cipher_TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_SRP_SHA_WITH_AES_128_CBC_SHA,
+		cipher_TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
+		cipher_TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
+		cipher_TLS_SRP_SHA_WITH_AES_256_CBC_SHA,
+		cipher_TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
+		cipher_TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
+		cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+		cipher_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+		cipher_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+		cipher_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+		cipher_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+		cipher_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+		cipher_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+		cipher_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+		cipher_TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+		cipher_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+		cipher_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+		cipher_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+		cipher_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+		cipher_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+		cipher_TLS_ECDHE_PSK_WITH_NULL_SHA,
+		cipher_TLS_ECDHE_PSK_WITH_NULL_SHA256,
+		cipher_TLS_ECDHE_PSK_WITH_NULL_SHA384,
+		cipher_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_DH_anon_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_DH_anon_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+		cipher_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+		cipher_TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256,
+		cipher_TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384,
+		cipher_TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256,
+		cipher_TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384,
+		cipher_TLS_DH_anon_WITH_ARIA_128_GCM_SHA256,
+		cipher_TLS_DH_anon_WITH_ARIA_256_GCM_SHA384,
+		cipher_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+		cipher_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+		cipher_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+		cipher_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+		cipher_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+		cipher_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+		cipher_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+		cipher_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+		cipher_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+		cipher_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+		cipher_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+		cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+		cipher_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+		cipher_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+		cipher_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+		cipher_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+		cipher_TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+		cipher_TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+		cipher_TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256,
+		cipher_TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384,
+		cipher_TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256,
+		cipher_TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384,
+		cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+		cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+		cipher_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+		cipher_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+		cipher_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+		cipher_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+		cipher_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+		cipher_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+		cipher_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+		cipher_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+		cipher_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+		cipher_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+		cipher_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+		cipher_TLS_RSA_WITH_AES_128_CCM,
+		cipher_TLS_RSA_WITH_AES_256_CCM,
+		cipher_TLS_RSA_WITH_AES_128_CCM_8,
+		cipher_TLS_RSA_WITH_AES_256_CCM_8,
+		cipher_TLS_PSK_WITH_AES_128_CCM,
+		cipher_TLS_PSK_WITH_AES_256_CCM,
+		cipher_TLS_PSK_WITH_AES_128_CCM_8,
+		cipher_TLS_PSK_WITH_AES_256_CCM_8:
+		return true
+	default:
+		return false
+	}
+}
diff --git a/vendor/golang.org/x/net/http2/ciphers_test.go b/vendor/golang.org/x/net/http2/ciphers_test.go
new file mode 100644
index 000000000..25aead013
--- /dev/null
+++ b/vendor/golang.org/x/net/http2/ciphers_test.go
@@ -0,0 +1,309 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package http2
+
+import "testing"
+
+func TestIsBadCipherBad(t *testing.T) {
+	for _, c := range badCiphers {
+		if !isBadCipher(c) {
+			t.Errorf("Wrong result for isBadCipher(%d), want true")
+		}
+	}
+}
+
+// verify we don't give false positives on ciphers not on blacklist
+func TestIsBadCipherGood(t *testing.T) {
+	goodCiphers := map[uint16]string{
+		cipher_TLS_DHE_RSA_WITH_AES_256_CCM:                "cipher_TLS_DHE_RSA_WITH_AES_256_CCM",
+		cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CCM:            "cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
+		cipher_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: "cipher_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",
+	}
+	for c, name := range goodCiphers {
+		if isBadCipher(c) {
+			t.Errorf("Wrong result for isBadCipher(%d) %s, want false", c, name)
+		}
+	}
+}
+
+// copied from https://http2.github.io/http2-spec/#BadCipherSuites,
+var badCiphers = []uint16{
+	cipher_TLS_NULL_WITH_NULL_NULL,
+	cipher_TLS_RSA_WITH_NULL_MD5,
+	cipher_TLS_RSA_WITH_NULL_SHA,
+	cipher_TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+	cipher_TLS_RSA_WITH_RC4_128_MD5,
+	cipher_TLS_RSA_WITH_RC4_128_SHA,
+	cipher_TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+	cipher_TLS_RSA_WITH_IDEA_CBC_SHA,
+	cipher_TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	cipher_TLS_RSA_WITH_DES_CBC_SHA,
+	cipher_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	cipher_TLS_DH_DSS_WITH_DES_CBC_SHA,
+	cipher_TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	cipher_TLS_DH_RSA_WITH_DES_CBC_SHA,
+	cipher_TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+	cipher_TLS_DHE_DSS_WITH_DES_CBC_SHA,
+	cipher_TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+	cipher_TLS_DHE_RSA_WITH_DES_CBC_SHA,
+	cipher_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_DH_anon_EXPORT_WITH_RC4_40_MD5,
+	cipher_TLS_DH_anon_WITH_RC4_128_MD5,
+	cipher_TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
+	cipher_TLS_DH_anon_WITH_DES_CBC_SHA,
+	cipher_TLS_DH_anon_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_KRB5_WITH_DES_CBC_SHA,
+	cipher_TLS_KRB5_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_KRB5_WITH_RC4_128_SHA,
+	cipher_TLS_KRB5_WITH_IDEA_CBC_SHA,
+	cipher_TLS_KRB5_WITH_DES_CBC_MD5,
+	cipher_TLS_KRB5_WITH_3DES_EDE_CBC_MD5,
+	cipher_TLS_KRB5_WITH_RC4_128_MD5,
+	cipher_TLS_KRB5_WITH_IDEA_CBC_MD5,
+	cipher_TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,
+	cipher_TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA,
+	cipher_TLS_KRB5_EXPORT_WITH_RC4_40_SHA,
+	cipher_TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5,
+	cipher_TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5,
+	cipher_TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
+	cipher_TLS_PSK_WITH_NULL_SHA,
+	cipher_TLS_DHE_PSK_WITH_NULL_SHA,
+	cipher_TLS_RSA_PSK_WITH_NULL_SHA,
+	cipher_TLS_RSA_WITH_AES_128_CBC_SHA,
+	cipher_TLS_DH_DSS_WITH_AES_128_CBC_SHA,
+	cipher_TLS_DH_RSA_WITH_AES_128_CBC_SHA,
+	cipher_TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+	cipher_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+	cipher_TLS_DH_anon_WITH_AES_128_CBC_SHA,
+	cipher_TLS_RSA_WITH_AES_256_CBC_SHA,
+	cipher_TLS_DH_DSS_WITH_AES_256_CBC_SHA,
+	cipher_TLS_DH_RSA_WITH_AES_256_CBC_SHA,
+	cipher_TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+	cipher_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+	cipher_TLS_DH_anon_WITH_AES_256_CBC_SHA,
+	cipher_TLS_RSA_WITH_NULL_SHA256,
+	cipher_TLS_RSA_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_RSA_WITH_AES_256_CBC_SHA256,
+	cipher_TLS_DH_DSS_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_DH_RSA_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA,
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA,
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+	cipher_TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA,
+	cipher_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_DH_DSS_WITH_AES_256_CBC_SHA256,
+	cipher_TLS_DH_RSA_WITH_AES_256_CBC_SHA256,
+	cipher_TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+	cipher_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+	cipher_TLS_DH_anon_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_DH_anon_WITH_AES_256_CBC_SHA256,
+	cipher_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA,
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA,
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+	cipher_TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA,
+	cipher_TLS_PSK_WITH_RC4_128_SHA,
+	cipher_TLS_PSK_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_PSK_WITH_AES_128_CBC_SHA,
+	cipher_TLS_PSK_WITH_AES_256_CBC_SHA,
+	cipher_TLS_DHE_PSK_WITH_RC4_128_SHA,
+	cipher_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_DHE_PSK_WITH_AES_128_CBC_SHA,
+	cipher_TLS_DHE_PSK_WITH_AES_256_CBC_SHA,
+	cipher_TLS_RSA_PSK_WITH_RC4_128_SHA,
+	cipher_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_RSA_PSK_WITH_AES_128_CBC_SHA,
+	cipher_TLS_RSA_PSK_WITH_AES_256_CBC_SHA,
+	cipher_TLS_RSA_WITH_SEED_CBC_SHA,
+	cipher_TLS_DH_DSS_WITH_SEED_CBC_SHA,
+	cipher_TLS_DH_RSA_WITH_SEED_CBC_SHA,
+	cipher_TLS_DHE_DSS_WITH_SEED_CBC_SHA,
+	cipher_TLS_DHE_RSA_WITH_SEED_CBC_SHA,
+	cipher_TLS_DH_anon_WITH_SEED_CBC_SHA,
+	cipher_TLS_RSA_WITH_AES_128_GCM_SHA256,
+	cipher_TLS_RSA_WITH_AES_256_GCM_SHA384,
+	cipher_TLS_DH_RSA_WITH_AES_128_GCM_SHA256,
+	cipher_TLS_DH_RSA_WITH_AES_256_GCM_SHA384,
+	cipher_TLS_DH_DSS_WITH_AES_128_GCM_SHA256,
+	cipher_TLS_DH_DSS_WITH_AES_256_GCM_SHA384,
+	cipher_TLS_DH_anon_WITH_AES_128_GCM_SHA256,
+	cipher_TLS_DH_anon_WITH_AES_256_GCM_SHA384,
+	cipher_TLS_PSK_WITH_AES_128_GCM_SHA256,
+	cipher_TLS_PSK_WITH_AES_256_GCM_SHA384,
+	cipher_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256,
+	cipher_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384,
+	cipher_TLS_PSK_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_PSK_WITH_AES_256_CBC_SHA384,
+	cipher_TLS_PSK_WITH_NULL_SHA256,
+	cipher_TLS_PSK_WITH_NULL_SHA384,
+	cipher_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,
+	cipher_TLS_DHE_PSK_WITH_NULL_SHA256,
+	cipher_TLS_DHE_PSK_WITH_NULL_SHA384,
+	cipher_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384,
+	cipher_TLS_RSA_PSK_WITH_NULL_SHA256,
+	cipher_TLS_RSA_PSK_WITH_NULL_SHA384,
+	cipher_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256,
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+	cipher_TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256,
+	cipher_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,
+	cipher_TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256,
+	cipher_TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
+	cipher_TLS_ECDH_ECDSA_WITH_NULL_SHA,
+	cipher_TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+	cipher_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+	cipher_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+	cipher_TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+	cipher_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+	cipher_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+	cipher_TLS_ECDH_RSA_WITH_NULL_SHA,
+	cipher_TLS_ECDH_RSA_WITH_RC4_128_SHA,
+	cipher_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+	cipher_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+	cipher_TLS_ECDHE_RSA_WITH_NULL_SHA,
+	cipher_TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+	cipher_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+	cipher_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+	cipher_TLS_ECDH_anon_WITH_NULL_SHA,
+	cipher_TLS_ECDH_anon_WITH_RC4_128_SHA,
+	cipher_TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_ECDH_anon_WITH_AES_128_CBC_SHA,
+	cipher_TLS_ECDH_anon_WITH_AES_256_CBC_SHA,
+	cipher_TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_SRP_SHA_WITH_AES_128_CBC_SHA,
+	cipher_TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA,
+	cipher_TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA,
+	cipher_TLS_SRP_SHA_WITH_AES_256_CBC_SHA,
+	cipher_TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA,
+	cipher_TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA,
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+	cipher_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+	cipher_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+	cipher_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+	cipher_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+	cipher_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+	cipher_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+	cipher_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+	cipher_TLS_ECDHE_PSK_WITH_RC4_128_SHA,
+	cipher_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA,
+	cipher_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA,
+	cipher_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA,
+	cipher_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,
+	cipher_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384,
+	cipher_TLS_ECDHE_PSK_WITH_NULL_SHA,
+	cipher_TLS_ECDHE_PSK_WITH_NULL_SHA256,
+	cipher_TLS_ECDHE_PSK_WITH_NULL_SHA384,
+	cipher_TLS_RSA_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_RSA_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_DH_anon_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_DH_anon_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_RSA_WITH_ARIA_128_GCM_SHA256,
+	cipher_TLS_RSA_WITH_ARIA_256_GCM_SHA384,
+	cipher_TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256,
+	cipher_TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384,
+	cipher_TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256,
+	cipher_TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384,
+	cipher_TLS_DH_anon_WITH_ARIA_128_GCM_SHA256,
+	cipher_TLS_DH_anon_WITH_ARIA_256_GCM_SHA384,
+	cipher_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256,
+	cipher_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384,
+	cipher_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256,
+	cipher_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384,
+	cipher_TLS_PSK_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_PSK_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_PSK_WITH_ARIA_128_GCM_SHA256,
+	cipher_TLS_PSK_WITH_ARIA_256_GCM_SHA384,
+	cipher_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256,
+	cipher_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384,
+	cipher_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256,
+	cipher_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384,
+	cipher_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+	cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384,
+	cipher_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+	cipher_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384,
+	cipher_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	cipher_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	cipher_TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256,
+	cipher_TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384,
+	cipher_TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256,
+	cipher_TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384,
+	cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256,
+	cipher_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384,
+	cipher_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256,
+	cipher_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384,
+	cipher_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+	cipher_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+	cipher_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256,
+	cipher_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384,
+	cipher_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	cipher_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	cipher_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	cipher_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256,
+	cipher_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384,
+	cipher_TLS_RSA_WITH_AES_128_CCM,
+	cipher_TLS_RSA_WITH_AES_256_CCM,
+	cipher_TLS_RSA_WITH_AES_128_CCM_8,
+	cipher_TLS_RSA_WITH_AES_256_CCM_8,
+	cipher_TLS_PSK_WITH_AES_128_CCM,
+	cipher_TLS_PSK_WITH_AES_256_CCM,
+	cipher_TLS_PSK_WITH_AES_128_CCM_8,
+	cipher_TLS_PSK_WITH_AES_256_CCM_8,
+}
diff --git a/vendor/golang.org/x/net/http2/databuffer_test.go b/vendor/golang.org/x/net/http2/databuffer_test.go
index ca227b528..0018130b9 100644
--- a/vendor/golang.org/x/net/http2/databuffer_test.go
+++ b/vendor/golang.org/x/net/http2/databuffer_test.go
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+// +build go1.7
+
 package http2
 
 import (
diff --git a/vendor/golang.org/x/net/http2/go16.go b/vendor/golang.org/x/net/http2/go16.go
index 2b72855f5..00b2e9e3c 100644
--- a/vendor/golang.org/x/net/http2/go16.go
+++ b/vendor/golang.org/x/net/http2/go16.go
@@ -7,7 +7,6 @@
 package http2
 
 import (
-	"crypto/tls"
 	"net/http"
 	"time"
 )
@@ -15,29 +14,3 @@ import (
 func transportExpectContinueTimeout(t1 *http.Transport) time.Duration {
 	return t1.ExpectContinueTimeout
 }
-
-// isBadCipher reports whether the cipher is blacklisted by the HTTP/2 spec.
-func isBadCipher(cipher uint16) bool {
-	switch cipher {
-	case tls.TLS_RSA_WITH_RC4_128_SHA,
-		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
-		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
-		tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
-		// Reject cipher suites from Appendix A.
-		// "This list includes those cipher suites that do not
-		// offer an ephemeral key exchange and those that are
-		// based on the TLS null, stream or block cipher type"
-		return true
-	default:
-		return false
-	}
-}
diff --git a/vendor/golang.org/x/net/http2/hpack/tables.go b/vendor/golang.org/x/net/http2/hpack/tables.go
index 31bd5a553..5d7f6359a 100644
--- a/vendor/golang.org/x/net/http2/hpack/tables.go
+++ b/vendor/golang.org/x/net/http2/hpack/tables.go
@@ -131,71 +131,76 @@ func pair(name, value string) HeaderField {
 
 // http://tools.ietf.org/html/draft-ietf-httpbis-header-compression-07#appendix-B
 var staticTable = newStaticTable()
+var staticTableEntries = [...]HeaderField{
+	pair(":authority", ""),
+	pair(":method", "GET"),
+	pair(":method", "POST"),
+	pair(":path", "/"),
+	pair(":path", "/index.html"),
+	pair(":scheme", "http"),
+	pair(":scheme", "https"),
+	pair(":status", "200"),
+	pair(":status", "204"),
+	pair(":status", "206"),
+	pair(":status", "304"),
+	pair(":status", "400"),
+	pair(":status", "404"),
+	pair(":status", "500"),
+	pair("accept-charset", ""),
+	pair("accept-encoding", "gzip, deflate"),
+	pair("accept-language", ""),
+	pair("accept-ranges", ""),
+	pair("accept", ""),
+	pair("access-control-allow-origin", ""),
+	pair("age", ""),
+	pair("allow", ""),
+	pair("authorization", ""),
+	pair("cache-control", ""),
+	pair("content-disposition", ""),
+	pair("content-encoding", ""),
+	pair("content-language", ""),
+	pair("content-length", ""),
+	pair("content-location", ""),
+	pair("content-range", ""),
+	pair("content-type", ""),
+	pair("cookie", ""),
+	pair("date", ""),
+	pair("etag", ""),
+	pair("expect", ""),
+	pair("expires", ""),
+	pair("from", ""),
+	pair("host", ""),
+	pair("if-match", ""),
+	pair("if-modified-since", ""),
+	pair("if-none-match", ""),
+	pair("if-range", ""),
+	pair("if-unmodified-since", ""),
+	pair("last-modified", ""),
+	pair("link", ""),
+	pair("location", ""),
+	pair("max-forwards", ""),
+	pair("proxy-authenticate", ""),
+	pair("proxy-authorization", ""),
+	pair("range", ""),
+	pair("referer", ""),
+	pair("refresh", ""),
+	pair("retry-after", ""),
+	pair("server", ""),
+	pair("set-cookie", ""),
+	pair("strict-transport-security", ""),
+	pair("transfer-encoding", ""),
+	pair("user-agent", ""),
+	pair("vary", ""),
+	pair("via", ""),
+	pair("www-authenticate", ""),
+}
 
 func newStaticTable() *headerFieldTable {
 	t := &headerFieldTable{}
 	t.init()
-	t.addEntry(pair(":authority", ""))
-	t.addEntry(pair(":method", "GET"))
-	t.addEntry(pair(":method", "POST"))
-	t.addEntry(pair(":path", "/"))
-	t.addEntry(pair(":path", "/index.html"))
-	t.addEntry(pair(":scheme", "http"))
-	t.addEntry(pair(":scheme", "https"))
-	t.addEntry(pair(":status", "200"))
-	t.addEntry(pair(":status", "204"))
-	t.addEntry(pair(":status", "206"))
-	t.addEntry(pair(":status", "304"))
-	t.addEntry(pair(":status", "400"))
-	t.addEntry(pair(":status", "404"))
-	t.addEntry(pair(":status", "500"))
-	t.addEntry(pair("accept-charset", ""))
-	t.addEntry(pair("accept-encoding", "gzip, deflate"))
-	t.addEntry(pair("accept-language", ""))
-	t.addEntry(pair("accept-ranges", ""))
-	t.addEntry(pair("accept", ""))
-	t.addEntry(pair("access-control-allow-origin", ""))
-	t.addEntry(pair("age", ""))
-	t.addEntry(pair("allow", ""))
-	t.addEntry(pair("authorization", ""))
-	t.addEntry(pair("cache-control", ""))
-	t.addEntry(pair("content-disposition", ""))
-	t.addEntry(pair("content-encoding", ""))
-	t.addEntry(pair("content-language", ""))
-	t.addEntry(pair("content-length", ""))
-	t.addEntry(pair("content-location", ""))
-	t.addEntry(pair("content-range", ""))
-	t.addEntry(pair("content-type", ""))
-	t.addEntry(pair("cookie", ""))
-	t.addEntry(pair("date", ""))
-	t.addEntry(pair("etag", ""))
-	t.addEntry(pair("expect", ""))
-	t.addEntry(pair("expires", ""))
-	t.addEntry(pair("from", ""))
-	t.addEntry(pair("host", ""))
-	t.addEntry(pair("if-match", ""))
-	t.addEntry(pair("if-modified-since", ""))
-	t.addEntry(pair("if-none-match", ""))
-	t.addEntry(pair("if-range", ""))
-	t.addEntry(pair("if-unmodified-since", ""))
-	t.addEntry(pair("last-modified", ""))
-	t.addEntry(pair("link", ""))
-	t.addEntry(pair("location", ""))
-	t.addEntry(pair("max-forwards", ""))
-	t.addEntry(pair("proxy-authenticate", ""))
-	t.addEntry(pair("proxy-authorization", ""))
-	t.addEntry(pair("range", ""))
-	t.addEntry(pair("referer", ""))
-	t.addEntry(pair("refresh", ""))
-	t.addEntry(pair("retry-after", ""))
-	t.addEntry(pair("server", ""))
-	t.addEntry(pair("set-cookie", ""))
-	t.addEntry(pair("strict-transport-security", ""))
-	t.addEntry(pair("transfer-encoding", ""))
-	t.addEntry(pair("user-agent", ""))
-	t.addEntry(pair("vary", ""))
-	t.addEntry(pair("via", ""))
-	t.addEntry(pair("www-authenticate", ""))
+	for _, e := range staticTableEntries[:] {
+		t.addEntry(e)
+	}
 	return t
 }
 
diff --git a/vendor/golang.org/x/net/http2/not_go16.go b/vendor/golang.org/x/net/http2/not_go16.go
index efd2e1282..508cebcc4 100644
--- a/vendor/golang.org/x/net/http2/not_go16.go
+++ b/vendor/golang.org/x/net/http2/not_go16.go
@@ -7,7 +7,6 @@
 package http2
 
 import (
-	"crypto/tls"
 	"net/http"
 	"time"
 )
@@ -20,27 +19,3 @@ func transportExpectContinueTimeout(t1 *http.Transport) time.Duration {
 	return 0
 
 }
-
-// isBadCipher reports whether the cipher is blacklisted by the HTTP/2 spec.
-func isBadCipher(cipher uint16) bool {
-	switch cipher {
-	case tls.TLS_RSA_WITH_RC4_128_SHA,
-		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
-		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
-		// Reject cipher suites from Appendix A.
-		// "This list includes those cipher suites that do not
-		// offer an ephemeral key exchange and those that are
-		// based on the TLS null, stream or block cipher type"
-		return true
-	default:
-		return false
-	}
-}
diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
index 029ed958a..3175a08c6 100644
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -292,7 +292,7 @@ func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
 		streams:                     make(map[uint32]*stream),
 		readFrameCh:                 make(chan readFrameResult),
 		wantWriteFrameCh:            make(chan FrameWriteRequest, 8),
-		wantStartPushCh:             make(chan startPushRequest, 8),
+		serveMsgCh:                  make(chan interface{}, 8),
 		wroteFrameCh:                make(chan frameWriteResult, 1), // buffered; one send in writeFrameAsync
 		bodyReadCh:                  make(chan bodyReadMsg),         // buffering doesn't matter either way
 		doneServing:                 make(chan struct{}),
@@ -405,10 +405,9 @@ type serverConn struct {
 	doneServing      chan struct{}          // closed when serverConn.serve ends
 	readFrameCh      chan readFrameResult   // written by serverConn.readFrames
 	wantWriteFrameCh chan FrameWriteRequest // from handlers -> serve
-	wantStartPushCh  chan startPushRequest  // from handlers -> serve
 	wroteFrameCh     chan frameWriteResult  // from writeFrameAsync -> serve, tickles more frame writes
 	bodyReadCh       chan bodyReadMsg       // from handlers -> serve
-	testHookCh       chan func(int)         // code to run on the serve loop
+	serveMsgCh       chan interface{}       // misc messages & code to send to / run on the serve loop
 	flow             flow                   // conn-wide (not stream-specific) outbound flow control
 	inflow           flow                   // conn-wide inbound flow control
 	tlsState         *tls.ConnectionState   // shared by all handlers, like net/http
@@ -440,10 +439,8 @@ type serverConn struct {
 	inFrameScheduleLoop         bool              // whether we're in the scheduleFrameWrite loop
 	needToSendGoAway            bool              // we need to schedule a GOAWAY frame write
 	goAwayCode                  ErrCode
-	shutdownTimerCh             <-chan time.Time // nil until used
-	shutdownTimer               *time.Timer      // nil until used
-	idleTimer                   *time.Timer      // nil if unused
-	idleTimerCh                 <-chan time.Time // nil if unused
+	shutdownTimer               *time.Timer // nil until used
+	idleTimer                   *time.Timer // nil if unused
 
 	// Owned by the writeFrameAsync goroutine:
 	headerWriteBuf bytes.Buffer
@@ -748,19 +745,24 @@ func (sc *serverConn) serve() {
 	sc.setConnState(http.StateIdle)
 
 	if sc.srv.IdleTimeout != 0 {
-		sc.idleTimer = time.NewTimer(sc.srv.IdleTimeout)
+		sc.idleTimer = time.AfterFunc(sc.srv.IdleTimeout, sc.onIdleTimer)
 		defer sc.idleTimer.Stop()
-		sc.idleTimerCh = sc.idleTimer.C
 	}
 
-	var gracefulShutdownCh <-chan struct{}
+	var gracefulShutdownCh chan struct{}
 	if sc.hs != nil {
-		gracefulShutdownCh = h1ServerShutdownChan(sc.hs)
+		ch := h1ServerShutdownChan(sc.hs)
+		if ch != nil {
+			gracefulShutdownCh = make(chan struct{})
+			go sc.awaitGracefulShutdown(ch, gracefulShutdownCh)
+		}
 	}
 
 	go sc.readFrames() // closed by defer sc.conn.Close above
 
-	settingsTimer := time.NewTimer(firstSettingsTimeout)
+	settingsTimer := time.AfterFunc(firstSettingsTimeout, sc.onSettingsTimer)
+	defer settingsTimer.Stop()
+
 	loopNum := 0
 	for {
 		loopNum++
@@ -771,8 +773,6 @@ func (sc *serverConn) serve() {
 				break
 			}
 			sc.writeFrame(wr)
-		case spr := <-sc.wantStartPushCh:
-			sc.startPush(spr)
 		case res := <-sc.wroteFrameCh:
 			sc.wroteFrame(res)
 		case res := <-sc.readFrameCh:
@@ -780,26 +780,38 @@ func (sc *serverConn) serve() {
 				return
 			}
 			res.readMore()
-			if settingsTimer.C != nil {
+			if settingsTimer != nil {
 				settingsTimer.Stop()
-				settingsTimer.C = nil
+				settingsTimer = nil
 			}
 		case m := <-sc.bodyReadCh:
 			sc.noteBodyRead(m.st, m.n)
-		case <-settingsTimer.C:
-			sc.logf("timeout waiting for SETTINGS frames from %v", sc.conn.RemoteAddr())
-			return
 		case <-gracefulShutdownCh:
 			gracefulShutdownCh = nil
 			sc.startGracefulShutdown()
-		case <-sc.shutdownTimerCh:
-			sc.vlogf("GOAWAY close timer fired; closing conn from %v", sc.conn.RemoteAddr())
-			return
-		case <-sc.idleTimerCh:
-			sc.vlogf("connection is idle")
-			sc.goAway(ErrCodeNo)
-		case fn := <-sc.testHookCh:
-			fn(loopNum)
+		case msg := <-sc.serveMsgCh:
+			switch v := msg.(type) {
+			case func(int):
+				v(loopNum) // for testing
+			case *timerMessage:
+				switch v {
+				case settingsTimerMsg:
+					sc.logf("timeout waiting for SETTINGS frames from %v", sc.conn.RemoteAddr())
+					return
+				case idleTimerMsg:
+					sc.vlogf("connection is idle")
+					sc.goAway(ErrCodeNo)
+				case shutdownTimerMsg:
+					sc.vlogf("GOAWAY close timer fired; closing conn from %v", sc.conn.RemoteAddr())
+					return
+				default:
+					panic("unknown timer")
+				}
+			case *startPushRequest:
+				sc.startPush(v)
+			default:
+				panic(fmt.Sprintf("unexpected type %T", v))
+			}
 		}
 
 		if sc.inGoAway && sc.curOpenStreams() == 0 && !sc.needToSendGoAway && !sc.writingFrame {
@@ -808,6 +820,35 @@ func (sc *serverConn) serve() {
 	}
 }
 
+func (sc *serverConn) awaitGracefulShutdown(sharedCh <-chan struct{}, privateCh chan struct{}) {
+	select {
+	case <-sc.doneServing:
+	case <-sharedCh:
+		close(privateCh)
+	}
+}
+
+type timerMessage int
+
+// Timeout message values sent to serveMsgCh.
+var (
+	settingsTimerMsg = new(timerMessage)
+	idleTimerMsg     = new(timerMessage)
+	shutdownTimerMsg = new(timerMessage)
+)
+
+func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
+func (sc *serverConn) onIdleTimer()     { sc.sendServeMsg(idleTimerMsg) }
+func (sc *serverConn) onShutdownTimer() { sc.sendServeMsg(shutdownTimerMsg) }
+
+func (sc *serverConn) sendServeMsg(msg interface{}) {
+	sc.serveG.checkNotOn() // NOT
+	select {
+	case sc.serveMsgCh <- msg:
+	case <-sc.doneServing:
+	}
+}
+
 // readPreface reads the ClientPreface greeting from the peer
 // or returns an error on timeout or an invalid greeting.
 func (sc *serverConn) readPreface() error {
@@ -1160,8 +1201,7 @@ func (sc *serverConn) goAwayIn(code ErrCode, forceCloseIn time.Duration) {
 
 func (sc *serverConn) shutDownIn(d time.Duration) {
 	sc.serveG.check()
-	sc.shutdownTimer = time.NewTimer(d)
-	sc.shutdownTimerCh = sc.shutdownTimer.C
+	sc.shutdownTimer = time.AfterFunc(d, sc.onShutdownTimer)
 }
 
 func (sc *serverConn) resetStream(se StreamError) {
@@ -2539,7 +2579,7 @@ func (w *responseWriter) push(target string, opts pushOptions) error {
 		return fmt.Errorf("method %q must be GET or HEAD", opts.Method)
 	}
 
-	msg := startPushRequest{
+	msg := &startPushRequest{
 		parent: st,
 		method: opts.Method,
 		url:    u,
@@ -2552,7 +2592,7 @@ func (w *responseWriter) push(target string, opts pushOptions) error {
 		return errClientDisconnected
 	case <-st.cw:
 		return errStreamClosed
-	case sc.wantStartPushCh <- msg:
+	case sc.serveMsgCh <- msg:
 	}
 
 	select {
@@ -2574,7 +2614,7 @@ type startPushRequest struct {
 	done   chan error
 }
 
-func (sc *serverConn) startPush(msg startPushRequest) {
+func (sc *serverConn) startPush(msg *startPushRequest) {
 	sc.serveG.check()
 
 	// http://tools.ietf.org/html/rfc7540#section-6.6.
diff --git a/vendor/golang.org/x/net/http2/server_push_test.go b/vendor/golang.org/x/net/http2/server_push_test.go
index f70edd3c7..918fd30dc 100644
--- a/vendor/golang.org/x/net/http2/server_push_test.go
+++ b/vendor/golang.org/x/net/http2/server_push_test.go
@@ -508,7 +508,7 @@ func TestServer_Push_RejectAfterGoAway(t *testing.T) {
 				return
 			default:
 			}
-			st.sc.testHookCh <- func(loopNum int) {
+			st.sc.serveMsgCh <- func(loopNum int) {
 				if !st.sc.pushEnabled {
 					readyOnce.Do(func() { close(ready) })
 				}
diff --git a/vendor/golang.org/x/net/http2/server_test.go b/vendor/golang.org/x/net/http2/server_test.go
index 591a0c2e6..5cb249056 100644
--- a/vendor/golang.org/x/net/http2/server_test.go
+++ b/vendor/golang.org/x/net/http2/server_test.go
@@ -142,7 +142,6 @@ func newServerTester(t testing.TB, handler http.HandlerFunc, opts ...interface{}
 		st.scMu.Lock()
 		defer st.scMu.Unlock()
 		st.sc = v
-		st.sc.testHookCh = make(chan func(int))
 	}
 	log.SetOutput(io.MultiWriter(stderrv(), twriter{t: t, st: st}))
 	if !onlyServer {
@@ -187,7 +186,7 @@ func (st *serverTester) addLogFilter(phrase string) {
 
 func (st *serverTester) stream(id uint32) *stream {
 	ch := make(chan *stream, 1)
-	st.sc.testHookCh <- func(int) {
+	st.sc.serveMsgCh <- func(int) {
 		ch <- st.sc.streams[id]
 	}
 	return <-ch
@@ -195,7 +194,7 @@ func (st *serverTester) stream(id uint32) *stream {
 
 func (st *serverTester) streamState(id uint32) streamState {
 	ch := make(chan streamState, 1)
-	st.sc.testHookCh <- func(int) {
+	st.sc.serveMsgCh <- func(int) {
 		state, _ := st.sc.state(id)
 		ch <- state
 	}
@@ -205,7 +204,7 @@ func (st *serverTester) streamState(id uint32) streamState {
 // loopNum reports how many times this conn's select loop has gone around.
 func (st *serverTester) loopNum() int {
 	lastc := make(chan int, 1)
-	st.sc.testHookCh <- func(loopNum int) {
+	st.sc.serveMsgCh <- func(loopNum int) {
 		lastc <- loopNum
 	}
 	return <-lastc
@@ -2432,6 +2431,7 @@ func TestServer_Rejects_TLSBadCipher(t *testing.T) {
 			tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
 			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			cipher_TLS_RSA_WITH_AES_128_CBC_SHA256,
 		}
 	})
 	defer st.Close()
@@ -3414,8 +3414,9 @@ func TestServerHandleCustomConn(t *testing.T) {
 	}()
 	const testString = "my custom ConnectionState"
 	fakeConnState := tls.ConnectionState{
-		ServerName: testString,
-		Version:    tls.VersionTLS12,
+		ServerName:  testString,
+		Version:     tls.VersionTLS12,
+		CipherSuite: cipher_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 	}
 	go s.ServeConn(connStateConn{c1, fakeConnState}, &ServeConnOpts{
 		BaseConfig: &http.Server{
diff --git a/vendor/golang.org/x/net/http2/transport_test.go b/vendor/golang.org/x/net/http2/transport_test.go
index 7ae8ff787..1ffa92a7c 100644
--- a/vendor/golang.org/x/net/http2/transport_test.go
+++ b/vendor/golang.org/x/net/http2/transport_test.go
@@ -65,7 +65,8 @@ type fakeTLSConn struct {
 
 func (c *fakeTLSConn) ConnectionState() tls.ConnectionState {
 	return tls.ConnectionState{
-		Version: tls.VersionTLS12,
+		Version:     tls.VersionTLS12,
+		CipherSuite: cipher_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 	}
 }
 
diff --git a/vendor/golang.org/x/net/lif/address_test.go b/vendor/golang.org/x/net/lif/address_test.go
index f62ed9347..a25f10b67 100644
--- a/vendor/golang.org/x/net/lif/address_test.go
+++ b/vendor/golang.org/x/net/lif/address_test.go
@@ -78,15 +78,17 @@ type addrPack struct {
 }
 
 func addrPacks() ([]addrPack, error) {
+	var lastErr error
 	var aps []addrPack
 	for _, af := range [...]int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
 		as, err := Addrs(af, "")
 		if err != nil {
-			return nil, err
+			lastErr = err
+			continue
 		}
 		aps = append(aps, addrPack{af: af, as: as})
 	}
-	return aps, nil
+	return aps, lastErr
 }
 
 func TestAddrs(t *testing.T) {
diff --git a/vendor/golang.org/x/net/lif/defs_solaris.go b/vendor/golang.org/x/net/lif/defs_solaris.go
index 8b84ba5e3..02c19981d 100644
--- a/vendor/golang.org/x/net/lif/defs_solaris.go
+++ b/vendor/golang.org/x/net/lif/defs_solaris.go
@@ -75,7 +75,7 @@ const (
 	sizeofLifIfinfoReq = C.sizeof_struct_lif_ifinfo_req
 )
 
-type sysLifnum C.struct_lifnum
+type lifnum C.struct_lifnum
 
 type lifreq C.struct_lifreq
 
diff --git a/vendor/golang.org/x/net/lif/link.go b/vendor/golang.org/x/net/lif/link.go
index fce6b2147..913a53e11 100644
--- a/vendor/golang.org/x/net/lif/link.go
+++ b/vendor/golang.org/x/net/lif/link.go
@@ -70,7 +70,7 @@ func Links(af int, name string) ([]Link, error) {
 
 func links(eps []endpoint, name string) ([]Link, error) {
 	var lls []Link
-	lifn := sysLifnum{Flags: sysLIFC_NOXMIT | sysLIFC_TEMPORARY | sysLIFC_ALLZONES | sysLIFC_UNDER_IPMP}
+	lifn := lifnum{Flags: sysLIFC_NOXMIT | sysLIFC_TEMPORARY | sysLIFC_ALLZONES | sysLIFC_UNDER_IPMP}
 	lifc := lifconf{Flags: sysLIFC_NOXMIT | sysLIFC_TEMPORARY | sysLIFC_ALLZONES | sysLIFC_UNDER_IPMP}
 	for _, ep := range eps {
 		lifn.Family = uint16(ep.af)
diff --git a/vendor/golang.org/x/net/lif/link_test.go b/vendor/golang.org/x/net/lif/link_test.go
index 8fb2bf6f3..0cb9b95c6 100644
--- a/vendor/golang.org/x/net/lif/link_test.go
+++ b/vendor/golang.org/x/net/lif/link_test.go
@@ -21,15 +21,17 @@ type linkPack struct {
 }
 
 func linkPacks() ([]linkPack, error) {
+	var lastErr error
 	var lps []linkPack
 	for _, af := range [...]int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
 		lls, err := Links(af, "")
 		if err != nil {
-			return nil, err
+			lastErr = err
+			continue
 		}
 		lps = append(lps, linkPack{af: af, lls: lls})
 	}
-	return lps, nil
+	return lps, lastErr
 }
 
 func TestLinks(t *testing.T) {
diff --git a/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go b/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go
index 94231c49c..b5e999bec 100644
--- a/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go
+++ b/vendor/golang.org/x/net/lif/zsys_solaris_amd64.go
@@ -65,7 +65,7 @@ const (
 	sizeofLifIfinfoReq = 0x10
 )
 
-type sysLifnum struct {
+type lifnum struct {
 	Family    uint16
 	Pad_cgo_0 [2]byte
 	Flags     int32
diff --git a/vendor/golang.org/x/net/route/message_darwin_test.go b/vendor/golang.org/x/net/route/message_darwin_test.go
index 3fdd12df5..316aa7507 100644
--- a/vendor/golang.org/x/net/route/message_darwin_test.go
+++ b/vendor/golang.org/x/net/route/message_darwin_test.go
@@ -7,21 +7,28 @@ package route
 import "testing"
 
 func TestFetchAndParseRIBOnDarwin(t *testing.T) {
-	for _, af := range []int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
-		for _, typ := range []RIBType{sysNET_RT_FLAGS, sysNET_RT_DUMP2, sysNET_RT_IFLIST2} {
-			ms, err := fetchAndParseRIB(af, typ)
+	for _, typ := range []RIBType{sysNET_RT_FLAGS, sysNET_RT_DUMP2, sysNET_RT_IFLIST2} {
+		var lastErr error
+		var ms []Message
+		for _, af := range []int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
+			rs, err := fetchAndParseRIB(af, typ)
 			if err != nil {
-				t.Error(err)
+				lastErr = err
 				continue
 			}
-			ss, err := msgs(ms).validate()
-			if err != nil {
-				t.Errorf("%v %d %v", addrFamily(af), typ, err)
-				continue
-			}
-			for _, s := range ss {
-				t.Log(s)
-			}
+			ms = append(ms, rs...)
+		}
+		if len(ms) == 0 && lastErr != nil {
+			t.Error(typ, lastErr)
+			continue
+		}
+		ss, err := msgs(ms).validate()
+		if err != nil {
+			t.Error(typ, err)
+			continue
+		}
+		for _, s := range ss {
+			t.Log(s)
 		}
 	}
 }
diff --git a/vendor/golang.org/x/net/route/message_freebsd_test.go b/vendor/golang.org/x/net/route/message_freebsd_test.go
index 785c273f6..db4b56752 100644
--- a/vendor/golang.org/x/net/route/message_freebsd_test.go
+++ b/vendor/golang.org/x/net/route/message_freebsd_test.go
@@ -6,26 +6,32 @@ package route
 
 import (
 	"testing"
-	"time"
 	"unsafe"
 )
 
 func TestFetchAndParseRIBOnFreeBSD(t *testing.T) {
-	for _, af := range []int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
-		for _, typ := range []RIBType{sysNET_RT_IFMALIST} {
-			ms, err := fetchAndParseRIB(af, typ)
-			if err != nil {
-				t.Error(err)
-				continue
-			}
-			ss, err := msgs(ms).validate()
+	for _, typ := range []RIBType{sysNET_RT_IFMALIST} {
+		var lastErr error
+		var ms []Message
+		for _, af := range []int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
+			rs, err := fetchAndParseRIB(af, typ)
 			if err != nil {
-				t.Errorf("%v %d %v", addrFamily(af), typ, err)
+				lastErr = err
 				continue
 			}
-			for _, s := range ss {
-				t.Log(s)
-			}
+			ms = append(ms, rs...)
+		}
+		if len(ms) == 0 && lastErr != nil {
+			t.Error(typ, lastErr)
+			continue
+		}
+		ss, err := msgs(ms).validate()
+		if err != nil {
+			t.Error(typ, err)
+			continue
+		}
+		for _, s := range ss {
+			t.Log(s)
 		}
 	}
 }
@@ -48,58 +54,38 @@ func TestFetchAndParseRIBOnFreeBSD10AndAbove(t *testing.T) {
 		{typ: sysNET_RT_IFLIST},
 		{typ: sysNET_RT_IFLISTL},
 	}
-	for _, af := range []int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
+	for i := range tests {
 		var lastErr error
-		for i := 0; i < 3; i++ {
-			for j := range tests {
-				var err error
-				if tests[j].b, err = FetchRIB(af, tests[j].typ, 0); err != nil {
-					lastErr = err
-					time.Sleep(10 * time.Millisecond)
-				}
-			}
-			if lastErr == nil {
-				break
+		for _, af := range []int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
+			rs, err := fetchAndParseRIB(af, tests[i].typ)
+			if err != nil {
+				lastErr = err
+				continue
 			}
+			tests[i].msgs = append(tests[i].msgs, rs...)
 		}
-		if lastErr != nil {
-			t.Error(af, lastErr)
+		if len(tests[i].msgs) == 0 && lastErr != nil {
+			t.Error(tests[i].typ, lastErr)
 			continue
 		}
-		for i := range tests {
-			var err error
-			if tests[i].msgs, err = ParseRIB(tests[i].typ, tests[i].b); err != nil {
-				lastErr = err
-				t.Error(af, err)
-			}
-		}
+		tests[i].ss, lastErr = msgs(tests[i].msgs).validate()
 		if lastErr != nil {
+			t.Error(tests[i].typ, lastErr)
 			continue
 		}
-		for i := range tests {
-			var err error
-			tests[i].ss, err = msgs(tests[i].msgs).validate()
-			if err != nil {
-				lastErr = err
-				t.Error(af, err)
-			}
-			for _, s := range tests[i].ss {
-				t.Log(s)
-			}
+		for _, s := range tests[i].ss {
+			t.Log(s)
 		}
-		if lastErr != nil {
+	}
+	for i := len(tests) - 1; i > 0; i-- {
+		if len(tests[i].ss) != len(tests[i-1].ss) {
+			t.Errorf("got %v; want %v", tests[i].ss, tests[i-1].ss)
 			continue
 		}
-		for i := len(tests) - 1; i > 0; i-- {
-			if len(tests[i].ss) != len(tests[i-1].ss) {
-				t.Errorf("got %v; want %v", tests[i].ss, tests[i-1].ss)
-				continue
-			}
-			for j, s1 := range tests[i].ss {
-				s0 := tests[i-1].ss[j]
-				if s1 != s0 {
-					t.Errorf("got %s; want %s", s1, s0)
-				}
+		for j, s1 := range tests[i].ss {
+			s0 := tests[i-1].ss[j]
+			if s1 != s0 {
+				t.Errorf("got %s; want %s", s1, s0)
 			}
 		}
 	}
diff --git a/vendor/golang.org/x/net/route/message_test.go b/vendor/golang.org/x/net/route/message_test.go
index b3bc60c62..e848dabf4 100644
--- a/vendor/golang.org/x/net/route/message_test.go
+++ b/vendor/golang.org/x/net/route/message_test.go
@@ -14,21 +14,28 @@ import (
 )
 
 func TestFetchAndParseRIB(t *testing.T) {
-	for _, af := range []int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
-		for _, typ := range []RIBType{sysNET_RT_DUMP, sysNET_RT_IFLIST} {
-			ms, err := fetchAndParseRIB(af, typ)
+	for _, typ := range []RIBType{sysNET_RT_DUMP, sysNET_RT_IFLIST} {
+		var lastErr error
+		var ms []Message
+		for _, af := range []int{sysAF_UNSPEC, sysAF_INET, sysAF_INET6} {
+			rs, err := fetchAndParseRIB(af, typ)
 			if err != nil {
-				t.Error(err)
-				continue
-			}
-			ss, err := msgs(ms).validate()
-			if err != nil {
-				t.Errorf("%v %d %v", addrFamily(af), typ, err)
+				lastErr = err
 				continue
 			}
-			for _, s := range ss {
-				t.Log(s)
-			}
+			ms = append(ms, rs...)
+		}
+		if len(ms) == 0 && lastErr != nil {
+			t.Error(typ, lastErr)
+			continue
+		}
+		ss, err := msgs(ms).validate()
+		if err != nil {
+			t.Error(typ, err)
+			continue
+		}
+		for _, s := range ss {
+			t.Log(typ, s)
 		}
 	}
 }
@@ -145,8 +152,8 @@ func TestRouteMessage(t *testing.T) {
 
 	var ms []RouteMessage
 	for _, af := range []int{sysAF_INET, sysAF_INET6} {
-		rs, err := fetchAndParseRIB(af, sysNET_RT_DUMP)
-		if err != nil || len(rs) == 0 {
+		if _, err := fetchAndParseRIB(af, sysNET_RT_DUMP); err != nil {
+			t.Log(err)
 			continue
 		}
 		switch af {
@@ -228,6 +235,5 @@ func TestRouteMessage(t *testing.T) {
 		for _, s := range ss {
 			t.Log(s)
 		}
-
 	}
 }
diff --git a/vendor/golang.org/x/net/xsrftoken/xsrf.go b/vendor/golang.org/x/net/xsrftoken/xsrf.go
index 881bf199f..bc861e1f3 100644
--- a/vendor/golang.org/x/net/xsrftoken/xsrf.go
+++ b/vendor/golang.org/x/net/xsrftoken/xsrf.go
@@ -27,15 +27,18 @@ func clean(s string) string {
 
 // Generate returns a URL-safe secure XSRF token that expires in 24 hours.
 //
-// key is a secret key for your application.
-// userID is a unique identifier for the user.
-// actionID is the action the user is taking (e.g. POSTing to a particular path).
+// key is a secret key for your application; it must be non-empty.
+// userID is an optional unique identifier for the user.
+// actionID is an optional action the user is taking (e.g. POSTing to a particular path).
 func Generate(key, userID, actionID string) string {
 	return generateTokenAtTime(key, userID, actionID, time.Now())
 }
 
 // generateTokenAtTime is like Generate, but returns a token that expires 24 hours from now.
 func generateTokenAtTime(key, userID, actionID string, now time.Time) string {
+	if len(key) == 0 {
+		panic("zero length xsrf secret key")
+	}
 	// Round time up and convert to milliseconds.
 	milliTime := (now.UnixNano() + 1e6 - 1) / 1e6
 
@@ -57,6 +60,9 @@ func Valid(token, key, userID, actionID string) bool {
 
 // validTokenAtTime reports whether a token is valid at the given time.
 func validTokenAtTime(token, key, userID, actionID string, now time.Time) bool {
+	if len(key) == 0 {
+		panic("zero length xsrf secret key")
+	}
 	// Extract the issue time of the token.
 	sep := strings.LastIndex(token, ":")
 	if sep < 0 {
diff --git a/vendor/golang.org/x/sys/unix/asm_solaris_amd64.s b/vendor/golang.org/x/sys/unix/asm_solaris_amd64.s
index 43ed17a05..ded8260f3 100644
--- a/vendor/golang.org/x/sys/unix/asm_solaris_amd64.s
+++ b/vendor/golang.org/x/sys/unix/asm_solaris_amd64.s
@@ -10,8 +10,8 @@
 // System calls for amd64, Solaris are implemented in runtime/syscall_solaris.go
 //
 
-TEXT ·sysvicall6(SB),NOSPLIT,$0-64
+TEXT ·sysvicall6(SB),NOSPLIT,$0-88
 	JMP	syscall·sysvicall6(SB)
 
-TEXT ·rawSysvicall6(SB),NOSPLIT,$0-64
+TEXT ·rawSysvicall6(SB),NOSPLIT,$0-88
 	JMP	syscall·rawSysvicall6(SB)
diff --git a/vendor/golang.org/x/sys/unix/linux/types.go b/vendor/golang.org/x/sys/unix/linux/types.go
index 2f8b7cc03..2978c5147 100644
--- a/vendor/golang.org/x/sys/unix/linux/types.go
+++ b/vendor/golang.org/x/sys/unix/linux/types.go
@@ -56,6 +56,7 @@ package unix
 #include <utime.h>
 #include <linux/can.h>
 #include <linux/if_alg.h>
+#include <linux/fs.h>
 #include <linux/vm_sockets.h>
 
 // On mips64, the glibc stat and kernel stat do not agree
@@ -107,6 +108,14 @@ struct stat {
 
 #endif
 
+// Certain constants and structs are missing from the fs/crypto UAPI
+#define FS_MAX_KEY_SIZE                 64
+struct fscrypt_key {
+  __u32 mode;
+  __u8 raw[FS_MAX_KEY_SIZE];
+  __u32 size;
+};
+
 #ifdef TCSETS2
 // On systems that have "struct termios2" use this as type Termios.
 typedef struct termios2 termios_t;
@@ -154,10 +163,8 @@ struct my_sockaddr_un {
 typedef struct user_regs PtraceRegs;
 #elif defined(__aarch64__)
 typedef struct user_pt_regs PtraceRegs;
-#elif defined(__powerpc64__)
+#elif defined(__mips__) || defined(__powerpc64__)
 typedef struct pt_regs PtraceRegs;
-#elif defined(__mips__)
-typedef struct user PtraceRegs;
 #elif defined(__s390x__)
 typedef struct _user_regs_struct PtraceRegs;
 #elif defined(__sparc__)
@@ -248,6 +255,12 @@ type Fsid C.fsid_t
 
 type Flock_t C.struct_flock
 
+// Filesystem Encryption
+
+type FscryptPolicy C.struct_fscrypt_policy
+
+type FscryptKey C.struct_fscrypt_key
+
 // Advice to Fadvise
 
 const (
diff --git a/vendor/golang.org/x/sys/unix/mkall.sh b/vendor/golang.org/x/sys/unix/mkall.sh
index a1a27ae7d..f0d6566f2 100755
--- a/vendor/golang.org/x/sys/unix/mkall.sh
+++ b/vendor/golang.org/x/sys/unix/mkall.sh
@@ -45,7 +45,7 @@ case "$#" in
 	exit 2
 esac
 
-if [[ "$GOOS" -eq "linux" ]] && [[ "$GOARCH" != "sparc64" ]]; then
+if [[ "$GOOS" = "linux" ]] && [[ "$GOARCH" != "sparc64" ]]; then
 	# Use then new build system
 	# Files generated through docker (use $cmd so you can Ctl-C the build or run)
 	$cmd docker build --tag generate:$GOOS $GOOS
diff --git a/vendor/golang.org/x/sys/unix/mkerrors.sh b/vendor/golang.org/x/sys/unix/mkerrors.sh
index 23648b5b7..1bd1c9e6e 100755
--- a/vendor/golang.org/x/sys/unix/mkerrors.sh
+++ b/vendor/golang.org/x/sys/unix/mkerrors.sh
@@ -161,6 +161,7 @@ struct ltchars {
 #include <linux/if_addr.h>
 #include <linux/falloc.h>
 #include <linux/filter.h>
+#include <linux/fs.h>
 #include <linux/netlink.h>
 #include <linux/random.h>
 #include <linux/reboot.h>
@@ -196,6 +197,11 @@ struct ltchars {
 // but it is already in bluetooth_linux.go
 #undef SOL_BLUETOOTH
 #endif
+
+// Certain constants are missing from the fs/crypto UAPI
+#define FS_KEY_DESC_PREFIX              "fscrypt:"
+#define FS_KEY_DESC_PREFIX_SIZE         8
+#define FS_MAX_KEY_SIZE                 64
 '
 
 includes_NetBSD='
@@ -390,12 +396,13 @@ ccflags="$@"
 		$2 ~ /^CLOCK_/ ||
 		$2 ~ /^CAN_/ ||
 		$2 ~ /^ALG_/ ||
+		$2 ~ /^FS_(POLICY_FLAGS|KEY_DESC|ENCRYPTION_MODE|[A-Z0-9_]+_KEY_SIZE|IOC_(GET|SET)_ENCRYPTION)/ ||
 		$2 ~ /^GRND_/ ||
 		$2 ~ /^SPLICE_/ ||
 		$2 ~ /^(VM|VMADDR)_/ ||
 		$2 !~ "WMESGLEN" &&
 		$2 ~ /^W[A-Z0-9]+$/ ||
-		$2 ~ /^BLK/ {printf("\t%s = C.%s\n", $2, $2)}
+		$2 ~ /^BLK[A-Z]*(GET$|SET$|BUF$|PART$|SIZE)/ {printf("\t%s = C.%s\n", $2, $2)}
 		$2 ~ /^__WCOREFLAG$/ {next}
 		$2 ~ /^__W[A-Z0-9]+$/ {printf("\t%s = C.%s\n", substr($2,3), $2)}
 
diff --git a/vendor/golang.org/x/sys/unix/mksyscall.pl b/vendor/golang.org/x/sys/unix/mksyscall.pl
index eb4b56ff7..fb929b4ce 100755
--- a/vendor/golang.org/x/sys/unix/mksyscall.pl
+++ b/vendor/golang.org/x/sys/unix/mksyscall.pl
@@ -70,7 +70,7 @@ if($ARGV[0] =~ /^-/) {
 }
 
 # Check that we are using the new build system if we should
-if($ENV{'GOOS'} eq "linux" || $ENV{'GOARCH'} ne "sparc64") {
+if($ENV{'GOOS'} eq "linux" && $ENV{'GOARCH'} ne "sparc64") {
 	if($ENV{'GOLANG_SYS_BUILD'} ne "docker") {
 		print STDERR "In the new build system, mksyscall should not be called directly.\n";
 		print STDERR "See README.md\n";
diff --git a/vendor/golang.org/x/sys/unix/sockcmsg_unix.go b/vendor/golang.org/x/sys/unix/sockcmsg_unix.go
index f1493a3e6..bb756ece1 100644
--- a/vendor/golang.org/x/sys/unix/sockcmsg_unix.go
+++ b/vendor/golang.org/x/sys/unix/sockcmsg_unix.go
@@ -1,4 +1,4 @@
-// Copyright 2011 The Go Authors.  All rights reserved.
+// Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
@@ -13,9 +13,10 @@ import "unsafe"
 // Round the length of a raw sockaddr up to align it properly.
 func cmsgAlignOf(salen int) int {
 	salign := sizeofPtr
-	// NOTE: It seems like 64-bit Darwin and DragonFly BSD kernels
-	// still require 32-bit aligned access to network subsystem.
-	if darwin64Bit || dragonfly64Bit {
+	// NOTE: It seems like 64-bit Darwin, DragonFly BSD and
+	// Solaris kernels still require 32-bit aligned access to
+	// network subsystem.
+	if darwin64Bit || dragonfly64Bit || solaris64Bit {
 		salign = 4
 	}
 	return (salen + salign - 1) & ^(salign - 1)
diff --git a/vendor/golang.org/x/sys/unix/syscall_dragonfly.go b/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
index 3363456fa..7e0210fc9 100644
--- a/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
+++ b/vendor/golang.org/x/sys/unix/syscall_dragonfly.go
@@ -1,8 +1,8 @@
-// Copyright 2009,2010 The Go Authors. All rights reserved.
+// Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// FreeBSD system calls.
+// DragonFly BSD system calls.
 // This file is compiled as ordinary Go code,
 // but it is also input to mksyscall,
 // which parses the //sys lines and generates system call stubs.
@@ -34,7 +34,7 @@ func nametomib(name string) (mib []_C_int, err error) {
 
 	// NOTE(rsc): It seems strange to set the buffer to have
 	// size CTL_MAXNAME+2 but use only CTL_MAXNAME
-	// as the size.  I don't know why the +2 is here, but the
+	// as the size. I don't know why the +2 is here, but the
 	// kernel uses +2 for its own implementation of this function.
 	// I am scared that if we don't include the +2 here, the kernel
 	// will silently write 2 words farther than we specify
@@ -57,7 +57,7 @@ func nametomib(name string) (mib []_C_int, err error) {
 }
 
 func direntIno(buf []byte) (uint64, bool) {
-	return readInt(buf, unsafe.Offsetof(Dirent{}.Ino), unsafe.Sizeof(Dirent{}.Ino))
+	return readInt(buf, unsafe.Offsetof(Dirent{}.Fileno), unsafe.Sizeof(Dirent{}.Fileno))
 }
 
 func direntReclen(buf []byte) (uint64, bool) {
@@ -65,7 +65,7 @@ func direntReclen(buf []byte) (uint64, bool) {
 	if !ok {
 		return 0, false
 	}
-	return (16 + namlen + 1 + 7) & ^7, true
+	return (16 + namlen + 1 + 7) &^ 7, true
 }
 
 func direntNamlen(buf []byte) (uint64, bool) {
@@ -92,6 +92,24 @@ func Pwrite(fd int, p []byte, offset int64) (n int, err error) {
 	return extpwrite(fd, p, 0, offset)
 }
 
+func Accept4(fd, flags int) (nfd int, sa Sockaddr, err error) {
+	var rsa RawSockaddrAny
+	var len _Socklen = SizeofSockaddrAny
+	nfd, err = accept4(fd, &rsa, &len, flags)
+	if err != nil {
+		return
+	}
+	if len > SizeofSockaddrAny {
+		panic("RawSockaddrAny too small")
+	}
+	sa, err = anyToSockaddr(&rsa)
+	if err != nil {
+		Close(nfd)
+		nfd = 0
+	}
+	return
+}
+
 func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 	var _p0 unsafe.Pointer
 	var bufsize uintptr
@@ -199,6 +217,7 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 //sys   munmap(addr uintptr, length uintptr) (err error)
 //sys	readlen(fd int, buf *byte, nbuf int) (n int, err error) = SYS_READ
 //sys	writelen(fd int, buf *byte, nbuf int) (n int, err error) = SYS_WRITE
+//sys	accept4(fd int, rsa *RawSockaddrAny, addrlen *_Socklen, flags int) (nfd int, err error)
 
 /*
  * Unimplemented
@@ -234,6 +253,8 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 // Kdebug_trace
 // Sigreturn
 // Mmap
+// Mlock
+// Munlock
 // Atsocket
 // Kqueue_from_portset_np
 // Kqueue_portset
@@ -326,6 +347,8 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 // Lio_listio
 // __pthread_cond_wait
 // Iopolicysys
+// Mlockall
+// Munlockall
 // __pthread_kill
 // __pthread_sigmask
 // __sigwait
diff --git a/vendor/golang.org/x/sys/unix/syscall_linux.go b/vendor/golang.org/x/sys/unix/syscall_linux.go
index 9737e08b0..8c102bc7b 100644
--- a/vendor/golang.org/x/sys/unix/syscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
@@ -1038,6 +1038,7 @@ func Mount(source string, target string, fstype string, flags uintptr, data stri
 //sys	Chroot(path string) (err error)
 //sys	ClockGettime(clockid int32, time *Timespec) (err error)
 //sys	Close(fd int) (err error)
+//sys	CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error)
 //sys	Dup(oldfd int) (fd int, err error)
 //sys	Dup3(oldfd int, newfd int, flags int) (err error)
 //sysnb	EpollCreate(size int) (fd int, err error)
diff --git a/vendor/golang.org/x/sys/unix/syscall_linux_mips64x.go b/vendor/golang.org/x/sys/unix/syscall_linux_mips64x.go
index 8119fde37..73318e5c6 100644
--- a/vendor/golang.org/x/sys/unix/syscall_linux_mips64x.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux_mips64x.go
@@ -7,6 +7,7 @@
 
 package unix
 
+//sys	Dup2(oldfd int, newfd int) (err error)
 //sys	EpollWait(epfd int, events []EpollEvent, msec int) (n int, err error)
 //sys	Fchown(fd int, uid int, gid int) (err error)
 //sys	Fstatfs(fd int, buf *Statfs_t) (err error)
@@ -182,9 +183,9 @@ func fillStat_t(s *Stat_t, st *stat_t) {
 	s.Blocks = st.Blocks
 }
 
-func (r *PtraceRegs) PC() uint64 { return r.Regs[64] }
+func (r *PtraceRegs) PC() uint64 { return r.Epc }
 
-func (r *PtraceRegs) SetPC(pc uint64) { r.Regs[64] = pc }
+func (r *PtraceRegs) SetPC(pc uint64) { r.Epc = pc }
 
 func (iov *Iovec) SetLen(length int) {
 	iov.Len = uint64(length)
diff --git a/vendor/golang.org/x/sys/unix/syscall_linux_mipsx.go b/vendor/golang.org/x/sys/unix/syscall_linux_mipsx.go
index be77d24a4..b83d93fdf 100644
--- a/vendor/golang.org/x/sys/unix/syscall_linux_mipsx.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux_mipsx.go
@@ -211,9 +211,9 @@ func Setrlimit(resource int, rlim *Rlimit) (err error) {
 	return setrlimit(resource, &rl)
 }
 
-func (r *PtraceRegs) PC() uint64 { return uint64(r.Regs[64]) }
+func (r *PtraceRegs) PC() uint64 { return r.Epc }
 
-func (r *PtraceRegs) SetPC(pc uint64) { r.Regs[64] = uint32(pc) }
+func (r *PtraceRegs) SetPC(pc uint64) { r.Epc = pc }
 
 func (iov *Iovec) SetLen(length int) {
 	iov.Len = uint32(length)
diff --git a/vendor/golang.org/x/sys/unix/syscall_solaris.go b/vendor/golang.org/x/sys/unix/syscall_solaris.go
index 3cb1d0bfe..cab9b4fba 100644
--- a/vendor/golang.org/x/sys/unix/syscall_solaris.go
+++ b/vendor/golang.org/x/sys/unix/syscall_solaris.go
@@ -422,7 +422,7 @@ func Accept(fd int) (nfd int, sa Sockaddr, err error) {
 	return
 }
 
-//sys	recvmsg(s int, msg *Msghdr, flags int) (n int, err error) = libsocket.recvmsg
+//sys	recvmsg(s int, msg *Msghdr, flags int) (n int, err error) = libsocket.__xnet_recvmsg
 
 func Recvmsg(fd int, p, oob []byte, flags int) (n, oobn int, recvflags int, from Sockaddr, err error) {
 	var msg Msghdr
@@ -441,7 +441,7 @@ func Recvmsg(fd int, p, oob []byte, flags int) (n, oobn int, recvflags int, from
 			iov.Base = &dummy
 			iov.SetLen(1)
 		}
-		msg.Accrights = (*int8)(unsafe.Pointer(&oob[0]))
+		msg.Accrightslen = int32(len(oob))
 	}
 	msg.Iov = &iov
 	msg.Iovlen = 1
@@ -461,7 +461,7 @@ func Sendmsg(fd int, p, oob []byte, to Sockaddr, flags int) (err error) {
 	return
 }
 
-//sys	sendmsg(s int, msg *Msghdr, flags int) (n int, err error) = libsocket.sendmsg
+//sys	sendmsg(s int, msg *Msghdr, flags int) (n int, err error) = libsocket.__xnet_sendmsg
 
 func SendmsgN(fd int, p, oob []byte, to Sockaddr, flags int) (n int, err error) {
 	var ptr unsafe.Pointer
@@ -487,7 +487,7 @@ func SendmsgN(fd int, p, oob []byte, to Sockaddr, flags int) (n int, err error)
 			iov.Base = &dummy
 			iov.SetLen(1)
 		}
-		msg.Accrights = (*int8)(unsafe.Pointer(&oob[0]))
+		msg.Accrightslen = int32(len(oob))
 	}
 	msg.Iov = &iov
 	msg.Iovlen = 1
@@ -583,6 +583,7 @@ func IoctlGetTermio(fd int, req int) (*Termio, error) {
 //sys	Fdatasync(fd int) (err error)
 //sys	Fpathconf(fd int, name int) (val int, err error)
 //sys	Fstat(fd int, stat *Stat_t) (err error)
+//sys	Fstatvfs(fd int, vfsstat *Statvfs_t) (err error)
 //sys	Getdents(fd int, buf []byte, basep *uintptr) (n int, err error)
 //sysnb	Getgid() (gid int)
 //sysnb	Getpid() (pid int)
@@ -599,7 +600,7 @@ func IoctlGetTermio(fd int, req int) (*Termio, error) {
 //sys	Kill(pid int, signum syscall.Signal) (err error)
 //sys	Lchown(path string, uid int, gid int) (err error)
 //sys	Link(path string, link string) (err error)
-//sys	Listen(s int, backlog int) (err error) = libsocket.listen
+//sys	Listen(s int, backlog int) (err error) = libsocket.__xnet_llisten
 //sys	Lstat(path string, stat *Stat_t) (err error)
 //sys	Madvise(b []byte, advice int) (err error)
 //sys	Mkdir(path string, mode uint32) (err error)
@@ -639,6 +640,7 @@ func IoctlGetTermio(fd int, req int) (*Termio, error) {
 //sysnb	Setuid(uid int) (err error)
 //sys	Shutdown(s int, how int) (err error) = libsocket.shutdown
 //sys	Stat(path string, stat *Stat_t) (err error)
+//sys	Statvfs(path string, vfsstat *Statvfs_t) (err error)
 //sys	Symlink(path string, link string) (err error)
 //sys	Sync() (err error)
 //sysnb	Times(tms *Tms) (ticks uintptr, err error)
@@ -652,15 +654,15 @@ func IoctlGetTermio(fd int, req int) (*Termio, error) {
 //sys	Unlinkat(dirfd int, path string, flags int) (err error)
 //sys	Ustat(dev int, ubuf *Ustat_t) (err error)
 //sys	Utime(path string, buf *Utimbuf) (err error)
-//sys	bind(s int, addr unsafe.Pointer, addrlen _Socklen) (err error) = libsocket.bind
-//sys	connect(s int, addr unsafe.Pointer, addrlen _Socklen) (err error) = libsocket.connect
+//sys	bind(s int, addr unsafe.Pointer, addrlen _Socklen) (err error) = libsocket.__xnet_bind
+//sys	connect(s int, addr unsafe.Pointer, addrlen _Socklen) (err error) = libsocket.__xnet_connect
 //sys	mmap(addr uintptr, length uintptr, prot int, flag int, fd int, pos int64) (ret uintptr, err error)
 //sys	munmap(addr uintptr, length uintptr) (err error)
-//sys	sendto(s int, buf []byte, flags int, to unsafe.Pointer, addrlen _Socklen) (err error) = libsocket.sendto
-//sys	socket(domain int, typ int, proto int) (fd int, err error) = libsocket.socket
-//sysnb	socketpair(domain int, typ int, proto int, fd *[2]int32) (err error) = libsocket.socketpair
+//sys	sendto(s int, buf []byte, flags int, to unsafe.Pointer, addrlen _Socklen) (err error) = libsocket.__xnet_sendto
+//sys	socket(domain int, typ int, proto int) (fd int, err error) = libsocket.__xnet_socket
+//sysnb	socketpair(domain int, typ int, proto int, fd *[2]int32) (err error) = libsocket.__xnet_socketpair
 //sys	write(fd int, p []byte) (n int, err error)
-//sys	getsockopt(s int, level int, name int, val unsafe.Pointer, vallen *_Socklen) (err error) = libsocket.getsockopt
+//sys	getsockopt(s int, level int, name int, val unsafe.Pointer, vallen *_Socklen) (err error) = libsocket.__xnet_getsockopt
 //sysnb	getpeername(fd int, rsa *RawSockaddrAny, addrlen *_Socklen) (err error) = libsocket.getpeername
 //sys	setsockopt(s int, level int, name int, val unsafe.Pointer, vallen uintptr) (err error) = libsocket.setsockopt
 //sys	recvfrom(fd int, p []byte, flags int, from *RawSockaddrAny, fromlen *_Socklen) (n int, err error) = libsocket.recvfrom
diff --git a/vendor/golang.org/x/sys/unix/syscall_solaris_test.go b/vendor/golang.org/x/sys/unix/syscall_solaris_test.go
new file mode 100644
index 000000000..d3e7d2b2e
--- /dev/null
+++ b/vendor/golang.org/x/sys/unix/syscall_solaris_test.go
@@ -0,0 +1,34 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build solaris
+
+package unix_test
+
+import (
+	"os/exec"
+	"testing"
+
+	"golang.org/x/sys/unix"
+)
+
+func TestStatvfs(t *testing.T) {
+	if err := unix.Statvfs("", nil); err == nil {
+		t.Fatal(`Statvfs("") expected failure`)
+	}
+
+	statvfs := unix.Statvfs_t{}
+	if err := unix.Statvfs("/", &statvfs); err != nil {
+		t.Errorf(`Statvfs("/") failed: %v`, err)
+	}
+
+	if t.Failed() {
+		mount, err := exec.Command("mount").CombinedOutput()
+		if err != nil {
+			t.Logf("mount: %v\n%s", err, mount)
+		} else {
+			t.Logf("mount: %s", mount)
+		}
+	}
+}
diff --git a/vendor/golang.org/x/sys/unix/syscall_unix.go b/vendor/golang.org/x/sys/unix/syscall_unix.go
index 8a5237de8..3ed8a91f5 100644
--- a/vendor/golang.org/x/sys/unix/syscall_unix.go
+++ b/vendor/golang.org/x/sys/unix/syscall_unix.go
@@ -23,6 +23,7 @@ const (
 	darwin64Bit    = runtime.GOOS == "darwin" && sizeofPtr == 8
 	dragonfly64Bit = runtime.GOOS == "dragonfly" && sizeofPtr == 8
 	netbsd32Bit    = runtime.GOOS == "netbsd" && sizeofPtr == 4
+	solaris64Bit   = runtime.GOOS == "solaris" && sizeofPtr == 8
 )
 
 // Do the interface allocations only once for common
diff --git a/vendor/golang.org/x/sys/unix/syscall_unix_test.go b/vendor/golang.org/x/sys/unix/syscall_unix_test.go
index 49208a000..394b3502e 100644
--- a/vendor/golang.org/x/sys/unix/syscall_unix_test.go
+++ b/vendor/golang.org/x/sys/unix/syscall_unix_test.go
@@ -86,14 +86,6 @@ func TestFcntlFlock(t *testing.T) {
 // "-test.run=^TestPassFD$" and an environment variable used to signal
 // that the test should become the child process instead.
 func TestPassFD(t *testing.T) {
-	switch runtime.GOOS {
-	case "dragonfly":
-		// TODO(jsing): Figure out why sendmsg is returning EINVAL.
-		t.Skip("skipping test on dragonfly")
-	case "solaris":
-		// TODO(aram): Figure out why ReadMsgUnix is returning empty message.
-		t.Skip("skipping test on solaris, see issue 7402")
-	}
 	if os.Getenv("GO_WANT_HELPER_PROCESS") == "1" {
 		passFDChild()
 		return
diff --git a/vendor/golang.org/x/sys/unix/types_solaris.go b/vendor/golang.org/x/sys/unix/types_solaris.go
index 69bf1bc4a..393c7f04f 100644
--- a/vendor/golang.org/x/sys/unix/types_solaris.go
+++ b/vendor/golang.org/x/sys/unix/types_solaris.go
@@ -37,6 +37,7 @@ package unix
 #include <sys/signal.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
+#include <sys/statvfs.h>
 #include <sys/time.h>
 #include <sys/times.h>
 #include <sys/types.h>
@@ -139,6 +140,12 @@ type Flock_t C.struct_flock
 
 type Dirent C.struct_dirent
 
+// Filesystems
+
+type _Fsblkcnt_t C.fsblkcnt_t
+
+type Statvfs_t C.struct_statvfs
+
 // Sockets
 
 type RawSockaddrInet4 C.struct_sockaddr_in
diff --git a/vendor/golang.org/x/sys/unix/zerrors_dragonfly_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_dragonfly_amd64.go
index 0feceee15..8f40598bb 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_dragonfly_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_dragonfly_amd64.go
@@ -1,5 +1,5 @@
 // mkerrors.sh -m64
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+// Code generated by the command above; see README.md. DO NOT EDIT.
 
 // +build amd64,dragonfly
 
@@ -37,8 +37,8 @@ const (
 	AF_MAX                            = 0x24
 	AF_MPLS                           = 0x22
 	AF_NATM                           = 0x1d
+	AF_NETBIOS                        = 0x6
 	AF_NETGRAPH                       = 0x20
-	AF_NS                             = 0x6
 	AF_OSI                            = 0x7
 	AF_PUP                            = 0x4
 	AF_ROUTE                          = 0x11
@@ -46,6 +46,7 @@ const (
 	AF_SNA                            = 0xb
 	AF_UNIX                           = 0x1
 	AF_UNSPEC                         = 0x0
+	ALTWERASE                         = 0x200
 	B0                                = 0x0
 	B110                              = 0x6e
 	B115200                           = 0x1c200
@@ -141,7 +142,22 @@ const (
 	BRKINT                            = 0x2
 	CFLUSH                            = 0xf
 	CLOCAL                            = 0x8000
+	CLOCK_MONOTONIC                   = 0x4
+	CLOCK_MONOTONIC_FAST              = 0xc
+	CLOCK_MONOTONIC_PRECISE           = 0xb
+	CLOCK_PROCESS_CPUTIME_ID          = 0xf
+	CLOCK_PROF                        = 0x2
+	CLOCK_REALTIME                    = 0x0
+	CLOCK_REALTIME_FAST               = 0xa
+	CLOCK_REALTIME_PRECISE            = 0x9
+	CLOCK_SECOND                      = 0xd
+	CLOCK_THREAD_CPUTIME_ID           = 0xe
+	CLOCK_UPTIME                      = 0x5
+	CLOCK_UPTIME_FAST                 = 0x8
+	CLOCK_UPTIME_PRECISE              = 0x7
+	CLOCK_VIRTUAL                     = 0x1
 	CREAD                             = 0x800
+	CRTSCTS                           = 0x30000
 	CS5                               = 0x0
 	CS6                               = 0x100
 	CS7                               = 0x200
@@ -286,24 +302,28 @@ const (
 	ECHOPRT                           = 0x20
 	EVFILT_AIO                        = -0x3
 	EVFILT_EXCEPT                     = -0x8
+	EVFILT_FS                         = -0xa
 	EVFILT_MARKER                     = 0xf
 	EVFILT_PROC                       = -0x5
 	EVFILT_READ                       = -0x1
 	EVFILT_SIGNAL                     = -0x6
-	EVFILT_SYSCOUNT                   = 0x8
+	EVFILT_SYSCOUNT                   = 0xa
 	EVFILT_TIMER                      = -0x7
+	EVFILT_USER                       = -0x9
 	EVFILT_VNODE                      = -0x4
 	EVFILT_WRITE                      = -0x2
 	EV_ADD                            = 0x1
 	EV_CLEAR                          = 0x20
 	EV_DELETE                         = 0x2
 	EV_DISABLE                        = 0x8
+	EV_DISPATCH                       = 0x80
 	EV_ENABLE                         = 0x4
 	EV_EOF                            = 0x8000
 	EV_ERROR                          = 0x4000
 	EV_FLAG1                          = 0x2000
 	EV_NODATA                         = 0x1000
 	EV_ONESHOT                        = 0x10
+	EV_RECEIPT                        = 0x40
 	EV_SYSFLAGS                       = 0xf000
 	EXTA                              = 0x4b00
 	EXTB                              = 0x9600
@@ -679,7 +699,6 @@ const (
 	IPPROTO_SATEXPAK                  = 0x40
 	IPPROTO_SATMON                    = 0x45
 	IPPROTO_SCCSP                     = 0x60
-	IPPROTO_SCTP                      = 0x84
 	IPPROTO_SDRP                      = 0x2a
 	IPPROTO_SEP                       = 0x21
 	IPPROTO_SKIP                      = 0x39
@@ -730,6 +749,7 @@ const (
 	IPV6_LEAVE_GROUP                  = 0xd
 	IPV6_MAXHLIM                      = 0xff
 	IPV6_MAXPACKET                    = 0xffff
+	IPV6_MINHLIM                      = 0x28
 	IPV6_MMTU                         = 0x500
 	IPV6_MSFILTER                     = 0x4a
 	IPV6_MULTICAST_HOPS               = 0xa
@@ -778,6 +798,7 @@ const (
 	IP_FW_FLUSH                       = 0x34
 	IP_FW_GET                         = 0x36
 	IP_FW_RESETLOG                    = 0x37
+	IP_FW_X                           = 0x31
 	IP_FW_ZERO                        = 0x35
 	IP_HDRINCL                        = 0x2
 	IP_IPSEC_POLICY                   = 0x15
@@ -833,6 +854,7 @@ const (
 	MADV_SETMAP                       = 0xb
 	MADV_WILLNEED                     = 0x3
 	MAP_ANON                          = 0x1000
+	MAP_ANONYMOUS                     = 0x1000
 	MAP_COPY                          = 0x2
 	MAP_FILE                          = 0x0
 	MAP_FIXED                         = 0x10
@@ -851,6 +873,7 @@ const (
 	MAP_VPAGETABLE                    = 0x2000
 	MCL_CURRENT                       = 0x1
 	MCL_FUTURE                        = 0x2
+	MSG_CMSG_CLOEXEC                  = 0x1000
 	MSG_CTRUNC                        = 0x20
 	MSG_DONTROUTE                     = 0x4
 	MSG_DONTWAIT                      = 0x80
@@ -860,11 +883,11 @@ const (
 	MSG_FMASK                         = 0xffff0000
 	MSG_FNONBLOCKING                  = 0x20000
 	MSG_NOSIGNAL                      = 0x400
-	MSG_NOTIFICATION                  = 0x200
 	MSG_OOB                           = 0x1
 	MSG_PEEK                          = 0x2
 	MSG_SYNC                          = 0x800
 	MSG_TRUNC                         = 0x10
+	MSG_UNUSED09                      = 0x200
 	MSG_WAITALL                       = 0x40
 	MS_ASYNC                          = 0x1
 	MS_INVALIDATE                     = 0x2
@@ -875,12 +898,19 @@ const (
 	NET_RT_IFLIST                     = 0x3
 	NET_RT_MAXID                      = 0x4
 	NOFLSH                            = 0x80000000
+	NOKERNINFO                        = 0x2000000
 	NOTE_ATTRIB                       = 0x8
 	NOTE_CHILD                        = 0x4
 	NOTE_DELETE                       = 0x1
 	NOTE_EXEC                         = 0x20000000
 	NOTE_EXIT                         = 0x80000000
 	NOTE_EXTEND                       = 0x4
+	NOTE_FFAND                        = 0x40000000
+	NOTE_FFCOPY                       = 0xc0000000
+	NOTE_FFCTRLMASK                   = 0xc0000000
+	NOTE_FFLAGSMASK                   = 0xffffff
+	NOTE_FFNOP                        = 0x0
+	NOTE_FFOR                         = 0x80000000
 	NOTE_FORK                         = 0x40000000
 	NOTE_LINK                         = 0x10
 	NOTE_LOWAT                        = 0x1
@@ -891,6 +921,7 @@ const (
 	NOTE_REVOKE                       = 0x40
 	NOTE_TRACK                        = 0x1
 	NOTE_TRACKERR                     = 0x2
+	NOTE_TRIGGER                      = 0x1000000
 	NOTE_WRITE                        = 0x2
 	OCRNL                             = 0x10
 	ONLCR                             = 0x2
@@ -898,6 +929,7 @@ const (
 	ONOCR                             = 0x20
 	ONOEOT                            = 0x8
 	OPOST                             = 0x1
+	OXTABS                            = 0x4
 	O_ACCMODE                         = 0x3
 	O_APPEND                          = 0x8
 	O_ASYNC                           = 0x40
@@ -910,14 +942,11 @@ const (
 	O_FAPPEND                         = 0x100000
 	O_FASYNCWRITE                     = 0x800000
 	O_FBLOCKING                       = 0x40000
-	O_FBUFFERED                       = 0x2000000
-	O_FMASK                           = 0x7fc0000
+	O_FMASK                           = 0xfc0000
 	O_FNONBLOCKING                    = 0x80000
 	O_FOFFSET                         = 0x200000
 	O_FSYNC                           = 0x80
 	O_FSYNCWRITE                      = 0x400000
-	O_FUNBUFFERED                     = 0x1000000
-	O_MAPONREAD                       = 0x4000000
 	O_NDELAY                          = 0x4
 	O_NOCTTY                          = 0x8000
 	O_NOFOLLOW                        = 0x100
@@ -1096,8 +1125,10 @@ const (
 	SIOCSLIFPHYADDR                   = 0x8118694a
 	SIOCSLOWAT                        = 0x80047302
 	SIOCSPGRP                         = 0x80047308
+	SOCK_CLOEXEC                      = 0x10000000
 	SOCK_DGRAM                        = 0x2
 	SOCK_MAXADDRLEN                   = 0xff
+	SOCK_NONBLOCK                     = 0x20000000
 	SOCK_RAW                          = 0x3
 	SOCK_RDM                          = 0x4
 	SOCK_SEQPACKET                    = 0x5
@@ -1107,6 +1138,7 @@ const (
 	SO_ACCEPTCONN                     = 0x2
 	SO_ACCEPTFILTER                   = 0x1000
 	SO_BROADCAST                      = 0x20
+	SO_CPUHINT                        = 0x1030
 	SO_DEBUG                          = 0x1
 	SO_DONTROUTE                      = 0x10
 	SO_ERROR                          = 0x1007
@@ -1127,8 +1159,12 @@ const (
 	SO_TYPE                           = 0x1008
 	SO_USELOOPBACK                    = 0x40
 	TCIFLUSH                          = 0x1
+	TCIOFF                            = 0x3
 	TCIOFLUSH                         = 0x3
+	TCION                             = 0x4
 	TCOFLUSH                          = 0x2
+	TCOOFF                            = 0x1
+	TCOON                             = 0x2
 	TCP_FASTKEEP                      = 0x80
 	TCP_KEEPCNT                       = 0x400
 	TCP_KEEPIDLE                      = 0x100
@@ -1227,6 +1263,8 @@ const (
 	VKILL                             = 0x5
 	VLNEXT                            = 0xe
 	VMIN                              = 0x10
+	VM_BCACHE_SIZE_MAX                = 0x0
+	VM_SWZONE_SIZE_MAX                = 0x4000000000
 	VQUIT                             = 0x9
 	VREPRINT                          = 0x6
 	VSTART                            = 0xc
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
index 14a56e03c..341bdfc9f 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_386.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x1264
 	BLKGETSIZE                       = 0x1260
 	BLKGETSIZE64                     = 0x80041272
+	BLKPBSZGET                       = 0x127b
 	BLKRAGET                         = 0x1263
 	BLKRASET                         = 0x1262
 	BLKROGET                         = 0x125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x8000
 	FFDLY                            = 0x8000
 	FLUSHO                           = 0x1000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x400c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x40106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x800c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -810,6 +829,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -823,6 +843,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -839,6 +861,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
index bc7ecee8b..f636a396d 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_amd64.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x1264
 	BLKGETSIZE                       = 0x1260
 	BLKGETSIZE64                     = 0x80081272
+	BLKPBSZGET                       = 0x127b
 	BLKRAGET                         = 0x1263
 	BLKRASET                         = 0x1262
 	BLKROGET                         = 0x125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x8000
 	FFDLY                            = 0x8000
 	FLUSHO                           = 0x1000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x400c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x40106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x800c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -810,6 +829,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -823,6 +843,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -839,6 +861,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
index 189e1e91f..986a94735 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x1264
 	BLKGETSIZE                       = 0x1260
 	BLKGETSIZE64                     = 0x80041272
+	BLKPBSZGET                       = 0x127b
 	BLKRAGET                         = 0x1263
 	BLKRASET                         = 0x1262
 	BLKROGET                         = 0x125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x8000
 	FFDLY                            = 0x8000
 	FLUSHO                           = 0x1000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x400c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x40106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x800c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -809,6 +828,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -822,6 +842,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -838,6 +860,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
index ed41e1203..b72a64538 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x1264
 	BLKGETSIZE                       = 0x1260
 	BLKGETSIZE64                     = 0x80081272
+	BLKPBSZGET                       = 0x127b
 	BLKRAGET                         = 0x1263
 	BLKRASET                         = 0x1262
 	BLKROGET                         = 0x125e
@@ -450,6 +451,24 @@ const (
 	FF1                              = 0x8000
 	FFDLY                            = 0x8000
 	FLUSHO                           = 0x1000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x400c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x40106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x800c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -810,6 +829,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -823,6 +843,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -839,6 +861,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
index e1af3af42..198a30548 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x20001264
 	BLKGETSIZE                       = 0x20001260
 	BLKGETSIZE64                     = 0x40041272
+	BLKPBSZGET                       = 0x2000127b
 	BLKRAGET                         = 0x20001263
 	BLKRASET                         = 0x20001262
 	BLKROGET                         = 0x2000125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x8000
 	FFDLY                            = 0x8000
 	FLUSHO                           = 0x2000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x800c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x80106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x400c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -810,6 +829,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -823,6 +843,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -839,6 +861,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
index 35c7280be..37d66f31a 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x20001264
 	BLKGETSIZE                       = 0x20001260
 	BLKGETSIZE64                     = 0x40081272
+	BLKPBSZGET                       = 0x2000127b
 	BLKRAGET                         = 0x20001263
 	BLKRASET                         = 0x20001262
 	BLKROGET                         = 0x2000125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x8000
 	FFDLY                            = 0x8000
 	FLUSHO                           = 0x2000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x800c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x80106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x400c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -810,6 +829,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -823,6 +843,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -839,6 +861,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
index 768e9a75f..0f33f0fa5 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mips64le.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x20001264
 	BLKGETSIZE                       = 0x20001260
 	BLKGETSIZE64                     = 0x40081272
+	BLKPBSZGET                       = 0x2000127b
 	BLKRAGET                         = 0x20001263
 	BLKRASET                         = 0x20001262
 	BLKROGET                         = 0x2000125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x8000
 	FFDLY                            = 0x8000
 	FLUSHO                           = 0x2000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x800c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x80106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x400c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -810,6 +829,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -823,6 +843,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -839,6 +861,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
index b6ea4b7c7..3fa39fa79 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_mipsle.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x20001264
 	BLKGETSIZE                       = 0x20001260
 	BLKGETSIZE64                     = 0x40041272
+	BLKPBSZGET                       = 0x2000127b
 	BLKRAGET                         = 0x20001263
 	BLKRASET                         = 0x20001262
 	BLKROGET                         = 0x2000125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x8000
 	FFDLY                            = 0x8000
 	FLUSHO                           = 0x2000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x800c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x80106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x400c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -810,6 +829,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -823,6 +843,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -839,6 +861,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
index cf2546c73..4585ef778 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x20001264
 	BLKGETSIZE                       = 0x20001260
 	BLKGETSIZE64                     = 0x40081272
+	BLKPBSZGET                       = 0x2000127b
 	BLKRAGET                         = 0x20001263
 	BLKRASET                         = 0x20001262
 	BLKROGET                         = 0x2000125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x4000
 	FFDLY                            = 0x4000
 	FLUSHO                           = 0x800000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x800c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x80106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x400c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -809,6 +828,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -822,6 +842,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -838,6 +860,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
index 0609cc135..b2a9128c4 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_ppc64le.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x20001264
 	BLKGETSIZE                       = 0x20001260
 	BLKGETSIZE64                     = 0x40081272
+	BLKPBSZGET                       = 0x2000127b
 	BLKRAGET                         = 0x20001263
 	BLKRASET                         = 0x20001262
 	BLKROGET                         = 0x2000125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x4000
 	FFDLY                            = 0x4000
 	FLUSHO                           = 0x800000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x800c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x80106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x400c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -809,6 +828,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -822,6 +842,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -838,6 +860,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
index f9556ed11..f8b0eb7ba 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_s390x.go
@@ -168,6 +168,7 @@ const (
 	BLKFRASET                        = 0x1264
 	BLKGETSIZE                       = 0x1260
 	BLKGETSIZE64                     = 0x80081272
+	BLKPBSZGET                       = 0x127b
 	BLKRAGET                         = 0x1263
 	BLKRASET                         = 0x1262
 	BLKROGET                         = 0x125e
@@ -449,6 +450,24 @@ const (
 	FF1                              = 0x8000
 	FFDLY                            = 0x8000
 	FLUSHO                           = 0x1000
+	FS_ENCRYPTION_MODE_AES_256_CBC   = 0x3
+	FS_ENCRYPTION_MODE_AES_256_CTS   = 0x4
+	FS_ENCRYPTION_MODE_AES_256_GCM   = 0x2
+	FS_ENCRYPTION_MODE_AES_256_XTS   = 0x1
+	FS_ENCRYPTION_MODE_INVALID       = 0x0
+	FS_IOC_GET_ENCRYPTION_POLICY     = 0x400c6615
+	FS_IOC_GET_ENCRYPTION_PWSALT     = 0x40106614
+	FS_IOC_SET_ENCRYPTION_POLICY     = 0x800c6613
+	FS_KEY_DESCRIPTOR_SIZE           = 0x8
+	FS_KEY_DESC_PREFIX               = "fscrypt:"
+	FS_KEY_DESC_PREFIX_SIZE          = 0x8
+	FS_MAX_KEY_SIZE                  = 0x40
+	FS_POLICY_FLAGS_PAD_16           = 0x2
+	FS_POLICY_FLAGS_PAD_32           = 0x3
+	FS_POLICY_FLAGS_PAD_4            = 0x0
+	FS_POLICY_FLAGS_PAD_8            = 0x1
+	FS_POLICY_FLAGS_PAD_MASK         = 0x3
+	FS_POLICY_FLAGS_VALID            = 0x3
 	F_DUPFD                          = 0x0
 	F_DUPFD_CLOEXEC                  = 0x406
 	F_EXLCK                          = 0x4
@@ -809,6 +828,7 @@ const (
 	MS_ACTIVE                        = 0x40000000
 	MS_ASYNC                         = 0x1
 	MS_BIND                          = 0x1000
+	MS_BORN                          = 0x20000000
 	MS_DIRSYNC                       = 0x80
 	MS_INVALIDATE                    = 0x2
 	MS_I_VERSION                     = 0x800000
@@ -822,6 +842,8 @@ const (
 	MS_NODEV                         = 0x4
 	MS_NODIRATIME                    = 0x800
 	MS_NOEXEC                        = 0x8
+	MS_NOREMOTELOCK                  = 0x8000000
+	MS_NOSEC                         = 0x10000000
 	MS_NOSUID                        = 0x2
 	MS_NOUSER                        = -0x80000000
 	MS_POSIXACL                      = 0x10000
@@ -838,6 +860,7 @@ const (
 	MS_SYNC                          = 0x4
 	MS_SYNCHRONOUS                   = 0x10
 	MS_UNBINDABLE                    = 0x20000
+	MS_VERBOSE                       = 0x8000
 	NAME_MAX                         = 0xff
 	NETLINK_ADD_MEMBERSHIP           = 0x1
 	NETLINK_AUDIT                    = 0x9
diff --git a/vendor/golang.org/x/sys/unix/zerrors_solaris_amd64.go b/vendor/golang.org/x/sys/unix/zerrors_solaris_amd64.go
index a08922b98..81e83d78f 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_solaris_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_solaris_amd64.go
@@ -1,5 +1,5 @@
 // mkerrors.sh -m64
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+// Code generated by the command above; see README.md. DO NOT EDIT.
 
 // +build amd64,solaris
 
@@ -159,7 +159,12 @@ const (
 	BPF_W                         = 0x0
 	BPF_X                         = 0x8
 	BRKINT                        = 0x2
+	BS0                           = 0x0
+	BS1                           = 0x2000
+	BSDLY                         = 0x2000
+	CBAUD                         = 0xf
 	CFLUSH                        = 0xf
+	CIBAUD                        = 0xf0000
 	CLOCAL                        = 0x800
 	CLOCK_HIGHRES                 = 0x4
 	CLOCK_LEVEL                   = 0xa
@@ -169,7 +174,13 @@ const (
 	CLOCK_REALTIME                = 0x3
 	CLOCK_THREAD_CPUTIME_ID       = 0x2
 	CLOCK_VIRTUAL                 = 0x1
+	CR0                           = 0x0
+	CR1                           = 0x200
+	CR2                           = 0x400
+	CR3                           = 0x600
+	CRDLY                         = 0x600
 	CREAD                         = 0x80
+	CRTSCTS                       = 0x80000000
 	CS5                           = 0x0
 	CS6                           = 0x10
 	CS7                           = 0x20
@@ -276,6 +287,9 @@ const (
 	FD_CLOEXEC                    = 0x1
 	FD_NFDBITS                    = 0x40
 	FD_SETSIZE                    = 0x10000
+	FF0                           = 0x0
+	FF1                           = 0x8000
+	FFDLY                         = 0x8000
 	FLUSHALL                      = 0x1
 	FLUSHDATA                     = 0x0
 	FLUSHO                        = 0x2000
@@ -290,6 +304,10 @@ const (
 	F_DUP2FD_CLOEXEC              = 0x24
 	F_DUPFD                       = 0x0
 	F_DUPFD_CLOEXEC               = 0x25
+	F_FLOCK                       = 0x35
+	F_FLOCK64                     = 0x35
+	F_FLOCKW                      = 0x36
+	F_FLOCKW64                    = 0x36
 	F_FREESP                      = 0xb
 	F_FREESP64                    = 0xb
 	F_GETFD                       = 0x1
@@ -304,6 +322,12 @@ const (
 	F_MDACC                       = 0x20
 	F_NODNY                       = 0x0
 	F_NPRIV                       = 0x10
+	F_OFD_GETLK                   = 0x2f
+	F_OFD_GETLK64                 = 0x2f
+	F_OFD_SETLK                   = 0x30
+	F_OFD_SETLK64                 = 0x30
+	F_OFD_SETLKW                  = 0x31
+	F_OFD_SETLKW64                = 0x31
 	F_PRIV                        = 0xf
 	F_QUOTACTL                    = 0x11
 	F_RDACC                       = 0x1
@@ -332,6 +356,7 @@ const (
 	F_WRDNY                       = 0x2
 	F_WRLCK                       = 0x2
 	HUPCL                         = 0x400
+	IBSHIFT                       = 0x10
 	ICANON                        = 0x2
 	ICRNL                         = 0x100
 	IEXTEN                        = 0x8000
@@ -589,15 +614,21 @@ const (
 	IP_UNSPEC_SRC                 = 0x42
 	ISIG                          = 0x1
 	ISTRIP                        = 0x20
+	IUCLC                         = 0x200
 	IXANY                         = 0x800
 	IXOFF                         = 0x1000
 	IXON                          = 0x400
+	LOCK_EX                       = 0x2
+	LOCK_NB                       = 0x4
+	LOCK_SH                       = 0x1
+	LOCK_UN                       = 0x8
 	MADV_ACCESS_DEFAULT           = 0x6
 	MADV_ACCESS_LWP               = 0x7
 	MADV_ACCESS_MANY              = 0x8
 	MADV_DONTNEED                 = 0x4
 	MADV_FREE                     = 0x5
 	MADV_NORMAL                   = 0x0
+	MADV_PURGE                    = 0x9
 	MADV_RANDOM                   = 0x1
 	MADV_SEQUENTIAL               = 0x2
 	MADV_WILLNEED                 = 0x3
@@ -605,6 +636,7 @@ const (
 	MAP_ALIGN                     = 0x200
 	MAP_ANON                      = 0x100
 	MAP_ANONYMOUS                 = 0x100
+	MAP_FILE                      = 0x0
 	MAP_FIXED                     = 0x10
 	MAP_INITDATA                  = 0x800
 	MAP_NORESERVE                 = 0x40
@@ -632,10 +664,14 @@ const (
 	MS_OLDSYNC                    = 0x0
 	MS_SYNC                       = 0x4
 	M_FLUSH                       = 0x86
+	NL0                           = 0x0
+	NL1                           = 0x100
+	NLDLY                         = 0x100
 	NOFLSH                        = 0x80
 	OCRNL                         = 0x8
 	OFDEL                         = 0x80
 	OFILL                         = 0x40
+	OLCUC                         = 0x2
 	ONLCR                         = 0x4
 	ONLRET                        = 0x20
 	ONOCR                         = 0x10
@@ -955,12 +991,21 @@ const (
 	SO_USELOOPBACK                = 0x40
 	SO_VRRP                       = 0x1017
 	SO_WROFF                      = 0x2
+	TAB0                          = 0x0
+	TAB1                          = 0x800
+	TAB2                          = 0x1000
+	TAB3                          = 0x1800
+	TABDLY                        = 0x1800
 	TCFLSH                        = 0x5407
 	TCGETA                        = 0x5401
 	TCGETS                        = 0x540d
 	TCIFLUSH                      = 0x0
+	TCIOFF                        = 0x2
 	TCIOFLUSH                     = 0x2
+	TCION                         = 0x3
 	TCOFLUSH                      = 0x1
+	TCOOFF                        = 0x0
+	TCOON                         = 0x1
 	TCP_ABORT_THRESHOLD           = 0x11
 	TCP_ANONPRIVBIND              = 0x20
 	TCP_CONN_ABORT_THRESHOLD      = 0x13
@@ -1089,6 +1134,8 @@ const (
 	WSTOPPED                      = 0x4
 	WTRAPPED                      = 0x2
 	WUNTRACED                     = 0x4
+	XCASE                         = 0x4
+	XTABS                         = 0x1800
 )
 
 // Errors
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go
index 3e9d82a27..eafceb8e8 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_dragonfly_amd64.go
@@ -1,5 +1,5 @@
 // mksyscall.pl -dragonfly -tags dragonfly,amd64 syscall_bsd.go syscall_dragonfly.go syscall_dragonfly_amd64.go
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+// Code generated by the command above; see README.md. DO NOT EDIT.
 
 // +build dragonfly,amd64
 
@@ -1380,3 +1380,14 @@ func writelen(fd int, buf *byte, nbuf int) (n int, err error) {
 	}
 	return
 }
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func accept4(fd int, rsa *RawSockaddrAny, addrlen *_Socklen, flags int) (nfd int, err error) {
+	r0, _, e1 := Syscall6(SYS_ACCEPT4, uintptr(fd), uintptr(unsafe.Pointer(rsa)), uintptr(unsafe.Pointer(addrlen)), uintptr(flags), 0, 0)
+	nfd = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_386.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_386.go
index 41693a960..b4e9d8b3d 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_386.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_amd64.go
index f10621d90..3de166a58 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_amd64.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_arm.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_arm.go
index fae666f6f..03463aecd 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_arm.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_arm64.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_arm64.go
index a4dca395a..4f68f3925 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_arm64.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_mips.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_mips.go
index b56db7295..73d68896c 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_mips.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64.go
index ca2359deb..60c9629d8 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
@@ -1194,6 +1205,16 @@ func Munlockall() (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func Dup2(oldfd int, newfd int) (err error) {
+	_, _, e1 := Syscall(SYS_DUP2, uintptr(oldfd), uintptr(newfd), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func EpollWait(epfd int, events []EpollEvent, msec int) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(events) > 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64le.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64le.go
index e574940f9..1fc8c6593 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_mips64le.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
@@ -1194,6 +1205,16 @@ func Munlockall() (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func Dup2(oldfd int, newfd int) (err error) {
+	_, _, e1 := Syscall(SYS_DUP2, uintptr(oldfd), uintptr(newfd), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func EpollWait(epfd int, events []EpollEvent, msec int) (n int, err error) {
 	var _p0 unsafe.Pointer
 	if len(events) > 0 {
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_mipsle.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_mipsle.go
index 31836d456..c5f87e63f 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_mipsle.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64.go
index 4a767558c..cee6ec35e 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64le.go
index 5fb34282d..f031e10ab 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_ppc64le.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_s390x.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_s390x.go
index 79d285ca3..4e4728ab3 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_s390x.go
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux_sparc64.go b/vendor/golang.org/x/sys/unix/zsyscall_linux_sparc64.go
index ce3ec585b..2dd98434e 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux_sparc64.go
@@ -1,5 +1,5 @@
 // mksyscall.pl -tags linux,sparc64 syscall_linux.go syscall_linux_sparc64.go
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+// Code generated by the command above; see README.md. DO NOT EDIT.
 
 // +build linux,sparc64
 
@@ -312,6 +312,17 @@ func Close(fd int) (err error) {
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func CopyFileRange(rfd int, roff *int64, wfd int, woff *int64, len int, flags int) (n int, err error) {
+	r0, _, e1 := Syscall6(SYS_COPY_FILE_RANGE, uintptr(rfd), uintptr(unsafe.Pointer(roff)), uintptr(wfd), uintptr(unsafe.Pointer(woff)), uintptr(len), uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func Dup(oldfd int) (fd int, err error) {
 	r0, _, e1 := Syscall(SYS_DUP, uintptr(oldfd), 0, 0)
 	fd = int(r0)
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go b/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
index bdf140b18..cbc6f6e3a 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_solaris_amd64.go
@@ -1,5 +1,5 @@
 // mksyscall_solaris.pl -tags solaris,amd64 syscall_solaris.go syscall_solaris_amd64.go
-// MACHINE GENERATED BY THE COMMAND ABOVE; DO NOT EDIT
+// Code generated by the command above; see README.md. DO NOT EDIT.
 
 // +build solaris,amd64
 
@@ -22,8 +22,8 @@ import (
 //go:cgo_import_dynamic libc_fcntl fcntl "libc.so"
 //go:cgo_import_dynamic libc_futimesat futimesat "libc.so"
 //go:cgo_import_dynamic libc_accept accept "libsocket.so"
-//go:cgo_import_dynamic libc_recvmsg recvmsg "libsocket.so"
-//go:cgo_import_dynamic libc_sendmsg sendmsg "libsocket.so"
+//go:cgo_import_dynamic libc___xnet_recvmsg __xnet_recvmsg "libsocket.so"
+//go:cgo_import_dynamic libc___xnet_sendmsg __xnet_sendmsg "libsocket.so"
 //go:cgo_import_dynamic libc_acct acct "libc.so"
 //go:cgo_import_dynamic libc_ioctl ioctl "libc.so"
 //go:cgo_import_dynamic libc_access access "libc.so"
@@ -45,6 +45,7 @@ import (
 //go:cgo_import_dynamic libc_fdatasync fdatasync "libc.so"
 //go:cgo_import_dynamic libc_fpathconf fpathconf "libc.so"
 //go:cgo_import_dynamic libc_fstat fstat "libc.so"
+//go:cgo_import_dynamic libc_fstatvfs fstatvfs "libc.so"
 //go:cgo_import_dynamic libc_getdents getdents "libc.so"
 //go:cgo_import_dynamic libc_getgid getgid "libc.so"
 //go:cgo_import_dynamic libc_getpid getpid "libc.so"
@@ -61,7 +62,7 @@ import (
 //go:cgo_import_dynamic libc_kill kill "libc.so"
 //go:cgo_import_dynamic libc_lchown lchown "libc.so"
 //go:cgo_import_dynamic libc_link link "libc.so"
-//go:cgo_import_dynamic libc_listen listen "libsocket.so"
+//go:cgo_import_dynamic libc___xnet_llisten __xnet_llisten "libsocket.so"
 //go:cgo_import_dynamic libc_lstat lstat "libc.so"
 //go:cgo_import_dynamic libc_madvise madvise "libc.so"
 //go:cgo_import_dynamic libc_mkdir mkdir "libc.so"
@@ -101,6 +102,7 @@ import (
 //go:cgo_import_dynamic libc_setuid setuid "libc.so"
 //go:cgo_import_dynamic libc_shutdown shutdown "libsocket.so"
 //go:cgo_import_dynamic libc_stat stat "libc.so"
+//go:cgo_import_dynamic libc_statvfs statvfs "libc.so"
 //go:cgo_import_dynamic libc_symlink symlink "libc.so"
 //go:cgo_import_dynamic libc_sync sync "libc.so"
 //go:cgo_import_dynamic libc_times times "libc.so"
@@ -114,15 +116,15 @@ import (
 //go:cgo_import_dynamic libc_unlinkat unlinkat "libc.so"
 //go:cgo_import_dynamic libc_ustat ustat "libc.so"
 //go:cgo_import_dynamic libc_utime utime "libc.so"
-//go:cgo_import_dynamic libc_bind bind "libsocket.so"
-//go:cgo_import_dynamic libc_connect connect "libsocket.so"
+//go:cgo_import_dynamic libc___xnet_bind __xnet_bind "libsocket.so"
+//go:cgo_import_dynamic libc___xnet_connect __xnet_connect "libsocket.so"
 //go:cgo_import_dynamic libc_mmap mmap "libc.so"
 //go:cgo_import_dynamic libc_munmap munmap "libc.so"
-//go:cgo_import_dynamic libc_sendto sendto "libsocket.so"
-//go:cgo_import_dynamic libc_socket socket "libsocket.so"
-//go:cgo_import_dynamic libc_socketpair socketpair "libsocket.so"
+//go:cgo_import_dynamic libc___xnet_sendto __xnet_sendto "libsocket.so"
+//go:cgo_import_dynamic libc___xnet_socket __xnet_socket "libsocket.so"
+//go:cgo_import_dynamic libc___xnet_socketpair __xnet_socketpair "libsocket.so"
 //go:cgo_import_dynamic libc_write write "libc.so"
-//go:cgo_import_dynamic libc_getsockopt getsockopt "libsocket.so"
+//go:cgo_import_dynamic libc___xnet_getsockopt __xnet_getsockopt "libsocket.so"
 //go:cgo_import_dynamic libc_getpeername getpeername "libsocket.so"
 //go:cgo_import_dynamic libc_setsockopt setsockopt "libsocket.so"
 //go:cgo_import_dynamic libc_recvfrom recvfrom "libsocket.so"
@@ -140,8 +142,8 @@ import (
 //go:linkname procfcntl libc_fcntl
 //go:linkname procfutimesat libc_futimesat
 //go:linkname procaccept libc_accept
-//go:linkname procrecvmsg libc_recvmsg
-//go:linkname procsendmsg libc_sendmsg
+//go:linkname proc__xnet_recvmsg libc___xnet_recvmsg
+//go:linkname proc__xnet_sendmsg libc___xnet_sendmsg
 //go:linkname procacct libc_acct
 //go:linkname procioctl libc_ioctl
 //go:linkname procAccess libc_access
@@ -163,6 +165,7 @@ import (
 //go:linkname procFdatasync libc_fdatasync
 //go:linkname procFpathconf libc_fpathconf
 //go:linkname procFstat libc_fstat
+//go:linkname procFstatvfs libc_fstatvfs
 //go:linkname procGetdents libc_getdents
 //go:linkname procGetgid libc_getgid
 //go:linkname procGetpid libc_getpid
@@ -179,7 +182,7 @@ import (
 //go:linkname procKill libc_kill
 //go:linkname procLchown libc_lchown
 //go:linkname procLink libc_link
-//go:linkname proclisten libc_listen
+//go:linkname proc__xnet_llisten libc___xnet_llisten
 //go:linkname procLstat libc_lstat
 //go:linkname procMadvise libc_madvise
 //go:linkname procMkdir libc_mkdir
@@ -219,6 +222,7 @@ import (
 //go:linkname procSetuid libc_setuid
 //go:linkname procshutdown libc_shutdown
 //go:linkname procStat libc_stat
+//go:linkname procStatvfs libc_statvfs
 //go:linkname procSymlink libc_symlink
 //go:linkname procSync libc_sync
 //go:linkname procTimes libc_times
@@ -232,15 +236,15 @@ import (
 //go:linkname procUnlinkat libc_unlinkat
 //go:linkname procUstat libc_ustat
 //go:linkname procUtime libc_utime
-//go:linkname procbind libc_bind
-//go:linkname procconnect libc_connect
+//go:linkname proc__xnet_bind libc___xnet_bind
+//go:linkname proc__xnet_connect libc___xnet_connect
 //go:linkname procmmap libc_mmap
 //go:linkname procmunmap libc_munmap
-//go:linkname procsendto libc_sendto
-//go:linkname procsocket libc_socket
-//go:linkname procsocketpair libc_socketpair
+//go:linkname proc__xnet_sendto libc___xnet_sendto
+//go:linkname proc__xnet_socket libc___xnet_socket
+//go:linkname proc__xnet_socketpair libc___xnet_socketpair
 //go:linkname procwrite libc_write
-//go:linkname procgetsockopt libc_getsockopt
+//go:linkname proc__xnet_getsockopt libc___xnet_getsockopt
 //go:linkname procgetpeername libc_getpeername
 //go:linkname procsetsockopt libc_setsockopt
 //go:linkname procrecvfrom libc_recvfrom
@@ -259,8 +263,8 @@ var (
 	procfcntl,
 	procfutimesat,
 	procaccept,
-	procrecvmsg,
-	procsendmsg,
+	proc__xnet_recvmsg,
+	proc__xnet_sendmsg,
 	procacct,
 	procioctl,
 	procAccess,
@@ -282,6 +286,7 @@ var (
 	procFdatasync,
 	procFpathconf,
 	procFstat,
+	procFstatvfs,
 	procGetdents,
 	procGetgid,
 	procGetpid,
@@ -298,7 +303,7 @@ var (
 	procKill,
 	procLchown,
 	procLink,
-	proclisten,
+	proc__xnet_llisten,
 	procLstat,
 	procMadvise,
 	procMkdir,
@@ -338,6 +343,7 @@ var (
 	procSetuid,
 	procshutdown,
 	procStat,
+	procStatvfs,
 	procSymlink,
 	procSync,
 	procTimes,
@@ -351,15 +357,15 @@ var (
 	procUnlinkat,
 	procUstat,
 	procUtime,
-	procbind,
-	procconnect,
+	proc__xnet_bind,
+	proc__xnet_connect,
 	procmmap,
 	procmunmap,
-	procsendto,
-	procsocket,
-	procsocketpair,
+	proc__xnet_sendto,
+	proc__xnet_socket,
+	proc__xnet_socketpair,
 	procwrite,
-	procgetsockopt,
+	proc__xnet_getsockopt,
 	procgetpeername,
 	procsetsockopt,
 	procrecvfrom,
@@ -488,7 +494,7 @@ func accept(s int, rsa *RawSockaddrAny, addrlen *_Socklen) (fd int, err error) {
 }
 
 func recvmsg(s int, msg *Msghdr, flags int) (n int, err error) {
-	r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procrecvmsg)), 3, uintptr(s), uintptr(unsafe.Pointer(msg)), uintptr(flags), 0, 0, 0)
+	r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&proc__xnet_recvmsg)), 3, uintptr(s), uintptr(unsafe.Pointer(msg)), uintptr(flags), 0, 0, 0)
 	n = int(r0)
 	if e1 != 0 {
 		err = e1
@@ -497,7 +503,7 @@ func recvmsg(s int, msg *Msghdr, flags int) (n int, err error) {
 }
 
 func sendmsg(s int, msg *Msghdr, flags int) (n int, err error) {
-	r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procsendmsg)), 3, uintptr(s), uintptr(unsafe.Pointer(msg)), uintptr(flags), 0, 0, 0)
+	r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&proc__xnet_sendmsg)), 3, uintptr(s), uintptr(unsafe.Pointer(msg)), uintptr(flags), 0, 0, 0)
 	n = int(r0)
 	if e1 != 0 {
 		err = e1
@@ -713,6 +719,14 @@ func Fstat(fd int, stat *Stat_t) (err error) {
 	return
 }
 
+func Fstatvfs(fd int, vfsstat *Statvfs_t) (err error) {
+	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procFstatvfs)), 2, uintptr(fd), uintptr(unsafe.Pointer(vfsstat)), 0, 0, 0, 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
 func Getdents(fd int, buf []byte, basep *uintptr) (n int, err error) {
 	var _p0 *byte
 	if len(buf) > 0 {
@@ -853,7 +867,7 @@ func Link(path string, link string) (err error) {
 }
 
 func Listen(s int, backlog int) (err error) {
-	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&proclisten)), 2, uintptr(s), uintptr(backlog), 0, 0, 0, 0)
+	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&proc__xnet_llisten)), 2, uintptr(s), uintptr(backlog), 0, 0, 0, 0)
 	if e1 != 0 {
 		err = e1
 	}
@@ -1302,6 +1316,19 @@ func Stat(path string, stat *Stat_t) (err error) {
 	return
 }
 
+func Statvfs(path string, vfsstat *Statvfs_t) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procStatvfs)), 2, uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(vfsstat)), 0, 0, 0, 0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
 func Symlink(path string, link string) (err error) {
 	var _p0 *byte
 	_p0, err = BytePtrFromString(path)
@@ -1441,7 +1468,7 @@ func Utime(path string, buf *Utimbuf) (err error) {
 }
 
 func bind(s int, addr unsafe.Pointer, addrlen _Socklen) (err error) {
-	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procbind)), 3, uintptr(s), uintptr(addr), uintptr(addrlen), 0, 0, 0)
+	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&proc__xnet_bind)), 3, uintptr(s), uintptr(addr), uintptr(addrlen), 0, 0, 0)
 	if e1 != 0 {
 		err = e1
 	}
@@ -1449,7 +1476,7 @@ func bind(s int, addr unsafe.Pointer, addrlen _Socklen) (err error) {
 }
 
 func connect(s int, addr unsafe.Pointer, addrlen _Socklen) (err error) {
-	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procconnect)), 3, uintptr(s), uintptr(addr), uintptr(addrlen), 0, 0, 0)
+	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&proc__xnet_connect)), 3, uintptr(s), uintptr(addr), uintptr(addrlen), 0, 0, 0)
 	if e1 != 0 {
 		err = e1
 	}
@@ -1478,7 +1505,7 @@ func sendto(s int, buf []byte, flags int, to unsafe.Pointer, addrlen _Socklen) (
 	if len(buf) > 0 {
 		_p0 = &buf[0]
 	}
-	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procsendto)), 6, uintptr(s), uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), uintptr(flags), uintptr(to), uintptr(addrlen))
+	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&proc__xnet_sendto)), 6, uintptr(s), uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), uintptr(flags), uintptr(to), uintptr(addrlen))
 	if e1 != 0 {
 		err = e1
 	}
@@ -1486,7 +1513,7 @@ func sendto(s int, buf []byte, flags int, to unsafe.Pointer, addrlen _Socklen) (
 }
 
 func socket(domain int, typ int, proto int) (fd int, err error) {
-	r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procsocket)), 3, uintptr(domain), uintptr(typ), uintptr(proto), 0, 0, 0)
+	r0, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&proc__xnet_socket)), 3, uintptr(domain), uintptr(typ), uintptr(proto), 0, 0, 0)
 	fd = int(r0)
 	if e1 != 0 {
 		err = e1
@@ -1495,7 +1522,7 @@ func socket(domain int, typ int, proto int) (fd int, err error) {
 }
 
 func socketpair(domain int, typ int, proto int, fd *[2]int32) (err error) {
-	_, _, e1 := rawSysvicall6(uintptr(unsafe.Pointer(&procsocketpair)), 4, uintptr(domain), uintptr(typ), uintptr(proto), uintptr(unsafe.Pointer(fd)), 0, 0)
+	_, _, e1 := rawSysvicall6(uintptr(unsafe.Pointer(&proc__xnet_socketpair)), 4, uintptr(domain), uintptr(typ), uintptr(proto), uintptr(unsafe.Pointer(fd)), 0, 0)
 	if e1 != 0 {
 		err = e1
 	}
@@ -1516,7 +1543,7 @@ func write(fd int, p []byte) (n int, err error) {
 }
 
 func getsockopt(s int, level int, name int, val unsafe.Pointer, vallen *_Socklen) (err error) {
-	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&procgetsockopt)), 5, uintptr(s), uintptr(level), uintptr(name), uintptr(val), uintptr(unsafe.Pointer(vallen)), 0)
+	_, _, e1 := sysvicall6(uintptr(unsafe.Pointer(&proc__xnet_getsockopt)), 5, uintptr(s), uintptr(level), uintptr(name), uintptr(val), uintptr(unsafe.Pointer(vallen)), 0)
 	if e1 != 0 {
 		err = e1
 	}
diff --git a/vendor/golang.org/x/sys/unix/zsysnum_dragonfly_amd64.go b/vendor/golang.org/x/sys/unix/zsysnum_dragonfly_amd64.go
index d6038fa9b..b2c9ef81b 100644
--- a/vendor/golang.org/x/sys/unix/zsysnum_dragonfly_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_dragonfly_amd64.go
@@ -1,5 +1,5 @@
 // mksysnum_dragonfly.pl
-// MACHINE GENERATED BY THE ABOVE COMMAND; DO NOT EDIT
+// Code generated by the command above; see README.md. DO NOT EDIT.
 
 // +build amd64,dragonfly
 
@@ -42,7 +42,7 @@ const (
 	SYS_SYNC          = 36  // { int sync(void); }
 	SYS_KILL          = 37  // { int kill(int pid, int signum); }
 	SYS_GETPPID       = 39  // { pid_t getppid(void); }
-	SYS_DUP           = 41  // { int dup(u_int fd); }
+	SYS_DUP           = 41  // { int dup(int fd); }
 	SYS_PIPE          = 42  // { int pipe(void); }
 	SYS_GETEGID       = 43  // { gid_t getegid(void); }
 	SYS_PROFIL        = 44  // { int profil(caddr_t samples, size_t size, \
@@ -76,7 +76,7 @@ const (
 	SYS_SWAPON        = 85  // { int swapon(char *name); }
 	SYS_GETITIMER     = 86  // { int getitimer(u_int which, struct itimerval *itv); }
 	SYS_GETDTABLESIZE = 89  // { int getdtablesize(void); }
-	SYS_DUP2          = 90  // { int dup2(u_int from, u_int to); }
+	SYS_DUP2          = 90  // { int dup2(int from, int to); }
 	SYS_FCNTL         = 92  // { int fcntl(int fd, int cmd, long arg); }
 	SYS_SELECT        = 93  // { int select(int nd, fd_set *in, fd_set *ou, \
 	SYS_FSYNC         = 95  // { int fsync(int fd); }
@@ -144,7 +144,7 @@ const (
 	SYS_SEMOP                  = 222 // { int semop(int semid, struct sembuf *sops, \
 	SYS_MSGCTL                 = 224 // { int msgctl(int msqid, int cmd, \
 	SYS_MSGGET                 = 225 // { int msgget(key_t key, int msgflg); }
-	SYS_MSGSND                 = 226 // { int msgsnd(int msqid, void *msgp, size_t msgsz, \
+	SYS_MSGSND                 = 226 // { int msgsnd(int msqid, const void *msgp, size_t msgsz, \
 	SYS_MSGRCV                 = 227 // { int msgrcv(int msqid, void *msgp, size_t msgsz, \
 	SYS_SHMAT                  = 228 // { caddr_t shmat(int shmid, const void *shmaddr, \
 	SYS_SHMCTL                 = 229 // { int shmctl(int shmid, int cmd, \
@@ -224,7 +224,7 @@ const (
 	SYS_GETRESGID              = 361 // { int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid); }
 	SYS_KQUEUE                 = 362 // { int kqueue(void); }
 	SYS_KEVENT                 = 363 // { int kevent(int fd, \
-	SYS_SCTP_PEELOFF           = 364 // { int sctp_peeloff(int sd, caddr_t name ); }
+	SYS_KENV                   = 390 // { int kenv(int what, const char *name, char *value, int len); }
 	SYS_LCHFLAGS               = 391 // { int lchflags(char *path, int flags); }
 	SYS_UUIDGEN                = 392 // { int uuidgen(struct uuid *store, int count); }
 	SYS_SENDFILE               = 393 // { int sendfile(int fd, int s, off_t offset, size_t nbytes, \
@@ -301,4 +301,15 @@ const (
 	SYS_LPATHCONF              = 533 // { int lpathconf(char *path, int name); }
 	SYS_VMM_GUEST_CTL          = 534 // { int vmm_guest_ctl(int op, struct vmm_guest_options *options); }
 	SYS_VMM_GUEST_SYNC_ADDR    = 535 // { int vmm_guest_sync_addr(long *dstaddr, long *srcaddr); }
+	SYS_PROCCTL                = 536 // { int procctl(idtype_t idtype, id_t id, int cmd, void *data); }
+	SYS_CHFLAGSAT              = 537 // { int chflagsat(int fd, const char *path, int flags, int atflags);}
+	SYS_PIPE2                  = 538 // { int pipe2(int *fildes, int flags); }
+	SYS_UTIMENSAT              = 539 // { int utimensat(int fd, const char *path, const struct timespec *ts, int flags); }
+	SYS_FUTIMENS               = 540 // { int futimens(int fd, const struct timespec *ts); }
+	SYS_ACCEPT4                = 541 // { int accept4(int s, caddr_t name, int *anamelen, int flags); }
+	SYS_LWP_SETNAME            = 542 // { int lwp_setname(lwpid_t tid, const char *name); }
+	SYS_PPOLL                  = 543 // { int ppoll(struct pollfd *fds, u_int nfds, \
+	SYS_LWP_SETAFFINITY        = 544 // { int lwp_setaffinity(pid_t pid, lwpid_t tid, const cpumask_t *mask); }
+	SYS_LWP_GETAFFINITY        = 545 // { int lwp_getaffinity(pid_t pid, lwpid_t tid, cpumask_t *mask); }
+	SYS_LWP_CREATE2            = 546 // { int lwp_create2(struct lwp_params *params, const cpumask_t *mask); }
 )
diff --git a/vendor/golang.org/x/sys/unix/ztypes_dragonfly_amd64.go b/vendor/golang.org/x/sys/unix/ztypes_dragonfly_amd64.go
index 8a6f4e1ce..e585c893a 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_dragonfly_amd64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_dragonfly_amd64.go
@@ -1,5 +1,5 @@
-// Created by cgo -godefs - DO NOT EDIT
-// cgo -godefs types_dragonfly.go
+// cgo -godefs types_dragonfly.go | go run mkpost.go
+// Code generated by the command above; see README.md. DO NOT EDIT.
 
 // +build amd64,dragonfly
 
@@ -324,7 +324,7 @@ type IfData struct {
 	Iqdrops    uint64
 	Noproto    uint64
 	Hwassist   uint64
-	Unused     uint64
+	Oqdrops    uint64
 	Lastchange Timeval
 }
 
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_386.go b/vendor/golang.org/x/sys/unix/ztypes_linux_386.go
index 8fc7b822d..7333755be 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_386.go
@@ -152,6 +152,20 @@ type Flock_t struct {
 	Pid    int32
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
index 6eb6c9600..5807e1747 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
@@ -154,6 +154,20 @@ type Flock_t struct {
 	Pad_cgo_1 [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go b/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
index bb103b024..db7c8bfae 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
@@ -156,6 +156,20 @@ type Flock_t struct {
 	Pad_cgo_1 [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
index 36ba90826..19cca4f00 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
@@ -155,6 +155,20 @@ type Flock_t struct {
 	Pad_cgo_1 [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go b/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
index ac79d82bb..f97268cc9 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
@@ -155,6 +155,20 @@ type Flock_t struct {
 	Pad_cgo_1 [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
@@ -554,17 +568,13 @@ type InotifyEvent struct {
 const SizeofInotifyEvent = 0x10
 
 type PtraceRegs struct {
-	Regs        [109]uint32
-	U_tsize     uint32
-	U_dsize     uint32
-	U_ssize     uint32
-	Start_code  uint32
-	Start_data  uint32
-	Start_stack uint32
-	Signal      int32
-	U_ar0       *byte
-	Magic       uint32
-	U_comm      [32]int8
+	Regs     [32]uint64
+	Lo       uint64
+	Hi       uint64
+	Epc      uint64
+	Badvaddr uint64
+	Status   uint64
+	Cause    uint64
 }
 
 type FdSet struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
index 98c53a8f3..8d062087c 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
@@ -155,6 +155,20 @@ type Flock_t struct {
 	Pad_cgo_1 [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
@@ -556,17 +570,13 @@ type InotifyEvent struct {
 const SizeofInotifyEvent = 0x10
 
 type PtraceRegs struct {
-	Regs        [102]uint64
-	U_tsize     uint64
-	U_dsize     uint64
-	U_ssize     uint64
-	Start_code  uint64
-	Start_data  uint64
-	Start_stack uint64
-	Signal      int64
-	U_ar0       uint64
-	Magic       uint64
-	U_comm      [32]int8
+	Regs     [32]uint64
+	Lo       uint64
+	Hi       uint64
+	Epc      uint64
+	Badvaddr uint64
+	Status   uint64
+	Cause    uint64
 }
 
 type FdSet struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
index 99638abe6..b1fbe717a 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
@@ -155,6 +155,20 @@ type Flock_t struct {
 	Pad_cgo_1 [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
@@ -556,17 +570,13 @@ type InotifyEvent struct {
 const SizeofInotifyEvent = 0x10
 
 type PtraceRegs struct {
-	Regs        [102]uint64
-	U_tsize     uint64
-	U_dsize     uint64
-	U_ssize     uint64
-	Start_code  uint64
-	Start_data  uint64
-	Start_stack uint64
-	Signal      int64
-	U_ar0       uint64
-	Magic       uint64
-	U_comm      [32]int8
+	Regs     [32]uint64
+	Lo       uint64
+	Hi       uint64
+	Epc      uint64
+	Badvaddr uint64
+	Status   uint64
+	Cause    uint64
 }
 
 type FdSet struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go b/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
index b7131a43b..b634e3c2e 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
@@ -155,6 +155,20 @@ type Flock_t struct {
 	Pad_cgo_1 [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
@@ -554,17 +568,13 @@ type InotifyEvent struct {
 const SizeofInotifyEvent = 0x10
 
 type PtraceRegs struct {
-	Regs        [109]uint32
-	U_tsize     uint32
-	U_dsize     uint32
-	U_ssize     uint32
-	Start_code  uint32
-	Start_data  uint32
-	Start_stack uint32
-	Signal      int32
-	U_ar0       *byte
-	Magic       uint32
-	U_comm      [32]int8
+	Regs     [32]uint64
+	Lo       uint64
+	Hi       uint64
+	Epc      uint64
+	Badvaddr uint64
+	Status   uint64
+	Cause    uint64
 }
 
 type FdSet struct {
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
index a78282b19..4410abb89 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
@@ -156,6 +156,20 @@ type Flock_t struct {
 	Pad_cgo_1 [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
index 564092e21..10947c3ea 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
@@ -156,6 +156,20 @@ type Flock_t struct {
 	Pad_cgo_1 [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go b/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
index 03452c6d0..57dbb36b4 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
@@ -155,6 +155,20 @@ type Flock_t struct {
 	_      [4]byte
 }
 
+type FscryptPolicy struct {
+	Version                   uint8
+	Contents_encryption_mode  uint8
+	Filenames_encryption_mode uint8
+	Flags                     uint8
+	Master_key_descriptor     [8]uint8
+}
+
+type FscryptKey struct {
+	Mode uint32
+	Raw  [64]uint8
+	Size uint32
+}
+
 const (
 	FADV_NORMAL     = 0x0
 	FADV_RANDOM     = 0x1
diff --git a/vendor/golang.org/x/sys/unix/ztypes_solaris_amd64.go b/vendor/golang.org/x/sys/unix/ztypes_solaris_amd64.go
index 02777e4d8..92336f9f9 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_solaris_amd64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_solaris_amd64.go
@@ -1,6 +1,7 @@
-// +build amd64,solaris
-// Created by cgo -godefs - DO NOT EDIT
 // cgo -godefs types_solaris.go | go run mkpost.go
+// Code generated by the command above; see README.md. DO NOT EDIT.
+
+// +build amd64,solaris
 
 package unix
 
@@ -128,6 +129,24 @@ type Dirent struct {
 	Pad_cgo_0 [5]byte
 }
 
+type _Fsblkcnt_t uint64
+
+type Statvfs_t struct {
+	Bsize    uint64
+	Frsize   uint64
+	Blocks   uint64
+	Bfree    uint64
+	Bavail   uint64
+	Files    uint64
+	Ffree    uint64
+	Favail   uint64
+	Fsid     uint64
+	Basetype [16]int8
+	Flag     uint64
+	Namemax  uint64
+	Fstr     [32]int8
+}
+
 type RawSockaddrInet4 struct {
 	Family uint16
 	Port   uint16
diff --git a/vendor/golang.org/x/sys/windows/svc/mgr/service.go b/vendor/golang.org/x/sys/windows/svc/mgr/service.go
index 465f3c3d2..ac9fba5a1 100644
--- a/vendor/golang.org/x/sys/windows/svc/mgr/service.go
+++ b/vendor/golang.org/x/sys/windows/svc/mgr/service.go
@@ -39,7 +39,7 @@ func (s *Service) Start(args ...string) error {
 	var p **uint16
 	if len(args) > 0 {
 		vs := make([]*uint16, len(args))
-		for i, _ := range vs {
+		for i := range vs {
 			vs[i] = syscall.StringToUTF16Ptr(args[i])
 		}
 		p = &vs[0]
diff --git a/vendor/golang.org/x/sys/windows/syscall_windows.go b/vendor/golang.org/x/sys/windows/syscall_windows.go
index 99b11fe6a..e439c48ab 100644
--- a/vendor/golang.org/x/sys/windows/syscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/syscall_windows.go
@@ -486,6 +486,10 @@ func Chmod(path string, mode uint32) (err error) {
 	return SetFileAttributes(p, attrs)
 }
 
+func LoadGetSystemTimePreciseAsFileTime() error {
+	return procGetSystemTimePreciseAsFileTime.Find()
+}
+
 func LoadCancelIoEx() error {
 	return procCancelIoEx.Find()
 }
diff --git a/vendor/golang.org/x/text/internal/catmsg/catmsg.go b/vendor/golang.org/x/text/internal/catmsg/catmsg.go
new file mode 100644
index 000000000..1013b43ec
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/catmsg/catmsg.go
@@ -0,0 +1,367 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package catmsg contains support types for package x/text/message/catalog.
+//
+// This package contains the low-level implementations of Message used by the
+// catalog package and provides primitives for other packages to implement their
+// own. For instance, the plural package provides functionality for selecting
+// translation strings based on the plural category of substitution arguments.
+//
+//
+// Encoding and Decoding
+//
+// Catalogs store Messages encoded as a single string. Compiling a message into
+// a string both results in compacter representation and speeds up evaluation.
+//
+// A Message must implement a Compile method to convert its arbitrary
+// representation to a string. The Compile method takes an Encoder which
+// facilitates serializing the message. Encoders also provide more context of
+// the messages's creation (such as for which language the message is intended),
+// which may not be known at the time of the creation of the message.
+//
+// Each message type must also have an accompanying decoder registered to decode
+// the message. This decoder takes a Decoder argument which provides the
+// counterparts for the decoding.
+//
+//
+// Renderers
+//
+// A Decoder must be initialized with a Renderer implementation. These
+// implementations must be provided by packages that use Catalogs, typically
+// formatting packages such as x/text/message. A typical user will not need to
+// worry about this type; it is only relevant to packages that do string
+// formatting and want to use the catalog package to handle localized strings.
+//
+// A package that uses catalogs for selecting strings receives selection results
+// as sequence of substrings passed to the Renderer. The following snippet shows
+// how to express the above example using the message package.
+//
+//   message.Set(language.English, "You are %d minute(s) late.",
+//       catalog.Var("minutes", plural.Select(1, "one", "minute")),
+//       catalog.String("You are %[1]d ${minutes} late."))
+
+//   p := message.NewPrinter(language.English)
+//
+//   p.Printf("You are %d minute(s) late.", 5) // always 5 minutes late.
+//
+// To evaluate the Printf, package message wraps the arguments in a Renderer
+// that is passed to the catalog for message decoding. The call sequence that
+// results from evaluating the above message, assuming the person is rather
+// tardy, is:
+//
+//   Render("You are %[1]d ")
+//   Arg(1)
+//   Render("minutes")
+//   Render(" late.")
+//
+// The calls to Arg is caused by the plural.Select execution, which evaluates
+// the argument to determine whether the singular or plural message form should
+// be selected. The calls to Render reports the partial results to the message
+// package for further evaluation.
+package catmsg
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+	"sync"
+
+	"golang.org/x/text/language"
+)
+
+// A Handle refers to a registered message type.
+type Handle int
+
+// First is used as a Handle to EncodeMessageType, followed by a series of calls
+// to EncodeMessage, to implement selecting the first matching Message.
+//
+// TODO: this can be removed once we either can use type aliases or if the
+// internals of this package are merged with the catalog package.
+var First Handle = msgFirst
+
+// A Handler decodes and evaluates data compiled by a Message and sends the
+// result to the Decoder. The output may depend on the value of the substitution
+// arguments, accessible by the Decoder's Arg method. The Handler returns false
+// if there is no translation for the given substitution arguments.
+type Handler func(d *Decoder) bool
+
+// Register records the existence of a message type and returns a Handle that
+// can be used in the Encoder's EncodeMessageType method to create such
+// messages. The prefix of the name should be the package path followed by
+// an optional disambiguating string.
+// Register will panic if a handle for the same name was already registered.
+func Register(name string, handler Handler) Handle {
+	mutex.Lock()
+	defer mutex.Unlock()
+
+	if _, ok := names[name]; ok {
+		panic(fmt.Errorf("catmsg: handler for %q already exists", name))
+	}
+	h := Handle(len(handlers))
+	names[name] = h
+	handlers = append(handlers, handler)
+	return h
+}
+
+// These handlers require fixed positions in the handlers slice.
+const (
+	msgVars Handle = iota
+	msgFirst
+	msgRaw
+	msgString
+	numFixed
+)
+
+const prefix = "golang.org/x/text/internal/catmsg."
+
+var (
+	mutex sync.Mutex
+	names = map[string]Handle{
+		prefix + "Vars":   msgVars,
+		prefix + "First":  msgFirst,
+		prefix + "Raw":    msgRaw,
+		prefix + "String": msgString,
+	}
+	handlers = make([]Handler, numFixed)
+)
+
+func init() {
+	// This handler is a message type wrapper that initializes a decoder
+	// with a variable block. This message type, if present, is always at the
+	// start of an encoded message.
+	handlers[msgVars] = func(d *Decoder) bool {
+		blockSize := int(d.DecodeUint())
+		d.vars = d.data[:blockSize]
+		d.data = d.data[blockSize:]
+		return d.executeMessage()
+	}
+
+	// First takes the first message in a sequence that results in a match for
+	// the given substitution arguments.
+	handlers[msgFirst] = func(d *Decoder) bool {
+		for !d.Done() {
+			if d.ExecuteMessage() {
+				return true
+			}
+		}
+		return false
+	}
+
+	handlers[msgRaw] = func(d *Decoder) bool {
+		d.Render(d.data)
+		return true
+	}
+
+	// A String message alternates between a string constant and a variable
+	// substitution.
+	handlers[msgString] = func(d *Decoder) bool {
+		for !d.Done() {
+			if str := d.DecodeString(); str != "" {
+				d.Render(str)
+			}
+			if d.Done() {
+				break
+			}
+			d.ExecuteSubstitution()
+		}
+		return true
+	}
+}
+
+var (
+	// ErrIncomplete indicates a compiled message does not define translations
+	// for all possible argument values. If this message is returned, evaluating
+	// a message may result in the ErrNoMatch error.
+	ErrIncomplete = errors.New("catmsg: incomplete message; may not give result for all inputs")
+
+	// ErrNoMatch indicates no translation message matched the given input
+	// parameters when evaluating a message.
+	ErrNoMatch = errors.New("catmsg: no translation for inputs")
+)
+
+// A Message holds a collection of translations for the same phrase that may
+// vary based on the values of substitution arguments.
+type Message interface {
+	// Compile encodes the format string(s) of the message as a string for later
+	// evaluation.
+	//
+	// The first call Compile makes on the encoder must be EncodeMessageType.
+	// The handle passed to this call may either be a handle returned by
+	// Register to encode a single custom message, or HandleFirst followed by
+	// a sequence of calls to EncodeMessage.
+	//
+	// Compile must return ErrIncomplete if it is possible for evaluation to
+	// not match any translation for a given set of formatting parameters.
+	// For example, selecting a translation based on plural form may not yield
+	// a match if the form "Other" is not one of the selectors.
+	//
+	// Compile may return any other application-specific error. For backwards
+	// compatibility with package like fmt, which often do not do sanity
+	// checking of format strings ahead of time, Compile should still make an
+	// effort to have some sensible fallback in case of an error.
+	Compile(e *Encoder) error
+}
+
+// Compile converts a Message to a data string that can be stored in a Catalog.
+// The resulting string can subsequently be decoded by passing to the Execute
+// method of a Decoder.
+func Compile(tag language.Tag, macros Dictionary, m Message) (data string, err error) {
+	// TODO: pass macros so they can be used for validation.
+	v := &Encoder{inBody: true} // encoder for variables
+	v.root = v
+	e := &Encoder{root: v, parent: v, tag: tag} // encoder for messages
+	err = m.Compile(e)
+	// This package serves te message package, which in turn is meant to be a
+	// drop-in replacement for fmt.  With the fmt package, format strings are
+	// evaluated lazily and errors are handled by substituting strings in the
+	// result, rather then returning an error. Dealing with multiple languages
+	// makes it more important to check errors ahead of time. We chose to be
+	// consistent and compatible and allow graceful degradation in case of
+	// errors.
+	buf := e.buf[stripPrefix(e.buf):]
+	if len(v.buf) > 0 {
+		// Prepend variable block.
+		b := make([]byte, 1+maxVarintBytes+len(v.buf)+len(buf))
+		b[0] = byte(msgVars)
+		b = b[:1+encodeUint(b[1:], uint64(len(v.buf)))]
+		b = append(b, v.buf...)
+		b = append(b, buf...)
+		buf = b
+	}
+	if err == nil {
+		err = v.err
+	}
+	return string(buf), err
+}
+
+// Var defines a message that can be substituted for a placeholder of the same
+// name. If an expression does not result in a string after evaluation, Name is
+// used as the substitution. For example:
+//    Var{
+//      Name:    "minutes",
+//      Message: plural.Select(1, "one", "minute"),
+//    }
+// will resolve to minute for singular and minutes for plural forms.
+type Var struct {
+	Name    string
+	Message Message
+}
+
+var errIsVar = errors.New("catmsg: variable used as message")
+
+// Compile implements Message.
+//
+// Note that this method merely registers a variable; it does not create an
+// encoded message.
+func (v *Var) Compile(e *Encoder) error {
+	if err := e.addVar(v.Name, v.Message); err != nil {
+		return err
+	}
+	// Using a Var by itself is an error. If it is in a sequence followed by
+	// other messages referring to it, this error will be ignored.
+	return errIsVar
+}
+
+// Raw is a message consisting of a single format string that is passed as is
+// to the Renderer.
+//
+// Note that a Renderer may still do its own variable substitution.
+type Raw string
+
+// Compile implements Message.
+func (r Raw) Compile(e *Encoder) (err error) {
+	e.EncodeMessageType(msgRaw)
+	// Special case: raw strings don't have a size encoding and so don't use
+	// EncodeString.
+	e.buf = append(e.buf, r...)
+	return nil
+}
+
+// String is a message consisting of a single format string which contains
+// placeholders that may be substituted with variables.
+//
+// Variable substitutions are marked with placeholders and a variable name of
+// the form ${name}. Any other substitutions such as Go templates or
+// printf-style substitutions are left to be done by the Renderer.
+//
+// When evaluation a string interpolation, a Renderer will receive separate
+// calls for each placeholder and interstitial string. For example, for the
+// message: "%[1]v ${invites} %[2]v to ${their} party." The sequence of calls
+// is:
+//   d.Render("%[1]v ")
+//   d.Arg(1)
+//   d.Render(resultOfInvites)
+//   d.Render(" %[2]v to ")
+//   d.Arg(1)
+//   d.Render(resultOfTheir)
+//   d.Render(" party.")
+// where the messages for "invites" and "their" both use a plural.Select
+// referring to the first argument.
+//
+// Strings may also invoke macros. Macros are essentially variables that can be
+// reused. Macros may, for instance, be used to make selections between
+// different conjugations of a verb. See the catalog package description for an
+// overview of macros.
+type String string
+
+// Compile implements Message. It parses the placeholder formats and returns
+// any error.
+func (s String) Compile(e *Encoder) (err error) {
+	msg := string(s)
+	const subStart = "${"
+	hasHeader := false
+	p := 0
+	b := []byte{}
+	for {
+		i := strings.Index(msg[p:], subStart)
+		if i == -1 {
+			break
+		}
+		b = append(b, msg[p:p+i]...)
+		p += i + len(subStart)
+		if i = strings.IndexByte(msg[p:], '}'); i == -1 {
+			b = append(b, "$!(MISSINGBRACE)"...)
+			err = fmt.Errorf("catmsg: missing '}'")
+			p = len(msg)
+			break
+		}
+		name := strings.TrimSpace(msg[p : p+i])
+		if q := strings.IndexByte(name, '('); q == -1 {
+			if !hasHeader {
+				hasHeader = true
+				e.EncodeMessageType(msgString)
+			}
+			e.EncodeString(string(b))
+			e.EncodeSubstitution(name)
+			b = b[:0]
+		} else if j := strings.IndexByte(name[q:], ')'); j == -1 {
+			// TODO: what should the error be?
+			b = append(b, "$!(MISSINGPAREN)"...)
+			err = fmt.Errorf("catmsg: missing ')'")
+		} else if x, sErr := strconv.ParseUint(strings.TrimSpace(name[q+1:q+j]), 10, 32); sErr != nil {
+			// TODO: handle more than one argument
+			b = append(b, "$!(BADNUM)"...)
+			err = fmt.Errorf("catmsg: invalid number %q", strings.TrimSpace(name[q+1:q+j]))
+		} else {
+			if !hasHeader {
+				hasHeader = true
+				e.EncodeMessageType(msgString)
+			}
+			e.EncodeString(string(b))
+			e.EncodeSubstitution(name[:q], int(x))
+			b = b[:0]
+		}
+		p += i + 1
+	}
+	b = append(b, msg[p:]...)
+	if !hasHeader {
+		// Simplify string to a raw string.
+		Raw(string(b)).Compile(e)
+	} else if len(b) > 0 {
+		e.EncodeString(string(b))
+	}
+	return err
+}
diff --git a/vendor/golang.org/x/text/internal/catmsg/catmsg_test.go b/vendor/golang.org/x/text/internal/catmsg/catmsg_test.go
new file mode 100644
index 000000000..d06502bff
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/catmsg/catmsg_test.go
@@ -0,0 +1,294 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package catmsg
+
+import (
+	"errors"
+	"strings"
+	"testing"
+
+	"golang.org/x/text/language"
+)
+
+type renderer struct {
+	args   []int
+	result string
+}
+
+func (r *renderer) Arg(i int) interface{} {
+	if i >= len(r.args) {
+		return nil
+	}
+	return r.args[i]
+}
+
+func (r *renderer) Render(s string) {
+	if r.result != "" {
+		r.result += "|"
+	}
+	r.result += s
+}
+
+func TestCodec(t *testing.T) {
+	type test struct {
+		args   []int
+		out    string
+		decErr string
+	}
+	single := func(out, err string) []test { return []test{{out: out, decErr: err}} }
+	testCases := []struct {
+		desc   string
+		m      Message
+		enc    string
+		encErr string
+		tests  []test
+	}{{
+		desc:   "unused variable",
+		m:      &Var{"name", String("foo")},
+		encErr: errIsVar.Error(),
+		tests:  single("", ""),
+	}, {
+		desc:  "empty",
+		m:     empty{},
+		tests: single("", ""),
+	}, {
+		desc:  "sequence with empty",
+		m:     seq{empty{}},
+		tests: single("", ""),
+	}, {
+		desc:  "raw string",
+		m:     Raw("foo"),
+		tests: single("foo", ""),
+	}, {
+		desc:  "raw string no sub",
+		m:     Raw("${foo}"),
+		enc:   "\x02${foo}",
+		tests: single("${foo}", ""),
+	}, {
+		desc:  "simple string",
+		m:     String("foo"),
+		tests: single("foo", ""),
+	}, {
+		desc:   "missing var",
+		m:      String("foo${bar}"),
+		enc:    "\x03\x03foo\x02\x03bar",
+		encErr: `unknown var "bar"`,
+		tests:  single("foo|bar", ""),
+	}, {
+		desc: "empty var",
+		m: seq{
+			&Var{"bar", seq{}},
+			String("foo${bar}"),
+		},
+		enc: "\x00\x05\x04\x02bar\x03\x03foo\x00\x00",
+		// TODO: recognize that it is cheaper to substitute bar.
+		tests: single("foo|bar", ""),
+	}, {
+		desc: "var after value",
+		m: seq{
+			String("foo${bar}"),
+			&Var{"bar", String("baz")},
+		},
+		encErr: errIsVar.Error(),
+		tests:  single("foo|bar", ""),
+	}, {
+		desc: "substitution",
+		m: seq{
+			&Var{"bar", String("baz")},
+			String("foo${bar}"),
+		},
+		tests: single("foo|baz", ""),
+	}, {
+		desc: "shadowed variable",
+		m: seq{
+			&Var{"bar", String("baz")},
+			seq{
+				&Var{"bar", String("BAZ")},
+				String("foo${bar}"),
+			},
+		},
+		tests: single("foo|BAZ", ""),
+	}, {
+		desc: "not shadowed variable",
+		m: seq{
+			&Var{"bar", String("baz")},
+			seq{
+				String("foo${bar}"),
+				&Var{"bar", String("BAZ")},
+			},
+		},
+		encErr: errIsVar.Error(),
+		tests:  single("foo|baz", ""),
+	}, {
+		desc: "duplicate variable",
+		m: seq{
+			&Var{"bar", String("baz")},
+			&Var{"bar", String("BAZ")},
+			String("${bar}"),
+		},
+		encErr: "catmsg: duplicate variable \"bar\"",
+		tests:  single("baz", ""),
+	}, {
+		desc: "complete incomplete variable",
+		m: seq{
+			&Var{"bar", incomplete{}},
+			String("${bar}"),
+		},
+		enc: "\x00\t\b\x01\x01\x04\x04\x02bar\x03\x00\x00\x00",
+		// TODO: recognize that it is cheaper to substitute bar.
+		tests: single("bar", ""),
+	}, {
+		desc: "incomplete sequence",
+		m: seq{
+			incomplete{},
+			incomplete{},
+		},
+		encErr: ErrIncomplete.Error(),
+		tests:  single("", ErrNoMatch.Error()),
+	}, {
+		desc: "compile error variable",
+		m: seq{
+			&Var{"bar", errorCompileMsg{}},
+			String("${bar}"),
+		},
+		encErr: errCompileTest.Error(),
+		tests:  single("bar", ""),
+	}, {
+		desc:   "compile error message",
+		m:      errorCompileMsg{},
+		encErr: errCompileTest.Error(),
+		tests:  single("", ""),
+	}, {
+		desc: "compile error sequence",
+		m: seq{
+			errorCompileMsg{},
+			errorCompileMsg{},
+		},
+		encErr: errCompileTest.Error(),
+		tests:  single("", ""),
+	}, {
+		desc:  "macro",
+		m:     String("${exists(1)}"),
+		tests: single("you betya!", ""),
+	}, {
+		desc:  "macro incomplete",
+		m:     String("${incomplete(1)}"),
+		enc:   "\x03\x00\x01\nincomplete\x01",
+		tests: single("incomplete", ""),
+	}, {
+		desc:  "macro undefined at end",
+		m:     String("${undefined(1)}"),
+		enc:   "\x03\x00\x01\tundefined\x01",
+		tests: single("undefined", "catmsg: undefined macro \"undefined\""),
+	}, {
+		desc:  "macro undefined with more text following",
+		m:     String("${undefined(1)}."),
+		enc:   "\x03\x00\x01\tundefined\x01\x01.",
+		tests: single("undefined|.", "catmsg: undefined macro \"undefined\""),
+	}, {
+		desc:   "macro missing paren",
+		m:      String("${missing(1}"),
+		encErr: "catmsg: missing ')'",
+		tests:  single("$!(MISSINGPAREN)", ""),
+	}, {
+		desc:   "macro bad num",
+		m:      String("aa${bad(a)}"),
+		encErr: "catmsg: invalid number \"a\"",
+		tests:  single("aa$!(BADNUM)", ""),
+	}, {
+		desc:   "var missing brace",
+		m:      String("a${missing"),
+		encErr: "catmsg: missing '}'",
+		tests:  single("a$!(MISSINGBRACE)", ""),
+	}}
+	r := &renderer{}
+	dec := NewDecoder(language.Und, r, macros)
+	for _, tc := range testCases {
+		t.Run(tc.desc, func(t *testing.T) {
+
+			data, err := Compile(language.Und, macros, tc.m)
+			if failErr(err, tc.encErr) {
+				t.Errorf("encoding error: got %+q; want %+q", err, tc.encErr)
+			}
+			if tc.enc != "" && data != tc.enc {
+				t.Errorf("encoding: got %+q; want %+q", data, tc.enc)
+			}
+			for _, st := range tc.tests {
+				t.Run("", func(t *testing.T) {
+					*r = renderer{args: st.args}
+					if err = dec.Execute(data); failErr(err, st.decErr) {
+						t.Errorf("decoding error: got %+q; want %+q", err, st.decErr)
+					}
+					if r.result != st.out {
+						t.Errorf("decode: got %+q; want %+q", r.result, st.out)
+					}
+				})
+			}
+		})
+	}
+}
+
+func failErr(got error, want string) bool {
+	if got == nil {
+		return want != ""
+	}
+	return want == "" || !strings.Contains(got.Error(), want)
+}
+
+type seq []Message
+
+func (s seq) Compile(e *Encoder) (err error) {
+	err = ErrIncomplete
+	e.EncodeMessageType(First)
+	for _, m := range s {
+		// Pass only the last error, but allow erroneous or complete messages
+		// here to allow testing different scenarios.
+		err = e.EncodeMessage(m)
+	}
+	return err
+}
+
+type empty struct{}
+
+func (empty) Compile(e *Encoder) (err error) { return nil }
+
+var msgIncomplete = Register(
+	"golang.org/x/text/internal/catmsg.incomplete",
+	func(d *Decoder) bool { return false })
+
+type incomplete struct{}
+
+func (incomplete) Compile(e *Encoder) (err error) {
+	e.EncodeMessageType(msgIncomplete)
+	return ErrIncomplete
+}
+
+type errorCompileMsg struct{}
+
+var errCompileTest = errors.New("catmsg: compile error test")
+
+func (errorCompileMsg) Compile(e *Encoder) (err error) {
+	return errCompileTest
+}
+
+type dictionary struct{}
+
+var (
+	macros       = dictionary{}
+	dictMessages = map[string]string{
+		"exists":     compile(String("you betya!")),
+		"incomplete": compile(incomplete{}),
+	}
+)
+
+func (d dictionary) Lookup(key string) (data string, ok bool) {
+	data, ok = dictMessages[key]
+	return
+}
+
+func compile(m Message) (data string) {
+	data, _ = Compile(language.Und, macros, m)
+	return data
+}
diff --git a/vendor/golang.org/x/text/internal/catmsg/codec.go b/vendor/golang.org/x/text/internal/catmsg/codec.go
new file mode 100755
index 000000000..e959b08f9
--- /dev/null
+++ b/vendor/golang.org/x/text/internal/catmsg/codec.go
@@ -0,0 +1,407 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package catmsg
+
+import (
+	"errors"
+	"fmt"
+
+	"golang.org/x/text/language"
+)
+
+// A Renderer renders a Message.
+type Renderer interface {
+	// Render renders the given string. The given string may be interpreted as a
+	// format string, such as the one used by the fmt package or a template.
+	Render(s string)
+
+	// Arg returns the i-th argument passed to format a message. This method
+	// should return nil if there is no such argument. Messages need access to
+	// arguments to allow selecting a message based on linguistic features of
+	// those arguments.
+	Arg(i int) interface{}
+}
+
+// A Dictionary specifies a source of messages, including variables or macros.
+type Dictionary interface {
+	// Lookup returns the message for the given key. It returns false for ok if
+	// such a message could not be found.
+	Lookup(key string) (data string, ok bool)
+
+	// TODO: consider returning an interface, instead of a string. This will
+	// allow implementations to do their own message type decoding.
+}
+
+// An Encoder serializes a Message to a string.
+type Encoder struct {
+	// The root encoder is used for storing encoded variables.
+	root *Encoder
+	// The parent encoder provides the surrounding scopes for resolving variable
+	// names.
+	parent *Encoder
+
+	tag language.Tag
+
+	// buf holds the encoded message so far. After a message completes encoding,
+	// the contents of buf, prefixed by the encoded length, are flushed to the
+	// parent buffer.
+	buf []byte
+
+	// vars is the lookup table of variables in the current scope.
+	vars []keyVal
+
+	err    error
+	inBody bool // if false next call must be EncodeMessageType
+}
+
+type keyVal struct {
+	key    string
+	offset int
+}
+
+// Language reports the language for which the encoded message will be stored
+// in the Catalog.
+func (e *Encoder) Language() language.Tag { return e.tag }
+
+func (e *Encoder) setError(err error) {
+	if e.root.err == nil {
+		e.root.err = err
+	}
+}
+
+// EncodeUint encodes x.
+func (e *Encoder) EncodeUint(x uint64) {
+	e.checkInBody()
+	var buf [maxVarintBytes]byte
+	n := encodeUint(buf[:], x)
+	e.buf = append(e.buf, buf[:n]...)
+}
+
+// EncodeString encodes s.
+func (e *Encoder) EncodeString(s string) {
+	e.checkInBody()
+	e.EncodeUint(uint64(len(s)))
+	e.buf = append(e.buf, s...)
+}
+
+// EncodeMessageType marks the current message to be of type h.
+//
+// It must be the first call of a Message's Compile method.
+func (e *Encoder) EncodeMessageType(h Handle) {
+	if e.inBody {
+		panic("catmsg: EncodeMessageType not the first method called")
+	}
+	e.inBody = true
+	e.EncodeUint(uint64(h))
+}
+
+// EncodeMessage serializes the given message inline at the current position.
+func (e *Encoder) EncodeMessage(m Message) error {
+	e = &Encoder{root: e.root, parent: e}
+	err := m.Compile(e)
+	if _, ok := m.(*Var); !ok {
+		e.flushTo(e.parent)
+	}
+	return err
+}
+
+func (e *Encoder) checkInBody() {
+	if !e.inBody {
+		panic("catmsg: expected prior call to EncodeMessageType")
+	}
+}
+
+// stripPrefix indicates the number of prefix bytes that must be stripped to
+// turn a single-element sequence into a message that is just this single member
+// without its size prefix. If the message can be stripped, b[1:n] contains the
+// size prefix.
+func stripPrefix(b []byte) (n int) {
+	if len(b) > 0 && Handle(b[0]) == msgFirst {
+		x, n, _ := decodeUint(b[1:])
+		if 1+n+int(x) == len(b) {
+			return 1 + n
+		}
+	}
+	return 0
+}
+
+func (e *Encoder) flushTo(dst *Encoder) {
+	data := e.buf
+	p := stripPrefix(data)
+	if p > 0 {
+		data = data[1:]
+	} else {
+		// Prefix the size.
+		dst.EncodeUint(uint64(len(data)))
+	}
+	dst.buf = append(dst.buf, data...)
+}
+
+func (e *Encoder) addVar(key string, m Message) error {
+	for _, v := range e.parent.vars {
+		if v.key == key {
+			err := fmt.Errorf("catmsg: duplicate variable %q", key)
+			e.setError(err)
+			return err
+		}
+	}
+	scope := e.parent
+	// If a variable message is Incomplete, and does not evaluate to a message
+	// during execution, we fall back to the variable name. We encode this by
+	// appending the variable name if the message reports it's incomplete.
+
+	err := m.Compile(e)
+	if err != ErrIncomplete {
+		e.setError(err)
+	}
+	switch {
+	case len(e.buf) == 1 && Handle(e.buf[0]) == msgFirst: // empty sequence
+		e.buf = e.buf[:0]
+		e.inBody = false
+		fallthrough
+	case len(e.buf) == 0:
+		// Empty message.
+		if err := String(key).Compile(e); err != nil {
+			e.setError(err)
+		}
+	case err == ErrIncomplete:
+		if Handle(e.buf[0]) != msgFirst {
+			seq := &Encoder{root: e.root, parent: e}
+			seq.EncodeMessageType(First)
+			e.flushTo(seq)
+			e = seq
+		}
+		// e contains a sequence; append the fallback string.
+		e.EncodeMessage(String(key))
+	}
+
+	// Flush result to variable heap.
+	offset := len(e.root.buf)
+	e.flushTo(e.root)
+	e.buf = e.buf[:0]
+
+	// Record variable offset in current scope.
+	scope.vars = append(scope.vars, keyVal{key: key, offset: offset})
+	return err
+}
+
+const (
+	substituteVar = iota
+	substituteMacro
+	substituteError
+)
+
+// EncodeSubstitution inserts a resolved reference to a variable or macro.
+//
+// This call must be matched with a call to ExecuteSubstitution at decoding
+// time.
+func (e *Encoder) EncodeSubstitution(name string, arguments ...int) {
+	if arity := len(arguments); arity > 0 {
+		// TODO: also resolve macros.
+		e.EncodeUint(substituteMacro)
+		e.EncodeString(name)
+		for _, a := range arguments {
+			e.EncodeUint(uint64(a))
+		}
+		return
+	}
+	for scope := e; scope != nil; scope = scope.parent {
+		for _, v := range scope.vars {
+			if v.key != name {
+				continue
+			}
+			e.EncodeUint(substituteVar) // TODO: support arity > 0
+			e.EncodeUint(uint64(v.offset))
+			return
+		}
+	}
+	// TODO: refer to dictionary-wide scoped variables.
+	e.EncodeUint(substituteError)
+	e.EncodeString(name)
+	e.setError(fmt.Errorf("catmsg: unknown var %q", name))
+}
+
+// A Decoder deserializes and evaluates messages that are encoded by an encoder.
+type Decoder struct {
+	tag    language.Tag
+	dst    Renderer
+	macros Dictionary
+
+	err  error
+	vars string
+	data string
+
+	macroArg int // TODO: allow more than one argument
+}
+
+// NewDecoder returns a new Decoder.
+//
+// Decoders are designed to be reused for multiple invocations of Execute.
+// Only one goroutine may call Execute concurrently.
+func NewDecoder(tag language.Tag, r Renderer, macros Dictionary) *Decoder {
+	return &Decoder{
+		tag:    tag,
+		dst:    r,
+		macros: macros,
+	}
+}
+
+func (d *Decoder) setError(err error) {
+	if d.err == nil {
+		d.err = err
+	}
+}
+
+// Language returns the language in which the message is being rendered.
+//
+// The destination language may be a child language of the language used for
+// encoding. For instance, a decoding language of "pt-PT"" is consistent with an
+// encoding language of "pt".
+func (d *Decoder) Language() language.Tag { return d.tag }
+
+// Done reports whether there are more bytes to process in this message.
+func (d *Decoder) Done() bool { return len(d.data) == 0 }
+
+// Render implements Renderer.
+func (d *Decoder) Render(s string) { d.dst.Render(s) }
+
+// Arg implements Renderer.
+//
+// During evaluation of macros, the argument positions may be mapped to
+// arguments that differ from the original call.
+func (d *Decoder) Arg(i int) interface{} {
+	if d.macroArg != 0 {
+		if i != 1 {
+			panic("catmsg: only macros with single argument supported")
+		}
+		i = d.macroArg
+	}
+	return d.dst.Arg(i)
+}
+
+// DecodeUint decodes a number that was encoded with EncodeUint and advances the
+// position.
+func (d *Decoder) DecodeUint() uint64 {
+	x, n, err := decodeUintString(d.data)
+	d.data = d.data[n:]
+	if err != nil {
+		d.setError(err)
+	}
+	return x
+}
+
+// DecodeString decodes a string that was encoded with EncodeString and advances
+// the position.
+func (d *Decoder) DecodeString() string {
+	size := d.DecodeUint()
+	s := d.data[:size]
+	d.data = d.data[size:]
+	return s
+}
+
+// SkipMessage skips the message at the current location and advances the
+// position.
+func (d *Decoder) SkipMessage() {
+	n := int(d.DecodeUint())
+	d.data = d.data[n:]
+}
+
+// Execute decodes and evaluates msg.
+//
+// Only one goroutine may call execute.
+func (d *Decoder) Execute(msg string) error {
+	d.err = nil
+	if !d.execute(msg) {
+		return ErrNoMatch
+	}
+	return d.err
+}
+
+func (d *Decoder) execute(msg string) bool {
+	saved := d.data
+	d.data = msg
+	ok := d.executeMessage()
+	d.data = saved
+	return ok
+}
+
+// executeMessageFromData is like execute, but also decodes a leading message
+// size and clips the given string accordingly.
+//
+// It reports the number of bytes consumed and whether a message was selected.
+func (d *Decoder) executeMessageFromData(s string) (n int, ok bool) {
+	saved := d.data
+	d.data = s
+	size := int(d.DecodeUint())
+	n = len(s) - len(d.data)
+	// Sanitize the setting. This allows skipping a size argument for
+	// RawString and method Done.
+	d.data = d.data[:size]
+	ok = d.executeMessage()
+	n += size - len(d.data)
+	d.data = saved
+	return n, ok
+}
+
+var errUnknownHandler = errors.New("catmsg: string contains unsupported handler")
+
+// executeMessage reads the handle id, initializes the decoder and executes the
+// message. It is assumed that all of d.data[d.p:] is the single message.
+func (d *Decoder) executeMessage() bool {
+	if d.Done() {
+		// We interpret no data as a valid empty message.
+		return true
+	}
+	handle := d.DecodeUint()
+
+	var fn Handler
+	mutex.Lock()
+	if int(handle) < len(handlers) {
+		fn = handlers[handle]
+	}
+	mutex.Unlock()
+	if fn == nil {
+		d.setError(errUnknownHandler)
+		d.execute(fmt.Sprintf("\x02$!(UNKNOWNMSGHANDLER=%#x)", handle))
+		return true
+	}
+	return fn(d)
+}
+
+// ExecuteMessage decodes and executes the message at the current position.
+func (d *Decoder) ExecuteMessage() bool {
+	n, ok := d.executeMessageFromData(d.data)
+	d.data = d.data[n:]
+	return ok
+}
+
+// ExecuteSubstitution executes the message corresponding to the substitution
+// as encoded by EncodeSubstitution.
+func (d *Decoder) ExecuteSubstitution() {
+	switch x := d.DecodeUint(); x {
+	case substituteVar:
+		offset := d.DecodeUint()
+		d.executeMessageFromData(d.vars[offset:])
+	case substituteMacro:
+		name := d.DecodeString()
+		data, ok := d.macros.Lookup(name)
+		old := d.macroArg
+		// TODO: support macros of arity other than 1.
+		d.macroArg = int(d.DecodeUint())
+		switch {
+		case !ok:
+			// TODO: detect this at creation time.
+			d.setError(fmt.Errorf("catmsg: undefined macro %q", name))
+			fallthrough
+		case !d.execute(data):
+			d.dst.Render(name) // fall back to macro name.
+		}
+		d.macroArg = old
+	case substituteError:
+		d.dst.Render(d.DecodeString())
+	default:
+		panic("catmsg: unreachable")
+	}
+}
diff --git a/vendor/golang.org/x/text/unicode/norm/input.go b/vendor/golang.org/x/text/unicode/norm/input.go
index 045d4ccce..479e35bc2 100644
--- a/vendor/golang.org/x/text/unicode/norm/input.go
+++ b/vendor/golang.org/x/text/unicode/norm/input.go
@@ -90,16 +90,20 @@ func (in *input) charinfoNFKC(p int) (uint16, int) {
 }
 
 func (in *input) hangul(p int) (r rune) {
+	var size int
 	if in.bytes == nil {
 		if !isHangulString(in.str[p:]) {
 			return 0
 		}
-		r, _ = utf8.DecodeRuneInString(in.str[p:])
+		r, size = utf8.DecodeRuneInString(in.str[p:])
 	} else {
 		if !isHangul(in.bytes[p:]) {
 			return 0
 		}
-		r, _ = utf8.DecodeRune(in.bytes[p:])
+		r, size = utf8.DecodeRune(in.bytes[p:])
+	}
+	if size != hangulUTF8Size {
+		return 0
 	}
 	return r
 }
diff --git a/vendor/golang.org/x/text/unicode/norm/normalize_test.go b/vendor/golang.org/x/text/unicode/norm/normalize_test.go
index 69a84bfaa..4f837372c 100644
--- a/vendor/golang.org/x/text/unicode/norm/normalize_test.go
+++ b/vendor/golang.org/x/text/unicode/norm/normalize_test.go
@@ -699,6 +699,24 @@ var appendTestsNFC = []AppendTest{
 		"\u0d4a" + strings.Repeat("\u0d3e", 30),
 		"\u0d4a" + strings.Repeat("\u0d3e", 29) + cgj + "\u0d3e",
 	},
+
+	{ //  https://golang.org/issues/20079
+		"",
+		"\xeb\u0344",
+		"\xeb\u0308\u0301",
+	},
+
+	{ //  https://golang.org/issues/20079
+		"",
+		"\uac00" + strings.Repeat("\u0300", 30),
+		"\uac00" + strings.Repeat("\u0300", 29) + "\u034f\u0300",
+	},
+
+	{ //  https://golang.org/issues/20079
+		"",
+		"\xeb" + strings.Repeat("\u0300", 31),
+		"\xeb" + strings.Repeat("\u0300", 30) + "\u034f\u0300",
+	},
 }
 
 var appendTestsNFD = []AppendTest{
diff --git a/vendor/golang.org/x/time/rate/rate.go b/vendor/golang.org/x/time/rate/rate.go
index f65729230..eabcd1147 100644
--- a/vendor/golang.org/x/time/rate/rate.go
+++ b/vendor/golang.org/x/time/rate/rate.go
@@ -6,7 +6,6 @@
 package rate
 
 import (
-	"context"
 	"fmt"
 	"math"
 	"sync"
@@ -213,8 +212,19 @@ func (lim *Limiter) ReserveN(now time.Time, n int) *Reservation {
 	return &r
 }
 
+// contextContext is a temporary(?) copy of the context.Context type
+// to support both Go 1.6 using golang.org/x/net/context and Go 1.7+
+// with the built-in context package. If people ever stop using Go 1.6
+// we can remove this.
+type contextContext interface {
+	Deadline() (deadline time.Time, ok bool)
+	Done() <-chan struct{}
+	Err() error
+	Value(key interface{}) interface{}
+}
+
 // Wait is shorthand for WaitN(ctx, 1).
-func (lim *Limiter) Wait(ctx context.Context) (err error) {
+func (lim *Limiter) wait(ctx contextContext) (err error) {
 	return lim.WaitN(ctx, 1)
 }
 
@@ -222,7 +232,7 @@ func (lim *Limiter) Wait(ctx context.Context) (err error) {
 // It returns an error if n exceeds the Limiter's burst size, the Context is
 // canceled, or the expected wait time exceeds the Context's Deadline.
 // The burst limit is ignored if the rate limit is Inf.
-func (lim *Limiter) WaitN(ctx context.Context, n int) (err error) {
+func (lim *Limiter) waitN(ctx contextContext, n int) (err error) {
 	if n > lim.burst && lim.limit != Inf {
 		return fmt.Errorf("rate: Wait(n=%d) exceeds limiter's burst %d", n, lim.burst)
 	}
diff --git a/vendor/golang.org/x/time/rate/rate_go16.go b/vendor/golang.org/x/time/rate/rate_go16.go
new file mode 100644
index 000000000..6bab1850f
--- /dev/null
+++ b/vendor/golang.org/x/time/rate/rate_go16.go
@@ -0,0 +1,21 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !go1.7
+
+package rate
+
+import "golang.org/x/net/context"
+
+// Wait is shorthand for WaitN(ctx, 1).
+func (lim *Limiter) Wait(ctx context.Context) (err error) {
+	return lim.waitN(ctx, 1)
+}
+
+// WaitN blocks until lim permits n events to happen.
+// It returns an error if n exceeds the Limiter's burst size, the Context is
+// canceled, or the expected wait time exceeds the Context's Deadline.
+func (lim *Limiter) WaitN(ctx context.Context, n int) (err error) {
+	return lim.waitN(ctx, n)
+}
diff --git a/vendor/golang.org/x/time/rate/rate_go17.go b/vendor/golang.org/x/time/rate/rate_go17.go
new file mode 100644
index 000000000..f90d85f51
--- /dev/null
+++ b/vendor/golang.org/x/time/rate/rate_go17.go
@@ -0,0 +1,21 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.7
+
+package rate
+
+import "context"
+
+// Wait is shorthand for WaitN(ctx, 1).
+func (lim *Limiter) Wait(ctx context.Context) (err error) {
+	return lim.waitN(ctx, 1)
+}
+
+// WaitN blocks until lim permits n events to happen.
+// It returns an error if n exceeds the Limiter's burst size, the Context is
+// canceled, or the expected wait time exceeds the Context's Deadline.
+func (lim *Limiter) WaitN(ctx context.Context, n int) (err error) {
+	return lim.waitN(ctx, n)
+}
diff --git a/vendor/golang.org/x/time/rate/rate_test.go b/vendor/golang.org/x/time/rate/rate_test.go
index 9600efaa6..e8add694f 100644
--- a/vendor/golang.org/x/time/rate/rate_test.go
+++ b/vendor/golang.org/x/time/rate/rate_test.go
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+// +build go1.7
+
 package rate
 
 import (
@@ -163,6 +165,9 @@ func TestSimultaneousRequests(t *testing.T) {
 }
 
 func TestLongRunningQPS(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping in short mode")
+	}
 	if runtime.GOOS == "openbsd" {
 		t.Skip("low resolution time.Sleep invalidates test (golang.org/issue/14183)")
 		return
-- 
cgit v1.2.3-1-g7c22