Change-Id: I978f6df491a19a9c45ab906dbc5194b8665bf4a5
Reviewed-on: https://go-review.googlesource.com/c/go/+/287352
Run-TryBot: Alexander Rakoczy <[email protected]>
Trust: Alexander Rakoczy <[email protected]>
TryBot-Result: Go Bot <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

1004a7c runtime/metrics: update documentation to current interface
6530f26 doc/go1.16: remove draft notice
353e111 doc/go1.16: fix mismatched id attribute
f0d23c9 internal/poll: netpollcheckerr before sendfile
0cb3415 doc: remove all docs not tied to distribution
626ef08 doc: remove install.html and install-source.html
30641e3 internal/poll: if copy_file_range returns 0, assume it failed
33d72fd doc/faq: update generics entry to reflect accepted proposal
852ce7c cmd/go: provide a more helpful suggestion for "go vet -?"
66c2709 cmd/link: fix typo in link_test.go
ff0e93e doc/go1.16: note that package path elements beginning with '.' are disallowed
249da7e CONTRIBUTORS: update for the Go 1.16 release
864d4f1 cmd/go: multiple small 'go help' fixes
26ceae8 spec: More precise wording in section on function calls.
930c2c9 cmd/go: reject embedded files that can't be packed into modules
e5b08e6 io/fs: allow backslash in ValidPath, reject in os.DirFS.Open
ed80790 cmd/compile: mark concrete call of reflect.(*rtype).Method as REFLECTMETHOD
e9c9683 cmd/go: suppress errors from 'go get -d' for packages that only conditionally exist
e0ac989 archive/tar: detect out of bounds accesses in PAX records resulting from padded lengths
c9d6f45 runtime/metrics: fix a couple of documentation typpos
cea4e21 io/fs: backslash is always a glob meta character
dc725bf doc/go1.16: mention new vet check for asn1.Unmarshal
1901853 runtime/metrics: fix panic in readingAllMetric example
ed3e4af syscall/plan9: remove spooky fd action at a distance
724d072 doc/go1.16: add missed heading tag in vet section
b54cd94 embed, io/fs: clarify that leading and trailing slashes are disallowed
4516afe testing/fstest: avoid symlink-induced failures in tester
8869086 runtime: fix typo in histogram.go
e491c6e math/big: fix comment in divRecursiveStep
fca94ab spec: improve the example in Type assertions section
98f8454 cmd/link: don't decode type symbol in shared library in deadcode
1426a57 cmd/link: fix off-by-1 error in findShlibSection
32e789f test: fix incorrectly laid out instructions in issue11656.go
0b6cfea doc/go1.16: document that on OpenBSD syscalls are now made through libc
26e29aa cmd/link: disable TestPIESize if CGO isn't enabled
6ac91e4 doc/go1.16: minor markup fixes
4436114 embed: update docs for proposal tweaks
68058ed runtime: document pointer write atomicity for memclrNoHeapPointers
c8bd801 syscall: generate readlen/writelen for openbsd libc
41bb49b cmd/go: revert TestScript/build_trimpath to use ioutil.ReadFile
725a642 runtime: correct syscall10/syscall10X on openbsd/amd64
4b068ca doc/go1.16: document go/build/constraint package
376518d runtime,syscall: convert syscall on openbsd/arm64 to libc

Change-Id: Icfe3d849f459eda48d7d786d0cd7b082c9c2c325

Change-Id: I4c1350e0cb74ebfde5832973979e02997476d16c
Reviewed-on: https://go-review.googlesource.com/c/go/+/292609
TryBot-Result: Go Bot <[email protected]>
Trust: Alexander Rakoczy <[email protected]>
Run-TryBot: Alexander Rakoczy <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Carlos Amedee <[email protected]>

Co-authored-by: Christopher Patton <[email protected]>

Adds initial support for the Encrypted ClientHello (ECH) extension, as
specified by draft-ietf-tls-esni-08. A few features are not implemented,
including client- and server-side padding.

This commit also adds basic support for handshake metrics:

* Adds a callback `EventHandler()` to `Config`, which can be called at
various points during the handshake to respond to various events. For
example, this callback can be used to record metrics.
* Adds calls to `EventHandler()` just before closing the TLS connection
for resolving ECH usage: whether the client offered, greased, or
bypassed ECH; and whether the server accepted, rejected, or bypassed
ECH.

- Update cf-copy-from-circle.py to exclude some unused packages that
  were breaking the build.
- Fix some API changes.

Extend the experimental Event API with two new event instances:
one for client and server intra-handshake state machine durations,
respectively. Each event records elapsed timestamps (durations)
for relevant events during the course of a connection, such as
reading and writing handshake messages of interest. This will be
useful for recording intra-stack costs of TLS extensions such as
ECH and KEMTLS.

The server sends an HRR if the client does not offer a key share for a
key exchange algorithm the server doesn't support. For testing purposes,
it's useful to trigger this codepath manually. If testingTriggerHRR is
set, then the server only advertises support for algorithms that the
client supports, but did not provide a key share for.

This change fixes a bug in the trigger logic. It seemed to work for the
existing algorithm preferences, but could break if the preferences
change.

This adds an implementation of HPKE-07, which is required for ECH-09.

Most significant spec changes include:
* Bump HPKE-05 to -07.
* Derive acceptance confirmation from handshake secret.
* Reuse HPKE context across HRR.
* Use a new codepoint to distinguish between CHI/CHO.
* Bind context handle to AEAD encryption.

Other changes:
* Remove hrrPsk from ECHProvider.Context (breaks API).
* Prune retry configs of unknown version returned by the ECH provider.
* Add EXP_ECHKeySet, a default implementation of the ECH provider. (This
  will be useful for interop testing.)
* Require that the ECH extension not appear in OuterExtensions.
* Add event handler for outer SNI / public name mismatch.
* Remove implementation of HPKE-05

* Rename EXP_Event to CFEvent.
* Move CFEvent implementations to tls_cf.go.
* Add CFControl parameter to Config. This value will be used to
propagate Cloudflare-internal logic from the TLS configuration to HTTP
requests.

Manually removed Ristretto code because it has external dependencies.

This change upgrades CIRCL's implementation of draft-irtf-cfrg-hpke-07
to 08. This breaks unit tests for ECH in crypto/tls, which currently
expects HPKE-07. It also modifies the implementation of OPRF.

Manually removed Ristretto code, which includes external dependencies
that break ./all.bash.

This change adds support for ECH-10 and removes support for ECH-09. The
primary changes are moving to HPKE-08 and changing the ECHConfig
identifier from a client-computed value to a server-chosen value.
ECHProviders MUST use rejection sampling in choosing the configuration
identifier so as to not introduce conflicts.

…using the same mechanisms used to fetch certificates #67 (#69)

Refactor new API

Address comments from review

Address comments from review 2

Address comments from review 3

Small fixes to the API