update mint

2018-02-25 11:58:35 +08:00
parent 6ca44459e5
commit d1ccef51a7
7 changed files with 148 additions and 97 deletions
--- a/vendor/github.com/bifurcation/mint/client-state-machine.go
+++ b/vendor/github.com/bifurcation/mint/client-state-machine.go
@@ -50,7 +50,7 @@ import (
 //  WAIT_FINISHED			RekeyIn; [Send(EOED);] RekeyOut; [SendCert; SendCV;] SendFin; RekeyOut;
 //  CONNECTED					StoreTicket || (RekeyIn; [RekeyOut])

-type ClientStateStart struct {
+type clientStateStart struct {
 	Config *Config
 	Opts   ConnectionOptions
 	Params ConnectionParameters
@@ -61,13 +61,13 @@ type ClientStateStart struct {
 	hsCtx             HandshakeContext
 }

-var _ HandshakeState = &ClientStateStart{}
+var _ HandshakeState = &clientStateStart{}

-func (state ClientStateStart) State() State {
+func (state clientStateStart) State() State {
 	return StateClientStart
 }

-func (state ClientStateStart) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state clientStateStart) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	// key_shares
 	offeredDH := map[NamedGroup][]byte{}
 	ks := KeyShareExtension{
@@ -268,7 +268,7 @@ func (state ClientStateStart) Next(hr handshakeMessageReader) (HandshakeState, [

 	logf(logTypeHandshake, "[ClientStateStart] -> [ClientStateWaitSH]")
 	state.hsCtx.SetVersion(tls12Version) // Everything after this should be 1.2.
-	nextState := ClientStateWaitSH{
+	nextState := clientStateWaitSH{
 		Config:     state.Config,
 		Opts:       state.Opts,
 		Params:     state.Params,
@@ -298,7 +298,7 @@ func (state ClientStateStart) Next(hr handshakeMessageReader) (HandshakeState, [
 	return nextState, toSend, AlertNoAlert
 }

-type ClientStateWaitSH struct {
+type clientStateWaitSH struct {
 	Config     *Config
 	Opts       ConnectionOptions
 	Params     ConnectionParameters
@@ -315,13 +315,13 @@ type ClientStateWaitSH struct {
 	clientHello       *HandshakeMessage
 }

-var _ HandshakeState = &ClientStateWaitSH{}
+var _ HandshakeState = &clientStateWaitSH{}

-func (state ClientStateWaitSH) State() State {
+func (state clientStateWaitSH) State() State {
 	return StateClientWaitSH
 }

-func (state ClientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state clientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -413,7 +413,7 @@ func (state ClientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState,
 		}

 		logf(logTypeHandshake, "[ClientStateWaitSH] -> [ClientStateStart]")
-		return ClientStateStart{
+		return clientStateStart{
 			Config:            state.Config,
 			Opts:              state.Opts,
 			hsCtx:             state.hsCtx,
@@ -517,7 +517,7 @@ func (state ClientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState,
 	serverHandshakeKeys := makeTrafficKeys(params, serverHandshakeTrafficSecret)

 	logf(logTypeHandshake, "[ClientStateWaitSH] -> [ClientStateWaitEE]")
-	nextState := ClientStateWaitEE{
+	nextState := clientStateWaitEE{
 		Config:                       state.Config,
 		Params:                       state.Params,
 		hsCtx:                        state.hsCtx,
@@ -533,7 +533,7 @@ func (state ClientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState,
 	return nextState, toSend, AlertNoAlert
 }

-type ClientStateWaitEE struct {
+type clientStateWaitEE struct {
 	Config                       *Config
 	Params                       ConnectionParameters
 	hsCtx                        HandshakeContext
@@ -544,13 +544,13 @@ type ClientStateWaitEE struct {
 	serverHandshakeTrafficSecret []byte
 }

-var _ HandshakeState = &ClientStateWaitEE{}
+var _ HandshakeState = &clientStateWaitEE{}

-func (state ClientStateWaitEE) State() State {
+func (state clientStateWaitEE) State() State {
 	return StateClientWaitEE
 }

-func (state ClientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state clientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -598,7 +598,7 @@ func (state ClientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState,

 	if state.Params.UsingPSK {
 		logf(logTypeHandshake, "[ClientStateWaitEE] -> [ClientStateWaitFinished]")
-		nextState := ClientStateWaitFinished{
+		nextState := clientStateWaitFinished{
 			Params:                       state.Params,
 			hsCtx:                        state.hsCtx,
 			cryptoParams:                 state.cryptoParams,
@@ -612,7 +612,7 @@ func (state ClientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState,
 	}

 	logf(logTypeHandshake, "[ClientStateWaitEE] -> [ClientStateWaitCertCR]")
-	nextState := ClientStateWaitCertCR{
+	nextState := clientStateWaitCertCR{
 		Config:                       state.Config,
 		Params:                       state.Params,
 		hsCtx:                        state.hsCtx,
@@ -625,7 +625,7 @@ func (state ClientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState,
 	return nextState, nil, AlertNoAlert
 }

-type ClientStateWaitCertCR struct {
+type clientStateWaitCertCR struct {
 	Config                       *Config
 	Params                       ConnectionParameters
 	hsCtx                        HandshakeContext
@@ -636,13 +636,13 @@ type ClientStateWaitCertCR struct {
 	serverHandshakeTrafficSecret []byte
 }

-var _ HandshakeState = &ClientStateWaitCertCR{}
+var _ HandshakeState = &clientStateWaitCertCR{}

-func (state ClientStateWaitCertCR) State() State {
+func (state clientStateWaitCertCR) State() State {
 	return StateClientWaitCertCR
 }

-func (state ClientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state clientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -663,7 +663,7 @@ func (state ClientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeSta
 	switch body := bodyGeneric.(type) {
 	case *CertificateBody:
 		logf(logTypeHandshake, "[ClientStateWaitCertCR] -> [ClientStateWaitCV]")
-		nextState := ClientStateWaitCV{
+		nextState := clientStateWaitCV{
 			Config:                       state.Config,
 			Params:                       state.Params,
 			hsCtx:                        state.hsCtx,
@@ -686,7 +686,7 @@ func (state ClientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeSta
 		state.Params.UsingClientAuth = true

 		logf(logTypeHandshake, "[ClientStateWaitCertCR] -> [ClientStateWaitCert]")
-		nextState := ClientStateWaitCert{
+		nextState := clientStateWaitCert{
 			Config:                       state.Config,
 			Params:                       state.Params,
 			hsCtx:                        state.hsCtx,
@@ -703,7 +703,7 @@ func (state ClientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeSta
 	return nil, nil, AlertUnexpectedMessage
 }

-type ClientStateWaitCert struct {
+type clientStateWaitCert struct {
 	Config        *Config
 	Params        ConnectionParameters
 	hsCtx         HandshakeContext
@@ -717,13 +717,13 @@ type ClientStateWaitCert struct {
 	serverHandshakeTrafficSecret []byte
 }

-var _ HandshakeState = &ClientStateWaitCert{}
+var _ HandshakeState = &clientStateWaitCert{}

-func (state ClientStateWaitCert) State() State {
+func (state clientStateWaitCert) State() State {
 	return StateClientWaitCert
 }

-func (state ClientStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state clientStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -742,7 +742,7 @@ func (state ClientStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState
 	state.handshakeHash.Write(hm.Marshal())

 	logf(logTypeHandshake, "[ClientStateWaitCert] -> [ClientStateWaitCV]")
-	nextState := ClientStateWaitCV{
+	nextState := clientStateWaitCV{
 		Config:                       state.Config,
 		Params:                       state.Params,
 		hsCtx:                        state.hsCtx,
@@ -757,7 +757,7 @@ func (state ClientStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState
 	return nextState, nil, AlertNoAlert
 }

-type ClientStateWaitCV struct {
+type clientStateWaitCV struct {
 	Config        *Config
 	Params        ConnectionParameters
 	hsCtx         HandshakeContext
@@ -772,13 +772,13 @@ type ClientStateWaitCV struct {
 	serverHandshakeTrafficSecret []byte
 }

-var _ HandshakeState = &ClientStateWaitCV{}
+var _ HandshakeState = &clientStateWaitCV{}

-func (state ClientStateWaitCV) State() State {
+func (state clientStateWaitCV) State() State {
 	return StateClientWaitCV
 }

-func (state ClientStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state clientStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -843,7 +843,7 @@ func (state ClientStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState,
 	state.handshakeHash.Write(hm.Marshal())

 	logf(logTypeHandshake, "[ClientStateWaitCV] -> [ClientStateWaitFinished]")
-	nextState := ClientStateWaitFinished{
+	nextState := clientStateWaitFinished{
 		Params:                       state.Params,
 		hsCtx:                        state.hsCtx,
 		cryptoParams:                 state.cryptoParams,
@@ -859,7 +859,7 @@ func (state ClientStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState,
 	return nextState, nil, AlertNoAlert
 }

-type ClientStateWaitFinished struct {
+type clientStateWaitFinished struct {
 	Params        ConnectionParameters
 	hsCtx         HandshakeContext
 	cryptoParams  CipherSuiteParams
@@ -875,13 +875,13 @@ type ClientStateWaitFinished struct {
 	serverHandshakeTrafficSecret []byte
 }

-var _ HandshakeState = &ClientStateWaitFinished{}
+var _ HandshakeState = &clientStateWaitFinished{}

-func (state ClientStateWaitFinished) State() State {
+func (state clientStateWaitFinished) State() State {
 	return StateClientWaitFinished
 }

-func (state ClientStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state clientStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -1046,7 +1046,7 @@ func (state ClientStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeS
 	}...)

 	logf(logTypeHandshake, "[ClientStateWaitFinished] -> [StateConnected]")
-	nextState := StateConnected{
+	nextState := stateConnected{
 		Params:              state.Params,
 		hsCtx:               state.hsCtx,
 		isClient:            true,
--- a/vendor/github.com/bifurcation/mint/common.go
+++ b/vendor/github.com/bifurcation/mint/common.go
@@ -201,6 +201,8 @@ func (s State) String() string {
 		return "Client WAIT_CV"
 	case StateClientWaitFinished:
 		return "Client WAIT_FINISHED"
+	case StateClientWaitCertCR:
+		return "Client WAIT_CERT_CR"
 	case StateClientConnected:
 		return "Client CONNECTED"
 	case StateServerStart:
--- a/vendor/github.com/bifurcation/mint/conn.go
+++ b/vendor/github.com/bifurcation/mint/conn.go
@@ -265,7 +265,7 @@ type Conn struct {

 	EarlyData []byte

-	state             StateConnected
+	state             stateConnected
 	hState            HandshakeState
 	handshakeMutex    sync.Mutex
 	handshakeAlert    Alert
@@ -345,7 +345,7 @@ func (c *Conn) consumeRecord() error {
 			}

 			var connected bool
-			c.state, connected = state.(StateConnected)
+			c.state, connected = state.(stateConnected)
 			if !connected {
 				logf(logTypeHandshake, "Disconnected after state transition: %v", alert)
 				c.sendAlert(alert)
@@ -385,7 +385,7 @@ func (c *Conn) consumeRecord() error {
 // Read application data up to the size of buffer.  Handshake and alert records
 // are consumed by the Conn object directly.
 func (c *Conn) Read(buffer []byte) (int, error) {
-	if _, connected := c.hState.(StateConnected); !connected && c.config.NonBlocking {
+	if _, connected := c.hState.(stateConnected); !connected {
 		return 0, errors.New("Read called before the handshake completed")
 	}
 	logf(logTypeHandshake, "conn.Read with buffer = %d", len(buffer))
@@ -661,7 +661,7 @@ func (c *Conn) HandshakeSetup() Alert {
 	}

 	if c.isClient {
-		state, actions, alert = ClientStateStart{Config: c.config, Opts: opts, hsCtx: c.hsCtx}.Next(nil)
+		state, actions, alert = clientStateStart{Config: c.config, Opts: opts, hsCtx: c.hsCtx}.Next(nil)
 		if alert != AlertNoAlert {
 			logf(logTypeHandshake, "Error initializing client state: %v", alert)
 			return alert
@@ -688,7 +688,7 @@ func (c *Conn) HandshakeSetup() Alert {
 				return AlertInternalError
 			}
 		}
-		state = ServerStateStart{Config: c.config, conn: c, hsCtx: c.hsCtx}
+		state = serverStateStart{Config: c.config, conn: c, hsCtx: c.hsCtx}
 	}

 	c.hState = state
@@ -751,7 +751,7 @@ func (c *Conn) Handshake() Alert {

 	logf(logTypeHandshake, "(Re-)entering handshake, state=%v", c.hState)
 	state := c.hState
-	_, connected := state.(StateConnected)
+	_, connected := state.(stateConnected)

 	hmr := &handshakeMessageReaderImpl{hsCtx: &c.hsCtx}
 	for !connected {
@@ -784,9 +784,9 @@ func (c *Conn) Handshake() Alert {

 		c.hState = state
 		logf(logTypeHandshake, "state is now %s", c.GetHsState())
-		_, connected = state.(StateConnected)
+		_, connected = state.(stateConnected)
 		if connected {
-			c.state = state.(StateConnected)
+			c.state = state.(stateConnected)
 			c.handshakeComplete = true
 		}

@@ -852,7 +852,7 @@ func (c *Conn) GetHsState() State {
 }

 func (c *Conn) ComputeExporter(label string, context []byte, keyLength int) ([]byte, error) {
-	_, connected := c.hState.(StateConnected)
+	_, connected := c.hState.(stateConnected)
 	if !connected {
 		return nil, fmt.Errorf("Cannot compute exporter when state is not connected")
 	}
--- a/vendor/github.com/bifurcation/mint/crypto.go
+++ b/vendor/github.com/bifurcation/mint/crypto.go
@@ -11,9 +11,11 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/asn1"
 	"fmt"
 	"math/big"
+	"time"

 	"golang.org/x/crypto/curve25519"

@@ -616,3 +618,50 @@ func makeTrafficKeys(params CipherSuiteParams, secret []byte) keySet {
 		iv:     HkdfExpandLabel(params.Hash, secret, "iv", []byte{}, params.IvLen),
 	}
 }
+
+func MakeNewSelfSignedCert(name string, alg SignatureScheme) (crypto.Signer, *x509.Certificate, error) {
+	priv, err := newSigningKey(alg)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cert, err := newSelfSigned(name, alg, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+	return priv, cert, nil
+}
+
+func newSelfSigned(name string, alg SignatureScheme, priv crypto.Signer) (*x509.Certificate, error) {
+	sigAlg, ok := x509AlgMap[alg]
+	if !ok {
+		return nil, fmt.Errorf("tls.selfsigned: Unknown signature algorithm [%04x]", alg)
+	}
+	if len(name) == 0 {
+		return nil, fmt.Errorf("tls.selfsigned: No name provided")
+	}
+
+	serial, err := rand.Int(rand.Reader, big.NewInt(0xA0A0A0A0))
+	if err != nil {
+		return nil, err
+	}
+
+	template := &x509.Certificate{
+		SerialNumber:       serial,
+		NotBefore:          time.Now(),
+		NotAfter:           time.Now().AddDate(0, 0, 1),
+		SignatureAlgorithm: sigAlg,
+		Subject:            pkix.Name{CommonName: name},
+		DNSNames:           []string{name},
+		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:        []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+	}
+	der, err := x509.CreateCertificate(prng, template, template, priv.Public(), priv)
+	if err != nil {
+		return nil, err
+	}
+
+	// It is safe to ignore the error here because we're parsing known-good data
+	cert, _ := x509.ParseCertificate(der)
+	return cert, nil
+}
--- a/vendor/github.com/bifurcation/mint/server-state-machine.go
+++ b/vendor/github.com/bifurcation/mint/server-state-machine.go
@@ -71,19 +71,19 @@ type cookie struct {
 	ApplicationCookie []byte `tls:"head=2"`
 }

-type ServerStateStart struct {
+type serverStateStart struct {
 	Config *Config
 	conn   *Conn
 	hsCtx  HandshakeContext
 }

-var _ HandshakeState = &ServerStateStart{}
+var _ HandshakeState = &serverStateStart{}

-func (state ServerStateStart) State() State {
+func (state serverStateStart) State() State {
 	return StateServerStart
 }

-func (state ServerStateStart) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state serverStateStart) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -381,7 +381,7 @@ func (state ServerStateStart) Next(hr handshakeMessageReader) (HandshakeState, [

 	logf(logTypeHandshake, "[ServerStateStart] -> [ServerStateNegotiated]")
 	state.hsCtx.SetVersion(tls12Version) // Everything after this should be 1.2.
-	return ServerStateNegotiated{
+	return serverStateNegotiated{
 		Config:                   state.Config,
 		Params:                   connParams,
 		hsCtx:                    state.hsCtx,
@@ -401,7 +401,7 @@ func (state ServerStateStart) Next(hr handshakeMessageReader) (HandshakeState, [
 	}, nil, AlertNoAlert
 }

-func (state *ServerStateStart) generateHRR(cs CipherSuite, legacySessionId []byte,
+func (state *serverStateStart) generateHRR(cs CipherSuite, legacySessionId []byte,
 	cookieExt *CookieExtension) (*HandshakeMessage, error) {
 	var helloRetryRequest *HandshakeMessage
 	hrr := &ServerHelloBody{
@@ -442,7 +442,7 @@ func (state *ServerStateStart) generateHRR(cs CipherSuite, legacySessionId []byt
 	return helloRetryRequest, nil
 }

-type ServerStateNegotiated struct {
+type serverStateNegotiated struct {
 	Config                   *Config
 	Params                   ConnectionParameters
 	hsCtx                    HandshakeContext
@@ -460,13 +460,13 @@ type ServerStateNegotiated struct {
 	clientHello              *HandshakeMessage
 }

-var _ HandshakeState = &ServerStateNegotiated{}
+var _ HandshakeState = &serverStateNegotiated{}

-func (state ServerStateNegotiated) State() State {
+func (state serverStateNegotiated) State() State {
 	return StateServerNegotiated
 }

-func (state ServerStateNegotiated) Next(_ handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state serverStateNegotiated) Next(_ handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	// Create the ServerHello
 	sh := &ServerHelloBody{
 		Version:                 tls12Version,
@@ -717,7 +717,7 @@ func (state ServerStateNegotiated) Next(_ handshakeMessageReader) (HandshakeStat
 		clientEarlyTrafficKeys := makeTrafficKeys(params, state.clientEarlyTrafficSecret)

 		logf(logTypeHandshake, "[ServerStateNegotiated] -> [ServerStateWaitEOED]")
-		nextState := ServerStateWaitEOED{
+		nextState := serverStateWaitEOED{
 			Config:                       state.Config,
 			Params:                       state.Params,
 			hsCtx:                        state.hsCtx,
@@ -741,7 +741,7 @@ func (state ServerStateNegotiated) Next(_ handshakeMessageReader) (HandshakeStat
 		RekeyIn{epoch: EpochHandshakeData, KeySet: clientHandshakeKeys},
 		ReadPastEarlyData{},
 	}...)
-	waitFlight2 := ServerStateWaitFlight2{
+	waitFlight2 := serverStateWaitFlight2{
 		Config:                       state.Config,
 		Params:                       state.Params,
 		hsCtx:                        state.hsCtx,
@@ -756,7 +756,7 @@ func (state ServerStateNegotiated) Next(_ handshakeMessageReader) (HandshakeStat
 	return waitFlight2, toSend, AlertNoAlert
 }

-type ServerStateWaitEOED struct {
+type serverStateWaitEOED struct {
 	Config                       *Config
 	Params                       ConnectionParameters
 	hsCtx                        HandshakeContext
@@ -769,13 +769,13 @@ type ServerStateWaitEOED struct {
 	exporterSecret               []byte
 }

-var _ HandshakeState = &ServerStateWaitEOED{}
+var _ HandshakeState = &serverStateWaitEOED{}

-func (state ServerStateWaitEOED) State() State {
+func (state serverStateWaitEOED) State() State {
 	return StateServerWaitEOED
 }

-func (state ServerStateWaitEOED) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state serverStateWaitEOED) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -798,7 +798,7 @@ func (state ServerStateWaitEOED) Next(hr handshakeMessageReader) (HandshakeState
 	toSend := []HandshakeAction{
 		RekeyIn{epoch: EpochHandshakeData, KeySet: clientHandshakeKeys},
 	}
-	waitFlight2 := ServerStateWaitFlight2{
+	waitFlight2 := serverStateWaitFlight2{
 		Config:                       state.Config,
 		Params:                       state.Params,
 		hsCtx:                        state.hsCtx,
@@ -813,7 +813,7 @@ func (state ServerStateWaitEOED) Next(hr handshakeMessageReader) (HandshakeState
 	return waitFlight2, toSend, AlertNoAlert
 }

-type ServerStateWaitFlight2 struct {
+type serverStateWaitFlight2 struct {
 	Config                       *Config
 	Params                       ConnectionParameters
 	hsCtx                        HandshakeContext
@@ -826,16 +826,16 @@ type ServerStateWaitFlight2 struct {
 	exporterSecret               []byte
 }

-var _ HandshakeState = &ServerStateWaitFlight2{}
+var _ HandshakeState = &serverStateWaitFlight2{}

-func (state ServerStateWaitFlight2) State() State {
+func (state serverStateWaitFlight2) State() State {
 	return StateServerWaitFlight2
 }

-func (state ServerStateWaitFlight2) Next(_ handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state serverStateWaitFlight2) Next(_ handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	if state.Params.UsingClientAuth {
 		logf(logTypeHandshake, "[ServerStateWaitFlight2] -> [ServerStateWaitCert]")
-		nextState := ServerStateWaitCert{
+		nextState := serverStateWaitCert{
 			Config:                       state.Config,
 			Params:                       state.Params,
 			hsCtx:                        state.hsCtx,
@@ -851,7 +851,7 @@ func (state ServerStateWaitFlight2) Next(_ handshakeMessageReader) (HandshakeSta
 	}

 	logf(logTypeHandshake, "[ServerStateWaitFlight2] -> [ServerStateWaitFinished]")
-	nextState := ServerStateWaitFinished{
+	nextState := serverStateWaitFinished{
 		Params:                       state.Params,
 		hsCtx:                        state.hsCtx,
 		cryptoParams:                 state.cryptoParams,
@@ -865,7 +865,7 @@ func (state ServerStateWaitFlight2) Next(_ handshakeMessageReader) (HandshakeSta
 	return nextState, nil, AlertNoAlert
 }

-type ServerStateWaitCert struct {
+type serverStateWaitCert struct {
 	Config                       *Config
 	Params                       ConnectionParameters
 	hsCtx                        HandshakeContext
@@ -878,13 +878,13 @@ type ServerStateWaitCert struct {
 	exporterSecret               []byte
 }

-var _ HandshakeState = &ServerStateWaitCert{}
+var _ HandshakeState = &serverStateWaitCert{}

-func (state ServerStateWaitCert) State() State {
+func (state serverStateWaitCert) State() State {
 	return StateServerWaitCert
 }

-func (state ServerStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state serverStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -906,7 +906,7 @@ func (state ServerStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState
 		logf(logTypeHandshake, "[ServerStateWaitCert] WARNING client did not provide a certificate")

 		logf(logTypeHandshake, "[ServerStateWaitCert] -> [ServerStateWaitFinished]")
-		nextState := ServerStateWaitFinished{
+		nextState := serverStateWaitFinished{
 			Params:                       state.Params,
 			hsCtx:                        state.hsCtx,
 			cryptoParams:                 state.cryptoParams,
@@ -921,7 +921,7 @@ func (state ServerStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState
 	}

 	logf(logTypeHandshake, "[ServerStateWaitCert] -> [ServerStateWaitCV]")
-	nextState := ServerStateWaitCV{
+	nextState := serverStateWaitCV{
 		Config:                       state.Config,
 		Params:                       state.Params,
 		hsCtx:                        state.hsCtx,
@@ -937,7 +937,7 @@ func (state ServerStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState
 	return nextState, nil, AlertNoAlert
 }

-type ServerStateWaitCV struct {
+type serverStateWaitCV struct {
 	Config       *Config
 	Params       ConnectionParameters
 	hsCtx        HandshakeContext
@@ -954,13 +954,13 @@ type ServerStateWaitCV struct {
 	clientCertificate *CertificateBody
 }

-var _ HandshakeState = &ServerStateWaitCV{}
+var _ HandshakeState = &serverStateWaitCV{}

-func (state ServerStateWaitCV) State() State {
+func (state serverStateWaitCV) State() State {
 	return StateServerWaitCV
 }

-func (state ServerStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state serverStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -1005,7 +1005,7 @@ func (state ServerStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState,
 	state.handshakeHash.Write(hm.Marshal())

 	logf(logTypeHandshake, "[ServerStateWaitCV] -> [ServerStateWaitFinished]")
-	nextState := ServerStateWaitFinished{
+	nextState := serverStateWaitFinished{
 		Params:                       state.Params,
 		hsCtx:                        state.hsCtx,
 		cryptoParams:                 state.cryptoParams,
@@ -1021,7 +1021,7 @@ func (state ServerStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState,
 	return nextState, nil, AlertNoAlert
 }

-type ServerStateWaitFinished struct {
+type serverStateWaitFinished struct {
 	Params       ConnectionParameters
 	hsCtx        HandshakeContext
 	cryptoParams CipherSuiteParams
@@ -1037,13 +1037,13 @@ type ServerStateWaitFinished struct {
 	exporterSecret      []byte
 }

-var _ HandshakeState = &ServerStateWaitFinished{}
+var _ HandshakeState = &serverStateWaitFinished{}

-func (state ServerStateWaitFinished) State() State {
+func (state serverStateWaitFinished) State() State {
 	return StateServerWaitFinished
 }

-func (state ServerStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state serverStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	hm, alert := hr.ReadMessage()
 	if alert != AlertNoAlert {
 		return nil, nil, alert
@@ -1083,7 +1083,7 @@ func (state ServerStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeS
 	clientTrafficKeys := makeTrafficKeys(state.cryptoParams, state.clientTrafficSecret)

 	logf(logTypeHandshake, "[ServerStateWaitFinished] -> [StateConnected]")
-	nextState := StateConnected{
+	nextState := stateConnected{
 		Params:              state.Params,
 		hsCtx:               state.hsCtx,
 		isClient:            false,
--- a/vendor/github.com/bifurcation/mint/state-machine.go
+++ b/vendor/github.com/bifurcation/mint/state-machine.go
@@ -81,8 +81,8 @@ func (hc *HandshakeContext) SetVersion(version uint16) {
 	}
 }

-// StateConnected is symmetric between client and server
-type StateConnected struct {
+// stateConnected is symmetric between client and server
+type stateConnected struct {
 	Params              ConnectionParameters
 	hsCtx               HandshakeContext
 	isClient            bool
@@ -95,16 +95,16 @@ type StateConnected struct {
 	verifiedChains      [][]*x509.Certificate
 }

-var _ HandshakeState = &StateConnected{}
+var _ HandshakeState = &stateConnected{}

-func (state StateConnected) State() State {
+func (state stateConnected) State() State {
 	if state.isClient {
 		return StateClientConnected
 	}
 	return StateServerConnected
 }

-func (state *StateConnected) KeyUpdate(request KeyUpdateRequest) ([]HandshakeAction, Alert) {
+func (state *stateConnected) KeyUpdate(request KeyUpdateRequest) ([]HandshakeAction, Alert) {
 	var trafficKeys keySet
 	if state.isClient {
 		state.clientTrafficSecret = HkdfExpandLabel(state.cryptoParams.Hash, state.clientTrafficSecret,
@@ -130,7 +130,7 @@ func (state *StateConnected) KeyUpdate(request KeyUpdateRequest) ([]HandshakeAct
 	return toSend, AlertNoAlert
 }

-func (state *StateConnected) NewSessionTicket(length int, lifetime, earlyDataLifetime uint32) ([]HandshakeAction, Alert) {
+func (state *stateConnected) NewSessionTicket(length int, lifetime, earlyDataLifetime uint32) ([]HandshakeAction, Alert) {
 	tkt, err := NewSessionTicket(length, lifetime)
 	if err != nil {
 		logf(logTypeHandshake, "[StateConnected] Error generating NewSessionTicket: %v", err)
@@ -172,11 +172,11 @@ func (state *StateConnected) NewSessionTicket(length int, lifetime, earlyDataLif
 }

 // Next does nothing for this state.
-func (state StateConnected) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
+func (state stateConnected) Next(hr handshakeMessageReader) (HandshakeState, []HandshakeAction, Alert) {
 	return state, nil, AlertNoAlert
 }

-func (state StateConnected) ProcessMessage(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) {
+func (state stateConnected) ProcessMessage(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) {
 	if hm == nil {
 		logf(logTypeHandshake, "[StateConnected] Unexpected message")
 		return nil, nil, AlertUnexpectedMessage