libgo: Update to Go 1.0.1 release.

From-SVN: r187163

libgo/MERGE

-dc5e410f0b4c
+2ccfd4b451d3
 
 The first line of this file holds the Mercurial revision number of the
 last merge done from the master library sources.

libgo/go/crypto/tls/cipher_suites.go

@@ -23,8 +23,8 @@ type keyAgreement interface {
 	// In the case that the key agreement protocol doesn't use a
 	// ServerKeyExchange message, generateServerKeyExchange can return nil,
 	// nil.
-	generateServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
-	processClientKeyExchange(*Config, *clientKeyExchangeMsg, uint16) ([]byte, error)
+	generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error)
+	processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error)
 
 	// On the client side, the next two methods are called in order.
 

libgo/go/crypto/tls/handshake_server.go

@@ -112,37 +112,38 @@ FindCipherSuite:
 		hello.nextProtoNeg = true
 		hello.nextProtos = config.NextProtos
 	}
-	if clientHello.ocspStapling && len(config.Certificates[0].OCSPStaple) > 0 {
-		hello.ocspStapling = true
-	}
-
-	finishedHash.Write(hello.marshal())
-	c.writeRecord(recordTypeHandshake, hello.marshal())
 
 	if len(config.Certificates) == 0 {
 		return c.sendAlert(alertInternalError)
 	}
-
-	certMsg := new(certificateMsg)
+	cert := &config.Certificates[0]
 	if len(clientHello.serverName) > 0 {
 		c.serverName = clientHello.serverName
-		certMsg.certificates = config.getCertificateForName(clientHello.serverName).Certificate
-	} else {
-		certMsg.certificates = config.Certificates[0].Certificate
+		cert = config.getCertificateForName(clientHello.serverName)
 	}
+
+	if clientHello.ocspStapling && len(cert.OCSPStaple) > 0 {
+		hello.ocspStapling = true
+	}
+
+	finishedHash.Write(hello.marshal())
+	c.writeRecord(recordTypeHandshake, hello.marshal())
+
+	certMsg := new(certificateMsg)
+	certMsg.certificates = cert.Certificate
 	finishedHash.Write(certMsg.marshal())
 	c.writeRecord(recordTypeHandshake, certMsg.marshal())
 
 	if hello.ocspStapling {
 		certStatus := new(certificateStatusMsg)
 		certStatus.statusType = statusTypeOCSP
-		certStatus.response = config.Certificates[0].OCSPStaple
+		certStatus.response = cert.OCSPStaple
 		finishedHash.Write(certStatus.marshal())
 		c.writeRecord(recordTypeHandshake, certStatus.marshal())
 	}
 
 	keyAgreement := suite.ka()
-	skx, err := keyAgreement.generateServerKeyExchange(config, clientHello, hello)
+	skx, err := keyAgreement.generateServerKeyExchange(config, cert, clientHello, hello)
 	if err != nil {
 		c.sendAlert(alertHandshakeFailure)
 		return err
@@ -288,7 +289,7 @@ FindCipherSuite:
 		finishedHash.Write(certVerify.marshal())
 	}
 
-	preMasterSecret, err := keyAgreement.processClientKeyExchange(config, ckx, c.vers)
+	preMasterSecret, err := keyAgreement.processClientKeyExchange(config, cert, ckx, c.vers)
 	if err != nil {
 		c.sendAlert(alertHandshakeFailure)
 		return err

libgo/go/crypto/tls/handshake_server_test.go

@@ -37,9 +37,12 @@ func init() {
 	testConfig = new(Config)
 	testConfig.Time = func() time.Time { return time.Unix(0, 0) }
 	testConfig.Rand = zeroSource{}
-	testConfig.Certificates = make([]Certificate, 1)
+	testConfig.Certificates = make([]Certificate, 2)
 	testConfig.Certificates[0].Certificate = [][]byte{testCertificate}
 	testConfig.Certificates[0].PrivateKey = testPrivateKey
+	testConfig.Certificates[1].Certificate = [][]byte{testSNICertificate}
+	testConfig.Certificates[1].PrivateKey = testPrivateKey
+	testConfig.BuildNameToCertificate()
 	testConfig.CipherSuites = []uint16{TLS_RSA_WITH_RC4_128_SHA}
 	testConfig.InsecureSkipVerify = true
 }
@@ -176,6 +179,13 @@ func TestHandshakeServerSSLv3(t *testing.T) {
 	testServerScript(t, "SSLv3", sslv3ServerScript, testConfig, nil)
 }
 
+// TestHandshakeServerSNI involves a client sending an SNI extension of
+// "snitest.com", which happens to match the CN of testSNICertificate. The test
+// verifies that the server correctly selects that certificate.
+func TestHandshakeServerSNI(t *testing.T) {
+	testServerScript(t, "SNI", selectCertificateBySNIScript, testConfig, nil)
+}
+
 type clientauthTest struct {
 	name       string
 	clientauth ClientAuthType
@@ -258,6 +268,8 @@ func fromHex(s string) []byte {
 
 var testCertificate = fromHex("308202b030820219a00302010202090085b0bba48a7fb8ca300d06092a864886f70d01010505003045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3130303432343039303933385a170d3131303432343039303933385a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819f300d06092a864886f70d010101050003818d0030818902818100bb79d6f517b5e5bf4610d0dc69bee62b07435ad0032d8a7a4385b71452e7a5654c2c78b8238cb5b482e5de1f953b7e62a52ca533d6fe125c7a56fcf506bffa587b263fb5cd04d3d0c921964ac7f4549f5abfef427100fe1899077f7e887d7df10439c4a22edb51c97ce3c04c3b326601cfafb11db8719a1ddbdb896baeda2d790203010001a381a73081a4301d0603551d0e04160414b1ade2855acfcb28db69ce2369ded3268e18883930750603551d23046e306c8014b1ade2855acfcb28db69ce2369ded3268e188839a149a4473045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746482090085b0bba48a7fb8ca300c0603551d13040530030101ff300d06092a864886f70d010105050003818100086c4524c76bb159ab0c52ccf2b014d7879d7a6475b55a9566e4c52b8eae12661feb4f38b36e60d392fdf74108b52513b1187a24fb301dbaed98b917ece7d73159db95d31d78ea50565cd5825a2d5a5f33c4b6d8c97590968c0f5298b5cd981f89205ff2a01ca31b9694dda9fd57e970e8266d71999b266e3850296c90a7bdd9")
 
+var testSNICertificate = fromHex("308201f23082015da003020102020100300b06092a864886f70d01010530283110300e060355040a130741636d6520436f311430120603550403130b736e69746573742e636f6d301e170d3132303431313137343033355a170d3133303431313137343533355a30283110300e060355040a130741636d6520436f311430120603550403130b736e69746573742e636f6d30819d300b06092a864886f70d01010103818d0030818902818100bb79d6f517b5e5bf4610d0dc69bee62b07435ad0032d8a7a4385b71452e7a5654c2c78b8238cb5b482e5de1f953b7e62a52ca533d6fe125c7a56fcf506bffa587b263fb5cd04d3d0c921964ac7f4549f5abfef427100fe1899077f7e887d7df10439c4a22edb51c97ce3c04c3b326601cfafb11db8719a1ddbdb896baeda2d790203010001a3323030300e0603551d0f0101ff0404030200a0300d0603551d0e0406040401020304300f0603551d2304083006800401020304300b06092a864886f70d0101050381810089c6455f1c1f5ef8eb1ab174ee2439059f5c4259bb1a8d86cdb1d056f56a717da40e95ab90f59e8deaf627c157995094db0802266eb34fc6842dea8a4b68d9c1389103ab84fb9e1f85d9b5d23ff2312c8670fbb540148245a4ebafe264d90c8a4cf4f85b0fac12ac2fc4a3154bad52462868af96c62c6525d652b6e31845bdcc")
+
 var testPrivateKey = &rsa.PrivateKey{
 	PublicKey: rsa.PublicKey{
 		N: bigFromString("131650079503776001033793877885499001334664249354723305978524647182322416328664556247316495448366990052837680518067798333412266673813370895702118944398081598789828837447552603077848001020611640547221687072142537202428102790818451901395596882588063427854225330436740647715202971973145151161964464812406232198521"),
@@ -947,6 +959,142 @@ var sslv3ServerScript = [][]byte{
 	},
 }
 
+var selectCertificateBySNIScript = [][]byte{
+	{
+		0x16, 0x03, 0x01, 0x00, 0x6e, 0x01, 0x00, 0x00,
+		0x6a, 0x03, 0x01, 0x4f, 0x85, 0xc4, 0xc2, 0xb9,
+		0x39, 0x80, 0x91, 0x66, 0x65, 0x56, 0x8e, 0xdd,
+		0x48, 0xe9, 0xca, 0x34, 0x02, 0x3c, 0xaf, 0x0d,
+		0x73, 0xb5, 0x2a, 0x05, 0x6e, 0xbd, 0x5e, 0x8f,
+		0x38, 0xf9, 0xe5, 0x00, 0x00, 0x28, 0x00, 0x39,
+		0x00, 0x38, 0x00, 0x35, 0x00, 0x16, 0x00, 0x13,
+		0x00, 0x0a, 0x00, 0x33, 0x00, 0x32, 0x00, 0x2f,
+		0x00, 0x05, 0x00, 0x04, 0x00, 0x15, 0x00, 0x12,
+		0x00, 0x09, 0x00, 0x14, 0x00, 0x11, 0x00, 0x08,
+		0x00, 0x06, 0x00, 0x03, 0x00, 0xff, 0x02, 0x01,
+		0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x10, 0x00,
+		0x0e, 0x00, 0x00, 0x0b, 0x73, 0x6e, 0x69, 0x74,
+		0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x00,
+		0x23, 0x00, 0x00,
+	},
+	{
+		0x16, 0x03, 0x01, 0x00, 0x2a, 0x02, 0x00, 0x00,
+		0x26, 0x03, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+		0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x16,
+		0x03, 0x01, 0x02, 0x00, 0x0b, 0x00, 0x01, 0xfc,
+		0x00, 0x01, 0xf9, 0x00, 0x01, 0xf6, 0x30, 0x82,
+		0x01, 0xf2, 0x30, 0x82, 0x01, 0x5d, 0xa0, 0x03,
+		0x02, 0x01, 0x02, 0x02, 0x01, 0x00, 0x30, 0x0b,
+		0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+		0x01, 0x01, 0x05, 0x30, 0x28, 0x31, 0x10, 0x30,
+		0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07,
+		0x41, 0x63, 0x6d, 0x65, 0x20, 0x43, 0x6f, 0x31,
+		0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x03,
+		0x13, 0x0b, 0x73, 0x6e, 0x69, 0x74, 0x65, 0x73,
+		0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17,
+		0x0d, 0x31, 0x32, 0x30, 0x34, 0x31, 0x31, 0x31,
+		0x37, 0x34, 0x30, 0x33, 0x35, 0x5a, 0x17, 0x0d,
+		0x31, 0x33, 0x30, 0x34, 0x31, 0x31, 0x31, 0x37,
+		0x34, 0x35, 0x33, 0x35, 0x5a, 0x30, 0x28, 0x31,
+		0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a,
+		0x13, 0x07, 0x41, 0x63, 0x6d, 0x65, 0x20, 0x43,
+		0x6f, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55,
+		0x04, 0x03, 0x13, 0x0b, 0x73, 0x6e, 0x69, 0x74,
+		0x65, 0x73, 0x74, 0x2e, 0x63, 0x6f, 0x6d, 0x30,
+		0x81, 0x9d, 0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86,
+		0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x03,
+		0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x81,
+		0x81, 0x00, 0xbb, 0x79, 0xd6, 0xf5, 0x17, 0xb5,
+		0xe5, 0xbf, 0x46, 0x10, 0xd0, 0xdc, 0x69, 0xbe,
+		0xe6, 0x2b, 0x07, 0x43, 0x5a, 0xd0, 0x03, 0x2d,
+		0x8a, 0x7a, 0x43, 0x85, 0xb7, 0x14, 0x52, 0xe7,
+		0xa5, 0x65, 0x4c, 0x2c, 0x78, 0xb8, 0x23, 0x8c,
+		0xb5, 0xb4, 0x82, 0xe5, 0xde, 0x1f, 0x95, 0x3b,
+		0x7e, 0x62, 0xa5, 0x2c, 0xa5, 0x33, 0xd6, 0xfe,
+		0x12, 0x5c, 0x7a, 0x56, 0xfc, 0xf5, 0x06, 0xbf,
+		0xfa, 0x58, 0x7b, 0x26, 0x3f, 0xb5, 0xcd, 0x04,
+		0xd3, 0xd0, 0xc9, 0x21, 0x96, 0x4a, 0xc7, 0xf4,
+		0x54, 0x9f, 0x5a, 0xbf, 0xef, 0x42, 0x71, 0x00,
+		0xfe, 0x18, 0x99, 0x07, 0x7f, 0x7e, 0x88, 0x7d,
+		0x7d, 0xf1, 0x04, 0x39, 0xc4, 0xa2, 0x2e, 0xdb,
+		0x51, 0xc9, 0x7c, 0xe3, 0xc0, 0x4c, 0x3b, 0x32,
+		0x66, 0x01, 0xcf, 0xaf, 0xb1, 0x1d, 0xb8, 0x71,
+		0x9a, 0x1d, 0xdb, 0xdb, 0x89, 0x6b, 0xae, 0xda,
+		0x2d, 0x79, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3,
+		0x32, 0x30, 0x30, 0x30, 0x0e, 0x06, 0x03, 0x55,
+		0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03,
+		0x02, 0x00, 0xa0, 0x30, 0x0d, 0x06, 0x03, 0x55,
+		0x1d, 0x0e, 0x04, 0x06, 0x04, 0x04, 0x01, 0x02,
+		0x03, 0x04, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d,
+		0x23, 0x04, 0x08, 0x30, 0x06, 0x80, 0x04, 0x01,
+		0x02, 0x03, 0x04, 0x30, 0x0b, 0x06, 0x09, 0x2a,
+		0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05,
+		0x03, 0x81, 0x81, 0x00, 0x89, 0xc6, 0x45, 0x5f,
+		0x1c, 0x1f, 0x5e, 0xf8, 0xeb, 0x1a, 0xb1, 0x74,
+		0xee, 0x24, 0x39, 0x05, 0x9f, 0x5c, 0x42, 0x59,
+		0xbb, 0x1a, 0x8d, 0x86, 0xcd, 0xb1, 0xd0, 0x56,
+		0xf5, 0x6a, 0x71, 0x7d, 0xa4, 0x0e, 0x95, 0xab,
+		0x90, 0xf5, 0x9e, 0x8d, 0xea, 0xf6, 0x27, 0xc1,
+		0x57, 0x99, 0x50, 0x94, 0xdb, 0x08, 0x02, 0x26,
+		0x6e, 0xb3, 0x4f, 0xc6, 0x84, 0x2d, 0xea, 0x8a,
+		0x4b, 0x68, 0xd9, 0xc1, 0x38, 0x91, 0x03, 0xab,
+		0x84, 0xfb, 0x9e, 0x1f, 0x85, 0xd9, 0xb5, 0xd2,
+		0x3f, 0xf2, 0x31, 0x2c, 0x86, 0x70, 0xfb, 0xb5,
+		0x40, 0x14, 0x82, 0x45, 0xa4, 0xeb, 0xaf, 0xe2,
+		0x64, 0xd9, 0x0c, 0x8a, 0x4c, 0xf4, 0xf8, 0x5b,
+		0x0f, 0xac, 0x12, 0xac, 0x2f, 0xc4, 0xa3, 0x15,
+		0x4b, 0xad, 0x52, 0x46, 0x28, 0x68, 0xaf, 0x96,
+		0xc6, 0x2c, 0x65, 0x25, 0xd6, 0x52, 0xb6, 0xe3,
+		0x18, 0x45, 0xbd, 0xcc, 0x16, 0x03, 0x01, 0x00,
+		0x04, 0x0e, 0x00, 0x00, 0x00,
+	},
+	{
+		0x16, 0x03, 0x01, 0x00, 0x86, 0x10, 0x00, 0x00,
+		0x82, 0x00, 0x80, 0x70, 0x1d, 0x34, 0x75, 0xa2,
+		0xe7, 0xe3, 0x2f, 0x3d, 0xc1, 0x1d, 0xca, 0x0b,
+		0xe3, 0x64, 0xb9, 0x1a, 0x00, 0x69, 0xc4, 0x14,
+		0x05, 0x07, 0x7e, 0xc3, 0x51, 0x43, 0x52, 0x66,
+		0xe3, 0xbd, 0xff, 0x1b, 0x1a, 0x6a, 0x84, 0xf2,
+		0x07, 0x24, 0xd7, 0x12, 0xa8, 0x58, 0xcf, 0x8a,
+		0x50, 0x30, 0xe8, 0xc8, 0xb2, 0xf9, 0x58, 0x1c,
+		0x56, 0x53, 0x76, 0x21, 0xe0, 0x03, 0x7f, 0x77,
+		0xa7, 0xf1, 0xad, 0x67, 0xd4, 0xe2, 0x8f, 0xa0,
+		0x58, 0x6c, 0xe0, 0x28, 0x59, 0xf3, 0xd1, 0x53,
+		0x2b, 0x21, 0xbd, 0xa3, 0x84, 0x31, 0x73, 0xbf,
+		0x84, 0x0f, 0x83, 0xf4, 0xc4, 0xd0, 0xe5, 0x3c,
+		0x2d, 0x3e, 0xf2, 0x8a, 0x1e, 0xe7, 0xe9, 0x1f,
+		0x12, 0x13, 0xad, 0x29, 0xd6, 0x0c, 0xc7, 0xc6,
+		0x05, 0x53, 0x7d, 0x5e, 0xc6, 0x92, 0x72, 0xba,
+		0xd2, 0x93, 0x8f, 0x53, 0x84, 0x87, 0x44, 0x05,
+		0x9f, 0x5d, 0x66, 0x14, 0x03, 0x01, 0x00, 0x01,
+		0x01, 0x16, 0x03, 0x01, 0x00, 0x24, 0xfc, 0x71,
+		0xaa, 0xa8, 0x37, 0xa8, 0xbd, 0x63, 0xb7, 0xbc,
+		0x95, 0xef, 0x0c, 0xcf, 0x39, 0x31, 0x93, 0xe6,
+		0x86, 0xbd, 0x3f, 0x56, 0x9d, 0xf0, 0xb2, 0xb5,
+		0xd1, 0xa7, 0xc6, 0x45, 0x89, 0x18, 0xfb, 0xa0,
+		0x7f, 0xc1,
+	},
+	{
+		0x14, 0x03, 0x01, 0x00, 0x01, 0x01, 0x16, 0x03,
+		0x01, 0x00, 0x24, 0xb8, 0x6d, 0x9a, 0x90, 0x3c,
+		0x45, 0xe0, 0xff, 0x63, 0xba, 0xab, 0x3d, 0x7a,
+		0xa6, 0x49, 0x5a, 0x13, 0xdc, 0x0e, 0xa3, 0xba,
+		0x7f, 0x04, 0x19, 0x45, 0xfd, 0xfb, 0xbd, 0x00,
+		0xa3, 0xa7, 0x78, 0x81, 0x38, 0x9f, 0x10, 0x17,
+		0x03, 0x01, 0x00, 0x21, 0x43, 0xc3, 0x91, 0xb7,
+		0xbf, 0x50, 0x0b, 0x04, 0xb4, 0x5d, 0xc6, 0x20,
+		0x64, 0xb8, 0x01, 0x09, 0x25, 0x2c, 0x03, 0x30,
+		0xc0, 0x77, 0xc9, 0x5e, 0xe6, 0xe0, 0x99, 0xdc,
+		0xcd, 0x75, 0x9d, 0x51, 0x82, 0x15, 0x03, 0x01,
+		0x00, 0x16, 0x2d, 0x7a, 0x89, 0x7b, 0x36, 0x85,
+		0x2a, 0x93, 0xcb, 0x83, 0xa7, 0x2f, 0x9e, 0x91,
+		0xfc, 0xad, 0x57, 0xca, 0xf5, 0xbc, 0x13, 0x2f,
+	},
+}
+
 var clientauthTests = []clientauthTest{
 	// Server doesn't asks for cert
 	// go test -run "TestRunServer" -serve -clientauth 0
@@ -1285,7 +1433,7 @@ var clientauthTests = []clientauthTest{
 	// go test -run "TestRunServer" -serve -clientauth 1
 	// gnutls-cli --insecure --debug 100 -p 10443 localhost
 	{"RequestClientCert, client gives it", RequestClientCert,
-		[]*x509.Certificate{clicert},
+		[]*x509.Certificate{clientCertificate},
 		[][]byte{{
 			0x16, 0x03, 0x02, 0x00, 0x7a, 0x01, 0x00, 0x00,
 			0x76, 0x03, 0x02, 0x4e, 0xe7, 0x44, 0xda, 0x58,
@@ -1528,14 +1676,16 @@ var clientauthTests = []clientauthTest{
 				0x00, 0x16, 0x53, 0xf5, 0xff, 0xe0, 0xa1, 0x6c,
 				0x33, 0xf4, 0x4e, 0x89, 0x68, 0xe1, 0xf7, 0x61,
 				0x13, 0xb3, 0x12, 0xa1, 0x8e, 0x5a, 0x7a, 0x02,
-			}}},
+			},
+		},
+	},
 }
 
 // cert.pem and key.pem were generated with generate_cert.go
 // Thus, they have no ExtKeyUsage fields and trigger an error
 // when verification is turned on.
 
-var clicert = loadPEMCert(`
+var clientCertificate = loadPEMCert(`
 -----BEGIN CERTIFICATE-----
 MIIB7TCCAVigAwIBAgIBADALBgkqhkiG9w0BAQUwJjEQMA4GA1UEChMHQWNtZSBD
 bzESMBAGA1UEAxMJMTI3LjAuMC4xMB4XDTExMTIwODA3NTUxMloXDTEyMTIwNzA4

libgo/go/crypto/tls/key_agreement.go

@@ -20,11 +20,11 @@ import (
 // encrypts the pre-master secret to the server's public key.
 type rsaKeyAgreement struct{}
 
-func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
+func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
 	return nil, nil
 }
 
-func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
+func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
 	preMasterSecret := make([]byte, 48)
 	_, err := io.ReadFull(config.rand(), preMasterSecret[2:])
 	if err != nil {
@@ -44,7 +44,7 @@ func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, ckx *clientKe
 		ciphertext = ckx.ciphertext[2:]
 	}
 
-	err = rsa.DecryptPKCS1v15SessionKey(config.rand(), config.Certificates[0].PrivateKey.(*rsa.PrivateKey), ciphertext, preMasterSecret)
+	err = rsa.DecryptPKCS1v15SessionKey(config.rand(), cert.PrivateKey.(*rsa.PrivateKey), ciphertext, preMasterSecret)
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +109,7 @@ type ecdheRSAKeyAgreement struct {
 	x, y       *big.Int
 }
 
-func (ka *ecdheRSAKeyAgreement) generateServerKeyExchange(config *Config, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
+func (ka *ecdheRSAKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) {
 	var curveid uint16
 
 Curve:
@@ -151,7 +151,7 @@ Curve:
 	copy(serverECDHParams[4:], ecdhePublic)
 
 	md5sha1 := md5SHA1Hash(clientHello.random, hello.random, serverECDHParams)
-	sig, err := rsa.SignPKCS1v15(config.rand(), config.Certificates[0].PrivateKey.(*rsa.PrivateKey), crypto.MD5SHA1, md5sha1)
+	sig, err := rsa.SignPKCS1v15(config.rand(), cert.PrivateKey.(*rsa.PrivateKey), crypto.MD5SHA1, md5sha1)
 	if err != nil {
 		return nil, errors.New("failed to sign ECDHE parameters: " + err.Error())
 	}
@@ -167,7 +167,7 @@ Curve:
 	return skx, nil
 }
 
-func (ka *ecdheRSAKeyAgreement) processClientKeyExchange(config *Config, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
+func (ka *ecdheRSAKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
 	if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {
 		return nil, errors.New("bad ClientKeyExchange")
 	}

libgo/go/database/sql/sql.go

@@ -327,6 +327,9 @@ func (db *DB) prepare(query string) (stmt *Stmt, err error) {
 // Exec executes a query without returning any rows.
 func (db *DB) Exec(query string, args ...interface{}) (Result, error) {
 	sargs, err := subsetTypeArgs(args)
+	if err != nil {
+		return nil, err
+	}
 	var res Result
 	for i := 0; i < 10; i++ {
 		res, err = db.exec(query, sargs)

libgo/go/encoding/ascii85/ascii85.go

@@ -57,6 +57,7 @@ func Encode(dst, src []byte) int {
 		if v == 0 && len(src) >= 4 {
 			dst[0] = 'z'
 			dst = dst[1:]
+			src = src[4:]
 			n++
 			continue
 		}

libgo/go/encoding/ascii85/ascii85_test.go

@@ -28,6 +28,11 @@ var pairs = []testpair{
 			"l(DId<j@<?3r@:F%a+D58'ATD4$Bl@l3De:,-DJs`8ARoFb/0JMK@qB4^F!,R<AKZ&-DfTqBG%G\n" +
 			">uD.RTpAKYo'+CT/5+Cei#DII?(E,9)oF*2M7/c\n",
 	},
+	// Special case when shortening !!!!! to z.
+	{
+		"\000\000\000\000",
+		"z",
+	},
 }
 
 var bigtest = pairs[len(pairs)-1]

libgo/go/encoding/asn1/asn1.go

@@ -377,11 +377,6 @@ func parseTagAndLength(bytes []byte, initOffset int) (ret tagAndLength, offset i
 	} else {
 		// Bottom 7 bits give the number of length bytes to follow.
 		numBytes := int(b & 0x7f)
-		// We risk overflowing a signed 32-bit number if we accept more than 3 bytes.
-		if numBytes > 3 {
-			err = StructuralError{"length too large"}
-			return
-		}
 		if numBytes == 0 {
 			err = SyntaxError{"indefinite length found (not DER)"}
 			return
@@ -394,8 +389,19 @@ func parseTagAndLength(bytes []byte, initOffset int) (ret tagAndLength, offset i
 			}
 			b = bytes[offset]
 			offset++
+			if ret.length >= 1<<23 {
+				// We can't shift ret.length up without
+				// overflowing.
+				err = StructuralError{"length too large"}
+				return
+			}
 			ret.length <<= 8
 			ret.length |= int(b)
+			if ret.length == 0 {
+				// DER requires that lengths be minimal.
+				err = StructuralError{"superfluous leading zeros in length"}
+				return
+			}
 		}
 	}
 

libgo/go/encoding/asn1/asn1_test.go

@@ -283,6 +283,12 @@ var tagAndLengthData = []tagAndLengthTest{
 	{[]byte{0x00, 0x83, 0x01, 0x00}, false, tagAndLength{}},
 	{[]byte{0x1f, 0x85}, false, tagAndLength{}},
 	{[]byte{0x30, 0x80}, false, tagAndLength{}},
+	// Superfluous zeros in the length should be an error.
+	{[]byte{0xa0, 0x82, 0x00, 0x01}, false, tagAndLength{}},
+	// Lengths up to the maximum size of an int should work.
+	{[]byte{0xa0, 0x84, 0x7f, 0xff, 0xff, 0xff}, true, tagAndLength{2, 0, 0x7fffffff, true}},
+	// Lengths that would overflow an int should be rejected.
+	{[]byte{0xa0, 0x84, 0x80, 0x00, 0x00, 0x00}, false, tagAndLength{}},
 }
 
 func TestParseTagAndLength(t *testing.T) {

libgo/go/encoding/base64/base64.go

@@ -230,7 +230,12 @@ func (enc *Encoding) decode(dst, src []byte) (n int, end bool, err error) {
 			if in == '=' && j >= 2 && len(src) < 4 {
 				// We've reached the end and there's
 				// padding
+				if len(src) == 0 && j == 2 {
+					// not enough padding
+					return n, false, CorruptInputError(len(osrc))
+				}
 				if len(src) > 0 && src[0] != '=' {
+					// incorrect padding
 					return n, false, CorruptInputError(len(osrc) - len(src) - 1)
 				}
 				dlen = j

libgo/go/encoding/base64/base64_test.go

@@ -151,6 +151,9 @@ func TestDecodeCorrupt(t *testing.T) {
 		{"AAA=AAAA", 3},
 		{"AAAAA", 4},
 		{"AAAAAA", 4},
+		{"A=", 1},
+		{"AA=", 3},
+		{"AAAAAA=", 7},
 	}
 
 	for _, e := range examples {

libgo/go/encoding/json/encode.go

@@ -17,6 +17,7 @@ import (
 	"runtime"
 	"sort"
 	"strconv"
+	"strings"
 	"sync"
 	"unicode"
 	"unicode/utf8"
@@ -415,9 +416,11 @@ func isValidTag(s string) bool {
 		return false
 	}
 	for _, c := range s {
-		switch c {
-		case '$', '-', '_', '/', '%':
-			// Acceptable
+		switch {
+		case strings.ContainsRune("!#$%&()*+-./:<=>?@[]^_{|}~", c):
+			// Backslash and quote chars are reserved, but
+			// otherwise any punctuation chars are allowed
+			// in a tag name.
 		default:
 			if !unicode.IsLetter(c) && !unicode.IsDigit(c) {
 				return false

libgo/go/encoding/json/tagkey_test.go

@@ -40,6 +40,10 @@ type percentSlashTag struct {
 	V string `json:"text/html%"` // http://golang.org/issue/2718
 }
 
+type punctuationTag struct {
+	V string `json:"!#$%&()*+-./:<=>?@[]^_{|}~"` // http://golang.org/issue/3546
+}
+
 type emptyTag struct {
 	W string
 }
@@ -73,6 +77,7 @@ var structTagObjectKeyTests = []struct {
 	{badFormatTag{"Orfevre"}, "Orfevre", "Y"},
 	{badCodeTag{"Reliable Man"}, "Reliable Man", "Z"},
 	{percentSlashTag{"brut"}, "brut", "text/html%"},
+	{punctuationTag{"Union Rags"}, "Union Rags", "!#$%&()*+-./:<=>?@[]^_{|}~"},
 }
 
 func TestStructTagObjectKey(t *testing.T) {

libgo/go/encoding/pem/pem.go

@@ -28,9 +28,10 @@ type Block struct {
 }
 
 // getLine results the first \r\n or \n delineated line from the given byte
-// array. The line does not include the \r\n or \n. The remainder of the byte
-// array (also not including the new line bytes) is also returned and this will
-// always be smaller than the original argument.
+// array. The line does not include trailing whitespace or the trailing new
+// line bytes. The remainder of the byte array (also not including the new line
+// bytes) is also returned and this will always be smaller than the original
+// argument.
 func getLine(data []byte) (line, rest []byte) {
 	i := bytes.Index(data, []byte{'\n'})
 	var j int
@@ -43,7 +44,7 @@ func getLine(data []byte) (line, rest []byte) {
 			i--
 		}
 	}
-	return data[0:i], data[j:]
+	return bytes.TrimRight(data[0:i], " \t"), data[j:]
 }
 
 // removeWhitespace returns a copy of its input with all spaces, tab and

libgo/go/encoding/pem/pem_test.go

@@ -127,13 +127,13 @@ Certificate chain
 -----BEGIN CERTIFICATE-----
 testing
 -----BEGIN CERTIFICATE-----
------BEGIN CERTIFICATE-----
+-----BEGIN CERTIFICATE----- 
 MIID6TCCA1ICAQEwDQYJKoZIhvcNAQEFBQAwgYsxCzAJBgNVBAYTAlVTMRMwEQYD
 VQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRQwEgYDVQQK
-EwtHb29nbGUgSW5jLjEMMAoGA1UECxMDRW5nMQwwCgYDVQQDEwNhZ2wxHTAbBgkq
-hkiG9w0BCQEWDmFnbEBnb29nbGUuY29tMB4XDTA5MDkwOTIyMDU0M1oXDTEwMDkw
-OTIyMDU0M1owajELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAf
-BgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEjMCEGA1UEAxMaZXVyb3Bh
+EwtHb29nbGUgSW5jLjEMMAoGA1UECxMDRW5nMQwwCgYDVQQDEwNhZ2wxHTAbBgkq 
+hkiG9w0BCQEWDmFnbEBnb29nbGUuY29tMB4XDTA5MDkwOTIyMDU0M1oXDTEwMDkw  
+OTIyMDU0M1owajELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAf  	  
+BgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEjMCEGA1UEAxMaZXVyb3Bh		  
 LnNmby5jb3JwLmdvb2dsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
 AoICAQC6pgYt7/EibBDumASF+S0qvqdL/f+nouJw2T1Qc8GmXF/iiUcrsgzh/Fd8
 pDhz/T96Qg9IyR4ztuc2MXrmPra+zAuSf5bevFReSqvpIt8Duv0HbDbcqs/XKPfB
@@ -149,15 +149,15 @@ Pomjn71GNTtDeWAXibjCgdL6iHACCF6Htbl0zGlG0OAK+bdn0QIDAQABMA0GCSqG
 SIb3DQEBBQUAA4GBAOKnQDtqBV24vVqvesL5dnmyFpFPXBn3WdFfwD6DzEb21UVG
 5krmJiu+ViipORJPGMkgoL6BjU21XI95VQbun5P8vvg8Z+FnFsvRFY3e1CCzAVQY
 ZsUkLw2I7zI/dNlWdB8Xp7v+3w9sX5N3J/WuJ1KOO5m26kRlHQo7EzT3974g
------END CERTIFICATE-----
+-----END CERTIFICATE-----   
  1 s:/C=ZA/O=Ca Inc./CN=CA Inc
 
------BEGIN RSA PRIVATE KEY-----
-Proc-Type: 4,ENCRYPTED
-DEK-Info: DES-EDE3-CBC,80C7C7A09690757A
-
+-----BEGIN RSA PRIVATE KEY-----   	
+Proc-Type: 4,ENCRYPTED	  
+DEK-Info: DES-EDE3-CBC,80C7C7A09690757A  	
+  	
 eQp5ZkH6CyHBz7BZfUPxyLCCmftsBJ7HlqGb8Ld21cSwnzWZ4/SIlhyrUtsfw7VR
-2TTwA+odo9ex7GdxOTaH8oZFumIRoiEjHsk8U7Bhntp+ekkPP79xunnN7hb7hkhr
+2TTwA+odo9ex7GdxOTaH8oZFumIRoiEjHsk8U7Bhntp+ekkPP79xunnN7hb7hkhr   
 yGDQZgA7s2cQHQ71v3gwT2BACAft26jCjbM1wgNzBnJ8M0Rzn68YWqaPtdBu8qb/
 zVR5JB1mnqvTSbFsfF5yMc6o2WQ9jJCl6KypnMl+BpL+dlvdjYVK4l9lYsB1Hs3d
 +zDBbWxos818zzhS8/y6eIfiSG27cqrbhURbmgiSfDXjncK4m/pLcQ7mmBL6mFOr

libgo/go/flag/flag.go

@@ -7,9 +7,11 @@
 
 	Usage:
 
-	Define flags using flag.String(), Bool(), Int(), etc. Example:
+	Define flags using flag.String(), Bool(), Int(), etc.
+
+	This declares an integer flag, -flagname, stored in the pointer ip, with type *int.
 		import "flag"
-		var ip *int = flag.Int("flagname", 1234, "help message for flagname")
+		var ip = flag.Int("flagname", 1234, "help message for flagname")
 	If you like, you can bind the flag to a variable using the Var() functions.
 		var flagvar int
 		func init() {
@@ -26,8 +28,8 @@
 
 	Flags may then be used directly. If you're using the flags themselves,
 	they are all pointers; if you bind to variables, they're values.
-		fmt.Println("ip has value ", *ip);
-		fmt.Println("flagvar has value ", flagvar);
+		fmt.Println("ip has value ", *ip)
+		fmt.Println("flagvar has value ", flagvar)
 
 	After parsing, the arguments after the flag are available as the
 	slice flag.Args() or individually as flag.Arg(i).

libgo/go/fmt/fmt_test.go

@@ -461,6 +461,9 @@ var fmttests = []struct {
 	// zero reflect.Value, which formats as <nil>.
 	// This test is just to check that it shows the two NaNs at all.
 	{"%v", map[float64]int{math.NaN(): 1, math.NaN(): 2}, "map[NaN:<nil> NaN:<nil>]"},
+
+	// Used to crash because nByte didn't allow for a sign.
+	{"%b", int64(-1 << 63), "-1000000000000000000000000000000000000000000000000000000000000000"},
 }
 
 func TestSprintf(t *testing.T) {

libgo/go/fmt/format.go

@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	nByte = 64
+	nByte = 65 // %b of an int64, plus a sign.
 
 	ldigits = "0123456789abcdef"
 	udigits = "0123456789ABCDEF"

libgo/go/html/escape.go

@@ -210,13 +210,15 @@ func escape(w writer, s string) error {
 		case '&':
 			esc = "&"
 		case '\'':
-			esc = "'"
+			// "'" is shorter than "'" and apos was not in HTML until HTML5.
+			esc = "'"
 		case '<':
 			esc = "&lt;"
 		case '>':
 			esc = "&gt;"
 		case '"':
-			esc = "&quot;"
+			// "&#34;" is shorter than "&quot;".
+			esc = "&#34;"
 		default:
 			panic("unrecognized escape character")
 		}
@@ -231,7 +233,7 @@ func escape(w writer, s string) error {
 }
 
 // EscapeString escapes special characters like "<" to become "&lt;". It
-// escapes only five such characters: amp, apos, lt, gt and quot.
+// escapes only five such characters: <, >, &, ' and ".
 // UnescapeString(EscapeString(s)) == s always holds, but the converse isn't
 // always true.
 func EscapeString(s string) string {

libgo/go/mime/mediatype.go

@@ -99,7 +99,7 @@ func ParseMediaType(v string) (mediatype string, params map[string]string, err e
 
 	err = checkMediaTypeDisposition(mediatype)
 	if err != nil {
-		return
+		return "", nil, err
 	}
 
 	params = make(map[string]string)

libgo/go/mime/mediatype_test.go

@@ -244,13 +244,33 @@ func TestParseMediaType(t *testing.T) {
 	}
 }
 
+type badMediaTypeTest struct {
+	in  string
+	err string
+}
+
+var badMediaTypeTests = []badMediaTypeTest{
+	{"bogus ;=========", "mime: invalid media parameter"},
+	{"bogus/<script>alert</script>", "mime: expected token after slash"},
+	{"bogus/bogus<script>alert</script>", "mime: unexpected content after media subtype"},
+}
+
 func TestParseMediaTypeBogus(t *testing.T) {
-	mt, params, err := ParseMediaType("bogus ;=========")
-	if err == nil {
-		t.Fatalf("expected an error parsing invalid media type; got type %q, params %#v", mt, params)
-	}
-	if err.Error() != "mime: invalid media parameter" {
-		t.Errorf("expected invalid media parameter; got error %q", err)
+	for _, tt := range badMediaTypeTests {
+		mt, params, err := ParseMediaType(tt.in)
+		if err == nil {
+			t.Errorf("ParseMediaType(%q) = nil error; want parse error", tt.in)
+			continue
+		}
+		if err.Error() != tt.err {
+			t.Errorf("ParseMediaType(%q) = err %q; want %q", tt.in, err.Error(), tt.err)
+		}
+		if params != nil {
+			t.Errorf("ParseMediaType(%q): got non-nil params on error", tt.in)
+		}
+		if mt != "" {
+			t.Errorf("ParseMediaType(%q): got non-empty media type string on error", tt.in)
+		}
 	}
 }
 

libgo/go/mime/multipart/multipart.go

@@ -185,6 +185,14 @@ func (r *Reader) NextPart() (*Part, error) {
 	expectNewPart := false
 	for {
 		line, err := r.bufReader.ReadSlice('\n')
+		if err == io.EOF && bytes.Equal(line, r.dashBoundaryDash) {
+			// If the buffer ends in "--boundary--" without the
+			// trailing "\r\n", ReadSlice will return an error
+			// (since it's missing the '\n'), but this is a valid
+			// multipart EOF so we need to return io.EOF instead of
+			// a fmt-wrapped one.
+			return nil, io.EOF
+		}
 		if err != nil {
 			return nil, fmt.Errorf("multipart: NextPart: %v", err)
 		}

libgo/go/mime/multipart/multipart_test.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"os"
 	"strings"
 	"testing"
 )
@@ -377,3 +378,52 @@ func TestLineContinuation(t *testing.T) {
 		}
 	}
 }
+
+// Test parsing an image attachment from gmail, which previously failed.
+func TestNested(t *testing.T) {
+	// nested-mime is the body part of a multipart/mixed email
+	// with boundary e89a8ff1c1e83553e304be640612
+	f, err := os.Open("testdata/nested-mime")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+	mr := NewReader(f, "e89a8ff1c1e83553e304be640612")
+	p, err := mr.NextPart()
+	if err != nil {
+		t.Fatalf("error reading first section (alternative): %v", err)
+	}
+
+	// Read the inner text/plain and text/html sections of the multipart/alternative.
+	mr2 := NewReader(p, "e89a8ff1c1e83553e004be640610")
+	p, err = mr2.NextPart()
+	if err != nil {
+		t.Fatalf("reading text/plain part: %v", err)
+	}
+	if b, err := ioutil.ReadAll(p); string(b) != "*body*\r\n" || err != nil {
+		t.Fatalf("reading text/plain part: got %q, %v", b, err)
+	}
+	p, err = mr2.NextPart()
+	if err != nil {
+		t.Fatalf("reading text/html part: %v", err)
+	}
+	if b, err := ioutil.ReadAll(p); string(b) != "<b>body</b>\r\n" || err != nil {
+		t.Fatalf("reading text/html part: got %q, %v", b, err)
+	}
+
+	p, err = mr2.NextPart()
+	if err != io.EOF {
+		t.Fatalf("final inner NextPart = %v; want io.EOF", err)
+	}
+
+	// Back to the outer multipart/mixed, reading the image attachment.
+	_, err = mr.NextPart()
+	if err != nil {
+		t.Fatalf("error reading the image attachment at the end: %v", err)
+	}
+
+	_, err = mr.NextPart()
+	if err != io.EOF {
+		t.Fatalf("final outer NextPart = %v; want io.EOF", err)
+	}
+}

libgo/go/mime/multipart/testdata/nested-mime

+--e89a8ff1c1e83553e304be640612
+Content-Type: multipart/alternative; boundary=e89a8ff1c1e83553e004be640610
+
+--e89a8ff1c1e83553e004be640610
+Content-Type: text/plain; charset=UTF-8
+
+*body*
+
+--e89a8ff1c1e83553e004be640610
+Content-Type: text/html; charset=UTF-8
+
+<b>body</b>
+
+--e89a8ff1c1e83553e004be640610--
+--e89a8ff1c1e83553e304be640612
+Content-Type: image/png; name="x.png"
+Content-Disposition: attachment; 
+	filename="x.png"
+Content-Transfer-Encoding: base64
+X-Attachment-Id: f_h1edgigu0
+
+iVBORw0KGgoAAAANSUhEUgAAAagAAADrCAIAAACza5XhAAAKMWlDQ1BJQ0MgUHJvZmlsZQAASImd
+lndUU9kWh8+9N71QkhCKlNBraFICSA29SJEuKjEJEErAkAAiNkRUcERRkaYIMijggKNDkbEiioUB
+8b2kqeGaj4aTNftesu5mob4pr07ecMywRwLBvDCJOksqlUyldAZD7g9fxIZRWWPMvXRNJROJRBIG
+Y7Vx0mva1HAwYqibdKONXye3dW4iUonhWFJnqK7OaanU1gGkErFYEgaj0cg8wK+zVPh2ziwnHy07
+U8lYTNapezSzOuevRwLB7CFkqQQCwaJDiBQIBIJFhwh8AoFg0SHUqQUCASRJKkwkhMy/JfODWPEJ
+BIJFhwh8AoFg0TFnQqQ55GtPFopcJsN97e1nYtNuIBYeGBgYCmYrmE3jZ05iaGAoMX0xzxkWz6Hv
+yO7WvrlwzA0uLzrD+VkKqViwl9IfTBVNFMyc/x9alloiPPlqhQAAAABJRU5ErkJggg==
+--e89a8ff1c1e83553e304be640612--

libgo/go/net/http/example_test.go

@@ -49,3 +49,8 @@ func ExampleGet() {
 	res.Body.Close()
 	fmt.Printf("%s", robots)
 }
+
+func ExampleFileServer() {
+	// we use StripPrefix so that /tmpfiles/somefile will access /tmp/somefile
+	http.Handle("/tmpfiles/", http.StripPrefix("/tmpfiles/", http.FileServer(http.Dir("/tmp"))))
+}

libgo/go/net/http/server.go

@@ -785,8 +785,10 @@ var htmlReplacer = strings.NewReplacer(
 	"&", "&",
 	"<", "&lt;",
 	">", "&gt;",
-	`"`, "&quot;",
-	"'", "&apos;",
+	// "&#34;" is shorter than "&quot;".
+	`"`, "&#34;",
+	// "&#39;" is shorter than "&apos;" and apos was not in HTML until HTML5.
+	"'", "&#39;",
 )
 
 func htmlEscape(s string) string {

libgo/go/net/iprawsock_posix.go

@@ -83,9 +83,7 @@ func (c *IPConn) Close() error {
 	if !c.ok() {
 		return syscall.EINVAL
 	}
-	err := c.fd.Close()
-	c.fd = nil
-	return err
+	return c.fd.Close()
 }
 
 // LocalAddr returns the local network address.

libgo/go/net/tcpsock_posix.go

@@ -108,9 +108,7 @@ func (c *TCPConn) Close() error {
 	if !c.ok() {
 		return syscall.EINVAL
 	}
-	err := c.fd.Close()
-	c.fd = nil
-	return err
+	return c.fd.Close()
 }
 
 // CloseRead shuts down the reading side of the TCP connection.
@@ -359,5 +357,5 @@ func (l *TCPListener) SetDeadline(t time.Time) error {
 
 // File returns a copy of the underlying os.File, set to blocking mode.
 // It is the caller's responsibility to close f when finished.
-// Closing c does not affect f, and closing f does not affect c.
+// Closing l does not affect f, and closing f does not affect l.
 func (l *TCPListener) File() (f *os.File, err error) { return l.fd.dup() }

libgo/go/net/udpsock_posix.go

@@ -88,9 +88,7 @@ func (c *UDPConn) Close() error {
 	if !c.ok() {
 		return syscall.EINVAL
 	}
-	err := c.fd.Close()
-	c.fd = nil
-	return err
+	return c.fd.Close()
 }
 
 // LocalAddr returns the local network address.

libgo/go/net/unixsock_posix.go

@@ -141,9 +141,7 @@ func (c *UnixConn) Close() error {
 	if !c.ok() {
 		return syscall.EINVAL
 	}
-	err := c.fd.Close()
-	c.fd = nil
-	return err
+	return c.fd.Close()
 }
 
 // LocalAddr returns the local network address, a *UnixAddr.
@@ -406,7 +404,7 @@ func (l *UnixListener) SetDeadline(t time.Time) (err error) {
 
 // File returns a copy of the underlying os.File, set to blocking mode.
 // It is the caller's responsibility to close f when finished.
-// Closing c does not affect f, and closing f does not affect c.
+// Closing l does not affect f, and closing f does not affect l.
 func (l *UnixListener) File() (f *os.File, err error) { return l.fd.dup() }
 
 // ListenUnixgram listens for incoming Unix datagram packets addressed to the

libgo/go/net/url/url.go

@@ -61,16 +61,16 @@ func (e EscapeError) Error() string {
 }
 
 // Return true if the specified character should be escaped when
-// appearing in a URL string, according to RFC 2396.
+// appearing in a URL string, according to RFC 3986.
 // When 'all' is true the full range of reserved characters are matched.
 func shouldEscape(c byte, mode encoding) bool {
-	// RFC 2396 §2.3 Unreserved characters (alphanum)
+	// §2.3 Unreserved characters (alphanum)
 	if 'A' <= c && c <= 'Z' || 'a' <= c && c <= 'z' || '0' <= c && c <= '9' {
 		return false
 	}
-	// TODO: Update the character sets after RFC 3986.
+
 	switch c {
-	case '-', '_', '.', '!', '~', '*', '\'', '(', ')': // §2.3 Unreserved characters (mark)
+	case '-', '_', '.', '~': // §2.3 Unreserved characters (mark)
 		return false
 
 	case '$', '&', '+', ',', '/', ':', ';', '=', '?', '@': // §2.2 Reserved characters (reserved)

libgo/go/net/url/url_test.go

@@ -394,8 +394,8 @@ var escapeTests = []EscapeTest{
 		nil,
 	},
 	{
-		" ?&=#+%!<>#\"{}|\\^[]`☺\t",
-		"+%3F%26%3D%23%2B%25!%3C%3E%23%22%7B%7D%7C%5C%5E%5B%5D%60%E2%98%BA%09",
+		" ?&=#+%!<>#\"{}|\\^[]`☺\t:/@$'()*,;",
+		"+%3F%26%3D%23%2B%25%21%3C%3E%23%22%7B%7D%7C%5C%5E%5B%5D%60%E2%98%BA%09%3A%2F%40%24%27%28%29%2A%2C%3B",
 		nil,
 	},
 }

libgo/go/os/error_windows.go

@@ -26,5 +26,5 @@ func isPermission(err error) bool {
 	if pe, ok := err.(*PathError); ok {
 		err = pe.Err
 	}
-	return err == ErrPermission
+	return err == syscall.ERROR_ACCESS_DENIED || err == ErrPermission
 }

libgo/go/path/filepath/path.go

@@ -30,6 +30,9 @@ const (
 //	   that is, replace "/.." by "/" at the beginning of a path,
 //         assuming Separator is '/'.
 //
+// The returned path ends in a slash only if it represents a root directory,
+// such as "/" on Unix or `C:\` on Windows.
+//
 // If the result of this process is an empty string, Clean
 // returns the string ".".
 //

libgo/go/path/path.go

@@ -21,6 +21,8 @@ import (
 //	4. Eliminate .. elements that begin a rooted path:
 //	   that is, replace "/.." by "/" at the beginning of a path.
 //
+// The returned path ends in a slash only if it is the root "/".
+//
 // If the result of this process is an empty string, Clean
 // returns the string ".".
 //

libgo/go/reflect/all_test.go

@@ -638,6 +638,7 @@ var (
 
 var deepEqualTests = []DeepEqualTest{
 	// Equalities
+	{nil, nil, true},
 	{1, 1, true},
 	{int32(1), int32(1), true},
 	{0.5, 0.5, true},
@@ -696,6 +697,10 @@ func TestDeepEqual(t *testing.T) {
 }
 
 func TestTypeOf(t *testing.T) {
+	// Special case for nil
+	if typ := TypeOf(nil); typ != nil {
+		t.Errorf("expected nil type for nil value; got %v", typ)
+	}
 	for _, test := range deepEqualTests {
 		v := ValueOf(test.a)
 		if !v.IsValid() {

libgo/go/reflect/type.go

@@ -970,6 +970,7 @@ func toType(p *runtimeType) Type {
 }
 
 // TypeOf returns the reflection Type of the value in the interface{}.
+// TypeOf(nil) returns nil.
 func TypeOf(i interface{}) Type {
 	eface := *(*emptyInterface)(unsafe.Pointer(&i))
 	return toType(eface.typ)

libgo/go/runtime/extern.go

@@ -20,7 +20,8 @@ func Goexit()
 
 // Caller reports file and line number information about function invocations on
 // the calling goroutine's stack.  The argument skip is the number of stack frames
-// to ascend, with 0 identifying the caller of Caller.  The return values report the
+// to ascend, with 1 identifying the caller of Caller.  (For historical reasons the
+// meaning of skip differs between Caller and Callers.) The return values report the
 // program counter, file name, and line number within the file of the corresponding
 // call.  The boolean ok is false if it was not possible to recover the information.
 func Caller(skip int) (pc uintptr, file string, line int, ok bool)

libgo/go/text/template/exec.go

@@ -491,7 +491,11 @@ func (s *state) evalCall(dot, fun reflect.Value, name string, args []parse.Node,
 	}
 	// Add final value if necessary.
 	if final.IsValid() {
-		argv[i] = final
+		t := typ.In(typ.NumIn() - 1)
+		if typ.IsVariadic() {
+			t = t.Elem()
+		}
+		argv[i] = s.validateType(final, t)
 	}
 	result := fun.Call(argv)
 	// If we have an error that is not nil, stop execution and return that error to the caller.
@@ -507,6 +511,7 @@ func (s *state) validateType(value reflect.Value, typ reflect.Type) reflect.Valu
 		switch typ.Kind() {
 		case reflect.Interface, reflect.Ptr, reflect.Chan, reflect.Map, reflect.Slice, reflect.Func:
 			// An untyped nil interface{}. Accept as a proper nil value.
+			// TODO: Can we delete the other types in this list? Should we?
 			value = reflect.Zero(typ)
 		default:
 			s.errorf("invalid value; expected %s", typ)

libgo/go/text/template/exec_test.go

@@ -470,6 +470,9 @@ var execTests = []execTest{
 	{"bug7a", "{{3 2}}", "", tVal, false},
 	{"bug7b", "{{$x := 1}}{{$x 2}}", "", tVal, false},
 	{"bug7c", "{{$x := 1}}{{3 | $x}}", "", tVal, false},
+	// Pipelined arg was not being type-checked.
+	{"bug8a", "{{3|oneArg}}", "", tVal, false},
+	{"bug8b", "{{4|dddArg 3}}", "", tVal, false},
 }
 
 func zeroArgs() string {
@@ -480,6 +483,10 @@ func oneArg(a string) string {
 	return "oneArg=" + a
 }
 
+func dddArg(a int, b ...string) string {
+	return fmt.Sprintln(a, b)
+}
+
 // count returns a channel that will deliver n sequential 1-letter strings starting at "a"
 func count(n int) chan string {
 	if n == 0 {
@@ -504,6 +511,7 @@ func testExecute(execTests []execTest, template *Template, t *testing.T) {
 	b := new(bytes.Buffer)
 	funcs := FuncMap{
 		"count":    count,
+		"dddArg":   dddArg,
 		"oneArg":   oneArg,
 		"typeOf":   typeOf,
 		"vfunc":    vfunc,

libgo/go/text/template/funcs.go

@@ -246,7 +246,7 @@ func not(arg interface{}) (truth bool) {
 
 var (
 	htmlQuot = []byte(""") // shorter than """
-	htmlApos = []byte("'") // shorter than "'"
+	htmlApos = []byte("'") // shorter than "'" and apos was not in HTML until HTML5
 	htmlAmp  = []byte("&")
 	htmlLt   = []byte("<")
 	htmlGt   = []byte(">")

libgo/go/time/format.go

@@ -41,8 +41,8 @@ const (
 	ANSIC       = "Mon Jan _2 15:04:05 2006"
 	UnixDate    = "Mon Jan _2 15:04:05 MST 2006"
 	RubyDate    = "Mon Jan 02 15:04:05 -0700 2006"
-	RFC822      = "02 Jan 06 1504 MST"
-	RFC822Z     = "02 Jan 06 1504 -0700" // RFC822 with numeric zone
+	RFC822      = "02 Jan 06 15:04 MST"
+	RFC822Z     = "02 Jan 06 15:04 -0700" // RFC822 with numeric zone
 	RFC850      = "Monday, 02-Jan-06 15:04:05 MST"
 	RFC1123     = "Mon, 02 Jan 2006 15:04:05 MST"
 	RFC1123Z    = "Mon, 02 Jan 2006 15:04:05 -0700" // RFC1123 with numeric zone
@@ -714,7 +714,7 @@ func Parse(layout, value string) (Time, error) {
 			}
 			// Special case: do we have a fractional second but no
 			// fractional second in the format?
-			if len(value) > 2 && value[0] == '.' && isDigit(value, 1) {
+			if len(value) >= 2 && value[0] == '.' && isDigit(value, 1) {
 				_, std, _ := nextStdChunk(layout)
 				if len(std) > 0 && std[0] == '.' && isDigit(std, 1) {
 					// Fractional second in the layout; proceed normally

libgo/go/time/time.go

@@ -403,7 +403,7 @@ const (
 	Hour                 = 60 * Minute
 )
 
-// Duration returns a string representing the duration in the form "72h3m0.5s".
+// String returns a string representing the duration in the form "72h3m0.5s".
 // Leading zero units are omitted.  As a special case, durations less than one
 // second format use a smaller unit (milli-, micro-, or nanoseconds) to ensure
 // that the leading digit is non-zero.  The zero duration formats as 0,
@@ -763,7 +763,9 @@ func (t Time) Unix() int64 {
 }
 
 // UnixNano returns t as a Unix time, the number of nanoseconds elapsed
-// since January 1, 1970 UTC.
+// since January 1, 1970 UTC. The result is undefined if the Unix time
+// in nanoseconds cannot be represented by an int64. Note that this
+// means the result of calling UnixNano on the zero Time is undefined.
 func (t Time) UnixNano() int64 {
 	return (t.sec+internalToUnix)*1e9 + int64(t.nsec)
 }

libgo/go/time/time_test.go

@@ -223,7 +223,7 @@ var formatTests = []FormatTest{
 	{"ANSIC", ANSIC, "Wed Feb  4 21:00:57 2009"},
 	{"UnixDate", UnixDate, "Wed Feb  4 21:00:57 PST 2009"},
 	{"RubyDate", RubyDate, "Wed Feb 04 21:00:57 -0800 2009"},
-	{"RFC822", RFC822, "04 Feb 09 2100 PST"},
+	{"RFC822", RFC822, "04 Feb 09 21:00 PST"},
 	{"RFC850", RFC850, "Wednesday, 04-Feb-09 21:00:57 PST"},
 	{"RFC1123", RFC1123, "Wed, 04 Feb 2009 21:00:57 PST"},
 	{"RFC1123Z", RFC1123Z, "Wed, 04 Feb 2009 21:00:57 -0800"},
@@ -310,6 +310,7 @@ var parseTests = []ParseTest{
 	{"RFC1123", RFC1123, "Thu, 04 Feb 2010 21:00:57.01234 PST", true, true, 1, 5},
 	{"RFC1123Z", RFC1123Z, "Thu, 04 Feb 2010 21:00:57.01234 -0800", true, true, 1, 5},
 	{"RFC3339", RFC3339, "2010-02-04T21:00:57.012345678-08:00", true, false, 1, 9},
+	{"custom: \"2006-01-02 15:04:05\"", "2006-01-02 15:04:05", "2010-02-04 21:00:57.0", false, false, 1, 0},
 	// Amount of white space should not matter.
 	{"ANSIC", ANSIC, "Thu Feb 4 21:00:57 2010", false, true, 1, 0},
 	{"ANSIC", ANSIC, "Thu      Feb     4     21:00:57     2010", false, true, 1, 0},

libgo/go/time/zoneinfo_windows.go

@@ -83,6 +83,9 @@ func initLocalFromTZI(i *syscall.Timezoneinformation) {
 		l.cacheStart = -1 << 63
 		l.cacheEnd = 1<<63 - 1
 		l.cacheZone = std
+		l.tx = make([]zoneTrans, 1)
+		l.tx[0].when = l.cacheStart
+		l.tx[0].index = 0
 		return
 	}