migrate to go-modules

Signed-off-by: Valentin Rothberg <rothberg@redhat.com>

23 files changed, 82 insertions, 5378 deletions

diff --git a/vendor/golang.org/x/crypto/AUTHORS b/vendor/golang.org/x/crypto/AUTHORS
new file mode 100644
index 000000000..2b00ddba0
--- /dev/null
+++ b/vendor/golang.org/x/crypto/AUTHORS
@@ -0,0 +1,3 @@
+# This source code refers to The Go Authors for copyright purposes.
+# The master list of authors is in the main Go distribution,
+# visible at https://tip.golang.org/AUTHORS.
diff --git a/vendor/golang.org/x/crypto/CONTRIBUTORS b/vendor/golang.org/x/crypto/CONTRIBUTORS
new file mode 100644
index 000000000..1fbd3e976
--- /dev/null
+++ b/vendor/golang.org/x/crypto/CONTRIBUTORS
@@ -0,0 +1,3 @@
+# This source code was written by the Go contributors.
+# The master list of contributors is in the main Go distribution,
+# visible at https://tip.golang.org/CONTRIBUTORS.
diff --git a/vendor/golang.org/x/crypto/README.md b/vendor/golang.org/x/crypto/README.md
deleted file mode 100644
index c9d6fecd1..000000000
--- a/vendor/golang.org/x/crypto/README.md
+++ /dev/null
@@ -1,21 +0,0 @@
-# Go Cryptography
-
-This repository holds supplementary Go cryptography libraries.
-
-## Download/Install
-
-The easiest way to install is to run `go get -u golang.org/x/crypto/...`. You
-can also manually git clone the repository to `$GOPATH/src/golang.org/x/crypto`.
-
-## Report Issues / Send Patches
-
-This repository uses Gerrit for code changes. To learn how to submit changes to
-this repository, see https://golang.org/doc/contribute.html.
-
-The main issue tracker for the crypto repository is located at
-https://github.com/golang/go/issues. Prefix your issue with "x/crypto:" in the
-subject line, so it is easy to find.
-
-Note that contributions to the cryptography package receive additional scrutiny
-due to their sensitive nature. Patches may take longer than normal to receive
-feedback.
diff --git a/vendor/golang.org/x/crypto/cast5/cast5.go b/vendor/golang.org/x/crypto/cast5/cast5.go
index 0b4af37bd..ddcbeb6f2 100644
--- a/vendor/golang.org/x/crypto/cast5/cast5.go
+++ b/vendor/golang.org/x/crypto/cast5/cast5.go
@@ -2,8 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package cast5 implements CAST5, as defined in RFC 2144. CAST5 is a common
-// OpenPGP cipher.
+// Package cast5 implements CAST5, as defined in RFC 2144.
+//
+// CAST5 is a legacy cipher and its short block size makes it vulnerable to
+// birthday bound attacks (see https://sweet32.info). It should only be used
+// where compatibility with legacy systems, not security, is the goal.
+//
+// Deprecated: any new system should use AES (from crypto/aes, if necessary in
+// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
+// golang.org/x/crypto/chacha20poly1305).
 package cast5 // import "golang.org/x/crypto/cast5"
 
 import "errors"
diff --git a/vendor/golang.org/x/crypto/curve25519/const_amd64.h b/vendor/golang.org/x/crypto/curve25519/const_amd64.h
deleted file mode 100644
index b3f74162f..000000000
--- a/vendor/golang.org/x/crypto/curve25519/const_amd64.h
+++ /dev/null
@@ -1,8 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-#define REDMASK51     0x0007FFFFFFFFFFFF
diff --git a/vendor/golang.org/x/crypto/curve25519/const_amd64.s b/vendor/golang.org/x/crypto/curve25519/const_amd64.s
deleted file mode 100644
index ee7b4bd5f..000000000
--- a/vendor/golang.org/x/crypto/curve25519/const_amd64.s
+++ /dev/null
@@ -1,20 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-// These constants cannot be encoded in non-MOVQ immediates.
-// We access them directly from memory instead.
-
-DATA ·_121666_213(SB)/8, $996687872
-GLOBL ·_121666_213(SB), 8, $8
-
-DATA ·_2P0(SB)/8, $0xFFFFFFFFFFFDA
-GLOBL ·_2P0(SB), 8, $8
-
-DATA ·_2P1234(SB)/8, $0xFFFFFFFFFFFFE
-GLOBL ·_2P1234(SB), 8, $8
diff --git a/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s b/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s
deleted file mode 100644
index cd793a5b5..000000000
--- a/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s
+++ /dev/null
@@ -1,65 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-// func cswap(inout *[4][5]uint64, v uint64)
-TEXT ·cswap(SB),7,$0
-	MOVQ inout+0(FP),DI
-	MOVQ v+8(FP),SI
-
-	SUBQ $1, SI
-	NOTQ SI
-	MOVQ SI, X15
-	PSHUFD $0x44, X15, X15
-
-	MOVOU 0(DI), X0
-	MOVOU 16(DI), X2
-	MOVOU 32(DI), X4
-	MOVOU 48(DI), X6
-	MOVOU 64(DI), X8
-	MOVOU 80(DI), X1
-	MOVOU 96(DI), X3
-	MOVOU 112(DI), X5
-	MOVOU 128(DI), X7
-	MOVOU 144(DI), X9
-
-	MOVO X1, X10
-	MOVO X3, X11
-	MOVO X5, X12
-	MOVO X7, X13
-	MOVO X9, X14
-
-	PXOR X0, X10
-	PXOR X2, X11
-	PXOR X4, X12
-	PXOR X6, X13
-	PXOR X8, X14
-	PAND X15, X10
-	PAND X15, X11
-	PAND X15, X12
-	PAND X15, X13
-	PAND X15, X14
-	PXOR X10, X0
-	PXOR X10, X1
-	PXOR X11, X2
-	PXOR X11, X3
-	PXOR X12, X4
-	PXOR X12, X5
-	PXOR X13, X6
-	PXOR X13, X7
-	PXOR X14, X8
-	PXOR X14, X9
-
-	MOVOU X0, 0(DI)
-	MOVOU X2, 16(DI)
-	MOVOU X4, 32(DI)
-	MOVOU X6, 48(DI)
-	MOVOU X8, 64(DI)
-	MOVOU X1, 80(DI)
-	MOVOU X3, 96(DI)
-	MOVOU X5, 112(DI)
-	MOVOU X7, 128(DI)
-	MOVOU X9, 144(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/curve25519/curve25519.go b/vendor/golang.org/x/crypto/curve25519/curve25519.go
deleted file mode 100644
index cb8fbc57b..000000000
--- a/vendor/golang.org/x/crypto/curve25519/curve25519.go
+++ /dev/null
@@ -1,834 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// We have an implementation in amd64 assembly so this code is only run on
-// non-amd64 platforms. The amd64 assembly does not support gccgo.
-// +build !amd64 gccgo appengine
-
-package curve25519
-
-import (
-	"encoding/binary"
-)
-
-// This code is a port of the public domain, "ref10" implementation of
-// curve25519 from SUPERCOP 20130419 by D. J. Bernstein.
-
-// fieldElement represents an element of the field GF(2^255 - 19). An element
-// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
-// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
-// context.
-type fieldElement [10]int32
-
-func feZero(fe *fieldElement) {
-	for i := range fe {
-		fe[i] = 0
-	}
-}
-
-func feOne(fe *fieldElement) {
-	feZero(fe)
-	fe[0] = 1
-}
-
-func feAdd(dst, a, b *fieldElement) {
-	for i := range dst {
-		dst[i] = a[i] + b[i]
-	}
-}
-
-func feSub(dst, a, b *fieldElement) {
-	for i := range dst {
-		dst[i] = a[i] - b[i]
-	}
-}
-
-func feCopy(dst, src *fieldElement) {
-	for i := range dst {
-		dst[i] = src[i]
-	}
-}
-
-// feCSwap replaces (f,g) with (g,f) if b == 1; replaces (f,g) with (f,g) if b == 0.
-//
-// Preconditions: b in {0,1}.
-func feCSwap(f, g *fieldElement, b int32) {
-	b = -b
-	for i := range f {
-		t := b & (f[i] ^ g[i])
-		f[i] ^= t
-		g[i] ^= t
-	}
-}
-
-// load3 reads a 24-bit, little-endian value from in.
-func load3(in []byte) int64 {
-	var r int64
-	r = int64(in[0])
-	r |= int64(in[1]) << 8
-	r |= int64(in[2]) << 16
-	return r
-}
-
-// load4 reads a 32-bit, little-endian value from in.
-func load4(in []byte) int64 {
-	return int64(binary.LittleEndian.Uint32(in))
-}
-
-func feFromBytes(dst *fieldElement, src *[32]byte) {
-	h0 := load4(src[:])
-	h1 := load3(src[4:]) << 6
-	h2 := load3(src[7:]) << 5
-	h3 := load3(src[10:]) << 3
-	h4 := load3(src[13:]) << 2
-	h5 := load4(src[16:])
-	h6 := load3(src[20:]) << 7
-	h7 := load3(src[23:]) << 5
-	h8 := load3(src[26:]) << 4
-	h9 := load3(src[29:]) << 2
-
-	var carry [10]int64
-	carry[9] = (h9 + 1<<24) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-	carry[1] = (h1 + 1<<24) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[3] = (h3 + 1<<24) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[5] = (h5 + 1<<24) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-	carry[7] = (h7 + 1<<24) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-
-	carry[0] = (h0 + 1<<25) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[2] = (h2 + 1<<25) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[4] = (h4 + 1<<25) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[6] = (h6 + 1<<25) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-	carry[8] = (h8 + 1<<25) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-
-	dst[0] = int32(h0)
-	dst[1] = int32(h1)
-	dst[2] = int32(h2)
-	dst[3] = int32(h3)
-	dst[4] = int32(h4)
-	dst[5] = int32(h5)
-	dst[6] = int32(h6)
-	dst[7] = int32(h7)
-	dst[8] = int32(h8)
-	dst[9] = int32(h9)
-}
-
-// feToBytes marshals h to s.
-// Preconditions:
-//   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Write p=2^255-19; q=floor(h/p).
-// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
-//
-// Proof:
-//   Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
-//   Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
-//
-//   Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
-//   Then 0<y<1.
-//
-//   Write r=h-pq.
-//   Have 0<=r<=p-1=2^255-20.
-//   Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
-//
-//   Write x=r+19(2^-255)r+y.
-//   Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
-//
-//   Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
-//   so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
-func feToBytes(s *[32]byte, h *fieldElement) {
-	var carry [10]int32
-
-	q := (19*h[9] + (1 << 24)) >> 25
-	q = (h[0] + q) >> 26
-	q = (h[1] + q) >> 25
-	q = (h[2] + q) >> 26
-	q = (h[3] + q) >> 25
-	q = (h[4] + q) >> 26
-	q = (h[5] + q) >> 25
-	q = (h[6] + q) >> 26
-	q = (h[7] + q) >> 25
-	q = (h[8] + q) >> 26
-	q = (h[9] + q) >> 25
-
-	// Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
-	h[0] += 19 * q
-	// Goal: Output h-2^255 q, which is between 0 and 2^255-20.
-
-	carry[0] = h[0] >> 26
-	h[1] += carry[0]
-	h[0] -= carry[0] << 26
-	carry[1] = h[1] >> 25
-	h[2] += carry[1]
-	h[1] -= carry[1] << 25
-	carry[2] = h[2] >> 26
-	h[3] += carry[2]
-	h[2] -= carry[2] << 26
-	carry[3] = h[3] >> 25
-	h[4] += carry[3]
-	h[3] -= carry[3] << 25
-	carry[4] = h[4] >> 26
-	h[5] += carry[4]
-	h[4] -= carry[4] << 26
-	carry[5] = h[5] >> 25
-	h[6] += carry[5]
-	h[5] -= carry[5] << 25
-	carry[6] = h[6] >> 26
-	h[7] += carry[6]
-	h[6] -= carry[6] << 26
-	carry[7] = h[7] >> 25
-	h[8] += carry[7]
-	h[7] -= carry[7] << 25
-	carry[8] = h[8] >> 26
-	h[9] += carry[8]
-	h[8] -= carry[8] << 26
-	carry[9] = h[9] >> 25
-	h[9] -= carry[9] << 25
-	// h10 = carry9
-
-	// Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
-	// Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
-	// evidently 2^255 h10-2^255 q = 0.
-	// Goal: Output h[0]+...+2^230 h[9].
-
-	s[0] = byte(h[0] >> 0)
-	s[1] = byte(h[0] >> 8)
-	s[2] = byte(h[0] >> 16)
-	s[3] = byte((h[0] >> 24) | (h[1] << 2))
-	s[4] = byte(h[1] >> 6)
-	s[5] = byte(h[1] >> 14)
-	s[6] = byte((h[1] >> 22) | (h[2] << 3))
-	s[7] = byte(h[2] >> 5)
-	s[8] = byte(h[2] >> 13)
-	s[9] = byte((h[2] >> 21) | (h[3] << 5))
-	s[10] = byte(h[3] >> 3)
-	s[11] = byte(h[3] >> 11)
-	s[12] = byte((h[3] >> 19) | (h[4] << 6))
-	s[13] = byte(h[4] >> 2)
-	s[14] = byte(h[4] >> 10)
-	s[15] = byte(h[4] >> 18)
-	s[16] = byte(h[5] >> 0)
-	s[17] = byte(h[5] >> 8)
-	s[18] = byte(h[5] >> 16)
-	s[19] = byte((h[5] >> 24) | (h[6] << 1))
-	s[20] = byte(h[6] >> 7)
-	s[21] = byte(h[6] >> 15)
-	s[22] = byte((h[6] >> 23) | (h[7] << 3))
-	s[23] = byte(h[7] >> 5)
-	s[24] = byte(h[7] >> 13)
-	s[25] = byte((h[7] >> 21) | (h[8] << 4))
-	s[26] = byte(h[8] >> 4)
-	s[27] = byte(h[8] >> 12)
-	s[28] = byte((h[8] >> 20) | (h[9] << 6))
-	s[29] = byte(h[9] >> 2)
-	s[30] = byte(h[9] >> 10)
-	s[31] = byte(h[9] >> 18)
-}
-
-// feMul calculates h = f * g
-// Can overlap h with f or g.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//    |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-//
-// Notes on implementation strategy:
-//
-// Using schoolbook multiplication.
-// Karatsuba would save a little in some cost models.
-//
-// Most multiplications by 2 and 19 are 32-bit precomputations;
-// cheaper than 64-bit postcomputations.
-//
-// There is one remaining multiplication by 19 in the carry chain;
-// one *19 precomputation can be merged into this,
-// but the resulting data flow is considerably less clean.
-//
-// There are 12 carries below.
-// 10 of them are 2-way parallelizable and vectorizable.
-// Can get away with 11 carries, but then data flow is much deeper.
-//
-// With tighter constraints on inputs can squeeze carries into int32.
-func feMul(h, f, g *fieldElement) {
-	f0 := f[0]
-	f1 := f[1]
-	f2 := f[2]
-	f3 := f[3]
-	f4 := f[4]
-	f5 := f[5]
-	f6 := f[6]
-	f7 := f[7]
-	f8 := f[8]
-	f9 := f[9]
-	g0 := g[0]
-	g1 := g[1]
-	g2 := g[2]
-	g3 := g[3]
-	g4 := g[4]
-	g5 := g[5]
-	g6 := g[6]
-	g7 := g[7]
-	g8 := g[8]
-	g9 := g[9]
-	g1_19 := 19 * g1 // 1.4*2^29
-	g2_19 := 19 * g2 // 1.4*2^30; still ok
-	g3_19 := 19 * g3
-	g4_19 := 19 * g4
-	g5_19 := 19 * g5
-	g6_19 := 19 * g6
-	g7_19 := 19 * g7
-	g8_19 := 19 * g8
-	g9_19 := 19 * g9
-	f1_2 := 2 * f1
-	f3_2 := 2 * f3
-	f5_2 := 2 * f5
-	f7_2 := 2 * f7
-	f9_2 := 2 * f9
-	f0g0 := int64(f0) * int64(g0)
-	f0g1 := int64(f0) * int64(g1)
-	f0g2 := int64(f0) * int64(g2)
-	f0g3 := int64(f0) * int64(g3)
-	f0g4 := int64(f0) * int64(g4)
-	f0g5 := int64(f0) * int64(g5)
-	f0g6 := int64(f0) * int64(g6)
-	f0g7 := int64(f0) * int64(g7)
-	f0g8 := int64(f0) * int64(g8)
-	f0g9 := int64(f0) * int64(g9)
-	f1g0 := int64(f1) * int64(g0)
-	f1g1_2 := int64(f1_2) * int64(g1)
-	f1g2 := int64(f1) * int64(g2)
-	f1g3_2 := int64(f1_2) * int64(g3)
-	f1g4 := int64(f1) * int64(g4)
-	f1g5_2 := int64(f1_2) * int64(g5)
-	f1g6 := int64(f1) * int64(g6)
-	f1g7_2 := int64(f1_2) * int64(g7)
-	f1g8 := int64(f1) * int64(g8)
-	f1g9_38 := int64(f1_2) * int64(g9_19)
-	f2g0 := int64(f2) * int64(g0)
-	f2g1 := int64(f2) * int64(g1)
-	f2g2 := int64(f2) * int64(g2)
-	f2g3 := int64(f2) * int64(g3)
-	f2g4 := int64(f2) * int64(g4)
-	f2g5 := int64(f2) * int64(g5)
-	f2g6 := int64(f2) * int64(g6)
-	f2g7 := int64(f2) * int64(g7)
-	f2g8_19 := int64(f2) * int64(g8_19)
-	f2g9_19 := int64(f2) * int64(g9_19)
-	f3g0 := int64(f3) * int64(g0)
-	f3g1_2 := int64(f3_2) * int64(g1)
-	f3g2 := int64(f3) * int64(g2)
-	f3g3_2 := int64(f3_2) * int64(g3)
-	f3g4 := int64(f3) * int64(g4)
-	f3g5_2 := int64(f3_2) * int64(g5)
-	f3g6 := int64(f3) * int64(g6)
-	f3g7_38 := int64(f3_2) * int64(g7_19)
-	f3g8_19 := int64(f3) * int64(g8_19)
-	f3g9_38 := int64(f3_2) * int64(g9_19)
-	f4g0 := int64(f4) * int64(g0)
-	f4g1 := int64(f4) * int64(g1)
-	f4g2 := int64(f4) * int64(g2)
-	f4g3 := int64(f4) * int64(g3)
-	f4g4 := int64(f4) * int64(g4)
-	f4g5 := int64(f4) * int64(g5)
-	f4g6_19 := int64(f4) * int64(g6_19)
-	f4g7_19 := int64(f4) * int64(g7_19)
-	f4g8_19 := int64(f4) * int64(g8_19)
-	f4g9_19 := int64(f4) * int64(g9_19)
-	f5g0 := int64(f5) * int64(g0)
-	f5g1_2 := int64(f5_2) * int64(g1)
-	f5g2 := int64(f5) * int64(g2)
-	f5g3_2 := int64(f5_2) * int64(g3)
-	f5g4 := int64(f5) * int64(g4)
-	f5g5_38 := int64(f5_2) * int64(g5_19)
-	f5g6_19 := int64(f5) * int64(g6_19)
-	f5g7_38 := int64(f5_2) * int64(g7_19)
-	f5g8_19 := int64(f5) * int64(g8_19)
-	f5g9_38 := int64(f5_2) * int64(g9_19)
-	f6g0 := int64(f6) * int64(g0)
-	f6g1 := int64(f6) * int64(g1)
-	f6g2 := int64(f6) * int64(g2)
-	f6g3 := int64(f6) * int64(g3)
-	f6g4_19 := int64(f6) * int64(g4_19)
-	f6g5_19 := int64(f6) * int64(g5_19)
-	f6g6_19 := int64(f6) * int64(g6_19)
-	f6g7_19 := int64(f6) * int64(g7_19)
-	f6g8_19 := int64(f6) * int64(g8_19)
-	f6g9_19 := int64(f6) * int64(g9_19)
-	f7g0 := int64(f7) * int64(g0)
-	f7g1_2 := int64(f7_2) * int64(g1)
-	f7g2 := int64(f7) * int64(g2)
-	f7g3_38 := int64(f7_2) * int64(g3_19)
-	f7g4_19 := int64(f7) * int64(g4_19)
-	f7g5_38 := int64(f7_2) * int64(g5_19)
-	f7g6_19 := int64(f7) * int64(g6_19)
-	f7g7_38 := int64(f7_2) * int64(g7_19)
-	f7g8_19 := int64(f7) * int64(g8_19)
-	f7g9_38 := int64(f7_2) * int64(g9_19)
-	f8g0 := int64(f8) * int64(g0)
-	f8g1 := int64(f8) * int64(g1)
-	f8g2_19 := int64(f8) * int64(g2_19)
-	f8g3_19 := int64(f8) * int64(g3_19)
-	f8g4_19 := int64(f8) * int64(g4_19)
-	f8g5_19 := int64(f8) * int64(g5_19)
-	f8g6_19 := int64(f8) * int64(g6_19)
-	f8g7_19 := int64(f8) * int64(g7_19)
-	f8g8_19 := int64(f8) * int64(g8_19)
-	f8g9_19 := int64(f8) * int64(g9_19)
-	f9g0 := int64(f9) * int64(g0)
-	f9g1_38 := int64(f9_2) * int64(g1_19)
-	f9g2_19 := int64(f9) * int64(g2_19)
-	f9g3_38 := int64(f9_2) * int64(g3_19)
-	f9g4_19 := int64(f9) * int64(g4_19)
-	f9g5_38 := int64(f9_2) * int64(g5_19)
-	f9g6_19 := int64(f9) * int64(g6_19)
-	f9g7_38 := int64(f9_2) * int64(g7_19)
-	f9g8_19 := int64(f9) * int64(g8_19)
-	f9g9_38 := int64(f9_2) * int64(g9_19)
-	h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38
-	h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19
-	h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38
-	h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19
-	h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38
-	h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19
-	h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38
-	h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19
-	h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38
-	h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0
-	var carry [10]int64
-
-	// |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
-	//   i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
-	// |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
-	//   i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	// |h0| <= 2^25
-	// |h4| <= 2^25
-	// |h1| <= 1.51*2^58
-	// |h5| <= 1.51*2^58
-
-	carry[1] = (h1 + (1 << 24)) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[5] = (h5 + (1 << 24)) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-	// |h1| <= 2^24; from now on fits into int32
-	// |h5| <= 2^24; from now on fits into int32
-	// |h2| <= 1.21*2^59
-	// |h6| <= 1.21*2^59
-
-	carry[2] = (h2 + (1 << 25)) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[6] = (h6 + (1 << 25)) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-	// |h2| <= 2^25; from now on fits into int32 unchanged
-	// |h6| <= 2^25; from now on fits into int32 unchanged
-	// |h3| <= 1.51*2^58
-	// |h7| <= 1.51*2^58
-
-	carry[3] = (h3 + (1 << 24)) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[7] = (h7 + (1 << 24)) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-	// |h3| <= 2^24; from now on fits into int32 unchanged
-	// |h7| <= 2^24; from now on fits into int32 unchanged
-	// |h4| <= 1.52*2^33
-	// |h8| <= 1.52*2^33
-
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[8] = (h8 + (1 << 25)) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-	// |h4| <= 2^25; from now on fits into int32 unchanged
-	// |h8| <= 2^25; from now on fits into int32 unchanged
-	// |h5| <= 1.01*2^24
-	// |h9| <= 1.51*2^58
-
-	carry[9] = (h9 + (1 << 24)) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-	// |h9| <= 2^24; from now on fits into int32 unchanged
-	// |h0| <= 1.8*2^37
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	// |h0| <= 2^25; from now on fits into int32 unchanged
-	// |h1| <= 1.01*2^24
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-// feSquare calculates h = f*f. Can overlap h with f.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-func feSquare(h, f *fieldElement) {
-	f0 := f[0]
-	f1 := f[1]
-	f2 := f[2]
-	f3 := f[3]
-	f4 := f[4]
-	f5 := f[5]
-	f6 := f[6]
-	f7 := f[7]
-	f8 := f[8]
-	f9 := f[9]
-	f0_2 := 2 * f0
-	f1_2 := 2 * f1
-	f2_2 := 2 * f2
-	f3_2 := 2 * f3
-	f4_2 := 2 * f4
-	f5_2 := 2 * f5
-	f6_2 := 2 * f6
-	f7_2 := 2 * f7
-	f5_38 := 38 * f5 // 1.31*2^30
-	f6_19 := 19 * f6 // 1.31*2^30
-	f7_38 := 38 * f7 // 1.31*2^30
-	f8_19 := 19 * f8 // 1.31*2^30
-	f9_38 := 38 * f9 // 1.31*2^30
-	f0f0 := int64(f0) * int64(f0)
-	f0f1_2 := int64(f0_2) * int64(f1)
-	f0f2_2 := int64(f0_2) * int64(f2)
-	f0f3_2 := int64(f0_2) * int64(f3)
-	f0f4_2 := int64(f0_2) * int64(f4)
-	f0f5_2 := int64(f0_2) * int64(f5)
-	f0f6_2 := int64(f0_2) * int64(f6)
-	f0f7_2 := int64(f0_2) * int64(f7)
-	f0f8_2 := int64(f0_2) * int64(f8)
-	f0f9_2 := int64(f0_2) * int64(f9)
-	f1f1_2 := int64(f1_2) * int64(f1)
-	f1f2_2 := int64(f1_2) * int64(f2)
-	f1f3_4 := int64(f1_2) * int64(f3_2)
-	f1f4_2 := int64(f1_2) * int64(f4)
-	f1f5_4 := int64(f1_2) * int64(f5_2)
-	f1f6_2 := int64(f1_2) * int64(f6)
-	f1f7_4 := int64(f1_2) * int64(f7_2)
-	f1f8_2 := int64(f1_2) * int64(f8)
-	f1f9_76 := int64(f1_2) * int64(f9_38)
-	f2f2 := int64(f2) * int64(f2)
-	f2f3_2 := int64(f2_2) * int64(f3)
-	f2f4_2 := int64(f2_2) * int64(f4)
-	f2f5_2 := int64(f2_2) * int64(f5)
-	f2f6_2 := int64(f2_2) * int64(f6)
-	f2f7_2 := int64(f2_2) * int64(f7)
-	f2f8_38 := int64(f2_2) * int64(f8_19)
-	f2f9_38 := int64(f2) * int64(f9_38)
-	f3f3_2 := int64(f3_2) * int64(f3)
-	f3f4_2 := int64(f3_2) * int64(f4)
-	f3f5_4 := int64(f3_2) * int64(f5_2)
-	f3f6_2 := int64(f3_2) * int64(f6)
-	f3f7_76 := int64(f3_2) * int64(f7_38)
-	f3f8_38 := int64(f3_2) * int64(f8_19)
-	f3f9_76 := int64(f3_2) * int64(f9_38)
-	f4f4 := int64(f4) * int64(f4)
-	f4f5_2 := int64(f4_2) * int64(f5)
-	f4f6_38 := int64(f4_2) * int64(f6_19)
-	f4f7_38 := int64(f4) * int64(f7_38)
-	f4f8_38 := int64(f4_2) * int64(f8_19)
-	f4f9_38 := int64(f4) * int64(f9_38)
-	f5f5_38 := int64(f5) * int64(f5_38)
-	f5f6_38 := int64(f5_2) * int64(f6_19)
-	f5f7_76 := int64(f5_2) * int64(f7_38)
-	f5f8_38 := int64(f5_2) * int64(f8_19)
-	f5f9_76 := int64(f5_2) * int64(f9_38)
-	f6f6_19 := int64(f6) * int64(f6_19)
-	f6f7_38 := int64(f6) * int64(f7_38)
-	f6f8_38 := int64(f6_2) * int64(f8_19)
-	f6f9_38 := int64(f6) * int64(f9_38)
-	f7f7_38 := int64(f7) * int64(f7_38)
-	f7f8_38 := int64(f7_2) * int64(f8_19)
-	f7f9_76 := int64(f7_2) * int64(f9_38)
-	f8f8_19 := int64(f8) * int64(f8_19)
-	f8f9_38 := int64(f8) * int64(f9_38)
-	f9f9_38 := int64(f9) * int64(f9_38)
-	h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
-	h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
-	h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
-	h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
-	h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
-	h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
-	h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
-	h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
-	h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
-	h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
-	var carry [10]int64
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-
-	carry[1] = (h1 + (1 << 24)) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[5] = (h5 + (1 << 24)) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-
-	carry[2] = (h2 + (1 << 25)) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[6] = (h6 + (1 << 25)) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-
-	carry[3] = (h3 + (1 << 24)) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[7] = (h7 + (1 << 24)) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[8] = (h8 + (1 << 25)) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-
-	carry[9] = (h9 + (1 << 24)) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-// feMul121666 calculates h = f * 121666. Can overlap h with f.
-//
-// Preconditions:
-//    |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-//
-// Postconditions:
-//    |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-func feMul121666(h, f *fieldElement) {
-	h0 := int64(f[0]) * 121666
-	h1 := int64(f[1]) * 121666
-	h2 := int64(f[2]) * 121666
-	h3 := int64(f[3]) * 121666
-	h4 := int64(f[4]) * 121666
-	h5 := int64(f[5]) * 121666
-	h6 := int64(f[6]) * 121666
-	h7 := int64(f[7]) * 121666
-	h8 := int64(f[8]) * 121666
-	h9 := int64(f[9]) * 121666
-	var carry [10]int64
-
-	carry[9] = (h9 + (1 << 24)) >> 25
-	h0 += carry[9] * 19
-	h9 -= carry[9] << 25
-	carry[1] = (h1 + (1 << 24)) >> 25
-	h2 += carry[1]
-	h1 -= carry[1] << 25
-	carry[3] = (h3 + (1 << 24)) >> 25
-	h4 += carry[3]
-	h3 -= carry[3] << 25
-	carry[5] = (h5 + (1 << 24)) >> 25
-	h6 += carry[5]
-	h5 -= carry[5] << 25
-	carry[7] = (h7 + (1 << 24)) >> 25
-	h8 += carry[7]
-	h7 -= carry[7] << 25
-
-	carry[0] = (h0 + (1 << 25)) >> 26
-	h1 += carry[0]
-	h0 -= carry[0] << 26
-	carry[2] = (h2 + (1 << 25)) >> 26
-	h3 += carry[2]
-	h2 -= carry[2] << 26
-	carry[4] = (h4 + (1 << 25)) >> 26
-	h5 += carry[4]
-	h4 -= carry[4] << 26
-	carry[6] = (h6 + (1 << 25)) >> 26
-	h7 += carry[6]
-	h6 -= carry[6] << 26
-	carry[8] = (h8 + (1 << 25)) >> 26
-	h9 += carry[8]
-	h8 -= carry[8] << 26
-
-	h[0] = int32(h0)
-	h[1] = int32(h1)
-	h[2] = int32(h2)
-	h[3] = int32(h3)
-	h[4] = int32(h4)
-	h[5] = int32(h5)
-	h[6] = int32(h6)
-	h[7] = int32(h7)
-	h[8] = int32(h8)
-	h[9] = int32(h9)
-}
-
-// feInvert sets out = z^-1.
-func feInvert(out, z *fieldElement) {
-	var t0, t1, t2, t3 fieldElement
-	var i int
-
-	feSquare(&t0, z)
-	for i = 1; i < 1; i++ {
-		feSquare(&t0, &t0)
-	}
-	feSquare(&t1, &t0)
-	for i = 1; i < 2; i++ {
-		feSquare(&t1, &t1)
-	}
-	feMul(&t1, z, &t1)
-	feMul(&t0, &t0, &t1)
-	feSquare(&t2, &t0)
-	for i = 1; i < 1; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t1, &t1, &t2)
-	feSquare(&t2, &t1)
-	for i = 1; i < 5; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t1, &t2, &t1)
-	feSquare(&t2, &t1)
-	for i = 1; i < 10; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t2, &t2, &t1)
-	feSquare(&t3, &t2)
-	for i = 1; i < 20; i++ {
-		feSquare(&t3, &t3)
-	}
-	feMul(&t2, &t3, &t2)
-	feSquare(&t2, &t2)
-	for i = 1; i < 10; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t1, &t2, &t1)
-	feSquare(&t2, &t1)
-	for i = 1; i < 50; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t2, &t2, &t1)
-	feSquare(&t3, &t2)
-	for i = 1; i < 100; i++ {
-		feSquare(&t3, &t3)
-	}
-	feMul(&t2, &t3, &t2)
-	feSquare(&t2, &t2)
-	for i = 1; i < 50; i++ {
-		feSquare(&t2, &t2)
-	}
-	feMul(&t1, &t2, &t1)
-	feSquare(&t1, &t1)
-	for i = 1; i < 5; i++ {
-		feSquare(&t1, &t1)
-	}
-	feMul(out, &t1, &t0)
-}
-
-func scalarMult(out, in, base *[32]byte) {
-	var e [32]byte
-
-	copy(e[:], in[:])
-	e[0] &= 248
-	e[31] &= 127
-	e[31] |= 64
-
-	var x1, x2, z2, x3, z3, tmp0, tmp1 fieldElement
-	feFromBytes(&x1, base)
-	feOne(&x2)
-	feCopy(&x3, &x1)
-	feOne(&z3)
-
-	swap := int32(0)
-	for pos := 254; pos >= 0; pos-- {
-		b := e[pos/8] >> uint(pos&7)
-		b &= 1
-		swap ^= int32(b)
-		feCSwap(&x2, &x3, swap)
-		feCSwap(&z2, &z3, swap)
-		swap = int32(b)
-
-		feSub(&tmp0, &x3, &z3)
-		feSub(&tmp1, &x2, &z2)
-		feAdd(&x2, &x2, &z2)
-		feAdd(&z2, &x3, &z3)
-		feMul(&z3, &tmp0, &x2)
-		feMul(&z2, &z2, &tmp1)
-		feSquare(&tmp0, &tmp1)
-		feSquare(&tmp1, &x2)
-		feAdd(&x3, &z3, &z2)
-		feSub(&z2, &z3, &z2)
-		feMul(&x2, &tmp1, &tmp0)
-		feSub(&tmp1, &tmp1, &tmp0)
-		feSquare(&z2, &z2)
-		feMul121666(&z3, &tmp1)
-		feSquare(&x3, &x3)
-		feAdd(&tmp0, &tmp0, &z3)
-		feMul(&z3, &x1, &z2)
-		feMul(&z2, &tmp1, &tmp0)
-	}
-
-	feCSwap(&x2, &x3, swap)
-	feCSwap(&z2, &z3, swap)
-
-	feInvert(&z2, &z2)
-	feMul(&x2, &x2, &z2)
-	feToBytes(out, &x2)
-}
diff --git a/vendor/golang.org/x/crypto/curve25519/doc.go b/vendor/golang.org/x/crypto/curve25519/doc.go
deleted file mode 100644
index da9b10d9c..000000000
--- a/vendor/golang.org/x/crypto/curve25519/doc.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package curve25519 provides an implementation of scalar multiplication on
-// the elliptic curve known as curve25519. See https://cr.yp.to/ecdh.html
-package curve25519 // import "golang.org/x/crypto/curve25519"
-
-// basePoint is the x coordinate of the generator of the curve.
-var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
-
-// ScalarMult sets dst to the product in*base where dst and base are the x
-// coordinates of group points and all values are in little-endian form.
-func ScalarMult(dst, in, base *[32]byte) {
-	scalarMult(dst, in, base)
-}
-
-// ScalarBaseMult sets dst to the product in*base where dst and base are the x
-// coordinates of group points, base is the standard generator and all values
-// are in little-endian form.
-func ScalarBaseMult(dst, in *[32]byte) {
-	ScalarMult(dst, in, &basePoint)
-}
diff --git a/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s b/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s
deleted file mode 100644
index 390816106..000000000
--- a/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-#include "const_amd64.h"
-
-// func freeze(inout *[5]uint64)
-TEXT ·freeze(SB),7,$0-8
-	MOVQ inout+0(FP), DI
-
-	MOVQ 0(DI),SI
-	MOVQ 8(DI),DX
-	MOVQ 16(DI),CX
-	MOVQ 24(DI),R8
-	MOVQ 32(DI),R9
-	MOVQ $REDMASK51,AX
-	MOVQ AX,R10
-	SUBQ $18,R10
-	MOVQ $3,R11
-REDUCELOOP:
-	MOVQ SI,R12
-	SHRQ $51,R12
-	ANDQ AX,SI
-	ADDQ R12,DX
-	MOVQ DX,R12
-	SHRQ $51,R12
-	ANDQ AX,DX
-	ADDQ R12,CX
-	MOVQ CX,R12
-	SHRQ $51,R12
-	ANDQ AX,CX
-	ADDQ R12,R8
-	MOVQ R8,R12
-	SHRQ $51,R12
-	ANDQ AX,R8
-	ADDQ R12,R9
-	MOVQ R9,R12
-	SHRQ $51,R12
-	ANDQ AX,R9
-	IMUL3Q $19,R12,R12
-	ADDQ R12,SI
-	SUBQ $1,R11
-	JA REDUCELOOP
-	MOVQ $1,R12
-	CMPQ R10,SI
-	CMOVQLT R11,R12
-	CMPQ AX,DX
-	CMOVQNE R11,R12
-	CMPQ AX,CX
-	CMOVQNE R11,R12
-	CMPQ AX,R8
-	CMOVQNE R11,R12
-	CMPQ AX,R9
-	CMOVQNE R11,R12
-	NEGQ R12
-	ANDQ R12,AX
-	ANDQ R12,R10
-	SUBQ R10,SI
-	SUBQ AX,DX
-	SUBQ AX,CX
-	SUBQ AX,R8
-	SUBQ AX,R9
-	MOVQ SI,0(DI)
-	MOVQ DX,8(DI)
-	MOVQ CX,16(DI)
-	MOVQ R8,24(DI)
-	MOVQ R9,32(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s b/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s
deleted file mode 100644
index 9e9040b25..000000000
--- a/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s
+++ /dev/null
@@ -1,1377 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-#include "const_amd64.h"
-
-// func ladderstep(inout *[5][5]uint64)
-TEXT ·ladderstep(SB),0,$296-8
-	MOVQ inout+0(FP),DI
-
-	MOVQ 40(DI),SI
-	MOVQ 48(DI),DX
-	MOVQ 56(DI),CX
-	MOVQ 64(DI),R8
-	MOVQ 72(DI),R9
-	MOVQ SI,AX
-	MOVQ DX,R10
-	MOVQ CX,R11
-	MOVQ R8,R12
-	MOVQ R9,R13
-	ADDQ ·_2P0(SB),AX
-	ADDQ ·_2P1234(SB),R10
-	ADDQ ·_2P1234(SB),R11
-	ADDQ ·_2P1234(SB),R12
-	ADDQ ·_2P1234(SB),R13
-	ADDQ 80(DI),SI
-	ADDQ 88(DI),DX
-	ADDQ 96(DI),CX
-	ADDQ 104(DI),R8
-	ADDQ 112(DI),R9
-	SUBQ 80(DI),AX
-	SUBQ 88(DI),R10
-	SUBQ 96(DI),R11
-	SUBQ 104(DI),R12
-	SUBQ 112(DI),R13
-	MOVQ SI,0(SP)
-	MOVQ DX,8(SP)
-	MOVQ CX,16(SP)
-	MOVQ R8,24(SP)
-	MOVQ R9,32(SP)
-	MOVQ AX,40(SP)
-	MOVQ R10,48(SP)
-	MOVQ R11,56(SP)
-	MOVQ R12,64(SP)
-	MOVQ R13,72(SP)
-	MOVQ 40(SP),AX
-	MULQ 40(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 40(SP),AX
-	SHLQ $1,AX
-	MULQ 48(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 40(SP),AX
-	SHLQ $1,AX
-	MULQ 56(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 40(SP),AX
-	SHLQ $1,AX
-	MULQ 64(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 40(SP),AX
-	SHLQ $1,AX
-	MULQ 72(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 48(SP),AX
-	MULQ 48(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 48(SP),AX
-	SHLQ $1,AX
-	MULQ 56(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 48(SP),AX
-	SHLQ $1,AX
-	MULQ 64(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 48(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 56(SP),AX
-	MULQ 56(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 56(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 64(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 56(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 64(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 64(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 64(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 72(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	ANDQ DX,SI
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ADDQ R10,CX
-	ANDQ DX,R8
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ADDQ R12,CX
-	ANDQ DX,R9
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ADDQ R14,CX
-	ANDQ DX,AX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,80(SP)
-	MOVQ R8,88(SP)
-	MOVQ R9,96(SP)
-	MOVQ AX,104(SP)
-	MOVQ R10,112(SP)
-	MOVQ 0(SP),AX
-	MULQ 0(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 0(SP),AX
-	SHLQ $1,AX
-	MULQ 8(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 0(SP),AX
-	SHLQ $1,AX
-	MULQ 16(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 0(SP),AX
-	SHLQ $1,AX
-	MULQ 24(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 0(SP),AX
-	SHLQ $1,AX
-	MULQ 32(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 8(SP),AX
-	MULQ 8(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	SHLQ $1,AX
-	MULQ 16(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 8(SP),AX
-	SHLQ $1,AX
-	MULQ 24(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 16(SP),AX
-	MULQ 16(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 16(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 24(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 16(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 24(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 24(SP),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 32(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	ANDQ DX,SI
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ADDQ R10,CX
-	ANDQ DX,R8
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ADDQ R12,CX
-	ANDQ DX,R9
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ADDQ R14,CX
-	ANDQ DX,AX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,120(SP)
-	MOVQ R8,128(SP)
-	MOVQ R9,136(SP)
-	MOVQ AX,144(SP)
-	MOVQ R10,152(SP)
-	MOVQ SI,SI
-	MOVQ R8,DX
-	MOVQ R9,CX
-	MOVQ AX,R8
-	MOVQ R10,R9
-	ADDQ ·_2P0(SB),SI
-	ADDQ ·_2P1234(SB),DX
-	ADDQ ·_2P1234(SB),CX
-	ADDQ ·_2P1234(SB),R8
-	ADDQ ·_2P1234(SB),R9
-	SUBQ 80(SP),SI
-	SUBQ 88(SP),DX
-	SUBQ 96(SP),CX
-	SUBQ 104(SP),R8
-	SUBQ 112(SP),R9
-	MOVQ SI,160(SP)
-	MOVQ DX,168(SP)
-	MOVQ CX,176(SP)
-	MOVQ R8,184(SP)
-	MOVQ R9,192(SP)
-	MOVQ 120(DI),SI
-	MOVQ 128(DI),DX
-	MOVQ 136(DI),CX
-	MOVQ 144(DI),R8
-	MOVQ 152(DI),R9
-	MOVQ SI,AX
-	MOVQ DX,R10
-	MOVQ CX,R11
-	MOVQ R8,R12
-	MOVQ R9,R13
-	ADDQ ·_2P0(SB),AX
-	ADDQ ·_2P1234(SB),R10
-	ADDQ ·_2P1234(SB),R11
-	ADDQ ·_2P1234(SB),R12
-	ADDQ ·_2P1234(SB),R13
-	ADDQ 160(DI),SI
-	ADDQ 168(DI),DX
-	ADDQ 176(DI),CX
-	ADDQ 184(DI),R8
-	ADDQ 192(DI),R9
-	SUBQ 160(DI),AX
-	SUBQ 168(DI),R10
-	SUBQ 176(DI),R11
-	SUBQ 184(DI),R12
-	SUBQ 192(DI),R13
-	MOVQ SI,200(SP)
-	MOVQ DX,208(SP)
-	MOVQ CX,216(SP)
-	MOVQ R8,224(SP)
-	MOVQ R9,232(SP)
-	MOVQ AX,240(SP)
-	MOVQ R10,248(SP)
-	MOVQ R11,256(SP)
-	MOVQ R12,264(SP)
-	MOVQ R13,272(SP)
-	MOVQ 224(SP),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,280(SP)
-	MULQ 56(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 232(SP),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,288(SP)
-	MULQ 48(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 200(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 200(SP),AX
-	MULQ 48(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 200(SP),AX
-	MULQ 56(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 200(SP),AX
-	MULQ 64(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 200(SP),AX
-	MULQ 72(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 208(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 208(SP),AX
-	MULQ 48(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 208(SP),AX
-	MULQ 56(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 208(SP),AX
-	MULQ 64(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 208(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 216(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 216(SP),AX
-	MULQ 48(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 216(SP),AX
-	MULQ 56(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 216(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 64(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 216(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 72(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 224(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 224(SP),AX
-	MULQ 48(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 280(SP),AX
-	MULQ 64(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 280(SP),AX
-	MULQ 72(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 232(SP),AX
-	MULQ 40(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 288(SP),AX
-	MULQ 56(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 288(SP),AX
-	MULQ 64(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 288(SP),AX
-	MULQ 72(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,40(SP)
-	MOVQ R8,48(SP)
-	MOVQ R9,56(SP)
-	MOVQ AX,64(SP)
-	MOVQ R10,72(SP)
-	MOVQ 264(SP),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,200(SP)
-	MULQ 16(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 272(SP),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,208(SP)
-	MULQ 8(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 240(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 240(SP),AX
-	MULQ 8(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 240(SP),AX
-	MULQ 16(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 240(SP),AX
-	MULQ 24(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 240(SP),AX
-	MULQ 32(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 248(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 248(SP),AX
-	MULQ 8(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 248(SP),AX
-	MULQ 16(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 248(SP),AX
-	MULQ 24(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 248(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 256(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 256(SP),AX
-	MULQ 8(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 256(SP),AX
-	MULQ 16(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 256(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 256(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 264(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 264(SP),AX
-	MULQ 8(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 200(SP),AX
-	MULQ 24(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 200(SP),AX
-	MULQ 32(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 272(SP),AX
-	MULQ 0(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 208(SP),AX
-	MULQ 16(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 208(SP),AX
-	MULQ 24(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 208(SP),AX
-	MULQ 32(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,DX
-	MOVQ R8,CX
-	MOVQ R9,R11
-	MOVQ AX,R12
-	MOVQ R10,R13
-	ADDQ ·_2P0(SB),DX
-	ADDQ ·_2P1234(SB),CX
-	ADDQ ·_2P1234(SB),R11
-	ADDQ ·_2P1234(SB),R12
-	ADDQ ·_2P1234(SB),R13
-	ADDQ 40(SP),SI
-	ADDQ 48(SP),R8
-	ADDQ 56(SP),R9
-	ADDQ 64(SP),AX
-	ADDQ 72(SP),R10
-	SUBQ 40(SP),DX
-	SUBQ 48(SP),CX
-	SUBQ 56(SP),R11
-	SUBQ 64(SP),R12
-	SUBQ 72(SP),R13
-	MOVQ SI,120(DI)
-	MOVQ R8,128(DI)
-	MOVQ R9,136(DI)
-	MOVQ AX,144(DI)
-	MOVQ R10,152(DI)
-	MOVQ DX,160(DI)
-	MOVQ CX,168(DI)
-	MOVQ R11,176(DI)
-	MOVQ R12,184(DI)
-	MOVQ R13,192(DI)
-	MOVQ 120(DI),AX
-	MULQ 120(DI)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 120(DI),AX
-	SHLQ $1,AX
-	MULQ 128(DI)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 120(DI),AX
-	SHLQ $1,AX
-	MULQ 136(DI)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 120(DI),AX
-	SHLQ $1,AX
-	MULQ 144(DI)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 120(DI),AX
-	SHLQ $1,AX
-	MULQ 152(DI)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 128(DI),AX
-	MULQ 128(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 128(DI),AX
-	SHLQ $1,AX
-	MULQ 136(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 128(DI),AX
-	SHLQ $1,AX
-	MULQ 144(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 128(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 152(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 136(DI),AX
-	MULQ 136(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 136(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 144(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 136(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 152(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 144(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 144(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 144(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 152(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 152(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 152(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	ANDQ DX,SI
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ADDQ R10,CX
-	ANDQ DX,R8
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ADDQ R12,CX
-	ANDQ DX,R9
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ADDQ R14,CX
-	ANDQ DX,AX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,120(DI)
-	MOVQ R8,128(DI)
-	MOVQ R9,136(DI)
-	MOVQ AX,144(DI)
-	MOVQ R10,152(DI)
-	MOVQ 160(DI),AX
-	MULQ 160(DI)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 160(DI),AX
-	SHLQ $1,AX
-	MULQ 168(DI)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 160(DI),AX
-	SHLQ $1,AX
-	MULQ 176(DI)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 160(DI),AX
-	SHLQ $1,AX
-	MULQ 184(DI)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 160(DI),AX
-	SHLQ $1,AX
-	MULQ 192(DI)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 168(DI),AX
-	MULQ 168(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 168(DI),AX
-	SHLQ $1,AX
-	MULQ 176(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 168(DI),AX
-	SHLQ $1,AX
-	MULQ 184(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 168(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 192(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 176(DI),AX
-	MULQ 176(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 176(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 184(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 176(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 192(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 184(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 184(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 184(DI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 192(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 192(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 192(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	ANDQ DX,SI
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ADDQ R10,CX
-	ANDQ DX,R8
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ADDQ R12,CX
-	ANDQ DX,R9
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ADDQ R14,CX
-	ANDQ DX,AX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,160(DI)
-	MOVQ R8,168(DI)
-	MOVQ R9,176(DI)
-	MOVQ AX,184(DI)
-	MOVQ R10,192(DI)
-	MOVQ 184(DI),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,0(SP)
-	MULQ 16(DI)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 192(DI),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,8(SP)
-	MULQ 8(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 160(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 160(DI),AX
-	MULQ 8(DI)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 160(DI),AX
-	MULQ 16(DI)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 160(DI),AX
-	MULQ 24(DI)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 160(DI),AX
-	MULQ 32(DI)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 168(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 168(DI),AX
-	MULQ 8(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 168(DI),AX
-	MULQ 16(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 168(DI),AX
-	MULQ 24(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 168(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 176(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 176(DI),AX
-	MULQ 8(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 176(DI),AX
-	MULQ 16(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 176(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(DI)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 176(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 184(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 184(DI),AX
-	MULQ 8(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 0(SP),AX
-	MULQ 24(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SP),AX
-	MULQ 32(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 192(DI),AX
-	MULQ 0(DI)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SP),AX
-	MULQ 16(DI)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 8(SP),AX
-	MULQ 24(DI)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	MULQ 32(DI)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,160(DI)
-	MOVQ R8,168(DI)
-	MOVQ R9,176(DI)
-	MOVQ AX,184(DI)
-	MOVQ R10,192(DI)
-	MOVQ 144(SP),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,0(SP)
-	MULQ 96(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 152(SP),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,8(SP)
-	MULQ 88(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 120(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 120(SP),AX
-	MULQ 88(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 120(SP),AX
-	MULQ 96(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 120(SP),AX
-	MULQ 104(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 120(SP),AX
-	MULQ 112(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 128(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 128(SP),AX
-	MULQ 88(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 128(SP),AX
-	MULQ 96(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 128(SP),AX
-	MULQ 104(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 128(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 112(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 136(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 136(SP),AX
-	MULQ 88(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 136(SP),AX
-	MULQ 96(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 136(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 104(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 136(SP),DX
-	IMUL3Q $19,DX,AX
-	MULQ 112(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 144(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 144(SP),AX
-	MULQ 88(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 0(SP),AX
-	MULQ 104(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SP),AX
-	MULQ 112(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 152(SP),AX
-	MULQ 80(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SP),AX
-	MULQ 96(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 8(SP),AX
-	MULQ 104(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	MULQ 112(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,40(DI)
-	MOVQ R8,48(DI)
-	MOVQ R9,56(DI)
-	MOVQ AX,64(DI)
-	MOVQ R10,72(DI)
-	MOVQ 160(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 168(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	ADDQ AX,CX
-	MOVQ DX,R8
-	MOVQ 176(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	ADDQ AX,R8
-	MOVQ DX,R9
-	MOVQ 184(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	ADDQ AX,R9
-	MOVQ DX,R10
-	MOVQ 192(SP),AX
-	MULQ ·_121666_213(SB)
-	SHRQ $13,AX
-	ADDQ AX,R10
-	IMUL3Q $19,DX,DX
-	ADDQ DX,SI
-	ADDQ 80(SP),SI
-	ADDQ 88(SP),CX
-	ADDQ 96(SP),R8
-	ADDQ 104(SP),R9
-	ADDQ 112(SP),R10
-	MOVQ SI,80(DI)
-	MOVQ CX,88(DI)
-	MOVQ R8,96(DI)
-	MOVQ R9,104(DI)
-	MOVQ R10,112(DI)
-	MOVQ 104(DI),SI
-	IMUL3Q $19,SI,AX
-	MOVQ AX,0(SP)
-	MULQ 176(SP)
-	MOVQ AX,SI
-	MOVQ DX,CX
-	MOVQ 112(DI),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,8(SP)
-	MULQ 168(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 80(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 80(DI),AX
-	MULQ 168(SP)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 80(DI),AX
-	MULQ 176(SP)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 80(DI),AX
-	MULQ 184(SP)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 80(DI),AX
-	MULQ 192(SP)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 88(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 88(DI),AX
-	MULQ 168(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 88(DI),AX
-	MULQ 176(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 88(DI),AX
-	MULQ 184(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 88(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 192(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 96(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 96(DI),AX
-	MULQ 168(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 96(DI),AX
-	MULQ 176(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 96(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 184(SP)
-	ADDQ AX,SI
-	ADCQ DX,CX
-	MOVQ 96(DI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 192(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 104(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 104(DI),AX
-	MULQ 168(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 0(SP),AX
-	MULQ 184(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SP),AX
-	MULQ 192(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 112(DI),AX
-	MULQ 160(SP)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SP),AX
-	MULQ 176(SP)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 8(SP),AX
-	MULQ 184(SP)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	MULQ 192(SP)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ $REDMASK51,DX
-	SHLQ $13,CX:SI
-	ANDQ DX,SI
-	SHLQ $13,R9:R8
-	ANDQ DX,R8
-	ADDQ CX,R8
-	SHLQ $13,R11:R10
-	ANDQ DX,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ DX,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ DX,R14
-	ADDQ R13,R14
-	IMUL3Q $19,R15,CX
-	ADDQ CX,SI
-	MOVQ SI,CX
-	SHRQ $51,CX
-	ADDQ R8,CX
-	MOVQ CX,R8
-	SHRQ $51,CX
-	ANDQ DX,SI
-	ADDQ R10,CX
-	MOVQ CX,R9
-	SHRQ $51,CX
-	ANDQ DX,R8
-	ADDQ R12,CX
-	MOVQ CX,AX
-	SHRQ $51,CX
-	ANDQ DX,R9
-	ADDQ R14,CX
-	MOVQ CX,R10
-	SHRQ $51,CX
-	ANDQ DX,AX
-	IMUL3Q $19,CX,CX
-	ADDQ CX,SI
-	ANDQ DX,R10
-	MOVQ SI,80(DI)
-	MOVQ R8,88(DI)
-	MOVQ R9,96(DI)
-	MOVQ AX,104(DI)
-	MOVQ R10,112(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go b/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go
deleted file mode 100644
index 5822bd533..000000000
--- a/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go
+++ /dev/null
@@ -1,240 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build amd64,!gccgo,!appengine
-
-package curve25519
-
-// These functions are implemented in the .s files. The names of the functions
-// in the rest of the file are also taken from the SUPERCOP sources to help
-// people following along.
-
-//go:noescape
-
-func cswap(inout *[5]uint64, v uint64)
-
-//go:noescape
-
-func ladderstep(inout *[5][5]uint64)
-
-//go:noescape
-
-func freeze(inout *[5]uint64)
-
-//go:noescape
-
-func mul(dest, a, b *[5]uint64)
-
-//go:noescape
-
-func square(out, in *[5]uint64)
-
-// mladder uses a Montgomery ladder to calculate (xr/zr) *= s.
-func mladder(xr, zr *[5]uint64, s *[32]byte) {
-	var work [5][5]uint64
-
-	work[0] = *xr
-	setint(&work[1], 1)
-	setint(&work[2], 0)
-	work[3] = *xr
-	setint(&work[4], 1)
-
-	j := uint(6)
-	var prevbit byte
-
-	for i := 31; i >= 0; i-- {
-		for j < 8 {
-			bit := ((*s)[i] >> j) & 1
-			swap := bit ^ prevbit
-			prevbit = bit
-			cswap(&work[1], uint64(swap))
-			ladderstep(&work)
-			j--
-		}
-		j = 7
-	}
-
-	*xr = work[1]
-	*zr = work[2]
-}
-
-func scalarMult(out, in, base *[32]byte) {
-	var e [32]byte
-	copy(e[:], (*in)[:])
-	e[0] &= 248
-	e[31] &= 127
-	e[31] |= 64
-
-	var t, z [5]uint64
-	unpack(&t, base)
-	mladder(&t, &z, &e)
-	invert(&z, &z)
-	mul(&t, &t, &z)
-	pack(out, &t)
-}
-
-func setint(r *[5]uint64, v uint64) {
-	r[0] = v
-	r[1] = 0
-	r[2] = 0
-	r[3] = 0
-	r[4] = 0
-}
-
-// unpack sets r = x where r consists of 5, 51-bit limbs in little-endian
-// order.
-func unpack(r *[5]uint64, x *[32]byte) {
-	r[0] = uint64(x[0]) |
-		uint64(x[1])<<8 |
-		uint64(x[2])<<16 |
-		uint64(x[3])<<24 |
-		uint64(x[4])<<32 |
-		uint64(x[5])<<40 |
-		uint64(x[6]&7)<<48
-
-	r[1] = uint64(x[6])>>3 |
-		uint64(x[7])<<5 |
-		uint64(x[8])<<13 |
-		uint64(x[9])<<21 |
-		uint64(x[10])<<29 |
-		uint64(x[11])<<37 |
-		uint64(x[12]&63)<<45
-
-	r[2] = uint64(x[12])>>6 |
-		uint64(x[13])<<2 |
-		uint64(x[14])<<10 |
-		uint64(x[15])<<18 |
-		uint64(x[16])<<26 |
-		uint64(x[17])<<34 |
-		uint64(x[18])<<42 |
-		uint64(x[19]&1)<<50
-
-	r[3] = uint64(x[19])>>1 |
-		uint64(x[20])<<7 |
-		uint64(x[21])<<15 |
-		uint64(x[22])<<23 |
-		uint64(x[23])<<31 |
-		uint64(x[24])<<39 |
-		uint64(x[25]&15)<<47
-
-	r[4] = uint64(x[25])>>4 |
-		uint64(x[26])<<4 |
-		uint64(x[27])<<12 |
-		uint64(x[28])<<20 |
-		uint64(x[29])<<28 |
-		uint64(x[30])<<36 |
-		uint64(x[31]&127)<<44
-}
-
-// pack sets out = x where out is the usual, little-endian form of the 5,
-// 51-bit limbs in x.
-func pack(out *[32]byte, x *[5]uint64) {
-	t := *x
-	freeze(&t)
-
-	out[0] = byte(t[0])
-	out[1] = byte(t[0] >> 8)
-	out[2] = byte(t[0] >> 16)
-	out[3] = byte(t[0] >> 24)
-	out[4] = byte(t[0] >> 32)
-	out[5] = byte(t[0] >> 40)
-	out[6] = byte(t[0] >> 48)
-
-	out[6] ^= byte(t[1]<<3) & 0xf8
-	out[7] = byte(t[1] >> 5)
-	out[8] = byte(t[1] >> 13)
-	out[9] = byte(t[1] >> 21)
-	out[10] = byte(t[1] >> 29)
-	out[11] = byte(t[1] >> 37)
-	out[12] = byte(t[1] >> 45)
-
-	out[12] ^= byte(t[2]<<6) & 0xc0
-	out[13] = byte(t[2] >> 2)
-	out[14] = byte(t[2] >> 10)
-	out[15] = byte(t[2] >> 18)
-	out[16] = byte(t[2] >> 26)
-	out[17] = byte(t[2] >> 34)
-	out[18] = byte(t[2] >> 42)
-	out[19] = byte(t[2] >> 50)
-
-	out[19] ^= byte(t[3]<<1) & 0xfe
-	out[20] = byte(t[3] >> 7)
-	out[21] = byte(t[3] >> 15)
-	out[22] = byte(t[3] >> 23)
-	out[23] = byte(t[3] >> 31)
-	out[24] = byte(t[3] >> 39)
-	out[25] = byte(t[3] >> 47)
-
-	out[25] ^= byte(t[4]<<4) & 0xf0
-	out[26] = byte(t[4] >> 4)
-	out[27] = byte(t[4] >> 12)
-	out[28] = byte(t[4] >> 20)
-	out[29] = byte(t[4] >> 28)
-	out[30] = byte(t[4] >> 36)
-	out[31] = byte(t[4] >> 44)
-}
-
-// invert calculates r = x^-1 mod p using Fermat's little theorem.
-func invert(r *[5]uint64, x *[5]uint64) {
-	var z2, z9, z11, z2_5_0, z2_10_0, z2_20_0, z2_50_0, z2_100_0, t [5]uint64
-
-	square(&z2, x)        /* 2 */
-	square(&t, &z2)       /* 4 */
-	square(&t, &t)        /* 8 */
-	mul(&z9, &t, x)       /* 9 */
-	mul(&z11, &z9, &z2)   /* 11 */
-	square(&t, &z11)      /* 22 */
-	mul(&z2_5_0, &t, &z9) /* 2^5 - 2^0 = 31 */
-
-	square(&t, &z2_5_0)      /* 2^6 - 2^1 */
-	for i := 1; i < 5; i++ { /* 2^20 - 2^10 */
-		square(&t, &t)
-	}
-	mul(&z2_10_0, &t, &z2_5_0) /* 2^10 - 2^0 */
-
-	square(&t, &z2_10_0)      /* 2^11 - 2^1 */
-	for i := 1; i < 10; i++ { /* 2^20 - 2^10 */
-		square(&t, &t)
-	}
-	mul(&z2_20_0, &t, &z2_10_0) /* 2^20 - 2^0 */
-
-	square(&t, &z2_20_0)      /* 2^21 - 2^1 */
-	for i := 1; i < 20; i++ { /* 2^40 - 2^20 */
-		square(&t, &t)
-	}
-	mul(&t, &t, &z2_20_0) /* 2^40 - 2^0 */
-
-	square(&t, &t)            /* 2^41 - 2^1 */
-	for i := 1; i < 10; i++ { /* 2^50 - 2^10 */
-		square(&t, &t)
-	}
-	mul(&z2_50_0, &t, &z2_10_0) /* 2^50 - 2^0 */
-
-	square(&t, &z2_50_0)      /* 2^51 - 2^1 */
-	for i := 1; i < 50; i++ { /* 2^100 - 2^50 */
-		square(&t, &t)
-	}
-	mul(&z2_100_0, &t, &z2_50_0) /* 2^100 - 2^0 */
-
-	square(&t, &z2_100_0)      /* 2^101 - 2^1 */
-	for i := 1; i < 100; i++ { /* 2^200 - 2^100 */
-		square(&t, &t)
-	}
-	mul(&t, &t, &z2_100_0) /* 2^200 - 2^0 */
-
-	square(&t, &t)            /* 2^201 - 2^1 */
-	for i := 1; i < 50; i++ { /* 2^250 - 2^50 */
-		square(&t, &t)
-	}
-	mul(&t, &t, &z2_50_0) /* 2^250 - 2^0 */
-
-	square(&t, &t) /* 2^251 - 2^1 */
-	square(&t, &t) /* 2^252 - 2^2 */
-	square(&t, &t) /* 2^253 - 2^3 */
-
-	square(&t, &t) /* 2^254 - 2^4 */
-
-	square(&t, &t)   /* 2^255 - 2^5 */
-	mul(r, &t, &z11) /* 2^255 - 21 */
-}
diff --git a/vendor/golang.org/x/crypto/curve25519/mul_amd64.s b/vendor/golang.org/x/crypto/curve25519/mul_amd64.s
deleted file mode 100644
index 5ce80a2e5..000000000
--- a/vendor/golang.org/x/crypto/curve25519/mul_amd64.s
+++ /dev/null
@@ -1,169 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-#include "const_amd64.h"
-
-// func mul(dest, a, b *[5]uint64)
-TEXT ·mul(SB),0,$16-24
-	MOVQ dest+0(FP), DI
-	MOVQ a+8(FP), SI
-	MOVQ b+16(FP), DX
-
-	MOVQ DX,CX
-	MOVQ 24(SI),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,0(SP)
-	MULQ 16(CX)
-	MOVQ AX,R8
-	MOVQ DX,R9
-	MOVQ 32(SI),DX
-	IMUL3Q $19,DX,AX
-	MOVQ AX,8(SP)
-	MULQ 8(CX)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 0(SI),AX
-	MULQ 8(CX)
-	MOVQ AX,R10
-	MOVQ DX,R11
-	MOVQ 0(SI),AX
-	MULQ 16(CX)
-	MOVQ AX,R12
-	MOVQ DX,R13
-	MOVQ 0(SI),AX
-	MULQ 24(CX)
-	MOVQ AX,R14
-	MOVQ DX,R15
-	MOVQ 0(SI),AX
-	MULQ 32(CX)
-	MOVQ AX,BX
-	MOVQ DX,BP
-	MOVQ 8(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SI),AX
-	MULQ 8(CX)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 8(SI),AX
-	MULQ 16(CX)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 8(SI),AX
-	MULQ 24(CX)
-	ADDQ AX,BX
-	ADCQ DX,BP
-	MOVQ 8(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(CX)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 16(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 16(SI),AX
-	MULQ 8(CX)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 16(SI),AX
-	MULQ 16(CX)
-	ADDQ AX,BX
-	ADCQ DX,BP
-	MOVQ 16(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(CX)
-	ADDQ AX,R8
-	ADCQ DX,R9
-	MOVQ 16(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(CX)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 24(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ 24(SI),AX
-	MULQ 8(CX)
-	ADDQ AX,BX
-	ADCQ DX,BP
-	MOVQ 0(SP),AX
-	MULQ 24(CX)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 0(SP),AX
-	MULQ 32(CX)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 32(SI),AX
-	MULQ 0(CX)
-	ADDQ AX,BX
-	ADCQ DX,BP
-	MOVQ 8(SP),AX
-	MULQ 16(CX)
-	ADDQ AX,R10
-	ADCQ DX,R11
-	MOVQ 8(SP),AX
-	MULQ 24(CX)
-	ADDQ AX,R12
-	ADCQ DX,R13
-	MOVQ 8(SP),AX
-	MULQ 32(CX)
-	ADDQ AX,R14
-	ADCQ DX,R15
-	MOVQ $REDMASK51,SI
-	SHLQ $13,R9:R8
-	ANDQ SI,R8
-	SHLQ $13,R11:R10
-	ANDQ SI,R10
-	ADDQ R9,R10
-	SHLQ $13,R13:R12
-	ANDQ SI,R12
-	ADDQ R11,R12
-	SHLQ $13,R15:R14
-	ANDQ SI,R14
-	ADDQ R13,R14
-	SHLQ $13,BP:BX
-	ANDQ SI,BX
-	ADDQ R15,BX
-	IMUL3Q $19,BP,DX
-	ADDQ DX,R8
-	MOVQ R8,DX
-	SHRQ $51,DX
-	ADDQ R10,DX
-	MOVQ DX,CX
-	SHRQ $51,DX
-	ANDQ SI,R8
-	ADDQ R12,DX
-	MOVQ DX,R9
-	SHRQ $51,DX
-	ANDQ SI,CX
-	ADDQ R14,DX
-	MOVQ DX,AX
-	SHRQ $51,DX
-	ANDQ SI,R9
-	ADDQ BX,DX
-	MOVQ DX,R10
-	SHRQ $51,DX
-	ANDQ SI,AX
-	IMUL3Q $19,DX,DX
-	ADDQ DX,R8
-	ANDQ SI,R10
-	MOVQ R8,0(DI)
-	MOVQ CX,8(DI)
-	MOVQ R9,16(DI)
-	MOVQ AX,24(DI)
-	MOVQ R10,32(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/curve25519/square_amd64.s b/vendor/golang.org/x/crypto/curve25519/square_amd64.s
deleted file mode 100644
index 12f73734f..000000000
--- a/vendor/golang.org/x/crypto/curve25519/square_amd64.s
+++ /dev/null
@@ -1,132 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code was translated into a form compatible with 6a from the public
-// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html
-
-// +build amd64,!gccgo,!appengine
-
-#include "const_amd64.h"
-
-// func square(out, in *[5]uint64)
-TEXT ·square(SB),7,$0-16
-	MOVQ out+0(FP), DI
-	MOVQ in+8(FP), SI
-
-	MOVQ 0(SI),AX
-	MULQ 0(SI)
-	MOVQ AX,CX
-	MOVQ DX,R8
-	MOVQ 0(SI),AX
-	SHLQ $1,AX
-	MULQ 8(SI)
-	MOVQ AX,R9
-	MOVQ DX,R10
-	MOVQ 0(SI),AX
-	SHLQ $1,AX
-	MULQ 16(SI)
-	MOVQ AX,R11
-	MOVQ DX,R12
-	MOVQ 0(SI),AX
-	SHLQ $1,AX
-	MULQ 24(SI)
-	MOVQ AX,R13
-	MOVQ DX,R14
-	MOVQ 0(SI),AX
-	SHLQ $1,AX
-	MULQ 32(SI)
-	MOVQ AX,R15
-	MOVQ DX,BX
-	MOVQ 8(SI),AX
-	MULQ 8(SI)
-	ADDQ AX,R11
-	ADCQ DX,R12
-	MOVQ 8(SI),AX
-	SHLQ $1,AX
-	MULQ 16(SI)
-	ADDQ AX,R13
-	ADCQ DX,R14
-	MOVQ 8(SI),AX
-	SHLQ $1,AX
-	MULQ 24(SI)
-	ADDQ AX,R15
-	ADCQ DX,BX
-	MOVQ 8(SI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SI)
-	ADDQ AX,CX
-	ADCQ DX,R8
-	MOVQ 16(SI),AX
-	MULQ 16(SI)
-	ADDQ AX,R15
-	ADCQ DX,BX
-	MOVQ 16(SI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 24(SI)
-	ADDQ AX,CX
-	ADCQ DX,R8
-	MOVQ 16(SI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SI)
-	ADDQ AX,R9
-	ADCQ DX,R10
-	MOVQ 24(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 24(SI)
-	ADDQ AX,R9
-	ADCQ DX,R10
-	MOVQ 24(SI),DX
-	IMUL3Q $38,DX,AX
-	MULQ 32(SI)
-	ADDQ AX,R11
-	ADCQ DX,R12
-	MOVQ 32(SI),DX
-	IMUL3Q $19,DX,AX
-	MULQ 32(SI)
-	ADDQ AX,R13
-	ADCQ DX,R14
-	MOVQ $REDMASK51,SI
-	SHLQ $13,R8:CX
-	ANDQ SI,CX
-	SHLQ $13,R10:R9
-	ANDQ SI,R9
-	ADDQ R8,R9
-	SHLQ $13,R12:R11
-	ANDQ SI,R11
-	ADDQ R10,R11
-	SHLQ $13,R14:R13
-	ANDQ SI,R13
-	ADDQ R12,R13
-	SHLQ $13,BX:R15
-	ANDQ SI,R15
-	ADDQ R14,R15
-	IMUL3Q $19,BX,DX
-	ADDQ DX,CX
-	MOVQ CX,DX
-	SHRQ $51,DX
-	ADDQ R9,DX
-	ANDQ SI,CX
-	MOVQ DX,R8
-	SHRQ $51,DX
-	ADDQ R11,DX
-	ANDQ SI,R8
-	MOVQ DX,R9
-	SHRQ $51,DX
-	ADDQ R13,DX
-	ANDQ SI,R9
-	MOVQ DX,AX
-	SHRQ $51,DX
-	ADDQ R15,DX
-	ANDQ SI,AX
-	MOVQ DX,R10
-	SHRQ $51,DX
-	IMUL3Q $19,DX,DX
-	ADDQ DX,CX
-	ANDQ SI,R10
-	MOVQ CX,0(DI)
-	MOVQ R8,8(DI)
-	MOVQ R9,16(DI)
-	MOVQ AX,24(DI)
-	MOVQ R10,32(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/openpgp/keys.go b/vendor/golang.org/x/crypto/openpgp/keys.go
index 3e2518600..faa2fb369 100644
--- a/vendor/golang.org/x/crypto/openpgp/keys.go
+++ b/vendor/golang.org/x/crypto/openpgp/keys.go
@@ -504,7 +504,7 @@ const defaultRSAKeyBits = 2048
 // which may be empty but must not contain any of "()<>\x00".
 // If config is nil, sensible defaults will be used.
 func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) {
-	currentTime := config.Now()
+	creationTime := config.Now()
 
 	bits := defaultRSAKeyBits
 	if config != nil && config.RSABits != 0 {
@@ -525,8 +525,8 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
 	}
 
 	e := &Entity{
-		PrimaryKey: packet.NewRSAPublicKey(currentTime, &signingPriv.PublicKey),
-		PrivateKey: packet.NewRSAPrivateKey(currentTime, signingPriv),
+		PrimaryKey: packet.NewRSAPublicKey(creationTime, &signingPriv.PublicKey),
+		PrivateKey: packet.NewRSAPrivateKey(creationTime, signingPriv),
 		Identities: make(map[string]*Identity),
 	}
 	isPrimaryId := true
@@ -534,7 +534,7 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
 		Name:   uid.Id,
 		UserId: uid,
 		SelfSignature: &packet.Signature{
-			CreationTime: currentTime,
+			CreationTime: creationTime,
 			SigType:      packet.SigTypePositiveCert,
 			PubKeyAlgo:   packet.PubKeyAlgoRSA,
 			Hash:         config.Hash(),
@@ -563,10 +563,10 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err
 
 	e.Subkeys = make([]Subkey, 1)
 	e.Subkeys[0] = Subkey{
-		PublicKey:  packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey),
-		PrivateKey: packet.NewRSAPrivateKey(currentTime, encryptingPriv),
+		PublicKey:  packet.NewRSAPublicKey(creationTime, &encryptingPriv.PublicKey),
+		PrivateKey: packet.NewRSAPrivateKey(creationTime, encryptingPriv),
 		Sig: &packet.Signature{
-			CreationTime:              currentTime,
+			CreationTime:              creationTime,
 			SigType:                   packet.SigTypeSubkeyBinding,
 			PubKeyAlgo:                packet.PubKeyAlgoRSA,
 			Hash:                      config.Hash(),
diff --git a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
index bd31cceac..6f8ec0938 100644
--- a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
+++ b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go
@@ -36,49 +36,49 @@ type PrivateKey struct {
 	iv            []byte
 }
 
-func NewRSAPrivateKey(currentTime time.Time, priv *rsa.PrivateKey) *PrivateKey {
+func NewRSAPrivateKey(creationTime time.Time, priv *rsa.PrivateKey) *PrivateKey {
 	pk := new(PrivateKey)
-	pk.PublicKey = *NewRSAPublicKey(currentTime, &priv.PublicKey)
+	pk.PublicKey = *NewRSAPublicKey(creationTime, &priv.PublicKey)
 	pk.PrivateKey = priv
 	return pk
 }
 
-func NewDSAPrivateKey(currentTime time.Time, priv *dsa.PrivateKey) *PrivateKey {
+func NewDSAPrivateKey(creationTime time.Time, priv *dsa.PrivateKey) *PrivateKey {
 	pk := new(PrivateKey)
-	pk.PublicKey = *NewDSAPublicKey(currentTime, &priv.PublicKey)
+	pk.PublicKey = *NewDSAPublicKey(creationTime, &priv.PublicKey)
 	pk.PrivateKey = priv
 	return pk
 }
 
-func NewElGamalPrivateKey(currentTime time.Time, priv *elgamal.PrivateKey) *PrivateKey {
+func NewElGamalPrivateKey(creationTime time.Time, priv *elgamal.PrivateKey) *PrivateKey {
 	pk := new(PrivateKey)
-	pk.PublicKey = *NewElGamalPublicKey(currentTime, &priv.PublicKey)
+	pk.PublicKey = *NewElGamalPublicKey(creationTime, &priv.PublicKey)
 	pk.PrivateKey = priv
 	return pk
 }
 
-func NewECDSAPrivateKey(currentTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey {
+func NewECDSAPrivateKey(creationTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey {
 	pk := new(PrivateKey)
-	pk.PublicKey = *NewECDSAPublicKey(currentTime, &priv.PublicKey)
+	pk.PublicKey = *NewECDSAPublicKey(creationTime, &priv.PublicKey)
 	pk.PrivateKey = priv
 	return pk
 }
 
 // NewSignerPrivateKey creates a PrivateKey from a crypto.Signer that
 // implements RSA or ECDSA.
-func NewSignerPrivateKey(currentTime time.Time, signer crypto.Signer) *PrivateKey {
+func NewSignerPrivateKey(creationTime time.Time, signer crypto.Signer) *PrivateKey {
 	pk := new(PrivateKey)
 	// In general, the public Keys should be used as pointers. We still
 	// type-switch on the values, for backwards-compatibility.
 	switch pubkey := signer.Public().(type) {
 	case *rsa.PublicKey:
-		pk.PublicKey = *NewRSAPublicKey(currentTime, pubkey)
+		pk.PublicKey = *NewRSAPublicKey(creationTime, pubkey)
 	case rsa.PublicKey:
-		pk.PublicKey = *NewRSAPublicKey(currentTime, &pubkey)
+		pk.PublicKey = *NewRSAPublicKey(creationTime, &pubkey)
 	case *ecdsa.PublicKey:
-		pk.PublicKey = *NewECDSAPublicKey(currentTime, pubkey)
+		pk.PublicKey = *NewECDSAPublicKey(creationTime, pubkey)
 	case ecdsa.PublicKey:
-		pk.PublicKey = *NewECDSAPublicKey(currentTime, &pubkey)
+		pk.PublicKey = *NewECDSAPublicKey(creationTime, &pubkey)
 	default:
 		panic("openpgp: unknown crypto.Signer type in NewSignerPrivateKey")
 	}
diff --git a/vendor/golang.org/x/crypto/otr/libotr_test_helper.c b/vendor/golang.org/x/crypto/otr/libotr_test_helper.c
deleted file mode 100644
index b3ca072d4..000000000
--- a/vendor/golang.org/x/crypto/otr/libotr_test_helper.c
+++ /dev/null
@@ -1,197 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This code can be compiled and used to test the otr package against libotr.
-// See otr_test.go.
-
-// +build ignore
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include <proto.h>
-#include <message.h>
-#include <privkey.h>
-
-static int g_session_established = 0;
-
-OtrlPolicy policy(void *opdata, ConnContext *context) {
-  return OTRL_POLICY_ALWAYS;
-}
-
-int is_logged_in(void *opdata, const char *accountname, const char *protocol,
-                 const char *recipient) {
-  return 1;
-}
-
-void inject_message(void *opdata, const char *accountname, const char *protocol,
-                    const char *recipient, const char *message) {
-  printf("%s\n", message);
-  fflush(stdout);
-  fprintf(stderr, "libotr helper sent: %s\n", message);
-}
-
-void update_context_list(void *opdata) {}
-
-void new_fingerprint(void *opdata, OtrlUserState us, const char *accountname,
-                     const char *protocol, const char *username,
-                     unsigned char fingerprint[20]) {
-  fprintf(stderr, "NEW FINGERPRINT\n");
-  g_session_established = 1;
-}
-
-void write_fingerprints(void *opdata) {}
-
-void gone_secure(void *opdata, ConnContext *context) {}
-
-void gone_insecure(void *opdata, ConnContext *context) {}
-
-void still_secure(void *opdata, ConnContext *context, int is_reply) {}
-
-int max_message_size(void *opdata, ConnContext *context) { return 99999; }
-
-const char *account_name(void *opdata, const char *account,
-                         const char *protocol) {
-  return "ACCOUNT";
-}
-
-void account_name_free(void *opdata, const char *account_name) {}
-
-const char *error_message(void *opdata, ConnContext *context,
-                          OtrlErrorCode err_code) {
-  return "ERR";
-}
-
-void error_message_free(void *opdata, const char *msg) {}
-
-void resent_msg_prefix_free(void *opdata, const char *prefix) {}
-
-void handle_smp_event(void *opdata, OtrlSMPEvent smp_event,
-                      ConnContext *context, unsigned short progress_event,
-                      char *question) {}
-
-void handle_msg_event(void *opdata, OtrlMessageEvent msg_event,
-                      ConnContext *context, const char *message,
-                      gcry_error_t err) {
-  fprintf(stderr, "msg event: %d %s\n", msg_event, message);
-}
-
-OtrlMessageAppOps uiops = {
-    policy,
-    NULL,
-    is_logged_in,
-    inject_message,
-    update_context_list,
-    new_fingerprint,
-    write_fingerprints,
-    gone_secure,
-    gone_insecure,
-    still_secure,
-    max_message_size,
-    account_name,
-    account_name_free,
-    NULL, /* received_symkey */
-    error_message,
-    error_message_free,
-    NULL, /* resent_msg_prefix */
-    resent_msg_prefix_free,
-    handle_smp_event,
-    handle_msg_event,
-    NULL /* create_instag */,
-    NULL /* convert_msg */,
-    NULL /* convert_free */,
-    NULL /* timer_control */,
-};
-
-static const char kPrivateKeyData[] =
-    "(privkeys (account (name \"account\") (protocol proto) (private-key (dsa "
-    "(p "
-    "#00FC07ABCF0DC916AFF6E9AE47BEF60C7AB9B4D6B2469E436630E36F8A489BE812486A09F"
-    "30B71224508654940A835301ACC525A4FF133FC152CC53DCC59D65C30A54F1993FE13FE63E"
-    "5823D4C746DB21B90F9B9C00B49EC7404AB1D929BA7FBA12F2E45C6E0A651689750E8528AB"
-    "8C031D3561FECEE72EBB4A090D450A9B7A857#) (q "
-    "#00997BD266EF7B1F60A5C23F3A741F2AEFD07A2081#) (g "
-    "#535E360E8A95EBA46A4F7DE50AD6E9B2A6DB785A66B64EB9F20338D2A3E8FB0E94725848F"
-    "1AA6CC567CB83A1CC517EC806F2E92EAE71457E80B2210A189B91250779434B41FC8A8873F"
-    "6DB94BEA7D177F5D59E7E114EE10A49CFD9CEF88AE43387023B672927BA74B04EB6BBB5E57"
-    "597766A2F9CE3857D7ACE3E1E3BC1FC6F26#) (y "
-    "#0AC8670AD767D7A8D9D14CC1AC6744CD7D76F993B77FFD9E39DF01E5A6536EF65E775FCEF"
-    "2A983E2A19BD6415500F6979715D9FD1257E1FE2B6F5E1E74B333079E7C880D39868462A93"
-    "454B41877BE62E5EF0A041C2EE9C9E76BD1E12AE25D9628DECB097025DD625EF49C3258A1A"
-    "3C0FF501E3DC673B76D7BABF349009B6ECF#) (x "
-    "#14D0345A3562C480A039E3C72764F72D79043216#)))))\n";
-
-int main() {
-  OTRL_INIT;
-
-  // We have to write the private key information to a file because the libotr
-  // API demands a filename to read from.
-  const char *tmpdir = "/tmp";
-  if (getenv("TMP")) {
-    tmpdir = getenv("TMP");
-  }
-
-  char private_key_file[256];
-  snprintf(private_key_file, sizeof(private_key_file),
-           "%s/libotr_test_helper_privatekeys-XXXXXX", tmpdir);
-  int fd = mkstemp(private_key_file);
-  if (fd == -1) {
-    perror("creating temp file");
-  }
-  write(fd, kPrivateKeyData, sizeof(kPrivateKeyData) - 1);
-  close(fd);
-
-  OtrlUserState userstate = otrl_userstate_create();
-  otrl_privkey_read(userstate, private_key_file);
-  unlink(private_key_file);
-
-  fprintf(stderr, "libotr helper started\n");
-
-  char buf[4096];
-
-  for (;;) {
-    char *message = fgets(buf, sizeof(buf), stdin);
-    if (strlen(message) == 0) {
-      break;
-    }
-    message[strlen(message) - 1] = 0;
-    fprintf(stderr, "libotr helper got: %s\n", message);
-
-    char *newmessage = NULL;
-    OtrlTLV *tlvs;
-    int ignore_message = otrl_message_receiving(
-        userstate, &uiops, NULL, "account", "proto", "peer", message,
-        &newmessage, &tlvs, NULL, NULL, NULL);
-    if (tlvs) {
-      otrl_tlv_free(tlvs);
-    }
-
-    if (newmessage != NULL) {
-      fprintf(stderr, "libotr got: %s\n", newmessage);
-      otrl_message_free(newmessage);
-
-      gcry_error_t err;
-      char *newmessage = NULL;
-
-      err = otrl_message_sending(userstate, &uiops, NULL, "account", "proto",
-                                 "peer", 0, "test message", NULL, &newmessage,
-                                 OTRL_FRAGMENT_SEND_SKIP, NULL, NULL, NULL);
-      if (newmessage == NULL) {
-        fprintf(stderr, "libotr didn't encrypt message\n");
-        return 1;
-      }
-      write(1, newmessage, strlen(newmessage));
-      write(1, "\n", 1);
-      fprintf(stderr, "libotr sent: %s\n", newmessage);
-      otrl_message_free(newmessage);
-
-      g_session_established = 0;
-      write(1, "?OTRv2?\n", 8);
-      fprintf(stderr, "libotr sent: ?OTRv2\n");
-    }
-  }
-
-  return 0;
-}
diff --git a/vendor/golang.org/x/crypto/otr/otr.go b/vendor/golang.org/x/crypto/otr/otr.go
deleted file mode 100644
index 173b753db..000000000
--- a/vendor/golang.org/x/crypto/otr/otr.go
+++ /dev/null
@@ -1,1415 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package otr implements the Off The Record protocol as specified in
-// http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html
-package otr // import "golang.org/x/crypto/otr"
-
-import (
-	"bytes"
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/dsa"
-	"crypto/hmac"
-	"crypto/rand"
-	"crypto/sha1"
-	"crypto/sha256"
-	"crypto/subtle"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"hash"
-	"io"
-	"math/big"
-	"strconv"
-)
-
-// SecurityChange describes a change in the security state of a Conversation.
-type SecurityChange int
-
-const (
-	NoChange SecurityChange = iota
-	// NewKeys indicates that a key exchange has completed. This occurs
-	// when a conversation first becomes encrypted, and when the keys are
-	// renegotiated within an encrypted conversation.
-	NewKeys
-	// SMPSecretNeeded indicates that the peer has started an
-	// authentication and that we need to supply a secret. Call SMPQuestion
-	// to get the optional, human readable challenge and then Authenticate
-	// to supply the matching secret.
-	SMPSecretNeeded
-	// SMPComplete indicates that an authentication completed. The identity
-	// of the peer has now been confirmed.
-	SMPComplete
-	// SMPFailed indicates that an authentication failed.
-	SMPFailed
-	// ConversationEnded indicates that the peer ended the secure
-	// conversation.
-	ConversationEnded
-)
-
-// QueryMessage can be sent to a peer to start an OTR conversation.
-var QueryMessage = "?OTRv2?"
-
-// ErrorPrefix can be used to make an OTR error by appending an error message
-// to it.
-var ErrorPrefix = "?OTR Error:"
-
-var (
-	fragmentPartSeparator = []byte(",")
-	fragmentPrefix        = []byte("?OTR,")
-	msgPrefix             = []byte("?OTR:")
-	queryMarker           = []byte("?OTR")
-)
-
-// isQuery attempts to parse an OTR query from msg and returns the greatest
-// common version, or 0 if msg is not an OTR query.
-func isQuery(msg []byte) (greatestCommonVersion int) {
-	pos := bytes.Index(msg, queryMarker)
-	if pos == -1 {
-		return 0
-	}
-	for i, c := range msg[pos+len(queryMarker):] {
-		if i == 0 {
-			if c == '?' {
-				// Indicates support for version 1, but we don't
-				// implement that.
-				continue
-			}
-
-			if c != 'v' {
-				// Invalid message
-				return 0
-			}
-
-			continue
-		}
-
-		if c == '?' {
-			// End of message
-			return
-		}
-
-		if c == ' ' || c == '\t' {
-			// Probably an invalid message
-			return 0
-		}
-
-		if c == '2' {
-			greatestCommonVersion = 2
-		}
-	}
-
-	return 0
-}
-
-const (
-	statePlaintext = iota
-	stateEncrypted
-	stateFinished
-)
-
-const (
-	authStateNone = iota
-	authStateAwaitingDHKey
-	authStateAwaitingRevealSig
-	authStateAwaitingSig
-)
-
-const (
-	msgTypeDHCommit  = 2
-	msgTypeData      = 3
-	msgTypeDHKey     = 10
-	msgTypeRevealSig = 17
-	msgTypeSig       = 18
-)
-
-const (
-	// If the requested fragment size is less than this, it will be ignored.
-	minFragmentSize = 18
-	// Messages are padded to a multiple of this number of bytes.
-	paddingGranularity = 256
-	// The number of bytes in a Diffie-Hellman private value (320-bits).
-	dhPrivateBytes = 40
-	// The number of bytes needed to represent an element of the DSA
-	// subgroup (160-bits).
-	dsaSubgroupBytes = 20
-	// The number of bytes of the MAC that are sent on the wire (160-bits).
-	macPrefixBytes = 20
-)
-
-// These are the global, common group parameters for OTR.
-var (
-	p       *big.Int // group prime
-	g       *big.Int // group generator
-	q       *big.Int // group order
-	pMinus2 *big.Int
-)
-
-func init() {
-	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
-	q, _ = new(big.Int).SetString("7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68948127044533E63A0105DF531D89CD9128A5043CC71A026EF7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9EE1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AFC1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF", 16)
-	g = new(big.Int).SetInt64(2)
-	pMinus2 = new(big.Int).Sub(p, g)
-}
-
-// Conversation represents a relation with a peer. The zero value is a valid
-// Conversation, although PrivateKey must be set.
-//
-// When communicating with a peer, all inbound messages should be passed to
-// Conversation.Receive and all outbound messages to Conversation.Send. The
-// Conversation will take care of maintaining the encryption state and
-// negotiating encryption as needed.
-type Conversation struct {
-	// PrivateKey contains the private key to use to sign key exchanges.
-	PrivateKey *PrivateKey
-
-	// Rand can be set to override the entropy source. Otherwise,
-	// crypto/rand will be used.
-	Rand io.Reader
-	// If FragmentSize is set, all messages produced by Receive and Send
-	// will be fragmented into messages of, at most, this number of bytes.
-	FragmentSize int
-
-	// Once Receive has returned NewKeys once, the following fields are
-	// valid.
-	SSID           [8]byte
-	TheirPublicKey PublicKey
-
-	state, authState int
-
-	r       [16]byte
-	x, y    *big.Int
-	gx, gy  *big.Int
-	gxBytes []byte
-	digest  [sha256.Size]byte
-
-	revealKeys, sigKeys akeKeys
-
-	myKeyId         uint32
-	myCurrentDHPub  *big.Int
-	myCurrentDHPriv *big.Int
-	myLastDHPub     *big.Int
-	myLastDHPriv    *big.Int
-
-	theirKeyId        uint32
-	theirCurrentDHPub *big.Int
-	theirLastDHPub    *big.Int
-
-	keySlots [4]keySlot
-
-	myCounter    [8]byte
-	theirLastCtr [8]byte
-	oldMACs      []byte
-
-	k, n int // fragment state
-	frag []byte
-
-	smp smpState
-}
-
-// A keySlot contains key material for a specific (their keyid, my keyid) pair.
-type keySlot struct {
-	// used is true if this slot is valid. If false, it's free for reuse.
-	used                   bool
-	theirKeyId             uint32
-	myKeyId                uint32
-	sendAESKey, recvAESKey []byte
-	sendMACKey, recvMACKey []byte
-	theirLastCtr           [8]byte
-}
-
-// akeKeys are generated during key exchange. There's one set for the reveal
-// signature message and another for the signature message. In the protocol
-// spec the latter are indicated with a prime mark.
-type akeKeys struct {
-	c      [16]byte
-	m1, m2 [32]byte
-}
-
-func (c *Conversation) rand() io.Reader {
-	if c.Rand != nil {
-		return c.Rand
-	}
-	return rand.Reader
-}
-
-func (c *Conversation) randMPI(buf []byte) *big.Int {
-	_, err := io.ReadFull(c.rand(), buf)
-	if err != nil {
-		panic("otr: short read from random source")
-	}
-
-	return new(big.Int).SetBytes(buf)
-}
-
-// tlv represents the type-length value from the protocol.
-type tlv struct {
-	typ, length uint16
-	data        []byte
-}
-
-const (
-	tlvTypePadding          = 0
-	tlvTypeDisconnected     = 1
-	tlvTypeSMP1             = 2
-	tlvTypeSMP2             = 3
-	tlvTypeSMP3             = 4
-	tlvTypeSMP4             = 5
-	tlvTypeSMPAbort         = 6
-	tlvTypeSMP1WithQuestion = 7
-)
-
-// Receive handles a message from a peer. It returns a human readable message,
-// an indicator of whether that message was encrypted, a hint about the
-// encryption state and zero or more messages to send back to the peer.
-// These messages do not need to be passed to Send before transmission.
-func (c *Conversation) Receive(in []byte) (out []byte, encrypted bool, change SecurityChange, toSend [][]byte, err error) {
-	if bytes.HasPrefix(in, fragmentPrefix) {
-		in, err = c.processFragment(in)
-		if in == nil || err != nil {
-			return
-		}
-	}
-
-	if bytes.HasPrefix(in, msgPrefix) && in[len(in)-1] == '.' {
-		in = in[len(msgPrefix) : len(in)-1]
-	} else if version := isQuery(in); version > 0 {
-		c.authState = authStateAwaitingDHKey
-		c.reset()
-		toSend = c.encode(c.generateDHCommit())
-		return
-	} else {
-		// plaintext message
-		out = in
-		return
-	}
-
-	msg := make([]byte, base64.StdEncoding.DecodedLen(len(in)))
-	msgLen, err := base64.StdEncoding.Decode(msg, in)
-	if err != nil {
-		err = errors.New("otr: invalid base64 encoding in message")
-		return
-	}
-	msg = msg[:msgLen]
-
-	// The first two bytes are the protocol version (2)
-	if len(msg) < 3 || msg[0] != 0 || msg[1] != 2 {
-		err = errors.New("otr: invalid OTR message")
-		return
-	}
-
-	msgType := int(msg[2])
-	msg = msg[3:]
-
-	switch msgType {
-	case msgTypeDHCommit:
-		switch c.authState {
-		case authStateNone:
-			c.authState = authStateAwaitingRevealSig
-			if err = c.processDHCommit(msg); err != nil {
-				return
-			}
-			c.reset()
-			toSend = c.encode(c.generateDHKey())
-			return
-		case authStateAwaitingDHKey:
-			// This is a 'SYN-crossing'. The greater digest wins.
-			var cmp int
-			if cmp, err = c.compareToDHCommit(msg); err != nil {
-				return
-			}
-			if cmp > 0 {
-				// We win. Retransmit DH commit.
-				toSend = c.encode(c.serializeDHCommit())
-				return
-			} else {
-				// They win. We forget about our DH commit.
-				c.authState = authStateAwaitingRevealSig
-				if err = c.processDHCommit(msg); err != nil {
-					return
-				}
-				c.reset()
-				toSend = c.encode(c.generateDHKey())
-				return
-			}
-		case authStateAwaitingRevealSig:
-			if err = c.processDHCommit(msg); err != nil {
-				return
-			}
-			toSend = c.encode(c.serializeDHKey())
-		case authStateAwaitingSig:
-			if err = c.processDHCommit(msg); err != nil {
-				return
-			}
-			c.reset()
-			toSend = c.encode(c.generateDHKey())
-			c.authState = authStateAwaitingRevealSig
-		default:
-			panic("bad state")
-		}
-	case msgTypeDHKey:
-		switch c.authState {
-		case authStateAwaitingDHKey:
-			var isSame bool
-			if isSame, err = c.processDHKey(msg); err != nil {
-				return
-			}
-			if isSame {
-				err = errors.New("otr: unexpected duplicate DH key")
-				return
-			}
-			toSend = c.encode(c.generateRevealSig())
-			c.authState = authStateAwaitingSig
-		case authStateAwaitingSig:
-			var isSame bool
-			if isSame, err = c.processDHKey(msg); err != nil {
-				return
-			}
-			if isSame {
-				toSend = c.encode(c.serializeDHKey())
-			}
-		}
-	case msgTypeRevealSig:
-		if c.authState != authStateAwaitingRevealSig {
-			return
-		}
-		if err = c.processRevealSig(msg); err != nil {
-			return
-		}
-		toSend = c.encode(c.generateSig())
-		c.authState = authStateNone
-		c.state = stateEncrypted
-		change = NewKeys
-	case msgTypeSig:
-		if c.authState != authStateAwaitingSig {
-			return
-		}
-		if err = c.processSig(msg); err != nil {
-			return
-		}
-		c.authState = authStateNone
-		c.state = stateEncrypted
-		change = NewKeys
-	case msgTypeData:
-		if c.state != stateEncrypted {
-			err = errors.New("otr: encrypted message received without encrypted session established")
-			return
-		}
-		var tlvs []tlv
-		out, tlvs, err = c.processData(msg)
-		encrypted = true
-
-	EachTLV:
-		for _, inTLV := range tlvs {
-			switch inTLV.typ {
-			case tlvTypeDisconnected:
-				change = ConversationEnded
-				c.state = stateFinished
-				break EachTLV
-			case tlvTypeSMP1, tlvTypeSMP2, tlvTypeSMP3, tlvTypeSMP4, tlvTypeSMPAbort, tlvTypeSMP1WithQuestion:
-				var reply tlv
-				var complete bool
-				reply, complete, err = c.processSMP(inTLV)
-				if err == smpSecretMissingError {
-					err = nil
-					change = SMPSecretNeeded
-					c.smp.saved = &inTLV
-					return
-				}
-				if err == smpFailureError {
-					err = nil
-					change = SMPFailed
-				} else if complete {
-					change = SMPComplete
-				}
-				if reply.typ != 0 {
-					toSend = c.encode(c.generateData(nil, &reply))
-				}
-				break EachTLV
-			default:
-				// skip unknown TLVs
-			}
-		}
-	default:
-		err = errors.New("otr: unknown message type " + strconv.Itoa(msgType))
-	}
-
-	return
-}
-
-// Send takes a human readable message from the local user, possibly encrypts
-// it and returns zero one or more messages to send to the peer.
-func (c *Conversation) Send(msg []byte) ([][]byte, error) {
-	switch c.state {
-	case statePlaintext:
-		return [][]byte{msg}, nil
-	case stateEncrypted:
-		return c.encode(c.generateData(msg, nil)), nil
-	case stateFinished:
-		return nil, errors.New("otr: cannot send message because secure conversation has finished")
-	}
-
-	return nil, errors.New("otr: cannot send message in current state")
-}
-
-// SMPQuestion returns the human readable challenge question from the peer.
-// It's only valid after Receive has returned SMPSecretNeeded.
-func (c *Conversation) SMPQuestion() string {
-	return c.smp.question
-}
-
-// Authenticate begins an authentication with the peer. Authentication involves
-// an optional challenge message and a shared secret. The authentication
-// proceeds until either Receive returns SMPComplete, SMPSecretNeeded (which
-// indicates that a new authentication is happening and thus this one was
-// aborted) or SMPFailed.
-func (c *Conversation) Authenticate(question string, mutualSecret []byte) (toSend [][]byte, err error) {
-	if c.state != stateEncrypted {
-		err = errors.New("otr: can't authenticate a peer without a secure conversation established")
-		return
-	}
-
-	if c.smp.saved != nil {
-		c.calcSMPSecret(mutualSecret, false /* they started it */)
-
-		var out tlv
-		var complete bool
-		out, complete, err = c.processSMP(*c.smp.saved)
-		if complete {
-			panic("SMP completed on the first message")
-		}
-		c.smp.saved = nil
-		if out.typ != 0 {
-			toSend = c.encode(c.generateData(nil, &out))
-		}
-		return
-	}
-
-	c.calcSMPSecret(mutualSecret, true /* we started it */)
-	outs := c.startSMP(question)
-	for _, out := range outs {
-		toSend = append(toSend, c.encode(c.generateData(nil, &out))...)
-	}
-	return
-}
-
-// End ends a secure conversation by generating a termination message for
-// the peer and switches to unencrypted communication.
-func (c *Conversation) End() (toSend [][]byte) {
-	switch c.state {
-	case statePlaintext:
-		return nil
-	case stateEncrypted:
-		c.state = statePlaintext
-		return c.encode(c.generateData(nil, &tlv{typ: tlvTypeDisconnected}))
-	case stateFinished:
-		c.state = statePlaintext
-		return nil
-	}
-	panic("unreachable")
-}
-
-// IsEncrypted returns true if a message passed to Send would be encrypted
-// before transmission. This result remains valid until the next call to
-// Receive or End, which may change the state of the Conversation.
-func (c *Conversation) IsEncrypted() bool {
-	return c.state == stateEncrypted
-}
-
-var fragmentError = errors.New("otr: invalid OTR fragment")
-
-// processFragment processes a fragmented OTR message and possibly returns a
-// complete message. Fragmented messages look like "?OTR,k,n,msg," where k is
-// the fragment number (starting from 1), n is the number of fragments in this
-// message and msg is a substring of the base64 encoded message.
-func (c *Conversation) processFragment(in []byte) (out []byte, err error) {
-	in = in[len(fragmentPrefix):] // remove "?OTR,"
-	parts := bytes.Split(in, fragmentPartSeparator)
-	if len(parts) != 4 || len(parts[3]) != 0 {
-		return nil, fragmentError
-	}
-
-	k, err := strconv.Atoi(string(parts[0]))
-	if err != nil {
-		return nil, fragmentError
-	}
-
-	n, err := strconv.Atoi(string(parts[1]))
-	if err != nil {
-		return nil, fragmentError
-	}
-
-	if k < 1 || n < 1 || k > n {
-		return nil, fragmentError
-	}
-
-	if k == 1 {
-		c.frag = append(c.frag[:0], parts[2]...)
-		c.k, c.n = k, n
-	} else if n == c.n && k == c.k+1 {
-		c.frag = append(c.frag, parts[2]...)
-		c.k++
-	} else {
-		c.frag = c.frag[:0]
-		c.n, c.k = 0, 0
-	}
-
-	if c.n > 0 && c.k == c.n {
-		c.n, c.k = 0, 0
-		return c.frag, nil
-	}
-
-	return nil, nil
-}
-
-func (c *Conversation) generateDHCommit() []byte {
-	_, err := io.ReadFull(c.rand(), c.r[:])
-	if err != nil {
-		panic("otr: short read from random source")
-	}
-
-	var xBytes [dhPrivateBytes]byte
-	c.x = c.randMPI(xBytes[:])
-	c.gx = new(big.Int).Exp(g, c.x, p)
-	c.gy = nil
-	c.gxBytes = appendMPI(nil, c.gx)
-
-	h := sha256.New()
-	h.Write(c.gxBytes)
-	h.Sum(c.digest[:0])
-
-	aesCipher, err := aes.NewCipher(c.r[:])
-	if err != nil {
-		panic(err.Error())
-	}
-
-	var iv [aes.BlockSize]byte
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(c.gxBytes, c.gxBytes)
-
-	return c.serializeDHCommit()
-}
-
-func (c *Conversation) serializeDHCommit() []byte {
-	var ret []byte
-	ret = appendU16(ret, 2) // protocol version
-	ret = append(ret, msgTypeDHCommit)
-	ret = appendData(ret, c.gxBytes)
-	ret = appendData(ret, c.digest[:])
-	return ret
-}
-
-func (c *Conversation) processDHCommit(in []byte) error {
-	var ok1, ok2 bool
-	c.gxBytes, in, ok1 = getData(in)
-	digest, in, ok2 := getData(in)
-	if !ok1 || !ok2 || len(in) > 0 {
-		return errors.New("otr: corrupt DH commit message")
-	}
-	copy(c.digest[:], digest)
-	return nil
-}
-
-func (c *Conversation) compareToDHCommit(in []byte) (int, error) {
-	_, in, ok1 := getData(in)
-	digest, in, ok2 := getData(in)
-	if !ok1 || !ok2 || len(in) > 0 {
-		return 0, errors.New("otr: corrupt DH commit message")
-	}
-	return bytes.Compare(c.digest[:], digest), nil
-}
-
-func (c *Conversation) generateDHKey() []byte {
-	var yBytes [dhPrivateBytes]byte
-	c.y = c.randMPI(yBytes[:])
-	c.gy = new(big.Int).Exp(g, c.y, p)
-	return c.serializeDHKey()
-}
-
-func (c *Conversation) serializeDHKey() []byte {
-	var ret []byte
-	ret = appendU16(ret, 2) // protocol version
-	ret = append(ret, msgTypeDHKey)
-	ret = appendMPI(ret, c.gy)
-	return ret
-}
-
-func (c *Conversation) processDHKey(in []byte) (isSame bool, err error) {
-	gy, in, ok := getMPI(in)
-	if !ok {
-		err = errors.New("otr: corrupt DH key message")
-		return
-	}
-	if gy.Cmp(g) < 0 || gy.Cmp(pMinus2) > 0 {
-		err = errors.New("otr: DH value out of range")
-		return
-	}
-	if c.gy != nil {
-		isSame = c.gy.Cmp(gy) == 0
-		return
-	}
-	c.gy = gy
-	return
-}
-
-func (c *Conversation) generateEncryptedSignature(keys *akeKeys, xFirst bool) ([]byte, []byte) {
-	var xb []byte
-	xb = c.PrivateKey.PublicKey.Serialize(xb)
-
-	var verifyData []byte
-	if xFirst {
-		verifyData = appendMPI(verifyData, c.gx)
-		verifyData = appendMPI(verifyData, c.gy)
-	} else {
-		verifyData = appendMPI(verifyData, c.gy)
-		verifyData = appendMPI(verifyData, c.gx)
-	}
-	verifyData = append(verifyData, xb...)
-	verifyData = appendU32(verifyData, c.myKeyId)
-
-	mac := hmac.New(sha256.New, keys.m1[:])
-	mac.Write(verifyData)
-	mb := mac.Sum(nil)
-
-	xb = appendU32(xb, c.myKeyId)
-	xb = append(xb, c.PrivateKey.Sign(c.rand(), mb)...)
-
-	aesCipher, err := aes.NewCipher(keys.c[:])
-	if err != nil {
-		panic(err.Error())
-	}
-	var iv [aes.BlockSize]byte
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(xb, xb)
-
-	mac = hmac.New(sha256.New, keys.m2[:])
-	encryptedSig := appendData(nil, xb)
-	mac.Write(encryptedSig)
-
-	return encryptedSig, mac.Sum(nil)
-}
-
-func (c *Conversation) generateRevealSig() []byte {
-	s := new(big.Int).Exp(c.gy, c.x, p)
-	c.calcAKEKeys(s)
-	c.myKeyId++
-
-	encryptedSig, mac := c.generateEncryptedSignature(&c.revealKeys, true /* gx comes first */)
-
-	c.myCurrentDHPub = c.gx
-	c.myCurrentDHPriv = c.x
-	c.rotateDHKeys()
-	incCounter(&c.myCounter)
-
-	var ret []byte
-	ret = appendU16(ret, 2)
-	ret = append(ret, msgTypeRevealSig)
-	ret = appendData(ret, c.r[:])
-	ret = append(ret, encryptedSig...)
-	ret = append(ret, mac[:20]...)
-	return ret
-}
-
-func (c *Conversation) processEncryptedSig(encryptedSig, theirMAC []byte, keys *akeKeys, xFirst bool) error {
-	mac := hmac.New(sha256.New, keys.m2[:])
-	mac.Write(appendData(nil, encryptedSig))
-	myMAC := mac.Sum(nil)[:20]
-
-	if len(myMAC) != len(theirMAC) || subtle.ConstantTimeCompare(myMAC, theirMAC) == 0 {
-		return errors.New("bad signature MAC in encrypted signature")
-	}
-
-	aesCipher, err := aes.NewCipher(keys.c[:])
-	if err != nil {
-		panic(err.Error())
-	}
-	var iv [aes.BlockSize]byte
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(encryptedSig, encryptedSig)
-
-	sig := encryptedSig
-	sig, ok1 := c.TheirPublicKey.Parse(sig)
-	keyId, sig, ok2 := getU32(sig)
-	if !ok1 || !ok2 {
-		return errors.New("otr: corrupt encrypted signature")
-	}
-
-	var verifyData []byte
-	if xFirst {
-		verifyData = appendMPI(verifyData, c.gx)
-		verifyData = appendMPI(verifyData, c.gy)
-	} else {
-		verifyData = appendMPI(verifyData, c.gy)
-		verifyData = appendMPI(verifyData, c.gx)
-	}
-	verifyData = c.TheirPublicKey.Serialize(verifyData)
-	verifyData = appendU32(verifyData, keyId)
-
-	mac = hmac.New(sha256.New, keys.m1[:])
-	mac.Write(verifyData)
-	mb := mac.Sum(nil)
-
-	sig, ok1 = c.TheirPublicKey.Verify(mb, sig)
-	if !ok1 {
-		return errors.New("bad signature in encrypted signature")
-	}
-	if len(sig) > 0 {
-		return errors.New("corrupt encrypted signature")
-	}
-
-	c.theirKeyId = keyId
-	zero(c.theirLastCtr[:])
-	return nil
-}
-
-func (c *Conversation) processRevealSig(in []byte) error {
-	r, in, ok1 := getData(in)
-	encryptedSig, in, ok2 := getData(in)
-	theirMAC := in
-	if !ok1 || !ok2 || len(theirMAC) != 20 {
-		return errors.New("otr: corrupt reveal signature message")
-	}
-
-	aesCipher, err := aes.NewCipher(r)
-	if err != nil {
-		return errors.New("otr: cannot create AES cipher from reveal signature message: " + err.Error())
-	}
-	var iv [aes.BlockSize]byte
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(c.gxBytes, c.gxBytes)
-	h := sha256.New()
-	h.Write(c.gxBytes)
-	digest := h.Sum(nil)
-	if len(digest) != len(c.digest) || subtle.ConstantTimeCompare(digest, c.digest[:]) == 0 {
-		return errors.New("otr: bad commit MAC in reveal signature message")
-	}
-	var rest []byte
-	c.gx, rest, ok1 = getMPI(c.gxBytes)
-	if !ok1 || len(rest) > 0 {
-		return errors.New("otr: gx corrupt after decryption")
-	}
-	if c.gx.Cmp(g) < 0 || c.gx.Cmp(pMinus2) > 0 {
-		return errors.New("otr: DH value out of range")
-	}
-	s := new(big.Int).Exp(c.gx, c.y, p)
-	c.calcAKEKeys(s)
-
-	if err := c.processEncryptedSig(encryptedSig, theirMAC, &c.revealKeys, true /* gx comes first */); err != nil {
-		return errors.New("otr: in reveal signature message: " + err.Error())
-	}
-
-	c.theirCurrentDHPub = c.gx
-	c.theirLastDHPub = nil
-
-	return nil
-}
-
-func (c *Conversation) generateSig() []byte {
-	c.myKeyId++
-
-	encryptedSig, mac := c.generateEncryptedSignature(&c.sigKeys, false /* gy comes first */)
-
-	c.myCurrentDHPub = c.gy
-	c.myCurrentDHPriv = c.y
-	c.rotateDHKeys()
-	incCounter(&c.myCounter)
-
-	var ret []byte
-	ret = appendU16(ret, 2)
-	ret = append(ret, msgTypeSig)
-	ret = append(ret, encryptedSig...)
-	ret = append(ret, mac[:macPrefixBytes]...)
-	return ret
-}
-
-func (c *Conversation) processSig(in []byte) error {
-	encryptedSig, in, ok1 := getData(in)
-	theirMAC := in
-	if !ok1 || len(theirMAC) != macPrefixBytes {
-		return errors.New("otr: corrupt signature message")
-	}
-
-	if err := c.processEncryptedSig(encryptedSig, theirMAC, &c.sigKeys, false /* gy comes first */); err != nil {
-		return errors.New("otr: in signature message: " + err.Error())
-	}
-
-	c.theirCurrentDHPub = c.gy
-	c.theirLastDHPub = nil
-
-	return nil
-}
-
-func (c *Conversation) rotateDHKeys() {
-	// evict slots using our retired key id
-	for i := range c.keySlots {
-		slot := &c.keySlots[i]
-		if slot.used && slot.myKeyId == c.myKeyId-1 {
-			slot.used = false
-			c.oldMACs = append(c.oldMACs, slot.recvMACKey...)
-		}
-	}
-
-	c.myLastDHPriv = c.myCurrentDHPriv
-	c.myLastDHPub = c.myCurrentDHPub
-
-	var xBytes [dhPrivateBytes]byte
-	c.myCurrentDHPriv = c.randMPI(xBytes[:])
-	c.myCurrentDHPub = new(big.Int).Exp(g, c.myCurrentDHPriv, p)
-	c.myKeyId++
-}
-
-func (c *Conversation) processData(in []byte) (out []byte, tlvs []tlv, err error) {
-	origIn := in
-	flags, in, ok1 := getU8(in)
-	theirKeyId, in, ok2 := getU32(in)
-	myKeyId, in, ok3 := getU32(in)
-	y, in, ok4 := getMPI(in)
-	counter, in, ok5 := getNBytes(in, 8)
-	encrypted, in, ok6 := getData(in)
-	macedData := origIn[:len(origIn)-len(in)]
-	theirMAC, in, ok7 := getNBytes(in, macPrefixBytes)
-	_, in, ok8 := getData(in)
-	if !ok1 || !ok2 || !ok3 || !ok4 || !ok5 || !ok6 || !ok7 || !ok8 || len(in) > 0 {
-		err = errors.New("otr: corrupt data message")
-		return
-	}
-
-	ignoreErrors := flags&1 != 0
-
-	slot, err := c.calcDataKeys(myKeyId, theirKeyId)
-	if err != nil {
-		if ignoreErrors {
-			err = nil
-		}
-		return
-	}
-
-	mac := hmac.New(sha1.New, slot.recvMACKey)
-	mac.Write([]byte{0, 2, 3})
-	mac.Write(macedData)
-	myMAC := mac.Sum(nil)
-	if len(myMAC) != len(theirMAC) || subtle.ConstantTimeCompare(myMAC, theirMAC) == 0 {
-		if !ignoreErrors {
-			err = errors.New("otr: bad MAC on data message")
-		}
-		return
-	}
-
-	if bytes.Compare(counter, slot.theirLastCtr[:]) <= 0 {
-		err = errors.New("otr: counter regressed")
-		return
-	}
-	copy(slot.theirLastCtr[:], counter)
-
-	var iv [aes.BlockSize]byte
-	copy(iv[:], counter)
-	aesCipher, err := aes.NewCipher(slot.recvAESKey)
-	if err != nil {
-		panic(err.Error())
-	}
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(encrypted, encrypted)
-	decrypted := encrypted
-
-	if myKeyId == c.myKeyId {
-		c.rotateDHKeys()
-	}
-	if theirKeyId == c.theirKeyId {
-		// evict slots using their retired key id
-		for i := range c.keySlots {
-			slot := &c.keySlots[i]
-			if slot.used && slot.theirKeyId == theirKeyId-1 {
-				slot.used = false
-				c.oldMACs = append(c.oldMACs, slot.recvMACKey...)
-			}
-		}
-
-		c.theirLastDHPub = c.theirCurrentDHPub
-		c.theirKeyId++
-		c.theirCurrentDHPub = y
-	}
-
-	if nulPos := bytes.IndexByte(decrypted, 0); nulPos >= 0 {
-		out = decrypted[:nulPos]
-		tlvData := decrypted[nulPos+1:]
-		for len(tlvData) > 0 {
-			var t tlv
-			var ok1, ok2, ok3 bool
-
-			t.typ, tlvData, ok1 = getU16(tlvData)
-			t.length, tlvData, ok2 = getU16(tlvData)
-			t.data, tlvData, ok3 = getNBytes(tlvData, int(t.length))
-			if !ok1 || !ok2 || !ok3 {
-				err = errors.New("otr: corrupt tlv data")
-				return
-			}
-			tlvs = append(tlvs, t)
-		}
-	} else {
-		out = decrypted
-	}
-
-	return
-}
-
-func (c *Conversation) generateData(msg []byte, extra *tlv) []byte {
-	slot, err := c.calcDataKeys(c.myKeyId-1, c.theirKeyId)
-	if err != nil {
-		panic("otr: failed to generate sending keys: " + err.Error())
-	}
-
-	var plaintext []byte
-	plaintext = append(plaintext, msg...)
-	plaintext = append(plaintext, 0)
-
-	padding := paddingGranularity - ((len(plaintext) + 4) % paddingGranularity)
-	plaintext = appendU16(plaintext, tlvTypePadding)
-	plaintext = appendU16(plaintext, uint16(padding))
-	for i := 0; i < padding; i++ {
-		plaintext = append(plaintext, 0)
-	}
-
-	if extra != nil {
-		plaintext = appendU16(plaintext, extra.typ)
-		plaintext = appendU16(plaintext, uint16(len(extra.data)))
-		plaintext = append(plaintext, extra.data...)
-	}
-
-	encrypted := make([]byte, len(plaintext))
-
-	var iv [aes.BlockSize]byte
-	copy(iv[:], c.myCounter[:])
-	aesCipher, err := aes.NewCipher(slot.sendAESKey)
-	if err != nil {
-		panic(err.Error())
-	}
-	ctr := cipher.NewCTR(aesCipher, iv[:])
-	ctr.XORKeyStream(encrypted, plaintext)
-
-	var ret []byte
-	ret = appendU16(ret, 2)
-	ret = append(ret, msgTypeData)
-	ret = append(ret, 0 /* flags */)
-	ret = appendU32(ret, c.myKeyId-1)
-	ret = appendU32(ret, c.theirKeyId)
-	ret = appendMPI(ret, c.myCurrentDHPub)
-	ret = append(ret, c.myCounter[:]...)
-	ret = appendData(ret, encrypted)
-
-	mac := hmac.New(sha1.New, slot.sendMACKey)
-	mac.Write(ret)
-	ret = append(ret, mac.Sum(nil)[:macPrefixBytes]...)
-	ret = appendData(ret, c.oldMACs)
-	c.oldMACs = nil
-	incCounter(&c.myCounter)
-
-	return ret
-}
-
-func incCounter(counter *[8]byte) {
-	for i := 7; i >= 0; i-- {
-		counter[i]++
-		if counter[i] > 0 {
-			break
-		}
-	}
-}
-
-// calcDataKeys computes the keys used to encrypt a data message given the key
-// IDs.
-func (c *Conversation) calcDataKeys(myKeyId, theirKeyId uint32) (slot *keySlot, err error) {
-	// Check for a cache hit.
-	for i := range c.keySlots {
-		slot = &c.keySlots[i]
-		if slot.used && slot.theirKeyId == theirKeyId && slot.myKeyId == myKeyId {
-			return
-		}
-	}
-
-	// Find an empty slot to write into.
-	slot = nil
-	for i := range c.keySlots {
-		if !c.keySlots[i].used {
-			slot = &c.keySlots[i]
-			break
-		}
-	}
-	if slot == nil {
-		return nil, errors.New("otr: internal error: no more key slots")
-	}
-
-	var myPriv, myPub, theirPub *big.Int
-
-	if myKeyId == c.myKeyId {
-		myPriv = c.myCurrentDHPriv
-		myPub = c.myCurrentDHPub
-	} else if myKeyId == c.myKeyId-1 {
-		myPriv = c.myLastDHPriv
-		myPub = c.myLastDHPub
-	} else {
-		err = errors.New("otr: peer requested keyid " + strconv.FormatUint(uint64(myKeyId), 10) + " when I'm on " + strconv.FormatUint(uint64(c.myKeyId), 10))
-		return
-	}
-
-	if theirKeyId == c.theirKeyId {
-		theirPub = c.theirCurrentDHPub
-	} else if theirKeyId == c.theirKeyId-1 && c.theirLastDHPub != nil {
-		theirPub = c.theirLastDHPub
-	} else {
-		err = errors.New("otr: peer requested keyid " + strconv.FormatUint(uint64(myKeyId), 10) + " when they're on " + strconv.FormatUint(uint64(c.myKeyId), 10))
-		return
-	}
-
-	var sendPrefixByte, recvPrefixByte [1]byte
-
-	if myPub.Cmp(theirPub) > 0 {
-		// we're the high end
-		sendPrefixByte[0], recvPrefixByte[0] = 1, 2
-	} else {
-		// we're the low end
-		sendPrefixByte[0], recvPrefixByte[0] = 2, 1
-	}
-
-	s := new(big.Int).Exp(theirPub, myPriv, p)
-	sBytes := appendMPI(nil, s)
-
-	h := sha1.New()
-	h.Write(sendPrefixByte[:])
-	h.Write(sBytes)
-	slot.sendAESKey = h.Sum(slot.sendAESKey[:0])[:16]
-
-	h.Reset()
-	h.Write(slot.sendAESKey)
-	slot.sendMACKey = h.Sum(slot.sendMACKey[:0])
-
-	h.Reset()
-	h.Write(recvPrefixByte[:])
-	h.Write(sBytes)
-	slot.recvAESKey = h.Sum(slot.recvAESKey[:0])[:16]
-
-	h.Reset()
-	h.Write(slot.recvAESKey)
-	slot.recvMACKey = h.Sum(slot.recvMACKey[:0])
-
-	slot.theirKeyId = theirKeyId
-	slot.myKeyId = myKeyId
-	slot.used = true
-
-	zero(slot.theirLastCtr[:])
-	return
-}
-
-func (c *Conversation) calcAKEKeys(s *big.Int) {
-	mpi := appendMPI(nil, s)
-	h := sha256.New()
-
-	var cBytes [32]byte
-	hashWithPrefix(c.SSID[:], 0, mpi, h)
-
-	hashWithPrefix(cBytes[:], 1, mpi, h)
-	copy(c.revealKeys.c[:], cBytes[:16])
-	copy(c.sigKeys.c[:], cBytes[16:])
-
-	hashWithPrefix(c.revealKeys.m1[:], 2, mpi, h)
-	hashWithPrefix(c.revealKeys.m2[:], 3, mpi, h)
-	hashWithPrefix(c.sigKeys.m1[:], 4, mpi, h)
-	hashWithPrefix(c.sigKeys.m2[:], 5, mpi, h)
-}
-
-func hashWithPrefix(out []byte, prefix byte, in []byte, h hash.Hash) {
-	h.Reset()
-	var p [1]byte
-	p[0] = prefix
-	h.Write(p[:])
-	h.Write(in)
-	if len(out) == h.Size() {
-		h.Sum(out[:0])
-	} else {
-		digest := h.Sum(nil)
-		copy(out, digest)
-	}
-}
-
-func (c *Conversation) encode(msg []byte) [][]byte {
-	b64 := make([]byte, base64.StdEncoding.EncodedLen(len(msg))+len(msgPrefix)+1)
-	base64.StdEncoding.Encode(b64[len(msgPrefix):], msg)
-	copy(b64, msgPrefix)
-	b64[len(b64)-1] = '.'
-
-	if c.FragmentSize < minFragmentSize || len(b64) <= c.FragmentSize {
-		// We can encode this in a single fragment.
-		return [][]byte{b64}
-	}
-
-	// We have to fragment this message.
-	var ret [][]byte
-	bytesPerFragment := c.FragmentSize - minFragmentSize
-	numFragments := (len(b64) + bytesPerFragment) / bytesPerFragment
-
-	for i := 0; i < numFragments; i++ {
-		frag := []byte("?OTR," + strconv.Itoa(i+1) + "," + strconv.Itoa(numFragments) + ",")
-		todo := bytesPerFragment
-		if todo > len(b64) {
-			todo = len(b64)
-		}
-		frag = append(frag, b64[:todo]...)
-		b64 = b64[todo:]
-		frag = append(frag, ',')
-		ret = append(ret, frag)
-	}
-
-	return ret
-}
-
-func (c *Conversation) reset() {
-	c.myKeyId = 0
-
-	for i := range c.keySlots {
-		c.keySlots[i].used = false
-	}
-}
-
-type PublicKey struct {
-	dsa.PublicKey
-}
-
-func (pk *PublicKey) Parse(in []byte) ([]byte, bool) {
-	var ok bool
-	var pubKeyType uint16
-
-	if pubKeyType, in, ok = getU16(in); !ok || pubKeyType != 0 {
-		return nil, false
-	}
-	if pk.P, in, ok = getMPI(in); !ok {
-		return nil, false
-	}
-	if pk.Q, in, ok = getMPI(in); !ok {
-		return nil, false
-	}
-	if pk.G, in, ok = getMPI(in); !ok {
-		return nil, false
-	}
-	if pk.Y, in, ok = getMPI(in); !ok {
-		return nil, false
-	}
-
-	return in, true
-}
-
-func (pk *PublicKey) Serialize(in []byte) []byte {
-	in = appendU16(in, 0)
-	in = appendMPI(in, pk.P)
-	in = appendMPI(in, pk.Q)
-	in = appendMPI(in, pk.G)
-	in = appendMPI(in, pk.Y)
-	return in
-}
-
-// Fingerprint returns the 20-byte, binary fingerprint of the PublicKey.
-func (pk *PublicKey) Fingerprint() []byte {
-	b := pk.Serialize(nil)
-	h := sha1.New()
-	h.Write(b[2:])
-	return h.Sum(nil)
-}
-
-func (pk *PublicKey) Verify(hashed, sig []byte) ([]byte, bool) {
-	if len(sig) != 2*dsaSubgroupBytes {
-		return nil, false
-	}
-	r := new(big.Int).SetBytes(sig[:dsaSubgroupBytes])
-	s := new(big.Int).SetBytes(sig[dsaSubgroupBytes:])
-	ok := dsa.Verify(&pk.PublicKey, hashed, r, s)
-	return sig[dsaSubgroupBytes*2:], ok
-}
-
-type PrivateKey struct {
-	PublicKey
-	dsa.PrivateKey
-}
-
-func (priv *PrivateKey) Sign(rand io.Reader, hashed []byte) []byte {
-	r, s, err := dsa.Sign(rand, &priv.PrivateKey, hashed)
-	if err != nil {
-		panic(err.Error())
-	}
-	rBytes := r.Bytes()
-	sBytes := s.Bytes()
-	if len(rBytes) > dsaSubgroupBytes || len(sBytes) > dsaSubgroupBytes {
-		panic("DSA signature too large")
-	}
-
-	out := make([]byte, 2*dsaSubgroupBytes)
-	copy(out[dsaSubgroupBytes-len(rBytes):], rBytes)
-	copy(out[len(out)-len(sBytes):], sBytes)
-	return out
-}
-
-func (priv *PrivateKey) Serialize(in []byte) []byte {
-	in = priv.PublicKey.Serialize(in)
-	in = appendMPI(in, priv.PrivateKey.X)
-	return in
-}
-
-func (priv *PrivateKey) Parse(in []byte) ([]byte, bool) {
-	in, ok := priv.PublicKey.Parse(in)
-	if !ok {
-		return in, ok
-	}
-	priv.PrivateKey.PublicKey = priv.PublicKey.PublicKey
-	priv.PrivateKey.X, in, ok = getMPI(in)
-	return in, ok
-}
-
-func (priv *PrivateKey) Generate(rand io.Reader) {
-	if err := dsa.GenerateParameters(&priv.PrivateKey.PublicKey.Parameters, rand, dsa.L1024N160); err != nil {
-		panic(err.Error())
-	}
-	if err := dsa.GenerateKey(&priv.PrivateKey, rand); err != nil {
-		panic(err.Error())
-	}
-	priv.PublicKey.PublicKey = priv.PrivateKey.PublicKey
-}
-
-func notHex(r rune) bool {
-	if r >= '0' && r <= '9' ||
-		r >= 'a' && r <= 'f' ||
-		r >= 'A' && r <= 'F' {
-		return false
-	}
-
-	return true
-}
-
-// Import parses the contents of a libotr private key file.
-func (priv *PrivateKey) Import(in []byte) bool {
-	mpiStart := []byte(" #")
-
-	mpis := make([]*big.Int, 5)
-
-	for i := 0; i < len(mpis); i++ {
-		start := bytes.Index(in, mpiStart)
-		if start == -1 {
-			return false
-		}
-		in = in[start+len(mpiStart):]
-		end := bytes.IndexFunc(in, notHex)
-		if end == -1 {
-			return false
-		}
-		hexBytes := in[:end]
-		in = in[end:]
-
-		if len(hexBytes)&1 != 0 {
-			return false
-		}
-
-		mpiBytes := make([]byte, len(hexBytes)/2)
-		if _, err := hex.Decode(mpiBytes, hexBytes); err != nil {
-			return false
-		}
-
-		mpis[i] = new(big.Int).SetBytes(mpiBytes)
-	}
-
-	for _, mpi := range mpis {
-		if mpi.Sign() <= 0 {
-			return false
-		}
-	}
-
-	priv.PrivateKey.P = mpis[0]
-	priv.PrivateKey.Q = mpis[1]
-	priv.PrivateKey.G = mpis[2]
-	priv.PrivateKey.Y = mpis[3]
-	priv.PrivateKey.X = mpis[4]
-	priv.PublicKey.PublicKey = priv.PrivateKey.PublicKey
-
-	a := new(big.Int).Exp(priv.PrivateKey.G, priv.PrivateKey.X, priv.PrivateKey.P)
-	return a.Cmp(priv.PrivateKey.Y) == 0
-}
-
-func getU8(in []byte) (uint8, []byte, bool) {
-	if len(in) < 1 {
-		return 0, in, false
-	}
-	return in[0], in[1:], true
-}
-
-func getU16(in []byte) (uint16, []byte, bool) {
-	if len(in) < 2 {
-		return 0, in, false
-	}
-	r := uint16(in[0])<<8 | uint16(in[1])
-	return r, in[2:], true
-}
-
-func getU32(in []byte) (uint32, []byte, bool) {
-	if len(in) < 4 {
-		return 0, in, false
-	}
-	r := uint32(in[0])<<24 | uint32(in[1])<<16 | uint32(in[2])<<8 | uint32(in[3])
-	return r, in[4:], true
-}
-
-func getMPI(in []byte) (*big.Int, []byte, bool) {
-	l, in, ok := getU32(in)
-	if !ok || uint32(len(in)) < l {
-		return nil, in, false
-	}
-	r := new(big.Int).SetBytes(in[:l])
-	return r, in[l:], true
-}
-
-func getData(in []byte) ([]byte, []byte, bool) {
-	l, in, ok := getU32(in)
-	if !ok || uint32(len(in)) < l {
-		return nil, in, false
-	}
-	return in[:l], in[l:], true
-}
-
-func getNBytes(in []byte, n int) ([]byte, []byte, bool) {
-	if len(in) < n {
-		return nil, in, false
-	}
-	return in[:n], in[n:], true
-}
-
-func appendU16(out []byte, v uint16) []byte {
-	out = append(out, byte(v>>8), byte(v))
-	return out
-}
-
-func appendU32(out []byte, v uint32) []byte {
-	out = append(out, byte(v>>24), byte(v>>16), byte(v>>8), byte(v))
-	return out
-}
-
-func appendData(out, v []byte) []byte {
-	out = appendU32(out, uint32(len(v)))
-	out = append(out, v...)
-	return out
-}
-
-func appendMPI(out []byte, v *big.Int) []byte {
-	vBytes := v.Bytes()
-	out = appendU32(out, uint32(len(vBytes)))
-	out = append(out, vBytes...)
-	return out
-}
-
-func appendMPIs(out []byte, mpis ...*big.Int) []byte {
-	for _, mpi := range mpis {
-		out = appendMPI(out, mpi)
-	}
-	return out
-}
-
-func zero(b []byte) {
-	for i := range b {
-		b[i] = 0
-	}
-}
diff --git a/vendor/golang.org/x/crypto/otr/smp.go b/vendor/golang.org/x/crypto/otr/smp.go
deleted file mode 100644
index dc6de4ee0..000000000
--- a/vendor/golang.org/x/crypto/otr/smp.go
+++ /dev/null
@@ -1,572 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This file implements the Socialist Millionaires Protocol as described in
-// http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html. The protocol
-// specification is required in order to understand this code and, where
-// possible, the variable names in the code match up with the spec.
-
-package otr
-
-import (
-	"bytes"
-	"crypto/sha256"
-	"errors"
-	"hash"
-	"math/big"
-)
-
-type smpFailure string
-
-func (s smpFailure) Error() string {
-	return string(s)
-}
-
-var smpFailureError = smpFailure("otr: SMP protocol failed")
-var smpSecretMissingError = smpFailure("otr: mutual secret needed")
-
-const smpVersion = 1
-
-const (
-	smpState1 = iota
-	smpState2
-	smpState3
-	smpState4
-)
-
-type smpState struct {
-	state                  int
-	a2, a3, b2, b3, pb, qb *big.Int
-	g2a, g3a               *big.Int
-	g2, g3                 *big.Int
-	g3b, papb, qaqb, ra    *big.Int
-	saved                  *tlv
-	secret                 *big.Int
-	question               string
-}
-
-func (c *Conversation) startSMP(question string) (tlvs []tlv) {
-	if c.smp.state != smpState1 {
-		tlvs = append(tlvs, c.generateSMPAbort())
-	}
-	tlvs = append(tlvs, c.generateSMP1(question))
-	c.smp.question = ""
-	c.smp.state = smpState2
-	return
-}
-
-func (c *Conversation) resetSMP() {
-	c.smp.state = smpState1
-	c.smp.secret = nil
-	c.smp.question = ""
-}
-
-func (c *Conversation) processSMP(in tlv) (out tlv, complete bool, err error) {
-	data := in.data
-
-	switch in.typ {
-	case tlvTypeSMPAbort:
-		if c.smp.state != smpState1 {
-			err = smpFailureError
-		}
-		c.resetSMP()
-		return
-	case tlvTypeSMP1WithQuestion:
-		// We preprocess this into a SMP1 message.
-		nulPos := bytes.IndexByte(data, 0)
-		if nulPos == -1 {
-			err = errors.New("otr: SMP message with question didn't contain a NUL byte")
-			return
-		}
-		c.smp.question = string(data[:nulPos])
-		data = data[nulPos+1:]
-	}
-
-	numMPIs, data, ok := getU32(data)
-	if !ok || numMPIs > 20 {
-		err = errors.New("otr: corrupt SMP message")
-		return
-	}
-
-	mpis := make([]*big.Int, numMPIs)
-	for i := range mpis {
-		var ok bool
-		mpis[i], data, ok = getMPI(data)
-		if !ok {
-			err = errors.New("otr: corrupt SMP message")
-			return
-		}
-	}
-
-	switch in.typ {
-	case tlvTypeSMP1, tlvTypeSMP1WithQuestion:
-		if c.smp.state != smpState1 {
-			c.resetSMP()
-			out = c.generateSMPAbort()
-			return
-		}
-		if c.smp.secret == nil {
-			err = smpSecretMissingError
-			return
-		}
-		if err = c.processSMP1(mpis); err != nil {
-			return
-		}
-		c.smp.state = smpState3
-		out = c.generateSMP2()
-	case tlvTypeSMP2:
-		if c.smp.state != smpState2 {
-			c.resetSMP()
-			out = c.generateSMPAbort()
-			return
-		}
-		if out, err = c.processSMP2(mpis); err != nil {
-			out = c.generateSMPAbort()
-			return
-		}
-		c.smp.state = smpState4
-	case tlvTypeSMP3:
-		if c.smp.state != smpState3 {
-			c.resetSMP()
-			out = c.generateSMPAbort()
-			return
-		}
-		if out, err = c.processSMP3(mpis); err != nil {
-			return
-		}
-		c.smp.state = smpState1
-		c.smp.secret = nil
-		complete = true
-	case tlvTypeSMP4:
-		if c.smp.state != smpState4 {
-			c.resetSMP()
-			out = c.generateSMPAbort()
-			return
-		}
-		if err = c.processSMP4(mpis); err != nil {
-			out = c.generateSMPAbort()
-			return
-		}
-		c.smp.state = smpState1
-		c.smp.secret = nil
-		complete = true
-	default:
-		panic("unknown SMP message")
-	}
-
-	return
-}
-
-func (c *Conversation) calcSMPSecret(mutualSecret []byte, weStarted bool) {
-	h := sha256.New()
-	h.Write([]byte{smpVersion})
-	if weStarted {
-		h.Write(c.PrivateKey.PublicKey.Fingerprint())
-		h.Write(c.TheirPublicKey.Fingerprint())
-	} else {
-		h.Write(c.TheirPublicKey.Fingerprint())
-		h.Write(c.PrivateKey.PublicKey.Fingerprint())
-	}
-	h.Write(c.SSID[:])
-	h.Write(mutualSecret)
-	c.smp.secret = new(big.Int).SetBytes(h.Sum(nil))
-}
-
-func (c *Conversation) generateSMP1(question string) tlv {
-	var randBuf [16]byte
-	c.smp.a2 = c.randMPI(randBuf[:])
-	c.smp.a3 = c.randMPI(randBuf[:])
-	g2a := new(big.Int).Exp(g, c.smp.a2, p)
-	g3a := new(big.Int).Exp(g, c.smp.a3, p)
-	h := sha256.New()
-
-	r2 := c.randMPI(randBuf[:])
-	r := new(big.Int).Exp(g, r2, p)
-	c2 := new(big.Int).SetBytes(hashMPIs(h, 1, r))
-	d2 := new(big.Int).Mul(c.smp.a2, c2)
-	d2.Sub(r2, d2)
-	d2.Mod(d2, q)
-	if d2.Sign() < 0 {
-		d2.Add(d2, q)
-	}
-
-	r3 := c.randMPI(randBuf[:])
-	r.Exp(g, r3, p)
-	c3 := new(big.Int).SetBytes(hashMPIs(h, 2, r))
-	d3 := new(big.Int).Mul(c.smp.a3, c3)
-	d3.Sub(r3, d3)
-	d3.Mod(d3, q)
-	if d3.Sign() < 0 {
-		d3.Add(d3, q)
-	}
-
-	var ret tlv
-	if len(question) > 0 {
-		ret.typ = tlvTypeSMP1WithQuestion
-		ret.data = append(ret.data, question...)
-		ret.data = append(ret.data, 0)
-	} else {
-		ret.typ = tlvTypeSMP1
-	}
-	ret.data = appendU32(ret.data, 6)
-	ret.data = appendMPIs(ret.data, g2a, c2, d2, g3a, c3, d3)
-	return ret
-}
-
-func (c *Conversation) processSMP1(mpis []*big.Int) error {
-	if len(mpis) != 6 {
-		return errors.New("otr: incorrect number of arguments in SMP1 message")
-	}
-	g2a := mpis[0]
-	c2 := mpis[1]
-	d2 := mpis[2]
-	g3a := mpis[3]
-	c3 := mpis[4]
-	d3 := mpis[5]
-	h := sha256.New()
-
-	r := new(big.Int).Exp(g, d2, p)
-	s := new(big.Int).Exp(g2a, c2, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-	t := new(big.Int).SetBytes(hashMPIs(h, 1, r))
-	if c2.Cmp(t) != 0 {
-		return errors.New("otr: ZKP c2 incorrect in SMP1 message")
-	}
-	r.Exp(g, d3, p)
-	s.Exp(g3a, c3, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-	t.SetBytes(hashMPIs(h, 2, r))
-	if c3.Cmp(t) != 0 {
-		return errors.New("otr: ZKP c3 incorrect in SMP1 message")
-	}
-
-	c.smp.g2a = g2a
-	c.smp.g3a = g3a
-	return nil
-}
-
-func (c *Conversation) generateSMP2() tlv {
-	var randBuf [16]byte
-	b2 := c.randMPI(randBuf[:])
-	c.smp.b3 = c.randMPI(randBuf[:])
-	r2 := c.randMPI(randBuf[:])
-	r3 := c.randMPI(randBuf[:])
-	r4 := c.randMPI(randBuf[:])
-	r5 := c.randMPI(randBuf[:])
-	r6 := c.randMPI(randBuf[:])
-
-	g2b := new(big.Int).Exp(g, b2, p)
-	g3b := new(big.Int).Exp(g, c.smp.b3, p)
-
-	r := new(big.Int).Exp(g, r2, p)
-	h := sha256.New()
-	c2 := new(big.Int).SetBytes(hashMPIs(h, 3, r))
-	d2 := new(big.Int).Mul(b2, c2)
-	d2.Sub(r2, d2)
-	d2.Mod(d2, q)
-	if d2.Sign() < 0 {
-		d2.Add(d2, q)
-	}
-
-	r.Exp(g, r3, p)
-	c3 := new(big.Int).SetBytes(hashMPIs(h, 4, r))
-	d3 := new(big.Int).Mul(c.smp.b3, c3)
-	d3.Sub(r3, d3)
-	d3.Mod(d3, q)
-	if d3.Sign() < 0 {
-		d3.Add(d3, q)
-	}
-
-	c.smp.g2 = new(big.Int).Exp(c.smp.g2a, b2, p)
-	c.smp.g3 = new(big.Int).Exp(c.smp.g3a, c.smp.b3, p)
-	c.smp.pb = new(big.Int).Exp(c.smp.g3, r4, p)
-	c.smp.qb = new(big.Int).Exp(g, r4, p)
-	r.Exp(c.smp.g2, c.smp.secret, p)
-	c.smp.qb.Mul(c.smp.qb, r)
-	c.smp.qb.Mod(c.smp.qb, p)
-
-	s := new(big.Int)
-	s.Exp(c.smp.g2, r6, p)
-	r.Exp(g, r5, p)
-	s.Mul(r, s)
-	s.Mod(s, p)
-	r.Exp(c.smp.g3, r5, p)
-	cp := new(big.Int).SetBytes(hashMPIs(h, 5, r, s))
-
-	// D5 = r5 - r4 cP mod q and D6 = r6 - y cP mod q
-
-	s.Mul(r4, cp)
-	r.Sub(r5, s)
-	d5 := new(big.Int).Mod(r, q)
-	if d5.Sign() < 0 {
-		d5.Add(d5, q)
-	}
-
-	s.Mul(c.smp.secret, cp)
-	r.Sub(r6, s)
-	d6 := new(big.Int).Mod(r, q)
-	if d6.Sign() < 0 {
-		d6.Add(d6, q)
-	}
-
-	var ret tlv
-	ret.typ = tlvTypeSMP2
-	ret.data = appendU32(ret.data, 11)
-	ret.data = appendMPIs(ret.data, g2b, c2, d2, g3b, c3, d3, c.smp.pb, c.smp.qb, cp, d5, d6)
-	return ret
-}
-
-func (c *Conversation) processSMP2(mpis []*big.Int) (out tlv, err error) {
-	if len(mpis) != 11 {
-		err = errors.New("otr: incorrect number of arguments in SMP2 message")
-		return
-	}
-	g2b := mpis[0]
-	c2 := mpis[1]
-	d2 := mpis[2]
-	g3b := mpis[3]
-	c3 := mpis[4]
-	d3 := mpis[5]
-	pb := mpis[6]
-	qb := mpis[7]
-	cp := mpis[8]
-	d5 := mpis[9]
-	d6 := mpis[10]
-	h := sha256.New()
-
-	r := new(big.Int).Exp(g, d2, p)
-	s := new(big.Int).Exp(g2b, c2, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-	s.SetBytes(hashMPIs(h, 3, r))
-	if c2.Cmp(s) != 0 {
-		err = errors.New("otr: ZKP c2 failed in SMP2 message")
-		return
-	}
-
-	r.Exp(g, d3, p)
-	s.Exp(g3b, c3, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-	s.SetBytes(hashMPIs(h, 4, r))
-	if c3.Cmp(s) != 0 {
-		err = errors.New("otr: ZKP c3 failed in SMP2 message")
-		return
-	}
-
-	c.smp.g2 = new(big.Int).Exp(g2b, c.smp.a2, p)
-	c.smp.g3 = new(big.Int).Exp(g3b, c.smp.a3, p)
-
-	r.Exp(g, d5, p)
-	s.Exp(c.smp.g2, d6, p)
-	r.Mul(r, s)
-	s.Exp(qb, cp, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(c.smp.g3, d5, p)
-	t := new(big.Int).Exp(pb, cp, p)
-	s.Mul(s, t)
-	s.Mod(s, p)
-	t.SetBytes(hashMPIs(h, 5, s, r))
-	if cp.Cmp(t) != 0 {
-		err = errors.New("otr: ZKP cP failed in SMP2 message")
-		return
-	}
-
-	var randBuf [16]byte
-	r4 := c.randMPI(randBuf[:])
-	r5 := c.randMPI(randBuf[:])
-	r6 := c.randMPI(randBuf[:])
-	r7 := c.randMPI(randBuf[:])
-
-	pa := new(big.Int).Exp(c.smp.g3, r4, p)
-	r.Exp(c.smp.g2, c.smp.secret, p)
-	qa := new(big.Int).Exp(g, r4, p)
-	qa.Mul(qa, r)
-	qa.Mod(qa, p)
-
-	r.Exp(g, r5, p)
-	s.Exp(c.smp.g2, r6, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(c.smp.g3, r5, p)
-	cp.SetBytes(hashMPIs(h, 6, s, r))
-
-	r.Mul(r4, cp)
-	d5 = new(big.Int).Sub(r5, r)
-	d5.Mod(d5, q)
-	if d5.Sign() < 0 {
-		d5.Add(d5, q)
-	}
-
-	r.Mul(c.smp.secret, cp)
-	d6 = new(big.Int).Sub(r6, r)
-	d6.Mod(d6, q)
-	if d6.Sign() < 0 {
-		d6.Add(d6, q)
-	}
-
-	r.ModInverse(qb, p)
-	qaqb := new(big.Int).Mul(qa, r)
-	qaqb.Mod(qaqb, p)
-
-	ra := new(big.Int).Exp(qaqb, c.smp.a3, p)
-	r.Exp(qaqb, r7, p)
-	s.Exp(g, r7, p)
-	cr := new(big.Int).SetBytes(hashMPIs(h, 7, s, r))
-
-	r.Mul(c.smp.a3, cr)
-	d7 := new(big.Int).Sub(r7, r)
-	d7.Mod(d7, q)
-	if d7.Sign() < 0 {
-		d7.Add(d7, q)
-	}
-
-	c.smp.g3b = g3b
-	c.smp.qaqb = qaqb
-
-	r.ModInverse(pb, p)
-	c.smp.papb = new(big.Int).Mul(pa, r)
-	c.smp.papb.Mod(c.smp.papb, p)
-	c.smp.ra = ra
-
-	out.typ = tlvTypeSMP3
-	out.data = appendU32(out.data, 8)
-	out.data = appendMPIs(out.data, pa, qa, cp, d5, d6, ra, cr, d7)
-	return
-}
-
-func (c *Conversation) processSMP3(mpis []*big.Int) (out tlv, err error) {
-	if len(mpis) != 8 {
-		err = errors.New("otr: incorrect number of arguments in SMP3 message")
-		return
-	}
-	pa := mpis[0]
-	qa := mpis[1]
-	cp := mpis[2]
-	d5 := mpis[3]
-	d6 := mpis[4]
-	ra := mpis[5]
-	cr := mpis[6]
-	d7 := mpis[7]
-	h := sha256.New()
-
-	r := new(big.Int).Exp(g, d5, p)
-	s := new(big.Int).Exp(c.smp.g2, d6, p)
-	r.Mul(r, s)
-	s.Exp(qa, cp, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(c.smp.g3, d5, p)
-	t := new(big.Int).Exp(pa, cp, p)
-	s.Mul(s, t)
-	s.Mod(s, p)
-	t.SetBytes(hashMPIs(h, 6, s, r))
-	if t.Cmp(cp) != 0 {
-		err = errors.New("otr: ZKP cP failed in SMP3 message")
-		return
-	}
-
-	r.ModInverse(c.smp.qb, p)
-	qaqb := new(big.Int).Mul(qa, r)
-	qaqb.Mod(qaqb, p)
-
-	r.Exp(qaqb, d7, p)
-	s.Exp(ra, cr, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(g, d7, p)
-	t.Exp(c.smp.g3a, cr, p)
-	s.Mul(s, t)
-	s.Mod(s, p)
-	t.SetBytes(hashMPIs(h, 7, s, r))
-	if t.Cmp(cr) != 0 {
-		err = errors.New("otr: ZKP cR failed in SMP3 message")
-		return
-	}
-
-	var randBuf [16]byte
-	r7 := c.randMPI(randBuf[:])
-	rb := new(big.Int).Exp(qaqb, c.smp.b3, p)
-
-	r.Exp(qaqb, r7, p)
-	s.Exp(g, r7, p)
-	cr = new(big.Int).SetBytes(hashMPIs(h, 8, s, r))
-
-	r.Mul(c.smp.b3, cr)
-	d7 = new(big.Int).Sub(r7, r)
-	d7.Mod(d7, q)
-	if d7.Sign() < 0 {
-		d7.Add(d7, q)
-	}
-
-	out.typ = tlvTypeSMP4
-	out.data = appendU32(out.data, 3)
-	out.data = appendMPIs(out.data, rb, cr, d7)
-
-	r.ModInverse(c.smp.pb, p)
-	r.Mul(pa, r)
-	r.Mod(r, p)
-	s.Exp(ra, c.smp.b3, p)
-	if r.Cmp(s) != 0 {
-		err = smpFailureError
-	}
-
-	return
-}
-
-func (c *Conversation) processSMP4(mpis []*big.Int) error {
-	if len(mpis) != 3 {
-		return errors.New("otr: incorrect number of arguments in SMP4 message")
-	}
-	rb := mpis[0]
-	cr := mpis[1]
-	d7 := mpis[2]
-	h := sha256.New()
-
-	r := new(big.Int).Exp(c.smp.qaqb, d7, p)
-	s := new(big.Int).Exp(rb, cr, p)
-	r.Mul(r, s)
-	r.Mod(r, p)
-
-	s.Exp(g, d7, p)
-	t := new(big.Int).Exp(c.smp.g3b, cr, p)
-	s.Mul(s, t)
-	s.Mod(s, p)
-	t.SetBytes(hashMPIs(h, 8, s, r))
-	if t.Cmp(cr) != 0 {
-		return errors.New("otr: ZKP cR failed in SMP4 message")
-	}
-
-	r.Exp(rb, c.smp.a3, p)
-	if r.Cmp(c.smp.papb) != 0 {
-		return smpFailureError
-	}
-
-	return nil
-}
-
-func (c *Conversation) generateSMPAbort() tlv {
-	return tlv{typ: tlvTypeSMPAbort}
-}
-
-func hashMPIs(h hash.Hash, magic byte, mpis ...*big.Int) []byte {
-	if h != nil {
-		h.Reset()
-	} else {
-		h = sha256.New()
-	}
-
-	h.Write([]byte{magic})
-	for _, mpi := range mpis {
-		h.Write(appendMPI(nil, mpi))
-	}
-	return h.Sum(nil)
-}
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/terminal.go b/vendor/golang.org/x/crypto/ssh/terminal/terminal.go
index 9a887598f..2f04ee5b5 100644
--- a/vendor/golang.org/x/crypto/ssh/terminal/terminal.go
+++ b/vendor/golang.org/x/crypto/ssh/terminal/terminal.go
@@ -7,6 +7,7 @@ package terminal
 import (
 	"bytes"
 	"io"
+	"strconv"
 	"sync"
 	"unicode/utf8"
 )
@@ -159,6 +160,10 @@ func bytesToKey(b []byte, pasteActive bool) (rune, []byte) {
 			return keyClearScreen, b[1:]
 		case 23: // ^W
 			return keyDeleteWord, b[1:]
+		case 14: // ^N
+			return keyDown, b[1:]
+		case 16: // ^P
+			return keyUp, b[1:]
 		}
 	}
 
@@ -267,34 +272,44 @@ func (t *Terminal) moveCursorToPos(pos int) {
 }
 
 func (t *Terminal) move(up, down, left, right int) {
-	movement := make([]rune, 3*(up+down+left+right))
-	m := movement
-	for i := 0; i < up; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'A'
-		m = m[3:]
-	}
-	for i := 0; i < down; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'B'
-		m = m[3:]
-	}
-	for i := 0; i < left; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'D'
-		m = m[3:]
-	}
-	for i := 0; i < right; i++ {
-		m[0] = keyEscape
-		m[1] = '['
-		m[2] = 'C'
-		m = m[3:]
-	}
-
-	t.queue(movement)
+	m := []rune{}
+
+	// 1 unit up can be expressed as ^[[A or ^[A
+	// 5 units up can be expressed as ^[[5A
+
+	if up == 1 {
+		m = append(m, keyEscape, '[', 'A')
+	} else if up > 1 {
+		m = append(m, keyEscape, '[')
+		m = append(m, []rune(strconv.Itoa(up))...)
+		m = append(m, 'A')
+	}
+
+	if down == 1 {
+		m = append(m, keyEscape, '[', 'B')
+	} else if down > 1 {
+		m = append(m, keyEscape, '[')
+		m = append(m, []rune(strconv.Itoa(down))...)
+		m = append(m, 'B')
+	}
+
+	if right == 1 {
+		m = append(m, keyEscape, '[', 'C')
+	} else if right > 1 {
+		m = append(m, keyEscape, '[')
+		m = append(m, []rune(strconv.Itoa(right))...)
+		m = append(m, 'C')
+	}
+
+	if left == 1 {
+		m = append(m, keyEscape, '[', 'D')
+	} else if left > 1 {
+		m = append(m, keyEscape, '[')
+		m = append(m, []rune(strconv.Itoa(left))...)
+		m = append(m, 'D')
+	}
+
+	t.queue(m)
 }
 
 func (t *Terminal) clearLineToRight() {
diff --git a/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go b/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go
index 6cb8a9503..5cfdf8f3f 100644
--- a/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go
+++ b/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go
@@ -64,13 +64,15 @@ func Restore(fd int, state *State) error {
 	return windows.SetConsoleMode(windows.Handle(fd), state.mode)
 }
 
-// GetSize returns the dimensions of the given terminal.
+// GetSize returns the visible dimensions of the given terminal.
+//
+// These dimensions don't include any scrollback buffer height.
 func GetSize(fd int) (width, height int, err error) {
 	var info windows.ConsoleScreenBufferInfo
 	if err := windows.GetConsoleScreenBufferInfo(windows.Handle(fd), &info); err != nil {
 		return 0, 0, err
 	}
-	return int(info.Size.X), int(info.Size.Y), nil
+	return int(info.Window.Right - info.Window.Left + 1), int(info.Window.Bottom - info.Window.Top + 1), nil
 }
 
 // ReadPassword reads a line of input from a terminal without local echo.  This
diff --git a/vendor/golang.org/x/crypto/ssh/test/doc.go b/vendor/golang.org/x/crypto/ssh/test/doc.go
deleted file mode 100644
index 198f0ca1e..000000000
--- a/vendor/golang.org/x/crypto/ssh/test/doc.go
+++ /dev/null
@@ -1,7 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package test contains integration tests for the
-// golang.org/x/crypto/ssh package.
-package test // import "golang.org/x/crypto/ssh/test"
diff --git a/vendor/golang.org/x/crypto/ssh/test/sshd_test_pw.c b/vendor/golang.org/x/crypto/ssh/test/sshd_test_pw.c
deleted file mode 100644
index 2794a563a..000000000
--- a/vendor/golang.org/x/crypto/ssh/test/sshd_test_pw.c
+++ /dev/null
@@ -1,173 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// sshd_test_pw.c
-// Wrapper to inject test password data for sshd PAM authentication
-//
-// This wrapper implements custom versions of getpwnam, getpwnam_r,
-// getspnam and getspnam_r. These functions first call their real
-// libc versions, then check if the requested user matches test user
-// specified in env variable TEST_USER and if so replace the password
-// with crypted() value of TEST_PASSWD env variable.
-//
-// Compile:
-// gcc -Wall -shared -o sshd_test_pw.so -fPIC sshd_test_pw.c
-//
-// Compile with debug:
-// gcc -DVERBOSE -Wall -shared -o sshd_test_pw.so -fPIC sshd_test_pw.c
-//
-// Run sshd:
-// LD_PRELOAD="sshd_test_pw.so" TEST_USER="..." TEST_PASSWD="..." sshd ...
-
-// +build ignore
-
-#define _GNU_SOURCE
-#include <string.h>
-#include <pwd.h>
-#include <shadow.h>
-#include <dlfcn.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stdio.h>
-
-#ifdef VERBOSE
-#define DEBUG(X...) fprintf(stderr, X)
-#else
-#define DEBUG(X...) while (0) { }
-#endif
-
-/* crypt() password */
-static char *
-pwhash(char *passwd) {
-  return strdup(crypt(passwd, "$6$"));
-}
-
-/* Pointers to real functions in libc */
-static struct passwd * (*real_getpwnam)(const char *) = NULL;
-static int (*real_getpwnam_r)(const char *, struct passwd *, char *, size_t, struct passwd **) = NULL;
-static struct spwd * (*real_getspnam)(const char *) = NULL;
-static int (*real_getspnam_r)(const char *, struct spwd *, char *, size_t, struct spwd **) = NULL;
-
-/* Cached test user and test password */
-static char *test_user = NULL;
-static char *test_passwd_hash = NULL;
-
-static void
-init(void) {
-  /* Fetch real libc function pointers */
-  real_getpwnam = dlsym(RTLD_NEXT, "getpwnam");
-  real_getpwnam_r = dlsym(RTLD_NEXT, "getpwnam_r");
-  real_getspnam = dlsym(RTLD_NEXT, "getspnam");
-  real_getspnam_r = dlsym(RTLD_NEXT, "getspnam_r");
-  
-  /* abort if env variables are not defined */
-  if (getenv("TEST_USER") == NULL || getenv("TEST_PASSWD") == NULL) {
-    fprintf(stderr, "env variables TEST_USER and TEST_PASSWD are missing\n");
-    abort();
-  }
-
-  /* Fetch test user and test password from env */
-  test_user = strdup(getenv("TEST_USER"));
-  test_passwd_hash = pwhash(getenv("TEST_PASSWD"));
-
-  DEBUG("sshd_test_pw init():\n");
-  DEBUG("\treal_getpwnam: %p\n", real_getpwnam);
-  DEBUG("\treal_getpwnam_r: %p\n", real_getpwnam_r);
-  DEBUG("\treal_getspnam: %p\n", real_getspnam);
-  DEBUG("\treal_getspnam_r: %p\n", real_getspnam_r);
-  DEBUG("\tTEST_USER: '%s'\n", test_user);
-  DEBUG("\tTEST_PASSWD: '%s'\n", getenv("TEST_PASSWD"));
-  DEBUG("\tTEST_PASSWD_HASH: '%s'\n", test_passwd_hash);
-}
-
-static int
-is_test_user(const char *name) {
-  if (test_user != NULL && strcmp(test_user, name) == 0)
-    return 1;
-  return 0;
-}
-
-/* getpwnam */
-
-struct passwd *
-getpwnam(const char *name) {
-  struct passwd *pw;
-
-  DEBUG("sshd_test_pw getpwnam(%s)\n", name);
-  
-  if (real_getpwnam == NULL)
-    init();
-  if ((pw = real_getpwnam(name)) == NULL)
-    return NULL;
-
-  if (is_test_user(name))
-    pw->pw_passwd = strdup(test_passwd_hash);
-      
-  return pw;
-}
-
-/* getpwnam_r */
-
-int
-getpwnam_r(const char *name,
-	   struct passwd *pwd,
-	   char *buf,
-	   size_t buflen,
-	   struct passwd **result) {
-  int r;
-
-  DEBUG("sshd_test_pw getpwnam_r(%s)\n", name);
-  
-  if (real_getpwnam_r == NULL)
-    init();
-  if ((r = real_getpwnam_r(name, pwd, buf, buflen, result)) != 0 || *result == NULL)
-    return r;
-
-  if (is_test_user(name))
-    pwd->pw_passwd = strdup(test_passwd_hash);
-  
-  return 0;
-}
-
-/* getspnam */
-
-struct spwd *
-getspnam(const char *name) {
-  struct spwd *sp;
-
-  DEBUG("sshd_test_pw getspnam(%s)\n", name);
-  
-  if (real_getspnam == NULL)
-    init();
-  if ((sp = real_getspnam(name)) == NULL)
-    return NULL;
-
-  if (is_test_user(name))
-    sp->sp_pwdp = strdup(test_passwd_hash);
-  
-  return sp;
-}
-
-/* getspnam_r */
-
-int
-getspnam_r(const char *name,
-	   struct spwd *spbuf,
-	   char *buf,
-	   size_t buflen,
-	   struct spwd **spbufp) {
-  int r;
-
-  DEBUG("sshd_test_pw getspnam_r(%s)\n", name);
-  
-  if (real_getspnam_r == NULL)
-    init();
-  if ((r = real_getspnam_r(name, spbuf, buf, buflen, spbufp)) != 0)
-    return r;
-
-  if (is_test_user(name))
-    spbuf->sp_pwdp = strdup(test_passwd_hash);
-  
-  return r;
-}