Merge pull request #9264 from hashicorp/update-cty-funcs

Update github.com/hashicorp/go-cty-funcs to master

go.mod

@@ -70,11 +70,7 @@ require (
 	github.com/hashicorp/errwrap v1.0.0
 	github.com/hashicorp/go-checkpoint v0.0.0-20171009173528-1545e56e46de
 	github.com/hashicorp/go-cleanhttp v0.5.1
-	github.com/hashicorp/go-cty-funcs/cidr v0.0.0-20200203151509-c92509f48b18
+	github.com/hashicorp/go-cty-funcs v0.0.0-20200520133146-0d04eb807361
-	github.com/hashicorp/go-cty-funcs/crypto v0.0.0-20200124154056-476681ae9d62
-	github.com/hashicorp/go-cty-funcs/encoding v0.0.0-20200203151509-c92509f48b18
-	github.com/hashicorp/go-cty-funcs/filesystem v0.0.0-20200203151509-c92509f48b18
-	github.com/hashicorp/go-cty-funcs/uuid v0.0.0-20200203151509-c92509f48b18
 	github.com/hashicorp/go-getter/v2 v2.0.0-20200511085045-ad575698c524
 	github.com/hashicorp/go-immutable-radix v1.1.0 // indirect
 	github.com/hashicorp/go-msgpack v0.5.5 // indirect
@@ -152,10 +148,10 @@ require (
 	github.com/xanzy/go-cloudstack v0.0.0-20190526095453-42f262b63ed0
 	github.com/yandex-cloud/go-genproto v0.0.0-20190916101622-7617782d381e
 	github.com/yandex-cloud/go-sdk v0.0.0-20190916101744-c781afa45829
-	github.com/zclconf/go-cty v1.3.2-0.20200309235747-0b5d9cf50df7
+	github.com/zclconf/go-cty v1.4.0
 	github.com/zclconf/go-cty-yaml v1.0.1
 	go.opencensus.io v0.22.3 // indirect
-	golang.org/x/crypto v0.0.0-20200117160349-530e935923ad
+	golang.org/x/crypto v0.0.0-20200422194213-44a606286825
 	golang.org/x/exp v0.0.0-20191129062945-2f5052295587 // indirect
 	golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f // indirect
 	golang.org/x/mobile v0.0.0-20191130191448-5c0e7e404af8

go.sum

@@ -277,16 +277,8 @@ github.com/hashicorp/go-cleanhttp v0.5.0 h1:wvCrVc9TjDls6+YGAF2hAifE1E5U1+b4tH6K
 github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-cleanhttp v0.5.1 h1:dH3aiDG9Jvb5r5+bYHsikaOUIpcM0xvgMXVoDkXMzJM=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
-github.com/hashicorp/go-cty-funcs/cidr v0.0.0-20200203151509-c92509f48b18 h1:XkNsY3+ulbaCO5Dubd9gpFI9FWRIjRWj7m/dn881cAU=
+github.com/hashicorp/go-cty-funcs v0.0.0-20200520133146-0d04eb807361 h1:qFuR7ZaMDC5xelTZeNwsJ90I4+4km7ACDdAP+2w84xI=
-github.com/hashicorp/go-cty-funcs/cidr v0.0.0-20200203151509-c92509f48b18/go.mod h1:0vJoZqJA0f/UCUiRBASXqc1TTlQufBwZpGfXfHAxSNA=
+github.com/hashicorp/go-cty-funcs v0.0.0-20200520133146-0d04eb807361/go.mod h1:Abjk0jbRkDaNCzsRhOv2iDCofYpX1eVsjozoiK63qLA=
-github.com/hashicorp/go-cty-funcs/crypto v0.0.0-20200124154056-476681ae9d62 h1:lopgaqFWgt25jxPgadIuZxg1+AMt6NtZ9n2n/SWsR/A=
-github.com/hashicorp/go-cty-funcs/crypto v0.0.0-20200124154056-476681ae9d62/go.mod h1:e5OaPJuWGKrYY0miHdwWgnlKOtQ+itgsl/AtQqMdaWU=
-github.com/hashicorp/go-cty-funcs/encoding v0.0.0-20200203151509-c92509f48b18 h1:9njD0lH4TmWPf3RpgW4KVohsgOOZs8eTxO5l2fNZ5bs=
-github.com/hashicorp/go-cty-funcs/encoding v0.0.0-20200203151509-c92509f48b18/go.mod h1:Q/aJ+s3PMRuuQvDHQLzECc7IdUGT+Q64gxUXa6djhDc=
-github.com/hashicorp/go-cty-funcs/filesystem v0.0.0-20200203151509-c92509f48b18 h1:VfWkSNJneNfW5gIk8Mi338gTiKeMqhryLDKLx8R5p70=
-github.com/hashicorp/go-cty-funcs/filesystem v0.0.0-20200203151509-c92509f48b18/go.mod h1:Ax0PN5Le7AV107LPtaMyCzQ8JVcR5uHcSP9ytZj/yv8=
-github.com/hashicorp/go-cty-funcs/uuid v0.0.0-20200203151509-c92509f48b18 h1:CxYihpdHlBui2AhjjrpfyZ/ulB/SfPaiiiuz6jJm8q8=
-github.com/hashicorp/go-cty-funcs/uuid v0.0.0-20200203151509-c92509f48b18/go.mod h1:QFbv9KeSic7KIgfOYbUW02G4LxOf3Fh9Ylm4n174LUQ=
 github.com/hashicorp/go-getter v1.4.1 h1:3A2Mh8smGFcf5M+gmcv898mZdrxpseik45IpcyISLsA=
 github.com/hashicorp/go-getter v1.4.1/go.mod h1:7qxyCd8rBfcShwsvxgIguu4KbS3l8bUCwg2Umn7RjeY=
 github.com/hashicorp/go-getter/v2 v2.0.0-20200511085045-ad575698c524 h1:xjV9iDvMeEgjUYEG3GB3KwN6OciqotOQk0J5ggl/B+E=
@@ -597,9 +589,8 @@ github.com/yandex-cloud/go-sdk v0.0.0-20190916101744-c781afa45829 h1:2FGwbx03GpP
 github.com/yandex-cloud/go-sdk v0.0.0-20190916101744-c781afa45829/go.mod h1:Eml0jFLU4VVHgIN8zPHMuNwZXVzUMILyO6lQZSfz854=
 github.com/zclconf/go-cty v1.0.0/go.mod h1:xnAOWiHeOqg2nWS62VtQ7pbOu17FtxJNW8RLEih+O3s=
 github.com/zclconf/go-cty v1.2.0/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
-github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
+github.com/zclconf/go-cty v1.4.0 h1:+q+tmgyUB94HIdH/uVTIi/+kt3pt4sHwEZAcTyLoGsQ=
-github.com/zclconf/go-cty v1.3.2-0.20200309235747-0b5d9cf50df7 h1:YyicOFRGFLIyzuZCaKFhIwg1JFpi+x1hEPlfNQUHq2I=
+github.com/zclconf/go-cty v1.4.0/go.mod h1:nHzOclRkoj++EU9ZjSrZvRG0BXIWt8c7loYc0qXAFGQ=
-github.com/zclconf/go-cty v1.3.2-0.20200309235747-0b5d9cf50df7/go.mod h1:nHzOclRkoj++EU9ZjSrZvRG0BXIWt8c7loYc0qXAFGQ=
 github.com/zclconf/go-cty-yaml v1.0.1 h1:up11wlgAaDvlAGENcFDnZgkn0qUJurso7k6EpURKNF8=
 github.com/zclconf/go-cty-yaml v1.0.1/go.mod h1:IP3Ylp0wQpYm50IHK8OZWKMu6sPJIUgKa8XhiVHura0=
 go.opencensus.io v0.21.0 h1:mU6zScU4U1YAFPHEHYk+3JC4SY7JxgkqS10ZOSyksNg=
@@ -624,8 +615,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200117160349-530e935923ad h1:Jh8cai0fqIK+f6nG0UgPW5wFk8wmiMhM3AyciDBdtQg=
+golang.org/x/crypto v0.0.0-20200422194213-44a606286825 h1:dSChiwOTvzwbHFTMq2l6uRardHH7/E6SqEkqccinS/o=
-golang.org/x/crypto v0.0.0-20200117160349-530e935923ad/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200422194213-44a606286825/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

vendor/github.com/hashicorp/go-cty-funcs/cidr/go.mod

@@ -1,9 +0,0 @@
-module github.com/hashicorp/go-cty-funcs/cidr
-
-go 1.13
-
-require (
-	github.com/apparentlymart/go-cidr v1.0.1
-	github.com/zclconf/go-cty v1.2.1
-	golang.org/x/text v0.3.2 // indirect
-)

vendor/github.com/hashicorp/go-cty-funcs/cidr/go.sum

@@ -1,22 +0,0 @@
-github.com/apparentlymart/go-cidr v1.0.1 h1:NmIwLZ/KdsjIUlhf+/Np40atNXm/+lZ5txfTJ/SpF+U=
-github.com/apparentlymart/go-cidr v1.0.1/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
-github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
-github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
-github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
-github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8=
-github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
-golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

vendor/github.com/hashicorp/go-cty-funcs/crypto/go.mod

@@ -1,12 +0,0 @@
-module github.com/hashicorp/go-cty-funcs/crypto
-
-go 1.13
-
-require (
-	github.com/google/uuid v1.1.1
-	github.com/hashicorp/go-uuid v1.0.2
-	github.com/mitchellh/go-homedir v1.1.0
-	github.com/zclconf/go-cty v1.2.1
-	golang.org/x/crypto v0.0.0-20200117160349-530e935923ad
-	golang.org/x/text v0.3.2 // indirect
-)

vendor/github.com/hashicorp/go-cty-funcs/crypto/go.sum

@@ -1,32 +0,0 @@
-github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
-github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
-github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
-github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8=
-github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20200117160349-530e935923ad h1:Jh8cai0fqIK+f6nG0UgPW5wFk8wmiMhM3AyciDBdtQg=
-golang.org/x/crypto v0.0.0-20200117160349-530e935923ad/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

vendor/github.com/hashicorp/go-cty-funcs/crypto/hash.go

@@ -1,132 +1,12 @@
 package crypto
 
 import (
-	"crypto/md5"
-	"crypto/rsa"
-	"crypto/sha1"
-	"crypto/sha256"
-	"crypto/sha512"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/pem"
-	"fmt"
 	"hash"
-	"io/ioutil"
-	"os"
-	"path/filepath"
 
-	"github.com/mitchellh/go-homedir"
 	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/function"
 )
 
-// Base64Sha256Func is a function that computes the SHA256 hash of a given
-// string and encodes it with Base64.
-var Base64Sha256Func = makeStringHashFunction(sha256.New, base64.StdEncoding.EncodeToString)
-
-// MakeFileBase64Sha256Func is a function that is like Base64Sha256Func but
-// reads the contents of a file rather than hashing a given literal string.
-func MakeFileBase64Sha256Func(baseDir string) function.Function {
-	return makeFileHashFunction(baseDir, sha256.New, base64.StdEncoding.EncodeToString)
-}
-
-// Base64Sha512Func is a function that computes the SHA256 hash of a given
-// string and encodes it with Base64.
-var Base64Sha512Func = makeStringHashFunction(sha512.New, base64.StdEncoding.EncodeToString)
-
-// MakeFileBase64Sha512Func is a function that is like Base64Sha512Func but
-// reads the contents of a file rather than hashing a given literal string.
-func MakeFileBase64Sha512Func(baseDir string) function.Function {
-	return makeFileHashFunction(baseDir, sha512.New, base64.StdEncoding.EncodeToString)
-}
-
-// Md5Func is a function that computes the MD5 hash of a given string and
-// encodes it with hexadecimal digits.
-var Md5Func = makeStringHashFunction(md5.New, hex.EncodeToString)
-
-// MakeFileMd5Func is a function that is like Md5Func but reads the contents of
-// a file rather than hashing a given literal string.
-func MakeFileMd5Func(baseDir string) function.Function {
-	return makeFileHashFunction(baseDir, md5.New, hex.EncodeToString)
-}
-
-// RsaDecryptFunc is a function that decrypts an RSA-encrypted ciphertext.
-var RsaDecryptFunc = function.New(&function.Spec{
-	Params: []function.Parameter{
-		{
-			Name: "ciphertext",
-			Type: cty.String,
-		},
-		{
-			Name: "privatekey",
-			Type: cty.String,
-		},
-	},
-	Type: function.StaticReturnType(cty.String),
-	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
-		s := args[0].AsString()
-		key := args[1].AsString()
-
-		b, err := base64.StdEncoding.DecodeString(s)
-		if err != nil {
-			return cty.UnknownVal(cty.String), fmt.Errorf("failed to decode input %q: cipher text must be base64-encoded", s)
-		}
-
-		block, _ := pem.Decode([]byte(key))
-		if block == nil {
-			return cty.UnknownVal(cty.String), fmt.Errorf("failed to parse key: no key found")
-		}
-		if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
-			return cty.UnknownVal(cty.String), fmt.Errorf(
-				"failed to parse key: password protected keys are not supported. Please decrypt the key prior to use",
-			)
-		}
-
-		x509Key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-		if err != nil {
-			return cty.UnknownVal(cty.String), err
-		}
-
-		out, err := rsa.DecryptPKCS1v15(nil, x509Key, b)
-		if err != nil {
-			return cty.UnknownVal(cty.String), err
-		}
-
-		return cty.StringVal(string(out)), nil
-	},
-})
-
-// Sha1Func is a function that computes the SHA1 hash of a given string and
-// encodes it with hexadecimal digits.
-var Sha1Func = makeStringHashFunction(sha1.New, hex.EncodeToString)
-
-// MakeFileSha1Func is a function that is like Sha1Func but reads the contents
-// of a file rather than hashing a given literal string.
-func MakeFileSha1Func(baseDir string) function.Function {
-	return makeFileHashFunction(baseDir, sha1.New, hex.EncodeToString)
-}
-
-// Sha256Func is a function that computes the SHA256 hash of a given string and
-// encodes it with hexadecimal digits.
-var Sha256Func = makeStringHashFunction(sha256.New, hex.EncodeToString)
-
-// MakeFileSha256Func is a function that is like Sha256Func but reads the
-// contents of a file rather than hashing a given literal string.
-func MakeFileSha256Func(baseDir string) function.Function {
-	return makeFileHashFunction(baseDir, sha256.New, hex.EncodeToString)
-}
-
-// Sha512Func is a function that computes the SHA512 hash of a given string and
-// encodes it with hexadecimal digits.
-var Sha512Func = makeStringHashFunction(sha512.New, hex.EncodeToString)
-
-// MakeFileSha512Func is a function that is like Sha512Func but reads the
-// contents of a file rather than hashing a given literal string.
-func MakeFileSha512Func(baseDir string) function.Function {
-	return makeFileHashFunction(baseDir, sha512.New, hex.EncodeToString)
-}
-
 func makeStringHashFunction(hf func() hash.Hash, enc func([]byte) string) function.Function {
 	return function.New(&function.Spec{
 		Params: []function.Parameter{
@@ -145,105 +25,3 @@ func makeStringHashFunction(hf func() hash.Hash, enc func([]byte) string) functi
 		},
 	})
 }
-
-func makeFileHashFunction(baseDir string, hf func() hash.Hash, enc func([]byte) string) function.Function {
-	return function.New(&function.Spec{
-		Params: []function.Parameter{
-			{
-				Name: "path",
-				Type: cty.String,
-			},
-		},
-		Type: function.StaticReturnType(cty.String),
-		Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
-			path := args[0].AsString()
-			src, err := readFileBytes(baseDir, path)
-			if err != nil {
-				return cty.UnknownVal(cty.String), err
-			}
-
-			h := hf()
-			h.Write(src)
-			rv := enc(h.Sum(nil))
-			return cty.StringVal(rv), nil
-		},
-	})
-}
-
-// Base64Sha256 computes the SHA256 hash of a given string and encodes it with
-// Base64.
-//
-// The given string is first encoded as UTF-8 and then the SHA256 algorithm is
-// applied as defined in RFC 4634. The raw hash is then encoded with Base64
-// before returning. Terraform uses the "standard" Base64 alphabet as defined
-// in RFC 4648 section 4.
-func Base64Sha256(str cty.Value) (cty.Value, error) {
-	return Base64Sha256Func.Call([]cty.Value{str})
-}
-
-// Base64Sha512 computes the SHA512 hash of a given string and encodes it with
-// Base64.
-//
-// The given string is first encoded as UTF-8 and then the SHA256 algorithm is
-// applied as defined in RFC 4634. The raw hash is then encoded with Base64
-// before returning. Terraform uses the "standard" Base64  alphabet as defined
-// in RFC 4648 section 4
-func Base64Sha512(str cty.Value) (cty.Value, error) {
-	return Base64Sha512Func.Call([]cty.Value{str})
-}
-
-// Md5 computes the MD5 hash of a given string and encodes it with hexadecimal
-// digits.
-func Md5(str cty.Value) (cty.Value, error) {
-	return Md5Func.Call([]cty.Value{str})
-}
-
-// RsaDecrypt decrypts an RSA-encrypted ciphertext, returning the corresponding
-// cleartext.
-func RsaDecrypt(ciphertext, privatekey cty.Value) (cty.Value, error) {
-	return RsaDecryptFunc.Call([]cty.Value{ciphertext, privatekey})
-}
-
-// Sha1 computes the SHA1 hash of a given string and encodes it with
-// hexadecimal digits.
-func Sha1(str cty.Value) (cty.Value, error) {
-	return Sha1Func.Call([]cty.Value{str})
-}
-
-// Sha256 computes the SHA256 hash of a given string and encodes it with
-// hexadecimal digits.
-func Sha256(str cty.Value) (cty.Value, error) {
-	return Sha256Func.Call([]cty.Value{str})
-}
-
-// Sha512 computes the SHA512 hash of a given string and encodes it with
-// hexadecimal digits.
-func Sha512(str cty.Value) (cty.Value, error) {
-	return Sha512Func.Call([]cty.Value{str})
-}
-
-func readFileBytes(baseDir, path string) ([]byte, error) {
-	path, err := homedir.Expand(path)
-	if err != nil {
-		return nil, fmt.Errorf("failed to expand ~: %s", err)
-	}
-
-	if !filepath.IsAbs(path) {
-		path = filepath.Join(baseDir, path)
-	}
-
-	// Ensure that the path is canonical for the host OS
-	path = filepath.Clean(path)
-
-	src, err := ioutil.ReadFile(path)
-	if err != nil {
-		// ReadFile does not return Terraform-user-friendly error messages, so
-		// we'll provide our own.
-		if os.IsNotExist(err) {
-			return nil, fmt.Errorf("no file exists at %s", path)
-		}
-		return nil, fmt.Errorf("failed to read %s", path)
-	}
-
-	return src, nil
-}

vendor/github.com/hashicorp/go-cty-funcs/crypto/md5.go

@@ -0,0 +1,18 @@
+package crypto
+
+import (
+	"crypto/md5"
+	"encoding/hex"
+
+	"github.com/zclconf/go-cty/cty"
+)
+
+// Md5Func is a function that computes the MD5 hash of a given string and
+// encodes it with hexadecimal digits.
+var Md5Func = makeStringHashFunction(md5.New, hex.EncodeToString)
+
+// Md5 computes the MD5 hash of a given string and encodes it with hexadecimal
+// digits.
+func Md5(str cty.Value) (cty.Value, error) {
+	return Md5Func.Call([]cty.Value{str})
+}

vendor/github.com/hashicorp/go-cty-funcs/crypto/rsa.go

@@ -0,0 +1,64 @@
+package crypto
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/function"
+)
+
+// RsaDecryptFunc is a function that decrypts an RSA-encrypted ciphertext.
+var RsaDecryptFunc = function.New(&function.Spec{
+	Params: []function.Parameter{
+		{
+			Name: "ciphertext",
+			Type: cty.String,
+		},
+		{
+			Name: "privatekey",
+			Type: cty.String,
+		},
+	},
+	Type: function.StaticReturnType(cty.String),
+	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+		s := args[0].AsString()
+		key := args[1].AsString()
+
+		b, err := base64.StdEncoding.DecodeString(s)
+		if err != nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("failed to decode input %q: cipher text must be base64-encoded", s)
+		}
+
+		block, _ := pem.Decode([]byte(key))
+		if block == nil {
+			return cty.UnknownVal(cty.String), fmt.Errorf("failed to parse key: no key found")
+		}
+		if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
+			return cty.UnknownVal(cty.String), fmt.Errorf(
+				"failed to parse key: password protected keys are not supported. Please decrypt the key prior to use",
+			)
+		}
+
+		x509Key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+
+		out, err := rsa.DecryptPKCS1v15(nil, x509Key, b)
+		if err != nil {
+			return cty.UnknownVal(cty.String), err
+		}
+
+		return cty.StringVal(string(out)), nil
+	},
+})
+
+// RsaDecrypt decrypts an RSA-encrypted ciphertext, returning the corresponding
+// cleartext.
+func RsaDecrypt(ciphertext, privatekey cty.Value) (cty.Value, error) {
+	return RsaDecryptFunc.Call([]cty.Value{ciphertext, privatekey})
+}

vendor/github.com/hashicorp/go-cty-funcs/crypto/sha.go

@@ -0,0 +1,40 @@
+package crypto
+
+import (
+	"crypto/sha1"
+	"crypto/sha256"
+	"crypto/sha512"
+	"encoding/hex"
+
+	"github.com/zclconf/go-cty/cty"
+)
+
+// Sha1Func is a function that computes the SHA1 hash of a given string and
+// encodes it with hexadecimal digits.
+var Sha1Func = makeStringHashFunction(sha1.New, hex.EncodeToString)
+
+// Sha256Func is a function that computes the SHA256 hash of a given string and
+// encodes it with hexadecimal digits.
+var Sha256Func = makeStringHashFunction(sha256.New, hex.EncodeToString)
+
+// Sha512Func is a function that computes the SHA512 hash of a given string and
+// encodes it with hexadecimal digits.
+var Sha512Func = makeStringHashFunction(sha512.New, hex.EncodeToString)
+
+// Sha1 computes the SHA1 hash of a given string and encodes it with
+// hexadecimal digits.
+func Sha1(str cty.Value) (cty.Value, error) {
+	return Sha1Func.Call([]cty.Value{str})
+}
+
+// Sha256 computes the SHA256 hash of a given string and encodes it with
+// hexadecimal digits.
+func Sha256(str cty.Value) (cty.Value, error) {
+	return Sha256Func.Call([]cty.Value{str})
+}
+
+// Sha512 computes the SHA512 hash of a given string and encodes it with
+// hexadecimal digits.
+func Sha512(str cty.Value) (cty.Value, error) {
+	return Sha512Func.Call([]cty.Value{str})
+}

vendor/github.com/hashicorp/go-cty-funcs/crypto/uuid.go

@@ -1,29 +0,0 @@
-package crypto
-
-import (
-	uuid "github.com/hashicorp/go-uuid"
-	"github.com/zclconf/go-cty/cty"
-	"github.com/zclconf/go-cty/cty/function"
-)
-
-var UUIDFunc = function.New(&function.Spec{
-	Params: []function.Parameter{},
-	Type:   function.StaticReturnType(cty.String),
-	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
-		result, err := uuid.GenerateUUID()
-		if err != nil {
-			return cty.UnknownVal(cty.String), err
-		}
-		return cty.StringVal(result), nil
-	},
-})
-
-// UUID generates and returns a Type-4 UUID in the standard hexadecimal string
-// format.
-//
-// This is not a pure function: it will generate a different result for each
-// call. It must therefore be registered as an impure function in the function
-// table in the "lang" package.
-func UUID() (cty.Value, error) {
-	return UUIDFunc.Call(nil)
-}

vendor/github.com/hashicorp/go-cty-funcs/crypto/uuid_v5.go

@@ -1,48 +0,0 @@
-package crypto
-
-import (
-	"fmt"
-
-	uuidv5 "github.com/google/uuid"
-	"github.com/zclconf/go-cty/cty"
-	"github.com/zclconf/go-cty/cty/function"
-)
-
-var UUIDV5Func = function.New(&function.Spec{
-	Params: []function.Parameter{
-		{
-			Name: "namespace",
-			Type: cty.String,
-		},
-		{
-			Name: "name",
-			Type: cty.String,
-		},
-	},
-	Type: function.StaticReturnType(cty.String),
-	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
-		var namespace uuidv5.UUID
-		switch {
-		case args[0].AsString() == "dns":
-			namespace = uuidv5.NameSpaceDNS
-		case args[0].AsString() == "url":
-			namespace = uuidv5.NameSpaceURL
-		case args[0].AsString() == "oid":
-			namespace = uuidv5.NameSpaceOID
-		case args[0].AsString() == "x500":
-			namespace = uuidv5.NameSpaceX500
-		default:
-			if namespace, err = uuidv5.Parse(args[0].AsString()); err != nil {
-				return cty.UnknownVal(cty.String), fmt.Errorf("uuidv5() doesn't support namespace %s (%v)", args[0].AsString(), err)
-			}
-		}
-		val := args[1].AsString()
-		return cty.StringVal(uuidv5.NewSHA1(namespace, []byte(val)).String()), nil
-	},
-})
-
-// UUIDV5 generates and returns a Type-5 UUID in the standard hexadecimal
-// string format.
-func UUIDV5(namespace cty.Value, name cty.Value) (cty.Value, error) {
-	return UUIDV5Func.Call([]cty.Value{namespace, name})
-}

vendor/github.com/hashicorp/go-cty-funcs/encoding/go.mod

@@ -1,8 +0,0 @@
-module github.com/hashicorp/go-cty-funcs/encoding
-
-go 1.13
-
-require (
-	github.com/zclconf/go-cty v1.2.1
-	golang.org/x/text v0.3.2 // indirect
-)

vendor/github.com/hashicorp/go-cty-funcs/encoding/go.sum

@@ -1,20 +0,0 @@
-github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
-github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
-github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
-github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8=
-github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
-golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

vendor/github.com/hashicorp/go-cty-funcs/filesystem/go.mod

@@ -1,9 +0,0 @@
-module github.com/hashicorp/go-cty-funcs/filesystem
-
-go 1.13
-
-require (
-	github.com/bmatcuk/doublestar v1.1.5
-	github.com/mitchellh/go-homedir v1.1.0
-	github.com/zclconf/go-cty v1.2.1
-)

vendor/github.com/hashicorp/go-cty-funcs/filesystem/go.sum

@@ -1,21 +0,0 @@
-github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
-github.com/bmatcuk/doublestar v1.1.5 h1:2bNwBOmhyFEFcoB3tGvTD5xanq+4kyOZlB8wFYbMjkk=
-github.com/bmatcuk/doublestar v1.1.5/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
-github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
-github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8=
-github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
-golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

vendor/github.com/hashicorp/go-cty-funcs/uuid/go.mod

@@ -1,9 +0,0 @@
-module github.com/hashicorp/go-cty-funcs/uuid
-
-go 1.13
-
-require (
-	github.com/google/uuid v1.1.1
-	github.com/hashicorp/go-uuid v1.0.2
-	github.com/zclconf/go-cty v1.2.1
-)

vendor/github.com/hashicorp/go-cty-funcs/uuid/go.sum

@@ -1,21 +0,0 @@
-github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/Nj9VFpLOpjS5yuumk=
-github.com/golang/protobuf v1.1.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
-github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
-github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
-github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
-github.com/zclconf/go-cty v1.2.1 h1:vGMsygfmeCl4Xb6OA5U5XVAaQZ69FvoG7X2jUtQujb8=
-github.com/zclconf/go-cty v1.2.1/go.mod h1:hOPWgoHbaTUnI5k4D2ld+GRpFJSCe6bCM7m1q/N4PQ8=
-golang.org/x/net v0.0.0-20180811021610-c39426892332/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

vendor/github.com/hashicorp/go-cty-funcs/uuid/uuid_v4.go

@@ -1,7 +1,7 @@
 package uuid
 
 import (
-	uuid "github.com/hashicorp/go-uuid"
+	"github.com/google/uuid"
 	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/function"
 )
@@ -10,11 +10,11 @@ var V4Func = function.New(&function.Spec{
 	Params: []function.Parameter{},
 	Type:   function.StaticReturnType(cty.String),
 	Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
-		result, err := uuid.GenerateUUID()
+		uuid, err := uuid.NewRandom()
 		if err != nil {
 			return cty.UnknownVal(cty.String), err
 		}
-		return cty.StringVal(result), nil
+		return cty.StringVal(uuid.String()), nil
 	},
 })
 

vendor/github.com/zclconf/go-cty/cty/function/stdlib/number.go

@@ -375,6 +375,9 @@ var CeilFunc = function.New(&function.Spec{
 		if err := gocty.FromCtyValue(args[0], &val); err != nil {
 			return cty.UnknownVal(cty.String), err
 		}
+		if math.IsInf(val, 0) {
+			return cty.NumberFloatVal(val), nil
+		}
 		return cty.NumberIntVal(int64(math.Ceil(val))), nil
 	},
 })
@@ -394,6 +397,9 @@ var FloorFunc = function.New(&function.Spec{
 		if err := gocty.FromCtyValue(args[0], &val); err != nil {
 			return cty.UnknownVal(cty.String), err
 		}
+		if math.IsInf(val, 0) {
+			return cty.NumberFloatVal(val), nil
+		}
 		return cty.NumberIntVal(int64(math.Floor(val))), nil
 	},
 })

vendor/github.com/zclconf/go-cty/cty/path.go

@@ -51,11 +51,31 @@ func (p Path) Index(v Value) Path {
 	return ret
 }
 
+// IndexInt is a typed convenience method for Index.
+func (p Path) IndexInt(v int) Path {
+	return p.Index(NumberIntVal(int64(v)))
+}
+
+// IndexString is a typed convenience method for Index.
+func (p Path) IndexString(v string) Path {
+	return p.Index(StringVal(v))
+}
+
 // IndexPath is a convenience method to start a new Path with an IndexStep.
 func IndexPath(v Value) Path {
 	return Path{}.Index(v)
 }
 
+// IndexIntPath is a typed convenience method for IndexPath.
+func IndexIntPath(v int) Path {
+	return IndexPath(NumberIntVal(int64(v)))
+}
+
+// IndexStringPath is a typed convenience method for IndexPath.
+func IndexStringPath(v string) Path {
+	return IndexPath(StringVal(v))
+}
+
 // GetAttr returns a new Path that is the reciever with a GetAttrStep appended
 // to the end.
 //

vendor/golang.org/x/crypto/chacha20/chacha_arm64.go

@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build go1.11
+// +build go1.11,!gccgo,!purego
-// +build !gccgo,!appengine
 
 package chacha20
 

vendor/golang.org/x/crypto/chacha20/chacha_arm64.s

@@ -2,8 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build go1.11
+// +build go1.11,!gccgo,!purego
-// +build !gccgo,!appengine
 
 #include "textflag.h"
 

vendor/golang.org/x/crypto/chacha20/chacha_generic.go

@@ -89,6 +89,7 @@ func newUnauthenticatedCipher(c *Cipher, key, nonce []byte) (*Cipher, error) {
 		return nil, errors.New("chacha20: wrong nonce size")
 	}
 
+	key, nonce = key[:KeySize], nonce[:NonceSize] // bounds check elimination hint
 	c.key = [8]uint32{
 		binary.LittleEndian.Uint32(key[0:4]),
 		binary.LittleEndian.Uint32(key[4:8]),
@@ -136,6 +137,33 @@ func quarterRound(a, b, c, d uint32) (uint32, uint32, uint32, uint32) {
 	return a, b, c, d
 }
 
+// SetCounter sets the Cipher counter. The next invocation of XORKeyStream will
+// behave as if (64 * counter) bytes had been encrypted so far.
+//
+// To prevent accidental counter reuse, SetCounter panics if counter is
+// less than the current value.
+func (s *Cipher) SetCounter(counter uint32) {
+	// Internally, s may buffer multiple blocks, which complicates this
+	// implementation slightly. When checking whether the counter has rolled
+	// back, we must use both s.counter and s.len to determine how many blocks
+	// we have already output.
+	outputCounter := s.counter - uint32(s.len)/blockSize
+	if counter < outputCounter {
+		panic("chacha20: SetCounter attempted to rollback counter")
+	}
+
+	// In the general case, we set the new counter value and reset s.len to 0,
+	// causing the next call to XORKeyStream to refill the buffer. However, if
+	// we're advancing within the existing buffer, we can save work by simply
+	// setting s.len.
+	if counter < s.counter {
+		s.len = int(s.counter-counter) * blockSize
+	} else {
+		s.counter = counter
+		s.len = 0
+	}
+}
+
 // XORKeyStream XORs each byte in the given slice with a byte from the
 // cipher's key stream. Dst and src must overlap entirely or not at all.
 //
@@ -233,7 +261,9 @@ func (s *Cipher) xorKeyStreamBlocksGeneric(dst, src []byte) {
 		s.precompDone = true
 	}
 
-	for i := 0; i < len(src); i += blockSize {
+	// A condition of len(src) > 0 would be sufficient, but this also
+	// acts as a bounds check elimination hint.
+	for len(src) >= 64 && len(dst) >= 64 {
 		// The remainder of the first column round.
 		fcr0, fcr4, fcr8, fcr12 := quarterRound(c0, c4, c8, s.counter)
 
@@ -258,49 +288,31 @@ func (s *Cipher) xorKeyStreamBlocksGeneric(dst, src []byte) {
 			x3, x4, x9, x14 = quarterRound(x3, x4, x9, x14)
 		}
 
-		// Finally, add back the initial state to generate the key stream.
+		// Add back the initial state to generate the key stream, then
-		x0 += c0
+		// XOR the key stream with the source and write out the result.
-		x1 += c1
+		addXor(dst[0:4], src[0:4], x0, c0)
-		x2 += c2
+		addXor(dst[4:8], src[4:8], x1, c1)
-		x3 += c3
+		addXor(dst[8:12], src[8:12], x2, c2)
-		x4 += c4
+		addXor(dst[12:16], src[12:16], x3, c3)
-		x5 += c5
+		addXor(dst[16:20], src[16:20], x4, c4)
-		x6 += c6
+		addXor(dst[20:24], src[20:24], x5, c5)
-		x7 += c7
+		addXor(dst[24:28], src[24:28], x6, c6)
-		x8 += c8
+		addXor(dst[28:32], src[28:32], x7, c7)
-		x9 += c9
+		addXor(dst[32:36], src[32:36], x8, c8)
-		x10 += c10
+		addXor(dst[36:40], src[36:40], x9, c9)
-		x11 += c11
+		addXor(dst[40:44], src[40:44], x10, c10)
-		x12 += s.counter
+		addXor(dst[44:48], src[44:48], x11, c11)
-		x13 += c13
+		addXor(dst[48:52], src[48:52], x12, s.counter)
-		x14 += c14
+		addXor(dst[52:56], src[52:56], x13, c13)
-		x15 += c15
+		addXor(dst[56:60], src[56:60], x14, c14)
+		addXor(dst[60:64], src[60:64], x15, c15)
 
 		s.counter += 1
 		if s.counter == 0 {
 			panic("chacha20: internal error: counter overflow")
 		}
 
-		in, out := src[i:], dst[i:]
+		src, dst = src[blockSize:], dst[blockSize:]
-		in, out = in[:blockSize], out[:blockSize] // bounds check elimination hint
-
-		// XOR the key stream with the source and write out the result.
-		xor(out[0:], in[0:], x0)
-		xor(out[4:], in[4:], x1)
-		xor(out[8:], in[8:], x2)
-		xor(out[12:], in[12:], x3)
-		xor(out[16:], in[16:], x4)
-		xor(out[20:], in[20:], x5)
-		xor(out[24:], in[24:], x6)
-		xor(out[28:], in[28:], x7)
-		xor(out[32:], in[32:], x8)
-		xor(out[36:], in[36:], x9)
-		xor(out[40:], in[40:], x10)
-		xor(out[44:], in[44:], x11)
-		xor(out[48:], in[48:], x12)
-		xor(out[52:], in[52:], x13)
-		xor(out[56:], in[56:], x14)
-		xor(out[60:], in[60:], x15)
 	}
 }
 

vendor/golang.org/x/crypto/chacha20/chacha_noasm.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !arm64,!s390x,!ppc64le arm64,!go1.11 gccgo appengine
+// +build !arm64,!s390x,!ppc64le arm64,!go1.11 gccgo purego
 
 package chacha20
 

vendor/golang.org/x/crypto/chacha20/chacha_ppc64le.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !gccgo,!appengine
+// +build !gccgo,!purego
 
 package chacha20
 

vendor/golang.org/x/crypto/chacha20/chacha_ppc64le.s

@@ -19,7 +19,7 @@
 // The differences in this and the original implementation are
 // due to the calling conventions and initialization of constants.
 
-// +build !gccgo,!appengine
+// +build !gccgo,!purego
 
 #include "textflag.h"
 

vendor/golang.org/x/crypto/chacha20/chacha_s390x.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !gccgo,!appengine
+// +build !gccgo,!purego
 
 package chacha20
 

vendor/golang.org/x/crypto/chacha20/chacha_s390x.s

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !gccgo,!appengine
+// +build !gccgo,!purego
 
 #include "go_asm.h"
 #include "textflag.h"

vendor/golang.org/x/crypto/chacha20/xor.go

@@ -13,10 +13,10 @@ const unaligned = runtime.GOARCH == "386" ||
 	runtime.GOARCH == "ppc64le" ||
 	runtime.GOARCH == "s390x"
 
-// xor reads a little endian uint32 from src, XORs it with u and
+// addXor reads a little endian uint32 from src, XORs it with (a + b) and
 // places the result in little endian byte order in dst.
-func xor(dst, src []byte, u uint32) {
+func addXor(dst, src []byte, a, b uint32) {
-	_, _ = src[3], dst[3] // eliminate bounds checks
+	_, _ = src[3], dst[3] // bounds check elimination hint
 	if unaligned {
 		// The compiler should optimize this code into
 		// 32-bit unaligned little endian loads and stores.
@@ -27,15 +27,16 @@ func xor(dst, src []byte, u uint32) {
 		v |= uint32(src[1]) << 8
 		v |= uint32(src[2]) << 16
 		v |= uint32(src[3]) << 24
-		v ^= u
+		v ^= a + b
 		dst[0] = byte(v)
 		dst[1] = byte(v >> 8)
 		dst[2] = byte(v >> 16)
 		dst[3] = byte(v >> 24)
 	} else {
-		dst[0] = src[0] ^ byte(u)
+		a += b
-		dst[1] = src[1] ^ byte(u>>8)
+		dst[0] = src[0] ^ byte(a)
-		dst[2] = src[2] ^ byte(u>>16)
+		dst[1] = src[1] ^ byte(a>>8)
-		dst[3] = src[3] ^ byte(u>>24)
+		dst[2] = src[2] ^ byte(a>>16)
+		dst[3] = src[3] ^ byte(a>>24)
 	}
 }

vendor/golang.org/x/crypto/poly1305/mac_noasm.go

@@ -2,10 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !amd64,!ppc64le gccgo appengine
+// +build !amd64,!ppc64le gccgo purego
 
 package poly1305
 
 type mac struct{ macGeneric }
-
-func newMAC(key *[32]byte) mac { return mac{newMACGeneric(key)} }

vendor/golang.org/x/crypto/poly1305/poly1305.go

@@ -46,10 +46,9 @@ func Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
 // two different messages with the same key allows an attacker
 // to forge messages at will.
 func New(key *[32]byte) *MAC {
-	return &MAC{
+	m := &MAC{}
-		mac:       newMAC(key),
+	initialize(key, &m.macState)
-		finalized: false,
+	return m
-	}
 }
 
 // MAC is an io.Writer computing an authentication tag
@@ -58,7 +57,7 @@ func New(key *[32]byte) *MAC {
 // MAC cannot be used like common hash.Hash implementations,
 // because using a poly1305 key twice breaks its security.
 // Therefore writing data to a running MAC after calling
-// Sum causes it to panic.
+// Sum or Verify causes it to panic.
 type MAC struct {
 	mac // platform-dependent implementation
 
@@ -71,10 +70,10 @@ func (h *MAC) Size() int { return TagSize }
 // Write adds more data to the running message authentication code.
 // It never returns an error.
 //
-// It must not be called after the first call of Sum.
+// It must not be called after the first call of Sum or Verify.
 func (h *MAC) Write(p []byte) (n int, err error) {
 	if h.finalized {
-		panic("poly1305: write to MAC after Sum")
+		panic("poly1305: write to MAC after Sum or Verify")
 	}
 	return h.mac.Write(p)
 }
@@ -87,3 +86,12 @@ func (h *MAC) Sum(b []byte) []byte {
 	h.finalized = true
 	return append(b, mac[:]...)
 }
+
+// Verify returns whether the authenticator of all data written to
+// the message authentication code matches the expected value.
+func (h *MAC) Verify(expected []byte) bool {
+	var mac [TagSize]byte
+	h.mac.Sum(&mac)
+	h.finalized = true
+	return subtle.ConstantTimeCompare(expected, mac[:]) == 1
+}

vendor/golang.org/x/crypto/poly1305/sum_amd64.go

@@ -2,24 +2,13 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build amd64,!gccgo,!appengine
+// +build !gccgo,!purego
 
 package poly1305
 
 //go:noescape
 func update(state *macState, msg []byte)
 
-func sum(out *[16]byte, m []byte, key *[32]byte) {
-	h := newMAC(key)
-	h.Write(m)
-	h.Sum(out)
-}
-
-func newMAC(key *[32]byte) (h mac) {
-	initialize(key, &h.r, &h.s)
-	return
-}
-
 // mac is a wrapper for macGeneric that redirects calls that would have gone to
 // updateGeneric to update.
 //

vendor/golang.org/x/crypto/poly1305/sum_amd64.s

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build amd64,!gccgo,!appengine
+// +build !gccgo,!purego
 
 #include "textflag.h"
 

vendor/golang.org/x/crypto/poly1305/sum_generic.go

@@ -31,9 +31,10 @@ func sumGeneric(out *[TagSize]byte, msg []byte, key *[32]byte) {
 	h.Sum(out)
 }
 
-func newMACGeneric(key *[32]byte) (h macGeneric) {
+func newMACGeneric(key *[32]byte) macGeneric {
-	initialize(key, &h.r, &h.s)
+	m := macGeneric{}
-	return
+	initialize(key, &m.macState)
+	return m
 }
 
 // macState holds numbers in saturated 64-bit little-endian limbs. That is,
@@ -97,11 +98,12 @@ const (
 	rMask1 = 0x0FFFFFFC0FFFFFFC
 )
 
-func initialize(key *[32]byte, r, s *[2]uint64) {
+// initialize loads the 256-bit key into the two 128-bit secret values r and s.
-	r[0] = binary.LittleEndian.Uint64(key[0:8]) & rMask0
+func initialize(key *[32]byte, m *macState) {
-	r[1] = binary.LittleEndian.Uint64(key[8:16]) & rMask1
+	m.r[0] = binary.LittleEndian.Uint64(key[0:8]) & rMask0
-	s[0] = binary.LittleEndian.Uint64(key[16:24])
+	m.r[1] = binary.LittleEndian.Uint64(key[8:16]) & rMask1
-	s[1] = binary.LittleEndian.Uint64(key[24:32])
+	m.s[0] = binary.LittleEndian.Uint64(key[16:24])
+	m.s[1] = binary.LittleEndian.Uint64(key[24:32])
 }
 
 // uint128 holds a 128-bit number as two 64-bit limbs, for use with the

vendor/golang.org/x/crypto/poly1305/sum_noasm.go

@@ -2,12 +2,17 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build s390x,!go1.11 !amd64,!s390x,!ppc64le gccgo appengine nacl
+// At this point only s390x has an assembly implementation of sum. All other
+// platforms have assembly implementations of mac, and just define sum as using
+// that through New. Once s390x is ported, this file can be deleted and the body
+// of sum moved into Sum.
+
+// +build !go1.11 !s390x gccgo purego
 
 package poly1305
 
 func sum(out *[TagSize]byte, msg []byte, key *[32]byte) {
-	h := newMAC(key)
+	h := New(key)
 	h.Write(msg)
-	h.Sum(out)
+	h.Sum(out[:0])
 }

vendor/golang.org/x/crypto/poly1305/sum_ppc64le.go

@@ -2,24 +2,13 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build ppc64le,!gccgo,!appengine
+// +build !gccgo,!purego
 
 package poly1305
 
 //go:noescape
 func update(state *macState, msg []byte)
 
-func sum(out *[16]byte, m []byte, key *[32]byte) {
-	h := newMAC(key)
-	h.Write(m)
-	h.Sum(out)
-}
-
-func newMAC(key *[32]byte) (h mac) {
-	initialize(key, &h.r, &h.s)
-	return
-}
-
 // mac is a wrapper for macGeneric that redirects calls that would have gone to
 // updateGeneric to update.
 //

vendor/golang.org/x/crypto/poly1305/sum_ppc64le.s

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build ppc64le,!gccgo,!appengine
+// +build !gccgo,!purego
 
 #include "textflag.h"
 

vendor/golang.org/x/crypto/poly1305/sum_s390x.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build s390x,go1.11,!gccgo,!appengine
+// +build go1.11,!gccgo,!purego
 
 package poly1305
 

vendor/golang.org/x/crypto/poly1305/sum_s390x.s

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build s390x,go1.11,!gccgo,!appengine
+// +build go1.11,!gccgo,!purego
 
 #include "textflag.h"
 

vendor/golang.org/x/crypto/poly1305/sum_vmsl_s390x.s

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build s390x,go1.11,!gccgo,!appengine
+// +build go1.11,!gccgo,!purego
 
 #include "textflag.h"
 

vendor/golang.org/x/crypto/ssh/agent/client.go

@@ -102,8 +102,9 @@ type ConstraintExtension struct {
 
 // AddedKey describes an SSH key to be added to an Agent.
 type AddedKey struct {
-	// PrivateKey must be a *rsa.PrivateKey, *dsa.PrivateKey or
+	// PrivateKey must be a *rsa.PrivateKey, *dsa.PrivateKey,
-	// *ecdsa.PrivateKey, which will be inserted into the agent.
+	// ed25519.PrivateKey or *ecdsa.PrivateKey, which will be inserted into the
+	// agent.
 	PrivateKey interface{}
 	// Certificate, if not nil, is communicated to the agent and will be
 	// stored with the key.
@@ -566,6 +567,17 @@ func (c *client) insertKey(s interface{}, comment string, constraints []byte) er
 			Comments:    comment,
 			Constraints: constraints,
 		})
+	case ed25519.PrivateKey:
+		req = ssh.Marshal(ed25519KeyMsg{
+			Type:        ssh.KeyAlgoED25519,
+			Pub:         []byte(k)[32:],
+			Priv:        []byte(k),
+			Comments:    comment,
+			Constraints: constraints,
+		})
+	// This function originally supported only *ed25519.PrivateKey, however the
+	// general idiom is to pass ed25519.PrivateKey by value, not by pointer.
+	// We still support the pointer variant for backwards compatibility.
 	case *ed25519.PrivateKey:
 		req = ssh.Marshal(ed25519KeyMsg{
 			Type:        ssh.KeyAlgoED25519,
@@ -683,6 +695,18 @@ func (c *client) insertCert(s interface{}, cert *ssh.Certificate, comment string
 			Comments:    comment,
 			Constraints: constraints,
 		})
+	case ed25519.PrivateKey:
+		req = ssh.Marshal(ed25519CertMsg{
+			Type:        cert.Type(),
+			CertBytes:   cert.Marshal(),
+			Pub:         []byte(k)[32:],
+			Priv:        []byte(k),
+			Comments:    comment,
+			Constraints: constraints,
+		})
+	// This function originally supported only *ed25519.PrivateKey, however the
+	// general idiom is to pass ed25519.PrivateKey by value, not by pointer.
+	// We still support the pointer variant for backwards compatibility.
 	case *ed25519.PrivateKey:
 		req = ssh.Marshal(ed25519CertMsg{
 			Type:        cert.Type(),

vendor/golang.org/x/crypto/ssh/cipher.go

@@ -119,7 +119,7 @@ var cipherModes = map[string]*cipherMode{
 	chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
 
 	// CBC mode is insecure and so is not included in the default config.
-	// (See http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf). If absolutely
+	// (See https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf). If absolutely
 	// needed, it's possible to specify a custom Config to enable it.
 	// You should expect that an active attacker can recover plaintext if
 	// you do.

vendor/golang.org/x/crypto/ssh/internal/bcrypt_pbkdf/bcrypt_pbkdf.go

@@ -0,0 +1,93 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package bcrypt_pbkdf implements bcrypt_pbkdf(3) from OpenBSD.
+//
+// See https://flak.tedunangst.com/post/bcrypt-pbkdf and
+// https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libutil/bcrypt_pbkdf.c.
+package bcrypt_pbkdf
+
+import (
+	"crypto/sha512"
+	"errors"
+	"golang.org/x/crypto/blowfish"
+)
+
+const blockSize = 32
+
+// Key derives a key from the password, salt and rounds count, returning a
+// []byte of length keyLen that can be used as cryptographic key.
+func Key(password, salt []byte, rounds, keyLen int) ([]byte, error) {
+	if rounds < 1 {
+		return nil, errors.New("bcrypt_pbkdf: number of rounds is too small")
+	}
+	if len(password) == 0 {
+		return nil, errors.New("bcrypt_pbkdf: empty password")
+	}
+	if len(salt) == 0 || len(salt) > 1<<20 {
+		return nil, errors.New("bcrypt_pbkdf: bad salt length")
+	}
+	if keyLen > 1024 {
+		return nil, errors.New("bcrypt_pbkdf: keyLen is too large")
+	}
+
+	numBlocks := (keyLen + blockSize - 1) / blockSize
+	key := make([]byte, numBlocks*blockSize)
+
+	h := sha512.New()
+	h.Write(password)
+	shapass := h.Sum(nil)
+
+	shasalt := make([]byte, 0, sha512.Size)
+	cnt, tmp := make([]byte, 4), make([]byte, blockSize)
+	for block := 1; block <= numBlocks; block++ {
+		h.Reset()
+		h.Write(salt)
+		cnt[0] = byte(block >> 24)
+		cnt[1] = byte(block >> 16)
+		cnt[2] = byte(block >> 8)
+		cnt[3] = byte(block)
+		h.Write(cnt)
+		bcryptHash(tmp, shapass, h.Sum(shasalt))
+
+		out := make([]byte, blockSize)
+		copy(out, tmp)
+		for i := 2; i <= rounds; i++ {
+			h.Reset()
+			h.Write(tmp)
+			bcryptHash(tmp, shapass, h.Sum(shasalt))
+			for j := 0; j < len(out); j++ {
+				out[j] ^= tmp[j]
+			}
+		}
+
+		for i, v := range out {
+			key[i*numBlocks+(block-1)] = v
+		}
+	}
+	return key[:keyLen], nil
+}
+
+var magic = []byte("OxychromaticBlowfishSwatDynamite")
+
+func bcryptHash(out, shapass, shasalt []byte) {
+	c, err := blowfish.NewSaltedCipher(shapass, shasalt)
+	if err != nil {
+		panic(err)
+	}
+	for i := 0; i < 64; i++ {
+		blowfish.ExpandKey(shasalt, c)
+		blowfish.ExpandKey(shapass, c)
+	}
+	copy(out, magic)
+	for i := 0; i < 32; i += 8 {
+		for j := 0; j < 64; j++ {
+			c.Encrypt(out[i:i+8], out[i:i+8])
+		}
+	}
+	// Swap bytes due to different endianness.
+	for i := 0; i < 32; i += 4 {
+		out[i+3], out[i+2], out[i+1], out[i] = out[i], out[i+1], out[i+2], out[i+3]
+	}
+}

vendor/golang.org/x/crypto/ssh/kex.go

@@ -572,7 +572,7 @@ func (gex *dhGEXSHA) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int, e
 	return new(big.Int).Exp(theirPublic, myPrivate, gex.p), nil
 }
 
-func (gex *dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
+func (gex dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
 	// Send GexRequest
 	kexDHGexRequest := kexDHGexRequestMsg{
 		MinBits:      dhGroupExchangeMinimumBits,
@@ -677,7 +677,7 @@ func (gex *dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshak
 // Server half implementation of the Diffie Hellman Key Exchange with SHA1 and SHA256.
 //
 // This is a minimal implementation to satisfy the automated tests.
-func (gex *dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
+func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
 	// Receive GexRequest
 	packet, err := c.readPacket()
 	if err != nil {

vendor/golang.org/x/crypto/ssh/keys.go

@@ -7,6 +7,8 @@ package ssh
 import (
 	"bytes"
 	"crypto"
+	"crypto/aes"
+	"crypto/cipher"
 	"crypto/dsa"
 	"crypto/ecdsa"
 	"crypto/elliptic"
@@ -25,6 +27,7 @@ import (
 	"strings"
 
 	"golang.org/x/crypto/ed25519"
+	"golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"
 )
 
 // These constants represent the algorithm names for key types supported by this
@@ -559,9 +562,11 @@ func parseED25519(in []byte) (out PublicKey, rest []byte, err error) {
 		return nil, nil, err
 	}
 
-	key := ed25519.PublicKey(w.KeyBytes)
+	if l := len(w.KeyBytes); l != ed25519.PublicKeySize {
+		return nil, nil, fmt.Errorf("invalid size %d for Ed25519 public key", l)
+	}
 
-	return (ed25519PublicKey)(key), w.Rest, nil
+	return ed25519PublicKey(w.KeyBytes), w.Rest, nil
 }
 
 func (k ed25519PublicKey) Marshal() []byte {
@@ -579,9 +584,11 @@ func (k ed25519PublicKey) Verify(b []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
+	if l := len(k); l != ed25519.PublicKeySize {
+		return fmt.Errorf("ssh: invalid size %d for Ed25519 public key", l)
+	}
 
-	edKey := (ed25519.PublicKey)(k)
+	if ok := ed25519.Verify(ed25519.PublicKey(k), b, sig.Blob); !ok {
-	if ok := ed25519.Verify(edKey, b, sig.Blob); !ok {
 		return errors.New("ssh: signature did not verify")
 	}
 
@@ -835,6 +842,10 @@ func parseSKEd25519(in []byte) (out PublicKey, rest []byte, err error) {
 		return nil, nil, err
 	}
 
+	if l := len(w.KeyBytes); l != ed25519.PublicKeySize {
+		return nil, nil, fmt.Errorf("invalid size %d for Ed25519 public key", l)
+	}
+
 	key := new(skEd25519PublicKey)
 	key.application = w.Application
 	key.PublicKey = ed25519.PublicKey(w.KeyBytes)
@@ -859,6 +870,9 @@ func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
+	if l := len(k.PublicKey); l != ed25519.PublicKeySize {
+		return fmt.Errorf("invalid size %d for Ed25519 public key", l)
+	}
 
 	h := sha256.New()
 	h.Write([]byte(k.application))
@@ -895,8 +909,7 @@ func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error {
 
 	original := Marshal(blob)
 
-	edKey := (ed25519.PublicKey)(k.PublicKey)
+	if ok := ed25519.Verify(k.PublicKey, original, edSig.Signature); !ok {
-	if ok := ed25519.Verify(edKey, original, edSig.Signature); !ok {
 		return errors.New("ssh: signature did not verify")
 	}
 
@@ -1048,7 +1061,10 @@ func NewPublicKey(key interface{}) (PublicKey, error) {
 	case *dsa.PublicKey:
 		return (*dsaPublicKey)(key), nil
 	case ed25519.PublicKey:
-		return (ed25519PublicKey)(key), nil
+		if l := len(key); l != ed25519.PublicKeySize {
+			return nil, fmt.Errorf("ssh: invalid size %d for Ed25519 public key", l)
+		}
+		return ed25519PublicKey(key), nil
 	default:
 		return nil, fmt.Errorf("ssh: unsupported key type %T", key)
 	}
@@ -1122,21 +1138,25 @@ func ParseRawPrivateKey(pemBytes []byte) (interface{}, error) {
 	case "DSA PRIVATE KEY":
 		return ParseDSAPrivateKey(block.Bytes)
 	case "OPENSSH PRIVATE KEY":
-		return parseOpenSSHPrivateKey(block.Bytes)
+		return parseOpenSSHPrivateKey(block.Bytes, unencryptedOpenSSHKey)
 	default:
 		return nil, fmt.Errorf("ssh: unsupported key type %q", block.Type)
 	}
 }
 
 // ParseRawPrivateKeyWithPassphrase returns a private key decrypted with
-// passphrase from a PEM encoded private key. If wrong passphrase, return
+// passphrase from a PEM encoded private key. If the passphrase is wrong, it
-// x509.IncorrectPasswordError.
+// will return x509.IncorrectPasswordError.
 func ParseRawPrivateKeyWithPassphrase(pemBytes, passphrase []byte) (interface{}, error) {
 	block, _ := pem.Decode(pemBytes)
 	if block == nil {
 		return nil, errors.New("ssh: no key found")
 	}
 
+	if block.Type == "OPENSSH PRIVATE KEY" {
+		return parseOpenSSHPrivateKey(block.Bytes, passphraseProtectedOpenSSHKey(passphrase))
+	}
+
 	if !encryptedBlock(block) || !x509.IsEncryptedPEMBlock(block) {
 		return nil, errors.New("ssh: not an encrypted key")
 	}
@@ -1193,9 +1213,68 @@ func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) {
 	}, nil
 }
 
-// Implemented based on the documentation at
+func unencryptedOpenSSHKey(cipherName, kdfName, kdfOpts string, privKeyBlock []byte) ([]byte, error) {
-// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
+	if kdfName != "none" || cipherName != "none" {
-func parseOpenSSHPrivateKey(key []byte) (crypto.PrivateKey, error) {
+		return nil, &PassphraseMissingError{}
+	}
+	if kdfOpts != "" {
+		return nil, errors.New("ssh: invalid openssh private key")
+	}
+	return privKeyBlock, nil
+}
+
+func passphraseProtectedOpenSSHKey(passphrase []byte) openSSHDecryptFunc {
+	return func(cipherName, kdfName, kdfOpts string, privKeyBlock []byte) ([]byte, error) {
+		if kdfName == "none" || cipherName == "none" {
+			return nil, errors.New("ssh: key is not password protected")
+		}
+		if kdfName != "bcrypt" {
+			return nil, fmt.Errorf("ssh: unknown KDF %q, only supports %q", kdfName, "bcrypt")
+		}
+
+		var opts struct {
+			Salt   string
+			Rounds uint32
+		}
+		if err := Unmarshal([]byte(kdfOpts), &opts); err != nil {
+			return nil, err
+		}
+
+		k, err := bcrypt_pbkdf.Key(passphrase, []byte(opts.Salt), int(opts.Rounds), 32+16)
+		if err != nil {
+			return nil, err
+		}
+		key, iv := k[:32], k[32:]
+
+		c, err := aes.NewCipher(key)
+		if err != nil {
+			return nil, err
+		}
+		switch cipherName {
+		case "aes256-ctr":
+			ctr := cipher.NewCTR(c, iv)
+			ctr.XORKeyStream(privKeyBlock, privKeyBlock)
+		case "aes256-cbc":
+			if len(privKeyBlock)%c.BlockSize() != 0 {
+				return nil, fmt.Errorf("ssh: invalid encrypted private key length, not a multiple of the block size")
+			}
+			cbc := cipher.NewCBCDecrypter(c, iv)
+			cbc.CryptBlocks(privKeyBlock, privKeyBlock)
+		default:
+			return nil, fmt.Errorf("ssh: unknown cipher %q, only supports %q or %q", cipherName, "aes256-ctr", "aes256-cbc")
+		}
+
+		return privKeyBlock, nil
+	}
+}
+
+type openSSHDecryptFunc func(CipherName, KdfName, KdfOpts string, PrivKeyBlock []byte) ([]byte, error)
+
+// parseOpenSSHPrivateKey parses an OpenSSH private key, using the decrypt
+// function to unwrap the encrypted portion. unencryptedOpenSSHKey can be used
+// as the decrypt function to parse an unencrypted private key. See
+// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key.
+func parseOpenSSHPrivateKey(key []byte, decrypt openSSHDecryptFunc) (crypto.PrivateKey, error) {
 	const magic = "openssh-key-v1\x00"
 	if len(key) < len(magic) || string(key[:len(magic)]) != magic {
 		return nil, errors.New("ssh: invalid openssh private key format")
@@ -1214,9 +1293,22 @@ func parseOpenSSHPrivateKey(key []byte) (crypto.PrivateKey, error) {
 	if err := Unmarshal(remaining, &w); err != nil {
 		return nil, err
 	}
+	if w.NumKeys != 1 {
+		// We only support single key files, and so does OpenSSH.
+		// https://github.com/openssh/openssh-portable/blob/4103a3ec7/sshkey.c#L4171
+		return nil, errors.New("ssh: multi-key files are not supported")
+	}
 
-	if w.KdfName != "none" || w.CipherName != "none" {
+	privKeyBlock, err := decrypt(w.CipherName, w.KdfName, w.KdfOpts, w.PrivKeyBlock)
-		return nil, errors.New("ssh: cannot decode encrypted private keys")
+	if err != nil {
+		if err, ok := err.(*PassphraseMissingError); ok {
+			pub, errPub := ParsePublicKey(w.PubKey)
+			if errPub != nil {
+				return nil, fmt.Errorf("ssh: failed to parse embedded public key: %v", errPub)
+			}
+			err.PublicKey = pub
+		}
+		return nil, err
 	}
 
 	pk1 := struct {
@@ -1226,15 +1318,13 @@ func parseOpenSSHPrivateKey(key []byte) (crypto.PrivateKey, error) {
 		Rest    []byte `ssh:"rest"`
 	}{}
 
-	if err := Unmarshal(w.PrivKeyBlock, &pk1); err != nil {
+	if err := Unmarshal(privKeyBlock, &pk1); err != nil || pk1.Check1 != pk1.Check2 {
-		return nil, err
+		if w.CipherName != "none" {
+			return nil, x509.IncorrectPasswordError
+		}
+		return nil, errors.New("ssh: malformed OpenSSH key")
 	}
 
-	if pk1.Check1 != pk1.Check2 {
-		return nil, errors.New("ssh: checkint mismatch")
-	}
-
-	// we only handle ed25519 and rsa keys currently
 	switch pk1.Keytype {
 	case KeyAlgoRSA:
 		// https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L2760-L2773
@@ -1253,10 +1343,8 @@ func parseOpenSSHPrivateKey(key []byte) (crypto.PrivateKey, error) {
 			return nil, err
 		}
 
-		for i, b := range key.Pad {
+		if err := checkOpenSSHKeyPadding(key.Pad); err != nil {
-			if int(b) != i+1 {
+			return nil, err
-				return nil, errors.New("ssh: padding not as expected")
-			}
 		}
 
 		pk := &rsa.PrivateKey{
@@ -1291,20 +1379,78 @@ func parseOpenSSHPrivateKey(key []byte) (crypto.PrivateKey, error) {
 			return nil, errors.New("ssh: private key unexpected length")
 		}
 
-		for i, b := range key.Pad {
+		if err := checkOpenSSHKeyPadding(key.Pad); err != nil {
-			if int(b) != i+1 {
+			return nil, err
-				return nil, errors.New("ssh: padding not as expected")
-			}
 		}
 
 		pk := ed25519.PrivateKey(make([]byte, ed25519.PrivateKeySize))
 		copy(pk, key.Priv)
 		return &pk, nil
+	case KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521:
+		key := struct {
+			Curve   string
+			Pub     []byte
+			D       *big.Int
+			Comment string
+			Pad     []byte `ssh:"rest"`
+		}{}
+
+		if err := Unmarshal(pk1.Rest, &key); err != nil {
+			return nil, err
+		}
+
+		if err := checkOpenSSHKeyPadding(key.Pad); err != nil {
+			return nil, err
+		}
+
+		var curve elliptic.Curve
+		switch key.Curve {
+		case "nistp256":
+			curve = elliptic.P256()
+		case "nistp384":
+			curve = elliptic.P384()
+		case "nistp521":
+			curve = elliptic.P521()
+		default:
+			return nil, errors.New("ssh: unhandled elliptic curve: " + key.Curve)
+		}
+
+		X, Y := elliptic.Unmarshal(curve, key.Pub)
+		if X == nil || Y == nil {
+			return nil, errors.New("ssh: failed to unmarshal public key")
+		}
+
+		if key.D.Cmp(curve.Params().N) >= 0 {
+			return nil, errors.New("ssh: scalar is out of range")
+		}
+
+		x, y := curve.ScalarBaseMult(key.D.Bytes())
+		if x.Cmp(X) != 0 || y.Cmp(Y) != 0 {
+			return nil, errors.New("ssh: public key does not match private key")
+		}
+
+		return &ecdsa.PrivateKey{
+			PublicKey: ecdsa.PublicKey{
+				Curve: curve,
+				X:     X,
+				Y:     Y,
+			},
+			D: key.D,
+		}, nil
 	default:
 		return nil, errors.New("ssh: unhandled key type")
 	}
 }
 
+func checkOpenSSHKeyPadding(pad []byte) error {
+	for i, b := range pad {
+		if int(b) != i+1 {
+			return errors.New("ssh: padding not as expected")
+		}
+	}
+	return nil
+}
+
 // FingerprintLegacyMD5 returns the user presentation of the key's
 // fingerprint as described by RFC 4716 section 4.
 func FingerprintLegacyMD5(pubKey PublicKey) string {

vendor/golang.org/x/crypto/ssh/terminal/terminal.go

@@ -7,6 +7,7 @@ package terminal
 import (
 	"bytes"
 	"io"
+	"runtime"
 	"strconv"
 	"sync"
 	"unicode/utf8"
@@ -112,6 +113,7 @@ func NewTerminal(c io.ReadWriter, prompt string) *Terminal {
 }
 
 const (
+	keyCtrlC     = 3
 	keyCtrlD     = 4
 	keyCtrlU     = 21
 	keyEnter     = '\r'
@@ -150,8 +152,12 @@ func bytesToKey(b []byte, pasteActive bool) (rune, []byte) {
 		switch b[0] {
 		case 1: // ^A
 			return keyHome, b[1:]
+		case 2: // ^B
+			return keyLeft, b[1:]
 		case 5: // ^E
 			return keyEnd, b[1:]
+		case 6: // ^F
+			return keyRight, b[1:]
 		case 8: // ^H
 			return keyBackspace, b[1:]
 		case 11: // ^K
@@ -737,6 +743,9 @@ func (t *Terminal) readLine() (line string, err error) {
 						return "", io.EOF
 					}
 				}
+				if key == keyCtrlC {
+					return "", io.EOF
+				}
 				if key == keyPasteStart {
 					t.pasteActive = true
 					if len(t.line) == 0 {
@@ -939,6 +948,8 @@ func (s *stRingBuffer) NthPreviousEntry(n int) (value string, ok bool) {
 // readPasswordLine reads from reader until it finds \n or io.EOF.
 // The slice returned does not include the \n.
 // readPasswordLine also ignores any \r it finds.
+// Windows uses \r as end of line. So, on Windows, readPasswordLine
+// reads until it finds \r and ignores any \n it finds during processing.
 func readPasswordLine(reader io.Reader) ([]byte, error) {
 	var buf [1]byte
 	var ret []byte
@@ -952,9 +963,15 @@ func readPasswordLine(reader io.Reader) ([]byte, error) {
 					ret = ret[:len(ret)-1]
 				}
 			case '\n':
+				if runtime.GOOS != "windows" {
 					return ret, nil
+				}
+				// otherwise ignore \n
 			case '\r':
-				// remove \r from passwords on Windows
+				if runtime.GOOS == "windows" {
+					return ret, nil
+				}
+				// otherwise ignore \r
 			default:
 				ret = append(ret, buf[0])
 			}

vendor/modules.txt

@@ -309,15 +309,11 @@ github.com/hashicorp/errwrap
 github.com/hashicorp/go-checkpoint
 # github.com/hashicorp/go-cleanhttp v0.5.1
 github.com/hashicorp/go-cleanhttp
-# github.com/hashicorp/go-cty-funcs/cidr v0.0.0-20200203151509-c92509f48b18
+# github.com/hashicorp/go-cty-funcs v0.0.0-20200520133146-0d04eb807361
 github.com/hashicorp/go-cty-funcs/cidr
-# github.com/hashicorp/go-cty-funcs/crypto v0.0.0-20200124154056-476681ae9d62
 github.com/hashicorp/go-cty-funcs/crypto
-# github.com/hashicorp/go-cty-funcs/encoding v0.0.0-20200203151509-c92509f48b18
 github.com/hashicorp/go-cty-funcs/encoding
-# github.com/hashicorp/go-cty-funcs/filesystem v0.0.0-20200203151509-c92509f48b18
 github.com/hashicorp/go-cty-funcs/filesystem
-# github.com/hashicorp/go-cty-funcs/uuid v0.0.0-20200203151509-c92509f48b18
 github.com/hashicorp/go-cty-funcs/uuid
 # github.com/hashicorp/go-getter v1.4.1
 github.com/hashicorp/go-getter/helper/url
@@ -646,7 +642,7 @@ github.com/yandex-cloud/go-sdk/pkg/retry
 github.com/yandex-cloud/go-sdk/pkg/sdkerrors
 github.com/yandex-cloud/go-sdk/pkg/singleflight
 github.com/yandex-cloud/go-sdk/sdkresolvers
-# github.com/zclconf/go-cty v1.3.2-0.20200309235747-0b5d9cf50df7
+# github.com/zclconf/go-cty v1.4.0
 github.com/zclconf/go-cty/cty
 github.com/zclconf/go-cty/cty/convert
 github.com/zclconf/go-cty/cty/function
@@ -673,7 +669,7 @@ go.opencensus.io/trace
 go.opencensus.io/trace/internal
 go.opencensus.io/trace/propagation
 go.opencensus.io/trace/tracestate
-# golang.org/x/crypto v0.0.0-20200117160349-530e935923ad
+# golang.org/x/crypto v0.0.0-20200422194213-44a606286825
 golang.org/x/crypto/bcrypt
 golang.org/x/crypto/blowfish
 golang.org/x/crypto/chacha20
@@ -688,6 +684,7 @@ golang.org/x/crypto/pkcs12/internal/rc2
 golang.org/x/crypto/poly1305
 golang.org/x/crypto/ssh
 golang.org/x/crypto/ssh/agent
+golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
 golang.org/x/crypto/ssh/terminal
 # golang.org/x/exp v0.0.0-20191129062945-2f5052295587
 golang.org/x/exp/apidiff