Merge pull request #1842 from thaJeztah/18.09_bump_buildkit_18.09

[18.09 backport] bump buildkit 05766c5c21a1e528eeb1c3522b2f05493fe9ac47 (docker-18.09 branch)

circle.yml

@@ -16,9 +16,7 @@ jobs:
       - run:
           name: "Lint"
           command: |
-            dockerfile=dockerfiles/Dockerfile.lint
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-linter:$CIRCLE_BUILD_NUM .
+            docker build -f dockerfiles/Dockerfile.lint --tag cli-linter:$CIRCLE_BUILD_NUM .
             docker run --rm cli-linter:$CIRCLE_BUILD_NUM
 
   cross:
@@ -34,9 +32,7 @@ jobs:
       - run:
           name: "Cross"
           command: |
-            dockerfile=dockerfiles/Dockerfile.cross
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-builder:$CIRCLE_BUILD_NUM .
+            docker build -f dockerfiles/Dockerfile.cross --tag cli-builder:$CIRCLE_BUILD_NUM .
             name=cross-$CIRCLE_BUILD_NUM-$CIRCLE_NODE_INDEX
             docker run \
                 -e CROSS_GROUP=$CIRCLE_NODE_INDEX \
@@ -60,9 +56,7 @@ jobs:
       - run:
           name: "Unit Test with Coverage"
           command: |
-            dockerfile=dockerfiles/Dockerfile.dev
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-builder:$CIRCLE_BUILD_NUM .
+            docker build -f dockerfiles/Dockerfile.dev --tag cli-builder:$CIRCLE_BUILD_NUM .
             docker run --name \
                 test-$CIRCLE_BUILD_NUM cli-builder:$CIRCLE_BUILD_NUM \
                 make test-coverage
@@ -89,10 +83,8 @@ jobs:
       - run:
           name: "Validate Vendor, Docs, and Code Generation"
           command: |
-            dockerfile=dockerfiles/Dockerfile.dev
-            echo "COPY . ." >> $dockerfile
             rm -f .dockerignore # include .git
-            docker build -f $dockerfile --tag cli-builder-with-git:$CIRCLE_BUILD_NUM .
+            docker build -f dockerfiles/Dockerfile.dev --tag cli-builder-with-git:$CIRCLE_BUILD_NUM .
             docker run --rm cli-builder-with-git:$CIRCLE_BUILD_NUM \
                 make ci-validate
   shellcheck:
@@ -107,9 +99,7 @@ jobs:
       - run:
           name: "Run shellcheck"
           command: |
-            dockerfile=dockerfiles/Dockerfile.shellcheck
-            echo "COPY . ." >> $dockerfile
-            docker build -f $dockerfile --tag cli-validator:$CIRCLE_BUILD_NUM .
+            docker build -f dockerfiles/Dockerfile.shellcheck --tag cli-validator:$CIRCLE_BUILD_NUM .
             docker run --rm cli-validator:$CIRCLE_BUILD_NUM \
                 make shellcheck
 workflows:

cli/command/config/create.go

@@ -40,7 +40,7 @@ func newConfigCreateCommand(dockerCli command.Cli) *cobra.Command {
 	flags := cmd.Flags()
 	flags.VarP(&createOpts.labels, "label", "l", "Config labels")
 	flags.StringVar(&createOpts.templateDriver, "template-driver", "", "Template driver")
-	flags.SetAnnotation("driver", "version", []string{"1.37"})
+	flags.SetAnnotation("template-driver", "version", []string{"1.37"})
 
 	return cmd
 }

cli/command/container/client_test.go

@@ -12,19 +12,24 @@ import (
 
 type fakeClient struct {
 	client.Client
-	inspectFunc           func(string) (types.ContainerJSON, error)
-	execInspectFunc       func(execID string) (types.ContainerExecInspect, error)
-	execCreateFunc        func(container string, config types.ExecConfig) (types.IDResponse, error)
-	createContainerFunc   func(config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, containerName string) (container.ContainerCreateCreatedBody, error)
-	containerStartFunc    func(container string, options types.ContainerStartOptions) error
-	imageCreateFunc       func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
-	infoFunc              func() (types.Info, error)
-	containerStatPathFunc func(container, path string) (types.ContainerPathStat, error)
-	containerCopyFromFunc func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
-	logFunc               func(string, types.ContainerLogsOptions) (io.ReadCloser, error)
-	waitFunc              func(string) (<-chan container.ContainerWaitOKBody, <-chan error)
-	containerListFunc     func(types.ContainerListOptions) ([]types.Container, error)
-	Version               string
+	inspectFunc         func(string) (types.ContainerJSON, error)
+	execInspectFunc     func(execID string) (types.ContainerExecInspect, error)
+	execCreateFunc      func(container string, config types.ExecConfig) (types.IDResponse, error)
+	createContainerFunc func(config *container.Config,
+		hostConfig *container.HostConfig,
+		networkingConfig *network.NetworkingConfig,
+		containerName string) (container.ContainerCreateCreatedBody, error)
+	containerStartFunc      func(container string, options types.ContainerStartOptions) error
+	imageCreateFunc         func(parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
+	infoFunc                func() (types.Info, error)
+	containerStatPathFunc   func(container, path string) (types.ContainerPathStat, error)
+	containerCopyFromFunc   func(container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
+	logFunc                 func(string, types.ContainerLogsOptions) (io.ReadCloser, error)
+	waitFunc                func(string) (<-chan container.ContainerWaitOKBody, <-chan error)
+	containerListFunc       func(types.ContainerListOptions) ([]types.Container, error)
+	containerExportFunc     func(string) (io.ReadCloser, error)
+	containerExecResizeFunc func(id string, options types.ResizeOptions) error
+	Version                 string
 }
 
 func (f *fakeClient) ContainerList(_ context.Context, options types.ContainerListOptions) ([]types.Container, error) {
@@ -124,3 +129,17 @@ func (f *fakeClient) ContainerStart(_ context.Context, container string, options
 	}
 	return nil
 }
+
+func (f *fakeClient) ContainerExport(_ context.Context, container string) (io.ReadCloser, error) {
+	if f.containerExportFunc != nil {
+		return f.containerExportFunc(container)
+	}
+	return nil, nil
+}
+
+func (f *fakeClient) ContainerExecResize(_ context.Context, id string, options types.ResizeOptions) error {
+	if f.containerExecResizeFunc != nil {
+		return f.containerExecResizeFunc(id, options)
+	}
+	return nil
+}

cli/command/container/export_test.go

@@ -0,0 +1,33 @@
+package container
+
+import (
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+
+	"github.com/docker/cli/internal/test"
+	"gotest.tools/assert"
+	"gotest.tools/fs"
+)
+
+func TestContainerExportOutputToFile(t *testing.T) {
+	dir := fs.NewDir(t, "export-test")
+	defer dir.Remove()
+
+	cli := test.NewFakeCli(&fakeClient{
+		containerExportFunc: func(container string) (io.ReadCloser, error) {
+			return ioutil.NopCloser(strings.NewReader("bar")), nil
+		},
+	})
+	cmd := NewExportCommand(cli)
+	cmd.SetOutput(ioutil.Discard)
+	cmd.SetArgs([]string{"-o", dir.Join("foo"), "container"})
+	assert.NilError(t, cmd.Execute())
+
+	expected := fs.Expected(t,
+		fs.WithFile("foo", "bar", fs.MatchAnyFileMode),
+	)
+
+	assert.Assert(t, fs.Equal(dir.Path(), expected))
+}

cli/command/container/tty.go

@@ -16,9 +16,9 @@ import (
 )
 
 // resizeTtyTo resizes tty to specific height and width
-func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id string, height, width uint, isExec bool) {
+func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id string, height, width uint, isExec bool) error {
 	if height == 0 && width == 0 {
-		return
+		return nil
 	}
 
 	options := types.ResizeOptions{
@@ -34,19 +34,42 @@ func resizeTtyTo(ctx context.Context, client client.ContainerAPIClient, id strin
 	}
 
 	if err != nil {
-		logrus.Debugf("Error resize: %s", err)
+		logrus.Debugf("Error resize: %s\r", err)
+	}
+	return err
+}
+
+// resizeTty is to resize the tty with cli out's tty size
+func resizeTty(ctx context.Context, cli command.Cli, id string, isExec bool) error {
+	height, width := cli.Out().GetTtySize()
+	return resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
+}
+
+// initTtySize is to init the tty's size to the same as the window, if there is an error, it will retry 5 times.
+func initTtySize(ctx context.Context, cli command.Cli, id string, isExec bool, resizeTtyFunc func(ctx context.Context, cli command.Cli, id string, isExec bool) error) {
+	rttyFunc := resizeTtyFunc
+	if rttyFunc == nil {
+		rttyFunc = resizeTty
+	}
+	if err := rttyFunc(ctx, cli, id, isExec); err != nil {
+		go func() {
+			var err error
+			for retry := 0; retry < 5; retry++ {
+				time.Sleep(10 * time.Millisecond)
+				if err = rttyFunc(ctx, cli, id, isExec); err == nil {
+					break
+				}
+			}
+			if err != nil {
+				fmt.Fprintln(cli.Err(), "failed to resize tty, using default size")
+			}
+		}()
 	}
 }
 
 // MonitorTtySize updates the container tty size when the terminal tty changes size
 func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool) error {
-	resizeTty := func() {
-		height, width := cli.Out().GetTtySize()
-		resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
-	}
-
-	resizeTty()
-
+	initTtySize(ctx, cli, id, isExec, resizeTty)
 	if runtime.GOOS == "windows" {
 		go func() {
 			prevH, prevW := cli.Out().GetTtySize()
@@ -55,7 +78,7 @@ func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool
 				h, w := cli.Out().GetTtySize()
 
 				if prevW != w || prevH != h {
-					resizeTty()
+					resizeTty(ctx, cli, id, isExec)
 				}
 				prevH = h
 				prevW = w
@@ -66,7 +89,7 @@ func MonitorTtySize(ctx context.Context, cli command.Cli, id string, isExec bool
 		gosignal.Notify(sigchan, signal.SIGWINCH)
 		go func() {
 			for range sigchan {
-				resizeTty()
+				resizeTty(ctx, cli, id, isExec)
 			}
 		}()
 	}

cli/command/container/tty_test.go

@@ -0,0 +1,30 @@
+package container
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
+	"github.com/pkg/errors"
+	"gotest.tools/assert"
+	is "gotest.tools/assert/cmp"
+)
+
+func TestInitTtySizeErrors(t *testing.T) {
+	expectedError := "failed to resize tty, using default size\n"
+	fakeContainerExecResizeFunc := func(id string, options types.ResizeOptions) error {
+		return errors.Errorf("Error response from daemon: no such exec")
+	}
+	fakeResizeTtyFunc := func(ctx context.Context, cli command.Cli, id string, isExec bool) error {
+		height, width := uint(1024), uint(768)
+		return resizeTtyTo(ctx, cli.Client(), id, height, width, isExec)
+	}
+	ctx := context.Background()
+	cli := test.NewFakeCli(&fakeClient{containerExecResizeFunc: fakeContainerExecResizeFunc})
+	initTtySize(ctx, cli, "8mm8nn8tt8bb", true, fakeResizeTtyFunc)
+	time.Sleep(100 * time.Millisecond)
+	assert.Check(t, is.Equal(expectedError, cli.ErrBuffer().String()))
+}

cli/command/secret/create.go

@@ -45,7 +45,7 @@ func newSecretCreateCommand(dockerCli command.Cli) *cobra.Command {
 	flags.StringVarP(&options.driver, "driver", "d", "", "Secret driver")
 	flags.SetAnnotation("driver", "version", []string{"1.31"})
 	flags.StringVar(&options.templateDriver, "template-driver", "", "Template driver")
-	flags.SetAnnotation("driver", "version", []string{"1.37"})
+	flags.SetAnnotation("template-driver", "version", []string{"1.37"})
 
 	return cmd
 }

cli/command/stack/kubernetes/watcher.go

@@ -10,6 +10,7 @@ import (
 	"github.com/pkg/errors"
 	apiv1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/runtime"
 	runtimeutil "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/watch"
@@ -240,12 +241,12 @@ func newStackInformer(stacksClient stackListWatch, stackName string) cache.Share
 	return cache.NewSharedInformer(
 		&cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
-				options.LabelSelector = labels.SelectorForStack(stackName)
+				options.FieldSelector = fields.OneTermEqualSelector("metadata.name", stackName).String()
 				return stacksClient.List(options)
 			},
 
 			WatchFunc: func(options metav1.ListOptions) (watch.Interface, error) {
-				options.LabelSelector = labels.SelectorForStack(stackName)
+				options.FieldSelector = fields.OneTermEqualSelector("metadata.name", stackName).String()
 				return stacksClient.Watch(options)
 			},
 		},

cli/command/system/dial_stdio.go

@@ -34,12 +34,20 @@ func runDialStdio(dockerCli command.Cli) error {
 	if err != nil {
 		return errors.Wrap(err, "failed to open the raw stream connection")
 	}
-	connHalfCloser, ok := conn.(halfCloser)
-	if !ok {
+	defer conn.Close()
+
+	var connHalfCloser halfCloser
+	switch t := conn.(type) {
+	case halfCloser:
+		connHalfCloser = t
+	case halfReadWriteCloser:
+		connHalfCloser = &nopCloseReader{t}
+	default:
 		return errors.New("the raw stream connection does not implement halfCloser")
 	}
-	stdin2conn := make(chan error)
-	conn2stdout := make(chan error)
+
+	stdin2conn := make(chan error, 1)
+	conn2stdout := make(chan error, 1)
 	go func() {
 		stdin2conn <- copier(connHalfCloser, &halfReadCloserWrapper{os.Stdin}, "stdin to stream")
 	}()
@@ -90,6 +98,19 @@ type halfCloser interface {
 	halfWriteCloser
 }
 
+type halfReadWriteCloser interface {
+	io.Reader
+	halfWriteCloser
+}
+
+type nopCloseReader struct {
+	halfReadWriteCloser
+}
+
+func (x *nopCloseReader) CloseRead() error {
+	return nil
+}
+
 type halfReadCloserWrapper struct {
 	io.ReadCloser
 }

cli/config/config_test.go

@@ -150,9 +150,8 @@ func TestOldValidAuth(t *testing.T) {
 
 	// defaultIndexserver is https://index.docker.io/v1/
 	ac := config.AuthConfigs["https://index.docker.io/v1/"]
-	if ac.Username != "joejoe" || ac.Password != "hello" {
-		t.Fatalf("Missing data from parsing:\n%q", config)
-	}
+	assert.Equal(t, ac.Username, "joejoe")
+	assert.Equal(t, ac.Password, "hello")
 
 	// Now save it and make sure it shows up in new form
 	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
@@ -213,9 +212,8 @@ func TestOldJSON(t *testing.T) {
 	assert.NilError(t, err)
 
 	ac := config.AuthConfigs["https://index.docker.io/v1/"]
-	if ac.Username != "joejoe" || ac.Password != "hello" {
-		t.Fatalf("Missing data from parsing:\n%q", config)
-	}
+	assert.Equal(t, ac.Username, "joejoe")
+	assert.Equal(t, ac.Password, "hello")
 
 	// Now save it and make sure it shows up in new form
 	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
@@ -249,9 +247,8 @@ func TestNewJSON(t *testing.T) {
 	assert.NilError(t, err)
 
 	ac := config.AuthConfigs["https://index.docker.io/v1/"]
-	if ac.Username != "joejoe" || ac.Password != "hello" {
-		t.Fatalf("Missing data from parsing:\n%q", config)
-	}
+	assert.Equal(t, ac.Username, "joejoe")
+	assert.Equal(t, ac.Password, "hello")
 
 	// Now save it and make sure it shows up in new form
 	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
@@ -284,9 +281,8 @@ func TestNewJSONNoEmail(t *testing.T) {
 	assert.NilError(t, err)
 
 	ac := config.AuthConfigs["https://index.docker.io/v1/"]
-	if ac.Username != "joejoe" || ac.Password != "hello" {
-		t.Fatalf("Missing data from parsing:\n%q", config)
-	}
+	assert.Equal(t, ac.Username, "joejoe")
+	assert.Equal(t, ac.Password, "hello")
 
 	// Now save it and make sure it shows up in new form
 	configStr := saveConfigAndValidateNewFormat(t, config, tmpHome)
@@ -431,10 +427,8 @@ func TestJSONReaderNoFile(t *testing.T) {
 	assert.NilError(t, err)
 
 	ac := config.AuthConfigs["https://index.docker.io/v1/"]
-	if ac.Username != "joejoe" || ac.Password != "hello" {
-		t.Fatalf("Missing data from parsing:\n%q", config)
-	}
-
+	assert.Equal(t, ac.Username, "joejoe")
+	assert.Equal(t, ac.Password, "hello")
 }
 
 func TestOldJSONReaderNoFile(t *testing.T) {
@@ -444,9 +438,8 @@ func TestOldJSONReaderNoFile(t *testing.T) {
 	assert.NilError(t, err)
 
 	ac := config.AuthConfigs["https://index.docker.io/v1/"]
-	if ac.Username != "joejoe" || ac.Password != "hello" {
-		t.Fatalf("Missing data from parsing:\n%q", config)
-	}
+	assert.Equal(t, ac.Username, "joejoe")
+	assert.Equal(t, ac.Password, "hello")
 }
 
 func TestJSONWithPsFormatNoFile(t *testing.T) {

contrib/completion/bash/docker

@@ -1,12 +1,14 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2016,SC2119,SC2155
+# shellcheck disable=SC2016,SC2119,SC2155,SC2206,SC2207
 #
 # Shellcheck ignore list:
 #  - SC2016: Expressions don't expand in single quotes, use double quotes for that.
 #  - SC2119: Use foo "$@" if function's $1 should mean script's $1.
 #  - SC2155: Declare and assign separately to avoid masking return values.
-# 
-# You can find more details for each warning at the following page: 
+#  - SC2206: Quote to prevent word splitting, or split robustly with mapfile or read -a.
+#  - SC2207: Prefer mapfile or read -a to split command output (or quote to avoid splitting).
+#
+# You can find more details for each warning at the following page:
 #    https://github.com/koalaman/shellcheck/wiki/<SCXXXX>
 #
 # bash completion file for core docker commands

docker.Makefile

@@ -17,24 +17,29 @@ ENVVARS = -e VERSION=$(VERSION) -e GITCOMMIT -e PLATFORM
 # build docker image (dockerfiles/Dockerfile.build)
 .PHONY: build_docker_image
 build_docker_image:
-	docker build ${DOCKER_BUILD_ARGS} -t $(DEV_DOCKER_IMAGE_NAME) -f ./dockerfiles/Dockerfile.dev .
+	# build dockerfile from stdin so that we don't send the build-context; source is bind-mounted in the development environment
+	cat ./dockerfiles/Dockerfile.dev | docker build ${DOCKER_BUILD_ARGS} -t $(DEV_DOCKER_IMAGE_NAME) -
 
 # build docker image having the linting tools (dockerfiles/Dockerfile.lint)
 .PHONY: build_linter_image
 build_linter_image:
-	docker build ${DOCKER_BUILD_ARGS} -t $(LINTER_IMAGE_NAME) -f ./dockerfiles/Dockerfile.lint .
+	# build dockerfile from stdin so that we don't send the build-context; source is bind-mounted in the development environment
+	cat ./dockerfiles/Dockerfile.lint | docker build ${DOCKER_BUILD_ARGS} -t $(LINTER_IMAGE_NAME) -
 
 .PHONY: build_cross_image
 build_cross_image:
-	docker build ${DOCKER_BUILD_ARGS} -t $(CROSS_IMAGE_NAME) -f ./dockerfiles/Dockerfile.cross .
+	# build dockerfile from stdin so that we don't send the build-context; source is bind-mounted in the development environment
+	cat ./dockerfiles/Dockerfile.cross | docker build ${DOCKER_BUILD_ARGS} -t $(CROSS_IMAGE_NAME) -
 
 .PHONY: build_shell_validate_image
 build_shell_validate_image:
-	docker build -t $(VALIDATE_IMAGE_NAME) -f ./dockerfiles/Dockerfile.shellcheck .
+	# build dockerfile from stdin so that we don't send the build-context; source is bind-mounted in the development environment
+	cat ./dockerfiles/Dockerfile.shellcheck | docker build -t $(VALIDATE_IMAGE_NAME) -
 
 .PHONY: build_binary_native_image
 build_binary_native_image:
-	docker build -t $(BINARY_NATIVE_IMAGE_NAME) -f ./dockerfiles/Dockerfile.binary-native .
+	# build dockerfile from stdin so that we don't send the build-context; source is bind-mounted in the development environment
+	cat ./dockerfiles/Dockerfile.binary-native | docker build -t $(BINARY_NATIVE_IMAGE_NAME) -
 
 .PHONY: build_e2e_image
 build_e2e_image:

dockerfiles/Dockerfile.cross

@@ -1,3 +1,4 @@
 FROM    dockercore/golang-cross:1.10.8@sha256:a93210f55a8137b4aa4b9f033ac7a80b66ab6337e98e7afb62abe93b4ad73cad
 ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1
 WORKDIR /go/src/github.com/docker/cli
+COPY    . .

dockerfiles/Dockerfile.dev

@@ -22,3 +22,4 @@ ENV     CGO_ENABLED=0 \
         DISABLE_WARN_OUTSIDE_CONTAINER=1
 WORKDIR /go/src/github.com/docker/cli
 CMD     sh
+COPY    . .

dockerfiles/Dockerfile.lint

@@ -15,3 +15,4 @@ ENV     CGO_ENABLED=0
 ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1
 ENTRYPOINT ["/usr/local/bin/gometalinter"]
 CMD     ["--config=gometalinter.json", "./..."]
+COPY    . .

dockerfiles/Dockerfile.shellcheck

@@ -1,9 +1,5 @@
-FROM    debian:stretch-slim
-
-RUN     apt-get update && \
-        apt-get -y install make shellcheck && \
-        apt-get clean
-
+FROM    koalaman/shellcheck-alpine:v0.6.0
+RUN     apk add --no-cache bash make
 WORKDIR /go/src/github.com/docker/cli
 ENV     DISABLE_WARN_OUTSIDE_CONTAINER=1
-CMD     bash
+COPY    . .

docs/reference/commandline/attach.md

@@ -44,8 +44,8 @@ from different sessions on the Docker host.
 
 To stop a container, use `CTRL-c`. This key sequence sends `SIGKILL` to the
 container. If `--sig-proxy` is true (the default),`CTRL-c` sends a `SIGINT` to
-the container. You can detach from a container and leave it running using the
- `CTRL-p CTRL-q` key sequence.
+the container. If the container was run with `-i` and `-t`, you can detach from
+a container and leave it running using the `CTRL-p CTRL-q` key sequence.
 
 > **Note:**
 > A process running as PID 1 inside a container is treated specially by

docs/reference/commandline/build.md

@@ -504,13 +504,13 @@ stable.
 
 
 Squashing layers can be beneficial if your Dockerfile produces multiple layers
-modifying the same files, for example, file that are created in one step, and
+modifying the same files, for example, files that are created in one step, and
 removed in another step. For other use-cases, squashing images may actually have
 a negative impact on performance; when pulling an image consisting of multiple
 layers, layers can be pulled in parallel, and allows sharing layers between
 images (saving space).
 
-For most use cases, multi-stage are a better alternative, as they give more
+For most use cases, multi-stage builds are a better alternative, as they give more
 fine-grained control over your build, and can take advantage of future
 optimizations in the builder. Refer to the [use multi-stage builds](https://docs.docker.com/develop/develop-images/multistage-build/)
 section in the userguide for more information.
@@ -531,7 +531,7 @@ The `--squash` option has a number of known limitations:
   downloading a single layer cannot be parallelized.
 - When attempting to squash an image that does not make changes to the
   filesystem (for example, the Dockerfile only contains `ENV` instructions),
-  the squash step will fail (see [issue #33823](https://github.com/moby/moby/issues/33823)
+  the squash step will fail (see [issue #33823](https://github.com/moby/moby/issues/33823)).
 
 #### Prerequisites
 

docs/reference/commandline/dockerd.md

@@ -303,7 +303,7 @@ the same file can share a single page cache entry (or entries), it makes
 > **Note**: As promising as `overlay` is, the feature is still quite young and
 > should not be used in production. Most notably, using `overlay` can cause
 > excessive inode consumption (especially as the number of images grows), as
-> well as > being incompatible with the use of RPMs.
+> well as being incompatible with the use of RPMs.
 
 The `overlay2` uses the same fast union filesystem but takes advantage of
 [additional features](https://lkml.org/lkml/2015/2/11/106) added in Linux
@@ -1231,10 +1231,14 @@ The `--metrics-addr` option takes a tcp address to serve the metrics API.
 This feature is still experimental, therefore, the daemon must be running in experimental
 mode for this feature to work.
 
-To serve the metrics API on localhost:1337 you would specify `--metrics-addr 127.0.0.1:1337`
-allowing you to make requests on the API at `127.0.0.1:1337/metrics` to receive metrics in the
+To serve the metrics API on `localhost:9323` you would specify `--metrics-addr 127.0.0.1:9323`,
+allowing you to make requests on the API at `127.0.0.1:9323/metrics` to receive metrics in the
 [prometheus](https://prometheus.io/docs/instrumenting/exposition_formats/) format.
 
+Port `9323` is the [default port associated with Docker
+metrics](https://github.com/prometheus/prometheus/wiki/Default-port-allocations)
+to avoid collisions with other prometheus exporters and services.
+
 If you are running a prometheus server you can add this address to your scrape configs
 to have prometheus collect metrics on Docker.  For more information
 on prometheus you can view the website [here](https://prometheus.io/).
@@ -1243,7 +1247,7 @@ on prometheus you can view the website [here](https://prometheus.io/).
 scrape_configs:
   - job_name: 'docker'
     static_configs:
-      - targets: ['127.0.0.1:1337']
+      - targets: ['127.0.0.1:9323']
 ```
 
 Please note that this feature is still marked as experimental as metrics and metric
@@ -1308,7 +1312,7 @@ This is a full example of the allowed configuration options on Linux:
 	"log-driver": "json-file",
 	"log-opts": {
 		"max-size": "10m",
-		"max-files":"5",
+		"max-file":"5",
 		"labels": "somelabel",
 		"env": "os,customer"
 	},

docs/reference/commandline/manifest.md

@@ -177,7 +177,7 @@ This is similar to tagging an image and pushing it to a foreign registry.
 
 After you have created your local copy of the manifest list, you may optionally
 `annotate` it. Annotations allowed are the architecture and operating system (overriding the image's current values),
-os features, and an archictecure variant. 
+os features, and an architecture variant. 
 
 Finally, you need to `push` your manifest list to the desired registry. Below are descriptions of these three commands,
 and an example putting them all together.
@@ -270,5 +270,5 @@ $ docker manifest create --insecure myprivateregistry.mycompany.com/repo/image:1
 $ docker manifest push --insecure myprivateregistry.mycompany.com/repo/image:tag
 ```
 
-Note that the `--insecure` flag is not required to annotate a manifest list, since annotations are to a locally-stored copy of a manifest list. You may also skip the `--insecure` flag if you are performaing a `docker manifest inspect` on a locally-stored manifest list. Be sure to keep in mind that locally-stored manifest lists are never used by the engine on a `docker pull`.
+Note that the `--insecure` flag is not required to annotate a manifest list, since annotations are to a locally-stored copy of a manifest list. You may also skip the `--insecure` flag if you are performing a `docker manifest inspect` on a locally-stored manifest list. Be sure to keep in mind that locally-stored manifest lists are never used by the engine on a `docker pull`.
 

docs/reference/commandline/node_ps.md

@@ -116,6 +116,7 @@ Valid placeholders for the Go template are listed below:
 
 Placeholder     | Description
 ----------------|------------------------------------------------------------------------------------------
+`.ID`           | Task ID
 `.Name`         | Task name
 `.Image`        | Task image
 `.Node`         | Node ID

docs/reference/commandline/rmi.md

@@ -26,6 +26,17 @@ Options:
       --no-prune   Do not delete untagged parents
 ```
 
+## Description
+
+Removes (and un-tags) one or more images from the host node. If an image has
+multiple tags, using this command with the tag as a parameter only removes the
+tag. If the tag is the only one for the image, both the image and the tag are
+removed.
+
+This does not remove images from a registry. You cannot remove an image of a
+running container unless you use the `-f` option. To see all images on a host
+use the [`docker image ls`](images.md) command.
+
 ## Examples
 
 You can remove an image using its short or long ID, its tag, or its digest. If

docs/reference/commandline/run.md

@@ -717,15 +717,15 @@ $ docker run -d --isolation default busybox top
 On Windows, `--isolation` can take one of these values:
 
 
-| Value     | Description                                                                                |
-|:----------|:-------------------------------------------------------------------------------------------|
-| `default` | Use the value specified by the Docker daemon's `--exec-opt` or system default (see below). |
-| `process` | Shared-kernel namespace isolation (not supported on Windows client operating systems).     |
-| `hyperv`  | Hyper-V hypervisor partition-based isolation.                                              |
+| Value     | Description                                                                                                       |
+|:----------|:------------------------------------------------------------------------------------------------------------------|
+| `default` | Use the value specified by the Docker daemon's `--exec-opt` or system default (see below).                        |
+| `process` | Shared-kernel namespace isolation (not supported on Windows client operating systems older than Windows 10 1809). |
+| `hyperv`  | Hyper-V hypervisor partition-based isolation.                                                                     |
 
-The default isolation on Windows server operating systems is `process`. The default (and only supported)
+The default isolation on Windows server operating systems is `process`. The default
 isolation on Windows client operating systems is `hyperv`. An attempt to start a container on a client
-operating system with `--isolation process` will fail.
+operating system older than Windows 10 1809 with `--isolation process` will fail.
 
 On Windows server, assuming the default configuration, these commands are equivalent
 and result in `process` isolation:

docs/reference/commandline/service_create.md

@@ -219,7 +219,7 @@ tutorial](https://docs.docker.com/engine/swarm/swarm-tutorial/rolling-update/).
 
 ### Set environment variables (-e, --env)
 
-This sets an environmental variable for all tasks in a service. For example:
+This sets an environment variable for all tasks in a service. For example:
 
 ```bash
 $ docker service create \

docs/reference/commandline/stats.md

@@ -171,5 +171,5 @@ On Windows:
     "table {{.ID}}\t{{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}\t{{.BlockIO}}"
 
 
-> **Note**: On Docker 17.09 and older, the `{{.Container}}` column was used, in
-> stead of `{{.ID}}\t{{.Name}}`.
+> **Note**: On Docker 17.09 and older, the `{{.Container}}` column was used,
+> instead of `{{.ID}}\t{{.Name}}`.

e2e/plugin/trust_test.go

@@ -106,7 +106,7 @@ func ensureBasicPluginBin() (string, error) {
 	}
 	installPath := filepath.Join(os.Getenv("GOPATH"), "bin", name)
 	cmd := exec.Command(goBin, "build", "-o", installPath, "./basic")
-	cmd.Env = append(cmd.Env, "CGO_ENABLED=0")
+	cmd.Env = append(os.Environ(), "CGO_ENABLED=0")
 	if out, err := cmd.CombinedOutput(); err != nil {
 		return "", errors.Wrapf(err, "error building basic plugin bin: %s", string(out))
 	}

e2e/testdata/Dockerfile.connhelper-ssh

@@ -1,10 +1,8 @@
 FROM docker:test-dind
 RUN apk --no-cache add shadow openssh-server && \
   groupadd -f docker && \
-  useradd -m penguin && \
+  useradd --create-home --shell /bin/sh --password $(head -c32 /dev/urandom | base64) penguin && \
   usermod -aG docker penguin && \
-  usermod -p $(head -c32 /dev/urandom | base64) penguin && \
-  chsh -s /bin/sh penguin && \
   ssh-keygen -A
 # workaround: ssh session excludes /usr/local/bin from $PATH
 RUN  ln -s /usr/local/bin/docker /usr/bin/docker

man/src/container/exec.md

@@ -23,3 +23,29 @@ the same capabilities as the container, which may be limited. Set
    --user [user | user:group | uid | uid:gid | user:gid | uid:group ]
 
    Without this argument the command will be run as root in the container.
+
+# Exit Status
+
+The exit code from `docker exec` gives information about why the container
+failed to exec or why it exited.  When `docker exec` exits with a non-zero code,
+the exit codes follow the `chroot` standard, see below:
+
+**_126_** if the **_contained command_** cannot be invoked
+
+    $ docker exec busybox /etc; echo $?
+    # exec: "/etc": permission denied
+      docker: Error response from daemon: Contained command could not be invoked
+      126
+
+**_127_** if the **_contained command_** cannot be found
+
+    $ docker exec busybox foo; echo $?
+    # exec: "foo": executable file not found in $PATH
+      docker: Error response from daemon: Contained command not found or does not exist
+      127
+
+**_Exit code_** of **_contained command_** otherwise 
+    
+    $ docker exec busybox /bin/sh -c 'exit 3' 
+    # 3
+

man/src/image/rm.md

@@ -1,6 +1,11 @@
-Removes one or more images from the host node. This does not remove images from
-a registry. You cannot remove an image of a running container unless you use the
-**-f** option. To see all images on a host use the **docker image ls** command.
+Removes (and un-tags) one or more images from the host node. If an image has
+multiple tags, using this command with the tag as a parameter only removes the
+tag. If the tag is the only one for the image, both the image and the tag are
+removed.
+
+This does not remove images from a registry. You cannot remove an image of a
+running container unless you use the **-f** option. To see all images on a host
+use the **docker image ls** command.
 
 # EXAMPLES
 

scripts/gen/windows-resources

@@ -7,7 +7,7 @@ set -eu -o pipefail
 
 SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 # shellcheck source=/go/src/github.com/docker/cli/scripts/build/.variables
-source $SCRIPTDIR/../build/.variables
+source "$SCRIPTDIR"/../build/.variables
 
 RESOURCES=$SCRIPTDIR/../winresources
 
@@ -26,9 +26,9 @@ VERSION_QUAD=$(echo -n "$VERSION" | sed -re 's/^([0-9.]*).*$/\1/' | tr . ,)
 
 # Pass version and commit information into the resource compiler
 defs=
-[ ! -z "$VERSION" ]      && defs+=( "-D DOCKER_VERSION=\"$VERSION\"")
-[ ! -z "$VERSION_QUAD" ] && defs+=( "-D DOCKER_VERSION_QUAD=$VERSION_QUAD")
-[ ! -z "$GITCOMMIT" ]    && defs+=( "-D DOCKER_COMMIT=\"$GITCOMMIT\"")
+[ -n "$VERSION" ]      && defs+=( "-D DOCKER_VERSION=\"$VERSION\"")
+[ -n "$VERSION_QUAD" ] && defs+=( "-D DOCKER_VERSION_QUAD=$VERSION_QUAD")
+[ -n "$GITCOMMIT" ]    && defs+=( "-D DOCKER_COMMIT=\"$GITCOMMIT\"")
 
 function makeres {
 	"$WINDRES" \

scripts/test/e2e/run

@@ -69,7 +69,8 @@ function runtests {
         TEST_SKIP_PLUGIN_TESTS="${SKIP_PLUGIN_TESTS-}" \
         GOPATH="$GOPATH" \
         PATH="$PWD/build/:/usr/bin" \
-        "$(which go)" test -v ./e2e/... ${TESTFLAGS-}
+        HOME="$HOME" \
+        "$(command -v go)" test -v ./e2e/... ${TESTFLAGS-}
 }
 
 export unique_id="${E2E_UNIQUE_ID:-cliendtoendsuite}"

scripts/warn-outside-container

@@ -1,9 +1,9 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 set -eu
 
 target="${1:-}"
 
-if [[ "$target" != "help" && -z "${DISABLE_WARN_OUTSIDE_CONTAINER:-}" ]]; then
+if [ "$target" != "help" ] && [ -z "${DISABLE_WARN_OUTSIDE_CONTAINER:-}" ]; then
     (
         echo
         echo

vendor.conf

@@ -12,7 +12,7 @@ github.com/cpuguy83/go-md2man v1.0.8
 github.com/davecgh/go-spew 346938d642f2ec3594ed81d874461961cd0faa76 # v1.1.0
 github.com/dgrijalva/jwt-go a2c85815a77d0f951e33ba4db5ae93629a1530af
 github.com/docker/distribution 83389a148052d74ac602f5f1d62f86ff2f3c4aa5
-github.com/docker/docker d2ecc7bad104139c118249ad159b45315a022754 https://github.com/docker/engine # 18.09 branch
+github.com/docker/docker 200b524eff60a9c95a22bc2518042ac2ff617d07 https://github.com/docker/engine # 18.09 branch
 github.com/docker/docker-credential-helpers 5241b46610f2491efdf9d1c85f1ddf5b02f6d962
 # the docker/go package contains a customized version of canonical/json
 # and is used by Notary. The package is periodically rebased on current Go versions.
@@ -49,9 +49,9 @@ github.com/mattn/go-shellwords v1.0.3
 github.com/matttproud/golang_protobuf_extensions v1.0.1
 github.com/Microsoft/hcsshim 44c060121b68e8bdc40b411beba551f3b4ee9e55
 github.com/Microsoft/go-winio v0.4.10
-github.com/miekg/pkcs11 287d9350987cc9334667882061e202e96cdfb4d0
+github.com/miekg/pkcs11 6120d95c0e9576ccf4a78ba40855809dca31a9ed
 github.com/mitchellh/mapstructure f15292f7a699fcc1a38a80977f80a046874ba8ac
-github.com/moby/buildkit 520201006c9dc676da9cf9655337ac711f7f127d
+github.com/moby/buildkit 05766c5c21a1e528eeb1c3522b2f05493fe9ac47
 github.com/modern-go/concurrent bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3
 github.com/modern-go/reflect2 4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd # 1.0.1
 github.com/morikuni/aec 39771216ff4c63d11f5e604076f9c45e8be1067b
@@ -76,7 +76,7 @@ github.com/spf13/cobra v0.0.3
 github.com/spf13/pflag 4cb166e4f25ac4e8016a3595bbf7ea2e9aa85a2c https://github.com/thaJeztah/pflag.git
 github.com/syndtr/gocapability 2c00daeb6c3b45114c80ac44119e7b8801fdd852
 github.com/theupdateframework/notary v0.6.1
-github.com/tonistiigi/fsutil f567071bed2416e4d87d260d3162722651182317
+github.com/tonistiigi/fsutil 2862f6bc5ac9b97124e552a5c108230b38a1b0ca
 github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
 github.com/xeipuuv/gojsonpointer 4e3ac2762d5f479393488629ee9370b50873b3a6
 github.com/xeipuuv/gojsonreference bd5ef7bd5415a7ac448318e64f11a24cd21e594b

vendor/github.com/docker/docker/builder/remotecontext/git/gitutils.go

@@ -102,6 +102,11 @@ func parseRemoteURL(remoteURL string) (gitRepo, error) {
 		u.Fragment = ""
 		repo.remote = u.String()
 	}
+
+	if strings.HasPrefix(repo.ref, "-") {
+		return gitRepo{}, errors.Errorf("invalid refspec: %s", repo.ref)
+	}
+
 	return repo, nil
 }
 
@@ -124,7 +129,7 @@ func fetchArgs(remoteURL string, ref string) []string {
 		args = append(args, "--depth", "1")
 	}
 
-	return append(args, "origin", ref)
+	return append(args, "origin", "--", ref)
 }
 
 // Check if a given git URL supports a shallow git clone,

vendor/github.com/docker/docker/client/request.go

@@ -195,10 +195,18 @@ func (cli *Client) checkResponseErr(serverResp serverResponse) error {
 		return nil
 	}
 
-	body, err := ioutil.ReadAll(serverResp.body)
+	bodyMax := 1 * 1024 * 1024 // 1 MiB
+	bodyR := &io.LimitedReader{
+		R: serverResp.body,
+		N: int64(bodyMax),
+	}
+	body, err := ioutil.ReadAll(bodyR)
 	if err != nil {
 		return err
 	}
+	if bodyR.N == 0 {
+		return fmt.Errorf("request returned %s with a message (> %d bytes) for API route and version %s, check if the server supports the requested API version", http.StatusText(serverResp.statusCode), bodyMax, serverResp.reqURL)
+	}
 	if len(body) == 0 {
 		return fmt.Errorf("request returned %s for API route and version %s, check if the server supports the requested API version", http.StatusText(serverResp.statusCode), serverResp.reqURL)
 	}

vendor/github.com/docker/docker/pkg/archive/copy.go

@@ -336,6 +336,14 @@ func RebaseArchiveEntries(srcContent io.Reader, oldBase, newBase string) io.Read
 				return
 			}
 
+			// srcContent tar stream, as served by TarWithOptions(), is
+			// definitely in PAX format, but tar.Next() mistakenly guesses it
+			// as USTAR, which creates a problem: if the newBase is >100
+			// characters long, WriteHeader() returns an error like
+			// "archive/tar: cannot encode header: Format specifies USTAR; and USTAR cannot encode Name=...".
+			//
+			// To fix, set the format to PAX here. See docker/for-linux issue #484.
+			hdr.Format = tar.FormatPAX
 			hdr.Name = strings.Replace(hdr.Name, oldBase, newBase, 1)
 			if hdr.Typeflag == tar.TypeLink {
 				hdr.Linkname = strings.Replace(hdr.Linkname, oldBase, newBase, 1)

vendor/github.com/docker/docker/pkg/mount/sharedsubtree_linux.go

@@ -48,18 +48,22 @@ func MakeRUnbindable(mountPoint string) error {
 	return ensureMountedAs(mountPoint, "runbindable")
 }
 
-func ensureMountedAs(mountPoint, options string) error {
-	mounted, err := Mounted(mountPoint)
+// MakeMount ensures that the file or directory given is a mount point,
+// bind mounting it to itself it case it is not.
+func MakeMount(mnt string) error {
+	mounted, err := Mounted(mnt)
 	if err != nil {
 		return err
 	}
-
-	if !mounted {
-		if err := Mount(mountPoint, mountPoint, "none", "bind,rw"); err != nil {
-			return err
-		}
+	if mounted {
+		return nil
 	}
-	if _, err = Mounted(mountPoint); err != nil {
+
+	return Mount(mnt, mnt, "none", "bind")
+}
+
+func ensureMountedAs(mountPoint, options string) error {
+	if err := MakeMount(mountPoint); err != nil {
 		return err
 	}
 

vendor/github.com/docker/docker/pkg/progress/progress.go

@@ -39,6 +39,10 @@ type Output interface {
 type chanOutput chan<- Progress
 
 func (out chanOutput) WriteProgress(p Progress) error {
+	// FIXME: workaround for panic in #37735
+	defer func() {
+		recover()
+	}()
 	out <- p
 	return nil
 }

vendor/github.com/docker/docker/registry/registry.go

@@ -145,7 +145,7 @@ func trustedLocation(req *http.Request) bool {
 // addRequiredHeadersToRedirectedRequests adds the necessary redirection headers
 // for redirected requests
 func addRequiredHeadersToRedirectedRequests(req *http.Request, via []*http.Request) error {
-	if via != nil && via[0] != nil {
+	if len(via) != 0 && via[0] != nil {
 		if trustedLocation(req) && trustedLocation(via[0]) {
 			req.Header = via[0].Header
 			return nil

vendor/github.com/docker/docker/vendor.conf

@@ -1,7 +1,7 @@
 # the following lines are in sorted order, FYI
 github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109
-github.com/Microsoft/hcsshim 44c060121b68e8bdc40b411beba551f3b4ee9e55
-github.com/Microsoft/go-winio v0.4.10
+github.com/Microsoft/hcsshim v0.7.12
+github.com/Microsoft/go-winio v0.4.11
 github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a
 github.com/go-check/check 4ed411733c5785b40214c70bce814c3a3a689609 https://github.com/cpuguy83/check.git
 github.com/golang/gddo 9b12a26f3fbd7397dee4e20939ddca719d840d2a
@@ -26,8 +26,8 @@ github.com/imdario/mergo v0.3.6
 golang.org/x/sync 1d60e4601c6fd243af51cc01ddf169918a5407ca
 
 # buildkit
-github.com/moby/buildkit 6812dac65e0440bb75affce1fb2175e640edc15d
-github.com/tonistiigi/fsutil b19464cd1b6a00773b4f2eb7acf9c30426f9df42
+github.com/moby/buildkit d9f75920678e35090025bb89344c5370e2efc8e7
+github.com/tonistiigi/fsutil 2862f6bc5ac9b97124e552a5c108230b38a1b0ca
 github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
 github.com/opentracing/opentracing-go 1361b9cd60be79c4c3a7fa9841b3c132e40066a7
 github.com/google/shlex 6f45313302b9c56850fc17f99e40caebce98c716
@@ -37,7 +37,7 @@ github.com/mitchellh/hashstructure 2bca23e0e452137f789efbc8610126fd8b94f73b
 #get libnetwork packages
 
 # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy accordingly
-github.com/docker/libnetwork a79d3687931697244b8e03485bf7b2042f8ec6b6
+github.com/docker/libnetwork 4725f2163fb214a6312f3beae5991f838ec36326 # bump_18.09 branch
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec
@@ -47,7 +47,7 @@ github.com/sean-/seed e2103e2c35297fb7e17febb81e49b312087a2372
 github.com/hashicorp/go-sockaddr 6d291a969b86c4b633730bfc6b8b9d64c3aafed9
 github.com/hashicorp/go-multierror fcdddc395df1ddf4247c69bd436e84cfa0733f7e
 github.com/hashicorp/serf 598c54895cc5a7b1a24a398d635e8c0ea0959870
-github.com/docker/libkv 1d8431073ae03cdaedb198a89722f3aab6d418ef
+github.com/docker/libkv 458977154600b9f23984d9f4b82e79570b5ae12b
 github.com/vishvananda/netns 604eaf189ee867d8c147fafc28def2394e878d25
 github.com/vishvananda/netlink b2de5d10e38ecce8607e6b438b6d174f389a004e
 
@@ -59,13 +59,13 @@ github.com/coreos/etcd v3.2.1
 github.com/coreos/go-semver v0.2.0
 github.com/ugorji/go f1f1a805ed361a0e078bb537e4ea78cd37dcf065
 github.com/hashicorp/consul v0.5.2
-github.com/boltdb/bolt fff57c100f4dea1905678da7e90d92429dff2904
 github.com/miekg/dns v1.0.7
 github.com/ishidawataru/sctp 07191f837fedd2f13d1ec7b5f885f0f3ec54b1cb
+go.etcd.io/bbolt v1.3.1-etcd.8
 
 # get graph and distribution packages
 github.com/docker/distribution 83389a148052d74ac602f5f1d62f86ff2f3c4aa5
-github.com/vbatts/tar-split v0.10.2
+github.com/vbatts/tar-split v0.11.0
 github.com/opencontainers/go-digest v1.0.0-rc1
 
 # get go-zfs packages
@@ -74,9 +74,13 @@ github.com/pborman/uuid v1.0
 
 google.golang.org/grpc v1.12.0
 
-# This does not need to match RUNC_COMMIT as it is used for helper packages but should be newer or equal
-github.com/opencontainers/runc 20aff4f0488c6d4b8df4d85b4f63f1f704c11abd
-github.com/opencontainers/runtime-spec d810dbc60d8c5aeeb3d054bd1132fab2121968ce # v1.0.1-43-gd810dbc
+# The version of runc should match the version that is used by the containerd
+# version that is used. If you need to update runc, open a pull request in
+# the containerd project first, and update both after that is merged.
+# This commit does not need to match RUNC_COMMIT as it is used for helper
+# packages but should be newer or equal.
+github.com/opencontainers/runc 96ec2177ae841256168fcf76954f7177af9446eb
+github.com/opencontainers/runtime-spec 5684b8af48c1ac3b1451fa499724e30e3c20a294 # v1.0.1-49-g5684b8a
 github.com/opencontainers/image-spec v1.0.1
 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
 
@@ -114,23 +118,24 @@ github.com/googleapis/gax-go v2.0.0
 google.golang.org/genproto 694d95ba50e67b2e363f3483057db5d4910c18f9
 
 # containerd
-github.com/containerd/containerd v1.2.0-beta.2
+github.com/containerd/containerd 9754871865f7fe2f4e74d43e2fc7ccd237edcbce # v1.2.2
 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
-github.com/containerd/continuity d3c23511c1bf5851696cba83143d9cbcd666869b
-github.com/containerd/cgroups 5e610833b72089b37d0e615de9a92dfc043757c2
+github.com/containerd/continuity 004b46473808b3e7a4a3049c20e4376c91eb966d
+github.com/containerd/cgroups dbea6f2bd41658b84b00417ceefa416b979cbf10
 github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23
-github.com/containerd/go-runc edcf3de1f4971445c42d61f20d506b30612aa031
+github.com/containerd/cri 0d5cabd006cb5319dc965046067b8432d9fa5ef8 # release/1.2 branch
+github.com/containerd/go-runc 5a6d9f37cfa36b15efba46dc7ea349fa9b7143c3
 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
-github.com/containerd/ttrpc 94dde388801693c54f88a6596f713b51a8b30b2d
+github.com/containerd/ttrpc 2a805f71863501300ae1976d29f0454ae003e85a
 github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef
 
 # cluster
-github.com/docker/swarmkit cfa742c8abe6f8e922f6e4e920153c408e7d9c3b
+github.com/docker/swarmkit c66ed60822d3fc3bf6e17a505ee79014f449ef05 # bump_v18.09 branch
 github.com/gogo/protobuf v1.0.0
 github.com/cloudflare/cfssl 1.3.2
 github.com/fernet/fernet-go 1b2437bc582b3cfbb341ee5a29f8ef5b42912ff2
 github.com/google/certificate-transparency-go v1.0.20
-golang.org/x/crypto a2144134853fc9a27a7b1e3eb4f19f1a76df13c9
+golang.org/x/crypto 0709b304e793a5edb4a2c0145f281ecdc20838a4
 golang.org/x/time fbb02b2291d28baffd63558aa44b4b56f178d650
 github.com/hashicorp/go-memdb cb9a474f84cc5e41b273b20c6927680b2a8776ad
 github.com/hashicorp/go-immutable-radix 826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git
@@ -143,8 +148,8 @@ github.com/prometheus/client_model fa8ad6fec33561be4280a8f0514318c79d7f6cb6
 github.com/prometheus/common ebdfc6da46522d58825777cf1f90490a5b1ef1d8
 github.com/prometheus/procfs abf152e5f3e97f2fafac028d2cc06c1feb87ffa5
 github.com/matttproud/golang_protobuf_extensions v1.0.0
-github.com/pkg/errors 839d9e913e063e28dfd0e6c7b7512793e0a48be9
-github.com/grpc-ecosystem/go-grpc-prometheus 6b7015e65d366bf3f19b2b2a000a831940f0f7e0
+github.com/pkg/errors 645ef00459ed84a119197bfb8d8205042c6df63d # v0.8.0
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
 
 # cli
 github.com/spf13/cobra v0.0.3
@@ -155,7 +160,7 @@ github.com/Nvveen/Gotty a8b993ba6abdb0e0c12b0125c603323a71c7790c https://github.
 # metrics
 github.com/docker/go-metrics d466d4f6fd960e01820085bd7e1a24426ee7ef18
 
-github.com/opencontainers/selinux b29023b86e4a69d1b46b7e7b4e2b6fda03f0b9cd
+github.com/opencontainers/selinux b6fa367ed7f534f9ba25391cc2d467085dbb445a
 
 
 # archive/tar (for Go 1.10, see https://github.com/golang/go/issues/24787)

vendor/github.com/miekg/pkcs11/README.md

@@ -12,13 +12,13 @@ were it makes sense. It has been tested with SoftHSM.
         softhsm --init-token --slot 0 --label test --pin 1234
 
 * Then use `libsofthsm.so` as the pkcs11 module:
-
+```go
         p := pkcs11.New("/usr/lib/softhsm/libsofthsm.so")
-
+```
 ## Examples
 
 A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):
-
+```go
     p := pkcs11.New("/usr/lib/softhsm/libsofthsm.so")
     err := p.Initialize()
     if err != nil {
@@ -55,7 +55,7 @@ A skeleton program would look somewhat like this (yes, pkcs#11 is verbose):
             fmt.Printf("%x", d)
     }
     fmt.Println()
-
+```
 Further examples are included in the tests.
 
 To expose PKCS#11 keys using the

vendor/github.com/miekg/pkcs11/const.go

@@ -24,15 +24,19 @@ const (
 )
 
 const (
-	CKG_MGF1_SHA1         uint = 0x00000001
-	CKG_MGF1_SHA224       uint = 0x00000005
-	CKG_MGF1_SHA256       uint = 0x00000002
-	CKG_MGF1_SHA384       uint = 0x00000003
-	CKG_MGF1_SHA512       uint = 0x00000004
+	CKG_MGF1_SHA1     uint = 0x00000001
+	CKG_MGF1_SHA224   uint = 0x00000005
+	CKG_MGF1_SHA256   uint = 0x00000002
+	CKG_MGF1_SHA384   uint = 0x00000003
+	CKG_MGF1_SHA512   uint = 0x00000004
+	CKG_MGF1_SHA3_224 uint = 0x00000006
+	CKG_MGF1_SHA3_256 uint = 0x00000007
+	CKG_MGF1_SHA3_384 uint = 0x00000008
+	CKG_MGF1_SHA3_512 uint = 0x00000009
 )
 
 const (
-	CKZ_DATA_SPECIFIED    uint = 0x00000001
+	CKZ_DATA_SPECIFIED uint = 0x00000001
 )
 
 // Generated with: awk '/#define CK[AFKMRC]/{ print $2 " = " $3 }' pkcs11t.h | sed -e 's/UL$//g' -e 's/UL)$/)/g'
@@ -98,15 +102,19 @@ const (
 	CKK_SHA512_224_HMAC                  = 0x00000027
 	CKK_SHA512_256_HMAC                  = 0x00000028
 	CKK_SHA512_T_HMAC                    = 0x00000029
-        CKK_SHA_1_HMAC                       = 0x00000028
-        CKK_SHA224_HMAC                      = 0x0000002E
-        CKK_SHA256_HMAC                      = 0x0000002B
-        CKK_SHA384_HMAC                      = 0x0000002C
-        CKK_SHA512_HMAC                      = 0x0000002D
-	CKK_SEED                             = 0x00000050
-	CKK_GOSTR3410                        = 0x00000060
-	CKK_GOSTR3411                        = 0x00000061
-	CKK_GOST28147                        = 0x00000062
+	CKK_SHA_1_HMAC                       = 0x00000028
+	CKK_SHA224_HMAC                      = 0x0000002E
+	CKK_SHA256_HMAC                      = 0x0000002B
+	CKK_SHA384_HMAC                      = 0x0000002C
+	CKK_SHA512_HMAC                      = 0x0000002D
+	CKK_SEED                             = 0x0000002F
+	CKK_GOSTR3410                        = 0x00000030
+	CKK_GOSTR3411                        = 0x00000031
+	CKK_GOST28147                        = 0x00000032
+	CKK_SHA3_224_HMAC                    = 0x00000033
+	CKK_SHA3_256_HMAC                    = 0x00000034
+	CKK_SHA3_384_HMAC                    = 0x00000035
+	CKK_SHA3_512_HMAC                    = 0x00000036
 	CKK_VENDOR_DEFINED                   = 0x80000000
 	CKC_X_509                            = 0x00000000
 	CKC_X_509_ATTR_CERT                  = 0x00000001
@@ -182,8 +190,8 @@ const (
 	CKA_AUTH_PIN_FLAGS                   = 0x00000201
 	CKA_ALWAYS_AUTHENTICATE              = 0x00000202
 	CKA_WRAP_WITH_TRUSTED                = 0x00000210
-	CKA_WRAP_TEMPLATE                    = (CKF_ARRAY_ATTRIBUTE | 0x00000211)
-	CKA_UNWRAP_TEMPLATE                  = (CKF_ARRAY_ATTRIBUTE | 0x00000212)
+	CKA_WRAP_TEMPLATE                    = CKF_ARRAY_ATTRIBUTE | 0x00000211
+	CKA_UNWRAP_TEMPLATE                  = CKF_ARRAY_ATTRIBUTE | 0x00000212
 	CKA_OTP_FORMAT                       = 0x00000220
 	CKA_OTP_LENGTH                       = 0x00000221
 	CKA_OTP_TIME_INTERVAL                = 0x00000222
@@ -218,7 +226,7 @@ const (
 	CKA_REQUIRED_CMS_ATTRIBUTES          = 0x00000501
 	CKA_DEFAULT_CMS_ATTRIBUTES           = 0x00000502
 	CKA_SUPPORTED_CMS_ATTRIBUTES         = 0x00000503
-	CKA_ALLOWED_MECHANISMS               = (CKF_ARRAY_ATTRIBUTE | 0x00000600)
+	CKA_ALLOWED_MECHANISMS               = CKF_ARRAY_ATTRIBUTE | 0x00000600
 	CKA_VENDOR_DEFINED                   = 0x80000000
 	CKM_RSA_PKCS_KEY_PAIR_GEN            = 0x00000000
 	CKM_RSA_PKCS                         = 0x00000001
@@ -243,6 +251,10 @@ const (
 	CKM_DSA_SHA256                       = 0x00000015
 	CKM_DSA_SHA384                       = 0x00000016
 	CKM_DSA_SHA512                       = 0x00000017
+	CKM_DSA_SHA3_224                     = 0x00000018
+	CKM_DSA_SHA3_256                     = 0x00000019
+	CKM_DSA_SHA3_384                     = 0x0000001A
+	CKM_DSA_SHA3_512                     = 0x0000001B
 	CKM_DH_PKCS_KEY_PAIR_GEN             = 0x00000020
 	CKM_DH_PKCS_DERIVE                   = 0x00000021
 	CKM_X9_42_DH_KEY_PAIR_GEN            = 0x00000030
@@ -269,6 +281,14 @@ const (
 	CKM_SHA512_T_HMAC                    = 0x00000051
 	CKM_SHA512_T_HMAC_GENERAL            = 0x00000052
 	CKM_SHA512_T_KEY_DERIVATION          = 0x00000053
+	CKM_SHA3_256_RSA_PKCS                = 0x00000060
+	CKM_SHA3_384_RSA_PKCS                = 0x00000061
+	CKM_SHA3_512_RSA_PKCS                = 0x00000062
+	CKM_SHA3_256_RSA_PKCS_PSS            = 0x00000063
+	CKM_SHA3_384_RSA_PKCS_PSS            = 0x00000064
+	CKM_SHA3_512_RSA_PKCS_PSS            = 0x00000065
+	CKM_SHA3_224_RSA_PKCS                = 0x00000066
+	CKM_SHA3_224_RSA_PKCS_PSS            = 0x00000067
 	CKM_RC2_KEY_GEN                      = 0x00000100
 	CKM_RC2_ECB                          = 0x00000101
 	CKM_RC2_CBC                          = 0x00000102
@@ -335,6 +355,22 @@ const (
 	CKM_HOTP                             = 0x00000291
 	CKM_ACTI                             = 0x000002A0
 	CKM_ACTI_KEY_GEN                     = 0x000002A1
+	CKM_SHA3_256                         = 0x000002B0
+	CKM_SHA3_256_HMAC                    = 0x000002B1
+	CKM_SHA3_256_HMAC_GENERAL            = 0x000002B2
+	CKM_SHA3_256_KEY_GEN                 = 0x000002B3
+	CKM_SHA3_224                         = 0x000002B5
+	CKM_SHA3_224_HMAC                    = 0x000002B6
+	CKM_SHA3_224_HMAC_GENERAL            = 0x000002B7
+	CKM_SHA3_224_KEY_GEN                 = 0x000002B8
+	CKM_SHA3_384                         = 0x000002C0
+	CKM_SHA3_384_HMAC                    = 0x000002C1
+	CKM_SHA3_384_HMAC_GENERAL            = 0x000002C2
+	CKM_SHA3_384_KEY_GEN                 = 0x000002C3
+	CKM_SHA3_512                         = 0x000002D0
+	CKM_SHA3_512_HMAC                    = 0x000002D1
+	CKM_SHA3_512_HMAC_GENERAL            = 0x000002D2
+	CKM_SHA3_512_KEY_GEN                 = 0x000002D3
 	CKM_CAST_KEY_GEN                     = 0x00000300
 	CKM_CAST_ECB                         = 0x00000301
 	CKM_CAST_CBC                         = 0x00000302
@@ -395,6 +431,12 @@ const (
 	CKM_SHA384_KEY_DERIVATION            = 0x00000394
 	CKM_SHA512_KEY_DERIVATION            = 0x00000395
 	CKM_SHA224_KEY_DERIVATION            = 0x00000396
+	CKM_SHA3_256_KEY_DERIVE              = 0x00000397
+	CKM_SHA3_224_KEY_DERIVE              = 0x00000398
+	CKM_SHA3_384_KEY_DERIVE              = 0x00000399
+	CKM_SHA3_512_KEY_DERIVE              = 0x0000039A
+	CKM_SHAKE_128_KEY_DERIVE             = 0x0000039B
+	CKM_SHAKE_256_KEY_DERIVE             = 0x0000039C
 	CKM_PBE_MD2_DES_CBC                  = 0x000003A0
 	CKM_PBE_MD5_DES_CBC                  = 0x000003A1
 	CKM_PBE_MD5_CAST_CBC                 = 0x000003A2
@@ -678,4 +720,6 @@ const (
 	CKF_EXCLUDE_CHALLENGE                = 0x00000008
 	CKF_EXCLUDE_PIN                      = 0x00000010
 	CKF_USER_FRIENDLY_OTP                = 0x00000020
+	CKD_NULL                             = 0x00000001
+	CKD_SHA1_KDF                         = 0x00000002
 )

vendor/github.com/miekg/pkcs11/params.go

@@ -8,6 +8,24 @@ package pkcs11
 #include <stdlib.h>
 #include <string.h>
 #include "pkcs11go.h"
+
+static inline void putOAEPParams(CK_RSA_PKCS_OAEP_PARAMS_PTR params, CK_VOID_PTR pSourceData, CK_ULONG ulSourceDataLen)
+{
+	params->pSourceData = pSourceData;
+	params->ulSourceDataLen = ulSourceDataLen;
+}
+
+static inline void putECDH1SharedParams(CK_ECDH1_DERIVE_PARAMS_PTR params, CK_VOID_PTR pSharedData, CK_ULONG ulSharedDataLen)
+{
+	params->pSharedData = pSharedData;
+	params->ulSharedDataLen = ulSharedDataLen;
+}
+
+static inline void putECDH1PublicParams(CK_ECDH1_DERIVE_PARAMS_PTR params, CK_VOID_PTR pPublicData, CK_ULONG ulPublicDataLen)
+{
+	params->pPublicData = pPublicData;
+	params->ulPublicDataLen = ulPublicDataLen;
+}
 */
 import "C"
 import "unsafe"
@@ -21,9 +39,8 @@ type GCMParams struct {
 	tagSize int
 }
 
-// NewGCMParams returns a pointer to AES-GCM parameters.
-// This is a convenience function for passing GCM parameters to
-// available mechanisms.
+// NewGCMParams returns a pointer to AES-GCM parameters that can be used with the CKM_AES_GCM mechanism.
+// The Free() method must be called after the operation is complete.
 //
 // *NOTE*
 // Some HSMs, like CloudHSM, will ignore the IV you pass in and write their
@@ -55,17 +72,23 @@ func cGCMParams(p *GCMParams) []byte {
 		iv, ivLen := arena.Allocate(p.iv)
 		params.pIv = C.CK_BYTE_PTR(iv)
 		params.ulIvLen = ivLen
+		params.ulIvBits = ivLen * 8
 	}
 	if len(p.aad) > 0 {
 		aad, aadLen := arena.Allocate(p.aad)
 		params.pAAD = C.CK_BYTE_PTR(aad)
 		params.ulAADLen = aadLen
 	}
+	p.Free()
 	p.arena = arena
 	p.params = &params
 	return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params)))
 }
 
+// IV returns a copy of the actual IV used for the operation.
+//
+// Some HSMs may ignore the user-specified IV and write their own at the end of
+// the encryption operation; this method allows you to retrieve it.
 func (p *GCMParams) IV() []byte {
 	if p == nil || p.params == nil {
 		return nil
@@ -76,6 +99,10 @@ func (p *GCMParams) IV() []byte {
 	return iv
 }
 
+// Free deallocates the memory reserved for the HSM to write back the actual IV.
+//
+// This must be called after the entire operation is complete, i.e. after
+// Encrypt or EncryptFinal. It is safe to call Free multiple times.
 func (p *GCMParams) Free() {
 	if p == nil || p.arena == nil {
 		return
@@ -84,3 +111,78 @@ func (p *GCMParams) Free() {
 	p.params = nil
 	p.arena = nil
 }
+
+// NewPSSParams creates a CK_RSA_PKCS_PSS_PARAMS structure and returns it as a byte array for use with the CKM_RSA_PKCS_PSS mechanism
+func NewPSSParams(hashAlg, mgf, saltLength uint) []byte {
+	p := C.CK_RSA_PKCS_PSS_PARAMS{
+		hashAlg: C.CK_MECHANISM_TYPE(hashAlg),
+		mgf:     C.CK_RSA_PKCS_MGF_TYPE(mgf),
+		sLen:    C.CK_ULONG(saltLength),
+	}
+	return C.GoBytes(unsafe.Pointer(&p), C.int(unsafe.Sizeof(p)))
+}
+
+// OAEPParams can be passed to NewMechanism to implement CKM_RSA_PKCS_OAEP
+type OAEPParams struct {
+	HashAlg    uint
+	MGF        uint
+	SourceType uint
+	SourceData []byte
+}
+
+// NewOAEPParams creates a CK_RSA_PKCS_OAEP_PARAMS structure suitable for use with the CKM_RSA_PKCS_OAEP mechanism
+func NewOAEPParams(hashAlg, mgf, sourceType uint, sourceData []byte) *OAEPParams {
+	return &OAEPParams{
+		HashAlg:    hashAlg,
+		MGF:        mgf,
+		SourceType: sourceType,
+		SourceData: sourceData,
+	}
+}
+
+func cOAEPParams(p *OAEPParams, arena arena) ([]byte, arena) {
+	params := C.CK_RSA_PKCS_OAEP_PARAMS{
+		hashAlg: C.CK_MECHANISM_TYPE(p.HashAlg),
+		mgf:     C.CK_RSA_PKCS_MGF_TYPE(p.MGF),
+		source:  C.CK_RSA_PKCS_OAEP_SOURCE_TYPE(p.SourceType),
+	}
+	if len(p.SourceData) != 0 {
+		buf, len := arena.Allocate(p.SourceData)
+		// field is unaligned on windows so this has to call into C
+		C.putOAEPParams(&params, buf, len)
+	}
+	return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params))), arena
+}
+
+// ECDH1DeriveParams can be passed to NewMechanism to implement CK_ECDH1_DERIVE_PARAMS
+type ECDH1DeriveParams struct {
+	KDF           uint
+	SharedData    []byte
+	PublicKeyData []byte
+}
+
+// NewECDH1DeriveParams creates a CK_ECDH1_DERIVE_PARAMS structure suitable for use with the CKM_ECDH1_DERIVE mechanism
+func NewECDH1DeriveParams(kdf uint, sharedData []byte, publicKeyData []byte) *ECDH1DeriveParams {
+	return &ECDH1DeriveParams{
+		KDF:           kdf,
+		SharedData:    sharedData,
+		PublicKeyData: publicKeyData,
+	}
+}
+
+func cECDH1DeriveParams(p *ECDH1DeriveParams, arena arena) ([]byte, arena) {
+	params := C.CK_ECDH1_DERIVE_PARAMS{
+		kdf: C.CK_EC_KDF_TYPE(p.KDF),
+	}
+
+	// SharedData MUST be null if key derivation function (KDF) is CKD_NULL
+	if len(p.SharedData) != 0 {
+		sharedData, sharedDataLen := arena.Allocate(p.SharedData)
+		C.putECDH1SharedParams(&params, sharedData, sharedDataLen)
+	}
+
+	publicKeyData, publicKeyDataLen := arena.Allocate(p.PublicKeyData)
+	C.putECDH1PublicParams(&params, publicKeyData, publicKeyDataLen)
+
+	return C.GoBytes(unsafe.Pointer(&params), C.int(unsafe.Sizeof(params))), arena
+}

vendor/github.com/miekg/pkcs11/pkcs11.go

@@ -11,43 +11,73 @@ package pkcs11
 // * CK_ULONG never overflows an Go int
 
 /*
-#cgo windows CFLAGS: -DREPACK_STRUCTURES
-#cgo windows LDFLAGS: -lltdl
-#cgo linux LDFLAGS: -lltdl -ldl
-#cgo darwin CFLAGS: -I/usr/local/share/libtool
-#cgo darwin LDFLAGS: -lltdl -L/usr/local/lib/
-#cgo openbsd CFLAGS: -I/usr/local/include/
-#cgo openbsd LDFLAGS: -lltdl -L/usr/local/lib/
-#cgo freebsd CFLAGS: -I/usr/local/include/
-#cgo freebsd LDFLAGS: -lltdl -L/usr/local/lib/
-#cgo LDFLAGS: -lltdl
+#cgo windows CFLAGS: -DPACKED_STRUCTURES
+#cgo linux LDFLAGS: -ldl
+#cgo darwin LDFLAGS: -ldl
+#cgo openbsd LDFLAGS: -ldl
+#cgo freebsd LDFLAGS: -ldl
 
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
-#include <ltdl.h>
 #include <unistd.h>
+
 #include "pkcs11go.h"
 
+#ifdef _WIN32
+#include <windows.h>
+
 struct ctx {
-	lt_dlhandle handle;
+	HMODULE handle;
 	CK_FUNCTION_LIST_PTR sym;
 };
 
 // New initializes a ctx and fills the symbol table.
 struct ctx *New(const char *module)
 {
-	if (lt_dlinit() != 0) {
-		return NULL;
-	}
 	CK_C_GetFunctionList list;
 	struct ctx *c = calloc(1, sizeof(struct ctx));
-	c->handle = lt_dlopen(module);
+	c->handle = LoadLibrary(module);
 	if (c->handle == NULL) {
 		free(c);
 		return NULL;
 	}
-	list = (CK_C_GetFunctionList) lt_dlsym(c->handle, "C_GetFunctionList");
+	list = (CK_C_GetFunctionList) GetProcAddress(c->handle, "C_GetFunctionList");
+	if (list == NULL) {
+		free(c);
+		return NULL;
+	}
+	list(&c->sym);
+	return c;
+}
+
+// Destroy cleans up a ctx.
+void Destroy(struct ctx *c)
+{
+	if (!c) {
+		return;
+	}
+	free(c);
+}
+#else
+#include <dlfcn.h>
+
+struct ctx {
+	void *handle;
+	CK_FUNCTION_LIST_PTR sym;
+};
+
+// New initializes a ctx and fills the symbol table.
+struct ctx *New(const char *module)
+{
+	CK_C_GetFunctionList list;
+	struct ctx *c = calloc(1, sizeof(struct ctx));
+	c->handle = dlopen(module, RTLD_LAZY);
+	if (c->handle == NULL) {
+		free(c);
+		return NULL;
+	}
+	list = (CK_C_GetFunctionList) dlsym(c->handle, "C_GetFunctionList");
 	if (list == NULL) {
 		free(c);
 		return NULL;
@@ -65,12 +95,12 @@ void Destroy(struct ctx *c)
 	if (c->handle == NULL) {
 		return;
 	}
-	if (lt_dlclose(c->handle) < 0) {
+	if (dlclose(c->handle) < 0) {
 		return;
 	}
-	lt_dlexit();
 	free(c);
 }
+#endif
 
 CK_RV Initialize(struct ctx * c)
 {
@@ -238,23 +268,17 @@ CK_RV Logout(struct ctx * c, CK_SESSION_HANDLE session)
 }
 
 CK_RV CreateObject(struct ctx * c, CK_SESSION_HANDLE session,
-		   ckAttrPtr temp, CK_ULONG tempCount,
+		   CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
 		   CK_OBJECT_HANDLE_PTR obj)
 {
-	ATTR_TO_C(tempc, temp, tempCount, NULL);
-	CK_RV e = c->sym->C_CreateObject(session, tempc, tempCount, obj);
-	ATTR_FREE(tempc);
-	return e;
+	return c->sym->C_CreateObject(session, temp, tempCount, obj);
 }
 
 CK_RV CopyObject(struct ctx * c, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE o,
-		 ckAttrPtr temp, CK_ULONG tempCount,
+		 CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount,
 		 CK_OBJECT_HANDLE_PTR obj)
 {
-	ATTR_TO_C(tempc, temp, tempCount, NULL);
-	CK_RV e = c->sym->C_CopyObject(session, o, tempc, tempCount, obj);
-	ATTR_FREE(tempc);
-	return e;
+	return c->sym->C_CopyObject(session, o, temp, tempCount, obj);
 }
 
 CK_RV DestroyObject(struct ctx * c, CK_SESSION_HANDLE session,
@@ -272,48 +296,37 @@ CK_RV GetObjectSize(struct ctx * c, CK_SESSION_HANDLE session,
 }
 
 CK_RV GetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
-			CK_OBJECT_HANDLE object, ckAttrPtr temp,
+			CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
 			CK_ULONG templen)
 {
-	ATTR_TO_C(tempc, temp, templen, NULL);
 	// Call for the first time, check the returned ulValue in the attributes, then
 	// allocate enough space and try again.
-	CK_RV e = c->sym->C_GetAttributeValue(session, object, tempc, templen);
+	CK_RV e = c->sym->C_GetAttributeValue(session, object, temp, templen);
 	if (e != CKR_OK) {
-		ATTR_FREE(tempc);
 		return e;
 	}
 	CK_ULONG i;
 	for (i = 0; i < templen; i++) {
-		if ((CK_LONG) tempc[i].ulValueLen == -1) {
+		if ((CK_LONG) temp[i].ulValueLen == -1) {
 			// either access denied or no such object
 			continue;
 		}
-		tempc[i].pValue = calloc(tempc[i].ulValueLen, sizeof(CK_BYTE));
+		temp[i].pValue = calloc(temp[i].ulValueLen, sizeof(CK_BYTE));
 	}
-	e = c->sym->C_GetAttributeValue(session, object, tempc, templen);
-	ATTR_FROM_C(temp, tempc, templen);
-	ATTR_FREE(tempc);
-	return e;
+	return c->sym->C_GetAttributeValue(session, object, temp, templen);
 }
 
 CK_RV SetAttributeValue(struct ctx * c, CK_SESSION_HANDLE session,
-			CK_OBJECT_HANDLE object, ckAttrPtr temp,
+			CK_OBJECT_HANDLE object, CK_ATTRIBUTE_PTR temp,
 			CK_ULONG templen)
 {
-	ATTR_TO_C(tempc, temp, templen, NULL);
-	CK_RV e = c->sym->C_SetAttributeValue(session, object, tempc, templen);
-	ATTR_FREE(tempc);
-	return e;
+	return c->sym->C_SetAttributeValue(session, object, temp, templen);
 }
 
 CK_RV FindObjectsInit(struct ctx * c, CK_SESSION_HANDLE session,
-		      ckAttrPtr temp, CK_ULONG tempCount)
+		      CK_ATTRIBUTE_PTR temp, CK_ULONG tempCount)
 {
-	ATTR_TO_C(tempc, temp, tempCount, NULL);
-	CK_RV e = c->sym->C_FindObjectsInit(session, tempc, tempCount);
-	ATTR_FREE(tempc);
-	return e;
+	return c->sym->C_FindObjectsInit(session, temp, tempCount);
 }
 
 CK_RV FindObjects(struct ctx * c, CK_SESSION_HANDLE session,
@@ -332,11 +345,9 @@ CK_RV FindObjectsFinal(struct ctx * c, CK_SESSION_HANDLE session)
 }
 
 CK_RV EncryptInit(struct ctx * c, CK_SESSION_HANDLE session,
-		  ckMechPtr mechanism, CK_OBJECT_HANDLE key)
+		  CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
 {
-	MECH_TO_C(m, mechanism);
-	CK_RV e = c->sym->C_EncryptInit(session, m, key);
-	return e;
+	return c->sym->C_EncryptInit(session, mechanism, key);
 }
 
 CK_RV Encrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
@@ -388,17 +399,15 @@ CK_RV EncryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
 }
 
 CK_RV DecryptInit(struct ctx * c, CK_SESSION_HANDLE session,
-		  ckMechPtr mechanism, CK_OBJECT_HANDLE key)
+		  CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
 {
-	MECH_TO_C(m, mechanism);
-	CK_RV e = c->sym->C_DecryptInit(session, m, key);
-	return e;
+	return c->sym->C_DecryptInit(session, mechanism, key);
 }
 
-CK_RV Decrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cypher,
+CK_RV Decrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cipher,
 	      CK_ULONG clen, CK_BYTE_PTR * plain, CK_ULONG_PTR plainlen)
 {
-	CK_RV e = c->sym->C_Decrypt(session, cypher, clen, NULL, plainlen);
+	CK_RV e = c->sym->C_Decrypt(session, cipher, clen, NULL, plainlen);
 	if (e != CKR_OK) {
 		return e;
 	}
@@ -406,7 +415,7 @@ CK_RV Decrypt(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR cypher,
 	if (*plain == NULL) {
 		return CKR_HOST_MEMORY;
 	}
-	e = c->sym->C_Decrypt(session, cypher, clen, *plain, plainlen);
+	e = c->sym->C_Decrypt(session, cipher, clen, *plain, plainlen);
 	return e;
 }
 
@@ -444,11 +453,9 @@ CK_RV DecryptFinal(struct ctx * c, CK_SESSION_HANDLE session,
 }
 
 CK_RV DigestInit(struct ctx * c, CK_SESSION_HANDLE session,
-		 ckMechPtr mechanism)
+		 CK_MECHANISM_PTR mechanism)
 {
-	MECH_TO_C(m, mechanism);
-	CK_RV e = c->sym->C_DigestInit(session, m);
-	return e;
+	return c->sym->C_DigestInit(session, mechanism);
 }
 
 CK_RV Digest(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
@@ -495,11 +502,9 @@ CK_RV DigestFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * hash,
 }
 
 CK_RV SignInit(struct ctx * c, CK_SESSION_HANDLE session,
-	       ckMechPtr mechanism, CK_OBJECT_HANDLE key)
+	       CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
 {
-	MECH_TO_C(m, mechanism);
-	CK_RV e = c->sym->C_SignInit(session, m, key);
-	return e;
+	return c->sym->C_SignInit(session, mechanism, key);
 }
 
 CK_RV Sign(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
@@ -540,11 +545,9 @@ CK_RV SignFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR * sig,
 }
 
 CK_RV SignRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
-		      ckMechPtr mech, CK_OBJECT_HANDLE key)
+		      CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
 {
-	MECH_TO_C(m, mech);
-	CK_RV rv = c->sym->C_SignRecoverInit(session, m, key);
-	return rv;
+	return c->sym->C_SignRecoverInit(session, mechanism, key);
 }
 
 CK_RV SignRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR data,
@@ -563,11 +566,9 @@ CK_RV SignRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR data,
 }
 
 CK_RV VerifyInit(struct ctx * c, CK_SESSION_HANDLE session,
-		 ckMechPtr mech, CK_OBJECT_HANDLE key)
+		 CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
 {
-	MECH_TO_C(m, mech);
-	CK_RV rv = c->sym->C_VerifyInit(session, m, key);
-	return rv;
+	return c->sym->C_VerifyInit(session, mechanism, key);
 }
 
 CK_RV Verify(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR message,
@@ -592,11 +593,9 @@ CK_RV VerifyFinal(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig,
 }
 
 CK_RV VerifyRecoverInit(struct ctx * c, CK_SESSION_HANDLE session,
-			ckMechPtr mech, CK_OBJECT_HANDLE key)
+			CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE key)
 {
-	MECH_TO_C(m, mech);
-	CK_RV rv = c->sym->C_VerifyRecoverInit(session, m, key);
-	return rv;
+	return c->sym->C_VerifyRecoverInit(session, mechanism, key);
 }
 
 CK_RV VerifyRecover(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR sig,
@@ -688,39 +687,28 @@ CK_RV DecryptVerifyUpdate(struct ctx * c, CK_SESSION_HANDLE session,
 }
 
 CK_RV GenerateKey(struct ctx * c, CK_SESSION_HANDLE session,
-		  ckMechPtr mechanism, ckAttrPtr temp,
+		  CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR temp,
 		  CK_ULONG tempCount, CK_OBJECT_HANDLE_PTR key)
 {
-	MECH_TO_C(m, mechanism);
-	ATTR_TO_C(tempc, temp, tempCount, NULL);
-	CK_RV e = c->sym->C_GenerateKey(session, m, tempc, tempCount, key);
-	ATTR_FREE(tempc);
-	return e;
+	return c->sym->C_GenerateKey(session, mechanism, temp, tempCount, key);
 }
 
 CK_RV GenerateKeyPair(struct ctx * c, CK_SESSION_HANDLE session,
-		      ckMechPtr mechanism, ckAttrPtr pub,
-		      CK_ULONG pubCount, ckAttrPtr priv,
+		      CK_MECHANISM_PTR mechanism, CK_ATTRIBUTE_PTR pub,
+		      CK_ULONG pubCount, CK_ATTRIBUTE_PTR priv,
 		      CK_ULONG privCount, CK_OBJECT_HANDLE_PTR pubkey,
 		      CK_OBJECT_HANDLE_PTR privkey)
 {
-	MECH_TO_C(m, mechanism);
-	ATTR_TO_C(pubc, pub, pubCount, NULL);
-	ATTR_TO_C(privc, priv, privCount, pubc);
-	CK_RV e = c->sym->C_GenerateKeyPair(session, m, pubc, pubCount,
-		privc, privCount, pubkey, privkey);
-	ATTR_FREE(pubc);
-	ATTR_FREE(privc);
-	return e;
+	return c->sym->C_GenerateKeyPair(session, mechanism, pub, pubCount,
+		priv, privCount, pubkey, privkey);
 }
 
 CK_RV WrapKey(struct ctx * c, CK_SESSION_HANDLE session,
-	      ckMechPtr mechanism, CK_OBJECT_HANDLE wrappingkey,
+	      CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE wrappingkey,
 	      CK_OBJECT_HANDLE key, CK_BYTE_PTR * wrapped,
 	      CK_ULONG_PTR wrappedlen)
 {
-	MECH_TO_C(m, mechanism);
-	CK_RV rv = c->sym->C_WrapKey(session, m, wrappingkey, key, NULL,
+	CK_RV rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, NULL,
 				     wrappedlen);
 	if (rv != CKR_OK) {
 		return rv;
@@ -729,33 +717,25 @@ CK_RV WrapKey(struct ctx * c, CK_SESSION_HANDLE session,
 	if (*wrapped == NULL) {
 		return CKR_HOST_MEMORY;
 	}
-	rv = c->sym->C_WrapKey(session, m, wrappingkey, key, *wrapped,
+	rv = c->sym->C_WrapKey(session, mechanism, wrappingkey, key, *wrapped,
 			       wrappedlen);
 	return rv;
 }
 
 CK_RV DeriveKey(struct ctx * c, CK_SESSION_HANDLE session,
-		ckMechPtr mech, CK_OBJECT_HANDLE basekey,
-		ckAttrPtr a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
+		CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE basekey,
+		CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
 {
-	MECH_TO_C(m, mech);
-	ATTR_TO_C(tempc, a, alen, NULL);
-	CK_RV e = c->sym->C_DeriveKey(session, m, basekey, tempc, alen, key);
-	ATTR_FREE(tempc);
-	return e;
+	return c->sym->C_DeriveKey(session, mechanism, basekey, a, alen, key);
 }
 
 CK_RV UnwrapKey(struct ctx * c, CK_SESSION_HANDLE session,
-		ckMechPtr mech, CK_OBJECT_HANDLE unwrappingkey,
+		CK_MECHANISM_PTR mechanism, CK_OBJECT_HANDLE unwrappingkey,
 		CK_BYTE_PTR wrappedkey, CK_ULONG wrappedkeylen,
-		ckAttrPtr a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
+		CK_ATTRIBUTE_PTR a, CK_ULONG alen, CK_OBJECT_HANDLE_PTR key)
 {
-	MECH_TO_C(m, mech);
-	ATTR_TO_C(tempc, a, alen, NULL);
-	CK_RV e = c->sym->C_UnwrapKey(session, m, unwrappingkey, wrappedkey,
-				      wrappedkeylen, tempc, alen, key);
-	ATTR_FREE(tempc);
-	return e;
+	return c->sym->C_UnwrapKey(session, mechanism, unwrappingkey, wrappedkey,
+				      wrappedkeylen, a, alen, key);
 }
 
 CK_RV SeedRandom(struct ctx * c, CK_SESSION_HANDLE session, CK_BYTE_PTR seed,
@@ -783,37 +763,11 @@ CK_RV WaitForSlotEvent(struct ctx * c, CK_FLAGS flags, CK_ULONG_PTR slot)
 	return e;
 }
 
-#ifdef REPACK_STRUCTURES
-
-CK_RV attrsToC(CK_ATTRIBUTE_PTR *attrOut, ckAttrPtr attrIn, CK_ULONG count) {
-	CK_ATTRIBUTE_PTR attr = calloc(count, sizeof(CK_ATTRIBUTE));
-	if (attr == NULL) {
-		return CKR_HOST_MEMORY;
-	}
-	for (int i = 0; i < count; i++) {
-		attr[i].type = attrIn[i].type;
-		attr[i].pValue = attrIn[i].pValue;
-		attr[i].ulValueLen = attrIn[i].ulValueLen;
-	}
-	*attrOut = attr;
-	return CKR_OK;
+static inline CK_VOID_PTR getAttributePval(CK_ATTRIBUTE_PTR a)
+{
+	return a->pValue;
 }
 
-void attrsFromC(ckAttrPtr attrOut, CK_ATTRIBUTE_PTR attrIn, CK_ULONG count) {
-	for (int i = 0; i < count; i++) {
-		attrOut[i].type = attrIn[i].type;
-		attrOut[i].pValue = attrIn[i].pValue;
-		attrOut[i].ulValueLen = attrIn[i].ulValueLen;
-	}
-}
-
-void mechToC(CK_MECHANISM_PTR mechOut, ckMechPtr mechIn) {
-	mechOut->mechanism = mechIn->mechanism;
-	mechOut->pParameter = mechIn->pParameter;
-	mechOut->ulParameterLen = mechIn->ulParameterLen;
-}
-
-#endif
 */
 import "C"
 import "strings"
@@ -827,11 +781,6 @@ type Ctx struct {
 
 // New creates a new context and initializes the module/library for use.
 func New(module string) *Ctx {
-	// libtool-ltdl will return an assertion error if passed an empty string, so
-	// we check for it explicitly.
-	if module == "" {
-		return nil
-	}
 	c := new(Ctx)
 	mod := C.CString(module)
 	defer C.free(unsafe.Pointer(mod))
@@ -1124,21 +1073,22 @@ func (c *Ctx) GetObjectSize(sh SessionHandle, oh ObjectHandle) (uint, error) {
 func (c *Ctx) GetAttributeValue(sh SessionHandle, o ObjectHandle, a []*Attribute) ([]*Attribute, error) {
 	// copy the attribute list and make all the values nil, so that
 	// the C function can (allocate) fill them in
-	pa := make([]C.ckAttr, len(a))
+	pa := make([]C.CK_ATTRIBUTE, len(a))
 	for i := 0; i < len(a); i++ {
 		pa[i]._type = C.CK_ATTRIBUTE_TYPE(a[i].Type)
 	}
-	e := C.GetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), C.ckAttrPtr(&pa[0]), C.CK_ULONG(len(a)))
-	if toError(e) != nil {
-		return nil, toError(e)
+	e := C.GetAttributeValue(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_OBJECT_HANDLE(o), &pa[0], C.CK_ULONG(len(a)))
+	if err := toError(e); err != nil {
+		return nil, err
 	}
 	a1 := make([]*Attribute, len(a))
 	for i, c := range pa {
 		x := new(Attribute)
 		x.Type = uint(c._type)
 		if int(c.ulValueLen) != -1 {
-			x.Value = C.GoBytes(unsafe.Pointer(c.pValue), C.int(c.ulValueLen))
-			C.free(unsafe.Pointer(c.pValue))
+			buf := unsafe.Pointer(C.getAttributePval(&c))
+			x.Value = C.GoBytes(buf, C.int(c.ulValueLen))
+			C.free(buf)
 		}
 		a1[i] = x
 	}
@@ -1164,8 +1114,10 @@ func (c *Ctx) FindObjectsInit(sh SessionHandle, temp []*Attribute) error {
 
 // FindObjects continues a search for token and session
 // objects that match a template, obtaining additional object
-// handles. The returned boolean indicates if the list would
-// have been larger than max.
+// handles. Calling the function repeatedly may yield additional results until
+// an empty slice is returned.
+//
+// The returned boolean value is deprecated and should be ignored.
 func (c *Ctx) FindObjects(sh SessionHandle, max int) ([]ObjectHandle, bool, error) {
 	var (
 		objectList C.CK_OBJECT_HANDLE_PTR
@@ -1193,7 +1145,7 @@ func (c *Ctx) FindObjectsFinal(sh SessionHandle) error {
 
 // EncryptInit initializes an encryption operation.
 func (c *Ctx) EncryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
-	arena, mech, _ := cMechanismList(m)
+	arena, mech := cMechanism(m)
 	defer arena.Free()
 	e := C.EncryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
 	return toError(e)
@@ -1205,7 +1157,7 @@ func (c *Ctx) Encrypt(sh SessionHandle, message []byte) ([]byte, error) {
 		enc    C.CK_BYTE_PTR
 		enclen C.CK_ULONG
 	)
-	e := C.Encrypt(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&message[0])), C.CK_ULONG(len(message)), &enc, &enclen)
+	e := C.Encrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &enc, &enclen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1220,7 +1172,7 @@ func (c *Ctx) EncryptUpdate(sh SessionHandle, plain []byte) ([]byte, error) {
 		part    C.CK_BYTE_PTR
 		partlen C.CK_ULONG
 	)
-	e := C.EncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&plain[0])), C.CK_ULONG(len(plain)), &part, &partlen)
+	e := C.EncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(plain), C.CK_ULONG(len(plain)), &part, &partlen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1246,19 +1198,19 @@ func (c *Ctx) EncryptFinal(sh SessionHandle) ([]byte, error) {
 
 // DecryptInit initializes a decryption operation.
 func (c *Ctx) DecryptInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
-	arena, mech, _ := cMechanismList(m)
+	arena, mech := cMechanism(m)
 	defer arena.Free()
 	e := C.DecryptInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
 	return toError(e)
 }
 
 // Decrypt decrypts encrypted data in a single part.
-func (c *Ctx) Decrypt(sh SessionHandle, cypher []byte) ([]byte, error) {
+func (c *Ctx) Decrypt(sh SessionHandle, cipher []byte) ([]byte, error) {
 	var (
 		plain    C.CK_BYTE_PTR
 		plainlen C.CK_ULONG
 	)
-	e := C.Decrypt(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&cypher[0])), C.CK_ULONG(len(cypher)), &plain, &plainlen)
+	e := C.Decrypt(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &plain, &plainlen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1273,7 +1225,7 @@ func (c *Ctx) DecryptUpdate(sh SessionHandle, cipher []byte) ([]byte, error) {
 		part    C.CK_BYTE_PTR
 		partlen C.CK_ULONG
 	)
-	e := C.DecryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&cipher[0])), C.CK_ULONG(len(cipher)), &part, &partlen)
+	e := C.DecryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1299,7 +1251,7 @@ func (c *Ctx) DecryptFinal(sh SessionHandle) ([]byte, error) {
 
 // DigestInit initializes a message-digesting operation.
 func (c *Ctx) DigestInit(sh SessionHandle, m []*Mechanism) error {
-	arena, mech, _ := cMechanismList(m)
+	arena, mech := cMechanism(m)
 	defer arena.Free()
 	e := C.DigestInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech)
 	return toError(e)
@@ -1311,7 +1263,7 @@ func (c *Ctx) Digest(sh SessionHandle, message []byte) ([]byte, error) {
 		hash    C.CK_BYTE_PTR
 		hashlen C.CK_ULONG
 	)
-	e := C.Digest(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&message[0])), C.CK_ULONG(len(message)), &hash, &hashlen)
+	e := C.Digest(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &hash, &hashlen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1322,7 +1274,7 @@ func (c *Ctx) Digest(sh SessionHandle, message []byte) ([]byte, error) {
 
 // DigestUpdate continues a multiple-part message-digesting operation.
 func (c *Ctx) DigestUpdate(sh SessionHandle, message []byte) error {
-	e := C.DigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&message[0])), C.CK_ULONG(len(message)))
+	e := C.DigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)))
 	if toError(e) != nil {
 		return toError(e)
 	}
@@ -1359,7 +1311,7 @@ func (c *Ctx) DigestFinal(sh SessionHandle) ([]byte, error) {
 // operation, where the signature is (will be) an appendix to
 // the data, and plaintext cannot be recovered from the signature.
 func (c *Ctx) SignInit(sh SessionHandle, m []*Mechanism, o ObjectHandle) error {
-	arena, mech, _ := cMechanismList(m) // Only the first is used, but still use a list.
+	arena, mech := cMechanism(m)
 	defer arena.Free()
 	e := C.SignInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(o))
 	return toError(e)
@@ -1372,7 +1324,7 @@ func (c *Ctx) Sign(sh SessionHandle, message []byte) ([]byte, error) {
 		sig    C.CK_BYTE_PTR
 		siglen C.CK_ULONG
 	)
-	e := C.Sign(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&message[0])), C.CK_ULONG(len(message)), &sig, &siglen)
+	e := C.Sign(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)), &sig, &siglen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1385,7 +1337,7 @@ func (c *Ctx) Sign(sh SessionHandle, message []byte) ([]byte, error) {
 // where the signature is (will be) an appendix to the data,
 // and plaintext cannot be recovered from the signature.
 func (c *Ctx) SignUpdate(sh SessionHandle, message []byte) error {
-	e := C.SignUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&message[0])), C.CK_ULONG(len(message)))
+	e := C.SignUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(message), C.CK_ULONG(len(message)))
 	return toError(e)
 }
 
@@ -1406,7 +1358,7 @@ func (c *Ctx) SignFinal(sh SessionHandle) ([]byte, error) {
 
 // SignRecoverInit initializes a signature operation, where the data can be recovered from the signature.
 func (c *Ctx) SignRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
-	arena, mech, _ := cMechanismList(m)
+	arena, mech := cMechanism(m)
 	defer arena.Free()
 	e := C.SignRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
 	return toError(e)
@@ -1418,7 +1370,7 @@ func (c *Ctx) SignRecover(sh SessionHandle, data []byte) ([]byte, error) {
 		sig    C.CK_BYTE_PTR
 		siglen C.CK_ULONG
 	)
-	e := C.SignRecover(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&data[0])), C.CK_ULONG(len(data)), &sig, &siglen)
+	e := C.SignRecover(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), &sig, &siglen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1431,7 +1383,7 @@ func (c *Ctx) SignRecover(sh SessionHandle, data []byte) ([]byte, error) {
 // signature is an appendix to the data, and plaintext cannot
 // be recovered from the signature (e.g. DSA).
 func (c *Ctx) VerifyInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
-	arena, mech, _ := cMechanismList(m) // only use one here
+	arena, mech := cMechanism(m)
 	defer arena.Free()
 	e := C.VerifyInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
 	return toError(e)
@@ -1441,7 +1393,7 @@ func (c *Ctx) VerifyInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) err
 // where the signature is an appendix to the data, and plaintext
 // cannot be recovered from the signature.
 func (c *Ctx) Verify(sh SessionHandle, data []byte, signature []byte) error {
-	e := C.Verify(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&data[0])), C.CK_ULONG(len(data)), C.CK_BYTE_PTR(unsafe.Pointer(&signature[0])), C.CK_ULONG(len(signature)))
+	e := C.Verify(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(data), C.CK_ULONG(len(data)), cMessage(signature), C.CK_ULONG(len(signature)))
 	return toError(e)
 }
 
@@ -1449,21 +1401,21 @@ func (c *Ctx) Verify(sh SessionHandle, data []byte, signature []byte) error {
 // operation, where the signature is an appendix to the data,
 // and plaintext cannot be recovered from the signature.
 func (c *Ctx) VerifyUpdate(sh SessionHandle, part []byte) error {
-	e := C.VerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&part[0])), C.CK_ULONG(len(part)))
+	e := C.VerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)))
 	return toError(e)
 }
 
 // VerifyFinal finishes a multiple-part verification
 // operation, checking the signature.
 func (c *Ctx) VerifyFinal(sh SessionHandle, signature []byte) error {
-	e := C.VerifyFinal(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&signature[0])), C.CK_ULONG(len(signature)))
+	e := C.VerifyFinal(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature)))
 	return toError(e)
 }
 
 // VerifyRecoverInit initializes a signature verification
 // operation, where the data is recovered from the signature.
 func (c *Ctx) VerifyRecoverInit(sh SessionHandle, m []*Mechanism, key ObjectHandle) error {
-	arena, mech, _ := cMechanismList(m)
+	arena, mech := cMechanism(m)
 	defer arena.Free()
 	e := C.VerifyRecoverInit(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(key))
 	return toError(e)
@@ -1476,7 +1428,7 @@ func (c *Ctx) VerifyRecover(sh SessionHandle, signature []byte) ([]byte, error)
 		data    C.CK_BYTE_PTR
 		datalen C.CK_ULONG
 	)
-	e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&signature[0])), C.CK_ULONG(len(signature)), &data, &datalen)
+	e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(signature), C.CK_ULONG(len(signature)), &data, &datalen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1491,7 +1443,7 @@ func (c *Ctx) DigestEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error)
 		enc    C.CK_BYTE_PTR
 		enclen C.CK_ULONG
 	)
-	e := C.DigestEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&part[0])), C.CK_ULONG(len(part)), &enc, &enclen)
+	e := C.DigestEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1506,7 +1458,7 @@ func (c *Ctx) DecryptDigestUpdate(sh SessionHandle, cipher []byte) ([]byte, erro
 		part    C.CK_BYTE_PTR
 		partlen C.CK_ULONG
 	)
-	e := C.DecryptDigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&cipher[0])), C.CK_ULONG(len(cipher)), &part, &partlen)
+	e := C.DecryptDigestUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1521,7 +1473,7 @@ func (c *Ctx) SignEncryptUpdate(sh SessionHandle, part []byte) ([]byte, error) {
 		enc    C.CK_BYTE_PTR
 		enclen C.CK_ULONG
 	)
-	e := C.SignEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&part[0])), C.CK_ULONG(len(part)), &enc, &enclen)
+	e := C.SignEncryptUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(part), C.CK_ULONG(len(part)), &enc, &enclen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1536,7 +1488,7 @@ func (c *Ctx) DecryptVerifyUpdate(sh SessionHandle, cipher []byte) ([]byte, erro
 		part    C.CK_BYTE_PTR
 		partlen C.CK_ULONG
 	)
-	e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), C.CK_BYTE_PTR(unsafe.Pointer(&cipher[0])), C.CK_ULONG(len(cipher)), &part, &partlen)
+	e := C.DecryptVerifyUpdate(c.ctx, C.CK_SESSION_HANDLE(sh), cMessage(cipher), C.CK_ULONG(len(cipher)), &part, &partlen)
 	if toError(e) != nil {
 		return nil, toError(e)
 	}
@@ -1550,7 +1502,7 @@ func (c *Ctx) GenerateKey(sh SessionHandle, m []*Mechanism, temp []*Attribute) (
 	var key C.CK_OBJECT_HANDLE
 	attrarena, t, tcount := cAttributeList(temp)
 	defer attrarena.Free()
-	mecharena, mech, _ := cMechanismList(m)
+	mecharena, mech := cMechanism(m)
 	defer mecharena.Free()
 	e := C.GenerateKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, t, tcount, C.CK_OBJECT_HANDLE_PTR(&key))
 	e1 := toError(e)
@@ -1570,7 +1522,7 @@ func (c *Ctx) GenerateKeyPair(sh SessionHandle, m []*Mechanism, public, private
 	defer pubarena.Free()
 	privarena, priv, privcount := cAttributeList(private)
 	defer privarena.Free()
-	mecharena, mech, _ := cMechanismList(m)
+	mecharena, mech := cMechanism(m)
 	defer mecharena.Free()
 	e := C.GenerateKeyPair(c.ctx, C.CK_SESSION_HANDLE(sh), mech, pub, pubcount, priv, privcount, C.CK_OBJECT_HANDLE_PTR(&pubkey), C.CK_OBJECT_HANDLE_PTR(&privkey))
 	e1 := toError(e)
@@ -1586,7 +1538,7 @@ func (c *Ctx) WrapKey(sh SessionHandle, m []*Mechanism, wrappingkey, key ObjectH
 		wrappedkey    C.CK_BYTE_PTR
 		wrappedkeylen C.CK_ULONG
 	)
-	arena, mech, _ := cMechanismList(m)
+	arena, mech := cMechanism(m)
 	defer arena.Free()
 	e := C.WrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(wrappingkey), C.CK_OBJECT_HANDLE(key), &wrappedkey, &wrappedkeylen)
 	if toError(e) != nil {
@@ -1602,7 +1554,7 @@ func (c *Ctx) UnwrapKey(sh SessionHandle, m []*Mechanism, unwrappingkey ObjectHa
 	var key C.CK_OBJECT_HANDLE
 	attrarena, ac, aclen := cAttributeList(a)
 	defer attrarena.Free()
-	mecharena, mech, _ := cMechanismList(m)
+	mecharena, mech := cMechanism(m)
 	defer mecharena.Free()
 	e := C.UnwrapKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(unwrappingkey), C.CK_BYTE_PTR(unsafe.Pointer(&wrappedkey[0])), C.CK_ULONG(len(wrappedkey)), ac, aclen, &key)
 	return ObjectHandle(key), toError(e)
@@ -1613,7 +1565,7 @@ func (c *Ctx) DeriveKey(sh SessionHandle, m []*Mechanism, basekey ObjectHandle,
 	var key C.CK_OBJECT_HANDLE
 	attrarena, ac, aclen := cAttributeList(a)
 	defer attrarena.Free()
-	mecharena, mech, _ := cMechanismList(m)
+	mecharena, mech := cMechanism(m)
 	defer mecharena.Free()
 	e := C.DeriveKey(c.ctx, C.CK_SESSION_HANDLE(sh), mech, C.CK_OBJECT_HANDLE(basekey), ac, aclen, &key)
 	return ObjectHandle(key), toError(e)

vendor/github.com/miekg/pkcs11/pkcs11go.h

@@ -13,7 +13,7 @@
 #define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
 
 #include <unistd.h>
-#ifdef REPACK_STRUCTURES
+#ifdef PACKED_STRUCTURES
 # pragma pack(push, 1)
 # include "pkcs11.h"
 # pragma pack(pop)
@@ -21,12 +21,9 @@
 # include "pkcs11.h"
 #endif
 
-#ifdef REPACK_STRUCTURES
-
-// Go doesn't support structures with non-default packing, but PKCS#11 requires
-// pack(1) on Windows. Use structures with the same members as the CK_ ones but
-// default packing, and copy data between the two.
-
+// Copy of CK_INFO but with default alignment (not packed). Go hides unaligned
+// struct fields so copying to an aligned struct is necessary to read CK_INFO
+// from Go on Windows where packing is required.
 typedef struct ckInfo {
 	CK_VERSION cryptokiVersion;
 	CK_UTF8CHAR manufacturerID[32];
@@ -34,50 +31,3 @@ typedef struct ckInfo {
 	CK_UTF8CHAR libraryDescription[32];
 	CK_VERSION libraryVersion;
 } ckInfo, *ckInfoPtr;
-
-typedef struct ckAttr {
-	CK_ATTRIBUTE_TYPE type;
-	CK_VOID_PTR pValue;
-	CK_ULONG ulValueLen;
-} ckAttr, *ckAttrPtr;
-
-typedef struct ckMech {
-	CK_MECHANISM_TYPE mechanism;
-	CK_VOID_PTR pParameter;
-	CK_ULONG ulParameterLen;
-} ckMech, *ckMechPtr;
-
-CK_RV attrsToC(CK_ATTRIBUTE_PTR *attrOut, ckAttrPtr attrIn, CK_ULONG count);
-void attrsFromC(ckAttrPtr attrOut, CK_ATTRIBUTE_PTR attrIn, CK_ULONG count);
-void mechToC(CK_MECHANISM_PTR mechOut, ckMechPtr mechIn);
-
-#define ATTR_TO_C(aout, ain, count, other) \
-	CK_ATTRIBUTE_PTR aout; \
-	{ \
-		CK_RV e = attrsToC(&aout, ain, count); \
-		if (e != CKR_OK ) { \
-			if (other != NULL) free(other); \
-			return e; \
-		} \
-	}
-#define ATTR_FREE(aout) free(aout)
-#define ATTR_FROM_C(aout, ain, count) attrsFromC(aout, ain, count)
-#define MECH_TO_C(mout, min) \
-	CK_MECHANISM mval, *mout = &mval; \
-	if (min != NULL) { mechToC(mout, min); \
-	} else { mout = NULL; }
-
-#else // REPACK_STRUCTURES
-
-// Dummy types and macros to avoid any unnecessary copying on UNIX
-
-typedef CK_INFO ckInfo, *ckInfoPtr;
-typedef CK_ATTRIBUTE ckAttr, *ckAttrPtr;
-typedef CK_MECHANISM ckMech, *ckMechPtr;
-
-#define ATTR_TO_C(aout, ain, count, other) CK_ATTRIBUTE_PTR aout = ain
-#define ATTR_FREE(aout)
-#define ATTR_FROM_C(aout, ain, count)
-#define MECH_TO_C(mout, min) CK_MECHANISM_PTR mout = min
-
-#endif // REPACK_STRUCTURES

vendor/github.com/miekg/pkcs11/pkcs11t.h

@@ -383,6 +383,11 @@ typedef CK_ULONG          CK_KEY_TYPE;
 #define CKK_GOSTR3411           0x00000031UL
 #define CKK_GOST28147           0x00000032UL
 
+#define CKK_SHA3_224_HMAC       0x00000033UL
+#define CKK_SHA3_256_HMAC       0x00000034UL
+#define CKK_SHA3_384_HMAC       0x00000035UL
+#define CKK_SHA3_512_HMAC       0x00000036UL
+
 
 
 #define CKK_VENDOR_DEFINED      0x80000000UL
@@ -610,6 +615,10 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_DSA_SHA256                 0x00000014UL
 #define CKM_DSA_SHA384                 0x00000015UL
 #define CKM_DSA_SHA512                 0x00000016UL
+#define CKM_DSA_SHA3_224               0x00000018UL
+#define CKM_DSA_SHA3_256               0x00000019UL
+#define CKM_DSA_SHA3_384               0x0000001AUL
+#define CKM_DSA_SHA3_512               0x0000001BUL
 
 #define CKM_DH_PKCS_KEY_PAIR_GEN       0x00000020UL
 #define CKM_DH_PKCS_DERIVE             0x00000021UL
@@ -643,6 +652,15 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_SHA512_T_HMAC_GENERAL      0x00000052UL
 #define CKM_SHA512_T_KEY_DERIVATION    0x00000053UL
 
+#define CKM_SHA3_256_RSA_PKCS          0x00000060UL
+#define CKM_SHA3_384_RSA_PKCS          0x00000061UL
+#define CKM_SHA3_512_RSA_PKCS          0x00000062UL
+#define CKM_SHA3_256_RSA_PKCS_PSS      0x00000063UL
+#define CKM_SHA3_384_RSA_PKCS_PSS      0x00000064UL
+#define CKM_SHA3_512_RSA_PKCS_PSS      0x00000065UL
+#define CKM_SHA3_224_RSA_PKCS          0x00000066UL
+#define CKM_SHA3_224_RSA_PKCS_PSS      0x00000067UL
+
 #define CKM_RC2_KEY_GEN                0x00000100UL
 #define CKM_RC2_ECB                    0x00000101UL
 #define CKM_RC2_CBC                    0x00000102UL
@@ -724,6 +742,23 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_ACTI                       0x000002A0UL
 #define CKM_ACTI_KEY_GEN               0x000002A1UL
 
+#define CKM_SHA3_256                   0x000002B0UL
+#define CKM_SHA3_256_HMAC              0x000002B1UL
+#define CKM_SHA3_256_HMAC_GENERAL      0x000002B2UL
+#define CKM_SHA3_256_KEY_GEN           0x000002B3UL
+#define CKM_SHA3_224                   0x000002B5UL
+#define CKM_SHA3_224_HMAC              0x000002B6UL
+#define CKM_SHA3_224_HMAC_GENERAL      0x000002B7UL
+#define CKM_SHA3_224_KEY_GEN           0x000002B8UL
+#define CKM_SHA3_384                   0x000002C0UL
+#define CKM_SHA3_384_HMAC              0x000002C1UL
+#define CKM_SHA3_384_HMAC_GENERAL      0x000002C2UL
+#define CKM_SHA3_384_KEY_GEN           0x000002C3UL
+#define CKM_SHA3_512                   0x000002D0UL
+#define CKM_SHA3_512_HMAC              0x000002D1UL
+#define CKM_SHA3_512_HMAC_GENERAL      0x000002D2UL
+#define CKM_SHA3_512_KEY_GEN           0x000002D3UL
+
 #define CKM_CAST_KEY_GEN               0x00000300UL
 #define CKM_CAST_ECB                   0x00000301UL
 #define CKM_CAST_CBC                   0x00000302UL
@@ -789,6 +824,12 @@ typedef CK_ULONG          CK_MECHANISM_TYPE;
 #define CKM_SHA384_KEY_DERIVATION      0x00000394UL
 #define CKM_SHA512_KEY_DERIVATION      0x00000395UL
 #define CKM_SHA224_KEY_DERIVATION      0x00000396UL
+#define CKM_SHA3_256_KEY_DERIVE        0x00000397UL
+#define CKM_SHA3_224_KEY_DERIVE        0x00000398UL
+#define CKM_SHA3_384_KEY_DERIVE        0x00000399UL
+#define CKM_SHA3_512_KEY_DERIVE        0x0000039AUL
+#define CKM_SHAKE_128_KEY_DERIVE       0x0000039BUL
+#define CKM_SHAKE_256_KEY_DERIVE       0x0000039CUL
 
 #define CKM_PBE_MD2_DES_CBC            0x000003A0UL
 #define CKM_PBE_MD5_DES_CBC            0x000003A1UL
@@ -1299,7 +1340,10 @@ typedef CK_ULONG CK_EC_KDF_TYPE;
 #define CKD_SHA384_KDF           0x00000007UL
 #define CKD_SHA512_KDF           0x00000008UL
 #define CKD_CPDIVERSIFY_KDF      0x00000009UL
-
+#define CKD_SHA3_224_KDF         0x0000000AUL
+#define CKD_SHA3_256_KDF         0x0000000BUL
+#define CKD_SHA3_384_KDF         0x0000000CUL
+#define CKD_SHA3_512_KDF         0x0000000DUL
 
 /* CK_ECDH1_DERIVE_PARAMS provides the parameters to the
  * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,

vendor/github.com/miekg/pkcs11/types.go

@@ -13,6 +13,16 @@ CK_ULONG Index(CK_ULONG_PTR array, CK_ULONG i)
 {
 	return array[i];
 }
+
+static inline void putAttributePval(CK_ATTRIBUTE_PTR a, CK_VOID_PTR pValue)
+{
+	a->pValue = pValue;
+}
+
+static inline void putMechanismParam(CK_MECHANISM_PTR m, CK_VOID_PTR pParameter)
+{
+	m->pParameter = pParameter;
+}
 */
 import "C"
 
@@ -187,22 +197,22 @@ func NewAttribute(typ uint, x interface{}) *Attribute {
 }
 
 // cAttribute returns the start address and the length of an attribute list.
-func cAttributeList(a []*Attribute) (arena, C.ckAttrPtr, C.CK_ULONG) {
+func cAttributeList(a []*Attribute) (arena, C.CK_ATTRIBUTE_PTR, C.CK_ULONG) {
 	var arena arena
 	if len(a) == 0 {
 		return nil, nil, 0
 	}
-	pa := make([]C.ckAttr, len(a))
-	for i := 0; i < len(a); i++ {
-		pa[i]._type = C.CK_ATTRIBUTE_TYPE(a[i].Type)
-		//skip attribute if length is 0 to prevent panic in arena.Allocate
-		if a[i].Value == nil || len(a[i].Value) == 0 {
-			continue
+	pa := make([]C.CK_ATTRIBUTE, len(a))
+	for i, attr := range a {
+		pa[i]._type = C.CK_ATTRIBUTE_TYPE(attr.Type)
+		if len(attr.Value) != 0 {
+			buf, len := arena.Allocate(attr.Value)
+			// field is unaligned on windows so this has to call into C
+			C.putAttributePval(&pa[i], buf)
+			pa[i].ulValueLen = len
 		}
-
-		pa[i].pValue, pa[i].ulValueLen = arena.Allocate(a[i].Value)
 	}
-	return arena, C.ckAttrPtr(&pa[0]), C.CK_ULONG(len(a))
+	return arena, &pa[0], C.CK_ULONG(len(a))
 }
 
 func cDate(t time.Time) []byte {
@@ -221,6 +231,7 @@ func cDate(t time.Time) []byte {
 type Mechanism struct {
 	Mechanism uint
 	Parameter []byte
+	generator interface{}
 }
 
 // NewMechanism returns a pointer to an initialized Mechanism.
@@ -231,32 +242,44 @@ func NewMechanism(mech uint, x interface{}) *Mechanism {
 		return m
 	}
 
-	switch x.(type) {
-	case *GCMParams:
-		m.Parameter = cGCMParams(x.(*GCMParams))
+	switch p := x.(type) {
+	case *GCMParams, *OAEPParams, *ECDH1DeriveParams:
+		// contains pointers; defer serialization until cMechanism
+		m.generator = p
+	case []byte:
+		m.Parameter = p
 	default:
-		m.Parameter = x.([]byte)
+		panic("parameter must be one of type: []byte, *GCMParams, *OAEPParams, *ECDH1DeriveParams")
 	}
 
 	return m
 }
 
-func cMechanismList(m []*Mechanism) (arena, C.ckMechPtr, C.CK_ULONG) {
+func cMechanism(mechList []*Mechanism) (arena, *C.CK_MECHANISM) {
+	if len(mechList) != 1 {
+		panic("expected exactly one mechanism")
+	}
+	mech := mechList[0]
+	cmech := &C.CK_MECHANISM{mechanism: C.CK_MECHANISM_TYPE(mech.Mechanism)}
+	// params that contain pointers are allocated here
+	param := mech.Parameter
 	var arena arena
-	if len(m) == 0 {
-		return nil, nil, 0
+	switch p := mech.generator.(type) {
+	case *GCMParams:
+		// uses its own arena because it has to outlive this function call (yuck)
+		param = cGCMParams(p)
+	case *OAEPParams:
+		param, arena = cOAEPParams(p, arena)
+	case *ECDH1DeriveParams:
+		param, arena = cECDH1DeriveParams(p, arena)
 	}
-	pm := make([]C.ckMech, len(m))
-	for i := 0; i < len(m); i++ {
-		pm[i].mechanism = C.CK_MECHANISM_TYPE(m[i].Mechanism)
-		//skip parameter if length is 0 to prevent panic in arena.Allocate
-		if m[i].Parameter == nil || len(m[i].Parameter) == 0 {
-			continue
-		}
-
-		pm[i].pParameter, pm[i].ulParameterLen = arena.Allocate(m[i].Parameter)
+	if len(param) != 0 {
+		buf, len := arena.Allocate(param)
+		// field is unaligned on windows so this has to call into C
+		C.putMechanismParam(cmech, buf)
+		cmech.ulParameterLen = len
 	}
-	return arena, C.ckMechPtr(&pm[0]), C.CK_ULONG(len(m))
+	return arena, cmech
 }
 
 // MechanismInfo provides information about a particular mechanism.
@@ -265,3 +288,16 @@ type MechanismInfo struct {
 	MaxKeySize uint
 	Flags      uint
 }
+
+// stubData is a persistent nonempty byte array used by cMessage.
+var stubData = []byte{0}
+
+// cMessage returns the pointer/length pair corresponding to data.
+func cMessage(data []byte) (dataPtr C.CK_BYTE_PTR) {
+	l := len(data)
+	if l == 0 {
+		// &data[0] is forbidden in this case, so use a nontrivial array instead.
+		data = stubData
+	}
+	return C.CK_BYTE_PTR(unsafe.Pointer(&data[0]))
+}

vendor/github.com/miekg/pkcs11/vendor.go

@@ -0,0 +1,127 @@
+package pkcs11
+
+// Vendor specific range for Ncipher network HSM.
+const (
+	NFCK_VENDOR_NCIPHER = 0xde436972
+	CKA_NCIPHER         = NFCK_VENDOR_NCIPHER
+	CKM_NCIPHER         = NFCK_VENDOR_NCIPHER
+	CKK_NCIPHER         = NFCK_VENDOR_NCIPHER
+)
+
+// Vendor specific mechanisms for HMAC on Ncipher HSMs where Ncipher does not allow use of generic_secret keys.
+const (
+	CKM_NC_SHA_1_HMAC_KEY_GEN  = CKM_NCIPHER + 0x3  /* no params */
+	CKM_NC_MD5_HMAC_KEY_GEN    = CKM_NCIPHER + 0x6  /* no params */
+	CKM_NC_SHA224_HMAC_KEY_GEN = CKM_NCIPHER + 0x24 /* no params */
+	CKM_NC_SHA256_HMAC_KEY_GEN = CKM_NCIPHER + 0x25 /* no params */
+	CKM_NC_SHA384_HMAC_KEY_GEN = CKM_NCIPHER + 0x26 /* no params */
+	CKM_NC_SHA512_HMAC_KEY_GEN = CKM_NCIPHER + 0x27 /* no params */
+)
+
+// Vendor specific range for Mozilla NSS.
+const (
+	NSSCK_VENDOR_NSS   = 0x4E534350
+	CKO_NSS            = CKO_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKK_NSS            = CKK_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKC_NSS            = CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKA_NSS            = CKA_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKA_TRUST          = CKA_NSS + 0x2000
+	CKM_NSS            = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKR_NSS            = CKM_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+	CKT_VENDOR_DEFINED = 0x80000000
+	CKT_NSS            = CKT_VENDOR_DEFINED | NSSCK_VENDOR_NSS
+)
+
+// Vendor specific values for Mozilla NSS.
+const (
+	CKO_NSS_CRL                               = CKO_NSS + 1
+	CKO_NSS_SMIME                             = CKO_NSS + 2
+	CKO_NSS_TRUST                             = CKO_NSS + 3
+	CKO_NSS_BUILTIN_ROOT_LIST                 = CKO_NSS + 4
+	CKO_NSS_NEWSLOT                           = CKO_NSS + 5
+	CKO_NSS_DELSLOT                           = CKO_NSS + 6
+	CKK_NSS_PKCS8                             = CKK_NSS + 1
+	CKK_NSS_JPAKE_ROUND1                      = CKK_NSS + 2
+	CKK_NSS_JPAKE_ROUND2                      = CKK_NSS + 3
+	CKK_NSS_CHACHA20                          = CKK_NSS + 4
+	CKA_NSS_URL                               = CKA_NSS + 1
+	CKA_NSS_EMAIL                             = CKA_NSS + 2
+	CKA_NSS_SMIME_INFO                        = CKA_NSS + 3
+	CKA_NSS_SMIME_TIMESTAMP                   = CKA_NSS + 4
+	CKA_NSS_PKCS8_SALT                        = CKA_NSS + 5
+	CKA_NSS_PASSWORD_CHECK                    = CKA_NSS + 6
+	CKA_NSS_EXPIRES                           = CKA_NSS + 7
+	CKA_NSS_KRL                               = CKA_NSS + 8
+	CKA_NSS_PQG_COUNTER                       = CKA_NSS + 20
+	CKA_NSS_PQG_SEED                          = CKA_NSS + 21
+	CKA_NSS_PQG_H                             = CKA_NSS + 22
+	CKA_NSS_PQG_SEED_BITS                     = CKA_NSS + 23
+	CKA_NSS_MODULE_SPEC                       = CKA_NSS + 24
+	CKA_NSS_OVERRIDE_EXTENSIONS               = CKA_NSS + 25
+	CKA_NSS_JPAKE_SIGNERID                    = CKA_NSS + 26
+	CKA_NSS_JPAKE_PEERID                      = CKA_NSS + 27
+	CKA_NSS_JPAKE_GX1                         = CKA_NSS + 28
+	CKA_NSS_JPAKE_GX2                         = CKA_NSS + 29
+	CKA_NSS_JPAKE_GX3                         = CKA_NSS + 30
+	CKA_NSS_JPAKE_GX4                         = CKA_NSS + 31
+	CKA_NSS_JPAKE_X2                          = CKA_NSS + 32
+	CKA_NSS_JPAKE_X2S                         = CKA_NSS + 33
+	CKA_NSS_MOZILLA_CA_POLICY                 = CKA_NSS + 34
+	CKA_TRUST_DIGITAL_SIGNATURE               = CKA_TRUST + 1
+	CKA_TRUST_NON_REPUDIATION                 = CKA_TRUST + 2
+	CKA_TRUST_KEY_ENCIPHERMENT                = CKA_TRUST + 3
+	CKA_TRUST_DATA_ENCIPHERMENT               = CKA_TRUST + 4
+	CKA_TRUST_KEY_AGREEMENT                   = CKA_TRUST + 5
+	CKA_TRUST_KEY_CERT_SIGN                   = CKA_TRUST + 6
+	CKA_TRUST_CRL_SIGN                        = CKA_TRUST + 7
+	CKA_TRUST_SERVER_AUTH                     = CKA_TRUST + 8
+	CKA_TRUST_CLIENT_AUTH                     = CKA_TRUST + 9
+	CKA_TRUST_CODE_SIGNING                    = CKA_TRUST + 10
+	CKA_TRUST_EMAIL_PROTECTION                = CKA_TRUST + 11
+	CKA_TRUST_IPSEC_END_SYSTEM                = CKA_TRUST + 12
+	CKA_TRUST_IPSEC_TUNNEL                    = CKA_TRUST + 13
+	CKA_TRUST_IPSEC_USER                      = CKA_TRUST + 14
+	CKA_TRUST_TIME_STAMPING                   = CKA_TRUST + 15
+	CKA_TRUST_STEP_UP_APPROVED                = CKA_TRUST + 16
+	CKA_CERT_SHA1_HASH                        = CKA_TRUST + 100
+	CKA_CERT_MD5_HASH                         = CKA_TRUST + 101
+	CKM_NSS_AES_KEY_WRAP                      = CKM_NSS + 1
+	CKM_NSS_AES_KEY_WRAP_PAD                  = CKM_NSS + 2
+	CKM_NSS_HKDF_SHA1                         = CKM_NSS + 3
+	CKM_NSS_HKDF_SHA256                       = CKM_NSS + 4
+	CKM_NSS_HKDF_SHA384                       = CKM_NSS + 5
+	CKM_NSS_HKDF_SHA512                       = CKM_NSS + 6
+	CKM_NSS_JPAKE_ROUND1_SHA1                 = CKM_NSS + 7
+	CKM_NSS_JPAKE_ROUND1_SHA256               = CKM_NSS + 8
+	CKM_NSS_JPAKE_ROUND1_SHA384               = CKM_NSS + 9
+	CKM_NSS_JPAKE_ROUND1_SHA512               = CKM_NSS + 10
+	CKM_NSS_JPAKE_ROUND2_SHA1                 = CKM_NSS + 11
+	CKM_NSS_JPAKE_ROUND2_SHA256               = CKM_NSS + 12
+	CKM_NSS_JPAKE_ROUND2_SHA384               = CKM_NSS + 13
+	CKM_NSS_JPAKE_ROUND2_SHA512               = CKM_NSS + 14
+	CKM_NSS_JPAKE_FINAL_SHA1                  = CKM_NSS + 15
+	CKM_NSS_JPAKE_FINAL_SHA256                = CKM_NSS + 16
+	CKM_NSS_JPAKE_FINAL_SHA384                = CKM_NSS + 17
+	CKM_NSS_JPAKE_FINAL_SHA512                = CKM_NSS + 18
+	CKM_NSS_HMAC_CONSTANT_TIME                = CKM_NSS + 19
+	CKM_NSS_SSL3_MAC_CONSTANT_TIME            = CKM_NSS + 20
+	CKM_NSS_TLS_PRF_GENERAL_SHA256            = CKM_NSS + 21
+	CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256      = CKM_NSS + 22
+	CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256     = CKM_NSS + 23
+	CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256   = CKM_NSS + 24
+	CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE    = CKM_NSS + 25
+	CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH = CKM_NSS + 26
+	CKM_NSS_CHACHA20_KEY_GEN                  = CKM_NSS + 27
+	CKM_NSS_CHACHA20_POLY1305                 = CKM_NSS + 28
+	CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN    = CKM_NSS + 29
+	CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN    = CKM_NSS + 30
+	CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN    = CKM_NSS + 31
+	CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN    = CKM_NSS + 32
+	CKR_NSS_CERTDB_FAILED                     = CKR_NSS + 1
+	CKR_NSS_KEYDB_FAILED                      = CKR_NSS + 2
+	CKT_NSS_TRUSTED                           = CKT_NSS + 1
+	CKT_NSS_TRUSTED_DELEGATOR                 = CKT_NSS + 2
+	CKT_NSS_MUST_VERIFY_TRUST                 = CKT_NSS + 3
+	CKT_NSS_NOT_TRUSTED                       = CKT_NSS + 10
+	CKT_NSS_TRUST_UNKNOWN                     = CKT_NSS + 5
+)

vendor/github.com/moby/buildkit/README.md

@@ -27,9 +27,11 @@ Read the proposal from https://github.com/moby/moby/issues/32925
 
 Introductory blog post https://blog.mobyproject.org/introducing-buildkit-17e056cc5317
 
+:information_source: If you are visiting this repo for the usage of experimental Dockerfile features like `RUN --mount=type=(bind|cache|tmpfs|secret|ssh)`, please refer to [`frontend/dockerfile/docs/experimental.md`](frontend/dockerfile/docs/experimental.md).
+
 ### Used by
 
-[Moby](https://github.com/moby/moby/pull/37151)
+[Moby & Docker](https://github.com/moby/moby/pull/37151)
 
 [img](https://github.com/genuinetools/img)
 
@@ -37,6 +39,12 @@ Introductory blog post https://blog.mobyproject.org/introducing-buildkit-17e056c
 
 [container build interface](https://github.com/containerbuilding/cbi)
 
+[Knative Build Templates](https://github.com/knative/build-templates)
+
+[boss](https://github.com/crosbymichael/boss)
+
+[Rio](https://github.com/rancher/rio) (on roadmap)
+
 ### Quick start
 
 Dependencies:
@@ -79,6 +87,7 @@ See [`solver/pb/ops.proto`](./solver/pb/ops.proto) for the format definition.
 Currently, following high-level languages has been implemented for LLB:
 
 - Dockerfile (See [Exploring Dockerfiles](#exploring-dockerfiles))
+- [Buildpacks](https://github.com/tonistiigi/buildkit-pack)
 - (open a PR to add your own language)
 
 For understanding the basics of LLB, `examples/buildkit*` directory contains scripts that define how to build different configurations of BuildKit itself and its dependencies using the `client` package. Running one of these scripts generates a protobuf definition of a build graph. Note that the script itself does not execute any steps of the build.
@@ -136,15 +145,19 @@ build-using-dockerfile -t mybuildkit -f ./hack/dockerfiles/test.Dockerfile .
 docker inspect myimage
 ```
 
-##### Building a Dockerfile using [external frontend](https://hub.docker.com/r/tonistiigi/dockerfile/tags/):
+##### Building a Dockerfile using [external frontend](https://hub.docker.com/r/docker/dockerfile/tags/):
 
-During development, an external version of the Dockerfile frontend is pushed to https://hub.docker.com/r/tonistiigi/dockerfile that can be used with the gateway frontend. The source for the external frontend is currently located in `./frontend/dockerfile/cmd/dockerfile-frontend` but will move out of this repository in the future ([#163](https://github.com/moby/buildkit/issues/163)). For automatic build from master branch of this repository `tonistiigi/dockerfile:master` image can be used.
+External versions of the Dockerfile frontend are pushed to https://hub.docker.com/r/docker/dockerfile-upstream and https://hub.docker.com/r/docker/dockerfile and can be used with the gateway frontend. The source for the external frontend is currently located in `./frontend/dockerfile/cmd/dockerfile-frontend` but will move out of this repository in the future ([#163](https://github.com/moby/buildkit/issues/163)). For automatic build from master branch of this repository `docker/dockerfile-upsteam:master` or `docker/dockerfile-upstream:master-experimental` image can be used.
 
 ```
-buildctl build --frontend=gateway.v0 --frontend-opt=source=tonistiigi/dockerfile --local context=. --local dockerfile=.
-buildctl build --frontend gateway.v0 --frontend-opt=source=tonistiigi/dockerfile --frontend-opt=context=git://github.com/moby/moby --frontend-opt build-arg:APT_MIRROR=cdn-fastly.deb.debian.org
+buildctl build --frontend=gateway.v0 --frontend-opt=source=docker/dockerfile --local context=. --local dockerfile=.
+buildctl build --frontend gateway.v0 --frontend-opt=source=docker/dockerfile --frontend-opt=context=git://github.com/moby/moby --frontend-opt build-arg:APT_MIRROR=cdn-fastly.deb.debian.org
 ````
 
+##### Building a Dockerfile with experimental features like `RUN --mount=type=(bind|cache|tmpfs|secret|ssh)`
+
+See [`frontend/dockerfile/docs/experimental.md`](frontend/dockerfile/docs/experimental.md).
+
 ### Exporters
 
 By default, the build result and intermediate cache will only remain internally in BuildKit. Exporter needs to be specified to retrieve the result.
@@ -207,15 +220,22 @@ buildctl debug workers -v
 
 BuildKit can also be used by running the `buildkitd` daemon inside a Docker container and accessing it remotely. The client tool `buildctl` is also available for Mac and Windows.
 
+We provide `buildkitd` container images as [`moby/buildkit`](https://hub.docker.com/r/moby/buildkit/tags/):
+
+* `moby/buildkit:latest`: built from the latest regular [release](https://github.com/moby/buildkit/releases)
+* `moby/buildkit:rootless`: same as `latest` but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)
+* `moby/buildkit:master`: built from the master branch
+* `moby/buildkit:master-rootless`: same as master but runs as an unprivileged user, see [`docs/rootless.md`](docs/rootless.md)
+
 To run daemon in a container:
 
 ```
-docker run -d --privileged -p 1234:1234 tonistiigi/buildkit --addr tcp://0.0.0.0:1234
+docker run -d --privileged -p 1234:1234 moby/buildkit:latest --addr tcp://0.0.0.0:1234
 export BUILDKIT_HOST=tcp://0.0.0.0:1234
 buildctl build --help
 ```
 
-The `tonistiigi/buildkit` image can be built locally using the Dockerfile in `./hack/dockerfiles/test.Dockerfile`.
+The images can be also built locally using `./hack/dockerfiles/test.Dockerfile` (or `./hack/dockerfiles/test.buildkit.Dockerfile` if you already have BuildKit).
 
 ### Opentracing support
 
@@ -232,7 +252,7 @@ export JAEGER_TRACE=0.0.0.0:6831
 
 ### Supported runc version
 
-During development, BuildKit is tested with the version of runc that is being used by the containerd repository. Please refer to [runc.md](https://github.com/containerd/containerd/blob/v1.1.3/RUNC.md) for more information.
+During development, BuildKit is tested with the version of runc that is being used by the containerd repository. Please refer to [runc.md](https://github.com/containerd/containerd/blob/v1.2.0-rc.1/RUNC.md) for more information.
 
 ### Running BuildKit without root privileges
 

vendor/github.com/moby/buildkit/client/llb/source.go

@@ -126,30 +126,11 @@ func Image(ref string, opts ...ImageOption) State {
 		if err != nil {
 			src.err = err
 		} else {
-			var img struct {
-				Config struct {
-					Env        []string `json:"Env,omitempty"`
-					WorkingDir string   `json:"WorkingDir,omitempty"`
-					User       string   `json:"User,omitempty"`
-				} `json:"config,omitempty"`
-			}
-			if err := json.Unmarshal(dt, &img); err != nil {
-				src.err = err
-			} else {
-				st := NewState(src.Output())
-				for _, env := range img.Config.Env {
-					parts := strings.SplitN(env, "=", 2)
-					if len(parts[0]) > 0 {
-						var v string
-						if len(parts) > 1 {
-							v = parts[1]
-						}
-						st = st.AddEnv(parts[0], v)
-					}
-				}
-				st = st.Dir(img.Config.WorkingDir)
+			st, err := NewState(src.Output()).WithImageConfig(dt)
+			if err == nil {
 				return st
 			}
+			src.err = err
 		}
 	}
 	return NewState(src.Output())

vendor/github.com/moby/buildkit/client/llb/state.go

@@ -2,8 +2,10 @@ package llb
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net"
+	"strings"
 
 	"github.com/containerd/containerd/platforms"
 	"github.com/moby/buildkit/identity"
@@ -171,6 +173,31 @@ func (s State) WithOutput(o Output) State {
 	return s
 }
 
+func (s State) WithImageConfig(c []byte) (State, error) {
+	var img struct {
+		Config struct {
+			Env        []string `json:"Env,omitempty"`
+			WorkingDir string   `json:"WorkingDir,omitempty"`
+			User       string   `json:"User,omitempty"`
+		} `json:"config,omitempty"`
+	}
+	if err := json.Unmarshal(c, &img); err != nil {
+		return State{}, err
+	}
+	for _, env := range img.Config.Env {
+		parts := strings.SplitN(env, "=", 2)
+		if len(parts[0]) > 0 {
+			var v string
+			if len(parts) > 1 {
+				v = parts[1]
+			}
+			s = s.AddEnv(parts[0], v)
+		}
+	}
+	s = s.Dir(img.Config.WorkingDir)
+	return s, nil
+}
+
 func (s State) Run(ro ...RunOption) ExecState {
 	ei := &ExecInfo{State: s}
 	if p := s.GetPlatform(); p != nil {

vendor/github.com/moby/buildkit/frontend/gateway/grpcclient/client.go

@@ -356,6 +356,9 @@ func (r *reference) ReadFile(ctx context.Context, req client.ReadRequest) ([]byt
 }
 
 func (r *reference) ReadDir(ctx context.Context, req client.ReadDirRequest) ([]*fstypes.Stat, error) {
+	if err := r.c.caps.Supports(pb.CapReadDir); err != nil {
+		return nil, err
+	}
 	rdr := &pb.ReadDirRequest{
 		DirPath:        req.Path,
 		IncludePattern: req.IncludePattern,
@@ -369,6 +372,9 @@ func (r *reference) ReadDir(ctx context.Context, req client.ReadDirRequest) ([]*
 }
 
 func (r *reference) StatFile(ctx context.Context, req client.StatRequest) (*fstypes.Stat, error) {
+	if err := r.c.caps.Supports(pb.CapStatFile); err != nil {
+		return nil, err
+	}
 	rdr := &pb.StatFileRequest{
 		Path: req.Path,
 		Ref:  r.id,

vendor/github.com/moby/buildkit/session/session.go

@@ -24,7 +24,7 @@ const (
 // Dialer returns a connection that can be used by the session
 type Dialer func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error)
 
-// Attachable defines a feature that can be expsed on a session
+// Attachable defines a feature that can be exposed on a session
 type Attachable interface {
 	Register(*grpc.Server)
 }
@@ -66,7 +66,7 @@ func NewSession(ctx context.Context, name, sharedKey string) (*Session, error) {
 	return s, nil
 }
 
-// Allow enable a given service to be reachable through the grpc session
+// Allow enables a given service to be reachable through the grpc session
 func (s *Session) Allow(a Attachable) {
 	a.Register(s.grpcServer)
 }

vendor/github.com/moby/buildkit/vendor.conf

@@ -6,7 +6,7 @@ github.com/davecgh/go-spew v1.1.0
 github.com/pmezard/go-difflib v1.0.0
 golang.org/x/sys 1b2967e3c290b7c545b3db0deeda16e9be4f98a2
 
-github.com/containerd/containerd d97a907f7f781c0ab8340877d8e6b53cc7f1c2f6
+github.com/containerd/containerd 1a5f9a3434ac53c0e9d27093ecc588e0c281c333
 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40
 golang.org/x/sync 450f422ab23cf9881c94e2db30cac0eb1b7cf80c
 github.com/sirupsen/logrus v1.0.0
@@ -16,9 +16,9 @@ golang.org/x/net 0ed95abb35c445290478a5348a7b38bb154135fd
 github.com/gogo/protobuf v1.0.0
 github.com/gogo/googleapis b23578765ee54ff6bceff57f397d833bf4ca6869
 github.com/golang/protobuf v1.1.0
-github.com/containerd/continuity f44b615e492bdfb371aae2f76ec694d9da1db537
+github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4
 github.com/opencontainers/image-spec v1.0.1
-github.com/opencontainers/runc 20aff4f0488c6d4b8df4d85b4f63f1f704c11abd
+github.com/opencontainers/runc a00bf0190895aa465a5fbed0268888e2c8ddfe85
 github.com/Microsoft/go-winio v0.4.11
 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c
 github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353 # v1.0.1-45-geba862d
@@ -28,8 +28,9 @@ google.golang.org/genproto d80a6e20e776b0b17a324d0ba1ab50a39c8e8944
 golang.org/x/text 19e51611da83d6be54ddafce4a4af510cb3e9ea4
 github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9
 github.com/syndtr/gocapability db04d3cc01c8b54962a58ec7e491717d06cfcc16
-github.com/Microsoft/hcsshim v0.7.3
+github.com/Microsoft/hcsshim v0.7.9
 golang.org/x/crypto 0709b304e793a5edb4a2c0145f281ecdc20838a4
+github.com/containerd/cri 8506fe836677cc3bb23a16b68145128243d843b5 # release/1.2 branch
 
 github.com/urfave/cli 7bc6a0acffa589f415f88aca16cc1de5ffd66f9c
 github.com/morikuni/aec 39771216ff4c63d11f5e604076f9c45e8be1067b
@@ -40,8 +41,8 @@ golang.org/x/time f51c12702a4d776e4c1fa9b0fabab841babae631
 github.com/docker/docker 71cd53e4a197b303c6ba086bd584ffd67a884281
 github.com/pkg/profile 5b67d428864e92711fcbd2f8629456121a56d91f
 
-github.com/tonistiigi/fsutil f567071bed2416e4d87d260d3162722651182317
-github.com/hashicorp/go-immutable-radix 826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git
+github.com/tonistiigi/fsutil 2862f6bc5ac9b97124e552a5c108230b38a1b0ca
+github.com/hashicorp/go-immutable-radix 826af9ccf0feeee615d546d69b11f8e98da8c8f1 https://github.com/tonistiigi/go-immutable-radix
 github.com/hashicorp/golang-lru a0d98a5f288019575c6d1f4bb1573fef2d1fcdc4
 github.com/mitchellh/hashstructure 2bca23e0e452137f789efbc8610126fd8b94f73b
 github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d
@@ -66,6 +67,3 @@ github.com/opentracing-contrib/go-stdlib b1a47cfbdd7543e70e9ef3e73d0802ad306cc1c
 # used by dockerfile tests
 gotest.tools v2.1.0
 github.com/google/go-cmp v0.2.0
-
-# used by rootless spec conv test
-github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0

vendor/github.com/tonistiigi/fsutil/walker.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/docker/docker/pkg/fileutils"
@@ -71,7 +72,7 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 			return err
 		}
 		defer func() {
-			if retErr != nil && os.IsNotExist(errors.Cause(retErr)) {
+			if retErr != nil && isNotExist(retErr) {
 				retErr = filepath.SkipDir
 			}
 		}()
@@ -216,3 +217,14 @@ func trimUntilIndex(str, sep string, count int) string {
 		}
 	}
 }
+
+func isNotExist(err error) bool {
+	err = errors.Cause(err)
+	if os.IsNotExist(err) {
+		return true
+	}
+	if pe, ok := err.(*os.PathError); ok {
+		err = pe.Err
+	}
+	return err == syscall.ENOTDIR
+}