From 1b60c9d7c6f4121a5561022986a0ae4627668b1b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 20 Nov 2025 02:01:56 +0000
Subject: [PATCH] Bump golang.org/x/crypto from 0.37.0 to 0.45.0

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.37.0 to 0.45.0.
- [Commits](https://github.com/golang/crypto/compare/v0.37.0...v0.45.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.45.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 go.mod                                        |   12 +-
 go.sum                                        |   24 +-
 vendor/golang.org/x/crypto/argon2/argon2.go   |   18 +-
 vendor/golang.org/x/crypto/blake2b/blake2x.go |    8 +
 vendor/golang.org/x/crypto/blake2b/go125.go   |   11 +
 .../x/crypto/chacha20/chacha_arm64.s          |    2 +-
 .../x/crypto/curve25519/curve25519.go         |   13 +-
 vendor/golang.org/x/crypto/sha3/doc.go        |   66 -
 vendor/golang.org/x/crypto/sha3/hashes.go     |  133 +-
 .../golang.org/x/crypto/sha3/hashes_noasm.go  |   23 -
 .../golang.org/x/crypto/sha3/keccakf_amd64.go |   13 -
 .../golang.org/x/crypto/sha3/keccakf_amd64.s  | 5419 -----------------
 .../x/crypto/sha3/{sha3.go => legacy_hash.go} |   49 +-
 .../sha3/{keccakf.go => legacy_keccakf.go}    |    6 +-
 vendor/golang.org/x/crypto/sha3/sha3_s390x.go |  303 -
 vendor/golang.org/x/crypto/sha3/sha3_s390x.s  |   33 -
 vendor/golang.org/x/crypto/sha3/shake.go      |  172 +-
 .../golang.org/x/crypto/sha3/shake_noasm.go   |   15 -
 .../golang.org/x/crypto/ssh/agent/client.go   |   28 +-
 .../golang.org/x/crypto/ssh/agent/keyring.go  |    2 +-
 .../golang.org/x/crypto/ssh/agent/server.go   |    7 +-
 vendor/golang.org/x/crypto/ssh/certs.go       |   67 +-
 vendor/golang.org/x/crypto/ssh/cipher.go      |   74 +-
 vendor/golang.org/x/crypto/ssh/client.go      |    1 +
 vendor/golang.org/x/crypto/ssh/client_auth.go |   26 +-
 vendor/golang.org/x/crypto/ssh/common.go      |  475 +-
 vendor/golang.org/x/crypto/ssh/connection.go  |   12 +
 vendor/golang.org/x/crypto/ssh/doc.go         |   11 +
 vendor/golang.org/x/crypto/ssh/handshake.go   |   33 +-
 vendor/golang.org/x/crypto/ssh/kex.go         |  155 +-
 vendor/golang.org/x/crypto/ssh/keys.go        |   97 +-
 .../x/crypto/ssh/knownhosts/knownhosts.go     |   22 +-
 vendor/golang.org/x/crypto/ssh/mac.go         |   42 +-
 vendor/golang.org/x/crypto/ssh/messages.go    |    8 +-
 vendor/golang.org/x/crypto/ssh/mlkem.go       |  168 +
 vendor/golang.org/x/crypto/ssh/server.go      |   46 +-
 vendor/golang.org/x/crypto/ssh/ssh_gss.go     |    8 +-
 vendor/golang.org/x/crypto/ssh/streamlocal.go |    4 +-
 vendor/golang.org/x/crypto/ssh/tcpip.go       |  124 +-
 vendor/golang.org/x/crypto/ssh/transport.go   |   19 +-
 vendor/golang.org/x/net/context/context.go    |   70 +-
 .../golang.org/x/net/internal/socks/socks.go  |    2 +-
 vendor/golang.org/x/sync/errgroup/errgroup.go |    2 +-
 vendor/golang.org/x/sys/cpu/cpu.go            |    3 +
 vendor/golang.org/x/sys/cpu/cpu_arm64.go      |   20 +-
 vendor/golang.org/x/sys/cpu/cpu_arm64.s       |   19 +-
 vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go   |    1 +
 .../golang.org/x/sys/cpu/cpu_gccgo_arm64.go   |    1 +
 .../golang.org/x/sys/cpu/cpu_netbsd_arm64.go  |    2 +-
 .../golang.org/x/sys/cpu/cpu_openbsd_arm64.go |    2 +-
 .../golang.org/x/sys/unix/affinity_linux.go   |    9 +
 vendor/golang.org/x/sys/unix/fdset.go         |    4 +-
 vendor/golang.org/x/sys/unix/ifreq_linux.go   |    4 +-
 vendor/golang.org/x/sys/unix/mkall.sh         |    1 +
 vendor/golang.org/x/sys/unix/mkerrors.sh      |    2 +
 vendor/golang.org/x/sys/unix/syscall_linux.go |   10 +-
 .../golang.org/x/sys/unix/syscall_netbsd.go   |   17 +
 vendor/golang.org/x/sys/unix/zerrors_linux.go |  359 ++
 .../golang.org/x/sys/unix/zsyscall_linux.go   |   10 +
 vendor/golang.org/x/sys/unix/ztypes_linux.go  |   31 +
 .../x/sys/windows/syscall_windows.go          |   17 +
 .../golang.org/x/sys/windows/types_windows.go |   92 +
 .../x/sys/windows/zsyscall_windows.go         |   55 +
 vendor/golang.org/x/term/terminal.go          |    6 +-
 vendor/modules.txt                            |   16 +-
 65 files changed, 1885 insertions(+), 6619 deletions(-)
 create mode 100644 vendor/golang.org/x/crypto/blake2b/go125.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/doc.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/hashes_noasm.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
 rename vendor/golang.org/x/crypto/sha3/{sha3.go => legacy_hash.go} (83%)
 rename vendor/golang.org/x/crypto/sha3/{keccakf.go => legacy_keccakf.go} (98%)
 delete mode 100644 vendor/golang.org/x/crypto/sha3/sha3_s390x.go
 delete mode 100644 vendor/golang.org/x/crypto/sha3/sha3_s390x.s
 delete mode 100644 vendor/golang.org/x/crypto/sha3/shake_noasm.go
 create mode 100644 vendor/golang.org/x/crypto/ssh/mlkem.go

diff --git a/go.mod b/go.mod
index 81f7d8df3..601b01fb0 100644
--- a/go.mod
+++ b/go.mod
@@ -39,8 +39,8 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
-	golang.org/x/sync v0.17.0
-	golang.org/x/sys v0.36.0
+	golang.org/x/sync v0.18.0
+	golang.org/x/sys v0.38.0
 	gopkg.in/ozeidan/fuzzy-patricia.v3 v3.0.0
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -79,10 +79,10 @@ require (
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	golang.org/x/crypto v0.37.0 // indirect
-	golang.org/x/net v0.39.0 // indirect
-	golang.org/x/term v0.35.0 // indirect
-	golang.org/x/text v0.29.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	gopkg.in/fsnotify.v1 v1.4.7 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/go.sum b/go.sum
index ec9495501..274d425d5 100644
--- a/go.sum
+++ b/go.sum
@@ -330,8 +330,8 @@ golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -410,8 +410,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -437,8 +437,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20170407050850-f3918c30c5c2/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -491,8 +491,8 @@ golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -502,8 +502,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
-golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -518,8 +518,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
diff --git a/vendor/golang.org/x/crypto/argon2/argon2.go b/vendor/golang.org/x/crypto/argon2/argon2.go
index 29f0a2de4..2b65ec91a 100644
--- a/vendor/golang.org/x/crypto/argon2/argon2.go
+++ b/vendor/golang.org/x/crypto/argon2/argon2.go
@@ -6,7 +6,7 @@
 // Argon2 was selected as the winner of the Password Hashing Competition and can
 // be used to derive cryptographic keys from passwords.
 //
-// For a detailed specification of Argon2 see [1].
+// For a detailed specification of Argon2 see [argon2-specs.pdf].
 //
 // If you aren't sure which function you need, use Argon2id (IDKey) and
 // the parameter recommendations for your scenario.
@@ -17,7 +17,7 @@
 // It uses data-independent memory access, which is preferred for password
 // hashing and password-based key derivation. Argon2i requires more passes over
 // memory than Argon2id to protect from trade-off attacks. The recommended
-// parameters (taken from [2]) for non-interactive operations are time=3 and to
+// parameters (taken from [RFC 9106 Section 7.3]) for non-interactive operations are time=3 and to
 // use the maximum available memory.
 //
 // # Argon2id
@@ -27,11 +27,11 @@
 // half of the first iteration over the memory and data-dependent memory access
 // for the rest. Argon2id is side-channel resistant and provides better brute-
 // force cost savings due to time-memory tradeoffs than Argon2i. The recommended
-// parameters for non-interactive operations (taken from [2]) are time=1 and to
+// parameters for non-interactive operations (taken from [RFC 9106 Section 7.3]) are time=1 and to
 // use the maximum available memory.
 //
-// [1] https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
-// [2] https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#section-9.3
+// [argon2-specs.pdf]: https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
+// [RFC 9106 Section 7.3]: https://www.rfc-editor.org/rfc/rfc9106.html#section-7.3
 package argon2
 
 import (
@@ -59,7 +59,7 @@ const (
 //
 //	key := argon2.Key([]byte("some password"), salt, 3, 32*1024, 4, 32)
 //
-// The draft RFC recommends[2] time=3, and memory=32*1024 is a sensible number.
+// [RFC 9106 Section 7.3] recommends time=3, and memory=32*1024 as a sensible number.
 // If using that amount of memory (32 MB) is not possible in some contexts then
 // the time parameter can be increased to compensate.
 //
@@ -69,6 +69,8 @@ const (
 // adjusted to the number of available CPUs. The cost parameters should be
 // increased as memory latency and CPU parallelism increases. Remember to get a
 // good random salt.
+//
+// [RFC 9106 Section 7.3]: https://www.rfc-editor.org/rfc/rfc9106.html#section-7.3
 func Key(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
 	return deriveKey(argon2i, password, salt, nil, nil, time, memory, threads, keyLen)
 }
@@ -83,7 +85,7 @@ func Key(password, salt []byte, time, memory uint32, threads uint8, keyLen uint3
 //
 //	key := argon2.IDKey([]byte("some password"), salt, 1, 64*1024, 4, 32)
 //
-// The draft RFC recommends[2] time=1, and memory=64*1024 is a sensible number.
+// [RFC 9106 Section 7.3] recommends time=1, and memory=64*1024 as a sensible number.
 // If using that amount of memory (64 MB) is not possible in some contexts then
 // the time parameter can be increased to compensate.
 //
@@ -93,6 +95,8 @@ func Key(password, salt []byte, time, memory uint32, threads uint8, keyLen uint3
 // adjusted to the numbers of available CPUs. The cost parameters should be
 // increased as memory latency and CPU parallelism increases. Remember to get a
 // good random salt.
+//
+// [RFC 9106 Section 7.3]: https://www.rfc-editor.org/rfc/rfc9106.html#section-7.3
 func IDKey(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
 	return deriveKey(argon2id, password, salt, nil, nil, time, memory, threads, keyLen)
 }
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2x.go b/vendor/golang.org/x/crypto/blake2b/blake2x.go
index 52c414db0..7692bb346 100644
--- a/vendor/golang.org/x/crypto/blake2b/blake2x.go
+++ b/vendor/golang.org/x/crypto/blake2b/blake2x.go
@@ -12,6 +12,8 @@ import (
 
 // XOF defines the interface to hash functions that
 // support arbitrary-length output.
+//
+// New callers should prefer the standard library [hash.XOF].
 type XOF interface {
 	// Write absorbs more data into the hash's state. It panics if called
 	// after Read.
@@ -47,6 +49,8 @@ const maxOutputLength = (1 << 32) * 64
 //
 // A non-nil key turns the hash into a MAC. The key must between
 // zero and 32 bytes long.
+//
+// The result can be safely interface-upgraded to [hash.XOF].
 func NewXOF(size uint32, key []byte) (XOF, error) {
 	if len(key) > Size {
 		return nil, errKeySize
@@ -93,6 +97,10 @@ func (x *xof) Clone() XOF {
 	return &clone
 }
 
+func (x *xof) BlockSize() int {
+	return x.d.BlockSize()
+}
+
 func (x *xof) Reset() {
 	x.cfg[0] = byte(Size)
 	binary.LittleEndian.PutUint32(x.cfg[4:], uint32(Size)) // leaf length
diff --git a/vendor/golang.org/x/crypto/blake2b/go125.go b/vendor/golang.org/x/crypto/blake2b/go125.go
new file mode 100644
index 000000000..67e990b7e
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blake2b/go125.go
@@ -0,0 +1,11 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.25
+
+package blake2b
+
+import "hash"
+
+var _ hash.XOF = (*xof)(nil)
diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s b/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
index 7dd2638e8..769af387e 100644
--- a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
+++ b/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
@@ -29,7 +29,7 @@ loop:
 	MOVD	$NUM_ROUNDS, R21
 	VLD1	(R11), [V30.S4, V31.S4]
 
-	// load contants
+	// load constants
 	// VLD4R (R10), [V0.S4, V1.S4, V2.S4, V3.S4]
 	WORD	$0x4D60E940
 
diff --git a/vendor/golang.org/x/crypto/curve25519/curve25519.go b/vendor/golang.org/x/crypto/curve25519/curve25519.go
index 21ca3b2ee..048faef3a 100644
--- a/vendor/golang.org/x/crypto/curve25519/curve25519.go
+++ b/vendor/golang.org/x/crypto/curve25519/curve25519.go
@@ -3,11 +3,14 @@
 // license that can be found in the LICENSE file.
 
 // Package curve25519 provides an implementation of the X25519 function, which
-// performs scalar multiplication on the elliptic curve known as Curve25519.
-// See RFC 7748.
+// performs scalar multiplication on the elliptic curve known as Curve25519
+// according to [RFC 7748].
 //
-// This package is a wrapper for the X25519 implementation
-// in the crypto/ecdh package.
+// The curve25519 package is a wrapper for the X25519 implementation in the
+// crypto/ecdh package. It is [frozen] and is not accepting new features.
+//
+// [RFC 7748]: https://datatracker.ietf.org/doc/html/rfc7748
+// [frozen]: https://go.dev/wiki/Frozen
 package curve25519
 
 import "crypto/ecdh"
@@ -36,7 +39,7 @@ func ScalarBaseMult(dst, scalar *[32]byte) {
 	curve := ecdh.X25519()
 	priv, err := curve.NewPrivateKey(scalar[:])
 	if err != nil {
-		panic("curve25519: internal error: scalarBaseMult was not 32 bytes")
+		panic("curve25519: " + err.Error())
 	}
 	copy(dst[:], priv.PublicKey().Bytes())
 }
diff --git a/vendor/golang.org/x/crypto/sha3/doc.go b/vendor/golang.org/x/crypto/sha3/doc.go
deleted file mode 100644
index bbf391fe6..000000000
--- a/vendor/golang.org/x/crypto/sha3/doc.go
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package sha3 implements the SHA-3 fixed-output-length hash functions and
-// the SHAKE variable-output-length hash functions defined by FIPS-202.
-//
-// All types in this package also implement [encoding.BinaryMarshaler],
-// [encoding.BinaryAppender] and [encoding.BinaryUnmarshaler] to marshal and
-// unmarshal the internal state of the hash.
-//
-// Both types of hash function use the "sponge" construction and the Keccak
-// permutation. For a detailed specification see http://keccak.noekeon.org/
-//
-// # Guidance
-//
-// If you aren't sure what function you need, use SHAKE256 with at least 64
-// bytes of output. The SHAKE instances are faster than the SHA3 instances;
-// the latter have to allocate memory to conform to the hash.Hash interface.
-//
-// If you need a secret-key MAC (message authentication code), prepend the
-// secret key to the input, hash with SHAKE256 and read at least 32 bytes of
-// output.
-//
-// # Security strengths
-//
-// The SHA3-x (x equals 224, 256, 384, or 512) functions have a security
-// strength against preimage attacks of x bits. Since they only produce "x"
-// bits of output, their collision-resistance is only "x/2" bits.
-//
-// The SHAKE-256 and -128 functions have a generic security strength of 256 and
-// 128 bits against all attacks, provided that at least 2x bits of their output
-// is used.  Requesting more than 64 or 32 bytes of output, respectively, does
-// not increase the collision-resistance of the SHAKE functions.
-//
-// # The sponge construction
-//
-// A sponge builds a pseudo-random function from a public pseudo-random
-// permutation, by applying the permutation to a state of "rate + capacity"
-// bytes, but hiding "capacity" of the bytes.
-//
-// A sponge starts out with a zero state. To hash an input using a sponge, up
-// to "rate" bytes of the input are XORed into the sponge's state. The sponge
-// is then "full" and the permutation is applied to "empty" it. This process is
-// repeated until all the input has been "absorbed". The input is then padded.
-// The digest is "squeezed" from the sponge in the same way, except that output
-// is copied out instead of input being XORed in.
-//
-// A sponge is parameterized by its generic security strength, which is equal
-// to half its capacity; capacity + rate is equal to the permutation's width.
-// Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means
-// that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
-//
-// # Recommendations
-//
-// The SHAKE functions are recommended for most new uses. They can produce
-// output of arbitrary length. SHAKE256, with an output length of at least
-// 64 bytes, provides 256-bit security against all attacks.  The Keccak team
-// recommends it for most applications upgrading from SHA2-512. (NIST chose a
-// much stronger, but much slower, sponge instance for SHA3-512.)
-//
-// The SHA-3 functions are "drop-in" replacements for the SHA-2 functions.
-// They produce output of the same length, with the same security strengths
-// against all attacks. This means, in particular, that SHA3-256 only has
-// 128-bit collision resistance, because its output length is 32 bytes.
-package sha3
diff --git a/vendor/golang.org/x/crypto/sha3/hashes.go b/vendor/golang.org/x/crypto/sha3/hashes.go
index 31fffbe04..a51269d91 100644
--- a/vendor/golang.org/x/crypto/sha3/hashes.go
+++ b/vendor/golang.org/x/crypto/sha3/hashes.go
@@ -2,127 +2,94 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+// Package sha3 implements the SHA-3 hash algorithms and the SHAKE extendable
+// output functions defined in FIPS 202.
+//
+// Most of this package is a wrapper around the crypto/sha3 package in the
+// standard library. The only exception is the legacy Keccak hash functions.
 package sha3
 
-// This file provides functions for creating instances of the SHA-3
-// and SHAKE hash functions, as well as utility functions for hashing
-// bytes.
-
 import (
-	"crypto"
+	"crypto/sha3"
 	"hash"
 )
 
 // New224 creates a new SHA3-224 hash.
 // Its generic security strength is 224 bits against preimage attacks,
 // and 112 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New224] function in the standard library.
+//
+//go:fix inline
 func New224() hash.Hash {
-	return new224()
+	return sha3.New224()
 }
 
 // New256 creates a new SHA3-256 hash.
 // Its generic security strength is 256 bits against preimage attacks,
 // and 128 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New256] function in the standard library.
+//
+//go:fix inline
 func New256() hash.Hash {
-	return new256()
+	return sha3.New256()
 }
 
 // New384 creates a new SHA3-384 hash.
 // Its generic security strength is 384 bits against preimage attacks,
 // and 192 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New384] function in the standard library.
+//
+//go:fix inline
 func New384() hash.Hash {
-	return new384()
+	return sha3.New384()
 }
 
 // New512 creates a new SHA3-512 hash.
 // Its generic security strength is 512 bits against preimage attacks,
 // and 256 bits against collision attacks.
+//
+// It is a wrapper for the [sha3.New512] function in the standard library.
+//
+//go:fix inline
 func New512() hash.Hash {
-	return new512()
-}
-
-func init() {
-	crypto.RegisterHash(crypto.SHA3_224, New224)
-	crypto.RegisterHash(crypto.SHA3_256, New256)
-	crypto.RegisterHash(crypto.SHA3_384, New384)
-	crypto.RegisterHash(crypto.SHA3_512, New512)
-}
-
-const (
-	dsbyteSHA3   = 0b00000110
-	dsbyteKeccak = 0b00000001
-	dsbyteShake  = 0b00011111
-	dsbyteCShake = 0b00000100
-
-	// rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in
-	// bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits.
-	rateK256  = (1600 - 256) / 8
-	rateK448  = (1600 - 448) / 8
-	rateK512  = (1600 - 512) / 8
-	rateK768  = (1600 - 768) / 8
-	rateK1024 = (1600 - 1024) / 8
-)
-
-func new224Generic() *state {
-	return &state{rate: rateK448, outputLen: 28, dsbyte: dsbyteSHA3}
-}
-
-func new256Generic() *state {
-	return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteSHA3}
-}
-
-func new384Generic() *state {
-	return &state{rate: rateK768, outputLen: 48, dsbyte: dsbyteSHA3}
-}
-
-func new512Generic() *state {
-	return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteSHA3}
-}
-
-// NewLegacyKeccak256 creates a new Keccak-256 hash.
-//
-// Only use this function if you require compatibility with an existing cryptosystem
-// that uses non-standard padding. All other users should use New256 instead.
-func NewLegacyKeccak256() hash.Hash {
-	return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak}
-}
-
-// NewLegacyKeccak512 creates a new Keccak-512 hash.
-//
-// Only use this function if you require compatibility with an existing cryptosystem
-// that uses non-standard padding. All other users should use New512 instead.
-func NewLegacyKeccak512() hash.Hash {
-	return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak}
+	return sha3.New512()
 }
 
 // Sum224 returns the SHA3-224 digest of the data.
-func Sum224(data []byte) (digest [28]byte) {
-	h := New224()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
+//
+// It is a wrapper for the [sha3.Sum224] function in the standard library.
+//
+//go:fix inline
+func Sum224(data []byte) [28]byte {
+	return sha3.Sum224(data)
 }
 
 // Sum256 returns the SHA3-256 digest of the data.
-func Sum256(data []byte) (digest [32]byte) {
-	h := New256()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
+//
+// It is a wrapper for the [sha3.Sum256] function in the standard library.
+//
+//go:fix inline
+func Sum256(data []byte) [32]byte {
+	return sha3.Sum256(data)
 }
 
 // Sum384 returns the SHA3-384 digest of the data.
-func Sum384(data []byte) (digest [48]byte) {
-	h := New384()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
+//
+// It is a wrapper for the [sha3.Sum384] function in the standard library.
+//
+//go:fix inline
+func Sum384(data []byte) [48]byte {
+	return sha3.Sum384(data)
 }
 
 // Sum512 returns the SHA3-512 digest of the data.
-func Sum512(data []byte) (digest [64]byte) {
-	h := New512()
-	h.Write(data)
-	h.Sum(digest[:0])
-	return
+//
+// It is a wrapper for the [sha3.Sum512] function in the standard library.
+//
+//go:fix inline
+func Sum512(data []byte) [64]byte {
+	return sha3.Sum512(data)
 }
diff --git a/vendor/golang.org/x/crypto/sha3/hashes_noasm.go b/vendor/golang.org/x/crypto/sha3/hashes_noasm.go
deleted file mode 100644
index 9d85fb621..000000000
--- a/vendor/golang.org/x/crypto/sha3/hashes_noasm.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !gc || purego || !s390x
-
-package sha3
-
-func new224() *state {
-	return new224Generic()
-}
-
-func new256() *state {
-	return new256Generic()
-}
-
-func new384() *state {
-	return new384Generic()
-}
-
-func new512() *state {
-	return new512Generic()
-}
diff --git a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go b/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
deleted file mode 100644
index b908696be..000000000
--- a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
+++ /dev/null
@@ -1,13 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build amd64 && !purego && gc
-
-package sha3
-
-// This function is implemented in keccakf_amd64.s.
-
-//go:noescape
-
-func keccakF1600(a *[25]uint64)
diff --git a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s b/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
deleted file mode 100644
index 99e2f16e9..000000000
--- a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
+++ /dev/null
@@ -1,5419 +0,0 @@
-// Code generated by command: go run keccakf_amd64_asm.go -out ../keccakf_amd64.s -pkg sha3. DO NOT EDIT.
-
-//go:build amd64 && !purego && gc
-
-// func keccakF1600(a *[25]uint64)
-TEXT ·keccakF1600(SB), $200-8
-	MOVQ a+0(FP), DI
-
-	// Convert the user state into an internal state
-	NOTQ 8(DI)
-	NOTQ 16(DI)
-	NOTQ 64(DI)
-	NOTQ 96(DI)
-	NOTQ 136(DI)
-	NOTQ 160(DI)
-
-	// Execute the KeccakF permutation
-	MOVQ (DI), SI
-	MOVQ 8(DI), BP
-	MOVQ 32(DI), R15
-	XORQ 40(DI), SI
-	XORQ 48(DI), BP
-	XORQ 72(DI), R15
-	XORQ 80(DI), SI
-	XORQ 88(DI), BP
-	XORQ 112(DI), R15
-	XORQ 120(DI), SI
-	XORQ 128(DI), BP
-	XORQ 152(DI), R15
-	XORQ 160(DI), SI
-	XORQ 168(DI), BP
-	MOVQ 176(DI), DX
-	MOVQ 184(DI), R8
-	XORQ 192(DI), R15
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000000000001, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000000008082, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x800000000000808a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000080008000, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000000000808b, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000080000001, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000080008081, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008009, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000000000008a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000000000088, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000080008009, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000008000000a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000008000808b, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x800000000000008b, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008089, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008003, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008002, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000000080, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x000000000000800a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x800000008000000a, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000080008081, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000000008080, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(DI), R12
-	XORQ 56(DI), DX
-	XORQ R15, BX
-	XORQ 96(DI), R12
-	XORQ 136(DI), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(DI), R13
-	XORQ 64(DI), R8
-	XORQ SI, CX
-	XORQ 104(DI), R13
-	XORQ 144(DI), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (DI), R10
-	MOVQ 48(DI), R11
-	XORQ R13, R9
-	MOVQ 96(DI), R12
-	MOVQ 144(DI), R13
-	MOVQ 192(DI), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x0000000080000001, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (SP)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(SP)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(SP)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(SP)
-	MOVQ R12, 8(SP)
-	MOVQ R12, BP
-
-	// Result g
-	MOVQ 72(DI), R11
-	XORQ R9, R11
-	MOVQ 80(DI), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(DI), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(DI), R13
-	MOVQ 176(DI), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(SP)
-	XORQ AX, SI
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(SP)
-	XORQ AX, BP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(SP)
-	NOTQ R14
-	XORQ R10, R15
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(SP)
-
-	// Result k
-	MOVQ 8(DI), R10
-	MOVQ 56(DI), R11
-	MOVQ 104(DI), R12
-	MOVQ 152(DI), R13
-	MOVQ 160(DI), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(SP)
-	XORQ AX, SI
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(SP)
-	XORQ AX, BP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(SP)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(SP)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(SP)
-	XORQ R10, R15
-
-	// Result m
-	MOVQ 40(DI), R11
-	XORQ BX, R11
-	MOVQ 88(DI), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(DI), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(DI), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(DI), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(SP)
-	XORQ AX, SI
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(SP)
-	XORQ AX, BP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(SP)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(SP)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(SP)
-	XORQ R11, R15
-
-	// Result s
-	MOVQ 16(DI), R10
-	MOVQ 64(DI), R11
-	MOVQ 112(DI), R12
-	XORQ DX, R10
-	MOVQ 120(DI), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(DI), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(SP)
-	ROLQ $0x27, R12
-	XORQ R9, R15
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(SP)
-	XORQ BX, SI
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(SP)
-	XORQ CX, BP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(SP)
-	MOVQ R8, 184(SP)
-
-	// Prepare round
-	MOVQ BP, BX
-	ROLQ $0x01, BX
-	MOVQ 16(SP), R12
-	XORQ 56(SP), DX
-	XORQ R15, BX
-	XORQ 96(SP), R12
-	XORQ 136(SP), DX
-	XORQ DX, R12
-	MOVQ R12, CX
-	ROLQ $0x01, CX
-	MOVQ 24(SP), R13
-	XORQ 64(SP), R8
-	XORQ SI, CX
-	XORQ 104(SP), R13
-	XORQ 144(SP), R8
-	XORQ R8, R13
-	MOVQ R13, DX
-	ROLQ $0x01, DX
-	MOVQ R15, R8
-	XORQ BP, DX
-	ROLQ $0x01, R8
-	MOVQ SI, R9
-	XORQ R12, R8
-	ROLQ $0x01, R9
-
-	// Result b
-	MOVQ (SP), R10
-	MOVQ 48(SP), R11
-	XORQ R13, R9
-	MOVQ 96(SP), R12
-	MOVQ 144(SP), R13
-	MOVQ 192(SP), R14
-	XORQ CX, R11
-	ROLQ $0x2c, R11
-	XORQ DX, R12
-	XORQ BX, R10
-	ROLQ $0x2b, R12
-	MOVQ R11, SI
-	MOVQ $0x8000000080008008, AX
-	ORQ  R12, SI
-	XORQ R10, AX
-	XORQ AX, SI
-	MOVQ SI, (DI)
-	XORQ R9, R14
-	ROLQ $0x0e, R14
-	MOVQ R10, R15
-	ANDQ R11, R15
-	XORQ R14, R15
-	MOVQ R15, 32(DI)
-	XORQ R8, R13
-	ROLQ $0x15, R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 16(DI)
-	NOTQ R12
-	ORQ  R10, R14
-	ORQ  R13, R12
-	XORQ R13, R14
-	XORQ R11, R12
-	MOVQ R14, 24(DI)
-	MOVQ R12, 8(DI)
-	NOP
-
-	// Result g
-	MOVQ 72(SP), R11
-	XORQ R9, R11
-	MOVQ 80(SP), R12
-	ROLQ $0x14, R11
-	XORQ BX, R12
-	ROLQ $0x03, R12
-	MOVQ 24(SP), R10
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ R8, R10
-	MOVQ 128(SP), R13
-	MOVQ 176(SP), R14
-	ROLQ $0x1c, R10
-	XORQ R10, AX
-	MOVQ AX, 40(DI)
-	NOP
-	XORQ CX, R13
-	ROLQ $0x2d, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 48(DI)
-	NOP
-	XORQ DX, R14
-	ROLQ $0x3d, R14
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 64(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 72(DI)
-	NOTQ R14
-	NOP
-	ORQ  R14, R13
-	XORQ R12, R13
-	MOVQ R13, 56(DI)
-
-	// Result k
-	MOVQ 8(SP), R10
-	MOVQ 56(SP), R11
-	MOVQ 104(SP), R12
-	MOVQ 152(SP), R13
-	MOVQ 160(SP), R14
-	XORQ DX, R11
-	ROLQ $0x06, R11
-	XORQ R8, R12
-	ROLQ $0x19, R12
-	MOVQ R11, AX
-	ORQ  R12, AX
-	XORQ CX, R10
-	ROLQ $0x01, R10
-	XORQ R10, AX
-	MOVQ AX, 80(DI)
-	NOP
-	XORQ R9, R13
-	ROLQ $0x08, R13
-	MOVQ R12, AX
-	ANDQ R13, AX
-	XORQ R11, AX
-	MOVQ AX, 88(DI)
-	NOP
-	XORQ BX, R14
-	ROLQ $0x12, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ANDQ R14, AX
-	XORQ R12, AX
-	MOVQ AX, 96(DI)
-	MOVQ R14, AX
-	ORQ  R10, AX
-	XORQ R13, AX
-	MOVQ AX, 104(DI)
-	ANDQ R11, R10
-	XORQ R14, R10
-	MOVQ R10, 112(DI)
-	NOP
-
-	// Result m
-	MOVQ 40(SP), R11
-	XORQ BX, R11
-	MOVQ 88(SP), R12
-	ROLQ $0x24, R11
-	XORQ CX, R12
-	MOVQ 32(SP), R10
-	ROLQ $0x0a, R12
-	MOVQ R11, AX
-	MOVQ 136(SP), R13
-	ANDQ R12, AX
-	XORQ R9, R10
-	MOVQ 184(SP), R14
-	ROLQ $0x1b, R10
-	XORQ R10, AX
-	MOVQ AX, 120(DI)
-	NOP
-	XORQ DX, R13
-	ROLQ $0x0f, R13
-	MOVQ R12, AX
-	ORQ  R13, AX
-	XORQ R11, AX
-	MOVQ AX, 128(DI)
-	NOP
-	XORQ R8, R14
-	ROLQ $0x38, R14
-	NOTQ R13
-	MOVQ R13, AX
-	ORQ  R14, AX
-	XORQ R12, AX
-	MOVQ AX, 136(DI)
-	ORQ  R10, R11
-	XORQ R14, R11
-	MOVQ R11, 152(DI)
-	ANDQ R10, R14
-	XORQ R13, R14
-	MOVQ R14, 144(DI)
-	NOP
-
-	// Result s
-	MOVQ 16(SP), R10
-	MOVQ 64(SP), R11
-	MOVQ 112(SP), R12
-	XORQ DX, R10
-	MOVQ 120(SP), R13
-	ROLQ $0x3e, R10
-	XORQ R8, R11
-	MOVQ 168(SP), R14
-	ROLQ $0x37, R11
-	XORQ R9, R12
-	MOVQ R10, R9
-	XORQ CX, R14
-	ROLQ $0x02, R14
-	ANDQ R11, R9
-	XORQ R14, R9
-	MOVQ R9, 192(DI)
-	ROLQ $0x27, R12
-	NOP
-	NOTQ R11
-	XORQ BX, R13
-	MOVQ R11, BX
-	ANDQ R12, BX
-	XORQ R10, BX
-	MOVQ BX, 160(DI)
-	NOP
-	ROLQ $0x29, R13
-	MOVQ R12, CX
-	ORQ  R13, CX
-	XORQ R11, CX
-	MOVQ CX, 168(DI)
-	NOP
-	MOVQ R13, DX
-	MOVQ R14, R8
-	ANDQ R14, DX
-	ORQ  R10, R8
-	XORQ R12, DX
-	XORQ R13, R8
-	MOVQ DX, 176(DI)
-	MOVQ R8, 184(DI)
-
-	// Revert the internal state to the user state
-	NOTQ 8(DI)
-	NOTQ 16(DI)
-	NOTQ 64(DI)
-	NOTQ 96(DI)
-	NOTQ 136(DI)
-	NOTQ 160(DI)
-	RET
diff --git a/vendor/golang.org/x/crypto/sha3/sha3.go b/vendor/golang.org/x/crypto/sha3/legacy_hash.go
similarity index 83%
rename from vendor/golang.org/x/crypto/sha3/sha3.go
rename to vendor/golang.org/x/crypto/sha3/legacy_hash.go
index 6658c4447..b8784536e 100644
--- a/vendor/golang.org/x/crypto/sha3/sha3.go
+++ b/vendor/golang.org/x/crypto/sha3/legacy_hash.go
@@ -4,15 +4,46 @@
 
 package sha3
 
+// This implementation is only used for NewLegacyKeccak256 and
+// NewLegacyKeccak512, which are not implemented by crypto/sha3.
+// All other functions in this package are wrappers around crypto/sha3.
+
 import (
 	"crypto/subtle"
 	"encoding/binary"
 	"errors"
+	"hash"
 	"unsafe"
 
 	"golang.org/x/sys/cpu"
 )
 
+const (
+	dsbyteKeccak = 0b00000001
+
+	// rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in
+	// bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits.
+	rateK256  = (1600 - 256) / 8
+	rateK512  = (1600 - 512) / 8
+	rateK1024 = (1600 - 1024) / 8
+)
+
+// NewLegacyKeccak256 creates a new Keccak-256 hash.
+//
+// Only use this function if you require compatibility with an existing cryptosystem
+// that uses non-standard padding. All other users should use New256 instead.
+func NewLegacyKeccak256() hash.Hash {
+	return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak}
+}
+
+// NewLegacyKeccak512 creates a new Keccak-512 hash.
+//
+// Only use this function if you require compatibility with an existing cryptosystem
+// that uses non-standard padding. All other users should use New512 instead.
+func NewLegacyKeccak512() hash.Hash {
+	return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak}
+}
+
 // spongeDirection indicates the direction bytes are flowing through the sponge.
 type spongeDirection int
 
@@ -173,12 +204,9 @@ func (d *state) Sum(in []byte) []byte {
 }
 
 const (
-	magicSHA3   = "sha\x08"
-	magicShake  = "sha\x09"
-	magicCShake = "sha\x0a"
 	magicKeccak = "sha\x0b"
 	// magic || rate || main state || n || sponge direction
-	marshaledSize = len(magicSHA3) + 1 + 200 + 1 + 1
+	marshaledSize = len(magicKeccak) + 1 + 200 + 1 + 1
 )
 
 func (d *state) MarshalBinary() ([]byte, error) {
@@ -187,12 +215,6 @@ func (d *state) MarshalBinary() ([]byte, error) {
 
 func (d *state) AppendBinary(b []byte) ([]byte, error) {
 	switch d.dsbyte {
-	case dsbyteSHA3:
-		b = append(b, magicSHA3...)
-	case dsbyteShake:
-		b = append(b, magicShake...)
-	case dsbyteCShake:
-		b = append(b, magicCShake...)
 	case dsbyteKeccak:
 		b = append(b, magicKeccak...)
 	default:
@@ -210,12 +232,9 @@ func (d *state) UnmarshalBinary(b []byte) error {
 		return errors.New("sha3: invalid hash state")
 	}
 
-	magic := string(b[:len(magicSHA3)])
-	b = b[len(magicSHA3):]
+	magic := string(b[:len(magicKeccak)])
+	b = b[len(magicKeccak):]
 	switch {
-	case magic == magicSHA3 && d.dsbyte == dsbyteSHA3:
-	case magic == magicShake && d.dsbyte == dsbyteShake:
-	case magic == magicCShake && d.dsbyte == dsbyteCShake:
 	case magic == magicKeccak && d.dsbyte == dsbyteKeccak:
 	default:
 		return errors.New("sha3: invalid hash state identifier")
diff --git a/vendor/golang.org/x/crypto/sha3/keccakf.go b/vendor/golang.org/x/crypto/sha3/legacy_keccakf.go
similarity index 98%
rename from vendor/golang.org/x/crypto/sha3/keccakf.go
rename to vendor/golang.org/x/crypto/sha3/legacy_keccakf.go
index ce48b1dd3..101588c16 100644
--- a/vendor/golang.org/x/crypto/sha3/keccakf.go
+++ b/vendor/golang.org/x/crypto/sha3/legacy_keccakf.go
@@ -2,10 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !amd64 || purego || !gc
-
 package sha3
 
+// This implementation is only used for NewLegacyKeccak256 and
+// NewLegacyKeccak512, which are not implemented by crypto/sha3.
+// All other functions in this package are wrappers around crypto/sha3.
+
 import "math/bits"
 
 // rc stores the round constants for use in the ι step.
diff --git a/vendor/golang.org/x/crypto/sha3/sha3_s390x.go b/vendor/golang.org/x/crypto/sha3/sha3_s390x.go
deleted file mode 100644
index 00d8034ae..000000000
--- a/vendor/golang.org/x/crypto/sha3/sha3_s390x.go
+++ /dev/null
@@ -1,303 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-package sha3
-
-// This file contains code for using the 'compute intermediate
-// message digest' (KIMD) and 'compute last message digest' (KLMD)
-// instructions to compute SHA-3 and SHAKE hashes on IBM Z.
-
-import (
-	"hash"
-
-	"golang.org/x/sys/cpu"
-)
-
-// codes represent 7-bit KIMD/KLMD function codes as defined in
-// the Principles of Operation.
-type code uint64
-
-const (
-	// function codes for KIMD/KLMD
-	sha3_224  code = 32
-	sha3_256       = 33
-	sha3_384       = 34
-	sha3_512       = 35
-	shake_128      = 36
-	shake_256      = 37
-	nopad          = 0x100
-)
-
-// kimd is a wrapper for the 'compute intermediate message digest' instruction.
-// src must be a multiple of the rate for the given function code.
-//
-//go:noescape
-func kimd(function code, chain *[200]byte, src []byte)
-
-// klmd is a wrapper for the 'compute last message digest' instruction.
-// src padding is handled by the instruction.
-//
-//go:noescape
-func klmd(function code, chain *[200]byte, dst, src []byte)
-
-type asmState struct {
-	a         [200]byte       // 1600 bit state
-	buf       []byte          // care must be taken to ensure cap(buf) is a multiple of rate
-	rate      int             // equivalent to block size
-	storage   [3072]byte      // underlying storage for buf
-	outputLen int             // output length for full security
-	function  code            // KIMD/KLMD function code
-	state     spongeDirection // whether the sponge is absorbing or squeezing
-}
-
-func newAsmState(function code) *asmState {
-	var s asmState
-	s.function = function
-	switch function {
-	case sha3_224:
-		s.rate = 144
-		s.outputLen = 28
-	case sha3_256:
-		s.rate = 136
-		s.outputLen = 32
-	case sha3_384:
-		s.rate = 104
-		s.outputLen = 48
-	case sha3_512:
-		s.rate = 72
-		s.outputLen = 64
-	case shake_128:
-		s.rate = 168
-		s.outputLen = 32
-	case shake_256:
-		s.rate = 136
-		s.outputLen = 64
-	default:
-		panic("sha3: unrecognized function code")
-	}
-
-	// limit s.buf size to a multiple of s.rate
-	s.resetBuf()
-	return &s
-}
-
-func (s *asmState) clone() *asmState {
-	c := *s
-	c.buf = c.storage[:len(s.buf):cap(s.buf)]
-	return &c
-}
-
-// copyIntoBuf copies b into buf. It will panic if there is not enough space to
-// store all of b.
-func (s *asmState) copyIntoBuf(b []byte) {
-	bufLen := len(s.buf)
-	s.buf = s.buf[:len(s.buf)+len(b)]
-	copy(s.buf[bufLen:], b)
-}
-
-// resetBuf points buf at storage, sets the length to 0 and sets cap to be a
-// multiple of the rate.
-func (s *asmState) resetBuf() {
-	max := (cap(s.storage) / s.rate) * s.rate
-	s.buf = s.storage[:0:max]
-}
-
-// Write (via the embedded io.Writer interface) adds more data to the running hash.
-// It never returns an error.
-func (s *asmState) Write(b []byte) (int, error) {
-	if s.state != spongeAbsorbing {
-		panic("sha3: Write after Read")
-	}
-	length := len(b)
-	for len(b) > 0 {
-		if len(s.buf) == 0 && len(b) >= cap(s.buf) {
-			// Hash the data directly and push any remaining bytes
-			// into the buffer.
-			remainder := len(b) % s.rate
-			kimd(s.function, &s.a, b[:len(b)-remainder])
-			if remainder != 0 {
-				s.copyIntoBuf(b[len(b)-remainder:])
-			}
-			return length, nil
-		}
-
-		if len(s.buf) == cap(s.buf) {
-			// flush the buffer
-			kimd(s.function, &s.a, s.buf)
-			s.buf = s.buf[:0]
-		}
-
-		// copy as much as we can into the buffer
-		n := len(b)
-		if len(b) > cap(s.buf)-len(s.buf) {
-			n = cap(s.buf) - len(s.buf)
-		}
-		s.copyIntoBuf(b[:n])
-		b = b[n:]
-	}
-	return length, nil
-}
-
-// Read squeezes an arbitrary number of bytes from the sponge.
-func (s *asmState) Read(out []byte) (n int, err error) {
-	// The 'compute last message digest' instruction only stores the digest
-	// at the first operand (dst) for SHAKE functions.
-	if s.function != shake_128 && s.function != shake_256 {
-		panic("sha3: can only call Read for SHAKE functions")
-	}
-
-	n = len(out)
-
-	// need to pad if we were absorbing
-	if s.state == spongeAbsorbing {
-		s.state = spongeSqueezing
-
-		// write hash directly into out if possible
-		if len(out)%s.rate == 0 {
-			klmd(s.function, &s.a, out, s.buf) // len(out) may be 0
-			s.buf = s.buf[:0]
-			return
-		}
-
-		// write hash into buffer
-		max := cap(s.buf)
-		if max > len(out) {
-			max = (len(out)/s.rate)*s.rate + s.rate
-		}
-		klmd(s.function, &s.a, s.buf[:max], s.buf)
-		s.buf = s.buf[:max]
-	}
-
-	for len(out) > 0 {
-		// flush the buffer
-		if len(s.buf) != 0 {
-			c := copy(out, s.buf)
-			out = out[c:]
-			s.buf = s.buf[c:]
-			continue
-		}
-
-		// write hash directly into out if possible
-		if len(out)%s.rate == 0 {
-			klmd(s.function|nopad, &s.a, out, nil)
-			return
-		}
-
-		// write hash into buffer
-		s.resetBuf()
-		if cap(s.buf) > len(out) {
-			s.buf = s.buf[:(len(out)/s.rate)*s.rate+s.rate]
-		}
-		klmd(s.function|nopad, &s.a, s.buf, nil)
-	}
-	return
-}
-
-// Sum appends the current hash to b and returns the resulting slice.
-// It does not change the underlying hash state.
-func (s *asmState) Sum(b []byte) []byte {
-	if s.state != spongeAbsorbing {
-		panic("sha3: Sum after Read")
-	}
-
-	// Copy the state to preserve the original.
-	a := s.a
-
-	// Hash the buffer. Note that we don't clear it because we
-	// aren't updating the state.
-	switch s.function {
-	case sha3_224, sha3_256, sha3_384, sha3_512:
-		klmd(s.function, &a, nil, s.buf)
-		return append(b, a[:s.outputLen]...)
-	case shake_128, shake_256:
-		d := make([]byte, s.outputLen, 64)
-		klmd(s.function, &a, d, s.buf)
-		return append(b, d[:s.outputLen]...)
-	default:
-		panic("sha3: unknown function")
-	}
-}
-
-// Reset resets the Hash to its initial state.
-func (s *asmState) Reset() {
-	for i := range s.a {
-		s.a[i] = 0
-	}
-	s.resetBuf()
-	s.state = spongeAbsorbing
-}
-
-// Size returns the number of bytes Sum will return.
-func (s *asmState) Size() int {
-	return s.outputLen
-}
-
-// BlockSize returns the hash's underlying block size.
-// The Write method must be able to accept any amount
-// of data, but it may operate more efficiently if all writes
-// are a multiple of the block size.
-func (s *asmState) BlockSize() int {
-	return s.rate
-}
-
-// Clone returns a copy of the ShakeHash in its current state.
-func (s *asmState) Clone() ShakeHash {
-	return s.clone()
-}
-
-// new224 returns an assembly implementation of SHA3-224 if available,
-// otherwise it returns a generic implementation.
-func new224() hash.Hash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(sha3_224)
-	}
-	return new224Generic()
-}
-
-// new256 returns an assembly implementation of SHA3-256 if available,
-// otherwise it returns a generic implementation.
-func new256() hash.Hash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(sha3_256)
-	}
-	return new256Generic()
-}
-
-// new384 returns an assembly implementation of SHA3-384 if available,
-// otherwise it returns a generic implementation.
-func new384() hash.Hash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(sha3_384)
-	}
-	return new384Generic()
-}
-
-// new512 returns an assembly implementation of SHA3-512 if available,
-// otherwise it returns a generic implementation.
-func new512() hash.Hash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(sha3_512)
-	}
-	return new512Generic()
-}
-
-// newShake128 returns an assembly implementation of SHAKE-128 if available,
-// otherwise it returns a generic implementation.
-func newShake128() ShakeHash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(shake_128)
-	}
-	return newShake128Generic()
-}
-
-// newShake256 returns an assembly implementation of SHAKE-256 if available,
-// otherwise it returns a generic implementation.
-func newShake256() ShakeHash {
-	if cpu.S390X.HasSHA3 {
-		return newAsmState(shake_256)
-	}
-	return newShake256Generic()
-}
diff --git a/vendor/golang.org/x/crypto/sha3/sha3_s390x.s b/vendor/golang.org/x/crypto/sha3/sha3_s390x.s
deleted file mode 100644
index 826b862c7..000000000
--- a/vendor/golang.org/x/crypto/sha3/sha3_s390x.s
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-#include "textflag.h"
-
-// func kimd(function code, chain *[200]byte, src []byte)
-TEXT ·kimd(SB), NOFRAME|NOSPLIT, $0-40
-	MOVD function+0(FP), R0
-	MOVD chain+8(FP), R1
-	LMG  src+16(FP), R2, R3 // R2=base, R3=len
-
-continue:
-	WORD $0xB93E0002 // KIMD --, R2
-	BVS  continue    // continue if interrupted
-	MOVD $0, R0      // reset R0 for pre-go1.8 compilers
-	RET
-
-// func klmd(function code, chain *[200]byte, dst, src []byte)
-TEXT ·klmd(SB), NOFRAME|NOSPLIT, $0-64
-	// TODO: SHAKE support
-	MOVD function+0(FP), R0
-	MOVD chain+8(FP), R1
-	LMG  dst+16(FP), R2, R3 // R2=base, R3=len
-	LMG  src+40(FP), R4, R5 // R4=base, R5=len
-
-continue:
-	WORD $0xB93F0024 // KLMD R2, R4
-	BVS  continue    // continue if interrupted
-	MOVD $0, R0      // reset R0 for pre-go1.8 compilers
-	RET
diff --git a/vendor/golang.org/x/crypto/sha3/shake.go b/vendor/golang.org/x/crypto/sha3/shake.go
index a6b3a4281..6f3f70c26 100644
--- a/vendor/golang.org/x/crypto/sha3/shake.go
+++ b/vendor/golang.org/x/crypto/sha3/shake.go
@@ -4,24 +4,10 @@
 
 package sha3
 
-// This file defines the ShakeHash interface, and provides
-// functions for creating SHAKE and cSHAKE instances, as well as utility
-// functions for hashing bytes to arbitrary-length output.
-//
-//
-// SHAKE implementation is based on FIPS PUB 202 [1]
-// cSHAKE implementations is based on NIST SP 800-185 [2]
-//
-// [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
-// [2] https://doi.org/10.6028/NIST.SP.800-185
-
 import (
-	"bytes"
-	"encoding/binary"
-	"errors"
+	"crypto/sha3"
 	"hash"
 	"io"
-	"math/bits"
 )
 
 // ShakeHash defines the interface to hash functions that support
@@ -32,7 +18,7 @@ type ShakeHash interface {
 	hash.Hash
 
 	// Read reads more output from the hash; reading affects the hash's
-	// state. (ShakeHash.Read is thus very different from Hash.Sum)
+	// state. (ShakeHash.Read is thus very different from Hash.Sum.)
 	// It never returns an error, but subsequent calls to Write or Sum
 	// will panic.
 	io.Reader
@@ -41,115 +27,18 @@ type ShakeHash interface {
 	Clone() ShakeHash
 }
 
-// cSHAKE specific context
-type cshakeState struct {
-	*state // SHA-3 state context and Read/Write operations
-
-	// initBlock is the cSHAKE specific initialization set of bytes. It is initialized
-	// by newCShake function and stores concatenation of N followed by S, encoded
-	// by the method specified in 3.3 of [1].
-	// It is stored here in order for Reset() to be able to put context into
-	// initial state.
-	initBlock []byte
-}
-
-func bytepad(data []byte, rate int) []byte {
-	out := make([]byte, 0, 9+len(data)+rate-1)
-	out = append(out, leftEncode(uint64(rate))...)
-	out = append(out, data...)
-	if padlen := rate - len(out)%rate; padlen < rate {
-		out = append(out, make([]byte, padlen)...)
-	}
-	return out
-}
-
-func leftEncode(x uint64) []byte {
-	// Let n be the smallest positive integer for which 2^(8n) > x.
-	n := (bits.Len64(x) + 7) / 8
-	if n == 0 {
-		n = 1
-	}
-	// Return n || x with n as a byte and x an n bytes in big-endian order.
-	b := make([]byte, 9)
-	binary.BigEndian.PutUint64(b[1:], x)
-	b = b[9-n-1:]
-	b[0] = byte(n)
-	return b
-}
-
-func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash {
-	c := cshakeState{state: &state{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
-	c.initBlock = make([]byte, 0, 9+len(N)+9+len(S)) // leftEncode returns max 9 bytes
-	c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...)
-	c.initBlock = append(c.initBlock, N...)
-	c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...)
-	c.initBlock = append(c.initBlock, S...)
-	c.Write(bytepad(c.initBlock, c.rate))
-	return &c
-}
-
-// Reset resets the hash to initial state.
-func (c *cshakeState) Reset() {
-	c.state.Reset()
-	c.Write(bytepad(c.initBlock, c.rate))
-}
-
-// Clone returns copy of a cSHAKE context within its current state.
-func (c *cshakeState) Clone() ShakeHash {
-	b := make([]byte, len(c.initBlock))
-	copy(b, c.initBlock)
-	return &cshakeState{state: c.clone(), initBlock: b}
-}
-
-// Clone returns copy of SHAKE context within its current state.
-func (c *state) Clone() ShakeHash {
-	return c.clone()
-}
-
-func (c *cshakeState) MarshalBinary() ([]byte, error) {
-	return c.AppendBinary(make([]byte, 0, marshaledSize+len(c.initBlock)))
-}
-
-func (c *cshakeState) AppendBinary(b []byte) ([]byte, error) {
-	b, err := c.state.AppendBinary(b)
-	if err != nil {
-		return nil, err
-	}
-	b = append(b, c.initBlock...)
-	return b, nil
-}
-
-func (c *cshakeState) UnmarshalBinary(b []byte) error {
-	if len(b) <= marshaledSize {
-		return errors.New("sha3: invalid hash state")
-	}
-	if err := c.state.UnmarshalBinary(b[:marshaledSize]); err != nil {
-		return err
-	}
-	c.initBlock = bytes.Clone(b[marshaledSize:])
-	return nil
-}
-
 // NewShake128 creates a new SHAKE128 variable-output-length ShakeHash.
 // Its generic security strength is 128 bits against all attacks if at
 // least 32 bytes of its output are used.
 func NewShake128() ShakeHash {
-	return newShake128()
+	return &shakeWrapper{sha3.NewSHAKE128(), 32, false, sha3.NewSHAKE128}
 }
 
 // NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
 // Its generic security strength is 256 bits against all attacks if
 // at least 64 bytes of its output are used.
 func NewShake256() ShakeHash {
-	return newShake256()
-}
-
-func newShake128Generic() *state {
-	return &state{rate: rateK256, outputLen: 32, dsbyte: dsbyteShake}
-}
-
-func newShake256Generic() *state {
-	return &state{rate: rateK512, outputLen: 64, dsbyte: dsbyteShake}
+	return &shakeWrapper{sha3.NewSHAKE256(), 64, false, sha3.NewSHAKE256}
 }
 
 // NewCShake128 creates a new instance of cSHAKE128 variable-output-length ShakeHash,
@@ -159,10 +48,9 @@ func newShake256Generic() *state {
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake128.
 func NewCShake128(N, S []byte) ShakeHash {
-	if len(N) == 0 && len(S) == 0 {
-		return NewShake128()
-	}
-	return newCShake(N, S, rateK256, 32, dsbyteCShake)
+	return &shakeWrapper{sha3.NewCSHAKE128(N, S), 32, false, func() *sha3.SHAKE {
+		return sha3.NewCSHAKE128(N, S)
+	}}
 }
 
 // NewCShake256 creates a new instance of cSHAKE256 variable-output-length ShakeHash,
@@ -172,10 +60,9 @@ func NewCShake128(N, S []byte) ShakeHash {
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake256.
 func NewCShake256(N, S []byte) ShakeHash {
-	if len(N) == 0 && len(S) == 0 {
-		return NewShake256()
-	}
-	return newCShake(N, S, rateK512, 64, dsbyteCShake)
+	return &shakeWrapper{sha3.NewCSHAKE256(N, S), 64, false, func() *sha3.SHAKE {
+		return sha3.NewCSHAKE256(N, S)
+	}}
 }
 
 // ShakeSum128 writes an arbitrary-length digest of data into hash.
@@ -191,3 +78,42 @@ func ShakeSum256(hash, data []byte) {
 	h.Write(data)
 	h.Read(hash)
 }
+
+// shakeWrapper adds the Size, Sum, and Clone methods to a sha3.SHAKE
+// to implement the ShakeHash interface.
+type shakeWrapper struct {
+	*sha3.SHAKE
+	outputLen int
+	squeezing bool
+	newSHAKE  func() *sha3.SHAKE
+}
+
+func (w *shakeWrapper) Read(p []byte) (n int, err error) {
+	w.squeezing = true
+	return w.SHAKE.Read(p)
+}
+
+func (w *shakeWrapper) Clone() ShakeHash {
+	s := w.newSHAKE()
+	b, err := w.MarshalBinary()
+	if err != nil {
+		panic(err) // unreachable
+	}
+	if err := s.UnmarshalBinary(b); err != nil {
+		panic(err) // unreachable
+	}
+	return &shakeWrapper{s, w.outputLen, w.squeezing, w.newSHAKE}
+}
+
+func (w *shakeWrapper) Size() int { return w.outputLen }
+
+func (w *shakeWrapper) Sum(b []byte) []byte {
+	if w.squeezing {
+		panic("sha3: Sum after Read")
+	}
+	out := make([]byte, w.outputLen)
+	// Clone the state so that we don't affect future Write calls.
+	s := w.Clone()
+	s.Read(out)
+	return append(b, out...)
+}
diff --git a/vendor/golang.org/x/crypto/sha3/shake_noasm.go b/vendor/golang.org/x/crypto/sha3/shake_noasm.go
deleted file mode 100644
index 4276ba4ab..000000000
--- a/vendor/golang.org/x/crypto/sha3/shake_noasm.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !gc || purego || !s390x
-
-package sha3
-
-func newShake128() *state {
-	return newShake128Generic()
-}
-
-func newShake256() *state {
-	return newShake256Generic()
-}
diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
index 106708d28..b357e18b0 100644
--- a/vendor/golang.org/x/crypto/ssh/agent/client.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/client.go
@@ -430,8 +430,9 @@ func (c *client) List() ([]*Key, error) {
 		return keys, nil
 	case *failureAgentMsg:
 		return nil, errors.New("agent: failed to list keys")
+	default:
+		return nil, fmt.Errorf("agent: failed to list keys, unexpected message type %T", msg)
 	}
-	panic("unreachable")
 }
 
 // Sign has the agent sign the data using a protocol 2 key as defined
@@ -462,8 +463,9 @@ func (c *client) SignWithFlags(key ssh.PublicKey, data []byte, flags SignatureFl
 		return &sig, nil
 	case *failureAgentMsg:
 		return nil, errors.New("agent: failed to sign challenge")
+	default:
+		return nil, fmt.Errorf("agent: failed to sign challenge, unexpected message type %T", msg)
 	}
-	panic("unreachable")
 }
 
 // unmarshal parses an agent message in packet, returning the parsed
@@ -555,7 +557,7 @@ func (c *client) insertKey(s interface{}, comment string, constraints []byte) er
 		})
 	case *dsa.PrivateKey:
 		req = ssh.Marshal(dsaKeyMsg{
-			Type:        ssh.KeyAlgoDSA,
+			Type:        ssh.InsecureKeyAlgoDSA,
 			P:           k.P,
 			Q:           k.Q,
 			G:           k.G,
@@ -803,16 +805,16 @@ var _ ssh.AlgorithmSigner = &agentKeyringSigner{}
 //
 // This map must be kept in sync with the one in certs.go.
 var certKeyAlgoNames = map[string]string{
-	ssh.CertAlgoRSAv01:        ssh.KeyAlgoRSA,
-	ssh.CertAlgoRSASHA256v01:  ssh.KeyAlgoRSASHA256,
-	ssh.CertAlgoRSASHA512v01:  ssh.KeyAlgoRSASHA512,
-	ssh.CertAlgoDSAv01:        ssh.KeyAlgoDSA,
-	ssh.CertAlgoECDSA256v01:   ssh.KeyAlgoECDSA256,
-	ssh.CertAlgoECDSA384v01:   ssh.KeyAlgoECDSA384,
-	ssh.CertAlgoECDSA521v01:   ssh.KeyAlgoECDSA521,
-	ssh.CertAlgoSKECDSA256v01: ssh.KeyAlgoSKECDSA256,
-	ssh.CertAlgoED25519v01:    ssh.KeyAlgoED25519,
-	ssh.CertAlgoSKED25519v01:  ssh.KeyAlgoSKED25519,
+	ssh.CertAlgoRSAv01:         ssh.KeyAlgoRSA,
+	ssh.CertAlgoRSASHA256v01:   ssh.KeyAlgoRSASHA256,
+	ssh.CertAlgoRSASHA512v01:   ssh.KeyAlgoRSASHA512,
+	ssh.InsecureCertAlgoDSAv01: ssh.InsecureKeyAlgoDSA,
+	ssh.CertAlgoECDSA256v01:    ssh.KeyAlgoECDSA256,
+	ssh.CertAlgoECDSA384v01:    ssh.KeyAlgoECDSA384,
+	ssh.CertAlgoECDSA521v01:    ssh.KeyAlgoECDSA521,
+	ssh.CertAlgoSKECDSA256v01:  ssh.KeyAlgoSKECDSA256,
+	ssh.CertAlgoED25519v01:     ssh.KeyAlgoED25519,
+	ssh.CertAlgoSKED25519v01:   ssh.KeyAlgoSKED25519,
 }
 
 // underlyingAlgo returns the signature algorithm associated with algo (which is
diff --git a/vendor/golang.org/x/crypto/ssh/agent/keyring.go b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
index c1b436108..d12987551 100644
--- a/vendor/golang.org/x/crypto/ssh/agent/keyring.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
@@ -112,7 +112,7 @@ func (r *keyring) Unlock(passphrase []byte) error {
 }
 
 // expireKeysLocked removes expired keys from the keyring. If a key was added
-// with a lifetimesecs contraint and seconds >= lifetimesecs seconds have
+// with a lifetimesecs constraint and seconds >= lifetimesecs seconds have
 // elapsed, it is removed. The caller *must* be holding the keyring mutex.
 func (r *keyring) expireKeysLocked() {
 	for _, k := range r.keys {
diff --git a/vendor/golang.org/x/crypto/ssh/agent/server.go b/vendor/golang.org/x/crypto/ssh/agent/server.go
index e35ca7ce3..4e8ff86b6 100644
--- a/vendor/golang.org/x/crypto/ssh/agent/server.go
+++ b/vendor/golang.org/x/crypto/ssh/agent/server.go
@@ -203,6 +203,9 @@ func parseConstraints(constraints []byte) (lifetimeSecs uint32, confirmBeforeUse
 	for len(constraints) != 0 {
 		switch constraints[0] {
 		case agentConstrainLifetime:
+			if len(constraints) < 5 {
+				return 0, false, nil, io.ErrUnexpectedEOF
+			}
 			lifetimeSecs = binary.BigEndian.Uint32(constraints[1:5])
 			constraints = constraints[5:]
 		case agentConstrainConfirm:
@@ -506,7 +509,7 @@ func (s *server) insertIdentity(req []byte) error {
 	switch record.Type {
 	case ssh.KeyAlgoRSA:
 		addedKey, err = parseRSAKey(req)
-	case ssh.KeyAlgoDSA:
+	case ssh.InsecureKeyAlgoDSA:
 		addedKey, err = parseDSAKey(req)
 	case ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521:
 		addedKey, err = parseECDSAKey(req)
@@ -514,7 +517,7 @@ func (s *server) insertIdentity(req []byte) error {
 		addedKey, err = parseEd25519Key(req)
 	case ssh.CertAlgoRSAv01:
 		addedKey, err = parseRSACert(req)
-	case ssh.CertAlgoDSAv01:
+	case ssh.InsecureCertAlgoDSAv01:
 		addedKey, err = parseDSACert(req)
 	case ssh.CertAlgoECDSA256v01, ssh.CertAlgoECDSA384v01, ssh.CertAlgoECDSA521v01:
 		addedKey, err = parseECDSACert(req)
diff --git a/vendor/golang.org/x/crypto/ssh/certs.go b/vendor/golang.org/x/crypto/ssh/certs.go
index 27d0e14aa..139fa31e1 100644
--- a/vendor/golang.org/x/crypto/ssh/certs.go
+++ b/vendor/golang.org/x/crypto/ssh/certs.go
@@ -20,14 +20,19 @@ import (
 // returned by MultiAlgorithmSigner and don't appear in the Signature.Format
 // field.
 const (
-	CertAlgoRSAv01        = "ssh-rsa-cert-v01@openssh.com"
-	CertAlgoDSAv01        = "ssh-dss-cert-v01@openssh.com"
-	CertAlgoECDSA256v01   = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
-	CertAlgoECDSA384v01   = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
-	CertAlgoECDSA521v01   = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
-	CertAlgoSKECDSA256v01 = "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
-	CertAlgoED25519v01    = "ssh-ed25519-cert-v01@openssh.com"
-	CertAlgoSKED25519v01  = "sk-ssh-ed25519-cert-v01@openssh.com"
+	CertAlgoRSAv01 = "ssh-rsa-cert-v01@openssh.com"
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	CertAlgoDSAv01 = InsecureCertAlgoDSAv01
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	InsecureCertAlgoDSAv01 = "ssh-dss-cert-v01@openssh.com"
+	CertAlgoECDSA256v01    = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
+	CertAlgoECDSA384v01    = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
+	CertAlgoECDSA521v01    = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
+	CertAlgoSKECDSA256v01  = "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
+	CertAlgoED25519v01     = "ssh-ed25519-cert-v01@openssh.com"
+	CertAlgoSKED25519v01   = "sk-ssh-ed25519-cert-v01@openssh.com"
 
 	// CertAlgoRSASHA256v01 and CertAlgoRSASHA512v01 can't appear as a
 	// Certificate.Type (or PublicKey.Type), but only in
@@ -228,7 +233,11 @@ func parseCert(in []byte, privAlgo string) (*Certificate, error) {
 	if err != nil {
 		return nil, err
 	}
-
+	// The Type() function is intended to return only certificate key types, but
+	// we use certKeyAlgoNames anyway for safety, to match [Certificate.Type].
+	if _, ok := certKeyAlgoNames[k.Type()]; ok {
+		return nil, fmt.Errorf("ssh: the signature key type %q is invalid for certificates", k.Type())
+	}
 	c.SignatureKey = k
 	c.Signature, rest, ok = parseSignatureBody(g.Signature)
 	if !ok || len(rest) > 0 {
@@ -296,16 +305,13 @@ type CertChecker struct {
 	SupportedCriticalOptions []string
 
 	// IsUserAuthority should return true if the key is recognized as an
-	// authority for the given user certificate. This allows for
-	// certificates to be signed by other certificates. This must be set
-	// if this CertChecker will be checking user certificates.
+	// authority for user certificate. This must be set if this CertChecker
+	// will be checking user certificates.
 	IsUserAuthority func(auth PublicKey) bool
 
 	// IsHostAuthority should report whether the key is recognized as
-	// an authority for this host. This allows for certificates to be
-	// signed by other keys, and for those other keys to only be valid
-	// signers for particular hostnames. This must be set if this
-	// CertChecker will be checking host certificates.
+	// an authority for this host. This must be set if this CertChecker
+	// will be checking host certificates.
 	IsHostAuthority func(auth PublicKey, address string) bool
 
 	// Clock is used for verifying time stamps. If nil, time.Now
@@ -442,12 +448,19 @@ func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
 // SignCert signs the certificate with an authority, setting the Nonce,
 // SignatureKey, and Signature fields. If the authority implements the
 // MultiAlgorithmSigner interface the first algorithm in the list is used. This
-// is useful if you want to sign with a specific algorithm.
+// is useful if you want to sign with a specific algorithm. As specified in
+// [SSH-CERTS], Section 2.1.1, authority can't be a [Certificate].
 func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
 	c.Nonce = make([]byte, 32)
 	if _, err := io.ReadFull(rand, c.Nonce); err != nil {
 		return err
 	}
+	// The Type() function is intended to return only certificate key types, but
+	// we use certKeyAlgoNames anyway for safety, to match [Certificate.Type].
+	if _, ok := certKeyAlgoNames[authority.PublicKey().Type()]; ok {
+		return fmt.Errorf("ssh: certificates cannot be used as authority (public key type %q)",
+			authority.PublicKey().Type())
+	}
 	c.SignatureKey = authority.PublicKey()
 
 	if v, ok := authority.(MultiAlgorithmSigner); ok {
@@ -485,16 +498,16 @@ func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
 //
 // This map must be kept in sync with the one in agent/client.go.
 var certKeyAlgoNames = map[string]string{
-	CertAlgoRSAv01:        KeyAlgoRSA,
-	CertAlgoRSASHA256v01:  KeyAlgoRSASHA256,
-	CertAlgoRSASHA512v01:  KeyAlgoRSASHA512,
-	CertAlgoDSAv01:        KeyAlgoDSA,
-	CertAlgoECDSA256v01:   KeyAlgoECDSA256,
-	CertAlgoECDSA384v01:   KeyAlgoECDSA384,
-	CertAlgoECDSA521v01:   KeyAlgoECDSA521,
-	CertAlgoSKECDSA256v01: KeyAlgoSKECDSA256,
-	CertAlgoED25519v01:    KeyAlgoED25519,
-	CertAlgoSKED25519v01:  KeyAlgoSKED25519,
+	CertAlgoRSAv01:         KeyAlgoRSA,
+	CertAlgoRSASHA256v01:   KeyAlgoRSASHA256,
+	CertAlgoRSASHA512v01:   KeyAlgoRSASHA512,
+	InsecureCertAlgoDSAv01: InsecureKeyAlgoDSA,
+	CertAlgoECDSA256v01:    KeyAlgoECDSA256,
+	CertAlgoECDSA384v01:    KeyAlgoECDSA384,
+	CertAlgoECDSA521v01:    KeyAlgoECDSA521,
+	CertAlgoSKECDSA256v01:  KeyAlgoSKECDSA256,
+	CertAlgoED25519v01:     KeyAlgoED25519,
+	CertAlgoSKED25519v01:   KeyAlgoSKED25519,
 }
 
 // underlyingAlgo returns the signature algorithm associated with algo (which is
diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
index 741e984f3..7554ed57a 100644
--- a/vendor/golang.org/x/crypto/ssh/cipher.go
+++ b/vendor/golang.org/x/crypto/ssh/cipher.go
@@ -8,6 +8,7 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/des"
+	"crypto/fips140"
 	"crypto/rc4"
 	"crypto/subtle"
 	"encoding/binary"
@@ -15,6 +16,7 @@ import (
 	"fmt"
 	"hash"
 	"io"
+	"slices"
 
 	"golang.org/x/crypto/chacha20"
 	"golang.org/x/crypto/internal/poly1305"
@@ -58,11 +60,11 @@ func newRC4(key, iv []byte) (cipher.Stream, error) {
 type cipherMode struct {
 	keySize int
 	ivSize  int
-	create  func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error)
+	create  func(key, iv []byte, macKey []byte, algs DirectionAlgorithms) (packetCipher, error)
 }
 
-func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream, error)) func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
-	return func(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream, error)) func(key, iv []byte, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
+	return func(key, iv, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
 		stream, err := createFunc(key, iv)
 		if err != nil {
 			return nil, err
@@ -93,41 +95,41 @@ func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream,
 }
 
 // cipherModes documents properties of supported ciphers. Ciphers not included
-// are not supported and will not be negotiated, even if explicitly requested in
-// ClientConfig.Crypto.Ciphers.
-var cipherModes = map[string]*cipherMode{
-	// Ciphers from RFC 4344, which introduced many CTR-based ciphers. Algorithms
-	// are defined in the order specified in the RFC.
-	"aes128-ctr": {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	"aes192-ctr": {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	"aes256-ctr": {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
+// are not supported and will not be negotiated, even if explicitly configured.
+// When FIPS mode is enabled, only FIPS-approved algorithms are included.
+var cipherModes = map[string]*cipherMode{}
 
-	// Ciphers from RFC 4345, which introduces security-improved arcfour ciphers.
-	// They are defined in the order specified in the RFC.
-	"arcfour128": {16, 0, streamCipherMode(1536, newRC4)},
-	"arcfour256": {32, 0, streamCipherMode(1536, newRC4)},
+func init() {
+	cipherModes[CipherAES128CTR] = &cipherMode{16, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	cipherModes[CipherAES192CTR] = &cipherMode{24, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	cipherModes[CipherAES256CTR] = &cipherMode{32, aes.BlockSize, streamCipherMode(0, newAESCTR)}
+	//  Use of GCM with arbitrary IVs is not allowed in FIPS 140-only mode,
+	// we'll wire it up to NewGCMForSSH in Go 1.26.
+	//
+	// For now it means we'll work with fips140=on but not fips140=only.
+	cipherModes[CipherAES128GCM] = &cipherMode{16, 12, newGCMCipher}
+	cipherModes[CipherAES256GCM] = &cipherMode{32, 12, newGCMCipher}
 
-	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
-	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
-	// RC4) has problems with weak keys, and should be used with caution."
-	// RFC 4345 introduces improved versions of Arcfour.
-	"arcfour": {16, 0, streamCipherMode(0, newRC4)},
-
-	// AEAD ciphers
-	gcm128CipherID:     {16, 12, newGCMCipher},
-	gcm256CipherID:     {32, 12, newGCMCipher},
-	chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
+	if fips140.Enabled() {
+		defaultCiphers = slices.DeleteFunc(defaultCiphers, func(algo string) bool {
+			_, ok := cipherModes[algo]
+			return !ok
+		})
+		return
+	}
 
+	cipherModes[CipherChaCha20Poly1305] = &cipherMode{64, 0, newChaCha20Cipher}
+	// Insecure ciphers not included in the default configuration.
+	cipherModes[InsecureCipherRC4128] = &cipherMode{16, 0, streamCipherMode(1536, newRC4)}
+	cipherModes[InsecureCipherRC4256] = &cipherMode{32, 0, streamCipherMode(1536, newRC4)}
+	cipherModes[InsecureCipherRC4] = &cipherMode{16, 0, streamCipherMode(0, newRC4)}
 	// CBC mode is insecure and so is not included in the default config.
 	// (See https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf). If absolutely
 	// needed, it's possible to specify a custom Config to enable it.
 	// You should expect that an active attacker can recover plaintext if
 	// you do.
-	aes128cbcID: {16, aes.BlockSize, newAESCBCCipher},
-
-	// 3des-cbc is insecure and is not included in the default
-	// config.
-	tripledescbcID: {24, des.BlockSize, newTripleDESCBCCipher},
+	cipherModes[InsecureCipherAES128CBC] = &cipherMode{16, aes.BlockSize, newAESCBCCipher}
+	cipherModes[InsecureCipherTripleDESCBC] = &cipherMode{24, des.BlockSize, newTripleDESCBCCipher}
 }
 
 // prefixLen is the length of the packet prefix that contains the packet length
@@ -307,7 +309,7 @@ type gcmCipher struct {
 	buf    []byte
 }
 
-func newGCMCipher(key, iv, unusedMacKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
+func newGCMCipher(key, iv, unusedMacKey []byte, unusedAlgs DirectionAlgorithms) (packetCipher, error) {
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
@@ -429,7 +431,7 @@ type cbcCipher struct {
 	oracleCamouflage uint32
 }
 
-func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
 	cbc := &cbcCipher{
 		mac:        macModes[algs.MAC].new(macKey),
 		decrypter:  cipher.NewCBCDecrypter(c, iv),
@@ -443,7 +445,7 @@ func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs directionAlgorith
 	return cbc, nil
 }
 
-func newAESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func newAESCBCCipher(key, iv, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
 	c, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
@@ -457,7 +459,7 @@ func newAESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCi
 	return cbc, nil
 }
 
-func newTripleDESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
+func newTripleDESCBCCipher(key, iv, macKey []byte, algs DirectionAlgorithms) (packetCipher, error) {
 	c, err := des.NewTripleDESCipher(key)
 	if err != nil {
 		return nil, err
@@ -635,8 +637,6 @@ func (c *cbcCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader
 	return nil
 }
 
-const chacha20Poly1305ID = "chacha20-poly1305@openssh.com"
-
 // chacha20Poly1305Cipher implements the chacha20-poly1305@openssh.com
 // AEAD, which is described here:
 //
@@ -650,7 +650,7 @@ type chacha20Poly1305Cipher struct {
 	buf        []byte
 }
 
-func newChaCha20Cipher(key, unusedIV, unusedMACKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
+func newChaCha20Cipher(key, unusedIV, unusedMACKey []byte, unusedAlgs DirectionAlgorithms) (packetCipher, error) {
 	if len(key) != 64 {
 		panic(len(key))
 	}
diff --git a/vendor/golang.org/x/crypto/ssh/client.go b/vendor/golang.org/x/crypto/ssh/client.go
index fd8c49749..33079789b 100644
--- a/vendor/golang.org/x/crypto/ssh/client.go
+++ b/vendor/golang.org/x/crypto/ssh/client.go
@@ -110,6 +110,7 @@ func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) e
 	}
 
 	c.sessionID = c.transport.getSessionID()
+	c.algorithms = c.transport.getAlgorithms()
 	return c.clientAuthenticate(config)
 }
 
diff --git a/vendor/golang.org/x/crypto/ssh/client_auth.go b/vendor/golang.org/x/crypto/ssh/client_auth.go
index b86dde151..3127e4990 100644
--- a/vendor/golang.org/x/crypto/ssh/client_auth.go
+++ b/vendor/golang.org/x/crypto/ssh/client_auth.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"slices"
 	"strings"
 )
 
@@ -83,7 +84,7 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 			// success
 			return nil
 		} else if ok == authFailure {
-			if m := auth.method(); !contains(tried, m) {
+			if m := auth.method(); !slices.Contains(tried, m) {
 				tried = append(tried, m)
 			}
 		}
@@ -97,7 +98,7 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	findNext:
 		for _, a := range config.Auth {
 			candidateMethod := a.method()
-			if contains(tried, candidateMethod) {
+			if slices.Contains(tried, candidateMethod) {
 				continue
 			}
 			for _, meth := range methods {
@@ -117,15 +118,6 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", tried)
 }
 
-func contains(list []string, e string) bool {
-	for _, s := range list {
-		if s == e {
-			return true
-		}
-	}
-	return false
-}
-
 // An AuthMethod represents an instance of an RFC 4252 authentication method.
 type AuthMethod interface {
 	// auth authenticates user over transport t.
@@ -255,7 +247,7 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA
 		// Fallback to use if there is no "server-sig-algs" extension or a
 		// common algorithm cannot be found. We use the public key format if the
 		// MultiAlgorithmSigner supports it, otherwise we return an error.
-		if !contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
+		if !slices.Contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
 			return "", fmt.Errorf("ssh: no common public key signature algorithm, server only supports %q for key type %q, signer only supports %v",
 				underlyingAlgo(keyFormat), keyFormat, as.Algorithms())
 		}
@@ -284,12 +276,12 @@ func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiA
 	// Filter algorithms based on those supported by MultiAlgorithmSigner.
 	var keyAlgos []string
 	for _, algo := range algorithmsForKeyFormat(keyFormat) {
-		if contains(as.Algorithms(), underlyingAlgo(algo)) {
+		if slices.Contains(as.Algorithms(), underlyingAlgo(algo)) {
 			keyAlgos = append(keyAlgos, algo)
 		}
 	}
 
-	algo, err := findCommon("public key signature algorithm", keyAlgos, serverAlgos)
+	algo, err := findCommon("public key signature algorithm", keyAlgos, serverAlgos, true)
 	if err != nil {
 		// If there is no overlap, return the fallback algorithm to support
 		// servers that fail to list all supported algorithms.
@@ -334,7 +326,7 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 		// the key try to use the obtained algorithm as if "server-sig-algs" had
 		// not been implemented if supported from the algorithm signer.
 		if !ok && idx < origSignersLen && isRSACert(algo) && algo != CertAlgoRSAv01 {
-			if contains(as.Algorithms(), KeyAlgoRSA) {
+			if slices.Contains(as.Algorithms(), KeyAlgoRSA) {
 				// We retry using the compat algorithm after all signers have
 				// been tried normally.
 				signers = append(signers, &multiAlgorithmSigner{
@@ -385,7 +377,7 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 		// contain the "publickey" method, do not attempt to authenticate with any
 		// other keys.  According to RFC 4252 Section 7, the latter can occur when
 		// additional authentication methods are required.
-		if success == authSuccess || !contains(methods, cb.method()) {
+		if success == authSuccess || !slices.Contains(methods, cb.method()) {
 			return success, methods, err
 		}
 	}
@@ -434,7 +426,7 @@ func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
 			// servers send the key type instead. OpenSSH allows any algorithm
 			// that matches the public key, so we do the same.
 			// https://github.com/openssh/openssh-portable/blob/86bdd385/sshconnect2.c#L709
-			if !contains(algorithmsForKeyFormat(key.Type()), msg.Algo) {
+			if !slices.Contains(algorithmsForKeyFormat(key.Type()), msg.Algo) {
 				return false, nil
 			}
 			if !bytes.Equal(msg.PubKey, pubKey) {
diff --git a/vendor/golang.org/x/crypto/ssh/common.go b/vendor/golang.org/x/crypto/ssh/common.go
index 7e9c2cbc6..2e44e9c9e 100644
--- a/vendor/golang.org/x/crypto/ssh/common.go
+++ b/vendor/golang.org/x/crypto/ssh/common.go
@@ -6,10 +6,12 @@ package ssh
 
 import (
 	"crypto"
+	"crypto/fips140"
 	"crypto/rand"
 	"fmt"
 	"io"
 	"math"
+	"slices"
 	"sync"
 
 	_ "crypto/sha1"
@@ -24,88 +26,298 @@ const (
 	serviceSSH      = "ssh-connection"
 )
 
-// supportedCiphers lists ciphers we support but might not recommend.
-var supportedCiphers = []string{
-	"aes128-ctr", "aes192-ctr", "aes256-ctr",
-	"aes128-gcm@openssh.com", gcm256CipherID,
-	chacha20Poly1305ID,
-	"arcfour256", "arcfour128", "arcfour",
-	aes128cbcID,
-	tripledescbcID,
+// The ciphers currently or previously implemented by this library, to use in
+// [Config.Ciphers]. For a list, see the [Algorithms.Ciphers] returned by
+// [SupportedAlgorithms] or [InsecureAlgorithms].
+const (
+	CipherAES128GCM            = "aes128-gcm@openssh.com"
+	CipherAES256GCM            = "aes256-gcm@openssh.com"
+	CipherChaCha20Poly1305     = "chacha20-poly1305@openssh.com"
+	CipherAES128CTR            = "aes128-ctr"
+	CipherAES192CTR            = "aes192-ctr"
+	CipherAES256CTR            = "aes256-ctr"
+	InsecureCipherAES128CBC    = "aes128-cbc"
+	InsecureCipherTripleDESCBC = "3des-cbc"
+	InsecureCipherRC4          = "arcfour"
+	InsecureCipherRC4128       = "arcfour128"
+	InsecureCipherRC4256       = "arcfour256"
+)
+
+// The key exchanges currently or previously implemented by this library, to use
+// in [Config.KeyExchanges]. For a list, see the
+// [Algorithms.KeyExchanges] returned by [SupportedAlgorithms] or
+// [InsecureAlgorithms].
+const (
+	InsecureKeyExchangeDH1SHA1   = "diffie-hellman-group1-sha1"
+	InsecureKeyExchangeDH14SHA1  = "diffie-hellman-group14-sha1"
+	KeyExchangeDH14SHA256        = "diffie-hellman-group14-sha256"
+	KeyExchangeDH16SHA512        = "diffie-hellman-group16-sha512"
+	KeyExchangeECDHP256          = "ecdh-sha2-nistp256"
+	KeyExchangeECDHP384          = "ecdh-sha2-nistp384"
+	KeyExchangeECDHP521          = "ecdh-sha2-nistp521"
+	KeyExchangeCurve25519        = "curve25519-sha256"
+	InsecureKeyExchangeDHGEXSHA1 = "diffie-hellman-group-exchange-sha1"
+	KeyExchangeDHGEXSHA256       = "diffie-hellman-group-exchange-sha256"
+	// KeyExchangeMLKEM768X25519 is supported from Go 1.24.
+	KeyExchangeMLKEM768X25519 = "mlkem768x25519-sha256"
+
+	// An alias for KeyExchangeCurve25519SHA256. This kex ID will be added if
+	// KeyExchangeCurve25519SHA256 is requested for backward compatibility with
+	// OpenSSH versions up to 7.2.
+	keyExchangeCurve25519LibSSH = "curve25519-sha256@libssh.org"
+)
+
+// The message authentication code (MAC) currently or previously implemented by
+// this library, to use in [Config.MACs]. For a list, see the
+// [Algorithms.MACs] returned by [SupportedAlgorithms] or
+// [InsecureAlgorithms].
+const (
+	HMACSHA256ETM      = "hmac-sha2-256-etm@openssh.com"
+	HMACSHA512ETM      = "hmac-sha2-512-etm@openssh.com"
+	HMACSHA256         = "hmac-sha2-256"
+	HMACSHA512         = "hmac-sha2-512"
+	HMACSHA1           = "hmac-sha1"
+	InsecureHMACSHA196 = "hmac-sha1-96"
+)
+
+var (
+	// supportedKexAlgos specifies key-exchange algorithms implemented by this
+	// package in preference order, excluding those with security issues.
+	supportedKexAlgos = []string{
+		KeyExchangeMLKEM768X25519,
+		KeyExchangeCurve25519,
+		KeyExchangeECDHP256,
+		KeyExchangeECDHP384,
+		KeyExchangeECDHP521,
+		KeyExchangeDH14SHA256,
+		KeyExchangeDH16SHA512,
+		KeyExchangeDHGEXSHA256,
+	}
+	// defaultKexAlgos specifies the default preference for key-exchange
+	// algorithms in preference order.
+	defaultKexAlgos = []string{
+		KeyExchangeMLKEM768X25519,
+		KeyExchangeCurve25519,
+		KeyExchangeECDHP256,
+		KeyExchangeECDHP384,
+		KeyExchangeECDHP521,
+		KeyExchangeDH14SHA256,
+		InsecureKeyExchangeDH14SHA1,
+	}
+	// insecureKexAlgos specifies key-exchange algorithms implemented by this
+	// package and which have security issues.
+	insecureKexAlgos = []string{
+		InsecureKeyExchangeDH14SHA1,
+		InsecureKeyExchangeDH1SHA1,
+		InsecureKeyExchangeDHGEXSHA1,
+	}
+	// supportedCiphers specifies cipher algorithms implemented by this package
+	// in preference order, excluding those with security issues.
+	supportedCiphers = []string{
+		CipherAES128GCM,
+		CipherAES256GCM,
+		CipherChaCha20Poly1305,
+		CipherAES128CTR,
+		CipherAES192CTR,
+		CipherAES256CTR,
+	}
+	// defaultCiphers specifies the default preference for ciphers algorithms
+	// in preference order.
+	defaultCiphers = supportedCiphers
+	// insecureCiphers specifies cipher algorithms implemented by this
+	// package and which have security issues.
+	insecureCiphers = []string{
+		InsecureCipherAES128CBC,
+		InsecureCipherTripleDESCBC,
+		InsecureCipherRC4256,
+		InsecureCipherRC4128,
+		InsecureCipherRC4,
+	}
+	// supportedMACs specifies MAC algorithms implemented by this package in
+	// preference order, excluding those with security issues.
+	supportedMACs = []string{
+		HMACSHA256ETM,
+		HMACSHA512ETM,
+		HMACSHA256,
+		HMACSHA512,
+		HMACSHA1,
+	}
+	// defaultMACs specifies the default preference for MAC algorithms in
+	// preference order.
+	defaultMACs = []string{
+		HMACSHA256ETM,
+		HMACSHA512ETM,
+		HMACSHA256,
+		HMACSHA512,
+		HMACSHA1,
+		InsecureHMACSHA196,
+	}
+	// insecureMACs specifies MAC algorithms implemented by this
+	// package and which have security issues.
+	insecureMACs = []string{
+		InsecureHMACSHA196,
+	}
+	// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e.
+	// methods of authenticating servers) implemented by this package in
+	// preference order, excluding those with security issues.
+	supportedHostKeyAlgos = []string{
+		CertAlgoRSASHA256v01,
+		CertAlgoRSASHA512v01,
+		CertAlgoECDSA256v01,
+		CertAlgoECDSA384v01,
+		CertAlgoECDSA521v01,
+		CertAlgoED25519v01,
+		KeyAlgoRSASHA256,
+		KeyAlgoRSASHA512,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		KeyAlgoED25519,
+	}
+	// defaultHostKeyAlgos specifies the default preference for host-key
+	// algorithms in preference order.
+	defaultHostKeyAlgos = []string{
+		CertAlgoRSASHA256v01,
+		CertAlgoRSASHA512v01,
+		CertAlgoRSAv01,
+		InsecureCertAlgoDSAv01,
+		CertAlgoECDSA256v01,
+		CertAlgoECDSA384v01,
+		CertAlgoECDSA521v01,
+		CertAlgoED25519v01,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		KeyAlgoRSASHA256,
+		KeyAlgoRSASHA512,
+		KeyAlgoRSA,
+		InsecureKeyAlgoDSA,
+		KeyAlgoED25519,
+	}
+	// insecureHostKeyAlgos specifies host-key algorithms implemented by this
+	// package and which have security issues.
+	insecureHostKeyAlgos = []string{
+		KeyAlgoRSA,
+		InsecureKeyAlgoDSA,
+		CertAlgoRSAv01,
+		InsecureCertAlgoDSAv01,
+	}
+	// supportedPubKeyAuthAlgos specifies the supported client public key
+	// authentication algorithms. Note that this doesn't include certificate
+	// types since those use the underlying algorithm. Order is irrelevant.
+	supportedPubKeyAuthAlgos = []string{
+		KeyAlgoED25519,
+		KeyAlgoSKED25519,
+		KeyAlgoSKECDSA256,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		KeyAlgoRSASHA256,
+		KeyAlgoRSASHA512,
+	}
+
+	// defaultPubKeyAuthAlgos specifies the preferred client public key
+	// authentication algorithms. This list is sent to the client if it supports
+	// the server-sig-algs extension. Order is irrelevant.
+	defaultPubKeyAuthAlgos = []string{
+		KeyAlgoED25519,
+		KeyAlgoSKED25519,
+		KeyAlgoSKECDSA256,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		KeyAlgoRSASHA256,
+		KeyAlgoRSASHA512,
+		KeyAlgoRSA,
+		InsecureKeyAlgoDSA,
+	}
+	// insecurePubKeyAuthAlgos specifies client public key authentication
+	// algorithms implemented by this package and which have security issues.
+	insecurePubKeyAuthAlgos = []string{
+		KeyAlgoRSA,
+		InsecureKeyAlgoDSA,
+	}
+)
+
+// NegotiatedAlgorithms defines algorithms negotiated between client and server.
+type NegotiatedAlgorithms struct {
+	KeyExchange string
+	HostKey     string
+	Read        DirectionAlgorithms
+	Write       DirectionAlgorithms
 }
 
-// preferredCiphers specifies the default preference for ciphers.
-var preferredCiphers = []string{
-	"aes128-gcm@openssh.com", gcm256CipherID,
-	chacha20Poly1305ID,
-	"aes128-ctr", "aes192-ctr", "aes256-ctr",
+// Algorithms defines a set of algorithms that can be configured in the client
+// or server config for negotiation during a handshake.
+type Algorithms struct {
+	KeyExchanges   []string
+	Ciphers        []string
+	MACs           []string
+	HostKeys       []string
+	PublicKeyAuths []string
 }
 
-// supportedKexAlgos specifies the supported key-exchange algorithms in
-// preference order.
-var supportedKexAlgos = []string{
-	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
-	// P384 and P521 are not constant-time yet, but since we don't
-	// reuse ephemeral keys, using them for ECDH should be OK.
-	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-	kexAlgoDH14SHA256, kexAlgoDH16SHA512, kexAlgoDH14SHA1,
-	kexAlgoDH1SHA1,
+func init() {
+	if fips140.Enabled() {
+		defaultHostKeyAlgos = slices.DeleteFunc(defaultHostKeyAlgos, func(algo string) bool {
+			_, err := hashFunc(underlyingAlgo(algo))
+			return err != nil
+		})
+		defaultPubKeyAuthAlgos = slices.DeleteFunc(defaultPubKeyAuthAlgos, func(algo string) bool {
+			_, err := hashFunc(underlyingAlgo(algo))
+			return err != nil
+		})
+	}
 }
 
-// serverForbiddenKexAlgos contains key exchange algorithms, that are forbidden
-// for the server half.
-var serverForbiddenKexAlgos = map[string]struct{}{
-	kexAlgoDHGEXSHA1:   {}, // server half implementation is only minimal to satisfy the automated tests
-	kexAlgoDHGEXSHA256: {}, // server half implementation is only minimal to satisfy the automated tests
+func hashFunc(format string) (crypto.Hash, error) {
+	switch format {
+	case KeyAlgoRSASHA256, KeyAlgoECDSA256, KeyAlgoSKED25519, KeyAlgoSKECDSA256:
+		return crypto.SHA256, nil
+	case KeyAlgoECDSA384:
+		return crypto.SHA384, nil
+	case KeyAlgoRSASHA512, KeyAlgoECDSA521:
+		return crypto.SHA512, nil
+	case KeyAlgoED25519:
+		// KeyAlgoED25519 doesn't pre-hash.
+		return 0, nil
+	case KeyAlgoRSA, InsecureKeyAlgoDSA:
+		if fips140.Enabled() {
+			return 0, fmt.Errorf("ssh: hash algorithm for format %q not allowed in FIPS 140 mode", format)
+		}
+		return crypto.SHA1, nil
+	default:
+		return 0, fmt.Errorf("ssh: hash algorithm for format %q not mapped", format)
+	}
 }
 
-// preferredKexAlgos specifies the default preference for key-exchange
-// algorithms in preference order. The diffie-hellman-group16-sha512 algorithm
-// is disabled by default because it is a bit slower than the others.
-var preferredKexAlgos = []string{
-	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
-	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-	kexAlgoDH14SHA256, kexAlgoDH14SHA1,
+// SupportedAlgorithms returns algorithms currently implemented by this package,
+// excluding those with security issues, which are returned by
+// InsecureAlgorithms. The algorithms listed here are in preference order.
+func SupportedAlgorithms() Algorithms {
+	return Algorithms{
+		Ciphers:        slices.Clone(supportedCiphers),
+		MACs:           slices.Clone(supportedMACs),
+		KeyExchanges:   slices.Clone(supportedKexAlgos),
+		HostKeys:       slices.Clone(supportedHostKeyAlgos),
+		PublicKeyAuths: slices.Clone(supportedPubKeyAuthAlgos),
+	}
 }
 
-// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
-// of authenticating servers) in preference order.
-var supportedHostKeyAlgos = []string{
-	CertAlgoRSASHA256v01, CertAlgoRSASHA512v01,
-	CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
-	CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
-
-	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
-	KeyAlgoRSASHA256, KeyAlgoRSASHA512,
-	KeyAlgoRSA, KeyAlgoDSA,
-
-	KeyAlgoED25519,
-}
-
-// supportedMACs specifies a default set of MAC algorithms in preference order.
-// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
-// because they have reached the end of their useful life.
-var supportedMACs = []string{
-	"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96",
+// InsecureAlgorithms returns algorithms currently implemented by this package
+// and which have security issues.
+func InsecureAlgorithms() Algorithms {
+	return Algorithms{
+		KeyExchanges:   slices.Clone(insecureKexAlgos),
+		Ciphers:        slices.Clone(insecureCiphers),
+		MACs:           slices.Clone(insecureMACs),
+		HostKeys:       slices.Clone(insecureHostKeyAlgos),
+		PublicKeyAuths: slices.Clone(insecurePubKeyAuthAlgos),
+	}
 }
 
 var supportedCompressions = []string{compressionNone}
 
-// hashFuncs keeps the mapping of supported signature algorithms to their
-// respective hashes needed for signing and verification.
-var hashFuncs = map[string]crypto.Hash{
-	KeyAlgoRSA:       crypto.SHA1,
-	KeyAlgoRSASHA256: crypto.SHA256,
-	KeyAlgoRSASHA512: crypto.SHA512,
-	KeyAlgoDSA:       crypto.SHA1,
-	KeyAlgoECDSA256:  crypto.SHA256,
-	KeyAlgoECDSA384:  crypto.SHA384,
-	KeyAlgoECDSA521:  crypto.SHA512,
-	// KeyAlgoED25519 doesn't pre-hash.
-	KeyAlgoSKECDSA256: crypto.SHA256,
-	KeyAlgoSKED25519:  crypto.SHA256,
-}
-
 // algorithmsForKeyFormat returns the supported signature algorithms for a given
 // public key format (PublicKey.Type), in order of preference. See RFC 8332,
 // Section 2. See also the note in sendKexInit on backwards compatibility.
@@ -120,11 +332,40 @@ func algorithmsForKeyFormat(keyFormat string) []string {
 	}
 }
 
+// keyFormatForAlgorithm returns the key format corresponding to the given
+// signature algorithm. It returns an empty string if the signature algorithm is
+// invalid or unsupported.
+func keyFormatForAlgorithm(sigAlgo string) string {
+	switch sigAlgo {
+	case KeyAlgoRSA, KeyAlgoRSASHA256, KeyAlgoRSASHA512:
+		return KeyAlgoRSA
+	case CertAlgoRSAv01, CertAlgoRSASHA256v01, CertAlgoRSASHA512v01:
+		return CertAlgoRSAv01
+	case KeyAlgoED25519,
+		KeyAlgoSKED25519,
+		KeyAlgoSKECDSA256,
+		KeyAlgoECDSA256,
+		KeyAlgoECDSA384,
+		KeyAlgoECDSA521,
+		InsecureKeyAlgoDSA,
+		InsecureCertAlgoDSAv01,
+		CertAlgoECDSA256v01,
+		CertAlgoECDSA384v01,
+		CertAlgoECDSA521v01,
+		CertAlgoSKECDSA256v01,
+		CertAlgoED25519v01,
+		CertAlgoSKED25519v01:
+		return sigAlgo
+	default:
+		return ""
+	}
+}
+
 // isRSA returns whether algo is a supported RSA algorithm, including certificate
 // algorithms.
 func isRSA(algo string) bool {
 	algos := algorithmsForKeyFormat(KeyAlgoRSA)
-	return contains(algos, underlyingAlgo(algo))
+	return slices.Contains(algos, underlyingAlgo(algo))
 }
 
 func isRSACert(algo string) bool {
@@ -135,18 +376,6 @@ func isRSACert(algo string) bool {
 	return isRSA(algo)
 }
 
-// supportedPubKeyAuthAlgos specifies the supported client public key
-// authentication algorithms. Note that this doesn't include certificate types
-// since those use the underlying algorithm. This list is sent to the client if
-// it supports the server-sig-algs extension. Order is irrelevant.
-var supportedPubKeyAuthAlgos = []string{
-	KeyAlgoED25519,
-	KeyAlgoSKED25519, KeyAlgoSKECDSA256,
-	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
-	KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA,
-	KeyAlgoDSA,
-}
-
 // unexpectedMessageError results when the SSH message that we received didn't
 // match what we wanted.
 func unexpectedMessageError(expected, got uint8) error {
@@ -158,7 +387,7 @@ func parseError(tag uint8) error {
 	return fmt.Errorf("ssh: parse error in message type %d", tag)
 }
 
-func findCommon(what string, client []string, server []string) (common string, err error) {
+func findCommon(what string, client []string, server []string, isClient bool) (string, error) {
 	for _, c := range client {
 		for _, s := range server {
 			if c == s {
@@ -166,23 +395,49 @@ func findCommon(what string, client []string, server []string) (common string, e
 			}
 		}
 	}
-	return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
+	err := &AlgorithmNegotiationError{
+		What: what,
+	}
+	if isClient {
+		err.SupportedAlgorithms = client
+		err.RequestedAlgorithms = server
+	} else {
+		err.SupportedAlgorithms = server
+		err.RequestedAlgorithms = client
+	}
+	return "", err
 }
 
-// directionAlgorithms records algorithm choices in one direction (either read or write)
-type directionAlgorithms struct {
+// AlgorithmNegotiationError defines the error returned if the client and the
+// server cannot agree on an algorithm for key exchange, host key, cipher, MAC.
+type AlgorithmNegotiationError struct {
+	What string
+	// RequestedAlgorithms lists the algorithms supported by the peer.
+	RequestedAlgorithms []string
+	// SupportedAlgorithms lists the algorithms supported on our side.
+	SupportedAlgorithms []string
+}
+
+func (a *AlgorithmNegotiationError) Error() string {
+	return fmt.Sprintf("ssh: no common algorithm for %s; we offered: %v, peer offered: %v",
+		a.What, a.SupportedAlgorithms, a.RequestedAlgorithms)
+}
+
+// DirectionAlgorithms defines the algorithms negotiated in one direction
+// (either read or write).
+type DirectionAlgorithms struct {
 	Cipher      string
 	MAC         string
-	Compression string
+	compression string
 }
 
 // rekeyBytes returns a rekeying intervals in bytes.
-func (a *directionAlgorithms) rekeyBytes() int64 {
+func (a *DirectionAlgorithms) rekeyBytes() int64 {
 	// According to RFC 4344 block ciphers should rekey after
 	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
 	// 128.
 	switch a.Cipher {
-	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcm128CipherID, gcm256CipherID, aes128cbcID:
+	case CipherAES128CTR, CipherAES192CTR, CipherAES256CTR, CipherAES128GCM, CipherAES256GCM, InsecureCipherAES128CBC:
 		return 16 * (1 << 32)
 
 	}
@@ -192,66 +447,59 @@ func (a *directionAlgorithms) rekeyBytes() int64 {
 }
 
 var aeadCiphers = map[string]bool{
-	gcm128CipherID:     true,
-	gcm256CipherID:     true,
-	chacha20Poly1305ID: true,
+	CipherAES128GCM:        true,
+	CipherAES256GCM:        true,
+	CipherChaCha20Poly1305: true,
 }
 
-type algorithms struct {
-	kex     string
-	hostKey string
-	w       directionAlgorithms
-	r       directionAlgorithms
-}
+func findAgreedAlgorithms(isClient bool, clientKexInit, serverKexInit *kexInitMsg) (algs *NegotiatedAlgorithms, err error) {
+	result := &NegotiatedAlgorithms{}
 
-func findAgreedAlgorithms(isClient bool, clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
-	result := &algorithms{}
-
-	result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
+	result.KeyExchange, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos, isClient)
 	if err != nil {
 		return
 	}
 
-	result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
+	result.HostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos, isClient)
 	if err != nil {
 		return
 	}
 
-	stoc, ctos := &result.w, &result.r
+	stoc, ctos := &result.Write, &result.Read
 	if isClient {
 		ctos, stoc = stoc, ctos
 	}
 
-	ctos.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
+	ctos.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer, isClient)
 	if err != nil {
 		return
 	}
 
-	stoc.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
+	stoc.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient, isClient)
 	if err != nil {
 		return
 	}
 
 	if !aeadCiphers[ctos.Cipher] {
-		ctos.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
+		ctos.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer, isClient)
 		if err != nil {
 			return
 		}
 	}
 
 	if !aeadCiphers[stoc.Cipher] {
-		stoc.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
+		stoc.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient, isClient)
 		if err != nil {
 			return
 		}
 	}
 
-	ctos.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
+	ctos.compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer, isClient)
 	if err != nil {
 		return
 	}
 
-	stoc.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
+	stoc.compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient, isClient)
 	if err != nil {
 		return
 	}
@@ -297,7 +545,7 @@ func (c *Config) SetDefaults() {
 		c.Rand = rand.Reader
 	}
 	if c.Ciphers == nil {
-		c.Ciphers = preferredCiphers
+		c.Ciphers = defaultCiphers
 	}
 	var ciphers []string
 	for _, c := range c.Ciphers {
@@ -309,19 +557,22 @@ func (c *Config) SetDefaults() {
 	c.Ciphers = ciphers
 
 	if c.KeyExchanges == nil {
-		c.KeyExchanges = preferredKexAlgos
+		c.KeyExchanges = defaultKexAlgos
 	}
 	var kexs []string
 	for _, k := range c.KeyExchanges {
 		if kexAlgoMap[k] != nil {
 			// Ignore the KEX if we have no kexAlgoMap definition.
 			kexs = append(kexs, k)
+			if k == KeyExchangeCurve25519 && !slices.Contains(c.KeyExchanges, keyExchangeCurve25519LibSSH) {
+				kexs = append(kexs, keyExchangeCurve25519LibSSH)
+			}
 		}
 	}
 	c.KeyExchanges = kexs
 
 	if c.MACs == nil {
-		c.MACs = supportedMACs
+		c.MACs = defaultMACs
 	}
 	var macs []string
 	for _, m := range c.MACs {
diff --git a/vendor/golang.org/x/crypto/ssh/connection.go b/vendor/golang.org/x/crypto/ssh/connection.go
index 8f345ee92..613a71a7b 100644
--- a/vendor/golang.org/x/crypto/ssh/connection.go
+++ b/vendor/golang.org/x/crypto/ssh/connection.go
@@ -74,6 +74,13 @@ type Conn interface {
 	//   Disconnect
 }
 
+// AlgorithmsConnMetadata is a ConnMetadata that can return the algorithms
+// negotiated between client and server.
+type AlgorithmsConnMetadata interface {
+	ConnMetadata
+	Algorithms() NegotiatedAlgorithms
+}
+
 // DiscardRequests consumes and rejects all requests from the
 // passed-in channel.
 func DiscardRequests(in <-chan *Request) {
@@ -106,6 +113,7 @@ type sshConn struct {
 	sessionID     []byte
 	clientVersion []byte
 	serverVersion []byte
+	algorithms    NegotiatedAlgorithms
 }
 
 func dup(src []byte) []byte {
@@ -141,3 +149,7 @@ func (c *sshConn) ClientVersion() []byte {
 func (c *sshConn) ServerVersion() []byte {
 	return dup(c.serverVersion)
 }
+
+func (c *sshConn) Algorithms() NegotiatedAlgorithms {
+	return c.algorithms
+}
diff --git a/vendor/golang.org/x/crypto/ssh/doc.go b/vendor/golang.org/x/crypto/ssh/doc.go
index f5d352fe3..5b4de9eff 100644
--- a/vendor/golang.org/x/crypto/ssh/doc.go
+++ b/vendor/golang.org/x/crypto/ssh/doc.go
@@ -16,8 +16,19 @@ References:
 	[PROTOCOL]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL?rev=HEAD
 	[PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
 	[SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
+	[SSH-CERTS]:	https://datatracker.ietf.org/doc/html/draft-miller-ssh-cert-01
+	[FIPS 140-3 mode]: https://go.dev/doc/security/fips140
 
 This package does not fall under the stability promise of the Go language itself,
 so its API may be changed when pressing needs arise.
+
+# FIPS 140-3 mode
+
+When the program is in [FIPS 140-3 mode], this package behaves as if only SP
+800-140C and SP 800-140D approved cipher suites, signature algorithms,
+certificate public key types and sizes, and key exchange and derivation
+algorithms were implemented. Others are silently ignored and not negotiated, or
+rejected. This set may depend on the algorithms supported by the FIPS 140-3 Go
+Cryptographic Module selected with GOFIPS140, and may change across Go versions.
 */
 package ssh
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
index b6bf546b4..4be3cbb6d 100644
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@@ -10,6 +10,7 @@ import (
 	"io"
 	"log"
 	"net"
+	"slices"
 	"strings"
 	"sync"
 )
@@ -38,7 +39,7 @@ type keyingTransport interface {
 	// prepareKeyChange sets up a key change. The key change for a
 	// direction will be effected if a msgNewKeys message is sent
 	// or received.
-	prepareKeyChange(*algorithms, *kexResult) error
+	prepareKeyChange(*NegotiatedAlgorithms, *kexResult) error
 
 	// setStrictMode sets the strict KEX mode, notably triggering
 	// sequence number resets on sending or receiving msgNewKeys.
@@ -115,7 +116,7 @@ type handshakeTransport struct {
 	bannerCallback BannerCallback
 
 	// Algorithms agreed in the last key exchange.
-	algorithms *algorithms
+	algorithms *NegotiatedAlgorithms
 
 	// Counters exclusively owned by readLoop.
 	readPacketsLeft uint32
@@ -164,7 +165,7 @@ func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byt
 	if config.HostKeyAlgorithms != nil {
 		t.hostKeyAlgorithms = config.HostKeyAlgorithms
 	} else {
-		t.hostKeyAlgorithms = supportedHostKeyAlgos
+		t.hostKeyAlgorithms = defaultHostKeyAlgos
 	}
 	go t.readLoop()
 	go t.kexLoop()
@@ -184,6 +185,10 @@ func (t *handshakeTransport) getSessionID() []byte {
 	return t.sessionID
 }
 
+func (t *handshakeTransport) getAlgorithms() NegotiatedAlgorithms {
+	return *t.algorithms
+}
+
 // waitSession waits for the session to be established. This should be
 // the first thing to call after instantiating handshakeTransport.
 func (t *handshakeTransport) waitSession() error {
@@ -290,7 +295,7 @@ func (t *handshakeTransport) resetWriteThresholds() {
 	if t.config.RekeyThreshold > 0 {
 		t.writeBytesLeft = int64(t.config.RekeyThreshold)
 	} else if t.algorithms != nil {
-		t.writeBytesLeft = t.algorithms.w.rekeyBytes()
+		t.writeBytesLeft = t.algorithms.Write.rekeyBytes()
 	} else {
 		t.writeBytesLeft = 1 << 30
 	}
@@ -407,7 +412,7 @@ func (t *handshakeTransport) resetReadThresholds() {
 	if t.config.RekeyThreshold > 0 {
 		t.readBytesLeft = int64(t.config.RekeyThreshold)
 	} else if t.algorithms != nil {
-		t.readBytesLeft = t.algorithms.r.rekeyBytes()
+		t.readBytesLeft = t.algorithms.Read.rekeyBytes()
 	} else {
 		t.readBytesLeft = 1 << 30
 	}
@@ -523,7 +528,7 @@ func (t *handshakeTransport) sendKexInit() error {
 			switch s := k.(type) {
 			case MultiAlgorithmSigner:
 				for _, algo := range algorithmsForKeyFormat(keyFormat) {
-					if contains(s.Algorithms(), underlyingAlgo(algo)) {
+					if slices.Contains(s.Algorithms(), underlyingAlgo(algo)) {
 						msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algo)
 					}
 				}
@@ -675,7 +680,7 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 		return err
 	}
 
-	if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) {
+	if t.sessionID == nil && ((isClient && slices.Contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && slices.Contains(clientInit.KexAlgos, kexStrictClient))) {
 		t.strictMode = true
 		if err := t.conn.setStrictMode(); err != nil {
 			return err
@@ -700,9 +705,9 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 		}
 	}
 
-	kex, ok := kexAlgoMap[t.algorithms.kex]
+	kex, ok := kexAlgoMap[t.algorithms.KeyExchange]
 	if !ok {
-		return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex)
+		return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.KeyExchange)
 	}
 
 	var result *kexResult
@@ -732,7 +737,7 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 	// On the server side, after the first SSH_MSG_NEWKEYS, send a SSH_MSG_EXT_INFO
 	// message with the server-sig-algs extension if the client supports it. See
 	// RFC 8308, Sections 2.4 and 3.1, and [PROTOCOL], Section 1.9.
-	if !isClient && firstKeyExchange && contains(clientInit.KexAlgos, "ext-info-c") {
+	if !isClient && firstKeyExchange && slices.Contains(clientInit.KexAlgos, "ext-info-c") {
 		supportedPubKeyAuthAlgosList := strings.Join(t.publicKeyAuthAlgorithms, ",")
 		extInfo := &extInfoMsg{
 			NumExtensions: 2,
@@ -786,7 +791,7 @@ func (a algorithmSignerWrapper) SignWithAlgorithm(rand io.Reader, data []byte, a
 func pickHostKey(hostKeys []Signer, algo string) AlgorithmSigner {
 	for _, k := range hostKeys {
 		if s, ok := k.(MultiAlgorithmSigner); ok {
-			if !contains(s.Algorithms(), underlyingAlgo(algo)) {
+			if !slices.Contains(s.Algorithms(), underlyingAlgo(algo)) {
 				continue
 			}
 		}
@@ -809,12 +814,12 @@ func pickHostKey(hostKeys []Signer, algo string) AlgorithmSigner {
 }
 
 func (t *handshakeTransport) server(kex kexAlgorithm, magics *handshakeMagics) (*kexResult, error) {
-	hostKey := pickHostKey(t.hostKeys, t.algorithms.hostKey)
+	hostKey := pickHostKey(t.hostKeys, t.algorithms.HostKey)
 	if hostKey == nil {
 		return nil, errors.New("ssh: internal error: negotiated unsupported signature type")
 	}
 
-	r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey, t.algorithms.hostKey)
+	r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey, t.algorithms.HostKey)
 	return r, err
 }
 
@@ -829,7 +834,7 @@ func (t *handshakeTransport) client(kex kexAlgorithm, magics *handshakeMagics) (
 		return nil, err
 	}
 
-	if err := verifyHostKeySignature(hostKey, t.algorithms.hostKey, result); err != nil {
+	if err := verifyHostKeySignature(hostKey, t.algorithms.HostKey, result); err != nil {
 		return nil, err
 	}
 
diff --git a/vendor/golang.org/x/crypto/ssh/kex.go b/vendor/golang.org/x/crypto/ssh/kex.go
index 8a05f7990..5f7fdd851 100644
--- a/vendor/golang.org/x/crypto/ssh/kex.go
+++ b/vendor/golang.org/x/crypto/ssh/kex.go
@@ -8,33 +8,31 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
+	"crypto/fips140"
 	"crypto/rand"
-	"crypto/subtle"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
 	"math/big"
+	"slices"
 
 	"golang.org/x/crypto/curve25519"
 )
 
 const (
-	kexAlgoDH1SHA1                = "diffie-hellman-group1-sha1"
-	kexAlgoDH14SHA1               = "diffie-hellman-group14-sha1"
-	kexAlgoDH14SHA256             = "diffie-hellman-group14-sha256"
-	kexAlgoDH16SHA512             = "diffie-hellman-group16-sha512"
-	kexAlgoECDH256                = "ecdh-sha2-nistp256"
-	kexAlgoECDH384                = "ecdh-sha2-nistp384"
-	kexAlgoECDH521                = "ecdh-sha2-nistp521"
-	kexAlgoCurve25519SHA256LibSSH = "curve25519-sha256@libssh.org"
-	kexAlgoCurve25519SHA256       = "curve25519-sha256"
-
-	// For the following kex only the client half contains a production
-	// ready implementation. The server half only consists of a minimal
-	// implementation to satisfy the automated tests.
-	kexAlgoDHGEXSHA1   = "diffie-hellman-group-exchange-sha1"
-	kexAlgoDHGEXSHA256 = "diffie-hellman-group-exchange-sha256"
+	// This is the group called diffie-hellman-group1-sha1 in RFC 4253 and
+	// Oakley Group 2 in RFC 2409.
+	oakleyGroup2 = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
+	// This is the group called diffie-hellman-group14-sha1 in RFC 4253 and
+	// Oakley Group 14 in RFC 3526.
+	oakleyGroup14 = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF"
+	// This is the group called diffie-hellman-group15-sha512 in RFC 8268 and
+	// Oakley Group 15 in RFC 3526.
+	oakleyGroup15 = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
+	// This is the group called diffie-hellman-group16-sha512 in RFC 8268 and
+	// Oakley Group 16 in RFC 3526.
+	oakleyGroup16 = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF"
 )
 
 // kexResult captures the outcome of a key exchange.
@@ -399,56 +397,64 @@ func ecHash(curve elliptic.Curve) crypto.Hash {
 	return crypto.SHA512
 }
 
+// kexAlgoMap defines the supported KEXs. KEXs not included are not supported
+// and will not be negotiated, even if explicitly configured. When FIPS mode is
+// enabled, only FIPS-approved algorithms are included.
 var kexAlgoMap = map[string]kexAlgorithm{}
 
 func init() {
-	// This is the group called diffie-hellman-group1-sha1 in
-	// RFC 4253 and Oakley Group 2 in RFC 2409.
-	p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
-	kexAlgoMap[kexAlgoDH1SHA1] = &dhGroup{
+	// mlkem768x25519-sha256 we'll work with fips140=on but not fips140=only
+	// until Go 1.26.
+	kexAlgoMap[KeyExchangeMLKEM768X25519] = &mlkem768WithCurve25519sha256{}
+	kexAlgoMap[KeyExchangeECDHP521] = &ecdh{elliptic.P521()}
+	kexAlgoMap[KeyExchangeECDHP384] = &ecdh{elliptic.P384()}
+	kexAlgoMap[KeyExchangeECDHP256] = &ecdh{elliptic.P256()}
+
+	if fips140.Enabled() {
+		defaultKexAlgos = slices.DeleteFunc(defaultKexAlgos, func(algo string) bool {
+			_, ok := kexAlgoMap[algo]
+			return !ok
+		})
+		return
+	}
+
+	p, _ := new(big.Int).SetString(oakleyGroup2, 16)
+	kexAlgoMap[InsecureKeyExchangeDH1SHA1] = &dhGroup{
 		g:        new(big.Int).SetInt64(2),
 		p:        p,
 		pMinus1:  new(big.Int).Sub(p, bigOne),
 		hashFunc: crypto.SHA1,
 	}
 
-	// This are the groups called diffie-hellman-group14-sha1 and
-	// diffie-hellman-group14-sha256 in RFC 4253 and RFC 8268,
-	// and Oakley Group 14 in RFC 3526.
-	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
+	p, _ = new(big.Int).SetString(oakleyGroup14, 16)
 	group14 := &dhGroup{
 		g:       new(big.Int).SetInt64(2),
 		p:       p,
 		pMinus1: new(big.Int).Sub(p, bigOne),
 	}
 
-	kexAlgoMap[kexAlgoDH14SHA1] = &dhGroup{
+	kexAlgoMap[InsecureKeyExchangeDH14SHA1] = &dhGroup{
 		g: group14.g, p: group14.p, pMinus1: group14.pMinus1,
 		hashFunc: crypto.SHA1,
 	}
-	kexAlgoMap[kexAlgoDH14SHA256] = &dhGroup{
+	kexAlgoMap[KeyExchangeDH14SHA256] = &dhGroup{
 		g: group14.g, p: group14.p, pMinus1: group14.pMinus1,
 		hashFunc: crypto.SHA256,
 	}
 
-	// This is the group called diffie-hellman-group16-sha512 in RFC
-	// 8268 and Oakley Group 16 in RFC 3526.
-	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199FFFFFFFFFFFFFFFF", 16)
+	p, _ = new(big.Int).SetString(oakleyGroup16, 16)
 
-	kexAlgoMap[kexAlgoDH16SHA512] = &dhGroup{
+	kexAlgoMap[KeyExchangeDH16SHA512] = &dhGroup{
 		g:        new(big.Int).SetInt64(2),
 		p:        p,
 		pMinus1:  new(big.Int).Sub(p, bigOne),
 		hashFunc: crypto.SHA512,
 	}
 
-	kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
-	kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
-	kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}
-	kexAlgoMap[kexAlgoCurve25519SHA256] = &curve25519sha256{}
-	kexAlgoMap[kexAlgoCurve25519SHA256LibSSH] = &curve25519sha256{}
-	kexAlgoMap[kexAlgoDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1}
-	kexAlgoMap[kexAlgoDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256}
+	kexAlgoMap[KeyExchangeCurve25519] = &curve25519sha256{}
+	kexAlgoMap[keyExchangeCurve25519LibSSH] = &curve25519sha256{}
+	kexAlgoMap[InsecureKeyExchangeDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1}
+	kexAlgoMap[KeyExchangeDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256}
 }
 
 // curve25519sha256 implements the curve25519-sha256 (formerly known as
@@ -464,15 +470,17 @@ func (kp *curve25519KeyPair) generate(rand io.Reader) error {
 	if _, err := io.ReadFull(rand, kp.priv[:]); err != nil {
 		return err
 	}
-	curve25519.ScalarBaseMult(&kp.pub, &kp.priv)
+	p, err := curve25519.X25519(kp.priv[:], curve25519.Basepoint)
+	if err != nil {
+		return fmt.Errorf("curve25519: %w", err)
+	}
+	if len(p) != 32 {
+		return fmt.Errorf("curve25519: internal error: X25519 returned %d bytes, expected 32", len(p))
+	}
+	copy(kp.pub[:], p)
 	return nil
 }
 
-// curve25519Zeros is just an array of 32 zero bytes so that we have something
-// convenient to compare against in order to reject curve25519 points with the
-// wrong order.
-var curve25519Zeros [32]byte
-
 func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
 	var kp curve25519KeyPair
 	if err := kp.generate(rand); err != nil {
@@ -495,11 +503,9 @@ func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handsh
 		return nil, errors.New("ssh: peer's curve25519 public value has wrong length")
 	}
 
-	var servPub, secret [32]byte
-	copy(servPub[:], reply.EphemeralPubKey)
-	curve25519.ScalarMult(&secret, &kp.priv, &servPub)
-	if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
-		return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
+	secret, err := curve25519.X25519(kp.priv[:], reply.EphemeralPubKey)
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's curve25519 public value is not valid: %w", err)
 	}
 
 	h := crypto.SHA256.New()
@@ -541,11 +547,9 @@ func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handsh
 		return nil, err
 	}
 
-	var clientPub, secret [32]byte
-	copy(clientPub[:], kexInit.ClientPubKey)
-	curve25519.ScalarMult(&secret, &kp.priv, &clientPub)
-	if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
-		return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
+	secret, err := curve25519.X25519(kp.priv[:], kexInit.ClientPubKey)
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's curve25519 public value is not valid: %w", err)
 	}
 
 	hostKeyBytes := priv.PublicKey().Marshal()
@@ -601,9 +605,9 @@ const (
 func (gex *dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
 	// Send GexRequest
 	kexDHGexRequest := kexDHGexRequestMsg{
-		MinBits:      dhGroupExchangeMinimumBits,
-		PreferedBits: dhGroupExchangePreferredBits,
-		MaxBits:      dhGroupExchangeMaximumBits,
+		MinBits:       dhGroupExchangeMinimumBits,
+		PreferredBits: dhGroupExchangePreferredBits,
+		MaxBits:       dhGroupExchangeMaximumBits,
 	}
 	if err := c.writePacket(Marshal(&kexDHGexRequest)); err != nil {
 		return nil, err
@@ -690,9 +694,7 @@ func (gex *dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshak
 }
 
 // Server half implementation of the Diffie Hellman Key Exchange with SHA1 and SHA256.
-//
-// This is a minimal implementation to satisfy the automated tests.
-func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) {
+func (gex *dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) {
 	// Receive GexRequest
 	packet, err := c.readPacket()
 	if err != nil {
@@ -702,13 +704,32 @@ func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshake
 	if err = Unmarshal(packet, &kexDHGexRequest); err != nil {
 		return
 	}
+	// We check that the request received is valid and that the MaxBits
+	// requested are at least equal to our supported minimum. This is the same
+	// check done in OpenSSH:
+	// https://github.com/openssh/openssh-portable/blob/80a2f64b/kexgexs.c#L94
+	//
+	// Furthermore, we also check that the required MinBits are less than or
+	// equal to 4096 because we can use up to Oakley Group 16.
+	if kexDHGexRequest.MaxBits < kexDHGexRequest.MinBits || kexDHGexRequest.PreferredBits < kexDHGexRequest.MinBits ||
+		kexDHGexRequest.MaxBits < kexDHGexRequest.PreferredBits || kexDHGexRequest.MaxBits < dhGroupExchangeMinimumBits ||
+		kexDHGexRequest.MinBits > 4096 {
+		return nil, fmt.Errorf("ssh: DH GEX request out of range, min: %d, max: %d, preferred: %d", kexDHGexRequest.MinBits,
+			kexDHGexRequest.MaxBits, kexDHGexRequest.PreferredBits)
+	}
+
+	var p *big.Int
+	// We hardcode sending Oakley Group 14 (2048 bits), Oakley Group 15 (3072
+	// bits) or Oakley Group 16 (4096 bits), based on the requested max size.
+	if kexDHGexRequest.MaxBits < 3072 {
+		p, _ = new(big.Int).SetString(oakleyGroup14, 16)
+	} else if kexDHGexRequest.MaxBits < 4096 {
+		p, _ = new(big.Int).SetString(oakleyGroup15, 16)
+	} else {
+		p, _ = new(big.Int).SetString(oakleyGroup16, 16)
+	}
 
-	// Send GexGroup
-	// This is the group called diffie-hellman-group14-sha1 in RFC
-	// 4253 and Oakley Group 14 in RFC 3526.
-	p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
 	g := big.NewInt(2)
-
 	msg := &kexDHGexGroupMsg{
 		P: p,
 		G: g,
@@ -746,9 +767,9 @@ func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshake
 	h := gex.hashFunc.New()
 	magics.write(h)
 	writeString(h, hostKeyBytes)
-	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMinimumBits))
-	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangePreferredBits))
-	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMaximumBits))
+	binary.Write(h, binary.BigEndian, kexDHGexRequest.MinBits)
+	binary.Write(h, binary.BigEndian, kexDHGexRequest.PreferredBits)
+	binary.Write(h, binary.BigEndian, kexDHGexRequest.MaxBits)
 	writeInt(h, p)
 	writeInt(h, g)
 	writeInt(h, kexDHGexInit.X)
diff --git a/vendor/golang.org/x/crypto/ssh/keys.go b/vendor/golang.org/x/crypto/ssh/keys.go
index 98e6706d5..47a07539d 100644
--- a/vendor/golang.org/x/crypto/ssh/keys.go
+++ b/vendor/golang.org/x/crypto/ssh/keys.go
@@ -27,6 +27,7 @@ import (
 	"fmt"
 	"io"
 	"math/big"
+	"slices"
 	"strings"
 
 	"golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"
@@ -36,14 +37,19 @@ import (
 // ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
 // arguments.
 const (
-	KeyAlgoRSA        = "ssh-rsa"
-	KeyAlgoDSA        = "ssh-dss"
-	KeyAlgoECDSA256   = "ecdsa-sha2-nistp256"
-	KeyAlgoSKECDSA256 = "sk-ecdsa-sha2-nistp256@openssh.com"
-	KeyAlgoECDSA384   = "ecdsa-sha2-nistp384"
-	KeyAlgoECDSA521   = "ecdsa-sha2-nistp521"
-	KeyAlgoED25519    = "ssh-ed25519"
-	KeyAlgoSKED25519  = "sk-ssh-ed25519@openssh.com"
+	KeyAlgoRSA = "ssh-rsa"
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	KeyAlgoDSA = InsecureKeyAlgoDSA
+	// Deprecated: DSA is only supported at insecure key sizes, and was removed
+	// from major implementations.
+	InsecureKeyAlgoDSA = "ssh-dss"
+	KeyAlgoECDSA256    = "ecdsa-sha2-nistp256"
+	KeyAlgoSKECDSA256  = "sk-ecdsa-sha2-nistp256@openssh.com"
+	KeyAlgoECDSA384    = "ecdsa-sha2-nistp384"
+	KeyAlgoECDSA521    = "ecdsa-sha2-nistp521"
+	KeyAlgoED25519     = "ssh-ed25519"
+	KeyAlgoSKED25519   = "sk-ssh-ed25519@openssh.com"
 
 	// KeyAlgoRSASHA256 and KeyAlgoRSASHA512 are only public key algorithms, not
 	// public key formats, so they can't appear as a PublicKey.Type. The
@@ -67,7 +73,7 @@ func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err err
 	switch algo {
 	case KeyAlgoRSA:
 		return parseRSA(in)
-	case KeyAlgoDSA:
+	case InsecureKeyAlgoDSA:
 		return parseDSA(in)
 	case KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521:
 		return parseECDSA(in)
@@ -77,13 +83,18 @@ func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err err
 		return parseED25519(in)
 	case KeyAlgoSKED25519:
 		return parseSKEd25519(in)
-	case CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoSKECDSA256v01, CertAlgoED25519v01, CertAlgoSKED25519v01:
+	case CertAlgoRSAv01, InsecureCertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoSKECDSA256v01, CertAlgoED25519v01, CertAlgoSKED25519v01:
 		cert, err := parseCert(in, certKeyAlgoNames[algo])
 		if err != nil {
 			return nil, nil, err
 		}
 		return cert, nil, nil
 	}
+	if keyFormat := keyFormatForAlgorithm(algo); keyFormat != "" {
+		return nil, nil, fmt.Errorf("ssh: signature algorithm %q isn't a key format; key is malformed and should be re-encoded with type %q",
+			algo, keyFormat)
+	}
+
 	return nil, nil, fmt.Errorf("ssh: unknown key algorithm: %v", algo)
 }
 
@@ -186,9 +197,10 @@ func ParseKnownHosts(in []byte) (marker string, hosts []string, pubKey PublicKey
 	return "", nil, nil, "", nil, io.EOF
 }
 
-// ParseAuthorizedKey parses a public key from an authorized_keys
-// file used in OpenSSH according to the sshd(8) manual page.
+// ParseAuthorizedKey parses a public key from an authorized_keys file used in
+// OpenSSH according to the sshd(8) manual page. Invalid lines are ignored.
 func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error) {
+	var lastErr error
 	for len(in) > 0 {
 		end := bytes.IndexByte(in, '\n')
 		if end != -1 {
@@ -217,6 +229,8 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str
 
 		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
 			return out, comment, options, rest, nil
+		} else {
+			lastErr = err
 		}
 
 		// No key type recognised. Maybe there's an options field at
@@ -259,16 +273,22 @@ func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []str
 		if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
 			options = candidateOptions
 			return out, comment, options, rest, nil
+		} else {
+			lastErr = err
 		}
 
 		in = rest
 		continue
 	}
 
+	if lastErr != nil {
+		return nil, "", nil, nil, fmt.Errorf("ssh: no key found; last parsing error for ignored line: %w", lastErr)
+	}
+
 	return nil, "", nil, nil, errors.New("ssh: no key found")
 }
 
-// ParsePublicKey parses an SSH public key formatted for use in
+// ParsePublicKey parses an SSH public key or certificate formatted for use in
 // the SSH wire protocol according to RFC 4253, section 6.6.
 func ParsePublicKey(in []byte) (out PublicKey, err error) {
 	algo, in, ok := parseString(in)
@@ -390,11 +410,11 @@ func NewSignerWithAlgorithms(signer AlgorithmSigner, algorithms []string) (Multi
 	}
 
 	for _, algo := range algorithms {
-		if !contains(supportedAlgos, algo) {
+		if !slices.Contains(supportedAlgos, algo) {
 			return nil, fmt.Errorf("ssh: algorithm %q is not supported for key type %q",
 				algo, signer.PublicKey().Type())
 		}
-		if !contains(signerAlgos, algo) {
+		if !slices.Contains(signerAlgos, algo) {
 			return nil, fmt.Errorf("ssh: algorithm %q is restricted for the provided signer", algo)
 		}
 	}
@@ -481,10 +501,13 @@ func (r *rsaPublicKey) Marshal() []byte {
 
 func (r *rsaPublicKey) Verify(data []byte, sig *Signature) error {
 	supportedAlgos := algorithmsForKeyFormat(r.Type())
-	if !contains(supportedAlgos, sig.Format) {
+	if !slices.Contains(supportedAlgos, sig.Format) {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, r.Type())
 	}
-	hash := hashFuncs[sig.Format]
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
 	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
@@ -601,7 +624,11 @@ func (k *dsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 
@@ -646,7 +673,11 @@ func (k *dsaPrivateKey) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %s", algorithm)
 	}
 
-	h := hashFuncs[k.PublicKey().Type()].New()
+	hash, err := hashFunc(k.PublicKey().Type())
+	if err != nil {
+		return nil, err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 	r, s, err := dsa.Sign(rand, k.PrivateKey, digest)
@@ -796,8 +827,11 @@ func (k *ecdsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
 
@@ -900,8 +934,11 @@ func (k *skECDSAPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
 
@@ -1004,7 +1041,11 @@ func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error {
 		return fmt.Errorf("invalid size %d for Ed25519 public key", l)
 	}
 
-	h := hashFuncs[sig.Format].New()
+	hash, err := hashFunc(sig.Format)
+	if err != nil {
+		return err
+	}
+	h := hash.New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
 
@@ -1107,11 +1148,14 @@ func (s *wrappedSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		algorithm = s.pubKey.Type()
 	}
 
-	if !contains(s.Algorithms(), algorithm) {
+	if !slices.Contains(s.Algorithms(), algorithm) {
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %q for key format %q", algorithm, s.pubKey.Type())
 	}
 
-	hashFunc := hashFuncs[algorithm]
+	hashFunc, err := hashFunc(algorithm)
+	if err != nil {
+		return nil, err
+	}
 	var digest []byte
 	if hashFunc != 0 {
 		h := hashFunc.New()
@@ -1446,6 +1490,7 @@ type openSSHEncryptedPrivateKey struct {
 	NumKeys      uint32
 	PubKey       []byte
 	PrivKeyBlock []byte
+	Rest         []byte `ssh:"rest"`
 }
 
 type openSSHPrivateKey struct {
diff --git a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
index c022e411f..1ebd7e6da 100644
--- a/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
+++ b/vendor/golang.org/x/crypto/ssh/knownhosts/knownhosts.go
@@ -421,20 +421,26 @@ func New(files ...string) (ssh.HostKeyCallback, error) {
 	return certChecker.CheckHostKey, nil
 }
 
-// Normalize normalizes an address into the form used in known_hosts
+// Normalize normalizes an address into the form used in known_hosts. Supports
+// IPv4, hostnames, bracketed IPv6. Any other non-standard formats are returned
+// with minimal transformation.
 func Normalize(address string) string {
+	const defaultSSHPort = "22"
+
 	host, port, err := net.SplitHostPort(address)
 	if err != nil {
 		host = address
-		port = "22"
+		port = defaultSSHPort
 	}
-	entry := host
-	if port != "22" {
-		entry = "[" + entry + "]:" + port
-	} else if strings.Contains(host, ":") && !strings.HasPrefix(host, "[") {
-		entry = "[" + entry + "]"
+
+	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
+		host = host[1 : len(host)-1]
 	}
-	return entry
+
+	if port == defaultSSHPort {
+		return host
+	}
+	return "[" + host + "]:" + port
 }
 
 // Line returns a line to add append to the known_hosts files.
diff --git a/vendor/golang.org/x/crypto/ssh/mac.go b/vendor/golang.org/x/crypto/ssh/mac.go
index 06a1b2750..87d626fbb 100644
--- a/vendor/golang.org/x/crypto/ssh/mac.go
+++ b/vendor/golang.org/x/crypto/ssh/mac.go
@@ -7,11 +7,13 @@ package ssh
 // Message authentication support
 
 import (
+	"crypto/fips140"
 	"crypto/hmac"
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
 	"hash"
+	"slices"
 )
 
 type macMode struct {
@@ -46,23 +48,37 @@ func (t truncatingMAC) Size() int {
 
 func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
 
-var macModes = map[string]*macMode{
-	"hmac-sha2-512-etm@openssh.com": {64, true, func(key []byte) hash.Hash {
+// macModes defines the supported MACs. MACs not included are not supported
+// and will not be negotiated, even if explicitly configured. When FIPS mode is
+// enabled, only FIPS-approved algorithms are included.
+var macModes = map[string]*macMode{}
+
+func init() {
+	macModes[HMACSHA512ETM] = &macMode{64, true, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
-	}},
-	"hmac-sha2-256-etm@openssh.com": {32, true, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA256ETM] = &macMode{32, true, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
-	}},
-	"hmac-sha2-512": {64, false, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA512] = &macMode{64, false, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
-	}},
-	"hmac-sha2-256": {32, false, func(key []byte) hash.Hash {
+	}}
+	macModes[HMACSHA256] = &macMode{32, false, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
-	}},
-	"hmac-sha1": {20, false, func(key []byte) hash.Hash {
+	}}
+
+	if fips140.Enabled() {
+		defaultMACs = slices.DeleteFunc(defaultMACs, func(algo string) bool {
+			_, ok := macModes[algo]
+			return !ok
+		})
+		return
+	}
+
+	macModes[HMACSHA1] = &macMode{20, false, func(key []byte) hash.Hash {
 		return hmac.New(sha1.New, key)
-	}},
-	"hmac-sha1-96": {20, false, func(key []byte) hash.Hash {
+	}}
+	macModes[InsecureHMACSHA196] = &macMode{20, false, func(key []byte) hash.Hash {
 		return truncatingMAC{12, hmac.New(sha1.New, key)}
-	}},
+	}}
 }
diff --git a/vendor/golang.org/x/crypto/ssh/messages.go b/vendor/golang.org/x/crypto/ssh/messages.go
index 118427bc0..ab22c3d38 100644
--- a/vendor/golang.org/x/crypto/ssh/messages.go
+++ b/vendor/golang.org/x/crypto/ssh/messages.go
@@ -122,9 +122,9 @@ type kexDHGexReplyMsg struct {
 const msgKexDHGexRequest = 34
 
 type kexDHGexRequestMsg struct {
-	MinBits      uint32 `sshtype:"34"`
-	PreferedBits uint32
-	MaxBits      uint32
+	MinBits       uint32 `sshtype:"34"`
+	PreferredBits uint32
+	MaxBits       uint32
 }
 
 // See RFC 4253, section 10.
@@ -792,7 +792,7 @@ func marshalString(to []byte, s []byte) []byte {
 	return to[len(s):]
 }
 
-var bigIntType = reflect.TypeOf((*big.Int)(nil))
+var bigIntType = reflect.TypeFor[*big.Int]()
 
 // Decode a packet into its corresponding message.
 func decode(packet []byte) (interface{}, error) {
diff --git a/vendor/golang.org/x/crypto/ssh/mlkem.go b/vendor/golang.org/x/crypto/ssh/mlkem.go
new file mode 100644
index 000000000..ddc0ed1fc
--- /dev/null
+++ b/vendor/golang.org/x/crypto/ssh/mlkem.go
@@ -0,0 +1,168 @@
+// Copyright 2024 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ssh
+
+import (
+	"crypto"
+	"crypto/mlkem"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+
+	"golang.org/x/crypto/curve25519"
+)
+
+// mlkem768WithCurve25519sha256 implements the hybrid ML-KEM768 with
+// curve25519-sha256 key exchange method, as described by
+// draft-kampanakis-curdle-ssh-pq-ke-05 section 2.3.3.
+type mlkem768WithCurve25519sha256 struct{}
+
+func (kex *mlkem768WithCurve25519sha256) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
+	var c25519kp curve25519KeyPair
+	if err := c25519kp.generate(rand); err != nil {
+		return nil, err
+	}
+
+	seed := make([]byte, mlkem.SeedSize)
+	if _, err := io.ReadFull(rand, seed); err != nil {
+		return nil, err
+	}
+
+	mlkemDk, err := mlkem.NewDecapsulationKey768(seed)
+	if err != nil {
+		return nil, err
+	}
+
+	hybridKey := append(mlkemDk.EncapsulationKey().Bytes(), c25519kp.pub[:]...)
+	if err := c.writePacket(Marshal(&kexECDHInitMsg{hybridKey})); err != nil {
+		return nil, err
+	}
+
+	packet, err := c.readPacket()
+	if err != nil {
+		return nil, err
+	}
+
+	var reply kexECDHReplyMsg
+	if err = Unmarshal(packet, &reply); err != nil {
+		return nil, err
+	}
+
+	if len(reply.EphemeralPubKey) != mlkem.CiphertextSize768+32 {
+		return nil, errors.New("ssh: peer's mlkem768x25519 public value has wrong length")
+	}
+
+	// Perform KEM decapsulate operation to obtain shared key from ML-KEM.
+	mlkem768Secret, err := mlkemDk.Decapsulate(reply.EphemeralPubKey[:mlkem.CiphertextSize768])
+	if err != nil {
+		return nil, err
+	}
+
+	// Complete Curve25519 ECDH to obtain its shared key.
+	c25519Secret, err := curve25519.X25519(c25519kp.priv[:], reply.EphemeralPubKey[mlkem.CiphertextSize768:])
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's mlkem768x25519 public value is not valid: %w", err)
+	}
+	// Compute actual shared key.
+	h := sha256.New()
+	h.Write(mlkem768Secret)
+	h.Write(c25519Secret)
+	secret := h.Sum(nil)
+
+	h.Reset()
+	magics.write(h)
+	writeString(h, reply.HostKey)
+	writeString(h, hybridKey)
+	writeString(h, reply.EphemeralPubKey)
+
+	K := make([]byte, stringLength(len(secret)))
+	marshalString(K, secret)
+	h.Write(K)
+
+	return &kexResult{
+		H:         h.Sum(nil),
+		K:         K,
+		HostKey:   reply.HostKey,
+		Signature: reply.Signature,
+		Hash:      crypto.SHA256,
+	}, nil
+}
+
+func (kex *mlkem768WithCurve25519sha256) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (*kexResult, error) {
+	packet, err := c.readPacket()
+	if err != nil {
+		return nil, err
+	}
+
+	var kexInit kexECDHInitMsg
+	if err = Unmarshal(packet, &kexInit); err != nil {
+		return nil, err
+	}
+
+	if len(kexInit.ClientPubKey) != mlkem.EncapsulationKeySize768+32 {
+		return nil, errors.New("ssh: peer's ML-KEM768/curve25519 public value has wrong length")
+	}
+
+	encapsulationKey, err := mlkem.NewEncapsulationKey768(kexInit.ClientPubKey[:mlkem.EncapsulationKeySize768])
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's ML-KEM768 encapsulation key is not valid: %w", err)
+	}
+	// Perform KEM encapsulate operation to obtain ciphertext and shared key.
+	mlkem768Secret, mlkem768Ciphertext := encapsulationKey.Encapsulate()
+
+	// Perform server side of Curve25519 ECDH to obtain server public value and
+	// shared key.
+	var c25519kp curve25519KeyPair
+	if err := c25519kp.generate(rand); err != nil {
+		return nil, err
+	}
+	c25519Secret, err := curve25519.X25519(c25519kp.priv[:], kexInit.ClientPubKey[mlkem.EncapsulationKeySize768:])
+	if err != nil {
+		return nil, fmt.Errorf("ssh: peer's ML-KEM768/curve25519 public value is not valid: %w", err)
+	}
+	hybridKey := append(mlkem768Ciphertext, c25519kp.pub[:]...)
+
+	// Compute actual shared key.
+	h := sha256.New()
+	h.Write(mlkem768Secret)
+	h.Write(c25519Secret)
+	secret := h.Sum(nil)
+
+	hostKeyBytes := priv.PublicKey().Marshal()
+
+	h.Reset()
+	magics.write(h)
+	writeString(h, hostKeyBytes)
+	writeString(h, kexInit.ClientPubKey)
+	writeString(h, hybridKey)
+
+	K := make([]byte, stringLength(len(secret)))
+	marshalString(K, secret)
+	h.Write(K)
+
+	H := h.Sum(nil)
+
+	sig, err := signAndMarshal(priv, rand, H, algo)
+	if err != nil {
+		return nil, err
+	}
+
+	reply := kexECDHReplyMsg{
+		EphemeralPubKey: hybridKey,
+		HostKey:         hostKeyBytes,
+		Signature:       sig,
+	}
+	if err := c.writePacket(Marshal(&reply)); err != nil {
+		return nil, err
+	}
+	return &kexResult{
+		H:         H,
+		K:         K,
+		HostKey:   hostKeyBytes,
+		Signature: sig,
+		Hash:      crypto.SHA256,
+	}, nil
+}
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
index 1839ddc6a..064dcbaf5 100644
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"slices"
 	"strings"
 )
 
@@ -43,6 +44,9 @@ type Permissions struct {
 	// pass data from the authentication callbacks to the server
 	// application layer.
 	Extensions map[string]string
+
+	// ExtraData allows to store user defined data.
+	ExtraData map[any]any
 }
 
 type GSSAPIWithMICConfig struct {
@@ -126,6 +130,21 @@ type ServerConfig struct {
 	// Permissions.Extensions entry.
 	PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
 
+	// VerifiedPublicKeyCallback, if non-nil, is called after a client
+	// successfully confirms having control over a key that was previously
+	// approved by PublicKeyCallback. The permissions object passed to the
+	// callback is the one returned by PublicKeyCallback for the given public
+	// key and its ownership is transferred to the callback. The returned
+	// Permissions object can be the same object, optionally modified, or a
+	// completely new object. If VerifiedPublicKeyCallback is non-nil,
+	// PublicKeyCallback is not allowed to return a PartialSuccessError, which
+	// can instead be returned by VerifiedPublicKeyCallback.
+	//
+	// VerifiedPublicKeyCallback does not affect which authentication methods
+	// are included in the list of methods that can be attempted by the client.
+	VerifiedPublicKeyCallback func(conn ConnMetadata, key PublicKey, permissions *Permissions,
+		signatureAlgorithm string) (*Permissions, error)
+
 	// KeyboardInteractiveCallback, if non-nil, is called when
 	// keyboard-interactive authentication is selected (RFC
 	// 4256). The client object's Challenge function should be
@@ -243,22 +262,15 @@ func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewCha
 		fullConf.MaxAuthTries = 6
 	}
 	if len(fullConf.PublicKeyAuthAlgorithms) == 0 {
-		fullConf.PublicKeyAuthAlgorithms = supportedPubKeyAuthAlgos
+		fullConf.PublicKeyAuthAlgorithms = defaultPubKeyAuthAlgos
 	} else {
 		for _, algo := range fullConf.PublicKeyAuthAlgorithms {
-			if !contains(supportedPubKeyAuthAlgos, algo) {
+			if !slices.Contains(SupportedAlgorithms().PublicKeyAuths, algo) && !slices.Contains(InsecureAlgorithms().PublicKeyAuths, algo) {
 				c.Close()
 				return nil, nil, nil, fmt.Errorf("ssh: unsupported public key authentication algorithm %s", algo)
 			}
 		}
 	}
-	// Check if the config contains any unsupported key exchanges
-	for _, kex := range fullConf.KeyExchanges {
-		if _, ok := serverForbiddenKexAlgos[kex]; ok {
-			c.Close()
-			return nil, nil, nil, fmt.Errorf("ssh: unsupported key exchange %s for server", kex)
-		}
-	}
 
 	s := &connection{
 		sshConn: sshConn{conn: c},
@@ -315,6 +327,7 @@ func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error)
 
 	// We just did the key change, so the session ID is established.
 	s.sessionID = s.transport.getSessionID()
+	s.algorithms = s.transport.getAlgorithms()
 
 	var packet []byte
 	if packet, err = s.transport.readPacket(); err != nil {
@@ -637,7 +650,7 @@ userAuthLoop:
 				return nil, parseError(msgUserAuthRequest)
 			}
 			algo := string(algoBytes)
-			if !contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
+			if !slices.Contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
 				authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
 				break
 			}
@@ -658,6 +671,9 @@ userAuthLoop:
 				candidate.pubKeyData = pubKeyData
 				candidate.perms, candidate.result = authConfig.PublicKeyCallback(s, pubKey)
 				_, isPartialSuccessError := candidate.result.(*PartialSuccessError)
+				if isPartialSuccessError && config.VerifiedPublicKeyCallback != nil {
+					return nil, errors.New("ssh: invalid library usage: PublicKeyCallback must not return partial success when VerifiedPublicKeyCallback is defined")
+				}
 
 				if (candidate.result == nil || isPartialSuccessError) &&
 					candidate.perms != nil &&
@@ -701,7 +717,7 @@ userAuthLoop:
 				// ssh-rsa-cert-v01@openssh.com algorithm with ssh-rsa public
 				// key type. The algorithm and public key type must be
 				// consistent: both must be certificate algorithms, or neither.
-				if !contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
+				if !slices.Contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
 					authErr = fmt.Errorf("ssh: public key type %q not compatible with selected algorithm %q",
 						pubKey.Type(), algo)
 					break
@@ -711,7 +727,7 @@ userAuthLoop:
 				// algorithm name that corresponds to algo with
 				// sig.Format.  This is usually the same, but
 				// for certs, the names differ.
-				if !contains(config.PublicKeyAuthAlgorithms, sig.Format) {
+				if !slices.Contains(config.PublicKeyAuthAlgorithms, sig.Format) {
 					authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
 					break
 				}
@@ -728,6 +744,12 @@ userAuthLoop:
 
 				authErr = candidate.result
 				perms = candidate.perms
+				if authErr == nil && config.VerifiedPublicKeyCallback != nil {
+					// Only call VerifiedPublicKeyCallback after the key has been accepted
+					// and successfully verified. If authErr is non-nil, the key is not
+					// considered verified and the callback must not run.
+					perms, authErr = config.VerifiedPublicKeyCallback(s, pubKey, perms, algo)
+				}
 			}
 		case "gssapi-with-mic":
 			if authConfig.GSSAPIWithMICConfig == nil {
diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
index 24bd7c8e8..a6249a122 100644
--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 	if !ok {
 		return nil, errors.New("parse uint32 failed")
 	}
+	// Each ASN.1 encoded OID must have a minimum
+	// of 2 bytes; 64 maximum mechanisms is an
+	// arbitrary, but reasonable ceiling.
+	const maxMechs = 64
+	if n > maxMechs || int(n)*2 > len(rest) {
+		return nil, errors.New("invalid mechanism count")
+	}
 	s := &userAuthRequestGSSAPI{
 		N:    n,
 		OIDS: make([]asn1.ObjectIdentifier, n),
@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
 		if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
 			return nil, err
 		}
-
 	}
 	return s, nil
 }
diff --git a/vendor/golang.org/x/crypto/ssh/streamlocal.go b/vendor/golang.org/x/crypto/ssh/streamlocal.go
index b171b330b..152470fcb 100644
--- a/vendor/golang.org/x/crypto/ssh/streamlocal.go
+++ b/vendor/golang.org/x/crypto/ssh/streamlocal.go
@@ -44,7 +44,7 @@ func (c *Client) ListenUnix(socketPath string) (net.Listener, error) {
 	if !ok {
 		return nil, errors.New("ssh: streamlocal-forward@openssh.com request denied by peer")
 	}
-	ch := c.forwards.add(&net.UnixAddr{Name: socketPath, Net: "unix"})
+	ch := c.forwards.add("unix", socketPath)
 
 	return &unixListener{socketPath, c, ch}, nil
 }
@@ -96,7 +96,7 @@ func (l *unixListener) Accept() (net.Conn, error) {
 // Close closes the listener.
 func (l *unixListener) Close() error {
 	// this also closes the listener.
-	l.conn.forwards.remove(&net.UnixAddr{Name: l.socketPath, Net: "unix"})
+	l.conn.forwards.remove("unix", l.socketPath)
 	m := streamLocalChannelForwardMsg{
 		l.socketPath,
 	}
diff --git a/vendor/golang.org/x/crypto/ssh/tcpip.go b/vendor/golang.org/x/crypto/ssh/tcpip.go
index 93d844f03..78c41fe5a 100644
--- a/vendor/golang.org/x/crypto/ssh/tcpip.go
+++ b/vendor/golang.org/x/crypto/ssh/tcpip.go
@@ -11,6 +11,7 @@ import (
 	"io"
 	"math/rand"
 	"net"
+	"net/netip"
 	"strconv"
 	"strings"
 	"sync"
@@ -22,14 +23,21 @@ import (
 // the returned net.Listener. The listener must be serviced, or the
 // SSH connection may hang.
 // N must be "tcp", "tcp4", "tcp6", or "unix".
+//
+// If the address is a hostname, it is sent to the remote peer as-is, without
+// being resolved locally, and the Listener Addr method will return a zero IP.
 func (c *Client) Listen(n, addr string) (net.Listener, error) {
 	switch n {
 	case "tcp", "tcp4", "tcp6":
-		laddr, err := net.ResolveTCPAddr(n, addr)
+		host, portStr, err := net.SplitHostPort(addr)
 		if err != nil {
 			return nil, err
 		}
-		return c.ListenTCP(laddr)
+		port, err := strconv.ParseInt(portStr, 10, 32)
+		if err != nil {
+			return nil, err
+		}
+		return c.listenTCPInternal(host, int(port))
 	case "unix":
 		return c.ListenUnix(addr)
 	default:
@@ -102,15 +110,24 @@ func (c *Client) handleForwards() {
 // ListenTCP requests the remote peer open a listening socket
 // on laddr. Incoming connections will be available by calling
 // Accept on the returned net.Listener.
+//
+// ListenTCP accepts an IP address, to provide a hostname use [Client.Listen]
+// with "tcp", "tcp4", or "tcp6" network instead.
 func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
 	c.handleForwardsOnce.Do(c.handleForwards)
 	if laddr.Port == 0 && isBrokenOpenSSHVersion(string(c.ServerVersion())) {
 		return c.autoPortListenWorkaround(laddr)
 	}
 
+	return c.listenTCPInternal(laddr.IP.String(), laddr.Port)
+}
+
+func (c *Client) listenTCPInternal(host string, port int) (net.Listener, error) {
+	c.handleForwardsOnce.Do(c.handleForwards)
+
 	m := channelForwardMsg{
-		laddr.IP.String(),
-		uint32(laddr.Port),
+		host,
+		uint32(port),
 	}
 	// send message
 	ok, resp, err := c.SendRequest("tcpip-forward", true, Marshal(&m))
@@ -123,20 +140,33 @@ func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
 
 	// If the original port was 0, then the remote side will
 	// supply a real port number in the response.
-	if laddr.Port == 0 {
+	if port == 0 {
 		var p struct {
 			Port uint32
 		}
 		if err := Unmarshal(resp, &p); err != nil {
 			return nil, err
 		}
-		laddr.Port = int(p.Port)
+		port = int(p.Port)
 	}
+	// Construct a local address placeholder for the remote listener. If the
+	// original host is an IP address, preserve it so that Listener.Addr()
+	// reports the same IP. If the host is a hostname or cannot be parsed as an
+	// IP, fall back to IPv4zero. The port field is always set, even if the
+	// original port was 0, because in that case the remote server will assign
+	// one, allowing callers to determine which port was selected.
+	ip := net.IPv4zero
+	if parsed, err := netip.ParseAddr(host); err == nil {
+		ip = net.IP(parsed.AsSlice())
+	}
+	laddr := &net.TCPAddr{
+		IP:   ip,
+		Port: port,
+	}
+	addr := net.JoinHostPort(host, strconv.FormatInt(int64(port), 10))
+	ch := c.forwards.add("tcp", addr)
 
-	// Register this forward, using the port number we obtained.
-	ch := c.forwards.add(laddr)
-
-	return &tcpListener{laddr, c, ch}, nil
+	return &tcpListener{laddr, addr, c, ch}, nil
 }
 
 // forwardList stores a mapping between remote
@@ -149,8 +179,9 @@ type forwardList struct {
 // forwardEntry represents an established mapping of a laddr on a
 // remote ssh server to a channel connected to a tcpListener.
 type forwardEntry struct {
-	laddr net.Addr
-	c     chan forward
+	addr    string // host:port or socket path
+	network string // tcp or unix
+	c       chan forward
 }
 
 // forward represents an incoming forwarded tcpip connection. The
@@ -161,12 +192,13 @@ type forward struct {
 	raddr net.Addr   // the raddr of the incoming connection
 }
 
-func (l *forwardList) add(addr net.Addr) chan forward {
+func (l *forwardList) add(n, addr string) chan forward {
 	l.Lock()
 	defer l.Unlock()
 	f := forwardEntry{
-		laddr: addr,
-		c:     make(chan forward, 1),
+		addr:    addr,
+		network: n,
+		c:       make(chan forward, 1),
 	}
 	l.entries = append(l.entries, f)
 	return f.c
@@ -185,19 +217,20 @@ func parseTCPAddr(addr string, port uint32) (*net.TCPAddr, error) {
 	if port == 0 || port > 65535 {
 		return nil, fmt.Errorf("ssh: port number out of range: %d", port)
 	}
-	ip := net.ParseIP(string(addr))
-	if ip == nil {
+	ip, err := netip.ParseAddr(addr)
+	if err != nil {
 		return nil, fmt.Errorf("ssh: cannot parse IP address %q", addr)
 	}
-	return &net.TCPAddr{IP: ip, Port: int(port)}, nil
+	return &net.TCPAddr{IP: net.IP(ip.AsSlice()), Port: int(port)}, nil
 }
 
 func (l *forwardList) handleChannels(in <-chan NewChannel) {
 	for ch := range in {
 		var (
-			laddr net.Addr
-			raddr net.Addr
-			err   error
+			addr    string
+			network string
+			raddr   net.Addr
+			err     error
 		)
 		switch channelType := ch.ChannelType(); channelType {
 		case "forwarded-tcpip":
@@ -207,40 +240,34 @@ func (l *forwardList) handleChannels(in <-chan NewChannel) {
 				continue
 			}
 
-			// RFC 4254 section 7.2 specifies that incoming
-			// addresses should list the address, in string
-			// format. It is implied that this should be an IP
-			// address, as it would be impossible to connect to it
-			// otherwise.
-			laddr, err = parseTCPAddr(payload.Addr, payload.Port)
-			if err != nil {
-				ch.Reject(ConnectionFailed, err.Error())
-				continue
-			}
+			// RFC 4254 section 7.2 specifies that incoming addresses should
+			// list the address that was connected, in string format. It is the
+			// same address used in the tcpip-forward request. The originator
+			// address is an IP address instead.
+			addr = net.JoinHostPort(payload.Addr, strconv.FormatUint(uint64(payload.Port), 10))
+
 			raddr, err = parseTCPAddr(payload.OriginAddr, payload.OriginPort)
 			if err != nil {
 				ch.Reject(ConnectionFailed, err.Error())
 				continue
 			}
-
+			network = "tcp"
 		case "forwarded-streamlocal@openssh.com":
 			var payload forwardedStreamLocalPayload
 			if err = Unmarshal(ch.ExtraData(), &payload); err != nil {
 				ch.Reject(ConnectionFailed, "could not parse forwarded-streamlocal@openssh.com payload: "+err.Error())
 				continue
 			}
-			laddr = &net.UnixAddr{
-				Name: payload.SocketPath,
-				Net:  "unix",
-			}
+			addr = payload.SocketPath
 			raddr = &net.UnixAddr{
 				Name: "@",
 				Net:  "unix",
 			}
+			network = "unix"
 		default:
 			panic(fmt.Errorf("ssh: unknown channel type %s", channelType))
 		}
-		if ok := l.forward(laddr, raddr, ch); !ok {
+		if ok := l.forward(network, addr, raddr, ch); !ok {
 			// Section 7.2, implementations MUST reject spurious incoming
 			// connections.
 			ch.Reject(Prohibited, "no forward for address")
@@ -252,11 +279,11 @@ func (l *forwardList) handleChannels(in <-chan NewChannel) {
 
 // remove removes the forward entry, and the channel feeding its
 // listener.
-func (l *forwardList) remove(addr net.Addr) {
+func (l *forwardList) remove(n, addr string) {
 	l.Lock()
 	defer l.Unlock()
 	for i, f := range l.entries {
-		if addr.Network() == f.laddr.Network() && addr.String() == f.laddr.String() {
+		if n == f.network && addr == f.addr {
 			l.entries = append(l.entries[:i], l.entries[i+1:]...)
 			close(f.c)
 			return
@@ -274,11 +301,11 @@ func (l *forwardList) closeAll() {
 	l.entries = nil
 }
 
-func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
+func (l *forwardList) forward(n, addr string, raddr net.Addr, ch NewChannel) bool {
 	l.Lock()
 	defer l.Unlock()
 	for _, f := range l.entries {
-		if laddr.Network() == f.laddr.Network() && laddr.String() == f.laddr.String() {
+		if n == f.network && addr == f.addr {
 			f.c <- forward{newCh: ch, raddr: raddr}
 			return true
 		}
@@ -288,6 +315,7 @@ func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool {
 
 type tcpListener struct {
 	laddr *net.TCPAddr
+	addr  string
 
 	conn *Client
 	in   <-chan forward
@@ -314,13 +342,21 @@ func (l *tcpListener) Accept() (net.Conn, error) {
 
 // Close closes the listener.
 func (l *tcpListener) Close() error {
+	host, port, err := net.SplitHostPort(l.addr)
+	if err != nil {
+		return err
+	}
+	rport, err := strconv.ParseUint(port, 10, 32)
+	if err != nil {
+		return err
+	}
 	m := channelForwardMsg{
-		l.laddr.IP.String(),
-		uint32(l.laddr.Port),
+		host,
+		uint32(rport),
 	}
 
 	// this also closes the listener.
-	l.conn.forwards.remove(l.laddr)
+	l.conn.forwards.remove("tcp", l.addr)
 	ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
 	if err == nil && !ok {
 		err = errors.New("ssh: cancel-tcpip-forward failed")
diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
index 0424d2d37..fa3dd6a42 100644
--- a/vendor/golang.org/x/crypto/ssh/transport.go
+++ b/vendor/golang.org/x/crypto/ssh/transport.go
@@ -8,6 +8,7 @@ import (
 	"bufio"
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"log"
 )
@@ -16,13 +17,6 @@ import (
 // wire. No message decoding is done, to minimize the impact on timing.
 const debugTransport = false
 
-const (
-	gcm128CipherID = "aes128-gcm@openssh.com"
-	gcm256CipherID = "aes256-gcm@openssh.com"
-	aes128cbcID    = "aes128-cbc"
-	tripledescbcID = "3des-cbc"
-)
-
 // packetConn represents a transport that implements packet based
 // operations.
 type packetConn interface {
@@ -92,14 +86,14 @@ func (t *transport) setInitialKEXDone() {
 // prepareKeyChange sets up key material for a keychange. The key changes in
 // both directions are triggered by reading and writing a msgNewKey packet
 // respectively.
-func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) error {
-	ciph, err := newPacketCipher(t.reader.dir, algs.r, kexResult)
+func (t *transport) prepareKeyChange(algs *NegotiatedAlgorithms, kexResult *kexResult) error {
+	ciph, err := newPacketCipher(t.reader.dir, algs.Read, kexResult)
 	if err != nil {
 		return err
 	}
 	t.reader.pendingKeyChange <- ciph
 
-	ciph, err = newPacketCipher(t.writer.dir, algs.w, kexResult)
+	ciph, err = newPacketCipher(t.writer.dir, algs.Write, kexResult)
 	if err != nil {
 		return err
 	}
@@ -259,8 +253,11 @@ var (
 // setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as
 // described in RFC 4253, section 6.4. direction should either be serverKeys
 // (to setup server->client keys) or clientKeys (for client->server keys).
-func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
+func newPacketCipher(d direction, algs DirectionAlgorithms, kex *kexResult) (packetCipher, error) {
 	cipherMode := cipherModes[algs.Cipher]
+	if cipherMode == nil {
+		return nil, fmt.Errorf("ssh: unsupported cipher %v", algs.Cipher)
+	}
 
 	iv := make([]byte, cipherMode.ivSize)
 	key := make([]byte, cipherMode.keySize)
diff --git a/vendor/golang.org/x/net/context/context.go b/vendor/golang.org/x/net/context/context.go
index db1c95fab..24cea6882 100644
--- a/vendor/golang.org/x/net/context/context.go
+++ b/vendor/golang.org/x/net/context/context.go
@@ -2,44 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package context defines the Context type, which carries deadlines,
-// cancellation signals, and other request-scoped values across API boundaries
-// and between processes.
-// As of Go 1.7 this package is available in the standard library under the
-// name [context], and migrating to it can be done automatically with [go fix].
+// Package context has been superseded by the standard library [context] package.
 //
-// Incoming requests to a server should create a [Context], and outgoing
-// calls to servers should accept a Context. The chain of function
-// calls between them must propagate the Context, optionally replacing
-// it with a derived Context created using [WithCancel], [WithDeadline],
-// [WithTimeout], or [WithValue].
-//
-// Programs that use Contexts should follow these rules to keep interfaces
-// consistent across packages and enable static analysis tools to check context
-// propagation:
-//
-// Do not store Contexts inside a struct type; instead, pass a Context
-// explicitly to each function that needs it. This is discussed further in
-// https://go.dev/blog/context-and-structs. The Context should be the first
-// parameter, typically named ctx:
-//
-//	func DoSomething(ctx context.Context, arg Arg) error {
-//		// ... use ctx ...
-//	}
-//
-// Do not pass a nil [Context], even if a function permits it. Pass [context.TODO]
-// if you are unsure about which Context to use.
-//
-// Use context Values only for request-scoped data that transits processes and
-// APIs, not for passing optional parameters to functions.
-//
-// The same Context may be passed to functions running in different goroutines;
-// Contexts are safe for simultaneous use by multiple goroutines.
-//
-// See https://go.dev/blog/context for example code for a server that uses
-// Contexts.
-//
-// [go fix]: https://go.dev/cmd/go#hdr-Update_packages_to_use_new_APIs
+// Deprecated: Use the standard library context package instead.
 package context
 
 import (
@@ -51,36 +16,37 @@ import (
 // API boundaries.
 //
 // Context's methods may be called by multiple goroutines simultaneously.
+//
+//go:fix inline
 type Context = context.Context
 
 // Canceled is the error returned by [Context.Err] when the context is canceled
 // for some reason other than its deadline passing.
+//
+//go:fix inline
 var Canceled = context.Canceled
 
 // DeadlineExceeded is the error returned by [Context.Err] when the context is canceled
 // due to its deadline passing.
+//
+//go:fix inline
 var DeadlineExceeded = context.DeadlineExceeded
 
 // Background returns a non-nil, empty Context. It is never canceled, has no
 // values, and has no deadline. It is typically used by the main function,
 // initialization, and tests, and as the top-level Context for incoming
 // requests.
-func Background() Context {
-	return background
-}
+//
+//go:fix inline
+func Background() Context { return context.Background() }
 
 // TODO returns a non-nil, empty Context. Code should use context.TODO when
 // it's unclear which Context to use or it is not yet available (because the
 // surrounding function has not yet been extended to accept a Context
 // parameter).
-func TODO() Context {
-	return todo
-}
-
-var (
-	background = context.Background()
-	todo       = context.TODO()
-)
+//
+//go:fix inline
+func TODO() Context { return context.TODO() }
 
 // A CancelFunc tells an operation to abandon its work.
 // A CancelFunc does not wait for the work to stop.
@@ -95,6 +61,8 @@ type CancelFunc = context.CancelFunc
 //
 // Canceling this context releases resources associated with it, so code should
 // call cancel as soon as the operations running in this [Context] complete.
+//
+//go:fix inline
 func WithCancel(parent Context) (ctx Context, cancel CancelFunc) {
 	return context.WithCancel(parent)
 }
@@ -108,6 +76,8 @@ func WithCancel(parent Context) (ctx Context, cancel CancelFunc) {
 //
 // Canceling this context releases resources associated with it, so code should
 // call cancel as soon as the operations running in this [Context] complete.
+//
+//go:fix inline
 func WithDeadline(parent Context, d time.Time) (Context, CancelFunc) {
 	return context.WithDeadline(parent, d)
 }
@@ -122,6 +92,8 @@ func WithDeadline(parent Context, d time.Time) (Context, CancelFunc) {
 //		defer cancel()  // releases resources if slowOperation completes before timeout elapses
 //		return slowOperation(ctx)
 //	}
+//
+//go:fix inline
 func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) {
 	return context.WithTimeout(parent, timeout)
 }
@@ -139,6 +111,8 @@ func WithTimeout(parent Context, timeout time.Duration) (Context, CancelFunc) {
 // interface{}, context keys often have concrete type
 // struct{}. Alternatively, exported context key variables' static
 // type should be a pointer or interface.
+//
+//go:fix inline
 func WithValue(parent Context, key, val interface{}) Context {
 	return context.WithValue(parent, key, val)
 }
diff --git a/vendor/golang.org/x/net/internal/socks/socks.go b/vendor/golang.org/x/net/internal/socks/socks.go
index 84fcc32b6..8eedb84ce 100644
--- a/vendor/golang.org/x/net/internal/socks/socks.go
+++ b/vendor/golang.org/x/net/internal/socks/socks.go
@@ -297,7 +297,7 @@ func (up *UsernamePassword) Authenticate(ctx context.Context, rw io.ReadWriter,
 		b = append(b, up.Username...)
 		b = append(b, byte(len(up.Password)))
 		b = append(b, up.Password...)
-		// TODO(mikio): handle IO deadlines and cancelation if
+		// TODO(mikio): handle IO deadlines and cancellation if
 		// necessary
 		if _, err := rw.Write(b); err != nil {
 			return err
diff --git a/vendor/golang.org/x/sync/errgroup/errgroup.go b/vendor/golang.org/x/sync/errgroup/errgroup.go
index 1d8cffae8..2f45dbc86 100644
--- a/vendor/golang.org/x/sync/errgroup/errgroup.go
+++ b/vendor/golang.org/x/sync/errgroup/errgroup.go
@@ -3,7 +3,7 @@
 // license that can be found in the LICENSE file.
 
 // Package errgroup provides synchronization, error propagation, and Context
-// cancelation for groups of goroutines working on subtasks of a common task.
+// cancellation for groups of goroutines working on subtasks of a common task.
 //
 // [errgroup.Group] is related to [sync.WaitGroup] but adds handling of tasks
 // returning errors.
diff --git a/vendor/golang.org/x/sys/cpu/cpu.go b/vendor/golang.org/x/sys/cpu/cpu.go
index 63541994e..34c9ae76e 100644
--- a/vendor/golang.org/x/sys/cpu/cpu.go
+++ b/vendor/golang.org/x/sys/cpu/cpu.go
@@ -92,6 +92,9 @@ var ARM64 struct {
 	HasSHA2     bool // SHA2 hardware implementation
 	HasCRC32    bool // CRC32 hardware implementation
 	HasATOMICS  bool // Atomic memory operation instruction set
+	HasHPDS     bool // Hierarchical permission disables in translations tables
+	HasLOR      bool // Limited ordering regions
+	HasPAN      bool // Privileged access never
 	HasFPHP     bool // Half precision floating-point instruction set
 	HasASIMDHP  bool // Advanced SIMD half precision instruction set
 	HasCPUID    bool // CPUID identification scheme registers
diff --git a/vendor/golang.org/x/sys/cpu/cpu_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_arm64.go
index af2aa99f9..f449c679f 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_arm64.go
@@ -65,10 +65,10 @@ func setMinimalFeatures() {
 func readARM64Registers() {
 	Initialized = true
 
-	parseARM64SystemRegisters(getisar0(), getisar1(), getpfr0())
+	parseARM64SystemRegisters(getisar0(), getisar1(), getmmfr1(), getpfr0())
 }
 
-func parseARM64SystemRegisters(isar0, isar1, pfr0 uint64) {
+func parseARM64SystemRegisters(isar0, isar1, mmfr1, pfr0 uint64) {
 	// ID_AA64ISAR0_EL1
 	switch extractBits(isar0, 4, 7) {
 	case 1:
@@ -152,6 +152,22 @@ func parseARM64SystemRegisters(isar0, isar1, pfr0 uint64) {
 		ARM64.HasI8MM = true
 	}
 
+	// ID_AA64MMFR1_EL1
+	switch extractBits(mmfr1, 12, 15) {
+	case 1, 2:
+		ARM64.HasHPDS = true
+	}
+
+	switch extractBits(mmfr1, 16, 19) {
+	case 1:
+		ARM64.HasLOR = true
+	}
+
+	switch extractBits(mmfr1, 20, 23) {
+	case 1, 2, 3:
+		ARM64.HasPAN = true
+	}
+
 	// ID_AA64PFR0_EL1
 	switch extractBits(pfr0, 16, 19) {
 	case 0:
diff --git a/vendor/golang.org/x/sys/cpu/cpu_arm64.s b/vendor/golang.org/x/sys/cpu/cpu_arm64.s
index 22cc99844..a4f24b3b0 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_arm64.s
+++ b/vendor/golang.org/x/sys/cpu/cpu_arm64.s
@@ -9,31 +9,34 @@
 // func getisar0() uint64
 TEXT ·getisar0(SB),NOSPLIT,$0-8
 	// get Instruction Set Attributes 0 into x0
-	// mrs x0, ID_AA64ISAR0_EL1 = d5380600
-	WORD	$0xd5380600
+	MRS	ID_AA64ISAR0_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
 
 // func getisar1() uint64
 TEXT ·getisar1(SB),NOSPLIT,$0-8
 	// get Instruction Set Attributes 1 into x0
-	// mrs x0, ID_AA64ISAR1_EL1 = d5380620
-	WORD	$0xd5380620
+	MRS	ID_AA64ISAR1_EL1, R0
+	MOVD	R0, ret+0(FP)
+	RET
+
+// func getmmfr1() uint64
+TEXT ·getmmfr1(SB),NOSPLIT,$0-8
+	// get Memory Model Feature Register 1 into x0
+	MRS	ID_AA64MMFR1_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
 
 // func getpfr0() uint64
 TEXT ·getpfr0(SB),NOSPLIT,$0-8
 	// get Processor Feature Register 0 into x0
-	// mrs x0, ID_AA64PFR0_EL1 = d5380400
-	WORD	$0xd5380400
+	MRS	ID_AA64PFR0_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
 
 // func getzfr0() uint64
 TEXT ·getzfr0(SB),NOSPLIT,$0-8
 	// get SVE Feature Register 0 into x0
-	// mrs	x0, ID_AA64ZFR0_EL1 = d5380480
-	WORD $0xd5380480
+	MRS	ID_AA64ZFR0_EL1, R0
 	MOVD	R0, ret+0(FP)
 	RET
diff --git a/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go
index 6ac6e1efb..e3fc5a8d3 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_gc_arm64.go
@@ -8,5 +8,6 @@ package cpu
 
 func getisar0() uint64
 func getisar1() uint64
+func getmmfr1() uint64
 func getpfr0() uint64
 func getzfr0() uint64
diff --git a/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go
index 7f1946780..8df2079e1 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go
@@ -8,4 +8,5 @@ package cpu
 
 func getisar0() uint64 { return 0 }
 func getisar1() uint64 { return 0 }
+func getmmfr1() uint64 { return 0 }
 func getpfr0() uint64  { return 0 }
diff --git a/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go
index ebfb3fc8e..19aea0633 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_netbsd_arm64.go
@@ -167,7 +167,7 @@ func doinit() {
 		setMinimalFeatures()
 		return
 	}
-	parseARM64SystemRegisters(cpuid.aa64isar0, cpuid.aa64isar1, cpuid.aa64pfr0)
+	parseARM64SystemRegisters(cpuid.aa64isar0, cpuid.aa64isar1, cpuid.aa64mmfr1, cpuid.aa64pfr0)
 
 	Initialized = true
 }
diff --git a/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go b/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go
index 85b64d5cc..87fd3a778 100644
--- a/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go
+++ b/vendor/golang.org/x/sys/cpu/cpu_openbsd_arm64.go
@@ -59,7 +59,7 @@ func doinit() {
 	if !ok {
 		return
 	}
-	parseARM64SystemRegisters(isar0, isar1, 0)
+	parseARM64SystemRegisters(isar0, isar1, 0, 0)
 
 	Initialized = true
 }
diff --git a/vendor/golang.org/x/sys/unix/affinity_linux.go b/vendor/golang.org/x/sys/unix/affinity_linux.go
index 3c7a6d6e2..3ea470387 100644
--- a/vendor/golang.org/x/sys/unix/affinity_linux.go
+++ b/vendor/golang.org/x/sys/unix/affinity_linux.go
@@ -41,6 +41,15 @@ func (s *CPUSet) Zero() {
 	clear(s[:])
 }
 
+// Fill adds all possible CPU bits to the set s. On Linux, [SchedSetaffinity]
+// will silently ignore any invalid CPU bits in [CPUSet] so this is an
+// efficient way of resetting the CPU affinity of a process.
+func (s *CPUSet) Fill() {
+	for i := range s {
+		s[i] = ^cpuMask(0)
+	}
+}
+
 func cpuBitsIndex(cpu int) int {
 	return cpu / _NCPUBITS
 }
diff --git a/vendor/golang.org/x/sys/unix/fdset.go b/vendor/golang.org/x/sys/unix/fdset.go
index 9e83d18cd..62ed12645 100644
--- a/vendor/golang.org/x/sys/unix/fdset.go
+++ b/vendor/golang.org/x/sys/unix/fdset.go
@@ -23,7 +23,5 @@ func (fds *FdSet) IsSet(fd int) bool {
 
 // Zero clears the set fds.
 func (fds *FdSet) Zero() {
-	for i := range fds.Bits {
-		fds.Bits[i] = 0
-	}
+	clear(fds.Bits[:])
 }
diff --git a/vendor/golang.org/x/sys/unix/ifreq_linux.go b/vendor/golang.org/x/sys/unix/ifreq_linux.go
index 848840ae4..309f5a2b0 100644
--- a/vendor/golang.org/x/sys/unix/ifreq_linux.go
+++ b/vendor/golang.org/x/sys/unix/ifreq_linux.go
@@ -111,9 +111,7 @@ func (ifr *Ifreq) SetUint32(v uint32) {
 // clear zeroes the ifreq's union field to prevent trailing garbage data from
 // being sent to the kernel if an ifreq is reused.
 func (ifr *Ifreq) clear() {
-	for i := range ifr.raw.Ifru {
-		ifr.raw.Ifru[i] = 0
-	}
+	clear(ifr.raw.Ifru[:])
 }
 
 // TODO(mdlayher): export as IfreqData? For now we can provide helpers such as
diff --git a/vendor/golang.org/x/sys/unix/mkall.sh b/vendor/golang.org/x/sys/unix/mkall.sh
index e6f31d374..d0ed61191 100644
--- a/vendor/golang.org/x/sys/unix/mkall.sh
+++ b/vendor/golang.org/x/sys/unix/mkall.sh
@@ -49,6 +49,7 @@ esac
 if [[ "$GOOS" = "linux" ]]; then
 	# Use the Docker-based build system
 	# Files generated through docker (use $cmd so you can Ctl-C the build or run)
+	set -e
 	$cmd docker build --tag generate:$GOOS $GOOS
 	$cmd docker run --interactive --tty --volume $(cd -- "$(dirname -- "$0")/.." && pwd):/build generate:$GOOS
 	exit
diff --git a/vendor/golang.org/x/sys/unix/mkerrors.sh b/vendor/golang.org/x/sys/unix/mkerrors.sh
index d1c8b2640..42517077c 100644
--- a/vendor/golang.org/x/sys/unix/mkerrors.sh
+++ b/vendor/golang.org/x/sys/unix/mkerrors.sh
@@ -226,6 +226,7 @@ struct ltchars {
 #include <linux/cryptouser.h>
 #include <linux/devlink.h>
 #include <linux/dm-ioctl.h>
+#include <linux/elf.h>
 #include <linux/errqueue.h>
 #include <linux/ethtool_netlink.h>
 #include <linux/falloc.h>
@@ -529,6 +530,7 @@ ccflags="$@"
 		$2 ~ /^O[CNPFPL][A-Z]+[^_][A-Z]+$/ ||
 		$2 ~ /^(NL|CR|TAB|BS|VT|FF)DLY$/ ||
 		$2 ~ /^(NL|CR|TAB|BS|VT|FF)[0-9]$/ ||
+		$2 ~ /^(DT|EI|ELF|EV|NN|NT|PF|SHF|SHN|SHT|STB|STT|VER)_/ ||
 		$2 ~ /^O?XTABS$/ ||
 		$2 ~ /^TC[IO](ON|OFF)$/ ||
 		$2 ~ /^IN_/ ||
diff --git a/vendor/golang.org/x/sys/unix/syscall_linux.go b/vendor/golang.org/x/sys/unix/syscall_linux.go
index 4958a6570..06c0eea6f 100644
--- a/vendor/golang.org/x/sys/unix/syscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
@@ -801,9 +801,7 @@ func (sa *SockaddrPPPoE) sockaddr() (unsafe.Pointer, _Socklen, error) {
 	// one. The kernel expects SID to be in network byte order.
 	binary.BigEndian.PutUint16(sa.raw[6:8], sa.SID)
 	copy(sa.raw[8:14], sa.Remote)
-	for i := 14; i < 14+IFNAMSIZ; i++ {
-		sa.raw[i] = 0
-	}
+	clear(sa.raw[14 : 14+IFNAMSIZ])
 	copy(sa.raw[14:], sa.Dev)
 	return unsafe.Pointer(&sa.raw), SizeofSockaddrPPPoX, nil
 }
@@ -2645,3 +2643,9 @@ func SchedGetAttr(pid int, flags uint) (*SchedAttr, error) {
 
 //sys	Cachestat(fd uint, crange *CachestatRange, cstat *Cachestat_t, flags uint) (err error)
 //sys	Mseal(b []byte, flags uint) (err error)
+
+//sys	setMemPolicy(mode int, mask *CPUSet, size int) (err error) = SYS_SET_MEMPOLICY
+
+func SetMemPolicy(mode int, mask *CPUSet) error {
+	return setMemPolicy(mode, mask, _CPU_SETSIZE)
+}
diff --git a/vendor/golang.org/x/sys/unix/syscall_netbsd.go b/vendor/golang.org/x/sys/unix/syscall_netbsd.go
index 88162099a..34a467697 100644
--- a/vendor/golang.org/x/sys/unix/syscall_netbsd.go
+++ b/vendor/golang.org/x/sys/unix/syscall_netbsd.go
@@ -248,6 +248,23 @@ func Statvfs(path string, buf *Statvfs_t) (err error) {
 	return Statvfs1(path, buf, ST_WAIT)
 }
 
+func Getvfsstat(buf []Statvfs_t, flags int) (n int, err error) {
+	var (
+		_p0     unsafe.Pointer
+		bufsize uintptr
+	)
+	if len(buf) > 0 {
+		_p0 = unsafe.Pointer(&buf[0])
+		bufsize = unsafe.Sizeof(Statvfs_t{}) * uintptr(len(buf))
+	}
+	r0, _, e1 := Syscall(SYS_GETVFSSTAT, uintptr(_p0), bufsize, uintptr(flags))
+	n = int(r0)
+	if e1 != 0 {
+		err = e1
+	}
+	return
+}
+
 /*
  * Exposed directly
  */
diff --git a/vendor/golang.org/x/sys/unix/zerrors_linux.go b/vendor/golang.org/x/sys/unix/zerrors_linux.go
index b6db27d93..d0a75da57 100644
--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go
@@ -853,20 +853,86 @@ const (
 	DM_VERSION_MAJOR                            = 0x4
 	DM_VERSION_MINOR                            = 0x32
 	DM_VERSION_PATCHLEVEL                       = 0x0
+	DT_ADDRRNGHI                                = 0x6ffffeff
+	DT_ADDRRNGLO                                = 0x6ffffe00
 	DT_BLK                                      = 0x6
 	DT_CHR                                      = 0x2
+	DT_DEBUG                                    = 0x15
 	DT_DIR                                      = 0x4
+	DT_ENCODING                                 = 0x20
 	DT_FIFO                                     = 0x1
+	DT_FINI                                     = 0xd
+	DT_FLAGS_1                                  = 0x6ffffffb
+	DT_GNU_HASH                                 = 0x6ffffef5
+	DT_HASH                                     = 0x4
+	DT_HIOS                                     = 0x6ffff000
+	DT_HIPROC                                   = 0x7fffffff
+	DT_INIT                                     = 0xc
+	DT_JMPREL                                   = 0x17
 	DT_LNK                                      = 0xa
+	DT_LOOS                                     = 0x6000000d
+	DT_LOPROC                                   = 0x70000000
+	DT_NEEDED                                   = 0x1
+	DT_NULL                                     = 0x0
+	DT_PLTGOT                                   = 0x3
+	DT_PLTREL                                   = 0x14
+	DT_PLTRELSZ                                 = 0x2
 	DT_REG                                      = 0x8
+	DT_REL                                      = 0x11
+	DT_RELA                                     = 0x7
+	DT_RELACOUNT                                = 0x6ffffff9
+	DT_RELAENT                                  = 0x9
+	DT_RELASZ                                   = 0x8
+	DT_RELCOUNT                                 = 0x6ffffffa
+	DT_RELENT                                   = 0x13
+	DT_RELSZ                                    = 0x12
+	DT_RPATH                                    = 0xf
 	DT_SOCK                                     = 0xc
+	DT_SONAME                                   = 0xe
+	DT_STRSZ                                    = 0xa
+	DT_STRTAB                                   = 0x5
+	DT_SYMBOLIC                                 = 0x10
+	DT_SYMENT                                   = 0xb
+	DT_SYMTAB                                   = 0x6
+	DT_TEXTREL                                  = 0x16
 	DT_UNKNOWN                                  = 0x0
+	DT_VALRNGHI                                 = 0x6ffffdff
+	DT_VALRNGLO                                 = 0x6ffffd00
+	DT_VERDEF                                   = 0x6ffffffc
+	DT_VERDEFNUM                                = 0x6ffffffd
+	DT_VERNEED                                  = 0x6ffffffe
+	DT_VERNEEDNUM                               = 0x6fffffff
+	DT_VERSYM                                   = 0x6ffffff0
 	DT_WHT                                      = 0xe
 	ECHO                                        = 0x8
 	ECRYPTFS_SUPER_MAGIC                        = 0xf15f
 	EFD_SEMAPHORE                               = 0x1
 	EFIVARFS_MAGIC                              = 0xde5e81e4
 	EFS_SUPER_MAGIC                             = 0x414a53
+	EI_CLASS                                    = 0x4
+	EI_DATA                                     = 0x5
+	EI_MAG0                                     = 0x0
+	EI_MAG1                                     = 0x1
+	EI_MAG2                                     = 0x2
+	EI_MAG3                                     = 0x3
+	EI_NIDENT                                   = 0x10
+	EI_OSABI                                    = 0x7
+	EI_PAD                                      = 0x8
+	EI_VERSION                                  = 0x6
+	ELFCLASS32                                  = 0x1
+	ELFCLASS64                                  = 0x2
+	ELFCLASSNONE                                = 0x0
+	ELFCLASSNUM                                 = 0x3
+	ELFDATA2LSB                                 = 0x1
+	ELFDATA2MSB                                 = 0x2
+	ELFDATANONE                                 = 0x0
+	ELFMAG                                      = "\177ELF"
+	ELFMAG0                                     = 0x7f
+	ELFMAG1                                     = 'E'
+	ELFMAG2                                     = 'L'
+	ELFMAG3                                     = 'F'
+	ELFOSABI_LINUX                              = 0x3
+	ELFOSABI_NONE                               = 0x0
 	EM_386                                      = 0x3
 	EM_486                                      = 0x6
 	EM_68K                                      = 0x4
@@ -1152,14 +1218,24 @@ const (
 	ETH_P_WCCP                                  = 0x883e
 	ETH_P_X25                                   = 0x805
 	ETH_P_XDSA                                  = 0xf8
+	ET_CORE                                     = 0x4
+	ET_DYN                                      = 0x3
+	ET_EXEC                                     = 0x2
+	ET_HIPROC                                   = 0xffff
+	ET_LOPROC                                   = 0xff00
+	ET_NONE                                     = 0x0
+	ET_REL                                      = 0x1
 	EV_ABS                                      = 0x3
 	EV_CNT                                      = 0x20
+	EV_CURRENT                                  = 0x1
 	EV_FF                                       = 0x15
 	EV_FF_STATUS                                = 0x17
 	EV_KEY                                      = 0x1
 	EV_LED                                      = 0x11
 	EV_MAX                                      = 0x1f
 	EV_MSC                                      = 0x4
+	EV_NONE                                     = 0x0
+	EV_NUM                                      = 0x2
 	EV_PWR                                      = 0x16
 	EV_REL                                      = 0x2
 	EV_REP                                      = 0x14
@@ -2276,7 +2352,167 @@ const (
 	NLM_F_REPLACE                               = 0x100
 	NLM_F_REQUEST                               = 0x1
 	NLM_F_ROOT                                  = 0x100
+	NN_386_IOPERM                               = "LINUX"
+	NN_386_TLS                                  = "LINUX"
+	NN_ARC_V2                                   = "LINUX"
+	NN_ARM_FPMR                                 = "LINUX"
+	NN_ARM_GCS                                  = "LINUX"
+	NN_ARM_HW_BREAK                             = "LINUX"
+	NN_ARM_HW_WATCH                             = "LINUX"
+	NN_ARM_PACA_KEYS                            = "LINUX"
+	NN_ARM_PACG_KEYS                            = "LINUX"
+	NN_ARM_PAC_ENABLED_KEYS                     = "LINUX"
+	NN_ARM_PAC_MASK                             = "LINUX"
+	NN_ARM_POE                                  = "LINUX"
+	NN_ARM_SSVE                                 = "LINUX"
+	NN_ARM_SVE                                  = "LINUX"
+	NN_ARM_SYSTEM_CALL                          = "LINUX"
+	NN_ARM_TAGGED_ADDR_CTRL                     = "LINUX"
+	NN_ARM_TLS                                  = "LINUX"
+	NN_ARM_VFP                                  = "LINUX"
+	NN_ARM_ZA                                   = "LINUX"
+	NN_ARM_ZT                                   = "LINUX"
+	NN_AUXV                                     = "CORE"
+	NN_FILE                                     = "CORE"
+	NN_GNU_PROPERTY_TYPE_0                      = "GNU"
+	NN_LOONGARCH_CPUCFG                         = "LINUX"
+	NN_LOONGARCH_CSR                            = "LINUX"
+	NN_LOONGARCH_HW_BREAK                       = "LINUX"
+	NN_LOONGARCH_HW_WATCH                       = "LINUX"
+	NN_LOONGARCH_LASX                           = "LINUX"
+	NN_LOONGARCH_LBT                            = "LINUX"
+	NN_LOONGARCH_LSX                            = "LINUX"
+	NN_MIPS_DSP                                 = "LINUX"
+	NN_MIPS_FP_MODE                             = "LINUX"
+	NN_MIPS_MSA                                 = "LINUX"
+	NN_PPC_DEXCR                                = "LINUX"
+	NN_PPC_DSCR                                 = "LINUX"
+	NN_PPC_EBB                                  = "LINUX"
+	NN_PPC_HASHKEYR                             = "LINUX"
+	NN_PPC_PKEY                                 = "LINUX"
+	NN_PPC_PMU                                  = "LINUX"
+	NN_PPC_PPR                                  = "LINUX"
+	NN_PPC_SPE                                  = "LINUX"
+	NN_PPC_TAR                                  = "LINUX"
+	NN_PPC_TM_CDSCR                             = "LINUX"
+	NN_PPC_TM_CFPR                              = "LINUX"
+	NN_PPC_TM_CGPR                              = "LINUX"
+	NN_PPC_TM_CPPR                              = "LINUX"
+	NN_PPC_TM_CTAR                              = "LINUX"
+	NN_PPC_TM_CVMX                              = "LINUX"
+	NN_PPC_TM_CVSX                              = "LINUX"
+	NN_PPC_TM_SPR                               = "LINUX"
+	NN_PPC_VMX                                  = "LINUX"
+	NN_PPC_VSX                                  = "LINUX"
+	NN_PRFPREG                                  = "CORE"
+	NN_PRPSINFO                                 = "CORE"
+	NN_PRSTATUS                                 = "CORE"
+	NN_PRXFPREG                                 = "LINUX"
+	NN_RISCV_CSR                                = "LINUX"
+	NN_RISCV_TAGGED_ADDR_CTRL                   = "LINUX"
+	NN_RISCV_VECTOR                             = "LINUX"
+	NN_S390_CTRS                                = "LINUX"
+	NN_S390_GS_BC                               = "LINUX"
+	NN_S390_GS_CB                               = "LINUX"
+	NN_S390_HIGH_GPRS                           = "LINUX"
+	NN_S390_LAST_BREAK                          = "LINUX"
+	NN_S390_PREFIX                              = "LINUX"
+	NN_S390_PV_CPU_DATA                         = "LINUX"
+	NN_S390_RI_CB                               = "LINUX"
+	NN_S390_SYSTEM_CALL                         = "LINUX"
+	NN_S390_TDB                                 = "LINUX"
+	NN_S390_TIMER                               = "LINUX"
+	NN_S390_TODCMP                              = "LINUX"
+	NN_S390_TODPREG                             = "LINUX"
+	NN_S390_VXRS_HIGH                           = "LINUX"
+	NN_S390_VXRS_LOW                            = "LINUX"
+	NN_SIGINFO                                  = "CORE"
+	NN_TASKSTRUCT                               = "CORE"
+	NN_VMCOREDD                                 = "LINUX"
+	NN_X86_SHSTK                                = "LINUX"
+	NN_X86_XSAVE_LAYOUT                         = "LINUX"
+	NN_X86_XSTATE                               = "LINUX"
 	NSFS_MAGIC                                  = 0x6e736673
+	NT_386_IOPERM                               = 0x201
+	NT_386_TLS                                  = 0x200
+	NT_ARC_V2                                   = 0x600
+	NT_ARM_FPMR                                 = 0x40e
+	NT_ARM_GCS                                  = 0x410
+	NT_ARM_HW_BREAK                             = 0x402
+	NT_ARM_HW_WATCH                             = 0x403
+	NT_ARM_PACA_KEYS                            = 0x407
+	NT_ARM_PACG_KEYS                            = 0x408
+	NT_ARM_PAC_ENABLED_KEYS                     = 0x40a
+	NT_ARM_PAC_MASK                             = 0x406
+	NT_ARM_POE                                  = 0x40f
+	NT_ARM_SSVE                                 = 0x40b
+	NT_ARM_SVE                                  = 0x405
+	NT_ARM_SYSTEM_CALL                          = 0x404
+	NT_ARM_TAGGED_ADDR_CTRL                     = 0x409
+	NT_ARM_TLS                                  = 0x401
+	NT_ARM_VFP                                  = 0x400
+	NT_ARM_ZA                                   = 0x40c
+	NT_ARM_ZT                                   = 0x40d
+	NT_AUXV                                     = 0x6
+	NT_FILE                                     = 0x46494c45
+	NT_GNU_PROPERTY_TYPE_0                      = 0x5
+	NT_LOONGARCH_CPUCFG                         = 0xa00
+	NT_LOONGARCH_CSR                            = 0xa01
+	NT_LOONGARCH_HW_BREAK                       = 0xa05
+	NT_LOONGARCH_HW_WATCH                       = 0xa06
+	NT_LOONGARCH_LASX                           = 0xa03
+	NT_LOONGARCH_LBT                            = 0xa04
+	NT_LOONGARCH_LSX                            = 0xa02
+	NT_MIPS_DSP                                 = 0x800
+	NT_MIPS_FP_MODE                             = 0x801
+	NT_MIPS_MSA                                 = 0x802
+	NT_PPC_DEXCR                                = 0x111
+	NT_PPC_DSCR                                 = 0x105
+	NT_PPC_EBB                                  = 0x106
+	NT_PPC_HASHKEYR                             = 0x112
+	NT_PPC_PKEY                                 = 0x110
+	NT_PPC_PMU                                  = 0x107
+	NT_PPC_PPR                                  = 0x104
+	NT_PPC_SPE                                  = 0x101
+	NT_PPC_TAR                                  = 0x103
+	NT_PPC_TM_CDSCR                             = 0x10f
+	NT_PPC_TM_CFPR                              = 0x109
+	NT_PPC_TM_CGPR                              = 0x108
+	NT_PPC_TM_CPPR                              = 0x10e
+	NT_PPC_TM_CTAR                              = 0x10d
+	NT_PPC_TM_CVMX                              = 0x10a
+	NT_PPC_TM_CVSX                              = 0x10b
+	NT_PPC_TM_SPR                               = 0x10c
+	NT_PPC_VMX                                  = 0x100
+	NT_PPC_VSX                                  = 0x102
+	NT_PRFPREG                                  = 0x2
+	NT_PRPSINFO                                 = 0x3
+	NT_PRSTATUS                                 = 0x1
+	NT_PRXFPREG                                 = 0x46e62b7f
+	NT_RISCV_CSR                                = 0x900
+	NT_RISCV_TAGGED_ADDR_CTRL                   = 0x902
+	NT_RISCV_VECTOR                             = 0x901
+	NT_S390_CTRS                                = 0x304
+	NT_S390_GS_BC                               = 0x30c
+	NT_S390_GS_CB                               = 0x30b
+	NT_S390_HIGH_GPRS                           = 0x300
+	NT_S390_LAST_BREAK                          = 0x306
+	NT_S390_PREFIX                              = 0x305
+	NT_S390_PV_CPU_DATA                         = 0x30e
+	NT_S390_RI_CB                               = 0x30d
+	NT_S390_SYSTEM_CALL                         = 0x307
+	NT_S390_TDB                                 = 0x308
+	NT_S390_TIMER                               = 0x301
+	NT_S390_TODCMP                              = 0x302
+	NT_S390_TODPREG                             = 0x303
+	NT_S390_VXRS_HIGH                           = 0x30a
+	NT_S390_VXRS_LOW                            = 0x309
+	NT_SIGINFO                                  = 0x53494749
+	NT_TASKSTRUCT                               = 0x4
+	NT_VMCOREDD                                 = 0x700
+	NT_X86_SHSTK                                = 0x204
+	NT_X86_XSAVE_LAYOUT                         = 0x205
+	NT_X86_XSTATE                               = 0x202
 	OCFS2_SUPER_MAGIC                           = 0x7461636f
 	OCRNL                                       = 0x8
 	OFDEL                                       = 0x80
@@ -2463,6 +2699,59 @@ const (
 	PERF_RECORD_MISC_USER                       = 0x2
 	PERF_SAMPLE_BRANCH_PLM_ALL                  = 0x7
 	PERF_SAMPLE_WEIGHT_TYPE                     = 0x1004000
+	PF_ALG                                      = 0x26
+	PF_APPLETALK                                = 0x5
+	PF_ASH                                      = 0x12
+	PF_ATMPVC                                   = 0x8
+	PF_ATMSVC                                   = 0x14
+	PF_AX25                                     = 0x3
+	PF_BLUETOOTH                                = 0x1f
+	PF_BRIDGE                                   = 0x7
+	PF_CAIF                                     = 0x25
+	PF_CAN                                      = 0x1d
+	PF_DECnet                                   = 0xc
+	PF_ECONET                                   = 0x13
+	PF_FILE                                     = 0x1
+	PF_IB                                       = 0x1b
+	PF_IEEE802154                               = 0x24
+	PF_INET                                     = 0x2
+	PF_INET6                                    = 0xa
+	PF_IPX                                      = 0x4
+	PF_IRDA                                     = 0x17
+	PF_ISDN                                     = 0x22
+	PF_IUCV                                     = 0x20
+	PF_KCM                                      = 0x29
+	PF_KEY                                      = 0xf
+	PF_LLC                                      = 0x1a
+	PF_LOCAL                                    = 0x1
+	PF_MAX                                      = 0x2e
+	PF_MCTP                                     = 0x2d
+	PF_MPLS                                     = 0x1c
+	PF_NETBEUI                                  = 0xd
+	PF_NETLINK                                  = 0x10
+	PF_NETROM                                   = 0x6
+	PF_NFC                                      = 0x27
+	PF_PACKET                                   = 0x11
+	PF_PHONET                                   = 0x23
+	PF_PPPOX                                    = 0x18
+	PF_QIPCRTR                                  = 0x2a
+	PF_R                                        = 0x4
+	PF_RDS                                      = 0x15
+	PF_ROSE                                     = 0xb
+	PF_ROUTE                                    = 0x10
+	PF_RXRPC                                    = 0x21
+	PF_SECURITY                                 = 0xe
+	PF_SMC                                      = 0x2b
+	PF_SNA                                      = 0x16
+	PF_TIPC                                     = 0x1e
+	PF_UNIX                                     = 0x1
+	PF_UNSPEC                                   = 0x0
+	PF_VSOCK                                    = 0x28
+	PF_W                                        = 0x2
+	PF_WANPIPE                                  = 0x19
+	PF_X                                        = 0x1
+	PF_X25                                      = 0x9
+	PF_XDP                                      = 0x2c
 	PID_FS_MAGIC                                = 0x50494446
 	PIPEFS_MAGIC                                = 0x50495045
 	PPPIOCGNPMODE                               = 0xc008744c
@@ -2758,6 +3047,23 @@ const (
 	PTRACE_SYSCALL_INFO_NONE                    = 0x0
 	PTRACE_SYSCALL_INFO_SECCOMP                 = 0x3
 	PTRACE_TRACEME                              = 0x0
+	PT_AARCH64_MEMTAG_MTE                       = 0x70000002
+	PT_DYNAMIC                                  = 0x2
+	PT_GNU_EH_FRAME                             = 0x6474e550
+	PT_GNU_PROPERTY                             = 0x6474e553
+	PT_GNU_RELRO                                = 0x6474e552
+	PT_GNU_STACK                                = 0x6474e551
+	PT_HIOS                                     = 0x6fffffff
+	PT_HIPROC                                   = 0x7fffffff
+	PT_INTERP                                   = 0x3
+	PT_LOAD                                     = 0x1
+	PT_LOOS                                     = 0x60000000
+	PT_LOPROC                                   = 0x70000000
+	PT_NOTE                                     = 0x4
+	PT_NULL                                     = 0x0
+	PT_PHDR                                     = 0x6
+	PT_SHLIB                                    = 0x5
+	PT_TLS                                      = 0x7
 	P_ALL                                       = 0x0
 	P_PGID                                      = 0x2
 	P_PID                                       = 0x1
@@ -3091,6 +3397,47 @@ const (
 	SEEK_MAX                                    = 0x4
 	SEEK_SET                                    = 0x0
 	SELINUX_MAGIC                               = 0xf97cff8c
+	SHF_ALLOC                                   = 0x2
+	SHF_EXCLUDE                                 = 0x8000000
+	SHF_EXECINSTR                               = 0x4
+	SHF_GROUP                                   = 0x200
+	SHF_INFO_LINK                               = 0x40
+	SHF_LINK_ORDER                              = 0x80
+	SHF_MASKOS                                  = 0xff00000
+	SHF_MASKPROC                                = 0xf0000000
+	SHF_MERGE                                   = 0x10
+	SHF_ORDERED                                 = 0x4000000
+	SHF_OS_NONCONFORMING                        = 0x100
+	SHF_RELA_LIVEPATCH                          = 0x100000
+	SHF_RO_AFTER_INIT                           = 0x200000
+	SHF_STRINGS                                 = 0x20
+	SHF_TLS                                     = 0x400
+	SHF_WRITE                                   = 0x1
+	SHN_ABS                                     = 0xfff1
+	SHN_COMMON                                  = 0xfff2
+	SHN_HIPROC                                  = 0xff1f
+	SHN_HIRESERVE                               = 0xffff
+	SHN_LIVEPATCH                               = 0xff20
+	SHN_LOPROC                                  = 0xff00
+	SHN_LORESERVE                               = 0xff00
+	SHN_UNDEF                                   = 0x0
+	SHT_DYNAMIC                                 = 0x6
+	SHT_DYNSYM                                  = 0xb
+	SHT_HASH                                    = 0x5
+	SHT_HIPROC                                  = 0x7fffffff
+	SHT_HIUSER                                  = 0xffffffff
+	SHT_LOPROC                                  = 0x70000000
+	SHT_LOUSER                                  = 0x80000000
+	SHT_NOBITS                                  = 0x8
+	SHT_NOTE                                    = 0x7
+	SHT_NULL                                    = 0x0
+	SHT_NUM                                     = 0xc
+	SHT_PROGBITS                                = 0x1
+	SHT_REL                                     = 0x9
+	SHT_RELA                                    = 0x4
+	SHT_SHLIB                                   = 0xa
+	SHT_STRTAB                                  = 0x3
+	SHT_SYMTAB                                  = 0x2
 	SHUT_RD                                     = 0x0
 	SHUT_RDWR                                   = 0x2
 	SHUT_WR                                     = 0x1
@@ -3317,6 +3664,16 @@ const (
 	STATX_UID                                   = 0x8
 	STATX_WRITE_ATOMIC                          = 0x10000
 	STATX__RESERVED                             = 0x80000000
+	STB_GLOBAL                                  = 0x1
+	STB_LOCAL                                   = 0x0
+	STB_WEAK                                    = 0x2
+	STT_COMMON                                  = 0x5
+	STT_FILE                                    = 0x4
+	STT_FUNC                                    = 0x2
+	STT_NOTYPE                                  = 0x0
+	STT_OBJECT                                  = 0x1
+	STT_SECTION                                 = 0x3
+	STT_TLS                                     = 0x6
 	SYNC_FILE_RANGE_WAIT_AFTER                  = 0x4
 	SYNC_FILE_RANGE_WAIT_BEFORE                 = 0x1
 	SYNC_FILE_RANGE_WRITE                       = 0x2
@@ -3553,6 +3910,8 @@ const (
 	UTIME_OMIT                                  = 0x3ffffffe
 	V9FS_MAGIC                                  = 0x1021997
 	VERASE                                      = 0x2
+	VER_FLG_BASE                                = 0x1
+	VER_FLG_WEAK                                = 0x2
 	VINTR                                       = 0x0
 	VKILL                                       = 0x3
 	VLNEXT                                      = 0xf
diff --git a/vendor/golang.org/x/sys/unix/zsyscall_linux.go b/vendor/golang.org/x/sys/unix/zsyscall_linux.go
index 5cc1e8eb2..8935d10a3 100644
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux.go
@@ -2238,3 +2238,13 @@ func Mseal(b []byte, flags uint) (err error) {
 	}
 	return
 }
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func setMemPolicy(mode int, mask *CPUSet, size int) (err error) {
+	_, _, e1 := Syscall(SYS_SET_MEMPOLICY, uintptr(mode), uintptr(unsafe.Pointer(mask)), uintptr(size))
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
diff --git a/vendor/golang.org/x/sys/unix/ztypes_linux.go b/vendor/golang.org/x/sys/unix/ztypes_linux.go
index 944e75a11..c1a467017 100644
--- a/vendor/golang.org/x/sys/unix/ztypes_linux.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go
@@ -3590,6 +3590,8 @@ type Nhmsg struct {
 	Flags    uint32
 }
 
+const SizeofNhmsg = 0x8
+
 type NexthopGrp struct {
 	Id     uint32
 	Weight uint8
@@ -3597,6 +3599,8 @@ type NexthopGrp struct {
 	Resvd2 uint16
 }
 
+const SizeofNexthopGrp = 0x8
+
 const (
 	NHA_UNSPEC     = 0x0
 	NHA_ID         = 0x1
@@ -6332,3 +6336,30 @@ type SockDiagReq struct {
 }
 
 const RTM_NEWNVLAN = 0x70
+
+const (
+	MPOL_BIND                = 0x2
+	MPOL_DEFAULT             = 0x0
+	MPOL_F_ADDR              = 0x2
+	MPOL_F_MEMS_ALLOWED      = 0x4
+	MPOL_F_MOF               = 0x8
+	MPOL_F_MORON             = 0x10
+	MPOL_F_NODE              = 0x1
+	MPOL_F_NUMA_BALANCING    = 0x2000
+	MPOL_F_RELATIVE_NODES    = 0x4000
+	MPOL_F_SHARED            = 0x1
+	MPOL_F_STATIC_NODES      = 0x8000
+	MPOL_INTERLEAVE          = 0x3
+	MPOL_LOCAL               = 0x4
+	MPOL_MAX                 = 0x7
+	MPOL_MF_INTERNAL         = 0x10
+	MPOL_MF_LAZY             = 0x8
+	MPOL_MF_MOVE_ALL         = 0x4
+	MPOL_MF_MOVE             = 0x2
+	MPOL_MF_STRICT           = 0x1
+	MPOL_MF_VALID            = 0x7
+	MPOL_MODE_FLAGS          = 0xe000
+	MPOL_PREFERRED           = 0x1
+	MPOL_PREFERRED_MANY      = 0x5
+	MPOL_WEIGHTED_INTERLEAVE = 0x6
+)
diff --git a/vendor/golang.org/x/sys/windows/syscall_windows.go b/vendor/golang.org/x/sys/windows/syscall_windows.go
index 640f6b153..69439df2a 100644
--- a/vendor/golang.org/x/sys/windows/syscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/syscall_windows.go
@@ -321,6 +321,8 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	SetConsoleOutputCP(cp uint32) (err error) = kernel32.SetConsoleOutputCP
 //sys	WriteConsole(console Handle, buf *uint16, towrite uint32, written *uint32, reserved *byte) (err error) = kernel32.WriteConsoleW
 //sys	ReadConsole(console Handle, buf *uint16, toread uint32, read *uint32, inputControl *byte) (err error) = kernel32.ReadConsoleW
+//sys	GetNumberOfConsoleInputEvents(console Handle, numevents *uint32) (err error) = kernel32.GetNumberOfConsoleInputEvents
+//sys	FlushConsoleInputBuffer(console Handle) (err error) = kernel32.FlushConsoleInputBuffer
 //sys	resizePseudoConsole(pconsole Handle, size uint32) (hr error) = kernel32.ResizePseudoConsole
 //sys	CreateToolhelp32Snapshot(flags uint32, processId uint32) (handle Handle, err error) [failretval==InvalidHandle] = kernel32.CreateToolhelp32Snapshot
 //sys	Module32First(snapshot Handle, moduleEntry *ModuleEntry32) (err error) = kernel32.Module32FirstW
@@ -890,8 +892,12 @@ const socket_error = uintptr(^uint32(0))
 //sys	MultiByteToWideChar(codePage uint32, dwFlags uint32, str *byte, nstr int32, wchar *uint16, nwchar int32) (nwrite int32, err error) = kernel32.MultiByteToWideChar
 //sys	getBestInterfaceEx(sockaddr unsafe.Pointer, pdwBestIfIndex *uint32) (errcode error) = iphlpapi.GetBestInterfaceEx
 //sys   GetIfEntry2Ex(level uint32, row *MibIfRow2) (errcode error) = iphlpapi.GetIfEntry2Ex
+//sys   GetIpForwardEntry2(row *MibIpForwardRow2) (errcode error) = iphlpapi.GetIpForwardEntry2
+//sys   GetIpForwardTable2(family uint16, table **MibIpForwardTable2) (errcode error) = iphlpapi.GetIpForwardTable2
 //sys   GetUnicastIpAddressEntry(row *MibUnicastIpAddressRow) (errcode error) = iphlpapi.GetUnicastIpAddressEntry
+//sys   FreeMibTable(memory unsafe.Pointer) = iphlpapi.FreeMibTable
 //sys   NotifyIpInterfaceChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyIpInterfaceChange
+//sys   NotifyRouteChange2(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyRouteChange2
 //sys   NotifyUnicastIpAddressChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) = iphlpapi.NotifyUnicastIpAddressChange
 //sys   CancelMibChangeNotify2(notificationHandle Handle) (errcode error) = iphlpapi.CancelMibChangeNotify2
 
@@ -914,6 +920,17 @@ type RawSockaddrInet6 struct {
 	Scope_id uint32
 }
 
+// RawSockaddrInet is a union that contains an IPv4, an IPv6 address, or an address family. See
+// https://learn.microsoft.com/en-us/windows/win32/api/ws2ipdef/ns-ws2ipdef-sockaddr_inet.
+//
+// A [*RawSockaddrInet] may be converted to a [*RawSockaddrInet4] or [*RawSockaddrInet6] using
+// unsafe, depending on the address family.
+type RawSockaddrInet struct {
+	Family uint16
+	Port   uint16
+	Data   [6]uint32
+}
+
 type RawSockaddr struct {
 	Family uint16
 	Data   [14]int8
diff --git a/vendor/golang.org/x/sys/windows/types_windows.go b/vendor/golang.org/x/sys/windows/types_windows.go
index 993a2297d..6e4f50eb4 100644
--- a/vendor/golang.org/x/sys/windows/types_windows.go
+++ b/vendor/golang.org/x/sys/windows/types_windows.go
@@ -65,6 +65,22 @@ var signals = [...]string{
 	15: "terminated",
 }
 
+// File flags for [os.OpenFile]. The O_ prefix is used to indicate
+// that these flags are specific to the OpenFile function.
+const (
+	O_FILE_FLAG_OPEN_NO_RECALL     = FILE_FLAG_OPEN_NO_RECALL
+	O_FILE_FLAG_OPEN_REPARSE_POINT = FILE_FLAG_OPEN_REPARSE_POINT
+	O_FILE_FLAG_SESSION_AWARE      = FILE_FLAG_SESSION_AWARE
+	O_FILE_FLAG_POSIX_SEMANTICS    = FILE_FLAG_POSIX_SEMANTICS
+	O_FILE_FLAG_BACKUP_SEMANTICS   = FILE_FLAG_BACKUP_SEMANTICS
+	O_FILE_FLAG_DELETE_ON_CLOSE    = FILE_FLAG_DELETE_ON_CLOSE
+	O_FILE_FLAG_SEQUENTIAL_SCAN    = FILE_FLAG_SEQUENTIAL_SCAN
+	O_FILE_FLAG_RANDOM_ACCESS      = FILE_FLAG_RANDOM_ACCESS
+	O_FILE_FLAG_NO_BUFFERING       = FILE_FLAG_NO_BUFFERING
+	O_FILE_FLAG_OVERLAPPED         = FILE_FLAG_OVERLAPPED
+	O_FILE_FLAG_WRITE_THROUGH      = FILE_FLAG_WRITE_THROUGH
+)
+
 const (
 	FILE_READ_DATA        = 0x00000001
 	FILE_READ_ATTRIBUTES  = 0x00000080
@@ -2304,6 +2320,82 @@ type MibIfRow2 struct {
 	OutQLen                     uint64
 }
 
+// IP_ADDRESS_PREFIX stores an IP address prefix. See
+// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-ip_address_prefix.
+type IpAddressPrefix struct {
+	Prefix       RawSockaddrInet
+	PrefixLength uint8
+}
+
+// NL_ROUTE_ORIGIN enumeration from nldef.h or
+// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_route_origin.
+const (
+	NlroManual              = 0
+	NlroWellKnown           = 1
+	NlroDHCP                = 2
+	NlroRouterAdvertisement = 3
+	Nlro6to4                = 4
+)
+
+// NL_ROUTE_ORIGIN enumeration from nldef.h or
+// https://learn.microsoft.com/en-us/windows/win32/api/nldef/ne-nldef-nl_route_protocol.
+const (
+	MIB_IPPROTO_OTHER             = 1
+	MIB_IPPROTO_LOCAL             = 2
+	MIB_IPPROTO_NETMGMT           = 3
+	MIB_IPPROTO_ICMP              = 4
+	MIB_IPPROTO_EGP               = 5
+	MIB_IPPROTO_GGP               = 6
+	MIB_IPPROTO_HELLO             = 7
+	MIB_IPPROTO_RIP               = 8
+	MIB_IPPROTO_IS_IS             = 9
+	MIB_IPPROTO_ES_IS             = 10
+	MIB_IPPROTO_CISCO             = 11
+	MIB_IPPROTO_BBN               = 12
+	MIB_IPPROTO_OSPF              = 13
+	MIB_IPPROTO_BGP               = 14
+	MIB_IPPROTO_IDPR              = 15
+	MIB_IPPROTO_EIGRP             = 16
+	MIB_IPPROTO_DVMRP             = 17
+	MIB_IPPROTO_RPL               = 18
+	MIB_IPPROTO_DHCP              = 19
+	MIB_IPPROTO_NT_AUTOSTATIC     = 10002
+	MIB_IPPROTO_NT_STATIC         = 10006
+	MIB_IPPROTO_NT_STATIC_NON_DOD = 10007
+)
+
+// MIB_IPFORWARD_ROW2 stores information about an IP route entry. See
+// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipforward_row2.
+type MibIpForwardRow2 struct {
+	InterfaceLuid        uint64
+	InterfaceIndex       uint32
+	DestinationPrefix    IpAddressPrefix
+	NextHop              RawSockaddrInet
+	SitePrefixLength     uint8
+	ValidLifetime        uint32
+	PreferredLifetime    uint32
+	Metric               uint32
+	Protocol             uint32
+	Loopback             uint8
+	AutoconfigureAddress uint8
+	Publish              uint8
+	Immortal             uint8
+	Age                  uint32
+	Origin               uint32
+}
+
+// MIB_IPFORWARD_TABLE2 contains a table of IP route entries. See
+// https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_ipforward_table2.
+type MibIpForwardTable2 struct {
+	NumEntries uint32
+	Table      [1]MibIpForwardRow2
+}
+
+// Rows returns the IP route entries in the table.
+func (t *MibIpForwardTable2) Rows() []MibIpForwardRow2 {
+	return unsafe.Slice(&t.Table[0], t.NumEntries)
+}
+
 // MIB_UNICASTIPADDRESS_ROW stores information about a unicast IP address. See
 // https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-mib_unicastipaddress_row.
 type MibUnicastIpAddressRow struct {
diff --git a/vendor/golang.org/x/sys/windows/zsyscall_windows.go b/vendor/golang.org/x/sys/windows/zsyscall_windows.go
index 641a5f4b7..f25b7308a 100644
--- a/vendor/golang.org/x/sys/windows/zsyscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/zsyscall_windows.go
@@ -182,13 +182,17 @@ var (
 	procDwmGetWindowAttribute                                = moddwmapi.NewProc("DwmGetWindowAttribute")
 	procDwmSetWindowAttribute                                = moddwmapi.NewProc("DwmSetWindowAttribute")
 	procCancelMibChangeNotify2                               = modiphlpapi.NewProc("CancelMibChangeNotify2")
+	procFreeMibTable                                         = modiphlpapi.NewProc("FreeMibTable")
 	procGetAdaptersAddresses                                 = modiphlpapi.NewProc("GetAdaptersAddresses")
 	procGetAdaptersInfo                                      = modiphlpapi.NewProc("GetAdaptersInfo")
 	procGetBestInterfaceEx                                   = modiphlpapi.NewProc("GetBestInterfaceEx")
 	procGetIfEntry                                           = modiphlpapi.NewProc("GetIfEntry")
 	procGetIfEntry2Ex                                        = modiphlpapi.NewProc("GetIfEntry2Ex")
+	procGetIpForwardEntry2                                   = modiphlpapi.NewProc("GetIpForwardEntry2")
+	procGetIpForwardTable2                                   = modiphlpapi.NewProc("GetIpForwardTable2")
 	procGetUnicastIpAddressEntry                             = modiphlpapi.NewProc("GetUnicastIpAddressEntry")
 	procNotifyIpInterfaceChange                              = modiphlpapi.NewProc("NotifyIpInterfaceChange")
+	procNotifyRouteChange2                                   = modiphlpapi.NewProc("NotifyRouteChange2")
 	procNotifyUnicastIpAddressChange                         = modiphlpapi.NewProc("NotifyUnicastIpAddressChange")
 	procAddDllDirectory                                      = modkernel32.NewProc("AddDllDirectory")
 	procAssignProcessToJobObject                             = modkernel32.NewProc("AssignProcessToJobObject")
@@ -238,6 +242,7 @@ var (
 	procFindResourceW                                        = modkernel32.NewProc("FindResourceW")
 	procFindVolumeClose                                      = modkernel32.NewProc("FindVolumeClose")
 	procFindVolumeMountPointClose                            = modkernel32.NewProc("FindVolumeMountPointClose")
+	procFlushConsoleInputBuffer                              = modkernel32.NewProc("FlushConsoleInputBuffer")
 	procFlushFileBuffers                                     = modkernel32.NewProc("FlushFileBuffers")
 	procFlushViewOfFile                                      = modkernel32.NewProc("FlushViewOfFile")
 	procFormatMessageW                                       = modkernel32.NewProc("FormatMessageW")
@@ -284,6 +289,7 @@ var (
 	procGetNamedPipeHandleStateW                             = modkernel32.NewProc("GetNamedPipeHandleStateW")
 	procGetNamedPipeInfo                                     = modkernel32.NewProc("GetNamedPipeInfo")
 	procGetNamedPipeServerProcessId                          = modkernel32.NewProc("GetNamedPipeServerProcessId")
+	procGetNumberOfConsoleInputEvents                        = modkernel32.NewProc("GetNumberOfConsoleInputEvents")
 	procGetOverlappedResult                                  = modkernel32.NewProc("GetOverlappedResult")
 	procGetPriorityClass                                     = modkernel32.NewProc("GetPriorityClass")
 	procGetProcAddress                                       = modkernel32.NewProc("GetProcAddress")
@@ -1622,6 +1628,11 @@ func CancelMibChangeNotify2(notificationHandle Handle) (errcode error) {
 	return
 }
 
+func FreeMibTable(memory unsafe.Pointer) {
+	syscall.SyscallN(procFreeMibTable.Addr(), uintptr(memory))
+	return
+}
+
 func GetAdaptersAddresses(family uint32, flags uint32, reserved uintptr, adapterAddresses *IpAdapterAddresses, sizePointer *uint32) (errcode error) {
 	r0, _, _ := syscall.SyscallN(procGetAdaptersAddresses.Addr(), uintptr(family), uintptr(flags), uintptr(reserved), uintptr(unsafe.Pointer(adapterAddresses)), uintptr(unsafe.Pointer(sizePointer)))
 	if r0 != 0 {
@@ -1662,6 +1673,22 @@ func GetIfEntry2Ex(level uint32, row *MibIfRow2) (errcode error) {
 	return
 }
 
+func GetIpForwardEntry2(row *MibIpForwardRow2) (errcode error) {
+	r0, _, _ := syscall.SyscallN(procGetIpForwardEntry2.Addr(), uintptr(unsafe.Pointer(row)))
+	if r0 != 0 {
+		errcode = syscall.Errno(r0)
+	}
+	return
+}
+
+func GetIpForwardTable2(family uint16, table **MibIpForwardTable2) (errcode error) {
+	r0, _, _ := syscall.SyscallN(procGetIpForwardTable2.Addr(), uintptr(family), uintptr(unsafe.Pointer(table)))
+	if r0 != 0 {
+		errcode = syscall.Errno(r0)
+	}
+	return
+}
+
 func GetUnicastIpAddressEntry(row *MibUnicastIpAddressRow) (errcode error) {
 	r0, _, _ := syscall.SyscallN(procGetUnicastIpAddressEntry.Addr(), uintptr(unsafe.Pointer(row)))
 	if r0 != 0 {
@@ -1682,6 +1709,18 @@ func NotifyIpInterfaceChange(family uint16, callback uintptr, callerContext unsa
 	return
 }
 
+func NotifyRouteChange2(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) {
+	var _p0 uint32
+	if initialNotification {
+		_p0 = 1
+	}
+	r0, _, _ := syscall.SyscallN(procNotifyRouteChange2.Addr(), uintptr(family), uintptr(callback), uintptr(callerContext), uintptr(_p0), uintptr(unsafe.Pointer(notificationHandle)))
+	if r0 != 0 {
+		errcode = syscall.Errno(r0)
+	}
+	return
+}
+
 func NotifyUnicastIpAddressChange(family uint16, callback uintptr, callerContext unsafe.Pointer, initialNotification bool, notificationHandle *Handle) (errcode error) {
 	var _p0 uint32
 	if initialNotification {
@@ -2111,6 +2150,14 @@ func FindVolumeMountPointClose(findVolumeMountPoint Handle) (err error) {
 	return
 }
 
+func FlushConsoleInputBuffer(console Handle) (err error) {
+	r1, _, e1 := syscall.SyscallN(procFlushConsoleInputBuffer.Addr(), uintptr(console))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func FlushFileBuffers(handle Handle) (err error) {
 	r1, _, e1 := syscall.SyscallN(procFlushFileBuffers.Addr(), uintptr(handle))
 	if r1 == 0 {
@@ -2481,6 +2528,14 @@ func GetNamedPipeServerProcessId(pipe Handle, serverProcessID *uint32) (err erro
 	return
 }
 
+func GetNumberOfConsoleInputEvents(console Handle, numevents *uint32) (err error) {
+	r1, _, e1 := syscall.SyscallN(procGetNumberOfConsoleInputEvents.Addr(), uintptr(console), uintptr(unsafe.Pointer(numevents)))
+	if r1 == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
 func GetOverlappedResult(handle Handle, overlapped *Overlapped, done *uint32, wait bool) (err error) {
 	var _p0 uint32
 	if wait {
diff --git a/vendor/golang.org/x/term/terminal.go b/vendor/golang.org/x/term/terminal.go
index bddb2e2ae..9255449b9 100644
--- a/vendor/golang.org/x/term/terminal.go
+++ b/vendor/golang.org/x/term/terminal.go
@@ -413,7 +413,7 @@ func (t *Terminal) eraseNPreviousChars(n int) {
 	}
 }
 
-// countToLeftWord returns then number of characters from the cursor to the
+// countToLeftWord returns the number of characters from the cursor to the
 // start of the previous word.
 func (t *Terminal) countToLeftWord() int {
 	if t.pos == 0 {
@@ -438,7 +438,7 @@ func (t *Terminal) countToLeftWord() int {
 	return t.pos - pos
 }
 
-// countToRightWord returns then number of characters from the cursor to the
+// countToRightWord returns the number of characters from the cursor to the
 // start of the next word.
 func (t *Terminal) countToRightWord() int {
 	pos := t.pos
@@ -478,7 +478,7 @@ func visualLength(runes []rune) int {
 	return length
 }
 
-// histroryAt unlocks the terminal and relocks it while calling History.At.
+// historyAt unlocks the terminal and relocks it while calling History.At.
 func (t *Terminal) historyAt(idx int) (string, bool) {
 	t.lock.Unlock()     // Unlock to avoid deadlock if History methods use the output writer.
 	defer t.lock.Lock() // panic in At (or Len) protection.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index bf2ccec24..0c56b43e5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -338,8 +338,8 @@ github.com/xanzy/ssh-agent
 # github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778
 ## explicit; go 1.15
 github.com/xo/terminfo
-# golang.org/x/crypto v0.37.0
-## explicit; go 1.23.0
+# golang.org/x/crypto v0.45.0
+## explicit; go 1.24.0
 golang.org/x/crypto/argon2
 golang.org/x/crypto/blake2b
 golang.org/x/crypto/blowfish
@@ -360,25 +360,25 @@ golang.org/x/crypto/ssh/knownhosts
 ## explicit; go 1.20
 golang.org/x/exp/constraints
 golang.org/x/exp/slices
-# golang.org/x/net v0.39.0
-## explicit; go 1.23.0
+# golang.org/x/net v0.47.0
+## explicit; go 1.24.0
 golang.org/x/net/context
 golang.org/x/net/internal/socks
 golang.org/x/net/proxy
-# golang.org/x/sync v0.17.0
+# golang.org/x/sync v0.18.0
 ## explicit; go 1.24.0
 golang.org/x/sync/errgroup
-# golang.org/x/sys v0.36.0
+# golang.org/x/sys v0.38.0
 ## explicit; go 1.24.0
 golang.org/x/sys/cpu
 golang.org/x/sys/execabs
 golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
-# golang.org/x/term v0.35.0
+# golang.org/x/term v0.37.0
 ## explicit; go 1.24.0
 golang.org/x/term
-# golang.org/x/text v0.29.0
+# golang.org/x/text v0.31.0
 ## explicit; go 1.24.0
 golang.org/x/text/encoding
 golang.org/x/text/encoding/internal/identifier