patches/0002-Vendor-crypto-backends.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Quim Muntal <qmuntaldiaz@microsoft.com>
Date: Mon, 23 May 2022 12:59:36 +0000
Subject: [PATCH] Vendor crypto backends

To reproduce changes in 'src/vendor', run 'go mod vendor' in 'src'.
Use a 'go' that was recently built by the current branch to ensure stable results.
---
 src/crypto/internal/backend/deps_ignore.go    |  22 +
 src/go.mod                                    |   6 +
 src/go.sum                                    |   6 +
 src/go/build/deps_test.go                     |  17 +-
 src/go/build/vendor_test.go                   |   3 +
 .../golang-fips/openssl/v2/.gitignore         |   1 +
 .../golang-fips/openssl/v2/.gitleaks.toml     |   9 +
 .../github.com/golang-fips/openssl/v2/LICENSE |  20 +
 .../golang-fips/openssl/v2/README.md          |  66 ++
 .../github.com/golang-fips/openssl/v2/aes.go  | 147 ++++
 .../golang-fips/openssl/v2/bbig/big.go        |  37 +
 .../github.com/golang-fips/openssl/v2/big.go  |  11 +
 .../golang-fips/openssl/v2/cgo_go124.go       |  18 +
 .../golang-fips/openssl/v2/cipher.go          | 569 ++++++++++++++
 .../github.com/golang-fips/openssl/v2/des.go  | 114 +++
 .../github.com/golang-fips/openssl/v2/dsa.go  | 323 ++++++++
 .../github.com/golang-fips/openssl/v2/ec.go   |  68 ++
 .../github.com/golang-fips/openssl/v2/ecdh.go | 303 ++++++++
 .../golang-fips/openssl/v2/ecdsa.go           | 208 +++++
 .../golang-fips/openssl/v2/ed25519.go         | 228 ++++++
 .../github.com/golang-fips/openssl/v2/evp.go  | 580 ++++++++++++++
 .../golang-fips/openssl/v2/goopenssl.c        | 248 ++++++
 .../golang-fips/openssl/v2/goopenssl.h        | 261 +++++++
 .../github.com/golang-fips/openssl/v2/hash.go | 714 ++++++++++++++++++
 .../github.com/golang-fips/openssl/v2/hkdf.go | 322 ++++++++
 .../github.com/golang-fips/openssl/v2/hmac.go | 274 +++++++
 .../github.com/golang-fips/openssl/v2/init.go |  64 ++
 .../golang-fips/openssl/v2/init_unix.go       |  31 +
 .../golang-fips/openssl/v2/init_windows.go    |  36 +
 .../golang-fips/openssl/v2/openssl.go         | 506 +++++++++++++
 .../golang-fips/openssl/v2/params.go          | 210 ++++++
 .../golang-fips/openssl/v2/pbkdf2.go          |  62 ++
 .../golang-fips/openssl/v2/port_dsa.c         |  85 +++
 .../github.com/golang-fips/openssl/v2/rand.go |  20 +
 .../github.com/golang-fips/openssl/v2/rc4.go  |  66 ++
 .../github.com/golang-fips/openssl/v2/rsa.go  | 408 ++++++++++
 .../github.com/golang-fips/openssl/v2/shims.h | 413 ++++++++++
 .../golang-fips/openssl/v2/thread_setup.go    |  14 +
 .../golang-fips/openssl/v2/thread_setup.h     |   4 +
 .../openssl/v2/thread_setup_unix.c            |  64 ++
 .../openssl/v2/thread_setup_windows.c         |  64 ++
 .../golang-fips/openssl/v2/tls1prf.go         | 160 ++++
 .../github.com/golang-fips/openssl/v2/zaes.go |  86 +++
 .../microsoft/go-crypto-darwin/LICENSE        |  21 +
 .../microsoft/go-crypto-darwin/bbig/big.go    |  31 +
 .../internal/cryptokit/CryptoKit.o            | Bin 0 -> 100952 bytes
 .../internal/cryptokit/cryptokit.go           |  34 +
 .../internal/cryptokit/cryptokit.h            |  43 ++
 .../internal/cryptokit/ed25519.go             |  72 ++
 .../internal/cryptokit/gcm.go                 |  36 +
 .../internal/cryptokit/hkdf.go                |  77 ++
 .../microsoft/go-crypto-darwin/xcrypto/aes.go | 306 ++++++++
 .../microsoft/go-crypto-darwin/xcrypto/big.go |  16 +
 .../go-crypto-darwin/xcrypto/cgo_go124.go     |  21 +
 .../go-crypto-darwin/xcrypto/cipher.go        | 122 +++
 .../microsoft/go-crypto-darwin/xcrypto/des.go | 117 +++
 .../microsoft/go-crypto-darwin/xcrypto/ec.go  |  32 +
 .../go-crypto-darwin/xcrypto/ecdh.go          | 135 ++++
 .../go-crypto-darwin/xcrypto/ecdsa.go         | 181 +++++
 .../go-crypto-darwin/xcrypto/ed25519.go       | 100 +++
 .../microsoft/go-crypto-darwin/xcrypto/evp.go | 338 +++++++++
 .../go-crypto-darwin/xcrypto/hash.go          | 403 ++++++++++
 .../go-crypto-darwin/xcrypto/hkdf.go          |  66 ++
 .../go-crypto-darwin/xcrypto/hmac.go          | 113 +++
 .../go-crypto-darwin/xcrypto/pbkdf2.go        |  65 ++
 .../go-crypto-darwin/xcrypto/rand.go          |  26 +
 .../microsoft/go-crypto-darwin/xcrypto/rc4.go |  83 ++
 .../microsoft/go-crypto-darwin/xcrypto/rsa.go | 194 +++++
 .../go-crypto-darwin/xcrypto/xcrypto.go       |  59 ++
 .../microsoft/go-crypto-winnative/LICENSE     |  21 +
 .../microsoft/go-crypto-winnative/cng/aes.go  | 393 ++++++++++
 .../go-crypto-winnative/cng/bbig/big.go       |  31 +
 .../microsoft/go-crypto-winnative/cng/big.go  |  30 +
 .../go-crypto-winnative/cng/cipher.go         |  52 ++
 .../microsoft/go-crypto-winnative/cng/cng.go  | 131 ++++
 .../microsoft/go-crypto-winnative/cng/des.go  | 106 +++
 .../microsoft/go-crypto-winnative/cng/dsa.go  | 465 ++++++++++++
 .../microsoft/go-crypto-winnative/cng/ecdh.go | 255 +++++++
 .../go-crypto-winnative/cng/ecdsa.go          | 169 +++++
 .../microsoft/go-crypto-winnative/cng/hash.go | 325 ++++++++
 .../microsoft/go-crypto-winnative/cng/hkdf.go | 124 +++
 .../microsoft/go-crypto-winnative/cng/hmac.go |  35 +
 .../microsoft/go-crypto-winnative/cng/keys.go | 220 ++++++
 .../go-crypto-winnative/cng/pbkdf2.go         |  70 ++
 .../microsoft/go-crypto-winnative/cng/rand.go |  28 +
 .../microsoft/go-crypto-winnative/cng/rc4.go  |  65 ++
 .../microsoft/go-crypto-winnative/cng/rsa.go  | 396 ++++++++++
 .../microsoft/go-crypto-winnative/cng/sha3.go | 311 ++++++++
 .../go-crypto-winnative/cng/tls1prf.go        |  88 +++
 .../internal/bcrypt/bcrypt_windows.go         | 368 +++++++++
 .../internal/bcrypt/ntstatus_windows.go       |  45 ++
 .../internal/bcrypt/zsyscall_windows.go       | 412 ++++++++++
 .../internal/subtle/aliasing.go               |  32 +
 .../internal/sysdll/sys_windows.go            |  55 ++
 src/vendor/modules.txt                        |  16 +
 95 files changed, 13799 insertions(+), 3 deletions(-)
 create mode 100644 src/crypto/internal/backend/deps_ignore.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitignore
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/LICENSE
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/README.md
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/aes.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/bbig/big.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/big.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/cgo_go124.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/cipher.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/des.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/dsa.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/ec.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/ecdh.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/ecdsa.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/ed25519.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/evp.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/goopenssl.c
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/hash.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/hkdf.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/hmac.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/init.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/init_unix.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/init_windows.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/openssl.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/params.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/pbkdf2.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/port_dsa.c
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/rand.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/rc4.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/rsa.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/shims.h
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/thread_setup.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/thread_setup.h
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/thread_setup_unix.c
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/thread_setup_windows.c
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/tls1prf.go
 create mode 100644 src/vendor/github.com/golang-fips/openssl/v2/zaes.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/LICENSE
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/bbig/big.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/CryptoKit.o
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.h
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/ed25519.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/gcm.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/hkdf.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/big.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cgo_go124.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cipher.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/des.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ec.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ecdh.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ecdsa.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ed25519.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/evp.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hkdf.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hmac.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/pbkdf2.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rand.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rc4.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rsa.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/xcrypto.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/LICENSE
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/bbig/big.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/big.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/cipher.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/cng.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/dsa.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/ecdh.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/ecdsa.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/hkdf.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/hmac.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/keys.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/pbkdf2.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/rand.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/rc4.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/rsa.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/sha3.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/cng/tls1prf.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/bcrypt_windows.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/ntstatus_windows.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/zsyscall_windows.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/internal/subtle/aliasing.go
 create mode 100644 src/vendor/github.com/microsoft/go-crypto-winnative/internal/sysdll/sys_windows.go

diff --git a/src/crypto/internal/backend/deps_ignore.go b/src/crypto/internal/backend/deps_ignore.go
new file mode 100644
index 00000000000000..ae4055d2d71303
--- /dev/null
+++ b/src/crypto/internal/backend/deps_ignore.go
@@ -0,0 +1,22 @@
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build ms_ignore_backend_deps
+
+package main
+
+import (
+	_ "github.com/golang-fips/openssl/v2"
+	_ "github.com/golang-fips/openssl/v2/bbig"
+
+	_ "github.com/microsoft/go-crypto-darwin/bbig"
+	_ "github.com/microsoft/go-crypto-darwin/xcrypto"
+
+	_ "github.com/microsoft/go-crypto-winnative/cng"
+	_ "github.com/microsoft/go-crypto-winnative/cng/bbig"
+)
+
+// This file is here just to declare the external dependencies
+// that are used by the backend package. This allows to track
+// their versions in a single patch file.
diff --git a/src/go.mod b/src/go.mod
index 7a1318dcac32ba..a59c5f120e7dfb 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -11,3 +11,9 @@ require (
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 )
+
+require (
+	github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6
+	github.com/microsoft/go-crypto-darwin v0.0.2-0.20250116101429-467bd63a2d67
+	github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70
+)
diff --git a/src/go.sum b/src/go.sum
index 9e661352f16e0b..b4273d691cbe36 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -1,3 +1,9 @@
+github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6 h1:FFp7Q2AwYX+IQhhQt3ljQDdWtG5ZbRu0u3ohWQdFow8=
+github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6/go.mod h1:OYUBsoxLpFu8OFyhZHxfpN8lgcsw8JhTC3BQK7+XUc0=
+github.com/microsoft/go-crypto-darwin v0.0.2-0.20250116101429-467bd63a2d67 h1:SI0IFiHducwfamZR7pv6jb92oc5o/z5tn66wynS6ADE=
+github.com/microsoft/go-crypto-darwin v0.0.2-0.20250116101429-467bd63a2d67/go.mod h1:LyP4oZ0QcysEJdqUTOk9ngNFArRFK94YRImkoJ8julQ=
+github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70 h1:97wOagHu7OExwU929NjuPIlUEUaFIQtffQMaVj0mR5E=
+github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70/go.mod h1:JkxQeL8dGcyCuKjn1Etz4NmQrOMImMy4BA9hptEfVFA=
 golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
 golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/net v0.32.1-0.20241206180132-552d8ac903a1 h1:+Yk1FZ5E+/ewA0nOO/HRYs9E4yeqpGOShuSAdzCNNoQ=
diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go
index e3e01077c18b17..e017efb1562379 100644
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@@ -503,7 +503,7 @@ var depsRules = `
 	NONE < crypto/internal/boring/sig, crypto/internal/boring/syso;
 	sync/atomic < crypto/internal/boring/bcache;
 
-	FIPS, internal/godebug, hash, embed,
+	FIPS, internal/godebug, hash, embed, encoding/binary,
 	crypto/internal/boring/sig,
 	crypto/internal/boring/syso,
 	crypto/internal/boring/bcache
@@ -513,6 +513,14 @@ var depsRules = `
 	< crypto/sha3
 	< crypto/internal/fips140hash
 	< crypto/cipher
+	< github.com/golang-fips/openssl/v2/internal/subtle
+	< github.com/golang-fips/openssl/v2
+	< github.com/microsoft/go-crypto-darwin/internal/cryptokit
+	< github.com/microsoft/go-crypto-darwin/xcrypto
+	< github.com/microsoft/go-crypto-winnative/internal/subtle
+	< github.com/microsoft/go-crypto-winnative/internal/sysdll
+	< github.com/microsoft/go-crypto-winnative/internal/bcrypt
+	< github.com/microsoft/go-crypto-winnative/cng
 	< crypto/internal/boring
 	< crypto/boring
 	< crypto/aes,
@@ -534,6 +542,9 @@ var depsRules = `
 	# CRYPTO-MATH is crypto that exposes math/big APIs - no cgo, net; fmt now ok.
 
 	CRYPTO, FMT, math/big
+	< github.com/golang-fips/openssl/v2/bbig
+	< github.com/microsoft/go-crypto-darwin/bbig
+	< github.com/microsoft/go-crypto-winnative/cng/bbig
 	< crypto/internal/boring/bbig
 	< crypto/rand
 	< crypto/ed25519 # depends on crypto/rand.Reader
@@ -837,7 +848,7 @@ var buildIgnore = []byte("\n//go:build ignore")
 
 func findImports(pkg string) ([]string, error) {
 	vpkg := pkg
-	if strings.HasPrefix(pkg, "golang.org") {
+	if strings.HasPrefix(pkg, "golang.org") || strings.HasPrefix(pkg, "github.com") {
 		vpkg = "vendor/" + pkg
 	}
 	dir := filepath.Join(Default.GOROOT, "src", vpkg)
@@ -847,7 +858,7 @@ func findImports(pkg string) ([]string, error) {
 	}
 	var imports []string
 	var haveImport = map[string]bool{}
-	if pkg == "crypto/internal/boring" {
+	if pkg == "crypto/internal/boring" || pkg == "github.com/golang-fips/openssl/v2" || strings.HasPrefix(pkg, "github.com/microsoft/go-crypto-darwin") {
 		haveImport["C"] = true // kludge: prevent C from appearing in crypto/internal/boring imports
 	}
 	fset := token.NewFileSet()
diff --git a/src/go/build/vendor_test.go b/src/go/build/vendor_test.go
index 7f6237ffd59c11..6092c93d4c5b26 100644
--- a/src/go/build/vendor_test.go
+++ b/src/go/build/vendor_test.go
@@ -22,6 +22,9 @@ var allowedPackagePrefixes = []string{
 	"github.com/google/pprof",
 	"github.com/ianlancetaylor/demangle",
 	"rsc.io/markdown",
+	"github.com/golang-fips/openssl",
+	"github.com/microsoft/go-crypto-winnative",
+	"github.com/microsoft/go-crypto-darwin",
 }
 
 // Verify that the vendor directories contain only packages matching the list above.
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/.gitignore b/src/vendor/github.com/golang-fips/openssl/v2/.gitignore
new file mode 100644
index 00000000000000..79b5594df7fa29
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/.gitignore
@@ -0,0 +1 @@
+**/.DS_Store
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml b/src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml
new file mode 100644
index 00000000000000..aed2e22df2d555
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/.gitleaks.toml
@@ -0,0 +1,9 @@
+#
+# GitLeaks Repo Specific Configuration
+#
+# This allowlist is used to ignore false positives during secret scans.
+
+[allowlist]
+paths = [
+      'ecdh_test.go',
+]
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/LICENSE b/src/vendor/github.com/golang-fips/openssl/v2/LICENSE
new file mode 100644
index 00000000000000..97e85154015761
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/LICENSE
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 The Golang FIPS Authors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/README.md b/src/vendor/github.com/golang-fips/openssl/v2/README.md
new file mode 100644
index 00000000000000..1bfbaf60f4dd58
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/README.md
@@ -0,0 +1,66 @@
+# Go OpenSSL bindings for FIPS compliance
+
+[![Go Reference](https://pkg.go.dev/badge/github.com/golang-fips/openssl.svg)](https://pkg.go.dev/github.com/golang-fips/openssl)
+
+The `openssl` package implements Go crypto primitives using OpenSSL shared libraries and cgo. When configured correctly, OpenSSL can be executed in FIPS mode, making the `openssl` package FIPS compliant.
+
+The `openssl` package is designed to be used as a drop-in replacement for the [boring](https://pkg.go.dev/crypto/internal/boring) package in order to facilitate integrating `openssl` inside a forked Go toolchain.
+
+## Disclaimer
+
+A program directly or indirectly using this package in FIPS mode can claim it is using a FIPS-certified cryptographic module (OpenSSL), but it can't claim the program as a whole is FIPS certified without passing the certification process, nor claim it is FIPS compliant without ensuring all crypto APIs and workflows are implemented in a FIPS-compliant manner.
+
+## Background
+
+FIPS 140-2 is a U.S. government computer security standard used to approve cryptographic modules. FIPS compliance may come up when working with U.S. government and other regulated industries.
+
+### Go FIPS compliance
+
+The Go `crypto` package is not FIPS certified, and the Go team has stated that it won't be, e.g. in [golang/go/issues/21734](https://github.com/golang/go/issues/21734#issuecomment-326980213) Adam Langley says:
+
+> The status of FIPS 140 for Go itself remains "no plans, basically zero chance".
+
+On the other hand, Google maintains a branch that uses cgo and BoringSSL to implement various crypto primitives: https://github.com/golang/go/blob/dev.boringcrypto/README.boringcrypto.md. As BoringSSL is FIPS 140-2 certified, an application using that branch is more likely to be FIPS 140-2 compliant, yet Google does not provide any liability about the suitability of this code in relation to the FIPS 140-2 standard.
+
+## Features
+
+### Multiple OpenSSL versions supported
+
+The `openssl` package has support for multiple OpenSSL versions, namely 1.0.2, 1.1.0, 1.1.1 and 3.x.
+
+All supported OpenSSL versions pass a small set of automatic tests that ensure they can be built and that there are no major regressions.
+These tests do not validate the cryptographic correctness of the `openssl` package.
+
+On top of that, the [golang-fips Go fork](https://github.com/golang-fips/go) -maintained by Red Hat- and the [Microsoft Go fork](https://github.com/microsoft/go), tests a subset of the supported OpenSSL versions when integrated with the Go `crypto` package.
+These tests are much more exhaustive and validate a specific OpenSSL version can produce working applications.
+
+### Building without OpenSSL headers
+
+The `openssl` package does not use any symbol from the OpenSSL headers. There is no need that have them installed to build an application which imports this library.
+
+The CI tests in this repository verify that all the functions and constants defined in our headers match the ones in the OpenSSL headers for every supported OpenSSL version.
+
+### Portable OpenSSL
+
+The OpenSSL bindings are implemented in such a way that the OpenSSL version available when building a program does not have to match with the OpenSSL version used when running it.
+In fact, OpenSSL doesn't need to be present on the builder.
+For example, using the `openssl` package and `go build .` on a Windows host with `GOOS=linux` can produce a program that successfully runs on Linux and uses OpenSSL.
+
+This feature does not require any additional configuration, but it only works with OpenSSL versions known and supported by the Go toolchain that integrates the `openssl` package.
+
+## Limitations
+
+- Only Unix, Unix-like and Windows platforms are supported.
+- The build must set `CGO_ENABLED=1`.
+
+## Acknowledgements
+
+The work done to support FIPS compatibility mode leverages code and ideas from other open-source projects:
+
+- All crypto stubs are a mirror of Google's [dev.boringcrypto branch](https://github.com/golang/go/tree/dev.boringcrypto) and the release branch ports of that branch.
+- The mapping between BoringSSL and OpenSSL APIs is taken from the former [Red Hat Go fork](https://pagure.io/go).
+- The portable OpenSSL implementation is ported from Microsoft's [.NET runtime](https://github.com/dotnet/runtime) cryptography module.
+
+## Code of Conduct
+
+This project adopts the Go code of conduct: https://go.dev/conduct.
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/aes.go b/src/vendor/github.com/golang-fips/openssl/v2/aes.go
new file mode 100644
index 00000000000000..18bb070a2e5bda
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/aes.go
@@ -0,0 +1,147 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"crypto/cipher"
+	"errors"
+)
+
+//go:generate go run github.com/golang-fips/openssl/v2/cmd/genaesmodes -in aes.go -modes CBC,CTR,GCM -out zaes.go
+//go:generate go run github.com/golang-fips/openssl/v2/cmd/gentestvectors -out vectors_test.go
+
+// Steps to support a new AES mode, e.g. `FOO`:
+// 1. Add `FOO` to the list of modes in the `genaesmodes` command.
+// 2. Run `go generate` to update the generated code.
+// 3. Implement the necessary interfaces for the new struct, which will be named `cipherWithFOO`.
+
+// NewAESCipher creates and returns a new AES cipher.Block.
+// The key argument should be the AES key, either 16, 24, or 32 bytes to select
+// AES-128, AES-192, or AES-256.
+// The returned cipher.Block implements the CBC, CTR, and/or GCM modes if
+// the underlying OpenSSL library supports them.
+func NewAESCipher(key []byte) (cipher.Block, error) {
+	var kind cipherKind
+	switch len(key) * 8 {
+	case 128:
+		kind = cipherAES128
+	case 192:
+		kind = cipherAES192
+	case 256:
+		kind = cipherAES256
+	default:
+		return nil, errors.New("crypto/aes: invalid key size")
+	}
+	c, err := newEVPCipher(key, kind)
+	if err != nil {
+		return nil, err
+	}
+	return newAESBlock(c, kind), nil
+}
+
+// NewGCMTLS returns a GCM cipher specific to TLS
+// and should not be used for non-TLS purposes.
+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
+	if c, ok := c.(interface {
+		NewGCMTLS() (cipher.AEAD, error)
+	}); ok {
+		return c.NewGCMTLS()
+	}
+	return nil, errors.New("GCM not supported")
+}
+
+// NewGCMTLS13 returns a GCM cipher specific to TLS 1.3 and should not be used
+// for non-TLS purposes.
+func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) {
+	if c, ok := c.(interface {
+		NewGCMTLS13() (cipher.AEAD, error)
+	}); ok {
+		return c.NewGCMTLS13()
+	}
+	return nil, errors.New("GCM not supported")
+}
+
+// aesCipher implements the cipher.Block interface.
+type aesCipher struct {
+	cipher *evpCipher
+}
+
+func (c aesCipher) BlockSize() int {
+	return c.cipher.blockSize
+}
+
+func (c aesCipher) Encrypt(dst, src []byte) {
+	if err := c.cipher.encrypt(dst, src); err != nil {
+		// crypto/aes expects that the panic message starts with "crypto/aes: ".
+		panic("crypto/aes: " + err.Error())
+	}
+}
+
+func (c aesCipher) Decrypt(dst, src []byte) {
+	if err := c.cipher.decrypt(dst, src); err != nil {
+		// crypto/aes expects that the panic message starts with "crypto/aes: ".
+		panic("crypto/aes: " + err.Error())
+	}
+}
+
+// Implement optional interfaces for AES modes.
+
+func (c cipherWithCBC) NewCBCEncrypter(iv []byte) cipher.BlockMode {
+	return c.cipher.newCBC(iv, cipherOpEncrypt)
+}
+
+func (c cipherWithCBC) NewCBCDecrypter(iv []byte) cipher.BlockMode {
+	return c.cipher.newCBC(iv, cipherOpDecrypt)
+}
+
+func (c cipherWithCTR) NewCTR(iv []byte) cipher.Stream {
+	return c.cipher.newCTR(iv)
+}
+
+func (c cipherWithGCM) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
+	return c.cipher.newGCMChecked(nonceSize, tagSize)
+}
+
+func (c cipherWithGCM) NewGCMTLS() (cipher.AEAD, error) {
+	return c.cipher.newGCM(cipherGCMTLS12)
+}
+
+func (c cipherWithGCM) NewGCMTLS13() (cipher.AEAD, error) {
+	return c.cipher.newGCM(cipherGCMTLS13)
+}
+
+// The following interfaces have been copied out of crypto/aes/modes.go.
+
+type gcmAble interface {
+	NewGCM(nonceSize, tagSize int) (cipher.AEAD, error)
+}
+
+type cbcEncAble interface {
+	NewCBCEncrypter(iv []byte) cipher.BlockMode
+}
+
+type cbcDecAble interface {
+	NewCBCDecrypter(iv []byte) cipher.BlockMode
+}
+
+type ctrAble interface {
+	NewCTR(iv []byte) cipher.Stream
+}
+
+// Test that the interfaces are implemented.
+
+var (
+	_ cipher.Block = (*aesCipher)(nil)
+
+	_ cipher.Block = (*cipherWithCBC)(nil)
+	_ cbcEncAble   = (*cipherWithCBC)(nil)
+	_ cbcDecAble   = (*cipherWithCBC)(nil)
+
+	_ cipher.Block = (*cipherWithCTR)(nil)
+	_ ctrAble      = (*cipherWithCTR)(nil)
+
+	_ cipher.Block = (*cipherWithGCM)(nil)
+	_ gcmAble      = (*cipherWithGCM)(nil)
+)
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/bbig/big.go b/src/vendor/github.com/golang-fips/openssl/v2/bbig/big.go
new file mode 100644
index 00000000000000..a81cbdbef93148
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/bbig/big.go
@@ -0,0 +1,37 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// This is a mirror of
+// https://github.com/golang/go/blob/36b87f273cc43e21685179dc1664ebb5493d26ae/src/crypto/internal/boring/bbig/big.go.
+
+package bbig
+
+import (
+	"math/big"
+	"unsafe"
+
+	"github.com/golang-fips/openssl/v2"
+)
+
+func Enc(b *big.Int) openssl.BigInt {
+	if b == nil {
+		return nil
+	}
+	x := b.Bits()
+	if len(x) == 0 {
+		return openssl.BigInt{}
+	}
+	return unsafe.Slice((*uint)(&x[0]), len(x))
+}
+
+func Dec(b openssl.BigInt) *big.Int {
+	if b == nil {
+		return nil
+	}
+	if len(b) == 0 {
+		return new(big.Int)
+	}
+	x := unsafe.Slice((*big.Word)(&b[0]), len(b))
+	return new(big.Int).SetBits(x)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/big.go b/src/vendor/github.com/golang-fips/openssl/v2/big.go
new file mode 100644
index 00000000000000..6461f241f863fc
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/big.go
@@ -0,0 +1,11 @@
+package openssl
+
+// This file does not have build constraints to
+// facilitate using BigInt in Go crypto.
+// Go crypto references BigInt unconditionally,
+// even if it is not finally used.
+
+// A BigInt is the raw words from a BigInt.
+// This definition allows us to avoid importing math/big.
+// Conversion between BigInt and *big.Int is in openssl/bbig.
+type BigInt []uint
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/cgo_go124.go b/src/vendor/github.com/golang-fips/openssl/v2/cgo_go124.go
new file mode 100644
index 00000000000000..933a751873dd05
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/cgo_go124.go
@@ -0,0 +1,18 @@
+//go:build go1.24 && !cmd_go_bootstrap
+
+package openssl
+
+// The following noescape and nocallback directives are used to prevent the Go
+// compiler from allocating function parameters on the heap. See
+// https://github.com/golang/go/blob/0733682e5ff4cd294f5eccb31cbe87a543147bc6/src/cmd/cgo/doc.go#L439-L461
+//
+// If possible, write a C wrapper function to optimize a call rather than using
+// this feature so the optimization will work for all supported Go versions.
+//
+// This is just a performance optimization. Only add functions that have been
+// observed to benefit from these directives, not every function that is merely
+// expected to meet the noescape/nocallback criteria.
+
+// #cgo noescape go_openssl_RAND_bytes
+// #cgo nocallback go_openssl_RAND_bytes
+import "C"
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/cipher.go b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
new file mode 100644
index 00000000000000..72f7aebfc130e7
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/cipher.go
@@ -0,0 +1,569 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+
+import (
+	"crypto/cipher"
+	"encoding/binary"
+	"errors"
+	"runtime"
+	"strconv"
+	"sync"
+	"unsafe"
+)
+
+type cipherKind int8
+
+const (
+	cipherAES128 cipherKind = iota
+	cipherAES192
+	cipherAES256
+	cipherDES
+	cipherDES3
+	cipherRC4
+)
+
+func (c cipherKind) String() string {
+	switch c {
+	case cipherAES128:
+		return "AES-128"
+	case cipherAES192:
+		return "AES-192"
+	case cipherAES256:
+		return "AES-256"
+	case cipherDES:
+		return "DES"
+	case cipherDES3:
+		return "DES3"
+	case cipherRC4:
+		return "RC4"
+	default:
+		panic("unknown cipher kind: " + strconv.Itoa(int(c)))
+	}
+}
+
+type cipherMode int8
+
+const (
+	cipherModeNone cipherMode = -1
+	cipherModeECB  cipherMode = iota
+	cipherModeCBC
+	cipherModeCTR
+	cipherModeGCM
+)
+
+// cipherOp is the allowed operations for a cipher,
+// as documented in [EVP_CipherInit_ex].
+//
+// [EVP_CipherInit_ex]: https://www.openssl.org/docs/man3.0/man3/EVP_CipherInit_ex.html
+type cipherOp int8
+
+const (
+	cipherOpNone    cipherOp = -1 // leaves the value of the previous call, if any.
+	cipherOpDecrypt cipherOp = 0
+	cipherOpEncrypt cipherOp = 1
+)
+
+// cacheCipher is a cache of cipherKind to GO_EVP_CIPHER_PTR.
+var cacheCipher sync.Map
+
+type cacheCipherKey struct {
+	kind cipherKind
+	mode cipherMode
+}
+
+// loadCipher returns a cipher object for the given k.
+func loadCipher(k cipherKind, mode cipherMode) (cipher C.GO_EVP_CIPHER_PTR) {
+	if v, ok := cacheCipher.Load(cacheCipherKey{k, mode}); ok {
+		return v.(C.GO_EVP_CIPHER_PTR)
+	}
+	defer func() {
+		if cipher != nil && vMajor == 3 {
+			// On OpenSSL 3, directly operating on a EVP_CIPHER object
+			// not created by EVP_CIPHER has negative performance
+			// implications, as cipher operations will have
+			// to fetch it on every call. Better to just fetch it once here.
+			cipher = C.go_openssl_EVP_CIPHER_fetch(nil, C.go_openssl_EVP_CIPHER_get0_name(cipher), nil)
+		}
+		cacheCipher.Store(cacheCipherKey{k, mode}, cipher)
+	}()
+	switch k {
+	case cipherAES128:
+		switch mode {
+		case cipherModeECB:
+			cipher = C.go_openssl_EVP_aes_128_ecb()
+		case cipherModeCBC:
+			cipher = C.go_openssl_EVP_aes_128_cbc()
+		case cipherModeCTR:
+			cipher = C.go_openssl_EVP_aes_128_ctr()
+		case cipherModeGCM:
+			cipher = C.go_openssl_EVP_aes_128_gcm()
+		}
+	case cipherAES192:
+		switch mode {
+		case cipherModeECB:
+			cipher = C.go_openssl_EVP_aes_192_ecb()
+		case cipherModeCBC:
+			cipher = C.go_openssl_EVP_aes_192_cbc()
+		case cipherModeCTR:
+			cipher = C.go_openssl_EVP_aes_192_ctr()
+		case cipherModeGCM:
+			cipher = C.go_openssl_EVP_aes_192_gcm()
+		}
+	case cipherAES256:
+		switch mode {
+		case cipherModeECB:
+			cipher = C.go_openssl_EVP_aes_256_ecb()
+		case cipherModeCBC:
+			cipher = C.go_openssl_EVP_aes_256_cbc()
+		case cipherModeCTR:
+			cipher = C.go_openssl_EVP_aes_256_ctr()
+		case cipherModeGCM:
+			cipher = C.go_openssl_EVP_aes_256_gcm()
+		}
+	case cipherDES:
+		switch mode {
+		case cipherModeECB:
+			cipher = C.go_openssl_EVP_des_ecb()
+		case cipherModeCBC:
+			cipher = C.go_openssl_EVP_des_cbc()
+		}
+	case cipherDES3:
+		switch mode {
+		case cipherModeECB:
+			cipher = C.go_openssl_EVP_des_ede3_ecb()
+		case cipherModeCBC:
+			cipher = C.go_openssl_EVP_des_ede3_cbc()
+		}
+	case cipherRC4:
+		cipher = C.go_openssl_EVP_rc4()
+	}
+	return cipher
+}
+
+type evpCipher struct {
+	key       []byte
+	kind      cipherKind
+	blockSize int
+}
+
+func newEVPCipher(key []byte, kind cipherKind) (*evpCipher, error) {
+	cipher := loadCipher(kind, cipherModeECB)
+	if cipher == nil {
+		return nil, errors.New("crypto/cipher: unsupported cipher: " + kind.String())
+	}
+	c := &evpCipher{key: make([]byte, len(key)), kind: kind}
+	copy(c.key, key)
+	c.blockSize = int(C.go_openssl_EVP_CIPHER_get_block_size(cipher))
+	return c, nil
+}
+
+func (c *evpCipher) encrypt(dst, src []byte) error {
+	if len(src) < c.blockSize {
+		return errors.New("input not full block")
+	}
+	if len(dst) < c.blockSize {
+		return errors.New("output not full block")
+	}
+	// Only check for overlap between the parts of src and dst that will actually be used.
+	// This matches Go standard library behavior.
+	if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) {
+		return errors.New("invalid buffer overlap")
+	}
+	enc_ctx, err := newCipherCtx(c.kind, cipherModeECB, cipherOpEncrypt, c.key, nil)
+	if err != nil {
+		return err
+	}
+	defer C.go_openssl_EVP_CIPHER_CTX_free(enc_ctx)
+
+	if C.go_openssl_EVP_EncryptUpdate_wrapper(enc_ctx, base(dst), base(src), C.int(c.blockSize)) != 1 {
+		return errors.New("EncryptUpdate failed")
+	}
+	runtime.KeepAlive(c)
+	return nil
+}
+
+func (c *evpCipher) decrypt(dst, src []byte) error {
+	if len(src) < c.blockSize {
+		return errors.New("input not full block")
+	}
+	if len(dst) < c.blockSize {
+		return errors.New("output not full block")
+	}
+	// Only check for overlap between the parts of src and dst that will actually be used.
+	// This matches Go standard library behavior.
+	if inexactOverlap(dst[:c.blockSize], src[:c.blockSize]) {
+		return errors.New("invalid buffer overlap")
+	}
+	dec_ctx, err := newCipherCtx(c.kind, cipherModeECB, cipherOpDecrypt, c.key, nil)
+	if err != nil {
+		return err
+	}
+	defer C.go_openssl_EVP_CIPHER_CTX_free(dec_ctx)
+
+	if C.go_openssl_EVP_CIPHER_CTX_set_padding(dec_ctx, 0) != 1 {
+		return errors.New("could not disable cipher padding")
+	}
+
+	C.go_openssl_EVP_DecryptUpdate_wrapper(dec_ctx, base(dst), base(src), C.int(c.blockSize))
+	runtime.KeepAlive(c)
+	return nil
+}
+
+type cipherCBC struct {
+	ctx       C.GO_EVP_CIPHER_CTX_PTR
+	blockSize int
+}
+
+func (c *cipherCBC) finalize() {
+	C.go_openssl_EVP_CIPHER_CTX_free(c.ctx)
+}
+
+func (x *cipherCBC) BlockSize() int { return x.blockSize }
+
+func (x *cipherCBC) CryptBlocks(dst, src []byte) {
+	if inexactOverlap(dst, src) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
+	if len(src)%x.blockSize != 0 {
+		panic("crypto/cipher: input not full blocks")
+	}
+	if len(dst) < len(src) {
+		panic("crypto/cipher: output smaller than input")
+	}
+	if len(src) > 0 {
+		if C.go_openssl_EVP_CipherUpdate_wrapper(x.ctx, base(dst), base(src), C.int(len(src))) != 1 {
+			panic("crypto/cipher: CipherUpdate failed")
+		}
+		runtime.KeepAlive(x)
+	}
+}
+
+func (x *cipherCBC) SetIV(iv []byte) {
+	if len(iv) != x.blockSize {
+		panic("cipher: incorrect length IV")
+	}
+	if C.go_openssl_EVP_CipherInit_ex(x.ctx, nil, nil, nil, base(iv), C.int(cipherOpNone)) != 1 {
+		panic("cipher: unable to initialize EVP cipher ctx")
+	}
+}
+
+func (c *evpCipher) newCBC(iv []byte, op cipherOp) cipher.BlockMode {
+	ctx, err := newCipherCtx(c.kind, cipherModeCBC, op, c.key, iv)
+	if err != nil {
+		panic(err)
+	}
+	x := &cipherCBC{ctx: ctx, blockSize: c.blockSize}
+	runtime.SetFinalizer(x, (*cipherCBC).finalize)
+	if C.go_openssl_EVP_CIPHER_CTX_set_padding(x.ctx, 0) != 1 {
+		panic("cipher: unable to set padding")
+	}
+	return x
+}
+
+type cipherCTR struct {
+	ctx C.GO_EVP_CIPHER_CTX_PTR
+}
+
+func (x *cipherCTR) XORKeyStream(dst, src []byte) {
+	if inexactOverlap(dst, src) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
+	if len(dst) < len(src) {
+		panic("crypto/cipher: output smaller than input")
+	}
+	if len(src) == 0 {
+		return
+	}
+	if C.go_openssl_EVP_EncryptUpdate_wrapper(x.ctx, base(dst), base(src), C.int(len(src))) != 1 {
+		panic("crypto/cipher: EncryptUpdate failed")
+	}
+	runtime.KeepAlive(x)
+}
+
+func (c *evpCipher) newCTR(iv []byte) cipher.Stream {
+	ctx, err := newCipherCtx(c.kind, cipherModeCTR, cipherOpEncrypt, c.key, iv)
+	if err != nil {
+		panic(err)
+	}
+	x := &cipherCTR{ctx: ctx}
+	runtime.SetFinalizer(x, (*cipherCTR).finalize)
+	return x
+}
+
+func (c *cipherCTR) finalize() {
+	C.go_openssl_EVP_CIPHER_CTX_free(c.ctx)
+}
+
+type cipherGCMTLS uint8
+
+const (
+	cipherGCMTLSNone cipherGCMTLS = iota
+	cipherGCMTLS12
+	cipherGCMTLS13
+)
+
+type cipherGCM struct {
+	c   *evpCipher
+	tls cipherGCMTLS
+	// minNextNonce is the minimum value that the next nonce can be, enforced by
+	// all TLS modes.
+	minNextNonce uint64
+	// mask is the nonce mask used in TLS 1.3 mode.
+	mask uint64
+	// maskInitialized is true if mask has been initialized. This happens during
+	// the first Seal. The initialized mask may be 0. Used by TLS 1.3 mode.
+	maskInitialized bool
+	blockSize       int
+}
+
+const (
+	gcmTagSize           = 16
+	gcmStandardNonceSize = 12
+	// TLS 1.2 additional data is constructed as:
+	//
+	//     additional_data = seq_num(8) + TLSCompressed.type(1) + TLSCompressed.version(2) + TLSCompressed.length(2);
+	gcmTls12AddSize = 13
+	// TLS 1.3 additional data is constructed as:
+	//
+	//     additional_data = TLSCiphertext.opaque_type(1) || TLSCiphertext.legacy_record_version(2) || TLSCiphertext.length(2)
+	gcmTls13AddSize      = 5
+	gcmTlsFixedNonceSize = 4
+)
+
+type noGCM struct {
+	*evpCipher
+}
+
+func (g *noGCM) BlockSize() int {
+	return g.blockSize
+}
+
+func (g *noGCM) Encrypt(dst, src []byte) {
+	g.encrypt(dst, src)
+}
+
+func (g *noGCM) Decrypt(dst, src []byte) {
+	g.decrypt(dst, src)
+}
+
+func (c *evpCipher) newGCMChecked(nonceSize, tagSize int) (cipher.AEAD, error) {
+	if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize {
+		return nil, errors.New("crypto/cipher: GCM tag and nonce sizes can't be non-standard at the same time")
+	}
+	// Fall back to standard library for GCM with non-standard nonce or tag size.
+	if nonceSize != gcmStandardNonceSize {
+		return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
+	}
+	if tagSize != gcmTagSize {
+		return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize)
+	}
+	return c.newGCM(cipherGCMTLSNone)
+}
+
+func (c *evpCipher) newGCM(tls cipherGCMTLS) (cipher.AEAD, error) {
+	g := &cipherGCM{c: c, tls: tls, blockSize: c.blockSize}
+	return g, nil
+}
+
+func (g *cipherGCM) NonceSize() int {
+	return gcmStandardNonceSize
+}
+
+func (g *cipherGCM) Overhead() int {
+	return gcmTagSize
+}
+
+func (g *cipherGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+	if len(nonce) != gcmStandardNonceSize {
+		panic("cipher: incorrect nonce length given to GCM")
+	}
+	if uint64(len(plaintext)) > ((1<<32)-2)*uint64(g.blockSize) || len(plaintext)+gcmTagSize < len(plaintext) {
+		panic("cipher: message too large for GCM")
+	}
+	if len(dst)+len(plaintext)+gcmTagSize < len(dst) {
+		panic("cipher: message too large for buffer")
+	}
+	if g.tls != cipherGCMTLSNone {
+		if g.tls == cipherGCMTLS12 && len(additionalData) != gcmTls12AddSize {
+			panic("cipher: incorrect additional data length given to GCM TLS 1.2")
+		} else if g.tls == cipherGCMTLS13 && len(additionalData) != gcmTls13AddSize {
+			panic("cipher: incorrect additional data length given to GCM TLS 1.3")
+		}
+		counter := binary.BigEndian.Uint64(nonce[gcmTlsFixedNonceSize:])
+		if g.tls == cipherGCMTLS13 {
+			// In TLS 1.3, the counter in the nonce has a mask and requires
+			// further decoding.
+			if !g.maskInitialized {
+				// According to TLS 1.3 nonce construction details at
+				// https://tools.ietf.org/html/rfc8446#section-5.3:
+				//
+				//   the first record transmitted under a particular traffic
+				//   key MUST use sequence number 0.
+				//
+				//   The padded sequence number is XORed with [a mask].
+				//
+				//   The resulting quantity (of length iv_length) is used as
+				//   the per-record nonce.
+				//
+				// We need to convert from the given nonce to sequence numbers
+				// to keep track of minNextNonce and enforce the counter
+				// maximum. On the first call, we know counter^mask is 0^mask,
+				// so we can simply store it as the mask.
+				g.mask = counter
+				g.maskInitialized = true
+			}
+			counter ^= g.mask
+		}
+		// BoringCrypto enforces strictly monotonically increasing explicit nonces
+		// and to fail after 2^64 - 1 keys as per FIPS 140-2 IG A.5,
+		// but OpenSSL does not perform this check, so it is implemented here.
+		const maxUint64 = 1<<64 - 1
+		if counter == maxUint64 {
+			panic("cipher: nonce counter must be less than 2^64 - 1")
+		}
+		if counter < g.minNextNonce {
+			panic("cipher: nonce counter must be strictly monotonically increasing")
+		}
+		defer func() {
+			g.minNextNonce = counter + 1
+		}()
+	}
+
+	// Make room in dst to append plaintext+overhead.
+	ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize)
+
+	// Check delayed until now to make sure len(dst) is accurate.
+	if inexactOverlap(out, plaintext) {
+		panic("cipher: invalid buffer overlap")
+	}
+
+	ctx, err := newCipherCtx(g.c.kind, cipherModeGCM, cipherOpNone, g.c.key, nil)
+	if err != nil {
+		panic(err)
+	}
+	defer C.go_openssl_EVP_CIPHER_CTX_free(ctx)
+	// Encrypt additional data.
+	// When sealing a TLS payload, OpenSSL app sets the additional data using
+	// 'EVP_CIPHER_CTX_ctrl(g.ctx, C.EVP_CTRL_AEAD_TLS1_AAD, C.EVP_AEAD_TLS1_AAD_LEN, base(additionalData))'.
+	// This makes the explicit nonce component to monotonically increase on every Seal operation without
+	// relying in the explicit nonce being securely set externally,
+	// and it also gives some interesting speed gains.
+	// Unfortunately we can't use it because Go expects AEAD.Seal to honor the provided nonce.
+	if C.go_openssl_EVP_CIPHER_CTX_seal_wrapper(ctx, base(out), base(nonce),
+		base(plaintext), C.int(len(plaintext)),
+		base(additionalData), C.int(len(additionalData))) != 1 {
+
+		panic(fail("EVP_CIPHER_CTX_seal"))
+	}
+	runtime.KeepAlive(g)
+	return ret
+}
+
+var errOpen = errors.New("cipher: message authentication failed")
+
+func (g *cipherGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+	if len(nonce) != gcmStandardNonceSize {
+		panic("cipher: incorrect nonce length given to GCM")
+	}
+	if len(ciphertext) < gcmTagSize {
+		return nil, errOpen
+	}
+	if uint64(len(ciphertext)) > ((1<<32)-2)*uint64(g.blockSize)+gcmTagSize {
+		return nil, errOpen
+	}
+	// BoringCrypto does not do any TLS check when decrypting, neither do we.
+
+	tag := ciphertext[len(ciphertext)-gcmTagSize:]
+	ciphertext = ciphertext[:len(ciphertext)-gcmTagSize]
+
+	// Make room in dst to append ciphertext without tag.
+	ret, out := sliceForAppend(dst, len(ciphertext))
+
+	// Check delayed until now to make sure len(dst) is accurate.
+	if inexactOverlap(out, ciphertext) {
+		panic("cipher: invalid buffer overlap")
+	}
+
+	ctx, err := newCipherCtx(g.c.kind, cipherModeGCM, cipherOpNone, g.c.key, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer C.go_openssl_EVP_CIPHER_CTX_free(ctx)
+	ok := C.go_openssl_EVP_CIPHER_CTX_open_wrapper(
+		ctx, base(out), base(nonce),
+		base(ciphertext), C.int(len(ciphertext)),
+		base(additionalData), C.int(len(additionalData)), base(tag))
+	runtime.KeepAlive(g)
+	if ok == 0 {
+		// Zero output buffer on error.
+		for i := range out {
+			out[i] = 0
+		}
+		return nil, errOpen
+	}
+	return ret, nil
+}
+
+// sliceForAppend is a mirror of crypto/cipher.sliceForAppend.
+func sliceForAppend(in []byte, n int) (head, tail []byte) {
+	if total := len(in) + n; cap(in) >= total {
+		head = in[:total]
+	} else {
+		head = make([]byte, total)
+		copy(head, in)
+	}
+	tail = head[len(in):]
+	return
+}
+
+func newCipherCtx(kind cipherKind, mode cipherMode, encrypt cipherOp, key, iv []byte) (_ C.GO_EVP_CIPHER_CTX_PTR, err error) {
+	cipher := loadCipher(kind, mode)
+	if cipher == nil {
+		panic("crypto/cipher: unsupported cipher: " + kind.String())
+	}
+	ctx := C.go_openssl_EVP_CIPHER_CTX_new()
+	if ctx == nil {
+		return nil, fail("unable to create EVP cipher ctx")
+	}
+	defer func() {
+		if err != nil {
+			C.go_openssl_EVP_CIPHER_CTX_free(ctx)
+		}
+	}()
+	if kind == cipherRC4 {
+		// RC4 cipher supports a variable key length.
+		// We need to set the key length before setting the key,
+		// and to do so we need to have an initialized cipher ctx.
+		if C.go_openssl_EVP_CipherInit_ex(ctx, cipher, nil, nil, nil, C.int(encrypt)) != 1 {
+			return nil, newOpenSSLError("EVP_CipherInit_ex")
+		}
+		if C.go_openssl_EVP_CIPHER_CTX_set_key_length(ctx, C.int(len(key))) != 1 {
+			return nil, newOpenSSLError("EVP_CIPHER_CTX_set_key_length")
+		}
+		// Pass nil to the next call to EVP_CipherInit_ex to avoid resetting ctx's cipher.
+		cipher = nil
+	}
+	if C.go_openssl_EVP_CipherInit_ex(ctx, cipher, nil, base(key), base(iv), C.int(encrypt)) != 1 {
+		return nil, newOpenSSLError("unable to initialize EVP cipher ctx")
+	}
+	return ctx, nil
+}
+
+// The following two functions are a mirror of golang.org/x/crypto/internal/subtle.
+
+func anyOverlap(x, y []byte) bool {
+	return len(x) > 0 && len(y) > 0 &&
+		uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
+		uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
+}
+
+func inexactOverlap(x, y []byte) bool {
+	if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
+		return false
+	}
+	return anyOverlap(x, y)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/des.go b/src/vendor/github.com/golang-fips/openssl/v2/des.go
new file mode 100644
index 00000000000000..cd006544b5111b
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/des.go
@@ -0,0 +1,114 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"crypto/cipher"
+	"errors"
+)
+
+// SupportsDESCipher returns true if NewDESCipher is supported,
+// which uses ECB mode.
+// If CBC is also supported, then the returned cipher.Block
+// will also implement NewCBCEncrypter and NewCBCDecrypter.
+func SupportsDESCipher() bool {
+	// True for stock OpenSSL 1 w/o FIPS.
+	// False for stock OpenSSL 3 unless the legacy provider is available.
+	return (versionAtOrAbove(3, 0, 0) || !FIPS()) && loadCipher(cipherDES, cipherModeECB) != nil
+}
+
+// SupportsTripleDESCipher returns true if NewTripleDESCipher is supported,
+// which uses ECB mode.
+// If CBC is also supported, then the returned cipher.Block
+// will also implement NewCBCEncrypter and NewCBCDecrypter.
+func SupportsTripleDESCipher() bool {
+	// Should always be true for stock OpenSSL,
+	// even when using the FIPS provider.
+	return loadCipher(cipherDES3, cipherModeECB) != nil
+}
+
+func NewDESCipher(key []byte) (cipher.Block, error) {
+	if len(key) != 8 {
+		return nil, errors.New("crypto/des: invalid key size")
+	}
+	return newDESCipher(key, cipherDES)
+}
+
+func NewTripleDESCipher(key []byte) (cipher.Block, error) {
+	if len(key) != 24 {
+		return nil, errors.New("crypto/des: invalid key size")
+	}
+	return newDESCipher(key, cipherDES3)
+}
+
+func newDESCipher(key []byte, kind cipherKind) (cipher.Block, error) {
+	c, err := newEVPCipher(key, kind)
+	if err != nil {
+		return nil, err
+	}
+	if loadCipher(kind, cipherModeCBC) == nil {
+		return &desCipherWithoutCBC{c}, nil
+	}
+	return &desCipher{c}, nil
+}
+
+type desExtraModes interface {
+	NewCBCEncrypter(iv []byte) cipher.BlockMode
+	NewCBCDecrypter(iv []byte) cipher.BlockMode
+}
+
+var _ desExtraModes = (*desCipher)(nil)
+
+type desCipher struct {
+	*evpCipher
+}
+
+func (c *desCipher) BlockSize() int {
+	return c.blockSize
+}
+
+func (c *desCipher) Encrypt(dst, src []byte) {
+	if err := c.encrypt(dst, src); err != nil {
+		// crypto/des expects that the panic message starts with "crypto/des: ".
+		panic("crypto/des: " + err.Error())
+	}
+}
+
+func (c *desCipher) Decrypt(dst, src []byte) {
+	if err := c.decrypt(dst, src); err != nil {
+		// crypto/des expects that the panic message starts with "crypto/des: ".
+		panic("crypto/des: " + err.Error())
+	}
+}
+
+func (c *desCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
+	return c.newCBC(iv, cipherOpEncrypt)
+}
+
+func (c *desCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode {
+	return c.newCBC(iv, cipherOpDecrypt)
+}
+
+type desCipherWithoutCBC struct {
+	*evpCipher
+}
+
+func (c *desCipherWithoutCBC) BlockSize() int {
+	return c.blockSize
+}
+
+func (c *desCipherWithoutCBC) Encrypt(dst, src []byte) {
+	if err := c.encrypt(dst, src); err != nil {
+		// crypto/des expects that the panic message starts with "crypto/des: ".
+		panic("crypto/des: " + err.Error())
+	}
+}
+
+func (c *desCipherWithoutCBC) Decrypt(dst, src []byte) {
+	if err := c.decrypt(dst, src); err != nil {
+		// crypto/des expects that the panic message starts with "crypto/des: ".
+		panic("crypto/des: " + err.Error())
+	}
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/dsa.go b/src/vendor/github.com/golang-fips/openssl/v2/dsa.go
new file mode 100644
index 00000000000000..384424c215dcf1
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/dsa.go
@@ -0,0 +1,323 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"runtime"
+	"unsafe"
+)
+
+// SupportsDSA returns true if the OpenSSL library supports DSA.
+func SupportsDSA() bool {
+	ctx := C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_DSA, nil)
+	if ctx == nil {
+		return false
+	}
+	C.go_openssl_EVP_PKEY_CTX_free(ctx)
+	return true
+}
+
+// DSAParameters contains the DSA parameters.
+type DSAParameters struct {
+	P, Q, G BigInt
+}
+
+// PrivateKeyDSA represents a DSA private key.
+type PrivateKeyDSA struct {
+	DSAParameters
+	X, Y BigInt
+
+	// _pkey MUST NOT be accessed directly. Instead, use the withKey method.
+	_pkey C.GO_EVP_PKEY_PTR
+}
+
+func (k *PrivateKeyDSA) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+func (k *PrivateKeyDSA) withKey(f func(C.GO_EVP_PKEY_PTR) C.int) C.int {
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+// PublicKeyDSA represents a DSA public key.
+type PublicKeyDSA struct {
+	DSAParameters
+	Y BigInt
+
+	// _pkey MUST NOT be accessed directly. Instead, use the withKey method.
+	_pkey C.GO_EVP_PKEY_PTR
+}
+
+func (k *PublicKeyDSA) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+func (k *PublicKeyDSA) withKey(f func(C.GO_EVP_PKEY_PTR) C.int) C.int {
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+// GenerateParametersDSA generates a set of DSA parameters.
+func GenerateParametersDSA(l, n int) (DSAParameters, error) {
+	// The DSA parameters are generated by creating a new DSA key and
+	// extracting the domain parameters from it.
+
+	// Generate a new DSA key context and set the known parameters.
+	ctx := C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_DSA, nil)
+	if ctx == nil {
+		return DSAParameters{}, newOpenSSLError("EVP_PKEY_CTX_new_id failed")
+	}
+	defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+	if C.go_openssl_EVP_PKEY_paramgen_init(ctx) != 1 {
+		return DSAParameters{}, newOpenSSLError("EVP_PKEY_paramgen_init failed")
+	}
+	if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_DSA, -1, C.GO_EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, C.int(l), nil) != 1 {
+		return DSAParameters{}, newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+	}
+	if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_DSA, -1, C.GO_EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, C.int(n), nil) != 1 {
+		return DSAParameters{}, newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+	}
+	var pkey C.GO_EVP_PKEY_PTR
+	if C.go_openssl_EVP_PKEY_paramgen(ctx, &pkey) != 1 {
+		return DSAParameters{}, newOpenSSLError("EVP_PKEY_paramgen failed")
+	}
+	defer C.go_openssl_EVP_PKEY_free(pkey)
+
+	// Extract the domain parameters from the generated key.
+	var p, q, g C.GO_BIGNUM_PTR
+	switch vMajor {
+	case 1:
+		dsa := getDSA(pkey)
+		if vMinor == 0 {
+			C.go_openssl_DSA_get0_pqg_backport(dsa, &p, &q, &g)
+		} else {
+			C.go_openssl_DSA_get0_pqg(dsa, &p, &q, &g)
+		}
+	case 3:
+		defer func() {
+			C.go_openssl_BN_free(p)
+			C.go_openssl_BN_free(q)
+			C.go_openssl_BN_free(g)
+		}()
+		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_FFC_P, &p) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_FFC_Q, &q) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_FFC_G, &g) != 1 {
+			return DSAParameters{}, newOpenSSLError("EVP_PKEY_get_bn_param")
+		}
+	default:
+		panic(errUnsupportedVersion())
+	}
+
+	return DSAParameters{
+		P: bnToBig(p),
+		Q: bnToBig(q),
+		G: bnToBig(g),
+	}, nil
+}
+
+// NewPrivateKeyDSA creates a new DSA private key from the given parameters.
+func NewPrivateKeyDSA(params DSAParameters, x, y BigInt) (*PrivateKeyDSA, error) {
+	if x == nil || y == nil {
+		panic("x and y must not be nil")
+	}
+	pkey, err := newDSA(params, x, y)
+	if err != nil {
+		return nil, err
+	}
+	k := &PrivateKeyDSA{params, x, y, pkey}
+	runtime.SetFinalizer(k, (*PrivateKeyDSA).finalize)
+	return k, nil
+}
+
+// NewPublicKeyDSA creates a new DSA public key from the given parameters.
+func NewPublicKeyDSA(params DSAParameters, y BigInt) (*PublicKeyDSA, error) {
+	if y == nil {
+		panic("y must not be nil")
+	}
+	pkey, err := newDSA(params, nil, y)
+	if err != nil {
+		return nil, err
+	}
+	k := &PublicKeyDSA{params, y, pkey}
+	runtime.SetFinalizer(k, (*PublicKeyDSA).finalize)
+	return k, nil
+}
+
+// GenerateKeyDSA generates a new private DSA key using the given parameters.
+func GenerateKeyDSA(params DSAParameters) (x, y BigInt, err error) {
+	pkey, err := newDSA(params, nil, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	defer C.go_openssl_EVP_PKEY_free(pkey)
+	var bx, by C.GO_BIGNUM_PTR
+	switch vMajor {
+	case 1:
+		dsa := getDSA(pkey)
+		if vMinor == 0 {
+			C.go_openssl_DSA_get0_key_backport(dsa, &by, &bx)
+		} else {
+			C.go_openssl_DSA_get0_key(dsa, &by, &bx)
+		}
+	case 3:
+		defer func() {
+			C.go_openssl_BN_clear_free(bx)
+			C.go_openssl_BN_free(by)
+		}()
+		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_PUB_KEY, &by) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_PRIV_KEY, &bx) != 1 {
+			return nil, nil, newOpenSSLError("EVP_PKEY_get_bn_param")
+		}
+	default:
+		panic(errUnsupportedVersion())
+	}
+	return bnToBig(bx), bnToBig(by), nil
+}
+
+// SignDSA signs a hash (which should be the result of hashing a larger message).
+func SignDSA(priv *PrivateKeyDSA, hash []byte) ([]byte, error) {
+	return evpSign(priv.withKey, 0, 0, 0, hash)
+}
+
+// VerifyDSA verifiessig using the public key, pub.
+func VerifyDSA(pub *PublicKeyDSA, hash []byte, sig []byte) bool {
+	return evpVerify(pub.withKey, 0, 0, 0, sig, hash) == nil
+}
+
+func newDSA(params DSAParameters, x, y BigInt) (C.GO_EVP_PKEY_PTR, error) {
+	switch vMajor {
+	case 1:
+		return newDSA1(params, x, y)
+	case 3:
+		return newDSA3(params, x, y)
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+func newDSA1(params DSAParameters, x, y BigInt) (pkey C.GO_EVP_PKEY_PTR, err error) {
+	checkMajorVersion(1)
+
+	dsa := C.go_openssl_DSA_new()
+	if dsa == nil {
+		return nil, newOpenSSLError("DSA_new failed")
+	}
+	defer func() {
+		if pkey == nil {
+			C.go_openssl_DSA_free(dsa)
+		}
+	}()
+
+	p, q, g := bigToBN(params.P), bigToBN(params.Q), bigToBN(params.G)
+	var ret C.int
+	if vMinor == 0 {
+		ret = C.go_openssl_DSA_set0_pqg_backport(dsa, p, q, g)
+	} else {
+		ret = C.go_openssl_DSA_set0_pqg(dsa, p, q, g)
+	}
+	if ret != 1 {
+		C.go_openssl_BN_free(p)
+		C.go_openssl_BN_free(q)
+		C.go_openssl_BN_free(g)
+		return nil, newOpenSSLError("DSA_set0_pqg failed")
+	}
+	if y != nil {
+		pub, priv := bigToBN(y), bigToBN(x)
+		if vMinor == 0 {
+			ret = C.go_openssl_DSA_set0_key_backport(dsa, pub, priv)
+		} else {
+			ret = C.go_openssl_DSA_set0_key(dsa, pub, priv)
+		}
+		if ret != 1 {
+			C.go_openssl_BN_free(pub)
+			C.go_openssl_BN_clear_free(priv)
+			return nil, newOpenSSLError("DSA_set0_key failed")
+		}
+	} else {
+		if C.go_openssl_DSA_generate_key(dsa) != 1 {
+			return nil, newOpenSSLError("DSA_generate_key failed")
+		}
+	}
+	pkey = C.go_openssl_EVP_PKEY_new()
+	if pkey == nil {
+		return nil, newOpenSSLError("EVP_PKEY_new failed")
+	}
+	if C.go_openssl_EVP_PKEY_assign(pkey, C.GO_EVP_PKEY_DSA, unsafe.Pointer(dsa)) != 1 {
+		C.go_openssl_EVP_PKEY_free(pkey)
+		return nil, newOpenSSLError("EVP_PKEY_assign failed")
+	}
+	return pkey, nil
+}
+
+func newDSA3(params DSAParameters, x, y BigInt) (C.GO_EVP_PKEY_PTR, error) {
+	checkMajorVersion(3)
+
+	bld, err := newParamBuilder()
+	if err != nil {
+		return nil, err
+	}
+	defer bld.finalize()
+
+	bld.addBigInt(_OSSL_PKEY_PARAM_FFC_P, params.P, false)
+	bld.addBigInt(_OSSL_PKEY_PARAM_FFC_Q, params.Q, false)
+	bld.addBigInt(_OSSL_PKEY_PARAM_FFC_G, params.G, false)
+	selection := C.int(C.GO_EVP_PKEY_KEYPAIR)
+	if y != nil {
+		bld.addBigInt(_OSSL_PKEY_PARAM_PUB_KEY, y, false)
+		if x == nil {
+			selection = C.int(C.GO_EVP_PKEY_PUBLIC_KEY)
+		}
+	}
+	if x != nil {
+		bld.addBigInt(_OSSL_PKEY_PARAM_PRIV_KEY, x, true)
+	}
+	bldparams, err := bld.build()
+	if err != nil {
+		return nil, err
+	}
+	defer C.go_openssl_OSSL_PARAM_free(bldparams)
+	pkey, err := newEvpFromParams(C.GO_EVP_PKEY_DSA, selection, bldparams)
+	if err != nil {
+		return nil, err
+	}
+	if y != nil {
+		return pkey, nil
+	}
+	// pkey doesn't contain the public component, but the crypto/dsa package
+	// expects it to be always there. Generate a new key using pkey as domain
+	// parameters placeholder.
+	defer C.go_openssl_EVP_PKEY_free(pkey)
+	ctx := C.go_openssl_EVP_PKEY_CTX_new_from_pkey(nil, pkey, nil)
+	if ctx == nil {
+		return nil, newOpenSSLError("EVP_PKEY_CTX_new_from_pkey")
+	}
+	defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+	if C.go_openssl_EVP_PKEY_keygen_init(ctx) != 1 {
+		return nil, newOpenSSLError("EVP_PKEY_keygen_init")
+	}
+	var gkey C.GO_EVP_PKEY_PTR
+	if C.go_openssl_EVP_PKEY_keygen(ctx, &gkey) != 1 {
+		return nil, newOpenSSLError("EVP_PKEY_keygen")
+	}
+	return gkey, nil
+}
+
+// getDSA returns the DSA from pkey.
+// If pkey does not contain an DSA it panics.
+// The returned key should not be freed.
+func getDSA(pkey C.GO_EVP_PKEY_PTR) (key C.GO_DSA_PTR) {
+	if vMajor == 1 && vMinor == 0 {
+		if key0 := C.go_openssl_EVP_PKEY_get0(pkey); key0 != nil {
+			key = C.GO_DSA_PTR(key0)
+		}
+	} else {
+		key = C.go_openssl_EVP_PKEY_get0_DSA(pkey)
+	}
+	if key == nil {
+		panic("pkey does not contain an DSA")
+	}
+	return key
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/ec.go b/src/vendor/github.com/golang-fips/openssl/v2/ec.go
new file mode 100644
index 00000000000000..734c14b9bc1e3e
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/ec.go
@@ -0,0 +1,68 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+
+func curveNID(curve string) C.int {
+	switch curve {
+	case "P-224":
+		return C.GO_NID_secp224r1
+	case "P-256":
+		return C.GO_NID_X9_62_prime256v1
+	case "P-384":
+		return C.GO_NID_secp384r1
+	case "P-521":
+		return C.GO_NID_secp521r1
+	default:
+		panic("openssl: unknown curve " + curve)
+	}
+}
+
+// curveSize returns the size of the curve in bytes.
+func curveSize(curve string) int {
+	switch curve {
+	case "P-224":
+		return 224 / 8
+	case "P-256":
+		return 256 / 8
+	case "P-384":
+		return 384 / 8
+	case "P-521":
+		return (521 + 7) / 8
+	default:
+		panic("openssl: unknown curve " + curve)
+	}
+}
+
+// encodeEcPoint encodes pt.
+func encodeEcPoint(group C.GO_EC_GROUP_PTR, pt C.GO_EC_POINT_PTR) ([]byte, error) {
+	// Get encoded point size.
+	n := C.go_openssl_EC_POINT_point2oct(group, pt, C.GO_POINT_CONVERSION_UNCOMPRESSED, nil, 0, nil)
+	if n == 0 {
+		return nil, newOpenSSLError("EC_POINT_point2oct")
+	}
+	// Encode point into bytes.
+	bytes := make([]byte, n)
+	n = C.go_openssl_EC_POINT_point2oct(group, pt, C.GO_POINT_CONVERSION_UNCOMPRESSED, base(bytes), n, nil)
+	if n == 0 {
+		return nil, newOpenSSLError("EC_POINT_point2oct")
+	}
+	return bytes, nil
+}
+
+// generateAndEncodeEcPublicKey calls newPubKeyPointFn to generate a public key point and then encodes it.
+func generateAndEncodeEcPublicKey(nid C.int, newPubKeyPointFn func(group C.GO_EC_GROUP_PTR) (C.GO_EC_POINT_PTR, error)) ([]byte, error) {
+	group := C.go_openssl_EC_GROUP_new_by_curve_name(nid)
+	if group == nil {
+		return nil, newOpenSSLError("EC_GROUP_new_by_curve_name")
+	}
+	defer C.go_openssl_EC_GROUP_free(group)
+	pt, err := newPubKeyPointFn(group)
+	if err != nil {
+		return nil, err
+	}
+	defer C.go_openssl_EC_POINT_free(pt)
+	return encodeEcPoint(group, pt)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/ecdh.go b/src/vendor/github.com/golang-fips/openssl/v2/ecdh.go
new file mode 100644
index 00000000000000..ad392dca1ced82
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/ecdh.go
@@ -0,0 +1,303 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"errors"
+	"runtime"
+	"slices"
+	"unsafe"
+)
+
+type PublicKeyECDH struct {
+	_pkey C.GO_EVP_PKEY_PTR
+	bytes []byte
+}
+
+func (k *PublicKeyECDH) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+type PrivateKeyECDH struct {
+	_pkey C.GO_EVP_PKEY_PTR
+	curve string
+}
+
+func (k *PrivateKeyECDH) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
+	if len(bytes) != 1+2*curveSize(curve) {
+		return nil, errors.New("NewPublicKeyECDH: wrong key length")
+	}
+	pkey, err := newECDHPkey(curve, bytes, false)
+	if err != nil {
+		return nil, err
+	}
+	k := &PublicKeyECDH{pkey, slices.Clone(bytes)}
+	runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
+	return k, nil
+}
+
+func (k *PublicKeyECDH) Bytes() []byte { return k.bytes }
+
+func NewPrivateKeyECDH(curve string, bytes []byte) (*PrivateKeyECDH, error) {
+	if len(bytes) != curveSize(curve) {
+		return nil, errors.New("NewPrivateKeyECDH: wrong key length")
+	}
+	pkey, err := newECDHPkey(curve, bytes, true)
+	if err != nil {
+		return nil, err
+	}
+	k := &PrivateKeyECDH{pkey, curve}
+	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
+	return k, nil
+}
+
+func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
+	defer runtime.KeepAlive(k)
+	var pkey C.GO_EVP_PKEY_PTR
+	defer func() {
+		C.go_openssl_EVP_PKEY_free(pkey)
+	}()
+
+	var bytes []byte
+	switch vMajor {
+	case 1:
+		pkey = C.go_openssl_EVP_PKEY_new()
+		if pkey == nil {
+			return nil, newOpenSSLError("EVP_PKEY_new")
+		}
+		key := getECKey(k._pkey)
+		if C.go_openssl_EVP_PKEY_set1_EC_KEY(pkey, key) != 1 {
+			return nil, newOpenSSLError("EVP_PKEY_set1_EC_KEY")
+		}
+		pt := C.go_openssl_EC_KEY_get0_public_key(key)
+		if pt == nil {
+			return nil, newOpenSSLError("EC_KEY_get0_public_key")
+		}
+		group := C.go_openssl_EC_KEY_get0_group(key)
+		var err error
+		bytes, err = encodeEcPoint(group, pt)
+		if err != nil {
+			return nil, err
+		}
+	case 3:
+		pkey = k._pkey
+		if C.go_openssl_EVP_PKEY_up_ref(pkey) != 1 {
+			return nil, newOpenSSLError("EVP_PKEY_up_ref")
+		}
+
+		var cbytes *C.uchar
+		n := C.go_openssl_EVP_PKEY_get1_encoded_public_key(k._pkey, &cbytes)
+		if n == 0 {
+			return nil, newOpenSSLError("EVP_PKEY_get_octet_string_param")
+		}
+		bytes = C.GoBytes(unsafe.Pointer(cbytes), C.int(n))
+		cryptoFree(unsafe.Pointer(cbytes))
+	default:
+		panic(errUnsupportedVersion())
+	}
+	pub := &PublicKeyECDH{pkey, bytes}
+	pkey = nil
+	runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
+	return pub, nil
+}
+
+func newECDHPkey(curve string, bytes []byte, isPrivate bool) (C.GO_EVP_PKEY_PTR, error) {
+	nid := curveNID(curve)
+	switch vMajor {
+	case 1:
+		return newECDHPkey1(nid, bytes, isPrivate)
+	case 3:
+		return newECDHPkey3(nid, bytes, isPrivate)
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+func newECDHPkey1(nid C.int, bytes []byte, isPrivate bool) (pkey C.GO_EVP_PKEY_PTR, err error) {
+	checkMajorVersion(1)
+
+	key := C.go_openssl_EC_KEY_new_by_curve_name(nid)
+	if key == nil {
+		return nil, newOpenSSLError("EC_KEY_new_by_curve_name")
+	}
+	defer func() {
+		if pkey == nil {
+			C.go_openssl_EC_KEY_free(key)
+		}
+	}()
+	group := C.go_openssl_EC_KEY_get0_group(key)
+	if isPrivate {
+		priv := C.go_openssl_BN_bin2bn(base(bytes), C.int(len(bytes)), nil)
+		if priv == nil {
+			return nil, newOpenSSLError("BN_bin2bn")
+		}
+		defer C.go_openssl_BN_clear_free(priv)
+		if C.go_openssl_EC_KEY_set_private_key(key, priv) != 1 {
+			return nil, newOpenSSLError("EC_KEY_set_private_key")
+		}
+		pub, err := pointMult(group, priv)
+		if err != nil {
+			return nil, err
+		}
+		defer C.go_openssl_EC_POINT_free(pub)
+		if C.go_openssl_EC_KEY_set_public_key(key, pub) != 1 {
+			return nil, newOpenSSLError("EC_KEY_set_public_key")
+		}
+	} else {
+		pub := C.go_openssl_EC_POINT_new(group)
+		if pub == nil {
+			return nil, newOpenSSLError("EC_POINT_new")
+		}
+		defer C.go_openssl_EC_POINT_free(pub)
+		if C.go_openssl_EC_POINT_oct2point(group, pub, base(bytes), C.size_t(len(bytes)), nil) != 1 {
+			return nil, errors.New("point not on curve")
+		}
+		if C.go_openssl_EC_KEY_set_public_key(key, pub) != 1 {
+			return nil, newOpenSSLError("EC_KEY_set_public_key")
+		}
+	}
+	if C.go_openssl_EC_KEY_check_key(key) != 1 {
+		// Match upstream error message.
+		if isPrivate {
+			return nil, errors.New("crypto/ecdh: invalid private key")
+		} else {
+			return nil, errors.New("crypto/ecdh: invalid public key")
+		}
+	}
+	return newEVPPKEY(key)
+}
+
+func newECDHPkey3(nid C.int, bytes []byte, isPrivate bool) (C.GO_EVP_PKEY_PTR, error) {
+	checkMajorVersion(3)
+
+	bld, err := newParamBuilder()
+	if err != nil {
+		return nil, err
+	}
+	defer bld.finalize()
+	bld.addUTF8String(_OSSL_PKEY_PARAM_GROUP_NAME, C.go_openssl_OBJ_nid2sn(nid), 0)
+	var selection C.int
+	if isPrivate {
+		priv := C.go_openssl_BN_bin2bn(base(bytes), C.int(len(bytes)), nil)
+		if priv == nil {
+			return nil, newOpenSSLError("BN_bin2bn")
+		}
+		defer C.go_openssl_BN_clear_free(priv)
+		pubBytes, err := generateAndEncodeEcPublicKey(nid, func(group C.GO_EC_GROUP_PTR) (C.GO_EC_POINT_PTR, error) {
+			return pointMult(group, priv)
+		})
+		if err != nil {
+			return nil, err
+		}
+		bld.addOctetString(_OSSL_PKEY_PARAM_PUB_KEY, pubBytes)
+		bld.addBN(_OSSL_PKEY_PARAM_PRIV_KEY, priv)
+		selection = C.GO_EVP_PKEY_KEYPAIR
+	} else {
+		bld.addOctetString(_OSSL_PKEY_PARAM_PUB_KEY, bytes)
+		selection = C.GO_EVP_PKEY_PUBLIC_KEY
+	}
+
+	params, err := bld.build()
+	if err != nil {
+		return nil, err
+	}
+	defer C.go_openssl_OSSL_PARAM_free(params)
+	pkey, err := newEvpFromParams(C.GO_EVP_PKEY_EC, selection, params)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := checkPkey(pkey, isPrivate); err != nil {
+		C.go_openssl_EVP_PKEY_free(pkey)
+		return nil, errors.New("crypto/ecdh: " + err.Error())
+	}
+	return pkey, nil
+}
+
+func pointMult(group C.GO_EC_GROUP_PTR, priv C.GO_BIGNUM_PTR) (C.GO_EC_POINT_PTR, error) {
+	// OpenSSL does not expose any method to generate the public
+	// key from the private key [1], so we have to calculate it here.
+	// [1] https://github.com/openssl/openssl/issues/18437#issuecomment-1144717206
+	pt := C.go_openssl_EC_POINT_new(group)
+	if pt == nil {
+		return nil, newOpenSSLError("EC_POINT_new")
+	}
+	if C.go_openssl_EC_POINT_mul(group, pt, priv, nil, nil, nil) == 0 {
+		C.go_openssl_EC_POINT_free(pt)
+		return nil, newOpenSSLError("EC_POINT_mul")
+	}
+	return pt, nil
+}
+
+func ECDH(priv *PrivateKeyECDH, pub *PublicKeyECDH) ([]byte, error) {
+	defer runtime.KeepAlive(priv)
+	defer runtime.KeepAlive(pub)
+	ctx := C.go_openssl_EVP_PKEY_CTX_new(priv._pkey, nil)
+	if ctx == nil {
+		return nil, newOpenSSLError("EVP_PKEY_CTX_new")
+	}
+	defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+	if C.go_openssl_EVP_PKEY_derive_init(ctx) != 1 {
+		return nil, newOpenSSLError("EVP_PKEY_derive_init")
+	}
+	if C.go_openssl_EVP_PKEY_derive_set_peer(ctx, pub._pkey) != 1 {
+		return nil, newOpenSSLError("EVP_PKEY_derive_set_peer")
+	}
+	r := C.go_openssl_EVP_PKEY_derive_wrapper(ctx, nil, 0)
+	if r.result != 1 {
+		return nil, newOpenSSLError("EVP_PKEY_derive_init")
+	}
+	out := make([]byte, r.keylen)
+	if C.go_openssl_EVP_PKEY_derive_wrapper(ctx, base(out), r.keylen).result != 1 {
+		return nil, newOpenSSLError("EVP_PKEY_derive_init")
+	}
+	return out, nil
+}
+
+func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {
+	pkey, err := generateEVPPKey(C.GO_EVP_PKEY_EC, 0, curve)
+	if err != nil {
+		return nil, nil, err
+	}
+	var k *PrivateKeyECDH
+	defer func() {
+		if k == nil {
+			C.go_openssl_EVP_PKEY_free(pkey)
+		}
+	}()
+	var priv C.GO_BIGNUM_PTR
+	switch vMajor {
+	case 1:
+		key := getECKey(pkey)
+		priv = C.go_openssl_EC_KEY_get0_private_key(key)
+		if priv == nil {
+			return nil, nil, newOpenSSLError("EC_KEY_get0_private_key")
+		}
+	case 3:
+		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_PRIV_KEY, &priv) != 1 {
+			return nil, nil, newOpenSSLError("EVP_PKEY_get_bn_param")
+		}
+		defer C.go_openssl_BN_clear_free(priv)
+	default:
+		panic(errUnsupportedVersion())
+	}
+	// We should not leak bit length of the secret scalar in the key.
+	// For this reason, we use BN_bn2binpad instead of BN_bn2bin with fixed length.
+	// The fixed length is the order of the large prime subgroup of the curve,
+	// returned by EVP_PKEY_get_bits, which is generally the upper bound for
+	// generating a private ECDH key.
+	bits := C.go_openssl_EVP_PKEY_get_bits(pkey)
+	bytes := make([]byte, (bits+7)/8)
+	if err := bnToBinPad(priv, bytes); err != nil {
+		return nil, nil, err
+	}
+	k = &PrivateKeyECDH{pkey, curve}
+	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
+	return k, bytes, nil
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/ecdsa.go b/src/vendor/github.com/golang-fips/openssl/v2/ecdsa.go
new file mode 100644
index 00000000000000..bc5f1117fd4355
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/ecdsa.go
@@ -0,0 +1,208 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"crypto"
+	"errors"
+	"runtime"
+)
+
+type PrivateKeyECDSA struct {
+	// _pkey MUST NOT be accessed directly. Instead, use the withKey method.
+	_pkey C.GO_EVP_PKEY_PTR
+}
+
+func (k *PrivateKeyECDSA) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+func (k *PrivateKeyECDSA) withKey(f func(C.GO_EVP_PKEY_PTR) C.int) C.int {
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+type PublicKeyECDSA struct {
+	// _pkey MUST NOT be accessed directly. Instead, use the withKey method.
+	_pkey C.GO_EVP_PKEY_PTR
+}
+
+func (k *PublicKeyECDSA) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+func (k *PublicKeyECDSA) withKey(f func(C.GO_EVP_PKEY_PTR) C.int) C.int {
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+var errUnknownCurve = errors.New("openssl: unknown elliptic curve")
+
+func NewPublicKeyECDSA(curve string, x, y BigInt) (*PublicKeyECDSA, error) {
+	pkey, err := newECDSAKey(curve, x, y, nil)
+	if err != nil {
+		return nil, err
+	}
+	k := &PublicKeyECDSA{_pkey: pkey}
+	runtime.SetFinalizer(k, (*PublicKeyECDSA).finalize)
+	return k, nil
+}
+
+func NewPrivateKeyECDSA(curve string, x, y, d BigInt) (*PrivateKeyECDSA, error) {
+	pkey, err := newECDSAKey(curve, x, y, d)
+	if err != nil {
+		return nil, err
+	}
+	k := &PrivateKeyECDSA{_pkey: pkey}
+	runtime.SetFinalizer(k, (*PrivateKeyECDSA).finalize)
+	return k, nil
+}
+
+func GenerateKeyECDSA(curve string) (x, y, d BigInt, err error) {
+	// Generate the private key.
+	pkey, err := generateEVPPKey(C.GO_EVP_PKEY_EC, 0, curve)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	defer C.go_openssl_EVP_PKEY_free(pkey)
+
+	var bx, by, bd C.GO_BIGNUM_PTR
+	defer func() {
+		C.go_openssl_BN_free(bx)
+		C.go_openssl_BN_free(by)
+	}()
+	switch vMajor {
+	case 1:
+		// Retrieve the internal EC_KEY, which holds the X, Y, and D coordinates.
+		key := getECKey(pkey)
+		group := C.go_openssl_EC_KEY_get0_group(key)
+		pt := C.go_openssl_EC_KEY_get0_public_key(key)
+		// Allocate two big numbers to store the X and Y coordinates.
+		bx, by = C.go_openssl_BN_new(), C.go_openssl_BN_new()
+		if bx == nil || by == nil {
+			return nil, nil, nil, newOpenSSLError("BN_new failed")
+		}
+		// Get X and Y.
+		if C.go_openssl_EC_POINT_get_affine_coordinates_GFp(group, pt, bx, by, nil) == 0 {
+			return nil, nil, nil, newOpenSSLError("EC_POINT_get_affine_coordinates_GFp failed")
+		}
+		// Get Z. We don't need to free it, get0 does not increase the reference count.
+		bd = C.go_openssl_EC_KEY_get0_private_key(key)
+	case 3:
+		if C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_EC_PUB_X, &bx) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_EC_PUB_Y, &by) != 1 ||
+			C.go_openssl_EVP_PKEY_get_bn_param(pkey, _OSSL_PKEY_PARAM_PRIV_KEY, &bd) != 1 {
+			return nil, nil, nil, newOpenSSLError("EVP_PKEY_get_bn_param")
+		}
+		defer C.go_openssl_BN_clear_free(bd)
+	default:
+		panic(errUnsupportedVersion())
+	}
+
+	// Get D.
+	return bnToBig(bx), bnToBig(by), bnToBig(bd), nil
+}
+
+func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) {
+	return evpSign(priv.withKey, 0, 0, 0, hash)
+}
+
+func HashSignECDSA(priv *PrivateKeyECDSA, h crypto.Hash, msg []byte) ([]byte, error) {
+	return evpHashSign(priv.withKey, h, msg)
+}
+
+func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, sig []byte) bool {
+	return evpVerify(pub.withKey, 0, 0, 0, sig, hash) == nil
+}
+
+func HashVerifyECDSA(pub *PublicKeyECDSA, h crypto.Hash, msg, sig []byte) bool {
+	return evpHashVerify(pub.withKey, h, msg, sig) == nil
+}
+
+func newECDSAKey(curve string, x, y, d BigInt) (C.GO_EVP_PKEY_PTR, error) {
+	nid := curveNID(curve)
+	var bx, by, bd C.GO_BIGNUM_PTR
+	defer func() {
+		C.go_openssl_BN_free(bx)
+		C.go_openssl_BN_free(by)
+		C.go_openssl_BN_clear_free(bd)
+	}()
+	bx = bigToBN(x)
+	by = bigToBN(y)
+	bd = bigToBN(d)
+	if bx == nil || by == nil || (d != nil && bd == nil) {
+		return nil, newOpenSSLError("BN_lebin2bn failed")
+	}
+	switch vMajor {
+	case 1:
+		return newECDSAKey1(nid, bx, by, bd)
+	case 3:
+		return newECDSAKey3(nid, bx, by, bd)
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+func newECDSAKey1(nid C.int, bx, by, bd C.GO_BIGNUM_PTR) (pkey C.GO_EVP_PKEY_PTR, err error) {
+	checkMajorVersion(1)
+
+	key := C.go_openssl_EC_KEY_new_by_curve_name(nid)
+	if key == nil {
+		return nil, newOpenSSLError("EC_KEY_new_by_curve_name failed")
+	}
+	defer func() {
+		if pkey == nil {
+			defer C.go_openssl_EC_KEY_free(key)
+		}
+	}()
+	if C.go_openssl_EC_KEY_set_public_key_affine_coordinates(key, bx, by) != 1 {
+		return nil, newOpenSSLError("EC_KEY_set_public_key_affine_coordinates failed")
+	}
+	if bd != nil && C.go_openssl_EC_KEY_set_private_key(key, bd) != 1 {
+		return nil, newOpenSSLError("EC_KEY_set_private_key failed")
+	}
+	return newEVPPKEY(key)
+}
+
+func newECDSAKey3(nid C.int, bx, by, bd C.GO_BIGNUM_PTR) (C.GO_EVP_PKEY_PTR, error) {
+	checkMajorVersion(3)
+
+	// Create the encoded public key public key from bx and by.
+	pubBytes, err := generateAndEncodeEcPublicKey(nid, func(group C.GO_EC_GROUP_PTR) (C.GO_EC_POINT_PTR, error) {
+		pt := C.go_openssl_EC_POINT_new(group)
+		if pt == nil {
+			return nil, newOpenSSLError("EC_POINT_new")
+		}
+		if C.go_openssl_EC_POINT_set_affine_coordinates(group, pt, bx, by, nil) != 1 {
+			C.go_openssl_EC_POINT_free(pt)
+			return nil, newOpenSSLError("EC_POINT_set_affine_coordinates")
+		}
+		return pt, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	// Construct the parameters.
+	bld, err := newParamBuilder()
+	if err != nil {
+		return nil, err
+	}
+	defer bld.finalize()
+	bld.addUTF8String(_OSSL_PKEY_PARAM_GROUP_NAME, C.go_openssl_OBJ_nid2sn(nid), 0)
+	bld.addOctetString(_OSSL_PKEY_PARAM_PUB_KEY, pubBytes)
+	var selection C.int
+	if bd != nil {
+		bld.addBN(_OSSL_PKEY_PARAM_PRIV_KEY, bd)
+		selection = C.GO_EVP_PKEY_KEYPAIR
+	} else {
+		selection = C.GO_EVP_PKEY_PUBLIC_KEY
+	}
+	params, err := bld.build()
+	if err != nil {
+		return nil, err
+	}
+	defer C.go_openssl_OSSL_PARAM_free(params)
+	return newEvpFromParams(C.GO_EVP_PKEY_EC, selection, params)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/ed25519.go b/src/vendor/github.com/golang-fips/openssl/v2/ed25519.go
new file mode 100644
index 00000000000000..f96db2cd5efcad
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/ed25519.go
@@ -0,0 +1,228 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"errors"
+	"runtime"
+	"strconv"
+	"sync"
+)
+
+const (
+	// publicKeySizeEd25519 is the size, in bytes, of public keys as used in crypto/ed25519.
+	publicKeySizeEd25519 = 32
+	// privateKeySizeEd25519 is the size, in bytes, of private keys as used in crypto/ed25519.
+	privateKeySizeEd25519 = 64
+	// signatureSizeEd25519 is the size, in bytes, of signatures generated and verified by crypto/ed25519.
+	signatureSizeEd25519 = 64
+	// seedSizeEd25519 is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032.
+	seedSizeEd25519 = 32
+)
+
+// TODO: Add support for Ed25519ph and Ed25519ctx when OpenSSL supports them,
+// which will probably be in 3.2.0 (https://github.com/openssl/openssl/issues/20418).
+
+var supportsEd25519 = sync.OnceValue(func() bool {
+	switch vMajor {
+	case 1:
+		if versionAtOrAbove(1, 1, 1) {
+			ctx := C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_ED25519, nil)
+			if ctx != nil {
+				C.go_openssl_EVP_PKEY_CTX_free(ctx)
+				return true
+			}
+		}
+	case 3:
+		sig := C.go_openssl_EVP_SIGNATURE_fetch(nil, keyTypeED25519, nil)
+		if sig != nil {
+			C.go_openssl_EVP_SIGNATURE_free(sig)
+			return true
+		}
+	}
+	return false
+})
+
+// SupportsEd25519 returns true if the current OpenSSL version supports
+// GenerateKeyEd25519, NewKeyFromSeedEd25519, SignEd25519 and VerifyEd25519.
+func SupportsEd25519() bool {
+	return supportsEd25519()
+}
+
+type PublicKeyEd25519 struct {
+	_pkey C.GO_EVP_PKEY_PTR
+}
+
+func (k *PublicKeyEd25519) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+func (k *PublicKeyEd25519) Bytes() ([]byte, error) {
+	defer runtime.KeepAlive(k)
+	pub := make([]byte, publicKeySizeEd25519)
+	if err := extractPKEYPubEd25519(k._pkey, pub); err != nil {
+		return nil, err
+	}
+	return pub, nil
+}
+
+type PrivateKeyEd25519 struct {
+	_pkey C.GO_EVP_PKEY_PTR
+}
+
+func (k *PrivateKeyEd25519) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+func (k *PrivateKeyEd25519) Bytes() ([]byte, error) {
+	defer runtime.KeepAlive(k)
+	priv := make([]byte, privateKeySizeEd25519)
+	if err := extractPKEYPrivEd25519(k._pkey, priv); err != nil {
+		return nil, err
+	}
+	return priv, nil
+}
+
+func (k *PrivateKeyEd25519) Public() (*PublicKeyEd25519, error) {
+	pub := make([]byte, publicKeySizeEd25519)
+	if err := extractPKEYPubEd25519(k._pkey, pub); err != nil {
+		return nil, err
+	}
+	pubk, err := NewPublicKeyEd25519(pub)
+	if err != nil {
+		return nil, err
+	}
+	return pubk, nil
+}
+
+// GenerateKeyEd25519 generates a private key.
+func GenerateKeyEd25519() (*PrivateKeyEd25519, error) {
+	pkeyPriv, err := generateEVPPKey(C.GO_EVP_PKEY_ED25519, 0, "")
+	if err != nil {
+		return nil, err
+	}
+	priv := &PrivateKeyEd25519{_pkey: pkeyPriv}
+	runtime.SetFinalizer(priv, (*PrivateKeyEd25519).finalize)
+	return priv, nil
+}
+
+// Deprecated: use NewPrivateKeyEd25519 instead.
+func NewPrivateKeyEd25119(priv []byte) (*PrivateKeyEd25519, error) {
+	return NewPrivateKeyEd25519(priv)
+}
+
+func NewPrivateKeyEd25519(priv []byte) (*PrivateKeyEd25519, error) {
+	if len(priv) != privateKeySizeEd25519 {
+		panic("ed25519: bad private key length: " + strconv.Itoa(len(priv)))
+	}
+	return NewPrivateKeyEd25519FromSeed(priv[:seedSizeEd25519])
+}
+
+// Deprecated: use NewPublicKeyEd25519 instead.
+func NewPublicKeyEd25119(pub []byte) (*PublicKeyEd25519, error) {
+	return NewPublicKeyEd25519(pub)
+}
+
+func NewPublicKeyEd25519(pub []byte) (*PublicKeyEd25519, error) {
+	if len(pub) != publicKeySizeEd25519 {
+		panic("ed25519: bad public key length: " + strconv.Itoa(len(pub)))
+	}
+	pkey := C.go_openssl_EVP_PKEY_new_raw_public_key(C.GO_EVP_PKEY_ED25519, nil, base(pub), C.size_t(len(pub)))
+	if pkey == nil {
+		return nil, newOpenSSLError("EVP_PKEY_new_raw_public_key")
+	}
+	pubk := &PublicKeyEd25519{_pkey: pkey}
+	runtime.SetFinalizer(pubk, (*PublicKeyEd25519).finalize)
+	return pubk, nil
+}
+
+// NewPrivateKeyEd25519FromSeed calculates a private key from a seed. It will panic if
+// len(seed) is not [SeedSize]. RFC 8032's private keys correspond to seeds in this
+// package.
+func NewPrivateKeyEd25519FromSeed(seed []byte) (*PrivateKeyEd25519, error) {
+	if len(seed) != seedSizeEd25519 {
+		panic("ed25519: bad seed length: " + strconv.Itoa(len(seed)))
+	}
+	pkey := C.go_openssl_EVP_PKEY_new_raw_private_key(C.GO_EVP_PKEY_ED25519, nil, base(seed), C.size_t(len(seed)))
+	if pkey == nil {
+		return nil, newOpenSSLError("EVP_PKEY_new_raw_private_key")
+	}
+	priv := &PrivateKeyEd25519{_pkey: pkey}
+	runtime.SetFinalizer(priv, (*PrivateKeyEd25519).finalize)
+	return priv, nil
+}
+
+func extractPKEYPubEd25519(pkey C.GO_EVP_PKEY_PTR, pub []byte) error {
+	r := C.go_openssl_EVP_PKEY_get_raw_public_key_wrapper(pkey, base(pub), C.size_t(publicKeySizeEd25519))
+	if r.result != 1 {
+		return newOpenSSLError("EVP_PKEY_get_raw_public_key")
+	}
+	if r.len != publicKeySizeEd25519 {
+		return errors.New("ed25519: bad public key length: " + strconv.Itoa(int(r.len)))
+	}
+	return nil
+}
+
+func extractPKEYPrivEd25519(pkey C.GO_EVP_PKEY_PTR, priv []byte) error {
+	if err := extractPKEYPubEd25519(pkey, priv[seedSizeEd25519:]); err != nil {
+		return err
+	}
+	r := C.go_openssl_EVP_PKEY_get_raw_private_key_wrapper(pkey, base(priv), C.size_t(seedSizeEd25519))
+	if r.result != 1 {
+		return newOpenSSLError("EVP_PKEY_get_raw_private_key")
+	}
+	if r.len != seedSizeEd25519 {
+		return errors.New("ed25519: bad private key length: " + strconv.Itoa(int(r.len)))
+	}
+	return nil
+}
+
+// SignEd25519 signs the message with priv and returns a signature.
+func SignEd25519(priv *PrivateKeyEd25519, message []byte) (sig []byte, err error) {
+	// Outline the function body so that the returned key can be stack-allocated.
+	sig = make([]byte, signatureSizeEd25519)
+	err = signEd25519(priv, sig, message)
+	if err != nil {
+		return nil, err
+	}
+	return sig, err
+}
+
+func signEd25519(priv *PrivateKeyEd25519, sig, message []byte) error {
+	defer runtime.KeepAlive(priv)
+	ctx := C.go_openssl_EVP_MD_CTX_new()
+	if ctx == nil {
+		return newOpenSSLError("EVP_MD_CTX_new")
+	}
+	defer C.go_openssl_EVP_MD_CTX_free(ctx)
+	if C.go_openssl_EVP_DigestSignInit(ctx, nil, nil, nil, priv._pkey) != 1 {
+		return newOpenSSLError("EVP_DigestSignInit")
+	}
+	r := C.go_openssl_EVP_DigestSign_wrapper(ctx, base(sig), C.size_t(signatureSizeEd25519), base(message), C.size_t(len(message)))
+	if r.result != 1 {
+		return newOpenSSLError("EVP_DigestSign")
+	}
+	if r.siglen != signatureSizeEd25519 {
+		return errors.New("ed25519: bad signature length: " + strconv.Itoa(int(r.siglen)))
+	}
+	return nil
+}
+
+// VerifyEd25519 reports whether sig is a valid signature of message by pub.
+func VerifyEd25519(pub *PublicKeyEd25519, message, sig []byte) error {
+	defer runtime.KeepAlive(pub)
+	ctx := C.go_openssl_EVP_MD_CTX_new()
+	if ctx == nil {
+		return newOpenSSLError("EVP_MD_CTX_new")
+	}
+	defer C.go_openssl_EVP_MD_CTX_free(ctx)
+	if C.go_openssl_EVP_DigestVerifyInit(ctx, nil, nil, nil, pub._pkey) != 1 {
+		return newOpenSSLError("EVP_DigestVerifyInit")
+	}
+	if C.go_openssl_EVP_DigestVerify(ctx, base(sig), C.size_t(len(sig)), base(message), C.size_t(len(message))) != 1 {
+		return errors.New("ed25519: invalid signature")
+	}
+	return nil
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/evp.go b/src/vendor/github.com/golang-fips/openssl/v2/evp.go
new file mode 100644
index 00000000000000..8b5b367f9f8092
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/evp.go
@@ -0,0 +1,580 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"crypto"
+	"errors"
+	"hash"
+	"strconv"
+	"sync"
+	"unsafe"
+)
+
+var (
+	keyTypeRSA     = C.CString("RSA")
+	keyTypeEC      = C.CString("EC")
+	keyTypeED25519 = C.CString("ED25519")
+)
+
+// cacheMD is a cache of crypto.Hash to GO_EVP_MD_PTR.
+var cacheMD sync.Map
+
+// hashFuncHash calls fn() and returns its result.
+// If fn() panics, the panic is recovered and returned as an error.
+// This is used to avoid aborting the program when calling
+// an unsupported hash function. It is the caller's responsibility
+// to check the returned value.
+func hashFuncHash(fn func() hash.Hash) (h hash.Hash, err error) {
+	defer func() {
+		r := recover()
+		if r == nil {
+			return
+		}
+		h = nil
+		switch e := r.(type) {
+		case error:
+			err = e
+		case string:
+			err = errors.New(e)
+		default:
+			err = errors.New("unsupported panic")
+		}
+	}()
+	return fn(), nil
+}
+
+// hashToMD converts a hash.Hash implementation from this package to a GO_EVP_MD_PTR.
+func hashToMD(h hash.Hash) C.GO_EVP_MD_PTR {
+	if h, ok := h.(*evpHash); ok {
+		return h.alg.md
+	}
+	return nil
+}
+
+// hashFuncToMD converts a hash.Hash function to a GO_EVP_MD_PTR.
+// See [hashFuncHash] for details on error handling.
+func hashFuncToMD(fn func() hash.Hash) (C.GO_EVP_MD_PTR, error) {
+	h, err := hashFuncHash(fn)
+	if err != nil {
+		return nil, err
+	}
+	md := hashToMD(h)
+	if md == nil {
+		return nil, errors.New("unsupported hash function")
+	}
+	return md, nil
+}
+
+type hashAlgorithm struct {
+	md             C.GO_EVP_MD_PTR
+	ch             crypto.Hash
+	size           int
+	blockSize      int
+	marshallable   bool
+	magic          string
+	marshalledSize int
+}
+
+// loadHash converts a crypto.Hash to a EVP_MD.
+func loadHash(ch crypto.Hash) *hashAlgorithm {
+	if v, ok := cacheMD.Load(ch); ok {
+		return v.(*hashAlgorithm)
+	}
+
+	var hash hashAlgorithm
+	switch ch {
+	case crypto.RIPEMD160:
+		hash.md = C.go_openssl_EVP_ripemd160()
+	case crypto.MD4:
+		hash.md = C.go_openssl_EVP_md4()
+	case crypto.MD5:
+		hash.md = C.go_openssl_EVP_md5()
+		hash.magic = md5Magic
+		hash.marshalledSize = md5MarshaledSize
+	case crypto.MD5SHA1:
+		if vMajor == 1 && vMinor == 0 {
+			// OpenSSL 1.0.2 does not support MD5SHA1.
+			hash.md = nil
+		} else {
+			hash.md = C.go_openssl_EVP_md5_sha1()
+		}
+	case crypto.SHA1:
+		hash.md = C.go_openssl_EVP_sha1()
+		hash.magic = sha1Magic
+		hash.marshalledSize = sha1MarshaledSize
+	case crypto.SHA224:
+		hash.md = C.go_openssl_EVP_sha224()
+		hash.magic = magic224
+		hash.marshalledSize = marshaledSize256
+	case crypto.SHA256:
+		hash.md = C.go_openssl_EVP_sha256()
+		hash.magic = magic256
+		hash.marshalledSize = marshaledSize256
+	case crypto.SHA384:
+		hash.md = C.go_openssl_EVP_sha384()
+		hash.magic = magic384
+		hash.marshalledSize = marshaledSize512
+	case crypto.SHA512:
+		hash.md = C.go_openssl_EVP_sha512()
+		hash.magic = magic512
+		hash.marshalledSize = marshaledSize512
+	case crypto.SHA512_224:
+		if versionAtOrAbove(1, 1, 1) {
+			hash.md = C.go_openssl_EVP_sha512_224()
+			hash.magic = magic512_224
+			hash.marshalledSize = marshaledSize512
+		}
+	case crypto.SHA512_256:
+		if versionAtOrAbove(1, 1, 1) {
+			hash.md = C.go_openssl_EVP_sha512_256()
+			hash.magic = magic512_256
+			hash.marshalledSize = marshaledSize512
+		}
+	case crypto.SHA3_224:
+		if versionAtOrAbove(1, 1, 1) {
+			hash.md = C.go_openssl_EVP_sha3_224()
+		}
+	case crypto.SHA3_256:
+		if versionAtOrAbove(1, 1, 1) {
+			hash.md = C.go_openssl_EVP_sha3_256()
+		}
+	case crypto.SHA3_384:
+		if versionAtOrAbove(1, 1, 1) {
+			hash.md = C.go_openssl_EVP_sha3_384()
+		}
+	case crypto.SHA3_512:
+		if versionAtOrAbove(1, 1, 1) {
+			hash.md = C.go_openssl_EVP_sha3_512()
+		}
+	}
+	if hash.md == nil {
+		cacheMD.Store(ch, (*hashAlgorithm)(nil))
+		return nil
+	}
+	hash.ch = ch
+	hash.size = int(C.go_openssl_EVP_MD_get_size(hash.md))
+	hash.blockSize = int(C.go_openssl_EVP_MD_get_block_size(hash.md))
+	if vMajor == 3 {
+		// On OpenSSL 3, directly operating on a EVP_MD object
+		// not created by EVP_MD_fetch has negative performance
+		// implications, as digest operations will have
+		// to fetch it on every call. Better to just fetch it once here.
+		md := C.go_openssl_EVP_MD_fetch(nil, C.go_openssl_EVP_MD_get0_name(hash.md), nil)
+		// Don't overwrite md in case it can't be fetched, as the md may still be used
+		// outside of EVP_MD_CTX, for example to sign and verify RSA signatures.
+		if md != nil {
+			hash.md = md
+		}
+	}
+	hash.marshallable = hash.magic != "" && isHashMarshallable(hash.md)
+	cacheMD.Store(ch, &hash)
+	return &hash
+}
+
+// generateEVPPKey generates a new EVP_PKEY with the given id and properties.
+func generateEVPPKey(id C.int, bits int, curve string) (C.GO_EVP_PKEY_PTR, error) {
+	if bits != 0 && curve != "" {
+		return nil, fail("incorrect generateEVPPKey parameters")
+	}
+	var pkey C.GO_EVP_PKEY_PTR
+	switch vMajor {
+	case 1:
+		ctx := C.go_openssl_EVP_PKEY_CTX_new_id(id, nil)
+		if ctx == nil {
+			return nil, newOpenSSLError("EVP_PKEY_CTX_new_id")
+		}
+		defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+		if C.go_openssl_EVP_PKEY_keygen_init(ctx) != 1 {
+			return nil, newOpenSSLError("EVP_PKEY_keygen_init")
+		}
+		if bits != 0 {
+			if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, id, -1, C.GO_EVP_PKEY_CTRL_RSA_KEYGEN_BITS, C.int(bits), nil) != 1 {
+				return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl")
+			}
+		}
+		if curve != "" {
+			if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, id, -1, C.GO_EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, curveNID(curve), nil) != 1 {
+				return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl")
+			}
+		}
+		if C.go_openssl_EVP_PKEY_keygen(ctx, &pkey) != 1 {
+			return nil, newOpenSSLError("EVP_PKEY_keygen")
+		}
+	case 3:
+		switch id {
+		case C.GO_EVP_PKEY_RSA:
+			pkey = C.go_openssl_EVP_PKEY_Q_keygen_RSA(nil, nil, keyTypeRSA, C.size_t(bits))
+		case C.GO_EVP_PKEY_EC:
+			pkey = C.go_openssl_EVP_PKEY_Q_keygen_EC(nil, nil, keyTypeEC, C.go_openssl_OBJ_nid2sn(curveNID(curve)))
+		case C.GO_EVP_PKEY_ED25519:
+			pkey = C.go_openssl_EVP_PKEY_Q_keygen(nil, nil, keyTypeED25519)
+		default:
+			panic("unsupported key type '" + strconv.Itoa(int(id)) + "'")
+		}
+		if pkey == nil {
+			return nil, newOpenSSLError("EVP_PKEY_Q_keygen")
+		}
+	default:
+		panic(errUnsupportedVersion())
+	}
+
+	return pkey, nil
+}
+
+type withKeyFunc func(func(C.GO_EVP_PKEY_PTR) C.int) C.int
+type initFunc func(C.GO_EVP_PKEY_CTX_PTR) error
+type cryptFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, *C.size_t, *C.uchar, C.size_t) error
+type verifyFunc func(C.GO_EVP_PKEY_CTX_PTR, *C.uchar, C.size_t, *C.uchar, C.size_t) error
+
+func setupEVP(withKey withKeyFunc, padding C.int,
+	h, mgfHash hash.Hash, label []byte, saltLen C.int, ch crypto.Hash,
+	init initFunc) (_ C.GO_EVP_PKEY_CTX_PTR, err error) {
+	var ctx C.GO_EVP_PKEY_CTX_PTR
+	withKey(func(pkey C.GO_EVP_PKEY_PTR) C.int {
+		ctx = C.go_openssl_EVP_PKEY_CTX_new(pkey, nil)
+		return 1
+	})
+	if ctx == nil {
+		return nil, newOpenSSLError("EVP_PKEY_CTX_new failed")
+	}
+	defer func() {
+		if err != nil {
+			if ctx != nil {
+				C.go_openssl_EVP_PKEY_CTX_free(ctx)
+				ctx = nil
+			}
+		}
+	}()
+	if err := init(ctx); err != nil {
+		return nil, err
+	}
+	if padding == 0 {
+		return ctx, nil
+	}
+	// Each padding type has its own requirements in terms of when to apply the padding,
+	// so it can't be just set at this point.
+	setPadding := func() error {
+		if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_PADDING, padding, nil) != 1 {
+			return newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+		}
+		return nil
+	}
+	switch padding {
+	case C.GO_RSA_PKCS1_OAEP_PADDING:
+		md := hashToMD(h)
+		if md == nil {
+			return nil, errors.New("crypto/rsa: unsupported hash function")
+		}
+		var mgfMD C.GO_EVP_MD_PTR
+		if mgfHash != nil {
+			// mgfHash is optional, but if it is set it must match a supported hash function.
+			mgfMD = hashToMD(mgfHash)
+			if mgfMD == nil {
+				return nil, errors.New("crypto/rsa: unsupported hash function")
+			}
+		}
+		// setPadding must happen before setting EVP_PKEY_CTRL_RSA_OAEP_MD.
+		if err := setPadding(); err != nil {
+			return nil, err
+		}
+		if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_OAEP_MD, 0, unsafe.Pointer(md)) != 1 {
+			return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+		}
+		if mgfHash != nil {
+			if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_MGF1_MD, 0, unsafe.Pointer(mgfMD)) != 1 {
+				return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+			}
+		}
+		// ctx takes ownership of label, so malloc a copy for OpenSSL to free.
+		// OpenSSL does not take ownership of the label if the length is zero,
+		// so better avoid the allocation.
+		var clabel *C.uchar
+		if len(label) > 0 {
+			clabel = (*C.uchar)(cryptoMalloc(len(label)))
+			copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label)
+			var err error
+			if vMajor == 3 {
+				ret := C.go_openssl_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, unsafe.Pointer(clabel), C.int(len(label)))
+				if ret != 1 {
+					err = newOpenSSLError("EVP_PKEY_CTX_set0_rsa_oaep_label failed")
+				}
+			} else {
+				ret := C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_OAEP_LABEL, C.int(len(label)), unsafe.Pointer(clabel))
+				if ret != 1 {
+					err = newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+				}
+			}
+			if err != nil {
+				cryptoFree(unsafe.Pointer(clabel))
+				return nil, err
+			}
+		}
+	case C.GO_RSA_PKCS1_PSS_PADDING:
+		alg := loadHash(ch)
+		if alg == nil {
+			return nil, errors.New("crypto/rsa: unsupported hash function")
+		}
+		if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)) != 1 {
+			return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+		}
+		// setPadding must happen after setting EVP_PKEY_CTRL_MD.
+		if err := setPadding(); err != nil {
+			return nil, err
+		}
+		if saltLen != 0 {
+			if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, C.GO_EVP_PKEY_RSA, -1, C.GO_EVP_PKEY_CTRL_RSA_PSS_SALTLEN, saltLen, nil) != 1 {
+				return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+			}
+		}
+
+	case C.GO_RSA_PKCS1_PADDING:
+		if ch != 0 {
+			// We support unhashed messages.
+			alg := loadHash(ch)
+			if alg == nil {
+				return nil, errors.New("crypto/rsa: unsupported hash function")
+			}
+			if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, -1, C.GO_EVP_PKEY_CTRL_MD, 0, unsafe.Pointer(alg.md)) != 1 {
+				return nil, newOpenSSLError("EVP_PKEY_CTX_ctrl failed")
+			}
+			if err := setPadding(); err != nil {
+				return nil, err
+			}
+		}
+	default:
+		if err := setPadding(); err != nil {
+			return nil, err
+		}
+	}
+	return ctx, nil
+}
+
+func cryptEVP(withKey withKeyFunc, padding C.int,
+	h, mgfHash hash.Hash, label []byte, saltLen C.int, ch crypto.Hash,
+	init initFunc, crypt cryptFunc, in []byte) ([]byte, error) {
+
+	ctx, err := setupEVP(withKey, padding, h, mgfHash, label, saltLen, ch, init)
+	if err != nil {
+		return nil, err
+	}
+	defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+	pkeySize := withKey(func(pkey C.GO_EVP_PKEY_PTR) C.int {
+		return C.go_openssl_EVP_PKEY_get_size(pkey)
+	})
+	outLen := C.size_t(pkeySize)
+	out := make([]byte, pkeySize)
+	if err := crypt(ctx, base(out), &outLen, base(in), C.size_t(len(in))); err != nil {
+		return nil, err
+	}
+	// The size returned by EVP_PKEY_get_size() is only preliminary and not exact,
+	// so the final contents of the out buffer may be smaller.
+	return out[:outLen], nil
+}
+
+func verifyEVP(withKey withKeyFunc, padding C.int,
+	h hash.Hash, label []byte, saltLen C.int, ch crypto.Hash,
+	init initFunc, verify verifyFunc,
+	sig, in []byte) error {
+
+	ctx, err := setupEVP(withKey, padding, h, nil, label, saltLen, ch, init)
+	if err != nil {
+		return err
+	}
+	defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+	return verify(ctx, base(sig), C.size_t(len(sig)), base(in), C.size_t(len(in)))
+}
+
+func evpEncrypt(withKey withKeyFunc, padding C.int, h, mgfHash hash.Hash, label, msg []byte) ([]byte, error) {
+	encryptInit := func(ctx C.GO_EVP_PKEY_CTX_PTR) error {
+		if ret := C.go_openssl_EVP_PKEY_encrypt_init(ctx); ret != 1 {
+			return newOpenSSLError("EVP_PKEY_encrypt_init failed")
+		}
+		return nil
+	}
+	encrypt := func(ctx C.GO_EVP_PKEY_CTX_PTR, out *C.uchar, outLen *C.size_t, in *C.uchar, inLen C.size_t) error {
+		if ret := C.go_openssl_EVP_PKEY_encrypt(ctx, out, outLen, in, inLen); ret != 1 {
+			return newOpenSSLError("EVP_PKEY_encrypt failed")
+		}
+		return nil
+	}
+	return cryptEVP(withKey, padding, h, mgfHash, label, 0, 0, encryptInit, encrypt, msg)
+}
+
+func evpDecrypt(withKey withKeyFunc, padding C.int, h, mgfHash hash.Hash, label, msg []byte) ([]byte, error) {
+	decryptInit := func(ctx C.GO_EVP_PKEY_CTX_PTR) error {
+		if ret := C.go_openssl_EVP_PKEY_decrypt_init(ctx); ret != 1 {
+			return newOpenSSLError("EVP_PKEY_decrypt_init failed")
+		}
+		return nil
+	}
+	decrypt := func(ctx C.GO_EVP_PKEY_CTX_PTR, out *C.uchar, outLen *C.size_t, in *C.uchar, inLen C.size_t) error {
+		if ret := C.go_openssl_EVP_PKEY_decrypt(ctx, out, outLen, in, inLen); ret != 1 {
+			return newOpenSSLError("EVP_PKEY_decrypt failed")
+		}
+		return nil
+	}
+	return cryptEVP(withKey, padding, h, mgfHash, label, 0, 0, decryptInit, decrypt, msg)
+}
+
+func evpSign(withKey withKeyFunc, padding C.int, saltLen C.int, h crypto.Hash, hashed []byte) ([]byte, error) {
+	signtInit := func(ctx C.GO_EVP_PKEY_CTX_PTR) error {
+		if ret := C.go_openssl_EVP_PKEY_sign_init(ctx); ret != 1 {
+			return newOpenSSLError("EVP_PKEY_sign_init failed")
+		}
+		return nil
+	}
+	sign := func(ctx C.GO_EVP_PKEY_CTX_PTR, out *C.uchar, outLen *C.size_t, in *C.uchar, inLen C.size_t) error {
+		if ret := C.go_openssl_EVP_PKEY_sign(ctx, out, outLen, in, inLen); ret != 1 {
+			return newOpenSSLError("EVP_PKEY_sign failed")
+		}
+		return nil
+	}
+	return cryptEVP(withKey, padding, nil, nil, nil, saltLen, h, signtInit, sign, hashed)
+}
+
+func evpVerify(withKey withKeyFunc, padding C.int, saltLen C.int, h crypto.Hash, sig, hashed []byte) error {
+	verifyInit := func(ctx C.GO_EVP_PKEY_CTX_PTR) error {
+		if ret := C.go_openssl_EVP_PKEY_verify_init(ctx); ret != 1 {
+			return newOpenSSLError("EVP_PKEY_verify_init failed")
+		}
+		return nil
+	}
+	verify := func(ctx C.GO_EVP_PKEY_CTX_PTR, out *C.uchar, outLen C.size_t, in *C.uchar, inLen C.size_t) error {
+		if ret := C.go_openssl_EVP_PKEY_verify(ctx, out, outLen, in, inLen); ret != 1 {
+			return newOpenSSLError("EVP_PKEY_verify failed")
+		}
+		return nil
+	}
+	return verifyEVP(withKey, padding, nil, nil, saltLen, h, verifyInit, verify, sig, hashed)
+}
+
+func evpHashSign(withKey withKeyFunc, h crypto.Hash, msg []byte) ([]byte, error) {
+	alg := loadHash(h)
+	if alg == nil {
+		return nil, errors.New("unsupported hash function: " + strconv.Itoa(int(h)))
+	}
+	var out []byte
+	var outLen C.size_t
+	ctx := C.go_openssl_EVP_MD_CTX_new()
+	if ctx == nil {
+		return nil, newOpenSSLError("EVP_MD_CTX_new failed")
+	}
+	defer C.go_openssl_EVP_MD_CTX_free(ctx)
+	if withKey(func(key C.GO_EVP_PKEY_PTR) C.int {
+		return C.go_openssl_EVP_DigestSignInit(ctx, nil, alg.md, nil, key)
+	}) != 1 {
+		return nil, newOpenSSLError("EVP_DigestSignInit failed")
+	}
+	if C.go_openssl_EVP_DigestUpdate(ctx, unsafe.Pointer(base(msg)), C.size_t(len(msg))) != 1 {
+		return nil, newOpenSSLError("EVP_DigestUpdate failed")
+	}
+	// Obtain the signature length
+	if C.go_openssl_EVP_DigestSignFinal(ctx, nil, &outLen) != 1 {
+		return nil, newOpenSSLError("EVP_DigestSignFinal failed")
+	}
+	out = make([]byte, outLen)
+	// Obtain the signature
+	if C.go_openssl_EVP_DigestSignFinal(ctx, base(out), &outLen) != 1 {
+		return nil, newOpenSSLError("EVP_DigestSignFinal failed")
+	}
+	return out[:outLen], nil
+}
+
+func evpHashVerify(withKey withKeyFunc, h crypto.Hash, msg, sig []byte) error {
+	alg := loadHash(h)
+	if alg == nil {
+		return errors.New("unsupported hash function: " + strconv.Itoa(int(h)))
+	}
+	ctx := C.go_openssl_EVP_MD_CTX_new()
+	if ctx == nil {
+		return newOpenSSLError("EVP_MD_CTX_new failed")
+	}
+	defer C.go_openssl_EVP_MD_CTX_free(ctx)
+	if withKey(func(key C.GO_EVP_PKEY_PTR) C.int {
+		return C.go_openssl_EVP_DigestVerifyInit(ctx, nil, alg.md, nil, key)
+	}) != 1 {
+		return newOpenSSLError("EVP_DigestVerifyInit failed")
+	}
+	if C.go_openssl_EVP_DigestUpdate(ctx, unsafe.Pointer(base(msg)), C.size_t(len(msg))) != 1 {
+		return newOpenSSLError("EVP_DigestUpdate failed")
+	}
+	if C.go_openssl_EVP_DigestVerifyFinal(ctx, base(sig), C.size_t(len(sig))) != 1 {
+		return newOpenSSLError("EVP_DigestVerifyFinal failed")
+	}
+	return nil
+}
+
+func newEVPPKEY(key C.GO_EC_KEY_PTR) (C.GO_EVP_PKEY_PTR, error) {
+	pkey := C.go_openssl_EVP_PKEY_new()
+	if pkey == nil {
+		return nil, newOpenSSLError("EVP_PKEY_new failed")
+	}
+	if C.go_openssl_EVP_PKEY_assign(pkey, C.GO_EVP_PKEY_EC, unsafe.Pointer(key)) != 1 {
+		C.go_openssl_EVP_PKEY_free(pkey)
+		return nil, newOpenSSLError("EVP_PKEY_assign failed")
+	}
+	return pkey, nil
+}
+
+// getECKey returns the EC_KEY from pkey.
+// If pkey does not contain an EC_KEY it panics.
+// The returned key should not be freed.
+func getECKey(pkey C.GO_EVP_PKEY_PTR) (key C.GO_EC_KEY_PTR) {
+	if vMajor == 1 && vMinor == 0 {
+		if key0 := C.go_openssl_EVP_PKEY_get0(pkey); key0 != nil {
+			key = C.GO_EC_KEY_PTR(key0)
+		}
+	} else {
+		key = C.go_openssl_EVP_PKEY_get0_EC_KEY(pkey)
+	}
+	if key == nil {
+		panic("pkey does not contain an EC_KEY")
+	}
+	return key
+}
+
+func newEvpFromParams(id C.int, selection C.int, params C.GO_OSSL_PARAM_PTR) (C.GO_EVP_PKEY_PTR, error) {
+	ctx := C.go_openssl_EVP_PKEY_CTX_new_id(id, nil)
+	if ctx == nil {
+		return nil, newOpenSSLError("EVP_PKEY_CTX_new_id")
+	}
+	defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+	if C.go_openssl_EVP_PKEY_fromdata_init(ctx) != 1 {
+		return nil, newOpenSSLError("EVP_PKEY_fromdata_init")
+	}
+	var pkey C.GO_EVP_PKEY_PTR
+	if C.go_openssl_EVP_PKEY_fromdata(ctx, &pkey, selection, params) != 1 {
+		if vMajor == 3 && vMinor <= 2 {
+			// OpenSSL 3.0.1 and 3.0.2 have a bug where EVP_PKEY_fromdata
+			// does not free the internally allocated EVP_PKEY on error.
+			// See https://github.com/openssl/openssl/issues/17407.
+			C.go_openssl_EVP_PKEY_free(pkey)
+		}
+		return nil, newOpenSSLError("EVP_PKEY_fromdata")
+	}
+	return pkey, nil
+}
+
+func checkPkey(pkey C.GO_EVP_PKEY_PTR, isPrivate bool) error {
+	ctx := C.go_openssl_EVP_PKEY_CTX_new(pkey, nil)
+	if ctx == nil {
+		return newOpenSSLError("EVP_PKEY_CTX_new")
+	}
+	defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+	if isPrivate {
+		if C.go_openssl_EVP_PKEY_private_check(ctx) != 1 {
+			// Match upstream error message.
+			return errors.New("invalid private key")
+		}
+	} else {
+		// Upstream Go does a partial check here, so do we.
+		if C.go_openssl_EVP_PKEY_public_check_quick(ctx) != 1 {
+			// Match upstream error message.
+			return errors.New("invalid public key")
+		}
+	}
+	return nil
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.c b/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.c
new file mode 100644
index 00000000000000..626f184badc53d
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.c
@@ -0,0 +1,248 @@
+//go:build unix || windows
+
+#include "goopenssl.h"
+
+#ifdef _WIN32
+# include <windows.h>
+# define dlsym (void*)GetProcAddress
+#else
+# include <dlfcn.h> // dlsym
+#endif
+#include <stdio.h> // fprintf
+
+// Approach taken from .Net System.Security.Cryptography.Native
+// https://github.com/dotnet/runtime/blob/f64246ce08fb7a58221b2b7c8e68f69c02522b0d/src/libraries/Native/Unix/System.Security.Cryptography.Native/opensslshim.c
+
+#define DEFINEFUNC(ret, func, args, argscall)                  ret (*_g_##func)args;
+#define DEFINEFUNC_LEGACY_1_1(ret, func, args, argscall)       DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_LEGACY_1_0(ret, func, args, argscall)       DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_LEGACY_1(ret, func, args, argscall)         DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_1_1(ret, func, args, argscall)              DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_1_1_1(ret, func, args, argscall)            DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_3_0(ret, func, args, argscall)              DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_RENAMED_1_1(ret, func, oldfunc, args, argscall) DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_RENAMED_3_0(ret, func, oldfunc, args, argscall) DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_VARIADIC_3_0(ret, func, newname, args, argscall)  DEFINEFUNC(ret, newname, args, argscall)
+
+FOR_ALL_OPENSSL_FUNCTIONS
+
+#undef DEFINEFUNC
+#undef DEFINEFUNC_LEGACY_1_1
+#undef DEFINEFUNC_LEGACY_1_0
+#undef DEFINEFUNC_LEGACY_1
+#undef DEFINEFUNC_1_1
+#undef DEFINEFUNC_1_1_1
+#undef DEFINEFUNC_3_0
+#undef DEFINEFUNC_RENAMED_1_1
+#undef DEFINEFUNC_RENAMED_3_0
+#undef DEFINEFUNC_VARIADIC_3_0
+
+// go_openssl_fips_enabled returns 1 if FIPS mode is enabled, 0 otherwise.
+// As a special case, it returns -1 if it cannot determine if FIPS mode is enabled.
+// See openssl.FIPS for details about its implementation.
+//
+// This function is reimplemented here because openssl.FIPS assumes that
+// all the OpenSSL bindings are loaded, that is, go_openssl_load_functions has
+// already been called. On the other hand, go_openssl_fips_enabled is called from
+// openssl.CheckVersion, which is used to check if a given OpenSSL shared library
+// exists and is FIPS compliant. That shared library might not be the one that
+// was passed to go_openssl_load_functions, or it might not even have been called at all.
+//
+// It is written in C because it is not possible to directly call C function pointers
+// retrieved using dlsym from Go.
+int
+go_openssl_fips_enabled(void* handle)
+{
+    // For OpenSSL 1.x.
+    int (*FIPS_mode)(void);
+    FIPS_mode = (int (*)(void))dlsym(handle, "FIPS_mode");
+    if (FIPS_mode != NULL)
+        return FIPS_mode();
+
+    // For OpenSSL 3.x.
+    int (*EVP_default_properties_is_fips_enabled)(void*) = (int (*)(void*))dlsym(handle, "EVP_default_properties_is_fips_enabled");
+    void *(*EVP_MD_fetch)(void*, const char*, const char*) = (void* (*)(void*, const char*, const char*))dlsym(handle, "EVP_MD_fetch");
+    void (*EVP_MD_free)(void*) = (void (*)(void*))dlsym(handle, "EVP_MD_free");
+
+    if (EVP_default_properties_is_fips_enabled == NULL || EVP_MD_fetch == NULL || EVP_MD_free == NULL) {
+        // Shouldn't happen, but if it does, we can't determine if FIPS mode is enabled.
+        return -1;
+    }
+
+    if (EVP_default_properties_is_fips_enabled(NULL) != 1)
+        return 0;
+
+    void *md = EVP_MD_fetch(NULL, "SHA2-256", NULL);
+    if (md == NULL)
+        return 0;
+
+    EVP_MD_free(md);
+    return 1;
+}
+
+// Load all the functions stored in FOR_ALL_OPENSSL_FUNCTIONS
+// and assign them to their corresponding function pointer
+// defined in goopenssl.h.
+void
+go_openssl_load_functions(void* handle, unsigned int major, unsigned int minor, unsigned int patch)
+{
+#define DEFINEFUNC_INTERNAL(name, func)                                                                         \
+    _g_##name = dlsym(handle, func);                                                                            \
+    if (_g_##name == NULL) {                                                                                    \
+        fprintf(stderr, "Cannot get required symbol " #func " from libcrypto version %u.%u\n", major, minor);   \
+        abort();                                                                                                \
+    }
+#define DEFINEFUNC(ret, func, args, argscall) \
+    DEFINEFUNC_INTERNAL(func, #func)
+#define DEFINEFUNC_LEGACY_1_1(ret, func, args, argscall)  \
+    if (major == 1 && minor == 1)                         \
+    {                                                     \
+        DEFINEFUNC_INTERNAL(func, #func)                  \
+    }
+#define DEFINEFUNC_LEGACY_1_0(ret, func, args, argscall)  \
+    if (major == 1 && minor == 0)                         \
+    {                                                     \
+        DEFINEFUNC_INTERNAL(func, #func)                  \
+    }
+#define DEFINEFUNC_LEGACY_1(ret, func, args, argscall)  \
+    if (major == 1)                                     \
+    {                                                   \
+        DEFINEFUNC_INTERNAL(func, #func)                \
+    }
+#define DEFINEFUNC_1_1(ret, func, args, argscall)     \
+    if (major == 3 || (major == 1 && minor == 1))     \
+    {                                                 \
+        DEFINEFUNC_INTERNAL(func, #func)              \
+    }
+#define DEFINEFUNC_1_1_1(ret, func, args, argscall)     \
+    if (major == 3 || (major == 1 && minor == 1 && patch == 1))     \
+    {                                                 \
+        DEFINEFUNC_INTERNAL(func, #func)              \
+    }
+#define DEFINEFUNC_3_0(ret, func, args, argscall)     \
+    if (major == 3)                                   \
+    {                                                 \
+        DEFINEFUNC_INTERNAL(func, #func)              \
+    }
+#define DEFINEFUNC_RENAMED_1_1(ret, func, oldfunc, args, argscall)  \
+    if (major == 1 && minor == 0)                                   \
+    {                                                               \
+        DEFINEFUNC_INTERNAL(func, #oldfunc)                         \
+    }                                                               \
+    else                                                            \
+    {                                                               \
+        DEFINEFUNC_INTERNAL(func, #func)                            \
+    }
+#define DEFINEFUNC_RENAMED_3_0(ret, func, oldfunc, args, argscall)  \
+    if (major == 1)                                                 \
+    {                                                               \
+        DEFINEFUNC_INTERNAL(func, #oldfunc)                         \
+    }                                                               \
+    else                                                            \
+    {                                                               \
+        DEFINEFUNC_INTERNAL(func, #func)                            \
+    }
+#define DEFINEFUNC_VARIADIC_3_0(ret, func, newname, args, argscall)   \
+    if (major == 3)                                                 \
+    {                                                               \
+        DEFINEFUNC_INTERNAL(newname, #func)                         \
+    }
+
+FOR_ALL_OPENSSL_FUNCTIONS
+
+#undef DEFINEFUNC
+#undef DEFINEFUNC_LEGACY_1_1
+#undef DEFINEFUNC_LEGACY_1_0
+#undef DEFINEFUNC_LEGACY_1
+#undef DEFINEFUNC_1_1
+#undef DEFINEFUNC_1_1_1
+#undef DEFINEFUNC_3_0
+#undef DEFINEFUNC_RENAMED_1_1
+#undef DEFINEFUNC_RENAMED_3_0
+#undef DEFINEFUNC_VARIADIC_3_0
+}
+
+static unsigned long
+version_num(void* handle)
+{
+    unsigned long (*fn)(void);
+    // OPENSSL_version_num is defined in OpenSSL 1.1.0 and 1.1.1.
+    fn = (unsigned long (*)(void))dlsym(handle, "OpenSSL_version_num");
+    if (fn != NULL)
+        return fn();
+
+    // SSLeay is defined in OpenSSL 1.0.2.
+    fn = (unsigned long (*)(void))dlsym(handle, "SSLeay");
+    if (fn != NULL)
+        return fn();
+
+    return 0;
+} 
+
+int
+go_openssl_version_major(void* handle)
+{
+    unsigned int (*fn)(void);
+    // OPENSSL_version_major is supported since OpenSSL 3.
+    fn = (unsigned int (*)(void))dlsym(handle, "OPENSSL_version_major");
+    if (fn != NULL)
+        return (int)fn();
+
+    // If OPENSSL_version_major is not defined, try with OpenSSL 1 functions.
+    unsigned long num = version_num(handle);
+    if (num < 0x10000000L || num >= 0x20000000L)
+        return -1;
+
+    return 1;
+}
+
+int
+go_openssl_version_minor(void* handle)
+{
+    unsigned int (*fn)(void);
+    // OPENSSL_version_minor is supported since OpenSSL 3.
+    fn = (unsigned int (*)(void))dlsym(handle, "OPENSSL_version_minor");
+    if (fn != NULL)
+        return (int)fn();
+
+    // If OPENSSL_version_minor is not defined, try with OpenSSL 1 functions.
+    unsigned long num = version_num(handle);
+    // OpenSSL version number follows this schema:
+    // MNNFFPPS: major minor fix patch status.
+    if (num < 0x10000000L || num >= 0x10200000L)
+    {
+        // We only support minor version 0 and 1,
+        // so there is no need to implement an algorithm
+        // that decodes the version number into individual components.
+        return -1;
+    }
+
+    if (num >= 0x10100000L)
+        return 1;
+    
+    return 0;
+}
+
+int
+go_openssl_version_patch(void* handle)
+{
+    unsigned int (*fn)(void);
+    // OPENSSL_version_patch is supported since OpenSSL 3.
+    fn = (unsigned int (*)(void))dlsym(handle, "OPENSSL_version_patch");
+    if (fn != NULL)
+        return (int)fn();
+
+    // If OPENSSL_version_patch is not defined, try with OpenSSL 1 functions.
+    unsigned long num = version_num(handle);
+    // OpenSSL version number follows this schema:
+    // MNNFFPPS: major minor fix patch status.
+    if (num < 0x10000000L || num >= 0x10200000L)
+    {
+        // We only support minor version 0 and 1,
+        // so there is no need to implement an algorithm
+        // that decodes the version number into individual components.
+        return -1;
+    }
+
+    return (num >> 12) & 0xff;
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h b/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h
new file mode 100644
index 00000000000000..f5cdced630679f
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/goopenssl.h
@@ -0,0 +1,261 @@
+// This header file describes the OpenSSL ABI as built for use in Go.
+
+#include <stdlib.h> // size_t
+
+#include "shims.h"
+
+// Suppress warnings about unused parameters.
+#define UNUSED(x) (void)(x)
+
+static inline void
+go_openssl_do_leak_check(void)
+{
+#ifndef __has_feature
+#define __has_feature(x) 0
+#endif
+
+#if (defined(__SANITIZE_ADDRESS__) && __SANITIZE_ADDRESS__) ||	\
+    __has_feature(address_sanitizer)
+    extern void __lsan_do_leak_check(void);
+    __lsan_do_leak_check();
+#endif
+}
+
+int go_openssl_fips_enabled(void* handle);
+int go_openssl_version_major(void* handle);
+int go_openssl_version_minor(void* handle);
+int go_openssl_version_patch(void* handle);
+int go_openssl_thread_setup(void);
+void go_openssl_load_functions(void* handle, unsigned int major, unsigned int minor, unsigned int patch);
+void go_openssl_DSA_get0_pqg_backport(const GO_DSA_PTR d, GO_BIGNUM_PTR *p, GO_BIGNUM_PTR *q, GO_BIGNUM_PTR *g);
+int go_openssl_DSA_set0_pqg_backport(GO_DSA_PTR d, GO_BIGNUM_PTR p, GO_BIGNUM_PTR q, GO_BIGNUM_PTR g);
+void go_openssl_DSA_get0_key_backport(const GO_DSA_PTR d, GO_BIGNUM_PTR *pub_key, GO_BIGNUM_PTR *priv_key);
+int go_openssl_DSA_set0_key_backport(GO_DSA_PTR d, GO_BIGNUM_PTR pub_key, GO_BIGNUM_PTR priv_key);
+
+// Define pointers to all the used OpenSSL functions.
+// Calling C function pointers from Go is currently not supported.
+// It is possible to circumvent this by using a C function wrapper.
+// https://pkg.go.dev/cmd/cgo
+#define DEFINEFUNC(ret, func, args, argscall)      \
+    extern ret (*_g_##func)args;                   \
+    static inline ret go_openssl_##func args       \
+    {                                              \
+        return _g_##func argscall;                 \
+    }
+#define DEFINEFUNC_LEGACY_1_1(ret, func, args, argscall)    \
+    DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_LEGACY_1_0(ret, func, args, argscall)    \
+    DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_LEGACY_1(ret, func, args, argscall)  \
+    DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_1_1(ret, func, args, argscall)   \
+    DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_1_1_1(ret, func, args, argscall)     \
+    DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_3_0(ret, func, args, argscall)     \
+    DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_RENAMED_1_1(ret, func, oldfunc, args, argscall)     \
+    DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_RENAMED_3_0(ret, func, oldfunc, args, argscall)     \
+    DEFINEFUNC(ret, func, args, argscall)
+#define DEFINEFUNC_VARIADIC_3_0(ret, func, newname, args, argscall)     \
+    DEFINEFUNC(ret, newname, args, argscall)
+
+FOR_ALL_OPENSSL_FUNCTIONS
+
+#undef DEFINEFUNC
+#undef DEFINEFUNC_LEGACY_1_1
+#undef DEFINEFUNC_LEGACY_1_0
+#undef DEFINEFUNC_LEGACY_1
+#undef DEFINEFUNC_1_1
+#undef DEFINEFUNC_1_1_1
+#undef DEFINEFUNC_3_0
+#undef DEFINEFUNC_RENAMED_1_1
+#undef DEFINEFUNC_RENAMED_3_0
+#undef DEFINEFUNC_VARIADIC_3_0
+
+// go_hash_sum copies ctx into ctx2 and calls EVP_DigestFinal using ctx2.
+// This is necessary because Go hash.Hash mandates that Sum has no effect
+// on the underlying stream. In particular it is OK to Sum, then Write more,
+// then Sum again, and the second Sum acts as if the first didn't happen.
+// It is written in C because Sum() tend to be in the hot path,
+// and doing one cgo call instead of two is a significant performance win.
+static inline int
+go_hash_sum(GO_EVP_MD_CTX_PTR ctx, GO_EVP_MD_CTX_PTR ctx2, unsigned char *out)
+{
+    if (go_openssl_EVP_MD_CTX_copy(ctx2, ctx) != 1)
+        return 0;
+    // TODO: use EVP_DigestFinal_ex once we know why it leaks
+    // memory on OpenSSL 1.0.2.
+    return go_openssl_EVP_DigestFinal(ctx2, out, NULL);
+}
+
+// These wrappers allocate out_len on the C stack to avoid having to pass a pointer from Go, which would escape to the heap.
+// Use them only in situations where the output length can be safely discarded.
+static inline int
+go_openssl_EVP_EncryptUpdate_wrapper(GO_EVP_CIPHER_CTX_PTR ctx, unsigned char *out, const unsigned char *in, int in_len)
+{
+    int len;
+    return go_openssl_EVP_EncryptUpdate(ctx, out, &len, in, in_len);
+}
+
+static inline int
+go_openssl_EVP_DecryptUpdate_wrapper(GO_EVP_CIPHER_CTX_PTR ctx, unsigned char *out, const unsigned char *in, int in_len)
+{
+    int len;
+    return go_openssl_EVP_DecryptUpdate(ctx, out, &len, in, in_len);
+}
+
+static inline int
+go_openssl_EVP_CipherUpdate_wrapper(GO_EVP_CIPHER_CTX_PTR ctx, unsigned char *out, const unsigned char *in, int in_len)
+{
+    int len;
+    return go_openssl_EVP_CipherUpdate(ctx, out, &len, in, in_len);
+}
+
+// These wrappers also allocate length variables on the C stack to avoid escape to the heap, but do return the result.
+// A struct is returned that contains multiple return values instead of OpenSSL's approach of using pointers.
+
+typedef struct
+{
+    int result;
+    size_t keylen;
+} go_openssl_EVP_PKEY_derive_wrapper_out;
+
+static inline go_openssl_EVP_PKEY_derive_wrapper_out
+go_openssl_EVP_PKEY_derive_wrapper(GO_EVP_PKEY_CTX_PTR ctx, unsigned char *key, size_t keylen)
+{
+    go_openssl_EVP_PKEY_derive_wrapper_out r = {0, keylen};
+    r.result = go_openssl_EVP_PKEY_derive(ctx, key, &r.keylen);
+    return r;
+}
+
+typedef struct
+{
+    int result;
+    size_t len;
+} go_openssl_EVP_PKEY_get_raw_key_out;
+
+static inline go_openssl_EVP_PKEY_get_raw_key_out
+go_openssl_EVP_PKEY_get_raw_public_key_wrapper(const GO_EVP_PKEY_PTR pkey, unsigned char *pub, size_t len)
+{
+    go_openssl_EVP_PKEY_get_raw_key_out r = {0, len};
+    r.result = go_openssl_EVP_PKEY_get_raw_public_key(pkey, pub, &r.len);
+    return r;
+}
+
+static inline go_openssl_EVP_PKEY_get_raw_key_out
+go_openssl_EVP_PKEY_get_raw_private_key_wrapper(const GO_EVP_PKEY_PTR pkey, unsigned char *priv, size_t len)
+{
+    go_openssl_EVP_PKEY_get_raw_key_out r = {0, len};
+    r.result = go_openssl_EVP_PKEY_get_raw_private_key(pkey, priv, &r.len);
+    return r;
+}
+
+typedef struct
+{
+    int result;
+    size_t siglen;
+} go_openssl_EVP_DigestSign_wrapper_out;
+
+static inline go_openssl_EVP_DigestSign_wrapper_out
+go_openssl_EVP_DigestSign_wrapper(GO_EVP_MD_CTX_PTR ctx, unsigned char *sigret, size_t siglen, const unsigned char *tbs, size_t tbslen)
+{
+    go_openssl_EVP_DigestSign_wrapper_out r = {0, siglen};
+    r.result = go_openssl_EVP_DigestSign(ctx, sigret, &r.siglen, tbs, tbslen);
+    return r;
+}
+
+// These wrappers allocate out_len on the C stack, and check that it matches the expected
+// value, to avoid having to pass a pointer from Go, which would escape to the heap.
+
+static inline int
+go_openssl_EVP_CIPHER_CTX_seal_wrapper(const GO_EVP_CIPHER_CTX_PTR ctx,
+                                       unsigned char *out,
+                                       const unsigned char *nonce,
+                                       const unsigned char *in, int in_len,
+                                       const unsigned char *aad, int aad_len)
+{
+    if (in_len == 0) in = (const unsigned char *)"";
+    if (aad_len == 0) aad = (const unsigned char *)"";
+
+    if (go_openssl_EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, nonce) != 1)
+        return 0;
+
+    int discard_len, out_len;
+    if (go_openssl_EVP_EncryptUpdate(ctx, NULL, &discard_len, aad, aad_len) != 1
+        || go_openssl_EVP_EncryptUpdate(ctx, out, &out_len, in, in_len) != 1
+        || go_openssl_EVP_EncryptFinal_ex(ctx, out + out_len, &discard_len) != 1)
+    {
+        return 0;
+    }
+
+    if (in_len != out_len)
+        return 0;
+
+    return go_openssl_EVP_CIPHER_CTX_ctrl(ctx, GO_EVP_CTRL_GCM_GET_TAG, 16, out + out_len);
+}
+
+static inline int
+go_openssl_EVP_CIPHER_CTX_open_wrapper(const GO_EVP_CIPHER_CTX_PTR ctx,
+                                       unsigned char *out,
+                                       const unsigned char *nonce,
+                                       const unsigned char *in, int in_len,
+                                       const unsigned char *aad, int aad_len,
+                                       const unsigned char *tag)
+{
+    if (in_len == 0) {
+        in = (const unsigned char *)"";
+        // OpenSSL 1.0.2 in FIPS mode contains a bug: it will fail to verify
+        // unless EVP_DecryptUpdate is called at least once with a non-NULL
+        // output buffer.  OpenSSL will not dereference the output buffer when
+        // the input length is zero, so set it to an arbitrary non-NULL pointer
+        // to satisfy OpenSSL when the caller only has authenticated additional
+        // data (AAD) to verify. While a stack-allocated buffer could be used,
+        // that would risk a stack-corrupting buffer overflow if OpenSSL
+        // unexpectedly dereferenced it. Instead pass a value which would
+        // segfault if dereferenced on any modern platform where a NULL-pointer
+        // dereference would also segfault.
+        if (out == NULL) out = (unsigned char *)1;
+    }
+    if (aad_len == 0) aad = (const unsigned char *)"";
+
+    if (go_openssl_EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, nonce) != 1)
+        return 0;
+
+    // OpenSSL 1.0.x FIPS Object Module 2.0 versions below 2.0.5 require that
+    // the tag be set before the ciphertext, otherwise EVP_DecryptUpdate returns
+    // an error. At least one extant commercially-supported, FIPS validated
+    // build of OpenSSL 1.0.2 uses FIPS module version 2.0.1. Set the tag first
+    // to maximize compatibility with all OpenSSL version combinations.
+    if (go_openssl_EVP_CIPHER_CTX_ctrl(ctx, GO_EVP_CTRL_GCM_SET_TAG, 16, (unsigned char *)(tag)) != 1)
+        return 0;
+
+    int discard_len, out_len;
+    if (go_openssl_EVP_DecryptUpdate(ctx, NULL, &discard_len, aad, aad_len) != 1
+        || go_openssl_EVP_DecryptUpdate(ctx, out, &out_len, in, in_len) != 1)
+    {
+        return 0;
+    }
+
+    if (go_openssl_EVP_DecryptFinal_ex(ctx, out + out_len, &discard_len) != 1)
+        return 0;
+
+    if (out_len != in_len)
+        return 0;
+
+    return 1;
+}
+
+// Hand-roll custom wrappers for CRYPTO_malloc and CRYPTO_free which cast the
+// function pointers to the correct signatures for OpenSSL 1.0.2.
+
+static inline void *
+go_openssl_CRYPTO_malloc_legacy102(int num, const char *file, int line) {
+    return ((void *(*)(int, const char *, int))_g_CRYPTO_malloc)(num, file, line);
+}
+
+static inline void
+go_openssl_CRYPTO_free_legacy102(void *str) {
+    ((void (*)(void *))_g_CRYPTO_free)(str);
+}
\ No newline at end of file
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/hash.go b/src/vendor/github.com/golang-fips/openssl/v2/hash.go
new file mode 100644
index 00000000000000..b2109857b49bdf
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/hash.go
@@ -0,0 +1,714 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"crypto"
+	"errors"
+	"hash"
+	"runtime"
+	"strconv"
+	"sync"
+	"unsafe"
+)
+
+// maxHashSize is the size of SHA52 and SHA3_512, the largest hashes we support.
+const maxHashSize = 64
+
+// NOTE: Implementation ported from https://go-review.googlesource.com/c/go/+/404295.
+// The cgo calls in this file are arranged to avoid marking the parameters as escaping.
+// To do that, we call noescape (including via addr).
+// We must also make sure that the data pointer arguments have the form unsafe.Pointer(&...)
+// so that cgo does not annotate them with cgoCheckPointer calls. If it did that, it might look
+// beyond the byte slice and find Go pointers in unprocessed parts of a larger allocation.
+// To do both of these simultaneously, the idiom is unsafe.Pointer(&*addr(p)),
+// where addr returns the base pointer of p, substituting a non-nil pointer for nil,
+// and applying a noescape along the way.
+// This is all to preserve compatibility with the allocation behavior of the non-openssl implementations.
+
+func hashOneShot(ch crypto.Hash, p []byte, sum []byte) bool {
+	return C.go_openssl_EVP_Digest(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), (*C.uchar)(unsafe.Pointer(&*addr(sum))), nil, loadHash(ch).md, nil) != 0
+}
+
+func MD4(p []byte) (sum [16]byte) {
+	if !hashOneShot(crypto.MD4, p, sum[:]) {
+		panic("openssl: MD4 failed")
+	}
+	return
+}
+
+func MD5(p []byte) (sum [16]byte) {
+	if !hashOneShot(crypto.MD5, p, sum[:]) {
+		panic("openssl: MD5 failed")
+	}
+	return
+}
+
+func SHA1(p []byte) (sum [20]byte) {
+	if !hashOneShot(crypto.SHA1, p, sum[:]) {
+		panic("openssl: SHA1 failed")
+	}
+	return
+}
+
+func SHA224(p []byte) (sum [28]byte) {
+	if !hashOneShot(crypto.SHA224, p, sum[:]) {
+		panic("openssl: SHA224 failed")
+	}
+	return
+}
+
+func SHA256(p []byte) (sum [32]byte) {
+	if !hashOneShot(crypto.SHA256, p, sum[:]) {
+		panic("openssl: SHA256 failed")
+	}
+	return
+}
+
+func SHA384(p []byte) (sum [48]byte) {
+	if !hashOneShot(crypto.SHA384, p, sum[:]) {
+		panic("openssl: SHA384 failed")
+	}
+	return
+}
+
+func SHA512(p []byte) (sum [64]byte) {
+	if !hashOneShot(crypto.SHA512, p, sum[:]) {
+		panic("openssl: SHA512 failed")
+	}
+	return
+}
+
+func SHA512_224(p []byte) (sum [28]byte) {
+	if !hashOneShot(crypto.SHA512_224, p, sum[:]) {
+		panic("openssl: SHA512 failed")
+	}
+	return
+}
+
+func SHA512_256(p []byte) (sum [32]byte) {
+	if !hashOneShot(crypto.SHA512_256, p, sum[:]) {
+		panic("openssl: SHA512_256 failed")
+	}
+	return
+}
+
+// cacheHashSupported is a cache of crypto.Hash support.
+var cacheHashSupported sync.Map
+
+// SupportsHash reports whether the current OpenSSL version supports the given hash.
+func SupportsHash(h crypto.Hash) bool {
+	if v, ok := cacheHashSupported.Load(h); ok {
+		return v.(bool)
+	}
+	alg := loadHash(h)
+	if alg == nil {
+		cacheHashSupported.Store(h, false)
+		return false
+	}
+	// EVP_MD objects can be non-nil even when they can't be used
+	// in a EVP_MD_CTX, e.g. MD5 in FIPS mode. We need to prove
+	// if they can be used by passing them to a EVP_MD_CTX.
+	var supported bool
+	if ctx := C.go_openssl_EVP_MD_CTX_new(); ctx != nil {
+		supported = C.go_openssl_EVP_DigestInit_ex(ctx, alg.md, nil) == 1
+		C.go_openssl_EVP_MD_CTX_free(ctx)
+	}
+	cacheHashSupported.Store(h, supported)
+	return supported
+}
+
+func SHA3_224(p []byte) (sum [28]byte) {
+	if !hashOneShot(crypto.SHA3_224, p, sum[:]) {
+		panic("openssl: SHA3_224 failed")
+	}
+	return
+}
+
+func SHA3_256(p []byte) (sum [32]byte) {
+	if !hashOneShot(crypto.SHA3_256, p, sum[:]) {
+		panic("openssl: SHA3_256 failed")
+	}
+	return
+}
+
+func SHA3_384(p []byte) (sum [48]byte) {
+	if !hashOneShot(crypto.SHA3_384, p, sum[:]) {
+		panic("openssl: SHA3_384 failed")
+	}
+	return
+}
+
+func SHA3_512(p []byte) (sum [64]byte) {
+	if !hashOneShot(crypto.SHA3_512, p, sum[:]) {
+		panic("openssl: SHA3_512 failed")
+	}
+	return
+}
+
+// NewMD4 returns a new MD4 hash.
+// The returned hash doesn't implement encoding.BinaryMarshaler and
+// encoding.BinaryUnmarshaler.
+func NewMD4() hash.Hash {
+	return newEvpHash(crypto.MD4)
+}
+
+// NewMD5 returns a new MD5 hash.
+func NewMD5() hash.Hash {
+	return newEvpHash(crypto.MD5)
+}
+
+// NewSHA1 returns a new SHA1 hash.
+func NewSHA1() hash.Hash {
+	return newEvpHash(crypto.SHA1)
+}
+
+// NewSHA224 returns a new SHA224 hash.
+func NewSHA224() hash.Hash {
+	return newEvpHash(crypto.SHA224)
+}
+
+// NewSHA256 returns a new SHA256 hash.
+func NewSHA256() hash.Hash {
+	return newEvpHash(crypto.SHA256)
+}
+
+// NewSHA384 returns a new SHA384 hash.
+func NewSHA384() hash.Hash {
+	return newEvpHash(crypto.SHA384)
+}
+
+// NewSHA512 returns a new SHA512 hash.
+func NewSHA512() hash.Hash {
+	return newEvpHash(crypto.SHA512)
+}
+
+// NewSHA512_224 returns a new SHA512_224 hash.
+func NewSHA512_224() hash.Hash {
+	return newEvpHash(crypto.SHA512_224)
+}
+
+// NewSHA512_256 returns a new SHA512_256 hash.
+func NewSHA512_256() hash.Hash {
+	return newEvpHash(crypto.SHA512_256)
+}
+
+// NewSHA3_224 returns a new SHA3-224 hash.
+func NewSHA3_224() hash.Hash {
+	return newEvpHash(crypto.SHA3_224)
+}
+
+// NewSHA3_256 returns a new SHA3-256 hash.
+func NewSHA3_256() hash.Hash {
+	return newEvpHash(crypto.SHA3_256)
+}
+
+// NewSHA3_384 returns a new SHA3-384 hash.
+func NewSHA3_384() hash.Hash {
+	return newEvpHash(crypto.SHA3_384)
+}
+
+// NewSHA3_512 returns a new SHA3-512 hash.
+func NewSHA3_512() hash.Hash {
+	return newEvpHash(crypto.SHA3_512)
+}
+
+// isHashMarshallable returns true if the memory layout of md
+// is known by this library and can therefore be marshalled.
+func isHashMarshallable(md C.GO_EVP_MD_PTR) bool {
+	if vMajor == 1 {
+		return true
+	}
+	prov := C.go_openssl_EVP_MD_get0_provider(md)
+	if prov == nil {
+		return false
+	}
+	cname := C.go_openssl_OSSL_PROVIDER_get0_name(prov)
+	if cname == nil {
+		return false
+	}
+	name := C.GoString(cname)
+	// We only know the memory layout of the built-in providers.
+	// See evpHash.hashState for more details.
+	marshallable := name == "default" || name == "fips"
+	return marshallable
+}
+
+// cloneHash is an interface that defines a Clone method.
+//
+// hahs.CloneHash will probably be added in Go 1.25, see https://golang.org/issue/69521,
+// but we need it now.
+type cloneHash interface {
+	hash.Hash
+	// Clone returns a separate Hash instance with the same state as h.
+	Clone() hash.Hash
+}
+
+var _ hash.Hash = (*evpHash)(nil)
+var _ cloneHash = (*evpHash)(nil)
+
+// evpHash implements generic hash methods.
+type evpHash struct {
+	alg *hashAlgorithm
+	ctx C.GO_EVP_MD_CTX_PTR
+	// ctx2 is used in evpHash.sum to avoid changing
+	// the state of ctx. Having it here allows reusing the
+	// same allocated object multiple times.
+	ctx2 C.GO_EVP_MD_CTX_PTR
+}
+
+func newEvpHash(ch crypto.Hash) *evpHash {
+	alg := loadHash(ch)
+	if alg == nil {
+		panic("openssl: unsupported hash function: " + strconv.Itoa(int(ch)))
+	}
+	h := &evpHash{alg: alg}
+	// Don't call init() yet, it would be wasteful
+	// if the caller only wants to know the hash type. This
+	// is a common pattern in this package, as some functions
+	// accept a `func() hash.Hash` parameter and call it just
+	// to know the hash type.
+	return h
+}
+
+func (h *evpHash) finalize() {
+	if h.ctx != nil {
+		C.go_openssl_EVP_MD_CTX_free(h.ctx)
+	}
+	if h.ctx2 != nil {
+		C.go_openssl_EVP_MD_CTX_free(h.ctx2)
+	}
+}
+
+func (h *evpHash) init() {
+	if h.ctx != nil {
+		return
+	}
+	h.ctx = C.go_openssl_EVP_MD_CTX_new()
+	if C.go_openssl_EVP_DigestInit_ex(h.ctx, h.alg.md, nil) != 1 {
+		C.go_openssl_EVP_MD_CTX_free(h.ctx)
+		panic(newOpenSSLError("EVP_DigestInit_ex"))
+	}
+	h.ctx2 = C.go_openssl_EVP_MD_CTX_new()
+	runtime.SetFinalizer(h, (*evpHash).finalize)
+}
+
+func (h *evpHash) Reset() {
+	if h.ctx == nil {
+		// The hash is not initialized yet, no need to reset.
+		return
+	}
+	// There is no need to reset h.ctx2 because it is always reset after
+	// use in evpHash.sum.
+	if C.go_openssl_EVP_DigestInit_ex(h.ctx, nil, nil) != 1 {
+		panic(newOpenSSLError("EVP_DigestInit_ex"))
+	}
+	runtime.KeepAlive(h)
+}
+
+func (h *evpHash) Write(p []byte) (int, error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+	h.init()
+	if C.go_openssl_EVP_DigestUpdate(h.ctx, unsafe.Pointer(&*addr(p)), C.size_t(len(p))) != 1 {
+		panic(newOpenSSLError("EVP_DigestUpdate"))
+	}
+	runtime.KeepAlive(h)
+	return len(p), nil
+}
+
+func (h *evpHash) WriteString(s string) (int, error) {
+	if len(s) == 0 {
+		return 0, nil
+	}
+	h.init()
+	if C.go_openssl_EVP_DigestUpdate(h.ctx, unsafe.Pointer(unsafe.StringData(s)), C.size_t(len(s))) == 0 {
+		panic("openssl: EVP_DigestUpdate failed")
+	}
+	runtime.KeepAlive(h)
+	return len(s), nil
+}
+
+func (h *evpHash) WriteByte(c byte) error {
+	h.init()
+	if C.go_openssl_EVP_DigestUpdate(h.ctx, unsafe.Pointer(&c), 1) == 0 {
+		panic("openssl: EVP_DigestUpdate failed")
+	}
+	runtime.KeepAlive(h)
+	return nil
+}
+
+func (h *evpHash) Size() int {
+	return h.alg.size
+}
+
+func (h *evpHash) BlockSize() int {
+	return h.alg.blockSize
+}
+
+func (h *evpHash) Sum(in []byte) []byte {
+	h.init()
+	out := make([]byte, h.Size(), maxHashSize) // explicit cap to allow stack allocation
+	if C.go_hash_sum(h.ctx, h.ctx2, base(out)) != 1 {
+		panic(newOpenSSLError("go_hash_sum"))
+	}
+	runtime.KeepAlive(h)
+	return append(in, out...)
+}
+
+// Clone returns a new evpHash object that is a deep clone of itself.
+// The duplicate object contains all state and data contained in the
+// original object at the point of duplication.
+func (h *evpHash) Clone() hash.Hash {
+	h2 := &evpHash{alg: h.alg}
+	if h.ctx != nil {
+		h2.ctx = C.go_openssl_EVP_MD_CTX_new()
+		if h2.ctx == nil {
+			panic(newOpenSSLError("EVP_MD_CTX_new"))
+		}
+		if C.go_openssl_EVP_MD_CTX_copy_ex(h2.ctx, h.ctx) != 1 {
+			C.go_openssl_EVP_MD_CTX_free(h2.ctx)
+			panic(newOpenSSLError("EVP_MD_CTX_copy"))
+		}
+		h2.ctx2 = C.go_openssl_EVP_MD_CTX_new()
+		if h2.ctx2 == nil {
+			C.go_openssl_EVP_MD_CTX_free(h2.ctx)
+			panic(newOpenSSLError("EVP_MD_CTX_new"))
+		}
+		runtime.SetFinalizer(h2, (*evpHash).finalize)
+	}
+	runtime.KeepAlive(h)
+	return h2
+}
+
+// hashState returns a pointer to the internal hash structure.
+//
+// The EVP_MD_CTX memory layout has changed in OpenSSL 3
+// and the property holding the internal structure is no longer md_data but algctx.
+func hashState(ctx C.GO_EVP_MD_CTX_PTR) unsafe.Pointer {
+	switch vMajor {
+	case 1:
+		// https://github.com/openssl/openssl/blob/0418e993c717a6863f206feaa40673a261de7395/crypto/evp/evp_local.h#L12.
+		type mdCtx struct {
+			_       [2]unsafe.Pointer
+			_       C.ulong
+			md_data unsafe.Pointer
+		}
+		return (*mdCtx)(unsafe.Pointer(ctx)).md_data
+	case 3:
+		// https://github.com/openssl/openssl/blob/5675a5aaf6a2e489022bcfc18330dae9263e598e/crypto/evp/evp_local.h#L16.
+		type mdCtx struct {
+			_      [3]unsafe.Pointer
+			_      C.ulong
+			_      [3]unsafe.Pointer
+			algctx unsafe.Pointer
+		}
+		return (*mdCtx)(unsafe.Pointer(ctx)).algctx
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+func (d *evpHash) MarshalBinary() ([]byte, error) {
+	if !d.alg.marshallable {
+		return nil, errors.New("openssl: hash state is not marshallable")
+	}
+	buf := make([]byte, 0, d.alg.marshalledSize)
+	return d.AppendBinary(buf)
+}
+
+func (d *evpHash) AppendBinary(buf []byte) ([]byte, error) {
+	defer runtime.KeepAlive(d)
+	d.init()
+	if !d.alg.marshallable {
+		return nil, errors.New("openssl: hash state is not marshallable")
+	}
+	state := hashState(d.ctx)
+	if state == nil {
+		return nil, errors.New("openssl: can't retrieve hash state")
+	}
+	var appender interface {
+		AppendBinary([]byte) ([]byte, error)
+	}
+	switch d.alg.ch {
+	case crypto.MD5:
+		appender = (*md5State)(state)
+	case crypto.SHA1:
+		appender = (*sha1State)(state)
+	case crypto.SHA224:
+		appender = (*sha256State)(state)
+	case crypto.SHA256:
+		appender = (*sha256State)(state)
+	case crypto.SHA384:
+		appender = (*sha512State)(state)
+	case crypto.SHA512:
+		appender = (*sha512State)(state)
+	case crypto.SHA512_224:
+		appender = (*sha512State)(state)
+	case crypto.SHA512_256:
+		appender = (*sha512State)(state)
+	default:
+		panic("openssl: unsupported hash function: " + strconv.Itoa(int(d.alg.ch)))
+	}
+	buf = append(buf, d.alg.magic[:]...)
+	return appender.AppendBinary(buf)
+}
+
+func (d *evpHash) UnmarshalBinary(b []byte) error {
+	defer runtime.KeepAlive(d)
+	d.init()
+	if !d.alg.marshallable {
+		return errors.New("openssl: hash state is not marshallable")
+	}
+	if len(b) < len(d.alg.magic) || string(b[:len(d.alg.magic)]) != string(d.alg.magic[:]) {
+		return errors.New("openssl: invalid hash state identifier")
+	}
+	if len(b) != d.alg.marshalledSize {
+		return errors.New("openssl: invalid hash state size")
+	}
+	state := hashState(d.ctx)
+	if state == nil {
+		return errors.New("openssl: can't retrieve hash state")
+	}
+	b = b[len(d.alg.magic):]
+	var unmarshaler interface {
+		UnmarshalBinary([]byte) error
+	}
+	switch d.alg.ch {
+	case crypto.MD5:
+		unmarshaler = (*md5State)(state)
+	case crypto.SHA1:
+		unmarshaler = (*sha1State)(state)
+	case crypto.SHA224:
+		unmarshaler = (*sha256State)(state)
+	case crypto.SHA256:
+		unmarshaler = (*sha256State)(state)
+	case crypto.SHA384:
+		unmarshaler = (*sha512State)(state)
+	case crypto.SHA512:
+		unmarshaler = (*sha512State)(state)
+	case crypto.SHA512_224:
+		unmarshaler = (*sha512State)(state)
+	case crypto.SHA512_256:
+		unmarshaler = (*sha512State)(state)
+	default:
+		panic("openssl: unsupported hash function: " + strconv.Itoa(int(d.alg.ch)))
+	}
+	return unmarshaler.UnmarshalBinary(b)
+}
+
+// md5State layout is taken from
+// https://github.com/openssl/openssl/blob/0418e993c717a6863f206feaa40673a261de7395/include/openssl/md5.h#L33.
+type md5State struct {
+	h      [4]uint32
+	nl, nh uint32
+	x      [64]byte
+	nx     uint32
+}
+
+const (
+	md5Magic         = "md5\x01"
+	md5MarshaledSize = len(md5Magic) + 4*4 + 64 + 8
+)
+
+func (d *md5State) UnmarshalBinary(b []byte) error {
+	b, d.h[0] = consumeUint32(b)
+	b, d.h[1] = consumeUint32(b)
+	b, d.h[2] = consumeUint32(b)
+	b, d.h[3] = consumeUint32(b)
+	b = b[copy(d.x[:], b):]
+	_, n := consumeUint64(b)
+	d.nl = uint32(n << 3)
+	d.nh = uint32(n >> 29)
+	d.nx = uint32(n) % 64
+	return nil
+}
+
+func (d *md5State) AppendBinary(buf []byte) ([]byte, error) {
+	buf = appendUint32(buf, d.h[0])
+	buf = appendUint32(buf, d.h[1])
+	buf = appendUint32(buf, d.h[2])
+	buf = appendUint32(buf, d.h[3])
+	buf = append(buf, d.x[:d.nx]...)
+	buf = append(buf, make([]byte, len(d.x)-int(d.nx))...)
+	buf = appendUint64(buf, uint64(d.nl)>>3|uint64(d.nh)<<29)
+	return buf, nil
+}
+
+// sha1State layout is taken from
+// https://github.com/openssl/openssl/blob/0418e993c717a6863f206feaa40673a261de7395/include/openssl/sha.h#L34.
+type sha1State struct {
+	h      [5]uint32
+	nl, nh uint32
+	x      [64]byte
+	nx     uint32
+}
+
+const (
+	sha1Magic         = "sha\x01"
+	sha1MarshaledSize = len(sha1Magic) + 5*4 + 64 + 8
+)
+
+func (d *sha1State) UnmarshalBinary(b []byte) error {
+	b, d.h[0] = consumeUint32(b)
+	b, d.h[1] = consumeUint32(b)
+	b, d.h[2] = consumeUint32(b)
+	b, d.h[3] = consumeUint32(b)
+	b, d.h[4] = consumeUint32(b)
+	b = b[copy(d.x[:], b):]
+	_, n := consumeUint64(b)
+	d.nl = uint32(n << 3)
+	d.nh = uint32(n >> 29)
+	d.nx = uint32(n) % 64
+	return nil
+}
+
+func (d *sha1State) AppendBinary(buf []byte) ([]byte, error) {
+	buf = appendUint32(buf, d.h[0])
+	buf = appendUint32(buf, d.h[1])
+	buf = appendUint32(buf, d.h[2])
+	buf = appendUint32(buf, d.h[3])
+	buf = appendUint32(buf, d.h[4])
+	buf = append(buf, d.x[:d.nx]...)
+	buf = append(buf, make([]byte, len(d.x)-int(d.nx))...)
+	buf = appendUint64(buf, uint64(d.nl)>>3|uint64(d.nh)<<29)
+	return buf, nil
+}
+
+const (
+	magic224         = "sha\x02"
+	magic256         = "sha\x03"
+	marshaledSize256 = len(magic256) + 8*4 + 64 + 8
+)
+
+// sha256State layout is taken from
+// https://github.com/openssl/openssl/blob/0418e993c717a6863f206feaa40673a261de7395/include/openssl/sha.h#L51.
+type sha256State struct {
+	h      [8]uint32
+	nl, nh uint32
+	x      [64]byte
+	nx     uint32
+}
+
+func (d *sha256State) UnmarshalBinary(b []byte) error {
+	b, d.h[0] = consumeUint32(b)
+	b, d.h[1] = consumeUint32(b)
+	b, d.h[2] = consumeUint32(b)
+	b, d.h[3] = consumeUint32(b)
+	b, d.h[4] = consumeUint32(b)
+	b, d.h[5] = consumeUint32(b)
+	b, d.h[6] = consumeUint32(b)
+	b, d.h[7] = consumeUint32(b)
+	b = b[copy(d.x[:], b):]
+	_, n := consumeUint64(b)
+	d.nl = uint32(n << 3)
+	d.nh = uint32(n >> 29)
+	d.nx = uint32(n) % 64
+	return nil
+}
+
+func (d *sha256State) AppendBinary(buf []byte) ([]byte, error) {
+	buf = appendUint32(buf, d.h[0])
+	buf = appendUint32(buf, d.h[1])
+	buf = appendUint32(buf, d.h[2])
+	buf = appendUint32(buf, d.h[3])
+	buf = appendUint32(buf, d.h[4])
+	buf = appendUint32(buf, d.h[5])
+	buf = appendUint32(buf, d.h[6])
+	buf = appendUint32(buf, d.h[7])
+	buf = append(buf, d.x[:d.nx]...)
+	buf = append(buf, make([]byte, len(d.x)-int(d.nx))...)
+	buf = appendUint64(buf, uint64(d.nl)>>3|uint64(d.nh)<<29)
+	return buf, nil
+}
+
+// sha512State layout is taken from
+// https://github.com/openssl/openssl/blob/0418e993c717a6863f206feaa40673a261de7395/include/openssl/sha.h#L95.
+type sha512State struct {
+	h      [8]uint64
+	nl, nh uint64
+	x      [128]byte
+	nx     uint32
+}
+
+const (
+	magic384         = "sha\x04"
+	magic512_224     = "sha\x05"
+	magic512_256     = "sha\x06"
+	magic512         = "sha\x07"
+	marshaledSize512 = len(magic512) + 8*8 + 128 + 8
+)
+
+func (d *sha512State) MarshalBinary() ([]byte, error) {
+	buf := make([]byte, 0, marshaledSize512)
+	return d.AppendBinary(buf)
+}
+
+func (d *sha512State) UnmarshalBinary(b []byte) error {
+	b, d.h[0] = consumeUint64(b)
+	b, d.h[1] = consumeUint64(b)
+	b, d.h[2] = consumeUint64(b)
+	b, d.h[3] = consumeUint64(b)
+	b, d.h[4] = consumeUint64(b)
+	b, d.h[5] = consumeUint64(b)
+	b, d.h[6] = consumeUint64(b)
+	b, d.h[7] = consumeUint64(b)
+	b = b[copy(d.x[:], b):]
+	_, n := consumeUint64(b)
+	d.nl = n << 3
+	d.nh = n >> 61
+	d.nx = uint32(n) % 128
+	return nil
+}
+
+func (d *sha512State) AppendBinary(buf []byte) ([]byte, error) {
+	buf = appendUint64(buf, d.h[0])
+	buf = appendUint64(buf, d.h[1])
+	buf = appendUint64(buf, d.h[2])
+	buf = appendUint64(buf, d.h[3])
+	buf = appendUint64(buf, d.h[4])
+	buf = appendUint64(buf, d.h[5])
+	buf = appendUint64(buf, d.h[6])
+	buf = appendUint64(buf, d.h[7])
+	buf = append(buf, d.x[:d.nx]...)
+	buf = append(buf, make([]byte, len(d.x)-int(d.nx))...)
+	buf = appendUint64(buf, d.nl>>3|d.nh<<61)
+	return buf, nil
+}
+
+// appendUint64 appends x into b as a big endian byte sequence.
+func appendUint64(b []byte, x uint64) []byte {
+	return append(b,
+		byte(x>>56),
+		byte(x>>48),
+		byte(x>>40),
+		byte(x>>32),
+		byte(x>>24),
+		byte(x>>16),
+		byte(x>>8),
+		byte(x),
+	)
+}
+
+// appendUint32 appends x into b as a big endian byte sequence.
+func appendUint32(b []byte, x uint32) []byte {
+	return append(b, byte(x>>24), byte(x>>16), byte(x>>8), byte(x))
+}
+
+// consumeUint64 reads a big endian uint64 number from b.
+func consumeUint64(b []byte) ([]byte, uint64) {
+	_ = b[7]
+	x := uint64(b[7]) | uint64(b[6])<<8 | uint64(b[5])<<16 | uint64(b[4])<<24 |
+		uint64(b[3])<<32 | uint64(b[2])<<40 | uint64(b[1])<<48 | uint64(b[0])<<56
+	return b[8:], x
+}
+
+// consumeUint32 reads a big endian uint32 number from b.
+func consumeUint32(b []byte) ([]byte, uint32) {
+	_ = b[3]
+	x := uint32(b[3]) | uint32(b[2])<<8 | uint32(b[1])<<16 | uint32(b[0])<<24
+	return b[4:], x
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/hkdf.go b/src/vendor/github.com/golang-fips/openssl/v2/hkdf.go
new file mode 100644
index 00000000000000..d4f8aa6a92a6fb
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/hkdf.go
@@ -0,0 +1,322 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"errors"
+	"hash"
+	"io"
+	"runtime"
+	"sync"
+	"unsafe"
+)
+
+// SupprtHKDF reports whether the current OpenSSL version supports HKDF.
+func SupportsHKDF() bool {
+	switch vMajor {
+	case 1:
+		return versionAtOrAbove(1, 1, 1)
+	case 3:
+		_, err := fetchHKDF3()
+		return err == nil
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+func newHKDFCtx1(md C.GO_EVP_MD_PTR, mode C.int, secret, salt, pseudorandomKey, info []byte) (ctx C.GO_EVP_PKEY_CTX_PTR, err error) {
+	checkMajorVersion(1)
+
+	ctx = C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_HKDF, nil)
+	if ctx == nil {
+		return nil, newOpenSSLError("EVP_PKEY_CTX_new_id")
+	}
+	defer func() {
+		if err != nil {
+			C.go_openssl_EVP_PKEY_CTX_free(ctx)
+		}
+	}()
+
+	if C.go_openssl_EVP_PKEY_derive_init(ctx) != 1 {
+		return ctx, newOpenSSLError("EVP_PKEY_derive_init")
+	}
+
+	ctrlSlice := func(ctrl int, data []byte) C.int {
+		if len(data) == 0 {
+			return 1 // No data to set.
+		}
+		return C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, C.GO1_EVP_PKEY_OP_DERIVE, C.int(ctrl), C.int(len(data)), unsafe.Pointer(base(data)))
+	}
+
+	if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, C.GO1_EVP_PKEY_OP_DERIVE, C.GO_EVP_PKEY_CTRL_HKDF_MODE, mode, nil) != 1 {
+		return ctx, newOpenSSLError("EVP_PKEY_CTX_set_hkdf_mode")
+	}
+	if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1, C.GO1_EVP_PKEY_OP_DERIVE, C.GO_EVP_PKEY_CTRL_HKDF_MD, 0, unsafe.Pointer(md)) != 1 {
+		return ctx, newOpenSSLError("EVP_PKEY_CTX_set_hkdf_md")
+	}
+	if ctrlSlice(C.GO_EVP_PKEY_CTRL_HKDF_KEY, secret) != 1 {
+		return ctx, newOpenSSLError("EVP_PKEY_CTX_set1_hkdf_key")
+	}
+	if ctrlSlice(C.GO_EVP_PKEY_CTRL_HKDF_SALT, salt) != 1 {
+		return ctx, newOpenSSLError("EVP_PKEY_CTX_set1_hkdf_salt")
+	}
+	if ctrlSlice(C.GO_EVP_PKEY_CTRL_HKDF_KEY, pseudorandomKey) != 1 {
+		return ctx, newOpenSSLError("EVP_PKEY_CTX_set1_hkdf_key")
+	}
+	if ctrlSlice(C.GO_EVP_PKEY_CTRL_HKDF_INFO, info) != 1 {
+		return ctx, newOpenSSLError("EVP_PKEY_CTX_add1_hkdf_info")
+	}
+	return ctx, nil
+}
+
+type hkdf1 struct {
+	ctx C.GO_EVP_PKEY_CTX_PTR
+
+	hashLen int
+	buf     []byte
+}
+
+func (c *hkdf1) finalize() {
+	if c.ctx != nil {
+		C.go_openssl_EVP_PKEY_CTX_free(c.ctx)
+	}
+}
+
+func (c *hkdf1) Read(p []byte) (int, error) {
+	defer runtime.KeepAlive(c)
+
+	// EVP_PKEY_derive doesn't support incremental output, each call
+	// derives the key from scratch and returns the requested bytes.
+	// To implement io.Reader, we need to ask for len(c.buf) + len(p)
+	// bytes and copy the last derived len(p) bytes to p.
+	// We use c.buf to know how many bytes we've already derived and
+	// to avoid allocating the whole output buffer on each call.
+	prevLen := len(c.buf)
+	needLen := len(p)
+	remains := 255*c.hashLen - prevLen
+	// Check whether enough data can be generated.
+	if remains < needLen {
+		return 0, errors.New("hkdf: entropy limit reached")
+	}
+	c.buf = append(c.buf, make([]byte, needLen)...)
+	outLen := C.size_t(prevLen + needLen)
+	if C.go_openssl_EVP_PKEY_derive_wrapper(c.ctx, base(c.buf), outLen).result != 1 {
+		return 0, newOpenSSLError("EVP_PKEY_derive")
+	}
+	n := copy(p, c.buf[prevLen:outLen])
+	return n, nil
+}
+
+func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
+	if !SupportsHKDF() {
+		return nil, errUnsupportedVersion()
+	}
+
+	md, err := hashFuncToMD(h)
+	if err != nil {
+		return nil, err
+	}
+
+	switch vMajor {
+	case 1:
+		ctx, err := newHKDFCtx1(md, C.GO_EVP_KDF_HKDF_MODE_EXTRACT_ONLY, secret, salt, nil, nil)
+		if err != nil {
+			return nil, err
+		}
+		defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+		r := C.go_openssl_EVP_PKEY_derive_wrapper(ctx, nil, 0)
+		if r.result != 1 {
+			return nil, newOpenSSLError("EVP_PKEY_derive_init")
+		}
+		out := make([]byte, r.keylen)
+		if C.go_openssl_EVP_PKEY_derive_wrapper(ctx, base(out), r.keylen).result != 1 {
+			return nil, newOpenSSLError("EVP_PKEY_derive")
+		}
+		return out[:r.keylen], nil
+	case 3:
+		ctx, err := newHKDFCtx3(md, C.GO_EVP_KDF_HKDF_MODE_EXTRACT_ONLY, secret, salt, nil, nil)
+		if err != nil {
+			return nil, err
+		}
+		defer C.go_openssl_EVP_KDF_CTX_free(ctx)
+		out := make([]byte, C.go_openssl_EVP_KDF_CTX_get_kdf_size(ctx))
+		if C.go_openssl_EVP_KDF_derive(ctx, base(out), C.size_t(len(out)), nil) != 1 {
+			return nil, newOpenSSLError("EVP_KDF_derive")
+		}
+		return out, nil
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+// ExpandHKDFOneShot derives a key from the given hash, key, and optional context info.
+func ExpandHKDFOneShot(h func() hash.Hash, pseudorandomKey, info []byte, keyLength int) ([]byte, error) {
+	if !SupportsHKDF() {
+		return nil, errUnsupportedVersion()
+	}
+
+	md, err := hashFuncToMD(h)
+	if err != nil {
+		return nil, err
+	}
+
+	out := make([]byte, keyLength)
+	switch vMajor {
+	case 1:
+		ctx, err := newHKDFCtx1(md, C.GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info)
+		if err != nil {
+			return nil, err
+		}
+		defer C.go_openssl_EVP_PKEY_CTX_free(ctx)
+		if C.go_openssl_EVP_PKEY_derive_wrapper(ctx, base(out), C.size_t(keyLength)).result != 1 {
+			return nil, newOpenSSLError("EVP_PKEY_derive")
+		}
+	case 3:
+		ctx, err := newHKDFCtx3(md, C.GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info)
+		if err != nil {
+			return nil, err
+		}
+		defer C.go_openssl_EVP_KDF_CTX_free(ctx)
+		if C.go_openssl_EVP_KDF_derive(ctx, base(out), C.size_t(keyLength), nil) != 1 {
+			return nil, newOpenSSLError("EVP_KDF_derive")
+		}
+	default:
+		panic(errUnsupportedVersion())
+	}
+	return out, nil
+}
+
+func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte) (io.Reader, error) {
+	if !SupportsHKDF() {
+		return nil, errUnsupportedVersion()
+	}
+
+	md, err := hashFuncToMD(h)
+	if err != nil {
+		return nil, err
+	}
+
+	switch vMajor {
+	case 1:
+		ctx, err := newHKDFCtx1(md, C.GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info)
+		if err != nil {
+			return nil, err
+		}
+		c := &hkdf1{ctx: ctx, hashLen: int(C.go_openssl_EVP_MD_get_size(md))}
+		runtime.SetFinalizer(c, (*hkdf1).finalize)
+		return c, nil
+	case 3:
+		ctx, err := newHKDFCtx3(md, C.GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY, nil, nil, pseudorandomKey, info)
+		if err != nil {
+			return nil, err
+		}
+		c := &hkdf3{ctx: ctx, hashLen: int(C.go_openssl_EVP_MD_get_size(md))}
+		runtime.SetFinalizer(c, (*hkdf3).finalize)
+		return c, nil
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+type hkdf3 struct {
+	ctx C.GO_EVP_KDF_CTX_PTR
+
+	hashLen int
+	buf     []byte
+}
+
+func (c *hkdf3) finalize() {
+	if c.ctx != nil {
+		C.go_openssl_EVP_KDF_CTX_free(c.ctx)
+	}
+}
+
+// fetchHKDF3 fetches the HKDF algorithm.
+// It is safe to call this function concurrently.
+// The returned EVP_KDF_PTR shouldn't be freed.
+var fetchHKDF3 = sync.OnceValues(func() (C.GO_EVP_KDF_PTR, error) {
+	checkMajorVersion(3)
+
+	name := C.CString("HKDF")
+	kdf := C.go_openssl_EVP_KDF_fetch(nil, name, nil)
+	C.free(unsafe.Pointer(name))
+	if kdf == nil {
+		return nil, newOpenSSLError("EVP_KDF_fetch")
+	}
+	return kdf, nil
+})
+
+// newHKDFCtx3 implements HKDF for OpenSSL 3 using the EVP_KDF API.
+func newHKDFCtx3(md C.GO_EVP_MD_PTR, mode C.int, secret, salt, pseudorandomKey, info []byte) (_ C.GO_EVP_KDF_CTX_PTR, err error) {
+	checkMajorVersion(3)
+
+	kdf, err := fetchHKDF3()
+	if err != nil {
+		return nil, err
+	}
+	ctx := C.go_openssl_EVP_KDF_CTX_new(kdf)
+	if ctx == nil {
+		return nil, newOpenSSLError("EVP_KDF_CTX_new")
+	}
+	defer func() {
+		if err != nil {
+			C.go_openssl_EVP_KDF_CTX_free(ctx)
+		}
+	}()
+
+	bld, err := newParamBuilder()
+	if err != nil {
+		return ctx, err
+	}
+	bld.addUTF8String(_OSSL_KDF_PARAM_DIGEST, C.go_openssl_EVP_MD_get0_name(md), 0)
+	bld.addInt32(_OSSL_KDF_PARAM_MODE, int32(mode))
+	if len(secret) > 0 {
+		bld.addOctetString(_OSSL_KDF_PARAM_KEY, secret)
+	}
+	if len(salt) > 0 {
+		bld.addOctetString(_OSSL_KDF_PARAM_SALT, salt)
+	}
+	if len(pseudorandomKey) > 0 {
+		bld.addOctetString(_OSSL_KDF_PARAM_KEY, pseudorandomKey)
+	}
+	if len(info) > 0 {
+		bld.addOctetString(_OSSL_KDF_PARAM_INFO, info)
+	}
+	params, err := bld.build()
+	if err != nil {
+		return ctx, err
+	}
+	defer C.go_openssl_OSSL_PARAM_free(params)
+
+	if C.go_openssl_EVP_KDF_CTX_set_params(ctx, params) != 1 {
+		return ctx, newOpenSSLError("EVP_KDF_CTX_set_params")
+	}
+	return ctx, nil
+}
+
+func (c *hkdf3) Read(p []byte) (int, error) {
+	defer runtime.KeepAlive(c)
+
+	// EVP_KDF_derive doesn't support incremental output, each call
+	// derives the key from scratch and returns the requested bytes.
+	// To implement io.Reader, we need to ask for len(c.buf) + len(p)
+	// bytes and copy the last derived len(p) bytes to p.
+	// We use c.buf to know how many bytes we've already derived and
+	// to avoid allocating the whole output buffer on each call.
+	prevLen := len(c.buf)
+	needLen := len(p)
+	remains := 255*c.hashLen - prevLen
+	// Check whether enough data can be generated.
+	if remains < needLen {
+		return 0, errors.New("hkdf: entropy limit reached")
+	}
+	c.buf = append(c.buf, make([]byte, needLen)...)
+	outLen := C.size_t(prevLen + needLen)
+	if C.go_openssl_EVP_KDF_derive(c.ctx, base(c.buf), outLen, nil) != 1 {
+		return 0, newOpenSSLError("EVP_KDF_derive")
+	}
+	n := copy(p, c.buf[prevLen:outLen])
+	return n, nil
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/hmac.go b/src/vendor/github.com/golang-fips/openssl/v2/hmac.go
new file mode 100644
index 00000000000000..b519ba3111dcc3
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/hmac.go
@@ -0,0 +1,274 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"hash"
+	"runtime"
+	"sync"
+	"unsafe"
+)
+
+// NewHMAC returns a new HMAC using OpenSSL.
+// The function h must return a hash implemented by
+// OpenSSL (for example, h could be openssl.NewSHA256).
+// If h is not recognized, NewHMAC returns nil.
+func NewHMAC(fh func() hash.Hash, key []byte) hash.Hash {
+	h, _ := hashFuncHash(fh)
+	md := hashToMD(h)
+	if md == nil {
+		return nil
+	}
+
+	if len(key) == 0 {
+		// This is supported in OpenSSL/Standard lib and as such
+		// we must support it here. When using HMAC with a null key
+		// HMAC_Init will try and reuse the key from the ctx. This is
+		// not the behavior previously implemented, so as a workaround
+		// we pass an "empty" key.
+		key = make([]byte, C.GO_EVP_MAX_MD_SIZE)
+	}
+
+	hmac := &opensslHMAC{
+		size:      h.Size(),
+		blockSize: h.BlockSize(),
+	}
+
+	switch vMajor {
+	case 1:
+		ctx := newHMAC1(key, md)
+		if ctx.ctx == nil {
+			return nil
+		}
+		hmac.ctx1 = ctx
+	case 3:
+		ctx := newHMAC3(key, md)
+		if ctx.ctx == nil {
+			return nil
+		}
+		hmac.ctx3 = ctx
+	default:
+		panic(errUnsupportedVersion())
+	}
+	runtime.SetFinalizer(hmac, (*opensslHMAC).finalize)
+	return hmac
+}
+
+// hmacCtx3 is used for OpenSSL 1.
+type hmacCtx1 struct {
+	ctx C.GO_HMAC_CTX_PTR
+}
+
+// hmacCtx3 is used for OpenSSL 3.
+type hmacCtx3 struct {
+	ctx C.GO_EVP_MAC_CTX_PTR
+	key []byte // only set for OpenSSL 3.0.0, 3.0.1, and 3.0.2.
+}
+
+type opensslHMAC struct {
+	ctx1      hmacCtx1
+	ctx3      hmacCtx3
+	size      int
+	blockSize int
+	sum       []byte
+}
+
+func newHMAC1(key []byte, md C.GO_EVP_MD_PTR) hmacCtx1 {
+	ctx := hmacCtxNew()
+	if ctx == nil {
+		panic("openssl: EVP_MAC_CTX_new failed")
+	}
+	if C.go_openssl_HMAC_Init_ex(ctx, unsafe.Pointer(&key[0]), C.int(len(key)), md, nil) == 0 {
+		panic(newOpenSSLError("HMAC_Init_ex failed"))
+	}
+	return hmacCtx1{ctx}
+}
+
+var hmacDigestsSupported sync.Map
+var fetchHMAC3 = sync.OnceValue(func() C.GO_EVP_MAC_PTR {
+	name := C.CString("HMAC")
+	mac := C.go_openssl_EVP_MAC_fetch(nil, name, nil)
+	C.free(unsafe.Pointer(name))
+	if mac == nil {
+		panic("openssl: HMAC not supported")
+	}
+	return mac
+})
+
+func buildHMAC3Params(digest *C.char) (C.GO_OSSL_PARAM_PTR, error) {
+	bld, err := newParamBuilder()
+	if err != nil {
+		return nil, err
+	}
+	defer bld.finalize()
+	bld.addUTF8String(_OSSL_MAC_PARAM_DIGEST, digest, 0)
+	return bld.build()
+}
+
+func isHMAC3DigestSupported(digest string) bool {
+	if v, ok := hmacDigestsSupported.Load(digest); ok {
+		return v.(bool)
+	}
+	ctx := C.go_openssl_EVP_MAC_CTX_new(fetchHMAC3())
+	if ctx == nil {
+		panic(newOpenSSLError("EVP_MAC_CTX_new"))
+	}
+	defer C.go_openssl_EVP_MAC_CTX_free(ctx)
+
+	cdigest := C.CString(digest)
+	defer C.free(unsafe.Pointer(cdigest))
+	params, err := buildHMAC3Params(cdigest)
+	if err != nil {
+		panic(err)
+	}
+	defer C.go_openssl_OSSL_PARAM_free(params)
+
+	supported := C.go_openssl_EVP_MAC_CTX_set_params(ctx, params) != 0
+	hmacDigestsSupported.Store(digest, supported)
+	return supported
+}
+
+func newHMAC3(key []byte, md C.GO_EVP_MD_PTR) hmacCtx3 {
+	digest := C.go_openssl_EVP_MD_get0_name(md)
+	if !isHMAC3DigestSupported(C.GoString(digest)) {
+		// The digest is not supported by the HMAC provider.
+		// Don't panic here so the Go standard library to
+		// fall back to the Go implementation.
+		// See https://github.com/golang-fips/openssl/issues/153.
+		return hmacCtx3{}
+	}
+	params, err := buildHMAC3Params(digest)
+	if err != nil {
+		panic(err)
+	}
+	defer C.go_openssl_OSSL_PARAM_free(params)
+
+	ctx := C.go_openssl_EVP_MAC_CTX_new(fetchHMAC3())
+	if ctx == nil {
+		panic(newOpenSSLError("EVP_MAC_CTX_new"))
+	}
+
+	if C.go_openssl_EVP_MAC_init(ctx, base(key), C.size_t(len(key)), params) == 0 {
+		C.go_openssl_EVP_MAC_CTX_free(ctx)
+		panic(newOpenSSLError("EVP_MAC_init"))
+	}
+	var hkey []byte
+	if vMinor == 0 && vPatch <= 2 {
+		// EVP_MAC_init only resets the ctx internal state if a key is passed
+		// when using OpenSSL 3.0.0, 3.0.1, and 3.0.2. Save a copy of the key
+		// in the context so Reset can use it later. New OpenSSL versions
+		// do not have this issue so it isn't necessary to save the key.
+		// See https://github.com/openssl/openssl/issues/17811.
+		hkey = make([]byte, len(key))
+		copy(hkey, key)
+	}
+	return hmacCtx3{ctx, hkey}
+}
+
+func (h *opensslHMAC) Reset() {
+	switch vMajor {
+	case 1:
+		if C.go_openssl_HMAC_Init_ex(h.ctx1.ctx, nil, 0, nil, nil) == 0 {
+			panic(newOpenSSLError("HMAC_Init_ex failed"))
+		}
+	case 3:
+		if C.go_openssl_EVP_MAC_init(h.ctx3.ctx, base(h.ctx3.key), C.size_t(len(h.ctx3.key)), nil) == 0 {
+			panic(newOpenSSLError("EVP_MAC_init failed"))
+		}
+	default:
+		panic(errUnsupportedVersion())
+	}
+
+	runtime.KeepAlive(h) // Next line will keep h alive too; just making doubly sure.
+	h.sum = nil
+}
+
+func (h *opensslHMAC) finalize() {
+	switch vMajor {
+	case 1:
+		hmacCtxFree(h.ctx1.ctx)
+	case 3:
+		C.go_openssl_EVP_MAC_CTX_free(h.ctx3.ctx)
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+func (h *opensslHMAC) Write(p []byte) (int, error) {
+	if len(p) > 0 {
+		switch vMajor {
+		case 1:
+			C.go_openssl_HMAC_Update(h.ctx1.ctx, base(p), C.size_t(len(p)))
+		case 3:
+			C.go_openssl_EVP_MAC_update(h.ctx3.ctx, base(p), C.size_t(len(p)))
+		default:
+			panic(errUnsupportedVersion())
+		}
+	}
+	runtime.KeepAlive(h)
+	return len(p), nil
+}
+
+func (h *opensslHMAC) Size() int {
+	return h.size
+}
+
+func (h *opensslHMAC) BlockSize() int {
+	return h.blockSize
+}
+
+func (h *opensslHMAC) Sum(in []byte) []byte {
+	if h.sum == nil {
+		size := h.Size()
+		h.sum = make([]byte, size)
+	}
+	// Make copy of context because Go hash.Hash mandates
+	// that Sum has no effect on the underlying stream.
+	// In particular it is OK to Sum, then Write more, then Sum again,
+	// and the second Sum acts as if the first didn't happen.
+	switch vMajor {
+	case 1:
+		ctx2 := hmacCtxNew()
+		if ctx2 == nil {
+			panic("openssl: HMAC_CTX_new failed")
+		}
+		defer hmacCtxFree(ctx2)
+		if C.go_openssl_HMAC_CTX_copy(ctx2, h.ctx1.ctx) == 0 {
+			panic("openssl: HMAC_CTX_copy failed")
+		}
+		C.go_openssl_HMAC_Final(ctx2, base(h.sum), nil)
+	case 3:
+		ctx2 := C.go_openssl_EVP_MAC_CTX_dup(h.ctx3.ctx)
+		if ctx2 == nil {
+			panic("openssl: EVP_MAC_CTX_dup failed")
+		}
+		defer C.go_openssl_EVP_MAC_CTX_free(ctx2)
+		C.go_openssl_EVP_MAC_final(ctx2, base(h.sum), nil, C.size_t(len(h.sum)))
+	default:
+		panic(errUnsupportedVersion())
+	}
+	return append(in, h.sum...)
+}
+
+func hmacCtxNew() C.GO_HMAC_CTX_PTR {
+	if vMajor == 1 && vMinor == 0 {
+		// 0x120 is the sizeof value when building against OpenSSL 1.0.2 on Ubuntu 16.04.
+		ctx := (C.GO_HMAC_CTX_PTR)(C.malloc(0x120))
+		if ctx != nil {
+			C.go_openssl_HMAC_CTX_init(ctx)
+		}
+		return ctx
+	}
+	return C.go_openssl_HMAC_CTX_new()
+}
+
+func hmacCtxFree(ctx C.GO_HMAC_CTX_PTR) {
+	if vMajor == 1 && vMinor == 0 {
+		C.go_openssl_HMAC_CTX_cleanup(ctx)
+		C.free(unsafe.Pointer(ctx))
+		return
+	}
+	C.go_openssl_HMAC_CTX_free(ctx)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/init.go b/src/vendor/github.com/golang-fips/openssl/v2/init.go
new file mode 100644
index 00000000000000..a14663298b2fd4
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/init.go
@@ -0,0 +1,64 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"errors"
+)
+
+// opensslInit loads and initialize OpenSSL.
+// If successful, it returns the major and minor OpenSSL version
+// as reported by the OpenSSL API.
+//
+// See Init() for details about file.
+func opensslInit(file string) (major, minor, patch uint, err error) {
+	// Load the OpenSSL shared library using dlopen.
+	handle, err := dlopen(file)
+	if err != nil {
+		return 0, 0, 0, err
+	}
+
+	// Retrieve the loaded OpenSSL version and check if it is supported.
+	// Notice that major and minor could not match with the version parameter
+	// in case the name of the shared library file differs from the OpenSSL
+	// version it contains.
+	imajor := int(C.go_openssl_version_major(handle))
+	iminor := int(C.go_openssl_version_minor(handle))
+	ipatch := int(C.go_openssl_version_patch(handle))
+	if imajor < 0 || iminor < 0 || ipatch < 0 {
+		return 0, 0, 0, errors.New("openssl: can't retrieve OpenSSL version")
+	}
+	major, minor, patch = uint(imajor), uint(iminor), uint(ipatch)
+	var supported bool
+	if major == 1 {
+		supported = minor == 0 || minor == 1
+	} else if major == 3 {
+		// OpenSSL guarantees API and ABI compatibility within the same major version since OpenSSL 3.
+		supported = true
+	}
+	if !supported {
+		return 0, 0, 0, errUnsupportedVersion()
+	}
+
+	// Load the OpenSSL functions.
+	// See shims.go for the complete list of supported functions.
+	C.go_openssl_load_functions(handle, C.uint(major), C.uint(minor), C.uint(patch))
+
+	// Initialize OpenSSL.
+	C.go_openssl_OPENSSL_init()
+	if major == 1 && minor == 0 {
+		if C.go_openssl_thread_setup() != 1 {
+			return 0, 0, 0, fail("openssl: thread setup")
+		}
+		C.go_openssl_OPENSSL_add_all_algorithms_conf()
+		C.go_openssl_ERR_load_crypto_strings()
+	} else {
+		flags := C.uint64_t(C.GO_OPENSSL_INIT_ADD_ALL_CIPHERS | C.GO_OPENSSL_INIT_ADD_ALL_DIGESTS | C.GO_OPENSSL_INIT_LOAD_CONFIG | C.GO_OPENSSL_INIT_LOAD_CRYPTO_STRINGS)
+		if C.go_openssl_OPENSSL_init_crypto(flags, nil) != 1 {
+			return 0, 0, 0, fail("openssl: init crypto")
+		}
+	}
+	return major, minor, patch, nil
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go b/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go
new file mode 100644
index 00000000000000..5c09da86ee10f4
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/init_unix.go
@@ -0,0 +1,31 @@
+//go:build unix && !cmd_go_bootstrap
+
+package openssl
+
+// #cgo LDFLAGS: -ldl -pthread
+// #include <stdlib.h>
+// #include <dlfcn.h>
+import "C"
+import (
+	"errors"
+	"unsafe"
+)
+
+func dlopen(file string) (handle unsafe.Pointer, err error) {
+	cv := C.CString(file)
+	defer C.free(unsafe.Pointer(cv))
+	handle = C.dlopen(cv, C.RTLD_LAZY|C.RTLD_LOCAL)
+	if handle == nil {
+		errstr := C.GoString(C.dlerror())
+		return nil, errors.New("openssl: can't load " + file + ": " + errstr)
+	}
+	return handle, nil
+}
+
+func dlclose(handle unsafe.Pointer) error {
+	if C.dlclose(handle) != 0 {
+		errstr := C.GoString(C.dlerror())
+		return errors.New("openssl: can't close libcrypto: " + errstr)
+	}
+	return nil
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/init_windows.go b/src/vendor/github.com/golang-fips/openssl/v2/init_windows.go
new file mode 100644
index 00000000000000..3778e21227abb9
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/init_windows.go
@@ -0,0 +1,36 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+type dlopenError struct {
+	file string
+	err  error
+}
+
+func (e *dlopenError) Error() string {
+	return "openssl: can't load " + e.file + ": " + e.err.Error()
+}
+
+func (e *dlopenError) Unwrap() error {
+	return e.err
+}
+
+func dlopen(file string) (handle unsafe.Pointer, err error) {
+	// As Windows generally does not ship with a system OpenSSL library, let
+	// alone a FIPS 140 certified one, use the default library search order so
+	// that we preferentially load the DLL bundled with the application.
+	h, err := syscall.LoadLibrary(file)
+	if err != nil {
+		return nil, &dlopenError{file: file, err: err}
+	}
+	return unsafe.Pointer(h), nil
+}
+
+func dlclose(handle unsafe.Pointer) error {
+	return syscall.FreeLibrary(syscall.Handle(handle))
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/openssl.go b/src/vendor/github.com/golang-fips/openssl/v2/openssl.go
new file mode 100644
index 00000000000000..ec39bf1533cae0
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/openssl.go
@@ -0,0 +1,506 @@
+//go:build !cmd_go_bootstrap
+
+// Package openssl provides access to OpenSSL cryptographic functions.
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"encoding/binary"
+	"errors"
+	"math/bits"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"unsafe"
+)
+
+var (
+	// vMajor and vMinor hold the major/minor OpenSSL version.
+	// It is only populated if Init has been called.
+	vMajor, vMinor, vPatch uint
+)
+
+var (
+	initOnce sync.Once
+	initErr  error
+)
+
+var nativeEndian binary.ByteOrder
+
+// CheckVersion checks if the OpenSSL version can be loaded
+// and if the FIPS mode is enabled.
+// This function can be called before Init.
+func CheckVersion(version string) (exists, fips bool) {
+	handle, _ := dlopen(version)
+	if handle == nil {
+		return false, false
+	}
+	defer dlclose(handle)
+	enabled := C.go_openssl_fips_enabled(handle)
+	fips = enabled == 1
+	// If go_openssl_fips_enabled returns -1, it means that all or some of the necessary
+	// functions are not available. This can be due to the version of OpenSSL being too old,
+	// too incompatible, or the shared library not being an OpenSSL library. In any case,
+	// we shouldn't consider this library to be valid for our purposes.
+	exists = enabled != -1
+	return
+}
+
+// Init loads and initializes OpenSSL from the shared library at path.
+// It must be called before any other OpenSSL call, except CheckVersion.
+//
+// Only the first call to Init is effective.
+// Subsequent calls will return the same error result as the one from the first call.
+//
+// The file is passed to dlopen() verbatim to load the OpenSSL shared library.
+// For example, `file=libcrypto.so.1.1.1k-fips` makes Init look for the shared
+// library libcrypto.so.1.1.1k-fips.
+func Init(file string) error {
+	initOnce.Do(func() {
+		buf := [2]byte{}
+		*(*uint16)(unsafe.Pointer(&buf[0])) = uint16(0xABCD)
+
+		switch buf {
+		case [2]byte{0xCD, 0xAB}:
+			nativeEndian = binary.LittleEndian
+		case [2]byte{0xAB, 0xCD}:
+			nativeEndian = binary.BigEndian
+		default:
+			panic("Could not determine native endianness.")
+		}
+		vMajor, vMinor, vPatch, initErr = opensslInit(file)
+	})
+	return initErr
+}
+
+func utoa(n uint) string {
+	return strconv.FormatUint(uint64(n), 10)
+}
+
+func errUnsupportedVersion() error {
+	return errors.New("openssl: OpenSSL version: " + utoa(vMajor) + "." + utoa(vMinor) + "." + utoa(vPatch))
+}
+
+// checkMajorVersion panics if the current major version is not expected.
+func checkMajorVersion(expected uint) {
+	if vMajor != expected {
+		panic("openssl: incorrect major version (" + strconv.Itoa(int(vMajor)) + "), expected " + strconv.Itoa(int(expected)))
+	}
+}
+
+type fail string
+
+func (e fail) Error() string { return "openssl: " + string(e) + " failed" }
+
+// VersionText returns the version text of the OpenSSL currently loaded.
+func VersionText() string {
+	return C.GoString(C.go_openssl_OpenSSL_version(0))
+}
+
+var (
+	providerNameFips    = C.CString("fips")
+	providerNameDefault = C.CString("default")
+	propFIPS            = C.CString("fips=yes")
+	propNoFIPS          = C.CString("-fips")
+
+	algorithmSHA256 = C.CString("SHA2-256")
+)
+
+// FIPS returns true if OpenSSL is running in FIPS mode and there is
+// a provider available that supports FIPS. It returns false otherwise.
+func FIPS() bool {
+	switch vMajor {
+	case 1:
+		return C.go_openssl_FIPS_mode() == 1
+	case 3:
+		// Check if the default properties contain `fips=1`.
+		if C.go_openssl_EVP_default_properties_is_fips_enabled(nil) != 1 {
+			// Note that it is still possible that the provider used by default is FIPS-compliant,
+			// but that wouldn't be a system or user requirement.
+			return false
+		}
+		// Check if the SHA-256 algorithm is available. If it is, then we can be sure that there is a provider available that matches
+		// the `fips=1` query. Most notably, this works for the common case of using the built-in FIPS provider.
+		//
+		// Note that this approach has a small chance of false negative if the FIPS provider doesn't provide the SHA-256 algorithm,
+		// but that is highly unlikely because SHA-256 is one of the most common algorithms and fundamental to many cryptographic operations.
+		// It also has a small chance of false positive if the FIPS provider implements the SHA-256 algorithm but not the other algorithms
+		// used by the caller application, but that is also unlikely because the FIPS provider should provide all common algorithms.
+		return proveSHA256(nil)
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+// FIPSCapable returns true if the provider used by default matches the `fips=yes` query.
+// It is useful for checking whether OpenSSL is capable of running in FIPS mode regardless
+// of whether FIPS mode is explicitly enabled. For example, Azure Linux 3 doesn't set the
+// `fips=yes` query in the default properties, but sets the default provider to be SCOSSL,
+// which is FIPS-capable.
+//
+// Considerations:
+//   - Multiple calls to FIPSCapable can return different values if [SetFIPS] is called in between.
+//   - Can return true even if [FIPS] returns false, because [FIPS] also checks whether
+//     the default properties contain `fips=yes`.
+//   - When using OpenSSL 3, will always return true if [FIPS] returns true.
+//   - When using OpenSSL 1, Will always return the same value as [FIPS].
+//   - OpenSSL 3 doesn't provide a way to know if a provider is FIPS-capable. This function uses
+//     some heuristics that should be treated as an implementation detail that may change in the future.
+func FIPSCapable() bool {
+	if FIPS() {
+		return true
+	}
+	if vMajor == 3 {
+		// Load the provider with and without the `fips=yes` query.
+		// If the providers are the same, then the default provider is FIPS-capable.
+		provFIPS := sha256Provider(propFIPS)
+		if provFIPS == nil {
+			return false
+		}
+		provDefault := sha256Provider(nil)
+		return provFIPS == provDefault
+	}
+	return false
+}
+
+// isProviderAvailable checks if the provider with the given name is available.
+// This function is used in export_test.go, but must be defined here as test files can't access C functions.
+func isProviderAvailable(name string) bool {
+	if vMajor == 1 {
+		return false
+	}
+	providerName := C.CString(name)
+	defer C.free(unsafe.Pointer(providerName))
+	return C.go_openssl_OSSL_PROVIDER_available(nil, providerName) == 1
+}
+
+// SetFIPS enables or disables FIPS mode.
+//
+// For OpenSSL 3, if there is no provider available that supports FIPS mode,
+// SetFIPS will try to load a built-in provider that supports FIPS mode.
+func SetFIPS(enable bool) error {
+	if FIPS() == enable {
+		// Already in the desired state.
+		return nil
+	}
+	var mode C.int
+	if enable {
+		mode = C.int(1)
+	} else {
+		mode = C.int(0)
+	}
+	switch vMajor {
+	case 1:
+		if C.go_openssl_FIPS_mode_set(mode) != 1 {
+			return newOpenSSLError("FIPS_mode_set")
+		}
+		return nil
+	case 3:
+		var shaProps, provName *C.char
+		if enable {
+			shaProps = propFIPS
+			provName = providerNameFips
+		} else {
+			shaProps = propNoFIPS
+			provName = providerNameDefault
+		}
+		if !proveSHA256(shaProps) {
+			// There is no provider available that supports the desired FIPS mode.
+			// Try to load the built-in provider associated with the given mode.
+			if C.go_openssl_OSSL_PROVIDER_try_load(nil, provName, 1) == nil {
+				// The built-in provider was not loaded successfully, we can't enable FIPS mode.
+				C.go_openssl_ERR_clear_error()
+				return errors.New("openssl: FIPS mode not supported by any provider")
+			}
+		}
+		if C.go_openssl_EVP_default_properties_enable_fips(nil, mode) != 1 {
+			return newOpenSSLError("EVP_default_properties_enable_fips")
+		}
+		return nil
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+// sha256Provider returns the provider for the SHA-256 algorithm
+// using the given properties.
+func sha256Provider(props *C.char) C.GO_OSSL_PROVIDER_PTR {
+	md := C.go_openssl_EVP_MD_fetch(nil, algorithmSHA256, props)
+	if md == nil {
+		C.go_openssl_ERR_clear_error()
+		return nil
+	}
+	defer C.go_openssl_EVP_MD_free(md)
+	return C.go_openssl_EVP_MD_get0_provider(md)
+}
+
+// proveSHA256 checks if the SHA-256 algorithm is available
+// using the given properties.
+func proveSHA256(props *C.char) bool {
+	return sha256Provider(props) != nil
+}
+
+// noescape hides a pointer from escape analysis. noescape is
+// the identity function but escape analysis doesn't think the
+// output depends on the input. noescape is inlined and currently
+// compiles down to zero instructions.
+// USE CAREFULLY!
+//
+//go:nosplit
+func noescape(p unsafe.Pointer) unsafe.Pointer {
+	x := uintptr(p)
+	return unsafe.Pointer(x ^ 0)
+}
+
+var zero byte
+
+// addr converts p to its base addr, including a noescape along the way.
+// If p is nil, addr returns a non-nil pointer, so that the result can always
+// be dereferenced.
+//
+//go:nosplit
+func addr(p []byte) *byte {
+	if len(p) == 0 {
+		return &zero
+	}
+	return (*byte)(noescape(unsafe.Pointer(&p[0])))
+}
+
+// base returns the address of the underlying array in b,
+// being careful not to panic when b has zero length.
+func base(b []byte) *C.uchar {
+	if len(b) == 0 {
+		return nil
+	}
+	return (*C.uchar)(unsafe.Pointer(&b[0]))
+}
+
+func sbase(b []byte) *C.char {
+	if len(b) == 0 {
+		return nil
+	}
+	return (*C.char)(unsafe.Pointer(&b[0]))
+}
+
+func newOpenSSLError(msg string) error {
+	var b strings.Builder
+	b.WriteString(msg)
+	b.WriteString("\nopenssl error(s):")
+	for {
+		var (
+			e    C.ulong
+			file *C.char
+			line C.int
+		)
+		switch vMajor {
+		case 1:
+			e = C.go_openssl_ERR_get_error_line(&file, &line)
+		case 3:
+			e = C.go_openssl_ERR_get_error_all(&file, &line, nil, nil, nil)
+		default:
+			panic(errUnsupportedVersion())
+		}
+		if e == 0 {
+			break
+		}
+		b.WriteByte('\n')
+		var buf [256]byte
+		C.go_openssl_ERR_error_string_n(e, (*C.char)(unsafe.Pointer(&buf[0])), C.size_t(len(buf)))
+		b.WriteString(string(buf[:]) + "\n\t" + C.GoString(file) + ":" + strconv.Itoa(int(line)))
+	}
+	return errors.New(b.String())
+}
+
+var unknownFile = "<go code>\000"
+
+// caller reports file and line number information about function invocations on
+// the calling goroutine's stack, in a form suitable for passing to C code.
+// The argument skip is the number of stack frames to ascend, with 0 identifying
+// the caller of caller. The return values report the file name and line number
+// within the file of the corresponding call. The returned file is a C string
+// with static storage duration.
+func caller(skip int) (file *C.char, line C.int) {
+	_, f, l, ok := runtime.Caller(skip + 1)
+	if !ok {
+		f = unknownFile
+	}
+	// The underlying bytes of the file string are null-terminated rodata with
+	// static lifetimes, so can be safely passed to C without worrying about
+	// leaking memory or use-after-free.
+	return (*C.char)(noescape(unsafe.Pointer(unsafe.StringData(f)))), C.int(l)
+}
+
+// cryptoMalloc allocates n bytes of memory on the OpenSSL heap, which may be
+// different from the heap which C.malloc allocates on. The allocated object
+// must be freed using cryptoFree. cryptoMalloc is equivalent to the
+// OPENSSL_malloc macro.
+//
+// Like C.malloc, this function is guaranteed to never return nil. If OpenSSL's
+// malloc indicates out of memory, it crashes the program.
+//
+// Only objects which the OpenSSL library will take ownership of (i.e. will be
+// freed by OPENSSL_free / CRYPTO_free) need to be allocated on the OpenSSL
+// heap.
+func cryptoMalloc(n int) unsafe.Pointer {
+	file, line := caller(1)
+	var p unsafe.Pointer
+	if vMajor == 1 && vMinor == 0 {
+		p = C.go_openssl_CRYPTO_malloc_legacy102(C.int(n), file, line)
+	} else {
+		p = C.go_openssl_CRYPTO_malloc(C.size_t(n), file, line)
+	}
+	if p == nil {
+		// Un-recover()-ably crash the program in the same manner as the
+		// C.malloc() wrapper function.
+		runtime_throw("openssl: CRYPTO_malloc failed")
+	}
+	return p
+}
+
+// cryptoFree frees an object allocated on the OpenSSL heap, which may be
+// different from the heap which C.malloc allocates on. cryptoFree is equivalent
+// to the OPENSSL_free macro.
+func cryptoFree(p unsafe.Pointer) {
+	if vMajor == 1 && vMinor == 0 {
+		C.go_openssl_CRYPTO_free_legacy102(p)
+		return
+	}
+	file, line := caller(1)
+	C.go_openssl_CRYPTO_free(p, file, line)
+}
+
+const wordBytes = bits.UintSize / 8
+
+// Reverse each limb of z.
+func (z BigInt) byteSwap() {
+	for i, d := range z {
+		var n uint = 0
+		for j := range wordBytes {
+			n |= uint(byte(d)) << (8 * (wordBytes - j - 1))
+			d >>= 8
+		}
+		z[i] = n
+	}
+}
+
+func wbase(b BigInt) *C.uchar {
+	if len(b) == 0 {
+		return nil
+	}
+	return (*C.uchar)(unsafe.Pointer(&b[0]))
+}
+
+// bignum_st_1_0_2 is bignum_st (BIGNUM) memory layout in OpenSSL 1.0.2.
+type bignum_st_1_0_2 struct {
+	d     unsafe.Pointer // Pointer to an array of BN_ULONG bit chunks
+	top   C.int          // Index of last used d +1
+	dmax  C.int
+	neg   C.int
+	flags C.int
+}
+
+func bigToBN(x BigInt) C.GO_BIGNUM_PTR {
+	if len(x) == 0 {
+		return nil
+	}
+
+	if vMajor == 1 && vMinor == 0 {
+		// OpenSSL 1.0.x does not export bn_lebin2bn on all platforms,
+		// so we have to emulate it.
+		bn := C.go_openssl_BN_new()
+		if bn == nil {
+			return nil
+		}
+		if C.go_openssl_bn_expand2(bn, C.int(len(x))) == nil {
+			C.go_openssl_BN_free(bn)
+			panic(newOpenSSLError("BN_expand2"))
+		}
+		// The bytes of a BigInt are laid out in memory in the same order as a
+		// BIGNUM, regardless of host endianness.
+		bns := (*bignum_st_1_0_2)(unsafe.Pointer(bn))
+		d := unsafe.Slice((*uint)(bns.d), len(x))
+		bns.top = C.int(copy(d, x))
+		return bn
+	}
+
+	if nativeEndian == binary.BigEndian {
+		z := make(BigInt, len(x))
+		copy(z, x)
+		z.byteSwap()
+		x = z
+	}
+	// Limbs are always ordered in LSB first, so we can safely apply
+	// BN_lebin2bn regardless of host endianness.
+	return C.go_openssl_BN_lebin2bn(wbase(x), C.int(len(x)*wordBytes), nil)
+}
+
+func bnToBig(bn C.GO_BIGNUM_PTR) BigInt {
+	if bn == nil {
+		return nil
+	}
+
+	if vMajor == 1 && vMinor == 0 {
+		// OpenSSL 1.0.x does not export bn_bn2lebinpad on all platforms,
+		// so we have to emulate it.
+		bns := (*bignum_st_1_0_2)(unsafe.Pointer(bn))
+		d := unsafe.Slice((*uint)(bns.d), bns.top)
+		x := make(BigInt, len(d))
+		copy(x, d)
+		return x
+	}
+
+	// Limbs are always ordered in LSB first, so we can safely apply
+	// BN_bn2lebinpad regardless of host endianness.
+	x := make(BigInt, C.go_openssl_BN_num_bits(bn))
+	if C.go_openssl_BN_bn2lebinpad(bn, wbase(x), C.int(len(x)*wordBytes)) == 0 {
+		panic("openssl: bignum conversion failed")
+	}
+	if nativeEndian == binary.BigEndian {
+		x.byteSwap()
+	}
+	return x
+}
+
+func bnNumBytes(bn C.GO_BIGNUM_PTR) int {
+	return (int(C.go_openssl_BN_num_bits(bn)) + 7) / 8
+}
+
+// bnToBinPad converts the absolute value of bn into big-endian form and stores
+// it at to, padding with zeroes if necessary. If len(to) is not large enough to
+// hold the result, an error is returned.
+func bnToBinPad(bn C.GO_BIGNUM_PTR, to []byte) error {
+	if vMajor == 1 && vMinor == 0 {
+		// OpenSSL 1.0.x does not export bn_bn2binpad on all platforms,
+		// so we have to emulate it.
+		n := bnNumBytes(bn)
+		pad := len(to) - n
+		if pad < 0 {
+			return errors.New("openssl: destination buffer too small")
+		}
+		for i := range pad {
+			to[i] = 0
+		}
+		if int(C.go_openssl_BN_bn2bin(bn, base(to[pad:]))) != n {
+			return errors.New("openssl: BN_bn2bin short write")
+		}
+		return nil
+	}
+
+	if C.go_openssl_BN_bn2binpad(bn, base(to), C.int(len(to))) < 0 {
+		return newOpenSSLError("BN_bn2binpad")
+	}
+	return nil
+}
+
+func CheckLeaks() {
+	C.go_openssl_do_leak_check()
+}
+
+// versionAtOrAbove returns true when
+// (vMajor, vMinor, vPatch) >= (major, minor, patch),
+// compared lexicographically.
+func versionAtOrAbove(major, minor, patch uint) bool {
+	return vMajor > major || (vMajor == major && vMinor > minor) || (vMajor == major && vMinor == minor && vPatch >= patch)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/params.go b/src/vendor/github.com/golang-fips/openssl/v2/params.go
new file mode 100644
index 00000000000000..fa24a8cd673ed0
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/params.go
@@ -0,0 +1,210 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"runtime"
+	"unsafe"
+)
+
+var (
+	// KDF parameters
+	_OSSL_KDF_PARAM_DIGEST = C.CString("digest")
+	_OSSL_KDF_PARAM_SECRET = C.CString("secret")
+	_OSSL_KDF_PARAM_SEED   = C.CString("seed")
+	_OSSL_KDF_PARAM_KEY    = C.CString("key")
+	_OSSL_KDF_PARAM_INFO   = C.CString("info")
+	_OSSL_KDF_PARAM_SALT   = C.CString("salt")
+	_OSSL_KDF_PARAM_MODE   = C.CString("mode")
+
+	// PKEY parameters
+	_OSSL_PKEY_PARAM_PUB_KEY          = C.CString("pub")
+	_OSSL_PKEY_PARAM_PRIV_KEY         = C.CString("priv")
+	_OSSL_PKEY_PARAM_GROUP_NAME       = C.CString("group")
+	_OSSL_PKEY_PARAM_EC_PUB_X         = C.CString("qx")
+	_OSSL_PKEY_PARAM_EC_PUB_Y         = C.CString("qy")
+	_OSSL_PKEY_PARAM_FFC_PBITS        = C.CString("pbits")
+	_OSSL_PKEY_PARAM_FFC_QBITS        = C.CString("qbits")
+	_OSSL_PKEY_PARAM_RSA_N            = C.CString("n")
+	_OSSL_PKEY_PARAM_RSA_E            = C.CString("e")
+	_OSSL_PKEY_PARAM_RSA_D            = C.CString("d")
+	_OSSL_PKEY_PARAM_FFC_P            = C.CString("p")
+	_OSSL_PKEY_PARAM_FFC_Q            = C.CString("q")
+	_OSSL_PKEY_PARAM_FFC_G            = C.CString("g")
+	_OSSL_PKEY_PARAM_RSA_FACTOR1      = C.CString("rsa-factor1")
+	_OSSL_PKEY_PARAM_RSA_FACTOR2      = C.CString("rsa-factor2")
+	_OSSL_PKEY_PARAM_RSA_EXPONENT1    = C.CString("rsa-exponent1")
+	_OSSL_PKEY_PARAM_RSA_EXPONENT2    = C.CString("rsa-exponent2")
+	_OSSL_PKEY_PARAM_RSA_COEFFICIENT1 = C.CString("rsa-coefficient1")
+
+	// MAC parameters
+	_OSSL_MAC_PARAM_DIGEST = C.CString("digest")
+)
+
+type bnParam struct {
+	value   C.GO_BIGNUM_PTR
+	private bool
+}
+
+// paramBuilder is a helper for building OSSL_PARAMs.
+// If an error occurs when adding a new parameter,
+// subsequent calls to add parameters are ignored
+// and build() will return the error.
+type paramBuilder struct {
+	bld      C.GO_OSSL_PARAM_BLD_PTR
+	pinner   runtime.Pinner
+	bnToFree []bnParam
+
+	err error
+}
+
+// newParamBuilder creates a new paramBuilder.
+func newParamBuilder() (*paramBuilder, error) {
+	bld := C.go_openssl_OSSL_PARAM_BLD_new()
+	if bld == nil {
+		return nil, newOpenSSLError("OSSL_PARAM_BLD_new")
+	}
+	pb := &paramBuilder{
+		bld:      bld,
+		bnToFree: make([]bnParam, 0, 8), // the maximum known number of BIGNUMs to free are 8 for RSA
+	}
+	runtime.SetFinalizer(pb, (*paramBuilder).finalize)
+	return pb, nil
+}
+
+// finalize frees the builder.
+func (b *paramBuilder) finalize() {
+	if b.bld != nil {
+		b.pinner.Unpin()
+		for _, bn := range b.bnToFree {
+			if bn.private {
+				C.go_openssl_BN_clear_free(bn.value)
+			} else {
+				C.go_openssl_BN_free(bn.value)
+			}
+		}
+		C.go_openssl_OSSL_PARAM_BLD_free(b.bld)
+		b.bld = nil
+	}
+}
+
+// check is used internally to enforce invariants and should not be called by users of paramBuilder.
+// Returns true if it's ok to add parameters to the builder or build it.
+// Returns false if there has been an error while adding a parameter.
+// Panics if the paramBuilder has been freed, e.g. if it has already been built.
+func (b *paramBuilder) check() bool {
+	if b.err != nil {
+		return false
+	}
+	if b.bld == nil {
+		panic("openssl: paramBuilder has been freed")
+	}
+	return true
+}
+
+// build creates an OSSL_PARAM from the builder.
+// The returned OSSL_PARAM must be freed with OSSL_PARAM_free.
+// If an error occurred while adding parameters, the error is returned
+// and the OSSL_PARAM is nil. Once build() is called, the builder is finalized
+// and cannot be reused.
+func (b *paramBuilder) build() (C.GO_OSSL_PARAM_PTR, error) {
+	defer b.finalize()
+	if !b.check() {
+		return nil, b.err
+	}
+	param := C.go_openssl_OSSL_PARAM_BLD_to_param(b.bld)
+	if param == nil {
+		return nil, newOpenSSLError("OSSL_PARAM_BLD_build")
+	}
+	return param, nil
+}
+
+// addUTF8String adds a NUL-terminated UTF-8 string to the builder.
+// size should not include the terminating NUL byte. If size is zero, then it will be calculated.
+func (b *paramBuilder) addUTF8String(name *C.char, value *C.char, size C.size_t) {
+	if !b.check() {
+		return
+	}
+	// OSSL_PARAM_BLD_push_utf8_string calculates the size if it is zero.
+	if C.go_openssl_OSSL_PARAM_BLD_push_utf8_string(b.bld, name, value, size) != 1 {
+		b.err = newOpenSSLError("OSSL_PARAM_BLD_push_utf8_string(" + C.GoString(name) + ")")
+	}
+}
+
+// addOctetString adds an octet string to the builder.
+// The value is pinned and will be unpinned when the builder is freed.
+func (b *paramBuilder) addOctetString(name *C.char, value []byte) {
+	if !b.check() {
+		return
+	}
+	if len(value) != 0 {
+		b.pinner.Pin(&value[0])
+	}
+	if C.go_openssl_OSSL_PARAM_BLD_push_octet_string(b.bld, name, unsafe.Pointer(sbase(value)), C.size_t(len(value))) != 1 {
+		b.err = newOpenSSLError("OSSL_PARAM_BLD_push_octet_string(" + C.GoString(name) + ")")
+	}
+}
+
+// addInt32 adds an int32 to the builder.
+func (b *paramBuilder) addInt32(name *C.char, value int32) {
+	if !b.check() {
+		return
+	}
+	if C.go_openssl_OSSL_PARAM_BLD_push_int32(b.bld, name, C.int32_t(value)) != 1 {
+		b.err = newOpenSSLError("OSSL_PARAM_BLD_push_int32(" + C.GoString(name) + ")")
+	}
+}
+
+// addBN adds a GO_BIGNUM_PTR to the builder.
+func (b *paramBuilder) addBN(name *C.char, value C.GO_BIGNUM_PTR) {
+	if !b.check() {
+		return
+	}
+	if C.go_openssl_OSSL_PARAM_BLD_push_BN(b.bld, name, value) != 1 {
+		b.err = newOpenSSLError("OSSL_PARAM_BLD_push_BN(" + C.GoString(name) + ")")
+	}
+}
+
+// addBin adds a byte slice to the builder.
+// The slice is converted to a BIGNUM using BN_bin2bn and freed when the builder is finalized.
+// If private is true, the BIGNUM will be cleared with BN_clear_free,
+// otherwise it will be freed with BN_free.
+func (b *paramBuilder) addBin(name *C.char, value []byte, private bool) {
+	if !b.check() {
+		return
+	}
+	if len(value) == 0 {
+		// Nothing to do.
+		return
+	}
+	bn := C.go_openssl_BN_bin2bn(base(value), C.int(len(value)), nil)
+	if bn == nil {
+		b.err = newOpenSSLError("BN_bin2bn")
+		return
+	}
+	b.bnToFree = append(b.bnToFree, bnParam{bn, private})
+	b.addBN(name, bn)
+}
+
+// addBigInt adds a BigInt to the builder.
+// The BigInt is converted using bigToBN to a BIGNUM that is freed when the builder is finalized.
+// If private is true, the BIGNUM will be cleared with BN_clear_free,
+// otherwise it will be freed with BN_free.
+func (b *paramBuilder) addBigInt(name *C.char, value BigInt, private bool) {
+	if !b.check() {
+		return
+	}
+	if len(value) == 0 {
+		// Nothing to do.
+		return
+	}
+	bn := bigToBN(value)
+	if bn == nil {
+		b.err = newOpenSSLError("bigToBN")
+		return
+	}
+	b.bnToFree = append(b.bnToFree, bnParam{bn, private})
+	b.addBN(name, bn)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/pbkdf2.go b/src/vendor/github.com/golang-fips/openssl/v2/pbkdf2.go
new file mode 100644
index 00000000000000..92276c6aadf423
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/pbkdf2.go
@@ -0,0 +1,62 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"errors"
+	"hash"
+	"sync"
+	"unsafe"
+)
+
+// SupportsPBKDF2 reports whether the current OpenSSL version supports PBKDF2.
+func SupportsPBKDF2() bool {
+	switch vMajor {
+	case 1:
+		return true
+	case 3:
+		_, err := fetchPBKDF2()
+		return err == nil
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+// fetchPBKDF2 fetches the PBKDF2 algorithm.
+// It is safe to call this function concurrently.
+// The returned EVP_KDF_PTR shouldn't be freed.
+var fetchPBKDF2 = sync.OnceValues(func() (C.GO_EVP_KDF_PTR, error) {
+	checkMajorVersion(3)
+
+	name := C.CString("PBKDF2")
+	kdf := C.go_openssl_EVP_KDF_fetch(nil, name, nil)
+	C.free(unsafe.Pointer(name))
+	if kdf == nil {
+		return nil, newOpenSSLError("EVP_KDF_fetch")
+	}
+	return kdf, nil
+})
+
+func PBKDF2(password, salt []byte, iter, keyLen int, fh func() hash.Hash) ([]byte, error) {
+	h, err := hashFuncHash(fh)
+	if err != nil {
+		return nil, err
+	}
+	md := hashToMD(h)
+	if md == nil {
+		return nil, errors.New("unsupported hash function")
+	}
+	if len(password) == 0 && vMajor == 1 && vMinor == 0 {
+		// x/crypto/pbkdf2 supports empty passwords, but OpenSSL 1.0.2
+		// does not. As a workaround, we pass an "empty" password.
+		password = make([]byte, C.GO_EVP_MAX_MD_SIZE)
+	}
+	out := make([]byte, keyLen)
+	ok := C.go_openssl_PKCS5_PBKDF2_HMAC(sbase(password), C.int(len(password)), base(salt), C.int(len(salt)), C.int(iter), md, C.int(keyLen), base(out))
+	if ok != 1 {
+		return nil, newOpenSSLError("PKCS5_PBKDF2_HMAC")
+	}
+	return out, nil
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/port_dsa.c b/src/vendor/github.com/golang-fips/openssl/v2/port_dsa.c
new file mode 100644
index 00000000000000..5a948eafdbc6a7
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/port_dsa.c
@@ -0,0 +1,85 @@
+// The following is a partial backport of crypto/dsa/dsa_lockl.h
+// and crypto/dsa/dsa_lib.c, commit cbc8a839959418d8a2c2e3ec6bdf394852c9501e
+// on the OpenSSL_1_1_0-stable branch. Only pqg and key getters/setters
+// are backported.
+
+#include "goopenssl.h"
+
+struct dsa_st
+{
+    int _ignored0;
+    long _ignored1;
+    int _ignored2;
+    GO_BIGNUM_PTR p;
+    GO_BIGNUM_PTR q;
+    GO_BIGNUM_PTR g;
+    GO_BIGNUM_PTR pub_key;
+    GO_BIGNUM_PTR priv_key;
+    // The following members are not used by our backport,
+    // so we don't define them here.
+};
+
+void go_openssl_DSA_get0_pqg_backport(const GO_DSA_PTR dsa,
+                  GO_BIGNUM_PTR *p, GO_BIGNUM_PTR *q, GO_BIGNUM_PTR *g)
+{
+    const struct dsa_st *d = dsa;
+    if (p != NULL)
+        *p = d->p;
+    if (q != NULL)
+        *q = d->q;
+    if (g != NULL)
+        *g = d->g;
+}
+
+int go_openssl_DSA_set0_pqg_backport(GO_DSA_PTR dsa,
+                  GO_BIGNUM_PTR p, GO_BIGNUM_PTR q, GO_BIGNUM_PTR g)
+{
+    struct dsa_st *d = dsa;
+    if ((d->p == NULL && p == NULL)
+        || (d->q == NULL && q == NULL)
+        || (d->g == NULL && g == NULL))
+        return 0;
+
+    if (p != NULL) {
+        go_openssl_BN_free(d->p);
+        d->p = p;
+    }
+    if (q != NULL) {
+        go_openssl_BN_free(d->q);
+        d->q = q;
+    }
+    if (g != NULL) {
+        go_openssl_BN_free(d->g);
+        d->g = g;
+    }
+
+    return 1;
+}
+
+void go_openssl_DSA_get0_key_backport(const GO_DSA_PTR dsa,
+                  GO_BIGNUM_PTR *pub_key, GO_BIGNUM_PTR *priv_key)
+{
+    const struct dsa_st *d = dsa;
+    if (pub_key != NULL)
+        *pub_key = d->pub_key;
+    if (priv_key != NULL)
+        *priv_key = d->priv_key;
+}
+
+int go_openssl_DSA_set0_key_backport(GO_DSA_PTR dsa, GO_BIGNUM_PTR pub_key, GO_BIGNUM_PTR priv_key)
+{
+    struct dsa_st *d = dsa;
+    if (d->pub_key == NULL && pub_key == NULL)
+        return 0;
+
+    if (pub_key != NULL) {
+        go_openssl_BN_free(d->pub_key);
+        d->pub_key = pub_key;
+    }
+    if (priv_key != NULL) {
+        go_openssl_BN_free(d->priv_key);
+        d->priv_key = priv_key;
+    }
+
+    return 1;
+}
\ No newline at end of file
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/rand.go b/src/vendor/github.com/golang-fips/openssl/v2/rand.go
new file mode 100644
index 00000000000000..9fd709635c3b40
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/rand.go
@@ -0,0 +1,20 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import "unsafe"
+
+type randReader int
+
+func (randReader) Read(b []byte) (int, error) {
+	// Note: RAND_bytes should never fail; the return value exists only for historical reasons.
+	// We check it even so.
+	if len(b) > 0 && C.go_openssl_RAND_bytes((*C.uchar)(unsafe.Pointer(&b[0])), C.int(len(b))) == 0 {
+		return 0, newOpenSSLError("RAND_bytes")
+	}
+	return len(b), nil
+}
+
+const RandReader = randReader(0)
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/rc4.go b/src/vendor/github.com/golang-fips/openssl/v2/rc4.go
new file mode 100644
index 00000000000000..f1cd3647fb9753
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/rc4.go
@@ -0,0 +1,66 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import "runtime"
+
+// SupportsRC4 returns true if NewRC4Cipher is supported.
+func SupportsRC4() bool {
+	// True for stock OpenSSL 1 w/o FIPS.
+	// False for stock OpenSSL 3 unless the legacy provider is available.
+	return (versionAtOrAbove(3, 0, 0) || !FIPS()) && loadCipher(cipherRC4, cipherModeNone) != nil
+}
+
+// A RC4Cipher is an instance of RC4 using a particular key.
+type RC4Cipher struct {
+	ctx C.GO_EVP_CIPHER_CTX_PTR
+}
+
+// NewRC4Cipher creates and returns a new Cipher.
+func NewRC4Cipher(key []byte) (*RC4Cipher, error) {
+	ctx, err := newCipherCtx(cipherRC4, cipherModeNone, cipherOpEncrypt, key, nil)
+	if err != nil {
+		return nil, err
+	}
+	c := &RC4Cipher{ctx}
+	runtime.SetFinalizer(c, (*RC4Cipher).finalize)
+	return c, nil
+}
+
+func (c *RC4Cipher) finalize() {
+	if c.ctx != nil {
+		C.go_openssl_EVP_CIPHER_CTX_free(c.ctx)
+	}
+}
+
+// Reset zeros the key data and makes the Cipher unusable.
+func (c *RC4Cipher) Reset() {
+	if c.ctx != nil {
+		C.go_openssl_EVP_CIPHER_CTX_free(c.ctx)
+		c.ctx = nil
+	}
+}
+
+// XORKeyStream sets dst to the result of XORing src with the key stream.
+// Dst and src must overlap entirely or not at all.
+func (c *RC4Cipher) XORKeyStream(dst, src []byte) {
+	if c.ctx == nil || len(src) == 0 {
+		return
+	}
+	if inexactOverlap(dst[:len(src)], src) {
+		panic("crypto/rc4: invalid buffer overlap")
+	}
+	// panic if len(dst) < len(src) with a runtime out of bound error,
+	// which is what crypto/rc4 does.
+	_ = dst[len(src)-1]
+	var outLen C.int
+	if C.go_openssl_EVP_EncryptUpdate(c.ctx, base(dst), &outLen, base(src), C.int(len(src))) != 1 {
+		panic("crypto/cipher: EncryptUpdate failed")
+	}
+	if int(outLen) != len(src) {
+		panic("crypto/rc4: src not fully XORed")
+	}
+	runtime.KeepAlive(c)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/rsa.go b/src/vendor/github.com/golang-fips/openssl/v2/rsa.go
new file mode 100644
index 00000000000000..da5c7636173775
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/rsa.go
@@ -0,0 +1,408 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"crypto"
+	"crypto/subtle"
+	"errors"
+	"hash"
+	"runtime"
+	"unsafe"
+)
+
+func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) {
+	bad := func(e error) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) {
+		return nil, nil, nil, nil, nil, nil, nil, nil, e
+	}
+	pkey, err := generateEVPPKey(C.GO_EVP_PKEY_RSA, bits, "")
+	if err != nil {
+		return bad(err)
+	}
+	defer C.go_openssl_EVP_PKEY_free(pkey)
+	switch vMajor {
+	case 1:
+		key := C.go_openssl_EVP_PKEY_get1_RSA(pkey)
+		if key == nil {
+			return bad(newOpenSSLError("EVP_PKEY_get1_RSA failed"))
+		}
+		defer C.go_openssl_RSA_free(key)
+		var n, e, d, p, q, dmp1, dmq1, iqmp C.GO_BIGNUM_PTR
+		if vMinor == 0 {
+			r := (*rsa_st_1_0_2)(unsafe.Pointer(key))
+			n, e, d, p, q, dmp1, dmq1, iqmp = r.n, r.e, r.d, r.p, r.q, r.dmp1, r.dmq1, r.iqmp
+		} else {
+			C.go_openssl_RSA_get0_key(key, &n, &e, &d)
+			C.go_openssl_RSA_get0_factors(key, &p, &q)
+			C.go_openssl_RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp)
+		}
+		N, E, D = bnToBig(n), bnToBig(e), bnToBig(d)
+		P, Q = bnToBig(p), bnToBig(q)
+		Dp, Dq, Qinv = bnToBig(dmp1), bnToBig(dmq1), bnToBig(iqmp)
+	case 3:
+		tmp := C.go_openssl_BN_new()
+		if tmp == nil {
+			return bad(newOpenSSLError("BN_new failed"))
+		}
+		defer func() {
+			C.go_openssl_BN_clear_free(tmp)
+		}()
+		var err error
+		setBigInt := func(bi *BigInt, param *C.char) bool {
+			if err != nil {
+				return false
+			}
+			if C.go_openssl_EVP_PKEY_get_bn_param(pkey, param, &tmp) != 1 {
+				err = newOpenSSLError("EVP_PKEY_get_bn_param failed")
+				return false
+			}
+			*bi = bnToBig(tmp)
+			C.go_openssl_BN_clear(tmp)
+			return true
+		}
+		if !(setBigInt(&N, _OSSL_PKEY_PARAM_RSA_N) &&
+			setBigInt(&E, _OSSL_PKEY_PARAM_RSA_E) &&
+			setBigInt(&D, _OSSL_PKEY_PARAM_RSA_D) &&
+			setBigInt(&P, _OSSL_PKEY_PARAM_RSA_FACTOR1) &&
+			setBigInt(&Q, _OSSL_PKEY_PARAM_RSA_FACTOR2) &&
+			setBigInt(&Dp, _OSSL_PKEY_PARAM_RSA_EXPONENT1) &&
+			setBigInt(&Dq, _OSSL_PKEY_PARAM_RSA_EXPONENT2) &&
+			setBigInt(&Qinv, _OSSL_PKEY_PARAM_RSA_COEFFICIENT1)) {
+			return bad(err)
+		}
+	default:
+		panic(errUnsupportedVersion())
+	}
+	return
+}
+
+type PublicKeyRSA struct {
+	// _pkey MUST NOT be accessed directly. Instead, use the withKey method.
+	_pkey C.GO_EVP_PKEY_PTR
+}
+
+func NewPublicKeyRSA(n, e BigInt) (*PublicKeyRSA, error) {
+	var pkey C.GO_EVP_PKEY_PTR
+	switch vMajor {
+	case 1:
+		key := C.go_openssl_RSA_new()
+		if key == nil {
+			return nil, newOpenSSLError("RSA_new failed")
+		}
+		if !rsaSetKey(key, n, e, nil) {
+			return nil, fail("RSA_set0_key")
+		}
+		pkey = C.go_openssl_EVP_PKEY_new()
+		if pkey == nil {
+			C.go_openssl_RSA_free(key)
+			return nil, newOpenSSLError("EVP_PKEY_new failed")
+		}
+		if C.go_openssl_EVP_PKEY_assign(pkey, C.GO_EVP_PKEY_RSA, (unsafe.Pointer)(key)) != 1 {
+			C.go_openssl_RSA_free(key)
+			C.go_openssl_EVP_PKEY_free(pkey)
+			return nil, newOpenSSLError("EVP_PKEY_assign failed")
+		}
+	case 3:
+		var err error
+		if pkey, err = newRSAKey3(false, n, e, nil, nil, nil, nil, nil, nil); err != nil {
+			return nil, err
+		}
+	default:
+		panic(errUnsupportedVersion())
+	}
+	k := &PublicKeyRSA{_pkey: pkey}
+	runtime.SetFinalizer(k, (*PublicKeyRSA).finalize)
+	return k, nil
+}
+
+func (k *PublicKeyRSA) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+func (k *PublicKeyRSA) withKey(f func(C.GO_EVP_PKEY_PTR) C.int) C.int {
+	// Because of the finalizer, any time _pkey is passed to cgo, that call must
+	// be followed by a call to runtime.KeepAlive, to make sure k is not
+	// collected (and finalized) before the cgo call returns.
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+type PrivateKeyRSA struct {
+	// _pkey MUST NOT be accessed directly. Instead, use the withKey method.
+	_pkey C.GO_EVP_PKEY_PTR
+}
+
+func NewPrivateKeyRSA(n, e, d, p, q, dp, dq, qinv BigInt) (*PrivateKeyRSA, error) {
+	var pkey C.GO_EVP_PKEY_PTR
+	switch vMajor {
+	case 1:
+		key := C.go_openssl_RSA_new()
+		if key == nil {
+			return nil, newOpenSSLError("RSA_new failed")
+		}
+		if !rsaSetKey(key, n, e, d) {
+			return nil, fail("RSA_set0_key")
+		}
+		if p != nil && q != nil {
+			if !rsaSetFactors(key, p, q) {
+				return nil, fail("RSA_set0_factors")
+			}
+		}
+		if dp != nil && dq != nil && qinv != nil {
+			if !rsaSetCRTParams(key, dp, dq, qinv) {
+				return nil, fail("RSA_set0_crt_params")
+			}
+		}
+		pkey = C.go_openssl_EVP_PKEY_new()
+		if pkey == nil {
+			C.go_openssl_RSA_free(key)
+			return nil, newOpenSSLError("EVP_PKEY_new failed")
+		}
+		if C.go_openssl_EVP_PKEY_assign(pkey, C.GO_EVP_PKEY_RSA, (unsafe.Pointer)(key)) != 1 {
+			C.go_openssl_RSA_free(key)
+			C.go_openssl_EVP_PKEY_free(pkey)
+			return nil, newOpenSSLError("EVP_PKEY_assign failed")
+		}
+	case 3:
+		var err error
+		if pkey, err = newRSAKey3(true, n, e, d, p, q, dp, dq, qinv); err != nil {
+			return nil, err
+		}
+	default:
+		panic(errUnsupportedVersion())
+	}
+	k := &PrivateKeyRSA{_pkey: pkey}
+	runtime.SetFinalizer(k, (*PrivateKeyRSA).finalize)
+	return k, nil
+}
+
+func (k *PrivateKeyRSA) finalize() {
+	C.go_openssl_EVP_PKEY_free(k._pkey)
+}
+
+func (k *PrivateKeyRSA) withKey(f func(C.GO_EVP_PKEY_PTR) C.int) C.int {
+	// Because of the finalizer, any time _pkey is passed to cgo, that call must
+	// be followed by a call to runtime.KeepAlive, to make sure k is not
+	// collected (and finalized) before the cgo call returns.
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+func DecryptRSAOAEP(h, mgfHash hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
+	return evpDecrypt(priv.withKey, C.GO_RSA_PKCS1_OAEP_PADDING, h, mgfHash, label, ciphertext)
+}
+
+func EncryptRSAOAEP(h, mgfHash hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
+	return evpEncrypt(pub.withKey, C.GO_RSA_PKCS1_OAEP_PADDING, h, mgfHash, label, msg)
+}
+
+func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
+	return evpDecrypt(priv.withKey, C.GO_RSA_PKCS1_PADDING, nil, nil, nil, ciphertext)
+}
+
+func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
+	return evpEncrypt(pub.withKey, C.GO_RSA_PKCS1_PADDING, nil, nil, nil, msg)
+}
+
+func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
+	ret, err := evpDecrypt(priv.withKey, C.GO_RSA_NO_PADDING, nil, nil, nil, ciphertext)
+	if err != nil {
+		return nil, err
+	}
+	// We could return here, but the Go standard library test expects DecryptRSANoPadding to verify the result
+	// in order to defend against errors in the CRT computation.
+	//
+	// The following code tries to replicate the verification implemented in the upstream function decryptAndCheck, found at
+	// https://github.com/golang/go/blob/9de1ac6ac2cad3871760d0aa288f5ca713afd0a6/src/crypto/rsa/rsa.go#L569-L582.
+	pub := &PublicKeyRSA{_pkey: priv._pkey}
+	// A private EVP_PKEY can be used as a public key as it contains the public information.
+	enc, err := EncryptRSANoPadding(pub, ret)
+	if err != nil {
+		return nil, err
+	}
+	// Upstream does not do a constant time comparison because it works with math/big instead of byte slices,
+	// and math/big does not support constant-time arithmetic yet. See #20654 for more info.
+	if subtle.ConstantTimeCompare(ciphertext, enc) != 1 {
+		return nil, errors.New("rsa: internal error")
+	}
+	return ret, nil
+}
+
+func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
+	return evpEncrypt(pub.withKey, C.GO_RSA_NO_PADDING, nil, nil, nil, msg)
+}
+
+func saltLength(saltLen int, sign bool) (C.int, error) {
+	// A salt length of -2 is valid in OpenSSL, but not in crypto/rsa, so reject
+	// it, and lengths < -2, before we convert to the OpenSSL sentinel values.
+	if saltLen <= -2 {
+		return 0, errors.New("crypto/rsa: invalid PSS salt length")
+	}
+	// OpenSSL uses sentinel salt length values like Go crypto does,
+	// but the values don't fully match for rsa.PSSSaltLengthAuto (0).
+	if saltLen == 0 {
+		if sign {
+			if vMajor == 1 {
+				// OpenSSL 1.x uses -2 to mean maximal size when signing where Go crypto uses 0.
+				return C.GO_RSA_PSS_SALTLEN_MAX_SIGN, nil
+			}
+			// OpenSSL 3.x deprecated RSA_PSS_SALTLEN_MAX_SIGN
+			// and uses -3 to mean maximal size when signing where Go crypto uses 0.
+			return C.GO_RSA_PSS_SALTLEN_MAX, nil
+		}
+		// OpenSSL uses -2 to mean auto-detect size when verifying where Go crypto uses 0.
+		return C.GO_RSA_PSS_SALTLEN_AUTO, nil
+	}
+	return C.int(saltLen), nil
+}
+
+func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
+	cSaltLen, err := saltLength(saltLen, true)
+	if err != nil {
+		return nil, err
+	}
+	return evpSign(priv.withKey, C.GO_RSA_PKCS1_PSS_PADDING, cSaltLen, h, hashed)
+}
+
+func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
+	cSaltLen, err := saltLength(saltLen, false)
+	if err != nil {
+		return err
+	}
+	return evpVerify(pub.withKey, C.GO_RSA_PKCS1_PSS_PADDING, cSaltLen, h, sig, hashed)
+}
+
+func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte) ([]byte, error) {
+	return evpSign(priv.withKey, C.GO_RSA_PKCS1_PADDING, 0, h, hashed)
+}
+
+func HashSignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, msg []byte) ([]byte, error) {
+	return evpHashSign(priv.withKey, h, msg)
+}
+
+func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error {
+	if pub.withKey(func(pkey C.GO_EVP_PKEY_PTR) C.int {
+		size := C.go_openssl_EVP_PKEY_get_size(pkey)
+		if len(sig) < int(size) {
+			return 0
+		}
+		return 1
+	}) == 0 {
+		return errors.New("crypto/rsa: verification error")
+	}
+	return evpVerify(pub.withKey, C.GO_RSA_PKCS1_PADDING, 0, h, sig, hashed)
+}
+
+func HashVerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, msg, sig []byte) error {
+	return evpHashVerify(pub.withKey, h, msg, sig)
+}
+
+// rsa_st_1_0_2 is rsa_st memory layout in OpenSSL 1.0.2.
+type rsa_st_1_0_2 struct {
+	_                C.int
+	_                C.long
+	_                [2]unsafe.Pointer
+	n, e, d          C.GO_BIGNUM_PTR
+	p, q             C.GO_BIGNUM_PTR
+	dmp1, dmq1, iqmp C.GO_BIGNUM_PTR
+	// It contains more fields, but we are not interesed on them.
+}
+
+func bnSet(b1 *C.GO_BIGNUM_PTR, b2 BigInt) {
+	if b2 == nil {
+		return
+	}
+	if *b1 != nil {
+		C.go_openssl_BN_clear_free(*b1)
+	}
+	*b1 = bigToBN(b2)
+}
+
+func rsaSetKey(key C.GO_RSA_PTR, n, e, d BigInt) bool {
+	if vMajor == 1 && vMinor == 0 {
+		r := (*rsa_st_1_0_2)(unsafe.Pointer(key))
+		// r.d and d will be nil for public keys.
+		if (r.n == nil && n == nil) ||
+			(r.e == nil && e == nil) {
+			return false
+		}
+		bnSet(&r.n, n)
+		bnSet(&r.e, e)
+		bnSet(&r.d, d)
+		return true
+	}
+	return C.go_openssl_RSA_set0_key(key, bigToBN(n), bigToBN(e), bigToBN(d)) == 1
+}
+
+func rsaSetFactors(key C.GO_RSA_PTR, p, q BigInt) bool {
+	if vMajor == 1 && vMinor == 0 {
+		r := (*rsa_st_1_0_2)(unsafe.Pointer(key))
+		if (r.p == nil && p == nil) ||
+			(r.q == nil && q == nil) {
+			return false
+		}
+		bnSet(&r.p, p)
+		bnSet(&r.q, q)
+		return true
+	}
+	return C.go_openssl_RSA_set0_factors(key, bigToBN(p), bigToBN(q)) == 1
+}
+
+func rsaSetCRTParams(key C.GO_RSA_PTR, dmp1, dmq1, iqmp BigInt) bool {
+	if vMajor == 1 && vMinor == 0 {
+		r := (*rsa_st_1_0_2)(unsafe.Pointer(key))
+		if (r.dmp1 == nil && dmp1 == nil) ||
+			(r.dmq1 == nil && dmq1 == nil) ||
+			(r.iqmp == nil && iqmp == nil) {
+			return false
+		}
+		bnSet(&r.dmp1, dmp1)
+		bnSet(&r.dmq1, dmq1)
+		bnSet(&r.iqmp, iqmp)
+		return true
+	}
+	return C.go_openssl_RSA_set0_crt_params(key, bigToBN(dmp1), bigToBN(dmq1), bigToBN(iqmp)) == 1
+}
+func newRSAKey3(isPriv bool, n, e, d, p, q, dp, dq, qinv BigInt) (C.GO_EVP_PKEY_PTR, error) {
+	bld, err := newParamBuilder()
+	if err != nil {
+		return nil, err
+	}
+	defer bld.finalize()
+
+	bld.addBigInt(_OSSL_PKEY_PARAM_RSA_N, n, false)
+	bld.addBigInt(_OSSL_PKEY_PARAM_RSA_E, e, false)
+	bld.addBigInt(_OSSL_PKEY_PARAM_RSA_D, d, false)
+
+	if p != nil && q != nil {
+		allPrecomputedExists := dp != nil && dq != nil && qinv != nil
+		// The precomputed values should only be passed if P and Q are present
+		// and every precomputed value is present. (If any precomputed value is
+		// missing, don't pass any of them.)
+		//
+		// In OpenSSL 3.0 and 3.1, we must also omit P and Q if any precomputed
+		// value is missing. See https://github.com/openssl/openssl/pull/22334
+		if vMinor >= 2 || allPrecomputedExists {
+			bld.addBigInt(_OSSL_PKEY_PARAM_RSA_FACTOR1, p, true)
+			bld.addBigInt(_OSSL_PKEY_PARAM_RSA_FACTOR2, q, true)
+		}
+		if allPrecomputedExists {
+			bld.addBigInt(_OSSL_PKEY_PARAM_RSA_EXPONENT1, dp, true)
+			bld.addBigInt(_OSSL_PKEY_PARAM_RSA_EXPONENT2, dq, true)
+			bld.addBigInt(_OSSL_PKEY_PARAM_RSA_COEFFICIENT1, qinv, true)
+		}
+	}
+
+	params, err := bld.build()
+	if err != nil {
+		return nil, err
+	}
+	defer C.go_openssl_OSSL_PARAM_free(params)
+	selection := C.GO_EVP_PKEY_PUBLIC_KEY
+	if isPriv {
+		selection = C.GO_EVP_PKEY_KEYPAIR
+	}
+	return newEvpFromParams(C.GO_EVP_PKEY_RSA, C.int(selection), params)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/shims.h b/src/vendor/github.com/golang-fips/openssl/v2/shims.h
new file mode 100644
index 00000000000000..437312ad795fc3
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/shims.h
@@ -0,0 +1,413 @@
+#include <stdlib.h> // size_t
+#include <stdint.h> // uint64_t
+
+// #include <openssl/crypto.h>
+enum {
+    GO_OPENSSL_INIT_LOAD_CRYPTO_STRINGS = 0x00000002L,
+    GO_OPENSSL_INIT_ADD_ALL_CIPHERS = 0x00000004L,
+    GO_OPENSSL_INIT_ADD_ALL_DIGESTS = 0x00000008L,
+    GO_OPENSSL_INIT_LOAD_CONFIG = 0x00000040L
+};
+
+// #include <openssl/evp.h>
+enum {
+    GO_EVP_CTRL_GCM_GET_TAG = 0x10,
+    GO_EVP_CTRL_GCM_SET_TAG = 0x11,
+    GO_EVP_PKEY_CTRL_MD = 1,
+    GO_EVP_PKEY_RSA = 6,
+    GO_EVP_PKEY_EC = 408,
+    GO_EVP_PKEY_TLS1_PRF = 1021,
+    GO_EVP_PKEY_HKDF = 1036,
+    GO_EVP_PKEY_ED25519 = 1087,
+    GO_EVP_PKEY_DSA = 116,
+    /* This is defined differently in OpenSSL 3 (1 << 11), but in our
+     * code it is only used in OpenSSL 1.
+     */
+    GO1_EVP_PKEY_OP_DERIVE = (1 << 10),
+    GO_EVP_MAX_MD_SIZE = 64,
+
+    GO_EVP_PKEY_PUBLIC_KEY = 0x86,
+    GO_EVP_PKEY_KEYPAIR = 0x87
+};
+
+// #include <openssl/ec.h>
+enum {
+    GO_EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID = 0x1001
+};
+
+// #include <openssl/kdf.h>
+enum {
+    GO_EVP_KDF_HKDF_MODE_EXTRACT_ONLY = 1,
+    GO_EVP_KDF_HKDF_MODE_EXPAND_ONLY = 2,
+
+    GO_EVP_PKEY_CTRL_TLS_MD = 0x1000,
+    GO_EVP_PKEY_CTRL_TLS_SECRET = 0x1001,
+    GO_EVP_PKEY_CTRL_TLS_SEED = 0x1002,
+    GO_EVP_PKEY_CTRL_HKDF_MD = 0x1003,
+    GO_EVP_PKEY_CTRL_HKDF_SALT = 0x1004,
+    GO_EVP_PKEY_CTRL_HKDF_KEY = 0x1005,
+    GO_EVP_PKEY_CTRL_HKDF_INFO = 0x1006,
+    GO_EVP_PKEY_CTRL_HKDF_MODE = 0x1007
+};
+
+typedef enum {
+    GO_POINT_CONVERSION_UNCOMPRESSED = 4,
+} point_conversion_form_t;
+
+// #include <openssl/obj_mac.h>
+enum {
+    GO_NID_X9_62_prime256v1 = 415,
+    GO_NID_secp224r1 = 713,
+    GO_NID_secp384r1 = 715,
+    GO_NID_secp521r1 = 716
+};
+
+// #include <openssl/rsa.h>
+enum {
+    GO_RSA_PKCS1_PADDING = 1,
+    GO_RSA_NO_PADDING = 3,
+    GO_RSA_PKCS1_OAEP_PADDING = 4,
+    GO_RSA_PKCS1_PSS_PADDING = 6,
+    GO_RSA_PSS_SALTLEN_DIGEST = -1,
+    GO_RSA_PSS_SALTLEN_AUTO = -2,
+    GO_RSA_PSS_SALTLEN_MAX_SIGN = -2,
+    GO_RSA_PSS_SALTLEN_MAX = -3,
+    GO_EVP_PKEY_CTRL_RSA_PADDING = 0x1001,
+    GO_EVP_PKEY_CTRL_RSA_PSS_SALTLEN = 0x1002,
+    GO_EVP_PKEY_CTRL_RSA_KEYGEN_BITS = 0x1003,
+    GO_EVP_PKEY_CTRL_RSA_MGF1_MD = 0x1005,
+    GO_EVP_PKEY_CTRL_RSA_OAEP_MD = 0x1009,
+    GO_EVP_PKEY_CTRL_RSA_OAEP_LABEL = 0x100A,
+    GO_EVP_PKEY_CTRL_DSA_PARAMGEN_BITS = 0x1001,
+    GO_EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS = 0x1002
+};
+
+typedef void* GO_OPENSSL_INIT_SETTINGS_PTR;
+typedef void* GO_OSSL_LIB_CTX_PTR;
+typedef void* GO_OSSL_PROVIDER_PTR;
+typedef void* GO_ENGINE_PTR;
+typedef void* GO_EVP_PKEY_PTR;
+typedef void* GO_EVP_PKEY_CTX_PTR;
+typedef void* GO_EVP_MD_PTR;
+typedef void* GO_EVP_MD_CTX_PTR;
+typedef void* GO_HMAC_CTX_PTR;
+typedef void* GO_EVP_CIPHER_PTR;
+typedef void* GO_EVP_CIPHER_CTX_PTR;
+typedef void* GO_EC_KEY_PTR;
+typedef void* GO_EC_POINT_PTR;
+typedef void* GO_EC_GROUP_PTR;
+typedef void* GO_RSA_PTR;
+typedef void* GO_BIGNUM_PTR;
+typedef void* GO_BN_CTX_PTR;
+typedef void* GO_EVP_MAC_PTR;
+typedef void* GO_EVP_MAC_CTX_PTR;
+typedef void* GO_OSSL_PARAM_BLD_PTR;
+typedef void* GO_OSSL_PARAM_PTR;
+typedef void* GO_CRYPTO_THREADID_PTR;
+typedef void* GO_EVP_SIGNATURE_PTR;
+typedef void* GO_DSA_PTR;
+typedef void* GO_EVP_KDF_PTR;
+typedef void* GO_EVP_KDF_CTX_PTR;
+
+// #include <openssl/md5.h>
+typedef void* GO_MD5_CTX_PTR;
+
+// #include <openssl/sha.h>
+typedef void* GO_SHA_CTX_PTR;
+
+// FOR_ALL_OPENSSL_FUNCTIONS is the list of all functions from libcrypto that are used in this package.
+// Forgetting to add a function here results in build failure with message reporting the function
+// that needs to be added.
+//
+// The purpose of FOR_ALL_OPENSSL_FUNCTIONS is to define all libcrypto functions
+// without depending on the openssl headers so it is easier to use this package
+// with an openssl version different that the one used at build time.
+//
+// The following macros may not be defined at this point,
+// they are not resolved here but just accumulated in FOR_ALL_OPENSSL_FUNCTIONS.
+//
+// DEFINEFUNC defines and loads openssl functions that can be directly called from Go as their signatures match
+// the OpenSSL API and do not require special logic.
+// The process will be aborted if the function can't be loaded.
+//
+// DEFINEFUNC_LEGACY_1_1 acts like DEFINEFUNC but only aborts the process if the function can't be loaded
+// when using 1.1.x. This indicates the function is required when using 1.1.x, but is unused when using later versions.
+// It also might not exist in later versions.
+//
+// DEFINEFUNC_LEGACY_1_0 acts like DEFINEFUNC but only aborts the process if the function can't be loaded
+// when using 1.0.x. This indicates the function is required when using 1.0.x, but is unused when using later versions.
+// It also might not exist in later versions.
+//
+// DEFINEFUNC_LEGACY_1 acts like DEFINEFUNC but only aborts the process if the function can't be loaded
+// when using 1.x. This indicates the function is required when using 1.x, but is unused when using later versions.
+// It also might not exist in later versions.
+//
+// DEFINEFUNC_1_1 acts like DEFINEFUNC but only aborts the process if function can't be loaded
+// when using 1.1.0 or higher.
+//
+// DEFINEFUNC_1_1_1 acts like DEFINEFUNC but only aborts the process if function can't be loaded
+// when using 1.1.1 or higher.
+//
+// DEFINEFUNC_3_0 acts like DEFINEFUNC but only aborts the process if function can't be loaded
+// when using 3.0.0 or higher.
+//
+// DEFINEFUNC_RENAMED_1_1 acts like DEFINEFUNC but tries to load the function using the new name when using >= 1.1.x
+// and the old name when using 1.0.2. In both cases the function will have the new name.
+//
+// DEFINEFUNC_RENAMED_3_0 acts like DEFINEFUNC but tries to load the function using the new name when using >= 3.x
+// and the old name when using 1.x. In both cases the function will have the new name.
+//
+// DEFINEFUNC_VARIADIC_3_0 acts like DEFINEFUNC but creates an alias with a more specific signature.
+// This is necessary to call variadic functions (functions that accept a variable number of arguments)
+// because variadic functions are not directly compatible with cgo. By defining a cgo-compatible alias
+// for each desired signature, the C compiler handles the variadic arguments rather than cgo.
+// Variadic functions are the only known incompatibility of this kind.
+// If you use this macro for a different reason, consider renaming it to something more general first.
+// See https://github.com/golang/go/issues/975.
+// The process is aborted if the function can't be loaded when using 3.0.0 or higher.
+//
+// #include <openssl/crypto.h>
+// #include <openssl/err.h>
+// #include <openssl/rsa.h>
+// #include <openssl/hmac.h>
+// #include <openssl/ec.h>
+// #include <openssl/rand.h>
+// #include <openssl/evp.h>
+// #include <openssl/dsa.h>
+// #if OPENSSL_VERSION_NUMBER >= 0x30000000L
+// #include <openssl/provider.h>
+// #include <openssl/param_build.h>
+// #endif
+// #if OPENSSL_VERSION_NUMBER < 0x10100000L
+// #include <openssl/bn.h>
+// #endif
+#define FOR_ALL_OPENSSL_FUNCTIONS \
+DEFINEFUNC(void, ERR_error_string_n, (unsigned long e, char *buf, size_t len), (e, buf, len)) \
+DEFINEFUNC(void, ERR_clear_error, (void), ()) \
+DEFINEFUNC_LEGACY_1(unsigned long, ERR_get_error_line, (const char **file, int *line), (file, line)) \
+DEFINEFUNC_3_0(unsigned long, ERR_get_error_all, (const char **file, int *line, const char **func, const char **data, int *flags), (file, line, func, data, flags)) \
+DEFINEFUNC_RENAMED_1_1(const char *, OpenSSL_version, SSLeay_version, (int type), (type)) \
+DEFINEFUNC(void, OPENSSL_init, (void), ()) \
+DEFINEFUNC_LEGACY_1_0(void, ERR_load_crypto_strings, (void), ()) \
+DEFINEFUNC_LEGACY_1_0(void, ERR_remove_thread_state, (const GO_CRYPTO_THREADID_PTR tid), (tid)) \
+DEFINEFUNC_LEGACY_1_0(int, CRYPTO_num_locks, (void), ()) \
+DEFINEFUNC_LEGACY_1_0(int, CRYPTO_THREADID_set_callback, (void (*threadid_func) (GO_CRYPTO_THREADID_PTR)), (threadid_func)) \
+DEFINEFUNC_LEGACY_1_0(void, CRYPTO_THREADID_set_numeric, (GO_CRYPTO_THREADID_PTR id, unsigned long val), (id, val)) \
+DEFINEFUNC_LEGACY_1_0(void, CRYPTO_set_locking_callback, (void (*locking_function)(int mode, int n, const char *file, int line)), (locking_function)) \
+/* CRYPTO_malloc argument num changes from int to size_t in OpenSSL 1.1.0, */ \
+/* and CRYPTO_free has file and line arguments added. */ \
+/* Exclude them from headercheck tool when using previous OpenSSL versions. */ \
+/*check:from=1.1.0*/ DEFINEFUNC(void *, CRYPTO_malloc, (size_t num, const char *file, int line), (num, file, line)) \
+/*check:from=1.1.0*/ DEFINEFUNC(void, CRYPTO_free, (void *str, const char *file, int line), (str, file, line)) \
+DEFINEFUNC_LEGACY_1_0(void, OPENSSL_add_all_algorithms_conf, (void), ()) \
+DEFINEFUNC_1_1(int, OPENSSL_init_crypto, (uint64_t ops, const GO_OPENSSL_INIT_SETTINGS_PTR settings), (ops, settings)) \
+DEFINEFUNC_LEGACY_1(int, FIPS_mode, (void), ()) \
+DEFINEFUNC_LEGACY_1(int, FIPS_mode_set, (int r), (r)) \
+DEFINEFUNC_3_0(int, EVP_default_properties_is_fips_enabled, (GO_OSSL_LIB_CTX_PTR libctx), (libctx)) \
+DEFINEFUNC_3_0(int, EVP_default_properties_enable_fips, (GO_OSSL_LIB_CTX_PTR libctx, int enable), (libctx, enable)) \
+DEFINEFUNC_3_0(int, OSSL_PROVIDER_available, (GO_OSSL_LIB_CTX_PTR libctx, const char *name), (libctx, name)) \
+DEFINEFUNC_3_0(GO_OSSL_PROVIDER_PTR, OSSL_PROVIDER_try_load, (GO_OSSL_LIB_CTX_PTR libctx, const char *name, int retain_fallbacks), (libctx, name, retain_fallbacks)) \
+DEFINEFUNC_3_0(const char *, OSSL_PROVIDER_get0_name, (const GO_OSSL_PROVIDER_PTR prov), (prov)) \
+DEFINEFUNC_3_0(GO_EVP_MD_PTR, EVP_MD_fetch, (GO_OSSL_LIB_CTX_PTR ctx, const char *algorithm, const char *properties), (ctx, algorithm, properties)) \
+DEFINEFUNC_3_0(void, EVP_MD_free, (GO_EVP_MD_PTR md), (md)) \
+DEFINEFUNC_3_0(const char *, EVP_MD_get0_name, (const GO_EVP_MD_PTR md), (md)) \
+DEFINEFUNC_3_0(const GO_OSSL_PROVIDER_PTR, EVP_MD_get0_provider, (const GO_EVP_MD_PTR md), (md)) \
+DEFINEFUNC_RENAMED_3_0(int, EVP_MD_get_size, EVP_MD_size, (const GO_EVP_MD_PTR md), (md)) \
+DEFINEFUNC_RENAMED_3_0(int, EVP_MD_get_block_size, EVP_MD_block_size, (const GO_EVP_MD_PTR md), (md)) \
+DEFINEFUNC(int, RAND_bytes, (unsigned char *arg0, int arg1), (arg0, arg1)) \
+DEFINEFUNC_RENAMED_1_1(GO_EVP_MD_CTX_PTR, EVP_MD_CTX_new, EVP_MD_CTX_create, (void), ()) \
+DEFINEFUNC_RENAMED_1_1(void, EVP_MD_CTX_free, EVP_MD_CTX_destroy, (GO_EVP_MD_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC(int, EVP_MD_CTX_copy, (GO_EVP_MD_CTX_PTR out, const GO_EVP_MD_CTX_PTR in), (out, in)) \
+DEFINEFUNC(int, EVP_MD_CTX_copy_ex, (GO_EVP_MD_CTX_PTR out, const GO_EVP_MD_CTX_PTR in), (out, in)) \
+DEFINEFUNC(int, EVP_Digest, (const void *data, size_t count, unsigned char *md, unsigned int *size, const GO_EVP_MD_PTR type, GO_ENGINE_PTR impl), (data, count, md, size, type, impl)) \
+DEFINEFUNC(int, EVP_DigestInit_ex, (GO_EVP_MD_CTX_PTR ctx, const GO_EVP_MD_PTR type, GO_ENGINE_PTR impl), (ctx, type, impl)) \
+DEFINEFUNC(int, EVP_DigestInit, (GO_EVP_MD_CTX_PTR ctx, const GO_EVP_MD_PTR type), (ctx, type)) \
+DEFINEFUNC(int, EVP_DigestUpdate, (GO_EVP_MD_CTX_PTR ctx, const void *d, size_t cnt), (ctx, d, cnt)) \
+DEFINEFUNC(int, EVP_DigestFinal, (GO_EVP_MD_CTX_PTR ctx, unsigned char *md, unsigned int *s), (ctx, md, s)) \
+DEFINEFUNC_1_1_1(int, EVP_DigestSign, (GO_EVP_MD_CTX_PTR ctx, unsigned char *sigret, size_t *siglen, const unsigned char *tbs, size_t tbslen), (ctx, sigret, siglen, tbs, tbslen)) \
+DEFINEFUNC(int, EVP_DigestSignInit, (GO_EVP_MD_CTX_PTR ctx, GO_EVP_PKEY_CTX_PTR *pctx, const GO_EVP_MD_PTR type, GO_ENGINE_PTR e, GO_EVP_PKEY_PTR pkey), (ctx, pctx, type, e, pkey)) \
+DEFINEFUNC(int, EVP_DigestSignFinal, (GO_EVP_MD_CTX_PTR ctx, unsigned char *sig, size_t *siglen), (ctx, sig, siglen)) \
+DEFINEFUNC(int, EVP_DigestVerifyInit, (GO_EVP_MD_CTX_PTR ctx, GO_EVP_PKEY_CTX_PTR *pctx, const GO_EVP_MD_PTR type, GO_ENGINE_PTR e, GO_EVP_PKEY_PTR pkey), (ctx, pctx, type, e, pkey)) \
+DEFINEFUNC(int, EVP_DigestVerifyFinal, (GO_EVP_MD_CTX_PTR ctx, const unsigned char *sig, size_t siglen), (ctx, sig, siglen)) \
+DEFINEFUNC_1_1_1(int, EVP_DigestVerify, (GO_EVP_MD_CTX_PTR ctx, const unsigned char *sigret, size_t siglen, const unsigned char *tbs, size_t tbslen), (ctx, sigret, siglen, tbs, tbslen)) \
+DEFINEFUNC_1_1(const GO_EVP_MD_PTR, EVP_md5_sha1, (void), ()) \
+DEFINEFUNC(const GO_EVP_MD_PTR, EVP_ripemd160, (void), ()) \
+DEFINEFUNC(const GO_EVP_MD_PTR, EVP_md4, (void), ()) \
+DEFINEFUNC(const GO_EVP_MD_PTR, EVP_md5, (void), ()) \
+DEFINEFUNC(const GO_EVP_MD_PTR, EVP_sha1, (void), ()) \
+DEFINEFUNC(const GO_EVP_MD_PTR, EVP_sha224, (void), ()) \
+DEFINEFUNC(const GO_EVP_MD_PTR, EVP_sha256, (void), ()) \
+DEFINEFUNC(const GO_EVP_MD_PTR, EVP_sha384, (void), ()) \
+DEFINEFUNC(const GO_EVP_MD_PTR, EVP_sha512, (void), ()) \
+DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha512_224, (void), ()) \
+DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha512_256, (void), ()) \
+DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha3_224, (void), ()) \
+DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha3_256, (void), ()) \
+DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha3_384, (void), ()) \
+DEFINEFUNC_1_1_1(const GO_EVP_MD_PTR, EVP_sha3_512, (void), ()) \
+DEFINEFUNC_LEGACY_1_0(void, HMAC_CTX_init, (GO_HMAC_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1_0(void, HMAC_CTX_cleanup, (GO_HMAC_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1(int, HMAC_Init_ex, (GO_HMAC_CTX_PTR arg0, const void *arg1, int arg2, const GO_EVP_MD_PTR arg3, GO_ENGINE_PTR arg4), (arg0, arg1, arg2, arg3, arg4)) \
+DEFINEFUNC_LEGACY_1(int, HMAC_Update, (GO_HMAC_CTX_PTR arg0, const unsigned char *arg1, size_t arg2), (arg0, arg1, arg2)) \
+DEFINEFUNC_LEGACY_1(int, HMAC_Final, (GO_HMAC_CTX_PTR arg0, unsigned char *arg1, unsigned int *arg2), (arg0, arg1, arg2)) \
+DEFINEFUNC_LEGACY_1(int, HMAC_CTX_copy, (GO_HMAC_CTX_PTR dest, GO_HMAC_CTX_PTR src), (dest, src)) \
+DEFINEFUNC_LEGACY_1_1(void, HMAC_CTX_free, (GO_HMAC_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1_1(GO_HMAC_CTX_PTR, HMAC_CTX_new, (void), ()) \
+DEFINEFUNC(GO_EVP_CIPHER_CTX_PTR, EVP_CIPHER_CTX_new, (void), ()) \
+DEFINEFUNC(int, EVP_CIPHER_CTX_set_padding, (GO_EVP_CIPHER_CTX_PTR x, int padding), (x, padding)) \
+DEFINEFUNC(int, EVP_CipherInit_ex, (GO_EVP_CIPHER_CTX_PTR ctx, const GO_EVP_CIPHER_PTR type, GO_ENGINE_PTR impl, const unsigned char *key, const unsigned char *iv, int enc), (ctx, type, impl, key, iv, enc)) \
+DEFINEFUNC(int, EVP_CipherUpdate, (GO_EVP_CIPHER_CTX_PTR ctx, unsigned char *out, int *outl, const unsigned char *in, int inl), (ctx, out, outl, in, inl)) \
+DEFINEFUNC(int, EVP_EncryptInit_ex, (GO_EVP_CIPHER_CTX_PTR ctx, const GO_EVP_CIPHER_PTR type, GO_ENGINE_PTR impl, const unsigned char *key, const unsigned char *iv), (ctx, type, impl, key, iv)) \
+DEFINEFUNC(int, EVP_EncryptUpdate, (GO_EVP_CIPHER_CTX_PTR ctx, unsigned char *out, int *outl, const unsigned char *in, int inl), (ctx, out, outl, in, inl)) \
+DEFINEFUNC(int, EVP_EncryptFinal_ex, (GO_EVP_CIPHER_CTX_PTR ctx, unsigned char *out, int *outl), (ctx, out, outl)) \
+DEFINEFUNC(int, EVP_DecryptInit_ex, (GO_EVP_CIPHER_CTX_PTR ctx, const GO_EVP_CIPHER_PTR type, GO_ENGINE_PTR impl, const unsigned char *key, const unsigned char *iv), (ctx, type, impl, key, iv)) \
+DEFINEFUNC(int, EVP_DecryptUpdate, (GO_EVP_CIPHER_CTX_PTR ctx, unsigned char *out, int *outl, const unsigned char *in, int inl),	(ctx, out, outl, in, inl)) \
+DEFINEFUNC(int, EVP_DecryptFinal_ex, (GO_EVP_CIPHER_CTX_PTR ctx, unsigned char *outm, int *outl),	(ctx, outm, outl)) \
+DEFINEFUNC_3_0(GO_EVP_CIPHER_PTR, EVP_CIPHER_fetch, (GO_OSSL_LIB_CTX_PTR ctx, const char *algorithm, const char *properties), (ctx, algorithm, properties)) \
+DEFINEFUNC_3_0(const char *, EVP_CIPHER_get0_name, (const GO_EVP_CIPHER_PTR cipher), (cipher)) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_128_gcm, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_128_cbc, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_128_ctr, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_128_ecb, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_192_gcm, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_192_cbc, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_192_ctr, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_192_ecb, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_256_cbc, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_256_ctr, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_256_ecb, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_aes_256_gcm, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_des_ecb, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_des_cbc, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_des_ede3_ecb, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_des_ede3_cbc, (void), ()) \
+DEFINEFUNC(const GO_EVP_CIPHER_PTR, EVP_rc4, (void), ()) \
+DEFINEFUNC_RENAMED_3_0(int, EVP_CIPHER_get_block_size, EVP_CIPHER_block_size, (const GO_EVP_CIPHER_PTR cipher), (cipher)) \
+DEFINEFUNC(int, EVP_CIPHER_CTX_set_key_length, (GO_EVP_CIPHER_CTX_PTR x, int keylen), (x, keylen)) \
+DEFINEFUNC(void, EVP_CIPHER_CTX_free, (GO_EVP_CIPHER_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC(int, EVP_CIPHER_CTX_ctrl, (GO_EVP_CIPHER_CTX_PTR ctx, int type, int arg, void *ptr), (ctx, type, arg, ptr)) \
+DEFINEFUNC(GO_EVP_PKEY_PTR, EVP_PKEY_new, (void), ()) \
+DEFINEFUNC_1_1_1(GO_EVP_PKEY_PTR, EVP_PKEY_new_raw_private_key, (int type, GO_ENGINE_PTR e, const unsigned char *key, size_t keylen), (type, e, key, keylen)) \
+DEFINEFUNC_1_1_1(GO_EVP_PKEY_PTR, EVP_PKEY_new_raw_public_key, (int type, GO_ENGINE_PTR e, const unsigned char *key, size_t keylen), (type, e, key, keylen)) \
+/* EVP_PKEY_size and EVP_PKEY_get_bits pkey parameter is const since OpenSSL 1.1.1. */ \
+/* Exclude it from headercheck tool when using previous OpenSSL versions. */ \
+/*check:from=1.1.1*/ DEFINEFUNC_RENAMED_3_0(int, EVP_PKEY_get_size, EVP_PKEY_size, (const GO_EVP_PKEY_PTR pkey), (pkey)) \
+/*check:from=1.1.1*/ DEFINEFUNC_RENAMED_3_0(int, EVP_PKEY_get_bits, EVP_PKEY_bits, (const GO_EVP_PKEY_PTR pkey), (pkey)) \
+DEFINEFUNC(void, EVP_PKEY_free, (GO_EVP_PKEY_PTR arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1(GO_RSA_PTR, EVP_PKEY_get1_RSA, (GO_EVP_PKEY_PTR pkey), (pkey)) \
+DEFINEFUNC_LEGACY_1(int, EVP_PKEY_assign, (GO_EVP_PKEY_PTR pkey, int type, void *key), (pkey, type, key)) \
+DEFINEFUNC(int, EVP_PKEY_verify, (GO_EVP_PKEY_CTX_PTR ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbs, size_t tbslen), (ctx, sig, siglen, tbs, tbslen)) \
+DEFINEFUNC(GO_EVP_PKEY_CTX_PTR, EVP_PKEY_CTX_new, (GO_EVP_PKEY_PTR arg0, GO_ENGINE_PTR arg1), (arg0, arg1)) \
+DEFINEFUNC(GO_EVP_PKEY_CTX_PTR, EVP_PKEY_CTX_new_id, (int id, GO_ENGINE_PTR e), (id, e)) \
+DEFINEFUNC_3_0(GO_EVP_PKEY_CTX_PTR, EVP_PKEY_CTX_new_from_pkey, (GO_OSSL_LIB_CTX_PTR libctx, GO_EVP_PKEY_PTR pkey, const char *propquery), (libctx, pkey, propquery)) \
+DEFINEFUNC(int, EVP_PKEY_paramgen_init, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC(int, EVP_PKEY_paramgen, (GO_EVP_PKEY_CTX_PTR ctx, GO_EVP_PKEY_PTR *ppkey), (ctx, ppkey)) \
+DEFINEFUNC(int, EVP_PKEY_keygen_init, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC(int, EVP_PKEY_keygen, (GO_EVP_PKEY_CTX_PTR ctx, GO_EVP_PKEY_PTR *ppkey), (ctx, ppkey)) \
+DEFINEFUNC_VARIADIC_3_0(GO_EVP_PKEY_PTR, EVP_PKEY_Q_keygen, EVP_PKEY_Q_keygen, (GO_OSSL_LIB_CTX_PTR ctx, const char *propq, const char *type), (ctx, propq, type)) \
+DEFINEFUNC_VARIADIC_3_0(GO_EVP_PKEY_PTR, EVP_PKEY_Q_keygen, EVP_PKEY_Q_keygen_RSA, (GO_OSSL_LIB_CTX_PTR ctx, const char *propq, const char *type, size_t arg1), (ctx, propq, type, arg1)) \
+DEFINEFUNC_VARIADIC_3_0(GO_EVP_PKEY_PTR, EVP_PKEY_Q_keygen, EVP_PKEY_Q_keygen_EC, (GO_OSSL_LIB_CTX_PTR ctx, const char *propq, const char *type, const char *arg1), (ctx, propq, type, arg1)) \
+DEFINEFUNC(void, EVP_PKEY_CTX_free, (GO_EVP_PKEY_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC(int, EVP_PKEY_CTX_ctrl, (GO_EVP_PKEY_CTX_PTR ctx, int keytype, int optype, int cmd, int p1, void *p2), (ctx, keytype, optype, cmd, p1, p2)) \
+DEFINEFUNC(int, EVP_PKEY_decrypt, (GO_EVP_PKEY_CTX_PTR arg0, unsigned char *arg1, size_t *arg2, const unsigned char *arg3, size_t arg4), (arg0, arg1, arg2, arg3, arg4)) \
+DEFINEFUNC(int, EVP_PKEY_encrypt, (GO_EVP_PKEY_CTX_PTR arg0, unsigned char *arg1, size_t *arg2, const unsigned char *arg3, size_t arg4), (arg0, arg1, arg2, arg3, arg4)) \
+DEFINEFUNC(int, EVP_PKEY_decrypt_init, (GO_EVP_PKEY_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC(int, EVP_PKEY_encrypt_init, (GO_EVP_PKEY_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC(int, EVP_PKEY_sign_init, (GO_EVP_PKEY_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC(int, EVP_PKEY_verify_init, (GO_EVP_PKEY_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC(int, EVP_PKEY_sign, (GO_EVP_PKEY_CTX_PTR arg0, unsigned char *arg1, size_t *arg2, const unsigned char *arg3, size_t arg4), (arg0, arg1, arg2, arg3, arg4)) \
+DEFINEFUNC(int, EVP_PKEY_derive_init, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC(int, EVP_PKEY_derive_set_peer, (GO_EVP_PKEY_CTX_PTR ctx, GO_EVP_PKEY_PTR peer), (ctx, peer)) \
+DEFINEFUNC(int, EVP_PKEY_derive, (GO_EVP_PKEY_CTX_PTR ctx, unsigned char *key, size_t *keylen), (ctx, key, keylen)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_public_check_quick, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_private_check, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC_LEGACY_1_0(void*, EVP_PKEY_get0, (GO_EVP_PKEY_PTR pkey), (pkey)) \
+DEFINEFUNC_LEGACY_1_1(GO_EC_KEY_PTR, EVP_PKEY_get0_EC_KEY, (GO_EVP_PKEY_PTR pkey), (pkey)) \
+DEFINEFUNC_LEGACY_1_1(GO_DSA_PTR, EVP_PKEY_get0_DSA, (GO_EVP_PKEY_PTR pkey), (pkey)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_fromdata_init, (GO_EVP_PKEY_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_fromdata, (GO_EVP_PKEY_CTX_PTR ctx, GO_EVP_PKEY_PTR *pkey, int selection, GO_OSSL_PARAM_PTR params), (ctx, pkey, selection, params)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_set1_encoded_public_key, (GO_EVP_PKEY_PTR pkey, const unsigned char *pub, size_t publen), (pkey, pub, publen)) \
+DEFINEFUNC_3_0(size_t, EVP_PKEY_get1_encoded_public_key, (GO_EVP_PKEY_PTR pkey, unsigned char **ppub), (pkey, ppub)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_get_bn_param, (const GO_EVP_PKEY_PTR pkey, const char *key_name, GO_BIGNUM_PTR *bn), (pkey, key_name, bn)) \
+DEFINEFUNC_LEGACY_1(GO_RSA_PTR, RSA_new, (void), ()) \
+DEFINEFUNC_LEGACY_1(void, RSA_free, (GO_RSA_PTR arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1_1(int, RSA_set0_factors, (GO_RSA_PTR rsa, GO_BIGNUM_PTR p, GO_BIGNUM_PTR q), (rsa, p, q)) \
+DEFINEFUNC_LEGACY_1_1(int, RSA_set0_crt_params, (GO_RSA_PTR rsa, GO_BIGNUM_PTR dmp1, GO_BIGNUM_PTR dmp2, GO_BIGNUM_PTR iqmp), (rsa, dmp1, dmp2, iqmp)) \
+DEFINEFUNC_LEGACY_1_1(void, RSA_get0_crt_params, (const GO_RSA_PTR r, const GO_BIGNUM_PTR *dmp1, const GO_BIGNUM_PTR *dmq1, const GO_BIGNUM_PTR *iqmp), (r, dmp1, dmq1, iqmp)) \
+DEFINEFUNC_LEGACY_1_1(int, RSA_set0_key, (GO_RSA_PTR r, GO_BIGNUM_PTR n, GO_BIGNUM_PTR e, GO_BIGNUM_PTR d), (r, n, e, d)) \
+DEFINEFUNC_LEGACY_1_1(void, RSA_get0_factors, (const GO_RSA_PTR rsa, const GO_BIGNUM_PTR *p, const GO_BIGNUM_PTR *q), (rsa, p, q)) \
+DEFINEFUNC_LEGACY_1_1(void, RSA_get0_key, (const GO_RSA_PTR rsa, const GO_BIGNUM_PTR *n, const GO_BIGNUM_PTR *e, const GO_BIGNUM_PTR *d), (rsa, n, e, d)) \
+DEFINEFUNC(GO_BIGNUM_PTR, BN_new, (void), ()) \
+DEFINEFUNC(void, BN_free, (GO_BIGNUM_PTR arg0), (arg0)) \
+DEFINEFUNC(void, BN_clear, (GO_BIGNUM_PTR arg0), (arg0)) \
+DEFINEFUNC(void, BN_clear_free, (GO_BIGNUM_PTR arg0), (arg0)) \
+DEFINEFUNC(int, BN_num_bits, (const GO_BIGNUM_PTR arg0), (arg0)) \
+DEFINEFUNC(GO_BIGNUM_PTR, BN_bin2bn, (const unsigned char *arg0, int arg1, GO_BIGNUM_PTR arg2), (arg0, arg1, arg2)) \
+DEFINEFUNC_LEGACY_1_0(int, BN_bn2bin, (const GO_BIGNUM_PTR a, unsigned char *to), (a, to)) \
+DEFINEFUNC_LEGACY_1_0(GO_BIGNUM_PTR, bn_expand2, (GO_BIGNUM_PTR a, int n), (a, n)) \
+DEFINEFUNC_1_1(GO_BIGNUM_PTR, BN_lebin2bn, (const unsigned char *s, int len, GO_BIGNUM_PTR ret), (s, len, ret)) \
+DEFINEFUNC_1_1(int, BN_bn2lebinpad, (const GO_BIGNUM_PTR a, unsigned char *to, int tolen), (a, to, tolen)) \
+DEFINEFUNC_1_1(int, BN_bn2binpad, (const GO_BIGNUM_PTR a, unsigned char *to, int tolen), (a, to, tolen)) \
+DEFINEFUNC_LEGACY_1(int, EC_KEY_set_public_key_affine_coordinates, (GO_EC_KEY_PTR key, GO_BIGNUM_PTR x, GO_BIGNUM_PTR y), (key, x, y)) \
+DEFINEFUNC_LEGACY_1(int, EC_KEY_set_public_key, (GO_EC_KEY_PTR key, const GO_EC_POINT_PTR pub), (key, pub)) \
+DEFINEFUNC_LEGACY_1(void, EC_KEY_free, (GO_EC_KEY_PTR arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1(const GO_EC_GROUP_PTR, EC_KEY_get0_group, (const GO_EC_KEY_PTR arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1(const GO_BIGNUM_PTR, EC_KEY_get0_private_key, (const GO_EC_KEY_PTR arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1(const GO_EC_POINT_PTR, EC_KEY_get0_public_key, (const GO_EC_KEY_PTR arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1(GO_EC_KEY_PTR, EC_KEY_new_by_curve_name, (int arg0), (arg0)) \
+DEFINEFUNC_LEGACY_1(int, EC_KEY_set_private_key, (GO_EC_KEY_PTR arg0, const GO_BIGNUM_PTR arg1), (arg0, arg1)) \
+DEFINEFUNC_LEGACY_1(int, EC_KEY_check_key, (const GO_EC_KEY_PTR key), (key)) \
+DEFINEFUNC(GO_EC_POINT_PTR, EC_POINT_new, (const GO_EC_GROUP_PTR arg0), (arg0)) \
+DEFINEFUNC(void, EC_POINT_free, (GO_EC_POINT_PTR arg0), (arg0)) \
+DEFINEFUNC(int, EC_POINT_mul, (const GO_EC_GROUP_PTR group, GO_EC_POINT_PTR r, const GO_BIGNUM_PTR n, const GO_EC_POINT_PTR q, const GO_BIGNUM_PTR m, GO_BN_CTX_PTR ctx), (group, r, n, q, m, ctx)) \
+DEFINEFUNC_LEGACY_1(int, EC_POINT_get_affine_coordinates_GFp, (const GO_EC_GROUP_PTR arg0, const GO_EC_POINT_PTR arg1, GO_BIGNUM_PTR arg2, GO_BIGNUM_PTR arg3, GO_BN_CTX_PTR arg4), (arg0, arg1, arg2, arg3, arg4)) \
+DEFINEFUNC_3_0(int, EC_POINT_set_affine_coordinates, (const GO_EC_GROUP_PTR arg0, GO_EC_POINT_PTR arg1, const GO_BIGNUM_PTR arg2, const GO_BIGNUM_PTR arg3, GO_BN_CTX_PTR arg4), (arg0, arg1, arg2, arg3, arg4)) \
+DEFINEFUNC(size_t, EC_POINT_point2oct, (const GO_EC_GROUP_PTR group, const GO_EC_POINT_PTR p, point_conversion_form_t form, unsigned char *buf, size_t len, GO_BN_CTX_PTR ctx), (group, p, form, buf, len, ctx)) \
+DEFINEFUNC(int, EC_POINT_oct2point, (const GO_EC_GROUP_PTR group, GO_EC_POINT_PTR p, const unsigned char *buf, size_t len, GO_BN_CTX_PTR ctx), (group, p, buf, len, ctx)) \
+DEFINEFUNC(const char *, OBJ_nid2sn, (int n), (n)) \
+DEFINEFUNC(GO_EC_GROUP_PTR, EC_GROUP_new_by_curve_name, (int nid), (nid)) \
+DEFINEFUNC(void, EC_GROUP_free, (GO_EC_GROUP_PTR group), (group)) \
+DEFINEFUNC_3_0(GO_EVP_MAC_PTR, EVP_MAC_fetch, (GO_OSSL_LIB_CTX_PTR ctx, const char *algorithm, const char *properties), (ctx, algorithm, properties)) \
+DEFINEFUNC_3_0(GO_EVP_MAC_CTX_PTR, EVP_MAC_CTX_new, (GO_EVP_MAC_PTR arg0), (arg0)) \
+DEFINEFUNC_3_0(int, EVP_MAC_CTX_set_params, (GO_EVP_MAC_CTX_PTR ctx, const GO_OSSL_PARAM_PTR params), (ctx, params)) \
+DEFINEFUNC_3_0(void, EVP_MAC_CTX_free, (GO_EVP_MAC_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC_3_0(GO_EVP_MAC_CTX_PTR, EVP_MAC_CTX_dup, (const GO_EVP_MAC_CTX_PTR arg0), (arg0)) \
+DEFINEFUNC_3_0(int, EVP_MAC_init, (GO_EVP_MAC_CTX_PTR ctx, const unsigned char *key, size_t keylen, const GO_OSSL_PARAM_PTR params), (ctx, key, keylen, params)) \
+DEFINEFUNC_3_0(int, EVP_MAC_update, (GO_EVP_MAC_CTX_PTR ctx, const unsigned char *data, size_t datalen), (ctx, data, datalen)) \
+DEFINEFUNC_3_0(int, EVP_MAC_final, (GO_EVP_MAC_CTX_PTR ctx, unsigned char *out, size_t *outl, size_t outsize), (ctx, out, outl, outsize)) \
+DEFINEFUNC_3_0(void, OSSL_PARAM_free, (GO_OSSL_PARAM_PTR p), (p)) \
+DEFINEFUNC_3_0(GO_OSSL_PARAM_BLD_PTR, OSSL_PARAM_BLD_new, (void), ()) \
+DEFINEFUNC_3_0(void, OSSL_PARAM_BLD_free, (GO_OSSL_PARAM_BLD_PTR bld), (bld)) \
+DEFINEFUNC_3_0(GO_OSSL_PARAM_PTR, OSSL_PARAM_BLD_to_param, (GO_OSSL_PARAM_BLD_PTR bld), (bld)) \
+DEFINEFUNC_3_0(int, OSSL_PARAM_BLD_push_utf8_string, (GO_OSSL_PARAM_BLD_PTR bld, const char *key, const char *buf, size_t bsize), (bld, key, buf, bsize)) \
+DEFINEFUNC_3_0(int, OSSL_PARAM_BLD_push_octet_string, (GO_OSSL_PARAM_BLD_PTR bld, const char *key, const void *buf, size_t bsize), (bld, key, buf, bsize)) \
+DEFINEFUNC_3_0(int, OSSL_PARAM_BLD_push_BN, (GO_OSSL_PARAM_BLD_PTR bld, const char *key, const GO_BIGNUM_PTR bn), (bld, key, bn)) \
+DEFINEFUNC_3_0(int, OSSL_PARAM_BLD_push_int32, (GO_OSSL_PARAM_BLD_PTR bld, const char *key, int32_t num), (bld, key, num)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_CTX_set_hkdf_mode, (GO_EVP_PKEY_CTX_PTR arg0, int arg1), (arg0, arg1)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_CTX_set_hkdf_md, (GO_EVP_PKEY_CTX_PTR arg0, const GO_EVP_MD_PTR arg1), (arg0, arg1)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_CTX_set1_hkdf_salt, (GO_EVP_PKEY_CTX_PTR arg0, const unsigned char *arg1, int arg2), (arg0, arg1, arg2)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_CTX_set1_hkdf_key, (GO_EVP_PKEY_CTX_PTR arg0, const unsigned char *arg1, int arg2), (arg0, arg1, arg2)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_CTX_add1_hkdf_info, (GO_EVP_PKEY_CTX_PTR arg0, const unsigned char *arg1, int arg2), (arg0, arg1, arg2)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_up_ref, (GO_EVP_PKEY_PTR key), (key)) \
+DEFINEFUNC_LEGACY_1(int, EVP_PKEY_set1_EC_KEY, (GO_EVP_PKEY_PTR pkey, GO_EC_KEY_PTR key), (pkey, key)) \
+DEFINEFUNC_3_0(int, EVP_PKEY_CTX_set0_rsa_oaep_label, (GO_EVP_PKEY_CTX_PTR ctx, void *label, int len), (ctx, label, len)) \
+DEFINEFUNC(int, PKCS5_PBKDF2_HMAC, (const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, const GO_EVP_MD_PTR digest, int keylen, unsigned char *out), (pass, passlen, salt, saltlen, iter, digest, keylen, out)) \
+DEFINEFUNC_1_1_1(int, EVP_PKEY_get_raw_public_key, (const GO_EVP_PKEY_PTR pkey, unsigned char *pub, size_t *len), (pkey, pub, len)) \
+DEFINEFUNC_1_1_1(int, EVP_PKEY_get_raw_private_key, (const GO_EVP_PKEY_PTR pkey, unsigned char *priv, size_t *len), (pkey, priv, len)) \
+DEFINEFUNC_3_0(GO_EVP_SIGNATURE_PTR, EVP_SIGNATURE_fetch, (GO_OSSL_LIB_CTX_PTR ctx, const char *algorithm, const char *properties), (ctx, algorithm, properties)) \
+DEFINEFUNC_3_0(void, EVP_SIGNATURE_free, (GO_EVP_SIGNATURE_PTR signature), (signature)) \
+DEFINEFUNC_LEGACY_1(GO_DSA_PTR, DSA_new, (void), ()) \
+DEFINEFUNC_LEGACY_1(void, DSA_free, (GO_DSA_PTR r), (r)) \
+DEFINEFUNC_LEGACY_1(int, DSA_generate_key, (GO_DSA_PTR a), (a)) \
+DEFINEFUNC_LEGACY_1_1(void, DSA_get0_pqg, (const GO_DSA_PTR d, const GO_BIGNUM_PTR *p, const GO_BIGNUM_PTR *q, const GO_BIGNUM_PTR *g), (d, p, q, g)) \
+DEFINEFUNC_LEGACY_1_1(int, DSA_set0_pqg, (GO_DSA_PTR d, GO_BIGNUM_PTR p, GO_BIGNUM_PTR q, GO_BIGNUM_PTR g), (d, p, q, g)) \
+DEFINEFUNC_LEGACY_1_1(void, DSA_get0_key, (const GO_DSA_PTR d, const GO_BIGNUM_PTR *pub_key, const GO_BIGNUM_PTR *priv_key), (d, pub_key, priv_key)) \
+DEFINEFUNC_LEGACY_1_1(int, DSA_set0_key, (GO_DSA_PTR d, GO_BIGNUM_PTR pub_key, GO_BIGNUM_PTR priv_key), (d, pub_key, priv_key)) \
+DEFINEFUNC_3_0(GO_EVP_KDF_PTR, EVP_KDF_fetch, (GO_OSSL_LIB_CTX_PTR libctx, const char *algorithm, const char *properties), (libctx, algorithm, properties)) \
+DEFINEFUNC_3_0(void, EVP_KDF_free, (GO_EVP_KDF_PTR kdf), (kdf)) \
+DEFINEFUNC_3_0(GO_EVP_KDF_CTX_PTR, EVP_KDF_CTX_new, (GO_EVP_KDF_PTR kdf), (kdf)) \
+DEFINEFUNC_3_0(int, EVP_KDF_CTX_set_params, (GO_EVP_KDF_CTX_PTR ctx, const GO_OSSL_PARAM_PTR params), (ctx, params)) \
+DEFINEFUNC_3_0(void, EVP_KDF_CTX_free, (GO_EVP_KDF_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC_3_0(size_t, EVP_KDF_CTX_get_kdf_size, (GO_EVP_KDF_CTX_PTR ctx), (ctx)) \
+DEFINEFUNC_3_0(int, EVP_KDF_derive, (GO_EVP_KDF_CTX_PTR ctx, unsigned char *key, size_t keylen, const GO_OSSL_PARAM_PTR params), (ctx, key, keylen, params)) \
+
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/thread_setup.go b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup.go
new file mode 100644
index 00000000000000..5e0da7e362cd04
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup.go
@@ -0,0 +1,14 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// Go wrappers for testing the thread setup code as _test.go files cannot import "C".
+
+// #include "thread_setup.h"
+import "C"
+
+// opensslThreadsCleanedUp returns the number of times the thread-local OpenSSL
+// state has been cleaned up since the process started.
+func opensslThreadsCleanedUp() uint {
+	return uint(C.go_openssl_threads_cleaned_up)
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/thread_setup.h b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup.h
new file mode 100644
index 00000000000000..98d12f82a27c37
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup.h
@@ -0,0 +1,4 @@
+#define CRYPTO_LOCK 0x01
+
+/* Used by unit tests. */
+extern volatile unsigned int go_openssl_threads_cleaned_up;
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/thread_setup_unix.c b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup_unix.c
new file mode 100644
index 00000000000000..c837f9cb4dd7a3
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup_unix.c
@@ -0,0 +1,64 @@
+//go:build unix
+
+#include "goopenssl.h"
+#include "thread_setup.h"
+#include <pthread.h>
+
+/* This array will store all of the mutexes available to OpenSSL. */ 
+static pthread_mutex_t *mutex_buf = NULL;
+
+static pthread_key_t destructor_key;
+
+/* Used by unit tests. */
+volatile unsigned int go_openssl_threads_cleaned_up = 0;
+
+static void locking_function(int mode, int n, const char *file, int line)
+{
+    if (mode & CRYPTO_LOCK)
+        pthread_mutex_lock(&mutex_buf[n]);
+    else
+        pthread_mutex_unlock(&mutex_buf[n]);
+}
+
+static void thread_id(GO_CRYPTO_THREADID_PTR tid)
+{
+    go_openssl_CRYPTO_THREADID_set_numeric(tid, (unsigned long)pthread_self());
+
+    // OpenSSL fetches the current thread ID whenever it does anything with the
+    // per-thread error state, so this function is guaranteed to be executed at
+    // least once on any thread with associated error state. The thread-local
+    // variable needs to be set to a non-NULL value so that the destructor will
+    // be called when the thread exits.
+    // The actual value does not matter, but should be a pointer with a valid size.
+    // See https://github.com/golang-fips/openssl/pull/162
+    static char stub;
+    (void) pthread_setspecific(destructor_key, &stub);
+}
+
+static void cleanup_thread_state(void *ignored)
+{
+    UNUSED(ignored);
+    go_openssl_ERR_remove_thread_state(NULL);
+    // ERR_remove_thread_state(NULL) in turn calls our registered thread_id
+    // callback via CRYPTO_THREADID_current(), which sets the thread-local
+    // variable associated with this destructor to a non-NULL value. We have to
+    // clear the variable ourselves to prevent pthreads from calling the
+    // destructor again for the same thread.
+    (void) pthread_setspecific(destructor_key, NULL);
+    go_openssl_threads_cleaned_up++;
+}
+
+int go_openssl_thread_setup(void)
+{
+    if (pthread_key_create(&destructor_key, cleanup_thread_state) != 0)
+        return 0;
+    mutex_buf = malloc(go_openssl_CRYPTO_num_locks()*sizeof(pthread_mutex_t));
+    if (!mutex_buf)
+        return 0;
+    int i;
+    for (i = 0; i < go_openssl_CRYPTO_num_locks(); i++)
+        pthread_mutex_init(&mutex_buf[i], NULL);
+    go_openssl_CRYPTO_THREADID_set_callback(thread_id);
+    go_openssl_CRYPTO_set_locking_callback(locking_function);
+    return 1;
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/thread_setup_windows.c b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup_windows.c
new file mode 100644
index 00000000000000..93281d6cffc352
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/thread_setup_windows.c
@@ -0,0 +1,64 @@
+//go:build windows
+
+#include "goopenssl.h"
+#include "thread_setup.h"
+
+#include <stdlib.h>
+#include <windows.h>
+
+/* This array will store all of the mutexes available to OpenSSL. */
+static HANDLE *mutex_buf = NULL;
+
+static DWORD fls_index = FLS_OUT_OF_INDEXES;
+
+/* Used by unit tests. */
+volatile unsigned int go_openssl_threads_cleaned_up = 0;
+
+static void locking_function(int mode, int n, const char *file, int line)
+{
+    if (mode & CRYPTO_LOCK)
+        WaitForSingleObject(mutex_buf[n], INFINITE);
+    else
+        ReleaseMutex(mutex_buf[n]);
+}
+
+static void thread_id(GO_CRYPTO_THREADID_PTR tid)
+{
+    go_openssl_CRYPTO_THREADID_set_numeric(tid, (unsigned long)GetCurrentThreadId());
+
+    // OpenSSL fetches the current thread ID whenever it does anything with the
+    // per-thread error state, so this function is guaranteed to be executed at
+    // least once on any thread with associated error state. As the Win32 API
+    // reference documentation is unclear on whether the fiber-local storage
+    // slot needs to be set to trigger the destructor on thread exit, set it to
+    // a non-NULL value just in case.
+    (void) FlsSetValue(fls_index, (void*)1);
+    go_openssl_threads_cleaned_up++;
+}
+
+static void cleanup_thread_state(void *ignored)
+{
+    UNUSED(ignored);
+    go_openssl_ERR_remove_thread_state(NULL);
+}
+
+int go_openssl_thread_setup(void)
+{
+    // Use the fiber-local storage API to hook a callback on thread exit.
+    // https://devblogs.microsoft.com/oldnewthing/20191011-00/?p=102989
+    fls_index = FlsAlloc(cleanup_thread_state);
+    if (fls_index == FLS_OUT_OF_INDEXES)
+        return 0;
+    mutex_buf = malloc(go_openssl_CRYPTO_num_locks()*sizeof(HANDLE));
+    if (!mutex_buf)
+        return 0;
+    int i;
+    for (i = 0; i < go_openssl_CRYPTO_num_locks(); i++)
+        mutex_buf[i] = CreateMutex(NULL, FALSE, NULL);
+    go_openssl_CRYPTO_set_locking_callback(locking_function);
+    // go_openssl_CRYPTO_set_id_callback is not strictly needed on Windows
+    // as OpenSSL uses GetCurrentThreadId() by default.
+    // But we need to piggyback off the callback for our own purposes.
+    go_openssl_CRYPTO_THREADID_set_callback(thread_id);
+    return 1;
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/tls1prf.go b/src/vendor/github.com/golang-fips/openssl/v2/tls1prf.go
new file mode 100644
index 00000000000000..33134548830d3e
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/tls1prf.go
@@ -0,0 +1,160 @@
+//go:build !cmd_go_bootstrap
+
+package openssl
+
+// #include "goopenssl.h"
+import "C"
+import (
+	"crypto"
+	"errors"
+	"hash"
+	"sync"
+	"unsafe"
+)
+
+func SupportsTLS1PRF() bool {
+	switch vMajor {
+	case 1:
+		return vMinor >= 1
+	case 3:
+		_, err := fetchTLS1PRF3()
+		return err == nil
+	default:
+		panic(errUnsupportedVersion())
+	}
+}
+
+// TLS1PRF implements the TLS 1.0/1.1 pseudo-random function if h is nil,
+// else it implements the TLS 1.2 pseudo-random function.
+// The pseudo-random number will be written to result and will be of length len(result).
+func TLS1PRF(result, secret, label, seed []byte, fh func() hash.Hash) error {
+	var md C.GO_EVP_MD_PTR
+	if fh == nil {
+		// TLS 1.0/1.1 PRF doesn't allow to specify the hash function,
+		// it always uses MD5SHA1. If h is nil, then assume
+		// that the caller wants to use TLS 1.0/1.1 PRF.
+		// OpenSSL detects this case by checking if the hash
+		// function is MD5SHA1.
+		md = loadHash(crypto.MD5SHA1).md
+	} else {
+		h, err := hashFuncHash(fh)
+		if err != nil {
+			return err
+		}
+		md = hashToMD(h)
+	}
+	if md == nil {
+		return errors.New("unsupported hash function")
+	}
+
+	switch vMajor {
+	case 1:
+		return tls1PRF1(result, secret, label, seed, md)
+	case 3:
+		return tls1PRF3(result, secret, label, seed, md)
+	default:
+		return errUnsupportedVersion()
+	}
+}
+
+// tls1PRF1 implements TLS1PRF for OpenSSL 1 using the EVP_PKEY API.
+func tls1PRF1(result, secret, label, seed []byte, md C.GO_EVP_MD_PTR) error {
+	checkMajorVersion(1)
+
+	ctx := C.go_openssl_EVP_PKEY_CTX_new_id(C.GO_EVP_PKEY_TLS1_PRF, nil)
+	if ctx == nil {
+		return newOpenSSLError("EVP_PKEY_CTX_new_id")
+	}
+	defer func() {
+		C.go_openssl_EVP_PKEY_CTX_free(ctx)
+	}()
+
+	if C.go_openssl_EVP_PKEY_derive_init(ctx) != 1 {
+		return newOpenSSLError("EVP_PKEY_derive_init")
+	}
+	if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1,
+		C.GO1_EVP_PKEY_OP_DERIVE,
+		C.GO_EVP_PKEY_CTRL_TLS_MD,
+		0, unsafe.Pointer(md)) != 1 {
+		return newOpenSSLError("EVP_PKEY_CTX_set_tls1_prf_md")
+	}
+	if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1,
+		C.GO1_EVP_PKEY_OP_DERIVE,
+		C.GO_EVP_PKEY_CTRL_TLS_SECRET,
+		C.int(len(secret)), unsafe.Pointer(base(secret))) != 1 {
+		return newOpenSSLError("EVP_PKEY_CTX_set1_tls1_prf_secret")
+	}
+	if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1,
+		C.GO1_EVP_PKEY_OP_DERIVE,
+		C.GO_EVP_PKEY_CTRL_TLS_SEED,
+		C.int(len(label)), unsafe.Pointer(base(label))) != 1 {
+		return newOpenSSLError("EVP_PKEY_CTX_add1_tls1_prf_seed")
+	}
+	if C.go_openssl_EVP_PKEY_CTX_ctrl(ctx, -1,
+		C.GO1_EVP_PKEY_OP_DERIVE,
+		C.GO_EVP_PKEY_CTRL_TLS_SEED,
+		C.int(len(seed)), unsafe.Pointer(base(seed))) != 1 {
+		return newOpenSSLError("EVP_PKEY_CTX_add1_tls1_prf_seed")
+	}
+	outLen := C.size_t(len(result))
+	if C.go_openssl_EVP_PKEY_derive_wrapper(ctx, base(result), outLen).result != 1 {
+		return newOpenSSLError("EVP_PKEY_derive")
+	}
+	// The Go standard library expects TLS1PRF to return the requested number of bytes,
+	// fail if it doesn't. While there is no known situation where this will happen,
+	// EVP_PKEY_derive handles multiple algorithms and there could be a subtle mismatch
+	// after more code changes in the future.
+	if outLen != C.size_t(len(result)) {
+		return errors.New("tls1-prf: derived less bytes than requested")
+	}
+	return nil
+}
+
+// fetchTLS1PRF3 fetches the TLS1-PRF KDF algorithm.
+// It is safe to call this function concurrently.
+// The returned EVP_KDF_PTR shouldn't be freed.
+var fetchTLS1PRF3 = sync.OnceValues(func() (C.GO_EVP_KDF_PTR, error) {
+	checkMajorVersion(3)
+
+	name := C.CString("TLS1-PRF")
+	kdf := C.go_openssl_EVP_KDF_fetch(nil, name, nil)
+	C.free(unsafe.Pointer(name))
+	if kdf == nil {
+		return nil, newOpenSSLError("EVP_KDF_fetch")
+	}
+	return kdf, nil
+})
+
+// tls1PRF3 implements TLS1PRF for OpenSSL 3 using the EVP_KDF API.
+func tls1PRF3(result, secret, label, seed []byte, md C.GO_EVP_MD_PTR) error {
+	checkMajorVersion(3)
+
+	kdf, err := fetchTLS1PRF3()
+	if err != nil {
+		return err
+	}
+	ctx := C.go_openssl_EVP_KDF_CTX_new(kdf)
+	if ctx == nil {
+		return newOpenSSLError("EVP_KDF_CTX_new")
+	}
+	defer C.go_openssl_EVP_KDF_CTX_free(ctx)
+
+	bld, err := newParamBuilder()
+	if err != nil {
+		return err
+	}
+	bld.addUTF8String(_OSSL_KDF_PARAM_DIGEST, C.go_openssl_EVP_MD_get0_name(md), 0)
+	bld.addOctetString(_OSSL_KDF_PARAM_SECRET, secret)
+	bld.addOctetString(_OSSL_KDF_PARAM_SEED, label)
+	bld.addOctetString(_OSSL_KDF_PARAM_SEED, seed)
+	params, err := bld.build()
+	if err != nil {
+		return err
+	}
+	defer C.go_openssl_OSSL_PARAM_free(params)
+
+	if C.go_openssl_EVP_KDF_derive(ctx, base(result), C.size_t(len(result)), params) != 1 {
+		return newOpenSSLError("EVP_KDF_derive")
+	}
+	return nil
+}
diff --git a/src/vendor/github.com/golang-fips/openssl/v2/zaes.go b/src/vendor/github.com/golang-fips/openssl/v2/zaes.go
new file mode 100644
index 00000000000000..e60a5dde390be6
--- /dev/null
+++ b/src/vendor/github.com/golang-fips/openssl/v2/zaes.go
@@ -0,0 +1,86 @@
+// Code generated by cmd/genaesmodes. DO NOT EDIT.
+
+//go:build cgo && !cmd_go_bootstrap
+
+package openssl
+
+import "crypto/cipher"
+
+type cipherWithCBC struct {
+	aesCipher
+}
+
+type cipherWithCTR struct {
+	aesCipher
+}
+
+type cipherWithCBC_CTR struct {
+	aesCipher
+	cipherWithCBC
+	cipherWithCTR
+}
+
+type cipherWithGCM struct {
+	aesCipher
+}
+
+type cipherWithCBC_GCM struct {
+	aesCipher
+	cipherWithCBC
+	cipherWithGCM
+}
+
+type cipherWithCTR_GCM struct {
+	aesCipher
+	cipherWithCTR
+	cipherWithGCM
+}
+
+type cipherWithCBC_CTR_GCM struct {
+	aesCipher
+	cipherWithCBC
+	cipherWithCTR
+	cipherWithGCM
+}
+
+func newAESBlock(c *evpCipher, kind cipherKind) cipher.Block {
+	aes := aesCipher{c}
+	var block cipher.Block
+	supportsCBC := loadCipher(kind, cipherModeCBC) != nil
+	supportsCTR := loadCipher(kind, cipherModeCTR) != nil
+	supportsGCM := loadCipher(kind, cipherModeGCM) != nil
+	switch {
+	case !supportsCBC && !supportsCTR && !supportsGCM:
+		block = aes
+	case supportsCBC && !supportsCTR && !supportsGCM:
+		block = cipherWithCBC{aes}
+	case !supportsCBC && supportsCTR && !supportsGCM:
+		block = cipherWithCTR{aes}
+	case supportsCBC && supportsCTR && !supportsGCM:
+		block = cipherWithCBC_CTR{aes,
+			cipherWithCBC{aes},
+			cipherWithCTR{aes},
+		}
+	case !supportsCBC && !supportsCTR && supportsGCM:
+		block = cipherWithGCM{aes}
+	case supportsCBC && !supportsCTR && supportsGCM:
+		block = cipherWithCBC_GCM{aes,
+			cipherWithCBC{aes},
+			cipherWithGCM{aes},
+		}
+	case !supportsCBC && supportsCTR && supportsGCM:
+		block = cipherWithCTR_GCM{aes,
+			cipherWithCTR{aes},
+			cipherWithGCM{aes},
+		}
+	case supportsCBC && supportsCTR && supportsGCM:
+		block = cipherWithCBC_CTR_GCM{aes,
+			cipherWithCBC{aes},
+			cipherWithCTR{aes},
+			cipherWithGCM{aes},
+		}
+	default:
+		panic("unreachable")
+	}
+	return block
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/LICENSE b/src/vendor/github.com/microsoft/go-crypto-darwin/LICENSE
new file mode 100644
index 00000000000000..9e841e7a26e4eb
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/LICENSE
@@ -0,0 +1,21 @@
+    MIT License
+
+    Copyright (c) Microsoft Corporation.
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/bbig/big.go b/src/vendor/github.com/microsoft/go-crypto-darwin/bbig/big.go
new file mode 100644
index 00000000000000..73891afeab93d7
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/bbig/big.go
@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package bbig
+
+import (
+	"math/big"
+
+	"github.com/microsoft/go-crypto-darwin/xcrypto"
+)
+
+func Enc(b *big.Int) xcrypto.BigInt {
+	if b == nil {
+		return nil
+	}
+	x := b.Bytes()
+	if len(x) == 0 {
+		return xcrypto.BigInt{}
+	}
+	return x
+}
+
+func Dec(b xcrypto.BigInt) *big.Int {
+	if b == nil {
+		return nil
+	}
+	if len(b) == 0 {
+		return new(big.Int)
+	}
+	return new(big.Int).SetBytes(b)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/CryptoKit.o b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/CryptoKit.o
new file mode 100644
index 0000000000000000000000000000000000000000..cedd5b03bd3078586649300d1baa94c8b12549f1
GIT binary patch
literal 100952
zcmeFa3t&{$wLX3(6CglLq6CeKVN_J8jwHNHl++oMz(gk!Nr3dqWD=5rq=Y2qp+rSv
z1Da`|jf%b0>TPIkn{d6ow4z4E8pKDev<0zBtJa{XV5nk?7!=I!`_A5b=FCYZiH|<+
z|IdMwZ`NLW?Z?_{uf6s@^Z4!OkN-x~v<Qo)jRIOVEe`Oj1pJ9cS~L*XPTY^@<Bz17
zcH%mrffE`yp@9<`IH7?P8aSbW6B;<7ffE`yp@9<`IH7?P8u-7Wfj@lu*Uz!>w_xM1
zVZX1PfxBZQ{@8HiIvsZ@nPINUDT2{U8C;6yVFK?lOvL5&*7{b~ir0e9%goOU((2XD
z3&bmy7m1g)%QfvMY*?h$AUNW$*IQmz>#Hs*PoAYGc)g+Jsd9Ll!K>?HQJ$bQEk?bN
z==B!Y)K-^OEDO+~<#o$;c_n|3sl14O<<;C!wzPJpx3<2@SM6JBZl7ba5LhAQQl<+1
zC%OB#jaksX%8Htx0?p<9QkJLM@pD<8EWRIjy}nZK((0lWKEX1Vw^^2#6eaj=D34~)
ziuUd3SK2`B%W&p7gBiP%#A}C4+H;90Ps`ObSw%22UU|KhOTJy~En88v%vV;iw9@Mh
zEzg!LvMbpH*rDosNI{bDdP|CGi-H_;d6Q*%tul)Z<*~mGv@bp=7I?++SW#6}T<fi?
zxS_0~#Orlu1ekcyCCe+6^P*Fh*NyU~i;N-7C6R!;V}YjahrOp@sJmxt+BBrua3cxV
zSllP+uk|TunPHuR6x#So$T@&^+#EWVXV=H~hRW*YTKb%;eYN^4r1N4v8*X#H$`wn>
zDqs`g%BigO&8e)bfHKP}D`YtX)rWk!zUu4CihVW66~4Uc`l{N>tI7g~9j4xlvYO@2
z>Lq2h)w1F+`9j*J>b2p8sh?T%WSuOBrfK54D~pTDoprUPzKYtiV%1sXV}4uz{JFm3
zy6UppdY#X4<apW3X~THI*SJ}aNY{NsIt{3{Y)KhBS$%qC1xl#)RTS4VyQv(RzuKp#
zQ{N%wn8rlO+d}hY6jj4g$;74lVJHVWMth1&!|_9OJAiyZr(w#Ux8&Qt;@Yz7ed)6P
zpq}*p<>!DgK)GI{Zpb(F-<zvD?wsmM7+X!yh3owY_h*62|BkEipe=TCW}Lfufz8#N
zndI_kOiFP3^Crc`o*X%8KSf=Q&)7WMV<&1~CcozZi&z>v5uSna&PC3J&IQiAT-R*}
z_kfe_-;wQq-sR8kaQPQ>y8M67@_(M(C+hWQZg4d_dR_j^7NA2mrZd*n*nP+~<r$a%
zXHk89eSzF-l0Zp;R#&sj;qrG4AQQ)2195ztgGIRlMXhm&m;I{G^1tJ@{N3&U#O42s
zUQL$&IhTKTw&j@H-{<zfE7P9I^1tf#*LAu4o}F(0!=)%qm$^S*Z-)?dH_xP+T+QQk
zShuRn?O)O6_V0K5kLcyN{XQhELJ2=B)Ju5J?SC>yfAzVZLI30OKkb4n#&I(QUH*F#
zkRvmBpDf~MDIl}g?2BFV8@Nta^D2zEC&ATRH`!$orDXZpT%>e>+ZjxKF3bN%q{O)_
zpQ+wrRK$=q-!C-!Cd4+on(q;#klEUo6UTm|BW$%zZ|jqjb*O8C3czS^`#(@^Td8x{
ztt$PMXb{XZ%GG?5&<d2e?jF6M=7%}*ZvP>d|II8vI($ESn&tnKyIJpKu24tgGjZsy
zyZK4Bsm=+#pvjrk4=gQnXQ1E(Xyqqpep{A*k1k0it-b?(L8QYBGh6y{qFn3J*b+U<
zZyb2_IKw-a|9MfJe|zlY5jRZIwAhm!ajxexyTH_39sG-{n^n5kt>}8n21-b*8_|uH
zx%l*nSA%QxbFQZn1)=BFvq|+CYnM%TH;-Uu*SaT#em{T(=pwOk?51G)(^FzkPPe%p
z7v*Yue`CX|#~79B>f0&W(!2^r^ErBok%P`xwYi!f7SlkV0(#<;G+(6W1EkcGg(4}(
zki@Y>E)JwBy9w%T5QP6t9o_!-bbNyD7xls9>N;hPJ+5`WJ=Z!HJ3Y<<r`NMR%m1v)
zzbo5+4Ef-qcDlCh|7P-Qu65(jg0QPN@;ffe&ORu(3yh@LNA~oL!`#7ZTgH_Au?@dv
z1;u+{xo-daS^huhmGoSY)m)d5bzxmxY{P#egMpQWS&?<22aNT4(=t<Be)vRMNWc<w
zZN2-C*OuG=Ax1@Saq?>i{`h%cU+h@^bFI@o#^a}=h0YF#-p(gepzz12PCY-eP1FuT
zq8Im>V2#DS^y1iwtC0gfxh2#eHy)hq^8d{><x|%h_{UwY*o;58ZadnCoUz}(fok@D
zo|)VUv;IA$m3cR1zk>X+t68J-338s|AKmC-@SD|(PUmAxcRtC#dOoL~(W%?Mp3Ava
z&!L;C+rOa0slRfqc`0`Fqu|i9iGDo-+lKeah<(KOLhK`%zr~BX7x8D+j@U;$zr%|a
zzmI(+dlwR30^!+>KMP*QpUgkHw(X6=TC>@;?Y+3HZEq)JZF|d>wXJ(HnAv~G+O{_(
zYuh_Xu5E8m&f4}K81E*ywsj-pz9{f_La_6@*{}52Gm~G+Onxo7586Nv^}n5&$uDFk
z|26rw%w#y+BgvrmCBK9vt;0R~GxzA8?9uPK#%6*z<Ql!lJ-RD<^iKC!&t})yRh{n9
zZ@Nc6AN$BI*S5EkT%$k5ay!{z`mtlNc#09z#|x`xZjM+dT~j{eSjA?%DHpEhs-)OQ
zb7m-qM3eRZ1#?GNn`_N$D`#Pil6iF}5bD34cQA^^K<C5S|Aux%UCRlGwI7xgvVP|V
zoJl8IQ0vL^e}Z)ztwNJ(=Y=?`#?NAIak_5%47PXcs{CO!blclOXXWU*Jo&YrZ=x$|
z8o2!1=>Z-`fxI-=*-!T*4!~zuaKWcO?efE!NLLb^0R8OWmE}K@<%j1Ii?N@}nRKCC
zI96@Ide#av+#vMXoZxDPrxf1EweF-p314)Z%hE+(v<Lnt4hGVRWhrahfrKpopR=~T
zZ_Dz(mbI;Ca+d$~tZfIAvixskZTo9VmValKo*PDRAi?E-#kK7Nn+q%Pwhu8W>F(gw
zI-5LQO{-qOnvGY#&1lMgF{5e0j*KRle3S3@8BHtx(6nG@Q{AqNrp%X`vUfY0>Rxs<
zt@@*D-Gs@m#_d?*uwaU4f>Y_h5h%x9{I+Y`XEyhgw`13y!sd4frS@G8tqK9G{Can#
z4Ryw@{x1l^j<Wq9>S<Y1o{4RE6=~U)ceDM+53Iq<&~loK<6O<x!lu{&b9uGUdY~+~
zf3IuGw%CU6vI@)ZQ5>3f-K?IA%x=fj8Th82i!kq)J1TZ8ng&9&ICYOJ*1ZRjTK1YF
zS+N;d0!#s0U_kY7;?FR9SIG3Ew_Vzj1Rwee?u((ITXDxubo7g7>BZds7u|3QS^nQ+
z^6$*@f1HIy%Mdo`@#%oUtgkH?e$tVPNH%QviRhOrZ%~G-t&|a~^gt1_Z$m&Jvq8qn
z2o(Bf&GNsOZFvW4v<lJmC3pdr@l`vsET0D~$-gF_^`fufY#ty!6r+H^RL-h(t2z+K
zBGl-GP)jg4^|k7e>2W<W^(45P>*5e0GAL+r`Rh8}{{LBtim)7t0?h$4GG>Z-X%5N}
z(Z1qpmd(UGZbsmTS?O+Ofc+uL-|TK))!_Djiiy?Lmy23IOg{2BS5deBXkTs$qOZw%
z%|Bx_gb<#=B!B@AY^TGuZk^6(ewgDyBSM&fXhOzj+5T<rW?w4`Z^;b_OJi4G!WoA^
zOZ3QKB;jJqGtUUbmSSDi|DvUEH|Wv26&+96K*{okh%GzxZ0H?ZA8Mj{yd8`!MZb-)
zCA9bjW6KRP9>hqLqCOE~!oSwR3NyPzaLEDYc#HNA6eeQOb{=Sj+Oqv02Q;T==eA|r
z``=7H0!REh^;#T%r_1u&zPB)l@TqX0AN8E$@^8ay8$HbT^*kT-#JHNP5?mKnA=tY`
z3<vyfW*g#Y2<j!v)*uFb1q&;DvrNcrr2!*?R&zmR46X>pdL@x!MSy(PwhxjZpvuUM
zedI__j=Q-A*1jA|MSzh#<pcH<cGGoTO6=GyEaLil5Xj)1@|W0#ofzuu;v?unP?A1S
zN<u%A(KJk?R<7o-KbQYcqK(ZeXcvAa7~ii7KTOWPyh%~6<|ji33D&FDWrJfyXx^-E
z^)Tq1EvnXhyjK2%3uI`JPe*GGY)?ZU(UDeTRNG>QA5O)cjr&^MKgZpT`!~2XRH5P}
z7v>^13bP|>PoHh6%P=lV*r|V_pG+{OVm$SknJY*0FM1f{QQ5Z#!-u6UIcgTH>8y?T
z)^=C3zB`nTPRi@k<XbpBLHv~KY98fU)44L@T0}6|NI&P=_PNdV$zNQ>y)Mg}$uA|p
zAcd^gLO`r9daS29VyPWHJEG1ea&@4mys%WGxHm;R^*)K0+x7TH^v&Q~a4-VT3rl*g
z?-~Rzdt_!+p9_Au`Rd;0tej7_@kFpTF7}ZZ)?E|#$*!|^xvUWA;!#jA9(6U}kl<>b
z(|g1*Kca3FR+1<Wf}iHg<+)E_x54tSfx^UAe$5NWyH0=Iw=4f!+r{~iD~-pvu66E7
z3Du{$ZaY9~^=Ow}Pt|!h96)%mdi3@d{o>e#KVQ=KGoQ)j4hI`@wS&(YaJ37riybm&
z=fFANg^Slm06s{L*DevUeG?nfXK1j+vw!WfyqbKZ?>(3Qw{T1FK7XV4c^a>6Q=X1(
z*r4b7o6-B+!6c3gqSfp!_#m+@$2zI%K{TY-hqER9oaT=Rg5W$i(|I;-x9I^rN^tw(
z^A5<I+_R!TnVrJn?gS||QHGU$fN8k2WiBi$7xyyUb-0y%45sgu+yMAjH3U_;L8`KK
zAXU2jzNTPSc)OLoS<Ukt1Dws_sBM5$$hWxG)xcki0|jyZ=JK!6BO(7ix~DRDY*WY}
z&zbhC5Cq{z?OEzj!r;t0;Ka29W9Z8L9>fa17NI*=^Maj-WZIm4i)`8ccY>zCs9j%(
z#`g$gcpS#yZf3mYX~GtwBisL8Sj+fTf6Hh^QnvpYH@iaP=!9{ILB#aM+Mw(LdkHz}
zpJn-<N1V-0h$9Og>15#;SGN(p`JXBqq0Ked!7wu0gpI&l>NbnsH1jM`9?Iwuw>YiC
zj&}ghJyEm6PEv7a<GvR6Q1dfI*h^<%jy^BVB}_#6&OoD`xf#oFhjC>#jWc7-kU>5p
z+#vVN(YsAwf%6Z9v|>u}Bvc-&iPIPvu^4OwB~ppHct7og?B55QKlv{Iix{>n|6%Mx
z12f|}>@s^@%~v`Gm;zb;cLzvy`Ma^%ue}k6#yerNts<bQLoXI|WUafwhM|-lg+=WK
z7m>k&4TGr=CV$8{Pc96qurF{R{QP#TzkLVF@fgYV{C2$TJ5b2ioHc%0k_TZGqb1B7
z_}0vhz8o8lOS1G6AlP`Pt8vv%t@e!UHGjQjJQjWIGmfihK{x1EPz+ka=o(>!*xyM*
z6+8BItI(6D)jZ&Y&NO5-yc9++8xf^CgF0#N()gd>ew<yn9}^!IfvR_k0@Mc9?eB4I
z>w(W7v4Os!IC_K2f>3`|SKnS3TsGz&cI`M=I@E(L1h!G#plwrnV;elk4z|1aP|vBr
z?B?1@3E3Cc;)zQ`23UG#G10ObKX+vNKWCwJ=d6CMc3Hz`me@6SLszo6j49o*4JYf>
z@9D`kNK$=DMR?uDX)ILE-YTu4L&p9dV}JigFP(>{She;*7UqLZvtdmMh#M>EnV-de
zWQl$>pb%`rMU;;4lTo-Zx#q>_EON%_&5(!udSgFOe#|}P@9c4vqhG^=tu=HaTp%g-
z?RBupHMoC_n`fcM_-!cvR4V2pwx3<Y+{I%)8l4#;t!Ae~m}sNnxfQ2p?CKxrnqJX_
z34&=#KbGB@wXSv&=BGFr*SFl9pBRD#m^;DEhuOtJ#Ub<aN>v1W)Nf!On%d981`rCs
zAU{;o7CA%%pYMcv`VO2yYkIyDFZ&L};I)3d*@0ZaO)=KMPHqQMFhHBR#qfVh(q@>+
zoJl-J_OxIVzo9k}X4d3dgPHHyiMcJGHlb%7*cJ6eG8w+zp;mG*y6ArcU2pcl!{5&Z
z9n-%-coDtTqUq`Z5o~qc!(!S0ZI-_?i(Bs%VmdqN)aiVLMDS(6rOOa$1De_*i`CtM
z@aoRkN1kcywwM;apf#!Z=!?eN=JjAGI{5sw@nEUjpWTF~r}|;jZk#na{l@~!22VQl
zXQ!C^VIGD0ph+1>7_HL>OB^7%+imF)b`v;JR>NdA$1XTPU4_{e9NQXCZZX`>#%KDR
zjmNAvxZxq-J->l9;>zOaR(enW3fK!CvS88b+l#*_sBUMlOK@S*(aW9Ic$l_!V52^f
zc$9-ai!dfQzRH$=NxL3qi9Pd&opbVVb4t70E>BuiPs9^norzUO;?sQW=~h;aXQ;4Z
zs8n~?3*xY&M+kYy)tuewoR25zqGUvOm_}l5e1Hu<av?Nb7#FBd*A>=V*SgHEWE{i3
zp%!$M-jUtBG)kWzA2|D7hA3BSOh2AsV}(13t_qLYj7QsC+IoA=<aw9=ob6CmfxEc3
zXH0hUEeY8d-V#@J4ZK4W4hMMn5IA_CzhD*MVWj1&R*alHy9*x9_6wtgKkvb!oCZg=
z4ELS5Yv2<aaNmjhN4SGC()fHU7Ya>6ID~NdS(iGx;uBJ_9rg3!4o)u-o4ePsiSS&{
z3AHw-;D9Jfy!P`92uwLj9xQQn7$zV0&`AS4VBq=^oUgYX<gU-{Uzd+&>a%tSqAz{c
z8s6~$U8q^xf18THPE105W%!G1m5hMRlMvldlMpL5{>#Ody?E8x_#7tT=hoOe{2bbK
zBjR!Hidl#gT+G7%5ht1AX|Ml&?x*zWh$4C3c@{)4m&C3MJ{r3)F(2g{A&|7eEgZ30
zT@b$o7DnvE2b#rMn4t78IIl9!V%ciBBIO4I%70ixI`!V^LF+%Njvg=E#y?V<%3!6b
zZc~=N4yWDzUVY7bOTF2_r6<ZLfab4;POg<WIYd0R0Yj-`2AE%V^IY|I2$%3-x@%d(
zv*P3<a4l-i;~g3L0dw>HJTO=G5Oghk_AXtETO6U|{782^!oy%ou1C%Yb*swhVWP8}
zZ)U)J^Q5>c56&4mopd+zmZ}n`@?z0vlMUw7tZ(^oCdm_MT{D;$s!w73%^3KbyK#Sl
zJ0JeW2hnQWjkv#$+vso9GzgiA`iY!8-;&ehU&VJWM0BDbLDroKPlhwdr~07%KKL{Y
zt#o*Pt9~NrEZ82H*5a)Oq9cX_y?*DJINtgc=b3+Y6(2%~r<cvA;+@hMajF^AR%pD`
zd~1TMd9HqlSUXl_*Y~F8^GWmprv`l3-2Y4y(H*vbeb?AvKiBfPwXr(&{CXJjabe`u
z_=eNRSLMs|;aYV*ET^PARt^pj^cZ*^uPcj3vgjWisD8mm>Q}mYV`*-6@zf$;&Bgj#
z3?&ng;VWhiyouGew5Y7yS7N)NthUtVtFErBzSO2^nH7WcBO*~qeSOtjO@HOBlITpH
z?yMEBbC-o;y`FO}PL?UFBtlceP}abEkS#aP*DNdJEOF7JqFT`DNhpfN^<qBqvg5UW
zIb-5(k4QgBzWw-1=Tq<B*G%PIgi4I{UZ)@SBT?ncX&kk7<hl{xi~K%TS4}hL|AiVb
zl|MT)zqwyGu@GJ=|D47V>mt8rHJAIW$Q8^tx6#mw{_S7{u3xHLQ#;J%-!Mc!&F#)p
z?eWR+xS~<l#{{Gs^>?Alhj#F#na_6U7x;~6v$>wj4SapvWj*G6#&QPBH`!dCq|N1>
z6DFUz{djsCa+&$x2;m0bb3c^557$1g{DSs2+;UGE!hX#98g99tD1C&n%P(8*65aYx
z_}5(Sv@fWKaCR6k`~79deYkoVZa(w;j~GIK=KR;2$MLGc{n69r@=bo!Ja2}YSO09j
zS+DrmkhrdhiF3vzIAd&$*6+bq%>5Xr@<}xF`8gQ<3giF6*^{|F@?$wc`%iDgD$?Jd
zhRbJe*HG>Ls{DXo4Abwi2E7>9dzJiE&@pP1TJ7{=K0$oJ7e^(2Y@${AaO*rQ<yC$q
zZ%!YIrhJkpM0t5tWB`Za>x*tMj10)B7cJ1luKW>U%ij#nVEhIYbh^bFR(>b>V<W@z
z9hftNmESr<`wCIMMYDu0U+5=7d2!?py>xzLc)kPKhbn(4zFtIVwE;@BFA(Mj($x!_
zcoC^+Gs<}smLDes!s@3GoWb-zl)P<-@f%8>J^w28H^9ez75Sm;kK;4g_zu;-ugXsv
zqJIr&-(d6W&=B%A$m0rYKQ^8Huj5ny5mAw0=kHMMbFlq`%<rMbm-1(8{2IA|F9(tb
z<J*MTKTN-D|6u(KXMg8X3?EC(mADjmyG66V27mh=@G0Qgns(NI1EY|SewcW-#0H5g
zB*p{pgWORRN?Z?Q{_g<yg1!;>4zOCL`y|enc)7&Uz?YHlE!gdEEn3>Ez~6&@mUax9
zpK{v?d=!WeYT17ctU@~<0KR~HtAXc&UIqLe=mkI+&-kl=-Jnx}l$!ypM7~pjzec(h
z_+ym&Ix^#piS|uE(mw{GYxdhErULQbK1pJX#P?w#TOfxzHJnY@yMUDAdBFc5eLe8M
zP~JKq%Z09Wz8A>yu97$v7!5ieh{s#@&oM5f_ep#K_%PBpOZrDZJP5Wwgi8Mc91Eqh
zpGVQj9|7M7-UECc$n@U<e+YaD`A~)Z*FaqMyMfHNM#^6gWWGWmMC{iBuY<nEA~3^$
z`!Q_z*zRuNe<I)0K=${0K)iRtehcsiz<QZ}g-pL#rcaUSACDGtmjaPwKMzPfodKkt
zegy-jJ#GM=jr!|>Xo~&Y5*J9kQsOry9*z}u_y-{KKO*rSi8o8k0pi_Y_NyeF0)#2p
zFOccy0BO%%F`D)$a61r9v$q3j*BgPf>mLGHj}J)u{U(t1I~_>-JsU{-Jp)Ml9S5Xd
zV}MoY7r(fH_S=o8SCc^h2}t|>6%cwJ{|g|;?;arKT7Z?v=LfPqHNc0!F9K3;-7p%C
z&r3ks-?KpK^*2EB9|dx}?f}wmt7Q68Ano^CK+0b(af-x~fcS6kg%QvW-vW|;9!Pur
zrKIl$(k@p?x(dj4F9%km-BVB2w0FTzl&DGc0V}{S0PX|-TR^sVJ`iu)Nz0J@yMb?k
z|1yyJe@x;>K-O~*$a)G+5&YYLP|aC&z(1m#=YW35S+Ozaxb<Q~Lwp0s@qP%1xoiJ#
zU@Ndyrl$ipg1!v+0Ps8@`yU7V8R*YYF6sAx?Vx9&{AS>cQ$_hxBu<cM0kXc`c$CZf
zUIenfCxJ}A8p!(20kVCk0cm$*fcX9pdoRl8xPAnrp56y?Twero{5AvGo_i(U4rDv4
zBz-NA?Ocj>d>1$$@6KjDb0l62WIM(I*}hRS{TTAI9UlVQfZag0<4-`g<0T;5@feWp
z_%V>}Xa=&r>ru`c;M3U1v%W_q-Ys#p#7ZFRcS(A-#AKO1TGGeyg)S`TZHcc+ydTJR
zTq^0)B}N0;{v!!Ou1Df)z@H+02ax@E7RdR~31m6H0J1+<0$JbXK$bHN$niKANIgsd
zQhq#;a>vkL%Dn)j9v+g|3gmc<JX6z}fRphcmgSx)(IW8(Ht0;>5Bxduy$EFa&j8uJ
zr+}>I9w6(vS>k9QT#MZTr2LzxhwXg{$Z^{aWP7&)S>D4ymUADF<&*;1-h3d(EnU*H
zfShN^z#7b}BD9nAVj$_;fpEq4A4vQ;uo3b<w25|nPvQz7$JYvc5cuIl(T@E<xZbn6
zfcP}AeWOgj8_51P17S+`+kyX$cHatw|4Ca3tb<&I<d*@rBYg?57U|alp8=gC(0)0v
z6LbpjdhnBh+d!W$&^{jcB<L964d9Og{s#21L>=vWfz<1E;B!dd3S5bN4+EbEy-A?G
z97uf@0O^nC1F83`fYkeJ$v+E7eUFs*A@oN2RUrLqDi%SwQ2T{ImNyZ|bu$w9BFZ@m
zJ?;RGK2Nmkb1Wuo-y1;6y$qzj`H^<gMZkMOUkPM8(t#-AteHTTdkzpoY>x$Es@bi;
zt;qkuxg!5QAjji%AjjiXAoaZyNPWKmq`sdLXnz=psb~KQ5URA_3%n8ez7M4R+ySfy
zeLaxlQVHa^lma;}1p@7PK$hbKvYb@lD&)Hu$a2mH-VFK_AjfYkkmDB#<oJDhju^i~
zK$i0ckmdXlcq{V#7RYj*2Hpbt7eMOK59Bz12gq^03CMB2PN01mkmcn8S)Lns8}d1U
zEH4$<0Qw`0R|M#{fwYHLfwYI6K#s#U$^QwE<G&8b@n4E@rJjp`)boD;soz{6^?keK
z-v;EoxDm*CQ3K?>__^e71X92E0;$)#fz<PJlD`c|y*&=3z8(TnfA32EULf`GXCV8(
z8%TY`oiEnysX+Gs8$gcdxj>F{8SriNV*~I_;IlyLr4x7)_#-Y5v<4)7IgsUC3gmcB
z2XdUfGW|b*9G_eu$L&^`ej|{2t^wW#{1tE?>T3t$Oe^gtzyy^0ED(OiZqYRD4;C#O
zb3%Iwh~-?{4Mg4ABS2)+HUVb>p9M|@{x2{M_$%O5z^8$kGW}b?r$FaQdKnOVg6twm
z!yWT%Z!s|$Lu?aRKwM|hVlsf_6Q_ai5?DaI1N?HyCr$?+F(k2oxEB2Nl24og{sw^s
z#M{AtM)Ha1Q*@WW0wS)M!}!DciL=1(6<9!ou3{$O5BbDPz_$r3Ai}O=+>%dB0Y67z
z0nrNn&5}<{1;0UH0WlK%2PL0)Dfk#OVgYdk_=vIf`iYl;zeivJaU}SMC7(DO{9b_t
z#8KeKqmgVs5n~vgAh3WK1^#TwCw>!rhrj|N;_a9c$tPY8eyP9$BK&5|TFECmz;6*)
zK!lCOYyq-<q7(cMfdxd&_n4O@pLhk5_6RH>B94uTh7!{uPlSy`#|bPTwqSg@zfA|9
z2%C&f5m-R<gI@wn2cI|xe0~=muz+|c_-ldb;1lP9-y*Pph<G+;D=-~=B5X3cQ(yt{
zF7WpO)4?ZZfxlm10TFR#OgsjeeBzbhCkQMc-VOe2$tPlNMLPr*5D_=VluJI*4Stot
z0^)k`dH%riiP_+95LiG&oE7to<P)z3ze`{N5%E$?B#dkx<cT@pM+qz-;&Y}k7fC+x
z8t{_@77$m1pC|dm`QYaZEFgXl{F^182p<vMAh3Yg2>yeTPs{^<v%mr({8h~Bl22R!
zez(8^VjS%QlYs3fE(AYLU;z<ZqnL{%pSTG8B!LA)Y+Yj9l26PBKSy8zaUA&Nl23%M
zi>?w_K#T`}t>hE`1N;_&1;p{-KPdUcYr)?vuz-m5E#_s(CoTqmkH7-rY2Y80e4+<@
zey<|1fS3S&JSI8&Pb>gGL0|##bns_OKG6%lLtp{%4Dd@NpI8WfslWo_nc%OLd}0y!
zEdmRO@aZuRN<MK3_?rb55YGaChvXBB!QUycfS3sWLCGhUfPY9}0TF9bOf;O7KE6O7
z_;CUYh&J%yrnNuAjzDU!17Q;yd}9oBqrD2W0sjP?415C!U!=VTgs;|K0aC6K`Xipl
z@_|*LiRXi6IoE+EUI5w#tOiX)nb9n_1~hRB=zL&3XyP|OmjbcAFD70H8f9~RUrf9R
zbOR9U`eLFTbPEu#7ZWcA4bay~8<6Xv1GpAg2;}<K0K^s3ia&7qF`YoT&X{hXmHI&<
zr@9S@DHG!W!gOK^flzTw1278M3Z%d91k$f}1L?n67#a~{lm6HNq~9$B(!VwU=|@|E
z^p~AL`o(S_{T~}aKW78dpE-c^TZKUSrv@PXP%DuBrV~iN(ha2lVB_g0Y`|FLa{%Lj
zg+R{l1|a8gE0FWG6Ucel4dnb|r#a7TK+Y!z5Mvor2;}@|0CFC*0%`A^K-zUTkoHSu
z(N1kZ+M@$#1MUMqPK(qof|7_GXp{{&0hN=^L8ZifD4e(jLgY_6PvEzZFVWJV4+e%x
z^GkX&28GuXl1{?l@cNs|k3r%!6P=^H1NHNIThiTV2d@~^uk)cKUb7@!C25|6kl!ll
zJ0;yM>4zm92j%kGD`|(MPl7TjUnS{8Nw-M)Qc34PiM%Q#-EGrJEf#}7`NFdW{a=#K
zIZx0pNV-bWqcK>_-y-Q5lHM$7ucUWM`YsNxMbi#R`YFk`oiEBCi*aFj4oRm=x<S%a
zlHM%o|C00}N$-$!5}X3B1Q-v?%aL@6q^l&|LE}PuS|mLZM#lV|lKu&4*u46l+Mi3h
zSMoPWnoft;FC}f0^sh-rqCb*;OVU?L`naU$OL_vvh4~94eWj$AO1eqX6_Va5>6;}z
z8k2(Zt0jGnr0<gS4<+3y=>w!kv}(VU^axI-k=Ub18ejLN(_JR|kcm!!ljWuIJ4|$y
ziEcH~T_(EML{Em(HkO}nq8m(ftBLM3(fdtw+=Zd#r<mwM6Wt(brLR^Kzr#d#o9H+!
zGRFR-nCMay-D09UP4s>foq$ElSiZwVS4mp6e}jp?*+lO#(Od+L<xe)z`6jx_M0c2I
ze($rfyj~NXFg29V?{zlj&o|KxCc4!`cbe$^COR%DwEPqkoo}L7n&=HCx<k^ZVLl~}
zYSp?WeU+s5OPc41<R6ms|4O=7((g%{n|5BO+eH2-NzajVoTTd{ognE)Nsn&O)b}#K
zDd{B1=Q$qvDUu#1X@{gQkhDwES4uiZ(yJt$FX=W(7fO1+q)R0|?i^8Hm88EZ>6Mb^
zxfa{gAn7(qH%a=iq+29?_PHYe21(~jx>eE-NV-kZuSt5dq%W8x<U1t2RMMT2ejM~P
z4STxhmMjBk7ThKLBd>a_YbA;R{@z6I0ln0UgBXMS#RmD+SjQ$AXud?1+^g#s>8nkA
z$}9feQeM&F<c)mF7mDJwWUOnfU(rfFPVz~!ej}gqRg&+J@`_gSEh9t*C2!<Yp79*7
zH>JFyl|0W~cqw@!pYkd`i^aOc_A8qCslNu?yp+6=Pk9y3Ii<X!mHbX29*{Tk_4bbz
z8CFVpP0~u<5h3`hej}gqDqeg-$}3vQGY;mZ<c)mFtN5}E>n8iJXeD2$O9$nRe7*jY
zMTYfK-XUovpJb9Z@+q(4*R4`s(c$Ece9EhM_n?$lw32t2>NoQB{>%2BhIL)<{}Ao(
zHt;F0;_1tzyrNb8=KdS`lvnZhGAXa<aPmez<*Q_Tez%lYw34@(`fub@zD3GEAmtUU
z<dLjjq^~yQXIx|xEdB2x6FnAji;@2g6P<6OYfW^UiGJNgM<Z@AmY-pwuQ$;@HPJ7b
z=y=2_#`0#H=pqx%ILMfPwTZT9gZuYiAivSyKMZ;x|K2Ib$A`Fv_Ni!=PyZB$n-^)0
zkCD&u-6`ekrM#k*d?8=pB2eDQr+gCjsl1+$@``5uf$BH%DesW-f0FWwR`NEJe>3ta
zUx<AwuNjE5*ndSUd2|1be9Biz`79}~XeF<A9OaX~+K`{LE{}aKuX~leq?Nq6{wf2X
z@(q&yg_Kvcl5enz@=3FPBcJj-#Nc%*90~icXucds|3*IL<D~p~QeM$Y-eJ<ekxzNG
z-(M@`6|LlvtY4(re#P$u!zNhz-_K1n^Ox|Cyv*@Wa&qYWm<@WM`O$!VEUyFLQ$LDk
z(F5tn$Y=jrr2G*nujp{{Mn2_RrF{J~QNN<Y$s75U-z??VNO?so`6QEl82Oa%wz2nk
zwlZDRuV^LTpmT%vZRAs4o!9(Q$}3vQA2QW%<WoKeaVf8~8KQngD|wsF4c2euQ@%>d
zmr8j>hm$w*Dc>UH+oZgr!^s=@l;14ncT0Iihm$w*DZf+7e=g+}9ZufJr~Dx)pFC6O
zPti)=Jim;5%B%CQ0x7R(C2!WhkxzLC;(lJ6q`ab)yhG;($Ir;8e1nvKOUf%+$(!46
z<WpXq$HmSP{a3V-H`j0EQ(m3lrAc{3hm$w*DX-4^mP>g>D|wr#|3*ILbFlB=^{A9r
zbU1k<pYl~w-g=4XzoNs*8~K!Pk@AbAyrPx7S^q{p<<)uR&!oJfm3*A&USNGxd}m6i
zfA^c{r%m*j)X@C%P4rJp^zTgcNtcGor<mws6a51d{W}wV`emWz%`wrdO!NyTnh)n~
zQa1#*iEcL0)TeR1<FXrTu?779cO|XXmy;kszKRF<ego1~$j9qU6hK;y?_-iy>$eSl
zn|u||Es?Z}e;$&winn4SMgBsR&Fd^l3kuJ+B(2u36iGM8^(#}-D*pVIq*Xk4gQQh_
zwpP+AUizV=Rs7NhnmSY0TP8YoL@56<6TQqt`%U!kO!N^Gos4q@WBvIidX0&`&qTj#
zqQ5yRw7dsR^eIuH{45iFvx)xDL}!i;mH(BAe#=CU8xxxU8Wa6p6a7aMeb_`#92;7m
z$3!=o=!odh{CAn?H%#>BCVJvYq4G;i^!+9}HYPOx3=_S}M0;XG^WR~je{7;3HPL%b
z^idOiG90VXzAiJ-xh8tKiN4=NKWU=hFwq~H=p!cjtdm3AGs#3dO?179zSl%QX`(+i
z(Gl2}8v7q-qG#*0Lrs6}Y7@=(#apx>f0K!R(L{e>qQ~LkvQd7ziOx6C*XwkkIod5I
z`g<mNqltdlME}`D$Ha%~<2(~R!$e<UqHUUYQcdzS<JYVtC;3)Z6;+hDuF9B`Jgu~-
zrgTnS1%B|YvLZRDs(N`&WmyG&u`|gv%k8UJR$H1hgTL#Tm6Wvn%A};^q!M2>ej2Xi
zDqlU4%2!;Olv`FaGpnL@`m}}K+?@KFnF~OqES#HL=Da$$EVruOnT^-Aa|UQfGJa{a
z8b8fAKtrb2;Co+uwf);tQ&e6n+cF)EWgEUy6KcwqRb-Y-n>jN%HTjY%bgih?hrX$b
zFIj<~s>4rPx{{Kzq&`w1az)+JrM_x(&(LA7Gb?wQ=&@^V?y>=UJiSDGosBaycW!!i
za?<i(O>+Y3<_}=bO-d?5oii)&bAvt*-v%+gsHg-lm-A(9(K5U&=gZ2vTD)B0!a#&H
z2Lo_T=*_{%nTx-<Wpf8^9)8x4-?sBro0ptaTvk=;tIop!vzcg|Y;ylL=Ae!8X8Y#R
zaIP7+b=Sl6me#A$npIV|q`a(n@WD!&j?wC;8ZlDND+jD5Wtp!6KUk}qfvU?eQ1xhK
zz{tG=mXKQEyCFw4Zh#_^rlaXu94}*07(C~k0mo%p3JVO_rYvzzb>)g&pRXjuie}Ux
z<*M*ShuELy4H<8c0l&c4fw`%9`>RCr4%Q~YHK{=J8YY|O4H-?{J0t~vxiWb=e)tvh
zAh))%8q+U*=92naU(Kv?-6J{Ea~I|=^TMkXFD)KQa+X&Y&AmQ%+4akY%6y4e)R0>?
zoV=Awm)7`dhm$wEs9()9@oSm2Wy|U+>uRoG-*Vtv`PEhnDr$<B`qGo?ufuQE^3Gj!
zRet7G<#Y1BZ7yR5HMB5!#{8m+Wxn}7cqELcFTH<dB4cWCWmUai*R<NonZ@{Z*xFEI
z4!CK<KnPK%GwF&H{BUP&WpQP>)0y2*>ndBaxm!->qMU)-eKnI)0}E4fQhHtW^*-Gb
z&$}cSZW+H2IxjgXX!i?~<dmP2<jhQ(C1%*1q=jOrzEDZYmsA(sFyB{I?W@5L$Lc>D
zo7}I{Ur)KtxhuW3R}~wJ@28~sH<s5eP5;9B;7U|cR9jc=o4&NN+E{}a4p!{EGU>{|
z$e|v69sWYPa?Y(U{t}H7Ryb5msR2K^FnLy4&BCJcvJ#HH-YYM=mAho6_d0K_v3JSS
zX!yz;=ili3_Eqz})k)srb<SAj*JlQUm-_V@fuXK1tmW(qlbKD+tzWUihhOI9O1dya
z&Hd-HnD~Z4HA&A5dNAG5)URBr+}EJh&S1>rOozdKiHQ>02D3({&2S;Y^_7JFNOXE-
ziEp7<7lUN2UpW^(@RDp14VGjkDJK}z#k84{+rOsls?gp~M}ReNIwHV%Gb*cm72cV3
z{5j<08AXO4vIgDHBRMlubA3hl62vPiS1$BAoynnHUy13Sm6R1S-TxzO%{3@V)-1wI
zbNwN;t?XZ&GjrzE3{SBZV}f2~Y;M09dfj|EL&LU5mL)7<0H0}^^ZgxWP^q#gvnBM;
zV44fT3<fo;Shf}ck+F-y#hTZM0gGU?{v}1_$jEq_ZD3)}WlHtll~jG`q%mpAx#DV}
z`+iHzfQ>b4Z3cH|3ulSYFnMNGjjyhx5)ns9<q9|qeQ%gN6MK-Vx>`>8bcPj}Dyadt
zGB;@<!x+XgNnY-dLe$uQEks`DRVD+XsP5oR<|7(+iHudTf>fXxXjV4D_v*5u@)_JN
zI-NsK>|kpVPl%{%S!gpum5Mf&&oQ-SR<6rAZRV_noR)MsYE#|cQ>dI~RR_{dcFFYV
zDKmyyGII`8vYtLb$upCu4YOqC9H?YH-BfZ)Rt2{32u<eAK<kr-QG;2+TvI>3USn?V
ztfDIT(31N4++01l$<4i*J}-BXamw{GGZmNSF4A+?Bqz(Cr=MF_TeEP+vg*nkP-2;0
zVomZ)FOCK(YQ1$8<(0+DeW;8<$&Ix&$+Nh}ou`{We%{_!w89XH)J&W14MzFS>gu9;
zwVx47PtCMh8NQ`Ob>+2?#R`Cv6JK>zWw{=ZE))$LG|K?>*NAw#W@aY8B3G<DYQHLL
zohdq#TH~uK!bX>&BkEmIhN!Eu8sC*$;?13w%bhK*;?m_cwadLFMb$TyLE&Eg>v_F%
z=FLyf^t$IcGrW^TQhMczDl~gZS$SD)Jvxn{=We8aP?2h1aK|@D#*CpV&nT-w<;A6g
zlrgM|vgTb?Ry#-`^Ok(uhl8@~eTdb=Y9c=e+!ekR#Z~CMP*+ho%m!<A2rUXzN%|KW
z&-a!4ifVi+ZJDn&ufEE61>9N1GOYSn7p?GRRnVefbHmD%RgvwhEn;w$i(QVf;6-J%
z6$obXik6fIlB+|j$N5_k$6WNGt^!K{dhaXI4U1FEIKjknm^3S^qP(oacSX{|dc-)3
zuyM#+I-{b*i(&@KpPb|_s$S;H#W{{|m=ZI+q5HOZ!>Xtr!DVr7-uxTYRJbIw+_wUI
zzxlQL-piTp&097TZC$3?8hT_pJ>;Y$<jCa<9o(sCf?nfGo{UkU>ME%StJ!{fS~L&#
zIM5(Ci$iz!i^^f$a@5NzYHEvcP66ZLq=rfOXp%g8G8pB+<-%*4hHB9~*qU+EAB;c(
zq2!`@oW`>Hs_IJ4IPa3mmA(>hWmVC2bv~R-mDSW@=&-(flY@Cnd^NSzmGwj9HT$zr
z2j?v>zkUULedQ8ULkB*cFl@wfm+1}v_c&|sKQVI`<!3Hk;ME5z)UyBChwuUOl@l$v
zfnu1W2P4J(A}E@q(QZr|A7{F;#{;ePCiy@_HFQ-fD8no<$93jbnIjaZZ%C0r`<%BT
zwAX`$u}-HdYOXVVfZggBpVZDJm``{*6P#iCG6qjD=oB*!(;!=7Z`GoCOHADhzkz0M
z{me0FEki4V0dII^gtRmK89}{JECc(mqb#$Dd>v&DHSofWOwR!S+0))QK}D>fT#`FI
zS#zgP!#y4M48$AtE0$CuBCs+3^zyeGY=cD7=KS6&n~Z&N?i^Z_SO3umu*D-vGdp*g
zEoff-R;EF754k*;rR(*+%{5dwh&|haliOSldK+x>Ak(d%F1}0yIHAl9_%h{iGJVx@
z%o8c-rK){P%NeCtR`3y14N%K;dFNCkcuv-q;z{?#zTs^Yu(b(1oxrb?poVappWwb=
z_%dQsGyMGNmB!uD@a5FrX!sJ?zzjdLzGWJI_Hf(8ekBYmP<3+w8N@fxcVuVinZ$P3
zTct?h0_YL0s1<3!dDL(2=Pom68FIq+7g26{pg=<JNU#B4IJ_~*vno#3VN}Je`l;0b
z;f<+O^OPGXyfKLk;?(5A%79OfQLz8R6dO3uF*jkbsKPv~LszT^6<<<pc<mitEb_&h
zFh~evR@tCUFq^>_9KC+x;j}V!K@HsZ)atqlyd7ie4VBf)r!K3s>+esgw2Sko{t1G;
zysUQW#Y^hS%1fr=aIoArRX<o;;Va=jw&vmryu+!)w{oh{yUXnI1ZE(XaPl?wipuI0
zMdedhrp)rrnh}~&UmsRfmek=)<tsKnx3aFf*jE!${!}ga16g0O_<xdi*xt&1Z!_t)
zN&YuFUD3Rzx5)HwY)FPLe-y+AIXnXT%J1Ro_n7d+DID}V*xTn$oWg~irVJ48{QI23
zg>K>geRhLtH!#3<L$UflB?&%-=oj#w*j)5i*Z+Su7e4V8Wcllt|2GzQ)n+X41HC`A
z-@^HY-&i~NJ50^xe~s^w9pL@D+(ep=(7x*1d_&$1+pqLw1N-ZLXL|oP--bRFm>!ZL
z`D=Txb#RY2j2*PT2!;CpkTbd=iwHem9x}VWXD?k|vh@GdG}If+Alvwc?f&LuV4FVl
z@elf}h4Ibg{hIUd@)4AONjt)yh4*(d|Lk-66OZSN4~7OivnxOGc#encd?)RR$8+J{
zVr)F+9QdG1nvp5C_-9Z1L0nSk0{ms3_wbC@{JiJHgDd&Q$j}&NFo$D0r9JVGAnY6a
zhn{sNT@Lc(R6Q~ZMy@9w5>(=Cl7nlZ-zonWdtT8`d|=<{4u0<X#H$k;IH7?P8aSbW
z6B;<7ffE`yp@9<`IH7?P8aSbW6B_vcf(HKZ>0bk1b;s{VI}>*ozDrQE;l_13ZvNI`
zxT_G~L&_@(-!I5Z(Ik1}Yy0%e>(xJ8C@K7woHs8sKQBNAUOafdc**kkot33&_}xdo
zh}0ScNBqSHrOWW)(xUQY(ExLKn`Jrp+ByB|!1tZwD;)zDzJ4#{!Y5Mku@rn(R;HTE
z>y+hrCBMs59-C;q<a;${dTa5qHoTX^T%PR$k$Z&{;_uQ>|5fwwJ4VKW<ZHCA5}%n1
zaLna>PnM_J@dH_2K*03E>-Cj-m-5Z)f?+OCeQ#?Q#(~!clt(k@M*E)8Q$qjrZ(oKp
z&l$|4e)q;9lV~TpSuNCmKQ5S2zVdo2mwda}Tebq<(!}qH!`C*2l(%83$cV3{)UQ^Q
zr}{3FLcoiU8rK#Dlg#C*-`#1IS=wa#9B3cD`mW!_{^FC#_zYoP1wO%y5AM4&jF}us
zg0gWg;d0^oZgu^kykwCS(p(Y=xDQ>6`amSD!tVpZ_NO7uhMTsb|Dv9DlKxuPon?j<
zKSQB^Cx2<ao`JsssQ<(l%d_j_%XheH>2t33)#|TAHa(vWug&=?S1iHjZ1vv~9I%{_
zPYbXP+>-|?r`nh6tG*tezpVi`d_I0H9FP6<OyTq4(+10()l16o$uT}03R_<AjZm^c
zw$Fy!)KBq=Y^0OVp)&E^mBmHnp<lRyOt`|7m&@-Yz$esoKF5*cWiO`<Qz}@GNY~%c
z8}2g;f&9U8Wd3SjK;I$d7(c<GO9$I&$R|JUE;6Wo82Rec?#wX&KSZ|!@B=yxBOm-U
zi!9&NKYqY{pnCaT2Z4|MvtHVpq22Ne7Vy1IFgAYS4eN)y3e1ZpeX=k${I%ceIC@~L
z<LLeiw07i*H`CqL&a?yPI@=GNYiaMcHehCI@y9A3Z~t_erM=f1(SBr+wf*qC$oAtm
zjc7lfZn?A1YTfmV##4KbT1Rd=VjZ#RV{7E5pEl2EKW4RT>a}W{@J;3~p^Wvd*0|oN
z25)csx!SJD7Q8+i?XX5|!n)NG7vVUnMO^;M0jqXrR2uHT-h9_&OVo>P)>C^YTC_V=
z8K0rNc$Cp}&cL!`AnS(g6if7r?TzDmFNdtT4*cHmoo9gW1*&pet?_!>+N|S-Y}a(O
z>(&VTl&5t<bGJ1C{nOTef_AaL8zW9d+IT&UeLsS<NB^GM{^;M6q07@Y?X^zOdE?RN
zhtX%u#g;2H$I;fGT6R5TJ*{`YbsX{t`Ht68+dCRh>17>{G>+@tYduw$Wqrp`Hf0`f
zq|6z*%v&gXywvrAGqs0XF@_c`s+sveMgG5|Ep3gpfi%^=w#J3MXIrDt?$h=1k0S3U
z$h!q&+BC*-bW7s`v>|@e#>PdxPguwIzGXdglV-X66}Ip3c`5B3uO*>x324Kq=<hhx
zbB10{x85$%W|(D5G5Wa?ZT^WhVpoTCA=;g=iRJFIS~tCew!bTN^JrsyZ=I%X`3&vB
zSKG!v_GW6klK%<hS=UDEqTYQn{~yPSylt?nC`(Rn)Ck8>kte5@?R*UVgAQ77W4!T`
zs!<K|-_jc9E4^S{ZP6^9X<B4MT9kI|rKf(H+P($#fY$T0{i43T?H8%-%ohcFin>kP
zWwAJa%{-k}+V-b^V_6Sd6GG~F3wl)TMm*NCn&XVVQwPk?a>pS3N{i#@l@qn2t_vcd
z$1^rrP;Z3o*h}e_hWU{|=AAqWve5rV>jJ$`ZPr}9pRLftMr)p))_TWvoX_i98|U|K
zY|Ld_)_3dnB*viijw+qcIs{MH*>vdQD8_VSV;;s?*Z}38O1JDfep4pqdIsivI_CZr
z@Bz;DW0lXfby~fz97g{>gPpY2T+u%H*e$yshn`2HKU1J1^egVd`nHZMEn}M<mWi*_
zy;-#zUjrWB^m*a#C`<hEcSmS><5xNErmepP8+e;Gh4w-&-hU44)-t;1-AFCZ$Yc6=
zq|ZV6Mr%&58t;3o+EF#;9B<dxs;hX|wP@Qo%&kZJ`cAWHwwKin-`sLG?22>#>4=8;
z=R%i}urKz7dEndhSO;HOulw?IH0?$FT;NAN*6-YV>v8Kx2cxvSzD5mtw!oKacfvPq
z8jX7TinZQ8^sDDGEj1c+4DOR~$Ktl&j>CO2Zu&1PZfqG|8i9Kx?lHKd@H4uwzb)PH
zaeLuo*`D{Uj@1359H|E`aHRHJ=t!OV#>(9*o~+v4bDAUdqcf2{)scE|x+C?_C63gK
z?=RiGc2(i-(FOUt4^4EW#wEITCx0_%ccCYLcTcP%b?-Pw>bW-;?k+*Tp0S|Mb)@=G
z)<~4ua~bNfST;pjPQo37J9^Xdv$Rt%rkje+%6X_u8-uhFxFc~}acj6whEIvxbo?e~
zJM?iU?Th+5JnuJHXM}EOZ&(j?{r%nAbg%N=mL$hx5v7iL_K|arK4mZL_pmiW@Auu7
z-bX1L$dCD@=Kn;urF}2*v);q=p4RP}^&VODBxuxoQ$+i5w8sHm9)_*|9p%i_v>pVw
z+|dPm%2StWAN?*u%Zt)BpYl{hRL>ZlFV;O{``8XKC&k?3c(>kCxZ7g6;@9{Z^LUHa
zi*aTc&T;O=SZeVif4tt8vtM`I#d#Exra6Co{H80=UMJ@1cD)aM)`(rb-bm0RkUkRq
z7}b7!yX8)<0Ux7IVYiN>!lyZo?mgGq-u(xx_r=0Tj<z}4#~i<9H@;fFWjW?Ez9K$u
zMg69ZwU(2b8!(^0aon~0z`0uLg~xMtUvxZw_xl%UuqiF|8^;TGUwFK9_ra-J>ig44
zSM8p195!(YXxQ=?$c=@}fy=ej{pnijXvjuG=KZ;lzl!|Q-BFM^Fi%T8n5(6tjyvC9
zq@~WVOxD*`jw{Ex8|fUkWa#1&_>n2c3-6v~Ij!faQCeR7$Bw%=A5~uF=eV_EP2ubP
z5n9ijky>6&gjgFVYNz%@ZT`W%r=Tp#&hj|nhr`QvL4GNG5amCPIJM_FVGHXgYU5GP
zJ@=L(9r3|Odtsv-C+Il7?`_QIQ5x2zV7Yo9&=1u<+LzM58sFnL&Bgf5!8m5Z|7Nsf
zTmy51cB*drnfq|>$L+x24jHdu9Y2P6?Nb@A9mX2`8RpATv_ZsdLEC1`7Bxhyb_rsl
zKEy<7j!~w~n%q8=oF3yLPBX@MtyuqcdBi@$lMjs%TM;t~`O}7!55{t*2V%J+u$5lu
zp~xDKG~xSO5t~sr8zaup?T};EdPl0ho-(#l^NBGTW4O1l#;RCsyiI%fk+)OZA3==S
zjTmV!;up$ySWoH2zMv%m@whP#d<5(0enY-CtogU;@tKGn)w<hOb3=REd#UY@VJw>v
z&x`nS+@{A6TfN0~9BX0IM3Ig)WBxg~-<Ii5<W6tjQkl}u_Wslwv5PU@e%)`LingDI
zm@EM?Sps6RGd8^^<Aq-IYy4=gDW~b}M;`+I&lpp2uF<djt7EEfCu&Da&u2_EZortT
z4RI3VhF0jCu@Cjth8Ro55__etS`lAuw9XI2Qye?aV<KaxCzjW=Z^am4_aEPZJ<e8?
z@zAyOApt!hCX4I+81}<BiR*W`IBDZws_1j$+ZuCvN5d~-ek{NJBrVSZA4k8>^r-Wk
z?Ppt}dftuJ@)!f1ioMk1sGt4(3HWczwy}Mj%d}g*<{pLqU&QJn&SN^;#F(EpKTx}l
zAkJnC$JkKWt_AVjX=u-^O7=6DUSvJBXAWYT4(O9|$6z~L*DmWT+-=NPYCV1V`S8`M
zUq&AFLphf5_<J?&PaxK1KQ+Ymw9U8CPqw>l)OGD*tgtrfV;3Axy`4zw8p)VD2jho5
z0BF{u#<CT<QhO~mcUUgtJh69CbAJ)?iMdA|4;2?HpR7>$hR_&sA7Vw;#XKrTOhSSK
zHx_>_2lr&$Rk)2Y5XWlbXzjXIP0O1&Lc7js(ekDrcHD*iMLg%74X+^r`y3aDX+Xyt
z<D26*J*DquH0(PHu_hkBX<HlPE#zxK3yvyZ#&S51x#!W2|F}!#Q|)1W%-^8(K58s~
zZ)3xYg-_d>BcMmdrYxs0LOc2iVrM1GSeLe__XquGV1LlBZ9qN$5yxGsOwb|i4=saj
z2>PMDXp_EP>3cxfi9Y5*U9g{%xt?9)c&tlnnl&2jk2=e7*BGaEr^_<=yEaQyGxJ!Y
z9Y>jObe1!<OpCfC0_8chiO><wDZ~&BdM3hi3bht8-kN~2n$8{g%tD=anAcFQL*pP<
z8s@A+$)#ZJooMCWL98o>C34<VzhZp~?{m(^T*kbQcVUi3S<YDgbL`DHFKJU*JVU^q
z>wKhfE#$hUuOS%I{g{iYuEWyTacw#P|3hEbgngKpSEKcDC~U-;31e@pGs;JmVt%T#
z12I-S%TRkz#___>4tLJQVQ{dfY8T;7!HsLsaq6>LcCoFk*3;qNg{|^z<%{TD$<e=_
zit*|SGhXU!Y6i}pevDXYpmV7+!Mhb>x$!%~U!eW^*$v0Cb=0Npq}BWk#0-s$IpTxy
zhJ|ai(3|jMLZ3FQRq4>jLpZ1CI)!>a6Z(zU*L&*zu#9#7D(yz>6R_vS8PnFrgs^-2
zjc*A1Y18-i<CinGR`$~__wvudejc)ZOJAejLfbyEo&*~>N%!NlTUB?^p2T@t+o+Y&
z$HTVK#zN>NXhXs$)5o(fJfG@sLyWh@IxO~uLWX1ZRcz|hWlta;w;(Q$Kzwe+{tD-z
zR-A=mFHd{o+*Ni#KY0f1!ZpPFpMiNyyD*MD*KeN1wT`-M;IU61Z0va^C;HB@$GXC$
zWj)80_QY6J=yH5uPV?+U?Vp7%gJp=li;5edKg^xuH)Wvz>CnR!(1#P}L(i(UWbk>n
zUE9@*J;yQZIe3O7))F!QsJp@RrRGs8=E~)mD+A4=csa)sux~HY=aPsSR17ruTsl24
zmllM~C7$1ka%O4`cl{XpM2vse{Xo|^rMJ^DpK#s=TRj~%#y$LJSYv-YO8e-)v9=ZI
zXT~C~V9fOx<}_mx>VRXzn`anmj<;fNGi^Zx=QQIiA!~dc95YdGaP9}&y8!KEe9ALw
zjz8s}fX`Fq{iyGj-93nL)OwHgAZ|?k6CG15W15d)zS<D~m13Sxv{*jci<kq?CgPj)
z^<u*E=MaZRVZCUBkLX4jd#z(p$5_2TZH@W8J&>oIhCQ>H&vtBtUtk~m_k(3AKNjpu
z9s1%x{eG-XQCOQ;?{kPb&1JJ**3Y_~$NKWlv}iMK9i?4&8_sD|+ZluM91^}Xz7G8p
zYZ1>RCm<dki+LgXA<7o(tFg_TQ*4JiucSO>KQqW~Si~54!lozCPNi>S84pJ!^qh|~
zgbuW|zYc=^4sFBuFC2$5)}#ZNg!=*9`M7ZnYo2~8&jx5akU^X%&Mov<YlyRf%i!0z
zrWyU=aN;554-;^fY4nMl!+fqX_#8enIEVGQBkV}*htJ$}HvFO3533lFdKTy8YR?a!
zc^A%Yp|Xa%@Dr!;N*4Q*5ZR`{+-H0w$~zPD{&e^bFXsJ=nD=K}d2S$lCw0jAZozs%
zdx0(k`!x3H;SW<_FI>08Tql1YWQ^<m#<wlI-o}``gJ*5zGsZK@7+*K_^XbOE(!Yy#
zIjoMmhFTN9YV3`+(ggK;&@(Em4?p`+O8cki-%+_vaLkQyHP;N<-^V!L4tGwZ){1a3
z*8$jN3f2n7&jYO^r-8?Ft!)u})+e8%V2qT1HjWA7VUC4ytT`@RYfDFI*Wh<GuXDlo
zz_$+gjO6iUjPHVLpsE99>hn$2^$qB+O^<n`Z@^k(jPq!(mB=&P@=pB%d3iQ5+;XW4
zF<zqmsz0h9<TKVLcE?Wa#ra0d&#=GRh&4|<8$4~(Pp~$;4ZZKfym}Y&;XU|K=I=|_
z?mR;Oj^~piUZLL=a}WFweYK%Ho+)6h*7u^X=(-cn2s-i1dCQ_3+uJ@L`dkL%7JPmM
zf30F%^}K2+(purejr$w1o{ZbXdej+%cs=kwhvPrg98~8Dap-6v?zOl(aFb5Jt@b{B
z==UerhCZwRJ9KuK^94GJ!v0^_BHs&ubFw?Mc5$vQo)<+$I^c)IYsO@ZL&--K>wi$7
zwSNqKtLKBCT$_&PHWvMCdhmH|*~Rw=9LBu<81uSUt}C1;%Jw<0&*Z*$h<I7;m(R8)
z1bl1j9Vz|iCVZuun;Ro|rYqJ0b>`)ga}&>E!p_ad-cD(U(`s1{UqE}K4qCA<0_wKL
zeUzSNP3UcHjL>5?<1;7vd}aSiM$Ln3U{|Gqy|P-5f@f-+&)-L$e`Fhy{=wzLF8`tJ
zr|yLfY3tvCuGMpQu9MswbMA59xlf*DbBxH-#|*epj@jd{-q23oUYU<$_yGKcdCc0j
zM+AJz+cNK#MRmF?%lx|h3D+E>KWUY19?V{ZKNL3pMg7ToH2yH|JQ%ClpC}zDJ686K
zbgt+6JosnvR2(AqjTj$`_AsCKc28`WZ__S+h39~3o)&)2v&-P~-O#q`{w&^Hp7~7k
zEu3i<;Y^d|tLN<~M?cp*((haoz6|GwdTfmI!zL|imdY#6-$TzMRo%za#hIw^8$zFy
z<9<*t>twEVe1DKQ?>3(C^2~DB<%}M@oPqQ++%(k&<G6HV-C#dBCZZgDKCL&83(uvG
zTgCdK&YF=QLn|)Wn|>L;b98F(>pUe_(=x;l1mnGvwxva7_|X>|e^Sq;|2)j4HciW{
zDCS!+!}9fd_$_&w{>ob=QUB_5@j7=|DAwya=gRlxDv8k4FqBoFXKcLX#`&6MWuhf6
zdZNCL<NOs5jm5>esICck5st?^W<DpU@tOg`D4&ABOTP-E&x-pm%l#2|Th~Y4GvWs$
z|8vxas2`5Lcg&B*-iPP^`o7U9m!t+p$;o0S0gd@q%5=?bC?9EzQ;hjKRlXcUKDI-q
zoAV!1_2--Nv)zy}_w&Io+0Pu+E>ru>dUmLM88NyV&3eFIQe3VWn^H3q%=t28HnYCW
z`5a;LncGD<<7MXCj7+>%wl<hOMjB+ydgcMOek~qgTnzSPZilf<%A3n|C<mbIEsULh
z(Q<7=wO90}-@F>Cz3UN#=-1cW-iwB*2aY@2sC<Y+Zw&sJ?D&h0_fYyBir;Tshp8v?
z{15n*JcFJ6V8nkae_^htW0>`r+fUkf{j2%rah<IiXYwoNcE+oG63yi}6yH>iIbWbY
zlO37!xm0;yGT%_`|Ehd*djtI%qW=Lsx}@Eyetr$;7&S_*QhI54X5PmaM<sr2qE-5E
zt3E8{RemLJP9KV<y!0E&8>u1#I22#%F|0h}61-P7GEkuDg^WMK^64Mo+QafY!G}u-
z%V&InkA#KgGoBc%eK|wa?*Jc{@=Ag-{FU|?mY;#VgZ0lb1b>pKE3E!)L-3_y!pbua
z7)(Dy$#cE`D)L;{@!lg@jp&T=?@;w~{r)QTbDbVc-hsvpHhx33@2m11L-bFsuVL+v
z>*-+qqkqN~);|8#{GsO8Q2xoGcW?0dJJ|Sgef%o?q1yLV`NPytzxl<zB4RK*$CsD{
z{Ix~1m%v|+i_q*jzzY$Dx&@}q07Aw-S)xs1yu>JpTToLM%Gn^XP}J;REHKRmWI55m
zlTc42@MIvKG3e<ySJ4sYygI%vaWfEBYHtA^v1sLM1$tHkKSg~jfya?vE6`H~JO;X4
zpr-_g=OXq(Am)sFvB0!E;Kz`k4aD<ucZ$HYi-35Oojo4-4W!2jOp5|Wv%Q!xEUy=M
z1NesprtJX!1#%t07g7Hffu8$-@35URy;i1I0dc->FOfI_h$`%n61l#S?grwvcLK+N
z-U_7L1HeBay#@GN>P4WZ3CQ|a3-mMq^?HCTFGu1<Kud&HK3SkA4)|x3*9&zs{jfmK
zPD$^ObO#XcF|e<f=`Aw77WgjG55peDKu=LvoOOM{$eu^~LEtvv9w5_q0G|cD1NqQp
zdj}9rur~pjZ>5wk2Qps{ka~9m@nI4-o(mAuTG2VIBlZ>``?ng%{_<hLcF4^JJ_Aew
zJ`KDGi2wFz{2~7s4kO4v1SB7y`O*2E5|e=FlKUcoX*OUC<l}(Ud$d4L6p(t46zFL}
zqd1>xft*iO0@G4}oCg<4oFFkyVx+`pPzmSLeL&`KkeDygA<+gzmF@`w)1ra<AQvV1
zhw*_GOf~y{Ak+5&S#A>$Ds-<Fm{tXR8|mdh{I|P^Xuku<d71)bJ0gLckNZGyK6VTA
z>;ZB<?f`N=b_w)61LS<{6zJ&yavZk+IUhF*Olt#jKDGcaM*3QTX$?Tm$5J5YV~N1D
z#X#Co4p6rXAm^h?U|I$cO|{Pez6trQ$VB^i5XgD60m$)NFVNEh<oK->=vfV<os<JP
z|MDe2Px9SB&c_TO%T1CvL1HhM`aBZoc^$}k(;?Hh$n^VwoOdf_daX<^1adw(WcqBG
zei0B=*e3&TM1Lm<OgjX-IR*OYmY5W$Y1e~)k-)Ucz&P+H0ohNRK+go=3!oDOdZK`o
zixikv1&o2*W+3gLRpK5X+rc+TvmHAHra4X)`7(eHqy3vt5q9%{#3mr^FCU0E+uL)1
zJAfH7{TSp>l)G18+CJd#z<(XM6Sx&fy><xnJOISQ9{XyU-XPP<fqz8$L6rL_P#Z7W
zaTp6POv1ij;tn9&(+XsJHUQb4wK9D+5JkCD1g1>@vOR~#$#Q_4C$9s4kMtct+Etf8
z&oe;kyHlWNE0A{eAdq&`0%U*I3iOmqx>VA6K=yBjOiz;O6M*cW1O0l0h&KwbUo#{o
z0NJl&;Im(cWdHX8+1@?CmyzBDWP6_x=;;Kqy;}u(I)H3%8&LPJK(@C*pr;(jc9fvL
zUjaK$7wy<0ajnD#iRD1H%O&aA5|d>5z64R<Rv`PcS>k$$O%h9iY?lp)A$Cs?m=-7b
zhwuRi%I^cRzdIz|DRDFK4`@dlko|o?pyxgyrj&gHkmauivfmD%u3sR_n+)W5CjhCx
zc!8ccAj^vu=!pWdoL=aM<?I1ce=iI4Y?1V4N#6(Lct@XsHzoq(5vZ}=D2WHp6m+-5
zoj|;i(Y_VPdOHMqHUrs@2Z5}=1<3kumN*Fr6S7YLvix4u$9^3I(k@;HvR``ydR_*y
z{G9?lJAf>AE0E=`2eMx+0zEeaX%~xSdcI6|0qHj~fHz^>90Jqw&_AZ<0GaL<n07M|
zDzrC9Tn+qRl)C|&8@79`#8M#b$_9i<x+e%sJC>+vdysw*$oB6S=-CH^s@>fJ(>j6g
zA>Vz1U%o-0rv*qoHUUwjeKqh^l+z&4b2AYByL_cUPc3j2%B>QZRtltC3GhSYD-`Hi
z47?fn@&%^l0S|$nBhcd#XiotiMEVSYo+RKckh@4=+GOBg!Jj11GeMv|8h8NdQ35@Y
zz*`}w2~0b7mZrTAey>2!A%XVSfz<0(;NQUS5a`(gY=Hb`foTr{{|<heKu@bc`)VLu
zq`N_2S}BnBu^7m8HwQ?&atrjhfE<?$fu7kw=C=W9PZI=sA|<U!x*K*t{_6rg&j7iO
zI&2~yOaii;NkD``_Bh}ts3%&WCkogLI#Qr#|GA>yuS@I%VkxzE0BKiMK)5J(xxlnS
z$<G5m$9jS6$83R~6yOx(pCK@9GLY>^08Ro%1M%O^Kl>rS{~RH|PoU>@AnopDAnj)-
zkoL1fpr;E+`*}uSS|^b9vsIvHi$HrD5dZD>;m>5?df;~;*CH^j3CMZZ0K5(9Hw#Rw
z0@Civ1$s(>w}4+FFs%?syIU;KlPA#b0^+}YHvX`_8NfA=OA?qi8OZu<z|}~fATTWs
zNPCSI=!pW-ULysju~6FUv9opb92RKb4+P8pI*|3f47>w!I|Zh70a;%s@OGqc6`1xQ
zQ1>4|+If>e&uU-;@-+xdyBSD3Un$U2CD2|1WWD)7)|&(LL(VNQEd$7UX9Js%o+2>K
z2E-EOo**zS5@<!fUf3b$$3Y<H$9{pHeL&h(w?NMxAoFhlT44X11$yoS(*AQ`T(lQA
zkoMvd=*a-mJ{$r)vw^gq6oF~wK+2T@>EB8OdJ2K`Z;J(b@`0-$mnSf-2}rrsK-x=#
zK+nxU+Q&+Po?0O7r%GVj13=2P0y*yY3G{3La-7!-^t1qPh1^<!X`MjIZ3XK7NuXy7
zkmIyjpyxqg1LWESrX2(_{*60Nj8`=9Ht?earbPn316mW9<^skde=Tq<@IfN#Z38wU
z-va{E4$JgIGX0=TPdZ=Ja}jVg@=q3+HVL=}v`t`I29WmS0N#%D*#gs2fVATo0@Lz=
z%$EnGJ>>{Ya|3C2E`e#Qf$V1k@O9|pW`UksAWY5P3dFi+w`iL7nMGTLK53r=5esO2
zK<HL`3wQzW72r(ZN5HAT*MMojH-J|GKLBRR^lt%sK<7$&8SpUZB1yyMwM+5#2jXRz
zdT`goMB-x>EoO$~6K8{;A~2Eo5cqkLPedD{^93dnJHW4%eBw93Unww=_-pVVlzigl
z;BOX~NQ5q8UY2~K1N=P#6NwSv9|N-eL?`$Z0wxkMA7d^8l25z>{3L;i#7OWLOFl6j
z{6c|=#F5~ymwaLd_!|T!5=Vo-Rq~0@d32}1L?YISnAatrI0yW0fr&(naSYFu*goQ1
z@S_AK65$79E|Pqr3rR@=6N%VI$K**qF$?^Bfr&({YcV|6V)?`?!RL7wFp-FLG^Py*
zo0&j#ga4qwL?ZeW^Ni#Zv%&8Ym`HpWe4e{eo_IC*R5~z`_$2rffaDYBfo~I-NW}gx
zhUb0c6LY}N7nn%=4fwT^PrL?vo+|<qiP&GoJSh3Z`QY<h5|~JQ3j7_CPsALE-YGDV
z_$%;v-pTrjdEiG0OeA6qV<t&HaRK;~1tt==fX{PO$`coYUnnq<h`AfXbJs=S6Z65p
zPhcYP3CQz&mV6@SYIKLdMB--fUzU90e}KP7U?TBx@DEEq@mlbE1tt>z7yOGxi1LYx
z!A}yHNQA$MSuFWP5BP-w6N!lLW7bPPu>kxH0uza6fWJlZiC*wK1SS&C1pj5pCl-Rg
zM_?jx0{Dj|pI8KbufRm&S>VTG5>h|JCEzCrOe7|PKST0~#o(t1OeDf*#w?b6VhQ+#
z0uzZg@NbrUq7VEAfr-Sk!GA#ViA%w66PQRm2YjBFvVBDO*65uA6N%@7e^~N~rQr7p
zOe9VMf5IpsPb>r9CNPnB9{95*pZIO?9Rd@H=Yzjk@`=mAFBF(aya4>0fovbK9Q+1>
ziA1bhF%L*SaRvBo0uzZ-z=vDaMn-5cQNSo5&VV%ds+a_z6=(yF0HQ2yG%yJ`3YY?n
z08;J-)KA1(6;1h-poz#E&2s8N6O%#PfH#6BP6N$yZvsu64muxr8))JT(51je&_t|>
z(N)0Jpoz0UHvn%3O}qqj3$O_^F$FY0U*~K<u4fJ)*R4Vz*QW-c1$t-&!o|gO0<FMq
zAf{LhnHb6#8*ntx0UQG?1datZ08vRyEAS*>Cy;)*8%Y1lLg{C1K>AY$kbbieNdMRX
zq#tYr(%*Fg>DRh}^j~ZY%8a2ur9W~2>30f&^e+uS`jJ*3{Y58`exV!4`Oi+A2DAY=
zpB+HX+d?4cX9JM)uocMp)(Pai>IT|?JcK_RXak-DbO6r<(tk_>HUQ59wgPFdoxlr#
z-N4B}Dvx#+6|vUZVvUMeZEeEewulEKq9P7kdM!~AJ1jf#x5a|5po=&h*&7)Zv1LTZ
z2;?8tG72dpdq+k^92|LQ<fw?(M|R_H$H=WCBO+QxuE*=cBYH<5J*qouRK$)kJI9QQ
z=!)49Gb-Z2xXp1WA+7~~SI0Hs@5`s|ITfXi?;Vfw$9LfG;rQP8sEDoco$;e09*A$l
z>-DE?I1N&#wcu~}>HAKPis(9h2mW^czxJ*^wyo>BGhA9J+ZuaG2G~oQF|eCtOKd$#
zq&_S;&=d7V>&x+zC2wf(Oo>kvV~S+>VT)N%2&l5Efd>eKv3Y~jYJjn+m@&ABfvSKD
zXsg?LMY=hKH#mR`c$v}Z4{tGsEJzA(*g5Z=L*94zA^M|9hWP?~e7|?@@7{C2&pq#v
zZ~KMq4c@cc&%yEd_T}wf@AYjP+aRxPZ^Lo%@ukNbyr-U6d7{C4^T`jM^m-S4OFq!S
zch=YFUGbfU<4NBsxN_;K%TG0UKiY9?N27Ob$9Xs|>{x{3#b@4r26B1k0vwM&vkb?L
zr*Ayn=so-Nxu>DL&z^s_(R<;!i_d|!&#l98;kiXPUfy+O7sT0h4vr^wpWF@H-OF%1
z-L%>S`e-W})N1fVu+e)Za5d22T@PFcz<Ka0T)7my49B&$^KDRX?U&l274}@(1G((E
z2**=<R^Yg>XAzE9JFay!co#YsJ0X7O`A(>Z&U0|S+Ia?!OI^piK-#s~)#&}G^A=n=
z*R=*$&UBrHE2q0w;drg<I$XKZbrsGpbzO$@Q!lK%0A<{JV{e1^+TQDXp?>zBg5$#8
zML2%cbqnI$?D_!WAMal7h8FBzg5!pMLx<G#>u@})pVJ|oo|PWZA#^+hI)oNO!0ox!
z110LY1jn_W^B_ImyW9(H)VtK%=)DzMfb&bC%Mky3XdU9;=)DP7uJ>+$^lI-lI6vEa
z4vwdKSK!LqeV6(gychZ|_Cd|}t;6|p-w8P0>Ro{2jsBbcaJ_%MzrlO1e+|yB_iaGT
zi-T_uLTe6Q7z7;#&%^ok!3{WG9lQotE)QOT^M&wY7_=R{1y^nkegIcag;(IpiSWrV
z^s(?VoUet?!|`nR99&rqpMm4jzT^9#r27`(czS4c2y_^_3CGppGs6wumEqHHJU_e+
z$8*DLaJ)2p8IBi+-yVjt4=;?sl;%0~7z{?3n-VZSF&qZ`<O2(y*9b2YJ_F+x!`~6!
z3F`%hj|pEV-1VDIdY55x#Lx>E)4NXiKS{m}lOcv*5MCkdg-HtIpC!DDFh59jkZ|`_
zhyOa^*9fEk7WwOh(Z7orZywkICO^bG2|tgMA(a0rIIl4T2y37h2G;l1b_aJ6zY8Wy
z3|xN~VUom<CjJ$|^AvxB@b+y^{)c^bbk8ba%zqn9o*2;2j`&%^YZSko@V^qqeLsdB
zpcj@0_wyJ=3FAH;LxC{vzcHKvjOkw>{4U9H(#G&5SQIe5#|Xbfc%1MXgqI1g5xzqB
z=Y)MQ`D18?#Rb#D{WFHI5XOBnhM(f%1NwZKun+1L<DVpa9x<$a{QvELix}3jb&~&p
z@D;*;Pxu<)pAg1H2*W#wA6)S8|E)g&iyh+MB{}*z5jPX=B>V#5IN^T6e?@qd@cV?n
zOc?#bm|m1H`lAtN2(J-dAlwN3<jK#ic=-R@cLIL+^YFtVlJ6#bTHtkouL+EcF9znf
z3w&7MC4tuj-VoRai@KWrpun>NFAKaT@HK()rZWbv4<BJJPe9=P0xt=?D)2Rd@nHcB
zoPN8&hXh_0_^iMigjxTs&%4v#DR8&IhXq~`cun99fqlE&`E?6?Sl|VLR|H-ccthaE
z-R}G}fe#71An>Zd7X{uBxUos(N4OQoQ^Sgf-#73w;lm{V2H{!4|3ElR`13x8KTo)w
z@B(3r@Dkw@gqI2bGvbF9JS&9%hwv)l9Zxy(vxJ)ouMzGiyiPby_#)v`gf9{P5#cL@
z8^B1%{I3yiCcHuTCBioe<NXMX{}JII5w`yn-vfIMF!oX2r~!b`O?WHeV}!R6{yt$J
z;a?DbmT*6;LztdM_;teVgx>`W`$Esi52s?7-vjW8;(@}S!nzY>0N?2MRq=;_XMm;h
zcPsqAfOTT0g7FlxWOKvLZ&b*Uzm@XDbqV>5tMOGi@_od|bp!c~;ndC_%qlw|#{7K_
zwDm!LfbdJiXN>Vt|Mt&05fCF^l_Q_+y<5a*%zRZ}<g0Szvwip=tOKY&W9Fm36$5@D
zUzH=D?a2V~8Do6Ze;z&<n6Ju_&-UjG@fkCJ-Da2gsvP-juf9oq#>~HoClK%p^;hM{
zXZ!XV@fl<MO8rNb+xb6)slz=-&Yv*z&xrP8`x)iPXZ!h2V4cMJXUu%reySY#Y;S*q
z_>8OZRXOt6KL1PNGiLsNyL6@cQ{~9#0rL*=88g3I@KrhTyQzR56Q42jy98gABcJyR
zzXR*O-G3=P=JyId$45Ex*D3xu@fkC}Tkuu6U4Ghs%oCsYC(Oq_gaPp=9w<JZBA@p!
zr-{!P<;eBH2Loc{v-}do_o09T*d;zbhwsM)-Xrj=z>5N}34BA~C%`UI^BWiV4+VZp
z;P(XHxyzm2u)wbfjCPHh{|SK~fI5icfr4CLz60^2EQIeL0IsyY^iq4}z)r#b#Tb*u
z_IZ%fK#c99%CUV1iN8dA#>~h2QyB0I`KlcGyr2Cs@fl-$%%8e%k*~^;kI(C2_$l!j
zGhgbj%8`GQ_&15qnEBmaCw;`IzbZ#Q@4tt@4#E0kjPWb!ugZ~+&*Nb*h|ie$Qh!yB
zeDqsjm?b`A=KJsj0)C<XsvP<F93F=65}z@~NBw2~svP;V#Q!1j88iRHuVCt>{8c&f
z*<TUVocd$TeA)i09QpX%8-~5aXUu%5zbZ%mR^ks6pE2|C{w4;*qe^_l$Y=k`Tf}FK
za;(2@_+UVce3t(k#P^|q!k7GRjPYxY??Vtj%4GPS23%=;zXpB;3|qiB#s0|{(?|Ve
z{it#*-vaTUAU@-2d{vHoeEtr@H;K=<8ef$oe~I{iO?<}8?-u<_l_Q`1T`h2v2FuTw
z`CA?JitVGyk<b3IPU17J##iOY-++A@h7j=?Ghf<|svP-;eKy^5o%oEIzb4AB%8}3h
zx-1yhSboOLm*rRG$Y=lF9}u5$HNGlGKKlc|N_@u5r{*ozzbZ#Q`w#zy_>8OZRXOt6
z-}oQIXIzc1%8}3h$?ZX>{uo!|t8(PCKeLzkjH~fgIr7>6d5rjsncwAfk7E6)a^$nW
z^fd7qGygHcSLMiO|LRTRGiH9b;Hz@vvp@FPR;T_LGhgbj%8}3h+k?bs%=|%-zbZ#Q
z`+L7ie8$!IsvP<3AO1G+88ctjpDIT_`;-5h_>8OZRXOt6{~T^}>W^_XzA8sP`>Wq1
zK4a#~`d8)1Xa6?5^TnP&7&Bj%pXFa`hq|M-!LNT5xUs`6-!Je<fj0zxbdQ^F2>ca+
zza{WhfgkO3r)LU$T;T5uyag&!EpNZT_~)al{2hU@KGpRe&5kV(_=@Y_8-#g%{Q?kB
z&i2%6gkhSq!{d+u%6WeOF5};F<UUw8P|o)F6k)ax-y+QR?!#axV0@oL_k58sLC^Dq
zdHrrD%=SbdVctLd9$~h}j}d13_Bdg-H~)+<+i$CYvCcTWC-4^VOQ`Zrfnx%HUErSx
z{Gq^pxYwbke@Nih1wJM4&jo&=!JXb2fgfpf%fkY{Ch+?L_dVq1e_P=91b*~a-SJ-(
z_zi*oN#G9z{_S6Lr}vV;O9Fd;-5vjr1^$`9#g{=-hk*ZQb+ylwz;6n?<zaXHfWYqv
z{L&V8{I3c8O@Y57@V^NBvB19p16S=|odO#I9})OXfxjp4&jfy7;131<BJA^3eRc}0
z3tSNR&jtRT!2cz%_Yrq~TLtbCc*MrtJRNuz1pb!5KNk4k1%BjF%)gXgv%r%A=WSff
z-hMz@t*<{4@)d#43H+|WUx0;HO>d{bEduKT`#k2(tiM_PyFI^V&8H*D=-^OqzrT4l
zlAZ0(C#UhR^!!>nb7X%io`g4*YlE%BRx*~G)dKiF>#(LB*{5lKEox=rN3H0PRe(#0
zxqX@u&j!QETubwWY3wg#g9ib$PYf7webk5>>4H82=ehn0dibq*ct7%Vu7V;hS@{1y
zD_5>dHj>DZE-j!e>Tp*oWaF`9U$i+G^mq8%(onQW&VsUW#%*)(ie7l7_n@YQsXjV@
z(vzQ=u`*CRrNE{hHeybR2M3H;#S*tfoxe5I`;39mh+jKW%BjCt-T30~0ZofTp1~x%
zO4tJMGJuvyBnqcT@H7{R!D#|dQ~4a6&J99CxYU6Lc+vgA#@IgqM<YH^Sv|}7SH-(k
z&#z6#)3a7)92ywa1m#HOavk@Bj`TtO#<1hOSXsNH(Dh~t+*+;a{8S=7UAwWg7HF-q
zs&QIM-&Zl4_L!Bl;I-Y@4LC2Qp$ed7v6Gt>Q|L%q$M&;w6_U_eK=m-Tmzoqbp59-v
zU7Fi5!D8Q}6#Fx&Im5D|u3i+#!j+-wNxS-=$8@zfz~a1s=f$z<G0UsOW7g8ik%}tt
zn95-Dn6B2eX9unH#%_NLyzm~zfsspPVEBcCQ-z$BZB5uSk{&W9jF<_t%Jj_iX3SR8
zrW!|$*wNT#k=sls2P0lj+|<lW*2>ircO+7la}eGVo{PuwseHBv%eEipR{V?8gUM`U
z#tLbLSE8ngA7gUpP~T9ZfBa>cMgVJQ!XG#gNye-L7R*S{o>r(lGbdulbSho2^J>ne
zg43ydGUx8h#c5h;2#2ccT2DK?usoNVP9=1Gq^#CCnqL-6*C+Q^)_W8$cN7;UzZS}8
zj#~CiJl1Bwv<z=XAM<Oaem|knknh*@KCRUmVg1^K(^R*WlD{nzId;HGXRNH1%tf5F
zuhjdT(%hSL^?`XaH#F^6>a?tq4!oMk&xCHfK5!*UMsoR#)iRUHs5v+Vz>M{M+P-4T
zK|c06d|P#;4-}^FKsl!uZkAI=ah{y;x5l#*kwiR-ZEu&##9|p!^X4mNPA#3k89P3A
z#{;kGFAp6sGn!dn;nXbeT{ozm>b>m*N?x~J%OgqA&6<tE+?<um*emITtD4KlvNQ0N
zMiuN}X$G?=n!@}%PhT~&4WP}VhoHmW!9a2AAZw&KFbEc|71i^(Ss3f_X?wJXQc-I{
z)<un|h4}%P1KUO%YcSfU@g!KPi{>Cn%X1n@yG!2!2G&>$Sb$@JRN6|K!F(1bJAWXe
z=m=PuGH8D7>oBYc{26vnYJS4hb-%ml^Dx}QTG%z*f4^$ZSxAX;cFatfzpmysU!I-b
z7aT?N6xL!GphK#<Wh3;J12jUb>O*NcJ)y#!DaL&HgjuRoN=o*G@(5xqlp-kA%(iR}
z3?j9NmDh-hNuafUhg51AvZql8OiYh))tmEJ_3l9<YD%9Qb?UxsiK(cpthE5{&L&zN
z)6gGGXRUlR1r|p%H3tT=y*Km+VGokd=Wxh}(5!%=(ovjN2DAw@W6+k-Oxz*4s<C`6
zgt+>U=s-xdCwS3)9Oc@`R)rNL32J~^BVfK~;*mrEw~M;I>A)^&3-*L#b;aCjx+@iQ
zO!Ny~T8%-yIoLXZ!xE<)-c*;*6dY4lb@96Bmw3IUJy2)L7_(B!_Vo%W2mQ@;ri?Kw
zrEFgpDYu7{u!RTHWGn#M`|HR-GGtC=ayv)EXpN*{4viKHhG82whB1nBo-wHoxw3A?
zcBwIG$IklwrU8p!GB%LUWhVl$OzIe<7`Ic*`hzC829h~5pG>5tk64fy8YQphvi?@w
z<Br+gANW>ePO(I?%`Ilh%GWcQNP+h=&eD@@Ztb;ZBKbtl$s0T;RwkWF*h|!eqgc%-
z74pwI_I5Vdm&v3u&dS64RmwH!6s99<r6aJ>Mbi=Tor{CjmCC?76QZWkY~aq;G^b~e
zWOGN%Xe4ti4)twjkHu$lX8+iMP@g$GruUjVolBwATpF~ViYMZ^0+bnA9ycR}nv{%H
zGP!F+?A<K$-gp)=pPsFeMqL?&$A;p$8i|Zey=;M>?5G8%dexdZv>&8%*4%U&3hz``
zBmun!mTVVx65~tudo2!F2`iGd_*%@$jTh2Z56ouC7%cjukvS`z#0~{ruC7So<cO7v
zplxNqCPz(pGM-C<Ei)dON)#_=+}VTsErM<Clp&vl6#z<aMeTm&N$eXBx0o7^G<BRg
ztD@E#PA1|>t4EtCfT=SH`-kzFKr(7Va+Tuywc$u6W*OklvFc<5P51U~tgeg-U}H`j
z;|E^l5z*F{u;#!lJdm@uV0y?Lj|D;380v~;Y@;%|J*X`%$BD}Wb6b8qHZE`yxkE=8
zRxF2TlC*9Itx@}S(_f{=%j$1(4Ek%O#?hzUoBzoK^nU6U@nkj^0izl^7Y=&pG8T4O
zbWJIpwsN{Ksfs3?9D}~7`UFY_O3~7s9K&Hw*{3rp9FgW!YTk;PsdVI(yakS{cs7TY
zKA5*qdX5{lvbjvEP%AFhn4fAc;Iw<myszw^P_|-540UtHg;VS9KJ%$~-OI<OF?pzO
z=Adb}iCe)>+8tl)xjfc_RQExr*OuxY4ItZ0nJ%-fus5n*Mr?`nkXi$ktN_6;+FF}u
z#pW6e5NYvAt)%UuTboj9mU(>6UFuo}uC8-Z1A3^!KKAy<vpxkw3GUmJ2A93U!6Z;?
zbh(<T#%9?}PmWEA;#J>TV{F?SS?VpDR|cBG)hk2oPMfENCjY%iOLmcak>+L%?{p(^
zckq**2GjxSm=8QfCE$LeXE@XhpBDH8;1dLUq%b#?0!zUMQ@d&6E53X+3~d?TO#8?*
z2Dh|3Dbs#87>J!am{M%Se5F2CwldX>z3JK^*#*0714@Q9I-;*M!eu&8+LF#S##~ul
z+=&7>s-yyUk`9ijyG=)qrqWcEv1Srz#ix>Z2PzBSp1wh|KLf_K-!lU@!gpKsZ6sjp
zQ@nX$WMB>=qojOuRN6Px&v7<A^~VpT)ZJA5Jl;Fi&wve1{gLf0RsGScZ6nK4sLN0t
z##N-o+<<e(NUt5q*)5xChRzg#GeS?!xmFrSWn<rn$tar+_;L!*)s?IXyC5Y6ZrjEY
ze9Q_5YaLl(RNJXl!Nw7(${|<D#u1bnlUkuPsZkr1%3mj~vb7^ssAXEnX5Bnv+p@Sr
zT7CLfznwu<W*a28uR;wwMpju(6=XNK&DJZUSF4q#gISoqn=<(%Jgw1mER{LZ6ie-z
z#+QPob~*m4@(YgmNIciHdnzAKM4P~On6R2`zuTM@#eHmccM=|eidyqc>g-O@$wN~~
z<V^C}UCC5tE|O@9Wae4}?s&E%WiA!XgUjVEwKr1v%(RttrQhT!y+-velmBEY2h~lL
zJ%a)>yL(&u8S=GwO!53oxw5VZckUR%yFBO+x~m7g9ACtJAKl$OYj@vAr#vMy_G$a*
z#GdW5v;AZ9zry~4Mddq#(rt+{3-|tRqP)8P|Li6#=aJ;yw#{(2*1{*VoU_WXq*r=e
zv}~!o-RErCJHN?;r!t>=_wXz#VBZ#~@OUq7B8A;@w@(4P9+oXj-LHu6`Gf0NQoMy!
z;Tc_Fo4Fq1_208cvP*ltI(E|bEg`on&*iJzGzqt}dDH0j-hK8+bmsrk=(P1kYg>J+
zyS!H^V)4_EU(zo!)JM+C)cI6ynH6tsJLdEKTY0cM-t5Oc_iyE?&wI(cf3;kDiTk(m
z&=-%-<KDlOSM5P%)frmZA4c6sm>{2>TX}NZcK`mC+hDof`()Bh>Na6&O*q1td;eZS
o)t?7!KI%kW*0{mSca}<q?frWRDR|nlb}h(W{>!?T06*XUUsb2uT>t<8

literal 0
HcmV?d00001

diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.go b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.go
new file mode 100644
index 00000000000000..5d331b8ed22252
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.go
@@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package cryptokit
+
+// #cgo CFLAGS: -Wno-deprecated-declarations
+// #cgo LDFLAGS: -L /Library/Developer/CommandLineTools/usr/lib/swift/macosx ${SRCDIR}/CryptoKit.o
+import "C"
+import "unsafe"
+
+// base returns the address of the underlying array in b,
+// being careful not to panic when b has zero length.
+func base(b []byte) *C.uchar {
+	if len(b) == 0 {
+		return nil
+	}
+	return (*C.uchar)(unsafe.Pointer(&b[0]))
+}
+
+func sbase(b []byte) *C.char {
+	if len(b) == 0 {
+		return nil
+	}
+	return (*C.char)(unsafe.Pointer(&b[0]))
+}
+
+func pbase(b []byte) unsafe.Pointer {
+	if len(b) == 0 {
+		return nil
+	}
+	return unsafe.Pointer(&b[0])
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.h b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.h
new file mode 100644
index 00000000000000..dfc73697c392f8
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/cryptokit.h
@@ -0,0 +1,43 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+#ifndef CRYPTOKIT_H
+#define CRYPTOKIT_H
+
+#include <stdint.h>
+#include <stddef.h>
+
+// AES GCM encryption and decryption
+int encryptAESGCM(const uint8_t* key, size_t keyLength, 
+                         const uint8_t* data, size_t dataLength, 
+                         const uint8_t* nonce, size_t nonceLength, 
+                         const uint8_t* aad, size_t aadLength, 
+                         uint8_t* cipherText, size_t cipherTextLength, 
+                         uint8_t* tag);
+int decryptAESGCM(const uint8_t* key, size_t keyLength, 
+                         const uint8_t* data, size_t dataLength, 
+                         const uint8_t* nonce, size_t nonceLength, 
+                         const uint8_t* aad, size_t aadLength, 
+                         const uint8_t* tag, size_t tagLength, 
+                         uint8_t* out, size_t* outLength);
+
+// Generates an Ed25519 keypair.
+// The private key is 64 bytes (first 32 bytes are the seed, next 32 bytes are the public key).
+// The public key is 32 bytes.
+void generateKeyEd25519(uint8_t* key);
+int newPrivateKeyEd25519FromSeed(uint8_t* key, const uint8_t* seed);
+int newPublicKeyEd25519(uint8_t* key, const uint8_t* pub);
+int signEd25519(const uint8_t* privateKey, const uint8_t* message, size_t messageLength, uint8_t* sigBuffer);
+int verifyEd25519(const uint8_t* publicKey, const uint8_t* message, size_t messageLength, const uint8_t* sig);
+
+// HKDF key derivation
+int extractHKDF(int32_t hashFunction, 
+                      const uint8_t* secret, size_t secretLength, 
+                      const uint8_t* salt, size_t saltLength, 
+                      uint8_t* prk, size_t prkLength);
+int expandHKDF(int32_t hashFunction,
+                        const uint8_t* prk, size_t prkLength,
+                        const uint8_t* info, size_t infoLength,
+                        uint8_t* okm, size_t okmLength);
+
+#endif /* CRYPTOKIT_H */
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/ed25519.go b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/ed25519.go
new file mode 100644
index 00000000000000..2fa15c8fa5529a
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/ed25519.go
@@ -0,0 +1,72 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package cryptokit
+
+// #include "cryptokit.h"
+import "C"
+import (
+	"errors"
+)
+
+// GenerateKeyEd25519 generates an Ed25519 private key using the Swift implementation.
+func GenerateKeyEd25519(key []byte) {
+	C.generateKeyEd25519(base(key))
+}
+
+// NewPrivateKeyEd25519FromSeed generates an Ed25519 private key from a seed.
+func NewPrivateKeyEd25519FromSeed(key, seed []byte) error {
+	result := C.newPrivateKeyEd25519FromSeed(base(key), base(seed))
+	if result != 0 {
+		return errors.New("failed to generate Ed25519 key from seed")
+	}
+	return nil
+}
+
+// NewPublicKeyEd25519 creates a new Ed25519 public key from raw bytes.
+func NewPublicKeyEd25519(key, pub []byte) error {
+	result := C.newPublicKeyEd25519(base(key), base(pub))
+	if result != 0 {
+		return errors.New("failed to create Ed25519 public key")
+	}
+	return nil
+}
+
+// SignEd25519 signs a message using the provided private key.
+func SignEd25519(sig, privateKey, message []byte) error {
+	result := C.signEd25519(base(privateKey), base(message), C.size_t(len(message)), base(sig))
+	if result < 0 {
+		switch result {
+		case -1:
+			return errors.New("invalid inputs to SignEd25519")
+		case -2:
+			return errors.New("failed to reconstruct private key")
+		case -3:
+			return errors.New("failed to sign the message")
+		case -4:
+			return errors.New("signature buffer too small")
+		default:
+			return errors.New("unknown error in SignEd25519")
+		}
+	}
+	return nil
+}
+
+// VerifyEd25519 verifies a signature using the provided public key and message.
+func VerifyEd25519(publicKey, message, sig []byte) error {
+	result := C.verifyEd25519(base(publicKey), base(message), C.size_t(len(message)), base(sig))
+	switch result {
+	case 1:
+		return nil // Valid signature
+	case 0:
+		return errors.New("ed25519: invalid signature")
+	case -1:
+		return errors.New("invalid inputs to VerifyEd25519")
+	case -2:
+		return errors.New("failed to reconstruct public key")
+	default:
+		return errors.New("unknown error in VerifyEd25519")
+	}
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/gcm.go b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/gcm.go
new file mode 100644
index 00000000000000..458e9eb57416b1
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/gcm.go
@@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package cryptokit
+
+// #include "cryptokit.h"
+import "C"
+
+// EncryptAESGCM performs AES-GCM encryption using Swift.
+func EncryptAESGCM(key, plaintext, nonce, additionalData, ciphertext, tag []byte) int {
+	err := C.encryptAESGCM(
+		base(key), C.size_t(len(key)),
+		base(plaintext), C.size_t(len(plaintext)),
+		base(nonce), C.size_t(len(nonce)),
+		base(additionalData), C.size_t(len(additionalData)),
+		base(ciphertext), C.size_t(len(ciphertext)),
+		base(tag),
+	)
+	return int(err)
+}
+
+// DecryptAESGCM performs AES-GCM decryption using Swift.
+func DecryptAESGCM(key, ciphertext, nonce, additionalData, tag, plaintext []byte) (int, int) {
+	var decSize C.size_t
+	err := C.decryptAESGCM(
+		base(key), C.size_t(len(key)),
+		base(ciphertext), C.size_t(len(ciphertext)),
+		base(nonce), C.size_t(len(nonce)),
+		base(additionalData), C.size_t(len(additionalData)),
+		base(tag), C.size_t(len(tag)),
+		base(plaintext), &decSize,
+	)
+	return int(decSize), int(err)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/hkdf.go b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/hkdf.go
new file mode 100644
index 00000000000000..da161adcd88ea6
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/internal/cryptokit/hkdf.go
@@ -0,0 +1,77 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package cryptokit
+
+// #include "cryptokit.h"
+import "C"
+import (
+	"crypto"
+	"errors"
+)
+
+// ExtractHKDF performs the extract step of HKDF using the specified hash function.
+func ExtractHKDF(hash crypto.Hash, secret, salt []byte) ([]byte, error) {
+	h, err := cryptoHashToSwift(hash)
+	if err != nil {
+		return nil, err
+	}
+
+	// Allocate buffer for derived key
+	prk := make([]byte, hash.Size())
+
+	// Call Swift function
+	result := C.extractHKDF(
+		h,
+		base(secret), C.size_t(len(secret)),
+		base(salt), C.size_t(len(salt)),
+		base(prk), C.size_t(len(prk)),
+	)
+
+	if result != 0 {
+		return nil, errors.New("HKDF derivation failed")
+	}
+
+	return prk, nil
+}
+
+func ExpandHKDF(hash crypto.Hash, pseudorandomKey, info []byte, keyLength int) ([]byte, error) {
+	h, err := cryptoHashToSwift(hash)
+	if err != nil {
+		return nil, err
+	}
+
+	// Allocate buffer for derived key
+	expandedKey := make([]byte, keyLength)
+
+	// Call Swift function
+	result := C.expandHKDF(
+		h,
+		base(pseudorandomKey), C.size_t(len(pseudorandomKey)),
+		base(info), C.size_t(len(info)),
+		base(expandedKey), C.size_t(len(expandedKey)),
+	)
+
+	if result != 0 {
+		return nil, errors.New("HKDF derivation failed")
+	}
+
+	return expandedKey, nil
+}
+
+func cryptoHashToSwift(hash crypto.Hash) (C.int32_t, error) {
+	switch hash {
+	case crypto.SHA1:
+		return 1, nil
+	case crypto.SHA256:
+		return 2, nil
+	case crypto.SHA384:
+		return 3, nil
+	case crypto.SHA512:
+		return 4, nil
+	default:
+		return 0, errors.New("unsupported hash function")
+	}
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go
new file mode 100644
index 00000000000000..27a42bfc89ca06
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/aes.go
@@ -0,0 +1,306 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <CommonCrypto/CommonCrypto.h>
+import "C"
+import (
+	"crypto/cipher"
+	"errors"
+	"slices"
+
+	"github.com/microsoft/go-crypto-darwin/internal/cryptokit"
+)
+
+//go:generate go run github.com/microsoft/go-crypto-darwin/cmd/gentestvectors -out vectors_test.go
+
+type cipherGCMTLS uint8
+
+const (
+	cipherGCMTLSNone cipherGCMTLS = iota
+	cipherGCMTLS12
+	cipherGCMTLS13
+)
+
+const (
+	// AES block size is the same for all key sizes
+	aesBlockSize         = C.kCCBlockSizeAES128
+	gcmTagSize           = 16
+	gcmStandardNonceSize = 12
+	// TLS 1.2 additional data is constructed as:
+	//
+	//     additional_data = seq_num(8) + TLSCompressed.type(1) + TLSCompressed.version(2) + TLSCompressed.length(2);
+	gcmTls12AddSize = 13
+	// TLS 1.3 additional data is constructed as:
+	//
+	//     additional_data = TLSCiphertext.opaque_type(1) || TLSCiphertext.legacy_record_version(2) || TLSCiphertext.length(2)
+	gcmTls13AddSize      = 5
+	gcmTlsFixedNonceSize = 4
+)
+
+type aesCipher struct {
+	key  []byte
+	kind C.CCAlgorithm
+}
+
+func NewAESCipher(key []byte) (cipher.Block, error) {
+	var alg C.CCAlgorithm
+	switch len(key) {
+	case 16, 24, 32:
+		alg = C.kCCAlgorithmAES
+	default:
+		return nil, errors.New("crypto/aes: invalid key size")
+	}
+	c := &aesCipher{
+		key:  slices.Clone(key),
+		kind: alg,
+	}
+	return c, nil
+}
+
+func (c *aesCipher) BlockSize() int { return aesBlockSize }
+
+func (c *aesCipher) Encrypt(dst, src []byte) {
+	blockSize := c.BlockSize()
+	if len(src) < blockSize || len(dst) < blockSize {
+		panic("crypto/aes: input or output block is too small")
+	}
+
+	src, dst = src[:blockSize], dst[:blockSize]
+
+	if inexactOverlap(dst, src) {
+		panic("crypto/aes: invalid buffer overlap")
+	}
+
+	status := C.CCCrypt(
+		C.kCCEncrypt,          // Operation
+		C.CCAlgorithm(c.kind), // Algorithm
+		0,                     // Options
+		pbase(c.key),          // Key
+		C.size_t(len(c.key)),  // Key length
+		nil,                   // IV
+		pbase(src),            // Input
+		C.size_t(blockSize),   // Input length
+		pbase(dst),            // Output
+		C.size_t(blockSize),   // Output length
+		nil,                   // Output length
+	)
+	if status != C.kCCSuccess {
+		panic("crypto/aes: encryption failed")
+	}
+}
+
+func (c *aesCipher) Decrypt(dst, src []byte) {
+	blockSize := c.BlockSize()
+	if len(src) < blockSize || len(dst) < blockSize {
+		panic("crypto/aes: input or output block is too small")
+	}
+
+	src, dst = src[:blockSize], dst[:blockSize]
+
+	if inexactOverlap(dst, src) {
+		panic("crypto/aes: invalid buffer overlap")
+	}
+
+	status := C.CCCrypt(
+		C.kCCDecrypt,          // Operation
+		C.CCAlgorithm(c.kind), // Algorithm
+		0,                     // Options
+		pbase(c.key),          // Key
+		C.size_t(len(c.key)),  // Key length
+		nil,                   // IV
+		pbase(src),            // Input
+		C.size_t(blockSize),   // Input length
+		pbase(dst),            // Output
+		C.size_t(blockSize),   // Output length
+		nil,                   // Output length
+	)
+	if status != C.kCCSuccess {
+		panic("crypto/aes: decryption failed")
+	}
+}
+
+type aesGCM struct {
+	key []byte
+	tls cipherGCMTLS
+	// minNextNonce is the minimum value that the next nonce can be, enforced by
+	// all TLS modes.
+	minNextNonce uint64
+	// mask is the nonce mask used in TLS 1.3 mode.
+	mask uint64
+	// maskInitialized is true if mask has been initialized. This happens during
+	// the first Seal. The initialized mask may be 0. Used by TLS 1.3 mode.
+	maskInitialized bool
+}
+
+type noGCM struct {
+	cipher.Block
+}
+
+// NewGCM constructs a GCM block mode for AES using the cryptokit package
+func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
+	if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize {
+		return nil, errors.New("crypto/aes: GCM tag and nonce sizes can't be non-standard at the same time")
+	}
+	// Fall back to standard library for GCM with non-standard nonce or tag size.
+	if nonceSize != gcmStandardNonceSize {
+		return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
+	}
+	if tagSize != gcmTagSize {
+		return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize)
+	}
+	return &aesGCM{key: c.key, tls: cipherGCMTLSNone}, nil
+}
+
+func (g *aesGCM) NonceSize() int { return gcmStandardNonceSize }
+
+func (g *aesGCM) Overhead() int { return gcmTagSize }
+
+func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+	if len(nonce) != gcmStandardNonceSize {
+		panic("cipher: incorrect nonce length given to GCM")
+	}
+	if uint64(len(plaintext)) > ((1<<32)-2)*aesBlockSize || len(plaintext)+gcmTagSize < len(plaintext) {
+		panic("cipher: message too large for GCM")
+	}
+	if len(dst)+len(plaintext)+gcmTagSize < len(dst) {
+		panic("cipher: message too large for buffer")
+	}
+
+	if g.tls != cipherGCMTLSNone {
+		if g.tls == cipherGCMTLS12 && len(additionalData) != gcmTls12AddSize {
+			panic("cipher: incorrect additional data length given to GCM TLS 1.2")
+		} else if g.tls == cipherGCMTLS13 && len(additionalData) != gcmTls13AddSize {
+			panic("cipher: incorrect additional data length given to GCM TLS 1.3")
+		}
+		counter := bigUint64(nonce[gcmTlsFixedNonceSize:])
+
+		// TLS 1.3 Masking
+		if g.tls == cipherGCMTLS13 {
+			if !g.maskInitialized {
+				g.mask = counter
+				g.maskInitialized = true
+			}
+			// Apply mask to the counter
+			counter ^= g.mask
+		}
+
+		// Enforce monotonicity and max limit
+		const maxUint64 = 1<<64 - 1
+		if counter == maxUint64 {
+			panic("cipher: nonce counter must be less than 2^64 - 1")
+		}
+		if counter < g.minNextNonce {
+			panic("cipher: nonce counter must be strictly monotonically increasing")
+		}
+
+		defer func() {
+			g.minNextNonce = counter + 1
+		}()
+	}
+
+	// Make room in dst to append plaintext+overhead.
+	ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize)
+
+	// Check delayed until now to make sure len(dst) is accurate.
+	if inexactOverlap(out, plaintext) {
+		panic("cipher: invalid buffer overlap")
+	}
+
+	tag := out[len(out)-gcmTagSize:]
+	err := cryptokit.EncryptAESGCM(g.key, plaintext, nonce, additionalData, out[:len(out)-gcmTagSize], tag)
+	if err != 0 {
+		panic("cipher: encryption failed")
+	}
+	return ret
+}
+
+var errOpen = errors.New("cipher: message authentication failed")
+
+func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+	if len(nonce) != gcmStandardNonceSize {
+		panic("cipher: incorrect nonce length given to GCM")
+	}
+	if len(ciphertext) < gcmTagSize {
+		return nil, errOpen
+	}
+	if uint64(len(ciphertext)) > ((1<<32)-2)*aesBlockSize+gcmTagSize {
+		return nil, errOpen
+	}
+	// BoringCrypto does not do any TLS check when decrypting, neither do we.
+
+	// Ensure we don't process if ciphertext lacks both ciphertext and tag
+	if len(ciphertext) < gcmTagSize {
+		return nil, errors.New("decryption failed: ciphertext too short for tag")
+	}
+
+	tag := ciphertext[len(ciphertext)-gcmTagSize:]
+	ciphertext = ciphertext[:len(ciphertext)-gcmTagSize]
+
+	// Make room in dst to append ciphertext without tag.
+	ret, out := sliceForAppend(dst, len(ciphertext))
+
+	// Check delayed until now to make sure len(dst) is accurate.
+	if inexactOverlap(out, ciphertext) {
+		panic("cipher: invalid buffer overlap")
+	}
+
+	decSize, err := cryptokit.DecryptAESGCM(g.key, ciphertext, nonce, additionalData, tag, out)
+	if err != 0 || int(decSize) != len(ciphertext) {
+		// If the decrypted data size does not match, zero out `out` and return `errOpen`
+		for i := range out {
+			out[i] = 0
+		}
+		return nil, errOpen
+	}
+	return ret, nil
+}
+
+// NewGCMTLS returns a GCM cipher specific to TLS
+// and should not be used for non-TLS purposes.
+func NewGCMTLS(block cipher.Block) (cipher.AEAD, error) {
+	cipher, ok := block.(*aesCipher)
+	if !ok {
+		return nil, errors.New("crypto/aes: invalid block cipher")
+	}
+	return &aesGCM{key: cipher.key, tls: cipherGCMTLS12}, nil
+}
+
+// NewGCMTLS13 returns a GCM cipher specific to TLS 1.3 and should not be used
+// for non-TLS purposes.
+func NewGCMTLS13(block cipher.Block) (cipher.AEAD, error) {
+	cipher, ok := block.(*aesCipher)
+	if !ok {
+		return nil, errors.New("crypto/aes: invalid block cipher")
+	}
+	return &aesGCM{key: cipher.key, tls: cipherGCMTLS13}, nil
+}
+
+func (c *aesCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
+	return newCBC(C.kCCEncrypt, c.kind, c.key, iv)
+}
+
+func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode {
+	return newCBC(C.kCCDecrypt, c.kind, c.key, iv)
+}
+
+// sliceForAppend is a mirror of crypto/cipher.sliceForAppend.
+func sliceForAppend(in []byte, n int) (head, tail []byte) {
+	if total := len(in) + n; cap(in) >= total {
+		head = in[:total]
+	} else {
+		head = make([]byte, total)
+		copy(head, in)
+	}
+	tail = head[len(in):]
+	return
+}
+
+func bigUint64(b []byte) uint64 {
+	_ = b[7] // bounds check hint to compiler; see go.dev/issue/14808
+	return uint64(b[7]) | uint64(b[6])<<8 | uint64(b[5])<<16 | uint64(b[4])<<24 |
+		uint64(b[3])<<32 | uint64(b[2])<<40 | uint64(b[1])<<48 | uint64(b[0])<<56
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/big.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/big.go
new file mode 100644
index 00000000000000..865e22ab6a3dda
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/big.go
@@ -0,0 +1,16 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package xcrypto
+
+// This file does not have build constraints to
+// facilitate using BigInt in Go crypto.
+// Go crypto references BigInt unconditionally,
+// even if it is not finally used.
+
+// A BigInt is the big-endian bytes from a math/big BigInt,
+// which are normalized to remove any leading 0 byte.
+// Windows BCrypt accepts this specific data format.
+// This definition allows us to avoid importing math/big.
+// Conversion between BigInt and *big.Int is in xcrypto/bbig.
+type BigInt []byte
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cgo_go124.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cgo_go124.go
new file mode 100644
index 00000000000000..375bc368162acb
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cgo_go124.go
@@ -0,0 +1,21 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build go1.24 && darwin
+
+package xcrypto
+
+// The following noescape and nocallback directives are used to prevent the Go
+// compiler from allocating function parameters on the heap. See
+// https://github.com/golang/go/blob/0733682e5ff4cd294f5eccb31cbe87a543147bc6/src/cmd/cgo/doc.go#L439-L461
+//
+// If possible, write a C wrapper function to optimize a call rather than using
+// this feature so the optimization will work for all supported Go versions.
+//
+// This is just a performance optimization. Only add functions that have been
+// observed to benefit from these directives, not every function that is merely
+// expected to meet the noescape/nocallback criteria.
+
+// #cgo noescape SecRandomCopyBytes
+// #cgo nocallback SecRandomCopyBytes
+import "C"
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cipher.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cipher.go
new file mode 100644
index 00000000000000..9f3a8f92bd43fc
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/cipher.go
@@ -0,0 +1,122 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <CommonCrypto/CommonCrypto.h>
+import "C"
+
+import (
+	"runtime"
+	"unsafe"
+)
+
+type cbcCipher struct {
+	blockSize int
+	cryptor   C.CCCryptorRef
+}
+
+func newCBC(operation C.CCOperation, kind C.CCAlgorithm, key, iv []byte) *cbcCipher {
+	var blockSize int
+	switch kind {
+	case C.kCCAlgorithmAES:
+		blockSize = aesBlockSize
+	case C.kCCAlgorithmDES, C.kCCAlgorithm3DES:
+		blockSize = desBlockSize
+	default:
+		panic("invalid algorithm")
+	}
+
+	// Create and initialize the cbcMode struct with CCCryptorCreate here
+	x := &cbcCipher{blockSize: blockSize}
+	status := C.CCCryptorCreateWithMode(
+		operation,           // Specifies whether encryption or decryption is performed (kCCEncrypt or kCCDecrypt).
+		C.kCCModeCBC,        // Mode of operation, here explicitly set to CBC (Cipher Block Chaining).
+		C.CCAlgorithm(kind), // The encryption algorithm (e.g., kCCAlgorithmAES128, kCCAlgorithmDES).
+		C.ccNoPadding,       // Padding option, set to no padding; padding can be handled at a higher level if necessary.
+		pbase(iv),           // Initialization Vector (IV) for the cipher, required for CBC mode. Should be nil for ECB mode.
+		pbase(key),          // Pointer to the encryption key.
+		C.size_t(len(key)),  // Length of the encryption key in bytes.
+		nil,                 // Tweak key, used only for XTS mode; here set to nil as it’s not required for CBC.
+		0,                   // Length of the tweak key, set to 0 as tweak is nil.
+		0,                   // Number of rounds, mainly for RC2 and Blowfish; not used here, so set to 0.
+		0,                   // Mode options for CTR and F8 modes; not used for CBC, so set to 0.
+		&x.cryptor,          // Pointer to the CCCryptorRef output, which will hold the state for encryption or decryption.
+	)
+
+	if status != C.kCCSuccess {
+		panic("crypto/des: CCCryptorCreate failed")
+	}
+
+	runtime.SetFinalizer(x, (*cbcCipher).finalize)
+	return x
+
+}
+
+func (x *cbcCipher) finalize() {
+	if x.cryptor != nil {
+		C.CCCryptorRelease(x.cryptor)
+		x.cryptor = nil
+	}
+}
+
+func (x *cbcCipher) BlockSize() int { return x.blockSize }
+
+func (x *cbcCipher) CryptBlocks(dst, src []byte) {
+	if inexactOverlap(dst, src) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
+	if len(src)%x.blockSize != 0 {
+		panic("crypto/cipher: input not full blocks")
+	}
+	if len(dst) < len(src) {
+		panic("crypto/cipher: output smaller than input")
+	}
+	if len(src) == 0 {
+		return
+	}
+	var outLength C.size_t
+	status := C.CCCryptorUpdate(
+		x.cryptor,          // CCCryptorRef created by CCCryptorCreateWithMode; holds the encryption/decryption state.
+		pbase(src),         // Pointer to the input data (source buffer) to be encrypted or decrypted.
+		C.size_t(len(src)), // Length of the input data in bytes.
+		pbase(dst),         // Pointer to the output buffer (destination buffer) where the result will be stored.
+		C.size_t(len(dst)), // Size of the output buffer in bytes; must be large enough to hold the processed data.
+		&outLength,         // Pointer to a variable that will contain the number of bytes written to the output buffer.
+	)
+	if status != C.kCCSuccess {
+		panic("crypto/cipher: CCCryptorUpdate failed")
+	}
+	runtime.KeepAlive(x)
+}
+
+func (x *cbcCipher) SetIV(iv []byte) {
+	if len(iv) != x.blockSize {
+		panic("crypto/cipher: incorrect IV length")
+	}
+	status := C.CCCryptorReset(
+		x.cryptor, // CCCryptorRef created by CCCryptorCreateWithMode; holds the encryption/decryption state.
+		pbase(iv), // Pointer to the new IV to be set.
+	)
+	if status != C.kCCSuccess {
+		panic("crypto/cipher: CCCryptorReset failed")
+	}
+	runtime.KeepAlive(x)
+}
+
+// The following two functions are a mirror of golang.org/x/crypto/internal/subtle.
+
+func anyOverlap(x, y []byte) bool {
+	return len(x) > 0 && len(y) > 0 &&
+		uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
+		uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
+}
+
+func inexactOverlap(x, y []byte) bool {
+	if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
+		return false
+	}
+	return anyOverlap(x, y)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/des.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/des.go
new file mode 100644
index 00000000000000..ce490c1167c536
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/des.go
@@ -0,0 +1,117 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <CommonCrypto/CommonCrypto.h>
+import "C"
+import (
+	"crypto/cipher"
+	"errors"
+	"slices"
+)
+
+const desBlockSize = C.kCCBlockSizeDES
+
+type desCipher struct {
+	key  []byte
+	kind C.CCAlgorithm
+}
+
+// NewDESCipher creates a new DES cipher block using the specified key (8 bytes).
+func NewDESCipher(key []byte) (cipher.Block, error) {
+	if len(key) != 8 {
+		return nil, errors.New("crypto/des: invalid key size for DES")
+	}
+
+	c := &desCipher{
+		key:  slices.Clone(key),
+		kind: C.kCCAlgorithmDES,
+	}
+	return c, nil
+}
+
+// NewTripleDESCipher creates a new 3DES cipher block using the specified key (24 bytes).
+func NewTripleDESCipher(key []byte) (cipher.Block, error) {
+	if len(key) != 24 {
+		return nil, errors.New("crypto/des: invalid key size for 3DES")
+	}
+
+	c := &desCipher{
+		key:  slices.Clone(key),
+		kind: C.kCCAlgorithm3DES,
+	}
+	return c, nil
+}
+
+func (c *desCipher) BlockSize() int { return desBlockSize }
+
+func (c *desCipher) Encrypt(dst, src []byte) {
+	blockSize := c.BlockSize()
+	if len(src) < blockSize || len(dst) < blockSize {
+		panic("crypto/des: input or output block is too small")
+	}
+
+	if inexactOverlap(dst[:blockSize], src[:blockSize]) {
+		panic("crypto/des: invalid buffer overlap")
+	}
+
+	var outLength C.size_t
+	status := C.CCCrypt(
+		C.kCCEncrypt,
+		C.CCAlgorithm(c.kind),
+		C.kCCOptionECBMode,
+		pbase(c.key),
+		C.size_t(len(c.key)),
+		nil,
+		pbase(src[:blockSize]),
+		C.size_t(blockSize),
+		pbase(dst[:blockSize]),
+		C.size_t(blockSize),
+		&outLength,
+	)
+	if status != C.kCCSuccess {
+		panic("crypto/des: encryption failed")
+	}
+}
+
+func (c *desCipher) Decrypt(dst, src []byte) {
+	blockSize := c.BlockSize()
+	if len(src) < blockSize || len(dst) < blockSize {
+		panic("crypto/des: input or output block is too small")
+	}
+
+	if inexactOverlap(dst[:blockSize], src[:blockSize]) {
+		panic("crypto/des: invalid buffer overlap")
+	}
+
+	var outLength C.size_t
+	status := C.CCCrypt(
+		C.kCCDecrypt,
+		C.CCAlgorithm(c.kind),
+		C.kCCOptionECBMode,
+		pbase(c.key),
+		C.size_t(len(c.key)),
+		nil,
+		pbase(src[:blockSize]),
+		C.size_t(blockSize),
+		pbase(dst[:blockSize]),
+		C.size_t(blockSize),
+		&outLength,
+	)
+	if status != C.kCCSuccess {
+		panic("crypto/des: decryption failed")
+	}
+}
+
+// CBC mode encrypter
+func (c *desCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
+	return newCBC(C.kCCEncrypt, c.kind, c.key, iv)
+}
+
+// CBC mode decrypter
+func (c *desCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode {
+	return newCBC(C.kCCDecrypt, c.kind, c.key, iv)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ec.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ec.go
new file mode 100644
index 00000000000000..e57bde33af4c98
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ec.go
@@ -0,0 +1,32 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+func curveToKeySizeInBits(curve string) int {
+	switch curve {
+	case "P-256":
+		return 256
+	case "P-384":
+		return 384
+	case "P-521":
+		return 521
+	default:
+		return 0
+	}
+}
+
+func curveToKeySizeInBytes(curve string) int {
+	switch curve {
+	case "P-256":
+		return (256 + 7) / 8
+	case "P-384":
+		return (384 + 7) / 8
+	case "P-521":
+		return (521 + 7) / 8
+	default:
+		return 0
+	}
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ecdh.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ecdh.go
new file mode 100644
index 00000000000000..3bdd3937670285
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ecdh.go
@@ -0,0 +1,135 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <Security/Security.h>
+import "C"
+import (
+	"errors"
+	"runtime"
+	"slices"
+)
+
+type PublicKeyECDH struct {
+	_pkey C.SecKeyRef
+	bytes []byte
+}
+
+func (k *PublicKeyECDH) finalize() {
+	if k._pkey != 0 {
+		C.CFRelease(C.CFTypeRef(k._pkey))
+	}
+}
+
+type PrivateKeyECDH struct {
+	_pkey C.SecKeyRef
+	pub   []byte
+}
+
+func (k *PrivateKeyECDH) finalize() {
+	if k._pkey != 0 {
+		C.CFRelease(C.CFTypeRef(k._pkey))
+	}
+}
+
+func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
+	if len(bytes) < 1 {
+		return nil, errors.New("NewPublicKeyECDH: missing key")
+	}
+	pubKeyRef, err := createSecKeyWithData(bytes, C.kSecAttrKeyTypeECSECPrimeRandom, C.kSecAttrKeyClassPublic)
+	if err != nil {
+		return nil, err
+	}
+	pubKey := &PublicKeyECDH{pubKeyRef, slices.Clone(bytes)}
+	runtime.SetFinalizer(pubKey, (*PublicKeyECDH).finalize)
+	return pubKey, nil
+}
+
+func (k *PublicKeyECDH) Bytes() []byte { return k.bytes }
+
+// bytes expects the public key to be in uncompressed ANSI X9.63 format
+func NewPrivateKeyECDH(curve string, pub, priv []byte) (*PrivateKeyECDH, error) {
+	key := append(slices.Clone(pub), priv...)
+	privKeyRef, err := createSecKeyWithData(key, C.kSecAttrKeyTypeECSECPrimeRandom, C.kSecAttrKeyClassPrivate)
+	if err != nil {
+		return nil, err
+	}
+	privKey := &PrivateKeyECDH{privKeyRef, pub}
+	runtime.SetFinalizer(privKey, (*PrivateKeyECDH).finalize)
+	return privKey, nil
+}
+
+func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
+	defer runtime.KeepAlive(k)
+	pubKeyRef := C.SecKeyCopyPublicKey(k._pkey)
+	if pubKeyRef == 0 {
+		return nil, errors.New("failed to extract public key")
+	}
+	pubKey := &PublicKeyECDH{pubKeyRef, k.pub}
+	runtime.SetFinalizer(pubKey, (*PublicKeyECDH).finalize)
+	return pubKey, nil
+}
+
+func ECDH(priv *PrivateKeyECDH, pub *PublicKeyECDH) ([]byte, error) {
+	defer runtime.KeepAlive(priv)
+	defer runtime.KeepAlive(pub)
+
+	var algorithm C.CFStringRef = C.kSecKeyAlgorithmECDHKeyExchangeStandard
+
+	supported := C.SecKeyIsAlgorithmSupported(priv._pkey, C.kSecKeyOperationTypeKeyExchange, algorithm)
+	if supported == 0 {
+		return nil, errors.New("ECDH algorithm not supported for the given private key")
+	}
+
+	var cfErr C.CFErrorRef
+	// Perform the key exchange
+	sharedSecretRef := C.SecKeyCopyKeyExchangeResult(
+		priv._pkey,
+		algorithm,
+		pub._pkey,
+		C.CFDictionaryRef(0),
+		&cfErr,
+	)
+	if err := goCFErrorRef(cfErr); err != nil {
+		return nil, err
+	}
+	defer C.CFRelease(C.CFTypeRef(sharedSecretRef))
+
+	sharedSecret := cfDataToBytes(sharedSecretRef)
+	return sharedSecret, nil
+}
+
+func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {
+	keySize := curveToKeySizeInBytes(curve)
+	if keySize == 0 {
+		return nil, nil, errors.New("unsupported curve")
+	}
+	keySizeInBits := curveToKeySizeInBits(curve)
+	// Generate the private key and get its DER representation
+	privKeyDER, privKeyRef, err := createSecKeyRandom(C.kSecAttrKeyTypeECSECPrimeRandom, keySizeInBits)
+	if err != nil {
+		return nil, nil, err
+	}
+	pub, priv, err := extractECDHComponents(privKeyDER, keySize)
+	if err != nil {
+		C.CFRelease(C.CFTypeRef(privKeyRef))
+		return nil, nil, err
+	}
+	k := &PrivateKeyECDH{privKeyRef, pub}
+	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
+	return k, priv, nil
+}
+
+func extractECDHComponents(der []byte, keySize int) (pub, priv []byte, err error) {
+	// The private component is the last of the three equally-sized chunks
+	// for the elliptic curve private key.
+	if len(der) != 1+keySize*3 {
+		return nil, nil, errors.New("invalid key length: insufficient data for private component")
+	}
+	pub = der[:1+keySize*2]
+	priv = der[1+keySize*2:]
+	return
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ecdsa.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ecdsa.go
new file mode 100644
index 00000000000000..fb0e207a89ff67
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ecdsa.go
@@ -0,0 +1,181 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <Security/Security.h>
+import "C"
+import (
+	"errors"
+	"runtime"
+)
+
+type PrivateKeyECDSA struct {
+	_pkey C.SecKeyRef
+}
+
+func (k *PrivateKeyECDSA) finalize() {
+	if k._pkey != 0 {
+		C.CFRelease(C.CFTypeRef(k._pkey))
+	}
+}
+
+func (k *PrivateKeyECDSA) withKey(f func(C.SecKeyRef) C.int) C.int {
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+type PublicKeyECDSA struct {
+	_pkey C.SecKeyRef
+}
+
+func (k *PublicKeyECDSA) finalize() {
+	if k._pkey != 0 {
+		C.CFRelease(C.CFTypeRef(k._pkey))
+	}
+}
+
+func (k *PublicKeyECDSA) withKey(f func(C.SecKeyRef) C.int) C.int {
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+func NewPublicKeyECDSA(curve string, x, y BigInt) (*PublicKeyECDSA, error) {
+	keySize := curveToKeySizeInBytes(curve)
+	if keySize == 0 {
+		return nil, errors.New("unsupported curve")
+	}
+	encodedKey, err := encodeToUncompressedAnsiX963Key(x, y, nil, keySize)
+	if err != nil {
+		return nil, errors.New("failed to encode public key to uncompressed ANSI X9.63 format")
+	}
+
+	pubKeyRef, err := createSecKeyWithData(encodedKey, C.kSecAttrKeyTypeECSECPrimeRandom, C.kSecAttrKeyClassPublic)
+	if err != nil {
+		return nil, err
+	}
+
+	pubKey := &PublicKeyECDSA{_pkey: pubKeyRef}
+	runtime.SetFinalizer(pubKey, (*PublicKeyECDSA).finalize)
+	return pubKey, nil
+}
+
+// NewPrivateKeyECDSA creates a new ECDSA private key using the provided curve name and parameters (x, y, d).
+func NewPrivateKeyECDSA(curve string, x, y, d BigInt) (*PrivateKeyECDSA, error) {
+	keySize := curveToKeySizeInBytes(curve)
+	if keySize == 0 {
+		return nil, errors.New("unsupported curve")
+	}
+	encodedKey, err := encodeToUncompressedAnsiX963Key(x, y, d, keySize)
+	if err != nil {
+		return nil, errors.New("crypto/ecdsa: failed to encode private key: " + err.Error())
+	}
+
+	privKeyRef, err := createSecKeyWithData(encodedKey, C.kSecAttrKeyTypeECSECPrimeRandom, C.kSecAttrKeyClassPrivate)
+	if err != nil {
+		return nil, err
+	}
+
+	// Wrap and finalize
+	k := &PrivateKeyECDSA{_pkey: privKeyRef}
+	runtime.SetFinalizer(k, (*PrivateKeyECDSA).finalize)
+	return k, nil
+}
+
+func GenerateKeyECDSA(curve string) (x, y, d BigInt, err error) {
+	keySize := curveToKeySizeInBytes(curve)
+	if keySize == 0 {
+		return nil, nil, nil, errors.New("unsupported curve")
+	}
+
+	keySizeInBits := curveToKeySizeInBits(curve)
+	privKeyDER, privKeyRef, err := createSecKeyRandom(C.kSecAttrKeyTypeECSECPrimeRandom, keySizeInBits)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	defer C.CFRelease(C.CFTypeRef(privKeyRef))
+	return decodeFromUncompressedAnsiX963Key(privKeyDER, keySize)
+}
+
+func SignMarshalECDSA(priv *PrivateKeyECDSA, hashed []byte) ([]byte, error) {
+	return evpSign(priv.withKey, algorithmTypeECDSA, 0, hashed)
+}
+
+func VerifyECDSA(pub *PublicKeyECDSA, hashed []byte, sig []byte) bool {
+	return evpVerify(pub.withKey, algorithmTypeECDSA, 0, hashed, sig) == nil
+}
+
+// encodeToUncompressedAnsiX963Key encodes the given elliptic curve point (x, y) and optional private key (d)
+// into an uncompressed ANSI X9.63 format byte slice.
+func encodeToUncompressedAnsiX963Key(x, y, d BigInt, keySize int) ([]byte, error) {
+	// Build the uncompressed key point (0x04 || x || y { || d })
+	size := 1 + keySize*2
+	if d != nil {
+		size += keySize
+	}
+	out := make([]byte, size)
+	out[0] = 0x04
+	err := encodeBigInt(out[1:], []sizedBigInt{
+		{x, keySize}, {y, keySize},
+		{d, keySize},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// decodeFromUncompressedAnsiX963Key decodes the given uncompressed ANSI X9.63 format byte slice into
+// the elliptic curve point (x, y) and optional private key (d).
+func decodeFromUncompressedAnsiX963Key(key []byte, keySize int) (x, y, d BigInt, err error) {
+	if len(key) < 1 || key[0] != 0x04 {
+		return nil, nil, nil, errors.New("invalid uncompressed key format")
+	}
+	if len(key) < 1+keySize*2 {
+		return nil, nil, nil, errors.New("invalid key length")
+	}
+	x = normalizeBigInt(key[1 : 1+keySize])
+	y = normalizeBigInt(key[1+keySize : 1+keySize*2])
+	if len(key) > 1+keySize*2 {
+		d = normalizeBigInt(key[1+keySize*2:])
+		return x, y, d, nil
+	}
+	return x, y, nil, nil
+}
+
+func normalizeBigInt(b []byte) BigInt {
+	// Remove leading zero bytes
+	for len(b) > 0 && b[0] == 0 {
+		b = b[1:]
+	}
+	return b
+}
+
+// sizedBigInt defines a big integer with
+// a size that can be different from the
+// one provided by len(b).
+type sizedBigInt struct {
+	b    BigInt
+	size int
+}
+
+// encodeBigInt encodes ints into data.
+// It stops iterating over ints when it finds one nil element.
+func encodeBigInt(data []byte, ints []sizedBigInt) error {
+	for _, v := range ints {
+		if v.b == nil {
+			return nil
+		}
+		normalized := normalizeBigInt(v.b)
+		// b might be shorter than size if the original big number contained leading zeros.
+		leadingZeros := int(v.size) - len(normalized)
+		if leadingZeros < 0 {
+			return errors.New("commoncrypto: invalid parameters")
+		}
+		copy(data[leadingZeros:], normalized)
+		data = data[v.size:]
+	}
+	return nil
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ed25519.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ed25519.go
new file mode 100644
index 00000000000000..f59e6f9af58cd4
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/ed25519.go
@@ -0,0 +1,100 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin && cgo
+
+package xcrypto
+
+import (
+	"strconv"
+
+	"github.com/microsoft/go-crypto-darwin/internal/cryptokit"
+)
+
+const (
+	// publicKeySizeEd25519 is the size, in bytes, of public keys as used in crypto/ed25519.
+	publicKeySizeEd25519 = 32
+	// privateKeySizeEd25519 is the size, in bytes, of private keys as used in crypto/ed25519.
+	privateKeySizeEd25519 = 64
+	// signatureSizeEd25519 is the size, in bytes, of signatures generated and verified by crypto/ed25519.
+	signatureSizeEd25519 = 64
+	// seedSizeEd25519 is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032.
+	seedSizeEd25519 = 32
+)
+
+// PublicKeyEd25519 represents an Ed25519 public key.
+type PublicKeyEd25519 []byte
+
+// PrivateKeyEd25519 represents an Ed25519 private key.
+type PrivateKeyEd25519 []byte
+
+func (k PrivateKeyEd25519) Public() PublicKeyEd25519 {
+	publicKey := make([]byte, publicKeySizeEd25519)
+	copy(publicKey, k[seedSizeEd25519:])
+	return PublicKeyEd25519(publicKey)
+}
+
+// GenerateKeyEd25519 generates a new Ed25519 private key.
+func GenerateKeyEd25519() PrivateKeyEd25519 {
+	pkeyPriv := make([]byte, privateKeySizeEd25519)
+	cryptokit.GenerateKeyEd25519(pkeyPriv)
+	return pkeyPriv
+}
+
+func NewPrivateKeyEd25519(priv []byte) (PrivateKeyEd25519, error) {
+	if len(priv) != privateKeySizeEd25519 {
+		panic("ed25519: bad private key length: " + strconv.Itoa(len(priv)))
+	}
+	return NewPrivateKeyEd25519FromSeed(priv[:seedSizeEd25519])
+}
+
+func (k PrivateKeyEd25519) Bytes() ([]byte, error) {
+	return k, nil
+}
+
+func NewPublicKeyEd25519(pub []byte) (PublicKeyEd25519, error) {
+	if len(pub) != publicKeySizeEd25519 {
+		panic("ed25519: bad public key length: " + strconv.Itoa(len(pub)))
+	}
+	pkey := make([]byte, publicKeySizeEd25519)
+	err := cryptokit.NewPublicKeyEd25519(pkey, pub)
+	if err != nil {
+		return nil, err
+	}
+	return pkey, nil
+}
+
+func (k PublicKeyEd25519) Bytes() ([]byte, error) {
+	return k, nil
+}
+
+// NewPrivateKeyEd25519FromSeed calculates a private key from a seed. It will panic if
+// len(seed) is not [SeedSize]. RFC 8032's private keys correspond to seeds in this
+// package.
+// NewPrivateKeyEd25519FromSeed creates an Ed25519 private key from a seed.
+func NewPrivateKeyEd25519FromSeed(seed []byte) (PrivateKeyEd25519, error) {
+	if len(seed) != seedSizeEd25519 {
+		panic("ed25519: bad seed length: " + strconv.Itoa(len(seed)))
+	}
+	pkey := make([]byte, privateKeySizeEd25519)
+	err := cryptokit.NewPrivateKeyEd25519FromSeed(pkey, seed)
+	if err != nil {
+		return nil, err
+	}
+	return pkey, nil
+}
+
+// SignEd25519 signs the message with priv and returns a signature.
+func SignEd25519(priv PrivateKeyEd25519, message []byte) ([]byte, error) {
+	sig := make([]byte, signatureSizeEd25519)
+	err := cryptokit.SignEd25519(sig, priv, message)
+	if err != nil {
+		return nil, err
+	}
+	return sig, nil
+}
+
+// VerifyEd25519 reports whether sig is a valid signature of message by pub.
+func VerifyEd25519(pub PublicKeyEd25519, message, sig []byte) error {
+	return cryptokit.VerifyEd25519(pub, message, sig)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/evp.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/evp.go
new file mode 100644
index 00000000000000..fcdce4c49b6723
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/evp.go
@@ -0,0 +1,338 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <Security/Security.h>
+import "C"
+import (
+	"crypto"
+	"errors"
+	"hash"
+	"unsafe"
+)
+
+type algorithmType int
+
+const (
+	algorithmTypePSS algorithmType = iota
+	algorithmTypeRAW
+	algorithmTypePKCS1v15Enc
+	algorithmTypePKCS1v15Sig
+	algorithmTypeOAEP
+	algorithmTypeECDSA
+)
+
+// Algorithm maps for translating crypto.Hash to SecKeyAlgorithm.
+var (
+	rsaRaw = map[crypto.Hash]C.CFStringRef{
+		0: C.kSecKeyAlgorithmRSAEncryptionRaw,
+	}
+	rsaPKCS1v15Algorithms = map[crypto.Hash]C.CFStringRef{
+		crypto.SHA1:   C.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1,
+		crypto.SHA224: C.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA224,
+		crypto.SHA256: C.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256,
+		crypto.SHA384: C.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA384,
+		crypto.SHA512: C.kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512,
+		0:             C.kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw,
+	}
+	rsaPSSAlgorithms = map[crypto.Hash]C.CFStringRef{
+		crypto.SHA1:   C.kSecKeyAlgorithmRSASignatureDigestPSSSHA1,
+		crypto.SHA224: C.kSecKeyAlgorithmRSASignatureDigestPSSSHA224,
+		crypto.SHA256: C.kSecKeyAlgorithmRSASignatureDigestPSSSHA256,
+		crypto.SHA384: C.kSecKeyAlgorithmRSASignatureDigestPSSSHA384,
+		crypto.SHA512: C.kSecKeyAlgorithmRSASignatureDigestPSSSHA512,
+	}
+	rsaOAEPAlgorithms = map[crypto.Hash]C.CFStringRef{
+		crypto.SHA1:   C.kSecKeyAlgorithmRSAEncryptionOAEPSHA1,
+		crypto.SHA224: C.kSecKeyAlgorithmRSAEncryptionOAEPSHA224,
+		crypto.SHA256: C.kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
+		crypto.SHA384: C.kSecKeyAlgorithmRSAEncryptionOAEPSHA384,
+		crypto.SHA512: C.kSecKeyAlgorithmRSAEncryptionOAEPSHA512,
+	}
+)
+
+type withKeyFunc func(func(C.SecKeyRef) C.int) C.int
+
+// Encrypt encrypts a plaintext message using a given key and algorithm.
+func evpEncrypt(withKey withKeyFunc, algorithmType algorithmType, plaintext []byte, hash hash.Hash) ([]byte, error) {
+	var cryptoHash crypto.Hash
+	if hash != nil {
+		var err error
+		cryptoHash, err = hashToCryptoHash(hash)
+		if err != nil {
+			return nil, err
+		}
+	}
+	algorithm, err := selectAlgorithm(cryptoHash, algorithmType)
+	if err != nil {
+		return nil, err
+	}
+
+	dataRef := bytesToCFData(plaintext)
+	defer cfRelease(unsafe.Pointer(dataRef))
+
+	var encryptedDataRef C.CFDataRef
+	result := withKey(func(key C.SecKeyRef) C.int {
+		if C.SecKeyIsAlgorithmSupported(key, C.kSecKeyOperationTypeEncrypt, algorithm) != 1 {
+			return -1 // Algorithm not supported by the key
+		}
+		encryptedDataRef = C.SecKeyCreateEncryptedData(key, algorithm, dataRef, nil)
+		if encryptedDataRef == 0 {
+			return -1 // Encryption failed
+		}
+		return 0
+	})
+	if result != 0 {
+		return nil, errors.New("encryption failed")
+	}
+	defer cfRelease(unsafe.Pointer(encryptedDataRef))
+
+	return cfDataToBytes(encryptedDataRef), nil
+}
+
+// Decrypt decrypts a ciphertext using a given key and algorithm.
+func evpDecrypt(withKey withKeyFunc, algorithmType algorithmType, ciphertext []byte, hash hash.Hash) ([]byte, error) {
+	var cryptoHash crypto.Hash
+	if hash != nil {
+		var err error
+		cryptoHash, err = hashToCryptoHash(hash)
+		if err != nil {
+			return nil, err
+		}
+	}
+	algorithm, err := selectAlgorithm(cryptoHash, algorithmType)
+	if err != nil {
+		return nil, err
+	}
+
+	msg := bytesToCFData(ciphertext)
+
+	var decryptedDataRef C.CFDataRef
+	var cfErr C.CFErrorRef
+	result := withKey(func(key C.SecKeyRef) C.int {
+		if C.SecKeyIsAlgorithmSupported(key, C.kSecKeyOperationTypeDecrypt, algorithm) != 1 {
+			return -1 // Algorithm not supported by the key
+		}
+		decryptedDataRef = C.SecKeyCreateDecryptedData(key, algorithm, msg, &cfErr)
+		if decryptedDataRef == 0 {
+			return -1 // Decryption failed
+		}
+		return 0 // Success
+	})
+
+	if err := goCFErrorRef(cfErr); err != nil {
+		return nil, err
+	}
+
+	if result != 0 || decryptedDataRef == 0 {
+		return nil, errors.New("decryption failed")
+	}
+	defer cfRelease(unsafe.Pointer(decryptedDataRef))
+
+	return cfDataToBytes(decryptedDataRef), nil
+}
+
+func evpSign(withKey withKeyFunc, algorithmType algorithmType, hash crypto.Hash, hashed []byte) ([]byte, error) {
+	algorithm, err := selectAlgorithm(hash, algorithmType)
+	if err != nil {
+		return nil, err
+	}
+
+	var signedDataRef C.CFDataRef
+	var cfErr C.CFErrorRef
+	result := withKey(func(key C.SecKeyRef) C.int {
+		if C.SecKeyIsAlgorithmSupported(key, C.kSecKeyOperationTypeSign, algorithm) != 1 {
+			return -1 // Algorithm not supported by the key
+		}
+		signedDataRef = C.SecKeyCreateSignature(key, algorithm, bytesToCFData(hashed), &cfErr)
+		if signedDataRef == 0 {
+			return -1 // Signing failed
+		}
+		return 0 // Success
+	})
+
+	if err := goCFErrorRef(cfErr); err != nil {
+		return nil, err
+	}
+
+	if result != 0 || signedDataRef == 0 {
+		return nil, errors.New("signing failed")
+	}
+	defer cfRelease(unsafe.Pointer(signedDataRef))
+
+	return cfDataToBytes(signedDataRef), nil
+}
+
+func evpVerify(withKey withKeyFunc, algorithmType algorithmType, hash crypto.Hash, hashed, signature []byte) error {
+	algorithm, err := selectAlgorithm(hash, algorithmType)
+	if err != nil {
+		return err
+	}
+
+	var cfErr C.CFErrorRef
+	result := withKey(func(key C.SecKeyRef) C.int {
+		if C.SecKeyIsAlgorithmSupported(key, C.kSecKeyOperationTypeVerify, algorithm) != 1 {
+			return -1 // Algorithm not supported by the key
+		}
+		if C.SecKeyVerifySignature(key, algorithm, bytesToCFData(hashed), bytesToCFData(signature), &cfErr) != 1 {
+			return -1 // Verification failed
+		}
+		return 0 // Success
+	})
+
+	if err := goCFErrorRef(cfErr); err != nil {
+		return err
+	}
+
+	if result != 0 {
+		return errors.New("verification failed")
+	}
+	return nil
+}
+
+// hashToCryptoHash converts a hash.Hash to a crypto.Hash.
+func hashToCryptoHash(hash hash.Hash) (crypto.Hash, error) {
+	switch hash.(type) {
+	case *sha1Hash:
+		return crypto.SHA1, nil
+	case *sha224Hash:
+		return crypto.SHA224, nil
+	case *sha256Hash:
+		return crypto.SHA256, nil
+	case *sha384Hash:
+		return crypto.SHA384, nil
+	case *sha512Hash:
+		return crypto.SHA512, nil
+	default:
+		return 0, errors.New("unsupported hash function")
+	}
+}
+
+// selectAlgorithm selects the appropriate SecKeyAlgorithm based on hash and algorithm type.
+func selectAlgorithm(hash crypto.Hash, algorithmType algorithmType) (C.CFStringRef, error) {
+	var algorithmMap map[crypto.Hash]C.CFStringRef
+	switch algorithmType {
+	case algorithmTypePSS:
+		algorithmMap = rsaPSSAlgorithms
+	case algorithmTypeRAW:
+		algorithmMap = rsaRaw
+	case algorithmTypePKCS1v15Enc:
+		return C.kSecKeyAlgorithmRSAEncryptionPKCS1, nil
+	case algorithmTypePKCS1v15Sig:
+		algorithmMap = rsaPKCS1v15Algorithms
+	case algorithmTypeOAEP:
+		algorithmMap = rsaOAEPAlgorithms
+	case algorithmTypeECDSA:
+		return C.kSecKeyAlgorithmECDSASignatureDigestX962, nil
+	default:
+		return 0, errors.New("unsupported algorithm type")
+	}
+
+	algorithm, ok := algorithmMap[hash]
+	if !ok {
+		return 0, errors.New("unsupported combination of algorithm type and hash")
+	}
+
+	return algorithm, nil
+}
+
+// bytesToCFData turns a byte slice into a CFDataRef. Caller then "owns" the
+// CFDataRef and must CFRelease the CFDataRef when done.
+func bytesToCFData(buf []byte) C.CFDataRef {
+	return C.CFDataCreate(C.kCFAllocatorDefault, base(buf), C.CFIndex(len(buf)))
+}
+
+// cfDataToBytes turns a CFDataRef into a byte slice.
+func cfDataToBytes(cfData C.CFDataRef) []byte {
+	return C.GoBytes(unsafe.Pointer(C.CFDataGetBytePtr(cfData)), C.int(C.CFDataGetLength(cfData)))
+}
+
+// cfRelease releases a CoreFoundation object.
+func cfRelease(ref unsafe.Pointer) {
+	C.CFRelease(C.CFTypeRef(ref))
+}
+
+// createSecKeyWithData creates a SecKey from the provided encoded key and attributes dictionary.
+func createSecKeyWithData(encodedKey []byte, keyType, keyClass C.CFStringRef) (C.SecKeyRef, error) {
+	encodedKeyCF := C.CFDataCreate(C.kCFAllocatorDefault, base(encodedKey), C.CFIndex(len(encodedKey)))
+	if encodedKeyCF == 0 {
+		return 0, errors.New("xcrypto: failed to create CFData for private key")
+	}
+	defer C.CFRelease(C.CFTypeRef(encodedKeyCF))
+
+	attrKeys := []C.CFTypeRef{
+		C.CFTypeRef(C.kSecAttrKeyType),
+		C.CFTypeRef(C.kSecAttrKeyClass),
+	}
+
+	attrValues := []C.CFTypeRef{
+		C.CFTypeRef(keyType),
+		C.CFTypeRef(keyClass),
+	}
+
+	// Create attributes dictionary for the key
+	attrDict := C.CFDictionaryCreate(
+		C.kCFAllocatorDefault,
+		(*unsafe.Pointer)(unsafe.Pointer(&attrKeys[0])),
+		(*unsafe.Pointer)(unsafe.Pointer(&attrValues[0])),
+		C.CFIndex(len(attrKeys)),
+		nil,
+		nil,
+	)
+	if attrDict == 0 {
+		return 0, errors.New("xcrypto: failed to create attributes dictionary")
+	}
+	defer C.CFRelease(C.CFTypeRef(attrDict))
+
+	// Generate the SecKey
+	var errorRef C.CFErrorRef
+	key := C.SecKeyCreateWithData(encodedKeyCF, attrDict, &errorRef)
+	if err := goCFErrorRef(errorRef); err != nil {
+		return 0, err
+	}
+	return key, nil
+}
+
+// createSecKeyRandom creates a new SecKey with the provided attributes dictionary.
+func createSecKeyRandom(keyType C.CFStringRef, keySize int) ([]byte, C.SecKeyRef, error) {
+	keyAttrs := C.CFDictionaryCreateMutable(C.kCFAllocatorDefault, 0, nil, nil)
+	if keyAttrs == 0 {
+		return nil, 0, errors.New("failed to create key attributes dictionary")
+	}
+	defer C.CFRelease(C.CFTypeRef(keyAttrs))
+
+	C.CFDictionarySetValue(
+		keyAttrs,
+		unsafe.Pointer(C.kSecAttrKeyType),
+		unsafe.Pointer(keyType),
+	)
+
+	C.CFDictionarySetValue(
+		keyAttrs,
+		unsafe.Pointer(C.kSecAttrKeySizeInBits),
+		unsafe.Pointer(C.CFNumberCreate(C.kCFAllocatorDefault, C.kCFNumberIntType, unsafe.Pointer(&keySize))),
+	)
+
+	// Generate the private key
+	var errorRef C.CFErrorRef
+	var privKeyRef C.SecKeyRef = C.SecKeyCreateRandomKey(C.CFDictionaryRef(keyAttrs), &errorRef)
+	if err := goCFErrorRef(errorRef); err != nil {
+		return nil, 0, err
+	}
+
+	// Export the private key as DER
+	privData := C.SecKeyCopyExternalRepresentation(privKeyRef, &errorRef)
+	if err := goCFErrorRef(errorRef); err != nil {
+		return nil, 0, err
+	}
+	defer C.CFRelease(C.CFTypeRef(privData))
+
+	privKeyDER := cfDataToBytes(privData)
+	if privKeyDER == nil {
+		return nil, 0, errors.New("failed to convert CFData to bytes")
+	}
+	return privKeyDER, privKeyRef, nil
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go
new file mode 100644
index 00000000000000..94442fde5def16
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hash.go
@@ -0,0 +1,403 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <CommonCrypto/CommonCrypto.h>
+import "C"
+import (
+	"crypto"
+	"errors"
+	"hash"
+	"runtime"
+	"unsafe"
+)
+
+// NOTE: Implementation ported from https://go-review.googlesource.com/c/go/+/404295.
+// The cgo calls in this file are arranged to avoid marking the parameters as escaping.
+// To do that, we call noescape (including via addr).
+// We must also make sure that the data pointer arguments have the form unsafe.Pointer(&...)
+// so that cgo does not annotate them with cgoCheckPointer calls. If it did that, it might look
+// beyond the byte slice and find Go pointers in unprocessed parts of a larger allocation.
+// To do both of these simultaneously, the idiom is unsafe.Pointer(&*addr(p)),
+// where addr returns the base pointer of p, substituting a non-nil pointer for nil,
+// and applying a noescape along the way.
+// This is all to preserve compatibility with the allocation behavior of the non-commoncrypto implementations.
+
+// SupportsHash returns true if a hash.Hash implementation is supported for h.
+func SupportsHash(h crypto.Hash) bool {
+	switch h {
+	case crypto.MD4, crypto.MD5, crypto.SHA1, crypto.SHA224, crypto.SHA256, crypto.SHA384, crypto.SHA512:
+		return true
+	default:
+		return false
+	}
+}
+
+func MD4(p []byte) (sum [16]byte) {
+	result := C.CC_MD4(unsafe.Pointer(&*addr(p)), C.CC_LONG(len(p)), (*C.uchar)(&*addr(sum[:])))
+	if result == nil {
+		panic("commoncrypto: MD4 failed")
+	}
+	return
+}
+
+func MD5(p []byte) (sum [16]byte) {
+	result := C.CC_MD5(unsafe.Pointer(&*addr(p)), C.CC_LONG(len(p)), (*C.uchar)(&*addr(sum[:])))
+	if result == nil {
+		panic("commoncrypto: MD5 failed")
+	}
+	return
+}
+
+func SHA1(p []byte) (sum [20]byte) {
+	result := C.CC_SHA1(unsafe.Pointer(&*addr(p)), C.CC_LONG(len(p)), (*C.uchar)(&*addr(sum[:])))
+	if result == nil {
+		panic("commoncrypto: SHA1 failed")
+	}
+	return
+}
+
+func SHA224(p []byte) (sum [28]byte) {
+	result := C.CC_SHA224(unsafe.Pointer(&*addr(p)), C.CC_LONG(len(p)), (*C.uchar)(&*addr(sum[:])))
+	if result == nil {
+		panic("commoncrypto: SHA224 failed")
+	}
+	return
+}
+
+func SHA256(p []byte) (sum [32]byte) {
+	result := C.CC_SHA256(unsafe.Pointer(&*addr(p)), C.CC_LONG(len(p)), (*C.uchar)(&*addr(sum[:])))
+	if result == nil {
+		panic("commoncrypto: SHA256 failed")
+	}
+	return
+}
+
+func SHA384(p []byte) (sum [48]byte) {
+	result := C.CC_SHA384(unsafe.Pointer(&*addr(p)), C.CC_LONG(len(p)), (*C.uchar)(&*addr(sum[:])))
+	if result == nil {
+		panic("commoncrypto: SHA384 failed")
+	}
+	return
+}
+
+func SHA512(p []byte) (sum [64]byte) {
+	result := C.CC_SHA512(unsafe.Pointer(&*addr(p)), C.CC_LONG(len(p)), (*C.uchar)(&*addr(sum[:])))
+	if result == nil {
+		panic("commoncrypto: SHA512 failed")
+	}
+	return
+}
+
+// cloneHash is an interface that defines a Clone method.
+//
+// hash.CloneHash will probably be added in Go 1.25, see https://golang.org/issue/69521,
+// but we need it now.
+type cloneHash interface {
+	hash.Hash
+	// Clone returns a separate Hash instance with the same state as h.
+	Clone() hash.Hash
+}
+
+var _ hash.Hash = (*evpHash)(nil)
+var _ cloneHash = (*evpHash)(nil)
+
+// evpHash implements generic hash methods.
+type evpHash struct {
+	ctx unsafe.Pointer
+	// ctx2 is used in evpHash.sum to avoid changing
+	// the state of ctx. Having it here allows reusing the
+	// same allocated object multiple times.
+	ctx2      unsafe.Pointer
+	init      func(ctx unsafe.Pointer) C.int
+	update    func(ctx unsafe.Pointer, data []byte) C.int
+	final     func(ctx unsafe.Pointer, digest []byte) C.int
+	blockSize int
+	size      int
+	ctxSize   int
+}
+
+func newEvpHash(init func(ctx unsafe.Pointer) C.int, update func(ctx unsafe.Pointer, data []byte) C.int, final func(ctx unsafe.Pointer, digest []byte) C.int, ctxSize, blockSize, size int) *evpHash {
+	h := &evpHash{
+		init:      init,
+		update:    update,
+		final:     final,
+		blockSize: blockSize,
+		size:      size,
+		ctxSize:   ctxSize,
+	}
+	runtime.SetFinalizer(h, (*evpHash).finalize)
+	return h
+}
+
+func (h *evpHash) finalize() {
+	if h.ctx != nil {
+		C.free(h.ctx)
+	}
+	if h.ctx2 != nil {
+		C.free(h.ctx2)
+	}
+}
+
+func (h *evpHash) initialize() {
+	if h.ctx == nil {
+		h.ctx = C.malloc(C.size_t(h.ctxSize))
+		h.ctx2 = C.malloc(C.size_t(h.ctxSize))
+		if h.init(h.ctx) != 1 {
+			C.free(h.ctx)
+			C.free(h.ctx2)
+			panic("commoncrypto: initialization failed")
+		}
+	}
+}
+
+func (h *evpHash) Reset() {
+	if h.ctx == nil {
+		// The hash is not initialized yet, no need to reset.
+		return
+	}
+	// There is no need to reset h.ctx2 because it is always reset after
+	// use in evpHash.sum.
+	h.init(h.ctx)
+	runtime.KeepAlive(h)
+}
+
+func (h *evpHash) Write(p []byte) (int, error) {
+	h.initialize()
+	if len(p) > 0 {
+		// Use a local variable to prevent the compiler from misinterpreting the pointer
+		data := p
+		if h.update(h.ctx, data) != 1 {
+			return 0, errors.New("commoncrypto: Update function failed")
+		}
+	}
+	runtime.KeepAlive(h) // Ensure the hash object is not garbage-collected
+	return len(p), nil
+}
+
+func (h *evpHash) WriteString(s string) (int, error) {
+	h.initialize()
+	if len(s) > 0 {
+		data := []byte(s)
+		if h.update(h.ctx, data) != 1 {
+			return 0, errors.New("commoncrypto: Update function failed")
+		}
+	}
+	runtime.KeepAlive(h)
+	return len(s), nil
+}
+
+func (h *evpHash) WriteByte(c byte) error {
+	h.initialize()
+	if h.update(h.ctx, []byte{c}) != 1 {
+		return errors.New("commoncrypto: Update function failed")
+	}
+	runtime.KeepAlive(h)
+	return nil
+}
+func (h *evpHash) Size() int {
+	return h.size
+}
+
+func (h *evpHash) BlockSize() int {
+	return h.blockSize
+}
+
+func (h *evpHash) Sum(b []byte) []byte {
+	h.initialize()
+	digest := make([]byte, h.size)
+	C.memcpy(h.ctx2, h.ctx, C.size_t(h.ctxSize))
+	h.final(h.ctx2, digest)
+	return append(b, digest...)
+}
+
+func (h *evpHash) MarshalBinary() ([]byte, error) {
+	return nil, errors.New("xcrypto: hash state is not marshallable")
+}
+
+func (h *evpHash) AppendBinary(b []byte) ([]byte, error) {
+	return nil, errors.New("xcrypto: hash state is not marshallable")
+}
+
+func (h *evpHash) UnmarshalBinary(data []byte) error {
+	return errors.New("xcrypto: hash state is not marshallable")
+}
+
+// Clone returns a new evpHash object that is a deep clone of itself.
+// The duplicate object contains all state and data contained in the
+// original object at the point of duplication.
+func (h *evpHash) Clone() hash.Hash {
+	h.initialize()
+	cloned := &evpHash{
+		init:      h.init,
+		update:    h.update,
+		final:     h.final,
+		blockSize: h.blockSize,
+		size:      h.size,
+		ctxSize:   h.ctxSize,
+	}
+	cloned.ctx = C.malloc(C.size_t(h.ctxSize))
+	cloned.ctx2 = C.malloc(C.size_t(h.ctxSize))
+	C.memcpy(cloned.ctx, h.ctx, C.size_t(h.ctxSize))
+	C.memcpy(cloned.ctx2, h.ctx2, C.size_t(h.ctxSize))
+	runtime.SetFinalizer(cloned, (*evpHash).finalize)
+	runtime.KeepAlive(h)
+	return cloned
+}
+
+type md4Hash struct {
+	*evpHash
+}
+
+// NewMD4 initializes a new MD4 hasher.
+func NewMD4() hash.Hash {
+	return &md4Hash{
+		evpHash: newEvpHash(
+			func(ctx unsafe.Pointer) C.int { return C.CC_MD4_Init((*C.CC_MD4_CTX)(ctx)) },
+			func(ctx unsafe.Pointer, data []byte) C.int {
+				return C.CC_MD4_Update((*C.CC_MD4_CTX)(ctx), unsafe.Pointer(&*addr(data)), C.CC_LONG(len(data)))
+			},
+			func(ctx unsafe.Pointer, digest []byte) C.int {
+				return C.CC_MD4_Final(base(digest), (*C.CC_MD4_CTX)(ctx))
+			},
+			C.sizeof_CC_MD4_CTX,
+			C.CC_MD4_BLOCK_BYTES,
+			C.CC_MD4_DIGEST_LENGTH,
+		),
+	}
+}
+
+type md5Hash struct {
+	*evpHash
+}
+
+// NewMD5 initializes a new MD5 hasher.
+func NewMD5() hash.Hash {
+	return &md5Hash{
+		evpHash: newEvpHash(
+			func(ctx unsafe.Pointer) C.int { return C.CC_MD5_Init((*C.CC_MD5_CTX)(ctx)) },
+			func(ctx unsafe.Pointer, data []byte) C.int {
+				return C.CC_MD5_Update((*C.CC_MD5_CTX)(ctx), unsafe.Pointer(&*addr(data)), C.CC_LONG(len(data)))
+			},
+			func(ctx unsafe.Pointer, digest []byte) C.int {
+				return C.CC_MD5_Final(base(digest), (*C.CC_MD5_CTX)(ctx))
+			},
+			C.sizeof_CC_MD5_CTX,
+			C.CC_MD5_BLOCK_BYTES,
+			C.CC_MD5_DIGEST_LENGTH,
+		),
+	}
+}
+
+type sha1Hash struct {
+	*evpHash
+}
+
+// NewSHA1 initializes a new SHA1 hasher.
+func NewSHA1() hash.Hash {
+	return &sha1Hash{
+		evpHash: newEvpHash(
+			func(ctx unsafe.Pointer) C.int { return C.CC_SHA1_Init((*C.CC_SHA1_CTX)(ctx)) },
+			func(ctx unsafe.Pointer, data []byte) C.int {
+				return C.CC_SHA1_Update((*C.CC_SHA1_CTX)(ctx), unsafe.Pointer(&*addr(data)), C.CC_LONG(len(data)))
+			},
+			func(ctx unsafe.Pointer, digest []byte) C.int {
+				return C.CC_SHA1_Final(base(digest), (*C.CC_SHA1_CTX)(ctx))
+			},
+			C.sizeof_CC_SHA1_CTX,
+			C.CC_SHA1_BLOCK_BYTES,
+			C.CC_SHA1_DIGEST_LENGTH,
+		),
+	}
+}
+
+type sha224Hash struct {
+	*evpHash
+}
+
+// NewSHA224 initializes a new SHA224 hasher.
+func NewSHA224() hash.Hash {
+	return &sha224Hash{
+		evpHash: newEvpHash(
+			func(ctx unsafe.Pointer) C.int { return C.CC_SHA224_Init((*C.CC_SHA256_CTX)(ctx)) },
+			func(ctx unsafe.Pointer, data []byte) C.int {
+				return C.CC_SHA224_Update((*C.CC_SHA256_CTX)(ctx), unsafe.Pointer(&*addr(data)), C.CC_LONG(len(data)))
+			},
+			func(ctx unsafe.Pointer, digest []byte) C.int {
+				return C.CC_SHA224_Final(base(digest), (*C.CC_SHA256_CTX)(ctx))
+			},
+			C.sizeof_CC_SHA256_CTX,
+			C.CC_SHA224_BLOCK_BYTES,
+			C.CC_SHA224_DIGEST_LENGTH,
+		),
+	}
+}
+
+type sha256Hash struct {
+	*evpHash
+}
+
+// NewSHA256 initializes a new SHA256 hasher.
+func NewSHA256() hash.Hash {
+	return &sha256Hash{
+		evpHash: newEvpHash(
+			func(ctx unsafe.Pointer) C.int { return C.CC_SHA256_Init((*C.CC_SHA256_CTX)(ctx)) },
+			func(ctx unsafe.Pointer, data []byte) C.int {
+				return C.CC_SHA256_Update((*C.CC_SHA256_CTX)(ctx), unsafe.Pointer(&*addr(data)), C.CC_LONG(len(data)))
+			},
+			func(ctx unsafe.Pointer, digest []byte) C.int {
+				return C.CC_SHA256_Final(base(digest), (*C.CC_SHA256_CTX)(ctx))
+			},
+			C.sizeof_CC_SHA256_CTX,
+			C.CC_SHA256_BLOCK_BYTES,
+			C.CC_SHA256_DIGEST_LENGTH,
+		),
+	}
+}
+
+type sha384Hash struct {
+	*evpHash
+}
+
+// NewSHA384 initializes a new SHA384 hasher.
+func NewSHA384() hash.Hash {
+	return &sha384Hash{
+		evpHash: newEvpHash(
+			func(ctx unsafe.Pointer) C.int { return C.CC_SHA384_Init((*C.CC_SHA512_CTX)(ctx)) },
+			func(ctx unsafe.Pointer, data []byte) C.int {
+				return C.CC_SHA384_Update((*C.CC_SHA512_CTX)(ctx), unsafe.Pointer(&*addr(data)), C.CC_LONG(len(data)))
+			},
+			func(ctx unsafe.Pointer, digest []byte) C.int {
+				return C.CC_SHA384_Final(base(digest), (*C.CC_SHA512_CTX)(ctx))
+			},
+			C.sizeof_CC_SHA512_CTX,
+			C.CC_SHA384_BLOCK_BYTES,
+			C.CC_SHA384_DIGEST_LENGTH,
+		),
+	}
+}
+
+type sha512Hash struct {
+	*evpHash
+}
+
+// NewSHA512 initializes a new SHA512 hasher.
+func NewSHA512() hash.Hash {
+	return &sha512Hash{
+		evpHash: newEvpHash(
+			func(ctx unsafe.Pointer) C.int { return C.CC_SHA512_Init((*C.CC_SHA512_CTX)(ctx)) },
+			func(ctx unsafe.Pointer, data []byte) C.int {
+				return C.CC_SHA512_Update((*C.CC_SHA512_CTX)(ctx), unsafe.Pointer(&*addr(data)), C.CC_LONG(len(data)))
+			},
+			func(ctx unsafe.Pointer, digest []byte) C.int {
+				return C.CC_SHA512_Final(base(digest), (*C.CC_SHA512_CTX)(ctx))
+			},
+			C.sizeof_CC_SHA512_CTX,
+			C.CC_SHA512_BLOCK_BYTES,
+			C.CC_SHA512_DIGEST_LENGTH,
+		),
+	}
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hkdf.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hkdf.go
new file mode 100644
index 00000000000000..3cc2d5d31927e0
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hkdf.go
@@ -0,0 +1,66 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin && cgo
+
+package xcrypto
+
+import (
+	"errors"
+	"hash"
+
+	"github.com/microsoft/go-crypto-darwin/internal/cryptokit"
+)
+
+// ExtractHKDF performs the extract step of HKDF using the specified hash function.
+func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
+	// Handle empty secret
+	if len(secret) == 0 {
+		return nil, errors.New("secret cannot be empty")
+	}
+
+	hash, err := hashToCryptoHash(h())
+	if err != nil {
+		return nil, err
+	}
+
+	// Default salt to a zero-filled array if not provided
+	if len(salt) == 0 {
+		salt = make([]byte, hash.Size())
+	}
+
+	prk, err := cryptokit.ExtractHKDF(hash, secret, salt)
+	if err != nil {
+		return nil, err
+	}
+
+	return prk, nil
+}
+
+// ExpandHKDF performs the expand step of HKDF using the specified hash function.
+func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte, keyLength int) ([]byte, error) {
+	// Handle empty secret
+	if len(pseudorandomKey) == 0 {
+		return nil, errors.New("pseudorandom key cannot be empty")
+	}
+
+	hash, err := hashToCryptoHash(h())
+	if err != nil {
+		return nil, err
+	}
+
+	// Determine the maximum expandable key length based on the hash function
+	maxAllowedLength := hash.Size() * 255
+
+	// Validate requested key length
+	if keyLength > maxAllowedLength {
+		return nil, errors.New("requested key length exceeds maximum allowable size")
+	}
+
+	expandedKey, err := cryptokit.ExpandHKDF(hash, pseudorandomKey, info, keyLength)
+	if err != nil {
+		return nil, err
+	}
+
+	return expandedKey, nil
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hmac.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hmac.go
new file mode 100644
index 00000000000000..1b22b0a331f825
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/hmac.go
@@ -0,0 +1,113 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <CommonCrypto/CommonCrypto.h>
+import "C"
+import (
+	"errors"
+	"hash"
+	"runtime"
+	"slices"
+	"unsafe"
+)
+
+// commonCryptoHMAC encapsulates an HMAC using xcrypto.
+type commonCryptoHMAC struct {
+	ctx       C.CCHmacContext
+	alg       C.CCAlgorithm
+	key       []byte
+	output    []byte
+	size      int
+	blockSize int
+}
+
+// NewHMAC returns a new HMAC using xcrypto.
+// The function h must return a hash implemented by
+// CommonCrypto (for example, h could be xcrypto.NewSHA256).
+// If h is not recognized, NewHMAC returns nil.
+func NewHMAC(fh func() hash.Hash, key []byte) hash.Hash {
+	h := fh()
+	ccDigest, err := hashToCCDigestHMAC(h)
+	if err != nil {
+		return nil // Unsupported hash function.
+	}
+
+	// Handle empty key case to match CommonCrypto's behavior.
+	if len(key) == 0 {
+		key = make([]byte, C.CC_SHA512_DIGEST_LENGTH)
+	} else {
+		key = slices.Clone(key)
+	}
+
+	hmac := &commonCryptoHMAC{
+		alg:       ccDigest,
+		key:       key,
+		size:      h.Size(),
+		blockSize: h.BlockSize(),
+	}
+
+	// Initialize the HMAC context with xcrypto.
+	C.CCHmacInit(&hmac.ctx, hmac.alg, pbase(hmac.key), C.size_t(len(hmac.key)))
+	return hmac
+}
+
+// Write adds more data to the running HMAC hash.
+func (h *commonCryptoHMAC) Write(p []byte) (int, error) {
+	if len(p) > 0 {
+		C.CCHmacUpdate(&h.ctx, unsafe.Pointer(&*addr(p)), C.size_t(len(p)))
+	}
+	runtime.KeepAlive(h)
+	return len(p), nil
+}
+
+// Sum appends the current HMAC of the data to `in`.
+func (h *commonCryptoHMAC) Sum(in []byte) []byte {
+	if h.output == nil {
+		h.output = make([]byte, h.size)
+	}
+	// Copy the context to preserve it for further operations after Sum is called.
+	hmacCtxCopy := h.ctx
+	C.CCHmacFinal(&hmacCtxCopy, pbase(h.output))
+	return append(in, h.output...)
+}
+
+// Reset resets the HMAC state to initial values.
+func (h *commonCryptoHMAC) Reset() {
+	// Re-initialize the HMAC context with the stored key and algorithm.
+	C.CCHmacInit(&h.ctx, h.alg, pbase(h.key), C.size_t(len(h.key)))
+	runtime.KeepAlive(h)
+}
+
+// Size returns the size of the HMAC output.
+func (h commonCryptoHMAC) Size() int {
+	return h.size
+}
+
+// BlockSize returns the block size of the underlying hash function.
+func (h commonCryptoHMAC) BlockSize() int {
+	return h.blockSize
+}
+
+// Mapping Go hash functions to CommonCrypto hash constants
+func hashToCCDigestHMAC(hash hash.Hash) (C.CCAlgorithm, error) {
+	switch hash.(type) {
+	case *md5Hash:
+		return C.kCCHmacAlgMD5, nil
+	case *sha1Hash:
+		return C.kCCHmacAlgSHA1, nil
+	case *sha224Hash:
+		return C.kCCHmacAlgSHA224, nil
+	case *sha256Hash:
+		return C.kCCHmacAlgSHA256, nil
+	case *sha384Hash:
+		return C.kCCHmacAlgSHA384, nil
+	case *sha512Hash:
+		return C.kCCHmacAlgSHA512, nil
+	default:
+		return 0, errors.New("unsupported hash function")
+	}
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/pbkdf2.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/pbkdf2.go
new file mode 100644
index 00000000000000..e49dc1c0de3cef
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/pbkdf2.go
@@ -0,0 +1,65 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <CommonCrypto/CommonCrypto.h>
+import "C"
+import (
+	"errors"
+	"hash"
+	"unsafe"
+)
+
+func PBKDF2(password, salt []byte, iter, keyLen int, fh func() hash.Hash) ([]byte, error) {
+	// Map Go hash function to CommonCrypto hash constant
+	ccDigest, err := hashToCCDigestPBKDF2(fh())
+	if err != nil {
+		return nil, err
+	}
+
+	if len(password) == 0 {
+		// CommonCrypto requires a non-empty password
+		// Substitute empty password with placeholder
+		password = make([]byte, 1)
+	}
+
+	// Allocate output buffer for the derived key
+	derivedKey := make([]byte, keyLen)
+
+	// Call CommonCrypto's PBKDF2 implementation
+	status := C.CCKeyDerivationPBKDF(
+		C.kCCPBKDF2,                              // PBKDF2 algorithm
+		sbase(password), C.size_t(len(password)), // Password and its length
+		base(salt), C.size_t(len(salt)), // Salt and its length
+		ccDigest,     // Digest algorithm
+		C.uint(iter), // Iteration count
+		(*C.uchar)(unsafe.Pointer(&derivedKey[0])), C.size_t(keyLen), // Output buffer for derived key and its length
+	)
+
+	if status != C.kCCSuccess {
+		return nil, errors.New("PBKDF2 key derivation failed")
+	}
+
+	return derivedKey, nil
+}
+
+// Mapping Go hash functions to CommonCrypto hash constants
+func hashToCCDigestPBKDF2(hash hash.Hash) (C.CCAlgorithm, error) {
+	switch hash.(type) {
+	case *sha1Hash:
+		return C.kCCPRFHmacAlgSHA1, nil
+	case *sha224Hash:
+		return C.kCCPRFHmacAlgSHA224, nil
+	case *sha256Hash:
+		return C.kCCPRFHmacAlgSHA256, nil
+	case *sha384Hash:
+		return C.kCCPRFHmacAlgSHA384, nil
+	case *sha512Hash:
+		return C.kCCPRFHmacAlgSHA512, nil
+	default:
+		return 0, errors.New("unsupported hash function")
+	}
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rand.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rand.go
new file mode 100644
index 00000000000000..e58c0b3b19a68b
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rand.go
@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <Security/SecRandom.h>
+import "C"
+import (
+	"errors"
+	"unsafe"
+)
+
+type randReader int
+
+func (randReader) Read(b []byte) (int, error) {
+	// Note: RAND_bytes should never fail; the return value exists only for historical reasons.
+	// We check it even so.
+	if len(b) > 0 && C.SecRandomCopyBytes(C.kSecRandomDefault, C.size_t(len(b)), unsafe.Pointer(&b[0])) != 0 {
+		return 0, errors.New("crypto/rand: unable to read from source")
+	}
+	return len(b), nil
+}
+
+const RandReader = randReader(0)
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rc4.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rc4.go
new file mode 100644
index 00000000000000..415889c4f1bdd2
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rc4.go
@@ -0,0 +1,83 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <CommonCrypto/CommonCrypto.h>
+import "C"
+import (
+	"errors"
+	"runtime"
+	"slices"
+	"unsafe"
+)
+
+// RC4Cipher is an instance of RC4 using a particular key.
+type RC4Cipher struct {
+	ctx C.CCCryptorRef
+}
+
+// NewRC4Cipher creates and returns a new RC4 cipher with the given key.
+func NewRC4Cipher(key []byte) (*RC4Cipher, error) {
+	// Clone the key to prevent modification.
+	key = slices.Clone(key)
+	var ctx C.CCCryptorRef
+	status := C.CCCryptorCreate(
+		C.kCCEncrypt,       // Operation (RC4 stream)
+		C.kCCAlgorithmRC4,  // Algorithm
+		0,                  // No padding or other options
+		pbase(key),         // Key
+		C.size_t(len(key)), // Key length
+		nil,                // No IV needed for RC4
+		&ctx,               // Output: CCCryptorRef
+	)
+	if status != C.kCCSuccess {
+		return nil, errors.New("failed to create RC4 cipher")
+	}
+	c := &RC4Cipher{ctx: ctx}
+	runtime.SetFinalizer(c, (*RC4Cipher).finalize)
+	return c, nil
+}
+
+// finalize releases the RC4 cipher context when no longer needed.
+func (c *RC4Cipher) finalize() {
+	if c.ctx != nil {
+		C.CCCryptorRelease(c.ctx)
+	}
+}
+
+// Reset zeros the key data and makes the cipher unusable.
+func (c *RC4Cipher) Reset() {
+	if c.ctx != nil {
+		C.CCCryptorRelease(c.ctx)
+		c.ctx = nil
+	}
+}
+
+// XORKeyStream sets dst to the result of XORing src with the key stream.
+func (c *RC4Cipher) XORKeyStream(dst, src []byte) {
+	if c.ctx == nil || len(src) == 0 {
+		return
+	}
+	if inexactOverlap(dst[:len(src)], src) {
+		panic("crypto/rc4: invalid buffer overlap")
+	}
+	// Ensures `dst` has sufficient space.
+	_ = dst[len(src)-1]
+	var outLen C.size_t
+	status := C.CCCryptorUpdate(
+		c.ctx,
+		unsafe.Pointer(&*addr(src)), C.size_t(len(src)), // Input
+		unsafe.Pointer(&*addr(dst)), C.size_t(len(dst)), // Output
+		&outLen,
+	)
+	if status != C.kCCSuccess {
+		panic("crypto/cipher: CCCryptorUpdate failed")
+	}
+	if int(outLen) != len(src) {
+		panic("crypto/rc4: src not fully XORed")
+	}
+	runtime.KeepAlive(c)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rsa.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rsa.go
new file mode 100644
index 00000000000000..63df684569e671
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/rsa.go
@@ -0,0 +1,194 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #include <Security/Security.h>
+import "C"
+import (
+	"crypto"
+	"errors"
+	"hash"
+	"runtime"
+	"strconv"
+)
+
+// GenerateKeyRSA generates an RSA key pair on macOS.
+// asn1Data is encoded as PKCS#1 ASN1 DER.
+func GenerateKeyRSA(bits int) (asn1Data []byte, err error) {
+	privKeyDER, privKeyRef, err := createSecKeyRandom(C.kSecAttrKeyTypeRSA, bits)
+	if err != nil {
+		return nil, err
+	}
+	C.CFRelease(C.CFTypeRef(privKeyRef))
+	return privKeyDER, nil
+}
+
+type PublicKeyRSA struct {
+	// _pkey MUST NOT be accessed directly. Instead, use the withKey method.
+	_pkey C.SecKeyRef
+}
+
+func (k *PublicKeyRSA) finalize() {
+	if k._pkey != 0 {
+		C.CFRelease(C.CFTypeRef(k._pkey))
+	}
+}
+
+// NewPublicKeyRSA creates a new RSA public key from ASN1 DER encoded data.
+func NewPublicKeyRSA(asn1Data []byte) (*PublicKeyRSA, error) {
+	pubKeyRef, err := createSecKeyWithData(asn1Data, C.kSecAttrKeyTypeRSA, C.kSecAttrKeyClassPublic)
+	if err != nil {
+		return nil, err
+	}
+
+	key := &PublicKeyRSA{_pkey: pubKeyRef}
+	runtime.SetFinalizer(key, (*PublicKeyRSA).finalize)
+	return key, nil
+}
+
+func (k *PublicKeyRSA) withKey(f func(C.SecKeyRef) C.int) C.int {
+	// Because of the finalizer, any time key is passed to cgo, that call must
+	// be followed by a call to runtime.KeepAlive, to make sure k is not
+	// collected (and finalized) before the cgo call returns.
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+type PrivateKeyRSA struct {
+	// _pkey MUST NOT be accessed directly. Instead, use the withKey method.
+	_pkey C.SecKeyRef
+}
+
+func (k *PrivateKeyRSA) finalize() {
+	if k._pkey != 0 {
+		C.CFRelease(C.CFTypeRef(k._pkey))
+	}
+}
+
+// NewPrivateKeyRSA creates a new RSA private key from ASN1 DER encoded data.
+func NewPrivateKeyRSA(asn1Data []byte) (*PrivateKeyRSA, error) {
+	privKeyRef, err := createSecKeyWithData(asn1Data, C.kSecAttrKeyTypeRSA, C.kSecAttrKeyClassPrivate)
+	if err != nil {
+		return nil, err
+	}
+
+	key := &PrivateKeyRSA{_pkey: privKeyRef}
+	runtime.SetFinalizer(key, (*PrivateKeyRSA).finalize)
+	return key, nil
+}
+
+func (k *PrivateKeyRSA) PublicKey() *PublicKeyRSA {
+	var pubKeyRef C.SecKeyRef
+	k.withKey(func(key C.SecKeyRef) C.int {
+		pubKeyRef = C.SecKeyCopyPublicKey(k._pkey)
+		return 0
+	})
+	pubKey := &PublicKeyRSA{_pkey: pubKeyRef}
+	runtime.SetFinalizer(pubKey, (*PublicKeyRSA).finalize)
+	return pubKey
+}
+
+func (k *PrivateKeyRSA) withKey(f func(C.SecKeyRef) C.int) C.int {
+	// Because of the finalizer, any time _pkey is passed to cgo, that call must
+	// be followed by a call to runtime.KeepAlive, to make sure k is not
+	// collected (and finalized) before the cgo call returns.
+	defer runtime.KeepAlive(k)
+	return f(k._pkey)
+}
+
+// DecryptRSAOAEP decrypts data using RSA-OAEP.
+func DecryptRSAOAEP(h hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
+	if len(label) > 0 {
+		// https://github.com/microsoft/go-crypto-darwin/issues/22
+		panic("crypto/rsa: label is not supported on macOS")
+	}
+	return evpDecrypt(priv.withKey, algorithmTypeOAEP, ciphertext, h)
+}
+
+// EncryptRSAOAEP encrypts data using RSA-OAEP.
+func EncryptRSAOAEP(h hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
+	if len(label) > 0 {
+		// https://github.com/microsoft/go-crypto-darwin/issues/22
+		panic("crypto/rsa: label is not supported on macOS")
+	}
+	return evpEncrypt(pub.withKey, algorithmTypeOAEP, msg, h)
+}
+
+// SignRSAPSS signs data with RSA-PSS.
+func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
+	return evpSign(priv.withKey, algorithmTypePSS, h, hashed)
+}
+
+// VerifyRSAPSS verifies data with RSA-PSS.
+func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
+	return evpVerify(pub.withKey, algorithmTypePSS, h, hashed, sig)
+}
+
+func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte) ([]byte, error) {
+	return evpSign(priv.withKey, algorithmTypePKCS1v15Sig, h, hashed)
+}
+
+func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error {
+	if pub.withKey(func(key C.SecKeyRef) C.int {
+		size := C.SecKeyGetBlockSize(key)
+		if len(sig) < int(size) {
+			return 0
+		}
+		return 1
+	}) == 0 {
+		return errors.New("crypto/rsa: verification error")
+	}
+	return evpVerify(pub.withKey, algorithmTypePKCS1v15Sig, h, hashed, sig)
+}
+
+// DecryptRSAPKCS1 decrypts data using RSA PKCS#1 v1.5 padding.
+func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
+	return evpDecrypt(priv.withKey, algorithmTypePKCS1v15Enc, ciphertext, nil)
+}
+
+// EncryptRSAPKCS1 encrypts data using RSA PKCS#1 v1.5 padding.
+func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
+	return evpEncrypt(pub.withKey, algorithmTypePKCS1v15Enc, msg, nil)
+}
+
+func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
+	return evpDecrypt(priv.withKey, algorithmTypeRAW, ciphertext, nil)
+}
+
+func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
+	return evpEncrypt(pub.withKey, algorithmTypeRAW, msg, nil)
+}
+
+// Helper functions
+
+type cfError struct {
+	code    int
+	message string
+}
+
+func (e *cfError) Error() string {
+	if e.message == "" {
+		return "CFError(" + strconv.Itoa(e.code) + "): unknown error"
+	}
+	return "CFError(" + strconv.Itoa(e.code) + "): " + e.message
+}
+
+func goCFErrorRef(ref C.CFErrorRef) error {
+	if ref == 0 {
+		return nil
+	}
+	var message string
+	if desc := C.CFErrorCopyDescription(ref); desc != C.CFStringRef(0) {
+		defer C.CFRelease(C.CFTypeRef(desc))
+		if cstr := C.CFStringGetCStringPtr(desc, C.kCFStringEncodingUTF8); cstr != nil {
+			message = C.GoString(cstr)
+		}
+	}
+	return &cfError{
+		code:    int(C.CFErrorGetCode(ref)),
+		message: message,
+	}
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/xcrypto.go b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/xcrypto.go
new file mode 100644
index 00000000000000..9451d05599f3a8
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-darwin/xcrypto/xcrypto.go
@@ -0,0 +1,59 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build darwin
+
+package xcrypto
+
+// #cgo CFLAGS: -Wno-deprecated-declarations
+import "C"
+import "unsafe"
+
+// noescape hides a pointer from escape analysis. noescape is
+// the identity function but escape analysis doesn't think the
+// output depends on the input. noescape is inlined and currently
+// compiles down to zero instructions.
+// USE CAREFULLY!
+//
+//go:nosplit
+func noescape(p unsafe.Pointer) unsafe.Pointer {
+	x := uintptr(p)
+	return unsafe.Pointer(x ^ 0)
+}
+
+var zero byte
+
+// addr converts p to its base addr, including a noescape along the way.
+// If p is nil, addr returns a non-nil pointer, so that the result can always
+// be dereferenced.
+//
+//go:nosplit
+func addr(p []byte) *byte {
+	if len(p) == 0 {
+		return &zero
+	}
+	return (*byte)(noescape(unsafe.Pointer(&p[0])))
+}
+
+// base returns the address of the underlying array in b,
+// being careful not to panic when b has zero length.
+func base(b []byte) *C.uchar {
+	if len(b) == 0 {
+		return nil
+	}
+	return (*C.uchar)(unsafe.Pointer(&b[0]))
+}
+
+func sbase(b []byte) *C.char {
+	if len(b) == 0 {
+		return nil
+	}
+	return (*C.char)(unsafe.Pointer(&b[0]))
+}
+
+func pbase(b []byte) unsafe.Pointer {
+	if len(b) == 0 {
+		return nil
+	}
+	return unsafe.Pointer(&b[0])
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/LICENSE b/src/vendor/github.com/microsoft/go-crypto-winnative/LICENSE
new file mode 100644
index 00000000000000..9e841e7a26e4eb
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/LICENSE
@@ -0,0 +1,21 @@
+    MIT License
+
+    Copyright (c) Microsoft Corporation.
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go
new file mode 100644
index 00000000000000..097a0fc77f0adb
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/aes.go
@@ -0,0 +1,393 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"errors"
+	"runtime"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+	"github.com/microsoft/go-crypto-winnative/internal/subtle"
+)
+
+const aesBlockSize = 16
+
+type aesCipher struct {
+	kh  bcrypt.KEY_HANDLE
+	key []byte
+}
+
+func NewAESCipher(key []byte) (cipher.Block, error) {
+	kh, err := newCipherHandle(bcrypt.AES_ALGORITHM, bcrypt.CHAIN_MODE_ECB, key)
+	if err != nil {
+		return nil, err
+	}
+	c := &aesCipher{kh: kh, key: bytes.Clone(key)}
+	runtime.SetFinalizer(c, (*aesCipher).finalize)
+	return c, nil
+}
+
+func (c *aesCipher) finalize() {
+	bcrypt.DestroyKey(c.kh)
+}
+
+func (c *aesCipher) BlockSize() int { return aesBlockSize }
+
+// validateAndClipInputs checks that dst and src meet the [cipher.Block]
+// interface requirements and clips them to a single block.
+func (c *aesCipher) validateAndClipInputs(dst, src []byte) (d, s []byte) {
+	if len(src) < aesBlockSize {
+		panic("crypto/aes: input not full block")
+	}
+	if len(dst) < aesBlockSize {
+		panic("crypto/aes: output not full block")
+	}
+	// cypher.Block methods are documented to operate on
+	// one block at a time, so we truncate the input and output
+	// to the block size.
+	d, s = dst[:aesBlockSize], src[:aesBlockSize]
+	if subtle.InexactOverlap(d, s) {
+		panic("crypto/aes: invalid buffer overlap")
+	}
+	return d, s
+}
+
+func (c *aesCipher) Encrypt(dst, src []byte) {
+	dst, src = c.validateAndClipInputs(dst, src)
+
+	var ret uint32
+	err := bcrypt.Encrypt(c.kh, src, nil, nil, dst, &ret, 0)
+	if err != nil {
+		panic(err)
+	}
+	if int(ret) != len(src) {
+		panic("crypto/aes: plaintext not fully encrypted")
+	}
+	runtime.KeepAlive(c)
+}
+
+func (c *aesCipher) Decrypt(dst, src []byte) {
+	dst, src = c.validateAndClipInputs(dst, src)
+
+	var ret uint32
+	err := bcrypt.Decrypt(c.kh, src, nil, nil, dst, &ret, 0)
+	if err != nil {
+		panic(err)
+	}
+	if int(ret) != len(src) {
+		panic("crypto/aes: plaintext not fully decrypted")
+	}
+	runtime.KeepAlive(c)
+}
+
+func (c *aesCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
+	return newCBC(true, bcrypt.AES_ALGORITHM, c.key, iv)
+}
+
+func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode {
+	return newCBC(false, bcrypt.AES_ALGORITHM, c.key, iv)
+}
+
+type noGCM struct {
+	cipher.Block
+}
+
+func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
+	if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize {
+		return nil, errors.New("crypto/aes: GCM tag and nonce sizes can't be non-standard at the same time")
+	}
+	// Fall back to standard library for GCM with non-standard nonce or tag size.
+	if nonceSize != gcmStandardNonceSize {
+		return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize)
+	}
+	if tagSize != gcmTagSize {
+		return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize)
+	}
+	return newGCM(c.key, cipherGCMTLSNone)
+}
+
+// NewGCMTLS returns a GCM cipher specific to TLS
+// and should not be used for non-TLS purposes.
+func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) {
+	return c.(*aesCipher).NewGCMTLS()
+}
+
+func (c *aesCipher) NewGCMTLS() (cipher.AEAD, error) {
+	return newGCM(c.key, cipherGCMTLS12)
+}
+
+// NewGCMTLS13 returns a GCM cipher specific to TLS 1.3 and should not be used
+// for non-TLS purposes.
+func NewGCMTLS13(c cipher.Block) (cipher.AEAD, error) {
+	return c.(*aesCipher).NewGCMTLS13()
+}
+
+func (c *aesCipher) NewGCMTLS13() (cipher.AEAD, error) {
+	return newGCM(c.key, cipherGCMTLS13)
+}
+
+type cbcCipher struct {
+	kh bcrypt.KEY_HANDLE
+	// Use aesBlockSize, the max of all supported cipher block sizes.
+	// The array avoids allocations (vs. a slice).
+	iv        [aesBlockSize]byte
+	blockSize int
+	encrypt   bool
+}
+
+func newCBC(encrypt bool, alg string, key, iv []byte) *cbcCipher {
+	var blockSize int
+	switch alg {
+	case bcrypt.AES_ALGORITHM:
+		blockSize = aesBlockSize
+	case bcrypt.DES_ALGORITHM, bcrypt.DES3_ALGORITHM:
+		blockSize = desBlockSize
+	default:
+		panic("invalid algorithm: " + alg)
+	}
+	kh, err := newCipherHandle(alg, bcrypt.CHAIN_MODE_CBC, key)
+	if err != nil {
+		panic(err)
+	}
+	x := &cbcCipher{kh: kh, encrypt: encrypt, blockSize: blockSize}
+	runtime.SetFinalizer(x, (*cbcCipher).finalize)
+	x.SetIV(iv)
+	return x
+}
+
+func (x *cbcCipher) finalize() {
+	bcrypt.DestroyKey(x.kh)
+}
+
+func (x *cbcCipher) BlockSize() int { return x.blockSize }
+
+func (x *cbcCipher) CryptBlocks(dst, src []byte) {
+	if subtle.InexactOverlap(dst, src) {
+		panic("crypto/cipher: invalid buffer overlap")
+	}
+	if len(src)%x.blockSize != 0 {
+		panic("crypto/cipher: input not full blocks")
+	}
+	if len(dst) < len(src) {
+		panic("crypto/cipher: output smaller than input")
+	}
+	if len(src) == 0 {
+		return
+	}
+	var ret uint32
+	var err error
+	if x.encrypt {
+		err = bcrypt.Encrypt(x.kh, src, nil, x.iv[:x.blockSize], dst, &ret, 0)
+	} else {
+		err = bcrypt.Decrypt(x.kh, src, nil, x.iv[:x.blockSize], dst, &ret, 0)
+	}
+	if err != nil {
+		panic(err)
+	}
+	if int(ret) != len(src) {
+		panic("crypto/aes: plaintext not fully encrypted")
+	}
+	runtime.KeepAlive(x)
+}
+
+func (x *cbcCipher) SetIV(iv []byte) {
+	if len(iv) != x.blockSize {
+		panic("cipher: incorrect length IV")
+	}
+	copy(x.iv[:], iv)
+}
+
+const (
+	gcmTagSize           = 16
+	gcmStandardNonceSize = 12
+	// TLS 1.2 additional data is constructed as:
+	//
+	//     additional_data = seq_num(8) + TLSCompressed.type(1) + TLSCompressed.version(2) + TLSCompressed.length(2);
+	gcmTls12AddSize = 13
+	// TLS 1.3 additional data is constructed as:
+	//
+	//     additional_data = TLSCiphertext.opaque_type(1) || TLSCiphertext.legacy_record_version(2) || TLSCiphertext.length(2)
+	gcmTls13AddSize      = 5
+	gcmTlsFixedNonceSize = 4
+)
+
+type cipherGCMTLS uint8
+
+const (
+	cipherGCMTLSNone cipherGCMTLS = iota
+	cipherGCMTLS12
+	cipherGCMTLS13
+)
+
+type aesGCM struct {
+	kh  bcrypt.KEY_HANDLE
+	tls cipherGCMTLS
+	// minNextNonce is the minimum value that the next nonce can be, enforced by
+	// all TLS modes.
+	minNextNonce uint64
+	// mask is the nonce mask used in TLS 1.3 mode.
+	mask uint64
+	// maskInitialized is true if mask has been initialized. This happens during
+	// the first Seal. The initialized mask may be 0. Used by TLS 1.3 mode.
+	maskInitialized bool
+}
+
+func (g *aesGCM) finalize() {
+	bcrypt.DestroyKey(g.kh)
+}
+
+func newGCM(key []byte, tls cipherGCMTLS) (*aesGCM, error) {
+	kh, err := newCipherHandle(bcrypt.AES_ALGORITHM, bcrypt.CHAIN_MODE_GCM, key)
+	if err != nil {
+		return nil, err
+	}
+	g := &aesGCM{kh: kh, tls: tls}
+	runtime.SetFinalizer(g, (*aesGCM).finalize)
+	return g, nil
+}
+
+func (g *aesGCM) NonceSize() int {
+	return gcmStandardNonceSize
+}
+
+func (g *aesGCM) Overhead() int {
+	return gcmTagSize
+}
+
+func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
+	if len(nonce) != gcmStandardNonceSize {
+		panic("cipher: incorrect nonce length given to GCM")
+	}
+	if uint64(len(plaintext)) > ((1<<32)-2)*aesBlockSize || len(plaintext)+gcmTagSize < len(plaintext) {
+		panic("cipher: message too large for GCM")
+	}
+	if len(dst)+len(plaintext)+gcmTagSize < len(dst) {
+		panic("cipher: message too large for buffer")
+	}
+	if g.tls != cipherGCMTLSNone {
+		if g.tls == cipherGCMTLS12 && len(additionalData) != gcmTls12AddSize {
+			panic("cipher: incorrect additional data length given to GCM TLS 1.2")
+		} else if g.tls == cipherGCMTLS13 && len(additionalData) != gcmTls13AddSize {
+			panic("cipher: incorrect additional data length given to GCM TLS 1.3")
+		}
+		counter := bigUint64(nonce[gcmTlsFixedNonceSize:])
+		if g.tls == cipherGCMTLS13 {
+			// In TLS 1.3, the counter in the nonce has a mask and requires
+			// further decoding.
+			if !g.maskInitialized {
+				// According to TLS 1.3 nonce construction details at
+				// https://tools.ietf.org/html/rfc8446#section-5.3:
+				//
+				//   the first record transmitted under a particular traffic
+				//   key MUST use sequence number 0.
+				//
+				//   The padded sequence number is XORed with [a mask].
+				//
+				//   The resulting quantity (of length iv_length) is used as
+				//   the per-record nonce.
+				//
+				// We need to convert from the given nonce to sequence numbers
+				// to keep track of minNextNonce and enforce the counter
+				// maximum. On the first call, we know counter^mask is 0^mask,
+				// so we can simply store it as the mask.
+				g.mask = counter
+				g.maskInitialized = true
+			}
+			counter ^= g.mask
+		}
+		// BoringCrypto enforces strictly monotonically increasing explicit nonces
+		// and to fail after 2^64 - 1 keys as per FIPS 140-2 IG A.5,
+		// but BCrypt does not perform this check, so it is implemented here.
+		const maxUint64 = 1<<64 - 1
+		if counter == maxUint64 {
+			panic("cipher: nonce counter must be less than 2^64 - 1")
+		}
+		if counter < g.minNextNonce {
+			panic("cipher: nonce counter must be strictly monotonically increasing")
+		}
+		defer func() {
+			g.minNextNonce = counter + 1
+		}()
+	}
+	// Make room in dst to append plaintext+overhead.
+	ret, out := sliceForAppend(dst, len(plaintext)+gcmTagSize)
+
+	// Check delayed until now to make sure len(dst) is accurate.
+	if subtle.InexactOverlap(out, plaintext) {
+		panic("cipher: invalid buffer overlap")
+	}
+
+	info := bcrypt.NewAUTHENTICATED_CIPHER_MODE_INFO(nonce, additionalData, out[len(out)-gcmTagSize:])
+	var encSize uint32
+	err := bcrypt.Encrypt(g.kh, plaintext, unsafe.Pointer(info), nil, out, &encSize, 0)
+	if err != nil {
+		panic(err)
+	}
+	if int(encSize) != len(plaintext) {
+		panic("crypto/aes: plaintext not fully encrypted")
+	}
+	runtime.KeepAlive(g)
+	return ret
+}
+
+var errOpen = errors.New("cipher: message authentication failed")
+
+func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
+	if len(nonce) != gcmStandardNonceSize {
+		panic("cipher: incorrect nonce length given to GCM")
+	}
+	if len(ciphertext) < gcmTagSize {
+		return nil, errOpen
+	}
+	if uint64(len(ciphertext)) > ((1<<32)-2)*aesBlockSize+gcmTagSize {
+		return nil, errOpen
+	}
+
+	tag := ciphertext[len(ciphertext)-gcmTagSize:]
+	ciphertext = ciphertext[:len(ciphertext)-gcmTagSize]
+
+	// Make room in dst to append ciphertext without tag.
+	ret, out := sliceForAppend(dst, len(ciphertext))
+
+	// Check delayed until now to make sure len(dst) is accurate.
+	if subtle.InexactOverlap(out, ciphertext) {
+		panic("cipher: invalid buffer overlap")
+	}
+
+	info := bcrypt.NewAUTHENTICATED_CIPHER_MODE_INFO(nonce, additionalData, tag)
+	var decSize uint32
+	err := bcrypt.Decrypt(g.kh, ciphertext, unsafe.Pointer(info), nil, out, &decSize, 0)
+	if err != nil || int(decSize) != len(ciphertext) {
+		for i := range out {
+			out[i] = 0
+		}
+		return nil, errOpen
+	}
+	runtime.KeepAlive(g)
+	return ret, nil
+}
+
+// sliceForAppend is a mirror of crypto/cipher.sliceForAppend.
+func sliceForAppend(in []byte, n int) (head, tail []byte) {
+	if total := len(in) + n; cap(in) >= total {
+		head = in[:total]
+	} else {
+		head = make([]byte, total)
+		copy(head, in)
+	}
+	tail = head[len(in):]
+	return
+}
+
+func bigUint64(b []byte) uint64 {
+	_ = b[7] // bounds check hint to compiler; see go.dev/issue/14808
+	return uint64(b[7]) | uint64(b[6])<<8 | uint64(b[5])<<16 | uint64(b[4])<<24 |
+		uint64(b[3])<<32 | uint64(b[2])<<40 | uint64(b[1])<<48 | uint64(b[0])<<56
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/bbig/big.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/bbig/big.go
new file mode 100644
index 00000000000000..584f2069b1cd0a
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/bbig/big.go
@@ -0,0 +1,31 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package bbig
+
+import (
+	"math/big"
+
+	"github.com/microsoft/go-crypto-winnative/cng"
+)
+
+func Enc(b *big.Int) cng.BigInt {
+	if b == nil {
+		return nil
+	}
+	x := b.Bytes()
+	if len(x) == 0 {
+		return cng.BigInt{}
+	}
+	return x
+}
+
+func Dec(b cng.BigInt) *big.Int {
+	if b == nil {
+		return nil
+	}
+	if len(b) == 0 {
+		return new(big.Int)
+	}
+	return new(big.Int).SetBytes(b)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/big.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/big.go
new file mode 100644
index 00000000000000..36f0e0c6e278bc
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/big.go
@@ -0,0 +1,30 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+package cng
+
+import "math/bits"
+
+// This file does not have build constraints to
+// facilitate using BigInt in Go crypto.
+// Go crypto references BigInt unconditionally,
+// even if it is not finally used.
+
+// A BigInt is the big-endian bytes from a math/big BigInt,
+// which are normalized to remove any leading 0 byte.
+// Windows BCrypt accepts this specific data format.
+// This definition allows us to avoid importing math/big.
+// Conversion between BigInt and *big.Int is in cng/bbig.
+type BigInt []byte
+
+const _S = bits.UintSize / 8 // word size in bytes
+
+// Length of x in bits.
+func (x BigInt) bitLen() int {
+	if len(x) == 0 {
+		return 0
+	}
+	// x is normalized, so the length in bits is
+	// the length in bits of x minus one byte (_S),
+	// plus the minimum number of bits to represent the first byte.
+	return (len(x)-1)*_S + bits.Len(uint(x[0]))
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/cipher.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/cipher.go
new file mode 100644
index 00000000000000..c1365f8d399d21
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/cipher.go
@@ -0,0 +1,52 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"errors"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+type cipherAlgorithm struct {
+	handle            bcrypt.ALG_HANDLE
+	allowedKeyLengths bcrypt.KEY_LENGTHS_STRUCT
+}
+
+func loadCipher(id, mode string) (cipherAlgorithm, error) {
+	return loadOrStoreAlg(id, bcrypt.ALG_NONE_FLAG, mode, func(h bcrypt.ALG_HANDLE) (cipherAlgorithm, error) {
+		if mode != "" {
+			// Windows 8 added support to set the CipherMode value on a key,
+			// but Windows 7 requires that it be set on the algorithm before key creation.
+			err := setString(bcrypt.HANDLE(h), bcrypt.CHAINING_MODE, mode)
+			if err != nil {
+				return cipherAlgorithm{}, err
+			}
+		}
+		lengths, err := getKeyLengths(bcrypt.HANDLE(h))
+		if err != nil {
+			return cipherAlgorithm{}, err
+		}
+		return cipherAlgorithm{h, lengths}, nil
+	})
+}
+
+func newCipherHandle(id, mode string, key []byte) (bcrypt.KEY_HANDLE, error) {
+	h, err := loadCipher(id, mode)
+	if err != nil {
+		return 0, err
+	}
+	if !keyIsAllowed(h.allowedKeyLengths, uint32(len(key)*8)) {
+		return 0, errors.New("crypto/cipher: invalid key size")
+	}
+	var kh bcrypt.KEY_HANDLE
+	err = bcrypt.GenerateSymmetricKey(h.handle, &kh, nil, key, 0)
+	if err != nil {
+		return 0, err
+	}
+	return kh, nil
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/cng.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/cng.go
new file mode 100644
index 00000000000000..d1916f94a0a76d
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/cng.go
@@ -0,0 +1,131 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"errors"
+	"math"
+	"runtime"
+	"sync"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+func FIPS() (bool, error) {
+	var enabled bool
+	err := bcrypt.GetFipsAlgorithmMode(&enabled)
+	if err != nil {
+		return false, err
+	}
+	return enabled, nil
+}
+
+// len32 clamps s length so it can fit into a Win32 LONG,
+// which is a 32-bit signed integer, without overflowing.
+func len32(s []byte) int {
+	if len(s) > math.MaxInt32 {
+		return math.MaxInt32
+	}
+	return len(s)
+}
+
+var algCache sync.Map
+
+// loadOrStoreAlg loads an algorithm with the given id, flags, and mode from the cache.
+// If the algorithm is not in the cache, a new one is created and then initialized using fn.
+// The returned algorithm handle should not be closed by the caller.
+func loadOrStoreAlg[T any](id string, flags bcrypt.AlgorithmProviderFlags, mode string, fn func(h bcrypt.ALG_HANDLE) (T, error)) (T, error) {
+	var entryKey = struct {
+		id    string
+		flags bcrypt.AlgorithmProviderFlags
+		mode  string
+	}{id, flags, mode}
+
+	if v, ok := algCache.Load(entryKey); ok {
+		return v.(T), nil
+	}
+	var h bcrypt.ALG_HANDLE
+	err := bcrypt.OpenAlgorithmProvider(&h, utf16PtrFromString(id), nil, flags)
+	if err != nil {
+		return *new(T), err
+	}
+	v, err := fn(h)
+	if err != nil {
+		bcrypt.CloseAlgorithmProvider(h, 0)
+		return *new(T), err
+	}
+	if existing, loaded := algCache.LoadOrStore(entryKey, v); loaded {
+		// We can safely use a provider that has already been cached in another concurrent goroutine.
+		bcrypt.CloseAlgorithmProvider(h, 0)
+		v = existing.(T)
+	}
+	return v, nil
+}
+
+func utf16PtrFromString(s string) *uint16 {
+	return &utf16FromString(s)[0]
+}
+
+// utf16FromString converts the string using a stack-allocated slice of 64 bytes.
+// It should only be used to convert known BCrypt identifiers which only contains ASCII characters.
+// utf16FromString allocates if s is longer than 31 characters.
+func utf16FromString(s string) []uint16 {
+	// Once https://go.dev/issues/51896 lands and our support matrix allows it,
+	// we can replace part of this function by utf16.AppendRune
+	a := make([]uint16, 0, 32)
+	for _, v := range s {
+		if v == 0 || v > 127 {
+			panic("utf16FromString only supports ASCII characters, got " + s)
+		}
+		a = append(a, uint16(v))
+	}
+	// Finish with a NULL byte.
+	a = append(a, 0)
+	return a
+}
+
+func setString(h bcrypt.HANDLE, name, val string) error {
+	str := utf16FromString(val)
+	defer runtime.KeepAlive(str)
+	// str is a []uint16, which takes 2 bytes per element.
+	n := len(str) * 2
+	in := unsafe.Slice((*byte)(unsafe.Pointer(&str[0])), n)
+	return bcrypt.SetProperty(h, utf16PtrFromString(name), in, 0)
+}
+
+func getUint32(h bcrypt.HANDLE, name string) (uint32, error) {
+	var prop, discard uint32
+	err := bcrypt.GetProperty(h, utf16PtrFromString(name), (*[4]byte)(unsafe.Pointer(&prop))[:], &discard, 0)
+	return prop, err
+}
+
+const sizeOfKEY_LENGTHS_STRUCT = unsafe.Sizeof(bcrypt.KEY_LENGTHS_STRUCT{})
+
+func getKeyLengths(h bcrypt.HANDLE) (lengths bcrypt.KEY_LENGTHS_STRUCT, err error) {
+	var discard uint32
+	ptr := (*[sizeOfKEY_LENGTHS_STRUCT]byte)(unsafe.Pointer(&lengths))
+	err = bcrypt.GetProperty(bcrypt.HANDLE(h), utf16PtrFromString(bcrypt.KEY_LENGTHS), ptr[:], &discard, 0)
+	if err != nil {
+		return
+	}
+	if lengths.MinLength > lengths.MaxLength || (lengths.Increment == 0 && lengths.MinLength != lengths.MaxLength) {
+		err = errors.New("invalid BCRYPT_KEY_LENGTHS_STRUCT")
+		return
+	}
+	return lengths, nil
+}
+
+func keyIsAllowed(lengths bcrypt.KEY_LENGTHS_STRUCT, bits uint32) bool {
+	if bits < lengths.MinLength || bits > lengths.MaxLength {
+		return false
+	}
+	if lengths.Increment == 0 {
+		return bits == lengths.MinLength
+	}
+	return (bits-lengths.MinLength)%lengths.Increment == 0
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go
new file mode 100644
index 00000000000000..de3f05b84f1d82
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/des.go
@@ -0,0 +1,106 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"bytes"
+	"crypto/cipher"
+	"runtime"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+	"github.com/microsoft/go-crypto-winnative/internal/subtle"
+)
+
+const desBlockSize = 8
+
+type desCipher struct {
+	kh  bcrypt.KEY_HANDLE
+	alg string
+	key []byte
+}
+
+func NewDESCipher(key []byte) (cipher.Block, error) {
+	kh, err := newCipherHandle(bcrypt.DES_ALGORITHM, bcrypt.CHAIN_MODE_ECB, key)
+	if err != nil {
+		return nil, err
+	}
+	c := &desCipher{kh: kh, alg: bcrypt.DES_ALGORITHM, key: bytes.Clone(key)}
+	runtime.SetFinalizer(c, (*desCipher).finalize)
+	return c, nil
+}
+
+func NewTripleDESCipher(key []byte) (cipher.Block, error) {
+	kh, err := newCipherHandle(bcrypt.DES3_ALGORITHM, bcrypt.CHAIN_MODE_ECB, key)
+	if err != nil {
+		return nil, err
+	}
+	c := &desCipher{kh: kh, alg: bcrypt.DES3_ALGORITHM, key: bytes.Clone(key)}
+	runtime.SetFinalizer(c, (*desCipher).finalize)
+	return c, nil
+}
+
+func (c *desCipher) finalize() {
+	bcrypt.DestroyKey(c.kh)
+}
+
+func (c *desCipher) BlockSize() int { return desBlockSize }
+
+func (c *desCipher) Encrypt(dst, src []byte) {
+	if len(src) < desBlockSize {
+		panic("crypto/des: input not full block")
+	}
+	if len(dst) < desBlockSize {
+		panic("crypto/des: output not full block")
+	}
+	// cypher.Block.Encrypt() is documented to encrypt one full block
+	// at a time, so we truncate the input and output to the block size.
+	dst, src = dst[:desBlockSize], src[:desBlockSize]
+	if subtle.InexactOverlap(dst, src) {
+		panic("crypto/des: invalid buffer overlap")
+	}
+	var ret uint32
+	err := bcrypt.Encrypt(c.kh, src, nil, nil, dst, &ret, 0)
+	if err != nil {
+		panic(err)
+	}
+	if int(ret) != len(src) {
+		panic("crypto/des: plaintext not fully encrypted")
+	}
+	runtime.KeepAlive(c)
+}
+
+func (c *desCipher) Decrypt(dst, src []byte) {
+	if len(src) < desBlockSize {
+		panic("crypto/des: input not full block")
+	}
+	if len(dst) < desBlockSize {
+		panic("crypto/des: output not full block")
+	}
+	// cypher.Block.Decrypt() is documented to decrypt one full block
+	// at a time, so we truncate the input and output to the block size.
+	dst, src = dst[:desBlockSize], src[:desBlockSize]
+	if subtle.InexactOverlap(dst, src) {
+		panic("crypto/des: invalid buffer overlap")
+	}
+	var ret uint32
+	err := bcrypt.Decrypt(c.kh, src, nil, nil, dst, &ret, 0)
+	if err != nil {
+		panic(err)
+	}
+	if int(ret) != len(src) {
+		panic("crypto/des: plaintext not fully decrypted")
+	}
+	runtime.KeepAlive(c)
+}
+
+func (c *desCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
+	return newCBC(true, c.alg, c.key, iv)
+}
+
+func (c *desCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode {
+	return newCBC(false, c.alg, c.key, iv)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/dsa.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/dsa.go
new file mode 100644
index 00000000000000..7ab5ac38921d82
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/dsa.go
@@ -0,0 +1,465 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"errors"
+	"runtime"
+	"strconv"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+// As of FIPS 186-4 the maximum Q size is 32 bytes.
+//
+// See also: cbGroupSize at
+// https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_dsa_key_blob_v2
+const maxGroupSize = 32
+
+// crypto/dsa doesn't support passing the seed around, but CNG expects it.
+// CNG will skip seed verification if the count and seed parameters is all 0xff bytes.
+var (
+	dsaCountNil = [4]byte{0xff, 0xff, 0xff, 0xff}
+	dsaSeedNil  = [maxGroupSize]byte{
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	}
+)
+
+type dsaAlgorithm struct {
+	handle            bcrypt.ALG_HANDLE
+	allowedKeyLengths bcrypt.KEY_LENGTHS_STRUCT
+}
+
+func loadDSA() (h dsaAlgorithm, err error) {
+	return loadOrStoreAlg(bcrypt.DSA_ALGORITHM, bcrypt.ALG_NONE_FLAG, "", func(h bcrypt.ALG_HANDLE) (dsaAlgorithm, error) {
+		lengths, err := getKeyLengths(bcrypt.HANDLE(h))
+		if err != nil {
+			return dsaAlgorithm{}, err
+		}
+		return dsaAlgorithm{h, lengths}, nil
+	})
+}
+
+// DSAParameters contains the DSA parameters.
+type DSAParameters struct {
+	P, Q, G BigInt
+}
+
+func (p DSAParameters) keySize() uint32 {
+	return uint32(len(p.P))
+}
+
+func (p DSAParameters) groupSize() uint32 {
+	return uint32(len(p.Q))
+}
+
+// GenerateParametersDSA generates a set of DSA parameters for a key of size L bytes.
+// If L is less than or equal to 1024, the parameters are generated according to FIPS 186-2.
+// If L is greater than 1024, the parameters are generated according to FIPS 186-3.
+// The returned parameters are suitable for use in GenerateKey.
+func GenerateParametersDSA(L int) (params DSAParameters, err error) {
+	h, err := loadDSA()
+	if err != nil {
+		return DSAParameters{}, err
+	}
+	if !keyIsAllowed(h.allowedKeyLengths, uint32(L)) {
+		return DSAParameters{}, errors.New("crypto/dsa: invalid key size")
+	}
+	// To generate the parameters, we need to generate a key pair and then export the public key.
+	// The public key contains the parameters. We then discard the key pair.
+	var hkey bcrypt.KEY_HANDLE
+	if err := bcrypt.GenerateKeyPair(h.handle, &hkey, uint32(L), 0); err != nil {
+		return DSAParameters{}, err
+	}
+	defer bcrypt.DestroyKey(hkey)
+
+	if err := bcrypt.FinalizeKeyPair(hkey, 0); err != nil {
+		return DSAParameters{}, err
+	}
+	params, _, _, err = decodeDSAKey(hkey, false)
+	return params, err
+}
+
+// PrivateKeyDSA represents a DSA private key.
+type PrivateKeyDSA struct {
+	DSAParameters
+	X, Y BigInt
+
+	hkey bcrypt.KEY_HANDLE
+}
+
+func (k *PrivateKeyDSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
+// PublicKeyDSA represents a DSA public key.
+type PublicKeyDSA struct {
+	DSAParameters
+	Y BigInt
+
+	hkey bcrypt.KEY_HANDLE
+}
+
+func (k *PublicKeyDSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
+// GenerateKeyDSA generates a new private DSA key using the given parameters.
+func GenerateKeyDSA(params DSAParameters) (x, y BigInt, err error) {
+	h, err := loadDSA()
+	if err != nil {
+		return nil, nil, err
+	}
+	keySize := params.keySize()
+	if !keyIsAllowed(h.allowedKeyLengths, keySize*8) {
+		return nil, nil, errors.New("crypto/dsa: invalid key size")
+	}
+	var hkey bcrypt.KEY_HANDLE
+	if err := bcrypt.GenerateKeyPair(h.handle, &hkey, keySize*8, 0); err != nil {
+		return nil, nil, err
+	}
+	defer bcrypt.DestroyKey(hkey)
+	if err := setDSAParameter(hkey, params); err != nil {
+		return nil, nil, err
+	}
+	if err := bcrypt.FinalizeKeyPair(hkey, 0); err != nil {
+		return nil, nil, err
+	}
+	_, x, y, err = decodeDSAKey(hkey, true)
+	if err != nil {
+		return nil, nil, err
+	}
+	return x, y, nil
+}
+
+// NewPrivateKeyDSA creates a new DSA private key from the given parameters.
+func NewPrivateKeyDSA(params DSAParameters, X, Y BigInt) (*PrivateKeyDSA, error) {
+	h, err := loadDSA()
+	if err != nil {
+		return nil, err
+	}
+	keySize := params.keySize()
+	if !keyIsAllowed(h.allowedKeyLengths, keySize*8) {
+		return nil, errors.New("crypto/dsa: invalid key size")
+	}
+	hkey, err := encodeDSAKey(h.handle, params, X, Y)
+	if err != nil {
+		return nil, err
+	}
+	k := &PrivateKeyDSA{params, X, Y, hkey}
+	runtime.SetFinalizer(k, (*PrivateKeyDSA).finalize)
+	return k, nil
+}
+
+// NewPublicKeyDSA creates a new DSA public key from the given parameters.
+func NewPublicKeyDSA(params DSAParameters, Y BigInt) (*PublicKeyDSA, error) {
+	h, err := loadDSA()
+	if err != nil {
+		return nil, err
+	}
+	keySize := params.keySize()
+	if !keyIsAllowed(h.allowedKeyLengths, keySize*8) {
+		return nil, errors.New("crypto/dsa: invalid key size")
+	}
+	hkey, err := encodeDSAKey(h.handle, params, nil, Y)
+	if err != nil {
+		return nil, err
+	}
+	k := &PublicKeyDSA{params, Y, hkey}
+	runtime.SetFinalizer(k, (*PublicKeyDSA).finalize)
+	return k, nil
+}
+
+// SignDSA signs a hash (which should be the result of hashing a larger message).
+func SignDSA(priv *PrivateKeyDSA, hashed []byte) (r, s BigInt, err error) {
+	defer runtime.KeepAlive(priv)
+	size, err := getUint32(bcrypt.HANDLE(priv.hkey), bcrypt.SIGNATURE_LENGTH)
+	if err != nil {
+		return nil, nil, err
+	}
+	var buf [maxGroupSize]byte
+	hashed, err = dsaAdjustHashSize(priv.hkey, hashed, buf[:])
+	if err != nil {
+		return nil, nil, err
+	}
+	sig := make([]byte, size)
+	err = bcrypt.SignHash(priv.hkey, nil, hashed, sig, &size, 0)
+	if err != nil {
+		return nil, nil, err
+	}
+	sig = sig[:size]
+	// BCRYPTSignHash generates DSA signatures in P1363 format,
+	// which is simply (r, s), each of them exactly half of the array.
+	if len(sig)%2 != 0 {
+		return nil, nil, errors.New("crypto/dsa: invalid signature size from bcrypt")
+	}
+	return sig[:len(sig)/2], sig[len(sig)/2:], nil
+}
+
+// VerifyDSA verifies the signature in r, s of hashed using the public key, pub.
+func VerifyDSA(pub *PublicKeyDSA, hashed []byte, r, s BigInt) bool {
+	defer runtime.KeepAlive(pub)
+	var buf [maxGroupSize]byte
+	hashed, err := dsaAdjustHashSize(pub.hkey, hashed, buf[:])
+	if err != nil {
+		return false
+	}
+	size, err := getUint32(bcrypt.HANDLE(pub.hkey), bcrypt.SIGNATURE_LENGTH)
+	if err != nil {
+		return false
+	}
+	// r and s might be shorter than size
+	// if the original big number contained leading zeros,
+	// but they must not be longer than the public key size.
+	if len(r) > int(size/2) || len(s) > int(size/2) {
+		return false
+	}
+	sig := make([]byte, 0, 2*maxGroupSize)
+	prependZeros := func(nonZeroBytes int) {
+		if zeros := int(size/2) - nonZeroBytes; zeros > 0 {
+			sig = append(sig, make([]byte, zeros)...)
+		}
+	}
+	prependZeros(len(r))
+	sig = append(sig, r...)
+	prependZeros(len(s))
+	sig = append(sig, s...)
+	return keyVerify(pub.hkey, nil, hashed, sig, 0) == nil
+}
+
+func encodeDSAKey(h bcrypt.ALG_HANDLE, params DSAParameters, X, Y BigInt) (bcrypt.KEY_HANDLE, error) {
+	keySize := params.keySize()
+	groupSize := params.groupSize()
+	private := X != nil
+	var blob []byte
+	if keySize*8 <= 1024 {
+		size := sizeOfDSABlobHeader + keySize*3
+		hdr := bcrypt.DSA_KEY_BLOB{
+			Magic:   bcrypt.DSA_PUBLIC_MAGIC,
+			KeySize: keySize,
+			Count:   dsaCountNil,
+		}
+		if private {
+			size += uint32(len(hdr.Q)) // private key is always 20 bytes
+			hdr.Magic = bcrypt.DSA_PRIVATE_MAGIC
+		}
+		copy(hdr.Seed[:], dsaSeedNil[:])
+		copy(hdr.Q[:], params.Q[:])
+		blob = make([]byte, size)
+		copy(blob, (*(*[sizeOfDSABlobHeader]byte)(unsafe.Pointer(&hdr)))[:])
+		data := blob[sizeOfDSABlobHeader:]
+		if err := encodeBigInt(data, []sizedBigInt{
+			{params.P, keySize},
+			{params.G, keySize},
+			{Y, keySize},
+			{X, groupSize},
+		}); err != nil {
+			return 0, err
+		}
+	} else {
+		size := sizeOfDSAV2BlobHeader + 3*keySize + 2*groupSize
+		hashAlg := hashAlgFromGroup(int(groupSize))
+		hdr := bcrypt.DSA_KEY_BLOB_V2{
+			Magic:           bcrypt.DSA_PUBLIC_MAGIC_V2,
+			KeySize:         keySize,
+			GroupSize:       groupSize,
+			HashAlgorithm:   hashAlg,
+			StandardVersion: bcrypt.DSA_FIPS186_3,
+			SeedLength:      groupSize, // crypto/dsa doesn't use the seed, but it must be equal to groupSize.
+			Count:           dsaCountNil,
+		}
+		if private {
+			size += groupSize
+			hdr.Magic = bcrypt.DSA_PRIVATE_MAGIC_V2
+		}
+		blob = make([]byte, size)
+		copy(blob, (*(*[sizeOfDSAV2BlobHeader]byte)(unsafe.Pointer(&hdr)))[:])
+		data := blob[sizeOfDSAV2BlobHeader:]
+		if err := encodeBigInt(data, []sizedBigInt{
+			{dsaSeedNil[:], groupSize},
+			{params.Q, groupSize},
+			{params.P, keySize},
+			{params.G, keySize},
+			{Y, keySize},
+			{X, groupSize},
+		}); err != nil {
+			return 0, err
+		}
+	}
+	kind := bcrypt.DSA_PUBLIC_BLOB
+	if private {
+		kind = bcrypt.DSA_PRIVATE_BLOB
+	}
+	var hkey bcrypt.KEY_HANDLE
+	err := bcrypt.ImportKeyPair(h, 0, utf16PtrFromString(kind), &hkey, blob, 0)
+	if err != nil {
+		return 0, err
+	}
+	return hkey, nil
+}
+
+// decodeDSAKey decodes a DSA key. If private is true, the private exponent, X, is also returned.
+func decodeDSAKey(hkey bcrypt.KEY_HANDLE, private bool) (params DSAParameters, X, Y BigInt, err error) {
+	var data []byte
+	consumeBigInt := func(size uint32) BigInt {
+		b := data[:size]
+		data = data[size:]
+		return b
+	}
+	var L uint32
+	L, err = getUint32(bcrypt.HANDLE(hkey), bcrypt.KEY_LENGTH)
+	if err != nil {
+		return
+	}
+	if L <= 1024 {
+		var hdr bcrypt.DSA_KEY_BLOB
+		hdr, data, err = exportDSAKey(hkey, private)
+		if err != nil {
+			return
+		}
+		magic := bcrypt.DSA_PUBLIC_MAGIC
+		if private {
+			magic = bcrypt.DSA_PRIVATE_MAGIC
+		}
+		if hdr.Magic != magic || hdr.KeySize*8 != uint32(L) {
+			err = errors.New("crypto/dsa: exported key is corrupted")
+			return
+		}
+		params = DSAParameters{
+			Q: hdr.Q[:],
+			P: consumeBigInt(hdr.KeySize),
+			G: consumeBigInt(hdr.KeySize),
+		}
+		Y = consumeBigInt(hdr.KeySize)
+		if private {
+			X = consumeBigInt(uint32(len(hdr.Q))) // private key is always 20 bytes
+		}
+	} else {
+		var hdr bcrypt.DSA_KEY_BLOB_V2
+		hdr, data, err = exporDSAV2Key(hkey, private)
+		if err != nil {
+			return
+		}
+		magic := bcrypt.DSA_PUBLIC_MAGIC_V2
+		if private {
+			magic = bcrypt.DSA_PRIVATE_MAGIC_V2
+		}
+		if hdr.Magic != magic || hdr.KeySize*8 != uint32(L) {
+			err = errors.New("crypto/dsa: exported key is corrupted")
+			return
+		}
+		// Discard the seed, crypto/dsa doesn't use it.
+		consumeBigInt(hdr.SeedLength)
+		params = DSAParameters{
+			Q: consumeBigInt(hdr.GroupSize),
+			P: consumeBigInt(hdr.KeySize),
+			G: consumeBigInt(hdr.KeySize),
+		}
+		Y = consumeBigInt(hdr.KeySize)
+		if private {
+			X = consumeBigInt(hdr.GroupSize)
+		}
+	}
+	return params, X, Y, nil
+}
+
+// setDSAParameter sets the DSA parameters for the given key.
+func setDSAParameter(hkey bcrypt.KEY_HANDLE, params DSAParameters) error {
+	keySize := params.keySize()
+	groupSize := params.groupSize()
+	var blob []byte
+	if keySize*8 <= 1024 {
+		blob = make([]byte, sizeOfDSAParamsHeader+keySize*2)
+		hdr := bcrypt.DSA_PARAMETER_HEADER{
+			Length:  uint32(len(blob)),
+			Magic:   bcrypt.DSA_PARAMETERS_MAGIC,
+			KeySize: keySize,
+			Count:   dsaCountNil,
+		}
+		copy(hdr.Seed[:], dsaSeedNil[:])
+		copy(hdr.Q[:], params.Q[:])
+		copy(blob, (*(*[sizeOfDSAParamsHeader]byte)(unsafe.Pointer(&hdr)))[:])
+		data := blob[sizeOfDSAParamsHeader:]
+		if err := encodeBigInt(data, []sizedBigInt{
+			{params.P, keySize},
+			{params.G, keySize},
+		}); err != nil {
+			return err
+		}
+	} else {
+		blob = make([]byte, sizeOfDSAParamsV2Header+2*keySize+2*groupSize)
+		hashAlg := hashAlgFromGroup(int(groupSize))
+		hdr := bcrypt.DSA_PARAMETER_HEADER_V2{
+			Length:          uint32(len(blob)),
+			Magic:           bcrypt.DSA_PARAMETERS_MAGIC_V2,
+			KeySize:         keySize,
+			GroupSize:       groupSize,
+			HashAlgorithm:   hashAlg,
+			StandardVersion: bcrypt.DSA_FIPS186_3,
+			SeedLength:      groupSize, // crypto/dsa doesn't use the seed, but CNG expects it to be groupSize.
+			Count:           dsaCountNil,
+		}
+		copy(blob, (*(*[sizeOfDSAParamsV2Header]byte)(unsafe.Pointer(&hdr)))[:])
+		data := blob[sizeOfDSAParamsV2Header:]
+		if err := encodeBigInt(data, []sizedBigInt{
+			{dsaSeedNil[:], groupSize},
+			{params.Q, groupSize},
+			{params.P, keySize},
+			{params.G, keySize},
+		}); err != nil {
+			return err
+		}
+
+	}
+	return bcrypt.SetProperty(bcrypt.HANDLE(hkey), utf16PtrFromString(bcrypt.DSA_PARAMETERS), blob, 0)
+}
+
+func dsaAdjustHashSize(hkey bcrypt.KEY_HANDLE, hashed []byte, buf []byte) ([]byte, error) {
+	// Windows CNG requires that the hash output and Q match sizes, but we can better
+	// interoperate with other FIPS 186-3 implementations if we perform truncation
+	// here, before sending it to CNG.
+	//
+	// If, on the other hand, Q is too big, we need to left-pad the hash with zeroes
+	// (since it gets treated as a big-endian number).
+	params, _, _, err := decodeDSAKey(hkey, false)
+	if err != nil {
+		return nil, err
+	}
+	groupSize := int(params.groupSize())
+	if groupSize > len(buf) {
+		panic("output buffer too small")
+	}
+	if groupSize == len(hashed) {
+		return hashed, nil
+	}
+	if groupSize < len(hashed) {
+		return hashed[:groupSize], nil
+	}
+	if err := encodeBigInt(buf, []sizedBigInt{
+		{hashed, uint32(groupSize)},
+	}); err != nil {
+		return nil, err
+	}
+	return buf[:groupSize], nil
+}
+
+func hashAlgFromGroup(groupSize int) bcrypt.HASHALGORITHM_ENUM {
+	switch groupSize {
+	case 20:
+		return bcrypt.DSA_HASH_ALGORITHM_SHA1
+	case 32:
+		return bcrypt.DSA_HASH_ALGORITHM_SHA256
+	case 64:
+		return bcrypt.DSA_HASH_ALGORITHM_SHA512
+	default:
+		panic("invalid group size: " + strconv.Itoa(groupSize))
+	}
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/ecdh.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/ecdh.go
new file mode 100644
index 00000000000000..2738728eb1b66f
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/ecdh.go
@@ -0,0 +1,255 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"errors"
+	"runtime"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+const ecdhUncompressedPrefix = 4
+
+var errInvalidPublicKey = errors.New("cng: invalid public key")
+var errInvalidPrivateKey = errors.New("cng: invalid private key")
+
+type ecdhAlgorithm struct {
+	handle bcrypt.ALG_HANDLE
+	bits   uint32
+}
+
+func loadECDH(curve string) (ecdhAlgorithm, error) {
+	return loadOrStoreAlg(bcrypt.ECDH_ALGORITHM, bcrypt.ALG_NONE_FLAG, curve, func(h bcrypt.ALG_HANDLE) (ecdhAlgorithm, error) {
+		var name string
+		var bits uint32
+		switch curve {
+		case "P-256":
+			name, bits = bcrypt.ECC_CURVE_NISTP256, 256
+		case "P-384":
+			name, bits = bcrypt.ECC_CURVE_NISTP384, 384
+		case "P-521":
+			name, bits = bcrypt.ECC_CURVE_NISTP521, 521
+		case "X25519":
+			name, bits = bcrypt.ECC_CURVE_25519, 255
+		default:
+			return ecdhAlgorithm{}, errUnknownCurve
+		}
+		err := setString(bcrypt.HANDLE(h), bcrypt.ECC_CURVE_NAME, name)
+		if err != nil {
+			return ecdhAlgorithm{}, err
+		}
+		return ecdhAlgorithm{h, bits}, nil
+	})
+}
+
+type PublicKeyECDH struct {
+	hkey  bcrypt.KEY_HANDLE
+	bytes []byte
+
+	// priv is only set when PublicKeyECDH is derived from a private key,
+	// in which case priv's finalizer is responsible for freeing hkey.
+	// This ensures priv is not finalized while the public key is alive,
+	// which could cause use-after-free and double-free behavior.
+	priv *PrivateKeyECDH
+}
+
+func (k *PublicKeyECDH) finalize() {
+	if k.priv == nil {
+		bcrypt.DestroyKey(k.hkey)
+	}
+}
+
+type PrivateKeyECDH struct {
+	hkey   bcrypt.KEY_HANDLE
+	isNIST bool
+}
+
+func (k *PrivateKeyECDH) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
+func ECDH(priv *PrivateKeyECDH, pub *PublicKeyECDH) ([]byte, error) {
+	// First establish the shared secret.
+	var secret bcrypt.SECRET_HANDLE
+	err := bcrypt.SecretAgreement(priv.hkey, pub.hkey, &secret, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer bcrypt.DestroySecret(secret)
+
+	// Then we need to export the raw shared secret from the secret opaque handler.
+	// The only way to do it is using BCryptDeriveKey with BCRYPT_KDF_RAW_SECRET as key derivation function (KDF).
+	// Unfortunately, this KDF is supported starting from Windows 10.
+	kdf := utf16PtrFromString(bcrypt.KDF_RAW_SECRET)
+	var size uint32
+	err = bcrypt.DeriveKey(secret, kdf, nil, nil, &size, 0)
+	if err != nil {
+		return nil, err
+	}
+	agreedSecret := make([]byte, size)
+	err = bcrypt.DeriveKey(secret, kdf, nil, agreedSecret, &size, 0)
+	if err != nil {
+		return nil, err
+	}
+
+	// The raw shared secret is little-endian but Go expects big-endian.
+	// Reverse the slice in-place.
+	inputMid := size / 2
+	for i := uint32(0); i < inputMid; i++ {
+		j := size - i - 1
+		agreedSecret[i], agreedSecret[j] = agreedSecret[j], agreedSecret[i]
+	}
+	runtime.KeepAlive(priv)
+	runtime.KeepAlive(pub)
+	return agreedSecret, nil
+}
+
+func GenerateKeyECDH(curve string) (*PrivateKeyECDH, []byte, error) {
+	h, err := loadECDH(curve)
+	if err != nil {
+		return nil, nil, err
+	}
+	var hkey bcrypt.KEY_HANDLE
+	err = bcrypt.GenerateKeyPair(h.handle, &hkey, h.bits, 0)
+	if err != nil {
+		return nil, nil, err
+	}
+	// The key cannot be used until BCryptFinalizeKeyPair has been called.
+	err = bcrypt.FinalizeKeyPair(hkey, 0)
+	if err != nil {
+		bcrypt.DestroyKey(hkey)
+		return nil, nil, err
+	}
+
+	// GenerateKeyECDH returns the private key as a byte slice.
+	// To get it we need to export the raw CNG key bytes.
+	hdr, bytes, err := exportECCKey(hkey, true)
+	if err != nil {
+		bcrypt.DestroyKey(hkey)
+		return nil, nil, err
+	}
+	// Only take the private component of the key,
+	// which is the last of the three equally-sized chunks.
+	bytes = bytes[hdr.KeySize*2:]
+
+	k := &PrivateKeyECDH{hkey, isNIST(curve)}
+	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
+	return k, bytes, nil
+}
+
+func NewPublicKeyECDH(curve string, bytes []byte) (*PublicKeyECDH, error) {
+	// Reject the point at infinity and compressed encodings.
+	// The first byte is always the key encoding.
+	nist := isNIST(curve)
+	if len(bytes) == 0 || (nist && bytes[0] != ecdhUncompressedPrefix) {
+		return nil, errInvalidPublicKey
+	}
+	h, err := loadECDH(curve)
+	if err != nil {
+		return nil, err
+	}
+	// Remove the encoding byte, if any. BCrypt doesn't want it
+	// and it only support uncompressed points anyway.
+	var keyWithoutEncoding []byte
+	var ncomponents int
+	if nist {
+		ncomponents = 2
+		keyWithoutEncoding = bytes[1:]
+	} else {
+		ncomponents = 1
+		keyWithoutEncoding = bytes
+	}
+	keySize := int(h.bits+7) / 8
+	if len(keyWithoutEncoding) != keySize*ncomponents {
+		return nil, errInvalidPublicKey
+	}
+	hkey, err := importECCKey(h.handle, bcrypt.ECDH_ALGORITHM, h.bits, keyWithoutEncoding[:keySize], keyWithoutEncoding[keySize:], nil)
+	if err != nil {
+		return nil, err
+	}
+	k := &PublicKeyECDH{hkey, append([]byte(nil), bytes...), nil}
+	runtime.SetFinalizer(k, (*PublicKeyECDH).finalize)
+	return k, nil
+}
+
+func (k *PublicKeyECDH) Bytes() []byte { return k.bytes }
+
+func NewPrivateKeyECDH(curve string, key []byte) (*PrivateKeyECDH, error) {
+	h, err := loadECDH(curve)
+	if err != nil {
+		return nil, err
+	}
+	keySize := int(h.bits+7) / 8
+	if len(key) != keySize {
+		return nil, errInvalidPrivateKey
+	}
+	nist := isNIST(curve)
+	if !nist {
+		key = convertX25519PrivKey(key)
+	}
+	// CNG allows to import private ECC keys without defining X/Y,
+	// in which case those will be generated from D.
+	// To trigger this behavior we pass a zeroed X/Y with keySize length.
+	// zero is big enough to fit P-521 curves, the largest we handle, in the stack.
+	var zero [(521 + 7) / 8]byte
+	hkey, err := importECCKey(h.handle, bcrypt.ECDH_ALGORITHM, h.bits, zero[:keySize], zero[:keySize], key)
+	if err != nil {
+		return nil, err
+	}
+	k := &PrivateKeyECDH{hkey, nist}
+	runtime.SetFinalizer(k, (*PrivateKeyECDH).finalize)
+	return k, nil
+}
+
+func (k *PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) {
+	defer runtime.KeepAlive(k)
+	hdr, data, err := exportECCKey(k.hkey, false)
+	if err != nil {
+		return nil, err
+	}
+	var bytes []byte
+	if k.isNIST {
+		// Include X and Y.
+		bytes = append([]byte{ecdhUncompressedPrefix}, data...)
+	} else {
+		// Only include X.
+		bytes = data[:hdr.KeySize]
+	}
+	pub := &PublicKeyECDH{k.hkey, bytes, k}
+	runtime.SetFinalizer(pub, (*PublicKeyECDH).finalize)
+	return pub, nil
+}
+
+func isNIST(curve string) bool {
+	return curve != "X25519"
+}
+
+func convertX25519PrivKey(key []byte) []byte {
+	// CNG consume private X25519 keys using a slightly non-standard representation that don't affect the end result.
+	// https://github.com/microsoft/SymCrypt/blob/e875f1f957dcb1308f8e712e9f4a8edc6f4f6207/inc/symcrypt.h#L4670
+	// Go internal X25519 implementation also uses this representation, but a raw private key is also accepted.
+	// https://github.com/golang/go/blob/e246cf626d1768ab56fa9eeafe4d23266e956ef6/src/crypto/ecdh/x25519.go#L90-L92
+
+	// Copy the private key so we don't modify the original.
+	var e [32]byte
+
+	copy(e[:], key[:])
+
+	// Convert to DivHTimesH format by
+	// clearing the last three bits of the least significant byte,
+	// which is the same as applying h*(s/(h mod GOrd)) where
+	// s = key, h = 0x08, GOrd (cbSubgroupOrder) = 0x20.
+	// h and GOrd values taken from
+	// https://github.com/microsoft/SymCrypt/blob/e875f1f957dcb1308f8e712e9f4a8edc6f4f6207/lib/ec_internal_curves.c#L496.
+	e[0] &= 248 // 0b1111_1000
+
+	// Apply the High bit restrictions by clearing the bit 255 and setting the bit 254.
+	e[31] &= 127 // 0b0111_1111
+	e[31] |= 64  // 0b0100_0000
+	return e[:]
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/ecdsa.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/ecdsa.go
new file mode 100644
index 00000000000000..586e9ae2ebb0c9
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/ecdsa.go
@@ -0,0 +1,169 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"errors"
+	"runtime"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+var errUnknownCurve = errors.New("cng: unknown elliptic curve")
+
+type ecdsaAlgorithm struct {
+	handle bcrypt.ALG_HANDLE
+	bits   uint32
+}
+
+func loadECDSA(curve string) (ecdsaAlgorithm, error) {
+	return loadOrStoreAlg(bcrypt.ECDSA_ALGORITHM, bcrypt.ALG_NONE_FLAG, curve, func(h bcrypt.ALG_HANDLE) (ecdsaAlgorithm, error) {
+		var name string
+		var bits uint32
+		switch curve {
+		case "P-224":
+			name, bits = bcrypt.ECC_CURVE_NISTP224, 224
+		case "P-256":
+			name, bits = bcrypt.ECC_CURVE_NISTP256, 256
+		case "P-384":
+			name, bits = bcrypt.ECC_CURVE_NISTP384, 384
+		case "P-521":
+			name, bits = bcrypt.ECC_CURVE_NISTP521, 521
+		default:
+			return ecdsaAlgorithm{}, errUnknownCurve
+		}
+		err := setString(bcrypt.HANDLE(h), bcrypt.ECC_CURVE_NAME, name)
+		if err != nil {
+			return ecdsaAlgorithm{}, err
+		}
+		return ecdsaAlgorithm{h, bits}, nil
+	})
+}
+
+func GenerateKeyECDSA(curve string) (X, Y, D BigInt, err error) {
+	var h ecdsaAlgorithm
+	h, err = loadECDSA(curve)
+	if err != nil {
+		return
+	}
+	var hkey bcrypt.KEY_HANDLE
+	err = bcrypt.GenerateKeyPair(h.handle, &hkey, h.bits, 0)
+	if err != nil {
+		return
+	}
+	defer bcrypt.DestroyKey(hkey)
+	// The key cannot be used until BCryptFinalizeKeyPair has been called.
+	err = bcrypt.FinalizeKeyPair(hkey, 0)
+	if err != nil {
+		return
+	}
+	hdr, data, err := exportECCKey(hkey, true)
+	if err != nil {
+		return
+	}
+	consumeBigInt := func(size uint32) BigInt {
+		b := data[:size]
+		data = data[size:]
+		return b
+	}
+	X = consumeBigInt(hdr.KeySize)
+	Y = consumeBigInt(hdr.KeySize)
+	D = consumeBigInt(hdr.KeySize)
+	return
+}
+
+type PublicKeyECDSA struct {
+	hkey bcrypt.KEY_HANDLE
+}
+
+func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) {
+	h, err := loadECDSA(curve)
+	if err != nil {
+		return nil, err
+	}
+	hkey, err := importECCKey(h.handle, bcrypt.ECDSA_ALGORITHM, h.bits, X, Y, nil)
+	if err != nil {
+		return nil, err
+	}
+	k := &PublicKeyECDSA{hkey}
+	runtime.SetFinalizer(k, (*PublicKeyECDSA).finalize)
+	return k, nil
+}
+
+func (k *PublicKeyECDSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
+type PrivateKeyECDSA struct {
+	hkey bcrypt.KEY_HANDLE
+}
+
+func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error) {
+	h, err := loadECDSA(curve)
+	if err != nil {
+		return nil, err
+	}
+	hkey, err := importECCKey(h.handle, bcrypt.ECDSA_ALGORITHM, h.bits, X, Y, D)
+	if err != nil {
+		return nil, err
+	}
+	k := &PrivateKeyECDSA{hkey}
+	runtime.SetFinalizer(k, (*PrivateKeyECDSA).finalize)
+	return k, nil
+}
+
+func (k *PrivateKeyECDSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
+// SignECDSA signs a hash (which should be the result of hashing a larger message),
+// using the private key, priv.
+//
+// We provide this function instead of a boring.SignMarshalECDSA equivalent
+// because BCryptSignHash returns the signature encoded using P1363 instead of ASN.1,
+// so we would have to transform P1363 to ASN.1 using encoding/asn1, which we can't import here,
+// only to be decoded into raw big.Int by the caller.
+func SignECDSA(priv *PrivateKeyECDSA, hash []byte) (r, s BigInt, err error) {
+	defer runtime.KeepAlive(priv)
+	sig, err := keySign(priv.hkey, nil, hash, bcrypt.PAD_UNDEFINED)
+	if err != nil {
+		return nil, nil, err
+	}
+	// BCRYPTSignHash generates ECDSA signatures in P1363 format,
+	// which is simply (r, s), each of them exactly half of the array.
+	if len(sig)%2 != 0 {
+		return nil, nil, errors.New("crypto/ecdsa: invalid signature size from bcrypt")
+	}
+	return sig[:len(sig)/2], sig[len(sig)/2:], nil
+}
+
+// VerifyECDSA verifies the signature in r, s of hash using the public key, pub.
+func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, r, s BigInt) bool {
+	defer runtime.KeepAlive(pub)
+	sizeBits, err := getUint32(bcrypt.HANDLE(pub.hkey), bcrypt.KEY_LENGTH)
+	if err != nil {
+		return false
+	}
+	size := int(sizeBits+7) / 8
+	// r and s might be shorter than size
+	// if the original big number contained leading zeros,
+	// but they must not be longer than the public key size.
+	if len(r) > size || len(s) > size {
+		return false
+	}
+	sig := make([]byte, 0, size*2)
+	prependZeros := func(nonZeroBytes int) {
+		if zeros := size - nonZeroBytes; zeros > 0 {
+			sig = append(sig, make([]byte, zeros)...)
+		}
+	}
+	prependZeros(len(r))
+	sig = append(sig, r...)
+	prependZeros(len(s))
+	sig = append(sig, s...)
+	return keyVerify(pub.hkey, nil, hash, sig, bcrypt.PAD_UNDEFINED) == nil
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go
new file mode 100644
index 00000000000000..b97e638e4a98ed
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hash.go
@@ -0,0 +1,325 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"bytes"
+	"crypto"
+	"errors"
+	"hash"
+	"runtime"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+// maxHashSize is the size of SHA512 and SHA3_512, the largest hashes we support.
+const maxHashSize = 64
+
+// SupportsHash returns true if a hash.Hash implementation is supported for h.
+func SupportsHash(h crypto.Hash) bool {
+	switch h {
+	case crypto.MD4, crypto.MD5, crypto.SHA1, crypto.SHA256, crypto.SHA384, crypto.SHA512:
+		return true
+	case crypto.SHA3_256:
+		_, err := loadHash(bcrypt.SHA3_256_ALGORITHM, bcrypt.ALG_NONE_FLAG)
+		return err == nil
+	case crypto.SHA3_384:
+		_, err := loadHash(bcrypt.SHA3_384_ALGORITHM, bcrypt.ALG_NONE_FLAG)
+		return err == nil
+	case crypto.SHA3_512:
+		_, err := loadHash(bcrypt.SHA3_512_ALGORITHM, bcrypt.ALG_NONE_FLAG)
+		return err == nil
+	}
+	return false
+}
+
+func hashOneShot(id string, p, sum []byte) error {
+	h, err := loadHash(id, 0)
+	if err != nil {
+		return err
+	}
+	return bcrypt.Hash(h.handle, nil, p, sum)
+}
+
+func MD4(p []byte) (sum [16]byte) {
+	if err := hashOneShot(bcrypt.MD4_ALGORITHM, p, sum[:]); err != nil {
+		panic("bcrypt: MD4 failed")
+	}
+	return
+}
+
+func MD5(p []byte) (sum [16]byte) {
+	if err := hashOneShot(bcrypt.MD5_ALGORITHM, p, sum[:]); err != nil {
+		panic("bcrypt: MD5 failed")
+	}
+	return
+}
+
+func SHA1(p []byte) (sum [20]byte) {
+	if err := hashOneShot(bcrypt.SHA1_ALGORITHM, p, sum[:]); err != nil {
+		panic("bcrypt: SHA1 failed")
+	}
+	return
+}
+
+func SHA256(p []byte) (sum [32]byte) {
+	if err := hashOneShot(bcrypt.SHA256_ALGORITHM, p, sum[:]); err != nil {
+		panic("bcrypt: SHA256 failed")
+	}
+	return
+}
+
+func SHA384(p []byte) (sum [48]byte) {
+	if err := hashOneShot(bcrypt.SHA384_ALGORITHM, p, sum[:]); err != nil {
+		panic("bcrypt: SHA384 failed")
+	}
+	return
+}
+
+func SHA512(p []byte) (sum [64]byte) {
+	if err := hashOneShot(bcrypt.SHA512_ALGORITHM, p, sum[:]); err != nil {
+		panic("bcrypt: SHA512 failed")
+	}
+	return
+}
+
+// NewMD4 returns a new MD4 hash.
+func NewMD4() hash.Hash {
+	return newHashX(bcrypt.MD4_ALGORITHM, bcrypt.ALG_NONE_FLAG, nil)
+}
+
+// NewMD5 returns a new MD5 hash.
+func NewMD5() hash.Hash {
+	return newHashX(bcrypt.MD5_ALGORITHM, bcrypt.ALG_NONE_FLAG, nil)
+}
+
+// NewSHA1 returns a new SHA1 hash.
+func NewSHA1() hash.Hash {
+	return newHashX(bcrypt.SHA1_ALGORITHM, bcrypt.ALG_NONE_FLAG, nil)
+}
+
+// NewSHA256 returns a new SHA256 hash.
+func NewSHA256() hash.Hash {
+	return newHashX(bcrypt.SHA256_ALGORITHM, bcrypt.ALG_NONE_FLAG, nil)
+}
+
+// NewSHA384 returns a new SHA384 hash.
+func NewSHA384() hash.Hash {
+	return newHashX(bcrypt.SHA384_ALGORITHM, bcrypt.ALG_NONE_FLAG, nil)
+}
+
+// NewSHA512 returns a new SHA512 hash.
+func NewSHA512() hash.Hash {
+	return newHashX(bcrypt.SHA512_ALGORITHM, bcrypt.ALG_NONE_FLAG, nil)
+}
+
+type hashAlgorithm struct {
+	handle    bcrypt.ALG_HANDLE
+	id        string
+	size      uint32
+	blockSize uint32
+}
+
+func loadHash(id string, flags bcrypt.AlgorithmProviderFlags) (*hashAlgorithm, error) {
+	return loadOrStoreAlg(id, flags, "", func(h bcrypt.ALG_HANDLE) (*hashAlgorithm, error) {
+		size, err := getUint32(bcrypt.HANDLE(h), bcrypt.HASH_LENGTH)
+		if err != nil {
+			return nil, err
+		}
+		blockSize, err := getUint32(bcrypt.HANDLE(h), bcrypt.HASH_BLOCK_LENGTH)
+		if err != nil {
+			return nil, err
+		}
+		return &hashAlgorithm{h, id, size, blockSize}, nil
+	})
+}
+
+// hashToID converts a hash.Hash implementation from this package
+// to a CNG hash ID
+func hashToID(h hash.Hash) string {
+	hx, ok := h.(*hashX)
+	if !ok {
+		return ""
+	}
+	return hx.alg.id
+}
+
+// cloneHash is an interface that defines a Clone method.
+//
+// hash.CloneHash will probably be added in Go 1.25, see https://golang.org/issue/69521,
+// but we need it now.
+type cloneHash interface {
+	hash.Hash
+	// Clone returns a separate Hash instance with the same state as h.
+	Clone() hash.Hash
+}
+
+var _ hash.Hash = (*hashX)(nil)
+var _ cloneHash = (*hashX)(nil)
+
+// hashX implements [hash.Hash].
+type hashX struct {
+	alg *hashAlgorithm
+	ctx bcrypt.HASH_HANDLE
+
+	key []byte
+}
+
+// newHashX returns a new hash.Hash using the specified algorithm.
+func newHashX(id string, flag bcrypt.AlgorithmProviderFlags, key []byte) *hashX {
+	alg, err := loadHash(id, flag)
+	if err != nil {
+		panic(err)
+	}
+	h := &hashX{alg: alg, key: bytes.Clone(key)}
+	// Don't call bcrypt.CreateHash yet, it would be wasteful
+	// if the caller only wants to know the hash type. This
+	// is a common pattern in this package, as some functions
+	// accept a `func() hash.Hash` parameter and call it just
+	// to know the hash type.
+	return h
+}
+
+func (h *hashX) finalize() {
+	bcrypt.DestroyHash(h.ctx)
+}
+
+func (h *hashX) init() {
+	defer runtime.KeepAlive(h)
+	if h.ctx != 0 {
+		return
+	}
+	err := bcrypt.CreateHash(h.alg.handle, &h.ctx, nil, h.key, bcrypt.HASH_REUSABLE_FLAG)
+	if err != nil {
+		panic(err)
+	}
+	runtime.SetFinalizer(h, (*hashX).finalize)
+}
+
+func (h *hashX) Clone() hash.Hash {
+	defer runtime.KeepAlive(h)
+	h2 := &hashX{alg: h.alg, key: bytes.Clone(h.key)}
+	if h.ctx != 0 {
+		hashClone(h.ctx, &h2.ctx)
+		runtime.SetFinalizer(h2, (*hashX).finalize)
+	}
+	return h2
+}
+
+func (h *hashX) Reset() {
+	defer runtime.KeepAlive(h)
+	if h.ctx != 0 {
+		hashReset(h.ctx, h.Size())
+	}
+}
+
+func (h *hashX) Write(p []byte) (n int, err error) {
+	defer runtime.KeepAlive(h)
+	h.init()
+	hashData(h.ctx, p)
+	return len(p), nil
+}
+
+func (h *hashX) WriteString(s string) (int, error) {
+	defer runtime.KeepAlive(h)
+	return h.Write(unsafe.Slice(unsafe.StringData(s), len(s)))
+}
+
+func (h *hashX) WriteByte(c byte) error {
+	defer runtime.KeepAlive(h)
+	h.init()
+	hashByte(h.ctx, c)
+	return nil
+}
+
+func (h *hashX) Sum(in []byte) []byte {
+	defer runtime.KeepAlive(h)
+	h.init()
+	return hashSum(h.ctx, h.Size(), in)
+}
+
+func (h *hashX) Size() int {
+	return int(h.alg.size)
+}
+
+func (h *hashX) BlockSize() int {
+	return int(h.alg.blockSize)
+}
+
+func (hx *hashX) MarshalBinary() ([]byte, error) {
+	return nil, errors.New("cng: hash state is not marshallable")
+}
+
+func (hx *hashX) AppendBinary(b []byte) ([]byte, error) {
+	return nil, errors.New("cng: hash state is not marshallable")
+}
+
+func (hx *hashX) UnmarshalBinary(data []byte) error {
+	return errors.New("cng: hash state is not marshallable")
+}
+
+// hashData writes p to ctx. It panics on error.
+func hashData(ctx bcrypt.HASH_HANDLE, p []byte) {
+	var n int
+	var err error
+	for n < len(p) && err == nil {
+		nn := len32(p[n:])
+		err = bcrypt.HashData(ctx, p[n:n+nn], 0)
+		n += nn
+	}
+	if err != nil {
+		panic(err)
+	}
+}
+
+// hashByte writes c to ctx. It panics on error.
+func hashByte(ctx bcrypt.HASH_HANDLE, c byte) {
+	err := bcrypt.HashDataRaw(ctx, &c, 1, 0)
+	if err != nil {
+		panic(err)
+	}
+}
+
+// hashSum writes the hash of ctx to in and returns the result.
+// size is the size of the hash output.
+// It panics on error.
+func hashSum(ctx bcrypt.HASH_HANDLE, size int, in []byte) []byte {
+	var ctx2 bcrypt.HASH_HANDLE
+	err := bcrypt.DuplicateHash(ctx, &ctx2, nil, 0)
+	if err != nil {
+		panic(err)
+	}
+	defer bcrypt.DestroyHash(ctx2)
+	buf := make([]byte, size, maxHashSize) // explicit cap to allow stack allocation
+	err = bcrypt.FinishHash(ctx2, buf, 0)
+	if err != nil {
+		panic(err)
+	}
+	return append(in, buf...)
+}
+
+// hashReset resets the hash state of ctx.
+// size is the size of the hash output.
+// It panics on error.
+func hashReset(ctx bcrypt.HASH_HANDLE, size int) {
+	// bcrypt.FinishHash expects the output buffer to match the hash size.
+	// We don't care about the output, so we just pass a stack-allocated buffer
+	// that is large enough to hold the largest hash size we support.
+	var discard [maxHashSize]byte
+	if err := bcrypt.FinishHash(ctx, discard[:size], 0); err != nil {
+		panic(err)
+	}
+}
+
+// hashClone clones ctx into ctx2. It panics on error.
+func hashClone(ctx bcrypt.HASH_HANDLE, ctx2 *bcrypt.HASH_HANDLE) {
+	err := bcrypt.DuplicateHash(ctx, ctx2, nil, 0)
+	if err != nil {
+		panic(err)
+	}
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hkdf.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hkdf.go
new file mode 100644
index 00000000000000..20bcc79a46ba0d
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hkdf.go
@@ -0,0 +1,124 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"encoding/binary"
+	"errors"
+	"hash"
+	"runtime"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+func SupportsHKDF() bool {
+	_, err := loadHKDF()
+	return err == nil
+}
+
+func loadHKDF() (bcrypt.ALG_HANDLE, error) {
+	return loadOrStoreAlg(bcrypt.HKDF_ALGORITHM, bcrypt.ALG_NONE_FLAG, "", func(h bcrypt.ALG_HANDLE) (bcrypt.ALG_HANDLE, error) {
+		return h, nil
+	})
+}
+
+func newHKDF(h func() hash.Hash, secret, salt []byte, info []byte) (bcrypt.KEY_HANDLE, error) {
+	ch := h()
+	hashID := hashToID(ch)
+	if hashID == "" {
+		return 0, errors.New("cng: unsupported hash function")
+	}
+	alg, err := loadHKDF()
+	if err != nil {
+		return 0, err
+	}
+	var kh bcrypt.KEY_HANDLE
+	if err := bcrypt.GenerateSymmetricKey(alg, &kh, nil, secret, 0); err != nil {
+		return 0, err
+	}
+	if err := setString(bcrypt.HANDLE(kh), bcrypt.HKDF_HASH_ALGORITHM, hashID); err != nil {
+		bcrypt.DestroyKey(kh)
+		return 0, err
+	}
+	if salt != nil {
+		// Used for Extract.
+		err = bcrypt.SetProperty(bcrypt.HANDLE(kh), utf16PtrFromString(bcrypt.HKDF_SALT_AND_FINALIZE), salt, 0)
+	} else {
+		// Used for Expand.
+		err = bcrypt.SetProperty(bcrypt.HANDLE(kh), utf16PtrFromString(bcrypt.HKDF_PRK_AND_FINALIZE), nil, 0)
+	}
+	if err != nil {
+		bcrypt.DestroyKey(kh)
+		return 0, err
+	}
+	return kh, nil
+}
+
+func ExtractHKDF(h func() hash.Hash, secret, salt []byte) ([]byte, error) {
+	if salt == nil {
+		// Replicate x/crypto/hkdf behavior.
+		salt = make([]byte, h().Size())
+	}
+	kh, err := newHKDF(h, secret, salt, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer bcrypt.DestroyKey(kh)
+	hdr, blob, err := exportKeyData(kh)
+	if err != nil {
+		return nil, err
+	}
+	if hdr.Version != bcrypt.KEY_DATA_BLOB_VERSION1 {
+		return nil, errors.New("cng: unknown key data blob version")
+	}
+	// KEY_DATA_BLOB_VERSION1 format is:
+	// cbHashName uint32 // Big-endian
+	// pHashName [cbHash]byte
+	// key []byte // Rest of the blob
+	if len(blob) < 4 {
+		return nil, errors.New("cng: exported key is corrupted")
+	}
+	cbHashName := binary.BigEndian.Uint32(blob)
+	blob = blob[4:]
+	if len(blob) < int(cbHashName) {
+		return nil, errors.New("cng: exported key is corrupted")
+	}
+	// Skip pHashName.
+	return blob[cbHashName:], nil
+}
+
+// ExpandHKDF derives a key from the given hash, key, and optional context info.
+func ExpandHKDF(h func() hash.Hash, pseudorandomKey, info []byte, keyLength int) ([]byte, error) {
+	kh, err := newHKDF(h, pseudorandomKey, nil, info)
+	if err != nil {
+		return nil, err
+	}
+	defer bcrypt.DestroyKey(kh)
+	out := make([]byte, keyLength)
+	var params *bcrypt.BufferDesc
+	if len(info) > 0 {
+		params = &bcrypt.BufferDesc{
+			Count: 1,
+			Buffers: &bcrypt.Buffer{
+				Length: uint32(len(info)),
+				Type:   bcrypt.KDF_HKDF_INFO,
+				Data:   uintptr(unsafe.Pointer(&info[0])),
+			},
+		}
+		defer runtime.KeepAlive(params)
+	}
+	var n uint32
+	err = bcrypt.KeyDerivation(kh, params, out, &n, 0)
+	if err != nil {
+		return nil, err
+	}
+	if int(n) != keyLength {
+		return nil, errors.New("cng: key derivation returned unexpected length")
+	}
+	return out, err
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hmac.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hmac.go
new file mode 100644
index 00000000000000..2d9fd36ce7252e
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/hmac.go
@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"hash"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+// NewHMAC returns a new HMAC using BCrypt.
+// The function h must return a hash implemented by
+// CNG (for example, h could be cng.NewSHA256).
+// If h is not recognized, NewHMAC returns nil.
+func NewHMAC(h func() hash.Hash, key []byte) hash.Hash {
+	ch := h()
+	id := hashToID(ch)
+	if id == "" {
+		return nil
+	}
+	if len(key) > ch.BlockSize() {
+		// Keys longer than BlockSize are first hashed using
+		// the same hash function, according to RFC 2104, Section 3.
+		// BCrypt already does that, but if we hash the key on our side
+		// we avoid allocating unnecessary memory and
+		// allow keys longer than math.MaxUint32 bytes.
+		ch.Write(key)
+		key = ch.Sum(nil)
+	}
+	return newHashX(id, bcrypt.ALG_HANDLE_HMAC_FLAG, key)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/keys.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/keys.go
new file mode 100644
index 00000000000000..bc150a7bd39272
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/keys.go
@@ -0,0 +1,220 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"errors"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+const (
+	sizeOfECCBlobHeader     = uint32(unsafe.Sizeof(bcrypt.ECCKEY_BLOB{}))
+	sizeOfRSABlobHeader     = uint32(unsafe.Sizeof(bcrypt.RSAKEY_BLOB{}))
+	sizeOfKeyDataBlobHeader = uint32(unsafe.Sizeof(bcrypt.KEY_DATA_BLOB_HEADER{}))
+	sizeOfDSABlobHeader     = uint32(unsafe.Sizeof(bcrypt.DSA_KEY_BLOB{}))
+	sizeOfDSAV2BlobHeader   = uint32(unsafe.Sizeof(bcrypt.DSA_KEY_BLOB_V2{}))
+	sizeOfDSAParamsHeader   = uint32(unsafe.Sizeof(bcrypt.DSA_PARAMETER_HEADER{}))
+	sizeOfDSAParamsV2Header = uint32(unsafe.Sizeof(bcrypt.DSA_PARAMETER_HEADER_V2{}))
+)
+
+// exportDSAKey exports hkey into a bcrypt.DSA_KEY_BLOB header and data.
+func exportDSAKey(hkey bcrypt.KEY_HANDLE, private bool) (bcrypt.DSA_KEY_BLOB, []byte, error) {
+	var magic string
+	if private {
+		magic = bcrypt.DSA_PRIVATE_BLOB
+	} else {
+		magic = bcrypt.DSA_PUBLIC_BLOB
+	}
+	blob, err := exportKey(hkey, magic)
+	if err != nil {
+		return bcrypt.DSA_KEY_BLOB{}, nil, err
+	}
+	if len(blob) < int(sizeOfDSABlobHeader) {
+		return bcrypt.DSA_KEY_BLOB{}, nil, errors.New("cng: exported key is corrupted")
+	}
+	hdr := (*(*bcrypt.DSA_KEY_BLOB)(unsafe.Pointer(&blob[0])))
+	return hdr, blob[sizeOfDSABlobHeader:], nil
+}
+
+// exporDSAV2Key exports hkey into a bcrypt.DSA_KEY_BLOB_V2 header and data.
+func exporDSAV2Key(hkey bcrypt.KEY_HANDLE, private bool) (bcrypt.DSA_KEY_BLOB_V2, []byte, error) {
+	var magic string
+	if private {
+		magic = bcrypt.DSA_PRIVATE_BLOB
+	} else {
+		magic = bcrypt.DSA_PUBLIC_BLOB
+	}
+	blob, err := exportKey(hkey, magic)
+	if err != nil {
+		return bcrypt.DSA_KEY_BLOB_V2{}, nil, err
+	}
+	if len(blob) < int(sizeOfDSAV2BlobHeader) {
+		return bcrypt.DSA_KEY_BLOB_V2{}, nil, errors.New("cng: exported key is corrupted")
+	}
+	hdr := (*(*bcrypt.DSA_KEY_BLOB_V2)(unsafe.Pointer(&blob[0])))
+	return hdr, blob[sizeOfDSAV2BlobHeader:], nil
+}
+
+// exportRSAKey exports hkey into a bcrypt.ECCKEY_BLOB header and data.
+func exportECCKey(hkey bcrypt.KEY_HANDLE, private bool) (bcrypt.ECCKEY_BLOB, []byte, error) {
+	var magic string
+	if private {
+		magic = bcrypt.ECCPRIVATE_BLOB
+	} else {
+		magic = bcrypt.ECCPUBLIC_BLOB
+	}
+	blob, err := exportKey(hkey, magic)
+	if err != nil {
+		return bcrypt.ECCKEY_BLOB{}, nil, err
+	}
+	if len(blob) < int(sizeOfECCBlobHeader) {
+		return bcrypt.ECCKEY_BLOB{}, nil, errors.New("cng: exported key is corrupted")
+	}
+	hdr := (*(*bcrypt.ECCKEY_BLOB)(unsafe.Pointer(&blob[0])))
+	return hdr, blob[sizeOfECCBlobHeader:], nil
+}
+
+// exportRSAKey exports hkey into a bcrypt.RSAKEY_BLOB header and data.
+func exportRSAKey(hkey bcrypt.KEY_HANDLE, private bool) (bcrypt.RSAKEY_BLOB, []byte, error) {
+	var magic string
+	if private {
+		magic = bcrypt.RSAFULLPRIVATE_BLOB
+	} else {
+		magic = bcrypt.RSAPUBLIC_KEY_BLOB
+	}
+	blob, err := exportKey(hkey, magic)
+	if err != nil {
+		return bcrypt.RSAKEY_BLOB{}, nil, err
+	}
+	if len(blob) < int(sizeOfRSABlobHeader) {
+		return bcrypt.RSAKEY_BLOB{}, nil, errors.New("cng: exported key is corrupted")
+	}
+	hdr := (*(*bcrypt.RSAKEY_BLOB)(unsafe.Pointer(&blob[0])))
+	return hdr, blob[sizeOfRSABlobHeader:], nil
+}
+
+// exportKeyData exports hkey into a bcrypt.KEY_DATA_BLOB_HEADER header and data.
+func exportKeyData(hkey bcrypt.KEY_HANDLE) (bcrypt.KEY_DATA_BLOB_HEADER, []byte, error) {
+	blob, err := exportKey(hkey, bcrypt.KEY_DATA_BLOB)
+	if err != nil {
+		return bcrypt.KEY_DATA_BLOB_HEADER{}, nil, err
+	}
+	if len(blob) < int(sizeOfKeyDataBlobHeader) {
+		return bcrypt.KEY_DATA_BLOB_HEADER{}, nil, errors.New("cng: exported key is corrupted")
+	}
+	hdr := (*(*bcrypt.KEY_DATA_BLOB_HEADER)(unsafe.Pointer(&blob[0])))
+	if hdr.Magic != bcrypt.KEY_DATA_BLOB_MAGIC {
+		return bcrypt.KEY_DATA_BLOB_HEADER{}, nil, errors.New("cng: unknown key format")
+	}
+	return hdr, blob[sizeOfKeyDataBlobHeader : sizeOfKeyDataBlobHeader+hdr.Length], nil
+}
+
+// exportKey exports hkey to a memory blob.
+func exportKey(hkey bcrypt.KEY_HANDLE, magic string) ([]byte, error) {
+	psBlobType := utf16PtrFromString(magic)
+	var size uint32
+	err := bcrypt.ExportKey(hkey, 0, psBlobType, nil, &size, 0)
+	if err != nil {
+		return nil, err
+	}
+	blob := make([]byte, size)
+	err = bcrypt.ExportKey(hkey, 0, psBlobType, blob, &size, 0)
+	if err != nil {
+		return nil, err
+	}
+	return blob, err
+}
+
+// importECCKey imports a public/private key pair from the given parameters.
+// If D is nil, only the public components will be populated.
+func importECCKey(h bcrypt.ALG_HANDLE, id string, bits uint32, X, Y, D BigInt) (bcrypt.KEY_HANDLE, error) {
+	blob, err := encodeECCKey(id, bits, X, Y, D)
+	if err != nil {
+		return 0, err
+	}
+	var kind string
+	if D == nil {
+		kind = bcrypt.ECCPUBLIC_BLOB
+	} else {
+		kind = bcrypt.ECCPRIVATE_BLOB
+	}
+	var hkey bcrypt.KEY_HANDLE
+	err = bcrypt.ImportKeyPair(h, 0, utf16PtrFromString(kind), &hkey, blob, 0)
+	if err != nil {
+		return 0, err
+	}
+	return hkey, nil
+}
+
+// encodeECCKey generates a bcrypt.ECCKEY_BLOB from the given parameters.
+func encodeECCKey(id string, bits uint32, X, Y, D BigInt) ([]byte, error) {
+	var hdr bcrypt.ECCKEY_BLOB
+	hdr.KeySize = (bits + 7) / 8
+	if len(X) > int(hdr.KeySize) || len(Y) > int(hdr.KeySize) || len(D) > int(hdr.KeySize) {
+		return nil, errors.New("cng: invalid parameters")
+	}
+	switch id {
+	case bcrypt.ECDSA_ALGORITHM:
+		if D == nil {
+			hdr.Magic = bcrypt.ECDSA_PUBLIC_GENERIC_MAGIC
+		} else {
+			hdr.Magic = bcrypt.ECDSA_PRIVATE_GENERIC_MAGIC
+		}
+	case bcrypt.ECDH_ALGORITHM:
+		if D == nil {
+			hdr.Magic = bcrypt.ECDH_PUBLIC_GENERIC_MAGIC
+		} else {
+			hdr.Magic = bcrypt.ECDH_PRIVATE_GENERIC_MAGIC
+		}
+	default:
+		panic("unsupported key ID: " + id)
+	}
+	var blob []byte
+	if D == nil {
+		blob = make([]byte, sizeOfECCBlobHeader+hdr.KeySize*2)
+	} else {
+		blob = make([]byte, sizeOfECCBlobHeader+hdr.KeySize*3)
+	}
+	copy(blob, (*(*[sizeOfECCBlobHeader]byte)(unsafe.Pointer(&hdr)))[:])
+	data := blob[sizeOfECCBlobHeader:]
+	err := encodeBigInt(data, []sizedBigInt{
+		{X, hdr.KeySize}, {Y, hdr.KeySize},
+		{D, hdr.KeySize},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return blob, nil
+}
+
+// sizedBigInt defines a big integer with
+// a size that can be different from the
+// one provided by len(b).
+type sizedBigInt struct {
+	b    BigInt
+	size uint32
+}
+
+// encodeBigInt encodes ints into data.
+// It stops iterating over ints when it finds one nil element.
+func encodeBigInt(data []byte, ints []sizedBigInt) error {
+	for _, v := range ints {
+		if v.b == nil {
+			return nil
+		}
+		// b might be shorter than size if the original big number contained leading zeros.
+		leadingZeros := int(v.size) - len(v.b)
+		if leadingZeros < 0 {
+			return errors.New("cng: invalid parameters")
+		}
+		copy(data[leadingZeros:], v.b)
+		data = data[v.size:]
+	}
+	return nil
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/pbkdf2.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/pbkdf2.go
new file mode 100644
index 00000000000000..5466b180e60e5a
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/pbkdf2.go
@@ -0,0 +1,70 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"errors"
+	"hash"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+func loadPBKDF2() (bcrypt.ALG_HANDLE, error) {
+	return loadOrStoreAlg(bcrypt.PBKDF2_ALGORITHM, bcrypt.ALG_NONE_FLAG, "", func(h bcrypt.ALG_HANDLE) (bcrypt.ALG_HANDLE, error) {
+		return h, nil
+	})
+}
+
+func PBKDF2(password, salt []byte, iter, keyLen int, h func() hash.Hash) ([]byte, error) {
+	ch := h()
+	hashID := hashToID(ch)
+	if hashID == "" {
+		return nil, errors.New("cng: unsupported hash function")
+	}
+	alg, err := loadPBKDF2()
+	if err != nil {
+		return nil, err
+	}
+	var kh bcrypt.KEY_HANDLE
+	if err := bcrypt.GenerateSymmetricKey(alg, &kh, nil, password, 0); err != nil {
+		return nil, err
+	}
+	defer bcrypt.DestroyKey(kh)
+	u16HashID := utf16FromString(hashID)
+	buffers := make([]bcrypt.Buffer, 0, 3)
+	buffers = append(buffers,
+		bcrypt.Buffer{
+			Type:   bcrypt.KDF_ITERATION_COUNT,
+			Data:   uintptr(unsafe.Pointer(&iter)),
+			Length: 8,
+		},
+		bcrypt.Buffer{
+			Type:   bcrypt.KDF_HASH_ALGORITHM,
+			Data:   uintptr(unsafe.Pointer(&u16HashID[0])),
+			Length: uint32(len(u16HashID) * 2),
+		})
+	if len(salt) > 0 {
+		// The salt is optional.
+		buffers = append(buffers, bcrypt.Buffer{
+			Type:   bcrypt.KDF_SALT,
+			Data:   uintptr(unsafe.Pointer(&salt[0])),
+			Length: uint32(len(salt)),
+		})
+	}
+	params := &bcrypt.BufferDesc{
+		Count:   uint32(len(buffers)),
+		Buffers: &buffers[0],
+	}
+	out := make([]byte, keyLen)
+	var size uint32
+	err = bcrypt.KeyDerivation(kh, params, out, &size, 0)
+	if err != nil {
+		return nil, err
+	}
+	return out[:size], nil
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/rand.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/rand.go
new file mode 100644
index 00000000000000..cdd845ab5bea98
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/rand.go
@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+type randReader int
+
+func (randReader) Read(b []byte) (int, error) {
+	if len(b) == 0 {
+		return 0, nil
+	}
+	n := len32(b)
+	const flags = bcrypt.USE_SYSTEM_PREFERRED_RNG
+	err := bcrypt.GenRandom(0, b[:n], flags)
+	if err != nil {
+		return 0, err
+	}
+	return n, nil
+}
+
+const RandReader = randReader(0)
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/rc4.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/rc4.go
new file mode 100644
index 00000000000000..f484a3e2211e04
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/rc4.go
@@ -0,0 +1,65 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"runtime"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+	"github.com/microsoft/go-crypto-winnative/internal/subtle"
+)
+
+// A RC4Cipher is an instance of RC4 using a particular key.
+type RC4Cipher struct {
+	kh bcrypt.KEY_HANDLE
+}
+
+// NewRC4Cipher creates and returns a new Cipher.
+func NewRC4Cipher(key []byte) (*RC4Cipher, error) {
+	kh, err := newCipherHandle(bcrypt.RC4_ALGORITHM, "", key)
+	if err != nil {
+		return nil, err
+	}
+	c := &RC4Cipher{kh: kh}
+	runtime.SetFinalizer(c, (*RC4Cipher).finalize)
+	return c, nil
+}
+
+func (c *RC4Cipher) finalize() {
+	if c.kh != 0 {
+		bcrypt.DestroyKey(c.kh)
+	}
+}
+
+// Reset zeros the key data and makes the Cipher unusable.
+func (c *RC4Cipher) Reset() {
+	bcrypt.DestroyKey(c.kh)
+	c.kh = 0
+}
+
+// XORKeyStream sets dst to the result of XORing src with the key stream.
+// Dst and src must overlap entirely or not at all.
+func (c *RC4Cipher) XORKeyStream(dst, src []byte) {
+	if c.kh == 0 || len(src) == 0 {
+		return
+	}
+	// rc4.Cipher.XORKeyStream throws an out of bounds panic if
+	// dst is smaller than src. Replicate the same behavior here.
+	_ = dst[len(src)-1]
+
+	if subtle.InexactOverlap(dst[:len(src)], src) {
+		panic("crypto/rc4: invalid buffer overlap")
+	}
+	var outLen uint32
+	if err := bcrypt.Encrypt(c.kh, src, nil, nil, dst, &outLen, 0); err != nil {
+		panic("crypto/rc4: encryption failed: " + err.Error())
+	}
+	if int(outLen) != len(src) {
+		panic("crypto/rc4: src not fully XORed")
+	}
+	runtime.KeepAlive(c)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/rsa.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/rsa.go
new file mode 100644
index 00000000000000..0269f9cf86539e
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/rsa.go
@@ -0,0 +1,396 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"crypto"
+	"errors"
+	"hash"
+	"runtime"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+type rsaAlgorithm struct {
+	handle            bcrypt.ALG_HANDLE
+	allowedKeyLengths bcrypt.KEY_LENGTHS_STRUCT
+}
+
+func loadRsa() (rsaAlgorithm, error) {
+	return loadOrStoreAlg(bcrypt.RSA_ALGORITHM, bcrypt.ALG_NONE_FLAG, "", func(h bcrypt.ALG_HANDLE) (rsaAlgorithm, error) {
+		lengths, err := getKeyLengths(bcrypt.HANDLE(h))
+		if err != nil {
+			return rsaAlgorithm{}, err
+		}
+		return rsaAlgorithm{h, lengths}, nil
+	})
+}
+
+func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) {
+	bad := func(e error) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) {
+		return nil, nil, nil, nil, nil, nil, nil, nil, e
+	}
+	h, err := loadRsa()
+	if err != nil {
+		return bad(err)
+	}
+	if !keyIsAllowed(h.allowedKeyLengths, uint32(bits)) {
+		return bad(errors.New("crypto/rsa: invalid key size"))
+	}
+	var hkey bcrypt.KEY_HANDLE
+	err = bcrypt.GenerateKeyPair(h.handle, &hkey, uint32(bits), 0)
+	if err != nil {
+		return bad(err)
+	}
+	defer bcrypt.DestroyKey(hkey)
+	// The key cannot be used until BcryptFinalizeKeyPair has been called.
+	err = bcrypt.FinalizeKeyPair(hkey, 0)
+	if err != nil {
+		return bad(err)
+	}
+
+	hdr, data, err := exportRSAKey(hkey, true)
+	if err != nil {
+		return bad(err)
+	}
+	if hdr.Magic != bcrypt.RSAFULLPRIVATE_MAGIC || hdr.BitLength != uint32(bits) {
+		return bad(errors.New("crypto/rsa: exported key is corrupted"))
+	}
+	consumeBigInt := func(size uint32) BigInt {
+		b := data[:size]
+		data = data[size:]
+		return b
+	}
+	E = consumeBigInt(hdr.PublicExpSize)
+	N = consumeBigInt(hdr.ModulusSize)
+	P = consumeBigInt(hdr.Prime1Size)
+	Q = consumeBigInt(hdr.Prime2Size)
+	Dp = consumeBigInt(hdr.Prime1Size)
+	Dq = consumeBigInt(hdr.Prime2Size)
+	Qinv = consumeBigInt(hdr.Prime1Size)
+	D = consumeBigInt(hdr.ModulusSize)
+	return
+}
+
+type PublicKeyRSA struct {
+	hkey bcrypt.KEY_HANDLE
+	bits uint32
+}
+
+func NewPublicKeyRSA(N, E BigInt) (*PublicKeyRSA, error) {
+	h, err := loadRsa()
+	if err != nil {
+		return nil, err
+	}
+	if !keyIsAllowed(h.allowedKeyLengths, uint32(len(N)*8)) {
+		return nil, errors.New("crypto/rsa: invalid key size")
+	}
+	hkey, err := importRSAKey(h.handle, N, E, nil, nil, nil, nil, nil, nil)
+	if err != nil {
+		return nil, err
+	}
+	k := &PublicKeyRSA{hkey, uint32(N.bitLen())}
+	runtime.SetFinalizer(k, (*PublicKeyRSA).finalize)
+	return k, nil
+}
+
+func (k *PublicKeyRSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
+type PrivateKeyRSA struct {
+	hkey bcrypt.KEY_HANDLE
+	bits uint32
+}
+
+func (k *PrivateKeyRSA) finalize() {
+	bcrypt.DestroyKey(k.hkey)
+}
+
+func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv BigInt) (*PrivateKeyRSA, error) {
+	h, err := loadRsa()
+	if err != nil {
+		return nil, err
+	}
+	if !keyIsAllowed(h.allowedKeyLengths, uint32(len(N)*8)) {
+		return nil, errors.New("crypto/rsa: invalid key size")
+	}
+	hkey, err := importRSAKey(h.handle, N, E, D, P, Q, Dp, Dq, Qinv)
+	if err != nil {
+		return nil, err
+	}
+	k := &PrivateKeyRSA{hkey, uint32(N.bitLen())}
+	runtime.SetFinalizer(k, (*PrivateKeyRSA).finalize)
+	return k, nil
+}
+
+func importRSAKey(h bcrypt.ALG_HANDLE, N, E, D, P, Q, Dp, Dq, Qinv BigInt) (bcrypt.KEY_HANDLE, error) {
+	blob, err := encodeRSAKey(N, E, D, P, Q, Dp, Dq, Qinv)
+	if err != nil {
+		return 0, err
+	}
+	var kind string
+	if D == nil {
+		kind = bcrypt.RSAPUBLIC_KEY_BLOB
+	} else {
+		kind = bcrypt.RSAFULLPRIVATE_BLOB
+	}
+	var hkey bcrypt.KEY_HANDLE
+	err = bcrypt.ImportKeyPair(h, 0, utf16PtrFromString(kind), &hkey, blob, 0)
+	if err != nil {
+		return 0, err
+	}
+	return hkey, nil
+}
+
+func encodeRSAKey(N, E, D, P, Q, Dp, Dq, Qinv BigInt) ([]byte, error) {
+	hdr := bcrypt.RSAKEY_BLOB{
+		BitLength:     uint32(len(N) * 8),
+		PublicExpSize: uint32(len(E)),
+		ModulusSize:   uint32(len(N)),
+	}
+	var blob []byte
+	if D == nil {
+		hdr.Magic = bcrypt.RSAPUBLIC_MAGIC
+		blob = make([]byte, sizeOfRSABlobHeader+hdr.PublicExpSize+hdr.ModulusSize)
+	} else {
+		if P == nil || Q == nil {
+			// This case can happen when the key has been generated with more than 2 primes.
+			// CNG only supports 2-prime keys.
+			return nil, errors.New("crypto/rsa: unsupported private key")
+		}
+		hdr.Magic = bcrypt.RSAFULLPRIVATE_MAGIC
+		hdr.Prime1Size = uint32(len(P))
+		hdr.Prime2Size = uint32(len(Q))
+		blob = make([]byte, sizeOfRSABlobHeader+hdr.PublicExpSize+hdr.ModulusSize*2+hdr.Prime1Size*3+hdr.Prime2Size*2)
+	}
+	copy(blob, (*(*[sizeOfRSABlobHeader]byte)(unsafe.Pointer(&hdr)))[:])
+	data := blob[sizeOfRSABlobHeader:]
+	err := encodeBigInt(data, []sizedBigInt{
+		{E, hdr.PublicExpSize}, {N, hdr.ModulusSize},
+		{P, hdr.Prime1Size}, {Q, hdr.Prime2Size},
+		{Dp, hdr.Prime1Size}, {Dq, hdr.Prime2Size},
+		{Qinv, hdr.Prime1Size}, {D, hdr.ModulusSize},
+	})
+	if err != nil {
+		return nil, err
+	}
+	return blob, nil
+}
+
+func DecryptRSAOAEP(h hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) {
+	defer runtime.KeepAlive(priv)
+	return rsaOAEP(h, priv.hkey, ciphertext, label, false)
+}
+
+func EncryptRSAOAEP(h hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) {
+	defer runtime.KeepAlive(pub)
+	return rsaOAEP(h, pub.hkey, msg, label, true)
+}
+
+func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
+	defer runtime.KeepAlive(priv)
+	return rsaCrypt(priv.hkey, nil, ciphertext, bcrypt.PAD_PKCS1, false)
+}
+
+func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
+	defer runtime.KeepAlive(pub)
+	return rsaCrypt(pub.hkey, nil, msg, bcrypt.PAD_PKCS1, true)
+}
+
+func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) {
+	defer runtime.KeepAlive(priv)
+	return rsaCrypt(priv.hkey, nil, ciphertext, bcrypt.PAD_NONE, false)
+
+}
+
+func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) {
+	defer runtime.KeepAlive(pub)
+	return rsaCrypt(pub.hkey, nil, msg, bcrypt.PAD_NONE, true)
+}
+
+func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) {
+	defer runtime.KeepAlive(priv)
+	info, err := newPSS_PADDING_INFO(h, priv.bits, saltLen, true)
+	if err != nil {
+		return nil, err
+	}
+	return keySign(priv.hkey, unsafe.Pointer(&info), hashed, bcrypt.PAD_PSS)
+}
+
+func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error {
+	defer runtime.KeepAlive(pub)
+	info, err := newPSS_PADDING_INFO(h, pub.bits, saltLen, false)
+	if err != nil {
+		return err
+	}
+	return keyVerify(pub.hkey, unsafe.Pointer(&info), hashed, sig, bcrypt.PAD_PSS)
+}
+
+// SignRSAPKCS1v15 calculates the signature of hashed using
+// RSASSA-PKCS1-V1_5-SIGN from RSA PKCS #1 v1.5.  Note that hashed must
+// be the result of hashing the input message using the given hash
+// function. If hash is zero, hashed is signed directly.
+func SignRSAPKCS1v15(priv *PrivateKeyRSA, hash crypto.Hash, hashed []byte) ([]byte, error) {
+	defer runtime.KeepAlive(priv)
+	if hash != crypto.Hash(0) {
+		if len(hashed) != hash.Size() {
+			return nil, errors.New("crypto/rsa: input must be hashed message")
+		}
+	}
+	info, err := newPKCS1_PADDING_INFO(hash)
+	if err != nil {
+		return nil, err
+	}
+	return keySign(priv.hkey, unsafe.Pointer(&info), hashed, bcrypt.PAD_PKCS1)
+}
+
+// VerifyPKCS1v15 verifies an RSA PKCS #1 v1.5 signature.
+// hashed is the result of hashing the input message using the given hash
+// function and sig is the signature. A valid signature is indicated by
+// returning a nil error. If hash is zero then hashed is used directly.
+func VerifyRSAPKCS1v15(pub *PublicKeyRSA, hash crypto.Hash, hashed, sig []byte) error {
+	defer runtime.KeepAlive(pub)
+	if hash != crypto.Hash(0) {
+		if len(hashed) != hash.Size() {
+			return errors.New("crypto/rsa: input must be hashed message")
+		}
+	}
+	info, err := newPKCS1_PADDING_INFO(hash)
+	if err != nil {
+		return err
+	}
+	return keyVerify(pub.hkey, unsafe.Pointer(&info), hashed, sig, bcrypt.PAD_PKCS1)
+}
+
+func rsaCrypt(pkey bcrypt.KEY_HANDLE, info unsafe.Pointer, in []byte, flags bcrypt.PadMode, encrypt bool) ([]byte, error) {
+	var size uint32
+	var err error
+	if encrypt {
+		err = bcrypt.Encrypt(pkey, in, info, nil, nil, &size, flags)
+	} else {
+		err = bcrypt.Decrypt(pkey, in, info, nil, nil, &size, flags)
+	}
+	if err != nil {
+		return nil, err
+	}
+	out := make([]byte, size)
+	if encrypt {
+		err = bcrypt.Encrypt(pkey, in, info, nil, out, &size, flags)
+	} else {
+		err = bcrypt.Decrypt(pkey, in, info, nil, out, &size, flags)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return out[:size], nil
+}
+
+func rsaOAEP(h hash.Hash, pkey bcrypt.KEY_HANDLE, in, label []byte, encrypt bool) ([]byte, error) {
+	hashID := hashToID(h)
+	if hashID == "" {
+		return nil, errors.New("crypto/rsa: unsupported hash function")
+	}
+	info := bcrypt.OAEP_PADDING_INFO{
+		AlgId:     utf16PtrFromString(hashID),
+		LabelSize: uint32(len(label)),
+	}
+	if len(label) > 0 {
+		info.Label = &label[0]
+	}
+	return rsaCrypt(pkey, unsafe.Pointer(&info), in, bcrypt.PAD_OAEP, encrypt)
+}
+
+func keySign(pkey bcrypt.KEY_HANDLE, info unsafe.Pointer, hashed []byte, flags bcrypt.PadMode) ([]byte, error) {
+	var size uint32
+	err := bcrypt.SignHash(pkey, info, hashed, nil, &size, flags)
+	if err != nil {
+		return nil, err
+	}
+	out := make([]byte, size)
+	err = bcrypt.SignHash(pkey, info, hashed, out, &size, flags)
+	if err != nil {
+		return nil, err
+	}
+	return out[:size], nil
+}
+
+func keyVerify(pkey bcrypt.KEY_HANDLE, info unsafe.Pointer, hashed, sig []byte, flags bcrypt.PadMode) error {
+	return bcrypt.VerifySignature(pkey, info, hashed, sig, flags)
+}
+
+func newPSS_PADDING_INFO(h crypto.Hash, sizeBits uint32, saltLen int, sign bool) (info bcrypt.PSS_PADDING_INFO, err error) {
+	hashID := cryptoHashToID(h)
+	if hashID == "" {
+		return info, errors.New("crypto/rsa: unsupported hash function")
+	}
+	info.AlgId = utf16PtrFromString(hashID)
+
+	// A salt length of -1 and 0 are valid Go sentinel values.
+	if saltLen <= -2 {
+		return info, errors.New("crypto/rsa: invalid PSS salt length")
+	}
+	// CNG does not support salt length special cases like Go crypto does,
+	// so we do a best-effort to resolve them.
+	switch saltLen {
+	case -1: // rsa.PSSSaltLengthEqualsHash
+		info.Salt = uint32(h.Size())
+	case 0: // rsa.PSSSaltLengthAuto
+		if sign {
+			// Algorithm taken from RFC 3447 Section 9.1.1, which is also implemented by Go at
+			// https://github.com/golang/go/blob/54182ff54a687272dd7632c3a963e036ce03cb7c/src/crypto/rsa/pss.go#L288.
+			emLen := (sizeBits - 1 + 7) / 8
+			hLen := uint32(h.Size())
+			info.Salt = emLen - hLen - 2
+		} else {
+			// Go auto-detects the salt length from the signature structure when verifying.
+			// The auto-detection logic is deep in the verification process,
+			// we can't replicate it without exhaustive validation.
+			err = errors.New("crypto/rsa: rsa.PSSSaltLengthAuto not supported")
+		}
+	default:
+		info.Salt = uint32(saltLen)
+	}
+	return
+}
+
+func newPKCS1_PADDING_INFO(h crypto.Hash) (bcrypt.PKCS1_PADDING_INFO, error) {
+	var alg *uint16
+	switch h {
+	case 0:
+		// Unpadded RSA signatures, no need to set the hash algorithm.
+	case crypto.MD5SHA1:
+		// The MD5SHA1 hash is not supported by CNG, but the AlgId field
+		// is only used to pad the signature with the hash OID, and
+		// PKCS1 has historically used a null OID for MD5SHA1.
+		// This is a special case for compatibility with TLS 1.0/1.1.
+	default:
+		hashID := cryptoHashToID(h)
+		if hashID == "" {
+			return bcrypt.PKCS1_PADDING_INFO{}, errors.New("crypto/rsa: unsupported hash function")
+		}
+		alg = utf16PtrFromString(hashID)
+	}
+	return bcrypt.PKCS1_PADDING_INFO{AlgId: alg}, nil
+}
+
+func cryptoHashToID(ch crypto.Hash) string {
+	switch ch {
+	case crypto.MD5:
+		return bcrypt.MD5_ALGORITHM
+	case crypto.SHA1:
+		return bcrypt.SHA1_ALGORITHM
+	case crypto.SHA256:
+		return bcrypt.SHA256_ALGORITHM
+	case crypto.SHA384:
+		return bcrypt.SHA384_ALGORITHM
+	case crypto.SHA512:
+		return bcrypt.SHA512_ALGORITHM
+	}
+	return ""
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/sha3.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/sha3.go
new file mode 100644
index 00000000000000..15c1345475a3b1
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/sha3.go
@@ -0,0 +1,311 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"errors"
+	"hash"
+	"runtime"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+// SumSHA3_256 returns the SHA3-256 checksum of the data.
+func SumSHA3_256(p []byte) (sum [32]byte) {
+	if err := hashOneShot(bcrypt.SHA3_256_ALGORITHM, p, sum[:]); err != nil {
+		panic("bcrypt: SHA3_256 failed")
+	}
+	return
+}
+
+// SumSHA3_384 returns the SHA3-384 checksum of the data.
+func SumSHA3_384(p []byte) (sum [48]byte) {
+	if err := hashOneShot(bcrypt.SHA3_384_ALGORITHM, p, sum[:]); err != nil {
+		panic("bcrypt: SHA3_384 failed")
+	}
+	return
+}
+
+// SumSHA3_512 returns the SHA3-512 checksum of the data.
+func SumSHA3_512(p []byte) (sum [64]byte) {
+	if err := hashOneShot(bcrypt.SHA3_512_ALGORITHM, p, sum[:]); err != nil {
+		panic("bcrypt: SHA3_512 failed")
+	}
+	return
+}
+
+// SumSHAKE128 applies the SHAKE128 extendable output function to data and
+// returns an output of the given length in bytes.
+func SumSHAKE128(data []byte, length int) []byte {
+	out := make([]byte, length)
+	if err := hashOneShot(bcrypt.CSHAKE128_ALGORITHM, data, out); err != nil {
+		panic("bcrypt: CSHAKE128_ALGORITHM failed")
+	}
+	return out
+}
+
+// SumSHAKE256 applies the SHAKE256 extendable output function to data and
+// returns an output of the given length in bytes.
+func SumSHAKE256(data []byte, length int) []byte {
+	out := make([]byte, length)
+	if err := hashOneShot(bcrypt.CSHAKE256_ALGORITHM, data, out); err != nil {
+		panic("bcrypt: CSHAKE256_ALGORITHM failed")
+	}
+	return out
+}
+
+// SupportsSHAKE returns true if the SHAKE and CSHAKE extendable output functions
+// with the given securityBits are supported.
+func SupportsSHAKE(securityBits int) bool {
+	var id string
+	switch securityBits {
+	case 128:
+		id = bcrypt.CSHAKE128_ALGORITHM
+	case 256:
+		id = bcrypt.CSHAKE256_ALGORITHM
+	default:
+		return false
+	}
+	_, err := loadHash(id, bcrypt.ALG_NONE_FLAG)
+	return err == nil
+}
+
+var _ hash.Hash = (*DigestSHA3)(nil)
+var _ cloneHash = (*DigestSHA3)(nil)
+
+// DigestSHA3 is the [sha3.SHA3] implementation using the CNG API.
+type DigestSHA3 struct {
+	alg *hashAlgorithm
+	ctx bcrypt.HASH_HANDLE
+}
+
+// newDigestSHA3 returns a new hash.Hash using the specified algorithm.
+func newDigestSHA3(id string) *DigestSHA3 {
+	alg, err := loadHash(id, bcrypt.ALG_NONE_FLAG)
+	if err != nil {
+		panic(err)
+	}
+	h := &DigestSHA3{alg: alg}
+	// Don't call bcrypt.CreateHash yet, it would be wasteful
+	// if the caller only wants to know the hash type. This
+	// is a common pattern in this package, as some functions
+	// accept a `func() hash.Hash` parameter and call it just
+	// to know the hash type.
+	return h
+}
+
+func (h *DigestSHA3) finalize() {
+	bcrypt.DestroyHash(h.ctx)
+}
+
+func (h *DigestSHA3) init() {
+	defer runtime.KeepAlive(h)
+	if h.ctx != 0 {
+		return
+	}
+	err := bcrypt.CreateHash(h.alg.handle, &h.ctx, nil, nil, bcrypt.HASH_REUSABLE_FLAG)
+	if err != nil {
+		panic(err)
+	}
+	runtime.SetFinalizer(h, (*DigestSHA3).finalize)
+}
+
+func (h *DigestSHA3) Clone() hash.Hash {
+	defer runtime.KeepAlive(h)
+	h2 := &DigestSHA3{alg: h.alg}
+	if h.ctx != 0 {
+		hashClone(h.ctx, &h2.ctx)
+		runtime.SetFinalizer(h2, (*DigestSHA3).finalize)
+	}
+	return h2
+}
+
+func (h *DigestSHA3) Reset() {
+	defer runtime.KeepAlive(h)
+	if h.ctx != 0 {
+		hashReset(h.ctx, h.Size())
+	}
+}
+
+func (h *DigestSHA3) Write(p []byte) (n int, err error) {
+	defer runtime.KeepAlive(h)
+	h.init()
+	hashData(h.ctx, p)
+	return len(p), nil
+}
+
+func (h *DigestSHA3) WriteString(s string) (int, error) {
+	defer runtime.KeepAlive(h)
+	return h.Write(unsafe.Slice(unsafe.StringData(s), len(s)))
+}
+
+func (h *DigestSHA3) WriteByte(c byte) error {
+	defer runtime.KeepAlive(h)
+	h.init()
+	hashByte(h.ctx, c)
+	return nil
+}
+
+func (h *DigestSHA3) Sum(in []byte) []byte {
+	defer runtime.KeepAlive(h)
+	h.init()
+	return hashSum(h.ctx, h.Size(), in)
+}
+
+func (h *DigestSHA3) Size() int {
+	return int(h.alg.size)
+}
+
+func (h *DigestSHA3) BlockSize() int {
+	return int(h.alg.blockSize)
+}
+
+func (ds *DigestSHA3) MarshalBinary() ([]byte, error) {
+	return nil, errors.New("cng: hash state is not marshallable")
+}
+
+func (ds *DigestSHA3) AppendBinary(b []byte) ([]byte, error) {
+	return nil, errors.New("cng: hash state is not marshallable")
+}
+
+func (ds *DigestSHA3) UnmarshalBinary(data []byte) error {
+	return errors.New("cng: hash state is not marshallable")
+}
+
+// NewSHA3_256 returns a new SHA256 hash.
+func NewSHA3_256() *DigestSHA3 {
+	return newDigestSHA3(bcrypt.SHA3_256_ALGORITHM)
+}
+
+// NewSHA3_384 returns a new SHA384 hash.
+func NewSHA3_384() *DigestSHA3 {
+	return newDigestSHA3(bcrypt.SHA3_384_ALGORITHM)
+}
+
+// NewSHA3_512 returns a new SHA512 hash.
+func NewSHA3_512() *DigestSHA3 {
+	return newDigestSHA3(bcrypt.SHA3_512_ALGORITHM)
+}
+
+// SHAKE is an instance of a SHAKE extendable output function.
+type SHAKE struct {
+	ctx       bcrypt.HASH_HANDLE
+	blockSize uint32
+}
+
+func newShake(id string, N, S []byte) *SHAKE {
+	alg, err := loadHash(id, bcrypt.ALG_NONE_FLAG)
+	if err != nil {
+		panic(err)
+	}
+	h := &SHAKE{blockSize: alg.blockSize}
+	err = bcrypt.CreateHash(alg.handle, &h.ctx, nil, nil, bcrypt.HASH_REUSABLE_FLAG)
+	if err != nil {
+		panic(err)
+	}
+	if len(N) != 0 {
+		if err := bcrypt.SetProperty(bcrypt.HANDLE(h.ctx), utf16PtrFromString(bcrypt.FUNCTION_NAME_STRING), N, 0); err != nil {
+			panic(err)
+		}
+	}
+	if len(S) != 0 {
+		if err := bcrypt.SetProperty(bcrypt.HANDLE(h.ctx), utf16PtrFromString(bcrypt.CUSTOMIZATION_STRING), S, 0); err != nil {
+			panic(err)
+		}
+	}
+	runtime.SetFinalizer(h, (*SHAKE).finalize)
+	return h
+}
+
+// NewSHAKE128 creates a new SHAKE128 XOF.
+func NewSHAKE128() *SHAKE {
+	return newShake(bcrypt.CSHAKE128_ALGORITHM, nil, nil)
+}
+
+// NewSHAKE256 creates a new SHAKE256 XOF.
+func NewSHAKE256() *SHAKE {
+	return newShake(bcrypt.CSHAKE256_ALGORITHM, nil, nil)
+}
+
+// NewCSHAKE128 creates a new cSHAKE128 XOF.
+//
+// N is used to define functions based on cSHAKE, it can be empty when plain
+// cSHAKE is desired. S is a customization byte string used for domain
+// separation. When N and S are both empty, this is equivalent to NewSHAKE128.
+func NewCSHAKE128(N, S []byte) *SHAKE {
+	return newShake(bcrypt.CSHAKE128_ALGORITHM, N, S)
+}
+
+// NewCSHAKE256 creates a new cSHAKE256 XOF.
+//
+// N is used to define functions based on cSHAKE, it can be empty when plain
+// cSHAKE is desired. S is a customization byte string used for domain
+// separation. When N and S are both empty, this is equivalent to NewSHAKE256.
+func NewCSHAKE256(N, S []byte) *SHAKE {
+	return newShake(bcrypt.CSHAKE256_ALGORITHM, N, S)
+}
+
+func (h *SHAKE) finalize() {
+	bcrypt.DestroyHash(h.ctx)
+}
+
+// Write absorbs more data into the XOF's state.
+//
+// It panics if any output has already been read.
+func (s *SHAKE) Write(p []byte) (n int, err error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+	defer runtime.KeepAlive(s)
+	hashData(s.ctx, p)
+	return len(p), nil
+}
+
+// Read squeezes more output from the XOF.
+//
+// Any call to Write after a call to Read will panic.
+func (s *SHAKE) Read(p []byte) (n int, err error) {
+	if len(p) == 0 {
+		return 0, nil
+	}
+	defer runtime.KeepAlive(s)
+	for n < len(p) && err == nil {
+		nn := len32(p[n:])
+		err = bcrypt.FinishHash(s.ctx, p[n:n+nn], bcrypt.HASH_DONT_RESET_FLAG)
+		n += nn
+	}
+	if err != nil {
+		panic(err)
+	}
+	return len(p), nil
+}
+
+// Reset resets the XOF to its initial state.
+func (s *SHAKE) Reset() {
+	defer runtime.KeepAlive(s)
+	// SHAKE has a variable size, CNG doesn't change the size of the hash
+	// when resetting, so we can pass a small value here.
+	hashReset(s.ctx, 1)
+}
+
+// BlockSize returns the rate of the XOF.
+func (s *SHAKE) BlockSize() int {
+	return int(s.blockSize)
+}
+
+func (s *SHAKE) MarshalBinary() ([]byte, error) {
+	return nil, errors.New("cng: hash state is not marshallable")
+}
+
+func (s *SHAKE) AppendBinary(b []byte) ([]byte, error) {
+	return nil, errors.New("cng: hash state is not marshallable")
+}
+
+func (s *SHAKE) UnmarshalBinary(data []byte) error {
+	return errors.New("cng: hash state is not marshallable")
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/cng/tls1prf.go b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/tls1prf.go
new file mode 100644
index 00000000000000..5a3fb01606ef95
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/cng/tls1prf.go
@@ -0,0 +1,88 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:build windows
+// +build windows
+
+package cng
+
+import (
+	"errors"
+	"hash"
+	"unsafe"
+
+	"github.com/microsoft/go-crypto-winnative/internal/bcrypt"
+)
+
+func loadTLS1PRF(id string) (bcrypt.ALG_HANDLE, error) {
+	return loadOrStoreAlg(id, bcrypt.ALG_NONE_FLAG, "", func(h bcrypt.ALG_HANDLE) (bcrypt.ALG_HANDLE, error) {
+		return h, nil
+	})
+}
+
+// TLS1PRF implements the TLS 1.0/1.1 pseudo-random function if h is nil,
+// else it implements the TLS 1.2 pseudo-random function.
+// The pseudo-random number will be written to result and will be of length len(result).
+func TLS1PRF(result, secret, label, seed []byte, h func() hash.Hash) error {
+	// TLS 1.0/1.1 PRF uses MD5SHA1.
+	algID := bcrypt.TLS1_1_KDF_ALGORITHM
+	var hashID string
+	if h != nil {
+		// If h is specified, assume the caller wants to use TLS 1.2 PRF.
+		// TLS 1.0/1.1 PRF doesn't allow specifying the hash function.
+		if hashID = hashToID(h()); hashID == "" {
+			return errors.New("cng: unsupported hash function")
+		}
+		algID = bcrypt.TLS1_2_KDF_ALGORITHM
+	}
+
+	alg, err := loadTLS1PRF(algID)
+	if err != nil {
+		return err
+	}
+	var kh bcrypt.KEY_HANDLE
+	if err := bcrypt.GenerateSymmetricKey(alg, &kh, nil, secret, 0); err != nil {
+		return err
+	}
+
+	buffers := make([]bcrypt.Buffer, 0, 3)
+	if len(label) > 0 {
+		buffers = append(buffers, bcrypt.Buffer{
+			Type:   bcrypt.KDF_TLS_PRF_LABEL,
+			Data:   uintptr(unsafe.Pointer(&label[0])),
+			Length: uint32(len(label)),
+		})
+	}
+	if len(seed) > 0 {
+		buffers = append(buffers, bcrypt.Buffer{
+			Type:   bcrypt.KDF_TLS_PRF_SEED,
+			Data:   uintptr(unsafe.Pointer(&seed[0])),
+			Length: uint32(len(seed)),
+		})
+	}
+	if algID == bcrypt.TLS1_2_KDF_ALGORITHM {
+		u16HashID := utf16FromString(hashID)
+		buffers = append(buffers, bcrypt.Buffer{
+			Type:   bcrypt.KDF_HASH_ALGORITHM,
+			Data:   uintptr(unsafe.Pointer(&u16HashID[0])),
+			Length: uint32(len(u16HashID) * 2),
+		})
+	}
+	params := &bcrypt.BufferDesc{
+		Count:   uint32(len(buffers)),
+		Buffers: &buffers[0],
+	}
+	var size uint32
+	err = bcrypt.KeyDerivation(kh, params, result, &size, 0)
+	if err != nil {
+		return err
+	}
+	// The Go standard library expects TLS1PRF to return the requested number of bytes,
+	// fail if it doesn't. While there is no known situation where this will happen,
+	// BCryptKeyDerivation handles multiple algorithms and there could be a subtle mismatch
+	// after more code changes in the future.
+	if size != uint32(len(result)) {
+		return errors.New("tls1-prf: derived less bytes than requested")
+	}
+	return nil
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/bcrypt_windows.go b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/bcrypt_windows.go
new file mode 100644
index 00000000000000..7d34e6661d3086
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/bcrypt_windows.go
@@ -0,0 +1,368 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+//go:generate go run github.com/microsoft/go-crypto-winnative/cmd/mksyscall -output zsyscall_windows.go bcrypt_windows.go
+
+// Package bcrypt implements interop with bcrypt.dll, a component of Windows CNG.
+// See https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/
+//
+// Note: this package is not related to the bcrypt password hashing algorithm.
+package bcrypt
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+const (
+	SHA1_ALGORITHM       = "SHA1"
+	SHA256_ALGORITHM     = "SHA256"
+	SHA384_ALGORITHM     = "SHA384"
+	SHA512_ALGORITHM     = "SHA512"
+	SHA3_256_ALGORITHM   = "SHA3-256"
+	SHA3_384_ALGORITHM   = "SHA3-384"
+	SHA3_512_ALGORITHM   = "SHA3-512"
+	CSHAKE128_ALGORITHM  = "CSHAKE128"
+	CSHAKE256_ALGORITHM  = "CSHAKE256"
+	AES_ALGORITHM        = "AES"
+	RC4_ALGORITHM        = "RC4"
+	RSA_ALGORITHM        = "RSA"
+	MD4_ALGORITHM        = "MD4"
+	MD5_ALGORITHM        = "MD5"
+	ECDSA_ALGORITHM      = "ECDSA"
+	ECDH_ALGORITHM       = "ECDH"
+	HKDF_ALGORITHM       = "HKDF"
+	PBKDF2_ALGORITHM     = "PBKDF2"
+	DES_ALGORITHM        = "DES"
+	DES3_ALGORITHM       = "3DES" // 3DES_ALGORITHM
+	TLS1_1_KDF_ALGORITHM = "TLS1_1_KDF"
+	TLS1_2_KDF_ALGORITHM = "TLS1_2_KDF"
+	DSA_ALGORITHM        = "DSA"
+)
+
+const (
+	ECC_CURVE_25519    = "curve25519"
+	ECC_CURVE_NISTP224 = "nistP224"
+	ECC_CURVE_NISTP256 = "nistP256"
+	ECC_CURVE_NISTP384 = "nistP384"
+	ECC_CURVE_NISTP521 = "nistP521"
+)
+
+const (
+	HASH_LENGTH          = "HashDigestLength"
+	HASH_BLOCK_LENGTH    = "HashBlockLength"
+	CHAINING_MODE        = "ChainingMode"
+	CHAIN_MODE_ECB       = "ChainingModeECB"
+	CHAIN_MODE_CBC       = "ChainingModeCBC"
+	CHAIN_MODE_GCM       = "ChainingModeGCM"
+	KEY_LENGTH           = "KeyLength"
+	KEY_LENGTHS          = "KeyLengths"
+	SIGNATURE_LENGTH     = "SignatureLength"
+	BLOCK_LENGTH         = "BlockLength"
+	ECC_CURVE_NAME       = "ECCCurveName"
+	FUNCTION_NAME_STRING = "FunctionNameString"
+	CUSTOMIZATION_STRING = "CustomizationString"
+)
+
+const (
+	RSAPUBLIC_KEY_BLOB  = "RSAPUBLICBLOB"
+	RSAFULLPRIVATE_BLOB = "RSAFULLPRIVATEBLOB"
+	ECCPUBLIC_BLOB      = "ECCPUBLICBLOB"
+	ECCPRIVATE_BLOB     = "ECCPRIVATEBLOB"
+	DSA_PUBLIC_BLOB     = "DSAPUBLICBLOB"
+	DSA_PRIVATE_BLOB    = "DSAPRIVATEBLOB"
+)
+
+const (
+	KDF_HKDF_INFO          = 0x14
+	HKDF_HASH_ALGORITHM    = "HkdfHashAlgorithm"
+	HKDF_SALT_AND_FINALIZE = "HkdfSaltAndFinalize"
+	HKDF_PRK_AND_FINALIZE  = "HkdfPrkAndFinalize"
+)
+
+const (
+	KDF_HASH_ALGORITHM   = 0x0
+	KDF_TLS_PRF_LABEL    = 0x4
+	KDF_TLS_PRF_SEED     = 0x5
+	KDF_TLS_PRF_PROTOCOL = 0x6
+	KDF_ITERATION_COUNT  = 0x10
+	KDF_SALT             = 0xF
+)
+
+const (
+	KEY_DATA_BLOB          = "KeyDataBlob"
+	KEY_DATA_BLOB_MAGIC    = 0x4d42444b
+	KEY_DATA_BLOB_VERSION1 = 1
+)
+
+type KEY_DATA_BLOB_HEADER struct {
+	Magic   uint32
+	Version uint32
+	Length  uint32
+}
+
+type Buffer struct {
+	Length uint32
+	Type   uint32
+	Data   uintptr
+}
+
+type BufferDesc struct {
+	Version uint32
+	Count   uint32 // number of buffers
+	Buffers *Buffer
+}
+
+const (
+	USE_SYSTEM_PREFERRED_RNG = 0x00000002
+)
+
+const (
+	HASH_DONT_RESET_FLAG = 0x00000001
+	HASH_REUSABLE_FLAG   = 0x00000020
+)
+
+const (
+	KDF_RAW_SECRET = "TRUNCATE"
+)
+
+const (
+	DSA_PARAMETERS = "DSAParameters"
+)
+
+type HASHALGORITHM_ENUM uint32
+
+const (
+	DSA_HASH_ALGORITHM_SHA1 HASHALGORITHM_ENUM = iota
+	DSA_HASH_ALGORITHM_SHA256
+	DSA_HASH_ALGORITHM_SHA512
+)
+
+type DSAFIPSVERSION_ENUM uint32
+
+const (
+	DSA_FIPS186_2 DSAFIPSVERSION_ENUM = iota
+	DSA_FIPS186_3
+)
+
+type DSA_PARAMETER_HEADER struct {
+	Length  uint32
+	Magic   KeyBlobMagicNumber
+	KeySize uint32
+	Count   [4]uint8
+	Seed    [20]uint8
+	Q       [20]uint8
+}
+
+type DSA_PARAMETER_HEADER_V2 struct {
+	Length          uint32
+	Magic           KeyBlobMagicNumber
+	KeySize         uint32
+	HashAlgorithm   HASHALGORITHM_ENUM
+	StandardVersion DSAFIPSVERSION_ENUM
+	SeedLength      uint32
+	GroupSize       uint32
+	Count           [4]uint8
+}
+
+type PadMode uint32
+
+const (
+	PAD_UNDEFINED PadMode = 0x0
+	PAD_NONE      PadMode = 0x1
+	PAD_PKCS1     PadMode = 0x2
+	PAD_OAEP      PadMode = 0x4
+	PAD_PSS       PadMode = 0x8
+)
+
+type AlgorithmProviderFlags uint32
+
+const (
+	ALG_NONE_FLAG        AlgorithmProviderFlags = 0x00000000
+	ALG_HANDLE_HMAC_FLAG AlgorithmProviderFlags = 0x00000008
+)
+
+type KeyBlobMagicNumber uint32
+
+const (
+	RSAPUBLIC_MAGIC      KeyBlobMagicNumber = 0x31415352
+	RSAFULLPRIVATE_MAGIC KeyBlobMagicNumber = 0x33415352
+
+	ECDSA_PUBLIC_GENERIC_MAGIC  KeyBlobMagicNumber = 0x50444345
+	ECDSA_PRIVATE_GENERIC_MAGIC KeyBlobMagicNumber = 0x56444345
+
+	ECDH_PUBLIC_GENERIC_MAGIC  KeyBlobMagicNumber = 0x504B4345
+	ECDH_PRIVATE_GENERIC_MAGIC KeyBlobMagicNumber = 0x564B4345
+
+	DSA_PARAMETERS_MAGIC KeyBlobMagicNumber = 0x4d505344
+	DSA_PUBLIC_MAGIC     KeyBlobMagicNumber = 0x42505344
+	DSA_PRIVATE_MAGIC    KeyBlobMagicNumber = 0x56505344
+
+	DSA_PARAMETERS_MAGIC_V2 KeyBlobMagicNumber = 0x324d5044
+	DSA_PUBLIC_MAGIC_V2     KeyBlobMagicNumber = 0x32425044
+	DSA_PRIVATE_MAGIC_V2    KeyBlobMagicNumber = 0x32565044
+)
+
+type (
+	HANDLE        syscall.Handle
+	ALG_HANDLE    HANDLE
+	HASH_HANDLE   HANDLE
+	KEY_HANDLE    HANDLE
+	SECRET_HANDLE HANDLE
+)
+
+// https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_key_lengths_struct
+type KEY_LENGTHS_STRUCT struct {
+	MinLength uint32
+	MaxLength uint32
+	Increment uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_authenticated_cipher_mode_info
+type AUTHENTICATED_CIPHER_MODE_INFO struct {
+	Size           uint32
+	InfoVersion    uint32
+	Nonce          *byte
+	NonceSize      uint32
+	AuthData       *byte
+	AuthDataSize   uint32
+	Tag            *byte
+	TagSize        uint32
+	MacContext     *byte
+	MacContextSize uint32
+	AADSize        uint32
+	DataSize       uint64
+	Flags          uint32
+}
+
+func NewAUTHENTICATED_CIPHER_MODE_INFO(nonce, additionalData, tag []byte) *AUTHENTICATED_CIPHER_MODE_INFO {
+	var aad *byte
+	if len(additionalData) > 0 {
+		aad = &additionalData[0]
+	}
+	info := AUTHENTICATED_CIPHER_MODE_INFO{
+		InfoVersion:  1,
+		Nonce:        &nonce[0],
+		NonceSize:    uint32(len(nonce)),
+		AuthData:     aad,
+		AuthDataSize: uint32(len(additionalData)),
+		Tag:          &tag[0],
+		TagSize:      uint32(len(tag)),
+	}
+	info.Size = uint32(unsafe.Sizeof(info))
+	return &info
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_oaep_padding_info
+type OAEP_PADDING_INFO struct {
+	AlgId     *uint16
+	Label     *byte
+	LabelSize uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_pkcs1_padding_info
+type PKCS1_PADDING_INFO struct {
+	AlgId *uint16
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_pss_padding_info
+type PSS_PADDING_INFO struct {
+	AlgId *uint16
+	Salt  uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_rsakey_blob
+type RSAKEY_BLOB struct {
+	Magic         KeyBlobMagicNumber
+	BitLength     uint32
+	PublicExpSize uint32
+	ModulusSize   uint32
+	Prime1Size    uint32
+	Prime2Size    uint32
+}
+
+// https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_ecckey_blob
+type ECCKEY_BLOB struct {
+	Magic   KeyBlobMagicNumber
+	KeySize uint32
+}
+
+// https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_dsa_key_blob
+type DSA_KEY_BLOB struct {
+	Magic   KeyBlobMagicNumber
+	KeySize uint32
+	Count   [4]uint8
+	Seed    [20]uint8
+	Q       [20]uint8
+}
+
+// https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/ns-bcrypt-bcrypt_dsa_key_blob_v2
+type DSA_KEY_BLOB_V2 struct {
+	Magic           KeyBlobMagicNumber
+	KeySize         uint32
+	HashAlgorithm   HASHALGORITHM_ENUM
+	StandardVersion DSAFIPSVERSION_ENUM
+	SeedLength      uint32
+	GroupSize       uint32
+	Count           [4]uint8
+}
+
+func Encrypt(hKey KEY_HANDLE, plaintext []byte, pPaddingInfo unsafe.Pointer, pbIV []byte, pbOutput []byte, pcbResult *uint32, dwFlags PadMode) (ntstatus error) {
+	var pInput *byte
+	if len(plaintext) > 0 {
+		pInput = &plaintext[0]
+	} else {
+		// BCryptEncrypt does not support nil plaintext.
+		// Allocate a zero byte here just to make CNG happy.
+		// It won't be encrypted anyway because the plaintext length is zero.
+		pInput = new(byte)
+	}
+	return _Encrypt(hKey, pInput, uint32(len(plaintext)), pPaddingInfo, pbIV, pbOutput, pcbResult, dwFlags)
+}
+
+//sys	GetFipsAlgorithmMode(enabled *bool) (ntstatus error) = bcrypt.BCryptGetFipsAlgorithmMode
+//sys	SetProperty(hObject HANDLE, pszProperty *uint16, pbInput []byte, dwFlags uint32) (ntstatus error) = bcrypt.BCryptSetProperty
+//sys	GetProperty(hObject HANDLE, pszProperty *uint16, pbOutput []byte, pcbResult *uint32, dwFlags uint32) (ntstatus error) = bcrypt.BCryptGetProperty
+//sys	OpenAlgorithmProvider(phAlgorithm *ALG_HANDLE, pszAlgId *uint16, pszImplementation *uint16, dwFlags AlgorithmProviderFlags) (ntstatus error) = bcrypt.BCryptOpenAlgorithmProvider
+//sys	CloseAlgorithmProvider(hAlgorithm ALG_HANDLE, dwFlags uint32) (ntstatus error) = bcrypt.BCryptCloseAlgorithmProvider
+
+// SHA and HMAC
+
+//sys	Hash(hAlgorithm ALG_HANDLE, pbSecret []byte, pbInput []byte, pbOutput []byte) (ntstatus error) = bcrypt.BCryptHash
+//sys	CreateHash(hAlgorithm ALG_HANDLE, phHash *HASH_HANDLE, pbHashObject []byte, pbSecret []byte, dwFlags uint32) (ntstatus error) = bcrypt.BCryptCreateHash
+//sys	DestroyHash(hHash HASH_HANDLE) (ntstatus error) = bcrypt.BCryptDestroyHash
+//sys   HashData(hHash HASH_HANDLE, pbInput []byte, dwFlags uint32) (ntstatus error) = bcrypt.BCryptHashData
+//sys   HashDataRaw(hHash HASH_HANDLE, pbInput *byte, cbInput uint32, dwFlags uint32) (ntstatus error) = bcrypt.BCryptHashData
+//sys   DuplicateHash(hHash HASH_HANDLE,  phNewHash *HASH_HANDLE, pbHashObject []byte, dwFlags uint32) (ntstatus error) = bcrypt.BCryptDuplicateHash
+//sys   FinishHash(hHash HASH_HANDLE, pbOutput []byte, dwFlags uint32) (ntstatus error) = bcrypt.BCryptFinishHash
+
+// Rand
+
+//sys   GenRandom(hAlgorithm ALG_HANDLE, pbBuffer []byte, dwFlags uint32) (ntstatus error) = bcrypt.BCryptGenRandom
+
+// Keys
+
+//sys   generateSymmetricKey(hAlgorithm ALG_HANDLE, phKey *KEY_HANDLE, pbKeyObject []byte, pbSecret *byte, cbSecret uint32, dwFlags uint32) (ntstatus error) = bcrypt.BCryptGenerateSymmetricKey
+//sys   GenerateKeyPair(hAlgorithm ALG_HANDLE, phKey *KEY_HANDLE, dwLength uint32, dwFlags uint32) (ntstatus error) = bcrypt.BCryptGenerateKeyPair
+//sys   FinalizeKeyPair(hKey KEY_HANDLE, dwFlags uint32) (ntstatus error) = bcrypt.BCryptFinalizeKeyPair
+//sys   ImportKeyPair (hAlgorithm ALG_HANDLE, hImportKey KEY_HANDLE, pszBlobType *uint16, phKey *KEY_HANDLE, pbInput []byte, dwFlags uint32) (ntstatus error) = bcrypt.BCryptImportKeyPair
+//sys   ExportKey(hKey KEY_HANDLE, hExportKey KEY_HANDLE, pszBlobType *uint16, pbOutput []byte, pcbResult *uint32, dwFlags uint32) (ntstatus error) = bcrypt.BCryptExportKey
+//sys   DestroyKey(hKey KEY_HANDLE) (ntstatus error) = bcrypt.BCryptDestroyKey
+//sys   _Encrypt(hKey KEY_HANDLE, pbInput *byte, cbInput uint32, pPaddingInfo unsafe.Pointer, pbIV []byte, pbOutput []byte, pcbResult *uint32, dwFlags PadMode) (ntstatus error) = bcrypt.BCryptEncrypt
+//sys   Decrypt(hKey KEY_HANDLE, pbInput []byte, pPaddingInfo unsafe.Pointer, pbIV []byte, pbOutput []byte, pcbResult *uint32, dwFlags PadMode) (ntstatus error) = bcrypt.BCryptDecrypt
+//sys   SignHash (hKey KEY_HANDLE, pPaddingInfo unsafe.Pointer, pbInput []byte, pbOutput []byte, pcbResult *uint32, dwFlags PadMode) (ntstatus error) = bcrypt.BCryptSignHash
+//sys   VerifySignature(hKey KEY_HANDLE, pPaddingInfo unsafe.Pointer, pbHash []byte, pbSignature []byte, dwFlags PadMode) (ntstatus error) = bcrypt.BCryptVerifySignature
+//sys   SecretAgreement(hPrivKey KEY_HANDLE, hPubKey KEY_HANDLE, phAgreedSecret *SECRET_HANDLE, dwFlags uint32) (ntstatus error) = bcrypt.BCryptSecretAgreement
+//sys   DeriveKey(hSharedSecret SECRET_HANDLE, pwszKDF *uint16, pParameterList *BufferDesc, pbDerivedKey []byte, pcbResult *uint32, dwFlags uint32) (ntstatus error) = bcrypt.BCryptDeriveKey
+//sys   KeyDerivation(hKey KEY_HANDLE, pParameterList *BufferDesc, pbDerivedKey []byte, pcbResult *uint32, dwFlags uint32) (ntstatus error) = bcrypt.BCryptKeyDerivation
+//sys   DestroySecret(hSecret SECRET_HANDLE) (ntstatus error) = bcrypt.BCryptDestroySecret
+
+func GenerateSymmetricKey(hAlgorithm ALG_HANDLE, phKey *KEY_HANDLE, pbKeyObject []byte, pbSecret []byte, dwFlags uint32) error {
+	cbLen := uint32(len(pbSecret))
+	if cbLen == 0 {
+		// BCryptGenerateSymmetricKey does not support nil pbSecret,
+		// stack-allocate a zero byte here just to make CNG happy.
+		pbSecret = make([]byte, 1)
+	}
+	return generateSymmetricKey(hAlgorithm, phKey, pbKeyObject, &pbSecret[0], cbLen, dwFlags)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/ntstatus_windows.go b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/ntstatus_windows.go
new file mode 100644
index 00000000000000..ec2eb01aa3cd8a
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/ntstatus_windows.go
@@ -0,0 +1,45 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package bcrypt
+
+import (
+	"strconv"
+	"syscall"
+	"unicode/utf16"
+)
+
+const (
+	FORMAT_MESSAGE_FROM_HMODULE   = 2048
+	FORMAT_MESSAGE_FROM_SYSTEM    = 4096
+	FORMAT_MESSAGE_ARGUMENT_ARRAY = 8192
+
+	LANG_ENGLISH       = 0x09
+	SUBLANG_ENGLISH_US = 0x01
+)
+
+type NTStatus uint32
+
+func (s NTStatus) Errno() syscall.Errno {
+	return rtlNtStatusToDosErrorNoTeb(s)
+}
+
+func langID(pri, sub uint16) uint32 { return uint32(sub)<<10 | uint32(pri) }
+
+func (s NTStatus) Error() string {
+	b := make([]uint16, 300)
+	n, err := formatMessage(FORMAT_MESSAGE_FROM_SYSTEM|FORMAT_MESSAGE_FROM_HMODULE|FORMAT_MESSAGE_ARGUMENT_ARRAY, modntdll.Handle(), uint32(s), langID(LANG_ENGLISH, SUBLANG_ENGLISH_US), b, nil)
+	if err != nil {
+		return "NTSTATUS 0x" + strconv.FormatUint(uint64(s), 16)
+	}
+	// trim terminating \r and \n
+	for ; n > 0 && (b[n-1] == '\n' || b[n-1] == '\r'); n-- {
+	}
+	return string(utf16.Decode(b[:n]))
+}
+
+// NT Native APIs
+//sys	rtlNtStatusToDosErrorNoTeb(ntstatus NTStatus) (ret syscall.Errno) = ntdll.RtlNtStatusToDosErrorNoTeb
+
+// windows api calls
+//sys	formatMessage(flags uint32, msgsrc uintptr, msgid uint32, langid uint32, buf []uint16, args *byte) (n uint32, err error) = FormatMessageW
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/zsyscall_windows.go b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/zsyscall_windows.go
new file mode 100644
index 00000000000000..5d049f025b0301
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/bcrypt/zsyscall_windows.go
@@ -0,0 +1,412 @@
+// Code generated by 'go generate'; DO NOT EDIT.
+
+package bcrypt
+
+import (
+	"github.com/microsoft/go-crypto-winnative/internal/sysdll"
+	"syscall"
+	"unsafe"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+	errERROR_EINVAL     error = syscall.EINVAL
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return errERROR_EINVAL
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modbcrypt   = syscall.NewLazyDLL(sysdll.Add("bcrypt.dll"))
+	modkernel32 = syscall.NewLazyDLL(sysdll.Add("kernel32.dll"))
+	modntdll    = syscall.NewLazyDLL(sysdll.Add("ntdll.dll"))
+
+	procBCryptCloseAlgorithmProvider = modbcrypt.NewProc("BCryptCloseAlgorithmProvider")
+	procBCryptCreateHash             = modbcrypt.NewProc("BCryptCreateHash")
+	procBCryptDecrypt                = modbcrypt.NewProc("BCryptDecrypt")
+	procBCryptDeriveKey              = modbcrypt.NewProc("BCryptDeriveKey")
+	procBCryptDestroyHash            = modbcrypt.NewProc("BCryptDestroyHash")
+	procBCryptDestroyKey             = modbcrypt.NewProc("BCryptDestroyKey")
+	procBCryptDestroySecret          = modbcrypt.NewProc("BCryptDestroySecret")
+	procBCryptDuplicateHash          = modbcrypt.NewProc("BCryptDuplicateHash")
+	procBCryptEncrypt                = modbcrypt.NewProc("BCryptEncrypt")
+	procBCryptExportKey              = modbcrypt.NewProc("BCryptExportKey")
+	procBCryptFinalizeKeyPair        = modbcrypt.NewProc("BCryptFinalizeKeyPair")
+	procBCryptFinishHash             = modbcrypt.NewProc("BCryptFinishHash")
+	procBCryptGenRandom              = modbcrypt.NewProc("BCryptGenRandom")
+	procBCryptGenerateKeyPair        = modbcrypt.NewProc("BCryptGenerateKeyPair")
+	procBCryptGenerateSymmetricKey   = modbcrypt.NewProc("BCryptGenerateSymmetricKey")
+	procBCryptGetFipsAlgorithmMode   = modbcrypt.NewProc("BCryptGetFipsAlgorithmMode")
+	procBCryptGetProperty            = modbcrypt.NewProc("BCryptGetProperty")
+	procBCryptHash                   = modbcrypt.NewProc("BCryptHash")
+	procBCryptHashData               = modbcrypt.NewProc("BCryptHashData")
+	procBCryptImportKeyPair          = modbcrypt.NewProc("BCryptImportKeyPair")
+	procBCryptKeyDerivation          = modbcrypt.NewProc("BCryptKeyDerivation")
+	procBCryptOpenAlgorithmProvider  = modbcrypt.NewProc("BCryptOpenAlgorithmProvider")
+	procBCryptSecretAgreement        = modbcrypt.NewProc("BCryptSecretAgreement")
+	procBCryptSetProperty            = modbcrypt.NewProc("BCryptSetProperty")
+	procBCryptSignHash               = modbcrypt.NewProc("BCryptSignHash")
+	procBCryptVerifySignature        = modbcrypt.NewProc("BCryptVerifySignature")
+	procFormatMessageW               = modkernel32.NewProc("FormatMessageW")
+	procRtlNtStatusToDosErrorNoTeb   = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb")
+)
+
+func CloseAlgorithmProvider(hAlgorithm ALG_HANDLE, dwFlags uint32) (ntstatus error) {
+	r0, _, _ := syscall.Syscall(procBCryptCloseAlgorithmProvider.Addr(), 2, uintptr(hAlgorithm), uintptr(dwFlags), 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func CreateHash(hAlgorithm ALG_HANDLE, phHash *HASH_HANDLE, pbHashObject []byte, pbSecret []byte, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbHashObject) > 0 {
+		_p0 = &pbHashObject[0]
+	}
+	var _p1 *byte
+	if len(pbSecret) > 0 {
+		_p1 = &pbSecret[0]
+	}
+	r0, _, _ := syscall.Syscall9(procBCryptCreateHash.Addr(), 7, uintptr(hAlgorithm), uintptr(unsafe.Pointer(phHash)), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbHashObject)), uintptr(unsafe.Pointer(_p1)), uintptr(len(pbSecret)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func Decrypt(hKey KEY_HANDLE, pbInput []byte, pPaddingInfo unsafe.Pointer, pbIV []byte, pbOutput []byte, pcbResult *uint32, dwFlags PadMode) (ntstatus error) {
+	var _p0 *byte
+	if len(pbInput) > 0 {
+		_p0 = &pbInput[0]
+	}
+	var _p1 *byte
+	if len(pbIV) > 0 {
+		_p1 = &pbIV[0]
+	}
+	var _p2 *byte
+	if len(pbOutput) > 0 {
+		_p2 = &pbOutput[0]
+	}
+	r0, _, _ := syscall.Syscall12(procBCryptDecrypt.Addr(), 10, uintptr(hKey), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbInput)), uintptr(pPaddingInfo), uintptr(unsafe.Pointer(_p1)), uintptr(len(pbIV)), uintptr(unsafe.Pointer(_p2)), uintptr(len(pbOutput)), uintptr(unsafe.Pointer(pcbResult)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func DeriveKey(hSharedSecret SECRET_HANDLE, pwszKDF *uint16, pParameterList *BufferDesc, pbDerivedKey []byte, pcbResult *uint32, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbDerivedKey) > 0 {
+		_p0 = &pbDerivedKey[0]
+	}
+	r0, _, _ := syscall.Syscall9(procBCryptDeriveKey.Addr(), 7, uintptr(hSharedSecret), uintptr(unsafe.Pointer(pwszKDF)), uintptr(unsafe.Pointer(pParameterList)), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbDerivedKey)), uintptr(unsafe.Pointer(pcbResult)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func DestroyHash(hHash HASH_HANDLE) (ntstatus error) {
+	r0, _, _ := syscall.Syscall(procBCryptDestroyHash.Addr(), 1, uintptr(hHash), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func DestroyKey(hKey KEY_HANDLE) (ntstatus error) {
+	r0, _, _ := syscall.Syscall(procBCryptDestroyKey.Addr(), 1, uintptr(hKey), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func DestroySecret(hSecret SECRET_HANDLE) (ntstatus error) {
+	r0, _, _ := syscall.Syscall(procBCryptDestroySecret.Addr(), 1, uintptr(hSecret), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func DuplicateHash(hHash HASH_HANDLE, phNewHash *HASH_HANDLE, pbHashObject []byte, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbHashObject) > 0 {
+		_p0 = &pbHashObject[0]
+	}
+	r0, _, _ := syscall.Syscall6(procBCryptDuplicateHash.Addr(), 5, uintptr(hHash), uintptr(unsafe.Pointer(phNewHash)), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbHashObject)), uintptr(dwFlags), 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func _Encrypt(hKey KEY_HANDLE, pbInput *byte, cbInput uint32, pPaddingInfo unsafe.Pointer, pbIV []byte, pbOutput []byte, pcbResult *uint32, dwFlags PadMode) (ntstatus error) {
+	var _p0 *byte
+	if len(pbIV) > 0 {
+		_p0 = &pbIV[0]
+	}
+	var _p1 *byte
+	if len(pbOutput) > 0 {
+		_p1 = &pbOutput[0]
+	}
+	r0, _, _ := syscall.Syscall12(procBCryptEncrypt.Addr(), 10, uintptr(hKey), uintptr(unsafe.Pointer(pbInput)), uintptr(cbInput), uintptr(pPaddingInfo), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbIV)), uintptr(unsafe.Pointer(_p1)), uintptr(len(pbOutput)), uintptr(unsafe.Pointer(pcbResult)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func ExportKey(hKey KEY_HANDLE, hExportKey KEY_HANDLE, pszBlobType *uint16, pbOutput []byte, pcbResult *uint32, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbOutput) > 0 {
+		_p0 = &pbOutput[0]
+	}
+	r0, _, _ := syscall.Syscall9(procBCryptExportKey.Addr(), 7, uintptr(hKey), uintptr(hExportKey), uintptr(unsafe.Pointer(pszBlobType)), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbOutput)), uintptr(unsafe.Pointer(pcbResult)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func FinalizeKeyPair(hKey KEY_HANDLE, dwFlags uint32) (ntstatus error) {
+	r0, _, _ := syscall.Syscall(procBCryptFinalizeKeyPair.Addr(), 2, uintptr(hKey), uintptr(dwFlags), 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func FinishHash(hHash HASH_HANDLE, pbOutput []byte, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbOutput) > 0 {
+		_p0 = &pbOutput[0]
+	}
+	r0, _, _ := syscall.Syscall6(procBCryptFinishHash.Addr(), 4, uintptr(hHash), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbOutput)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func GenRandom(hAlgorithm ALG_HANDLE, pbBuffer []byte, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbBuffer) > 0 {
+		_p0 = &pbBuffer[0]
+	}
+	r0, _, _ := syscall.Syscall6(procBCryptGenRandom.Addr(), 4, uintptr(hAlgorithm), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbBuffer)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func GenerateKeyPair(hAlgorithm ALG_HANDLE, phKey *KEY_HANDLE, dwLength uint32, dwFlags uint32) (ntstatus error) {
+	r0, _, _ := syscall.Syscall6(procBCryptGenerateKeyPair.Addr(), 4, uintptr(hAlgorithm), uintptr(unsafe.Pointer(phKey)), uintptr(dwLength), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func generateSymmetricKey(hAlgorithm ALG_HANDLE, phKey *KEY_HANDLE, pbKeyObject []byte, pbSecret *byte, cbSecret uint32, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbKeyObject) > 0 {
+		_p0 = &pbKeyObject[0]
+	}
+	r0, _, _ := syscall.Syscall9(procBCryptGenerateSymmetricKey.Addr(), 7, uintptr(hAlgorithm), uintptr(unsafe.Pointer(phKey)), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbKeyObject)), uintptr(unsafe.Pointer(pbSecret)), uintptr(cbSecret), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func GetFipsAlgorithmMode(enabled *bool) (ntstatus error) {
+	var _p0 uint32
+	if *enabled {
+		_p0 = 1
+	}
+	r0, _, _ := syscall.Syscall(procBCryptGetFipsAlgorithmMode.Addr(), 1, uintptr(unsafe.Pointer(&_p0)), 0, 0)
+	*enabled = _p0 != 0
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func GetProperty(hObject HANDLE, pszProperty *uint16, pbOutput []byte, pcbResult *uint32, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbOutput) > 0 {
+		_p0 = &pbOutput[0]
+	}
+	r0, _, _ := syscall.Syscall6(procBCryptGetProperty.Addr(), 6, uintptr(hObject), uintptr(unsafe.Pointer(pszProperty)), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbOutput)), uintptr(unsafe.Pointer(pcbResult)), uintptr(dwFlags))
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func Hash(hAlgorithm ALG_HANDLE, pbSecret []byte, pbInput []byte, pbOutput []byte) (ntstatus error) {
+	var _p0 *byte
+	if len(pbSecret) > 0 {
+		_p0 = &pbSecret[0]
+	}
+	var _p1 *byte
+	if len(pbInput) > 0 {
+		_p1 = &pbInput[0]
+	}
+	var _p2 *byte
+	if len(pbOutput) > 0 {
+		_p2 = &pbOutput[0]
+	}
+	r0, _, _ := syscall.Syscall9(procBCryptHash.Addr(), 7, uintptr(hAlgorithm), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbSecret)), uintptr(unsafe.Pointer(_p1)), uintptr(len(pbInput)), uintptr(unsafe.Pointer(_p2)), uintptr(len(pbOutput)), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func HashDataRaw(hHash HASH_HANDLE, pbInput *byte, cbInput uint32, dwFlags uint32) (ntstatus error) {
+	r0, _, _ := syscall.Syscall6(procBCryptHashData.Addr(), 4, uintptr(hHash), uintptr(unsafe.Pointer(pbInput)), uintptr(cbInput), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func HashData(hHash HASH_HANDLE, pbInput []byte, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbInput) > 0 {
+		_p0 = &pbInput[0]
+	}
+	r0, _, _ := syscall.Syscall6(procBCryptHashData.Addr(), 4, uintptr(hHash), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbInput)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func ImportKeyPair(hAlgorithm ALG_HANDLE, hImportKey KEY_HANDLE, pszBlobType *uint16, phKey *KEY_HANDLE, pbInput []byte, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbInput) > 0 {
+		_p0 = &pbInput[0]
+	}
+	r0, _, _ := syscall.Syscall9(procBCryptImportKeyPair.Addr(), 7, uintptr(hAlgorithm), uintptr(hImportKey), uintptr(unsafe.Pointer(pszBlobType)), uintptr(unsafe.Pointer(phKey)), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbInput)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func KeyDerivation(hKey KEY_HANDLE, pParameterList *BufferDesc, pbDerivedKey []byte, pcbResult *uint32, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbDerivedKey) > 0 {
+		_p0 = &pbDerivedKey[0]
+	}
+	r0, _, _ := syscall.Syscall6(procBCryptKeyDerivation.Addr(), 6, uintptr(hKey), uintptr(unsafe.Pointer(pParameterList)), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbDerivedKey)), uintptr(unsafe.Pointer(pcbResult)), uintptr(dwFlags))
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func OpenAlgorithmProvider(phAlgorithm *ALG_HANDLE, pszAlgId *uint16, pszImplementation *uint16, dwFlags AlgorithmProviderFlags) (ntstatus error) {
+	r0, _, _ := syscall.Syscall6(procBCryptOpenAlgorithmProvider.Addr(), 4, uintptr(unsafe.Pointer(phAlgorithm)), uintptr(unsafe.Pointer(pszAlgId)), uintptr(unsafe.Pointer(pszImplementation)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func SecretAgreement(hPrivKey KEY_HANDLE, hPubKey KEY_HANDLE, phAgreedSecret *SECRET_HANDLE, dwFlags uint32) (ntstatus error) {
+	r0, _, _ := syscall.Syscall6(procBCryptSecretAgreement.Addr(), 4, uintptr(hPrivKey), uintptr(hPubKey), uintptr(unsafe.Pointer(phAgreedSecret)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func SetProperty(hObject HANDLE, pszProperty *uint16, pbInput []byte, dwFlags uint32) (ntstatus error) {
+	var _p0 *byte
+	if len(pbInput) > 0 {
+		_p0 = &pbInput[0]
+	}
+	r0, _, _ := syscall.Syscall6(procBCryptSetProperty.Addr(), 5, uintptr(hObject), uintptr(unsafe.Pointer(pszProperty)), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbInput)), uintptr(dwFlags), 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func SignHash(hKey KEY_HANDLE, pPaddingInfo unsafe.Pointer, pbInput []byte, pbOutput []byte, pcbResult *uint32, dwFlags PadMode) (ntstatus error) {
+	var _p0 *byte
+	if len(pbInput) > 0 {
+		_p0 = &pbInput[0]
+	}
+	var _p1 *byte
+	if len(pbOutput) > 0 {
+		_p1 = &pbOutput[0]
+	}
+	r0, _, _ := syscall.Syscall9(procBCryptSignHash.Addr(), 8, uintptr(hKey), uintptr(pPaddingInfo), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbInput)), uintptr(unsafe.Pointer(_p1)), uintptr(len(pbOutput)), uintptr(unsafe.Pointer(pcbResult)), uintptr(dwFlags), 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func VerifySignature(hKey KEY_HANDLE, pPaddingInfo unsafe.Pointer, pbHash []byte, pbSignature []byte, dwFlags PadMode) (ntstatus error) {
+	var _p0 *byte
+	if len(pbHash) > 0 {
+		_p0 = &pbHash[0]
+	}
+	var _p1 *byte
+	if len(pbSignature) > 0 {
+		_p1 = &pbSignature[0]
+	}
+	r0, _, _ := syscall.Syscall9(procBCryptVerifySignature.Addr(), 7, uintptr(hKey), uintptr(pPaddingInfo), uintptr(unsafe.Pointer(_p0)), uintptr(len(pbHash)), uintptr(unsafe.Pointer(_p1)), uintptr(len(pbSignature)), uintptr(dwFlags), 0, 0)
+	if r0 != 0 {
+		ntstatus = NTStatus(r0)
+	}
+	return
+}
+
+func formatMessage(flags uint32, msgsrc uintptr, msgid uint32, langid uint32, buf []uint16, args *byte) (n uint32, err error) {
+	var _p0 *uint16
+	if len(buf) > 0 {
+		_p0 = &buf[0]
+	}
+	r0, _, e1 := syscall.Syscall9(procFormatMessageW.Addr(), 7, uintptr(flags), uintptr(msgsrc), uintptr(msgid), uintptr(langid), uintptr(unsafe.Pointer(_p0)), uintptr(len(buf)), uintptr(unsafe.Pointer(args)), 0, 0)
+	n = uint32(r0)
+	if n == 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+func rtlNtStatusToDosErrorNoTeb(ntstatus NTStatus) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(ntstatus), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/internal/subtle/aliasing.go b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/subtle/aliasing.go
new file mode 100644
index 00000000000000..db09e4aae64f8c
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/subtle/aliasing.go
@@ -0,0 +1,32 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package subtle implements functions that are often useful in cryptographic
+// code but require careful thought to use correctly.
+//
+// This is a mirror of golang.org/x/crypto/internal/subtle.
+package subtle
+
+import "unsafe"
+
+// AnyOverlap reports whether x and y share memory at any (not necessarily
+// corresponding) index. The memory beyond the slice length is ignored.
+func AnyOverlap(x, y []byte) bool {
+	return len(x) > 0 && len(y) > 0 &&
+		uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
+		uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
+}
+
+// InexactOverlap reports whether x and y share memory at any non-corresponding
+// index. The memory beyond the slice length is ignored. Note that x and y can
+// have different lengths and still not have any inexact overlap.
+//
+// InexactOverlap can be used to implement the requirements of the crypto/cipher
+// AEAD, Block, BlockMode and Stream interfaces.
+func InexactOverlap(x, y []byte) bool {
+	if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
+		return false
+	}
+	return AnyOverlap(x, y)
+}
diff --git a/src/vendor/github.com/microsoft/go-crypto-winnative/internal/sysdll/sys_windows.go b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/sysdll/sys_windows.go
new file mode 100644
index 00000000000000..1722410e5af193
--- /dev/null
+++ b/src/vendor/github.com/microsoft/go-crypto-winnative/internal/sysdll/sys_windows.go
@@ -0,0 +1,55 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+// Package sysdll is a custom version of the standard library internal/syscall/windows/sysdll package.
+// sysdll is used to guard against Windows DLL preloading attacks.
+// We can't call Go's sysdll.Add function from within go-crypto-winnative because sysdll is an internal package,
+// so we have reimplemented the sysdll.Add function in a way that it always returns
+// DLL absolute paths rooted at the system directory.
+// See go.dev/issues/14959 for more info.
+package sysdll
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+var (
+	// kernel32.dll is a known system DLL used by Go,
+	// so protected against DLL preloading attacks.
+	modkernel32             = syscall.NewLazyDLL("kernel32.dll")
+	procGetSystemDirectoryW = modkernel32.NewProc("GetSystemDirectoryW")
+)
+
+func getSystemDirectoryW(dir *uint16, dirLen uint32) (len uint32, err error) {
+	r0, _, e1 := syscall.Syscall(procGetSystemDirectoryW.Addr(), 2, uintptr(unsafe.Pointer(dir)), uintptr(dirLen), 0)
+	len = uint32(r0)
+	if len == 0 {
+		err = e1
+	}
+	return
+}
+
+// getSystemDirectory retrieves the path to current location of the system
+// directory, which is typically, though not always, `C:\Windows\System32`.
+func getSystemDirectory() string {
+	n := uint32(syscall.MAX_PATH)
+	for {
+		b := make([]uint16, n)
+		l, e := getSystemDirectoryW(&b[0], n)
+		if e != nil {
+			panic(e)
+		}
+		if l <= n {
+			return syscall.UTF16ToString(b[:l])
+		}
+		n = l
+	}
+}
+
+// Add returns the absolute path of the dll.
+// The returned path points to the system directory,
+// so it is secure against DLL preloading attacks.
+func Add(dll string) string {
+	return getSystemDirectory() + "\\" + dll
+}
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
index 1c8de570cc2f1f..a249bbfa93dac3 100644
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@@ -1,3 +1,19 @@
+# github.com/golang-fips/openssl/v2 v2.0.4-0.20250115103809-bf655f6d08d6
+## explicit; go 1.22
+github.com/golang-fips/openssl/v2
+github.com/golang-fips/openssl/v2/bbig
+# github.com/microsoft/go-crypto-darwin v0.0.2-0.20250116101429-467bd63a2d67
+## explicit; go 1.22
+github.com/microsoft/go-crypto-darwin/bbig
+github.com/microsoft/go-crypto-darwin/internal/cryptokit
+github.com/microsoft/go-crypto-darwin/xcrypto
+# github.com/microsoft/go-crypto-winnative v0.0.0-20250110072644-50d2dfac4b70
+## explicit; go 1.22
+github.com/microsoft/go-crypto-winnative/cng
+github.com/microsoft/go-crypto-winnative/cng/bbig
+github.com/microsoft/go-crypto-winnative/internal/bcrypt
+github.com/microsoft/go-crypto-winnative/internal/subtle
+github.com/microsoft/go-crypto-winnative/internal/sysdll
 # golang.org/x/crypto v0.30.0
 ## explicit; go 1.20
 golang.org/x/crypto/chacha20