crypto/internal/mlkem768: move to crypto/internal/fips/mlkem

In the process, replace out-of-module imports with their FIPS versions. For #69536 Change-Id: I83e900b7c38ecf760382e5dca7fd0b1eaa5a5589 Reviewed-on: https://go-review.googlesource.com/c/go/+/626879 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Russ Cox <rsc@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net> Reviewed-by: Michael Knyszek <mknyszek@google.com>
2025-12-08 06:10:04 +00:00 · 2024-10-23 11:41:42 +02:00 · 2024-10-23 11:41:42 +02:00 · 7e6b38e052
commit 7e6b38e052
parent 9854fc3e86
23 changed files with 43 additions and 6835 deletions
--- a/src/crypto/internal/fips/mlkem/field.go
+++ b/src/crypto/internal/fips/mlkem/field.go
@ -2,13 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-package mlkem768
+package mlkem
 import (
 	"crypto/internal/fips/sha3"
 	"errors"
 	"internal/byteorder"
 	"golang.org/x/crypto/sha3"
 )
 // fieldElement is an integer modulo q, an element of ℤ_q. It is always reduced.
@ -164,7 +163,7 @@ func polyByteEncode[T ~[n]fieldElement](b []byte, f T) []byte {
 // It implements ByteDecode₁₂, according to FIPS 203, Algorithm 6.
 func polyByteDecode[T ~[n]fieldElement](b []byte) (T, error) {
 	if len(b) != encodingSize12 {
-		return T{}, errors.New("mlkem768: invalid encoding length")
+		return T{}, errors.New("mlkem: invalid encoding length")
 	}
 	var f T
 	for i := 0; i < n; i += 2 {
@ -172,10 +171,10 @@ func polyByteDecode[T ~[n]fieldElement](b []byte) (T, error) {
 		const mask12 = 0b1111_1111_1111
 		var err error
 		if f[i], err = fieldCheckReduced(uint16(d & mask12)); err != nil {
-			return T{}, errors.New("mlkem768: invalid polynomial encoding")
+			return T{}, errors.New("mlkem: invalid polynomial encoding")
 		}
 		if f[i+1], err = fieldCheckReduced(uint16(d >> 12)); err != nil {
-			return T{}, errors.New("mlkem768: invalid polynomial encoding")
+			return T{}, errors.New("mlkem: invalid polynomial encoding")
 		}
 		b = b[3:]
 	}
--- a/src/crypto/internal/fips/mlkem/field_test.go
+++ b/src/crypto/internal/fips/mlkem/field_test.go
@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-package mlkem768
+package mlkem
 import (
 	"math/big"
--- a/src/crypto/internal/fips/mlkem/mlkem768.go
+++ b/src/crypto/internal/fips/mlkem/mlkem768.go
@ -2,13 +2,13 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-// Package mlkem768 implements the quantum-resistant key encapsulation method
+// Package mlkem implements the quantum-resistant key encapsulation method
 // ML-KEM (formerly known as Kyber), as specified in [NIST FIPS 203].
 //
 // Only the recommended ML-KEM-768 parameter set is provided.
 //
 // [NIST FIPS 203]: https://doi.org/10.6028/NIST.FIPS.203
-package mlkem768
+package mlkem
 // This package targets security, correctness, simplicity, readability, and
 // reviewability as its primary goals. All critical operations are performed in
@ -21,11 +21,10 @@ package mlkem768
 // background at https://words.filippo.io/kyber-math/ useful.
 import (
-	"crypto/rand"
+	"crypto/internal/fips/drbg"
-	"crypto/subtle"
+	"crypto/internal/fips/sha3"
 	"crypto/internal/fips/subtle"
 	"errors"
 	"golang.org/x/crypto/sha3"
 )
 const (
@ -125,7 +124,7 @@ type decryptionKey struct {
 }
 // GenerateKey768 generates a new decapsulation key, drawing random bytes from
-// crypto/rand. The decapsulation key must be kept secret.
+// a DRBG. The decapsulation key must be kept secret.
 func GenerateKey768() (*DecapsulationKey768, error) {
 	// The actual logic is in a separate function to outline this allocation.
 	dk := &DecapsulationKey768{}
@ -134,9 +133,9 @@ func GenerateKey768() (*DecapsulationKey768, error) {
 func generateKey(dk *DecapsulationKey768) *DecapsulationKey768 {
 	var d [32]byte
-	rand.Read(d[:])
+	drbg.Read(d[:])
 	var z [32]byte
-	rand.Read(z[:])
+	drbg.Read(z[:])
 	return kemKeyGen(dk, &d, &z)
 }
@ -150,7 +149,7 @@ func NewDecapsulationKey768(seed []byte) (*DecapsulationKey768, error) {
 func newKeyFromSeed(dk *DecapsulationKey768, seed []byte) (*DecapsulationKey768, error) {
 	if len(seed) != SeedSize {
-		return nil, errors.New("mlkem768: invalid seed length")
+		return nil, errors.New("mlkem: invalid seed length")
 	}
 	d := (*[32]byte)(seed[:32])
 	z := (*[32]byte)(seed[32:])
@ -212,7 +211,7 @@ func kemKeyGen(dk *DecapsulationKey768, d, z *[32]byte) *DecapsulationKey768 {
 }
 // Encapsulate generates a shared key and an associated ciphertext from an
-// encapsulation key, drawing random bytes from crypto/rand.
+// encapsulation key, drawing random bytes from a DRBG.
 //
 // The shared key must be kept secret.
 func (ek *EncapsulationKey768) Encapsulate() (ciphertext, sharedKey []byte) {
@ -223,7 +222,7 @@ func (ek *EncapsulationKey768) Encapsulate() (ciphertext, sharedKey []byte) {
 func (ek *EncapsulationKey768) encapsulate(cc *[CiphertextSize768]byte) (ciphertext, sharedKey []byte) {
 	var m [messageSize]byte
-	rand.Read(m[:])
+	drbg.Read(m[:])
 	// Note that the modulus check (step 2 of the encapsulation key check from
 	// FIPS 203, Section 7.2) is performed by polyByteDecode in parseEK.
 	return kemEncaps(cc, ek, &m)
@ -260,10 +259,12 @@ func NewEncapsulationKey768(encapsulationKey []byte) (*EncapsulationKey768, erro
 // Algorithm 14.
 func parseEK(ek *EncapsulationKey768, ekPKE []byte) (*EncapsulationKey768, error) {
 	if len(ekPKE) != encryptionKeySize {
-		return nil, errors.New("mlkem768: invalid encapsulation key length")
+		return nil, errors.New("mlkem: invalid encapsulation key length")
 	}
-	ek.h = sha3.Sum256(ekPKE[:])
+	h := sha3.New256()
 	h.Write(ekPKE)
 	h.Sum(ek.h[:0])
 	for i := range ek.t {
 		var err error
@ -333,7 +334,7 @@ func pkeEncrypt(cc *[CiphertextSize768]byte, ex *encryptionKey, m *[messageSize]
 // The shared key must be kept secret.
 func (dk *DecapsulationKey768) Decapsulate(ciphertext []byte) (sharedKey []byte, err error) {
 	if len(ciphertext) != CiphertextSize768 {
-		return nil, errors.New("mlkem768: invalid ciphertext length")
+		return nil, errors.New("mlkem: invalid ciphertext length")
 	}
 	c := (*[CiphertextSize768]byte)(ciphertext)
 	// Note that the hash check (step 3 of the decapsulation input check from
--- a/src/crypto/internal/fips/mlkem/mlkem768_test.go
+++ b/src/crypto/internal/fips/mlkem/mlkem768_test.go
@ -2,17 +2,16 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-package mlkem768
+package mlkem
 import (
 	"bytes"
 	"crypto/internal/fips/sha3"
 	"crypto/rand"
 	_ "embed"
 	"encoding/hex"
 	"flag"
 	"testing"
 	"golang.org/x/crypto/sha3"
 )
 func TestRoundTrip(t *testing.T) {
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@ -10,9 +10,9 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
 	"crypto/internal/fips/mlkem"
 	"crypto/internal/fips/tls13"
 	"crypto/internal/hpke"
 	"crypto/internal/mlkem768"
 	"crypto/rsa"
 	"crypto/subtle"
 	"crypto/x509"
@ -160,11 +160,11 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, *keySharePrivateKeys, *echCon
 			if err != nil {
 				return nil, nil, nil, err
 			}
-			seed := make([]byte, mlkem768.SeedSize)
+			seed := make([]byte, mlkem.SeedSize)
 			if _, err := io.ReadFull(config.rand(), seed); err != nil {
 				return nil, nil, nil, err
 			}
-			keyShareKeys.kyber, err = mlkem768.NewDecapsulationKey768(seed)
+			keyShareKeys.kyber, err = mlkem.NewDecapsulationKey768(seed)
 			if err != nil {
 				return nil, nil, nil, err
 			}
--- a/src/crypto/tls/handshake_client_tls13.go
+++ b/src/crypto/tls/handshake_client_tls13.go
@ -10,8 +10,8 @@ import (
 	"crypto"
 	"crypto/hmac"
 	"crypto/internal/fips/hkdf"
 	"crypto/internal/fips/mlkem"
 	"crypto/internal/fips/tls13"
 	"crypto/internal/mlkem768"
 	"crypto/rsa"
 	"crypto/subtle"
 	"errors"
@ -481,7 +481,7 @@ func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
 	ecdhePeerData := hs.serverHello.serverShare.data
 	if hs.serverHello.serverShare.group == x25519Kyber768Draft00 {
-		if len(ecdhePeerData) != x25519PublicKeySize+mlkem768.CiphertextSize768 {
+		if len(ecdhePeerData) != x25519PublicKeySize+mlkem.CiphertextSize768 {
 			c.sendAlert(alertIllegalParameter)
 			return errors.New("tls: invalid server key share")
 		}
--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
@ -9,8 +9,8 @@ import (
 	"context"
 	"crypto"
 	"crypto/hmac"
 	"crypto/internal/fips/mlkem"
 	"crypto/internal/fips/tls13"
 	"crypto/internal/mlkem768"
 	"crypto/rsa"
 	"errors"
 	"hash"
@ -223,7 +223,7 @@ func (hs *serverHandshakeStateTLS13) processClientHello() error {
 	ecdhData := clientKeyShare.data
 	if selectedGroup == x25519Kyber768Draft00 {
 		ecdhGroup = X25519
-		if len(ecdhData) != x25519PublicKeySize+mlkem768.EncapsulationKeySize768 {
+		if len(ecdhData) != x25519PublicKeySize+mlkem.EncapsulationKeySize768 {
 			c.sendAlert(alertIllegalParameter)
 			return errors.New("tls: invalid Kyber client key share")
 		}
--- a/src/crypto/tls/key_schedule.go
+++ b/src/crypto/tls/key_schedule.go
@ -7,13 +7,12 @@ package tls
 import (
 	"crypto/ecdh"
 	"crypto/hmac"
 	"crypto/internal/fips/mlkem"
 	"crypto/internal/fips/sha3"
 	"crypto/internal/fips/tls13"
 	"crypto/internal/mlkem768"
 	"errors"
 	"hash"
 	"io"
 	"golang.org/x/crypto/sha3"
 )
 // This file contains the functions necessary to compute the TLS 1.3 key
@ -54,11 +53,11 @@ func (c *cipherSuiteTLS13) exportKeyingMaterial(s *tls13.MasterSecret, transcrip
 type keySharePrivateKeys struct {
 	curveID CurveID
 	ecdhe   *ecdh.PrivateKey
-	kyber   *mlkem768.DecapsulationKey768
+	kyber   *mlkem.DecapsulationKey768
 }
 // kyberDecapsulate implements decapsulation according to Kyber Round 3.
-func kyberDecapsulate(dk *mlkem768.DecapsulationKey768, c []byte) ([]byte, error) {
+func kyberDecapsulate(dk *mlkem.DecapsulationKey768, c []byte) ([]byte, error) {
 	K, err := dk.Decapsulate(c)
 	if err != nil {
 		return nil, err
@ -68,7 +67,7 @@ func kyberDecapsulate(dk *mlkem768.DecapsulationKey768, c []byte) ([]byte, error
 // kyberEncapsulate implements encapsulation according to Kyber Round 3.
 func kyberEncapsulate(ek []byte) (c, ss []byte, err error) {
-	k, err := mlkem768.NewEncapsulationKey768(ek)
+	k, err := mlkem.NewEncapsulationKey768(ek)
 	if err != nil {
 		return nil, nil, err
 	}
@ -77,13 +76,14 @@ func kyberEncapsulate(ek []byte) (c, ss []byte, err error) {
 }
 func kyberSharedSecret(c, K []byte) []byte {
-	// Package mlkem768 implements ML-KEM, which compared to Kyber removed a
+	// Package mlkem implements ML-KEM, which compared to Kyber removed a
 	// final hashing step. Compute SHAKE-256(K || SHA3-256(c), 32) to match Kyber.
 	// See https://words.filippo.io/mlkem768/#bonus-track-using-a-ml-kem-implementation-as-kyber-v3.
 	h := sha3.NewShake256()
 	h.Write(K)
-	ch := sha3.Sum256(c)
+	ch := sha3.New256()
-	h.Write(ch[:])
+	ch.Write(c)
 	h.Write(ch.Sum(nil))
 	out := make([]byte, 32)
 	h.Read(out)
 	return out
--- a/src/crypto/tls/key_schedule_test.go
+++ b/src/crypto/tls/key_schedule_test.go
@ -6,8 +6,8 @@ package tls
 import (
 	"bytes"
 	"crypto/internal/fips/mlkem"
 	"crypto/internal/fips/tls13"
 	"crypto/internal/mlkem768"
 	"crypto/sha256"
 	"encoding/hex"
 	"strings"
@ -120,7 +120,7 @@ func TestTrafficKey(t *testing.T) {
 }
 func TestKyberEncapsulate(t *testing.T) {
-	dk, err := mlkem768.GenerateKey768()
+	dk, err := mlkem.GenerateKey768()
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/src/go/build/deps_test.go
+++ b/src/go/build/deps_test.go
@ -462,6 +462,7 @@ var depsRules = `
 	< crypto/internal/fips/hmac
 	< crypto/internal/fips/check
 	< crypto/internal/fips/hkdf
 	< crypto/internal/fips/mlkem
 	< crypto/internal/fips/ssh
 	< crypto/internal/fips/tls12
 	< crypto/internal/fips/tls13
@ -525,7 +526,6 @@ var depsRules = `
 	CRYPTO, FMT, math/big
 	< crypto/internal/boring/bbig
 	< crypto/rand
 	< crypto/internal/mlkem768
 	< crypto/ed25519
 	< encoding/asn1
 	< golang.org/x/crypto/cryptobyte/asn1
--- a/src/vendor/golang.org/x/crypto/sha3/doc.go
+++ b/src/vendor/golang.org/x/crypto/sha3/doc.go
@ -1,62 +0,0 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 // Package sha3 implements the SHA-3 fixed-output-length hash functions and
 // the SHAKE variable-output-length hash functions defined by FIPS-202.
 //
 // Both types of hash function use the "sponge" construction and the Keccak
 // permutation. For a detailed specification see http://keccak.noekeon.org/
 //
 // # Guidance
 //
 // If you aren't sure what function you need, use SHAKE256 with at least 64
 // bytes of output. The SHAKE instances are faster than the SHA3 instances;
 // the latter have to allocate memory to conform to the hash.Hash interface.
 //
 // If you need a secret-key MAC (message authentication code), prepend the
 // secret key to the input, hash with SHAKE256 and read at least 32 bytes of
 // output.
 //
 // # Security strengths
 //
 // The SHA3-x (x equals 224, 256, 384, or 512) functions have a security
 // strength against preimage attacks of x bits. Since they only produce "x"
 // bits of output, their collision-resistance is only "x/2" bits.
 //
 // The SHAKE-256 and -128 functions have a generic security strength of 256 and
 // 128 bits against all attacks, provided that at least 2x bits of their output
 // is used.  Requesting more than 64 or 32 bytes of output, respectively, does
 // not increase the collision-resistance of the SHAKE functions.
 //
 // # The sponge construction
 //
 // A sponge builds a pseudo-random function from a public pseudo-random
 // permutation, by applying the permutation to a state of "rate + capacity"
 // bytes, but hiding "capacity" of the bytes.
 //
 // A sponge starts out with a zero state. To hash an input using a sponge, up
 // to "rate" bytes of the input are XORed into the sponge's state. The sponge
 // is then "full" and the permutation is applied to "empty" it. This process is
 // repeated until all the input has been "absorbed". The input is then padded.
 // The digest is "squeezed" from the sponge in the same way, except that output
 // is copied out instead of input being XORed in.
 //
 // A sponge is parameterized by its generic security strength, which is equal
 // to half its capacity; capacity + rate is equal to the permutation's width.
 // Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means
 // that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
 //
 // # Recommendations
 //
 // The SHAKE functions are recommended for most new uses. They can produce
 // output of arbitrary length. SHAKE256, with an output length of at least
 // 64 bytes, provides 256-bit security against all attacks.  The Keccak team
 // recommends it for most applications upgrading from SHA2-512. (NIST chose a
 // much stronger, but much slower, sponge instance for SHA3-512.)
 //
 // The SHA-3 functions are "drop-in" replacements for the SHA-2 functions.
 // They produce output of the same length, with the same security strengths
 // against all attacks. This means, in particular, that SHA3-256 only has
 // 128-bit collision resistance, because its output length is 32 bytes.
 package sha3
--- a/src/vendor/golang.org/x/crypto/sha3/hashes.go
+++ b/src/vendor/golang.org/x/crypto/sha3/hashes.go
@ -1,109 +0,0 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package sha3
 // This file provides functions for creating instances of the SHA-3
 // and SHAKE hash functions, as well as utility functions for hashing
 // bytes.
 import (
 	"crypto"
 	"hash"
 )
 // New224 creates a new SHA3-224 hash.
 // Its generic security strength is 224 bits against preimage attacks,
 // and 112 bits against collision attacks.
 func New224() hash.Hash {
 	return new224()
 }
 // New256 creates a new SHA3-256 hash.
 // Its generic security strength is 256 bits against preimage attacks,
 // and 128 bits against collision attacks.
 func New256() hash.Hash {
 	return new256()
 }
 // New384 creates a new SHA3-384 hash.
 // Its generic security strength is 384 bits against preimage attacks,
 // and 192 bits against collision attacks.
 func New384() hash.Hash {
 	return new384()
 }
 // New512 creates a new SHA3-512 hash.
 // Its generic security strength is 512 bits against preimage attacks,
 // and 256 bits against collision attacks.
 func New512() hash.Hash {
 	return new512()
 }
 func init() {
 	crypto.RegisterHash(crypto.SHA3_224, New224)
 	crypto.RegisterHash(crypto.SHA3_256, New256)
 	crypto.RegisterHash(crypto.SHA3_384, New384)
 	crypto.RegisterHash(crypto.SHA3_512, New512)
 }
 func new224Generic() *state {
 	return &state{rate: 144, outputLen: 28, dsbyte: 0x06}
 }
 func new256Generic() *state {
 	return &state{rate: 136, outputLen: 32, dsbyte: 0x06}
 }
 func new384Generic() *state {
 	return &state{rate: 104, outputLen: 48, dsbyte: 0x06}
 }
 func new512Generic() *state {
 	return &state{rate: 72, outputLen: 64, dsbyte: 0x06}
 }
 // NewLegacyKeccak256 creates a new Keccak-256 hash.
 //
 // Only use this function if you require compatibility with an existing cryptosystem
 // that uses non-standard padding. All other users should use New256 instead.
 func NewLegacyKeccak256() hash.Hash { return &state{rate: 136, outputLen: 32, dsbyte: 0x01} }
 // NewLegacyKeccak512 creates a new Keccak-512 hash.
 //
 // Only use this function if you require compatibility with an existing cryptosystem
 // that uses non-standard padding. All other users should use New512 instead.
 func NewLegacyKeccak512() hash.Hash { return &state{rate: 72, outputLen: 64, dsbyte: 0x01} }
 // Sum224 returns the SHA3-224 digest of the data.
 func Sum224(data []byte) (digest [28]byte) {
 	h := New224()
 	h.Write(data)
 	h.Sum(digest[:0])
 	return
 }
 // Sum256 returns the SHA3-256 digest of the data.
 func Sum256(data []byte) (digest [32]byte) {
 	h := New256()
 	h.Write(data)
 	h.Sum(digest[:0])
 	return
 }
 // Sum384 returns the SHA3-384 digest of the data.
 func Sum384(data []byte) (digest [48]byte) {
 	h := New384()
 	h.Write(data)
 	h.Sum(digest[:0])
 	return
 }
 // Sum512 returns the SHA3-512 digest of the data.
 func Sum512(data []byte) (digest [64]byte) {
 	h := New512()
 	h.Write(data)
 	h.Sum(digest[:0])
 	return
 }
--- a/src/vendor/golang.org/x/crypto/sha3/hashes_noasm.go
+++ b/src/vendor/golang.org/x/crypto/sha3/hashes_noasm.go
@ -1,23 +0,0 @@
 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !gc || purego || !s390x
 package sha3
 func new224() *state {
 	return new224Generic()
 }
 func new256() *state {
 	return new256Generic()
 }
 func new384() *state {
 	return new384Generic()
 }
 func new512() *state {
 	return new512Generic()
 }
--- a/src/vendor/golang.org/x/crypto/sha3/keccakf.go
+++ b/src/vendor/golang.org/x/crypto/sha3/keccakf.go
@ -1,414 +0,0 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !amd64 || purego || !gc
 package sha3
 import "math/bits"
 // rc stores the round constants for use in the ι step.
 var rc = [24]uint64{
 	0x0000000000000001,
 	0x0000000000008082,
 	0x800000000000808A,
 	0x8000000080008000,
 	0x000000000000808B,
 	0x0000000080000001,
 	0x8000000080008081,
 	0x8000000000008009,
 	0x000000000000008A,
 	0x0000000000000088,
 	0x0000000080008009,
 	0x000000008000000A,
 	0x000000008000808B,
 	0x800000000000008B,
 	0x8000000000008089,
 	0x8000000000008003,
 	0x8000000000008002,
 	0x8000000000000080,
 	0x000000000000800A,
 	0x800000008000000A,
 	0x8000000080008081,
 	0x8000000000008080,
 	0x0000000080000001,
 	0x8000000080008008,
 }
 // keccakF1600 applies the Keccak permutation to a 1600b-wide
 // state represented as a slice of 25 uint64s.
 func keccakF1600(a *[25]uint64) {
 	// Implementation translated from Keccak-inplace.c
 	// in the keccak reference code.
 	var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64
 	for i := 0; i < 24; i += 4 {
 		// Combines the 5 steps in each round into 2 steps.
 		// Unrolls 4 rounds per loop and spreads some steps across rounds.
 		// Round 1
 		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
 		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
 		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
 		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
 		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
 		d0 = bc4 ^ (bc1<<1 | bc1>>63)
 		d1 = bc0 ^ (bc2<<1 | bc2>>63)
 		d2 = bc1 ^ (bc3<<1 | bc3>>63)
 		d3 = bc2 ^ (bc4<<1 | bc4>>63)
 		d4 = bc3 ^ (bc0<<1 | bc0>>63)
 		bc0 = a[0] ^ d0
 		t = a[6] ^ d1
 		bc1 = bits.RotateLeft64(t, 44)
 		t = a[12] ^ d2
 		bc2 = bits.RotateLeft64(t, 43)
 		t = a[18] ^ d3
 		bc3 = bits.RotateLeft64(t, 21)
 		t = a[24] ^ d4
 		bc4 = bits.RotateLeft64(t, 14)
 		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i]
 		a[6] = bc1 ^ (bc3 &^ bc2)
 		a[12] = bc2 ^ (bc4 &^ bc3)
 		a[18] = bc3 ^ (bc0 &^ bc4)
 		a[24] = bc4 ^ (bc1 &^ bc0)
 		t = a[10] ^ d0
 		bc2 = bits.RotateLeft64(t, 3)
 		t = a[16] ^ d1
 		bc3 = bits.RotateLeft64(t, 45)
 		t = a[22] ^ d2
 		bc4 = bits.RotateLeft64(t, 61)
 		t = a[3] ^ d3
 		bc0 = bits.RotateLeft64(t, 28)
 		t = a[9] ^ d4
 		bc1 = bits.RotateLeft64(t, 20)
 		a[10] = bc0 ^ (bc2 &^ bc1)
 		a[16] = bc1 ^ (bc3 &^ bc2)
 		a[22] = bc2 ^ (bc4 &^ bc3)
 		a[3] = bc3 ^ (bc0 &^ bc4)
 		a[9] = bc4 ^ (bc1 &^ bc0)
 		t = a[20] ^ d0
 		bc4 = bits.RotateLeft64(t, 18)
 		t = a[1] ^ d1
 		bc0 = bits.RotateLeft64(t, 1)
 		t = a[7] ^ d2
 		bc1 = bits.RotateLeft64(t, 6)
 		t = a[13] ^ d3
 		bc2 = bits.RotateLeft64(t, 25)
 		t = a[19] ^ d4
 		bc3 = bits.RotateLeft64(t, 8)
 		a[20] = bc0 ^ (bc2 &^ bc1)
 		a[1] = bc1 ^ (bc3 &^ bc2)
 		a[7] = bc2 ^ (bc4 &^ bc3)
 		a[13] = bc3 ^ (bc0 &^ bc4)
 		a[19] = bc4 ^ (bc1 &^ bc0)
 		t = a[5] ^ d0
 		bc1 = bits.RotateLeft64(t, 36)
 		t = a[11] ^ d1
 		bc2 = bits.RotateLeft64(t, 10)
 		t = a[17] ^ d2
 		bc3 = bits.RotateLeft64(t, 15)
 		t = a[23] ^ d3
 		bc4 = bits.RotateLeft64(t, 56)
 		t = a[4] ^ d4
 		bc0 = bits.RotateLeft64(t, 27)
 		a[5] = bc0 ^ (bc2 &^ bc1)
 		a[11] = bc1 ^ (bc3 &^ bc2)
 		a[17] = bc2 ^ (bc4 &^ bc3)
 		a[23] = bc3 ^ (bc0 &^ bc4)
 		a[4] = bc4 ^ (bc1 &^ bc0)
 		t = a[15] ^ d0
 		bc3 = bits.RotateLeft64(t, 41)
 		t = a[21] ^ d1
 		bc4 = bits.RotateLeft64(t, 2)
 		t = a[2] ^ d2
 		bc0 = bits.RotateLeft64(t, 62)
 		t = a[8] ^ d3
 		bc1 = bits.RotateLeft64(t, 55)
 		t = a[14] ^ d4
 		bc2 = bits.RotateLeft64(t, 39)
 		a[15] = bc0 ^ (bc2 &^ bc1)
 		a[21] = bc1 ^ (bc3 &^ bc2)
 		a[2] = bc2 ^ (bc4 &^ bc3)
 		a[8] = bc3 ^ (bc0 &^ bc4)
 		a[14] = bc4 ^ (bc1 &^ bc0)
 		// Round 2
 		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
 		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
 		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
 		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
 		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
 		d0 = bc4 ^ (bc1<<1 | bc1>>63)
 		d1 = bc0 ^ (bc2<<1 | bc2>>63)
 		d2 = bc1 ^ (bc3<<1 | bc3>>63)
 		d3 = bc2 ^ (bc4<<1 | bc4>>63)
 		d4 = bc3 ^ (bc0<<1 | bc0>>63)
 		bc0 = a[0] ^ d0
 		t = a[16] ^ d1
 		bc1 = bits.RotateLeft64(t, 44)
 		t = a[7] ^ d2
 		bc2 = bits.RotateLeft64(t, 43)
 		t = a[23] ^ d3
 		bc3 = bits.RotateLeft64(t, 21)
 		t = a[14] ^ d4
 		bc4 = bits.RotateLeft64(t, 14)
 		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1]
 		a[16] = bc1 ^ (bc3 &^ bc2)
 		a[7] = bc2 ^ (bc4 &^ bc3)
 		a[23] = bc3 ^ (bc0 &^ bc4)
 		a[14] = bc4 ^ (bc1 &^ bc0)
 		t = a[20] ^ d0
 		bc2 = bits.RotateLeft64(t, 3)
 		t = a[11] ^ d1
 		bc3 = bits.RotateLeft64(t, 45)
 		t = a[2] ^ d2
 		bc4 = bits.RotateLeft64(t, 61)
 		t = a[18] ^ d3
 		bc0 = bits.RotateLeft64(t, 28)
 		t = a[9] ^ d4
 		bc1 = bits.RotateLeft64(t, 20)
 		a[20] = bc0 ^ (bc2 &^ bc1)
 		a[11] = bc1 ^ (bc3 &^ bc2)
 		a[2] = bc2 ^ (bc4 &^ bc3)
 		a[18] = bc3 ^ (bc0 &^ bc4)
 		a[9] = bc4 ^ (bc1 &^ bc0)
 		t = a[15] ^ d0
 		bc4 = bits.RotateLeft64(t, 18)
 		t = a[6] ^ d1
 		bc0 = bits.RotateLeft64(t, 1)
 		t = a[22] ^ d2
 		bc1 = bits.RotateLeft64(t, 6)
 		t = a[13] ^ d3
 		bc2 = bits.RotateLeft64(t, 25)
 		t = a[4] ^ d4
 		bc3 = bits.RotateLeft64(t, 8)
 		a[15] = bc0 ^ (bc2 &^ bc1)
 		a[6] = bc1 ^ (bc3 &^ bc2)
 		a[22] = bc2 ^ (bc4 &^ bc3)
 		a[13] = bc3 ^ (bc0 &^ bc4)
 		a[4] = bc4 ^ (bc1 &^ bc0)
 		t = a[10] ^ d0
 		bc1 = bits.RotateLeft64(t, 36)
 		t = a[1] ^ d1
 		bc2 = bits.RotateLeft64(t, 10)
 		t = a[17] ^ d2
 		bc3 = bits.RotateLeft64(t, 15)
 		t = a[8] ^ d3
 		bc4 = bits.RotateLeft64(t, 56)
 		t = a[24] ^ d4
 		bc0 = bits.RotateLeft64(t, 27)
 		a[10] = bc0 ^ (bc2 &^ bc1)
 		a[1] = bc1 ^ (bc3 &^ bc2)
 		a[17] = bc2 ^ (bc4 &^ bc3)
 		a[8] = bc3 ^ (bc0 &^ bc4)
 		a[24] = bc4 ^ (bc1 &^ bc0)
 		t = a[5] ^ d0
 		bc3 = bits.RotateLeft64(t, 41)
 		t = a[21] ^ d1
 		bc4 = bits.RotateLeft64(t, 2)
 		t = a[12] ^ d2
 		bc0 = bits.RotateLeft64(t, 62)
 		t = a[3] ^ d3
 		bc1 = bits.RotateLeft64(t, 55)
 		t = a[19] ^ d4
 		bc2 = bits.RotateLeft64(t, 39)
 		a[5] = bc0 ^ (bc2 &^ bc1)
 		a[21] = bc1 ^ (bc3 &^ bc2)
 		a[12] = bc2 ^ (bc4 &^ bc3)
 		a[3] = bc3 ^ (bc0 &^ bc4)
 		a[19] = bc4 ^ (bc1 &^ bc0)
 		// Round 3
 		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
 		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
 		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
 		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
 		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
 		d0 = bc4 ^ (bc1<<1 | bc1>>63)
 		d1 = bc0 ^ (bc2<<1 | bc2>>63)
 		d2 = bc1 ^ (bc3<<1 | bc3>>63)
 		d3 = bc2 ^ (bc4<<1 | bc4>>63)
 		d4 = bc3 ^ (bc0<<1 | bc0>>63)
 		bc0 = a[0] ^ d0
 		t = a[11] ^ d1
 		bc1 = bits.RotateLeft64(t, 44)
 		t = a[22] ^ d2
 		bc2 = bits.RotateLeft64(t, 43)
 		t = a[8] ^ d3
 		bc3 = bits.RotateLeft64(t, 21)
 		t = a[19] ^ d4
 		bc4 = bits.RotateLeft64(t, 14)
 		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2]
 		a[11] = bc1 ^ (bc3 &^ bc2)
 		a[22] = bc2 ^ (bc4 &^ bc3)
 		a[8] = bc3 ^ (bc0 &^ bc4)
 		a[19] = bc4 ^ (bc1 &^ bc0)
 		t = a[15] ^ d0
 		bc2 = bits.RotateLeft64(t, 3)
 		t = a[1] ^ d1
 		bc3 = bits.RotateLeft64(t, 45)
 		t = a[12] ^ d2
 		bc4 = bits.RotateLeft64(t, 61)
 		t = a[23] ^ d3
 		bc0 = bits.RotateLeft64(t, 28)
 		t = a[9] ^ d4
 		bc1 = bits.RotateLeft64(t, 20)
 		a[15] = bc0 ^ (bc2 &^ bc1)
 		a[1] = bc1 ^ (bc3 &^ bc2)
 		a[12] = bc2 ^ (bc4 &^ bc3)
 		a[23] = bc3 ^ (bc0 &^ bc4)
 		a[9] = bc4 ^ (bc1 &^ bc0)
 		t = a[5] ^ d0
 		bc4 = bits.RotateLeft64(t, 18)
 		t = a[16] ^ d1
 		bc0 = bits.RotateLeft64(t, 1)
 		t = a[2] ^ d2
 		bc1 = bits.RotateLeft64(t, 6)
 		t = a[13] ^ d3
 		bc2 = bits.RotateLeft64(t, 25)
 		t = a[24] ^ d4
 		bc3 = bits.RotateLeft64(t, 8)
 		a[5] = bc0 ^ (bc2 &^ bc1)
 		a[16] = bc1 ^ (bc3 &^ bc2)
 		a[2] = bc2 ^ (bc4 &^ bc3)
 		a[13] = bc3 ^ (bc0 &^ bc4)
 		a[24] = bc4 ^ (bc1 &^ bc0)
 		t = a[20] ^ d0
 		bc1 = bits.RotateLeft64(t, 36)
 		t = a[6] ^ d1
 		bc2 = bits.RotateLeft64(t, 10)
 		t = a[17] ^ d2
 		bc3 = bits.RotateLeft64(t, 15)
 		t = a[3] ^ d3
 		bc4 = bits.RotateLeft64(t, 56)
 		t = a[14] ^ d4
 		bc0 = bits.RotateLeft64(t, 27)
 		a[20] = bc0 ^ (bc2 &^ bc1)
 		a[6] = bc1 ^ (bc3 &^ bc2)
 		a[17] = bc2 ^ (bc4 &^ bc3)
 		a[3] = bc3 ^ (bc0 &^ bc4)
 		a[14] = bc4 ^ (bc1 &^ bc0)
 		t = a[10] ^ d0
 		bc3 = bits.RotateLeft64(t, 41)
 		t = a[21] ^ d1
 		bc4 = bits.RotateLeft64(t, 2)
 		t = a[7] ^ d2
 		bc0 = bits.RotateLeft64(t, 62)
 		t = a[18] ^ d3
 		bc1 = bits.RotateLeft64(t, 55)
 		t = a[4] ^ d4
 		bc2 = bits.RotateLeft64(t, 39)
 		a[10] = bc0 ^ (bc2 &^ bc1)
 		a[21] = bc1 ^ (bc3 &^ bc2)
 		a[7] = bc2 ^ (bc4 &^ bc3)
 		a[18] = bc3 ^ (bc0 &^ bc4)
 		a[4] = bc4 ^ (bc1 &^ bc0)
 		// Round 4
 		bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20]
 		bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21]
 		bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22]
 		bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23]
 		bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24]
 		d0 = bc4 ^ (bc1<<1 | bc1>>63)
 		d1 = bc0 ^ (bc2<<1 | bc2>>63)
 		d2 = bc1 ^ (bc3<<1 | bc3>>63)
 		d3 = bc2 ^ (bc4<<1 | bc4>>63)
 		d4 = bc3 ^ (bc0<<1 | bc0>>63)
 		bc0 = a[0] ^ d0
 		t = a[1] ^ d1
 		bc1 = bits.RotateLeft64(t, 44)
 		t = a[2] ^ d2
 		bc2 = bits.RotateLeft64(t, 43)
 		t = a[3] ^ d3
 		bc3 = bits.RotateLeft64(t, 21)
 		t = a[4] ^ d4
 		bc4 = bits.RotateLeft64(t, 14)
 		a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3]
 		a[1] = bc1 ^ (bc3 &^ bc2)
 		a[2] = bc2 ^ (bc4 &^ bc3)
 		a[3] = bc3 ^ (bc0 &^ bc4)
 		a[4] = bc4 ^ (bc1 &^ bc0)
 		t = a[5] ^ d0
 		bc2 = bits.RotateLeft64(t, 3)
 		t = a[6] ^ d1
 		bc3 = bits.RotateLeft64(t, 45)
 		t = a[7] ^ d2
 		bc4 = bits.RotateLeft64(t, 61)
 		t = a[8] ^ d3
 		bc0 = bits.RotateLeft64(t, 28)
 		t = a[9] ^ d4
 		bc1 = bits.RotateLeft64(t, 20)
 		a[5] = bc0 ^ (bc2 &^ bc1)
 		a[6] = bc1 ^ (bc3 &^ bc2)
 		a[7] = bc2 ^ (bc4 &^ bc3)
 		a[8] = bc3 ^ (bc0 &^ bc4)
 		a[9] = bc4 ^ (bc1 &^ bc0)
 		t = a[10] ^ d0
 		bc4 = bits.RotateLeft64(t, 18)
 		t = a[11] ^ d1
 		bc0 = bits.RotateLeft64(t, 1)
 		t = a[12] ^ d2
 		bc1 = bits.RotateLeft64(t, 6)
 		t = a[13] ^ d3
 		bc2 = bits.RotateLeft64(t, 25)
 		t = a[14] ^ d4
 		bc3 = bits.RotateLeft64(t, 8)
 		a[10] = bc0 ^ (bc2 &^ bc1)
 		a[11] = bc1 ^ (bc3 &^ bc2)
 		a[12] = bc2 ^ (bc4 &^ bc3)
 		a[13] = bc3 ^ (bc0 &^ bc4)
 		a[14] = bc4 ^ (bc1 &^ bc0)
 		t = a[15] ^ d0
 		bc1 = bits.RotateLeft64(t, 36)
 		t = a[16] ^ d1
 		bc2 = bits.RotateLeft64(t, 10)
 		t = a[17] ^ d2
 		bc3 = bits.RotateLeft64(t, 15)
 		t = a[18] ^ d3
 		bc4 = bits.RotateLeft64(t, 56)
 		t = a[19] ^ d4
 		bc0 = bits.RotateLeft64(t, 27)
 		a[15] = bc0 ^ (bc2 &^ bc1)
 		a[16] = bc1 ^ (bc3 &^ bc2)
 		a[17] = bc2 ^ (bc4 &^ bc3)
 		a[18] = bc3 ^ (bc0 &^ bc4)
 		a[19] = bc4 ^ (bc1 &^ bc0)
 		t = a[20] ^ d0
 		bc3 = bits.RotateLeft64(t, 41)
 		t = a[21] ^ d1
 		bc4 = bits.RotateLeft64(t, 2)
 		t = a[22] ^ d2
 		bc0 = bits.RotateLeft64(t, 62)
 		t = a[23] ^ d3
 		bc1 = bits.RotateLeft64(t, 55)
 		t = a[24] ^ d4
 		bc2 = bits.RotateLeft64(t, 39)
 		a[20] = bc0 ^ (bc2 &^ bc1)
 		a[21] = bc1 ^ (bc3 &^ bc2)
 		a[22] = bc2 ^ (bc4 &^ bc3)
 		a[23] = bc3 ^ (bc0 &^ bc4)
 		a[24] = bc4 ^ (bc1 &^ bc0)
 	}
 }
--- a/src/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
+++ b/src/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
@ -1,13 +0,0 @@
 // Copyright 2015 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build amd64 && !purego && gc
 package sha3
 // This function is implemented in keccakf_amd64.s.
 //go:noescape
 func keccakF1600(a *[25]uint64)
--- a/src/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
+++ b/src/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
--- a/src/vendor/golang.org/x/crypto/sha3/sha3.go
+++ b/src/vendor/golang.org/x/crypto/sha3/sha3.go
@ -1,185 +0,0 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package sha3
 // spongeDirection indicates the direction bytes are flowing through the sponge.
 type spongeDirection int
 const (
 	// spongeAbsorbing indicates that the sponge is absorbing input.
 	spongeAbsorbing spongeDirection = iota
 	// spongeSqueezing indicates that the sponge is being squeezed.
 	spongeSqueezing
 )
 const (
 	// maxRate is the maximum size of the internal buffer. SHAKE-256
 	// currently needs the largest buffer.
 	maxRate = 168
 )
 type state struct {
 	// Generic sponge components.
 	a    [25]uint64 // main state of the hash
 	rate int        // the number of bytes of state to use
 	// dsbyte contains the "domain separation" bits and the first bit of
 	// the padding. Sections 6.1 and 6.2 of [1] separate the outputs of the
 	// SHA-3 and SHAKE functions by appending bitstrings to the message.
 	// Using a little-endian bit-ordering convention, these are "01" for SHA-3
 	// and "1111" for SHAKE, or 00000010b and 00001111b, respectively. Then the
 	// padding rule from section 5.1 is applied to pad the message to a multiple
 	// of the rate, which involves adding a "1" bit, zero or more "0" bits, and
 	// a final "1" bit. We merge the first "1" bit from the padding into dsbyte,
 	// giving 00000110b (0x06) and 00011111b (0x1f).
 	// [1] http://csrc.nist.gov/publications/drafts/fips-202/fips_202_draft.pdf
 	//     "Draft FIPS 202: SHA-3 Standard: Permutation-Based Hash and
 	//      Extendable-Output Functions (May 2014)"
 	dsbyte byte
 	i, n    int // storage[i:n] is the buffer, i is only used while squeezing
 	storage [maxRate]byte
 	// Specific to SHA-3 and SHAKE.
 	outputLen int             // the default output size in bytes
 	state     spongeDirection // whether the sponge is absorbing or squeezing
 }
 // BlockSize returns the rate of sponge underlying this hash function.
 func (d *state) BlockSize() int { return d.rate }
 // Size returns the output size of the hash function in bytes.
 func (d *state) Size() int { return d.outputLen }
 // Reset clears the internal state by zeroing the sponge state and
 // the buffer indexes, and setting Sponge.state to absorbing.
 func (d *state) Reset() {
 	// Zero the permutation's state.
 	for i := range d.a {
 		d.a[i] = 0
 	}
 	d.state = spongeAbsorbing
 	d.i, d.n = 0, 0
 }
 func (d *state) clone() *state {
 	ret := *d
 	return &ret
 }
 // permute applies the KeccakF-1600 permutation. It handles
 // any input-output buffering.
 func (d *state) permute() {
 	switch d.state {
 	case spongeAbsorbing:
 		// If we're absorbing, we need to xor the input into the state
 		// before applying the permutation.
 		xorIn(d, d.storage[:d.rate])
 		d.n = 0
 		keccakF1600(&d.a)
 	case spongeSqueezing:
 		// If we're squeezing, we need to apply the permutation before
 		// copying more output.
 		keccakF1600(&d.a)
 		d.i = 0
 		copyOut(d, d.storage[:d.rate])
 	}
 }
 // pads appends the domain separation bits in dsbyte, applies
 // the multi-bitrate 10..1 padding rule, and permutes the state.
 func (d *state) padAndPermute() {
 	// Pad with this instance's domain-separator bits. We know that there's
 	// at least one byte of space in d.buf because, if it were full,
 	// permute would have been called to empty it. dsbyte also contains the
 	// first one bit for the padding. See the comment in the state struct.
 	d.storage[d.n] = d.dsbyte
 	d.n++
 	for d.n < d.rate {
 		d.storage[d.n] = 0
 		d.n++
 	}
 	// This adds the final one bit for the padding. Because of the way that
 	// bits are numbered from the LSB upwards, the final bit is the MSB of
 	// the last byte.
 	d.storage[d.rate-1] ^= 0x80
 	// Apply the permutation
 	d.permute()
 	d.state = spongeSqueezing
 	d.n = d.rate
 	copyOut(d, d.storage[:d.rate])
 }
 // Write absorbs more data into the hash's state. It panics if any
 // output has already been read.
 func (d *state) Write(p []byte) (written int, err error) {
 	if d.state != spongeAbsorbing {
 		panic("sha3: Write after Read")
 	}
 	written = len(p)
 	for len(p) > 0 {
 		if d.n == 0 && len(p) >= d.rate {
 			// The fast path; absorb a full "rate" bytes of input and apply the permutation.
 			xorIn(d, p[:d.rate])
 			p = p[d.rate:]
 			keccakF1600(&d.a)
 		} else {
 			// The slow path; buffer the input until we can fill the sponge, and then xor it in.
 			todo := d.rate - d.n
 			if todo > len(p) {
 				todo = len(p)
 			}
 			d.n += copy(d.storage[d.n:], p[:todo])
 			p = p[todo:]
 			// If the sponge is full, apply the permutation.
 			if d.n == d.rate {
 				d.permute()
 			}
 		}
 	}
 	return
 }
 // Read squeezes an arbitrary number of bytes from the sponge.
 func (d *state) Read(out []byte) (n int, err error) {
 	// If we're still absorbing, pad and apply the permutation.
 	if d.state == spongeAbsorbing {
 		d.padAndPermute()
 	}
 	n = len(out)
 	// Now, do the squeezing.
 	for len(out) > 0 {
 		n := copy(out, d.storage[d.i:d.n])
 		d.i += n
 		out = out[n:]
 		// Apply the permutation if we've squeezed the sponge dry.
 		if d.i == d.rate {
 			d.permute()
 		}
 	}
 	return
 }
 // Sum applies padding to the hash state and then squeezes out the desired
 // number of output bytes. It panics if any output has already been read.
 func (d *state) Sum(in []byte) []byte {
 	if d.state != spongeAbsorbing {
 		panic("sha3: Sum after Read")
 	}
 	// Make a copy of the original hash so that caller can keep writing
 	// and summing.
 	dup := d.clone()
 	hash := make([]byte, dup.outputLen, 64) // explicit cap to allow stack allocation
 	dup.Read(hash)
 	return append(in, hash...)
 }
--- a/src/vendor/golang.org/x/crypto/sha3/sha3_s390x.go
+++ b/src/vendor/golang.org/x/crypto/sha3/sha3_s390x.go
@ -1,303 +0,0 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build gc && !purego
 package sha3
 // This file contains code for using the 'compute intermediate
 // message digest' (KIMD) and 'compute last message digest' (KLMD)
 // instructions to compute SHA-3 and SHAKE hashes on IBM Z.
 import (
 	"hash"
 	"golang.org/x/sys/cpu"
 )
 // codes represent 7-bit KIMD/KLMD function codes as defined in
 // the Principles of Operation.
 type code uint64
 const (
 	// function codes for KIMD/KLMD
 	sha3_224  code = 32
 	sha3_256       = 33
 	sha3_384       = 34
 	sha3_512       = 35
 	shake_128      = 36
 	shake_256      = 37
 	nopad          = 0x100
 )
 // kimd is a wrapper for the 'compute intermediate message digest' instruction.
 // src must be a multiple of the rate for the given function code.
 //
 //go:noescape
 func kimd(function code, chain *[200]byte, src []byte)
 // klmd is a wrapper for the 'compute last message digest' instruction.
 // src padding is handled by the instruction.
 //
 //go:noescape
 func klmd(function code, chain *[200]byte, dst, src []byte)
 type asmState struct {
 	a         [200]byte       // 1600 bit state
 	buf       []byte          // care must be taken to ensure cap(buf) is a multiple of rate
 	rate      int             // equivalent to block size
 	storage   [3072]byte      // underlying storage for buf
 	outputLen int             // output length for full security
 	function  code            // KIMD/KLMD function code
 	state     spongeDirection // whether the sponge is absorbing or squeezing
 }
 func newAsmState(function code) *asmState {
 	var s asmState
 	s.function = function
 	switch function {
 	case sha3_224:
 		s.rate = 144
 		s.outputLen = 28
 	case sha3_256:
 		s.rate = 136
 		s.outputLen = 32
 	case sha3_384:
 		s.rate = 104
 		s.outputLen = 48
 	case sha3_512:
 		s.rate = 72
 		s.outputLen = 64
 	case shake_128:
 		s.rate = 168
 		s.outputLen = 32
 	case shake_256:
 		s.rate = 136
 		s.outputLen = 64
 	default:
 		panic("sha3: unrecognized function code")
 	}
 	// limit s.buf size to a multiple of s.rate
 	s.resetBuf()
 	return &s
 }
 func (s *asmState) clone() *asmState {
 	c := *s
 	c.buf = c.storage[:len(s.buf):cap(s.buf)]
 	return &c
 }
 // copyIntoBuf copies b into buf. It will panic if there is not enough space to
 // store all of b.
 func (s *asmState) copyIntoBuf(b []byte) {
 	bufLen := len(s.buf)
 	s.buf = s.buf[:len(s.buf)+len(b)]
 	copy(s.buf[bufLen:], b)
 }
 // resetBuf points buf at storage, sets the length to 0 and sets cap to be a
 // multiple of the rate.
 func (s *asmState) resetBuf() {
 	max := (cap(s.storage) / s.rate) * s.rate
 	s.buf = s.storage[:0:max]
 }
 // Write (via the embedded io.Writer interface) adds more data to the running hash.
 // It never returns an error.
 func (s *asmState) Write(b []byte) (int, error) {
 	if s.state != spongeAbsorbing {
 		panic("sha3: Write after Read")
 	}
 	length := len(b)
 	for len(b) > 0 {
 		if len(s.buf) == 0 && len(b) >= cap(s.buf) {
 			// Hash the data directly and push any remaining bytes
 			// into the buffer.
 			remainder := len(b) % s.rate
 			kimd(s.function, &s.a, b[:len(b)-remainder])
 			if remainder != 0 {
 				s.copyIntoBuf(b[len(b)-remainder:])
 			}
 			return length, nil
 		}
 		if len(s.buf) == cap(s.buf) {
 			// flush the buffer
 			kimd(s.function, &s.a, s.buf)
 			s.buf = s.buf[:0]
 		}
 		// copy as much as we can into the buffer
 		n := len(b)
 		if len(b) > cap(s.buf)-len(s.buf) {
 			n = cap(s.buf) - len(s.buf)
 		}
 		s.copyIntoBuf(b[:n])
 		b = b[n:]
 	}
 	return length, nil
 }
 // Read squeezes an arbitrary number of bytes from the sponge.
 func (s *asmState) Read(out []byte) (n int, err error) {
 	// The 'compute last message digest' instruction only stores the digest
 	// at the first operand (dst) for SHAKE functions.
 	if s.function != shake_128 && s.function != shake_256 {
 		panic("sha3: can only call Read for SHAKE functions")
 	}
 	n = len(out)
 	// need to pad if we were absorbing
 	if s.state == spongeAbsorbing {
 		s.state = spongeSqueezing
 		// write hash directly into out if possible
 		if len(out)%s.rate == 0 {
 			klmd(s.function, &s.a, out, s.buf) // len(out) may be 0
 			s.buf = s.buf[:0]
 			return
 		}
 		// write hash into buffer
 		max := cap(s.buf)
 		if max > len(out) {
 			max = (len(out)/s.rate)*s.rate + s.rate
 		}
 		klmd(s.function, &s.a, s.buf[:max], s.buf)
 		s.buf = s.buf[:max]
 	}
 	for len(out) > 0 {
 		// flush the buffer
 		if len(s.buf) != 0 {
 			c := copy(out, s.buf)
 			out = out[c:]
 			s.buf = s.buf[c:]
 			continue
 		}
 		// write hash directly into out if possible
 		if len(out)%s.rate == 0 {
 			klmd(s.function|nopad, &s.a, out, nil)
 			return
 		}
 		// write hash into buffer
 		s.resetBuf()
 		if cap(s.buf) > len(out) {
 			s.buf = s.buf[:(len(out)/s.rate)*s.rate+s.rate]
 		}
 		klmd(s.function|nopad, &s.a, s.buf, nil)
 	}
 	return
 }
 // Sum appends the current hash to b and returns the resulting slice.
 // It does not change the underlying hash state.
 func (s *asmState) Sum(b []byte) []byte {
 	if s.state != spongeAbsorbing {
 		panic("sha3: Sum after Read")
 	}
 	// Copy the state to preserve the original.
 	a := s.a
 	// Hash the buffer. Note that we don't clear it because we
 	// aren't updating the state.
 	switch s.function {
 	case sha3_224, sha3_256, sha3_384, sha3_512:
 		klmd(s.function, &a, nil, s.buf)
 		return append(b, a[:s.outputLen]...)
 	case shake_128, shake_256:
 		d := make([]byte, s.outputLen, 64)
 		klmd(s.function, &a, d, s.buf)
 		return append(b, d[:s.outputLen]...)
 	default:
 		panic("sha3: unknown function")
 	}
 }
 // Reset resets the Hash to its initial state.
 func (s *asmState) Reset() {
 	for i := range s.a {
 		s.a[i] = 0
 	}
 	s.resetBuf()
 	s.state = spongeAbsorbing
 }
 // Size returns the number of bytes Sum will return.
 func (s *asmState) Size() int {
 	return s.outputLen
 }
 // BlockSize returns the hash's underlying block size.
 // The Write method must be able to accept any amount
 // of data, but it may operate more efficiently if all writes
 // are a multiple of the block size.
 func (s *asmState) BlockSize() int {
 	return s.rate
 }
 // Clone returns a copy of the ShakeHash in its current state.
 func (s *asmState) Clone() ShakeHash {
 	return s.clone()
 }
 // new224 returns an assembly implementation of SHA3-224 if available,
 // otherwise it returns a generic implementation.
 func new224() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_224)
 	}
 	return new224Generic()
 }
 // new256 returns an assembly implementation of SHA3-256 if available,
 // otherwise it returns a generic implementation.
 func new256() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_256)
 	}
 	return new256Generic()
 }
 // new384 returns an assembly implementation of SHA3-384 if available,
 // otherwise it returns a generic implementation.
 func new384() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_384)
 	}
 	return new384Generic()
 }
 // new512 returns an assembly implementation of SHA3-512 if available,
 // otherwise it returns a generic implementation.
 func new512() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_512)
 	}
 	return new512Generic()
 }
 // newShake128 returns an assembly implementation of SHAKE-128 if available,
 // otherwise it returns a generic implementation.
 func newShake128() ShakeHash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(shake_128)
 	}
 	return newShake128Generic()
 }
 // newShake256 returns an assembly implementation of SHAKE-256 if available,
 // otherwise it returns a generic implementation.
 func newShake256() ShakeHash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(shake_256)
 	}
 	return newShake256Generic()
 }
--- a/src/vendor/golang.org/x/crypto/sha3/sha3_s390x.s
+++ b/src/vendor/golang.org/x/crypto/sha3/sha3_s390x.s
@ -1,33 +0,0 @@
 // Copyright 2017 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build gc && !purego
 #include "textflag.h"
 // func kimd(function code, chain *[200]byte, src []byte)
 TEXT ·kimd(SB), NOFRAME|NOSPLIT, $0-40
 	MOVD function+0(FP), R0
 	MOVD chain+8(FP), R1
 	LMG  src+16(FP), R2, R3 // R2=base, R3=len
 continue:
 	WORD $0xB93E0002 // KIMD --, R2
 	BVS  continue    // continue if interrupted
 	MOVD $0, R0      // reset R0 for pre-go1.8 compilers
 	RET
 // func klmd(function code, chain *[200]byte, dst, src []byte)
 TEXT ·klmd(SB), NOFRAME|NOSPLIT, $0-64
 	// TODO: SHAKE support
 	MOVD function+0(FP), R0
 	MOVD chain+8(FP), R1
 	LMG  dst+16(FP), R2, R3 // R2=base, R3=len
 	LMG  src+40(FP), R4, R5 // R4=base, R5=len
 continue:
 	WORD $0xB93F0024 // KLMD R2, R4
 	BVS  continue    // continue if interrupted
 	MOVD $0, R0      // reset R0 for pre-go1.8 compilers
 	RET
--- a/src/vendor/golang.org/x/crypto/sha3/shake.go
+++ b/src/vendor/golang.org/x/crypto/sha3/shake.go
@ -1,174 +0,0 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package sha3
 // This file defines the ShakeHash interface, and provides
 // functions for creating SHAKE and cSHAKE instances, as well as utility
 // functions for hashing bytes to arbitrary-length output.
 //
 //
 // SHAKE implementation is based on FIPS PUB 202 [1]
 // cSHAKE implementations is based on NIST SP 800-185 [2]
 //
 // [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
 // [2] https://doi.org/10.6028/NIST.SP.800-185
 import (
 	"encoding/binary"
 	"hash"
 	"io"
 )
 // ShakeHash defines the interface to hash functions that support
 // arbitrary-length output. When used as a plain [hash.Hash], it
 // produces minimum-length outputs that provide full-strength generic
 // security.
 type ShakeHash interface {
 	hash.Hash
 	// Read reads more output from the hash; reading affects the hash's
 	// state. (ShakeHash.Read is thus very different from Hash.Sum)
 	// It never returns an error, but subsequent calls to Write or Sum
 	// will panic.
 	io.Reader
 	// Clone returns a copy of the ShakeHash in its current state.
 	Clone() ShakeHash
 }
 // cSHAKE specific context
 type cshakeState struct {
 	*state // SHA-3 state context and Read/Write operations
 	// initBlock is the cSHAKE specific initialization set of bytes. It is initialized
 	// by newCShake function and stores concatenation of N followed by S, encoded
 	// by the method specified in 3.3 of [1].
 	// It is stored here in order for Reset() to be able to put context into
 	// initial state.
 	initBlock []byte
 }
 // Consts for configuring initial SHA-3 state
 const (
 	dsbyteShake  = 0x1f
 	dsbyteCShake = 0x04
 	rate128      = 168
 	rate256      = 136
 )
 func bytepad(input []byte, w int) []byte {
 	// leftEncode always returns max 9 bytes
 	buf := make([]byte, 0, 9+len(input)+w)
 	buf = append(buf, leftEncode(uint64(w))...)
 	buf = append(buf, input...)
 	padlen := w - (len(buf) % w)
 	return append(buf, make([]byte, padlen)...)
 }
 func leftEncode(value uint64) []byte {
 	var b [9]byte
 	binary.BigEndian.PutUint64(b[1:], value)
 	// Trim all but last leading zero bytes
 	i := byte(1)
 	for i < 8 && b[i] == 0 {
 		i++
 	}
 	// Prepend number of encoded bytes
 	b[i-1] = 9 - i
 	return b[i-1:]
 }
 func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash {
 	c := cshakeState{state: &state{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
 	// leftEncode returns max 9 bytes
 	c.initBlock = make([]byte, 0, 9*2+len(N)+len(S))
 	c.initBlock = append(c.initBlock, leftEncode(uint64(len(N)*8))...)
 	c.initBlock = append(c.initBlock, N...)
 	c.initBlock = append(c.initBlock, leftEncode(uint64(len(S)*8))...)
 	c.initBlock = append(c.initBlock, S...)
 	c.Write(bytepad(c.initBlock, c.rate))
 	return &c
 }
 // Reset resets the hash to initial state.
 func (c *cshakeState) Reset() {
 	c.state.Reset()
 	c.Write(bytepad(c.initBlock, c.rate))
 }
 // Clone returns copy of a cSHAKE context within its current state.
 func (c *cshakeState) Clone() ShakeHash {
 	b := make([]byte, len(c.initBlock))
 	copy(b, c.initBlock)
 	return &cshakeState{state: c.clone(), initBlock: b}
 }
 // Clone returns copy of SHAKE context within its current state.
 func (c *state) Clone() ShakeHash {
 	return c.clone()
 }
 // NewShake128 creates a new SHAKE128 variable-output-length ShakeHash.
 // Its generic security strength is 128 bits against all attacks if at
 // least 32 bytes of its output are used.
 func NewShake128() ShakeHash {
 	return newShake128()
 }
 // NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
 // Its generic security strength is 256 bits against all attacks if
 // at least 64 bytes of its output are used.
 func NewShake256() ShakeHash {
 	return newShake256()
 }
 func newShake128Generic() *state {
 	return &state{rate: rate128, outputLen: 32, dsbyte: dsbyteShake}
 }
 func newShake256Generic() *state {
 	return &state{rate: rate256, outputLen: 64, dsbyte: dsbyteShake}
 }
 // NewCShake128 creates a new instance of cSHAKE128 variable-output-length ShakeHash,
 // a customizable variant of SHAKE128.
 // N is used to define functions based on cSHAKE, it can be empty when plain cSHAKE is
 // desired. S is a customization byte string used for domain separation - two cSHAKE
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake128.
 func NewCShake128(N, S []byte) ShakeHash {
 	if len(N) == 0 && len(S) == 0 {
 		return NewShake128()
 	}
 	return newCShake(N, S, rate128, 32, dsbyteCShake)
 }
 // NewCShake256 creates a new instance of cSHAKE256 variable-output-length ShakeHash,
 // a customizable variant of SHAKE256.
 // N is used to define functions based on cSHAKE, it can be empty when plain cSHAKE is
 // desired. S is a customization byte string used for domain separation - two cSHAKE
 // computations on same input with different S yield unrelated outputs.
 // When N and S are both empty, this is equivalent to NewShake256.
 func NewCShake256(N, S []byte) ShakeHash {
 	if len(N) == 0 && len(S) == 0 {
 		return NewShake256()
 	}
 	return newCShake(N, S, rate256, 64, dsbyteCShake)
 }
 // ShakeSum128 writes an arbitrary-length digest of data into hash.
 func ShakeSum128(hash, data []byte) {
 	h := NewShake128()
 	h.Write(data)
 	h.Read(hash)
 }
 // ShakeSum256 writes an arbitrary-length digest of data into hash.
 func ShakeSum256(hash, data []byte) {
 	h := NewShake256()
 	h.Write(data)
 	h.Read(hash)
 }
--- a/src/vendor/golang.org/x/crypto/sha3/shake_noasm.go
+++ b/src/vendor/golang.org/x/crypto/sha3/shake_noasm.go
@ -1,15 +0,0 @@
 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !gc || purego || !s390x
 package sha3
 func newShake128() *state {
 	return newShake128Generic()
 }
 func newShake256() *state {
 	return newShake256Generic()
 }
--- a/src/vendor/golang.org/x/crypto/sha3/xor.go
+++ b/src/vendor/golang.org/x/crypto/sha3/xor.go
@ -1,40 +0,0 @@
 // Copyright 2015 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package sha3
 import (
 	"crypto/subtle"
 	"encoding/binary"
 	"unsafe"
 	"golang.org/x/sys/cpu"
 )
 // xorIn xors the bytes in buf into the state.
 func xorIn(d *state, buf []byte) {
 	if cpu.IsBigEndian {
 		for i := 0; len(buf) >= 8; i++ {
 			a := binary.LittleEndian.Uint64(buf)
 			d.a[i] ^= a
 			buf = buf[8:]
 		}
 	} else {
 		ab := (*[25 * 64 / 8]byte)(unsafe.Pointer(&d.a))
 		subtle.XORBytes(ab[:], ab[:], buf)
 	}
 }
 // copyOut copies uint64s to a byte buffer.
 func copyOut(d *state, b []byte) {
 	if cpu.IsBigEndian {
 		for i := 0; len(b) >= 8; i++ {
 			binary.LittleEndian.PutUint64(b, d.a[i])
 			b = b[8:]
 		}
 	} else {
 		ab := (*[25 * 64 / 8]byte)(unsafe.Pointer(&d.a))
 		copy(b, ab[:])
 	}
 }
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@ -7,7 +7,6 @@ golang.org/x/crypto/cryptobyte/asn1
 golang.org/x/crypto/hkdf
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
 golang.org/x/crypto/sha3
 # golang.org/x/net v0.27.1-0.20240722181819-765c7e89b3bd
 ## explicit; go 1.18
 golang.org/x/net/dns/dnsmessage