chore(deps): bump golang.org/x/net from 0.10.0 to 0.12.0

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.10.0 to 0.12.0. - [Commits](https://github.com/golang/net/compare/v0.10.0...v0.12.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
2023-07-15 07:08:54 +00:00 · 2023-07-15 07:08:54 +00:00 · 36281fa581
commit 36281fa581
parent 0bd9017bed
96 changed files with 22198 additions and 4655 deletions
--- a/go.mod
+++ b/go.mod
@ -10,7 +10,7 @@ require (
 	github.com/onsi/gomega v1.27.8
 	github.com/pborman/uuid v1.2.0
 	github.com/stretchr/testify v1.8.4
-	golang.org/x/net v0.10.0
+	golang.org/x/net v0.12.0
 	google.golang.org/grpc v1.40.0
 	google.golang.org/protobuf v1.31.0
 	k8s.io/api v0.24.15
@ -81,11 +81,11 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect
 	go.opentelemetry.io/otel/trace v0.20.0 // indirect
 	go.opentelemetry.io/proto/otlp v0.7.0 // indirect
-	golang.org/x/crypto v0.0.0-20220214200702-86341886e292 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
-	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/term v0.8.0 // indirect
+	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect
--- a/go.sum
+++ b/go.sum
@ -425,8 +425,9 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
 golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -507,8 +508,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -596,14 +597,14 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
+golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -615,8 +616,8 @@ golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
+golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/vendor/golang.org/x/crypto/AUTHORS
+++ b/vendor/golang.org/x/crypto/AUTHORS
@ -1,3 +0,0 @@
 # This source code refers to The Go Authors for copyright purposes.
 # The master list of authors is in the main Go distribution,
 # visible at https://tip.golang.org/AUTHORS.
--- a/vendor/golang.org/x/crypto/CONTRIBUTORS
+++ b/vendor/golang.org/x/crypto/CONTRIBUTORS
@ -1,3 +0,0 @@
 # This source code was written by the Go contributors.
 # The master list of contributors is in the main Go distribution,
 # visible at https://tip.golang.org/CONTRIBUTORS.
--- a/vendor/golang.org/x/crypto/chacha20/chacha_generic.go
+++ b/vendor/golang.org/x/crypto/chacha20/chacha_generic.go
@ -12,7 +12,7 @@ import (
 	"errors"
 	"math/bits"
-	"golang.org/x/crypto/internal/subtle"
+	"golang.org/x/crypto/internal/alias"
 )
 const (
@ -189,7 +189,7 @@ func (s *Cipher) XORKeyStream(dst, src []byte) {
 		panic("chacha20: output smaller than input")
 	}
 	dst = dst[:len(src)]
-	if subtle.InexactOverlap(dst, src) {
+	if alias.InexactOverlap(dst, src) {
 		panic("chacha20: invalid buffer overlap")
 	}
--- a/vendor/golang.org/x/crypto/chacha20/chacha_s390x.go
+++ b/vendor/golang.org/x/crypto/chacha20/chacha_s390x.go
@ -15,6 +15,7 @@ const bufSize = 256
 // xorKeyStreamVX is an assembly implementation of XORKeyStream. It must only
 // be called when the vector facility is available. Implementation in asm_s390x.s.
 //
 //go:noescape
 func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32)
--- a/vendor/golang.org/x/crypto/curve25519/curve25519.go
+++ b/vendor/golang.org/x/crypto/curve25519/curve25519.go
@ -5,70 +5,18 @@
 // Package curve25519 provides an implementation of the X25519 function, which
 // performs scalar multiplication on the elliptic curve known as Curve25519.
 // See RFC 7748.
 //
 // Starting in Go 1.20, this package is a wrapper for the X25519 implementation
 // in the crypto/ecdh package.
 package curve25519 // import "golang.org/x/crypto/curve25519"
 import (
 	"crypto/subtle"
 	"fmt"
 	"golang.org/x/crypto/curve25519/internal/field"
 )
 // ScalarMult sets dst to the product scalar * point.
 //
 // Deprecated: when provided a low-order point, ScalarMult will set dst to all
 // zeroes, irrespective of the scalar. Instead, use the X25519 function, which
 // will return an error.
 func ScalarMult(dst, scalar, point *[32]byte) {
-	var e [32]byte
+	scalarMult(dst, scalar, point)
 	copy(e[:], scalar[:])
 	e[0] &= 248
 	e[31] &= 127
 	e[31] |= 64
 	var x1, x2, z2, x3, z3, tmp0, tmp1 field.Element
 	x1.SetBytes(point[:])
 	x2.One()
 	x3.Set(&x1)
 	z3.One()
 	swap := 0
 	for pos := 254; pos >= 0; pos-- {
 		b := e[pos/8] >> uint(pos&7)
 		b &= 1
 		swap ^= int(b)
 		x2.Swap(&x3, swap)
 		z2.Swap(&z3, swap)
 		swap = int(b)
 		tmp0.Subtract(&x3, &z3)
 		tmp1.Subtract(&x2, &z2)
 		x2.Add(&x2, &z2)
 		z2.Add(&x3, &z3)
 		z3.Multiply(&tmp0, &x2)
 		z2.Multiply(&z2, &tmp1)
 		tmp0.Square(&tmp1)
 		tmp1.Square(&x2)
 		x3.Add(&z3, &z2)
 		z2.Subtract(&z3, &z2)
 		x2.Multiply(&tmp1, &tmp0)
 		tmp1.Subtract(&tmp1, &tmp0)
 		z2.Square(&z2)
 		z3.Mult32(&tmp1, 121666)
 		x3.Square(&x3)
 		tmp0.Add(&tmp0, &z3)
 		z3.Multiply(&x1, &z2)
 		z2.Multiply(&tmp1, &tmp0)
 	}
 	x2.Swap(&x3, swap)
 	z2.Swap(&z3, swap)
 	z2.Invert(&z2)
 	x2.Multiply(&x2, &z2)
 	copy(dst[:], x2.Bytes())
 }
 // ScalarBaseMult sets dst to the product scalar * base where base is the
@ -77,7 +25,7 @@ func ScalarMult(dst, scalar, point *[32]byte) {
 // It is recommended to use the X25519 function with Basepoint instead, as
 // copying into fixed size arrays can lead to unexpected bugs.
 func ScalarBaseMult(dst, scalar *[32]byte) {
-	ScalarMult(dst, scalar, &basePoint)
+	scalarBaseMult(dst, scalar)
 }
 const (
@ -90,21 +38,10 @@ const (
 // Basepoint is the canonical Curve25519 generator.
 var Basepoint []byte
-var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+var basePoint = [32]byte{9}
 func init() { Basepoint = basePoint[:] }
 func checkBasepoint() {
 	if subtle.ConstantTimeCompare(Basepoint, []byte{
 		0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	}) != 1 {
 		panic("curve25519: global Basepoint value was modified")
 	}
 }
 // X25519 returns the result of the scalar multiplication (scalar * point),
 // according to RFC 7748, Section 5. scalar, point and the return value are
 // slices of 32 bytes.
@ -120,26 +57,3 @@ func X25519(scalar, point []byte) ([]byte, error) {
 	var dst [32]byte
 	return x25519(&dst, scalar, point)
 }
 func x25519(dst *[32]byte, scalar, point []byte) ([]byte, error) {
 	var in [32]byte
 	if l := len(scalar); l != 32 {
 		return nil, fmt.Errorf("bad scalar length: %d, expected %d", l, 32)
 	}
 	if l := len(point); l != 32 {
 		return nil, fmt.Errorf("bad point length: %d, expected %d", l, 32)
 	}
 	copy(in[:], scalar)
 	if &point[0] == &Basepoint[0] {
 		checkBasepoint()
 		ScalarBaseMult(dst, &in)
 	} else {
 		var base, zero [32]byte
 		copy(base[:], point)
 		ScalarMult(dst, &in, &base)
 		if subtle.ConstantTimeCompare(dst[:], zero[:]) == 1 {
 			return nil, fmt.Errorf("bad input point: low order point")
 		}
 	}
 	return dst[:], nil
 }
--- a/vendor/golang.org/x/crypto/curve25519/curve25519_compat.go
+++ b/vendor/golang.org/x/crypto/curve25519/curve25519_compat.go
@ -0,0 +1,105 @@
 // Copyright 2019 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !go1.20
 package curve25519
 import (
 	"crypto/subtle"
 	"errors"
 	"strconv"
 	"golang.org/x/crypto/curve25519/internal/field"
 )
 func scalarMult(dst, scalar, point *[32]byte) {
 	var e [32]byte
 	copy(e[:], scalar[:])
 	e[0] &= 248
 	e[31] &= 127
 	e[31] |= 64
 	var x1, x2, z2, x3, z3, tmp0, tmp1 field.Element
 	x1.SetBytes(point[:])
 	x2.One()
 	x3.Set(&x1)
 	z3.One()
 	swap := 0
 	for pos := 254; pos >= 0; pos-- {
 		b := e[pos/8] >> uint(pos&7)
 		b &= 1
 		swap ^= int(b)
 		x2.Swap(&x3, swap)
 		z2.Swap(&z3, swap)
 		swap = int(b)
 		tmp0.Subtract(&x3, &z3)
 		tmp1.Subtract(&x2, &z2)
 		x2.Add(&x2, &z2)
 		z2.Add(&x3, &z3)
 		z3.Multiply(&tmp0, &x2)
 		z2.Multiply(&z2, &tmp1)
 		tmp0.Square(&tmp1)
 		tmp1.Square(&x2)
 		x3.Add(&z3, &z2)
 		z2.Subtract(&z3, &z2)
 		x2.Multiply(&tmp1, &tmp0)
 		tmp1.Subtract(&tmp1, &tmp0)
 		z2.Square(&z2)
 		z3.Mult32(&tmp1, 121666)
 		x3.Square(&x3)
 		tmp0.Add(&tmp0, &z3)
 		z3.Multiply(&x1, &z2)
 		z2.Multiply(&tmp1, &tmp0)
 	}
 	x2.Swap(&x3, swap)
 	z2.Swap(&z3, swap)
 	z2.Invert(&z2)
 	x2.Multiply(&x2, &z2)
 	copy(dst[:], x2.Bytes())
 }
 func scalarBaseMult(dst, scalar *[32]byte) {
 	checkBasepoint()
 	scalarMult(dst, scalar, &basePoint)
 }
 func x25519(dst *[32]byte, scalar, point []byte) ([]byte, error) {
 	var in [32]byte
 	if l := len(scalar); l != 32 {
 		return nil, errors.New("bad scalar length: " + strconv.Itoa(l) + ", expected 32")
 	}
 	if l := len(point); l != 32 {
 		return nil, errors.New("bad point length: " + strconv.Itoa(l) + ", expected 32")
 	}
 	copy(in[:], scalar)
 	if &point[0] == &Basepoint[0] {
 		scalarBaseMult(dst, &in)
 	} else {
 		var base, zero [32]byte
 		copy(base[:], point)
 		scalarMult(dst, &in, &base)
 		if subtle.ConstantTimeCompare(dst[:], zero[:]) == 1 {
 			return nil, errors.New("bad input point: low order point")
 		}
 	}
 	return dst[:], nil
 }
 func checkBasepoint() {
 	if subtle.ConstantTimeCompare(Basepoint, []byte{
 		0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	}) != 1 {
 		panic("curve25519: global Basepoint value was modified")
 	}
 }
--- a/vendor/golang.org/x/crypto/curve25519/curve25519_go120.go
+++ b/vendor/golang.org/x/crypto/curve25519/curve25519_go120.go
@ -0,0 +1,46 @@
 // Copyright 2022 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build go1.20
 package curve25519
 import "crypto/ecdh"
 func x25519(dst *[32]byte, scalar, point []byte) ([]byte, error) {
 	curve := ecdh.X25519()
 	pub, err := curve.NewPublicKey(point)
 	if err != nil {
 		return nil, err
 	}
 	priv, err := curve.NewPrivateKey(scalar)
 	if err != nil {
 		return nil, err
 	}
 	out, err := priv.ECDH(pub)
 	if err != nil {
 		return nil, err
 	}
 	copy(dst[:], out)
 	return dst[:], nil
 }
 func scalarMult(dst, scalar, point *[32]byte) {
 	if _, err := x25519(dst, scalar[:], point[:]); err != nil {
 		// The only error condition for x25519 when the inputs are 32 bytes long
 		// is if the output would have been the all-zero value.
 		for i := range dst {
 			dst[i] = 0
 		}
 	}
 }
 func scalarBaseMult(dst, scalar *[32]byte) {
 	curve := ecdh.X25519()
 	priv, err := curve.NewPrivateKey(scalar[:])
 	if err != nil {
 		panic("curve25519: internal error: scalarBaseMult was not 32 bytes")
 	}
 	copy(dst[:], priv.PublicKey().Bytes())
 }
--- a/vendor/golang.org/x/crypto/curve25519/internal/field/fe_amd64.go
+++ b/vendor/golang.org/x/crypto/curve25519/internal/field/fe_amd64.go
@ -1,13 +1,16 @@
 // Code generated by command: go run fe_amd64_asm.go -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field. DO NOT EDIT.
 //go:build amd64 && gc && !purego
 // +build amd64,gc,!purego
 package field
 // feMul sets out = a * b. It works like feMulGeneric.
 //
 //go:noescape
 func feMul(out *Element, a *Element, b *Element)
 // feSquare sets out = a * a. It works like feSquareGeneric.
 //
 //go:noescape
 func feSquare(out *Element, a *Element)
--- a/vendor/golang.org/x/crypto/curve25519/internal/field/fe_generic.go
+++ b/vendor/golang.org/x/crypto/curve25519/internal/field/fe_generic.go
@ -245,7 +245,7 @@ func feSquareGeneric(v, a *Element) {
 	v.carryPropagate()
 }
-// carryPropagate brings the limbs below 52 bits by applying the reduction
+// carryPropagateGeneric brings the limbs below 52 bits by applying the reduction
 // identity (a * 2²⁵⁵ + b = a * 19 + b) to the l4 carry. TODO inline
 func (v *Element) carryPropagateGeneric() *Element {
 	c0 := v.l0 >> 51
--- a/vendor/golang.org/x/crypto/internal/subtle/aliasing.go
+++ b/vendor/golang.org/x/crypto/internal/subtle/aliasing.go
@ -5,9 +5,8 @@
 //go:build !purego
 // +build !purego
-// Package subtle implements functions that are often useful in cryptographic
+// Package alias implements memory aliasing tests.
-// code but require careful thought to use correctly.
+package alias
 package subtle // import "golang.org/x/crypto/internal/subtle"
 import "unsafe"
--- a/vendor/golang.org/x/crypto/internal/subtle/aliasing_purego.go
+++ b/vendor/golang.org/x/crypto/internal/subtle/aliasing_purego.go
@ -5,9 +5,8 @@
 //go:build purego
 // +build purego
-// Package subtle implements functions that are often useful in cryptographic
+// Package alias implements memory aliasing tests.
-// code but require careful thought to use correctly.
+package alias
 package subtle // import "golang.org/x/crypto/internal/subtle"
 // This is the Google App Engine standard variant based on reflect
 // because the unsafe package and cgo are disallowed.
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go
+++ b/vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go
@ -136,7 +136,7 @@ func shiftRightBy2(a uint128) uint128 {
 // updateGeneric absorbs msg into the state.h accumulator. For each chunk m of
 // 128 bits of message, it computes
 //
-//     h₊ = (h + m) * r  mod  2¹³⁰ - 5
+//	h₊ = (h + m) * r  mod  2¹³⁰ - 5
 //
 // If the msg length is not a multiple of TagSize, it assumes the last
 // incomplete chunk is the final one.
@ -278,8 +278,7 @@ const (
 // finalize completes the modular reduction of h and computes
 //
-//     out = h + s  mod  2¹²⁸
+//	out = h + s  mod  2¹²⁸
 //
 func finalize(out *[TagSize]byte, h *[3]uint64, s *[2]uint64) {
 	h0, h1, h2 := h[0], h[1], h[2]
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.go
+++ b/vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.go
@ -14,6 +14,7 @@ import (
 // updateVX is an assembly implementation of Poly1305 that uses vector
 // instructions. It must only be called if the vector facility (vx) is
 // available.
 //
 //go:noescape
 func updateVX(state *macState, msg []byte)
--- a/vendor/golang.org/x/crypto/ssh/certs.go
+++ b/vendor/golang.org/x/crypto/ssh/certs.go
@ -14,8 +14,10 @@ import (
 	"time"
 )
-// These constants from [PROTOCOL.certkeys] represent the key algorithm names
+// Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
-// for certificate types supported by this package.
+// in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
 // Unlike key algorithm names, these are not passed to AlgorithmSigner and don't
 // appear in the Signature.Format field.
 const (
 	CertAlgoRSAv01        = "ssh-rsa-cert-v01@openssh.com"
 	CertAlgoDSAv01        = "ssh-dss-cert-v01@openssh.com"
@ -25,14 +27,21 @@ const (
 	CertAlgoSKECDSA256v01 = "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
 	CertAlgoED25519v01    = "ssh-ed25519-cert-v01@openssh.com"
 	CertAlgoSKED25519v01  = "sk-ssh-ed25519-cert-v01@openssh.com"
 	// CertAlgoRSASHA256v01 and CertAlgoRSASHA512v01 can't appear as a
 	// Certificate.Type (or PublicKey.Type), but only in
 	// ClientConfig.HostKeyAlgorithms.
 	CertAlgoRSASHA256v01 = "rsa-sha2-256-cert-v01@openssh.com"
 	CertAlgoRSASHA512v01 = "rsa-sha2-512-cert-v01@openssh.com"
 )
 // These constants from [PROTOCOL.certkeys] represent additional signature
 // algorithm names for certificate types supported by this package.
 const (
-	CertSigAlgoRSAv01        = "ssh-rsa-cert-v01@openssh.com"
+	// Deprecated: use CertAlgoRSAv01.
-	CertSigAlgoRSASHA2256v01 = "rsa-sha2-256-cert-v01@openssh.com"
+	CertSigAlgoRSAv01 = CertAlgoRSAv01
-	CertSigAlgoRSASHA2512v01 = "rsa-sha2-512-cert-v01@openssh.com"
+	// Deprecated: use CertAlgoRSASHA256v01.
 	CertSigAlgoRSASHA2256v01 = CertAlgoRSASHA256v01
 	// Deprecated: use CertAlgoRSASHA512v01.
 	CertSigAlgoRSASHA2512v01 = CertAlgoRSASHA512v01
 )
 // Certificate types distinguish between host and user
@ -242,7 +251,7 @@ type algorithmOpenSSHCertSigner struct {
 // private key is held by signer. It returns an error if the public key in cert
 // doesn't match the key used by signer.
 func NewCertSigner(cert *Certificate, signer Signer) (Signer, error) {
-	if bytes.Compare(cert.Key.Marshal(), signer.PublicKey().Marshal()) != 0 {
+	if !bytes.Equal(cert.Key.Marshal(), signer.PublicKey().Marshal()) {
 		return nil, errors.New("ssh: signer and cert have different public key")
 	}
@ -431,10 +440,14 @@ func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
 	}
 	c.SignatureKey = authority.PublicKey()
-	if v, ok := authority.(AlgorithmSigner); ok {
+	// Default to KeyAlgoRSASHA512 for ssh-rsa signers.
-		if v.PublicKey().Type() == KeyAlgoRSA {
+	if v, ok := authority.(AlgorithmSigner); ok && v.PublicKey().Type() == KeyAlgoRSA {
-			authority = &rsaSigner{v, SigAlgoRSASHA2512}
+		sig, err := v.SignWithAlgorithm(rand, c.bytesForSigning(), KeyAlgoRSASHA512)
 		if err != nil {
 			return err
 		}
 		c.Signature = sig
 		return nil
 	}
 	sig, err := authority.Sign(rand, c.bytesForSigning())
@ -445,32 +458,42 @@ func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
 	return nil
 }
-// certAlgoNames includes a mapping from signature algorithms to the
+// certKeyAlgoNames is a mapping from known certificate algorithm names to the
-// corresponding certificate signature algorithm. When a key type (such
+// corresponding public key signature algorithm.
-// as ED25516) is associated with only one algorithm, the KeyAlgo
+//
-// constant is used instead of the SigAlgo.
+// This map must be kept in sync with the one in agent/client.go.
-var certAlgoNames = map[string]string{
+var certKeyAlgoNames = map[string]string{
-	SigAlgoRSA:        CertSigAlgoRSAv01,
+	CertAlgoRSAv01:        KeyAlgoRSA,
-	SigAlgoRSASHA2256: CertSigAlgoRSASHA2256v01,
+	CertAlgoRSASHA256v01:  KeyAlgoRSASHA256,
-	SigAlgoRSASHA2512: CertSigAlgoRSASHA2512v01,
+	CertAlgoRSASHA512v01:  KeyAlgoRSASHA512,
-	KeyAlgoDSA:        CertAlgoDSAv01,
+	CertAlgoDSAv01:        KeyAlgoDSA,
-	KeyAlgoECDSA256:   CertAlgoECDSA256v01,
+	CertAlgoECDSA256v01:   KeyAlgoECDSA256,
-	KeyAlgoECDSA384:   CertAlgoECDSA384v01,
+	CertAlgoECDSA384v01:   KeyAlgoECDSA384,
-	KeyAlgoECDSA521:   CertAlgoECDSA521v01,
+	CertAlgoECDSA521v01:   KeyAlgoECDSA521,
-	KeyAlgoSKECDSA256: CertAlgoSKECDSA256v01,
+	CertAlgoSKECDSA256v01: KeyAlgoSKECDSA256,
-	KeyAlgoED25519:    CertAlgoED25519v01,
+	CertAlgoED25519v01:    KeyAlgoED25519,
-	KeyAlgoSKED25519:  CertAlgoSKED25519v01,
+	CertAlgoSKED25519v01:  KeyAlgoSKED25519,
 }
-// certToPrivAlgo returns the underlying algorithm for a certificate algorithm.
+// underlyingAlgo returns the signature algorithm associated with algo (which is
-// Panics if a non-certificate algorithm is passed.
+// an advertised or negotiated public key or host key algorithm). These are
-func certToPrivAlgo(algo string) string {
+// usually the same, except for certificate algorithms.
-	for privAlgo, pubAlgo := range certAlgoNames {
+func underlyingAlgo(algo string) string {
-		if pubAlgo == algo {
+	if a, ok := certKeyAlgoNames[algo]; ok {
-			return privAlgo
+		return a
 	}
 	return algo
 }
 // certificateAlgo returns the certificate algorithms that uses the provided
 // underlying signature algorithm.
 func certificateAlgo(algo string) (certAlgo string, ok bool) {
 	for certName, algoName := range certKeyAlgoNames {
 		if algoName == algo {
 			return certName, true
 		}
 	}
-	panic("unknown cert algorithm")
+	return "", false
 }
 func (cert *Certificate) bytesForSigning() []byte {
@ -514,13 +537,13 @@ func (c *Certificate) Marshal() []byte {
 	return result
 }
-// Type returns the key name. It is part of the PublicKey interface.
+// Type returns the certificate algorithm name. It is part of the PublicKey interface.
 func (c *Certificate) Type() string {
-	algo, ok := certAlgoNames[c.Key.Type()]
+	certName, ok := certificateAlgo(c.Key.Type())
 	if !ok {
-		panic("unknown cert key type " + c.Key.Type())
+		panic("unknown certificate type for key type " + c.Key.Type())
 	}
-	return algo
+	return certName
 }
 // Verify verifies a signature against the certificate's public
--- a/vendor/golang.org/x/crypto/ssh/cipher.go
+++ b/vendor/golang.org/x/crypto/ssh/cipher.go
@ -15,7 +15,6 @@ import (
 	"fmt"
 	"hash"
 	"io"
 	"io/ioutil"
 	"golang.org/x/crypto/chacha20"
 	"golang.org/x/crypto/internal/poly1305"
@ -97,13 +96,13 @@ func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream,
 // are not supported and will not be negotiated, even if explicitly requested in
 // ClientConfig.Crypto.Ciphers.
 var cipherModes = map[string]*cipherMode{
-	// Ciphers from RFC4344, which introduced many CTR-based ciphers. Algorithms
+	// Ciphers from RFC 4344, which introduced many CTR-based ciphers. Algorithms
 	// are defined in the order specified in the RFC.
 	"aes128-ctr": {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
 	"aes192-ctr": {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
 	"aes256-ctr": {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-	// Ciphers from RFC4345, which introduces security-improved arcfour ciphers.
+	// Ciphers from RFC 4345, which introduces security-improved arcfour ciphers.
 	// They are defined in the order specified in the RFC.
 	"arcfour128": {16, 0, streamCipherMode(1536, newRC4)},
 	"arcfour256": {32, 0, streamCipherMode(1536, newRC4)},
@ -111,11 +110,12 @@ var cipherModes = map[string]*cipherMode{
 	// Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
 	// Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
 	// RC4) has problems with weak keys, and should be used with caution."
-	// RFC4345 introduces improved versions of Arcfour.
+	// RFC 4345 introduces improved versions of Arcfour.
 	"arcfour": {16, 0, streamCipherMode(0, newRC4)},
 	// AEAD ciphers
-	gcmCipherID:        {16, 12, newGCMCipher},
+	gcm128CipherID:     {16, 12, newGCMCipher},
 	gcm256CipherID:     {32, 12, newGCMCipher},
 	chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
 	// CBC mode is insecure and so is not included in the default config.
@ -497,7 +497,7 @@ func (c *cbcCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error)
 			// data, to make distinguishing between
 			// failing MAC and failing length check more
 			// difficult.
-			io.CopyN(ioutil.Discard, r, int64(c.oracleCamouflage))
+			io.CopyN(io.Discard, r, int64(c.oracleCamouflage))
 		}
 	}
 	return p, err
@ -640,9 +640,9 @@ const chacha20Poly1305ID = "chacha20-poly1305@openssh.com"
 // chacha20Poly1305Cipher implements the chacha20-poly1305@openssh.com
 // AEAD, which is described here:
 //
-//   https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00
+//	https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00
 //
-// the methods here also implement padding, which RFC4253 Section 6
+// the methods here also implement padding, which RFC 4253 Section 6
 // also requires of stream ciphers.
 type chacha20Poly1305Cipher struct {
 	lengthKey  [32]byte
--- a/vendor/golang.org/x/crypto/ssh/client.go
+++ b/vendor/golang.org/x/crypto/ssh/client.go
@ -113,25 +113,16 @@ func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) e
 	return c.clientAuthenticate(config)
 }
-// verifyHostKeySignature verifies the host key obtained in the key
+// verifyHostKeySignature verifies the host key obtained in the key exchange.
-// exchange.
+// algo is the negotiated algorithm, and may be a certificate type.
 func verifyHostKeySignature(hostKey PublicKey, algo string, result *kexResult) error {
 	sig, rest, ok := parseSignatureBody(result.Signature)
 	if len(rest) > 0 || !ok {
 		return errors.New("ssh: signature parse error")
 	}
-	// For keys, underlyingAlgo is exactly algo. For certificates,
+	if a := underlyingAlgo(algo); sig.Format != a {
-	// we have to look up the underlying key algorithm that SSH
+		return fmt.Errorf("ssh: invalid signature algorithm %q, expected %q", sig.Format, a)
 	// uses to evaluate signatures.
 	underlyingAlgo := algo
 	for sigAlgo, certAlgo := range certAlgoNames {
 		if certAlgo == algo {
 			underlyingAlgo = sigAlgo
 		}
 	}
 	if sig.Format != underlyingAlgo {
 		return fmt.Errorf("ssh: invalid signature algorithm %q, expected %q", sig.Format, underlyingAlgo)
 	}
 	return hostKey.Verify(result.H, sig)
@ -237,11 +228,11 @@ type ClientConfig struct {
 	// be used for the connection. If empty, a reasonable default is used.
 	ClientVersion string
-	// HostKeyAlgorithms lists the key types that the client will
+	// HostKeyAlgorithms lists the public key algorithms that the client will
-	// accept from the server as host key, in order of
+	// accept from the server for host key authentication, in order of
 	// preference. If empty, a reasonable default is used. Any
-	// string returned from PublicKey.Type method may be used, or
+	// string returned from a PublicKey.Type method may be used, or
-	// any of the CertAlgoXxxx and KeyAlgoXxxx constants.
+	// any of the CertAlgo and KeyAlgo constants.
 	HostKeyAlgorithms []string
 	// Timeout is the maximum amount of time for the TCP connection to establish.
--- a/vendor/golang.org/x/crypto/ssh/client_auth.go
+++ b/vendor/golang.org/x/crypto/ssh/client_auth.go
@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"strings"
 )
 type authResult int
@ -29,6 +30,33 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	if err != nil {
 		return err
 	}
 	// The server may choose to send a SSH_MSG_EXT_INFO at this point (if we
 	// advertised willingness to receive one, which we always do) or not. See
 	// RFC 8308, Section 2.4.
 	extensions := make(map[string][]byte)
 	if len(packet) > 0 && packet[0] == msgExtInfo {
 		var extInfo extInfoMsg
 		if err := Unmarshal(packet, &extInfo); err != nil {
 			return err
 		}
 		payload := extInfo.Payload
 		for i := uint32(0); i < extInfo.NumExtensions; i++ {
 			name, rest, ok := parseString(payload)
 			if !ok {
 				return parseError(msgExtInfo)
 			}
 			value, rest, ok := parseString(rest)
 			if !ok {
 				return parseError(msgExtInfo)
 			}
 			extensions[string(name)] = value
 			payload = rest
 		}
 		packet, err = c.transport.readPacket()
 		if err != nil {
 			return err
 		}
 	}
 	var serviceAccept serviceAcceptMsg
 	if err := Unmarshal(packet, &serviceAccept); err != nil {
 		return err
@ -41,7 +69,7 @@ func (c *connection) clientAuthenticate(config *ClientConfig) error {
 	sessionID := c.transport.getSessionID()
 	for auth := AuthMethod(new(noneAuth)); auth != nil; {
-		ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand)
+		ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand, extensions)
 		if err != nil {
 			return err
 		}
@ -93,7 +121,7 @@ type AuthMethod interface {
 	// If authentication is not successful, a []string of alternative
 	// method names is returned. If the slice is nil, it will be ignored
 	// and the previous set of possible methods will be reused.
-	auth(session []byte, user string, p packetConn, rand io.Reader) (authResult, []string, error)
+	auth(session []byte, user string, p packetConn, rand io.Reader, extensions map[string][]byte) (authResult, []string, error)
 	// method returns the RFC 4252 method name.
 	method() string
@ -102,7 +130,7 @@ type AuthMethod interface {
 // "none" authentication, RFC 4252 section 5.2.
 type noneAuth int
-func (n *noneAuth) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
+func (n *noneAuth) auth(session []byte, user string, c packetConn, rand io.Reader, _ map[string][]byte) (authResult, []string, error) {
 	if err := c.writePacket(Marshal(&userAuthRequestMsg{
 		User:    user,
 		Service: serviceSSH,
@ -122,7 +150,7 @@ func (n *noneAuth) method() string {
 // a function call, e.g. by prompting the user.
 type passwordCallback func() (password string, err error)
-func (cb passwordCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
+func (cb passwordCallback) auth(session []byte, user string, c packetConn, rand io.Reader, _ map[string][]byte) (authResult, []string, error) {
 	type passwordAuthMsg struct {
 		User     string `sshtype:"50"`
 		Service  string
@ -189,7 +217,46 @@ func (cb publicKeyCallback) method() string {
 	return "publickey"
 }
-func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
+func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (as AlgorithmSigner, algo string) {
 	keyFormat := signer.PublicKey().Type()
 	// Like in sendKexInit, if the public key implements AlgorithmSigner we
 	// assume it supports all algorithms, otherwise only the key format one.
 	as, ok := signer.(AlgorithmSigner)
 	if !ok {
 		return algorithmSignerWrapper{signer}, keyFormat
 	}
 	extPayload, ok := extensions["server-sig-algs"]
 	if !ok {
 		// If there is no "server-sig-algs" extension, fall back to the key
 		// format algorithm.
 		return as, keyFormat
 	}
 	// The server-sig-algs extension only carries underlying signature
 	// algorithm, but we are trying to select a protocol-level public key
 	// algorithm, which might be a certificate type. Extend the list of server
 	// supported algorithms to include the corresponding certificate algorithms.
 	serverAlgos := strings.Split(string(extPayload), ",")
 	for _, algo := range serverAlgos {
 		if certAlgo, ok := certificateAlgo(algo); ok {
 			serverAlgos = append(serverAlgos, certAlgo)
 		}
 	}
 	keyAlgos := algorithmsForKeyFormat(keyFormat)
 	algo, err := findCommon("public key signature algorithm", keyAlgos, serverAlgos)
 	if err != nil {
 		// If there is no overlap, try the key anyway with the key format
 		// algorithm, to support servers that fail to list all supported
 		// algorithms.
 		return as, keyFormat
 	}
 	return as, algo
 }
 func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader, extensions map[string][]byte) (authResult, []string, error) {
 	// Authentication is performed by sending an enquiry to test if a key is
 	// acceptable to the remote. If the key is acceptable, the client will
 	// attempt to authenticate with the valid key.  If not the client will repeat
@ -201,7 +268,10 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 	}
 	var methods []string
 	for _, signer := range signers {
-		ok, err := validateKey(signer.PublicKey(), user, c)
+		pub := signer.PublicKey()
 		as, algo := pickSignatureAlgorithm(signer, extensions)
 		ok, err := validateKey(pub, algo, user, c)
 		if err != nil {
 			return authFailure, nil, err
 		}
@ -209,13 +279,13 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 			continue
 		}
 		pub := signer.PublicKey()
 		pubKey := pub.Marshal()
-		sign, err := signer.Sign(rand, buildDataSignedForAuth(session, userAuthRequestMsg{
+		data := buildDataSignedForAuth(session, userAuthRequestMsg{
 			User:    user,
 			Service: serviceSSH,
 			Method:  cb.method(),
-		}, []byte(pub.Type()), pubKey))
+		}, algo, pubKey)
 		sign, err := as.SignWithAlgorithm(rand, data, underlyingAlgo(algo))
 		if err != nil {
 			return authFailure, nil, err
 		}
@ -229,7 +299,7 @@ func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand
 			Service:  serviceSSH,
 			Method:   cb.method(),
 			HasSig:   true,
-			Algoname: pub.Type(),
+			Algoname: algo,
 			PubKey:   pubKey,
 			Sig:      sig,
 		}
@ -266,26 +336,25 @@ func containsMethod(methods []string, method string) bool {
 }
 // validateKey validates the key provided is acceptable to the server.
-func validateKey(key PublicKey, user string, c packetConn) (bool, error) {
+func validateKey(key PublicKey, algo string, user string, c packetConn) (bool, error) {
 	pubKey := key.Marshal()
 	msg := publickeyAuthMsg{
 		User:     user,
 		Service:  serviceSSH,
 		Method:   "publickey",
 		HasSig:   false,
-		Algoname: key.Type(),
+		Algoname: algo,
 		PubKey:   pubKey,
 	}
 	if err := c.writePacket(Marshal(&msg)); err != nil {
 		return false, err
 	}
-	return confirmKeyAck(key, c)
+	return confirmKeyAck(key, algo, c)
 }
-func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
+func confirmKeyAck(key PublicKey, algo string, c packetConn) (bool, error) {
 	pubKey := key.Marshal()
 	algoname := key.Type()
 	for {
 		packet, err := c.readPacket()
@ -302,14 +371,14 @@ func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
 			if err := Unmarshal(packet, &msg); err != nil {
 				return false, err
 			}
-			if msg.Algo != algoname || !bytes.Equal(msg.PubKey, pubKey) {
+			if msg.Algo != algo || !bytes.Equal(msg.PubKey, pubKey) {
 				return false, nil
 			}
 			return true, nil
 		case msgUserAuthFailure:
 			return false, nil
 		default:
-			return false, unexpectedMessageError(msgUserAuthSuccess, packet[0])
+			return false, unexpectedMessageError(msgUserAuthPubKeyOk, packet[0])
 		}
 	}
 }
@ -330,6 +399,7 @@ func PublicKeysCallback(getSigners func() (signers []Signer, err error)) AuthMet
 // along with a list of remaining authentication methods to try next and
 // an error if an unexpected response was received.
 func handleAuthResponse(c packetConn) (authResult, []string, error) {
 	gotMsgExtInfo := false
 	for {
 		packet, err := c.readPacket()
 		if err != nil {
@ -341,6 +411,12 @@ func handleAuthResponse(c packetConn) (authResult, []string, error) {
 			if err := handleBannerResponse(c, packet); err != nil {
 				return authFailure, nil, err
 			}
 		case msgExtInfo:
 			// Ignore post-authentication RFC 8308 extensions, once.
 			if gotMsgExtInfo {
 				return authFailure, nil, unexpectedMessageError(msgUserAuthSuccess, packet[0])
 			}
 			gotMsgExtInfo = true
 		case msgUserAuthFailure:
 			var msg userAuthFailureMsg
 			if err := Unmarshal(packet, &msg); err != nil {
@ -380,10 +456,10 @@ func handleBannerResponse(c packetConn, packet []byte) error {
 // disabling echoing (e.g. for passwords), and return all the answers.
 // Challenge may be called multiple times in a single session. After
 // successful authentication, the server may send a challenge with no
-// questions, for which the user and instruction messages should be
+// questions, for which the name and instruction messages should be
 // printed.  RFC 4256 section 3.3 details how the UI should behave for
 // both CLI and GUI environments.
-type KeyboardInteractiveChallenge func(user, instruction string, questions []string, echos []bool) (answers []string, err error)
+type KeyboardInteractiveChallenge func(name, instruction string, questions []string, echos []bool) (answers []string, err error)
 // KeyboardInteractive returns an AuthMethod using a prompt/response
 // sequence controlled by the server.
@ -395,7 +471,7 @@ func (cb KeyboardInteractiveChallenge) method() string {
 	return "keyboard-interactive"
 }
-func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
+func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packetConn, rand io.Reader, _ map[string][]byte) (authResult, []string, error) {
 	type initiateMsg struct {
 		User       string `sshtype:"50"`
 		Service    string
@ -412,6 +488,7 @@ func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packe
 		return authFailure, nil, err
 	}
 	gotMsgExtInfo := false
 	for {
 		packet, err := c.readPacket()
 		if err != nil {
@ -425,6 +502,13 @@ func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packe
 				return authFailure, nil, err
 			}
 			continue
 		case msgExtInfo:
 			// Ignore post-authentication RFC 8308 extensions, once.
 			if gotMsgExtInfo {
 				return authFailure, nil, unexpectedMessageError(msgUserAuthInfoRequest, packet[0])
 			}
 			gotMsgExtInfo = true
 			continue
 		case msgUserAuthInfoRequest:
 			// OK
 		case msgUserAuthFailure:
@ -465,7 +549,7 @@ func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packe
 			return authFailure, nil, errors.New("ssh: extra data following keyboard-interactive pairs")
 		}
-		answers, err := cb(msg.User, msg.Instruction, prompts, echos)
+		answers, err := cb(msg.Name, msg.Instruction, prompts, echos)
 		if err != nil {
 			return authFailure, nil, err
 		}
@ -497,9 +581,9 @@ type retryableAuthMethod struct {
 	maxTries   int
 }
-func (r *retryableAuthMethod) auth(session []byte, user string, c packetConn, rand io.Reader) (ok authResult, methods []string, err error) {
+func (r *retryableAuthMethod) auth(session []byte, user string, c packetConn, rand io.Reader, extensions map[string][]byte) (ok authResult, methods []string, err error) {
 	for i := 0; r.maxTries <= 0 || i < r.maxTries; i++ {
-		ok, methods, err = r.authMethod.auth(session, user, c, rand)
+		ok, methods, err = r.authMethod.auth(session, user, c, rand, extensions)
 		if ok != authFailure || err != nil { // either success, partial success or error terminate
 			return ok, methods, err
 		}
@ -542,7 +626,7 @@ type gssAPIWithMICCallback struct {
 	target       string
 }
-func (g *gssAPIWithMICCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (authResult, []string, error) {
+func (g *gssAPIWithMICCallback) auth(session []byte, user string, c packetConn, rand io.Reader, _ map[string][]byte) (authResult, []string, error) {
 	m := &userAuthRequestMsg{
 		User:    user,
 		Service: serviceSSH,
--- a/vendor/golang.org/x/crypto/ssh/common.go
+++ b/vendor/golang.org/x/crypto/ssh/common.go
@ -10,6 +10,7 @@ import (
 	"fmt"
 	"io"
 	"math"
 	"strings"
 	"sync"
 	_ "crypto/sha1"
@ -27,7 +28,7 @@ const (
 // supportedCiphers lists ciphers we support but might not recommend.
 var supportedCiphers = []string{
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
-	"aes128-gcm@openssh.com",
+	"aes128-gcm@openssh.com", gcm256CipherID,
 	chacha20Poly1305ID,
 	"arcfour256", "arcfour128", "arcfour",
 	aes128cbcID,
@ -36,7 +37,7 @@ var supportedCiphers = []string{
 // preferredCiphers specifies the default preference for ciphers.
 var preferredCiphers = []string{
-	"aes128-gcm@openssh.com",
+	"aes128-gcm@openssh.com", gcm256CipherID,
 	chacha20Poly1305ID,
 	"aes128-ctr", "aes192-ctr", "aes256-ctr",
 }
@ -44,11 +45,11 @@ var preferredCiphers = []string{
 // supportedKexAlgos specifies the supported key-exchange algorithms in
 // preference order.
 var supportedKexAlgos = []string{
-	kexAlgoCurve25519SHA256,
+	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
 	// P384 and P521 are not constant-time yet, but since we don't
 	// reuse ephemeral keys, using them for ECDH should be OK.
 	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-	kexAlgoDH14SHA1, kexAlgoDH1SHA1,
+	kexAlgoDH14SHA256, kexAlgoDH14SHA1, kexAlgoDH1SHA1,
 }
 // serverForbiddenKexAlgos contains key exchange algorithms, that are forbidden
@ -61,21 +62,21 @@ var serverForbiddenKexAlgos = map[string]struct{}{
 // preferredKexAlgos specifies the default preference for key-exchange algorithms
 // in preference order.
 var preferredKexAlgos = []string{
-	kexAlgoCurve25519SHA256,
+	kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH,
 	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
-	kexAlgoDH14SHA1,
+	kexAlgoDH14SHA256, kexAlgoDH14SHA1,
 }
 // supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
 // of authenticating servers) in preference order.
 var supportedHostKeyAlgos = []string{
-	CertSigAlgoRSASHA2512v01, CertSigAlgoRSASHA2256v01,
+	CertAlgoRSASHA512v01, CertAlgoRSASHA256v01,
-	CertSigAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
+	CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
 	CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
 	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
-	SigAlgoRSASHA2512, SigAlgoRSASHA2256,
+	KeyAlgoRSASHA512, KeyAlgoRSASHA256,
-	SigAlgoRSA, KeyAlgoDSA,
+	KeyAlgoRSA, KeyAlgoDSA,
 	KeyAlgoED25519,
 }
@ -84,30 +85,54 @@ var supportedHostKeyAlgos = []string{
 // This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
 // because they have reached the end of their useful life.
 var supportedMACs = []string{
-	"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
+	"hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96",
 }
 var supportedCompressions = []string{compressionNone}
-// hashFuncs keeps the mapping of supported algorithms to their respective
+// hashFuncs keeps the mapping of supported signature algorithms to their
-// hashes needed for signature verification.
+// respective hashes needed for signing and verification.
 var hashFuncs = map[string]crypto.Hash{
-	SigAlgoRSA:               crypto.SHA1,
+	KeyAlgoRSA:       crypto.SHA1,
-	SigAlgoRSASHA2256:        crypto.SHA256,
+	KeyAlgoRSASHA256: crypto.SHA256,
-	SigAlgoRSASHA2512:        crypto.SHA512,
+	KeyAlgoRSASHA512: crypto.SHA512,
-	KeyAlgoDSA:               crypto.SHA1,
+	KeyAlgoDSA:       crypto.SHA1,
-	KeyAlgoECDSA256:          crypto.SHA256,
+	KeyAlgoECDSA256:  crypto.SHA256,
-	KeyAlgoECDSA384:          crypto.SHA384,
+	KeyAlgoECDSA384:  crypto.SHA384,
-	KeyAlgoECDSA521:          crypto.SHA512,
+	KeyAlgoECDSA521:  crypto.SHA512,
-	CertSigAlgoRSAv01:        crypto.SHA1,
+	// KeyAlgoED25519 doesn't pre-hash.
-	CertSigAlgoRSASHA2256v01: crypto.SHA256,
+	KeyAlgoSKECDSA256: crypto.SHA256,
-	CertSigAlgoRSASHA2512v01: crypto.SHA512,
+	KeyAlgoSKED25519:  crypto.SHA256,
 	CertAlgoDSAv01:           crypto.SHA1,
 	CertAlgoECDSA256v01:      crypto.SHA256,
 	CertAlgoECDSA384v01:      crypto.SHA384,
 	CertAlgoECDSA521v01:      crypto.SHA512,
 }
 // algorithmsForKeyFormat returns the supported signature algorithms for a given
 // public key format (PublicKey.Type), in order of preference. See RFC 8332,
 // Section 2. See also the note in sendKexInit on backwards compatibility.
 func algorithmsForKeyFormat(keyFormat string) []string {
 	switch keyFormat {
 	case KeyAlgoRSA:
 		return []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA}
 	case CertAlgoRSAv01:
 		return []string{CertAlgoRSASHA256v01, CertAlgoRSASHA512v01, CertAlgoRSAv01}
 	default:
 		return []string{keyFormat}
 	}
 }
 // supportedPubKeyAuthAlgos specifies the supported client public key
 // authentication algorithms. Note that this doesn't include certificate types
 // since those use the underlying algorithm. This list is sent to the client if
 // it supports the server-sig-algs extension. Order is irrelevant.
 var supportedPubKeyAuthAlgos = []string{
 	KeyAlgoED25519,
 	KeyAlgoSKED25519, KeyAlgoSKECDSA256,
 	KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
 	KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA,
 	KeyAlgoDSA,
 }
 var supportedPubKeyAuthAlgosList = strings.Join(supportedPubKeyAuthAlgos, ",")
 // unexpectedMessageError results when the SSH message that we received didn't
 // match what we wanted.
 func unexpectedMessageError(expected, got uint8) error {
@ -139,19 +164,25 @@ type directionAlgorithms struct {
 // rekeyBytes returns a rekeying intervals in bytes.
 func (a *directionAlgorithms) rekeyBytes() int64 {
-	// According to RFC4344 block ciphers should rekey after
+	// According to RFC 4344 block ciphers should rekey after
 	// 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
 	// 128.
 	switch a.Cipher {
-	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
+	case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcm128CipherID, gcm256CipherID, aes128cbcID:
 		return 16 * (1 << 32)
 	}
-	// For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
+	// For others, stick with RFC 4253 recommendation to rekey after 1 Gb of data.
 	return 1 << 30
 }
 var aeadCiphers = map[string]bool{
 	gcm128CipherID:     true,
 	gcm256CipherID:     true,
 	chacha20Poly1305ID: true,
 }
 type algorithms struct {
 	kex     string
 	hostKey string
@ -187,14 +218,18 @@ func findAgreedAlgorithms(isClient bool, clientKexInit, serverKexInit *kexInitMs
 		return
 	}
-	ctos.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
+	if !aeadCiphers[ctos.Cipher] {
-	if err != nil {
+		ctos.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
-		return
+		if err != nil {
 			return
 		}
 	}
-	stoc.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
+	if !aeadCiphers[stoc.Cipher] {
-	if err != nil {
+		stoc.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
-		return
+		if err != nil {
 			return
 		}
 	}
 	ctos.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
@ -278,8 +313,9 @@ func (c *Config) SetDefaults() {
 }
 // buildDataSignedForAuth returns the data that is signed in order to prove
-// possession of a private key. See RFC 4252, section 7.
+// possession of a private key. See RFC 4252, section 7. algo is the advertised
-func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
+// algorithm, and may be a certificate type.
 func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo string, pubKey []byte) []byte {
 	data := struct {
 		Session []byte
 		Type    byte
@ -287,7 +323,7 @@ func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo, pubK
 		Service string
 		Method  string
 		Sign    bool
-		Algo    []byte
+		Algo    string
 		PubKey  []byte
 	}{
 		sessionID,
--- a/vendor/golang.org/x/crypto/ssh/connection.go
+++ b/vendor/golang.org/x/crypto/ssh/connection.go
@ -52,7 +52,7 @@ type Conn interface {
 	// SendRequest sends a global request, and returns the
 	// reply. If wantReply is true, it returns the response status
-	// and payload. See also RFC4254, section 4.
+	// and payload. See also RFC 4254, section 4.
 	SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error)
 	// OpenChannel tries to open an channel. If the request is
@ -97,7 +97,7 @@ func (c *connection) Close() error {
 	return c.sshConn.conn.Close()
 }
-// sshconn provides net.Conn metadata, but disallows direct reads and
+// sshConn provides net.Conn metadata, but disallows direct reads and
 // writes.
 type sshConn struct {
 	conn net.Conn
--- a/vendor/golang.org/x/crypto/ssh/doc.go
+++ b/vendor/golang.org/x/crypto/ssh/doc.go
@ -12,8 +12,9 @@ the multiplexed nature of SSH is exposed to users that wish to support
 others.
 References:
-  [PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
+
-  [SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
+	[PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
 	[SSH-PARAMETERS]:    http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
 This package does not fall under the stability promise of the Go language itself,
 so its API may be changed when pressing needs arise.
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ b/vendor/golang.org/x/crypto/ssh/handshake.go
@ -58,11 +58,13 @@ type handshakeTransport struct {
 	incoming  chan []byte
 	readError error
-	mu             sync.Mutex
+	mu               sync.Mutex
-	writeError     error
+	writeError       error
-	sentInitPacket []byte
+	sentInitPacket   []byte
-	sentInitMsg    *kexInitMsg
+	sentInitMsg      *kexInitMsg
-	pendingPackets [][]byte // Used when a key exchange is in progress.
+	pendingPackets   [][]byte // Used when a key exchange is in progress.
 	writePacketsLeft uint32
 	writeBytesLeft   int64
 	// If the read loop wants to schedule a kex, it pings this
 	// channel, and the write loop will send out a kex
@ -71,7 +73,8 @@ type handshakeTransport struct {
 	// If the other side requests or confirms a kex, its kexInit
 	// packet is sent here for the write loop to find it.
-	startKex chan *pendingKex
+	startKex    chan *pendingKex
 	kexLoopDone chan struct{} // closed (with writeError non-nil) when kexLoop exits
 	// data for host key checking
 	hostKeyCallback HostKeyCallback
@ -86,12 +89,10 @@ type handshakeTransport struct {
 	// Algorithms agreed in the last key exchange.
 	algorithms *algorithms
 	// Counters exclusively owned by readLoop.
 	readPacketsLeft uint32
 	readBytesLeft   int64
 	writePacketsLeft uint32
 	writeBytesLeft   int64
 	// The session ID or nil if first kex did not complete yet.
 	sessionID []byte
 }
@ -108,7 +109,8 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
 		clientVersion: clientVersion,
 		incoming:      make(chan []byte, chanSize),
 		requestKex:    make(chan struct{}, 1),
-		startKex:      make(chan *pendingKex, 1),
+		startKex:      make(chan *pendingKex),
 		kexLoopDone:   make(chan struct{}),
 		config: config,
 	}
@ -340,16 +342,17 @@ write:
 		t.mu.Unlock()
 	}
 	// drain startKex channel. We don't service t.requestKex
 	// because nobody does blocking sends there.
 	go func() {
 		for init := range t.startKex {
 			init.done <- t.writeError
 		}
 	}()
 	// Unblock reader.
 	t.conn.Close()
 	// drain startKex channel. We don't service t.requestKex
 	// because nobody does blocking sends there.
 	for request := range t.startKex {
 		request.done <- t.getWriteError()
 	}
 	// Mark that the loop is done so that Close can return.
 	close(t.kexLoopDone)
 }
 // The protocol uses uint32 for packet counters, so we can't let them
@ -455,21 +458,38 @@ func (t *handshakeTransport) sendKexInit() error {
 	}
 	io.ReadFull(rand.Reader, msg.Cookie[:])
-	if len(t.hostKeys) > 0 {
+	isServer := len(t.hostKeys) > 0
 	if isServer {
 		for _, k := range t.hostKeys {
-			algo := k.PublicKey().Type()
+			// If k is an AlgorithmSigner, presume it supports all signature algorithms
-			switch algo {
+			// associated with the key format. (Ideally AlgorithmSigner would have a
-			case KeyAlgoRSA:
+			// method to advertise supported algorithms, but it doesn't. This means that
-				msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, []string{SigAlgoRSASHA2512, SigAlgoRSASHA2256, SigAlgoRSA}...)
+			// adding support for a new algorithm is a breaking change, as we will
-			case CertAlgoRSAv01:
+			// immediately negotiate it even if existing implementations don't support
-				msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, []string{CertSigAlgoRSASHA2512v01, CertSigAlgoRSASHA2256v01, CertSigAlgoRSAv01}...)
+			// it. If that ever happens, we'll have to figure something out.)
-			default:
+			// If k is not an AlgorithmSigner, we can only assume it only supports the
-				msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algo)
+			// algorithms that matches the key format. (This means that Sign can't pick
 			// a different default.)
 			keyFormat := k.PublicKey().Type()
 			if _, ok := k.(AlgorithmSigner); ok {
 				msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algorithmsForKeyFormat(keyFormat)...)
 			} else {
 				msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, keyFormat)
 			}
 		}
 	} else {
 		msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
 		// As a client we opt in to receiving SSH_MSG_EXT_INFO so we know what
 		// algorithms the server supports for public key authentication. See RFC
 		// 8308, Section 2.1.
 		if firstKeyExchange := t.sessionID == nil; firstKeyExchange {
 			msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+1)
 			msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...)
 			msg.KexAlgos = append(msg.KexAlgos, "ext-info-c")
 		}
 	}
 	packet := Marshal(msg)
 	// writePacket destroys the contents, so save a copy.
@ -528,7 +548,16 @@ func (t *handshakeTransport) writePacket(p []byte) error {
 }
 func (t *handshakeTransport) Close() error {
-	return t.conn.Close()
+	// Close the connection. This should cause the readLoop goroutine to wake up
 	// and close t.startKex, which will shut down kexLoop if running.
 	err := t.conn.Close()
 	// Wait for the kexLoop goroutine to complete.
 	// At that point we know that the readLoop goroutine is complete too,
 	// because kexLoop itself waits for readLoop to close the startKex channel.
 	<-t.kexLoopDone
 	return err
 }
 func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
@ -589,16 +618,17 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 	var result *kexResult
 	if len(t.hostKeys) > 0 {
-		result, err = t.server(kex, t.algorithms, &magics)
+		result, err = t.server(kex, &magics)
 	} else {
-		result, err = t.client(kex, t.algorithms, &magics)
+		result, err = t.client(kex, &magics)
 	}
 	if err != nil {
 		return err
 	}
-	if t.sessionID == nil {
+	firstKeyExchange := t.sessionID == nil
 	if firstKeyExchange {
 		t.sessionID = result.H
 	}
 	result.SessionID = t.sessionID
@ -609,6 +639,24 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 	if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
 		return err
 	}
 	// On the server side, after the first SSH_MSG_NEWKEYS, send a SSH_MSG_EXT_INFO
 	// message with the server-sig-algs extension if the client supports it. See
 	// RFC 8308, Sections 2.4 and 3.1.
 	if !isClient && firstKeyExchange && contains(clientInit.KexAlgos, "ext-info-c") {
 		extInfo := &extInfoMsg{
 			NumExtensions: 1,
 			Payload:       make([]byte, 0, 4+15+4+len(supportedPubKeyAuthAlgosList)),
 		}
 		extInfo.Payload = appendInt(extInfo.Payload, len("server-sig-algs"))
 		extInfo.Payload = append(extInfo.Payload, "server-sig-algs"...)
 		extInfo.Payload = appendInt(extInfo.Payload, len(supportedPubKeyAuthAlgosList))
 		extInfo.Payload = append(extInfo.Payload, supportedPubKeyAuthAlgosList...)
 		if err := t.conn.writePacket(Marshal(extInfo)); err != nil {
 			return err
 		}
 	}
 	if packet, err := t.conn.readPacket(); err != nil {
 		return err
 	} else if packet[0] != msgNewKeys {
@ -618,33 +666,52 @@ func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
 	return nil
 }
-func (t *handshakeTransport) server(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
+// algorithmSignerWrapper is an AlgorithmSigner that only supports the default
-	var hostKey Signer
+// key format algorithm.
-	for _, k := range t.hostKeys {
+//
-		kt := k.PublicKey().Type()
+// This is technically a violation of the AlgorithmSigner interface, but it
-		if kt == algs.hostKey {
+// should be unreachable given where we use this. Anyway, at least it returns an
-			hostKey = k
+// error instead of panicing or producing an incorrect signature.
-		} else if signer, ok := k.(AlgorithmSigner); ok {
+type algorithmSignerWrapper struct {
-			// Some signature algorithms don't show up as key types
+	Signer
-			// so we have to manually check for a compatible host key.
+}
-			switch kt {
+
-			case KeyAlgoRSA:
+func (a algorithmSignerWrapper) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) {
-				if algs.hostKey == SigAlgoRSASHA2256 || algs.hostKey == SigAlgoRSASHA2512 {
+	if algorithm != underlyingAlgo(a.PublicKey().Type()) {
-					hostKey = &rsaSigner{signer, algs.hostKey}
+		return nil, errors.New("ssh: internal error: algorithmSignerWrapper invoked with non-default algorithm")
-				}
+	}
-			case CertAlgoRSAv01:
+	return a.Sign(rand, data)
-				if algs.hostKey == CertSigAlgoRSASHA2256v01 || algs.hostKey == CertSigAlgoRSASHA2512v01 {
+}
-					hostKey = &rsaSigner{signer, certToPrivAlgo(algs.hostKey)}
+
-				}
+func pickHostKey(hostKeys []Signer, algo string) AlgorithmSigner {
 	for _, k := range hostKeys {
 		if algo == k.PublicKey().Type() {
 			return algorithmSignerWrapper{k}
 		}
 		k, ok := k.(AlgorithmSigner)
 		if !ok {
 			continue
 		}
 		for _, a := range algorithmsForKeyFormat(k.PublicKey().Type()) {
 			if algo == a {
 				return k
 			}
 		}
 	}
 	return nil
 }
-	r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey)
+func (t *handshakeTransport) server(kex kexAlgorithm, magics *handshakeMagics) (*kexResult, error) {
 	hostKey := pickHostKey(t.hostKeys, t.algorithms.hostKey)
 	if hostKey == nil {
 		return nil, errors.New("ssh: internal error: negotiated unsupported signature type")
 	}
 	r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey, t.algorithms.hostKey)
 	return r, err
 }
-func (t *handshakeTransport) client(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
+func (t *handshakeTransport) client(kex kexAlgorithm, magics *handshakeMagics) (*kexResult, error) {
 	result, err := kex.Client(t.conn, t.config.Rand, magics)
 	if err != nil {
 		return nil, err
@ -655,7 +722,7 @@ func (t *handshakeTransport) client(kex kexAlgorithm, algs *algorithms, magics *
 		return nil, err
 	}
-	if err := verifyHostKeySignature(hostKey, algs.hostKey, result); err != nil {
+	if err := verifyHostKeySignature(hostKey, t.algorithms.hostKey, result); err != nil {
 		return nil, err
 	}
--- a/vendor/golang.org/x/crypto/ssh/kex.go
+++ b/vendor/golang.org/x/crypto/ssh/kex.go
@ -20,12 +20,14 @@ import (
 )
 const (
-	kexAlgoDH1SHA1          = "diffie-hellman-group1-sha1"
+	kexAlgoDH1SHA1                = "diffie-hellman-group1-sha1"
-	kexAlgoDH14SHA1         = "diffie-hellman-group14-sha1"
+	kexAlgoDH14SHA1               = "diffie-hellman-group14-sha1"
-	kexAlgoECDH256          = "ecdh-sha2-nistp256"
+	kexAlgoDH14SHA256             = "diffie-hellman-group14-sha256"
-	kexAlgoECDH384          = "ecdh-sha2-nistp384"
+	kexAlgoECDH256                = "ecdh-sha2-nistp256"
-	kexAlgoECDH521          = "ecdh-sha2-nistp521"
+	kexAlgoECDH384                = "ecdh-sha2-nistp384"
-	kexAlgoCurve25519SHA256 = "curve25519-sha256@libssh.org"
+	kexAlgoECDH521                = "ecdh-sha2-nistp521"
 	kexAlgoCurve25519SHA256LibSSH = "curve25519-sha256@libssh.org"
 	kexAlgoCurve25519SHA256       = "curve25519-sha256"
 	// For the following kex only the client half contains a production
 	// ready implementation. The server half only consists of a minimal
@ -75,8 +77,9 @@ func (m *handshakeMagics) write(w io.Writer) {
 // kexAlgorithm abstracts different key exchange algorithms.
 type kexAlgorithm interface {
 	// Server runs server-side key agreement, signing the result
-	// with a hostkey.
+	// with a hostkey. algo is the negotiated algorithm, and may
-	Server(p packetConn, rand io.Reader, magics *handshakeMagics, s Signer) (*kexResult, error)
+	// be a certificate type.
 	Server(p packetConn, rand io.Reader, magics *handshakeMagics, s AlgorithmSigner, algo string) (*kexResult, error)
 	// Client runs the client-side key agreement. Caller is
 	// responsible for verifying the host key signature.
@ -86,6 +89,7 @@ type kexAlgorithm interface {
 // dhGroup is a multiplicative group suitable for implementing Diffie-Hellman key agreement.
 type dhGroup struct {
 	g, p, pMinus1 *big.Int
 	hashFunc      crypto.Hash
 }
 func (group *dhGroup) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int, error) {
@ -96,8 +100,6 @@ func (group *dhGroup) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int,
 }
 func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
 	hashFunc := crypto.SHA1
 	var x *big.Int
 	for {
 		var err error
@ -132,7 +134,7 @@ func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handsha
 		return nil, err
 	}
-	h := hashFunc.New()
+	h := group.hashFunc.New()
 	magics.write(h)
 	writeString(h, kexDHReply.HostKey)
 	writeInt(h, X)
@ -146,12 +148,11 @@ func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handsha
 		K:         K,
 		HostKey:   kexDHReply.HostKey,
 		Signature: kexDHReply.Signature,
-		Hash:      crypto.SHA1,
+		Hash:      group.hashFunc,
 	}, nil
 }
-func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
+func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) {
 	hashFunc := crypto.SHA1
 	packet, err := c.readPacket()
 	if err != nil {
 		return
@ -179,7 +180,7 @@ func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handsha
 	hostKeyBytes := priv.PublicKey().Marshal()
-	h := hashFunc.New()
+	h := group.hashFunc.New()
 	magics.write(h)
 	writeString(h, hostKeyBytes)
 	writeInt(h, kexDHInit.X)
@ -193,7 +194,7 @@ func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handsha
 	// H is already a hash, but the hostkey signing will apply its
 	// own key-specific hash algorithm.
-	sig, err := signAndMarshal(priv, randSource, H)
+	sig, err := signAndMarshal(priv, randSource, H, algo)
 	if err != nil {
 		return nil, err
 	}
@ -211,7 +212,7 @@ func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handsha
 		K:         K,
 		HostKey:   hostKeyBytes,
 		Signature: sig,
-		Hash:      crypto.SHA1,
+		Hash:      group.hashFunc,
 	}, err
 }
@ -314,7 +315,7 @@ func validateECPublicKey(curve elliptic.Curve, x, y *big.Int) bool {
 	return true
 }
-func (kex *ecdh) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
+func (kex *ecdh) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) {
 	packet, err := c.readPacket()
 	if err != nil {
 		return nil, err
@ -359,7 +360,7 @@ func (kex *ecdh) Server(c packetConn, rand io.Reader, magics *handshakeMagics, p
 	// H is already a hash, but the hostkey signing will apply its
 	// own key-specific hash algorithm.
-	sig, err := signAndMarshal(priv, rand, H)
+	sig, err := signAndMarshal(priv, rand, H, algo)
 	if err != nil {
 		return nil, err
 	}
@ -384,39 +385,62 @@ func (kex *ecdh) Server(c packetConn, rand io.Reader, magics *handshakeMagics, p
 	}, nil
 }
 // ecHash returns the hash to match the given elliptic curve, see RFC
 // 5656, section 6.2.1
 func ecHash(curve elliptic.Curve) crypto.Hash {
 	bitSize := curve.Params().BitSize
 	switch {
 	case bitSize <= 256:
 		return crypto.SHA256
 	case bitSize <= 384:
 		return crypto.SHA384
 	}
 	return crypto.SHA512
 }
 var kexAlgoMap = map[string]kexAlgorithm{}
 func init() {
-	// This is the group called diffie-hellman-group1-sha1 in RFC
+	// This is the group called diffie-hellman-group1-sha1 in
-	// 4253 and Oakley Group 2 in RFC 2409.
+	// RFC 4253 and Oakley Group 2 in RFC 2409.
 	p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
 	kexAlgoMap[kexAlgoDH1SHA1] = &dhGroup{
 		g:        new(big.Int).SetInt64(2),
 		p:        p,
 		pMinus1:  new(big.Int).Sub(p, bigOne),
 		hashFunc: crypto.SHA1,
 	}
 	// This are the groups called diffie-hellman-group14-sha1 and
 	// diffie-hellman-group14-sha256 in RFC 4253 and RFC 8268,
 	// and Oakley Group 14 in RFC 3526.
 	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
 	group14 := &dhGroup{
 		g:       new(big.Int).SetInt64(2),
 		p:       p,
 		pMinus1: new(big.Int).Sub(p, bigOne),
 	}
 	// This is the group called diffie-hellman-group14-sha1 in RFC
 	// 4253 and Oakley Group 14 in RFC 3526.
 	p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
 	kexAlgoMap[kexAlgoDH14SHA1] = &dhGroup{
-		g:       new(big.Int).SetInt64(2),
+		g: group14.g, p: group14.p, pMinus1: group14.pMinus1,
-		p:       p,
+		hashFunc: crypto.SHA1,
-		pMinus1: new(big.Int).Sub(p, bigOne),
+	}
 	kexAlgoMap[kexAlgoDH14SHA256] = &dhGroup{
 		g: group14.g, p: group14.p, pMinus1: group14.pMinus1,
 		hashFunc: crypto.SHA256,
 	}
 	kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
 	kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
 	kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}
 	kexAlgoMap[kexAlgoCurve25519SHA256] = &curve25519sha256{}
 	kexAlgoMap[kexAlgoCurve25519SHA256LibSSH] = &curve25519sha256{}
 	kexAlgoMap[kexAlgoDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1}
 	kexAlgoMap[kexAlgoDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256}
 }
-// curve25519sha256 implements the curve25519-sha256@libssh.org key
+// curve25519sha256 implements the curve25519-sha256 (formerly known as
-// agreement protocol, as described in
+// curve25519-sha256@libssh.org) key exchange method, as described in RFC 8731.
 // https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt
 type curve25519sha256 struct{}
 type curve25519KeyPair struct {
@ -486,7 +510,7 @@ func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handsh
 	}, nil
 }
-func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
+func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) {
 	packet, err := c.readPacket()
 	if err != nil {
 		return
@ -527,7 +551,7 @@ func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handsh
 	H := h.Sum(nil)
-	sig, err := signAndMarshal(priv, rand, H)
+	sig, err := signAndMarshal(priv, rand, H, algo)
 	if err != nil {
 		return nil, err
 	}
@ -553,7 +577,6 @@ func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handsh
 // diffie-hellman-group-exchange-sha256 key agreement protocols,
 // as described in RFC 4419
 type dhGEXSHA struct {
 	g, p     *big.Int
 	hashFunc crypto.Hash
 }
@ -563,14 +586,7 @@ const (
 	dhGroupExchangeMaximumBits   = 8192
 )
-func (gex *dhGEXSHA) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int, error) {
+func (gex *dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
 	if theirPublic.Sign() <= 0 || theirPublic.Cmp(gex.p) >= 0 {
 		return nil, fmt.Errorf("ssh: DH parameter out of bounds")
 	}
 	return new(big.Int).Exp(theirPublic, myPrivate, gex.p), nil
 }
 func (gex dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
 	// Send GexRequest
 	kexDHGexRequest := kexDHGexRequestMsg{
 		MinBits:      dhGroupExchangeMinimumBits,
@ -587,35 +603,29 @@ func (gex dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshake
 		return nil, err
 	}
-	var kexDHGexGroup kexDHGexGroupMsg
+	var msg kexDHGexGroupMsg
-	if err = Unmarshal(packet, &kexDHGexGroup); err != nil {
+	if err = Unmarshal(packet, &msg); err != nil {
 		return nil, err
 	}
 	// reject if p's bit length < dhGroupExchangeMinimumBits or > dhGroupExchangeMaximumBits
-	if kexDHGexGroup.P.BitLen() < dhGroupExchangeMinimumBits || kexDHGexGroup.P.BitLen() > dhGroupExchangeMaximumBits {
+	if msg.P.BitLen() < dhGroupExchangeMinimumBits || msg.P.BitLen() > dhGroupExchangeMaximumBits {
-		return nil, fmt.Errorf("ssh: server-generated gex p is out of range (%d bits)", kexDHGexGroup.P.BitLen())
+		return nil, fmt.Errorf("ssh: server-generated gex p is out of range (%d bits)", msg.P.BitLen())
 	}
-	gex.p = kexDHGexGroup.P
+	// Check if g is safe by verifying that 1 < g < p-1
-	gex.g = kexDHGexGroup.G
+	pMinusOne := new(big.Int).Sub(msg.P, bigOne)
-
+	if msg.G.Cmp(bigOne) <= 0 || msg.G.Cmp(pMinusOne) >= 0 {
 	// Check if g is safe by verifing that g > 1 and g < p - 1
 	one := big.NewInt(1)
 	var pMinusOne = &big.Int{}
 	pMinusOne.Sub(gex.p, one)
 	if gex.g.Cmp(one) != 1 && gex.g.Cmp(pMinusOne) != -1 {
 		return nil, fmt.Errorf("ssh: server provided gex g is not safe")
 	}
 	// Send GexInit
-	var pHalf = &big.Int{}
+	pHalf := new(big.Int).Rsh(msg.P, 1)
 	pHalf.Rsh(gex.p, 1)
 	x, err := rand.Int(randSource, pHalf)
 	if err != nil {
 		return nil, err
 	}
-	X := new(big.Int).Exp(gex.g, x, gex.p)
+	X := new(big.Int).Exp(msg.G, x, msg.P)
 	kexDHGexInit := kexDHGexInitMsg{
 		X: X,
 	}
@ -634,13 +644,13 @@ func (gex dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshake
 		return nil, err
 	}
-	kInt, err := gex.diffieHellman(kexDHGexReply.Y, x)
+	if kexDHGexReply.Y.Cmp(bigOne) <= 0 || kexDHGexReply.Y.Cmp(pMinusOne) >= 0 {
-	if err != nil {
+		return nil, errors.New("ssh: DH parameter out of bounds")
 		return nil, err
 	}
 	kInt := new(big.Int).Exp(kexDHGexReply.Y, x, msg.P)
-	// Check if k is safe by verifing that k > 1 and k < p - 1
+	// Check if k is safe by verifying that k > 1 and k < p - 1
-	if kInt.Cmp(one) != 1 && kInt.Cmp(pMinusOne) != -1 {
+	if kInt.Cmp(bigOne) <= 0 || kInt.Cmp(pMinusOne) >= 0 {
 		return nil, fmt.Errorf("ssh: derived k is not safe")
 	}
@ -650,8 +660,8 @@ func (gex dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshake
 	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMinimumBits))
 	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangePreferredBits))
 	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMaximumBits))
-	writeInt(h, gex.p)
+	writeInt(h, msg.P)
-	writeInt(h, gex.g)
+	writeInt(h, msg.G)
 	writeInt(h, X)
 	writeInt(h, kexDHGexReply.Y)
 	K := make([]byte, intLength(kInt))
@ -670,7 +680,7 @@ func (gex dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshake
 // Server half implementation of the Diffie Hellman Key Exchange with SHA1 and SHA256.
 //
 // This is a minimal implementation to satisfy the automated tests.
-func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
+func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) {
 	// Receive GexRequest
 	packet, err := c.readPacket()
 	if err != nil {
@ -681,35 +691,17 @@ func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshake
 		return
 	}
 	// smoosh the user's preferred size into our own limits
 	if kexDHGexRequest.PreferedBits > dhGroupExchangeMaximumBits {
 		kexDHGexRequest.PreferedBits = dhGroupExchangeMaximumBits
 	}
 	if kexDHGexRequest.PreferedBits < dhGroupExchangeMinimumBits {
 		kexDHGexRequest.PreferedBits = dhGroupExchangeMinimumBits
 	}
 	// fix min/max if they're inconsistent.  technically, we could just pout
 	// and hang up, but there's no harm in giving them the benefit of the
 	// doubt and just picking a bitsize for them.
 	if kexDHGexRequest.MinBits > kexDHGexRequest.PreferedBits {
 		kexDHGexRequest.MinBits = kexDHGexRequest.PreferedBits
 	}
 	if kexDHGexRequest.MaxBits < kexDHGexRequest.PreferedBits {
 		kexDHGexRequest.MaxBits = kexDHGexRequest.PreferedBits
 	}
 	// Send GexGroup
 	// This is the group called diffie-hellman-group14-sha1 in RFC
 	// 4253 and Oakley Group 14 in RFC 3526.
 	p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
-	gex.p = p
+	g := big.NewInt(2)
 	gex.g = big.NewInt(2)
-	kexDHGexGroup := kexDHGexGroupMsg{
+	msg := &kexDHGexGroupMsg{
-		P: gex.p,
+		P: p,
-		G: gex.g,
+		G: g,
 	}
-	if err := c.writePacket(Marshal(&kexDHGexGroup)); err != nil {
+	if err := c.writePacket(Marshal(msg)); err != nil {
 		return nil, err
 	}
@ -723,19 +715,19 @@ func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshake
 		return
 	}
-	var pHalf = &big.Int{}
+	pHalf := new(big.Int).Rsh(p, 1)
 	pHalf.Rsh(gex.p, 1)
 	y, err := rand.Int(randSource, pHalf)
 	if err != nil {
 		return
 	}
 	Y := new(big.Int).Exp(g, y, p)
-	Y := new(big.Int).Exp(gex.g, y, gex.p)
+	pMinusOne := new(big.Int).Sub(p, bigOne)
-	kInt, err := gex.diffieHellman(kexDHGexInit.X, y)
+	if kexDHGexInit.X.Cmp(bigOne) <= 0 || kexDHGexInit.X.Cmp(pMinusOne) >= 0 {
-	if err != nil {
+		return nil, errors.New("ssh: DH parameter out of bounds")
 		return nil, err
 	}
 	kInt := new(big.Int).Exp(kexDHGexInit.X, y, p)
 	hostKeyBytes := priv.PublicKey().Marshal()
@ -745,8 +737,8 @@ func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshake
 	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMinimumBits))
 	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangePreferredBits))
 	binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMaximumBits))
-	writeInt(h, gex.p)
+	writeInt(h, p)
-	writeInt(h, gex.g)
+	writeInt(h, g)
 	writeInt(h, kexDHGexInit.X)
 	writeInt(h, Y)
@ -758,7 +750,7 @@ func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshake
 	// H is already a hash, but the hostkey signing will apply its
 	// own key-specific hash algorithm.
-	sig, err := signAndMarshal(priv, randSource, H)
+	sig, err := signAndMarshal(priv, randSource, H, algo)
 	if err != nil {
 		return nil, err
 	}
--- a/vendor/golang.org/x/crypto/ssh/keys.go
+++ b/vendor/golang.org/x/crypto/ssh/keys.go
@ -30,8 +30,9 @@ import (
 	"golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"
 )
-// These constants represent the algorithm names for key types supported by this
+// Public key algorithms names. These values can appear in PublicKey.Type,
-// package.
+// ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
 // arguments.
 const (
 	KeyAlgoRSA        = "ssh-rsa"
 	KeyAlgoDSA        = "ssh-dss"
@ -41,16 +42,21 @@ const (
 	KeyAlgoECDSA521   = "ecdsa-sha2-nistp521"
 	KeyAlgoED25519    = "ssh-ed25519"
 	KeyAlgoSKED25519  = "sk-ssh-ed25519@openssh.com"
 	// KeyAlgoRSASHA256 and KeyAlgoRSASHA512 are only public key algorithms, not
 	// public key formats, so they can't appear as a PublicKey.Type. The
 	// corresponding PublicKey.Type is KeyAlgoRSA. See RFC 8332, Section 2.
 	KeyAlgoRSASHA256 = "rsa-sha2-256"
 	KeyAlgoRSASHA512 = "rsa-sha2-512"
 )
 // These constants represent non-default signature algorithms that are supported
 // as algorithm parameters to AlgorithmSigner.SignWithAlgorithm methods. See
 // [PROTOCOL.agent] section 4.5.1 and
 // https://tools.ietf.org/html/draft-ietf-curdle-rsa-sha2-10
 const (
-	SigAlgoRSA        = "ssh-rsa"
+	// Deprecated: use KeyAlgoRSA.
-	SigAlgoRSASHA2256 = "rsa-sha2-256"
+	SigAlgoRSA = KeyAlgoRSA
-	SigAlgoRSASHA2512 = "rsa-sha2-512"
+	// Deprecated: use KeyAlgoRSASHA256.
 	SigAlgoRSASHA2256 = KeyAlgoRSASHA256
 	// Deprecated: use KeyAlgoRSASHA512.
 	SigAlgoRSASHA2512 = KeyAlgoRSASHA512
 )
 // parsePubKey parses a public key of the given algorithm.
@ -70,7 +76,7 @@ func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err err
 	case KeyAlgoSKED25519:
 		return parseSKEd25519(in)
 	case CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoSKECDSA256v01, CertAlgoED25519v01, CertAlgoSKED25519v01:
-		cert, err := parseCert(in, certToPrivAlgo(algo))
+		cert, err := parseCert(in, certKeyAlgoNames[algo])
 		if err != nil {
 			return nil, nil, err
 		}
@ -178,7 +184,7 @@ func ParseKnownHosts(in []byte) (marker string, hosts []string, pubKey PublicKey
 	return "", nil, nil, "", nil, io.EOF
 }
-// ParseAuthorizedKeys parses a public key from an authorized_keys
+// ParseAuthorizedKey parses a public key from an authorized_keys
 // file used in OpenSSH according to the sshd(8) manual page.
 func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error) {
 	for len(in) > 0 {
@ -289,18 +295,21 @@ func MarshalAuthorizedKey(key PublicKey) []byte {
 	return b.Bytes()
 }
-// PublicKey is an abstraction of different types of public keys.
+// PublicKey represents a public key using an unspecified algorithm.
 //
 // Some PublicKeys provided by this package also implement CryptoPublicKey.
 type PublicKey interface {
-	// Type returns the key's type, e.g. "ssh-rsa".
+	// Type returns the key format name, e.g. "ssh-rsa".
 	Type() string
-	// Marshal returns the serialized key data in SSH wire format,
+	// Marshal returns the serialized key data in SSH wire format, with the name
-	// with the name prefix. To unmarshal the returned data, use
+	// prefix. To unmarshal the returned data, use the ParsePublicKey function.
 	// the ParsePublicKey function.
 	Marshal() []byte
-	// Verify that sig is a signature on the given data using this
+	// Verify that sig is a signature on the given data using this key. This
-	// key. This function will hash the data appropriately first.
+	// method will hash the data appropriately first. sig.Format is allowed to
 	// be any signature algorithm compatible with the key type, the caller
 	// should check if it has more stringent requirements.
 	Verify(data []byte, sig *Signature) error
 }
@ -311,25 +320,32 @@ type CryptoPublicKey interface {
 }
 // A Signer can create signatures that verify against a public key.
 //
 // Some Signers provided by this package also implement AlgorithmSigner.
 type Signer interface {
-	// PublicKey returns an associated PublicKey instance.
+	// PublicKey returns the associated PublicKey.
 	PublicKey() PublicKey
-	// Sign returns raw signature for the given data. This method
+	// Sign returns a signature for the given data. This method will hash the
-	// will apply the hash specified for the keytype to the data.
+	// data appropriately first. The signature algorithm is expected to match
 	// the key format returned by the PublicKey.Type method (and not to be any
 	// alternative algorithm supported by the key format).
 	Sign(rand io.Reader, data []byte) (*Signature, error)
 }
-// A AlgorithmSigner is a Signer that also supports specifying a specific
+// An AlgorithmSigner is a Signer that also supports specifying an algorithm to
-// algorithm to use for signing.
+// use for signing.
 //
 // An AlgorithmSigner can't advertise the algorithms it supports, so it should
 // be prepared to be invoked with every algorithm supported by the public key
 // format.
 type AlgorithmSigner interface {
 	Signer
-	// SignWithAlgorithm is like Signer.Sign, but allows specification of a
+	// SignWithAlgorithm is like Signer.Sign, but allows specifying a desired
-	// non-default signing algorithm. See the SigAlgo* constants in this
+	// signing algorithm. Callers may pass an empty string for the algorithm in
-	// package for signature algorithms supported by this package. Callers may
+	// which case the AlgorithmSigner will use a default algorithm. This default
-	// pass an empty string for the algorithm in which case the AlgorithmSigner
+	// doesn't currently control any behavior in this package.
 	// will use its default algorithm.
 	SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error)
 }
@ -381,17 +397,11 @@ func (r *rsaPublicKey) Marshal() []byte {
 }
 func (r *rsaPublicKey) Verify(data []byte, sig *Signature) error {
-	var hash crypto.Hash
+	supportedAlgos := algorithmsForKeyFormat(r.Type())
-	switch sig.Format {
+	if !contains(supportedAlgos, sig.Format) {
 	case SigAlgoRSA:
 		hash = crypto.SHA1
 	case SigAlgoRSASHA2256:
 		hash = crypto.SHA256
 	case SigAlgoRSASHA2512:
 		hash = crypto.SHA512
 	default:
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, r.Type())
 	}
 	hash := hashFuncs[sig.Format]
 	h := hash.New()
 	h.Write(data)
 	digest := h.Sum(nil)
@ -466,7 +476,7 @@ func (k *dsaPublicKey) Verify(data []byte, sig *Signature) error {
 	if sig.Format != k.Type() {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-	h := crypto.SHA1.New()
+	h := hashFuncs[sig.Format].New()
 	h.Write(data)
 	digest := h.Sum(nil)
@ -499,7 +509,7 @@ func (k *dsaPrivateKey) PublicKey() PublicKey {
 }
 func (k *dsaPrivateKey) Sign(rand io.Reader, data []byte) (*Signature, error) {
-	return k.SignWithAlgorithm(rand, data, "")
+	return k.SignWithAlgorithm(rand, data, k.PublicKey().Type())
 }
 func (k *dsaPrivateKey) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) {
@ -507,7 +517,7 @@ func (k *dsaPrivateKey) SignWithAlgorithm(rand io.Reader, data []byte, algorithm
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %s", algorithm)
 	}
-	h := crypto.SHA1.New()
+	h := hashFuncs[k.PublicKey().Type()].New()
 	h.Write(data)
 	digest := h.Sum(nil)
 	r, s, err := dsa.Sign(rand, k.PrivateKey, digest)
@ -603,19 +613,6 @@ func supportedEllipticCurve(curve elliptic.Curve) bool {
 	return curve == elliptic.P256() || curve == elliptic.P384() || curve == elliptic.P521()
 }
 // ecHash returns the hash to match the given elliptic curve, see RFC
 // 5656, section 6.2.1
 func ecHash(curve elliptic.Curve) crypto.Hash {
 	bitSize := curve.Params().BitSize
 	switch {
 	case bitSize <= 256:
 		return crypto.SHA256
 	case bitSize <= 384:
 		return crypto.SHA384
 	}
 	return crypto.SHA512
 }
 // parseECDSA parses an ECDSA key according to RFC 5656, section 3.1.
 func parseECDSA(in []byte) (out PublicKey, rest []byte, err error) {
 	var w struct {
@ -671,7 +668,7 @@ func (k *ecdsaPublicKey) Verify(data []byte, sig *Signature) error {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-	h := ecHash(k.Curve).New()
+	h := hashFuncs[sig.Format].New()
 	h.Write(data)
 	digest := h.Sum(nil)
@ -775,7 +772,7 @@ func (k *skECDSAPublicKey) Verify(data []byte, sig *Signature) error {
 		return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
 	}
-	h := ecHash(k.Curve).New()
+	h := hashFuncs[sig.Format].New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
@ -874,7 +871,7 @@ func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error {
 		return fmt.Errorf("invalid size %d for Ed25519 public key", l)
 	}
-	h := sha256.New()
+	h := hashFuncs[sig.Format].New()
 	h.Write([]byte(k.application))
 	appDigest := h.Sum(nil)
@ -939,15 +936,6 @@ func newDSAPrivateKey(key *dsa.PrivateKey) (Signer, error) {
 	return &dsaPrivateKey{key}, nil
 }
 type rsaSigner struct {
 	AlgorithmSigner
 	defaultAlgorithm string
 }
 func (s *rsaSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
 	return s.AlgorithmSigner.SignWithAlgorithm(rand, data, s.defaultAlgorithm)
 }
 type wrappedSigner struct {
 	signer crypto.Signer
 	pubKey PublicKey
@ -970,44 +958,20 @@ func (s *wrappedSigner) PublicKey() PublicKey {
 }
 func (s *wrappedSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
-	return s.SignWithAlgorithm(rand, data, "")
+	return s.SignWithAlgorithm(rand, data, s.pubKey.Type())
 }
 func (s *wrappedSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) {
-	var hashFunc crypto.Hash
+	if algorithm == "" {
-
+		algorithm = s.pubKey.Type()
 	if _, ok := s.pubKey.(*rsaPublicKey); ok {
 		// RSA keys support a few hash functions determined by the requested signature algorithm
 		switch algorithm {
 		case "", SigAlgoRSA:
 			algorithm = SigAlgoRSA
 			hashFunc = crypto.SHA1
 		case SigAlgoRSASHA2256:
 			hashFunc = crypto.SHA256
 		case SigAlgoRSASHA2512:
 			hashFunc = crypto.SHA512
 		default:
 			return nil, fmt.Errorf("ssh: unsupported signature algorithm %s", algorithm)
 		}
 	} else {
 		// The only supported algorithm for all other key types is the same as the type of the key
 		if algorithm == "" {
 			algorithm = s.pubKey.Type()
 		} else if algorithm != s.pubKey.Type() {
 			return nil, fmt.Errorf("ssh: unsupported signature algorithm %s", algorithm)
 		}
 		switch key := s.pubKey.(type) {
 		case *dsaPublicKey:
 			hashFunc = crypto.SHA1
 		case *ecdsaPublicKey:
 			hashFunc = ecHash(key.Curve)
 		case ed25519PublicKey:
 		default:
 			return nil, fmt.Errorf("ssh: unsupported key type %T", key)
 		}
 	}
 	supportedAlgos := algorithmsForKeyFormat(s.pubKey.Type())
 	if !contains(supportedAlgos, algorithm) {
 		return nil, fmt.Errorf("ssh: unsupported signature algorithm %q for key format %q", algorithm, s.pubKey.Type())
 	}
 	hashFunc := hashFuncs[algorithm]
 	var digest []byte
 	if hashFunc != 0 {
 		h := hashFunc.New()
@ -1123,9 +1087,9 @@ func (*PassphraseMissingError) Error() string {
 	return "ssh: this private key is passphrase protected"
 }
-// ParseRawPrivateKey returns a private key from a PEM encoded private key. It
+// ParseRawPrivateKey returns a private key from a PEM encoded private key. It supports
-// supports RSA (PKCS#1), PKCS#8, DSA (OpenSSL), and ECDSA private keys. If the
+// RSA, DSA, ECDSA, and Ed25519 private keys in PKCS#1, PKCS#8, OpenSSL, and OpenSSH
-// private key is encrypted, it will return a PassphraseMissingError.
+// formats. If the private key is encrypted, it will return a PassphraseMissingError.
 func ParseRawPrivateKey(pemBytes []byte) (interface{}, error) {
 	block, _ := pem.Decode(pemBytes)
 	if block == nil {
--- a/vendor/golang.org/x/crypto/ssh/mac.go
+++ b/vendor/golang.org/x/crypto/ssh/mac.go
@ -10,6 +10,7 @@ import (
 	"crypto/hmac"
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/sha512"
 	"hash"
 )
@ -46,9 +47,15 @@ func (t truncatingMAC) Size() int {
 func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
 var macModes = map[string]*macMode{
 	"hmac-sha2-512-etm@openssh.com": {64, true, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
 	}},
 	"hmac-sha2-256-etm@openssh.com": {32, true, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
 	}},
 	"hmac-sha2-512": {64, false, func(key []byte) hash.Hash {
 		return hmac.New(sha512.New, key)
 	}},
 	"hmac-sha2-256": {32, false, func(key []byte) hash.Hash {
 		return hmac.New(sha256.New, key)
 	}},
--- a/vendor/golang.org/x/crypto/ssh/messages.go
+++ b/vendor/golang.org/x/crypto/ssh/messages.go
@ -68,7 +68,7 @@ type kexInitMsg struct {
 // See RFC 4253, section 8.
-// Diffie-Helman
+// Diffie-Hellman
 const msgKexDHInit = 30
 type kexDHInitMsg struct {
@ -141,6 +141,14 @@ type serviceAcceptMsg struct {
 	Service string `sshtype:"6"`
 }
 // See RFC 8308, section 2.3
 const msgExtInfo = 7
 type extInfoMsg struct {
 	NumExtensions uint32 `sshtype:"7"`
 	Payload       []byte `ssh:"rest"`
 }
 // See RFC 4252, section 5.
 const msgUserAuthRequest = 50
@ -180,11 +188,11 @@ const msgUserAuthInfoRequest = 60
 const msgUserAuthInfoResponse = 61
 type userAuthInfoRequestMsg struct {
-	User               string `sshtype:"60"`
+	Name        string `sshtype:"60"`
-	Instruction        string
+	Instruction string
-	DeprecatedLanguage string
+	Language    string
-	NumPrompts         uint32
+	NumPrompts  uint32
-	Prompts            []byte `ssh:"rest"`
+	Prompts     []byte `ssh:"rest"`
 }
 // See RFC 4254, section 5.1.
@ -782,6 +790,8 @@ func decode(packet []byte) (interface{}, error) {
 		msg = new(serviceRequestMsg)
 	case msgServiceAccept:
 		msg = new(serviceAcceptMsg)
 	case msgExtInfo:
 		msg = new(extInfoMsg)
 	case msgKexInit:
 		msg = new(kexInitMsg)
 	case msgKexDHInit:
@ -843,6 +853,7 @@ var packetTypeNames = map[byte]string{
 	msgDisconnect:          "disconnectMsg",
 	msgServiceRequest:      "serviceRequestMsg",
 	msgServiceAccept:       "serviceAcceptMsg",
 	msgExtInfo:             "extInfoMsg",
 	msgKexInit:             "kexInitMsg",
 	msgKexDHInit:           "kexDHInitMsg",
 	msgKexDHReply:          "kexDHReplyMsg",
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ b/vendor/golang.org/x/crypto/ssh/server.go
@ -68,8 +68,16 @@ type ServerConfig struct {
 	// NoClientAuth is true if clients are allowed to connect without
 	// authenticating.
 	// To determine NoClientAuth at runtime, set NoClientAuth to true
 	// and the optional NoClientAuthCallback to a non-nil value.
 	NoClientAuth bool
 	// NoClientAuthCallback, if non-nil, is called when a user
 	// attempts to authenticate with auth method "none".
 	// NoClientAuth must also be set to true for this be used, or
 	// this func is unused.
 	NoClientAuthCallback func(ConnMetadata) (*Permissions, error)
 	// MaxAuthTries specifies the maximum number of authentication attempts
 	// permitted per connection. If set to a negative number, the number of
 	// attempts are unlimited. If set to zero, the number of attempts are limited
@ -120,7 +128,7 @@ type ServerConfig struct {
 }
 // AddHostKey adds a private key as a host key. If an existing host
-// key exists with the same algorithm, it is overwritten. Each server
+// key exists with the same public key format, it is replaced. Each server
 // config must have at least one host key.
 func (s *ServerConfig) AddHostKey(key Signer) {
 	for i, k := range s.hostKeys {
@ -212,9 +220,10 @@ func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewCha
 }
 // signAndMarshal signs the data with the appropriate algorithm,
-// and serializes the result in SSH wire format.
+// and serializes the result in SSH wire format. algo is the negotiate
-func signAndMarshal(k Signer, rand io.Reader, data []byte) ([]byte, error) {
+// algorithm and may be a certificate type.
-	sig, err := k.Sign(rand, data)
+func signAndMarshal(k AlgorithmSigner, rand io.Reader, data []byte, algo string) ([]byte, error) {
 	sig, err := k.SignWithAlgorithm(rand, data, underlyingAlgo(algo))
 	if err != nil {
 		return nil, err
 	}
@ -282,15 +291,6 @@ func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error)
 	return perms, err
 }
 func isAcceptableAlgo(algo string) bool {
 	switch algo {
 	case SigAlgoRSA, SigAlgoRSASHA2256, SigAlgoRSASHA2512, KeyAlgoDSA, KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, KeyAlgoSKECDSA256, KeyAlgoED25519, KeyAlgoSKED25519,
 		CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoSKECDSA256v01, CertAlgoED25519v01, CertAlgoSKED25519v01:
 		return true
 	}
 	return false
 }
 func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
 	if addr == nil {
 		return errors.New("ssh: no address known for client, but source-address match required")
@ -454,7 +454,11 @@ userAuthLoop:
 		switch userAuthReq.Method {
 		case "none":
 			if config.NoClientAuth {
-				authErr = nil
+				if config.NoClientAuthCallback != nil {
 					perms, authErr = config.NoClientAuthCallback(s)
 				} else {
 					authErr = nil
 				}
 			}
 			// allow initial attempt of 'none' without penalty
@ -501,7 +505,7 @@ userAuthLoop:
 				return nil, parseError(msgUserAuthRequest)
 			}
 			algo := string(algoBytes)
-			if !isAcceptableAlgo(algo) {
+			if !contains(supportedPubKeyAuthAlgos, underlyingAlgo(algo)) {
 				authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
 				break
 			}
@ -553,16 +557,22 @@ userAuthLoop:
 				if !ok || len(payload) > 0 {
 					return nil, parseError(msgUserAuthRequest)
 				}
 				// Ensure the public key algo and signature algo
 				// are supported.  Compare the private key
 				// algorithm name that corresponds to algo with
 				// sig.Format.  This is usually the same, but
 				// for certs, the names differ.
-				if !isAcceptableAlgo(sig.Format) {
+				if !contains(supportedPubKeyAuthAlgos, sig.Format) {
 					authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
 					break
 				}
-				signedData := buildDataSignedForAuth(sessionID, userAuthReq, algoBytes, pubKeyData)
+				if underlyingAlgo(algo) != sig.Format {
 					authErr = fmt.Errorf("ssh: signature %q not compatible with selected algorithm %q", sig.Format, algo)
 					break
 				}
 				signedData := buildDataSignedForAuth(sessionID, userAuthReq, algo, pubKeyData)
 				if err := pubKey.Verify(signedData, sig); err != nil {
 					return nil, err
@ -634,7 +644,7 @@ userAuthLoop:
 		authFailures++
 		if config.MaxAuthTries > 0 && authFailures >= config.MaxAuthTries {
-			// If we have hit the max attemps, don't bother sending the
+			// If we have hit the max attempts, don't bother sending the
 			// final SSH_MSG_USERAUTH_FAILURE message, since there are
 			// no more authentication methods which can be attempted,
 			// and this message may cause the client to re-attempt
@ -694,7 +704,7 @@ type sshClientKeyboardInteractive struct {
 	*connection
 }
-func (c *sshClientKeyboardInteractive) Challenge(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
+func (c *sshClientKeyboardInteractive) Challenge(name, instruction string, questions []string, echos []bool) (answers []string, err error) {
 	if len(questions) != len(echos) {
 		return nil, errors.New("ssh: echos and questions must have equal length")
 	}
@ -706,6 +716,7 @@ func (c *sshClientKeyboardInteractive) Challenge(user, instruction string, quest
 	}
 	if err := c.transport.writePacket(Marshal(&userAuthInfoRequestMsg{
 		Name:        name,
 		Instruction: instruction,
 		NumPrompts:  uint32(len(questions)),
 		Prompts:     prompts,
--- a/vendor/golang.org/x/crypto/ssh/session.go
+++ b/vendor/golang.org/x/crypto/ssh/session.go
@ -13,7 +13,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"sync"
 )
@ -85,6 +84,7 @@ const (
 	IXANY         = 39
 	IXOFF         = 40
 	IMAXBEL       = 41
 	IUTF8         = 42 // RFC 8160
 	ISIG          = 50
 	ICANON        = 51
 	XCASE         = 52
@ -123,7 +123,7 @@ type Session struct {
 	// output and error.
 	//
 	// If either is nil, Run connects the corresponding file
-	// descriptor to an instance of ioutil.Discard. There is a
+	// descriptor to an instance of io.Discard. There is a
 	// fixed amount of buffering that is shared for the two streams.
 	// If either blocks it may eventually cause the remote
 	// command to block.
@ -505,7 +505,7 @@ func (s *Session) stdout() {
 		return
 	}
 	if s.Stdout == nil {
-		s.Stdout = ioutil.Discard
+		s.Stdout = io.Discard
 	}
 	s.copyFuncs = append(s.copyFuncs, func() error {
 		_, err := io.Copy(s.Stdout, s.ch)
@ -518,7 +518,7 @@ func (s *Session) stderr() {
 		return
 	}
 	if s.Stderr == nil {
-		s.Stderr = ioutil.Discard
+		s.Stderr = io.Discard
 	}
 	s.copyFuncs = append(s.copyFuncs, func() error {
 		_, err := io.Copy(s.Stderr, s.ch.Stderr())
--- a/vendor/golang.org/x/crypto/ssh/transport.go
+++ b/vendor/golang.org/x/crypto/ssh/transport.go
@ -17,7 +17,8 @@ import (
 const debugTransport = false
 const (
-	gcmCipherID    = "aes128-gcm@openssh.com"
+	gcm128CipherID = "aes128-gcm@openssh.com"
 	gcm256CipherID = "aes256-gcm@openssh.com"
 	aes128cbcID    = "aes128-cbc"
 	tripledescbcID = "3des-cbc"
 )
@ -238,15 +239,19 @@ var (
 // (to setup server->client keys) or clientKeys (for client->server keys).
 func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
 	cipherMode := cipherModes[algs.Cipher]
 	macMode := macModes[algs.MAC]
 	iv := make([]byte, cipherMode.ivSize)
 	key := make([]byte, cipherMode.keySize)
 	macKey := make([]byte, macMode.keySize)
 	generateKeyMaterial(iv, d.ivTag, kex)
 	generateKeyMaterial(key, d.keyTag, kex)
-	generateKeyMaterial(macKey, d.macKeyTag, kex)
+
 	var macKey []byte
 	if !aeadCiphers[algs.Cipher] {
 		macMode := macModes[algs.MAC]
 		macKey = make([]byte, macMode.keySize)
 		generateKeyMaterial(macKey, d.macKeyTag, kex)
 	}
 	return cipherModes[algs.Cipher].create(key, iv, macKey, algs)
 }
--- a/vendor/golang.org/x/net/html/token.go
+++ b/vendor/golang.org/x/net/html/token.go
@ -913,7 +913,14 @@ func (z *Tokenizer) readTagAttrKey() {
 		case ' ', '\n', '\r', '\t', '\f', '/':
 			z.pendingAttr[0].end = z.raw.end - 1
 			return
-		case '=', '>':
+		case '=':
 			if z.pendingAttr[0].start+1 == z.raw.end {
 				// WHATWG 13.2.5.32, if we see an equals sign before the attribute name
 				// begins, we treat it as a character in the attribute name and continue.
 				continue
 			}
 			fallthrough
 		case '>':
 			z.raw.end--
 			z.pendingAttr[0].end = z.raw.end
 			return
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@ -441,7 +441,7 @@ func (s *Server) ServeConn(c net.Conn, opts *ServeConnOpts) {
 	if s.NewWriteScheduler != nil {
 		sc.writeSched = s.NewWriteScheduler()
 	} else {
-		sc.writeSched = NewPriorityWriteScheduler(nil)
+		sc.writeSched = newRoundRobinWriteScheduler()
 	}
 	// These start at the RFC-specified defaults. If there is a higher
@ -2429,7 +2429,7 @@ type requestBody struct {
 	conn          *serverConn
 	closeOnce     sync.Once // for use by Close only
 	sawEOF        bool      // for use by Read only
-	pipe          *pipe     // non-nil if we have a HTTP entity message body
+	pipe          *pipe     // non-nil if we have an HTTP entity message body
 	needsContinue bool      // need to send a 100-continue
 }
@ -2569,7 +2569,8 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
 				clen = ""
 			}
 		}
-		if clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) {
+		_, hasContentLength := rws.snapHeader["Content-Length"]
 		if !hasContentLength && clen == "" && rws.handlerDone && bodyAllowedForStatus(rws.status) && (len(p) > 0 || !isHeadResp) {
 			clen = strconv.Itoa(len(p))
 		}
 		_, hasContentType := rws.snapHeader["Content-Type"]
@ -2774,7 +2775,7 @@ func (w *responseWriter) FlushError() error {
 		err = rws.bw.Flush()
 	} else {
 		// The bufio.Writer won't call chunkWriter.Write
-		// (writeChunk with zero bytes, so we have to do it
+		// (writeChunk with zero bytes), so we have to do it
 		// ourselves to force the HTTP response header and/or
 		// final DATA frame (with END_STREAM) to be sent.
 		_, err = chunkWriter{rws}.Write(nil)
--- a/vendor/golang.org/x/net/http2/transport.go
+++ b/vendor/golang.org/x/net/http2/transport.go
@ -1268,21 +1268,23 @@ func (cc *ClientConn) RoundTrip(req *http.Request) (*http.Response, error) {
 	cancelRequest := func(cs *clientStream, err error) error {
 		cs.cc.mu.Lock()
-		defer cs.cc.mu.Unlock()
+		bodyClosed := cs.reqBodyClosed
-		cs.abortStreamLocked(err)
+		cs.cc.mu.Unlock()
-		if cs.ID != 0 {
+		// Wait for the request body to be closed.
-			// This request may have failed because of a problem with the connection,
+		//
-			// or for some unrelated reason. (For example, the user might have canceled
+		// If nothing closed the body before now, abortStreamLocked
-			// the request without waiting for a response.) Mark the connection as
+		// will have started a goroutine to close it.
-			// not reusable, since trying to reuse a dead connection is worse than
+		//
-			// unnecessarily creating a new one.
+		// Closing the body before returning avoids a race condition
-			//
+		// with net/http checking its readTrackingBody to see if the
-			// If cs.ID is 0, then the request was never allocated a stream ID and
+		// body was read from or closed. See golang/go#60041.
-			// whatever went wrong was unrelated to the connection. We might have
+		//
-			// timed out waiting for a stream slot when StrictMaxConcurrentStreams
+		// The body is closed in a separate goroutine without the
-			// is set, for example, in which case retrying on a different connection
+		// connection mutex held, but dropping the mutex before waiting
-			// will not help.
+		// will keep us from holding it indefinitely if the body
-			cs.cc.doNotReuse = true
+		// close is slow for some reason.
 		if bodyClosed != nil {
 			<-bodyClosed
 		}
 		return err
 	}
@ -1301,11 +1303,14 @@ func (cc *ClientConn) RoundTrip(req *http.Request) (*http.Response, error) {
 				return handleResponseHeaders()
 			default:
 				waitDone()
-				return nil, cancelRequest(cs, cs.abortErr)
+				return nil, cs.abortErr
 			}
 		case <-ctx.Done():
-			return nil, cancelRequest(cs, ctx.Err())
+			err := ctx.Err()
 			cs.abortStream(err)
 			return nil, cancelRequest(cs, err)
 		case <-cs.reqCancel:
 			cs.abortStream(errRequestCanceled)
 			return nil, cancelRequest(cs, errRequestCanceled)
 		}
 	}
@ -1863,6 +1868,9 @@ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trail
 	if err != nil {
 		return nil, err
 	}
 	if !httpguts.ValidHostHeader(host) {
 		return nil, errors.New("http2: invalid Host header")
 	}
 	var path string
 	if req.Method != "CONNECT" {
@ -1899,7 +1907,7 @@ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trail
 		// 8.1.2.3 Request Pseudo-Header Fields
 		// The :path pseudo-header field includes the path and query parts of the
 		// target URI (the path-absolute production and optionally a '?' character
-		// followed by the query production (see Sections 3.3 and 3.4 of
+		// followed by the query production, see Sections 3.3 and 3.4 of
 		// [RFC3986]).
 		f(":authority", host)
 		m := req.Method
--- a/vendor/golang.org/x/net/http2/writesched.go
+++ b/vendor/golang.org/x/net/http2/writesched.go
@ -184,7 +184,8 @@ func (wr *FrameWriteRequest) replyToWriter(err error) {
 // writeQueue is used by implementations of WriteScheduler.
 type writeQueue struct {
-	s []FrameWriteRequest
+	s          []FrameWriteRequest
 	prev, next *writeQueue
 }
 func (q *writeQueue) empty() bool { return len(q.s) == 0 }
--- a/vendor/golang.org/x/net/http2/writesched_roundrobin.go
+++ b/vendor/golang.org/x/net/http2/writesched_roundrobin.go
@ -0,0 +1,119 @@
 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package http2
 import (
 	"fmt"
 	"math"
 )
 type roundRobinWriteScheduler struct {
 	// control contains control frames (SETTINGS, PING, etc.).
 	control writeQueue
 	// streams maps stream ID to a queue.
 	streams map[uint32]*writeQueue
 	// stream queues are stored in a circular linked list.
 	// head is the next stream to write, or nil if there are no streams open.
 	head *writeQueue
 	// pool of empty queues for reuse.
 	queuePool writeQueuePool
 }
 // newRoundRobinWriteScheduler constructs a new write scheduler.
 // The round robin scheduler priorizes control frames
 // like SETTINGS and PING over DATA frames.
 // When there are no control frames to send, it performs a round-robin
 // selection from the ready streams.
 func newRoundRobinWriteScheduler() WriteScheduler {
 	ws := &roundRobinWriteScheduler{
 		streams: make(map[uint32]*writeQueue),
 	}
 	return ws
 }
 func (ws *roundRobinWriteScheduler) OpenStream(streamID uint32, options OpenStreamOptions) {
 	if ws.streams[streamID] != nil {
 		panic(fmt.Errorf("stream %d already opened", streamID))
 	}
 	q := ws.queuePool.get()
 	ws.streams[streamID] = q
 	if ws.head == nil {
 		ws.head = q
 		q.next = q
 		q.prev = q
 	} else {
 		// Queues are stored in a ring.
 		// Insert the new stream before ws.head, putting it at the end of the list.
 		q.prev = ws.head.prev
 		q.next = ws.head
 		q.prev.next = q
 		q.next.prev = q
 	}
 }
 func (ws *roundRobinWriteScheduler) CloseStream(streamID uint32) {
 	q := ws.streams[streamID]
 	if q == nil {
 		return
 	}
 	if q.next == q {
 		// This was the only open stream.
 		ws.head = nil
 	} else {
 		q.prev.next = q.next
 		q.next.prev = q.prev
 		if ws.head == q {
 			ws.head = q.next
 		}
 	}
 	delete(ws.streams, streamID)
 	ws.queuePool.put(q)
 }
 func (ws *roundRobinWriteScheduler) AdjustStream(streamID uint32, priority PriorityParam) {}
 func (ws *roundRobinWriteScheduler) Push(wr FrameWriteRequest) {
 	if wr.isControl() {
 		ws.control.push(wr)
 		return
 	}
 	q := ws.streams[wr.StreamID()]
 	if q == nil {
 		// This is a closed stream.
 		// wr should not be a HEADERS or DATA frame.
 		// We push the request onto the control queue.
 		if wr.DataSize() > 0 {
 			panic("add DATA on non-open stream")
 		}
 		ws.control.push(wr)
 		return
 	}
 	q.push(wr)
 }
 func (ws *roundRobinWriteScheduler) Pop() (FrameWriteRequest, bool) {
 	// Control and RST_STREAM frames first.
 	if !ws.control.empty() {
 		return ws.control.shift(), true
 	}
 	if ws.head == nil {
 		return FrameWriteRequest{}, false
 	}
 	q := ws.head
 	for {
 		if wr, ok := q.consume(math.MaxInt32); ok {
 			ws.head = q.next
 			return wr, true
 		}
 		q = q.next
 		if q == ws.head {
 			break
 		}
 	}
 	return FrameWriteRequest{}, false
 }
--- a/vendor/golang.org/x/net/idna/idna9.0.0.go
+++ b/vendor/golang.org/x/net/idna/idna9.0.0.go
@ -121,7 +121,7 @@ func CheckJoiners(enable bool) Option {
 	}
 }
-// StrictDomainName limits the set of permissable ASCII characters to those
+// StrictDomainName limits the set of permissible ASCII characters to those
 // allowed in domain names as defined in RFC 1034 (A-Z, a-z, 0-9 and the
 // hyphen). This is set by default for MapForLookup and ValidateForRegistration,
 // but is only useful if ValidateLabels is set.
--- a/vendor/golang.org/x/net/idna/tables13.0.0.go
+++ b/vendor/golang.org/x/net/idna/tables13.0.0.go
--- a/vendor/golang.org/x/net/idna/tables15.0.0.go
+++ b/vendor/golang.org/x/net/idna/tables15.0.0.go
--- a/vendor/golang.org/x/net/idna/trie.go
+++ b/vendor/golang.org/x/net/idna/trie.go
@ -6,27 +6,6 @@
 package idna
 // appendMapping appends the mapping for the respective rune. isMapped must be
 // true. A mapping is a categorization of a rune as defined in UTS #46.
 func (c info) appendMapping(b []byte, s string) []byte {
 	index := int(c >> indexShift)
 	if c&xorBit == 0 {
 		s := mappings[index:]
 		return append(b, s[1:s[0]+1]...)
 	}
 	b = append(b, s...)
 	if c&inlineXOR == inlineXOR {
 		// TODO: support and handle two-byte inline masks
 		b[len(b)-1] ^= byte(index)
 	} else {
 		for p := len(b) - int(xorData[index]); p < len(b); p++ {
 			index++
 			b[p] ^= xorData[index]
 		}
 	}
 	return b
 }
 // Sparse block handling code.
 type valueRange struct {
--- a/vendor/golang.org/x/net/idna/trie12.0.0.go
+++ b/vendor/golang.org/x/net/idna/trie12.0.0.go
@ -0,0 +1,31 @@
 // Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
 // Copyright 2016 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build !go1.16
 // +build !go1.16
 package idna
 // appendMapping appends the mapping for the respective rune. isMapped must be
 // true. A mapping is a categorization of a rune as defined in UTS #46.
 func (c info) appendMapping(b []byte, s string) []byte {
 	index := int(c >> indexShift)
 	if c&xorBit == 0 {
 		s := mappings[index:]
 		return append(b, s[1:s[0]+1]...)
 	}
 	b = append(b, s...)
 	if c&inlineXOR == inlineXOR {
 		// TODO: support and handle two-byte inline masks
 		b[len(b)-1] ^= byte(index)
 	} else {
 		for p := len(b) - int(xorData[index]); p < len(b); p++ {
 			index++
 			b[p] ^= xorData[index]
 		}
 	}
 	return b
 }
--- a/vendor/golang.org/x/net/idna/trie13.0.0.go
+++ b/vendor/golang.org/x/net/idna/trie13.0.0.go
@ -0,0 +1,31 @@
 // Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
 // Copyright 2016 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build go1.16
 // +build go1.16
 package idna
 // appendMapping appends the mapping for the respective rune. isMapped must be
 // true. A mapping is a categorization of a rune as defined in UTS #46.
 func (c info) appendMapping(b []byte, s string) []byte {
 	index := int(c >> indexShift)
 	if c&xorBit == 0 {
 		p := index
 		return append(b, mappings[mappingIndex[p]:mappingIndex[p+1]]...)
 	}
 	b = append(b, s...)
 	if c&inlineXOR == inlineXOR {
 		// TODO: support and handle two-byte inline masks
 		b[len(b)-1] ^= byte(index)
 	} else {
 		for p := len(b) - int(xorData[index]); p < len(b); p++ {
 			index++
 			b[p] ^= xorData[index]
 		}
 	}
 	return b
 }
--- a/vendor/golang.org/x/sys/cpu/endian_little.go
+++ b/vendor/golang.org/x/sys/cpu/endian_little.go
@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-//go:build 386 || amd64 || amd64p32 || alpha || arm || arm64 || loong64 || mipsle || mips64le || mips64p32le || nios2 || ppc64le || riscv || riscv64 || sh
+//go:build 386 || amd64 || amd64p32 || alpha || arm || arm64 || loong64 || mipsle || mips64le || mips64p32le || nios2 || ppc64le || riscv || riscv64 || sh || wasm
-// +build 386 amd64 amd64p32 alpha arm arm64 loong64 mipsle mips64le mips64p32le nios2 ppc64le riscv riscv64 sh
+// +build 386 amd64 amd64p32 alpha arm arm64 loong64 mipsle mips64le mips64p32le nios2 ppc64le riscv riscv64 sh wasm
 package cpu
--- a/vendor/golang.org/x/sys/unix/mkall.sh
+++ b/vendor/golang.org/x/sys/unix/mkall.sh
@ -50,7 +50,7 @@ if [[ "$GOOS" = "linux" ]]; then
 	# Use the Docker-based build system
 	# Files generated through docker (use $cmd so you can Ctl-C the build or run)
 	$cmd docker build --tag generate:$GOOS $GOOS
-	$cmd docker run --interactive --tty --volume $(cd -- "$(dirname -- "$0")/.." && /bin/pwd):/build generate:$GOOS
+	$cmd docker run --interactive --tty --volume $(cd -- "$(dirname -- "$0")/.." && pwd):/build generate:$GOOS
 	exit
 fi
--- a/vendor/golang.org/x/sys/unix/mkerrors.sh
+++ b/vendor/golang.org/x/sys/unix/mkerrors.sh
@ -519,7 +519,7 @@ ccflags="$@"
 		$2 ~ /^LOCK_(SH|EX|NB|UN)$/ ||
 		$2 ~ /^LO_(KEY|NAME)_SIZE$/ ||
 		$2 ~ /^LOOP_(CLR|CTL|GET|SET)_/ ||
-		$2 ~ /^(AF|SOCK|SO|SOL|IPPROTO|IP|IPV6|TCP|MCAST|EVFILT|NOTE|SHUT|PROT|MAP|MFD|T?PACKET|MSG|SCM|MCL|DT|MADV|PR|LOCAL|TCPOPT|UDP)_/ ||
+		$2 ~ /^(AF|SOCK|SO|SOL|IPPROTO|IP|IPV6|TCP|MCAST|EVFILT|NOTE|SHUT|PROT|MAP|MREMAP|MFD|T?PACKET|MSG|SCM|MCL|DT|MADV|PR|LOCAL|TCPOPT|UDP)_/ ||
 		$2 ~ /^NFC_(GENL|PROTO|COMM|RF|SE|DIRECTION|LLCP|SOCKPROTO)_/ ||
 		$2 ~ /^NFC_.*_(MAX)?SIZE$/ ||
 		$2 ~ /^RAW_PAYLOAD_/ ||
@ -741,7 +741,8 @@ main(void)
 		e = errors[i].num;
 		if(i > 0 && errors[i-1].num == e)
 			continue;
-		strcpy(buf, strerror(e));
+		strncpy(buf, strerror(e), sizeof(buf) - 1);
 		buf[sizeof(buf) - 1] = '\0';
 		// lowercase first letter: Bad -> bad, but STREAM -> STREAM.
 		if(A <= buf[0] && buf[0] <= Z && a <= buf[1] && buf[1] <= z)
 			buf[0] += a - A;
@ -760,7 +761,8 @@ main(void)
 		e = signals[i].num;
 		if(i > 0 && signals[i-1].num == e)
 			continue;
-		strcpy(buf, strsignal(e));
+		strncpy(buf, strsignal(e), sizeof(buf) - 1);
 		buf[sizeof(buf) - 1] = '\0';
 		// lowercase first letter: Bad -> bad, but STREAM -> STREAM.
 		if(A <= buf[0] && buf[0] <= Z && a <= buf[1] && buf[1] <= z)
 			buf[0] += a - A;
--- a/vendor/golang.org/x/sys/unix/mremap.go
+++ b/vendor/golang.org/x/sys/unix/mremap.go
@ -0,0 +1,40 @@
 // Copyright 2023 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //go:build linux
 // +build linux
 package unix
 import "unsafe"
 type mremapMmapper struct {
 	mmapper
 	mremap func(oldaddr uintptr, oldlength uintptr, newlength uintptr, flags int, newaddr uintptr) (xaddr uintptr, err error)
 }
 func (m *mremapMmapper) Mremap(oldData []byte, newLength int, flags int) (data []byte, err error) {
 	if newLength <= 0 || len(oldData) == 0 || len(oldData) != cap(oldData) || flags&MREMAP_FIXED != 0 {
 		return nil, EINVAL
 	}
 	pOld := &oldData[cap(oldData)-1]
 	m.Lock()
 	defer m.Unlock()
 	bOld := m.active[pOld]
 	if bOld == nil || &bOld[0] != &oldData[0] {
 		return nil, EINVAL
 	}
 	newAddr, errno := m.mremap(uintptr(unsafe.Pointer(&bOld[0])), uintptr(len(bOld)), uintptr(newLength), flags, 0)
 	if errno != nil {
 		return nil, errno
 	}
 	bNew := unsafe.Slice((*byte)(unsafe.Pointer(newAddr)), newLength)
 	pNew := &bNew[cap(bNew)-1]
 	if flags&MREMAP_DONTUNMAP == 0 {
 		delete(m.active, pOld)
 	}
 	m.active[pNew] = bNew
 	return bNew, nil
 }
--- a/vendor/golang.org/x/sys/unix/syscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
@ -1699,12 +1699,23 @@ func PtracePokeUser(pid int, addr uintptr, data []byte) (count int, err error) {
 	return ptracePoke(PTRACE_POKEUSR, PTRACE_PEEKUSR, pid, addr, data)
 }
 // elfNT_PRSTATUS is a copy of the debug/elf.NT_PRSTATUS constant so
 // x/sys/unix doesn't need to depend on debug/elf and thus
 // compress/zlib, debug/dwarf, and other packages.
 const elfNT_PRSTATUS = 1
 func PtraceGetRegs(pid int, regsout *PtraceRegs) (err error) {
-	return ptracePtr(PTRACE_GETREGS, pid, 0, unsafe.Pointer(regsout))
+	var iov Iovec
 	iov.Base = (*byte)(unsafe.Pointer(regsout))
 	iov.SetLen(int(unsafe.Sizeof(*regsout)))
 	return ptracePtr(PTRACE_GETREGSET, pid, uintptr(elfNT_PRSTATUS), unsafe.Pointer(&iov))
 }
 func PtraceSetRegs(pid int, regs *PtraceRegs) (err error) {
-	return ptracePtr(PTRACE_SETREGS, pid, 0, unsafe.Pointer(regs))
+	var iov Iovec
 	iov.Base = (*byte)(unsafe.Pointer(regs))
 	iov.SetLen(int(unsafe.Sizeof(*regs)))
 	return ptracePtr(PTRACE_SETREGSET, pid, uintptr(elfNT_PRSTATUS), unsafe.Pointer(&iov))
 }
 func PtraceSetOptions(pid int, options int) (err error) {
@ -2113,11 +2124,15 @@ func writevRacedetect(iovecs []Iovec, n int) {
 // mmap varies by architecture; see syscall_linux_*.go.
 //sys	munmap(addr uintptr, length uintptr) (err error)
 //sys	mremap(oldaddr uintptr, oldlength uintptr, newlength uintptr, flags int, newaddr uintptr) (xaddr uintptr, err error)
-var mapper = &mmapper{
+var mapper = &mremapMmapper{
-	active: make(map[*byte][]byte),
+	mmapper: mmapper{
-	mmap:   mmap,
+		active: make(map[*byte][]byte),
-	munmap: munmap,
+		mmap:   mmap,
 		munmap: munmap,
 	},
 	mremap: mremap,
 }
 func Mmap(fd int, offset int64, length int, prot int, flags int) (data []byte, err error) {
@ -2128,6 +2143,10 @@ func Munmap(b []byte) (err error) {
 	return mapper.Munmap(b)
 }
 func Mremap(oldData []byte, newLength int, flags int) (data []byte, err error) {
 	return mapper.Mremap(oldData, newLength, flags)
 }
 //sys	Madvise(b []byte, advice int) (err error)
 //sys	Mprotect(b []byte, prot int) (err error)
 //sys	Mlock(b []byte) (err error)
@ -2420,6 +2439,21 @@ func PthreadSigmask(how int, set, oldset *Sigset_t) error {
 	return rtSigprocmask(how, set, oldset, _C__NSIG/8)
 }
 //sysnb	getresuid(ruid *_C_int, euid *_C_int, suid *_C_int)
 //sysnb	getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int)
 func Getresuid() (ruid, euid, suid int) {
 	var r, e, s _C_int
 	getresuid(&r, &e, &s)
 	return int(r), int(e), int(s)
 }
 func Getresgid() (rgid, egid, sgid int) {
 	var r, e, s _C_int
 	getresgid(&r, &e, &s)
 	return int(r), int(e), int(s)
 }
 /*
 * Unimplemented
 */
@ -2461,7 +2495,6 @@ func PthreadSigmask(how int, set, oldset *Sigset_t) error {
 // MqTimedreceive
 // MqTimedsend
 // MqUnlink
 // Mremap
 // Msgctl
 // Msgget
 // Msgrcv
--- a/vendor/golang.org/x/sys/unix/syscall_openbsd.go
+++ b/vendor/golang.org/x/sys/unix/syscall_openbsd.go
@ -151,6 +151,21 @@ func Getfsstat(buf []Statfs_t, flags int) (n int, err error) {
 	return
 }
 //sysnb	getresuid(ruid *_C_int, euid *_C_int, suid *_C_int)
 //sysnb	getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int)
 func Getresuid() (ruid, euid, suid int) {
 	var r, e, s _C_int
 	getresuid(&r, &e, &s)
 	return int(r), int(e), int(s)
 }
 func Getresgid() (rgid, egid, sgid int) {
 	var r, e, s _C_int
 	getresgid(&r, &e, &s)
 	return int(r), int(e), int(s)
 }
 //sys	ioctl(fd int, req uint, arg uintptr) (err error)
 //sys	ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) = SYS_IOCTL
@ -338,8 +353,6 @@ func Uname(uname *Utsname) error {
 // getgid
 // getitimer
 // getlogin
 // getresgid
 // getresuid
 // getthrid
 // ktrace
 // lfs_bmapv
--- a/vendor/golang.org/x/sys/unix/zerrors_linux.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux.go
@ -493,6 +493,7 @@ const (
 	BPF_F_TEST_RUN_ON_CPU                       = 0x1
 	BPF_F_TEST_STATE_FREQ                       = 0x8
 	BPF_F_TEST_XDP_LIVE_FRAMES                  = 0x2
 	BPF_F_XDP_DEV_BOUND_ONLY                    = 0x40
 	BPF_F_XDP_HAS_FRAGS                         = 0x20
 	BPF_H                                       = 0x8
 	BPF_IMM                                     = 0x0
@ -826,9 +827,9 @@ const (
 	DM_UUID_FLAG                                = 0x4000
 	DM_UUID_LEN                                 = 0x81
 	DM_VERSION                                  = 0xc138fd00
-	DM_VERSION_EXTRA                            = "-ioctl (2022-07-28)"
+	DM_VERSION_EXTRA                            = "-ioctl (2023-03-01)"
 	DM_VERSION_MAJOR                            = 0x4
-	DM_VERSION_MINOR                            = 0x2f
+	DM_VERSION_MINOR                            = 0x30
 	DM_VERSION_PATCHLEVEL                       = 0x0
 	DT_BLK                                      = 0x6
 	DT_CHR                                      = 0x2
@ -1197,6 +1198,7 @@ const (
 	FAN_EVENT_METADATA_LEN                      = 0x18
 	FAN_EVENT_ON_CHILD                          = 0x8000000
 	FAN_FS_ERROR                                = 0x8000
 	FAN_INFO                                    = 0x20
 	FAN_MARK_ADD                                = 0x1
 	FAN_MARK_DONT_FOLLOW                        = 0x4
 	FAN_MARK_EVICTABLE                          = 0x200
@ -1233,6 +1235,8 @@ const (
 	FAN_REPORT_PIDFD                            = 0x80
 	FAN_REPORT_TARGET_FID                       = 0x1000
 	FAN_REPORT_TID                              = 0x100
 	FAN_RESPONSE_INFO_AUDIT_RULE                = 0x1
 	FAN_RESPONSE_INFO_NONE                      = 0x0
 	FAN_UNLIMITED_MARKS                         = 0x20
 	FAN_UNLIMITED_QUEUE                         = 0x10
 	FD_CLOEXEC                                  = 0x1
@ -1860,6 +1864,7 @@ const (
 	MEMWRITEOOB64                               = 0xc0184d15
 	MFD_ALLOW_SEALING                           = 0x2
 	MFD_CLOEXEC                                 = 0x1
 	MFD_EXEC                                    = 0x10
 	MFD_HUGETLB                                 = 0x4
 	MFD_HUGE_16GB                               = 0x88000000
 	MFD_HUGE_16MB                               = 0x60000000
@ -1875,6 +1880,7 @@ const (
 	MFD_HUGE_8MB                                = 0x5c000000
 	MFD_HUGE_MASK                               = 0x3f
 	MFD_HUGE_SHIFT                              = 0x1a
 	MFD_NOEXEC_SEAL                             = 0x8
 	MINIX2_SUPER_MAGIC                          = 0x2468
 	MINIX2_SUPER_MAGIC2                         = 0x2478
 	MINIX3_SUPER_MAGIC                          = 0x4d5a
@ -1898,6 +1904,9 @@ const (
 	MOUNT_ATTR_SIZE_VER0                        = 0x20
 	MOUNT_ATTR_STRICTATIME                      = 0x20
 	MOUNT_ATTR__ATIME                           = 0x70
 	MREMAP_DONTUNMAP                            = 0x4
 	MREMAP_FIXED                                = 0x2
 	MREMAP_MAYMOVE                              = 0x1
 	MSDOS_SUPER_MAGIC                           = 0x4d44
 	MSG_BATCH                                   = 0x40000
 	MSG_CMSG_CLOEXEC                            = 0x40000000
@ -2204,6 +2213,7 @@ const (
 	PACKET_USER                                 = 0x6
 	PACKET_VERSION                              = 0xa
 	PACKET_VNET_HDR                             = 0xf
 	PACKET_VNET_HDR_SZ                          = 0x18
 	PARITY_CRC16_PR0                            = 0x2
 	PARITY_CRC16_PR0_CCITT                      = 0x4
 	PARITY_CRC16_PR1                            = 0x3
@ -2221,6 +2231,7 @@ const (
 	PERF_ATTR_SIZE_VER5                         = 0x70
 	PERF_ATTR_SIZE_VER6                         = 0x78
 	PERF_ATTR_SIZE_VER7                         = 0x80
 	PERF_ATTR_SIZE_VER8                         = 0x88
 	PERF_AUX_FLAG_COLLISION                     = 0x8
 	PERF_AUX_FLAG_CORESIGHT_FORMAT_CORESIGHT    = 0x0
 	PERF_AUX_FLAG_CORESIGHT_FORMAT_RAW          = 0x100
@ -2361,6 +2372,7 @@ const (
 	PR_FP_EXC_UND                               = 0x40000
 	PR_FP_MODE_FR                               = 0x1
 	PR_FP_MODE_FRE                              = 0x2
 	PR_GET_AUXV                                 = 0x41555856
 	PR_GET_CHILD_SUBREAPER                      = 0x25
 	PR_GET_DUMPABLE                             = 0x3
 	PR_GET_ENDIAN                               = 0x13
@ -2369,6 +2381,8 @@ const (
 	PR_GET_FP_MODE                              = 0x2e
 	PR_GET_IO_FLUSHER                           = 0x3a
 	PR_GET_KEEPCAPS                             = 0x7
 	PR_GET_MDWE                                 = 0x42
 	PR_GET_MEMORY_MERGE                         = 0x44
 	PR_GET_NAME                                 = 0x10
 	PR_GET_NO_NEW_PRIVS                         = 0x27
 	PR_GET_PDEATHSIG                            = 0x2
@ -2389,6 +2403,7 @@ const (
 	PR_MCE_KILL_GET                             = 0x22
 	PR_MCE_KILL_LATE                            = 0x0
 	PR_MCE_KILL_SET                             = 0x1
 	PR_MDWE_REFUSE_EXEC_GAIN                    = 0x1
 	PR_MPX_DISABLE_MANAGEMENT                   = 0x2c
 	PR_MPX_ENABLE_MANAGEMENT                    = 0x2b
 	PR_MTE_TAG_MASK                             = 0x7fff8
@ -2423,6 +2438,8 @@ const (
 	PR_SET_FP_MODE                              = 0x2d
 	PR_SET_IO_FLUSHER                           = 0x39
 	PR_SET_KEEPCAPS                             = 0x8
 	PR_SET_MDWE                                 = 0x41
 	PR_SET_MEMORY_MERGE                         = 0x43
 	PR_SET_MM                                   = 0x23
 	PR_SET_MM_ARG_END                           = 0x9
 	PR_SET_MM_ARG_START                         = 0x8
@ -2506,6 +2523,7 @@ const (
 	PTRACE_GETSIGMASK                           = 0x420a
 	PTRACE_GET_RSEQ_CONFIGURATION               = 0x420f
 	PTRACE_GET_SYSCALL_INFO                     = 0x420e
 	PTRACE_GET_SYSCALL_USER_DISPATCH_CONFIG     = 0x4211
 	PTRACE_INTERRUPT                            = 0x4207
 	PTRACE_KILL                                 = 0x8
 	PTRACE_LISTEN                               = 0x4208
@ -2536,6 +2554,7 @@ const (
 	PTRACE_SETREGSET                            = 0x4205
 	PTRACE_SETSIGINFO                           = 0x4203
 	PTRACE_SETSIGMASK                           = 0x420b
 	PTRACE_SET_SYSCALL_USER_DISPATCH_CONFIG     = 0x4210
 	PTRACE_SINGLESTEP                           = 0x9
 	PTRACE_SYSCALL                              = 0x18
 	PTRACE_SYSCALL_INFO_ENTRY                   = 0x1
@ -3072,7 +3091,7 @@ const (
 	TASKSTATS_GENL_NAME                         = "TASKSTATS"
 	TASKSTATS_GENL_VERSION                      = 0x1
 	TASKSTATS_TYPE_MAX                          = 0x6
-	TASKSTATS_VERSION                           = 0xd
+	TASKSTATS_VERSION                           = 0xe
 	TCIFLUSH                                    = 0x0
 	TCIOFF                                      = 0x2
 	TCIOFLUSH                                   = 0x2
@ -3238,6 +3257,7 @@ const (
 	TP_STATUS_COPY                              = 0x2
 	TP_STATUS_CSUMNOTREADY                      = 0x8
 	TP_STATUS_CSUM_VALID                        = 0x80
 	TP_STATUS_GSO_TCP                           = 0x100
 	TP_STATUS_KERNEL                            = 0x0
 	TP_STATUS_LOSING                            = 0x4
 	TP_STATUS_SENDING                           = 0x2
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_arm64.go
@ -443,6 +443,7 @@ const (
 	TIOCSWINSZ                       = 0x5414
 	TIOCVHANGUP                      = 0x5437
 	TOSTOP                           = 0x100
 	TPIDR2_MAGIC                     = 0x54504902
 	TUNATTACHFILTER                  = 0x401054d5
 	TUNDETACHFILTER                  = 0x401054d6
 	TUNGETDEVNETNS                   = 0x54e3
@ -515,6 +516,7 @@ const (
 	XCASE                            = 0x4
 	XTABS                            = 0x1800
 	ZA_MAGIC                         = 0x54366345
 	ZT_MAGIC                         = 0x5a544e01
 	_HIDIOCGRAWNAME                  = 0x80804804
 	_HIDIOCGRAWPHYS                  = 0x80404805
 	_HIDIOCGRAWUNIQ                  = 0x80404808
--- a/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/zerrors_linux_sparc64.go
@ -329,6 +329,54 @@ const (
 	SCM_WIFI_STATUS                  = 0x25
 	SFD_CLOEXEC                      = 0x400000
 	SFD_NONBLOCK                     = 0x4000
 	SF_FP                            = 0x38
 	SF_I0                            = 0x20
 	SF_I1                            = 0x24
 	SF_I2                            = 0x28
 	SF_I3                            = 0x2c
 	SF_I4                            = 0x30
 	SF_I5                            = 0x34
 	SF_L0                            = 0x0
 	SF_L1                            = 0x4
 	SF_L2                            = 0x8
 	SF_L3                            = 0xc
 	SF_L4                            = 0x10
 	SF_L5                            = 0x14
 	SF_L6                            = 0x18
 	SF_L7                            = 0x1c
 	SF_PC                            = 0x3c
 	SF_RETP                          = 0x40
 	SF_V9_FP                         = 0x70
 	SF_V9_I0                         = 0x40
 	SF_V9_I1                         = 0x48
 	SF_V9_I2                         = 0x50
 	SF_V9_I3                         = 0x58
 	SF_V9_I4                         = 0x60
 	SF_V9_I5                         = 0x68
 	SF_V9_L0                         = 0x0
 	SF_V9_L1                         = 0x8
 	SF_V9_L2                         = 0x10
 	SF_V9_L3                         = 0x18
 	SF_V9_L4                         = 0x20
 	SF_V9_L5                         = 0x28
 	SF_V9_L6                         = 0x30
 	SF_V9_L7                         = 0x38
 	SF_V9_PC                         = 0x78
 	SF_V9_RETP                       = 0x80
 	SF_V9_XARG0                      = 0x88
 	SF_V9_XARG1                      = 0x90
 	SF_V9_XARG2                      = 0x98
 	SF_V9_XARG3                      = 0xa0
 	SF_V9_XARG4                      = 0xa8
 	SF_V9_XARG5                      = 0xb0
 	SF_V9_XXARG                      = 0xb8
 	SF_XARG0                         = 0x44
 	SF_XARG1                         = 0x48
 	SF_XARG2                         = 0x4c
 	SF_XARG3                         = 0x50
 	SF_XARG4                         = 0x54
 	SF_XARG5                         = 0x58
 	SF_XXARG                         = 0x5c
 	SIOCATMARK                       = 0x8905
 	SIOCGPGRP                        = 0x8904
 	SIOCGSTAMPNS_NEW                 = 0x40108907
--- a/vendor/golang.org/x/sys/unix/zsyscall_linux.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_linux.go
@ -1868,6 +1868,17 @@ func munmap(addr uintptr, length uintptr) (err error) {
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func mremap(oldaddr uintptr, oldlength uintptr, newlength uintptr, flags int, newaddr uintptr) (xaddr uintptr, err error) {
 	r0, _, e1 := Syscall6(SYS_MREMAP, uintptr(oldaddr), uintptr(oldlength), uintptr(newlength), uintptr(flags), uintptr(newaddr), 0)
 	xaddr = uintptr(r0)
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func Madvise(b []byte, advice int) (err error) {
 	var _p0 unsafe.Pointer
 	if len(b) > 0 {
@ -2172,3 +2183,17 @@ func rtSigprocmask(how int, set *Sigset_t, oldset *Sigset_t, sigsetsize uintptr)
 	}
 	return
 }
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresuid(ruid *_C_int, euid *_C_int, suid *_C_int) {
 	RawSyscallNoError(SYS_GETRESUID, uintptr(unsafe.Pointer(ruid)), uintptr(unsafe.Pointer(euid)), uintptr(unsafe.Pointer(suid)))
 	return
 }
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int) {
 	RawSyscallNoError(SYS_GETRESGID, uintptr(unsafe.Pointer(rgid)), uintptr(unsafe.Pointer(egid)), uintptr(unsafe.Pointer(sgid)))
 	return
 }
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.go
@ -519,6 +519,28 @@ var libc_getcwd_trampoline_addr uintptr
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresuid(ruid *_C_int, euid *_C_int, suid *_C_int) {
 	syscall_rawSyscall(libc_getresuid_trampoline_addr, uintptr(unsafe.Pointer(ruid)), uintptr(unsafe.Pointer(euid)), uintptr(unsafe.Pointer(suid)))
 	return
 }
 var libc_getresuid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresuid getresuid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int) {
 	syscall_rawSyscall(libc_getresgid_trampoline_addr, uintptr(unsafe.Pointer(rgid)), uintptr(unsafe.Pointer(egid)), uintptr(unsafe.Pointer(sgid)))
 	return
 }
 var libc_getresgid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresgid getresgid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func ioctl(fd int, req uint, arg uintptr) (err error) {
 	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
 	if e1 != 0 {
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_386.s
@ -158,6 +158,16 @@ TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getcwd_trampoline_addr(SB)/4, $libc_getcwd_trampoline<>(SB)
 TEXT libc_getresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresuid(SB)
 GLOBL	·libc_getresuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getresuid_trampoline_addr(SB)/4, $libc_getresuid_trampoline<>(SB)
 TEXT libc_getresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresgid(SB)
 GLOBL	·libc_getresgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getresgid_trampoline_addr(SB)/4, $libc_getresgid_trampoline<>(SB)
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $4
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.go
@ -519,15 +519,29 @@ var libc_getcwd_trampoline_addr uintptr
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
-func ioctl(fd int, req uint, arg uintptr) (err error) {
+func getresuid(ruid *_C_int, euid *_C_int, suid *_C_int) {
-	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
+	syscall_rawSyscall(libc_getresuid_trampoline_addr, uintptr(unsafe.Pointer(ruid)), uintptr(unsafe.Pointer(euid)), uintptr(unsafe.Pointer(suid)))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
-func ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) {
+var libc_getresuid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresuid getresuid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int) {
 	syscall_rawSyscall(libc_getresgid_trampoline_addr, uintptr(unsafe.Pointer(rgid)), uintptr(unsafe.Pointer(egid)), uintptr(unsafe.Pointer(sgid)))
 	return
 }
 var libc_getresgid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresgid getresgid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func ioctl(fd int, req uint, arg uintptr) (err error) {
 	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
 	if e1 != 0 {
 		err = errnoErr(e1)
@ -541,6 +555,16 @@ var libc_ioctl_trampoline_addr uintptr
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func ioctlPtr(fd int, req uint, arg unsafe.Pointer) (err error) {
 	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
 	if e1 != 0 {
 		err = errnoErr(e1)
 	}
 	return
 }
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func sysctl(mib []_C_int, old *byte, oldlen *uintptr, new *byte, newlen uintptr) (err error) {
 	var _p0 unsafe.Pointer
 	if len(mib) > 0 {
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_amd64.s
@ -158,6 +158,16 @@ TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getcwd_trampoline_addr(SB)/8, $libc_getcwd_trampoline<>(SB)
 TEXT libc_getresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresuid(SB)
 GLOBL	·libc_getresuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresuid_trampoline_addr(SB)/8, $libc_getresuid_trampoline<>(SB)
 TEXT libc_getresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresgid(SB)
 GLOBL	·libc_getresgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresgid_trampoline_addr(SB)/8, $libc_getresgid_trampoline<>(SB)
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.go
@ -519,6 +519,28 @@ var libc_getcwd_trampoline_addr uintptr
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresuid(ruid *_C_int, euid *_C_int, suid *_C_int) {
 	syscall_rawSyscall(libc_getresuid_trampoline_addr, uintptr(unsafe.Pointer(ruid)), uintptr(unsafe.Pointer(euid)), uintptr(unsafe.Pointer(suid)))
 	return
 }
 var libc_getresuid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresuid getresuid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int) {
 	syscall_rawSyscall(libc_getresgid_trampoline_addr, uintptr(unsafe.Pointer(rgid)), uintptr(unsafe.Pointer(egid)), uintptr(unsafe.Pointer(sgid)))
 	return
 }
 var libc_getresgid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresgid getresgid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func ioctl(fd int, req uint, arg uintptr) (err error) {
 	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
 	if e1 != 0 {
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm.s
@ -158,6 +158,16 @@ TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getcwd_trampoline_addr(SB)/4, $libc_getcwd_trampoline<>(SB)
 TEXT libc_getresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresuid(SB)
 GLOBL	·libc_getresuid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getresuid_trampoline_addr(SB)/4, $libc_getresuid_trampoline<>(SB)
 TEXT libc_getresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresgid(SB)
 GLOBL	·libc_getresgid_trampoline_addr(SB), RODATA, $4
 DATA	·libc_getresgid_trampoline_addr(SB)/4, $libc_getresgid_trampoline<>(SB)
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $4
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.go
@ -519,6 +519,28 @@ var libc_getcwd_trampoline_addr uintptr
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresuid(ruid *_C_int, euid *_C_int, suid *_C_int) {
 	syscall_rawSyscall(libc_getresuid_trampoline_addr, uintptr(unsafe.Pointer(ruid)), uintptr(unsafe.Pointer(euid)), uintptr(unsafe.Pointer(suid)))
 	return
 }
 var libc_getresuid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresuid getresuid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int) {
 	syscall_rawSyscall(libc_getresgid_trampoline_addr, uintptr(unsafe.Pointer(rgid)), uintptr(unsafe.Pointer(egid)), uintptr(unsafe.Pointer(sgid)))
 	return
 }
 var libc_getresgid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresgid getresgid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func ioctl(fd int, req uint, arg uintptr) (err error) {
 	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
 	if e1 != 0 {
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_arm64.s
@ -158,6 +158,16 @@ TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getcwd_trampoline_addr(SB)/8, $libc_getcwd_trampoline<>(SB)
 TEXT libc_getresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresuid(SB)
 GLOBL	·libc_getresuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresuid_trampoline_addr(SB)/8, $libc_getresuid_trampoline<>(SB)
 TEXT libc_getresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresgid(SB)
 GLOBL	·libc_getresgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresgid_trampoline_addr(SB)/8, $libc_getresgid_trampoline<>(SB)
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.go
@ -519,6 +519,28 @@ var libc_getcwd_trampoline_addr uintptr
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresuid(ruid *_C_int, euid *_C_int, suid *_C_int) {
 	syscall_rawSyscall(libc_getresuid_trampoline_addr, uintptr(unsafe.Pointer(ruid)), uintptr(unsafe.Pointer(euid)), uintptr(unsafe.Pointer(suid)))
 	return
 }
 var libc_getresuid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresuid getresuid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int) {
 	syscall_rawSyscall(libc_getresgid_trampoline_addr, uintptr(unsafe.Pointer(rgid)), uintptr(unsafe.Pointer(egid)), uintptr(unsafe.Pointer(sgid)))
 	return
 }
 var libc_getresgid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresgid getresgid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func ioctl(fd int, req uint, arg uintptr) (err error) {
 	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
 	if e1 != 0 {
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_mips64.s
@ -158,6 +158,16 @@ TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getcwd_trampoline_addr(SB)/8, $libc_getcwd_trampoline<>(SB)
 TEXT libc_getresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresuid(SB)
 GLOBL	·libc_getresuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresuid_trampoline_addr(SB)/8, $libc_getresuid_trampoline<>(SB)
 TEXT libc_getresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresgid(SB)
 GLOBL	·libc_getresgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresgid_trampoline_addr(SB)/8, $libc_getresgid_trampoline<>(SB)
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.go
@ -519,6 +519,28 @@ var libc_getcwd_trampoline_addr uintptr
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresuid(ruid *_C_int, euid *_C_int, suid *_C_int) {
 	syscall_rawSyscall(libc_getresuid_trampoline_addr, uintptr(unsafe.Pointer(ruid)), uintptr(unsafe.Pointer(euid)), uintptr(unsafe.Pointer(suid)))
 	return
 }
 var libc_getresuid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresuid getresuid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int) {
 	syscall_rawSyscall(libc_getresgid_trampoline_addr, uintptr(unsafe.Pointer(rgid)), uintptr(unsafe.Pointer(egid)), uintptr(unsafe.Pointer(sgid)))
 	return
 }
 var libc_getresgid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresgid getresgid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func ioctl(fd int, req uint, arg uintptr) (err error) {
 	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
 	if e1 != 0 {
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_ppc64.s
@ -189,6 +189,18 @@ TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getcwd_trampoline_addr(SB)/8, $libc_getcwd_trampoline<>(SB)
 TEXT libc_getresuid_trampoline<>(SB),NOSPLIT,$0-0
 	CALL	libc_getresuid(SB)
 	RET
 GLOBL	·libc_getresuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresuid_trampoline_addr(SB)/8, $libc_getresuid_trampoline<>(SB)
 TEXT libc_getresgid_trampoline<>(SB),NOSPLIT,$0-0
 	CALL	libc_getresgid(SB)
 	RET
 GLOBL	·libc_getresgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresgid_trampoline_addr(SB)/8, $libc_getresgid_trampoline<>(SB)
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	CALL	libc_ioctl(SB)
 	RET
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.go
@ -519,6 +519,28 @@ var libc_getcwd_trampoline_addr uintptr
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresuid(ruid *_C_int, euid *_C_int, suid *_C_int) {
 	syscall_rawSyscall(libc_getresuid_trampoline_addr, uintptr(unsafe.Pointer(ruid)), uintptr(unsafe.Pointer(euid)), uintptr(unsafe.Pointer(suid)))
 	return
 }
 var libc_getresuid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresuid getresuid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func getresgid(rgid *_C_int, egid *_C_int, sgid *_C_int) {
 	syscall_rawSyscall(libc_getresgid_trampoline_addr, uintptr(unsafe.Pointer(rgid)), uintptr(unsafe.Pointer(egid)), uintptr(unsafe.Pointer(sgid)))
 	return
 }
 var libc_getresgid_trampoline_addr uintptr
 //go:cgo_import_dynamic libc_getresgid getresgid "libc.so"
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 func ioctl(fd int, req uint, arg uintptr) (err error) {
 	_, _, e1 := syscall_syscall(libc_ioctl_trampoline_addr, uintptr(fd), uintptr(req), uintptr(arg))
 	if e1 != 0 {
--- a/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s
+++ b/vendor/golang.org/x/sys/unix/zsyscall_openbsd_riscv64.s
@ -158,6 +158,16 @@ TEXT libc_getcwd_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_getcwd_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getcwd_trampoline_addr(SB)/8, $libc_getcwd_trampoline<>(SB)
 TEXT libc_getresuid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresuid(SB)
 GLOBL	·libc_getresuid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresuid_trampoline_addr(SB)/8, $libc_getresuid_trampoline<>(SB)
 TEXT libc_getresgid_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_getresgid(SB)
 GLOBL	·libc_getresgid_trampoline_addr(SB), RODATA, $8
 DATA	·libc_getresgid_trampoline_addr(SB)/8, $libc_getresgid_trampoline<>(SB)
 TEXT libc_ioctl_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_ioctl(SB)
 GLOBL	·libc_ioctl_trampoline_addr(SB), RODATA, $8
--- a/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/zsysnum_linux_s390x.go
@ -372,6 +372,7 @@ const (
 	SYS_LANDLOCK_CREATE_RULESET = 444
 	SYS_LANDLOCK_ADD_RULE       = 445
 	SYS_LANDLOCK_RESTRICT_SELF  = 446
 	SYS_MEMFD_SECRET            = 447
 	SYS_PROCESS_MRELEASE        = 448
 	SYS_FUTEX_WAITV             = 449
 	SYS_SET_MEMPOLICY_HOME_NODE = 450
--- a/vendor/golang.org/x/sys/unix/ztypes_linux.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux.go
@ -1538,6 +1538,10 @@ const (
 	IFLA_GRO_MAX_SIZE                          = 0x3a
 	IFLA_TSO_MAX_SIZE                          = 0x3b
 	IFLA_TSO_MAX_SEGS                          = 0x3c
 	IFLA_ALLMULTI                              = 0x3d
 	IFLA_DEVLINK_PORT                          = 0x3e
 	IFLA_GSO_IPV4_MAX_SIZE                     = 0x3f
 	IFLA_GRO_IPV4_MAX_SIZE                     = 0x40
 	IFLA_PROTO_DOWN_REASON_UNSPEC              = 0x0
 	IFLA_PROTO_DOWN_REASON_MASK                = 0x1
 	IFLA_PROTO_DOWN_REASON_VALUE               = 0x2
@ -1968,7 +1972,7 @@ const (
 	NFT_MSG_GETFLOWTABLE              = 0x17
 	NFT_MSG_DELFLOWTABLE              = 0x18
 	NFT_MSG_GETRULE_RESET             = 0x19
-	NFT_MSG_MAX                       = 0x1a
+	NFT_MSG_MAX                       = 0x21
 	NFTA_LIST_UNSPEC                  = 0x0
 	NFTA_LIST_ELEM                    = 0x1
 	NFTA_HOOK_UNSPEC                  = 0x0
@ -2555,6 +2559,11 @@ const (
 	BPF_REG_8                                  = 0x8
 	BPF_REG_9                                  = 0x9
 	BPF_REG_10                                 = 0xa
 	BPF_CGROUP_ITER_ORDER_UNSPEC               = 0x0
 	BPF_CGROUP_ITER_SELF_ONLY                  = 0x1
 	BPF_CGROUP_ITER_DESCENDANTS_PRE            = 0x2
 	BPF_CGROUP_ITER_DESCENDANTS_POST           = 0x3
 	BPF_CGROUP_ITER_ANCESTORS_UP               = 0x4
 	BPF_MAP_CREATE                             = 0x0
 	BPF_MAP_LOOKUP_ELEM                        = 0x1
 	BPF_MAP_UPDATE_ELEM                        = 0x2
@ -2566,6 +2575,7 @@ const (
 	BPF_PROG_ATTACH                            = 0x8
 	BPF_PROG_DETACH                            = 0x9
 	BPF_PROG_TEST_RUN                          = 0xa
 	BPF_PROG_RUN                               = 0xa
 	BPF_PROG_GET_NEXT_ID                       = 0xb
 	BPF_MAP_GET_NEXT_ID                        = 0xc
 	BPF_PROG_GET_FD_BY_ID                      = 0xd
@ -2610,6 +2620,7 @@ const (
 	BPF_MAP_TYPE_CPUMAP                        = 0x10
 	BPF_MAP_TYPE_XSKMAP                        = 0x11
 	BPF_MAP_TYPE_SOCKHASH                      = 0x12
 	BPF_MAP_TYPE_CGROUP_STORAGE_DEPRECATED     = 0x13
 	BPF_MAP_TYPE_CGROUP_STORAGE                = 0x13
 	BPF_MAP_TYPE_REUSEPORT_SOCKARRAY           = 0x14
 	BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE         = 0x15
@ -2620,6 +2631,10 @@ const (
 	BPF_MAP_TYPE_STRUCT_OPS                    = 0x1a
 	BPF_MAP_TYPE_RINGBUF                       = 0x1b
 	BPF_MAP_TYPE_INODE_STORAGE                 = 0x1c
 	BPF_MAP_TYPE_TASK_STORAGE                  = 0x1d
 	BPF_MAP_TYPE_BLOOM_FILTER                  = 0x1e
 	BPF_MAP_TYPE_USER_RINGBUF                  = 0x1f
 	BPF_MAP_TYPE_CGRP_STORAGE                  = 0x20
 	BPF_PROG_TYPE_UNSPEC                       = 0x0
 	BPF_PROG_TYPE_SOCKET_FILTER                = 0x1
 	BPF_PROG_TYPE_KPROBE                       = 0x2
@ -2651,6 +2666,7 @@ const (
 	BPF_PROG_TYPE_EXT                          = 0x1c
 	BPF_PROG_TYPE_LSM                          = 0x1d
 	BPF_PROG_TYPE_SK_LOOKUP                    = 0x1e
 	BPF_PROG_TYPE_SYSCALL                      = 0x1f
 	BPF_CGROUP_INET_INGRESS                    = 0x0
 	BPF_CGROUP_INET_EGRESS                     = 0x1
 	BPF_CGROUP_INET_SOCK_CREATE                = 0x2
@ -2689,6 +2705,12 @@ const (
 	BPF_XDP_CPUMAP                             = 0x23
 	BPF_SK_LOOKUP                              = 0x24
 	BPF_XDP                                    = 0x25
 	BPF_SK_SKB_VERDICT                         = 0x26
 	BPF_SK_REUSEPORT_SELECT                    = 0x27
 	BPF_SK_REUSEPORT_SELECT_OR_MIGRATE         = 0x28
 	BPF_PERF_EVENT                             = 0x29
 	BPF_TRACE_KPROBE_MULTI                     = 0x2a
 	BPF_LSM_CGROUP                             = 0x2b
 	BPF_LINK_TYPE_UNSPEC                       = 0x0
 	BPF_LINK_TYPE_RAW_TRACEPOINT               = 0x1
 	BPF_LINK_TYPE_TRACING                      = 0x2
@ -2696,6 +2718,9 @@ const (
 	BPF_LINK_TYPE_ITER                         = 0x4
 	BPF_LINK_TYPE_NETNS                        = 0x5
 	BPF_LINK_TYPE_XDP                          = 0x6
 	BPF_LINK_TYPE_PERF_EVENT                   = 0x7
 	BPF_LINK_TYPE_KPROBE_MULTI                 = 0x8
 	BPF_LINK_TYPE_STRUCT_OPS                   = 0x9
 	BPF_ANY                                    = 0x0
 	BPF_NOEXIST                                = 0x1
 	BPF_EXIST                                  = 0x2
@ -2733,6 +2758,7 @@ const (
 	BPF_F_ZERO_CSUM_TX                         = 0x2
 	BPF_F_DONT_FRAGMENT                        = 0x4
 	BPF_F_SEQ_NUMBER                           = 0x8
 	BPF_F_TUNINFO_FLAGS                        = 0x10
 	BPF_F_INDEX_MASK                           = 0xffffffff
 	BPF_F_CURRENT_CPU                          = 0xffffffff
 	BPF_F_CTXLEN_MASK                          = 0xfffff00000000
@ -2747,6 +2773,7 @@ const (
 	BPF_F_ADJ_ROOM_ENCAP_L4_GRE                = 0x8
 	BPF_F_ADJ_ROOM_ENCAP_L4_UDP                = 0x10
 	BPF_F_ADJ_ROOM_NO_CSUM_RESET               = 0x20
 	BPF_F_ADJ_ROOM_ENCAP_L2_ETH                = 0x40
 	BPF_ADJ_ROOM_ENCAP_L2_MASK                 = 0xff
 	BPF_ADJ_ROOM_ENCAP_L2_SHIFT                = 0x38
 	BPF_F_SYSCTL_BASE_NAME                     = 0x1
@ -2771,10 +2798,16 @@ const (
 	BPF_LWT_ENCAP_SEG6                         = 0x0
 	BPF_LWT_ENCAP_SEG6_INLINE                  = 0x1
 	BPF_LWT_ENCAP_IP                           = 0x2
 	BPF_F_BPRM_SECUREEXEC                      = 0x1
 	BPF_F_BROADCAST                            = 0x8
 	BPF_F_EXCLUDE_INGRESS                      = 0x10
 	BPF_SKB_TSTAMP_UNSPEC                      = 0x0
 	BPF_SKB_TSTAMP_DELIVERY_MONO               = 0x1
 	BPF_OK                                     = 0x0
 	BPF_DROP                                   = 0x2
 	BPF_REDIRECT                               = 0x7
 	BPF_LWT_REROUTE                            = 0x80
 	BPF_FLOW_DISSECTOR_CONTINUE                = 0x81
 	BPF_SOCK_OPS_RTO_CB_FLAG                   = 0x1
 	BPF_SOCK_OPS_RETRANS_CB_FLAG               = 0x2
 	BPF_SOCK_OPS_STATE_CB_FLAG                 = 0x4
@ -2838,6 +2871,10 @@ const (
 	BPF_FIB_LKUP_RET_UNSUPP_LWT                = 0x6
 	BPF_FIB_LKUP_RET_NO_NEIGH                  = 0x7
 	BPF_FIB_LKUP_RET_FRAG_NEEDED               = 0x8
 	BPF_MTU_CHK_SEGS                           = 0x1
 	BPF_MTU_CHK_RET_SUCCESS                    = 0x0
 	BPF_MTU_CHK_RET_FRAG_NEEDED                = 0x1
 	BPF_MTU_CHK_RET_SEGS_TOOBIG                = 0x2
 	BPF_FD_TYPE_RAW_TRACEPOINT                 = 0x0
 	BPF_FD_TYPE_TRACEPOINT                     = 0x1
 	BPF_FD_TYPE_KPROBE                         = 0x2
@ -2847,6 +2884,19 @@ const (
 	BPF_FLOW_DISSECTOR_F_PARSE_1ST_FRAG        = 0x1
 	BPF_FLOW_DISSECTOR_F_STOP_AT_FLOW_LABEL    = 0x2
 	BPF_FLOW_DISSECTOR_F_STOP_AT_ENCAP         = 0x4
 	BPF_CORE_FIELD_BYTE_OFFSET                 = 0x0
 	BPF_CORE_FIELD_BYTE_SIZE                   = 0x1
 	BPF_CORE_FIELD_EXISTS                      = 0x2
 	BPF_CORE_FIELD_SIGNED                      = 0x3
 	BPF_CORE_FIELD_LSHIFT_U64                  = 0x4
 	BPF_CORE_FIELD_RSHIFT_U64                  = 0x5
 	BPF_CORE_TYPE_ID_LOCAL                     = 0x6
 	BPF_CORE_TYPE_ID_TARGET                    = 0x7
 	BPF_CORE_TYPE_EXISTS                       = 0x8
 	BPF_CORE_TYPE_SIZE                         = 0x9
 	BPF_CORE_ENUMVAL_EXISTS                    = 0xa
 	BPF_CORE_ENUMVAL_VALUE                     = 0xb
 	BPF_CORE_TYPE_MATCHES                      = 0xc
 )
 const (
@ -3605,7 +3655,7 @@ const (
 	ETHTOOL_MSG_PSE_GET                       = 0x24
 	ETHTOOL_MSG_PSE_SET                       = 0x25
 	ETHTOOL_MSG_RSS_GET                       = 0x26
-	ETHTOOL_MSG_USER_MAX                      = 0x26
+	ETHTOOL_MSG_USER_MAX                      = 0x2b
 	ETHTOOL_MSG_KERNEL_NONE                   = 0x0
 	ETHTOOL_MSG_STRSET_GET_REPLY              = 0x1
 	ETHTOOL_MSG_LINKINFO_GET_REPLY            = 0x2
@ -3645,7 +3695,7 @@ const (
 	ETHTOOL_MSG_MODULE_NTF                    = 0x24
 	ETHTOOL_MSG_PSE_GET_REPLY                 = 0x25
 	ETHTOOL_MSG_RSS_GET_REPLY                 = 0x26
-	ETHTOOL_MSG_KERNEL_MAX                    = 0x26
+	ETHTOOL_MSG_KERNEL_MAX                    = 0x2b
 	ETHTOOL_A_HEADER_UNSPEC                   = 0x0
 	ETHTOOL_A_HEADER_DEV_INDEX                = 0x1
 	ETHTOOL_A_HEADER_DEV_NAME                 = 0x2
@ -3749,7 +3799,7 @@ const (
 	ETHTOOL_A_RINGS_TCP_DATA_SPLIT            = 0xb
 	ETHTOOL_A_RINGS_CQE_SIZE                  = 0xc
 	ETHTOOL_A_RINGS_TX_PUSH                   = 0xd
-	ETHTOOL_A_RINGS_MAX                       = 0xd
+	ETHTOOL_A_RINGS_MAX                       = 0x10
 	ETHTOOL_A_CHANNELS_UNSPEC                 = 0x0
 	ETHTOOL_A_CHANNELS_HEADER                 = 0x1
 	ETHTOOL_A_CHANNELS_RX_MAX                 = 0x2
@ -3787,14 +3837,14 @@ const (
 	ETHTOOL_A_COALESCE_RATE_SAMPLE_INTERVAL   = 0x17
 	ETHTOOL_A_COALESCE_USE_CQE_MODE_TX        = 0x18
 	ETHTOOL_A_COALESCE_USE_CQE_MODE_RX        = 0x19
-	ETHTOOL_A_COALESCE_MAX                    = 0x19
+	ETHTOOL_A_COALESCE_MAX                    = 0x1c
 	ETHTOOL_A_PAUSE_UNSPEC                    = 0x0
 	ETHTOOL_A_PAUSE_HEADER                    = 0x1
 	ETHTOOL_A_PAUSE_AUTONEG                   = 0x2
 	ETHTOOL_A_PAUSE_RX                        = 0x3
 	ETHTOOL_A_PAUSE_TX                        = 0x4
 	ETHTOOL_A_PAUSE_STATS                     = 0x5
-	ETHTOOL_A_PAUSE_MAX                       = 0x5
+	ETHTOOL_A_PAUSE_MAX                       = 0x6
 	ETHTOOL_A_PAUSE_STAT_UNSPEC               = 0x0
 	ETHTOOL_A_PAUSE_STAT_PAD                  = 0x1
 	ETHTOOL_A_PAUSE_STAT_TX_FRAMES            = 0x2
@ -4444,7 +4494,7 @@ const (
 	NL80211_ATTR_MAC_HINT                                   = 0xc8
 	NL80211_ATTR_MAC_MASK                                   = 0xd7
 	NL80211_ATTR_MAX_AP_ASSOC_STA                           = 0xca
-	NL80211_ATTR_MAX                                        = 0x141
+	NL80211_ATTR_MAX                                        = 0x145
 	NL80211_ATTR_MAX_CRIT_PROT_DURATION                     = 0xb4
 	NL80211_ATTR_MAX_CSA_COUNTERS                           = 0xce
 	NL80211_ATTR_MAX_MATCH_SETS                             = 0x85
@ -4673,7 +4723,7 @@ const (
 	NL80211_BAND_ATTR_HT_CAPA                               = 0x4
 	NL80211_BAND_ATTR_HT_MCS_SET                            = 0x3
 	NL80211_BAND_ATTR_IFTYPE_DATA                           = 0x9
-	NL80211_BAND_ATTR_MAX                                   = 0xb
+	NL80211_BAND_ATTR_MAX                                   = 0xd
 	NL80211_BAND_ATTR_RATES                                 = 0x2
 	NL80211_BAND_ATTR_VHT_CAPA                              = 0x8
 	NL80211_BAND_ATTR_VHT_MCS_SET                           = 0x7
@ -4814,7 +4864,7 @@ const (
 	NL80211_CMD_LEAVE_IBSS                                  = 0x2c
 	NL80211_CMD_LEAVE_MESH                                  = 0x45
 	NL80211_CMD_LEAVE_OCB                                   = 0x6d
-	NL80211_CMD_MAX                                         = 0x98
+	NL80211_CMD_MAX                                         = 0x99
 	NL80211_CMD_MICHAEL_MIC_FAILURE                         = 0x29
 	NL80211_CMD_MODIFY_LINK_STA                             = 0x97
 	NL80211_CMD_NAN_MATCH                                   = 0x78
@ -5795,6 +5845,8 @@ const (
 	TUN_F_TSO6    = 0x4
 	TUN_F_TSO_ECN = 0x8
 	TUN_F_UFO     = 0x10
 	TUN_F_USO4    = 0x20
 	TUN_F_USO6    = 0x40
 )
 const (
@ -5804,9 +5856,10 @@ const (
 )
 const (
-	VIRTIO_NET_HDR_GSO_NONE  = 0x0
+	VIRTIO_NET_HDR_GSO_NONE   = 0x0
-	VIRTIO_NET_HDR_GSO_TCPV4 = 0x1
+	VIRTIO_NET_HDR_GSO_TCPV4  = 0x1
-	VIRTIO_NET_HDR_GSO_UDP   = 0x3
+	VIRTIO_NET_HDR_GSO_UDP    = 0x3
-	VIRTIO_NET_HDR_GSO_TCPV6 = 0x4
+	VIRTIO_NET_HDR_GSO_TCPV6  = 0x4
-	VIRTIO_NET_HDR_GSO_ECN   = 0x80
+	VIRTIO_NET_HDR_GSO_UDP_L4 = 0x5
 	VIRTIO_NET_HDR_GSO_ECN    = 0x80
 )
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_386.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_386.go
@ -337,6 +337,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint32
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_amd64.go
@ -350,6 +350,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_arm.go
@ -328,6 +328,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint32
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_arm64.go
@ -329,6 +329,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_loong64.go
@ -330,6 +330,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mips.go
@ -333,6 +333,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint32
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64.go
@ -332,6 +332,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mips64le.go
@ -332,6 +332,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_mipsle.go
@ -333,6 +333,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint32
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc.go
@ -340,6 +340,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint32
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64.go
@ -339,6 +339,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_ppc64le.go
@ -339,6 +339,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_riscv64.go
@ -357,6 +357,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_s390x.go
@ -352,6 +352,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go
+++ b/vendor/golang.org/x/sys/unix/ztypes_linux_sparc64.go
@ -334,6 +334,8 @@ type Taskstats struct {
 	Ac_exe_inode              uint64
 	Wpcopy_count              uint64
 	Wpcopy_delay_total        uint64
 	Irq_count                 uint64
 	Irq_delay_total           uint64
 }
 type cpuMask uint64
--- a/vendor/golang.org/x/sys/windows/service.go
+++ b/vendor/golang.org/x/sys/windows/service.go
@ -218,6 +218,10 @@ type SERVICE_FAILURE_ACTIONS struct {
 	Actions      *SC_ACTION
 }
 type SERVICE_FAILURE_ACTIONS_FLAG struct {
 	FailureActionsOnNonCrashFailures int32
 }
 type SC_ACTION struct {
 	Type  uint32
 	Delay uint32
--- a/vendor/golang.org/x/sys/windows/syscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/syscall_windows.go
@ -405,7 +405,7 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	VerQueryValue(block unsafe.Pointer, subBlock string, pointerToBufferPointer unsafe.Pointer, bufSize *uint32) (err error) = version.VerQueryValueW
 // Process Status API (PSAPI)
-//sys	EnumProcesses(processIds []uint32, bytesReturned *uint32) (err error) = psapi.EnumProcesses
+//sys	enumProcesses(processIds *uint32, nSize uint32, bytesReturned *uint32) (err error) = psapi.EnumProcesses
 //sys	EnumProcessModules(process Handle, module *Handle, cb uint32, cbNeeded *uint32) (err error) = psapi.EnumProcessModules
 //sys	EnumProcessModulesEx(process Handle, module *Handle, cb uint32, cbNeeded *uint32, filterFlag uint32) (err error) = psapi.EnumProcessModulesEx
 //sys	GetModuleInformation(process Handle, module Handle, modinfo *ModuleInfo, cb uint32) (err error) = psapi.GetModuleInformation
@ -1354,6 +1354,17 @@ func SetsockoptIPv6Mreq(fd Handle, level, opt int, mreq *IPv6Mreq) (err error) {
 	return syscall.EWINDOWS
 }
 func EnumProcesses(processIds []uint32, bytesReturned *uint32) error {
 	// EnumProcesses syscall expects the size parameter to be in bytes, but the code generated with mksyscall uses
 	// the length of the processIds slice instead. Hence, this wrapper function is added to fix the discrepancy.
 	var p *uint32
 	if len(processIds) > 0 {
 		p = &processIds[0]
 	}
 	size := uint32(len(processIds) * 4)
 	return enumProcesses(p, size, bytesReturned)
 }
 func Getpid() (pid int) { return int(GetCurrentProcessId()) }
 func FindFirstFile(name *uint16, data *Win32finddata) (handle Handle, err error) {
--- a/vendor/golang.org/x/sys/windows/zsyscall_windows.go
+++ b/vendor/golang.org/x/sys/windows/zsyscall_windows.go
@ -3516,12 +3516,8 @@ func EnumProcessModulesEx(process Handle, module *Handle, cb uint32, cbNeeded *u
 	return
 }
-func EnumProcesses(processIds []uint32, bytesReturned *uint32) (err error) {
+func enumProcesses(processIds *uint32, nSize uint32, bytesReturned *uint32) (err error) {
-	var _p0 *uint32
+	r1, _, e1 := syscall.Syscall(procEnumProcesses.Addr(), 3, uintptr(unsafe.Pointer(processIds)), uintptr(nSize), uintptr(unsafe.Pointer(bytesReturned)))
 	if len(processIds) > 0 {
 		_p0 = &processIds[0]
 	}
 	r1, _, e1 := syscall.Syscall(procEnumProcesses.Addr(), 3, uintptr(unsafe.Pointer(_p0)), uintptr(len(processIds)), uintptr(unsafe.Pointer(bytesReturned)))
 	if r1 == 0 {
 		err = errnoErr(e1)
 	}
--- a/vendor/golang.org/x/term/term_unix.go
+++ b/vendor/golang.org/x/term/term_unix.go
@ -60,7 +60,7 @@ func restore(fd int, state *State) error {
 func getSize(fd int) (width, height int, err error) {
 	ws, err := unix.IoctlGetWinsize(fd, unix.TIOCGWINSZ)
 	if err != nil {
-		return -1, -1, err
+		return 0, 0, err
 	}
 	return int(ws.Col), int(ws.Row), nil
 }
--- a/vendor/golang.org/x/text/internal/language/compact/tables.go
+++ b/vendor/golang.org/x/text/internal/language/compact/tables.go
@ -790,226 +790,226 @@ const (
 var coreTags = []language.CompactCoreInfo{ // 773 elements
 	// Entry 0 - 1F
-	0x00000000, 0x01600000, 0x016000d2, 0x01600161,
+	0x00000000, 0x01600000, 0x016000d3, 0x01600162,
-	0x01c00000, 0x01c00052, 0x02100000, 0x02100080,
+	0x01c00000, 0x01c00052, 0x02100000, 0x02100081,
-	0x02700000, 0x0270006f, 0x03a00000, 0x03a00001,
+	0x02700000, 0x02700070, 0x03a00000, 0x03a00001,
-	0x03a00023, 0x03a00039, 0x03a00062, 0x03a00067,
+	0x03a00023, 0x03a00039, 0x03a00063, 0x03a00068,
-	0x03a0006b, 0x03a0006c, 0x03a0006d, 0x03a00097,
+	0x03a0006c, 0x03a0006d, 0x03a0006e, 0x03a00098,
-	0x03a0009b, 0x03a000a1, 0x03a000a8, 0x03a000ac,
+	0x03a0009c, 0x03a000a2, 0x03a000a9, 0x03a000ad,
-	0x03a000b0, 0x03a000b9, 0x03a000ba, 0x03a000c9,
+	0x03a000b1, 0x03a000ba, 0x03a000bb, 0x03a000ca,
-	0x03a000e1, 0x03a000ed, 0x03a000f3, 0x03a00108,
+	0x03a000e2, 0x03a000ee, 0x03a000f4, 0x03a00109,
 	// Entry 20 - 3F
-	0x03a0010b, 0x03a00115, 0x03a00117, 0x03a0011c,
+	0x03a0010c, 0x03a00116, 0x03a00118, 0x03a0011d,
-	0x03a00120, 0x03a00128, 0x03a0015e, 0x04000000,
+	0x03a00121, 0x03a00129, 0x03a0015f, 0x04000000,
-	0x04300000, 0x04300099, 0x04400000, 0x0440012f,
+	0x04300000, 0x0430009a, 0x04400000, 0x04400130,
-	0x04800000, 0x0480006e, 0x05800000, 0x05820000,
+	0x04800000, 0x0480006f, 0x05800000, 0x05820000,
-	0x05820032, 0x0585a000, 0x0585a032, 0x05e00000,
+	0x05820032, 0x0585b000, 0x0585b032, 0x05e00000,
 	0x05e00052, 0x07100000, 0x07100047, 0x07500000,
-	0x07500162, 0x07900000, 0x0790012f, 0x07e00000,
+	0x07500163, 0x07900000, 0x07900130, 0x07e00000,
-	0x07e00038, 0x08200000, 0x0a000000, 0x0a0000c3,
+	0x07e00038, 0x08200000, 0x0a000000, 0x0a0000c4,
 	// Entry 40 - 5F
-	0x0a500000, 0x0a500035, 0x0a500099, 0x0a900000,
+	0x0a500000, 0x0a500035, 0x0a50009a, 0x0a900000,
-	0x0a900053, 0x0a900099, 0x0b200000, 0x0b200078,
+	0x0a900053, 0x0a90009a, 0x0b200000, 0x0b200079,
-	0x0b500000, 0x0b500099, 0x0b700000, 0x0b720000,
+	0x0b500000, 0x0b50009a, 0x0b700000, 0x0b720000,
-	0x0b720033, 0x0b75a000, 0x0b75a033, 0x0d700000,
+	0x0b720033, 0x0b75b000, 0x0b75b033, 0x0d700000,
-	0x0d700022, 0x0d70006e, 0x0d700078, 0x0d70009e,
+	0x0d700022, 0x0d70006f, 0x0d700079, 0x0d70009f,
-	0x0db00000, 0x0db00035, 0x0db00099, 0x0dc00000,
+	0x0db00000, 0x0db00035, 0x0db0009a, 0x0dc00000,
-	0x0dc00106, 0x0df00000, 0x0df00131, 0x0e500000,
+	0x0dc00107, 0x0df00000, 0x0df00132, 0x0e500000,
-	0x0e500135, 0x0e900000, 0x0e90009b, 0x0e90009c,
+	0x0e500136, 0x0e900000, 0x0e90009c, 0x0e90009d,
 	// Entry 60 - 7F
-	0x0fa00000, 0x0fa0005e, 0x0fe00000, 0x0fe00106,
+	0x0fa00000, 0x0fa0005f, 0x0fe00000, 0x0fe00107,
-	0x10000000, 0x1000007b, 0x10100000, 0x10100063,
+	0x10000000, 0x1000007c, 0x10100000, 0x10100064,
-	0x10100082, 0x10800000, 0x108000a4, 0x10d00000,
+	0x10100083, 0x10800000, 0x108000a5, 0x10d00000,
-	0x10d0002e, 0x10d00036, 0x10d0004e, 0x10d00060,
+	0x10d0002e, 0x10d00036, 0x10d0004e, 0x10d00061,
-	0x10d0009e, 0x10d000b2, 0x10d000b7, 0x11700000,
+	0x10d0009f, 0x10d000b3, 0x10d000b8, 0x11700000,
-	0x117000d4, 0x11f00000, 0x11f00060, 0x12400000,
+	0x117000d5, 0x11f00000, 0x11f00061, 0x12400000,
-	0x12400052, 0x12800000, 0x12b00000, 0x12b00114,
+	0x12400052, 0x12800000, 0x12b00000, 0x12b00115,
-	0x12d00000, 0x12d00043, 0x12f00000, 0x12f000a4,
+	0x12d00000, 0x12d00043, 0x12f00000, 0x12f000a5,
 	// Entry 80 - 9F
-	0x13000000, 0x13000080, 0x13000122, 0x13600000,
+	0x13000000, 0x13000081, 0x13000123, 0x13600000,
-	0x1360005d, 0x13600087, 0x13900000, 0x13900001,
+	0x1360005e, 0x13600088, 0x13900000, 0x13900001,
 	0x1390001a, 0x13900025, 0x13900026, 0x1390002d,
 	0x1390002e, 0x1390002f, 0x13900034, 0x13900036,
 	0x1390003a, 0x1390003d, 0x13900042, 0x13900046,
 	0x13900048, 0x13900049, 0x1390004a, 0x1390004e,
-	0x13900050, 0x13900052, 0x1390005c, 0x1390005d,
+	0x13900050, 0x13900052, 0x1390005d, 0x1390005e,
-	0x13900060, 0x13900061, 0x13900063, 0x13900064,
+	0x13900061, 0x13900062, 0x13900064, 0x13900065,
 	// Entry A0 - BF
-	0x1390006d, 0x13900072, 0x13900073, 0x13900074,
+	0x1390006e, 0x13900073, 0x13900074, 0x13900075,
-	0x13900075, 0x1390007b, 0x1390007c, 0x1390007f,
+	0x13900076, 0x1390007c, 0x1390007d, 0x13900080,
-	0x13900080, 0x13900081, 0x13900083, 0x1390008a,
+	0x13900081, 0x13900082, 0x13900084, 0x1390008b,
-	0x1390008c, 0x1390008d, 0x13900096, 0x13900097,
+	0x1390008d, 0x1390008e, 0x13900097, 0x13900098,
-	0x13900098, 0x13900099, 0x1390009a, 0x1390009f,
+	0x13900099, 0x1390009a, 0x1390009b, 0x139000a0,
-	0x139000a0, 0x139000a4, 0x139000a7, 0x139000a9,
+	0x139000a1, 0x139000a5, 0x139000a8, 0x139000aa,
-	0x139000ad, 0x139000b1, 0x139000b4, 0x139000b5,
+	0x139000ae, 0x139000b2, 0x139000b5, 0x139000b6,
-	0x139000bf, 0x139000c0, 0x139000c6, 0x139000c7,
+	0x139000c0, 0x139000c1, 0x139000c7, 0x139000c8,
 	// Entry C0 - DF
-	0x139000ca, 0x139000cb, 0x139000cc, 0x139000ce,
+	0x139000cb, 0x139000cc, 0x139000cd, 0x139000cf,
-	0x139000d0, 0x139000d2, 0x139000d5, 0x139000d6,
+	0x139000d1, 0x139000d3, 0x139000d6, 0x139000d7,
-	0x139000d9, 0x139000dd, 0x139000df, 0x139000e0,
+	0x139000da, 0x139000de, 0x139000e0, 0x139000e1,
-	0x139000e6, 0x139000e7, 0x139000e8, 0x139000eb,
+	0x139000e7, 0x139000e8, 0x139000e9, 0x139000ec,
-	0x139000ec, 0x139000f0, 0x13900107, 0x13900109,
+	0x139000ed, 0x139000f1, 0x13900108, 0x1390010a,
-	0x1390010a, 0x1390010b, 0x1390010c, 0x1390010d,
+	0x1390010b, 0x1390010c, 0x1390010d, 0x1390010e,
-	0x1390010e, 0x1390010f, 0x13900112, 0x13900117,
+	0x1390010f, 0x13900110, 0x13900113, 0x13900118,
-	0x1390011b, 0x1390011d, 0x1390011f, 0x13900125,
+	0x1390011c, 0x1390011e, 0x13900120, 0x13900126,
 	// Entry E0 - FF
-	0x13900129, 0x1390012c, 0x1390012d, 0x1390012f,
+	0x1390012a, 0x1390012d, 0x1390012e, 0x13900130,
-	0x13900131, 0x13900133, 0x13900135, 0x13900139,
+	0x13900132, 0x13900134, 0x13900136, 0x1390013a,
-	0x1390013c, 0x1390013d, 0x1390013f, 0x13900142,
+	0x1390013d, 0x1390013e, 0x13900140, 0x13900143,
-	0x13900161, 0x13900162, 0x13900164, 0x13c00000,
+	0x13900162, 0x13900163, 0x13900165, 0x13c00000,
 	0x13c00001, 0x13e00000, 0x13e0001f, 0x13e0002c,
 	0x13e0003f, 0x13e00041, 0x13e00048, 0x13e00051,
-	0x13e00054, 0x13e00056, 0x13e00059, 0x13e00065,
+	0x13e00054, 0x13e00057, 0x13e0005a, 0x13e00066,
-	0x13e00068, 0x13e00069, 0x13e0006e, 0x13e00086,
+	0x13e00069, 0x13e0006a, 0x13e0006f, 0x13e00087,
 	// Entry 100 - 11F
-	0x13e00089, 0x13e0008f, 0x13e00094, 0x13e000cf,
+	0x13e0008a, 0x13e00090, 0x13e00095, 0x13e000d0,
-	0x13e000d8, 0x13e000e2, 0x13e000e4, 0x13e000e7,
+	0x13e000d9, 0x13e000e3, 0x13e000e5, 0x13e000e8,
-	0x13e000ec, 0x13e000f1, 0x13e0011a, 0x13e00135,
+	0x13e000ed, 0x13e000f2, 0x13e0011b, 0x13e00136,
-	0x13e00136, 0x13e0013b, 0x14000000, 0x1400006a,
+	0x13e00137, 0x13e0013c, 0x14000000, 0x1400006b,
-	0x14500000, 0x1450006e, 0x14600000, 0x14600052,
+	0x14500000, 0x1450006f, 0x14600000, 0x14600052,
-	0x14800000, 0x14800024, 0x1480009c, 0x14e00000,
+	0x14800000, 0x14800024, 0x1480009d, 0x14e00000,
-	0x14e00052, 0x14e00084, 0x14e000c9, 0x14e00114,
+	0x14e00052, 0x14e00085, 0x14e000ca, 0x14e00115,
-	0x15100000, 0x15100072, 0x15300000, 0x153000e7,
+	0x15100000, 0x15100073, 0x15300000, 0x153000e8,
 	// Entry 120 - 13F
-	0x15800000, 0x15800063, 0x15800076, 0x15e00000,
+	0x15800000, 0x15800064, 0x15800077, 0x15e00000,
 	0x15e00036, 0x15e00037, 0x15e0003a, 0x15e0003b,
 	0x15e0003c, 0x15e00049, 0x15e0004b, 0x15e0004c,
 	0x15e0004d, 0x15e0004e, 0x15e0004f, 0x15e00052,
-	0x15e00062, 0x15e00067, 0x15e00078, 0x15e0007a,
+	0x15e00063, 0x15e00068, 0x15e00079, 0x15e0007b,
-	0x15e0007e, 0x15e00084, 0x15e00085, 0x15e00086,
+	0x15e0007f, 0x15e00085, 0x15e00086, 0x15e00087,
-	0x15e00091, 0x15e000a8, 0x15e000b7, 0x15e000ba,
+	0x15e00092, 0x15e000a9, 0x15e000b8, 0x15e000bb,
-	0x15e000bb, 0x15e000be, 0x15e000bf, 0x15e000c3,
+	0x15e000bc, 0x15e000bf, 0x15e000c0, 0x15e000c4,
 	// Entry 140 - 15F
-	0x15e000c8, 0x15e000c9, 0x15e000cc, 0x15e000d3,
+	0x15e000c9, 0x15e000ca, 0x15e000cd, 0x15e000d4,
-	0x15e000d4, 0x15e000e5, 0x15e000ea, 0x15e00102,
+	0x15e000d5, 0x15e000e6, 0x15e000eb, 0x15e00103,
-	0x15e00107, 0x15e0010a, 0x15e00114, 0x15e0011c,
+	0x15e00108, 0x15e0010b, 0x15e00115, 0x15e0011d,
-	0x15e00120, 0x15e00122, 0x15e00128, 0x15e0013f,
+	0x15e00121, 0x15e00123, 0x15e00129, 0x15e00140,
-	0x15e00140, 0x15e0015f, 0x16900000, 0x1690009e,
+	0x15e00141, 0x15e00160, 0x16900000, 0x1690009f,
-	0x16d00000, 0x16d000d9, 0x16e00000, 0x16e00096,
+	0x16d00000, 0x16d000da, 0x16e00000, 0x16e00097,
-	0x17e00000, 0x17e0007b, 0x19000000, 0x1900006e,
+	0x17e00000, 0x17e0007c, 0x19000000, 0x1900006f,
-	0x1a300000, 0x1a30004e, 0x1a300078, 0x1a3000b2,
+	0x1a300000, 0x1a30004e, 0x1a300079, 0x1a3000b3,
 	// Entry 160 - 17F
-	0x1a400000, 0x1a400099, 0x1a900000, 0x1ab00000,
+	0x1a400000, 0x1a40009a, 0x1a900000, 0x1ab00000,
-	0x1ab000a4, 0x1ac00000, 0x1ac00098, 0x1b400000,
+	0x1ab000a5, 0x1ac00000, 0x1ac00099, 0x1b400000,
-	0x1b400080, 0x1b4000d4, 0x1b4000d6, 0x1b800000,
+	0x1b400081, 0x1b4000d5, 0x1b4000d7, 0x1b800000,
-	0x1b800135, 0x1bc00000, 0x1bc00097, 0x1be00000,
+	0x1b800136, 0x1bc00000, 0x1bc00098, 0x1be00000,
-	0x1be00099, 0x1d100000, 0x1d100033, 0x1d100090,
+	0x1be0009a, 0x1d100000, 0x1d100033, 0x1d100091,
-	0x1d200000, 0x1d200060, 0x1d500000, 0x1d500092,
+	0x1d200000, 0x1d200061, 0x1d500000, 0x1d500093,
-	0x1d700000, 0x1d700028, 0x1e100000, 0x1e100095,
+	0x1d700000, 0x1d700028, 0x1e100000, 0x1e100096,
-	0x1e700000, 0x1e7000d6, 0x1ea00000, 0x1ea00053,
+	0x1e700000, 0x1e7000d7, 0x1ea00000, 0x1ea00053,
 	// Entry 180 - 19F
-	0x1f300000, 0x1f500000, 0x1f800000, 0x1f80009d,
+	0x1f300000, 0x1f500000, 0x1f800000, 0x1f80009e,
-	0x1f900000, 0x1f90004e, 0x1f90009e, 0x1f900113,
+	0x1f900000, 0x1f90004e, 0x1f90009f, 0x1f900114,
-	0x1f900138, 0x1fa00000, 0x1fb00000, 0x20000000,
+	0x1f900139, 0x1fa00000, 0x1fb00000, 0x20000000,
-	0x200000a2, 0x20300000, 0x20700000, 0x20700052,
+	0x200000a3, 0x20300000, 0x20700000, 0x20700052,
-	0x20800000, 0x20a00000, 0x20a0012f, 0x20e00000,
+	0x20800000, 0x20a00000, 0x20a00130, 0x20e00000,
-	0x20f00000, 0x21000000, 0x2100007d, 0x21200000,
+	0x20f00000, 0x21000000, 0x2100007e, 0x21200000,
-	0x21200067, 0x21600000, 0x21700000, 0x217000a4,
+	0x21200068, 0x21600000, 0x21700000, 0x217000a5,
-	0x21f00000, 0x22300000, 0x2230012f, 0x22700000,
+	0x21f00000, 0x22300000, 0x22300130, 0x22700000,
 	// Entry 1A0 - 1BF
-	0x2270005a, 0x23400000, 0x234000c3, 0x23900000,
+	0x2270005b, 0x23400000, 0x234000c4, 0x23900000,
-	0x239000a4, 0x24200000, 0x242000ae, 0x24400000,
+	0x239000a5, 0x24200000, 0x242000af, 0x24400000,
-	0x24400052, 0x24500000, 0x24500082, 0x24600000,
+	0x24400052, 0x24500000, 0x24500083, 0x24600000,
-	0x246000a4, 0x24a00000, 0x24a000a6, 0x25100000,
+	0x246000a5, 0x24a00000, 0x24a000a7, 0x25100000,
-	0x25100099, 0x25400000, 0x254000aa, 0x254000ab,
+	0x2510009a, 0x25400000, 0x254000ab, 0x254000ac,
-	0x25600000, 0x25600099, 0x26a00000, 0x26a00099,
+	0x25600000, 0x2560009a, 0x26a00000, 0x26a0009a,
-	0x26b00000, 0x26b0012f, 0x26d00000, 0x26d00052,
+	0x26b00000, 0x26b00130, 0x26d00000, 0x26d00052,
-	0x26e00000, 0x26e00060, 0x27400000, 0x28100000,
+	0x26e00000, 0x26e00061, 0x27400000, 0x28100000,
 	// Entry 1C0 - 1DF
-	0x2810007b, 0x28a00000, 0x28a000a5, 0x29100000,
+	0x2810007c, 0x28a00000, 0x28a000a6, 0x29100000,
-	0x2910012f, 0x29500000, 0x295000b7, 0x2a300000,
+	0x29100130, 0x29500000, 0x295000b8, 0x2a300000,
-	0x2a300131, 0x2af00000, 0x2af00135, 0x2b500000,
+	0x2a300132, 0x2af00000, 0x2af00136, 0x2b500000,
 	0x2b50002a, 0x2b50004b, 0x2b50004c, 0x2b50004d,
-	0x2b800000, 0x2b8000af, 0x2bf00000, 0x2bf0009b,
+	0x2b800000, 0x2b8000b0, 0x2bf00000, 0x2bf0009c,
-	0x2bf0009c, 0x2c000000, 0x2c0000b6, 0x2c200000,
+	0x2bf0009d, 0x2c000000, 0x2c0000b7, 0x2c200000,
-	0x2c20004b, 0x2c400000, 0x2c4000a4, 0x2c500000,
+	0x2c20004b, 0x2c400000, 0x2c4000a5, 0x2c500000,
-	0x2c5000a4, 0x2c700000, 0x2c7000b8, 0x2d100000,
+	0x2c5000a5, 0x2c700000, 0x2c7000b9, 0x2d100000,
 	// Entry 1E0 - 1FF
-	0x2d1000a4, 0x2d10012f, 0x2e900000, 0x2e9000a4,
+	0x2d1000a5, 0x2d100130, 0x2e900000, 0x2e9000a5,
-	0x2ed00000, 0x2ed000cc, 0x2f100000, 0x2f1000bf,
+	0x2ed00000, 0x2ed000cd, 0x2f100000, 0x2f1000c0,
-	0x2f200000, 0x2f2000d1, 0x2f400000, 0x2f400052,
+	0x2f200000, 0x2f2000d2, 0x2f400000, 0x2f400052,
-	0x2ff00000, 0x2ff000c2, 0x30400000, 0x30400099,
+	0x2ff00000, 0x2ff000c3, 0x30400000, 0x3040009a,
-	0x30b00000, 0x30b000c5, 0x31000000, 0x31b00000,
+	0x30b00000, 0x30b000c6, 0x31000000, 0x31b00000,
-	0x31b00099, 0x31f00000, 0x31f0003e, 0x31f000d0,
+	0x31b0009a, 0x31f00000, 0x31f0003e, 0x31f000d1,
-	0x31f0010d, 0x32000000, 0x320000cb, 0x32500000,
+	0x31f0010e, 0x32000000, 0x320000cc, 0x32500000,
-	0x32500052, 0x33100000, 0x331000c4, 0x33a00000,
+	0x32500052, 0x33100000, 0x331000c5, 0x33a00000,
 	// Entry 200 - 21F
-	0x33a0009c, 0x34100000, 0x34500000, 0x345000d2,
+	0x33a0009d, 0x34100000, 0x34500000, 0x345000d3,
-	0x34700000, 0x347000da, 0x34700110, 0x34e00000,
+	0x34700000, 0x347000db, 0x34700111, 0x34e00000,
-	0x34e00164, 0x35000000, 0x35000060, 0x350000d9,
+	0x34e00165, 0x35000000, 0x35000061, 0x350000da,
-	0x35100000, 0x35100099, 0x351000db, 0x36700000,
+	0x35100000, 0x3510009a, 0x351000dc, 0x36700000,
-	0x36700030, 0x36700036, 0x36700040, 0x3670005b,
+	0x36700030, 0x36700036, 0x36700040, 0x3670005c,
-	0x367000d9, 0x36700116, 0x3670011b, 0x36800000,
+	0x367000da, 0x36700117, 0x3670011c, 0x36800000,
-	0x36800052, 0x36a00000, 0x36a000da, 0x36c00000,
+	0x36800052, 0x36a00000, 0x36a000db, 0x36c00000,
 	0x36c00052, 0x36f00000, 0x37500000, 0x37600000,
 	// Entry 220 - 23F
-	0x37a00000, 0x38000000, 0x38000117, 0x38700000,
+	0x37a00000, 0x38000000, 0x38000118, 0x38700000,
-	0x38900000, 0x38900131, 0x39000000, 0x3900006f,
+	0x38900000, 0x38900132, 0x39000000, 0x39000070,
-	0x390000a4, 0x39500000, 0x39500099, 0x39800000,
+	0x390000a5, 0x39500000, 0x3950009a, 0x39800000,
-	0x3980007d, 0x39800106, 0x39d00000, 0x39d05000,
+	0x3980007e, 0x39800107, 0x39d00000, 0x39d05000,
-	0x39d050e8, 0x39d36000, 0x39d36099, 0x3a100000,
+	0x39d050e9, 0x39d36000, 0x39d3609a, 0x3a100000,
-	0x3b300000, 0x3b3000e9, 0x3bd00000, 0x3bd00001,
+	0x3b300000, 0x3b3000ea, 0x3bd00000, 0x3bd00001,
 	0x3be00000, 0x3be00024, 0x3c000000, 0x3c00002a,
-	0x3c000041, 0x3c00004e, 0x3c00005a, 0x3c000086,
+	0x3c000041, 0x3c00004e, 0x3c00005b, 0x3c000087,
 	// Entry 240 - 25F
-	0x3c00008b, 0x3c0000b7, 0x3c0000c6, 0x3c0000d1,
+	0x3c00008c, 0x3c0000b8, 0x3c0000c7, 0x3c0000d2,
-	0x3c0000ee, 0x3c000118, 0x3c000126, 0x3c400000,
+	0x3c0000ef, 0x3c000119, 0x3c000127, 0x3c400000,
-	0x3c40003f, 0x3c400069, 0x3c4000e4, 0x3d400000,
+	0x3c40003f, 0x3c40006a, 0x3c4000e5, 0x3d400000,
 	0x3d40004e, 0x3d900000, 0x3d90003a, 0x3dc00000,
-	0x3dc000bc, 0x3dc00104, 0x3de00000, 0x3de0012f,
+	0x3dc000bd, 0x3dc00105, 0x3de00000, 0x3de00130,
-	0x3e200000, 0x3e200047, 0x3e2000a5, 0x3e2000ae,
+	0x3e200000, 0x3e200047, 0x3e2000a6, 0x3e2000af,
-	0x3e2000bc, 0x3e200106, 0x3e200130, 0x3e500000,
+	0x3e2000bd, 0x3e200107, 0x3e200131, 0x3e500000,
-	0x3e500107, 0x3e600000, 0x3e60012f, 0x3eb00000,
+	0x3e500108, 0x3e600000, 0x3e600130, 0x3eb00000,
 	// Entry 260 - 27F
-	0x3eb00106, 0x3ec00000, 0x3ec000a4, 0x3f300000,
+	0x3eb00107, 0x3ec00000, 0x3ec000a5, 0x3f300000,
-	0x3f30012f, 0x3fa00000, 0x3fa000e8, 0x3fc00000,
+	0x3f300130, 0x3fa00000, 0x3fa000e9, 0x3fc00000,
-	0x3fd00000, 0x3fd00072, 0x3fd000da, 0x3fd0010c,
+	0x3fd00000, 0x3fd00073, 0x3fd000db, 0x3fd0010d,
-	0x3ff00000, 0x3ff000d1, 0x40100000, 0x401000c3,
+	0x3ff00000, 0x3ff000d2, 0x40100000, 0x401000c4,
 	0x40200000, 0x4020004c, 0x40700000, 0x40800000,
-	0x4085a000, 0x4085a0ba, 0x408e8000, 0x408e80ba,
+	0x4085b000, 0x4085b0bb, 0x408eb000, 0x408eb0bb,
-	0x40c00000, 0x40c000b3, 0x41200000, 0x41200111,
+	0x40c00000, 0x40c000b4, 0x41200000, 0x41200112,
-	0x41600000, 0x4160010f, 0x41c00000, 0x41d00000,
+	0x41600000, 0x41600110, 0x41c00000, 0x41d00000,
 	// Entry 280 - 29F
-	0x41e00000, 0x41f00000, 0x41f00072, 0x42200000,
+	0x41e00000, 0x41f00000, 0x41f00073, 0x42200000,
-	0x42300000, 0x42300164, 0x42900000, 0x42900062,
+	0x42300000, 0x42300165, 0x42900000, 0x42900063,
-	0x4290006f, 0x429000a4, 0x42900115, 0x43100000,
+	0x42900070, 0x429000a5, 0x42900116, 0x43100000,
-	0x43100027, 0x431000c2, 0x4310014d, 0x43200000,
+	0x43100027, 0x431000c3, 0x4310014e, 0x43200000,
-	0x43220000, 0x43220033, 0x432200bd, 0x43220105,
+	0x43220000, 0x43220033, 0x432200be, 0x43220106,
-	0x4322014d, 0x4325a000, 0x4325a033, 0x4325a0bd,
+	0x4322014e, 0x4325b000, 0x4325b033, 0x4325b0be,
-	0x4325a105, 0x4325a14d, 0x43700000, 0x43a00000,
+	0x4325b106, 0x4325b14e, 0x43700000, 0x43a00000,
-	0x43b00000, 0x44400000, 0x44400031, 0x44400072,
+	0x43b00000, 0x44400000, 0x44400031, 0x44400073,
 	// Entry 2A0 - 2BF
-	0x4440010c, 0x44500000, 0x4450004b, 0x445000a4,
+	0x4440010d, 0x44500000, 0x4450004b, 0x445000a5,
-	0x4450012f, 0x44500131, 0x44e00000, 0x45000000,
+	0x44500130, 0x44500132, 0x44e00000, 0x45000000,
-	0x45000099, 0x450000b3, 0x450000d0, 0x4500010d,
+	0x4500009a, 0x450000b4, 0x450000d1, 0x4500010e,
-	0x46100000, 0x46100099, 0x46400000, 0x464000a4,
+	0x46100000, 0x4610009a, 0x46400000, 0x464000a5,
-	0x46400131, 0x46700000, 0x46700124, 0x46b00000,
+	0x46400132, 0x46700000, 0x46700125, 0x46b00000,
-	0x46b00123, 0x46f00000, 0x46f0006d, 0x46f0006f,
+	0x46b00124, 0x46f00000, 0x46f0006e, 0x46f00070,
-	0x47100000, 0x47600000, 0x47600127, 0x47a00000,
+	0x47100000, 0x47600000, 0x47600128, 0x47a00000,
-	0x48000000, 0x48200000, 0x48200129, 0x48a00000,
+	0x48000000, 0x48200000, 0x4820012a, 0x48a00000,
 	// Entry 2C0 - 2DF
-	0x48a0005d, 0x48a0012b, 0x48e00000, 0x49400000,
+	0x48a0005e, 0x48a0012c, 0x48e00000, 0x49400000,
-	0x49400106, 0x4a400000, 0x4a4000d4, 0x4a900000,
+	0x49400107, 0x4a400000, 0x4a4000d5, 0x4a900000,
-	0x4a9000ba, 0x4ac00000, 0x4ac00053, 0x4ae00000,
+	0x4a9000bb, 0x4ac00000, 0x4ac00053, 0x4ae00000,
-	0x4ae00130, 0x4b400000, 0x4b400099, 0x4b4000e8,
+	0x4ae00131, 0x4b400000, 0x4b40009a, 0x4b4000e9,
 	0x4bc00000, 0x4bc05000, 0x4bc05024, 0x4bc20000,
-	0x4bc20137, 0x4bc5a000, 0x4bc5a137, 0x4be00000,
+	0x4bc20138, 0x4bc5b000, 0x4bc5b138, 0x4be00000,
-	0x4be5a000, 0x4be5a0b4, 0x4bef1000, 0x4bef10b4,
+	0x4be5b000, 0x4be5b0b5, 0x4bef4000, 0x4bef40b5,
-	0x4c000000, 0x4c300000, 0x4c30013e, 0x4c900000,
+	0x4c000000, 0x4c300000, 0x4c30013f, 0x4c900000,
 	// Entry 2E0 - 2FF
-	0x4c900001, 0x4cc00000, 0x4cc0012f, 0x4ce00000,
+	0x4c900001, 0x4cc00000, 0x4cc00130, 0x4ce00000,
-	0x4cf00000, 0x4cf0004e, 0x4e500000, 0x4e500114,
+	0x4cf00000, 0x4cf0004e, 0x4e500000, 0x4e500115,
-	0x4f200000, 0x4fb00000, 0x4fb00131, 0x50900000,
+	0x4f200000, 0x4fb00000, 0x4fb00132, 0x50900000,
 	0x50900052, 0x51200000, 0x51200001, 0x51800000,
-	0x5180003b, 0x518000d6, 0x51f00000, 0x51f3b000,
+	0x5180003b, 0x518000d7, 0x51f00000, 0x51f3b000,
-	0x51f3b053, 0x51f3c000, 0x51f3c08d, 0x52800000,
+	0x51f3b053, 0x51f3c000, 0x51f3c08e, 0x52800000,
-	0x528000ba, 0x52900000, 0x5293b000, 0x5293b053,
+	0x528000bb, 0x52900000, 0x5293b000, 0x5293b053,
-	0x5293b08d, 0x5293b0c6, 0x5293b10d, 0x5293c000,
+	0x5293b08e, 0x5293b0c7, 0x5293b10e, 0x5293c000,
 	// Entry 300 - 31F
-	0x5293c08d, 0x5293c0c6, 0x5293c12e, 0x52f00000,
+	0x5293c08e, 0x5293c0c7, 0x5293c12f, 0x52f00000,
-	0x52f00161,
+	0x52f00162,
 } // Size: 3116 bytes
 const specialTagsStr string = "ca-ES-valencia en-US-u-va-posix"
-// Total table size 3147 bytes (3KiB); checksum: 6772C83C
+// Total table size 3147 bytes (3KiB); checksum: 5A8FFFA5
--- a/vendor/golang.org/x/text/internal/language/tables.go
+++ b/vendor/golang.org/x/text/internal/language/tables.go
--- a/vendor/golang.org/x/text/language/tables.go
+++ b/vendor/golang.org/x/text/language/tables.go
@ -23,31 +23,31 @@ const (
 	_419 = 31
 	_BR  = 65
 	_CA  = 73
-	_ES  = 110
+	_ES  = 111
-	_GB  = 123
+	_GB  = 124
-	_MD  = 188
+	_MD  = 189
-	_PT  = 238
+	_PT  = 239
-	_UK  = 306
+	_UK  = 307
-	_US  = 309
+	_US  = 310
-	_ZZ  = 357
+	_ZZ  = 358
-	_XA  = 323
+	_XA  = 324
-	_XC  = 325
+	_XC  = 326
-	_XK  = 333
+	_XK  = 334
 )
 const (
-	_Latn = 90
+	_Latn = 91
 	_Hani = 57
 	_Hans = 59
 	_Hant = 60
-	_Qaaa = 147
+	_Qaaa = 149
-	_Qaai = 155
+	_Qaai = 157
-	_Qabx = 196
+	_Qabx = 198
-	_Zinh = 252
+	_Zinh = 255
-	_Zyyy = 257
+	_Zyyy = 260
-	_Zzzz = 258
+	_Zzzz = 261
 )
-var regionToGroups = []uint8{ // 358 elements
+var regionToGroups = []uint8{ // 359 elements
 	// Entry 0 - 3F
 	0x00, 0x00, 0x00, 0x04, 0x04, 0x00, 0x00, 0x04,
 	0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x04, 0x00,
@ -60,51 +60,51 @@ var regionToGroups = []uint8{ // 358 elements
 	// Entry 40 - 7F
 	0x04, 0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x04, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x04, 0x00, 0x00, 0x04, 0x00, 0x04, 0x00,
+	0x00, 0x04, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04,
 	0x00, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x00, 0x08,
 	0x00, 0x04, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x04, 0x00,
 	// Entry 80 - BF
 	0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0x00, 0x00,
 	0x00, 0x04, 0x01, 0x00, 0x04, 0x02, 0x00, 0x04,
 	0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
 	0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x08, 0x08, 0x00, 0x00, 0x00, 0x04, 0x00,
 	// Entry C0 - FF
 	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x01,
 	0x04, 0x08, 0x04, 0x00, 0x00, 0x00, 0x00, 0x04,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x04, 0x00, 0x05, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x04, 0x00,
 	0x08, 0x00, 0x04, 0x00, 0x00, 0x08, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x04,
 	// Entry 80 - BF
 	0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x04, 0x00,
 	0x00, 0x00, 0x04, 0x01, 0x00, 0x04, 0x02, 0x00,
 	0x04, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 0x00,
 	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x08, 0x08, 0x00, 0x00, 0x00, 0x04,
 	// Entry C0 - FF
 	0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
 	0x01, 0x04, 0x08, 0x04, 0x00, 0x00, 0x00, 0x00,
 	0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x04, 0x00, 0x04, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x04, 0x00, 0x05, 0x00, 0x00,
 	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	// Entry 100 - 13F
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
-	0x00, 0x00, 0x04, 0x04, 0x00, 0x00, 0x00, 0x04,
+	0x00, 0x00, 0x00, 0x04, 0x04, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x08, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
+	0x00, 0x08, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x01, 0x00, 0x05, 0x04, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x05, 0x04,
-	0x00, 0x04, 0x00, 0x04, 0x04, 0x05, 0x00, 0x00,
+	0x00, 0x00, 0x04, 0x00, 0x04, 0x04, 0x05, 0x00,
 	// Entry 140 - 17F
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-	0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-} // Size: 382 bytes
+} // Size: 383 bytes
 var paradigmLocales = [][3]uint16{ // 3 elements
-	0: [3]uint16{0x139, 0x0, 0x7b},
+	0: [3]uint16{0x139, 0x0, 0x7c},
 	1: [3]uint16{0x13e, 0x0, 0x1f},
-	2: [3]uint16{0x3c0, 0x41, 0xee},
+	2: [3]uint16{0x3c0, 0x41, 0xef},
 } // Size: 42 bytes
 type mutualIntelligibility struct {
@ -249,30 +249,30 @@ var matchLang = []mutualIntelligibility{ // 113 elements
 // matchScript holds pairs of scriptIDs where readers of one script
 // can typically also read the other. Each is associated with a confidence.
 var matchScript = []scriptIntelligibility{ // 26 elements
-	0:  {wantLang: 0x432, haveLang: 0x432, wantScript: 0x5a, haveScript: 0x20, distance: 0x5},
+	0:  {wantLang: 0x432, haveLang: 0x432, wantScript: 0x5b, haveScript: 0x20, distance: 0x5},
-	1:  {wantLang: 0x432, haveLang: 0x432, wantScript: 0x20, haveScript: 0x5a, distance: 0x5},
+	1:  {wantLang: 0x432, haveLang: 0x432, wantScript: 0x20, haveScript: 0x5b, distance: 0x5},
-	2:  {wantLang: 0x58, haveLang: 0x3e2, wantScript: 0x5a, haveScript: 0x20, distance: 0xa},
+	2:  {wantLang: 0x58, haveLang: 0x3e2, wantScript: 0x5b, haveScript: 0x20, distance: 0xa},
-	3:  {wantLang: 0xa5, haveLang: 0x139, wantScript: 0xe, haveScript: 0x5a, distance: 0xa},
+	3:  {wantLang: 0xa5, haveLang: 0x139, wantScript: 0xe, haveScript: 0x5b, distance: 0xa},
 	4:  {wantLang: 0x1d7, haveLang: 0x3e2, wantScript: 0x8, haveScript: 0x20, distance: 0xa},
-	5:  {wantLang: 0x210, haveLang: 0x139, wantScript: 0x2e, haveScript: 0x5a, distance: 0xa},
+	5:  {wantLang: 0x210, haveLang: 0x139, wantScript: 0x2e, haveScript: 0x5b, distance: 0xa},
-	6:  {wantLang: 0x24a, haveLang: 0x139, wantScript: 0x4e, haveScript: 0x5a, distance: 0xa},
+	6:  {wantLang: 0x24a, haveLang: 0x139, wantScript: 0x4f, haveScript: 0x5b, distance: 0xa},
-	7:  {wantLang: 0x251, haveLang: 0x139, wantScript: 0x52, haveScript: 0x5a, distance: 0xa},
+	7:  {wantLang: 0x251, haveLang: 0x139, wantScript: 0x53, haveScript: 0x5b, distance: 0xa},
-	8:  {wantLang: 0x2b8, haveLang: 0x139, wantScript: 0x57, haveScript: 0x5a, distance: 0xa},
+	8:  {wantLang: 0x2b8, haveLang: 0x139, wantScript: 0x58, haveScript: 0x5b, distance: 0xa},
-	9:  {wantLang: 0x304, haveLang: 0x139, wantScript: 0x6e, haveScript: 0x5a, distance: 0xa},
+	9:  {wantLang: 0x304, haveLang: 0x139, wantScript: 0x6f, haveScript: 0x5b, distance: 0xa},
-	10: {wantLang: 0x331, haveLang: 0x139, wantScript: 0x75, haveScript: 0x5a, distance: 0xa},
+	10: {wantLang: 0x331, haveLang: 0x139, wantScript: 0x76, haveScript: 0x5b, distance: 0xa},
-	11: {wantLang: 0x351, haveLang: 0x139, wantScript: 0x22, haveScript: 0x5a, distance: 0xa},
+	11: {wantLang: 0x351, haveLang: 0x139, wantScript: 0x22, haveScript: 0x5b, distance: 0xa},
-	12: {wantLang: 0x395, haveLang: 0x139, wantScript: 0x81, haveScript: 0x5a, distance: 0xa},
+	12: {wantLang: 0x395, haveLang: 0x139, wantScript: 0x83, haveScript: 0x5b, distance: 0xa},
-	13: {wantLang: 0x39d, haveLang: 0x139, wantScript: 0x36, haveScript: 0x5a, distance: 0xa},
+	13: {wantLang: 0x39d, haveLang: 0x139, wantScript: 0x36, haveScript: 0x5b, distance: 0xa},
-	14: {wantLang: 0x3be, haveLang: 0x139, wantScript: 0x5, haveScript: 0x5a, distance: 0xa},
+	14: {wantLang: 0x3be, haveLang: 0x139, wantScript: 0x5, haveScript: 0x5b, distance: 0xa},
-	15: {wantLang: 0x3fa, haveLang: 0x139, wantScript: 0x5, haveScript: 0x5a, distance: 0xa},
+	15: {wantLang: 0x3fa, haveLang: 0x139, wantScript: 0x5, haveScript: 0x5b, distance: 0xa},
-	16: {wantLang: 0x40c, haveLang: 0x139, wantScript: 0xd4, haveScript: 0x5a, distance: 0xa},
+	16: {wantLang: 0x40c, haveLang: 0x139, wantScript: 0xd6, haveScript: 0x5b, distance: 0xa},
-	17: {wantLang: 0x450, haveLang: 0x139, wantScript: 0xe3, haveScript: 0x5a, distance: 0xa},
+	17: {wantLang: 0x450, haveLang: 0x139, wantScript: 0xe6, haveScript: 0x5b, distance: 0xa},
-	18: {wantLang: 0x461, haveLang: 0x139, wantScript: 0xe6, haveScript: 0x5a, distance: 0xa},
+	18: {wantLang: 0x461, haveLang: 0x139, wantScript: 0xe9, haveScript: 0x5b, distance: 0xa},
-	19: {wantLang: 0x46f, haveLang: 0x139, wantScript: 0x2c, haveScript: 0x5a, distance: 0xa},
+	19: {wantLang: 0x46f, haveLang: 0x139, wantScript: 0x2c, haveScript: 0x5b, distance: 0xa},
-	20: {wantLang: 0x476, haveLang: 0x3e2, wantScript: 0x5a, haveScript: 0x20, distance: 0xa},
+	20: {wantLang: 0x476, haveLang: 0x3e2, wantScript: 0x5b, haveScript: 0x20, distance: 0xa},
-	21: {wantLang: 0x4b4, haveLang: 0x139, wantScript: 0x5, haveScript: 0x5a, distance: 0xa},
+	21: {wantLang: 0x4b4, haveLang: 0x139, wantScript: 0x5, haveScript: 0x5b, distance: 0xa},
-	22: {wantLang: 0x4bc, haveLang: 0x3e2, wantScript: 0x5a, haveScript: 0x20, distance: 0xa},
+	22: {wantLang: 0x4bc, haveLang: 0x3e2, wantScript: 0x5b, haveScript: 0x20, distance: 0xa},
-	23: {wantLang: 0x512, haveLang: 0x139, wantScript: 0x3e, haveScript: 0x5a, distance: 0xa},
+	23: {wantLang: 0x512, haveLang: 0x139, wantScript: 0x3e, haveScript: 0x5b, distance: 0xa},
 	24: {wantLang: 0x529, haveLang: 0x529, wantScript: 0x3b, haveScript: 0x3c, distance: 0xf},
 	25: {wantLang: 0x529, haveLang: 0x529, wantScript: 0x3c, haveScript: 0x3b, distance: 0x13},
 } // Size: 232 bytes
@ -295,4 +295,4 @@ var matchRegion = []regionIntelligibility{ // 15 elements
 	14: {lang: 0x529, script: 0x3c, group: 0x80, distance: 0x5},
 } // Size: 114 bytes
-// Total table size 1472 bytes (1KiB); checksum: F86C669
+// Total table size 1473 bytes (1KiB); checksum: 7BB90B5C
--- a/vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go
+++ b/vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go
@ -1,7 +1,7 @@
 // Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
-//go:build go1.16
+//go:build go1.16 && !go1.21
-// +build go1.16
+// +build go1.16,!go1.21
 package bidi
--- a/vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go
+++ b/vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go
--- a/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go
+++ b/vendor/golang.org/x/text/unicode/norm/tables13.0.0.go
@ -1,7 +1,7 @@
 // Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
-//go:build go1.16
+//go:build go1.16 && !go1.21
-// +build go1.16
+// +build go1.16,!go1.21
 package norm
--- a/vendor/golang.org/x/text/unicode/norm/tables15.0.0.go
+++ b/vendor/golang.org/x/text/unicode/norm/tables15.0.0.go
--- a/vendor/golang.org/x/text/width/tables13.0.0.go
+++ b/vendor/golang.org/x/text/width/tables13.0.0.go
@ -1,7 +1,7 @@
 // Code generated by running "go generate" in golang.org/x/text. DO NOT EDIT.
-//go:build go1.16
+//go:build go1.16 && !go1.21
-// +build go1.16
+// +build go1.16,!go1.21
 package width
--- a/vendor/golang.org/x/text/width/tables15.0.0.go
+++ b/vendor/golang.org/x/text/width/tables15.0.0.go
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@ -310,18 +310,18 @@ go.opentelemetry.io/proto/otlp/common/v1
 go.opentelemetry.io/proto/otlp/metrics/v1
 go.opentelemetry.io/proto/otlp/resource/v1
 go.opentelemetry.io/proto/otlp/trace/v1
-# golang.org/x/crypto v0.0.0-20220214200702-86341886e292
+# golang.org/x/crypto v0.11.0
 ## explicit; go 1.17
 golang.org/x/crypto/blowfish
 golang.org/x/crypto/chacha20
 golang.org/x/crypto/curve25519
 golang.org/x/crypto/curve25519/internal/field
 golang.org/x/crypto/ed25519
 golang.org/x/crypto/internal/alias
 golang.org/x/crypto/internal/poly1305
 golang.org/x/crypto/internal/subtle
 golang.org/x/crypto/ssh
 golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
-# golang.org/x/net v0.10.0
+# golang.org/x/net v0.12.0
 ## explicit; go 1.17
 golang.org/x/net/context
 golang.org/x/net/context/ctxhttp
@ -340,17 +340,17 @@ golang.org/x/net/trace
 ## explicit; go 1.11
 golang.org/x/oauth2
 golang.org/x/oauth2/internal
-# golang.org/x/sys v0.8.0
+# golang.org/x/sys v0.10.0
 ## explicit; go 1.17
 golang.org/x/sys/cpu
 golang.org/x/sys/internal/unsafeheader
 golang.org/x/sys/plan9
 golang.org/x/sys/unix
 golang.org/x/sys/windows
-# golang.org/x/term v0.8.0
+# golang.org/x/term v0.10.0
 ## explicit; go 1.17
 golang.org/x/term
-# golang.org/x/text v0.9.0
+# golang.org/x/text v0.11.0
 ## explicit; go 1.17
 golang.org/x/text/encoding
 golang.org/x/text/encoding/charmap