fix: fix dns on linux (#336)

* fix: fix dns on linux

* feat: detect run in Github action or not to setup DNS

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/coredns/coredns v1.11.2
 	github.com/distribution/reference v0.6.0
 	github.com/docker/cli v26.0.0+incompatible
-	github.com/docker/docker v26.0.0+incompatible
+	github.com/docker/docker v26.1.4+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/docker/libcontainer v2.2.1+incompatible
 	github.com/envoyproxy/go-control-plane v0.12.0
@@ -33,37 +33,36 @@ require (
 	github.com/prometheus-community/pro-bing v0.4.0
 	github.com/schollz/progressbar/v3 v3.14.2
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.8.0
+	github.com/spf13/cobra v1.8.1
 	github.com/spf13/pflag v1.0.5
 	github.com/syncthing/syncthing v1.27.7
 	github.com/thejerf/suture/v4 v4.0.5
 	go.uber.org/automaxprocs v1.5.3
-	golang.org/x/crypto v0.23.0
+	golang.org/x/crypto v0.25.0
-	golang.org/x/exp v0.0.0-20240404231335-c0f41cb1a7a0
+	golang.org/x/net v0.27.0
-	golang.org/x/net v0.25.0
 	golang.org/x/oauth2 v0.18.0
 	golang.org/x/sync v0.7.0
-	golang.org/x/sys v0.20.0
+	golang.org/x/sys v0.22.0
-	golang.org/x/text v0.15.0
+	golang.org/x/text v0.16.0
 	golang.org/x/time v0.5.0
-	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224
+	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	google.golang.org/grpc v1.62.1
 	google.golang.org/protobuf v1.33.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
-	gvisor.dev/gvisor v0.0.0-20240403010941-979aae3d2c21
+	gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987
 	k8s.io/api v0.31.0-alpha.0
 	k8s.io/apimachinery v0.31.0-alpha.0
 	k8s.io/cli-runtime v0.29.3
 	k8s.io/client-go v0.31.0-alpha.0
-	k8s.io/klog/v2 v2.120.1
+	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubectl v0.29.3
-	k8s.io/utils v0.0.0-20240310230437-4693a0247e57
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8
-	sigs.k8s.io/controller-runtime v0.17.1-0.20240327193027-21368602d84b
+	sigs.k8s.io/controller-runtime v0.18.4
 	sigs.k8s.io/kustomize/api v0.16.0
 	sigs.k8s.io/yaml v1.4.0
-	tags.cncf.io/container-device-interface v0.7.0
+	tailscale.com v1.72.1
 )
 
 require (
@@ -71,6 +70,7 @@ require (
 	cloud.google.com/go/compute v1.25.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	dario.cat/mergo v1.0.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -94,10 +94,12 @@ require (
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Microsoft/hcsshim v0.12.2 // indirect
+	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/antonmedv/expr v1.15.5 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/aws/aws-sdk-go v1.51.12 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bits-and-blooms/bitset v1.13.0 // indirect
 	github.com/calmh/incontainer v1.0.0 // indirect
 	github.com/calmh/xdr v1.1.0 // indirect
 	github.com/ccding/go-stun v0.1.4 // indirect
@@ -107,9 +109,11 @@ require (
 	github.com/chmduquesne/rollinghash v4.0.0+incompatible // indirect
 	github.com/cncf/xds/go v0.0.0-20240329184929-0c46c01016dc // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/dnstap/golang-dnstap v0.4.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
@@ -129,10 +133,13 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
 	github.com/fvbommel/sortorder v1.1.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/gaissmai/bart v0.11.1 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.6 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -140,16 +147,18 @@ require (
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20240402174815-29b9bb013b0f // indirect
+	github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 // indirect
+	github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
@@ -163,6 +172,8 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
+	github.com/illarion/gonotify v1.0.1 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/infobloxopen/go-trees v0.0.0-20221216143356-66ceba885ebc // indirect
@@ -174,6 +185,8 @@ require (
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
+	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
+	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/julienschmidt/httprouter v1.3.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
@@ -182,6 +195,8 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/socket v0.5.0 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/minio/sha256-simd v1.0.1 // indirect
 	github.com/miscreant/miscreant.go v0.0.0-20200214223636-26d376326b75 // indirect
@@ -215,7 +230,7 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.52.2 // indirect
 	github.com/prometheus/procfs v0.13.0 // indirect
@@ -229,9 +244,13 @@ require (
 	github.com/stretchr/testify v1.9.0 // indirect
 	github.com/syncthing/notify v0.0.0-20210616190510-c6b7342338d2 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
+	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 // indirect
 	github.com/theupdateframework/notary v0.7.0 // indirect
 	github.com/tinylib/msgp v1.1.9 // indirect
+	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/vitrun/qart v0.0.0-20160531060029-bf64b92db6b0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
@@ -251,10 +270,13 @@ require (
 	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/mod v0.17.0 // indirect
+	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
-	golang.org/x/term v0.20.0 // indirect
+	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.org/x/tools v0.21.0 // indirect
+	golang.org/x/exp v0.0.0-20240404231335-c0f41cb1a7a0 // indirect
-	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
+	golang.org/x/mod v0.19.0 // indirect
+	golang.org/x/term v0.22.0 // indirect
+	golang.org/x/tools v0.23.0 // indirect
+	golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/api v0.172.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect

go.sum

@@ -7,6 +7,8 @@ cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGB
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
@@ -41,8 +43,6 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
-github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/DataDog/appsec-internal-go v1.5.0 h1:8kS5zSx5T49uZ8dZTdT19QVAvC/B8ByyZdhQKYQWHno=
 github.com/DataDog/appsec-internal-go v1.5.0/go.mod h1:pEp8gjfNLtEOmz+iZqC8bXhu0h4k7NUsW/qiQb34k1U=
 github.com/DataDog/datadog-agent/pkg/obfuscate v0.52.0 h1:J2iRNRgtKsLq3L55NJzZMQqTqbm8+ps8iKCwjkCph9E=
@@ -90,6 +90,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bitly/go-hostpool v0.1.0/go.mod h1:4gOCgp6+NZnVqlKyZ/iBZFTAJKembaVENUpMkpg42fw=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
+github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
+github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
 github.com/bugsnag/bugsnag-go v1.0.5-0.20150529004307-13fd6b8acda0 h1:s7+5BfS4WFJoVF9pnB8kBk03S7pZXRdKamnV0FOl5Sc=
 github.com/bugsnag/bugsnag-go v1.0.5-0.20150529004307-13fd6b8acda0/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8=
@@ -119,6 +121,8 @@ github.com/chmduquesne/rollinghash v4.0.0+incompatible/go.mod h1:Uc2I36RRfTAf7Dg
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
+github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/cilium/ipam v0.0.0-20230509084518-fd66eae7909b h1:yTDNdo6hd8ABJYeLUvmqKAYj3jaRzLYx3UwM+/jSeBY=
 github.com/cilium/ipam v0.0.0-20230509084518-fd66eae7909b/go.mod h1:Ascfar4FtgB+K+mwqbZpSb3WVZ5sPFIarg+iAOXNZqI=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -137,20 +141,24 @@ github.com/coredns/caddy v1.1.1 h1:2eYKZT7i6yxIfGP3qLJoJ7HAsDJqYB+X68g4NYjSrE0=
 github.com/coredns/caddy v1.1.1/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
 github.com/coredns/coredns v1.11.2 h1:HnCGNxSolDRge1fhQD1/N7AzYfStLMtqVAmuUe1jo1I=
 github.com/coredns/coredns v1.11.2/go.mod h1:EqOuX/f6iSRMG18JBwkS0Ern3iV9ImS+hZHgVuwGt+0=
+github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=
+github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
+github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/d4l3k/messagediff v1.2.1 h1:ZcAIMYsUg0EAp9X+tt8/enBE/Q8Yd5kzPynLyKptt9U=
 github.com/d4l3k/messagediff v1.2.1/go.mod h1:Oozbb1TVXFac9FtSIxHBMnBCq2qeH/2KkEQxENCrlLo=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa h1:h8TfIT1xc8FWbwwpmHn1J5i43Y0uZP97GqasGCzSRJk=
+github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa/go.mod h1:Nx87SkVqTKd8UtT+xu7sM/l+LgXs6c0aHrlKusR+2EQ=
 github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2 h1:tdlZCpZ/P9DhczCTSixgIKmwPv6+wP5DGjqLYw5SUiA=
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
@@ -165,8 +173,8 @@ github.com/docker/cli v26.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvM
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
+github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
-github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
 github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
@@ -214,6 +222,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
@@ -221,18 +231,24 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQmYw=
 github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
+github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
+github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
+github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
+github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
 github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
@@ -256,6 +272,8 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -293,8 +311,8 @@ github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/certificate-transparency-go v1.0.10-0.20180222191210-5ab67e519c93 h1:jc2UWq7CbdszqeH6qu1ougXMIUBfSy8Pbh/anURYbGI=
 github.com/google/certificate-transparency-go v1.0.10-0.20180222191210-5ab67e519c93/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
-github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU=
-github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49/go.mod h1:BkkQ4L1KS1xMt2aWSPStnn55ChGC0DPOn2FQYj+f25M=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -311,9 +329,11 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
+github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 h1:wG8RYIyctLhdFk6Vl1yPGtSRtwGpVkWyZww1OCil2MI=
+github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20240402174815-29b9bb013b0f h1:f00RU+zOX+B3rLAmMMkzHUF2h1z4DeYR9tTCvEq2REY=
+github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd h1:gbpYu9NMq8jhDVbvlGkMFWCjLFlqqEZjEmObmhUy6Vo=
-github.com/google/pprof v0.0.0-20240402174815-29b9bb013b0f/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
+github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
 github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
 github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
@@ -330,8 +350,9 @@ github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBH
 github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -360,9 +381,15 @@ github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mO
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
+github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
+github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
+github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
+github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/illarion/gonotify v1.0.1 h1:F1d+0Fgbq/sDWjj/r66ekjDG+IDeecQKUFH4wNwsoio=
+github.com/illarion/gonotify v1.0.1/go.mod h1:zt5pmDofZpU1f8aqlK0+95eQhoEAn/d4G4B/FjVW4jE=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
@@ -399,6 +426,10 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
+github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
+github.com/jsimonetti/rtnetlink v1.4.0 h1:Z1BF0fRgcETPEa0Kt0MRk3yV5+kF1FWTni6KUFKrq2I=
+github.com/jsimonetti/rtnetlink v1.4.0/go.mod h1:5W1jDvWdnthFJ7fxYX1GMK07BUpI4oskfOqvPteYS6E=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
@@ -434,8 +465,9 @@ github.com/libp2p/go-netroute v0.2.1/go.mod h1:hraioZr0fhBjG0ZRXJJ6Zj2IVEVNx6tDT
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/magiconair/properties v1.5.3 h1:C8fxWnhYyME3n0klPOhVM7PtYUB3eV1W3DeFmN3j53Y=
 github.com/magiconair/properties v1.5.3/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
+github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattbaird/jsonpatch v0.0.0-20240118010651-0ba75a80ca38 h1:hQWBtNqRYrI7CWIaUSXXtNKR90KzcUA5uiuxFVWw7sU=
@@ -447,6 +479,10 @@ github.com/mattn/go-sqlite3 v1.6.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOq
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
+github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
 github.com/miekg/dns v1.1.31/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
 github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
 github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
@@ -540,6 +576,9 @@ github.com/oschwald/maxminddb-golang v1.12.0 h1:9FnTOD0YOhP7DGxGsq4glzpGy5+w7pq5
 github.com/oschwald/maxminddb-golang v1.12.0/go.mod h1:q0Nob5lTCqyQ8WT6FYgS1L7PXKVVbgiymefNwIjPzgY=
 github.com/outcaste-io/ristretto v0.2.3 h1:AK4zt/fJ76kjlYObOeNwh4T3asEuaCmp26pOvUOL9w0=
 github.com/outcaste-io/ristretto v0.2.3/go.mod h1:W8HywhmtlopSB1jeMg3JtdIhf+DYkLAr0VN/s4+MHac=
+github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
+github.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=
+github.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
 github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/philhofer/fwd v1.1.2 h1:bnDivRJ1EWPjUIRXV5KfORO897HTbpFAQddBdE8t7Gw=
@@ -564,8 +603,8 @@ github.com/prometheus/client_golang v0.9.0-pre1.0.20180209125602-c332b6f63c06/go
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
-github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
 github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -600,8 +639,8 @@ github.com/schollz/progressbar/v3 v3.14.2 h1:EducH6uNLIWsr560zSV1KrTeUb/wZGAHqyM
 github.com/schollz/progressbar/v3 v3.14.2/go.mod h1:aQAZQnhF4JGFtRJiw/eobaXpsqpVQAftEQ+hLGXaRc4=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
+github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/shirou/gopsutil/v3 v3.24.3 h1:eoUGJSmdfLzJ3mxIhmOAhgKEKgQkeOwKpz1NbhVnuPE=
 github.com/shirou/gopsutil/v3 v3.24.3/go.mod h1:JpND7O217xa72ewWz9zN2eIIkPWsDN/3pl0H8Qt0uwg=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
@@ -614,18 +653,23 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spaolacci/murmur3 v1.1.0 h1:7c1g84S4BPRrfL5Xrdp6fOJ206sU9y293DDHaoy0bLI=
 github.com/spaolacci/murmur3 v1.1.0/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94 h1:JmfC365KywYwHB946TTiQWEb8kqPY+pybPLoGE9GgVk=
+github.com/spf13/afero v1.10.0 h1:EaGW2JJh15aKOejeuJ+wpFSHnbd7GE6Wvp3TsNhb6LY=
+github.com/spf13/afero v1.10.0/go.mod h1:UBogFpq8E9Hx+xc5CNTTEpTnuHVmXDwZcZcE1eb/UhQ=
 github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
+github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
+github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v0.0.1/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/jwalterweatherman v0.0.0-20141219030609-3d60171a6431 h1:XTHrT015sxHyJ5FnQ0AeemSspZWaDq7DoTRW0EVsDCE=
 github.com/spf13/jwalterweatherman v0.0.0-20141219030609-3d60171a6431/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
+github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.0/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v0.0.0-20150530192845-be5ff3e4840c h1:2EejZtjFjKJGk71ANb+wtFK5EjUzUkEM3R0xnp559xg=
 github.com/spf13/viper v0.0.0-20150530192845-be5ff3e4840c/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=
+github.com/spf13/viper v1.16.0 h1:rGGH0XDZhdUOryiDWjmIvUSWpbNqisK8Wk0Vyefw8hc=
+github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
@@ -647,12 +691,16 @@ github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
+github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/syncthing/notify v0.0.0-20210616190510-c6b7342338d2 h1:F4snRP//nIuTTW9LYEzVH4HVwDG9T3M4t8y/2nqMbiY=
 github.com/syncthing/notify v0.0.0-20210616190510-c6b7342338d2/go.mod h1:J0q59IWjLtpRIJulohwqEZvjzwOfTEPp8SVhDJl+y0Y=
 github.com/syncthing/syncthing v1.27.7 h1:N06QpAUPQi2VaB+X0wko5h8JtH3qJP5Dd4MYq952pEw=
 github.com/syncthing/syncthing v1.27.7/go.mod h1:bMhGhc70k3UFszFhmCVNxM5bOsDfhxYMHvj4lWlIYBk=
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs=
 github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d/go.mod h1:RRCYJbIwD5jmqPI9XoAFR0OcDxqUctll6zUj/+B4S48=
+github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
+github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
 github.com/thejerf/suture/v4 v4.0.5 h1:F1E/4FZwXWqvlWDKEUo6/ndLtxGAUzMmNqkrMknZbAA=
 github.com/thejerf/suture/v4 v4.0.5/go.mod h1:gu9Y4dXNUWFrByqRt30Rm9/UZ0wzRSt9AJS6xu/ZGxU=
 github.com/theupdateframework/notary v0.7.0 h1:QyagRZ7wlSpjT5N2qQAh/pN+DVqgekv4DzbAiAiEL3c=
@@ -661,8 +709,15 @@ github.com/tinylib/msgp v1.1.9 h1:SHf3yoO2sGA0veCJeCBYLHuttAVFHGm2RHgNodW7wQU=
 github.com/tinylib/msgp v1.1.9/go.mod h1:BCXGB54lDD8qUEPmiG0cQQUANC4IUQyB2ItS2UDlO/k=
 github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
 github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
+github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
+github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
+github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
+github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
+github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/vitrun/qart v0.0.0-20160531060029-bf64b92db6b0 h1:okhMind4q9H1OxF44gNegWkiP4H/gsTFLalHFa4OOUI=
 github.com/vitrun/qart v0.0.0-20160531060029-bf64b92db6b0/go.mod h1:TTbGUfE+cXXceWtbTHq6lqcTvYPBKLNejBEbnUsQJtU=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -717,6 +772,10 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
+go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
+go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -729,8 +788,8 @@ golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20240404231335-c0f41cb1a7a0 h1:985EYyeCOxTpcgOTJpflJUwOeEz0CQOdPt73OzpE9F8=
 golang.org/x/exp v0.0.0-20240404231335-c0f41cb1a7a0/go.mod h1:/lliqkxwWAhPjf5oSOIJup2XcqJaw8RGS6k3TGEc7GI=
@@ -744,8 +803,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -771,8 +830,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
 golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
@@ -802,7 +861,9 @@ golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -820,7 +881,9 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -828,8 +891,8 @@ golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -837,8 +900,8 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -847,8 +910,8 @@ golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -865,17 +928,17 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
+golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
-golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
+golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9 h1:LLhsEBxRTBLuKlQxFBYUOU8xyFgXv6cOTp2HASDlsDk=
-golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
+golang.org/x/xerrors v0.0.0-20240716161551-93cc26a95ae9/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
-golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
+golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c h1:Okh6a1xpnJslG9Mn84pId1Mn+Q8cvpo4HCeeFWHo0cA=
 golang.zx2c4.com/wireguard v0.0.0-20220920152132-bb719d3a6e2c/go.mod h1:enML0deDxY1ux+B6ANGiwtg0yAJi1rctkTpcHNAVPyg=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
@@ -934,6 +997,8 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.1 h1:d4KQkxAaAiRY2h5Zqis161Pv91A37uZyJOx73duwUwM=
@@ -952,8 +1017,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-gvisor.dev/gvisor v0.0.0-20240403010941-979aae3d2c21 h1:bH3op9vONK524+xoo4oiJR+LHMH4g58y0VZIao4eWvU=
+gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 h1:TU8z2Lh3Bbq77w0t1eG8yRlLcNHzZu3x6mhoH2Mk0c8=
-gvisor.dev/gvisor v0.0.0-20240403010941-979aae3d2c21/go.mod h1:NQHVAzMwvZ+Qe3ElSiHmq9RUm1MdNHpUZ52fiEqvn+0=
+gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987/go.mod h1:sxc3Uvk/vHcd3tj7/DHVBoR5wvWT/MmRq2pj7HRJnwU=
 honnef.co/go/gotraceui v0.2.0 h1:dmNsfQ9Vl3GwbiVD7Z8d/osC6WtGGrasyrC2suc4ZIQ=
 honnef.co/go/gotraceui v0.2.0/go.mod h1:qHo4/W75cA3bX0QQoSvDjbJa4R8mAyyFjbWAj63XElc=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -970,16 +1035,16 @@ k8s.io/client-go v0.31.0-alpha.0 h1:VVxcVKbqni0wAWd3rNuXcNcpE7gT6jvVLBe/YlWKu8s=
 k8s.io/client-go v0.31.0-alpha.0/go.mod h1:XM6Bsdnz08pV+PfIUNDOgblfG6PVLI9ll6xHMk1Ifso=
 k8s.io/component-base v0.31.0-alpha.0 h1:Wm2aXDIEXja0o6p/w3+MCAvvfQyvKRWEfSl82wdr1Bo=
 k8s.io/component-base v0.31.0-alpha.0/go.mod h1:MDaPQWtkCUMorX4RRF32PA4rYGmVx9k5uPIze58kixM=
-k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
-k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940 h1:qVoMaQV5t62UUvHe16Q3eb2c5HPzLHYzsi0Tu/xLndo=
 k8s.io/kube-openapi v0.0.0-20240322212309-b815d8309940/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
 k8s.io/kubectl v0.29.3 h1:RuwyyIU42MAISRIePaa8Q7A3U74Q9P4MoJbDFz9o3us=
 k8s.io/kubectl v0.29.3/go.mod h1:yCxfY1dbwgVdEt2zkJ6d5NNLOhhWgTyrqACIoFhpdd4=
-k8s.io/utils v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A=
-k8s.io/utils v0.0.0-20240310230437-4693a0247e57/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/controller-runtime v0.17.1-0.20240327193027-21368602d84b h1:ZQ+OFhT7H5LX/MrAYqJK9NWgyAEituKyU5XO2KQdHpo=
+sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw=
-sigs.k8s.io/controller-runtime v0.17.1-0.20240327193027-21368602d84b/go.mod h1:J31OHxL1QGCaT4cf24B9kcx8E2l7ohnVG4zxzlCuA9o=
+sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/kustomize/api v0.16.0 h1:/zAR4FOQDCkgSDmVzV2uiFbuy9bhu3jEzthrHCuvm1g=
@@ -990,5 +1055,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+s
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
-tags.cncf.io/container-device-interface v0.7.0 h1:9z94b0DPipEWShy5nct34ZRx5QnDxHXxhSTdkTr+k1c=
+tailscale.com v1.72.1 h1:hk82jek36ph2S3Tfsh57NVWKEm/pZ9nfUonvlowpfaA=
-tags.cncf.io/container-device-interface v0.7.0/go.mod h1:PZsuvtfPi0YOYD1hvulncIT7R7YoiZY7eOsrsllQPe4=
+tailscale.com v1.72.1/go.mod h1:v7OHtg0KLAnhOVf81Z8WrjNefj238QbFhgkWJQoKxbs=

pkg/core/gvisorstack.go

@@ -15,15 +15,6 @@ import (
 	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
 )
 
-var _ stack.UniqueID = (*ID)(nil)
-
-type ID struct {
-}
-
-func (i ID) UniqueID() uint64 {
-	return 1
-}
-
 func NewStack(ctx context.Context, tun stack.LinkEndpoint) *stack.Stack {
 	s := stack.New(stack.Options{
 		NetworkProtocols: []stack.NetworkProtocolFactory{
@@ -40,7 +31,6 @@ func NewStack(ctx context.Context, tun stack.LinkEndpoint) *stack.Stack {
 		// Enable raw sockets for users with sufficient
 		// privileges.
 		RawFactory: raw.EndpointFactory{},
-		UniqueID:   ID{},
 	})
 	// set handler for TCP UDP ICMP
 	s.SetTransportProtocolHandler(tcp.ProtocolNumber, TCPForwarder(s))

pkg/dns/dns.go

@@ -24,6 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/watch"
 	v13 "k8s.io/client-go/kubernetes/typed/core/v1"
+	"tailscale.com/net/dns"
 
 	"github.com/wencaiwulue/kubevpn/v2/pkg/config"
 )
@@ -35,6 +36,9 @@ type Config struct {
 
 	Hosts []Entry
 	Lock  *sync.Mutex
+
+	// only set it on linux
+	OSConfigurator dns.OSConfigurator
 }
 
 func (c *Config) AddServiceNameToHosts(ctx context.Context, serviceInterface v13.ServiceInterface, hosts ...Entry) error {

pkg/dns/dns_linux.go

@@ -5,7 +5,10 @@ package dns
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
+	"net"
+	"net/netip"
 	"os"
 	"os/exec"
 	"strings"
@@ -17,13 +20,16 @@ import (
 	miekgdns "github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/util/sets"
+	"tailscale.com/net/dns"
+	"tailscale.com/util/dnsname"
 )
 
+// SetupDNS
 // systemd-resolve --status, systemd-resolve --flush-caches
 func (c *Config) SetupDNS(ctx context.Context) error {
-	clientConfig := c.Config
+	config := c.Config
 	tunName := c.TunName
-
+	log.Debugf("Setting up DNS...")
 	// TODO consider use https://wiki.debian.org/NetworkManager and nmcli to config DNS
 	// try to solve:
 	// sudo systemd-resolve --set-dns 172.28.64.10 --interface tun0 --set-domain=vke-system.svc.cluster.local --set-domain=svc.cluster.local --set-domain=cluster.local
@@ -35,21 +41,35 @@ func (c *Config) SetupDNS(ctx context.Context) error {
 	_ = exec.Command("systemctl", "start", "systemd-resolved.service").Run()
 	//systemctl status systemd-resolved.service
 	_ = exec.Command("systemctl", "status", "systemd-resolved.service").Run()
-
+	log.Debugf("Enable service systemd resolved...")
-	cmd := exec.Command("systemd-resolve", []string{
+	var exists = func(cmd string) bool {
-		"--set-dns",
+		_, err := exec.LookPath(cmd)
-		clientConfig.Servers[0],
+		return err == nil
-		"--interface",
-		tunName,
-		"--set-domain=" + clientConfig.Search[0],
-		"--set-domain=" + clientConfig.Search[1],
-		"--set-domain=" + clientConfig.Search[2],
-	}...)
-	output, err := cmd.CombinedOutput()
-	if err != nil {
-		log.Debugf("Failed to exec cmd: %s, message: %s, ignore", strings.Join(cmd.Args, " "), string(output))
-		err = nil
 	}
+	log.Debugf("Try to setup DNS by resolvectl or systemd-resolve...")
+	if exists("resolvectl") {
+		_ = GetResolveCtlCmd(ctx, tunName, config)
+	}
+	if exists("systemd-resolve") {
+		_ = GetSystemdResolveCmd(ctx, tunName, config)
+	}
+
+	log.Debugf("Use library to setup DNS...")
+	// https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables
+	if _, found := os.LookupEnv("GITHUB_ACTIONS"); !found {
+		err := c.UseLibraryDNS(tunName, config)
+		if err == nil {
+			log.Debugf("Use library to setup DNS done")
+			return nil
+		} else if errors.Is(err, ErrorNotSupportSplitDNS) {
+			log.Debugf("Library not support on current OS")
+			err = nil
+		} else {
+			log.Errorf("Setup DNS by library failed: %v", err)
+			err = nil
+		}
+	}
+
 
 	filename := resolvconf.Path()
 	readFile, err := os.ReadFile(filename)
@@ -60,11 +80,77 @@ func (c *Config) SetupDNS(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
-	localResolvConf.Servers = append([]string{clientConfig.Servers[0]}, localResolvConf.Servers...)
+	localResolvConf.Servers = append([]string{config.Servers[0]}, localResolvConf.Servers...)
-	err = WriteResolvConf(*localResolvConf)
+	err = WriteResolvConf(resolvconf.Path(), *localResolvConf)
 	return err
 }
 
+// GetResolveCtlCmd
+// resolvectl dns utun0 10.10.129.161
+// resolvectl domain utun0 default.svc.cluster.local svc.cluster.local cluster.local
+func GetResolveCtlCmd(ctx context.Context, tunName string, config *miekgdns.ClientConfig) error {
+	cmd := exec.CommandContext(ctx, "resolvectl", "dns", tunName, config.Servers[0])
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		log.Debugf("Failed to exec cmd '%s': %s", strings.Join(cmd.Args, " "), string(output))
+		return err
+	}
+	cmd = exec.CommandContext(ctx, "resolvectl", "domain", tunName, config.Search[0], config.Search[1], config.Search[2])
+	output, err = cmd.CombinedOutput()
+	if err != nil {
+		log.Debugf("Failed to exec cmd '%s': %s", strings.Join(cmd.Args, " "), string(output))
+		return err
+	}
+	return nil
+}
+
+func GetSystemdResolveCmd(ctx context.Context, tunName string, config *miekgdns.ClientConfig) error {
+	cmd := exec.CommandContext(ctx, "systemd-resolve", []string{
+		"--set-dns",
+		config.Servers[0],
+		"--interface",
+		tunName,
+		"--set-domain=" + config.Search[0],
+		"--set-domain=" + config.Search[1],
+		"--set-domain=" + config.Search[2],
+	}...)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		log.Debugf("Failed to exec cmd '%s': %s", strings.Join(cmd.Args, " "), string(output))
+	}
+	return err
+}
+
+var ErrorNotSupportSplitDNS = errors.New("not support split DNS")
+
+func (c *Config) UseLibraryDNS(tunName string, clientConfig *miekgdns.ClientConfig) error {
+	configurator, err := dns.NewOSConfigurator(log.Debugf, nil, nil, tunName)
+	if err != nil {
+		return err
+	}
+	if !configurator.SupportsSplitDNS() {
+		return ErrorNotSupportSplitDNS
+	}
+	c.OSConfigurator = configurator
+	config := dns.OSConfig{Nameservers: []netip.Addr{}, SearchDomains: []dnsname.FQDN{}}
+	for _, s := range clientConfig.Servers {
+		ip, ok := netip.AddrFromSlice(net.ParseIP(s))
+		if !ok {
+			continue
+		}
+		config.Nameservers = append(config.Nameservers, ip)
+	}
+	for _, search := range clientConfig.Search {
+		fqdn, err := dnsname.ToFQDN(search)
+		if err != nil {
+			continue
+		}
+		config.SearchDomains = append(config.SearchDomains, fqdn)
+	}
+	log.Debugf("Setting up DNS...")
+	return c.OSConfigurator.SetDNS(config)
+}
+
 func SetupLocalDNS(ctx context.Context, clientConfig *miekgdns.ClientConfig, existNameservers []string) error {
 	corefile, err := BuildCoreFile(CoreFileTmpl{
 		UpstreamDNS: clientConfig.Servers[0],
@@ -93,6 +179,9 @@ func SetupLocalDNS(ctx context.Context, clientConfig *miekgdns.ClientConfig, exi
 
 func (c *Config) CancelDNS() {
 	c.removeHosts(sets.New[Entry]().Insert(c.Hosts...).UnsortedList())
+	if c.OSConfigurator != nil {
+		_ = c.OSConfigurator.Close()
+	}
 
 	filename := resolvconf.Path()
 	readFile, err := os.ReadFile(filename)
@@ -110,7 +199,7 @@ func (c *Config) CancelDNS() {
 			break
 		}
 	}
-	err = WriteResolvConf(*resolvConf)
+	err = WriteResolvConf(resolvconf.Path(), *resolvConf)
 	if err != nil {
 		log.Warnf("Failed to remove DNS from resolv conf file: %v", err)
 	}
@@ -120,7 +209,7 @@ func GetHostFile() string {
 	return "/etc/hosts"
 }
 
-func WriteResolvConf(config miekgdns.ClientConfig) error {
+func WriteResolvConf(filename string, config miekgdns.ClientConfig) error {
 	var options []string
 	if config.Ndots != 0 {
 		options = append(options, fmt.Sprintf("ndots:%d", config.Ndots))
@@ -132,7 +221,6 @@ func WriteResolvConf(config miekgdns.ClientConfig) error {
 		options = append(options, fmt.Sprintf("timeout:%d", config.Timeout))
 	}
 
-	filename := resolvconf.Path()
 	_, err := resolvconf.Build(filename, config.Servers, config.Search, options)
 	return err
 }

vendor/filippo.io/edwards25519/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/filippo.io/edwards25519/README.md

@@ -0,0 +1,14 @@
+# filippo.io/edwards25519
+
+```
+import "filippo.io/edwards25519"
+```
+
+This library implements the edwards25519 elliptic curve, exposing the necessary APIs to build a wide array of higher-level primitives.
+Read the docs at [pkg.go.dev/filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519).
+
+The code is originally derived from Adam Langley's internal implementation in the Go standard library, and includes George Tankersley's [performance improvements](https://golang.org/cl/71950). It was then further developed by Henry de Valence for use in ristretto255, and was finally [merged back into the Go standard library](https://golang.org/cl/276272) as of Go 1.17. It now tracks the upstream codebase and extends it with additional functionality.
+
+Most users don't need this package, and should instead use `crypto/ed25519` for signatures, `golang.org/x/crypto/curve25519` for Diffie-Hellman, or `github.com/gtank/ristretto255` for prime order group logic. However, for anyone currently using a fork of `crypto/internal/edwards25519`/`crypto/ed25519/internal/edwards25519` or `github.com/agl/edwards25519`, this package should be a safer, faster, and more powerful alternative.
+
+Since this package is meant to curb proliferation of edwards25519 implementations in the Go ecosystem, it welcomes requests for new APIs or reviewable performance improvements.

vendor/filippo.io/edwards25519/doc.go

@@ -0,0 +1,20 @@
+// Copyright (c) 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package edwards25519 implements group logic for the twisted Edwards curve
+//
+//	-x^2 + y^2 = 1 + -(121665/121666)*x^2*y^2
+//
+// This is better known as the Edwards curve equivalent to Curve25519, and is
+// the curve used by the Ed25519 signature scheme.
+//
+// Most users don't need this package, and should instead use crypto/ed25519 for
+// signatures, golang.org/x/crypto/curve25519 for Diffie-Hellman, or
+// github.com/gtank/ristretto255 for prime order group logic.
+//
+// However, developers who do need to interact with low-level edwards25519
+// operations can use this package, which is an extended version of
+// crypto/internal/edwards25519 from the standard library repackaged as
+// an importable module.
+package edwards25519

vendor/filippo.io/edwards25519/edwards25519.go

@@ -0,0 +1,427 @@
+// Copyright (c) 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package edwards25519
+
+import (
+	"errors"
+
+	"filippo.io/edwards25519/field"
+)
+
+// Point types.
+
+type projP1xP1 struct {
+	X, Y, Z, T field.Element
+}
+
+type projP2 struct {
+	X, Y, Z field.Element
+}
+
+// Point represents a point on the edwards25519 curve.
+//
+// This type works similarly to math/big.Int, and all arguments and receivers
+// are allowed to alias.
+//
+// The zero value is NOT valid, and it may be used only as a receiver.
+type Point struct {
+	// Make the type not comparable (i.e. used with == or as a map key), as
+	// equivalent points can be represented by different Go values.
+	_ incomparable
+
+	// The point is internally represented in extended coordinates (X, Y, Z, T)
+	// where x = X/Z, y = Y/Z, and xy = T/Z per https://eprint.iacr.org/2008/522.
+	x, y, z, t field.Element
+}
+
+type incomparable [0]func()
+
+func checkInitialized(points ...*Point) {
+	for _, p := range points {
+		if p.x == (field.Element{}) && p.y == (field.Element{}) {
+			panic("edwards25519: use of uninitialized Point")
+		}
+	}
+}
+
+type projCached struct {
+	YplusX, YminusX, Z, T2d field.Element
+}
+
+type affineCached struct {
+	YplusX, YminusX, T2d field.Element
+}
+
+// Constructors.
+
+func (v *projP2) Zero() *projP2 {
+	v.X.Zero()
+	v.Y.One()
+	v.Z.One()
+	return v
+}
+
+// identity is the point at infinity.
+var identity, _ = new(Point).SetBytes([]byte{
+	1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0})
+
+// NewIdentityPoint returns a new Point set to the identity.
+func NewIdentityPoint() *Point {
+	return new(Point).Set(identity)
+}
+
+// generator is the canonical curve basepoint. See TestGenerator for the
+// correspondence of this encoding with the values in RFC 8032.
+var generator, _ = new(Point).SetBytes([]byte{
+	0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+	0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66})
+
+// NewGeneratorPoint returns a new Point set to the canonical generator.
+func NewGeneratorPoint() *Point {
+	return new(Point).Set(generator)
+}
+
+func (v *projCached) Zero() *projCached {
+	v.YplusX.One()
+	v.YminusX.One()
+	v.Z.One()
+	v.T2d.Zero()
+	return v
+}
+
+func (v *affineCached) Zero() *affineCached {
+	v.YplusX.One()
+	v.YminusX.One()
+	v.T2d.Zero()
+	return v
+}
+
+// Assignments.
+
+// Set sets v = u, and returns v.
+func (v *Point) Set(u *Point) *Point {
+	*v = *u
+	return v
+}
+
+// Encoding.
+
+// Bytes returns the canonical 32-byte encoding of v, according to RFC 8032,
+// Section 5.1.2.
+func (v *Point) Bytes() []byte {
+	// This function is outlined to make the allocations inline in the caller
+	// rather than happen on the heap.
+	var buf [32]byte
+	return v.bytes(&buf)
+}
+
+func (v *Point) bytes(buf *[32]byte) []byte {
+	checkInitialized(v)
+
+	var zInv, x, y field.Element
+	zInv.Invert(&v.z)       // zInv = 1 / Z
+	x.Multiply(&v.x, &zInv) // x = X / Z
+	y.Multiply(&v.y, &zInv) // y = Y / Z
+
+	out := copyFieldElement(buf, &y)
+	out[31] |= byte(x.IsNegative() << 7)
+	return out
+}
+
+var feOne = new(field.Element).One()
+
+// SetBytes sets v = x, where x is a 32-byte encoding of v. If x does not
+// represent a valid point on the curve, SetBytes returns nil and an error and
+// the receiver is unchanged. Otherwise, SetBytes returns v.
+//
+// Note that SetBytes accepts all non-canonical encodings of valid points.
+// That is, it follows decoding rules that match most implementations in
+// the ecosystem rather than RFC 8032.
+func (v *Point) SetBytes(x []byte) (*Point, error) {
+	// Specifically, the non-canonical encodings that are accepted are
+	//   1) the ones where the field element is not reduced (see the
+	//      (*field.Element).SetBytes docs) and
+	//   2) the ones where the x-coordinate is zero and the sign bit is set.
+	//
+	// Read more at https://hdevalence.ca/blog/2020-10-04-its-25519am,
+	// specifically the "Canonical A, R" section.
+
+	y, err := new(field.Element).SetBytes(x)
+	if err != nil {
+		return nil, errors.New("edwards25519: invalid point encoding length")
+	}
+
+	// -x² + y² = 1 + dx²y²
+	// x² + dx²y² = x²(dy² + 1) = y² - 1
+	// x² = (y² - 1) / (dy² + 1)
+
+	// u = y² - 1
+	y2 := new(field.Element).Square(y)
+	u := new(field.Element).Subtract(y2, feOne)
+
+	// v = dy² + 1
+	vv := new(field.Element).Multiply(y2, d)
+	vv = vv.Add(vv, feOne)
+
+	// x = +√(u/v)
+	xx, wasSquare := new(field.Element).SqrtRatio(u, vv)
+	if wasSquare == 0 {
+		return nil, errors.New("edwards25519: invalid point encoding")
+	}
+
+	// Select the negative square root if the sign bit is set.
+	xxNeg := new(field.Element).Negate(xx)
+	xx = xx.Select(xxNeg, xx, int(x[31]>>7))
+
+	v.x.Set(xx)
+	v.y.Set(y)
+	v.z.One()
+	v.t.Multiply(xx, y) // xy = T / Z
+
+	return v, nil
+}
+
+func copyFieldElement(buf *[32]byte, v *field.Element) []byte {
+	copy(buf[:], v.Bytes())
+	return buf[:]
+}
+
+// Conversions.
+
+func (v *projP2) FromP1xP1(p *projP1xP1) *projP2 {
+	v.X.Multiply(&p.X, &p.T)
+	v.Y.Multiply(&p.Y, &p.Z)
+	v.Z.Multiply(&p.Z, &p.T)
+	return v
+}
+
+func (v *projP2) FromP3(p *Point) *projP2 {
+	v.X.Set(&p.x)
+	v.Y.Set(&p.y)
+	v.Z.Set(&p.z)
+	return v
+}
+
+func (v *Point) fromP1xP1(p *projP1xP1) *Point {
+	v.x.Multiply(&p.X, &p.T)
+	v.y.Multiply(&p.Y, &p.Z)
+	v.z.Multiply(&p.Z, &p.T)
+	v.t.Multiply(&p.X, &p.Y)
+	return v
+}
+
+func (v *Point) fromP2(p *projP2) *Point {
+	v.x.Multiply(&p.X, &p.Z)
+	v.y.Multiply(&p.Y, &p.Z)
+	v.z.Square(&p.Z)
+	v.t.Multiply(&p.X, &p.Y)
+	return v
+}
+
+// d is a constant in the curve equation.
+var d, _ = new(field.Element).SetBytes([]byte{
+	0xa3, 0x78, 0x59, 0x13, 0xca, 0x4d, 0xeb, 0x75,
+	0xab, 0xd8, 0x41, 0x41, 0x4d, 0x0a, 0x70, 0x00,
+	0x98, 0xe8, 0x79, 0x77, 0x79, 0x40, 0xc7, 0x8c,
+	0x73, 0xfe, 0x6f, 0x2b, 0xee, 0x6c, 0x03, 0x52})
+var d2 = new(field.Element).Add(d, d)
+
+func (v *projCached) FromP3(p *Point) *projCached {
+	v.YplusX.Add(&p.y, &p.x)
+	v.YminusX.Subtract(&p.y, &p.x)
+	v.Z.Set(&p.z)
+	v.T2d.Multiply(&p.t, d2)
+	return v
+}
+
+func (v *affineCached) FromP3(p *Point) *affineCached {
+	v.YplusX.Add(&p.y, &p.x)
+	v.YminusX.Subtract(&p.y, &p.x)
+	v.T2d.Multiply(&p.t, d2)
+
+	var invZ field.Element
+	invZ.Invert(&p.z)
+	v.YplusX.Multiply(&v.YplusX, &invZ)
+	v.YminusX.Multiply(&v.YminusX, &invZ)
+	v.T2d.Multiply(&v.T2d, &invZ)
+	return v
+}
+
+// (Re)addition and subtraction.
+
+// Add sets v = p + q, and returns v.
+func (v *Point) Add(p, q *Point) *Point {
+	checkInitialized(p, q)
+	qCached := new(projCached).FromP3(q)
+	result := new(projP1xP1).Add(p, qCached)
+	return v.fromP1xP1(result)
+}
+
+// Subtract sets v = p - q, and returns v.
+func (v *Point) Subtract(p, q *Point) *Point {
+	checkInitialized(p, q)
+	qCached := new(projCached).FromP3(q)
+	result := new(projP1xP1).Sub(p, qCached)
+	return v.fromP1xP1(result)
+}
+
+func (v *projP1xP1) Add(p *Point, q *projCached) *projP1xP1 {
+	var YplusX, YminusX, PP, MM, TT2d, ZZ2 field.Element
+
+	YplusX.Add(&p.y, &p.x)
+	YminusX.Subtract(&p.y, &p.x)
+
+	PP.Multiply(&YplusX, &q.YplusX)
+	MM.Multiply(&YminusX, &q.YminusX)
+	TT2d.Multiply(&p.t, &q.T2d)
+	ZZ2.Multiply(&p.z, &q.Z)
+
+	ZZ2.Add(&ZZ2, &ZZ2)
+
+	v.X.Subtract(&PP, &MM)
+	v.Y.Add(&PP, &MM)
+	v.Z.Add(&ZZ2, &TT2d)
+	v.T.Subtract(&ZZ2, &TT2d)
+	return v
+}
+
+func (v *projP1xP1) Sub(p *Point, q *projCached) *projP1xP1 {
+	var YplusX, YminusX, PP, MM, TT2d, ZZ2 field.Element
+
+	YplusX.Add(&p.y, &p.x)
+	YminusX.Subtract(&p.y, &p.x)
+
+	PP.Multiply(&YplusX, &q.YminusX) // flipped sign
+	MM.Multiply(&YminusX, &q.YplusX) // flipped sign
+	TT2d.Multiply(&p.t, &q.T2d)
+	ZZ2.Multiply(&p.z, &q.Z)
+
+	ZZ2.Add(&ZZ2, &ZZ2)
+
+	v.X.Subtract(&PP, &MM)
+	v.Y.Add(&PP, &MM)
+	v.Z.Subtract(&ZZ2, &TT2d) // flipped sign
+	v.T.Add(&ZZ2, &TT2d)      // flipped sign
+	return v
+}
+
+func (v *projP1xP1) AddAffine(p *Point, q *affineCached) *projP1xP1 {
+	var YplusX, YminusX, PP, MM, TT2d, Z2 field.Element
+
+	YplusX.Add(&p.y, &p.x)
+	YminusX.Subtract(&p.y, &p.x)
+
+	PP.Multiply(&YplusX, &q.YplusX)
+	MM.Multiply(&YminusX, &q.YminusX)
+	TT2d.Multiply(&p.t, &q.T2d)
+
+	Z2.Add(&p.z, &p.z)
+
+	v.X.Subtract(&PP, &MM)
+	v.Y.Add(&PP, &MM)
+	v.Z.Add(&Z2, &TT2d)
+	v.T.Subtract(&Z2, &TT2d)
+	return v
+}
+
+func (v *projP1xP1) SubAffine(p *Point, q *affineCached) *projP1xP1 {
+	var YplusX, YminusX, PP, MM, TT2d, Z2 field.Element
+
+	YplusX.Add(&p.y, &p.x)
+	YminusX.Subtract(&p.y, &p.x)
+
+	PP.Multiply(&YplusX, &q.YminusX) // flipped sign
+	MM.Multiply(&YminusX, &q.YplusX) // flipped sign
+	TT2d.Multiply(&p.t, &q.T2d)
+
+	Z2.Add(&p.z, &p.z)
+
+	v.X.Subtract(&PP, &MM)
+	v.Y.Add(&PP, &MM)
+	v.Z.Subtract(&Z2, &TT2d) // flipped sign
+	v.T.Add(&Z2, &TT2d)      // flipped sign
+	return v
+}
+
+// Doubling.
+
+func (v *projP1xP1) Double(p *projP2) *projP1xP1 {
+	var XX, YY, ZZ2, XplusYsq field.Element
+
+	XX.Square(&p.X)
+	YY.Square(&p.Y)
+	ZZ2.Square(&p.Z)
+	ZZ2.Add(&ZZ2, &ZZ2)
+	XplusYsq.Add(&p.X, &p.Y)
+	XplusYsq.Square(&XplusYsq)
+
+	v.Y.Add(&YY, &XX)
+	v.Z.Subtract(&YY, &XX)
+
+	v.X.Subtract(&XplusYsq, &v.Y)
+	v.T.Subtract(&ZZ2, &v.Z)
+	return v
+}
+
+// Negation.
+
+// Negate sets v = -p, and returns v.
+func (v *Point) Negate(p *Point) *Point {
+	checkInitialized(p)
+	v.x.Negate(&p.x)
+	v.y.Set(&p.y)
+	v.z.Set(&p.z)
+	v.t.Negate(&p.t)
+	return v
+}
+
+// Equal returns 1 if v is equivalent to u, and 0 otherwise.
+func (v *Point) Equal(u *Point) int {
+	checkInitialized(v, u)
+
+	var t1, t2, t3, t4 field.Element
+	t1.Multiply(&v.x, &u.z)
+	t2.Multiply(&u.x, &v.z)
+	t3.Multiply(&v.y, &u.z)
+	t4.Multiply(&u.y, &v.z)
+
+	return t1.Equal(&t2) & t3.Equal(&t4)
+}
+
+// Constant-time operations
+
+// Select sets v to a if cond == 1 and to b if cond == 0.
+func (v *projCached) Select(a, b *projCached, cond int) *projCached {
+	v.YplusX.Select(&a.YplusX, &b.YplusX, cond)
+	v.YminusX.Select(&a.YminusX, &b.YminusX, cond)
+	v.Z.Select(&a.Z, &b.Z, cond)
+	v.T2d.Select(&a.T2d, &b.T2d, cond)
+	return v
+}
+
+// Select sets v to a if cond == 1 and to b if cond == 0.
+func (v *affineCached) Select(a, b *affineCached, cond int) *affineCached {
+	v.YplusX.Select(&a.YplusX, &b.YplusX, cond)
+	v.YminusX.Select(&a.YminusX, &b.YminusX, cond)
+	v.T2d.Select(&a.T2d, &b.T2d, cond)
+	return v
+}
+
+// CondNeg negates v if cond == 1 and leaves it unchanged if cond == 0.
+func (v *projCached) CondNeg(cond int) *projCached {
+	v.YplusX.Swap(&v.YminusX, cond)
+	v.T2d.Select(new(field.Element).Negate(&v.T2d), &v.T2d, cond)
+	return v
+}
+
+// CondNeg negates v if cond == 1 and leaves it unchanged if cond == 0.
+func (v *affineCached) CondNeg(cond int) *affineCached {
+	v.YplusX.Swap(&v.YminusX, cond)
+	v.T2d.Select(new(field.Element).Negate(&v.T2d), &v.T2d, cond)
+	return v
+}

vendor/filippo.io/edwards25519/extra.go

@@ -0,0 +1,349 @@
+// Copyright (c) 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package edwards25519
+
+// This file contains additional functionality that is not included in the
+// upstream crypto/internal/edwards25519 package.
+
+import (
+	"errors"
+
+	"filippo.io/edwards25519/field"
+)
+
+// ExtendedCoordinates returns v in extended coordinates (X:Y:Z:T) where
+// x = X/Z, y = Y/Z, and xy = T/Z as in https://eprint.iacr.org/2008/522.
+func (v *Point) ExtendedCoordinates() (X, Y, Z, T *field.Element) {
+	// This function is outlined to make the allocations inline in the caller
+	// rather than happen on the heap. Don't change the style without making
+	// sure it doesn't increase the inliner cost.
+	var e [4]field.Element
+	X, Y, Z, T = v.extendedCoordinates(&e)
+	return
+}
+
+func (v *Point) extendedCoordinates(e *[4]field.Element) (X, Y, Z, T *field.Element) {
+	checkInitialized(v)
+	X = e[0].Set(&v.x)
+	Y = e[1].Set(&v.y)
+	Z = e[2].Set(&v.z)
+	T = e[3].Set(&v.t)
+	return
+}
+
+// SetExtendedCoordinates sets v = (X:Y:Z:T) in extended coordinates where
+// x = X/Z, y = Y/Z, and xy = T/Z as in https://eprint.iacr.org/2008/522.
+//
+// If the coordinates are invalid or don't represent a valid point on the curve,
+// SetExtendedCoordinates returns nil and an error and the receiver is
+// unchanged. Otherwise, SetExtendedCoordinates returns v.
+func (v *Point) SetExtendedCoordinates(X, Y, Z, T *field.Element) (*Point, error) {
+	if !isOnCurve(X, Y, Z, T) {
+		return nil, errors.New("edwards25519: invalid point coordinates")
+	}
+	v.x.Set(X)
+	v.y.Set(Y)
+	v.z.Set(Z)
+	v.t.Set(T)
+	return v, nil
+}
+
+func isOnCurve(X, Y, Z, T *field.Element) bool {
+	var lhs, rhs field.Element
+	XX := new(field.Element).Square(X)
+	YY := new(field.Element).Square(Y)
+	ZZ := new(field.Element).Square(Z)
+	TT := new(field.Element).Square(T)
+	// -x² + y² = 1 + dx²y²
+	// -(X/Z)² + (Y/Z)² = 1 + d(T/Z)²
+	// -X² + Y² = Z² + dT²
+	lhs.Subtract(YY, XX)
+	rhs.Multiply(d, TT).Add(&rhs, ZZ)
+	if lhs.Equal(&rhs) != 1 {
+		return false
+	}
+	// xy = T/Z
+	// XY/Z² = T/Z
+	// XY = TZ
+	lhs.Multiply(X, Y)
+	rhs.Multiply(T, Z)
+	return lhs.Equal(&rhs) == 1
+}
+
+// BytesMontgomery converts v to a point on the birationally-equivalent
+// Curve25519 Montgomery curve, and returns its canonical 32 bytes encoding
+// according to RFC 7748.
+//
+// Note that BytesMontgomery only encodes the u-coordinate, so v and -v encode
+// to the same value. If v is the identity point, BytesMontgomery returns 32
+// zero bytes, analogously to the X25519 function.
+//
+// The lack of an inverse operation (such as SetMontgomeryBytes) is deliberate:
+// while every valid edwards25519 point has a unique u-coordinate Montgomery
+// encoding, X25519 accepts inputs on the quadratic twist, which don't correspond
+// to any edwards25519 point, and every other X25519 input corresponds to two
+// edwards25519 points.
+func (v *Point) BytesMontgomery() []byte {
+	// This function is outlined to make the allocations inline in the caller
+	// rather than happen on the heap.
+	var buf [32]byte
+	return v.bytesMontgomery(&buf)
+}
+
+func (v *Point) bytesMontgomery(buf *[32]byte) []byte {
+	checkInitialized(v)
+
+	// RFC 7748, Section 4.1 provides the bilinear map to calculate the
+	// Montgomery u-coordinate
+	//
+	//              u = (1 + y) / (1 - y)
+	//
+	// where y = Y / Z.
+
+	var y, recip, u field.Element
+
+	y.Multiply(&v.y, y.Invert(&v.z))        // y = Y / Z
+	recip.Invert(recip.Subtract(feOne, &y)) // r = 1/(1 - y)
+	u.Multiply(u.Add(feOne, &y), &recip)    // u = (1 + y)*r
+
+	return copyFieldElement(buf, &u)
+}
+
+// MultByCofactor sets v = 8 * p, and returns v.
+func (v *Point) MultByCofactor(p *Point) *Point {
+	checkInitialized(p)
+	result := projP1xP1{}
+	pp := (&projP2{}).FromP3(p)
+	result.Double(pp)
+	pp.FromP1xP1(&result)
+	result.Double(pp)
+	pp.FromP1xP1(&result)
+	result.Double(pp)
+	return v.fromP1xP1(&result)
+}
+
+// Given k > 0, set s = s**(2*i).
+func (s *Scalar) pow2k(k int) {
+	for i := 0; i < k; i++ {
+		s.Multiply(s, s)
+	}
+}
+
+// Invert sets s to the inverse of a nonzero scalar v, and returns s.
+//
+// If t is zero, Invert returns zero.
+func (s *Scalar) Invert(t *Scalar) *Scalar {
+	// Uses a hardcoded sliding window of width 4.
+	var table [8]Scalar
+	var tt Scalar
+	tt.Multiply(t, t)
+	table[0] = *t
+	for i := 0; i < 7; i++ {
+		table[i+1].Multiply(&table[i], &tt)
+	}
+	// Now table = [t**1, t**3, t**5, t**7, t**9, t**11, t**13, t**15]
+	// so t**k = t[k/2] for odd k
+
+	// To compute the sliding window digits, use the following Sage script:
+
+	// sage: import itertools
+	// sage: def sliding_window(w,k):
+	// ....:     digits = []
+	// ....:     while k > 0:
+	// ....:         if k % 2 == 1:
+	// ....:             kmod = k % (2**w)
+	// ....:             digits.append(kmod)
+	// ....:             k = k - kmod
+	// ....:         else:
+	// ....:             digits.append(0)
+	// ....:         k = k // 2
+	// ....:     return digits
+
+	// Now we can compute s roughly as follows:
+
+	// sage: s = 1
+	// sage: for coeff in reversed(sliding_window(4,l-2)):
+	// ....:     s = s*s
+	// ....:     if coeff > 0 :
+	// ....:         s = s*t**coeff
+
+	// This works on one bit at a time, with many runs of zeros.
+	// The digits can be collapsed into [(count, coeff)] as follows:
+
+	// sage: [(len(list(group)),d) for d,group in itertools.groupby(sliding_window(4,l-2))]
+
+	// Entries of the form (k, 0) turn into pow2k(k)
+	// Entries of the form (1, coeff) turn into a squaring and then a table lookup.
+	// We can fold the squaring into the previous pow2k(k) as pow2k(k+1).
+
+	*s = table[1/2]
+	s.pow2k(127 + 1)
+	s.Multiply(s, &table[1/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[9/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[11/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[13/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[15/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[7/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[15/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[5/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[1/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[15/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[15/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[7/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[3/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[11/2])
+	s.pow2k(5 + 1)
+	s.Multiply(s, &table[11/2])
+	s.pow2k(9 + 1)
+	s.Multiply(s, &table[9/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[3/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[3/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[3/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[9/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[7/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[3/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[13/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[7/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[9/2])
+	s.pow2k(3 + 1)
+	s.Multiply(s, &table[15/2])
+	s.pow2k(4 + 1)
+	s.Multiply(s, &table[11/2])
+
+	return s
+}
+
+// MultiScalarMult sets v = sum(scalars[i] * points[i]), and returns v.
+//
+// Execution time depends only on the lengths of the two slices, which must match.
+func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point {
+	if len(scalars) != len(points) {
+		panic("edwards25519: called MultiScalarMult with different size inputs")
+	}
+	checkInitialized(points...)
+
+	// Proceed as in the single-base case, but share doublings
+	// between each point in the multiscalar equation.
+
+	// Build lookup tables for each point
+	tables := make([]projLookupTable, len(points))
+	for i := range tables {
+		tables[i].FromP3(points[i])
+	}
+	// Compute signed radix-16 digits for each scalar
+	digits := make([][64]int8, len(scalars))
+	for i := range digits {
+		digits[i] = scalars[i].signedRadix16()
+	}
+
+	// Unwrap first loop iteration to save computing 16*identity
+	multiple := &projCached{}
+	tmp1 := &projP1xP1{}
+	tmp2 := &projP2{}
+	// Lookup-and-add the appropriate multiple of each input point
+	for j := range tables {
+		tables[j].SelectInto(multiple, digits[j][63])
+		tmp1.Add(v, multiple) // tmp1 = v + x_(j,63)*Q in P1xP1 coords
+		v.fromP1xP1(tmp1)     // update v
+	}
+	tmp2.FromP3(v) // set up tmp2 = v in P2 coords for next iteration
+	for i := 62; i >= 0; i-- {
+		tmp1.Double(tmp2)    // tmp1 =  2*(prev) in P1xP1 coords
+		tmp2.FromP1xP1(tmp1) // tmp2 =  2*(prev) in P2 coords
+		tmp1.Double(tmp2)    // tmp1 =  4*(prev) in P1xP1 coords
+		tmp2.FromP1xP1(tmp1) // tmp2 =  4*(prev) in P2 coords
+		tmp1.Double(tmp2)    // tmp1 =  8*(prev) in P1xP1 coords
+		tmp2.FromP1xP1(tmp1) // tmp2 =  8*(prev) in P2 coords
+		tmp1.Double(tmp2)    // tmp1 = 16*(prev) in P1xP1 coords
+		v.fromP1xP1(tmp1)    //    v = 16*(prev) in P3 coords
+		// Lookup-and-add the appropriate multiple of each input point
+		for j := range tables {
+			tables[j].SelectInto(multiple, digits[j][i])
+			tmp1.Add(v, multiple) // tmp1 = v + x_(j,i)*Q in P1xP1 coords
+			v.fromP1xP1(tmp1)     // update v
+		}
+		tmp2.FromP3(v) // set up tmp2 = v in P2 coords for next iteration
+	}
+	return v
+}
+
+// VarTimeMultiScalarMult sets v = sum(scalars[i] * points[i]), and returns v.
+//
+// Execution time depends on the inputs.
+func (v *Point) VarTimeMultiScalarMult(scalars []*Scalar, points []*Point) *Point {
+	if len(scalars) != len(points) {
+		panic("edwards25519: called VarTimeMultiScalarMult with different size inputs")
+	}
+	checkInitialized(points...)
+
+	// Generalize double-base NAF computation to arbitrary sizes.
+	// Here all the points are dynamic, so we only use the smaller
+	// tables.
+
+	// Build lookup tables for each point
+	tables := make([]nafLookupTable5, len(points))
+	for i := range tables {
+		tables[i].FromP3(points[i])
+	}
+	// Compute a NAF for each scalar
+	nafs := make([][256]int8, len(scalars))
+	for i := range nafs {
+		nafs[i] = scalars[i].nonAdjacentForm(5)
+	}
+
+	multiple := &projCached{}
+	tmp1 := &projP1xP1{}
+	tmp2 := &projP2{}
+	tmp2.Zero()
+
+	// Move from high to low bits, doubling the accumulator
+	// at each iteration and checking whether there is a nonzero
+	// coefficient to look up a multiple of.
+	//
+	// Skip trying to find the first nonzero coefficent, because
+	// searching might be more work than a few extra doublings.
+	for i := 255; i >= 0; i-- {
+		tmp1.Double(tmp2)
+
+		for j := range nafs {
+			if nafs[j][i] > 0 {
+				v.fromP1xP1(tmp1)
+				tables[j].SelectInto(multiple, nafs[j][i])
+				tmp1.Add(v, multiple)
+			} else if nafs[j][i] < 0 {
+				v.fromP1xP1(tmp1)
+				tables[j].SelectInto(multiple, -nafs[j][i])
+				tmp1.Sub(v, multiple)
+			}
+		}
+
+		tmp2.FromP1xP1(tmp1)
+	}
+
+	v.fromP2(tmp2)
+	return v
+}

vendor/filippo.io/edwards25519/field/fe.go

@@ -8,6 +8,7 @@ package field
 import (
 	"crypto/subtle"
 	"encoding/binary"
+	"errors"
 	"math/bits"
 )
 
@@ -92,7 +93,7 @@ func (v *Element) Add(a, b *Element) *Element {
 	// Using the generic implementation here is actually faster than the
 	// assembly. Probably because the body of this function is so simple that
 	// the compiler can figure out better optimizations by inlining the carry
-	// propagation. TODO
+	// propagation.
 	return v.carryPropagateGeneric()
 }
 
@@ -186,14 +187,17 @@ func (v *Element) Set(a *Element) *Element {
 	return v
 }
 
-// SetBytes sets v to x, which must be a 32-byte little-endian encoding.
+// SetBytes sets v to x, where x is a 32-byte little-endian encoding. If x is
+// not of the right length, SetBytes returns nil and an error, and the
+// receiver is unchanged.
 //
 // Consistent with RFC 7748, the most significant bit (the high bit of the
 // last byte) is ignored, and non-canonical values (2^255-19 through 2^255-1)
-// are accepted. Note that this is laxer than specified by RFC 8032.
+// are accepted. Note that this is laxer than specified by RFC 8032, but
-func (v *Element) SetBytes(x []byte) *Element {
+// consistent with most Ed25519 implementations.
+func (v *Element) SetBytes(x []byte) (*Element, error) {
 	if len(x) != 32 {
-		panic("edwards25519: invalid field element input size")
+		return nil, errors.New("edwards25519: invalid field element input size")
 	}
 
 	// Bits 0:51 (bytes 0:8, bits 0:64, shift 0, mask 51).
@@ -208,12 +212,12 @@ func (v *Element) SetBytes(x []byte) *Element {
 	// Bits 153:204 (bytes 19:27, bits 152:216, shift 1, mask 51).
 	v.l3 = binary.LittleEndian.Uint64(x[19:27]) >> 1
 	v.l3 &= maskLow51Bits
-	// Bits 204:251 (bytes 24:32, bits 192:256, shift 12, mask 51).
+	// Bits 204:255 (bytes 24:32, bits 192:256, shift 12, mask 51).
 	// Note: not bytes 25:33, shift 4, to avoid overread.
 	v.l4 = binary.LittleEndian.Uint64(x[24:32]) >> 12
 	v.l4 &= maskLow51Bits
 
-	return v
+	return v, nil
 }
 
 // Bytes returns the canonical 32-byte little-endian encoding of v.
@@ -391,26 +395,26 @@ var sqrtM1 = &Element{1718705420411056, 234908883556509,
 // If u/v is square, SqrtRatio returns r and 1. If u/v is not square, SqrtRatio
 // sets r according to Section 4.3 of draft-irtf-cfrg-ristretto255-decaf448-00,
 // and returns r and 0.
-func (r *Element) SqrtRatio(u, v *Element) (rr *Element, wasSquare int) {
+func (r *Element) SqrtRatio(u, v *Element) (R *Element, wasSquare int) {
-	var a, b Element
+	t0 := new(Element)
 
 	// r = (u * v3) * (u * v7)^((p-5)/8)
-	v2 := a.Square(v)
+	v2 := new(Element).Square(v)
-	uv3 := b.Multiply(u, b.Multiply(v2, v))
+	uv3 := new(Element).Multiply(u, t0.Multiply(v2, v))
-	uv7 := a.Multiply(uv3, a.Square(v2))
+	uv7 := new(Element).Multiply(uv3, t0.Square(v2))
-	r.Multiply(uv3, r.Pow22523(uv7))
+	rr := new(Element).Multiply(uv3, t0.Pow22523(uv7))
 
-	check := a.Multiply(v, a.Square(r)) // check = v * r^2
+	check := new(Element).Multiply(v, t0.Square(rr)) // check = v * r^2
 
-	uNeg := b.Negate(u)
+	uNeg := new(Element).Negate(u)
 	correctSignSqrt := check.Equal(u)
 	flippedSignSqrt := check.Equal(uNeg)
-	flippedSignSqrtI := check.Equal(uNeg.Multiply(uNeg, sqrtM1))
+	flippedSignSqrtI := check.Equal(t0.Multiply(uNeg, sqrtM1))
 
-	rPrime := b.Multiply(r, sqrtM1) // r_prime = SQRT_M1 * r
+	rPrime := new(Element).Multiply(rr, sqrtM1) // r_prime = SQRT_M1 * r
 	// r = CT_SELECT(r_prime IF flipped_sign_sqrt | flipped_sign_sqrt_i ELSE r)
-	r.Select(rPrime, r, flippedSignSqrt|flippedSignSqrtI)
+	rr.Select(rPrime, rr, flippedSignSqrt|flippedSignSqrtI)
 
-	r.Absolute(r) // Choose the nonnegative square root.
+	r.Absolute(rr) // Choose the nonnegative square root.
 	return r, correctSignSqrt | flippedSignSqrt
 }

vendor/filippo.io/edwards25519/field/fe_amd64.go

@@ -1,6 +1,7 @@
 // Code generated by command: go run fe_amd64_asm.go -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field. DO NOT EDIT.
 
 //go:build amd64 && gc && !purego
+// +build amd64,gc,!purego
 
 package field
 

vendor/filippo.io/edwards25519/field/fe_amd64.s

@@ -1,6 +1,7 @@
 // Code generated by command: go run fe_amd64_asm.go -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field. DO NOT EDIT.
 
 //go:build amd64 && gc && !purego
+// +build amd64,gc,!purego
 
 #include "textflag.h"
 

vendor/filippo.io/edwards25519/field/fe_amd64_noasm.go

@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.
 
 //go:build !amd64 || !gc || purego
+// +build !amd64 !gc purego
 
 package field
 

vendor/filippo.io/edwards25519/field/fe_arm64.go

@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.
 
 //go:build arm64 && gc && !purego
+// +build arm64,gc,!purego
 
 package field
 

vendor/filippo.io/edwards25519/field/fe_arm64_noasm.go

@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.
 
 //go:build !arm64 || !gc || purego
+// +build !arm64 !gc purego
 
 package field
 

vendor/filippo.io/edwards25519/field/fe_extra.go

@@ -0,0 +1,50 @@
+// Copyright (c) 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package field
+
+import "errors"
+
+// This file contains additional functionality that is not included in the
+// upstream crypto/ed25519/edwards25519/field package.
+
+// SetWideBytes sets v to x, where x is a 64-byte little-endian encoding, which
+// is reduced modulo the field order. If x is not of the right length,
+// SetWideBytes returns nil and an error, and the receiver is unchanged.
+//
+// SetWideBytes is not necessary to select a uniformly distributed value, and is
+// only provided for compatibility: SetBytes can be used instead as the chance
+// of bias is less than 2⁻²⁵⁰.
+func (v *Element) SetWideBytes(x []byte) (*Element, error) {
+	if len(x) != 64 {
+		return nil, errors.New("edwards25519: invalid SetWideBytes input size")
+	}
+
+	// Split the 64 bytes into two elements, and extract the most significant
+	// bit of each, which is ignored by SetBytes.
+	lo, _ := new(Element).SetBytes(x[:32])
+	loMSB := uint64(x[31] >> 7)
+	hi, _ := new(Element).SetBytes(x[32:])
+	hiMSB := uint64(x[63] >> 7)
+
+	// The output we want is
+	//
+	//   v = lo + loMSB * 2²⁵⁵ + hi * 2²⁵⁶ + hiMSB * 2⁵¹¹
+	//
+	// which applying the reduction identity comes out to
+	//
+	//   v = lo + loMSB * 19 + hi * 2 * 19 + hiMSB * 2 * 19²
+	//
+	// l0 will be the sum of a 52 bits value (lo.l0), plus a 5 bits value
+	// (loMSB * 19), a 6 bits value (hi.l0 * 2 * 19), and a 10 bits value
+	// (hiMSB * 2 * 19²), so it fits in a uint64.
+
+	v.l0 = lo.l0 + loMSB*19 + hi.l0*2*19 + hiMSB*2*19*19
+	v.l1 = lo.l1 + hi.l1*2*19
+	v.l2 = lo.l2 + hi.l2*2*19
+	v.l3 = lo.l3 + hi.l3*2*19
+	v.l4 = lo.l4 + hi.l4*2*19
+
+	return v.carryPropagate(), nil
+}

vendor/filippo.io/edwards25519/field/fe_generic.go

@@ -156,7 +156,7 @@ func feMulGeneric(v, a, b *Element) {
 	rr4 := r4.lo&maskLow51Bits + c3
 
 	// Now all coefficients fit into 64-bit registers but are still too large to
-	// be passed around as a Element. We therefore do one last carry chain,
+	// be passed around as an Element. We therefore do one last carry chain,
 	// where the carries will be small enough to fit in the wiggle room above 2⁵¹.
 	*v = Element{rr0, rr1, rr2, rr3, rr4}
 	v.carryPropagate()
@@ -246,7 +246,7 @@ func feSquareGeneric(v, a *Element) {
 }
 
 // carryPropagateGeneric brings the limbs below 52 bits by applying the reduction
-// identity (a * 2²⁵⁵ + b = a * 19 + b) to the l4 carry. TODO inline
+// identity (a * 2²⁵⁵ + b = a * 19 + b) to the l4 carry.
 func (v *Element) carryPropagateGeneric() *Element {
 	c0 := v.l0 >> 51
 	c1 := v.l1 >> 51
@@ -254,6 +254,8 @@ func (v *Element) carryPropagateGeneric() *Element {
 	c3 := v.l3 >> 51
 	c4 := v.l4 >> 51
 
+	// c4 is at most 64 - 51 = 13 bits, so c4*19 is at most 18 bits, and
+	// the final l0 will be at most 52 bits. Similarly for the rest.
 	v.l0 = v.l0&maskLow51Bits + c4*19
 	v.l1 = v.l1&maskLow51Bits + c0
 	v.l2 = v.l2&maskLow51Bits + c1

vendor/filippo.io/edwards25519/scalar.go

@@ -0,0 +1,343 @@
+// Copyright (c) 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package edwards25519
+
+import (
+	"encoding/binary"
+	"errors"
+)
+
+// A Scalar is an integer modulo
+//
+//	l = 2^252 + 27742317777372353535851937790883648493
+//
+// which is the prime order of the edwards25519 group.
+//
+// This type works similarly to math/big.Int, and all arguments and
+// receivers are allowed to alias.
+//
+// The zero value is a valid zero element.
+type Scalar struct {
+	// s is the scalar in the Montgomery domain, in the format of the
+	// fiat-crypto implementation.
+	s fiatScalarMontgomeryDomainFieldElement
+}
+
+// The field implementation in scalar_fiat.go is generated by the fiat-crypto
+// project (https://github.com/mit-plv/fiat-crypto) at version v0.0.9 (23d2dbc)
+// from a formally verified model.
+//
+// fiat-crypto code comes under the following license.
+//
+//     Copyright (c) 2015-2020 The fiat-crypto Authors. All rights reserved.
+//
+//     Redistribution and use in source and binary forms, with or without
+//     modification, are permitted provided that the following conditions are
+//     met:
+//
+//         1. Redistributions of source code must retain the above copyright
+//         notice, this list of conditions and the following disclaimer.
+//
+//     THIS SOFTWARE IS PROVIDED BY the fiat-crypto authors "AS IS"
+//     AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+//     THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+//     PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Berkeley Software Design,
+//     Inc. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+//     EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+//     PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+//     PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+//     LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+//     NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+//     SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+
+// NewScalar returns a new zero Scalar.
+func NewScalar() *Scalar {
+	return &Scalar{}
+}
+
+// MultiplyAdd sets s = x * y + z mod l, and returns s. It is equivalent to
+// using Multiply and then Add.
+func (s *Scalar) MultiplyAdd(x, y, z *Scalar) *Scalar {
+	// Make a copy of z in case it aliases s.
+	zCopy := new(Scalar).Set(z)
+	return s.Multiply(x, y).Add(s, zCopy)
+}
+
+// Add sets s = x + y mod l, and returns s.
+func (s *Scalar) Add(x, y *Scalar) *Scalar {
+	// s = 1 * x + y mod l
+	fiatScalarAdd(&s.s, &x.s, &y.s)
+	return s
+}
+
+// Subtract sets s = x - y mod l, and returns s.
+func (s *Scalar) Subtract(x, y *Scalar) *Scalar {
+	// s = -1 * y + x mod l
+	fiatScalarSub(&s.s, &x.s, &y.s)
+	return s
+}
+
+// Negate sets s = -x mod l, and returns s.
+func (s *Scalar) Negate(x *Scalar) *Scalar {
+	// s = -1 * x + 0 mod l
+	fiatScalarOpp(&s.s, &x.s)
+	return s
+}
+
+// Multiply sets s = x * y mod l, and returns s.
+func (s *Scalar) Multiply(x, y *Scalar) *Scalar {
+	// s = x * y + 0 mod l
+	fiatScalarMul(&s.s, &x.s, &y.s)
+	return s
+}
+
+// Set sets s = x, and returns s.
+func (s *Scalar) Set(x *Scalar) *Scalar {
+	*s = *x
+	return s
+}
+
+// SetUniformBytes sets s = x mod l, where x is a 64-byte little-endian integer.
+// If x is not of the right length, SetUniformBytes returns nil and an error,
+// and the receiver is unchanged.
+//
+// SetUniformBytes can be used to set s to a uniformly distributed value given
+// 64 uniformly distributed random bytes.
+func (s *Scalar) SetUniformBytes(x []byte) (*Scalar, error) {
+	if len(x) != 64 {
+		return nil, errors.New("edwards25519: invalid SetUniformBytes input length")
+	}
+
+	// We have a value x of 512 bits, but our fiatScalarFromBytes function
+	// expects an input lower than l, which is a little over 252 bits.
+	//
+	// Instead of writing a reduction function that operates on wider inputs, we
+	// can interpret x as the sum of three shorter values a, b, and c.
+	//
+	//    x = a + b * 2^168 + c * 2^336  mod l
+	//
+	// We then precompute 2^168 and 2^336 modulo l, and perform the reduction
+	// with two multiplications and two additions.
+
+	s.setShortBytes(x[:21])
+	t := new(Scalar).setShortBytes(x[21:42])
+	s.Add(s, t.Multiply(t, scalarTwo168))
+	t.setShortBytes(x[42:])
+	s.Add(s, t.Multiply(t, scalarTwo336))
+
+	return s, nil
+}
+
+// scalarTwo168 and scalarTwo336 are 2^168 and 2^336 modulo l, encoded as a
+// fiatScalarMontgomeryDomainFieldElement, which is a little-endian 4-limb value
+// in the 2^256 Montgomery domain.
+var scalarTwo168 = &Scalar{s: [4]uint64{0x5b8ab432eac74798, 0x38afddd6de59d5d7,
+	0xa2c131b399411b7c, 0x6329a7ed9ce5a30}}
+var scalarTwo336 = &Scalar{s: [4]uint64{0xbd3d108e2b35ecc5, 0x5c3a3718bdf9c90b,
+	0x63aa97a331b4f2ee, 0x3d217f5be65cb5c}}
+
+// setShortBytes sets s = x mod l, where x is a little-endian integer shorter
+// than 32 bytes.
+func (s *Scalar) setShortBytes(x []byte) *Scalar {
+	if len(x) >= 32 {
+		panic("edwards25519: internal error: setShortBytes called with a long string")
+	}
+	var buf [32]byte
+	copy(buf[:], x)
+	fiatScalarFromBytes((*[4]uint64)(&s.s), &buf)
+	fiatScalarToMontgomery(&s.s, (*fiatScalarNonMontgomeryDomainFieldElement)(&s.s))
+	return s
+}
+
+// SetCanonicalBytes sets s = x, where x is a 32-byte little-endian encoding of
+// s, and returns s. If x is not a canonical encoding of s, SetCanonicalBytes
+// returns nil and an error, and the receiver is unchanged.
+func (s *Scalar) SetCanonicalBytes(x []byte) (*Scalar, error) {
+	if len(x) != 32 {
+		return nil, errors.New("invalid scalar length")
+	}
+	if !isReduced(x) {
+		return nil, errors.New("invalid scalar encoding")
+	}
+
+	fiatScalarFromBytes((*[4]uint64)(&s.s), (*[32]byte)(x))
+	fiatScalarToMontgomery(&s.s, (*fiatScalarNonMontgomeryDomainFieldElement)(&s.s))
+
+	return s, nil
+}
+
+// scalarMinusOneBytes is l - 1 in little endian.
+var scalarMinusOneBytes = [32]byte{236, 211, 245, 92, 26, 99, 18, 88, 214, 156, 247, 162, 222, 249, 222, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16}
+
+// isReduced returns whether the given scalar in 32-byte little endian encoded
+// form is reduced modulo l.
+func isReduced(s []byte) bool {
+	if len(s) != 32 {
+		return false
+	}
+
+	for i := len(s) - 1; i >= 0; i-- {
+		switch {
+		case s[i] > scalarMinusOneBytes[i]:
+			return false
+		case s[i] < scalarMinusOneBytes[i]:
+			return true
+		}
+	}
+	return true
+}
+
+// SetBytesWithClamping applies the buffer pruning described in RFC 8032,
+// Section 5.1.5 (also known as clamping) and sets s to the result. The input
+// must be 32 bytes, and it is not modified. If x is not of the right length,
+// SetBytesWithClamping returns nil and an error, and the receiver is unchanged.
+//
+// Note that since Scalar values are always reduced modulo the prime order of
+// the curve, the resulting value will not preserve any of the cofactor-clearing
+// properties that clamping is meant to provide. It will however work as
+// expected as long as it is applied to points on the prime order subgroup, like
+// in Ed25519. In fact, it is lost to history why RFC 8032 adopted the
+// irrelevant RFC 7748 clamping, but it is now required for compatibility.
+func (s *Scalar) SetBytesWithClamping(x []byte) (*Scalar, error) {
+	// The description above omits the purpose of the high bits of the clamping
+	// for brevity, but those are also lost to reductions, and are also
+	// irrelevant to edwards25519 as they protect against a specific
+	// implementation bug that was once observed in a generic Montgomery ladder.
+	if len(x) != 32 {
+		return nil, errors.New("edwards25519: invalid SetBytesWithClamping input length")
+	}
+
+	// We need to use the wide reduction from SetUniformBytes, since clamping
+	// sets the 2^254 bit, making the value higher than the order.
+	var wideBytes [64]byte
+	copy(wideBytes[:], x[:])
+	wideBytes[0] &= 248
+	wideBytes[31] &= 63
+	wideBytes[31] |= 64
+	return s.SetUniformBytes(wideBytes[:])
+}
+
+// Bytes returns the canonical 32-byte little-endian encoding of s.
+func (s *Scalar) Bytes() []byte {
+	// This function is outlined to make the allocations inline in the caller
+	// rather than happen on the heap.
+	var encoded [32]byte
+	return s.bytes(&encoded)
+}
+
+func (s *Scalar) bytes(out *[32]byte) []byte {
+	var ss fiatScalarNonMontgomeryDomainFieldElement
+	fiatScalarFromMontgomery(&ss, &s.s)
+	fiatScalarToBytes(out, (*[4]uint64)(&ss))
+	return out[:]
+}
+
+// Equal returns 1 if s and t are equal, and 0 otherwise.
+func (s *Scalar) Equal(t *Scalar) int {
+	var diff fiatScalarMontgomeryDomainFieldElement
+	fiatScalarSub(&diff, &s.s, &t.s)
+	var nonzero uint64
+	fiatScalarNonzero(&nonzero, (*[4]uint64)(&diff))
+	nonzero |= nonzero >> 32
+	nonzero |= nonzero >> 16
+	nonzero |= nonzero >> 8
+	nonzero |= nonzero >> 4
+	nonzero |= nonzero >> 2
+	nonzero |= nonzero >> 1
+	return int(^nonzero) & 1
+}
+
+// nonAdjacentForm computes a width-w non-adjacent form for this scalar.
+//
+// w must be between 2 and 8, or nonAdjacentForm will panic.
+func (s *Scalar) nonAdjacentForm(w uint) [256]int8 {
+	// This implementation is adapted from the one
+	// in curve25519-dalek and is documented there:
+	// https://github.com/dalek-cryptography/curve25519-dalek/blob/f630041af28e9a405255f98a8a93adca18e4315b/src/scalar.rs#L800-L871
+	b := s.Bytes()
+	if b[31] > 127 {
+		panic("scalar has high bit set illegally")
+	}
+	if w < 2 {
+		panic("w must be at least 2 by the definition of NAF")
+	} else if w > 8 {
+		panic("NAF digits must fit in int8")
+	}
+
+	var naf [256]int8
+	var digits [5]uint64
+
+	for i := 0; i < 4; i++ {
+		digits[i] = binary.LittleEndian.Uint64(b[i*8:])
+	}
+
+	width := uint64(1 << w)
+	windowMask := uint64(width - 1)
+
+	pos := uint(0)
+	carry := uint64(0)
+	for pos < 256 {
+		indexU64 := pos / 64
+		indexBit := pos % 64
+		var bitBuf uint64
+		if indexBit < 64-w {
+			// This window's bits are contained in a single u64
+			bitBuf = digits[indexU64] >> indexBit
+		} else {
+			// Combine the current 64 bits with bits from the next 64
+			bitBuf = (digits[indexU64] >> indexBit) | (digits[1+indexU64] << (64 - indexBit))
+		}
+
+		// Add carry into the current window
+		window := carry + (bitBuf & windowMask)
+
+		if window&1 == 0 {
+			// If the window value is even, preserve the carry and continue.
+			// Why is the carry preserved?
+			// If carry == 0 and window & 1 == 0,
+			//    then the next carry should be 0
+			// If carry == 1 and window & 1 == 0,
+			//    then bit_buf & 1 == 1 so the next carry should be 1
+			pos += 1
+			continue
+		}
+
+		if window < width/2 {
+			carry = 0
+			naf[pos] = int8(window)
+		} else {
+			carry = 1
+			naf[pos] = int8(window) - int8(width)
+		}
+
+		pos += w
+	}
+	return naf
+}
+
+func (s *Scalar) signedRadix16() [64]int8 {
+	b := s.Bytes()
+	if b[31] > 127 {
+		panic("scalar has high bit set illegally")
+	}
+
+	var digits [64]int8
+
+	// Compute unsigned radix-16 digits:
+	for i := 0; i < 32; i++ {
+		digits[2*i] = int8(b[i] & 15)
+		digits[2*i+1] = int8((b[i] >> 4) & 15)
+	}
+
+	// Recenter coefficients:
+	for i := 0; i < 63; i++ {
+		carry := (digits[i] + 8) >> 4
+		digits[i] -= carry << 4
+		digits[i+1] += carry
+	}
+
+	return digits
+}

vendor/filippo.io/edwards25519/scalarmult.go

@@ -0,0 +1,214 @@
+// Copyright (c) 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package edwards25519
+
+import "sync"
+
+// basepointTable is a set of 32 affineLookupTables, where table i is generated
+// from 256i * basepoint. It is precomputed the first time it's used.
+func basepointTable() *[32]affineLookupTable {
+	basepointTablePrecomp.initOnce.Do(func() {
+		p := NewGeneratorPoint()
+		for i := 0; i < 32; i++ {
+			basepointTablePrecomp.table[i].FromP3(p)
+			for j := 0; j < 8; j++ {
+				p.Add(p, p)
+			}
+		}
+	})
+	return &basepointTablePrecomp.table
+}
+
+var basepointTablePrecomp struct {
+	table    [32]affineLookupTable
+	initOnce sync.Once
+}
+
+// ScalarBaseMult sets v = x * B, where B is the canonical generator, and
+// returns v.
+//
+// The scalar multiplication is done in constant time.
+func (v *Point) ScalarBaseMult(x *Scalar) *Point {
+	basepointTable := basepointTable()
+
+	// Write x = sum(x_i * 16^i) so  x*B = sum( B*x_i*16^i )
+	// as described in the Ed25519 paper
+	//
+	// Group even and odd coefficients
+	// x*B     = x_0*16^0*B + x_2*16^2*B + ... + x_62*16^62*B
+	//         + x_1*16^1*B + x_3*16^3*B + ... + x_63*16^63*B
+	// x*B     = x_0*16^0*B + x_2*16^2*B + ... + x_62*16^62*B
+	//    + 16*( x_1*16^0*B + x_3*16^2*B + ... + x_63*16^62*B)
+	//
+	// We use a lookup table for each i to get x_i*16^(2*i)*B
+	// and do four doublings to multiply by 16.
+	digits := x.signedRadix16()
+
+	multiple := &affineCached{}
+	tmp1 := &projP1xP1{}
+	tmp2 := &projP2{}
+
+	// Accumulate the odd components first
+	v.Set(NewIdentityPoint())
+	for i := 1; i < 64; i += 2 {
+		basepointTable[i/2].SelectInto(multiple, digits[i])
+		tmp1.AddAffine(v, multiple)
+		v.fromP1xP1(tmp1)
+	}
+
+	// Multiply by 16
+	tmp2.FromP3(v)       // tmp2 =    v in P2 coords
+	tmp1.Double(tmp2)    // tmp1 =  2*v in P1xP1 coords
+	tmp2.FromP1xP1(tmp1) // tmp2 =  2*v in P2 coords
+	tmp1.Double(tmp2)    // tmp1 =  4*v in P1xP1 coords
+	tmp2.FromP1xP1(tmp1) // tmp2 =  4*v in P2 coords
+	tmp1.Double(tmp2)    // tmp1 =  8*v in P1xP1 coords
+	tmp2.FromP1xP1(tmp1) // tmp2 =  8*v in P2 coords
+	tmp1.Double(tmp2)    // tmp1 = 16*v in P1xP1 coords
+	v.fromP1xP1(tmp1)    // now v = 16*(odd components)
+
+	// Accumulate the even components
+	for i := 0; i < 64; i += 2 {
+		basepointTable[i/2].SelectInto(multiple, digits[i])
+		tmp1.AddAffine(v, multiple)
+		v.fromP1xP1(tmp1)
+	}
+
+	return v
+}
+
+// ScalarMult sets v = x * q, and returns v.
+//
+// The scalar multiplication is done in constant time.
+func (v *Point) ScalarMult(x *Scalar, q *Point) *Point {
+	checkInitialized(q)
+
+	var table projLookupTable
+	table.FromP3(q)
+
+	// Write x = sum(x_i * 16^i)
+	// so  x*Q = sum( Q*x_i*16^i )
+	//         = Q*x_0 + 16*(Q*x_1 + 16*( ... + Q*x_63) ... )
+	//           <------compute inside out---------
+	//
+	// We use the lookup table to get the x_i*Q values
+	// and do four doublings to compute 16*Q
+	digits := x.signedRadix16()
+
+	// Unwrap first loop iteration to save computing 16*identity
+	multiple := &projCached{}
+	tmp1 := &projP1xP1{}
+	tmp2 := &projP2{}
+	table.SelectInto(multiple, digits[63])
+
+	v.Set(NewIdentityPoint())
+	tmp1.Add(v, multiple) // tmp1 = x_63*Q in P1xP1 coords
+	for i := 62; i >= 0; i-- {
+		tmp2.FromP1xP1(tmp1) // tmp2 =    (prev) in P2 coords
+		tmp1.Double(tmp2)    // tmp1 =  2*(prev) in P1xP1 coords
+		tmp2.FromP1xP1(tmp1) // tmp2 =  2*(prev) in P2 coords
+		tmp1.Double(tmp2)    // tmp1 =  4*(prev) in P1xP1 coords
+		tmp2.FromP1xP1(tmp1) // tmp2 =  4*(prev) in P2 coords
+		tmp1.Double(tmp2)    // tmp1 =  8*(prev) in P1xP1 coords
+		tmp2.FromP1xP1(tmp1) // tmp2 =  8*(prev) in P2 coords
+		tmp1.Double(tmp2)    // tmp1 = 16*(prev) in P1xP1 coords
+		v.fromP1xP1(tmp1)    //    v = 16*(prev) in P3 coords
+		table.SelectInto(multiple, digits[i])
+		tmp1.Add(v, multiple) // tmp1 = x_i*Q + 16*(prev) in P1xP1 coords
+	}
+	v.fromP1xP1(tmp1)
+	return v
+}
+
+// basepointNafTable is the nafLookupTable8 for the basepoint.
+// It is precomputed the first time it's used.
+func basepointNafTable() *nafLookupTable8 {
+	basepointNafTablePrecomp.initOnce.Do(func() {
+		basepointNafTablePrecomp.table.FromP3(NewGeneratorPoint())
+	})
+	return &basepointNafTablePrecomp.table
+}
+
+var basepointNafTablePrecomp struct {
+	table    nafLookupTable8
+	initOnce sync.Once
+}
+
+// VarTimeDoubleScalarBaseMult sets v = a * A + b * B, where B is the canonical
+// generator, and returns v.
+//
+// Execution time depends on the inputs.
+func (v *Point) VarTimeDoubleScalarBaseMult(a *Scalar, A *Point, b *Scalar) *Point {
+	checkInitialized(A)
+
+	// Similarly to the single variable-base approach, we compute
+	// digits and use them with a lookup table.  However, because
+	// we are allowed to do variable-time operations, we don't
+	// need constant-time lookups or constant-time digit
+	// computations.
+	//
+	// So we use a non-adjacent form of some width w instead of
+	// radix 16.  This is like a binary representation (one digit
+	// for each binary place) but we allow the digits to grow in
+	// magnitude up to 2^{w-1} so that the nonzero digits are as
+	// sparse as possible.  Intuitively, this "condenses" the
+	// "mass" of the scalar onto sparse coefficients (meaning
+	// fewer additions).
+
+	basepointNafTable := basepointNafTable()
+	var aTable nafLookupTable5
+	aTable.FromP3(A)
+	// Because the basepoint is fixed, we can use a wider NAF
+	// corresponding to a bigger table.
+	aNaf := a.nonAdjacentForm(5)
+	bNaf := b.nonAdjacentForm(8)
+
+	// Find the first nonzero coefficient.
+	i := 255
+	for j := i; j >= 0; j-- {
+		if aNaf[j] != 0 || bNaf[j] != 0 {
+			break
+		}
+	}
+
+	multA := &projCached{}
+	multB := &affineCached{}
+	tmp1 := &projP1xP1{}
+	tmp2 := &projP2{}
+	tmp2.Zero()
+
+	// Move from high to low bits, doubling the accumulator
+	// at each iteration and checking whether there is a nonzero
+	// coefficient to look up a multiple of.
+	for ; i >= 0; i-- {
+		tmp1.Double(tmp2)
+
+		// Only update v if we have a nonzero coeff to add in.
+		if aNaf[i] > 0 {
+			v.fromP1xP1(tmp1)
+			aTable.SelectInto(multA, aNaf[i])
+			tmp1.Add(v, multA)
+		} else if aNaf[i] < 0 {
+			v.fromP1xP1(tmp1)
+			aTable.SelectInto(multA, -aNaf[i])
+			tmp1.Sub(v, multA)
+		}
+
+		if bNaf[i] > 0 {
+			v.fromP1xP1(tmp1)
+			basepointNafTable.SelectInto(multB, bNaf[i])
+			tmp1.AddAffine(v, multB)
+		} else if bNaf[i] < 0 {
+			v.fromP1xP1(tmp1)
+			basepointNafTable.SelectInto(multB, -bNaf[i])
+			tmp1.SubAffine(v, multB)
+		}
+
+		tmp2.FromP1xP1(tmp1)
+	}
+
+	v.fromP2(tmp2)
+	return v
+}

vendor/filippo.io/edwards25519/tables.go

@@ -0,0 +1,129 @@
+// Copyright (c) 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package edwards25519
+
+import (
+	"crypto/subtle"
+)
+
+// A dynamic lookup table for variable-base, constant-time scalar muls.
+type projLookupTable struct {
+	points [8]projCached
+}
+
+// A precomputed lookup table for fixed-base, constant-time scalar muls.
+type affineLookupTable struct {
+	points [8]affineCached
+}
+
+// A dynamic lookup table for variable-base, variable-time scalar muls.
+type nafLookupTable5 struct {
+	points [8]projCached
+}
+
+// A precomputed lookup table for fixed-base, variable-time scalar muls.
+type nafLookupTable8 struct {
+	points [64]affineCached
+}
+
+// Constructors.
+
+// Builds a lookup table at runtime. Fast.
+func (v *projLookupTable) FromP3(q *Point) {
+	// Goal: v.points[i] = (i+1)*Q, i.e., Q, 2Q, ..., 8Q
+	// This allows lookup of -8Q, ..., -Q, 0, Q, ..., 8Q
+	v.points[0].FromP3(q)
+	tmpP3 := Point{}
+	tmpP1xP1 := projP1xP1{}
+	for i := 0; i < 7; i++ {
+		// Compute (i+1)*Q as Q + i*Q and convert to a projCached
+		// This is needlessly complicated because the API has explicit
+		// receivers instead of creating stack objects and relying on RVO
+		v.points[i+1].FromP3(tmpP3.fromP1xP1(tmpP1xP1.Add(q, &v.points[i])))
+	}
+}
+
+// This is not optimised for speed; fixed-base tables should be precomputed.
+func (v *affineLookupTable) FromP3(q *Point) {
+	// Goal: v.points[i] = (i+1)*Q, i.e., Q, 2Q, ..., 8Q
+	// This allows lookup of -8Q, ..., -Q, 0, Q, ..., 8Q
+	v.points[0].FromP3(q)
+	tmpP3 := Point{}
+	tmpP1xP1 := projP1xP1{}
+	for i := 0; i < 7; i++ {
+		// Compute (i+1)*Q as Q + i*Q and convert to affineCached
+		v.points[i+1].FromP3(tmpP3.fromP1xP1(tmpP1xP1.AddAffine(q, &v.points[i])))
+	}
+}
+
+// Builds a lookup table at runtime. Fast.
+func (v *nafLookupTable5) FromP3(q *Point) {
+	// Goal: v.points[i] = (2*i+1)*Q, i.e., Q, 3Q, 5Q, ..., 15Q
+	// This allows lookup of -15Q, ..., -3Q, -Q, 0, Q, 3Q, ..., 15Q
+	v.points[0].FromP3(q)
+	q2 := Point{}
+	q2.Add(q, q)
+	tmpP3 := Point{}
+	tmpP1xP1 := projP1xP1{}
+	for i := 0; i < 7; i++ {
+		v.points[i+1].FromP3(tmpP3.fromP1xP1(tmpP1xP1.Add(&q2, &v.points[i])))
+	}
+}
+
+// This is not optimised for speed; fixed-base tables should be precomputed.
+func (v *nafLookupTable8) FromP3(q *Point) {
+	v.points[0].FromP3(q)
+	q2 := Point{}
+	q2.Add(q, q)
+	tmpP3 := Point{}
+	tmpP1xP1 := projP1xP1{}
+	for i := 0; i < 63; i++ {
+		v.points[i+1].FromP3(tmpP3.fromP1xP1(tmpP1xP1.AddAffine(&q2, &v.points[i])))
+	}
+}
+
+// Selectors.
+
+// Set dest to x*Q, where -8 <= x <= 8, in constant time.
+func (v *projLookupTable) SelectInto(dest *projCached, x int8) {
+	// Compute xabs = |x|
+	xmask := x >> 7
+	xabs := uint8((x + xmask) ^ xmask)
+
+	dest.Zero()
+	for j := 1; j <= 8; j++ {
+		// Set dest = j*Q if |x| = j
+		cond := subtle.ConstantTimeByteEq(xabs, uint8(j))
+		dest.Select(&v.points[j-1], dest, cond)
+	}
+	// Now dest = |x|*Q, conditionally negate to get x*Q
+	dest.CondNeg(int(xmask & 1))
+}
+
+// Set dest to x*Q, where -8 <= x <= 8, in constant time.
+func (v *affineLookupTable) SelectInto(dest *affineCached, x int8) {
+	// Compute xabs = |x|
+	xmask := x >> 7
+	xabs := uint8((x + xmask) ^ xmask)
+
+	dest.Zero()
+	for j := 1; j <= 8; j++ {
+		// Set dest = j*Q if |x| = j
+		cond := subtle.ConstantTimeByteEq(xabs, uint8(j))
+		dest.Select(&v.points[j-1], dest, cond)
+	}
+	// Now dest = |x|*Q, conditionally negate to get x*Q
+	dest.CondNeg(int(xmask & 1))
+}
+
+// Given odd x with 0 < x < 2^4, return x*Q (in variable time).
+func (v *nafLookupTable5) SelectInto(dest *projCached, x int8) {
+	*dest = v.points[x/2]
+}
+
+// Given odd x with 0 < x < 2^7, return x*Q (in variable time).
+func (v *nafLookupTable8) SelectInto(dest *affineCached, x int8) {
+	*dest = v.points[x/2]
+}

vendor/github.com/alexbrainman/sspi/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2012 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/alexbrainman/sspi/README.md

@@ -0,0 +1 @@
+This repository holds Go packages for accessing Security Support Provider Interface on Windows. 

vendor/github.com/alexbrainman/sspi/buffer.go

@@ -0,0 +1,57 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build windows
+
+package sspi
+
+import (
+	"io"
+	"unsafe"
+)
+
+func (b *SecBuffer) Set(buftype uint32, data []byte) {
+	b.BufferType = buftype
+	if len(data) > 0 {
+		b.Buffer = &data[0]
+		b.BufferSize = uint32(len(data))
+	} else {
+		b.Buffer = nil
+		b.BufferSize = 0
+	}
+}
+
+func (b *SecBuffer) Free() error {
+	if b.Buffer == nil {
+		return nil
+	}
+	return FreeContextBuffer((*byte)(unsafe.Pointer(b.Buffer)))
+}
+
+func (b *SecBuffer) Bytes() []byte {
+	if b.Buffer == nil || b.BufferSize <= 0 {
+		return nil
+	}
+	return (*[(1 << 31) - 1]byte)(unsafe.Pointer(b.Buffer))[:b.BufferSize]
+}
+
+func (b *SecBuffer) WriteAll(w io.Writer) (int, error) {
+	if b.BufferSize == 0 || b.Buffer == nil {
+		return 0, nil
+	}
+	data := b.Bytes()
+	total := 0
+	for {
+		n, err := w.Write(data)
+		total += n
+		if err != nil {
+			return total, err
+		}
+		if n >= len(data) {
+			break
+		}
+		data = data[n:]
+	}
+	return total, nil
+}

vendor/github.com/alexbrainman/sspi/internal/common/common.go

@@ -0,0 +1,152 @@
+// Copyright 2021 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build windows
+
+package common
+
+import (
+	"errors"
+	"syscall"
+
+	"github.com/alexbrainman/sspi"
+)
+
+func BuildAuthIdentity(domain, username, password string) (*sspi.SEC_WINNT_AUTH_IDENTITY, error) {
+	if len(username) == 0 {
+		return nil, errors.New("username parameter cannot be empty")
+	}
+	d, err := syscall.UTF16FromString(domain)
+	if err != nil {
+		return nil, err
+	}
+	u, err := syscall.UTF16FromString(username)
+	if err != nil {
+		return nil, err
+	}
+	p, err := syscall.UTF16FromString(password)
+	if err != nil {
+		return nil, err
+	}
+	return &sspi.SEC_WINNT_AUTH_IDENTITY{
+		User:           &u[0],
+		UserLength:     uint32(len(u) - 1), // do not count terminating 0
+		Domain:         &d[0],
+		DomainLength:   uint32(len(d) - 1), // do not count terminating 0
+		Password:       &p[0],
+		PasswordLength: uint32(len(p) - 1), // do not count terminating 0
+		Flags:          sspi.SEC_WINNT_AUTH_IDENTITY_UNICODE,
+	}, nil
+}
+
+func UpdateContext(c *sspi.Context, dst, src []byte, targetName *uint16) (authCompleted bool, n int, err error) {
+	var inBuf, outBuf [1]sspi.SecBuffer
+	inBuf[0].Set(sspi.SECBUFFER_TOKEN, src)
+	inBufs := &sspi.SecBufferDesc{
+		Version:      sspi.SECBUFFER_VERSION,
+		BuffersCount: 1,
+		Buffers:      &inBuf[0],
+	}
+	outBuf[0].Set(sspi.SECBUFFER_TOKEN, dst)
+	outBufs := &sspi.SecBufferDesc{
+		Version:      sspi.SECBUFFER_VERSION,
+		BuffersCount: 1,
+		Buffers:      &outBuf[0],
+	}
+	ret := c.Update(targetName, outBufs, inBufs)
+	switch ret {
+	case sspi.SEC_E_OK:
+		// session established -> return success
+		return true, int(outBuf[0].BufferSize), nil
+	case sspi.SEC_I_COMPLETE_NEEDED, sspi.SEC_I_COMPLETE_AND_CONTINUE:
+		ret = sspi.CompleteAuthToken(c.Handle, outBufs)
+		if ret != sspi.SEC_E_OK {
+			return false, 0, ret
+		}
+	case sspi.SEC_I_CONTINUE_NEEDED:
+	default:
+		return false, 0, ret
+	}
+	return false, int(outBuf[0].BufferSize), nil
+}
+
+func MakeSignature(c *sspi.Context, msg []byte, qop, seqno uint32) ([]byte, error) {
+	_, maxSignature, _, _, err := c.Sizes()
+	if err != nil {
+		return nil, err
+	}
+
+	if maxSignature == 0 {
+		return nil, errors.New("integrity services are not requested or unavailable")
+	}
+
+	var b [2]sspi.SecBuffer
+	b[0].Set(sspi.SECBUFFER_DATA, msg)
+	b[1].Set(sspi.SECBUFFER_TOKEN, make([]byte, maxSignature))
+
+	ret := sspi.MakeSignature(c.Handle, qop, sspi.NewSecBufferDesc(b[:]), seqno)
+	if ret != sspi.SEC_E_OK {
+		return nil, ret
+	}
+
+	return b[1].Bytes(), nil
+}
+
+func EncryptMessage(c *sspi.Context, msg []byte, qop, seqno uint32) ([]byte, error) {
+	_ /*maxToken*/, maxSignature, cBlockSize, cSecurityTrailer, err := c.Sizes()
+	if err != nil {
+		return nil, err
+	}
+
+	if maxSignature == 0 {
+		return nil, errors.New("integrity services are not requested or unavailable")
+	}
+
+	var b [3]sspi.SecBuffer
+	b[0].Set(sspi.SECBUFFER_TOKEN, make([]byte, cSecurityTrailer))
+	b[1].Set(sspi.SECBUFFER_DATA, msg)
+	b[2].Set(sspi.SECBUFFER_PADDING, make([]byte, cBlockSize))
+
+	ret := sspi.EncryptMessage(c.Handle, qop, sspi.NewSecBufferDesc(b[:]), seqno)
+	if ret != sspi.SEC_E_OK {
+		return nil, ret
+	}
+
+	r0, r1, r2 := b[0].Bytes(), b[1].Bytes(), b[2].Bytes()
+	res := make([]byte, 0, len(r0)+len(r1)+len(r2))
+	res = append(res, r0...)
+	res = append(res, r1...)
+	res = append(res, r2...)
+
+	return res, nil
+}
+
+func DecryptMessage(c *sspi.Context, msg []byte, seqno uint32) (uint32, []byte, error) {
+	var b [2]sspi.SecBuffer
+	b[0].Set(sspi.SECBUFFER_STREAM, msg)
+	b[1].Set(sspi.SECBUFFER_DATA, []byte{})
+
+	var qop uint32
+	ret := sspi.DecryptMessage(c.Handle, sspi.NewSecBufferDesc(b[:]), seqno, &qop)
+	if ret != sspi.SEC_E_OK {
+		return qop, nil, ret
+	}
+
+	return qop, b[1].Bytes(), nil
+}
+
+func VerifySignature(c *sspi.Context, msg, token []byte, seqno uint32) (uint32, error) {
+	var b [2]sspi.SecBuffer
+	b[0].Set(sspi.SECBUFFER_DATA, msg)
+	b[1].Set(sspi.SECBUFFER_TOKEN, token)
+
+	var qop uint32
+
+	ret := sspi.VerifySignature(c.Handle, sspi.NewSecBufferDesc(b[:]), seqno, &qop)
+	if ret != sspi.SEC_E_OK {
+		return 0, ret
+	}
+
+	return qop, nil
+}

vendor/github.com/alexbrainman/sspi/mksyscall.go

@@ -0,0 +1,7 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package sspi
+
+//go:generate go run $GOROOT/src/syscall/mksyscall_windows.go -systemdll=false -output=zsyscall_windows.go syscall.go

vendor/github.com/alexbrainman/sspi/negotiate/negotiate.go

@@ -0,0 +1,368 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows
+// +build windows
+
+// Package negotiate provides access to the Microsoft Negotiate SSP Package.
+package negotiate
+
+import (
+	"errors"
+	"sync"
+	"syscall"
+	"time"
+	"unsafe"
+
+	"github.com/alexbrainman/sspi"
+	"github.com/alexbrainman/sspi/internal/common"
+)
+
+// TODO: maybe (if possible) move all winapi related out of sspi and into sspi/internal/winapi
+
+// PackageInfo contains the Negotiate SSP package description.
+//
+// It's initialized best-effort during init. During early boot it may not
+// yet be loaded & available and thus this will be nil.
+//
+// Deprecated: use GetPackageInfo instead.
+var PackageInfo *sspi.PackageInfo
+
+func init() {
+	PackageInfo, _ = GetPackageInfo()
+}
+
+var (
+	pkgInfoMu sync.Mutex
+	pkgInfo   *sspi.PackageInfo
+)
+
+// GetPackageInfo returns the Negotiate SSP package description.
+func GetPackageInfo() (*sspi.PackageInfo, error) {
+	pkgInfoMu.Lock()
+	defer pkgInfoMu.Unlock()
+	if pkgInfo != nil {
+		return pkgInfo, nil
+	}
+	v, err := sspi.QueryPackageInfo(sspi.NEGOSSP_NAME)
+	if err != nil {
+		return nil, err
+	}
+	pkgInfo = v
+	return v, nil
+}
+
+func acquireCredentials(principalName string, creduse uint32, ai *sspi.SEC_WINNT_AUTH_IDENTITY) (*sspi.Credentials, error) {
+	c, err := sspi.AcquireCredentials(principalName, sspi.NEGOSSP_NAME, creduse, (*byte)(unsafe.Pointer(ai)))
+	if err != nil {
+		return nil, err
+	}
+	return c, nil
+}
+
+// AcquireCurrentUserCredentials acquires credentials of currently
+// logged on user. These will be used by the client to authenticate
+// itself to the server. It will also be used by the server
+// to impersonate the user.
+func AcquireCurrentUserCredentials() (*sspi.Credentials, error) {
+	return acquireCredentials("", sspi.SECPKG_CRED_OUTBOUND, nil)
+}
+
+// AcquireUserCredentials acquires credentials of user described by
+// domain, username and password. These will be used by the client to
+// authenticate itself to the server. It will also be used by the
+// server to impersonate the user.
+func AcquireUserCredentials(domain, username, password string) (*sspi.Credentials, error) {
+	ai, err := common.BuildAuthIdentity(domain, username, password)
+	if err != nil {
+		return nil, err
+	}
+	return acquireCredentials("", sspi.SECPKG_CRED_OUTBOUND, ai)
+}
+
+// AcquireServerCredentials acquires server credentials that will
+// be used to authenticate clients.
+// The principalName parameter is passed to the underlying call to
+// the winapi AcquireCredentialsHandle function (and specifies the
+// name of the principal whose credentials the underlying handle
+// will reference).
+// As a special case, using an empty string for the principal name
+// will require the credential of the user under whose security context
+// the current process is running.
+func AcquireServerCredentials(principalName string) (*sspi.Credentials, error) {
+	return acquireCredentials(principalName, sspi.SECPKG_CRED_INBOUND, nil)
+}
+
+// ClientContext is used by the client to manage all steps of Negotiate negotiation.
+type ClientContext struct {
+	sctxt      *sspi.Context
+	targetName *uint16
+}
+
+// NewClientContext creates a new client context. It uses client
+// credentials cred generated by AcquireCurrentUserCredentials or
+// AcquireUserCredentials and SPN to start a client Negotiate
+// negotiation sequence. targetName is the service principal name
+// (SPN) or the security context of the destination server.
+// NewClientContext returns a new token to be sent to the server.
+func NewClientContext(cred *sspi.Credentials, targetName string) (cc *ClientContext, outputToken []byte, err error) {
+	return NewClientContextWithFlags(cred, targetName, sspi.ISC_REQ_CONNECTION)
+}
+
+// NewClientContextWithFlags creates a new client context. It uses client
+// credentials cred generated by AcquireCurrentUserCredentials or
+// AcquireUserCredentials and SPN to start a client Negotiate
+// negotiation sequence. targetName is the service principal name
+// (SPN) or the security context of the destination server.
+// The flags parameter is used to indicate requests for the context
+// (for example sspi.ISC_REQ_CONFIDENTIALITY|sspi.ISC_REQ_REPLAY_DETECT)
+// NewClientContextWithFlags returns a new token to be sent to the server.
+func NewClientContextWithFlags(cred *sspi.Credentials, targetName string, flags uint32) (cc *ClientContext, outputToken []byte, err error) {
+	var tname *uint16
+	if len(targetName) > 0 {
+		p, err2 := syscall.UTF16FromString(targetName)
+		if err2 != nil {
+			return nil, nil, err2
+		}
+		if len(p) > 0 {
+			tname = &p[0]
+		}
+	}
+	pkgInfo, err := GetPackageInfo()
+	if err != nil {
+		return nil, nil, err
+	}
+	otoken := make([]byte, pkgInfo.MaxToken)
+	c := sspi.NewClientContext(cred, flags)
+
+	authCompleted, n, err2 := common.UpdateContext(c, otoken, nil, tname)
+	if err2 != nil {
+		return nil, nil, err2
+	}
+	if authCompleted {
+		c.Release()
+		return nil, nil, errors.New("negotiate authentication should not be completed yet")
+	}
+	if n == 0 {
+		c.Release()
+		return nil, nil, errors.New("negotiate token should not be empty")
+	}
+	otoken = otoken[:n]
+	return &ClientContext{sctxt: c, targetName: tname}, otoken, nil
+}
+
+// Release free up resources associated with client context c.
+func (c *ClientContext) Release() error {
+	if c == nil {
+		return nil
+	}
+	return c.sctxt.Release()
+}
+
+// Expiry returns c expiry time.
+func (c *ClientContext) Expiry() time.Time {
+	return c.sctxt.Expiry()
+}
+
+// Update advances client part of Negotiate negotiation c. It uses
+// token received from the server and returns true if client part
+// of authentication is complete. It also returns new token to be
+// sent to the server.
+func (c *ClientContext) Update(token []byte) (authCompleted bool, outputToken []byte, err error) {
+	pkgInfo, err := GetPackageInfo()
+	if err != nil {
+		return false, nil, err
+	}
+	otoken := make([]byte, pkgInfo.MaxToken)
+	authDone, n, err2 := common.UpdateContext(c.sctxt, otoken, token, c.targetName)
+	if err2 != nil {
+		return false, nil, err2
+	}
+	if n == 0 && !authDone {
+		return false, nil, errors.New("negotiate token should not be empty")
+	}
+	otoken = otoken[:n]
+	return authDone, otoken, nil
+}
+
+// Sizes queries the client context for the sizes used in per-message
+// functions. It returns the maximum token size used in authentication
+// exchanges, the maximum signature size, the preferred integral size of
+// messages, the size of any security trailer, and any error.
+func (c *ClientContext) Sizes() (uint32, uint32, uint32, uint32, error) {
+	return c.sctxt.Sizes()
+}
+
+// MakeSignature uses the established client context to create a signature
+// for the given message using the provided quality of protection flags and
+// sequence number. It returns the signature token in addition to any error.
+func (c *ClientContext) MakeSignature(msg []byte, qop, seqno uint32) ([]byte, error) {
+	return common.MakeSignature(c.sctxt, msg, qop, seqno)
+}
+
+// VerifySignature uses the established client context and signature token
+// to check that the provided message hasn't been tampered or received out
+// of sequence. It returns any quality of protection flags and any error
+// that occurred.
+func (c *ClientContext) VerifySignature(msg, token []byte, seqno uint32) (uint32, error) {
+	return common.VerifySignature(c.sctxt, msg, token, seqno)
+}
+
+// EncryptMessage uses the established client context to encrypt a message
+// using the provided quality of protection flags and sequence number.
+// It returns the signature token in addition to any error.
+// IMPORTANT: the input msg parameter is updated in place by the low-level windows api
+// so must be copied if the initial content should not be modified.
+func (c *ClientContext) EncryptMessage(msg []byte, qop, seqno uint32) ([]byte, error) {
+	return common.EncryptMessage(c.sctxt, msg, qop, seqno)
+}
+
+// DecryptMessage uses the established client context to decrypt a message
+// using the provided sequence number.
+// It returns the quality of protection flag and the decrypted message in addition to any error.
+func (c *ClientContext) DecryptMessage(msg []byte, seqno uint32) (uint32, []byte, error) {
+	return common.DecryptMessage(c.sctxt, msg, seqno)
+}
+
+// VerifyFlags determines if all flags used to construct the client context
+// were honored (see NewClientContextWithFlags).  It should be called after c.Update.
+func (c *ClientContext) VerifyFlags() error {
+	return c.sctxt.VerifyFlags()
+}
+
+// VerifySelectiveFlags determines if the given flags were honored (see NewClientContextWithFlags).
+// It should be called after c.Update.
+func (c *ClientContext) VerifySelectiveFlags(flags uint32) error {
+	return c.sctxt.VerifySelectiveFlags(flags)
+}
+
+// ServerContext is used by the server to manage all steps of Negotiate
+// negotiation. Once authentication is completed the context can be
+// used to impersonate client.
+type ServerContext struct {
+	sctxt *sspi.Context
+}
+
+// NewServerContext creates new server context. It uses server
+// credentials created by AcquireServerCredentials and token from
+// the client to start server Negotiate negotiation sequence.
+// It also returns new token to be sent to the client.
+func NewServerContext(cred *sspi.Credentials, token []byte) (sc *ServerContext, authDone bool, outputToken []byte, err error) {
+	pkgInfo, err := GetPackageInfo()
+	if err != nil {
+		return nil, false, nil, err
+	}
+	otoken := make([]byte, pkgInfo.MaxToken)
+	c := sspi.NewServerContext(cred, sspi.ASC_REQ_CONNECTION)
+	authDone, n, err2 := common.UpdateContext(c, otoken, token, nil)
+	if err2 != nil {
+		return nil, false, nil, err2
+	}
+	otoken = otoken[:n]
+	return &ServerContext{sctxt: c}, authDone, otoken, nil
+}
+
+// Release free up resources associated with server context c.
+func (c *ServerContext) Release() error {
+	if c == nil {
+		return nil
+	}
+	return c.sctxt.Release()
+}
+
+// Expiry returns c expiry time.
+func (c *ServerContext) Expiry() time.Time {
+	return c.sctxt.Expiry()
+}
+
+// Update advances server part of Negotiate negotiation c. It uses
+// token received from the client and returns true if server part
+// of authentication is complete. It also returns new token to be
+// sent to the client.
+func (c *ServerContext) Update(token []byte) (authCompleted bool, outputToken []byte, err error) {
+	pkgInfo, err := GetPackageInfo()
+	if err != nil {
+		return false, nil, err
+	}
+	otoken := make([]byte, pkgInfo.MaxToken)
+	authDone, n, err2 := common.UpdateContext(c.sctxt, otoken, token, nil)
+	if err2 != nil {
+		return false, nil, err2
+	}
+	if n == 0 && !authDone {
+		return false, nil, errors.New("negotiate token should not be empty")
+	}
+	otoken = otoken[:n]
+	return authDone, otoken, nil
+}
+
+const _SECPKG_ATTR_NATIVE_NAMES = 13
+
+type _SecPkgContext_NativeNames struct {
+	ClientName *uint16
+	ServerName *uint16
+}
+
+// GetUsername returns the username corresponding to the authenticated client
+func (c *ServerContext) GetUsername() (string, error) {
+	var ns _SecPkgContext_NativeNames
+	ret := sspi.QueryContextAttributes(c.sctxt.Handle, _SECPKG_ATTR_NATIVE_NAMES, (*byte)(unsafe.Pointer(&ns)))
+	if ret != sspi.SEC_E_OK {
+		return "", ret
+	}
+	sspi.FreeContextBuffer((*byte)(unsafe.Pointer(ns.ServerName)))
+	defer sspi.FreeContextBuffer((*byte)(unsafe.Pointer(ns.ClientName)))
+	return syscall.UTF16ToString((*[2 << 20]uint16)(unsafe.Pointer(ns.ClientName))[:]), nil
+}
+
+// ImpersonateUser changes current OS thread user. New user is
+// the user as specified by client credentials.
+func (c *ServerContext) ImpersonateUser() error {
+	return c.sctxt.ImpersonateUser()
+}
+
+// RevertToSelf stops impersonation. It changes current OS thread
+// user to what it was before ImpersonateUser was executed.
+func (c *ServerContext) RevertToSelf() error {
+	return c.sctxt.RevertToSelf()
+}
+
+// Sizes queries the server context for the sizes used in per-message
+// functions. It returns the maximum token size used in authentication
+// exchanges, the maximum signature size, the preferred integral size of
+// messages, the size of any security trailer, and any error.
+func (c *ServerContext) Sizes() (uint32, uint32, uint32, uint32, error) {
+	return c.sctxt.Sizes()
+}
+
+// MakeSignature uses the established server context to create a signature
+// for the given message using the provided quality of protection flags and
+// sequence number. It returns the signature token in addition to any error.
+func (c *ServerContext) MakeSignature(msg []byte, qop, seqno uint32) ([]byte, error) {
+	return common.MakeSignature(c.sctxt, msg, qop, seqno)
+}
+
+// VerifySignature uses the established server context and signature token
+// to check that the provided message hasn't been tampered or received out
+// of sequence. It returns any quality of protection flags and any error
+// that occurred.
+func (c *ServerContext) VerifySignature(msg, token []byte, seqno uint32) (uint32, error) {
+	return common.VerifySignature(c.sctxt, msg, token, seqno)
+}
+
+// EncryptMessage uses the established server context to encrypt a message
+// using the provided quality of protection flags and sequence number.
+// It returns the signature token in addition to any error.
+// IMPORTANT: the input msg parameter is updated in place by the low-level windows api
+// so must be copied if the initial content should not be modified.
+func (c *ServerContext) EncryptMessage(msg []byte, qop, seqno uint32) ([]byte, error) {
+	return common.EncryptMessage(c.sctxt, msg, qop, seqno)
+}
+
+// DecryptMessage uses the established server context to decrypt a message
+// using the provided sequence number.
+// It returns the quality of protection flag and the decrypted message in addition to any error.
+func (c *ServerContext) DecryptMessage(msg []byte, seqno uint32) (uint32, []byte, error) {
+	return common.DecryptMessage(c.sctxt, msg, seqno)
+}

vendor/github.com/alexbrainman/sspi/sspi.go

@@ -0,0 +1,226 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build windows
+
+package sspi
+
+import (
+	"fmt"
+	"syscall"
+	"time"
+	"unsafe"
+)
+
+// TODO: add documentation
+
+type PackageInfo struct {
+	Capabilities uint32
+	Version      uint16
+	RPCID        uint16
+	MaxToken     uint32
+	Name         string
+	Comment      string
+}
+
+func QueryPackageInfo(pkgname string) (*PackageInfo, error) {
+	name, err := syscall.UTF16PtrFromString(pkgname)
+	if err != nil {
+		return nil, err
+	}
+	var pi *SecPkgInfo
+	ret := QuerySecurityPackageInfo(name, &pi)
+	if ret != SEC_E_OK {
+		return nil, ret
+	}
+	defer FreeContextBuffer((*byte)(unsafe.Pointer(pi)))
+
+	return &PackageInfo{
+		Capabilities: pi.Capabilities,
+		Version:      pi.Version,
+		RPCID:        pi.RPCID,
+		MaxToken:     pi.MaxToken,
+		Name:         syscall.UTF16ToString((*[2 << 12]uint16)(unsafe.Pointer(pi.Name))[:]),
+		Comment:      syscall.UTF16ToString((*[2 << 12]uint16)(unsafe.Pointer(pi.Comment))[:]),
+	}, nil
+}
+
+type Credentials struct {
+	Handle CredHandle
+	expiry syscall.Filetime
+}
+
+// AcquireCredentials calls the windows AcquireCredentialsHandle function and
+// returns Credentials containing a security handle that can be used for
+// InitializeSecurityContext or AcceptSecurityContext operations.
+// As a special case, passing an empty string as the principal parameter will
+// pass a null string to the underlying function.
+func AcquireCredentials(principal string, pkgname string, creduse uint32, authdata *byte) (*Credentials, error) {
+	var principalName *uint16
+	if principal != "" {
+		var err error
+		principalName, err = syscall.UTF16PtrFromString(principal)
+		if err != nil {
+			return nil, err
+		}
+	}
+	name, err := syscall.UTF16PtrFromString(pkgname)
+	if err != nil {
+		return nil, err
+	}
+	var c Credentials
+	ret := AcquireCredentialsHandle(principalName, name, creduse, nil, authdata, 0, 0, &c.Handle, &c.expiry)
+	if ret != SEC_E_OK {
+		return nil, ret
+	}
+	return &c, nil
+}
+
+func (c *Credentials) Release() error {
+	if c == nil {
+		return nil
+	}
+	ret := FreeCredentialsHandle(&c.Handle)
+	if ret != SEC_E_OK {
+		return ret
+	}
+	return nil
+}
+
+func (c *Credentials) Expiry() time.Time {
+	return time.Unix(0, c.expiry.Nanoseconds())
+}
+
+// TODO: add functions to display and manage RequestedFlags and EstablishedFlags fields.
+// TODO: maybe get rid of RequestedFlags and EstablishedFlags fields, and replace them with input parameter for New...Context and return value of Update (instead of current bool parameter).
+
+type updateFunc func(c *Context, targname *uint16, h, newh *CtxtHandle, out, in *SecBufferDesc) syscall.Errno
+
+type Context struct {
+	Cred             *Credentials
+	Handle           *CtxtHandle
+	handle           CtxtHandle
+	updFn            updateFunc
+	expiry           syscall.Filetime
+	RequestedFlags   uint32
+	EstablishedFlags uint32
+}
+
+func NewClientContext(cred *Credentials, flags uint32) *Context {
+	return &Context{
+		Cred:           cred,
+		updFn:          initialize,
+		RequestedFlags: flags,
+	}
+}
+
+func NewServerContext(cred *Credentials, flags uint32) *Context {
+	return &Context{
+		Cred:           cred,
+		updFn:          accept,
+		RequestedFlags: flags,
+	}
+}
+
+func initialize(c *Context, targname *uint16, h, newh *CtxtHandle, out, in *SecBufferDesc) syscall.Errno {
+	return InitializeSecurityContext(&c.Cred.Handle, h, targname, c.RequestedFlags,
+		0, SECURITY_NATIVE_DREP, in, 0, newh, out, &c.EstablishedFlags, &c.expiry)
+}
+
+func accept(c *Context, targname *uint16, h, newh *CtxtHandle, out, in *SecBufferDesc) syscall.Errno {
+	return AcceptSecurityContext(&c.Cred.Handle, h, in, c.RequestedFlags,
+		SECURITY_NATIVE_DREP, newh, out, &c.EstablishedFlags, &c.expiry)
+}
+
+func (c *Context) Update(targname *uint16, out, in *SecBufferDesc) syscall.Errno {
+	h := c.Handle
+	if c.Handle == nil {
+		c.Handle = &c.handle
+	}
+	return c.updFn(c, targname, h, c.Handle, out, in)
+}
+
+func (c *Context) Release() error {
+	if c == nil {
+		return nil
+	}
+	ret := DeleteSecurityContext(c.Handle)
+	if ret != SEC_E_OK {
+		return ret
+	}
+	return nil
+}
+
+func (c *Context) Expiry() time.Time {
+	return time.Unix(0, c.expiry.Nanoseconds())
+}
+
+// TODO: add comment to function doco that this "impersonation" is applied to current OS thread.
+func (c *Context) ImpersonateUser() error {
+	ret := ImpersonateSecurityContext(c.Handle)
+	if ret != SEC_E_OK {
+		return ret
+	}
+	return nil
+}
+
+func (c *Context) RevertToSelf() error {
+	ret := RevertSecurityContext(c.Handle)
+	if ret != SEC_E_OK {
+		return ret
+	}
+	return nil
+}
+
+// Sizes queries the context for the sizes used in per-message functions.
+// It returns the maximum token size used in authentication exchanges, the
+// maximum signature size, the preferred integral size of messages, the
+// size of any security trailer, and any error.
+func (c *Context) Sizes() (uint32, uint32, uint32, uint32, error) {
+	var s _SecPkgContext_Sizes
+	ret := QueryContextAttributes(c.Handle, _SECPKG_ATTR_SIZES, (*byte)(unsafe.Pointer(&s)))
+	if ret != SEC_E_OK {
+		return 0, 0, 0, 0, ret
+	}
+	return s.MaxToken, s.MaxSignature, s.BlockSize, s.SecurityTrailer, nil
+}
+
+// VerifyFlags determines if all flags used to construct the context
+// were honored (see NewClientContext).  It should be called after c.Update.
+func (c *Context) VerifyFlags() error {
+	return c.VerifySelectiveFlags(c.RequestedFlags)
+}
+
+// VerifySelectiveFlags determines if the given flags were honored (see NewClientContext).
+// It should be called after c.Update.
+func (c *Context) VerifySelectiveFlags(flags uint32) error {
+	if valid, missing, extra := verifySelectiveFlags(flags, c.RequestedFlags); !valid {
+		return fmt.Errorf("sspi: invalid flags check: desired=%b requested=%b missing=%b extra=%b", flags, c.RequestedFlags, missing, extra)
+	}
+	if valid, missing, extra := verifySelectiveFlags(flags, c.EstablishedFlags); !valid {
+		return fmt.Errorf("sspi: invalid flags: desired=%b established=%b missing=%b extra=%b", flags, c.EstablishedFlags, missing, extra)
+	}
+	return nil
+}
+
+// verifySelectiveFlags determines if all bits requested in flags are set in establishedFlags.
+// missing represents the bits set in flags that are not set in establishedFlags.
+// extra represents the bits set in establishedFlags that are not set in flags.
+// valid is true and missing is zero when establishedFlags has all of the requested flags.
+func verifySelectiveFlags(flags, establishedFlags uint32) (valid bool, missing, extra uint32) {
+	missing = flags&establishedFlags ^ flags
+	extra = flags | establishedFlags ^ flags
+	valid = missing == 0
+	return valid, missing, extra
+}
+
+// NewSecBufferDesc returns an initialized SecBufferDesc describing the
+// provided SecBuffer.
+func NewSecBufferDesc(b []SecBuffer) *SecBufferDesc {
+	return &SecBufferDesc{
+		Version:      SECBUFFER_VERSION,
+		BuffersCount: uint32(len(b)),
+		Buffers:      &b[0],
+	}
+}

vendor/github.com/alexbrainman/sspi/syscall.go

@@ -0,0 +1,174 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build windows
+
+package sspi
+
+import (
+	"syscall"
+)
+
+const (
+	SEC_E_OK = syscall.Errno(0)
+
+	SEC_I_COMPLETE_AND_CONTINUE = syscall.Errno(590612)
+	SEC_I_COMPLETE_NEEDED       = syscall.Errno(590611)
+	SEC_I_CONTINUE_NEEDED       = syscall.Errno(590610)
+
+	SEC_E_LOGON_DENIED       = syscall.Errno(0x8009030c)
+	SEC_E_CONTEXT_EXPIRED    = syscall.Errno(0x80090317) // not sure if the value is valid
+	SEC_E_INCOMPLETE_MESSAGE = syscall.Errno(0x80090318)
+
+	NTLMSP_NAME             = "NTLM"
+	MICROSOFT_KERBEROS_NAME = "Kerberos"
+	NEGOSSP_NAME            = "Negotiate"
+	UNISP_NAME              = "Microsoft Unified Security Protocol Provider"
+
+	_SECPKG_ATTR_SIZES            = 0
+	_SECPKG_ATTR_NAMES            = 1
+	_SECPKG_ATTR_LIFESPAN         = 2
+	_SECPKG_ATTR_DCE_INFO         = 3
+	_SECPKG_ATTR_STREAM_SIZES     = 4
+	_SECPKG_ATTR_KEY_INFO         = 5
+	_SECPKG_ATTR_AUTHORITY        = 6
+	_SECPKG_ATTR_PROTO_INFO       = 7
+	_SECPKG_ATTR_PASSWORD_EXPIRY  = 8
+	_SECPKG_ATTR_SESSION_KEY      = 9
+	_SECPKG_ATTR_PACKAGE_INFO     = 10
+	_SECPKG_ATTR_USER_FLAGS       = 11
+	_SECPKG_ATTR_NEGOTIATION_INFO = 12
+	_SECPKG_ATTR_NATIVE_NAMES     = 13
+	_SECPKG_ATTR_FLAGS            = 14
+)
+
+type SecPkgInfo struct {
+	Capabilities uint32
+	Version      uint16
+	RPCID        uint16
+	MaxToken     uint32
+	Name         *uint16
+	Comment      *uint16
+}
+
+type _SecPkgContext_Sizes struct {
+	MaxToken        uint32
+	MaxSignature    uint32
+	BlockSize       uint32
+	SecurityTrailer uint32
+}
+
+//sys	QuerySecurityPackageInfo(pkgname *uint16, pkginfo **SecPkgInfo) (ret syscall.Errno) = secur32.QuerySecurityPackageInfoW
+//sys	FreeContextBuffer(buf *byte) (ret syscall.Errno) = secur32.FreeContextBuffer
+
+const (
+	SECPKG_CRED_INBOUND  = 1
+	SECPKG_CRED_OUTBOUND = 2
+	SECPKG_CRED_BOTH     = (SECPKG_CRED_OUTBOUND | SECPKG_CRED_INBOUND)
+
+	SEC_WINNT_AUTH_IDENTITY_UNICODE = 0x2
+)
+
+type SEC_WINNT_AUTH_IDENTITY struct {
+	User           *uint16
+	UserLength     uint32
+	Domain         *uint16
+	DomainLength   uint32
+	Password       *uint16
+	PasswordLength uint32
+	Flags          uint32
+}
+
+type LUID struct {
+	LowPart  uint32
+	HighPart int32
+}
+
+type CredHandle struct {
+	Lower uintptr
+	Upper uintptr
+}
+
+//sys	AcquireCredentialsHandle(principal *uint16, pkgname *uint16, creduse uint32, logonid *LUID, authdata *byte, getkeyfn uintptr, getkeyarg uintptr, handle *CredHandle, expiry *syscall.Filetime) (ret syscall.Errno) = secur32.AcquireCredentialsHandleW
+//sys	FreeCredentialsHandle(handle *CredHandle) (ret syscall.Errno) = secur32.FreeCredentialsHandle
+
+const (
+	SECURITY_NATIVE_DREP = 16
+
+	SECBUFFER_DATA           = 1
+	SECBUFFER_TOKEN          = 2
+	SECBUFFER_PKG_PARAMS     = 3
+	SECBUFFER_MISSING        = 4
+	SECBUFFER_EXTRA          = 5
+	SECBUFFER_STREAM_TRAILER = 6
+	SECBUFFER_STREAM_HEADER  = 7
+	SECBUFFER_PADDING        = 9
+	SECBUFFER_STREAM         = 10
+	SECBUFFER_READONLY       = 0x80000000
+	SECBUFFER_ATTRMASK       = 0xf0000000
+	SECBUFFER_VERSION        = 0
+	SECBUFFER_EMPTY          = 0
+
+	ISC_REQ_DELEGATE               = 1
+	ISC_REQ_MUTUAL_AUTH            = 2
+	ISC_REQ_REPLAY_DETECT          = 4
+	ISC_REQ_SEQUENCE_DETECT        = 8
+	ISC_REQ_CONFIDENTIALITY        = 16
+	ISC_REQ_USE_SESSION_KEY        = 32
+	ISC_REQ_PROMPT_FOR_CREDS       = 64
+	ISC_REQ_USE_SUPPLIED_CREDS     = 128
+	ISC_REQ_ALLOCATE_MEMORY        = 256
+	ISC_REQ_USE_DCE_STYLE          = 512
+	ISC_REQ_DATAGRAM               = 1024
+	ISC_REQ_CONNECTION             = 2048
+	ISC_REQ_EXTENDED_ERROR         = 16384
+	ISC_REQ_STREAM                 = 32768
+	ISC_REQ_INTEGRITY              = 65536
+	ISC_REQ_MANUAL_CRED_VALIDATION = 524288
+	ISC_REQ_HTTP                   = 268435456
+
+	ASC_REQ_DELEGATE        = 1
+	ASC_REQ_MUTUAL_AUTH     = 2
+	ASC_REQ_REPLAY_DETECT   = 4
+	ASC_REQ_SEQUENCE_DETECT = 8
+	ASC_REQ_CONFIDENTIALITY = 16
+	ASC_REQ_USE_SESSION_KEY = 32
+	ASC_REQ_ALLOCATE_MEMORY = 256
+	ASC_REQ_USE_DCE_STYLE   = 512
+	ASC_REQ_DATAGRAM        = 1024
+	ASC_REQ_CONNECTION      = 2048
+	ASC_REQ_EXTENDED_ERROR  = 32768
+	ASC_REQ_STREAM          = 65536
+	ASC_REQ_INTEGRITY       = 131072
+)
+
+type CtxtHandle struct {
+	Lower uintptr
+	Upper uintptr
+}
+
+type SecBuffer struct {
+	BufferSize uint32
+	BufferType uint32
+	Buffer     *byte
+}
+
+type SecBufferDesc struct {
+	Version      uint32
+	BuffersCount uint32
+	Buffers      *SecBuffer
+}
+
+//sys	InitializeSecurityContext(credential *CredHandle, context *CtxtHandle, targname *uint16, contextreq uint32, reserved1 uint32, targdatarep uint32, input *SecBufferDesc, reserved2 uint32, newcontext *CtxtHandle, output *SecBufferDesc, contextattr *uint32, expiry *syscall.Filetime) (ret syscall.Errno) = secur32.InitializeSecurityContextW
+//sys	AcceptSecurityContext(credential *CredHandle, context *CtxtHandle, input *SecBufferDesc, contextreq uint32, targdatarep uint32, newcontext *CtxtHandle, output *SecBufferDesc, contextattr *uint32, expiry *syscall.Filetime) (ret syscall.Errno) = secur32.AcceptSecurityContext
+//sys	CompleteAuthToken(context *CtxtHandle, token *SecBufferDesc) (ret syscall.Errno) = secur32.CompleteAuthToken
+//sys	DeleteSecurityContext(context *CtxtHandle) (ret syscall.Errno) = secur32.DeleteSecurityContext
+//sys	ImpersonateSecurityContext(context *CtxtHandle) (ret syscall.Errno) = secur32.ImpersonateSecurityContext
+//sys	RevertSecurityContext(context *CtxtHandle) (ret syscall.Errno) = secur32.RevertSecurityContext
+//sys	QueryContextAttributes(context *CtxtHandle, attribute uint32, buf *byte) (ret syscall.Errno) = secur32.QueryContextAttributesW
+//sys	EncryptMessage(context *CtxtHandle, qop uint32, message *SecBufferDesc, messageseqno uint32) (ret syscall.Errno) = secur32.EncryptMessage
+//sys	DecryptMessage(context *CtxtHandle, message *SecBufferDesc, messageseqno uint32, qop *uint32) (ret syscall.Errno) = secur32.DecryptMessage
+//sys	ApplyControlToken(context *CtxtHandle, input *SecBufferDesc) (ret syscall.Errno) = secur32.ApplyControlToken
+//sys	MakeSignature(context *CtxtHandle, qop uint32, message *SecBufferDesc, messageseqno uint32) (ret syscall.Errno) = secur32.MakeSignature
+//sys	VerifySignature(context *CtxtHandle, message *SecBufferDesc, messageseqno uint32, qop *uint32) (ret syscall.Errno) = secur32.VerifySignature

vendor/github.com/alexbrainman/sspi/zsyscall_windows.go

@@ -0,0 +1,152 @@
+// MACHINE GENERATED BY 'go generate' COMMAND; DO NOT EDIT
+
+package sspi
+
+import (
+	"syscall"
+	"unsafe"
+)
+
+var _ unsafe.Pointer
+
+// Do the interface allocations only once for common
+// Errno values.
+const (
+	errnoERROR_IO_PENDING = 997
+)
+
+var (
+	errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING)
+)
+
+// errnoErr returns common boxed Errno values, to prevent
+// allocations at runtime.
+func errnoErr(e syscall.Errno) error {
+	switch e {
+	case 0:
+		return nil
+	case errnoERROR_IO_PENDING:
+		return errERROR_IO_PENDING
+	}
+	// TODO: add more here, after collecting data on the common
+	// error values see on Windows. (perhaps when running
+	// all.bat?)
+	return e
+}
+
+var (
+	modsecur32 = syscall.NewLazyDLL("secur32.dll")
+
+	procQuerySecurityPackageInfoW  = modsecur32.NewProc("QuerySecurityPackageInfoW")
+	procFreeContextBuffer          = modsecur32.NewProc("FreeContextBuffer")
+	procAcquireCredentialsHandleW  = modsecur32.NewProc("AcquireCredentialsHandleW")
+	procFreeCredentialsHandle      = modsecur32.NewProc("FreeCredentialsHandle")
+	procInitializeSecurityContextW = modsecur32.NewProc("InitializeSecurityContextW")
+	procAcceptSecurityContext      = modsecur32.NewProc("AcceptSecurityContext")
+	procCompleteAuthToken          = modsecur32.NewProc("CompleteAuthToken")
+	procDeleteSecurityContext      = modsecur32.NewProc("DeleteSecurityContext")
+	procImpersonateSecurityContext = modsecur32.NewProc("ImpersonateSecurityContext")
+	procRevertSecurityContext      = modsecur32.NewProc("RevertSecurityContext")
+	procQueryContextAttributesW    = modsecur32.NewProc("QueryContextAttributesW")
+	procEncryptMessage             = modsecur32.NewProc("EncryptMessage")
+	procDecryptMessage             = modsecur32.NewProc("DecryptMessage")
+	procApplyControlToken          = modsecur32.NewProc("ApplyControlToken")
+	procMakeSignature              = modsecur32.NewProc("MakeSignature")
+	procVerifySignature            = modsecur32.NewProc("VerifySignature")
+)
+
+func QuerySecurityPackageInfo(pkgname *uint16, pkginfo **SecPkgInfo) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procQuerySecurityPackageInfoW.Addr(), 2, uintptr(unsafe.Pointer(pkgname)), uintptr(unsafe.Pointer(pkginfo)), 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func FreeContextBuffer(buf *byte) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procFreeContextBuffer.Addr(), 1, uintptr(unsafe.Pointer(buf)), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func AcquireCredentialsHandle(principal *uint16, pkgname *uint16, creduse uint32, logonid *LUID, authdata *byte, getkeyfn uintptr, getkeyarg uintptr, handle *CredHandle, expiry *syscall.Filetime) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall9(procAcquireCredentialsHandleW.Addr(), 9, uintptr(unsafe.Pointer(principal)), uintptr(unsafe.Pointer(pkgname)), uintptr(creduse), uintptr(unsafe.Pointer(logonid)), uintptr(unsafe.Pointer(authdata)), uintptr(getkeyfn), uintptr(getkeyarg), uintptr(unsafe.Pointer(handle)), uintptr(unsafe.Pointer(expiry)))
+	ret = syscall.Errno(r0)
+	return
+}
+
+func FreeCredentialsHandle(handle *CredHandle) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procFreeCredentialsHandle.Addr(), 1, uintptr(unsafe.Pointer(handle)), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func InitializeSecurityContext(credential *CredHandle, context *CtxtHandle, targname *uint16, contextreq uint32, reserved1 uint32, targdatarep uint32, input *SecBufferDesc, reserved2 uint32, newcontext *CtxtHandle, output *SecBufferDesc, contextattr *uint32, expiry *syscall.Filetime) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall12(procInitializeSecurityContextW.Addr(), 12, uintptr(unsafe.Pointer(credential)), uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(targname)), uintptr(contextreq), uintptr(reserved1), uintptr(targdatarep), uintptr(unsafe.Pointer(input)), uintptr(reserved2), uintptr(unsafe.Pointer(newcontext)), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(contextattr)), uintptr(unsafe.Pointer(expiry)))
+	ret = syscall.Errno(r0)
+	return
+}
+
+func AcceptSecurityContext(credential *CredHandle, context *CtxtHandle, input *SecBufferDesc, contextreq uint32, targdatarep uint32, newcontext *CtxtHandle, output *SecBufferDesc, contextattr *uint32, expiry *syscall.Filetime) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall9(procAcceptSecurityContext.Addr(), 9, uintptr(unsafe.Pointer(credential)), uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(input)), uintptr(contextreq), uintptr(targdatarep), uintptr(unsafe.Pointer(newcontext)), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(contextattr)), uintptr(unsafe.Pointer(expiry)))
+	ret = syscall.Errno(r0)
+	return
+}
+
+func CompleteAuthToken(context *CtxtHandle, token *SecBufferDesc) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procCompleteAuthToken.Addr(), 2, uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(token)), 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func DeleteSecurityContext(context *CtxtHandle) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procDeleteSecurityContext.Addr(), 1, uintptr(unsafe.Pointer(context)), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func ImpersonateSecurityContext(context *CtxtHandle) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procImpersonateSecurityContext.Addr(), 1, uintptr(unsafe.Pointer(context)), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func RevertSecurityContext(context *CtxtHandle) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procRevertSecurityContext.Addr(), 1, uintptr(unsafe.Pointer(context)), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func QueryContextAttributes(context *CtxtHandle, attribute uint32, buf *byte) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procQueryContextAttributesW.Addr(), 3, uintptr(unsafe.Pointer(context)), uintptr(attribute), uintptr(unsafe.Pointer(buf)))
+	ret = syscall.Errno(r0)
+	return
+}
+
+func EncryptMessage(context *CtxtHandle, qop uint32, message *SecBufferDesc, messageseqno uint32) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall6(procEncryptMessage.Addr(), 4, uintptr(unsafe.Pointer(context)), uintptr(qop), uintptr(unsafe.Pointer(message)), uintptr(messageseqno), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func DecryptMessage(context *CtxtHandle, message *SecBufferDesc, messageseqno uint32, qop *uint32) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall6(procDecryptMessage.Addr(), 4, uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(message)), uintptr(messageseqno), uintptr(unsafe.Pointer(qop)), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func ApplyControlToken(context *CtxtHandle, input *SecBufferDesc) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall(procApplyControlToken.Addr(), 2, uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(input)), 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func MakeSignature(context *CtxtHandle, qop uint32, message *SecBufferDesc, messageseqno uint32) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall6(procMakeSignature.Addr(), 4, uintptr(unsafe.Pointer(context)), uintptr(qop), uintptr(unsafe.Pointer(message)), uintptr(messageseqno), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}
+
+func VerifySignature(context *CtxtHandle, message *SecBufferDesc, messageseqno uint32, qop *uint32) (ret syscall.Errno) {
+	r0, _, _ := syscall.Syscall6(procVerifySignature.Addr(), 4, uintptr(unsafe.Pointer(context)), uintptr(unsafe.Pointer(message)), uintptr(messageseqno), uintptr(unsafe.Pointer(qop)), 0, 0)
+	ret = syscall.Errno(r0)
+	return
+}

vendor/github.com/bits-and-blooms/bitset/.gitignore

@@ -0,0 +1,26 @@
+# Compiled Object files, Static and Dynamic libs (Shared Objects)
+*.o
+*.a
+*.so
+
+# Folders
+_obj
+_test
+
+# Architecture specific extensions/prefixes
+*.[568vq]
+[568vq].out
+
+*.cgo1.go
+*.cgo2.c
+_cgo_defun.c
+_cgo_gotypes.go
+_cgo_export.*
+
+_testmain.go
+
+*.exe
+*.test
+*.prof
+
+target

vendor/github.com/bits-and-blooms/bitset/.travis.yml

@@ -0,0 +1,37 @@
+language: go
+
+sudo: false
+
+branches:
+  except:
+    - release
+
+branches:
+  only:
+    - master
+    - travis
+
+go:
+  - "1.11.x"
+  - tip
+
+matrix:
+  allow_failures:
+    - go: tip
+
+before_install:
+  - if [ -n "$GH_USER" ]; then git config --global github.user ${GH_USER}; fi;
+  - if [ -n "$GH_TOKEN" ]; then git config --global github.token ${GH_TOKEN}; fi;
+  - go get github.com/mattn/goveralls
+
+before_script:
+  - make deps
+
+script:
+  - make qa
+
+after_failure:
+  - cat ./target/test/report.xml
+
+after_success:
+  - if [ "$TRAVIS_GO_VERSION" = "1.11.1" ]; then $HOME/gopath/bin/goveralls -covermode=count -coverprofile=target/report/coverage.out -service=travis-ci; fi;

vendor/github.com/bits-and-blooms/bitset/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2014 Will Fitzgerald. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/bits-and-blooms/bitset/README.md

@@ -0,0 +1,159 @@
+# bitset
+
+*Go language library to map between non-negative integers and boolean values*
+
+[![Test](https://github.com/bits-and-blooms/bitset/workflows/Test/badge.svg)](https://github.com/willf/bitset/actions?query=workflow%3ATest)
+[![Go Report Card](https://goreportcard.com/badge/github.com/willf/bitset)](https://goreportcard.com/report/github.com/willf/bitset)
+[![PkgGoDev](https://pkg.go.dev/badge/github.com/bits-and-blooms/bitset?tab=doc)](https://pkg.go.dev/github.com/bits-and-blooms/bitset?tab=doc)
+
+
+This library is part of the [awesome go collection](https://github.com/avelino/awesome-go). It is used in production by several important systems:
+
+* [beego](https://github.com/beego/beego)
+* [CubeFS](https://github.com/cubefs/cubefs)
+* [Amazon EKS Distro](https://github.com/aws/eks-distro)
+* [sourcegraph](https://github.com/sourcegraph/sourcegraph)
+* [torrent](https://github.com/anacrolix/torrent)
+
+
+## Description
+
+Package bitset implements bitsets, a mapping between non-negative integers and boolean values.
+It should be more efficient than map[uint] bool.
+
+It provides methods for setting, clearing, flipping, and testing individual integers.
+
+But it also provides set intersection, union, difference, complement, and symmetric operations, as well as tests to check whether any, all, or no bits are set, and querying a bitset's current length and number of positive bits.
+
+BitSets are expanded to the size of the largest set bit; the memory allocation is approximately Max bits, where Max is the largest set bit. BitSets are never shrunk. On creation, a hint can be given for the number of bits that will be used.
+
+Many of the methods, including Set, Clear, and Flip, return a BitSet pointer, which allows for chaining.
+
+### Example use:
+
+```go
+package main
+
+import (
+	"fmt"
+	"math/rand"
+
+	"github.com/bits-and-blooms/bitset"
+)
+
+func main() {
+	fmt.Printf("Hello from BitSet!\n")
+	var b bitset.BitSet
+	// play some Go Fish
+	for i := 0; i < 100; i++ {
+		card1 := uint(rand.Intn(52))
+		card2 := uint(rand.Intn(52))
+		b.Set(card1)
+		if b.Test(card2) {
+			fmt.Println("Go Fish!")
+		}
+		b.Clear(card1)
+	}
+
+	// Chaining
+	b.Set(10).Set(11)
+
+	for i, e := b.NextSet(0); e; i, e = b.NextSet(i + 1) {
+		fmt.Println("The following bit is set:", i)
+	}
+	if b.Intersection(bitset.New(100).Set(10)).Count() == 1 {
+		fmt.Println("Intersection works.")
+	} else {
+		fmt.Println("Intersection doesn't work???")
+	}
+}
+```
+
+
+Package documentation is at: https://pkg.go.dev/github.com/bits-and-blooms/bitset?tab=doc
+
+## Serialization
+
+
+You may serialize a bitset safely and portably to a stream
+of bytes as follows:
+```Go
+    const length = 9585
+	const oneEvery = 97
+	bs := bitset.New(length)
+	// Add some bits
+	for i := uint(0); i < length; i += oneEvery {
+		bs = bs.Set(i)
+	}
+
+	var buf bytes.Buffer
+	n, err := bs.WriteTo(&buf)
+	if err != nil {
+		// failure
+	}
+	// Here n == buf.Len()
+```
+You can later deserialize the result as follows:
+
+```Go
+	// Read back from buf
+	bs = bitset.New()
+	n, err = bs.ReadFrom(&buf)
+	if err != nil {
+		// error
+	}
+	// n is the number of bytes read
+```
+
+The `ReadFrom` function attempts to read the data into the existing
+BitSet instance, to minimize memory allocations.
+
+
+*Performance tip*: 
+When reading and writing to a file or a network connection, you may get better performance by 
+wrapping your streams with `bufio` instances.
+
+E.g., 
+```Go
+	f, err := os.Create("myfile")
+	w := bufio.NewWriter(f)
+```
+```Go
+	f, err := os.Open("myfile")
+	r := bufio.NewReader(f)
+```
+
+## Memory Usage
+
+The memory usage of a bitset using `N` bits is at least `N/8` bytes. The number of bits in a bitset is at least as large as one plus the greatest bit index you have accessed. Thus it is possible to run out of memory while using a bitset. If you have lots of bits, you might prefer compressed bitsets, like the [Roaring bitmaps](http://roaringbitmap.org) and its [Go implementation](https://github.com/RoaringBitmap/roaring).
+
+The `roaring` library allows you to go back and forth between compressed Roaring bitmaps and the conventional bitset instances:
+```Go
+			mybitset := roaringbitmap.ToBitSet()
+			newroaringbitmap := roaring.FromBitSet(mybitset)
+```
+
+
+## Implementation Note
+
+Go 1.9 introduced a native `math/bits` library. We provide backward compatibility to Go 1.7, which might be removed.
+
+It is possible that a later version will match the `math/bits` return signature for counts (which is `int`, rather than our library's `uint64`). If so, the version will be bumped.
+
+## Installation
+
+```bash
+go get github.com/bits-and-blooms/bitset
+```
+
+## Contributing
+
+If you wish to contribute to this project, please branch and issue a pull request against master ("[GitHub Flow](https://guides.github.com/introduction/flow/)")
+
+## Running all tests
+
+Before committing the code, please check if it passes tests, has adequate coverage, etc.
+```bash
+go test
+go test -cover
+```

vendor/github.com/bits-and-blooms/bitset/SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+You can report privately a vulnerability by email at daniel@lemire.me (current maintainer).

vendor/github.com/bits-and-blooms/bitset/azure-pipelines.yml

@@ -0,0 +1,39 @@
+# Go
+# Build your Go project.
+# Add steps that test, save build artifacts, deploy, and more:
+# https://docs.microsoft.com/azure/devops/pipelines/languages/go
+
+trigger:
+- master
+
+pool:
+  vmImage: 'Ubuntu-16.04'
+
+variables:
+  GOBIN:  '$(GOPATH)/bin' # Go binaries path
+  GOROOT: '/usr/local/go1.11' # Go installation path
+  GOPATH: '$(system.defaultWorkingDirectory)/gopath' # Go workspace path
+  modulePath: '$(GOPATH)/src/github.com/$(build.repository.name)' # Path to the module's code
+
+steps:
+- script: |
+    mkdir -p '$(GOBIN)'
+    mkdir -p '$(GOPATH)/pkg'
+    mkdir -p '$(modulePath)'
+    shopt -s extglob
+    shopt -s dotglob
+    mv !(gopath) '$(modulePath)'
+    echo '##vso[task.prependpath]$(GOBIN)'
+    echo '##vso[task.prependpath]$(GOROOT)/bin'
+  displayName: 'Set up the Go workspace'
+
+- script: |
+    go version
+    go get -v -t -d ./...
+    if [ -f Gopkg.toml ]; then
+        curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
+        dep ensure
+    fi
+    go build -v .
+  workingDirectory: '$(modulePath)'
+  displayName: 'Get dependencies, then build'

vendor/github.com/bits-and-blooms/bitset/popcnt.go

@@ -0,0 +1,53 @@
+package bitset
+
+// bit population count, take from
+// https://code.google.com/p/go/issues/detail?id=4988#c11
+// credit: https://code.google.com/u/arnehormann/
+func popcount(x uint64) (n uint64) {
+	x -= (x >> 1) & 0x5555555555555555
+	x = (x>>2)&0x3333333333333333 + x&0x3333333333333333
+	x += x >> 4
+	x &= 0x0f0f0f0f0f0f0f0f
+	x *= 0x0101010101010101
+	return x >> 56
+}
+
+func popcntSliceGo(s []uint64) uint64 {
+	cnt := uint64(0)
+	for _, x := range s {
+		cnt += popcount(x)
+	}
+	return cnt
+}
+
+func popcntMaskSliceGo(s, m []uint64) uint64 {
+	cnt := uint64(0)
+	for i := range s {
+		cnt += popcount(s[i] &^ m[i])
+	}
+	return cnt
+}
+
+func popcntAndSliceGo(s, m []uint64) uint64 {
+	cnt := uint64(0)
+	for i := range s {
+		cnt += popcount(s[i] & m[i])
+	}
+	return cnt
+}
+
+func popcntOrSliceGo(s, m []uint64) uint64 {
+	cnt := uint64(0)
+	for i := range s {
+		cnt += popcount(s[i] | m[i])
+	}
+	return cnt
+}
+
+func popcntXorSliceGo(s, m []uint64) uint64 {
+	cnt := uint64(0)
+	for i := range s {
+		cnt += popcount(s[i] ^ m[i])
+	}
+	return cnt
+}

vendor/github.com/bits-and-blooms/bitset/popcnt_19.go

@@ -0,0 +1,62 @@
+//go:build go1.9
+// +build go1.9
+
+package bitset
+
+import "math/bits"
+
+func popcntSlice(s []uint64) uint64 {
+	var cnt int
+	for _, x := range s {
+		cnt += bits.OnesCount64(x)
+	}
+	return uint64(cnt)
+}
+
+func popcntMaskSlice(s, m []uint64) uint64 {
+	var cnt int
+	// this explicit check eliminates a bounds check in the loop
+	if len(m) < len(s) {
+		panic("mask slice is too short")
+	}
+	for i := range s {
+		cnt += bits.OnesCount64(s[i] &^ m[i])
+	}
+	return uint64(cnt)
+}
+
+func popcntAndSlice(s, m []uint64) uint64 {
+	var cnt int
+	// this explicit check eliminates a bounds check in the loop
+	if len(m) < len(s) {
+		panic("mask slice is too short")
+	}
+	for i := range s {
+		cnt += bits.OnesCount64(s[i] & m[i])
+	}
+	return uint64(cnt)
+}
+
+func popcntOrSlice(s, m []uint64) uint64 {
+	var cnt int
+	// this explicit check eliminates a bounds check in the loop
+	if len(m) < len(s) {
+		panic("mask slice is too short")
+	}
+	for i := range s {
+		cnt += bits.OnesCount64(s[i] | m[i])
+	}
+	return uint64(cnt)
+}
+
+func popcntXorSlice(s, m []uint64) uint64 {
+	var cnt int
+	// this explicit check eliminates a bounds check in the loop
+	if len(m) < len(s) {
+		panic("mask slice is too short")
+	}
+	for i := range s {
+		cnt += bits.OnesCount64(s[i] ^ m[i])
+	}
+	return uint64(cnt)
+}

vendor/github.com/bits-and-blooms/bitset/popcnt_amd64.go

@@ -0,0 +1,68 @@
+//go:build !go1.9 && amd64 && !appengine
+// +build !go1.9,amd64,!appengine
+
+package bitset
+
+// *** the following functions are defined in popcnt_amd64.s
+
+//go:noescape
+
+func hasAsm() bool
+
+// useAsm is a flag used to select the GO or ASM implementation of the popcnt function
+var useAsm = hasAsm()
+
+//go:noescape
+
+func popcntSliceAsm(s []uint64) uint64
+
+//go:noescape
+
+func popcntMaskSliceAsm(s, m []uint64) uint64
+
+//go:noescape
+
+func popcntAndSliceAsm(s, m []uint64) uint64
+
+//go:noescape
+
+func popcntOrSliceAsm(s, m []uint64) uint64
+
+//go:noescape
+
+func popcntXorSliceAsm(s, m []uint64) uint64
+
+func popcntSlice(s []uint64) uint64 {
+	if useAsm {
+		return popcntSliceAsm(s)
+	}
+	return popcntSliceGo(s)
+}
+
+func popcntMaskSlice(s, m []uint64) uint64 {
+	if useAsm {
+		return popcntMaskSliceAsm(s, m)
+	}
+	return popcntMaskSliceGo(s, m)
+}
+
+func popcntAndSlice(s, m []uint64) uint64 {
+	if useAsm {
+		return popcntAndSliceAsm(s, m)
+	}
+	return popcntAndSliceGo(s, m)
+}
+
+func popcntOrSlice(s, m []uint64) uint64 {
+	if useAsm {
+		return popcntOrSliceAsm(s, m)
+	}
+	return popcntOrSliceGo(s, m)
+}
+
+func popcntXorSlice(s, m []uint64) uint64 {
+	if useAsm {
+		return popcntXorSliceAsm(s, m)
+	}
+	return popcntXorSliceGo(s, m)
+}

vendor/github.com/bits-and-blooms/bitset/popcnt_amd64.s

@@ -0,0 +1,104 @@
+// +build !go1.9
+// +build amd64,!appengine
+
+TEXT ·hasAsm(SB),4,$0-1
+MOVQ $1, AX
+CPUID
+SHRQ $23, CX
+ANDQ $1, CX
+MOVB CX, ret+0(FP)
+RET
+
+#define POPCNTQ_DX_DX BYTE $0xf3; BYTE $0x48; BYTE $0x0f; BYTE $0xb8; BYTE $0xd2
+
+TEXT ·popcntSliceAsm(SB),4,$0-32
+XORQ	AX, AX
+MOVQ	s+0(FP), SI
+MOVQ	s_len+8(FP), CX
+TESTQ	CX, CX
+JZ		popcntSliceEnd
+popcntSliceLoop:
+BYTE $0xf3; BYTE $0x48; BYTE $0x0f; BYTE $0xb8; BYTE $0x16 // POPCNTQ (SI), DX
+ADDQ	DX, AX
+ADDQ	$8, SI
+LOOP	popcntSliceLoop
+popcntSliceEnd:
+MOVQ	AX, ret+24(FP)
+RET
+
+TEXT ·popcntMaskSliceAsm(SB),4,$0-56
+XORQ	AX, AX
+MOVQ	s+0(FP), SI
+MOVQ	s_len+8(FP), CX
+TESTQ	CX, CX
+JZ		popcntMaskSliceEnd
+MOVQ	m+24(FP), DI
+popcntMaskSliceLoop:
+MOVQ	(DI), DX
+NOTQ	DX
+ANDQ	(SI), DX
+POPCNTQ_DX_DX
+ADDQ	DX, AX
+ADDQ	$8, SI
+ADDQ	$8, DI
+LOOP	popcntMaskSliceLoop
+popcntMaskSliceEnd:
+MOVQ	AX, ret+48(FP)
+RET
+
+TEXT ·popcntAndSliceAsm(SB),4,$0-56
+XORQ	AX, AX
+MOVQ	s+0(FP), SI
+MOVQ	s_len+8(FP), CX
+TESTQ	CX, CX
+JZ		popcntAndSliceEnd
+MOVQ	m+24(FP), DI
+popcntAndSliceLoop:
+MOVQ	(DI), DX
+ANDQ	(SI), DX
+POPCNTQ_DX_DX
+ADDQ	DX, AX
+ADDQ	$8, SI
+ADDQ	$8, DI
+LOOP	popcntAndSliceLoop
+popcntAndSliceEnd:
+MOVQ	AX, ret+48(FP)
+RET
+
+TEXT ·popcntOrSliceAsm(SB),4,$0-56
+XORQ	AX, AX
+MOVQ	s+0(FP), SI
+MOVQ	s_len+8(FP), CX
+TESTQ	CX, CX
+JZ		popcntOrSliceEnd
+MOVQ	m+24(FP), DI
+popcntOrSliceLoop:
+MOVQ	(DI), DX
+ORQ		(SI), DX
+POPCNTQ_DX_DX
+ADDQ	DX, AX
+ADDQ	$8, SI
+ADDQ	$8, DI
+LOOP	popcntOrSliceLoop
+popcntOrSliceEnd:
+MOVQ	AX, ret+48(FP)
+RET
+
+TEXT ·popcntXorSliceAsm(SB),4,$0-56
+XORQ	AX, AX
+MOVQ	s+0(FP), SI
+MOVQ	s_len+8(FP), CX
+TESTQ	CX, CX
+JZ		popcntXorSliceEnd
+MOVQ	m+24(FP), DI
+popcntXorSliceLoop:
+MOVQ	(DI), DX
+XORQ	(SI), DX
+POPCNTQ_DX_DX
+ADDQ	DX, AX
+ADDQ	$8, SI
+ADDQ	$8, DI
+LOOP	popcntXorSliceLoop
+popcntXorSliceEnd:
+MOVQ	AX, ret+48(FP)
+RET

vendor/github.com/bits-and-blooms/bitset/popcnt_generic.go

@@ -0,0 +1,25 @@
+//go:build !go1.9 && (!amd64 || appengine)
+// +build !go1.9
+// +build !amd64 appengine
+
+package bitset
+
+func popcntSlice(s []uint64) uint64 {
+	return popcntSliceGo(s)
+}
+
+func popcntMaskSlice(s, m []uint64) uint64 {
+	return popcntMaskSliceGo(s, m)
+}
+
+func popcntAndSlice(s, m []uint64) uint64 {
+	return popcntAndSliceGo(s, m)
+}
+
+func popcntOrSlice(s, m []uint64) uint64 {
+	return popcntOrSliceGo(s, m)
+}
+
+func popcntXorSlice(s, m []uint64) uint64 {
+	return popcntXorSliceGo(s, m)
+}

vendor/github.com/bits-and-blooms/bitset/select.go

@@ -0,0 +1,45 @@
+package bitset
+
+func select64(w uint64, j uint) uint {
+	seen := 0
+	// Divide 64bit
+	part := w & 0xFFFFFFFF
+	n := uint(popcount(part))
+	if n <= j {
+		part = w >> 32
+		seen += 32
+		j -= n
+	}
+	ww := part
+
+	// Divide 32bit
+	part = ww & 0xFFFF
+
+	n = uint(popcount(part))
+	if n <= j {
+		part = ww >> 16
+		seen += 16
+		j -= n
+	}
+	ww = part
+
+	// Divide 16bit
+	part = ww & 0xFF
+	n = uint(popcount(part))
+	if n <= j {
+		part = ww >> 8
+		seen += 8
+		j -= n
+	}
+	ww = part
+
+	// Lookup in final byte
+	counter := 0
+	for ; counter < 8; counter++ {
+		j -= uint((ww >> counter) & 1)
+		if j+1 == 0 {
+			break
+		}
+	}
+	return uint(seen + counter)
+}

vendor/github.com/bits-and-blooms/bitset/trailing_zeros_18.go

@@ -0,0 +1,15 @@
+//go:build !go1.9
+// +build !go1.9
+
+package bitset
+
+var deBruijn = [...]byte{
+	0, 1, 56, 2, 57, 49, 28, 3, 61, 58, 42, 50, 38, 29, 17, 4,
+	62, 47, 59, 36, 45, 43, 51, 22, 53, 39, 33, 30, 24, 18, 12, 5,
+	63, 55, 48, 27, 60, 41, 37, 16, 46, 35, 44, 21, 52, 32, 23, 11,
+	54, 26, 40, 15, 34, 20, 31, 10, 25, 14, 19, 9, 13, 8, 7, 6,
+}
+
+func trailingZeroes64(v uint64) uint {
+	return uint(deBruijn[((v&-v)*0x03f79d71b4ca8b09)>>58])
+}

vendor/github.com/bits-and-blooms/bitset/trailing_zeros_19.go

@@ -0,0 +1,10 @@
+//go:build go1.9
+// +build go1.9
+
+package bitset
+
+import "math/bits"
+
+func trailingZeroes64(v uint64) uint {
+	return uint(bits.TrailingZeros64(v))
+}

vendor/github.com/coreos/go-iptables/LICENSE

@@ -0,0 +1,191 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and
+distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct or
+indirect, to cause the direction or management of such entity, whether by
+contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising
+permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and configuration
+files.
+
+"Object" form shall mean any form resulting from mechanical transformation or
+translation of a Source form, including but not limited to compiled object code,
+generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form, made
+available under the License, as indicated by a copyright notice that is included
+in or attached to the work (an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form, that
+is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative Works
+shall not include works that remain separable from, or merely link (or bind by
+name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version
+of the Work and any modifications or additions to that Work or Derivative Works
+thereof, that is intentionally submitted to Licensor for inclusion in the Work
+by the copyright owner or by an individual or Legal Entity authorized to submit
+on behalf of the copyright owner. For the purposes of this definition,
+"submitted" means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems, and
+issue tracking systems that are managed by, or on behalf of, the Licensor for
+the purpose of discussing and improving the Work, but excluding communication
+that is conspicuously marked or otherwise designated in writing by the copyright
+owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently
+incorporated within the Work.
+
+2. Grant of Copyright License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the Work and such
+Derivative Works in Source or Object form.
+
+3. Grant of Patent License.
+
+Subject to the terms and conditions of this License, each Contributor hereby
+grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+irrevocable (except as stated in this section) patent license to make, have
+made, use, offer to sell, sell, import, and otherwise transfer the Work, where
+such license applies only to those patent claims licensable by such Contributor
+that are necessarily infringed by their Contribution(s) alone or by combination
+of their Contribution(s) with the Work to which such Contribution(s) was
+submitted. If You institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work or a
+Contribution incorporated within the Work constitutes direct or contributory
+patent infringement, then any patent licenses granted to You under this License
+for that Work shall terminate as of the date such litigation is filed.
+
+4. Redistribution.
+
+You may reproduce and distribute copies of the Work or Derivative Works thereof
+in any medium, with or without modifications, and in Source or Object form,
+provided that You meet the following conditions:
+
+You must give any other recipients of the Work or Derivative Works a copy of
+this License; and
+You must cause any modified files to carry prominent notices stating that You
+changed the files; and
+You must retain, in the Source form of any Derivative Works that You distribute,
+all copyright, patent, trademark, and attribution notices from the Source form
+of the Work, excluding those notices that do not pertain to any part of the
+Derivative Works; and
+If the Work includes a "NOTICE" text file as part of its distribution, then any
+Derivative Works that You distribute must include a readable copy of the
+attribution notices contained within such NOTICE file, excluding those notices
+that do not pertain to any part of the Derivative Works, in at least one of the
+following places: within a NOTICE text file distributed as part of the
+Derivative Works; within the Source form or documentation, if provided along
+with the Derivative Works; or, within a display generated by the Derivative
+Works, if and wherever such third-party notices normally appear. The contents of
+the NOTICE file are for informational purposes only and do not modify the
+License. You may add Your own attribution notices within Derivative Works that
+You distribute, alongside or as an addendum to the NOTICE text from the Work,
+provided that such additional attribution notices cannot be construed as
+modifying the License.
+You may add Your own copyright statement to Your modifications and may provide
+additional or different license terms and conditions for use, reproduction, or
+distribution of Your modifications, or for any such Derivative Works as a whole,
+provided Your use, reproduction, and distribution of the Work otherwise complies
+with the conditions stated in this License.
+
+5. Submission of Contributions.
+
+Unless You explicitly state otherwise, any Contribution intentionally submitted
+for inclusion in the Work by You to the Licensor shall be under the terms and
+conditions of this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify the terms of
+any separate license agreement you may have executed with Licensor regarding
+such Contributions.
+
+6. Trademarks.
+
+This License does not grant permission to use the trade names, trademarks,
+service marks, or product names of the Licensor, except as required for
+reasonable and customary use in describing the origin of the Work and
+reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty.
+
+Unless required by applicable law or agreed to in writing, Licensor provides the
+Work (and each Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied,
+including, without limitation, any warranties or conditions of TITLE,
+NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are
+solely responsible for determining the appropriateness of using or
+redistributing the Work and assume any risks associated with Your exercise of
+permissions under this License.
+
+8. Limitation of Liability.
+
+In no event and under no legal theory, whether in tort (including negligence),
+contract, or otherwise, unless required by applicable law (such as deliberate
+and grossly negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special, incidental,
+or consequential damages of any character arising as a result of this License or
+out of the use or inability to use the Work (including but not limited to
+damages for loss of goodwill, work stoppage, computer failure or malfunction, or
+any and all other commercial damages or losses), even if such Contributor has
+been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability.
+
+While redistributing the Work or Derivative Works thereof, You may choose to
+offer, and charge a fee for, acceptance of support, warranty, indemnity, or
+other liability obligations and/or rights consistent with this License. However,
+in accepting such obligations, You may act only on Your own behalf and on Your
+sole responsibility, not on behalf of any other Contributor, and only if You
+agree to indemnify, defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason of your
+accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work
+
+To apply the Apache License to your work, attach the following boilerplate
+notice, with the fields enclosed by brackets "[]" replaced with your own
+identifying information. (Don't include the brackets!) The text should be
+enclosed in the appropriate comment syntax for the file format. We also
+recommend that a file or class name and description of purpose be included on
+the same "printed page" as the copyright notice for easier identification within
+third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/github.com/coreos/go-iptables/NOTICE

@@ -0,0 +1,5 @@
+CoreOS Project
+Copyright 2018 CoreOS, Inc
+
+This product includes software developed at CoreOS, Inc.
+(http://www.coreos.com/).

vendor/github.com/coreos/go-iptables/iptables/iptables.go

@@ -0,0 +1,745 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package iptables
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net"
+	"os/exec"
+	"regexp"
+	"strconv"
+	"strings"
+	"syscall"
+)
+
+// Adds the output of stderr to exec.ExitError
+type Error struct {
+	exec.ExitError
+	cmd        exec.Cmd
+	msg        string
+	exitStatus *int //for overriding
+}
+
+func (e *Error) ExitStatus() int {
+	if e.exitStatus != nil {
+		return *e.exitStatus
+	}
+	return e.Sys().(syscall.WaitStatus).ExitStatus()
+}
+
+func (e *Error) Error() string {
+	return fmt.Sprintf("running %v: exit status %v: %v", e.cmd.Args, e.ExitStatus(), e.msg)
+}
+
+var isNotExistPatterns = []string{
+	"Bad rule (does a matching rule exist in that chain?).\n",
+	"No chain/target/match by that name.\n",
+	"No such file or directory",
+	"does not exist",
+}
+
+// IsNotExist returns true if the error is due to the chain or rule not existing
+func (e *Error) IsNotExist() bool {
+	for _, str := range isNotExistPatterns {
+		if strings.Contains(e.msg, str) {
+			return true
+		}
+	}
+	return false
+}
+
+// Protocol to differentiate between IPv4 and IPv6
+type Protocol byte
+
+const (
+	ProtocolIPv4 Protocol = iota
+	ProtocolIPv6
+)
+
+type IPTables struct {
+	path              string
+	proto             Protocol
+	hasCheck          bool
+	hasWait           bool
+	waitSupportSecond bool
+	hasRandomFully    bool
+	v1                int
+	v2                int
+	v3                int
+	mode              string // the underlying iptables operating mode, e.g. nf_tables
+	timeout           int    // time to wait for the iptables lock, default waits forever
+}
+
+// Stat represents a structured statistic entry.
+type Stat struct {
+	Packets     uint64     `json:"pkts"`
+	Bytes       uint64     `json:"bytes"`
+	Target      string     `json:"target"`
+	Protocol    string     `json:"prot"`
+	Opt         string     `json:"opt"`
+	Input       string     `json:"in"`
+	Output      string     `json:"out"`
+	Source      *net.IPNet `json:"source"`
+	Destination *net.IPNet `json:"destination"`
+	Options     string     `json:"options"`
+}
+
+type option func(*IPTables)
+
+func IPFamily(proto Protocol) option {
+	return func(ipt *IPTables) {
+		ipt.proto = proto
+	}
+}
+
+func Timeout(timeout int) option {
+	return func(ipt *IPTables) {
+		ipt.timeout = timeout
+	}
+}
+
+func Path(path string) option {
+	return func(ipt *IPTables) {
+		ipt.path = path
+	}
+}
+
+// New creates a new IPTables configured with the options passed as parameters.
+// Supported parameters are:
+//
+//	IPFamily(Protocol)
+//	Timeout(int)
+//	Path(string)
+//
+// For backwards compatibility, by default New uses IPv4 and timeout 0.
+// i.e. you can create an IPv6 IPTables using a timeout of 5 seconds passing
+// the IPFamily and Timeout options as follow:
+//
+//	ip6t := New(IPFamily(ProtocolIPv6), Timeout(5))
+func New(opts ...option) (*IPTables, error) {
+
+	ipt := &IPTables{
+		proto:   ProtocolIPv4,
+		timeout: 0,
+		path:    "",
+	}
+
+	for _, opt := range opts {
+		opt(ipt)
+	}
+
+	// if path wasn't preset through New(Path()), autodiscover it
+	cmd := ""
+	if ipt.path == "" {
+		cmd = getIptablesCommand(ipt.proto)
+	} else {
+		cmd = ipt.path
+	}
+	path, err := exec.LookPath(cmd)
+	if err != nil {
+		return nil, err
+	}
+	ipt.path = path
+
+	vstring, err := getIptablesVersionString(path)
+	if err != nil {
+		return nil, fmt.Errorf("could not get iptables version: %v", err)
+	}
+	v1, v2, v3, mode, err := extractIptablesVersion(vstring)
+	if err != nil {
+		return nil, fmt.Errorf("failed to extract iptables version from [%s]: %v", vstring, err)
+	}
+	ipt.v1 = v1
+	ipt.v2 = v2
+	ipt.v3 = v3
+	ipt.mode = mode
+
+	checkPresent, waitPresent, waitSupportSecond, randomFullyPresent := getIptablesCommandSupport(v1, v2, v3)
+	ipt.hasCheck = checkPresent
+	ipt.hasWait = waitPresent
+	ipt.waitSupportSecond = waitSupportSecond
+	ipt.hasRandomFully = randomFullyPresent
+
+	return ipt, nil
+}
+
+// New creates a new IPTables for the given proto.
+// The proto will determine which command is used, either "iptables" or "ip6tables".
+func NewWithProtocol(proto Protocol) (*IPTables, error) {
+	return New(IPFamily(proto), Timeout(0))
+}
+
+// Proto returns the protocol used by this IPTables.
+func (ipt *IPTables) Proto() Protocol {
+	return ipt.proto
+}
+
+// Exists checks if given rulespec in specified table/chain exists
+func (ipt *IPTables) Exists(table, chain string, rulespec ...string) (bool, error) {
+	if !ipt.hasCheck {
+		return ipt.existsForOldIptables(table, chain, rulespec)
+
+	}
+	cmd := append([]string{"-t", table, "-C", chain}, rulespec...)
+	err := ipt.run(cmd...)
+	eerr, eok := err.(*Error)
+	switch {
+	case err == nil:
+		return true, nil
+	case eok && eerr.ExitStatus() == 1:
+		return false, nil
+	default:
+		return false, err
+	}
+}
+
+// Insert inserts rulespec to specified table/chain (in specified pos)
+func (ipt *IPTables) Insert(table, chain string, pos int, rulespec ...string) error {
+	cmd := append([]string{"-t", table, "-I", chain, strconv.Itoa(pos)}, rulespec...)
+	return ipt.run(cmd...)
+}
+
+// Replace replaces rulespec to specified table/chain (in specified pos)
+func (ipt *IPTables) Replace(table, chain string, pos int, rulespec ...string) error {
+	cmd := append([]string{"-t", table, "-R", chain, strconv.Itoa(pos)}, rulespec...)
+	return ipt.run(cmd...)
+}
+
+// InsertUnique acts like Insert except that it won't insert a duplicate (no matter the position in the chain)
+func (ipt *IPTables) InsertUnique(table, chain string, pos int, rulespec ...string) error {
+	exists, err := ipt.Exists(table, chain, rulespec...)
+	if err != nil {
+		return err
+	}
+
+	if !exists {
+		return ipt.Insert(table, chain, pos, rulespec...)
+	}
+
+	return nil
+}
+
+// Append appends rulespec to specified table/chain
+func (ipt *IPTables) Append(table, chain string, rulespec ...string) error {
+	cmd := append([]string{"-t", table, "-A", chain}, rulespec...)
+	return ipt.run(cmd...)
+}
+
+// AppendUnique acts like Append except that it won't add a duplicate
+func (ipt *IPTables) AppendUnique(table, chain string, rulespec ...string) error {
+	exists, err := ipt.Exists(table, chain, rulespec...)
+	if err != nil {
+		return err
+	}
+
+	if !exists {
+		return ipt.Append(table, chain, rulespec...)
+	}
+
+	return nil
+}
+
+// Delete removes rulespec in specified table/chain
+func (ipt *IPTables) Delete(table, chain string, rulespec ...string) error {
+	cmd := append([]string{"-t", table, "-D", chain}, rulespec...)
+	return ipt.run(cmd...)
+}
+
+func (ipt *IPTables) DeleteIfExists(table, chain string, rulespec ...string) error {
+	exists, err := ipt.Exists(table, chain, rulespec...)
+	if err == nil && exists {
+		err = ipt.Delete(table, chain, rulespec...)
+	}
+	return err
+}
+
+// List rules in specified table/chain
+func (ipt *IPTables) ListById(table, chain string, id int) (string, error) {
+	args := []string{"-t", table, "-S", chain, strconv.Itoa(id)}
+	rule, err := ipt.executeList(args)
+	if err != nil {
+		return "", err
+	}
+	return rule[0], nil
+}
+
+// List rules in specified table/chain
+func (ipt *IPTables) List(table, chain string) ([]string, error) {
+	args := []string{"-t", table, "-S", chain}
+	return ipt.executeList(args)
+}
+
+// List rules (with counters) in specified table/chain
+func (ipt *IPTables) ListWithCounters(table, chain string) ([]string, error) {
+	args := []string{"-t", table, "-v", "-S", chain}
+	return ipt.executeList(args)
+}
+
+// ListChains returns a slice containing the name of each chain in the specified table.
+func (ipt *IPTables) ListChains(table string) ([]string, error) {
+	args := []string{"-t", table, "-S"}
+
+	result, err := ipt.executeList(args)
+	if err != nil {
+		return nil, err
+	}
+
+	// Iterate over rules to find all default (-P) and user-specified (-N) chains.
+	// Chains definition always come before rules.
+	// Format is the following:
+	// -P OUTPUT ACCEPT
+	// -N Custom
+	var chains []string
+	for _, val := range result {
+		if strings.HasPrefix(val, "-P") || strings.HasPrefix(val, "-N") {
+			chains = append(chains, strings.Fields(val)[1])
+		} else {
+			break
+		}
+	}
+	return chains, nil
+}
+
+// '-S' is fine with non existing rule index as long as the chain exists
+// therefore pass index 1 to reduce overhead for large chains
+func (ipt *IPTables) ChainExists(table, chain string) (bool, error) {
+	err := ipt.run("-t", table, "-S", chain, "1")
+	eerr, eok := err.(*Error)
+	switch {
+	case err == nil:
+		return true, nil
+	case eok && eerr.ExitStatus() == 1:
+		return false, nil
+	default:
+		return false, err
+	}
+}
+
+// Stats lists rules including the byte and packet counts
+func (ipt *IPTables) Stats(table, chain string) ([][]string, error) {
+	args := []string{"-t", table, "-L", chain, "-n", "-v", "-x"}
+	lines, err := ipt.executeList(args)
+	if err != nil {
+		return nil, err
+	}
+
+	appendSubnet := func(addr string) string {
+		if strings.IndexByte(addr, byte('/')) < 0 {
+			if strings.IndexByte(addr, '.') < 0 {
+				return addr + "/128"
+			}
+			return addr + "/32"
+		}
+		return addr
+	}
+
+	ipv6 := ipt.proto == ProtocolIPv6
+
+	// Skip the warning if exist
+	if strings.HasPrefix(lines[0], "#") {
+		lines = lines[1:]
+	}
+
+	rows := [][]string{}
+	for i, line := range lines {
+		// Skip over chain name and field header
+		if i < 2 {
+			continue
+		}
+
+		// Fields:
+		// 0=pkts 1=bytes 2=target 3=prot 4=opt 5=in 6=out 7=source 8=destination 9=options
+		line = strings.TrimSpace(line)
+		fields := strings.Fields(line)
+
+		// The ip6tables verbose output cannot be naively split due to the default "opt"
+		// field containing 2 single spaces.
+		if ipv6 {
+			// Check if field 6 is "opt" or "source" address
+			dest := fields[6]
+			ip, _, _ := net.ParseCIDR(dest)
+			if ip == nil {
+				ip = net.ParseIP(dest)
+			}
+
+			// If we detected a CIDR or IP, the "opt" field is empty.. insert it.
+			if ip != nil {
+				f := []string{}
+				f = append(f, fields[:4]...)
+				f = append(f, "  ") // Empty "opt" field for ip6tables
+				f = append(f, fields[4:]...)
+				fields = f
+			}
+		}
+
+		// Adjust "source" and "destination" to include netmask, to match regular
+		// List output
+		fields[7] = appendSubnet(fields[7])
+		fields[8] = appendSubnet(fields[8])
+
+		// Combine "options" fields 9... into a single space-delimited field.
+		options := fields[9:]
+		fields = fields[:9]
+		fields = append(fields, strings.Join(options, " "))
+		rows = append(rows, fields)
+	}
+	return rows, nil
+}
+
+// ParseStat parses a single statistic row into a Stat struct. The input should
+// be a string slice that is returned from calling the Stat method.
+func (ipt *IPTables) ParseStat(stat []string) (parsed Stat, err error) {
+	// For forward-compatibility, expect at least 10 fields in the stat
+	if len(stat) < 10 {
+		return parsed, fmt.Errorf("stat contained fewer fields than expected")
+	}
+
+	// Convert the fields that are not plain strings
+	parsed.Packets, err = strconv.ParseUint(stat[0], 0, 64)
+	if err != nil {
+		return parsed, fmt.Errorf(err.Error(), "could not parse packets")
+	}
+	parsed.Bytes, err = strconv.ParseUint(stat[1], 0, 64)
+	if err != nil {
+		return parsed, fmt.Errorf(err.Error(), "could not parse bytes")
+	}
+	_, parsed.Source, err = net.ParseCIDR(stat[7])
+	if err != nil {
+		return parsed, fmt.Errorf(err.Error(), "could not parse source")
+	}
+	_, parsed.Destination, err = net.ParseCIDR(stat[8])
+	if err != nil {
+		return parsed, fmt.Errorf(err.Error(), "could not parse destination")
+	}
+
+	// Put the fields that are strings
+	parsed.Target = stat[2]
+	parsed.Protocol = stat[3]
+	parsed.Opt = stat[4]
+	parsed.Input = stat[5]
+	parsed.Output = stat[6]
+	parsed.Options = stat[9]
+
+	return parsed, nil
+}
+
+// StructuredStats returns statistics as structured data which may be further
+// parsed and marshaled.
+func (ipt *IPTables) StructuredStats(table, chain string) ([]Stat, error) {
+	rawStats, err := ipt.Stats(table, chain)
+	if err != nil {
+		return nil, err
+	}
+
+	structStats := []Stat{}
+	for _, rawStat := range rawStats {
+		stat, err := ipt.ParseStat(rawStat)
+		if err != nil {
+			return nil, err
+		}
+		structStats = append(structStats, stat)
+	}
+
+	return structStats, nil
+}
+
+func (ipt *IPTables) executeList(args []string) ([]string, error) {
+	var stdout bytes.Buffer
+	if err := ipt.runWithOutput(args, &stdout); err != nil {
+		return nil, err
+	}
+
+	rules := strings.Split(stdout.String(), "\n")
+
+	// strip trailing newline
+	if len(rules) > 0 && rules[len(rules)-1] == "" {
+		rules = rules[:len(rules)-1]
+	}
+
+	for i, rule := range rules {
+		rules[i] = filterRuleOutput(rule)
+	}
+
+	return rules, nil
+}
+
+// NewChain creates a new chain in the specified table.
+// If the chain already exists, it will result in an error.
+func (ipt *IPTables) NewChain(table, chain string) error {
+	return ipt.run("-t", table, "-N", chain)
+}
+
+const existsErr = 1
+
+// ClearChain flushed (deletes all rules) in the specified table/chain.
+// If the chain does not exist, a new one will be created
+func (ipt *IPTables) ClearChain(table, chain string) error {
+	err := ipt.NewChain(table, chain)
+
+	eerr, eok := err.(*Error)
+	switch {
+	case err == nil:
+		return nil
+	case eok && eerr.ExitStatus() == existsErr:
+		// chain already exists. Flush (clear) it.
+		return ipt.run("-t", table, "-F", chain)
+	default:
+		return err
+	}
+}
+
+// RenameChain renames the old chain to the new one.
+func (ipt *IPTables) RenameChain(table, oldChain, newChain string) error {
+	return ipt.run("-t", table, "-E", oldChain, newChain)
+}
+
+// DeleteChain deletes the chain in the specified table.
+// The chain must be empty
+func (ipt *IPTables) DeleteChain(table, chain string) error {
+	return ipt.run("-t", table, "-X", chain)
+}
+
+func (ipt *IPTables) ClearAndDeleteChain(table, chain string) error {
+	exists, err := ipt.ChainExists(table, chain)
+	if err != nil || !exists {
+		return err
+	}
+	err = ipt.run("-t", table, "-F", chain)
+	if err == nil {
+		err = ipt.run("-t", table, "-X", chain)
+	}
+	return err
+}
+
+func (ipt *IPTables) ClearAll() error {
+	return ipt.run("-F")
+}
+
+func (ipt *IPTables) DeleteAll() error {
+	return ipt.run("-X")
+}
+
+// ChangePolicy changes policy on chain to target
+func (ipt *IPTables) ChangePolicy(table, chain, target string) error {
+	return ipt.run("-t", table, "-P", chain, target)
+}
+
+// Check if the underlying iptables command supports the --random-fully flag
+func (ipt *IPTables) HasRandomFully() bool {
+	return ipt.hasRandomFully
+}
+
+// Return version components of the underlying iptables command
+func (ipt *IPTables) GetIptablesVersion() (int, int, int) {
+	return ipt.v1, ipt.v2, ipt.v3
+}
+
+// run runs an iptables command with the given arguments, ignoring
+// any stdout output
+func (ipt *IPTables) run(args ...string) error {
+	return ipt.runWithOutput(args, nil)
+}
+
+// runWithOutput runs an iptables command with the given arguments,
+// writing any stdout output to the given writer
+func (ipt *IPTables) runWithOutput(args []string, stdout io.Writer) error {
+	args = append([]string{ipt.path}, args...)
+	if ipt.hasWait {
+		args = append(args, "--wait")
+		if ipt.timeout != 0 && ipt.waitSupportSecond {
+			args = append(args, strconv.Itoa(ipt.timeout))
+		}
+	} else {
+		fmu, err := newXtablesFileLock()
+		if err != nil {
+			return err
+		}
+		ul, err := fmu.tryLock()
+		if err != nil {
+			syscall.Close(fmu.fd)
+			return err
+		}
+		defer func() {
+			_ = ul.Unlock()
+		}()
+	}
+
+	var stderr bytes.Buffer
+	cmd := exec.Cmd{
+		Path:   ipt.path,
+		Args:   args,
+		Stdout: stdout,
+		Stderr: &stderr,
+	}
+
+	if err := cmd.Run(); err != nil {
+		switch e := err.(type) {
+		case *exec.ExitError:
+			return &Error{*e, cmd, stderr.String(), nil}
+		default:
+			return err
+		}
+	}
+
+	return nil
+}
+
+// getIptablesCommand returns the correct command for the given protocol, either "iptables" or "ip6tables".
+func getIptablesCommand(proto Protocol) string {
+	if proto == ProtocolIPv6 {
+		return "ip6tables"
+	} else {
+		return "iptables"
+	}
+}
+
+// Checks if iptables has the "-C" and "--wait" flag
+func getIptablesCommandSupport(v1 int, v2 int, v3 int) (bool, bool, bool, bool) {
+	return iptablesHasCheckCommand(v1, v2, v3), iptablesHasWaitCommand(v1, v2, v3), iptablesWaitSupportSecond(v1, v2, v3), iptablesHasRandomFully(v1, v2, v3)
+}
+
+// getIptablesVersion returns the first three components of the iptables version
+// and the operating mode (e.g. nf_tables or legacy)
+// e.g. "iptables v1.3.66" would return (1, 3, 66, legacy, nil)
+func extractIptablesVersion(str string) (int, int, int, string, error) {
+	versionMatcher := regexp.MustCompile(`v([0-9]+)\.([0-9]+)\.([0-9]+)(?:\s+\((\w+))?`)
+	result := versionMatcher.FindStringSubmatch(str)
+	if result == nil {
+		return 0, 0, 0, "", fmt.Errorf("no iptables version found in string: %s", str)
+	}
+
+	v1, err := strconv.Atoi(result[1])
+	if err != nil {
+		return 0, 0, 0, "", err
+	}
+
+	v2, err := strconv.Atoi(result[2])
+	if err != nil {
+		return 0, 0, 0, "", err
+	}
+
+	v3, err := strconv.Atoi(result[3])
+	if err != nil {
+		return 0, 0, 0, "", err
+	}
+
+	mode := "legacy"
+	if result[4] != "" {
+		mode = result[4]
+	}
+	return v1, v2, v3, mode, nil
+}
+
+// Runs "iptables --version" to get the version string
+func getIptablesVersionString(path string) (string, error) {
+	cmd := exec.Command(path, "--version")
+	var out bytes.Buffer
+	cmd.Stdout = &out
+	err := cmd.Run()
+	if err != nil {
+		return "", err
+	}
+	return out.String(), nil
+}
+
+// Checks if an iptables version is after 1.4.11, when --check was added
+func iptablesHasCheckCommand(v1 int, v2 int, v3 int) bool {
+	if v1 > 1 {
+		return true
+	}
+	if v1 == 1 && v2 > 4 {
+		return true
+	}
+	if v1 == 1 && v2 == 4 && v3 >= 11 {
+		return true
+	}
+	return false
+}
+
+// Checks if an iptables version is after 1.4.20, when --wait was added
+func iptablesHasWaitCommand(v1 int, v2 int, v3 int) bool {
+	if v1 > 1 {
+		return true
+	}
+	if v1 == 1 && v2 > 4 {
+		return true
+	}
+	if v1 == 1 && v2 == 4 && v3 >= 20 {
+		return true
+	}
+	return false
+}
+
+// Checks if an iptablse version is after 1.6.0, when --wait support second
+func iptablesWaitSupportSecond(v1 int, v2 int, v3 int) bool {
+	if v1 > 1 {
+		return true
+	}
+	if v1 == 1 && v2 >= 6 {
+		return true
+	}
+	return false
+}
+
+// Checks if an iptables version is after 1.6.2, when --random-fully was added
+func iptablesHasRandomFully(v1 int, v2 int, v3 int) bool {
+	if v1 > 1 {
+		return true
+	}
+	if v1 == 1 && v2 > 6 {
+		return true
+	}
+	if v1 == 1 && v2 == 6 && v3 >= 2 {
+		return true
+	}
+	return false
+}
+
+// Checks if a rule specification exists for a table
+func (ipt *IPTables) existsForOldIptables(table, chain string, rulespec []string) (bool, error) {
+	rs := strings.Join(append([]string{"-A", chain}, rulespec...), " ")
+	args := []string{"-t", table, "-S"}
+	var stdout bytes.Buffer
+	err := ipt.runWithOutput(args, &stdout)
+	if err != nil {
+		return false, err
+	}
+	return strings.Contains(stdout.String(), rs), nil
+}
+
+// counterRegex is the regex used to detect nftables counter format
+var counterRegex = regexp.MustCompile(`^\[([0-9]+):([0-9]+)\] `)
+
+// filterRuleOutput works around some inconsistencies in output.
+// For example, when iptables is in legacy vs. nftables mode, it produces
+// different results.
+func filterRuleOutput(rule string) string {
+	out := rule
+
+	// work around an output difference in nftables mode where counters
+	// are output in iptables-save format, rather than iptables -S format
+	// The string begins with "[0:0]"
+	//
+	// Fixes #49
+	if groups := counterRegex.FindStringSubmatch(out); groups != nil {
+		// drop the brackets
+		out = out[len(groups[0]):]
+		out = fmt.Sprintf("%s -c %s %s", out, groups[1], groups[2])
+	}
+
+	return out
+}

vendor/github.com/coreos/go-iptables/iptables/lock.go

@@ -0,0 +1,84 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package iptables
+
+import (
+	"os"
+	"sync"
+	"syscall"
+)
+
+const (
+	// In earlier versions of iptables, the xtables lock was implemented
+	// via a Unix socket, but now flock is used via this lockfile:
+	// http://git.netfilter.org/iptables/commit/?id=aa562a660d1555b13cffbac1e744033e91f82707
+	// Note the LSB-conforming "/run" directory does not exist on old
+	// distributions, so assume "/var" is symlinked
+	xtablesLockFilePath = "/var/run/xtables.lock"
+
+	defaultFilePerm = 0600
+)
+
+type Unlocker interface {
+	Unlock() error
+}
+
+type nopUnlocker struct{}
+
+func (_ nopUnlocker) Unlock() error { return nil }
+
+type fileLock struct {
+	// mu is used to protect against concurrent invocations from within this process
+	mu sync.Mutex
+	fd int
+}
+
+// tryLock takes an exclusive lock on the xtables lock file without blocking.
+// This is best-effort only: if the exclusive lock would block (i.e. because
+// another process already holds it), no error is returned. Otherwise, any
+// error encountered during the locking operation is returned.
+// The returned Unlocker should be used to release the lock when the caller is
+// done invoking iptables commands.
+func (l *fileLock) tryLock() (Unlocker, error) {
+	l.mu.Lock()
+	err := syscall.Flock(l.fd, syscall.LOCK_EX|syscall.LOCK_NB)
+	switch err {
+	case syscall.EWOULDBLOCK:
+		l.mu.Unlock()
+		return nopUnlocker{}, nil
+	case nil:
+		return l, nil
+	default:
+		l.mu.Unlock()
+		return nil, err
+	}
+}
+
+// Unlock closes the underlying file, which implicitly unlocks it as well. It
+// also unlocks the associated mutex.
+func (l *fileLock) Unlock() error {
+	defer l.mu.Unlock()
+	return syscall.Close(l.fd)
+}
+
+// newXtablesFileLock opens a new lock on the xtables lockfile without
+// acquiring the lock
+func newXtablesFileLock() (*fileLock, error) {
+	fd, err := syscall.Open(xtablesLockFilePath, os.O_CREATE, defaultFilePerm)
+	if err != nil {
+		return nil, err
+	}
+	return &fileLock{fd: fd}, nil
+}

vendor/github.com/dblohm7/wingoes/.gitignore

@@ -0,0 +1,19 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Vim
+.*.swo
+.*.swp
+
+# Dependency directories (remove the comment below to include it)
+# vendor/

vendor/github.com/dblohm7/wingoes/LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2022, Tailscale Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/dblohm7/wingoes/README.md

@@ -0,0 +1,2 @@
+# wingoes, an opinionated library for writing Win32 programs in Go
+

vendor/github.com/dblohm7/wingoes/error.go

@@ -0,0 +1,329 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows
+
+package wingoes
+
+import (
+	"fmt"
+
+	"golang.org/x/sys/windows"
+)
+
+// Error represents various error codes that may be encountered when coding
+// against Windows APIs, including HRESULTs, windows.NTStatus, and windows.Errno.
+type Error HRESULT
+
+// Errors are HRESULTs under the hood because the HRESULT encoding allows for
+// all the other common types of Windows errors to be encoded within them.
+
+const (
+	hrS_OK                 = HRESULT(0)
+	hrE_ABORT              = HRESULT(-((0x80004004 ^ 0xFFFFFFFF) + 1))
+	hrE_FAIL               = HRESULT(-((0x80004005 ^ 0xFFFFFFFF) + 1))
+	hrE_NOINTERFACE        = HRESULT(-((0x80004002 ^ 0xFFFFFFFF) + 1))
+	hrE_NOTIMPL            = HRESULT(-((0x80004001 ^ 0xFFFFFFFF) + 1))
+	hrE_POINTER            = HRESULT(-((0x80004003 ^ 0xFFFFFFFF) + 1))
+	hrE_UNEXPECTED         = HRESULT(-((0x8000FFFF ^ 0xFFFFFFFF) + 1))
+	hrTYPE_E_WRONGTYPEKIND = HRESULT(-((0x8002802A ^ 0xFFFFFFFF) + 1))
+)
+
+// S_FALSE is a peculiar HRESULT value which means that the call executed
+// successfully, but returned false as its result.
+const S_FALSE = HRESULT(1)
+
+var (
+	// genericError encodes an Error whose message string is very generic.
+	genericError = Error(hresultFromFacilityAndCode(hrFail, facilityWin32, hrCode(windows.ERROR_UNIDENTIFIED_ERROR)))
+)
+
+// Common HRESULT codes that don't use Win32 facilities, but have meanings that
+// we can manually translate to Win32 error codes.
+var commonHRESULTToErrno = map[HRESULT]windows.Errno{
+	hrE_ABORT:       windows.ERROR_REQUEST_ABORTED,
+	hrE_FAIL:        windows.ERROR_UNIDENTIFIED_ERROR,
+	hrE_NOINTERFACE: windows.ERROR_NOINTERFACE,
+	hrE_NOTIMPL:     windows.ERROR_CALL_NOT_IMPLEMENTED,
+	hrE_UNEXPECTED:  windows.ERROR_INTERNAL_ERROR,
+}
+
+type hrCode uint16
+type hrFacility uint16
+type failBit bool
+
+const (
+	hrFlagBitsMask  = 0xF8000000
+	hrFacilityMax   = 0x00001FFF
+	hrFacilityMask  = hrFacilityMax << 16
+	hrCodeMax       = 0x0000FFFF
+	hrCodeMask      = hrCodeMax
+	hrFailBit       = 0x80000000
+	hrCustomerBit   = 0x20000000 // Also defined as syscall.APPLICATION_ERROR
+	hrFacilityNTBit = 0x10000000
+)
+
+const (
+	facilityWin32 = hrFacility(7)
+)
+
+// Succeeded returns true when hr is successful, but its actual error code
+// may include additional status information.
+func (hr HRESULT) Succeeded() bool {
+	return hr >= 0
+}
+
+// Failed returns true when hr contains a failure code.
+func (hr HRESULT) Failed() bool {
+	return hr < 0
+}
+
+func (hr HRESULT) String() string {
+	return fmt.Sprintf("0x%08X", uint32(hr))
+}
+
+func (hr HRESULT) isNT() bool {
+	return (hr & (hrCustomerBit | hrFacilityNTBit)) == hrFacilityNTBit
+}
+
+func (hr HRESULT) isCustomer() bool {
+	return (hr & hrCustomerBit) != 0
+}
+
+// isNormal returns true when the customer and NT bits are cleared, ie hr's
+// encoding contains valid facility and code fields.
+func (hr HRESULT) isNormal() bool {
+	return (hr & (hrCustomerBit | hrFacilityNTBit)) == 0
+}
+
+// facility returns the facility bits of hr. Only valid when isNormal is true.
+func (hr HRESULT) facility() hrFacility {
+	return hrFacility((uint32(hr) >> 16) & hrFacilityMax)
+}
+
+// facility returns the code bits of hr. Only valid when isNormal is true.
+func (hr HRESULT) code() hrCode {
+	return hrCode(uint32(hr) & hrCodeMask)
+}
+
+const (
+	hrFail    = failBit(true)
+	hrSuccess = failBit(false)
+)
+
+func hresultFromFacilityAndCode(isFail failBit, f hrFacility, c hrCode) HRESULT {
+	var r uint32
+	if isFail {
+		r |= hrFailBit
+	}
+	r |= (uint32(f) << 16) & hrFacilityMask
+	r |= uint32(c) & hrCodeMask
+	return HRESULT(r)
+}
+
+// ErrorFromErrno creates an Error from e.
+func ErrorFromErrno(e windows.Errno) Error {
+	if e == windows.ERROR_SUCCESS {
+		return Error(hrS_OK)
+	}
+	if ue := uint32(e); (ue & hrFlagBitsMask) == hrCustomerBit {
+		// syscall.APPLICATION_ERROR == hrCustomerBit, so the only other thing
+		// we need to do to transform this into an HRESULT is add the fail flag
+		return Error(HRESULT(ue | hrFailBit))
+	}
+	if uint32(e) > hrCodeMax {
+		// Can't be encoded in HRESULT, return generic error instead
+		return genericError
+	}
+	return Error(hresultFromFacilityAndCode(hrFail, facilityWin32, hrCode(e)))
+}
+
+// ErrorFromNTStatus creates an Error from s.
+func ErrorFromNTStatus(s windows.NTStatus) Error {
+	if s == windows.STATUS_SUCCESS {
+		return Error(hrS_OK)
+	}
+	return Error(HRESULT(s) | hrFacilityNTBit)
+}
+
+// ErrorFromHRESULT creates an Error from hr.
+func ErrorFromHRESULT(hr HRESULT) Error {
+	return Error(hr)
+}
+
+// NewError converts e into an Error if e's type is supported. It returns
+// both the Error and a bool indicating whether the conversion was successful.
+func NewError(e any) (Error, bool) {
+	switch v := e.(type) {
+	case Error:
+		return v, true
+	case windows.NTStatus:
+		return ErrorFromNTStatus(v), true
+	case windows.Errno:
+		return ErrorFromErrno(v), true
+	case HRESULT:
+		return ErrorFromHRESULT(v), true
+	default:
+		return ErrorFromHRESULT(hrTYPE_E_WRONGTYPEKIND), false
+	}
+}
+
+// IsOK returns true when the Error is unconditionally successful.
+func (e Error) IsOK() bool {
+	return HRESULT(e) == hrS_OK
+}
+
+// Succeeded returns true when the Error is successful, but its error code
+// may include additional status information.
+func (e Error) Succeeded() bool {
+	return HRESULT(e).Succeeded()
+}
+
+// Failed returns true when the Error contains a failure code.
+func (e Error) Failed() bool {
+	return HRESULT(e).Failed()
+}
+
+// AsHRESULT converts the Error to a HRESULT.
+func (e Error) AsHRESULT() HRESULT {
+	return HRESULT(e)
+}
+
+type errnoFailHandler func(hr HRESULT) windows.Errno
+
+func (e Error) toErrno(f errnoFailHandler) windows.Errno {
+	hr := HRESULT(e)
+
+	if hr == hrS_OK {
+		return windows.ERROR_SUCCESS
+	}
+
+	if hr.isCustomer() {
+		return windows.Errno(uint32(e) ^ hrFailBit)
+	}
+
+	if hr.isNT() {
+		return e.AsNTStatus().Errno()
+	}
+
+	if hr.facility() == facilityWin32 {
+		return windows.Errno(hr.code())
+	}
+
+	if errno, ok := commonHRESULTToErrno[hr]; ok {
+		return errno
+	}
+
+	return f(hr)
+}
+
+// AsError converts the Error to a windows.Errno, but panics if not possible.
+func (e Error) AsErrno() windows.Errno {
+	handler := func(hr HRESULT) windows.Errno {
+		panic(fmt.Sprintf("wingoes.Error: Called AsErrno on a non-convertable HRESULT 0x%08X", uint32(hr)))
+		return windows.ERROR_UNIDENTIFIED_ERROR
+	}
+
+	return e.toErrno(handler)
+}
+
+type ntStatusFailHandler func(hr HRESULT) windows.NTStatus
+
+func (e Error) toNTStatus(f ntStatusFailHandler) windows.NTStatus {
+	hr := HRESULT(e)
+
+	if hr == hrS_OK {
+		return windows.STATUS_SUCCESS
+	}
+
+	if hr.isNT() {
+		return windows.NTStatus(hr ^ hrFacilityNTBit)
+	}
+
+	return f(hr)
+}
+
+// AsNTStatus converts the Error to a windows.NTStatus, but panics if not possible.
+func (e Error) AsNTStatus() windows.NTStatus {
+	handler := func(hr HRESULT) windows.NTStatus {
+		panic(fmt.Sprintf("windows.Error: Called AsNTStatus on a non-NTSTATUS HRESULT 0x%08X", uint32(hr)))
+		return windows.STATUS_UNSUCCESSFUL
+	}
+
+	return e.toNTStatus(handler)
+}
+
+// TryAsErrno converts the Error to a windows.Errno, or returns defval if
+// such a conversion is not possible.
+func (e Error) TryAsErrno(defval windows.Errno) windows.Errno {
+	handler := func(hr HRESULT) windows.Errno {
+		return defval
+	}
+
+	return e.toErrno(handler)
+}
+
+// TryAsNTStatus converts the Error to a windows.NTStatus, or returns defval if
+// such a conversion is not possible.
+func (e Error) TryAsNTStatus(defval windows.NTStatus) windows.NTStatus {
+	handler := func(hr HRESULT) windows.NTStatus {
+		return defval
+	}
+
+	return e.toNTStatus(handler)
+}
+
+// IsAvailableAsHRESULT returns true if e may be converted to an HRESULT.
+func (e Error) IsAvailableAsHRESULT() bool {
+	return true
+}
+
+// IsAvailableAsErrno returns true if e may be converted to a windows.Errno.
+func (e Error) IsAvailableAsErrno() bool {
+	hr := HRESULT(e)
+	if hr.isCustomer() || e.IsAvailableAsNTStatus() || (hr.facility() == facilityWin32) {
+		return true
+	}
+	_, convertable := commonHRESULTToErrno[hr]
+	return convertable
+}
+
+// IsAvailableAsNTStatus returns true if e may be converted to a windows.NTStatus.
+func (e Error) IsAvailableAsNTStatus() bool {
+	return HRESULT(e) == hrS_OK || HRESULT(e).isNT()
+}
+
+// Error produces a human-readable message describing Error e.
+func (e Error) Error() string {
+	if HRESULT(e).isCustomer() {
+		return windows.Errno(uint32(e) ^ hrFailBit).Error()
+	}
+
+	buf := make([]uint16, 300)
+	const flags = windows.FORMAT_MESSAGE_FROM_SYSTEM | windows.FORMAT_MESSAGE_IGNORE_INSERTS
+	lenExclNul, err := windows.FormatMessage(flags, 0, uint32(e), 0, buf, nil)
+	if err != nil {
+		return fmt.Sprintf("wingoes.Error 0x%08X", uint32(e))
+	}
+	for ; lenExclNul > 0 && (buf[lenExclNul-1] == '\n' || buf[lenExclNul-1] == '\r'); lenExclNul-- {
+	}
+	return windows.UTF16ToString(buf[:lenExclNul])
+}
+
+// Unwrap permits extraction of underlying windows.NTStatus or windows.Errno
+// errors that are encoded within e.
+func (e Error) Unwrap() error {
+	// Order is important! We need earlier checks to exclude certain things that
+	// would otherwise be (in this case) false positives in later checks!
+	switch {
+	case e.IsOK():
+		return nil
+	case e.IsAvailableAsNTStatus():
+		return e.AsNTStatus()
+	case e.IsAvailableAsErrno():
+		return e.AsErrno()
+	default:
+		return nil
+	}
+}

vendor/github.com/dblohm7/wingoes/guid.go

@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package wingoes
+
+import (
+	"fmt"
+)
+
+func guidToString(guid GUID) string {
+	return fmt.Sprintf("{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}",
+		guid.Data1, guid.Data2, guid.Data3,
+		guid.Data4[0], guid.Data4[1],
+		guid.Data4[2], guid.Data4[3], guid.Data4[4], guid.Data4[5], guid.Data4[6], guid.Data4[7])
+}

vendor/github.com/dblohm7/wingoes/guid_notwindows.go

@@ -0,0 +1,17 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !windows
+
+package wingoes
+
+type GUID struct {
+	Data1 uint32
+	Data2 uint16
+	Data3 uint16
+	Data4 [8]byte
+}
+
+func (guid GUID) String() string {
+	return guidToString(guid)
+}

vendor/github.com/dblohm7/wingoes/guid_windows.go

@@ -0,0 +1,24 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wingoes
+
+import (
+	"fmt"
+
+	"golang.org/x/sys/windows"
+)
+
+type GUID = windows.GUID
+
+// MustGetGUID parses s, a string containing a GUID and returns a pointer to the
+// parsed GUID. s must be specified in the format "{XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}".
+// If there is an error parsing s, MustGetGUID panics.
+func MustGetGUID(s string) *windows.GUID {
+	guid, err := windows.GUIDFromString(s)
+	if err != nil {
+		panic(fmt.Sprintf("wingoes.MustGetGUID(%q) error %v", s, err))
+	}
+	return &guid
+}

vendor/github.com/dblohm7/wingoes/hresult.go

@@ -0,0 +1,12 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Note this file is explicitly available on non-Windows platforms, in order to
+// aid `go generate` tooling on those platforms. It should not take a dependency
+// on x/sys/windows.
+
+package wingoes
+
+// HRESULT is equivalent to the HRESULT type in the Win32 SDK for C/C++.
+type HRESULT int32

vendor/github.com/dblohm7/wingoes/osversion.go

@@ -0,0 +1,199 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows
+
+package wingoes
+
+import (
+	"fmt"
+	"sync"
+
+	"golang.org/x/sys/windows"
+	"golang.org/x/sys/windows/registry"
+)
+
+var (
+	verOnce sync.Once
+	verInfo osVersionInfo // must access via getVersionInfo()
+)
+
+// osVersionInfo is more compact than windows.OsVersionInfoEx, which contains
+// extraneous information.
+type osVersionInfo struct {
+	major       uint32
+	minor       uint32
+	build       uint32
+	servicePack uint16
+	str         string
+	isDC        bool
+	isServer    bool
+}
+
+const (
+	_VER_NT_WORKSTATION       = 1
+	_VER_NT_DOMAIN_CONTROLLER = 2
+	_VER_NT_SERVER            = 3
+)
+
+func getVersionInfo() *osVersionInfo {
+	verOnce.Do(func() {
+		osv := windows.RtlGetVersion()
+		verInfo = osVersionInfo{
+			major:       osv.MajorVersion,
+			minor:       osv.MinorVersion,
+			build:       osv.BuildNumber,
+			servicePack: osv.ServicePackMajor,
+			str:         fmt.Sprintf("%d.%d.%d", osv.MajorVersion, osv.MinorVersion, osv.BuildNumber),
+			isDC:        osv.ProductType == _VER_NT_DOMAIN_CONTROLLER,
+			// Domain Controllers are also implicitly servers.
+			isServer: osv.ProductType == _VER_NT_DOMAIN_CONTROLLER || osv.ProductType == _VER_NT_SERVER,
+		}
+		// UBR is only available on Windows 10 and 11 (MajorVersion == 10).
+		if osv.MajorVersion == 10 {
+			if ubr, err := getUBR(); err == nil {
+				verInfo.str = fmt.Sprintf("%s.%d", verInfo.str, ubr)
+			}
+		}
+	})
+	return &verInfo
+}
+
+// getUBR returns the "update build revision," ie. the fourth component of the
+// version string found on Windows 10 and Windows 11 systems.
+func getUBR() (uint32, error) {
+	key, err := registry.OpenKey(registry.LOCAL_MACHINE,
+		`SOFTWARE\Microsoft\Windows NT\CurrentVersion`, registry.QUERY_VALUE|registry.WOW64_64KEY)
+	if err != nil {
+		return 0, err
+	}
+	defer key.Close()
+
+	val, valType, err := key.GetIntegerValue("UBR")
+	if err != nil {
+		return 0, err
+	}
+	if valType != registry.DWORD {
+		return 0, registry.ErrUnexpectedType
+	}
+
+	return uint32(val), nil
+}
+
+// GetOSVersionString returns the Windows version of the current machine in
+// dotted-decimal form. The version string contains 3 components on Windows 7
+// and 8.x, and 4 components on Windows 10 and 11.
+func GetOSVersionString() string {
+	return getVersionInfo().String()
+}
+
+// IsWinServer returns true if and only if this computer's version of Windows is
+// a server edition.
+func IsWinServer() bool {
+	return getVersionInfo().isServer
+}
+
+// IsWinDomainController returs true if this computer's version of Windows is
+// configured to act as a domain controller.
+func IsWinDomainController() bool {
+	return getVersionInfo().isDC
+}
+
+// IsWin7SP1OrGreater returns true when running on Windows 7 SP1 or newer.
+func IsWin7SP1OrGreater() bool {
+	if IsWin8OrGreater() {
+		return true
+	}
+
+	vi := getVersionInfo()
+	return vi.major == 6 && vi.minor == 1 && vi.servicePack > 0
+}
+
+// IsWin8OrGreater returns true when running on Windows 8.0 or newer.
+func IsWin8OrGreater() bool {
+	return getVersionInfo().isVersionOrGreater(6, 2, 0)
+}
+
+// IsWin8Point1OrGreater returns true when running on Windows 8.1 or newer.
+func IsWin8Point1OrGreater() bool {
+	return getVersionInfo().isVersionOrGreater(6, 3, 0)
+}
+
+// IsWin10OrGreater returns true when running on any build of Windows 10 or newer.
+func IsWin10OrGreater() bool {
+	return getVersionInfo().major >= 10
+}
+
+// Win10BuildConstant encodes build numbers for the various editions of Windows 10,
+// for use with IsWin10BuildOrGreater.
+type Win10BuildConstant uint32
+
+const (
+	Win10BuildRTM          = Win10BuildConstant(10240)
+	Win10Build1511         = Win10BuildConstant(10586)
+	Win10Build1607         = Win10BuildConstant(14393)
+	Win10BuildAnniversary  = Win10Build1607
+	Win10Build1703         = Win10BuildConstant(15063)
+	Win10BuildCreators     = Win10Build1703
+	Win10Build1709         = Win10BuildConstant(16299)
+	Win10BuildFallCreators = Win10Build1709
+	Win10Build1803         = Win10BuildConstant(17134)
+	Win10Build1809         = Win10BuildConstant(17763)
+	Win10Build1903         = Win10BuildConstant(18362)
+	Win10Build1909         = Win10BuildConstant(18363)
+	Win10Build2004         = Win10BuildConstant(19041)
+	Win10Build20H2         = Win10BuildConstant(19042)
+	Win10Build21H1         = Win10BuildConstant(19043)
+	Win10Build21H2         = Win10BuildConstant(19044)
+	Win10Build22H2         = Win10BuildConstant(19045)
+)
+
+// IsWin10BuildOrGreater returns true when running on the specified Windows 10
+// build, or newer.
+func IsWin10BuildOrGreater(build Win10BuildConstant) bool {
+	return getVersionInfo().isWin10BuildOrGreater(uint32(build))
+}
+
+// Win11BuildConstant encodes build numbers for the various editions of Windows 11,
+// for use with IsWin11BuildOrGreater.
+type Win11BuildConstant uint32
+
+const (
+	Win11BuildRTM  = Win11BuildConstant(22000)
+	Win11Build22H2 = Win11BuildConstant(22621)
+	Win11Build23H2 = Win11BuildConstant(22631)
+)
+
+// IsWin11OrGreater returns true when running on any release of Windows 11,
+// or newer.
+func IsWin11OrGreater() bool {
+	return IsWin11BuildOrGreater(Win11BuildRTM)
+}
+
+// IsWin11BuildOrGreater returns true when running on the specified Windows 11
+// build, or newer.
+func IsWin11BuildOrGreater(build Win11BuildConstant) bool {
+	// Under the hood, Windows 11 is just Windows 10 with a sufficiently advanced
+	// build number.
+	return getVersionInfo().isWin10BuildOrGreater(uint32(build))
+}
+
+func (osv *osVersionInfo) String() string {
+	return osv.str
+}
+
+func (osv *osVersionInfo) isWin10BuildOrGreater(build uint32) bool {
+	return osv.isVersionOrGreater(10, 0, build)
+}
+
+func (osv *osVersionInfo) isVersionOrGreater(major, minor, build uint32) bool {
+	return isVerGE(osv.major, major, osv.minor, minor, osv.build, build)
+}
+
+func isVerGE(lmajor, rmajor, lminor, rminor, lbuild, rbuild uint32) bool {
+	return lmajor > rmajor ||
+		lmajor == rmajor &&
+			(lminor > rminor ||
+				lminor == rminor && lbuild >= rbuild)
+}

vendor/github.com/dblohm7/wingoes/time.go

@@ -0,0 +1,29 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows
+
+package wingoes
+
+import (
+	"errors"
+	"time"
+
+	"golang.org/x/sys/windows"
+)
+
+var (
+	// ErrDurationOutOfRange means that a time.Duration is too large to be able
+	// to be specified as a valid Win32 timeout value.
+	ErrDurationOutOfRange = errors.New("duration is out of timeout range")
+)
+
+// DurationToTimeoutMilliseconds converts d into a timeout usable by Win32 APIs.
+func DurationToTimeoutMilliseconds(d time.Duration) (uint32, error) {
+	millis := d.Milliseconds()
+	if millis >= windows.INFINITE {
+		return 0, ErrDurationOutOfRange
+	}
+	return uint32(millis), nil
+}

vendor/github.com/dblohm7/wingoes/util.go

@@ -0,0 +1,80 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build windows
+
+package wingoes
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+// UserSIDs contains pointers to the SIDs for a user and their primary group.
+type UserSIDs struct {
+	User         *windows.SID
+	PrimaryGroup *windows.SID
+}
+
+// CurrentProcessUserSIDs returns a UserSIDs containing the SIDs of the user
+// and primary group who own the current process.
+func CurrentProcessUserSIDs() (*UserSIDs, error) {
+	token, err := windows.OpenCurrentProcessToken()
+	if err != nil {
+		return nil, err
+	}
+	defer token.Close()
+
+	userInfo, err := token.GetTokenUser()
+	if err != nil {
+		return nil, err
+	}
+
+	primaryGroup, err := token.GetTokenPrimaryGroup()
+	if err != nil {
+		return nil, err
+	}
+
+	// We just want the SIDs, not the rest of the structs that were output.
+	userSid, err := userInfo.User.Sid.Copy()
+	if err != nil {
+		return nil, err
+	}
+
+	primaryGroupSid, err := primaryGroup.PrimaryGroup.Copy()
+	if err != nil {
+		return nil, err
+	}
+
+	return &UserSIDs{User: userSid, PrimaryGroup: primaryGroupSid}, nil
+}
+
+// getTokenInfoVariableLen obtains variable-length token information. Use
+// this function for information classes that output variable-length data.
+func getTokenInfoVariableLen[T any](token windows.Token, infoClass uint32) (*T, error) {
+	var buf []byte
+	var desiredLen uint32
+
+	err := windows.GetTokenInformation(token, infoClass, nil, 0, &desiredLen)
+
+	for err == windows.ERROR_INSUFFICIENT_BUFFER {
+		buf = make([]byte, desiredLen)
+		err = windows.GetTokenInformation(token, infoClass, unsafe.SliceData(buf), desiredLen, &desiredLen)
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return (*T)(unsafe.Pointer(unsafe.SliceData(buf))), nil
+}
+
+// getTokenInfoFixedLen obtains known fixed-length token information. Use this
+// function for information classes that output enumerations, BOOLs, integers etc.
+func getTokenInfoFixedLen[T any](token windows.Token, infoClass uint32) (result T, _ error) {
+	var actualLen uint32
+	err := windows.GetTokenInformation(token, infoClass, (*byte)(unsafe.Pointer(&result)), uint32(unsafe.Sizeof(result)), &actualLen)
+	return result, err
+}

vendor/github.com/docker/docker/AUTHORS

@@ -669,6 +669,7 @@ Erik Hollensbe <github@hollensbe.org>
 Erik Inge Bolsø <knan@redpill-linpro.com>
 Erik Kristensen <erik@erikkristensen.com>
 Erik Sipsma <erik@sipsma.dev>
+Erik Sjölund <erik.sjolund@gmail.com>
 Erik St. Martin <alakriti@gmail.com>
 Erik Weathers <erikdw@gmail.com>
 Erno Hopearuoho <erno.hopearuoho@gmail.com>
@@ -731,6 +732,7 @@ Feroz Salam <feroz.salam@sourcegraph.com>
 Ferran Rodenas <frodenas@gmail.com>
 Filipe Brandenburger <filbranden@google.com>
 Filipe Oliveira <contato@fmoliveira.com.br>
+Filipe Pina <hzlu1ot0@duck.com>
 Flavio Castelli <fcastelli@suse.com>
 Flavio Crisciani <flavio.crisciani@docker.com>
 Florian <FWirtz@users.noreply.github.com>
@@ -875,6 +877,8 @@ Hsing-Yu (David) Chen <davidhsingyuchen@gmail.com>
 hsinko <21551195@zju.edu.cn>
 Hu Keping <hukeping@huawei.com>
 Hu Tao <hutao@cn.fujitsu.com>
+Huajin Tong <fliterdashen@gmail.com>
+huang-jl <1046678590@qq.com>
 HuanHuan Ye <logindaveye@gmail.com>
 Huanzhong Zhang <zhanghuanzhong90@gmail.com>
 Huayi Zhang <irachex@gmail.com>
@@ -969,6 +973,7 @@ Jannick Fahlbusch <git@jf-projects.de>
 Januar Wayong <januar@gmail.com>
 Jared Biel <jared.biel@bolderthinking.com>
 Jared Hocutt <jaredh@netapp.com>
+Jaroslav Jindrak <dzejrou@gmail.com>
 Jaroslaw Zabiello <hipertracker@gmail.com>
 Jasmine Hegman <jasmine@jhegman.com>
 Jason A. Donenfeld <Jason@zx2c4.com>
@@ -1012,6 +1017,7 @@ Jeffrey Bolle <jeffreybolle@gmail.com>
 Jeffrey Morgan <jmorganca@gmail.com>
 Jeffrey van Gogh <jvg@google.com>
 Jenny Gebske <jennifer@gebske.de>
+Jeongseok Kang <piono623@naver.com>
 Jeremy Chambers <jeremy@thehipbot.com>
 Jeremy Grosser <jeremy@synack.me>
 Jeremy Huntwork <jhuntwork@lightcubesolutions.com>
@@ -1029,6 +1035,7 @@ Jezeniel Zapanta <jpzapanta22@gmail.com>
 Jhon Honce <jhonce@redhat.com>
 Ji.Zhilong <zhilongji@gmail.com>
 Jian Liao <jliao@alauda.io>
+Jian Zeng <anonymousknight96@gmail.com>
 Jian Zhang <zhangjian.fnst@cn.fujitsu.com>
 Jiang Jinyang <jjyruby@gmail.com>
 Jianyong Wu <jianyong.wu@arm.com>
@@ -1967,6 +1974,7 @@ Sergey Evstifeev <sergey.evstifeev@gmail.com>
 Sergii Kabashniuk <skabashnyuk@codenvy.com>
 Sergio Lopez <slp@redhat.com>
 Serhat Gülçiçek <serhat25@gmail.com>
+Serhii Nakon <serhii.n@thescimus.com>
 SeungUkLee <lsy931106@gmail.com>
 Sevki Hasirci <s@sevki.org>
 Shane Canon <scanon@lbl.gov>
@@ -2253,6 +2261,7 @@ VladimirAus <v_roudakov@yahoo.com>
 Vladislav Kolesnikov <vkolesnikov@beget.ru>
 Vlastimil Zeman <vlastimil.zeman@diffblue.com>
 Vojtech Vitek (V-Teq) <vvitek@redhat.com>
+voloder <110066198+voloder@users.noreply.github.com>
 Walter Leibbrandt <github@wrl.co.za>
 Walter Stanish <walter@pratyeka.org>
 Wang Chao <chao.wang@ucloud.cn>

vendor/github.com/docker/docker/api/swagger.yaml

@@ -2179,72 +2179,129 @@ definitions:
     type: "object"
     properties:
       Name:
+        description: |
+          Name of the network.
         type: "string"
+        example: "my_network"
       Id:
+        description: |
+          ID that uniquely identifies a network on a single machine.
         type: "string"
+        example: "7d86d31b1478e7cca9ebed7e73aa0fdeec46c5ca29497431d3007d2d9e15ed99"
       Created:
+        description: |
+          Date and time at which the network was created in
+          [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format with nano-seconds.
         type: "string"
         format: "dateTime"
+        example: "2016-10-19T04:33:30.360899459Z"
       Scope:
+        description: |
+          The level at which the network exists (e.g. `swarm` for cluster-wide
+          or `local` for machine level)
         type: "string"
+        example: "local"
       Driver:
+        description: |
+          The name of the driver used to create the network (e.g. `bridge`,
+          `overlay`).
         type: "string"
+        example: "overlay"
       EnableIPv6:
+        description: |
+          Whether the network was created with IPv6 enabled.
         type: "boolean"
+        example: false
       IPAM:
         $ref: "#/definitions/IPAM"
       Internal:
+        description: |
+          Whether the network is created to only allow internal networking
+          connectivity.
         type: "boolean"
+        default: false
+        example: false
       Attachable:
+        description: |
+          Wheter a global / swarm scope network is manually attachable by regular
+          containers from workers in swarm mode.
         type: "boolean"
+        default: false
+        example: false
       Ingress:
+        description: |
+          Whether the network is providing the routing-mesh for the swarm cluster.
         type: "boolean"
+        default: false
+        example: false
+      ConfigFrom:
+        $ref: "#/definitions/ConfigReference"
+      ConfigOnly:
+        description: |
+          Whether the network is a config-only network. Config-only networks are
+          placeholder networks for network configurations to be used by other
+          networks. Config-only networks cannot be used directly to run containers
+          or services.
+        type: "boolean"
+        default: false
       Containers:
+        description: |
+          Contains endpoints attached to the network.
         type: "object"
         additionalProperties:
           $ref: "#/definitions/NetworkContainer"
+        example:
+          19a4d5d687db25203351ed79d478946f861258f018fe384f229f2efa4b23513c:
+            Name: "test"
+            EndpointID: "628cadb8bcb92de107b2a1e516cbffe463e321f548feb37697cce00ad694f21a"
+            MacAddress: "02:42:ac:13:00:02"
+            IPv4Address: "172.19.0.2/16"
+            IPv6Address: ""
       Options:
+        description: |
+          Network-specific options uses when creating the network.
         type: "object"
         additionalProperties:
           type: "string"
+        example:
+          com.docker.network.bridge.default_bridge: "true"
+          com.docker.network.bridge.enable_icc: "true"
+          com.docker.network.bridge.enable_ip_masquerade: "true"
+          com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
+          com.docker.network.bridge.name: "docker0"
+          com.docker.network.driver.mtu: "1500"
       Labels:
+        description: "User-defined key/value metadata."
         type: "object"
         additionalProperties:
           type: "string"
-    example:
+        example:
-      Name: "net01"
+          com.example.some-label: "some-value"
-      Id: "7d86d31b1478e7cca9ebed7e73aa0fdeec46c5ca29497431d3007d2d9e15ed99"
+          com.example.some-other-label: "some-other-value"
-      Created: "2016-10-19T04:33:30.360899459Z"
+      Peers:
-      Scope: "local"
+        description: |
-      Driver: "bridge"
+          List of peer nodes for an overlay network. This field is only present
-      EnableIPv6: false
+          for overlay networks, and omitted for other network types.
-      IPAM:
+        type: "array"
-        Driver: "default"
+        items:
-        Config:
+          $ref: "#/definitions/PeerInfo"
-          - Subnet: "172.19.0.0/16"
+        x-nullable: true
-            Gateway: "172.19.0.1"
+      # TODO: Add Services (only present when "verbose" is set).
-        Options:
+
-          foo: "bar"
+  ConfigReference:
-      Internal: false
+    description: |
-      Attachable: false
+      The config-only network source to provide the configuration for
-      Ingress: false
+      this network.
-      Containers:
+    type: "object"
-        19a4d5d687db25203351ed79d478946f861258f018fe384f229f2efa4b23513c:
+    properties:
-          Name: "test"
+      Network:
-          EndpointID: "628cadb8bcb92de107b2a1e516cbffe463e321f548feb37697cce00ad694f21a"
+        description: |
-          MacAddress: "02:42:ac:13:00:02"
+          The name of the config-only network that provides the network's
-          IPv4Address: "172.19.0.2/16"
+          configuration. The specified network must be an existing config-only
-          IPv6Address: ""
+          network. Only network names are allowed, not network IDs.
-      Options:
+        type: "string"
-        com.docker.network.bridge.default_bridge: "true"
+        example: "config_only_network_01"
-        com.docker.network.bridge.enable_icc: "true"
+
-        com.docker.network.bridge.enable_ip_masquerade: "true"
-        com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
-        com.docker.network.bridge.name: "docker0"
-        com.docker.network.driver.mtu: "1500"
-      Labels:
-        com.example.some-label: "some-value"
-        com.example.some-other-label: "some-other-value"
   IPAM:
     type: "object"
     properties:
@@ -2252,6 +2309,7 @@ definitions:
         description: "Name of the IPAM driver to use."
         type: "string"
         default: "default"
+        example: "default"
       Config:
         description: |
           List of IPAM configuration options, specified as a map:
@@ -2267,16 +2325,21 @@ definitions:
         type: "object"
         additionalProperties:
           type: "string"
+        example:
+          foo: "bar"
 
   IPAMConfig:
     type: "object"
     properties:
       Subnet:
         type: "string"
+        example: "172.20.0.0/16"
       IPRange:
         type: "string"
+        example: "172.20.10.0/24"
       Gateway:
         type: "string"
+        example: "172.20.10.11"
       AuxiliaryAddresses:
         type: "object"
         additionalProperties:
@@ -2287,14 +2350,35 @@ definitions:
     properties:
       Name:
         type: "string"
+        example: "container_1"
       EndpointID:
         type: "string"
+        example: "628cadb8bcb92de107b2a1e516cbffe463e321f548feb37697cce00ad694f21a"
       MacAddress:
         type: "string"
+        example: "02:42:ac:13:00:02"
       IPv4Address:
         type: "string"
+        example: "172.19.0.2/16"
       IPv6Address:
         type: "string"
+        example: ""
+
+  PeerInfo:
+    description: |
+      PeerInfo represents one peer of an overlay network.
+    type: "object"
+    properties:
+      Name:
+        description:
+          ID of the peer-node in the Swarm cluster.
+        type: "string"
+        example: "6869d7c1732b"
+      IP:
+        description:
+          IP-address of the peer-node in the Swarm cluster.
+        type: "string"
+        example: "10.133.77.91"
 
   BuildInfo:
     type: "object"
@@ -10104,14 +10188,22 @@ paths:
               Name:
                 description: "The network's name."
                 type: "string"
+                example: "my_network"
               CheckDuplicate:
                 description: |
                   Deprecated: CheckDuplicate is now always enabled.
                 type: "boolean"
+                example: true
               Driver:
                 description: "Name of the network driver plugin to use."
                 type: "string"
                 default: "bridge"
+                example: "bridge"
+              Scope:
+                description: |
+                  The level at which the network exists (e.g. `swarm` for cluster-wide
+                  or `local` for machine level).
+                type: "string"
               Internal:
                 description: "Restrict external access to the network."
                 type: "boolean"
@@ -10120,55 +10212,55 @@ paths:
                   Globally scoped network is manually attachable by regular
                   containers from workers in swarm mode.
                 type: "boolean"
+                example: true
               Ingress:
                 description: |
                   Ingress network is the network which provides the routing-mesh
                   in swarm mode.
                 type: "boolean"
+                example: false
+              ConfigOnly:
+                description: |
+                  Creates a config-only network. Config-only networks are placeholder
+                  networks for network configurations to be used by other networks.
+                  Config-only networks cannot be used directly to run containers
+                  or services.
+                type: "boolean"
+                default: false
+                example: false
+              ConfigFrom:
+                description: |
+                  Specifies the source which will provide the configuration for
+                  this network. The specified network must be an existing
+                  config-only network; see ConfigOnly.
+                $ref: "#/definitions/ConfigReference"
               IPAM:
                 description: "Optional custom IP scheme for the network."
                 $ref: "#/definitions/IPAM"
               EnableIPv6:
                 description: "Enable IPv6 on the network."
                 type: "boolean"
+                example: true
               Options:
                 description: "Network specific options to be used by the drivers."
                 type: "object"
                 additionalProperties:
                   type: "string"
+                example:
+                  com.docker.network.bridge.default_bridge: "true"
+                  com.docker.network.bridge.enable_icc: "true"
+                  com.docker.network.bridge.enable_ip_masquerade: "true"
+                  com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
+                  com.docker.network.bridge.name: "docker0"
+                  com.docker.network.driver.mtu: "1500"
               Labels:
                 description: "User-defined key/value metadata."
                 type: "object"
                 additionalProperties:
                   type: "string"
-            example:
+                example:
-              Name: "isolated_nw"
+                  com.example.some-label: "some-value"
-              CheckDuplicate: false
+                  com.example.some-other-label: "some-other-value"
-              Driver: "bridge"
-              EnableIPv6: true
-              IPAM:
-                Driver: "default"
-                Config:
-                  - Subnet: "172.20.0.0/16"
-                    IPRange: "172.20.10.0/24"
-                    Gateway: "172.20.10.11"
-                  - Subnet: "2001:db8:abcd::/64"
-                    Gateway: "2001:db8:abcd::1011"
-                Options:
-                  foo: "bar"
-              Internal: true
-              Attachable: false
-              Ingress: false
-              Options:
-                com.docker.network.bridge.default_bridge: "true"
-                com.docker.network.bridge.enable_icc: "true"
-                com.docker.network.bridge.enable_ip_masquerade: "true"
-                com.docker.network.bridge.host_binding_ipv4: "0.0.0.0"
-                com.docker.network.bridge.name: "docker0"
-                com.docker.network.driver.mtu: "1500"
-              Labels:
-                com.example.some-label: "some-value"
-                com.example.some-other-label: "some-other-value"
       tags: ["Network"]
 
   /networks/{id}/connect:

vendor/github.com/docker/docker/api/types/types.go

@@ -457,24 +457,24 @@ type EndpointResource struct {
 type NetworkCreate struct {
 	// Deprecated: CheckDuplicate is deprecated since API v1.44, but it defaults to true when sent by the client
 	// package to older daemons.
-	CheckDuplicate bool `json:",omitempty"`
+	CheckDuplicate bool                     `json:",omitempty"`
-	Driver         string
+	Driver         string                   // Driver is the driver-name used to create the network (e.g. `bridge`, `overlay`)
-	Scope          string
+	Scope          string                   // Scope describes the level at which the network exists (e.g. `swarm` for cluster-wide or `local` for machine level).
-	EnableIPv6     bool
+	EnableIPv6     bool                     // EnableIPv6 represents whether to enable IPv6.
-	IPAM           *network.IPAM
+	IPAM           *network.IPAM            // IPAM is the network's IP Address Management.
-	Internal       bool
+	Internal       bool                     // Internal represents if the network is used internal only.
-	Attachable     bool
+	Attachable     bool                     // Attachable represents if the global scope is manually attachable by regular containers from workers in swarm mode.
-	Ingress        bool
+	Ingress        bool                     // Ingress indicates the network is providing the routing-mesh for the swarm cluster.
-	ConfigOnly     bool
+	ConfigOnly     bool                     // ConfigOnly creates a config-only network. Config-only networks are place-holder networks for network configurations to be used by other networks. ConfigOnly networks cannot be used directly to run containers or services.
-	ConfigFrom     *network.ConfigReference
+	ConfigFrom     *network.ConfigReference // ConfigFrom specifies the source which will provide the configuration for this network. The specified network must be a config-only network; see [NetworkCreate.ConfigOnly].
-	Options        map[string]string
+	Options        map[string]string        // Options specifies the network-specific options to use for when creating the network.
-	Labels         map[string]string
+	Labels         map[string]string        // Labels holds metadata specific to the network being created.
 }
 
 // NetworkCreateRequest is the request message sent to the server for network create call.
 type NetworkCreateRequest struct {
 	NetworkCreate
-	Name string
+	Name string // Name is the requested name of the network.
 }
 
 // NetworkCreateResponse is the response message sent by the server for network create call

vendor/github.com/docker/docker/pkg/system/stat_illumos.go

@@ -0,0 +1,15 @@
+package system // import "github.com/docker/docker/pkg/system"
+
+import "syscall"
+
+// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
+func fromStatT(s *syscall.Stat_t) (*StatT, error) {
+	return &StatT{
+		size: s.Size,
+		mode: uint32(s.Mode),
+		uid:  s.Uid,
+		gid:  s.Gid,
+		rdev: uint64(s.Rdev),
+		mtim: s.Mtim,
+	}, nil
+}

vendor/github.com/fxamacker/cbor/v2/.gitignore

@@ -0,0 +1,12 @@
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, build with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out

vendor/github.com/fxamacker/cbor/v2/.golangci.yml

@@ -0,0 +1,77 @@
+# Do not delete linter settings. Linters like gocritic can be enabled on the command line.
+
+linters-settings:
+  dupl:
+    threshold: 100
+  funlen:
+    lines: 100
+    statements: 50
+  goconst:
+    min-len: 2
+    min-occurrences: 3
+  gocritic:
+    enabled-tags:
+      - diagnostic
+      - experimental
+      - opinionated
+      - performance
+      - style
+    disabled-checks:
+      - dupImport # https://github.com/go-critic/go-critic/issues/845
+      - ifElseChain
+      - octalLiteral
+      - paramTypeCombine
+      - whyNoLint
+      - wrapperFunc
+  gofmt:
+    simplify: false
+  goimports:
+    local-prefixes: github.com/fxamacker/cbor
+  golint:
+    min-confidence: 0
+  govet:
+    check-shadowing: true
+  lll:
+    line-length: 140
+  maligned:
+    suggest-new: true
+  misspell:
+    locale: US
+
+linters:
+  disable-all: true
+  enable:
+    - bidichk
+    - errcheck
+    - goconst
+    - gocyclo
+    - gofmt
+    - goimports
+    - gosec
+    - govet
+    - ineffassign
+    - misspell
+    - revive
+    - staticcheck
+    - typecheck
+    - unconvert
+    - unused
+
+issues:
+  # max-issues-per-linter default is 50.  Set to 0 to disable limit.
+  max-issues-per-linter: 0
+  # max-same-issues default is 3.  Set to 0 to disable limit.
+  max-same-issues: 0
+  # Excluding configuration per-path, per-linter, per-text and per-source
+  exclude-rules:
+    - path: _test\.go
+      linters:
+        - goconst
+        - dupl
+        - gomnd
+        - lll
+    - path: doc\.go
+      linters:
+        - goimports
+        - gomnd
+        - lll

vendor/github.com/fxamacker/cbor/v2/CODE_OF_CONDUCT.md

@@ -0,0 +1,133 @@
+
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+faye.github@gmail.com.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

vendor/github.com/fxamacker/cbor/v2/CONTRIBUTING.md

@@ -0,0 +1,41 @@
+# How to contribute
+
+You can contribute by using the library, opening issues, or opening pull requests.
+
+## Bug reports and security vulnerabilities
+
+Most issues are tracked publicly on [GitHub](https://github.com/fxamacker/cbor/issues). 
+
+To report security vulnerabilities, please email faye.github@gmail.com and allow time for the problem to be resolved before disclosing it to the public.  For more info, see [Security Policy](https://github.com/fxamacker/cbor#security-policy).
+
+Please do not send data that might contain personally identifiable information, even if you think you have permission.  That type of support requires payment and a signed contract where I'm indemnified, held harmless, and defended by you for any data you send to me.
+
+## Pull requests
+
+Please [create an issue](https://github.com/fxamacker/cbor/issues/new/choose) before you begin work on a PR.  The improvement may have already been considered, etc.
+
+Pull requests have signing requirements and must not be anonymous.  Exceptions are usually made for docs and CI scripts.
+
+See the [Pull Request Template](https://github.com/fxamacker/cbor/blob/master/.github/pull_request_template.md) for details.
+
+Pull requests have a greater chance of being approved if:
+- it does not reduce speed, increase memory use, reduce security, etc. for people not using the new option or feature.
+- it has > 97% code coverage.
+
+## Describe your issue
+
+Clearly describe the issue:
+* If it's a bug, please provide: **version of this library** and **Go** (`go version`), **unmodified error message**, and describe **how to reproduce it**.  Also state **what you expected to happen** instead of the error.
+* If you propose a change or addition, try to give an example how the improved code could look like or how to use it.
+* If you found a compilation error, please confirm you're using a supported version of Go. If you are, then provide the output of `go version` first, followed by the complete error message.
+
+## Please don't
+
+Please don't send data containing personally identifiable information, even if you think you have permission.  That type of support requires payment and a contract where I'm indemnified, held harmless, and defended for any data you send to me.
+
+Please don't send CBOR data larger than 1024 bytes by email. If you want to send crash-producing CBOR data > 1024 bytes by email, please get my permission before sending it to me.
+
+## Credits
+
+- This guide used nlohmann/json contribution guidelines for inspiration as suggested in issue #22.
+- Special thanks to @lukseven for pointing out the contribution guidelines didn't mention signing requirements.

vendor/github.com/fxamacker/cbor/v2/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019-present Faye Amacker
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/github.com/fxamacker/cbor/v2/README.md

@@ -0,0 +1,674 @@
+# CBOR Codec in Go
+
+<!-- [![](https://github.com/fxamacker/images/raw/master/cbor/v2.5.0/fxamacker_cbor_banner.png)](#cbor-library-in-go) -->
+
+[fxamacker/cbor](https://github.com/fxamacker/cbor) is a library for encoding and decoding [CBOR](https://www.rfc-editor.org/info/std94) and [CBOR Sequences](https://www.rfc-editor.org/rfc/rfc8742.html).
+
+CBOR is a [trusted alternative](https://www.rfc-editor.org/rfc/rfc8949.html#name-comparison-of-other-binary-) to JSON, MessagePack, Protocol Buffers, etc.&nbsp; CBOR is an Internet&nbsp;Standard defined by [IETF&nbsp;STD&nbsp;94 (RFC&nbsp;8949)](https://www.rfc-editor.org/info/std94) and is designed to be relevant for decades.
+
+`fxamacker/cbor` is used in projects by Arm Ltd., Cisco, Dapper Labs, EdgeX&nbsp;Foundry, Fraunhofer&#8209;AISEC, Let's&nbsp;Encrypt (ISRG), Linux&nbsp;Foundation, Microsoft, Mozilla, Oasis&nbsp;Protocol, Tailscale, Teleport, [and&nbsp;others](https://github.com/fxamacker/cbor#who-uses-fxamackercbor).
+
+See [Quick&nbsp;Start](#quick-start) and [Releases](https://github.com/fxamacker/cbor/releases/).  🆕 `UnmarshalFirst` and `DiagnoseFirst` can decode CBOR Sequences.
+
+## fxamacker/cbor
+
+[![](https://github.com/fxamacker/cbor/workflows/ci/badge.svg)](https://github.com/fxamacker/cbor/actions?query=workflow%3Aci)
+[![](https://github.com/fxamacker/cbor/workflows/cover%20%E2%89%A596%25/badge.svg)](https://github.com/fxamacker/cbor/actions?query=workflow%3A%22cover+%E2%89%A596%25%22)
+[![CodeQL](https://github.com/fxamacker/cbor/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/fxamacker/cbor/actions/workflows/codeql-analysis.yml)
+[![](https://img.shields.io/badge/fuzzing-passing-44c010)](#fuzzing-and-code-coverage)
+[![Go Report Card](https://goreportcard.com/badge/github.com/fxamacker/cbor)](https://goreportcard.com/report/github.com/fxamacker/cbor)
+[![](https://img.shields.io/ossf-scorecard/github.com/fxamacker/cbor?label=openssf%20scorecard)](https://github.com/fxamacker/cbor#fuzzing-and-code-coverage) 
+
+`fxamacker/cbor` is a CBOR codec in full conformance with [IETF STD&nbsp;94 (RFC&nbsp;8949)](https://www.rfc-editor.org/info/std94). It also supports CBOR Sequences ([RFC&nbsp;8742](https://www.rfc-editor.org/rfc/rfc8742.html)) and Extended Diagnostic Notation ([Appendix G of RFC&nbsp;8610](https://www.rfc-editor.org/rfc/rfc8610.html#appendix-G)).
+
+Features include full support for CBOR tags, [Core Deterministic Encoding](https://www.rfc-editor.org/rfc/rfc8949.html#name-core-deterministic-encoding), duplicate map key detection, etc.
+
+Design balances trade-offs between security, speed, concurrency, encoded data size, usability, etc.
+
+<details><summary>Highlights</summary><p/>
+
+__🚀&nbsp; Speed__
+
+Encoding and decoding is fast without using Go's `unsafe` package.  Slower settings are opt-in.  Default limits allow very fast and memory efficient rejection of malformed CBOR data.
+
+__🔒&nbsp; Security__
+
+Decoder has configurable limits that defend against malicious inputs.  Duplicate map key detection is supported.  By contrast, `encoding/gob` is [not designed to be hardened against adversarial inputs](https://pkg.go.dev/encoding/gob#hdr-Security).
+
+Codec passed multiple confidential security assessments in 2022.  No vulnerabilities found in subset of codec in a [nonconfidential security assessment](https://github.com/veraison/go-cose/blob/v1.0.0-rc.1/reports/NCC_Microsoft-go-cose-Report_2022-05-26_v1.0.pdf) prepared by NCC&nbsp;Group for Microsoft&nbsp;Corporation.
+
+__🗜️&nbsp; Data Size__
+
+Struct tags (`toarray`, `keyasint`, `omitempty`) automatically reduce size of encoded structs. Encoding optionally shrinks float64→32→16 when values fit.
+
+__:jigsaw:&nbsp; Usability__
+
+API is mostly same as `encoding/json` plus interfaces that simplify concurrency for CBOR options.  Encoding and decoding modes can be created at startup and reused by any goroutines.
+
+Presets include Core Deterministic Encoding, Preferred Serialization, CTAP2 Canonical CBOR, etc.
+
+__📆&nbsp;  Extensibility__
+
+Features include CBOR [extension points](https://www.rfc-editor.org/rfc/rfc8949.html#section-7.1) (e.g. CBOR tags) and extensive settings.  API has interfaces that allow users to create custom encoding and decoding without modifying this library.
+
+<hr/>
+
+</details>
+
+### Secure Decoding with Configurable Settings
+
+`fxamacker/cbor` has configurable limits, etc. that defend against malicious CBOR data.
+
+By contrast, `encoding/gob` is [not designed to be hardened against adversarial inputs](https://pkg.go.dev/encoding/gob#hdr-Security).
+
+<details><summary>Example decoding with encoding/gob 💥 fatal error (out of memory)</summary><p/>
+
+```Go
+// Example of encoding/gob having "fatal error: runtime: out of memory"
+// while decoding 181 bytes.
+package main
+import (
+	"bytes"
+	"encoding/gob"
+	"encoding/hex"
+	"fmt"
+)
+
+// Example data is from https://github.com/golang/go/issues/24446
+// (shortened to 181 bytes).
+const data = "4dffb503010102303001ff30000109010130010800010130010800010130" +
+	"01ffb80001014a01ffb60001014b01ff860001013001ff860001013001ff" +
+	"860001013001ff860001013001ffb80000001eff850401010e3030303030" +
+	"30303030303030303001ff3000010c0104000016ffb70201010830303030" +
+	"3030303001ff3000010c000030ffb6040405fcff00303030303030303030" +
+	"303030303030303030303030303030303030303030303030303030303030" +
+	"30"
+
+type X struct {
+	J *X
+	K map[string]int
+}
+
+func main() {
+	raw, _ := hex.DecodeString(data)
+	decoder := gob.NewDecoder(bytes.NewReader(raw))
+
+	var x X
+	decoder.Decode(&x) // fatal error: runtime: out of memory
+	fmt.Println("Decoding finished.")
+}
+```
+
+<hr/>
+
+</details>
+
+`fxamacker/cbor` is fast at rejecting malformed CBOR data.  E.g. attempts to  
+decode 10 bytes of malicious CBOR data to `[]byte` (with default settings):
+
+| Codec | Speed (ns/op) | Memory | Allocs |
+| :---- | ------------: | -----: | -----: |
+| fxamacker/cbor 2.5.0 | 44 ± 5% | 32 B/op | 2 allocs/op |
+| ugorji/go 1.2.11 | 5353261 ± 4% | 67111321 B/op |  13 allocs/op |
+
+<details><summary>Benchmark details</summary><p/>
+
+Latest comparison used:
+- Input: `[]byte{0x9B, 0x00, 0x00, 0x42, 0xFA, 0x42, 0xFA, 0x42, 0xFA, 0x42}`
+- go1.19.10, linux/amd64, i5-13600K (disabled all e-cores, DDR4 @2933)
+- go test -bench=. -benchmem -count=20
+
+#### Prior comparisons
+
+| Codec | Speed (ns/op) | Memory | Allocs |
+| :---- | ------------: | -----: | -----: |
+| fxamacker/cbor 2.5.0-beta2 | 44.33 ± 2% | 32 B/op | 2 allocs/op |
+| fxamacker/cbor 0.1.0 - 2.4.0 | ~44.68 ± 6% | 32 B/op |  2 allocs/op |
+| ugorji/go 1.2.10 | 5524792.50 ± 3% | 67110491 B/op |  12 allocs/op |
+| ugorji/go 1.1.0 - 1.2.6 | 💥 runtime: | out of memory: | cannot allocate |
+
+- Input: `[]byte{0x9B, 0x00, 0x00, 0x42, 0xFA, 0x42, 0xFA, 0x42, 0xFA, 0x42}`
+- go1.19.6, linux/amd64, i5-13600K (DDR4)
+- go test -bench=. -benchmem -count=20
+
+<hr/>
+
+</details>
+
+### Smaller Encodings with Struct Tags
+
+Struct tags (`toarray`, `keyasint`, `omitempty`) reduce encoded size of structs.
+
+<details><summary>Example encoding 3-level nested Go struct to 1 byte CBOR</summary><p/>
+
+https://go.dev/play/p/YxwvfPdFQG2
+
+```Go
+// Example encoding nested struct (with omitempty tag)
+// - encoding/json:  18 byte JSON
+// - fxamacker/cbor:  1 byte CBOR
+package main
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+
+	"github.com/fxamacker/cbor/v2"
+)
+
+type GrandChild struct {
+	Quux int `json:",omitempty"`
+}
+
+type Child struct {
+	Baz int        `json:",omitempty"`
+	Qux GrandChild `json:",omitempty"`
+}
+
+type Parent struct {
+	Foo Child `json:",omitempty"`
+	Bar int   `json:",omitempty"`
+}
+
+func cb() {
+	results, _ := cbor.Marshal(Parent{})
+	fmt.Println("hex(CBOR): " + hex.EncodeToString(results))
+
+	text, _ := cbor.Diagnose(results) // Diagnostic Notation
+	fmt.Println("DN: " + text)
+}
+
+func js() {
+	results, _ := json.Marshal(Parent{})
+	fmt.Println("hex(JSON): " + hex.EncodeToString(results))
+
+	text := string(results) // JSON
+	fmt.Println("JSON: " + text)
+}
+
+func main() {
+	cb()
+	fmt.Println("-------------")
+	js()
+}
+```
+
+Output (DN is Diagnostic Notation):
+```
+hex(CBOR): a0
+DN: {}
+-------------
+hex(JSON): 7b22466f6f223a7b22517578223a7b7d7d7d
+JSON: {"Foo":{"Qux":{}}}
+```
+
+<hr/>
+
+</details>
+
+Example using different struct tags together:
+
+![alt text](https://github.com/fxamacker/images/raw/master/cbor/v2.3.0/cbor_struct_tags_api.svg?sanitize=1 "CBOR API and Go Struct Tags")
+
+API is mostly same as `encoding/json`, plus interfaces that simplify concurrency for CBOR options.
+
+## Quick Start
+
+__Install__: `go get github.com/fxamacker/cbor/v2` and `import "github.com/fxamacker/cbor/v2"`.
+
+### Key Points
+
+This library can encode and decode CBOR (RFC 8949) and CBOR Sequences (RFC 8742).
+
+- __CBOR data item__ is a single piece of CBOR data and its structure may contain zero, one, or more nested data items.
+- __CBOR sequence__ is a concatenation of 0 or more encoded CBOR data items.
+
+Configurable limits and options can be used to balance trade-offs.
+
+- Encoding and decoding modes are created from options (settings).
+- Modes can be created at startup and reused.
+- Modes are safe for concurrent use.
+
+### Default Mode
+
+Package level functions only use this library's default settings.  
+They provide the "default mode" of encoding and decoding.
+
+```go
+// API matches encoding/json for Marshal, Unmarshal, Encode, Decode, etc.
+b, err = cbor.Marshal(v)        // encode v to []byte b
+err = cbor.Unmarshal(b, &v)     // decode []byte b to v
+decoder = cbor.NewDecoder(r)    // create decoder with io.Reader r
+err = decoder.Decode(&v)        // decode a CBOR data item to v
+
+// v2.5.0 added new functions that return remaining bytes.
+
+// UnmarshalFirst decodes first CBOR data item and returns remaining bytes.
+rest, err = cbor.UnmarshalFirst(b, &v)   // decode []byte b to v
+
+// DiagnoseFirst translates first CBOR data item to text and returns remaining bytes.
+text, rest, err = cbor.DiagnoseFirst(b)  // decode []byte b to Diagnostic Notation text
+
+// NOTE: Unmarshal returns ExtraneousDataError if there are remaining bytes,
+// but new funcs UnmarshalFirst and DiagnoseFirst do not.
+```
+
+__IMPORTANT__: 👉  CBOR settings allow trade-offs between speed, security, encoding size, etc.
+
+- Different CBOR libraries may use different default settings.
+- CBOR-based formats or protocols usually require specific settings.
+
+For example, WebAuthn uses "CTAP2 Canonical CBOR" which is available as a preset.
+
+### Presets
+
+Presets can be used as-is or as a starting point for custom settings.
+
+```go
+// EncOptions is a struct of encoder settings.
+func CoreDetEncOptions() EncOptions              // RFC 8949 Core Deterministic Encoding
+func PreferredUnsortedEncOptions() EncOptions    // RFC 8949 Preferred Serialization
+func CanonicalEncOptions() EncOptions            // RFC 7049 Canonical CBOR
+func CTAP2EncOptions() EncOptions                // FIDO2 CTAP2 Canonical CBOR
+```
+
+Presets are used to create custom modes.
+
+### Custom Modes
+
+Modes are created from settings. Once created, modes have immutable settings.
+
+💡 Create the mode at startup and reuse it. It is safe for concurrent use.
+
+```Go
+// Create encoding mode.
+opts := cbor.CoreDetEncOptions()   // use preset options as a starting point
+opts.Time = cbor.TimeUnix          // change any settings if needed
+em, err := opts.EncMode()          // create an immutable encoding mode
+
+// Reuse the encoding mode. It is safe for concurrent use.
+
+// API matches encoding/json.
+b, err := em.Marshal(v)            // encode v to []byte b
+encoder := em.NewEncoder(w)        // create encoder with io.Writer w
+err := encoder.Encode(v)           // encode v to io.Writer w
+```
+
+Default mode and custom modes automatically apply struct tags.
+
+### Struct Tags
+
+Struct tags (`toarray`, `keyasint`, `omitempty`) reduce encoded size of structs.
+
+<details><summary>Example encoding 3-level nested Go struct to 1 byte CBOR</summary><p/>
+
+https://go.dev/play/p/YxwvfPdFQG2
+
+```Go
+// Example encoding nested struct (with omitempty tag)
+// - encoding/json:  18 byte JSON
+// - fxamacker/cbor:  1 byte CBOR
+package main
+
+import (
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+
+	"github.com/fxamacker/cbor/v2"
+)
+
+type GrandChild struct {
+	Quux int `json:",omitempty"`
+}
+
+type Child struct {
+	Baz int        `json:",omitempty"`
+	Qux GrandChild `json:",omitempty"`
+}
+
+type Parent struct {
+	Foo Child `json:",omitempty"`
+	Bar int   `json:",omitempty"`
+}
+
+func cb() {
+	results, _ := cbor.Marshal(Parent{})
+	fmt.Println("hex(CBOR): " + hex.EncodeToString(results))
+
+	text, _ := cbor.Diagnose(results) // Diagnostic Notation
+	fmt.Println("DN: " + text)
+}
+
+func js() {
+	results, _ := json.Marshal(Parent{})
+	fmt.Println("hex(JSON): " + hex.EncodeToString(results))
+
+	text := string(results) // JSON
+	fmt.Println("JSON: " + text)
+}
+
+func main() {
+	cb()
+	fmt.Println("-------------")
+	js()
+}
+```
+
+Output (DN is Diagnostic Notation):
+```
+hex(CBOR): a0
+DN: {}
+-------------
+hex(JSON): 7b22466f6f223a7b22517578223a7b7d7d7d
+JSON: {"Foo":{"Qux":{}}}
+```
+
+<hr/>
+
+</details>
+
+<details><summary>Example using several struct tags</summary><p/>
+	
+![alt text](https://github.com/fxamacker/images/raw/master/cbor/v2.3.0/cbor_struct_tags_api.svg?sanitize=1 "CBOR API and Go Struct Tags")
+
+</details>
+
+Struct tags simplify use of CBOR-based protocols that require CBOR arrays or maps with integer keys.
+
+### CBOR Tags
+
+CBOR tags are specified in a `TagSet`.
+
+Custom modes can be created with a `TagSet` to handle CBOR tags.
+ 
+```go
+em, err := opts.EncMode()                  // no CBOR tags
+em, err := opts.EncModeWithTags(ts)        // immutable CBOR tags
+em, err := opts.EncModeWithSharedTags(ts)  // mutable shared CBOR tags
+```
+
+`TagSet` and modes using it are safe for concurrent use.  Equivalent API is available for `DecMode`.
+
+<details><summary>Example using TagSet and TagOptions</summary><p/>
+
+```go
+// Use signedCWT struct defined in "Decoding CWT" example.
+
+// Create TagSet (safe for concurrency).
+tags := cbor.NewTagSet()
+// Register tag COSE_Sign1 18 with signedCWT type.
+tags.Add(	
+	cbor.TagOptions{EncTag: cbor.EncTagRequired, DecTag: cbor.DecTagRequired}, 
+	reflect.TypeOf(signedCWT{}), 
+	18)
+
+// Create DecMode with immutable tags.
+dm, _ := cbor.DecOptions{}.DecModeWithTags(tags)
+
+// Unmarshal to signedCWT with tag support.
+var v signedCWT
+if err := dm.Unmarshal(data, &v); err != nil {
+	return err
+}
+
+// Create EncMode with immutable tags.
+em, _ := cbor.EncOptions{}.EncModeWithTags(tags)
+
+// Marshal signedCWT with tag number.
+if data, err := cbor.Marshal(v); err != nil {
+	return err
+}
+```
+
+</details>
+
+### Functions and Interfaces
+
+<details><summary>Functions and interfaces at a glance</summary><p/>
+
+Common functions with same API as `encoding/json`:  
+- `Marshal`, `Unmarshal`
+- `NewEncoder`, `(*Encoder).Encode`
+- `NewDecoder`, `(*Decoder).Decode`
+
+NOTE: `Unmarshal` will return `ExtraneousDataError` if there are remaining bytes
+because RFC 8949 treats CBOR data item with remaining bytes as malformed.
+- 💡 Use `UnmarshalFirst` to decode first CBOR data item and return any remaining bytes.
+
+Other useful functions: 
+- `Diagnose`, `DiagnoseFirst` produce human-readable [Extended Diagnostic Notation](https://www.rfc-editor.org/rfc/rfc8610.html#appendix-G) from CBOR data.
+- `UnmarshalFirst` decodes first CBOR data item and return any remaining bytes.
+- `Wellformed` returns true if the the CBOR data item is well-formed.
+
+Interfaces identical or comparable to Go `encoding` packages include:  
+`Marshaler`, `Unmarshaler`, `BinaryMarshaler`, and `BinaryUnmarshaler`.
+
+The `RawMessage` type can be used to delay CBOR decoding or precompute CBOR encoding.
+
+</details>
+
+### Security Tips
+
+🔒 Use Go's `io.LimitReader` to limit size when decoding very large or indefinite size data.
+
+Default limits may need to be increased for systems handling very large data (e.g. blockchains).
+
+`DecOptions` can be used to modify default limits for `MaxArrayElements`, `MaxMapPairs`, and `MaxNestedLevels`.
+
+## Status
+
+v2.6.0 (February 2024) adds important new features, optimizations, and bug fixes. It is especially useful to systems that need to convert data between CBOR and JSON.  New options and optimizations improve handling of bignum, integers, maps, and strings.
+
+For more details, see [release notes](https://github.com/fxamacker/cbor/releases).
+
+### Prior Release
+
+v2.5.0 was released on Sunday, August 13, 2023 with new features and important bug fixes.  It is fuzz tested and production quality after extended beta [v2.5.0-beta](https://github.com/fxamacker/cbor/releases/tag/v2.5.0-beta) (Dec 2022) -> [v2.5.0](https://github.com/fxamacker/cbor/releases/tag/v2.5.0) (Aug 2023).
+
+__IMPORTANT__:  👉 Before upgrading from v2.4 or older release, please read the notable changes highlighted in the release notes.  v2.5.0 is a large release with bug fixes to error handling for extraneous data in `Unmarshal`, etc. that should be reviewed before upgrading.
+
+See [v2.5.0 release notes](https://github.com/fxamacker/cbor/releases/tag/v2.5.0) for list of new features, improvements, and bug fixes.
+
+See ["Version and API Changes"](https://github.com/fxamacker/cbor#versions-and-api-changes) section for more info about version numbering, etc.
+
+<!--
+<details><summary>👉 Benchmark Comparison: v2.4.0 vs v2.5.0</summary><p/>
+
+TODO: Update to v2.4.0 vs 2.5.0 (not beta2).
+
+Comparison of v2.4.0 vs v2.5.0-beta2 provided by @448 (edited to fit width).
+
+PR [#382](https://github.com/fxamacker/cbor/pull/382) returns buffer to pool in `Encode()`. It adds a bit of overhead to `Encode()` but `NewEncoder().Encode()` is a lot faster and uses less memory as shown here:
+
+```
+$ benchstat bench-v2.4.0.log bench-f9e6291.log 
+goos: linux
+goarch: amd64
+pkg: github.com/fxamacker/cbor/v2
+cpu: 12th Gen Intel(R) Core(TM) i7-12700H
+                                                     │ bench-v2.4.0.log │  bench-f9e6291.log                  │
+                                                     │      sec/op      │   sec/op     vs base                │
+NewEncoderEncode/Go_bool_to_CBOR_bool-20                   236.70n ± 2%   58.04n ± 1%  -75.48% (p=0.000 n=10)
+NewEncoderEncode/Go_uint64_to_CBOR_positive_int-20         238.00n ± 2%   63.93n ± 1%  -73.14% (p=0.000 n=10)
+NewEncoderEncode/Go_int64_to_CBOR_negative_int-20          238.65n ± 2%   64.88n ± 1%  -72.81% (p=0.000 n=10)
+NewEncoderEncode/Go_float64_to_CBOR_float-20               242.00n ± 2%   63.00n ± 1%  -73.97% (p=0.000 n=10)
+NewEncoderEncode/Go_[]uint8_to_CBOR_bytes-20               245.60n ± 1%   68.55n ± 1%  -72.09% (p=0.000 n=10)
+NewEncoderEncode/Go_string_to_CBOR_text-20                 243.20n ± 3%   68.39n ± 1%  -71.88% (p=0.000 n=10)
+NewEncoderEncode/Go_[]int_to_CBOR_array-20                 563.0n ± 2%    378.3n ± 0%  -32.81% (p=0.000 n=10)
+NewEncoderEncode/Go_map[string]string_to_CBOR_map-20       2.043µ ± 2%    1.906µ ± 2%   -6.75% (p=0.000 n=10)
+geomean                                                    349.7n         122.7n       -64.92%
+
+                                                     │ bench-v2.4.0.log │    bench-f9e6291.log                │
+                                                     │       B/op       │    B/op     vs base                 │
+NewEncoderEncode/Go_bool_to_CBOR_bool-20                     128.0 ± 0%     0.0 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_uint64_to_CBOR_positive_int-20           128.0 ± 0%     0.0 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_int64_to_CBOR_negative_int-20            128.0 ± 0%     0.0 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_float64_to_CBOR_float-20                 128.0 ± 0%     0.0 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_[]uint8_to_CBOR_bytes-20                 128.0 ± 0%     0.0 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_string_to_CBOR_text-20                   128.0 ± 0%     0.0 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_[]int_to_CBOR_array-20                   128.0 ± 0%     0.0 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_map[string]string_to_CBOR_map-20         544.0 ± 0%   416.0 ± 0%   -23.53% (p=0.000 n=10)
+geomean                                                      153.4                    ?                       ¹ ²
+¹ summaries must be >0 to compute geomean
+² ratios must be >0 to compute geomean
+
+                                                     │ bench-v2.4.0.log │    bench-f9e6291.log                │
+                                                     │    allocs/op     │ allocs/op   vs base                 │
+NewEncoderEncode/Go_bool_to_CBOR_bool-20                     2.000 ± 0%   0.000 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_uint64_to_CBOR_positive_int-20           2.000 ± 0%   0.000 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_int64_to_CBOR_negative_int-20            2.000 ± 0%   0.000 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_float64_to_CBOR_float-20                 2.000 ± 0%   0.000 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_[]uint8_to_CBOR_bytes-20                 2.000 ± 0%   0.000 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_string_to_CBOR_text-20                   2.000 ± 0%   0.000 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_[]int_to_CBOR_array-20                   2.000 ± 0%   0.000 ± 0%  -100.00% (p=0.000 n=10)
+NewEncoderEncode/Go_map[string]string_to_CBOR_map-20         28.00 ± 0%   26.00 ± 0%    -7.14% (p=0.000 n=10)
+geomean                                                      2.782                    ?                       ¹ ²
+¹ summaries must be >0 to compute geomean
+² ratios must be >0 to compute geomean
+```
+
+</details>
+-->
+
+## Who uses fxamacker/cbor
+
+`fxamacker/cbor` is used in projects by Arm Ltd., Berlin Institute of Health at Charité, Chainlink, Cisco, Confidential Computing Consortium, ConsenSys, Dapper&nbsp;Labs, EdgeX&nbsp;Foundry, F5, FIDO Alliance, Fraunhofer&#8209;AISEC, Let's Encrypt (ISRG), Linux&nbsp;Foundation, Matrix.org, Microsoft, Mozilla, National&nbsp;Cybersecurity&nbsp;Agency&nbsp;of&nbsp;France (govt), Netherlands (govt), Oasis Protocol, Smallstep, Tailscale, Taurus SA, Teleport, TIBCO, and others.
+
+`fxamacker/cbor` passed multiple confidential security assessments.  A [nonconfidential security assessment](https://github.com/veraison/go-cose/blob/v1.0.0-rc.1/reports/NCC_Microsoft-go-cose-Report_2022-05-26_v1.0.pdf) (prepared by NCC Group for Microsoft Corporation) includes a subset of fxamacker/cbor v2.4.0 in its scope.
+
+## Standards
+
+`fxamacker/cbor` is a CBOR codec in full conformance with [IETF STD&nbsp;94 (RFC&nbsp;8949)](https://www.rfc-editor.org/info/std94). It also supports CBOR Sequences ([RFC&nbsp;8742](https://www.rfc-editor.org/rfc/rfc8742.html)) and Extended Diagnostic Notation ([Appendix G of RFC&nbsp;8610](https://www.rfc-editor.org/rfc/rfc8610.html#appendix-G)).
+
+Notable CBOR features include:
+
+| CBOR Feature  | Description  |
+| :--- | :--- |
+| CBOR tags | API supports built-in and user-defined tags.  |
+| Preferred serialization | Integers encode to fewest bytes. Optional float64 → float32 → float16. |
+| Map key sorting | Unsorted, length-first (Canonical CBOR), and bytewise-lexicographic (CTAP2). |
+| Duplicate map keys | Always forbid for encoding and option to allow/forbid for decoding.   |
+| Indefinite length data | Option to allow/forbid for encoding and decoding. |
+| Well-formedness | Always checked and enforced. |
+| Basic validity checks | Optionally check UTF-8 validity and duplicate map keys. |
+| Security considerations | Prevent integer overflow and resource exhaustion (RFC 8949 Section 10). |
+
+Known limitations are noted in the [Limitations section](#limitations). 
+
+Go nil values for slices, maps, pointers, etc. are encoded as CBOR null.  Empty slices, maps, etc. are encoded as empty CBOR arrays and maps.
+
+Decoder checks for all required well-formedness errors, including all "subkinds" of syntax errors and too little data.
+
+After well-formedness is verified, basic validity errors are handled as follows:
+
+* Invalid UTF-8 string: Decoder has option to check and return invalid UTF-8 string error. This check is enabled by default.
+* Duplicate keys in a map: Decoder has options to ignore or enforce rejection of duplicate map keys.
+
+When decoding well-formed CBOR arrays and maps, decoder saves the first error it encounters and continues with the next item.  Options to handle this differently may be added in the future.
+
+By default, decoder treats time values of floating-point NaN and Infinity as if they are CBOR Null or CBOR Undefined.
+
+__Click to expand topic:__
+
+<details>
+ <summary>Duplicate Map Keys</summary><p>
+
+This library provides options for fast detection and rejection of duplicate map keys based on applying a Go-specific data model to CBOR's extended generic data model in order to determine duplicate vs distinct map keys. Detection relies on whether the CBOR map key would be a duplicate "key" when decoded and applied to the user-provided Go map or struct. 
+
+`DupMapKeyQuiet` turns off detection of duplicate map keys. It tries to use a "keep fastest" method by choosing either "keep first" or "keep last" depending on the Go data type.
+
+`DupMapKeyEnforcedAPF` enforces detection and rejection of duplidate map keys. Decoding stops immediately and returns `DupMapKeyError` when the first duplicate key is detected. The error includes the duplicate map key and the index number. 
+
+APF suffix means "Allow Partial Fill" so the destination map or struct can contain some decoded values at the time of error. It is the caller's responsibility to respond to the `DupMapKeyError` by discarding the partially filled result if that's required by their protocol.
+
+</details>
+
+<details>
+ <summary>Tag Validity</summary><p>
+
+This library checks tag validity for built-in tags (currently tag numbers 0, 1, 2, 3, and 55799):
+
+* Inadmissible type for tag content 
+* Inadmissible value for tag content
+
+Unknown tag data items (not tag number 0, 1, 2, 3, or 55799) are handled in two ways:
+
+* When decoding into an empty interface, unknown tag data item will be decoded into `cbor.Tag` data type, which contains tag number and tag content.  The tag content will be decoded into the default Go data type for the CBOR data type.
+* When decoding into other Go types, unknown tag data item is decoded into the specified Go type.  If Go type is registered with a tag number, the tag number can optionally be verified.
+
+Decoder also has an option to forbid tag data items (treat any tag data item as error) which is specified by protocols such as CTAP2 Canonical CBOR.  
+
+For more information, see [decoding options](#decoding-options-1) and [tag options](#tag-options).
+
+</details>
+
+## Limitations
+
+If any of these limitations prevent you from using this library, please open an issue along with a link to your project.
+
+* CBOR `Undefined` (0xf7) value decodes to Go's `nil` value.  CBOR `Null` (0xf6) more closely matches Go's `nil`.
+* CBOR map keys with data types not supported by Go for map keys are ignored and an error is returned after continuing to decode remaining items.  
+* When decoding registered CBOR tag data to interface type, decoder creates a pointer to registered Go type matching CBOR tag number.  Requiring a pointer for this is a Go limitation. 
+
+## Fuzzing and Code Coverage
+
+__Code coverage__ is always 95% or higher (with `go test -cover`) when tagging a release.
+
+__Coverage-guided fuzzing__ must pass billions of execs using before tagging a release.  Fuzzing is done using nonpublic code which may eventually get merged into this project.  Until then, reports like OpenSSF&nbsp;Scorecard can't detect fuzz tests being used by this project.
+
+<hr>
+
+## Versions and API Changes
+This project uses [Semantic Versioning](https://semver.org), so the API is always backwards compatible unless the major version number changes.  
+
+These functions have signatures identical to encoding/json and their API will continue to match `encoding/json` even after major new releases:  
+`Marshal`, `Unmarshal`, `NewEncoder`, `NewDecoder`, `(*Encoder).Encode`, and `(*Decoder).Decode`.
+
+Exclusions from SemVer:
+- Newly added API documented as "subject to change".
+- Newly added API in the master branch that has never been tagged in non-beta release.
+- If function parameters are unchanged, bug fixes that change behavior (e.g. return error for edge case was missed in prior version).  We try to highlight these in the release notes and add extended beta period.  E.g. [v2.5.0-beta](https://github.com/fxamacker/cbor/releases/tag/v2.5.0-beta) (Dec 2022) -> [v2.5.0](https://github.com/fxamacker/cbor/releases/tag/v2.5.0) (Aug 2023).
+
+This project avoids breaking changes to behavior of encoding and decoding functions unless required to improve conformance with supported RFCs (e.g. RFC 8949, RFC 8742, etc.)  Visible changes that don't improve conformance to standards are typically made available as new opt-in settings or new functions.
+
+## Code of Conduct 
+
+This project has adopted the [Contributor Covenant Code of Conduct](CODE_OF_CONDUCT.md).  Contact [faye.github@gmail.com](mailto:faye.github@gmail.com) with any questions or comments.
+
+## Contributing
+
+Please open an issue before beginning work on a PR.  The improvement may have already been considered, etc.
+
+For more info, see [How to Contribute](CONTRIBUTING.md).
+
+## Security Policy
+
+Security fixes are provided for the latest released version of fxamacker/cbor.
+
+For the full text of the Security Policy, see [SECURITY.md](SECURITY.md).
+
+## Acknowledgements
+
+Many thanks to all the contributors on this project!
+
+I'm especially grateful to Bastian Müller and Dieter Shirley for suggesting and collaborating on CBOR stream mode, and much more.
+
+I'm very grateful to Stefan Tatschner, Yawning Angel, Jernej Kos, x448, ZenGround0, and Jakob Borg for their contributions or support in the very early days.
+
+This library clearly wouldn't be possible without Carsten Bormann authoring CBOR RFCs.
+
+Special thanks to Laurence Lundblade and Jeffrey Yasskin for their help on IETF mailing list or at [7049bis](https://github.com/cbor-wg/CBORbis).
+
+Huge thanks to The Go Authors for creating a fun and practical programming language with batteries included!
+
+This library uses `x448/float16` which used to be included.  As a standalone package, `x448/float16` is useful to other projects as well.
+
+## License
+
+Copyright © 2019-2024 [Faye Amacker](https://github.com/fxamacker).
+
+fxamacker/cbor is licensed under the MIT License.  See [LICENSE](LICENSE) for the full license text.
+
+<hr>

vendor/github.com/fxamacker/cbor/v2/SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+Security fixes are provided for the latest released version of fxamacker/cbor.
+
+If the security vulnerability is already known to the public, then you can open an issue as a bug report.
+
+To report security vulnerabilities not yet known to the public, please email faye.github@gmail.com and allow time for the problem to be resolved before reporting it to the public.

vendor/github.com/fxamacker/cbor/v2/bytestring.go

@@ -0,0 +1,63 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+package cbor
+
+import (
+	"errors"
+)
+
+// ByteString represents CBOR byte string (major type 2). ByteString can be used
+// when using a Go []byte is not possible or convenient. For example, Go doesn't
+// allow []byte as map key, so ByteString can be used to support data formats
+// having CBOR map with byte string keys. ByteString can also be used to
+// encode invalid UTF-8 string as CBOR byte string.
+// See DecOption.MapKeyByteStringMode for more details.
+type ByteString string
+
+// Bytes returns bytes representing ByteString.
+func (bs ByteString) Bytes() []byte {
+	return []byte(bs)
+}
+
+// MarshalCBOR encodes ByteString as CBOR byte string (major type 2).
+func (bs ByteString) MarshalCBOR() ([]byte, error) {
+	e := getEncoderBuffer()
+	defer putEncoderBuffer(e)
+
+	// Encode length
+	encodeHead(e, byte(cborTypeByteString), uint64(len(bs)))
+
+	// Encode data
+	buf := make([]byte, e.Len()+len(bs))
+	n := copy(buf, e.Bytes())
+	copy(buf[n:], bs)
+
+	return buf, nil
+}
+
+// UnmarshalCBOR decodes CBOR byte string (major type 2) to ByteString.
+// Decoding CBOR null and CBOR undefined sets ByteString to be empty.
+func (bs *ByteString) UnmarshalCBOR(data []byte) error {
+	if bs == nil {
+		return errors.New("cbor.ByteString: UnmarshalCBOR on nil pointer")
+	}
+
+	// Decoding CBOR null and CBOR undefined to ByteString resets data.
+	// This behavior is similar to decoding CBOR null and CBOR undefined to []byte.
+	if len(data) == 1 && (data[0] == 0xf6 || data[0] == 0xf7) {
+		*bs = ""
+		return nil
+	}
+
+	d := decoder{data: data, dm: defaultDecMode}
+
+	// Check if CBOR data type is byte string
+	if typ := d.nextCBORType(); typ != cborTypeByteString {
+		return &UnmarshalTypeError{CBORType: typ.String(), GoType: typeByteString.String()}
+	}
+
+	b, _ := d.parseByteString()
+	*bs = ByteString(b)
+	return nil
+}

vendor/github.com/fxamacker/cbor/v2/cache.go

@@ -0,0 +1,324 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+package cbor
+
+import (
+	"bytes"
+	"errors"
+	"reflect"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+)
+
+type encodeFuncs struct {
+	ef  encodeFunc
+	ief isEmptyFunc
+}
+
+var (
+	decodingStructTypeCache sync.Map // map[reflect.Type]*decodingStructType
+	encodingStructTypeCache sync.Map // map[reflect.Type]*encodingStructType
+	encodeFuncCache         sync.Map // map[reflect.Type]encodeFuncs
+	typeInfoCache           sync.Map // map[reflect.Type]*typeInfo
+)
+
+type specialType int
+
+const (
+	specialTypeNone specialType = iota
+	specialTypeUnmarshalerIface
+	specialTypeEmptyIface
+	specialTypeIface
+	specialTypeTag
+	specialTypeTime
+)
+
+type typeInfo struct {
+	elemTypeInfo *typeInfo
+	keyTypeInfo  *typeInfo
+	typ          reflect.Type
+	kind         reflect.Kind
+	nonPtrType   reflect.Type
+	nonPtrKind   reflect.Kind
+	spclType     specialType
+}
+
+func newTypeInfo(t reflect.Type) *typeInfo {
+	tInfo := typeInfo{typ: t, kind: t.Kind()}
+
+	for t.Kind() == reflect.Ptr {
+		t = t.Elem()
+	}
+
+	k := t.Kind()
+
+	tInfo.nonPtrType = t
+	tInfo.nonPtrKind = k
+
+	if k == reflect.Interface {
+		if t.NumMethod() == 0 {
+			tInfo.spclType = specialTypeEmptyIface
+		} else {
+			tInfo.spclType = specialTypeIface
+		}
+	} else if t == typeTag {
+		tInfo.spclType = specialTypeTag
+	} else if t == typeTime {
+		tInfo.spclType = specialTypeTime
+	} else if reflect.PtrTo(t).Implements(typeUnmarshaler) {
+		tInfo.spclType = specialTypeUnmarshalerIface
+	}
+
+	switch k {
+	case reflect.Array, reflect.Slice:
+		tInfo.elemTypeInfo = getTypeInfo(t.Elem())
+	case reflect.Map:
+		tInfo.keyTypeInfo = getTypeInfo(t.Key())
+		tInfo.elemTypeInfo = getTypeInfo(t.Elem())
+	}
+
+	return &tInfo
+}
+
+type decodingStructType struct {
+	fields  fields
+	err     error
+	toArray bool
+}
+
+func getDecodingStructType(t reflect.Type) *decodingStructType {
+	if v, _ := decodingStructTypeCache.Load(t); v != nil {
+		return v.(*decodingStructType)
+	}
+
+	flds, structOptions := getFields(t)
+
+	toArray := hasToArrayOption(structOptions)
+
+	var err error
+	for i := 0; i < len(flds); i++ {
+		if flds[i].keyAsInt {
+			nameAsInt, numErr := strconv.Atoi(flds[i].name)
+			if numErr != nil {
+				err = errors.New("cbor: failed to parse field name \"" + flds[i].name + "\" to int (" + numErr.Error() + ")")
+				break
+			}
+			flds[i].nameAsInt = int64(nameAsInt)
+		}
+
+		flds[i].typInfo = getTypeInfo(flds[i].typ)
+	}
+
+	structType := &decodingStructType{fields: flds, err: err, toArray: toArray}
+	decodingStructTypeCache.Store(t, structType)
+	return structType
+}
+
+type encodingStructType struct {
+	fields             fields
+	bytewiseFields     fields
+	lengthFirstFields  fields
+	omitEmptyFieldsIdx []int
+	err                error
+	toArray            bool
+	fixedLength        bool // Struct type doesn't have any omitempty or anonymous fields.
+}
+
+func (st *encodingStructType) getFields(em *encMode) fields {
+	if em.sort == SortNone {
+		return st.fields
+	}
+	if em.sort == SortLengthFirst {
+		return st.lengthFirstFields
+	}
+	return st.bytewiseFields
+}
+
+type bytewiseFieldSorter struct {
+	fields fields
+}
+
+func (x *bytewiseFieldSorter) Len() int {
+	return len(x.fields)
+}
+
+func (x *bytewiseFieldSorter) Swap(i, j int) {
+	x.fields[i], x.fields[j] = x.fields[j], x.fields[i]
+}
+
+func (x *bytewiseFieldSorter) Less(i, j int) bool {
+	return bytes.Compare(x.fields[i].cborName, x.fields[j].cborName) <= 0
+}
+
+type lengthFirstFieldSorter struct {
+	fields fields
+}
+
+func (x *lengthFirstFieldSorter) Len() int {
+	return len(x.fields)
+}
+
+func (x *lengthFirstFieldSorter) Swap(i, j int) {
+	x.fields[i], x.fields[j] = x.fields[j], x.fields[i]
+}
+
+func (x *lengthFirstFieldSorter) Less(i, j int) bool {
+	if len(x.fields[i].cborName) != len(x.fields[j].cborName) {
+		return len(x.fields[i].cborName) < len(x.fields[j].cborName)
+	}
+	return bytes.Compare(x.fields[i].cborName, x.fields[j].cborName) <= 0
+}
+
+func getEncodingStructType(t reflect.Type) (*encodingStructType, error) {
+	if v, _ := encodingStructTypeCache.Load(t); v != nil {
+		structType := v.(*encodingStructType)
+		return structType, structType.err
+	}
+
+	flds, structOptions := getFields(t)
+
+	if hasToArrayOption(structOptions) {
+		return getEncodingStructToArrayType(t, flds)
+	}
+
+	var err error
+	var hasKeyAsInt bool
+	var hasKeyAsStr bool
+	var omitEmptyIdx []int
+	fixedLength := true
+	e := getEncoderBuffer()
+	for i := 0; i < len(flds); i++ {
+		// Get field's encodeFunc
+		flds[i].ef, flds[i].ief = getEncodeFunc(flds[i].typ)
+		if flds[i].ef == nil {
+			err = &UnsupportedTypeError{t}
+			break
+		}
+
+		// Encode field name
+		if flds[i].keyAsInt {
+			nameAsInt, numErr := strconv.Atoi(flds[i].name)
+			if numErr != nil {
+				err = errors.New("cbor: failed to parse field name \"" + flds[i].name + "\" to int (" + numErr.Error() + ")")
+				break
+			}
+			flds[i].nameAsInt = int64(nameAsInt)
+			if nameAsInt >= 0 {
+				encodeHead(e, byte(cborTypePositiveInt), uint64(nameAsInt))
+			} else {
+				n := nameAsInt*(-1) - 1
+				encodeHead(e, byte(cborTypeNegativeInt), uint64(n))
+			}
+			flds[i].cborName = make([]byte, e.Len())
+			copy(flds[i].cborName, e.Bytes())
+			e.Reset()
+
+			hasKeyAsInt = true
+		} else {
+			encodeHead(e, byte(cborTypeTextString), uint64(len(flds[i].name)))
+			flds[i].cborName = make([]byte, e.Len()+len(flds[i].name))
+			n := copy(flds[i].cborName, e.Bytes())
+			copy(flds[i].cborName[n:], flds[i].name)
+			e.Reset()
+
+			// If cborName contains a text string, then cborNameByteString contains a
+			// string that has the byte string major type but is otherwise identical to
+			// cborName.
+			flds[i].cborNameByteString = make([]byte, len(flds[i].cborName))
+			copy(flds[i].cborNameByteString, flds[i].cborName)
+			// Reset encoded CBOR type to byte string, preserving the "additional
+			// information" bits:
+			flds[i].cborNameByteString[0] = byte(cborTypeByteString) | (flds[i].cborNameByteString[0] & 0x1f)
+
+			hasKeyAsStr = true
+		}
+
+		// Check if field is from embedded struct
+		if len(flds[i].idx) > 1 {
+			fixedLength = false
+		}
+
+		// Check if field can be omitted when empty
+		if flds[i].omitEmpty {
+			fixedLength = false
+			omitEmptyIdx = append(omitEmptyIdx, i)
+		}
+	}
+	putEncoderBuffer(e)
+
+	if err != nil {
+		structType := &encodingStructType{err: err}
+		encodingStructTypeCache.Store(t, structType)
+		return structType, structType.err
+	}
+
+	// Sort fields by canonical order
+	bytewiseFields := make(fields, len(flds))
+	copy(bytewiseFields, flds)
+	sort.Sort(&bytewiseFieldSorter{bytewiseFields})
+
+	lengthFirstFields := bytewiseFields
+	if hasKeyAsInt && hasKeyAsStr {
+		lengthFirstFields = make(fields, len(flds))
+		copy(lengthFirstFields, flds)
+		sort.Sort(&lengthFirstFieldSorter{lengthFirstFields})
+	}
+
+	structType := &encodingStructType{
+		fields:             flds,
+		bytewiseFields:     bytewiseFields,
+		lengthFirstFields:  lengthFirstFields,
+		omitEmptyFieldsIdx: omitEmptyIdx,
+		fixedLength:        fixedLength,
+	}
+	encodingStructTypeCache.Store(t, structType)
+	return structType, structType.err
+}
+
+func getEncodingStructToArrayType(t reflect.Type, flds fields) (*encodingStructType, error) {
+	for i := 0; i < len(flds); i++ {
+		// Get field's encodeFunc
+		flds[i].ef, flds[i].ief = getEncodeFunc(flds[i].typ)
+		if flds[i].ef == nil {
+			structType := &encodingStructType{err: &UnsupportedTypeError{t}}
+			encodingStructTypeCache.Store(t, structType)
+			return structType, structType.err
+		}
+	}
+
+	structType := &encodingStructType{
+		fields:      flds,
+		toArray:     true,
+		fixedLength: true,
+	}
+	encodingStructTypeCache.Store(t, structType)
+	return structType, structType.err
+}
+
+func getEncodeFunc(t reflect.Type) (encodeFunc, isEmptyFunc) {
+	if v, _ := encodeFuncCache.Load(t); v != nil {
+		fs := v.(encodeFuncs)
+		return fs.ef, fs.ief
+	}
+	ef, ief := getEncodeFuncInternal(t)
+	encodeFuncCache.Store(t, encodeFuncs{ef, ief})
+	return ef, ief
+}
+
+func getTypeInfo(t reflect.Type) *typeInfo {
+	if v, _ := typeInfoCache.Load(t); v != nil {
+		return v.(*typeInfo)
+	}
+	tInfo := newTypeInfo(t)
+	typeInfoCache.Store(t, tInfo)
+	return tInfo
+}
+
+func hasToArrayOption(tag string) bool {
+	s := ",toarray"
+	idx := strings.Index(tag, s)
+	return idx >= 0 && (len(tag) == idx+len(s) || tag[idx+len(s)] == ',')
+}

vendor/github.com/fxamacker/cbor/v2/diagnose.go

@@ -0,0 +1,741 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+package cbor
+
+import (
+	"bytes"
+	"encoding/base32"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"io"
+	"math"
+	"math/big"
+	"strconv"
+	"unicode/utf16"
+	"unicode/utf8"
+
+	"github.com/x448/float16"
+)
+
+// DiagMode is the main interface for CBOR diagnostic notation.
+type DiagMode interface {
+	// Diagnose returns extended diagnostic notation (EDN) of CBOR data items using this DiagMode.
+	Diagnose([]byte) (string, error)
+
+	// DiagnoseFirst returns extended diagnostic notation (EDN) of the first CBOR data item using the DiagMode. Any remaining bytes are returned in rest.
+	DiagnoseFirst([]byte) (string, []byte, error)
+
+	// DiagOptions returns user specified options used to create this DiagMode.
+	DiagOptions() DiagOptions
+}
+
+// ByteStringEncoding specifies the base encoding that byte strings are notated.
+type ByteStringEncoding uint8
+
+const (
+	// ByteStringBase16Encoding encodes byte strings in base16, without padding.
+	ByteStringBase16Encoding ByteStringEncoding = iota
+
+	// ByteStringBase32Encoding encodes byte strings in base32, without padding.
+	ByteStringBase32Encoding
+
+	// ByteStringBase32HexEncoding encodes byte strings in base32hex, without padding.
+	ByteStringBase32HexEncoding
+
+	// ByteStringBase64Encoding encodes byte strings in base64url, without padding.
+	ByteStringBase64Encoding
+
+	maxByteStringEncoding
+)
+
+func (bse ByteStringEncoding) valid() error {
+	if bse >= maxByteStringEncoding {
+		return errors.New("cbor: invalid ByteStringEncoding " + strconv.Itoa(int(bse)))
+	}
+	return nil
+}
+
+// DiagOptions specifies Diag options.
+type DiagOptions struct {
+	// ByteStringEncoding specifies the base encoding that byte strings are notated.
+	// Default is ByteStringBase16Encoding.
+	ByteStringEncoding ByteStringEncoding
+
+	// ByteStringHexWhitespace specifies notating with whitespace in byte string
+	// when ByteStringEncoding is ByteStringBase16Encoding.
+	ByteStringHexWhitespace bool
+
+	// ByteStringText specifies notating with text in byte string
+	// if it is a valid UTF-8 text.
+	ByteStringText bool
+
+	// ByteStringEmbeddedCBOR specifies notating embedded CBOR in byte string
+	// if it is a valid CBOR bytes.
+	ByteStringEmbeddedCBOR bool
+
+	// CBORSequence specifies notating CBOR sequences.
+	// otherwise, it returns an error if there are more bytes after the first CBOR.
+	CBORSequence bool
+
+	// FloatPrecisionIndicator specifies appending a suffix to indicate float precision.
+	// Refer to https://www.rfc-editor.org/rfc/rfc8949.html#name-encoding-indicators.
+	FloatPrecisionIndicator bool
+
+	// MaxNestedLevels specifies the max nested levels allowed for any combination of CBOR array, maps, and tags.
+	// Default is 32 levels and it can be set to [4, 65535]. Note that higher maximum levels of nesting can
+	// require larger amounts of stack to deserialize. Don't increase this higher than you require.
+	MaxNestedLevels int
+
+	// MaxArrayElements specifies the max number of elements for CBOR arrays.
+	// Default is 128*1024=131072 and it can be set to [16, 2147483647]
+	MaxArrayElements int
+
+	// MaxMapPairs specifies the max number of key-value pairs for CBOR maps.
+	// Default is 128*1024=131072 and it can be set to [16, 2147483647]
+	MaxMapPairs int
+}
+
+// DiagMode returns a DiagMode with immutable options.
+func (opts DiagOptions) DiagMode() (DiagMode, error) {
+	return opts.diagMode()
+}
+
+func (opts DiagOptions) diagMode() (*diagMode, error) {
+	if err := opts.ByteStringEncoding.valid(); err != nil {
+		return nil, err
+	}
+
+	decMode, err := DecOptions{
+		MaxNestedLevels:  opts.MaxNestedLevels,
+		MaxArrayElements: opts.MaxArrayElements,
+		MaxMapPairs:      opts.MaxMapPairs,
+	}.decMode()
+	if err != nil {
+		return nil, err
+	}
+
+	return &diagMode{
+		byteStringEncoding:      opts.ByteStringEncoding,
+		byteStringHexWhitespace: opts.ByteStringHexWhitespace,
+		byteStringText:          opts.ByteStringText,
+		byteStringEmbeddedCBOR:  opts.ByteStringEmbeddedCBOR,
+		cborSequence:            opts.CBORSequence,
+		floatPrecisionIndicator: opts.FloatPrecisionIndicator,
+		decMode:                 decMode,
+	}, nil
+}
+
+type diagMode struct {
+	byteStringEncoding      ByteStringEncoding
+	byteStringHexWhitespace bool
+	byteStringText          bool
+	byteStringEmbeddedCBOR  bool
+	cborSequence            bool
+	floatPrecisionIndicator bool
+	decMode                 *decMode
+}
+
+// DiagOptions returns user specified options used to create this DiagMode.
+func (dm *diagMode) DiagOptions() DiagOptions {
+	return DiagOptions{
+		ByteStringEncoding:      dm.byteStringEncoding,
+		ByteStringHexWhitespace: dm.byteStringHexWhitespace,
+		ByteStringText:          dm.byteStringText,
+		ByteStringEmbeddedCBOR:  dm.byteStringEmbeddedCBOR,
+		CBORSequence:            dm.cborSequence,
+		FloatPrecisionIndicator: dm.floatPrecisionIndicator,
+		MaxNestedLevels:         dm.decMode.maxNestedLevels,
+		MaxArrayElements:        dm.decMode.maxArrayElements,
+		MaxMapPairs:             dm.decMode.maxMapPairs,
+	}
+}
+
+// Diagnose returns extended diagnostic notation (EDN) of CBOR data items using the DiagMode.
+func (dm *diagMode) Diagnose(data []byte) (string, error) {
+	return newDiagnose(data, dm.decMode, dm).diag(dm.cborSequence)
+}
+
+// DiagnoseFirst returns extended diagnostic notation (EDN) of the first CBOR data item using the DiagMode. Any remaining bytes are returned in rest.
+func (dm *diagMode) DiagnoseFirst(data []byte) (string, []byte, error) {
+	return newDiagnose(data, dm.decMode, dm).diagFirst()
+}
+
+var defaultDiagMode, _ = DiagOptions{}.diagMode()
+
+// Diagnose returns extended diagnostic notation (EDN) of CBOR data items
+// using the default diagnostic mode.
+//
+// Refer to https://www.rfc-editor.org/rfc/rfc8949.html#name-diagnostic-notation.
+func Diagnose(data []byte) (string, error) {
+	return defaultDiagMode.Diagnose(data)
+}
+
+// Diagnose returns extended diagnostic notation (EDN) of the first CBOR data item using the DiagMode. Any remaining bytes are returned in rest.
+func DiagnoseFirst(data []byte) (string, []byte, error) {
+	return defaultDiagMode.DiagnoseFirst(data)
+}
+
+type diagnose struct {
+	dm *diagMode
+	d  *decoder
+	w  *bytes.Buffer
+}
+
+func newDiagnose(data []byte, decm *decMode, diagm *diagMode) *diagnose {
+	return &diagnose{
+		dm: diagm,
+		d:  &decoder{data: data, dm: decm},
+		w:  &bytes.Buffer{},
+	}
+}
+
+func (di *diagnose) diag(cborSequence bool) (string, error) {
+	// CBOR Sequence
+	firstItem := true
+	for {
+		switch err := di.wellformed(cborSequence); err {
+		case nil:
+			if !firstItem {
+				if err = di.writeString(", "); err != nil {
+					return di.w.String(), err
+				}
+			}
+			firstItem = false
+			if err = di.item(); err != nil {
+				return di.w.String(), err
+			}
+
+		case io.EOF:
+			if firstItem {
+				return di.w.String(), err
+			}
+			return di.w.String(), nil
+
+		default:
+			return di.w.String(), err
+		}
+	}
+}
+
+func (di *diagnose) diagFirst() (string, []byte, error) {
+	err := di.wellformed(true)
+	if err == nil {
+		err = di.item()
+	}
+
+	if err == nil {
+		// Return EDN and the rest of the data slice (which might be len 0)
+		return di.w.String(), di.d.data[di.d.off:], nil
+	}
+
+	return di.w.String(), nil, err
+}
+
+func (di *diagnose) wellformed(allowExtraData bool) error {
+	off := di.d.off
+	err := di.d.wellformed(allowExtraData)
+	di.d.off = off
+	return err
+}
+
+func (di *diagnose) item() error { //nolint:gocyclo
+	initialByte := di.d.data[di.d.off]
+	switch initialByte {
+	case 0x5f, 0x7f: // indefinite-length byte/text string
+		di.d.off++
+		if di.d.data[di.d.off] == 0xff {
+			di.d.off++
+			switch initialByte {
+			case 0x5f:
+				// indefinite-length bytes with no chunks.
+				return di.writeString(`''_`)
+			case 0x7f:
+				// indefinite-length text with no chunks.
+				return di.writeString(`""_`)
+			}
+		}
+
+		if err := di.writeString("(_ "); err != nil {
+			return err
+		}
+
+		i := 0
+		for !di.d.foundBreak() {
+			if i > 0 {
+				if err := di.writeString(", "); err != nil {
+					return err
+				}
+			}
+
+			i++
+			// wellformedIndefiniteString() already checked that the next item is a byte/text string.
+			if err := di.item(); err != nil {
+				return err
+			}
+		}
+
+		return di.writeByte(')')
+
+	case 0x9f: // indefinite-length array
+		di.d.off++
+		if err := di.writeString("[_ "); err != nil {
+			return err
+		}
+
+		i := 0
+		for !di.d.foundBreak() {
+			if i > 0 {
+				if err := di.writeString(", "); err != nil {
+					return err
+				}
+			}
+
+			i++
+			if err := di.item(); err != nil {
+				return err
+			}
+		}
+
+		return di.writeByte(']')
+
+	case 0xbf: // indefinite-length map
+		di.d.off++
+		if err := di.writeString("{_ "); err != nil {
+			return err
+		}
+
+		i := 0
+		for !di.d.foundBreak() {
+			if i > 0 {
+				if err := di.writeString(", "); err != nil {
+					return err
+				}
+			}
+
+			i++
+			// key
+			if err := di.item(); err != nil {
+				return err
+			}
+
+			if err := di.writeString(": "); err != nil {
+				return err
+			}
+
+			// value
+			if err := di.item(); err != nil {
+				return err
+			}
+		}
+
+		return di.writeByte('}')
+	}
+
+	t := di.d.nextCBORType()
+	switch t {
+	case cborTypePositiveInt:
+		_, _, val := di.d.getHead()
+		return di.writeString(strconv.FormatUint(val, 10))
+
+	case cborTypeNegativeInt:
+		_, _, val := di.d.getHead()
+		if val > math.MaxInt64 {
+			// CBOR negative integer overflows int64, use big.Int to store value.
+			bi := new(big.Int)
+			bi.SetUint64(val)
+			bi.Add(bi, big.NewInt(1))
+			bi.Neg(bi)
+			return di.writeString(bi.String())
+		}
+
+		nValue := int64(-1) ^ int64(val)
+		return di.writeString(strconv.FormatInt(nValue, 10))
+
+	case cborTypeByteString:
+		b, _ := di.d.parseByteString()
+		return di.encodeByteString(b)
+
+	case cborTypeTextString:
+		b, err := di.d.parseTextString()
+		if err != nil {
+			return err
+		}
+		return di.encodeTextString(string(b), '"')
+
+	case cborTypeArray:
+		_, _, val := di.d.getHead()
+		count := int(val)
+		if err := di.writeByte('['); err != nil {
+			return err
+		}
+
+		for i := 0; i < count; i++ {
+			if i > 0 {
+				if err := di.writeString(", "); err != nil {
+					return err
+				}
+			}
+			if err := di.item(); err != nil {
+				return err
+			}
+		}
+		return di.writeByte(']')
+
+	case cborTypeMap:
+		_, _, val := di.d.getHead()
+		count := int(val)
+		if err := di.writeByte('{'); err != nil {
+			return err
+		}
+
+		for i := 0; i < count; i++ {
+			if i > 0 {
+				if err := di.writeString(", "); err != nil {
+					return err
+				}
+			}
+			// key
+			if err := di.item(); err != nil {
+				return err
+			}
+			if err := di.writeString(": "); err != nil {
+				return err
+			}
+			// value
+			if err := di.item(); err != nil {
+				return err
+			}
+		}
+		return di.writeByte('}')
+
+	case cborTypeTag:
+		_, _, tagNum := di.d.getHead()
+		switch tagNum {
+		case 2:
+			if nt := di.d.nextCBORType(); nt != cborTypeByteString {
+				return errors.New("cbor: tag number 2 must be followed by byte string, got " + nt.String())
+			}
+
+			b, _ := di.d.parseByteString()
+			bi := new(big.Int).SetBytes(b)
+			return di.writeString(bi.String())
+
+		case 3:
+			if nt := di.d.nextCBORType(); nt != cborTypeByteString {
+				return errors.New("cbor: tag number 3 must be followed by byte string, got " + nt.String())
+			}
+
+			b, _ := di.d.parseByteString()
+			bi := new(big.Int).SetBytes(b)
+			bi.Add(bi, big.NewInt(1))
+			bi.Neg(bi)
+			return di.writeString(bi.String())
+
+		default:
+			if err := di.writeString(strconv.FormatUint(tagNum, 10)); err != nil {
+				return err
+			}
+			if err := di.writeByte('('); err != nil {
+				return err
+			}
+			if err := di.item(); err != nil {
+				return err
+			}
+			return di.writeByte(')')
+		}
+
+	case cborTypePrimitives:
+		_, ai, val := di.d.getHead()
+		switch ai {
+		case 20:
+			return di.writeString("false")
+
+		case 21:
+			return di.writeString("true")
+
+		case 22:
+			return di.writeString("null")
+
+		case 23:
+			return di.writeString("undefined")
+
+		case 25, 26, 27:
+			return di.encodeFloat(ai, val)
+
+		default:
+			if err := di.writeString("simple("); err != nil {
+				return err
+			}
+			if err := di.writeString(strconv.FormatUint(val, 10)); err != nil {
+				return err
+			}
+			return di.writeByte(')')
+		}
+	}
+
+	return nil
+}
+
+func (di *diagnose) writeByte(val byte) error {
+	return di.w.WriteByte(val)
+}
+
+func (di *diagnose) writeString(val string) error {
+	_, err := di.w.WriteString(val)
+	return err
+}
+
+// writeU16 format a rune as "\uxxxx"
+func (di *diagnose) writeU16(val rune) error {
+	if err := di.writeString("\\u"); err != nil {
+		return err
+	}
+	b := make([]byte, 2)
+	b[0] = byte(val >> 8)
+	b[1] = byte(val)
+	return di.writeString(hex.EncodeToString(b))
+}
+
+var rawBase32Encoding = base32.StdEncoding.WithPadding(base32.NoPadding)
+var rawBase32HexEncoding = base32.HexEncoding.WithPadding(base32.NoPadding)
+
+func (di *diagnose) encodeByteString(val []byte) error {
+	if len(val) > 0 {
+		if di.dm.byteStringText && utf8.Valid(val) {
+			return di.encodeTextString(string(val), '\'')
+		}
+
+		if di.dm.byteStringEmbeddedCBOR {
+			di2 := newDiagnose(val, di.dm.decMode, di.dm)
+			// should always notating embedded CBOR sequence.
+			if str, err := di2.diag(true); err == nil {
+				if err := di.writeString("<<"); err != nil {
+					return err
+				}
+				if err := di.writeString(str); err != nil {
+					return err
+				}
+				return di.writeString(">>")
+			}
+		}
+	}
+
+	switch di.dm.byteStringEncoding {
+	case ByteStringBase16Encoding:
+		if err := di.writeString("h'"); err != nil {
+			return err
+		}
+
+		encoder := hex.NewEncoder(di.w)
+		if di.dm.byteStringHexWhitespace {
+			for i, b := range val {
+				if i > 0 {
+					if err := di.writeByte(' '); err != nil {
+						return err
+					}
+				}
+				if _, err := encoder.Write([]byte{b}); err != nil {
+					return err
+				}
+			}
+		} else {
+			if _, err := encoder.Write(val); err != nil {
+				return err
+			}
+		}
+		return di.writeByte('\'')
+
+	case ByteStringBase32Encoding:
+		if err := di.writeString("b32'"); err != nil {
+			return err
+		}
+		encoder := base32.NewEncoder(rawBase32Encoding, di.w)
+		if _, err := encoder.Write(val); err != nil {
+			return err
+		}
+		encoder.Close()
+		return di.writeByte('\'')
+
+	case ByteStringBase32HexEncoding:
+		if err := di.writeString("h32'"); err != nil {
+			return err
+		}
+		encoder := base32.NewEncoder(rawBase32HexEncoding, di.w)
+		if _, err := encoder.Write(val); err != nil {
+			return err
+		}
+		encoder.Close()
+		return di.writeByte('\'')
+
+	case ByteStringBase64Encoding:
+		if err := di.writeString("b64'"); err != nil {
+			return err
+		}
+		encoder := base64.NewEncoder(base64.RawURLEncoding, di.w)
+		if _, err := encoder.Write(val); err != nil {
+			return err
+		}
+		encoder.Close()
+		return di.writeByte('\'')
+
+	default:
+		return di.dm.byteStringEncoding.valid()
+	}
+}
+
+var utf16SurrSelf = rune(0x10000)
+
+// quote should be either `'` or `"`
+func (di *diagnose) encodeTextString(val string, quote byte) error {
+	if err := di.writeByte(quote); err != nil {
+		return err
+	}
+
+	for i := 0; i < len(val); {
+		if b := val[i]; b < utf8.RuneSelf {
+			switch {
+			case b == '\t', b == '\n', b == '\r', b == '\\', b == quote:
+				if err := di.writeByte('\\'); err != nil {
+					return err
+				}
+
+				switch b {
+				case '\t':
+					b = 't'
+				case '\n':
+					b = 'n'
+				case '\r':
+					b = 'r'
+				}
+				if err := di.writeByte(b); err != nil {
+					return err
+				}
+
+			case b >= ' ' && b <= '~':
+				if err := di.writeByte(b); err != nil {
+					return err
+				}
+
+			default:
+				if err := di.writeU16(rune(b)); err != nil {
+					return err
+				}
+			}
+
+			i++
+			continue
+		}
+
+		c, size := utf8.DecodeRuneInString(val[i:])
+		switch {
+		case c == utf8.RuneError:
+			// if err := di.writeU16(rune(val[i])); err != nil {
+			// 	return err
+			// }
+			return &SemanticError{"cbor: invalid UTF-8 string"}
+
+		case c < utf16SurrSelf:
+			if err := di.writeU16(c); err != nil {
+				return err
+			}
+
+		default:
+			c1, c2 := utf16.EncodeRune(c)
+			if err := di.writeU16(c1); err != nil {
+				return err
+			}
+			if err := di.writeU16(c2); err != nil {
+				return err
+			}
+		}
+
+		i += size
+	}
+
+	return di.writeByte(quote)
+}
+
+func (di *diagnose) encodeFloat(ai byte, val uint64) error {
+	f64 := float64(0)
+	switch ai {
+	case 25:
+		f16 := float16.Frombits(uint16(val))
+		switch {
+		case f16.IsNaN():
+			return di.writeString("NaN")
+		case f16.IsInf(1):
+			return di.writeString("Infinity")
+		case f16.IsInf(-1):
+			return di.writeString("-Infinity")
+		default:
+			f64 = float64(f16.Float32())
+		}
+
+	case 26:
+		f32 := math.Float32frombits(uint32(val))
+		switch {
+		case f32 != f32:
+			return di.writeString("NaN")
+		case f32 > math.MaxFloat32:
+			return di.writeString("Infinity")
+		case f32 < -math.MaxFloat32:
+			return di.writeString("-Infinity")
+		default:
+			f64 = float64(f32)
+		}
+
+	case 27:
+		f64 = math.Float64frombits(val)
+		switch {
+		case f64 != f64:
+			return di.writeString("NaN")
+		case f64 > math.MaxFloat64:
+			return di.writeString("Infinity")
+		case f64 < -math.MaxFloat64:
+			return di.writeString("-Infinity")
+		}
+	}
+	// Use ES6 number to string conversion which should match most JSON generators.
+	// Inspired by https://github.com/golang/go/blob/4df10fba1687a6d4f51d7238a403f8f2298f6a16/src/encoding/json/encode.go#L585
+	b := make([]byte, 0, 32)
+	if abs := math.Abs(f64); abs != 0 && (abs < 1e-6 || abs >= 1e21) {
+		b = strconv.AppendFloat(b, f64, 'e', -1, 64)
+		// clean up e-09 to e-9
+		n := len(b)
+		if n >= 4 && string(b[n-4:n-1]) == "e-0" {
+			b = append(b[:n-2], b[n-1])
+		}
+	} else {
+		b = strconv.AppendFloat(b, f64, 'f', -1, 64)
+	}
+
+	// add decimal point and trailing zero if needed
+	if bytes.IndexByte(b, '.') < 0 {
+		if i := bytes.IndexByte(b, 'e'); i < 0 {
+			b = append(b, '.', '0')
+		} else {
+			b = append(b[:i+2], b[i:]...)
+			b[i] = '.'
+			b[i+1] = '0'
+		}
+	}
+
+	if err := di.writeString(string(b)); err != nil {
+		return err
+	}
+
+	if di.dm.floatPrecisionIndicator {
+		switch ai {
+		case 25:
+			return di.writeString("_1")
+		case 26:
+			return di.writeString("_2")
+		case 27:
+			return di.writeString("_3")
+		}
+	}
+
+	return nil
+}

vendor/github.com/fxamacker/cbor/v2/doc.go

@@ -0,0 +1,129 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+/*
+Package cbor is a modern CBOR codec (RFC 8949 & RFC 7049) with CBOR tags,
+Go struct tags (toarray/keyasint/omitempty), Core Deterministic Encoding,
+CTAP2, Canonical CBOR, float64->32->16, and duplicate map key detection.
+
+Encoding options allow "preferred serialization" by encoding integers and floats
+to their smallest forms (e.g. float16) when values fit.
+
+Struct tags like "keyasint", "toarray" and "omitempty" make CBOR data smaller
+and easier to use with structs.
+
+For example, "toarray" tag makes struct fields encode to CBOR array elements.  And
+"keyasint" makes a field encode to an element of CBOR map with specified int key.
+
+Latest docs can be viewed at https://github.com/fxamacker/cbor#cbor-library-in-go
+
+# Basics
+
+The Quick Start guide is at https://github.com/fxamacker/cbor#quick-start
+
+Function signatures identical to encoding/json include:
+
+	Marshal, Unmarshal, NewEncoder, NewDecoder, (*Encoder).Encode, (*Decoder).Decode.
+
+Standard interfaces include:
+
+	BinaryMarshaler, BinaryUnmarshaler, Marshaler, and Unmarshaler.
+
+Custom encoding and decoding is possible by implementing standard interfaces for
+user-defined Go types.
+
+Codec functions are available at package-level (using defaults options) or by
+creating modes from options at runtime.
+
+"Mode" in this API means definite way of encoding (EncMode) or decoding (DecMode).
+
+EncMode and DecMode interfaces are created from EncOptions or DecOptions structs.
+
+	em, err := cbor.EncOptions{...}.EncMode()
+	em, err := cbor.CanonicalEncOptions().EncMode()
+	em, err := cbor.CTAP2EncOptions().EncMode()
+
+Modes use immutable options to avoid side-effects and simplify concurrency. Behavior of
+modes won't accidentally change at runtime after they're created.
+
+Modes are intended to be reused and are safe for concurrent use.
+
+EncMode and DecMode Interfaces
+
+	    // EncMode interface uses immutable options and is safe for concurrent use.
+	    type EncMode interface {
+		Marshal(v interface{}) ([]byte, error)
+		NewEncoder(w io.Writer) *Encoder
+		EncOptions() EncOptions  // returns copy of options
+	    }
+
+	    // DecMode interface uses immutable options and is safe for concurrent use.
+	    type DecMode interface {
+		Unmarshal(data []byte, v interface{}) error
+		NewDecoder(r io.Reader) *Decoder
+		DecOptions() DecOptions  // returns copy of options
+	    }
+
+Using Default Encoding Mode
+
+	b, err := cbor.Marshal(v)
+
+	encoder := cbor.NewEncoder(w)
+	err = encoder.Encode(v)
+
+Using Default Decoding Mode
+
+	err := cbor.Unmarshal(b, &v)
+
+	decoder := cbor.NewDecoder(r)
+	err = decoder.Decode(&v)
+
+Creating and Using Encoding Modes
+
+	// Create EncOptions using either struct literal or a function.
+	opts := cbor.CanonicalEncOptions()
+
+	// If needed, modify encoding options
+	opts.Time = cbor.TimeUnix
+
+	// Create reusable EncMode interface with immutable options, safe for concurrent use.
+	em, err := opts.EncMode()
+
+	// Use EncMode like encoding/json, with same function signatures.
+	b, err := em.Marshal(v)
+	// or
+	encoder := em.NewEncoder(w)
+	err := encoder.Encode(v)
+
+	// NOTE: Both em.Marshal(v) and encoder.Encode(v) use encoding options
+	// specified during creation of em (encoding mode).
+
+# CBOR Options
+
+Predefined Encoding Options: https://github.com/fxamacker/cbor#predefined-encoding-options
+
+Encoding Options: https://github.com/fxamacker/cbor#encoding-options
+
+Decoding Options: https://github.com/fxamacker/cbor#decoding-options
+
+# Struct Tags
+
+Struct tags like `cbor:"name,omitempty"` and `json:"name,omitempty"` work as expected.
+If both struct tags are specified then `cbor` is used.
+
+Struct tags like "keyasint", "toarray", and "omitempty" make it easy to use
+very compact formats like COSE and CWT (CBOR Web Tokens) with structs.
+
+For example, "toarray" makes struct fields encode to array elements.  And "keyasint"
+makes struct fields encode to elements of CBOR map with int keys.
+
+https://raw.githubusercontent.com/fxamacker/images/master/cbor/v2.0.0/cbor_easy_api.png
+
+Struct tags are listed at https://github.com/fxamacker/cbor#struct-tags-1
+
+# Tests and Fuzzing
+
+Over 375 tests are included in this package. Cover-guided fuzzing is handled by
+a private fuzzer that replaced fxamacker/cbor-fuzz years ago.
+*/
+package cbor

vendor/github.com/fxamacker/cbor/v2/encode_map.go

@@ -0,0 +1,79 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+//go:build go1.20
+
+package cbor
+
+import (
+	"reflect"
+	"sync"
+)
+
+type mapKeyValueEncodeFunc struct {
+	kf, ef       encodeFunc
+	kpool, vpool sync.Pool
+}
+
+func (me *mapKeyValueEncodeFunc) encodeKeyValues(e *encoderBuffer, em *encMode, v reflect.Value, kvs []keyValue) error {
+	trackKeyValueLength := len(kvs) == v.Len()
+	iterk := me.kpool.Get().(*reflect.Value)
+	defer func() {
+		iterk.SetZero()
+		me.kpool.Put(iterk)
+	}()
+	iterv := me.vpool.Get().(*reflect.Value)
+	defer func() {
+		iterv.SetZero()
+		me.vpool.Put(iterv)
+	}()
+	iter := v.MapRange()
+	for i := 0; iter.Next(); i++ {
+		off := e.Len()
+		iterk.SetIterKey(iter)
+		iterv.SetIterValue(iter)
+
+		if err := me.kf(e, em, *iterk); err != nil {
+			return err
+		}
+		if trackKeyValueLength {
+			kvs[i].keyLen = e.Len() - off
+		}
+
+		if err := me.ef(e, em, *iterv); err != nil {
+			return err
+		}
+		if trackKeyValueLength {
+			kvs[i].keyValueLen = e.Len() - off
+		}
+	}
+
+	return nil
+}
+
+func getEncodeMapFunc(t reflect.Type) encodeFunc {
+	kf, _ := getEncodeFunc(t.Key())
+	ef, _ := getEncodeFunc(t.Elem())
+	if kf == nil || ef == nil {
+		return nil
+	}
+	mkv := &mapKeyValueEncodeFunc{
+		kf: kf,
+		ef: ef,
+		kpool: sync.Pool{
+			New: func() interface{} {
+				rk := reflect.New(t.Key()).Elem()
+				return &rk
+			},
+		},
+		vpool: sync.Pool{
+			New: func() interface{} {
+				rv := reflect.New(t.Elem()).Elem()
+				return &rv
+			},
+		},
+	}
+	return mapEncodeFunc{
+		e: mkv.encodeKeyValues,
+	}.encode
+}

vendor/github.com/fxamacker/cbor/v2/encode_map_go117.go

@@ -0,0 +1,51 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+//go:build !go1.20
+
+package cbor
+
+import (
+	"reflect"
+)
+
+type mapKeyValueEncodeFunc struct {
+	kf, ef encodeFunc
+}
+
+func (me *mapKeyValueEncodeFunc) encodeKeyValues(e *encoderBuffer, em *encMode, v reflect.Value, kvs []keyValue) error {
+	trackKeyValueLength := len(kvs) == v.Len()
+
+	iter := v.MapRange()
+	for i := 0; iter.Next(); i++ {
+		off := e.Len()
+
+		if err := me.kf(e, em, iter.Key()); err != nil {
+			return err
+		}
+		if trackKeyValueLength {
+			kvs[i].keyLen = e.Len() - off
+		}
+
+		if err := me.ef(e, em, iter.Value()); err != nil {
+			return err
+		}
+		if trackKeyValueLength {
+			kvs[i].keyValueLen = e.Len() - off
+		}
+	}
+
+	return nil
+}
+
+func getEncodeMapFunc(t reflect.Type) encodeFunc {
+	kf, _ := getEncodeFunc(t.Key())
+	ef, _ := getEncodeFunc(t.Elem())
+	if kf == nil || ef == nil {
+		return nil
+	}
+	mkv := &mapKeyValueEncodeFunc{kf: kf, ef: ef}
+	return mapEncodeFunc{
+		e: mkv.encodeKeyValues,
+	}.encode
+}

vendor/github.com/fxamacker/cbor/v2/simplevalue.go

@@ -0,0 +1,69 @@
+package cbor
+
+import (
+	"errors"
+	"fmt"
+	"reflect"
+)
+
+// SimpleValue represents CBOR simple value.
+// CBOR simple value is:
+//   - an extension point like CBOR tag.
+//   - a subset of CBOR major type 7 that isn't floating-point.
+//   - "identified by a number between 0 and 255, but distinct from that number itself".
+//     For example, "a simple value 2 is not equivalent to an integer 2" as a CBOR map key.
+//
+// CBOR simple values identified by 20..23 are: "false", "true" , "null", and "undefined".
+// Other CBOR simple values are currently unassigned/reserved by IANA.
+type SimpleValue uint8
+
+var (
+	typeSimpleValue = reflect.TypeOf(SimpleValue(0))
+)
+
+// MarshalCBOR encodes SimpleValue as CBOR simple value (major type 7).
+func (sv SimpleValue) MarshalCBOR() ([]byte, error) {
+	// RFC 8949 3.3. Floating-Point Numbers and Values with No Content says:
+	// "An encoder MUST NOT issue two-byte sequences that start with 0xf8
+	// (major type 7, additional information 24) and continue with a byte
+	// less than 0x20 (32 decimal). Such sequences are not well-formed.
+	// (This implies that an encoder cannot encode false, true, null, or
+	// undefined in two-byte sequences and that only the one-byte variants
+	// of these are well-formed; more generally speaking, each simple value
+	// only has a single representation variant)."
+
+	switch {
+	case sv <= 23:
+		return []byte{byte(cborTypePrimitives) | byte(sv)}, nil
+
+	case sv >= 32:
+		return []byte{byte(cborTypePrimitives) | byte(24), byte(sv)}, nil
+
+	default:
+		return nil, &UnsupportedValueError{msg: fmt.Sprintf("SimpleValue(%d)", sv)}
+	}
+}
+
+// UnmarshalCBOR decodes CBOR simple value (major type 7) to SimpleValue.
+func (sv *SimpleValue) UnmarshalCBOR(data []byte) error {
+	if sv == nil {
+		return errors.New("cbor.SimpleValue: UnmarshalCBOR on nil pointer")
+	}
+
+	d := decoder{data: data, dm: defaultDecMode}
+
+	typ, ai, val := d.getHead()
+
+	if typ != cborTypePrimitives {
+		return &UnmarshalTypeError{CBORType: typ.String(), GoType: "SimpleValue"}
+	}
+	if ai > 24 {
+		return &UnmarshalTypeError{CBORType: typ.String(), GoType: "SimpleValue", errorMsg: "not simple values"}
+	}
+
+	// It is safe to cast val to uint8 here because
+	// - data is already verified to be well-formed CBOR simple value and
+	// - val is <= math.MaxUint8.
+	*sv = SimpleValue(val)
+	return nil
+}

vendor/github.com/fxamacker/cbor/v2/stream.go

@@ -0,0 +1,277 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+package cbor
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"reflect"
+)
+
+// Decoder reads and decodes CBOR values from io.Reader.
+type Decoder struct {
+	r         io.Reader
+	d         decoder
+	buf       []byte
+	off       int // next read offset in buf
+	bytesRead int
+}
+
+// NewDecoder returns a new decoder that reads and decodes from r using
+// the default decoding options.
+func NewDecoder(r io.Reader) *Decoder {
+	return defaultDecMode.NewDecoder(r)
+}
+
+// Decode reads CBOR value and decodes it into the value pointed to by v.
+func (dec *Decoder) Decode(v interface{}) error {
+	_, err := dec.readNext()
+	if err != nil {
+		// Return validation error or read error.
+		return err
+	}
+
+	dec.d.reset(dec.buf[dec.off:])
+	err = dec.d.value(v)
+
+	// Increment dec.off even if decoding err is not nil because
+	// dec.d.off points to the next CBOR data item if current
+	// CBOR data item is valid but failed to be decoded into v.
+	// This allows next CBOR data item to be decoded in next
+	// call to this function.
+	dec.off += dec.d.off
+	dec.bytesRead += dec.d.off
+
+	return err
+}
+
+// Skip skips to the next CBOR data item (if there is any),
+// otherwise it returns error such as io.EOF, io.UnexpectedEOF, etc.
+func (dec *Decoder) Skip() error {
+	n, err := dec.readNext()
+	if err != nil {
+		// Return validation error or read error.
+		return err
+	}
+
+	dec.off += n
+	dec.bytesRead += n
+	return nil
+}
+
+// NumBytesRead returns the number of bytes read.
+func (dec *Decoder) NumBytesRead() int {
+	return dec.bytesRead
+}
+
+// Buffered returns a reader for data remaining in Decoder's buffer.
+// Returned reader is valid until the next call to Decode or Skip.
+func (dec *Decoder) Buffered() io.Reader {
+	return bytes.NewReader(dec.buf[dec.off:])
+}
+
+// readNext() reads next CBOR data item from Reader to buffer.
+// It returns the size of next CBOR data item.
+// It also returns validation error or read error if any.
+func (dec *Decoder) readNext() (int, error) {
+	var readErr error
+	var validErr error
+
+	for {
+		// Process any unread data in dec.buf.
+		if dec.off < len(dec.buf) {
+			dec.d.reset(dec.buf[dec.off:])
+			off := dec.off // Save offset before data validation
+			validErr = dec.d.wellformed(true)
+			dec.off = off // Restore offset
+
+			if validErr == nil {
+				return dec.d.off, nil
+			}
+
+			if validErr != io.ErrUnexpectedEOF {
+				return 0, validErr
+			}
+
+			// Process last read error on io.ErrUnexpectedEOF.
+			if readErr != nil {
+				if readErr == io.EOF {
+					// current CBOR data item is incomplete.
+					return 0, io.ErrUnexpectedEOF
+				}
+				return 0, readErr
+			}
+		}
+
+		// More data is needed and there was no read error.
+		var n int
+		for n == 0 {
+			n, readErr = dec.read()
+			if n == 0 && readErr != nil {
+				// No more data can be read and read error is encountered.
+				// At this point, validErr is either nil or io.ErrUnexpectedEOF.
+				if readErr == io.EOF {
+					if validErr == io.ErrUnexpectedEOF {
+						// current CBOR data item is incomplete.
+						return 0, io.ErrUnexpectedEOF
+					}
+				}
+				return 0, readErr
+			}
+		}
+
+		// At this point, dec.buf contains new data from last read (n > 0).
+	}
+}
+
+// read() reads data from Reader to buffer.
+// It returns number of bytes read and any read error encountered.
+// Postconditions:
+// - dec.buf contains previously unread data and new data.
+// - dec.off is 0.
+func (dec *Decoder) read() (int, error) {
+	// Grow buf if needed.
+	const minRead = 512
+	if cap(dec.buf)-len(dec.buf)+dec.off < minRead {
+		oldUnreadBuf := dec.buf[dec.off:]
+		dec.buf = make([]byte, len(dec.buf)-dec.off, 2*cap(dec.buf)+minRead)
+		dec.overwriteBuf(oldUnreadBuf)
+	}
+
+	// Copy unread data over read data and reset off to 0.
+	if dec.off > 0 {
+		dec.overwriteBuf(dec.buf[dec.off:])
+	}
+
+	// Read from reader and reslice buf.
+	n, err := dec.r.Read(dec.buf[len(dec.buf):cap(dec.buf)])
+	dec.buf = dec.buf[0 : len(dec.buf)+n]
+	return n, err
+}
+
+func (dec *Decoder) overwriteBuf(newBuf []byte) {
+	n := copy(dec.buf, newBuf)
+	dec.buf = dec.buf[:n]
+	dec.off = 0
+}
+
+// Encoder writes CBOR values to io.Writer.
+type Encoder struct {
+	w          io.Writer
+	em         *encMode
+	indefTypes []cborType
+}
+
+// NewEncoder returns a new encoder that writes to w using the default encoding options.
+func NewEncoder(w io.Writer) *Encoder {
+	return defaultEncMode.NewEncoder(w)
+}
+
+// Encode writes the CBOR encoding of v.
+func (enc *Encoder) Encode(v interface{}) error {
+	if len(enc.indefTypes) > 0 && v != nil {
+		indefType := enc.indefTypes[len(enc.indefTypes)-1]
+		if indefType == cborTypeTextString {
+			k := reflect.TypeOf(v).Kind()
+			if k != reflect.String {
+				return errors.New("cbor: cannot encode item type " + k.String() + " for indefinite-length text string")
+			}
+		} else if indefType == cborTypeByteString {
+			t := reflect.TypeOf(v)
+			k := t.Kind()
+			if (k != reflect.Array && k != reflect.Slice) || t.Elem().Kind() != reflect.Uint8 {
+				return errors.New("cbor: cannot encode item type " + k.String() + " for indefinite-length byte string")
+			}
+		}
+	}
+
+	buf := getEncoderBuffer()
+
+	err := encode(buf, enc.em, reflect.ValueOf(v))
+	if err == nil {
+		_, err = enc.w.Write(buf.Bytes())
+	}
+
+	putEncoderBuffer(buf)
+	return err
+}
+
+// StartIndefiniteByteString starts byte string encoding of indefinite length.
+// Subsequent calls of (*Encoder).Encode() encodes definite length byte strings
+// ("chunks") as one contiguous string until EndIndefinite is called.
+func (enc *Encoder) StartIndefiniteByteString() error {
+	return enc.startIndefinite(cborTypeByteString)
+}
+
+// StartIndefiniteTextString starts text string encoding of indefinite length.
+// Subsequent calls of (*Encoder).Encode() encodes definite length text strings
+// ("chunks") as one contiguous string until EndIndefinite is called.
+func (enc *Encoder) StartIndefiniteTextString() error {
+	return enc.startIndefinite(cborTypeTextString)
+}
+
+// StartIndefiniteArray starts array encoding of indefinite length.
+// Subsequent calls of (*Encoder).Encode() encodes elements of the array
+// until EndIndefinite is called.
+func (enc *Encoder) StartIndefiniteArray() error {
+	return enc.startIndefinite(cborTypeArray)
+}
+
+// StartIndefiniteMap starts array encoding of indefinite length.
+// Subsequent calls of (*Encoder).Encode() encodes elements of the map
+// until EndIndefinite is called.
+func (enc *Encoder) StartIndefiniteMap() error {
+	return enc.startIndefinite(cborTypeMap)
+}
+
+// EndIndefinite closes last opened indefinite length value.
+func (enc *Encoder) EndIndefinite() error {
+	if len(enc.indefTypes) == 0 {
+		return errors.New("cbor: cannot encode \"break\" code outside indefinite length values")
+	}
+	_, err := enc.w.Write([]byte{0xff})
+	if err == nil {
+		enc.indefTypes = enc.indefTypes[:len(enc.indefTypes)-1]
+	}
+	return err
+}
+
+var cborIndefHeader = map[cborType][]byte{
+	cborTypeByteString: {0x5f},
+	cborTypeTextString: {0x7f},
+	cborTypeArray:      {0x9f},
+	cborTypeMap:        {0xbf},
+}
+
+func (enc *Encoder) startIndefinite(typ cborType) error {
+	if enc.em.indefLength == IndefLengthForbidden {
+		return &IndefiniteLengthError{typ}
+	}
+	_, err := enc.w.Write(cborIndefHeader[typ])
+	if err == nil {
+		enc.indefTypes = append(enc.indefTypes, typ)
+	}
+	return err
+}
+
+// RawMessage is a raw encoded CBOR value.
+type RawMessage []byte
+
+// MarshalCBOR returns m or CBOR nil if m is nil.
+func (m RawMessage) MarshalCBOR() ([]byte, error) {
+	if len(m) == 0 {
+		return cborNil, nil
+	}
+	return m, nil
+}
+
+// UnmarshalCBOR creates a copy of data and saves to *m.
+func (m *RawMessage) UnmarshalCBOR(data []byte) error {
+	if m == nil {
+		return errors.New("cbor.RawMessage: UnmarshalCBOR on nil pointer")
+	}
+	*m = append((*m)[0:0], data...)
+	return nil
+}

vendor/github.com/fxamacker/cbor/v2/structfields.go

@@ -0,0 +1,252 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+package cbor
+
+import (
+	"reflect"
+	"sort"
+	"strings"
+)
+
+type field struct {
+	name               string
+	nameAsInt          int64 // used to decoder to match field name with CBOR int
+	cborName           []byte
+	cborNameByteString []byte // major type 2 name encoding iff cborName has major type 3
+	idx                []int
+	typ                reflect.Type
+	ef                 encodeFunc
+	ief                isEmptyFunc
+	typInfo            *typeInfo // used to decoder to reuse type info
+	tagged             bool      // used to choose dominant field (at the same level tagged fields dominate untagged fields)
+	omitEmpty          bool      // used to skip empty field
+	keyAsInt           bool      // used to encode/decode field name as int
+}
+
+type fields []*field
+
+// indexFieldSorter sorts fields by field idx at each level, breaking ties with idx depth.
+type indexFieldSorter struct {
+	fields fields
+}
+
+func (x *indexFieldSorter) Len() int {
+	return len(x.fields)
+}
+
+func (x *indexFieldSorter) Swap(i, j int) {
+	x.fields[i], x.fields[j] = x.fields[j], x.fields[i]
+}
+
+func (x *indexFieldSorter) Less(i, j int) bool {
+	iIdx, jIdx := x.fields[i].idx, x.fields[j].idx
+	for k := 0; k < len(iIdx) && k < len(jIdx); k++ {
+		if iIdx[k] != jIdx[k] {
+			return iIdx[k] < jIdx[k]
+		}
+	}
+	return len(iIdx) <= len(jIdx)
+}
+
+// nameLevelAndTagFieldSorter sorts fields by field name, idx depth, and presence of tag.
+type nameLevelAndTagFieldSorter struct {
+	fields fields
+}
+
+func (x *nameLevelAndTagFieldSorter) Len() int {
+	return len(x.fields)
+}
+
+func (x *nameLevelAndTagFieldSorter) Swap(i, j int) {
+	x.fields[i], x.fields[j] = x.fields[j], x.fields[i]
+}
+
+func (x *nameLevelAndTagFieldSorter) Less(i, j int) bool {
+	fi, fj := x.fields[i], x.fields[j]
+	if fi.name != fj.name {
+		return fi.name < fj.name
+	}
+	if len(fi.idx) != len(fj.idx) {
+		return len(fi.idx) < len(fj.idx)
+	}
+	if fi.tagged != fj.tagged {
+		return fi.tagged
+	}
+	return i < j // Field i and j have the same name, depth, and tagged status. Nothing else matters.
+}
+
+// getFields returns visible fields of struct type t following visibility rules for JSON encoding.
+func getFields(t reflect.Type) (flds fields, structOptions string) {
+	// Get special field "_" tag options
+	if f, ok := t.FieldByName("_"); ok {
+		tag := f.Tag.Get("cbor")
+		if tag != "-" {
+			structOptions = tag
+		}
+	}
+
+	// nTypes contains next level anonymous fields' types and indexes
+	// (there can be multiple fields of the same type at the same level)
+	flds, nTypes := appendFields(t, nil, nil, nil)
+
+	if len(nTypes) > 0 {
+
+		var cTypes map[reflect.Type][][]int      // current level anonymous fields' types and indexes
+		vTypes := map[reflect.Type]bool{t: true} // visited field types at less nested levels
+
+		for len(nTypes) > 0 {
+			cTypes, nTypes = nTypes, nil
+
+			for t, idx := range cTypes {
+				// If there are multiple anonymous fields of the same struct type at the same level, all are ignored.
+				if len(idx) > 1 {
+					continue
+				}
+
+				// Anonymous field of the same type at deeper nested level is ignored.
+				if vTypes[t] {
+					continue
+				}
+				vTypes[t] = true
+
+				flds, nTypes = appendFields(t, idx[0], flds, nTypes)
+			}
+		}
+	}
+
+	sort.Sort(&nameLevelAndTagFieldSorter{flds})
+
+	// Keep visible fields.
+	j := 0 // index of next unique field
+	for i := 0; i < len(flds); {
+		name := flds[i].name
+		if i == len(flds)-1 || // last field
+			name != flds[i+1].name || // field i has unique field name
+			len(flds[i].idx) < len(flds[i+1].idx) || // field i is at a less nested level than field i+1
+			(flds[i].tagged && !flds[i+1].tagged) { // field i is tagged while field i+1 is not
+			flds[j] = flds[i]
+			j++
+		}
+
+		// Skip fields with the same field name.
+		for i++; i < len(flds) && name == flds[i].name; i++ { //nolint:revive
+		}
+	}
+	if j != len(flds) {
+		flds = flds[:j]
+	}
+
+	// Sort fields by field index
+	sort.Sort(&indexFieldSorter{flds})
+
+	return flds, structOptions
+}
+
+// appendFields appends type t's exportable fields to flds and anonymous struct fields to nTypes .
+func appendFields(t reflect.Type, idx []int, flds fields, nTypes map[reflect.Type][][]int) (fields, map[reflect.Type][][]int) {
+	for i := 0; i < t.NumField(); i++ {
+		f := t.Field(i)
+
+		ft := f.Type
+		for ft.Kind() == reflect.Ptr {
+			ft = ft.Elem()
+		}
+
+		if !isFieldExportable(f, ft.Kind()) {
+			continue
+		}
+
+		tag := f.Tag.Get("cbor")
+		if tag == "" {
+			tag = f.Tag.Get("json")
+		}
+		if tag == "-" {
+			continue
+		}
+
+		tagged := len(tag) > 0
+
+		// Parse field tag options
+		var tagFieldName string
+		var omitempty, keyasint bool
+		for j := 0; len(tag) > 0; j++ {
+			var token string
+			idx := strings.IndexByte(tag, ',')
+			if idx == -1 {
+				token, tag = tag, ""
+			} else {
+				token, tag = tag[:idx], tag[idx+1:]
+			}
+			if j == 0 {
+				tagFieldName = token
+			} else {
+				switch token {
+				case "omitempty":
+					omitempty = true
+				case "keyasint":
+					keyasint = true
+				}
+			}
+		}
+
+		fieldName := tagFieldName
+		if tagFieldName == "" {
+			fieldName = f.Name
+		}
+
+		fIdx := make([]int, len(idx)+1)
+		copy(fIdx, idx)
+		fIdx[len(fIdx)-1] = i
+
+		if !f.Anonymous || ft.Kind() != reflect.Struct || len(tagFieldName) > 0 {
+			flds = append(flds, &field{
+				name:      fieldName,
+				idx:       fIdx,
+				typ:       f.Type,
+				omitEmpty: omitempty,
+				keyAsInt:  keyasint,
+				tagged:    tagged})
+		} else {
+			if nTypes == nil {
+				nTypes = make(map[reflect.Type][][]int)
+			}
+			nTypes[ft] = append(nTypes[ft], fIdx)
+		}
+	}
+
+	return flds, nTypes
+}
+
+// isFieldExportable returns true if f is an exportable (regular or anonymous) field or
+// a nonexportable anonymous field of struct type.
+// Nonexportable anonymous field of struct type can contain exportable fields.
+func isFieldExportable(f reflect.StructField, fk reflect.Kind) bool {
+	exportable := f.PkgPath == ""
+	return exportable || (f.Anonymous && fk == reflect.Struct)
+}
+
+type embeddedFieldNullPtrFunc func(reflect.Value) (reflect.Value, error)
+
+// getFieldValue returns field value of struct v by index.  When encountering null pointer
+// to anonymous (embedded) struct field, f is called with the last traversed field value.
+func getFieldValue(v reflect.Value, idx []int, f embeddedFieldNullPtrFunc) (fv reflect.Value, err error) {
+	fv = v
+	for i, n := range idx {
+		fv = fv.Field(n)
+
+		if i < len(idx)-1 {
+			if fv.Kind() == reflect.Ptr && fv.Type().Elem().Kind() == reflect.Struct {
+				if fv.IsNil() {
+					// Null pointer to embedded struct field
+					fv, err = f(fv)
+					if err != nil || !fv.IsValid() {
+						return fv, err
+					}
+				}
+				fv = fv.Elem()
+			}
+		}
+	}
+	return fv, nil
+}

vendor/github.com/fxamacker/cbor/v2/tag.go

@@ -0,0 +1,297 @@
+package cbor
+
+import (
+	"errors"
+	"fmt"
+	"reflect"
+	"sync"
+)
+
+// Tag represents CBOR tag data, including tag number and unmarshaled tag content.
+type Tag struct {
+	Number  uint64
+	Content interface{}
+}
+
+// RawTag represents CBOR tag data, including tag number and raw tag content.
+// RawTag implements Unmarshaler and Marshaler interfaces.
+type RawTag struct {
+	Number  uint64
+	Content RawMessage
+}
+
+// UnmarshalCBOR sets *t with tag number and raw tag content copied from data.
+func (t *RawTag) UnmarshalCBOR(data []byte) error {
+	if t == nil {
+		return errors.New("cbor.RawTag: UnmarshalCBOR on nil pointer")
+	}
+
+	// Decoding CBOR null and undefined to cbor.RawTag is no-op.
+	if len(data) == 1 && (data[0] == 0xf6 || data[0] == 0xf7) {
+		return nil
+	}
+
+	d := decoder{data: data, dm: defaultDecMode}
+
+	// Unmarshal tag number.
+	typ, _, num := d.getHead()
+	if typ != cborTypeTag {
+		return &UnmarshalTypeError{CBORType: typ.String(), GoType: typeRawTag.String()}
+	}
+	t.Number = num
+
+	// Unmarshal tag content.
+	c := d.data[d.off:]
+	t.Content = make([]byte, len(c))
+	copy(t.Content, c)
+	return nil
+}
+
+// MarshalCBOR returns CBOR encoding of t.
+func (t RawTag) MarshalCBOR() ([]byte, error) {
+	if t.Number == 0 && len(t.Content) == 0 {
+		// Marshal uninitialized cbor.RawTag
+		b := make([]byte, len(cborNil))
+		copy(b, cborNil)
+		return b, nil
+	}
+
+	e := getEncoderBuffer()
+
+	encodeHead(e, byte(cborTypeTag), t.Number)
+
+	content := t.Content
+	if len(content) == 0 {
+		content = cborNil
+	}
+
+	buf := make([]byte, len(e.Bytes())+len(content))
+	n := copy(buf, e.Bytes())
+	copy(buf[n:], content)
+
+	putEncoderBuffer(e)
+	return buf, nil
+}
+
+// DecTagMode specifies how decoder handles tag number.
+type DecTagMode int
+
+const (
+	// DecTagIgnored makes decoder ignore tag number (skips if present).
+	DecTagIgnored DecTagMode = iota
+
+	// DecTagOptional makes decoder verify tag number if it's present.
+	DecTagOptional
+
+	// DecTagRequired makes decoder verify tag number and tag number must be present.
+	DecTagRequired
+
+	maxDecTagMode
+)
+
+func (dtm DecTagMode) valid() bool {
+	return dtm >= 0 && dtm < maxDecTagMode
+}
+
+// EncTagMode specifies how encoder handles tag number.
+type EncTagMode int
+
+const (
+	// EncTagNone makes encoder not encode tag number.
+	EncTagNone EncTagMode = iota
+
+	// EncTagRequired makes encoder encode tag number.
+	EncTagRequired
+
+	maxEncTagMode
+)
+
+func (etm EncTagMode) valid() bool {
+	return etm >= 0 && etm < maxEncTagMode
+}
+
+// TagOptions specifies how encoder and decoder handle tag number.
+type TagOptions struct {
+	DecTag DecTagMode
+	EncTag EncTagMode
+}
+
+// TagSet is an interface to add and remove tag info.  It is used by EncMode and DecMode
+// to provide CBOR tag support.
+type TagSet interface {
+	// Add adds given tag number(s), content type, and tag options to TagSet.
+	Add(opts TagOptions, contentType reflect.Type, num uint64, nestedNum ...uint64) error
+
+	// Remove removes given tag content type from TagSet.
+	Remove(contentType reflect.Type)
+
+	tagProvider
+}
+
+type tagProvider interface {
+	getTagItemFromType(t reflect.Type) *tagItem
+	getTypeFromTagNum(num []uint64) reflect.Type
+}
+
+type tagItem struct {
+	num         []uint64
+	cborTagNum  []byte
+	contentType reflect.Type
+	opts        TagOptions
+}
+
+func (t *tagItem) equalTagNum(num []uint64) bool {
+	// Fast path to compare 1 tag number
+	if len(t.num) == 1 && len(num) == 1 && t.num[0] == num[0] {
+		return true
+	}
+
+	if len(t.num) != len(num) {
+		return false
+	}
+
+	for i := 0; i < len(t.num); i++ {
+		if t.num[i] != num[i] {
+			return false
+		}
+	}
+
+	return true
+}
+
+type (
+	tagSet map[reflect.Type]*tagItem
+
+	syncTagSet struct {
+		sync.RWMutex
+		t tagSet
+	}
+)
+
+func (t tagSet) getTagItemFromType(typ reflect.Type) *tagItem {
+	return t[typ]
+}
+
+func (t tagSet) getTypeFromTagNum(num []uint64) reflect.Type {
+	for typ, tag := range t {
+		if tag.equalTagNum(num) {
+			return typ
+		}
+	}
+	return nil
+}
+
+// NewTagSet returns TagSet (safe for concurrency).
+func NewTagSet() TagSet {
+	return &syncTagSet{t: make(map[reflect.Type]*tagItem)}
+}
+
+// Add adds given tag number(s), content type, and tag options to TagSet.
+func (t *syncTagSet) Add(opts TagOptions, contentType reflect.Type, num uint64, nestedNum ...uint64) error {
+	if contentType == nil {
+		return errors.New("cbor: cannot add nil content type to TagSet")
+	}
+	for contentType.Kind() == reflect.Ptr {
+		contentType = contentType.Elem()
+	}
+	tag, err := newTagItem(opts, contentType, num, nestedNum...)
+	if err != nil {
+		return err
+	}
+	t.Lock()
+	defer t.Unlock()
+	for typ, ti := range t.t {
+		if typ == contentType {
+			return errors.New("cbor: content type " + contentType.String() + " already exists in TagSet")
+		}
+		if ti.equalTagNum(tag.num) {
+			return fmt.Errorf("cbor: tag number %v already exists in TagSet", tag.num)
+		}
+	}
+	t.t[contentType] = tag
+	return nil
+}
+
+// Remove removes given tag content type from TagSet.
+func (t *syncTagSet) Remove(contentType reflect.Type) {
+	for contentType.Kind() == reflect.Ptr {
+		contentType = contentType.Elem()
+	}
+	t.Lock()
+	delete(t.t, contentType)
+	t.Unlock()
+}
+
+func (t *syncTagSet) getTagItemFromType(typ reflect.Type) *tagItem {
+	t.RLock()
+	ti := t.t[typ]
+	t.RUnlock()
+	return ti
+}
+
+func (t *syncTagSet) getTypeFromTagNum(num []uint64) reflect.Type {
+	t.RLock()
+	rt := t.t.getTypeFromTagNum(num)
+	t.RUnlock()
+	return rt
+}
+
+func newTagItem(opts TagOptions, contentType reflect.Type, num uint64, nestedNum ...uint64) (*tagItem, error) {
+	if opts.DecTag == DecTagIgnored && opts.EncTag == EncTagNone {
+		return nil, errors.New("cbor: cannot add tag with DecTagIgnored and EncTagNone options to TagSet")
+	}
+	if contentType.PkgPath() == "" || contentType.Kind() == reflect.Interface {
+		return nil, errors.New("cbor: can only add named types to TagSet, got " + contentType.String())
+	}
+	if contentType == typeTime {
+		return nil, errors.New("cbor: cannot add time.Time to TagSet, use EncOptions.TimeTag and DecOptions.TimeTag instead")
+	}
+	if contentType == typeBigInt {
+		return nil, errors.New("cbor: cannot add big.Int to TagSet, it's built-in and supported automatically")
+	}
+	if contentType == typeTag {
+		return nil, errors.New("cbor: cannot add cbor.Tag to TagSet")
+	}
+	if contentType == typeRawTag {
+		return nil, errors.New("cbor: cannot add cbor.RawTag to TagSet")
+	}
+	if num == 0 || num == 1 {
+		return nil, errors.New("cbor: cannot add tag number 0 or 1 to TagSet, use EncOptions.TimeTag and DecOptions.TimeTag instead")
+	}
+	if num == 2 || num == 3 {
+		return nil, errors.New("cbor: cannot add tag number 2 or 3 to TagSet, it's built-in and supported automatically")
+	}
+	if num == selfDescribedCBORTagNum {
+		return nil, errors.New("cbor: cannot add tag number 55799 to TagSet, it's built-in and ignored automatically")
+	}
+
+	te := tagItem{num: []uint64{num}, opts: opts, contentType: contentType}
+	te.num = append(te.num, nestedNum...)
+
+	// Cache encoded tag numbers
+	e := getEncoderBuffer()
+	for _, n := range te.num {
+		encodeHead(e, byte(cborTypeTag), n)
+	}
+	te.cborTagNum = make([]byte, e.Len())
+	copy(te.cborTagNum, e.Bytes())
+	putEncoderBuffer(e)
+
+	return &te, nil
+}
+
+var (
+	typeTag    = reflect.TypeOf(Tag{})
+	typeRawTag = reflect.TypeOf(RawTag{})
+)
+
+// WrongTagError describes mismatch between CBOR tag and registered tag.
+type WrongTagError struct {
+	RegisteredType   reflect.Type
+	RegisteredTagNum []uint64
+	TagNum           []uint64
+}
+
+func (e *WrongTagError) Error() string {
+	return fmt.Sprintf("cbor: wrong tag number for %s, got %v, expected %v", e.RegisteredType.String(), e.TagNum, e.RegisteredTagNum)
+}

vendor/github.com/fxamacker/cbor/v2/valid.go

@@ -0,0 +1,318 @@
+// Copyright (c) Faye Amacker. All rights reserved.
+// Licensed under the MIT License. See LICENSE in the project root for license information.
+
+package cbor
+
+import (
+	"encoding/binary"
+	"errors"
+	"io"
+	"strconv"
+)
+
+// SyntaxError is a description of a CBOR syntax error.
+type SyntaxError struct {
+	msg string
+}
+
+func (e *SyntaxError) Error() string { return e.msg }
+
+// SemanticError is a description of a CBOR semantic error.
+type SemanticError struct {
+	msg string
+}
+
+func (e *SemanticError) Error() string { return e.msg }
+
+// MaxNestedLevelError indicates exceeded max nested level of any combination of CBOR arrays/maps/tags.
+type MaxNestedLevelError struct {
+	maxNestedLevels int
+}
+
+func (e *MaxNestedLevelError) Error() string {
+	return "cbor: exceeded max nested level " + strconv.Itoa(e.maxNestedLevels)
+}
+
+// MaxArrayElementsError indicates exceeded max number of elements for CBOR arrays.
+type MaxArrayElementsError struct {
+	maxArrayElements int
+}
+
+func (e *MaxArrayElementsError) Error() string {
+	return "cbor: exceeded max number of elements " + strconv.Itoa(e.maxArrayElements) + " for CBOR array"
+}
+
+// MaxMapPairsError indicates exceeded max number of key-value pairs for CBOR maps.
+type MaxMapPairsError struct {
+	maxMapPairs int
+}
+
+func (e *MaxMapPairsError) Error() string {
+	return "cbor: exceeded max number of key-value pairs " + strconv.Itoa(e.maxMapPairs) + " for CBOR map"
+}
+
+// IndefiniteLengthError indicates found disallowed indefinite length items.
+type IndefiniteLengthError struct {
+	t cborType
+}
+
+func (e *IndefiniteLengthError) Error() string {
+	return "cbor: indefinite-length " + e.t.String() + " isn't allowed"
+}
+
+// TagsMdError indicates found disallowed CBOR tags.
+type TagsMdError struct {
+}
+
+func (e *TagsMdError) Error() string {
+	return "cbor: CBOR tag isn't allowed"
+}
+
+// ExtraneousDataError indicates found extraneous data following well-formed CBOR data item.
+type ExtraneousDataError struct {
+	numOfBytes int // number of bytes of extraneous data
+	index      int // location of extraneous data
+}
+
+func (e *ExtraneousDataError) Error() string {
+	return "cbor: " + strconv.Itoa(e.numOfBytes) + " bytes of extraneous data starting at index " + strconv.Itoa(e.index)
+}
+
+// wellformed checks whether the CBOR data item is well-formed.
+// allowExtraData indicates if extraneous data is allowed after the CBOR data item.
+// - use allowExtraData = true when using Decoder.Decode()
+// - use allowExtraData = false when using Unmarshal()
+func (d *decoder) wellformed(allowExtraData bool) error {
+	if len(d.data) == d.off {
+		return io.EOF
+	}
+	_, err := d.wellformedInternal(0)
+	if err == nil {
+		if !allowExtraData && d.off != len(d.data) {
+			err = &ExtraneousDataError{len(d.data) - d.off, d.off}
+		}
+	}
+	return err
+}
+
+// wellformedInternal checks data's well-formedness and returns max depth and error.
+func (d *decoder) wellformedInternal(depth int) (int, error) {
+	t, ai, val, err := d.wellformedHead()
+	if err != nil {
+		return 0, err
+	}
+
+	switch t {
+	case cborTypeByteString, cborTypeTextString:
+		if ai == 31 {
+			if d.dm.indefLength == IndefLengthForbidden {
+				return 0, &IndefiniteLengthError{t}
+			}
+			return d.wellformedIndefiniteString(t, depth)
+		}
+		valInt := int(val)
+		if valInt < 0 {
+			// Detect integer overflow
+			return 0, errors.New("cbor: " + t.String() + " length " + strconv.FormatUint(val, 10) + " is too large, causing integer overflow")
+		}
+		if len(d.data)-d.off < valInt { // valInt+off may overflow integer
+			return 0, io.ErrUnexpectedEOF
+		}
+		d.off += valInt
+	case cborTypeArray, cborTypeMap:
+		depth++
+		if depth > d.dm.maxNestedLevels {
+			return 0, &MaxNestedLevelError{d.dm.maxNestedLevels}
+		}
+
+		if ai == 31 {
+			if d.dm.indefLength == IndefLengthForbidden {
+				return 0, &IndefiniteLengthError{t}
+			}
+			return d.wellformedIndefiniteArrayOrMap(t, depth)
+		}
+
+		valInt := int(val)
+		if valInt < 0 {
+			// Detect integer overflow
+			return 0, errors.New("cbor: " + t.String() + " length " + strconv.FormatUint(val, 10) + " is too large, it would cause integer overflow")
+		}
+
+		if t == cborTypeArray {
+			if valInt > d.dm.maxArrayElements {
+				return 0, &MaxArrayElementsError{d.dm.maxArrayElements}
+			}
+		} else {
+			if valInt > d.dm.maxMapPairs {
+				return 0, &MaxMapPairsError{d.dm.maxMapPairs}
+			}
+		}
+
+		count := 1
+		if t == cborTypeMap {
+			count = 2
+		}
+		maxDepth := depth
+		for j := 0; j < count; j++ {
+			for i := 0; i < valInt; i++ {
+				var dpt int
+				if dpt, err = d.wellformedInternal(depth); err != nil {
+					return 0, err
+				}
+				if dpt > maxDepth {
+					maxDepth = dpt // Save max depth
+				}
+			}
+		}
+		depth = maxDepth
+	case cborTypeTag:
+		if d.dm.tagsMd == TagsForbidden {
+			return 0, &TagsMdError{}
+		}
+
+		// Scan nested tag numbers to avoid recursion.
+		for {
+			if len(d.data) == d.off { // Tag number must be followed by tag content.
+				return 0, io.ErrUnexpectedEOF
+			}
+			if cborType(d.data[d.off]&0xe0) != cborTypeTag {
+				break
+			}
+			if _, _, _, err = d.wellformedHead(); err != nil {
+				return 0, err
+			}
+			depth++
+			if depth > d.dm.maxNestedLevels {
+				return 0, &MaxNestedLevelError{d.dm.maxNestedLevels}
+			}
+		}
+		// Check tag content.
+		return d.wellformedInternal(depth)
+	}
+	return depth, nil
+}
+
+// wellformedIndefiniteString checks indefinite length byte/text string's well-formedness and returns max depth and error.
+func (d *decoder) wellformedIndefiniteString(t cborType, depth int) (int, error) {
+	var err error
+	for {
+		if len(d.data) == d.off {
+			return 0, io.ErrUnexpectedEOF
+		}
+		if d.data[d.off] == 0xff {
+			d.off++
+			break
+		}
+		// Peek ahead to get next type and indefinite length status.
+		nt := cborType(d.data[d.off] & 0xe0)
+		if t != nt {
+			return 0, &SyntaxError{"cbor: wrong element type " + nt.String() + " for indefinite-length " + t.String()}
+		}
+		if (d.data[d.off] & 0x1f) == 31 {
+			return 0, &SyntaxError{"cbor: indefinite-length " + t.String() + " chunk is not definite-length"}
+		}
+		if depth, err = d.wellformedInternal(depth); err != nil {
+			return 0, err
+		}
+	}
+	return depth, nil
+}
+
+// wellformedIndefiniteArrayOrMap checks indefinite length array/map's well-formedness and returns max depth and error.
+func (d *decoder) wellformedIndefiniteArrayOrMap(t cborType, depth int) (int, error) {
+	var err error
+	maxDepth := depth
+	i := 0
+	for {
+		if len(d.data) == d.off {
+			return 0, io.ErrUnexpectedEOF
+		}
+		if d.data[d.off] == 0xff {
+			d.off++
+			break
+		}
+		var dpt int
+		if dpt, err = d.wellformedInternal(depth); err != nil {
+			return 0, err
+		}
+		if dpt > maxDepth {
+			maxDepth = dpt
+		}
+		i++
+		if t == cborTypeArray {
+			if i > d.dm.maxArrayElements {
+				return 0, &MaxArrayElementsError{d.dm.maxArrayElements}
+			}
+		} else {
+			if i%2 == 0 && i/2 > d.dm.maxMapPairs {
+				return 0, &MaxMapPairsError{d.dm.maxMapPairs}
+			}
+		}
+	}
+	if t == cborTypeMap && i%2 == 1 {
+		return 0, &SyntaxError{"cbor: unexpected \"break\" code"}
+	}
+	return maxDepth, nil
+}
+
+func (d *decoder) wellformedHead() (t cborType, ai byte, val uint64, err error) {
+	dataLen := len(d.data) - d.off
+	if dataLen == 0 {
+		return 0, 0, 0, io.ErrUnexpectedEOF
+	}
+
+	t = cborType(d.data[d.off] & 0xe0)
+	ai = d.data[d.off] & 0x1f
+	val = uint64(ai)
+	d.off++
+
+	if ai < 24 {
+		return t, ai, val, nil
+	}
+	if ai == 24 {
+		if dataLen < 2 {
+			return 0, 0, 0, io.ErrUnexpectedEOF
+		}
+		val = uint64(d.data[d.off])
+		d.off++
+		if t == cborTypePrimitives && val < 32 {
+			return 0, 0, 0, &SyntaxError{"cbor: invalid simple value " + strconv.Itoa(int(val)) + " for type " + t.String()}
+		}
+		return t, ai, val, nil
+	}
+	if ai == 25 {
+		if dataLen < 3 {
+			return 0, 0, 0, io.ErrUnexpectedEOF
+		}
+		val = uint64(binary.BigEndian.Uint16(d.data[d.off : d.off+2]))
+		d.off += 2
+		return t, ai, val, nil
+	}
+	if ai == 26 {
+		if dataLen < 5 {
+			return 0, 0, 0, io.ErrUnexpectedEOF
+		}
+		val = uint64(binary.BigEndian.Uint32(d.data[d.off : d.off+4]))
+		d.off += 4
+		return t, ai, val, nil
+	}
+	if ai == 27 {
+		if dataLen < 9 {
+			return 0, 0, 0, io.ErrUnexpectedEOF
+		}
+		val = binary.BigEndian.Uint64(d.data[d.off : d.off+8])
+		d.off += 8
+		return t, ai, val, nil
+	}
+	if ai == 31 {
+		switch t {
+		case cborTypePositiveInt, cborTypeNegativeInt, cborTypeTag:
+			return 0, 0, 0, &SyntaxError{"cbor: invalid additional information " + strconv.Itoa(int(ai)) + " for type " + t.String()}
+		case cborTypePrimitives: // 0xff (break code) should not be outside wellformedIndefinite().
+			return 0, 0, 0, &SyntaxError{"cbor: unexpected \"break\" code"}
+		}
+		return t, ai, val, nil
+	}
+	// ai == 28, 29, 30
+	return 0, 0, 0, &SyntaxError{"cbor: invalid additional information " + strconv.Itoa(int(ai)) + " for type " + t.String()}
+}

vendor/github.com/gaissmai/bart/CONTRIBUTING.md

@@ -0,0 +1 @@
+Contributions are welcome, but please open an issue for discussion before sending a pull request.

vendor/github.com/gaissmai/bart/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Karl Gaissmaier
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/github.com/gaissmai/bart/README.md

@@ -0,0 +1,123 @@
+# package bart
+
+[![Go Reference](https://pkg.go.dev/badge/github.com/gaissmai/bart.svg)](https://pkg.go.dev/github.com/gaissmai/bart#section-documentation)
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/gaissmai/bart)
+[![CI](https://github.com/gaissmai/bart/actions/workflows/go.yml/badge.svg)](https://github.com/gaissmai/bart/actions/workflows/go.yml)
+[![Coverage Status](https://coveralls.io/repos/github/gaissmai/bart/badge.svg)](https://coveralls.io/github/gaissmai/bart)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Stand With Ukraine](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg)](https://stand-with-ukraine.pp.ua)
+
+## Overview
+
+`package bart` provides a Balanced-Routing-Table (BART).
+
+BART is balanced in terms of memory consumption versus
+lookup time.
+
+The lookup time is by a factor of ~2 slower on average as the
+routing algorithms ART, SMART, CPE, ... but reduces the memory
+consumption by an order of magnitude in comparison.
+
+BART is a multibit-trie with fixed stride length of 8 bits,
+using the _baseIndex_ function from the ART algorithm to
+build the complete-binary-tree (CBT) of prefixes for each stride.
+
+The second key factor is popcount array compression at each stride level
+of the CBT prefix tree and backtracking along the CBT in O(k).
+
+The CBT is implemented as a bitvector, backtracking is just
+a matter of fast cache friendly bitmask operations.
+
+The child array at each stride level is also popcount compressed.
+
+## API
+
+The API changes in v0.4.2, 0.5.3, v0.6.3, v0.10.1, v0.11.0
+
+```golang
+  import "github.com/gaissmai/bart"
+  
+  type Table[V any] struct {
+  	// Has unexported fields.
+  }
+    Table is an IPv4 and IPv6 routing table with payload V. The zero value is
+    ready to use.
+
+    The Table is safe for concurrent readers but not for concurrent readers
+    and/or writers.
+
+  func (t *Table[V]) Insert(pfx netip.Prefix, val V)
+  func (t *Table[V]) Delete(pfx netip.Prefix)
+  func (t *Table[V]) Get(pfx netip.Prefix) (val V, ok bool)
+  func (t *Table[V]) Update(pfx netip.Prefix, cb func(val V, ok bool) V) (newVal V)
+
+  func (t *Table[V]) Union(o *Table[V])
+  func (t *Table[V]) Clone() *Table[V]
+
+  func (t *Table[V]) Lookup(ip netip.Addr) (val V, ok bool)
+
+  func (t *Table[V]) LookupPrefix(pfx netip.Prefix) (val V, ok bool)
+  func (t *Table[V]) LookupPrefixLPM(pfx netip.Prefix) (lpm netip.Prefix, val V, ok bool)
+  func (t *Table[V]) EachLookupPrefix(pfx netip.Prefix, yield func(pfx netip.Prefix, val V) bool)
+  func (t *Table[V]) EachSubnet(pfx netip.Prefix, yield func(pfx netip.Prefix, val V) bool)
+
+  func (t *Table[V]) OverlapsPrefix(pfx netip.Prefix) bool
+
+  func (t *Table[V]) Overlaps(o *Table[V]) bool
+  func (t *Table[V]) Overlaps4(o *Table[V]) bool
+  func (t *Table[V]) Overlaps6(o *Table[V]) bool
+
+  func (t *Table[V]) Size() int
+  func (t *Table[V]) Size4() int
+  func (t *Table[V]) Size6() int
+
+  func (t *Table[V]) All(yield func(pfx netip.Prefix, val V) bool)
+  func (t *Table[V]) All4(yield func(pfx netip.Prefix, val V) bool)
+  func (t *Table[V]) All6(yield func(pfx netip.Prefix, val V) bool)
+
+  func (t *Table[V]) AllSorted(yield func(pfx netip.Prefix, val V) bool)
+  func (t *Table[V]) All4Sorted(yield func(pfx netip.Prefix, val V) bool)
+  func (t *Table[V]) All6Sorted(yield func(pfx netip.Prefix, val V) bool)
+
+  func (t *Table[V]) String() string
+  func (t *Table[V]) Fprint(w io.Writer) error
+  func (t *Table[V]) MarshalText() ([]byte, error)
+  func (t *Table[V]) MarshalJSON() ([]byte, error)
+
+  func (t *Table[V]) DumpList4() []DumpListNode[V]
+  func (t *Table[V]) DumpList6() []DumpListNode[V]
+```
+
+## benchmarks
+
+Please see the extensive [benchmarks](https://github.com/gaissmai/iprbench) comparing `bart` with other IP routing table implementations.
+
+Just a teaser, LPM lookups against the full Internet routing table with random probes:
+
+```
+goos: linux
+goarch: amd64
+pkg: github.com/gaissmai/bart
+cpu: Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
+
+BenchmarkFullMatchV4/Lookup                     24484828            49.03 ns/op
+BenchmarkFullMatchV6/Lookup                     17098262            70.15 ns/op
+BenchmarkFullMissV4/Lookup                      24480925            49.15 ns/op
+BenchmarkFullMissV6/Lookup                      54955310            21.79 ns/op
+```
+
+## CONTRIBUTION
+
+Please open an issue for discussion before sending a pull request.
+
+## CREDIT
+
+Credits for many inspirations go to the clever guys at tailscale,
+to Daniel Lemire for the super-fast bitset package and
+to Donald E. Knuth for the **ART** routing algorithm and
+all the rest of his *Art* and for keeping important algorithms
+in the public domain!
+
+## LICENSE
+
+MIT

vendor/github.com/gaissmai/bart/base_index.go

@@ -0,0 +1,621 @@
+// Copyright (c) 2024 Karl Gaissmaier
+// SPDX-License-Identifier: MIT
+
+package bart
+
+import "cmp"
+
+// Please read the ART paper ./doc/artlookup.pdf
+// to understand the baseIndex algorithm.
+
+// hostMasks as lookup table
+var hostMasks = []uint8{
+	0b1111_1111, // bits == 0
+	0b0111_1111, // bits == 1
+	0b0011_1111, // bits == 2
+	0b0001_1111, // bits == 3
+	0b0000_1111, // bits == 4
+	0b0000_0111, // bits == 5
+	0b0000_0011, // bits == 6
+	0b0000_0001, // bits == 7
+	0b0000_0000, // bits == 8
+}
+
+func netMask(mask int) uint8 {
+	return ^hostMasks[uint8(mask)]
+}
+
+const (
+
+	// baseIndex of the first host route: prefixToBaseIndex(0,8)
+	firstHostIndex = 0b1_0000_0000 // 256
+
+	// baseIndex of the last host route: prefixToBaseIndex(255,8)
+	//nolint:unused
+	lastHostIndex = 0b1_1111_1111 // 511
+)
+
+// prefixToBaseIndex, maps a prefix table as a 'complete binary tree'.
+// This is the so-called baseIndex a.k.a heapFunc:
+func prefixToBaseIndex(octet byte, prefixLen int) uint {
+	return uint(octet>>(strideLen-prefixLen)) + (1 << prefixLen)
+}
+
+// octetToBaseIndex, just prefixToBaseIndex(octet, 8), a.k.a host routes
+// but faster, use it for host routes in Lookup.
+func octetToBaseIndex(octet byte) uint {
+	return uint(octet) + firstHostIndex // just: octet + 256
+}
+
+// baseIndexToPrefixLen, calc the bits from baseIndex and octect depth
+func baseIndexToPrefixLen(baseIdx uint, depth int) int {
+	_, pfxLen := baseIndexToPrefix(baseIdx)
+	return depth*strideLen + pfxLen
+}
+
+// hostRoutesByIndex, get range of host routes for this idx.
+//
+//	idx:    72
+//	prefix: 32/6
+//	lower:  256 + 32 = 288
+//	upper:  256 + (32 | 0b0000_0011) = 291
+//
+// Use the pre computed lookup table.
+//
+//	 func hostRoutesByIndex(idx uint) (uint, uint) {
+//		 octet, bits := baseIndexToPrefix(idx)
+//		 return octetToBaseIndex(octet), octetToBaseIndex(octet | hostMasks[bits])
+//	 }
+func hostRoutesByIndex(idx uint) (uint, uint) {
+	item := baseIdxLookupTbl[idx]
+	return uint(item.lower), uint(item.upper)
+}
+
+// baseIndexToPrefix returns the octet and prefix len of baseIdx.
+// It's the inverse to prefixToBaseIndex.
+//
+// Use the pre computed lookup table, bits.LeadingZeros is too slow.
+//
+//	func baseIndexToPrefix(baseIdx uint) (octet byte, pfxLen int) {
+//		nlz := bits.LeadingZeros(baseIdx)
+//		pfxLen = strconv.IntSize - nlz - 1
+//		octet = (baseIdx & (0xFF >> (8 - pfxLen))) << (8 - pfxLen)
+//		return octet, pfxLen
+//	}
+func baseIndexToPrefix(baseIdx uint) (octet byte, pfxLen int) {
+	item := baseIdxLookupTbl[baseIdx]
+	return item.octet, int(item.bits)
+}
+
+// cmpIndexRank, compare SortFunc to sort indexes in prefix sort order.
+func cmpIndexRank(a, b uint) int {
+	return cmp.Compare(baseIdxLookupTbl[a].rank, baseIdxLookupTbl[b].rank)
+}
+
+// baseIdxLookupTbl
+//
+//	octet, bits,
+//	host route boundaries,
+//	prefix sort rank
+//
+// as lookup table.
+var baseIdxLookupTbl = [512]struct {
+	octet byte
+	bits  int8
+	lower uint16 // host route lower bound
+	upper uint16 // host route upper bound
+	rank  uint16 // prefix sort rank
+}{
+	{0, -1, 0, 0, 0},        // idx == 0 invalid!
+	{0, 0, 256, 511, 1},     // idx == 1
+	{0, 1, 256, 383, 2},     // idx == 2
+	{128, 1, 384, 511, 257}, // idx == 3
+	{0, 2, 256, 319, 3},     // idx == 4
+	{64, 2, 320, 383, 130},  // idx == 5
+	{128, 2, 384, 447, 258}, // idx == 6
+	{192, 2, 448, 511, 385}, // idx == 7
+	{0, 3, 256, 287, 4},     // idx == 8
+	{32, 3, 288, 319, 67},   // idx == 9
+	{64, 3, 320, 351, 131},  // idx == 10
+	{96, 3, 352, 383, 194},  // idx == 11
+	{128, 3, 384, 415, 259}, // idx == 12
+	{160, 3, 416, 447, 322}, // idx == 13
+	{192, 3, 448, 479, 386}, // idx == 14
+	{224, 3, 480, 511, 449}, // idx == 15
+	{0, 4, 256, 271, 5},     // idx == 16
+	{16, 4, 272, 287, 36},   // idx == 17
+	{32, 4, 288, 303, 68},   // idx == 18
+	{48, 4, 304, 319, 99},   // idx == 19
+	{64, 4, 320, 335, 132},  // idx == 20
+	{80, 4, 336, 351, 163},  // idx == 21
+	{96, 4, 352, 367, 195},  // idx == 22
+	{112, 4, 368, 383, 226}, // idx == 23
+	{128, 4, 384, 399, 260}, // idx == 24
+	{144, 4, 400, 415, 291}, // idx == 25
+	{160, 4, 416, 431, 323}, // idx == 26
+	{176, 4, 432, 447, 354}, // idx == 27
+	{192, 4, 448, 463, 387}, // idx == 28
+	{208, 4, 464, 479, 418}, // idx == 29
+	{224, 4, 480, 495, 450}, // idx == 30
+	{240, 4, 496, 511, 481}, // idx == 31
+	{0, 5, 256, 263, 6},     // idx == 32
+	{8, 5, 264, 271, 21},    // idx == 33
+	{16, 5, 272, 279, 37},   // idx == 34
+	{24, 5, 280, 287, 52},   // idx == 35
+	{32, 5, 288, 295, 69},   // idx == 36
+	{40, 5, 296, 303, 84},   // idx == 37
+	{48, 5, 304, 311, 100},  // idx == 38
+	{56, 5, 312, 319, 115},  // idx == 39
+	{64, 5, 320, 327, 133},  // idx == 40
+	{72, 5, 328, 335, 148},  // idx == 41
+	{80, 5, 336, 343, 164},  // idx == 42
+	{88, 5, 344, 351, 179},  // idx == 43
+	{96, 5, 352, 359, 196},  // idx == 44
+	{104, 5, 360, 367, 211}, // idx == 45
+	{112, 5, 368, 375, 227}, // idx == 46
+	{120, 5, 376, 383, 242}, // idx == 47
+	{128, 5, 384, 391, 261}, // idx == 48
+	{136, 5, 392, 399, 276}, // idx == 49
+	{144, 5, 400, 407, 292}, // idx == 50
+	{152, 5, 408, 415, 307}, // idx == 51
+	{160, 5, 416, 423, 324}, // idx == 52
+	{168, 5, 424, 431, 339}, // idx == 53
+	{176, 5, 432, 439, 355}, // idx == 54
+	{184, 5, 440, 447, 370}, // idx == 55
+	{192, 5, 448, 455, 388}, // idx == 56
+	{200, 5, 456, 463, 403}, // idx == 57
+	{208, 5, 464, 471, 419}, // idx == 58
+	{216, 5, 472, 479, 434}, // idx == 59
+	{224, 5, 480, 487, 451}, // idx == 60
+	{232, 5, 488, 495, 466}, // idx == 61
+	{240, 5, 496, 503, 482}, // idx == 62
+	{248, 5, 504, 511, 497}, // idx == 63
+	{0, 6, 256, 259, 7},     // idx == 64
+	{4, 6, 260, 263, 14},    // idx == 65
+	{8, 6, 264, 267, 22},    // idx == 66
+	{12, 6, 268, 271, 29},   // idx == 67
+	{16, 6, 272, 275, 38},   // idx == 68
+	{20, 6, 276, 279, 45},   // idx == 69
+	{24, 6, 280, 283, 53},   // idx == 70
+	{28, 6, 284, 287, 60},   // idx == 71
+	{32, 6, 288, 291, 70},   // idx == 72
+	{36, 6, 292, 295, 77},   // idx == 73
+	{40, 6, 296, 299, 85},   // idx == 74
+	{44, 6, 300, 303, 92},   // idx == 75
+	{48, 6, 304, 307, 101},  // idx == 76
+	{52, 6, 308, 311, 108},  // idx == 77
+	{56, 6, 312, 315, 116},  // idx == 78
+	{60, 6, 316, 319, 123},  // idx == 79
+	{64, 6, 320, 323, 134},  // idx == 80
+	{68, 6, 324, 327, 141},  // idx == 81
+	{72, 6, 328, 331, 149},  // idx == 82
+	{76, 6, 332, 335, 156},  // idx == 83
+	{80, 6, 336, 339, 165},  // idx == 84
+	{84, 6, 340, 343, 172},  // idx == 85
+	{88, 6, 344, 347, 180},  // idx == 86
+	{92, 6, 348, 351, 187},  // idx == 87
+	{96, 6, 352, 355, 197},  // idx == 88
+	{100, 6, 356, 359, 204}, // idx == 89
+	{104, 6, 360, 363, 212}, // idx == 90
+	{108, 6, 364, 367, 219}, // idx == 91
+	{112, 6, 368, 371, 228}, // idx == 92
+	{116, 6, 372, 375, 235}, // idx == 93
+	{120, 6, 376, 379, 243}, // idx == 94
+	{124, 6, 380, 383, 250}, // idx == 95
+	{128, 6, 384, 387, 262}, // idx == 96
+	{132, 6, 388, 391, 269}, // idx == 97
+	{136, 6, 392, 395, 277}, // idx == 98
+	{140, 6, 396, 399, 284}, // idx == 99
+	{144, 6, 400, 403, 293}, // idx == 100
+	{148, 6, 404, 407, 300}, // idx == 101
+	{152, 6, 408, 411, 308}, // idx == 102
+	{156, 6, 412, 415, 315}, // idx == 103
+	{160, 6, 416, 419, 325}, // idx == 104
+	{164, 6, 420, 423, 332}, // idx == 105
+	{168, 6, 424, 427, 340}, // idx == 106
+	{172, 6, 428, 431, 347}, // idx == 107
+	{176, 6, 432, 435, 356}, // idx == 108
+	{180, 6, 436, 439, 363}, // idx == 109
+	{184, 6, 440, 443, 371}, // idx == 110
+	{188, 6, 444, 447, 378}, // idx == 111
+	{192, 6, 448, 451, 389}, // idx == 112
+	{196, 6, 452, 455, 396}, // idx == 113
+	{200, 6, 456, 459, 404}, // idx == 114
+	{204, 6, 460, 463, 411}, // idx == 115
+	{208, 6, 464, 467, 420}, // idx == 116
+	{212, 6, 468, 471, 427}, // idx == 117
+	{216, 6, 472, 475, 435}, // idx == 118
+	{220, 6, 476, 479, 442}, // idx == 119
+	{224, 6, 480, 483, 452}, // idx == 120
+	{228, 6, 484, 487, 459}, // idx == 121
+	{232, 6, 488, 491, 467}, // idx == 122
+	{236, 6, 492, 495, 474}, // idx == 123
+	{240, 6, 496, 499, 483}, // idx == 124
+	{244, 6, 500, 503, 490}, // idx == 125
+	{248, 6, 504, 507, 498}, // idx == 126
+	{252, 6, 508, 511, 505}, // idx == 127
+	{0, 7, 256, 257, 8},     // idx == 128
+	{2, 7, 258, 259, 11},    // idx == 129
+	{4, 7, 260, 261, 15},    // idx == 130
+	{6, 7, 262, 263, 18},    // idx == 131
+	{8, 7, 264, 265, 23},    // idx == 132
+	{10, 7, 266, 267, 26},   // idx == 133
+	{12, 7, 268, 269, 30},   // idx == 134
+	{14, 7, 270, 271, 33},   // idx == 135
+	{16, 7, 272, 273, 39},   // idx == 136
+	{18, 7, 274, 275, 42},   // idx == 137
+	{20, 7, 276, 277, 46},   // idx == 138
+	{22, 7, 278, 279, 49},   // idx == 139
+	{24, 7, 280, 281, 54},   // idx == 140
+	{26, 7, 282, 283, 57},   // idx == 141
+	{28, 7, 284, 285, 61},   // idx == 142
+	{30, 7, 286, 287, 64},   // idx == 143
+	{32, 7, 288, 289, 71},   // idx == 144
+	{34, 7, 290, 291, 74},   // idx == 145
+	{36, 7, 292, 293, 78},   // idx == 146
+	{38, 7, 294, 295, 81},   // idx == 147
+	{40, 7, 296, 297, 86},   // idx == 148
+	{42, 7, 298, 299, 89},   // idx == 149
+	{44, 7, 300, 301, 93},   // idx == 150
+	{46, 7, 302, 303, 96},   // idx == 151
+	{48, 7, 304, 305, 102},  // idx == 152
+	{50, 7, 306, 307, 105},  // idx == 153
+	{52, 7, 308, 309, 109},  // idx == 154
+	{54, 7, 310, 311, 112},  // idx == 155
+	{56, 7, 312, 313, 117},  // idx == 156
+	{58, 7, 314, 315, 120},  // idx == 157
+	{60, 7, 316, 317, 124},  // idx == 158
+	{62, 7, 318, 319, 127},  // idx == 159
+	{64, 7, 320, 321, 135},  // idx == 160
+	{66, 7, 322, 323, 138},  // idx == 161
+	{68, 7, 324, 325, 142},  // idx == 162
+	{70, 7, 326, 327, 145},  // idx == 163
+	{72, 7, 328, 329, 150},  // idx == 164
+	{74, 7, 330, 331, 153},  // idx == 165
+	{76, 7, 332, 333, 157},  // idx == 166
+	{78, 7, 334, 335, 160},  // idx == 167
+	{80, 7, 336, 337, 166},  // idx == 168
+	{82, 7, 338, 339, 169},  // idx == 169
+	{84, 7, 340, 341, 173},  // idx == 170
+	{86, 7, 342, 343, 176},  // idx == 171
+	{88, 7, 344, 345, 181},  // idx == 172
+	{90, 7, 346, 347, 184},  // idx == 173
+	{92, 7, 348, 349, 188},  // idx == 174
+	{94, 7, 350, 351, 191},  // idx == 175
+	{96, 7, 352, 353, 198},  // idx == 176
+	{98, 7, 354, 355, 201},  // idx == 177
+	{100, 7, 356, 357, 205}, // idx == 178
+	{102, 7, 358, 359, 208}, // idx == 179
+	{104, 7, 360, 361, 213}, // idx == 180
+	{106, 7, 362, 363, 216}, // idx == 181
+	{108, 7, 364, 365, 220}, // idx == 182
+	{110, 7, 366, 367, 223}, // idx == 183
+	{112, 7, 368, 369, 229}, // idx == 184
+	{114, 7, 370, 371, 232}, // idx == 185
+	{116, 7, 372, 373, 236}, // idx == 186
+	{118, 7, 374, 375, 239}, // idx == 187
+	{120, 7, 376, 377, 244}, // idx == 188
+	{122, 7, 378, 379, 247}, // idx == 189
+	{124, 7, 380, 381, 251}, // idx == 190
+	{126, 7, 382, 383, 254}, // idx == 191
+	{128, 7, 384, 385, 263}, // idx == 192
+	{130, 7, 386, 387, 266}, // idx == 193
+	{132, 7, 388, 389, 270}, // idx == 194
+	{134, 7, 390, 391, 273}, // idx == 195
+	{136, 7, 392, 393, 278}, // idx == 196
+	{138, 7, 394, 395, 281}, // idx == 197
+	{140, 7, 396, 397, 285}, // idx == 198
+	{142, 7, 398, 399, 288}, // idx == 199
+	{144, 7, 400, 401, 294}, // idx == 200
+	{146, 7, 402, 403, 297}, // idx == 201
+	{148, 7, 404, 405, 301}, // idx == 202
+	{150, 7, 406, 407, 304}, // idx == 203
+	{152, 7, 408, 409, 309}, // idx == 204
+	{154, 7, 410, 411, 312}, // idx == 205
+	{156, 7, 412, 413, 316}, // idx == 206
+	{158, 7, 414, 415, 319}, // idx == 207
+	{160, 7, 416, 417, 326}, // idx == 208
+	{162, 7, 418, 419, 329}, // idx == 209
+	{164, 7, 420, 421, 333}, // idx == 210
+	{166, 7, 422, 423, 336}, // idx == 211
+	{168, 7, 424, 425, 341}, // idx == 212
+	{170, 7, 426, 427, 344}, // idx == 213
+	{172, 7, 428, 429, 348}, // idx == 214
+	{174, 7, 430, 431, 351}, // idx == 215
+	{176, 7, 432, 433, 357}, // idx == 216
+	{178, 7, 434, 435, 360}, // idx == 217
+	{180, 7, 436, 437, 364}, // idx == 218
+	{182, 7, 438, 439, 367}, // idx == 219
+	{184, 7, 440, 441, 372}, // idx == 220
+	{186, 7, 442, 443, 375}, // idx == 221
+	{188, 7, 444, 445, 379}, // idx == 222
+	{190, 7, 446, 447, 382}, // idx == 223
+	{192, 7, 448, 449, 390}, // idx == 224
+	{194, 7, 450, 451, 393}, // idx == 225
+	{196, 7, 452, 453, 397}, // idx == 226
+	{198, 7, 454, 455, 400}, // idx == 227
+	{200, 7, 456, 457, 405}, // idx == 228
+	{202, 7, 458, 459, 408}, // idx == 229
+	{204, 7, 460, 461, 412}, // idx == 230
+	{206, 7, 462, 463, 415}, // idx == 231
+	{208, 7, 464, 465, 421}, // idx == 232
+	{210, 7, 466, 467, 424}, // idx == 233
+	{212, 7, 468, 469, 428}, // idx == 234
+	{214, 7, 470, 471, 431}, // idx == 235
+	{216, 7, 472, 473, 436}, // idx == 236
+	{218, 7, 474, 475, 439}, // idx == 237
+	{220, 7, 476, 477, 443}, // idx == 238
+	{222, 7, 478, 479, 446}, // idx == 239
+	{224, 7, 480, 481, 453}, // idx == 240
+	{226, 7, 482, 483, 456}, // idx == 241
+	{228, 7, 484, 485, 460}, // idx == 242
+	{230, 7, 486, 487, 463}, // idx == 243
+	{232, 7, 488, 489, 468}, // idx == 244
+	{234, 7, 490, 491, 471}, // idx == 245
+	{236, 7, 492, 493, 475}, // idx == 246
+	{238, 7, 494, 495, 478}, // idx == 247
+	{240, 7, 496, 497, 484}, // idx == 248
+	{242, 7, 498, 499, 487}, // idx == 249
+	{244, 7, 500, 501, 491}, // idx == 250
+	{246, 7, 502, 503, 494}, // idx == 251
+	{248, 7, 504, 505, 499}, // idx == 252
+	{250, 7, 506, 507, 502}, // idx == 253
+	{252, 7, 508, 509, 506}, // idx == 254
+	{254, 7, 510, 511, 509}, // idx == 255
+	{0, 8, 256, 256, 9},     // idx == 256 -- first host route
+	{1, 8, 257, 257, 10},    // idx == 257
+	{2, 8, 258, 258, 12},    // idx == 258
+	{3, 8, 259, 259, 13},    // idx == 259
+	{4, 8, 260, 260, 16},    // idx == 260
+	{5, 8, 261, 261, 17},    // idx == 261
+	{6, 8, 262, 262, 19},    // idx == 262
+	{7, 8, 263, 263, 20},    // idx == 263
+	{8, 8, 264, 264, 24},    // idx == 264
+	{9, 8, 265, 265, 25},    // idx == 265
+	{10, 8, 266, 266, 27},   // idx == 266
+	{11, 8, 267, 267, 28},   // idx == 267
+	{12, 8, 268, 268, 31},   // idx == 268
+	{13, 8, 269, 269, 32},   // idx == 269
+	{14, 8, 270, 270, 34},   // idx == 270
+	{15, 8, 271, 271, 35},   // idx == 271
+	{16, 8, 272, 272, 40},   // idx == 272
+	{17, 8, 273, 273, 41},   // idx == 273
+	{18, 8, 274, 274, 43},   // idx == 274
+	{19, 8, 275, 275, 44},   // idx == 275
+	{20, 8, 276, 276, 47},   // idx == 276
+	{21, 8, 277, 277, 48},   // idx == 277
+	{22, 8, 278, 278, 50},   // idx == 278
+	{23, 8, 279, 279, 51},   // idx == 279
+	{24, 8, 280, 280, 55},   // idx == 280
+	{25, 8, 281, 281, 56},   // idx == 281
+	{26, 8, 282, 282, 58},   // idx == 282
+	{27, 8, 283, 283, 59},   // idx == 283
+	{28, 8, 284, 284, 62},   // idx == 284
+	{29, 8, 285, 285, 63},   // idx == 285
+	{30, 8, 286, 286, 65},   // idx == 286
+	{31, 8, 287, 287, 66},   // idx == 287
+	{32, 8, 288, 288, 72},   // idx == 288
+	{33, 8, 289, 289, 73},   // idx == 289
+	{34, 8, 290, 290, 75},   // idx == 290
+	{35, 8, 291, 291, 76},   // idx == 291
+	{36, 8, 292, 292, 79},   // idx == 292
+	{37, 8, 293, 293, 80},   // idx == 293
+	{38, 8, 294, 294, 82},   // idx == 294
+	{39, 8, 295, 295, 83},   // idx == 295
+	{40, 8, 296, 296, 87},   // idx == 296
+	{41, 8, 297, 297, 88},   // idx == 297
+	{42, 8, 298, 298, 90},   // idx == 298
+	{43, 8, 299, 299, 91},   // idx == 299
+	{44, 8, 300, 300, 94},   // idx == 300
+	{45, 8, 301, 301, 95},   // idx == 301
+	{46, 8, 302, 302, 97},   // idx == 302
+	{47, 8, 303, 303, 98},   // idx == 303
+	{48, 8, 304, 304, 103},  // idx == 304
+	{49, 8, 305, 305, 104},  // idx == 305
+	{50, 8, 306, 306, 106},  // idx == 306
+	{51, 8, 307, 307, 107},  // idx == 307
+	{52, 8, 308, 308, 110},  // idx == 308
+	{53, 8, 309, 309, 111},  // idx == 309
+	{54, 8, 310, 310, 113},  // idx == 310
+	{55, 8, 311, 311, 114},  // idx == 311
+	{56, 8, 312, 312, 118},  // idx == 312
+	{57, 8, 313, 313, 119},  // idx == 313
+	{58, 8, 314, 314, 121},  // idx == 314
+	{59, 8, 315, 315, 122},  // idx == 315
+	{60, 8, 316, 316, 125},  // idx == 316
+	{61, 8, 317, 317, 126},  // idx == 317
+	{62, 8, 318, 318, 128},  // idx == 318
+	{63, 8, 319, 319, 129},  // idx == 319
+	{64, 8, 320, 320, 136},  // idx == 320
+	{65, 8, 321, 321, 137},  // idx == 321
+	{66, 8, 322, 322, 139},  // idx == 322
+	{67, 8, 323, 323, 140},  // idx == 323
+	{68, 8, 324, 324, 143},  // idx == 324
+	{69, 8, 325, 325, 144},  // idx == 325
+	{70, 8, 326, 326, 146},  // idx == 326
+	{71, 8, 327, 327, 147},  // idx == 327
+	{72, 8, 328, 328, 151},  // idx == 328
+	{73, 8, 329, 329, 152},  // idx == 329
+	{74, 8, 330, 330, 154},  // idx == 330
+	{75, 8, 331, 331, 155},  // idx == 331
+	{76, 8, 332, 332, 158},  // idx == 332
+	{77, 8, 333, 333, 159},  // idx == 333
+	{78, 8, 334, 334, 161},  // idx == 334
+	{79, 8, 335, 335, 162},  // idx == 335
+	{80, 8, 336, 336, 167},  // idx == 336
+	{81, 8, 337, 337, 168},  // idx == 337
+	{82, 8, 338, 338, 170},  // idx == 338
+	{83, 8, 339, 339, 171},  // idx == 339
+	{84, 8, 340, 340, 174},  // idx == 340
+	{85, 8, 341, 341, 175},  // idx == 341
+	{86, 8, 342, 342, 177},  // idx == 342
+	{87, 8, 343, 343, 178},  // idx == 343
+	{88, 8, 344, 344, 182},  // idx == 344
+	{89, 8, 345, 345, 183},  // idx == 345
+	{90, 8, 346, 346, 185},  // idx == 346
+	{91, 8, 347, 347, 186},  // idx == 347
+	{92, 8, 348, 348, 189},  // idx == 348
+	{93, 8, 349, 349, 190},  // idx == 349
+	{94, 8, 350, 350, 192},  // idx == 350
+	{95, 8, 351, 351, 193},  // idx == 351
+	{96, 8, 352, 352, 199},  // idx == 352
+	{97, 8, 353, 353, 200},  // idx == 353
+	{98, 8, 354, 354, 202},  // idx == 354
+	{99, 8, 355, 355, 203},  // idx == 355
+	{100, 8, 356, 356, 206}, // idx == 356
+	{101, 8, 357, 357, 207}, // idx == 357
+	{102, 8, 358, 358, 209}, // idx == 358
+	{103, 8, 359, 359, 210}, // idx == 359
+	{104, 8, 360, 360, 214}, // idx == 360
+	{105, 8, 361, 361, 215}, // idx == 361
+	{106, 8, 362, 362, 217}, // idx == 362
+	{107, 8, 363, 363, 218}, // idx == 363
+	{108, 8, 364, 364, 221}, // idx == 364
+	{109, 8, 365, 365, 222}, // idx == 365
+	{110, 8, 366, 366, 224}, // idx == 366
+	{111, 8, 367, 367, 225}, // idx == 367
+	{112, 8, 368, 368, 230}, // idx == 368
+	{113, 8, 369, 369, 231}, // idx == 369
+	{114, 8, 370, 370, 233}, // idx == 370
+	{115, 8, 371, 371, 234}, // idx == 371
+	{116, 8, 372, 372, 237}, // idx == 372
+	{117, 8, 373, 373, 238}, // idx == 373
+	{118, 8, 374, 374, 240}, // idx == 374
+	{119, 8, 375, 375, 241}, // idx == 375
+	{120, 8, 376, 376, 245}, // idx == 376
+	{121, 8, 377, 377, 246}, // idx == 377
+	{122, 8, 378, 378, 248}, // idx == 378
+	{123, 8, 379, 379, 249}, // idx == 379
+	{124, 8, 380, 380, 252}, // idx == 380
+	{125, 8, 381, 381, 253}, // idx == 381
+	{126, 8, 382, 382, 255}, // idx == 382
+	{127, 8, 383, 383, 256}, // idx == 383
+	{128, 8, 384, 384, 264}, // idx == 384
+	{129, 8, 385, 385, 265}, // idx == 385
+	{130, 8, 386, 386, 267}, // idx == 386
+	{131, 8, 387, 387, 268}, // idx == 387
+	{132, 8, 388, 388, 271}, // idx == 388
+	{133, 8, 389, 389, 272}, // idx == 389
+	{134, 8, 390, 390, 274}, // idx == 390
+	{135, 8, 391, 391, 275}, // idx == 391
+	{136, 8, 392, 392, 279}, // idx == 392
+	{137, 8, 393, 393, 280}, // idx == 393
+	{138, 8, 394, 394, 282}, // idx == 394
+	{139, 8, 395, 395, 283}, // idx == 395
+	{140, 8, 396, 396, 286}, // idx == 396
+	{141, 8, 397, 397, 287}, // idx == 397
+	{142, 8, 398, 398, 289}, // idx == 398
+	{143, 8, 399, 399, 290}, // idx == 399
+	{144, 8, 400, 400, 295}, // idx == 400
+	{145, 8, 401, 401, 296}, // idx == 401
+	{146, 8, 402, 402, 298}, // idx == 402
+	{147, 8, 403, 403, 299}, // idx == 403
+	{148, 8, 404, 404, 302}, // idx == 404
+	{149, 8, 405, 405, 303}, // idx == 405
+	{150, 8, 406, 406, 305}, // idx == 406
+	{151, 8, 407, 407, 306}, // idx == 407
+	{152, 8, 408, 408, 310}, // idx == 408
+	{153, 8, 409, 409, 311}, // idx == 409
+	{154, 8, 410, 410, 313}, // idx == 410
+	{155, 8, 411, 411, 314}, // idx == 411
+	{156, 8, 412, 412, 317}, // idx == 412
+	{157, 8, 413, 413, 318}, // idx == 413
+	{158, 8, 414, 414, 320}, // idx == 414
+	{159, 8, 415, 415, 321}, // idx == 415
+	{160, 8, 416, 416, 327}, // idx == 416
+	{161, 8, 417, 417, 328}, // idx == 417
+	{162, 8, 418, 418, 330}, // idx == 418
+	{163, 8, 419, 419, 331}, // idx == 419
+	{164, 8, 420, 420, 334}, // idx == 420
+	{165, 8, 421, 421, 335}, // idx == 421
+	{166, 8, 422, 422, 337}, // idx == 422
+	{167, 8, 423, 423, 338}, // idx == 423
+	{168, 8, 424, 424, 342}, // idx == 424
+	{169, 8, 425, 425, 343}, // idx == 425
+	{170, 8, 426, 426, 345}, // idx == 426
+	{171, 8, 427, 427, 346}, // idx == 427
+	{172, 8, 428, 428, 349}, // idx == 428
+	{173, 8, 429, 429, 350}, // idx == 429
+	{174, 8, 430, 430, 352}, // idx == 430
+	{175, 8, 431, 431, 353}, // idx == 431
+	{176, 8, 432, 432, 358}, // idx == 432
+	{177, 8, 433, 433, 359}, // idx == 433
+	{178, 8, 434, 434, 361}, // idx == 434
+	{179, 8, 435, 435, 362}, // idx == 435
+	{180, 8, 436, 436, 365}, // idx == 436
+	{181, 8, 437, 437, 366}, // idx == 437
+	{182, 8, 438, 438, 368}, // idx == 438
+	{183, 8, 439, 439, 369}, // idx == 439
+	{184, 8, 440, 440, 373}, // idx == 440
+	{185, 8, 441, 441, 374}, // idx == 441
+	{186, 8, 442, 442, 376}, // idx == 442
+	{187, 8, 443, 443, 377}, // idx == 443
+	{188, 8, 444, 444, 380}, // idx == 444
+	{189, 8, 445, 445, 381}, // idx == 445
+	{190, 8, 446, 446, 383}, // idx == 446
+	{191, 8, 447, 447, 384}, // idx == 447
+	{192, 8, 448, 448, 391}, // idx == 448
+	{193, 8, 449, 449, 392}, // idx == 449
+	{194, 8, 450, 450, 394}, // idx == 450
+	{195, 8, 451, 451, 395}, // idx == 451
+	{196, 8, 452, 452, 398}, // idx == 452
+	{197, 8, 453, 453, 399}, // idx == 453
+	{198, 8, 454, 454, 401}, // idx == 454
+	{199, 8, 455, 455, 402}, // idx == 455
+	{200, 8, 456, 456, 406}, // idx == 456
+	{201, 8, 457, 457, 407}, // idx == 457
+	{202, 8, 458, 458, 409}, // idx == 458
+	{203, 8, 459, 459, 410}, // idx == 459
+	{204, 8, 460, 460, 413}, // idx == 460
+	{205, 8, 461, 461, 414}, // idx == 461
+	{206, 8, 462, 462, 416}, // idx == 462
+	{207, 8, 463, 463, 417}, // idx == 463
+	{208, 8, 464, 464, 422}, // idx == 464
+	{209, 8, 465, 465, 423}, // idx == 465
+	{210, 8, 466, 466, 425}, // idx == 466
+	{211, 8, 467, 467, 426}, // idx == 467
+	{212, 8, 468, 468, 429}, // idx == 468
+	{213, 8, 469, 469, 430}, // idx == 469
+	{214, 8, 470, 470, 432}, // idx == 470
+	{215, 8, 471, 471, 433}, // idx == 471
+	{216, 8, 472, 472, 437}, // idx == 472
+	{217, 8, 473, 473, 438}, // idx == 473
+	{218, 8, 474, 474, 440}, // idx == 474
+	{219, 8, 475, 475, 441}, // idx == 475
+	{220, 8, 476, 476, 444}, // idx == 476
+	{221, 8, 477, 477, 445}, // idx == 477
+	{222, 8, 478, 478, 447}, // idx == 478
+	{223, 8, 479, 479, 448}, // idx == 479
+	{224, 8, 480, 480, 454}, // idx == 480
+	{225, 8, 481, 481, 455}, // idx == 481
+	{226, 8, 482, 482, 457}, // idx == 482
+	{227, 8, 483, 483, 458}, // idx == 483
+	{228, 8, 484, 484, 461}, // idx == 484
+	{229, 8, 485, 485, 462}, // idx == 485
+	{230, 8, 486, 486, 464}, // idx == 486
+	{231, 8, 487, 487, 465}, // idx == 487
+	{232, 8, 488, 488, 469}, // idx == 488
+	{233, 8, 489, 489, 470}, // idx == 489
+	{234, 8, 490, 490, 472}, // idx == 490
+	{235, 8, 491, 491, 473}, // idx == 491
+	{236, 8, 492, 492, 476}, // idx == 492
+	{237, 8, 493, 493, 477}, // idx == 493
+	{238, 8, 494, 494, 479}, // idx == 494
+	{239, 8, 495, 495, 480}, // idx == 495
+	{240, 8, 496, 496, 485}, // idx == 496
+	{241, 8, 497, 497, 486}, // idx == 497
+	{242, 8, 498, 498, 488}, // idx == 498
+	{243, 8, 499, 499, 489}, // idx == 499
+	{244, 8, 500, 500, 492}, // idx == 500
+	{245, 8, 501, 501, 493}, // idx == 501
+	{246, 8, 502, 502, 495}, // idx == 502
+	{247, 8, 503, 503, 496}, // idx == 503
+	{248, 8, 504, 504, 500}, // idx == 504
+	{249, 8, 505, 505, 501}, // idx == 505
+	{250, 8, 506, 506, 503}, // idx == 506
+	{251, 8, 507, 507, 504}, // idx == 507
+	{252, 8, 508, 508, 507}, // idx == 508
+	{253, 8, 509, 509, 508}, // idx == 509
+	{254, 8, 510, 510, 510}, // idx == 510
+	{255, 8, 511, 511, 511}, // idx == 511
+}

vendor/github.com/gaissmai/bart/dumper.go

@@ -0,0 +1,205 @@
+// Copyright (c) 2024 Karl Gaissmaier
+// SPDX-License-Identifier: MIT
+
+package bart
+
+import (
+	"fmt"
+	"io"
+	"strconv"
+	"strings"
+)
+
+type nodeType byte
+
+const (
+	nullNode         nodeType = iota // empty node
+	fullNode                         // prefixes and children
+	leafNode                         // only prefixes
+	intermediateNode                 // only children
+)
+
+// ##################################################
+//  useful during development, debugging and testing
+// ##################################################
+
+// dumpString is just a wrapper for dump.
+func (t *Table[V]) dumpString() string {
+	w := new(strings.Builder)
+	t.dump(w)
+	return w.String()
+}
+
+// dump the table structure and all the nodes to w.
+//
+//	 Output:
+//
+//		[FULL] depth:  0 path: [] / 0
+//		indexs(#6): 1 66 128 133 266 383
+//		prefxs(#6): 0/0 8/6 0/7 10/7 10/8 127/8
+//		childs(#3): 10 127 192
+//
+//		.[IMED] depth:  1 path: [10] / 8
+//		.childs(#1): 0
+//
+//		..[LEAF] depth:  2 path: [10.0] / 16
+//		..indexs(#2): 256 257
+//		..prefxs(#2): 0/8 1/8
+//
+//		.[IMED] depth:  1 path: [127] / 8
+//		.childs(#1): 0
+//
+//		..[IMED] depth:  2 path: [127.0] / 16
+//		..childs(#1): 0
+//
+//		...[LEAF] depth:  3 path: [127.0.0] / 24
+//		...indexs(#1): 257
+//		...prefxs(#1): 1/8
+//
+// ...
+func (t *Table[V]) dump(w io.Writer) {
+	t.init()
+
+	fmt.Fprint(w, "### IPv4:")
+	t.rootV4.dumpRec(w, zeroPath, 0, true)
+
+	fmt.Fprint(w, "### IPv6:")
+	t.rootV6.dumpRec(w, zeroPath, 0, false)
+}
+
+// dumpRec, rec-descent the trie.
+func (n *node[V]) dumpRec(w io.Writer, path [16]byte, depth int, is4 bool) {
+	n.dump(w, path, depth, is4)
+
+	// make backing arrays, no heap allocs
+	addrBackingArray := [maxNodeChildren]uint{}
+
+	// the node may have childs, the rec-descent monster starts
+	for i, addr := range n.allChildAddrs(addrBackingArray[:]) {
+		octet := byte(addr)
+		child := n.children[i]
+		path[depth] = octet
+
+		child.dumpRec(w, path, depth+1, is4)
+	}
+}
+
+// dump the node to w.
+func (n *node[V]) dump(w io.Writer, path [16]byte, depth int, is4 bool) {
+	bits := depth * strideLen
+	indent := strings.Repeat(".", depth)
+
+	// node type with depth and octet path and bits.
+	fmt.Fprintf(w, "\n%s[%s] depth:  %d path: [%s] / %d\n",
+		indent, n.hasType(), depth, ipStridePath(path, depth, is4), bits)
+
+	if nPfxLen := len(n.prefixes); nPfxLen != 0 {
+		// make backing arrays, no heap allocs
+		idxBackingArray := [maxNodePrefixes]uint{}
+		allIndices := n.allStrideIndexes(idxBackingArray[:])
+
+		// print the baseIndices for this node.
+		fmt.Fprintf(w, "%sindexs(#%d): %v\n", indent, nPfxLen, allIndices)
+
+		// print the prefixes for this node
+		fmt.Fprintf(w, "%sprefxs(#%d):", indent, nPfxLen)
+
+		for _, idx := range allIndices {
+			octet, bits := baseIndexToPrefix(idx)
+			fmt.Fprintf(w, " %s/%d", octetFmt(octet, is4), bits)
+		}
+		fmt.Fprintln(w)
+
+		// print the values for this node
+		fmt.Fprintf(w, "%svalues(#%d):", indent, nPfxLen)
+
+		for _, val := range n.prefixes {
+			fmt.Fprintf(w, " %v", val)
+		}
+		fmt.Fprintln(w)
+	}
+
+	if childs := len(n.children); childs != 0 {
+		// print the childs for this node
+		fmt.Fprintf(w, "%schilds(#%d):", indent, childs)
+
+		addrBackingArray := [maxNodeChildren]uint{}
+		for _, addr := range n.allChildAddrs(addrBackingArray[:]) {
+			octet := byte(addr)
+			fmt.Fprintf(w, " %s", octetFmt(octet, is4))
+		}
+		fmt.Fprintln(w)
+	}
+}
+
+// octetFmt, different format strings for IPv4 and IPv6, decimal versus hex.
+func octetFmt(octet byte, is4 bool) string {
+	if is4 {
+		return fmt.Sprintf("%d", octet)
+	}
+	return fmt.Sprintf("0x%02x", octet)
+}
+
+// ip stride path, different formats for IPv4 and IPv6, dotted decimal or hex.
+//
+//	127.0.0
+//	2001:0d
+func ipStridePath(path [16]byte, depth int, is4 bool) string {
+	buf := new(strings.Builder)
+
+	if is4 {
+		for i, b := range path[:depth] {
+			if i != 0 {
+				buf.WriteString(".")
+			}
+			buf.WriteString(strconv.Itoa(int(b)))
+		}
+		return buf.String()
+	}
+
+	for i, b := range path[:depth] {
+		if i != 0 && i%2 == 0 {
+			buf.WriteString(":")
+		}
+		buf.WriteString(fmt.Sprintf("%02x", b))
+	}
+	return buf.String()
+}
+
+// String implements Stringer for nodeType.
+func (nt nodeType) String() string {
+	switch nt {
+	case nullNode:
+		return "NULL"
+	case fullNode:
+		return "FULL"
+	case leafNode:
+		return "LEAF"
+	case intermediateNode:
+		return "IMED"
+	}
+	panic("unreachable")
+}
+
+// hasType returns the nodeType.
+func (n *node[V]) hasType() nodeType {
+	lenPefixes := len(n.prefixes)
+	lenChilds := len(n.children)
+
+	if lenPefixes == 0 && lenChilds != 0 {
+		return intermediateNode
+	}
+
+	if lenPefixes == 0 && lenChilds == 0 {
+		return nullNode
+	}
+
+	if lenPefixes != 0 && lenChilds == 0 {
+		return leafNode
+	}
+
+	if lenPefixes != 0 && lenChilds != 0 {
+		return fullNode
+	}
+	panic("unreachable")
+}

vendor/github.com/gaissmai/bart/jsonify.go

@@ -0,0 +1,74 @@
+// Copyright (c) 2024 Karl Gaissmaier
+// SPDX-License-Identifier: MIT
+
+package bart
+
+import (
+	"encoding/json"
+	"net/netip"
+	"slices"
+)
+
+// DumpListNode contains CIDR, value and list of subnets (tree childrens).
+type DumpListNode[V any] struct {
+	CIDR    netip.Prefix      `json:"cidr"`
+	Value   V                 `json:"value"`
+	Subnets []DumpListNode[V] `json:"subnets,omitempty"`
+}
+
+// MarshalJSON dumps the table into two sorted lists: for ipv4 and ipv6.
+// Every root and subnet is an array, not a map, because the order matters.
+func (t *Table[V]) MarshalJSON() ([]byte, error) {
+	t.init()
+
+	result := struct {
+		Ipv4 []DumpListNode[V] `json:"ipv4,omitempty"`
+		Ipv6 []DumpListNode[V] `json:"ipv6,omitempty"`
+	}{
+		Ipv4: t.DumpList4(),
+		Ipv6: t.DumpList6(),
+	}
+
+	buf, err := json.Marshal(result)
+	if err != nil {
+		return nil, err
+	}
+
+	return buf, nil
+}
+
+// DumpList4 dumps the ipv4 tree into a list of roots and their subnets.
+// It can be used to analyze the tree or build custom json representation.
+func (t *Table[V]) DumpList4() []DumpListNode[V] {
+	t.init()
+	if t.rootV4 == nil {
+		return nil
+	}
+	return t.rootV4.dumpListRec(0, zeroPath, 0, true)
+}
+
+// DumpList6 dumps the ipv6 tree into a list of roots and their subnets.
+// It can be used to analyze the tree or build custom json representation.
+func (t *Table[V]) DumpList6() []DumpListNode[V] {
+	t.init()
+	if t.rootV6 == nil {
+		return nil
+	}
+	return t.rootV6.dumpListRec(0, zeroPath, 0, false)
+}
+
+func (n *node[V]) dumpListRec(parentIdx uint, path [16]byte, depth int, is4 bool) []DumpListNode[V] {
+	directKids := n.getKidsRec(parentIdx, path, depth, is4)
+	slices.SortFunc(directKids, cmpKidByPrefix[V])
+
+	nodes := make([]DumpListNode[V], 0, len(directKids))
+	for _, kid := range directKids {
+		nodes = append(nodes, DumpListNode[V]{
+			CIDR:    kid.cidr,
+			Value:   kid.val,
+			Subnets: kid.n.dumpListRec(kid.idx, kid.path, kid.depth, is4),
+		})
+	}
+
+	return nodes
+}

vendor/github.com/gaissmai/bart/node.go

@@ -0,0 +1,800 @@
+// Copyright (c) 2024 Karl Gaissmaier
+// SPDX-License-Identifier: MIT
+
+package bart
+
+import (
+	"cmp"
+	"net/netip"
+	"slices"
+
+	"github.com/bits-and-blooms/bitset"
+)
+
+const (
+	strideLen       = 8                    // octet
+	maxTreeDepth    = 128 / strideLen      // 16
+	maxNodeChildren = 1 << strideLen       // 256
+	maxNodePrefixes = 1 << (strideLen + 1) // 512
+)
+
+// zero value, used manifold
+var zeroPath [16]byte
+
+// node is a level node in the multibit-trie.
+// A node has prefixes and children.
+//
+// The prefixes form a complete binary tree, see the artlookup.pdf
+// paper in the doc folder to understand the data structure.
+//
+// In contrast to the ART algorithm, popcount-compressed slices are used
+// instead of fixed-size arrays.
+//
+// The array slots are also not pre-allocated as in the ART algorithm,
+// but backtracking is used for the longest-prefix-match.
+//
+// The lookup is then slower by a factor of about 2, but this is
+// the intended trade-off to prevent memory consumption from exploding.
+type node[V any] struct {
+	prefixesBitset *bitset.BitSet
+	childrenBitset *bitset.BitSet
+
+	// popcount compressed slices
+	prefixes []V
+	children []*node[V]
+}
+
+// newNode, BitSets have to be initialized.
+func newNode[V any]() *node[V] {
+	return &node[V]{
+		prefixesBitset: bitset.New(0), // init BitSet
+		childrenBitset: bitset.New(0), // init BitSet
+	}
+}
+
+// isEmpty returns true if node has neither prefixes nor children.
+func (n *node[V]) isEmpty() bool {
+	return len(n.prefixes) == 0 && len(n.children) == 0
+}
+
+// ################## prefixes ################################
+
+// prefixRank, Rank() is the key of the popcount compression algorithm,
+// mapping between bitset index and slice index.
+func (n *node[V]) prefixRank(baseIdx uint) int {
+	// adjust offset by one to slice index
+	return int(n.prefixesBitset.Rank(baseIdx)) - 1
+}
+
+// insertPrefix adds the route for baseIdx, with value val.
+// If the value already exists, overwrite it with val and return false.
+func (n *node[V]) insertPrefix(baseIdx uint, val V) (ok bool) {
+	// prefix exists, overwrite val
+	if n.prefixesBitset.Test(baseIdx) {
+		n.prefixes[n.prefixRank(baseIdx)] = val
+		return false
+	}
+
+	// new, insert into bitset and slice
+	n.prefixesBitset.Set(baseIdx)
+	n.prefixes = slices.Insert(n.prefixes, n.prefixRank(baseIdx), val)
+	return true
+}
+
+// deletePrefix removes the route octet/prefixLen.
+// Returns false if there was no prefix to delete.
+func (n *node[V]) deletePrefix(octet byte, prefixLen int) (ok bool) {
+	baseIdx := prefixToBaseIndex(octet, prefixLen)
+
+	// no route entry
+	if !n.prefixesBitset.Test(baseIdx) {
+		return false
+	}
+
+	rnk := n.prefixRank(baseIdx)
+
+	// delete from slice
+	n.prefixes = slices.Delete(n.prefixes, rnk, rnk+1)
+
+	// delete from bitset, followed by Compact to reduce memory consumption
+	n.prefixesBitset.Clear(baseIdx)
+	n.prefixesBitset.Compact()
+
+	return true
+}
+
+// updatePrefix, update or set the value at prefix via callback. The new value returned
+// and a bool wether the prefix was already present in the node.
+func (n *node[V]) updatePrefix(octet byte, prefixLen int, cb func(V, bool) V) (newVal V, wasPresent bool) {
+	// calculate idx once
+	baseIdx := prefixToBaseIndex(octet, prefixLen)
+
+	var rnk int
+
+	// if prefix is set, get current value
+	var oldVal V
+	if wasPresent = n.prefixesBitset.Test(baseIdx); wasPresent {
+		rnk = n.prefixRank(baseIdx)
+		oldVal = n.prefixes[rnk]
+	}
+
+	// callback function to get updated or new value
+	newVal = cb(oldVal, wasPresent)
+
+	// prefix is already set, update and return value
+	if wasPresent {
+		n.prefixes[rnk] = newVal
+		return
+	}
+
+	// new prefix, insert into bitset ...
+	n.prefixesBitset.Set(baseIdx)
+
+	// bitset has changed, recalc rank
+	rnk = n.prefixRank(baseIdx)
+
+	// ... and insert value into slice
+	n.prefixes = slices.Insert(n.prefixes, rnk, newVal)
+
+	return
+}
+
+// lpm does a route lookup for idx in the 8-bit (stride) routing table
+// at this depth and returns (baseIdx, value, true) if a matching
+// longest prefix exists, or ok=false otherwise.
+//
+// backtracking is fast, it's just a bitset test and, if found, one popcount.
+// max steps in backtracking is the stride length.
+func (n *node[V]) lpm(idx uint) (baseIdx uint, val V, ok bool) {
+	for baseIdx = idx; baseIdx > 0; baseIdx >>= 1 {
+		if n.prefixesBitset.Test(baseIdx) {
+			// longest prefix match
+			return baseIdx, n.prefixes[n.prefixRank(baseIdx)], true
+		}
+	}
+
+	// not found (on this level)
+	return 0, val, false
+}
+
+// lpmTest for internal use in overlap tests, just return true or false, no value needed.
+func (n *node[V]) lpmTest(baseIdx uint) bool {
+	for idx := baseIdx; idx > 0; idx >>= 1 {
+		if n.prefixesBitset.Test(idx) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// getValue for baseIdx.
+func (n *node[V]) getValue(baseIdx uint) (val V, ok bool) {
+	if n.prefixesBitset.Test(baseIdx) {
+		return n.prefixes[n.prefixRank(baseIdx)], true
+	}
+	return
+}
+
+// allStrideIndexes returns all baseIndexes set in this stride node in ascending order.
+func (n *node[V]) allStrideIndexes(buffer []uint) []uint {
+	if len(n.prefixes) > len(buffer) {
+		panic("logic error, buffer is too small")
+	}
+
+	_, buffer = n.prefixesBitset.NextSetMany(0, buffer)
+	return buffer
+}
+
+// ################## children ################################
+
+// childRank, Rank() is the key of the popcount compression algorithm,
+// mapping between bitset index and slice index.
+func (n *node[V]) childRank(octet byte) int {
+	// adjust offset by one to slice index
+	return int(n.childrenBitset.Rank(uint(octet))) - 1
+}
+
+// insertChild, insert the child
+func (n *node[V]) insertChild(octet byte, child *node[V]) {
+	// child exists, overwrite it
+	if n.childrenBitset.Test(uint(octet)) {
+		n.children[n.childRank(octet)] = child
+		return
+	}
+
+	// new insert into bitset and slice
+	n.childrenBitset.Set(uint(octet))
+	n.children = slices.Insert(n.children, n.childRank(octet), child)
+}
+
+// deleteChild, delete the child at octet. It is valid to delete a non-existent child.
+func (n *node[V]) deleteChild(octet byte) {
+	if !n.childrenBitset.Test(uint(octet)) {
+		return
+	}
+
+	rnk := n.childRank(octet)
+
+	// delete from slice
+	n.children = slices.Delete(n.children, rnk, rnk+1)
+
+	// delete from bitset, followed by Compact to reduce memory consumption
+	n.childrenBitset.Clear(uint(octet))
+	n.childrenBitset.Compact()
+}
+
+// getChild returns the child pointer for octet, or nil if none.
+func (n *node[V]) getChild(octet byte) *node[V] {
+	if !n.childrenBitset.Test(uint(octet)) {
+		return nil
+	}
+
+	return n.children[n.childRank(octet)]
+}
+
+// allChildAddrs fills the buffer with the octets of all child nodes in ascending order,
+// panics if the buffer isn't big enough.
+func (n *node[V]) allChildAddrs(buffer []uint) []uint {
+	if len(n.children) > len(buffer) {
+		panic("logic error, buffer is too small")
+	}
+
+	_, buffer = n.childrenBitset.NextSetMany(0, buffer)
+	return buffer
+}
+
+// #################### nodes #############################################
+
+// eachLookupPrefix does an all prefix match in the 8-bit (stride) routing table
+// at this depth and calls yield() for any matching CIDR.
+func (n *node[V]) eachLookupPrefix(path [16]byte, depth int, is4 bool, octet byte, bits int, yield func(pfx netip.Prefix, val V) bool) bool {
+	for idx := prefixToBaseIndex(octet, bits); idx > 0; idx >>= 1 {
+		if n.prefixesBitset.Test(idx) {
+			cidr, _ := cidrFromPath(path, depth, is4, idx)
+			val, _ := n.getValue(idx)
+
+			if !yield(cidr, val) {
+				// early exit
+				return false
+			}
+		}
+	}
+
+	return true
+}
+
+// overlapsRec returns true if any IP in the nodes n or o overlaps.
+func (n *node[V]) overlapsRec(o *node[V]) bool {
+	// ##############################
+	// 1. test if any routes overlaps
+	// ##############################
+
+	nPfxLen := len(n.prefixes)
+	oPfxLen := len(o.prefixes)
+
+	if oPfxLen > 0 && nPfxLen > 0 {
+
+		// some prefixes are identical
+		if n.prefixesBitset.IntersectionCardinality(o.prefixesBitset) > 0 {
+			return true
+		}
+
+		var nIdx, oIdx uint
+
+		nOK := nPfxLen > 0
+		oOK := oPfxLen > 0
+
+		// zip, range over n and o at the same time to help chance on its way
+		for nOK || oOK {
+
+			if nOK {
+				// does any route in o overlap this prefix from n
+				if nIdx, nOK = n.prefixesBitset.NextSet(nIdx); nOK {
+					if o.lpmTest(nIdx) {
+						return true
+					}
+				}
+				nIdx++
+			}
+
+			if oOK {
+				// does any route in n overlap this prefix from o
+				if oIdx, oOK = o.prefixesBitset.NextSet(oIdx); oOK {
+					if n.lpmTest(oIdx) {
+						return true
+					}
+				}
+				oIdx++
+			}
+		}
+	}
+
+	// ####################################
+	// 2. test if routes overlaps any child
+	// ####################################
+
+	nChildLen := len(n.children)
+	oChildLen := len(o.children)
+
+	var nAddr, oAddr uint
+
+	nOK := nChildLen > 0 && oPfxLen > 0 // test the childs in n against the routes in o
+	oOK := oChildLen > 0 && nPfxLen > 0 // test the childs in o against the routes in n
+
+	// zip, range over n and o at the same time to help chance on its way
+	for nOK || oOK {
+
+		if nOK {
+			// does any route in o overlap this child from n
+			if nAddr, nOK = n.childrenBitset.NextSet(nAddr); nOK {
+				if o.lpmTest(octetToBaseIndex(byte(nAddr))) {
+					return true
+				}
+			}
+			nAddr++
+		}
+
+		if oOK {
+			// does any route in n overlap this child from o
+			if oAddr, oOK = o.childrenBitset.NextSet(oAddr); oOK {
+				if n.lpmTest(octetToBaseIndex(byte(oAddr))) {
+					return true
+				}
+			}
+			oAddr++
+		}
+	}
+
+	// ################################################################
+	// 3. rec-descent call for childs with same octet in nodes n and o
+	// ################################################################
+
+	// stop condition, n or o have no childs
+	if nChildLen == 0 || oChildLen == 0 {
+		return false
+	}
+
+	// stop condition, no child with identical octet in n and o
+	if n.childrenBitset.IntersectionCardinality(o.childrenBitset) == 0 {
+		return false
+	}
+
+	// swap the nodes, range over shorter bitset
+	if nChildLen > oChildLen {
+		n, o = o, n
+	}
+
+	addrBackingArray := [maxNodeChildren]uint{}
+	for i, addr := range n.allChildAddrs(addrBackingArray[:]) {
+		oChild := o.getChild(byte(addr))
+		if oChild == nil {
+			// no child in o with this octet
+			continue
+		}
+
+		// we have the slice index for n
+		nChild := n.children[i]
+
+		// rec-descent
+		if nChild.overlapsRec(oChild) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// overlapsPrefix returns true if node overlaps with prefix.
+func (n *node[V]) overlapsPrefix(octet byte, pfxLen int) bool {
+	// ##################################################
+	// 1. test if any route in this node overlaps prefix?
+	// ##################################################
+
+	pfxIdx := prefixToBaseIndex(octet, pfxLen)
+	if n.lpmTest(pfxIdx) {
+		return true
+	}
+
+	// #################################################
+	// 2. test if prefix overlaps any route in this node
+	// #################################################
+
+	// lower/upper boundary for host routes
+	pfxLower, pfxUpper := hostRoutesByIndex(pfxIdx)
+
+	// increment to 'next' routeIdx for start in bitset search
+	// since pfxIdx already testet by lpm in other direction
+	routeIdx := pfxIdx * 2
+	var ok bool
+	for {
+		if routeIdx, ok = n.prefixesBitset.NextSet(routeIdx); !ok {
+			break
+		}
+
+		routeLower, routeUpper := hostRoutesByIndex(routeIdx)
+		if routeLower >= pfxLower && routeUpper <= pfxUpper {
+			return true
+		}
+
+		// next route
+		routeIdx++
+	}
+
+	// #################################################
+	// 3. test if prefix overlaps any child in this node
+	// #################################################
+
+	// set start octet in bitset search with prefix octet
+	addr := uint(octet)
+	for {
+		if addr, ok = n.childrenBitset.NextSet(addr); !ok {
+			break
+		}
+
+		idx := addr + firstHostIndex
+		if idx >= pfxLower && idx <= pfxUpper {
+			return true
+		}
+
+		// next round
+		addr++
+	}
+
+	return false
+}
+
+// eachSubnet calls yield() for any covered CIDR by parent prefix.
+func (n *node[V]) eachSubnet(path [16]byte, depth int, is4 bool, parentOctet byte, pfxLen int, yield func(pfx netip.Prefix, val V) bool) bool {
+	// collect all routes covered by this pfx
+	// see also algorithm in overlapsPrefix
+
+	// can't use lpm, search prefix has no node
+	parentIdx := prefixToBaseIndex(parentOctet, pfxLen)
+	parentLower, parentUpper := hostRoutesByIndex(parentIdx)
+
+	// start bitset search at parentIdx
+	idx := parentIdx
+	var ok bool
+	for {
+		if idx, ok = n.prefixesBitset.NextSet(idx); !ok {
+			break
+		}
+
+		// can't use lpm, search prefix has no node
+		lower, upper := hostRoutesByIndex(idx)
+
+		// idx is covered by parentIdx?
+		if lower >= parentLower && upper <= parentUpper {
+			val, _ := n.getValue(idx)
+			cidr, _ := cidrFromPath(path, depth, is4, idx)
+
+			if !yield(cidr, val) {
+				// early exit
+				return false
+			}
+
+		}
+
+		idx++
+	}
+
+	// collect all children covered
+	var addr uint
+	for {
+		if addr, ok = n.childrenBitset.NextSet(addr); !ok {
+			break
+		}
+		octet := byte(addr)
+
+		// make host route for comparison with lower, upper
+		idx := octetToBaseIndex(octet)
+
+		// is child covered?
+		if idx >= parentLower && idx <= parentUpper {
+			c := n.getChild(octet)
+
+			// add (set) this octet to path
+			path[depth] = octet
+
+			// all cidrs under this child are covered by pfx
+			if !c.allRec(path, depth+1, is4, yield) {
+				// early exit
+				return false
+			}
+		}
+
+		addr++
+	}
+
+	return true
+}
+
+// unionRec combines two nodes, changing the receiver node.
+// If there are duplicate entries, the value is taken from the other node.
+// Count duplicate entries to adjust the t.size struct members.
+func (n *node[V]) unionRec(o *node[V]) (duplicates int) {
+	// make backing arrays, no heap allocs
+	idxBackingArray := [maxNodePrefixes]uint{}
+
+	// for all prefixes in other node do ...
+	for _, oIdx := range o.allStrideIndexes(idxBackingArray[:]) {
+		// insert/overwrite prefix/value from oNode to nNode
+		oVal, _ := o.getValue(oIdx)
+		if !n.insertPrefix(oIdx, oVal) {
+			duplicates++
+		}
+	}
+
+	// make backing arrays, no heap allocs
+	addrBackingArray := [maxNodeChildren]uint{}
+
+	// for all children in other node do ...
+	for i, oOctet := range o.allChildAddrs(addrBackingArray[:]) {
+		octet := byte(oOctet)
+
+		// we know the slice index, faster as o.getChild(octet)
+		oc := o.children[i]
+
+		// get n child with same octet,
+		// we don't know the slice index in n.children
+		nc := n.getChild(octet)
+
+		if nc == nil {
+			// insert cloned child from oNode into nNode
+			n.insertChild(octet, oc.cloneRec())
+		} else {
+			// both nodes have child with octet, call union rec-descent
+			duplicates += nc.unionRec(oc)
+		}
+	}
+	return duplicates
+}
+
+// cloneRec, clones the node recursive.
+func (n *node[V]) cloneRec() *node[V] {
+	c := newNode[V]()
+	if n.isEmpty() {
+		return c
+	}
+
+	c.prefixesBitset = n.prefixesBitset.Clone() // deep
+	c.prefixes = slices.Clone(n.prefixes)       // shallow values
+
+	c.childrenBitset = n.childrenBitset.Clone() // deep
+	c.children = slices.Clone(n.children)       // shallow
+
+	// now clone the children deep
+	for i, child := range c.children {
+		c.children[i] = child.cloneRec()
+	}
+
+	return c
+}
+
+// allRec runs recursive the trie, starting at this node and
+// the yield function is called for each route entry with prefix and value.
+// If the yield function returns false the recursion ends prematurely and the
+// false value is propagated.
+//
+// The iteration order is not defined, just the simplest and fastest recursive implementation.
+func (n *node[V]) allRec(path [16]byte, depth int, is4 bool, yield func(netip.Prefix, V) bool) bool {
+	// for all prefixes in this node do ...
+	idxBackingArray := [maxNodePrefixes]uint{}
+	for _, idx := range n.allStrideIndexes(idxBackingArray[:]) {
+		val, _ := n.getValue(idx)
+		cidr, _ := cidrFromPath(path, depth, is4, idx)
+
+		// make the callback for this prefix
+		if !yield(cidr, val) {
+			// early exit
+			return false
+		}
+	}
+
+	// for all children in this node do ...
+	addrBackingArray := [maxNodeChildren]uint{}
+	for i, addr := range n.allChildAddrs(addrBackingArray[:]) {
+		child := n.children[i]
+		path[depth] = byte(addr)
+
+		if !child.allRec(path, depth+1, is4, yield) {
+			// early exit
+			return false
+		}
+	}
+
+	return true
+}
+
+// allRecSorted runs recursive the trie, starting at node and
+// the yield function is called for each route entry with prefix and value.
+// If the yield function returns false the recursion ends prematurely and the
+// false value is propagated.
+//
+// The iteration is in prefix sort order, it's a very complex implemenation compared with allRec.
+func (n *node[V]) allRecSorted(path [16]byte, depth int, is4 bool, yield func(netip.Prefix, V) bool) bool {
+	// make backing arrays, no heap allocs
+	addrBackingArray := [maxNodeChildren]uint{}
+	idxBackingArray := [maxNodePrefixes]uint{}
+
+	// get slice of all child octets, sorted by addr
+	childAddrs := n.allChildAddrs(addrBackingArray[:])
+	childCursor := 0
+
+	// get slice of all indexes, sorted by idx
+	allIndices := n.allStrideIndexes(idxBackingArray[:])
+
+	// re-sort indexes by prefix in place
+	slices.SortFunc(allIndices, cmpIndexRank)
+
+	// example for entry with root node:
+	//
+	//  ▼
+	//  ├─ 0.0.0.1/32        <-- FOOTNOTE A: child  0     in first node
+	//  ├─ 10.0.0.0/7        <-- FOOTNOTE B: prefix 10/7  in first node
+	//  │  └─ 10.0.0.0/8     <-- FOOTNOTE C: prefix 10/8  in first node
+	//  │     └─ 10.0.0.1/32 <-- FOOTNOTE D: child  10    in first node
+	//  ├─ 127.0.0.0/8       <-- FOOTNOTE E: prefix 127/8 in first node
+	//  └─ 192.168.0.0/16    <-- FOOTNOTE F: child  192   in first node
+
+	// range over all indexes in this node, now in prefix sort order
+	// FOOTNOTE: B, C, E
+	for i, idx := range allIndices {
+		// get the host routes for this index
+		lower, upper := hostRoutesByIndex(idx)
+
+		// adjust host routes for this idx in case the host routes
+		// of the following idx overlaps
+		// FOOTNOTE: B and C have overlaps in host routes
+		// FOOTNOTE: C, E don't overlap in host routes
+		// FOOTNOTE: E has no following prefix in this node
+		if i+1 < len(allIndices) {
+			lower, upper = adjustHostRoutes(idx, allIndices[i+1])
+		}
+
+		// handle childs before the host routes of idx
+		// FOOTNOTE: A
+		for j := childCursor; j < len(childAddrs); j++ {
+			addr := childAddrs[j]
+			octet := byte(addr)
+
+			if octetToBaseIndex(octet) >= lower {
+				// lower border of host routes
+				break
+			}
+
+			// we know the slice index, faster as n.getChild(octet)
+			c := n.children[j]
+
+			// add (set) this octet to path
+			path[depth] = octet
+
+			if !c.allRecSorted(path, depth+1, is4, yield) {
+				// early exit
+				return false
+			}
+
+			childCursor++
+		}
+
+		// FOOTNOTE: B, C, F
+		// now handle prefix for idx
+		val, _ := n.getValue(idx)
+		cidr, _ := cidrFromPath(path, depth, is4, idx)
+
+		if !yield(cidr, val) {
+			// early exit
+			return false
+		}
+
+		// handle the children in host routes for this prefix
+		// FOOTNOTE: D
+		for j := childCursor; j < len(childAddrs); j++ {
+			addr := childAddrs[j]
+			octet := byte(addr)
+			if octetToBaseIndex(octet) > upper {
+				// out of host routes
+				break
+			}
+
+			// we know the slice index, faster as n.getChild(octet)
+			c := n.children[j]
+
+			// add (set) this octet to path
+			path[depth] = octet
+
+			if !c.allRecSorted(path, depth+1, is4, yield) {
+				// early exit
+				return false
+			}
+
+			childCursor++
+		}
+	}
+
+	// FOOTNOTE: F
+	// handle all the rest of the children
+	for j := childCursor; j < len(childAddrs); j++ {
+		addr := childAddrs[j]
+		octet := byte(addr)
+
+		// we know the slice index, faster as n.getChild(octet)
+		c := n.children[j]
+
+		// add (set) this octet to path
+		path[depth] = octet
+
+		if !c.allRecSorted(path, depth+1, is4, yield) {
+			// early exit
+			return false
+		}
+	}
+
+	return true
+}
+
+// adjustHostRoutes, helper function to adjust the lower, upper bounds of the
+// host routes in case the host routes of the next idx overlaps
+func adjustHostRoutes(idx, next uint) (lower, upper uint) {
+	lower, upper = hostRoutesByIndex(idx)
+
+	// get the lower host route border of the next idx
+	nextLower, _ := hostRoutesByIndex(next)
+
+	// is there an overlap?
+	switch {
+	case nextLower == lower:
+		upper = 0
+
+		// [------------] idx
+		// [-----]        next
+		// make host routes for this idx invalid
+		//
+		// ][             idx
+		// [-----]^^^^^^] next
+		//
+		//  these ^^^^^^ children are handled before next prefix
+		//
+		// sorry, I know, it's completely confusing
+
+	case nextLower <= upper:
+		upper = nextLower - 1
+
+		// [------------] idx
+		//       [------] next
+		//
+		// shrink host routes for this idx
+		// [----][------] idx, next
+		//      ^
+	}
+
+	return lower, upper
+}
+
+// numPrefixesRec, calculate the number of prefixes under n.
+func (n *node[V]) numPrefixesRec() int {
+	size := len(n.prefixes) // this node
+	for _, c := range n.children {
+		size += c.numPrefixesRec()
+	}
+	return size
+}
+
+// numNodesRec, calculate the number of nodes under n.
+func (n *node[V]) numNodesRec() int {
+	size := 1 // this node
+	for _, c := range n.children {
+		size += c.numNodesRec()
+	}
+	return size
+}
+
+// cmpPrefix, compare func for prefix sort,
+// all cidrs are already normalized
+func cmpPrefix(a, b netip.Prefix) int {
+	if cmp := a.Addr().Compare(b.Addr()); cmp != 0 {
+		return cmp
+	}
+	return cmp.Compare(a.Bits(), b.Bits())
+}

vendor/github.com/gaissmai/bart/stringify.go

@@ -0,0 +1,213 @@
+// Copyright (c) 2024 Karl Gaissmaier
+// SPDX-License-Identifier: MIT
+
+package bart
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/netip"
+	"slices"
+	"strings"
+)
+
+// kid, a node has no path information about its predecessors,
+// we collect this during the recursive descent.
+// The path/depth/idx is needed to get the CIDR back.
+type kid[V any] struct {
+	// for traversing
+	n     *node[V]
+	path  [16]byte
+	depth int
+	idx   uint
+
+	// for printing
+	cidr netip.Prefix
+	val  V
+}
+
+// MarshalText implements the encoding.TextMarshaler interface,
+// just a wrapper for [Table.Fprint].
+func (t *Table[V]) MarshalText() ([]byte, error) {
+	t.init()
+	w := new(bytes.Buffer)
+	if err := t.Fprint(w); err != nil {
+		return nil, err
+	}
+	return w.Bytes(), nil
+}
+
+// String returns a hierarchical tree diagram of the ordered CIDRs
+// as string, just a wrapper for [Table.Fprint].
+// If Fprint returns an error, String panics.
+func (t *Table[V]) String() string {
+	t.init()
+	w := new(strings.Builder)
+	if err := t.Fprint(w); err != nil {
+		panic(err)
+	}
+	return w.String()
+}
+
+// Fprint writes a hierarchical tree diagram of the ordered CIDRs to w.
+// If w is nil, Fprint panics.
+//
+// The order from top to bottom is in ascending order of the prefix address
+// and the subtree structure is determined by the CIDRs coverage.
+//
+//	▼
+//	├─ 10.0.0.0/8 (9.9.9.9)
+//	│  ├─ 10.0.0.0/24 (8.8.8.8)
+//	│  └─ 10.0.1.0/24 (10.0.0.0)
+//	├─ 127.0.0.0/8 (127.0.0.1)
+//	│  └─ 127.0.0.1/32 (127.0.0.1)
+//	├─ 169.254.0.0/16 (10.0.0.0)
+//	├─ 172.16.0.0/12 (8.8.8.8)
+//	└─ 192.168.0.0/16 (9.9.9.9)
+//	   └─ 192.168.1.0/24 (127.0.0.1)
+//	▼
+//	└─ ::/0 (2001:db8::1)
+//	   ├─ ::1/128 (::1%lo)
+//	   ├─ 2000::/3 (2001:db8::1)
+//	   │  └─ 2001:db8::/32 (2001:db8::1)
+//	   └─ fe80::/10 (::1%eth0)
+func (t *Table[V]) Fprint(w io.Writer) error {
+	t.init()
+
+	if err := t.fprint(w, true); err != nil {
+		return err
+	}
+
+	if err := t.fprint(w, false); err != nil {
+		return err
+	}
+	return nil
+}
+
+// fprint is the version dependent adapter to fprintRec.
+func (t *Table[V]) fprint(w io.Writer, is4 bool) error {
+	n := t.rootNodeByVersion(is4)
+	if n.isEmpty() {
+		return nil
+	}
+
+	if _, err := fmt.Fprint(w, "▼\n"); err != nil {
+		return err
+	}
+	if err := n.fprintRec(w, 0, zeroPath, 0, is4, ""); err != nil {
+		return err
+	}
+	return nil
+}
+
+// fprintRec, the output is a hierarchical CIDR tree starting with parentIdx and byte path.
+func (n *node[V]) fprintRec(w io.Writer, parentIdx uint, path [16]byte, depth int, is4 bool, pad string) error {
+	// get direct childs for this parentIdx ...
+	directKids := n.getKidsRec(parentIdx, path, depth, is4)
+
+	// sort them by netip.Prefix, not by baseIndex
+	slices.SortFunc(directKids, cmpKidByPrefix[V])
+
+	// symbols used in tree
+	glyphe := "├─ "
+	spacer := "│  "
+
+	// for all direct kids under this node ...
+	for i, kid := range directKids {
+		// ... treat last kid special
+		if i == len(directKids)-1 {
+			glyphe = "└─ "
+			spacer = "   "
+		}
+
+		// print prefix and val, padded with glyphe
+		if _, err := fmt.Fprintf(w, "%s%s (%v)\n", pad+glyphe, kid.cidr, kid.val); err != nil {
+			return err
+		}
+
+		// rec-descent with this prefix as parentIdx.
+		// hierarchical nested tree view, two rec-descent functions
+		// work together to spoil the reader.
+		if err := kid.n.fprintRec(w, kid.idx, kid.path, kid.depth, is4, pad+spacer); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// getKidsRec, returns the direct kids below path and parentIdx.
+// It's a recursive monster together with printRec,
+// you have to know the data structure by heart to understand this function!
+//
+// See the  artlookup.pdf paper in the doc folder,
+// the baseIndex function is the key.
+func (n *node[V]) getKidsRec(parentIdx uint, path [16]byte, depth int, is4 bool) []kid[V] {
+	directKids := []kid[V]{}
+
+	// make backing arrays, no heap allocs
+	idxBackingArray := [maxNodePrefixes]uint{}
+	for _, idx := range n.allStrideIndexes(idxBackingArray[:]) {
+		// parent or self, handled alreday in an upper stack frame.
+		if idx <= parentIdx {
+			continue
+		}
+
+		// check if lpmIdx for this idx' parent is equal to parentIdx
+		lpmIdx, _, _ := n.lpm(idx >> 1)
+		if lpmIdx == parentIdx {
+			// idx is directKid
+			val, _ := n.getValue(idx)
+			cidr, _ := cidrFromPath(path, depth, is4, idx)
+
+			directKids = append(directKids, kid[V]{n, path, depth, idx, cidr, val})
+		}
+	}
+
+	// the node may have childs, the rec-descent monster starts
+	addrBackingArray := [maxNodeChildren]uint{}
+	for i, addr := range n.allChildAddrs(addrBackingArray[:]) {
+		octet := byte(addr)
+		// do a longest-prefix-match
+		lpmIdx, _, _ := n.lpm(octetToBaseIndex(octet))
+		if lpmIdx == parentIdx {
+			c := n.children[i]
+			path[depth] = octet
+
+			// traverse, rec-descent call with next child node
+			directKids = append(directKids, c.getKidsRec(0, path, depth+1, is4)...)
+		}
+	}
+
+	return directKids
+}
+
+// cidrFromPath, get prefix back from byte path, depth, octet and pfxLen.
+func cidrFromPath(path [16]byte, depth int, is4 bool, idx uint) (netip.Prefix, error) {
+	octet, pfxLen := baseIndexToPrefix(idx)
+
+	// set (partially) masked byte in path at depth
+	path[depth] = octet
+
+	// make ip addr from octets
+	var ip netip.Addr
+	if is4 {
+		b4 := [4]byte{}
+		copy(b4[:], path[:4])
+		ip = netip.AddrFrom4(b4)
+	} else {
+		ip = netip.AddrFrom16(path)
+	}
+
+	// calc bits with pathLen and pfxLen
+	bits := depth*strideLen + pfxLen
+
+	// make a normalized prefix from ip/bits
+	return ip.Prefix(bits)
+}
+
+// cmpKidByPrefix, all prefixes are already normalized (Masked).
+func cmpKidByPrefix[V any](a, b kid[V]) int {
+	return cmpPrefix(a.cidr, b.cidr)
+}

vendor/github.com/gaissmai/bart/table.go

@@ -0,0 +1,821 @@
+// Copyright (c) 2024 Karl Gaissmaier
+// SPDX-License-Identifier: MIT
+
+// package bart provides a Balanced-Routing-Table (BART).
+//
+// BART is balanced in terms of memory consumption versus
+// lookup time.
+//
+// The lookup time is by a factor of ~2 slower on average as the
+// routing algorithms ART, SMART, CPE, ... but reduces the memory
+// consumption by an order of magnitude in comparison.
+//
+// BART is a multibit-trie with fixed stride length of 8 bits,
+// using the _baseIndex_ function from the ART algorithm to
+// build the complete-binary-tree (CBT) of prefixes for each stride.
+//
+// The second key factor is popcount array compression at each stride level
+// of the CBT prefix tree and backtracking along the CBT in O(k).
+//
+// The CBT is implemented as a bitvector, backtracking is just
+// a matter of fast cache friendly bitmask operations.
+//
+// The child array at each stride level is also popcount compressed.
+package bart
+
+import (
+	"net/netip"
+	"sync"
+)
+
+// Table is an IPv4 and IPv6 routing table with payload V.
+// The zero value is ready to use.
+//
+// The Table is safe for concurrent readers but not for
+// concurrent readers and/or writers.
+type Table[V any] struct {
+	rootV4 *node[V]
+	rootV6 *node[V]
+
+	size4 int
+	size6 int
+
+	// BitSets have to be initialized.
+	initOnce sync.Once
+}
+
+// init BitSets once, so no constructor is needed
+func (t *Table[V]) init() {
+	// upfront nil test, faster than the atomic load in sync.Once.Do
+	// this makes bulk inserts 5% faster and the table is not safe
+	// for concurrent writers anyway
+	if t.rootV6 != nil {
+		return
+	}
+
+	t.initOnce.Do(func() {
+		t.rootV4 = newNode[V]()
+		t.rootV6 = newNode[V]()
+	})
+}
+
+// rootNodeByVersion, select root node for ip version.
+func (t *Table[V]) rootNodeByVersion(is4 bool) *node[V] {
+	if is4 {
+		return t.rootV4
+	}
+	return t.rootV6
+}
+
+// Insert adds pfx to the tree, with value val.
+// If pfx is already present in the tree, its value is set to val.
+func (t *Table[V]) Insert(pfx netip.Prefix, val V) {
+	t.init()
+
+	if !pfx.IsValid() {
+		return
+	}
+
+	// values derived from pfx
+	ip := pfx.Addr()
+	is4 := ip.Is4()
+	bits := pfx.Bits()
+
+	// get the root node of the routing table
+	n := t.rootNodeByVersion(is4)
+
+	// Do not allocate!
+	// As16() is inlined, the prefered AsSlice() is too complex for inlining.
+	// starting with go1.23 we can use AsSlice(),
+	// see https://github.com/golang/go/issues/56136
+
+	a16 := ip.As16()
+	octets := a16[:]
+	if is4 {
+		octets = octets[12:]
+	}
+
+	// 10.0.0.0/8    -> 0
+	// 10.12.0.0/15  -> 1
+	// 10.12.0.0/16  -> 1
+	// 10.12.10.9/32 -> 3
+	lastOctetIdx := (bits - 1) / strideLen
+
+	// 10.0.0.0/8    -> 10
+	// 10.12.0.0/15  -> 12
+	// 10.12.0.0/16  -> 12
+	// 10.12.10.9/32 -> 9
+	lastOctet := octets[lastOctetIdx]
+
+	// 10.0.0.0/8    -> 8
+	// 10.12.0.0/15  -> 7
+	// 10.12.0.0/16  -> 8
+	// 10.12.10.9/32 -> 8
+	lastOctetBits := bits - (lastOctetIdx * strideLen)
+
+	// mask the prefix, this is faster than netip.Prefix.Masked()
+	lastOctet = lastOctet & netMask(lastOctetBits)
+
+	// find the proper trie node to insert prefix
+	for _, octet := range octets[:lastOctetIdx] {
+		// descend down to next trie level
+		c := n.getChild(octet)
+		if c == nil {
+			// create and insert missing intermediate child
+			c = newNode[V]()
+			n.insertChild(octet, c)
+		}
+
+		// proceed with next level
+		n = c
+	}
+
+	// insert prefix/val into node
+	if n.insertPrefix(prefixToBaseIndex(lastOctet, lastOctetBits), val) {
+		t.sizeUpdate(is4, 1)
+	}
+}
+
+// Update or set the value at pfx with a callback function.
+// The callback function is called with (value, ok) and returns a new value..
+//
+// If the pfx does not already exist, it is set with the new value.
+func (t *Table[V]) Update(pfx netip.Prefix, cb func(val V, ok bool) V) (newVal V) {
+	t.init()
+	if !pfx.IsValid() {
+		var zero V
+		return zero
+	}
+
+	// values derived from pfx
+	ip := pfx.Addr()
+	is4 := ip.Is4()
+	bits := pfx.Bits()
+
+	n := t.rootNodeByVersion(is4)
+
+	// do not allocate
+	a16 := ip.As16()
+	octets := a16[:]
+	if is4 {
+		octets = octets[12:]
+	}
+
+	// see comment in Insert()
+	lastOctetIdx := (bits - 1) / strideLen
+	lastOctet := octets[lastOctetIdx]
+	lastOctetBits := bits - (lastOctetIdx * strideLen)
+
+	// mask the prefix
+	lastOctet = lastOctet & netMask(lastOctetBits)
+
+	// find the proper trie node to update prefix
+	for _, octet := range octets[:lastOctetIdx] {
+		// descend down to next trie level
+		c := n.getChild(octet)
+		if c == nil {
+			// create and insert missing intermediate child
+			c = newNode[V]()
+			n.insertChild(octet, c)
+		}
+
+		// proceed with next level
+		n = c
+	}
+
+	// update/insert prefix into node
+	var wasPresent bool
+	newVal, wasPresent = n.updatePrefix(lastOctet, lastOctetBits, cb)
+	if !wasPresent {
+		t.sizeUpdate(is4, 1)
+	}
+
+	return newVal
+}
+
+// Get returns the associated payload for prefix and true, or false if
+// prefix is not set in the routing table.
+func (t *Table[V]) Get(pfx netip.Prefix) (val V, ok bool) {
+	if !pfx.IsValid() {
+		return
+	}
+
+	// values derived from pfx
+	ip := pfx.Addr()
+	is4 := ip.Is4()
+	bits := pfx.Bits()
+
+	n := t.rootNodeByVersion(is4)
+	if n == nil {
+		return
+	}
+
+	// do not allocate
+	a16 := ip.As16()
+	octets := a16[:]
+	if is4 {
+		octets = octets[12:]
+	}
+
+	// see comment in Insert()
+	lastOctetIdx := (bits - 1) / strideLen
+	lastOctet := octets[lastOctetIdx]
+	lastOctetBits := bits - (lastOctetIdx * strideLen)
+
+	// mask the prefix
+	lastOctet = lastOctet & netMask(lastOctetBits)
+
+	// find the proper trie node
+	for _, octet := range octets[:lastOctetIdx] {
+		c := n.getChild(octet)
+		if c == nil {
+			// not found
+			return
+		}
+		n = c
+	}
+	return n.getValue(prefixToBaseIndex(lastOctet, lastOctetBits))
+}
+
+// Delete removes pfx from the tree, pfx does not have to be present.
+func (t *Table[V]) Delete(pfx netip.Prefix) {
+	if !pfx.IsValid() {
+		return
+	}
+
+	// values derived from pfx
+	ip := pfx.Addr()
+	is4 := ip.Is4()
+	bits := pfx.Bits()
+
+	n := t.rootNodeByVersion(is4)
+	if n == nil {
+		return
+	}
+
+	// do not allocate
+	a16 := ip.As16()
+	octets := a16[:]
+	if is4 {
+		octets = octets[12:]
+	}
+
+	// see comment in Insert()
+	lastOctetIdx := (bits - 1) / strideLen
+	lastOctet := octets[lastOctetIdx]
+	lastOctetBits := bits - (lastOctetIdx * strideLen)
+
+	// mask the prefix
+	lastOctet = lastOctet & netMask(lastOctetBits)
+	octets[lastOctetIdx] = lastOctet
+
+	// record path to deleted node
+	stack := [maxTreeDepth]*node[V]{}
+
+	// run variable as stackPointer, see below
+	var i int
+
+	// find the trie node
+	for i = range octets {
+		// push current node on stack for path recording
+		stack[i] = n
+
+		if i == lastOctetIdx {
+			break
+		}
+
+		// descend down to next level
+		c := n.getChild(octets[i])
+		if c == nil {
+			return
+		}
+		n = c
+	}
+
+	// try to delete prefix in trie node
+	if !n.deletePrefix(lastOctet, lastOctetBits) {
+		// nothing deleted
+		return
+	}
+	t.sizeUpdate(is4, -1)
+
+	// purge dangling nodes after successful deletion
+	for i > 0 {
+		if n.isEmpty() {
+			// purge empty node from parents children
+			parent := stack[i-1]
+			parent.deleteChild(octets[i-1])
+		}
+
+		// unwind the stack
+		i--
+		n = stack[i]
+	}
+}
+
+// Lookup does a route lookup (longest prefix match) for IP and
+// returns the associated value and true, or false if no route matched.
+func (t *Table[V]) Lookup(ip netip.Addr) (val V, ok bool) {
+	if !ip.IsValid() {
+		return
+	}
+
+	is4 := ip.Is4()
+
+	n := t.rootNodeByVersion(is4)
+	if n == nil {
+		return
+	}
+
+	// do not allocate
+	a16 := ip.As16()
+	octets := a16[:]
+	if is4 {
+		octets = octets[12:]
+	}
+
+	// stack of the traversed nodes for fast backtracking, if needed
+	stack := [maxTreeDepth]*node[V]{}
+
+	// run variable, used after for loop
+	var i int
+	var octet byte
+
+	// find leaf node
+	for i, octet = range octets {
+		// push current node on stack for fast backtracking
+		stack[i] = n
+
+		// go down in tight loop to leaf node
+		c := n.getChild(octet)
+		if c == nil {
+			break
+		}
+		n = c
+	}
+
+	// start backtracking, unwind the stack
+	for depth := i; depth >= 0; depth-- {
+		n = stack[depth]
+		octet = octets[depth]
+
+		// longest prefix match
+		// micro benchmarking: skip if node has no prefixes
+		if len(n.prefixes) != 0 {
+			if _, val, ok := n.lpm(octetToBaseIndex(octet)); ok {
+				return val, true
+			}
+		}
+	}
+	return
+}
+
+// LookupPrefix does a route lookup (longest prefix match) for pfx and
+// returns the associated value and true, or false if no route matched.
+func (t *Table[V]) LookupPrefix(pfx netip.Prefix) (val V, ok bool) {
+	_, _, val, ok = t.lpmPrefix(pfx)
+	return val, ok
+}
+
+// LookupPrefixLPM is similar to [Table.LookupPrefix],
+// but it returns the lpm prefix in addition to value,ok.
+//
+// This method is about 20-30% slower than LookupPrefix and should only
+// be used if the matching lpm entry is also required for other reasons.
+//
+// If LookupPrefixLPM is to be used for IP addresses,
+// they must be converted to /32 or /128 prefixes.
+func (t *Table[V]) LookupPrefixLPM(pfx netip.Prefix) (lpm netip.Prefix, val V, ok bool) {
+	depth, baseIdx, val, ok := t.lpmPrefix(pfx)
+
+	if ok {
+		// calculate the mask from baseIdx and depth
+		mask := baseIndexToPrefixLen(baseIdx, depth)
+
+		// calculate the lpm from ip and mask
+		lpm, _ = pfx.Addr().Prefix(mask)
+	}
+
+	return lpm, val, ok
+}
+
+func (t *Table[V]) lpmPrefix(pfx netip.Prefix) (depth int, baseIdx uint, val V, ok bool) {
+	if !pfx.IsValid() {
+		return
+	}
+
+	// values derived from pfx
+	ip := pfx.Addr()
+	is4 := ip.Is4()
+	bits := pfx.Bits()
+
+	n := t.rootNodeByVersion(is4)
+	if n == nil {
+		return
+	}
+
+	// do not allocate
+	a16 := ip.As16()
+	octets := a16[:]
+	if is4 {
+		octets = octets[12:]
+	}
+
+	// see comment in Insert()
+	lastOctetIdx := (bits - 1) / strideLen
+	lastOctet := octets[lastOctetIdx]
+	lastOctetBits := bits - (lastOctetIdx * strideLen)
+
+	// mask the prefix
+	lastOctet = lastOctet & netMask(lastOctetBits)
+	octets[lastOctetIdx] = lastOctet
+
+	var i int
+	var octet byte
+
+	// record path to leaf node
+	stack := [maxTreeDepth]*node[V]{}
+
+	// find the node
+	for i, octet = range octets[:lastOctetIdx+1] {
+		// push current node on stack
+		stack[i] = n
+
+		// go down in tight loop
+		c := n.getChild(octet)
+		if c == nil {
+			break
+		}
+		n = c
+	}
+
+	// start backtracking, unwind the stack
+	for depth = i; depth >= 0; depth-- {
+		n = stack[depth]
+		octet = octets[depth]
+
+		// longest prefix match
+		// micro benchmarking: skip if node has no prefixes
+		if len(n.prefixes) != 0 {
+
+			// only the lastOctet may have a different prefix len
+			// all others are just host routes
+			idx := uint(0)
+			if depth == lastOctetIdx {
+				idx = prefixToBaseIndex(octet, lastOctetBits)
+			} else {
+				idx = octetToBaseIndex(octet)
+			}
+
+			baseIdx, val, ok = n.lpm(idx)
+			if ok {
+				return depth, baseIdx, val, ok
+			}
+		}
+	}
+	return
+}
+
+// EachLookupPrefix calls yield() for each CIDR covering pfx
+// in reverse CIDR sort order, from longest-prefix-match to
+// shortest-prefix-match.
+//
+// If the yield function returns false, the iteration ends prematurely.
+func (t *Table[V]) EachLookupPrefix(pfx netip.Prefix, yield func(pfx netip.Prefix, val V) bool) {
+	if !pfx.IsValid() {
+		return
+	}
+
+	// values derived from pfx
+	ip := pfx.Addr()
+	is4 := ip.Is4()
+	bits := pfx.Bits()
+
+	n := t.rootNodeByVersion(is4)
+	if n == nil {
+		return
+	}
+
+	// do not allocate
+	path := ip.As16()
+	octets := path[:]
+	if is4 {
+		octets = octets[12:]
+	}
+	copy(path[:], octets[:])
+
+	// see comment in Insert()
+	lastOctetIdx := (bits - 1) / strideLen
+	lastOctet := octets[lastOctetIdx]
+	lastOctetBits := bits - (lastOctetIdx * strideLen)
+
+	// mask the prefix
+	lastOctet = lastOctet & netMask(lastOctetBits)
+	octets[lastOctetIdx] = lastOctet
+
+	// stack of the traversed nodes for reverse ordering of supernets
+	stack := [maxTreeDepth]*node[V]{}
+
+	// run variable, used after for loop
+	var i int
+	var octet byte
+
+	// find last node
+	for i, octet = range octets[:lastOctetIdx+1] {
+		// push current node on stack
+		stack[i] = n
+
+		// go down in tight loop
+		c := n.getChild(octet)
+		if c == nil {
+			break
+		}
+		n = c
+	}
+
+	// start backtracking, unwind the stack
+	for depth := i; depth >= 0; depth-- {
+		n = stack[depth]
+
+		// microbenchmarking
+		if len(n.prefixes) == 0 {
+			continue
+		}
+
+		// only the lastOctet may have a different prefix len
+		if depth == lastOctetIdx {
+			if !n.eachLookupPrefix(path, depth, is4, lastOctet, lastOctetBits, yield) {
+				// early exit
+				return
+			}
+			continue
+		}
+
+		// all others are just host routes
+		if !n.eachLookupPrefix(path, depth, is4, octets[depth], strideLen, yield) {
+			// early exit
+			return
+		}
+	}
+}
+
+// EachSubnet calls yield() for each CIDR covered by pfx.
+// If the yield function returns false, the iteration ends prematurely.
+//
+// The sort order is undefined and you must not rely on it!
+func (t *Table[V]) EachSubnet(pfx netip.Prefix, yield func(pfx netip.Prefix, val V) bool) {
+	if !pfx.IsValid() {
+		return
+	}
+
+	// values derived from pfx
+	ip := pfx.Addr()
+	is4 := ip.Is4()
+	bits := pfx.Bits()
+
+	n := t.rootNodeByVersion(is4)
+	if n == nil {
+		return
+	}
+
+	// do not allocate
+	path := ip.As16()
+	octets := path[:]
+	if is4 {
+		octets = octets[12:]
+	}
+	copy(path[:], octets[:])
+
+	// see comment in Insert()
+	lastOctetIdx := (bits - 1) / strideLen
+	lastOctet := octets[lastOctetIdx]
+	lastOctetBits := bits - (lastOctetIdx * strideLen)
+
+	// mask the prefix
+	lastOctet = lastOctet & netMask(lastOctetBits)
+	octets[lastOctetIdx] = lastOctet
+
+	// find the trie node
+	for i, octet := range octets {
+		if i == lastOctetIdx {
+			_ = n.eachSubnet(path, i, is4, lastOctet, lastOctetBits, yield)
+			return
+		}
+
+		c := n.getChild(octet)
+		if c == nil {
+			break
+		}
+
+		n = c
+	}
+}
+
+// OverlapsPrefix reports whether any IP in pfx matches a route in the table.
+func (t *Table[V]) OverlapsPrefix(pfx netip.Prefix) bool {
+	if !pfx.IsValid() {
+		return false
+	}
+
+	// values derived from pfx
+	ip := pfx.Addr()
+	is4 := ip.Is4()
+	bits := pfx.Bits()
+
+	// get the root node of the routing table
+	n := t.rootNodeByVersion(is4)
+	if n == nil {
+		return false
+	}
+
+	// do not allocate
+	a16 := ip.As16()
+	octets := a16[:]
+	if is4 {
+		octets = octets[12:]
+	}
+
+	// see comment in Insert()
+	lastOctetIdx := (bits - 1) / strideLen
+	lastOctet := octets[lastOctetIdx]
+	lastOctetBits := bits - (lastOctetIdx * strideLen)
+
+	// mask the prefix
+	lastOctet = lastOctet & netMask(lastOctetBits)
+
+	for _, octet := range octets[:lastOctetIdx] {
+		// test if any route overlaps prefix´ so far
+		if n.lpmTest(octetToBaseIndex(octet)) {
+			return true
+		}
+
+		// no overlap so far, go down to next c
+		c := n.getChild(octet)
+		if c == nil {
+			return false
+		}
+		n = c
+	}
+
+	return n.overlapsPrefix(lastOctet, lastOctetBits)
+}
+
+// Overlaps reports whether any IP in the table matches a route in the
+// other table.
+func (t *Table[V]) Overlaps(o *Table[V]) bool {
+	t.init()
+	o.init()
+
+	// t is empty
+	if t.Size() == 0 {
+		return false
+	}
+
+	// o is empty
+	if o.Size() == 0 {
+		return false
+	}
+
+	// at least one v4 is empty
+	if t.size4 == 0 || o.size4 == 0 {
+		return t.Overlaps6(o)
+	}
+
+	// at least one v6 is empty
+	if t.size6 == 0 || o.size6 == 0 {
+		return t.Overlaps4(o)
+	}
+
+	return t.Overlaps4(o) || t.Overlaps6(o)
+}
+
+// Overlaps4 reports whether any IPv4 in the table matches a route in the
+// other table.
+func (t *Table[V]) Overlaps4(o *Table[V]) bool {
+	t.init()
+	o.init()
+
+	return t.rootV4.overlapsRec(o.rootV4)
+}
+
+// Overlaps6 reports whether any IPv6 in the table matches a route in the
+// other table.
+func (t *Table[V]) Overlaps6(o *Table[V]) bool {
+	t.init()
+	o.init()
+
+	return t.rootV6.overlapsRec(o.rootV6)
+}
+
+// Union combines two tables, changing the receiver table.
+// If there are duplicate entries, the value is taken from the other table.
+func (t *Table[V]) Union(o *Table[V]) {
+	t.init()
+	o.init()
+
+	dup4 := t.rootV4.unionRec(o.rootV4)
+	dup6 := t.rootV6.unionRec(o.rootV6)
+
+	t.size4 += o.size4 - dup4
+	t.size6 += o.size6 - dup6
+}
+
+// Clone returns a copy of the routing table.
+// The payloads V are copied using assignment, so this is a shallow clone.
+func (t *Table[V]) Clone() *Table[V] {
+	t.init()
+
+	c := new(Table[V])
+	c.init()
+
+	c.rootV4 = t.rootV4.cloneRec()
+	c.rootV6 = t.rootV6.cloneRec()
+
+	c.size4 = t.size4
+	c.size6 = t.size6
+
+	return c
+}
+
+// All may be used in a for/range loop to iterate
+// through all the prefixes.
+// The sort order is undefined and you must not rely on it!
+//
+// Prefixes must not be inserted or deleted during iteration, otherwise
+// the behavior is undefined. However, value updates are permitted.
+//
+// If the yield function returns false, the iteration ends prematurely.
+func (t *Table[V]) All(yield func(pfx netip.Prefix, val V) bool) {
+	t.init()
+	// respect early exit
+	_ = t.rootV4.allRec(zeroPath, 0, true, yield) &&
+		t.rootV6.allRec(zeroPath, 0, false, yield)
+}
+
+// All4, like [Table.All] but only for the v4 routing table.
+func (t *Table[V]) All4(yield func(pfx netip.Prefix, val V) bool) {
+	t.init()
+	t.rootV4.allRec(zeroPath, 0, true, yield)
+}
+
+// All6, like [Table.All] but only for the v6 routing table.
+func (t *Table[V]) All6(yield func(pfx netip.Prefix, val V) bool) {
+	t.init()
+	t.rootV6.allRec(zeroPath, 0, false, yield)
+}
+
+// AllSorted may be used in a for/range loop to iterate
+// through all the prefixes in natural CIDR sort order.
+//
+// Prefixes must not be inserted or deleted during iteration, otherwise
+// the behavior is undefined. However, value updates are permitted.
+//
+// If the yield function returns false, the iteration ends prematurely.
+func (t *Table[V]) AllSorted(yield func(pfx netip.Prefix, val V) bool) {
+	t.init()
+	// respect early exit
+	_ = t.rootV4.allRecSorted(zeroPath, 0, true, yield) &&
+		t.rootV6.allRecSorted(zeroPath, 0, false, yield)
+}
+
+// All4Sorted, like [Table.AllSorted] but only for the v4 routing table.
+func (t *Table[V]) All4Sorted(yield func(pfx netip.Prefix, val V) bool) {
+	t.init()
+	t.rootV4.allRecSorted(zeroPath, 0, true, yield)
+}
+
+// All6Sorted, like [Table.AllSorted] but only for the v6 routing table.
+func (t *Table[V]) All6Sorted(yield func(pfx netip.Prefix, val V) bool) {
+	t.init()
+	t.rootV6.allRecSorted(zeroPath, 0, false, yield)
+}
+
+func (t *Table[V]) sizeUpdate(is4 bool, n int) {
+	switch is4 {
+	case true:
+		t.size4 += n
+	case false:
+		t.size6 += n
+	}
+}
+
+// Size returns the prefix count.
+func (t *Table[V]) Size() int {
+	return t.size4 + t.size6
+}
+
+// Size4 returns the IPv4 prefix count.
+func (t *Table[V]) Size4() int {
+	return t.size4
+}
+
+// Size6 returns the IPv6 prefix count.
+func (t *Table[V]) Size6() int {
+	return t.size6
+}
+
+// nodes, calculates the IPv4 and IPv6 nodes and returns the sum.
+func (t *Table[V]) nodes() int {
+	t.init()
+	return t.rootV4.numNodesRec() + t.rootV6.numNodesRec()
+}

vendor/github.com/go-json-experiment/json/AUTHORS

@@ -0,0 +1,3 @@
+# This source code refers to The Go Authors for copyright purposes.
+# The master list of authors is in the main Go distribution,
+# visible at https://tip.golang.org/AUTHORS.

vendor/github.com/go-json-experiment/json/CONTRIBUTORS

@@ -0,0 +1,3 @@
+# This source code was written by the Go contributors.
+# The master list of contributors is in the main Go distribution,
+# visible at https://tip.golang.org/CONTRIBUTORS.

vendor/github.com/go-json-experiment/json/LICENSE

@@ -0,0 +1,27 @@
+Copyright (c) 2020 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/go-json-experiment/json/README.md

@@ -0,0 +1,177 @@
+# JSON Serialization (v2)
+
+[![GoDev](https://img.shields.io/static/v1?label=godev&message=reference&color=00add8)](https://pkg.go.dev/github.com/go-json-experiment/json)
+[![Build Status](https://github.com/go-json-experiment/json/actions/workflows/test.yml/badge.svg?branch=master)](https://github.com/go-json-experiment/json/actions)
+
+This module hosts an experimental implementation of v2 `encoding/json`.
+The API is unstable and breaking changes will regularly be made.
+Do not depend on this in publicly available modules.
+
+Any commits that make breaking API or behavior changes will be marked
+with the string "WARNING: " near the top of the commit message.
+It is your responsibility to inspect the list of commit changes
+when upgrading the module. Not all breaking changes will lead to build failures.
+
+A [Discussion about including this package in Go as `encoding/json/v2`](https://github.com/golang/go/discussions/63397) has been started on the Go Github project on 2023-10-05. Please provide your feedback there.
+
+## Goals and objectives
+
+* **Mostly backwards compatible:** If possible, v2 should aim to be _mostly_
+compatible with v1 in terms of both API and default behavior to ease migration.
+For example, the `Marshal` and `Unmarshal` functions are the most widely used
+declarations in the v1 package. It seems sensible for equivalent functionality
+in v2 to be named the same and have a mostly compatible signature.
+Behaviorally, we should aim for 95% to 99% backwards compatibility.
+We do not aim for 100% compatibility since we want the freedom to break
+certain behaviors that are now considered to have been a mistake.
+We may provide options that can bring the v2 implementation to 100% compatibility,
+but it will not be the default.
+
+* **More flexible:** There is a
+[long list of feature requests](https://github.com/golang/go/issues?q=is%3Aissue+is%3Aopen+encoding%2Fjson+in%3Atitle).
+We should aim to provide the most flexible features that addresses most usages.
+We do not want to over fit the v2 API to handle every possible use case.
+Ideally, the features provided should be orthogonal in nature such that
+any combination of features results in as few surprising edge cases as possible.
+
+* **More performant:** JSON serialization is widely used and any bit of extra
+performance gains will be greatly appreciated. Some rarely used behaviors of v1
+may be dropped in favor of better performance. For example,
+despite `Encoder` and `Decoder` operating on an `io.Writer` and `io.Reader`,
+they do not operate in a truly streaming manner,
+leading to a loss in performance. The v2 implementation should aim to be truly
+streaming by default (see [#33714](https://golang.org/issue/33714)).
+
+* **Easy to use (hard to misuse):** The v2 API should aim to make
+the common case easy and the less common case at least possible.
+The API should avoid behavior that goes contrary to user expectation,
+which may result in subtle bugs (see [#36225](https://golang.org/issue/36225)).
+
+* **v1 and v2 maintainability:** Since the v1 implementation must stay forever,
+it would be beneficial if v1 could be implemented under the hood with v2,
+allowing for less maintenance burden in the future. This probably implies that
+behavioral changes in v2 relative to v1 need to be exposed as options.
+
+* **Avoid unsafe:** Standard library packages generally avoid the use of
+package `unsafe` even if it could provide a performance boost.
+We aim to preserve this property.
+
+## Expectations
+
+While this module aims to possibly be the v2 implementation of `encoding/json`,
+there is no guarantee that this outcome will occur. As with any major change
+to the Go standard library, this will eventually go through the
+[Go proposal process](https://github.com/golang/proposal#readme).
+At the present moment, this is still in the design and experimentation phase
+and is not ready for a formal proposal.
+
+There are several possible outcomes from this experiment:
+1. We determine that a v2 `encoding/json` would not provide sufficient benefit
+over the existing v1 `encoding/json` package. Thus, we abandon this effort.
+2. We propose a v2 `encoding/json` design, but it is rejected in favor of some
+other design that is considered superior.
+3. We propose a v2 `encoding/json` design, but rather than adding an entirely
+new v2 `encoding/json` package, we decide to merge its functionality into
+the existing v1 `encoding/json` package.
+4. We propose a v2 `encoding/json` design and it is accepted, resulting in
+its addition to the standard library.
+5. Some other unforeseen outcome (among the infinite number of possibilities).
+
+## Development
+
+This module is primarily developed by
+[@dsnet](https://github.com/dsnet),
+[@mvdan](https://github.com/mvdan), and
+[@johanbrandhorst](https://github.com/johanbrandhorst)
+with feedback provided by
+[@rogpeppe](https://github.com/rogpeppe),
+[@ChrisHines](https://github.com/ChrisHines), and
+[@rsc](https://github.com/rsc).
+
+Discussion about semantics occur semi-regularly, where a
+[record of past meetings can be found here](https://docs.google.com/document/d/1rovrOTd-wTawGMPPlPuKhwXaYBg9VszTXR9AQQL5LfI/edit?usp=sharing).
+
+## Design overview
+
+This package aims to provide a clean separation between syntax and semantics.
+Syntax deals with the structural representation of JSON (as specified in
+[RFC 4627](https://tools.ietf.org/html/rfc4627),
+[RFC 7159](https://tools.ietf.org/html/rfc7159),
+[RFC 7493](https://tools.ietf.org/html/rfc7493),
+[RFC 8259](https://tools.ietf.org/html/rfc8259), and
+[RFC 8785](https://tools.ietf.org/html/rfc8785)).
+Semantics deals with the meaning of syntactic data as usable application data.
+
+The `Encoder` and `Decoder` types are streaming tokenizers concerned with the
+packing or parsing of JSON data. They operate on `Token` and `Value` types
+which represent the common data structures that are representable in JSON.
+`Encoder` and `Decoder` do not aim to provide any interpretation of the data.
+
+Functions like `Marshal`, `MarshalWrite`, `MarshalEncode`, `Unmarshal`,
+`UnmarshalRead`, and `UnmarshalDecode` provide semantic meaning by correlating
+any arbitrary Go type with some JSON representation of that type (as stored in
+data types like `[]byte`, `io.Writer`, `io.Reader`, `Encoder`, or `Decoder`).
+
+![API overview](api.png)
+
+This diagram provides a high-level overview of the v2 `json` and `jsontext` packages.
+Purple blocks represent types, while blue blocks represent functions or methods.
+The arrows and their direction represent the approximate flow of data.
+The bottom half of the diagram contains functionality that is only concerned
+with syntax (implemented by the `jsontext` package),
+while the upper half contains functionality that assigns
+semantic meaning to syntactic data handled by the bottom half
+(as implemented by the v2 `json` package).
+
+In contrast to v1 `encoding/json`, options are represented as separate types
+rather than being setter methods on the `Encoder` or `Decoder` types.
+Some options affects JSON serialization at the syntactic layer,
+while others affect it at the semantic layer.
+Some options only affect JSON when decoding,
+while others affect JSON while encoding.
+
+## Behavior changes
+
+The v2 `json` package changes the default behavior of `Marshal` and `Unmarshal`
+relative to the v1 `json` package to be more sensible.
+Some of these behavior changes have options and workarounds to opt into
+behavior similar to what v1 provided.
+
+This table shows an overview of the changes:
+
+| v1 | v2 | Details |
+| -- | -- | ------- |
+| JSON object members are unmarshaled into a Go struct using a **case-insensitive name match**. | JSON object members are unmarshaled into a Go struct using a **case-sensitive name match**. | [CaseSensitivity](/diff_test.go#:~:text=TestCaseSensitivity) |
+| When marshaling a Go struct, a struct field marked as `omitempty` is omitted if **the field value is an empty Go value**, which is defined as false, 0, a nil pointer, a nil interface value, and any empty array, slice, map, or string. | When marshaling a Go struct, a struct field marked as `omitempty` is omitted if **the field value would encode as an empty JSON value**, which is defined as a JSON null, or an empty JSON string, object, or array. | [OmitEmptyOption](/diff_test.go#:~:text=TestOmitEmptyOption) |
+| The `string` option **does affect** Go bools. | The `string` option **does not affect** Go bools. | [StringOption](/diff_test.go#:~:text=TestStringOption) |
+| The `string` option **does not recursively affect** sub-values of the Go field value. | The `string` option **does recursively affect** sub-values of the Go field value. | [StringOption](/diff_test.go#:~:text=TestStringOption) |
+| The `string` option **sometimes accepts** a JSON null escaped within a JSON string. | The `string` option **never accepts** a JSON null escaped within a JSON string. | [StringOption](/diff_test.go#:~:text=TestStringOption) |
+| A nil Go slice is marshaled as a **JSON null**. | A nil Go slice is marshaled as an **empty JSON array**. | [NilSlicesAndMaps](/diff_test.go#:~:text=TestNilSlicesAndMaps) |
+| A nil Go map is marshaled as a **JSON null**. | A nil Go map is marshaled as an **empty JSON object**. | [NilSlicesAndMaps](/diff_test.go#:~:text=TestNilSlicesAndMaps) |
+| A Go array may be unmarshaled from a **JSON array of any length**. | A Go array must be unmarshaled from a **JSON array of the same length**. | [Arrays](/diff_test.go#:~:text=Arrays) |
+| A Go byte array is represented as a **JSON array of JSON numbers**. | A Go byte array is represented as a **Base64-encoded JSON string**. | [ByteArrays](/diff_test.go#:~:text=TestByteArrays) |
+| `MarshalJSON` and `UnmarshalJSON` methods declared on a pointer receiver are **inconsistently called**. | `MarshalJSON` and `UnmarshalJSON` methods declared on a pointer receiver are **consistently called**. | [PointerReceiver](/diff_test.go#:~:text=TestPointerReceiver) |
+| A Go map is marshaled in a **deterministic order**. | A Go map is marshaled in a **non-deterministic order**. | [MapDeterminism](/diff_test.go#:~:text=TestMapDeterminism) |
+| JSON strings are encoded **with HTML-specific characters being escaped**. | JSON strings are encoded **without any characters being escaped** (unless necessary). | [EscapeHTML](/diff_test.go#:~:text=TestEscapeHTML) |
+| When marshaling, invalid UTF-8 within a Go string **are silently replaced**. | When marshaling, invalid UTF-8 within a Go string **results in an error**. | [InvalidUTF8](/diff_test.go#:~:text=TestInvalidUTF8) |
+| When unmarshaling, invalid UTF-8 within a JSON string **are silently replaced**. | When unmarshaling, invalid UTF-8 within a JSON string **results in an error**. | [InvalidUTF8](/diff_test.go#:~:text=TestInvalidUTF8) |
+| When marshaling, **an error does not occur** if the output JSON value contains objects with duplicate names. | When marshaling, **an error does occur** if the output JSON value contains objects with duplicate names. | [DuplicateNames](/diff_test.go#:~:text=TestDuplicateNames) |
+| When unmarshaling, **an error does not occur** if the input JSON value contains objects with duplicate names. | When unmarshaling, **an error does occur** if the input JSON value contains objects with duplicate names. | [DuplicateNames](/diff_test.go#:~:text=TestDuplicateNames) |
+| Unmarshaling a JSON null into a non-empty Go value **inconsistently clears the value or does nothing**. | Unmarshaling a JSON null into a non-empty Go value **always clears the value**. | [MergeNull](/diff_test.go#:~:text=TestMergeNull) |
+| Unmarshaling a JSON value into a non-empty Go value **follows inconsistent and bizarre behavior**. | Unmarshaling a JSON value into a non-empty Go value **always merges if the input is an object, and otherwise replaces**.  | [MergeComposite](/diff_test.go#:~:text=TestMergeComposite) |
+| A `time.Duration` is represented as a **JSON number containing the decimal number of nanoseconds**. | A `time.Duration` is represented as a **JSON string containing the formatted duration (e.g., "1h2m3.456s")**. | [TimeDurations](/diff_test.go#:~:text=TestTimeDurations) |
+| Unmarshaling a JSON number into a Go float beyond its representation **results in an error**. | Unmarshaling a JSON number into a Go float beyond its representation **uses the closest representable value (e.g., ±`math.MaxFloat`)**. | [MaxFloats](/diff_test.go#:~:text=TestMaxFloats) |
+| A Go struct with only unexported fields **can be serialized**. | A Go struct with only unexported fields **cannot be serialized**. | [EmptyStructs](/diff_test.go#:~:text=TestEmptyStructs) |
+| A Go struct that embeds an unexported struct type **can sometimes be serialized**. | A Go struct that embeds an unexported struct type **cannot be serialized**. | [EmbedUnexported](/diff_test.go#:~:text=TestEmbedUnexported) |
+
+See [diff_test.go](/diff_test.go) for details about every change.
+
+## Performance
+
+One of the goals of the v2 module is to be more performant than v1,
+but not at the expense of correctness.
+In general, v2 is at performance parity with v1 for marshaling,
+but dramatically faster for unmarshaling.
+
+See https://github.com/go-json-experiment/jsonbench for benchmarks
+comparing v2 with v1 and a number of other popular JSON implementations.