diff --git a/patches/0002-Add-crypto-backend-foundation.patch b/patches/0002-Add-crypto-backend-foundation.patch index aff2ca9772..0fffa39c18 100644 --- a/patches/0002-Add-crypto-backend-foundation.patch +++ b/patches/0002-Add-crypto-backend-foundation.patch @@ -23,7 +23,7 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/ed25519/boring.go | 71 ++++++ src/crypto/ed25519/ed25519.go | 73 ++++++ src/crypto/ed25519/notboring.go | 16 ++ - src/crypto/hkdf/hkdf.go | 14 ++ + src/crypto/hkdf/hkdf.go | 22 +- src/crypto/hkdf/hkdf_test.go | 2 +- src/crypto/hmac/hmac.go | 2 +- src/crypto/hmac/hmac_test.go | 2 +- @@ -65,7 +65,7 @@ Subject: [PATCH] Add crypto backend foundation src/crypto/tls/fipsonly/fipsonly_test.go | 2 +- src/crypto/tls/handshake_client.go | 10 +- src/crypto/tls/handshake_server.go | 10 +- - src/crypto/tls/handshake_server_tls13.go | 10 + + src/crypto/tls/handshake_server_tls13.go | 24 +- src/crypto/tls/internal/fips140tls/fipstls.go | 3 +- src/crypto/tls/prf.go | 41 ++++ src/go/build/deps_test.go | 8 +- @@ -75,7 +75,7 @@ Subject: [PATCH] Add crypto backend foundation src/hash/notboring_test.go | 9 + src/net/smtp/smtp_test.go | 72 ++++-- src/runtime/runtime_boring.go | 5 + - 71 files changed, 1159 insertions(+), 80 deletions(-) + 71 files changed, 1174 insertions(+), 87 deletions(-) create mode 100644 src/crypto/dsa/boring.go create mode 100644 src/crypto/dsa/notboring.go create mode 100644 src/crypto/ed25519/boring.go @@ -813,41 +813,49 @@ index 00000000000000..b0cdd44d81c753 + panic("boringcrypto: not available") +} diff --git a/src/crypto/hkdf/hkdf.go b/src/crypto/hkdf/hkdf.go -index 7cfbe2c60de356..78139ed6170da5 100644 +index 7cfbe2c60de356..925b839b73cb0c 100644 --- a/src/crypto/hkdf/hkdf.go 
+++ b/src/crypto/hkdf/hkdf.go -@@ -11,6 +11,7 @@ +@@ -11,8 +11,9 @@ package hkdf import ( +- "crypto/internal/fips140/hkdf" + boring "crypto/internal/backend" - "crypto/internal/fips140/hkdf" "crypto/internal/fips140only" ++ "cryto/hkdf" "errors" -@@ -27,6 +28,9 @@ func Extract[H hash.Hash](h func() H, secret, salt []byte) ([]byte, error) { + "hash" + ) +@@ -27,7 +28,10 @@ func Extract[H hash.Hash](h func() H, secret, salt []byte) ([]byte, error) { if err := checkFIPS140Only(h, secret); err != nil { return nil, err } +- return hkdf.Extract(h, secret, salt), nil + if boring.Enabled && boring.SupportsHKDF() { + return boring.ExtractHKDF(func() hash.Hash { return h() }, secret, salt) + } - return hkdf.Extract(h, secret, salt), nil ++ return hkdf.Extract(h, secret, salt) } -@@ -47,6 +51,9 @@ func Expand[H hash.Hash](h func() H, pseudorandomKey []byte, info string, keyLen + // Expand derives a key from the given hash, key, and optional context info, +@@ -47,7 +51,10 @@ func Expand[H hash.Hash](h func() H, pseudorandomKey []byte, info string, keyLen return nil, errors.New("hkdf: requested key length too large") } +- return hkdf.Expand(h, pseudorandomKey, info, keyLength), nil + if boring.Enabled && boring.SupportsHKDF() { + return boring.ExpandHKDF(func() hash.Hash { return h() }, pseudorandomKey, []byte(info), keyLength) + } - return hkdf.Expand(h, pseudorandomKey, info, keyLength), nil ++ return hkdf.Expand(h, pseudorandomKey, info, keyLength) } -@@ -63,6 +70,13 @@ func Key[Hash hash.Hash](h func() Hash, secret, salt []byte, info string, keyLen + // Key derives a key from the given hash, secret, salt and context info, +@@ -63,7 +70,14 @@ func Key[Hash hash.Hash](h func() Hash, secret, salt []byte, info string, keyLen return nil, errors.New("hkdf: requested key length too large") } +- return hkdf.Key(h, secret, salt, info, keyLength), nil + if boring.Enabled && boring.SupportsHKDF() { + pseudorandomKey, err := boring.ExtractHKDF(func() hash.Hash { return h() }, secret, 
salt) + if err != nil { @@ -855,9 +863,10 @@ index 7cfbe2c60de356..78139ed6170da5 100644 + } + return boring.ExpandHKDF(func() hash.Hash { return h() }, pseudorandomKey, []byte(info), keyLength) + } - return hkdf.Key(h, secret, salt, info, keyLength), nil ++ return hkdf.Key(h, secret, salt, info, keyLength) } + func checkFIPS140Only[H hash.Hash](h func() H, key []byte) error { diff --git a/src/crypto/hkdf/hkdf_test.go b/src/crypto/hkdf/hkdf_test.go index 201b440289bb2d..4ed4960ff35b66 100644 --- a/src/crypto/hkdf/hkdf_test.go @@ -2125,17 +2134,24 @@ index 7c75977ad3ffb2..b9db95ca7b9d5a 100644 if err := hs.processClientHello(); err != nil { diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go -index 3552d89ba3bc6f..958ec81dc64966 100644 +index 3552d89ba3bc6f..cefacaca28bae0 100644 --- a/src/crypto/tls/handshake_server_tls13.go +++ b/src/crypto/tls/handshake_server_tls13.go -@@ -9,6 +9,7 @@ import ( +@@ -9,12 +9,13 @@ import ( "context" "crypto" "crypto/hmac" +- "crypto/internal/fips140/hkdf" + boring "crypto/internal/backend" - "crypto/internal/fips140/hkdf" "crypto/internal/fips140/mlkem" "crypto/internal/fips140/tls13" + "crypto/internal/hpke" + "crypto/rsa" + "crypto/tls/internal/fips140tls" ++ "cryto/hkdf" + "errors" + "hash" + "internal/byteorder" @@ -477,6 +478,15 @@ func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash { } marshaler, ok := in.(binaryMarshaler) 
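Review bot: The import path `"cryto/hkdf"` added to src/crypto/hkdf/hkdf.go is misspelled and will not resolve, and the same line is added to the import block of src/crypto/tls/handshake_server_tls13.go in the later hunk of this patch. In hkdf.go the corrected spelling (presumably `crypto/hkdf`) would still be wrong, because that file is package hkdf itself and would be importing its own package. The fallback returns `hkdf.Extract(h, secret, salt)`, `hkdf.Expand(...)` and `hkdf.Key(...)` (the last in the following hunk) would then name the functions they sit in rather than the FIPS 140 module implementation. I would keep `"crypto/internal/fips140/hkdf"` and the `, nil` returns in hkdf.go, e.g. `return hkdf.Extract(h, secret, salt), nil`, and use `"crypto/hkdf"` only in the tls file. The function bodies continue outside the hunk.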
@@ -2152,6 +2168,35 @@ index 3552d89ba3bc6f..958ec81dc64966 100644 return nil } state, err := marshaler.MarshalBinary() +@@ -572,8 +582,12 @@ func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) + if err := transcriptMsg(helloRetryRequest, confTranscript); err != nil { + return nil, err + } ++ secret, err := hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil) ++ if err != nil { ++ return nil, err ++ } + acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New, +- hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil), ++ secret, + "hrr ech accept confirmation", + confTranscript.Sum(nil), + 8, +@@ -734,9 +748,13 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error { + if err := transcriptMsg(hs.hello, echTranscript); err != nil { + return err + } ++ secret, err := hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil) ++ if err != nil { ++ return err ++ } + // compute the acceptance message + acceptConfirmation := tls13.ExpandLabel(hs.suite.hash.New, +- hkdf.Extract(hs.suite.hash.New, hs.clientHello.random, nil), ++ secret, + "ech accept confirmation", + echTranscript.Sum(nil), + 8, diff --git a/src/crypto/tls/internal/fips140tls/fipstls.go b/src/crypto/tls/internal/fips140tls/fipstls.go index 24d78d60cf5b64..a6bfd3f17c1911 100644 --- a/src/crypto/tls/internal/fips140tls/fipstls.go
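Review bot: The ECH acceptance confirmation in doHelloRetryRequest and sendServerParameters can now fail at runtime, because `hkdf.Extract` here is the public wrapper that, per the hkdf.go part of this patch, runs `checkFIPS140Only` and may dispatch to the backend before extracting. Both sites return the bare error, and the visible lines show no alert to the peer on that path; whether a caller sends one is outside the hunk. I would add a comment above each call, such as `// hkdf.Extract can fail under FIPS-only policy or in the backend; abort the handshake.`, and cover the new error path with a handshake test run in FIPS-only mode. Both function bodies start and end outside the hunk.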