From 994741f8827cb4eb5e8060f99c6ecfaf684c79bb Mon Sep 17 00:00:00 2001 From: Patricio Whittingslow Date: Fri, 3 Jul 2026 10:47:01 -0300 Subject: [PATCH 1/4] upgrade net --- src/net | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/net b/src/net index 1026408a38..d4686b9244 160000 --- a/src/net +++ b/src/net @@ -1 +1 @@ -Subproject commit 1026408a386a88504e6c958e31291dea058e41c0 +Subproject commit d4686b924450221bfa519541552dc773b8e690a5 From 33a811423ecef969e088af2aca7d370fc269fad6 Mon Sep 17 00:00:00 2001 From: Pat Whittingslow Date: Fri, 3 Jul 2026 13:08:00 -0300 Subject: [PATCH 2/4] add some missing crypto and os API (#5488) * add missing crypto API * gofmt crypto/tls/common.go --- src/crypto/tls/cipher_suites.go | 107 +++++++++++++++++++++++++++ src/crypto/tls/common.go | 123 +++++++++++++++++++++++++++++++- src/crypto/tls/tls.go | 45 +++++++++++- src/os/file_other.go | 16 +++++ src/runtime/debug.go | 11 +++ 5 files changed, 297 insertions(+), 5 deletions(-) create mode 100644 src/crypto/tls/cipher_suites.go diff --git a/src/crypto/tls/cipher_suites.go b/src/crypto/tls/cipher_suites.go new file mode 100644 index 0000000000..b8a62091ba --- /dev/null +++ b/src/crypto/tls/cipher_suites.go @@ -0,0 +1,107 @@ +// TINYGO: cipher suite IDs and the exported CipherSuites/InsecureCipherSuites +// descriptors, copied verbatim from the Go official implementation. TinyGo has +// no software handshake, so only these declarations (no selection machinery) +// are provided to satisfy callers such as google.golang.org/grpc/credentials +// and github.com/pion/dtls that reference the cipher-suite API surface. + +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +// A list of cipher suite IDs that are, or have been, implemented by this +// package. +// +// See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml +const ( + // TLS 1.0 - 1.2 cipher suites. + TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 + TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a + TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f + TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 + TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c + TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c + TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a + TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 + + // TLS 1.3 cipher suites. + TLS_AES_128_GCM_SHA256 uint16 = 0x1301 + TLS_AES_256_GCM_SHA384 uint16 = 0x1302 + TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 + + // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator + // that the client is doing version fallback. See RFC 7507. + TLS_FALLBACK_SCSV uint16 = 0x5600 + + // Legacy names for the corresponding cipher suites with the correct _SHA256 + // suffix, retained for backward compatibility. + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +) + +var ( + supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12} + supportedOnlyTLS12 = []uint16{VersionTLS12} + supportedOnlyTLS13 = []uint16{VersionTLS13} +) + +// CipherSuites returns a list of cipher suites currently implemented by this +// package, excluding those with security issues, which are returned by +// InsecureCipherSuites. +func CipherSuites() []*CipherSuite { + return []*CipherSuite{ + {TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false}, + {TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false}, + {TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false}, + + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, + {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, + {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, + {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, + {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, + {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, + {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, + } +} + +// InsecureCipherSuites returns a list of cipher suites currently implemented by +// this package and which have security issues. +// +// Most applications should not use the cipher suites in this list, and should +// only use those returned by CipherSuites. +func InsecureCipherSuites() []*CipherSuite { + // This list includes legacy RSA kex, RC4, CBC_SHA256, and 3DES cipher + // suites. See cipherSuitesPreferenceOrder for details. + return []*CipherSuite{ + {TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, + {TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true}, + {TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, true}, + {TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, true}, + {TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, + {TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, true}, + {TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, true}, + {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, + {TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, + {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true}, + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, + } +} diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go index 21a1a20f50..f107b4518a 100644 --- a/src/crypto/tls/common.go +++ b/src/crypto/tls/common.go @@ -55,6 +55,16 @@ func VersionName(version uint16) string { // only supports Elliptic Curve based groups. See RFC 8446, Section 4.2.7. type CurveID uint16 +const ( + CurveP256 CurveID = 23 + CurveP384 CurveID = 24 + CurveP521 CurveID = 25 + X25519 CurveID = 29 + X25519MLKEM768 CurveID = 4588 + SecP256r1MLKEM768 CurveID = 4587 + SecP384r1MLKEM1024 CurveID = 4589 +) + // CipherSuiteName returns the standard name for the passed cipher suite ID // // Not Implemented. @@ -68,14 +78,42 @@ type ConnectionState struct { // // Minimum (empty) fields for fortio.org/log http logging and others // to compile and run. - PeerCertificates []*x509.Certificate - CipherSuite uint16 + Version uint16 + ServerName string + PeerCertificates []*x509.Certificate + CipherSuite uint16 + NegotiatedProtocol string + NegotiatedProtocolIsMutual bool // Deprecated: this value is always true. } // ClientAuthType declares the policy the server will follow for // TLS Client Authentication. type ClientAuthType int +const ( + // NoClientCert indicates that no client certificate should be requested + // during the handshake, and if any certificates are sent they will not + // be verified. + NoClientCert ClientAuthType = iota + // RequestClientCert indicates that a client certificate should be requested + // during the handshake, but does not require that the client send any + // certificates. + RequestClientCert + // RequireAnyClientCert indicates that a client certificate should be requested + // during the handshake, and that at least one certificate is required to be + // sent by the client, but that certificate is not required to be valid. + RequireAnyClientCert + // VerifyClientCertIfGiven indicates that a client certificate should be requested + // during the handshake, but does not require that the client sends a + // certificate. If the client does send a certificate it is required to be + // valid. + VerifyClientCertIfGiven + // RequireAndVerifyClientCert indicates that a client certificate should be requested + // during the handshake, and that at least one valid certificate is required + // to be sent by the client. + RequireAndVerifyClientCert +) + // ClientSessionCache is a cache of ClientSessionState objects that can be used // by a client to resume a TLS session with a given server. ClientSessionCache // implementations should expect to be called concurrently from different @@ -100,6 +138,45 @@ type ClientSessionCache interface { // RFC 8446, Section 4.2.3. type SignatureScheme uint16 +const ( + // RSASSA-PKCS1-v1_5 algorithms. + PKCS1WithSHA256 SignatureScheme = 0x0401 + PKCS1WithSHA384 SignatureScheme = 0x0501 + PKCS1WithSHA512 SignatureScheme = 0x0601 + + // RSASSA-PSS algorithms with public key OID rsaEncryption. + PSSWithSHA256 SignatureScheme = 0x0804 + PSSWithSHA384 SignatureScheme = 0x0805 + PSSWithSHA512 SignatureScheme = 0x0806 + + // ECDSA algorithms. Only constrained to a specific curve in TLS 1.3. + ECDSAWithP256AndSHA256 SignatureScheme = 0x0403 + ECDSAWithP384AndSHA384 SignatureScheme = 0x0503 + ECDSAWithP521AndSHA512 SignatureScheme = 0x0603 + + // EdDSA algorithms. + Ed25519 SignatureScheme = 0x0807 + + // Legacy signature and hash algorithms for TLS 1.2. + PKCS1WithSHA1 SignatureScheme = 0x0201 + ECDSAWithSHA1 SignatureScheme = 0x0203 +) + +// CipherSuite is a TLS cipher suite. Note that most functions in this package +// accept and expose cipher suite IDs instead of this type. +type CipherSuite struct { + ID uint16 + Name string + + // Supported versions is the list of TLS protocol versions that can + // negotiate this cipher suite. + SupportedVersions []uint16 + + // Insecure is true if the cipher suite has known security issues + // due to its primitives, design, or implementation. + Insecure bool +} + // ClientHelloInfo contains information from a ClientHello message in order to // guide application logic in the GetCertificate and GetConfigForClient callbacks. type ClientHelloInfo struct { @@ -459,6 +536,48 @@ type Config struct { autoSessionTicketKeys []ticketKey } +// Clone returns a shallow clone of c or nil if c is nil. It is safe to clone a +// Config that is being used concurrently by a TLS client or server. +func (c *Config) Clone() *Config { + if c == nil { + return nil + } + c.mutex.RLock() + defer c.mutex.RUnlock() + return &Config{ + Rand: c.Rand, + Time: c.Time, + Certificates: c.Certificates, + NameToCertificate: c.NameToCertificate, + GetCertificate: c.GetCertificate, + GetClientCertificate: c.GetClientCertificate, + GetConfigForClient: c.GetConfigForClient, + VerifyPeerCertificate: c.VerifyPeerCertificate, + VerifyConnection: c.VerifyConnection, + RootCAs: c.RootCAs, + NextProtos: c.NextProtos, + ServerName: c.ServerName, + ClientAuth: c.ClientAuth, + ClientCAs: c.ClientCAs, + InsecureSkipVerify: c.InsecureSkipVerify, + CipherSuites: c.CipherSuites, + PreferServerCipherSuites: c.PreferServerCipherSuites, + SessionTicketsDisabled: c.SessionTicketsDisabled, + SessionTicketKey: c.SessionTicketKey, + ClientSessionCache: c.ClientSessionCache, + UnwrapSession: c.UnwrapSession, + WrapSession: c.WrapSession, + MinVersion: c.MinVersion, + MaxVersion: c.MaxVersion, + CurvePreferences: c.CurvePreferences, + DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled, + Renegotiation: c.Renegotiation, + KeyLogWriter: c.KeyLogWriter, + sessionTicketKeys: c.sessionTicketKeys, + autoSessionTicketKeys: c.autoSessionTicketKeys, + } +} + // ticketKey is the internal representation of a session ticket key. type ticketKey struct { aesKey [16]byte diff --git a/src/crypto/tls/tls.go b/src/crypto/tls/tls.go index 6fdedc39fc..255844c6b3 100644 --- a/src/crypto/tls/tls.go +++ b/src/crypto/tls/tls.go @@ -20,13 +20,52 @@ import ( "net" ) +// Conn represents a secured connection. TINYGO: the actual TLS handshake and +// record layer are offloaded to the network device (see net.TLSConn), so Conn +// is a thin wrapper over an underlying net.Conn that exists to satisfy callers +// (e.g. google.golang.org/grpc/credentials) which expect the *tls.Conn API +// shape — ConnectionState/Handshake — that this package does not implement in +// software. +type Conn struct { + net.Conn +} + +// ConnectionState returns basic TLS details about the connection. TINYGO: +// empty; TLS is offloaded to the network device. +func (c *Conn) ConnectionState() ConnectionState { + return ConnectionState{} +} + +// Handshake runs the client or server handshake protocol if it has not yet been +// run. TINYGO: no-op; the handshake is performed by the network device. +func (c *Conn) Handshake() error { + return c.HandshakeContext(context.Background()) +} + +// HandshakeContext is the context-aware variant of Handshake. TINYGO: no-op. +func (c *Conn) HandshakeContext(ctx context.Context) error { + return nil +} + +// NetConn returns the underlying connection that is wrapped by c. +func (c *Conn) NetConn() net.Conn { + return c.Conn +} + // Client returns a new TLS client side connection // using conn as the underlying transport. // The config cannot be nil: users must set either ServerName or // InsecureSkipVerify in the config. -func Client(conn net.Conn, config *Config) *net.TLSConn { - panic("tls.Client() not implemented") - return nil +func Client(conn net.Conn, config *Config) *Conn { + return &Conn{Conn: conn} +} + +// Server returns a new TLS server side connection +// using conn as the underlying transport. +// The configuration config must be non-nil and must include +// at least one certificate or else set GetCertificate. +func Server(conn net.Conn, config *Config) *Conn { + return &Conn{Conn: conn} } // A listener implements a network listener (net.Listener) for TLS connections. diff --git a/src/os/file_other.go b/src/os/file_other.go index 1fdf4b1ef4..a7cf9c3c32 100644 --- a/src/os/file_other.go +++ b/src/os/file_other.go @@ -138,6 +138,22 @@ func Symlink(oldname, newname string) error { return ErrNotImplemented } +func Chmod(name string, mode FileMode) error { + return ErrNotImplemented +} + +func Chown(name string, uid, gid int) error { + return ErrNotImplemented +} + +func Link(oldname, newname string) error { + return ErrNotImplemented +} + +func (f *File) Chown(uid, gid int) error { + return ErrNotImplemented +} + func Readlink(name string) (string, error) { return "", ErrNotImplemented } diff --git a/src/runtime/debug.go b/src/runtime/debug.go index 230515908f..c93684b773 100644 --- a/src/runtime/debug.go +++ b/src/runtime/debug.go @@ -14,3 +14,14 @@ func NumGoroutine() int { func Breakpoint() { panic("Breakpoint not supported") } + +// Stub for SetBlockProfileRate, does not do anything. TinyGo has no block +// profiler. +func SetBlockProfileRate(rate int) { +} + +// Stub for SetMutexProfileFraction, does not do anything and always reports the +// previous rate as 0. TinyGo has no mutex profiler. +func SetMutexProfileFraction(rate int) int { + return 0 +} From 25365d521c88e45f0517a4eb009a99cb58f9b1b0 Mon Sep 17 00:00:00 2001 From: Patricio Whittingslow Date: Mon, 6 Jul 2026 12:06:12 -0300 Subject: [PATCH 3/4] pull new net with unixsock formatted --- src/net | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/net b/src/net index d4686b9244..2c757980bd 160000 --- a/src/net +++ b/src/net @@ -1 +1 @@ -Subproject commit d4686b924450221bfa519541552dc773b8e690a5 +Subproject commit 2c757980bd9196991ff931f5ca90bc4ead75fdde From 7b3c196b0993123b3728341350261ffa4fd195af Mon Sep 17 00:00:00 2001 From: Patricio Whittingslow Date: Mon, 6 Jul 2026 23:16:54 -0300 Subject: [PATCH 4/4] update net to latest main --- src/net | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/net b/src/net index 2c757980bd..d5da3ddeef 160000 --- a/src/net +++ b/src/net @@ -1 +1 @@ -Subproject commit 2c757980bd9196991ff931f5ca90bc4ead75fdde +Subproject commit d5da3ddeef797c23fba7fd4a1f47306216e63a4e