util/sparse: add a sparse file PunchAt method

Adds support for sparse file hole punching in linux, windows, and
darwin. Also adds a generic PunchAt method that just writes zeros
instead of using the file Punch syscall.

Updates tailscale/corp#21363

Signed-off-by: James Scott <jim@tailscale.com>

.github/workflows/golangci-lint.yml

@@ -33,7 +33,7 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@2e788936b09dd82dc280e845628a40d2ba6b204c # v6.3.1
         with:
-          version: v1.60
+          version: v1.64
 
           # Show only new issues if it's a pull request.
           only-new-issues: true

Dockerfile

@@ -27,7 +27,7 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.23-alpine AS build-env
+FROM golang:1.24-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 

appc/appconnector.go

@@ -289,9 +289,11 @@ func (e *AppConnector) updateDomains(domains []string) {
 				toRemove = append(toRemove, netip.PrefixFrom(a, a.BitLen()))
 			}
 		}
-		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-			e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", slicesx.MapKeys(oldDomains), toRemove, err)
-		}
+		e.queue.Add(func() {
+			if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+				e.logf("failed to unadvertise routes on domain removal: %v: %v: %v", slicesx.MapKeys(oldDomains), toRemove, err)
+			}
+		})
 	}
 
 	e.logf("handling domains: %v and wildcards: %v", slicesx.MapKeys(e.domains), e.wildcards)
@@ -310,11 +312,6 @@ func (e *AppConnector) updateRoutes(routes []netip.Prefix) {
 		return
 	}
 
-	if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
-		e.logf("failed to advertise routes: %v: %v", routes, err)
-		return
-	}
-
 	var toRemove []netip.Prefix
 
 	// If we're storing routes and know e.controlRoutes is a good
@@ -338,9 +335,14 @@ nextRoute:
 		}
 	}
 
-	if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
-		e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
-	}
+	e.queue.Add(func() {
+		if err := e.routeAdvertiser.AdvertiseRoute(routes...); err != nil {
+			e.logf("failed to advertise routes: %v: %v", routes, err)
+		}
+		if err := e.routeAdvertiser.UnadvertiseRoute(toRemove...); err != nil {
+			e.logf("failed to unadvertise routes: %v: %v", toRemove, err)
+		}
+	})
 
 	e.controlRoutes = routes
 	if err := e.storeRoutesLocked(); err != nil {

appc/appconnector_test.go

@@ -8,6 +8,7 @@ import (
 	"net/netip"
 	"reflect"
 	"slices"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -86,6 +87,7 @@ func TestUpdateRoutes(t *testing.T) {
 
 		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24"), netip.MustParsePrefix("192.0.0.1/32")}
 		a.updateRoutes(routes)
+		a.Wait(ctx)
 
 		slices.SortFunc(rc.Routes(), prefixCompare)
 		rc.SetRoutes(slices.Compact(rc.Routes()))
@@ -105,6 +107,7 @@ func TestUpdateRoutes(t *testing.T) {
 }
 
 func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
+	ctx := context.Background()
 	for _, shouldStore := range []bool{false, true} {
 		rc := &appctest.RouteCollector{}
 		var a *AppConnector
@@ -117,6 +120,7 @@ func TestUpdateRoutesUnadvertisesContainedRoutes(t *testing.T) {
 		rc.SetRoutes([]netip.Prefix{netip.MustParsePrefix("192.0.2.1/32")})
 		routes := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")}
 		a.updateRoutes(routes)
+		a.Wait(ctx)
 
 		if !slices.EqualFunc(routes, rc.Routes(), prefixEqual) {
 			t.Fatalf("got %v, want %v", rc.Routes(), routes)
@@ -636,3 +640,57 @@ func TestMetricBucketsAreSorted(t *testing.T) {
 		t.Errorf("metricStoreRoutesNBuckets must be in order")
 	}
 }
+
+// TestUpdateRoutesDeadlock is a regression test for a deadlock in
+// LocalBackend<->AppConnector interaction. When using real LocalBackend as the
+// routeAdvertiser, calls to Advertise/UnadvertiseRoutes can end up calling
+// back into AppConnector via authReconfig. If everything is called
+// synchronously, this results in a deadlock on AppConnector.mu.
+func TestUpdateRoutesDeadlock(t *testing.T) {
+	ctx := context.Background()
+	rc := &appctest.RouteCollector{}
+	a := NewAppConnector(t.Logf, rc, &RouteInfo{}, fakeStoreRoutes)
+
+	advertiseCalled := new(atomic.Bool)
+	unadvertiseCalled := new(atomic.Bool)
+	rc.AdvertiseCallback = func() {
+		// Call something that requires a.mu to be held.
+		a.DomainRoutes()
+		advertiseCalled.Store(true)
+	}
+	rc.UnadvertiseCallback = func() {
+		// Call something that requires a.mu to be held.
+		a.DomainRoutes()
+		unadvertiseCalled.Store(true)
+	}
+
+	a.updateDomains([]string{"example.com"})
+	a.Wait(ctx)
+
+	// Trigger rc.AdveriseRoute.
+	a.updateRoutes(
+		[]netip.Prefix{
+			netip.MustParsePrefix("127.0.0.1/32"),
+			netip.MustParsePrefix("127.0.0.2/32"),
+		},
+	)
+	a.Wait(ctx)
+	// Trigger rc.UnadveriseRoute.
+	a.updateRoutes(
+		[]netip.Prefix{
+			netip.MustParsePrefix("127.0.0.1/32"),
+		},
+	)
+	a.Wait(ctx)
+
+	if !advertiseCalled.Load() {
+		t.Error("AdvertiseRoute was not called")
+	}
+	if !unadvertiseCalled.Load() {
+		t.Error("UnadvertiseRoute was not called")
+	}
+
+	if want := []netip.Prefix{netip.MustParsePrefix("127.0.0.1/32")}; !slices.Equal(slices.Compact(rc.Routes()), want) {
+		t.Fatalf("got %v, want %v", rc.Routes(), want)
+	}
+}

appc/appctest/appctest.go

@@ -11,12 +11,22 @@ import (
 
 // RouteCollector is a test helper that collects the list of routes advertised
 type RouteCollector struct {
+	// AdvertiseCallback (optional) is called synchronously from
+	// AdvertiseRoute.
+	AdvertiseCallback func()
+	// UnadvertiseCallback (optional) is called synchronously from
+	// UnadvertiseRoute.
+	UnadvertiseCallback func()
+
 	routes        []netip.Prefix
 	removedRoutes []netip.Prefix
 }
 
 func (rc *RouteCollector) AdvertiseRoute(pfx ...netip.Prefix) error {
 	rc.routes = append(rc.routes, pfx...)
+	if rc.AdvertiseCallback != nil {
+		rc.AdvertiseCallback()
+	}
 	return nil
 }
 
@@ -30,6 +40,9 @@ func (rc *RouteCollector) UnadvertiseRoute(toRemove ...netip.Prefix) error {
 			rc.removedRoutes = append(rc.removedRoutes, r)
 		}
 	}
+	if rc.UnadvertiseCallback != nil {
+		rc.UnadvertiseCallback()
+	}
 	return nil
 }
 

client/tailscale/acl.go

@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
+	"net/url"
 )
 
 // ACLRow defines a rule that grants access by a set of users or groups to a set
@@ -83,7 +84,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 		}
 	}()
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl")
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -97,7 +98,7 @@ func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	// Otherwise, try to decode the response.
@@ -126,7 +127,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		}
 	}()
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl", url.Values{"details": {"1"}})
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -138,7 +139,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	data := struct {
@@ -146,7 +147,7 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 		Warnings []string `json:"warnings"`
 	}{}
 	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("json.Unmarshal %q: %w", b, err)
 	}
 
 	acl = &ACLHuJSON{
@@ -184,7 +185,7 @@ func (e ACLTestError) Error() string {
 }
 
 func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl")
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, "", err
@@ -328,7 +329,7 @@ type ACLPreview struct {
 }
 
 func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl", "preview")
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
 	if err != nil {
 		return nil, err
@@ -350,7 +351,7 @@ func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, preview
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 	if err = json.Unmarshal(b, &res); err != nil {
 		return nil, err
@@ -488,7 +489,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 		return nil, err
 	}
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("acl", "validate")
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
 	if err != nil {
 		return nil, err

client/tailscale/devices.go

@@ -131,7 +131,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 		}
 	}()
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("devices")
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -149,7 +149,7 @@ func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceL
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	var devices GetDevicesResponse
@@ -188,7 +188,7 @@ func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFiel
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	err = json.Unmarshal(b, &device)
@@ -221,7 +221,7 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
+		return HandleErrorResponse(b, resp)
 	}
 	return nil
 }
@@ -253,7 +253,7 @@ func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
+		return HandleErrorResponse(b, resp)
 	}
 
 	return nil
@@ -281,7 +281,7 @@ func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
+		return HandleErrorResponse(b, resp)
 	}
 
 	return nil

client/tailscale/dns.go

@@ -44,7 +44,7 @@ type DNSPreferences struct {
 }
 
 func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+	path := c.BuildTailnetURL("dns", endpoint)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -57,14 +57,14 @@ func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, er
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	return b, nil
 }
 
 func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+	path := c.BuildTailnetURL("dns", endpoint)
 	data, err := json.Marshal(&postData)
 	if err != nil {
 		return nil, err
@@ -84,7 +84,7 @@ func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData a
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	return b, nil

client/tailscale/keys.go

@@ -40,7 +40,7 @@ type KeyDeviceCreateCapabilities struct {
 
 // Keys returns the list of keys for the current user.
 func (c *Client) Keys(ctx context.Context) ([]string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("keys")
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -51,7 +51,7 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	var keys struct {
@@ -99,7 +99,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 		return "", nil, err
 	}
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
+	path := c.BuildTailnetURL("keys")
 	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
 	if err != nil {
 		return "", nil, err
@@ -110,7 +110,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 		return "", nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return "", nil, handleErrorResponse(b, resp)
+		return "", nil, HandleErrorResponse(b, resp)
 	}
 
 	var key struct {
@@ -126,7 +126,7 @@ func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities,
 // Key returns the metadata for the given key ID. Currently, capabilities are
 // only returned for auth keys, API keys only return general metadata.
 func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
+	path := c.BuildTailnetURL("keys", id)
 	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
 	if err != nil {
 		return nil, err
@@ -137,7 +137,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
 		return nil, err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	var key Key
@@ -149,7 +149,7 @@ func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
 
 // DeleteKey deletes the key with the given ID.
 func (c *Client) DeleteKey(ctx context.Context, id string) error {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
+	path := c.BuildTailnetURL("keys", id)
 	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
 	if err != nil {
 		return err
@@ -160,7 +160,7 @@ func (c *Client) DeleteKey(ctx context.Context, id string) error {
 		return err
 	}
 	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
+		return HandleErrorResponse(b, resp)
 	}
 	return nil
 }

client/tailscale/routes.go

@@ -44,7 +44,7 @@ func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, e
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	var sr Routes
@@ -84,7 +84,7 @@ func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip
 	// If status code was not successful, return the error.
 	// TODO: Change the check for the StatusCode to include other 2XX success codes.
 	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
+		return nil, HandleErrorResponse(b, resp)
 	}
 
 	var srr *Routes

client/tailscale/tailnet.go

@@ -9,7 +9,6 @@ import (
 	"context"
 	"fmt"
 	"net/http"
-	"net/url"
 
 	"tailscale.com/util/httpm"
 )
@@ -22,7 +21,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 		}
 	}()
 
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
+	path := c.BuildTailnetURL("tailnet")
 	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
 	if err != nil {
 		return err
@@ -35,7 +34,7 @@ func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (er
 	}
 
 	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
+		return HandleErrorResponse(b, resp)
 	}
 
 	return nil

client/tailscale/tailscale.go

@@ -17,6 +17,8 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
+	"path"
 )
 
 // I_Acknowledge_This_API_Is_Unstable must be set true to use this package
@@ -63,6 +65,46 @@ func (c *Client) httpClient() *http.Client {
 	return http.DefaultClient
 }
 
+// BuildURL builds a url to http(s)://<apiserver>/api/v2/<slash-separated-pathElements>
+// using the given pathElements. It url escapes each path element, so the
+// caller doesn't need to worry about that. The last item of pathElements can
+// be of type url.Values to add a query string to the URL.
+//
+// For example, BuildURL(devices, 5) with the default server URL would result in
+// https://api.tailscale.com/api/v2/devices/5.
+func (c *Client) BuildURL(pathElements ...any) string {
+	elem := make([]string, 1, len(pathElements)+1)
+	elem[0] = "/api/v2"
+	var query string
+	for i, pathElement := range pathElements {
+		if uv, ok := pathElement.(url.Values); ok && i == len(pathElements)-1 {
+			query = uv.Encode()
+		} else {
+			elem = append(elem, url.PathEscape(fmt.Sprint(pathElement)))
+		}
+	}
+	url := c.baseURL() + path.Join(elem...)
+	if query != "" {
+		url += "?" + query
+	}
+	return url
+}
+
+// BuildTailnetURL builds a url to http(s)://<apiserver>/api/v2/tailnet/<tailnet>/<slash-separated-pathElements>
+// using the given pathElements. It url escapes each path element, so the
+// caller doesn't need to worry about that. The last item of pathElements can
+// be of type url.Values to add a query string to the URL.
+//
+// For example, BuildTailnetURL(policy, validate) with the default server URL and a tailnet of "example.com"
+// would result in https://api.tailscale.com/api/v2/tailnet/example.com/policy/validate.
+func (c *Client) BuildTailnetURL(pathElements ...any) string {
+	allElements := make([]any, 2, len(pathElements)+2)
+	allElements[0] = "tailnet"
+	allElements[1] = c.tailnet
+	allElements = append(allElements, pathElements...)
+	return c.BuildURL(allElements...)
+}
+
 func (c *Client) baseURL() string {
 	if c.BaseURL != "" {
 		return c.BaseURL
@@ -150,12 +192,14 @@ func (e ErrResponse) Error() string {
 	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
 }
 
-// handleErrorResponse decodes the error message from the server and returns
+// HandleErrorResponse decodes the error message from the server and returns
 // an ErrResponse from it.
-func handleErrorResponse(b []byte, resp *http.Response) error {
+//
+// Deprecated: use tailscale.com/client/tailscale/v2 instead.
+func HandleErrorResponse(b []byte, resp *http.Response) error {
 	var errResp ErrResponse
 	if err := json.Unmarshal(b, &errResp); err != nil {
-		return err
+		return fmt.Errorf("json.Unmarshal %q: %w", b, err)
 	}
 	errResp.Status = resp.StatusCode
 	return errResp

client/tailscale/tailscale_test.go

@@ -0,0 +1,86 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailscale
+
+import (
+	"net/url"
+	"testing"
+)
+
+func TestClientBuildURL(t *testing.T) {
+	c := Client{BaseURL: "http://127.0.0.1:1234"}
+	for _, tt := range []struct {
+		desc     string
+		elements []any
+		want     string
+	}{
+		{
+			desc:     "single-element",
+			elements: []any{"devices"},
+			want:     "http://127.0.0.1:1234/api/v2/devices",
+		},
+		{
+			desc:     "multiple-elements",
+			elements: []any{"tailnet", "example.com"},
+			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com",
+		},
+		{
+			desc:     "escape-element",
+			elements: []any{"tailnet", "example dot com?foo=bar"},
+			want:     `http://127.0.0.1:1234/api/v2/tailnet/example%20dot%20com%3Ffoo=bar`,
+		},
+		{
+			desc:     "url.Values",
+			elements: []any{"tailnet", "example.com", "acl", url.Values{"details": {"1"}}},
+			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/acl?details=1`,
+		},
+	} {
+		t.Run(tt.desc, func(t *testing.T) {
+			got := c.BuildURL(tt.elements...)
+			if got != tt.want {
+				t.Errorf("got %q, want %q", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestClientBuildTailnetURL(t *testing.T) {
+	c := Client{
+		BaseURL: "http://127.0.0.1:1234",
+		tailnet: "example.com",
+	}
+	for _, tt := range []struct {
+		desc     string
+		elements []any
+		want     string
+	}{
+		{
+			desc:     "single-element",
+			elements: []any{"devices"},
+			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com/devices",
+		},
+		{
+			desc:     "multiple-elements",
+			elements: []any{"devices", 123},
+			want:     "http://127.0.0.1:1234/api/v2/tailnet/example.com/devices/123",
+		},
+		{
+			desc:     "escape-element",
+			elements: []any{"foo bar?baz=qux"},
+			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/foo%20bar%3Fbaz=qux`,
+		},
+		{
+			desc:     "url.Values",
+			elements: []any{"acl", url.Values{"details": {"1"}}},
+			want:     `http://127.0.0.1:1234/api/v2/tailnet/example.com/acl?details=1`,
+		},
+	} {
+		t.Run(tt.desc, func(t *testing.T) {
+			got := c.BuildTailnetURL(tt.elements...)
+			if got != tt.want {
+				t.Errorf("got %q, want %q", got, tt.want)
+			}
+		})
+	}
+}

cmd/derper/depaware.txt

@@ -191,13 +191,11 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
    W    golang.org/x/exp/constraints                                 from tailscale.com/util/winutil
         golang.org/x/exp/maps                                        from tailscale.com/util/syspolicy/setting+
    L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
@@ -230,7 +228,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/ecdsa+
+        crypto/aes                                                   from crypto/internal/hpke+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509
@@ -239,31 +237,58 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
+        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
+        crypto/internal/fips140/aes                                  from crypto/aes+
+        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
+        crypto/internal/fips140/alias                                from crypto/cipher+
+        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
+        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
+        crypto/internal/fips140/ecdh                                 from crypto/ecdh
+        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
+        crypto/internal/fips140/ed25519                              from crypto/ed25519
+        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
+        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
+        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
+        crypto/internal/fips140/hmac                                 from crypto/hmac+
+        crypto/internal/fips140/mlkem                                from crypto/tls
+        crypto/internal/fips140/nistec                               from crypto/elliptic+
+        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
+        crypto/internal/fips140/rsa                                  from crypto/rsa
+        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
+        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
+        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
+        crypto/internal/fips140/tls12                                from crypto/tls
+        crypto/internal/fips140/tls13                                from crypto/tls
+        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
+        crypto/internal/fips140hash                                  from crypto/ecdsa+
+        crypto/internal/fips140only                                  from crypto/cipher+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/impl                                         from crypto/internal/fips140/aes+
         crypto/internal/randutil                                     from crypto/dsa+
+        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
+        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
+        crypto/subtle                                                from crypto/cipher+
         crypto/tls                                                   from golang.org/x/crypto/acme+
+        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls+
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from crypto/internal/nistec+
+        embed                                                        from google.golang.org/protobuf/internal/editiondefaults+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -284,23 +309,22 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         html                                                         from net/http/pprof+
         html/template                                                from tailscale.com/cmd/derper
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
+        internal/asan                                                from syscall+
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
+        internal/byteorder                                           from crypto/cipher+
         internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
+        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/aes+
+        internal/goarch                                              from crypto/internal/fips140deps/cpu+
         internal/godebug                                             from crypto/tls+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
+        internal/goexperiment                                        from runtime+
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall
+        internal/msan                                                from syscall+
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -310,17 +334,20 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
+        internal/runtime/maps                                        from reflect+
+        internal/runtime/math                                        from internal/runtime/maps+
+        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
+        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
+  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
+   W    internal/syscall/windows                                     from crypto/internal/sysrand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
    L    io/ioutil                                                    from github.com/mitchellh/go-ps+
@@ -332,7 +359,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
         math/rand                                                    from github.com/mdlayher/netlink+
-        math/rand/v2                                                 from internal/concurrent+
+        math/rand/v2                                                 from crypto/ecdsa+
         mime                                                         from github.com/prometheus/common/expfmt+
         mime/multipart                                               from net/http
         mime/quotedprintable                                         from mime/multipart
@@ -345,7 +372,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         net/netip                                                    from go4.org/netipx+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
+        os                                                           from crypto/internal/sysrand+
         os/exec                                                      from github.com/coreos/go-iptables/iptables+
         os/signal                                                    from tailscale.com/cmd/derper
    W    os/user                                                      from tailscale.com/util/winutil+
@@ -354,10 +381,8 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         reflect                                                      from crypto/x509+
         regexp                                                       from github.com/coreos/go-iptables/iptables+
         regexp/syntax                                                from regexp
-        runtime                                                      from crypto/internal/nistec+
+        runtime                                                      from crypto/internal/fips140+
         runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
         runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof
         runtime/trace                                                from net/http/pprof
@@ -367,7 +392,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         strings                                                      from bufio+
         sync                                                         from compress/flate+
         sync/atomic                                                  from context+
-        syscall                                                      from crypto/rand+
+        syscall                                                      from crypto/internal/sysrand+
         text/tabwriter                                               from runtime/pprof
         text/template                                                from html/template
         text/template/parse                                          from html/template+
@@ -377,3 +402,4 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
+        weak                                                         from unique

cmd/derper/derper.go

@@ -324,6 +324,9 @@ func main() {
 		Control:   ktimeout.UserTimeout(*tcpUserTimeout),
 		KeepAlive: *tcpKeepAlive,
 	}
+	// As of 2025-02-19, MPTCP does not support TCP_USER_TIMEOUT socket option
+	// set in ktimeout.UserTimeout above.
+	lc.SetMultipathTCP(false)
 
 	quietLogger := log.New(logger.HTTPServerLogFilter{Inner: log.Printf}, "", 0)
 	httpsrv := &http.Server{

cmd/gitops-pusher/gitops-pusher.go

@@ -13,6 +13,7 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"io"
 	"log"
 	"net/http"
 	"os"
@@ -405,7 +406,8 @@ func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string
 	got := resp.StatusCode
 	want := http.StatusOK
 	if got != want {
-		return "", fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
+		errorDetails, _ := io.ReadAll(resp.Body)
+		return "", fmt.Errorf("wanted HTTP status code %d but got %d: %#q", want, got, string(errorDetails))
 	}
 
 	return Shuck(resp.Header.Get("ETag")), nil

cmd/k8s-operator/depaware.txt

@@ -997,14 +997,13 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/ssh+
-        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from tailscale.com/control/controlbase
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ipn/ipnlocal
   LD    golang.org/x/crypto/ssh/internal/bcrypt_pbkdf                from golang.org/x/crypto/ssh
         golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
@@ -1055,7 +1054,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/ecdsa+
+        crypto/aes                                                   from crypto/internal/hpke+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509+
@@ -1064,27 +1063,54 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
+        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
+        crypto/internal/fips140/aes                                  from crypto/aes+
+        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
+        crypto/internal/fips140/alias                                from crypto/cipher+
+        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
+        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
+        crypto/internal/fips140/ecdh                                 from crypto/ecdh
+        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
+        crypto/internal/fips140/ed25519                              from crypto/ed25519
+        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
+        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
+        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
+        crypto/internal/fips140/hmac                                 from crypto/hmac+
+        crypto/internal/fips140/mlkem                                from crypto/tls
+        crypto/internal/fips140/nistec                               from crypto/elliptic+
+        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
+        crypto/internal/fips140/rsa                                  from crypto/rsa
+        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
+        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
+        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
+        crypto/internal/fips140/tls12                                from crypto/tls
+        crypto/internal/fips140/tls13                                from crypto/tls
+        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
+        crypto/internal/fips140hash                                  from crypto/ecdsa+
+        crypto/internal/fips140only                                  from crypto/cipher+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/impl                                         from crypto/internal/fips140/aes+
         crypto/internal/randutil                                     from crypto/dsa+
+        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls+
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
+        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
+        crypto/subtle                                                from crypto/cipher+
         crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
+        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls+
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509+
@@ -1092,7 +1118,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         database/sql/driver                                          from database/sql+
    W    debug/dwarf                                                  from debug/pe
    W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from crypto/internal/nistec+
+        embed                                                        from github.com/tailscale/web-client-prebuilt+
         encoding                                                     from encoding/gob+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -1112,7 +1138,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         go/build/constraint                                          from go/parser
         go/doc                                                       from k8s.io/apimachinery/pkg/runtime
         go/doc/comment                                               from go/doc
-        go/internal/typeparams                                       from go/parser
         go/parser                                                    from k8s.io/apimachinery/pkg/runtime
         go/scanner                                                   from go/ast+
         go/token                                                     from go/ast+
@@ -1124,24 +1149,23 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         html                                                         from html/template+
         html/template                                                from github.com/gorilla/csrf
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
+        internal/asan                                                from syscall+
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
+        internal/byteorder                                           from crypto/cipher+
         internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
+        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/aes+
+        internal/goarch                                              from crypto/internal/fips140deps/cpu+
         internal/godebug                                             from archive/tar+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
+        internal/goexperiment                                        from runtime+
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
         internal/lazyregexp                                          from go/doc
-        internal/msan                                                from syscall
+        internal/msan                                                from syscall+
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -1151,18 +1175,21 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
+        internal/runtime/maps                                        from reflect+
+        internal/runtime/math                                        from internal/runtime/maps+
+        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/saferio                                             from debug/pe+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
+        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
+  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
+   W    internal/syscall/windows                                     from crypto/internal/sysrand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
         io                                                           from archive/tar+
         io/fs                                                        from archive/tar+
         io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -1191,7 +1218,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         net/netip                                                    from github.com/gaissmai/bart+
         net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
+        os                                                           from crypto/internal/sysrand+
         os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
         os/signal                                                    from sigs.k8s.io/controller-runtime/pkg/manager/signals
         os/user                                                      from archive/tar+
@@ -1202,8 +1229,6 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         regexp/syntax                                                from regexp
         runtime                                                      from archive/tar+
         runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
         runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof+
         runtime/trace                                                from net/http/pprof
@@ -1223,3 +1248,4 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
+        weak                                                         from unique

cmd/k8s-operator/ingress-for-pg.go

@@ -26,7 +26,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/client/tailscale"
+	"tailscale.com/internal/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	tsoperator "tailscale.com/k8s-operator"
@@ -186,7 +186,7 @@ func (a *IngressPGReconciler) maybeProvision(ctx context.Context, hostname strin
 	}
 	dnsName := hostname + "." + tcd
 	serviceName := tailcfg.ServiceName("svc:" + hostname)
-	existingVIPSvc, err := a.tsClient.getVIPService(ctx, serviceName)
+	existingVIPSvc, err := a.tsClient.GetVIPService(ctx, serviceName)
 	// TODO(irbekrm): here and when creating the VIPService, verify if the error is not terminal (and therefore
 	// should not be reconciled). For example, if the hostname is already a hostname of a Tailscale node, the GET
 	// here will fail.
@@ -269,7 +269,7 @@ func (a *IngressPGReconciler) maybeProvision(ctx context.Context, hostname strin
 		vipPorts = append(vipPorts, "80")
 	}
 
-	vipSvc := &VIPService{
+	vipSvc := &tailscale.VIPService{
 		Name:    serviceName,
 		Tags:    tags,
 		Ports:   vipPorts,
@@ -282,7 +282,7 @@ func (a *IngressPGReconciler) maybeProvision(ctx context.Context, hostname strin
 		!reflect.DeepEqual(vipSvc.Tags, existingVIPSvc.Tags) ||
 		!reflect.DeepEqual(vipSvc.Ports, existingVIPSvc.Ports) {
 		logger.Infof("Ensuring VIPService %q exists and is up to date", hostname)
-		if err := a.tsClient.createOrUpdateVIPService(ctx, vipSvc); err != nil {
+		if err := a.tsClient.CreateOrUpdateVIPService(ctx, vipSvc); err != nil {
 			logger.Infof("error creating VIPService: %v", err)
 			return fmt.Errorf("error creating VIPService: %w", err)
 		}
@@ -361,7 +361,7 @@ func (a *IngressPGReconciler) maybeCleanupProxyGroup(ctx context.Context, proxyG
 			}
 			if isVIPServiceForAnyIngress(svc) {
 				logger.Infof("cleaning up orphaned VIPService %q", vipServiceName)
-				if err := a.tsClient.deleteVIPService(ctx, vipServiceName); err != nil {
+				if err := a.tsClient.DeleteVIPService(ctx, vipServiceName); err != nil {
 					errResp := &tailscale.ErrResponse{}
 					if !errors.As(err, &errResp) || errResp.Status != http.StatusNotFound {
 						return fmt.Errorf("deleting VIPService %q: %w", vipServiceName, err)
@@ -509,8 +509,8 @@ func (a *IngressPGReconciler) shouldExpose(ing *networkingv1.Ingress) bool {
 	return isTSIngress && pgAnnot != ""
 }
 
-func (a *IngressPGReconciler) getVIPService(ctx context.Context, name tailcfg.ServiceName, logger *zap.SugaredLogger) (*VIPService, error) {
-	svc, err := a.tsClient.getVIPService(ctx, name)
+func (a *IngressPGReconciler) getVIPService(ctx context.Context, name tailcfg.ServiceName, logger *zap.SugaredLogger) (*tailscale.VIPService, error) {
+	svc, err := a.tsClient.GetVIPService(ctx, name)
 	if err != nil {
 		errResp := &tailscale.ErrResponse{}
 		if ok := errors.As(err, errResp); ok && errResp.Status != http.StatusNotFound {
@@ -521,14 +521,14 @@ func (a *IngressPGReconciler) getVIPService(ctx context.Context, name tailcfg.Se
 	return svc, nil
 }
 
-func isVIPServiceForIngress(svc *VIPService, ing *networkingv1.Ingress) bool {
+func isVIPServiceForIngress(svc *tailscale.VIPService, ing *networkingv1.Ingress) bool {
 	if svc == nil || ing == nil {
 		return false
 	}
 	return strings.EqualFold(svc.Comment, fmt.Sprintf(VIPSvcOwnerRef, ing.UID))
 }
 
-func isVIPServiceForAnyIngress(svc *VIPService) bool {
+func isVIPServiceForAnyIngress(svc *tailscale.VIPService) bool {
 	if svc == nil {
 		return false
 	}
@@ -593,7 +593,7 @@ func (a *IngressPGReconciler) deleteVIPServiceIfExists(ctx context.Context, name
 	}
 
 	logger.Infof("Deleting VIPService %q", name)
-	if err = a.tsClient.deleteVIPService(ctx, name); err != nil {
+	if err = a.tsClient.DeleteVIPService(ctx, name); err != nil {
 		return fmt.Errorf("error deleting VIPService: %w", err)
 	}
 	return nil

cmd/k8s-operator/ingress-for-pg_test.go

@@ -70,7 +70,7 @@ func TestIngressPGReconciler(t *testing.T) {
 	expectReconciled(t, ingPGR, "default", "test-ingress")
 
 	// Verify VIPService uses custom tags
-	vipSvc, err := ft.getVIPService(context.Background(), "svc:my-svc")
+	vipSvc, err := ft.GetVIPService(context.Background(), "svc:my-svc")
 	if err != nil {
 		t.Fatalf("getting VIPService: %v", err)
 	}
@@ -398,7 +398,7 @@ func TestIngressPGReconciler_HTTPEndpoint(t *testing.T) {
 
 func verifyVIPService(t *testing.T, ft *fakeTSClient, serviceName string, wantPorts []string) {
 	t.Helper()
-	vipSvc, err := ft.getVIPService(context.Background(), tailcfg.ServiceName(serviceName))
+	vipSvc, err := ft.GetVIPService(context.Background(), tailcfg.ServiceName(serviceName))
 	if err != nil {
 		t.Fatalf("getting VIPService %q: %v", serviceName, err)
 	}

cmd/k8s-operator/testutils_test.go

@@ -28,7 +28,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/client/tailscale"
+	"tailscale.com/internal/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
@@ -768,7 +768,7 @@ type fakeTSClient struct {
 	sync.Mutex
 	keyRequests []tailscale.KeyCapabilities
 	deleted     []string
-	vipServices map[tailcfg.ServiceName]*VIPService
+	vipServices map[tailcfg.ServiceName]*tailscale.VIPService
 }
 type fakeTSNetServer struct {
 	certDomains []string
@@ -875,7 +875,7 @@ func removeAuthKeyIfExistsModifier(t *testing.T) func(s *corev1.Secret) {
 	}
 }
 
-func (c *fakeTSClient) getVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error) {
+func (c *fakeTSClient) GetVIPService(ctx context.Context, name tailcfg.ServiceName) (*tailscale.VIPService, error) {
 	c.Lock()
 	defer c.Unlock()
 	if c.vipServices == nil {
@@ -888,17 +888,17 @@ func (c *fakeTSClient) getVIPService(ctx context.Context, name tailcfg.ServiceNa
 	return svc, nil
 }
 
-func (c *fakeTSClient) createOrUpdateVIPService(ctx context.Context, svc *VIPService) error {
+func (c *fakeTSClient) CreateOrUpdateVIPService(ctx context.Context, svc *tailscale.VIPService) error {
 	c.Lock()
 	defer c.Unlock()
 	if c.vipServices == nil {
-		c.vipServices = make(map[tailcfg.ServiceName]*VIPService)
+		c.vipServices = make(map[tailcfg.ServiceName]*tailscale.VIPService)
 	}
 	c.vipServices[svc.Name] = svc
 	return nil
 }
 
-func (c *fakeTSClient) deleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
+func (c *fakeTSClient) DeleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
 	c.Lock()
 	defer c.Unlock()
 	if c.vipServices != nil {

cmd/k8s-operator/tsclient.go

@@ -6,19 +6,13 @@
 package main
 
 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
-	"io"
-	"net/http"
-	"net/url"
 	"os"
 
 	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/internal/client/tailscale"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/httpm"
 )
 
 // defaultTailnet is a value that can be used in Tailscale API calls instead of tailnet name to indicate that the API
@@ -45,141 +39,14 @@ func newTSClient(ctx context.Context, clientIDPath, clientSecretPath string) (ts
 	c := tailscale.NewClient(defaultTailnet, nil)
 	c.UserAgent = "tailscale-k8s-operator"
 	c.HTTPClient = credentials.Client(ctx)
-	tsc := &tsClientImpl{
-		Client:  c,
-		baseURL: defaultBaseURL,
-		tailnet: defaultTailnet,
-	}
-	return tsc, nil
+	return c, nil
 }
 
 type tsClient interface {
 	CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error)
 	Device(ctx context.Context, deviceID string, fields *tailscale.DeviceFieldsOpts) (*tailscale.Device, error)
 	DeleteDevice(ctx context.Context, nodeStableID string) error
-	getVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error)
-	createOrUpdateVIPService(ctx context.Context, svc *VIPService) error
-	deleteVIPService(ctx context.Context, name tailcfg.ServiceName) error
-}
-
-type tsClientImpl struct {
-	*tailscale.Client
-	baseURL string
-	tailnet string
-}
-
-// VIPService is a Tailscale VIPService with Tailscale API JSON representation.
-type VIPService struct {
-	// Name is a VIPService name in form svc:<leftmost-label-of-service-DNS-name>.
-	Name tailcfg.ServiceName `json:"name,omitempty"`
-	// Addrs are the IP addresses of the VIP Service. There are two addresses:
-	// the first is IPv4 and the second is IPv6.
-	// When creating a new VIP Service, the IP addresses are optional: if no
-	// addresses are specified then they will be selected. If an IPv4 address is
-	// specified at index 0, then that address will attempt to be used. An IPv6
-	// address can not be specified upon creation.
-	Addrs []string `json:"addrs,omitempty"`
-	// Comment is an optional text string for display in the admin panel.
-	Comment string `json:"comment,omitempty"`
-	// Ports are the ports of a VIPService that will be configured via Tailscale serve config.
-	// If set, any node wishing to advertise this VIPService must have this port configured via Tailscale serve.
-	Ports []string `json:"ports,omitempty"`
-	// Tags are optional ACL tags that will be applied to the VIPService.
-	Tags []string `json:"tags,omitempty"`
-}
-
-// GetVIPServiceByName retrieves a VIPService by its name. It returns 404 if the VIPService is not found.
-func (c *tsClientImpl) getVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/%s", c.baseURL, c.tailnet, url.PathEscape(name.String()))
-	req, err := http.NewRequestWithContext(ctx, httpm.GET, path, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error creating new HTTP request: %w", err)
-	}
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, fmt.Errorf("error making Tailsale API request: %w", err)
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-	svc := &VIPService{}
-	if err := json.Unmarshal(b, svc); err != nil {
-		return nil, err
-	}
-	return svc, nil
-}
-
-// createOrUpdateVIPService creates or updates a VIPService by its name. Caller must ensure that, if the
-// VIPService already exists, the VIPService is fetched first to ensure that any auto-allocated IP addresses are not
-// lost during the update. If the VIPService was created without any IP addresses explicitly set (so that they were
-// auto-allocated by Tailscale) any subsequent request to this function that does not set any IP addresses will error.
-func (c *tsClientImpl) createOrUpdateVIPService(ctx context.Context, svc *VIPService) error {
-	data, err := json.Marshal(svc)
-	if err != nil {
-		return err
-	}
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/%s", c.baseURL, c.tailnet, url.PathEscape(svc.Name.String()))
-	req, err := http.NewRequestWithContext(ctx, httpm.PUT, path, bytes.NewBuffer(data))
-	if err != nil {
-		return fmt.Errorf("error creating new HTTP request: %w", err)
-	}
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return fmt.Errorf("error making Tailscale API request: %w", err)
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}
-
-// DeleteVIPServiceByName deletes a VIPService by its name. It returns an error if the VIPService
-// does not exist or if the deletion fails.
-func (c *tsClientImpl) deleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/vip-services/%s", c.baseURL, c.tailnet, url.PathEscape(name.String()))
-	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
-	if err != nil {
-		return fmt.Errorf("error creating new HTTP request: %w", err)
-	}
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return fmt.Errorf("error making Tailscale API request: %w", err)
-	}
-	// If status code was not successful, return the error.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}
-
-// sendRequest add the authentication key to the request and sends it. It
-// receives the response and reads up to 10MB of it.
-func (c *tsClientImpl) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
-	resp, err := c.Do(req)
-	if err != nil {
-		return nil, resp, fmt.Errorf("error actually doing request: %w", err)
-	}
-	defer resp.Body.Close()
-
-	// Read response
-	b, err := io.ReadAll(resp.Body)
-	if err != nil {
-		err = fmt.Errorf("error reading response body: %v", err)
-	}
-	return b, resp, err
-}
-
-// handleErrorResponse decodes the error message from the server and returns
-// an ErrResponse from it.
-func handleErrorResponse(b []byte, resp *http.Response) error {
-	var errResp tailscale.ErrResponse
-	if err := json.Unmarshal(b, &errResp); err != nil {
-		return err
-	}
-	errResp.Status = resp.StatusCode
-	return errResp
+	GetVIPService(ctx context.Context, name tailcfg.ServiceName) (*tailscale.VIPService, error)
+	CreateOrUpdateVIPService(ctx context.Context, svc *tailscale.VIPService) error
+	DeleteVIPService(ctx context.Context, name tailcfg.ServiceName) error
 }

cmd/stund/depaware.txt

@@ -88,13 +88,11 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http
         golang.org/x/net/http/httpproxy                              from net/http
@@ -116,7 +114,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/ecdsa+
+        crypto/aes                                                   from crypto/internal/hpke+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509
@@ -124,32 +122,59 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         crypto/ecdsa                                                 from crypto/tls+
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
+        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
+        crypto/internal/fips140/aes                                  from crypto/aes+
+        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
+        crypto/internal/fips140/alias                                from crypto/cipher+
+        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
+        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
+        crypto/internal/fips140/ecdh                                 from crypto/ecdh
+        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
+        crypto/internal/fips140/ed25519                              from crypto/ed25519
+        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
+        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
+        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
+        crypto/internal/fips140/hmac                                 from crypto/hmac+
+        crypto/internal/fips140/mlkem                                from crypto/tls
+        crypto/internal/fips140/nistec                               from crypto/elliptic+
+        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
+        crypto/internal/fips140/rsa                                  from crypto/rsa
+        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
+        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
+        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
+        crypto/internal/fips140/tls12                                from crypto/tls
+        crypto/internal/fips140/tls13                                from crypto/tls
+        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
+        crypto/internal/fips140hash                                  from crypto/ecdsa+
+        crypto/internal/fips140only                                  from crypto/cipher+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/impl                                         from crypto/internal/fips140/aes+
         crypto/internal/randutil                                     from crypto/dsa+
+        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
+        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
+        crypto/subtle                                                from crypto/cipher+
         crypto/tls                                                   from net/http+
+        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509
-        embed                                                        from crypto/internal/nistec+
+        embed                                                        from google.golang.org/protobuf/internal/editiondefaults+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/go-json-experiment/json
@@ -169,23 +194,22 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         hash/maphash                                                 from go4.org/mem
         html                                                         from net/http/pprof+
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
+        internal/asan                                                from syscall+
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
+        internal/byteorder                                           from crypto/cipher+
         internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
+        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt
-        internal/goarch                                              from crypto/aes+
+        internal/goarch                                              from crypto/internal/fips140deps/cpu+
         internal/godebug                                             from crypto/tls+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
+        internal/goexperiment                                        from runtime+
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall
+        internal/msan                                                from syscall+
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -195,17 +219,20 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
+        internal/runtime/maps                                        from reflect+
+        internal/runtime/math                                        from internal/runtime/maps+
+        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
+        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
+  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
+   W    internal/syscall/windows                                     from crypto/internal/sysrand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
         io                                                           from bufio+
         io/fs                                                        from crypto/x509+
         iter                                                         from maps+
@@ -216,7 +243,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         math/big                                                     from crypto/dsa+
         math/bits                                                    from compress/flate+
         math/rand                                                    from math/big+
-        math/rand/v2                                                 from internal/concurrent+
+        math/rand/v2                                                 from crypto/ecdsa+
         mime                                                         from github.com/prometheus/common/expfmt+
         mime/multipart                                               from net/http
         mime/quotedprintable                                         from mime/multipart
@@ -229,17 +256,15 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         net/netip                                                    from go4.org/netipx+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
+        os                                                           from crypto/internal/sysrand+
         os/signal                                                    from tailscale.com/cmd/stund
         path                                                         from github.com/prometheus/client_golang/prometheus/internal+
         path/filepath                                                from crypto/x509+
         reflect                                                      from crypto/x509+
         regexp                                                       from github.com/prometheus/client_golang/prometheus/internal+
         regexp/syntax                                                from regexp
-        runtime                                                      from crypto/internal/nistec+
+        runtime                                                      from crypto/internal/fips140+
         runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
         runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
         runtime/pprof                                                from net/http/pprof
         runtime/trace                                                from net/http/pprof
@@ -249,7 +274,7 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         strings                                                      from bufio+
         sync                                                         from compress/flate+
         sync/atomic                                                  from context+
-        syscall                                                      from crypto/rand+
+        syscall                                                      from crypto/internal/sysrand+
         text/tabwriter                                               from runtime/pprof
         time                                                         from compress/gzip+
         unicode                                                      from bytes+
@@ -257,3 +282,4 @@ tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depawar
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
+        weak                                                         from unique

cmd/tailscale/depaware.txt

@@ -195,14 +195,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from tailscale.com/control/controlbase
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
    W    golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
         golang.org/x/exp/maps                                        from tailscale.com/util/syspolicy/internal/metrics+
         golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
@@ -246,7 +245,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/ecdsa+
+        crypto/aes                                                   from crypto/internal/hpke+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509
@@ -255,34 +254,61 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
+        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
+        crypto/internal/fips140/aes                                  from crypto/aes+
+        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
+        crypto/internal/fips140/alias                                from crypto/cipher+
+        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
+        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
+        crypto/internal/fips140/ecdh                                 from crypto/ecdh
+        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
+        crypto/internal/fips140/ed25519                              from crypto/ed25519
+        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
+        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
+        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
+        crypto/internal/fips140/hmac                                 from crypto/hmac+
+        crypto/internal/fips140/mlkem                                from crypto/tls
+        crypto/internal/fips140/nistec                               from crypto/elliptic+
+        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
+        crypto/internal/fips140/rsa                                  from crypto/rsa
+        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
+        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
+        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
+        crypto/internal/fips140/tls12                                from crypto/tls
+        crypto/internal/fips140/tls13                                from crypto/tls
+        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
+        crypto/internal/fips140hash                                  from crypto/ecdsa+
+        crypto/internal/fips140only                                  from crypto/cipher+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/impl                                         from crypto/internal/fips140/aes+
         crypto/internal/randutil                                     from crypto/dsa+
+        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
+        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
+        crypto/subtle                                                from crypto/cipher+
         crypto/tls                                                   from github.com/miekg/dns+
+        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls+
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509+
   DW    database/sql/driver                                          from github.com/google/uuid
    W    debug/dwarf                                                  from debug/pe
    W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from crypto/internal/nistec+
+        embed                                                        from github.com/peterbourgon/ff/v3+
         encoding                                                     from encoding/gob+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -307,23 +333,22 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         image/color                                                  from github.com/skip2/go-qrcode+
         image/png                                                    from github.com/skip2/go-qrcode
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
+        internal/asan                                                from syscall+
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
+        internal/byteorder                                           from crypto/cipher+
         internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
+        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/aes+
+        internal/goarch                                              from crypto/internal/fips140deps/cpu+
         internal/godebug                                             from archive/tar+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
+        internal/goexperiment                                        from runtime+
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall
+        internal/msan                                                from syscall+
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -332,18 +357,21 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
+        internal/runtime/maps                                        from reflect+
+        internal/runtime/math                                        from internal/runtime/maps+
+        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/saferio                                             from debug/pe+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
+        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
+  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
+   W    internal/syscall/windows                                     from crypto/internal/sysrand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
         io                                                           from archive/tar+
         io/fs                                                        from archive/tar+
         io/ioutil                                                    from github.com/mitchellh/go-ps+
@@ -369,7 +397,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         net/netip                                                    from go4.org/netipx+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
+        os                                                           from crypto/internal/sysrand+
         os/exec                                                      from github.com/coreos/go-iptables/iptables+
         os/signal                                                    from tailscale.com/cmd/tailscale/cli
         os/user                                                      from archive/tar+
@@ -380,8 +408,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         regexp/syntax                                                from regexp
         runtime                                                      from archive/tar+
         runtime/debug                                                from tailscale.com+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
         slices                                                       from tailscale.com/client/web+
         sort                                                         from compress/flate+
         strconv                                                      from archive/tar+
@@ -398,3 +424,4 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
+        weak                                                         from unique

cmd/tailscaled/depaware.txt

@@ -449,14 +449,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from golang.org/x/crypto/ssh+
-        golang.org/x/crypto/hkdf                                     from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from tailscale.com/control/controlbase
         golang.org/x/crypto/internal/alias                           from golang.org/x/crypto/chacha20+
         golang.org/x/crypto/internal/poly1305                        from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/sha3                                     from crypto/internal/mlkem768+
   LD    golang.org/x/crypto/ssh                                      from github.com/pkg/sftp+
   LD    golang.org/x/crypto/ssh/internal/bcrypt_pbkdf                from golang.org/x/crypto/ssh
         golang.org/x/exp/constraints                                 from github.com/dblohm7/wingoes/pe+
@@ -504,7 +503,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/ecdsa+
+        crypto/aes                                                   from crypto/internal/hpke+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
         crypto/dsa                                                   from crypto/x509+
@@ -513,34 +512,61 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
-        crypto/internal/alias                                        from crypto/aes+
-        crypto/internal/bigmod                                       from crypto/ecdsa+
         crypto/internal/boring                                       from crypto/aes+
         crypto/internal/boring/bbig                                  from crypto/ecdsa+
         crypto/internal/boring/sig                                   from crypto/internal/boring
-        crypto/internal/edwards25519                                 from crypto/ed25519
-        crypto/internal/edwards25519/field                           from crypto/ecdh+
+        crypto/internal/entropy                                      from crypto/internal/fips140/drbg
+        crypto/internal/fips140                                      from crypto/internal/fips140/aes+
+        crypto/internal/fips140/aes                                  from crypto/aes+
+        crypto/internal/fips140/aes/gcm                              from crypto/cipher+
+        crypto/internal/fips140/alias                                from crypto/cipher+
+        crypto/internal/fips140/bigmod                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/check                                from crypto/internal/fips140/aes+
+        crypto/internal/fips140/drbg                                 from crypto/internal/fips140/aes/gcm+
+        crypto/internal/fips140/ecdh                                 from crypto/ecdh
+        crypto/internal/fips140/ecdsa                                from crypto/ecdsa
+        crypto/internal/fips140/ed25519                              from crypto/ed25519
+        crypto/internal/fips140/edwards25519                         from crypto/internal/fips140/ed25519
+        crypto/internal/fips140/edwards25519/field                   from crypto/ecdh+
+        crypto/internal/fips140/hkdf                                 from crypto/internal/fips140/tls13+
+        crypto/internal/fips140/hmac                                 from crypto/hmac+
+        crypto/internal/fips140/mlkem                                from crypto/tls
+        crypto/internal/fips140/nistec                               from crypto/elliptic+
+        crypto/internal/fips140/nistec/fiat                          from crypto/internal/fips140/nistec
+        crypto/internal/fips140/rsa                                  from crypto/rsa
+        crypto/internal/fips140/sha256                               from crypto/internal/fips140/check+
+        crypto/internal/fips140/sha3                                 from crypto/internal/fips140/hmac+
+        crypto/internal/fips140/sha512                               from crypto/internal/fips140/ecdsa+
+        crypto/internal/fips140/subtle                               from crypto/internal/fips140/aes+
+        crypto/internal/fips140/tls12                                from crypto/tls
+        crypto/internal/fips140/tls13                                from crypto/tls
+        crypto/internal/fips140deps/byteorder                        from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/cpu                              from crypto/internal/fips140/aes+
+        crypto/internal/fips140deps/godebug                          from crypto/internal/fips140+
+        crypto/internal/fips140hash                                  from crypto/ecdsa+
+        crypto/internal/fips140only                                  from crypto/cipher+
         crypto/internal/hpke                                         from crypto/tls
-        crypto/internal/mlkem768                                     from crypto/tls
-        crypto/internal/nistec                                       from crypto/ecdh+
-        crypto/internal/nistec/fiat                                  from crypto/internal/nistec
+        crypto/internal/impl                                         from crypto/internal/fips140/aes+
         crypto/internal/randutil                                     from crypto/dsa+
+        crypto/internal/sysrand                                      from crypto/internal/entropy+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
         crypto/rc4                                                   from crypto/tls+
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
+        crypto/sha3                                                  from crypto/internal/fips140hash
         crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
+        crypto/subtle                                                from crypto/cipher+
         crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
+        crypto/tls/internal/fips140tls                               from crypto/tls
         crypto/x509                                                  from crypto/tls+
    D    crypto/x509/internal/macos                                   from crypto/x509
         crypto/x509/pkix                                             from crypto/x509+
   DW    database/sql/driver                                          from github.com/google/uuid
    W    debug/dwarf                                                  from debug/pe
    W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
-        embed                                                        from crypto/internal/nistec+
+        embed                                                        from github.com/tailscale/web-client-prebuilt+
         encoding                                                     from encoding/gob+
         encoding/asn1                                                from crypto/x509+
         encoding/base32                                              from github.com/fxamacker/cbor/v2+
@@ -562,23 +588,22 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         html                                                         from html/template+
         html/template                                                from github.com/gorilla/csrf
         internal/abi                                                 from crypto/x509/internal/macos+
-        internal/asan                                                from syscall
+        internal/asan                                                from syscall+
         internal/bisect                                              from internal/godebug
         internal/bytealg                                             from bytes+
-        internal/byteorder                                           from crypto/aes+
+        internal/byteorder                                           from crypto/cipher+
         internal/chacha8rand                                         from math/rand/v2+
-        internal/concurrent                                          from unique
         internal/coverage/rtcov                                      from runtime
-        internal/cpu                                                 from crypto/aes+
+        internal/cpu                                                 from crypto/internal/fips140deps/cpu+
         internal/filepathlite                                        from os+
         internal/fmtsort                                             from fmt+
-        internal/goarch                                              from crypto/aes+
+        internal/goarch                                              from crypto/internal/fips140deps/cpu+
         internal/godebug                                             from archive/tar+
         internal/godebugs                                            from internal/godebug+
-        internal/goexperiment                                        from runtime
+        internal/goexperiment                                        from runtime+
         internal/goos                                                from crypto/x509+
         internal/itoa                                                from internal/poll+
-        internal/msan                                                from syscall
+        internal/msan                                                from syscall+
         internal/nettrace                                            from net+
         internal/oserror                                             from io/fs+
         internal/poll                                                from net+
@@ -588,18 +613,21 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         internal/reflectlite                                         from context+
         internal/runtime/atomic                                      from internal/runtime/exithook+
         internal/runtime/exithook                                    from runtime
+        internal/runtime/maps                                        from reflect+
+        internal/runtime/math                                        from internal/runtime/maps+
+        internal/runtime/sys                                         from crypto/subtle+
    L    internal/runtime/syscall                                     from runtime+
         internal/saferio                                             from debug/pe+
         internal/singleflight                                        from net
         internal/stringslite                                         from embed+
+        internal/sync                                                from sync+
         internal/syscall/execenv                                     from os+
-  LD    internal/syscall/unix                                        from crypto/rand+
-   W    internal/syscall/windows                                     from crypto/rand+
+  LD    internal/syscall/unix                                        from crypto/internal/sysrand+
+   W    internal/syscall/windows                                     from crypto/internal/sysrand+
    W    internal/syscall/windows/registry                            from mime+
    W    internal/syscall/windows/sysdll                              from internal/syscall/windows+
         internal/testlog                                             from os
         internal/unsafeheader                                        from internal/reflectlite+
-        internal/weak                                                from unique
         io                                                           from archive/tar+
         io/fs                                                        from archive/tar+
         io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
@@ -626,7 +654,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         net/netip                                                    from github.com/tailscale/wireguard-go/conn+
         net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
         net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
+        os                                                           from crypto/internal/sysrand+
         os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
         os/signal                                                    from tailscale.com/cmd/tailscaled
         os/user                                                      from archive/tar+
@@ -637,8 +665,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         regexp/syntax                                                from regexp
         runtime                                                      from archive/tar+
         runtime/debug                                                from github.com/aws/aws-sdk-go-v2/internal/sync/singleflight+
-        runtime/internal/math                                        from runtime
-        runtime/internal/sys                                         from runtime
         runtime/pprof                                                from net/http/pprof+
         runtime/trace                                                from net/http/pprof
         slices                                                       from tailscale.com/appc+
@@ -657,3 +683,4 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         unicode/utf8                                                 from bufio+
         unique                                                       from net/netip
         unsafe                                                       from bytes+
+        weak                                                         from unique

cmd/testwrapper/testwrapper.go

@@ -10,6 +10,7 @@ package main
 import (
 	"bufio"
 	"bytes"
+	"cmp"
 	"context"
 	"encoding/json"
 	"errors"
@@ -59,11 +60,12 @@ type packageTests struct {
 }
 
 type goTestOutput struct {
-	Time    time.Time
-	Action  string
-	Package string
-	Test    string
-	Output  string
+	Time       time.Time
+	Action     string
+	ImportPath string
+	Package    string
+	Test       string
+	Output     string
 }
 
 var debug = os.Getenv("TS_TESTWRAPPER_DEBUG") != ""
@@ -111,42 +113,43 @@ func runTests(ctx context.Context, attempt int, pt *packageTests, goTestArgs, te
 	for s.Scan() {
 		var goOutput goTestOutput
 		if err := json.Unmarshal(s.Bytes(), &goOutput); err != nil {
-			if errors.Is(err, io.EOF) || errors.Is(err, os.ErrClosed) {
-				break
-			}
-
-			// `go test -json` outputs invalid JSON when a build fails.
-			// In that case, discard the the output and start reading again.
-			// The build error will be printed to stderr.
-			// See: https://github.com/golang/go/issues/35169
-			if _, ok := err.(*json.SyntaxError); ok {
-				fmt.Println(s.Text())
-				continue
-			}
-			panic(err)
+			return fmt.Errorf("failed to parse go test output %q: %w", s.Bytes(), err)
 		}
-		pkg := goOutput.Package
+		pkg := cmp.Or(
+			goOutput.Package,
+			"build:"+goOutput.ImportPath, // can be "./cmd" while Package is "tailscale.com/cmd" so use separate namespace
+		)
 		pkgTests := resultMap[pkg]
 		if pkgTests == nil {
-			pkgTests = make(map[string]*testAttempt)
+			pkgTests = map[string]*testAttempt{
+				"": {}, // Used for start time and build logs.
+			}
 			resultMap[pkg] = pkgTests
 		}
 		if goOutput.Test == "" {
 			switch goOutput.Action {
 			case "start":
-				pkgTests[""] = &testAttempt{start: goOutput.Time}
-			case "fail", "pass", "skip":
+				pkgTests[""].start = goOutput.Time
+			case "build-output":
+				pkgTests[""].logs.WriteString(goOutput.Output)
+			case "build-fail", "fail", "pass", "skip":
 				for _, test := range pkgTests {
 					if test.testName != "" && test.outcome == "" {
 						test.outcome = "fail"
 						ch <- test
 					}
 				}
+				outcome := goOutput.Action
+				if outcome == "build-fail" {
+					outcome = "FAIL"
+				}
+				pkgTests[""].logs.WriteString(goOutput.Output)
 				ch <- &testAttempt{
 					pkg:         goOutput.Package,
-					outcome:     goOutput.Action,
+					outcome:     outcome,
 					start:       pkgTests[""].start,
 					end:         goOutput.Time,
+					logs:        pkgTests[""].logs,
 					pkgFinished: true,
 				}
 			}
@@ -215,6 +218,9 @@ func main() {
 	}
 	toRun := []*nextRun{firstRun}
 	printPkgOutcome := func(pkg, outcome string, attempt int, runtime time.Duration) {
+		if pkg == "" {
+			return // We reach this path on a build error.
+		}
 		if outcome == "skip" {
 			fmt.Printf("?\t%s [skipped/no tests] \n", pkg)
 			return
@@ -270,6 +276,7 @@ func main() {
 						// when a package times out.
 						failed = true
 					}
+					os.Stdout.ReadFrom(&tr.logs)
 					printPkgOutcome(tr.pkg, tr.outcome, thisRun.attempt, tr.end.Sub(tr.start))
 					continue
 				}

cmd/testwrapper/testwrapper_test.go

@@ -11,6 +11,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"regexp"
+	"strings"
 	"sync"
 	"testing"
 )
@@ -154,24 +155,24 @@ func TestBuildError(t *testing.T) {
 		t.Fatalf("writing package: %s", err)
 	}
 
-	buildErr := []byte("builderror_test.go:3:1: expected declaration, found derp\nFAIL	command-line-arguments [setup failed]")
+	wantErr := "builderror_test.go:3:1: expected declaration, found derp\nFAIL"
 
 	// Confirm `go test` exits with code 1.
 	goOut, err := exec.Command("go", "test", testfile).CombinedOutput()
 	if code, ok := errExitCode(err); !ok || code != 1 {
-		t.Fatalf("go test %s: expected error with exit code 0 but got: %v", testfile, err)
+		t.Fatalf("go test %s: got exit code %d, want 1 (err: %v)", testfile, code, err)
 	}
-	if !bytes.Contains(goOut, buildErr) {
-		t.Fatalf("go test %s: expected build error containing %q but got:\n%s", testfile, buildErr, goOut)
+	if !strings.Contains(string(goOut), wantErr) {
+		t.Fatalf("go test %s: got output %q, want output containing %q", testfile, goOut, wantErr)
 	}
 
 	// Confirm `testwrapper` exits with code 1.
 	twOut, err := cmdTestwrapper(t, testfile).CombinedOutput()
 	if code, ok := errExitCode(err); !ok || code != 1 {
-		t.Fatalf("testwrapper %s: expected error with exit code 0 but got: %v", testfile, err)
+		t.Fatalf("testwrapper %s: got exit code %d, want 1 (err: %v)", testfile, code, err)
 	}
-	if !bytes.Contains(twOut, buildErr) {
-		t.Fatalf("testwrapper %s: expected build error containing %q but got:\n%s", testfile, buildErr, twOut)
+	if !strings.Contains(string(twOut), wantErr) {
+		t.Fatalf("testwrapper %s: got output %q, want output containing %q", testfile, twOut, wantErr)
 	}
 
 	if testing.Verbose() {

cmd/tsconnect/common.go

@@ -176,6 +176,10 @@ func runEsbuild(buildOptions esbuild.BuildOptions) esbuild.BuildResult {
 // wasm_exec.js runtime helper library from the Go toolchain.
 func setupEsbuildWasmExecJS(build esbuild.PluginBuild) {
 	wasmExecSrcPath := filepath.Join(runtime.GOROOT(), "misc", "wasm", "wasm_exec.js")
+	if _, err := os.Stat(wasmExecSrcPath); os.IsNotExist(err) {
+		// Go 1.24+ location:
+		wasmExecSrcPath = filepath.Join(runtime.GOROOT(), "lib", "wasm", "wasm_exec.js")
+	}
 	build.OnResolve(esbuild.OnResolveOptions{
 		Filter: "./wasm_exec$",
 	}, func(args esbuild.OnResolveArgs) (esbuild.OnResolveResult, error) {

go.mod

@@ -1,6 +1,6 @@
 module tailscale.com
 
-go 1.23.6
+go 1.24.0
 
 require (
 	filippo.io/mkcert v1.4.4
@@ -74,7 +74,7 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e
 	github.com/tailscale/depaware v0.0.0-20250112153213-b748de04d81b
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4
+	github.com/tailscale/golang-x-crypto v0.0.0-20250218230618-9a281fd8faca
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tailscale/mkctr v0.0.0-20250110151924-54977352e4a6

go.sum

@@ -900,8 +900,8 @@ github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 h1:rXZGgEa+k2vJM8xT0PoSKfVXwFGPQ3z3CJfmnHJkZZw=
-github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
+github.com/tailscale/golang-x-crypto v0.0.0-20250218230618-9a281fd8faca h1:ecjHwH73Yvqf/oIdQ2vxAX+zc6caQsYdPzsxNW1J3G8=
+github.com/tailscale/golang-x-crypto v0.0.0-20250218230618-9a281fd8faca/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=

go.toolchain.branch

@@ -1 +1 @@
-tailscale.go1.23
+tailscale.go1.24

go.toolchain.rev

@@ -1 +1 @@
-65c3f5f3fc9d96f56a37a79cad4ebbd7ff985801
+a529f1c329a97596448310cd52ab64047294b9d5

internal/client/tailscale/tailscale.go

@@ -8,9 +8,16 @@
 package tailscale
 
 import (
+	"errors"
+	"io"
+	"net/http"
+
 	tsclient "tailscale.com/client/tailscale"
 )
 
+// maxSize is the maximum read size (10MB) of responses from the server.
+const maxReadSize = 10 << 20
+
 func init() {
 	tsclient.I_Acknowledge_This_API_Is_Unstable = true
 }
@@ -50,3 +57,27 @@ func NewClient(tailnet string, auth AuthMethod) *Client {
 type Client struct {
 	*tsclient.Client
 }
+
+// HandleErrorResponse is an alias to tailscale.com/client/tailscale.
+func HandleErrorResponse(b []byte, resp *http.Response) error {
+	return tsclient.HandleErrorResponse(b, resp)
+}
+
+// SendRequest add the authentication key to the request and sends it. It
+// receives the response and reads up to 10MB of it.
+func SendRequest(c *Client, req *http.Request) ([]byte, *http.Response, error) {
+	resp, err := c.Do(req)
+	if err != nil {
+		return nil, resp, err
+	}
+	defer resp.Body.Close()
+
+	// Read response. Limit the response to 10MB.
+	// This limit is carried over from client/tailscale/tailscale.go.
+	body := io.LimitReader(resp.Body, maxReadSize+1)
+	b, err := io.ReadAll(body)
+	if len(b) > maxReadSize {
+		err = errors.New("API response too large")
+	}
+	return b, resp, err
+}

internal/client/tailscale/vip_service.go

@@ -0,0 +1,103 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"tailscale.com/tailcfg"
+	"tailscale.com/util/httpm"
+)
+
+// VIPService is a Tailscale VIPService with Tailscale API JSON representation.
+type VIPService struct {
+	// Name is a VIPService name in form svc:<leftmost-label-of-service-DNS-name>.
+	Name tailcfg.ServiceName `json:"name,omitempty"`
+	// Addrs are the IP addresses of the VIP Service. There are two addresses:
+	// the first is IPv4 and the second is IPv6.
+	// When creating a new VIP Service, the IP addresses are optional: if no
+	// addresses are specified then they will be selected. If an IPv4 address is
+	// specified at index 0, then that address will attempt to be used. An IPv6
+	// address can not be specified upon creation.
+	Addrs []string `json:"addrs,omitempty"`
+	// Comment is an optional text string for display in the admin panel.
+	Comment string `json:"comment,omitempty"`
+	// Ports are the ports of a VIPService that will be configured via Tailscale serve config.
+	// If set, any node wishing to advertise this VIPService must have this port configured via Tailscale serve.
+	Ports []string `json:"ports,omitempty"`
+	// Tags are optional ACL tags that will be applied to the VIPService.
+	Tags []string `json:"tags,omitempty"`
+}
+
+// GetVIPService retrieves a VIPService by its name. It returns 404 if the VIPService is not found.
+func (client *Client) GetVIPService(ctx context.Context, name tailcfg.ServiceName) (*VIPService, error) {
+	path := client.BuildTailnetURL("vip-services", name.String())
+	req, err := http.NewRequestWithContext(ctx, httpm.GET, path, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := SendRequest(client, req)
+	if err != nil {
+		return nil, fmt.Errorf("error making Tailsale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, HandleErrorResponse(b, resp)
+	}
+	svc := &VIPService{}
+	if err := json.Unmarshal(b, svc); err != nil {
+		return nil, err
+	}
+	return svc, nil
+}
+
+// CreateOrUpdateVIPService creates or updates a VIPService by its name. Caller must ensure that, if the
+// VIPService already exists, the VIPService is fetched first to ensure that any auto-allocated IP addresses are not
+// lost during the update. If the VIPService was created without any IP addresses explicitly set (so that they were
+// auto-allocated by Tailscale) any subsequent request to this function that does not set any IP addresses will error.
+func (client *Client) CreateOrUpdateVIPService(ctx context.Context, svc *VIPService) error {
+	data, err := json.Marshal(svc)
+	if err != nil {
+		return err
+	}
+	path := client.BuildTailnetURL("vip-services", svc.Name.String())
+	req, err := http.NewRequestWithContext(ctx, httpm.PUT, path, bytes.NewBuffer(data))
+	if err != nil {
+		return fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := SendRequest(client, req)
+	if err != nil {
+		return fmt.Errorf("error making Tailscale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return HandleErrorResponse(b, resp)
+	}
+	return nil
+}
+
+// DeleteVIPService deletes a VIPService by its name. It returns an error if the VIPService
+// does not exist or if the deletion fails.
+func (client *Client) DeleteVIPService(ctx context.Context, name tailcfg.ServiceName) error {
+	path := client.BuildTailnetURL("vip-services", name.String())
+	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
+	if err != nil {
+		return fmt.Errorf("error creating new HTTP request: %w", err)
+	}
+	b, resp, err := SendRequest(client, req)
+	if err != nil {
+		return fmt.Errorf("error making Tailscale API request: %w", err)
+	}
+	// If status code was not successful, return the error.
+	if resp.StatusCode != http.StatusOK {
+		return HandleErrorResponse(b, resp)
+	}
+	return nil
+}

ipn/ipnlocal/local.go

@@ -2341,12 +2341,20 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		}); err != nil {
 			b.logf("failed to save UpdatePrefs state: %v", err)
 		}
-		b.setAtomicValuesFromPrefsLocked(pv)
-	} else {
-		b.setAtomicValuesFromPrefsLocked(b.pm.CurrentPrefs())
 	}
 
+	// Reset the always-on override whenever Start is called.
+	b.resetAlwaysOnOverrideLocked()
+	// And also apply syspolicy settings to the current profile.
+	// This is important in two cases: when opts.UpdatePrefs is not nil,
+	// and when Always Mode is enabled and we need to set WantRunning to true.
+	if newp := b.pm.CurrentPrefs().AsStruct(); applySysPolicy(newp, b.lastSuggestedExitNode, b.overrideAlwaysOn) {
+		setExitNodeID(newp, b.netMap)
+		b.pm.setPrefsNoPermCheck(newp.View())
+	}
 	prefs := b.pm.CurrentPrefs()
+	b.setAtomicValuesFromPrefsLocked(prefs)
+
 	wantRunning := prefs.WantRunning()
 	if wantRunning {
 		if err := b.initMachineKeyLocked(); err != nil {

net/ktimeout/ktimeout_linux_test.go

@@ -4,17 +4,22 @@
 package ktimeout
 
 import (
+	"context"
 	"net"
 	"testing"
 	"time"
 
-	"golang.org/x/net/nettest"
 	"golang.org/x/sys/unix"
 	"tailscale.com/util/must"
 )
 
 func TestSetUserTimeout(t *testing.T) {
-	l := must.Get(nettest.NewLocalListener("tcp"))
+	lc := net.ListenConfig{}
+	// As of 2025-02-19, MPTCP does not support TCP_USER_TIMEOUT socket option
+	// set in ktimeout.UserTimeout above.
+	lc.SetMultipathTCP(false)
+
+	l := must.Get(lc.Listen(context.Background(), "tcp", "localhost:0"))
 	defer l.Close()
 
 	var err error

tempfork/acme/acme.go

@@ -557,7 +557,11 @@ func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error
 		return nil, err
 	}
 
-	res, err := c.post(ctx, nil, chal.URI, json.RawMessage("{}"), wantStatus(
+	payload := json.RawMessage("{}")
+	if len(chal.Payload) != 0 {
+		payload = chal.Payload
+	}
+	res, err := c.post(ctx, nil, chal.URI, payload, wantStatus(
 		http.StatusOK,       // according to the spec
 		http.StatusAccepted, // Let's Encrypt: see https://goo.gl/WsJ7VT (acme-divergences.md)
 	))

tempfork/acme/acme_test.go

@@ -875,7 +875,7 @@ func TestTLSALPN01ChallengeCert(t *testing.T) {
 }
 
 func TestTLSChallengeCertOpt(t *testing.T) {
-	key, err := rsa.GenerateKey(rand.Reader, 512)
+	key, err := rsa.GenerateKey(rand.Reader, 1024)
 	if err != nil {
 		t.Fatal(err)
 	}

tempfork/acme/http.go

@@ -15,6 +15,7 @@ import (
 	"io"
 	"math/big"
 	"net/http"
+	"runtime/debug"
 	"strconv"
 	"strings"
 	"time"
@@ -271,9 +272,27 @@ func (c *Client) httpClient() *http.Client {
 }
 
 // packageVersion is the version of the module that contains this package, for
-// sending as part of the User-Agent header. It's set in version_go112.go.
+// sending as part of the User-Agent header.
 var packageVersion string
 
+func init() {
+	// Set packageVersion if the binary was built in modules mode and x/crypto
+	// was not replaced with a different module.
+	info, ok := debug.ReadBuildInfo()
+	if !ok {
+		return
+	}
+	for _, m := range info.Deps {
+		if m.Path != "golang.org/x/crypto" {
+			continue
+		}
+		if m.Replace == nil {
+			packageVersion = m.Version
+		}
+		break
+	}
+}
+
 // userAgent returns the User-Agent header value. It includes the package name,
 // the module version (if available), and the c.UserAgent value (if set).
 func (c *Client) userAgent() string {

tempfork/acme/types.go

@@ -7,6 +7,7 @@ package acme
 import (
 	"crypto"
 	"crypto/x509"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
@@ -292,7 +293,7 @@ type Directory struct {
 	// Renewal Information (ARI) Extension.
 	RenewalInfoURL string
 
-	// Term is a URI identifying the current terms of service.
+	// Terms is a URI identifying the current terms of service.
 	Terms string
 
 	// Website is an HTTP or HTTPS URL locating a website
@@ -531,6 +532,16 @@ type Challenge struct {
 	// when this challenge was used.
 	// The type of a non-nil value is *Error.
 	Error error
+
+	// Payload is the JSON-formatted payload that the client sends
+	// to the server to indicate it is ready to respond to the challenge.
+	// When unset, it defaults to an empty JSON object: {}.
+	// For most challenges, the client must not set Payload,
+	// see https://tools.ietf.org/html/rfc8555#section-7.5.1.
+	// Payload is used only for newer challenges (such as "device-attest-01")
+	// where the client must send additional data for the server to validate
+	// the challenge.
+	Payload json.RawMessage
 }
 
 // wireChallenge is ACME JSON challenge representation.

util/sparse/punch.go

@@ -0,0 +1,15 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package sparse contains some helpful generic sparse file functions.
+package sparse
+
+import (
+	"os"
+)
+
+// PunchAt takes an os.File and offset and size as int64 to punch
+// a hole in a sparse file.
+func PunchAt(fd *os.File, off, size int64) error {
+	return punchAt(fd, off, size)
+}

util/sparse/punch_darwin.go

@@ -0,0 +1,64 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build darwin
+
+package sparse
+
+import (
+	"errors"
+	"io/fs"
+	"os"
+
+	"golang.org/x/sys/unix"
+)
+
+// punchAt for darwin APFS has a quirk where file punches have to exist on block,
+// boundaries.  This implementation of PunchAt will handle rounding up to the closest block.
+func punchAt(fd *os.File, off, size int64) error {
+	blockSize, err := getBlockSize(fd)
+	if err != nil {
+		return &fs.PathError{Op: "punchAt", Path: fd.Name(), Err: err}
+	}
+	off, size, err = alignToBlockSize(off, size, blockSize)
+	if err != nil {
+		return &fs.PathError{Op: "punchAt", Path: fd.Name(), Err: err}
+	}
+	fstore := &unix.Fstore_t{
+		Offset: off,
+		Length: size,
+	}
+	err = unix.FcntlFstore(fd.Fd(), unix.F_PUNCHHOLE, fstore)
+	if err != nil {
+		return &fs.PathError{Op: "punchAt", Path: fd.Name(), Err: err}
+	}
+	return nil
+}
+
+func getBlockSize(f *os.File) (int64, error) {
+	var statfs unix.Statfs_t
+	if err := unix.Fstatfs(int(f.Fd()), &statfs); err != nil {
+		return 0, err
+	}
+	return int64(statfs.Bsize), nil
+}
+
+func alignToBlockSize(off, size, blockSize int64) (int64, int64, error) {
+	if blockSize <= 0 {
+		return 0, 0, errors.New("block size too small")
+	}
+
+	// Align the offset up to the nearest block boundary
+	alignedOffset := ((off + blockSize - 1) / blockSize) * blockSize
+
+	// Adjust the length to maintain full coverage
+	adjustment := alignedOffset - off
+	alignedLength := size - adjustment
+	if alignedLength < 0 {
+		alignedLength = 0
+	}
+	// Round length up to the nearest multiple of blockSize
+	alignedLength = ((alignedLength + blockSize - 1) / blockSize) * blockSize
+
+	return alignedOffset, alignedLength, nil
+}

util/sparse/punch_generic.go

@@ -0,0 +1,28 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !linux && !darwin && !windows
+
+package sparse
+
+import (
+	"io"
+	"os"
+)
+
+// punchAt just calls [writeZeros] in the generic case.
+func punchAt(fd *os.File, off, size int64) error {
+	return writeZeros(fd, off, size)
+}
+
+// The generic unix implementation does not use sparse files.
+// It just zeros out the file from the offset for the size bites.
+func writeZeros(fd *os.File, off, size int64) error {
+	_, err := fd.Seek(off, io.SeekStart)
+	if err != nil {
+		return err
+	}
+	zeros := make([]byte, size)
+	_, err = fd.Write(zeros)
+	return err
+}

util/sparse/punch_linux.go

@@ -0,0 +1,22 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build linux
+
+// Package sparse contains some helpful generic sparse file functions.
+package sparse
+
+import (
+	"io/fs"
+	"os"
+	"syscall"
+
+	"golang.org/x/sys/unix"
+)
+
+func punchAt(fd *os.File, off, size int64) error {
+	if err := syscall.Fallocate(int(fd.Fd()), unix.FALLOC_FL_KEEP_SIZE|unix.FALLOC_FL_PUNCH_HOLE, off, size); err != nil {
+		return &fs.PathError{Op: "fallocate", Path: fd.Name(), Err: err}
+	}
+	return nil
+}

util/sparse/punch_test.go

@@ -0,0 +1,89 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package sparse
+
+import (
+	"crypto/rand"
+	"io"
+	"os"
+	"testing"
+
+	"tailscale.com/util/must"
+)
+
+func TestFile_PunchAt(t *testing.T) {
+	type args struct {
+		fileSize int64
+		off      int64
+		size     int64
+	}
+
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "Test PunchAt",
+			args: args{
+				fileSize: 5000,
+				off:      0,
+				size:     4096,
+			},
+			wantErr: false,
+		},
+		{
+			name: "Test PunchAt With FileOffset",
+			args: args{
+				fileSize: 100000,
+				off:      4096,
+				size:     4096 * 2,
+			},
+			wantErr: false,
+		},
+		{
+			name: "Test PunchAt With FileOffset smaller than block size",
+			args: args{
+				fileSize: 100000,
+				off:      3,
+				size:     4096 * 2,
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			f := must.Get(os.CreateTemp(t.TempDir(), "punch_at_"))
+			defer f.Close()
+			must.Get(io.Copy(f, io.LimitReader(rand.Reader, tt.args.fileSize)))
+
+			if err := PunchAt(f, tt.args.off, tt.args.size); (err != nil) != tt.wantErr {
+				t.Errorf("PunchAt() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+
+	t.Run("Test PunchAt truncate file twice", func(t *testing.T) {
+		f := must.Get(os.CreateTemp(t.TempDir(), "punch_at_truncate_"))
+		defer f.Close()
+		must.Get(io.Copy(f, io.LimitReader(rand.Reader, 100000)))
+		offset := int64(4096)
+		size := int64(4096 * 2)
+		if err := PunchAt(f, offset, size); err != nil {
+			t.Errorf("PunchAt() error = %v, wantErr %v", err, false)
+		}
+
+		// Write random bytes to hole in file.
+		must.Get(f.Seek(offset, io.SeekStart))
+		must.Get(io.Copy(f, io.LimitReader(rand.Reader, size)))
+		// Change the hole size
+		offset = 4096 * 2
+		size = 4096
+		if err := PunchAt(f, offset, size); err != nil {
+			t.Errorf("PunchAt() error = %v, wantErr %v", err, false)
+		}
+
+	})
+
+}

util/sparse/punch_windows.go

@@ -0,0 +1,52 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build windows
+
+package sparse
+
+import (
+	"io/fs"
+	"os"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+// punchAt for Windows also marks the file as sparse before it punches a hole in it.
+func punchAt(fd *os.File, off, size int64) error {
+	// Windows is unique in that if you call FSCTL_SET_ZERO_DATA on a non sparse file it will just zero out the hole.
+	// Ensure the file is marked as sparse before punching a hole.
+	// Docs: https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-fsctl_set_zero_data#remarks
+	err := markAsSparseFile(fd)
+	if err != nil {
+		return &fs.PathError{Op: "punchAt", Path: fd.Name(), Err: err}
+	}
+	fileHandle := syscall.Handle(fd.Fd())
+
+	// https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ns-winioctl-file_zero_data_information
+	zeroData := struct {
+		FileOffset      uint64
+		ByeondFinalZero uint64
+	}{
+		FileOffset:      uint64(off),
+		ByeondFinalZero: uint64(off + size),
+	}
+
+	var bytesReturned uint32
+	err = syscall.DeviceIoControl(fileHandle, windows.FSCTL_SET_ZERO_DATA, (*byte)(unsafe.Pointer(&zeroData)), uint32(unsafe.Sizeof(zeroData)), nil, 0, &bytesReturned, nil)
+	if err != nil {
+		return &fs.PathError{Op: "punchAt", Path: fd.Name(), Err: err}
+	}
+	return err
+}
+
+func markAsSparseFile(file *os.File) error {
+	fileHandle := syscall.Handle(file.Fd())
+
+	var bytesReturned uint32
+	// FSCTL_SET_SPARSE is the windows syscall to mark a file as sparse.
+	// Docs: https://learn.microsoft.com/en-us/windows/win32/api/winioctl/ni-winioctl-fsctl_set_sparse
+	return syscall.DeviceIoControl(fileHandle, windows.FSCTL_SET_SPARSE, nil, 0, nil, 0, &bytesReturned, nil)
+}