@@ -3,7 +3,7 @@ module github.com/moby/moby/api

 go 1.23.0

 require (

-	github.com/docker/go-connections v0.5.0

+	github.com/docker/go-connections v0.6.0

 	github.com/docker/go-units v0.5.0

 	github.com/google/go-cmp v0.5.9

 	github.com/moby/docker-image-spec v1.3.1

@@ -1,5 +1,5 @@

-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=

-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=

+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=

+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=

 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=

 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=

 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=

@@ -7,7 +7,7 @@ require (

 	github.com/containerd/errdefs v1.0.0

 	github.com/containerd/errdefs/pkg v0.3.0

 	github.com/distribution/reference v0.6.0

-	github.com/docker/go-connections v0.5.0

+	github.com/docker/go-connections v0.6.0

 	github.com/docker/go-units v0.5.0

 	github.com/moby/moby/api v1.52.0-alpha.1

 	github.com/moby/term v0.5.2

@@ -12,8 +12,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c

 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=

 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=

-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=

-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=

+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=

+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=

 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=

 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=

 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=

@@ -40,7 +40,7 @@ require (

 	github.com/deckarep/golang-set/v2 v2.3.0

 	github.com/distribution/reference v0.6.0

 	github.com/docker/distribution v2.8.3+incompatible

-	github.com/docker/go-connections v0.5.0

+	github.com/docker/go-connections v0.6.0

 	github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32

 	github.com/docker/go-metrics v0.0.1

 	github.com/docker/go-units v0.5.0

@@ -183,8 +183,8 @@ github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjY

 github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=

 github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=

 github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=

-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=

-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=

+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=

+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=

 github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 h1:EHZfspsnLAz8Hzccd67D5abwLiqoqym2jz/jOS39mCk=

 github.com/docker/go-events v0.0.0-20250114142523-c867878c5e32/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=

 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=

@@ -2,6 +2,7 @@

 package nat

 import (

+	"errors"

 	"fmt"

 	"net"

 	"strconv"

@@ -43,19 +44,19 @@ func NewPort(proto, port string) (Port, error) {

 // ParsePort parses the port number string and returns an int

 func ParsePort(rawPort string) (int, error) {

-	if len(rawPort) == 0 {

+	if rawPort == "" {

 		return 0, nil

 	}

 	port, err := strconv.ParseUint(rawPort, 10, 16)

 	if err != nil {

-		return 0, err

+		return 0, fmt.Errorf("invalid port '%s': %w", rawPort, errors.Unwrap(err))

 	}

 	return int(port), nil

 }

 // ParsePortRangeToInt parses the port range string and returns start/end ints

 func ParsePortRangeToInt(rawPort string) (int, int, error) {

-	if len(rawPort) == 0 {

+	if rawPort == "" {

 		return 0, 0, nil

 	}

 	start, end, err := ParsePortRange(rawPort)

@@ -91,29 +92,31 @@ func (p Port) Range() (int, int, error) {

 	return ParsePortRangeToInt(p.Port())

 }

-// SplitProtoPort splits a port in the format of proto/port

-func SplitProtoPort(rawPort string) (string, string) {

-	parts := strings.Split(rawPort, "/")

-	l := len(parts)

-	if len(rawPort) == 0 || l == 0 || len(parts[0]) == 0 {

+// SplitProtoPort splits a port(range) and protocol, formatted as "<portnum>/[<proto>]"

+// "<startport-endport>/[<proto>]". It returns an empty string for both if

+// no port(range) is provided. If a port(range) is provided, but no protocol,

+// the default ("tcp") protocol is returned.

+//

+// SplitProtoPort does not validate or normalize the returned values.

+func SplitProtoPort(rawPort string) (proto string, port string) {

+	port, proto, _ = strings.Cut(rawPort, "/")

+	if port == "" {

 		return "", ""

 	}

-	if l == 1 {

-		return "tcp", rawPort

+	if proto == "" {

+		proto = "tcp"

 	}

-	if len(parts[1]) == 0 {

-		return "tcp", parts[0]

-	}

-	return parts[1], parts[0]

+	return proto, port

 }

-func validateProto(proto string) bool {

-	for _, availableProto := range []string{"tcp", "udp", "sctp"} {

-		if availableProto == proto {

-			return true

-		}

+func validateProto(proto string) error {

+	switch proto {

+	case "tcp", "udp", "sctp":

+		// All good

+		return nil

+	default:

+		return errors.New("invalid proto: " + proto)

 	}

-	return false

 }

 // ParsePortSpecs receives port specs in the format of ip:public:private/proto and parses

@@ -123,22 +126,18 @@ func ParsePortSpecs(ports []string) (map[Port]struct{}, map[Port][]PortBinding,

 		exposedPorts = make(map[Port]struct{}, len(ports))

 		bindings     = make(map[Port][]PortBinding)

 	)

-	for _, rawPort := range ports {

-		portMappings, err := ParsePortSpec(rawPort)

+	for _, p := range ports {

+		portMappings, err := ParsePortSpec(p)

 		if err != nil {

 			return nil, nil, err

 		}

-		for _, portMapping := range portMappings {

-			port := portMapping.Port

-			if _, exists := exposedPorts[port]; !exists {

+		for _, pm := range portMappings {

+			port := pm.Port

+			if _, ok := exposedPorts[port]; !ok {

 				exposedPorts[port] = struct{}{}

 			}

-			bslice, exists := bindings[port]

-			if !exists {

-				bslice = []PortBinding{}

-			}

-			bindings[port] = append(bslice, portMapping.Binding)

+			bindings[port] = append(bindings[port], pm.Binding)

 		}

 	}

 	return exposedPorts, bindings, nil

@@ -150,28 +149,34 @@ type PortMapping struct {

 	Binding PortBinding

 }

-func splitParts(rawport string) (string, string, string) {

+func (p *PortMapping) String() string {

+	return net.JoinHostPort(p.Binding.HostIP, p.Binding.HostPort+":"+string(p.Port))

+}

+

+func splitParts(rawport string) (hostIP, hostPort, containerPort string) {

 	parts := strings.Split(rawport, ":")

-	n := len(parts)

-	containerPort := parts[n-1]

-	switch n {

+	switch len(parts) {

 	case 1:

-		return "", "", containerPort

+		return "", "", parts[0]

 	case 2:

-		return "", parts[0], containerPort

+		return "", parts[0], parts[1]

 	case 3:

-		return parts[0], parts[1], containerPort

+		return parts[0], parts[1], parts[2]

 	default:

-		return strings.Join(parts[:n-2], ":"), parts[n-2], containerPort

+		n := len(parts)

+		return strings.Join(parts[:n-2], ":"), parts[n-2], parts[n-1]

 	}

 }

 // ParsePortSpec parses a port specification string into a slice of PortMappings

 func ParsePortSpec(rawPort string) ([]PortMapping, error) {

-	var proto string

 	ip, hostPort, containerPort := splitParts(rawPort)

-	proto, containerPort = SplitProtoPort(containerPort)

+	proto, containerPort := SplitProtoPort(containerPort)

+	proto = strings.ToLower(proto)

+	if err := validateProto(proto); err != nil {

+		return nil, err

+	}

 	if ip != "" && ip[0] == '[' {

 		// Strip [] from IPV6 addresses

@@ -182,7 +187,7 @@ func ParsePortSpec(rawPort string) ([]PortMapping, error) {

 		ip = rawIP

 	}

 	if ip != "" && net.ParseIP(ip) == nil {

-		return nil, fmt.Errorf("invalid IP address: %s", ip)

+		return nil, errors.New("invalid IP address: " + ip)

 	}

 	if containerPort == "" {

 		return nil, fmt.Errorf("no port specified: %s<empty>", rawPort)

@@ -190,51 +195,43 @@ func ParsePortSpec(rawPort string) ([]PortMapping, error) {

 	startPort, endPort, err := ParsePortRange(containerPort)

 	if err != nil {

-		return nil, fmt.Errorf("invalid containerPort: %s", containerPort)

+		return nil, errors.New("invalid containerPort: " + containerPort)

 	}

-	var startHostPort, endHostPort uint64 = 0, 0

-	if len(hostPort) > 0 {

+	var startHostPort, endHostPort uint64

+	if hostPort != "" {

 		startHostPort, endHostPort, err = ParsePortRange(hostPort)

 		if err != nil {

-			return nil, fmt.Errorf("invalid hostPort: %s", hostPort)

+			return nil, errors.New("invalid hostPort: " + hostPort)

 		}

-	}

-

-	if hostPort != "" && (endPort-startPort) != (endHostPort-startHostPort) {

-		// Allow host port range iff containerPort is not a range.

-		// In this case, use the host port range as the dynamic

-		// host port range to allocate into.

-		if endPort != startPort {

-			return nil, fmt.Errorf("invalid ranges specified for container and host Ports: %s and %s", containerPort, hostPort)

+		if (endPort - startPort) != (endHostPort - startHostPort) {

+			// Allow host port range iff containerPort is not a range.

+			// In this case, use the host port range as the dynamic

+			// host port range to allocate into.

+			if endPort != startPort {

+				return nil, fmt.Errorf("invalid ranges specified for container and host Ports: %s and %s", containerPort, hostPort)

+			}

 		}

 	}

-	if !validateProto(strings.ToLower(proto)) {

-		return nil, fmt.Errorf("invalid proto: %s", proto)

-	}

-

-	ports := []PortMapping{}

-	for i := uint64(0); i <= (endPort - startPort); i++ {

-		containerPort = strconv.FormatUint(startPort+i, 10)

-		if len(hostPort) > 0 {

-			hostPort = strconv.FormatUint(startHostPort+i, 10)

-		}

-		// Set hostPort to a range only if there is a single container port

-		// and a dynamic host port.

-		if startPort == endPort && startHostPort != endHostPort {

-			hostPort = fmt.Sprintf("%s-%s", hostPort, strconv.FormatUint(endHostPort, 10))

-		}

-		port, err := NewPort(strings.ToLower(proto), containerPort)

-		if err != nil {

-			return nil, err

-		}

+	count := endPort - startPort + 1

+	ports := make([]PortMapping, 0, count)

-		binding := PortBinding{

-			HostIP:   ip,

-			HostPort: hostPort,

+	for i := uint64(0); i < count; i++ {

+		cPort := Port(strconv.FormatUint(startPort+i, 10) + "/" + proto)

+		hPort := ""

+		if hostPort != "" {

+			hPort = strconv.FormatUint(startHostPort+i, 10)

+			// Set hostPort to a range only if there is a single container port

+			// and a dynamic host port.

+			if count == 1 && startHostPort != endHostPort {

+				hPort += "-" + strconv.FormatUint(endHostPort, 10)

+			}

 		}

-		ports = append(ports, PortMapping{Port: port, Binding: binding})

+		ports = append(ports, PortMapping{

+			Port:    cPort,

+			Binding: PortBinding{HostIP: ip, HostPort: hPort},

+		})

 	}

 	return ports, nil

 }

@@ -1,7 +1,7 @@

 package nat

 import (

-	"fmt"

+	"errors"

 	"strconv"

 	"strings"

 )

@@ -9,7 +9,7 @@ import (

 // ParsePortRange parses and validates the specified string as a port-range (8000-9000)

 func ParsePortRange(ports string) (uint64, uint64, error) {

 	if ports == "" {

-		return 0, 0, fmt.Errorf("empty string specified for ports")

+		return 0, 0, errors.New("empty string specified for ports")

 	}

 	if !strings.Contains(ports, "-") {

 		start, err := strconv.ParseUint(ports, 10, 16)

@@ -27,7 +27,7 @@ func ParsePortRange(ports string) (uint64, uint64, error) {

 		return 0, 0, err

 	}

 	if end < start {

-		return 0, 0, fmt.Errorf("invalid range specified for port: %s", ports)

+		return 0, 0, errors.New("invalid range specified for port: " + ports)

 	}

 	return start, end, nil

 }

deleted file mode 100644

@@ -9,6 +9,8 @@ import (

 // GetProxyEnv allows access to the uppercase and the lowercase forms of

 // proxy-related variables.  See the Go specification for details on these

 // variables. https://golang.org/pkg/net/http/

+//

+// Deprecated: this function was used as helper for [DialerFromEnvironment] and is no longer used. It will be removed in the next release.

 func GetProxyEnv(key string) string {

 	proxyValue := os.Getenv(strings.ToUpper(key))

 	if proxyValue == "" {

@@ -19,10 +21,11 @@ func GetProxyEnv(key string) string {

 // DialerFromEnvironment was previously used to configure a net.Dialer to route

 // connections through a SOCKS proxy.

-// DEPRECATED: SOCKS proxies are now supported by configuring only

+//

+// Deprecated: SOCKS proxies are now supported by configuring only

 // http.Transport.Proxy, and no longer require changing http.Transport.Dial.

-// Therefore, only sockets.ConfigureTransport() needs to be called, and any

-// sockets.DialerFromEnvironment() calls can be dropped.

+// Therefore, only [sockets.ConfigureTransport] needs to be called, and any

+// [sockets.DialerFromEnvironment] calls can be dropped.

 func DialerFromEnvironment(direct *net.Dialer) (*net.Dialer, error) {

 	return direct, nil

 }

@@ -2,13 +2,19 @@

 package sockets

 import (

+	"context"

 	"errors"

+	"fmt"

 	"net"

 	"net/http"

+	"syscall"

 	"time"

 )

-const defaultTimeout = 10 * time.Second

+const (

+	defaultTimeout        = 10 * time.Second

+	maxUnixSocketPathSize = len(syscall.RawSockaddrUnix{}.Path)

+)

 // ErrProtocolNotAvailable is returned when a given transport protocol is not provided by the operating system.

 var ErrProtocolNotAvailable = errors.New("protocol not available")

@@ -35,3 +41,26 @@ func ConfigureTransport(tr *http.Transport, proto, addr string) error {

 	}

 	return nil

 }

+

+// DialPipe connects to a Windows named pipe. It is not supported on

+// non-Windows platforms.

+//

+// Deprecated: use [github.com/Microsoft/go-winio.DialPipe] or [github.com/Microsoft/go-winio.DialPipeContext].

+func DialPipe(addr string, timeout time.Duration) (net.Conn, error) {

+	return dialPipe(addr, timeout)

+}

+

+func configureUnixTransport(tr *http.Transport, proto, addr string) error {

+	if len(addr) > maxUnixSocketPathSize {

+		return fmt.Errorf("unix socket path %q is too long", addr)

+	}

+	// No need for compression in local communications.

+	tr.DisableCompression = true

+	dialer := &net.Dialer{

+		Timeout: defaultTimeout,

+	}

+	tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {

+		return dialer.DialContext(ctx, proto, addr)

+	}

+	return nil

+}

@@ -3,37 +3,16 @@

 package sockets

 import (

-	"context"

-	"fmt"

 	"net"

 	"net/http"

 	"syscall"

 	"time"

 )

-const maxUnixSocketPathSize = len(syscall.RawSockaddrUnix{}.Path)

-

-func configureUnixTransport(tr *http.Transport, proto, addr string) error {

-	if len(addr) > maxUnixSocketPathSize {

-		return fmt.Errorf("unix socket path %q is too long", addr)

-	}

-	// No need for compression in local communications.

-	tr.DisableCompression = true

-	dialer := &net.Dialer{

-		Timeout: defaultTimeout,

-	}

-	tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {

-		return dialer.DialContext(ctx, proto, addr)

-	}

-	return nil

-}

-

 func configureNpipeTransport(tr *http.Transport, proto, addr string) error {

 	return ErrProtocolNotAvailable

 }

-// DialPipe connects to a Windows named pipe.

-// This is not supported on other OSes.

-func DialPipe(_ string, _ time.Duration) (net.Conn, error) {

+func dialPipe(_ string, _ time.Duration) (net.Conn, error) {

 	return nil, syscall.EAFNOSUPPORT

 }

@@ -9,10 +9,6 @@ import (

 	"github.com/Microsoft/go-winio"

 )

-func configureUnixTransport(tr *http.Transport, proto, addr string) error {

-	return ErrProtocolNotAvailable

-}

-

 func configureNpipeTransport(tr *http.Transport, proto, addr string) error {

 	// No need for compression in local communications.

 	tr.DisableCompression = true

@@ -22,7 +18,6 @@ func configureNpipeTransport(tr *http.Transport, proto, addr string) error {

 	return nil

 }

-// DialPipe connects to a Windows named pipe.

-func DialPipe(addr string, timeout time.Duration) (net.Conn, error) {

+func dialPipe(addr string, timeout time.Duration) (net.Conn, error) {

 	return winio.DialPipe(addr, &timeout)

 }

@@ -1,5 +1,3 @@

-//go:build !windows

-

 /*

 Package sockets is a simple unix domain socket wrapper.

@@ -57,26 +55,6 @@ import (

 // SockOption sets up socket file's creating option

 type SockOption func(string) error

-// WithChown modifies the socket file's uid and gid

-func WithChown(uid, gid int) SockOption {

-	return func(path string) error {

-		if err := os.Chown(path, uid, gid); err != nil {

-			return err

-		}

-		return nil

-	}

-}

-

-// WithChmod modifies socket file's access mode.

-func WithChmod(mask os.FileMode) SockOption {

-	return func(path string) error {

-		if err := os.Chmod(path, mask); err != nil {

-			return err

-		}

-		return nil

-	}

-}

-

 // NewUnixSocketWithOpts creates a unix socket with the specified options.

 // By default, socket permissions are 0000 (i.e.: no access for anyone); pass

 // WithChmod() and WithChown() to set the desired ownership and permissions.

@@ -90,22 +68,7 @@ func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error

 		return nil, err

 	}

-	// net.Listen does not allow for permissions to be set. As a result, when

-	// specifying custom permissions ("WithChmod()"), there is a short time

-	// between creating the socket and applying the permissions, during which

-	// the socket permissions are Less restrictive than desired.

-	//

-	// To work around this limitation of net.Listen(), we temporarily set the

-	// umask to 0777, which forces the socket to be created with 000 permissions

-	// (i.e.: no access for anyone). After that, WithChmod() must be used to set

-	// the desired permissions.

-	//

-	// We don't use "defer" here, to reset the umask to its original value as soon

-	// as possible. Ideally we'd be able to detect if WithChmod() was passed as

-	// an option, and skip changing umask if default permissions are used.

-	origUmask := syscall.Umask(0o777)

-	l, err := net.Listen("unix", path)

-	syscall.Umask(origUmask)

+	l, err := listenUnix(path)

 	if err != nil {

 		return nil, err

 	}

@@ -119,8 +82,3 @@ func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error

 	return l, nil

 }

-

-// NewUnixSocket creates a unix socket with the specified path and group.

-func NewUnixSocket(path string, gid int) (net.Listener, error) {

-	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0o660))

-}

new file mode 100644

@@ -0,0 +1,54 @@

+//go:build !windows

+

+package sockets

+

+import (

+	"net"

+	"os"

+	"syscall"

+)

+

+// WithChown modifies the socket file's uid and gid

+func WithChown(uid, gid int) SockOption {

+	return func(path string) error {

+		if err := os.Chown(path, uid, gid); err != nil {

+			return err

+		}

+		return nil

+	}

+}

+

+// WithChmod modifies socket file's access mode.

+func WithChmod(mask os.FileMode) SockOption {

+	return func(path string) error {

+		if err := os.Chmod(path, mask); err != nil {

+			return err

+		}

+		return nil

+	}

+}

+

+// NewUnixSocket creates a unix socket with the specified path and group.

+func NewUnixSocket(path string, gid int) (net.Listener, error) {

+	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0o660))

+}

+

+func listenUnix(path string) (net.Listener, error) {

+	// net.Listen does not allow for permissions to be set. As a result, when

+	// specifying custom permissions ("WithChmod()"), there is a short time

+	// between creating the socket and applying the permissions, during which

+	// the socket permissions are Less restrictive than desired.

+	//

+	// To work around this limitation of net.Listen(), we temporarily set the

+	// umask to 0777, which forces the socket to be created with 000 permissions

+	// (i.e.: no access for anyone). After that, WithChmod() must be used to set

+	// the desired permissions.

+	//

+	// We don't use "defer" here, to reset the umask to its original value as soon

+	// as possible. Ideally we'd be able to detect if WithChmod() was passed as

+	// an option, and skip changing umask if default permissions are used.

+	origUmask := syscall.Umask(0o777)

+	l, err := net.Listen("unix", path)

+	syscall.Umask(origUmask)

+	return l, err

+}

new file mode 100644

@@ -0,0 +1,7 @@

+package sockets

+

+import "net"

+

+func listenUnix(path string) (net.Listener, error) {

+	return net.Listen("unix", path)

+}

@@ -34,51 +34,37 @@ type Options struct {

 	// the system pool will be used.

 	ExclusiveRootPools bool

 	MinVersion         uint16

-	// If Passphrase is set, it will be used to decrypt a TLS private key

-	// if the key is encrypted.

-	//

-	// Deprecated: Use of encrypted TLS private keys has been deprecated, and

-	// will be removed in a future release. Golang has deprecated support for

-	// legacy PEM encryption (as specified in RFC 1423), as it is insecure by

-	// design (see https://go-review.googlesource.com/c/go/+/264159).

-	Passphrase string

-}

-

-// Extra (server-side) accepted CBC cipher suites - will phase out in the future

-var acceptedCBCCiphers = []uint16{

-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,

-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,

-	tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

-	tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,

 }

 // DefaultServerAcceptedCiphers should be uses by code which already has a crypto/tls

 // options struct but wants to use a commonly accepted set of TLS cipher suites, with

 // known weak algorithms removed.

-var DefaultServerAcceptedCiphers = append(clientCipherSuites, acceptedCBCCiphers...)

+var DefaultServerAcceptedCiphers = defaultCipherSuites

+

+// defaultCipherSuites is shared by both client and server as the default set.

+var defaultCipherSuites = []uint16{

+	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,

+	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

+	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

+	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

+}

 // ServerDefault returns a secure-enough TLS configuration for the server TLS configuration.

 func ServerDefault(ops ...func(*tls.Config)) *tls.Config {

-	tlsConfig := &tls.Config{

-		// Avoid fallback by default to SSL protocols < TLS1.2

-		MinVersion:               tls.VersionTLS12,

-		PreferServerCipherSuites: true,

-		CipherSuites:             DefaultServerAcceptedCiphers,

-	}

-

-	for _, op := range ops {

-		op(tlsConfig)

-	}

-

-	return tlsConfig

+	return defaultConfig(ops...)

 }

 // ClientDefault returns a secure-enough TLS configuration for the client TLS configuration.

 func ClientDefault(ops ...func(*tls.Config)) *tls.Config {

+	return defaultConfig(ops...)

+}

+

+// defaultConfig is the default config used by both client and server TLS configuration.

+func defaultConfig(ops ...func(*tls.Config)) *tls.Config {

 	tlsConfig := &tls.Config{

-		// Prefer TLS1.2 as the client minimum

+		// Avoid fallback by default to SSL protocols < TLS1.2

 		MinVersion:   tls.VersionTLS12,

-		CipherSuites: clientCipherSuites,

+		CipherSuites: defaultCipherSuites,

 	}

 	for _, op := range ops {

@@ -92,13 +78,13 @@ func ClientDefault(ops ...func(*tls.Config)) *tls.Config {

 func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {

 	// If we should verify the server, we need to load a trusted ca

 	var (

-		certPool *x509.CertPool

-		err      error

+		pool *x509.CertPool

+		err  error

 	)

 	if exclusivePool {

-		certPool = x509.NewCertPool()

+		pool = x509.NewCertPool()

 	} else {

-		certPool, err = SystemCertPool()

+		pool, err = SystemCertPool()

 		if err != nil {

 			return nil, fmt.Errorf("failed to read system certificates: %v", err)

 		}

@@ -107,10 +93,10 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {

 	if err != nil {

 		return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)

 	}

-	if !certPool.AppendCertsFromPEM(pemData) {

+	if !pool.AppendCertsFromPEM(pemData) {

 		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)

 	}

-	return certPool, nil

+	return pool, nil

 }

 // allTLSVersions lists all the TLS versions and is used by the code that validates

@@ -144,34 +130,32 @@ func adjustMinVersion(options Options, config *tls.Config) error {

 	return nil

 }

-// IsErrEncryptedKey returns true if the 'err' is an error of incorrect

-// password when trying to decrypt a TLS private key.

+// errEncryptedKeyDeprecated is produced when we encounter an encrypted

+// (password-protected) key. From https://go-review.googlesource.com/c/go/+/264159;

 //

-// Deprecated: Use of encrypted TLS private keys has been deprecated, and

-// will be removed in a future release. Golang has deprecated support for

-// legacy PEM encryption (as specified in RFC 1423), as it is insecure by

-// design (see https://go-review.googlesource.com/c/go/+/264159).

-func IsErrEncryptedKey(err error) bool {

-	return errors.Is(err, x509.IncorrectPasswordError)

-}

+// > Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since

+// > it does not authenticate the ciphertext, it is vulnerable to padding oracle

+// > attacks that can let an attacker recover the plaintext

+// >

+// > It's unfortunate that we don't implement PKCS#8 encryption so we can't

+// > recommend an alternative but PEM encryption is so broken that it's worth

+// > deprecating outright.

+//

+// Also see https://docs.docker.com/go/deprecated/

+var errEncryptedKeyDeprecated = errors.New("private key is encrypted; encrypted private keys are obsolete, and not supported")

 // getPrivateKey returns the private key in 'keyBytes', in PEM-encoded format.

-// If the private key is encrypted, 'passphrase' is used to decrypted the

-// private key.

-func getPrivateKey(keyBytes []byte, passphrase string) ([]byte, error) {

+// It returns an error if the file could not be decoded or was protected by

+// a passphrase.

+func getPrivateKey(keyBytes []byte) ([]byte, error) {

 	// this section makes some small changes to code from notary/tuf/utils/x509.go

 	pemBlock, _ := pem.Decode(keyBytes)

 	if pemBlock == nil {

 		return nil, fmt.Errorf("no valid private key found")

 	}

-	var err error

 	if x509.IsEncryptedPEMBlock(pemBlock) { //nolint:staticcheck // Ignore SA1019 (IsEncryptedPEMBlock is deprecated)

-		keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(passphrase)) //nolint:staticcheck // Ignore SA1019 (DecryptPEMBlock is deprecated)

-		if err != nil {

-			return nil, fmt.Errorf("private key is encrypted, but could not decrypt it: %w", err)

-		}

-		keyBytes = pem.EncodeToMemory(&pem.Block{Type: pemBlock.Type, Bytes: keyBytes})

+		return nil, errEncryptedKeyDeprecated

 	}

 	return keyBytes, nil

@@ -195,7 +179,7 @@ func getCert(options Options) ([]tls.Certificate, error) {

 		return nil, err

 	}

-	prKeyBytes, err = getPrivateKey(prKeyBytes, options.Passphrase)

+	prKeyBytes, err = getPrivateKey(prKeyBytes)

 	if err != nil {

 		return nil, err

 	}

@@ -210,7 +194,7 @@ func getCert(options Options) ([]tls.Certificate, error) {

 // Client returns a TLS configuration meant to be used by a client.

 func Client(options Options) (*tls.Config, error) {

-	tlsConfig := ClientDefault()

+	tlsConfig := defaultConfig()

 	tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify

 	if !options.InsecureSkipVerify && options.CAFile != "" {

 		CAs, err := certPool(options.CAFile, options.ExclusiveRootPools)

@@ -235,7 +219,7 @@ func Client(options Options) (*tls.Config, error) {

 // Server returns a TLS configuration meant to be used by a server.

 func Server(options Options) (*tls.Config, error) {

-	tlsConfig := ServerDefault()

+	tlsConfig := defaultConfig()

 	tlsConfig.ClientAuth = options.ClientAuth

 	tlsCert, err := tls.LoadX509KeyPair(options.CertFile, options.KeyFile)

 	if err != nil {

deleted file mode 100644

@@ -1,14 +0,0 @@

-// Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.

-package tlsconfig

-

-import (

-	"crypto/tls"

-)

-

-// Client TLS cipher suites (dropping CBC ciphers for client preferred suite set)

-var clientCipherSuites = []uint16{

-	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,

-	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,

-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,

-	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,

-}

@@ -511,7 +511,7 @@ github.com/docker/distribution/registry/storage/cache/memory

 github.com/docker/docker/libnetwork/internal/resolvconf

 github.com/docker/docker/libnetwork/resolvconf

 github.com/docker/docker/profiles/seccomp

-# github.com/docker/go-connections v0.5.0

+# github.com/docker/go-connections v0.6.0

 ## explicit; go 1.18

 github.com/docker/go-connections/nat

 github.com/docker/go-connections/sockets