oven-sh · cirospaciari · May 29, 2025 · Mar 25, 2025 · Apr 4, 2025 · Apr 5, 2025
diff --git a/.buildkite/ci.mjs b/.buildkite/ci.mjs
@@ -228,13 +228,7 @@ function getRetry(limit = 0) {
     manual: {
       permit_on_passed: true,
     },
-    automatic: [
-      { exit_status: 1, limit },
-      { exit_status: -1, limit: 1 },
-      { exit_status: 255, limit: 1 },
-      { signal_reason: "cancel", limit: 1 },
-      { signal_reason: "agent_stop", limit: 1 },
-    ],
+    automatic: false,
   };
 }
 
@@ -572,7 +566,7 @@ function getTestBunStep(platform, options, testOptions = {}) {
     retry: getRetry(),
     cancel_on_build_failing: isMergeQueue(),
     parallelism: unifiedTests ? undefined : os === "darwin" ? 2 : 10,
-    timeout_in_minutes: profile === "asan" ? 90 : 30,
+    timeout_in_minutes: profile === "asan" ? 45 : 30,
     command:
       os === "windows"
         ? `node .\\scripts\\runner.node.mjs ${args.join(" ")}`

diff --git a/docs/runtime/nodejs-apis.md b/docs/runtime/nodejs-apis.md
@@ -120,7 +120,7 @@ This page is updated regularly to reflect compatibility status of the latest ver
 
 ### [`node:net`](https://nodejs.org/api/net.html)
 
-🟡 `SocketAddress` class not exposed (but implemented). `BlockList` exists but is a no-op.
+🟢 Fully implemented.
 
 ### [`node:perf_hooks`](https://nodejs.org/api/perf_hooks.html)
 

@@ -3662,7 +3662,7 @@ declare module "bun" {
      * the well-known CAs curated by Mozilla. Mozilla's CAs are completely
      * replaced when CAs are explicitly specified using this option.
      */
-    ca?: string | Buffer | BunFile | Array<string | Buffer | BunFile> | undefined;
+    ca?: string | BufferSource | BunFile | Array<string | BufferSource | BunFile> | undefined;
     /**
      *  Cert chains in PEM format. One cert chain should be provided per
      *  private key. Each cert chain should consist of the PEM formatted
@@ -3674,7 +3674,7 @@ declare module "bun" {
      *  intermediate certificates are not provided, the peer will not be
      *  able to validate the certificate, and the handshake will fail.
      */
-    cert?: string | Buffer | BunFile | Array<string | Buffer | BunFile> | undefined;
+    cert?: string | BufferSource | BunFile | Array<string | BufferSource | BunFile> | undefined;
     /**
      * Private keys in PEM format. PEM allows the option of private keys
      * being encrypted. Encrypted keys will be decrypted with
@@ -3685,13 +3685,25 @@ declare module "bun" {
      * object.passphrase is optional. Encrypted keys will be decrypted with
      * object.passphrase if provided, or options.passphrase if it is not.
      */
-    key?: string | Buffer | BunFile | Array<string | Buffer | BunFile> | undefined;
+    key?: string | BufferSource | BunFile | Array<string | BufferSource | BunFile> | undefined;
     /**
      * Optionally affect the OpenSSL protocol behavior, which is not
      * usually necessary. This should be used carefully if at all! Value is
      * a numeric bitmask of the SSL_OP_* options from OpenSSL Options
      */
     secureOptions?: number | undefined; // Value is a numeric bitmask of the `SSL_OP_*` options
+
+    keyFile?: string;
+
+    certFile?: string;
+
+    ALPNProtocols?: string | BufferSource;
+
+    ciphers?: string;
+
+    clientRenegotiationLimit?: number;
+
+    clientRenegotiationWindow?: number;
   }
 
   // Note for contributors: TLSOptionsAsDeprecated should be considered immutable
@@ -6060,7 +6072,7 @@ declare module "bun" {
      * certificate.
      * @return A certificate object.
      */
-    getPeerCertificate(): import("tls").PeerCertificate;
+    getPeerCertificate(): import("node:tls").PeerCertificate;
     getPeerX509Certificate(): import("node:crypto").X509Certificate;
 
     /**
@@ -6165,6 +6177,34 @@ declare module "bun" {
      * The number of bytes written to the socket.
      */
     readonly bytesWritten: number;
+
+    resume(): void;
+
+    pause(): void;
+
+    renegotiate(): void;
+
+    setVerifyMode(requestCert: boolean, rejectUnauthorized: boolean): void;
+
+    getSession(): void;
+
+    setSession(session: string | Buffer | BufferSource): void;
+
+    exportKeyingMaterial(length: number, label: string, context?: string | BufferSource): void;
+
+    upgradeTLS<Data>(options: TLSUpgradeOptions<Data>): [raw: Socket<Data>, tls: Socket<Data>];
+
+    close(): void;
+
+    getServername(): string;
+
+    setServername(name: string): void;
+  }
+
+  interface TLSUpgradeOptions<Data> {
+    data?: Data;
+    tls: TLSOptions | boolean;
+    socket: SocketHandler<Data>;
   }
 
   interface SocketListener<Data = undefined> extends Disposable {
@@ -6265,6 +6305,22 @@ declare module "bun" {
      * The per-instance data context
      */
     data?: Data;
+    /**
+     * Whether to allow half-open connections.
+     *
+     * A half-open connection occurs when one end of the connection has called `close()`
+     * or sent a FIN packet, while the other end remains open. When set to `true`:
+     *
+     * - The socket won't automatically send FIN when the remote side closes its end
+     * - The local side can continue sending data even after the remote side has closed
+     * - The application must explicitly call `end()` to fully close the connection
+     *
+     * When `false`, the socket automatically closes both ends of the connection when
+     * either side closes.
+     *
+     * @default false
+     */
+    allowHalfOpen?: boolean;
   }
 
   interface TCPSocketListenOptions<Data = undefined> extends SocketOptions<Data> {
@@ -6279,7 +6335,7 @@ declare module "bun" {
     /**
      * The TLS configuration object with which to create the server
      */
-    tls?: TLSOptions;
+    tls?: TLSOptions | boolean;
     /**
      * Whether to use exclusive mode.
      *
@@ -6325,7 +6381,7 @@ declare module "bun" {
     /**
      * TLS Configuration with which to create the socket
      */
-    tls?: boolean;
+    tls?: TLSOptions | boolean;
     /**
      * Whether to use exclusive mode.
      *
@@ -6341,22 +6397,8 @@ declare module "bun" {
      * @default false
      */
     exclusive?: boolean;
-    /**
-     * Whether to allow half-open connections.
-     *
-     * A half-open connection occurs when one end of the connection has called `close()`
-     * or sent a FIN packet, while the other end remains open. When set to `true`:
-     *
-     * - The socket won't automatically send FIN when the remote side closes its end
-     * - The local side can continue sending data even after the remote side has closed
-     * - The application must explicitly call `end()` to fully close the connection
-     *
-     * When `false` (default), the socket automatically closes both ends of the connection
-     * when either side closes.
-     *
-     * @default false
-     */
-    allowHalfOpen?: boolean;
+    reusePort?: boolean;
+    ipv6Only?: boolean;
   }
 
   interface UnixSocketOptions<Data = undefined> extends SocketOptions<Data> {
@@ -6367,14 +6409,14 @@ declare module "bun" {
     /**
      * TLS Configuration with which to create the socket
      */
-    tls?: TLSOptions;
+    tls?: TLSOptions | boolean;
   }
 
   interface FdSocketOptions<Data = undefined> extends SocketOptions<Data> {
     /**
      * TLS Configuration with which to create the socket
      */
-    tls?: TLSOptions;
+    tls?: TLSOptions | boolean;
     /**
      * The file descriptor to connect to
      */

diff --git a/packages/bun-usockets/src/context.c b/packages/bun-usockets/src/context.c
@@ -440,7 +440,7 @@ struct us_socket_t* us_socket_context_connect_resolved_dns(struct us_socket_cont
     socket->flags.is_paused = 0;
     socket->flags.is_ipc = 0;
     socket->connect_state = NULL;
-
+    socket->connect_next = NULL;
 
     us_internal_socket_context_link_socket(context, socket);
 
@@ -459,7 +459,7 @@ static void init_addr_with_port(struct addrinfo* info, int port, struct sockaddr
     }
 }
 
-static int try_parse_ip(const char *ip_str, int port, struct sockaddr_storage *storage) {
+static bool try_parse_ip(const char *ip_str, int port, struct sockaddr_storage *storage) {
     memset(storage, 0, sizeof(struct sockaddr_storage));
     // Try to parse as IPv4
     struct sockaddr_in *addr4 = (struct sockaddr_in *)storage;
@@ -469,7 +469,7 @@ static int try_parse_ip(const char *ip_str, int port, struct sockaddr_storage *s
 #ifdef __APPLE__
         addr4->sin_len = sizeof(struct sockaddr_in);
 #endif
-        return 0;
+        return 1;
     }
 
     // Try to parse as IPv6
@@ -480,26 +480,26 @@ static int try_parse_ip(const char *ip_str, int port, struct sockaddr_storage *s
 #ifdef __APPLE__
         addr6->sin6_len = sizeof(struct sockaddr_in6);
 #endif
-        return 0;
+        return 1;
     }
 
     // If we reach here, the input is neither IPv4 nor IPv6
-    return 1;
+    return 0;
 }
 
-void *us_socket_context_connect(int ssl, struct us_socket_context_t *context, const char *host, int port, int options, int socket_ext_size, int* is_connecting) {
+void *us_socket_context_connect(int ssl, struct us_socket_context_t *context, const char *host, int port, int options, int socket_ext_size, int* has_dns_resolved) {
 #ifndef LIBUS_NO_SSL
     if (ssl == 1) {
-        return us_internal_ssl_socket_context_connect((struct us_internal_ssl_socket_context_t *) context, host, port, options, socket_ext_size, is_connecting);
+        return us_internal_ssl_socket_context_connect((struct us_internal_ssl_socket_context_t *) context, host, port, options, socket_ext_size, has_dns_resolved);
     }
 #endif
 
     struct us_loop_t* loop = us_socket_context_loop(ssl, context);
 
     // fast path for IP addresses in text form
     struct sockaddr_storage addr;
-    if (try_parse_ip(host, port, &addr) == 0) {
-        *is_connecting = 1;
+    if (try_parse_ip(host, port, &addr)) {
+        *has_dns_resolved = 1;
         return us_socket_context_connect_resolved_dns(context, &addr, options, socket_ext_size);
     }
 
@@ -518,7 +518,7 @@ void *us_socket_context_connect(int ssl, struct us_socket_context_t *context, co
         if (result->entries && result->entries->info.ai_next == NULL) {
             struct sockaddr_storage addr;
             init_addr_with_port(&result->entries->info, port, &addr);
-            *is_connecting = 1;
+            *has_dns_resolved = 1;
             struct us_socket_t *s = us_socket_context_connect_resolved_dns(context, &addr, options, socket_ext_size);
             Bun__addrinfo_freeRequest(ai_req, s == NULL);
             return s;

diff --git a/packages/bun-usockets/src/crypto/openssl.c b/packages/bun-usockets/src/crypto/openssl.c
@@ -213,7 +213,7 @@ struct us_internal_ssl_socket_t *ssl_on_open(struct us_internal_ssl_socket_t *s,
   s->ssl_read_wants_write = 0;
   s->fatal_error = 0;
   s->handshake_state = HANDSHAKE_PENDING;
-  
+
 
   SSL_set_bio(s->ssl, loop_ssl_data->shared_rbio, loop_ssl_data->shared_wbio);
 // if we allow renegotiation, we need to set the mode here
@@ -255,7 +255,7 @@ struct us_internal_ssl_socket_t *ssl_on_open(struct us_internal_ssl_socket_t *s,
 }
 
 /// @brief Complete the shutdown or do a fast shutdown when needed, this should only be called before closing the socket
-/// @param s 
+/// @param s
 int us_internal_handle_shutdown(struct us_internal_ssl_socket_t *s, int force_fast_shutdown) {
   // if we are already shutdown or in the middle of a handshake we dont need to do anything
   // Scenarios:
@@ -265,7 +265,7 @@ int us_internal_handle_shutdown(struct us_internal_ssl_socket_t *s, int force_fa
   // 4 - we are in the middle of a handshake
   // 5 - we received a fatal error
   if(us_internal_ssl_socket_is_shut_down(s) || s->fatal_error || !SSL_is_init_finished(s->ssl)) return 1;
-    
+
   // we are closing the socket but did not sent a shutdown yet
   int state = SSL_get_shutdown(s->ssl);
   int sent_shutdown = state & SSL_SENT_SHUTDOWN;
@@ -277,7 +277,7 @@ int us_internal_handle_shutdown(struct us_internal_ssl_socket_t *s, int force_fa
     // Zero means that we should wait for the peer to close the connection
     // but we are already closing the connection so we do a fast shutdown here
     int ret = SSL_shutdown(s->ssl);
-    if(ret == 0 && force_fast_shutdown) { 
+    if(ret == 0 && force_fast_shutdown) {
       // do a fast shutdown (dont wait for peer)
       ret = SSL_shutdown(s->ssl);
     }
@@ -397,7 +397,7 @@ void us_internal_update_handshake(struct us_internal_ssl_socket_t *s) {
   // nothing todo here, renegotiation must be handled in SSL_read
   if (s->handshake_state != HANDSHAKE_PENDING)
     return;
-  
+
   if (us_internal_ssl_socket_is_closed(s) || us_internal_ssl_socket_is_shut_down(s) ||
      (s->ssl && SSL_get_shutdown(s->ssl) & SSL_RECEIVED_SHUTDOWN)) {
 
@@ -422,7 +422,7 @@ void us_internal_update_handshake(struct us_internal_ssl_socket_t *s) {
         s->fatal_error = 1;
       }
       us_internal_trigger_handshake_callback(s, 0);
-    
+
       return;
     }
     s->handshake_state = HANDSHAKE_PENDING;
@@ -504,7 +504,7 @@ struct us_internal_ssl_socket_t *ssl_on_data(struct us_internal_ssl_socket_t *s,
                              loop_ssl_data->ssl_read_output +
                                  LIBUS_RECV_BUFFER_PADDING + read,
                              LIBUS_RECV_BUFFER_LENGTH - read);
-    
+
     if (just_read <= 0) {
       int err = SSL_get_error(s->ssl, just_read);
       // as far as I know these are the only errors we want to handle
@@ -603,7 +603,7 @@ struct us_internal_ssl_socket_t *ssl_on_data(struct us_internal_ssl_socket_t *s,
       goto restart;
     }
   }
-  // Trigger writable if we failed last SSL_write with SSL_ERROR_WANT_READ 
+  // Trigger writable if we failed last SSL_write with SSL_ERROR_WANT_READ
   // If we failed SSL_read because we need to write more data (SSL_ERROR_WANT_WRITE) we are not going to trigger on_writable, we will wait until the next on_data or on_writable event
   // SSL_read will try to flush the write buffer and if fails with SSL_ERROR_WANT_WRITE means the socket is not in a writable state anymore and only makes sense to trigger on_writable if we can write more data
   // Otherwise we possible would trigger on_writable -> on_data event in a recursive loop
@@ -1133,7 +1133,7 @@ int us_verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
 }
 
 SSL_CTX *create_ssl_context_from_bun_options(
-    struct us_bun_socket_context_options_t options, 
+    struct us_bun_socket_context_options_t options,
     enum create_bun_socket_error_t *err) {
   ERR_clear_error();
 
@@ -1250,8 +1250,8 @@ SSL_CTX *create_ssl_context_from_bun_options(
         return NULL;
       }
 
-     // It may return spurious errors here.
-    ERR_clear_error();
+      // It may return spurious errors here.
+      ERR_clear_error();
 
       if (options.reject_unauthorized) {
         SSL_CTX_set_verify(ssl_context,
@@ -1755,7 +1755,7 @@ int us_internal_ssl_socket_raw_write(struct us_internal_ssl_socket_t *s,
 
 int us_internal_ssl_socket_write(struct us_internal_ssl_socket_t *s,
                                  const char *data, int length, int msg_more) {
-  
+
   if (us_socket_is_closed(0, &s->s) || us_internal_ssl_socket_is_shut_down(s) || length == 0) {
     return 0;
   }
@@ -1989,7 +1989,7 @@ ssl_wrapped_context_on_end(struct us_internal_ssl_socket_t *s) {
   if (wrapped_context->events.on_end) {
     wrapped_context->events.on_end((struct us_socket_t *)s);
   }
-  
+
   return s;
 }
 
@@ -2082,7 +2082,7 @@ struct us_internal_ssl_socket_t *us_internal_ssl_socket_wrap_with_tls(
   struct us_socket_context_t *context = us_create_bun_ssl_socket_context(
       old_context->loop, sizeof(struct us_wrapped_socket_context_t),
       options, &err);
-  
+
   // Handle SSL context creation failure
   if (UNLIKELY(!context)) {
     return NULL;
@@ -2186,4 +2186,4 @@ us_socket_context_on_socket_connect_error(
   return socket;
 }
 
-#endif
+#endif