tlsconfig: drop support for go1.17 and older

.github/workflows/test.yml

@@ -14,18 +14,18 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: ["1.13.x", "1.20.x", "1.21.x"]
+        go: ["1.18.x", "1.20.x", "1.21.x"]
         platform: [ubuntu-20.04]
     runs-on: ${{ matrix.platform }}
     steps:
     - name: Install Go ${{ matrix.go }}
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v4
       with:
         go-version: ${{ matrix.go }}
     - name: Setup IPv6
       run: sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=0 net.ipv6.conf.default.disable_ipv6=0 net.ipv6.conf.all.disable_ipv6=0
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
     - name: Build for ${{ matrix.platform }}
       run: go build ./...
     - name: Test
@@ -37,16 +37,16 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: ["1.13.x", "1.20.x", "1.21.x"]
+        go: ["1.18.x", "1.20.x", "1.21.x"]
         platform: [windows-latest, macos-latest]
     runs-on: ${{ matrix.platform }}
     steps:
       - name: Install Go ${{ matrix.go }}
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go }}
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Build for ${{ matrix.platform }}
         run: go build ./...
       - name: Test
@@ -61,8 +61,13 @@ jobs:
         platform: [ubuntu-20.04, windows-latest, macos-latest]
     runs-on: ${{ matrix.platform }}
     steps:
-      - uses: actions/checkout@v2
-      - uses: golangci/golangci-lint-action@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.21.x"
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
         with:
           # must be specified without patch version
           version: v1.55

go.mod

@@ -1,5 +1,7 @@
 module github.com/docker/go-connections
 
-go 1.13
+go 1.18
 
 require github.com/Microsoft/go-winio v0.4.14
+
+require golang.org/x/sys v0.1.0 // indirect

go.sum

@@ -8,5 +8,6 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

nat/nat_test.go

@@ -94,7 +94,6 @@ func TestParsePortRangeToInt(t *testing.T) {
 
 func TestPort(t *testing.T) {
 	p, err := NewPort("tcp", "1234")
-
 	if err != nil {
 		t.Fatalf("tcp, 1234 had a parsing issue: %v", err)
 	}

proxy/network_proxy_test.go

@@ -11,8 +11,10 @@ import (
 	"time"
 )
 
-var testBuf = []byte("Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo")
-var testBufSize = len(testBuf)
+var (
+	testBuf     = []byte("Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo")
+	testBufSize = len(testBuf)
+)
 
 type EchoServer interface {
 	Run()

proxy/tcp_proxy.go

@@ -46,7 +46,7 @@ func (proxy *TCPProxy) clientLoop(client *net.TCPConn, quit chan bool) {
 	}
 
 	event := make(chan int64)
-	var broker = func(to, from *net.TCPConn) {
+	broker := func(to, from *net.TCPConn) {
 		written, err := io.Copy(to, from)
 		if err != nil {
 			// If the socket we are writing to is shutdown with

sockets/sockets_unix.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 package sockets
 

sockets/unix_socket.go

@@ -1,9 +1,9 @@
-// +build !windows
+//go:build !windows
 
 /*
 Package sockets is a simple unix domain socket wrapper.
 
-Usage
+# Usage
 
 For example:
 
@@ -103,7 +103,7 @@ func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error
 	// We don't use "defer" here, to reset the umask to its original value as soon
 	// as possible. Ideally we'd be able to detect if WithChmod() was passed as
 	// an option, and skip changing umask if default permissions are used.
-	origUmask := syscall.Umask(0777)
+	origUmask := syscall.Umask(0o777)
 	l, err := net.Listen("unix", path)
 	syscall.Umask(origUmask)
 	if err != nil {
@@ -122,5 +122,5 @@ func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error
 
 // NewUnixSocket creates a unix socket with the specified path and group.
 func NewUnixSocket(path string, gid int) (net.Listener, error) {
-	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0660))
+	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0o660))
 }

sockets/unix_socket_test.go

@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 package sockets
 
@@ -53,7 +53,7 @@ func TestNewUnixSocket(t *testing.T) {
 
 func TestUnixSocketWithOpts(t *testing.T) {
 	uid, gid := os.Getuid(), os.Getgid()
-	perms := os.FileMode(0660)
+	perms := os.FileMode(0o660)
 	path := "/tmp/test.sock"
 	echoStr := "hello"
 	l, err := NewUnixSocketWithOpts(path, WithChown(uid, gid), WithChmod(perms))

tlsconfig/certpool_go17.go → tlsconfig/certpool.go

@@ -1,5 +1,3 @@
-// +build go1.7
-
 package tlsconfig
 
 import (

tlsconfig/config.go

@@ -1,6 +1,7 @@
 // Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
 //
 // As a reminder from https://golang.org/pkg/crypto/tls/#Config:
+//
 //	A Config structure is used to configure a TLS client or server. After one has been passed to a TLS function it must not be modified.
 //	A Config may be reused; the tls package will also not modify it.
 package tlsconfig
@@ -11,7 +12,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 )
 
@@ -103,7 +103,7 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
 	}
-	pemData, err := ioutil.ReadFile(caFile)
+	pemData, err := os.ReadFile(caFile)
 	if err != nil {
 		return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
 	}
@@ -113,6 +113,15 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 	return certPool, nil
 }
 
+// allTLSVersions lists all the TLS versions and is used by the code that validates
+// a uint16 value as a TLS version.
+var allTLSVersions = map[uint16]struct{}{
+	tls.VersionTLS10: {},
+	tls.VersionTLS11: {},
+	tls.VersionTLS12: {},
+	tls.VersionTLS13: {},
+}
+
 // isValidMinVersion checks that the input value is a valid tls minimum version
 func isValidMinVersion(version uint16) bool {
 	_, ok := allTLSVersions[version]
@@ -176,12 +185,12 @@ func getCert(options Options) ([]tls.Certificate, error) {
 		return nil, nil
 	}
 
-	cert, err := ioutil.ReadFile(options.CertFile)
+	cert, err := os.ReadFile(options.CertFile)
 	if err != nil {
 		return nil, err
 	}
 
-	prKeyBytes, err := ioutil.ReadFile(options.KeyFile)
+	prKeyBytes, err := os.ReadFile(options.KeyFile)
 	if err != nil {
 		return nil, err
 	}

tlsconfig/config_client_ciphers.go

@@ -1,7 +1,4 @@
-// +build go1.5
-
 // Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
-//
 package tlsconfig
 
 import (

tlsconfig/config_test.go

@@ -5,7 +5,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
 	"os"
 	"reflect"
 	"runtime"
@@ -69,7 +68,7 @@ func TestConfigServerTLSFailsIfUnableToLoadCerts(t *testing.T) {
 	key, cert := getCertAndKey()
 	ca := getMultiCert()
 
-	tempFile, err := ioutil.TempFile("", "cert-test")
+	tempFile, err := os.CreateTemp("", "cert-test")
 	if err != nil {
 		t.Fatal("Unable to create temporary empty file")
 	}
@@ -127,7 +126,7 @@ func TestConfigServerTLSServerCertsOnly(t *testing.T) {
 	if !reflect.DeepEqual(tlsConfig.CipherSuites, DefaultServerAcceptedCiphers) {
 		t.Fatal("Unexpected server cipher suites")
 	}
-	if !tlsConfig.PreferServerCipherSuites {
+	if !tlsConfig.PreferServerCipherSuites { //nolint:staticcheck // Ignore SA1019: tlsConfig.PreferServerCipherSuites has been deprecated since Go 1.18: PreferServerCipherSuites is ignored.
 		t.Fatal("Expected server to prefer cipher suites")
 	}
 	if tlsConfig.MinVersion != tls.VersionTLS12 {
@@ -158,7 +157,7 @@ func TestConfigServerTLSClientCANotSetIfClientAuthTooLow(t *testing.T) {
 	if tlsConfig.ClientAuth != tls.RequestClientCert {
 		t.Fatal("ClientAuth was not set to what was in the options")
 	}
-	if tlsConfig.ClientCAs != nil {
+	if tlsConfig.ClientCAs != nil { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
 		t.Fatalf("Client CAs should never have been set")
 	}
 }
@@ -191,7 +190,7 @@ func TestConfigServerTLSClientCASet(t *testing.T) {
 		basePool = x509.NewCertPool()
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
-	if tlsConfig.ClientCAs == nil || len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 {
+	if tlsConfig.ClientCAs == nil || len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
 		t.Fatalf("Client CAs were never set correctly")
 	}
 }
@@ -206,7 +205,7 @@ func TestConfigServerExclusiveRootPools(t *testing.T) {
 	key, cert := getCertAndKey()
 	ca := getMultiCert()
 
-	caBytes, err := ioutil.ReadFile(ca)
+	caBytes, err := os.ReadFile(ca)
 	if err != nil {
 		t.Fatal("Unable to read CA certs", err)
 	}
@@ -394,7 +393,7 @@ func TestConfigClientTLSNoVerify(t *testing.T) {
 		t.Fatal("Unable to configure client TLS", err)
 	}
 
-	if tlsConfig.RootCAs != nil {
+	if tlsConfig.RootCAs != nil { //nolint:staticcheck // Ignore SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
 		t.Fatal("Should not have set Root CAs", err)
 	}
 
@@ -449,7 +448,7 @@ func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {
 		basePool = x509.NewCertPool()
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
-	if tlsConfig.RootCAs == nil || len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 {
+	if tlsConfig.RootCAs == nil || len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
 		t.Fatal("Root CAs not set properly", err)
 	}
 	if tlsConfig.Certificates != nil {
@@ -471,7 +470,7 @@ func TestConfigClientTLSNonexistentRootCAFile(t *testing.T) {
 func TestConfigClientTLSClientCertOrKeyInvalid(t *testing.T) {
 	key, cert := getCertAndKey()
 
-	tempFile, err := ioutil.TempFile("", "cert-test")
+	tempFile, err := os.CreateTemp("", "cert-test")
 	if err != nil {
 		t.Fatal("Unable to create temporary empty file")
 	}
@@ -569,7 +568,7 @@ func TestConfigClientExclusiveRootPools(t *testing.T) {
 	}
 	ca := getMultiCert()
 
-	caBytes, err := ioutil.ReadFile(ca)
+	caBytes, err := os.ReadFile(ca)
 	if err != nil {
 		t.Fatal("Unable to read CA certs", err)
 	}