vendor: github.com/docker/go-connections fa09c952e3ea (v0.5.0-dev)

full diff: https://github.com/docker/go-connections/compare/v0.4.0...fa09c952e3ea

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

go.mod

@@ -79,7 +79,7 @@ require (
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
-	github.com/docker/go-connections v0.4.0 // indirect
+	github.com/docker/go-connections v0.4.1-0.20231110212414-fa09c952e3ea // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.1 // indirect
 	github.com/felixge/httpsnoop v1.0.3 // indirect

go.sum

@@ -167,8 +167,9 @@ github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E1
 github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c/go.mod h1:CADgU4DSXK5QUlFslkQu2yW2TKzFZcXq/leZfM0UH5Q=
-github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-connections v0.4.1-0.20231110212414-fa09c952e3ea h1:+4n+kUVbPdu6qMI9SUnSKMC+D50gNW4L7Lhk9tI2lVo=
+github.com/docker/go-connections v0.4.1-0.20231110212414-fa09c952e3ea/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8=
 github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=

vendor/github.com/docker/go-connections/nat/nat.go

@@ -8,11 +8,6 @@ import (
 	"strings"
 )
 
-const (
-	// portSpecTemplate is the expected format for port specifications
-	portSpecTemplate = "ip:hostPort:containerPort"
-)
-
 // PortBinding represents a binding between a Host IP address and a Host Port
 type PortBinding struct {
 	// HostIP is the host IP Address
@@ -158,48 +153,51 @@ type PortMapping struct {
 func splitParts(rawport string) (string, string, string) {
 	parts := strings.Split(rawport, ":")
 	n := len(parts)
-	containerport := parts[n-1]
+	containerPort := parts[n-1]
 
 	switch n {
 	case 1:
-		return "", "", containerport
+		return "", "", containerPort
 	case 2:
-		return "", parts[0], containerport
+		return "", parts[0], containerPort
 	case 3:
-		return parts[0], parts[1], containerport
+		return parts[0], parts[1], containerPort
 	default:
-		return strings.Join(parts[:n-2], ":"), parts[n-2], containerport
+		return strings.Join(parts[:n-2], ":"), parts[n-2], containerPort
 	}
 }
 
 // ParsePortSpec parses a port specification string into a slice of PortMappings
 func ParsePortSpec(rawPort string) ([]PortMapping, error) {
 	var proto string
-	rawIP, hostPort, containerPort := splitParts(rawPort)
+	ip, hostPort, containerPort := splitParts(rawPort)
 	proto, containerPort = SplitProtoPort(containerPort)
 
-	// Strip [] from IPV6 addresses
-	ip, _, err := net.SplitHostPort(rawIP + ":")
-	if err != nil {
-		return nil, fmt.Errorf("Invalid ip address %v: %s", rawIP, err)
+	if ip != "" && ip[0] == '[' {
+		// Strip [] from IPV6 addresses
+		rawIP, _, err := net.SplitHostPort(ip + ":")
+		if err != nil {
+			return nil, fmt.Errorf("invalid IP address %v: %w", ip, err)
+		}
+		ip = rawIP
 	}
 	if ip != "" && net.ParseIP(ip) == nil {
-		return nil, fmt.Errorf("Invalid ip address: %s", ip)
+		return nil, fmt.Errorf("invalid IP address: %s", ip)
 	}
 	if containerPort == "" {
-		return nil, fmt.Errorf("No port specified: %s<empty>", rawPort)
+		return nil, fmt.Errorf("no port specified: %s<empty>", rawPort)
 	}
 
 	startPort, endPort, err := ParsePortRange(containerPort)
 	if err != nil {
-		return nil, fmt.Errorf("Invalid containerPort: %s", containerPort)
+		return nil, fmt.Errorf("invalid containerPort: %s", containerPort)
 	}
 
 	var startHostPort, endHostPort uint64 = 0, 0
 	if len(hostPort) > 0 {
 		startHostPort, endHostPort, err = ParsePortRange(hostPort)
 		if err != nil {
-			return nil, fmt.Errorf("Invalid hostPort: %s", hostPort)
+			return nil, fmt.Errorf("invalid hostPort: %s", hostPort)
 		}
 	}
 
@@ -208,12 +206,12 @@ func ParsePortSpec(rawPort string) ([]PortMapping, error) {
 		// In this case, use the host port range as the dynamic
 		// host port range to allocate into.
 		if endPort != startPort {
-			return nil, fmt.Errorf("Invalid ranges specified for container and host Ports: %s and %s", containerPort, hostPort)
+			return nil, fmt.Errorf("invalid ranges specified for container and host Ports: %s and %s", containerPort, hostPort)
 		}
 	}
 
 	if !validateProto(strings.ToLower(proto)) {
-		return nil, fmt.Errorf("Invalid proto: %s", proto)
+		return nil, fmt.Errorf("invalid proto: %s", proto)
 	}
 
 	ports := []PortMapping{}

vendor/github.com/docker/go-connections/nat/parse.go

@@ -6,34 +6,10 @@ import (
 	"strings"
 )
 
-// PartParser parses and validates the specified string (data) using the specified template
-// e.g. ip:public:private -> 192.168.0.1:80:8000
-// DEPRECATED: do not use, this function may be removed in a future version
-func PartParser(template, data string) (map[string]string, error) {
-	// ip:public:private
-	var (
-		templateParts = strings.Split(template, ":")
-		parts         = strings.Split(data, ":")
-		out           = make(map[string]string, len(templateParts))
-	)
-	if len(parts) != len(templateParts) {
-		return nil, fmt.Errorf("Invalid format to parse. %s should match template %s", data, template)
-	}
-
-	for i, t := range templateParts {
-		value := ""
-		if len(parts) > i {
-			value = parts[i]
-		}
-		out[t] = value
-	}
-	return out, nil
-}
-
 // ParsePortRange parses and validates the specified string as a port-range (8000-9000)
 func ParsePortRange(ports string) (uint64, uint64, error) {
 	if ports == "" {
-		return 0, 0, fmt.Errorf("Empty string specified for ports.")
+		return 0, 0, fmt.Errorf("empty string specified for ports")
 	}
 	if !strings.Contains(ports, "-") {
 		start, err := strconv.ParseUint(ports, 10, 16)
@@ -51,7 +27,7 @@ func ParsePortRange(ports string) (uint64, uint64, error) {
 		return 0, 0, err
 	}
 	if end < start {
-		return 0, 0, fmt.Errorf("Invalid range specified for the Port: %s", ports)
+		return 0, 0, fmt.Errorf("invalid range specified for port: %s", ports)
 	}
 	return start, end, nil
 }

vendor/github.com/docker/go-connections/nat/sort.go

@@ -43,7 +43,7 @@ type portMapSorter []portMapEntry
 func (s portMapSorter) Len() int      { return len(s) }
 func (s portMapSorter) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
 
-// sort the port so that the order is:
+// Less sorts the port so that the order is:
 // 1. port with larger specified bindings
 // 2. larger port
 // 3. port with tcp protocol
@@ -58,7 +58,7 @@ func (s portMapSorter) Less(i, j int) bool {
 func SortPortMap(ports []Port, bindings PortMap) {
 	s := portMapSorter{}
 	for _, p := range ports {
-		if binding, ok := bindings[p]; ok {
+		if binding, ok := bindings[p]; ok && len(binding) > 0 {
 			for _, b := range binding {
 				s = append(s, portMapEntry{port: p, binding: b})
 			}

vendor/github.com/docker/go-connections/sockets/proxy.go

@@ -2,11 +2,8 @@ package sockets
 
 import (
 	"net"
-	"net/url"
 	"os"
 	"strings"
-
-	"golang.org/x/net/proxy"
 )
 
 // GetProxyEnv allows access to the uppercase and the lowercase forms of
@@ -20,32 +17,12 @@ func GetProxyEnv(key string) string {
 	return proxyValue
 }
 
-// DialerFromEnvironment takes in a "direct" *net.Dialer and returns a
-// proxy.Dialer which will route the connections through the proxy using the
-// given dialer.
-func DialerFromEnvironment(direct *net.Dialer) (proxy.Dialer, error) {
-	allProxy := GetProxyEnv("all_proxy")
-	if len(allProxy) == 0 {
-		return direct, nil
-	}
-
-	proxyURL, err := url.Parse(allProxy)
-	if err != nil {
-		return direct, err
-	}
-
-	proxyFromURL, err := proxy.FromURL(proxyURL, direct)
-	if err != nil {
-		return direct, err
-	}
-
-	noProxy := GetProxyEnv("no_proxy")
-	if len(noProxy) == 0 {
-		return proxyFromURL, nil
-	}
-
-	perHost := proxy.NewPerHost(proxyFromURL, direct)
-	perHost.AddFromString(noProxy)
-
-	return perHost, nil
+// DialerFromEnvironment was previously used to configure a net.Dialer to route
+// connections through a SOCKS proxy.
+// DEPRECATED: SOCKS proxies are now supported by configuring only
+// http.Transport.Proxy, and no longer require changing http.Transport.Dial.
+// Therefore, only sockets.ConfigureTransport() needs to be called, and any
+// sockets.DialerFromEnvironment() calls can be dropped.
+func DialerFromEnvironment(direct *net.Dialer) (*net.Dialer, error) {
+	return direct, nil
 }

vendor/github.com/docker/go-connections/sockets/sockets.go

@@ -8,16 +8,18 @@ import (
 	"time"
 )
 
-// Why 32? See https://github.com/docker/docker/pull/8035.
-const defaultTimeout = 32 * time.Second
+const defaultTimeout = 10 * time.Second
 
 // ErrProtocolNotAvailable is returned when a given transport protocol is not provided by the operating system.
 var ErrProtocolNotAvailable = errors.New("protocol not available")
 
-// ConfigureTransport configures the specified Transport according to the
-// specified proto and addr.
-// If the proto is unix (using a unix socket to communicate) or npipe the
-// compression is disabled.
+// ConfigureTransport configures the specified [http.Transport] according to the specified proto
+// and addr.
+//
+// If the proto is unix (using a unix socket to communicate) or npipe the compression is disabled.
+// For other protos, compression is enabled. If you want to manually enable/disable compression,
+// make sure you do it _after_ any subsequent calls to ConfigureTransport is made against the same
+// [http.Transport].
 func ConfigureTransport(tr *http.Transport, proto, addr string) error {
 	switch proto {
 	case "unix":
@@ -26,13 +28,10 @@ func ConfigureTransport(tr *http.Transport, proto, addr string) error {
 		return configureNpipeTransport(tr, proto, addr)
 	default:
 		tr.Proxy = http.ProxyFromEnvironment
-		dialer, err := DialerFromEnvironment(&net.Dialer{
+		tr.DisableCompression = false
+		tr.DialContext = (&net.Dialer{
 			Timeout: defaultTimeout,
-		})
-		if err != nil {
-			return err
-		}
-		tr.Dial = dialer.Dial
+		}).DialContext
 	}
 	return nil
 }

vendor/github.com/docker/go-connections/sockets/sockets_unix.go

@@ -1,8 +1,9 @@
-// +build !windows
+//go:build !windows
 
 package sockets
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"net/http"
@@ -14,12 +15,15 @@ const maxUnixSocketPathSize = len(syscall.RawSockaddrUnix{}.Path)
 
 func configureUnixTransport(tr *http.Transport, proto, addr string) error {
 	if len(addr) > maxUnixSocketPathSize {
-		return fmt.Errorf("Unix socket path %q is too long", addr)
+		return fmt.Errorf("unix socket path %q is too long", addr)
 	}
 	// No need for compression in local communications.
 	tr.DisableCompression = true
-	tr.Dial = func(_, _ string) (net.Conn, error) {
-		return net.DialTimeout(proto, addr, defaultTimeout)
+	dialer := &net.Dialer{
+		Timeout: defaultTimeout,
+	}
+	tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
+		return dialer.DialContext(ctx, proto, addr)
 	}
 	return nil
 }

vendor/github.com/docker/go-connections/sockets/sockets_windows.go

@@ -1,6 +1,7 @@
 package sockets
 
 import (
+	"context"
 	"net"
 	"net/http"
 	"time"
@@ -15,8 +16,8 @@ func configureUnixTransport(tr *http.Transport, proto, addr string) error {
 func configureNpipeTransport(tr *http.Transport, proto, addr string) error {
 	// No need for compression in local communications.
 	tr.DisableCompression = true
-	tr.Dial = func(_, _ string) (net.Conn, error) {
-		return DialPipe(addr, defaultTimeout)
+	tr.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
+		return winio.DialPipeContext(ctx, addr)
 	}
 	return nil
 }

vendor/github.com/docker/go-connections/sockets/unix_socket.go

@@ -1,5 +1,51 @@
-// +build !windows
+//go:build !windows
 
+/*
+Package sockets is a simple unix domain socket wrapper.
+
+# Usage
+
+For example:
+
+	import(
+		"fmt"
+		"net"
+		"os"
+		"github.com/docker/go-connections/sockets"
+	)
+
+	func main() {
+		l, err := sockets.NewUnixSocketWithOpts("/path/to/sockets",
+			sockets.WithChown(0,0),sockets.WithChmod(0660))
+		if err != nil {
+			panic(err)
+		}
+		echoStr := "hello"
+
+		go func() {
+			for {
+				conn, err := l.Accept()
+				if err != nil {
+					return
+				}
+				conn.Write([]byte(echoStr))
+				conn.Close()
+			}
+		}()
+
+		conn, err := net.Dial("unix", path)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		buf := make([]byte, 5)
+		if _, err := conn.Read(buf); err != nil {
+			panic(err)
+		} else if string(buf) != echoStr {
+			panic(fmt.Errorf("msg may lost"))
+		}
+	}
+*/
 package sockets
 
 import (
@@ -8,25 +54,73 @@ import (
 	"syscall"
 )
 
-// NewUnixSocket creates a unix socket with the specified path and group.
-func NewUnixSocket(path string, gid int) (net.Listener, error) {
+// SockOption sets up socket file's creating option
+type SockOption func(string) error
+
+// WithChown modifies the socket file's uid and gid
+func WithChown(uid, gid int) SockOption {
+	return func(path string) error {
+		if err := os.Chown(path, uid, gid); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// WithChmod modifies socket file's access mode.
+func WithChmod(mask os.FileMode) SockOption {
+	return func(path string) error {
+		if err := os.Chmod(path, mask); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// NewUnixSocketWithOpts creates a unix socket with the specified options.
+// By default, socket permissions are 0000 (i.e.: no access for anyone); pass
+// WithChmod() and WithChown() to set the desired ownership and permissions.
+//
+// This function temporarily changes the system's "umask" to 0777 to work around
+// a race condition between creating the socket and setting its permissions. While
+// this should only be for a short duration, it may affect other processes that
+// create files/directories during that period.
+func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error) {
 	if err := syscall.Unlink(path); err != nil && !os.IsNotExist(err) {
 		return nil, err
 	}
-	mask := syscall.Umask(0777)
-	defer syscall.Umask(mask)
 
+	// net.Listen does not allow for permissions to be set. As a result, when
+	// specifying custom permissions ("WithChmod()"), there is a short time
+	// between creating the socket and applying the permissions, during which
+	// the socket permissions are Less restrictive than desired.
+	//
+	// To work around this limitation of net.Listen(), we temporarily set the
+	// umask to 0777, which forces the socket to be created with 000 permissions
+	// (i.e.: no access for anyone). After that, WithChmod() must be used to set
+	// the desired permissions.
+	//
+	// We don't use "defer" here, to reset the umask to its original value as soon
+	// as possible. Ideally we'd be able to detect if WithChmod() was passed as
+	// an option, and skip changing umask if default permissions are used.
+	origUmask := syscall.Umask(0o777)
 	l, err := net.Listen("unix", path)
+	syscall.Umask(origUmask)
 	if err != nil {
 		return nil, err
 	}
-	if err := os.Chown(path, 0, gid); err != nil {
-		l.Close()
-		return nil, err
-	}
-	if err := os.Chmod(path, 0660); err != nil {
-		l.Close()
-		return nil, err
+
+	for _, op := range opts {
+		if err := op(path); err != nil {
+			_ = l.Close()
+			return nil, err
+		}
 	}
+
 	return l, nil
 }
+
+// NewUnixSocket creates a unix socket with the specified path and group.
+func NewUnixSocket(path string, gid int) (net.Listener, error) {
+	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0o660))
+}

vendor/github.com/docker/go-connections/tlsconfig/certpool.go

@@ -1,5 +1,3 @@
-// +build go1.7
-
 package tlsconfig
 
 import (

vendor/github.com/docker/go-connections/tlsconfig/certpool_other.go

@@ -1,13 +0,0 @@
-// +build !go1.7
-
-package tlsconfig
-
-import (
-	"crypto/x509"
-)
-
-// SystemCertPool returns an new empty cert pool,
-// accessing system cert pool is supported in go 1.7
-func SystemCertPool() (*x509.CertPool, error) {
-	return x509.NewCertPool(), nil
-}

vendor/github.com/docker/go-connections/tlsconfig/config.go

@@ -1,6 +1,7 @@
 // Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
 //
 // As a reminder from https://golang.org/pkg/crypto/tls/#Config:
+//
 //	A Config structure is used to configure a TLS client or server. After one has been passed to a TLS function it must not be modified.
 //	A Config may be reused; the tls package will also not modify it.
 package tlsconfig
@@ -9,11 +10,9 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
+	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
-
-	"github.com/pkg/errors"
 )
 
 // Options represents the information needed to create client and server TLS configurations.
@@ -36,7 +35,12 @@ type Options struct {
 	ExclusiveRootPools bool
 	MinVersion         uint16
 	// If Passphrase is set, it will be used to decrypt a TLS private key
-	// if the key is encrypted
+	// if the key is encrypted.
+	//
+	// Deprecated: Use of encrypted TLS private keys has been deprecated, and
+	// will be removed in a future release. Golang has deprecated support for
+	// legacy PEM encryption (as specified in RFC 1423), as it is insecure by
+	// design (see https://go-review.googlesource.com/c/go/+/264159).
 	Passphrase string
 }
 
@@ -53,18 +57,9 @@ var acceptedCBCCiphers = []uint16{
 // known weak algorithms removed.
 var DefaultServerAcceptedCiphers = append(clientCipherSuites, acceptedCBCCiphers...)
 
-// allTLSVersions lists all the TLS versions and is used by the code that validates
-// a uint16 value as a TLS version.
-var allTLSVersions = map[uint16]struct{}{
-	tls.VersionSSL30: {},
-	tls.VersionTLS10: {},
-	tls.VersionTLS11: {},
-	tls.VersionTLS12: {},
-}
-
 // ServerDefault returns a secure-enough TLS configuration for the server TLS configuration.
 func ServerDefault(ops ...func(*tls.Config)) *tls.Config {
-	tlsconfig := &tls.Config{
+	tlsConfig := &tls.Config{
 		// Avoid fallback by default to SSL protocols < TLS1.2
 		MinVersion:               tls.VersionTLS12,
 		PreferServerCipherSuites: true,
@@ -72,25 +67,25 @@ func ServerDefault(ops ...func(*tls.Config)) *tls.Config {
 	}
 
 	for _, op := range ops {
-		op(tlsconfig)
+		op(tlsConfig)
 	}
 
-	return tlsconfig
+	return tlsConfig
 }
 
 // ClientDefault returns a secure-enough TLS configuration for the client TLS configuration.
 func ClientDefault(ops ...func(*tls.Config)) *tls.Config {
-	tlsconfig := &tls.Config{
+	tlsConfig := &tls.Config{
 		// Prefer TLS1.2 as the client minimum
 		MinVersion:   tls.VersionTLS12,
 		CipherSuites: clientCipherSuites,
 	}
 
 	for _, op := range ops {
-		op(tlsconfig)
+		op(tlsConfig)
 	}
 
-	return tlsconfig
+	return tlsConfig
 }
 
 // certPool returns an X.509 certificate pool from `caFile`, the certificate file.
@@ -108,16 +103,25 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
 	}
-	pem, err := ioutil.ReadFile(caFile)
+	pemData, err := os.ReadFile(caFile)
 	if err != nil {
 		return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
 	}
-	if !certPool.AppendCertsFromPEM(pem) {
+	if !certPool.AppendCertsFromPEM(pemData) {
 		return nil, fmt.Errorf("failed to append certificates from PEM file: %q", caFile)
 	}
 	return certPool, nil
 }
 
+// allTLSVersions lists all the TLS versions and is used by the code that validates
+// a uint16 value as a TLS version.
+var allTLSVersions = map[uint16]struct{}{
+	tls.VersionTLS10: {},
+	tls.VersionTLS11: {},
+	tls.VersionTLS12: {},
+	tls.VersionTLS13: {},
+}
+
 // isValidMinVersion checks that the input value is a valid tls minimum version
 func isValidMinVersion(version uint16) bool {
 	_, ok := allTLSVersions[version]
@@ -129,10 +133,10 @@ func isValidMinVersion(version uint16) bool {
 func adjustMinVersion(options Options, config *tls.Config) error {
 	if options.MinVersion > 0 {
 		if !isValidMinVersion(options.MinVersion) {
-			return fmt.Errorf("Invalid minimum TLS version: %x", options.MinVersion)
+			return fmt.Errorf("invalid minimum TLS version: %x", options.MinVersion)
 		}
 		if options.MinVersion < config.MinVersion {
-			return fmt.Errorf("Requested minimum TLS version is too low. Should be at-least: %x", config.MinVersion)
+			return fmt.Errorf("requested minimum TLS version is too low. Should be at-least: %x", config.MinVersion)
 		}
 		config.MinVersion = options.MinVersion
 	}
@@ -141,9 +145,14 @@ func adjustMinVersion(options Options, config *tls.Config) error {
 }
 
 // IsErrEncryptedKey returns true if the 'err' is an error of incorrect
-// password when tryin to decrypt a TLS private key
+// password when trying to decrypt a TLS private key.
+//
+// Deprecated: Use of encrypted TLS private keys has been deprecated, and
+// will be removed in a future release. Golang has deprecated support for
+// legacy PEM encryption (as specified in RFC 1423), as it is insecure by
+// design (see https://go-review.googlesource.com/c/go/+/264159).
 func IsErrEncryptedKey(err error) bool {
-	return errors.Cause(err) == x509.IncorrectPasswordError
+	return errors.Is(err, x509.IncorrectPasswordError)
 }
 
 // getPrivateKey returns the private key in 'keyBytes', in PEM-encoded format.
@@ -157,10 +166,10 @@ func getPrivateKey(keyBytes []byte, passphrase string) ([]byte, error) {
 	}
 
 	var err error
-	if x509.IsEncryptedPEMBlock(pemBlock) {
-		keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(passphrase))
+	if x509.IsEncryptedPEMBlock(pemBlock) { //nolint:staticcheck // Ignore SA1019 (IsEncryptedPEMBlock is deprecated)
+		keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(passphrase)) //nolint:staticcheck // Ignore SA1019 (DecryptPEMBlock is deprecated)
 		if err != nil {
-			return nil, errors.Wrap(err, "private key is encrypted, but could not decrypt it")
+			return nil, fmt.Errorf("private key is encrypted, but could not decrypt it: %w", err)
 		}
 		keyBytes = pem.EncodeToMemory(&pem.Block{Type: pemBlock.Type, Bytes: keyBytes})
 	}
@@ -176,26 +185,24 @@ func getCert(options Options) ([]tls.Certificate, error) {
 		return nil, nil
 	}
 
-	errMessage := "Could not load X509 key pair"
-
-	cert, err := ioutil.ReadFile(options.CertFile)
+	cert, err := os.ReadFile(options.CertFile)
 	if err != nil {
-		return nil, errors.Wrap(err, errMessage)
+		return nil, err
 	}
 
-	prKeyBytes, err := ioutil.ReadFile(options.KeyFile)
+	prKeyBytes, err := os.ReadFile(options.KeyFile)
 	if err != nil {
-		return nil, errors.Wrap(err, errMessage)
+		return nil, err
 	}
 
 	prKeyBytes, err = getPrivateKey(prKeyBytes, options.Passphrase)
 	if err != nil {
-		return nil, errors.Wrap(err, errMessage)
+		return nil, err
 	}
 
 	tlsCert, err := tls.X509KeyPair(cert, prKeyBytes)
 	if err != nil {
-		return nil, errors.Wrap(err, errMessage)
+		return nil, err
 	}
 
 	return []tls.Certificate{tlsCert}, nil
@@ -215,7 +222,7 @@ func Client(options Options) (*tls.Config, error) {
 
 	tlsCerts, err := getCert(options)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("could not load X509 key pair: %w", err)
 	}
 	tlsConfig.Certificates = tlsCerts
 
@@ -233,9 +240,9 @@ func Server(options Options) (*tls.Config, error) {
 	tlsCert, err := tls.LoadX509KeyPair(options.CertFile, options.KeyFile)
 	if err != nil {
 		if os.IsNotExist(err) {
-			return nil, fmt.Errorf("Could not load X509 key pair (cert: %q, key: %q): %v", options.CertFile, options.KeyFile, err)
+			return nil, fmt.Errorf("could not load X509 key pair (cert: %q, key: %q): %v", options.CertFile, options.KeyFile, err)
 		}
-		return nil, fmt.Errorf("Error reading X509 key pair (cert: %q, key: %q): %v. Make sure the key is not encrypted.", options.CertFile, options.KeyFile, err)
+		return nil, fmt.Errorf("error reading X509 key pair - make sure the key is not encrypted (cert: %q, key: %q): %v", options.CertFile, options.KeyFile, err)
 	}
 	tlsConfig.Certificates = []tls.Certificate{tlsCert}
 	if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {

vendor/github.com/docker/go-connections/tlsconfig/config_client_ciphers.go

@@ -1,7 +1,4 @@
-// +build go1.5
-
 // Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
-//
 package tlsconfig
 
 import (

vendor/github.com/docker/go-connections/tlsconfig/config_legacy_client_ciphers.go

@@ -1,15 +0,0 @@
-// +build !go1.5
-
-// Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
-//
-package tlsconfig
-
-import (
-	"crypto/tls"
-)
-
-// Client TLS cipher suites (dropping CBC ciphers for client preferred suite set)
-var clientCipherSuites = []uint16{
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-}

vendor/modules.txt

@@ -288,8 +288,8 @@ github.com/docker/docker-credential-helpers/credentials
 # github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c
 ## explicit
 github.com/docker/go/canonical/json
-# github.com/docker/go-connections v0.4.0
-## explicit
+# github.com/docker/go-connections v0.4.1-0.20231110212414-fa09c952e3ea
+## explicit; go 1.18
 github.com/docker/go-connections/nat
 github.com/docker/go-connections/sockets
 github.com/docker/go-connections/tlsconfig