Lower required Go version, add CI test for specific version (#1725)

### Description of changes: 
Add back support for Go 1.17.13 which is used by NetOS. Fix a few
language compatibility issues for interface{} and cmd struct. This
change does not affect the integrity value of the FIPS module.

### Testing:
This change adds a new CI test which uses Go 1.17.13. 

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

---------

Co-authored-by: Sean McGrail <[email protected]>

---------

    Revert "Replace interface{} with any"

    This reverts commit 6a90c15.

.github/workflows/go.yml

@@ -0,0 +1,34 @@
+name: Go Compatability
+on:
+  push:
+    branches: [ '*' ]
+  pull_request:
+    branches: [ '*' ]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+env:
+  DOCKER_BUILDKIT: 1
+  GOPROXY: https://proxy.golang.org,direct
+jobs:
+  go-version-1_17_13:
+    if: github.repository_owner == 'aws'
+    env:
+      GOROOT: "/usr/local/go"
+      GO_ARCHIVE: "go1.17.13.linux-amd64.tar.gz"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install OS Dependencies
+        run: |
+          which go
+          sudo apt-get update
+          sudo apt-get -y --no-install-recommends install cmake gcc ninja-build make
+          sudo rm -rf /usr/local/go
+          sudo rm /usr/bin/go
+          wget -q "https://dl.google.com/go/${GO_ARCHIVE}"
+          sudo tar -C /usr/local -xf $GO_ARCHIVE
+          echo "${GOROOT}/bin" >> $GITHUB_PATH
+      - uses: actions/checkout@v3
+      - name: Run integration build
+        run: |
+          ./tests/ci/run_fips_tests.sh

BUILDING.md

@@ -20,7 +20,7 @@ If in doubt, use the most recent stable version of each build tool.
     `PERL_EXECUTABLE`.
     * To build without Perl (not recommended) see [this section.](#using-pre-generated-build-files)
 
-  * [Go](https://golang.org/dl/) 1.18 or later is required. If not found by
+  * [Go](https://golang.org/dl/) 1.17.13 or later is required. If not found by
     CMake, the go executable may be configured explicitly by setting
     `GO_EXECUTABLE`.
     * To build without Go (not recommended) see [this section.](#using-pre-generated-build-files)

cmake/go.cmake

@@ -22,7 +22,7 @@ elseif(NOT DISABLE_GO)
   string(REGEX MATCH "([0-9]+\\.)*[0-9]+" go_version ${go_version_output})
 
   # This should track /go.mod and /BUILDING.md
-  set(minimum_go_version "1.18")
+  set(minimum_go_version "1.17.13")
   if(go_version VERSION_LESS minimum_go_version)
     message(FATAL_ERROR "Go compiler version must be at least ${minimum_go_version}. Found version ${go_version}")
   else()

go.mod

@@ -1,7 +1,7 @@
 module boringssl.googlesource.com/boringssl
 
 // When this changes update /cmake/go.cmake minimum_go_version and /BUILDING.md
-go 1.18
+go 1.17
 
 require (
 	golang.org/x/crypto v0.10.0

ssl/test/runner/cipher_suites.go

@@ -84,7 +84,7 @@ type cipherSuite struct {
 	ka     func(version uint16) keyAgreement
 	// flags is a bitmask of the suite* values, above.
 	flags  int
-	cipher func(key, iv []byte, isRead bool) any
+	cipher func(key, iv []byte, isRead bool) interface{}
 	mac    func(version uint16, macKey []byte) macFunction
 	aead   func(version uint16, key, fixedNonce []byte) *tlsAead
 }
@@ -155,19 +155,19 @@ func ivLen3DES(vers uint16) int {
 
 type nullCipher struct{}
 
-func cipherNull(key, iv []byte, isRead bool) any {
+func cipherNull(key, iv []byte, isRead bool) interface{} {
 	return nullCipher{}
 }
 
-func cipher3DES(key, iv []byte, isRead bool) any {
+func cipher3DES(key, iv []byte, isRead bool) interface{} {
 	block, _ := des.NewTripleDESCipher(key)
 	if isRead {
 		return cipher.NewCBCDecrypter(block, iv)
 	}
 	return cipher.NewCBCEncrypter(block, iv)
 }
 
-func cipherAES(key, iv []byte, isRead bool) any {
+func cipherAES(key, iv []byte, isRead bool) interface{} {
 	block, _ := aes.NewCipher(key)
 	if isRead {
 		return cipher.NewCBCDecrypter(block, iv)

ssl/test/runner/common.go

@@ -2234,11 +2234,11 @@ type lruSessionCache struct {
 
 type lruSessionCacheEntry struct {
 	sessionKey string
-	state      any
+	state      interface{}
 }
 
 // Put adds the provided (sessionKey, cs) pair to the cache.
-func (c *lruSessionCache) Put(sessionKey string, cs any) {
+func (c *lruSessionCache) Put(sessionKey string, cs interface{}) {
 	c.Lock()
 	defer c.Unlock()
 
@@ -2266,7 +2266,7 @@ func (c *lruSessionCache) Put(sessionKey string, cs any) {
 
 // Get returns the value associated with a given key. It returns (nil,
 // false) if no value is found.
-func (c *lruSessionCache) Get(sessionKey string) (any, bool) {
+func (c *lruSessionCache) Get(sessionKey string) (interface{}, bool) {
 	c.Lock()
 	defer c.Unlock()
 
@@ -2380,7 +2380,7 @@ func initDefaultCipherSuites() {
 	}
 }
 
-func unexpectedMessageError(wanted, got any) error {
+func unexpectedMessageError(wanted, got interface{}) error {
 	return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted)
 }
 

ssl/test/runner/conn.go

@@ -176,13 +176,13 @@ type halfConn struct {
 	version     uint16 // protocol version
 	wireVersion uint16 // wire version
 	isDTLS      bool
-	cipher      any // cipher algorithm
+	cipher      interface{} // cipher algorithm
 	mac         macFunction
 	seq         [8]byte // 64-bit sequence number
 	outSeq      [8]byte // Mapped sequence number
 	bfree       *block  // list of free blocks
 
-	nextCipher any         // next encryption state
+	nextCipher interface{} // next encryption state
 	nextMac    macFunction // next MAC algorithm
 	nextSeq    [6]byte     // next epoch's starting sequence number in DTLS
 
@@ -209,7 +209,7 @@ func (hc *halfConn) error() error {
 
 // prepareCipherSpec sets the encryption and MAC states
 // that a subsequent changeCipherSpec will use.
-func (hc *halfConn) prepareCipherSpec(version uint16, cipher any, mac macFunction) {
+func (hc *halfConn) prepareCipherSpec(version uint16, cipher interface{}, mac macFunction) {
 	hc.wireVersion = version
 	protocolVersion, ok := wireToVersion(version, hc.isDTLS)
 	if !ok {
@@ -1343,7 +1343,7 @@ func (c *Conn) doReadHandshake() ([]byte, error) {
 // readHandshake reads the next handshake message from
 // the record layer.
 // c.in.Mutex < L; c.out.Mutex < L.
-func (c *Conn) readHandshake() (any, error) {
+func (c *Conn) readHandshake() (interface{}, error) {
 	data, err := c.doReadHandshake()
 	if err != nil {
 		return nil, err

ssl/test/runner/handshake_client.go

@@ -936,7 +936,7 @@ func (hs *clientHandshakeState) encryptClientHello(hello, innerHello *clientHell
 	return nil
 }
 
-func (hs *clientHandshakeState) checkECHConfirmation(msg any, hello *clientHelloMsg, finishedHash *finishedHash) bool {
+func (hs *clientHandshakeState) checkECHConfirmation(msg interface{}, hello *clientHelloMsg, finishedHash *finishedHash) bool {
 	var offset int
 	var raw, label []byte
 	if hrr, ok := msg.(*helloRetryRequestMsg); ok {
@@ -961,7 +961,7 @@ func (hs *clientHandshakeState) checkECHConfirmation(msg any, hello *clientHello
 	return bytes.Equal(confirmation, raw[offset:offset+echAcceptConfirmationLength])
 }
 
-func (hs *clientHandshakeState) doTLS13Handshake(msg any) error {
+func (hs *clientHandshakeState) doTLS13Handshake(msg interface{}) error {
 	c := hs.c
 
 	// The first message may be a ServerHello or HelloRetryRequest.
@@ -1919,7 +1919,7 @@ func (hs *clientHandshakeState) establishKeys() error {
 
 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
 		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
-	var clientCipher, serverCipher any
+	var clientCipher, serverCipher interface{}
 	var clientHash, serverHash macFunction
 	if hs.suite.cipher != nil {
 		clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)

ssl/test/runner/handshake_server.go

@@ -2115,7 +2115,7 @@ func (hs *serverHandshakeState) establishKeys() error {
 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
 		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
 
-	var clientCipher, serverCipher any
+	var clientCipher, serverCipher interface{}
 	var clientHash, serverHash macFunction
 
 	if hs.suite.aead == nil {

ssl/test/runner/prf.go

@@ -452,7 +452,7 @@ var (
 
 // deriveTrafficAEAD derives traffic keys and constructs an AEAD given a traffic
 // secret.
-func deriveTrafficAEAD(version uint16, suite *cipherSuite, secret []byte, side trafficDirection) any {
+func deriveTrafficAEAD(version uint16, suite *cipherSuite, secret []byte, side trafficDirection) interface{} {
 	key := hkdfExpandLabel(suite.hash(), secret, keyTLS13, nil, suite.keyLen)
 	iv := hkdfExpandLabel(suite.hash(), secret, ivTLS13, nil, suite.ivLen(version))
 

ssl/test/runner/sign.go

@@ -272,7 +272,7 @@ func (e *ed25519Signer) verifyMessage(key crypto.PublicKey, msg, sig []byte) err
 	return nil
 }
 
-func getSigner(version uint16, key any, config *Config, sigAlg signatureAlgorithm, isVerify bool) (signer, error) {
+func getSigner(version uint16, key interface{}, config *Config, sigAlg signatureAlgorithm, isVerify bool) (signer, error) {
 	// TLS 1.1 and below use legacy signature algorithms.
 	if version < VersionTLS12 || (!isVerify && config.Bugs.AlwaysSignAsLegacyVersion) {
 		if config.Bugs.SigningAlgorithmForLegacyVersions == 0 || isVerify {

util/all_tests.go

@@ -100,14 +100,14 @@ var sdeCPUs = []string{
 
 func targetArchMatchesRuntime(target string) bool {
 	if (target == "") ||
-	   (target == "x86" && runtime.GOARCH == "amd64") ||
-		 (target == "arm" && (runtime.GOARCH == "arm" || runtime.GOARCH == "arm64")) {
+		(target == "x86" && runtime.GOARCH == "amd64") ||
+		(target == "arm" && (runtime.GOARCH == "arm" || runtime.GOARCH == "arm64")) {
 		return true
 	}
 	return false
 }
 
-func valgrindOf(dbAttach bool, supps []string, path string, args ...string) *exec.Cmd {
+func valgrindOf(ctx context.Context, dbAttach bool, supps []string, path string, args ...string) (context.Context, *exec.Cmd) {
 	valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--trace-children=yes", "--quiet"}
 	for _, supp := range supps {
 		valgrindArgs = append(valgrindArgs, "--suppressions="+*valgrindSuppDir+"/"+supp)
@@ -118,26 +118,26 @@ func valgrindOf(dbAttach bool, supps []string, path string, args ...string) *exe
 	valgrindArgs = append(valgrindArgs, path)
 	valgrindArgs = append(valgrindArgs, args...)
 
-	return exec.Command("valgrind", valgrindArgs...)
+	return ctx, exec.CommandContext(ctx, "valgrind", valgrindArgs...)
 }
 
-func callgrindOf(path string, args ...string) *exec.Cmd {
+func callgrindOf(ctx context.Context, path string, args ...string) (context.Context, *exec.Cmd) {
 	valgrindArgs := []string{"-q", "--tool=callgrind", "--dump-instr=yes", "--collect-jumps=yes", "--callgrind-out-file=" + *buildDir + "/callgrind/callgrind.out.%p"}
 	valgrindArgs = append(valgrindArgs, path)
 	valgrindArgs = append(valgrindArgs, args...)
 
-	return exec.Command("valgrind", valgrindArgs...)
+	return ctx, exec.CommandContext(ctx, "valgrind", valgrindArgs...)
 }
 
-func gdbOf(path string, args ...string) *exec.Cmd {
+func gdbOf(ctx context.Context, path string, args ...string) (context.Context, *exec.Cmd) {
 	xtermArgs := []string{"-e", "gdb", "--args"}
 	xtermArgs = append(xtermArgs, path)
 	xtermArgs = append(xtermArgs, args...)
 
-	return exec.Command("xterm", xtermArgs...)
+	return ctx, exec.CommandContext(ctx, "xterm", xtermArgs...)
 }
 
-func sdeOf(cpu, path string, args ...string) (*exec.Cmd, context.CancelFunc) {
+func sdeOf(ctx context.Context, cpu, path string, args ...string) (context.Context, context.CancelFunc, *exec.Cmd) {
 	sdeArgs := []string{"-" + cpu}
 	// The kernel's vdso code for gettimeofday sometimes uses the RDTSCP
 	// instruction. Although SDE has a -chip_check_vsyscall flag that
@@ -152,9 +152,9 @@ func sdeOf(cpu, path string, args ...string) (*exec.Cmd, context.CancelFunc) {
 
 	// TODO(CryptoAlg-2154):SDE+ASAN tests will hang without exiting if tests pass for an unknown reason.
 	// Current workaround is to manually cancel the run after 20 minutes and check the output.
-	ctx, cancel := context.WithTimeout(context.Background(), 1200*time.Second)
+	ctx, cancel := context.WithTimeout(ctx, 1200*time.Second)
 
-	return exec.CommandContext(ctx, *sdePath, sdeArgs...), cancel
+	return ctx, cancel, exec.CommandContext(ctx, *sdePath, sdeArgs...)
 }
 
 var (
@@ -173,23 +173,20 @@ func runTestOnce(test test, mallocNumToFail int64) (passed bool, err error) {
 	}
 	var cmd *exec.Cmd
 	var cancel context.CancelFunc
-	cancelled := false
+
+	ctx := context.Background()
+
 	if *useValgrind {
-		cmd = valgrindOf(false, test.ValgrindSupp, prog, args...)
+		ctx, cmd = valgrindOf(ctx, false, test.ValgrindSupp, prog, args...)
 	} else if *useCallgrind {
-		cmd = callgrindOf(prog, args...)
+		ctx, cmd = callgrindOf(ctx, prog, args...)
 	} else if *useGDB {
-		cmd = gdbOf(prog, args...)
+		ctx, cmd = gdbOf(ctx, prog, args...)
 	} else if *useSDE {
-		cmd, cancel = sdeOf(test.cpu, prog, args...)
+		ctx, cancel, cmd = sdeOf(ctx, test.cpu, prog, args...)
 		defer cancel()
-
-		cmd.Cancel = func() error {
-			cancelled = true
-			return cmd.Process.Kill()
-		}
 	} else {
-		cmd = exec.Command(prog, args...)
+		cmd = exec.CommandContext(ctx, prog, args...)
 	}
 	if test.Env != nil || test.numShards != 0 {
 		cmd.Env = make([]string, len(os.Environ()))
@@ -219,23 +216,30 @@ func runTestOnce(test test, mallocNumToFail int64) (passed bool, err error) {
 	}
 
 	if err := cmd.Wait(); err != nil {
-		if exitError, ok := err.(*exec.ExitError); ok {
+		var exitError *exec.ExitError
+		if errors.As(err, &exitError) {
 			switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
 			case 88:
 				return false, errMoreMallocs
 			case 89:
 				fmt.Print(string(outBuf.Bytes()))
 				return false, errTestSkipped
 			}
-			if cancelled {
-				return testPass(outBuf), errTestHanging
+			select {
+			case <-ctx.Done():
+				if errors.Is(ctx.Err(), context.DeadlineExceeded) {
+					return testPass(outBuf), errTestHanging
+				} else if ctx.Err() != nil {
+					return false, ctx.Err()
+				}
+			default:
+				// Nothing
 			}
 		}
 		fmt.Print(string(outBuf.Bytes()))
 		return false, err
 	}
 
-
 	return testPass(outBuf), nil
 }