diff --git a/.github/workflows/ci-actions.yml b/.github/workflows/ci-actions.yml index 0c024234b..fd10e7b4f 100644 --- a/.github/workflows/ci-actions.yml +++ b/.github/workflows/ci-actions.yml @@ -13,19 +13,19 @@ jobs: runs-on: ubuntu-22.04 strategy: matrix: - GOVER: ['1.22', '1.21'] + GOVER: ['1.23', '1.22'] steps: + - name: Checkout + uses: actions/checkout@v4 - name: Setup Go-${{ matrix.GOVER }} uses: actions/setup-go@v5 with: go-version: ${{ matrix.GOVER }} - - name: Checkout - uses: actions/checkout@v4 - name: Linting - uses: golangci/golangci-lint-action@v4 + uses: golangci/golangci-lint-action@v6 with: - version: v1.56.2 - args: --config=./.etc/golangci.yml ./... + version: v1.61.0 + install-mode: goinstall - name: Check shadowing run: | go install golang.org/x/tools/go/analysis/passes/shadow/cmd/shadow@latest @@ -61,7 +61,7 @@ jobs: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes - name: Testing run: | - docker run --rm -v `pwd`:`pwd` -w `pwd` ${{matrix.CFG[1]}}/golang:${{matrix.CFG[2]}} go test -v ./... + docker run --rm --platform linux/${{matrix.CFG[0]}} -v `pwd`:`pwd` -w `pwd` ${{matrix.CFG[1]}}/golang:${{matrix.CFG[2]}} go test -v ./... build_modes: needs: [amd64_job] runs-on: ubuntu-22.04 @@ -72,7 +72,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: '1.22' + go-version: '1.23' - name: Build as Static run: make circl_static - name: Build as Plugin @@ -88,7 +88,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: '1.22' + go-version: '1.23' - name: Produce Coverage run: go test -coverprofile=./coverage.txt ./... - name: Upload Codecov @@ -110,7 +110,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: '1.22' + go-version: '1.23' - name: Building run: go build -v ./... - name: Testing @@ -129,7 +129,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v5 with: - go-version: '1.22' + go-version: '1.23' - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: 
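Review bot: The linting step in the first hunk now runs `golangci/golangci-lint-action@v6` from a mutable tag, and the relocated checkout step does the same with `actions/checkout@v4`. A tag can be re-pointed upstream, so the job runs whatever the tag resolves to on that day. Pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: golangci/golangci-lint-action@<full-commit-sha> # v6`, makes the workflow reproducible and reviewable. `install-mode: goinstall` builds the linter from source on every run; if that was chosen so the linter is built with the matrix Go version, a one-line YAML comment saying so would help. The following step, visible as context, still installs `shadow@latest`, which is unpinned in the same way.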
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 4090692fe..2250f98de 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -1,13 +1,12 @@ on: pull_request: {} workflow_dispatch: {} - push: + push: branches: - main - - master schedule: - cron: '0 0 * * *' -name: Semgrep config +name: Semgrep jobs: semgrep: name: semgrep/ci @@ -21,4 +20,4 @@ jobs: image: semgrep/semgrep steps: - uses: actions/checkout@v4 - - run: semgrep ci + - run: semgrep ci --verbose diff --git a/.etc/golangci.yml b/.golangci.yaml similarity index 89% rename from .etc/golangci.yml rename to .golangci.yaml index 386ef2781..064024654 100644 --- a/.etc/golangci.yml +++ b/.golangci.yaml @@ -12,11 +12,12 @@ linters: # - structcheck (deprecated since v1.49.0) # - varcheck (deprecated since v1.49.0) # - deadcode (deprecated since v1.49.0) + # - exportloopref (deprecated since v1.60.2) - bodyclose + - copyloopvar - depguard - dogsled - errcheck - - exportloopref - forbidigo - funlen - goconst @@ -56,15 +57,17 @@ linters-settings: goconst: min-occurrences: 4 govet: - check-shadowing: true + enable-all: true + disable: + - fieldalignment staticcheck: # TODO: replace deprecated elliptic.Marshal, elliptic.GenerateKey, # elliptic.Unmarshal, params.ScalarBaseMult before re-enabling SA1019. checks: ["*", "-SA1019"] + gosec: + excludes: + - G115 issues: max-issues-per-linter: 0 max-same-issues: 0 - -output: - format: github-actions diff --git a/.semgrepignore b/.semgrepignore new file mode 100644 index 000000000..bb0224d57 --- /dev/null +++ b/.semgrepignore @@ -0,0 +1 @@ +.github/ diff --git a/abe/cpabe/tkn20/internal/dsl/lexer.go b/abe/cpabe/tkn20/internal/dsl/lexer.go index 43c19d97f..be648ef7a 100644 --- a/abe/cpabe/tkn20/internal/dsl/lexer.go +++ b/abe/cpabe/tkn20/internal/dsl/lexer.go @@ -1,6 +1,7 @@ package dsl import ( + "errors" "fmt" "strings" ) 
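Review bot: The new `gosec: excludes: - G115` entry in `.golangci.yaml` switches off the integer-conversion overflow check for the whole repository, and nothing in the hunk records why. In a cryptographic library, narrowing conversions on lengths and indices are the kind of finding worth seeing in review. Consider keeping the rule enabled and suppressing it per site with `//nolint:gosec // <reason>`, or at minimum put a comment above the exclusion such as `# G115 excluded: <reason>; revisit when conversions are audited`.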
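Review bot: The single entry `.github/` in the new `.semgrepignore` takes every workflow file out of the Semgrep scan, so rules that target CI definitions (expression injection in `run:` steps, unpinned actions) will no longer report on them. If the goal was to silence particular findings, a narrower path or an inline `# nosemgrep: <rule-id>` on the affected lines keeps the rest of the directory covered. It is also worth confirming how this file interacts with Semgrep's built-in default ignore list: as far as I know a repository-level `.semgrepignore` replaces the defaults rather than extending them, which would change what else gets scanned.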
@@ -58,7 +59,7 @@ func (l *Lexer) scanTokens() error { } l.addToken(EOF) if l.hadError { - return fmt.Errorf(strings.TrimSpace(errMsg)) + return errors.New(strings.TrimSpace(errMsg)) } return nil } diff --git a/go.mod b/go.mod index c58932dce..0340ede9f 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/cloudflare/circl -go 1.21 +go 1.22.0 require ( github.com/bwesterb/go-ristretto v1.2.3 diff --git a/group/group_test.go b/group/group_test.go index ee7e25059..b48cd507c 100644 --- a/group/group_test.go +++ b/group/group_test.go @@ -20,7 +20,6 @@ var allGroups = []group.Group{ func TestGroup(t *testing.T) { const testTimes = 1 << 7 for _, g := range allGroups { - g := g n := g.(fmt.Stringer).String() t.Run(n+"/Add", func(tt *testing.T) { testAdd(tt, testTimes, g) }) t.Run(n+"/Neg", func(tt *testing.T) { testNeg(tt, testTimes, g) }) diff --git a/group/hash_test.go b/group/hash_test.go index 51b44ad78..1e784e9ef 100644 --- a/group/hash_test.go +++ b/group/hash_test.go @@ -115,7 +115,6 @@ type vector struct { func BenchmarkHash(b *testing.B) { for _, g := range allGroups { - g := g name := g.(fmt.Stringer).String() b.Run(name+"/HashToElement", func(b *testing.B) { for i := 0; i < b.N; i++ { diff --git a/internal/test/test.go b/internal/test/test.go index 576211a9f..9ba73dd74 100644 --- a/internal/test/test.go +++ b/internal/test/test.go @@ -16,7 +16,7 @@ func ReportError(t testing.TB, got, want interface{}, inputs ...interface{}) { } fmt.Fprintf(b, "got: %v\nwant: %v", got, want) t.Helper() - t.Fatalf(b.String()) + t.Fatal(b.String()) } // CheckOk fails the test if result == false. diff --git a/kem/frodo/kat_test.go b/kem/frodo/kat_test.go index 61b0aae25..c4694c8d3 100644 --- a/kem/frodo/kat_test.go +++ b/kem/frodo/kat_test.go 
@@ -23,7 +23,6 @@ func TestPQCgenKATKem(t *testing.T) {
 {"FrodoKEM-640-SHAKE", "604a10cfc871dfaed9cb5b057c644ab03b16852cea7f39bc7f9831513b5b1cfa"},
 }
 for _, kat := range kats {
- kat := kat
 t.Run(kat.name, func(t *testing.T) {
 testPQCgenKATKem(t, kat.name, kat.want)
 })
diff --git a/kem/kyber/kat_test.go b/kem/kyber/kat_test.go
index 5b6d39e86..08726cd79 100644
--- a/kem/kyber/kat_test.go
+++ b/kem/kyber/kat_test.go
@@ -31,7 +31,6 @@ func TestPQCgenKATKem(t *testing.T) {
 {"ML-KEM-1024", "3fba7327d0320cb6134badf2a1bcb963a5b3c0026c7dece8f00d6a6155e47b33"},
 }
 for _, kat := range kats {
- kat := kat
 t.Run(kat.name, func(t *testing.T) {
 testPQCgenKATKem(t, kat.name, kat.want)
 })
diff --git a/kem/schemes/schemes_test.go b/kem/schemes/schemes_test.go
index 88a02f31b..d9caf70a9 100644
--- a/kem/schemes/schemes_test.go
+++ b/kem/schemes/schemes_test.go
@@ -17,7 +17,6 @@ func TestCaseSensitivity(t *testing.T) {
 func BenchmarkGenerateKeyPair(b *testing.B) {
 allSchemes := schemes.All()
 for _, scheme := range allSchemes {
- scheme := scheme
 b.Run(scheme.Name(), func(b *testing.B) {
 for i := 0; i < b.N; i++ {
 _, _, _ = scheme.GenerateKeyPair()
@@ -29,7 +28,6 @@ func BenchmarkGenerateKeyPair(b *testing.B) {
 func BenchmarkEncapsulate(b *testing.B) {
 allSchemes := schemes.All()
 for _, scheme := range allSchemes {
- scheme := scheme
 pk, _, _ := scheme.GenerateKeyPair()
 b.Run(scheme.Name(), func(b *testing.B) {
 for i := 0; i < b.N; i++ {
@@ -42,7 +40,6 @@ func BenchmarkEncapsulate(b *testing.B) {
 func BenchmarkDecapsulate(b *testing.B) {
 allSchemes := schemes.All()
 for _, scheme := range allSchemes {
- scheme := scheme
 pk, sk, _ := scheme.GenerateKeyPair()
 ct, _, _ := scheme.Encapsulate(pk)
 b.Run(scheme.Name(), func(b *testing.B) {
@@ -56,7 +53,6 @@ func BenchmarkDecapsulate(b *testing.B) {
 func TestApi(t *testing.T) {
 allSchemes := schemes.All()
 for _, scheme := range allSchemes {
- scheme := scheme
 t.Run(scheme.Name(), func(t *testing.T) {
 if scheme == nil {
 t.Fatal()
diff --git a/math/wnaf_test.go b/math/wnaf_test.go index d397b0640..ad33d20b6 100644 --- a/math/wnaf_test.go +++ b/math/wnaf_test.go @@ -63,7 +63,6 @@ func BenchmarkOmegaNAF(b *testing.B) { Two128.Lsh(Two128, 128) for w := uint(2); w < 6; w++ { - w := w // pin variable b.Run(fmt.Sprintf("%v", w), func(b *testing.B) { x, _ := rand.Int(rand.Reader, Two128) b.ResetTimer() @@ -79,7 +78,6 @@ func BenchmarkOmegaNAFRegular(b *testing.B) { Two128.Lsh(Two128, 128) for w := uint(2); w < 6; w++ { - w := w // pin variable b.Run(fmt.Sprintf("%v", w), func(b *testing.B) { x, _ := rand.Int(rand.Reader, Two128) x.SetBit(x, 0, uint(1)) // odd-numbers diff --git a/oprf/vectors_test.go b/oprf/vectors_test.go index 774dc50fa..2293049e8 100644 --- a/oprf/vectors_test.go +++ b/oprf/vectors_test.go @@ -245,7 +245,7 @@ func TestVectors(t *testing.T) { for i := range v { suite, err := GetSuite(v[i].Identifier) if err != nil { - t.Logf(v[i].Identifier + " not supported yet") + t.Log(v[i].Identifier + " not supported yet") continue } t.Run(fmt.Sprintf("%v/Mode%v", suite, v[i].Mode), v[i].test) diff --git a/pke/kyber/internal/common/asm/go.mod b/pke/kyber/internal/common/asm/go.mod index ed620578f..12eece759 100644 --- a/pke/kyber/internal/common/asm/go.mod +++ b/pke/kyber/internal/common/asm/go.mod @@ -1,15 +1,15 @@ module github.com/cloudflare/circl/pke/kyber/internal/common/asm -go 1.21 +go 1.22.0 require ( - github.com/cloudflare/circl v1.3.7 + github.com/cloudflare/circl v1.4.0 github.com/mmcloughlin/avo v0.6.0 ) require ( golang.org/x/mod v0.14.0 // indirect - golang.org/x/tools v0.17.0 // indirect + golang.org/x/tools v0.16.1 // indirect ) replace github.com/cloudflare/circl => ../../../../../ diff --git a/pke/kyber/internal/common/asm/go.sum b/pke/kyber/internal/common/asm/go.sum index d9b5c0cf9..483bba883 100644 --- a/pke/kyber/internal/common/asm/go.sum +++ b/pke/kyber/internal/common/asm/go.sum 
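Review bot: In `pke/kyber/internal/common/asm/go.mod` the indirect requirement `golang.org/x/tools` moves from v0.17.0 down to v0.16.1, and the matching go.sum hunk moves `golang.org/x/sync` from v0.6.0 to v0.5.0; both are downgrades in a change that otherwise raises versions. This probably fell out of re-resolving the module graph after the bump to `circl v1.4.0`, but a downgrade should be a deliberate decision rather than a side effect. If it was not intended, `go get golang.org/x/tools@v0.17.0` followed by `go mod tidy` in this module restores the earlier versions. The same downgrade appears in `sign/dilithium/internal/common/asm/go.mod` and its go.sum.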
@@ -2,7 +2,7 @@ github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= diff --git a/pke/kyber/internal/common/poly_test.go b/pke/kyber/internal/common/poly_test.go index 350bef961..cc305d730 100644 --- a/pke/kyber/internal/common/poly_test.go +++ b/pke/kyber/internal/common/poly_test.go @@ -44,7 +44,6 @@ func TestDecompressMessage(t *testing.T) { func TestCompress(t *testing.T) { for _, d := range []int{4, 5, 10, 11} { - d := d t.Run(fmt.Sprintf("d=%d", d), func(t *testing.T) { var p, q Poly bound := (Q + (1 << uint(d))) >> uint(d+1) @@ -351,7 +350,6 @@ func (p *Poly) OldCompressTo(m []byte, d int) { func TestCompressFullInputFirstCoeff(t *testing.T) { for _, d := range []int{4, 5, 10, 11} { - d := d t.Run(fmt.Sprintf("d=%d", d), func(t *testing.T) { var p, q Poly bound := (Q + (1 << uint(d))) >> uint(d+1) diff --git a/pki/pki_test.go b/pki/pki_test.go index 7412dd0ae..64b43759d 100644 --- a/pki/pki_test.go +++ b/pki/pki_test.go 
@@ -9,7 +9,6 @@ import ( func TestPEM(t *testing.T) { for _, scheme := range schemes.All() { - scheme := scheme t.Run(scheme.Name(), func(t *testing.T) { if scheme == nil { t.Fatal() diff --git a/sign/dilithium/internal/common/asm/go.mod b/sign/dilithium/internal/common/asm/go.mod index 5638957e6..3f9a8a6d3 100644 --- a/sign/dilithium/internal/common/asm/go.mod +++ b/sign/dilithium/internal/common/asm/go.mod @@ -1,15 +1,15 @@ module github.com/cloudflare/circl/sign/dilithium/internal/common/asm -go 1.21 +go 1.22.0 require ( - github.com/cloudflare/circl v1.3.7 + github.com/cloudflare/circl v1.4.0 github.com/mmcloughlin/avo v0.6.0 ) require ( golang.org/x/mod v0.14.0 // indirect - golang.org/x/tools v0.17.0 // indirect + golang.org/x/tools v0.16.1 // indirect ) replace github.com/cloudflare/circl => ../../../../../ diff --git a/sign/dilithium/internal/common/asm/go.sum b/sign/dilithium/internal/common/asm/go.sum index d9b5c0cf9..483bba883 100644 --- a/sign/dilithium/internal/common/asm/go.sum +++ b/sign/dilithium/internal/common/asm/go.sum 
@@ -2,7 +2,7 @@ github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8= golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc= -golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA= +golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0= diff --git a/sign/ed448/ed448.go b/sign/ed448/ed448.go index 324bd8f33..c368b181b 100644 --- a/sign/ed448/ed448.go +++ b/sign/ed448/ed448.go @@ -206,7 +206,7 @@ func newKeyFromSeed(privateKey, seed []byte) { func signAll(signature []byte, privateKey PrivateKey, message, ctx []byte, preHash bool) { if len(ctx) > ContextMaxSize { - panic(fmt.Errorf("ed448: bad context length: " + strconv.Itoa(len(ctx)))) + panic(fmt.Errorf("ed448: bad context length: %v", len(ctx))) } H := sha3.NewShake256() diff --git a/sign/schemes/schemes_test.go b/sign/schemes/schemes_test.go index 2d8e86512..dfa044d78 100644 --- a/sign/schemes/schemes_test.go +++ b/sign/schemes/schemes_test.go @@ -17,7 +17,6 @@ func TestCaseSensitivity(t *testing.T) { func TestApi(t *testing.T) { allSchemes := schemes.All() for _, scheme := range allSchemes { - scheme := scheme t.Run(scheme.Name(), func(t *testing.T) { if scheme == nil { t.Fatal() 
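Review bot: In the `sign/ed448/ed448.go` hunk, `%d` is the more precise verb for an integer length: `panic(fmt.Errorf("ed448: bad context length: %d", len(ctx)))`. If the removed `strconv.Itoa` call was the only use of `strconv` in this file, the import has to be dropped as well; the import block is outside the hunk, so that cannot be confirmed from here. signAll continues past the hunk and still panics on an over-long context, so a short comment above the check stating that exported callers must reject `len(ctx) > ContextMaxSize` before reaching it would make the contract explicit.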
@@ -122,7 +121,6 @@ func Example() {
 func BenchmarkGenerateKeyPair(b *testing.B) {
 allSchemes := schemes.All()
 for _, scheme := range allSchemes {
- scheme := scheme
 b.Run(scheme.Name(), func(b *testing.B) {
 for i := 0; i < b.N; i++ {
 _, _, _ = scheme.GenerateKey()
@@ -136,7 +134,6 @@ func BenchmarkSign(b *testing.B) {
 opts := &sign.SignatureOpts{}
 for _, scheme := range allSchemes {
 msg := []byte(fmt.Sprintf("Signing with %s", scheme.Name()))
- scheme := scheme
 _, sk, _ := scheme.GenerateKey()
 b.Run(scheme.Name(), func(b *testing.B) {
 for i := 0; i < b.N; i++ {
@@ -151,7 +148,6 @@ func BenchmarkVerify(b *testing.B) {
 opts := &sign.SignatureOpts{}
 for _, scheme := range allSchemes {
 msg := []byte(fmt.Sprintf("Signing with %s", scheme.Name()))
- scheme := scheme
 pk, sk, _ := scheme.GenerateKey()
 sig := scheme.Sign(sk, msg, opts)
 b.Run(scheme.Name(), func(b *testing.B) {