go1.25 (#104)

Author: zoom-ua

.github/workflows/ci.yml

@@ -1,27 +1,53 @@
 name: CI
+
 on:
   push:
     branches:
       - master
   pull_request:
     branches:
       - master
+  schedule:
+    # Run daily at 2 AM UTC to check for new vulnerabilities
+    - cron: "0 2 * * *"
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   test:
+    timeout-minutes: 15
     strategy:
       matrix:
-        go-version: [1.21.x, 1.22.x, 1.23.x]
+        go-version: [1.25.x, 1.24.x]
         os: [ubuntu-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go-version }}
-      - uses: actions/checkout@v3
+          cache: true
+
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@v9
+        with:
+          version: v2.7.2
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: Run govulncheck
+        uses: golang/govulncheck-action@v1
         with:
-          version: v1.63
-      - run: go vet ./...
-      - run: go test ./...
-      - run: env GOARCH=386 go test ./...
+          go-version-input: ${{ matrix.go-version }}
+
+      - name: Test
+        run: go test -race ./...

.golangci.yml

@@ -1,13 +1,85 @@
-linters-settings:
-  gocritic:
-    disabled-checks:
-      - ifElseChain
-      - elseif
+version: "2"
+
+run:
+  timeout: 5m
+  tests: true
+
+formatters:
+  enable:
+    - gofumpt
 
 linters:
   enable:
-    - gofmt
-    - gocritic
-    - unconvert
-    - revive
-    - govet
+    # Core recommended linters
+    - errcheck # Checks for unchecked errors
+    - govet # Go vet checks
+    - ineffassign # Detects ineffectual assignments
+    - staticcheck # Advanced static analysis
+    - unused # Finds unused code
+
+    # Code quality
+    - misspell # Finds commonly misspelled words
+    - unconvert # Unnecessary type conversions (already enabled in original)
+    - unparam # Finds unused function parameters
+    - gocritic # Various checks (already enabled in original)
+    - revive # Fast, configurable linter (already enabled in original)
+
+    # Security and best practices
+    - gosec # Security-focused linter
+    - bodyclose # Checks HTTP response body closed
+    - noctx # Finds HTTP requests without context
+
+  settings:
+    gocritic:
+      disabled-checks:
+        - ifElseChain
+        - elseif
+
+    govet:
+      enable-all: true
+      disable:
+        - shadow
+        - fieldalignment
+
+    revive:
+      enable-all-rules: false
+
+  exclusions:
+    rules:
+      # Exclude specific revive rules
+      - linters:
+          - revive
+        text: "package-comments"
+
+      - linters:
+          - revive
+        text: "exported"
+
+      # Exclude specific staticcheck rules
+      - linters:
+          - staticcheck
+        text: "ST1005"
+
+      # Exclude specific gocritic rules
+      - linters:
+          - gocritic
+        text: "ifElseChain"
+
+      # Exclude misspell in test vectors (generated test data)
+      - linters:
+          - misspell
+        path: "encoding/basex/vectors_test.go"
+
+      # Exclude staticcheck suggestions in test/production code
+      - linters:
+          - staticcheck
+        text: "QF1003"
+
+      - linters:
+          - staticcheck
+        text: "QF1008"
+
+      # Exclude unparam warnings in test code
+      - linters:
+          - unparam
+        path: "_test\\.go"

armor.go

@@ -197,7 +197,6 @@ func (s *framedDecoderStream) loadHeader() (err error) {
 // Read from a framedDeecoderStream. The frame is the "BEGIN FOO." block
 // at the beginning, and the "END FOO." block at the end.
 func (s *framedDecoderStream) Read(p []byte) (n int, err error) {
-
 	if s.state == fdsHeader {
 		err = s.loadHeader()
 		if err != nil {

armor62.go

@@ -51,7 +51,8 @@ func NewArmor62DecoderStream(r io.Reader, hc HeaderChecker, fc FrameChecker) (io
 
 // Armor62Open runs armor stream decoding, but on a string, and it outputs
 // a string. It does not do any validation on the header and footer.
-// Deprecated: user Armor62OpenWithValidation instead.
+//
+// Deprecated: use Armor62OpenWithValidation instead.
 func Armor62Open(msg string) (body []byte, header string, footer string, err error) {
 	body, _, header, footer, err = Armor62OpenWithValidation(msg, nil, nil)
 	return body, header, footer, err

armor62_sign.go

@@ -60,7 +60,6 @@ func NewSignDetachedArmor62Stream(version Version, detachedsig io.Writer, signer
 		return nil, err
 	}
 	return closeForwarder([]io.WriteCloser{out, enc}), nil
-
 }
 
 // SignDetachedArmor62 returns a detached armored signature of plaintext from signer.

armor_test.go

@@ -29,8 +29,10 @@ func brandCheck(t *testing.T, received string) {
 	require.Equal(t, ourBrand, received)
 }
 
-const hdr = "BEGIN ACME SALTPACK ENCRYPTED MESSAGE"
-const ftr = "END ACME SALTPACK ENCRYPTED MESSAGE"
+const (
+	hdr = "BEGIN ACME SALTPACK ENCRYPTED MESSAGE"
+	ftr = "END ACME SALTPACK ENCRYPTED MESSAGE"
+)
 
 func testArmor(t *testing.T, sz int) {
 	m := msg(sz)
@@ -58,6 +60,7 @@ func TestArmor1024(t *testing.T) {
 func TestArmor8192(t *testing.T) {
 	testArmor(t, 8192)
 }
+
 func TestArmor65536(t *testing.T) {
 	testArmor(t, 65536)
 }
@@ -129,7 +132,8 @@ func TestBinaryInput(t *testing.T) {
 	case <-time.After(5 * time.Second):
 		buf := make([]byte, 1<<16)
 		runtime.Stack(buf, true)
-		os.Stderr.Write(buf)
+		_, err := os.Stderr.Write(buf)
+		require.NoError(t, err)
 		t.Fatal("timed out waiting for Armor62Open to finish")
 	}
 

chunk_reader_test.go

@@ -97,8 +97,9 @@ func exampleEncode(plaintext []byte) []byte {
 	for i := 0; i < len(plaintext); i++ {
 		block := exampleBlock{
 			PayloadCiphertext: []byte{^plaintext[i]},
-			Seqno:             packetSeqno(i + 1),
-			IsFinal:           i == len(plaintext)-1,
+			//nolint:gosec // i is a valid slice index, conversion is safe
+			Seqno:   packetSeqno(i + 1),
+			IsFinal: i == len(plaintext)-1,
 		}
 		err := encoder.Encode(block)
 		if err != nil {

classify_and_decrypt.go

@@ -33,7 +33,6 @@ const (
 // saltpack message. If err is nil, msgType will return the type of the encoded message, but this does *NOT* guarantee that the
 // rest of the message is well formed.
 func IsSaltpackBinary(stream *bufio.Reader) (msgType MessageType, version Version, err error) {
-
 	b, err := stream.Peek(minLengthToIdentifyBinarySaltpack)
 	if err == bufio.ErrBufferFull {
 		return MessageTypeUnknown, Version{}, ErrShortSliceOrBuffer
@@ -48,7 +47,6 @@ func IsSaltpackBinary(stream *bufio.Reader) (msgType MessageType, version Versio
 // long enough to make this determination, or if it does not appear to contain a binary saltpack message. If err is nil, msgType
 // will return the type of the encoded message, but this does *NOT* guarantee that the rest of the message is well formed.
 func IsSaltpackBinarySlice(b []byte) (msgType MessageType, version Version, err error) {
-
 	// To avoid decoding the whole header, part of the messagepack decoding is done manually
 	// instead of through go-codec. See https://github.com/msgpack/msgpack/blob/master/spec.md
 	// for details on the encoding.
@@ -241,7 +239,8 @@ func ClassifyStream(stream *bufio.Reader) (isArmored bool, brand string, message
 // as well as some informtation about the stream. The brand is only returned for armored ciphertexts, mki only
 // for encryption-mode ciphertext, senderPublic only for signcryption-mode ciphertexts.
 func ClassifyEncryptedStreamAndMakeDecoder(source io.Reader, decryptionKeyring SigncryptKeyring, keyResolver SymmetricKeyResolver) (
-	plainsource io.Reader, msgType MessageType, mki *MessageKeyInfo, senderPublic SigningPublicKey, isArmored bool, brand string, ver Version, err error) {
+	plainsource io.Reader, msgType MessageType, mki *MessageKeyInfo, senderPublic SigningPublicKey, isArmored bool, brand string, ver Version, err error,
+) {
 	stream := bufio.NewReader(source)
 
 	isArmored, _, msgType, ver, err = ClassifyStream(stream)

common_test.go

@@ -27,7 +27,6 @@ func TestComputePayloadAuthenticator(t *testing.T) {
 			authenticator := computePayloadAuthenticator(macKey, payloadHash)
 			if !authenticator.Equal(expectedAuthenticators[i]) {
 				t.Errorf("Got %#v, expected %#v", authenticator, expectedAuthenticators[i])
-
 			}
 			i++
 		}
@@ -81,20 +80,23 @@ func runTestsOverVersions(t *testing.T, prefix string, fs []func(t *testing.T, v
 var secret1 = boxSecretKey{
 	key: RawBoxKey{0x08},
 }
+
 var secret2 = boxSecretKey{
 	key: RawBoxKey{0x10},
 }
 
 var eSecret1 = boxSecretKey{
 	key: RawBoxKey{0x18},
 }
+
 var eSecret2 = boxSecretKey{
 	key: RawBoxKey{0x20},
 }
 
 var public1 = boxPublicKey{
 	key: RawBoxKey{0x5},
 }
+
 var public2 = boxPublicKey{
 	key: RawBoxKey{0x6},
 }

decrypt.go

@@ -131,6 +131,7 @@ func (ds *decryptStream) tryVisibleReceivers(hdr *EncryptionHeader, ephemeralKey
 		return nil, nil, -1, ErrBadLookup
 	}
 
+	//nolint:gosec // orig is a valid slice index, conversion is safe
 	nonce := nonceForPayloadKeyBox(hdr.Version, uint64(orig))
 	payloadKeySlice, err := sk.Unbox(ephemeralKey, nonce, hdr.Receivers[orig].PayloadKeyBox)
 	if err != nil {
@@ -160,6 +161,7 @@ func (ds *decryptStream) tryHiddenReceivers(hdr *EncryptionHeader, ephemeralKey
 
 		for i, r := range hdr.Receivers {
 			if len(r.ReceiverKID) == 0 {
+				//nolint:gosec // i is a valid slice index, conversion is safe
 				nonce := nonceForPayloadKeyBox(hdr.Version, uint64(i))
 				payloadKeySlice, err := shared.Unbox(nonce, r.PayloadKeyBox)
 				if err != nil {
@@ -259,7 +261,6 @@ func computeMACKeyReceiver(version Version, index uint64, secret BoxSecretKey, p
 }
 
 func (ds *decryptStream) processBlock(ciphertext []byte, authenticators []payloadAuthenticator, isFinal bool, seqno packetSeqno) ([]byte, error) {
-
 	blockNum := encryptionBlockNumber(seqno - 1)
 
 	if err := blockNum.check(); err != nil {