repo: Some fixes reported by CodeQL

.github/workflows/ci-actions.yml

@@ -13,19 +13,19 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        GOVER: ['1.22', '1.21']
+        GOVER: ['1.23', '1.22']
     steps:
+      - name: Checkout
+        uses: actions/checkout@v4
       - name: Setup Go-${{ matrix.GOVER }}
         uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.GOVER }}
-      - name: Checkout
-        uses: actions/checkout@v4
       - name: Linting
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
-          version: v1.56.2
-          args: --config=./.etc/golangci.yml ./...
+          version: v1.61.0
+          install-mode: goinstall
       - name: Check shadowing
         run: |
          go install golang.org/x/tools/go/analysis/passes/shadow/cmd/shadow@latest
@@ -61,7 +61,7 @@ jobs:
           docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
       - name: Testing
         run: |
-          docker run --rm -v `pwd`:`pwd` -w `pwd` ${{matrix.CFG[1]}}/golang:${{matrix.CFG[2]}} go test -v ./...
+          docker run --rm --platform linux/${{matrix.CFG[0]}} -v `pwd`:`pwd` -w `pwd` ${{matrix.CFG[1]}}/golang:${{matrix.CFG[2]}} go test -v ./...
   build_modes:
     needs: [amd64_job]
     runs-on: ubuntu-22.04
@@ -72,7 +72,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.23'
       - name: Build as Static
         run: make circl_static
       - name: Build as Plugin
@@ -88,7 +88,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.23'
       - name: Produce Coverage
         run: go test -coverprofile=./coverage.txt ./...
       - name: Upload Codecov
@@ -110,7 +110,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.23'
       - name: Building
         run: go build -v ./...
       - name: Testing
@@ -129,7 +129,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.23'
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:

.github/workflows/semgrep.yml

@@ -1,13 +1,12 @@
 on:
   pull_request: {}
   workflow_dispatch: {}
-  push: 
+  push:
     branches:
       - main
-      - master
   schedule:
     - cron: '0 0 * * *'
-name: Semgrep config
+name: Semgrep
 jobs:
   semgrep:
     name: semgrep/ci
@@ -21,4 +20,4 @@ jobs:
       image: semgrep/semgrep
     steps:
       - uses: actions/checkout@v4
-      - run: semgrep ci
+      - run: semgrep ci --verbose

.etc/golangci.yml → .golangci.yaml

@@ -12,11 +12,12 @@ linters:
     # - structcheck (deprecated since v1.49.0)
     # - varcheck    (deprecated since v1.49.0)
     # - deadcode    (deprecated since v1.49.0)
+    # - exportloopref (deprecated since v1.60.2)
     - bodyclose
+    - copyloopvar
     - depguard
     - dogsled
     - errcheck
-    - exportloopref
     - forbidigo
     - funlen
     - goconst
@@ -56,15 +57,17 @@ linters-settings:
   goconst:
     min-occurrences: 4
   govet:
-    check-shadowing: true
+    enable-all: true
+    disable:
+      - fieldalignment
   staticcheck:
     # TODO: replace deprecated elliptic.Marshal, elliptic.GenerateKey,
     # elliptic.Unmarshal, params.ScalarBaseMult before re-enabling SA1019.
     checks: ["*", "-SA1019"]
+  gosec:
+    excludes:
+      - G115
 
 issues:
   max-issues-per-linter: 0
   max-same-issues: 0
-
-output:
-  format: github-actions

.semgrepignore

@@ -0,0 +1 @@
+.github/

abe/cpabe/tkn20/internal/dsl/lexer.go

@@ -1,6 +1,7 @@
 package dsl
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 )
@@ -58,7 +59,7 @@ func (l *Lexer) scanTokens() error {
 	}
 	l.addToken(EOF)
 	if l.hadError {
-		return fmt.Errorf(strings.TrimSpace(errMsg))
+		return errors.New(strings.TrimSpace(errMsg))
 	}
 	return nil
 }

go.mod

@@ -1,6 +1,6 @@
 module github.com/cloudflare/circl
 
-go 1.21
+go 1.22.0
 
 require (
 	github.com/bwesterb/go-ristretto v1.2.3

group/group_test.go

@@ -20,7 +20,6 @@ var allGroups = []group.Group{
 func TestGroup(t *testing.T) {
 	const testTimes = 1 << 7
 	for _, g := range allGroups {
-		g := g
 		n := g.(fmt.Stringer).String()
 		t.Run(n+"/Add", func(tt *testing.T) { testAdd(tt, testTimes, g) })
 		t.Run(n+"/Neg", func(tt *testing.T) { testNeg(tt, testTimes, g) })

group/hash_test.go

@@ -115,7 +115,6 @@ type vector struct {
 
 func BenchmarkHash(b *testing.B) {
 	for _, g := range allGroups {
-		g := g
 		name := g.(fmt.Stringer).String()
 		b.Run(name+"/HashToElement", func(b *testing.B) {
 			for i := 0; i < b.N; i++ {

internal/test/test.go

@@ -16,7 +16,7 @@ func ReportError(t testing.TB, got, want interface{}, inputs ...interface{}) {
 	}
 	fmt.Fprintf(b, "got:  %v\nwant: %v", got, want)
 	t.Helper()
-	t.Fatalf(b.String())
+	t.Fatal(b.String())
 }
 
 // CheckOk fails the test if result == false.

kem/frodo/kat_test.go

@@ -23,7 +23,6 @@ func TestPQCgenKATKem(t *testing.T) {
 		{"FrodoKEM-640-SHAKE", "604a10cfc871dfaed9cb5b057c644ab03b16852cea7f39bc7f9831513b5b1cfa"},
 	}
 	for _, kat := range kats {
-		kat := kat
 		t.Run(kat.name, func(t *testing.T) {
 			testPQCgenKATKem(t, kat.name, kat.want)
 		})

kem/kyber/kat_test.go

@@ -31,7 +31,6 @@ func TestPQCgenKATKem(t *testing.T) {
 		{"ML-KEM-1024", "3fba7327d0320cb6134badf2a1bcb963a5b3c0026c7dece8f00d6a6155e47b33"},
 	}
 	for _, kat := range kats {
-		kat := kat
 		t.Run(kat.name, func(t *testing.T) {
 			testPQCgenKATKem(t, kat.name, kat.want)
 		})

kem/schemes/schemes_test.go

@@ -17,7 +17,6 @@ func TestCaseSensitivity(t *testing.T) {
 func BenchmarkGenerateKeyPair(b *testing.B) {
 	allSchemes := schemes.All()
 	for _, scheme := range allSchemes {
-		scheme := scheme
 		b.Run(scheme.Name(), func(b *testing.B) {
 			for i := 0; i < b.N; i++ {
 				_, _, _ = scheme.GenerateKeyPair()
@@ -29,7 +28,6 @@ func BenchmarkGenerateKeyPair(b *testing.B) {
 func BenchmarkEncapsulate(b *testing.B) {
 	allSchemes := schemes.All()
 	for _, scheme := range allSchemes {
-		scheme := scheme
 		pk, _, _ := scheme.GenerateKeyPair()
 		b.Run(scheme.Name(), func(b *testing.B) {
 			for i := 0; i < b.N; i++ {
@@ -42,7 +40,6 @@ func BenchmarkEncapsulate(b *testing.B) {
 func BenchmarkDecapsulate(b *testing.B) {
 	allSchemes := schemes.All()
 	for _, scheme := range allSchemes {
-		scheme := scheme
 		pk, sk, _ := scheme.GenerateKeyPair()
 		ct, _, _ := scheme.Encapsulate(pk)
 		b.Run(scheme.Name(), func(b *testing.B) {
@@ -56,7 +53,6 @@ func BenchmarkDecapsulate(b *testing.B) {
 func TestApi(t *testing.T) {
 	allSchemes := schemes.All()
 	for _, scheme := range allSchemes {
-		scheme := scheme
 		t.Run(scheme.Name(), func(t *testing.T) {
 			if scheme == nil {
 				t.Fatal()

math/wnaf_test.go

@@ -63,7 +63,6 @@ func BenchmarkOmegaNAF(b *testing.B) {
 	Two128.Lsh(Two128, 128)
 
 	for w := uint(2); w < 6; w++ {
-		w := w // pin variable
 		b.Run(fmt.Sprintf("%v", w), func(b *testing.B) {
 			x, _ := rand.Int(rand.Reader, Two128)
 			b.ResetTimer()
@@ -79,7 +78,6 @@ func BenchmarkOmegaNAFRegular(b *testing.B) {
 	Two128.Lsh(Two128, 128)
 
 	for w := uint(2); w < 6; w++ {
-		w := w // pin variable
 		b.Run(fmt.Sprintf("%v", w), func(b *testing.B) {
 			x, _ := rand.Int(rand.Reader, Two128)
 			x.SetBit(x, 0, uint(1)) // odd-numbers

oprf/vectors_test.go

@@ -245,7 +245,7 @@ func TestVectors(t *testing.T) {
 	for i := range v {
 		suite, err := GetSuite(v[i].Identifier)
 		if err != nil {
-			t.Logf(v[i].Identifier + " not supported yet")
+			t.Log(v[i].Identifier + " not supported yet")
 			continue
 		}
 		t.Run(fmt.Sprintf("%v/Mode%v", suite, v[i].Mode), v[i].test)

pke/kyber/internal/common/asm/go.mod

@@ -1,15 +1,15 @@
 module github.com/cloudflare/circl/pke/kyber/internal/common/asm
 
-go 1.21
+go 1.22.0
 
 require (
-	github.com/cloudflare/circl v1.3.7
+	github.com/cloudflare/circl v1.4.0
 	github.com/mmcloughlin/avo v0.6.0
 )
 
 require (
 	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/tools v0.17.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
 )
 
 replace github.com/cloudflare/circl => ../../../../../

pke/kyber/internal/common/asm/go.sum

@@ -2,7 +2,7 @@ github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY
 github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8=
 golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=

pke/kyber/internal/common/poly_test.go

@@ -44,7 +44,6 @@ func TestDecompressMessage(t *testing.T) {
 
 func TestCompress(t *testing.T) {
 	for _, d := range []int{4, 5, 10, 11} {
-		d := d
 		t.Run(fmt.Sprintf("d=%d", d), func(t *testing.T) {
 			var p, q Poly
 			bound := (Q + (1 << uint(d))) >> uint(d+1)
@@ -351,7 +350,6 @@ func (p *Poly) OldCompressTo(m []byte, d int) {
 
 func TestCompressFullInputFirstCoeff(t *testing.T) {
 	for _, d := range []int{4, 5, 10, 11} {
-		d := d
 		t.Run(fmt.Sprintf("d=%d", d), func(t *testing.T) {
 			var p, q Poly
 			bound := (Q + (1 << uint(d))) >> uint(d+1)

pki/pki_test.go

@@ -9,7 +9,6 @@ import (
 
 func TestPEM(t *testing.T) {
 	for _, scheme := range schemes.All() {
-		scheme := scheme
 		t.Run(scheme.Name(), func(t *testing.T) {
 			if scheme == nil {
 				t.Fatal()

sign/dilithium/internal/common/asm/go.mod

@@ -1,15 +1,15 @@
 module github.com/cloudflare/circl/sign/dilithium/internal/common/asm
 
-go 1.21
+go 1.22.0
 
 require (
-	github.com/cloudflare/circl v1.3.7
+	github.com/cloudflare/circl v1.4.0
 	github.com/mmcloughlin/avo v0.6.0
 )
 
 require (
 	golang.org/x/mod v0.14.0 // indirect
-	golang.org/x/tools v0.17.0 // indirect
+	golang.org/x/tools v0.16.1 // indirect
 )
 
 replace github.com/cloudflare/circl => ../../../../../

sign/dilithium/internal/common/asm/go.sum

@@ -2,7 +2,7 @@ github.com/mmcloughlin/avo v0.6.0 h1:QH6FU8SKoTLaVs80GA8TJuLNkUYl4VokHKlPhVDg4YY
 github.com/mmcloughlin/avo v0.6.0/go.mod h1:8CoAGaCSYXtCPR+8y18Y9aB/kxb8JSS6FRI7mSkvD+8=
 golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
-golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/tools v0.17.0 h1:FvmRgNOcs3kOa+T20R1uhfP9F6HgG2mfxDv1vrx1Htc=
-golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
+golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=

sign/ed448/ed448.go

@@ -206,7 +206,7 @@ func newKeyFromSeed(privateKey, seed []byte) {
 
 func signAll(signature []byte, privateKey PrivateKey, message, ctx []byte, preHash bool) {
 	if len(ctx) > ContextMaxSize {
-		panic(fmt.Errorf("ed448: bad context length: " + strconv.Itoa(len(ctx))))
+		panic(fmt.Errorf("ed448: bad context length: %v", len(ctx)))
 	}
 
 	H := sha3.NewShake256()

sign/schemes/schemes_test.go

@@ -17,7 +17,6 @@ func TestCaseSensitivity(t *testing.T) {
 func TestApi(t *testing.T) {
 	allSchemes := schemes.All()
 	for _, scheme := range allSchemes {
-		scheme := scheme
 		t.Run(scheme.Name(), func(t *testing.T) {
 			if scheme == nil {
 				t.Fatal()
@@ -122,7 +121,6 @@ func Example() {
 func BenchmarkGenerateKeyPair(b *testing.B) {
 	allSchemes := schemes.All()
 	for _, scheme := range allSchemes {
-		scheme := scheme
 		b.Run(scheme.Name(), func(b *testing.B) {
 			for i := 0; i < b.N; i++ {
 				_, _, _ = scheme.GenerateKey()
@@ -136,7 +134,6 @@ func BenchmarkSign(b *testing.B) {
 	opts := &sign.SignatureOpts{}
 	for _, scheme := range allSchemes {
 		msg := []byte(fmt.Sprintf("Signing with %s", scheme.Name()))
-		scheme := scheme
 		_, sk, _ := scheme.GenerateKey()
 		b.Run(scheme.Name(), func(b *testing.B) {
 			for i := 0; i < b.N; i++ {
@@ -151,7 +148,6 @@ func BenchmarkVerify(b *testing.B) {
 	opts := &sign.SignatureOpts{}
 	for _, scheme := range allSchemes {
 		msg := []byte(fmt.Sprintf("Signing with %s", scheme.Name()))
-		scheme := scheme
 		pk, sk, _ := scheme.GenerateKey()
 		sig := scheme.Sign(sk, msg, opts)
 		b.Run(scheme.Name(), func(b *testing.B) {