Fix linter errors, simplify tests

Signed-off-by: Knut Ahlers <knut@ahlers.me>

.golangci.yml

@@ -0,0 +1,174 @@
+# Derived from https://github.com/golangci/golangci-lint/blob/master/.golangci.example.yml
+
+---
+
+run:
+  # timeout for analysis, e.g. 30s, 5m, default is 1m
+  timeout: 5m
+  # Force readonly modules usage for checking
+  modules-download-mode: readonly
+
+output:
+  format: tab
+
+issues:
+  # This disables the included exclude-list in golangci-lint as that
+  # list for example fully hides G304 gosec rule, errcheck, exported
+  # rule of revive and other errors one really wants to see.
+  # Smme detail: https://github.com/golangci/golangci-lint/issues/456
+  exclude-use-default: false
+  # Don't limit the number of shown issues: Report ALL of them
+  max-issues-per-linter: 0
+  max-same-issues: 0
+
+linters:
+  disable-all: true
+  enable:
+    - asciicheck    # Simple linter to check that your code does not contain non-ASCII identifiers [fast: true, auto-fix: false]
+    - bidichk       # Checks for dangerous unicode character sequences [fast: true, auto-fix: false]
+    - bodyclose     # checks whether HTTP response body is closed successfully [fast: true, auto-fix: false]
+    - containedctx  # containedctx is a linter that detects struct contained context.Context field [fast: true, auto-fix: false]
+    - contextcheck  # check the function whether use a non-inherited context [fast: false, auto-fix: false]
+    - dogsled       # Checks assignments with too many blank identifiers (e.g. x, _, _, _, := f()) [fast: true, auto-fix: false]
+    - durationcheck # check for two durations multiplied together [fast: false, auto-fix: false]
+    - errcheck      # Errcheck is a program for checking for unchecked errors in go programs. These unchecked errors can be critical bugs in some cases [fast: false, auto-fix: false]
+    - errchkjson    # Checks types passed to the json encoding functions. Reports unsupported types and optionally reports occations, where the check for the returned error can be omitted. [fast: false, auto-fix: false]
+    - exportloopref # checks for pointers to enclosing loop variables [fast: true, auto-fix: false]
+    - forbidigo     # Forbids identifiers [fast: true, auto-fix: false]
+    - funlen        # Tool for detection of long functions [fast: true, auto-fix: false]
+    - gocognit      # Computes and checks the cognitive complexity of functions [fast: true, auto-fix: false]
+    - goconst       # Finds repeated strings that could be replaced by a constant [fast: true, auto-fix: false]
+    - gocritic      # The most opinionated Go source code linter [fast: true, auto-fix: false]
+    - gocyclo       # Computes and checks the cyclomatic complexity of functions [fast: true, auto-fix: false]
+    - godox         # Tool for detection of FIXME, TODO and other comment keywords [fast: true, auto-fix: false]
+    - gofmt         # Gofmt checks whether code was gofmt-ed. By default this tool runs with -s option to check for code simplification [fast: true, auto-fix: true]
+    - gofumpt       # Gofumpt checks whether code was gofumpt-ed. [fast: true, auto-fix: true]
+    - goimports     # Goimports does everything that gofmt does. Additionally it checks unused imports [fast: true, auto-fix: true]
+    - gomnd         # An analyzer to detect magic numbers. [fast: true, auto-fix: false]
+    - gosec         # Inspects source code for security problems [fast: true, auto-fix: false]
+    - gosimple      # Linter for Go source code that specializes in simplifying a code [fast: true, auto-fix: false]
+    - govet         # Vet examines Go source code and reports suspicious constructs, such as Printf calls whose arguments do not align with the format string [fast: true, auto-fix: false]
+    - ineffassign   # Detects when assignments to existing variables are not used [fast: true, auto-fix: false]
+    - misspell      # Finds commonly misspelled English words in comments [fast: true, auto-fix: true]
+    - nakedret      # Finds naked returns in functions greater than a specified function length [fast: true, auto-fix: false]
+    - nilerr        # Finds the code that returns nil even if it checks that the error is not nil. [fast: false, auto-fix: false]
+    - nilnil        # Checks that there is no simultaneous return of `nil` error and an invalid value. [fast: false, auto-fix: false]
+    - noctx         # noctx finds sending http request without context.Context [fast: true, auto-fix: false]
+    - nolintlint    # Reports ill-formed or insufficient nolint directives [fast: true, auto-fix: false]
+    - revive        # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint. [fast: false, auto-fix: false]
+    - staticcheck   # Staticcheck is a go vet on steroids, applying a ton of static analysis checks [fast: true, auto-fix: false]
+    - stylecheck    # Stylecheck is a replacement for golint [fast: true, auto-fix: false]
+    - tenv          # tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17 [fast: false, auto-fix: false]
+    - typecheck     # Like the front-end of a Go compiler, parses and type-checks Go code [fast: true, auto-fix: false]
+    - unconvert     # Remove unnecessary type conversions [fast: true, auto-fix: false]
+    - unused        # Checks Go code for unused constants, variables, functions and types [fast: false, auto-fix: false]
+    - wastedassign  # wastedassign finds wasted assignment statements. [fast: false, auto-fix: false]
+    - wrapcheck     # Checks that errors returned from external packages are wrapped [fast: false, auto-fix: false]
+
+linters-settings:
+  funlen:
+    lines: 100
+    statements: 60
+
+  gocyclo:
+    # minimal code complexity to report, 30 by default (but we recommend 10-20)
+    min-complexity: 15
+
+  gomnd:
+    settings:
+      mnd:
+        ignored-functions: 'strconv.(?:Format|Parse)\B+'
+
+  revive:
+    rules:
+      #- name: add-constant           # Suggests using constant for magic numbers and string literals
+                                      # Opinion: Makes sense for strings, not for numbers but checks numbers
+      #- name: argument-limit         # Specifies the maximum number of arguments a function can receive | Opinion: Don't need this
+      - name: atomic                  # Check for common mistaken usages of the `sync/atomic` package
+      - name: banned-characters       # Checks banned characters in identifiers
+        arguments:
+          - ';' # Greek question mark
+      - name: bare-return             # Warns on bare returns
+      - name: blank-imports           # Disallows blank imports
+      - name: bool-literal-in-expr    # Suggests removing Boolean literals from logic expressions
+      - name: call-to-gc              # Warns on explicit call to the garbage collector
+      #- name: cognitive-complexity   # Sets restriction for maximum Cognitive complexity.
+                                      # There is a dedicated linter for this
+      - name: confusing-naming        # Warns on methods with names that differ only by capitalization
+      - name: confusing-results       # Suggests to name potentially confusing function results
+      - name: constant-logical-expr   # Warns on constant logical expressions
+      - name: context-as-argument     # `context.Context` should be the first argument of a function.
+      - name: context-keys-type       # Disallows the usage of basic types in `context.WithValue`.
+      #- name: cyclomatic             # Sets restriction for maximum Cyclomatic complexity.
+                                      # There is a dedicated linter for this
+      #- name: datarace               # Spots potential dataraces
+                                      # Is not (yet) available?
+      - name: deep-exit               # Looks for program exits in funcs other than `main()` or `init()`
+      - name: defer                   # Warns on some [defer gotchas](https://blog.learngoprogramming.com/5-gotchas-of-defer-in-go-golang-part-iii-36a1ab3d6ef1)
+      - name: dot-imports             # Forbids `.` imports.
+      - name: duplicated-imports      # Looks for packages that are imported two or more times
+      - name: early-return            # Spots if-then-else statements that can be refactored to simplify code reading
+      - name: empty-block             # Warns on empty code blocks
+      - name: empty-lines             # Warns when there are heading or trailing newlines in a block
+      - name: errorf                  # Should replace `errors.New(fmt.Sprintf())` with `fmt.Errorf()`
+      - name: error-naming            # Naming of error variables.
+      - name: error-return            # The error return parameter should be last.
+      - name: error-strings           # Conventions around error strings.
+      - name: exported                # Naming and commenting conventions on exported symbols.
+        arguments: ['sayRepetitiveInsteadOfStutters']
+      #- name: file-header            # Header which each file should have.
+                                      # Useless without config, have no config for it
+      - name: flag-parameter          # Warns on boolean parameters that create a control coupling
+      #- name: function-length        # Warns on functions exceeding the statements or lines max
+                                      # There is a dedicated linter for this
+      #- name: function-result-limit  # Specifies the maximum number of results a function can return
+                                      # Opinion: Don't need this
+      - name: get-return              # Warns on getters that do not yield any result
+      - name: identical-branches      # Spots if-then-else statements with identical `then` and `else` branches
+      - name: if-return               # Redundant if when returning an error.
+      #- name: imports-blacklist      # Disallows importing the specified packages
+                                      # Useless without config, have no config for it
+      - name: import-shadowing        # Spots identifiers that shadow an import
+      - name: increment-decrement     # Use `i++` and `i--` instead of `i += 1` and `i -= 1`.
+      - name: indent-error-flow       # Prevents redundant else statements.
+      #- name: line-length-limit      # Specifies the maximum number of characters in a lined
+                                      # There is a dedicated linter for this
+      #- name: max-public-structs     # The maximum number of public structs in a file.
+                                      # Opinion: Don't need this
+      - name: modifies-parameter      # Warns on assignments to function parameters
+      - name: modifies-value-receiver # Warns on assignments to value-passed method receivers
+      #- name: nested-structs         # Warns on structs within structs
+                                      # Opinion: Don't need this
+      - name: optimize-operands-order # Checks inefficient conditional expressions
+      #- name: package-comments       # Package commenting conventions.
+                                      # Opinion: Don't need this
+      - name: range                   # Prevents redundant variables when iterating over a collection.
+      - name: range-val-address       # Warns if address of range value is used dangerously
+      - name: range-val-in-closure    # Warns if range value is used in a closure dispatched as goroutine
+      - name: receiver-naming         # Conventions around the naming of receivers.
+      - name: redefines-builtin-id    # Warns on redefinitions of builtin identifiers
+      #- name: string-format          # Warns on specific string literals that fail one or more user-configured regular expressions
+                                      # Useless without config, have no config for it
+      - name: string-of-int           # Warns on suspicious casts from int to string
+      - name: struct-tag              # Checks common struct tags like `json`,`xml`,`yaml`
+      - name: superfluous-else        # Prevents redundant else statements (extends indent-error-flow)
+      - name: time-equal              # Suggests to use `time.Time.Equal` instead of `==` and `!=` for equality check time.
+      - name: time-naming             # Conventions around the naming of time variables.
+      - name: unconditional-recursion # Warns on function calls that will lead to (direct) infinite recursion
+      - name: unexported-naming       # Warns on wrongly named un-exported symbols
+      - name: unexported-return       # Warns when a public return is from unexported type.
+      - name: unhandled-error         # Warns on unhandled errors returned by funcion calls
+        arguments:
+          - "fmt.(Fp|P)rint(f|ln|)"
+      - name: unnecessary-stmt        # Suggests removing or simplifying unnecessary statements
+      - name: unreachable-code        # Warns on unreachable code
+      - name: unused-parameter        # Suggests to rename or remove unused function parameters
+      - name: unused-receiver         # Suggests to rename or remove unused method receivers
+      #- name: use-any                # Proposes to replace `interface{}` with its alias `any`
+                                      # Is not (yet) available?
+      - name: useless-break           # Warns on useless `break` statements in case clauses
+      - name: var-declaration         # Reduces redundancies around variable declaration.
+      - name: var-naming              # Naming rules.
+      - name: waitgroup-by-value      # Warns on functions taking sync.WaitGroup as a by-value parameter
+
+...

examples_test.go

@@ -2,6 +2,7 @@ package openssl
 
 import "fmt"
 
+// #nosec G101 -- Contains harcoded test passphrase
 func ExampleOpenSSL_EncryptBytes() {
 	plaintext := "Hello World!"
 	passphrase := "z4yH36a6zerhfE5427ZV"
@@ -16,6 +17,7 @@ func ExampleOpenSSL_EncryptBytes() {
 	fmt.Printf("Encrypted text: %s\n", string(enc))
 }
 
+// #nosec G101 -- Contains harcoded test passphrase
 func ExampleOpenSSL_DecryptBytes() {
 	opensslEncrypted := "U2FsdGVkX19ZM5qQJGe/d5A/4pccgH+arBGTp+QnWPU="
 	passphrase := "z4yH36a6zerhfE5427ZV"

keys.go

@@ -1,33 +1,58 @@
 package openssl
 
 import (
-	"crypto/md5"
+	"crypto/md5"  //#nosec G501 -- Used for OpenSSL compatibility in old KDF
-	"crypto/sha1"
+	"crypto/sha1" //#nosec G505 -- Used for OpenSSL compatibility in old KDF
 	"crypto/sha256"
 	"crypto/sha512"
+	"fmt"
 	"hash"
 
 	"golang.org/x/crypto/pbkdf2"
 )
 
+// DefaultPBKDF2Iterations specifies the number of iterations to use
+// in PBKDF2 key generation. This is taken from the `openssl enc`
+// commands default.
+//
+// Taken from OpenSSL v3.1.2:
+// `openssl enc --help |& grep -A1 iter`
 const DefaultPBKDF2Iterations = 10000
 
+const (
+	opensslKeyLength = 32
+	opensslIVLength  = 16
+)
+
 // CredsGenerator are functions to derive a key and iv from a password and a salt
 type CredsGenerator func(password, salt []byte) (Creds, error)
 
 var (
-	BytesToKeyMD5    = NewBytesToKeyGenerator(md5.New)
+	// BytesToKeyMD5 utilizes MD5 key-derivation (`-md md5`)
-	BytesToKeySHA1   = NewBytesToKeyGenerator(sha1.New)
+	BytesToKeyMD5 = NewBytesToKeyGenerator(md5.New)
+	// BytesToKeySHA1 utilizes SHA1 key-derivation (`-md sha1`)
+	BytesToKeySHA1 = NewBytesToKeyGenerator(sha1.New)
+	// BytesToKeySHA256 utilizes SHA256 key-derivation (`-md sha256`)
 	BytesToKeySHA256 = NewBytesToKeyGenerator(sha256.New)
+	// BytesToKeySHA384 utilizes SHA384 key-derivation (`-md sha384`)
 	BytesToKeySHA384 = NewBytesToKeyGenerator(sha512.New384)
+	// BytesToKeySHA512 utilizes SHA512 key-derivation (`-md sha512`)
 	BytesToKeySHA512 = NewBytesToKeyGenerator(sha512.New)
-	PBKDF2MD5        = NewPBKDF2Generator(md5.New, DefaultPBKDF2Iterations)
+	// PBKDF2MD5 utilizes PBKDF2 key derivation with MD5 hashing (`-pbkdf2 -md md5`)
-	PBKDF2SHA1       = NewPBKDF2Generator(sha1.New, DefaultPBKDF2Iterations)
+	PBKDF2MD5 = NewPBKDF2Generator(md5.New, DefaultPBKDF2Iterations)
-	PBKDF2SHA256     = NewPBKDF2Generator(sha256.New, DefaultPBKDF2Iterations)
+	// PBKDF2SHA1 utilizes PBKDF2 key derivation with SHA1 hashing (`-pbkdf2 -md sha1`)
-	PBKDF2SHA384     = NewPBKDF2Generator(sha512.New384, DefaultPBKDF2Iterations)
+	PBKDF2SHA1 = NewPBKDF2Generator(sha1.New, DefaultPBKDF2Iterations)
-	PBKDF2SHA512     = NewPBKDF2Generator(sha512.New, DefaultPBKDF2Iterations)
+	// PBKDF2SHA256 utilizes PBKDF2 key derivation with SHA256 hashing (`-pbkdf2 -md sha256`)
+	PBKDF2SHA256 = NewPBKDF2Generator(sha256.New, DefaultPBKDF2Iterations)
+	// PBKDF2SHA384 utilizes PBKDF2 key derivation with SHA384 hashing (`-pbkdf2 -md sha384`)
+	PBKDF2SHA384 = NewPBKDF2Generator(sha512.New384, DefaultPBKDF2Iterations)
+	// PBKDF2SHA512 utilizes PBKDF2 key derivation with SHA512 hashing (`-pbkdf2 -md sha512`)
+	PBKDF2SHA512 = NewPBKDF2Generator(sha512.New, DefaultPBKDF2Iterations)
 )
 
+// NewBytesToKeyGenerator implements the openSSLEvpBytesToKey key
+// derivation functions described in the OpenSSL code as follows:
+//
 // openSSLEvpBytesToKey follows the OpenSSL (undocumented?) convention for extracting the key and IV from passphrase.
 // It uses the EVP_BytesToKey() method which is basically:
 // D_i = HASH^count(D_(i-1) || password || salt) where || denotes concatentaion, until there are sufficient bytes available
@@ -35,14 +60,16 @@ var (
 func NewBytesToKeyGenerator(hashFunc func() hash.Hash) CredsGenerator {
 	df := func(in []byte) []byte {
 		h := hashFunc()
-		h.Write(in)
+		if _, err := h.Write(in); err != nil {
+			panic(fmt.Errorf("writing to hash: %w", err))
+		}
 		return h.Sum(nil)
 	}
 
 	return func(password, salt []byte) (Creds, error) {
 		var m []byte
 		prev := []byte{}
-		for len(m) < 48 {
+		for len(m) < opensslKeyLength+opensslIVLength {
 			a := make([]byte, len(prev)+len(password)+len(salt))
 			copy(a, prev)
 			copy(a[len(prev):], password)
@@ -51,13 +78,15 @@ func NewBytesToKeyGenerator(hashFunc func() hash.Hash) CredsGenerator {
 			prev = df(a)
 			m = append(m, prev...)
 		}
-		return Creds{Key: m[:32], IV: m[32:48]}, nil
+		return Creds{Key: m[:opensslKeyLength], IV: m[opensslKeyLength : opensslKeyLength+opensslIVLength]}, nil
 	}
 }
 
+// NewPBKDF2Generator implements a credential generator compatible
+// with the OpenSSL `-pbkdf2` parameter
 func NewPBKDF2Generator(hashFunc func() hash.Hash, iterations int) CredsGenerator {
 	return func(password, salt []byte) (Creds, error) {
-		m := pbkdf2.Key(password, salt, iterations, 32+16, hashFunc)
+		m := pbkdf2.Key(password, salt, iterations, opensslKeyLength+opensslIVLength, hashFunc)
-		return Creds{Key: m[:32], IV: m[32:48]}, nil
+		return Creds{Key: m[:opensslKeyLength], IV: m[opensslKeyLength : opensslKeyLength+opensslIVLength]}, nil
 	}
 }

openssl.go

@@ -1,3 +1,5 @@
+// Package openssl contains a pure Go implementation of an OpenSSL
+// compatible encryption / decryption
 package openssl
 
 import (
@@ -11,6 +13,8 @@ import (
 	"io"
 )
 
+const opensslSaltLength = 8
+
 // ErrInvalidSalt is returned when a salt with a length of != 8 byte is passed
 var ErrInvalidSalt = errors.New("salt needs to have exactly 8 byte")
 
@@ -68,7 +72,7 @@ func (o OpenSSL) DecryptBytes(passphrase string, encryptedBase64Data []byte, cg
 	data := make([]byte, base64.StdEncoding.DecodedLen(len(encryptedBase64Data)))
 	n, err := base64.StdEncoding.Decode(data, encryptedBase64Data)
 	if err != nil {
-		return nil, fmt.Errorf("could not decode data: %s", err)
+		return nil, fmt.Errorf("decoding data: %w", err)
 	}
 
 	// Truncate to real message length
@@ -89,7 +93,7 @@ func (o OpenSSL) DecryptBytes(passphrase string, encryptedBase64Data []byte, cg
 // condition and you will not be able to decrypt your data properly.
 func (o OpenSSL) DecryptBinaryBytes(passphrase string, encryptedData []byte, cg CredsGenerator) ([]byte, error) {
 	if len(encryptedData) < aes.BlockSize {
-		return nil, fmt.Errorf("data is too short")
+		return nil, fmt.Errorf("data too short")
 	}
 	saltHeader := encryptedData[:aes.BlockSize]
 	if string(saltHeader[:8]) != o.openSSLSaltHeader {
@@ -110,7 +114,7 @@ func (o OpenSSL) decrypt(key, iv, data []byte) ([]byte, error) {
 	}
 	c, err := aes.NewCipher(key)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("creating AES cipher: %w", err)
 	}
 	cbc := cipher.NewCBCDecrypter(c, iv)
 	cbc.CryptBlocks(data[aes.BlockSize:], data[aes.BlockSize:])
@@ -174,7 +178,7 @@ func (o OpenSSL) encrypt(key, iv, data []byte) ([]byte, error) {
 
 	c, err := aes.NewCipher(key)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("creating AES cipher: %w", err)
 	}
 	cbc := cipher.NewCBCEncrypter(c, iv)
 	cbc.CryptBlocks(padded[aes.BlockSize:], padded[aes.BlockSize:])
@@ -195,13 +199,13 @@ func (o OpenSSL) encrypt(key, iv, data []byte) ([]byte, error) {
 // If you don't have a good reason to use this, please don't! For more information
 // see this: https://en.wikipedia.org/wiki/Salt_(cryptography)#Common_mistakes
 func (o OpenSSL) EncryptBinaryBytesWithSaltAndDigestFunc(passphrase string, salt, plainData []byte, cg CredsGenerator) ([]byte, error) {
-	if len(salt) != 8 {
+	if len(salt) != opensslSaltLength {
 		return nil, ErrInvalidSalt
 	}
 
 	data := make([]byte, len(plainData)+aes.BlockSize)
 	copy(data[0:], o.openSSLSaltHeader)
-	copy(data[8:], salt)
+	copy(data[len(o.openSSLSaltHeader):], salt)
 	copy(data[aes.BlockSize:], plainData)
 
 	creds, err := cg([]byte(passphrase), salt)
@@ -218,11 +222,11 @@ func (o OpenSSL) EncryptBinaryBytesWithSaltAndDigestFunc(passphrase string, salt
 }
 
 // GenerateSalt generates a random 8 byte salt
-func (o OpenSSL) GenerateSalt() ([]byte, error) {
+func (OpenSSL) GenerateSalt() ([]byte, error) {
-	salt := make([]byte, 8) // Generate an 8 byte salt
+	salt := make([]byte, opensslSaltLength) // Generate an 8 byte salt
 	_, err := io.ReadFull(rand.Reader, salt)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("reading random salt: %w", err)
 	}
 
 	return salt, nil
@@ -239,7 +243,7 @@ func (o OpenSSL) MustGenerateSalt() []byte {
 }
 
 // pkcs7Pad appends padding.
-func (o OpenSSL) pkcs7Pad(data []byte, blocklen int) ([]byte, error) {
+func (OpenSSL) pkcs7Pad(data []byte, blocklen int) ([]byte, error) {
 	if blocklen <= 0 {
 		return nil, fmt.Errorf("invalid blocklen %d", blocklen)
 	}
@@ -253,7 +257,7 @@ func (o OpenSSL) pkcs7Pad(data []byte, blocklen int) ([]byte, error) {
 }
 
 // pkcs7Unpad returns slice of the original data without padding.
-func (o OpenSSL) pkcs7Unpad(data []byte, blocklen int) ([]byte, error) {
+func (OpenSSL) pkcs7Unpad(data []byte, blocklen int) ([]byte, error) {
 	if blocklen <= 0 {
 		return nil, fmt.Errorf("invalid blocklen %d", blocklen)
 	}

openssl_test.go

@@ -6,6 +6,14 @@ import (
 	"os/exec"
 	"strings"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+const (
+	testPassphrase = "z4yH36a6zerhfE5427ZV" //#nosec G101 -- Is hardcoded passphrase but only for testing purposes
+	testPlaintext  = "hallowelt"
 )
 
 var testTable = []struct {
@@ -27,72 +35,48 @@ var testTable = []struct {
 }
 
 func TestBinaryEncryptToDecryptWithCustomSalt(t *testing.T) {
-	plaintext := "hallowelt"
-	passphrase := "z4yH36a6zerhfE5427ZV"
 	salt := []byte("saltsalt")
 
 	o := New()
 
-	enc, err := o.EncryptBinaryBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintext), BytesToKeySHA256)
+	enc, err := o.EncryptBinaryBytesWithSaltAndDigestFunc(testPassphrase, salt, []byte(testPlaintext), BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at encrypt: %s", err)
-	}
 
-	dec, err := o.DecryptBinaryBytes(passphrase, enc, BytesToKeySHA256)
+	dec, err := o.DecryptBinaryBytes(testPassphrase, enc, BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at decrypt: %s", err)
-	}
 
-	if string(dec) != plaintext {
+	assert.Equal(t, testPlaintext, string(dec))
-		t.Errorf("Decrypted text did not match input.")
-	}
 }
 
 func TestBinaryEncryptToDecrypt(t *testing.T) {
-	plaintext := "hallowelt"
-	passphrase := "z4yH36a6zerhfE5427ZV"
-
 	o := New()
 
-	enc, err := o.EncryptBinaryBytes(passphrase, []byte(plaintext), BytesToKeySHA256)
+	enc, err := o.EncryptBinaryBytes(testPassphrase, []byte(testPlaintext), BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at encrypt: %s", err)
-	}
 
-	dec, err := o.DecryptBinaryBytes(passphrase, enc, BytesToKeySHA256)
+	dec, err := o.DecryptBinaryBytes(testPassphrase, enc, BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at decrypt: %s", err)
-	}
 
-	if string(dec) != plaintext {
+	assert.Equal(t, testPlaintext, string(dec))
-		t.Errorf("Decrypted text did not match input.")
-	}
 }
 
 func TestBinaryEncryptToOpenSSL(t *testing.T) {
-	plaintext := "hallowelt"
-	passphrase := "z4yH36a6zerhfE5427ZV"
-
 	o := New()
 
 	for _, tc := range testTable {
 		t.Run(tc.tName, func(t *testing.T) {
 			salt, err := o.GenerateSalt()
-			if err != nil {
+			require.NoError(t, err)
-				t.Fatalf("Failed to generate salt: %v", err)
-			}
 
-			enc, err := o.EncryptBinaryBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintext), tc.tMdFunc)
+			enc, err := o.EncryptBinaryBytesWithSaltAndDigestFunc(testPassphrase, salt, []byte(testPlaintext), tc.tMdFunc)
-			if err != nil {
+			require.NoError(t, err)
-				t.Fatalf("Test errored at encrypt: %v", err)
-			}
 
 			// Need to specify /dev/stdin as file so that we can pass in binary
 			// data to openssl without creating a file
 			cmdArgs := []string{
 				"openssl", "aes-256-cbc",
 				"-d",
-				"-pass", fmt.Sprintf("pass:%s", passphrase),
+				"-pass", fmt.Sprintf("pass:%s", testPassphrase),
 				"-md", tc.tMdParam,
 				"-in", "/dev/stdin",
 			}
@@ -101,20 +85,16 @@ func TestBinaryEncryptToOpenSSL(t *testing.T) {
 				cmdArgs = append(cmdArgs, "-pbkdf2")
 			}
 
-			cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...)
+			cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...) //#nosec:G204 -- Hardcoded tests, this is fine
 
 			var out bytes.Buffer
 			cmd.Stdout = &out
 			cmd.Stdin = bytes.NewBuffer(enc)
 
 			err = cmd.Run()
-			if err != nil {
+			require.NoError(t, err)
-				t.Errorf("OpenSSL errored: %v", err)
-			}
 
-			if out.String() != plaintext {
+			assert.Equal(t, testPlaintext, out.String())
-				t.Errorf("OpenSSL output did not match input.\nOutput was: %s", out.String())
-			}
 		})
 	}
 }
@@ -127,24 +107,15 @@ func TestBinaryEncryptWithSaltShouldHaveSameOutput(t *testing.T) {
 	o := New()
 
 	enc1, err := o.EncryptBinaryBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintext), BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at encrypt: %s", err)
-	}
 
 	enc2, err := o.EncryptBinaryBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintext), BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at encrypt: %s", err)
-	}
 
-	if string(enc1) != string(enc2) {
+	assert.Equal(t, enc1, enc2)
-		t.Errorf("Encrypted outputs are not same.")
-	}
 }
 
 func TestDecryptBinaryFromString(t *testing.T) {
-	plaintext := "hallowelt"
-	passphrase := "z4yH36a6zerhfE5427ZV"
-
 	o := New()
 
 	for _, tc := range testTable {
@@ -153,7 +124,7 @@ func TestDecryptBinaryFromString(t *testing.T) {
 
 			cmdArgs := []string{
 				"openssl", "aes-256-cbc",
-				"-pass", fmt.Sprintf("pass:%s", passphrase),
+				"-pass", fmt.Sprintf("pass:%s", testPassphrase),
 				"-md", tc.tMdParam,
 				"-in", "/dev/stdin",
 			}
@@ -162,31 +133,23 @@ func TestDecryptBinaryFromString(t *testing.T) {
 				cmdArgs = append(cmdArgs, "-pbkdf2")
 			}
 
-			cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...)
+			cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...) //#nosec:G204 -- Hardcoded tests, this is fine
 			cmd.Stdout = &out
-			cmd.Stdin = strings.NewReader(plaintext)
+			cmd.Stdin = strings.NewReader(testPlaintext)
 
-			if err := cmd.Run(); err != nil {
+			require.NoError(t, cmd.Run())
-				t.Fatalf("Running openssl CLI failed: %v", err)
-			}
 
-			data, err := o.DecryptBinaryBytes(passphrase, out.Bytes(), tc.tMdFunc)
+			data, err := o.DecryptBinaryBytes(testPassphrase, out.Bytes(), tc.tMdFunc)
-			if err != nil {
+			require.NoError(t, err)
-				t.Fatalf("Decryption failed: %v", err)
-			}
 
-			if string(data) != plaintext {
+			if !assert.Equal(t, testPlaintext, string(data)) {
-				t.Logf("Data: %s\nPlaintext: %s", string(data), plaintext)
+				t.Logf("Data: %s\nPlaintext: %s", string(data), testPlaintext)
-				t.Errorf("Decryption output did not equal expected output.")
 			}
 		})
 	}
 }
 
 func TestDecryptFromString(t *testing.T) {
-	plaintext := "hallowelt"
-	passphrase := "z4yH36a6zerhfE5427ZV"
-
 	o := New()
 
 	for _, tc := range testTable {
@@ -196,7 +159,7 @@ func TestDecryptFromString(t *testing.T) {
 			cmdArgs := []string{
 				"openssl", "aes-256-cbc",
 				"-base64",
-				"-pass", fmt.Sprintf("pass:%s", passphrase),
+				"-pass", fmt.Sprintf("pass:%s", testPassphrase),
 				"-md", tc.tMdParam,
 			}
 
@@ -204,87 +167,58 @@ func TestDecryptFromString(t *testing.T) {
 				cmdArgs = append(cmdArgs, "-pbkdf2")
 			}
 
-			cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...)
+			cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...) //#nosec:G204 -- Hardcoded tests, this is fine
 			cmd.Stdout = &out
-			cmd.Stdin = strings.NewReader(plaintext)
+			cmd.Stdin = strings.NewReader(testPlaintext)
 
-			if err := cmd.Run(); err != nil {
+			require.NoError(t, cmd.Run())
-				t.Fatalf("Running openssl CLI failed: %v", err)
-			}
 
-			data, err := o.DecryptBytes(passphrase, out.Bytes(), tc.tMdFunc)
+			data, err := o.DecryptBytes(testPassphrase, out.Bytes(), tc.tMdFunc)
-			if err != nil {
+			require.NoError(t, err)
-				t.Fatalf("Decryption failed: %v", err)
-			}
 
-			if string(data) != plaintext {
+			if !assert.Equal(t, testPlaintext, string(data)) {
-				t.Logf("Data: %s\nPlaintext: %s", string(data), plaintext)
+				t.Logf("Data: %s\nPlaintext: %s", string(data), testPlaintext)
-				t.Errorf("Decryption output did not equal expected output.")
 			}
 		})
 	}
 }
 
 func TestEncryptToDecrypt(t *testing.T) {
-	plaintext := "hallowelt"
-	passphrase := "z4yH36a6zerhfE5427ZV"
-
 	o := New()
 
-	enc, err := o.EncryptBytes(passphrase, []byte(plaintext), BytesToKeySHA256)
+	enc, err := o.EncryptBytes(testPassphrase, []byte(testPlaintext), BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at encrypt: %s", err)
-	}
 
-	dec, err := o.DecryptBytes(passphrase, enc, BytesToKeySHA256)
+	dec, err := o.DecryptBytes(testPassphrase, enc, BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at decrypt: %s", err)
-	}
 
-	if string(dec) != plaintext {
+	assert.Equal(t, testPlaintext, string(dec))
-		t.Errorf("Decrypted text did not match input.")
-	}
 }
 
 func TestEncryptToDecryptWithCustomSalt(t *testing.T) {
-	plaintext := "hallowelt"
-	passphrase := "z4yH36a6zerhfE5427ZV"
 	salt := []byte("saltsalt")
 
 	o := New()
 
-	enc, err := o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintext), BytesToKeySHA256)
+	enc, err := o.EncryptBytesWithSaltAndDigestFunc(testPassphrase, salt, []byte(testPlaintext), BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at encrypt: %s", err)
-	}
 
-	dec, err := o.DecryptBytes(passphrase, enc, BytesToKeySHA256)
+	dec, err := o.DecryptBytes(testPassphrase, enc, BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at decrypt: %s", err)
-	}
 
-	if string(dec) != plaintext {
+	assert.Equal(t, testPlaintext, string(dec))
-		t.Errorf("Decrypted text did not match input.")
-	}
 }
 
 func TestEncryptToOpenSSL(t *testing.T) {
-	plaintext := "hallowelt"
-	passphrase := "z4yH36a6zerhfE5427ZV"
-
 	for _, tc := range testTable {
 		t.Run(tc.tName, func(t *testing.T) {
 			o := New()
 
 			salt, err := o.GenerateSalt()
-			if err != nil {
+			require.NoError(t, err)
-				t.Fatalf("Failed to generate salt: %s", err)
-			}
 
-			enc, err := o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintext), tc.tMdFunc)
+			enc, err := o.EncryptBytesWithSaltAndDigestFunc(testPassphrase, salt, []byte(testPlaintext), tc.tMdFunc)
-			if err != nil {
+			require.NoError(t, err)
-				t.Fatalf("Test errored at encrypt (%s): %s", tc.tMdParam, err)
-			}
 
 			enc = append(enc, '\n')
 
@@ -293,7 +227,7 @@ func TestEncryptToOpenSSL(t *testing.T) {
 			cmdArgs := []string{
 				"openssl", "aes-256-cbc",
 				"-base64", "-d",
-				"-pass", fmt.Sprintf("pass:%s", passphrase),
+				"-pass", fmt.Sprintf("pass:%s", testPassphrase),
 				"-md", tc.tMdParam,
 				"-in", "/dev/stdin",
 			}
@@ -302,18 +236,13 @@ func TestEncryptToOpenSSL(t *testing.T) {
 				cmdArgs = append(cmdArgs, "-pbkdf2")
 			}
 
-			cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...)
+			cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...) //#nosec:G204 -- Hardcoded tests, this is fine
 			cmd.Stdout = &out
 			cmd.Stdin = bytes.NewReader(enc)
 
-			err = cmd.Run()
+			require.NoError(t, cmd.Run())
-			if err != nil {
-				t.Errorf("OpenSSL errored (%s): %s", tc.tMdParam, err)
-			}
 
-			if out.String() != plaintext {
+			assert.Equal(t, testPlaintext, out.String())
-				t.Errorf("OpenSSL output did not match input.\nOutput was (%s): %s", tc.tMdParam, out.String())
-			}
 		})
 	}
 }
@@ -326,18 +255,12 @@ func TestEncryptWithSaltShouldHaveSameOutput(t *testing.T) {
 	o := New()
 
 	enc1, err := o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintext), BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at encrypt: %s", err)
-	}
 
 	enc2, err := o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintext), BytesToKeySHA256)
-	if err != nil {
+	require.NoError(t, err)
-		t.Fatalf("Test errored at encrypt: %s", err)
-	}
 
-	if string(enc1) != string(enc2) {
+	assert.Equal(t, enc1, enc2)
-		t.Errorf("Encrypted outputs are not same.")
-	}
 }
 
 func TestGenerateSalt(t *testing.T) {
@@ -347,36 +270,27 @@ func TestGenerateSalt(t *testing.T) {
 
 	for i := 0; i < 1000; i++ {
 		salt, err := o.GenerateSalt()
-		if err != nil {
+		require.NoError(t, err)
-			t.Fatalf("Failed to generate salt: %s", err)
-		}
 
 		for _, ks := range knownSalts {
-			if bytes.Equal(ks, salt) {
+			assert.NotEqual(t, ks, salt)
-				t.Errorf("Duplicate salt detected")
-			}
 			knownSalts = append(knownSalts, salt)
 		}
 	}
 }
 
 func TestSaltValidation(t *testing.T) {
-	plaintext := "hallowelt"
+	var err error
-	passphrase := "z4yH36a6zerhfE5427ZV"
-
 	o := New()
 
-	if _, err := o.EncryptBytesWithSaltAndDigestFunc(passphrase, []byte("12345"), []byte(plaintext), BytesToKeySHA256); err != ErrInvalidSalt {
+	_, err = o.EncryptBytesWithSaltAndDigestFunc(testPassphrase, []byte("12345"), []byte(testPlaintext), BytesToKeySHA256)
-		t.Errorf("5-character salt was accepted, needs to have 8 character")
+	assert.ErrorIs(t, err, ErrInvalidSalt)
-	}
 
-	if _, err := o.EncryptBytesWithSaltAndDigestFunc(passphrase, []byte("1234567890"), []byte(plaintext), BytesToKeySHA256); err != ErrInvalidSalt {
+	_, err = o.EncryptBytesWithSaltAndDigestFunc(testPassphrase, []byte("1234567890"), []byte(testPlaintext), BytesToKeySHA256)
-		t.Errorf("10-character salt was accepted, needs to have 8 character")
+	assert.ErrorIs(t, err, ErrInvalidSalt)
-	}
 
-	if _, err := o.EncryptBytesWithSaltAndDigestFunc(passphrase, []byte{0xcb, 0xd5, 0x1a, 0x3, 0x84, 0xba, 0xa8, 0xc8}, []byte(plaintext), BytesToKeySHA256); err == ErrInvalidSalt {
+	_, err = o.EncryptBytesWithSaltAndDigestFunc(testPassphrase, []byte{0xcb, 0xd5, 0x1a, 0x3, 0x84, 0xba, 0xa8, 0xc8}, []byte(testPlaintext), BytesToKeySHA256)
-		t.Errorf("Salt with 8 byte unprintable characters was not accepted")
+	assert.NoError(t, err)
-	}
 }
 
 //
@@ -384,11 +298,11 @@ func TestSaltValidation(t *testing.T) {
 //
 
 func benchmarkDecrypt(ciphertext []byte, cg CredsGenerator, b *testing.B) {
-	passphrase := "z4yH36a6zerhfE5427ZV"
 	o := New()
 
 	for n := 0; n < b.N; n++ {
-		o.DecryptBytes(passphrase, ciphertext, cg)
+		_, err := o.DecryptBytes(testPassphrase, ciphertext, cg)
+		require.NoError(b, err)
 	}
 }
 
@@ -405,30 +319,31 @@ func BenchmarkDecryptSHA256(b *testing.B) {
 }
 
 func benchmarkEncrypt(plaintext string, cg CredsGenerator, b *testing.B) {
-	passphrase := "z4yH36a6zerhfE5427ZV"
 	o := New()
 	salt, _ := o.GenerateSalt()
 
 	for n := 0; n < b.N; n++ {
-		o.EncryptBytesWithSaltAndDigestFunc(passphrase, salt, []byte(plaintext), cg)
+		_, err := o.EncryptBytesWithSaltAndDigestFunc(testPassphrase, salt, []byte(plaintext), cg)
+		require.NoError(b, err)
 	}
 }
 
 func BenchmarkEncryptMD5(b *testing.B) {
-	benchmarkEncrypt("hallowelt", BytesToKeyMD5, b)
+	benchmarkEncrypt(testPlaintext, BytesToKeyMD5, b)
 }
 
 func BenchmarkEncryptSHA1(b *testing.B) {
-	benchmarkEncrypt("hallowelt", BytesToKeySHA1, b)
+	benchmarkEncrypt(testPlaintext, BytesToKeySHA1, b)
 }
 
 func BenchmarkEncryptSHA256(b *testing.B) {
-	benchmarkEncrypt("hallowelt", BytesToKeySHA256, b)
+	benchmarkEncrypt(testPlaintext, BytesToKeySHA256, b)
 }
 
 func BenchmarkGenerateSalt(b *testing.B) {
 	o := New()
 	for n := 0; n < b.N; n++ {
-		o.GenerateSalt()
+		_, err := o.GenerateSalt()
+		require.NoError(b, err)
 	}
 }

stream.go

@@ -187,7 +187,7 @@ func (e *EncryptWriter) initMode() error {
 		return nil
 	}
 
-	salt := make([]byte, 8) // Generate an 8 byte salt
+	salt := make([]byte, opensslSaltLength) // Generate an 8 byte salt
 	_, err := io.ReadFull(rand.Reader, salt)
 	if err != nil {
 		return fmt.Errorf("read salt failed: %w", err)