I'm seeing strange behaviour where I should get an error back from a function, but I get nil instead.
The following code block contains 2 encrypt functions using cypher/aes. The only difference is the first 1/2 lines of each function. In encrypt2, I've combined the assignment of the first line of encrypt1 into the conditional.
package main
import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"fmt"
"io"
)
func main() {
invalidKey := []byte("TCbKgXZsT")
plaintext := []byte("dummycontenttoenctrypt")
fmt.Println(encrypt1(plaintext, invalidKey))
fmt.Println(encrypt2(plaintext, invalidKey))
}
func encrypt1(plaintext []byte, key []byte) (encrypted []byte, err error) {
c, err := aes.NewCipher(key)
if err == nil {
if gcm, err := cipher.NewGCM(c); err == nil {
nonce := make([]byte, gcm.NonceSize())
if _, err = io.ReadFull(rand.Reader, nonce); err == nil {
return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
}
}
return nil, err
}
func encrypt2(plaintext []byte, key []byte) (encrypted []byte, err error) {
if c, err := aes.NewCipher(key); err == nil {
if gcm, err := cipher.NewGCM(c); err == nil {
nonce := make([]byte, gcm.NonceSize())
if _, err = io.ReadFull(rand.Reader, nonce); err == nil {
return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
}
}
return nil, err
}
I expected the same behaviour from these functions, as the logic is the same. However, calling encrypt1 returns an error (correct), while encrypt2 does not return the error (returns just nil).
I have used named arguments, so err is declared at the start of the function and should be populated by the first error in both functions.
Anything I'm doing wrong here?
This is to do with scoping rules, here is a simplified example:
https://play.golang.org/p/1dCaUB948p
func encrypt2(plaintext []byte, key []byte) (encrypted []byte, err error) {
if _, err := returnErr(); err == nil {
fmt.Println("inner loop")
}
return nil, err
}
If you remove the named arguments, it won't compile, which gives a hint of the problem - the err declared in your if statement does not affect the outer scope, it is only valid within the if statement. If you remove the := assignment, you'll see what you expect.
In go a more verbose version which returns on error is usually preferred, rather than lots of nested if statements, so that you can return specific errors and the flow of logic is clear. It's easy if nesting to forget scope or which variables are assigned when, whereas if you adopt this return on error style the reader knows at any given point no errors have been encountered. You don't have to annotate errors where the original error is self-evident of course, you could just return nil,err.
func encrypt3(plaintext []byte, key []byte) ([]byte, error) {
c, err := aes.NewCipher(key)
if err != nil {
return nil, fmt.Errorf("encrypt: invalid key :%s", err)
}
gcm, err := cipher.NewGCM(c)
if err != nil {
return nil, fmt.Errorf("encrypt: error creating cipher :%s", err)
}
nonce := make([]byte, gcm.NonceSize())
_, err = io.ReadFull(rand.Reader, nonce)
if err != nil {
return nil, fmt.Errorf("encrypt: error creating nonce :%s", err)
}
return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
If you're doing aes encryption in Go, a good ref is this code and video by George Tankersley.