ssh: don't assume packet plaintext size

When reading GCM and ChaChaPoly1305 packets, don't make assumptions
about the size of the enciphered plaintext. This fixes two panics
caused by standards non-compliant malformed packets.

Thanks to Rod Hynes, Psiphon Inc. for reporting this issue.

Fixes golang/go#49932
Fixes CVE-2021-43565

Change-Id: I660cff39d197e0d04ec44d11d792b22d954df2ef
Reviewed-by: Katie Hockman <>
Reviewed-by: Julie Qiu <>
Trust: Roland Shoemaker <>
Trust: Katie Hockman <>
Run-TryBot: Roland Shoemaker <>
TryBot-Result: Gopher Robot <>
Reviewed-by: Julie Qiu <>
Reviewed-by: Katie Hockman <>
2 files changed
tree: 75fd3358961f563865bd18f66c721ede33ddf587
  1. acme/
  2. argon2/
  3. bcrypt/
  4. blake2b/
  5. blake2s/
  6. blowfish/
  7. bn256/
  8. cast5/
  9. chacha20/
  10. chacha20poly1305/
  11. cryptobyte/
  12. curve25519/
  13. ed25519/
  14. hkdf/
  15. internal/
  16. md4/
  17. nacl/
  18. ocsp/
  19. openpgp/
  20. otr/
  21. pbkdf2/
  22. pkcs12/
  23. poly1305/
  24. ripemd160/
  25. salsa20/
  26. scrypt/
  27. sha3/
  28. ssh/
  29. tea/
  30. twofish/
  31. xtea/
  32. xts/
  33. .gitattributes
  34. .gitignore
  36. codereview.cfg
  39. go.mod
  40. go.sum

Go Cryptography

Go Reference

This repository holds supplementary Go cryptography libraries.


The easiest way to install is to run go get -u You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the crypto repository is located at Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.