ssh: enforce strict limits on DSA key parameters

The parseDSA function previously accepted DSA keys with arbitrary values
for the sub-prime Q and did not validate that group elements G and Y
were within the modulus P.

Malicious actors could provide a key with a massively large Q (e.g.,
millions of bits), leading to excessive CPU consumption during signature
verification.

This change restricts the sub-prime Q to exactly 160 bits, as required
by FIPS 186-2, and ensures that G and Y are strictly less than P.

This issue was found during a security audit by NCC Group Cryptography
Services, sponsored by Teleport.

Fixes golang/go#79565
Fixes CVE-2026-39829

Change-Id: I526118d94684076088d0625178844f64c1303ec8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781661
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
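The limits the commit describes, as an added Go example that is not the x/crypto project's own code: a minimal ssh-dss public key blob parser over the SSH string/mpint wire format that rejects a Q that is not exactly 160 bits and a G or Y that is not below P, beside an encoder for building constructed test keys. The names dsaPub, encodeDSABlob and parseDSAChecked are hypothetical, and any parameters fed to it should be treated as constructed placeholders rather than real DSA group values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"math/big"
)

type dsaPub struct{ P, Q, G, Y *big.Int }
// encodeDSABlob builds an ssh-dss public key blob: string "ssh-dss", then mpint p, q, g, y.
func encodeDSABlob(p, q, g, y *big.Int) []byte {
	var out []byte
	put := func(b []byte) { // SSH string: uint32 big-endian length, then the bytes
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(b)))
		out = append(append(out, n[:]...), b...)
	}
	put([]byte("ssh-dss"))
	for _, x := range []*big.Int{p, q, g, y} {
		if b := x.Bytes(); len(b) > 0 && b[0]&0x80 != 0 {
			put(append([]byte{0}, b...)) // mpint rule: a leading zero byte keeps the value positive
		} else {
			put(b)
		}
	}
	return out
}
// parseDSAChecked parses an ssh-dss blob and enforces the commit's limits: Q exactly 160 bits, G and Y below P.
func parseDSAChecked(blob []byte) (*dsaPub, error) {
	var f [5][]byte // key type, then the mpints p, q, g, y
	for i := range f {
		if len(blob) < 4 || uint64(len(blob)-4) < uint64(binary.BigEndian.Uint32(blob)) {
			return nil, errors.New("ssh: short read")
		}
		n := 4 + binary.BigEndian.Uint32(blob)
		f[i], blob = blob[4:n], blob[n:]
	}
	if string(f[0]) != "ssh-dss" {
		return nil, errors.New("ssh: not an ssh-dss key")
	}
	num := func(b []byte) *big.Int { return new(big.Int).SetBytes(b) }
	k := &dsaPub{P: num(f[1]), Q: num(f[2]), G: num(f[3]), Y: num(f[4])}
	if k.Q.BitLen() != 160 { // reject a huge Q before it can cost CPU in verification
		return nil, errors.New("ssh: DSA sub-prime Q must be exactly 160 bits")
	}
	if k.G.Cmp(k.P) >= 0 || k.Y.Cmp(k.P) >= 0 {
		return nil, errors.New("ssh: DSA G and Y must be less than P")
	}
	return k, nil
}
```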
2 files changed
tree: 22a51705a0ec4475dc83c3544da6590a4b17378f
README.md

Go Cryptography

This repository holds supplementary Go cryptography packages.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://go.dev/doc/contribute.

The git repository is https://go.googlesource.com/crypto.

The main issue tracker for the crypto repository is located at https://go.dev/issues. Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.