ssh: allow up to 255 bytes of padding in AES-GCM
The writing side would generate a maximum of 19 bytes of padding, so
the reading side erroneously checked this. However, RFC 5647 specifies
255 as the maximum amount of padding for AES-GCM.
Fixes golang/go#18953.
Change-Id: I416b0023c6e4cbd91a6a1b4214a03f1663b77248
Reviewed-on: https://go-review.googlesource.com/47590
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
diff --git a/ssh/cipher.go b/ssh/cipher.go
index 13484ab..22bb30c 100644
--- a/ssh/cipher.go
+++ b/ssh/cipher.go
@@ -392,7 +392,9 @@
c.incIV()
padding := plain[0]
- if padding < 4 || padding >= 20 {
+ if padding < 4 {
+ // padding is a byte, so it automatically satisfies
+ // the maximum size, which is 255.
return nil, fmt.Errorf("ssh: illegal padding %d", padding)
}