ssh: return an error for malformed ed25519 public keys rather than panic

An attacker can craft an ssh-ed25519 or
public key, such that the library will panic when trying to verify a
signature with it. Clients can deliver such a public key and signature
to any server with a PublicKeyCallback, and
servers can deliver them to any client.

This issue was discovered and reported by Alex Gaynor, Fish in a Barrel,
and is tracked as CVE-2020-9283.

Change-Id: Ie25b78a0b0181fbbc8cc7de4f4e27d908777529c
Run-TryBot: Filippo Valsorda <>
Reviewed-by: Katie Hockman <>
TryBot-Result: Gobot Gobot <>
1 file changed
tree: d72fe5ba5bb205a707bdca2f59e35dbb8f043c48
  1. .gitattributes
  2. .gitignore
  9. acme/
  10. argon2/
  11. bcrypt/
  12. blake2b/
  13. blake2s/
  14. blowfish/
  15. bn256/
  16. cast5/
  17. chacha20/
  18. chacha20poly1305/
  19. codereview.cfg
  20. cryptobyte/
  21. curve25519/
  22. ed25519/
  23. go.mod
  24. go.sum
  25. hkdf/
  26. internal/
  27. md4/
  28. nacl/
  29. ocsp/
  30. openpgp/
  31. otr/
  32. pbkdf2/
  33. pkcs12/
  34. poly1305/
  35. ripemd160/
  36. salsa20/
  37. scrypt/
  38. sha3/
  39. ssh/
  40. tea/
  41. twofish/
  42. xtea/
  43. xts/

Go Cryptography

This repository holds supplementary Go cryptography libraries.


The easiest way to install is to run go get -u You can also manually git clone the repository to $GOPATH/src/

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see

The main issue tracker for the crypto repository is located at Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.