commit | bac4c82f69751a6dd76e702d54b3ceb88adab236 | [log] [tgz] |
---|---|---|
author | Filippo Valsorda <filippo@golang.org> | Tue Feb 11 18:53:37 2020 -0500 |
committer | Filippo Valsorda <filippo@golang.org> | Thu Feb 20 18:36:23 2020 +0000 |
tree | d72fe5ba5bb205a707bdca2f59e35dbb8f043c48 | |
parent | 1ad67e1f0ef495d4014b6ffd8f2cf80f91fffbce [diff] |
ssh: return an error for malformed ed25519 public keys rather than panic An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it. Clients can deliver such a public key and signature to any golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can deliver them to any golang.org/x/crypto/ssh client. This issue was discovered and reported by Alex Gaynor, Fish in a Barrel, and is tracked as CVE-2020-9283. Change-Id: Ie25b78a0b0181fbbc8cc7de4f4e27d908777529c Reviewed-on: https://go-review.googlesource.com/c/crypto/+/220357 Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Katie Hockman <katie@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
This repository holds supplementary Go cryptography libraries.
The easiest way to install is to run go get -u golang.org/x/crypto/...
. You can also manually git clone the repository to $GOPATH/src/golang.org/x/crypto
.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.
The main issue tracker for the crypto repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.
Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.