Comparing changes

base repository: golang/crypto
base: v0.51.0
head repository: golang/crypto
compare: v0.52.0
  • 20 commits
  • 27 files changed
  • 6 contributors

Commits on May 11, 2026

  1. blake2b: merge go125.go into blake2b_test.go

    The go1.25 build constraint is guaranteed to always be satisfied because
    the go directive is at 1.25.0, so the separated out go125.go file is not
    needed. Move the assertion that the *xof type implements the hash.XOF
    interface into a _test.go file to let it happen alongside other tests
    in this package.
    
    Change-Id: I65c886ede4d574a3168f28689f9529aa56586697
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/775781
    Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
    Reviewed-by: Hyang-Ah Hana Kim <hyangah@gmail.com>
    Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
    dmitshur authored and gopherbot committed May 11, 2026
    Commit 44decbf

Commits on May 18, 2026

  1. chacha20poly1305: drop pre-AVX assembly impl

    Updates golang/go#69587
    
    Change-Id: Ic158558f879b8b8ad23155bf887e083169096d19
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/672837
    Auto-Submit: Roland Shoemaker <roland@golang.org>
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
    rolandshoemaker authored and gopherbot committed May 18, 2026
    Commit 7ee5970
  2. chacha20poly1305: remove usages of BYTE instr

    We have had VBROADCASTI128 since at least Go 1.11, so no need to use
    BYTE instructions.
    
    Change-Id: I297bbc636320ae830f6e8f83eb174efe8251a9a3
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/672838
    Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
    Auto-Submit: Roland Shoemaker <roland@golang.org>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Cherry Mui <cherryyz@google.com>
    rolandshoemaker authored and gopherbot committed May 18, 2026
    Commit a749d17

Commits on May 21, 2026

  1. ssh/agent: preserve constraint extensions when adding keys

    The client Add method only serialized the lifetime and confirm
    constraints and silently dropped AddedKey.ConstraintExtensions before
    sending the SSH_AGENTC_ADD_IDENTITY request. As a result the remote
    agent always received the key with no extension constraints, regardless
    of what the caller requested.
    
    Applications that add a key believing custom constraint extensions
    (such as restrict-destination-v00@openssh.com) would be enforced
    instead loaded a completely unrestricted key into the agent. For
    example, an administrator forwarding their agent into an untrusted jump
    host and trying to limit the forwarded key with restrict-destination
    never had that restriction reach the agent: any user or compromised
    process on that host could make the agent sign arbitrary challenges.
    
    Serialize each entry in key.ConstraintExtensions as an
    agentConstrainExtension constraint so the constraints reach the agent,
    and add a round-trip regression test that verifies the extensions
    survive client serialization and server parsing.
    
    This issue was found during a security audit by NCC Group Cryptography
    Services, sponsored by Teleport.
    
    Updates CVE-2026-39832
    Updates golang/go#79435
    
    Change-Id: I14c5583b106cbf0d282d2ba01e000e0f586f08c7
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/778640
    Reviewed-by: Neal Patel <neal@golang.org>
    Reviewed-by: Neal Patel <nealpatel@google.com>
    Reviewed-by: Keith Randall <khr@google.com>
    Reviewed-by: David Chase <drchase@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    drakkan authored and thatnealpatel committed May 21, 2026
    Commit a1ce0fe
  2. ssh/agent: don't accept keys with unsupported constraints

    The in-memory keyring cannot enforce constraint extensions, so silently
    accepting a key that carries them gave callers a false sense of
    restriction. Refuse keys with constraint extensions instead: a key
    whose constraints cannot be enforced must not be loaded. This behavior
    is consistent with OpenSSH.
    
    This is a deliberate behavior change: keyring.Add previously accepted
    and ignored ConstraintExtensions and now returns an error.
    
    This issue was found during a security audit by NCC Group Cryptography
    Services, sponsored by Teleport.
    
    Fixes CVE-2026-39832
    Fixes golang/go#79435
    
    Change-Id: I6ca4f1c29f8edfabb287fe07299641f70896d5fe
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/778641
    Auto-Submit: Neal Patel <nealpatel@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Neal Patel <neal@golang.org>
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
    Reviewed-by: Neal Patel <nealpatel@google.com>
    drakkan authored and gopherbot committed May 21, 2026
    Commit e3d1254
  3. ssh/agent: reject keys with unsupported confirm constraint

    The in-memory keyring supports the "lifetime" constraint but does not
    implement the "confirm" constraint. Previously, keyring.Add silently
    ignored ConfirmBeforeUse: the key was stored, advertised through List,
    and used for signing without any interactive confirmation, potentially
    misleading callers into believing this security measure was enforced.
    
    Return an error when ConfirmBeforeUse is set instead of silently
    downgrading the caller's security expectations. Implementing real
    confirm-before-use in an in-memory library keyring is infeasible (there
    is no UI or confirmation callback), so failing closed is the correct
    behavior; adding actual confirm support would require an API addition
    and is out of scope.
    
    This is a deliberate behavior change: keyring.Add previously accepted
    and ignored ConfirmBeforeUse and now returns an error. This change also
    updates the keyring doc comments to document the supported constraints.
    
    This issue was found during a security audit by NCC Group Cryptography
    Services, sponsored by Teleport.
    
    Fixes CVE-2026-39833
    Updates golang/go#47533
    Fixes golang/go#79436
    
    Change-Id: I1b3a286f0c1e4a4e08ac37109f7e491692ca90ae
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/778642
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
    Reviewed-by: Neal Patel <nealpatel@google.com>
    Reviewed-by: Neal Patel <neal@golang.org>
    Auto-Submit: Neal Patel <nealpatel@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    drakkan authored and thatnealpatel committed May 21, 2026
    Commit 0fb843a
  4. ssh/agent: prevent panic on pathological ed25519 inputs

    parseEd25519Key and parseEd25519Cert cast wire bytes
    to ed25519.PrivateKey without checking length; a short
    payload panics at priv[32:] in Public().
    
    Fixes CVE-2026-46598
    Fixes golang/go#46598
    
    Change-Id: I127bc6a22adff1c4beb4d54533062bebc388de47
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781360
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    Reviewed-by: Nicholas Husin <nsh@golang.org>
    Reviewed-by: Nicholas Husin <husin@google.com>
    thatnealpatel committed May 21, 2026
    Commit e7c36cc
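
The length problem described in the ed25519 commit above, as an added example (not code from golang.org/x/crypto): it shows that a 16-byte payload panics in Public(), and that a 32-byte payload does not panic but yields an all-zero public key, which is why the check here requires the exact 64-byte size. The helper names `uncheckedPublic`, `checkedPublic`, `allZero` and `validWire` are hypothetical, and the payloads are constructed.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

var errBadEd25519Len = errors.New("ed25519 private key: wrong length")

// uncheckedPublic reproduces the pattern the commit message describes: wire
// bytes are cast to ed25519.PrivateKey and Public() is called with no length
// check. The recover turns the resulting panic into an error for the demo.
func uncheckedPublic(wire []byte) (pub ed25519.PublicKey, err error) {
	defer func() {
		if r := recover(); r != nil {
			pub, err = nil, fmt.Errorf("panic: %v", r)
		}
	}()
	return ed25519.PrivateKey(wire).Public().(ed25519.PublicKey), nil
}

// checkedPublic (hypothetical helper) accepts only the exact 64-byte encoding.
func checkedPublic(wire []byte) (ed25519.PublicKey, error) {
	if len(wire) != ed25519.PrivateKeySize {
		return nil, errBadEd25519Len
	}
	return ed25519.PrivateKey(wire).Public().(ed25519.PublicKey), nil
}

// allZero reports whether every byte of b is zero.
func allZero(b []byte) bool {
	for _, v := range b {
		if v != 0 {
			return false
		}
	}
	return true
}

// validWire returns a well-formed 64-byte key built from a constructed seed.
func validWire() []byte {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = byte(i)
	}
	return ed25519.NewKeyFromSeed(seed)
}

func main() {
	// Constructed payloads: too short, seed-sized, and well-formed.
	for _, wire := range [][]byte{make([]byte, 16), make([]byte, 32), validWire()} {
		_, uerr := uncheckedPublic(wire)
		_, cerr := checkedPublic(wire)
		fmt.Printf("len=%2d unchecked=%v checked=%v\n", len(wire), uerr, cerr)
	}
}
```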
  5. ssh/knownhosts: respect @Revoked CA keys

    Fixes CVE-2026-42508
    Fixes golang/go#79568
    
    Change-Id: I20f33cba20756b048726ff3464b83871859d3b5c
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781220
    Reviewed-by: Nicholas Husin <husin@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Nicholas Husin <nsh@golang.org>
    Reviewed-by: Nicola Murino <nicola.murino@gmail.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    thatnealpatel authored and drakkan committed May 21, 2026
    Commit f717e29
  6. ssh: prevent memory leak when rejecting channels

    When a server rejects an incoming channel request via
    NewChannel.Reject, the channel is left in the multiplexer's
    channel list. Because the channel is never explicitly removed or
    closed, its internal buffers and sync primitives remain allocated
    for the lifetime of the SSH connection.
    
    A malicious client could exploit this behavior by repeatedly
    requesting to open channels that are destined to be rejected,
    causing unbounded memory growth and potentially leading to a
    Denial of Service (DoS) via resource exhaustion.
    
    This change fixes the leak by calling ch.mux.chanList.remove
    within the Reject method, removing the channel from the list and allowing the
    garbage collector to reclaim the associated memory immediately.
    
    Fixes golang/go#35127
    Fixes CVE-2026-3982
    
    Change-Id: Iaa177f5dfd151812dd404e528a4a1c77527a0e29
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781320
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    Reviewed-by: Nicholas Husin <nsh@golang.org>
    Reviewed-by: Nicholas Husin <husin@google.com>
    drakkan committed May 21, 2026
    Commit 6c195c8

Commits on May 22, 2026

  1. ssh: enforce nil Permissions when returning PartialSuccessError

    In serverAuthenticate, the permissions variable is reset to nil at the
    beginning of the authentication loop. If an authentication callback
    returns a PartialSuccessError along with non-nil Permissions, those
    permissions are currently silently discarded before the next
    authentication step.
    
    This change returns an error if a callback returns both a PartialSuccessError
    and non-nil Permissions, preventing API misuse where the user might
    erroneously expect those permissions to be preserved or merged into the
    final session permissions.
    
    This issue was found during a security audit by NCC Group Cryptography
    Services, sponsored by Teleport.
    
    Fixes golang/go#79562
    Fixes CVE-2026-39828
    
    Change-Id: I632c9e46e2b5e8804ef88081063a3612a2462f9f
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781621
    Reviewed-by: Neal Patel <nealpatel@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Auto-Submit: Gopher Robot <gobot@golang.org>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    drakkan authored and gopherbot committed May 22, 2026
    Commit b25012b
  2. ssh: fix deadlock on unexpected global responses

    Previously, the mux implementation handled global request responses by
    blocking until the response could be sent to the globalResponses channel.
    Since this channel has a buffer size of 1, unsolicited responses from a
    server (or responses arriving after a timeout) would fill the buffer.
    Subsequent unsolicited responses would block handleGlobalPacket, stalling
    the entire connection's read loop and causing a denial of service.
    
    This change modifies handleGlobalPacket to use a non-blocking send. If
    no goroutine is waiting for a response (or the buffer is full), the
    message is dropped. This aligns with OpenSSH behavior, which ignores
    unexpected global responses.
    
    Additionally, SendRequest now drains the globalResponses channel after
    acquiring the mutex but before sending the request. This ensures that
    any stale responses or "spam" buffered just before the lock was acquired
    are discarded, preventing race conditions where a legitimate request
    might otherwise consume an unrelated response.
    
    This issue was found during a security audit by NCC Group Cryptography
    Services, sponsored by Teleport.
    
    Fixes golang/go#79564
    Fixes CVE-2026-39830
    
    Change-Id: Ia0c46355203d557eadcd432c10b87c8a044e1089
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781640
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    Reviewed-by: Neal Patel <nealpatel@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    drakkan authored and thatnealpatel committed May 22, 2026
    Commit 4e7a738
  3. ssh: fix panic when authority callbacks are nil

    Previously, if CertChecker.IsHostAuthority or CertChecker.IsUserAuthority
    were left unset, calling CheckHostKey or Authenticate would result in a
    nil pointer dereference panic.
    
    This change adds checks to ensure these callbacks are defined before
    invocation, returning an error instead of panicking.
    
    This issue was found during a security audit by NCC Group Cryptography
    Services, sponsored by Teleport.
    
    Fixes golang/go#79563
    Fixes CVE-2026-39835
    
    Change-Id: I2bd9c8d76646232e49f6aedc7b5334f3825918be
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781660
    Commit-Queue: Neal Patel <nealpatel@google.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Neal Patel <nealpatel@google.com>
    drakkan authored and thatnealpatel committed May 22, 2026
    Commit ffd87b4
  4. ssh: reject RSA keys with excessively large moduli

    Previously, the RSA key parser accepted keys with arbitrary modulus
    sizes. Processing keys with extremely large moduli (e.g., > 8192 bits)
    can consume excessive CPU resources during verification, potentially
    leading to a Denial of Service (DoS).
    
    This change introduces a limit of 8192 bits for the RSA modulus in
    parseRSA, rejecting keys that exceed this size in line with the limit
    enforced by crypto/tls.
    
    This issue was found during a security audit by NCC Group Cryptography
    Services, sponsored by Teleport.
    
    Fixes golang/go#79565
    Fixes CVE-2026-39829
    
    Change-Id: Ibdddad1859a4d9db5c9f052d06c82f29bfc2e5e5
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781641
    Reviewed-by: Neal Patel <nealpatel@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    drakkan authored and thatnealpatel committed May 22, 2026
    Commit 8907318
  5. ssh: enforce strict limits on DSA key parameters

    The parseDSA function previously accepted DSA keys with arbitrary values
    for the sub-prime Q and did not validate that group elements G and Y
    were within the modulus P.
    
    Malicious actors could provide a key with a massively large Q (e.g.,
    millions of bits), leading to excessive CPU consumption during signature
    verification.
    
    This change restricts the sub-prime Q to exactly 160 bits, as required
    by FIPS 186-2, and ensures that G and Y are strictly less than P.
    
    This issue was found during a security audit by NCC Group Cryptography
    Services, sponsored by Teleport.
    
    Fixes golang/go#79565
    Fixes CVE-2026-39829
    
    Change-Id: I526118d94684076088d0625178844f64c1303ec8
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781661
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Neal Patel <nealpatel@google.com>
    drakkan authored and thatnealpatel committed May 22, 2026
    Commit 9c2cd33
  6. ssh: enforce user presence verification for security keys

    Previously the library did not verify the "User Presence" (UP) bit in
    signatures generated by FIDO/U2F security keys
    (sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com).
    This allowed signatures without physical interaction to be accepted
    if the underlying hardware produced them, deviating from the default
    secure behavior expected by the FIDO standards and OpenSSH.
    
    skECDSAPublicKey.Verify and skEd25519PublicKey.Verify now enforce
    the user-presence bit (0x01, constant flagUserPresence) by default.
    Signatures whose flags byte has UP clear fail with the sentinel
    errSKMissingUserPresence.
    
    The server public-key authentication path honors the OpenSSH
    "no-touch-required" extension as an opt-out. noTouchAllowed reports
    true when the extension is present either in the Permissions
    returned by PublicKeyCallback (authorized_keys-level opt-out) or in
    the certificate's own Extensions (CA-level opt-out); in that case
    skKeyWithoutUP is used to derive a clone of the SK public key (and,
    for certificates, a clone of the wrapping Certificate whose inner
    Key is the cloned SK key) whose Verify accepts UP-clear signatures.
    The originals are never mutated, so a per-session opt-out cannot
    leak across authentication attempts or connections. Matching
    OpenSSH, the opt-out is read only from Extensions, never from
    CriticalOptions.
    
    skKeyWithoutUP is iterative and unwraps at most one level of
    *Certificate: the SSH cert format forbids Certificate.Key from being
    another Certificate (parseCert rejects it) but callers can still
    construct such a value directly in Go, so a recursive descent would
    be driven to unbounded depth by malformed or cyclic input. Any such
    pathological *Certificate is returned unchanged.
    
    CertChecker.CheckCert applies skKeyWithoutUP unconditionally to the
    certificate's CA key before verifying the CA signature, matching
    OpenSSH, which calls sshkey_verify with detailsp==NULL in
    sshkey.c:cert_parse and never extracts or enforces UP/UV flags on
    CA signatures. The UP bit on a CA signature reflects the CA
    operator's presence at cert-issuance time, which has no bearing on
    whether the user being authenticated is present now, so enforcing it
    here would only break interop with certificates issued by
    non-interactive SK CAs without a corresponding security benefit. The
    skKeyWithoutUP call is a no-op for non-SK CA keys (the common case).
    
    This change breaks backward compatibility for clients or keys that
    generate user-authentication signatures without the User Presence
    flag set. Previously those signatures were accepted by the server.
    They will now be rejected with "ssh: signature missing required user
    presence flag" unless the "no-touch-required" extension is
    explicitly granted to the session by the server callbacks, or
    carried by the user certificate.
    
    This issue was found during a security audit by NCC Group
    Cryptography Services, sponsored by Teleport.
    
    Fixes golang/go#79566
    Fixes CVE-2026-39831
    
    Change-Id: I74b6de3bb6a2d7a0f34d7fa36bbbbf06f0b3fc6b
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781662
    Reviewed-by: Neal Patel <nealpatel@google.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    drakkan authored and thatnealpatel committed May 22, 2026
    Commit b61cf85
  7. ssh: fix infinite loop on large channel writes due to integer overflow

    The internal 'min' helper function in channel.go incorrectly cast the
    input data length (int) to uint32 before comparing it with the
    maximum packet size. On 64-bit systems, if the data length is a
    multiple of 2^32 (approx. 4GB), this cast results in 0.
    
    Consequently, the function returns 0, causing the WriteExtended loop
    to spin indefinitely because it attempts to reserve 0 bytes while
    the remaining data length is still positive.
    
    This change renames the helper to 'minPayloadSize' to avoid confusion
    with the Go 1.21 built-in 'min' and updates the logic to use int64
    for comparisons, preventing truncation and the resulting infinite loop.
    
    This issue was found during a security audit by NCC Group Cryptography
    Services, sponsored by Teleport.
    
    Fixes golang/go#79567
    Fixes CVE-2026-39834
    
    Change-Id: Id5bf81d9f06c7042452acffe1c76580ff878665e
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781663
    Reviewed-by: Neal Patel <nealpatel@google.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    drakkan authored and thatnealpatel committed May 22, 2026
    Commit e052873
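
The truncation described in the commit above, as an added example (not code from golang.org/x/crypto): a helper that casts the length to uint32 before comparing, a variant that compares in int64, and a model write loop that reports where the real loop would spin. Only the name `minPayloadSize` comes from the commit message; its body, `truncatingMin`, `countChunks` and the 32768-byte packet size are assumptions, and the code assumes a 64-bit `int`.

```go
package main

import (
	"errors"
	"fmt"
)

var errNoProgress = errors.New("chunk size 0 with data remaining")

// truncatingMin reproduces the bug class: the int length is cast to uint32
// before the comparison, so any multiple of 2^32 becomes 0.
func truncatingMin(maxPacket uint32, n int) uint32 {
	if maxPacket < uint32(n) {
		return maxPacket
	}
	return uint32(n)
}

// minPayloadSize compares in int64, so the length is never truncated.
// Hypothetical body; only the name is taken from the commit message.
func minPayloadSize(maxPacket uint32, n int) uint32 {
	if n <= 0 {
		return 0
	}
	if int64(n) < int64(maxPacket) {
		return uint32(n) // safe: 0 < n < maxPacket <= MaxUint32
	}
	return maxPacket
}

// countChunks models a chunked write over `remaining` bytes without
// allocating them. It returns the number of packets sent, and errNoProgress
// at the point where a real loop would spin forever on a zero-sized chunk.
func countChunks(remaining int, maxPacket uint32, pick func(uint32, int) uint32) (int, error) {
	packets := 0
	for remaining > 0 {
		n := pick(maxPacket, remaining)
		if n == 0 {
			return packets, errNoProgress
		}
		remaining -= int(n)
		packets++
	}
	return packets, nil
}

func main() {
	const maxPacket = 32768 // assumed packet size for the demo
	for _, size := range []int{1 << 32, 1<<32 + 100} {
		p, err := countChunks(size, maxPacket, truncatingMin)
		fmt.Printf("truncating: size=%d packets=%d err=%v\n", size, p, err)
		p, err = countChunks(size, maxPacket, minPayloadSize)
		fmt.Printf("int64:      size=%d packets=%d err=%v\n", size, p, err)
	}
}
```

In this model a length of 2^32 + 100 also stalls with the truncating helper: the first chunk is 100 bytes, which leaves exactly 2^32 bytes remaining.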
  8. ssh: fix incorrect operator order

    Arithmetic is incorrectly applied to 'byte'
    instead of 'int' resulting in a possible
    overflow that allows for a panic.
    
    Fixes CVE-2026-46597
    Fixes golang/go#79561
    
    Change-Id: I83edabeeda676f0209d29d5e2554890bbd0eef8f
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781620
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    Auto-Submit: Gopher Robot <gobot@golang.org>
    Reviewed-by: Nicholas Husin <nsh@golang.org>
    Reviewed-by: Nicholas Husin <husin@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    thatnealpatel authored and gopherbot committed May 22, 2026
    Commit abbc44d
  9. ssh: fix source-address critical option bypass

    Previously, CVE-2024-45337 fixed an authorization bypass
    for misused ssh server configurations; if any other type
    of callback is passed other than public key, then the
    source-address validation would be skipped.
    
    Fixes CVE-2026-46595
    Fixes golang/go#79570
    
    Change-Id: I08d86a961048a232c8672f23000e693ed5a0e2fd
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781642
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Neal Patel <nealpatel@google.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    thatnealpatel committed May 22, 2026
    Commit 533fb3f
  10. ssh: fix deadlock on unexpected channel responses

    Previously, channel.handlePacket sent channelRequestSuccess and
    channelRequestFailure messages to ch.msg unconditionally via the default
    arm of its type switch. Because ch.msg is a bounded buffer (chanSize),
    a peer that sends a burst of unsolicited channel request responses for
    an open, idle channel fills the buffer and blocks the mux read loop on
    the next send. That stalls all packet processing on the connection,
    and because readLoop then backs up on t.incoming, closing the
    underlying net.Conn does not unblock either goroutine: user code
    observes Close() returning promptly while Wait() hangs and the mux,
    readLoop, and kexLoop goroutines leak permanently.
    
    This change mirrors the fix for the mux-level SendRequest path: a
    sentRequestPending atomic gate is set while a SendRequest with
    WantReply is in flight, handlePacket drops responses when the gate is
    closed, and uses a non-blocking send otherwise. SendRequest drains
    any spurious response that slipped through before discarding it, so
    the caller always observes the reply to its own request.
    
    This aligns with OpenSSH, which silently ignores channel confirm
    messages that do not match a pending request.
    
    Fixes golang/go#79564
    Fixes CVE-2026-39830
    
    Change-Id: I15e2add4bf7876bb0c6f921f8b57203d97e83f47
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781664
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Auto-Submit: Neal Patel <nealpatel@google.com>
    Reviewed-by: Neal Patel <nealpatel@google.com>
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    drakkan authored and thatnealpatel committed May 22, 2026
    Commit 3c7c869
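
The pattern behind both deadlock commits ("ssh: fix deadlock on unexpected global responses" and the channel-response commit above), as an added example that is not code from golang.org/x/crypto: a read loop delivering unsolicited replies into a buffer of 1 with a blocking send stalls, while a non-blocking send drops them, and draining before a request keeps the caller from reading a stale reply. `responseQueue`, `readLoop`, `sendRequest` and the 200 ms stall timeout are hypothetical; the messages are constructed.

```go
package main

import (
	"fmt"
	"sync/atomic"
	"time"
)

// stallTimeout is how long the demo waits before declaring the loop stuck.
const stallTimeout = 200 * time.Millisecond

// responseQueue stands in for a reply channel with a buffer of 1.
type responseQueue struct {
	ch      chan string
	dropped atomic.Int64
}

func newResponseQueue() *responseQueue { return &responseQueue{ch: make(chan string, 1)} }

// deliverBlocking is the pre-fix pattern: the read loop waits for buffer space.
func (q *responseQueue) deliverBlocking(msg string) { q.ch <- msg }

// deliverNonBlocking is the post-fix pattern: drop when the buffer is full.
func (q *responseQueue) deliverNonBlocking(msg string) {
	select {
	case q.ch <- msg:
	default:
		q.dropped.Add(1)
	}
}

// drain discards buffered replies and returns how many were thrown away.
func (q *responseQueue) drain() int {
	n := 0
	for {
		select {
		case <-q.ch:
			n++
		default:
			return n
		}
	}
}

// sendRequest models a caller waiting for the reply to its own request. With
// drainFirst set, stale replies are discarded before the peer's answer arrives.
func (q *responseQueue) sendRequest(peerReply string, drainFirst bool) (stale int, got string) {
	if drainFirst {
		stale = q.drain()
	}
	q.deliverNonBlocking(peerReply) // the peer's answer, via the read loop
	return stale, <-q.ch
}

// readLoop hands each packet to deliver on its own goroutine. It returns how
// many packets were handled and whether the loop was still stuck at the timeout.
func readLoop(packets []string, deliver func(string)) (handled int64, stalled bool) {
	var n atomic.Int64
	done := make(chan struct{})
	go func() {
		defer close(done)
		for _, p := range packets {
			deliver(p)
			n.Add(1)
		}
	}()
	select {
	case <-done:
		return n.Load(), false
	case <-time.After(stallTimeout):
		return n.Load(), true
	}
}

func main() {
	spam := []string{"unsolicited-1", "unsolicited-2", "unsolicited-3"} // constructed
	q := newResponseQueue()
	handled, stalled := readLoop(spam, q.deliverBlocking)
	fmt.Printf("blocking:     handled=%d stalled=%v\n", handled, stalled)

	q = newResponseQueue()
	handled, stalled = readLoop(spam, q.deliverNonBlocking)
	fmt.Printf("non-blocking: handled=%d stalled=%v dropped=%d\n", handled, stalled, q.dropped.Load())
	stale, got := q.sendRequest("reply-to-our-request", true)
	fmt.Printf("with drain:   stale=%d got=%q\n", stale, got)
}
```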
  11. go.mod: update golang.org/x dependencies

    Update golang.org/x dependencies to their latest tagged versions.
    
    Change-Id: Ia739869d49c750c7fa578b9dbd7bb998d8c87087
    Reviewed-on: https://go-review.googlesource.com/c/crypto/+/781683
    Reviewed-by: Roland Shoemaker <roland@golang.org>
    Reviewed-by: Nicholas Husin <nsh@golang.org>
    Auto-Submit: Gopher Robot <gobot@golang.org>
    Reviewed-by: Nicholas Husin <husin@google.com>
    LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
    Reviewed-by: Damien Neil <dneil@google.com>
    gopherbot committed May 22, 2026
    Commit a1c0d99