Skip to content

ssh/agent: bound RSA modulus and DSA parameters in key parsers#347

Open
tonghuaroot wants to merge 1 commit into
golang:masterfrom
tonghuaroot:agent-bound-key-params
Open

ssh/agent: bound RSA modulus and DSA parameters in key parsers#347
tonghuaroot wants to merge 1 commit into
golang:masterfrom
tonghuaroot:agent-bound-key-params

Conversation

@tonghuaroot
Copy link
Copy Markdown

@tonghuaroot tonghuaroot commented May 29, 2026

The agent server's key parsers accept attacker-controlled RSA moduli and
DSA P/Q/G parameters of arbitrary size from SSH_AGENTC_ADD_IDENTITY and
SSH2_AGENTC_ADD_ID_CONSTRAINED messages, then run expensive crypto such as
rsa.PrivateKey.Precompute with no size bound. A single oversized key (e.g.
a 16384-bit RSA modulus) can cost hundreds of milliseconds to process,
giving large CPU amplification per packet and allowing a malicious remote
server reached over agent forwarding to peg a Go-based ssh-agent.

Bound the sizes in parseRSAKey, parseRSACert, parseDSAKey, and parseDSACert,
mirroring the limits the same package already enforces on the SSH-server
side in ssh/keys.go: an 8192-bit RSA modulus cap and the FIPS 186-2 DSA
parameter checks (1024-bit P, 160-bit Q, and a generator in range).

Fixes golang/go#79725

@tonghuaroot
ssh/agent: bound RSA modulus and DSA parameters in key parsers
cde0ba3 
The agent server's key parsers accept attacker-controlled RSA moduli and
DSA P/Q/G parameters of arbitrary size from SSH_AGENTC_ADD_IDENTITY and
SSH2_AGENTC_ADD_ID_CONSTRAINED messages, then run expensive crypto such as
rsa.PrivateKey.Precompute with no size bound. A single oversized key (e.g.
a 16384-bit RSA modulus) can cost hundreds of milliseconds to process,
giving large CPU amplification per packet and allowing a malicious remote
server reached over agent forwarding to peg a Go-based ssh-agent.

Bound the sizes in parseRSAKey, parseRSACert, parseDSAKey, and parseDSACert,
mirroring the limits the same package already enforces on the SSH-server
side in ssh/keys.go: an 8192-bit RSA modulus cap and the FIPS 186-2 DSA
parameter checks (1024-bit P, 160-bit Q, and a generator in range).

Fixes golang/go#79725
@gopherbot
Copy link
Copy Markdown
Contributor

gopherbot commented May 29, 2026

This PR (HEAD: cde0ba3) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/crypto/+/784660.

Important tips:

  • Don't comment on this PR. All discussion takes place in Gerrit.
  • You need a Gmail or other Google account to log in to Gerrit.
  • To change your code in response to feedback:
    • Push a new commit to the branch used by your GitHub PR.
    • A new "patch set" will then appear in Gerrit.
    • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
    • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
    • Multiple commits in the PR will be squashed by GerritBot.
  • The title and description of the GitHub PR are used to construct the final commit message.
    • Edit these as needed via the GitHub web interface (not via Gerrit or git).
    • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
  • See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

x/crypto/ssh/agent: unbounded RSA modulus and DSA parameters

2 participants

@tonghuaroot @gopherbot