Bug#747471: libnss: Arbitrary key size limitation for client certificate authentication causing out-of-memory error

Benny Baumann BenBE at geshi.org
Fri May 9 06:30:12 UTC 2014

Source: iceweasel
Severity: critical
Tags: security upstream

When using client certificate authentication with client certificates with keys
of 4097 bit RSA or larger you always get a diagnostic from the SSL layer saying
that no memory was available which is funny because using a key of the same size
for the SSL server works just fine. Also using a 4095 bit RSA client certificate
works just fine as well.

This breaks security in systems where such keys are used and thus should be
considered serious misbehaviour as cryptographic systems MUST NOT include
arbitrary limits on the key size of used cryptographic parameters.

Please either remove this restriction completely or raise this to a much more
sane value that is not limiting casually-paranoid configurations which use
keys like 8192 Bit RSA for client authentication.

A suggested increase could be 65536 Bit RSA, but better remove this limitation
completely as it causes no real benefit.

Furthermore RSA 8192 and up to RSA 16384 has to be considered as it corresponds
roughly to 192-256 bit symmetric key sizes and thus properly configured systems
enforcing 256 bit symmetric cryptography will also enforce asymmetric keys
larger than 4096 bit for RSA or similarly for DSA and ECDSA.

Kind regards,
Benny Baumann

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'stable'), (750, 'experimental'), (700, 'unstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
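
The key-size comparison in the report can be checked numerically. The following is an added example, not part of the original message or of NSS: it uses the GNFS-based strength estimate from FIPS 140-2 Implementation Guidance 7.5 (an assumption of this example; the tabulated NIST SP 800-57 values differ slightly) to find which RSA modulus sizes a given symmetric strength target requires, and whether those sizes fall in the range the report says fails. The function and constant names are hypothetical.

```python
import math

# Sizes taken from the report: 4095-bit works, 4097-bit and larger fail.
REPORTED_WORKING_BITS = 4095
REPORTED_FAILING_BITS = 4097


def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus (GNFS cost)."""
    n = modulus_bits * math.log(2)            # ln of a modulus_bits-bit number
    ln_work = 1.923 * n ** (1 / 3) * math.log(n) ** (2 / 3) - 4.69
    return ln_work / math.log(2)              # natural log of work -> bits


def min_modulus_bits(target_bits: float, lo: int = 512, hi: int = 65536) -> int:
    """Smallest modulus size whose estimated strength reaches target_bits."""
    if rsa_strength_bits(hi) < target_bits:
        raise ValueError("target strength not reachable below hi")
    while lo < hi:                            # estimate grows with modulus size
        mid = (lo + hi) // 2
        if rsa_strength_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def blocked_by_reported_limit(modulus_bits: int) -> bool:
    """True if a client key of this size is in the range the report says fails."""
    return modulus_bits >= REPORTED_FAILING_BITS


if __name__ == "__main__":
    for size in (2048, REPORTED_WORKING_BITS, REPORTED_FAILING_BITS, 8192, 16384):
        print(f"RSA-{size}: ~{rsa_strength_bits(size):.0f} bits, "
              f"blocked={blocked_by_reported_limit(size)}")
    for target in (128, 192, 256):
        need = min_modulus_bits(target)
        print(f"{target}-bit target needs RSA >= {need}, "
              f"blocked={blocked_by_reported_limit(need)}")
```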
