On Thu, Dec 12, 2013 at 3:40 PM, Niels Möller nisse@lysator.liu.se wrote:
I'm not too concerned about DoS here. An application receiving an RSA key from an untrusted source should impose some reasonable limit on keysize before it is used. If I send you a public RSA key with n and e of 100000 bits, and some signature for you to verify, and you don't impose any limit on key size, I'll hog your cpu for quite a while.
Indeed, but this reasonable limit has to be somehow known to the application to be enforced prior to calling the nettle functions. Now my limits in gnutls and nettle's limits are disconnected (as I only now realized that some functions of nettle could abort after 10000 bits).
That said, Nettle shouldn't do unbounded stack allocations in this case, it ought to use malloc, or abort or fail in some other *reliable* fashion. (I think having some documented limit on keysize would be acceptable, but I'm leaning towards saying that it's better to just use heap allcoation). Do you agree?
Yes, that would be much better. Do you want me to send an updated patch?
regards, Nikos