crypto/tls: verifying certificate chains containing large RSA keys is slow [CVE-2023-29409]

[rolandshoemaker]

Clients and servers which request and verify client certificates can be forced to expend a large amount of time verifying certificate chains which contain very large RSA keys during TLS handshakes.

Thanks to Mateusz Poliwczak for reporting this issue.

This is CVE-2023-29409.

---

This is a PRIVATE issue for CVE-2023-29409, tracked in http://b/282987216 and fixed by http://tg/1912161.

/cc @golang/security and @golang/release

[neild]

@gopherbot please open backport issues

[gopherbot]

Backport issue(s) opened: #61579 (for 1.19), #61580 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[gopherbot]

Change https://go.dev/cl/514915 mentions this issue: [release-branch.go1.19] crypto/tls: restrict RSA keys in certificates to <= 8192 bits

[gopherbot]

Change https://go.dev/cl/514900 mentions this issue: [release-branch.go1.20] crypto/tls: restrict RSA keys in certificates to <= 8192 bits

[gopherbot]

Change https://go.dev/cl/515056 mentions this issue: [release-branch.go1.21] crypto/tls: restrict RSA keys in certificates to <= 8192 bits

[gopherbot]

Closed by merging a51957f to release-branch.go1.21.