OpenSSH (documentation) bug regarding RekeyLimit

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi,

the OpenSSH documentation regarding "RekeyLimit" specifies:

|  RekeyLimit
|      Specifies the maximum amount of data that may be transmitted before
|      the session key is renegotiated, optionally followed a maximum
|      amount of time that may pass before the session key is
|      renegotiated. The first argument is specified in bytes and may have
|      a suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes, Megabytes, or
|      Gigabytes, respectively. The default is between ‘1G’ and ‘4G’,
|      depending on the cipher.

Checking packet.c we see the following code:

|         /*
|          * The 2^(blocksize*2) limit is too expensive for 3DES,
|          * blowfish, etc, so enforce a 1GB limit for small blocksizes.
|          */
|         if (enc->block_size >= 16)
|                 *max_blocks = (u_int64_t)1 << (enc->block_size*2);
|         else
|                 *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;

This makes the default RekeyLimit 2G bytes for "small" ciphers like
3des-cbc (which has an enc->block_size of 8).

On other ciphers like aes128-cbc which have a enc->blocksize of 16, this
makes max_blocks = 1 << 32, which is 4G blocks, or, to be more precise 
64G bytes.

Either this is an coding oversight (missing an "/ enc->block_size") or
the documentation is incorrect regarding the 4G limit.

CU,
    Sec
-- 
I think the IDE issue is a good point.  People with IDE hardware in
their machines should be punished by making them wait to boot...
                                               -- terry@xxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev





[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux