OpenSSH (documentation) bug regarding RekeyLimit

Stefan `Sec` Zehl sec at 42.org
Tue Mar 17 00:50:34 AEDT 2015


Hi,

the OpenSSH documentation regarding "RekeyLimit" specifies:

|  RekeyLimit
|      Specifies the maximum amount of data that may be transmitted before
|      the session key is renegotiated, optionally followed a maximum
|      amount of time that may pass before the session key is
|      renegotiated. The first argument is specified in bytes and may have
|      a suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes, Megabytes, or
|      Gigabytes, respectively. The default is between ‘1G’ and ‘4G’,
|      depending on the cipher.

Checking packet.c we see the following code:

|         /*
|          * The 2^(blocksize*2) limit is too expensive for 3DES,
|          * blowfish, etc, so enforce a 1GB limit for small blocksizes.
|          */
|         if (enc->block_size >= 16)
|                 *max_blocks = (u_int64_t)1 << (enc->block_size*2);
|         else
|                 *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;

This makes the default RekeyLimit 2G bytes for "small" ciphers like
3des-cbc (which has an enc->block_size of 8).

On other ciphers like aes128-cbc which have a enc->blocksize of 16, this
makes max_blocks = 1 << 32, which is 4G blocks, or, to be more precise 
64G bytes.

Either this is an coding oversight (missing an "/ enc->block_size") or
the documentation is incorrect regarding the 4G limit.

CU,
    Sec
-- 
I think the IDE issue is a good point.  People with IDE hardware in
their machines should be punished by making them wait to boot...
                                               -- terry at lambert.org


More information about the openssh-unix-dev mailing list