OpenSSH (documentation) bug regarding RekeyLimit
Stefan `Sec` Zehl
sec at 42.org
Tue Mar 17 00:50:34 AEDT 2015
Hi,
the OpenSSH documentation regarding "RekeyLimit" specifies:
| RekeyLimit
| Specifies the maximum amount of data that may be transmitted before
| the session key is renegotiated, optionally followed by a maximum
| amount of time that may pass before the session key is
| renegotiated. The first argument is specified in bytes and may have
| a suffix of ‘K’, ‘M’, or ‘G’ to indicate Kilobytes, Megabytes, or
| Gigabytes, respectively. The default is between ‘1G’ and ‘4G’,
| depending on the cipher.
Checking packet.c, we see the following code:
|     /*
|      * The 2^(blocksize*2) limit is too expensive for 3DES,
|      * blowfish, etc, so enforce a 1GB limit for small blocksizes.
|      */
|     if (enc->block_size >= 16)
|         *max_blocks = (u_int64_t)1 << (enc->block_size*2);
|     else
|         *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
This makes the default RekeyLimit 2G bytes for "small" ciphers like
3des-cbc (which has an enc->block_size of 8).
On other ciphers like aes128-cbc which have an enc->block_size of 16, this
makes max_blocks = 1 << 32, which is 4G blocks, or, to be more precise,
64G bytes.
Either this is a coding oversight (missing an "/ enc->block_size") or
the documentation is incorrect regarding the 4G limit.
CU,
Sec
--
I think the IDE issue is a good point. People with IDE hardware in
their machines should be punished by making them wait to boot...
-- terry at lambert.org
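The following is an added example, not code from the post or from OpenSSH: it mirrors the block-count computation quoted from packet.c above, converts the result to bytes for the two block sizes discussed (8 for 3des-cbc, 16 for aes128-cbc), and checks each against the "between 1G and 4G" range the documentation states. The helper names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirror of the max_blocks computation quoted from packet.c above. */
uint64_t max_blocks_for(unsigned block_size)
{
    if (block_size >= 16)
        return (uint64_t)1 << (block_size * 2);
    return ((uint64_t)1 << 30) / block_size;
}

/* Default rekey limit in bytes implied by that block count. */
uint64_t rekey_limit_bytes(unsigned block_size)
{
    return max_blocks_for(block_size) * block_size;
}

/* Does the computed byte limit fall inside the documented 1G..4G range? */
int within_documented_range(unsigned block_size)
{
    uint64_t bytes = rekey_limit_bytes(block_size);
    return bytes >= ((uint64_t)1 << 30) && bytes <= ((uint64_t)1 << 32);
}

int main(void)
{
    /* Block sizes of the ciphers named in the post (constructed input). */
    unsigned sizes[] = { 8, 16 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        unsigned bs = sizes[i];
        printf("block_size=%2u max_blocks=%llu bytes=%llu (%s documented range)\n",
               bs, (unsigned long long)max_blocks_for(bs),
               (unsigned long long)rekey_limit_bytes(bs),
               within_documented_range(bs) ? "inside" : "outside");
    }
    return 0;
}
```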