- markus@cvs.openbsd.org 2003/07/10 14:42:28

[packet.c] the 2^(blocksize*2) rekeying limit is too expensive for 3DES, blowfish, etc, so enforce a 1GB limit for small blocksizes.
2003-07-14 17:31:06 +10:00 · 2003-07-14 17:31:06 +10:00 · 81a0b371f4
parent 29588616c2
commit 81a0b371f4
2 changed files with 14 additions and 3 deletions
--- a/6
+++ b/6
@ -13,6 +13,10 @@
     minor tweak: when generating the hex fingerprint, give strlcat the full
     bound to the buffer, and add a comment below explaining why the
     zero-termination is one less than the bound.  markus@ ok
+   - markus@cvs.openbsd.org 2003/07/10 14:42:28
+     [packet.c]
+     the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
+     blowfish, etc, so enforce a 1GB limit for small blocksizes.

 20030708
 - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
@ -686,4 +690,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
   Report from murple@murple.net, diagnosis from dtucker@zip.com.au

-$Id: ChangeLog,v 1.2854 2003/07/14 07:28:34 dtucker Exp $
+$Id: ChangeLog,v 1.2855 2003/07/14 07:31:06 dtucker Exp $
--- a/packet.c
+++ b/packet.c
@ -37,7 +37,7 @@
 */

 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.108 2003/06/24 08:23:46 markus Exp $");
+RCSID("$OpenBSD: packet.c,v 1.109 2003/07/10 14:42:28 markus Exp $");

 #include "openbsd-compat/sys-queue.h"

@ -635,7 +635,14 @@ set_newkeys(int mode)
 			buffer_compress_init_recv();
 		comp->enabled = 1;
 	}
-	*max_blocks = ((u_int64_t)1 << (enc->block_size*2));
+	/*
+	 * The 2^(blocksize*2) limit is too expensive for 3DES,
+	 * blowfish, etc, so enforce a 1GB limit for small blocksizes.
+	 */
+	if (enc->block_size >= 16)
+		*max_blocks = (u_int64_t)1 << (enc->block_size*2);
+	else
+		*max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
 	if (rekey_limit)
 		*max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
 }