- markus@cvs.openbsd.org 2003/07/10 14:42:28

     [packet.c]
     the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
     blowfish, etc, so enforce a 1GB limit for small blocksizes.

diff --git a/ChangeLog b/ChangeLog
index 0f413d52fc9f3ba0b53f6ab0899ada7f177dc584..3ac85134f888644f2bec3951afde1698fb89c5b5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,10 @@
      minor tweak: when generating the hex fingerprint, give strlcat the full
      bound to the buffer, and add a comment below explaining why the
      zero-termination is one less than the bound.  markus@ ok
+   - markus@cvs.openbsd.org 2003/07/10 14:42:28
+     [packet.c]
+     the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
+     blowfish, etc, so enforce a 1GB limit for small blocksizes.
 
 20030708
  - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]

diff --git a/packet.c b/packet.c
index 0222120744567477fabec0d2d26684155d2e53d6..4ef639fd6297ef1bf12cca9f0f6f5fe8ca754ada 100644 (file)
--- a/packet.c
+++ b/packet.c
@@ -37,7 +37,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.108 2003/06/24 08:23:46 markus Exp $");
+RCSID("$OpenBSD: packet.c,v 1.109 2003/07/10 14:42:28 markus Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -635,7 +635,14 @@ set_newkeys(int mode)
                        buffer_compress_init_recv();
                comp->enabled = 1;
        }
-       *max_blocks = ((u_int64_t)1 << (enc->block_size*2));
+       /*
+        * The 2^(blocksize*2) limit is too expensive for 3DES,
+        * blowfish, etc, so enforce a 1GB limit for small blocksizes.
+        */
+       if (enc->block_size >= 16)
+               *max_blocks = (u_int64_t)1 << (enc->block_size*2);
+       else
+               *max_blocks = ((u_int64_t)1 << 30) / enc->block_size;
        if (rekey_limit)
                *max_blocks = MIN(*max_blocks, rekey_limit / enc->block_size);
 }