bugzilla-daemon at bugzilla.mindrot.org
2007-Nov-09 17:14 UTC
[Bug 1390] New: RekeyLimit max value is too restrictive
https://bugzilla.mindrot.org/show_bug.cgi?id=1390

           Summary: RekeyLimit max value is too restrictive
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: Jan.Pechanec at Sun.COM

Created an attachment (id=1380)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1380)
patch against 4.7p1

RekeyLimit option allows to set the limit up to 2^31 bytes only since it's a signed integer. However, the default value for rekeying limit is 2^32 since AES's block size is 16 bytes (limit set in packet.c).

2^(block_size * 2) = 2^32

since there is no support for ciphers with block sizes of 32 bytes it's enough to use u_int32_t for rekey_limit + fix the casting and replace INT_MAX with UINT_MAX.

patch attached.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2007-Nov-12 22:53 UTC
[Bug 1390] RekeyLimit max value is too restrictive
https://bugzilla.mindrot.org/show_bug.cgi?id=1390

Jan Pechanec <Jan.Pechanec at Sun.COM> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #1380 is|0                           |1
           obsolete|                            |

--- Comment #1 from Jan Pechanec <Jan.Pechanec at Sun.COM> 2007-11-13 09:53:18 ---
Created an attachment (id=1381)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1381)
fixed patch

I forgot about the initial -1 value... So, the following line was not correct in the patch then:

    if (*activep && options->rekey_limit == -1)

possible solution is to use int64_t for options.rekey_limit and explicitly cast it to u_int32_t in set_packet_rekey_limit(). Since rekey_limit is tested against UINT_MAX it's OK.

corrected patch uploaded.
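Added example (not part of the bug report, its attachments, or the OpenSSH source): a self-contained C sketch of the two points raised above, namely the INT_MAX cap on a signed int field and the collision between the -1 "unset" sentinel and UINT_MAX in a 32-bit unsigned field. All function names and REKEY_UNSET are hypothetical, uint32_t stands in for u_int32_t, and a 32-bit int is assumed.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

#define REKEY_UNSET (-1)	/* "option not set" sentinel discussed in the thread */

/* Hypothetical helper: parse a decimal byte count in [0, max], or return -1. */
static long long parse_bytes(const char *s, long long max)
{
	char *end;
	long long v;
	errno = 0;
	v = strtoll(s, &end, 10);
	if (errno != 0 || end == s || *end != '\0' || v < 0 || v > max)
		return -1;
	return v;
}

/* Before: signed int field capped at INT_MAX, so 2^31 and above are refused. */
int set_limit_int(const char *s, int *field)
{
	long long v = parse_bytes(s, INT_MAX);
	if (v < 0)
		return -1;
	*field = (int)v;
	return 0;
}

/* After: int64_t field capped at UINT_MAX; -1 stays outside the valid range. */
int set_limit_int64(const char *s, int64_t *field)
{
	long long v = parse_bytes(s, UINT_MAX);
	if (v < 0)
		return -1;
	*field = (int64_t)v;
	return 0;
}

/* In a 32-bit unsigned field, -1 and the largest legal limit are the same bits. */
int u32_field_reads_as_unset(uint32_t field)
{
	return field == (uint32_t)REKEY_UNSET;
}

/* Explicit narrowing when the checked limit is handed to the packet layer. */
uint32_t packet_limit(int64_t field)
{
	return (uint32_t)field;
}
```

The cast in packet_limit() is lossless only because set_limit_int64() has already rejected anything above UINT_MAX.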
bugzilla-daemon at bugzilla.mindrot.org
2007-Dec-31 12:56 UTC
[Bug 1390] RekeyLimit max value is too restrictive
https://bugzilla.mindrot.org/show_bug.cgi?id=1390

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au
             Blocks|                            |1353

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2007-12-31 23:56:23 ---
Target 4.8
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-19 21:12 UTC
[Bug 1390] RekeyLimit max value is too restrictive
https://bugzilla.mindrot.org/show_bug.cgi?id=1390

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1381|                            |ok?(dtucker at zip.com.au)
               Flag|                            |

--- Comment #3 from Damien Miller <djm at mindrot.org> 2008-01-20 08:12:20 ---
(From update of attachment 1381)
This looks OK to me. Darren?
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-19 23:01 UTC
[Bug 1390] RekeyLimit max value is too restrictive
https://bugzilla.mindrot.org/show_bug.cgi?id=1390

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1381|ok?(dtucker at zip.com.au)   |ok+
               Flag|                            |
bugzilla-daemon at bugzilla.mindrot.org
2008-Jan-19 23:12 UTC
[Bug 1390] RekeyLimit max value is too restrictive
https://bugzilla.mindrot.org/show_bug.cgi?id=1390

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
                 CC|                            |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> 2008-01-20 10:12:52 ---
fix applied - thanks!
bugzilla-daemon at bugzilla.mindrot.org
2008-Mar-31 04:22 UTC
[Bug 1390] RekeyLimit max value is too restrictive
https://bugzilla.mindrot.org/show_bug.cgi?id=1390

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Damien Miller <djm at mindrot.org> 2008-03-31 15:22:30 ---
Fix shipped in 4.9/4.9p1 release.