diff options
author | dtucker@openbsd.org <dtucker@openbsd.org> | 2017-06-09 04:40:04 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2017-06-10 16:39:09 +1000 |
commit | ad0531614cbe8ec424af3c0fa90c34a8e1ebee4c (patch) | |
tree | 64e1269e1e4c4476e26e34bab2225284dcb939b5 | |
parent | ce9134260b9b1247e2385a1afed00c26112ba479 (diff) |
upstream commit
Add comments referring to the relevant RFC sections for
rekeying behaviour.
Upstream-ID: 6fc8e82485757a27633f9175ad00468f49a07d40
-rw-r--r-- | packet.c | 8 |
1 files changed, 6 insertions, 2 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: packet.c,v 1.260 2017/06/06 09:12:17 dtucker Exp $ */ | 1 | /* $OpenBSD: packet.c,v 1.261 2017/06/09 04:40:04 dtucker Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -901,6 +901,7 @@ ssh_set_newkeys(struct ssh *ssh, int mode) | |||
901 | /* | 901 | /* |
902 | * The 2^(blocksize*2) limit is too expensive for 3DES, | 902 | * The 2^(blocksize*2) limit is too expensive for 3DES, |
903 | * so enforce a 1GB limit for small blocksizes. | 903 | * so enforce a 1GB limit for small blocksizes. |
904 | * See RFC4344 section 3.2. | ||
904 | */ | 905 | */ |
905 | if (enc->block_size >= 16) | 906 | if (enc->block_size >= 16) |
906 | *max_blocks = (u_int64_t)1 << (enc->block_size*2); | 907 | *max_blocks = (u_int64_t)1 << (enc->block_size*2); |
@@ -944,7 +945,10 @@ ssh_packet_need_rekeying(struct ssh *ssh, u_int outbound_packet_len) | |||
944 | (int64_t)state->rekey_time + state->rekey_interval <= monotime()) | 945 | (int64_t)state->rekey_time + state->rekey_interval <= monotime()) |
945 | return 1; | 946 | return 1; |
946 | 947 | ||
947 | /* Always rekey when MAX_PACKETS sent in either direction */ | 948 | /* |
949 | * Always rekey when MAX_PACKETS sent in either direction | ||
950 | * As per RFC4344 section 3.1 we do this after 2^31 packets. | ||
951 | */ | ||
948 | if (state->p_send.packets > MAX_PACKETS || | 952 | if (state->p_send.packets > MAX_PACKETS || |
949 | state->p_read.packets > MAX_PACKETS) | 953 | state->p_read.packets > MAX_PACKETS) |
950 | return 1; | 954 | return 1; |