Created attachment 1380: patch against 4.7p1

The RekeyLimit option allows setting the limit up to 2^31 bytes only, since it's a signed integer. However, the default value for the rekeying limit is 2^32, since AES's block size is 16 bytes (limit set in packet.c): 2^(block_size * 2) = 2^32. Since there is no support for ciphers with block sizes of 32 bytes, it's enough to use u_int32_t for rekey_limit, fix the casting, and replace INT_MAX with UINT_MAX. Patch attached.
Created attachment 1381: fixed patch

I forgot about the initial -1 value... So the following line in the patch was not correct:

    if (*activep && options->rekey_limit == -1)

A possible solution is to use int64_t for options.rekey_limit and explicitly cast it to u_int32_t in set_packet_rekey_limit(). Since rekey_limit is tested against UINT_MAX, it's OK. Corrected patch uploaded.
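The storage choice discussed in the two comments above, as an added C illustration (not the attached patch and not OpenSSH source). The function names, the REKEY_UNSET macro, the plain decimal parser and the "set only while unset" rule are assumptions made for the example; uint32_t stands in for u_int32_t.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

#define REKEY_UNSET (-1)  /* hypothetical name for the "not set yet" sentinel */

/* Parse a non-negative decimal byte count; returns -1 on bad input. */
static int64_t parse_bytes(const char *s)
{
    char *end;
    long long v;
    errno = 0;
    v = strtoll(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 0)
        return -1;
    return (int64_t)v;
}

/* Before: signed int storage, so the ceiling is INT_MAX (2^31 - 1). */
int set_limit_int(int *opt, const char *arg)
{
    int64_t v = parse_bytes(arg);
    if (v < 0 || v > INT_MAX)
        return -1;               /* larger limits cannot be stored */
    if (*opt == REKEY_UNSET)
        *opt = (int)v;
    return 0;
}

/* After: int64_t holds the -1 sentinel and every value up to UINT_MAX. */
int set_limit_i64(int64_t *opt, const char *arg)
{
    int64_t v = parse_bytes(arg);
    if (v < 0 || v > UINT_MAX)
        return -1;
    if (*opt == REKEY_UNSET)     /* sentinel stays distinct from any limit */
        *opt = v;
    return 0;
}

/* Narrowing for the packet layer; lossless because of the UINT_MAX check. */
uint32_t limit_for_packet(int64_t opt) { return (uint32_t)opt; }

/* With 32-bit unsigned storage, -1 converts to UINT_MAX, a valid limit. */
int u32_sentinel_collides(void) { return (uint32_t)REKEY_UNSET == UINT_MAX; }
```
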
Target 4.8
Comment on attachment 1381: fixed patch

This looks OK to me. Darren?
fix applied - thanks!
Fix shipped in 4.9/4.9p1 release.