In scrypt remove the check that N < 2^(128 * r / 8)#24741
Conversation
|
looks like maybe you need to modify the appropriate ci builds such that they compile with a higher SCRYPT_MAX_MEMORY limit defined on the command line? |
|
This PR is waiting for the creator to make requested changes but it has not been updated for 30 days. If you have made changes or commented to the reviewer please make sure you re-request a review (see icon in the 'reviewers' section). |
This bound is given in RFC 7914, and would imply that scrypt could not make use of more than 16 MB of memory. This bound is contradicted by the RFC itself, which includes tests which use up to 1 GB. An errata was filed for the RFC in 2020 regarding this issue, but never acted upon by the authors. See openssl#24650 for background Co-Authored-By: Neil Horman <nhorman@openssl.org>
28c83ff to
8f0e4db
Compare
|
Sorry about the delay, should be ready for review now |
|
Something seems off here. #24650 cites
However, BoringSSL includes this check: And indeed, using those parameters, 2(128 * r / 8) = 2128, which is much larger than N = 1048576. So it seems this check is perfectly consistent with that tests and also with inputs that use lots of memory. |
|
hmm, @davidben you're right. I took the pkcs8 key in #24650, and ran it through gdb: So we can confirm N = 1048576 , r = 8 and p =1 So we can see that we skip the bounds check entirely, as 16 * 8 > LOG2_UINT64_MAX (63). We're just tripping over the maxmem sizing of 16MB that is fixed inside the scrypt code, which we had discussed here: It seems the test is fine regardless, we just need to settle on the best method for adjusting that sizing |
|
though it does beg the question about what (if anything) to do with that unaddressed errata |
|
Sounds like the erratum is invalid and should be marked as such. |
|
Ah, nevermind, I see. The erratum wasn't filed because of this misdiagnosis but something else. |
|
This PR is waiting for the creator to make requested changes but it has not been updated for 30 days. If you have made changes or commented to the reviewer please make sure you re-request a review (see icon in the 'reviewers' section). |
This bound is given in RFC 7914, and would imply that scrypt could not make use of more than 16 MB of memory. This bound is contradicted by the RFC itself, which includes tests which use up to 1 GB.
An errata was filed for the RFC in 2020 regarding this issue, but never acted upon by the authors.
See #24650 for background