Skip to content

Cap the scrypt cost parameter to avoid OOM

akwizgran requested to merge 1926-cap-scrypt-cost into master

This branch limits the scrypt cost parameter N to avoid running out of memory.

Scrypt uses at least 128 * N * r bytes of memory (https://blog.filippo.io/the-scrypt-parameters/). In Briar's case r is always 8 and N is a power of two between 256 and 1024 * 1024, so scrypt uses between 256 KB and 1 GB of memory (plus allocation overhead) depending on the value of N. During account creation, Briar tries to find a suitable value of N for the device by starting from 256 and doubling the value until scrypt takes more than 1 second to run.

If the CPU and memory bus are fast relative to the heap size, Briar may find a value of N that exhausts the available memory before it finds a value for which scrypt takes more than 1 second to run.

This can be reproduced with briar-headless by restricting the max heap size. On my machine, limiting the heap to 16 MB causes briar-headless to crash with an OOM in ScryptKdf#chooseCostParameter() after account setup:

$ rm -r ~/.briar
$ java -Xmx16M -jar briar-headless/output/libs/briar-headless.jar

The same command doesn't crash with this branch: the scrypt cost parameter is capped to 8192, so scrypt uses no more than 8 MB of memory (plus allocation overhead).

Closes #1926 (closed)

Merge request reports