Avoid extra key fetching on hash check #490
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Noticed that acra-server inefficiently matches searchable envelopes. It checks only hash header that now should contain first byte zero (0) and have > 32 byte length (sha256). If payload has first byte 0 and 32 bytes more than acra-server decide that probably it is searchable envelope and tries to check it by getting HMAC key and hashing. But it may verify remain payload that it has known signature of any CryptoEnvelope, try to detect other 3 types of headers (acrastruct, acrablock, serialized container). It takes less of computational time than getting HMAC key. Because key is private and encrypted. So we should decrypt it even if it stored in local cache. If it is not in a cache then we should make syscall and read file from file system keystore or even make remote request to Redis (one another keystore backend) just to check that payload is a trash, not a ciphertext.
So, here were added
EnvelopeMatcher
that uses existingEnvelopeDetector
that matches new versioned envelopes andOldContainerDetectorWrapper
to match pureAcraStruct
/AcraBlock
signatures. It uses matchers without any callbacks that make any decryption or other expensive operations, they only try to match signatures in a loop and if finds then up flag about it.And updated
hmac.Processor
to use this matcher. If processor matches valid hash signature then it tries to match remain payload to known ciphertext headers. And only after successful check it will do next steps with getting key and verification hashes.Checklist
with new changes