[Fix] Include HS magic in cache key hashes to force recompilation on version bump

diff --git a/src/libserver/hyperscan_tools.cxx b/src/libserver/hyperscan_tools.cxx
index 6e58516dbc5a9de81d92bd53faaf1cf0adc85dde..2dcc62e44fa1076f9c83adf65be385e8dcf0c695 100644 (file)
--- a/src/libserver/hyperscan_tools.cxx
+++ b/src/libserver/hyperscan_tools.cxx
@@ -940,6 +940,15 @@ gboolean rspamd_hyperscan_create_shared_unser(const char *serialized_data,
 static const unsigned char rspamd_hs_magic[] = {'r', 's', 'h', 's', 'r', 'e', '1', '2'};
 #define RSPAMD_HS_MAGIC_LEN (sizeof(rspamd_hs_magic))
 
+const unsigned char *
+rspamd_hyperscan_get_magic(gsize *len)
+{
+       if (len) {
+               *len = RSPAMD_HS_MAGIC_LEN;
+       }
+       return rspamd_hs_magic;
+}
+
 gboolean rspamd_hyperscan_serialize_with_header(hs_database_t *db,
                                                                                                const unsigned int *ids,
                                                                                                const unsigned int *flags,

diff --git a/src/libserver/hyperscan_tools.h b/src/libserver/hyperscan_tools.h
index 255e334e0466c59ba5b34480953051ec87cda2a4..e2fd5c52a530029a29532e68d1b8056c163a6270 100644 (file)
--- a/src/libserver/hyperscan_tools.h
+++ b/src/libserver/hyperscan_tools.h
@@ -161,6 +161,15 @@ gboolean rspamd_hyperscan_validate_header(const char *data,
                                                                                  gsize len,
                                                                                  GError **err);
 
+/**
+ * Get the hyperscan serialization magic bytes.
+ * Used to include magic in hash computations so that version bumps
+ * invalidate cached databases.
+ * @param[out] len length of magic bytes
+ * @return pointer to magic bytes (static storage)
+ */
+const unsigned char *rspamd_hyperscan_get_magic(gsize *len);
+
 G_END_DECLS
 
 #endif

diff --git a/src/libserver/maps/map_helpers.c b/src/libserver/maps/map_helpers.c
index 627743f71e104d7144ba5d3d181753ab4ebc23dc..5f6c27693080b57a89036b2d840a271ca40e9a00 100644 (file)
--- a/src/libserver/maps/map_helpers.c
+++ b/src/libserver/maps/map_helpers.c
@@ -1411,6 +1411,12 @@ void rspamd_regexp_list_fin(struct map_cb_data *data, void **target)
        else {
                if (data->cur_data) {
                        re_map = data->cur_data;
+#ifdef WITH_HYPERSCAN
+                       /* Include serialization magic so version bumps invalidate cache */
+                       gsize magic_len;
+                       const unsigned char *magic = rspamd_hyperscan_get_magic(&magic_len);
+                       rspamd_cryptobox_hash_update(&re_map->hst, magic, magic_len);
+#endif
                        rspamd_cryptobox_hash_final(&re_map->hst, re_map->re_digest);
                        memcpy(&data->map->digest, re_map->re_digest, sizeof(data->map->digest));
                        rspamd_re_map_finalize(re_map);

diff --git a/src/libserver/re_cache.c b/src/libserver/re_cache.c
index bb9c3db8586506579a26ae432b73b2bddd7d0d42..9b8b87dd926af04792640d81eb7268b3bb7826a2 100644 (file)
--- a/src/libserver/re_cache.c
+++ b/src/libserver/re_cache.c
@@ -679,6 +679,10 @@ void rspamd_re_cache_init(struct rspamd_re_cache *cache, struct rspamd_config *c
                        rspamd_cryptobox_hash_update(re_class->st,
                                                                                 (gpointer) &re_class->num_local_re,
                                                                                 sizeof(re_class->num_local_re));
+                       /* Include serialization magic so version bumps invalidate cache */
+                       rspamd_cryptobox_hash_update(re_class->st,
+                                                                                rspamd_hs_magic,
+                                                                                RSPAMD_HS_MAGIC_LEN);
                        rspamd_cryptobox_hash_final(re_class->st, hash_out);
                        rspamd_snprintf(re_class->hash, sizeof(re_class->hash), "%*xs",
                                                        (int) rspamd_cryptobox_HASHBYTES, hash_out);

diff --git a/src/libutil/multipattern.c b/src/libutil/multipattern.c
index 16449cab881f4238ba87b7d9bd93c6a66f749f6f..f84a495f008628d96bf745ac2aa55b8367f14672 100644 (file)
--- a/src/libutil/multipattern.c
+++ b/src/libutil/multipattern.c
@@ -1223,6 +1223,11 @@ void rspamd_multipattern_get_hash(struct rspamd_multipattern *mp,
                g_assert(hs_populate_platform(&plt) == HS_SUCCESS);
                rspamd_cryptobox_hash_update(&hash_state, (void *) &plt, sizeof(plt));
 
+               /* Include serialization magic so version bumps invalidate cache */
+               gsize magic_len;
+               const unsigned char *magic = rspamd_hyperscan_get_magic(&magic_len);
+               rspamd_cryptobox_hash_update(&hash_state, magic, magic_len);
+
                rspamd_cryptobox_hash_final(&hash_state, hash_out);
                return;
        }