httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: [Patch] mod_crypto: A general purpose crypto filter with HLS support
Date Mon, 01 Dec 2014 10:11:09 GMT
On Mon, Dec 1, 2014 at 11:03 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> A few (first glance) questions :
>
> - The input filter seems to read and return blocksize bytes at once,
> couldn't it read up to readbytes - readbytes % blocksize, or even
> readbytes with retained buckets?
> It seems that buffering (at most blocksize[ - 1]) would benefit the
> output filter too (FLUSH).
>
> - The IV length seems to be forcibly corresponding to the cipher's
> blocksize, this is not applicable to all ciphers though.
>
> - The following is used several times in exec_pass_conf_binary() and
> looks buggy :
>
> +                if (len < size) {
> +                    b = apr_palloc(r->pool, size);
> +                    memset(b, 0, size - len);
> +                    [fn](b + size - len, arg, strlen(arg));
> +                }
> +                else {
> +                    b = apr_palloc(r->pool, len);
> +                    [fn](b, arg, strlen(arg), 1,
> +                            NULL);
> +                    b += size - len;
>
> size - len is <= 0 here, maybe len - size?
> Also, maybe allocate size bytes only since the first len - size are ignored.
> Finally, when len != size, why not use a key-type passphrase? (that
> would probably better be configurable though).
>
> +                }
> +                *k = b;
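
Review bot: In both branches a decoded value whose length differs from size is accepted silently, and nothing in the lines shown logs or rejects the mismatch. The `len < size` branch left-pads with zero bytes via `memset(b, 0, size - len)`, and the else branch is evidently meant to keep only size bytes of a longer value, so a mistyped or truncated key in the configuration still yields a usable key that is weaker than, or different from, the one intended. Consider failing with a configuration error when len != size instead of adjusting the buffer. Separately, in the else branch `b += size - len` is zero or negative, so for len > size the pointer stored by `*k = b` lies before the start of the len-byte allocation; `b += len - size` would stay inside it. The result of `[fn]` is also not checked in either branch here, so a decode failure would leave uninitialised pool memory in the key.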

Sorry, I forgot one question :
- What is the purpose of the handler returning the secret key?
Get it through a SSL channel for example?
At first glance it looks quite scary ;)

>
> Regards,
> Yann.
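
The first question above (read up to readbytes - readbytes % blocksize and retain at most blocksize - 1 bytes until FLUSH) can be sketched in plain C as follows. This is an added example, not code from the message or from the mod_crypto patch; it uses no APR buckets, and block_carry, carry_feed, carry_flush, aligned_read_size and MAX_BLOCK are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define MAX_BLOCK 64 /* assumption: upper bound on the cipher block size */

/* Hypothetical carry state: never holds more than blocksize - 1 bytes. */
typedef struct {
    size_t blocksize, held;
    unsigned char carry[MAX_BLOCK];
} block_carry;

int carry_init(block_carry *c, size_t blocksize) {
    if (blocksize == 0 || blocksize > MAX_BLOCK) return -1;
    c->blocksize = blocksize;
    c->held = 0;
    return 0;
}

/* readbytes - readbytes % blocksize, but at least one block so the
 * filter always makes progress on small requests. */
size_t aligned_read_size(size_t readbytes, size_t blocksize) {
    size_t n = readbytes - readbytes % blocksize;
    return n ? n : blocksize;
}

/* Copy every complete block (carried bytes first) to out, ready for the
 * cipher update call, and retain the tail. out needs room for
 * held + len bytes. Returns the number of bytes written to out. */
size_t carry_feed(block_carry *c, const unsigned char *in, size_t len,
                  unsigned char *out) {
    size_t total = c->held + len;
    size_t tail = total % c->blocksize, ready = total - tail;
    if (ready == 0) { /* still less than one block: just accumulate */
        memcpy(c->carry + c->held, in, len);
        c->held = total;
        return 0;
    }
    memcpy(out, c->carry, c->held);
    memcpy(out + c->held, in, len - tail);
    memcpy(c->carry, in + len - tail, tail);
    c->held = tail;
    return ready;
}

/* On FLUSH/EOS: hand over the partial block for padding/finalisation. */
size_t carry_flush(block_carry *c, unsigned char *out) {
    size_t n = c->held;
    memcpy(out, c->carry, n);
    c->held = 0;
    return n;
}
```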
