Hi Graham, nice module, looks very useful.
A few (first glance) questions:

- The input filter seems to read and return blocksize bytes at once, couldn't it read up to readbytes - readbytes % blocksize, or even readbytes with retained buckets? It seems that buffering (at most blocksize[ - 1]) would benefit the output filter too (FLUSH).

- The IV length seems to be forcibly corresponding to the cipher's blocksize, this is not applicable to all ciphers though.

- The following is used several times in exec_pass_conf_binary() and looks buggy:

+ if (len < size) {
+ b = apr_palloc(r->pool, size);
+ memset(b, 0, size - len);
+ [fn](b + size - len, arg, strlen(arg));
+ }
+ else {
+ b = apr_palloc(r->pool, len);
+ [fn](b, arg, strlen(arg), 1,
+ NULL);
+ b += size - len;

size - len is <= 0 here, maybe len - size?
Also, maybe allocate size bytes only since the first len - size are ignored.
Finally, when len != size, why not use a key-type passphrase? (that would probably better be configurable though).

+ }
+ *k = b;

Regards,
Yann.

On Mon, Dec 1, 2014 at 2:02 AM, Graham Leggett <minf...@sharp.fm> wrote:
> Hi all,
>
> I have attached a proof of concept module that teaches httpd to support
> symmetrical encryption, initially to support on-the-fly HLS encryption for
> video streaming.
>
> This requires the apr-crypto-secretkey patch that I just posted to the APR
> list.
>
> This module also potentially solves a problem like this one:
> http://serverfault.com/questions/372588/decrypting-aes-files-in-an-apache-module
>
> Regards,
> Graham
> —
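
Review bot: In the else branch of the exec_pass_conf_binary() fragment quoted above, "b += size - len" runs only when len >= size, so the offset is zero or negative and "*k = b" can end up pointing before the start of the apr_palloc(r->pool, len) buffer. If the intent is to keep the trailing size bytes of the decoded value, the adjustment should be "b += len - size"; otherwise an over-length value is better rejected as a configuration error than silently truncated, since this is key material. The len < size branch zero-fills the leading size - len bytes, so a short value yields a key whose leading bytes are known zeros; that padding behaviour deserves a comment or a documented minimum length.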