On Mon, Dec 1, 2014 at 11:03 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
> A few (first glance) questions :
>
> - The input filter seems to read and return blocksize bytes at once,
> couldn't it read up to readbytes - reabytes % blocksize, or even
> readbytes with retained buckets?
> It seems that buffering (at most blocksize[ - 1]) would benefit the
> output filter too (FLUSH).
>
> - The IV length seems to be forcibly corresponding to the cipher's
> blocksize, this is not applicable to all ciphers though.
>
> - The following is used several times in exec_pass_conf_binary() and
> looks buggy :
>
> + if (len < size) {
> + b = apr_palloc(r->pool, size);
> + memset(b, 0, size - len);
> + [fn](b + size - len, arg, strlen(arg));
> + }
> + else {
> + b = apr_palloc(r->pool, len);
> + [fn](b, arg, strlen(arg), 1,
> + NULL);
> + b += size - len;
>
> size - len is <= 0 here, maybe len - size?
> Also, maybe allocate size bytes only since the first len - size are ignored.
> Finally, when len != size, why not use a key-type passphrase? (that
> would probably better be configurable though).
>
> + }
> + *k = b;
Sorry, I forgot one question :
- What is the purpose of the handler returning the secret key?
Get it through a SSL channel for example?
At first glance it looks quite scary ;)
>
> Regards,
> Yann.
