On Mon, Dec 1, 2014 at 11:03 AM, Yann Ylavic <ylavic....@gmail.com> wrote: > A few (first glance) questions : > > - The input filter seems to read and return blocksize bytes at once, > couldn't it read up to readbytes - reabytes % blocksize, or even > readbytes with retained buckets? > It seems that buffering (at most blocksize[ - 1]) would benefit the > output filter too (FLUSH). > > - The IV length seems to be forcibly corresponding to the cipher's > blocksize, this is not applicable to all ciphers though. > > - The following is used several times in exec_pass_conf_binary() and > looks buggy : > > + if (len < size) { > + b = apr_palloc(r->pool, size); > + memset(b, 0, size - len); > + [fn](b + size - len, arg, strlen(arg)); > + } > + else { > + b = apr_palloc(r->pool, len); > + [fn](b, arg, strlen(arg), 1, > + NULL); > + b += size - len; > > size - len is <= 0 here, maybe len - size? > Also, maybe allocate size bytes only since the first len - size are ignored. > Finally, when len != size, why not use a key-type passphrase? (that > would probably better be configurable though). > > + } > + *k = b;
Sorry, I forgot one question : - What is the purpose of the handler returning the secret key? Get it through a SSL channel for example? At first glance it looks quite scary ;) > > Regards, > Yann.