Hi Graham,
nice module, looks very useful.
A few (first glance) questions:
- The input filter seems to read and return blocksize bytes at once,
couldn't it read up to readbytes - readbytes % blocksize, or even
readbytes with retained buckets?
It seems that buffering (at most blocksize[ - 1]) would benefit the
output filter too (FLUSH).
- The IV length seems to be forced to correspond to the cipher's
blocksize; this is not applicable to all ciphers though.
- The following is used several times in exec_pass_conf_binary() and
looks buggy:
+ if (len < size) {
+ b = apr_palloc(r->pool, size);
+ memset(b, 0, size - len);
+ [fn](b + size - len, arg, strlen(arg));
+ }
+ else {
+ b = apr_palloc(r->pool, len);
+ [fn](b, arg, strlen(arg), 1,
+ NULL);
+ b += size - len;
size - len is <= 0 here, maybe len - size?
Also, maybe allocate size bytes only since the first len - size are ignored.
Finally, when len != size, why not use a key-type passphrase? (that
would probably better be configurable though).
+ }
+ *k = b;
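Review bot: in the else branch, `b += size - len` applies a zero or negative offset, so whenever len > size the pointer stored by `*k = b` lies before the start of the buffer returned by `apr_palloc(r->pool, len)`. If the trailing size bytes of the decoded value are meant to be the key, the offset should be `len - size`; if the leading bytes are meant, drop the adjustment and allocate only what is used. The two `[fn]` calls also take different argument lists (three arguments in the first branch, five in the second) and neither result is checked; since the else branch has no `memset` and `apr_palloc` does not zero memory, any bytes the call does not write remain uninitialised in the key buffer.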
Regards,
Yann.
On Mon, Dec 1, 2014 at 2:02 AM, Graham Leggett <[email protected]> wrote:
> Hi all,
>
> I have attached a proof of concept module that teaches httpd to support
> symmetrical encryption, initially to support on-the-fly HLS encryption for
> video streaming.
>
> This requires the apr-crypto-secretkey patch that I just posted to the APR
> list.
>
> This module also potentially solves a problem like this one:
> http://serverfault.com/questions/372588/decrypting-aes-files-in-an-apache-module
>
> Regards,
> Graham
> —