| blob | b3f53589c084f00cc5c1c477035d4bd0b2d13282 |
1 /* Copyright 2001,2002,2003 Roger Dingledine, Matej Pfajfar.
2 * Copyright 2004-2005 Roger Dingledine, Nick Mathewson */
3 /* See LICENSE for licensing information */
4 /* $Id$ */
8 /**
9 * \file crypto.c
10 * \brief Wrapper functions to present a consistent interface to
11 * public-key and symmetric cryptography operations from OpenSSL.
12 **/
16 #ifdef MS_WINDOWS
17 #define WIN32_WINNT 0x400
18 #define _WIN32_WINNT 0x400
19 #define WIN32_LEAN_AND_MEAN
20 #include <windows.h>
21 #include <wincrypt.h>
22 #endif
24 #include <string.h>
26 #include <openssl/err.h>
27 #include <openssl/rsa.h>
28 #include <openssl/pem.h>
29 #include <openssl/evp.h>
30 #include <openssl/rand.h>
31 #include <openssl/opensslv.h>
32 #include <openssl/bn.h>
33 #include <openssl/dh.h>
34 #include <openssl/rsa.h>
35 #include <openssl/dh.h>
36 #include <openssl/conf.h>
38 #include <stdlib.h>
39 #include <assert.h>
40 #include <stdio.h>
41 #include <limits.h>
43 #ifdef HAVE_CTYPE_H
44 #include <ctype.h>
45 #endif
46 #ifdef HAVE_UNISTD_H
47 #include <unistd.h>
48 #endif
49 #ifdef HAVE_FCNTL_H
50 #include <fcntl.h>
51 #endif
52 #ifdef HAVE_SYS_FCNTL_H
53 #include <sys/fcntl.h>
54 #endif
63 #if OPENSSL_VERSION_NUMBER < 0x00905000l
65 #elif OPENSSL_VERSION_NUMBER < 0x00906000l
66 #define OPENSSL_095
67 #endif
69 #if OPENSSL_VERSION_NUMBER < 0x00907000l
70 #define OPENSSL_PRE_097
71 #define NO_ENGINES
72 #else
73 #include <openssl/engine.h>
74 #endif
76 /* Certain functions that return a success code in OpenSSL 0.9.6 return void
77 * (and don't indicate errors) in OpenSSL version 0.9.5.
78 *
79 * [OpenSSL 0.9.5 matters, because it ships with Redhat 6.2.]
80 */
81 #ifdef OPENSSL_095
82 #define RETURN_SSL_OUTCOME(exp) (exp); return 0
83 #else
84 #define RETURN_SSL_OUTCOME(exp) return !(exp)
85 #endif
87 /** Macro: is k a valid RSA public or private key? */
88 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
89 /** Macro: is k a valid RSA private key? */
90 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
92 #ifdef TOR_IS_MULTITHREADED
95 #endif
97 /** A public key, or a public/private keypair. */
98 struct crypto_pk_env_t
99 {
102 };
104 /** Key and stream information for a stream cipher. */
105 struct crypto_cipher_env_t
106 {
109 };
111 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
112 * while we're waiting for the second.*/
115 };
117 /* Prototypes for functions only used by tortls.c */
126 /** Return the number of bytes added by padding method <b>padding</b>.
127 */
130 {
132 {
137 }
138 }
140 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
141 */
144 {
146 {
151 }
152 }
154 /** Boolean: has OpenSSL's crypto been initialized? */
157 /** Log all pending crypto errors at level <b>severity</b>. Use
158 * <b>doing</b> to describe our current activities.
159 */
160 static void
162 {
175 }
176 }
177 }
179 #ifndef NO_ENGINES
180 static void
182 {
191 }
192 }
193 #endif
195 /** Initialize the crypto library. Return 0 on success, -1 on failure.
196 */
197 int
199 {
205 #ifndef NO_ENGINES
214 /* XXXX make sure this isn't leaking. */
221 }
222 #endif
223 }
225 }
227 /** Free crypto resources held by this thread. */
228 void
230 {
231 #ifndef ENABLE_0119_PARANOIA_B1
233 #endif
234 }
236 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
237 */
238 int
240 {
242 #ifndef ENABLE_0119_PARANOIA_C
244 #endif
246 #ifndef NO_ENGINES
248 #ifndef ENABLE_0119_PARANOIA_C
251 #endif
252 #endif
253 #ifdef TOR_IS_MULTITHREADED
262 }
264 }
265 #endif
267 }
269 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
270 crypto_pk_env_t *
272 {
279 }
281 /** used by tortls.c: return the RSA* from a crypto_pk_env_t. */
282 RSA *
284 {
286 }
288 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
289 * private is set, include the private-key portion of the key. */
290 EVP_PKEY *
292 {
302 }
308 error:
314 }
316 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
317 */
318 DH *
320 {
322 }
324 /** Allocate and return storage for a public key. The key itself will not yet
325 * be set.
326 */
327 crypto_pk_env_t *
329 {
335 }
337 /** Release a reference to an asymmetric key; when all the references
338 * are released, free the key.
339 */
340 void
342 {
352 }
354 /** Create a new symmetric cipher for a given key and encryption flag
355 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
356 * on failure.
357 */
358 crypto_cipher_env_t *
360 {
367 }
372 }
376 else
383 error:
387 }
389 /** Allocate and return a new symmetric cipher.
390 */
391 crypto_cipher_env_t *
393 {
399 }
401 /** Free a symmetric cipher.
402 */
403 void
405 {
411 }
413 /* public key crypto */
415 /** Generate a new public/private keypair in <b>env</b>. Return 0 on
416 * success, -1 on failure.
417 */
418 int
420 {
429 }
432 }
434 /** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
435 * Return 0 on success, -1 on failure.
436 */
437 static int
440 {
446 /* Create a read-only memory BIO, backed by the nul-terminated string 's' */
459 }
461 }
463 /** Read a PEM-encoded private key from the file named by
464 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
465 */
466 int
469 {
473 /* Read the file into a string. */
478 }
480 /* Try to parse it. */
486 /* Make sure it's valid. */
491 }
493 /** PEM-encode the public key portion of <b>env</b> and write it to a
494 * newly allocated string. On success, set *<b>dest</b> to the new
495 * string, *<b>len</b> to the string's length, and return 0. On
496 * failure, return -1.
497 */
498 int
501 {
511 /* Now you can treat b as if it were a file. Just use the
512 * PEM_*_bio_* functions instead of the non-bio variants.
513 */
517 }
531 }
533 /** Read a PEM-encoded public key from the first <b>len</b> characters of
534 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
535 * failure.
536 */
537 int
540 {
557 }
560 }
562 /* Write the private key from 'env' into the file named by 'fname',
563 * PEM-encoded. Return 0 on success, -1 on failure.
564 */
565 int
568 {
584 }
594 }
596 /** Allocate a new string in *<b>out</b>, containing the public portion of the
597 * RSA key in <b>env</b>, encoded first with DER, then in base-64. Return the
598 * length of the encoded representation on success, and -1 on failure.
599 *
600 * <i>This function is for temporary use only. We need a simple
601 * one-line representation for keys to work around a bug in parsing
602 * directories containing "opt keyword\n-----BEGIN OBJECT----" entries
603 * in versions of Tor up to 0.0.9pre2.</i>
604 */
605 int
607 {
615 }
621 }
622 /* Remove spaces */
625 }
627 /** Decode a base-64 encoded DER representation of an RSA key from <b>in</b>,
628 * and store the result in <b>env</b>. Return 0 on success, -1 on failure.
629 *
630 * <i>This function is for temporary use only. We need a simple
631 * one-line representation for keys to work around a bug in parsing
632 * directories containing "opt keyword\n-----BEGIN OBJECT----" entries
633 * in versions of Tor up to 0.0.9pre2.</i>
634 */
635 crypto_pk_env_t *
637 {
646 }
647 /* base64_decode doesn't work unless we insert linebreaks every 64
648 * characters. how dumb. */
650 ALWAYS_TERMINATE))
656 }
658 }
660 /** Return true iff <b>env</b> has a valid key.
661 */
662 int
664 {
672 }
674 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
675 * if a==b, and 1 if a\>b.
676 */
677 int
679 {
694 }
696 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
697 size_t
699 {
704 }
706 /** Increase the reference count of <b>env</b>, and return it.
707 */
708 crypto_pk_env_t *
710 {
716 }
718 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
719 * in <b>env</b>, using the padding method <b>padding</b>. On success,
720 * write the result to <b>to</b>, and return the number of bytes
721 * written. On failure, return -1.
722 */
723 int
726 {
737 }
739 }
741 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
742 * in <b>env</b>, using the padding method <b>padding</b>. On success,
743 * write the result to <b>to</b>, and return the number of bytes
744 * written. On failure, return -1.
745 */
746 int
750 {
757 /* Not a private key */
767 }
769 }
771 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
772 * public key in <b>env</b>, using PKCS1 padding. On success, write the
773 * signed data to <b>to</b>, and return the number of bytes written.
774 * On failure, return -1.
775 */
776 int
779 {
790 }
792 }
794 /** Check a siglen-byte long signature at <b>sig</b> against
795 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
796 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
797 * SHA1(data). Else return -1.
798 */
799 int
802 {
814 }
819 }
823 }
826 }
828 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
829 * <b>env</b>, using PKCS1 padding. On success, write the signature to
830 * <b>to</b>, and return the number of bytes written. On failure, return
831 * -1.
832 */
833 int
836 {
842 /* Not a private key */
850 }
852 }
854 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
855 * <b>from</b>; sign the data with the private key in <b>env</b>, and
856 * store it in <b>to</b>. Return the number of bytes written on
857 * success, and -1 on failure.
858 */
859 int
862 {
867 }
869 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
870 * bytes of data from <b>from</b>, with padding type 'padding',
871 * storing the results on <b>to</b>.
872 *
873 * If no padding is used, the public key must be at least as large as
874 * <b>from</b>.
875 *
876 * Returns the number of bytes written on success, -1 on failure.
877 *
878 * The encrypted data consists of:
879 * - The source data, padded and encrypted with the public key, if the
880 * padded source data is no longer than the public key, and <b>force</b>
881 * is false, OR
882 * - The beginning of the source data prefixed with a 16-byte symmetric key,
883 * padded and encrypted with the public key; followed by the rest of
884 * the source data encrypted in AES-CTR mode with the symmetric key.
885 */
886 int
892 {
909 /* It all fits in a single encrypt. */
911 }
916 /* You can't just run around RSA-encrypting any bitstream: if it's
917 * greater than the RSA key, then OpenSSL will happily encrypt, and
918 * later decrypt to the wrong value. So we set the first bit of
919 * 'cipher->key' to 0 if we aren't padding. This means that our
920 * symmetric key is really only 127 bits.
921 */
929 /* Length of symmetrically encrypted data. */
935 }
943 err:
947 }
949 /** Invert crypto_pk_public_hybrid_encrypt. */
950 int
956 {
967 warnOnFailure);
968 }
970 warnOnFailure);
975 }
980 }
984 }
993 err:
997 }
999 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
1000 * Return -1 on error, or the number of characters used on success.
1001 */
1002 int
1004 {
1016 }
1017 /* We don't encode directly into 'dest', because that would be illegal
1018 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1019 */
1023 }
1025 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1026 * success and NULL on failure.
1027 */
1028 crypto_pk_env_t *
1030 {
1033 /* This ifdef suppresses a type warning. Take out the first case once
1034 * everybody is using openssl 0.9.7 or later.
1035 */
1036 #if OPENSSL_VERSION_NUMBER < 0x00907000l
1038 #else
1040 #endif
1048 }
1050 }
1052 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1053 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1054 * Return 0 on success, -1 on failure.
1055 */
1056 int
1058 {
1071 }
1075 }
1078 }
1080 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1081 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1082 * space). Return 0 on success, -1 on failure.
1083 *
1084 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1085 * of the public key, converted to hexadecimal, in upper case, with a
1086 * space after every four digits.
1087 *
1088 * If <b>add_space</b> is false, omit the spaces.
1089 */
1090 int
1092 {
1097 }
1105 }
1107 }
1109 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1110 */
1111 int
1113 {
1120 }
1121 }
1124 }
1126 /* symmetric crypto */
1128 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1129 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1130 */
1131 int
1133 {
1137 }
1139 /** Set the symmetric key for the cipher in <b>env</b> to the first
1140 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1141 * Return 0 on success, -1 on failure.
1142 */
1143 int
1145 {
1155 }
1157 /** Return a pointer to the key set for the cipher in <b>env</b>.
1158 */
1161 {
1163 }
1165 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1166 * success, -1 on failure.
1167 */
1168 int
1170 {
1175 }
1177 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1178 * success, -1 on failure.
1179 */
1180 int
1182 {
1187 }
1189 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1190 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1191 * On failure, return -1.
1192 */
1193 int
1196 {
1205 }
1207 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1208 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1209 * On failure, return -1.
1210 */
1211 int
1214 {
1221 }
1223 /* SHA-1 */
1225 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1226 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1227 * Return 0 on success, -1 on failure.
1228 */
1229 int
1231 {
1235 }
1237 /** Intermediate information about the digest of a stream of data. */
1239 SHA_CTX d;
1240 };
1242 /** Allocate and return a new digest object.
1243 */
1244 crypto_digest_env_t *
1246 {
1251 }
1253 /** Deallocate a digest object.
1254 */
1255 void
1257 {
1259 }
1261 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1262 */
1263 void
1266 {
1269 /* Using the SHA1_*() calls directly means we don't support doing
1270 * sha1 in hardware. But so far the delay of getting the question
1271 * to the hardware, and hearing the answer, is likely higher than
1272 * just doing it ourselves. Hashes are fast.
1273 */
1275 }
1277 /** Compute the hash of the data that has been passed to the digest
1278 * object; write the first out_len bytes of the result to <b>out</b>.
1279 * <b>out_len</b> must be \<= DIGEST_LEN.
1280 */
1281 void
1284 {
1286 SHA_CTX tmpctx;
1290 /* memcpy into a temporary ctx, since SHA1_Final clears the context */
1294 }
1296 /** Allocate and return a new digest object with the same state as
1297 * <b>digest</b>
1298 */
1299 crypto_digest_env_t *
1301 {
1307 }
1309 /** Replace the state of the digest object <b>into</b> with the state
1310 * of the digest object <b>from</b>.
1311 */
1312 void
1315 {
1319 }
1321 /* DH */
1323 /** Shared P parameter for our DH key exchanged. */
1325 /** Shared G parameter for our DH key exchanges. */
1328 /** Initialize dh_param_p and dh_param_g if they are not already
1329 * set. */
1330 static void
1332 {
1343 /* This is from rfc2409, section 6.2. It's a safe prime, and
1344 supposedly it equals:
1345 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1346 */
1348 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1349 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1350 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1351 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1359 }
1361 #define DH_PRIVATE_KEY_BITS 320
1363 /** Allocate and return a new DH object for a key exchange.
1364 */
1365 crypto_dh_env_t *
1367 {
1384 #ifndef ENABLE_0119_PARANOIA_A
1386 #endif
1389 err:
1394 }
1396 /** Return the length of the DH key in <b>dh</b>, in bytes.
1397 */
1398 int
1400 {
1403 }
1405 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1406 * success, -1 on failure.
1407 */
1408 int
1410 {
1411 again:
1415 }
1419 /* Free and clear the keys, so openssl will actually try again. */
1424 }
1426 }
1428 /** Generate g^x as necessary, and write the g^x for the key exchange
1429 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1430 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1431 */
1432 int
1434 {
1440 }
1449 }
1455 }
1457 /** Check for bad diffie-hellman public keys (g^x). Return 0 if the key is
1458 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
1459 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1460 */
1461 static int
1463 {
1475 }
1481 }
1484 err:
1490 }
1492 #undef MIN
1493 #define MIN(a,b) ((a)<(b)?(a):(b))
1494 /** Given a DH key exchange object, and our peer's value of g^y (as a
1495 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1496 * <b>secret_bytes_out</b> bytes of shared key material and write them
1497 * to <b>secret_out</b>. Return the number of bytes generated on success,
1498 * or -1 on failure.
1499 *
1500 * (We generate key material by computing
1501 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1502 * where || is concatenation.)
1503 */
1504 int
1508 {
1519 /* Check for invalid public keys. */
1522 }
1528 }
1530 /* sometimes secret_len might be less than 128, e.g., 127. that's ok. */
1531 /* Actually, http://www.faqs.org/rfcs/rfc2631.html says:
1532 * Leading zeros MUST be preserved, so that ZZ occupies as many
1533 * octets as p. For instance, if p is 1024 bits, ZZ should be 128
1534 * bytes long.
1535 * What are the security implications here?
1536 */
1543 error:
1545 done:
1552 else
1554 }
1556 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
1557 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
1558 * <b>key_out</b> by taking the first key_out_len bytes of
1559 * H(K | [00]) | H(K | [01]) | ....
1560 *
1561 * Return 0 on success, -1 on failure.
1562 */
1563 int
1566 {
1571 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
1583 }
1588 err:
1592 }
1594 /** Free a DH key exchange object.
1595 */
1596 void
1598 {
1603 }
1605 /* random numbers */
1607 /* This is how much entropy OpenSSL likes to add right now, so maybe it will
1608 * work for us too. */
1609 #define ADD_ENTROPY 32
1611 /* Use RAND_poll if openssl is 0.9.6 release or later. (The "f" means
1612 "release".) */
1613 #ifndef ENABLE_0119_PARANOIA_B2
1614 #define USE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
1615 #else
1616 #define USE_RAND_POLL 0
1617 #endif
1619 /** Seed OpenSSL's random number generator with bytes from the
1620 * operating system. Return 0 on success, -1 on failure.
1621 */
1622 int
1624 {
1628 /* local variables */
1629 #ifdef MS_WINDOWS
1632 #else
1635 };
1638 #endif
1640 #if USE_RAND_POLL
1641 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
1642 * entropy than we do. We'll try calling that, *and* calling our own entropy
1643 * functions. If one succeeds, we'll accept the RNG as seeded. */
1647 #else
1649 #endif
1651 #ifdef MS_WINDOWS
1654 CRYPT_VERIFYCONTEXT)) {
1658 }
1659 }
1661 }
1665 }
1668 #else
1679 }
1682 }
1686 #endif
1687 }
1689 /** Write n bytes of strong random data to <b>to</b>. Return 0 on
1690 * success, -1 on failure.
1691 */
1692 int
1694 {
1701 }
1703 /** Return a pseudorandom integer, chosen uniformly from the values
1704 * between 0 and max-1. */
1705 int
1707 {
1713 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1714 * distribution with clipping at the upper end of unsigned int's
1715 * range.
1716 */
1722 }
1723 }
1725 /** Return a randomly chosen element of sl; or NULL if sl is empty.
1726 */
1729 {
1735 }
1737 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
1738 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1739 * bytes. Return the number of bytes written on success; -1 if
1740 * destlen is too short, or other failure.
1741 */
1742 int
1744 {
1745 EVP_ENCODE_CTX ctx;
1748 /* 48 bytes of input -> 64 bytes of output plus newline.
1749 Plus one more byte, in case I'm wrong.
1750 */
1762 }
1764 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
1765 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1766 * bytes. Return the number of bytes written on success; -1 if
1767 * destlen is too short, or other failure.
1768 *
1769 * NOTE: destlen should be a little longer than the amount of data it
1770 * will contain, since we check for sufficient space conservatively.
1771 * Here, "a little" is around 64-ish bytes.
1772 */
1773 int
1775 {
1776 EVP_ENCODE_CTX ctx;
1778 /* 64 bytes of input -> *up to* 48 bytes of output.
1779 Plus one more byte, in case I'm wrong.
1780 */
1792 }
1794 int
1796 {
1802 }
1804 int
1806 {
1817 }
1819 /** Implements base32 encoding as in rfc3548. Limitation: Requires
1820 * that srclen*8 is a multiple of 5.
1821 */
1822 void
1824 {
1833 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
1836 /* set u to the 5-bit value at the bit'th bit of src. */
1839 }
1841 }
1843 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
1844 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
1845 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
1846 * are a salt; the 9th byte describes how much iteration to do.
1847 * Does not support <b>key_out_len</b> > DIGEST_LEN.
1848 */
1849 void
1852 {
1859 #define EXPBIAS 6
1862 #undef EXPBIAS
1878 }
1879 }
1883 }
1885 #ifdef TOR_IS_MULTITHREADED
1886 static void
1888 {
1890 /* This is not a really good fix for the
1891 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
1892 * it can't hurt. */
1896 else
1898 }
1900 static int
1902 {
1912 }
1913 #else
1914 static int
1916 {
1918 }
1919 #endif