| blob | 948e31a50da10bfd0ee20929bf26b8dee1ee9399 |
1 /* Copyright 2001,2002,2003 Roger Dingledine, Matej Pfajfar.
2 * Copyright 2004-2005 Roger Dingledine, Nick Mathewson */
3 /* See LICENSE for licensing information */
4 /* $Id$ */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef MS_WINDOWS
16 #define WIN32_WINNT 0x400
17 #define _WIN32_WINNT 0x400
18 #define WIN32_LEAN_AND_MEAN
19 #include <windows.h>
20 #include <wincrypt.h>
21 #endif
23 #include <string.h>
25 #include <openssl/err.h>
26 #include <openssl/rsa.h>
27 #include <openssl/pem.h>
28 #include <openssl/evp.h>
29 #include <openssl/rand.h>
30 #include <openssl/opensslv.h>
31 #include <openssl/bn.h>
32 #include <openssl/dh.h>
33 #include <openssl/rsa.h>
34 #include <openssl/dh.h>
35 #include <openssl/conf.h>
37 #include <stdlib.h>
38 #include <assert.h>
39 #include <stdio.h>
40 #include <limits.h>
42 #ifdef HAVE_CTYPE_H
43 #include <ctype.h>
44 #endif
45 #ifdef HAVE_UNISTD_H
46 #include <unistd.h>
47 #endif
48 #ifdef HAVE_FCNTL_H
49 #include <fcntl.h>
50 #endif
51 #ifdef HAVE_SYS_FCNTL_H
52 #include <sys/fcntl.h>
53 #endif
62 #if OPENSSL_VERSION_NUMBER < 0x00905000l
64 #elif OPENSSL_VERSION_NUMBER < 0x00906000l
65 #define OPENSSL_095
66 #endif
68 #if OPENSSL_VERSION_NUMBER < 0x00907000l
69 #define OPENSSL_PRE_097
70 #define NO_ENGINES
71 #else
72 #include <openssl/engine.h>
73 #endif
75 /* Certain functions that return a success code in OpenSSL 0.9.6 return void
76 * (and don't indicate errors) in OpenSSL version 0.9.5.
77 *
78 * [OpenSSL 0.9.5 matters, because it ships with Redhat 6.2.]
79 */
80 #ifdef OPENSSL_095
81 #define RETURN_SSL_OUTCOME(exp) (exp); return 0
82 #else
83 #define RETURN_SSL_OUTCOME(exp) return !(exp)
84 #endif
86 /** Macro: is k a valid RSA public or private key? */
87 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
88 /** Macro: is k a valid RSA private key? */
89 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
91 #ifdef TOR_IS_MULTITHREADED
94 #endif
96 /** A public key, or a public/private keypair. */
97 struct crypto_pk_env_t
98 {
101 };
103 /** Key and stream information for a stream cipher. */
104 struct crypto_cipher_env_t
105 {
108 };
110 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
111 * while we're waiting for the second.*/
114 };
116 /* Prototypes for functions only used by tortls.c */
125 /** Return the number of bytes added by padding method <b>padding</b>.
126 */
129 {
131 {
136 }
137 }
139 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
140 */
143 {
145 {
150 }
151 }
153 /** Boolean: has OpenSSL's crypto been initialized? */
156 /** Log all pending crypto errors at level <b>severity</b>. Use
157 * <b>doing</b> to describe our current activities.
158 */
159 static void
161 {
173 }
174 }
175 }
177 #ifndef NO_ENGINES
178 static void
180 {
189 }
190 }
191 #endif
193 /** Initialize the crypto library. Return 0 on success, -1 on failure.
194 */
195 int
197 {
203 #ifndef NO_ENGINES
212 /* XXXX make sure this isn't leaking. */
219 }
220 #endif
221 }
223 }
225 /** Free crypto resources held by this thread. */
226 void
228 {
230 }
232 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
233 */
234 int
236 {
240 #ifndef NO_ENGINES
244 #endif
245 #ifdef TOR_IS_MULTITHREADED
254 }
256 }
257 #endif
259 }
261 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
262 crypto_pk_env_t *
264 {
271 }
273 /** used by tortls.c: return the RSA* from a crypto_pk_env_t. */
274 RSA *
276 {
278 }
280 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
281 * private is set, include the private-key portion of the key. */
282 EVP_PKEY *
284 {
294 }
300 error:
306 }
308 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
309 */
310 DH *
312 {
314 }
316 /** Allocate and return storage for a public key. The key itself will not yet
317 * be set.
318 */
319 crypto_pk_env_t *
321 {
327 }
329 /** Release a reference to an asymmetric key; when all the references
330 * are released, free the key.
331 */
332 void
334 {
344 }
346 /** Create a new symmetric cipher for a given key and encryption flag
347 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
348 * on failure.
349 */
350 crypto_cipher_env_t *
352 {
359 }
364 }
368 else
375 error:
379 }
381 /** Allocate and return a new symmetric cipher.
382 */
383 crypto_cipher_env_t *
385 {
391 }
393 /** Free a symmetric cipher.
394 */
395 void
397 {
403 }
405 /* public key crypto */
407 /** Generate a new public/private keypair in <b>env</b>. Return 0 on
408 * success, -1 on failure.
409 */
410 int
412 {
421 }
424 }
426 /** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
427 * Return 0 on success, -1 on failure.
428 */
429 static int
432 {
438 /* Create a read-only memory BIO, backed by the nul-terminated string 's' */
451 }
453 }
455 /** Read a PEM-encoded private key from the file named by
456 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
457 */
458 int
460 {
464 /* Read the file into a string. */
469 }
471 /* Try to parse it. */
477 /* Make sure it's valid. */
482 }
484 /** PEM-encode the public key portion of <b>env</b> and write it to a
485 * newly allocated string. On success, set *<b>dest</b> to the new
486 * string, *<b>len</b> to the string's length, and return 0. On
487 * failure, return -1.
488 */
489 int
491 {
501 /* Now you can treat b as if it were a file. Just use the
502 * PEM_*_bio_* functions instead of the non-bio variants.
503 */
507 }
521 }
523 /** Read a PEM-encoded public key from the first <b>len</b> characters of
524 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
525 * failure.
526 */
527 int
529 {
546 }
549 }
551 /* Write the private key from 'env' into the file named by 'fname',
552 * PEM-encoded. Return 0 on success, -1 on failure.
553 */
554 int
557 {
573 }
583 }
585 /** Allocate a new string in *<b>out</b>, containing the public portion of the
586 * RSA key in <b>env</b>, encoded first with DER, then in base-64. Return the
587 * length of the encoded representation on success, and -1 on failure.
588 *
589 * <i>This function is for temporary use only. We need a simple
590 * one-line representation for keys to work around a bug in parsing
591 * directories containing "opt keyword\n-----BEGIN OBJECT----" entries
592 * in versions of Tor up to 0.0.9pre2.</i>
593 */
594 int
596 {
604 }
610 }
611 /* Remove spaces */
614 }
616 /** Decode a base-64 encoded DER representation of an RSA key from <b>in</b>,
617 * and store the result in <b>env</b>. Return 0 on success, -1 on failure.
618 *
619 * <i>This function is for temporary use only. We need a simple
620 * one-line representation for keys to work around a bug in parsing
621 * directories containing "opt keyword\n-----BEGIN OBJECT----" entries
622 * in versions of Tor up to 0.0.9pre2.</i>
623 */
624 crypto_pk_env_t *
626 {
635 }
636 /* base64_decode doesn't work unless we insert linebreaks every 64
637 * characters. how dumb. */
639 ALWAYS_TERMINATE))
645 }
647 }
649 /** Return true iff <b>env</b> has a valid key.
650 */
651 int
653 {
661 }
663 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
664 * if a==b, and 1 if a\>b.
665 */
666 int
668 {
683 }
685 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
686 size_t
688 {
693 }
695 /** Increase the reference count of <b>env</b>, and return it.
696 */
697 crypto_pk_env_t *
699 {
705 }
707 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
708 * in <b>env</b>, using the padding method <b>padding</b>. On success,
709 * write the result to <b>to</b>, and return the number of bytes
710 * written. On failure, return -1.
711 */
712 int
715 {
726 }
728 }
730 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
731 * in <b>env</b>, using the padding method <b>padding</b>. On success,
732 * write the result to <b>to</b>, and return the number of bytes
733 * written. On failure, return -1.
734 */
735 int
739 {
746 /* Not a private key */
756 }
758 }
760 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
761 * public key in <b>env</b>, using PKCS1 padding. On success, write the
762 * signed data to <b>to</b>, and return the number of bytes written.
763 * On failure, return -1.
764 */
765 int
768 {
773 r = RSA_public_decrypt(fromlen, (unsigned char*)from, (unsigned char*)to, env->key, RSA_PKCS1_PADDING);
778 }
780 }
782 /** Check a siglen-byte long signature at <b>sig</b> against
783 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
784 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
785 * SHA1(data). Else return -1.
786 */
787 int
790 {
802 }
807 }
811 }
814 }
816 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
817 * <b>env</b>, using PKCS1 padding. On success, write the signature to
818 * <b>to</b>, and return the number of bytes written. On failure, return
819 * -1.
820 */
821 int
824 {
830 /* Not a private key */
833 r = RSA_private_encrypt(fromlen, (unsigned char*)from, (unsigned char*)to, env->key, RSA_PKCS1_PADDING);
837 }
839 }
841 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
842 * <b>from</b>; sign the data with the private key in <b>env</b>, and
843 * store it in <b>to</b>. Return the number of bytes written on
844 * success, and -1 on failure.
845 */
846 int
849 {
854 }
856 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
857 * bytes of data from <b>from</b>, with padding type 'padding',
858 * storing the results on <b>to</b>.
859 *
860 * If no padding is used, the public key must be at least as large as
861 * <b>from</b>.
862 *
863 * Returns the number of bytes written on success, -1 on failure.
864 *
865 * The encrypted data consists of:
866 * - The source data, padded and encrypted with the public key, if the
867 * padded source data is no longer than the public key, and <b>force</b>
868 * is false, OR
869 * - The beginning of the source data prefixed with a 16-byte symmetric key,
870 * padded and encrypted with the public key; followed by the rest of
871 * the source data encrypted in AES-CTR mode with the symmetric key.
872 */
873 int
879 {
896 /* It all fits in a single encrypt. */
898 }
903 /* You can't just run around RSA-encrypting any bitstream: if it's
904 * greater than the RSA key, then OpenSSL will happily encrypt, and
905 * later decrypt to the wrong value. So we set the first bit of
906 * 'cipher->key' to 0 if we aren't padding. This means that our
907 * symmetric key is really only 127 bits.
908 */
916 /* Length of symmetrically encrypted data. */
922 }
930 err:
934 }
936 /** Invert crypto_pk_public_hybrid_encrypt. */
937 int
943 {
954 }
960 }
965 }
969 }
978 err:
982 }
984 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
985 * Return -1 on error, or the number of characters used on success.
986 */
987 int
989 {
1001 }
1002 /* We don't encode directly into 'dest', because that would be illegal
1003 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1004 */
1008 }
1010 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1011 * success and NULL on failure.
1012 */
1013 crypto_pk_env_t *
1015 {
1018 /* This ifdef suppresses a type warning. Take out the first case once
1019 * everybody is using openssl 0.9.7 or later.
1020 */
1021 #if OPENSSL_VERSION_NUMBER < 0x00907000l
1023 #else
1025 #endif
1033 }
1035 }
1037 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1038 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1039 * Return 0 on success, -1 on failure.
1040 */
1041 int
1043 {
1056 }
1060 }
1063 }
1065 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1066 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1067 * space). Return 0 on success, -1 on failure.
1068 *
1069 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1070 * of the public key, converted to hexadecimal, in upper case, with a
1071 * space after every four digits.
1072 *
1073 * If <b>add_space</b> is false, omit the spaces.
1074 */
1075 int
1077 {
1082 }
1090 }
1092 }
1094 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1095 */
1096 int
1098 {
1105 }
1106 }
1109 }
1111 /* symmetric crypto */
1113 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1114 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1115 */
1116 int
1118 {
1122 }
1124 /** Set the symmetric key for the cipher in <b>env</b> to the first
1125 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1126 * Return 0 on success, -1 on failure.
1127 */
1128 int
1130 {
1140 }
1142 /** Return a pointer to the key set for the cipher in <b>env</b>.
1143 */
1146 {
1148 }
1150 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1151 * success, -1 on failure.
1152 */
1153 int
1155 {
1160 }
1162 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1163 * success, -1 on failure.
1164 */
1165 int
1167 {
1172 }
1174 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1175 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1176 * On failure, return -1.
1177 */
1178 int
1181 {
1190 }
1192 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1193 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1194 * On failure, return -1.
1195 */
1196 int
1199 {
1206 }
1208 /** Move the position of the cipher stream backwards by <b>delta</b> bytes.
1209 * Return 0 on success, -1 on failure.
1210 */
1211 int
1213 {
1215 }
1217 /** Move the position of the cipher stream forwards by <b>delta</b> bytes.
1218 * Return 0 on success, -1 on failure.
1219 */
1220 int
1222 {
1225 }
1227 /* SHA-1 */
1229 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1230 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1231 * Return 0 on success, -1 on failure.
1232 */
1233 int
1235 {
1239 }
1241 /** Intermediate information about the digest of a stream of data. */
1243 SHA_CTX d;
1244 };
1246 /** Allocate and return a new digest object.
1247 */
1248 crypto_digest_env_t *
1250 {
1255 }
1257 /** Deallocate a digest object.
1258 */
1259 void
1261 {
1263 }
1265 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1266 */
1267 void
1270 {
1273 /* Using the SHA1_*() calls directly means we don't support doing
1274 * sha1 in hardware. But so far the delay of getting the question
1275 * to the hardware, and hearing the answer, is likely higher than
1276 * just doing it ourselves. Hashes are fast.
1277 */
1279 }
1281 /** Compute the hash of the data that has been passed to the digest
1282 * object; write the first out_len bytes of the result to <b>out</b>.
1283 * <b>out_len</b> must be \<= DIGEST_LEN.
1284 */
1285 void
1288 {
1290 SHA_CTX tmpctx;
1294 /* memcpy into a temporary ctx, since SHA1_Final clears the context */
1298 }
1300 /** Allocate and return a new digest object with the same state as
1301 * <b>digest</b>
1302 */
1303 crypto_digest_env_t *
1305 {
1311 }
1313 /** Replace the state of the digest object <b>into</b> with the state
1314 * of the digest object <b>from</b>.
1315 */
1316 void
1319 {
1323 }
1325 /* DH */
1327 /** Shared P parameter for our DH key exchanged. */
1329 /** Shared G parameter for our DH key exchanges. */
1332 /** Initialize dh_param_p and dh_param_g if they are not already
1333 * set. */
1334 static void
1336 {
1347 /* This is from rfc2409, section 6.2. It's a safe prime, and
1348 supposedly it equals:
1349 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1350 */
1352 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1353 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1354 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1355 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1363 }
1365 #define DH_PRIVATE_KEY_BITS 320
1367 /** Allocate and return a new DH object for a key exchange.
1368 */
1369 crypto_dh_env_t *
1371 {
1391 err:
1396 }
1398 /** Return the length of the DH key in <b>dh</b>, in bytes.
1399 */
1400 int
1402 {
1405 }
1407 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1408 * success, -1 on failure.
1409 */
1410 int
1412 {
1413 again:
1417 }
1419 warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-the-universe chances really do happen. Trying again.");
1420 /* Free and clear the keys, so openssl will actually try again. */
1425 }
1427 }
1429 /** Generate g^x as necessary, and write the g^x for the key exchange
1430 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1431 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1432 */
1433 int
1435 {
1441 }
1447 warn(LD_CRYPTO, "Weird! pubkey_len (%d) was smaller than DH_BYTES (%d)", (int) pubkey_len, bytes);
1449 }
1455 }
1457 /** Check for bad diffie-hellman public keys (g^x). Return 0 if the key is
1458 * okay, or -1 if it's bad.
1459 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1460 */
1461 static int
1463 {
1464 /* There are about 2^116 ways to have a 1024-bit key with <= 16 bits set,
1465 * and similarly for <= 16 bits unset. This is negligible compared to the
1466 * 2^1024 entry keyspace. */
1467 #define MIN_DIFFERING_BITS 16
1468 /* This covers another 2^25 keys, which is still negligible. */
1469 #define MIN_DIST_FROM_EDGE (1<<24)
1470 /* XXXX Note that this is basically voodoo. Really, we only care about 0,
1471 * 1, and p-1. The "number of bits set" business is inherited from some
1472 * dire warnings in the OpenSSH comments. Real Cryptographers assure us
1473 * that these dire warnings are misplaced.
1474 *
1475 * Still, it can't hurt. -NM We will likely remove all the crud from this
1476 * function in a future version, though. -RD
1477 */
1488 }
1492 }
1498 }
1502 }
1507 }
1513 }
1516 err:
1522 }
1524 #undef MIN
1525 #define MIN(a,b) ((a)<(b)?(a):(b))
1526 /** Given a DH key exchange object, and our peer's value of g^y (as a
1527 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1528 * <b>secret_bytes_out</b> bytes of shared key material and write them
1529 * to <b>secret_out</b>. Return the number of bytes generated on success,
1530 * or -1 on failure.
1531 *
1532 * (We generate key material by computing
1533 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1534 * where || is concatenation.)
1535 */
1536 int
1540 {
1553 /* Check for invalid public keys. */
1556 }
1562 }
1564 /* sometimes secret_len might be less than 128, e.g., 127. that's ok. */
1565 /* Actually, http://www.faqs.org/rfcs/rfc2631.html says:
1566 * Leading zeros MUST be preserved, so that ZZ occupies as many
1567 * octets as p. For instance, if p is 1024 bits, ZZ should be 128
1568 * bytes long.
1569 * What are the security implications here?
1570 */
1576 }
1580 error:
1582 done:
1589 else
1591 }
1593 /** Free a DH key exchange object.
1594 */
1595 void
1597 {
1602 }
1604 /* random numbers */
1606 /* This is how much entropy OpenSSL likes to add right now, so maybe it will
1607 * work for us too. */
1608 #define ADD_ENTROPY 32
1610 /* Use RAND_poll if openssl is 0.9.6 release or later. (The "f" means
1611 "release".) */
1612 #define USE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
1614 /** Seed OpenSSL's random number generator with bytes from the
1615 * operating system. Return 0 on success, -1 on failure.
1616 */
1617 int
1619 {
1623 /* local variables */
1624 #ifdef MS_WINDOWS
1627 #else
1630 };
1633 #endif
1635 #if USE_RAND_POLL
1636 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
1637 * entropy than we do. We'll try calling that, *and* calling our own entropy
1638 * functions. If one succeeds, we'll accept the RNG as seeded. */
1642 #else
1644 #endif
1646 #ifdef MS_WINDOWS
1652 }
1653 }
1655 }
1659 }
1662 #else
1672 }
1675 }
1679 #endif
1680 }
1682 /** Write n bytes of strong random data to <b>to</b>. Return 0 on
1683 * success, -1 on failure.
1684 */
1685 int
1687 {
1694 }
1696 /** Return a pseudorandom integer, chosen uniformly from the values
1697 * between 0 and max-1. */
1698 int
1700 {
1706 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1707 * distribution with clipping at the upper end of unsigned int's
1708 * range.
1709 */
1715 }
1716 }
1718 /** Return a randomly chosen element of sl; or NULL if sl is empty.
1719 */
1722 {
1728 }
1730 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
1731 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1732 * bytes. Return the number of bytes written on success; -1 if
1733 * destlen is too short, or other failure.
1734 */
1735 int
1737 {
1738 EVP_ENCODE_CTX ctx;
1741 /* 48 bytes of input -> 64 bytes of output plus newline.
1742 Plus one more byte, in case I'm wrong.
1743 */
1754 }
1756 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
1757 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1758 * bytes. Return the number of bytes written on success; -1 if
1759 * destlen is too short, or other failure.
1760 *
1761 * NOTE: destlen should be a little longer than the amount of data it
1762 * will contain, since we check for sufficient space conservatively.
1763 * Here, "a little" is around 64-ish bytes.
1764 */
1765 int
1767 {
1768 EVP_ENCODE_CTX ctx;
1770 /* 64 bytes of input -> *up to* 48 bytes of output.
1771 Plus one more byte, in case I'm wrong.
1772 */
1783 }
1785 int
1787 {
1793 }
1795 int
1797 {
1808 }
1810 /** Implements base32 encoding as in rfc3548. Limitation: Requires
1811 * that srclen*8 is a multiple of 5.
1812 */
1813 void
1815 {
1824 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
1827 /* set u to the 5-bit value at the bit'th bit of src. */
1830 }
1832 }
1834 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
1835 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
1836 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
1837 * are a salt; the 9th byte describes how much iteration to do.
1838 * Does not support <b>key_out_len</b> > DIGEST_LEN.
1839 */
1840 void
1843 {
1850 #define EXPBIAS 6
1853 #undef EXPBIAS
1869 }
1870 }
1874 }
1876 #ifdef TOR_IS_MULTITHREADED
1877 static void
1879 {
1881 /* This is not a really good fix for the
1882 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
1883 * it can't hurt. */
1887 else
1889 }
1891 static int
1893 {
1903 }
1904 #else
1905 static int
1907 {
1909 }
1910 #endif