| blob | 2ab145ee4dcf9da8ef378f67a68809888824abdd |
1 /* Copyright 2001,2002,2003 Roger Dingledine, Matej Pfajfar.
2 * Copyright 2004-2005 Roger Dingledine, Nick Mathewson */
3 /* See LICENSE for licensing information */
4 /* $Id$ */
7 /**
8 * \file crypto.c
9 * \brief Wrapper functions to present a consistent interface to
10 * public-key and symmetric cryptography operations from OpenSSL.
11 **/
15 #ifdef MS_WINDOWS
16 #define WIN32_WINNT 0x400
17 #define _WIN32_WINNT 0x400
18 #define WIN32_LEAN_AND_MEAN
19 #include <windows.h>
20 #include <wincrypt.h>
21 #endif
23 #include <string.h>
25 #include <openssl/err.h>
26 #include <openssl/rsa.h>
27 #include <openssl/pem.h>
28 #include <openssl/evp.h>
29 #include <openssl/rand.h>
30 #include <openssl/opensslv.h>
31 #include <openssl/bn.h>
32 #include <openssl/dh.h>
33 #include <openssl/rsa.h>
34 #include <openssl/dh.h>
35 #include <openssl/conf.h>
37 #include <stdlib.h>
38 #include <assert.h>
39 #include <stdio.h>
40 #include <limits.h>
42 #ifdef HAVE_CTYPE_H
43 #include <ctype.h>
44 #endif
45 #ifdef HAVE_UNISTD_H
46 #include <unistd.h>
47 #endif
48 #ifdef HAVE_FCNTL_H
49 #include <fcntl.h>
50 #endif
51 #ifdef HAVE_SYS_FCNTL_H
52 #include <sys/fcntl.h>
53 #endif
62 #if OPENSSL_VERSION_NUMBER < 0x00905000l
64 #elif OPENSSL_VERSION_NUMBER < 0x00906000l
65 #define OPENSSL_095
66 #endif
68 #if OPENSSL_VERSION_NUMBER < 0x00907000l
69 #define NO_ENGINES
70 #else
71 #include <openssl/engine.h>
72 #endif
74 /* Certain functions that return a success code in OpenSSL 0.9.6 return void
75 * (and don't indicate errors) in OpenSSL version 0.9.5.
76 *
77 * [OpenSSL 0.9.5 matters, because it ships with Redhat 6.2.]
78 */
79 #ifdef OPENSSL_095
80 #define RETURN_SSL_OUTCOME(exp) (exp); return 0
81 #else
82 #define RETURN_SSL_OUTCOME(exp) return !(exp)
83 #endif
85 /** Macro: is k a valid RSA public or private key? */
86 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
87 /** Macro: is k a valid RSA private key? */
88 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
90 #ifdef TOR_IS_MULTITHREADED
93 #endif
95 /** A public key, or a public/private keypair. */
96 struct crypto_pk_env_t
97 {
100 };
102 /** Key and stream information for a stream cipher. */
103 struct crypto_cipher_env_t
104 {
107 };
109 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
110 * while we're waiting for the second.*/
113 };
115 /* Prototypes for functions only used by tortls.c */
124 /** Return the number of bytes added by padding method <b>padding</b>.
125 */
128 {
130 {
135 }
136 }
138 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
139 */
142 {
144 {
149 }
150 }
152 /** Boolean: has OpenSSL's crypto been initialized? */
155 /** Log all pending crypto errors at level <b>severity</b>. Use
156 * <b>doing</b> to describe our current activities.
157 */
158 static void
160 {
172 }
173 }
174 }
176 #ifndef NO_ENGINES
177 static void
179 {
188 }
189 }
190 #endif
192 /** Initialize the crypto library. Return 0 on success, -1 on failure.
193 */
194 int
196 {
202 #ifndef NO_ENGINES
211 /* XXXX make sure this isn't leaking. */
218 }
219 #endif
220 }
222 }
224 /** Free crypto resources held by this thread. */
225 void
227 {
229 }
231 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
232 */
233 int
235 {
239 #ifndef NO_ENGINES
241 #endif
244 #ifdef TOR_IS_MULTITHREADED
253 }
255 }
256 #endif
258 }
260 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
261 crypto_pk_env_t *
263 {
270 }
272 /** used by tortls.c: return the RSA* from a crypto_pk_env_t. */
273 RSA *
275 {
277 }
279 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
280 * private is set, include the private-key portion of the key. */
281 EVP_PKEY *
283 {
293 }
299 error:
305 }
307 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
308 */
309 DH *
311 {
313 }
315 /** Allocate and return storage for a public key. The key itself will not yet
316 * be set.
317 */
318 crypto_pk_env_t *
320 {
326 }
328 /** Release a reference to an asymmetric key; when all the references
329 * are released, free the key.
330 */
331 void
333 {
343 }
345 /** Create a new symmetric cipher for a given key and encryption flag
346 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
347 * on failure.
348 */
349 crypto_cipher_env_t *
351 {
358 }
363 }
367 else
374 error:
378 }
380 /** Allocate and return a new symmetric cipher.
381 */
382 crypto_cipher_env_t *
384 {
390 }
392 /** Free a symmetric cipher.
393 */
394 void
396 {
402 }
404 /* public key crypto */
406 /** Generate a new public/private keypair in <b>env</b>. Return 0 on
407 * success, -1 on failure.
408 */
409 int
411 {
420 }
423 }
425 /** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
426 * Return 0 on success, -1 on failure.
427 */
428 static int
431 {
437 /* Create a read-only memory BIO, backed by the nul-terminated string 's' */
450 }
452 }
454 /** Read a PEM-encoded private key from the file named by
455 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
456 */
457 int
459 {
463 /* Read the file into a string. */
468 }
470 /* Try to parse it. */
476 /* Make sure it's valid. */
481 }
483 /** PEM-encode the public key portion of <b>env</b> and write it to a
484 * newly allocated string. On success, set *<b>dest</b> to the new
485 * string, *<b>len</b> to the string's length, and return 0. On
486 * failure, return -1.
487 */
488 int
490 {
500 /* Now you can treat b as if it were a file. Just use the
501 * PEM_*_bio_* functions instead of the non-bio variants.
502 */
506 }
520 }
522 /** Read a PEM-encoded public key from the first <b>len</b> characters of
523 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
524 * failure.
525 */
526 int
528 {
545 }
548 }
550 /* Write the private key from 'env' into the file named by 'fname',
551 * PEM-encoded. Return 0 on success, -1 on failure.
552 */
553 int
556 {
572 }
582 }
584 /** Allocate a new string in *<b>out</b>, containing the public portion of the
585 * RSA key in <b>env</b>, encoded first with DER, then in base-64. Return the
586 * length of the encoded representation on success, and -1 on failure.
587 *
588 * <i>This function is for temporary use only. We need a simple
589 * one-line representation for keys to work around a bug in parsing
590 * directories containing "opt keyword\n-----BEGIN OBJECT----" entries
591 * in versions of Tor up to 0.0.9pre2.</i>
592 */
593 int
595 {
603 }
609 }
610 /* Remove spaces */
613 }
615 /** Decode a base-64 encoded DER representation of an RSA key from <b>in</b>,
616 * and store the result in <b>env</b>. Return 0 on success, -1 on failure.
617 *
618 * <i>This function is for temporary use only. We need a simple
619 * one-line representation for keys to work around a bug in parsing
620 * directories containing "opt keyword\n-----BEGIN OBJECT----" entries
621 * in versions of Tor up to 0.0.9pre2.</i>
622 */
623 crypto_pk_env_t *
625 {
634 }
635 /* base64_decode doesn't work unless we insert linebreaks every 64
636 * characters. how dumb. */
638 ALWAYS_TERMINATE))
644 }
646 }
648 /** Return true iff <b>env</b> has a valid key.
649 */
650 int
652 {
660 }
662 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
663 * if a==b, and 1 if a\>b.
664 */
665 int
667 {
682 }
684 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
685 size_t
687 {
692 }
694 /** Increase the reference count of <b>env</b>, and return it.
695 */
696 crypto_pk_env_t *
698 {
704 }
706 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
707 * in <b>env</b>, using the padding method <b>padding</b>. On success,
708 * write the result to <b>to</b>, and return the number of bytes
709 * written. On failure, return -1.
710 */
711 int
714 {
725 }
727 }
729 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
730 * in <b>env</b>, using the padding method <b>padding</b>. On success,
731 * write the result to <b>to</b>, and return the number of bytes
732 * written. On failure, return -1.
733 */
734 int
738 {
745 /* Not a private key */
755 }
757 }
759 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
760 * public key in <b>env</b>, using PKCS1 padding. On success, write the
761 * signed data to <b>to</b>, and return the number of bytes written.
762 * On failure, return -1.
763 */
764 int
767 {
772 r = RSA_public_decrypt(fromlen, (unsigned char*)from, (unsigned char*)to, env->key, RSA_PKCS1_PADDING);
777 }
779 }
781 /** Check a siglen-byte long signature at <b>sig</b> against
782 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
783 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
784 * SHA1(data). Else return -1.
785 */
786 int
789 {
801 }
806 }
810 }
813 }
815 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
816 * <b>env</b>, using PKCS1 padding. On success, write the signature to
817 * <b>to</b>, and return the number of bytes written. On failure, return
818 * -1.
819 */
820 int
823 {
829 /* Not a private key */
832 r = RSA_private_encrypt(fromlen, (unsigned char*)from, (unsigned char*)to, env->key, RSA_PKCS1_PADDING);
836 }
838 }
840 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
841 * <b>from</b>; sign the data with the private key in <b>env</b>, and
842 * store it in <b>to</b>. Return the number of bytes written on
843 * success, and -1 on failure.
844 */
845 int
848 {
853 }
855 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
856 * bytes of data from <b>from</b>, with padding type 'padding',
857 * storing the results on <b>to</b>.
858 *
859 * If no padding is used, the public key must be at least as large as
860 * <b>from</b>.
861 *
862 * Returns the number of bytes written on success, -1 on failure.
863 *
864 * The encrypted data consists of:
865 * - The source data, padded and encrypted with the public key, if the
866 * padded source data is no longer than the public key, and <b>force</b>
867 * is false, OR
868 * - The beginning of the source data prefixed with a 16-byte symmetric key,
869 * padded and encrypted with the public key; followed by the rest of
870 * the source data encrypted in AES-CTR mode with the symmetric key.
871 */
872 int
878 {
895 /* It all fits in a single encrypt. */
897 }
902 /* You can't just run around RSA-encrypting any bitstream: if it's
903 * greater than the RSA key, then OpenSSL will happily encrypt, and
904 * later decrypt to the wrong value. So we set the first bit of
905 * 'cipher->key' to 0 if we aren't padding. This means that our
906 * symmetric key is really only 127 bits.
907 */
915 /* Length of symmetrically encrypted data. */
921 }
929 err:
933 }
935 /** Invert crypto_pk_public_hybrid_encrypt. */
936 int
942 {
953 }
959 }
964 }
968 }
977 err:
981 }
983 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
984 * Return -1 on error, or the number of characters used on success.
985 */
986 int
988 {
1000 }
1001 /* We don't encode directly into 'dest', because that would be illegal
1002 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
1003 */
1007 }
1009 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
1010 * success and NULL on failure.
1011 */
1012 crypto_pk_env_t *
1014 {
1017 /* This ifdef suppresses a type warning. Take out the first case once
1018 * everybody is using openssl 0.9.7 or later.
1019 */
1020 #if OPENSSL_VERSION_NUMBER < 0x00907000l
1022 #else
1024 #endif
1032 }
1034 }
1036 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
1037 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
1038 * Return 0 on success, -1 on failure.
1039 */
1040 int
1042 {
1055 }
1059 }
1062 }
1064 /** Given a private or public key <b>pk</b>, put a fingerprint of the
1065 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1066 * space). Return 0 on success, -1 on failure.
1067 *
1068 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1069 * of the public key, converted to hexadecimal, in upper case, with a
1070 * space after every four digits.
1071 *
1072 * If <b>add_space</b> is false, omit the spaces.
1073 */
1074 int
1076 {
1081 }
1089 }
1091 }
1093 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1094 */
1095 int
1097 {
1104 }
1105 }
1108 }
1110 /* symmetric crypto */
1112 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1113 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1114 */
1115 int
1117 {
1121 }
1123 /** Set the symmetric key for the cipher in <b>env</b> to the first
1124 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1125 * Return 0 on success, -1 on failure.
1126 */
1127 int
1129 {
1139 }
1141 /** Return a pointer to the key set for the cipher in <b>env</b>.
1142 */
1145 {
1147 }
1149 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1150 * success, -1 on failure.
1151 */
1152 int
1154 {
1159 }
1161 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1162 * success, -1 on failure.
1163 */
1164 int
1166 {
1171 }
1173 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1174 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1175 * On failure, return -1.
1176 */
1177 int
1180 {
1189 }
1191 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1192 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1193 * On failure, return -1.
1194 */
1195 int
1198 {
1205 }
1207 /** Move the position of the cipher stream backwards by <b>delta</b> bytes.
1208 * Return 0 on success, -1 on failure.
1209 */
1210 int
1212 {
1214 }
1216 /** Move the position of the cipher stream forwards by <b>delta</b> bytes.
1217 * Return 0 on success, -1 on failure.
1218 */
1219 int
1221 {
1224 }
1226 /* SHA-1 */
1228 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1229 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1230 * Return 0 on success, -1 on failure.
1231 */
1232 int
1234 {
1238 }
1240 /** Intermediate information about the digest of a stream of data. */
1242 SHA_CTX d;
1243 };
1245 /** Allocate and return a new digest object.
1246 */
1247 crypto_digest_env_t *
1249 {
1254 }
1256 /** Deallocate a digest object.
1257 */
1258 void
1260 {
1262 }
1264 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1265 */
1266 void
1269 {
1272 /* Using the SHA1_*() calls directly means we don't support doing
1273 * sha1 in hardware. But so far the delay of getting the question
1274 * to the hardware, and hearing the answer, is likely higher than
1275 * just doing it ourselves. Hashes are fast.
1276 */
1278 }
1280 /** Compute the hash of the data that has been passed to the digest
1281 * object; write the first out_len bytes of the result to <b>out</b>.
1282 * <b>out_len</b> must be \<= DIGEST_LEN.
1283 */
1284 void
1287 {
1289 SHA_CTX tmpctx;
1293 /* memcpy into a temporary ctx, since SHA1_Final clears the context */
1297 }
1299 /** Allocate and return a new digest object with the same state as
1300 * <b>digest</b>
1301 */
1302 crypto_digest_env_t *
1304 {
1310 }
1312 /** Replace the state of the digest object <b>into</b> with the state
1313 * of the digest object <b>from</b>.
1314 */
1315 void
1318 {
1322 }
1324 /* DH */
1326 /** Shared P parameter for our DH key exchanged. */
1328 /** Shared G parameter for our DH key exchanges. */
1331 /** Initialize dh_param_p and dh_param_g if they are not already
1332 * set. */
1333 static void
1335 {
1346 /* This is from rfc2409, section 6.2. It's a safe prime, and
1347 supposedly it equals:
1348 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1349 */
1351 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1352 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1353 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1354 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1362 }
1364 #define DH_PRIVATE_KEY_BITS 320
1366 /** Allocate and return a new DH object for a key exchange.
1367 */
1368 crypto_dh_env_t *
1370 {
1390 err:
1395 }
1397 /** Return the length of the DH key in <b>dh</b>, in bytes.
1398 */
1399 int
1401 {
1404 }
1406 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1407 * success, -1 on failure.
1408 */
1409 int
1411 {
1412 again:
1416 }
1418 warn(LD_CRYPTO, "Weird! Our own DH key was invalid. I guess once-in-the-universe chances really do happen. Trying again.");
1419 /* Free and clear the keys, so openssl will actually try again. */
1424 }
1426 }
1428 /** Generate g^x as necessary, and write the g^x for the key exchange
1429 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1430 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1431 */
1432 int
1434 {
1440 }
1446 warn(LD_CRYPTO, "Weird! pubkey_len (%d) was smaller than DH_BYTES (%d)", (int) pubkey_len, bytes);
1448 }
1454 }
1456 /** Check for bad diffie-hellman public keys (g^x). Return 0 if the key is
1457 * okay, or -1 if it's bad.
1458 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1459 */
1460 static int
1462 {
1463 /* There are about 2^116 ways to have a 1024-bit key with <= 16 bits set,
1464 * and similarly for <= 16 bits unset. This is negligible compared to the
1465 * 2^1024 entry keyspace. */
1466 #define MIN_DIFFERING_BITS 16
1467 /* This covers another 2^25 keys, which is still negligible. */
1468 #define MIN_DIST_FROM_EDGE (1<<24)
1469 /* XXXX Note that this is basically voodoo. Really, we only care about 0,
1470 * 1, and p-1. The "number of bits set" business is inherited from some
1471 * dire warnings in the OpenSSH comments. Real Cryptographers assure us
1472 * that these dire warnings are misplaced.
1473 *
1474 * Still, it can't hurt. -NM We will likely remove all the crud from this
1475 * function in a future version, though. -RD
1476 */
1487 }
1491 }
1497 }
1501 }
1506 }
1512 }
1515 err:
1521 }
1523 #undef MIN
1524 #define MIN(a,b) ((a)<(b)?(a):(b))
1525 /** Given a DH key exchange object, and our peer's value of g^y (as a
1526 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1527 * <b>secret_bytes_out</b> bytes of shared key material and write them
1528 * to <b>secret_out</b>. Return the number of bytes generated on success,
1529 * or -1 on failure.
1530 *
1531 * (We generate key material by computing
1532 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1533 * where || is concatenation.)
1534 */
1535 int
1539 {
1552 /* Check for invalid public keys. */
1555 }
1561 }
1563 /* sometimes secret_len might be less than 128, e.g., 127. that's ok. */
1564 /* Actually, http://www.faqs.org/rfcs/rfc2631.html says:
1565 * Leading zeros MUST be preserved, so that ZZ occupies as many
1566 * octets as p. For instance, if p is 1024 bits, ZZ should be 128
1567 * bytes long.
1568 * What are the security implications here?
1569 */
1575 }
1579 error:
1581 done:
1588 else
1590 }
1592 /** Free a DH key exchange object.
1593 */
1594 void
1596 {
1601 }
1603 /* random numbers */
1605 /* This is how much entropy OpenSSL likes to add right now, so maybe it will
1606 * work for us too. */
1607 #define ADD_ENTROPY 32
1609 /* Use RAND_poll if openssl is 0.9.6 release or later. (The "f" means
1610 "release".) */
1611 #define USE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
1613 /** Seed OpenSSL's random number generator with bytes from the
1614 * operating system. Return 0 on success, -1 on failure.
1615 */
1616 int
1618 {
1622 /* local variables */
1623 #ifdef MS_WINDOWS
1626 #else
1629 };
1632 #endif
1634 #if USE_RAND_POLL
1635 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
1636 * entropy than we do. We'll try calling that, *and* calling our own entropy
1637 * functions. If one succeeds, we'll accept the RNG as seeded. */
1641 #else
1643 #endif
1645 #ifdef MS_WINDOWS
1651 }
1652 }
1654 }
1658 }
1661 #else
1671 }
1674 }
1678 #endif
1679 }
1681 /** Write n bytes of strong random data to <b>to</b>. Return 0 on
1682 * success, -1 on failure.
1683 */
1684 int
1686 {
1693 }
1695 /** Return a pseudorandom integer, chosen uniformly from the values
1696 * between 0 and max-1. */
1697 int
1699 {
1705 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1706 * distribution with clipping at the upper end of unsigned int's
1707 * range.
1708 */
1714 }
1715 }
1717 /** Return a randomly chosen element of sl; or NULL if sl is empty.
1718 */
1721 {
1727 }
1729 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
1730 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1731 * bytes. Return the number of bytes written on success; -1 if
1732 * destlen is too short, or other failure.
1733 */
1734 int
1736 {
1737 EVP_ENCODE_CTX ctx;
1740 /* 48 bytes of input -> 64 bytes of output plus newline.
1741 Plus one more byte, in case I'm wrong.
1742 */
1753 }
1755 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
1756 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1757 * bytes. Return the number of bytes written on success; -1 if
1758 * destlen is too short, or other failure.
1759 *
1760 * NOTE: destlen should be a little longer than the amount of data it
1761 * will contain, since we check for sufficient space conservatively.
1762 * Here, "a little" is around 64-ish bytes.
1763 */
1764 int
1766 {
1767 EVP_ENCODE_CTX ctx;
1769 /* 64 bytes of input -> *up to* 48 bytes of output.
1770 Plus one more byte, in case I'm wrong.
1771 */
1782 }
1784 int
1786 {
1792 }
1794 int
1796 {
1807 }
1809 /** Implements base32 encoding as in rfc3548. Limitation: Requires
1810 * that srclen*8 is a multiple of 5.
1811 */
1812 void
1814 {
1823 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
1826 /* set u to the 5-bit value at the bit'th bit of src. */
1829 }
1831 }
1833 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
1834 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
1835 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
1836 * are a salt; the 9th byte describes how much iteration to do.
1837 * Does not support <b>key_out_len</b> > DIGEST_LEN.
1838 */
1839 void
1842 {
1849 #define EXPBIAS 6
1852 #undef EXPBIAS
1868 }
1869 }
1873 }
1875 #ifdef TOR_IS_MULTITHREADED
1876 static void
1878 {
1880 /* This is not a really good fix for the
1881 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
1882 * it can't hurt. */
1886 else
1888 }
1890 static int
1892 {
1902 }
1903 #else
1904 static int
1906 {
1908 }
1909 #endif