| blob | 0daf24310f757e2e4fa2d36091fc3008e1632404 |
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2007, Roger Dingledine, Nick Mathewson. */
4 /* See LICENSE for licensing information */
5 /* $Id$ */
9 /**
10 * \file crypto.c
11 * \brief Wrapper functions to present a consistent interface to
12 * public-key and symmetric cryptography operations from OpenSSL.
13 **/
17 #ifdef MS_WINDOWS
18 #define WIN32_WINNT 0x400
19 #define _WIN32_WINNT 0x400
20 #define WIN32_LEAN_AND_MEAN
21 #include <windows.h>
22 #include <wincrypt.h>
23 #endif
25 #include <string.h>
27 #include <openssl/err.h>
28 #include <openssl/rsa.h>
29 #include <openssl/pem.h>
30 #include <openssl/evp.h>
31 #include <openssl/rand.h>
32 #include <openssl/opensslv.h>
33 #include <openssl/bn.h>
34 #include <openssl/dh.h>
35 #include <openssl/rsa.h>
36 #include <openssl/dh.h>
37 #include <openssl/conf.h>
39 #include <stdlib.h>
40 #include <assert.h>
41 #include <stdio.h>
42 #include <limits.h>
44 #ifdef HAVE_CTYPE_H
45 #include <ctype.h>
46 #endif
47 #ifdef HAVE_UNISTD_H
48 #include <unistd.h>
49 #endif
50 #ifdef HAVE_FCNTL_H
51 #include <fcntl.h>
52 #endif
53 #ifdef HAVE_SYS_FCNTL_H
54 #include <sys/fcntl.h>
55 #endif
64 #if OPENSSL_VERSION_NUMBER < 0x00905000l
66 #endif
68 #if OPENSSL_VERSION_NUMBER < 0x00907000l
69 #define NO_ENGINES
70 #else
71 #include <openssl/engine.h>
72 #endif
74 /** Macro: is k a valid RSA public or private key? */
75 #define PUBLIC_KEY_OK(k) ((k) && (k)->key && (k)->key->n)
76 /** Macro: is k a valid RSA private key? */
77 #define PRIVATE_KEY_OK(k) ((k) && (k)->key && (k)->key->p)
79 #ifdef TOR_IS_MULTITHREADED
80 /** A number of prealloced mutexes for use by openssl. */
82 /** How many mutexes have we allocated for use by openssl? */
84 #endif
86 /** A public key, or a public/private keypair. */
87 struct crypto_pk_env_t
88 {
91 };
93 /** Key and stream information for a stream cipher. */
94 struct crypto_cipher_env_t
95 {
98 };
100 /** A structure to hold the first half (x, g^x) of a Diffie-Hellman handshake
101 * while we're waiting for the second.*/
104 };
106 /* Prototypes for functions only used by tortls.c */
114 /** Return the number of bytes added by padding method <b>padding</b>.
115 */
118 {
120 {
125 }
126 }
128 /** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
129 */
132 {
134 {
139 }
140 }
142 /** Boolean: has OpenSSL's crypto been initialized? */
145 /** Log all pending crypto errors at level <b>severity</b>. Use
146 * <b>doing</b> to describe our current activities.
147 */
148 static void
150 {
165 }
166 }
167 }
169 #ifndef NO_ENGINES
170 /** Log any OpenSSL engines we're using at NOTICE. */
171 static void
173 {
182 }
183 }
184 #endif
186 /** Initialize the crypto library. Return 0 on success, -1 on failure.
187 */
188 int
190 {
196 /* XXX the below is a bug, since we can't know if we're supposed
197 * to be using hardware acceleration or not. we should arrange
198 * for this function to be called before init_keys. But make it
199 * not complain loudly, at least until we make acceleration work. */
202 }
203 #ifndef NO_ENGINES
210 /* XXXX make sure this isn't leaking. */
217 }
218 #endif
219 }
221 }
223 /** Free crypto resources held by this thread. */
224 void
226 {
228 }
230 /** Uninitialize the crypto library. Return 0 on success, -1 on failure.
231 */
232 int
234 {
238 #ifndef NO_ENGINES
242 #endif
243 #ifdef TOR_IS_MULTITHREADED
252 }
254 }
255 #endif
257 }
259 /** used by tortls.c: wrap an RSA* in a crypto_pk_env_t. */
260 crypto_pk_env_t *
262 {
269 }
271 /** used by tortls.c: get an equivalent EVP_PKEY* for a crypto_pk_env_t. Iff
272 * private is set, include the private-key portion of the key. */
273 EVP_PKEY *
275 {
285 }
291 error:
297 }
299 /** Used by tortls.c: Get the DH* from a crypto_dh_env_t.
300 */
301 DH *
303 {
305 }
307 /** Allocate and return storage for a public key. The key itself will not yet
308 * be set.
309 */
310 crypto_pk_env_t *
312 {
318 }
320 /** Release a reference to an asymmetric key; when all the references
321 * are released, free the key.
322 */
323 void
325 {
335 }
337 /** Create a new symmetric cipher for a given key and encryption flag
338 * (1=encrypt, 0=decrypt). Return the crypto object on success; NULL
339 * on failure.
340 */
341 crypto_cipher_env_t *
343 {
350 }
355 }
359 else
366 error:
370 }
372 /** Allocate and return a new symmetric cipher.
373 */
374 crypto_cipher_env_t *
376 {
382 }
384 /** Free a symmetric cipher.
385 */
386 void
388 {
394 }
396 /* public key crypto */
398 /** Generate a new public/private keypair in <b>env</b>. Return 0 on
399 * success, -1 on failure.
400 */
401 int
403 {
412 }
415 }
417 /** Read a PEM-encoded private key from the string <b>s</b> into <b>env</b>.
418 * Return 0 on success, -1 on failure.
419 */
420 static int
423 {
429 /* Create a read-only memory BIO, backed by the nul-terminated string 's' */
442 }
444 }
446 /** Read a PEM-encoded private key from the file named by
447 * <b>keyfile</b> into <b>env</b>. Return 0 on success, -1 on failure.
448 */
449 int
452 {
456 /* Read the file into a string. */
461 }
463 /* Try to parse it. */
469 /* Make sure it's valid. */
474 }
476 /** PEM-encode the public key portion of <b>env</b> and write it to a
477 * newly allocated string. On success, set *<b>dest</b> to the new
478 * string, *<b>len</b> to the string's length, and return 0. On
479 * failure, return -1.
480 */
481 int
484 {
494 /* Now you can treat b as if it were a file. Just use the
495 * PEM_*_bio_* functions instead of the non-bio variants.
496 */
500 }
514 }
516 /** Read a PEM-encoded public key from the first <b>len</b> characters of
517 * <b>src</b>, and store the result in <b>env</b>. Return 0 on success, -1 on
518 * failure.
519 */
520 int
523 {
540 }
543 }
545 /** Write the private key from <b>env</b> into the file named by <b>fname</b>,
546 * PEM-encoded. Return 0 on success, -1 on failure.
547 */
548 int
551 {
567 }
577 }
579 /** Return true iff <b>env</b> has a valid key.
580 */
581 int
583 {
591 }
593 /** Compare the public-key components of a and b. Return -1 if a\<b, 0
594 * if a==b, and 1 if a\>b.
595 */
596 int
598 {
613 }
615 /** Return the size of the public key modulus in <b>env</b>, in bytes. */
616 size_t
618 {
623 }
625 /** Increase the reference count of <b>env</b>, and return it.
626 */
627 crypto_pk_env_t *
629 {
635 }
637 /** Encrypt <b>fromlen</b> bytes from <b>from</b> with the public key
638 * in <b>env</b>, using the padding method <b>padding</b>. On success,
639 * write the result to <b>to</b>, and return the number of bytes
640 * written. On failure, return -1.
641 */
642 int
645 {
656 }
658 }
660 /** Decrypt <b>fromlen</b> bytes from <b>from</b> with the private key
661 * in <b>env</b>, using the padding method <b>padding</b>. On success,
662 * write the result to <b>to</b>, and return the number of bytes
663 * written. On failure, return -1.
664 */
665 int
669 {
676 /* Not a private key */
686 }
688 }
690 /** Check the signature in <b>from</b> (<b>fromlen</b> bytes long) with the
691 * public key in <b>env</b>, using PKCS1 padding. On success, write the
692 * signed data to <b>to</b>, and return the number of bytes written.
693 * On failure, return -1.
694 */
695 int
698 {
709 }
711 }
713 /** Check a siglen-byte long signature at <b>sig</b> against
714 * <b>datalen</b> bytes of data at <b>data</b>, using the public key
715 * in <b>env</b>. Return 0 if <b>sig</b> is a correct signature for
716 * SHA1(data). Else return -1.
717 */
718 int
721 {
733 }
738 }
742 }
745 }
747 /** Sign <b>fromlen</b> bytes of data from <b>from</b> with the private key in
748 * <b>env</b>, using PKCS1 padding. On success, write the signature to
749 * <b>to</b>, and return the number of bytes written. On failure, return
750 * -1.
751 */
752 int
755 {
761 /* Not a private key */
769 }
771 }
773 /** Compute a SHA1 digest of <b>fromlen</b> bytes of data stored at
774 * <b>from</b>; sign the data with the private key in <b>env</b>, and
775 * store it in <b>to</b>. Return the number of bytes written on
776 * success, and -1 on failure.
777 */
778 int
781 {
786 }
788 /** Perform a hybrid (public/secret) encryption on <b>fromlen</b>
789 * bytes of data from <b>from</b>, with padding type 'padding',
790 * storing the results on <b>to</b>.
791 *
792 * If no padding is used, the public key must be at least as large as
793 * <b>from</b>.
794 *
795 * Returns the number of bytes written on success, -1 on failure.
796 *
797 * The encrypted data consists of:
798 * - The source data, padded and encrypted with the public key, if the
799 * padded source data is no longer than the public key, and <b>force</b>
800 * is false, OR
801 * - The beginning of the source data prefixed with a 16-byte symmetric key,
802 * padded and encrypted with the public key; followed by the rest of
803 * the source data encrypted in AES-CTR mode with the symmetric key.
804 */
805 int
811 {
828 /* It all fits in a single encrypt. */
830 }
835 /* You can't just run around RSA-encrypting any bitstream: if it's
836 * greater than the RSA key, then OpenSSL will happily encrypt, and
837 * later decrypt to the wrong value. So we set the first bit of
838 * 'cipher->key' to 0 if we aren't padding. This means that our
839 * symmetric key is really only 127 bits.
840 */
848 /* Length of symmetrically encrypted data. */
854 }
862 err:
866 }
868 /** Invert crypto_pk_public_hybrid_encrypt. */
869 int
875 {
885 warnOnFailure);
886 }
888 warnOnFailure);
893 }
898 }
902 }
911 err:
915 }
917 /** ASN.1-encode the public portion of <b>pk</b> into <b>dest</b>.
918 * Return -1 on error, or the number of characters used on success.
919 */
920 int
922 {
934 }
935 /* We don't encode directly into 'dest', because that would be illegal
936 * type-punning. (C99 is smarter than me, C99 is smarter than me...)
937 */
941 }
943 /** Decode an ASN.1-encoded public key from <b>str</b>; return the result on
944 * success and NULL on failure.
945 */
946 crypto_pk_env_t *
948 {
951 /* This ifdef suppresses a type warning. Take out the first case once
952 * everybody is using openssl 0.9.7 or later.
953 */
954 #if OPENSSL_VERSION_NUMBER < 0x00907000l
956 #else
958 #endif
966 }
968 }
970 /** Given a private or public key <b>pk</b>, put a SHA1 hash of the
971 * public key into <b>digest_out</b> (must have DIGEST_LEN bytes of space).
972 * Return 0 on success, -1 on failure.
973 */
974 int
976 {
989 }
993 }
996 }
998 /** Given a private or public key <b>pk</b>, put a fingerprint of the
999 * public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1 bytes of
1000 * space). Return 0 on success, -1 on failure.
1001 *
1002 * Fingerprints are computed as the SHA1 digest of the ASN.1 encoding
1003 * of the public key, converted to hexadecimal, in upper case, with a
1004 * space after every four digits.
1005 *
1006 * If <b>add_space</b> is false, omit the spaces.
1007 */
1008 int
1010 {
1015 }
1022 }
1024 }
1026 /** Return true iff <b>s</b> is in the correct format for a fingerprint.
1027 */
1028 int
1030 {
1037 }
1038 }
1041 }
1043 /* symmetric crypto */
1045 /** Generate a new random key for the symmetric cipher in <b>env</b>.
1046 * Return 0 on success, -1 on failure. Does not initialize the cipher.
1047 */
1048 int
1050 {
1054 }
1056 /** Set the symmetric key for the cipher in <b>env</b> to the first
1057 * CIPHER_KEY_LEN bytes of <b>key</b>. Does not initialize the cipher.
1058 * Return 0 on success, -1 on failure.
1059 */
1060 int
1062 {
1072 }
1074 /** Return a pointer to the key set for the cipher in <b>env</b>.
1075 */
1078 {
1080 }
1082 /** Initialize the cipher in <b>env</b> for encryption. Return 0 on
1083 * success, -1 on failure.
1084 */
1085 int
1087 {
1092 }
1094 /** Initialize the cipher in <b>env</b> for decryption. Return 0 on
1095 * success, -1 on failure.
1096 */
1097 int
1099 {
1104 }
1106 /** Encrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1107 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1108 * On failure, return -1.
1109 */
1110 int
1113 {
1122 }
1124 /** Decrypt <b>fromlen</b> bytes from <b>from</b> using the cipher
1125 * <b>env</b>; on success, store the result to <b>to</b> and return 0.
1126 * On failure, return -1.
1127 */
1128 int
1131 {
1138 }
1140 /* SHA-1 */
1142 /** Compute the SHA1 digest of <b>len</b> bytes in data stored in
1143 * <b>m</b>. Write the DIGEST_LEN byte result into <b>digest</b>.
1144 * Return 0 on success, -1 on failure.
1145 */
1146 int
1148 {
1152 }
1154 /** Intermediate information about the digest of a stream of data. */
1156 SHA_CTX d;
1157 };
1159 /** Allocate and return a new digest object.
1160 */
1161 crypto_digest_env_t *
1163 {
1168 }
1170 /** Deallocate a digest object.
1171 */
1172 void
1174 {
1176 }
1178 /** Add <b>len</b> bytes from <b>data</b> to the digest object.
1179 */
1180 void
1183 {
1186 /* Using the SHA1_*() calls directly means we don't support doing
1187 * sha1 in hardware. But so far the delay of getting the question
1188 * to the hardware, and hearing the answer, is likely higher than
1189 * just doing it ourselves. Hashes are fast.
1190 */
1192 }
1194 /** Compute the hash of the data that has been passed to the digest
1195 * object; write the first out_len bytes of the result to <b>out</b>.
1196 * <b>out_len</b> must be \<= DIGEST_LEN.
1197 */
1198 void
1201 {
1203 SHA_CTX tmpctx;
1207 /* memcpy into a temporary ctx, since SHA1_Final clears the context */
1211 }
1213 /** Allocate and return a new digest object with the same state as
1214 * <b>digest</b>
1215 */
1216 crypto_digest_env_t *
1218 {
1224 }
1226 /** Replace the state of the digest object <b>into</b> with the state
1227 * of the digest object <b>from</b>.
1228 */
1229 void
1232 {
1236 }
1238 /* DH */
1240 /** Shared P parameter for our DH key exchanged. */
1242 /** Shared G parameter for our DH key exchanges. */
1245 /** Initialize dh_param_p and dh_param_g if they are not already
1246 * set. */
1247 static void
1249 {
1260 /* This is from rfc2409, section 6.2. It's a safe prime, and
1261 supposedly it equals:
1262 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
1263 */
1265 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
1266 "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
1267 "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
1268 "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
1276 }
1278 #define DH_PRIVATE_KEY_BITS 320
1280 /** Allocate and return a new DH object for a key exchange.
1281 */
1282 crypto_dh_env_t *
1284 {
1304 err:
1309 }
1311 /** Return the length of the DH key in <b>dh</b>, in bytes.
1312 */
1313 int
1315 {
1318 }
1320 /** Generate \<x,g^x\> for our part of the key exchange. Return 0 on
1321 * success, -1 on failure.
1322 */
1323 int
1325 {
1326 again:
1330 }
1334 /* Free and clear the keys, so openssl will actually try again. */
1339 }
1341 }
1343 /** Generate g^x as necessary, and write the g^x for the key exchange
1344 * as a <b>pubkey_len</b>-byte value into <b>pubkey</b>. Return 0 on
1345 * success, -1 on failure. <b>pubkey_len</b> must be \>= DH_BYTES.
1346 */
1347 int
1349 {
1355 }
1365 }
1371 }
1373 /** Check for bad diffie-hellman public keys (g^x). Return 0 if the key is
1374 * okay (in the subgroup [2,p-2]), or -1 if it's bad.
1375 * See http://www.cl.cam.ac.uk/ftp/users/rja14/psandqs.ps.gz for some tips.
1376 */
1377 static int
1379 {
1391 }
1397 }
1400 err:
1406 }
1408 #undef MIN
1409 #define MIN(a,b) ((a)<(b)?(a):(b))
1410 /** Given a DH key exchange object, and our peer's value of g^y (as a
1411 * <b>pubkey_len</b>-byte value in <b>pubkey</b>) generate
1412 * <b>secret_bytes_out</b> bytes of shared key material and write them
1413 * to <b>secret_out</b>. Return the number of bytes generated on success,
1414 * or -1 on failure.
1415 *
1416 * (We generate key material by computing
1417 * SHA1( g^xy || "\x00" ) || SHA1( g^xy || "\x01" ) || ...
1418 * where || is concatenation.)
1419 */
1420 int
1424 {
1435 /* Check for invalid public keys. */
1438 }
1444 }
1446 /* sometimes secret_len might be less than 128, e.g., 127. that's ok. */
1447 /* Actually, http://www.faqs.org/rfcs/rfc2631.html says:
1448 * Leading zeros MUST be preserved, so that ZZ occupies as many
1449 * octets as p. For instance, if p is 1024 bits, ZZ should be 128
1450 * bytes long.
1451 * What are the security implications here?
1452 */
1459 error:
1461 done:
1468 else
1470 }
1472 /** Given <b>key_in_len</b> bytes of negotiated randomness in <b>key_in</b>
1473 * ("K"), expand it into <b>key_out_len</b> bytes of negotiated key material in
1474 * <b>key_out</b> by taking the first key_out_len bytes of
1475 * H(K | [00]) | H(K | [01]) | ....
1476 *
1477 * Return 0 on success, -1 on failure.
1478 */
1479 int
1482 {
1487 /* If we try to get more than this amount of key data, we'll repeat blocks.*/
1499 }
1504 err:
1508 }
1510 /** Free a DH key exchange object.
1511 */
1512 void
1514 {
1519 }
1521 /* random numbers */
1523 /* This is how much entropy OpenSSL likes to add right now, so maybe it will
1524 * work for us too. */
1525 #define ADD_ENTROPY 32
1527 /* Use RAND_poll if openssl is 0.9.6 release or later. (The "f" means
1528 "release".) */
1529 //#define USE_RAND_POLL (OPENSSL_VERSION_NUMBER >= 0x0090600fl)
1530 #define USE_RAND_POLL 0
1531 /* XXX Somehow setting USE_RAND_POLL on causes stack smashes. We're
1532 * not sure where. This was the big bug with Tor 0.1.1.9-alpha. */
1534 /** Seed OpenSSL's random number generator with bytes from the
1535 * operating system. Return 0 on success, -1 on failure.
1536 */
1537 int
1539 {
1543 /* local variables */
1544 #ifdef MS_WINDOWS
1547 #else
1550 };
1553 #endif
1555 #if USE_RAND_POLL
1556 /* OpenSSL 0.9.6 adds a RAND_poll function that knows about more kinds of
1557 * entropy than we do. We'll try calling that, *and* calling our own entropy
1558 * functions. If one succeeds, we'll accept the RNG as seeded. */
1562 #else
1564 #endif
1566 #ifdef MS_WINDOWS
1569 CRYPT_VERIFYCONTEXT)) {
1573 }
1574 }
1576 }
1580 }
1583 #else
1594 }
1597 }
1601 #endif
1602 }
1604 /** Write n bytes of strong random data to <b>to</b>. Return 0 on
1605 * success, -1 on failure.
1606 */
1607 int
1609 {
1616 }
1618 /** Return a pseudorandom integer, chosen uniformly from the values
1619 * between 0 and max-1. */
1620 int
1622 {
1628 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1629 * distribution with clipping at the upper end of unsigned int's
1630 * range.
1631 */
1637 }
1638 }
1640 /** Return a pseudorandom integer, chosen uniformly from the values
1641 * between 0 and max-1. */
1642 uint64_t
1644 {
1650 /* We ignore any values that are >= 'cutoff,' to avoid biasing the
1651 * distribution with clipping at the upper end of unsigned int's
1652 * range.
1653 */
1659 }
1660 }
1662 /** Return a randomly chosen element of sl; or NULL if sl is empty.
1663 */
1666 {
1672 }
1674 /** Base-64 encode <b>srclen</b> bytes of data from <b>src</b>. Write
1675 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1676 * bytes. Return the number of bytes written on success; -1 if
1677 * destlen is too short, or other failure.
1678 */
1679 int
1681 {
1682 EVP_ENCODE_CTX ctx;
1685 /* 48 bytes of input -> 64 bytes of output plus newline.
1686 Plus one more byte, in case I'm wrong.
1687 */
1699 }
1701 /** Base-64 decode <b>srclen</b> bytes of data from <b>src</b>. Write
1702 * the result into <b>dest</b>, if it will fit within <b>destlen</b>
1703 * bytes. Return the number of bytes written on success; -1 if
1704 * destlen is too short, or other failure.
1705 *
1706 * NOTE: destlen should be a little longer than the amount of data it
1707 * will contain, since we check for sufficient space conservatively.
1708 * Here, "a little" is around 64-ish bytes.
1709 */
1710 int
1712 {
1713 EVP_ENCODE_CTX ctx;
1715 /* 64 bytes of input -> *up to* 48 bytes of output.
1716 Plus one more byte, in case I'm wrong.
1717 */
1729 }
1731 /** Base-64 encode DIGEST_LINE bytes from <b>digest</b>, remove the trailing =
1732 * and newline characters, and store the nul-terminated result in the first
1733 * BASE64_DIGEST_LEN+1 bytes of <b>d64</b>. */
1734 int
1736 {
1742 }
1744 /** Given a base-64 encoded, nul-terminated digest in <b>d64</b> (without
1745 * trailing newline or = characters), decode it and store the result in the
1746 * first DIGEST_LEN bytes at <b>digest</b>. */
1747 int
1749 {
1760 }
1762 /** Implements base32 encoding as in rfc3548. Limitation: Requires
1763 * that srclen*8 is a multiple of 5.
1764 */
1765 void
1767 {
1776 /* set v to the 16-bit value starting at src[bits/8], 0-padded. */
1779 /* set u to the 5-bit value at the bit'th bit of src. */
1782 }
1784 }
1786 /** Implement RFC2440-style iterated-salted S2K conversion: convert the
1787 * <b>secret_len</b>-byte <b>secret</b> into a <b>key_out_len</b> byte
1788 * <b>key_out</b>. As in RFC2440, the first 8 bytes of s2k_specifier
1789 * are a salt; the 9th byte describes how much iteration to do.
1790 * Does not support <b>key_out_len</b> > DIGEST_LEN.
1791 */
1792 void
1795 {
1802 #define EXPBIAS 6
1805 #undef EXPBIAS
1821 }
1822 }
1826 }
1828 #ifdef TOR_IS_MULTITHREADED
1829 /** Helper: openssl uses this callback to manipulate mutexes. */
1830 static void
1832 {
1836 /* This is not a really good fix for the
1837 * "release-freed-lock-from-separate-thread-on-shutdown" problem, but
1838 * it can't hurt. */
1842 else
1844 }
1846 /** Helper: Construct mutexes, and set callbacks to help OpenSSL handle being
1847 * multithreaded. */
1848 static int
1850 {
1860 }
1861 #else
1862 static int
1864 {
1866 }
1867 #endif