diff --git a/spec/std/openssl/pkcs5_spec.cr b/spec/std/openssl/pkcs5_spec.cr
index a8261d42c1f6..666151151d89 100644
--- a/spec/std/openssl/pkcs5_spec.cr
+++ b/spec/std/openssl/pkcs5_spec.cr
@@ -13,53 +13,51 @@ describe OpenSSL::PKCS5 do end end - {% if compare_versions(LibSSL::OPENSSL_VERSION, "1.0.0") >= 0 || LibSSL::LIBRESSL_VERSION != "0.0.0" %} - {% if compare_versions(LibSSL::OPENSSL_VERSION, "3.0.0") < 0 %} - [ - {OpenSSL::Algorithm::MD4, 1, 16, "1857f69412150bca4542581d0f9e7fd1"}, - {OpenSSL::Algorithm::MD4, 1, 32, "1857f69412150bca4542581d0f9e7fd19332ff5c0b820cb0172457a29c5519be"}, - {OpenSSL::Algorithm::MD4, 2**16, 16, "3d87c982c8c4223f4af39406ac3882e6"}, - {OpenSSL::Algorithm::MD4, 2**16, 32, "3d87c982c8c4223f4af39406ac3882e6e6b92685dcf89f74df8caf7500b41883"}, - {OpenSSL::Algorithm::RIPEMD160, 1, 16, "b725258b125e0bacb0e2307e34feb16a"}, - {OpenSSL::Algorithm::RIPEMD160, 1, 32, "b725258b125e0bacb0e2307e34feb16a4d0d6aed6cb4b0eee458fc1829020428"}, - {OpenSSL::Algorithm::RIPEMD160, 2**16, 16, "93a8e007de2608e54911684cbebe2780"}, - {OpenSSL::Algorithm::RIPEMD160, 2**16, 32, "93a8e007de2608e54911684cbebe27808cc39fa59de9acdf74492155b46c4d2d"}, - ].each do |(algorithm, iterations, key_size, expected)| - it "computes pbkdf2_hmac #{algorithm}" do - OpenSSL::PKCS5.pbkdf2_hmac("password", "salt", iterations, algorithm, key_size).hexstring.should eq expected - end - end - {% end %} - + {% if compare_versions(LibSSL::OPENSSL_VERSION, "3.0.0") < 0 %} [ - {OpenSSL::Algorithm::MD5, 1, 16, "f31afb6d931392daa5e3130f47f9a9b6"}, - {OpenSSL::Algorithm::MD5, 1, 32, "f31afb6d931392daa5e3130f47f9a9b6e8e72029d8350b9fb27a9e0e00b9d991"}, - {OpenSSL::Algorithm::MD5, 2**16, 16, "8b4ffd76e400c3b74b3d0fbfd9232048"}, - {OpenSSL::Algorithm::MD5, 2**16, 32, "8b4ffd76e400c3b74b3d0fbfd9232048762c86fe7684992c6f581f073f6625ee"}, - {OpenSSL::Algorithm::SHA1, 1, 16, "0c60c80f961f0e71f3a9b524af601206"}, - {OpenSSL::Algorithm::SHA1, 1, 32, "0c60c80f961f0e71f3a9b524af6012062fe037a6e0f0eb94fe8fc46bdc637164"}, - {OpenSSL::Algorithm::SHA1, 2**16, 16, "1b345dd55f62a35aecdb9229bc7ae95b"}, - {OpenSSL::Algorithm::SHA1, 2**16, 32, 
"1b345dd55f62a35aecdb9229bc7ae95b305a8d538940134627e46f82d3a41e5e"}, - {OpenSSL::Algorithm::SHA224, 1, 16, "3c198cbdb9464b7857966bd05b7bc92b"}, - {OpenSSL::Algorithm::SHA224, 1, 32, "3c198cbdb9464b7857966bd05b7bc92bc1cc4e6e63155d4e490557fd85989497"}, - {OpenSSL::Algorithm::SHA224, 2**16, 16, "53a7f042a8154092058cfe87e7fbf1c1"}, - {OpenSSL::Algorithm::SHA224, 2**16, 32, "53a7f042a8154092058cfe87e7fbf1c1f96826a9a2ffd8bcfda50bb9f60786f0"}, - {OpenSSL::Algorithm::SHA256, 1, 16, "120fb6cffcf8b32c43e7225256c4f837"}, - {OpenSSL::Algorithm::SHA256, 1, 32, "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b"}, - {OpenSSL::Algorithm::SHA256, 2**16, 16, "4156f668bb31db3a17f4d1b91424ef0d"}, - {OpenSSL::Algorithm::SHA256, 2**16, 32, "4156f668bb31db3a17f4d1b91424ef0d417ad1f35d055aceaebd8da0f6a44b7e"}, - {OpenSSL::Algorithm::SHA384, 1, 16, "c0e14f06e49e32d73f9f52ddf1d0c5c7"}, - {OpenSSL::Algorithm::SHA384, 1, 32, "c0e14f06e49e32d73f9f52ddf1d0c5c7191609233631dadd76a567db42b78676"}, - {OpenSSL::Algorithm::SHA384, 2**16, 16, "c7b5b0b726f6556587cced08d184253b"}, - {OpenSSL::Algorithm::SHA384, 2**16, 32, "c7b5b0b726f6556587cced08d184253bc9d2eb802db134fb9029b86ab25e7cd0"}, - {OpenSSL::Algorithm::SHA512, 1, 16, "867f70cf1ade02cff3752599a3a53dc4"}, - {OpenSSL::Algorithm::SHA512, 1, 32, "867f70cf1ade02cff3752599a3a53dc4af34c7a669815ae5d513554e1c8cf252"}, - {OpenSSL::Algorithm::SHA512, 2**16, 16, "6f64c3f8023813d8c2cab43cabfaa65e"}, - {OpenSSL::Algorithm::SHA512, 2**16, 32, "6f64c3f8023813d8c2cab43cabfaa65ed061822afe974060d8079d122fb869f4"}, + {OpenSSL::Algorithm::MD4, 1, 16, "1857f69412150bca4542581d0f9e7fd1"}, + {OpenSSL::Algorithm::MD4, 1, 32, "1857f69412150bca4542581d0f9e7fd19332ff5c0b820cb0172457a29c5519be"}, + {OpenSSL::Algorithm::MD4, 2**16, 16, "3d87c982c8c4223f4af39406ac3882e6"}, + {OpenSSL::Algorithm::MD4, 2**16, 32, "3d87c982c8c4223f4af39406ac3882e6e6b92685dcf89f74df8caf7500b41883"}, + {OpenSSL::Algorithm::RIPEMD160, 1, 16, "b725258b125e0bacb0e2307e34feb16a"}, + 
{OpenSSL::Algorithm::RIPEMD160, 1, 32, "b725258b125e0bacb0e2307e34feb16a4d0d6aed6cb4b0eee458fc1829020428"}, + {OpenSSL::Algorithm::RIPEMD160, 2**16, 16, "93a8e007de2608e54911684cbebe2780"}, + {OpenSSL::Algorithm::RIPEMD160, 2**16, 32, "93a8e007de2608e54911684cbebe27808cc39fa59de9acdf74492155b46c4d2d"}, ].each do |(algorithm, iterations, key_size, expected)| it "computes pbkdf2_hmac #{algorithm}" do OpenSSL::PKCS5.pbkdf2_hmac("password", "salt", iterations, algorithm, key_size).hexstring.should eq expected end end {% end %} + + [ + {OpenSSL::Algorithm::MD5, 1, 16, "f31afb6d931392daa5e3130f47f9a9b6"}, + {OpenSSL::Algorithm::MD5, 1, 32, "f31afb6d931392daa5e3130f47f9a9b6e8e72029d8350b9fb27a9e0e00b9d991"}, + {OpenSSL::Algorithm::MD5, 2**16, 16, "8b4ffd76e400c3b74b3d0fbfd9232048"}, + {OpenSSL::Algorithm::MD5, 2**16, 32, "8b4ffd76e400c3b74b3d0fbfd9232048762c86fe7684992c6f581f073f6625ee"}, + {OpenSSL::Algorithm::SHA1, 1, 16, "0c60c80f961f0e71f3a9b524af601206"}, + {OpenSSL::Algorithm::SHA1, 1, 32, "0c60c80f961f0e71f3a9b524af6012062fe037a6e0f0eb94fe8fc46bdc637164"}, + {OpenSSL::Algorithm::SHA1, 2**16, 16, "1b345dd55f62a35aecdb9229bc7ae95b"}, + {OpenSSL::Algorithm::SHA1, 2**16, 32, "1b345dd55f62a35aecdb9229bc7ae95b305a8d538940134627e46f82d3a41e5e"}, + {OpenSSL::Algorithm::SHA224, 1, 16, "3c198cbdb9464b7857966bd05b7bc92b"}, + {OpenSSL::Algorithm::SHA224, 1, 32, "3c198cbdb9464b7857966bd05b7bc92bc1cc4e6e63155d4e490557fd85989497"}, + {OpenSSL::Algorithm::SHA224, 2**16, 16, "53a7f042a8154092058cfe87e7fbf1c1"}, + {OpenSSL::Algorithm::SHA224, 2**16, 32, "53a7f042a8154092058cfe87e7fbf1c1f96826a9a2ffd8bcfda50bb9f60786f0"}, + {OpenSSL::Algorithm::SHA256, 1, 16, "120fb6cffcf8b32c43e7225256c4f837"}, + {OpenSSL::Algorithm::SHA256, 1, 32, "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b"}, + {OpenSSL::Algorithm::SHA256, 2**16, 16, "4156f668bb31db3a17f4d1b91424ef0d"}, + {OpenSSL::Algorithm::SHA256, 2**16, 32, 
"4156f668bb31db3a17f4d1b91424ef0d417ad1f35d055aceaebd8da0f6a44b7e"}, + {OpenSSL::Algorithm::SHA384, 1, 16, "c0e14f06e49e32d73f9f52ddf1d0c5c7"}, + {OpenSSL::Algorithm::SHA384, 1, 32, "c0e14f06e49e32d73f9f52ddf1d0c5c7191609233631dadd76a567db42b78676"}, + {OpenSSL::Algorithm::SHA384, 2**16, 16, "c7b5b0b726f6556587cced08d184253b"}, + {OpenSSL::Algorithm::SHA384, 2**16, 32, "c7b5b0b726f6556587cced08d184253bc9d2eb802db134fb9029b86ab25e7cd0"}, + {OpenSSL::Algorithm::SHA512, 1, 16, "867f70cf1ade02cff3752599a3a53dc4"}, + {OpenSSL::Algorithm::SHA512, 1, 32, "867f70cf1ade02cff3752599a3a53dc4af34c7a669815ae5d513554e1c8cf252"}, + {OpenSSL::Algorithm::SHA512, 2**16, 16, "6f64c3f8023813d8c2cab43cabfaa65e"}, + {OpenSSL::Algorithm::SHA512, 2**16, 32, "6f64c3f8023813d8c2cab43cabfaa65ed061822afe974060d8079d122fb869f4"}, + ].each do |(algorithm, iterations, key_size, expected)| + it "computes pbkdf2_hmac #{algorithm}" do + OpenSSL::PKCS5.pbkdf2_hmac("password", "salt", iterations, algorithm, key_size).hexstring.should eq expected + end + end end diff --git a/spec/std/openssl/ssl/context_spec.cr b/spec/std/openssl/ssl/context_spec.cr index c37055dcedec..d3d109525484 100644 --- a/spec/std/openssl/ssl/context_spec.cr +++ b/spec/std/openssl/ssl/context_spec.cr 
@@ -11,11 +11,7 @@ describe OpenSSL::SSL::Context do context = OpenSSL::SSL::Context::Client.new (context.options & OpenSSL::SSL::Options::ALL).should eq(OpenSSL::SSL::Options::ALL) - (context.options & OpenSSL::SSL::Options::NO_SSL_V2).should eq(OpenSSL::SSL::Options::NO_SSL_V2) - (context.options & OpenSSL::SSL::Options::NO_SSL_V3).should eq(OpenSSL::SSL::Options::NO_SSL_V3) (context.options & OpenSSL::SSL::Options::NO_SESSION_RESUMPTION_ON_RENEGOTIATION).should eq(OpenSSL::SSL::Options::NO_SESSION_RESUMPTION_ON_RENEGOTIATION) - (context.options & OpenSSL::SSL::Options::SINGLE_ECDH_USE).should eq(OpenSSL::SSL::Options::SINGLE_ECDH_USE) - (context.options & OpenSSL::SSL::Options::SINGLE_DH_USE).should eq(OpenSSL::SSL::Options::SINGLE_DH_USE) context.modes.should eq(OpenSSL::SSL::Modes.flags(AUTO_RETRY, RELEASE_BUFFERS)) context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::PEER) 
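Review bot: The client-default spec no longer asserts `NO_SSL_V3`, and the default-options hunk in src/openssl/ssl/context.cr drops `NO_SSL_V3` from the `add_options` flags together with `NO_SSL_V2`. Unlike `NO_SSL_V2`, `SINGLE_ECDH_USE` and `SINGLE_DH_USE`, `NO_SSL_V3` is not among the options that lib_ssl.cr defines as 0 and marks deprecated, so it presumably still maps to a live bit, and a library built with SSLv3 enabled would then be relied on to refuse SSLv3 by its own defaults. I would keep `NO_SSL_V3,` in the flags list and keep `(context.options & OpenSSL::SSL::Options::NO_SSL_V3).should eq(OpenSSL::SSL::Options::NO_SSL_V3)` here and in the server-default hunk below. The enclosing example starts above the hunk.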
@@ -27,14 +23,8 @@ describe OpenSSL::SSL::Context do context = OpenSSL::SSL::Context::Server.new (context.options & OpenSSL::SSL::Options::ALL).should eq(OpenSSL::SSL::Options::ALL) - (context.options & OpenSSL::SSL::Options::NO_SSL_V2).should eq(OpenSSL::SSL::Options::NO_SSL_V2) - (context.options & OpenSSL::SSL::Options::NO_SSL_V3).should eq(OpenSSL::SSL::Options::NO_SSL_V3) (context.options & OpenSSL::SSL::Options::NO_SESSION_RESUMPTION_ON_RENEGOTIATION).should eq(OpenSSL::SSL::Options::NO_SESSION_RESUMPTION_ON_RENEGOTIATION) - (context.options & OpenSSL::SSL::Options::SINGLE_ECDH_USE).should eq(OpenSSL::SSL::Options::SINGLE_ECDH_USE) - (context.options & OpenSSL::SSL::Options::SINGLE_DH_USE).should eq(OpenSSL::SSL::Options::SINGLE_DH_USE) - {% if LibSSL::Options.has_constant?(:NO_RENEGOTIATION) %} - (context.options & OpenSSL::SSL::Options::NO_RENEGOTIATION).should eq(OpenSSL::SSL::Options::NO_RENEGOTIATION) - {% end %} + (context.options & OpenSSL::SSL::Options::NO_RENEGOTIATION).should eq(OpenSSL::SSL::Options::NO_RENEGOTIATION) context.modes.should eq(OpenSSL::SSL::Modes.flags(AUTO_RETRY, RELEASE_BUFFERS)) context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::NONE) @@ -47,11 +37,7 @@ describe OpenSSL::SSL::Context do context.should be_a(OpenSSL::SSL::Context::Client) context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::NONE) context.options.no_ssl_v3?.should_not be_true - {% if compare_versions(LibSSL::OPENSSL_VERSION, "1.1.1") >= 0 || compare_versions(LibSSL::LIBRESSL_VERSION, "3.2.0") >= 0 %} - context.modes.should eq(OpenSSL::SSL::Modes::AUTO_RETRY) - {% else %} - context.modes.should eq(OpenSSL::SSL::Modes::None) - {% end %} + context.modes.should eq(OpenSSL::SSL::Modes::AUTO_RETRY) OpenSSL::SSL::Context::Client.insecure(LibSSL.tlsv1_method) end 
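Review bot: The now-unconditional `NO_RENEGOTIATION` assertion in the server-default example is vacuous on LibreSSL, because the lib_ssl.cr Options hunk defines `NO_RENEGOTIATION = 0x00000000` in its `{% else %}` branch and `(context.options & 0)` always equals 0. The same zero makes the `NO_RENEGOTIATION,` entry added to the default flags in src/openssl/ssl/context.cr a silent no-op there, so the code reads as if renegotiation were disabled when the flag does nothing. A comment at the definition such as `# No-op on LibreSSL: this flag does not disable renegotiation there` would make that visible, and this assertion could stay behind `{% if LibSSL::OPENSSL_VERSION != "0.0.0" %}` so that it only runs where it can fail. The enclosing example starts above the hunk.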
@@ -61,11 +47,7 @@ describe OpenSSL::SSL::Context do context.should be_a(OpenSSL::SSL::Context::Server) context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::NONE) context.options.no_ssl_v3?.should_not be_true - {% if compare_versions(LibSSL::OPENSSL_VERSION, "1.1.1") >= 0 || compare_versions(LibSSL::LIBRESSL_VERSION, "3.2.0") >= 0 %} - context.modes.should eq(OpenSSL::SSL::Modes::AUTO_RETRY) - {% else %} - context.modes.should eq(OpenSSL::SSL::Modes::None) - {% end %} + context.modes.should eq(OpenSSL::SSL::Modes::AUTO_RETRY) OpenSSL::SSL::Context::Server.insecure(LibSSL.tlsv1_method) end diff --git a/src/openssl/lib_crypto.cr b/src/openssl/lib_crypto.cr index b75474951764..2a3e922a251b 100644 --- a/src/openssl/lib_crypto.cr +++ b/src/openssl/lib_crypto.cr 
@@ -109,47 +109,25 @@ lib LibCrypto alias BioMethodDestroy = Bio* -> Int alias BioMethodCallbackCtrl = (Bio*, Int, Void*) -> Long - {% if compare_versions(LibCrypto::OPENSSL_VERSION, "1.1.0") >= 0 || compare_versions(LibCrypto::LIBRESSL_VERSION, "2.7.0") >= 0 %} - type BioMethod = Void - {% else %} - struct BioMethod - type_id : Int - name : Char* - bwrite : BioMethodWriteOld - bread : BioMethodReadOld - bputs : BioMethodPuts - bgets : BioMethodGets - ctrl : BioMethodCtrl - create : BioMethodCreate - destroy : BioMethodDestroy - callback_ctrl : BioMethodCallbackCtrl - end - {% end %} + type BioMethod = Void fun BIO_new(BioMethod*) : Bio* fun BIO_free(Bio*) : Int - {% if compare_versions(LibCrypto::OPENSSL_VERSION, "1.1.0") >= 0 || compare_versions(LibCrypto::LIBRESSL_VERSION, "2.7.0") >= 0 %} - fun BIO_set_data(Bio*, Void*) - fun BIO_get_data(Bio*) : Void* - fun BIO_set_init(Bio*, Int) - fun BIO_set_shutdown(Bio*, Int) - - fun BIO_meth_new(Int, Char*) : BioMethod* - fun BIO_meth_set_read(BioMethod*, BioMethodReadOld) - fun BIO_meth_set_write(BioMethod*, BioMethodWriteOld) - fun BIO_meth_set_puts(BioMethod*, BioMethodPuts) - fun BIO_meth_set_gets(BioMethod*, BioMethodGets) - fun BIO_meth_set_ctrl(BioMethod*, BioMethodCtrl) - fun BIO_meth_set_create(BioMethod*, BioMethodCreate) - fun BIO_meth_set_destroy(BioMethod*, BioMethodDestroy) - fun BIO_meth_set_callback_ctrl(BioMethod*, BioMethodCallbackCtrl) - {% end %} - # LibreSSL does not define these symbols - {% if compare_versions(LibCrypto::OPENSSL_VERSION, "1.1.1") >= 0 %} - fun BIO_meth_set_read_ex(BioMethod*, BioMethodRead) - fun BIO_meth_set_write_ex(BioMethod*, BioMethodWrite) - {% end %} + fun BIO_set_data(Bio*, Void*) + fun BIO_get_data(Bio*) : Void* + fun BIO_set_init(Bio*, Int) + fun BIO_set_shutdown(Bio*, Int) + + fun BIO_meth_new(Int, Char*) : BioMethod* + fun BIO_meth_set_read(BioMethod*, BioMethodReadOld) + fun BIO_meth_set_write(BioMethod*, BioMethodWriteOld) + fun BIO_meth_set_puts(BioMethod*, 
BioMethodPuts) + fun BIO_meth_set_gets(BioMethod*, BioMethodGets) + fun BIO_meth_set_ctrl(BioMethod*, BioMethodCtrl) + fun BIO_meth_set_create(BioMethod*, BioMethodCreate) + fun BIO_meth_set_destroy(BioMethod*, BioMethodDestroy) + fun BIO_meth_set_callback_ctrl(BioMethod*, BioMethodCallbackCtrl) fun sha1 = SHA1(data : Char*, length : SizeT, md : Char*) : Char* @@ -175,9 +153,7 @@ lib LibCrypto fun obj_obj2nid = OBJ_obj2nid(obj : ASN1_OBJECT) : Int fun obj_ln2nid = OBJ_ln2nid(ln : Char*) : Int fun obj_sn2nid = OBJ_sn2nid(sn : Char*) : Int - {% if compare_versions(OPENSSL_VERSION, "1.0.2") >= 0 || LIBRESSL_VERSION != "0.0.0" %} - fun obj_find_sigid_algs = OBJ_find_sigid_algs(sigid : Int32, pdig_nid : Int32*, ppkey_nid : Int32*) : Int32 - {% end %} + fun obj_find_sigid_algs = OBJ_find_sigid_algs(sigid : Int32, pdig_nid : Int32*, ppkey_nid : Int32*) : Int32 fun asn1_object_free = ASN1_OBJECT_free(obj : ASN1_OBJECT) fun asn1_string_data = ASN1_STRING_data(x : ASN1_STRING) : Char* @@ -230,13 +206,8 @@ lib LibCrypto fun evp_digestfinal_ex = EVP_DigestFinal_ex(ctx : EVP_MD_CTX, md : UInt8*, size : UInt32*) : Int32 - {% if compare_versions(OPENSSL_VERSION, "1.1.0") >= 0 || compare_versions(LibCrypto::LIBRESSL_VERSION, "2.7.0") >= 0 %} - fun evp_md_ctx_new = EVP_MD_CTX_new : EVP_MD_CTX - fun evp_md_ctx_free = EVP_MD_CTX_free(ctx : EVP_MD_CTX) - {% else %} - fun evp_md_ctx_new = EVP_MD_CTX_create : EVP_MD_CTX - fun evp_md_ctx_free = EVP_MD_CTX_destroy(ctx : EVP_MD_CTX) - {% end %} + fun evp_md_ctx_new = EVP_MD_CTX_new : EVP_MD_CTX + fun evp_md_ctx_free = EVP_MD_CTX_free(ctx : EVP_MD_CTX) fun evp_get_cipherbyname = EVP_get_cipherbyname(name : UInt8*) : EVP_CIPHER 
@@ -307,9 +278,7 @@ lib LibCrypto fun md5 = MD5(data : UInt8*, length : LibC::SizeT, md : UInt8*) : UInt8* fun pkcs5_pbkdf2_hmac_sha1 = PKCS5_PBKDF2_HMAC_SHA1(pass : LibC::Char*, passlen : LibC::Int, salt : UInt8*, saltlen : LibC::Int, iter : LibC::Int, keylen : LibC::Int, out : UInt8*) : LibC::Int - {% if compare_versions(OPENSSL_VERSION, "1.0.0") >= 0 || LIBRESSL_VERSION != "0.0.0" %} - fun pkcs5_pbkdf2_hmac = PKCS5_PBKDF2_HMAC(pass : LibC::Char*, passlen : LibC::Int, salt : UInt8*, saltlen : LibC::Int, iter : LibC::Int, digest : EVP_MD, keylen : LibC::Int, out : UInt8*) : LibC::Int - {% end %} + fun pkcs5_pbkdf2_hmac = PKCS5_PBKDF2_HMAC(pass : LibC::Char*, passlen : LibC::Int, salt : UInt8*, saltlen : LibC::Int, iter : LibC::Int, digest : EVP_MD, keylen : LibC::Int, out : UInt8*) : LibC::Int NID_X9_62_prime256v1 = 415 @@ -330,7 +299,7 @@ lib LibCrypto NID_commonName = 13 NID_subject_alt_name = 85 - {% if compare_versions(OPENSSL_VERSION, "1.1.0") >= 0 %} + {% if OPENSSL_VERSION != "0.0.0" %} fun sk_free = OPENSSL_sk_free(st : Void*) fun sk_num = OPENSSL_sk_num(x0 : Void*) : Int fun sk_pop_free = OPENSSL_sk_pop_free(st : Void*, callback : (Void*) ->) @@ -354,9 +323,7 @@ lib LibCrypto fun x509_get_ext = X509_get_ext(x : X509, idx : Int) : X509_EXTENSION fun x509_get_ext_count = X509_get_ext_count(x : X509) : Int fun x509_get_ext_d2i = X509_get_ext_d2i(x : X509, nid : Int, crit : Int*, idx : Int*) : Void* - {% if compare_versions(OPENSSL_VERSION, "1.0.2") >= 0 || LIBRESSL_VERSION != "0.0.0" %} - fun x509_get_signature_nid = X509_get_signature_nid(x509 : X509) : Int32 - {% end %} + fun x509_get_signature_nid = X509_get_signature_nid(x509 : X509) : Int32 MBSTRING_UTF8 = 0x1000 
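Review bot: The `{% if OPENSSL_VERSION != "0.0.0" %}` guard in the `sk_free` hunk now selects the `OPENSSL_sk_*` bindings for any detected OpenSSL, including releases older than 1.1.0 that the removed `compare_versions` check used to exclude. The same pattern appears in lib_ssl.cr for `NO_RENEGOTIATION`, `ssl_ctx_set_num_tickets` and `ssl_ctx_set_security_level`, so an old library would presumably fail at link time with undefined symbols rather than with a clear message. Unless a floor is already enforced outside these hunks, a compile-time check next to the version constants would fail early, for example `{% if OPENSSL_VERSION != "0.0.0" && compare_versions(OPENSSL_VERSION, "1.1.1") < 0 %}{% raise "unsupported OpenSSL version" %}{% end %}`; the 1.1.1 floor is inferred from the removed `num_tickets` guard and should be confirmed.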
@@ -381,42 +348,35 @@ lib LibCrypto fun x509_store_add_cert = X509_STORE_add_cert(ctx : X509_STORE, x : X509) : Int - {% unless compare_versions(OPENSSL_VERSION, "1.1.0") >= 0 || compare_versions(LibCrypto::LIBRESSL_VERSION, "3.0.0") >= 0 %} - fun err_load_crypto_strings = ERR_load_crypto_strings - fun openssl_add_all_algorithms = OPENSSL_add_all_algorithms_noconf - {% end %} + type X509VerifyParam = Void* - {% if compare_versions(OPENSSL_VERSION, "1.0.2") >= 0 || LIBRESSL_VERSION != "0.0.0" %} - type X509VerifyParam = Void* - - @[Flags] - enum X509VerifyFlags : ULong - CB_ISSUER_CHECK = 0x1 - USE_CHECK_TIME = 0x2 - CRL_CHECK = 0x4 - CRL_CHECK_ALL = 0x8 - IGNORE_CRITICAL = 0x10 - X509_STRICT = 0x20 - ALLOW_PROXY_CERTS = 0x40 - POLICY_CHECK = 0x80 - EXPLICIT_POLICY = 0x100 - INHIBIT_ANY = 0x200 - INHIBIT_MAP = 0x400 - NOTIFY_POLICY = 0x800 - EXTENDED_CRL_SUPPORT = 0x1000 - USE_DELTAS = 0x2000 - CHECK_SS_SIGNATURE = 0x4000 - TRUSTED_FIRST = 0x8000 - SUITEB_128_LOS_ONLY = 0x10000 - SUITEB_192_LOS = 0x20000 - SUITEB_128_LOS = 0x30000 - PARTIAL_CHAIN = 0x80000 - NO_ALT_CHAINS = 0x100000 - end - - fun x509_verify_param_lookup = X509_VERIFY_PARAM_lookup(name : UInt8*) : X509VerifyParam - fun x509_verify_param_set1_host = X509_VERIFY_PARAM_set1_host(param : X509VerifyParam, name : UInt8*, len : SizeT) : Int - fun x509_verify_param_set1_ip_asc = X509_VERIFY_PARAM_set1_ip_asc(param : X509VerifyParam, ip : UInt8*) : Int - fun x509_verify_param_set_flags = X509_VERIFY_PARAM_set_flags(param : X509VerifyParam, flags : X509VerifyFlags) : Int - {% end %} + @[Flags] + enum X509VerifyFlags : ULong + CB_ISSUER_CHECK = 0x1 + USE_CHECK_TIME = 0x2 + CRL_CHECK = 0x4 + CRL_CHECK_ALL = 0x8 + IGNORE_CRITICAL = 0x10 + X509_STRICT = 0x20 + ALLOW_PROXY_CERTS = 0x40 + POLICY_CHECK = 0x80 + EXPLICIT_POLICY = 0x100 + INHIBIT_ANY = 0x200 + INHIBIT_MAP = 0x400 + NOTIFY_POLICY = 0x800 + EXTENDED_CRL_SUPPORT = 0x1000 + USE_DELTAS = 0x2000 + CHECK_SS_SIGNATURE = 0x4000 + TRUSTED_FIRST = 0x8000 + 
SUITEB_128_LOS_ONLY = 0x10000 + SUITEB_192_LOS = 0x20000 + SUITEB_128_LOS = 0x30000 + PARTIAL_CHAIN = 0x80000 + NO_ALT_CHAINS = 0x100000 + end + + fun x509_verify_param_lookup = X509_VERIFY_PARAM_lookup(name : UInt8*) : X509VerifyParam + fun x509_verify_param_set1_host = X509_VERIFY_PARAM_set1_host(param : X509VerifyParam, name : UInt8*, len : SizeT) : Int + fun x509_verify_param_set1_ip_asc = X509_VERIFY_PARAM_set1_ip_asc(param : X509VerifyParam, ip : UInt8*) : Int + fun x509_verify_param_set_flags = X509_VERIFY_PARAM_set_flags(param : X509VerifyParam, flags : X509VerifyFlags) : Int end diff --git a/src/openssl/lib_ssl.cr b/src/openssl/lib_ssl.cr index 449f35dd0f72..ce4953a1f708 100644 --- a/src/openssl/lib_ssl.cr +++ b/src/openssl/lib_ssl.cr @@ -105,12 +105,9 @@ lib LibSSL # SSL_CTRL_SET_TMP_RSA = 2 # SSL_CTRL_SET_TMP_DH = 3 - SSL_CTRL_SET_TMP_ECDH = 4 - - SSL_CTRL_OPTIONS = 32 - SSL_CTRL_MODE = 33 - SSL_CTRL_CLEAR_OPTIONS = 77 - SSL_CTRL_CLEAR_MODE = 78 + SSL_CTRL_SET_TMP_ECDH = 4 + SSL_CTRL_MODE = 33 + SSL_CTRL_CLEAR_MODE = 78 enum Options : ULong LEGACY_SERVER_CONNECT = 0x00000004 @@ -118,7 +115,6 @@ lib LibSSL DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800 # Various bug workarounds that should be rather harmless. - # This used to be `0x000FFFFF` before 0.9.7 ALL = 0x80000BFF NO_QUERY_MTU = 0x00001000 
@@ -137,39 +133,49 @@ lib LibSSL NO_TLS_V1_3 = 0x20000000 NO_TLS_V1_2 = 0x08000000 NO_TLS_V1_1 = 0x10000000 - {% if compare_versions(OPENSSL_VERSION, "1.1.0") >= 0 %} + + {% if OPENSSL_VERSION != "0.0.0" %} NO_RENEGOTIATION = 0x40000000 + {% else %} + NO_RENEGOTIATION = 0x00000000 {% end %} NETSCAPE_CA_DN_BUG = 0x20000000 NETSCAPE_DEMO_CIPHER_CHANGE_BUG = 0x40000000 CRYPTOPRO_TLSEXT_BUG = 0x80000000 - {% if compare_versions(OPENSSL_VERSION, "1.1.0") >= 0 || compare_versions(LIBRESSL_VERSION, "2.3.0") >= 0 %} - MICROSOFT_SESS_ID_BUG = 0x00000000 - NETSCAPE_CHALLENGE_BUG = 0x00000000 - NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 0x00000000 - SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000000 - MICROSOFT_BIG_SSL_V3_BUFFER = 0x00000000 - SSLEAY_080_CLIENT_DH_BUG = 0x00000000 - TLS_D5_BUG = 0x00000000 - TLS_BLOCK_PADDING_BUG = 0x00000000 - NO_SSL_V2 = 0x00000000 - SINGLE_ECDH_USE = 0x00000000 - SINGLE_DH_USE = 0x00000000 - {% else %} - MICROSOFT_SESS_ID_BUG = 0x00000001 - NETSCAPE_CHALLENGE_BUG = 0x00000002 - NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 0x00000008 - SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000010 - MICROSOFT_BIG_SSL_V3_BUFFER = 0x00000020 - SSLEAY_080_CLIENT_DH_BUG = 0x00000080 - TLS_D5_BUG = 0x00000100 - TLS_BLOCK_PADDING_BUG = 0x00000200 - NO_SSL_V2 = 0x01000000 - SINGLE_ECDH_USE = 0x00080000 - SINGLE_DH_USE = 0x00100000 - {% end %} + @[Deprecated("Removed from LibSSL.")] + MICROSOFT_SESS_ID_BUG = 0x00000000 + + @[Deprecated("Removed from LibSSL.")] + NETSCAPE_CHALLENGE_BUG = 0x00000000 + + @[Deprecated("Removed from LibSSL.")] + NETSCAPE_REUSE_CIPHER_CHANGE_BUG = 0x00000000 + + @[Deprecated("Removed from LibSSL.")] + SSLREF2_REUSE_CERT_TYPE_BUG = 0x00000000 + + @[Deprecated("Removed from LibSSL.")] + MICROSOFT_BIG_SSL_V3_BUFFER = 0x00000000 + + @[Deprecated("Removed from LibSSL.")] + SSLEAY_080_CLIENT_DH_BUG = 0x00000000 + + @[Deprecated("Removed from LibSSL.")] + TLS_D5_BUG = 0x00000000 + + @[Deprecated("Removed from LibSSL.")] + TLS_BLOCK_PADDING_BUG = 0x00000000 + + 
@[Deprecated("Removed from LibSSL.")] + NO_SSL_V2 = 0x00000000 + + @[Deprecated("Removed from LibSSL.")] + SINGLE_ECDH_USE = 0x00000000 + + @[Deprecated("Removed from LibSSL.")] + SINGLE_DH_USE = 0x00000000 end @[Flags] @@ -243,8 +249,10 @@ lib LibSSL fun ssl_get_peer_certificate = SSL_get_peer_certificate(handle : SSL) : LibCrypto::X509 {% end %} - # In LibreSSL these functions are implemented as macros - {% if compare_versions(OPENSSL_VERSION, "1.1.0") >= 0 %} + {% if LIBRESSL_VERSION != "0.0.0" %} + SSL_CTRL_OPTIONS = 32 + SSL_CTRL_CLEAR_OPTIONS = 77 + {% else %} fun ssl_ctx_get_options = SSL_CTX_get_options(ctx : SSLContext) : ULong fun ssl_ctx_set_options = SSL_CTX_set_options(ctx : SSLContext, larg : ULong) : ULong fun ssl_ctx_clear_options = SSL_CTX_clear_options(ctx : SSLContext, larg : ULong) : ULong 
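Review bot: The `@[Deprecated("Removed from LibSSL.")]` text on the zero-valued options does not tell callers what happens when they still pass one, which matters for security-named flags such as `NO_SSL_V2`, `SINGLE_DH_USE` and `SINGLE_ECDH_USE`. A message that states the effect, for example `@[Deprecated("Has no effect: the value is 0 and setting it changes nothing.")]`, lets a reader of the warning see that the flag neither weakens nor strengthens their configuration. The enum body starts above the hunk.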
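Review bot: The reason for the LibreSSL/OpenSSL split is lost in the `ssl_ctx_get_options` hunk, because the removed comment was the only explanation of why LibreSSL gets `SSL_CTRL_OPTIONS` and `SSL_CTRL_CLEAR_OPTIONS` instead of the function bindings. I would keep it above the new conditional, `# In LibreSSL these functions are implemented as macros`. The `{% end %}` closing this conditional lies below the hunk.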
@@ -258,39 +266,28 @@ lib LibSSL fun ssl_ctx_set_cert_verify_callback = SSL_CTX_set_cert_verify_callback(ctx : SSLContext, callback : CertVerifyCallback, arg : Void*) # control TLS 1.3 session ticket generation - # LibreSSL does not seem to implement these functions - {% if compare_versions(OPENSSL_VERSION, "1.1.1") >= 0 %} + {% if OPENSSL_VERSION != "0.0.0" %} fun ssl_ctx_set_num_tickets = SSL_CTX_set_num_tickets(ctx : SSLContext, larg : LibC::SizeT) : Int fun ssl_set_num_tickets = SSL_set_num_tickets(ctx : SSL, larg : LibC::SizeT) : Int {% end %} - {% if compare_versions(LibSSL::OPENSSL_VERSION, "1.1.0") >= 0 || compare_versions(LibSSL::LIBRESSL_VERSION, "2.3.0") >= 0 %} - fun tls_method = TLS_method : SSLMethod - {% else %} - fun ssl_library_init = SSL_library_init - fun ssl_load_error_strings = SSL_load_error_strings - fun sslv23_method = SSLv23_method : SSLMethod - {% end %} + fun tls_method = TLS_method : SSLMethod - {% if compare_versions(OPENSSL_VERSION, "1.0.2") >= 0 || compare_versions(LIBRESSL_VERSION, "2.1.0") >= 0 %} - alias ALPNCallback = (SSL, Char**, Char*, Char*, Int, Void*) -> Int + alias ALPNCallback = (SSL, Char**, Char*, Char*, Int, Void*) -> Int - fun ssl_get0_alpn_selected = SSL_get0_alpn_selected(handle : SSL, data : Char**, len : LibC::UInt*) : Void - fun ssl_ctx_set_alpn_select_cb = SSL_CTX_set_alpn_select_cb(ctx : SSLContext, cb : ALPNCallback, arg : Void*) : Void - fun ssl_ctx_set_alpn_protos = SSL_CTX_set_alpn_protos(ctx : SSLContext, protos : Char*, protos_len : Int) : Int - {% end %} + fun ssl_get0_alpn_selected = SSL_get0_alpn_selected(handle : SSL, data : Char**, len : LibC::UInt*) : Void + fun ssl_ctx_set_alpn_select_cb = SSL_CTX_set_alpn_select_cb(ctx : SSLContext, cb : ALPNCallback, arg : Void*) : Void + fun ssl_ctx_set_alpn_protos = SSL_CTX_set_alpn_protos(ctx : SSLContext, protos : Char*, protos_len : Int) : Int - {% if compare_versions(OPENSSL_VERSION, "1.0.2") >= 0 || compare_versions(LIBRESSL_VERSION, "2.7.0") >= 0 %} - 
alias X509VerifyParam = LibCrypto::X509VerifyParam + alias X509VerifyParam = LibCrypto::X509VerifyParam - fun dtls_method = DTLS_method : SSLMethod + fun dtls_method = DTLS_method : SSLMethod - fun ssl_get0_param = SSL_get0_param(handle : SSL) : X509VerifyParam - fun ssl_ctx_get0_param = SSL_CTX_get0_param(ctx : SSLContext) : X509VerifyParam - fun ssl_ctx_set1_param = SSL_CTX_set1_param(ctx : SSLContext, param : X509VerifyParam) : Int - {% end %} + fun ssl_get0_param = SSL_get0_param(handle : SSL) : X509VerifyParam + fun ssl_ctx_get0_param = SSL_CTX_get0_param(ctx : SSLContext) : X509VerifyParam + fun ssl_ctx_set1_param = SSL_CTX_set1_param(ctx : SSLContext, param : X509VerifyParam) : Int - {% if compare_versions(OPENSSL_VERSION, "1.1.0") >= 0 || compare_versions(LIBRESSL_VERSION, "3.6.0") >= 0 %} + {% if OPENSSL_VERSION != "0.0.0" || compare_versions(LIBRESSL_VERSION, "3.6.0") >= 0 %} fun ssl_ctx_set_security_level = SSL_CTX_set_security_level(ctx : SSLContext, level : Int) : Void fun ssl_ctx_get_security_level = SSL_CTX_get_security_level(ctx : SSLContext) : Int {% end %} @@ -300,10 +297,3 @@ lib LibSSL SSL_R_UNEXPECTED_EOF_WHILE_READING = 294 {% end %} end - -{% if LibSSL.has_method?(:ssl_library_init) %} - LibSSL.ssl_library_init - LibSSL.ssl_load_error_strings - LibCrypto.openssl_add_all_algorithms - LibCrypto.err_load_crypto_strings -{% end %} diff --git a/src/openssl/pkcs5.cr b/src/openssl/pkcs5.cr index d1bca87d2095..98fac7883e19 100644 --- a/src/openssl/pkcs5.cr +++ b/src/openssl/pkcs5.cr 
@@ -11,15 +11,11 @@ module OpenSSL::PKCS5 end def self.pbkdf2_hmac(secret, salt, iterations = 2**16, algorithm : OpenSSL::Algorithm = OpenSSL::Algorithm::SHA1, key_size = 64) : Bytes - {% if LibCrypto.has_method?(:pkcs5_pbkdf2_hmac) %} - evp = algorithm.to_evp - buffer = Bytes.new(key_size) - if LibCrypto.pkcs5_pbkdf2_hmac(secret, secret.bytesize, salt, salt.bytesize, iterations, evp, key_size, buffer) != 1 - raise OpenSSL::Error.new "pkcs5_pbkdf2_hmac" - end - buffer - {% else %} - raise OpenSSL::Error.new "Method 'pkcs5_pbkdf2_hmac' not supported with OpenSSL version #{LibSSL::OPENSSL_VERSION}" - {% end %} + evp = algorithm.to_evp + buffer = Bytes.new(key_size) + if LibCrypto.pkcs5_pbkdf2_hmac(secret, secret.bytesize, salt, salt.bytesize, iterations, evp, key_size, buffer) != 1 + raise OpenSSL::Error.new "pkcs5_pbkdf2_hmac" + end + buffer end end diff --git a/src/openssl/ssl/context.cr b/src/openssl/ssl/context.cr index 6811aff42e44..bed835ed38d8 100644 --- a/src/openssl/ssl/context.cr +++ b/src/openssl/ssl/context.cr @@ -12,11 +12,7 @@ require "log" abstract class OpenSSL::SSL::Context # :nodoc: def self.default_method - {% if LibSSL.has_method?(:tls_method) %} - LibSSL.tls_method - {% else %} - LibSSL.sslv23_method - {% end %} + LibSSL.tls_method end class Client < Context @@ -44,9 +40,7 @@ abstract class OpenSSL::SSL::Context super(method) self.verify_mode = OpenSSL::SSL::VerifyMode::PEER - {% if LibSSL.has_method?(:x509_verify_param_lookup) %} - self.default_verify_param = "ssl_server" - {% end %} + self.default_verify_param = "ssl_server" end # Returns a new TLS client context with only the given method set. 
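Review bot: `iterations` and `key_size` reach `LibCrypto.pkcs5_pbkdf2_hmac` unchecked in the now-unconditional body of `pbkdf2_hmac`, so a zero or negative iteration count is left to whatever the linked library does with it. A guard before the call, `raise ArgumentError.new("iterations must be positive") unless iterations > 0`, would make the failure uniform across OpenSSL and LibreSSL. The method also has no doc comment; it would be worth documenting that the defaults (`SHA1`, `key_size = 64`) request more output than one 20-byte SHA-1 block, which costs the caller extra PBKDF2 passes without raising the cost of testing a password guess.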
@@ -99,11 +93,7 @@ abstract class OpenSSL::SSL::Context end private def alpn_protocol=(protocol : Bytes) - {% if LibSSL.has_method?(:ssl_ctx_set_alpn_protos) %} - LibSSL.ssl_ctx_set_alpn_protos(@handle, protocol, protocol.size) - {% else %} - raise NotImplementedError.new("LibSSL.ssl_ctx_set_alpn_protos") - {% end %} + LibSSL.ssl_ctx_set_alpn_protos(@handle, protocol, protocol.size) end end @@ -126,10 +116,7 @@ abstract class OpenSSL::SSL::Context # ``` def initialize(method : LibSSL::SSLMethod = Context.default_method) super(method) - - {% if LibSSL.has_method?(:x509_verify_param_lookup) %} - self.default_verify_param = "ssl_client" - {% end %} + self.default_verify_param = "ssl_client" end # Returns a new TLS server context with only the given method set. @@ -175,21 +162,17 @@ abstract class OpenSSL::SSL::Context end private def alpn_protocol=(protocol : Bytes) - {% if LibSSL.has_method?(:ssl_ctx_set_alpn_select_cb) %} - alpn_cb = ->(ssl : LibSSL::SSL, o : LibC::Char**, olen : LibC::Char*, i : LibC::Char*, ilen : LibC::Int, data : Void*) { - proto = Box(Bytes).unbox(data) - ret = LibSSL.ssl_select_next_proto(o, olen, proto, proto.size, i, ilen) - if ret != LibSSL::OPENSSL_NPN_NEGOTIATED - LibSSL::SSL_TLSEXT_ERR_NOACK - else - LibSSL::SSL_TLSEXT_ERR_OK - end - } - @alpn_protocol = alpn_protocol = Box.box(protocol) - LibSSL.ssl_ctx_set_alpn_select_cb(@handle, alpn_cb, alpn_protocol) - {% else %} - raise NotImplementedError.new("LibSSL.ssl_ctx_set_alpn_select_cb") - {% end %} + alpn_cb = ->(ssl : LibSSL::SSL, o : LibC::Char**, olen : LibC::Char*, i : LibC::Char*, ilen : LibC::Int, data : Void*) { + proto = Box(Bytes).unbox(data) + ret = LibSSL.ssl_select_next_proto(o, olen, proto, proto.size, i, ilen) + if ret != LibSSL::OPENSSL_NPN_NEGOTIATED + LibSSL::SSL_TLSEXT_ERR_NOACK + else + LibSSL::SSL_TLSEXT_ERR_OK + end + } + @alpn_protocol = alpn_protocol = Box.box(protocol) + LibSSL.ssl_ctx_set_alpn_select_cb(@handle, alpn_cb, alpn_protocol) end end 
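Review bot: The return value of `LibSSL.ssl_ctx_set_alpn_protos` is discarded in the client `alpn_protocol=`, so a rejected protocol list leaves the context without ALPN and the caller is not told. OpenSSL documents `SSL_CTX_set_alpn_protos` as returning 0 on success and non-zero on failure, the reverse of most of the API, so the check would be `ret = LibSSL.ssl_ctx_set_alpn_protos(@handle, protocol, protocol.size)` followed by `raise OpenSSL::Error.new("SSL_CTX_set_alpn_protos") unless ret == 0`.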
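Review bot: The server ALPN callback answers `SSL_TLSEXT_ERR_NOACK` when `ssl_select_next_proto` finds no overlap, so the handshake continues with no protocol negotiated instead of being refused. RFC 7301 has the server send a fatal `no_application_protocol` alert in that case, and accepting the connection anyway weakens ALPN as a cross-protocol defence. If strict behaviour is wanted, the branch would return OpenSSL's `SSL_TLSEXT_ERR_ALERT_FATAL`, which the LibSSL binding may need to define since it is not visible in this diff; at minimum a comment such as `# No common protocol: continue without ALPN (lenient by design)` would record the choice.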
@@ -201,19 +184,11 @@ abstract class OpenSSL::SSL::Context add_options(OpenSSL::SSL::Options.flags( ALL, - NO_SSL_V2, - NO_SSL_V3, NO_TLS_V1, NO_TLS_V1_1, NO_SESSION_RESUMPTION_ON_RENEGOTIATION, - SINGLE_ECDH_USE, - SINGLE_DH_USE + NO_RENEGOTIATION, )) - - {% if compare_versions(LibSSL::OPENSSL_VERSION, "1.1.0") >= 0 %} - add_options(OpenSSL::SSL::Options::NO_RENEGOTIATION) - {% end %} - add_modes(OpenSSL::SSL::Modes.flags(AUTO_RETRY, RELEASE_BUFFERS)) # OpenSSL does not support reading from the system root certificate store on 
@@ -470,26 +445,18 @@ abstract class OpenSSL::SSL::Context # Depending on the OpenSSL version, the available defaults are # `default`, `pkcs7`, `smime_sign`, `ssl_client` and `ssl_server`. def default_verify_param=(name : String) - {% if LibSSL.has_method?(:x509_verify_param_lookup) %} - param = LibCrypto.x509_verify_param_lookup(name) - raise ArgumentError.new("#{name} is an unsupported default verify param") unless param - ret = LibSSL.ssl_ctx_set1_param(@handle, param) - raise OpenSSL::Error.new("SSL_CTX_set1_param") unless ret == 1 - {% else %} - raise NotImplementedError.new("LibSSL.x509_verify_param_lookup") - {% end %} + param = LibCrypto.x509_verify_param_lookup(name) + raise ArgumentError.new("#{name} is an unsupported default verify param") unless param + ret = LibSSL.ssl_ctx_set1_param(@handle, param) + raise OpenSSL::Error.new("SSL_CTX_set1_param") unless ret == 1 end # Sets the given `OpenSSL::SSL::X509VerifyFlags` in this context, additionally to # the already set ones. def add_x509_verify_flags(flags : OpenSSL::SSL::X509VerifyFlags) - {% if LibSSL.has_method?(:x509_verify_param_set_flags) %} - param = LibSSL.ssl_ctx_get0_param(@handle) - ret = LibCrypto.x509_verify_param_set_flags(param, flags) - raise OpenSSL::Error.new("X509_VERIFY_PARAM_set_flags)") unless ret == 1 - {% else %} - raise NotImplementedError.new("LibSSL.x509_verify_param_set_flags") - {% end %} + param = LibSSL.ssl_ctx_get0_param(@handle) + ret = LibCrypto.x509_verify_param_set_flags(param, flags) + raise OpenSSL::Error.new("X509_VERIFY_PARAM_set_flags") unless ret == 1 end def to_unsafe diff --git a/src/openssl/ssl/socket.cr b/src/openssl/ssl/socket.cr index 8bff5a131410..7ae97bc260e5 100644 --- a/src/openssl/ssl/socket.cr +++ b/src/openssl/ssl/socket.cr 
@@ -12,21 +12,17 @@ abstract class OpenSSL::SSL::Socket < IO hostname.to_unsafe.as(Pointer(Void)) ) - {% if LibSSL.has_method?(:ssl_get0_param) %} - param = LibSSL.ssl_get0_param(@ssl) - - if ::Socket::IPAddress.valid?(hostname) - unless LibCrypto.x509_verify_param_set1_ip_asc(param, hostname) == 1 - raise OpenSSL::Error.new("X509_VERIFY_PARAM_set1_ip_asc") - end - else - unless LibCrypto.x509_verify_param_set1_host(param, hostname, 0) == 1 - raise OpenSSL::Error.new("X509_VERIFY_PARAM_set1_host") - end + param = LibSSL.ssl_get0_param(@ssl) + + if ::Socket::IPAddress.valid?(hostname) + unless LibCrypto.x509_verify_param_set1_ip_asc(param, hostname) == 1 + raise OpenSSL::Error.new("X509_VERIFY_PARAM_set1_ip_asc") + end + else + unless LibCrypto.x509_verify_param_set1_host(param, hostname, 0) == 1 + raise OpenSSL::Error.new("X509_VERIFY_PARAM_set1_host") end - {% else %} - context.set_cert_verify_callback(hostname) - {% end %} + end end ret = LibSSL.ssl_connect(@ssl) @@ -158,12 +154,8 @@ abstract class OpenSSL::SSL::Socket < IO # Returns the negotiated ALPN protocol (eg: `"h2"`) of `nil` if no protocol was # negotiated. def alpn_protocol - {% if LibSSL.has_method?(:ssl_get0_alpn_selected) %} - LibSSL.ssl_get0_alpn_selected(@ssl, out protocol, out len) - String.new(protocol, len) unless protocol.null? - {% else %} - raise NotImplementedError.new("LibSSL.ssl_get0_alpn_selected") - {% end %} + LibSSL.ssl_get0_alpn_selected(@ssl, out protocol, out len) + String.new(protocol, len) unless protocol.null? end def unbuffered_close : Nil diff --git a/src/openssl/x509/certificate.cr b/src/openssl/x509/certificate.cr index 593f3fb4dc4b..72c6c2f59a19 100644 --- a/src/openssl/x509/certificate.cr +++ b/src/openssl/x509/certificate.cr 
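Review bot: `x509_verify_param_set1_host(param, hostname, 0)` passes a length of 0, which asks the library to measure the name with `strlen`, so a Crystal `String` containing a NUL byte would be checked only up to that byte. Passing the real length, `LibCrypto.x509_verify_param_set1_host(param, hostname, hostname.bytesize)`, lets the library see the whole value and reject an embedded NUL. The enclosing block starts above the hunk.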
@@ -75,17 +75,13 @@ module OpenSSL::X509 # Returns the name of the signature algorithm. def signature_algorithm : String - {% if LibCrypto.has_method?(:obj_find_sigid_algs) %} - sigid = LibCrypto.x509_get_signature_nid(@cert) - result = LibCrypto.obj_find_sigid_algs(sigid, out algo_nid, nil) - raise "Could not determine certificate signature algorithm" if result == 0 + sigid = LibCrypto.x509_get_signature_nid(@cert) + result = LibCrypto.obj_find_sigid_algs(sigid, out algo_nid, nil) + raise "Could not determine certificate signature algorithm" if result == 0 - sn = LibCrypto.obj_nid2sn(algo_nid) - raise "Unknown algo NID #{algo_nid.inspect}" if sn.null? - String.new sn - {% else %} - raise "Missing OpenSSL function for certificate signature algorithm (requires OpenSSL 1.0.2)" - {% end %} + sn = LibCrypto.obj_nid2sn(algo_nid) + raise "Unknown algo NID #{algo_nid.inspect}" if sn.null? + String.new sn end # Returns the digest of the certificate using *algorithm_name*