From 14d0149cdbe2753cd13e73a3fd2dd0715080484d Mon Sep 17 00:00:00 2001
From: Reyk Floeter
Date: Fri, 29 Nov 2019 17:22:07 +0000
Subject: [PATCH] CMS is back! Use it in LibreSSL > 3.0.2 or with USE_LIBRESSL_CMS=1
---
 Makefile | 5 ++++-
 agent/azure.c | 7 ++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 0f27d6e..893159f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,10 +1,13 @@
 #
 # The Azure agents needs CMS to obtain the SSH public keys.
 # LibreSSL has removed CMS, so either use OpenSSL to decrypt CMS
-# messages or compile the old CMS code for LibreSSL.
+# messages or compile the old CMS code for LibreSSL. Or use
+# CMS that has returned to newer versions of LibreSSL.
 #
 .ifdef USE_OPENSSL
 MAKE_FLAGS+= USE_OPENSSL=1
+.elifdef USE_LIBRESSL_CMS
+MAKE_FLAGS+= USE_LIBRESSL_CMS=1
 .else
 SUBDIR= cms
 .endif
diff --git a/agent/azure.c b/agent/azure.c
index 1dd5f9f..9b451aa 100644
--- a/agent/azure.c
+++ b/agent/azure.c
@@ -26,6 +26,8 @@
 #include
 #include
+#include
+
 #include "main.h"
 #include "http.h"
 #include "xml.h"
@@ -441,13 +443,16 @@ azure_certificates(struct system_config *sc)
 fd = disable_output(sc, STDERR_FILENO);
-#ifdef USE_OPENSSL
+#if defined(USE_OPENSSL)
 /*
 * XXX Now comes the part that needs CMS which is only
 * XXX present in OpenSSL but got removed from LibreSSL.
 */
 log_debug("%s: running openssl cms", __func__);
 if (shell("/usr/local/bin/eopenssl", "cms", /* )) */
+#elif defined(USE_LIBRESSL_CMS) || LIBRESSL_VERSION_NUMBER > 0x3000200fL
+ /* And CMS returned to LibreSSL! */
+ if (shell("/usr/bin/openssl", "cms", /* )) */
 #else
 if (shell("/usr/local/bin/cms",
 #endif
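Review bot: The Makefile hunk and the `#elif` in agent/azure.c disagree on when the LibreSSL CMS path is chosen. Here `SUBDIR= cms` is skipped only when USE_LIBRESSL_CMS is set explicitly, while azure_certificates() also switches to `/usr/bin/openssl cms` whenever `LIBRESSL_VERSION_NUMBER > 0x3000200fL`. On a newer LibreSSL built without the flag, the bundled old CMS code would apparently still be compiled even though the agent no longer calls it. The comment block should state this, for example `# LibreSSL > 3.0.2 is detected in agent/azure.c; set USE_LIBRESSL_CMS=1 to also skip building cms/.`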
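Review bot: The new `#elif` branch in azure_certificates() runs `/usr/bin/openssl cms` without the `log_debug` call that the USE_OPENSSL branch has. Stderr is switched off by `disable_output(sc, STDERR_FILENO)` just above, so a failed decryption of the certificate bundle leaves no record of which tool was invoked; add `log_debug("%s: running /usr/bin/openssl cms", __func__);` before the `shell()` call. The version test is also evaluated against the headers at build time while the binary is resolved at run time, so a one-line comment saying the base-system `openssl` is assumed to match those headers would help. The `shell(` argument list and the rest of the function lie outside the hunk.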