CMS is back! Use it in LibreSSL > 3.0.2 or with USE_LIBRESSL_CMS=1

Makefile

@@ -1,10 +1,13 @@
 #
 # The Azure agents needs CMS to obtain the SSH public keys.
 # LibreSSL has removed CMS, so either use OpenSSL to decrypt CMS
-# messages or compile the old CMS code for LibreSSL.
+# messages or compile the old CMS code for LibreSSL.  Or use
+# CMS that has returned to newer versions of LibreSSL.
 #
 .ifdef USE_OPENSSL
 MAKE_FLAGS+=	USE_OPENSSL=1
+.elifdef USE_LIBRESSL_CMS
+MAKE_FLAGS+=	USE_LIBRESSL_CMS=1
 .else
 SUBDIR=		cms
 .endif

agent/azure.c

@@ -26,6 +26,8 @@
 #include <pwd.h>
 #include <err.h>
 
+#include <openssl/opensslv.h>
+
 #include "main.h"
 #include "http.h"
 #include "xml.h"
@@ -441,13 +443,16 @@ azure_certificates(struct system_config *sc)
 
 	fd = disable_output(sc, STDERR_FILENO);
 
-#ifdef USE_OPENSSL
+#if defined(USE_OPENSSL)
 	/*
 	 * XXX Now comes the part that needs CMS which is only
 	 * XXX present in OpenSSL but got removed from LibreSSL.
 	 */
 	log_debug("%s: running openssl cms", __func__);
 	if (shell("/usr/local/bin/eopenssl", "cms", /* )) */
+#elif defined(USE_LIBRESSL_CMS) || LIBRESSL_VERSION_NUMBER > 0x3000200fL
+	/* And CMS returned to LibreSSL! */
+	if (shell("/usr/bin/openssl", "cms", /* )) */
 #else
 	if (shell("/usr/local/bin/cms",
 #endif