From e003b7669d445fe2a2addd1b36b56f67695a6bc7 Mon Sep 17 00:00:00 2001
From: Stanislav Levin
Date: May 29 2019 15:14:01 +0000
Subject: Fix `build_requestinfo` in LibreSSL environments

`build_requestinfo` was broken in @ac6568dcf. In this case LibreSSL behavior is the same as OpenSSL < 1.1.x. Thus, an additional check for SSL implementation was added.

Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin
Reviewed-By: Christian Heimes
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Christian Heimes
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipaclient/csrgen_ffi.py b/ipaclient/csrgen_ffi.py
index 64906f9..e53f66b 100644
--- a/ipaclient/csrgen_ffi.py
+++ b/ipaclient/csrgen_ffi.py
@@ -6,13 +6,32 @@ from ipalib import errors
 _ffi = FFI()
 _ffi.cdef('''
+/* libcrypto/crypto.h */
 unsigned long OpenSSL_version_num(void);
 unsigned long SSLeay(void);
+const char * OpenSSL_version(int t);
+const char * SSLeay_version(int t);
+
+#define OPENSSL_VERSION 0
 ''')
 _libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto'))
+# SSLeay_version has been renamed with OpenSSL_version in OpenSSL 1.1.0
+# LibreSSL has OpenSSL_version since 2.7.0
+try:
+    OpenSSL_version = _libcrypto.OpenSSL_version
+except AttributeError:
+    OpenSSL_version = _libcrypto.SSLeay_version
+
+_version = OpenSSL_version(_libcrypto.OPENSSL_VERSION)
+_version = _ffi.string(_version).decode('utf-8')
+LIBRESSL = _version.startswith('LibreSSL')
+if not _version.startswith("OpenSSL") and not LIBRESSL:
+    raise ImportError("Only LibreSSL and OpenSSL are supported")
+
 # SSLeay has been renamed with OpenSSL_version_num in OpenSSL 1.1.0
+# LibreSSL has OpenSSL_version_num since 2.7.0
 try:
     OpenSSL_version_num = _libcrypto.OpenSSL_version_num
 except AttributeError:
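Review bot: `LIBRESSL` is defined without a comment saying why a name-based flag is needed in addition to `_openssl_version`, yet the later hunks use it to choose which C layout is declared for `X509_req_st` and whether `req.req_info` is treated as a pointer, and cffi reads through whatever layout was declared rather than raising on a mismatch. The hunks below imply LibreSSL's numeric version compares as `>= 0x10100000` while its API and struct layout follow OpenSSL < 1.1.0, so a comment such as `# LibreSSL's version number does not track the OpenSSL 1.1.0 API/struct changes; this flag, not _openssl_version, must gate the X509_req_st layout and req_info handling` would record that for the next reader. Reusing `_version` first for the `char *` and then for the decoded `str` is a small readability cost; `_version_str = _ffi.string(_version).decode('utf-8')` keeps the two apart.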
@@ -98,7 +117,7 @@ typedef struct X509_req_info_st {
 ''')
 # since OpenSSL 1.1.0 req_info field is no longer pointer to X509_REQ_INFO
-if _openssl_version >= 0x10100000:
+if _openssl_version >= 0x10100000 and not LIBRESSL:
     _ffi.cdef('''
 typedef struct X509_req_st {
     X509_REQ_INFO req_info;
@@ -334,7 +353,7 @@ def build_requestinfo(config, public_key_info):
             reqdata, ext_ctx, extn_section, req):
         _raise_openssl_errors()
-    if _openssl_version < 0x10100000:
+    if _openssl_version < 0x10100000 or LIBRESSL:
         der_len = i2d_X509_REQ_INFO(req.req_info, NULL)
     else:
         req_info = _ffi.new("X509_REQ_INFO *", req.req_info)
@@ -345,7 +364,7 @@ def build_requestinfo(config, public_key_info):
     der_buf = _ffi.new("unsigned char[%d]" % der_len)
     der_out = _ffi.new("unsigned char **", der_buf)
-    if _openssl_version < 0x10100000:
+    if _openssl_version < 0x10100000 or LIBRESSL:
         der_len = i2d_X509_REQ_INFO(req.req_info, der_out)
     else:
         der_len = i2d_X509_REQ_INFO(req_info, der_out)
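Review bot: The layout predicate is now spelled out three times — negated in this hunk's cdef guard (`_openssl_version >= 0x10100000 and not LIBRESSL`) and in positive form in the two `i2d_X509_REQ_INFO` branches of the @@ -334 and @@ -345 hunks — and all three must stay in agreement with the declared `X509_req_st` struct, because a disagreement makes the `req.req_info` access a memory-safety error rather than a Python exception. Computing it once where `_openssl_version` and `LIBRESSL` are both set, e.g. `_REQ_INFO_IS_POINTER = _openssl_version < 0x10100000 or LIBRESSL`, then `if not _REQ_INFO_IS_POINTER:` here and `if _REQ_INFO_IS_POINTER:` in the two later hunks, ties the cdef selection and its users to a single definition. `build_requestinfo` starts before the @@ -334 hunk and continues past the end of the @@ -345 hunk.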