From a5dfbc94f6e206a4b5a9d6dace8db0edf7e2ca72 Mon Sep 17 00:00:00 2001
From: Toddr Bot <toddbot@rinaldo.us>
Date: Thu, 23 Apr 2026 21:43:12 +0000
Subject: [PATCH 1/2] Skip OpenSSL 3.x-specific tests on LibreSSL

LibreSSL reports version >= 3.0 via openssl_version() but uses the
pre-3.x code path (OPENSSL_VERSION_NUMBER < 0x30000000L). This caused
two test failures on OpenBSD:

- t/padding.t: use_sslv23_padding is a valid XS function on LibreSSL
  (RSA_SSLV23_PADDING still exists) so it does not croak
- t/pkcs1_sign.t: RSA_verify on pre-3.x/LibreSSL ignores the padding
  mode setting, so cross-padding verification succeeds

Detect LibreSSL via the third return value of openssl_version() which
is undef for LibreSSL (no letter suffix) and defined for OpenSSL.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 t/padding.t    | 8 +++++---
 t/pkcs1_sign.t | 7 +++++--
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/t/padding.t b/t/padding.t
index 3106d1b..0c56502 100644
--- a/t/padding.t
+++ b/t/padding.t
@@ -82,10 +82,12 @@ is( $rsa_priv->decrypt( $rsa_priv->encrypt($plaintext) ), $plaintext, "private k
 my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($public_key_string);
 
 $plaintext .= $plaintext x 5;
-# sslv23 is unsupported on OpenSSL 3.x
+# sslv23 is unsupported on OpenSSL 3.x but LibreSSL still supports it
+# openssl_version() returns undef for the third element on LibreSSL
+my $is_libressl = !defined $patch;
 SKIP: {
-    skip "OpenSSL version less than 3.0 supports sslv23", 2
-        if $major lt '3.0';
+    skip "sslv23 is available on OpenSSL < 3.0 and LibreSSL", 2
+        if $major lt '3.0' || $is_libressl;
     eval {
         $rsa->use_sslv23_padding;
     };
diff --git a/t/pkcs1_sign.t b/t/pkcs1_sign.t
index 4032a62..770b9fd 100644
--- a/t/pkcs1_sign.t
+++ b/t/pkcs1_sign.t
@@ -62,9 +62,12 @@ SKIP: {
 }
 
 # --- Cross-padding: sign with PKCS1, verify with PSS must fail ---
+# On pre-3.x and LibreSSL, RSA_verify ignores the padding mode setting
+# openssl_version() returns undef for the third element on LibreSSL
+my $is_libressl = !defined $patch;
 SKIP: {
-    skip "sign uses pkcs1_padding only on OpenSSL < 3.x", 1
-        if $major < 3;
+    skip "cross-padding test requires OpenSSL 3.x (not LibreSSL)", 1
+        if $major < 3 || $is_libressl;
     $rsa->use_pkcs1_padding();
     $rsa->use_sha256_hash();
     my $sig = $rsa->sign("cross-padding test");

From a3788e26e1ca5de10f208b26dff48a93eac2482f Mon Sep 17 00:00:00 2001
From: Toddr Bot <toddbot@rinaldo.us>
Date: Thu, 23 Apr 2026 22:16:49 +0000
Subject: [PATCH 2/2] Detect LibreSSL via version string instead of undefined
 patch level

Changes look good. Here's the summary:

- Replaced `!defined $patch` LibreSSL detection with explicit `openssl version` output check for "LibreSSL" string, per @timlegge's review that the lack of a patch level is not reliably indicative of LibreSSL
- Used `find_openssl_exec(find_openssl_prefix())` from `Crypt::OpenSSL::Guess` to locate the correct OpenSSL binary (same approach the module uses internally)
- Moved `$is_libressl` detection to the top of each file alongside other version detection, removed inline declarations and stale comments
- Applied to both `t/padding.t` and `t/pkcs1_sign.t`
---
 t/padding.t    | 5 ++---
 t/pkcs1_sign.t | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/t/padding.t b/t/padding.t
index 0c56502..a4b0f99 100644
--- a/t/padding.t
+++ b/t/padding.t
@@ -3,9 +3,10 @@ use Test::More;
 
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
-use Crypt::OpenSSL::Guess qw(openssl_version);
+use Crypt::OpenSSL::Guess qw(openssl_version find_openssl_prefix find_openssl_exec);
 
 my ($major, $minor, $patch) = openssl_version;
+my $is_libressl = (`"@{[find_openssl_exec(find_openssl_prefix())]}" version` =~ /LibreSSL/);
 
 BEGIN {
     plan tests => 124 + ( UNIVERSAL::can( "Crypt::OpenSSL::RSA", "use_sha512_hash" ) ? 4 * 5 : 0 );
@@ -83,8 +84,6 @@ my $rsa_pub = Crypt::OpenSSL::RSA->new_public_key($public_key_string);
 
 $plaintext .= $plaintext x 5;
 # sslv23 is unsupported on OpenSSL 3.x but LibreSSL still supports it
-# openssl_version() returns undef for the third element on LibreSSL
-my $is_libressl = !defined $patch;
 SKIP: {
     skip "sslv23 is available on OpenSSL < 3.0 and LibreSSL", 2
         if $major lt '3.0' || $is_libressl;
diff --git a/t/pkcs1_sign.t b/t/pkcs1_sign.t
index 770b9fd..584d255 100644
--- a/t/pkcs1_sign.t
+++ b/t/pkcs1_sign.t
@@ -4,9 +4,10 @@ use Test::More;
 use Crypt::OpenSSL::Random;
 use Crypt::OpenSSL::RSA;
 
-use Crypt::OpenSSL::Guess qw(openssl_version);
+use Crypt::OpenSSL::Guess qw(openssl_version find_openssl_prefix find_openssl_exec);
 
 my ($major, $minor, $patch) = openssl_version();
+my $is_libressl = (`"@{[find_openssl_exec(find_openssl_prefix())]}" version` =~ /LibreSSL/);
 
 # Regression tests for PKCS#1 v1.5 signing (RSASSA-PKCS1-v1_5).
 # Issue #146: PKCS#1 v1.5 was disabled entirely in v0.35 to mitigate
@@ -63,8 +64,6 @@ SKIP: {
 
 # --- Cross-padding: sign with PKCS1, verify with PSS must fail ---
 # On pre-3.x and LibreSSL, RSA_verify ignores the padding mode setting
-# openssl_version() returns undef for the third element on LibreSSL
-my $is_libressl = !defined $patch;
 SKIP: {
     skip "cross-padding test requires OpenSSL 3.x (not LibreSSL)", 1
         if $major < 3 || $is_libressl;