From e64968e41383436c4be809b3c8706270734ca9d8 Mon Sep 17 00:00:00 2001
From: Casey Deccio
Date: Fri, 20 Nov 2020 17:27:25 -0700
Subject: Only use DigestSign() and DigestUpdate() with OpenSSL >= 1.1.1
---
 M2Crypto/EVP.py | 10 ++++++++++
 M2Crypto/X509.py | 3 ++-
 SWIG/_evp.i | 4 ++++
 tests/test_evp.py | 2 ++
 4 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/M2Crypto/EVP.py b/M2Crypto/EVP.py
index 7b1efc6..c48b670 100644
--- a/M2Crypto/EVP.py
+++ b/M2Crypto/EVP.py
@@ -298,6 +298,11 @@ class PKey(object):
 :return: The signature.
 """
+
+ if m2.OPENSSL_VERSION_NUMBER < 0x10101000:
+ raise NotImplemented('This method requires OpenSSL version ' +
+ '1.1.1 or greater.')
+
 return m2.digest_sign(self.ctx, data)
 def digest_verify_init(self):
@@ -341,6 +346,11 @@ class PKey(object):
 :return: Result of verification: 1 for success, 0 for failure, -1 on other error.
 """
+
+ if m2.OPENSSL_VERSION_NUMBER < 0x10101000:
+ raise NotImplemented('This method requires OpenSSL version ' +
+ '1.1.1 or greater.')
+
 return m2.digest_verify(self.ctx, sign, data)
 def assign_rsa(self, rsa, capture=1):
diff --git a/M2Crypto/X509.py b/M2Crypto/X509.py
index 20beb4a..3b62dda 100644
--- a/M2Crypto/X509.py
+++ b/M2Crypto/X509.py
@@ -29,7 +29,8 @@ verify_ignore_critical = m2.VERIFY_IGNORE_CRITICAL
 verify_inhibit_any = m2.VERIFY_INHIBIT_ANY
 verify_inhibit_map = m2.VERIFY_INHIBIT_MAP
 verify_no_alt_chains = m2.VERIFY_NO_ALT_CHAINS
-verify_no_check_time = m2.VERIFY_NO_CHECK_TIME
+if hasattr(m2, "VERIFY_NO_CHECK_TIME"):
+ verify_no_check_time = m2.VERIFY_NO_CHECK_TIME
 verify_notify_policy = m2.VERIFY_NOTIFY_POLICY
 verify_partial_chain = m2.VERIFY_PARTIAL_CHAIN
 verify_policy_check = m2.VERIFY_POLICY_CHECK
diff --git a/SWIG/_evp.i b/SWIG/_evp.i
index 61f0f23..c4a0d8a 100644
--- a/SWIG/_evp.i
+++ b/SWIG/_evp.i
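Review bot: `raise NotImplemented(...)` in the new guard of `digest_sign` does not raise the intended exception, because `NotImplemented` is the comparison sentinel and not an exception class; calling it fails with `TypeError: 'NotImplementedType' object is not callable` and the version message is never shown. Use `raise NotImplementedError('This method requires OpenSSL version 1.1.1 or greater.')`; the identical line in the `digest_verify` hunk needs the same fix. On the verification side this matters more, since a caller that catches `NotImplementedError` in order to fall back to the `digest_verify_init`/`digest_verify_final` path will not catch the `TypeError`. Both method bodies start outside their hunks.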
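Review bot: The now-conditional definition of `verify_no_check_time` carries no comment, so on a build where `m2` lacks `VERIFY_NO_CHECK_TIME` any code referencing `X509.verify_no_check_time` fails with `AttributeError` at use time and nothing in the module says why. A comment above the `if` would cover it, e.g. `# VERIFY_NO_CHECK_TIME is only exported when the linked OpenSSL defines it; the name is left undefined otherwise`. Leaving the name undefined rather than aliasing it to 0 looks like the right choice, because the flag switches off validity-period checking and a silent no-op value would hide that the request was not honoured; the comment should say so.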
@@ -608,6 +608,7 @@ PyObject *digest_sign_final(EVP_MD_CTX *ctx) {
 return ret;
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
 PyObject *digest_sign(EVP_MD_CTX *ctx, PyObject *msg) {
 PyObject *ret;
 const void *msgbuf;
@@ -643,6 +644,7 @@ PyObject *digest_sign(EVP_MD_CTX *ctx, PyObject *msg) {
 return ret;
 }
+#endif
 int digest_verify_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey) {
 return EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey);
@@ -668,6 +670,7 @@ int digest_verify_final(EVP_MD_CTX *ctx, PyObject *blob) {
 return EVP_DigestVerifyFinal(ctx, sigbuf, len);
 }
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
 int digest_verify(EVP_MD_CTX *ctx, PyObject *sig, PyObject *msg) {
 unsigned char *sigbuf;
 unsigned char *msgbuf;
@@ -682,6 +685,7 @@ int digest_verify(EVP_MD_CTX *ctx, PyObject *sig, PyObject *msg) {
 return EVP_DigestVerify(ctx, sigbuf, siglen, msgbuf, msglen);
 }
+#endif
 %}
 %typemap(out) EVP_MD * {
diff --git a/tests/test_evp.py b/tests/test_evp.py
index c98b50c..7ef889e 100644
--- a/tests/test_evp.py
+++ b/tests/test_evp.py
@@ -274,6 +274,8 @@ class EVPTestCase(unittest.TestCase):
 pkey.digest_verify_init()
 self.assertEqual(pkey.digest_verify(sig, b'test message not'), 0)
+ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x90800F or m2.OPENSSL_NO_EC != 0,
+ 'Relies on support for EC')
 def test_digest_verify_final(self):
 pkey = EVP.load_key('tests/ec.priv.pem')
 pkey.reset_context('sha256')
-- 
cgit v1.2.1
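Review bot: The `#endif` lines added after `digest_sign` and `digest_verify` are unlabeled and, going by the hunk offsets, sit roughly 35 and 15 lines below their `#if`, and nothing records why 1.1.1 is the cut-off. Suggest a comment on each opening guard such as `/* one-shot EVP_DigestVerify() requires OpenSSL 1.1.1 */` (and the EVP_DigestSign() equivalent, presumably what `digest_sign` calls) and `#endif /* OPENSSL_VERSION_NUMBER >= 0x10101000L */` on each close, across all four hunks of this file. The same constant is repeated in the Python guards in `M2Crypto/EVP.py`, so the comment should name that file to keep the two checks in step. The function bodies lie between the hunks and are not visible here.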
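Review bot: The one-shot test whose tail is visible just above the new decorator (`pkey.digest_verify(sig, b'test message not')`) gets no version skip in this hunk, so on OpenSSL older than 1.1.1 it would error out on the new guard in `EVP.py` instead of being skipped. If its decorators, which are outside the hunk, do not already cover this, add `@unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x10101000, 'Relies on one-shot DigestSign/DigestVerify (OpenSSL 1.1.1)')` to it and to any test that calls `digest_sign`. The decorator added here only covers EC support for `test_digest_verify_final`.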