diff --git a/srcpkgs/ykpivmgr/patches/libressl.patch b/srcpkgs/ykpivmgr/patches/libressl.patch
index bb9d3cb435..4c48300e93 100644
--- a/srcpkgs/ykpivmgr/patches/libressl.patch
+++ b/srcpkgs/ykpivmgr/patches/libressl.patch
@@ -1,47 +1,54 @@
-diff --git tool/openssl-compat.c tool/openssl-compat.c
-index a51af90..bb37dfc 100644
 --- tool/openssl-compat.c
 +++ tool/openssl-compat.c
-@@ -8,7 +8,7 @@
-  */
+@@ -71,6 +71,10 @@
+         *iqmp = r->iqmp;
+ }
  
- #include "openssl-compat.h"
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
- 
- #include <string.h>
- #include <openssl/engine.h>
-@@ -80,4 +80,4 @@ void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
++#endif /* OPENSSL_VERSION_NUMBER */
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++
+ void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
+                    ASN1_OCTET_STRING **pdigest)
+ {
+@@ -80,4 +84,4 @@
          *pdigest = sig->digest;
  }
  
 -#endif /* OPENSSL_VERSION_NUMBER */
-+#endif /* OPENSSL_VERSION_NUMBER || LIBRESSL_VERSION_NUMBER */
-diff --git tool/openssl-compat.h tool/openssl-compat.h
-index 3700bea..bd1967b 100644
++#endif /* OPENSSL_VERSION_NUMBER || defined(LIBRESSL_VERSION_NUMBER) */
+
 --- tool/openssl-compat.h
 +++ tool/openssl-compat.h
-@@ -13,7 +13,7 @@
- #ifndef _WINDOWS
+@@ -20,7 +20,6 @@
+ #include <openssl/ecdsa.h>
+ #include <openssl/dh.h>
+ #include <openssl/evp.h>
+-#include <openssl/x509.h>
  
- #include <openssl/opensslv.h>
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
- 
- #include <openssl/rsa.h>
- #include <openssl/dsa.h>
-@@ -33,5 +33,5 @@ void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
+ int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
+ void RSA_get0_key(const RSA *r,
+@@ -29,9 +28,15 @@
+ void RSA_get0_crt_params(const RSA *r,
+                          const BIGNUM **dmp1, const BIGNUM **dmq1,
+                          const BIGNUM **iqmp);
++#endif /* OPENSSL_VERSION_NUMBER */
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
++
++#include <openssl/x509.h>
++
+ void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
                     ASN1_OCTET_STRING **pdigest);
  
++#endif /* OPENSSL_VERSION_NUMBER || defined(LIBRESSL_VERSION_NUMBER) */
  #endif /* _WINDOWS */
 -#endif /* OPENSSL_VERSION_NUMBER */
-+#endif /* OPENSSL_VERSION_NUMBER || LIBRESSL_VERSION_NUMBER */
  #endif /* LIBCRYPTO_COMPAT_H */
-diff --git tool/yubico-piv-tool.c tool/yubico-piv-tool.c
-index 89daa79..c8b3b84 100644
+
 --- tool/yubico-piv-tool.c
 +++ tool/yubico-piv-tool.c
-@@ -124,7 +124,7 @@ static bool sign_data(ykpiv_state *state, const unsigned char *in, size_t len, u
+@@ -124,7 +124,7 @@
    return false;
  }
  
@@ -50,7 +57,7 @@ index 89daa79..c8b3b84 100644
  static int ec_key_ex_data_idx = -1;
  
  struct internal_key {
-@@ -688,7 +688,7 @@ static bool request_certificate(ykpiv_state *state, enum enum_key_format key_for
+@@ -688,7 +688,7 @@
      goto request_out;
    }
  
@@ -59,7 +66,16 @@ index 89daa79..c8b3b84 100644
    memcpy(digest, oid, oid_len);
    /* XXX: this should probably use X509_REQ_digest() but that's buggy */
    if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ_INFO), md, req->req_info,
-@@ -751,7 +751,7 @@ request_out:
+@@ -721,7 +721,7 @@
+       fprintf(stderr, "Failed signing request.\n");
+       goto request_out;
+     }
+-    M_ASN1_BIT_STRING_set(req->signature, signature, sig_len);
++    ASN1_BIT_STRING_set(req->signature, signature, sig_len);
+     /* mark that all bits should be used. */
+     req->signature->flags = ASN1_STRING_FLAG_BITS_LEFT;
+   }
+@@ -751,7 +751,7 @@
      EVP_PKEY_free(public_key);
    }
    if(req) {
@@ -68,7 +84,7 @@ index 89daa79..c8b3b84 100644
      if(req->sig_alg->parameter) {
        req->sig_alg->parameter = NULL;
      }
-@@ -884,7 +884,7 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
+@@ -884,7 +884,7 @@
    if(nid == 0) {
      goto selfsign_out;
    }
@@ -77,7 +93,16 @@ index 89daa79..c8b3b84 100644
    if(YKPIV_IS_RSA(algorithm)) {
      signinput = digest;
      len = oid_len + md_len;
-@@ -941,7 +941,7 @@ selfsign_out:
+@@ -912,7 +912,7 @@
+       fprintf(stderr, "Failed signing certificate.\n");
+       goto selfsign_out;
+     }
+-    M_ASN1_BIT_STRING_set(x509->signature, signature, sig_len);
++    ASN1_BIT_STRING_set(x509->signature, signature, sig_len);
+     /* setting flags to ASN1_STRING_FLAG_BITS_LEFT here marks that no bits
+      * should be subtracted from the bit string, thus making sure that the
+      * certificate can be validated. */
+@@ -941,7 +941,7 @@
      fclose(output_file);
    }
    if(x509) {
@@ -86,6 +111,7 @@ index 89daa79..c8b3b84 100644
      if(x509->sig_alg->parameter) {
        x509->sig_alg->parameter = NULL;
        x509->cert_info->signature->parameter = NULL;
+
 diff --git ykcs11/openssl_utils.c ykcs11/openssl_utils.c
 index 68fb29a..5a7f85d 100644
 --- ykcs11/openssl_utils.c
diff --git a/srcpkgs/ykpivmgr/template b/srcpkgs/ykpivmgr/template
index e43d3c767c..7e72bcc15f 100644
--- a/srcpkgs/ykpivmgr/template
+++ b/srcpkgs/ykpivmgr/template
@@ -7,7 +7,7 @@ _libykcs_desc="Yubikey PIV pkcs11 library"
 
 pkgname=ykpivmgr
 version=1.5.0
-revision=4
+revision=5
 wrksrc="${_real_name}-${version}"
 build_style=gnu-configure
 configure_args="--enable-doxygen-man --program-transform-name='s/^yubico-piv-tool$/ykpivmgr/'"