From ccdd42351f79cbb9c2e034a96280a1ded40a2f95 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Fri, 19 Jun 2026 12:00:37 +0100
Subject: [PATCH] crypto-util: support OpenSSL 4

OpenSSL 4 broke ABI, so we need to look for both SONAMEs.
Try libcrypto.so.3 first, and fallback to libcrypto.so.4,
so that the older and more stable version is used if both
are installed, giving distros time to fix regressions.
---
 src/shared/crypto-util.c | 16 ++++++++++++++--
 src/shared/crypto-util.h |  2 +-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/shared/crypto-util.c b/src/shared/crypto-util.c
index 5359078f6cf..ed6d2a269c7 100644
--- a/src/shared/crypto-util.c
+++ b/src/shared/crypto-util.c
@@ -335,12 +335,15 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL_RENAME(UI_METHOD*, sym_UI_destroy_method, UI_de
 int dlopen_libcrypto(int log_level) {
 #if HAVE_OPENSSL
         static void *libcrypto_dl = NULL;
+        int r;
 
         LIBCRYPTO_NOTE(SD_ELF_NOTE_DLOPEN_PRIORITY_SUGGESTED);
 
-        return dlopen_many_sym_or_warn(
+        // FIXME: switch order to prefer libcrypto.so.4 in a future version once it has stabilized
+        FOREACH_STRING(soname, "libcrypto.so.3", "libcrypto.so.4") {
+                r = dlopen_many_sym_or_warn(
                         &libcrypto_dl,
-                        "libcrypto.so.3",
+                        soname,
                         log_level,
                         DLSYM_ARG(ASN1_ANY_it),
                         DLSYM_ARG(ASN1_BIT_STRING_it),
@@ -617,6 +620,15 @@ int dlopen_libcrypto(int log_level) {
                         DLSYM_ARG(X509_VERIFY_PARAM_set_hostflags),
                         DLSYM_ARG(X509_VERIFY_PARAM_set1_host),
                         DLSYM_ARG(X509_VERIFY_PARAM_set1_ip));
+                if (r >= 0)
+                        break;
+        }
+        if (r < 0) {
+                log_full_errno(log_level, r, "Neither libcrypto.so.4 nor libcrypto.so.3 could be loaded");
+                return -EOPNOTSUPP; /* turn into recognizable error */
+        }
+
+        return r;
 #else
         return log_full_errno(log_level, SYNTHETIC_ERRNO(EOPNOTSUPP),
                               "libcrypto support is not compiled in.");
diff --git a/src/shared/crypto-util.h b/src/shared/crypto-util.h
index f3494bc6836..980c1c60a2a 100644
--- a/src/shared/crypto-util.h
+++ b/src/shared/crypto-util.h
@@ -37,7 +37,7 @@ int dlopen_libcrypto(int log_level);
         SD_ELF_NOTE_DLOPEN("libcrypto",                                 \
                            "Support for cryptographic operations",      \
                            priority,                                    \
-                           "libcrypto.so.3")
+                           "libcrypto.so.3", "libcrypto.so.4")
 
 #define DLOPEN_LIBCRYPTO(log_level, priority)                           \
         ({                                                              \
-- 
2.47.3