From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
Date: Thu, 4 Jun 2026 13:35:47 +0000 (+0200)
Subject: resolve: only write one ELF note for libcrypto
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=7b2c00434572f6633d2bc3ee5e930d5999eb517b;p=thirdparty%2Fsystemd.git

resolve: only write one ELF note for libcrypto

systemd-resolved has 2 contradictory ELF notes for libcrypto:

```
$ systemd-analyze dlopen-metadata /usr/lib/systemd/systemd-resolved
FEATURE   DESCRIPTION                                SONAME         PRIORITY
libcrypto Support for cryptographic operations       libcrypto.so.3 recommended
idn       Support for internationalized domain names libidn2.so.0   recommended
libcrypto Support for cryptographic operations       libcrypto.so.3 required
libssl    Support for TLS                            libssl.so.3    required
```

In order to have a single note, condition its priority based on whether
DNS-over-TLS is enabled.
---

diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 9112369a74c..6f14077d9b1 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -12,6 +12,7 @@
 #include "memory-util.h"
 #include "memstream-util.h"
 #include "resolved-dns-dnssec.h"
+#include "resolved-util.h"
 #include "sort-util.h"
 #include "string-table.h"
 #include "string-util.h"
@@ -709,7 +710,7 @@ int dnssec_verify_rrset(
         assert(dnskey);
         assert(result);
 
-        r = DLOPEN_LIBCRYPTO(LOG_DEBUG, SD_ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED);
+        r = DLOPEN_LIBCRYPTO(LOG_DEBUG, DLOPEN_LIBCRYPTO_PRIORITY);
         if (r < 0)
                 return r;
 
@@ -1066,7 +1067,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
         assert(dnskey);
         assert(ds);
 
-        r = DLOPEN_LIBCRYPTO(LOG_DEBUG, SD_ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED);
+        r = DLOPEN_LIBCRYPTO(LOG_DEBUG, DLOPEN_LIBCRYPTO_PRIORITY);
         if (r < 0)
                 return r;
 
@@ -1206,7 +1207,7 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
         assert(name);
         assert(ret);
 
-        r = DLOPEN_LIBCRYPTO(LOG_DEBUG, SD_ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED);
+        r = DLOPEN_LIBCRYPTO(LOG_DEBUG, DLOPEN_LIBCRYPTO_PRIORITY);
         if (r < 0)
                 return r;
 
diff --git a/src/resolve/resolved-util.h b/src/resolve/resolved-util.h
index 446b7c9f1b6..9e84b44145f 100644
--- a/src/resolve/resolved-util.h
+++ b/src/resolve/resolved-util.h
@@ -1,4 +1,12 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #pragma once
 
+#include "sd-dlopen.h"
+
+#if ENABLE_DNS_OVER_TLS
+#  define DLOPEN_LIBCRYPTO_PRIORITY SD_ELF_NOTE_DLOPEN_PRIORITY_REQUIRED
+#else
+#  define DLOPEN_LIBCRYPTO_PRIORITY SD_ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED
+#endif
+
 int resolve_system_hostname(char **full_hostname, char **first_label);