Update location of default openssl.cnf

padelsbach · padelsbach · commit a29736f007c7 · 2025-10-09T19:50:16.000-07:00
diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
@@ -45,6 +45,7 @@ jobs:
       WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
       OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
       WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
+      WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf
     steps:
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
@@ -83,17 +84,16 @@ jobs:
 
       - name: Test OpenSSL provider functionality
         run: |
-          PROVIDER_CONF="/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf"
-          PROVIDER_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
+          WOLFPROV_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
 
           # Temporarily move wolfprovider config so we can toggle between providers
           echo "Temporarily disabling wolfprovider for default provider tests:"
           mkdir -p /tmp/openssl-test
-          if [ -f $PROVIDER_CONF ]; then
-            mv $PROVIDER_CONF $PROVIDER_CONF_BACKUP
-            echo "   - Moved $PROVIDER_CONF to $PROVIDER_CONF_BACKUP"
+          if [ -f $WOLFPROV_CONF_FILE ]; then
+            mv $WOLFPROV_CONF_FILE $WOLFPROV_CONF_BACKUP
+            echo "   - Moved $WOLFPROV_CONF_FILE to $WOLFPROV_CONF_BACKUP"
           else
-            echo "$PROVIDER_CONF not found!"
+            echo "$WOLFPROV_CONF_FILE not found!"
             exit 1
           fi
 
@@ -103,16 +103,36 @@ jobs:
 
           # Restore wolfprovider configuration
           echo "Restoring wolfprovider configuration:"
-          if [ -f $PROVIDER_CONF_BACKUP ]; then
-            mv $PROVIDER_CONF_BACKUP $PROVIDER_CONF
-            echo "   - Restored $PROVIDER_CONF from $PROVIDER_CONF_BACKUP"
+          if [ -f $WOLFPROV_CONF_BACKUP ]; then
+            mv $WOLFPROV_CONF_BACKUP $WOLFPROV_CONF_FILE
+            echo "   - Restored $WOLFPROV_CONF_FILE from $WOLFPROV_CONF_BACKUP"
           fi
 
           echo "PASS: All provider interoperability tests successful"
 
       - name: Uninstall package and verify cleanup
         run: |
           # Uninstall the package
+          apt-get remove -y libwolfprov
+
+          # Verify default OpenSSL provider is active
+          echo "Verifying Default Provider is Active:"
+          openssl list -providers
+
+          # Verify that the default provider is present and active
+          echo "Checking default provider status:"
+          if openssl list -providers | grep -q "default" && \
+            openssl list -providers | grep -q "OpenSSL Default Provider" && \
+            openssl list -providers | grep -q "status: active"; then
+            echo "Default provider is present and active"
+          else
+            echo "Default provider verification failed"
+            echo "Provider output:"
+            openssl list -providers
+            exit 1
+          fi
+
+          # Purge the package to remove all files
           apt-get remove --purge -y libwolfprov
 
           # Verify the package is removed
@@ -125,27 +145,24 @@ jobs:
           fi
 
           # Check if the config file is removed
-          if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then
+          if [ -f $WOLFPROV_CONF_FILE ]; then
             echo "wolfprovider.conf still exists after package removal"
-            ls -la /usr/lib/ssl/openssl.cnf.d/
+            ls -la $(dirname $WOLFPROV_CONF_FILE)
             exit 1
           else
             echo "wolfprovider.conf successfully removed"
           fi
 
           # Check if the library files are removed
-          if [ -f /usr/lib/*/ossl-modules/libwolfprov.so ]; then
+          WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*")
+          if [ -n "$WOLFPROV_OBJS" ]; then
             echo "libwolfprov.so still exists after package removal"
-            find /usr/lib -name "libwolfprov.so*" 2>/dev/null || true
+            echo "$WOLFPROV_OBJS"
             exit 1
           else
             echo "libwolfprov.so successfully removed"
           fi
 
-          # Verify default OpenSSL provider is active
-          echo "Verifying Default Provider is Active:"
-          openssl list -providers
-
           # Verify that the default provider is present and active
           echo "Checking default provider status:"
           if openssl list -providers | grep -q "default" && \
@@ -181,6 +198,7 @@ jobs:
       WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
       OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
       WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
+      WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf
     steps:
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
@@ -251,17 +269,18 @@ jobs:
           echo "Verifying wolfprov configuration..."
           
           # Check if configuration file exists
-          if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then
+          if [ -f $WOLFPROV_CONF_FILE ]; then
             echo "SUCCESS: wolfprovider.conf exists"
-            cat /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf
+            cat $WOLFPROV_CONF_FILE
           else
             echo "WARNING: wolfprovider.conf not found"
           fi
           
           # Check if library file exists
-          if [ -f /usr/lib/*/ossl-modules/libwolfprov.so ]; then
+          WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*")
+          if [ -n "$WOLFPROV_OBJS" ]; then
             echo "SUCCESS: libwolfprov.so exists"
-            find /usr/lib -name "libwolfprov.so*" 2>/dev/null
+            echo "$WOLFPROV_OBJS"
           else
             echo "WARNING: libwolfprov.so not found"
           fi
diff --git a/.gitignore b/.gitignore
@@ -84,6 +84,8 @@ test/**/*.trs
 test/**/*.o
 test/**/.deps/
 test/**/.dirstamp
+req_outputs
+scripts/cmd_test/req-test.log
 
 IDE/Android/android-ndk-r26b/
 IDE/Android/openssl-source/
@@ -118,4 +120,5 @@ debian/libssl3*
 !debian/*.docs
 !debian/*.links
 !debian/*.triggers
+!debian/shlib.local
 
diff --git a/debian/libwolfprov.install b/debian/libwolfprov.install
@@ -1,3 +1,3 @@
 usr/lib/*/ossl-modules/libwolfprov.so.0.0.0
-usr/lib/ssl/openssl.cnf.d
-usr/lib/ssl/openssl.cnf.d/wolfprovider.conf
+etc/ssl/openssl.cnf.d
+etc/ssl/openssl.cnf.d/wolfprovider.conf
diff --git a/debian/libwolfprov.postinst b/debian/libwolfprov.postinst
@@ -2,7 +2,7 @@
 set -e
 
 # Define the include line to add to the openssl.cnf file
-INCLUDE_LINE=".include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf"
+INCLUDE_LINE=".include /etc/ssl/openssl.cnf.d/wolfprovider.conf"
 
 # Search for the openssl.cnf file in /usr, /lib and /etc
 CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null)
diff --git a/debian/libwolfprov.postrm b/debian/libwolfprov.postrm
@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+# On removal/purge of libwolfprov, ensure any include of wolfprovider.conf
+# is removed from system openssl.cnf files to avoid stale includes.
+
+# Search for the openssl.cnf file in /usr, /lib and /etc
+CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null)
+
+case "$1" in
+remove|purge)
+    for CONF_FILE in $CONF_FILES; do
+        # Remove any line containing both ".include" and "wolfprovider.conf"
+        sed -i '/\.include/ { /wolfprovider\.conf/ d; }' "$CONF_FILE"
+        printf "Removed wolfprovider include line(s) from %s\n" "$CONF_FILE"
+    done
+    ;;
+esac
+
+#DEBHELPER#
+exit 0
+
+
diff --git a/debian/libwolfprov.triggers b/debian/libwolfprov.triggers
@@ -3,6 +3,4 @@ interest-noawait /etc/ssl/openssl.cnf
 interest-noawait /etc/ssl/openssl.cnf.d
 interest-noawait /lib/ssl/openssl.cnf
 interest-noawait /lib/ssl/openssl.cnf.d
-interest-noawait /usr/lib/ssl/openssl.cnf
-interest-noawait /usr/lib/ssl/openssl.cnf.d
 
diff --git a/debian/openssl.install b/debian/openssl.install
@@ -1,2 +1,2 @@
 usr/bin/openssl
-usr/share/openssl-defaults/openssl.cnf
+etc/ssl/openssl.cnf
diff --git a/debian/openssl.links b/debian/openssl.links
@@ -0,0 +1,6 @@
+# openssl expects the conf file under /usr/lib/ssl, so ensure the symlink
+# is set to match the normal install
+/etc/ssl/openssl.cnf /usr/lib/ssl/openssl.cnf
+# Other symlinks expected by Debian
+/etc/ssl/certs       /usr/lib/ssl/certs
+/etc/ssl/private     /usr/lib/ssl/private
diff --git a/debian/openssl.postinst b/debian/openssl.postinst
diff --git a/debian/openssl.postrm b/debian/openssl.postrm
diff --git a/debian/rules b/debian/rules
@@ -80,15 +80,14 @@ override_dh_auto_install:
 		$(DESTDIR)/usr/include/wolfprovider/
 
 	# Install provider config file
-	install -d $(DESTDIR)/usr/lib/ssl/openssl.cnf.d
+	install -d $(DESTDIR)/etc/ssl/openssl.cnf.d
 	install -m644 ./$(PROVIDER_CONF) \
-		$(DESTDIR)/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf
+		$(DESTDIR)/etc/ssl/openssl.cnf.d/wolfprovider.conf
 
-	# Install default openssl.cnf template (do NOT ship it directly in /usr/lib/ssl)
-	# The postinstall script will handle copying it to the system location
-	install -d $(DESTDIR)/usr/share/openssl-defaults
+	# Install openssl.cnf directly into /etc/ssl
+	install -d $(DESTDIR)/etc/ssl
 	install -m 0644 ./openssl-source/apps/openssl.cnf \
-		$(DESTDIR)/usr/share/openssl-defaults/openssl.cnf
+		$(DESTDIR)/etc/ssl/openssl.cnf
 
 	# Install pkg-config files for libssl-dev
 	install -d $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig
diff --git a/debian/shlibs.local b/debian/shlibs.local
@@ -0,0 +1,3 @@
+# For the case where wolfssl is not installed on the system, 
+# we must specify that libwolfssl.so.44 comes from the libwolfssl package.
+libwolfssl 44 libwolfssl (>= 5.8.2)

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`usr/bin/openssl`
`2`		`-usr/share/openssl-defaults/openssl.cnf`
	`2`	`+etc/ssl/openssl.cnf`