Update location of default openssl.cnf

padelsbach · padelsbach · commit b1cb5e167fdf · 2025-10-09T11:57:14.000-07:00
diff --git a/.github/workflows/debian-package.yml b/.github/workflows/debian-package.yml
@@ -45,6 +45,7 @@ jobs:
       WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
       OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
       WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
+      WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf
     steps:
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
@@ -83,17 +84,16 @@ jobs:
 
       - name: Test OpenSSL provider functionality
         run: |
-          PROVIDER_CONF="/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf"
-          PROVIDER_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
+          WOLFPROV_CONF_BACKUP="/tmp/wolfprovider.conf.backup"
 
           # Temporarily move wolfprovider config so we can toggle between providers
           echo "Temporarily disabling wolfprovider for default provider tests:"
           mkdir -p /tmp/openssl-test
-          if [ -f $PROVIDER_CONF ]; then
-            mv $PROVIDER_CONF $PROVIDER_CONF_BACKUP
-            echo "   - Moved $PROVIDER_CONF to $PROVIDER_CONF_BACKUP"
+          if [ -f $WOLFPROV_CONF_FILE ]; then
+            mv $WOLFPROV_CONF_FILE $WOLFPROV_CONF_BACKUP
+            echo "   - Moved $WOLFPROV_CONF_FILE to $WOLFPROV_CONF_BACKUP"
           else
-            echo "$PROVIDER_CONF not found!"
+            echo "$WOLFPROV_CONF_FILE not found!"
             exit 1
           fi
 
@@ -103,9 +103,9 @@ jobs:
 
           # Restore wolfprovider configuration
           echo "Restoring wolfprovider configuration:"
-          if [ -f $PROVIDER_CONF_BACKUP ]; then
-            mv $PROVIDER_CONF_BACKUP $PROVIDER_CONF
-            echo "   - Restored $PROVIDER_CONF from $PROVIDER_CONF_BACKUP"
+          if [ -f $WOLFPROV_CONF_BACKUP ]; then
+            mv $WOLFPROV_CONF_BACKUP $WOLFPROV_CONF_FILE
+            echo "   - Restored $WOLFPROV_CONF_FILE from $WOLFPROV_CONF_BACKUP"
           fi
 
           echo "PASS: All provider interoperability tests successful"
@@ -125,18 +125,19 @@ jobs:
           fi
 
           # Check if the config file is removed
-          if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then
+          if [ -f $WOLFPROV_CONF_FILE ]; then
             echo "wolfprovider.conf still exists after package removal"
-            ls -la /usr/lib/ssl/openssl.cnf.d/
+            ls -la $(dirname $WOLFPROV_CONF_FILE)
             exit 1
           else
             echo "wolfprovider.conf successfully removed"
           fi
 
           # Check if the library files are removed
-          if [ -f /usr/lib/*/ossl-modules/libwolfprov.so ]; then
+          WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*")
+          if [ -n "$WOLFPROV_OBJS" ]; then
             echo "libwolfprov.so still exists after package removal"
-            find /usr/lib -name "libwolfprov.so*" 2>/dev/null || true
+            echo "$WOLFPROV_OBJS"
             exit 1
           else
             echo "libwolfprov.so successfully removed"
@@ -181,6 +182,7 @@ jobs:
       WOLFSSL_PACKAGES_PATH: /tmp/wolfssl-packages
       OPENSSL_PACKAGES_PATH: /tmp/openssl-packages
       WOLFPROV_PACKAGES_PATH: /tmp/wolfprov-packages
+      WOLFPROV_CONF_FILE: /etc/ssl/openssl.cnf.d/wolfprovider.conf
     steps:
       - name: Checkout wolfProvider
         uses: actions/checkout@v4
@@ -251,17 +253,18 @@ jobs:
           echo "Verifying wolfprov configuration..."
           
           # Check if configuration file exists
-          if [ -f /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf ]; then
+          if [ -f $WOLFPROV_CONF_FILE ]; then
             echo "SUCCESS: wolfprovider.conf exists"
-            cat /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf
+            cat $WOLFPROV_CONF_FILE
           else
             echo "WARNING: wolfprovider.conf not found"
           fi
           
           # Check if library file exists
-          if [ -f /usr/lib/*/ossl-modules/libwolfprov.so ]; then
+          WOLFPROV_OBJS=$(find /usr/lib -name "libwolfprov.so*")
+          if [ -n "$WOLFPROV_OBJS" ]; then
             echo "SUCCESS: libwolfprov.so exists"
-            find /usr/lib -name "libwolfprov.so*" 2>/dev/null
+            echo "$WOLFPROV_OBJS"
           else
             echo "WARNING: libwolfprov.so not found"
           fi
diff --git a/.gitignore b/.gitignore
@@ -118,4 +118,5 @@ debian/libssl3*
 !debian/*.docs
 !debian/*.links
 !debian/*.triggers
+!debian/shlib.local
 
diff --git a/debian/libwolfprov.install b/debian/libwolfprov.install
@@ -1,3 +1,3 @@
 usr/lib/*/ossl-modules/libwolfprov.so.0.0.0
-usr/lib/ssl/openssl.cnf.d
-usr/lib/ssl/openssl.cnf.d/wolfprovider.conf
+etc/ssl/openssl.cnf.d
+etc/ssl/openssl.cnf.d/wolfprovider.conf
diff --git a/debian/libwolfprov.postinst b/debian/libwolfprov.postinst
@@ -2,7 +2,7 @@
 set -e
 
 # Define the include line to add to the openssl.cnf file
-INCLUDE_LINE=".include /usr/lib/ssl/openssl.cnf.d/wolfprovider.conf"
+INCLUDE_LINE=".include /etc/ssl/openssl.cnf.d/wolfprovider.conf"
 
 # Search for the openssl.cnf file in /usr, /lib and /etc
 CONF_FILES=$(find /usr /lib /etc -name openssl.cnf 2>/dev/null)
diff --git a/debian/libwolfprov.triggers b/debian/libwolfprov.triggers
@@ -3,6 +3,4 @@ interest-noawait /etc/ssl/openssl.cnf
 interest-noawait /etc/ssl/openssl.cnf.d
 interest-noawait /lib/ssl/openssl.cnf
 interest-noawait /lib/ssl/openssl.cnf.d
-interest-noawait /usr/lib/ssl/openssl.cnf
-interest-noawait /usr/lib/ssl/openssl.cnf.d
 
diff --git a/debian/openssl.install b/debian/openssl.install
@@ -1,2 +1,2 @@
 usr/bin/openssl
-usr/share/openssl-defaults/openssl.cnf
+etc/ssl/openssl.cnf
diff --git a/debian/openssl.links b/debian/openssl.links
@@ -0,0 +1,6 @@
+# openssl expects the conf file under /usr/lib/ssl, so ensure the symlink
+# is set to match the normal install
+/etc/ssl/openssl.cnf /usr/lib/ssl/openssl.cnf
+# Other symlinks expected by Debian
+/etc/ssl/certs       /usr/lib/ssl/certs
+/etc/ssl/private     /usr/lib/ssl/private
diff --git a/debian/openssl.postinst b/debian/openssl.postinst
diff --git a/debian/openssl.postrm b/debian/openssl.postrm
diff --git a/debian/rules b/debian/rules
@@ -80,15 +80,14 @@ override_dh_auto_install:
 		$(DESTDIR)/usr/include/wolfprovider/
 
 	# Install provider config file
-	install -d $(DESTDIR)/usr/lib/ssl/openssl.cnf.d
+	install -d $(DESTDIR)/etc/ssl/openssl.cnf.d
 	install -m644 ./$(PROVIDER_CONF) \
-		$(DESTDIR)/usr/lib/ssl/openssl.cnf.d/wolfprovider.conf
+		$(DESTDIR)/etc/ssl/openssl.cnf.d/wolfprovider.conf
 
-	# Install default openssl.cnf template (do NOT ship it directly in /usr/lib/ssl)
-	# The postinstall script will handle copying it to the system location
-	install -d $(DESTDIR)/usr/share/openssl-defaults
+	# Install openssl.cnf directly into /etc/ssl
+	install -d $(DESTDIR)/etc/ssl
 	install -m 0644 ./openssl-source/apps/openssl.cnf \
-		$(DESTDIR)/usr/share/openssl-defaults/openssl.cnf
+		$(DESTDIR)/etc/ssl/openssl.cnf
 
 	# Install pkg-config files for libssl-dev
 	install -d $(DESTDIR)/usr/lib/$(DEB_HOST_MULTIARCH)/pkgconfig
diff --git a/debian/shlibs.local b/debian/shlibs.local
@@ -0,0 +1,3 @@
+# For the case where wolfssl is not installed on the system, 
+# we must specify that libwolfssl.so.44 comes from the libwolfssl package.
+libwolfssl 44 libwolfssl (>= 5.8.2)

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`usr/bin/openssl`
`2`		`-usr/share/openssl-defaults/openssl.cnf`
	`2`	`+etc/ssl/openssl.cnf`