From 7854b3fe1f54214a521fb74abb98b28ffa666ac3 Mon Sep 17 00:00:00 2001
From: Silvan Calarco
Date: Fri, 5 Jan 2024 19:55:29 +0100
Subject: [PATCH] security fix: remove prebuilt cert and key forcing to generate them in %posttrans [release 0.9.16-2mamba;Thu Jul 01 2021]

---
 xrdp-openssl.conf | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 xrdp.spec | 39 +++++++++++++++++++++++++++------------
 2 files changed, 73 insertions(+), 12 deletions(-)
 create mode 100644 xrdp-openssl.conf

diff --git a/xrdp-openssl.conf b/xrdp-openssl.conf
new file mode 100644
index 0000000..faa269c
--- /dev/null
+++ b/xrdp-openssl.conf
@@ -0,0 +1,46 @@
+[req]
+distinguished_name = req_distinguished_name
+# The extensions to add to the self signed cert
+x509_extensions = v3_ca
+# Run non-interactively
+prompt = no
+
+[req_distinguished_name]
+# Certificate subject
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Sunnyvale
+#organizationName = xrdp
+#organizationalUnitName =
+commonName = XRDP
+#emailAddress =
+
+[v3_ca]
+# Extensions for a typical CA - PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical, CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+#keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+#subjectAltName = email:copy
+# Copy issuer details
+#issuerAltName = issuer:copy
+
+# DER hex encoding of an extension: experts only!
+#obj = DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+#basicConstraints = critical, DER:30:03:01:01:FF
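Review bot: The `[v3_ca]` section marks the generated certificate as a CA (`basicConstraints = CA:true`) and declares no `keyUsage`, `extendedKeyUsage` or `subjectAltName`, although the spec's `%posttrans` feeds this file to `openssl req -x509` to produce what appears to be xrdp's TLS server certificate, not a CA. The comments around it ("Extensions for a typical CA", "best left out by default") are copied from a CA-oriented template and describe the wrong use case, which will mislead the next person editing the file. For a self-signed leaf certificate the section would read `basicConstraints = critical, CA:false`, `keyUsage = critical, digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth`, with the section comment changed to state that this is the xrdp TLS server certificate. The fixed `commonName = XRDP` with no SAN also means a client that matches the presented name against the host it connected to cannot verify it; if that matters for the target clients, a `subjectAltName` filled in at generation time (OpenSSL's `$ENV::` substitution is one option) would address it.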
diff --git a/xrdp.spec b/xrdp.spec
index 8a8ed80..2b73d01 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -1,6 +1,6 @@
 Name: xrdp
 Version: 0.9.16
-Release: 1mamba
+Release: 2mamba
 Summary: Provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP)
 Group: System/Servers
 Vendor: openmamba
@@ -8,6 +8,7 @@ Distribution: openmamba
 Packager: Silvan Calarco
 URL: https://github.com/neutrinolabs/xrdp
 Source: https://github.com/neutrinolabs/xrdp.git/v%{version}/xrdp-%{version}.tar.bz2
+Source1: xrdp-openssl.conf
 Patch0: xrdp-0.9.15-startwm-openmamba.patch
 License: Apache License 2.0
 ## AUTOBUILDREQ-BEGIN
@@ -88,7 +89,7 @@ sed -i "s|param=Xorg|param=%{_libexecdir}/Xorg|" sesman/sesman.ini.in
 [ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
 %makeinstall
 
-rm -f %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
+install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/xrdp/openssl.conf
 
 %clean
 [ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
@@ -96,9 +97,6 @@ rm -f %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
 %post
 %systemd_post xrdp
 %systemd_post xrdp-sesman
-if [ $1 -ge 1 ]; then
-    [ -e %{sysconfdir}/xrdp/rsakeys.ini ] || xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini
-fi
 :
 
 %preun
@@ -111,21 +109,35 @@ fi
 %systemd_postun xrdp-sesman
 :
 
+%posttrans
+if [ ! -s %{_sysconfdir}/xrdp/rsakeys.ini ]; then
+    (umask 377; touch %{_sysconfdir}/xrdp/rsakeys.ini; %{_bindir}/xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini &>/dev/null)
+fi
+
+if [ ! -s %{_sysconfdir}/xrdp/cert.pem ]; then
+    (umask 377; openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+        -keyout %{_sysconfdir}/xrdp/key.pem \
+        -out %{_sysconfdir}/xrdp/cert.pem \
+        -config %{_sysconfdir}/xrdp/openssl.conf >/dev/null 2>&1)
+fi
+:
+
 %post -n lib%{name} -p /sbin/ldconfig
 %postun -n lib%{name} -p /sbin/ldconfig
 
 %files
 %defattr(-,root,root)
 %{_sysconfdir}/pam.d/xrdp-sesman
-%{_sysconfdir}/xrdp/cert.pem
-%{_sysconfdir}/xrdp/key.pem
-%{_sysconfdir}/xrdp/km-*.ini
-%{_sysconfdir}/xrdp/pulse/default.pa
+%dir %{_sysconfdir}/xrdp
+%config(noreplace) %{_sysconfdir}/xrdp/*.ini
+%config(noreplace) %{_sysconfdir}/xrdp/openssl.conf
 %{_sysconfdir}/xrdp/reconnectwm.sh
-%config(noreplace) %{_sysconfdir}/xrdp/sesman.ini
 %{_sysconfdir}/xrdp/startwm.sh
-%config(noreplace) %{_sysconfdir}/xrdp/xrdp.ini
-%config(noreplace) %{_sysconfdir}/xrdp/xrdp_keyboard.ini
+%dir %{_sysconfdir}/xrdp/pulse
+%config(noreplace) %{_sysconfdir}/xrdp/pulse/default.pa
+%exclude %ghost %{_sysconfdir}/xrdp/cert.pem
+%exclude %ghost %{_sysconfdir}/xrdp/key.pem
+%exclude %ghost %{_sysconfdir}/xrdp/rsakeys.ini
 %{_bindir}/xrdp-dis
 %{_bindir}/xrdp-genkeymap
 %{_bindir}/xrdp-keygen
@@ -190,6 +202,9 @@ fi
 %doc README.md
 
 %changelog
+* Thu Jul 01 2021 Silvan Calarco 0.9.16-2mamba
+- security fix: remove prebuilt cert and key forcing to generate them in %posttrans
+
 * Sat May 01 2021 Automatic Build System 0.9.16-1mamba
 - automatic version update by autodist
 
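Review bot: The three `%exclude %ghost` entries in `%files` work against each other: `%exclude` removes the path from the package's file list, which leaves the `%ghost` with nothing to apply to, so the key, certificate and rsakeys.ini generated in `%posttrans` end up unowned — not removed on package erase, invisible to `rpm -V`, and with no declared `%attr`. Using `%ghost %attr(0400,root,root) %{_sysconfdir}/xrdp/key.pem` (and likewise for cert.pem and rsakeys.ini) would still keep the build-time copies out of the payload while owning the paths; if `%exclude` was added for a packaging reason not visible here, a comment naming it would help. The second guard tests only `cert.pem`, so a host that has a certificate but a missing or empty `key.pem` is left as is; `if [ ! -s %{_sysconfdir}/xrdp/cert.pem ] || [ ! -s %{_sysconfdir}/xrdp/key.pem ]; then` covers both files. Both generation steps discard stdout and stderr and ignore the exit status, so a missing `openssl` binary (no `Requires:` for it appears in this patch) or a failing `xrdp-keygen` leaves the service without credentials and nothing in the install log; appending `|| echo "xrdp: credential generation failed" >&2` to each subshell would surface that.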