security fix: remove prebuilt cert and key forcing to generate them in %posttrans [release 0.9.16-2mamba;Thu Jul 01 2021]

2024-01-05 19:55:29 +01:00 · 2024-01-05 19:55:29 +01:00 · 7854b3fe1f
commit 7854b3fe1f
parent 1758799fd1
2 changed files with 73 additions and 12 deletions
--- a/xrdp-openssl.conf
+++ b/xrdp-openssl.conf
@ -0,0 +1,46 @@
+[req]
+distinguished_name = req_distinguished_name
+# The extensions to add to the self signed cert
+x509_extensions = v3_ca
+# Run non-interactively
+prompt = no
+
+[req_distinguished_name]
+# Certificate subject
+#countryName = US
+#stateOrProvinceName = CA
+#localityName = Sunnyvale
+#organizationName = xrdp
+#organizationalUnitName =
+commonName = XRDP
+#emailAddress =
+
+[v3_ca]
+# Extensions for a typical CA - PKIX recommendation.
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical, CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+#keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+#nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+#subjectAltName = email:copy
+# Copy issuer details
+#issuerAltName = issuer:copy
+
+# DER hex encoding of an extension: experts only!
+#obj = DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+#basicConstraints = critical, DER:30:03:01:01:FF
--- a/xrdp.spec
+++ b/xrdp.spec
@ -1,6 +1,6 @@
 Name:          xrdp
 Version:       0.9.16
-Release:       1mamba
+Release:       2mamba
 Summary:       Provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP)
 Group:         System/Servers
 Vendor:        openmamba
@ -8,6 +8,7 @@ Distribution:  openmamba
 Packager:      Silvan Calarco <silvan.calarco@mambasoft.it>
 URL:           https://github.com/neutrinolabs/xrdp
 Source:        https://github.com/neutrinolabs/xrdp.git/v%{version}/xrdp-%{version}.tar.bz2
+Source1:       xrdp-openssl.conf
 Patch0:        xrdp-0.9.15-startwm-openmamba.patch
 License:       Apache License 2.0
 ## AUTOBUILDREQ-BEGIN
@ -88,7 +89,7 @@ sed -i "s|param=Xorg|param=%{_libexecdir}/Xorg|" sesman/sesman.ini.in
 [ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
 %makeinstall

-rm -f %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
+install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/xrdp/openssl.conf

 %clean
 [ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
@ -96,9 +97,6 @@ rm -f %{buildroot}%{_sysconfdir}/xrdp/rsakeys.ini
 %post
 %systemd_post xrdp
 %systemd_post xrdp-sesman
-if [ $1 -ge 1 ]; then
-   [ -e %{sysconfdir}/xrdp/rsakeys.ini ] || xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini
-fi
 :

 %preun
@ -111,21 +109,35 @@ fi
 %systemd_postun xrdp-sesman
 :

+%posttrans
+if [ ! -s %{_sysconfdir}/xrdp/rsakeys.ini ]; then
+  (umask 377; touch %{_sysconfdir}/xrdp/rsakeys.ini; %{_bindir}/xrdp-keygen xrdp %{_sysconfdir}/xrdp/rsakeys.ini &>/dev/null)
+fi
+
+if [ ! -s %{_sysconfdir}/xrdp/cert.pem ]; then
+  (umask 377; openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3652 \
+    -keyout %{_sysconfdir}/xrdp/key.pem \
+    -out %{_sysconfdir}/xrdp/cert.pem \
+    -config %{_sysconfdir}/xrdp/openssl.conf >/dev/null 2>&1)
+fi
+:
+
 %post -n lib%{name} -p /sbin/ldconfig
 %postun -n lib%{name} -p /sbin/ldconfig

 %files
 %defattr(-,root,root)
 %{_sysconfdir}/pam.d/xrdp-sesman
-%{_sysconfdir}/xrdp/cert.pem
-%{_sysconfdir}/xrdp/key.pem
-%{_sysconfdir}/xrdp/km-*.ini
-%{_sysconfdir}/xrdp/pulse/default.pa
+%dir %{_sysconfdir}/xrdp
+%config(noreplace) %{_sysconfdir}/xrdp/*.ini
+%config(noreplace) %{_sysconfdir}/xrdp/openssl.conf
 %{_sysconfdir}/xrdp/reconnectwm.sh
-%config(noreplace) %{_sysconfdir}/xrdp/sesman.ini
 %{_sysconfdir}/xrdp/startwm.sh
-%config(noreplace) %{_sysconfdir}/xrdp/xrdp.ini
-%config(noreplace) %{_sysconfdir}/xrdp/xrdp_keyboard.ini
+%dir %{_sysconfdir}/xrdp/pulse
+%config(noreplace) %{_sysconfdir}/xrdp/pulse/default.pa
+%exclude %ghost %{_sysconfdir}/xrdp/cert.pem
+%exclude %ghost %{_sysconfdir}/xrdp/key.pem
+%exclude %ghost %{_sysconfdir}/xrdp/rsakeys.ini
 %{_bindir}/xrdp-dis
 %{_bindir}/xrdp-genkeymap
 %{_bindir}/xrdp-keygen
@ -190,6 +202,9 @@ fi
 %doc README.md

 %changelog
+* Thu Jul 01 2021 Silvan Calarco <silvan.calarco@mambasoft.it> 0.9.16-2mamba
+- security fix: remove prebuilt cert and key forcing to generate them in %posttrans
+
 * Sat May 01 2021 Automatic Build System <autodist@mambasoft.it> 0.9.16-1mamba
 - automatic version update by autodist