diff --git a/AusweisApp2.spec b/AusweisApp2.spec
index e26b978..ef0c660 100644
--- a/AusweisApp2.spec
+++ b/AusweisApp2.spec
@@ -6,10 +6,8 @@
 %{?__debug_package:%{__debug_install_post}} \
 %{__arch_install_post} \
 %{__os_install_post} \
-bindir="%{buildroot}%{_bindir}" \
-fipsdir="%{buildroot}%{_libdir}/fipscheck" \
-mkdir -p "$fipsdir" \
-fipshmac -d "$fipsdir" "$bindir/%{name}" \
+bindir="%{buildroot}%{_libexecdir}" \
+fipshmac "$bindir/%{name}" \
 %{nil}
 # Always do out-of-source builds with CMake.
@@ -24,7 +22,7 @@ fipshmac -d "$fipsdir" "$bindir/%{name}" \
 Name: AusweisApp2
 Version: 1.20.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: %{pkg_sum}
 # Init forge packaging helpers.
@@ -44,6 +42,7 @@ Patch00001: %{forgeurl}/pull/28.patch#/%{name}-1.20.1-doxygen_exclude_buil
 Patch01000: %{name}-1.20.1-use_Qt_TranslationsPath.patch
 BuildRequires: cmake
+BuildRequires: crypto-policies
 BuildRequires: desktop-file-utils
 BuildRequires: fipscheck
 BuildRequires: gcc-c++
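Review bot: The new `fipshmac "$bindir/%{name}"` line hashes the binary from `%{_libexecdir}`, a location that only exists because a later `%install` step moves the binary there, and nothing in this macro records that ordering dependency. A comment such as `# The binary is relocated to %{_libexecdir} in %install; fipshmac writes .%{name}.hmac next to it there.` would keep a future maintainer from restoring `%{_bindir}` here and silently hashing the shell wrapper instead. Dropping `-d` relies on fipshmac's default of placing the `.hmac` file beside the binary, which matches the `%files` entry added later in this commit. The macro definition this hunk edits (the continuation lines suggest the `__spec_install_post` override) starts before the hunk.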
@@ -180,6 +179,43 @@ help2man \
 --output=%{buildroot}%{_mandir}/man1/%{name}.1 \
 %{buildroot}%{_bindir}/%{name}
+# Create custom configuration for OpenSSL basing on the system's default
+# configuration to enable all ciphers required by the application.
+# This basically modifies the system's default configuration to enable
+# all RSA-PSK algorithms and the ciphers using SHA384.
+# A shell wrapper around the AusweisApp2 binary will take care of injecting
+# this configuration before application startup and only for this specific
+# application.
+cat << EOF >> %{buildroot}%{_datadir}/%{name}/openssl.cnf
+openssl_conf = default_conf
+
+[default_conf]
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+EOF
+cat %{_datadir}/crypto-policies/DEFAULT/opensslcnf.txt | \
+grep 'CipherString' | sed -e 's!:-!:kRSAPSK&!' -e 's!:-SHA384!!' \
+ >> %{buildroot}%{_datadir}/%{name}/openssl.cnf
+cat %{_datadir}/crypto-policies/DEFAULT/opensslcnf.txt | \
+grep -v 'CipherString' \
+ >> %{buildroot}%{_datadir}/%{name}/openssl.cnf
+chmod 0644 %{buildroot}%{_datadir}/%{name}/openssl.cnf
+
+# Relocate the application binary so we can call it through a shell wrapper.
+mkdir -p %{buildroot}%{_libexecdir}
+mv %{buildroot}%{_bindir}/%{name} %{buildroot}%{_libexecdir}/%{name}
+
+# Create the shell wrapper.
+cat << EOF >> %{buildroot}%{_bindir}/%{name}
+#!/bin/sh
+OPENSSL_CONF=%{_datadir}/%{name}/openssl.cnf %{_libexecdir}/%{name} "\$@"
+EOF
+chmod 0755 %{buildroot}%{_bindir}/%{name}
+
 # Excessive docs.
 mkdir -p %{buildroot}%{_pkgdocdir}/{installation,integration,notes,sdk}
 install -pm 0644 README.rst %{buildroot}%{_pkgdocdir}
@@ -210,7 +246,6 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 %files
-%dir %{_libdir}/fipscheck
 %dir %{_pkgdocdir}
 %doc %{_pkgdocdir}/README.rst
 %license AUTHORS
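Review bot: The `cat … | grep 'CipherString' | sed …` pipeline that fills `[system_default_sect]` fails silently: a pipeline's status is sed's, so if the crypto-policies file has no `CipherString` line, or the `:-` anchor the first sed expression keys on is absent, the build still succeeds and ships an openssl.cnf whose `openssl_conf = default_conf` replaces the system configuration with a section that lacks the cipher string entirely (the second pipeline still appends the remaining policy lines), and the missing RSA-PSK ciphers only surface at runtime. A standalone `grep -q 'CipherString' %{_datadir}/crypto-policies/DEFAULT/opensslcnf.txt` before the pipeline and `grep -q 'kRSAPSK' %{buildroot}%{_datadir}/%{name}/openssl.cnf` after it would abort the build under the `-e` rpmbuild runs `%install` with. The comment block should also state that the policy is captured from the build host at build time, so crypto-policies updates on the user's system do not reach this application until the package is rebuilt. In the wrapper, `export OPENSSL_CONF=%{_datadir}/%{name}/openssl.cnf` followed by `exec %{_libexecdir}/%{name} "\$@"` would let the binary replace the shell, so signals and the exit status are not mediated by a lingering sh process.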
@@ -218,7 +253,8 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 %license LICENSE.txt
 %{_bindir}/%{name}
 %{_datadir}/applications/com.governikus.%{lc_name}.desktop
-%{_libdir}/fipscheck/%{name}.hmac
+%{_libexecdir}/.%{name}.hmac
+%{_libexecdir}/%{name}
 %{_mandir}/man1/%{name}.1*
 %{_metainfodir}/com.governikus.%{lc_name}.metainfo.xml
@@ -233,6 +269,9 @@ desktop-file-validate %{buildroot}%{_datadir}/applications/*.desktop
 %changelog
+* Wed Sep 23 2020 Björn Esser - 1.20.2-2
+- Use application specific OpenSSL config through a shell wrapper
+
 * Mon Sep 07 2020 Björn Esser - 1.20.2-1
 - New upstream release
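Review bot: `%{_datadir}/%{name}/openssl.cnf`, which the `%install` change generates, is not listed in this `%files` hunk. If `%{_datadir}/%{name}/` is not already claimed by a directory entry elsewhere in the list (outside this hunk), rpmbuild will stop with an unpackaged-files error; if it is, an explicit `%{_datadir}/%{name}/openssl.cnf` line would still make it visible to readers that the wrapper depends on this file at every start. The `%{_libexecdir}/.%{name}.hmac` entry is consistent with fipshmac now writing next to the relocated binary.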