Merge branch 'master' into epel7

2016-10-15 13:37:41 -04:00 · 2016-10-15 13:37:41 -04:00 · 538de792f0
commit 538de792f0
parent 01bb2dea6c 25a04412bc
8 changed files with 187 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,4 @@
 /cjdns-v17.3.tar.gz
 /cjdns-v17.4.tar.gz
+/cjdns-v18.tar.gz
+/*.src.rpm
--- a/cjdns.README_Fedora.md
+++ b/cjdns.README_Fedora.md
@ -38,3 +38,63 @@ can speed this up dramatically with:
    systemctl enable cjdns-resume

 The resume service restarts cjdns when the system wakes up from sleep.
+
+For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart
+and stop.
+
+##Security
+
+By default, Fedora Workstation will treat the tun device created by cjdroute as
+"public", with SSH being the only incoming port allowed.  There is no
+additional exposure with cjdns and the default Fedora firewall.  If you have
+modified the firewall config beyond opening additional incoming ports, be sure
+that the cjdns tun is treated as public - because anyone in the world can
+attempt to connect to you through it.  Sometimes, people configure their
+firewall to treat all tun devices as "VPN", and therefore somewhat more
+trusted.  This would be a mistake with cjdns.  It is a VPN, for sure, but one
+anyone in the world can join.
+
+Public keys for cjdns are based on Elliptic Curves.  There is a known quantum
+algorithm that could be used to crack them if quantum computers with sufficient
+qubits are ever built.  The solution when that happens is larger keys - which
+are more cumbersome.
+
+The Distributed Hash Table algorithm is a core component of cjdns - which is
+vulnerable to a Denial of Service attack known as "Sybil".  This attack can
+block specific updates to the DHT - to prevent your node from joining a mesh,
+for instance.
+
+On the positive side, you can safely use telnet to cjdns IPs and the http
+protocol is automatically encrypted (but you need a secure DNS or raw ip to be
+sure you are talking to the right node).  Many other protocols are
+automatically encrypted while using cjdns.  In general, connecting to a raw
+cjdns IP is functionally equivalent to SSL/TLS with both client and server
+authentication.
+
+Since the cjdroute core routing code parses network packets from untrusted
+sources, it is a security risk and is heavily sandboxed.  It runs as the cjdns
+user in a chroot jail in an empty directory, with RLIMIT_NPROC set to 1 to
+disable forking.  Seccomp is used to limit available system calls to only those
+actually needed.  Installing the cjdns-selinux package installs a targeted
+selinux policy that also restricts what the privileged process can access.
+
+##Routing security
+
+If cjdns is not running, cjdns packets will get routed in plaintext
+to your default gateway by default.  An attacker could then play
+man-in-the-middle.  If your default gateway is running cjdns, this
+could even happen accidentally.
+
+This can be blocked by restricting ```fc00::/8``` to the interface 
+used by cjdroute in the firewall. 
+
+## Advanced config
+
+You may install a network service that depends on cjdns, for instance you might
+install thttpd to serve up
+[nodeinfo.json](https://docs.meshwith.me/en/cjdns/nodeinfo.json.html).  If
+thttpd is configured to listen only on your cjdns IP, then it will not start
+until cjdns is up and running.  Add ```After=cjdns-wait-online.service``` to
+```thttpd.service``` to hold off starting the service until cjdns has the
+tunnel up and ready.
+
--- a/cjdns.dyn.patch
+++ b/cjdns.dyn.patch
@ -1,13 +1,16 @@
 diff -up ./node_build/make.js.dyn ./node_build/make.js
--- ./node_build/make.js.dyn	2016-01-27 03:07:49.000000000 -0500
-+++ ./node_build/make.js	2016-04-18 16:17:04.052719207 -0400
-@@ -250,41 +250,9 @@ Builder.configure({
+--- ./node_build/make.js.dyn	2016-10-11 17:39:44.000000000 -0400
+++ ./node_build/make.js	2016-10-14 22:08:23.018241766 -0400
+@@ -252,44 +252,9 @@ Builder.configure({
 
     }).nThen(function (waitFor) {
 
 -        builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a');
 -        builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/');
 -
+-        // needed for Sign.c which pulls in crypto_int32.h
+-        builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/');
+-
 -        Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) {
 -            if (exists) { return; }
 -
@ -46,7 +49,7 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js
 
     }).nThen(function (waitFor) {
 
-@@ -423,7 +391,7 @@ Builder.configure({
+@@ -430,7 +395,7 @@ Builder.configure({
     builder.buildExecutable('crypto/random/randombytes.c');
 
     builder.lintFiles(function (fileName, file, callback) {
--- a/cjdns.sbin.patch
+++ b/cjdns.sbin.patch
@ -1,6 +1,23 @@
+diff -up ./contrib/systemd/cjdns-loadmodules.service.sbin ./contrib/systemd/cjdns-loadmodules.service
+--- ./contrib/systemd/cjdns-loadmodules.service.sbin	2016-08-15 13:39:48.892573194 -0400
+++ ./contrib/systemd/cjdns-loadmodules.service	2016-08-15 13:47:24.336772295 -0400
+@@ -0,0 +1,13 @@
+[Unit]
+Description=Load cjdns kernel modules
+# Load kernel modules needed by cjdns so that it doesn't need the privilege
+Before=cjdns.service
+# Do not try to load modules in containers like openvz
+ConditionVirtualization=!container
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/modprobe tun
+
+[Install]
+WantedBy=multi-user.target
 diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.sh
--- ./contrib/systemd/cjdns-online.sh.sbin	2016-06-23 22:49:23.703114380 -0400
-+++ ./contrib/systemd/cjdns-online.sh	2016-06-23 22:51:50.666731442 -0400
+--- ./contrib/systemd/cjdns-online.sh.sbin	2016-08-15 13:33:11.356021398 -0400
+++ ./contrib/systemd/cjdns-online.sh	2016-08-15 13:33:11.356021398 -0400
@@ -0,0 +1,90 @@
 +#!/bin/sh
 +#   Check whether cjdns IPs are available
@ -94,25 +111,34 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s
 +fi
 diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service
 --- ./contrib/systemd/cjdns.service.sbin	2016-06-14 17:58:54.000000000 -0400
-+++ ./contrib/systemd/cjdns.service	2016-06-23 22:49:23.703114380 -0400
-@@ -9,10 +9,11 @@ ProtectSystem=true
+++ ./contrib/systemd/cjdns.service	2016-08-15 13:56:20.198792714 -0400
+@@ -1,18 +1,20 @@
+ [Unit]
+ Description=cjdns: routing engine designed for security, scalability, speed and ease of use
+ Wants=network.target
+-After=network.target
+After=network.target cjdns-loadmodules.service
+Requires=cjdns-loadmodules.service
+ 
+ [Service]
+ ProtectHome=true
+ ProtectSystem=true
 SyslogIdentifier=cjdroute
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL
 ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \
                 then umask 077; \
 -                /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \
 +                /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \
                 echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \
-            fi"
+             fi"
 -ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf"
-+            fi; case $(wc -c /proc/modules) in \
-+                0*) ;; *) /sbin/modprobe tun;; esac"
 +ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf"
 Restart=always
 
 [Install]
 diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service
--- ./contrib/systemd/cjdns-wait-online.service.sbin	2016-06-23 22:49:23.703114380 -0400
-+++ ./contrib/systemd/cjdns-wait-online.service	2016-06-23 22:49:23.703114380 -0400
+--- ./contrib/systemd/cjdns-wait-online.service.sbin	2016-08-15 13:33:11.356021398 -0400
+++ ./contrib/systemd/cjdns-wait-online.service	2016-08-15 13:33:11.356021398 -0400
@@ -0,0 +1,13 @@
 +[Unit]
 +Description=CJDNS Wait Online
@ -129,7 +155,7 @@ diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdn
 +WantedBy=multi-user.target
 diff -up ./contrib/upstart/cjdns.conf.sbin ./contrib/upstart/cjdns.conf
 --- ./contrib/upstart/cjdns.conf.sbin	2016-06-14 17:58:54.000000000 -0400
-+++ ./contrib/upstart/cjdns.conf	2016-06-23 22:49:23.703114380 -0400
+++ ./contrib/upstart/cjdns.conf	2016-08-15 13:33:11.356021398 -0400
@@ -13,10 +13,16 @@ pre-start script
     if ! [ -s /etc/cjdroute.conf ]; then
         ( # start a subshell to avoid side effects of umask later on
--- a/cjdns.sign.patch
+++ b/cjdns.sign.patch
@ -0,0 +1,36 @@
+diff -up ./crypto/Sign.c.sign ./crypto/Sign.c
+--- ./crypto/Sign.c.sign	2016-10-11 17:39:44.000000000 -0400
+++ ./crypto/Sign.c	2016-10-14 20:59:49.143754098 -0400
+@@ -13,6 +13,7 @@
+  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+  */
+ 
+#ifdef SUBNODE
+ #include "crypto/Sign.h"
+ 
+ #include "node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge.h"
+@@ -110,3 +111,6 @@ int Sign_publicSigningKeyToCurve25519(ui
+ 
+     return 0;
+ }
+#else
+#pragma GCC diagnostic ignored "-Wpedantic"
+#endif // SUBNODE
+diff -up ./crypto/test/Sign_test.c.sign ./crypto/test/Sign_test.c
+--- ./crypto/test/Sign_test.c.sign	2016-10-11 17:39:44.000000000 -0400
+++ ./crypto/test/Sign_test.c	2016-10-14 20:57:28.737064976 -0400
+@@ -23,6 +23,7 @@
+ 
+ int main()
+ {
+#ifdef SUBNODE
+     struct Allocator* alloc = MallocAllocator_new(1048576);
+     struct Log* logger = FileWriterLog_new(stdout, alloc);
+     struct Random* rand = Random_new(alloc, logger, NULL);
+@@ -42,5 +43,6 @@ int main()
+     Assert_true(!Sign_verifyMsg(&signingKeyPair[32], msg));
+     Assert_true(!Sign_publicSigningKeyToCurve25519(curve25519publicB, &signingKeyPair[32]));
+     Assert_true(!Bits_memcmp(curve25519publicB, curve25519public, 32));
+#endif  // SUBNODE
+     return 0;
+ }
--- a/cjdns.sodium.patch
+++ b/cjdns.sodium.patch
@ -1,13 +1,16 @@
-diff -up ./node_build/make.js.dyn ./node_build/make.js
--- ./node_build/make.js.dyn	2015-11-02 17:59:41.000000000 -0500
-+++ ./node_build/make.js	2015-11-04 19:57:49.961155943 -0500
-@@ -238,41 +238,9 @@ Builder.configure({
+diff -up ./node_build/make.js.sodium ./node_build/make.js
+--- ./node_build/make.js.sodium	2016-10-11 17:39:44.000000000 -0400
+++ ./node_build/make.js	2016-10-14 22:23:23.711086438 -0400
+@@ -252,44 +252,8 @@ Builder.configure({
 
     }).nThen(function (waitFor) {
 
 -        builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a');
 -        builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/');
 -
+-        // needed for Sign.c which pulls in crypto_int32.h
+-        builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/');
+-
 -        Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) {
 -            if (exists) { return; }
 -
@ -41,12 +44,11 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js
 -            }));
 -        }));
 +        builder.config.libs.push('-lsodium');
-+        builder.config.libs.push('-lstdc++');
 +        builder.config.includeDirs.push('/usr/include/sodium/');
 
     }).nThen(function (waitFor) {
 
-@@ -411,7 +379,7 @@ Builder.configure({
+@@ -430,7 +394,7 @@ Builder.configure({
     builder.buildExecutable('crypto/random/randombytes.c');
 
     builder.lintFiles(function (fileName, file, callback) {
--- a/cjdns.spec
+++ b/cjdns.spec
@ -4,7 +4,11 @@
 # Use the optimized libnacl embedded with cjdns
 %global use_embedded 0
 # Use libsodium instead of nacl
-%global use_libsodium 0
+%global use_libsodium 1
+# Option to enable SUBNODE mode (WIP)
+%bcond_with subnode
+# Option to disable SECCOMP: confusing backward logic
+%bcond_without seccomp

 %if 0%{use_libsodium}
 %global nacl_name libsodium
@ -38,8 +42,8 @@

 Name:           cjdns
 # major version is cjdns protocol version:
-Version:        17.4
-Release:        4%{?dist}
+Version:        18
+Release:        3%{?dist}
 Summary:        The privacy-friendly network without borders
 Group:          System Environment/Base
 # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC
@ -84,6 +88,8 @@ Patch9:  cjdns.man.patch
 Patch10: cjdns.tools.patch
 # Alternate dynamic library patch to use libsodium
 Patch11: cjdns.sodium.patch
+# Disable WIP subnode code when SUBNODE not enabled
+Patch12: cjdns.sign.patch

 BuildRequires:  nodejs, nodejs-ronn

@ -104,6 +110,9 @@ Requires(postun): systemd
 %endif
 Requires(pre): shadow-utils
 Provides: bundled(libuv) = 0.11.4
+%if 0%{use_embedded}
+Provides: bundled(nacl) = 20110221
+%endif
 # build system requires nodejs, unfortunately
 ExclusiveArch: %{nodejs_arches}

@ -185,6 +194,7 @@ elif test -d %{_includedir}/nacl && test -r %{_libdir}/libnacl.a; then
  ln -s %{_includedir}/nacl cnacl/jsbuild/include
  cd -
 fi
+%patch12 -b .sign
 %endif

 %if !0%{?rhel} || 0%{?rhel} > 6
@ -221,7 +231,12 @@ cd contrib/selinux
 ln -s /usr/share/selinux/devel/Makefile .
 make 
 cd -
+
 # nodejs based build system
+
+%if !%{with seccomp}
+export Seccomp_NO=1
+%endif
 CJDNS_RELEASE_VERSION="%{name}-%{version}-%{release}" ./do

 # FIXME: use system libuv on compatible systems
@ -467,6 +482,25 @@ fi
 %{_bindir}/graphStats

 %changelog
+* Fri Oct 14 2016 Stuart D. Gathman <stuart@gathman.org> 18-3
+- libstdc++ not needed with libsodium
+
+* Fri Oct 14 2016 Stuart D. Gathman <stuart@gathman.org> 18-2
+- Remove Sign.c which uses a private API and isn't needed until supernodes.
+- Use libsodium by default: seems best performance of dynamic libraries
+
+* Wed Oct 12 2016 Stuart D. Gathman <stuart@gathman.org> 18-1
+- Update to 18 upstream release
+
+* Mon Aug 15 2016 Stuart D. Gathman <stuart@gathman.org> 17.4-7
+- Move modprobe to cjdns-loadmodules.service
+
+* Wed Aug 10 2016 Stuart D. Gathman <stuart@gathman.org> 17.4-6
+- Fix logic for %%bcond_without seccomp
+
+* Wed Aug 10 2016 Stuart D. Gathman <stuart@gathman.org> 17.4-5
+- cjdns.service: add CapabilityBoundingSet
+
 * Fri Jun 24 2016 Stuart D. Gathman <stuart@gathman.org> 17.4-4
 - cjdns-selinux: allow cjdroute to manipulate route table

--- a/3
+++ b/3
@ -1,2 +1 @@
-efc62329874a0620a532269a53dbfc85  cjdns-v17.3.tar.gz
-e74f25941879e807086a8b70771fcf60  cjdns-v17.4.tar.gz
+9f6600d9ed0d87d4e17fbc9155ff0368  cjdns-v18.tar.gz