diff --git a/.gitignore b/.gitignore
index 697fa3e..c192c5f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
/cjdns-v17.3.tar.gz
/cjdns-v17.4.tar.gz
+/cjdns-v18.tar.gz
+/*.src.rpm
diff --git a/cjdns.README_Fedora.md b/cjdns.README_Fedora.md
index 9fb864f..8fa2b55 100644
--- a/cjdns.README_Fedora.md
+++ b/cjdns.README_Fedora.md
@@ -38,3 +38,63 @@ can speed this up dramatically with:
systemctl enable cjdns-resume
The resume service restarts cjdns when the system wakes up from sleep.
+
+For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart
+and stop.
+
+##Security
+
+By default, Fedora Workstation will treat the tun device created by cjdroute as
+"public", with SSH being the only incoming port allowed. There is no
+additional exposure with cjdns and the default Fedora firewall. If you have
+modified the firewall config beyond opening additional incoming ports, be sure
+that the cjdns tun is treated as public - because anyone in the world can
+attempt to connect to you through it. Sometimes, people configure their
+firewall to treat all tun devices as "VPN", and therefore somewhat more
+trusted. This would be a mistake with cjdns. It is a VPN, for sure, but one
+anyone in the world can join.
+
+Public keys for cjdns are based on Elliptic Curves. There is a known quantum
+algorithm that could be used to crack them if quantum computers with sufficient
+qubits are ever built. The solution when that happens is larger keys - which
+are more cumbersome.
+
+The Distributed Hash Table algorithm is a core component of cjdns - which is
+vulnerable to a Denial of Service attack known as "Sybil". This attack can
+block specific updates to the DHT - to prevent your node from joining a mesh,
+for instance.
+
+On the positive side, you can safely use telnet to cjdns IPs and the http
+protocol is automatically encrypted (but you need a secure DNS or raw ip to be
+sure you are talking to the right node). Many other protocols are
+automatically encrypted while using cjdns. In general, connecting to a raw
+cjdns IP is functionally equivalent to SSL/TLS with both client and server
+authentication.
+
+Since the cjdroute core routing code parses network packets from untrusted
+sources, it is a security risk and is heavily sandboxed. It runs as the cjdns
+user in a chroot jail in an empty directory, with RLIMIT_NPROC set to 1 to
+disable forking. Seccomp is used to limit available system calls to only those
+actually needed. Installing the cjdns-selinux package installs a targeted
+selinux policy that also restricts what the privileged process can access.
+
+##Routing security
+
+If cjdns is not running, cjdns packets will get routed in plaintext
+to your default gateway by default. An attacker could then play
+man-in-the-middle. If your default gateway is running cjdns, this
+could even happen accidentally.
+
+This can be blocked by restricting ```fc00::/8``` to the interface
+used by cjdroute in the firewall.
+
+## Advanced config
+
+You may install a network service that depends on cjdns, for instance you might
+install thttpd to serve up
+[nodeinfo.json](https://docs.meshwith.me/en/cjdns/nodeinfo.json.html). If
+thttpd is configured to listen only on your cjdns IP, then it will not start
+until cjdns is up and running. Add ```After=cjdns-wait-online.service``` to
+```thttpd.service``` to hold off starting the service until cjdns has the
+tunnel up and ready.
+
diff --git a/cjdns.dyn.patch b/cjdns.dyn.patch
index dc5062d..9dc22e0 100644
--- a/cjdns.dyn.patch
+++ b/cjdns.dyn.patch
@@ -1,13 +1,16 @@
diff -up ./node_build/make.js.dyn ./node_build/make.js
---- ./node_build/make.js.dyn 2016-01-27 03:07:49.000000000 -0500
-+++ ./node_build/make.js 2016-04-18 16:17:04.052719207 -0400
-@@ -250,41 +250,9 @@ Builder.configure({
+--- ./node_build/make.js.dyn 2016-10-11 17:39:44.000000000 -0400
++++ ./node_build/make.js 2016-10-14 22:08:23.018241766 -0400
+@@ -252,44 +252,9 @@ Builder.configure({
}).nThen(function (waitFor) {
- builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a');
- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/');
-
+- // needed for Sign.c which pulls in crypto_int32.h
+- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/');
+-
- Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) {
- if (exists) { return; }
-
@@ -46,7 +49,7 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js
}).nThen(function (waitFor) {
-@@ -423,7 +391,7 @@ Builder.configure({
+@@ -430,7 +395,7 @@ Builder.configure({
builder.buildExecutable('crypto/random/randombytes.c');
builder.lintFiles(function (fileName, file, callback) {
diff --git a/cjdns.sbin.patch b/cjdns.sbin.patch
index fecb18c..f628a1c 100644
--- a/cjdns.sbin.patch
+++ b/cjdns.sbin.patch
@@ -1,6 +1,23 @@
+diff -up ./contrib/systemd/cjdns-loadmodules.service.sbin ./contrib/systemd/cjdns-loadmodules.service
+--- ./contrib/systemd/cjdns-loadmodules.service.sbin 2016-08-15 13:39:48.892573194 -0400
++++ ./contrib/systemd/cjdns-loadmodules.service 2016-08-15 13:47:24.336772295 -0400
+@@ -0,0 +1,13 @@
++[Unit]
++Description=Load cjdns kernel modules
++# Load kernel modules needed by cjdns so that it doesn't need the privilege
++Before=cjdns.service
++# Do not try to load modules in containers like openvz
++ConditionVirtualization=!container
++
++[Service]
++Type=oneshot
++ExecStart=/usr/sbin/modprobe tun
++
++[Install]
++WantedBy=multi-user.target
diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.sh
---- ./contrib/systemd/cjdns-online.sh.sbin 2016-06-23 22:49:23.703114380 -0400
-+++ ./contrib/systemd/cjdns-online.sh 2016-06-23 22:51:50.666731442 -0400
+--- ./contrib/systemd/cjdns-online.sh.sbin 2016-08-15 13:33:11.356021398 -0400
++++ ./contrib/systemd/cjdns-online.sh 2016-08-15 13:33:11.356021398 -0400
@@ -0,0 +1,90 @@
+#!/bin/sh
+# Check whether cjdns IPs are available
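Review bot: The new cjdns-loadmodules.service is `Type=oneshot` with no `RemainAfterExit=yes`, so the unit returns to inactive as soon as modprobe exits. It is then presumably re-run each time cjdns.service is started through the `Requires=` added in the cjdns.service hunk below. Adding `RemainAfterExit=yes` under `[Service]` would keep the unit shown as active and load the module once per boot. The existing comment on why the unit exists (so that cjdns itself does not need module-loading privilege) is the right thing to record and should stay.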
@@ -94,25 +111,34 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s
+fi
diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service
--- ./contrib/systemd/cjdns.service.sbin 2016-06-14 17:58:54.000000000 -0400
-+++ ./contrib/systemd/cjdns.service 2016-06-23 22:49:23.703114380 -0400
-@@ -9,10 +9,11 @@ ProtectSystem=true
++++ ./contrib/systemd/cjdns.service 2016-08-15 13:56:20.198792714 -0400
+@@ -1,18 +1,20 @@
+ [Unit]
+ Description=cjdns: routing engine designed for security, scalability, speed and ease of use
+ Wants=network.target
+-After=network.target
++After=network.target cjdns-loadmodules.service
++Requires=cjdns-loadmodules.service
+
+ [Service]
+ ProtectHome=true
+ ProtectSystem=true
SyslogIdentifier=cjdroute
++CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL
ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \
then umask 077; \
- /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \
+ /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \
echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \
-- fi"
+ fi"
-ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf"
-+ fi; case $(wc -c /proc/modules) in \
-+ 0*) ;; *) /sbin/modprobe tun;; esac"
+ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf"
Restart=always
[Install]
diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service
---- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-06-23 22:49:23.703114380 -0400
-+++ ./contrib/systemd/cjdns-wait-online.service 2016-06-23 22:49:23.703114380 -0400
+--- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-08-15 13:33:11.356021398 -0400
++++ ./contrib/systemd/cjdns-wait-online.service 2016-08-15 13:33:11.356021398 -0400
@@ -0,0 +1,13 @@
+[Unit]
+Description=CJDNS Wait Online
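Review bot: The added `CapabilityBoundingSet=` line in cjdns.service keeps six capabilities without saying what needs each one, and `CAP_AUDIT_CONTROL` in particular is not an obvious requirement for a routing daemon. A comment above the line would let a later reviewer shrink the set safely, e.g. `# NET_ADMIN/NET_RAW: tun and sockets; SETUID/SETGID/SYS_CHROOT: drop to the cjdns user in a chroot; AUDIT_CONTROL: <reason>`. That mapping is inferred from the README text in this commit and should be confirmed against cjdroute. The bounding set also applies to the `ExecStartPre=` shell that writes /etc/cjdroute.conf, so it is worth checking on a fresh install that config generation still succeeds.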
@@ -129,7 +155,7 @@ diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdn
+WantedBy=multi-user.target
diff -up ./contrib/upstart/cjdns.conf.sbin ./contrib/upstart/cjdns.conf
--- ./contrib/upstart/cjdns.conf.sbin 2016-06-14 17:58:54.000000000 -0400
-+++ ./contrib/upstart/cjdns.conf 2016-06-23 22:49:23.703114380 -0400
++++ ./contrib/upstart/cjdns.conf 2016-08-15 13:33:11.356021398 -0400
@@ -13,10 +13,16 @@ pre-start script
if ! [ -s /etc/cjdroute.conf ]; then
( # start a subshell to avoid side effects of umask later on
diff --git a/cjdns.sign.patch b/cjdns.sign.patch
new file mode 100644
index 0000000..3b36ea4
--- /dev/null
+++ b/cjdns.sign.patch
@@ -0,0 +1,36 @@
+diff -up ./crypto/Sign.c.sign ./crypto/Sign.c
+--- ./crypto/Sign.c.sign 2016-10-11 17:39:44.000000000 -0400
++++ ./crypto/Sign.c 2016-10-14 20:59:49.143754098 -0400
+@@ -13,6 +13,7 @@
+ * along with this program. If not, see .
+ */
+
++#ifdef SUBNODE
+ #include "crypto/Sign.h"
+
+ #include "node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge.h"
+@@ -110,3 +111,6 @@ int Sign_publicSigningKeyToCurve25519(ui
+
+ return 0;
+ }
++#else
++#pragma GCC diagnostic ignored "-Wpedantic"
++#endif // SUBNODE
+diff -up ./crypto/test/Sign_test.c.sign ./crypto/test/Sign_test.c
+--- ./crypto/test/Sign_test.c.sign 2016-10-11 17:39:44.000000000 -0400
++++ ./crypto/test/Sign_test.c 2016-10-14 20:57:28.737064976 -0400
+@@ -23,6 +23,7 @@
+
+ int main()
+ {
++#ifdef SUBNODE
+ struct Allocator* alloc = MallocAllocator_new(1048576);
+ struct Log* logger = FileWriterLog_new(stdout, alloc);
+ struct Random* rand = Random_new(alloc, logger, NULL);
+@@ -42,5 +43,6 @@ int main()
+ Assert_true(!Sign_verifyMsg(&signingKeyPair[32], msg));
+ Assert_true(!Sign_publicSigningKeyToCurve25519(curve25519publicB, &signingKeyPair[32]));
+ Assert_true(!Bits_memcmp(curve25519publicB, curve25519public, 32));
++#endif // SUBNODE
+ return 0;
+ }
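Review bot: With SUBNODE undefined, the patched `main()` in Sign_test.c reduces to `return 0;`, so the test reports success on a build where Sign.c is compiled out and no signing code is exercised. A comment at the `#ifdef SUBNODE` in the test would make that explicit in the source, for example `// Sign.c is compiled out without SUBNODE; this test is a no-op in that case`. The `#pragma GCC diagnostic ignored "-Wpedantic"` in the `#else` branch of Sign.c also needs a one-line comment saying it only silences the empty-translation-unit warning. Without it, a pedantic-off pragma in a crypto source file reads as if real diagnostics were being hidden.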
diff --git a/cjdns.sodium.patch b/cjdns.sodium.patch
index 19e0c16..7c637a8 100644
--- a/cjdns.sodium.patch
+++ b/cjdns.sodium.patch
@@ -1,13 +1,16 @@
-diff -up ./node_build/make.js.dyn ./node_build/make.js
---- ./node_build/make.js.dyn 2015-11-02 17:59:41.000000000 -0500
-+++ ./node_build/make.js 2015-11-04 19:57:49.961155943 -0500
-@@ -238,41 +238,9 @@ Builder.configure({
+diff -up ./node_build/make.js.sodium ./node_build/make.js
+--- ./node_build/make.js.sodium 2016-10-11 17:39:44.000000000 -0400
++++ ./node_build/make.js 2016-10-14 22:23:23.711086438 -0400
+@@ -252,44 +252,8 @@ Builder.configure({
}).nThen(function (waitFor) {
- builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a');
- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/');
-
+- // needed for Sign.c which pulls in crypto_int32.h
+- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/');
+-
- Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) {
- if (exists) { return; }
-
@@ -41,12 +44,11 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js
- }));
- }));
+ builder.config.libs.push('-lsodium');
-+ builder.config.libs.push('-lstdc++');
+ builder.config.includeDirs.push('/usr/include/sodium/');
}).nThen(function (waitFor) {
-@@ -411,7 +379,7 @@ Builder.configure({
+@@ -430,7 +394,7 @@ Builder.configure({
builder.buildExecutable('crypto/random/randombytes.c');
builder.lintFiles(function (fileName, file, callback) {
diff --git a/cjdns.spec b/cjdns.spec
index 5412a99..67661ee 100644
--- a/cjdns.spec
+++ b/cjdns.spec
@@ -4,7 +4,11 @@
# Use the optimized libnacl embedded with cjdns
%global use_embedded 0
# Use libsodium instead of nacl
-%global use_libsodium 0
+%global use_libsodium 1
+# Option to enable SUBNODE mode (WIP)
+%bcond_with subnode
+# Option to disable SECCOMP: confusing backward logic
+%bcond_without seccomp
%if 0%{use_libsodium}
%global nacl_name libsodium
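Review bot: `%bcond_with subnode` is declared here, but no hunk in this commit uses `%{with subnode}`. The `%patch12 -b .sign` line further down is applied without that condition, and nothing visible passes a SUBNODE define to the build, so `--with subnode` appears to change nothing. Either wire the option into the compiler flags or say so in the comment, e.g. `# Option to enable SUBNODE mode (WIP, not yet wired into the build)`. The rest of the spec is outside these hunks, so the option may be consumed elsewhere.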
@@ -38,8 +42,8 @@
Name: cjdns
# major version is cjdns protocol version:
-Version: 17.4
-Release: 4%{?dist}
+Version: 18
+Release: 3%{?dist}
Summary: The privacy-friendly network without borders
Group: System Environment/Base
# cjdns is all GPLv3 except libuv which is MIT and BSD and ISC
@@ -84,6 +88,8 @@ Patch9: cjdns.man.patch
Patch10: cjdns.tools.patch
# Alternate dynamic library patch to use libsodium
Patch11: cjdns.sodium.patch
+# Disable WIP subnode code when SUBNODE not enabled
+Patch12: cjdns.sign.patch
BuildRequires: nodejs, nodejs-ronn
@@ -104,6 +110,9 @@ Requires(postun): systemd
%endif
Requires(pre): shadow-utils
Provides: bundled(libuv) = 0.11.4
+%if 0%{use_embedded}
+Provides: bundled(nacl) = 20110221
+%endif
# build system requires nodejs, unfortunately
ExclusiveArch: %{nodejs_arches}
@@ -185,6 +194,7 @@ elif test -d %{_includedir}/nacl && test -r %{_libdir}/libnacl.a; then
ln -s %{_includedir}/nacl cnacl/jsbuild/include
cd -
fi
+%patch12 -b .sign
%endif
%if !0%{?rhel} || 0%{?rhel} > 6
@@ -221,7 +231,12 @@ cd contrib/selinux
ln -s /usr/share/selinux/devel/Makefile .
make
cd -
+
# nodejs based build system
+
+%if !%{with seccomp}
+export Seccomp_NO=1
+%endif
CJDNS_RELEASE_VERSION="%{name}-%{version}-%{release}" ./do
# FIXME: use system libuv on compatible systems
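Review bot: The `%if !%{with seccomp}` block exports `Seccomp_NO=1` with no comment on what a `--without seccomp` build gives up. Judging by the variable name and the bcond comment, it presumably builds cjdroute without the system-call filter that the README added in this same commit lists as part of the sandbox around the packet-parsing code. A comment on the export would keep packagers from flipping it casually, e.g. `# Seccomp_NO=1 builds cjdroute without its seccomp syscall filter (weaker sandbox)`. The README could also note that the seccomp statement holds only for default builds. The enclosing build section starts outside the hunk.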
@@ -467,6 +482,25 @@ fi
%{_bindir}/graphStats
%changelog
+* Fri Oct 14 2016 Stuart D. Gathman 18-3
+- libstdc++ not needed with libsodium
+
+* Fri Oct 14 2016 Stuart D. Gathman 18-2
+- Remove Sign.c which uses a private API and isn't needed until supernodes.
+- Use libsodium by default: seems best performance of dynamic libraries
+
+* Wed Oct 12 2016 Stuart D. Gathman 18-1
+- Update to 18 upstream release
+
+* Mon Aug 15 2016 Stuart D. Gathman 17.4-7
+- Move modprobe to cjdns-loadmodules.service
+
+* Wed Aug 10 2016 Stuart D. Gathman 17.4-6
+- Fix logic for %%bcond_without seccomp
+
+* Wed Aug 10 2016 Stuart D. Gathman 17.4-5
+- cjdns.service: add CapabilityBoundingSet
+
* Fri Jun 24 2016 Stuart D. Gathman 17.4-4
- cjdns-selinux: allow cjdroute to manipulate route table
diff --git a/sources b/sources
index 762a857..744f9ad 100644
--- a/sources
+++ b/sources
@@ -1,2 +1 @@
-efc62329874a0620a532269a53dbfc85 cjdns-v17.3.tar.gz
-e74f25941879e807086a8b70771fcf60 cjdns-v17.4.tar.gz
+9f6600d9ed0d87d4e17fbc9155ff0368 cjdns-v18.tar.gz