From 5c006007be3ccc10fe0e6fd6c87d7a02cff47868 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Fri, 5 Aug 2016 17:34:50 -0400 Subject: [PATCH 01/16] Add option to omit SECCOMP --- cjdns.spec | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index 5412a99..94a93dc 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -5,6 +5,8 @@ %global use_embedded 0 # Use libsodium instead of nacl %global use_libsodium 0 +# Use SECCOMP +%bcond_without seccomp %if 0%{use_libsodium} %global nacl_name libsodium @@ -39,7 +41,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 17.4 -Release: 4%{?dist} +Release: 5%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -221,6 +223,11 @@ cd contrib/selinux ln -s /usr/share/selinux/devel/Makefile . make cd - + +%if !0%{?seccomp} +export Seccomp_NO=1 +%endif + # nodejs based build system CJDNS_RELEASE_VERSION="%{name}-%{version}-%{release}" ./do From 35161c4efe32c2f4701fbb3bc6749a54898cb51c Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Fri, 5 Aug 2016 17:38:19 -0400 Subject: [PATCH 02/16] Add CapabilityBoundingSet to systemd service. --- cjdns.sbin.patch | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/cjdns.sbin.patch b/cjdns.sbin.patch index fecb18c..04cc506 100644 --- a/cjdns.sbin.patch +++ b/cjdns.sbin.patch @@ -1,6 +1,6 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.sh ---- ./contrib/systemd/cjdns-online.sh.sbin 2016-06-23 22:49:23.703114380 -0400 -+++ ./contrib/systemd/cjdns-online.sh 2016-06-23 22:51:50.666731442 -0400 +--- ./contrib/systemd/cjdns-online.sh.sbin 2016-08-05 17:32:04.937119714 -0400 ++++ ./contrib/systemd/cjdns-online.sh 2016-08-05 17:32:04.937119714 -0400 @@ -0,0 +1,90 @@ +#!/bin/sh +# Check whether cjdns IPs are available @@ -94,9 +94,12 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s +fi diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service --- ./contrib/systemd/cjdns.service.sbin 2016-06-14 17:58:54.000000000 -0400 -+++ ./contrib/systemd/cjdns.service 2016-06-23 22:49:23.703114380 -0400 -@@ -9,10 +9,11 @@ ProtectSystem=true ++++ ./contrib/systemd/cjdns.service 2016-08-05 17:33:09.595862599 -0400 +@@ -7,12 +7,14 @@ After=network.target + ProtectHome=true + ProtectSystem=true SyslogIdentifier=cjdroute ++CapabilityBoundingSet=CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \ then umask 077; \ - /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \ @@ -111,8 +114,8 @@ diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service [Install] diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service ---- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-06-23 22:49:23.703114380 -0400 -+++ ./contrib/systemd/cjdns-wait-online.service 2016-06-23 22:49:23.703114380 -0400 +--- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-08-05 17:32:04.937119714 -0400 ++++ ./contrib/systemd/cjdns-wait-online.service 2016-08-05 17:32:04.937119714 -0400 @@ -0,0 +1,13 @@ +[Unit] +Description=CJDNS Wait Online @@ -129,7 +132,7 @@ diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdn +WantedBy=multi-user.target diff -up ./contrib/upstart/cjdns.conf.sbin ./contrib/upstart/cjdns.conf --- ./contrib/upstart/cjdns.conf.sbin 2016-06-14 17:58:54.000000000 -0400 -+++ ./contrib/upstart/cjdns.conf 2016-06-23 22:49:23.703114380 -0400 ++++ ./contrib/upstart/cjdns.conf 2016-08-05 17:32:04.938119725 -0400 @@ -13,10 +13,16 @@ pre-start script if ! [ -s /etc/cjdroute.conf ]; then ( # start a subshell to avoid side effects of umask later on From b56859af024192c6db1bb94c3cd302b4cfbb15d5 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 10 Aug 2016 13:57:02 -0400 Subject: [PATCH 03/16] Reduce capability set after some testing. --- cjdns.sbin.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cjdns.sbin.patch b/cjdns.sbin.patch index 04cc506..21ed3dd 100644 --- a/cjdns.sbin.patch +++ b/cjdns.sbin.patch @@ -99,7 +99,7 @@ diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service ProtectHome=true ProtectSystem=true SyslogIdentifier=cjdroute -+CapabilityBoundingSet=CAP_SETPCAP CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL ++CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \ then umask 077; \ - /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \ From d560b413c9974b30ed456848c7bddb1cd41941ea Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 10 Aug 2016 14:12:45 -0400 Subject: [PATCH 04/16] Release 17.4-5 --- cjdns.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cjdns.spec b/cjdns.spec index 94a93dc..8f88448 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -474,6 +474,9 @@ fi %{_bindir}/graphStats %changelog +* Fri Jun 24 2016 Stuart D. Gathman 17.4-5 +- cjdns.service: add CapabilityBoundingSet + * Fri Jun 24 2016 Stuart D. Gathman 17.4-4 - cjdns-selinux: allow cjdroute to manipulate route table From 54bf0cf4da56ca355047a23035b10ae7220674f7 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 10 Aug 2016 14:49:33 -0400 Subject: [PATCH 05/16] Fix backward seccomp logic --- cjdns.spec | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/cjdns.spec b/cjdns.spec index 8f88448..9f218e0 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -5,7 +5,7 @@ %global use_embedded 0 # Use libsodium instead of nacl %global use_libsodium 0 -# Use SECCOMP +# Option to disable SECCOMP: confusing backward logic %bcond_without seccomp %if 0%{use_libsodium} @@ -224,11 +224,8 @@ ln -s /usr/share/selinux/devel/Makefile . make cd - -%if !0%{?seccomp} -export Seccomp_NO=1 -%endif - # nodejs based build system +export Seccomp_NO=0%{?seccomp} CJDNS_RELEASE_VERSION="%{name}-%{version}-%{release}" ./do # FIXME: use system libuv on compatible systems From d5c793174d27cd8ffe3cde127dd4087903d3796a Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 10 Aug 2016 14:57:30 -0400 Subject: [PATCH 06/16] Fix still backward bcond_without logic --- cjdns.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index 9f218e0..338e135 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -225,7 +225,10 @@ make cd - # nodejs based build system -export Seccomp_NO=0%{?seccomp} + +%if 0%{?seccomp} +export Seccomp_NO=1 +%endif CJDNS_RELEASE_VERSION="%{name}-%{version}-%{release}" ./do # FIXME: use system libuv on compatible systems From 2eea56b815ec96ddc6af61148484304194b8edf0 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 10 Aug 2016 15:18:22 -0400 Subject: [PATCH 07/16] Now I really have the %bcond_without logic correct... --- cjdns.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index 338e135..a3da0b4 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -226,7 +226,7 @@ cd - # nodejs based build system -%if 0%{?seccomp} +%if !%{with seccomp} export Seccomp_NO=1 %endif CJDNS_RELEASE_VERSION="%{name}-%{version}-%{release}" ./do From 9b87ddf22f02e5871cb77421c6ff2e36ef32ca24 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 10 Aug 2016 15:22:27 -0400 Subject: [PATCH 08/16] release 17.4-6 --- cjdns.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/cjdns.spec b/cjdns.spec index a3da0b4..3d0f42d 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -41,7 +41,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 17.4 -Release: 5%{?dist} +Release: 6%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -474,7 +474,10 @@ fi %{_bindir}/graphStats %changelog -* Fri Jun 24 2016 Stuart D. Gathman 17.4-5 +* Wed Aug 10 2016 Stuart D. Gathman 17.4-6 +- Fix logic for %bcond_without seccomp + +* Wed Aug 10 2016 Stuart D. Gathman 17.4-5 - cjdns.service: add CapabilityBoundingSet * Fri Jun 24 2016 Stuart D. Gathman 17.4-4 From 9290198c19ec688598f4ffa5df9f6c07bf5fc3af Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 10 Aug 2016 16:55:37 -0400 Subject: [PATCH 09/16] Escape % in log message --- cjdns.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index 3d0f42d..520cd25 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -475,7 +475,7 @@ fi %changelog * Wed Aug 10 2016 Stuart D. Gathman 17.4-6 -- Fix logic for %bcond_without seccomp +- Fix logic for %%bcond_without seccomp * Wed Aug 10 2016 Stuart D. Gathman 17.4-5 - cjdns.service: add CapabilityBoundingSet From 34c8c5425f01c288afa62a4f20fdde62f3664a3a Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Mon, 15 Aug 2016 14:08:23 -0400 Subject: [PATCH 10/16] Move modprobe to cjdns-loadmodules.service to avoid adding CAP_SYS_MODULE. --- cjdns.sbin.patch | 43 +++++++++++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 10 deletions(-) diff --git a/cjdns.sbin.patch b/cjdns.sbin.patch index 21ed3dd..f628a1c 100644 --- a/cjdns.sbin.patch +++ b/cjdns.sbin.patch @@ -1,6 +1,23 @@ +diff -up ./contrib/systemd/cjdns-loadmodules.service.sbin ./contrib/systemd/cjdns-loadmodules.service +--- ./contrib/systemd/cjdns-loadmodules.service.sbin 2016-08-15 13:39:48.892573194 -0400 ++++ ./contrib/systemd/cjdns-loadmodules.service 2016-08-15 13:47:24.336772295 -0400 +@@ -0,0 +1,13 @@ ++[Unit] ++Description=Load cjdns kernel modules ++# Load kernel modules needed by cjdns so that it doesn't need the privilege ++Before=cjdns.service ++# Do not try to load modules in containers like openvz ++ConditionVirtualization=!container ++ ++[Service] ++Type=oneshot ++ExecStart=/usr/sbin/modprobe tun ++ ++[Install] ++WantedBy=multi-user.target diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.sh ---- ./contrib/systemd/cjdns-online.sh.sbin 2016-08-05 17:32:04.937119714 -0400 -+++ ./contrib/systemd/cjdns-online.sh 2016-08-05 17:32:04.937119714 -0400 +--- ./contrib/systemd/cjdns-online.sh.sbin 2016-08-15 13:33:11.356021398 -0400 ++++ ./contrib/systemd/cjdns-online.sh 2016-08-15 13:33:11.356021398 -0400 @@ -0,0 +1,90 @@ +#!/bin/sh +# Check whether cjdns IPs are available @@ -94,8 +111,16 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s +fi diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service --- ./contrib/systemd/cjdns.service.sbin 2016-06-14 17:58:54.000000000 -0400 -+++ ./contrib/systemd/cjdns.service 2016-08-05 17:33:09.595862599 -0400 -@@ -7,12 +7,14 @@ After=network.target ++++ ./contrib/systemd/cjdns.service 2016-08-15 13:56:20.198792714 -0400 +@@ -1,18 +1,20 @@ + [Unit] + Description=cjdns: routing engine designed for security, scalability, speed and ease of use + Wants=network.target +-After=network.target ++After=network.target cjdns-loadmodules.service ++Requires=cjdns-loadmodules.service + + [Service] ProtectHome=true ProtectSystem=true SyslogIdentifier=cjdroute @@ -105,17 +130,15 @@ diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service - /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \ + /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \ echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \ -- fi" + fi" -ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf" -+ fi; case $(wc -c /proc/modules) in \ -+ 0*) ;; *) /sbin/modprobe tun;; esac" +ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf" Restart=always [Install] diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service ---- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-08-05 17:32:04.937119714 -0400 -+++ ./contrib/systemd/cjdns-wait-online.service 2016-08-05 17:32:04.937119714 -0400 +--- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-08-15 13:33:11.356021398 -0400 ++++ ./contrib/systemd/cjdns-wait-online.service 2016-08-15 13:33:11.356021398 -0400 @@ -0,0 +1,13 @@ +[Unit] +Description=CJDNS Wait Online @@ -132,7 +155,7 @@ diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdn +WantedBy=multi-user.target diff -up ./contrib/upstart/cjdns.conf.sbin ./contrib/upstart/cjdns.conf --- ./contrib/upstart/cjdns.conf.sbin 2016-06-14 17:58:54.000000000 -0400 -+++ ./contrib/upstart/cjdns.conf 2016-08-05 17:32:04.938119725 -0400 ++++ ./contrib/upstart/cjdns.conf 2016-08-15 13:33:11.356021398 -0400 @@ -13,10 +13,16 @@ pre-start script if ! [ -s /etc/cjdroute.conf ]; then ( # start a subshell to avoid side effects of umask later on From e38adcc4071135daf036acfef80e329f5d8a6a52 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Mon, 15 Aug 2016 14:13:40 -0400 Subject: [PATCH 11/16] Release 17.4-7 --- cjdns.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index 520cd25..8570799 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -41,7 +41,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 17.4 -Release: 6%{?dist} +Release: 7%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -474,6 +474,9 @@ fi %{_bindir}/graphStats %changelog +* Mon Aug 15 2016 Stuart D. Gathman 17.4-7 +- Move modprobe to cjdns-loadmodules.service + * Wed Aug 10 2016 Stuart D. Gathman 17.4-6 - Fix logic for %%bcond_without seccomp From dcdbe474e79192da5c47f81a6c1d2b5006748cd8 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 12 Oct 2016 16:36:47 -0400 Subject: [PATCH 12/16] New version --- .gitignore | 2 ++ cjdns.README_Fedora.md | 60 ++++++++++++++++++++++++++++++++++++++++++ cjdns.sodium.patch | 13 +++++---- cjdns.spec | 12 ++++++--- sources | 3 +-- 5 files changed, 80 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index 697fa3e..c192c5f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ /cjdns-v17.3.tar.gz /cjdns-v17.4.tar.gz +/cjdns-v18.tar.gz +/*.src.rpm diff --git a/cjdns.README_Fedora.md b/cjdns.README_Fedora.md index 9fb864f..8fa2b55 100644 --- a/cjdns.README_Fedora.md +++ b/cjdns.README_Fedora.md @@ -38,3 +38,63 @@ can speed this up dramatically with: systemctl enable cjdns-resume The resume service restarts cjdns when the system wakes up from sleep. + +For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart +and stop. + +##Security + +By default, Fedora Workstation will treat the tun device created by cjdroute as +"public", with SSH being the only incoming port allowed. There is no +additional exposure with cjdns and the default Fedora firewall. If you have +modified the firewall config beyond opening additional incoming ports, be sure +that the cjdns tun is treated as public - because anyone in the world can +attempt to connect to you through it. Sometimes, people configure their +firewall to treat all tun devices as "VPN", and therefore somewhat more +trusted. This would be a mistake with cjdns. It is a VPN, for sure, but one +anyone in the world can join. + +Public keys for cjdns are based on Elliptic Curves. There is a known quantum +algorithm that could be used to crack them if quantum computers with sufficient +qubits are ever built. The solution when that happens is larger keys - which +are more cumbersome. + +The Distributed Hash Table algorithm is a core component of cjdns - which is +vulnerable to a Denial of Service attack known as "Sybil". This attack can +block specific updates to the DHT - to prevent your node from joining a mesh, +for instance. + +On the positive side, you can safely use telnet to cjdns IPs and the http +protocol is automatically encrypted (but you need a secure DNS or raw ip to be +sure you are talking to the right node). Many other protocols are +automatically encrypted while using cjdns. In general, connecting to a raw +cjdns IP is functionally equivalent to SSL/TLS with both client and server +authentication. + +Since the cjdroute core routing code parses network packets from untrusted +sources, it is a security risk and is heavily sandboxed. It runs as the cjdns +user in a chroot jail in an empty directory, with RLIMIT_NPROC set to 1 to +disable forking. Seccomp is used to limit available system calls to only those +actually needed. Installing the cjdns-selinux package installs a targeted +selinux policy that also restricts what the privileged process can access. + +##Routing security + +If cjdns is not running, cjdns packets will get routed in plaintext +to your default gateway by default. An attacker could then play +man-in-the-middle. If your default gateway is running cjdns, this +could even happen accidentally. + +This can be blocked by restricting ```fc00::/8``` to the interface +used by cjdroute in the firewall. + +## Advanced config + +You may install a network service that depends on cjdns, for instance you might +install thttpd to serve up +[nodeinfo.json](https://docs.meshwith.me/en/cjdns/nodeinfo.json.html). If +thttpd is configured to listen only on your cjdns IP, then it will not start +until cjdns is up and running. Add ```After=cjdns-wait-online.service``` to +```thttpd.service``` to hold off starting the service until cjdns has the +tunnel up and ready. + diff --git a/cjdns.sodium.patch b/cjdns.sodium.patch index 19e0c16..f166608 100644 --- a/cjdns.sodium.patch +++ b/cjdns.sodium.patch @@ -1,13 +1,16 @@ -diff -up ./node_build/make.js.dyn ./node_build/make.js ---- ./node_build/make.js.dyn 2015-11-02 17:59:41.000000000 -0500 -+++ ./node_build/make.js 2015-11-04 19:57:49.961155943 -0500 -@@ -238,41 +238,9 @@ Builder.configure({ +diff -up ./node_build/make.js.sodium ./node_build/make.js +--- ./node_build/make.js.sodium 2016-10-11 17:39:44.000000000 -0400 ++++ ./node_build/make.js 2016-10-12 14:03:53.289124583 -0400 +@@ -252,44 +252,9 @@ Builder.configure({ }).nThen(function (waitFor) { - builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a'); - builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/'); - +- // needed for Sign.c which pulls in crypto_int32.h +- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/'); +- - Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) { - if (exists) { return; } - @@ -46,7 +49,7 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js }).nThen(function (waitFor) { -@@ -411,7 +379,7 @@ Builder.configure({ +@@ -430,7 +395,7 @@ Builder.configure({ builder.buildExecutable('crypto/random/randombytes.c'); builder.lintFiles(function (fileName, file, callback) { diff --git a/cjdns.spec b/cjdns.spec index 8570799..9968f4d 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -2,7 +2,7 @@ # Fedora review: http://bugzilla.redhat.com/1268716 # Use the optimized libnacl embedded with cjdns -%global use_embedded 0 +%global use_embedded 1 # Use libsodium instead of nacl %global use_libsodium 0 # Option to disable SECCOMP: confusing backward logic @@ -40,8 +40,8 @@ Name: cjdns # major version is cjdns protocol version: -Version: 17.4 -Release: 7%{?dist} +Version: 18 +Release: 1%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -106,6 +106,9 @@ Requires(postun): systemd %endif Requires(pre): shadow-utils Provides: bundled(libuv) = 0.11.4 +%if 0%{use_embedded} +Provides: bundled(nacl) = 20110221 +%endif # build system requires nodejs, unfortunately ExclusiveArch: %{nodejs_arches} @@ -474,6 +477,9 @@ fi %{_bindir}/graphStats %changelog +* Wed Oct 12 2016 Stuart D. Gathman 18-1 +- Update to 18 upstream release + * Mon Aug 15 2016 Stuart D. Gathman 17.4-7 - Move modprobe to cjdns-loadmodules.service diff --git a/sources b/sources index 762a857..744f9ad 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -efc62329874a0620a532269a53dbfc85 cjdns-v17.3.tar.gz -e74f25941879e807086a8b70771fcf60 cjdns-v17.4.tar.gz +9f6600d9ed0d87d4e17fbc9155ff0368 cjdns-v18.tar.gz From f95a3a159f373b00efaae1aafeca8bc46533901a Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Fri, 14 Oct 2016 21:07:40 -0400 Subject: [PATCH 13/16] Disable SUBNODE code when not used. Use libsodium by default. --- cjdns.sign.patch | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 cjdns.sign.patch diff --git a/cjdns.sign.patch b/cjdns.sign.patch new file mode 100644 index 0000000..971f239 --- /dev/null +++ b/cjdns.sign.patch @@ -0,0 +1,36 @@ +diff -up ./crypto/Sign.c.sign ./crypto/Sign.c +--- ./crypto/Sign.c.sign 2016-10-13 21:41:54.994262245 -0400 ++++ ./crypto/Sign.c 2016-10-14 20:51:33.395789629 -0400 +@@ -13,6 +13,7 @@ + * along with this program. If not, see . + */ + ++#ifdef SUBNODE + #include "crypto/Sign.h" + + //#include "node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge.h" +@@ -110,3 +111,6 @@ int Sign_publicSigningKeyToCurve25519(ui + + return 0; + } ++#else ++#pragma GCC diagnostic ignored "-Wpedantic" ++#endif // SUBNODE +diff -up ./crypto/test/Sign_test.c.sign ./crypto/test/Sign_test.c +--- ./crypto/test/Sign_test.c.sign 2016-10-14 20:29:19.334704236 -0400 ++++ ./crypto/test/Sign_test.c 2016-10-14 20:52:31.415488510 -0400 +@@ -23,6 +23,7 @@ + + int main() + { ++#ifdef SUBNODE + struct Allocator* alloc = MallocAllocator_new(1048576); + struct Log* logger = FileWriterLog_new(stdout, alloc); + struct Random* rand = Random_new(alloc, logger, NULL); +@@ -42,5 +43,6 @@ int main() + Assert_true(!Sign_verifyMsg(&signingKeyPair[32], msg)); + Assert_true(!Sign_publicSigningKeyToCurve25519(curve25519publicB, &signingKeyPair[32])); + Assert_true(!Bits_memcmp(curve25519publicB, curve25519public, 32)); ++#endif // SUBNODE + return 0; + } From 51ae82757db8542d25014314832d73524a231030 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Fri, 14 Oct 2016 21:09:34 -0400 Subject: [PATCH 14/16] Disable SUBNODE code when unused. Use libsodium by default when not using bundled nacl. --- cjdns.sign.patch | 12 ++++++------ cjdns.spec | 15 ++++++++++++--- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/cjdns.sign.patch b/cjdns.sign.patch index 971f239..3b36ea4 100644 --- a/cjdns.sign.patch +++ b/cjdns.sign.patch @@ -1,6 +1,6 @@ diff -up ./crypto/Sign.c.sign ./crypto/Sign.c ---- ./crypto/Sign.c.sign 2016-10-13 21:41:54.994262245 -0400 -+++ ./crypto/Sign.c 2016-10-14 20:51:33.395789629 -0400 +--- ./crypto/Sign.c.sign 2016-10-11 17:39:44.000000000 -0400 ++++ ./crypto/Sign.c 2016-10-14 20:59:49.143754098 -0400 @@ -13,6 +13,7 @@ * along with this program. If not, see . */ @@ -8,17 +8,17 @@ diff -up ./crypto/Sign.c.sign ./crypto/Sign.c +#ifdef SUBNODE #include "crypto/Sign.h" - //#include "node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge.h" + #include "node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge.h" @@ -110,3 +111,6 @@ int Sign_publicSigningKeyToCurve25519(ui return 0; } +#else +#pragma GCC diagnostic ignored "-Wpedantic" -+#endif // SUBNODE ++#endif // SUBNODE diff -up ./crypto/test/Sign_test.c.sign ./crypto/test/Sign_test.c ---- ./crypto/test/Sign_test.c.sign 2016-10-14 20:29:19.334704236 -0400 -+++ ./crypto/test/Sign_test.c 2016-10-14 20:52:31.415488510 -0400 +--- ./crypto/test/Sign_test.c.sign 2016-10-11 17:39:44.000000000 -0400 ++++ ./crypto/test/Sign_test.c 2016-10-14 20:57:28.737064976 -0400 @@ -23,6 +23,7 @@ int main() diff --git a/cjdns.spec b/cjdns.spec index 9968f4d..05986b3 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -2,9 +2,11 @@ # Fedora review: http://bugzilla.redhat.com/1268716 # Use the optimized libnacl embedded with cjdns -%global use_embedded 1 +%global use_embedded 0 # Use libsodium instead of nacl -%global use_libsodium 0 +%global use_libsodium 1 +# Option to enable SUBNODE mode (WIP) +%bcond_with subnode # Option to disable SECCOMP: confusing backward logic %bcond_without seccomp @@ -41,7 +43,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 18 -Release: 1%{?dist} +Release: 2%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -86,6 +88,8 @@ Patch9: cjdns.man.patch Patch10: cjdns.tools.patch # Alternate dynamic library patch to use libsodium Patch11: cjdns.sodium.patch +# Disable WIP subnode code when SUBNODE not enabled +Patch12: cjdns.sign.patch BuildRequires: nodejs, nodejs-ronn @@ -190,6 +194,7 @@ elif test -d %{_includedir}/nacl && test -r %{_libdir}/libnacl.a; then ln -s %{_includedir}/nacl cnacl/jsbuild/include cd - fi +%patch12 -b .sign %endif %if !0%{?rhel} || 0%{?rhel} > 6 @@ -477,6 +482,10 @@ fi %{_bindir}/graphStats %changelog +* Fri Oct 14 2016 Stuart D. Gathman 18-2 +- Remove Sign.c which uses a private API and isn't needed until supernodes. +- Use libsodium by default: seems best performance of dynamic libraries + * Wed Oct 12 2016 Stuart D. Gathman 18-1 - Update to 18 upstream release From 4f4b22e0b1062e92f8489b7d8262757eded20332 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Fri, 14 Oct 2016 22:25:36 -0400 Subject: [PATCH 15/16] libstdc++ not needed for libsodium --- cjdns.dyn.patch | 11 +++++++---- cjdns.sodium.patch | 7 +++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/cjdns.dyn.patch b/cjdns.dyn.patch index dc5062d..9dc22e0 100644 --- a/cjdns.dyn.patch +++ b/cjdns.dyn.patch @@ -1,13 +1,16 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js ---- ./node_build/make.js.dyn 2016-01-27 03:07:49.000000000 -0500 -+++ ./node_build/make.js 2016-04-18 16:17:04.052719207 -0400 -@@ -250,41 +250,9 @@ Builder.configure({ +--- ./node_build/make.js.dyn 2016-10-11 17:39:44.000000000 -0400 ++++ ./node_build/make.js 2016-10-14 22:08:23.018241766 -0400 +@@ -252,44 +252,9 @@ Builder.configure({ }).nThen(function (waitFor) { - builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a'); - builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/'); - +- // needed for Sign.c which pulls in crypto_int32.h +- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/'); +- - Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) { - if (exists) { return; } - @@ -46,7 +49,7 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js }).nThen(function (waitFor) { -@@ -423,7 +391,7 @@ Builder.configure({ +@@ -430,7 +395,7 @@ Builder.configure({ builder.buildExecutable('crypto/random/randombytes.c'); builder.lintFiles(function (fileName, file, callback) { diff --git a/cjdns.sodium.patch b/cjdns.sodium.patch index f166608..7c637a8 100644 --- a/cjdns.sodium.patch +++ b/cjdns.sodium.patch @@ -1,7 +1,7 @@ diff -up ./node_build/make.js.sodium ./node_build/make.js --- ./node_build/make.js.sodium 2016-10-11 17:39:44.000000000 -0400 -+++ ./node_build/make.js 2016-10-12 14:03:53.289124583 -0400 -@@ -252,44 +252,9 @@ Builder.configure({ ++++ ./node_build/make.js 2016-10-14 22:23:23.711086438 -0400 +@@ -252,44 +252,8 @@ Builder.configure({ }).nThen(function (waitFor) { @@ -44,12 +44,11 @@ diff -up ./node_build/make.js.sodium ./node_build/make.js - })); - })); + builder.config.libs.push('-lsodium'); -+ builder.config.libs.push('-lstdc++'); + builder.config.includeDirs.push('/usr/include/sodium/'); }).nThen(function (waitFor) { -@@ -430,7 +395,7 @@ Builder.configure({ +@@ -430,7 +394,7 @@ Builder.configure({ builder.buildExecutable('crypto/random/randombytes.c'); builder.lintFiles(function (fileName, file, callback) { From 25a04412bc5e78a8f64e88d6d98fc3eb8b83bab6 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Fri, 14 Oct 2016 22:28:02 -0400 Subject: [PATCH 16/16] Fix dyn nacl and sodium patches --- cjdns.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index 05986b3..67661ee 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -43,7 +43,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 18 -Release: 2%{?dist} +Release: 3%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -482,6 +482,9 @@ fi %{_bindir}/graphStats %changelog +* Fri Oct 14 2016 Stuart D. Gathman 18-3 +- libstdc++ not needed with libsodium + * Fri Oct 14 2016 Stuart D. Gathman 18-2 - Remove Sign.c which uses a private API and isn't needed until supernodes. - Use libsodium by default: seems best performance of dynamic libraries