Merge branch 'master' into epel7
commit 538de792f0

.gitignore
@ -1,2 +1,4 @@
/cjdns-v17.3.tar.gz
/cjdns-v17.4.tar.gz
/cjdns-v18.tar.gz
/*.src.rpm
@ -38,3 +38,63 @@ can speed this up dramatically with:
systemctl enable cjdns-resume

The resume service restarts cjdns when the system wakes up from sleep.

For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart
and stop.

##Security

By default, Fedora Workstation will treat the tun device created by cjdroute as
"public", with SSH being the only incoming port allowed. There is no
additional exposure with cjdns and the default Fedora firewall. If you have
modified the firewall config beyond opening additional incoming ports, be sure
that the cjdns tun is treated as public - because anyone in the world can
attempt to connect to you through it. Sometimes, people configure their
firewall to treat all tun devices as "VPN", and therefore somewhat more
trusted. This would be a mistake with cjdns. It is a VPN, for sure, but one
anyone in the world can join.

Public keys for cjdns are based on Elliptic Curves. There is a known quantum
algorithm that could be used to crack them if quantum computers with sufficient
qubits are ever built. The solution when that happens is larger keys - which
are more cumbersome.

The Distributed Hash Table algorithm is a core component of cjdns - which is
vulnerable to a Denial of Service attack known as "Sybil". This attack can
block specific updates to the DHT - to prevent your node from joining a mesh,
for instance.

On the positive side, you can safely use telnet to cjdns IPs and the http
protocol is automatically encrypted (but you need a secure DNS or raw ip to be
sure you are talking to the right node). Many other protocols are
automatically encrypted while using cjdns. In general, connecting to a raw
cjdns IP is functionally equivalent to SSL/TLS with both client and server
authentication.

Since the cjdroute core routing code parses network packets from untrusted
sources, it is a security risk and is heavily sandboxed. It runs as the cjdns
user in a chroot jail in an empty directory, with RLIMIT_NPROC set to 1 to
disable forking. Seccomp is used to limit available system calls to only those
actually needed. Installing the cjdns-selinux package installs a targeted
selinux policy that also restricts what the privileged process can access.

##Routing security

If cjdns is not running, cjdns packets will get routed in plaintext
to your default gateway by default. An attacker could then play
man-in-the-middle. If your default gateway is running cjdns, this
could even happen accidentally.

This can be blocked by restricting ```fc00::/8``` to the interface
used by cjdroute in the firewall.

## Advanced config

You may install a network service that depends on cjdns, for instance you might
install thttpd to serve up
[nodeinfo.json](https://docs.meshwith.me/en/cjdns/nodeinfo.json.html). If
thttpd is configured to listen only on your cjdns IP, then it will not start
until cjdns is up and running. Add ```After=cjdns-wait-online.service``` to
```thttpd.service``` to hold off starting the service until cjdns has the
tunnel up and ready.

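Review bot: in the Advanced config paragraph, `After=cjdns-wait-online.service` only orders thttpd.service relative to cjdns-wait-online.service; it does not cause that unit to be started, so unless cjdns-wait-online.service is enabled on its own, thttpd will still try to bind before the tunnel exists. Suggest telling the reader to add both `Wants=cjdns-wait-online.service` and `After=cjdns-wait-online.service` to thttpd.service. Also, `##Security` and `##Routing security` have no space after the `##`, which CommonMark and GitHub markdown require for an ATX heading, whereas `## Advanced config` below has it; make the three headings consistent so the security section actually renders as a section.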
@ -1,13 +1,16 @@
diff -up ./node_build/make.js.dyn ./node_build/make.js
--- ./node_build/make.js.dyn 2016-01-27 03:07:49.000000000 -0500
+++ ./node_build/make.js 2016-04-18 16:17:04.052719207 -0400
@@ -250,41 +250,9 @@ Builder.configure({
--- ./node_build/make.js.dyn 2016-10-11 17:39:44.000000000 -0400
+++ ./node_build/make.js 2016-10-14 22:08:23.018241766 -0400
@@ -252,44 +252,9 @@ Builder.configure({

}).nThen(function (waitFor) {

- builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a');
- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/');
-
- // needed for Sign.c which pulls in crypto_int32.h
- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/');
-
- Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) {
- if (exists) { return; }
-
@ -46,7 +49,7 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js

}).nThen(function (waitFor) {

@@ -423,7 +391,7 @@ Builder.configure({
@@ -430,7 +395,7 @@ Builder.configure({
builder.buildExecutable('crypto/random/randombytes.c');

builder.lintFiles(function (fileName, file, callback) {
@ -1,6 +1,23 @@
diff -up ./contrib/systemd/cjdns-loadmodules.service.sbin ./contrib/systemd/cjdns-loadmodules.service
--- ./contrib/systemd/cjdns-loadmodules.service.sbin 2016-08-15 13:39:48.892573194 -0400
+++ ./contrib/systemd/cjdns-loadmodules.service 2016-08-15 13:47:24.336772295 -0400
@@ -0,0 +1,13 @@
+[Unit]
+Description=Load cjdns kernel modules
+# Load kernel modules needed by cjdns so that it doesn't need the privilege
+Before=cjdns.service
+# Do not try to load modules in containers like openvz
+ConditionVirtualization=!container
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/modprobe tun
+
+[Install]
+WantedBy=multi-user.target
diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.sh
--- ./contrib/systemd/cjdns-online.sh.sbin 2016-06-23 22:49:23.703114380 -0400
+++ ./contrib/systemd/cjdns-online.sh 2016-06-23 22:51:50.666731442 -0400
--- ./contrib/systemd/cjdns-online.sh.sbin 2016-08-15 13:33:11.356021398 -0400
+++ ./contrib/systemd/cjdns-online.sh 2016-08-15 13:33:11.356021398 -0400
@@ -0,0 +1,90 @@
+#!/bin/sh
+# Check whether cjdns IPs are available
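Review bot: the comment `+# Load kernel modules needed by cjdns so that it doesn't need the privilege` in cjdns-loadmodules.service trails off without naming the privilege. Loading `tun` from a separate oneshot unit is what lets cjdns.service leave CAP_SYS_MODULE (which init_module requires) out of its CapabilityBoundingSet, so say that explicitly, e.g. `# Load the tun module here so cjdns.service can run without CAP_SYS_MODULE`. Since cjdns.service pulls this unit in with `Requires=cjdns-loadmodules.service` later in this patch, the `[Install]` / `WantedBy=multi-user.target` section is redundant unless the unit is meant to be enabled on its own; either drop it or add a comment stating the intent.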
@ -94,25 +111,34 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s
+fi
diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service
--- ./contrib/systemd/cjdns.service.sbin 2016-06-14 17:58:54.000000000 -0400
+++ ./contrib/systemd/cjdns.service 2016-06-23 22:49:23.703114380 -0400
@@ -9,10 +9,11 @@ ProtectSystem=true
+++ ./contrib/systemd/cjdns.service 2016-08-15 13:56:20.198792714 -0400
@@ -1,18 +1,20 @@
[Unit]
Description=cjdns: routing engine designed for security, scalability, speed and ease of use
Wants=network.target
-After=network.target
+After=network.target cjdns-loadmodules.service
+Requires=cjdns-loadmodules.service

[Service]
ProtectHome=true
ProtectSystem=true
SyslogIdentifier=cjdroute
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL
ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \
then umask 077; \
- /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \
+ /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \
echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \
- fi"
fi"
-ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf"
+ fi; case $(wc -c /proc/modules) in \
+ 0*) ;; *) /sbin/modprobe tun;; esac"
+ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf"
Restart=always

[Install]
diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service
--- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-06-23 22:49:23.703114380 -0400
+++ ./contrib/systemd/cjdns-wait-online.service 2016-06-23 22:49:23.703114380 -0400
--- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-08-15 13:33:11.356021398 -0400
+++ ./contrib/systemd/cjdns-wait-online.service 2016-08-15 13:33:11.356021398 -0400
@@ -0,0 +1,13 @@
+[Unit]
+Description=CJDNS Wait Online
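Review bot: in the ExecStartPre line `+ /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \`, the pipe hides the exit status of `cjdroute --genconf` from `sh -e`, which only sees `cat`'s status, so a failed or partial generation still falls through to the WARNING message and on to ExecStart, which then feeds a truncated /etc/cjdroute.conf to cjdroute (and `test -s` will not regenerate it on the next start if anything at all was written). If the `| cat` is needed, add a comment saying why and generate into a temporary file that is moved into place only after `--genconf` succeeds; otherwise drop the pipe. Separately, the new `CapabilityBoundingSet=` line would benefit from a comment explaining why a routing daemon needs CAP_AUDIT_CONTROL, so that the set can be audited when capabilities are next reviewed.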
@ -129,7 +155,7 @@ diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdn
+WantedBy=multi-user.target
diff -up ./contrib/upstart/cjdns.conf.sbin ./contrib/upstart/cjdns.conf
--- ./contrib/upstart/cjdns.conf.sbin 2016-06-14 17:58:54.000000000 -0400
+++ ./contrib/upstart/cjdns.conf 2016-06-23 22:49:23.703114380 -0400
+++ ./contrib/upstart/cjdns.conf 2016-08-15 13:33:11.356021398 -0400
@@ -13,10 +13,16 @@ pre-start script
if ! [ -s /etc/cjdroute.conf ]; then
( # start a subshell to avoid side effects of umask later on

cjdns.sign.patch (new file)
@ -0,0 +1,36 @@
diff -up ./crypto/Sign.c.sign ./crypto/Sign.c
--- ./crypto/Sign.c.sign 2016-10-11 17:39:44.000000000 -0400
+++ ./crypto/Sign.c 2016-10-14 20:59:49.143754098 -0400
@@ -13,6 +13,7 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

+#ifdef SUBNODE
#include "crypto/Sign.h"

#include "node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge.h"
@@ -110,3 +111,6 @@ int Sign_publicSigningKeyToCurve25519(ui

return 0;
}
+#else
+#pragma GCC diagnostic ignored "-Wpedantic"
+#endif // SUBNODE
diff -up ./crypto/test/Sign_test.c.sign ./crypto/test/Sign_test.c
--- ./crypto/test/Sign_test.c.sign 2016-10-11 17:39:44.000000000 -0400
+++ ./crypto/test/Sign_test.c 2016-10-14 20:57:28.737064976 -0400
@@ -23,6 +23,7 @@

int main()
{
+#ifdef SUBNODE
struct Allocator* alloc = MallocAllocator_new(1048576);
struct Log* logger = FileWriterLog_new(stdout, alloc);
struct Random* rand = Random_new(alloc, logger, NULL);
@@ -42,5 +43,6 @@ int main()
Assert_true(!Sign_verifyMsg(&signingKeyPair[32], msg));
Assert_true(!Sign_publicSigningKeyToCurve25519(curve25519publicB, &signingKeyPair[32]));
Assert_true(!Bits_memcmp(curve25519publicB, curve25519public, 32));
+#endif // SUBNODE
return 0;
}
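Review bot: wrapping the whole body of `int main()` in crypto/test/Sign_test.c in `#ifdef SUBNODE` turns the test into an unconditional `return 0` when SUBNODE is off, so the build reports a passing Sign test that exercised nothing; prefer excluding Sign_test.c (and Sign.c) from the build in make.js when SUBNODE is not set, or at least print a "skipped" line so the vacuous pass is visible in the test output. In Sign.c the `+#else` / `+#pragma GCC diagnostic ignored "-Wpedantic"` branch carries no comment saying which warning it works around; if it is the pedantic complaint about an otherwise empty translation unit, say so, so the pragma is neither cargo-culted nor removed as dead code later.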
@ -1,13 +1,16 @@
diff -up ./node_build/make.js.dyn ./node_build/make.js
--- ./node_build/make.js.dyn 2015-11-02 17:59:41.000000000 -0500
+++ ./node_build/make.js 2015-11-04 19:57:49.961155943 -0500
@@ -238,41 +238,9 @@ Builder.configure({
diff -up ./node_build/make.js.sodium ./node_build/make.js
--- ./node_build/make.js.sodium 2016-10-11 17:39:44.000000000 -0400
+++ ./node_build/make.js 2016-10-14 22:23:23.711086438 -0400
@@ -252,44 +252,8 @@ Builder.configure({

}).nThen(function (waitFor) {

- builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a');
- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/');
-
- // needed for Sign.c which pulls in crypto_int32.h
- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/');
-
- Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) {
- if (exists) { return; }
-
@ -41,12 +44,11 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js
- }));
- }));
+ builder.config.libs.push('-lsodium');
+ builder.config.libs.push('-lstdc++');
+ builder.config.includeDirs.push('/usr/include/sodium/');

}).nThen(function (waitFor) {

@@ -411,7 +379,7 @@ Builder.configure({
@@ -430,7 +394,7 @@ Builder.configure({
builder.buildExecutable('crypto/random/randombytes.c');

builder.lintFiles(function (fileName, file, callback) {

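Review bot: `+ builder.config.includeDirs.push('/usr/include/sodium/');` and `+ builder.config.libs.push('-lsodium');` hardcode where libsodium lives instead of asking pkg-config (`pkg-config --cflags --libs libsodium`), so the build picks up whatever is under /usr/include/sodium/ and breaks on any other prefix or a multilib layout; since make.js already runs arbitrary JavaScript, the flags could come from a child_process call to pkg-config, or at least be passed in from the spec's %{_includedir}. A one-line comment that putting /usr/include/sodium/ itself on the include path is what makes the NaCl-style `crypto_*.h` includes (previously served from cnacl/jsbuild/include/) resolve to libsodium's headers would also save the next reader a trip through the removed lines.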
cjdns.spec
@ -4,7 +4,11 @@
# Use the optimized libnacl embedded with cjdns
%global use_embedded 0
# Use libsodium instead of nacl
%global use_libsodium 0
%global use_libsodium 1
# Option to enable SUBNODE mode (WIP)
%bcond_with subnode
# Option to disable SECCOMP: confusing backward logic
%bcond_without seccomp

%if 0%{use_libsodium}
%global nacl_name libsodium
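Review bot: the comment `# Option to disable SECCOMP: confusing backward logic` records the author's confusion rather than the behaviour. `%bcond_without seccomp` means the seccomp sandbox is built in by default and `rpmbuild --without seccomp` turns it off, so state that directly, e.g. `# seccomp sandbox is on by default; rebuild with --without seccomp to disable it`, and give `%bcond_with subnode` the same treatment (`--with subnode` enables the WIP code, off by default). Given the README's claim that "Seccomp is used to limit available system calls", a builder who flips this option should see from the comment exactly what protection they are dropping.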
@ -38,8 +42,8 @@

Name: cjdns
# major version is cjdns protocol version:
Version: 17.4
Release: 4%{?dist}
Version: 18
Release: 3%{?dist}
Summary: The privacy-friendly network without borders
Group: System Environment/Base
# cjdns is all GPLv3 except libuv which is MIT and BSD and ISC
@ -84,6 +88,8 @@ Patch9: cjdns.man.patch
Patch10: cjdns.tools.patch
# Alternate dynamic library patch to use libsodium
Patch11: cjdns.sodium.patch
# Disable WIP subnode code when SUBNODE not enabled
Patch12: cjdns.sign.patch

BuildRequires: nodejs, nodejs-ronn

@ -104,6 +110,9 @@ Requires(postun): systemd
%endif
Requires(pre): shadow-utils
Provides: bundled(libuv) = 0.11.4
%if 0%{use_embedded}
Provides: bundled(nacl) = 20110221
%endif
# build system requires nodejs, unfortunately
ExclusiveArch: %{nodejs_arches}

@ -185,6 +194,7 @@ elif test -d %{_includedir}/nacl && test -r %{_libdir}/libnacl.a; then
ln -s %{_includedir}/nacl cnacl/jsbuild/include
cd -
fi
%patch12 -b .sign
%endif

%if !0%{?rhel} || 0%{?rhel} > 6
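Review bot: `%patch12 -b .sign` is placed immediately before an `%endif` whose opening `%if` is outside this hunk, so a reader cannot tell which build option gates the patch. Since cjdns.sign.patch is itself guarded with `#ifdef SUBNODE` and is a no-op when the macro is defined, it could be applied unconditionally outside the `%if`; if it must stay conditional, add a comment naming the condition.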
@ -221,7 +231,12 @@ cd contrib/selinux
ln -s /usr/share/selinux/devel/Makefile .
make
cd -

# nodejs based build system

%if !%{with seccomp}
export Seccomp_NO=1
%endif
CJDNS_RELEASE_VERSION="%{name}-%{version}-%{release}" ./do

# FIXME: use system libuv on compatible systems
@ -467,6 +482,25 @@ fi
%{_bindir}/graphStats

%changelog
* Fri Oct 14 2016 Stuart D. Gathman <stuart@gathman.org> 18-3
- libstdc++ not needed with libsodium

* Fri Oct 14 2016 Stuart D. Gathman <stuart@gathman.org> 18-2
- Remove Sign.c which uses a private API and isn't needed until supernodes.
- Use libsodium by default: seems best performance of dynamic libraries

* Wed Oct 12 2016 Stuart D. Gathman <stuart@gathman.org> 18-1
- Update to 18 upstream release

* Mon Aug 15 2016 Stuart D. Gathman <stuart@gathman.org> 17.4-7
- Move modprobe to cjdns-loadmodules.service

* Wed Aug 10 2016 Stuart D. Gathman <stuart@gathman.org> 17.4-6
- Fix logic for %%bcond_without seccomp

* Wed Aug 10 2016 Stuart D. Gathman <stuart@gathman.org> 17.4-5
- cjdns.service: add CapabilityBoundingSet

* Fri Jun 24 2016 Stuart D. Gathman <stuart@gathman.org> 17.4-4
- cjdns-selinux: allow cjdroute to manipulate route table

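Review bot: the 18-2 entry `- Remove Sign.c which uses a private API and isn't needed until supernodes.` does not describe what cjdns.sign.patch does: Sign.c and Sign_test.c stay in the tree and are compiled out with `#ifdef SUBNODE`, and the Patch12 comment in the spec itself says `Disable WIP subnode code when SUBNODE not enabled`. Reword the changelog line to "Compile out Sign.c ..." so the package history matches the mechanism someone will find when they grep for it.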