Merge branch 'master' into epel7

2018-02-21 19:24:48 -05:00 · 2018-02-21 19:24:48 -05:00 · 72ae666bb9
commit 72ae666bb9
parent 164090c6cc 66beed5a14
10 changed files with 149 additions and 77 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,5 @@
 /cjdns-v18.tar.gz
 /*.src.rpm
 /cjdns-v19.1.tar.gz
+/cjdns-v20.tar.gz
+/cjdns-v20.1.tar.gz
--- a/cjdns.README_Fedora.md
+++ b/cjdns.README_Fedora.md
@ -9,6 +9,47 @@ address allocation and a distributed hash table for routing. This provides
 near-zero-configuration networking, and prevents many of the security and
 scalability issues that plague existing networks.

+## Why?
+
+If you're here from the hyperboria docs, you're already sold - proceed to
+Installing.  But why should a Fedora user install cjdns?  I'll mention just two
+contrasting use cases, one mundane and the other paranoid.
+
+### VPN Mesh
+
+Configuring a point to point VPN connection with openvpn is fairly
+straightforward, as is configuring a centralized VPN server and clients.
+However, when every node in the VPN network needs to talk securely with many
+other nodes, relaying every packet through the central server becomes a drag on
+performance, and a single point of failure.  Mesh VPNs, like tinc and cjdns
+automatically create point to point connections based on a shared overall
+configuration.  Each node only needs a connection to one or more peers (that
+can be reused) to get things started.  
+
+With cjdns, however, things are much better than with tinc.  On a local LAN or
+mesh with broadcast, it is zero configuration.  Peers are automatically
+discovered via the 0xFC00 layer 2 protocol.  There is no shared configuration -
+the only thing required is adding one or more (for redundancy) internet peers
+when no peers on the local LAN or mesh are available.  Even better, when your
+node is mobile, and you have geographically separated peers configured, cjdns
+automatically switches to a faster peer as the relative performance changes.
+
+### Darknet
+
+In a widespread VPN, address assignment must be coordinated by a central
+authority.  The internet also uses centralized IP assignment, which means a
+government can take away your IP at any time.  Cjdns uses CryptoGraphic
+Addressing (CGA).  Your IP6 is the double SHA-512 of your public key truncated
+to 128 bits.  Your IP is as safe as the private key pair which produced it, and
+cannot [insert standard cryptography disclaimer] be spoofed.  Most mesh VPNs
+decrypt packets before routing to a new node.  This means that if a relay node
+is compromised in a conventional VPN, it can see and even alter packets.  All
+cjdns packets are end to end encrypted - relay nodes are untrusted.  Cjdns is
+source routed, there is no centralized routing.  If a node is "blackholing"
+your packets for some reason - simply doesn't route through that node anymore.
+(But see Security below.)  The usual security problems with source routing
+don't apply because cjdns IPs can't be (easily) spoofed.
+
 ## Startup

 The key part of cjdns is the cjdroute background daemon.  To start cjdroute:
@ -18,8 +59,8 @@ The key part of cjdns is the cjdroute background daemon.  To start cjdroute:
 This will generate `/etc/cjdroute.conf` pre-populated with random keys and
 passwords.  At first startup, cjdroute looks for neighboring cjdns peers
 on all active network interfaces using a layer 2 (e.g. ethernet) protocol.
-This is exactly what you want if you are on a wifi mesh.  If you only have a
-conventional "clearnet" ISP, see the [upstream](README.md) README for
+This is exactly what you want if you are on a LAN or wifi mesh.  If you only
+have a conventional "clearnet" ISP, see the [upstream](README.md) README for
 instructions on adding peers using the UDP protocol.  (Search for "Find a
 friend".)

@ -42,7 +83,7 @@ The resume service restarts cjdns when the system wakes up from sleep.
 For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart
 and stop.

-##Security
+## Security

 By default, Fedora Workstation will treat the tun device created by cjdroute as
 "public", with SSH being the only incoming port allowed.  There is no
@ -78,7 +119,7 @@ disable forking.  Seccomp is used to limit available system calls to only those
 actually needed.  Installing the cjdns-selinux package installs a targeted
 selinux policy that also restricts what the privileged process can access.

-##Routing security
+### Routing security

 If cjdns is not running, cjdns packets will get routed in plaintext
 to your default gateway by default.  An attacker could then play
@ -86,7 +127,24 @@ man-in-the-middle.  If your default gateway is running cjdns, this
 could even happen accidentally.

 This can be blocked by restricting ```fc00::/8``` to the interface 
-used by cjdroute in the firewall. 
+used by cjdroute in the firewall.   An even simpler solution is
+to not have a "default" route.  Instead route ```2000::/3``` to your
+gateway.  All globally routable ips begin with ```001``` as the first
+three bits.
+
+### Application security
+
+The squid cache package default config allows ```fc00::/7``` unrestricted
+access to the proxy.  If the proxy port is not otherwise firewalled,
+you probably want to change this to ```fd00::/8``` when using cjdns
+on the proxy server.  Apart from that default config, squid works very
+well with cjdns - you can allow specific cjdns ips unrestricted access:
+
+```
+acl adultpcs src fc25:dede:dede:dede:dede:dede:dede:dede
+acl adultpcs src fc37:daaa:daaa:daaa:daaa:daaa:daaa:daaa 
+http_access allow adultpcs
+```

 ## Advanced config

--- a/cjdns.python3.patch
+++ b/cjdns.python3.patch
@ -5,13 +5,5 @@ diff -up ./node_build/dependencies/libuv/gyp_uv.py.python3 ./node_build/dependen
 -#!/usr/bin/env python
 +#!/usr/bin/env python2
 
- import glob
+ import os
 import platform
-@@ -34,6 +34,7 @@ def compiler_version():
-   proc = subprocess.Popen(CC.split() + ['-dumpversion'], stdout=subprocess.PIPE)
-   version = proc.communicate()[0].split('.')
-   version = map(int, version[:2])
-+  if len(version) < 2: version.append(0)
-   version = tuple(version)
-   return (version, is_clang)
- 
--- a/cjdns.sbin.patch
+++ b/cjdns.sbin.patch
@ -109,34 +109,6 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s
 +    cjdns_dev
 +  fi
 +fi
-diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service
--- ./contrib/systemd/cjdns.service.sbin	2016-10-11 17:39:44.000000000 -0400
-+++ ./contrib/systemd/cjdns.service	2017-01-13 22:07:35.128118775 -0500
-@@ -1,18 +1,21 @@
- [Unit]
- Description=cjdns: routing engine designed for security, scalability, speed and ease of use
- Wants=network.target
-After=network.target
-+After=network.target cjdns-loadmodules.service
-+Requires=cjdns-loadmodules.service
- 
- [Service]
- ProtectHome=true
- ProtectSystem=true
- SyslogIdentifier=cjdroute
-+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL
- ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \
-                 then umask 077; \
-                /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \
-+                /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \
-                 echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \
-             fi"
-ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf"
-+ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf"
-+ExecStartPost=/bin/sh /usr/libexec/cjdns/cjdns-up
- Restart=always
- 
- [Install]
 diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service
 --- ./contrib/systemd/cjdns-wait-online.service.sbin	2017-01-13 21:43:05.414731254 -0500
 +++ ./contrib/systemd/cjdns-wait-online.service	2017-01-13 21:43:05.414731254 -0500
--- a/cjdns.service
+++ b/cjdns.service
@ -0,0 +1,23 @@
+[Unit]
+Description=cjdns: routing engine designed for security, scalability, speed and ease of use
+Wants=network.target
+After=network.target cjdns-loadmodules.service
+Requires=cjdns-loadmodules.service
+
+[Service]
+ProtectHome=true
+ProtectSystem=true
+SyslogIdentifier=cjdroute
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL
+ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \
+                then umask 077; \
+                /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \
+                echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \
+            fi"
+ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf"
+ExecStartPost=/bin/sh /usr/libexec/cjdns/cjdns-up
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+Also=cjdns-resume.service
--- a/cjdns.sodium.patch
+++ b/cjdns.sodium.patch
@ -72,7 +72,7 @@ diff -up ./contrib/c/privatetopublic.c.sodium ./contrib/c/privatetopublic.c
 +        return 1;
 +    }
 
-     Hex_decode(privateKey, 32, privateKeyHexIn, 65);
+     Hex_decode(privateKey, 32, privateKeyHexIn, 64);
     crypto_scalarmult_curve25519_base(address.key, privateKey);
 diff -up ./contrib/c/publictoip6.c.sodium ./contrib/c/publictoip6.c
 --- ./contrib/c/publictoip6.c.sodium	2017-05-24 16:42:11.085386456 -0400
@ -140,7 +140,7 @@ diff -up ./crypto/random/randombytes.c.sodium ./crypto/random/randombytes.c
 diff -up ./node_build/make.js.sodium ./node_build/make.js
 --- ./node_build/make.js.sodium	2017-02-21 17:56:22.000000000 -0500
 +++ ./node_build/make.js	2017-05-24 16:39:15.557233617 -0400
-@@ -244,44 +244,8 @@ Builder.configure({
+@@ -244,48 +244,8 @@ Builder.configure({
 
     }).nThen(function (waitFor) {
 
@ -165,13 +165,17 @@ diff -up ./node_build/make.js.sodium ./node_build/make.js
 -
 -                args.unshift(builder.config.optimizeLevel, '-fomit-frame-pointer');
 -
+-                if (!/^\-O0$/.test(builder.config.optimizeLevel)) {
+-                    args.unshift('-D_FORTIFY_SOURCE=2');
+-                }
+-
 -                if (CFLAGS) {
 -                    [].push.apply(args, CFLAGS.split(' '));
 -                }
 -
 -                if (!builder.config.crossCompiling) {
-                    if (NO_MARCH_FLAG.indexOf(process.arch) < -1) {
-                        builder.config.cflags.push('-march=native');
+-                    if (NO_MARCH_FLAG.indexOf(process.arch) == -1) {
+-                        args.unshift('-march=native');
 -                    }
 -                }
 -
--- a/cjdns.spec
+++ b/cjdns.spec
@ -2,7 +2,7 @@
 # Fedora review: http://bugzilla.redhat.com/1268716

 # Option to enable SUBNODE mode (WIP)
-%bcond_with subnode
+%bcond_without subnode
 # Use the optimized libnacl embedded with cjdns
 %if %{with subnode}
 %global use_embedded 1
@ -16,7 +16,7 @@

 %if 0%{use_libsodium}
 %global nacl_name libsodium
-%global nacl_version 1.0.5
+%global nacl_version 1.0.14
 %global nacl_lib %{_libdir}/libsodium.so
 %else
 %global nacl_name nacl
@ -46,8 +46,8 @@

 Name:           cjdns
 # major version is cjdns protocol version:
-Version:        19.1
-Release:        4%{?dist}
+Version:        20.1
+Release:        1%{?dist}
 Summary:        The privacy-friendly network without borders
 Group:          System Environment/Base
 # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC
@ -56,6 +56,7 @@ License:        GPLv3 and MIT and BSD and ISC
 URL:            http://hyperboria.net/
 Source0: https://github.com/cjdelisle/cjdns/archive/%{name}-v%{version}.tar.gz
 Source1: cjdns.README_Fedora.md
+Source2: cjdns.service
 # Add targeted selinux policy
 Patch0: cjdns.selinux.patch
 # Allow python2.6 for build.  Python is not used during the build
@ -97,9 +98,11 @@ Patch12: cjdns.sign.patch
 # Recognize ppc64, ppc64le, and s390x arches
 Patch13: cjdns.ppc64.patch
 # getentropy(2) added to glibc in Fedora 26
-Patch14: cjdns.entropy.patch
+# included in cjdns-20.1 
+#Patch14: cjdns.entropy.patch
 # Fix buffer overrun in JsonBencSerializer.c
-Patch15: cjdns.benc.patch
+# included in cjdns-20.1
+#Patch15: cjdns.benc.patch
 # Specify python2 for systems that default to python3
 Patch16: cjdns.python3.patch

@ -127,6 +130,11 @@ Provides: bundled(nacl) = 20110221
 %endif
 # build system requires nodejs, unfortunately
 ExclusiveArch: %{nodejs_arches}
+%if 0%{use_embedded}
+# The nodejs build system for embedded cnacl has no "plan" for s390x.
+# It might work to copy another big endian plan like ppc64.
+ExcludeArch: s390x
+%endif

 %description
 Cjdns implements an encrypted IPv6 network using public-key cryptography for
@ -159,13 +167,17 @@ cjdnslog           display cjdroute log
 cjdns-traceroute   trace route to cjdns IP
 sessionStats       show current crypto sessions

-%package python
+%package -n python2-cjdns
+%{?python_provide:%python_provide python2-cjdns}
+# Remove before F30
+Provides: %{name}-python = %{version}-%{release}
+Obsoletes: %{name}-python < %{version}-%{release}
 Summary: Python tools for cjdns
 Group: System Environment/Base
 Requires: python, %{name} = %{version}-%{release}
 BuildArch: noarch

-%description python
+%description -n python2-cjdns
 Python tools for cjdns.

 %package graph
@ -188,6 +200,8 @@ Python graphing tools for cjdns.
 %patch4 -b .genconf
 %patch5 -b .sbin

+cp %{SOURCE2} contrib/systemd
+
 %if !%{use_embedded}
 # use system nacl library if provided.  
 if test -x %{nacl_lib}; then
@ -216,8 +230,8 @@ fi
 %patch9 -b .man
 %patch10 -b .tools
 #patch13 -b .ppc64
-%patch14 -b .entropy
-%patch15 -b .benc
+#patch14 -b .entropy
+#patch15 -b .benc
 %patch16 -b .python3

 cp %{SOURCE1} README_Fedora.md
@ -486,7 +500,7 @@ fi
 %{_mandir}/man1/peerStats.1.gz
 %{_mandir}/man1/cjdnslog.1.gz

-%files python
+%files -n python2-cjdns
 %doc contrib/python/README.md contrib/python/cjdns-dynamic.conf
 %license contrib/python/cjdnsadmin/bencode.py.LICENSE.txt
 %dir %{_libexecdir}/cjdns/python
@ -524,6 +538,28 @@ fi
 %{_bindir}/graphStats

 %changelog
+* Wed Feb 21 2018 Stuart Gathman <stuart@gathman.org> - 20.1-1
+- New upstream release
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 19.1-10
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 19.1-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Oct 02 2017 Remi Collet <remi@fedoraproject.org> - 19.1-8
+- rebuild for libsodium
+
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 19.1-7
+- Python 2 binary package renamed to python2-cjdns
+  See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 19.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 19.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
 * Wed May 24 2017 Stuart D. Gathman <stuart@gathman.org> 19.1-4
 - Add calls to sodium_init()
 - Include mkpasswd (but not in /usr/bin)
@ -544,7 +580,7 @@ fi
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

 * Sat Jan  7 2017 Stuart D. Gathman <stuart@gathman.org> 18-5
- Run scripts in %{sysconfdir}/cjdns/up.d when cjdns comes up.
+- Run scripts in %%{sysconfdir}/cjdns/up.d when cjdns comes up.

 * Sun Nov  6 2016 Stuart D. Gathman <stuart@gathman.org> 18-4
 - update cjdns-online man page
--- a/cjdns.tools.patch
+++ b/cjdns.tools.patch
@ -25,6 +25,6 @@ diff -up ./tools/traceroute.tools ./tools/traceroute
             lastRet = ret;
             process.stdout.write('  ' + ret.ms + 'ms\n');
 +            if (!ret || !ret.nodes) { return; }
-             if (ret.nodes.length === 0) {
-                 console.log('cornered');
-             } else if (ret.nodes[0] !== ret.from) {
+             if (ret.result === 'timeout') {
+                 process.stdout.write('\n' + ret.from + ' ' + ret.result + '!');
+             } else if (ret.nodes.length === 0) {
--- a/cjdns.warnings.patch
+++ b/cjdns.warnings.patch
@ -39,20 +39,6 @@ diff -up ./dht/CJDHTConstants.h.warnings ./dht/CJDHTConstants.h
 -
 +#pragma GCC diagnostic pop
 #endif
-diff -up ./dht/dhtcore/NodeStore.c.warnings ./dht/dhtcore/NodeStore.c
--- ./dht/dhtcore/NodeStore.c.warnings	2017-02-21 17:56:22.000000000 -0500
-+++ ./dht/dhtcore/NodeStore.c	2017-02-24 12:44:19.822328184 -0500
-@@ -1770,7 +1770,9 @@ struct NodeList* NodeStore_getPeers(uint
-             break;
-         }
-         switch (j) {
-            default: Bits_memmove(out->nodes, &out->nodes[1], (j - 1) * sizeof(char*));
-+            default:
-+              Bits_memmove(out->nodes, &out->nodes[1], (j - 1) * sizeof(char*));
-+              Gcc_FALLTHROUGH;
-             case 1: out->nodes[j - 1] = next->child;
-             case 0:;
-         }
 diff -up ./node_build/dependencies/libuv/test/test-getsockname.c.warnings ./node_build/dependencies/libuv/test/test-getsockname.c
 --- ./node_build/dependencies/libuv/test/test-getsockname.c.warnings	2017-02-21 17:56:22.000000000 -0500
 +++ ./node_build/dependencies/libuv/test/test-getsockname.c	2017-02-24 12:36:55.763819191 -0500
--- a/3
+++ b/3
@ -1,2 +1 @@
-SHA512 (cjdns-v18.tar.gz) = 3b7ed50c81ed51f8deea3999aa0b820f78de53da3d3937c13f572e35bb7c2a6f963d3779c2f0b7b4afc64e6a45ae98c4a6958a0c31d43d4309a47ae3ccbb709b
-SHA512 (cjdns-v19.1.tar.gz) = 9c29bf1d136237bd60e125718bdd2c6d7f5a651d51af50aea3173eed1626a402dac5a2a72f9fb129fc9af24c3b67472a1dfe7b2b6a09bb28d01a120fc667b206
+SHA512 (cjdns-v20.1.tar.gz) = 519835f489359fb677d35040862dece20b75d84716281096f2c32c8531e8d784d852d8e2709d8c67e8098ad819f62c2a2ef1647fbad3e28e3e20f502d23cd3e7