diff --git a/.gitignore b/.gitignore index 1880119..7c7776b 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,5 @@ /cjdns-v18.tar.gz /*.src.rpm /cjdns-v19.1.tar.gz +/cjdns-v20.tar.gz +/cjdns-v20.1.tar.gz diff --git a/cjdns.README_Fedora.md b/cjdns.README_Fedora.md index 8fa2b55..7f8430b 100644 --- a/cjdns.README_Fedora.md +++ b/cjdns.README_Fedora.md 
@@ -9,6 +9,47 @@ address allocation and a distributed hash table for routing. This provides near-zero-configuration networking, and prevents many of the security and scalability issues that plague existing networks. +## Why? + +If you're here from the hyperboria docs, you're already sold - proceed to +Installing. But why should a Fedora user install cjdns? I'll mention just two +contrasting use cases, one mundane and the other paranoid. + +### VPN Mesh + +Configuring a point to point VPN connection with openvpn is fairly +straightforward, as is configuring a centralized VPN server and clients. +However, when every node in the VPN network needs to talk securely with many +other nodes, relaying every packet through the central server becomes a drag on +performance, and a single point of failure. Mesh VPNs, like tinc and cjdns +automatically create point to point connections based on a shared overall +configuration. Each node only needs a connection to one or more peers (that +can be reused) to get things started. + +With cjdns, however, things are much better than with tinc. On a local LAN or +mesh with broadcast, it is zero configuration. Peers are automatically +discovered via the 0xFC00 layer 2 protocol. There is no shared configuration - +the only thing required is adding one or more (for redundancy) internet peers +when no peers on the local LAN or mesh are available. Even better, when your +node is mobile, and you have geographically separated peers configured, cjdns +automatically switches to a faster peer as the relative performance changes. + +### Darknet + +In a widespread VPN, address assignment must be coordinated by a central +authority. The internet also uses centralized IP assignment, which means a +government can take away your IP at any time. Cjdns uses CryptoGraphic +Addressing (CGA). Your IP6 is the double SHA-512 of your public key truncated +to 128 bits. 
Your IP is as safe as the private key pair which produced it, and +cannot [insert standard cryptography disclaimer] be spoofed. Most mesh VPNs +decrypt packets before routing to a new node. This means that if a relay node +is compromised in a conventional VPN, it can see and even alter packets. All +cjdns packets are end to end encrypted - relay nodes are untrusted. Cjdns is +source routed, there is no centralized routing. If a node is "blackholing" +your packets for some reason - simply doesn't route through that node anymore. +(But see Security below.) The usual security problems with source routing +don't apply because cjdns IPs can't be (easily) spoofed. + ## Startup The key part of cjdns is the cjdroute background daemon. To start cjdroute: @@ -18,8 +59,8 @@ The key part of cjdns is the cjdroute background daemon. To start cjdroute: This will generate `/etc/cjdroute.conf` pre-populated with random keys and passwords. At first startup, cjdroute looks for neighboring cjdns peers on all active network interfaces using a layer 2 (e.g. ethernet) protocol. -This is exactly what you want if you are on a wifi mesh. If you only have a -conventional "clearnet" ISP, see the [upstream](README.md) README for +This is exactly what you want if you are on a LAN or wifi mesh. If you only +have a conventional "clearnet" ISP, see the [upstream](README.md) README for instructions on adding peers using the UDP protocol. (Search for "Find a friend".) @@ -42,7 +83,7 @@ The resume service restarts cjdns when the system wakes up from sleep. For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart and stop. -##Security +## Security By default, Fedora Workstation will treat the tun device created by cjdroute as "public", with SSH being the only incoming port allowed. There is no 
@@ -78,7 +119,7 @@ disable forking. Seccomp is used to limit available system calls to only those actually needed. Installing the cjdns-selinux package installs a targeted selinux policy that also restricts what the privileged process can access. -##Routing security +### Routing security If cjdns is not running, cjdns packets will get routed in plaintext to your default gateway by default. An attacker could then play @@ -86,7 +127,24 @@ man-in-the-middle. If your default gateway is running cjdns, this could even happen accidentally. This can be blocked by restricting ```fc00::/8``` to the interface -used by cjdroute in the firewall. +used by cjdroute in the firewall. An even simpler solution is +to not have a "default" route. Instead route ```2000::/3``` to your +gateway. All globally routable ips begin with ```001``` as the first +three bits. + +### Application security + +The squid cache package default config allows ```fc00::/7``` unrestricted +access to the proxy. If the proxy port is not otherwise firewalled, +you probably want to change this to ```fd00::/8``` when using cjdns +on the proxy server. Apart from that default config, squid works very +well with cjdns - you can allow specific cjdns ips unrestricted access: + +``` +acl adultpcs src fc25:dede:dede:dede:dede:dede:dede:dede +acl adultpcs src fc37:daaa:daaa:daaa:daaa:daaa:daaa:daaa +http_access allow adultpcs +``` ## Advanced config diff --git a/cjdns.python3.patch b/cjdns.python3.patch index c76c490..e453167 100644 --- a/cjdns.python3.patch +++ b/cjdns.python3.patch 
@@ -5,13 +5,5 @@ diff -up ./node_build/dependencies/libuv/gyp_uv.py.python3 ./node_build/dependen -#!/usr/bin/env python +#!/usr/bin/env python2 - import glob + import os import platform -@@ -34,6 +34,7 @@ def compiler_version(): - proc = subprocess.Popen(CC.split() + ['-dumpversion'], stdout=subprocess.PIPE) - version = proc.communicate()[0].split('.') - version = map(int, version[:2]) -+ if len(version) < 2: version.append(0) - version = tuple(version) - return (version, is_clang) - diff --git a/cjdns.sbin.patch b/cjdns.sbin.patch index 0b0f74f..4ea4324 100644 --- a/cjdns.sbin.patch +++ b/cjdns.sbin.patch 
@@ -109,34 +109,6 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s + cjdns_dev + fi +fi -diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service ---- ./contrib/systemd/cjdns.service.sbin 2016-10-11 17:39:44.000000000 -0400 -+++ ./contrib/systemd/cjdns.service 2017-01-13 22:07:35.128118775 -0500 -@@ -1,18 +1,21 @@ - [Unit] - Description=cjdns: routing engine designed for security, scalability, speed and ease of use - Wants=network.target --After=network.target -+After=network.target cjdns-loadmodules.service -+Requires=cjdns-loadmodules.service - - [Service] - ProtectHome=true - ProtectSystem=true - SyslogIdentifier=cjdroute -+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL - ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \ - then umask 077; \ -- /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \ -+ /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \ - echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \ - fi" --ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf" -+ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf" -+ExecStartPost=/bin/sh /usr/libexec/cjdns/cjdns-up - Restart=always - - [Install] diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service --- ./contrib/systemd/cjdns-wait-online.service.sbin 2017-01-13 21:43:05.414731254 -0500 +++ ./contrib/systemd/cjdns-wait-online.service 2017-01-13 21:43:05.414731254 -0500 diff --git a/cjdns.service b/cjdns.service new file mode 100644 index 0000000..0a1648c --- /dev/null +++ b/cjdns.service 
@@ -0,0 +1,23 @@ +[Unit] +Description=cjdns: routing engine designed for security, scalability, speed and ease of use +Wants=network.target +After=network.target cjdns-loadmodules.service +Requires=cjdns-loadmodules.service + +[Service] +ProtectHome=true +ProtectSystem=true +SyslogIdentifier=cjdroute +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL +ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \ + then umask 077; \ + /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \ + echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \ + fi" +ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf" +ExecStartPost=/bin/sh /usr/libexec/cjdns/cjdns-up +Restart=always + +[Install] +WantedBy=multi-user.target +Also=cjdns-resume.service diff --git a/cjdns.sodium.patch b/cjdns.sodium.patch index e23dc9d..c2e3393 100644 --- a/cjdns.sodium.patch +++ b/cjdns.sodium.patch @@ -72,7 +72,7 @@ diff -up ./contrib/c/privatetopublic.c.sodium ./contrib/c/privatetopublic.c + return 1; + } - Hex_decode(privateKey, 32, privateKeyHexIn, 65); + Hex_decode(privateKey, 32, privateKeyHexIn, 64); crypto_scalarmult_curve25519_base(address.key, privateKey); diff -up ./contrib/c/publictoip6.c.sodium ./contrib/c/publictoip6.c --- ./contrib/c/publictoip6.c.sodium 2017-05-24 16:42:11.085386456 -0400 @@ -140,7 +140,7 @@ diff -up ./crypto/random/randombytes.c.sodium ./crypto/random/randombytes.c diff -up ./node_build/make.js.sodium ./node_build/make.js --- ./node_build/make.js.sodium 2017-02-21 17:56:22.000000000 -0500 +++ ./node_build/make.js 2017-05-24 16:39:15.557233617 -0400 -@@ -244,44 +244,8 @@ Builder.configure({ +@@ -244,48 +244,8 @@ Builder.configure({ }).nThen(function (waitFor) { 
@@ -165,13 +165,17 @@ diff -up ./node_build/make.js.sodium ./node_build/make.js - - args.unshift(builder.config.optimizeLevel, '-fomit-frame-pointer'); - +- if (!/^\-O0$/.test(builder.config.optimizeLevel)) { +- args.unshift('-D_FORTIFY_SOURCE=2'); +- } +- - if (CFLAGS) { - [].push.apply(args, CFLAGS.split(' ')); - } - - if (!builder.config.crossCompiling) { -- if (NO_MARCH_FLAG.indexOf(process.arch) < -1) { -- builder.config.cflags.push('-march=native'); +- if (NO_MARCH_FLAG.indexOf(process.arch) == -1) { +- args.unshift('-march=native'); - } - } - diff --git a/cjdns.spec b/cjdns.spec index a1354e2..b07597f 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -2,7 +2,7 @@ # Fedora review: http://bugzilla.redhat.com/1268716 # Option to enable SUBNODE mode (WIP) -%bcond_with subnode +%bcond_without subnode # Use the optimized libnacl embedded with cjdns %if %{with subnode} %global use_embedded 1 @@ -16,7 +16,7 @@ %if 0%{use_libsodium} %global nacl_name libsodium -%global nacl_version 1.0.5 +%global nacl_version 1.0.14 %global nacl_lib %{_libdir}/libsodium.so %else %global nacl_name nacl @@ -46,8 +46,8 @@ Name: cjdns # major version is cjdns protocol version: -Version: 19.1 -Release: 4%{?dist} +Version: 20.1 +Release: 1%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -56,6 +56,7 @@ License: GPLv3 and MIT and BSD and ISC URL: http://hyperboria.net/ Source0: https://github.com/cjdelisle/cjdns/archive/%{name}-v%{version}.tar.gz Source1: cjdns.README_Fedora.md +Source2: cjdns.service # Add targeted selinux policy Patch0: cjdns.selinux.patch # Allow python2.6 for build. Python is not used during the build 
@@ -97,9 +98,11 @@ Patch12: cjdns.sign.patch # Recognize ppc64, ppc64le, and s390x arches Patch13: cjdns.ppc64.patch # getentropy(2) added to glibc in Fedora 26 -Patch14: cjdns.entropy.patch +# included in cjdns-20.1 +#Patch14: cjdns.entropy.patch # Fix buffer overrun in JsonBencSerializer.c -Patch15: cjdns.benc.patch +# included in cjdns-20.1 +#Patch15: cjdns.benc.patch # Specify python2 for systems that default to python3 Patch16: cjdns.python3.patch @@ -127,6 +130,11 @@ Provides: bundled(nacl) = 20110221 %endif # build system requires nodejs, unfortunately ExclusiveArch: %{nodejs_arches} +%if 0%{use_embedded} +# The nodejs build system for embedded cnacl has no "plan" for s390x. +# It might work to copy another big endian plan like ppc64. +ExcludeArch: s390x +%endif %description Cjdns implements an encrypted IPv6 network using public-key cryptography for @@ -159,13 +167,17 @@ cjdnslog display cjdroute log cjdns-traceroute trace route to cjdns IP sessionStats show current crypto sessions -%package python +%package -n python2-cjdns +%{?python_provide:%python_provide python2-cjdns} +# Remove before F30 +Provides: %{name}-python = %{version}-%{release} +Obsoletes: %{name}-python < %{version}-%{release} Summary: Python tools for cjdns Group: System Environment/Base Requires: python, %{name} = %{version}-%{release} BuildArch: noarch -%description python +%description -n python2-cjdns Python tools for cjdns. %package graph @@ -188,6 +200,8 @@ Python graphing tools for cjdns. %patch4 -b .genconf %patch5 -b .sbin +cp %{SOURCE2} contrib/systemd + %if !%{use_embedded} # use system nacl library if provided. if test -x %{nacl_lib}; then @@ -216,8 +230,8 @@ fi %patch9 -b .man %patch10 -b .tools #patch13 -b .ppc64 -%patch14 -b .entropy -%patch15 -b .benc +#patch14 -b .entropy +#patch15 -b .benc %patch16 -b .python3 cp %{SOURCE1} README_Fedora.md 
@@ -486,7 +500,7 @@ fi %{_mandir}/man1/peerStats.1.gz %{_mandir}/man1/cjdnslog.1.gz -%files python +%files -n python2-cjdns %doc contrib/python/README.md contrib/python/cjdns-dynamic.conf %license contrib/python/cjdnsadmin/bencode.py.LICENSE.txt %dir %{_libexecdir}/cjdns/python @@ -524,6 +538,28 @@ fi %{_bindir}/graphStats %changelog +* Wed Feb 21 2018 Stuart Gathman - 20.1-1 +- New upstream release + +* Fri Feb 09 2018 Igor Gnatenko - 19.1-10 +- Escape macros in %%changelog + +* Wed Feb 07 2018 Fedora Release Engineering - 19.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Mon Oct 02 2017 Remi Collet - 19.1-8 +- rebuild for libsodium + +* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 19.1-7 +- Python 2 binary package renamed to python2-cjdns + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + +* Wed Aug 02 2017 Fedora Release Engineering - 19.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 19.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Wed May 24 2017 Stuart D. Gathman 19.1-4 - Add calls to sodium_init() - Include mkpasswd (but not in /usr/bin) @@ -544,7 +580,7 @@ fi - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild * Sat Jan 7 2017 Stuart D. Gathman 18-5 -- Run scripts in %{sysconfdir}/cjdns/up.d when cjdns comes up. +- Run scripts in %%{sysconfdir}/cjdns/up.d when cjdns comes up. * Sun Nov 6 2016 Stuart D. Gathman 18-4 - update cjdns-online man page diff --git a/cjdns.tools.patch b/cjdns.tools.patch index cc6392c..d789d2e 100644 --- a/cjdns.tools.patch +++ b/cjdns.tools.patch 
@@ -25,6 +25,6 @@ diff -up ./tools/traceroute.tools ./tools/traceroute lastRet = ret; process.stdout.write(' ' + ret.ms + 'ms\n'); + if (!ret || !ret.nodes) { return; } - if (ret.nodes.length === 0) { - console.log('cornered'); - } else if (ret.nodes[0] !== ret.from) { + if (ret.result === 'timeout') { + process.stdout.write('\n' + ret.from + ' ' + ret.result + '!'); + } else if (ret.nodes.length === 0) { diff --git a/cjdns.warnings.patch b/cjdns.warnings.patch index 9042c2c..cb8a72e 100644 --- a/cjdns.warnings.patch +++ b/cjdns.warnings.patch @@ -39,20 +39,6 @@ diff -up ./dht/CJDHTConstants.h.warnings ./dht/CJDHTConstants.h - +#pragma GCC diagnostic pop #endif -diff -up ./dht/dhtcore/NodeStore.c.warnings ./dht/dhtcore/NodeStore.c ---- ./dht/dhtcore/NodeStore.c.warnings 2017-02-21 17:56:22.000000000 -0500 -+++ ./dht/dhtcore/NodeStore.c 2017-02-24 12:44:19.822328184 -0500 -@@ -1770,7 +1770,9 @@ struct NodeList* NodeStore_getPeers(uint - break; - } - switch (j) { -- default: Bits_memmove(out->nodes, &out->nodes[1], (j - 1) * sizeof(char*)); -+ default: -+ Bits_memmove(out->nodes, &out->nodes[1], (j - 1) * sizeof(char*)); -+ Gcc_FALLTHROUGH; - case 1: out->nodes[j - 1] = next->child; - case 0:; - } diff -up ./node_build/dependencies/libuv/test/test-getsockname.c.warnings ./node_build/dependencies/libuv/test/test-getsockname.c --- ./node_build/dependencies/libuv/test/test-getsockname.c.warnings 2017-02-21 17:56:22.000000000 -0500 +++ ./node_build/dependencies/libuv/test/test-getsockname.c 2017-02-24 12:36:55.763819191 -0500 diff --git a/sources b/sources index 0f233d8..064b4c7 100644 --- a/sources +++ b/sources 
@@ -1,2 +1 @@ -SHA512 (cjdns-v18.tar.gz) = 3b7ed50c81ed51f8deea3999aa0b820f78de53da3d3937c13f572e35bb7c2a6f963d3779c2f0b7b4afc64e6a45ae98c4a6958a0c31d43d4309a47ae3ccbb709b -SHA512 (cjdns-v19.1.tar.gz) = 9c29bf1d136237bd60e125718bdd2c6d7f5a651d51af50aea3173eed1626a402dac5a2a72f9fb129fc9af24c3b67472a1dfe7b2b6a09bb28d01a120fc667b206 +SHA512 (cjdns-v20.1.tar.gz) = 519835f489359fb677d35040862dece20b75d84716281096f2c32c8531e8d784d852d8e2709d8c67e8098ad819f62c2a2ef1647fbad3e28e3e20f502d23cd3e7
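Review bot: the `.gitignore` hunk adds both `/cjdns-v20.tar.gz` and `/cjdns-v20.1.tar.gz`, but the `sources` hunk at the end of the patch records only `cjdns-v20.1.tar.gz`; the v20 entry is dead weight and should be dropped unless a v20 tarball is actually kept in the working tree.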
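Review bot: the Darknet paragraph of the new `## Why?` section in cjdns.README_Fedora.md ships a literal placeholder, `cannot [insert standard cryptography disclaimer] be spoofed`; replace it with the intended caveat (spoofing would require finding a key pair whose double SHA-512 address collides with yours) or drop the bracket. The same paragraph has a sentence with no subject, `If a node is "blackholing" your packets for some reason - simply doesn't route through that node anymore.`; something like `..., you simply stop routing through that node.` reads correctly. Minor: `Mesh VPNs, like tinc and cjdns automatically create` wants a comma after `cjdns`.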
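Review bot: the `2000::/3` advice in the `### Routing security` hunk is presented as a simpler alternative to the firewall rule, but it only holds while no other route matches `fc00::/8`: a second default route added later (by a VPN client or NetworkManager, for instance) silently reopens the plaintext leak the paragraph describes. Suggest wording it as a complement, keeping the `fc00::/8`-to-tun-interface firewall restriction in place, so that the protection does not depend on the routing table staying as configured. In the `### Application security` block, the two `acl adultpcs src fc25:...` / `fc37:...` lines should be labelled as example addresses so they are not pasted as-is.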
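Review bot: the cjdns.python3.patch hunk silently drops the second part of the patch, the `compiler_version()` fix that appended `if len(version) < 2: version.append(0)`, and the file's context lines change from `import glob` to `import os`. If the fix landed upstream in 20.1, as the spec records for Patch14 and Patch15 (`# included in cjdns-20.1`), say so in the `# Specify python2 ...` comment or the 20.1-1 changelog entry so the next rebase knows the hunk was not lost by accident.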
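Review bot: the `contrib/systemd/cjdns.service` hunk removed from cjdns.sbin.patch reappears unchanged as the new `cjdns.service` file (Source2), which is a cleaner way to carry a wholesale replacement than a patch, but nothing in the spec explains the move: add a comment above `Source2: cjdns.service`, in the style the `PatchN:` lines already use, stating that it replaces upstream's `contrib/systemd/cjdns.service` and is dropped in by the `cp %{SOURCE2} contrib/systemd` step in %prep.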
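Review bot: in the new `cjdns.service`, the `ExecStartPre` line pipes `/usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf` where the previously patched unit redirected `cjdroute --genconf` directly; the reason for the `cat` is not obvious from the file, so add a comment before someone "simplifies" it away. The `umask 077` immediately before that redirect is what keeps the generated config, which contains the node's private key and admin password, unreadable to other users; keep that ordering. A one-line comment that `ProtectSystem=true` (rather than `full` or `strict`) is chosen because ExecStartPre must create `/etc/cjdroute.conf` on first run would likewise save the next reader a guess.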
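Review bot: `Hex_decode(privateKey, 32, privateKeyHexIn, 64)` in the cjdns.sodium.patch hunk for privatetopublic.c changes the input length from 65 to 64; a 32-byte key is exactly 64 hex digits, so the old value read one character past the key. That is a behaviour fix to a Fedora-carried patch, not a rebase artefact, and deserves its own line in the 20.1-1 changelog entry.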
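Review bot: the enlarged make.js hunk in cjdns.sodium.patch (`-@@ -244,44 +244,8 @@` becoming `+@@ -244,48 +244,8 @@`) now also strips upstream's `-D_FORTIFY_SOURCE=2` block and its corrected `-march=native` test (upstream fixed `indexOf(process.arch) < -1`, which could never be true, to `== -1`). Dropping `-march=native` is right for a distro build, since it would tie the binary to the build host's CPU, but fortification must then come from the replacement flag handling that this patch installs, which is outside the visible hunk; add a sentence to the patch header confirming the build picks up the distro CFLAGS, which on Fedora carry `-D_FORTIFY_SOURCE=2`, so the hardening is not quietly lost.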
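Review bot: flipping `%bcond_with subnode` to `%bcond_without subnode` enables SUBNODE mode by default while the comment one line above still calls it WIP, and through the `%if %{with subnode}` / `%global use_embedded 1` block right after it also switches the build from the system libsodium to the bundled nacl (`Provides: bundled(nacl) = 20110221`), so the crypto code stops receiving distro libsodium updates and the `nacl_version 1.0.14` bump two hunks later only matters when subnode is disabled. Either update the comment and record both consequences in the changelog, or keep the previous default until subnode is no longer WIP.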
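Review bot: `Requires: python, %{name} = %{version}-%{release}` in the renamed `python2-cjdns` subpackage still depends on the unversioned `python`; now that the package name states Python 2 explicitly, require `python2` so the dependency does not change meaning when `python` comes to mean Python 3, which is the point of the rename the changelog cites.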
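Review bot: the `%prep` hunk comments out `%patch14` and `%patch15` as `#patch14` / `#patch15` without the `%`, matching the existing `#patch13 -b .ppc64` line; that is the right spelling, since rpm still expands `%patchN` inside a `#` comment, but a short comment saying so would stop a future cleanup from "fixing" it back to `#%patch14`.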
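Review bot: the 20.1-1 changelog entry, `New upstream release`, does not cover what this commit actually changes: SUBNODE mode and the bundled nacl enabled by default, the unit file moved from cjdns.sbin.patch to Source2, Patch14 and Patch15 dropped as upstreamed, hunks removed from cjdns.python3.patch and cjdns.warnings.patch, the `Hex_decode` length fix, the `-D_FORTIFY_SOURCE`/`-march=native` change in the make.js hunk, and the new README sections. List them so the history is useful to whoever bisects a behaviour change.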
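Review bot: in the cjdns.tools.patch hunk for tools/traceroute, the new `if (ret.result === 'timeout')` branch sits after the existing early return `if (!ret || !ret.nodes) { return; }`, so it only fires when a timeout reply still carries a `nodes` array; if timeouts can arrive without one, the new message is never printed. Either move the timeout test ahead of the guard or note in the patch why `nodes` is always present. Also, the context line `process.stdout.write(' ' + ret.ms + 'ms\n')` dereferences `ret` before the `!ret` check; that predates this change but is worth folding into the same fix.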
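Review bot: the cjdns.warnings.patch hunk drops the `NodeStore.c` change that added `Gcc_FALLTHROUGH;` between the `default:` and `case 1:` labels of `NodeStore_getPeers`; if upstream 20.1 does not carry an equivalent annotation, the `-Wimplicit-fallthrough` warning returns on current gcc. A word in the patch header on why the hunk was removed would settle it.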