From 556f82d3584e36ad37749c6bc18731c102b8ebbb Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 26 Jul 2017 04:51:45 +0000 Subject: [PATCH 01/13] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild --- cjdns.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index a1354e2..094c438 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -47,7 +47,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 19.1 -Release: 4%{?dist} +Release: 5%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -524,6 +524,9 @@ fi %{_bindir}/graphStats %changelog +* Wed Jul 26 2017 Fedora Release Engineering - 19.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + * Wed May 24 2017 Stuart D. Gathman 19.1-4 - Add calls to sodium_init() - Include mkpasswd (but not in /usr/bin) From fa1896de2a45922a6170dfd6e72d2e93ffc11f24 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 2 Aug 2017 18:49:14 +0000 Subject: [PATCH 02/13] - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild --- cjdns.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index 094c438..c7a7f2d 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -47,7 +47,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 19.1 -Release: 5%{?dist} +Release: 6%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -524,6 +524,9 @@ fi %{_bindir}/graphStats %changelog +* Wed Aug 02 2017 Fedora Release Engineering - 19.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + * Wed Jul 26 2017 Fedora Release Engineering - 19.1-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 
From 9050885df9ee03c360274602c615b1dea0c39fbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Sat, 19 Aug 2017 09:38:09 -0400 Subject: [PATCH 03/13] Python 2 binary package renamed to python2-cjdns --- cjdns.spec | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/cjdns.spec b/cjdns.spec index c7a7f2d..28e6af1 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -47,7 +47,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 19.1 -Release: 6%{?dist} +Release: 7%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -159,13 +159,17 @@ cjdnslog display cjdroute log cjdns-traceroute trace route to cjdns IP sessionStats show current crypto sessions -%package python +%package -n python2-cjdns +%{?python_provide:%python_provide python2-cjdns} +# Remove before F30 +Provides: %{name}-python%{?_isa} = %{version}-%{release} +Obsoletes: %{name}-python < %{version}-%{release} Summary: Python tools for cjdns Group: System Environment/Base Requires: python, %{name} = %{version}-%{release} BuildArch: noarch -%description python +%description -n python2-cjdns Python tools for cjdns. %package graph @@ -486,7 +490,7 @@ fi %{_mandir}/man1/peerStats.1.gz %{_mandir}/man1/cjdnslog.1.gz -%files python +%files -n python2-cjdns %doc contrib/python/README.md contrib/python/cjdns-dynamic.conf %license contrib/python/cjdnsadmin/bencode.py.LICENSE.txt %dir %{_libexecdir}/cjdns/python @@ -524,6 +528,10 @@ fi %{_bindir}/graphStats %changelog +* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 19.1-7 +- Python 2 binary package renamed to python2-cjdns + See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 + * Wed Aug 02 2017 Fedora Release Engineering - 19.1-6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild From 863b68adfd660dd63f8dfec1d9331e38ff753732 Mon Sep 17 00:00:00 2001 
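Review bot: `Provides: %{name}-python%{?_isa} = %{version}-%{release}` in the `%package -n python2-cjdns` hunk puts an ISA-qualified Provides on a subpackage that is `BuildArch: noarch`. `%{?_isa}` expands to the build host's architecture suffix, so the compatibility name becomes something like `cjdns-python(x86-64)` while the plain `cjdns-python` name that older dependents actually ask for is never provided. Drop the qualifier so the line reads `Provides: %{name}-python = %{version}-%{release}`, matching the `Obsoletes:` line directly below it, which is already unqualified.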
From: Remi Collet Date: Mon, 2 Oct 2017 08:34:06 +0200 Subject: [PATCH 04/13] rebuild for libsodium --- cjdns.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index 28e6af1..eb99fae 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -47,7 +47,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 19.1 -Release: 7%{?dist} +Release: 8%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -528,6 +528,9 @@ fi %{_bindir}/graphStats %changelog +* Mon Oct 02 2017 Remi Collet - 19.1-8 +- rebuild for libsodium + * Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek - 19.1-7 - Python 2 binary package renamed to python2-cjdns See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3 From 0f417ec561c942b687230e96a8c6d13c148c2f05 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Tue, 5 Dec 2017 18:10:41 -0500 Subject: [PATCH 05/13] Talk about squid in README --- cjdns.README_Fedora.md | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/cjdns.README_Fedora.md b/cjdns.README_Fedora.md index 8fa2b55..a7647b7 100644 --- a/cjdns.README_Fedora.md +++ b/cjdns.README_Fedora.md @@ -78,7 +78,7 @@ disable forking. Seccomp is used to limit available system calls to only those actually needed. Installing the cjdns-selinux package installs a targeted selinux policy that also restricts what the privileged process can access. -##Routing security +### Routing security If cjdns is not running, cjdns packets will get routed in plaintext to your default gateway by default. An attacker could then play 
@@ -86,7 +86,24 @@ man-in-the-middle. If your default gateway is running cjdns, this could even happen accidentally. This can be blocked by restricting ```fc00::/8``` to the interface -used by cjdroute in the firewall. +used by cjdroute in the firewall. An even simpler solution is +to not have a "default" route. Instead route ```2000::/3``` to your +gateway. All globally routable ips begin with ```001``` as the first +three bits. + +### Application security + +The squid cache package default config allows ```fc00::/7``` unrestricted +access to the proxy. If the proxy port is not otherwise firewalled, +you probably want to change this to ```fd00::/8``` when using cjdns +on the proxy server. Apart from that default config, squid works very +well with cjdns - you can allow specific cjdns ips unrestricted access: + +``` +acl adultpcs src fc25:dede:dede:dede:dede:dede:dede:dede +acl adultpcs src fc37:daaa:daaa:daaa:daaa:daaa:daaa:daaa +http_access allow adultpcs +``` ## Advanced config From bf371a4946cbc60cd5ed4afbf40644df062f6ea1 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Tue, 5 Dec 2017 18:12:29 -0500 Subject: [PATCH 06/13] New sources --- .gitignore | 1 + sources | 1 + 2 files changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 1880119..e9bfb65 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ /cjdns-v18.tar.gz /*.src.rpm /cjdns-v19.1.tar.gz +/cjdns-v20.tar.gz diff --git a/sources b/sources index 0f233d8..434d356 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ SHA512 (cjdns-v18.tar.gz) = 3b7ed50c81ed51f8deea3999aa0b820f78de53da3d3937c13f572e35bb7c2a6f963d3779c2f0b7b4afc64e6a45ae98c4a6958a0c31d43d4309a47ae3ccbb709b SHA512 (cjdns-v19.1.tar.gz) = 9c29bf1d136237bd60e125718bdd2c6d7f5a651d51af50aea3173eed1626a402dac5a2a72f9fb129fc9af24c3b67472a1dfe7b2b6a09bb28d01a120fc667b206 +SHA512 (cjdns-v20.tar.gz) = 7da6537ed417d33ebd9ffa27a9e08758c48ea99930a85497853f0ee43cc87501434ab76bee0e69dc935b3338959d86bcb4bef527f1b93887b0a3662b4ab55879 
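Review bot: The new "Application security" paragraph should name the squid directive it is warning about, otherwise a reader has to guess which line to edit. The stock squid.conf ships `acl localnet src fc00::/7` (commented as the RFC 4193 unique-local range), and since every cjdns address falls inside fc00::/8, that single line gives any cjdns node that can reach the proxy port whatever `localnet` is allowed. Suggest quoting the shipped line and the replacement `acl localnet src fd00::/8` in the same fenced block style used for the `adultpcs` example, and adding one sentence that fd00::/8 is the half of the ULA range RFC 4193 assigns to locally generated prefixes, so narrowing to it loses nothing for a normal LAN. The preceding routing change (route `2000::/3` instead of a default route) is a sound defence-in-depth measure and reads fine as written.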
From 04f62b1c11e7109267cee1f0d383d072a1364b02 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 7 Feb 2018 04:58:55 +0000 Subject: [PATCH 07/13] - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- cjdns.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index eb99fae..1372178 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -47,7 +47,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 19.1 -Release: 8%{?dist} +Release: 9%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -528,6 +528,9 @@ fi %{_bindir}/graphStats %changelog +* Wed Feb 07 2018 Fedora Release Engineering - 19.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + * Mon Oct 02 2017 Remi Collet - 19.1-8 - rebuild for libsodium From 3dea32b24dcd2a6a33efb5f7a45aae2ba7b67cc0 Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Fri, 9 Feb 2018 09:04:13 +0100 Subject: [PATCH 08/13] Escape macros in %changelog Reference: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Y2ZUKK2B7T2IKXPMODNF6HB2O5T5TS6H/ Signed-off-by: Igor Gnatenko --- cjdns.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/cjdns.spec b/cjdns.spec index 1372178..2af2b2e 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -47,7 +47,7 @@ Name: cjdns # major version is cjdns protocol version: Version: 19.1 -Release: 9%{?dist} +Release: 10%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC 
@@ -528,6 +528,9 @@ fi %{_bindir}/graphStats %changelog +* Fri Feb 09 2018 Igor Gnatenko - 19.1-10 +- Escape macros in %%changelog + * Wed Feb 07 2018 Fedora Release Engineering - 19.1-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild @@ -564,7 +567,7 @@ fi - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild * Sat Jan 7 2017 Stuart D. Gathman 18-5 -- Run scripts in %{sysconfdir}/cjdns/up.d when cjdns comes up. +- Run scripts in %%{sysconfdir}/cjdns/up.d when cjdns comes up. * Sun Nov 6 2016 Stuart D. Gathman 18-4 - update cjdns-online man page From 1afaf13c91489d4975137b2087bede7197356b55 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 21 Feb 2018 13:52:53 -0500 Subject: [PATCH 09/13] Upstream release 20.1 and add cjdns.service to local SOURCES --- .gitignore | 1 + cjdns.sbin.patch | 28 ---------------------------- cjdns.service | 23 +++++++++++++++++++++++ cjdns.spec | 14 ++++++++++---- sources | 4 +--- 5 files changed, 35 insertions(+), 35 deletions(-) create mode 100644 cjdns.service diff --git a/.gitignore b/.gitignore index e9bfb65..7c7776b 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /*.src.rpm /cjdns-v19.1.tar.gz /cjdns-v20.tar.gz +/cjdns-v20.1.tar.gz diff --git a/cjdns.sbin.patch b/cjdns.sbin.patch index 0b0f74f..4ea4324 100644 --- a/cjdns.sbin.patch +++ b/cjdns.sbin.patch 
@@ -109,34 +109,6 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s + cjdns_dev + fi +fi -diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service ---- ./contrib/systemd/cjdns.service.sbin 2016-10-11 17:39:44.000000000 -0400 -+++ ./contrib/systemd/cjdns.service 2017-01-13 22:07:35.128118775 -0500 -@@ -1,18 +1,21 @@ - [Unit] - Description=cjdns: routing engine designed for security, scalability, speed and ease of use - Wants=network.target --After=network.target -+After=network.target cjdns-loadmodules.service -+Requires=cjdns-loadmodules.service - - [Service] - ProtectHome=true - ProtectSystem=true - SyslogIdentifier=cjdroute -+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL - ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \ - then umask 077; \ -- /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \ -+ /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \ - echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \ - fi" --ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf" -+ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf" -+ExecStartPost=/bin/sh /usr/libexec/cjdns/cjdns-up - Restart=always - - [Install] diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service --- ./contrib/systemd/cjdns-wait-online.service.sbin 2017-01-13 21:43:05.414731254 -0500 +++ ./contrib/systemd/cjdns-wait-online.service 2017-01-13 21:43:05.414731254 -0500 diff --git a/cjdns.service b/cjdns.service new file mode 100644 index 0000000..0a1648c --- /dev/null +++ b/cjdns.service 
@@ -0,0 +1,23 @@ +[Unit] +Description=cjdns: routing engine designed for security, scalability, speed and ease of use +Wants=network.target +After=network.target cjdns-loadmodules.service +Requires=cjdns-loadmodules.service + +[Service] +ProtectHome=true +ProtectSystem=true +SyslogIdentifier=cjdroute +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL +ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \ + then umask 077; \ + /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \ + echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \ + fi" +ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf" +ExecStartPost=/bin/sh /usr/libexec/cjdns/cjdns-up +Restart=always + +[Install] +WantedBy=multi-user.target +Also=cjdns-resume.service diff --git a/cjdns.spec b/cjdns.spec index 2af2b2e..9624322 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -2,7 +2,7 @@ # Fedora review: http://bugzilla.redhat.com/1268716 # Option to enable SUBNODE mode (WIP) -%bcond_with subnode +%bcond_without subnode # Use the optimized libnacl embedded with cjdns %if %{with subnode} %global use_embedded 1 @@ -16,7 +16,7 @@ %if 0%{use_libsodium} %global nacl_name libsodium -%global nacl_version 1.0.5 +%global nacl_version 1.0.14 %global nacl_lib %{_libdir}/libsodium.so %else %global nacl_name nacl @@ -46,8 +46,8 @@ Name: cjdns # major version is cjdns protocol version: -Version: 19.1 -Release: 10%{?dist} +Version: 20.1 +Release: 1%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC 
@@ -56,6 +56,7 @@ License: GPLv3 and MIT and BSD and ISC URL: http://hyperboria.net/ Source0: https://github.com/cjdelisle/cjdns/archive/%{name}-v%{version}.tar.gz Source1: cjdns.README_Fedora.md +Source2: cjdns.service # Add targeted selinux policy Patch0: cjdns.selinux.patch # Allow python2.6 for build. Python is not used during the build @@ -192,6 +193,8 @@ Python graphing tools for cjdns. %patch4 -b .genconf %patch5 -b .sbin +cp %{SOURCE2} contrib/systemd + %if !%{use_embedded} # use system nacl library if provided. if test -x %{nacl_lib}; then @@ -528,6 +531,9 @@ fi %{_bindir}/graphStats %changelog +* Wed Feb 21 2018 Stuart Gathman - 20.1-1 +- New upstream release + * Fri Feb 09 2018 Igor Gnatenko - 19.1-10 - Escape macros in %%changelog diff --git a/sources b/sources index 434d356..064b4c7 100644 --- a/sources +++ b/sources @@ -1,3 +1 @@ -SHA512 (cjdns-v18.tar.gz) = 3b7ed50c81ed51f8deea3999aa0b820f78de53da3d3937c13f572e35bb7c2a6f963d3779c2f0b7b4afc64e6a45ae98c4a6958a0c31d43d4309a47ae3ccbb709b -SHA512 (cjdns-v19.1.tar.gz) = 9c29bf1d136237bd60e125718bdd2c6d7f5a651d51af50aea3173eed1626a402dac5a2a72f9fb129fc9af24c3b67472a1dfe7b2b6a09bb28d01a120fc667b206 -SHA512 (cjdns-v20.tar.gz) = 7da6537ed417d33ebd9ffa27a9e08758c48ea99930a85497853f0ee43cc87501434ab76bee0e69dc935b3338959d86bcb4bef527f1b93887b0a3662b4ab55879 +SHA512 (cjdns-v20.1.tar.gz) = 519835f489359fb677d35040862dece20b75d84716281096f2c32c8531e8d784d852d8e2709d8c67e8098ad819f62c2a2ef1647fbad3e28e3e20f502d23cd3e7 From 5c914f7825d1c0230c2866b6c0a728e59f01df0a Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 21 Feb 2018 13:58:17 -0500 Subject: [PATCH 10/13] Build for 20.1 on rawhide --- cjdns.python3.patch | 10 +--------- cjdns.sodium.patch | 12 ++++++++---- cjdns.spec | 10 ++++++---- cjdns.tools.patch | 6 +++--- cjdns.warnings.patch | 14 -------------- 5 files changed, 18 insertions(+), 34 deletions(-) diff --git a/cjdns.python3.patch b/cjdns.python3.patch index c76c490..e453167 100644 
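Review bot: The `-%bcond_with subnode` / `+%bcond_without subnode` hunk flips the build default: subnode is now on, and the unchanged `%if %{with subnode}` / `%global use_embedded 1` lines right below mean the default package now uses the embedded cnacl instead of the system libsodium it linked against through 19.1-10. The `# Option to enable SUBNODE mode (WIP)` comment and the `%changelog` entry ("New upstream release") say nothing about either change. Suggest updating the comment, adding a changelog line for the subnode default and the switch to bundled nacl, and confirming that the `Provides: bundled(nacl) = 20110221` branch is what now gets emitted; the `nacl_version 1.0.5` to `1.0.14` bump in the same patch only matters on the libsodium path, which is no longer the default.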
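Review bot: The new `cjdns.service` (Source2) uses `ProtectSystem=true`, which makes only /usr and /boot read-only; `full` or `strict` would be the stronger setting, but the `ExecStartPre` block writes `/etc/cjdroute.conf` on first start, so either would break that step without a matching `ReadWritePaths=`. That is a reasonable trade-off, but it is not obvious from the unit; add a comment next to `ProtectSystem=` explaining why it is not `full`, so the next person to harden the unit does not silently break first-boot key generation. The `umask 077` before `--genconf` is correct and worth keeping, since the generated file holds the node's private key and admin password. Also note that `cp %{SOURCE2} contrib/systemd` runs after `%patch5 -b .sbin`, so the copy overwrites whatever upstream's unit contains; the matching removal of the `cjdns.service` section from `cjdns.sbin.patch` is consistent with that.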
--- a/cjdns.python3.patch +++ b/cjdns.python3.patch @@ -5,13 +5,5 @@ diff -up ./node_build/dependencies/libuv/gyp_uv.py.python3 ./node_build/dependen -#!/usr/bin/env python +#!/usr/bin/env python2 - import glob + import os import platform -@@ -34,6 +34,7 @@ def compiler_version(): - proc = subprocess.Popen(CC.split() + ['-dumpversion'], stdout=subprocess.PIPE) - version = proc.communicate()[0].split('.') - version = map(int, version[:2]) -+ if len(version) < 2: version.append(0) - version = tuple(version) - return (version, is_clang) - diff --git a/cjdns.sodium.patch b/cjdns.sodium.patch index e23dc9d..c2e3393 100644 --- a/cjdns.sodium.patch +++ b/cjdns.sodium.patch @@ -72,7 +72,7 @@ diff -up ./contrib/c/privatetopublic.c.sodium ./contrib/c/privatetopublic.c + return 1; + } - Hex_decode(privateKey, 32, privateKeyHexIn, 65); + Hex_decode(privateKey, 32, privateKeyHexIn, 64); crypto_scalarmult_curve25519_base(address.key, privateKey); diff -up ./contrib/c/publictoip6.c.sodium ./contrib/c/publictoip6.c --- ./contrib/c/publictoip6.c.sodium 2017-05-24 16:42:11.085386456 -0400 @@ -140,7 +140,7 @@ diff -up ./crypto/random/randombytes.c.sodium ./crypto/random/randombytes.c diff -up ./node_build/make.js.sodium ./node_build/make.js --- ./node_build/make.js.sodium 2017-02-21 17:56:22.000000000 -0500 +++ ./node_build/make.js 2017-05-24 16:39:15.557233617 -0400 -@@ -244,44 +244,8 @@ Builder.configure({ +@@ -244,48 +244,8 @@ Builder.configure({ }).nThen(function (waitFor) { 
@@ -165,13 +165,17 @@ diff -up ./node_build/make.js.sodium ./node_build/make.js - - args.unshift(builder.config.optimizeLevel, '-fomit-frame-pointer'); - +- if (!/^\-O0$/.test(builder.config.optimizeLevel)) { +- args.unshift('-D_FORTIFY_SOURCE=2'); +- } +- - if (CFLAGS) { - [].push.apply(args, CFLAGS.split(' ')); - } - - if (!builder.config.crossCompiling) { -- if (NO_MARCH_FLAG.indexOf(process.arch) < -1) { -- builder.config.cflags.push('-march=native'); +- if (NO_MARCH_FLAG.indexOf(process.arch) == -1) { +- args.unshift('-march=native'); - } - } - diff --git a/cjdns.spec b/cjdns.spec index 9624322..db6089f 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -98,9 +98,11 @@ Patch12: cjdns.sign.patch # Recognize ppc64, ppc64le, and s390x arches Patch13: cjdns.ppc64.patch # getentropy(2) added to glibc in Fedora 26 -Patch14: cjdns.entropy.patch +# included in cjdns-20.1 +#Patch14: cjdns.entropy.patch # Fix buffer overrun in JsonBencSerializer.c -Patch15: cjdns.benc.patch +# included in cjdns-20.1 +#Patch15: cjdns.benc.patch # Specify python2 for systems that default to python3 Patch16: cjdns.python3.patch @@ -223,8 +225,8 @@ fi %patch9 -b .man %patch10 -b .tools #patch13 -b .ppc64 -%patch14 -b .entropy -%patch15 -b .benc +#patch14 -b .entropy +#patch15 -b .benc %patch16 -b .python3 cp %{SOURCE1} README_Fedora.md diff --git a/cjdns.tools.patch b/cjdns.tools.patch index cc6392c..d789d2e 100644 --- a/cjdns.tools.patch +++ b/cjdns.tools.patch @@ -25,6 +25,6 @@ diff -up ./tools/traceroute.tools ./tools/traceroute lastRet = ret; process.stdout.write(' ' + ret.ms + 'ms\n'); + if (!ret || !ret.nodes) { return; } - if (ret.nodes.length === 0) { - console.log('cornered'); - } else if (ret.nodes[0] !== ret.from) { + if (ret.result === 'timeout') { + process.stdout.write('\n' + ret.from + ' ' + ret.result + '!'); + } else if (ret.nodes.length === 0) { diff --git a/cjdns.warnings.patch b/cjdns.warnings.patch index 9042c2c..cb8a72e 100644 --- a/cjdns.warnings.patch 
+++ b/cjdns.warnings.patch @@ -39,20 +39,6 @@ diff -up ./dht/CJDHTConstants.h.warnings ./dht/CJDHTConstants.h - +#pragma GCC diagnostic pop #endif -diff -up ./dht/dhtcore/NodeStore.c.warnings ./dht/dhtcore/NodeStore.c ---- ./dht/dhtcore/NodeStore.c.warnings 2017-02-21 17:56:22.000000000 -0500 -+++ ./dht/dhtcore/NodeStore.c 2017-02-24 12:44:19.822328184 -0500 -@@ -1770,7 +1770,9 @@ struct NodeList* NodeStore_getPeers(uint - break; - } - switch (j) { -- default: Bits_memmove(out->nodes, &out->nodes[1], (j - 1) * sizeof(char*)); -+ default: -+ Bits_memmove(out->nodes, &out->nodes[1], (j - 1) * sizeof(char*)); -+ Gcc_FALLTHROUGH; - case 1: out->nodes[j - 1] = next->child; - case 0:; - } diff -up ./node_build/dependencies/libuv/test/test-getsockname.c.warnings ./node_build/dependencies/libuv/test/test-getsockname.c --- ./node_build/dependencies/libuv/test/test-getsockname.c.warnings 2017-02-21 17:56:22.000000000 -0500 +++ ./node_build/dependencies/libuv/test/test-getsockname.c 2017-02-24 12:36:55.763819191 -0500 From a6396ab85cad7669655a1bd86d75b268b3b44409 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 21 Feb 2018 15:00:07 -0500 Subject: [PATCH 11/13] Add example applications to README_Fedora.md --- cjdns.README_Fedora.md | 47 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 3 deletions(-) diff --git a/cjdns.README_Fedora.md b/cjdns.README_Fedora.md index a7647b7..7f8430b 100644 --- a/cjdns.README_Fedora.md +++ b/cjdns.README_Fedora.md 
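Review bot: The `# included in cjdns-20.1` comments that retire `Patch15: cjdns.benc.patch` ("Fix buffer overrun in JsonBencSerializer.c") and `Patch14: cjdns.entropy.patch` give no upstream reference. For a memory-safety fix in the bencode serializer the spec should cite the upstream commit or release note that contains it, so a later maintainer can verify the fix really shipped rather than trusting the comment. Disabling the `%prep` lines as `#patch14` / `#patch15` (no `%`) is the right form, since a `%patch` token inside a `#` comment would still be macro-expanded by rpmbuild.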
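Review bot: The extended `cjdns.sodium.patch` hunk for `node_build/make.js` now strips `-D_FORTIFY_SOURCE=2` and the `-march=native` block together with the earlier `if (CFLAGS)` handling. For a distribution build that is the right call (Fedora's `%optflags` already carries the hardening flags, and `-march=native` ties the binary to the builder's CPU, which is a reproducibility and portability problem), but nothing in the patch or the spec records that reasoning. Add a sentence to the patch header or the spec comment for the sodium patch, and check the build log to confirm that the `%optflags` values, including `-D_FORTIFY_SOURCE=2`, still reach the compiler through whatever replaces the removed block.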
@@ -9,6 +9,47 @@ address allocation and a distributed hash table for routing. This provides near-zero-configuration networking, and prevents many of the security and scalability issues that plague existing networks. +## Why? + +If you're here from the hyperboria docs, you're already sold - proceed to +Installing. But why should a Fedora user install cjdns? I'll mention just two +contrasting use cases, one mundane and the other paranoid. + +### VPN Mesh + +Configuring a point to point VPN connection with openvpn is fairly +straightforward, as is configuring a centralized VPN server and clients. +However, when every node in the VPN network needs to talk securely with many +other nodes, relaying every packet through the central server becomes a drag on +performance, and a single point of failure. Mesh VPNs, like tinc and cjdns +automatically create point to point connections based on a shared overall +configuration. Each node only needs a connection to one or more peers (that +can be reused) to get things started. + +With cjdns, however, things are much better than with tinc. On a local LAN or +mesh with broadcast, it is zero configuration. Peers are automatically +discovered via the 0xFC00 layer 2 protocol. There is no shared configuration - +the only thing required is adding one or more (for redundancy) internet peers +when no peers on the local LAN or mesh are available. Even better, when your +node is mobile, and you have geographically separated peers configured, cjdns +automatically switches to a faster peer as the relative performance changes. + +### Darknet + +In a widespread VPN, address assignment must be coordinated by a central +authority. The internet also uses centralized IP assignment, which means a +government can take away your IP at any time. Cjdns uses CryptoGraphic +Addressing (CGA). Your IP6 is the double SHA-512 of your public key truncated +to 128 bits. 
Your IP is as safe as the private key pair which produced it, and +cannot [insert standard cryptography disclaimer] be spoofed. Most mesh VPNs +decrypt packets before routing to a new node. This means that if a relay node +is compromised in a conventional VPN, it can see and even alter packets. All +cjdns packets are end to end encrypted - relay nodes are untrusted. Cjdns is +source routed, there is no centralized routing. If a node is "blackholing" +your packets for some reason - simply doesn't route through that node anymore. +(But see Security below.) The usual security problems with source routing +don't apply because cjdns IPs can't be (easily) spoofed. + ## Startup The key part of cjdns is the cjdroute background daemon. To start cjdroute: @@ -18,8 +59,8 @@ The key part of cjdns is the cjdroute background daemon. To start cjdroute: This will generate `/etc/cjdroute.conf` pre-populated with random keys and passwords. At first startup, cjdroute looks for neighboring cjdns peers on all active network interfaces using a layer 2 (e.g. ethernet) protocol. -This is exactly what you want if you are on a wifi mesh. If you only have a -conventional "clearnet" ISP, see the [upstream](README.md) README for +This is exactly what you want if you are on a LAN or wifi mesh. If you only +have a conventional "clearnet" ISP, see the [upstream](README.md) README for instructions on adding peers using the UDP protocol. (Search for "Find a friend".) @@ -42,7 +83,7 @@ The resume service restarts cjdns when the system wakes up from sleep. For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart and stop. -##Security +## Security By default, Fedora Workstation will treat the tun device created by cjdroute as "public", with SSH being the only incoming port allowed. There is no From a67e6cae16b2b3e0704144bd0f7bb764e3b1b5cd Mon Sep 17 00:00:00 2001 
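Review bot: In the new "Darknet" section, "relay nodes are untrusted" overstates what end-to-end encryption buys: a relay cannot read or alter the payload, but it still sees the source and destination cjdns addresses and the switch label, can drop or delay packets (the "blackholing" case the same paragraph describes), and can observe traffic timing. Suggest "relay nodes do not need to be trusted with the contents of your traffic". Two smaller points in the same hunk: the sentence 'If a node is "blackholing" your packets for some reason - simply doesn't route through that node anymore' has lost its subject (cjdns simply stops routing through that node), and the address derivation would be clearer with one added sentence that keys are generated until the double SHA-512 of the public key begins with 0xfc, which is why every cjdns address lands in fc00::/8 and why the routing-security advice later in the document works.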
From: "Stuart D. Gathman" Date: Wed, 21 Feb 2018 17:01:25 -0500 Subject: [PATCH 12/13] Exclude s390x for embedded cnacl --- cjdns.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cjdns.spec b/cjdns.spec index db6089f..f682c2f 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -130,6 +130,11 @@ Provides: bundled(nacl) = 20110221 %endif # build system requires nodejs, unfortunately ExclusiveArch: %{nodejs_arches} +%if 0%{use_embedded} +# The nodejs build system for embedded cnacl has no "plan" for s390x. +# It might work to copy another big endian plan like ppc64. +ExcludeArch: s390x +%endif %description Cjdns implements an encrypted IPv6 network using public-key cryptography for From 66beed5a143d2317080ec0437273466bc6080185 Mon Sep 17 00:00:00 2001 From: "Stuart D. Gathman" Date: Wed, 21 Feb 2018 17:51:34 -0500 Subject: [PATCH 13/13] Remove isa from Provides in python2-cjdns --- cjdns.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cjdns.spec b/cjdns.spec index f682c2f..b07597f 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -170,7 +170,7 @@ sessionStats show current crypto sessions %package -n python2-cjdns %{?python_provide:%python_provide python2-cjdns} # Remove before F30 -Provides: %{name}-python%{?_isa} = %{version}-%{release} +Provides: %{name}-python = %{version}-%{release} Obsoletes: %{name}-python < %{version}-%{release} Summary: Python tools for cjdns Group: System Environment/Base
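Review bot: The `ExcludeArch: s390x` added under `%if 0%{use_embedded}` is now the default behaviour, not an edge case: patch 09 in this series changed `%bcond_with subnode` to `%bcond_without subnode`, and `use_embedded` is set to 1 whenever subnode is enabled, so s390x drops out of the default build. The comment ("no plan for s390x") explains the mechanism but not that this is the shipped configuration; suggest stating that explicitly and adding a changelog line, since an architecture disappearing from a package is something reviewers and s390x users expect to find in `%changelog`. The final patch's `Provides: %{name}-python = %{version}-%{release}` correctly resolves the `%{?_isa}` issue from the python2-cjdns rename.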