From 538de792f0c0d3f223a1cfd1f673b3d06ed36e63 Mon Sep 17 00:00:00 2001 From: Stuart D. Gathman Date: Oct 15 2016 17:37:41 +0000 Subject: Merge branch 'master' into epel7 --- diff --git a/.gitignore b/.gitignore index 697fa3e..c192c5f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ /cjdns-v17.3.tar.gz /cjdns-v17.4.tar.gz +/cjdns-v18.tar.gz +/*.src.rpm diff --git a/cjdns.README_Fedora.md b/cjdns.README_Fedora.md index 9fb864f..8fa2b55 100644 --- a/cjdns.README_Fedora.md +++ b/cjdns.README_Fedora.md @@ -38,3 +38,63 @@ can speed this up dramatically with: systemctl enable cjdns-resume The resume service restarts cjdns when the system wakes up from sleep. + +For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart +and stop. + +##Security + +By default, Fedora Workstation will treat the tun device created by cjdroute as +"public", with SSH being the only incoming port allowed. There is no +additional exposure with cjdns and the default Fedora firewall. If you have +modified the firewall config beyond opening additional incoming ports, be sure +that the cjdns tun is treated as public - because anyone in the world can +attempt to connect to you through it. Sometimes, people configure their +firewall to treat all tun devices as "VPN", and therefore somewhat more +trusted. This would be a mistake with cjdns. It is a VPN, for sure, but one +anyone in the world can join. + +Public keys for cjdns are based on Elliptic Curves. There is a known quantum +algorithm that could be used to crack them if quantum computers with sufficient +qubits are ever built. The solution when that happens is larger keys - which +are more cumbersome. + +The Distributed Hash Table algorithm is a core component of cjdns - which is +vulnerable to a Denial of Service attack known as "Sybil". This attack can +block specific updates to the DHT - to prevent your node from joining a mesh, +for instance. + +On the positive side, you can safely use telnet to cjdns IPs and the http +protocol is automatically encrypted (but you need a secure DNS or raw ip to be +sure you are talking to the right node). Many other protocols are +automatically encrypted while using cjdns. In general, connecting to a raw +cjdns IP is functionally equivalent to SSL/TLS with both client and server +authentication. + +Since the cjdroute core routing code parses network packets from untrusted +sources, it is a security risk and is heavily sandboxed. It runs as the cjdns +user in a chroot jail in an empty directory, with RLIMIT_NPROC set to 1 to +disable forking. Seccomp is used to limit available system calls to only those +actually needed. Installing the cjdns-selinux package installs a targeted +selinux policy that also restricts what the privileged process can access. + +##Routing security + +If cjdns is not running, cjdns packets will get routed in plaintext +to your default gateway by default. An attacker could then play +man-in-the-middle. If your default gateway is running cjdns, this +could even happen accidentally. + +This can be blocked by restricting ```fc00::/8``` to the interface +used by cjdroute in the firewall. + +## Advanced config + +You may install a network service that depends on cjdns, for instance you might +install thttpd to serve up +[nodeinfo.json](https://docs.meshwith.me/en/cjdns/nodeinfo.json.html). If +thttpd is configured to listen only on your cjdns IP, then it will not start +until cjdns is up and running. Add ```After=cjdns-wait-online.service``` to +```thttpd.service``` to hold off starting the service until cjdns has the +tunnel up and ready. + diff --git a/cjdns.dyn.patch b/cjdns.dyn.patch index dc5062d..9dc22e0 100644 --- a/cjdns.dyn.patch +++ b/cjdns.dyn.patch @@ -1,13 +1,16 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js ---- ./node_build/make.js.dyn 2016-01-27 03:07:49.000000000 -0500 -+++ ./node_build/make.js 2016-04-18 16:17:04.052719207 -0400 -@@ -250,41 +250,9 @@ Builder.configure({ +--- ./node_build/make.js.dyn 2016-10-11 17:39:44.000000000 -0400 ++++ ./node_build/make.js 2016-10-14 22:08:23.018241766 -0400 +@@ -252,44 +252,9 @@ Builder.configure({ }).nThen(function (waitFor) { - builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a'); - builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/'); - +- // needed for Sign.c which pulls in crypto_int32.h +- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/'); +- - Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) { - if (exists) { return; } - @@ -46,7 +49,7 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js }).nThen(function (waitFor) { -@@ -423,7 +391,7 @@ Builder.configure({ +@@ -430,7 +395,7 @@ Builder.configure({ builder.buildExecutable('crypto/random/randombytes.c'); builder.lintFiles(function (fileName, file, callback) { diff --git a/cjdns.sbin.patch b/cjdns.sbin.patch index fecb18c..f628a1c 100644 --- a/cjdns.sbin.patch +++ b/cjdns.sbin.patch @@ -1,6 +1,23 @@ +diff -up ./contrib/systemd/cjdns-loadmodules.service.sbin ./contrib/systemd/cjdns-loadmodules.service +--- ./contrib/systemd/cjdns-loadmodules.service.sbin 2016-08-15 13:39:48.892573194 -0400 ++++ ./contrib/systemd/cjdns-loadmodules.service 2016-08-15 13:47:24.336772295 -0400 +@@ -0,0 +1,13 @@ ++[Unit] ++Description=Load cjdns kernel modules ++# Load kernel modules needed by cjdns so that it doesn't need the privilege ++Before=cjdns.service ++# Do not try to load modules in containers like openvz ++ConditionVirtualization=!container ++ ++[Service] ++Type=oneshot ++ExecStart=/usr/sbin/modprobe tun ++ ++[Install] ++WantedBy=multi-user.target diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.sh ---- ./contrib/systemd/cjdns-online.sh.sbin 2016-06-23 22:49:23.703114380 -0400 -+++ ./contrib/systemd/cjdns-online.sh 2016-06-23 22:51:50.666731442 -0400 +--- ./contrib/systemd/cjdns-online.sh.sbin 2016-08-15 13:33:11.356021398 -0400 ++++ ./contrib/systemd/cjdns-online.sh 2016-08-15 13:33:11.356021398 -0400 @@ -0,0 +1,90 @@ +#!/bin/sh +# Check whether cjdns IPs are available @@ -94,25 +111,34 @@ diff -up ./contrib/systemd/cjdns-online.sh.sbin ./contrib/systemd/cjdns-online.s +fi diff -up ./contrib/systemd/cjdns.service.sbin ./contrib/systemd/cjdns.service --- ./contrib/systemd/cjdns.service.sbin 2016-06-14 17:58:54.000000000 -0400 -+++ ./contrib/systemd/cjdns.service 2016-06-23 22:49:23.703114380 -0400 -@@ -9,10 +9,11 @@ ProtectSystem=true ++++ ./contrib/systemd/cjdns.service 2016-08-15 13:56:20.198792714 -0400 +@@ -1,18 +1,20 @@ + [Unit] + Description=cjdns: routing engine designed for security, scalability, speed and ease of use + Wants=network.target +-After=network.target ++After=network.target cjdns-loadmodules.service ++Requires=cjdns-loadmodules.service + + [Service] + ProtectHome=true + ProtectSystem=true SyslogIdentifier=cjdroute ++CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_CHROOT CAP_AUDIT_CONTROL ExecStartPre=/bin/sh -ec "if ! test -s /etc/cjdroute.conf; \ then umask 077; \ - /usr/bin/cjdroute --genconf > /etc/cjdroute.conf; \ + /usr/sbin/cjdroute --genconf | cat > /etc/cjdroute.conf; \ echo 'WARNING: A new /etc/cjdroute.conf file has been generated.'; \ -- fi" + fi" -ExecStart=/bin/sh -c "exec cjdroute --nobg < /etc/cjdroute.conf" -+ fi; case $(wc -c /proc/modules) in \ -+ 0*) ;; *) /sbin/modprobe tun;; esac" +ExecStart=/bin/sh -c "exec /usr/sbin/cjdroute --nobg < /etc/cjdroute.conf" Restart=always [Install] diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdns-wait-online.service ---- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-06-23 22:49:23.703114380 -0400 -+++ ./contrib/systemd/cjdns-wait-online.service 2016-06-23 22:49:23.703114380 -0400 +--- ./contrib/systemd/cjdns-wait-online.service.sbin 2016-08-15 13:33:11.356021398 -0400 ++++ ./contrib/systemd/cjdns-wait-online.service 2016-08-15 13:33:11.356021398 -0400 @@ -0,0 +1,13 @@ +[Unit] +Description=CJDNS Wait Online @@ -129,7 +155,7 @@ diff -up ./contrib/systemd/cjdns-wait-online.service.sbin ./contrib/systemd/cjdn +WantedBy=multi-user.target diff -up ./contrib/upstart/cjdns.conf.sbin ./contrib/upstart/cjdns.conf --- ./contrib/upstart/cjdns.conf.sbin 2016-06-14 17:58:54.000000000 -0400 -+++ ./contrib/upstart/cjdns.conf 2016-06-23 22:49:23.703114380 -0400 ++++ ./contrib/upstart/cjdns.conf 2016-08-15 13:33:11.356021398 -0400 @@ -13,10 +13,16 @@ pre-start script if ! [ -s /etc/cjdroute.conf ]; then ( # start a subshell to avoid side effects of umask later on diff --git a/cjdns.sign.patch b/cjdns.sign.patch new file mode 100644 index 0000000..3b36ea4 --- /dev/null +++ b/cjdns.sign.patch @@ -0,0 +1,36 @@ +diff -up ./crypto/Sign.c.sign ./crypto/Sign.c +--- ./crypto/Sign.c.sign 2016-10-11 17:39:44.000000000 -0400 ++++ ./crypto/Sign.c 2016-10-14 20:59:49.143754098 -0400 +@@ -13,6 +13,7 @@ + * along with this program. If not, see . + */ + ++#ifdef SUBNODE + #include "crypto/Sign.h" + + #include "node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge.h" +@@ -110,3 +111,6 @@ int Sign_publicSigningKeyToCurve25519(ui + + return 0; + } ++#else ++#pragma GCC diagnostic ignored "-Wpedantic" ++#endif // SUBNODE +diff -up ./crypto/test/Sign_test.c.sign ./crypto/test/Sign_test.c +--- ./crypto/test/Sign_test.c.sign 2016-10-11 17:39:44.000000000 -0400 ++++ ./crypto/test/Sign_test.c 2016-10-14 20:57:28.737064976 -0400 +@@ -23,6 +23,7 @@ + + int main() + { ++#ifdef SUBNODE + struct Allocator* alloc = MallocAllocator_new(1048576); + struct Log* logger = FileWriterLog_new(stdout, alloc); + struct Random* rand = Random_new(alloc, logger, NULL); +@@ -42,5 +43,6 @@ int main() + Assert_true(!Sign_verifyMsg(&signingKeyPair[32], msg)); + Assert_true(!Sign_publicSigningKeyToCurve25519(curve25519publicB, &signingKeyPair[32])); + Assert_true(!Bits_memcmp(curve25519publicB, curve25519public, 32)); ++#endif // SUBNODE + return 0; + } diff --git a/cjdns.sodium.patch b/cjdns.sodium.patch index 19e0c16..7c637a8 100644 --- a/cjdns.sodium.patch +++ b/cjdns.sodium.patch @@ -1,13 +1,16 @@ -diff -up ./node_build/make.js.dyn ./node_build/make.js ---- ./node_build/make.js.dyn 2015-11-02 17:59:41.000000000 -0500 -+++ ./node_build/make.js 2015-11-04 19:57:49.961155943 -0500 -@@ -238,41 +238,9 @@ Builder.configure({ +diff -up ./node_build/make.js.sodium ./node_build/make.js +--- ./node_build/make.js.sodium 2016-10-11 17:39:44.000000000 -0400 ++++ ./node_build/make.js 2016-10-14 22:23:23.711086438 -0400 +@@ -252,44 +252,8 @@ Builder.configure({ }).nThen(function (waitFor) { - builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a'); - builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/'); - +- // needed for Sign.c which pulls in crypto_int32.h +- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/'); +- - Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) { - if (exists) { return; } - @@ -41,12 +44,11 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js - })); - })); + builder.config.libs.push('-lsodium'); -+ builder.config.libs.push('-lstdc++'); + builder.config.includeDirs.push('/usr/include/sodium/'); }).nThen(function (waitFor) { -@@ -411,7 +379,7 @@ Builder.configure({ +@@ -430,7 +394,7 @@ Builder.configure({ builder.buildExecutable('crypto/random/randombytes.c'); builder.lintFiles(function (fileName, file, callback) { diff --git a/cjdns.spec b/cjdns.spec index 5412a99..67661ee 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -4,7 +4,11 @@ # Use the optimized libnacl embedded with cjdns %global use_embedded 0 # Use libsodium instead of nacl -%global use_libsodium 0 +%global use_libsodium 1 +# Option to enable SUBNODE mode (WIP) +%bcond_with subnode +# Option to disable SECCOMP: confusing backward logic +%bcond_without seccomp %if 0%{use_libsodium} %global nacl_name libsodium @@ -38,8 +42,8 @@ Name: cjdns # major version is cjdns protocol version: -Version: 17.4 -Release: 4%{?dist} +Version: 18 +Release: 3%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -84,6 +88,8 @@ Patch9: cjdns.man.patch Patch10: cjdns.tools.patch # Alternate dynamic library patch to use libsodium Patch11: cjdns.sodium.patch +# Disable WIP subnode code when SUBNODE not enabled +Patch12: cjdns.sign.patch BuildRequires: nodejs, nodejs-ronn @@ -104,6 +110,9 @@ Requires(postun): systemd %endif Requires(pre): shadow-utils Provides: bundled(libuv) = 0.11.4 +%if 0%{use_embedded} +Provides: bundled(nacl) = 20110221 +%endif # build system requires nodejs, unfortunately ExclusiveArch: %{nodejs_arches} @@ -185,6 +194,7 @@ elif test -d %{_includedir}/nacl && test -r %{_libdir}/libnacl.a; then ln -s %{_includedir}/nacl cnacl/jsbuild/include cd - fi +%patch12 -b .sign %endif %if !0%{?rhel} || 0%{?rhel} > 6 @@ -221,7 +231,12 @@ cd contrib/selinux ln -s /usr/share/selinux/devel/Makefile . make cd - + # nodejs based build system + +%if !%{with seccomp} +export Seccomp_NO=1 +%endif CJDNS_RELEASE_VERSION="%{name}-%{version}-%{release}" ./do # FIXME: use system libuv on compatible systems @@ -467,6 +482,25 @@ fi %{_bindir}/graphStats %changelog +* Fri Oct 14 2016 Stuart D. Gathman 18-3 +- libstdc++ not needed with libsodium + +* Fri Oct 14 2016 Stuart D. Gathman 18-2 +- Remove Sign.c which uses a private API and isn't needed until supernodes. +- Use libsodium by default: seems best performance of dynamic libraries + +* Wed Oct 12 2016 Stuart D. Gathman 18-1 +- Update to 18 upstream release + +* Mon Aug 15 2016 Stuart D. Gathman 17.4-7 +- Move modprobe to cjdns-loadmodules.service + +* Wed Aug 10 2016 Stuart D. Gathman 17.4-6 +- Fix logic for %%bcond_without seccomp + +* Wed Aug 10 2016 Stuart D. Gathman 17.4-5 +- cjdns.service: add CapabilityBoundingSet + * Fri Jun 24 2016 Stuart D. Gathman 17.4-4 - cjdns-selinux: allow cjdroute to manipulate route table diff --git a/sources b/sources index 762a857..744f9ad 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -efc62329874a0620a532269a53dbfc85 cjdns-v17.3.tar.gz -e74f25941879e807086a8b70771fcf60 cjdns-v17.4.tar.gz +9f6600d9ed0d87d4e17fbc9155ff0368 cjdns-v18.tar.gz