From dcdbe474e79192da5c47f81a6c1d2b5006748cd8 Mon Sep 17 00:00:00 2001 From: Stuart D. Gathman Date: Oct 12 2016 20:36:47 +0000 Subject: New version --- diff --git a/.gitignore b/.gitignore index 697fa3e..c192c5f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ /cjdns-v17.3.tar.gz /cjdns-v17.4.tar.gz +/cjdns-v18.tar.gz +/*.src.rpm diff --git a/cjdns.README_Fedora.md b/cjdns.README_Fedora.md index 9fb864f..8fa2b55 100644 --- a/cjdns.README_Fedora.md +++ b/cjdns.README_Fedora.md @@ -38,3 +38,63 @@ can speed this up dramatically with: systemctl enable cjdns-resume The resume service restarts cjdns when the system wakes up from sleep. + +For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart +and stop. + +##Security + +By default, Fedora Workstation will treat the tun device created by cjdroute as +"public", with SSH being the only incoming port allowed. There is no +additional exposure with cjdns and the default Fedora firewall. If you have +modified the firewall config beyond opening additional incoming ports, be sure +that the cjdns tun is treated as public - because anyone in the world can +attempt to connect to you through it. Sometimes, people configure their +firewall to treat all tun devices as "VPN", and therefore somewhat more +trusted. This would be a mistake with cjdns. It is a VPN, for sure, but one +anyone in the world can join. + +Public keys for cjdns are based on Elliptic Curves. There is a known quantum +algorithm that could be used to crack them if quantum computers with sufficient +qubits are ever built. The solution when that happens is larger keys - which +are more cumbersome. + +The Distributed Hash Table algorithm is a core component of cjdns - which is +vulnerable to a Denial of Service attack known as "Sybil". This attack can +block specific updates to the DHT - to prevent your node from joining a mesh, +for instance. + +On the positive side, you can safely use telnet to cjdns IPs and the http +protocol is automatically encrypted (but you need a secure DNS or raw ip to be +sure you are talking to the right node). Many other protocols are +automatically encrypted while using cjdns. In general, connecting to a raw +cjdns IP is functionally equivalent to SSL/TLS with both client and server +authentication. + +Since the cjdroute core routing code parses network packets from untrusted +sources, it is a security risk and is heavily sandboxed. It runs as the cjdns +user in a chroot jail in an empty directory, with RLIMIT_NPROC set to 1 to +disable forking. Seccomp is used to limit available system calls to only those +actually needed. Installing the cjdns-selinux package installs a targeted +selinux policy that also restricts what the privileged process can access. + +##Routing security + +If cjdns is not running, cjdns packets will get routed in plaintext +to your default gateway by default. An attacker could then play +man-in-the-middle. If your default gateway is running cjdns, this +could even happen accidentally. + +This can be blocked by restricting ```fc00::/8``` to the interface +used by cjdroute in the firewall. + +## Advanced config + +You may install a network service that depends on cjdns, for instance you might +install thttpd to serve up +[nodeinfo.json](https://docs.meshwith.me/en/cjdns/nodeinfo.json.html). If +thttpd is configured to listen only on your cjdns IP, then it will not start +until cjdns is up and running. Add ```After=cjdns-wait-online.service``` to +```thttpd.service``` to hold off starting the service until cjdns has the +tunnel up and ready. + diff --git a/cjdns.sodium.patch b/cjdns.sodium.patch index 19e0c16..f166608 100644 --- a/cjdns.sodium.patch +++ b/cjdns.sodium.patch @@ -1,13 +1,16 @@ -diff -up ./node_build/make.js.dyn ./node_build/make.js ---- ./node_build/make.js.dyn 2015-11-02 17:59:41.000000000 -0500 -+++ ./node_build/make.js 2015-11-04 19:57:49.961155943 -0500 -@@ -238,41 +238,9 @@ Builder.configure({ +diff -up ./node_build/make.js.sodium ./node_build/make.js +--- ./node_build/make.js.sodium 2016-10-11 17:39:44.000000000 -0400 ++++ ./node_build/make.js 2016-10-12 14:03:53.289124583 -0400 +@@ -252,44 +252,9 @@ Builder.configure({ }).nThen(function (waitFor) { - builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a'); - builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/'); - +- // needed for Sign.c which pulls in crypto_int32.h +- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/'); +- - Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) { - if (exists) { return; } - @@ -46,7 +49,7 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js }).nThen(function (waitFor) { -@@ -411,7 +379,7 @@ Builder.configure({ +@@ -430,7 +395,7 @@ Builder.configure({ builder.buildExecutable('crypto/random/randombytes.c'); builder.lintFiles(function (fileName, file, callback) { diff --git a/cjdns.spec b/cjdns.spec index 8570799..9968f4d 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -2,7 +2,7 @@ # Fedora review: http://bugzilla.redhat.com/1268716 # Use the optimized libnacl embedded with cjdns -%global use_embedded 0 +%global use_embedded 1 # Use libsodium instead of nacl %global use_libsodium 0 # Option to disable SECCOMP: confusing backward logic @@ -40,8 +40,8 @@ Name: cjdns # major version is cjdns protocol version: -Version: 17.4 -Release: 7%{?dist} +Version: 18 +Release: 1%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC @@ -106,6 +106,9 @@ Requires(postun): systemd %endif Requires(pre): shadow-utils Provides: bundled(libuv) = 0.11.4 +%if 0%{use_embedded} +Provides: bundled(nacl) = 20110221 +%endif # build system requires nodejs, unfortunately ExclusiveArch: %{nodejs_arches} @@ -474,6 +477,9 @@ fi %{_bindir}/graphStats %changelog +* Wed Oct 12 2016 Stuart D. Gathman 18-1 +- Update to 18 upstream release + * Mon Aug 15 2016 Stuart D. Gathman 17.4-7 - Move modprobe to cjdns-loadmodules.service diff --git a/sources b/sources index 762a857..744f9ad 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -efc62329874a0620a532269a53dbfc85 cjdns-v17.3.tar.gz -e74f25941879e807086a8b70771fcf60 cjdns-v17.4.tar.gz +9f6600d9ed0d87d4e17fbc9155ff0368 cjdns-v18.tar.gz