diff --git a/.gitignore b/.gitignore
index 697fa3e..c192c5f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 /cjdns-v17.3.tar.gz
 /cjdns-v17.4.tar.gz
+/cjdns-v18.tar.gz
+/*.src.rpm
diff --git a/cjdns.README_Fedora.md b/cjdns.README_Fedora.md
index 9fb864f..8fa2b55 100644
--- a/cjdns.README_Fedora.md
+++ b/cjdns.README_Fedora.md
@@ -38,3 +38,63 @@ can speed this up dramatically with: systemctl enable cjdns-resume The resume service restarts cjdns when the system wakes up from sleep. + +For rhel6, use ```start cjdns``` instead of systemctl - ditto for restart +and stop. + +##Security + +By default, Fedora Workstation will treat the tun device created by cjdroute as +"public", with SSH being the only incoming port allowed. There is no +additional exposure with cjdns and the default Fedora firewall. If you have +modified the firewall config beyond opening additional incoming ports, be sure +that the cjdns tun is treated as public - because anyone in the world can +attempt to connect to you through it. Sometimes, people configure their +firewall to treat all tun devices as "VPN", and therefore somewhat more +trusted. This would be a mistake with cjdns. It is a VPN, for sure, but one +anyone in the world can join. + +Public keys for cjdns are based on Elliptic Curves. There is a known quantum +algorithm that could be used to crack them if quantum computers with sufficient +qubits are ever built. The solution when that happens is larger keys - which +are more cumbersome. + +The Distributed Hash Table algorithm is a core component of cjdns - which is +vulnerable to a Denial of Service attack known as "Sybil". This attack can +block specific updates to the DHT - to prevent your node from joining a mesh, +for instance. + +On the positive side, you can safely use telnet to cjdns IPs and the http +protocol is automatically encrypted (but you need a secure DNS or raw ip to be +sure you are talking to the right node). Many other protocols are +automatically encrypted while using cjdns. In general, connecting to a raw +cjdns IP is functionally equivalent to SSL/TLS with both client and server +authentication. + +Since the cjdroute core routing code parses network packets from untrusted +sources, it is a security risk and is heavily sandboxed. 
It runs as the cjdns +user in a chroot jail in an empty directory, with RLIMIT_NPROC set to 1 to +disable forking. Seccomp is used to limit available system calls to only those +actually needed. Installing the cjdns-selinux package installs a targeted +selinux policy that also restricts what the privileged process can access. + +##Routing security + +If cjdns is not running, cjdns packets will get routed in plaintext +to your default gateway by default. An attacker could then play +man-in-the-middle. If your default gateway is running cjdns, this +could even happen accidentally. + +This can be blocked by restricting ```fc00::/8``` to the interface +used by cjdroute in the firewall. + +## Advanced config + +You may install a network service that depends on cjdns, for instance you might +install thttpd to serve up +[nodeinfo.json](https://docs.meshwith.me/en/cjdns/nodeinfo.json.html). If +thttpd is configured to listen only on your cjdns IP, then it will not start +until cjdns is up and running. Add ```After=cjdns-wait-online.service``` to +```thttpd.service``` to hold off starting the service until cjdns has the +tunnel up and ready. + diff --git a/cjdns.sign.patch b/cjdns.sign.patch new file mode 100644 index 0000000..3b36ea4 --- /dev/null +++ b/cjdns.sign.patch 
@@ -0,0 +1,36 @@
+diff -up ./crypto/Sign.c.sign ./crypto/Sign.c
+--- ./crypto/Sign.c.sign 2016-10-11 17:39:44.000000000 -0400
++++ ./crypto/Sign.c 2016-10-14 20:59:49.143754098 -0400
+@@ -13,6 +13,7 @@
+ * along with this program. If not, see .
+ */
+
++#ifdef SUBNODE
+ #include "crypto/Sign.h"
+
+ #include "node_build/dependencies/cnacl/crypto_sign/ed25519/ref10/ge.h"
+@@ -110,3 +111,6 @@ int Sign_publicSigningKeyToCurve25519(ui
+
+ return 0;
+ }
++#else
++#pragma GCC diagnostic ignored "-Wpedantic"
++#endif // SUBNODE
+diff -up ./crypto/test/Sign_test.c.sign ./crypto/test/Sign_test.c
+--- ./crypto/test/Sign_test.c.sign 2016-10-11 17:39:44.000000000 -0400
++++ ./crypto/test/Sign_test.c 2016-10-14 20:57:28.737064976 -0400
+@@ -23,6 +23,7 @@
+
+ int main()
+ {
++#ifdef SUBNODE
+ struct Allocator* alloc = MallocAllocator_new(1048576);
+ struct Log* logger = FileWriterLog_new(stdout, alloc);
+ struct Random* rand = Random_new(alloc, logger, NULL);
+@@ -42,5 +43,6 @@ int main()
+ Assert_true(!Sign_verifyMsg(&signingKeyPair[32], msg));
+ Assert_true(!Sign_publicSigningKeyToCurve25519(curve25519publicB, &signingKeyPair[32]));
+ Assert_true(!Bits_memcmp(curve25519publicB, curve25519public, 32));
++#endif // SUBNODE
+ return 0;
+ }
diff --git a/cjdns.sodium.patch b/cjdns.sodium.patch
index 19e0c16..f166608 100644
--- a/cjdns.sodium.patch
+++ b/cjdns.sodium.patch
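Review bot: With SUBNODE undefined, the two `#ifdef SUBNODE` guards added to crypto/test/Sign_test.c in cjdns.sign.patch leave `main()` as a bare `return 0;`, so the signing test still builds and reports success while running none of the Sign_* checks. Making the skip visible would avoid a false green, for example an `#else` branch with `printf("Sign_test skipped: built without SUBNODE\n");` (assuming stdio is already included there, which the `stdout` argument suggests), or leaving the test out of the build when SUBNODE is off. In crypto/Sign.c the `#else` branch sets `#pragma GCC diagnostic ignored "-Wpedantic"` without explanation; it presumably silences the empty-translation-unit warning, and a comment such as `/* file is empty without SUBNODE; ISO C forbids an empty translation unit */` would say so. Most of both C files, including the middle of `main()`, lies outside the patch's hunks.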
@@ -1,13 +1,16 @@ -diff -up ./node_build/make.js.dyn ./node_build/make.js ---- ./node_build/make.js.dyn 2015-11-02 17:59:41.000000000 -0500 -+++ ./node_build/make.js 2015-11-04 19:57:49.961155943 -0500 -@@ -238,41 +238,9 @@ Builder.configure({ +diff -up ./node_build/make.js.sodium ./node_build/make.js +--- ./node_build/make.js.sodium 2016-10-11 17:39:44.000000000 -0400 ++++ ./node_build/make.js 2016-10-12 14:03:53.289124583 -0400 +@@ -252,44 +252,9 @@ Builder.configure({ }).nThen(function (waitFor) { - builder.config.libs.push(dependencyDir + '/cnacl/jsbuild/libnacl.a'); - builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include/'); - +- // needed for Sign.c which pulls in crypto_int32.h +- builder.config.includeDirs.push(dependencyDir + '/cnacl/jsbuild/include_internal/'); +- - Fs.exists(dependencyDir + '/cnacl/jsbuild/libnacl.a', waitFor(function (exists) { - if (exists) { return; } - @@ -46,7 +49,7 @@ diff -up ./node_build/make.js.dyn ./node_build/make.js }).nThen(function (waitFor) { -@@ -411,7 +379,7 @@ Builder.configure({ +@@ -430,7 +395,7 @@ Builder.configure({ builder.buildExecutable('crypto/random/randombytes.c'); builder.lintFiles(function (fileName, file, callback) { diff --git a/cjdns.spec b/cjdns.spec index 7f627d5..05986b3 100644 --- a/cjdns.spec +++ b/cjdns.spec @@ -3,8 +3,10 @@ # Use the optimized libnacl embedded with cjdns %global use_embedded 0 -# Use libsodium instead of nacl (f22,f23) +# Use libsodium instead of nacl %global use_libsodium 1 +# Option to enable SUBNODE mode (WIP) +%bcond_with subnode # Option to disable SECCOMP: confusing backward logic %bcond_without seccomp @@ -40,8 +42,8 @@ Name: cjdns # major version is cjdns protocol version: -Version: 17.4 -Release: 7%{?dist} +Version: 18 +Release: 2%{?dist} Summary: The privacy-friendly network without borders Group: System Environment/Base # cjdns is all GPLv3 except libuv which is MIT and BSD and ISC 
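Review bot: `%bcond_with subnode` in the first cjdns.spec hunk is not consumed by any hunk shown here: nothing tests `%{with subnode}` or passes a SUBNODE define to the build, so as far as this diff shows the option cannot re-enable the code that cjdns.sign.patch guards. If the wiring exists in a part of the spec outside these hunks, a comment beside the option naming where it is used would help. If it does not exist yet, the comment should say so, e.g. `# Option to enable SUBNODE mode (WIP, not yet passed to the build)`.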
@@ -86,6 +88,8 @@ Patch9: cjdns.man.patch Patch10: cjdns.tools.patch # Alternate dynamic library patch to use libsodium Patch11: cjdns.sodium.patch +# Disable WIP subnode code when SUBNODE not enabled +Patch12: cjdns.sign.patch BuildRequires: nodejs, nodejs-ronn @@ -106,6 +110,9 @@ Requires(postun): systemd %endif Requires(pre): shadow-utils Provides: bundled(libuv) = 0.11.4 +%if 0%{use_embedded} +Provides: bundled(nacl) = 20110221 +%endif # build system requires nodejs, unfortunately ExclusiveArch: %{nodejs_arches} @@ -187,6 +194,7 @@ elif test -d %{_includedir}/nacl && test -r %{_libdir}/libnacl.a; then ln -s %{_includedir}/nacl cnacl/jsbuild/include cd - fi +%patch12 -b .sign %endif %if !0%{?rhel} || 0%{?rhel} > 6 @@ -474,6 +482,13 @@ fi %{_bindir}/graphStats %changelog +* Fri Oct 14 2016 Stuart D. Gathman 18-2 +- Remove Sign.c which uses a private API and isn't needed until supernodes. +- Use libsodium by default: seems best performance of dynamic libraries + +* Wed Oct 12 2016 Stuart D. Gathman 18-1 +- Update to 18 upstream release + * Mon Aug 15 2016 Stuart D. Gathman 17.4-7 - Move modprobe to cjdns-loadmodules.service diff --git a/sources b/sources index 762a857..744f9ad 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -efc62329874a0620a532269a53dbfc85 cjdns-v17.3.tar.gz -e74f25941879e807086a8b70771fcf60 cjdns-v17.4.tar.gz +9f6600d9ed0d87d4e17fbc9155ff0368 cjdns-v18.tar.gz
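Review bot: `%patch12 -b .sign` is placed just before an `%endif` whose opening `%if` lies outside the hunk, so the Sign.c guard is applied only on that branch, which from the libnacl.a lines above it looks like the system-library path. The `Patch12:` comment reads as if the patch were always applied. A comment at the `%patch12` line, e.g. `# Sign.c needs cnacl private headers, unavailable with system nacl/libsodium`, would record why the embedded build is left alone. That reason is inferred from the changelog entry about a private API and should be confirmed.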