Wade Simmons
7f6976ba5d
Merge remote-tracking branch 'origin/master' into fips140
2026-05-01 13:57:26 -04:00
Nate Brown
f141cebe8d
Run e2e tests in parallel, include a goroutine leak detector test (#1700)
2026-04-30 21:30:56 -05:00
Nate Brown
9ec8cf10f3
Handshake state machine (#1656)
2026-04-30 21:30:27 -05:00
Wade Simmons
5dd566e220
also support fips140v1.26
This will be inprocess soon
2026-04-30 15:21:58 -04:00
Wade Simmons
b79fdc272a
better default
2026-04-28 13:12:57 -04:00
Wade Simmons
d4d747f219
no longer need go1.26 with this fix
2026-04-28 13:12:22 -04:00
Wade Simmons
4ff9e97dce
Revert "need go1.26"
This reverts commit 65450f9d21.
2026-04-28 13:12:10 -04:00
Wade Simmons
bdbd483063
Revert "bump linter to support go1.26"
This reverts commit 1403473e4b.
2026-04-28 13:11:36 -04:00
Wade Simmons
1403473e4b
bump linter to support go1.26
2026-04-28 12:03:31 -04:00
Wade Simmons
ae58085032
cleanup, no GODEBUG needed
2026-04-28 11:58:43 -04:00
Wade Simmons
65450f9d21
need go1.26
2026-04-27 17:18:04 -04:00
Wade Simmons
f9532f4244
requires go1.26
2026-04-27 17:16:28 -04:00
Wade Simmons
fcfbec4710
log the fips140 mode and version
Requires go1.26 for fips140.Version()
2026-04-27 16:43:35 -04:00
Wade Simmons
e6eeb3709b
fix smoke tests
2026-04-27 16:27:58 -04:00
Wade Simmons
ef8b700474
fix mismerge
2026-04-27 16:24:34 -04:00
Wade Simmons
243cf4a7c5
Revert "cleanup"
This reverts commit 08ee2ab35f.
2026-04-27 16:22:09 -04:00
Wade Simmons
08ee2ab35f
cleanup
2026-04-27 14:18:17 -04:00
Wade Simmons
2d5d86f24d
Merge remote-tracking branch 'origin/master' into fips140
2026-04-27 14:13:47 -04:00
Nate Brown
1ab1f71dba
Make stats a server we can reconfigure and start/stop (#1670)
2026-04-27 12:25:24 -05:00
Nate Brown
d0f02ba873
Switch to slog, remove logrus (#1672)
2026-04-27 09:41:47 -05:00
Jack Doan
5f890dbc34
noise: only type-assert once (#1691)
2026-04-24 13:12:42 -05:00
brad-defined
db85d61c23
SSH handshake in goroutine and defer close (#1640)
* SSH handshake in goroutine and defer close
2026-04-23 14:53:52 -04:00
Nate Brown
db9218b0be
Another shot at the flakey smoke test (#1688)
2026-04-23 13:51:15 -05:00
Nate Brown
5f00ab4b74
Fix e2e tests writing after the tester tun is closed causing a panic (#1681)
2026-04-22 17:18:06 -05:00
Guy Nesher
2a1cc62001
fix: guard QueryCert against panic on short/empty QNAME (#1635)
* fix: guard QueryCert against panic on short/empty QNAME
QueryCert slices data[:len(data)-1] to strip a trailing dot, which
panics when data is empty (slice bounds [:-1]). Add a length check
to return early for inputs shorter than a minimal valid "x." form.
While miekg/dns currently rejects wire-format packets that would
produce an empty QNAME, the Nebula code should not rely on library
behavior for crash safety.
Made-with: Cursor
* fix merge conflicts
---------
Co-authored-by: JackDoan <me@jackdoan.com>
2026-04-22 12:42:14 -05:00
John Maguire
e753e6e93c
Immediate Lighthouse update after reconfig/reconnect (#1645)
2026-04-21 16:33:32 -04:00
John Maguire
32a7c04498
Return NODATA instead of NXDOMAIN for missing record types (#1668)
The DNS responder was setting RCODE=NXDOMAIN (Name Error) any time the
answer section was empty, including for names that exist in the
lighthouse but lack a record of the requested type (e.g. an AAAA query
for a v4-only host). Per RFC 2308 §2.1, NXDOMAIN means "the domain
referred to by the QNAME does not exist", and per RFC 2308 §2.2 a name
that exists with no record of the requested type must be answered with
RCODE=NOERROR and an empty answer section (NODATA).
The practical fallout: busybox ping in Alpine issues AAAA first, treats
NXDOMAIN as a hard failure, and never falls through to A. Returning
NODATA lets the resolver continue to the A query as it should.
Track whether any queried A/AAAA name is known in either map and only
set RcodeNameError when no queried name exists at all.
2026-04-21 16:32:48 -04:00
Nate Brown
8c50fc3f60
Plug the conntrack cache ticker leak and nebula-service log.Fatal calls (#1669)
2026-04-21 13:19:54 -05:00
Nate Brown
2f4532f102
No more dns globals, proper cleanup on shutdown (#1667)
2026-04-21 12:41:10 -05:00
Nate Brown
8c71f2f3f9
FreeBSD tun needs to be non blocking as well (#1666)
2026-04-21 10:45:46 -05:00
Nate Brown
3d34cc9b74
Try to make smoke less flakey (#1663)
2026-04-20 16:38:14 -05:00
Jack Doan
e80b9830a3
Remove more os.Exit calls and give a more reliable wait for stop function (attempt 3) (#1661)
2026-04-20 16:08:26 -05:00
Nate Brown
49e3c4649b
Try the hot new DefinedNet openbsd78 box (#1657)
2026-04-17 09:18:23 -05:00
dependabot[bot]
72c04b90bd
Bump golang.zx2c4.com/wireguard/windows in the zx2c4-dependencies group (#1652)
Bumps the zx2c4-dependencies group with 1 update: golang.zx2c4.com/wireguard/windows.
Updates `golang.zx2c4.com/wireguard/windows` from 0.5.3 to 0.6.1
---
updated-dependencies:
- dependency-name: golang.zx2c4.com/wireguard/windows
dependency-version: 0.6.1
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: zx2c4-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 13:27:14 -05:00
dependabot[bot]
36ab1dbb97
Bump the golang-x-dependencies group across 1 directory with 5 updates (#1629)
Bumps the golang-x-dependencies group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/sync](https://github.com/golang/sync).
Updates `golang.org/x/crypto` from 0.47.0 to 0.48.0
- [Commits](https://github.com/golang/crypto/compare/v0.47.0...v0.48.0)
Updates `golang.org/x/net` from 0.49.0 to 0.51.0
- [Commits](https://github.com/golang/net/compare/v0.49.0...v0.51.0)
Updates `golang.org/x/sync` from 0.19.0 to 0.20.0
- [Commits](https://github.com/golang/sync/compare/v0.19.0...v0.20.0)
Updates `golang.org/x/sys` from 0.40.0 to 0.41.0
- [Commits](https://github.com/golang/sys/compare/v0.40.0...v0.41.0)
Updates `golang.org/x/term` from 0.39.0 to 0.40.0
- [Commits](https://github.com/golang/term/compare/v0.39.0...v0.40.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
dependency-version: 0.48.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/net
dependency-version: 0.51.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sync
dependency-version: 0.20.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sys
dependency-version: 0.41.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/term
dependency-version: 0.40.0
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: golang-x-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 13:02:29 -05:00
dependabot[bot]
f77fe74192
Bump github.com/miekg/pkcs11 (#1586)
Bumps [github.com/miekg/pkcs11](https://github.com/miekg/pkcs11) from 1.1.2-0.20231115102856-9078ad6b9d4b to 1.1.2.
- [Changelog](https://github.com/miekg/pkcs11/blob/master/release.go)
- [Commits](https://github.com/miekg/pkcs11/commits/v1.1.2)
---
updated-dependencies:
- dependency-name: github.com/miekg/pkcs11
dependency-version: 1.1.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 12:27:19 -05:00
dependabot[bot]
24c9c704a0
Bump github.com/miekg/dns from 1.1.70 to 1.1.72 (#1587)
Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.70 to 1.1.72.
- [Commits](https://github.com/miekg/dns/compare/v1.1.70...v1.1.72)
---
updated-dependencies:
- dependency-name: github.com/miekg/dns
dependency-version: 1.1.72
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-04-15 11:54:47 -05:00
Nate Brown
a5e81efe7b
Try rsync from somewhere else (#1655)
2026-04-15 09:23:33 -05:00
Jack Doan
b3194236aa
udp_linux: wrap socket operations with syscall.RawConn for clean teardown (#1654)
remove runtime.LockOSThread() because it makes things worse now
remove the "custom" Write() method from tun_linux.go, the stdlib path via os.File performs better
We should change our guidance around number of routines, ~2 per thread (that you wish to use for Nebula) seems to be about right now
2026-04-14 18:25:24 -05:00
Nate Brown
3fae693c42
Additional e2e tests to assert current handshake behavior (#1653)
2026-04-14 13:32:01 -05:00
John Maguire
0ad5c771e9
Refactor CA pool handling to use streaming (#1644)
Co-authored-by: maggie44 <64841595+maggie44@users.noreply.github.com>
Co-authored-by: JackDoan <me@jackdoan.com>
2026-04-13 13:19:55 -04:00
Jay R. Wren
6727113b2b
gh workflow release: protect from ref_name attack (#1650)
It is not likely, but better to be safe.
2026-04-06 12:24:28 -04:00
Jay R. Wren
f8587956ba
add sshd.sandbox_dir config option (#1622)
* add sshd.sandbox_dir config option
Sanitize SSH profile paths (ssh.go:514,683,719) — restrict os.Create(a[0]) to a safe directory.
Add a config option in the config file to specify the sandbox directory. For backwards compatibility, if the config is not specified, keep the current behavior.
* update default and example
* use os.TempDir() for sshd.sandbox_dir default
* split sandbox path validation into separate conditionals
Separate the combined && check in sshSanitizeFilePath into two distinct
conditionals with specific error messages: one for paths resolving to the
sandbox directory itself, and one for paths outside the sandbox.
Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>
* fix: trim leading zeros from p256 signature swap result
bigmod.Nat.Bytes() returns fixed-size 32-byte slices, but ASN.1 INTEGER
parsing strips leading zeros. This caused a flaky test failure (~1/256
chance) when the S value's high byte was zero.
Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com>
---------
Co-authored-by: Claude <svc-devxp-claude@slack-corp.com>
2026-04-03 09:37:18 -04:00
John Maguire
951d368faf
Add a small link to DN Managed Nebula (#1641)
* Add a small link to DN Managed Nebula
Also link the mobile source code
2026-03-30 16:20:21 -04:00
Jack Doan
91d1f4675a
properly handle closetunnel packets (#1638)
2026-03-25 11:59:37 -05:00
John Maguire
9f1aef53fa
Fix dissector logic (#1626)
* Fix typo in Wireshark dissector
* Fix wireshark dissector prefs_changed logic
The previous logic had several issues:
- Changing only the port number (without toggling all_ports) would
not re-register the dissector on the new port.
- Turning all_ports off would remove all registrations but only
re-add the specific port inside a branch that also required
all_ports to have changed, and never updated default_settings.port.
Simplify to: remove all registrations, then register based on current
prefs, then update the cached state.
2026-03-23 11:15:40 -04:00
Jay R. Wren
1aa1a0476f
#ECCN:Open Source in CODEOWNERS (#1632)
Salesforce is requesting this in all opensource repositories
2026-03-16 17:07:40 -04:00
Jay R. Wren
7760ccefba
fix logging copy pasta (#1621)
2026-03-06 14:03:32 -05:00
Jack Doan
51308b845b
connection-track ICMP traffic (#1602)
* connection-track ICMP and ICMPv6 traffic
* icmpv6 only has identifier on echo
2026-02-18 23:19:37 -06:00
Wade Simmons
422fc2ad1e
go fix (#1608)
2026-02-17 11:42:14 -05:00