Wade Simmons
81afed439e
Merge remote-tracking branch 'origin/master' into fips140
2026-06-18 12:07:19 -04:00
Wade Simmons
7d3166a19d
cleanup ipv6 iputil helpers / skip reject for ICMP error packets and fragments (#1768)
...
* cleanup ipv6 iputil helpers
With my refactoring in this PR I accidentally had some duplicate logic,
this PR cleans it up:
- https://github.com/slackhq/nebula/pull/1766
* skip ICMP reject for ICMP error packets and fragments
Per RFC 1122, ICMP error messages must not be generated in response to
other ICMP error messages to prevent infinite error loops. This applies
to both IPv4 (types 3, 4, 5, 11, 12) and IPv6 (types 1-4).
Do not generate reject packets for IPv4 or IPv6 fragments. For IPv4,
check MF flag and fragment offset. For IPv6, add isFragment return to
ipv6FindUpperProtocol so a single traversal handles both protocol
lookup and fragment detection.
* do send rejects for the initial fragment
RFC says "non-initial fragment"s
* fix fragment checks
2026-06-16 16:51:14 -04:00
Wade Simmons
fe1c5682f0
add IPv6 support to CreateICMPEchoResponse (#1767)
...
The function previously only handled IPv4 ICMP Echo Request packets.
This adds handling for IPv6 ICMPv6 Echo Request (type 128) by generating
a proper Echo Reply (type 129) with correct pseudo-header checksum.
2026-06-16 13:16:47 -04:00
Wade Simmons
e4cc80aaca
add IPv6 reject packet generation (#1766)
...
* add IPv6 reject packet generation (ICMPv6 Destination Unreachable and TCP RST)
* use ICMPv6 code 1 (administratively prohibited) and cap body at 1000 bytes
* cleanup, use ICMP error code 13 for ipv4
* better docs
* cleanup
2026-06-16 13:04:21 -04:00
Jack Doan
16b302c11d
Relay log fix (#1765)
...
* ensure CreateRelayRequest gets logged correctly
* ensure CreateRelayResponse gets logged correctly
2026-06-16 11:38:34 -05:00
Wade Simmons
ab539f8a3f
Add smoke test for ipv6 (#1764)
...
* Add smoke test for ipv6
* fix ncat listen for ipv6
2026-06-16 12:13:05 -04:00
dependabot[bot]
b7d83b0500
Bump golang.org/x/net in the golang-x-dependencies group (#1763)
...
Bumps the golang-x-dependencies group with 1 update: [golang.org/x/net](https://github.com/golang/net).
Updates `golang.org/x/net` from 0.55.0 to 0.56.0
- [Commits](https://github.com/golang/net/compare/v0.55.0...v0.56.0)
---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.56.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-15 14:59:19 -04:00
dependabot[bot]
ef95b25fa3
Bump github.com/gaissmai/bart from 0.27.1 to 0.28.0 (#1743)
...
Bumps [github.com/gaissmai/bart](https://github.com/gaissmai/bart) from 0.27.1 to 0.28.0.
- [Release notes](https://github.com/gaissmai/bart/releases)
- [Commits](https://github.com/gaissmai/bart/compare/v0.27.1...v0.28.0)
---
updated-dependencies:
- dependency-name: github.com/gaissmai/bart
  dependency-version: 0.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-15 10:09:39 -04:00
dependabot[bot]
36b38396af
Bump the golang-x-dependencies group with 4 updates (#1750)
...
Bumps the golang-x-dependencies group with 4 updates: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/sync](https://github.com/golang/sync), [golang.org/x/sys](https://github.com/golang/sys) and [golang.org/x/term](https://github.com/golang/term).
Updates `golang.org/x/crypto` from 0.52.0 to 0.53.0
- [Commits](https://github.com/golang/crypto/compare/v0.52.0...v0.53.0)
Updates `golang.org/x/sync` from 0.20.0 to 0.21.0
- [Commits](https://github.com/golang/sync/compare/v0.20.0...v0.21.0)
Updates `golang.org/x/sys` from 0.45.0 to 0.46.0
- [Commits](https://github.com/golang/sys/compare/v0.45.0...v0.46.0)
Updates `golang.org/x/term` from 0.43.0 to 0.44.0
- [Commits](https://github.com/golang/term/compare/v0.43.0...v0.44.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sync
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sys
  dependency-version: 0.46.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/term
  dependency-version: 0.44.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-15 10:04:22 -04:00
Jack Doan
2e9117da5b
fix tunnels that could permanently escape connection-manager monitoring (#1752)
2026-06-10 11:03:23 -05:00
Jack Doan
a690c904ba
improve rejection of malformed handshakes (#1756)
2026-06-10 09:28:07 -05:00
Jack Doan
e028e6bf1a
disallow negative stats intervals (#1754)
2026-06-10 09:27:40 -05:00
Jack Doan
3db406b8ac
fix a race in RelayState.CopyRelayIps (#1753)
2026-06-10 09:27:15 -05:00
Jack Doan
eaad4896c1
udp_darwin: don't call the EncReader on a UDP error (#1755)
2026-06-10 09:26:31 -05:00
Wade Simmons
d42407cf9a
don't need race detector on these extra smoke runs
...
We should catch any issues in the original run
2026-06-10 09:49:09 -04:00
Wade Simmons
ac5a18e56a
use fips140-all in CI tests
2026-06-10 09:43:41 -04:00
Wade Simmons
2efdcb0366
fips140-all
2026-06-10 09:35:59 -04:00
Jack Doan
e6032f81aa
correctly record window counters for relayed packets in a tunnel (#1751)
2026-06-09 16:18:59 -05:00
Wade Simmons
92bd785f2b
no mips64le
2026-06-09 17:05:34 -04:00
Wade Simmons
7d087a6d9f
add all fips140 platforms
2026-06-09 15:42:05 -04:00
Wade Simmons
67da623e3b
cleanup enforcement
2026-06-09 15:33:31 -04:00
Wade Simmons
060b46f4b3
better names
2026-06-09 13:49:55 -04:00
Wade Simmons
69c6132a76
fix the tag
2026-06-09 13:27:57 -04:00
Wade Simmons
a383937bde
make the build tag clearer
...
Make it clear this isn't an automatic tag, but one we created for
enforcement
2026-06-09 13:26:36 -04:00
Wade Simmons
3b30526379
boringcrypto cleanup
2026-06-09 13:24:59 -04:00
Wade Simmons
cb9547b6a1
remove commented out code
2026-06-09 12:28:02 -04:00
Wade Simmons
69a6db705a
cleanup unused test
2026-06-09 12:26:42 -04:00
Wade Simmons
9709893009
use testing log
2026-06-09 12:26:04 -04:00
Wade Simmons
32db819315
cleanup
2026-06-09 12:23:48 -04:00
Wade Simmons
f437c7d372
more cleanup
2026-06-09 10:55:57 -04:00
Wade Simmons
d725e53072
makefile cleanup
2026-06-09 10:39:09 -04:00
Wade Simmons
06fb503fc3
WIP
2026-06-09 10:31:49 -04:00
Wade Simmons
7cd3875934
fix expected for fips140
...
We actually set the nonce wrong before this branch, fixing now.
2026-06-08 12:22:25 -04:00
Wade Simmons
90ea6346e9
WIP
2026-06-08 11:41:07 -04:00
Wade Simmons
37b752bb23
WIP
2026-06-08 09:43:28 -04:00
dependabot[bot]
b041f306cb
Bump the golang-x-dependencies group with 3 updates (#1742)
...
Bumps the golang-x-dependencies group with 3 updates: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/sys](https://github.com/golang/sys).
Updates `golang.org/x/crypto` from 0.51.0 to 0.52.0
- [Commits](https://github.com/golang/crypto/compare/v0.51.0...v0.52.0)
Updates `golang.org/x/net` from 0.54.0 to 0.55.0
- [Commits](https://github.com/golang/net/compare/v0.54.0...v0.55.0)
Updates `golang.org/x/sys` from 0.44.0 to 0.45.0
- [Commits](https://github.com/golang/sys/compare/v0.44.0...v0.45.0)
---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/net
  dependency-version: 0.55.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
- dependency-name: golang.org/x/sys
  dependency-version: 0.45.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: golang-x-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-03 10:25:27 -04:00
Wade Simmons
c7e035479c
enforce GODEBUG=fips140=only
...
This makes it much nicer to prove we are using the fips140 module for
all crypto.
2026-06-02 16:36:58 -04:00
Wade Simmons
adb01f66a3
make the test match the code
...
Ensure we use the correct AESGCM for fips140
2026-06-01 13:48:34 -04:00
Wade Simmons
cf5d73d625
better check
2026-06-01 11:24:09 -04:00
Wade Simmons
56a09b7cbb
fix
2026-06-01 11:22:39 -04:00
Wade Simmons
1d17c785a8
fixup tests
2026-06-01 11:19:12 -04:00
Wade Simmons
7c8a70b0cc
fix smoke boringcrypto and fips140
2026-06-01 11:03:15 -04:00
Wade Simmons
c73245ca5c
fix missing import
2026-06-01 10:56:10 -04:00
Wade Simmons
f1a8054a9d
latest golanglint-ci
2026-06-01 10:53:58 -04:00
Wade Simmons
dd081ffeb6
cleanup
2026-06-01 10:51:31 -04:00
Wade Simmons
cfcdcb0546
use go1.26
2026-06-01 10:46:48 -04:00
Wade Simmons
c3e2a2b3a7
better smoke
2026-06-01 10:38:31 -04:00
Wade Simmons
0897f49576
default GODEBUG=fips140=only
2026-06-01 10:36:05 -04:00
Wade Simmons
8671a4ebbd
cleanup
2026-06-01 10:21:34 -04:00
Wade Simmons
b5ad62aea1
Merge remote-tracking branch 'origin/master' into fips140
2026-06-01 09:52:57 -04:00