726 commits

This branch

This branch

All branches

Author	SHA1	Message	Date
Nate Brown	398d67e2da	Windows code signing (#1718)	2026-05-08 14:43:19 -05:00
Nate Brown	696903d6d9	Add a way to set the network type on windows + tests (#1710)	2026-05-07 20:17:38 -05:00
Nate Brown	c82db210ef	Change windows unsafe routes to link routes, fix sshd reload bug (#1709)	2026-05-07 11:30:26 -05:00
Nate Brown	1ada3d4dd9	Use DefinedNets fancy new netbsd10 vagrant box for smokes (#1711)	2026-05-07 10:30:29 -05:00
Nate Brown	5f920fdd7d	Remove the global noiseEndianness var (#1707)	2026-05-06 17:37:03 -05:00
dependabot[bot]	cba9ea5b1f	Bump github.com/gaissmai/bart from 0.26.0 to 0.26.1 (#1604) ... Bumps [github.com/gaissmai/bart](https://github.com/gaissmai/bart) from 0.26.0 to 0.26.1. - [Release notes](https://github.com/gaissmai/bart/releases) - [Commits](https://github.com/gaissmai/bart/compare/v0.26.0...v0.26.1) --- updated-dependencies: - dependency-name: github.com/gaissmai/bart dependency-version: 0.26.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-06 17:36:07 -05:00
dependabot[bot]	83809a599a	Bump actions/download-artifact from 7 to 8 (#1617) ... Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7 to 8. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v7...v8) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-version: '8' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-06 17:34:06 -05:00
dependabot[bot]	23c67bd8d8	Bump actions/upload-artifact from 6 to 7 (#1618) ... Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v6...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-06 17:33:47 -05:00
dependabot[bot]	dd3a7ad03c	Bump docker/setup-buildx-action from 3 to 4 (#1627) ... Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-06 17:33:16 -05:00
dependabot[bot]	dd2ac5d655	Bump docker/login-action from 3 to 4 (#1628) ... Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-06 17:32:45 -05:00
dependabot[bot]	76e82a5256	Bump golang.org/x/net (#1664) ... Bumps the golang-x-dependencies group with 1 update in the / directory: [golang.org/x/net](https://github.com/golang/net). Updates `golang.org/x/net` from 0.52.0 to 0.53.0 - [Commits](https://github.com/golang/net/compare/v0.52.0...v0.53.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-version: 0.53.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-05-06 17:32:21 -05:00
dependabot[bot]	eaf756ea6c	Bump Apple-Actions/import-codesign-certs from 6 to 7 (#1697)	2026-05-06 17:31:48 -05:00
Jack Doan	a82a8dc547	don't panic on bad ed25519 key lengths (#1601) ... * don't panic on bad ed25519 key lengths * don't allow mismatched curves * add test	2026-05-06 17:00:07 -05:00
Nate Brown	213dd46588	Stop leaking goroutines past Control.Stop, consolidate punching in Punchy (#1708)	2026-05-06 16:21:16 -05:00
Wade Simmons	4fb5cdb4fa	refactor readOutsidePackets (#1642) ... * refactor readOutsidePackets They layout of this method is confusing and relys on certain parts to return early for things to work correctly. Change the ordering of the logic so that we do this: - Handle unencrypted packets - Decrypt packet - Handle encrypted packets This way, nothing can sneak through unencrypted to where it shouldn't be. * fix comment * code review comments * check for expected type/subtype * check header version * log header * need to handle TestReply * clean roaming / connectionManager * dont need to roam here now, we do it earlier * cleanup metrics and errors * rxInvalid * debug logger checks * ErrOutOfWindow	2026-05-06 12:23:27 -04:00
Jack Doan	ff91c37529	switch Bits to a packed u64 (#1705)	2026-05-06 10:22:26 -05:00
Nate Brown	b7e9939e92	More stable e2e test harness, better for benchmarking (#1702)	2026-05-04 10:12:58 -05:00
Nate Brown	33c2d7277c	Reduce HandshakeManager complexity a little bit (#1701)	2026-05-01 13:21:38 -05:00
Nate Brown	f141cebe8d	Run e2e tests in parallel, include a goroutine leak detector test (#1700)	2026-04-30 21:30:56 -05:00
Nate Brown	9ec8cf10f3	Handshake state machine (#1656)	2026-04-30 21:30:27 -05:00
Nate Brown	1ab1f71dba	Make stats a server we can reconfigure and start/stop (#1670)	2026-04-27 12:25:24 -05:00
Nate Brown	d0f02ba873	Switch to slog, remove logrus (#1672)	2026-04-27 09:41:47 -05:00
Jack Doan	5f890dbc34	noise: only type-assert once (#1691)	2026-04-24 13:12:42 -05:00
brad-defined	db85d61c23	SSH handshake in goroutine and defer close (#1640) ... * SSH handshake in goroutine and defer close	2026-04-23 14:53:52 -04:00
Nate Brown	db9218b0be	Another shot at the flakey smoke test (#1688)	2026-04-23 13:51:15 -05:00
Nate Brown	5f00ab4b74	Fix e2e tests writing after the tester tun is closed causing a panic (#1681)	2026-04-22 17:18:06 -05:00
Guy Nesher	2a1cc62001	fix: guard QueryCert against panic on short/empty QNAME (#1635) ... * fix: guard QueryCert against panic on short/empty QNAME QueryCert slices data[:len(data)-1] to strip a trailing dot, which panics when data is empty (slice bounds [:-1]). Add a length check to return early for inputs shorter than a minimal valid "x." form. While miekg/dns currently rejects wire-format packets that would produce an empty QNAME, the Nebula code should not rely on library behavior for crash safety. Made-with: Cursor * fix merge conflicts --------- Co-authored-by: JackDoan <me@jackdoan.com>	2026-04-22 12:42:14 -05:00
John Maguire	e753e6e93c	Immediate Lighthouse update after reconfig/reconnect (#1645)	2026-04-21 16:33:32 -04:00
John Maguire	32a7c04498	Return NODATA instead of NXDOMAIN for missing record types (#1668) ... The DNS responder was setting RCODE=NXDOMAIN (Name Error) any time the answer section was empty, including for names that exist in the lighthouse but lack a record of the requested type (e.g. an AAAA query for a v4-only host). Per RFC 2308 §2.1, NXDOMAIN means "the domain referred to by the QNAME does not exist", and per RFC 2308 §2.2 a name that exists with no record of the requested type must be answered with RCODE=NOERROR and an empty answer section (NODATA). The practical fallout: busybox ping in Alpine issues AAAA first, treats NXDOMAIN as a hard failure, and never falls through to A. Returning NODATA lets the resolver continue to the A query as it should. Track whether any queried A/AAAA name is known in either map and only set RcodeNameError when no queried name exists at all.	2026-04-21 16:32:48 -04:00
Nate Brown	8c50fc3f60	Plug the conntrack cache ticker leak and nebula-service log.Fatal calls (#1669)	2026-04-21 13:19:54 -05:00
Nate Brown	2f4532f102	No more dns globals, proper cleanup on shutdown (#1667)	2026-04-21 12:41:10 -05:00
Nate Brown	8c71f2f3f9	FreeBSD tun needs to be non blocking as well (#1666)	2026-04-21 10:45:46 -05:00
Nate Brown	3d34cc9b74	Try to make smoke less flakey (#1663)	2026-04-20 16:38:14 -05:00
Jack Doan	e80b9830a3	Remove more os.Exit calls and give a more reliable wait for stop function (attempt 3) (#1661)	2026-04-20 16:08:26 -05:00
Nate Brown	49e3c4649b	Try the hot new DefinedNet openbsd78 box (#1657)	2026-04-17 09:18:23 -05:00
dependabot[bot]	72c04b90bd	Bump golang.zx2c4.com/wireguard/windows in the zx2c4-dependencies group (#1652) ... Bumps the zx2c4-dependencies group with 1 update: golang.zx2c4.com/wireguard/windows. Updates `golang.zx2c4.com/wireguard/windows` from 0.5.3 to 0.6.1 --- updated-dependencies: - dependency-name: golang.zx2c4.com/wireguard/windows dependency-version: 0.6.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: zx2c4-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-15 13:27:14 -05:00
dependabot[bot]	36ab1dbb97	Bump the golang-x-dependencies group across 1 directory with 5 updates (#1629) ... Bumps the golang-x-dependencies group with 3 updates in the / directory: [golang.org/x/crypto](https://github.com/golang/crypto), [golang.org/x/net](https://github.com/golang/net) and [golang.org/x/sync](https://github.com/golang/sync). Updates `golang.org/x/crypto` from 0.47.0 to 0.48.0 - [Commits](https://github.com/golang/crypto/compare/v0.47.0...v0.48.0) Updates `golang.org/x/net` from 0.49.0 to 0.51.0 - [Commits](https://github.com/golang/net/compare/v0.49.0...v0.51.0) Updates `golang.org/x/sync` from 0.19.0 to 0.20.0 - [Commits](https://github.com/golang/sync/compare/v0.19.0...v0.20.0) Updates `golang.org/x/sys` from 0.40.0 to 0.41.0 - [Commits](https://github.com/golang/sys/compare/v0.40.0...v0.41.0) Updates `golang.org/x/term` from 0.39.0 to 0.40.0 - [Commits](https://github.com/golang/term/compare/v0.39.0...v0.40.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.48.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/net dependency-version: 0.51.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/sync dependency-version: 0.20.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/sys dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies - dependency-name: golang.org/x/term dependency-version: 0.40.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang-x-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-15 13:02:29 -05:00
dependabot[bot]	f77fe74192	Bump github.com/miekg/pkcs11 (#1586) ... Bumps [github.com/miekg/pkcs11](https://github.com/miekg/pkcs11) from 1.1.2-0.20231115102856-9078ad6b9d4b to 1.1.2. - [Changelog](https://github.com/miekg/pkcs11/blob/master/release.go) - [Commits](https://github.com/miekg/pkcs11/commits/v1.1.2) --- updated-dependencies: - dependency-name: github.com/miekg/pkcs11 dependency-version: 1.1.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-15 12:27:19 -05:00
dependabot[bot]	24c9c704a0	Bump github.com/miekg/dns from 1.1.70 to 1.1.72 (#1587) ... Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.70 to 1.1.72. - [Commits](https://github.com/miekg/dns/compare/v1.1.70...v1.1.72) --- updated-dependencies: - dependency-name: github.com/miekg/dns dependency-version: 1.1.72 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-04-15 11:54:47 -05:00
Nate Brown	a5e81efe7b	Try rsync from somewhere else (#1655)	2026-04-15 09:23:33 -05:00
Jack Doan	b3194236aa	udp_linux: wrap socket operations with syscall.RawConn for clean teardown (#1654) ... remove runtime.LockOSThread() because it makes things worse now remove the "custom" Write() method from tun_linux.go, the stdlib path via os.File performs better We should change our guidance around number of routines, ~2 per thread (that you wish to use for Nebula) seems to be about right now	2026-04-14 18:25:24 -05:00
Nate Brown	3fae693c42	Additional e2e tests to assert current handshake behavior (#1653)	2026-04-14 13:32:01 -05:00
John Maguire	0ad5c771e9	Refactor CA pool handling to use streaming (#1644) ... Co-authored-by: maggie44 <64841595+maggie44@users.noreply.github.com> Co-authored-by: JackDoan <me@jackdoan.com>	2026-04-13 13:19:55 -04:00
Jay R. Wren	6727113b2b	gh workflow release: protect from ref_name attack (#1650) ... It is not likely, but better to be safe.	2026-04-06 12:24:28 -04:00
Jay R. Wren	f8587956ba	add sshd.sandbox_dir config option (#1622) ... * add sshd.sandbox_dir config option Sanitize SSH profile paths (ssh.go:514,683,719) — restrict os.Create(a[0]) to a safe directory. Add a config option in the config file to specify the sandbox directory. For backwards compatibility, if the config is not specified, keep the current behavior. * update default and example * use os.TempDir() for sshd.sandbox_dir default * split sandbox path validation into separate conditionals Separate the combined && check in sshSanitizeFilePath into two distinct conditionals with specific error messages: one for paths resolving to the sandbox directory itself, and one for paths outside the sandbox. Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com> * fix: trim leading zeros from p256 signature swap result bigmod.Nat.Bytes() returns fixed-size 32-byte slices, but ASN.1 INTEGER parsing strips leading zeros. This caused a flaky test failure (~1/256 chance) when the S value's high byte was zero. Co-Authored-By: Claude <svc-devxp-claude@slack-corp.com> --------- Co-authored-by: Claude <svc-devxp-claude@slack-corp.com>	2026-04-03 09:37:18 -04:00
John Maguire	951d368faf	Add a small link to DN Managed Nebula (#1641) ... * Add a small link to DN Managed Nebula Also link the mobile source code	2026-03-30 16:20:21 -04:00
Jack Doan	91d1f4675a	properly handle closetunnel packets (#1638)	2026-03-25 11:59:37 -05:00
John Maguire	9f1aef53fa	Fix dissector logic (#1626) ... * Fix typo in Wireshark dissector * Fix wireshark dissector prefs_changed logic The previous logic had several issues: - Changing only the port number (without toggling all_ports) would not re-register the dissector on the new port. - Turning all_ports off would remove all registrations but only re-add the specific port inside a branch that also required all_ports to have changed, and never updated default_settings.port. Simplify to: remove all registrations, then register based on current prefs, then update the cached state.	2026-03-23 11:15:40 -04:00
Jay R. Wren	1aa1a0476f	#ECCN:Open Source in CODEOWNERS (#1632) ... Salesforce is requesting this in all opensource repositories	2026-03-16 17:07:40 -04:00
Jay R. Wren	7760ccefba	fix logging copy pasta (#1621)	2026-03-06 14:03:32 -05:00