Nate Brown
0bffa76b5e
Build for openbsd ( #812 )
2023-07-27 14:27:35 -05:00
c0repwn3r
03e70210a5
Add support for NetBSD ( #916 )
2023-07-27 13:44:47 -05:00
Nate Brown
9c6592b159
Guard e2e udp and tun channels when closed ( #934 )
2023-07-26 12:52:14 -05:00
dependabot[bot]
e5af94e27a
Bump github.com/prometheus/client_golang from 1.15.1 to 1.16.0 ( #927 )
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.15.1 to 1.16.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.15.1...v1.16.0)
---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-24 13:56:09 -04:00
dependabot[bot]
96f51f78ea
Bump golang.org/x/sys from 0.8.0 to 0.10.0 ( #926 )
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.8.0 to 0.10.0.
- [Commits](https://github.com/golang/sys/compare/v0.8.0...v0.10.0)
---
updated-dependencies:
- dependency-name: golang.org/x/sys
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-24 13:53:39 -04:00
Nate Brown
a10baeee92
Pull hostmap and pending hostmap apart, remove unused functions ( #843 )
2023-07-24 12:37:52 -05:00
dependabot[bot]
52c9e360e7
Bump github.com/miekg/dns from 1.1.54 to 1.1.55 ( #925 )
Bumps [github.com/miekg/dns](https://github.com/miekg/dns) from 1.1.54 to 1.1.55.
- [Changelog](https://github.com/miekg/dns/blob/master/Makefile.release)
- [Commits](https://github.com/miekg/dns/compare/v1.1.54...v1.1.55)
---
updated-dependencies:
- dependency-name: github.com/miekg/dns
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-24 12:52:29 -04:00
dependabot[bot]
8caaff7109
Bump github.com/stretchr/testify from 1.8.2 to 1.8.4 ( #924 )
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.2 to 1.8.4.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](https://github.com/stretchr/testify/compare/v1.8.2...v1.8.4)
---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-24 12:51:31 -04:00
Nate Brown
1e3c155896
Attempt to notify systemd of service readiness on linux ( #929 )
2023-07-24 11:30:18 -05:00
Wade Simmons
f5db03c834
add dependabot config ( #922 )
This should give us PRs weekly with dependency updates, and also let us
manually check for updates when needed.
- https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
2023-07-21 17:21:58 -04:00
Nate Brown
c5ce945852
Update README to include a link to go install docs ( #919 )
2023-07-20 21:30:38 -05:00
John Maguire
7e380bde7e
Document new DNS config options ( #879 )
2023-07-10 15:19:05 -04:00
Nate Brown
a3e59a38ef
Use registered io on Windows when possible ( #905 )
2023-07-10 12:43:48 -05:00
John Maguire
8ba5d64dbc
Add support for naming FreeBSD tun devices ( #903 )
2023-06-22 12:13:31 -04:00
Nate Brown
3bbf5f4e67
Use an interface for udp conns ( #901 )
2023-06-14 10:48:52 -05:00
Wade Simmons
928731acfe
fix up the release workflow ( #891 )
actions/create-release is deprecated, just switch to using `gh` cli.
This is actually much easier anyways!
2023-06-14 11:45:01 -04:00
Nate Brown
57eb80e9fb
v1.7.2 ( #887 )
Update CHANGELOG for Nebula v1.7.2
2023-06-01 11:05:07 -04:00
brad-defined
96f4dcaab8
Fix reconfig freeze attempting to send to an unbuffered, unread channel ( #886 )
* Fixes a reconfig freeze where the reconfig attempts to send to an unbuffered channel with no readers.
Only create stop channel when a DNS goroutine is created, and only send when the channel exists.
Buffer to size 1 so that the stop message can be immediately sent even if the goroutine is busy doing DNS lookups.
2023-05-31 16:05:46 -04:00
Wade Simmons
6d8c5f437c
GitHub actions update setup-go ( #881 )
This does caching for us, so we can remove our manual caching of modules
2023-05-23 13:24:33 -04:00
John Maguire
165b671e70
v1.7.1 ( #878 )
Update CHANGELOG for Nebula v1.7.1
2023-05-18 15:39:24 -04:00
brad-defined
6be0bad68a
Fix static_host_map DNS lookup Linux issue - put v4 addr into v6 slice ( #877 )
2023-05-18 14:13:32 -04:00
Wade Simmons
7ae3cd25f8
v1.7.0 ( #870 )
Update CHANGELOG for Nebula v1.7.0
2023-05-17 11:02:53 -04:00
Wade Simmons
9a7ed57a3f
Cache cert verification methods ( #871 )
* cache cert verification
CheckSignature and Verify are expensive methods, and certificates are
static. Cache the results.
* use atomics
* make sure public key bytes match
* add VerifyWithCache and ResetCache
* cleanup
* use VerifyWithCache
* doc
2023-05-17 10:14:26 -04:00
Wade Simmons
eb9f22a8fa
fix mismerge of P256 and encrypted private keys ( #869 )
The private key length is checked in a switch statement below these
lines, these lines should have been removed.
2023-05-09 14:05:55 -04:00
Nate Brown
54a8499c7b
Fix go vet ( #868 )
2023-05-09 11:01:30 -05:00
Wade Simmons
419aaf2e36
issue templates: remove Report Security Vulnerability ( #867 )
This is redundant as GitHub automatically adds a section for this near the top.
2023-05-09 11:37:48 -04:00
Ilya Lukyanov
1701087035
Add destination CIDR checking ( #507 )
2023-05-09 10:37:23 -05:00
Nate Brown
a9cb2e06f4
Add ability to respect the system route table for unsafe route on linux ( #839 )
2023-05-09 10:36:55 -05:00
Wade Simmons
115b4b70b1
add SECURITY.md ( #864 )
* add SECURITY.md
Fixes: #699
* add Security mention to New issue template
* cleanup
2023-05-09 11:25:21 -04:00
Wade Simmons
0707caedb4
document P256 and BoringCrypto ( #865 )
* document P256 and BoringCrypto
Some basic descriptions of P256 and BoringCrypto added to the bottom of
README.md so that their purpose is not a mystery.
* typo
2023-05-09 11:24:52 -04:00
brad-defined
bd9cc01d62
Dns static lookerupper ( #796 )
* Support lighthouse DNS names, and regularly resolve the name in a background goroutine to discover DNS updates.
2023-05-09 11:22:08 -04:00
Nate Brown
d1f786419c
Try rehandshaking a main hostinfo after releasing hostmap locks ( #863 )
2023-05-08 14:43:03 -05:00
Wade Simmons
31ed9269d7
add test for GOEXPERIMENT=boringcrypto ( #861 )
* add test for GOEXPERIMENT=boringcrypto
* fix NebulaCertificate.Sign
Set the PublicKey field in a more compatible way for the tests. The
current method grabs the public key from the certificate, but the
correct thing to do is to derive it from the private key. Either way
doesn't really matter as I don't think the Sign method actually even
uses the PublicKey field.
* assert boring
* cleanup tests
2023-05-08 13:27:01 -04:00
Nate Brown
48eb63899f
Have lighthouses ack updates to reduce test packet traffic ( #851 )
2023-05-05 14:44:03 -05:00
Nate Brown
b26c13336f
Fix test on master ( #860 )
2023-05-04 20:11:33 -05:00
Wade Simmons
e0185c4b01
Support NIST curve P256 ( #769 )
* Support NIST curve P256
This change adds support for NIST curve P256. When you use `nebula-cert ca`
or `nebula-cert keygen`, you can specify `-curve P256` to enable it. The
curve to use is based on the curve defined in your CA certificate.
Internally, we use ECDSA P256 to sign certificates, and ECDH P256 to do
Noise handshakes. P256 is not supported natively in Noise Protocol, so
we define `DHP256` in the `noiseutil` package to implement support for
it.
You cannot have a mixed network of Curve25519 and P256 certificates,
since the Noise protocol will only attempt to parse using the Curve
defined in the host's certificate.
* verify the curves match in VerifyPrivateKey
This would have failed anyways once we tried to actually use the bytes
in the private key, but it's better to detect the issue up front with
a better error message.
* add cert.Curve argument to Sign method
* fix mismerge
* use crypto/ecdh
This is the preferred method for doing ECDH functions now, and also has
a boringcrypto specific codepath.
* remove other ecdh uses of crypto/elliptic
use crypto/ecdh instead
2023-05-04 17:50:23 -04:00
Nate Brown
702e1c59bd
Always disconnect block listed hosts ( #858 )
2023-05-04 16:09:42 -05:00
Nate Brown
5fe8f45d05
Clear lighthouse cache for a vpn ip on a dead connection when its the final hostinfo ( #857 )
2023-05-04 15:42:12 -05:00
Nate Brown
03e4a7f988
Rehandshaking ( #838 )
Co-authored-by: Brad Higgins <brad@defined.net>
Co-authored-by: Wade Simmons <wadey@slack-corp.com>
2023-05-04 15:16:37 -05:00
Wade Simmons
0b67b19771
add boringcrypto Makefile targets ( #856 )
This adds a few build targets to compile with `GOEXPERIMENT=boringcrypto`:
- `bin-boringcrypto`
- `release-boringcrypto`
It also adds a field to the initial start up log indicating if
boringcrypto is enabled in the binary.
2023-05-04 15:42:45 -04:00
Wade Simmons
a0d3b93ae5
update dependencies: 2023-05 ( #855 )
Updates that end up in the final binaries (go version -m):
Updated github.com/imdario/mergo https://github.com/imdario/mergo/compare/v0.3.13...v0.3.15
Updated github.com/miekg/dns https://github.com/miekg/dns/compare/v1.1.52...v1.1.54
Updated github.com/prometheus/client_golang https://github.com/prometheus/client_golang/compare/v1.14.0...v1.15.1
Updated github.com/prometheus/client_model https://github.com/prometheus/client_model/compare/v0.3.0...v0.4.0
Updated golang.org/x/crypto https://github.com/golang/crypto/compare/v0.7.0...v0.8.0
Updated golang.org/x/net https://github.com/golang/net/compare/v0.8.0...v0.9.0
Updated golang.org/x/sys https://github.com/golang/sys/compare/v0.6.0...v0.8.0
Updated golang.org/x/term https://github.com/golang/term/compare/v0.6.0...v0.8.0
Updated google.golang.org/protobuf v1.29.0...v1.30.0
2023-05-04 15:42:15 -04:00
Wade Simmons
58ec1f7a7b
build with go1.20 ( #854 )
* build with go1.20
This has been out for a bit and is up to go1.20.4. We have been using
go1.20 for the Slack builds and have seen no issues.
* need the quotes
* use go install
2023-05-04 11:35:03 -04:00
Nate Brown
397fe5f879
Add ability to skip installing unsafe routes on the os routing table ( #831 )
2023-04-10 12:32:37 -05:00
brad-defined
9b03053191
update EncReader and EncWriter interface function args to have concrete types ( #844 )
* Update LightHouseHandlerFunc to remove EncWriter param.
* Move EncWriter to interface
* EncReader, too
2023-04-07 14:28:37 -04:00
Nate Brown
3cb4e0ef57
Allow listen.host to contain names ( #825 )
2023-04-05 11:29:26 -05:00
Wade Simmons
e0553822b0
Use NewGCMTLS (when using experiment boringcrypto) ( #803 )
* Use NewGCMTLS (when using experiment boringcrypto)
This change only affects builds built using `GOEXPERIMENT=boringcrypto`.
When built with this experiment, we use the NewGCMTLS() method exposed by
goboring, which validates that the nonce is strictly monotonically increasing.
This is the TLS 1.2 specification for nonce generation (which also matches the
method used by the Noise Protocol)
- https://github.com/golang/go/blob/go1.19/src/crypto/tls/cipher_suites.go#L520-L522
- https://github.com/golang/go/blob/go1.19/src/crypto/internal/boring/aes.go#L235-L237
- https://github.com/golang/go/blob/go1.19/src/crypto/internal/boring/aes.go#L250
- ae223d6138/include/openssl/aead.h (L379-L381)
- ae223d6138/crypto/fipsmodule/cipher/e_aes.c (L1082-L1093)
* need to lock around EncryptDanger in SendVia
* fix link to test vector
2023-04-05 11:08:23 -04:00
Nate Brown
d3fe3efcb0
Fix handshake retry regression ( #842 )
2023-04-05 10:04:30 -05:00
Nate Brown
fd99ce9a71
Use fewer test packets ( #840 )
2023-04-04 13:42:24 -05:00
Wade Simmons
6685856b5d
emit certificate.expiration_ttl_seconds metric ( #782 )
2023-04-03 20:18:16 -05:00
John Maguire
a56a97e5c3
Add ability to encrypt CA private key at rest ( #386 )
Fixes #8.
`nebula-cert ca` now supports encrypting the CA's private key with a
passphrase. Pass `-encrypt` in order to be prompted for a passphrase.
Encryption is performed using AES-256-GCM and Argon2id for KDF. KDF
parameters default to RFC recommendations, but can be overridden via CLI
flags `-argon-memory`, `-argon-parallelism`, and `-argon-iterations`.
2023-04-03 13:59:38 -04:00