Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package nebula for openSUSE:Factory checked in at 2026-02-13 16:40:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nebula (Old) and /work/SRC/openSUSE:Factory/.nebula.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nebula" Fri Feb 13 16:40:05 2026 rev:13 rq:1332861 version:1.10.3 Changes: -------- --- /work/SRC/openSUSE:Factory/nebula/nebula.changes 2026-01-22 15:13:40.756988280 +0100 +++ /work/SRC/openSUSE:Factory/.nebula.new.1977/nebula.changes 2026-02-13 16:40:39.949413367 +0100 @@ -1,0 +2,9 @@ +Fri Feb 13 13:23:16 UTC 2026 - Richard Rahl <[email protected]> + +- Update to version 1.10.3: + * Fix an issue where blocklist bypass is possible when using curve P256 + Any newly issued P256 based certificates will have their signature clamped + to the low-s form. Nebula will assert the low-s signature form when + validating certificates in a future version + +------------------------------------------------------------------- Old: ---- nebula-1.10.2.tar.gz New: ---- nebula-1.10.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nebula.spec ++++++ --- /var/tmp/diff_new_pack.HdG1q5/_old 2026-02-13 16:40:41.905495557 +0100 +++ /var/tmp/diff_new_pack.HdG1q5/_new 2026-02-13 16:40:41.921496229 +0100 @@ -17,7 +17,7 @@ Name: nebula -Version: 1.10.2 +Version: 1.10.3 Release: 0 Summary: A scalable overlay networking tool License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.HdG1q5/_old 2026-02-13 16:40:42.097503624 +0100 +++ /var/tmp/diff_new_pack.HdG1q5/_new 2026-02-13 16:40:42.125504800 +0100 @@ -3,7 +3,7 @@ <service name="tar_scm" mode="manual"> <param name="url">https://github.com/slackhq/nebula.git</param> <param name="scm">git</param> - <param name="revision">refs/tags/v1.10.2</param> + <param name="revision">refs/tags/v1.10.3</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> <param name="package-meta">yes</param> ++++++ nebula-1.10.2.tar.gz -> nebula-1.10.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/HEAD new/nebula-1.10.3/.git/HEAD --- old/nebula-1.10.2/.git/HEAD 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/.git/HEAD 2026-02-06 20:26:51.000000000 +0100 @@ -1 +1 @@ -0b02d982b256dffc9c215306a2e550d8a1bd16ab +f573e8a26695278f9d71587390fbfe0d0933aa21 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/ORIG_HEAD new/nebula-1.10.3/.git/ORIG_HEAD --- old/nebula-1.10.2/.git/ORIG_HEAD 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/.git/ORIG_HEAD 2026-02-06 20:26:51.000000000 +0100 @@ -1 +1 @@ -0b02d982b256dffc9c215306a2e550d8a1bd16ab +f573e8a26695278f9d71587390fbfe0d0933aa21 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/config new/nebula-1.10.3/.git/config --- old/nebula-1.10.2/.git/config 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/.git/config 2026-02-06 20:26:51.000000000 +0100 @@ -1,11 +1,15 @@ [core] - repositoryformatversion = 0 + repositoryformatversion = 1 filemode = true bare = false logallrefupdates = true [remote "origin"] url = https://github.com/slackhq/nebula.git fetch = +refs/heads/*:refs/remotes/origin/* + promisor = true + partialclonefilter = tree:0 [branch "master"] remote = origin merge = refs/heads/master +[extensions] + partialClone = origin Binary files old/nebula-1.10.2/.git/index and new/nebula-1.10.3/.git/index differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/logs/HEAD new/nebula-1.10.3/.git/logs/HEAD --- old/nebula-1.10.2/.git/logs/HEAD 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/.git/logs/HEAD 2026-02-06 20:26:51.000000000 +0100 @@ -1,2 +1,2 @@ -0000000000000000000000000000000000000000 0b02d982b256dffc9c215306a2e550d8a1bd16ab Richard Rahl <[email protected]> 1769027621 +0100 clone: from https://github.com/slackhq/nebula.git -0b02d982b256dffc9c215306a2e550d8a1bd16ab 0b02d982b256dffc9c215306a2e550d8a1bd16ab Richard Rahl <[email protected]> 1769027621 +0100 checkout: moving from master to refs/tags/v1.10.2 +0000000000000000000000000000000000000000 f573e8a26695278f9d71587390fbfe0d0933aa21 Richard Rahl <[email protected]> 1770988774 +0100 clone: from https://github.com/slackhq/nebula.git +f573e8a26695278f9d71587390fbfe0d0933aa21 f573e8a26695278f9d71587390fbfe0d0933aa21 Richard Rahl <[email protected]> 1770988775 +0100 checkout: moving from master to refs/tags/v1.10.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/logs/refs/heads/master new/nebula-1.10.3/.git/logs/refs/heads/master --- old/nebula-1.10.2/.git/logs/refs/heads/master 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/.git/logs/refs/heads/master 2026-02-06 20:26:51.000000000 +0100 @@ -1 +1 @@ -0000000000000000000000000000000000000000 0b02d982b256dffc9c215306a2e550d8a1bd16ab Richard Rahl <[email protected]> 1769027621 +0100 clone: from https://github.com/slackhq/nebula.git +0000000000000000000000000000000000000000 f573e8a26695278f9d71587390fbfe0d0933aa21 Richard Rahl <[email protected]> 1770988774 +0100 clone: from https://github.com/slackhq/nebula.git diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/logs/refs/remotes/origin/HEAD new/nebula-1.10.3/.git/logs/refs/remotes/origin/HEAD --- old/nebula-1.10.2/.git/logs/refs/remotes/origin/HEAD 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/.git/logs/refs/remotes/origin/HEAD 2026-02-06 20:26:51.000000000 +0100 @@ -1 +1 @@ -0000000000000000000000000000000000000000 0b02d982b256dffc9c215306a2e550d8a1bd16ab Richard Rahl <[email protected]> 1769027621 +0100 clone: from https://github.com/slackhq/nebula.git +0000000000000000000000000000000000000000 f573e8a26695278f9d71587390fbfe0d0933aa21 Richard Rahl <[email protected]> 1770988774 +0100 clone: from https://github.com/slackhq/nebula.git Binary files old/nebula-1.10.2/.git/objects/pack/pack-35317a581769d2f0ac26c1f3118761db585cb646.idx and new/nebula-1.10.3/.git/objects/pack/pack-35317a581769d2f0ac26c1f3118761db585cb646.idx differ Binary files old/nebula-1.10.2/.git/objects/pack/pack-35317a581769d2f0ac26c1f3118761db585cb646.pack and new/nebula-1.10.3/.git/objects/pack/pack-35317a581769d2f0ac26c1f3118761db585cb646.pack differ Binary files old/nebula-1.10.2/.git/objects/pack/pack-35317a581769d2f0ac26c1f3118761db585cb646.rev and new/nebula-1.10.3/.git/objects/pack/pack-35317a581769d2f0ac26c1f3118761db585cb646.rev differ Binary files old/nebula-1.10.2/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.idx and new/nebula-1.10.3/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.idx differ Binary files old/nebula-1.10.2/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.pack and new/nebula-1.10.3/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.pack differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.promisor new/nebula-1.10.3/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.promisor --- old/nebula-1.10.2/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.promisor 1970-01-01 01:00:00.000000000 +0100 +++ new/nebula-1.10.3/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.promisor 2026-02-06 20:26:51.000000000 +0100 @@ -0,0 +1,218 @@ +0017794f4638f1a1b4e469619a9824accac6ccea 0017794f4638f1a1b4e469619a9824accac6ccea +01d775e51aff1eeb3a880a9c685cc6a60b4ea807 01d775e51aff1eeb3a880a9c685cc6a60b4ea807 +0b199a5ad77b9710ea16d938b9673a5a6fd451fd 0b199a5ad77b9710ea16d938b9673a5a6fd451fd +0bb2345ac0bc40f01a8a0ec0e4939503cd911990 0bb2345ac0bc40f01a8a0ec0e4939503cd911990 +0caf86a4d76001da9e2b89e6218fa6e78440f542 0caf86a4d76001da9e2b89e6218fa6e78440f542 +0ce01df8648a64cad9f3ffeda6cba69412a36528 0ce01df8648a64cad9f3ffeda6cba69412a36528 +0d1be128bb8a4e34dff98605e8e07aa4d86219ec 0d1be128bb8a4e34dff98605e8e07aa4d86219ec +0d53f952974d22bbb03c3930360277f370b64167 0d53f952974d22bbb03c3930360277f370b64167 +0e28bb425b095e5ab683df554ce269e1c7fe2dbb 0e28bb425b095e5ab683df554ce269e1c7fe2dbb +102ddb3262f7251addc9188c3bbcedfbb1061638 102ddb3262f7251addc9188c3bbcedfbb1061638 +10e8472c5e6892adfeba1a8bd4dfa6c18915486d 10e8472c5e6892adfeba1a8bd4dfa6c18915486d +128c20011538fd6ba5962993e023a0b9c73e0568 128c20011538fd6ba5962993e023a0b9c73e0568 +129744fd2513138b0d3269fcdf61bdc5a1f0bd78 129744fd2513138b0d3269fcdf61bdc5a1f0bd78 +12a848794037c671b6d016d099c517138ef8b9ea 12a848794037c671b6d016d099c517138ef8b9ea +1304fd5135978e09d8c30c32914488311d10300c 1304fd5135978e09d8c30c32914488311d10300c +14ba2ce145c06795b4387de56029e160697140b2 14ba2ce145c06795b4387de56029e160697140b2 +1510b942ed9c9447bdc95411ebf756462f486184 1510b942ed9c9447bdc95411ebf756462f486184 +16e6a680fefc2fc02952634fce616297c1725157 16e6a680fefc2fc02952634fce616297c1725157 +16e768ee42b7416f77f5f2f603688c8e28679d17 16e768ee42b7416f77f5f2f603688c8e28679d17 +172c3e83ffbe80d5a9ddd3cffef7120625bb5b52 172c3e83ffbe80d5a9ddd3cffef7120625bb5b52 +17aaa548010f5cb3100801a34735ed2e0ccf2ccc 17aaa548010f5cb3100801a34735ed2e0ccf2ccc +1856877edd8c720151972053861e24edae427321 1856877edd8c720151972053861e24edae427321 +19869d58dd9908ebff1f73c9adf383efd347a62b 19869d58dd9908ebff1f73c9adf383efd347a62b +1ae585c268144bac54b34019b3a485f0c20ce5d8 1ae585c268144bac54b34019b3a485f0c20ce5d8 +1b72a0ffd5e12ab8c21c85c811a0dda470745594 1b72a0ffd5e12ab8c21c85c811a0dda470745594 +1b777c3743a9f9aee4f0bdb020a0c49becbd3bfc 1b777c3743a9f9aee4f0bdb020a0c49becbd3bfc +1c1842da5532f71f64ab20a23e3ceade57046140 1c1842da5532f71f64ab20a23e3ceade57046140 +1c1e3c50f06fd892d70291164b419ff60ecc456c 1c1e3c50f06fd892d70291164b419ff60ecc456c +1db60a7c41b17e09f1f24f0ed795b514f3edcab4 1db60a7c41b17e09f1f24f0ed795b514f3edcab4 +1df62a811eb1b20c9855da074b707113354464b1 1df62a811eb1b20c9855da074b707113354464b1 +1e27a6bf56c7aa0c7f0e6d43b2f21b3c9a6049ad 1e27a6bf56c7aa0c7f0e6d43b2f21b3c9a6049ad +1f92d4e94b5227a806430221c5a58ffdffbe730a 1f92d4e94b5227a806430221c5a58ffdffbe730a +2034405a70048b4afbf04c625828ee3819324bef 2034405a70048b4afbf04c625828ee3819324bef +2129af71eacfa1c80e5e5f3b7142a49c90358765 2129af71eacfa1c80e5e5f3b7142a49c90358765 +221ab778e868eced82cdb8751ee35ff10bfbd0c6 221ab778e868eced82cdb8751ee35ff10bfbd0c6 +223eabeedcfb066c5125bba9e755edcd7531ba65 223eabeedcfb066c5125bba9e755edcd7531ba65 +24f899abcc574932bc540018fb767ae81f16fe96 24f899abcc574932bc540018fb767ae81f16fe96 +261ed3642b694b55ba1cf8b6ec6a7033693548de 261ed3642b694b55ba1cf8b6ec6a7033693548de +2986c895d33d2aded696119e7789d77b22e5bed1 2986c895d33d2aded696119e7789d77b22e5bed1 +2ab97dba062208bcb6ffc32bef8347d586751038 2ab97dba062208bcb6ffc32bef8347d586751038 +2beca66c91c38c5ee8036319e29fe439c94d4195 2beca66c91c38c5ee8036319e29fe439c94d4195 +2e6d34b5faa44aa8eb00dcc8d5ef9772e8f62771 2e6d34b5faa44aa8eb00dcc8d5ef9772e8f62771 +2e92e7e2046e6a6a2d24b5503680147dc29a005d 2e92e7e2046e6a6a2d24b5503680147dc29a005d +2ef7551f7179e7ae28297e87ea774de1f4eb119c 2ef7551f7179e7ae28297e87ea774de1f4eb119c +2f65b3a42002c6f99f500e6a392a4c897f07f5ee 2f65b3a42002c6f99f500e6a392a4c897f07f5ee +2f8efbfb9c3c73aa551a992a8cfb0111667b38a5 2f8efbfb9c3c73aa551a992a8cfb0111667b38a5 +2fab9274b8c46eb5c8415ac1c7c67ff8ff645919 2fab9274b8c46eb5c8415ac1c7c67ff8ff645919 +2fd2ff665a07420fc61da940806bf1cb98f8e374 2fd2ff665a07420fc61da940806bf1cb98f8e374 +30e0965b9512a84c879dae7dea2e98dc07e4b6bc 30e0965b9512a84c879dae7dea2e98dc07e4b6bc +310c57a319d083cf5dc51eb08e0bce19009f3835 310c57a319d083cf5dc51eb08e0bce19009f3835 +311afc24ea9e31343f8e9be650e715f1a98e67ca 311afc24ea9e31343f8e9be650e715f1a98e67ca +32de1a0dc422823c07c82e7a01370d3970311b1d 32de1a0dc422823c07c82e7a01370d3970311b1d +3477de3dd6b00811f19e369f35ce4f94b744b35d 3477de3dd6b00811f19e369f35ce4f94b744b35d +34fe17e5902aebb08a0a2e04d7c713919ff28c35 34fe17e5902aebb08a0a2e04d7c713919ff28c35 +3504cefa2f9b7eadd8db031248a6656c687f8349 3504cefa2f9b7eadd8db031248a6656c687f8349 +356e58903c80f91edf169bf8feb4f01738abf3e7 356e58903c80f91edf169bf8feb4f01738abf3e7 +36b0fc94c25000a774e77f2953ec2627f2c74705 36b0fc94c25000a774e77f2953ec2627f2c74705 +36d043bcd53f5526b521f8c3dce5c1bb1115f02a 36d043bcd53f5526b521f8c3dce5c1bb1115f02a +38dbef62f8db5a796c503ae9c91b37f3e0b1e62c 38dbef62f8db5a796c503ae9c91b37f3e0b1e62c +39843efefdc70274c8f5093c4b3398762cb65e65 39843efefdc70274c8f5093c4b3398762cb65e65 +3b69159ad93ce3fb1c56da2ad24c40b04a355949 3b69159ad93ce3fb1c56da2ad24c40b04a355949 +3b7cdd1c9a1d4efbf1082648c0d6e712525bc7a0 3b7cdd1c9a1d4efbf1082648c0d6e712525bc7a0 +3d60f34c7d61ee8c503bff0c80896eed2abf7371 3d60f34c7d61ee8c503bff0c80896eed2abf7371 +400e275b469b6bf0d21ecbfc628fa55d68263571 400e275b469b6bf0d21ecbfc628fa55d68263571 +40c7fc5d2ddb829e975340837b2bfbf596ecf063 40c7fc5d2ddb829e975340837b2bfbf596ecf063 +45dc069184be1c8ca03ab2b2cedd70319e90cb32 45dc069184be1c8ca03ab2b2cedd70319e90cb32 +4648c4964ea5860447c2e2dc5b32b1b9b8192e3c 4648c4964ea5860447c2e2dc5b32b1b9b8192e3c +486a72423e21ce02c52271f8365cd5c8a74d6c4c 486a72423e21ce02c52271f8365cd5c8a74d6c4c +48c5a978375782660aa4d688f511a7ad786b182d 48c5a978375782660aa4d688f511a7ad786b182d +496f84c278ad092dff6d5f6e66bc0004012b24c5 496f84c278ad092dff6d5f6e66bc0004012b24c5 +4b1d0bd0d028528610d5f38b77a6e9937ea07a1c 4b1d0bd0d028528610d5f38b77a6e9937ea07a1c +4c236aeed55c552d69aef89ebf5fd9a8d5f6648a 4c236aeed55c552d69aef89ebf5fd9a8d5f6648a +4c2f26efa28d7de96878303369041ee0bac034ba 4c2f26efa28d7de96878303369041ee0bac034ba +4d57c7b296e09e25befa5ea258475b2f33df60a7 4d57c7b296e09e25befa5ea258475b2f33df60a7 +4e04f4502f4ec855312eb39ff5eec3ceb2900d20 4e04f4502f4ec855312eb39ff5eec3ceb2900d20 +547037c5a10a71380bc2e12a5ff4b9389e3a73d9 547037c5a10a71380bc2e12a5ff4b9389e3a73d9 +55068f31b3acc61768fc384cc6683ea605c1fd2a 55068f31b3acc61768fc384cc6683ea605c1fd2a +55d441f4a8017b2ea30eae55137c52f2829dba5f 55d441f4a8017b2ea30eae55137c52f2829dba5f +561138cacd8b2de1b56ab427f2263dd5b966838d 561138cacd8b2de1b56ab427f2263dd5b966838d +56dd1c2513560fe82a7ecb896af203744f4b1b5b 56dd1c2513560fe82a7ecb896af203744f4b1b5b +57990a7943a518013e8a86e0c3d8e99c9fadc01f 57990a7943a518013e8a86e0c3d8e99c9fadc01f +5afeaeabe191d7878ca66eebf370d07572c8ae18 5afeaeabe191d7878ca66eebf370d07572c8ae18 +5dd355ca24f262cc7778b5d9f4d95c591a06c80d 5dd355ca24f262cc7778b5d9f4d95c591a06c80d +5f0f77655080eeae12b2809c3c7e8514020ec14f 5f0f77655080eeae12b2809c3c7e8514020ec14f +6135f36c0e14ae67c346e4c9e19ec79b7fb205f8 6135f36c0e14ae67c346e4c9e19ec79b7fb205f8 +61989581b57d3e7d8fd446f6bedd052e19546fd9 61989581b57d3e7d8fd446f6bedd052e19546fd9 +61b1f228312e4378a8d8f68ff8b06de9cdbfc12b 61b1f228312e4378a8d8f68ff8b06de9cdbfc12b +647dd72b801f3609c1fa55816cd2b1931f591206 647dd72b801f3609c1fa55816cd2b1931f591206 +65ef31a5656c7b49517e3d1c70a75c2a53ff0599 65ef31a5656c7b49517e3d1c70a75c2a53ff0599 +66913326c5ba4b92fa8cf9b7811528e742848f57 66913326c5ba4b92fa8cf9b7811528e742848f57 +67b166b1d5824fee3edab56323ba5e6854dde8d8 67b166b1d5824fee3edab56323ba5e6854dde8d8 +692c1840da4afc594e1aee2daea89109023d02d4 692c1840da4afc594e1aee2daea89109023d02d4 +6bf6a8ded9fb99bde5affb206cfff7c696e47565 6bf6a8ded9fb99bde5affb206cfff7c696e47565 +6d04027aa7ab62201683f852fd13d8e70bd045a2 6d04027aa7ab62201683f852fd13d8e70bd045a2 +6d5c8a433279de7637aed7ab48574b65540a8d54 6d5c8a433279de7637aed7ab48574b65540a8d54 +6df893c1670d288edc6bda7b99b4883ef6a34865 6df893c1670d288edc6bda7b99b4883ef6a34865 +6e3746341b0e51cd2207d9d2b3c5b36fe85ac7af 6e3746341b0e51cd2207d9d2b3c5b36fe85ac7af +6f5249703c5c383b5c6db79c58c992d4937c7c07 6f5249703c5c383b5c6db79c58c992d4937c7c07 +7061de6acf773ff4e53f59a42fc5d00a4bb5d6a6 7061de6acf773ff4e53f59a42fc5d00a4bb5d6a6 +70b07f4e3252539a0ddd7fe3954c244716787e4f 70b07f4e3252539a0ddd7fe3954c244716787e4f +71b83f433fdac1cd69384227ded09527a559c452 71b83f433fdac1cd69384227ded09527a559c452 +7276dfa1325163a2fa2c31506d9ecda2773c802d 7276dfa1325163a2fa2c31506d9ecda2773c802d +7323d1203dfe86339abdc2d09b9c3a36e9ed1489 7323d1203dfe86339abdc2d09b9c3a36e9ed1489 +73576546981aea68ec60ecef9aa66df7a8a2fab8 73576546981aea68ec60ecef9aa66df7a8a2fab8 +7403a745da4f601b5d659135ae23728cb958a8ba 7403a745da4f601b5d659135ae23728cb958a8ba +75134316c6aae07fe5debb7aea0544393708cc23 75134316c6aae07fe5debb7aea0544393708cc23 +779d3a2da16923c3ae845609e34ef49429791a62 779d3a2da16923c3ae845609e34ef49429791a62 +796b96d1c402326528b4ba3c12ee9d92d0e212e9 796b96d1c402326528b4ba3c12ee9d92d0e212e9 +7d8f2eb8fbd90b7d895b6587331446edb1f3146b 7d8f2eb8fbd90b7d895b6587331446edb1f3146b +7e2939e0ff43d8ead1299e7a426cfa5e44ccaeaf 7e2939e0ff43d8ead1299e7a426cfa5e44ccaeaf +7e4aa41839824d5a77d71e67a7233966c5743092 7e4aa41839824d5a77d71e67a7233966c5743092 +8129560efeaf185ef1ef3cac5cd78383995b145a 8129560efeaf185ef1ef3cac5cd78383995b145a +814c77a1126feea315c49216ee8b1412a9f7600a 814c77a1126feea315c49216ee8b1412a9f7600a +82ad2feefbca5256ea1b1952ea369c6759591598 82ad2feefbca5256ea1b1952ea369c6759591598 +8354c094ea61d80dd3d9462e303d4261ffcb1892 8354c094ea61d80dd3d9462e303d4261ffcb1892 +87cc216f81f3ff0eaf745b3762e434005997f919 87cc216f81f3ff0eaf745b3762e434005997f919 +88cf093342163614036ac29731f3e88d3e2d05ac 88cf093342163614036ac29731f3e88d3e2d05ac +8942c23a258b25c166152c41a5e0193390cdeffc 8942c23a258b25c166152c41a5e0193390cdeffc +89f94772682096261658d8ff92fb3298a82427b3 89f94772682096261658d8ff92fb3298a82427b3 +8ae78f3cbd78d69821a1a499df8016e781139f5d 8ae78f3cbd78d69821a1a499df8016e781139f5d +8b1ce83958c38556c8f070b90ef80846a80d7d21 8b1ce83958c38556c8f070b90ef80846a80d7d21 +8c3dca558ce2b3443f1cd95ce86d7dfde3fa7dbd 8c3dca558ce2b3443f1cd95ce86d7dfde3fa7dbd +8c480a1459bca56be86ea2b823741c6daeb8f27e 8c480a1459bca56be86ea2b823741c6daeb8f27e +8c88439248a753c368b833ee55e8310c03737afe 8c88439248a753c368b833ee55e8310c03737afe +9120119414b15a4040e51ced5239bbb8beaabc12 9120119414b15a4040e51ced5239bbb8beaabc12 +9209b7950b1ddf5bebdeef3cb22231a082469833 9209b7950b1ddf5bebdeef3cb22231a082469833 +94e868cc2a3e395aefd09ed3b86bec597b6c138e 94e868cc2a3e395aefd09ed3b86bec597b6c138e +95d9893ef37f8cd4dbb02cacf5d3b4d0d0cd626e 95d9893ef37f8cd4dbb02cacf5d3b4d0d0cd626e +976a2742308b3194ca482b692adfadf6e64b5526 976a2742308b3194ca482b692adfadf6e64b5526 +9a17b9479f8bf840056f99041f4275d44b9406f3 9a17b9479f8bf840056f99041f4275d44b9406f3 +9a26c2908e0dbdc39b1cb21395d40dd85fd8f669 9a26c2908e0dbdc39b1cb21395d40dd85fd8f669 +9a959a55da3c94427ba7786dc64e01951751818e 9a959a55da3c94427ba7786dc64e01951751818e +9c113e185938fcd0e21af6b7f9773ef96ac3d83e 9c113e185938fcd0e21af6b7f9773ef96ac3d83e +9cd9d37f2025c7d8f242226e6a99d7404cb3dbe6 9cd9d37f2025c7d8f242226e6a99d7404cb3dbe6 +9ce1d5e3b4bef28f1d129ca3067796e6571f99c5 9ce1d5e3b4bef28f1d129ca3067796e6571f99c5 +a54fb0f30f6048101cad79c191a70e5a9c263746 a54fb0f30f6048101cad79c191a70e5a9c263746 +a7e537424c5528bdc2b358ee1058d1509fe16566 a7e537424c5528bdc2b358ee1058d1509fe16566 +a8b60ba7bfdf33c8c2475210a3d757da40e7d954 a8b60ba7bfdf33c8c2475210a3d757da40e7d954 +aa3dddaf03c956cc897b00cc43d1cfde34e2e467 aa3dddaf03c956cc897b00cc43d1cfde34e2e467 +aaf6f29c99a183e6b558abc1f84895d8e824a92d aaf6f29c99a183e6b558abc1f84895d8e824a92d +ab5218f8dbfb8a6fcaef2d88e40b681591229193 ab5218f8dbfb8a6fcaef2d88e40b681591229193 +aba7b2a806ee8831eb0d8d1cda72f88429cce653 aba7b2a806ee8831eb0d8d1cda72f88429cce653 +abf74a0fa2c7ab37e9f79cb3495c73203c0006a4 abf74a0fa2c7ab37e9f79cb3495c73203c0006a4 +aeaea294b51a813a168df3a7074b7c8ce955233e aeaea294b51a813a168df3a7074b7c8ce955233e +aee04e77bfbd6601adbcd5a46435f059e31cf6e4 aee04e77bfbd6601adbcd5a46435f059e31cf6e4 +af11cc48821f95a3418c18ef6d277fb7fbb6e6c4 af11cc48821f95a3418c18ef6d277fb7fbb6e6c4 +af6480effb6b4339eb78b77311634c546f8c6d11 af6480effb6b4339eb78b77311634c546f8c6d11 +b18e52447c872fcd40abb1ce334253d153335e09 b18e52447c872fcd40abb1ce334253d153335e09 +b5a717d82d7ba9ea31228d97c4207f4c9fb9066c b5a717d82d7ba9ea31228d97c4207f4c9fb9066c +b6077aba15a0d34c04b3e7532aebcaaf46abac17 b6077aba15a0d34c04b3e7532aebcaaf46abac17 +b865391e7738ff0e9d98e75a1282deb6d0f0ea66 b865391e7738ff0e9d98e75a1282deb6d0f0ea66 +bb19195469431a0e2b94832ea9e7a60b1e30c6fc bb19195469431a0e2b94832ea9e7a60b1e30c6fc +bbfcb22601c5cffae7341b26965124649fe08688 bbfcb22601c5cffae7341b26965124649fe08688 +bc8d3f0e60565567a8b8598972614dce7d4ffccd bc8d3f0e60565567a8b8598972614dce7d4ffccd +bd82a9523344a2585ca30f1ae20c69e3c19e4c6f bd82a9523344a2585ca30f1ae20c69e3c19e4c6f +be0a2381ac64ba68f8831c523b3e9a46e1335c1e be0a2381ac64ba68f8831c523b3e9a46e1335c1e +be746f4096f772a5e4a461263375f0ce939fd21c be746f4096f772a5e4a461263375f0ce939fd21c +bea4d1d941736c9da1b6668b2d8b549b8ab4e66d bea4d1d941736c9da1b6668b2d8b549b8ab4e66d +bf4c9c0d471aee16991c1cf5824b5f4e7aca9cb3 bf4c9c0d471aee16991c1cf5824b5f4e7aca9cb3 +bf6e0654a27ce0fd07a51fb85185b0934b6307a1 bf6e0654a27ce0fd07a51fb85185b0934b6307a1 +bfff621a7ca4e6baf72151ab8918fbc19391a46b bfff621a7ca4e6baf72151ab8918fbc19391a46b +c167e70d8b20ec2254115c7b72673605b6a27625 c167e70d8b20ec2254115c7b72673605b6a27625 +c1b4c398b44cec672dc8a32b83e4ec489466881e c1b4c398b44cec672dc8a32b83e4ec489466881e +c32f409aef5929086916d6d4aedef09b57817568 c32f409aef5929086916d6d4aedef09b57817568 +c423cfc72547100e9f9db1aeeb205bc6e5154309 c423cfc72547100e9f9db1aeeb205bc6e5154309 +c57c44ec0de74d8d2d384dab589e10bcdb9f934f c57c44ec0de74d8d2d384dab589e10bcdb9f934f +c6b87423e0d9c0c4df0dfe43289d4b5201f5e4f1 c6b87423e0d9c0c4df0dfe43289d4b5201f5e4f1 +c8264ab7eaab9dc3aca8d6d2c0871eadff2fbf4f c8264ab7eaab9dc3aca8d6d2c0871eadff2fbf4f +c86b0bc3ef91cd92d5020d809938560c08d3ad1e c86b0bc3ef91cd92d5020d809938560c08d3ad1e +c88c45cc9facb1fd6a9accfe9baec6360b7d431e c88c45cc9facb1fd6a9accfe9baec6360b7d431e +c8a4c64aafacbc447fa4474a04fd7e2400c901f9 c8a4c64aafacbc447fa4474a04fd7e2400c901f9 +c9c7730de063da9473cfb52991f3da2afb30e455 c9c7730de063da9473cfb52991f3da2afb30e455 +cba56fcea1613399ca819d93372c374c9a9ec44f cba56fcea1613399ca819d93372c374c9a9ec44f +cd9b82f98871f0c42b779760abf5dad0ed1fc6a7 cd9b82f98871f0c42b779760abf5dad0ed1fc6a7 +d0b64b936318af6541ae64ad2830fc6a04f38abe d0b64b936318af6541ae64ad2830fc6a04f38abe +d1c7ba91853fca818c6ae6c5c29d54a464ebf1fc d1c7ba91853fca818c6ae6c5c29d54a464ebf1fc +d1f8ecf7a045e2559efb03efb4ca3e93a5a131c3 d1f8ecf7a045e2559efb03efb4ca3e93a5a131c3 +db36fec73eced367b288192827364f6e40fbfb50 db36fec73eced367b288192827364f6e40fbfb50 +db885d424512310ddaacedda51a09174c7688d59 db885d424512310ddaacedda51a09174c7688d59 +dbc29510f90ed2d462f3f98568281f4bfbadae1f dbc29510f90ed2d462f3f98568281f4bfbadae1f +dc4e4aeeb1400f75fa40bfd4d2503a029c03c52c dc4e4aeeb1400f75fa40bfd4d2503a029c03c52c +dcd132b0ab7e4220ce11dc171c06ede0331300a4 dcd132b0ab7e4220ce11dc171c06ede0331300a4 +ddc808f94f89f623fee361e510d505edef1a2ebf ddc808f94f89f623fee361e510d505edef1a2ebf +de8f1cdf0682d02cd02af6884d7545045f8ae6e1 de8f1cdf0682d02cd02af6884d7545045f8ae6e1 +e0bf69f6b5c079e2c0ea3461ee0912fe444f70e1 e0bf69f6b5c079e2c0ea3461ee0912fe444f70e1 +e1d0d95d881f314f3314eeafd1acb10c7d7db140 e1d0d95d881f314f3314eeafd1acb10c7d7db140 +e2508c83cc1b77af7bbeae6671efa899433c183d e2508c83cc1b77af7bbeae6671efa899433c183d +e2a6b98d6c2e5740e8efc658e0509c93b5f3a5ce e2a6b98d6c2e5740e8efc658e0509c93b5f3a5ce +e34a4ad0d0afc2d990c5e7c80e4f5e9d2bf71b7a e34a4ad0d0afc2d990c5e7c80e4f5e9d2bf71b7a +e4f41049713e4c689f7dbd69d34db8500ca0c01a e4f41049713e4c689f7dbd69d34db8500ca0c01a +e62860938cee3569c3655b4c2793cdf76ba3a6c5 e62860938cee3569c3655b4c2793cdf76ba3a6c5 +e7758e0943c0589f31b874e5e388e78502695cbe e7758e0943c0589f31b874e5e388e78502695cbe +e77593298bbbe0b686a07dfcc3b2ea772493cc98 e77593298bbbe0b686a07dfcc3b2ea772493cc98 +e872c7d4f060e941c0e1c6b384eaed9774973224 e872c7d4f060e941c0e1c6b384eaed9774973224 +e89cf8692734d53564d0aa662bba603059f56176 e89cf8692734d53564d0aa662bba603059f56176 +e8a5d312089d683c4be3128ca64589d3a65cd775 e8a5d312089d683c4be3128ca64589d3a65cd775 +e9903e1fbfcd79d495c8fd34f7107db8f316c5c3 e9903e1fbfcd79d495c8fd34f7107db8f316c5c3 +e9dad6c596793080d118a5724314d9a14587743f e9dad6c596793080d118a5724314d9a14587743f +ea1023348db967cc3a84371c44fd4af857dc0e8c ea1023348db967cc3a84371c44fd4af857dc0e8c +eddef8824915c478bb8231a0ec639ade1e8abe3c eddef8824915c478bb8231a0ec639ade1e8abe3c +f1f1ec6281d556093b203f341b89738190d6f527 f1f1ec6281d556093b203f341b89738190d6f527 +f22509b8972edabd4a409f4d98e3e5c37f03d222 f22509b8972edabd4a409f4d98e3e5c37f03d222 +f2805d0c816bd929b1299f137652a8b0e84a46d5 f2805d0c816bd929b1299f137652a8b0e84a46d5 +f302f9282ee4020a1c9d469a5f514eab25cb6d78 f302f9282ee4020a1c9d469a5f514eab25cb6d78 +f3642961c9660f495dec47f5e4e4fc37e6b077e3 f3642961c9660f495dec47f5e4e4fc37e6b077e3 +f4b1074c37d2f70f07665d586d7583c4a3c693a4 f4b1074c37d2f70f07665d586d7583c4a3c693a4 +f555e5f5bec4c42b15a8faac133a2dd4a8a1e220 f555e5f5bec4c42b15a8faac133a2dd4a8a1e220 +f5f8cbb0bb22dfa8d4ddebc985a97dc31b8488d3 f5f8cbb0bb22dfa8d4ddebc985a97dc31b8488d3 +f81baab60e1a45422f51b6ee1ec430993fb9eb66 f81baab60e1a45422f51b6ee1ec430993fb9eb66 +f8567b500786d35d29204bb54f6a312874724bbd f8567b500786d35d29204bb54f6a312874724bbd +f863133f777c9dc6bb70f020eb23d1a292434d31 f863133f777c9dc6bb70f020eb23d1a292434d31 +f8a89ef59b4f74566cb2b086b1a88eaabd3ccb4c f8a89ef59b4f74566cb2b086b1a88eaabd3ccb4c +fab9cff1f116904ad8ec40ce484982b96f803425 fab9cff1f116904ad8ec40ce484982b96f803425 +fb32782ff7d883e75b81705c494c6425cce5863f fb32782ff7d883e75b81705c494c6425cce5863f +fbfffe4e6f38b83ede6e8fe7f52823f64735bdbb fbfffe4e6f38b83ede6e8fe7f52823f64735bdbb +fc8ac97ac2ba18ea0d5a299b74b1dc9b57fa18fa fc8ac97ac2ba18ea0d5a299b74b1dc9b57fa18fa +fe40c5334da4f8b5ffcf386bea5e75642fc1fa9c fe40c5334da4f8b5ffcf386bea5e75642fc1fa9c +ffdc15bfb4ba1a57de36b2693066cc9dc61db669 ffdc15bfb4ba1a57de36b2693066cc9dc61db669 Binary files old/nebula-1.10.2/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.rev and new/nebula-1.10.3/.git/objects/pack/pack-a5a60f079d81415f8432774dd3b6ce905aff211f.rev differ Binary files old/nebula-1.10.2/.git/objects/pack/pack-aeda6b1ac3ae522872a3d92ab1c5dd78bc8394a6.idx and new/nebula-1.10.3/.git/objects/pack/pack-aeda6b1ac3ae522872a3d92ab1c5dd78bc8394a6.idx differ Binary files old/nebula-1.10.2/.git/objects/pack/pack-aeda6b1ac3ae522872a3d92ab1c5dd78bc8394a6.pack and new/nebula-1.10.3/.git/objects/pack/pack-aeda6b1ac3ae522872a3d92ab1c5dd78bc8394a6.pack differ Binary files old/nebula-1.10.2/.git/objects/pack/pack-aeda6b1ac3ae522872a3d92ab1c5dd78bc8394a6.rev and new/nebula-1.10.3/.git/objects/pack/pack-aeda6b1ac3ae522872a3d92ab1c5dd78bc8394a6.rev differ Binary files old/nebula-1.10.2/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.idx and new/nebula-1.10.3/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.idx differ Binary files old/nebula-1.10.2/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.pack and new/nebula-1.10.3/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.pack differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.promisor new/nebula-1.10.3/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.promisor --- old/nebula-1.10.2/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.promisor 1970-01-01 01:00:00.000000000 +0100 +++ new/nebula-1.10.3/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.promisor 2026-02-06 20:26:51.000000000 +0100 @@ -0,0 +1,85 @@ +f573e8a26695278f9d71587390fbfe0d0933aa21 HEAD +0af7e6a1ddadd96dfe967ba49e456f2c67969b1e refs/heads/add-http-pprof +2d128a3254cef202a81c88d5d7b6922f632bcc2c refs/heads/batched-path +e7423d39f936f801697f70516c4f5c778d912f9a refs/heads/botched-path +43bdf9066ec7758afee3a33cbb8cf5efaa109d64 refs/heads/cert-v2-mixed-af-unsafe-nets +5fa386bb703fec75a7a59ac6de9350013a52293d refs/heads/cert-v2-reloads-with-relay-stuff +2ea8a72d5c9688985603370e46ba9520950cbca8 refs/heads/channels +2c6f81c224885ce9d66de433f60ba424f1b784af refs/heads/channels-batching +9253f36a3c875d5738d0f026e54c763a686ef084 refs/heads/channels-sendmmsg-batching +f2bb43fb4231b228385082d2b087b97a4ba83a5e refs/heads/channels-spicy +2ab75709ad84e02a1010b30e5181f249cd13867c refs/heads/channels2 +a0f8cb209854b140410f0832559622c16d20ec5a refs/heads/channels_and_minimal_gsogro +40e4ca0920f99b5015d4a15e8e8e97a75a2ac9fb refs/heads/conntrack-icmp +9101b62162b2f55a21e37e800cc84a18be9b5278 refs/heads/cross-stack-relay +f597aa71e325eb52f57d2ac404862ecc79822f79 refs/heads/cross-stack-relay-overlaps +25451dc42ec0854a6f7d924128cbbefb035dc099 refs/heads/dependabot/go_modules/github.com/gaissmai/bart-0.26.1 +b558262b19e65fce65578a7d10ca38d2c3f77dba refs/heads/dependabot/go_modules/github.com/miekg/dns-1.1.72 +054cba9d8c71fac21629f0a57d9ff815cd60edc9 refs/heads/dependabot/go_modules/github.com/miekg/pkcs11-1.1.2 +0993d1a78e8b0335615831db4cb7e804ba767d7d refs/heads/dependabot/go_modules/golang-x-dependencies-0900014c3e +6fa1ecdc2991e244a879e48539bb69a660aa6929 refs/heads/fips140 +8bb6090ffd9bd2a7433d83d8f1f9f81c4a4fd231 refs/heads/firewall-feedback +e25016a94692b668d4c37833e2f8a25c2fa6b874 refs/heads/firewall-forward-table +12bf7a154d476af976e7f6b11f9d859853e6df4a refs/heads/github-release-upload +2190c04201172cfdf91b6e64ae2c1be6f149c881 refs/heads/go-fix +d00ddc5e0feb54b57eecf8a4d3b63984e24efa74 refs/heads/icmp-no-port +db11e2f1af19017d21ef5912a5613d48b9db3d02 refs/heads/interface-hooks +a4b7f624da48761fff4122ab4d0aaec1deb2ef92 refs/heads/io-uring-gso-gro-offtherails +ef1739bec4a6345be4415f49e6c2305bf126e562 refs/heads/jay.wren-batch-packets +5ceac2b078bcb816d9d738c570a35a0a3bc33c78 refs/heads/jay.wren-dns-ctx +2400e2392be3fcb87bf6ef3badc30ee6689ba848 refs/heads/jay.wren-lint +97977982cb56f334db00bb67c801359c1a671188 refs/heads/jay.wren-maybe-ipv4-6-fix +c618b96feff1dc2c057a4d5c02f34de92869ec45 refs/heads/jay.wren-stats.pprof +8d4dd2648445c1482c7b35d93261d94b2132df63 refs/heads/jay.wren-wireguard-tun +be90e4aa0511a43f11b419eb1707eb41c3744b29 refs/heads/jay.wren-wireguard-tun-2 +5cc3ff594a9d782a86f8484f623f4805f72ca6e9 refs/heads/jay.wren-wireguard-tun-3 +9c6fb08a6dd15e950731a0440691c234e4227b30 refs/heads/make-boringcrypto-checklinkname +f573e8a26695278f9d71587390fbfe0d0933aa21 refs/heads/master +d6c5c00ef75fe0b4dcac7bc57c28a009cc2bd7fe refs/heads/master-1-9-tag +0824035906474c6f815e4b1388b008f1ec57ea3d refs/heads/multiport +d4aea03dd1236a032fe5508e29cf0494768ba71c refs/heads/mutex-debug +30863642468dd7386325edb036cc5fa0928abd6f refs/heads/no-exit +2944be4bb08b16f7752738d13773fc2551bac556 refs/heads/no-exit-jack +06372e12f1a2fd763c2a8a9d465f5b80511de614 refs/heads/prometheus-static-labels +6d5299715ebb720197f0095b8c287ff0b94928f5 refs/heads/psk +0681195da3f68b6bcda375a2c8f31fca105fec61 refs/heads/psk-v2 +7c3f5339508c7dbc74eea7f925d31b28bafa1b45 refs/heads/release-1.9 +4c745e8cfe032899e6188f12e241d1adb13a3856 refs/heads/remove-olddead-tunnels +29157f413c727e937b73acb12035be13520f8b7f refs/heads/stinkier +703ac81fa6cf5a8e4c2d68c91ffa87c40301425e refs/heads/stinky +886141decfc087ffed71b22eb3a7a515634edf14 refs/heads/stream-cas-scanner +00016ff066186f8bc4b1a843ef12e7fd153b9fd1 refs/heads/stupid-ed25519-panic +03ab9a1208a32cb59d1f4a917ad66b1ed618d803 refs/heads/synctrace +be58a866d91183f6d98096821b1ebff2cdfc2525 refs/heads/tun-dnshax +3583a3f7aba2cccc6f8d1a1e16338430771c5b64 refs/heads/tun-name-template +9642afa14989ee490cda2f6e8c6ceef1ae5b11bd refs/heads/update-lh-on-netlink-addr +14714431ed64f43801ce23cb224ea275e0c7ea42 refs/heads/v6hax +71bf3744b14c0c11338b603b130e4c9f175e4f30 refs/heads/vhost +b6c6b96c79a5c64d98fd77162c4427811e69c2e1 refs/heads/windows_udp_buffer_setting +f9d3d521b62aa52463d008ef4e2f2133daaa0b4c refs/tags/v1.0.0 +0312a3e4408836e2a58a08171c31d7b13ae917e2 refs/tags/v1.1.0 +b7e608f0d744dac34e171a3af21cc50a776f977e refs/tags/v1.10.0 +63208c0ab6f0879b8f1c10774582b6a2fd8f4671 refs/tags/v1.10.1 +f16df96a63328ddfb82b03de853139b5c0ab66b2 refs/tags/v1.10.2 +afe3e8c52cd4b91e8c5f946bf2e624df6d311c13 refs/tags/v1.10.3 +019d573fd023224454e7dce0d68fcf4155f77b91 refs/tags/v1.2.0 +14bd5487d818474fcd39a12b12789a6daeaa210a refs/tags/v1.3.0 +8ef4213a01084719c80a7bd3d1c04e3999ba673c refs/tags/v1.4.0 +57a32f7c15f1ea105507958aac538ae736474158 refs/tags/v1.5.0 +6f6452112c7bd441dc4bea2134a9cda3faea858a refs/tags/v1.5.2 +d2847cddd89fb1c44b3da10a84e7a9b3e2f55131 refs/tags/v1.6.0 +e6f8783d68238d851832a892ece04b0877644f4c refs/tags/v1.6.1 +2bd87e2fd9648115aae5eec6c8405dff4415bb60 refs/tags/v1.7.0 +dc15e3c8f7e27deb87260749015bcc9d80846314 refs/tags/v1.7.1 +fe5893ceb0e59a00921d412c542351af21858279 refs/tags/v1.7.2 +2b49fed0ff9829f2cddff6b9b84daa4573015ba0 refs/tags/v1.8.0 +8a6a50394fc0af13759121a33f6b822da3d7e2b0 refs/tags/v1.8.1 +0627ffad3e6db253fee4309fb2fbf6c3e6bfc138 refs/tags/v1.8.2 +2e19289b18f2617e9b89ca1017795861f79e3001 refs/tags/v1.9.0 +c9a28bc6ee349611a4946e83d51729f4656fdcd7 refs/tags/v1.9.1 +72d867cdb6bd15dccc51a64ecd5c6af545996298 refs/tags/v1.9.2 +68d6c921d3f355bce2be65450d99def28c957482 refs/tags/v1.9.3 +50504c0f3d54a87ed608587010d6358936e1587a refs/tags/v1.9.4 +a2dd225410da9c21b51df1312dc8aa0bf8358c3c refs/tags/v1.9.5 +86fa4053b125adcc2f587cce9aee8af95894f444 refs/tags/v1.9.6 +0c17c48bb173f5208f265b0c3fe074feeb1d4a3b refs/tags/v1.9.7 Binary files old/nebula-1.10.2/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.rev and new/nebula-1.10.3/.git/objects/pack/pack-cbf5d84dfc52e6bc3e92d6cc0fc0ba2773d1d108.rev differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/packed-refs new/nebula-1.10.3/.git/packed-refs --- old/nebula-1.10.2/.git/packed-refs 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/.git/packed-refs 2026-02-06 20:26:51.000000000 +0100 @@ -3,47 +3,57 @@ 2d128a3254cef202a81c88d5d7b6922f632bcc2c refs/remotes/origin/batched-path e7423d39f936f801697f70516c4f5c778d912f9a refs/remotes/origin/botched-path 43bdf9066ec7758afee3a33cbb8cf5efaa109d64 refs/remotes/origin/cert-v2-mixed-af-unsafe-nets -f8fe454972d740556600cf2ec9e69caf7a18ff75 refs/remotes/origin/cert-v2-more-todo 5fa386bb703fec75a7a59ac6de9350013a52293d refs/remotes/origin/cert-v2-reloads-with-relay-stuff -824cd3f0d6bc2c36a6515bc93a2c56c3fa8b90b5 refs/remotes/origin/changelog-v1.9.7 2ea8a72d5c9688985603370e46ba9520950cbca8 refs/remotes/origin/channels 2c6f81c224885ce9d66de433f60ba424f1b784af refs/remotes/origin/channels-batching 9253f36a3c875d5738d0f026e54c763a686ef084 refs/remotes/origin/channels-sendmmsg-batching f2bb43fb4231b228385082d2b087b97a4ba83a5e refs/remotes/origin/channels-spicy 2ab75709ad84e02a1010b30e5181f249cd13867c refs/remotes/origin/channels2 a0f8cb209854b140410f0832559622c16d20ec5a refs/remotes/origin/channels_and_minimal_gsogro +40e4ca0920f99b5015d4a15e8e8e97a75a2ac9fb refs/remotes/origin/conntrack-icmp 9101b62162b2f55a21e37e800cc84a18be9b5278 refs/remotes/origin/cross-stack-relay f597aa71e325eb52f57d2ac404862ecc79822f79 refs/remotes/origin/cross-stack-relay-overlaps -b418a081a8feebe5740574a43a3364578c9e1c61 refs/remotes/origin/fips140 +25451dc42ec0854a6f7d924128cbbefb035dc099 refs/remotes/origin/dependabot/go_modules/github.com/gaissmai/bart-0.26.1 +b558262b19e65fce65578a7d10ca38d2c3f77dba refs/remotes/origin/dependabot/go_modules/github.com/miekg/dns-1.1.72 +054cba9d8c71fac21629f0a57d9ff815cd60edc9 refs/remotes/origin/dependabot/go_modules/github.com/miekg/pkcs11-1.1.2 +0993d1a78e8b0335615831db4cb7e804ba767d7d refs/remotes/origin/dependabot/go_modules/golang-x-dependencies-0900014c3e +6fa1ecdc2991e244a879e48539bb69a660aa6929 refs/remotes/origin/fips140 +8bb6090ffd9bd2a7433d83d8f1f9f81c4a4fd231 refs/remotes/origin/firewall-feedback e25016a94692b668d4c37833e2f8a25c2fa6b874 refs/remotes/origin/firewall-forward-table 12bf7a154d476af976e7f6b11f9d859853e6df4a refs/remotes/origin/github-release-upload +2190c04201172cfdf91b6e64ae2c1be6f149c881 refs/remotes/origin/go-fix +d00ddc5e0feb54b57eecf8a4d3b63984e24efa74 refs/remotes/origin/icmp-no-port db11e2f1af19017d21ef5912a5613d48b9db3d02 refs/remotes/origin/interface-hooks a4b7f624da48761fff4122ab4d0aaec1deb2ef92 refs/remotes/origin/io-uring-gso-gro-offtherails +ef1739bec4a6345be4415f49e6c2305bf126e562 refs/remotes/origin/jay.wren-batch-packets 5ceac2b078bcb816d9d738c570a35a0a3bc33c78 refs/remotes/origin/jay.wren-dns-ctx 2400e2392be3fcb87bf6ef3badc30ee6689ba848 refs/remotes/origin/jay.wren-lint 97977982cb56f334db00bb67c801359c1a671188 refs/remotes/origin/jay.wren-maybe-ipv4-6-fix +c618b96feff1dc2c057a4d5c02f34de92869ec45 refs/remotes/origin/jay.wren-stats.pprof 8d4dd2648445c1482c7b35d93261d94b2132df63 refs/remotes/origin/jay.wren-wireguard-tun be90e4aa0511a43f11b419eb1707eb41c3744b29 refs/remotes/origin/jay.wren-wireguard-tun-2 -1cdc7b41494836ff21a3569a704f38e45eed5977 refs/remotes/origin/jay.wren-wireguard-tun-3 +5cc3ff594a9d782a86f8484f623f4805f72ca6e9 refs/remotes/origin/jay.wren-wireguard-tun-3 9c6fb08a6dd15e950731a0440691c234e4227b30 refs/remotes/origin/make-boringcrypto-checklinkname -0b02d982b256dffc9c215306a2e550d8a1bd16ab refs/remotes/origin/master +f573e8a26695278f9d71587390fbfe0d0933aa21 refs/remotes/origin/master d6c5c00ef75fe0b4dcac7bc57c28a009cc2bd7fe refs/remotes/origin/master-1-9-tag 0824035906474c6f815e4b1388b008f1ec57ea3d refs/remotes/origin/multiport d4aea03dd1236a032fe5508e29cf0494768ba71c refs/remotes/origin/mutex-debug -064831cf21020d42200a9399fcf0253e4efcfa6a refs/remotes/origin/no-exit +30863642468dd7386325edb036cc5fa0928abd6f refs/remotes/origin/no-exit +2944be4bb08b16f7752738d13773fc2551bac556 refs/remotes/origin/no-exit-jack 06372e12f1a2fd763c2a8a9d465f5b80511de614 refs/remotes/origin/prometheus-static-labels 6d5299715ebb720197f0095b8c287ff0b94928f5 refs/remotes/origin/psk 0681195da3f68b6bcda375a2c8f31fca105fec61 refs/remotes/origin/psk-v2 7c3f5339508c7dbc74eea7f925d31b28bafa1b45 refs/remotes/origin/release-1.9 -d400d9a5ecb588586c3b9a11f69dda006caed39c refs/remotes/origin/release-1.9-hostmap-networks-fix 4c745e8cfe032899e6188f12e241d1adb13a3856 refs/remotes/origin/remove-olddead-tunnels 29157f413c727e937b73acb12035be13520f8b7f refs/remotes/origin/stinkier 703ac81fa6cf5a8e4c2d68c91ffa87c40301425e refs/remotes/origin/stinky 886141decfc087ffed71b22eb3a7a515634edf14 refs/remotes/origin/stream-cas-scanner +00016ff066186f8bc4b1a843ef12e7fd153b9fd1 refs/remotes/origin/stupid-ed25519-panic 03ab9a1208a32cb59d1f4a917ad66b1ed618d803 refs/remotes/origin/synctrace +be58a866d91183f6d98096821b1ebff2cdfc2525 refs/remotes/origin/tun-dnshax 3583a3f7aba2cccc6f8d1a1e16338430771c5b64 refs/remotes/origin/tun-name-template 9642afa14989ee490cda2f6e8c6ceef1ae5b11bd refs/remotes/origin/update-lh-on-netlink-addr -2c30c2edb93e9d116c3a4832684b85fc9bcde4eb refs/remotes/origin/v6hax +14714431ed64f43801ce23cb224ea275e0c7ea42 refs/remotes/origin/v6hax 71bf3744b14c0c11338b603b130e4c9f175e4f30 refs/remotes/origin/vhost b6c6b96c79a5c64d98fd77162c4427811e69c2e1 refs/remotes/origin/windows_udp_buffer_setting f9d3d521b62aa52463d008ef4e2f2133daaa0b4c refs/tags/v1.0.0 @@ -55,6 +65,8 @@ ^72a40007ea873d914a099b77916e4933befc85b6 f16df96a63328ddfb82b03de853139b5c0ab66b2 refs/tags/v1.10.2 ^0b02d982b256dffc9c215306a2e550d8a1bd16ab +afe3e8c52cd4b91e8c5f946bf2e624df6d311c13 refs/tags/v1.10.3 +^f573e8a26695278f9d71587390fbfe0d0933aa21 019d573fd023224454e7dce0d68fcf4155f77b91 refs/tags/v1.2.0 ^fb252db4a153ba7467d1d7320b3821d897640791 14bd5487d818474fcd39a12b12789a6daeaa210a refs/tags/v1.3.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/.git/refs/heads/master new/nebula-1.10.3/.git/refs/heads/master --- old/nebula-1.10.2/.git/refs/heads/master 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/.git/refs/heads/master 2026-02-06 20:26:51.000000000 +0100 @@ -1 +1 @@ -0b02d982b256dffc9c215306a2e550d8a1bd16ab +f573e8a26695278f9d71587390fbfe0d0933aa21 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/CHANGELOG.md new/nebula-1.10.3/CHANGELOG.md --- old/nebula-1.10.2/CHANGELOG.md 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/CHANGELOG.md 2026-02-06 20:26:51.000000000 +0100 @@ -7,6 +7,19 @@ ## [Unreleased] +## [1.10.3] - 2026-02-06 + +### Security + +- Fix an issue where blocklist bypass is possible when using curve P256 since the signature can have 2 valid representations. + Both fingerprint representations will be tested against the blocklist. + Any newly issued P256 based certificates will have their signature clamped to the low-s form. + Nebula will assert the low-s signature form when validating certificates in a future version. [GHSA-69x3-g4r3-p962](https://github.com/slackhq/nebula/security/advisories/GHSA-69x3-g4r3-p962) + +### Changed + +- Improve error reporting if nebula fails to start due to a tun device naming issue. (#1588) + ## [1.10.2] - 2026-01-21 ### Fixed @@ -775,7 +788,8 @@ - Initial public release. -[Unreleased]: https://github.com/slackhq/nebula/compare/v1.10.2...HEAD +[Unreleased]: https://github.com/slackhq/nebula/compare/v1.10.3...HEAD +[1.10.3]: https://github.com/slackhq/nebula/releases/tag/v1.10.3 [1.10.2]: https://github.com/slackhq/nebula/releases/tag/v1.10.2 [1.10.1]: https://github.com/slackhq/nebula/releases/tag/v1.10.1 [1.10.0]: https://github.com/slackhq/nebula/releases/tag/v1.10.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/cert/ca_pool.go new/nebula-1.10.3/cert/ca_pool.go --- old/nebula-1.10.2/cert/ca_pool.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/cert/ca_pool.go 2026-02-06 20:26:51.000000000 +0100 @@ -141,10 +141,23 @@ return nil, err } + // Pre nebula v1.10.3 could generate signatures in either high or low s form and validation + // of signatures allowed for either. Nebula v1.10.3 and beyond clamps signature generation to low-s form + // but validation still allows for either. Since a change in the signature bytes affects the fingerprint, we + // need to test both forms until such a time comes that we enforce low-s form on signature validation. + fp2, err := CalculateAlternateFingerprint(c) + if err != nil { + return nil, fmt.Errorf("could not calculate alternate fingerprint to verify: %w", err) + } + if fp2 != "" && ncp.IsBlocklisted(fp2) { + return nil, ErrBlockListed + } + cc := CachedCertificate{ Certificate: c, InvertedGroups: make(map[string]struct{}), Fingerprint: fp, + fingerprint2: fp2, signerFingerprint: signer.Fingerprint, } @@ -158,6 +171,11 @@ // VerifyCachedCertificate is the same as VerifyCertificate other than it operates on a pre-verified structure and // is a cheaper operation to perform as a result. func (ncp *CAPool) VerifyCachedCertificate(now time.Time, c *CachedCertificate) error { + // Check any available alternate fingerprint forms for this certificate, re P256 high-s/low-s + if c.fingerprint2 != "" && ncp.IsBlocklisted(c.fingerprint2) { + return ErrBlockListed + } + _, err := ncp.verify(c.Certificate, now, c.Fingerprint, c.signerFingerprint) return err } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/cert/ca_pool_test.go new/nebula-1.10.3/cert/ca_pool_test.go --- old/nebula-1.10.2/cert/ca_pool_test.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/cert/ca_pool_test.go 2026-02-06 20:26:51.000000000 +0100 @@ -5,6 +5,7 @@ "testing" "time" + "github.com/slackhq/nebula/cert/p256" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -170,6 +171,15 @@ _, err = caPool.VerifyCertificate(time.Now(), c) require.EqualError(t, err, "certificate is in the block list") + // Create a copy of the cert and swap to the alternate form for the signature + nc := c.Copy() + b, err := p256.Swap(c.Signature()) + require.NoError(t, err) + require.NoError(t, nc.(*certificateV1).setSignature(b)) + + _, err = caPool.VerifyCertificate(time.Now(), nc) + require.EqualError(t, err, "certificate is in the block list") + caPool.ResetCertBlocklist() _, err = caPool.VerifyCertificate(time.Now(), c) require.NoError(t, err) @@ -187,7 +197,7 @@ require.NoError(t, err) caPool = NewCAPool() - b, err := caPool.AddCAFromPEM(caPem) + b, err = caPool.AddCAFromPEM(caPem) require.NoError(t, err) assert.Empty(t, b) @@ -196,7 +206,17 @@ }) c, _, _, _ = NewTestCert(Version1, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"}) - _, err = caPool.VerifyCertificate(time.Now(), c) + cc, err := caPool.VerifyCertificate(time.Now(), c) + require.NoError(t, err) + + // Reset the blocklist and block the alternate form fingerprint + caPool.ResetCertBlocklist() + caPool.BlocklistFingerprint(cc.fingerprint2) + err = caPool.VerifyCachedCertificate(time.Now(), cc) + require.EqualError(t, err, "certificate is in the block list") + + caPool.ResetCertBlocklist() + err = caPool.VerifyCachedCertificate(time.Now(), cc) require.NoError(t, err) } @@ -394,6 +414,15 @@ _, err = caPool.VerifyCertificate(time.Now(), c) require.EqualError(t, err, "certificate is in the block list") + // Create a copy of the cert and swap to the alternate form for the signature + nc := c.Copy() + b, err := p256.Swap(c.Signature()) + require.NoError(t, err) + require.NoError(t, nc.(*certificateV2).setSignature(b)) + + _, err = caPool.VerifyCertificate(time.Now(), nc) + require.EqualError(t, err, "certificate is in the block list") + caPool.ResetCertBlocklist() _, err = caPool.VerifyCertificate(time.Now(), c) require.NoError(t, err) @@ -411,7 +440,7 @@ require.NoError(t, err) caPool = NewCAPool() - b, err := caPool.AddCAFromPEM(caPem) + b, err = caPool.AddCAFromPEM(caPem) require.NoError(t, err) assert.Empty(t, b) @@ -420,7 +449,17 @@ }) c, _, _, _ = NewTestCert(Version2, Curve_P256, ca, caKey, "test", time.Now(), time.Now().Add(5*time.Minute), nil, nil, []string{"test1"}) - _, err = caPool.VerifyCertificate(time.Now(), c) + cc, err := caPool.VerifyCertificate(time.Now(), c) + require.NoError(t, err) + + // Reset the blocklist and block the alternate form fingerprint + caPool.ResetCertBlocklist() + caPool.BlocklistFingerprint(cc.fingerprint2) + err = caPool.VerifyCachedCertificate(time.Now(), cc) + require.EqualError(t, err, "certificate is in the block list") + + caPool.ResetCertBlocklist() + err = caPool.VerifyCachedCertificate(time.Now(), cc) require.NoError(t, err) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/cert/cert.go new/nebula-1.10.3/cert/cert.go --- old/nebula-1.10.2/cert/cert.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/cert/cert.go 2026-02-06 20:26:51.000000000 +0100 @@ -4,6 +4,8 @@ "fmt" "net/netip" "time" + + "github.com/slackhq/nebula/cert/p256" ) type Version uint8 @@ -110,6 +112,9 @@ InvertedGroups map[string]struct{} Fingerprint string signerFingerprint string + + // A place to store a 2nd fingerprint if the certificate could have one, such as with P256 + fingerprint2 string } func (cc *CachedCertificate) String() string { @@ -152,3 +157,31 @@ return c, nil } + +// CalculateAlternateFingerprint calculates a 2nd fingerprint representation for P256 certificates +// CAPool blocklist testing through `VerifyCertificate` and `VerifyCachedCertificate` automatically performs this step. +func CalculateAlternateFingerprint(c Certificate) (string, error) { + if c.Curve() != Curve_P256 { + return "", nil + } + + nc := c.Copy() + b, err := p256.Swap(nc.Signature()) + if err != nil { + return "", err + } + + switch v := nc.(type) { + case *certificateV1: + err = v.setSignature(b) + case *certificateV2: + err = v.setSignature(b) + default: + return "", ErrUnknownVersion + } + + if err != nil { + return "", err + } + return nc.Fingerprint() +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/cert/p256/p256.go new/nebula-1.10.3/cert/p256/p256.go --- old/nebula-1.10.2/cert/p256/p256.go 1970-01-01 01:00:00.000000000 +0100 +++ new/nebula-1.10.3/cert/p256/p256.go 2026-02-06 20:26:51.000000000 +0100 @@ -0,0 +1,122 @@ +package p256 + +import ( + "crypto/elliptic" + "errors" + "math/big" + + "filippo.io/bigmod" + + "golang.org/x/crypto/cryptobyte" + "golang.org/x/crypto/cryptobyte/asn1" +) + +var halfN = new(big.Int).Rsh(elliptic.P256().Params().N, 1) +var nMod *bigmod.Modulus + +func init() { + n, err := bigmod.NewModulus(elliptic.P256().Params().N.Bytes()) + if err != nil { + panic(err) + } + nMod = n +} + +func IsNormalized(sig []byte) (bool, error) { + r, s, err := parseSignature(sig) + if err != nil { + return false, err + } + return checkLowS(r, s), nil +} + +func checkLowS(_, s []byte) bool { + bigS := new(big.Int).SetBytes(s) + // Check if S <= (N/2), because we want to include the midpoint in the set of low-s + return bigS.Cmp(halfN) <= 0 +} + +func swap(r, s []byte) ([]byte, []byte, error) { + var err error + bigS, err := bigmod.NewNat().SetBytes(s, nMod) + if err != nil { + return nil, nil, err + } + sNormalized := nMod.Nat().Sub(bigS, nMod) + + return r, sNormalized.Bytes(nMod), nil +} + +func Normalize(sig []byte) ([]byte, error) { + r, s, err := parseSignature(sig) + if err != nil { + return nil, err + } + + if checkLowS(r, s) { + return sig, nil + } + + newR, newS, err := swap(r, s) + if err != nil { + return nil, err + } + + return encodeSignature(newR, newS) +} + +// Swap will change sig between its current form to the opposite high or low form. +func Swap(sig []byte) ([]byte, error) { + r, s, err := parseSignature(sig) + if err != nil { + return nil, err + } + + newR, newS, err := swap(r, s) + if err != nil { + return nil, err + } + + return encodeSignature(newR, newS) +} + +// parseSignature taken exactly from crypto/ecdsa/ecdsa.go +func parseSignature(sig []byte) (r, s []byte, err error) { + var inner cryptobyte.String + input := cryptobyte.String(sig) + if !input.ReadASN1(&inner, asn1.SEQUENCE) || + !input.Empty() || + !inner.ReadASN1Integer(&r) || + !inner.ReadASN1Integer(&s) || + !inner.Empty() { + return nil, nil, errors.New("invalid ASN.1") + } + return r, s, nil +} + +func encodeSignature(r, s []byte) ([]byte, error) { + var b cryptobyte.Builder + b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) { + addASN1IntBytes(b, r) + addASN1IntBytes(b, s) + }) + return b.Bytes() +} + +// addASN1IntBytes encodes in ASN.1 a positive integer represented as +// a big-endian byte slice with zero or more leading zeroes. +func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) { + for len(bytes) > 0 && bytes[0] == 0 { + bytes = bytes[1:] + } + if len(bytes) == 0 { + b.SetError(errors.New("invalid integer")) + return + } + b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) { + if bytes[0]&0x80 != 0 { + c.AddUint8(0) + } + c.AddBytes(bytes) + }) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/cert/p256/p256_test.go new/nebula-1.10.3/cert/p256/p256_test.go --- old/nebula-1.10.2/cert/p256/p256_test.go 1970-01-01 01:00:00.000000000 +0100 +++ new/nebula-1.10.3/cert/p256/p256_test.go 2026-02-06 20:26:51.000000000 +0100 @@ -0,0 +1,28 @@ +package p256 + +import ( + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "testing" + + "github.com/stretchr/testify/require" +) + +func TestFlipping(t *testing.T) { + priv, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + require.NoError(t, err1) + + out, err := ecdsa.SignASN1(rand.Reader, priv, []byte("big chungus")) + require.NoError(t, err) + + r, s, err := parseSignature(out) + require.NoError(t, err) + + r, s1, err := swap(r, s) + require.NoError(t, err) + r, s2, err := swap(r, s1) + require.NoError(t, err) + require.Equal(t, s, s2) + require.NotEqual(t, s, s1) +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/cert/sign.go new/nebula-1.10.3/cert/sign.go --- old/nebula-1.10.2/cert/sign.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/cert/sign.go 2026-02-06 20:26:51.000000000 +0100 @@ -9,6 +9,8 @@ "fmt" "net/netip" "time" + + "github.com/slackhq/nebula/cert/p256" ) // TBSCertificate represents a certificate intended to be signed. @@ -126,6 +128,13 @@ return nil, err } + if curve == Curve_P256 { + sig, err = p256.Normalize(sig) + if err != nil { + return nil, err + } + } + err = c.setSignature(sig) if err != nil { return nil, err diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/cert/sign_test.go new/nebula-1.10.3/cert/sign_test.go --- old/nebula-1.10.2/cert/sign_test.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/cert/sign_test.go 2026-02-06 20:26:51.000000000 +0100 @@ -9,6 +9,7 @@ "testing" "time" + "github.com/slackhq/nebula/cert/p256" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -89,3 +90,48 @@ require.NoError(t, err) assert.NotNil(t, uc) } + +func TestCertificate_SignP256_AlwaysNormalized(t *testing.T) { + before := time.Now().Add(time.Second * -60).Round(time.Second) + after := time.Now().Add(time.Second * 60).Round(time.Second) + pubKey := []byte("01234567890abcedfghij1234567890ab1234567890abcedfghij1234567890ab") + + tbs := TBSCertificate{ + Version: Version1, + Name: "testing", + Networks: []netip.Prefix{ + mustParsePrefixUnmapped("10.1.1.1/24"), + mustParsePrefixUnmapped("10.1.1.2/16"), + }, + UnsafeNetworks: []netip.Prefix{ + mustParsePrefixUnmapped("9.1.1.2/24"), + mustParsePrefixUnmapped("9.1.1.3/16"), + }, + Groups: []string{"test-group1", "test-group2", "test-group3"}, + NotBefore: before, + NotAfter: after, + PublicKey: pubKey, + IsCA: true, + Curve: Curve_P256, + } + + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + require.NoError(t, err) + pub := elliptic.Marshal(elliptic.P256(), priv.PublicKey.X, priv.PublicKey.Y) + rawPriv := priv.D.FillBytes(make([]byte, 32)) + + for i := 0; i < 1000; i++ { + if i&1 == 1 { + tbs.Version = Version1 + } else { + tbs.Version = Version2 + } + c, err := tbs.Sign(nil, Curve_P256, rawPriv) + require.NoError(t, err) + assert.NotNil(t, c) + assert.True(t, c.CheckSignature(pub)) + normie, err := p256.IsNormalized(c.Signature()) + require.NoError(t, err) + assert.True(t, normie) + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/go.mod new/nebula-1.10.3/go.mod --- old/nebula-1.10.2/go.mod 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/go.mod 2026-02-06 20:26:51.000000000 +0100 @@ -4,6 +4,7 @@ require ( dario.cat/mergo v1.0.2 + filippo.io/bigmod v0.1.0 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be github.com/armon/go-radix v1.0.0 github.com/cyberdelia/go-metrics-graphite v0.0.0-20161219230853-39f87cc3b432 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/go.sum new/nebula-1.10.3/go.sum --- old/nebula-1.10.2/go.sum 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/go.sum 2026-02-06 20:26:51.000000000 +0100 @@ -1,6 +1,8 @@ cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= +filippo.io/bigmod v0.1.0 h1:UNzDk7y9ADKST+axd9skUpBQeW7fG2KrTZyOE4uGQy8= +filippo.io/bigmod v0.1.0/go.mod h1:OjOXDNlClLblvXdwgFFOQFJEocLhhtai8vGLy0JCZlI= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/interface.go new/nebula-1.10.3/interface.go --- old/nebula-1.10.2/interface.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/interface.go 2026-02-06 20:26:51.000000000 +0100 @@ -490,6 +490,14 @@ f.l.WithError(err).Error("Error while closing udp socket") } } + for i, r := range f.readers { + if i == 0 { + continue // f.readers[0] is f.inside, which we want to save for last + } + if err := r.Close(); err != nil { + f.l.WithError(err).Error("Error while closing tun reader") + } + } // Release the tun device return f.inside.Close() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/lighthouse_test.go new/nebula-1.10.3/lighthouse_test.go --- old/nebula-1.10.2/lighthouse_test.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/lighthouse_test.go 2026-02-06 20:26:51.000000000 +0100 @@ -1,7 +1,6 @@ package nebula import ( - "context" "encoding/binary" "fmt" "net/netip" @@ -42,14 +41,14 @@ c := config.NewC(l) c.Settings["lighthouse"] = map[string]any{"hosts": []any{lh1}} c.Settings["static_host_map"] = map[string]any{lh1: []any{"1.1.1.1:4242"}} - _, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil) + _, err := NewLightHouseFromConfig(t.Context(), l, c, cs, nil, nil) require.NoError(t, err) lh2 := "10.128.0.3" c = config.NewC(l) c.Settings["lighthouse"] = map[string]any{"hosts": []any{lh1, lh2}} c.Settings["static_host_map"] = map[string]any{lh1: []any{"100.1.1.1:4242"}} - _, err = NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil) + _, err = NewLightHouseFromConfig(t.Context(), l, c, cs, nil, nil) require.EqualError(t, err, "lighthouse 10.128.0.3 does not have a static_host_map entry") } @@ -71,7 +70,7 @@ } c.Settings["static_host_map"] = map[string]any{lh1: []any{"1.1.1.1:4242"}} - lh, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil) + lh, err := NewLightHouseFromConfig(t.Context(), l, c, cs, nil, nil) require.NoError(t, err) lh.ifce = &mockEncWriter{} @@ -99,7 +98,7 @@ } c := config.NewC(l) - lh, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil) + lh, err := NewLightHouseFromConfig(b.Context(), l, c, cs, nil, nil) require.NoError(b, err) hAddr := netip.MustParseAddrPort("4.5.6.7:12345") @@ -202,7 +201,7 @@ myVpnNetworks: []netip.Prefix{myVpnNet}, myVpnNetworksTable: nt, } - lh, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil) + lh, err := NewLightHouseFromConfig(t.Context(), l, c, cs, nil, nil) lh.ifce = &mockEncWriter{} require.NoError(t, err) lhh := lh.NewRequestHandler() @@ -288,7 +287,7 @@ myVpnNetworksTable: nt, } - lh, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil) + lh, err := NewLightHouseFromConfig(t.Context(), l, c, cs, nil, nil) require.NoError(t, err) nc := map[string]any{ @@ -523,7 +522,7 @@ myVpnNetworks: []netip.Prefix{myVpnNet}, myVpnNetworksTable: nt, } - lh, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil) + lh, err := NewLightHouseFromConfig(t.Context(), l, c, cs, nil, nil) require.NoError(t, err) lh.ifce = &mockEncWriter{} @@ -589,7 +588,7 @@ myVpnNetworks: []netip.Prefix{myVpnNet}, myVpnNetworksTable: nt, } - lh, err := NewLightHouseFromConfig(context.Background(), l, c, cs, nil, nil) + lh, err := NewLightHouseFromConfig(t.Context(), l, c, cs, nil, nil) require.NoError(t, err) lh.ifce = &mockEncWriter{} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/overlay/tun.go new/nebula-1.10.3/overlay/tun.go --- old/nebula-1.10.2/overlay/tun.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/overlay/tun.go 2026-02-06 20:26:51.000000000 +0100 @@ -12,6 +12,15 @@ const DefaultMTU = 1300 +type NameError struct { + Name string + Underlying error +} + +func (e *NameError) Error() string { + return fmt.Sprintf("could not set tun device name: %s because %s", e.Name, e.Underlying) +} + // TODO: We may be able to remove routines type DeviceFactory func(c *config.C, l *logrus.Logger, vpnNetworks []netip.Prefix, routines int) (Device, error) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/overlay/tun_freebsd.go new/nebula-1.10.3/overlay/tun_freebsd.go --- old/nebula-1.10.2/overlay/tun_freebsd.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/overlay/tun_freebsd.go 2026-02-06 20:26:51.000000000 +0100 @@ -266,7 +266,7 @@ } // Set the device name - ioctl(fd, syscall.SIOCSIFNAME, uintptr(unsafe.Pointer(&ifrr))) + _ = ioctl(fd, syscall.SIOCSIFNAME, uintptr(unsafe.Pointer(&ifrr))) } t := &tun{ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/overlay/tun_linux.go new/nebula-1.10.3/overlay/tun_linux.go --- old/nebula-1.10.2/overlay/tun_linux.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/overlay/tun_linux.go 2026-02-06 20:26:51.000000000 +0100 @@ -112,9 +112,13 @@ if multiqueue { req.Flags |= unix.IFF_MULTI_QUEUE } - copy(req.Name[:], c.GetString("tun.dev", "")) + nameStr := c.GetString("tun.dev", "") + copy(req.Name[:], nameStr) if err = ioctl(uintptr(fd), uintptr(unix.TUNSETIFF), uintptr(unsafe.Pointer(&req))); err != nil { - return nil, err + return nil, &NameError{ + Name: nameStr, + Underlying: err, + } } name := strings.Trim(string(req.Name[:]), "\x00") @@ -713,6 +717,7 @@ if t.ioctlFd > 0 { _ = os.NewFile(t.ioctlFd, "ioctlFd").Close() + t.ioctlFd = 0 } return nil diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nebula-1.10.2/overlay/tun_windows.go new/nebula-1.10.3/overlay/tun_windows.go --- old/nebula-1.10.2/overlay/tun_windows.go 2026-01-21 18:42:34.000000000 +0100 +++ new/nebula-1.10.3/overlay/tun_windows.go 2026-02-06 20:26:51.000000000 +0100 @@ -74,7 +74,10 @@ l.WithError(err).Debug("Failed to create wintun device, retrying") tunDevice, err = wintun.CreateTUNWithRequestedGUID(deviceName, guid, t.MTU) if err != nil { - return nil, fmt.Errorf("create TUN device failed: %w", err) + return nil, &NameError{ + Name: deviceName, + Underlying: fmt.Errorf("create TUN device failed: %w", err), + } } } t.tun = tunDevice.(*wintun.NativeTun) ++++++ vendor.tar.zst ++++++ ++++ 3200 lines of diff (skipped)
