Add Go 1.25 to CI pipeline

OpenBSD: Pledge full filesystem read for Go's resolv.conf polling (#1275 )
sys/kern/kern_pledge.c r1.329[0] removed the unveil bypass for "dns", so "rpath" is needed for Go's DNS to stat(2) it. Since current "/ rwc" and "cpath" with the new "rpath" amount to full read access, there is no point in unveiling anymore. 0: 8d49ad01ac
2025-08-26 22:53:10 +00:00 · 2025-08-16 11:49:37 +01:00 · 2025-08-11 23:39:52 +01:00 · 2025-06-22 23:00:44 +01:00 · 2025-06-22 16:37:34 +01:00 · 2025-06-21 20:09:12 +01:00
21 changed files with 213 additions and 93 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,7 +51,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        goversion: ["1.21", "1.22", "1.23"]
+        goversion: ["1.23", "1.24", "1.25"]

    name: Build & Test (Linux, Go ${{ matrix.goversion }})
    needs: [lint]
@@ -75,7 +75,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        goversion: ["1.21", "1.22", "1.23"]
+        goversion: ["1.23", "1.24", "1.25"]

    name: Build & Test (Windows, Go ${{ matrix.goversion }})
    needs: [lint]
@@ -99,7 +99,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        goversion: ["1.21", "1.22", "1.23"]
+        goversion: ["1.23", "1.24", "1.25"]

    name: Build & Test (macOS, Go ${{ matrix.goversion }})
    needs: [lint]
@@ -123,7 +123,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        goversion: ["1.21", "1.22", "1.23"]
+        goversion: ["1.23", "1.24", "1.25"]
        goos:
          - freebsd
          - openbsd
--- a/.github/workflows/pkg.yml
+++ b/.github/workflows/pkg.yml
@@ -16,7 +16,7 @@ jobs:

    name: Package (Debian, ${{ matrix.pkgarch }})

-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -110,7 +110,7 @@ jobs:

    name: Package (Router, ${{ matrix.pkgarch }})

-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,36 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - in case of vulnerabilities.
 -->

+## [0.5.12] - 2024-12-18
+
+* Go 1.22 is now required to build Yggdrasil
+
+### Changed
+
+* The `latency_ms` field in the admin socket `getPeers` response has been renamed to `latency`
+
+### Fixed
+
+* A timing regression which causes a higher level of idle protocol traffic on each peering has been fixed
+* The `-user` flag now correctly detects an empty user/group specification
+
+## [0.5.11] - 2024-12-12
+
+### Added
+
+* Support for `unveil` and `pledge` on OpenBSD
+
+### Changed
+
+* The parent selection algorithm now only chooses a new parent if there is a larger cost benefit to doing so, which should help to stabilise the tree
+* The bloom filters are now repropagated periodically, to avoid nodes getting stuck with bad state
+
+### Fixed
+
+* A memory leak caused by missed cleanup of the peer response map has been fixed
+* Other bug fixes with bloom filter propagation for off-tree filters and zero vs one bits
+* TLS-based peering connections now support TLS 1.2 again
+
 ## [0.5.10] - 2024-11-24

 ### Added
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ or tools in the `contrib` folder.
 If you want to build from source, as opposed to installing one of the pre-built
 packages:

-1. Install [Go](https://golang.org) (requires Go 1.21 or later)
+1. Install [Go](https://golang.org) (requires Go 1.22 or later)
 2. Clone this repository
 2. Run `./build`

@@ -81,11 +81,9 @@ Documentation is available [on our website](https://yggdrasil-network.github.io)
 - [Frequently asked questions](https://yggdrasil-network.github.io/faq.html)
 - [Version changelog](CHANGELOG.md)

-## Community
+## Communities

-Feel free to join us on our [Matrix
-channel](https://matrix.to/#/#yggdrasil:matrix.org) at `#yggdrasil:matrix.org`
-or in the `#yggdrasil` IRC channel on [libera.chat](https://libera.chat).
+A number of IRC communities exist, including the `#yggdrasil` IRC channel on [libera.chat](https://libera.chat) and various others on [Yggdrasil-internal IRC networks](https://yggdrasil-network.github.io/services.html#irc).

 ## License

--- a/cmd/genkeys/main.go
+++ b/cmd/genkeys/main.go
@@ -18,18 +18,27 @@ import (
 	"runtime"
 	"time"

+	"suah.dev/protect"
+
 	"github.com/yggdrasil-network/yggdrasil-go/src/address"
 )

 type keySet struct {
 	priv ed25519.PrivateKey
 	pub  ed25519.PublicKey
+	count uint64
 }

 func main() {
+	if err := protect.Pledge("stdio"); err != nil {
+		panic(err)
+	}
+
 	threads := runtime.GOMAXPROCS(0)
 	fmt.Println("Threads:", threads)
 	start := time.Now()
+	var totalKeys uint64
+	totalKeys = 0
 	var currentBest ed25519.PublicKey
 	newKeys := make(chan keySet, threads)
 	for i := 0; i < threads; i++ {
@@ -38,8 +47,9 @@ func main() {
 	for {
 		newKey := <-newKeys
 		if isBetter(currentBest, newKey.pub) || len(currentBest) == 0 {
+			totalKeys += newKey.count
 			currentBest = newKey.pub
-			fmt.Println("-----", time.Since(start))
+			fmt.Println("-----", time.Since(start), "---", totalKeys, "keys tried")
 			fmt.Println("Priv:", hex.EncodeToString(newKey.priv))
 			fmt.Println("Pub:", hex.EncodeToString(newKey.pub))
 			addr := address.AddrForKey(newKey.pub)
@@ -62,11 +72,14 @@ func isBetter(oldPub, newPub ed25519.PublicKey) bool {

 func doKeys(out chan<- keySet) {
 	bestKey := make(ed25519.PublicKey, ed25519.PublicKeySize)
+	var count uint64
+	count = 0
 	for idx := range bestKey {
 		bestKey[idx] = 0xff
 	}
 	for {
 		pub, priv, err := ed25519.GenerateKey(nil)
+		count++
 		if err != nil {
 			panic(err)
 		}
@@ -74,6 +87,7 @@ func doKeys(out chan<- keySet) {
 			continue
 		}
 		bestKey = pub
-		out <- keySet{priv, pub}
+		out <- keySet{priv, pub, count}
+		count = 0
 	}
 }
--- a/cmd/yggdrasil/chuser_unix.go
+++ b/cmd/yggdrasil/chuser_unix.go
@@ -14,6 +14,12 @@ import (

 func chuser(input string) error {
 	givenUser, givenGroup, _ := strings.Cut(input, ":")
+	if givenUser == "" {
+		return fmt.Errorf("user is empty")
+	}
+	if strings.Contains(input, ":") && givenGroup == "" {
+		return fmt.Errorf("group is empty")
+	}

 	var (
 		err      error
--- a/cmd/yggdrasil/chuser_unix_test.go
+++ b/cmd/yggdrasil/chuser_unix_test.go
@@ -4,8 +4,8 @@
 package main

 import (
-	"testing"
 	"os/user"
+	"testing"
 )

 // Usernames must not contain a number sign.
--- a/cmd/yggdrasil/main.go
+++ b/cmd/yggdrasil/main.go
@@ -14,6 +14,8 @@ import (
 	"strings"
 	"syscall"

+	"suah.dev/protect"
+
 	"github.com/gologme/log"
 	gsyslog "github.com/hashicorp/go-syslog"
 	"github.com/hjson/hjson-go/v4"
@@ -296,6 +298,21 @@ func main() {
 		}
 	}

+	// Promise final modes of operation.  At this point, if at all:
+	// - raw socket is created/open
+	// - admin socket is created/open
+	// - privileges are dropped to non-root user
+	//
+	// Peers, InterfacePeers, Listen can be UNIX sockets;
+	// Go's net.Listen.Close() deletes files on shutdown.
+	promises := []string{"stdio", "rpath", "cpath", "inet", "unix", "dns"}
+	if len(cfg.MulticastInterfaces) > 0 {
+		promises = append(promises, "mcast")
+	}
+	if err := protect.Pledge(strings.Join(promises, " ")); err != nil {
+		panic(fmt.Sprintf("pledge: %v: %v", promises, err))
+	}
+
 	// Block until we are told to shut down.
 	<-ctx.Done()

--- a/cmd/yggdrasilctl/main.go
+++ b/cmd/yggdrasilctl/main.go
@@ -13,6 +13,8 @@ import (
 	"strings"
 	"time"

+	"suah.dev/protect"
+
 	"github.com/olekukonko/tablewriter"
 	"github.com/yggdrasil-network/yggdrasil-go/src/admin"
 	"github.com/yggdrasil-network/yggdrasil-go/src/core"
@@ -22,6 +24,11 @@ import (
 )

 func main() {
+	// read config, speak DNS/TCP and/or over a UNIX socket
+	if err := protect.Pledge("stdio rpath inet unix dns"); err != nil {
+		panic(err)
+	}
+
 	// makes sure we can use defer and still return an error code to the OS
 	os.Exit(run())
 }
@@ -78,6 +85,11 @@ func run() int {
 		panic(err)
 	}

+	// config and socket are done, work without unprivileges
+	if err := protect.Pledge("stdio"); err != nil {
+		panic(err)
+	}
+
 	logger.Println("Connected")
 	defer conn.Close()

--- a/contrib/apparmor/usr.bin.yggdrasilctl
+++ b/contrib/apparmor/usr.bin.yggdrasilctl
@@ -0,0 +1,11 @@
+# Last Modified: Mon Feb  3 22:19:45 2025
+include <tunables/global>
+
+/usr/bin/yggdrasilctl {
+  include <abstractions/base>
+
+  /etc/yggdrasil.conf rw,
+  /run/yggdrasil.sock rw,
+  owner /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+}
--- a/contrib/mobile/mobile.go
+++ b/contrib/mobile/mobile.go
@@ -1,6 +1,7 @@
 package mobile

 import (
+	"crypto/ed25519"
 	"encoding/hex"
 	"encoding/json"
 	"net"
@@ -273,3 +274,28 @@ func (m *Yggdrasil) GetMTU() int {
 func GetVersion() string {
 	return version.BuildVersion()
 }
+
+type ConfigSummary struct {
+	PublicKey   string
+	IPv6Address string
+	IPv6Subnet  string
+}
+
+func SummaryForConfig(b []byte) *ConfigSummary {
+	cfg := config.GenerateConfig()
+	if err := cfg.UnmarshalHJSON(b); err != nil {
+		return nil
+	}
+	pub := ed25519.PrivateKey(cfg.PrivateKey).Public().(ed25519.PublicKey)
+	hpub := hex.EncodeToString(pub)
+	addr := net.IP(address.AddrForKey(pub)[:])
+	snet := net.IPNet{
+		IP:   append(address.SubnetForKey(pub)[:], 0, 0, 0, 0, 0, 0, 0, 0),
+		Mask: net.CIDRMask(64, 128),
+	}
+	return &ConfigSummary{
+		PublicKey:   hpub,
+		IPv6Address: addr.String(),
+		IPv6Subnet:  snet.String(),
+	}
+}
--- a/contrib/openrc/yggdrasil
+++ b/contrib/openrc/yggdrasil
@@ -6,7 +6,6 @@ CONFFILE="/etc/yggdrasil.conf"
 pidfile="/run/${RC_SVCNAME}.pid"

 command="/usr/bin/yggdrasil"
-extra_started_commands="reload"

 depend() {
 	use net dns logger
@@ -42,12 +41,6 @@ start() {
 	eend $?
 }

-reload() {
-	ebegin "Reloading ${RC_SVCNAME}"
-	start-stop-daemon --signal HUP --pidfile "${pidfile}"
-	eend $?
-}
-
 stop() {
 	ebegin "Stopping ${RC_SVCNAME}"
 	start-stop-daemon --stop --pidfile "${pidfile}" --exec "${command}"
--- a/go.mod
+++ b/go.mod
@@ -1,25 +1,27 @@
 module github.com/yggdrasil-network/yggdrasil-go

-go 1.21
+go 1.23.1
+
+toolchain go1.24.2

 require (
-	github.com/Arceliar/ironwood v0.0.0-20241122002527-75a6e82fa380
+	github.com/Arceliar/ironwood v0.0.0-20241213013129-743fe2fccbd3
 	github.com/Arceliar/phony v0.0.0-20220903101357-530938a4b13d
 	github.com/cheggaaa/pb/v3 v3.1.5
-	github.com/coder/websocket v1.8.12
+	github.com/coder/websocket v1.8.13
 	github.com/gologme/log v1.3.0
 	github.com/hashicorp/go-syslog v1.0.0
-	github.com/hjson/hjson-go/v4 v4.4.0
+	github.com/hjson/hjson-go/v4 v4.5.0
 	github.com/kardianos/minwinsvc v1.0.2
-	github.com/quic-go/quic-go v0.46.0
+	github.com/quic-go/quic-go v0.52.0
 	github.com/vishvananda/netlink v1.3.0
 	github.com/wlynxg/anet v0.0.5
-	golang.org/x/crypto v0.29.0
-	golang.org/x/net v0.31.0
-	golang.org/x/sys v0.27.0
-	golang.org/x/text v0.20.0
+	golang.org/x/crypto v0.39.0
+	golang.org/x/net v0.41.0
+	golang.org/x/sys v0.33.0
+	golang.org/x/text v0.26.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
-	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
+	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
 	golang.zx2c4.com/wireguard/windows v0.5.3
 )

@@ -31,18 +33,18 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/onsi/ginkgo/v2 v2.9.5 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	go.uber.org/mock v0.4.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/sync v0.9.0 // indirect
-	golang.org/x/tools v0.23.0 // indirect
+	go.uber.org/mock v0.5.0 // indirect
+	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/tools v0.33.0 // indirect
 )

 require (
 	github.com/VividCortex/ewma v1.2.0 // indirect
-	github.com/fatih/color v1.15.0 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/fatih/color v1.18.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/vishvananda/netns v0.0.4 // indirect
+	github.com/vishvananda/netns v0.0.5 // indirect
+	suah.dev/protect v1.2.4
 )
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,5 @@
-github.com/Arceliar/ironwood v0.0.0-20241122002527-75a6e82fa380 h1:WRLvBMWzs6NOiPUYA7fMu8XqZFg/clXKorUumfbJNv0=
-github.com/Arceliar/ironwood v0.0.0-20241122002527-75a6e82fa380/go.mod h1:SrrElc3FFMpYCODSr11jWbLFeOM8WsY+DbDY/l2AXF0=
+github.com/Arceliar/ironwood v0.0.0-20241213013129-743fe2fccbd3 h1:d8N0z+udAnbU5PdjpLSNPTWlqeU/nnYsQ42B6+879aw=
+github.com/Arceliar/ironwood v0.0.0-20241213013129-743fe2fccbd3/go.mod h1:SrrElc3FFMpYCODSr11jWbLFeOM8WsY+DbDY/l2AXF0=
 github.com/Arceliar/phony v0.0.0-20220903101357-530938a4b13d h1:UK9fsWbWqwIQkMCz1CP+v5pGbsGoWAw6g4AyvMpm1EM=
 github.com/Arceliar/phony v0.0.0-20220903101357-530938a4b13d/go.mod h1:BCnxhRf47C/dy/e/D2pmB8NkB3dQVIrkD98b220rx5Q=
 github.com/VividCortex/ewma v1.2.0 h1:f58SaIzcDXrSy3kWaHNvuJgJ3Nmz59Zji6XoJR/q1ow=
@@ -14,13 +14,13 @@ github.com/cheggaaa/pb/v3 v3.1.5/go.mod h1:CrxkeghYTXi1lQBEI7jSn+3svI3cuc19haAj6
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
-github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
+github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
@@ -29,27 +29,27 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/gologme/log v1.3.0 h1:l781G4dE+pbigClDSDzSaaYKtiueHCILUa/qSDsmHAo=
 github.com/gologme/log v1.3.0/go.mod h1:yKT+DvIPdDdDoPtqFrFxheooyVmoqi0BAsw+erN3wA4=
-github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
-github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
+github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/hashicorp/go-syslog v1.0.0 h1:KaodqZuhUoZereWVIYmpUgZysurB1kBLX2j0MwMrUAE=
 github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4=
-github.com/hjson/hjson-go/v4 v4.4.0 h1:D/NPvqOCH6/eisTb5/ztuIS8GUvmpHaLOcNk1Bjr298=
-github.com/hjson/hjson-go/v4 v4.4.0/go.mod h1:KaYt3bTw3zhBjYqnXkYywcYctk0A2nxeEFTse3rH13E=
+github.com/hjson/hjson-go/v4 v4.5.0 h1:ZHLiZ+HaGqPOtEe8T6qY8QHnoEsAeBv8wqxniQAp+CY=
+github.com/hjson/hjson-go/v4 v4.5.0/go.mod h1:4zx6c7Y0vWcm8IRyVoQJUHAPJLXLvbG6X8nk1RLigSo=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/kardianos/minwinsvc v1.0.2 h1:JmZKFJQrmTGa/WiW+vkJXKmfzdjabuEW4Tirj5lLdR0=
 github.com/kardianos/minwinsvc v1.0.2/go.mod h1:LUZNYhNmxujx2tR7FbdxqYJ9XDDoCd3MQcl1o//FWl4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
-github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
 github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
@@ -58,50 +58,51 @@ github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
 github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/quic-go/quic-go v0.46.0 h1:uuwLClEEyk1DNvchH8uCByQVjo3yKL9opKulExNDs7Y=
-github.com/quic-go/quic-go v0.46.0/go.mod h1:1dLehS7TIR64+vxGR70GDcatWTOtMX2PUtnKsjbTurI=
+github.com/quic-go/quic-go v0.52.0 h1:/SlHrCRElyaU6MaEPKqKr9z83sBg2v4FLLvWM+Z47pA=
+github.com/quic-go/quic-go v0.52.0/go.mod h1:MFlGGpcpJqRAfmYi6NC2cptDPSxRWTOGNuP4wqrWmzQ=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/twmb/murmur3 v1.1.6 h1:mqrRot1BRxm+Yct+vavLMou2/iJt0tNVTTC0QoIjaZg=
 github.com/twmb/murmur3 v1.1.6/go.mod h1:Qq/R7NUyOfr65zD+6Q5IHKsJLwP7exErjN6lyyq3OSQ=
 github.com/vishvananda/netlink v1.3.0 h1:X7l42GfcV4S6E4vHTsw48qbrV+9PVojNfIhZcwQdrZk=
 github.com/vishvananda/netlink v1.3.0/go.mod h1:i6NetklAujEcC6fK0JPjT8qSwWyO0HLn4UKG+hGqeJs=
-github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
+github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
+github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/wlynxg/anet v0.0.5 h1:J3VJGi1gvo0JwZ/P1/Yc/8p63SoW98B5dHkYDmpgvvU=
 github.com/wlynxg/anet v0.0.5/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
-go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
-go.uber.org/mock v0.4.0/go.mod h1:a6FSlNadKUHUa9IP5Vyt1zh4fC7uAwxMutEAscFbkZc=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
-golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
-golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
-golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
-golang.org/x/sync v0.9.0 h1:fEo0HyrW1GIgZdpbhCRO0PkJajUS5H9IFUztCgEo2jQ=
-golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
+go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.20.0 h1:gK/Kv2otX8gz+wn7Rmb3vT96ZwuoxnQlY+HlJVj7Qug=
-golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
-golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
-golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173 h1:/jFs0duh4rdb8uIfPMv78iAJGcPKDeqAFnaLBropIC4=
-golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
+golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
+golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
@@ -110,5 +111,7 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259 h1:TbRPT0HtzFP3Cno1zZo7yPzEEnfu8EjLfl6IU9VfqkQ=
-gvisor.dev/gvisor v0.0.0-20230927004350-cbd86285d259/go.mod h1:AVgIgHMwK63XvmAzWG9vLQ41YnVHN0du0tEC46fI7yY=
+gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c h1:m/r7OM+Y2Ty1sgBQ7Qb27VgIMBW8ZZhT4gLnUyDIhzI=
+gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c/go.mod h1:3r5CMtNQMKIvBlrmM9xWUNamjKBYPOWyXOjmg5Kts3g=
+suah.dev/protect v1.2.4 h1:iVZG/zQB63FKNpITDYM/cXoAeCTIjCiXHuFVByJFDzg=
+suah.dev/protect v1.2.4/go.mod h1:vVrquYO3u1Ep9Ez2z8x+6N6/czm+TBmWKZfiXU2tb54=
--- a/src/address/address.go
+++ b/src/address/address.go
@@ -113,7 +113,7 @@ func SubnetForKey(publicKey ed25519.PublicKey) *Subnet {
 	return &snet
 }

-// GetKet returns the partial ed25519.PublicKey for the Address.
+// GetKey returns the partial ed25519.PublicKey for the Address.
 // This is used for key lookup.
 func (a *Address) GetKey() ed25519.PublicKey {
 	var key [ed25519.PublicKeySize]byte
@@ -141,7 +141,7 @@ func (a *Address) GetKey() ed25519.PublicKey {
 	return ed25519.PublicKey(key[:])
 }

-// GetKet returns the partial ed25519.PublicKey for the Subnet.
+// GetKey returns the partial ed25519.PublicKey for the Subnet.
 // This is used for key lookup.
 func (s *Subnet) GetKey() ed25519.PublicKey {
 	var addr Address
--- a/src/admin/getpeers.go
+++ b/src/admin/getpeers.go
@@ -31,7 +31,7 @@ type PeerEntry struct {
 	RXRate        DataUnit      `json:"rate_recvd,omitempty"`
 	TXRate        DataUnit      `json:"rate_sent,omitempty"`
 	Uptime        float64       `json:"uptime,omitempty"`
-	Latency       time.Duration `json:"latency_ms,omitempty"`
+	Latency       time.Duration `json:"latency,omitempty"`
 	LastErrorTime time.Duration `json:"last_error_time,omitempty"`
 	LastError     string        `json:"last_error,omitempty"`
 }
--- a/src/core/link.go
+++ b/src/core/link.go
@@ -28,7 +28,7 @@ const (
 )

 const defaultBackoffLimit = time.Second << 12 // 1h8m16s
-const minimumBackoffLimit = time.Second * 30
+const minimumBackoffLimit = time.Second * 5

 type links struct {
 	phony.Inbox
--- a/src/core/link_quic.go
+++ b/src/core/link_quic.go
@@ -54,6 +54,8 @@ func (l *linkQUIC) dial(ctx context.Context, url *url.URL, info linkInfo, option
 	tlsconfig := l.tlsconfig.Clone()
 	return l.links.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
 		tlsconfig.ServerName = hostname
+		tlsconfig.MinVersion = tls.VersionTLS12
+		tlsconfig.MaxVersion = tls.VersionTLS13
 		hostport := net.JoinHostPort(ip.String(), fmt.Sprintf("%d", port))
 		qc, err := quic.DialAddr(ctx, hostport, l.tlsconfig, l.quicconfig)
 		if err != nil {
--- a/src/core/link_socks.go
+++ b/src/core/link_socks.go
@@ -51,6 +51,8 @@ func (l *linkSOCKS) dial(_ context.Context, url *url.URL, info linkInfo, options
 		}
 		if url.Scheme == "sockstls" {
 			tlsconfig.ServerName = hostname
+			tlsconfig.MinVersion = tls.VersionTLS12
+			tlsconfig.MaxVersion = tls.VersionTLS13
 			if sni := options.tlsSNI; sni != "" {
 				tlsconfig.ServerName = sni
 			}
--- a/src/core/link_tls.go
+++ b/src/core/link_tls.go
@@ -35,6 +35,8 @@ func (l *linkTLS) dial(ctx context.Context, url *url.URL, info linkInfo, options
 	tlsconfig := l.config.Clone()
 	return l.links.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
 		tlsconfig.ServerName = hostname
+		tlsconfig.MinVersion = tls.VersionTLS12
+		tlsconfig.MaxVersion = tls.VersionTLS13
 		if sni := options.tlsSNI; sni != "" {
 			tlsconfig.ServerName = sni
 		}
--- a/src/core/link_wss.go
+++ b/src/core/link_wss.go
@@ -34,6 +34,8 @@ func (l *linkWSS) dial(ctx context.Context, url *url.URL, info linkInfo, options
 	tlsconfig := l.tlsconfig.Clone()
 	return l.links.findSuitableIP(url, func(hostname string, ip net.IP, port int) (net.Conn, error) {
 		tlsconfig.ServerName = hostname
+		tlsconfig.MinVersion = tls.VersionTLS12
+		tlsconfig.MaxVersion = tls.VersionTLS13
 		u := *url
 		u.Host = net.JoinHostPort(ip.String(), fmt.Sprintf("%d", port))
 		addr := &net.TCPAddr{
Author	SHA1	Message	Date
Neil Alexander	89a3718d59	Add Go 1.25 to CI pipeline	2025-08-16 11:49:37 +01:00
Klemens Nanni	6d195c6de3	OpenBSD: Pledge full filesystem read for Go's resolv.conf polling (#1275 ) sys/kern/kern_pledge.c r1.329[0] removed the unveil bypass for "dns", so "rpath" is needed for Go's DNS to stat(2) it. Since current "/ rwc" and "cpath" with the new "rpath" amount to full read access, there is no point in unveiling anymore. 0: `8d49ad01ac`	2025-08-11 23:39:52 +01:00
Neil Alexander	429403aea5	Update CI workers for packaging pipeline	2025-06-22 23:00:44 +01:00
Neil Alexander	ffc0dc92e0	Reduce minimum `maxbackoff` to 5 seconds	2025-06-22 16:37:34 +01:00
Neil Alexander	81543e9cc0	Remove Go 1.22 from CI	2025-06-21 20:09:12 +01:00
Neil Alexander	9e5c25d4af	Update to Go 1.23, update dependencies	2025-06-21 20:08:08 +01:00
Neil	390dba0471	Update readme	2025-06-02 22:02:02 +01:00
Sergey Alirzaev	47818a1a7c	apparmor: add yggdrasilctl policy (#1235 )	2025-04-15 17:17:52 +01:00
Sergey Alirzaev	6377d7f071	contrib/openrc: remove SIGHUP logic (#1236 ) as it is long gone from the daemon code and unexpectedly kills the daemon	2025-04-15 17:15:09 +01:00
Neil Alexander	5b8dbc8b1e	Add summary helpers to mobile wrapper	2025-03-31 10:18:57 +01:00
patrini32	73705ff09d	Typo fix (#1232 )	2025-02-20 09:45:49 +00:00
Neil Alexander	3b18909f70	Update dependencies	2025-02-18 12:57:58 +00:00
Neil Alexander	58b727d1f0	Add Go 1.24 to CI	2025-02-18 12:52:21 +00:00
Klemens Nanni	782c0250d7	Use pledge(2) on OpenBSD (#1215 ) Straight forward thanks to all privileged operations being done early enough during startup.	2024-12-22 11:04:26 +00:00
Neil Alexander	213f72b840	Yggdrasil 0.5.12	2024-12-18 22:34:30 +00:00
Neil Alexander	1fbcf3b3c2	Rename `latency_ms` to `latency` in `getPeers` response since it isn't even milliseconds anymore	2024-12-18 22:21:23 +00:00
Peter Gervai	22bc9c44e2	genkeys print the number of generated keys (#1217 ) It is good to know how many resources have we carelessly wasted. :-)	2024-12-18 19:56:46 +00:00
Neil	9c73bacab9	Update to Go 1.22, quic-go/quic-go@v0.48.2 (#1218 ) Our dependencies are now moving beyond Go 1.21 so need to update. Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>	2024-12-13 23:33:26 +00:00
Neil Alexander	04be129878	Update to Arceliar/ironwood@743fe2f	2024-12-13 23:12:36 +00:00
Neil Alexander	657f7e0db3	Fix empty user/group detection on `chuser` This should fix #1216.	2024-12-13 16:55:25 +00:00
Neil	7adf5f18b7	Yggdrasil 0.5.11 (#1214 ) Changelog updates. Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com>	2024-12-12 19:26:54 +00:00
Neil Alexander	69451fe969	Specify TLS 1.2-TLS 1.3 supported range for client connections Should fix #1208.	2024-12-12 19:07:55 +00:00
Klemens Nanni	2d587740c1	genkeys, yggdrasilctl: Use pledge(2) on OpenBSD (#1193 ) Restrict system operations of CLI tools with https://man.openbsd.org/pledge.2. https://pkg.go.dev/suah.dev/protect abstracts the OS specific code, i.e. is a NOOP on non-OpenBSD systems. This PR is to gauge upstream interest in this direction; my OpenBSD port of yggdrasil already pledges the daemon, resulting in minimal runtime privileges, but there are still a few rough edges: https://github.com/jasperla/openbsd-wip/blob/master/net/yggdrasil/patches/patch-cmd_yggdrasil_main_go#L80 --------- Co-authored-by: Neil <git@neilalexander.dev>	2024-12-12 18:48:24 +00:00
Neil Alexander	b2b0396d48	Update dependencies	2024-12-12 18:42:53 +00:00
Klemens Nanni	83ec58afc7	Use unveil(2) on OpenBSD (#1194 ) After #1175 removed ioctl(2) fallback code shelling out to ifconfig(8), there is no code left (compiled on OpenBSD) that would fork(2) or execve(2). Drop the ability to run any executable file to double down on this, thus reducing the attack surface of this this experimental, internet facing daemon running as root. pledge(2) is doable, but needs more polish. unveil(2), however, is as simple as it gets. On other systems, this code is a NOOP, but can still help to implement similar safety belts.	2024-12-12 18:37:02 +00:00
Neil Alexander	b436052b2d	Update to Arceliar/ironwood@9deb08d	2024-12-10 19:02:13 +00:00