fix(dtls): upgrade pion/dtls v2.2.6 to v3.1.1 fixing CVE-2026-26014
Upgrade github.com/pion/dtls from v2.2.6 to v3.1.1 to fix nonce reuse vulnerability in AES-GCM ciphers (GHSA-9f3f-wv7r-qc8r). Migrate from deprecated Config-struct API to ListenWithOptions/ClientWithOptions options-based API. v2 Config fields mapped to v3 functional options: - Certificates, InsecureSkipVerify, ExtendedMasterSecret, ServerName, RootCAs, ClientCAs, ClientAuth, FlightInterval, MTU ConnectContextMaker removed — no longer exists in v3; explicit HandshakeContext(ctx) on *Conn is the replacement for timeout control.
This commit is contained in:
+10
-12
@@ -12,7 +12,7 @@ import (
|
||||
"github.com/go-gost/x/internal/net/proxyproto"
|
||||
xdtls "github.com/go-gost/x/internal/util/dtls"
|
||||
"github.com/go-gost/x/registry"
|
||||
"github.com/pion/dtls/v2"
|
||||
"github.com/pion/dtls/v3"
|
||||
)
|
||||
|
||||
func init() {
|
||||
@@ -64,17 +64,15 @@ func (d *dtlsDialer) Dial(ctx context.Context, addr string, opts ...dialer.DialO
|
||||
InsecureSkipVerify: true,
|
||||
}
|
||||
}
|
||||
config := dtls.Config{
|
||||
Certificates: tlsCfg.Certificates,
|
||||
InsecureSkipVerify: tlsCfg.InsecureSkipVerify,
|
||||
ExtendedMasterSecret: dtls.RequireExtendedMasterSecret,
|
||||
ServerName: tlsCfg.ServerName,
|
||||
RootCAs: tlsCfg.RootCAs,
|
||||
FlightInterval: d.md.flightInterval,
|
||||
MTU: d.md.mtu,
|
||||
}
|
||||
|
||||
c, err := dtls.ClientWithContext(ctx, conn, &config)
|
||||
c, err := dtls.ClientWithOptions(conn.(net.PacketConn), conn.RemoteAddr(),
|
||||
dtls.WithCertificates(tlsCfg.Certificates...),
|
||||
dtls.WithInsecureSkipVerify(tlsCfg.InsecureSkipVerify),
|
||||
dtls.WithExtendedMasterSecret(dtls.RequireExtendedMasterSecret),
|
||||
dtls.WithServerName(tlsCfg.ServerName),
|
||||
dtls.WithRootCAs(tlsCfg.RootCAs),
|
||||
dtls.WithFlightInterval(d.md.flightInterval),
|
||||
dtls.WithMTU(d.md.mtu),
|
||||
)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user