fix(dtls): upgrade pion/dtls v2.2.6 to v3.1.1 fixing CVE-2026-26014

Upgrade github.com/pion/dtls from v2.2.6 to v3.1.1 to fix nonce reuse
vulnerability in AES-GCM ciphers (GHSA-9f3f-wv7r-qc8r). Migrate from
deprecated Config-struct API to ListenWithOptions/ClientWithOptions
options-based API.

v2 Config fields mapped to v3 functional options:
- Certificates, InsecureSkipVerify, ExtendedMasterSecret, ServerName,
  RootCAs, ClientCAs, ClientAuth, FlightInterval, MTU

ConnectContextMaker removed — no longer exists in v3; explicit
HandshakeContext(ctx) on *Conn is the replacement for timeout control.
This commit is contained in:
ginuerzh
2026-05-23 18:48:21 +08:00
parent 982ffa8149
commit 5a838a7d47
4 changed files with 28 additions and 64 deletions
+9 -16
View File
@@ -1,7 +1,6 @@
package dtls
import (
"context"
"crypto/tls"
"net"
"time"
@@ -19,7 +18,7 @@ import (
metrics "github.com/go-gost/x/metrics/wrapper"
stats "github.com/go-gost/x/observer/stats/wrapper"
"github.com/go-gost/x/registry"
"github.com/pion/dtls/v2"
"github.com/pion/dtls/v3"
)
func init() {
@@ -62,20 +61,14 @@ func (l *dtlsListener) Init(md md.Metadata) (err error) {
if tlsCfg == nil {
tlsCfg = &tls.Config{}
}
config := dtls.Config{
Certificates: tlsCfg.Certificates,
ExtendedMasterSecret: dtls.RequireExtendedMasterSecret,
// Create timeout context for accepted connection.
ConnectContextMaker: func() (context.Context, func()) {
return context.WithTimeout(context.Background(), 30*time.Second)
},
ClientCAs: tlsCfg.ClientCAs,
ClientAuth: dtls.ClientAuthType(tlsCfg.ClientAuth),
FlightInterval: l.md.flightInterval,
MTU: l.md.mtu,
}
ln, err := dtls.Listen(network, laddr, &config)
ln, err := dtls.ListenWithOptions(network, laddr,
dtls.WithCertificates(tlsCfg.Certificates...),
dtls.WithExtendedMasterSecret(dtls.RequireExtendedMasterSecret),
dtls.WithClientCAs(tlsCfg.ClientCAs),
dtls.WithClientAuth(dtls.ClientAuthType(tlsCfg.ClientAuth)),
dtls.WithFlightInterval(l.md.flightInterval),
dtls.WithMTU(l.md.mtu),
)
if err != nil {
return
}