Files
x/dialer/dtls/dialer.go
T
ginuerzh 5a838a7d47 fix(dtls): upgrade pion/dtls v2.2.6 to v3.1.1 fixing CVE-2026-26014
Upgrade github.com/pion/dtls from v2.2.6 to v3.1.1 to fix nonce reuse
vulnerability in AES-GCM ciphers (GHSA-9f3f-wv7r-qc8r). Migrate from
deprecated Config-struct API to ListenWithOptions/ClientWithOptions
options-based API.

v2 Config fields mapped to v3 functional options:
- Certificates, InsecureSkipVerify, ExtendedMasterSecret, ServerName,
  RootCAs, ClientCAs, ClientAuth, FlightInterval, MTU

ConnectContextMaker removed — no longer exists in v3; explicit
HandshakeContext(ctx) on *Conn is the replacement for timeout control.
2026-05-23 18:48:21 +08:00

81 lines
1.8 KiB
Go

package dtls
import (
"context"
"crypto/tls"
"net"
"github.com/go-gost/core/dialer"
"github.com/go-gost/core/logger"
md "github.com/go-gost/core/metadata"
xctx "github.com/go-gost/x/ctx"
"github.com/go-gost/x/internal/net/proxyproto"
xdtls "github.com/go-gost/x/internal/util/dtls"
"github.com/go-gost/x/registry"
"github.com/pion/dtls/v3"
)
func init() {
registry.DialerRegistry().Register("dtls", NewDialer)
}
type dtlsDialer struct {
md metadata
logger logger.Logger
options dialer.Options
}
func NewDialer(opts ...dialer.Option) dialer.Dialer {
options := dialer.Options{}
for _, opt := range opts {
opt(&options)
}
return &dtlsDialer{
logger: options.Logger,
options: options,
}
}
func (d *dtlsDialer) Init(md md.Metadata) (err error) {
return d.parseMetadata(md)
}
func (d *dtlsDialer) Dial(ctx context.Context, addr string, opts ...dialer.DialOption) (net.Conn, error) {
var options dialer.DialOptions
for _, opt := range opts {
opt(&options)
}
conn, err := options.Dialer.Dial(ctx, "udp", addr)
if err != nil {
return nil, err
}
conn = proxyproto.WrapClientConn(
d.options.ProxyProtocol,
xctx.SrcAddrFromContext(ctx),
xctx.DstAddrFromContext(ctx),
conn)
tlsCfg := d.options.TLSConfig
if tlsCfg == nil {
tlsCfg = &tls.Config{
InsecureSkipVerify: true,
}
}
c, err := dtls.ClientWithOptions(conn.(net.PacketConn), conn.RemoteAddr(),
dtls.WithCertificates(tlsCfg.Certificates...),
dtls.WithInsecureSkipVerify(tlsCfg.InsecureSkipVerify),
dtls.WithExtendedMasterSecret(dtls.RequireExtendedMasterSecret),
dtls.WithServerName(tlsCfg.ServerName),
dtls.WithRootCAs(tlsCfg.RootCAs),
dtls.WithFlightInterval(d.md.flightInterval),
dtls.WithMTU(d.md.mtu),
)
if err != nil {
return nil, err
}
return xdtls.Conn(c, d.md.bufferSize), nil
}