Update to latest dtls library. Fixes #85

plorenz · plorenz · commit 69e08b617de1 · 2024-08-14T16:45:38.000-04:00
diff --git a/address.go b/address.go
@@ -31,6 +31,9 @@ const (
 	KeyProxy                    = "proxy"
 	KeyProtocol                 = "protocol"
 	KeyCachedProxyConfiguration = "cachedProxyConfiguration"
+
+	KeyHandshakeTimeout       = "handshakeTimeout"
+	KeyCachedHandshakeTimeout = "cachedHandshakeTimeout"
 )
 
 type Configuration map[interface{}]interface{}
@@ -84,6 +87,28 @@ func (self Configuration) GetProxyConfiguration() (*ProxyConfiguration, error) {
 	return result, nil
 }
 
+func (self Configuration) GetHandshakeTimeout() (time.Duration, error) {
+	if val, ok := self[KeyCachedHandshakeTimeout]; ok {
+		if timeout, ok := val.(time.Duration); ok {
+			return timeout, nil
+		}
+	}
+
+	if val, ok := self[KeyHandshakeTimeout]; ok {
+		if strVal, ok := val.(string); ok {
+			timeout, err := time.ParseDuration(strVal)
+			if err == nil {
+				self[KeyCachedHandshakeTimeout] = timeout
+			}
+			return timeout, errors.Wrapf(err, "unable to parse handshake timeout '%s' to duration", strVal)
+		} else {
+			return 0, errors.New("invalid handshake timeout, must be string value")
+		}
+	}
+
+	return 0, nil
+}
+
 type ProxyType string
 
 const (
diff --git a/dtls/address.go b/dtls/address.go
@@ -46,8 +46,8 @@ func (a *address) DialWithLocalBinding(name string, localBinding string, i *iden
 	return DialWithLocalBinding(a, name, localBinding, i, timeout)
 }
 
-func (a *address) Listen(name string, i *identity.TokenId, acceptF func(transport.Conn), _ transport.Configuration) (io.Closer, error) {
-	return Listen(a, name, i, acceptF)
+func (a *address) Listen(name string, i *identity.TokenId, acceptF func(transport.Conn), tcfg transport.Configuration) (io.Closer, error) {
+	return Listen(a, name, i, tcfg, acceptF)
 }
 
 func (a *address) MustListen(name string, i *identity.TokenId, acceptF func(transport.Conn), tcfg transport.Configuration) io.Closer {
@@ -62,7 +62,7 @@ func (a *address) String() string {
 	return a.original
 }
 
-func (a address) Type() string {
+func (a *address) Type() string {
 	return Type
 }
 
@@ -75,7 +75,7 @@ func (a *address) Hostname() string {
 	return a.UDPAddr.IP.String()
 }
 
-func (a address) Port() uint16 {
+func (a *address) Port() uint16 {
 	return uint16(a.UDPAddr.Port)
 }
 
diff --git a/dtls/connection.go b/dtls/connection.go
@@ -19,13 +19,17 @@ package dtls
 import (
 	"crypto/x509"
 	"github.com/openziti/transport/v2"
-	"github.com/pion/dtls/v2"
+	"github.com/pion/dtls/v3"
 	"github.com/pkg/errors"
 )
 
 func getPeerCerts(conn *dtls.Conn) ([]*x509.Certificate, error) {
 	var certs []*x509.Certificate
-	for _, certBytes := range conn.ConnectionState().PeerCertificates {
+	connState, ok := conn.ConnectionState()
+	if !ok {
+		return nil, errors.New("unable to get dtls connection state, couldn't get peer certificates")
+	}
+	for _, certBytes := range connState.PeerCertificates {
 		cert, err := x509.ParseCertificate(certBytes)
 		if err != nil {
 			return nil, errors.Wrap(err, "couldn't parse peer cert")
diff --git a/dtls/dialer.go b/dtls/dialer.go
@@ -22,7 +22,8 @@ import (
 	"github.com/michaelquigley/pfxlog"
 	"github.com/openziti/identity"
 	"github.com/openziti/transport/v2"
-	"github.com/pion/dtls/v2"
+	"github.com/pion/dtls/v3"
+	"github.com/pkg/errors"
 	"net"
 	"time"
 )
@@ -32,16 +33,17 @@ func Dial(addr *address, name string, i *identity.TokenId, timeout time.Duration
 }
 
 func DialWithLocalBinding(addr *address, name, localBinding string, i *identity.TokenId, timeout time.Duration) (transport.Conn, error) {
+	log := pfxlog.Logger()
+	log.WithField("address", addr.String()).Debug("dialing")
+
 	if addr.err != nil {
 		return nil, addr.err
 	}
-	ip, err := transport.ResolveLocalBinding(localBinding)
-	if err != nil {
-		return nil, err
+	ip, closeErr := transport.ResolveLocalBinding(localBinding)
+	if closeErr != nil {
+		return nil, closeErr
 	}
 
-	log := pfxlog.Logger()
-
 	cfg := &dtls.Config{
 		Certificates: []tls.Certificate{*i.Cert()},
 		//ExtendedMasterSecret: dtls.RequireExtendedMasterSecret,
@@ -53,29 +55,40 @@ func DialWithLocalBinding(addr *address, name, localBinding string, i *identity.
 		localAddr = &net.UDPAddr{IP: ip}
 	}
 
-	udpConn, err := net.DialUDP("udp", localAddr, &addr.UDPAddr)
-	if err != nil {
-		return nil, err
+	udpConn, closeErr := net.ListenUDP("udp", localAddr)
+	if closeErr != nil {
+		return nil, closeErr
+	}
+
+	conn, closeErr := dtls.Client(udpConn, &addr.UDPAddr, cfg)
+	if closeErr != nil {
+		return nil, closeErr
 	}
 
 	ctx := context.Background()
 	cancelF := func() {}
 	if timeout > 0 {
 		ctx, cancelF = context.WithTimeout(ctx, timeout)
 	}
-	conn, err := dtls.ClientWithContext(ctx, udpConn, cfg)
+	closeErr = conn.HandshakeContext(ctx)
 	cancelF()
-	if err != nil {
-		return nil, err
+	if closeErr != nil {
+		if closeErr := conn.Close(); closeErr != nil {
+			log.WithError(closeErr).Error("error closing connection")
+		}
+		return nil, errors.Wrap(closeErr, "dtls handshake error")
 	}
 
-	log.Debugf("server provided [%d] certificates", len(conn.ConnectionState().PeerCertificates))
-
-	certs, err := getPeerCerts(conn)
-	if err != nil {
-		return nil, err
+	certs, closeErr := getPeerCerts(conn)
+	if closeErr != nil {
+		if closeErr = conn.Close(); closeErr != nil {
+			log.WithError(closeErr).Error("error closing connection")
+		}
+		return nil, errors.Wrap(closeErr, "error getting peer certificates")
 	}
 
+	log.Debugf("server provided [%d] certificates", len(certs))
+
 	return &Connection{
 		detail: &transport.ConnectionDetail{
 			Address: addr.String(),
diff --git a/dtls/listener.go b/dtls/listener.go
@@ -22,18 +22,30 @@ import (
 	"github.com/michaelquigley/pfxlog"
 	"github.com/openziti/identity"
 	"github.com/openziti/transport/v2"
-	"github.com/pion/dtls/v2"
+	"github.com/pion/dtls/v3"
 	"github.com/sirupsen/logrus"
 	"io"
 	"net"
 	"sync/atomic"
 	"time"
 )
 
-func Listen(addr *address, name string, i *identity.TokenId, acceptF func(transport.Conn)) (io.Closer, error) {
+const DefaultHandshakeTimeout = 30 * time.Second
+
+func Listen(addr *address, name string, i *identity.TokenId, tcfg transport.Configuration, acceptF func(transport.Conn)) (io.Closer, error) {
 	if addr.err != nil {
 		return nil, addr.err
 	}
+
+	timeout, err := tcfg.GetHandshakeTimeout()
+	if err != nil {
+		return nil, err
+	}
+
+	if timeout == 0 {
+		timeout = DefaultHandshakeTimeout
+	}
+
 	log := pfxlog.ContextLogger(name + "/" + addr.String()).Entry
 
 	var certs []tls.Certificate
@@ -49,9 +61,6 @@ func Listen(addr *address, name string, i *identity.TokenId, acceptF func(transp
 		RootCAs:    i.CA(),
 		//CipherSuites:         tlz.GetCipherSuites(),
 		// Create timeout context for accepted connection.
-		ConnectContextMaker: func() (context.Context, func()) {
-			return context.WithTimeout(context.Background(), 30*time.Second)
-		},
 	}
 
 	listener, err := dtls.Listen("udp", &addr.UDPAddr, cfg)
@@ -63,6 +72,7 @@ func Listen(addr *address, name string, i *identity.TokenId, acceptF func(transp
 		name:     name,
 		listener: listener,
 		acceptF:  acceptF,
+		timeout:  timeout,
 	}
 
 	go result.acceptLoop(log)
@@ -75,6 +85,7 @@ type acceptor struct {
 	listener net.Listener
 	acceptF  func(transport.Conn)
 	closed   atomic.Bool
+	timeout  time.Duration
 }
 
 func (self *acceptor) Close() error {
@@ -99,6 +110,22 @@ func (self *acceptor) acceptLoop(log *logrus.Entry) {
 		}
 
 		conn := socket.(*dtls.Conn)
+		ctx := context.Background()
+		cancelF := func() {}
+		if self.timeout > 0 {
+			ctx, cancelF = context.WithTimeout(ctx, self.timeout)
+		}
+		err = conn.HandshakeContext(ctx)
+		cancelF()
+
+		if err != nil {
+			log.WithError(err).Error("dtls handshake error")
+			if err = conn.Close(); err != nil {
+				log.WithError(err).Error("error closing connection")
+			}
+			continue
+		}
+
 		certs, err := getPeerCerts(conn)
 		if err != nil {
 			log.WithError(err).Error("unable to parse peer certificates")
@@ -115,7 +142,7 @@ func (self *acceptor) acceptLoop(log *logrus.Entry) {
 				Name:    self.name,
 			},
 			certs: certs,
-			Conn:  socket.(*dtls.Conn),
+			Conn:  conn,
 		}
 		self.acceptF(connection)
 	}
diff --git a/go.mod b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/stretchr/testify v1.9.0
-	golang.org/x/net v0.24.0
+	golang.org/x/net v0.27.0
 	nhooyr.io/websocket v1.8.11
 )
 
@@ -26,17 +26,19 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/transport/v2 v2.2.4 // indirect
-	golang.org/x/crypto v0.22.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/term v0.22.0 // indirect
 )
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/parallaxsecond/parsec-client-go v0.0.0-20221025095442-f0a77d263cf9 // indirect
+	github.com/pion/dtls/v3 v3.0.1 // indirect
+	github.com/pion/transport/v3 v3.0.7 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -334,10 +334,14 @@ github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/9
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pion/dtls/v2 v2.2.10 h1:u2Axk+FyIR1VFTPurktB+1zoEPGIW3bmyj3LEFrXjAA=
 github.com/pion/dtls/v2 v2.2.10/go.mod h1:d9SYc9fch0CqK90mRk1dC7AkzzpwJj6u2GU3u+9pqFE=
+github.com/pion/dtls/v3 v3.0.1 h1:0kmoaPYLAo0md/VemjcrAXQiSf8U+tuU3nDYVNpEKaw=
+github.com/pion/dtls/v3 v3.0.1/go.mod h1:dfIXcFkKoujDQ+jtd8M6RgqKK3DuaUilm3YatAbGp5k=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
 github.com/pion/transport/v2 v2.2.4 h1:41JJK6DZQYSeVLxILA2+F4ZkKb4Xd/tFJZRFZQ9QAlo=
 github.com/pion/transport/v2 v2.2.4/go.mod h1:q2U/tf9FEfnSBGSW6w5Qp5PFWRLRj3NjLhCCgpRK4p0=
+github.com/pion/transport/v3 v3.0.7 h1:iRbMH05BzSNwhILHoBoAPxoB9xQgOaJk+591KC9P1o0=
+github.com/pion/transport/v3 v3.0.7/go.mod h1:YleKiTZ4vqNxVwh77Z0zytYi7rXHl7j6uPLGhhz9rwo=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -485,6 +489,8 @@ golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98y
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -576,6 +582,7 @@ golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
 golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181017192945-9dcd33a902f4/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -676,6 +683,7 @@ golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -685,6 +693,7 @@ golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -699,6 +708,7 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

Original file line number	Diff line number	Diff line change
`@@ -46,8 +46,8 @@ func (a address) DialWithLocalBinding(name string, localBinding string, i iden`
`46`	`46`	`return DialWithLocalBinding(a, name, localBinding, i, timeout)`
`47`	`47`	`}`
`48`	`48`
`49`		`-func (a address) Listen(name string, i identity.TokenId, acceptF func(transport.Conn), _ transport.Configuration) (io.Closer, error) {`
`50`		`- return Listen(a, name, i, acceptF)`
	`49`	`+func (a address) Listen(name string, i identity.TokenId, acceptF func(transport.Conn), tcfg transport.Configuration) (io.Closer, error) {`
	`50`	`+ return Listen(a, name, i, tcfg, acceptF)`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`func (a address) MustListen(name string, i identity.TokenId, acceptF func(transport.Conn), tcfg transport.Configuration) io.Closer {`
`@@ -62,7 +62,7 @@ func (a *address) String() string {`
`62`	`62`	`return a.original`
`63`	`63`	`}`
`64`	`64`
`65`		`-func (a address) Type() string {`
	`65`	`+func (a *address) Type() string {`
`66`	`66`	`return Type`
`67`	`67`	`}`
`68`	`68`
`@@ -75,7 +75,7 @@ func (a *address) Hostname() string {`
`75`	`75`	`return a.UDPAddr.IP.String()`
`76`	`76`	`}`
`77`	`77`
`78`		`-func (a address) Port() uint16 {`
	`78`	`+func (a *address) Port() uint16 {`
`79`	`79`	`return uint16(a.UDPAddr.Port)`
`80`	`80`	`}`
`81`	`81`