Use latest seq num for remote address updates

Uses the update to the replay detector to determine if we should update remote address. Signed-off-by: Daniel Mangum <georgedanielmangum@gmail.com>
pion · Aug 1, 2023 · 9d01288 · 9d01288
1 parent c97d4f6
commit 9d01288
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 16 deletions.
diff --git a/conn.go b/conn.go
@@ -783,6 +783,10 @@ func (c *Conn) handleIncomingPacket(ctx context.Context, buf []byte, rAddr net.A
 		return false, nil, nil
 	}
 
+	// originalCID indicates whether the original record had content type
+	// Connection ID.
+	originalCID := false
+
 	// Decrypt
 	if h.Epoch != 0 {
 		if c.state.cipherSuite == nil || !c.state.cipherSuite.IsInitialized() {
@@ -813,6 +817,7 @@ func (c *Conn) handleIncomingPacket(ctx context.Context, buf []byte, rAddr net.A
 		// If this is a connection ID record, make it look like a normal record for
 		// further processing.
 		if h.ContentType == protocol.ContentTypeConnectionID {
+			originalCID = true
 			ip := &recordlayer.InnerPlaintext{}
 			if err := ip.Unmarshal(buf[h.Size():]); err != nil { //nolint:govet
 				c.log.Debugf("unpacking inner plaintext failed: %s", err)
@@ -839,14 +844,6 @@ func (c *Conn) handleIncomingPacket(ctx context.Context, buf []byte, rAddr net.A
 			return false, nil, nil
 		}
 
-		// Any valid connection ID record is a candidate for updating the remote
-		// address.
-		// https://datatracker.ietf.org/doc/html/rfc9146#peer-address-update
-		if rAddr != c.RemoteAddr() {
-			c.lock.Lock()
-			c.rAddr = rAddr
-			c.lock.Unlock()
-		}
 	}
 
 	isHandshake, err := c.fragmentBuffer.push(append([]byte{}, buf...))
@@ -874,6 +871,7 @@ func (c *Conn) handleIncomingPacket(ctx context.Context, buf []byte, rAddr net.A
 		return false, &alert.Alert{Level: alert.Fatal, Description: alert.DecodeError}, err
 	}
 
+	isLatestSeqNum := false
 	switch content := r.Content.(type) {
 	case *alert.Alert:
 		c.log.Tracef("%s: <- %s", srvCliStr(c.state.isClient), content.String())
@@ -882,7 +880,7 @@ func (c *Conn) handleIncomingPacket(ctx context.Context, buf []byte, rAddr net.A
 			// Respond with a close_notify [RFC5246 Section 7.2.1]
 			a = &alert.Alert{Level: alert.Warning, Description: alert.CloseNotify}
 		}
-		markPacketAsValid()
+		_ = markPacketAsValid()
 		return false, a, &alertError{content}
 	case *protocol.ChangeCipherSpec:
 		if c.state.cipherSuite == nil || !c.state.cipherSuite.IsInitialized() {
@@ -898,14 +896,14 @@ func (c *Conn) handleIncomingPacket(ctx context.Context, buf []byte, rAddr net.A
 
 		if c.state.getRemoteEpoch()+1 == newRemoteEpoch {
 			c.setRemoteEpoch(newRemoteEpoch)
-			markPacketAsValid()
+			isLatestSeqNum = markPacketAsValid()
 		}
 	case *protocol.ApplicationData:
 		if h.Epoch == 0 {
 			return false, &alert.Alert{Level: alert.Fatal, Description: alert.UnexpectedMessage}, errApplicationDataEpochZero
 		}
 
-		markPacketAsValid()
+		isLatestSeqNum = markPacketAsValid()
 
 		select {
 		case c.decrypted <- content.Data:
@@ -916,6 +914,18 @@ func (c *Conn) handleIncomingPacket(ctx context.Context, buf []byte, rAddr net.A
 	default:
 		return false, &alert.Alert{Level: alert.Fatal, Description: alert.UnexpectedMessage}, fmt.Errorf("%w: %d", errUnhandledContextType, content.ContentType())
 	}
+
+	// Any valid connection ID record is a candidate for updating the remote
+	// address if it is the latest record received.
+	// https://datatracker.ietf.org/doc/html/rfc9146#peer-address-update
+	if originalCID && isLatestSeqNum {
+		if rAddr != c.RemoteAddr() {
+			c.lock.Lock()
+			c.rAddr = rAddr
+			c.lock.Unlock()
+		}
+	}
+
 	return false, nil, nil
 }
 

diff --git a/go.mod b/go.mod
@@ -1,8 +1,10 @@
 module github.com/pion/dtls/v2
 
+replace github.com/pion/transport/v2 => github.com/hasheddan/transport/v2 v2.0.0-20230801191430-bb77a73aa34f
+
 require (
 	github.com/pion/logging v0.2.2
-	github.com/pion/transport/v2 v2.2.2-0.20230801111619-41845b068b67
+	github.com/pion/transport/v2 v2.2.2-0.20230711104634-a789100cc553
 	golang.org/x/crypto v0.11.0
 	golang.org/x/net v0.12.0
 )

diff --git a/go.sum b/go.sum
@@ -1,12 +1,10 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/hasheddan/transport/v2 v2.0.0-20230801191430-bb77a73aa34f h1:SlGsavjn/LoyxLkL1eAfuc8lUNbN2zk/OcmZYbFKAGo=
+github.com/hasheddan/transport/v2 v2.0.0-20230801191430-bb77a73aa34f/go.mod h1:PpOb8shbrv07ogRHvGlPYfp0lYSCxtXJQa0orEfXvHg=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
-github.com/pion/transport/v2 v2.2.2-0.20230711104634-a789100cc553 h1:HpaB7Mq9VWmMMiz9727IecxPj/XWyV7urHKFxugYLzg=
-github.com/pion/transport/v2 v2.2.2-0.20230711104634-a789100cc553/go.mod h1:btMS/SQTvTDn7tf8eZedcgo4YouWf1kH4p0mAETpu1w=
-github.com/pion/transport/v2 v2.2.2-0.20230801111619-41845b068b67 h1:PYVmNZmJN/Ide6jcp6IdoqsvjhQxmrUSjQaQxsY5ROQ=
-github.com/pion/transport/v2 v2.2.2-0.20230801111619-41845b068b67/go.mod h1:PpOb8shbrv07ogRHvGlPYfp0lYSCxtXJQa0orEfXvHg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=