chore(snownet): check remote key and creds on connection upsert (#9902)

2026-01-27 18:18:55 +00:00 · 2025-07-18 18:43:34 +10:00
parent c8760d87ae
commit 93ca701896
2 changed files with 9 additions and 2 deletions
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -951,7 +951,7 @@ dependencies = [
 [[package]]
 name = "boringtun"
 version = "0.6.1"
-source = "git+https://github.com/firezone/boringtun?branch=master#3d5df9c2a6f55424e02671374f835cc7db1d7a44"
+source = "git+https://github.com/firezone/boringtun?branch=master#b9f2d4bad50a5d3ea9bbb6e7c67809158fcf4118"
 dependencies = [
 "aead",
 "base64 0.22.1",
@@ -6944,7 +6944,7 @@ checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 [[package]]
 name = "str0m"
 version = "0.9.0"
-source = "git+https://github.com/algesten/str0m?branch=main#3d6e3d2f2745c9e8c561603b99c034c9bab7670f"
+source = "git+https://github.com/algesten/str0m?branch=main#214fcd2f2064046efb4194f33a40085fb9e86ac6"
 dependencies = [
 "combine",
 "crc",
--- a/rust/connlib/snownet/src/node.rs
+++ b/rust/connlib/snownet/src/node.rs
@@ -248,8 +248,15 @@ where
            return Ok(());
        }

+        // Compare the ICE credentials and public key.
+        // Technically, just comparing the ICE credentials should be enough because the portal computes them deterministically based on Client/Gateway ID and their public keys.
+        // But better be safe than sorry.
        if let Some(c) = self.connections.get_established_mut(&cid)
            && c.agent.local_credentials() == &local_creds
+            && c.agent
+                .remote_credentials()
+                .is_some_and(|c| c == &remote_creds)
+            && c.tunnel.remote_static_public() == remote
        {
            c.state.on_upsert(&mut c.agent, now);