From 93ca701896c1a5cccf318ae18820a7ff751bd94e Mon Sep 17 00:00:00 2001
From: Thomas Eizinger
Date: Fri, 18 Jul 2025 18:43:34 +1000
Subject: [PATCH] chore(snownet): check remote key and creds on connection upsert (#9902)
---
 rust/Cargo.lock | 4 ++--
 rust/connlib/snownet/src/node.rs | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/rust/Cargo.lock b/rust/Cargo.lock
index 41c826f0a..ece050301 100644
--- a/rust/Cargo.lock
+++ b/rust/Cargo.lock
@@ -951,7 +951,7 @@ dependencies = [
 [[package]]
 name = "boringtun"
 version = "0.6.1"
-source = "git+https://github.com/firezone/boringtun?branch=master#3d5df9c2a6f55424e02671374f835cc7db1d7a44"
+source = "git+https://github.com/firezone/boringtun?branch=master#b9f2d4bad50a5d3ea9bbb6e7c67809158fcf4118"
 dependencies = [
 "aead",
 "base64 0.22.1",
@@ -6944,7 +6944,7 @@ checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
 [[package]]
 name = "str0m"
 version = "0.9.0"
-source = "git+https://github.com/algesten/str0m?branch=main#3d6e3d2f2745c9e8c561603b99c034c9bab7670f"
+source = "git+https://github.com/algesten/str0m?branch=main#214fcd2f2064046efb4194f33a40085fb9e86ac6"
 dependencies = [
 "combine",
 "crc",
diff --git a/rust/connlib/snownet/src/node.rs b/rust/connlib/snownet/src/node.rs
index 00d0aa45f..f9afda371 100644
--- a/rust/connlib/snownet/src/node.rs
+++ b/rust/connlib/snownet/src/node.rs
@@ -248,8 +248,15 @@ where
 return Ok(());
 }
+ // Compare the ICE credentials and public key.
+ // Technically, just comparing the ICE credentials should be enough because the portal computes them deterministically based on Client/Gateway ID and their public keys.
+ // But better be safe than sorry.
 if let Some(c) = self.connections.get_established_mut(&cid)
 && c.agent.local_credentials() == &local_creds
+ && c.agent
+ .remote_credentials()
+ .is_some_and(|c| c == &remote_creds)
+ && c.tunnel.remote_static_public() == remote
 {
 c.state.on_upsert(&mut c.agent, now);
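Review bot: In the added condition `.is_some_and(|c| c == &remote_creds)` the closure parameter `c` shadows the connection `c` bound by `if let Some(c)` a few lines above, so one name means two different things inside the check that decides whether an established connection is reused. Naming it for what it holds, `.is_some_and(|creds| creds == &remote_creds)`, keeps the comparison unambiguous for later readers. The new comment explains why both the credentials and the public key are compared, but not what a mismatch leads to. A sentence such as `// On any mismatch we fall through and do not reuse the established connection.` would help, if that is what the code after this `if` does. The enclosing function starts and ends outside the hunk, so that cannot be confirmed from here.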