Add protocol version param to HelloVerifyRequest and update DTLS handling

TianMengLucky · TianMengLucky · commit 6da607b4223a · 2025-06-15T22:05:59.000+08:00
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -1,6 +1,6 @@
 <Project>
     <PropertyGroup>
-        <TargetFrameworks>net9.0;net6.0</TargetFrameworks>
+        <TargetFrameworks>net9.0;net8.0</TargetFrameworks>
         <LangVersion>latest</LangVersion>
         <Authors>Impostor,Next-Fast</Authors>
         <PackageLicenseExpression>MIT</PackageLicenseExpression>
diff --git a/Next.Hazel/Dtls/DtlsConnectionListener.cs b/Next.Hazel/Dtls/DtlsConnectionListener.cs
@@ -764,7 +764,7 @@ private async ValueTask<bool> HandleClientHello(PeerData peer, IPEndPoint peerAd
         }
 
         // Find an acceptable cipher suite we can use
-        var selectedCipherSuite = CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
+        const CipherSuite selectedCipherSuite = CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
         if (!clientHello.ContainsCipherSuite(CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) ||
             !clientHello.ContainsCurve(NamedCurve.x25519))
         {
@@ -787,7 +787,7 @@ private async ValueTask<bool> HandleClientHello(PeerData peer, IPEndPoint peerAd
                     recordProtection = peer.CurrentEpoch.RecordProtection;
                 }
 
-                await SendHelloVerifyRequest(peerAddress, outgoingSequence, record.Epoch, recordProtection);
+                await SendHelloVerifyRequest(peerAddress, outgoingSequence, record.Epoch, recordProtection, peer.ProtocolVersion);
                 return true;
             }
 
@@ -1132,7 +1132,7 @@ private async ValueTask HandleNonPeerRecord(ByteSpan message, IPEndPoint peerAdd
         if (!HelloVerifyRequest.VerifyCookie(clientHello.Cookie, peerAddress, currentCookieHmac))
             if (!HelloVerifyRequest.VerifyCookie(clientHello.Cookie, peerAddress, previousCookieHmac))
             {
-                await SendHelloVerifyRequest(peerAddress, 1, 0, NullRecordProtection.Instance);
+                await SendHelloVerifyRequest(peerAddress, 1, 0, NullRecordProtection.Instance, clientHello.ClientProtocolVersion);
                 return;
             }
 
@@ -1151,7 +1151,7 @@ private async ValueTask HandleNonPeerRecord(ByteSpan message, IPEndPoint peerAdd
 
     //Send a HelloVerifyRequest handshake message to a peer
     private ValueTask SendHelloVerifyRequest(IPEndPoint peerAddress, ulong recordSequence, ushort epoch,
-        IRecordProtection recordProtection)
+        IRecordProtection recordProtection, ProtocolVersion protocolVersion)
     {
         // Do we need to rotate the HMAC key?
         var now = DateTime.UtcNow;
@@ -1177,6 +1177,7 @@ private ValueTask SendHelloVerifyRequest(IPEndPoint peerAddress, ulong recordSeq
         var record = new Record
         {
             ContentType = ContentType.Handshake,
+            ProtocolVersion = protocolVersion,
             Epoch = epoch,
             SequenceNumber = recordSequence,
             Length = (ushort)recordProtection.GetEncryptedSize(plaintextPayloadSize)
@@ -1189,7 +1190,7 @@ private ValueTask SendHelloVerifyRequest(IPEndPoint peerAddress, ulong recordSeq
         writer = writer[Record.Size..];
         handshake.Encode(writer);
         writer = writer[Handshake.Handshake.Size..];
-        HelloVerifyRequest.Encode(writer, peerAddress, currentCookieHmac);
+        HelloVerifyRequest.Encode(writer, peerAddress, currentCookieHmac, protocolVersion);
 
         // Protect record payload
         recordProtection.EncryptServerPlaintext(
diff --git a/Next.Hazel/Dtls/Handshake/HelloVerifyRequest.cs b/Next.Hazel/Dtls/Handshake/HelloVerifyRequest.cs
@@ -53,11 +53,12 @@ public static bool Parse(out HelloVerifyRequest result, ProtocolVersion? expecte
     /// <param name="span"></param>
     /// <param name="peerAddress">Address of the remote peer</param>
     /// <param name="hmac">Listener HMAC signature provider</param>
-    public static void Encode(ByteSpan span, EndPoint peerAddress, HMAC hmac)
+    /// <param name="protocolVersion"></param>
+    public static void Encode(ByteSpan span, EndPoint peerAddress, HMAC hmac, ProtocolVersion protocolVersion)
     {
         var cookie = ComputeAddressMac(peerAddress, hmac);
 
-        span.WriteBigEndian16((ushort)ProtocolVersion.DTLS1_2);
+        span.WriteBigEndian16((ushort)protocolVersion);
         span[2] = CookieSize;
         cookie.CopyTo(span[3..]);
     }
diff --git a/Next.Hazel/Dtls/Record.cs b/Next.Hazel/Dtls/Record.cs
@@ -93,9 +93,7 @@ public static bool Parse(ByteSpan span)
         if (span.Length != 1) return false;
 
         var value = (Value)span[0];
-        if (value != Value.ChangeCipherSpec) return false;
-
-        return true;
+        return value == Value.ChangeCipherSpec;
     }
 
     /// <summary>
diff --git a/Next.Hazel/Extensions/DefaultMessageWriterProvider.cs b/Next.Hazel/Extensions/DefaultMessageWriterProvider.cs
@@ -0,0 +1,11 @@
+using Next.Hazel.Abstractions;
+
+namespace Next.Hazel.Extensions;
+
+public class DefaultMessageWriterProvider : IMessageWriterProvider
+{
+    public IMessageWriter Get(MessageType sendOption = MessageType.Unreliable)
+    {
+        return MessageWriter.Get(sendOption);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -764,7 +764,7 @@ private async ValueTask<bool> HandleClientHello(PeerData peer, IPEndPoint peerAd`
`764`	`764`	`}`
`765`	`765`
`766`	`766`	`// Find an acceptable cipher suite we can use`
`767`		`- var selectedCipherSuite = CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;`
	`767`	`+ const CipherSuite selectedCipherSuite = CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;`
`768`	`768`	`if (!clientHello.ContainsCipherSuite(CipherSuite.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) \|\|`
`769`	`769`	`!clientHello.ContainsCurve(NamedCurve.x25519))`
`770`	`770`	`{`
`@@ -787,7 +787,7 @@ private async ValueTask<bool> HandleClientHello(PeerData peer, IPEndPoint peerAd`
`787`	`787`	`recordProtection = peer.CurrentEpoch.RecordProtection;`
`788`	`788`	`}`
`789`	`789`
`790`		`- await SendHelloVerifyRequest(peerAddress, outgoingSequence, record.Epoch, recordProtection);`
	`790`	`+ await SendHelloVerifyRequest(peerAddress, outgoingSequence, record.Epoch, recordProtection, peer.ProtocolVersion);`
`791`	`791`	`return true;`
`792`	`792`	`}`
`793`	`793`
`@@ -1132,7 +1132,7 @@ private async ValueTask HandleNonPeerRecord(ByteSpan message, IPEndPoint peerAdd`
`1132`	`1132`	`if (!HelloVerifyRequest.VerifyCookie(clientHello.Cookie, peerAddress, currentCookieHmac))`
`1133`	`1133`	`if (!HelloVerifyRequest.VerifyCookie(clientHello.Cookie, peerAddress, previousCookieHmac))`
`1134`	`1134`	`{`
`1135`		`- await SendHelloVerifyRequest(peerAddress, 1, 0, NullRecordProtection.Instance);`
	`1135`	`+ await SendHelloVerifyRequest(peerAddress, 1, 0, NullRecordProtection.Instance, clientHello.ClientProtocolVersion);`
`1136`	`1136`	`return;`
`1137`	`1137`	`}`
`1138`	`1138`
`@@ -1151,7 +1151,7 @@ private async ValueTask HandleNonPeerRecord(ByteSpan message, IPEndPoint peerAdd`
`1151`	`1151`
`1152`	`1152`	`//Send a HelloVerifyRequest handshake message to a peer`
`1153`	`1153`	`private ValueTask SendHelloVerifyRequest(IPEndPoint peerAddress, ulong recordSequence, ushort epoch,`
`1154`		`- IRecordProtection recordProtection)`
	`1154`	`+ IRecordProtection recordProtection, ProtocolVersion protocolVersion)`
`1155`	`1155`	`{`
`1156`	`1156`	`// Do we need to rotate the HMAC key?`
`1157`	`1157`	`var now = DateTime.UtcNow;`
`@@ -1177,6 +1177,7 @@ private ValueTask SendHelloVerifyRequest(IPEndPoint peerAddress, ulong recordSeq`
`1177`	`1177`	`var record = new Record`
`1178`	`1178`	`{`
`1179`	`1179`	`ContentType = ContentType.Handshake,`
	`1180`	`+ ProtocolVersion = protocolVersion,`
`1180`	`1181`	`Epoch = epoch,`
`1181`	`1182`	`SequenceNumber = recordSequence,`
`1182`	`1183`	`Length = (ushort)recordProtection.GetEncryptedSize(plaintextPayloadSize)`
`@@ -1189,7 +1190,7 @@ private ValueTask SendHelloVerifyRequest(IPEndPoint peerAddress, ulong recordSeq`
`1189`	`1190`	`writer = writer[Record.Size..];`
`1190`	`1191`	`handshake.Encode(writer);`
`1191`	`1192`	`writer = writer[Handshake.Handshake.Size..];`
`1192`		`- HelloVerifyRequest.Encode(writer, peerAddress, currentCookieHmac);`
	`1193`	`+ HelloVerifyRequest.Encode(writer, peerAddress, currentCookieHmac, protocolVersion);`
`1193`	`1194`
`1194`	`1195`	`// Protect record payload`
`1195`	`1196`	`recordProtection.EncryptServerPlaintext(`
Original file line number	Diff line number	Diff line change
`@@ -53,11 +53,12 @@ public static bool Parse(out HelloVerifyRequest result, ProtocolVersion? expecte`
`53`	`53`	`/// <param name="span"></param>`
`54`	`54`	`/// <param name="peerAddress">Address of the remote peer</param>`
`55`	`55`	`/// <param name="hmac">Listener HMAC signature provider</param>`
`56`		`- public static void Encode(ByteSpan span, EndPoint peerAddress, HMAC hmac)`
	`56`	`+ /// <param name="protocolVersion"></param>`
	`57`	`+ public static void Encode(ByteSpan span, EndPoint peerAddress, HMAC hmac, ProtocolVersion protocolVersion)`
`57`	`58`	`{`
`58`	`59`	`var cookie = ComputeAddressMac(peerAddress, hmac);`
`59`	`60`
`60`		`- span.WriteBigEndian16((ushort)ProtocolVersion.DTLS1_2);`
	`61`	`+ span.WriteBigEndian16((ushort)protocolVersion);`
`61`	`62`	`span[2] = CookieSize;`
`62`	`63`	`cookie.CopyTo(span[3..]);`
`63`	`64`	`}`
Original file line number	Diff line number	Diff line change
`@@ -93,9 +93,7 @@ public static bool Parse(ByteSpan span)`
`93`	`93`	`if (span.Length != 1) return false;`
`94`	`94`
`95`	`95`	`var value = (Value)span[0];`
`96`		`- if (value != Value.ChangeCipherSpec) return false;`
`97`		`-`
`98`		`- return true;`
	`96`	`+ return value == Value.ChangeCipherSpec;`
`99`	`97`	`}`
`100`	`98`
`101`	`99`	`/// <summary>`