From 8220ef1ae99c3c5911dff6253992385a88031585 Mon Sep 17 00:00:00 2001
From: Marco Munizaga
Date: Thu, 13 Jul 2023 11:50:00 -0700
Subject: [PATCH] webtransport: return an error when listening on a multiaddr with a certhash
---
 p2p/transport/webtransport/transport.go | 5 ++++-
 p2p/transport/webtransport/transport_test.go | 9 ++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/p2p/transport/webtransport/transport.go b/p2p/transport/webtransport/transport.go
index 2b2c3e709f..957d2ff1c1 100644
--- a/p2p/transport/webtransport/transport.go
+++ b/p2p/transport/webtransport/transport.go
@@ -295,10 +295,13 @@ func (t *transport) CanDial(addr ma.Multiaddr) bool {
 }
 
 func (t *transport) Listen(laddr ma.Multiaddr) (tpt.Listener, error) {
- isWebTransport, _ := IsWebtransportMultiaddr(laddr)
+ isWebTransport, certhashCount := IsWebtransportMultiaddr(laddr)
 if !isWebTransport {
 return nil, fmt.Errorf("cannot listen on non-WebTransport addr: %s", laddr)
 }
+ if certhashCount > 0 {
+ return nil, fmt.Errorf("cannot listen on a specific certhash non-WebTransport addr: %s", laddr)
+ }
 if t.staticTLSConf == nil {
 t.listenOnce.Do(func() {
 t.certManager, t.listenOnceErr = newCertManager(t.privKey, t.clock)
diff --git a/p2p/transport/webtransport/transport_test.go b/p2p/transport/webtransport/transport_test.go
index 56c381ccc1..749d12f1a0 100644
--- a/p2p/transport/webtransport/transport_test.go
+++ b/p2p/transport/webtransport/transport_test.go
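Review bot: The new error text in `Listen` calls the address a "specific certhash non-WebTransport addr", but this branch is only reached once `isWebTransport` is true, so the message contradicts the check just above it and will mislead anyone reading it in a log. Reword it, for example `return nil, fmt.Errorf("cannot listen on a WebTransport addr with a certhash: %s", laddr)`. A one-line comment above the guard would also help, such as `// certhashes are derived from the listener's own certificates, so a caller-supplied one cannot be honoured`; that rationale is inferred from the `newCertManager` call below, so confirm it also holds when `staticTLSConf` is set. `Listen` continues past the end of the hunk.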
@@ -220,14 +220,13 @@ func TestCanDial(t *testing.T) {
 func TestListenAddrValidity(t *testing.T) {
 valid := []ma.Multiaddr{
 ma.StringCast("/ip6/::/udp/0/quic-v1/webtransport/"),
- ma.StringCast("/ip4/127.0.0.1/udp/11234/quic-v1/webtransport/"),
 }
 
 invalid := []ma.Multiaddr{
- ma.StringCast("/ip4/127.0.0.1/udp/11234"), // missing webtransport
- ma.StringCast("/ip4/127.0.0.1/udp/11234/webtransport"), // missing quic
- ma.StringCast("/ip4/127.0.0.1/tcp/11234/webtransport"), // WebTransport over TCP? Is this a joke?
- ma.StringCast("/ip4/127.0.0.1/udp/11234/quic-v1/webtransport/certhash/" + randomMultihash(t)), // We can't listen on a specific certhash
+ ma.StringCast("/ip4/127.0.0.1/udp/0"), // missing webtransport
+ ma.StringCast("/ip4/127.0.0.1/udp/0/webtransport"), // missing quic
+ ma.StringCast("/ip4/127.0.0.1/tcp/0/webtransport"), // WebTransport over TCP? Is this a joke?
+ ma.StringCast("/ip4/127.0.0.1/udp/0/quic-v1/webtransport/certhash/" + randomMultihash(t)), // We can't listen on a specific certhash
 }
 
 _, key := newIdentity(t)
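Review bot: After this change `valid` holds only `/ip6/::/udp/0/quic-v1/webtransport/`, so the accept path is no longer exercised over IPv4 and the test presumably depends on IPv6 being available on the runner. Rather than dropping the IPv4 entry, keep it on an ephemeral port like the rewritten `invalid` entries: `ma.StringCast("/ip4/127.0.0.1/udp/0/quic-v1/webtransport/"),`. The body of `TestListenAddrValidity` continues outside the hunk, so how the two lists are consumed is not visible here.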