TUN-7707: Use X25519Kyber768Draft00 curve when post-quantum feature is enabled

This commit is contained in:
Chung-Ting Huang 2023-08-22 15:47:33 +01:00
parent f2d765351d
commit 38d3c3cae5
4 changed files with 39 additions and 29 deletions

View File

@ -3,7 +3,6 @@ package tunnel
import (
"crypto/tls"
"fmt"
mathRand "math/rand"
"net"
"net/netip"
"os"
@ -203,12 +202,10 @@ func prepareTunnelConfig(
log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
}
var pqKexIdx int
if needPQ {
pqKexIdx = mathRand.Intn(len(supervisor.PQKexes))
log.Info().Msgf(
"Using experimental hybrid post-quantum key agreement %s",
supervisor.PQKexNames[supervisor.PQKexes[pqKexIdx]],
"Using hybrid post-quantum key agreement %s",
supervisor.PQKexName,
)
}
@ -237,7 +234,6 @@ func prepareTunnelConfig(
ProtocolSelector: protocolSelector,
EdgeTLSConfigs: edgeTLSConfigs,
NeedPQ: needPQ,
PQKexIdx: pqKexIdx,
MaxEdgeAddrRetries: uint8(c.Int("max-edge-addr-retries")),
UDPUnregisterSessionTimeout: c.Duration(udpUnregisterSessionTimeoutFlag),
DisableQUICPathMTUDiscovery: c.Bool(quicDisablePathMTUDiscovery),

View File

@ -12,16 +12,12 @@ import (
// issue creating the tunnel, we'll report the first error
// to https://pqtunnels.cloudflareresearch.com.
var (
PQKexes = [...]tls.CurveID{
tls.CurveID(0xfe30), // X25519Kyber512Draft00
tls.CurveID(0xfe31), // X25519Kyber768Draft00
}
PQKexNames map[tls.CurveID]string = map[tls.CurveID]string{
tls.CurveID(0xfe30): "X25519Kyber512Draft00",
tls.CurveID(0xfe31): "X25519Kyber768Draft00",
}
const (
PQKex = tls.CurveID(0xfe31) // X25519Kyber768Draft00
PQKexName = "X25519Kyber768Draft00"
)
var (
pqtMux sync.Mutex // protects pqtSubmitted and pqtWaitForMessage
pqtSubmitted bool // whether an error has already been submitted
@ -70,7 +66,7 @@ func submitPQTunnelError(rep error, config *TunnelConfig) {
Message string `json:"m"`
Version string `json:"v"`
}{
Group: int(PQKexes[config.PQKexIdx]),
Group: int(PQKex),
Message: rep.Error(),
Version: config.ReportedVersion,
})

View File

@ -2,6 +2,7 @@ package supervisor
import (
"context"
"crypto/tls"
"errors"
"net"
"strings"
@ -10,6 +11,8 @@ import (
"github.com/quic-go/quic-go"
"github.com/rs/zerolog"
qtls120 "github.com/quic-go/qtls-go1-20"
"github.com/cloudflare/cloudflared/connection"
"github.com/cloudflare/cloudflared/edgediscovery"
"github.com/cloudflare/cloudflared/orchestration"
@ -78,6 +81,8 @@ func NewSupervisor(config *TunnelConfig, orchestrator *orchestration.Orchestrato
reconnectCredentialManager := newReconnectCredentialManager(connection.MetricsNamespace, connection.TunnelSubsystem, config.HAConnections)
registerTLSEventLogger(config.Log)
tracker := tunnelstate.NewConnTracker(config.Log)
log := NewConnAwareLogger(config.Log, tracker, config.Observer)
@ -336,3 +341,26 @@ func (s *Supervisor) waitForNextTunnel(index int) bool {
func (s *Supervisor) unusedIPs() bool {
return s.edgeIPs.AvailableAddrs() > s.config.HAConnections
}
func registerTLSEventLogger(logger *zerolog.Logger) {
qtls120.SetCFEventHandler(func(ev qtls120.CFEvent) {
logger.Debug().Bool("handshake", ev.IsHandshake()).Str("handshake_duration", ev.Duration().String()).Str("curve", tlsCurveName(ev.KEX())).Msg("QUIC TLS event")
})
}
func tlsCurveName(curve tls.CurveID) string {
switch curve {
case tls.CurveP256:
return "p256"
case tls.CurveP384:
return "p384"
case tls.CurveP521:
return "p521"
case tls.X25519:
return "X25519"
case PQKex:
return PQKexName
default:
return "unknown"
}
}

View File

@ -61,9 +61,6 @@ type TunnelConfig struct {
NeedPQ bool
// Index into PQKexes of post-quantum kex to use if NeedPQ is set.
PQKexIdx int
NamedTunnel *connection.NamedTunnelProperties
ProtocolSelector connection.ProtocolSelector
EdgeTLSConfigs map[connection.Protocol]*tls.Config
@ -585,16 +582,9 @@ func (e *EdgeTunnelServer) serveQUIC(
if e.config.NeedPQ {
// If the user passes the -post-quantum flag, we override
// CurvePreferences to only support hybrid post-quantum key agreements.
cs := make([]tls.CurveID, len(PQKexes))
copy(cs, PQKexes[:])
// It is unclear whether Kyber512 or Kyber768 will become the standard.
// Kyber768 is a bit bigger (and doesn't fit in one initial
// datagram anymore). We're enabling both, but pick randomly which
// one to put first. (TLS will use the first one in the list
// and allows a fallback to the second.)
cs[0], cs[e.config.PQKexIdx] = cs[e.config.PQKexIdx], cs[0]
tlsConfig.CurvePreferences = cs
tlsConfig.CurvePreferences = []tls.CurveID{
PQKex,
}
}
quicConfig := &quic.Config{