RTG-1339 Support post-quantum hybrid key exchange

Func spec: https://wiki.cfops.it/x/ZcBKHw

supervisor/pqtunnels.go

@@ -0,0 +1,100 @@
+package supervisor
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/json"
+	"net/http"
+	"sync"
+)
+
+// When experimental post-quantum tunnels are enabled, and we're hitting an
+// issue creating the tunnel, we'll report the first error
+// to https://pqtunnels.cloudflareresearch.com.
+
+var (
+	PQKexes = [...]tls.CurveID{
+		tls.CurveID(0xfe30), // X25519Kyber512Draft00
+		tls.CurveID(0xfe31), // X25519Kyber768Draft00
+	}
+	PQKexNames map[tls.CurveID]string = map[tls.CurveID]string{
+		tls.CurveID(0xfe30): "X25519Kyber512Draft00",
+		tls.CurveID(0xfe31): "X25519Kyber768Draft00",
+	}
+
+	pqtMux       sync.Mutex // protects pqtSubmitted and pqtWaitForMessage
+	pqtSubmitted bool       // whether an error has already been submitted
+
+	// Number of errors to ignore before printing elaborate instructions.
+	pqtWaitForMessage int
+)
+
+func handlePQTunnelError(rep error, config *TunnelConfig) {
+	needToMessage := false
+
+	pqtMux.Lock()
+	needToSubmit := !pqtSubmitted
+	if needToSubmit {
+		pqtSubmitted = true
+	}
+	pqtWaitForMessage--
+	if pqtWaitForMessage < 0 {
+		pqtWaitForMessage = 5
+		needToMessage = true
+	}
+	pqtMux.Unlock()
+
+	if needToMessage {
+		config.Log.Info().Msgf(
+			"\n\n" +
+				"===================================================================================\n" +
+				"You are hitting an error while using the experimental post-quantum tunnels feature.\n" +
+				"\n" +
+				"Please check:\n" +
+				"\n" +
+				"   https://pqtunnels.cloudflareresearch.com\n" +
+				"\n" +
+				"for known problems.\n" +
+				"===================================================================================\n\n",
+		)
+	}
+
+	if needToSubmit {
+		go submitPQTunnelError(rep, config)
+	}
+}
+
+func submitPQTunnelError(rep error, config *TunnelConfig) {
+	body, err := json.Marshal(struct {
+		Group   int    `json:"g"`
+		Message string `json:"m"`
+		Version string `json:"v"`
+	}{
+		Group:   int(PQKexes[config.PQKexIdx]),
+		Message: rep.Error(),
+		Version: config.ReportedVersion,
+	})
+	if err != nil {
+		config.Log.Err(err).Msg("Failed to create error report")
+		return
+	}
+
+	resp, err := http.Post(
+		"https://pqtunnels.cloudflareresearch.com",
+		"application/json",
+		bytes.NewBuffer(body),
+	)
+	if err != nil {
+		config.Log.Err(err).Msg(
+			"Failed to submit post-quantum tunnel error report",
+		)
+		return
+	}
+	if resp.StatusCode != 200 {
+		config.Log.Error().Msgf(
+			"Failed to submit post-quantum tunnel error report: status %d",
+			resp.StatusCode,
+		)
+	}
+	resp.Body.Close()
+}

supervisor/tunnel.go

@@ -36,6 +36,7 @@ const (
 	FeatureQuickReconnects   = "quick_reconnects"
 	FeatureAllowRemoteConfig = "allow_remote_config"
 	FeatureDatagramV2        = "support_datagram_v2"
+	FeaturePostQuantum       = "postquantum"
 )
 
 type TunnelConfig struct {
@@ -59,6 +60,11 @@ type TunnelConfig struct {
 	Retries         uint
 	RunFromTerminal bool
 
+	NeedPQ bool
+
+	// Index into PQKexes of post-quantum kex to use if NeedPQ is set.
+	PQKexIdx int
+
 	NamedTunnel      *connection.NamedTunnelProperties
 	ClassicTunnel    *connection.ClassicTunnelProperties
 	MuxerConfig      *connection.MuxerConfig
@@ -524,6 +530,9 @@ func (e *EdgeTunnelServer) serveH2mux(
 	connIndex uint8,
 	connectedFuse *connectedFuse,
 ) error {
+	if e.config.NeedPQ {
+		return unrecoverableError{errors.New("H2Mux transport does not support post-quantum")}
+	}
 	connLog.Logger().Debug().Msgf("Connecting via h2mux")
 	// Returns error from parsing the origin URL or handshake errors
 	handler, err, recoverable := connection.NewH2muxConnection(
@@ -575,6 +584,10 @@ func (e *EdgeTunnelServer) serveHTTP2(
 	controlStreamHandler connection.ControlStreamHandler,
 	connIndex uint8,
 ) error {
+	if e.config.NeedPQ {
+		return unrecoverableError{errors.New("HTTP/2 transport does not support post-quantum")}
+	}
+
 	connLog.Logger().Debug().Msgf("Connecting via http2")
 	h2conn := connection.NewHTTP2Connection(
 		tlsServerConn,
@@ -613,6 +626,22 @@ func (e *EdgeTunnelServer) serveQUIC(
 	connIndex uint8,
 ) (err error, recoverable bool) {
 	tlsConfig := e.config.EdgeTLSConfigs[connection.QUIC]
+
+	if e.config.NeedPQ {
+		// If the user passes the -post-quantum flag, we override
+		// CurvePreferences to only support hybrid post-quantum key agreements.
+		cs := make([]tls.CurveID, len(PQKexes))
+		copy(cs, PQKexes[:])
+
+		// It is unclear whether Kyber512 or Kyber768 will become the standard.
+		// Kyber768 is a bit bigger (and doesn't fit in one initial
+		// datagram anymore). We're enabling both, but pick randomly which
+		// one to put first. (TLS will use the first one in the list
+		// and allows a fallback to the second.)
+		cs[0], cs[e.config.PQKexIdx] = cs[e.config.PQKexIdx], cs[0]
+		tlsConfig.CurvePreferences = cs
+	}
+
 	quicConfig := &quic.Config{
 		HandshakeIdleTimeout:  quicpogs.HandshakeIdleTimeout,
 		MaxIdleTimeout:        quicpogs.MaxIdleTimeout,
@@ -634,6 +663,10 @@ func (e *EdgeTunnelServer) serveQUIC(
 		connLogger.Logger(),
 		e.icmpProxy)
 	if err != nil {
+		if e.config.NeedPQ {
+			handlePQTunnelError(err, e.config)
+		}
+
 		connLogger.ConnAwareLogger().Err(err).Msgf("Failed to create new quic connection")
 		return err, true
 	}

supervisor/tunnel_test.go

@@ -44,6 +44,7 @@ func TestWaitForBackoffFallback(t *testing.T) {
 		mockFetcher.fetch(),
 		resolveTTL,
 		&log,
+		false,
 	)
 	assert.NoError(t, err)
 
@@ -104,6 +105,7 @@ func TestWaitForBackoffFallback(t *testing.T) {
 		mockFetcher.fetch(),
 		resolveTTL,
 		&log,
+		false,
 	)
 	assert.NoError(t, err)
 	protoFallback = &protocolFallback{backoff, protocolSelector.Current(), false}