TUN-7707: Use X25519Kyber768Draft00 curve when post-quantum feature is enabled

2025-07-27 15:49:58 +00:00 · 2023-08-22 15:47:33 +01:00
parent f2d765351d
commit 38d3c3cae5
4 changed files with 39 additions and 29 deletions
--- a/supervisor/supervisor.go
+++ b/supervisor/supervisor.go
@@ -2,6 +2,7 @@ package supervisor

 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"net"
 	"strings"
@@ -10,6 +11,8 @@ import (
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"

+	qtls120 "github.com/quic-go/qtls-go1-20"
+
 	"github.com/cloudflare/cloudflared/connection"
 	"github.com/cloudflare/cloudflared/edgediscovery"
 	"github.com/cloudflare/cloudflared/orchestration"
@@ -78,6 +81,8 @@ func NewSupervisor(config *TunnelConfig, orchestrator *orchestration.Orchestrato

 	reconnectCredentialManager := newReconnectCredentialManager(connection.MetricsNamespace, connection.TunnelSubsystem, config.HAConnections)

+	registerTLSEventLogger(config.Log)
+
 	tracker := tunnelstate.NewConnTracker(config.Log)
 	log := NewConnAwareLogger(config.Log, tracker, config.Observer)

@@ -336,3 +341,26 @@ func (s *Supervisor) waitForNextTunnel(index int) bool {
 func (s *Supervisor) unusedIPs() bool {
 	return s.edgeIPs.AvailableAddrs() > s.config.HAConnections
 }
+
+func registerTLSEventLogger(logger *zerolog.Logger) {
+	qtls120.SetCFEventHandler(func(ev qtls120.CFEvent) {
+		logger.Debug().Bool("handshake", ev.IsHandshake()).Str("handshake_duration", ev.Duration().String()).Str("curve", tlsCurveName(ev.KEX())).Msg("QUIC TLS event")
+	})
+}
+
+func tlsCurveName(curve tls.CurveID) string {
+	switch curve {
+	case tls.CurveP256:
+		return "p256"
+	case tls.CurveP384:
+		return "p384"
+	case tls.CurveP521:
+		return "p521"
+	case tls.X25519:
+		return "X25519"
+	case PQKex:
+		return PQKexName
+	default:
+		return "unknown"
+	}
+}