TUN-7970: Default to enable post quantum encryption for quic transport

2025-07-27 19:29:57 +00:00 · 2023-12-07 11:27:44 +00:00
parent 8068cdebb6
commit 4ddc8d758b
4 changed files with 22 additions and 184 deletions
--- a/supervisor/pqtunnels.go
+++ b/supervisor/pqtunnels.go
@@ -1,12 +1,8 @@
 package supervisor

 import (
-	"bytes"
 	"crypto/tls"
-	"encoding/json"
 	"fmt"
-	"net/http"
-	"sync"

 	"github.com/cloudflare/cloudflared/features"
 )
@@ -20,84 +16,6 @@ const (
 	PQKexName = "X25519Kyber768Draft00"
 )

-var (
-	pqtMux       sync.Mutex // protects pqtSubmitted and pqtWaitForMessage
-	pqtSubmitted bool       // whether an error has already been submitted
-
-	// Number of errors to ignore before printing elaborate instructions.
-	pqtWaitForMessage int
-)
-
-func handlePQTunnelError(rep error, config *TunnelConfig) {
-	needToMessage := false
-
-	pqtMux.Lock()
-	needToSubmit := !pqtSubmitted
-	if needToSubmit {
-		pqtSubmitted = true
-	}
-	pqtWaitForMessage--
-	if pqtWaitForMessage < 0 {
-		pqtWaitForMessage = 5
-		needToMessage = true
-	}
-	pqtMux.Unlock()
-
-	if needToMessage {
-		config.Log.Info().Msgf(
-			"\n\n" +
-				"===================================================================================\n" +
-				"You are hitting an error while using the experimental post-quantum tunnels feature.\n" +
-				"\n" +
-				"Please check:\n" +
-				"\n" +
-				"   https://pqtunnels.cloudflareresearch.com\n" +
-				"\n" +
-				"for known problems.\n" +
-				"===================================================================================\n\n",
-		)
-	}
-
-	if needToSubmit {
-		go submitPQTunnelError(rep, config)
-	}
-}
-
-func submitPQTunnelError(rep error, config *TunnelConfig) {
-	body, err := json.Marshal(struct {
-		Group   int    `json:"g"`
-		Message string `json:"m"`
-		Version string `json:"v"`
-	}{
-		Group:   int(PQKex),
-		Message: rep.Error(),
-		Version: config.ReportedVersion,
-	})
-	if err != nil {
-		config.Log.Err(err).Msg("Failed to create error report")
-		return
-	}
-
-	resp, err := http.Post(
-		"https://pqtunnels.cloudflareresearch.com",
-		"application/json",
-		bytes.NewBuffer(body),
-	)
-	if err != nil {
-		config.Log.Err(err).Msg(
-			"Failed to submit post-quantum tunnel error report",
-		)
-		return
-	}
-	if resp.StatusCode != 200 {
-		config.Log.Error().Msgf(
-			"Failed to submit post-quantum tunnel error report: status %d",
-			resp.StatusCode,
-		)
-	}
-	resp.Body.Close()
-}
-
 func curvePreference(pqMode features.PostQuantumMode, currentCurve []tls.CurveID) ([]tls.CurveID, error) {
 	switch pqMode {
 	case features.PostQuantumStrict:
@@ -113,15 +31,6 @@ func curvePreference(pqMode features.PostQuantumMode, currentCurve []tls.CurveID
 			return append([]tls.CurveID{PQKex}, currentCurve...), nil
 		}
 		return currentCurve, nil
-	case features.PostQuantumDisabled:
-		curvePref := currentCurve
-		// Remove PQ from curve preference
-		for i, curve := range currentCurve {
-			if curve == PQKex {
-				curvePref = append(curvePref[:i], curvePref[i+1:]...)
-			}
-		}
-		return curvePref, nil
 	default:
 		return nil, fmt.Errorf("Unexpected post quantum mode")
 	}
--- a/supervisor/tunnel.go
+++ b/supervisor/tunnel.go
@@ -616,10 +616,6 @@ func (e *EdgeTunnelServer) serveQUIC(
 		e.config.UDPUnregisterSessionTimeout,
 	)
 	if err != nil {
-		if pqMode == features.PostQuantumStrict || pqMode == features.PostQuantumPrefer {
-			handlePQTunnelError(err, e.config)
-		}
-
 		connLogger.ConnAwareLogger().Err(err).Msgf("Failed to create new quic connection")
 		return err, true
 	}