Support post-quantum KYBER_LEVEL1 and P256_KYBER_LEVEL1 with FALCON_LEVEL1 in wolfMQTT.

README.md

@@ -292,3 +292,45 @@ Unsupported features:
 * Multiple gateway handling
 
 The SN client was tested using the Eclipse Paho MQTT-SN Gateway (https://github.com/eclipse/paho.mqtt-sn.embedded-c) running locally and on a separate network node. Instructions for building and running the gateway are in the project README.
+
+## Post-Quantum MQTT Support
+
+Recently the OpenQuantumSafe project has integrated their fork of OpenSSL with the mosquito MQTT broker. You can now build wolfMQTT with wolfSSL and liboqs and use that to publish to the mosquito MQTT broker. Currently, wolfMQTT supports the `KYBER_LEVEL1` and `P256_KYBER_LEVEL1` groups and FALCON_LEVEL1 for authentication in TLS 1.3. This works on Linux.
+
+### Getting Started with Post-Quantum Mosquito MQTT Broker and Subscriber
+
+To get started, you can use the code from the following github pull request:
+
+https://github.com/open-quantum-safe/oqs-demos/pull/143
+
+Follow all the instructions in README.md and USAGE.md. This allows you to create a docker image and a docker network. Then you will run a broker, a subscriber and a publisher. At the end the publisher will exit and the broker and subscriber will remain active. You will need to re-activate the publisher docker instance and get the following files onto your local machine:
+
+- /test/cert/CA.crt
+- /test/cert/publisher.crt
+- /test/cert/publisher.key
+
+NOTE: Do not stop the broker and the subscriber instances.
+
+### Building and Running Post-Quantum wolfMQTT Publisher
+
+Follow the instructions for obtaining and building liboqs and building wolfSSL in section 15 of the following document:
+
+https://github.com/wolfSSL/wolfssl/blob/master/INSTALL
+
+No special flags are required for building wolfMQTT. Simply do the following:
+
+```
+./autogen.sh (if obtained from github)
+./configure
+make all
+make check
+```
+
+Since the broker and subscriber are still running, you can use `mqttclient` to publish using post-quantum algorithms in TLS 1.3 by doing the following:
+
+```
+./examples/mqttclient/mqttclient -h 172.18.0.2 -t -A CA.crt -K publisher.key -c publisher.crt -m "Hello from post-quantum wolfMQTT!!" -n test/sensor1 -Q KYBER_LEVEL1
+```
+
+Congratulations! You have just published an MQTT message using TLS 1.3 with the `KYBER_LEVEL1` KEM and `FALCON_LEVEL1` signature scheme. To use the hybrid group, replace `KYBER_LEVEL1` with `P256_KYBER_LEVEL1`.
+

examples/firmware/fwpush.h

@@ -25,7 +25,7 @@
 #include "examples/mqttexample.h"
 
 #define FIRMWARE_PUSH_CLIENT_ID "WolfMQTTFwPush"
-#define FIRMWARE_PUSH_DEF_FILE  "README.md"
+#define FIRMWARE_PUSH_DEF_FILE  "examples/publish.dat"
 
 /* Structure to pass into the publish callback
  * using the publish->ctx pointer */

examples/include.am

@@ -157,6 +157,7 @@ DISTCLEANFILES+=   examples/mqttclient/.libs/mqttclient \
                    examples/sn-client/.libs/sn-multithread
 
 EXTRA_DIST+=       examples/mqttuart.c \
+                   examples/publish.dat \
                    examples/mqttclient/mqttclient.vcxproj \
                    examples/nbclient/nbclient.vcxproj \
                    examples/firmware/fwclient.vcxproj \

examples/mqttexample.c

@@ -43,10 +43,13 @@ static const char* mTlsCaFile;
 static const char* mTlsCertFile;
 static const char* mTlsKeyFile;
 #ifdef HAVE_SNI
-static int useSNI = 0;
+static int useSNI;
 static const char* mTlsSniHostName;
 #endif
+#ifdef HAVE_PQC
+static const char* mTlsPQAlg;
 #endif
+#endif /* ENABLE_MQTT_TLS */
 
 static int mygetopt(int argc, char** argv, const char* optstring)
 {
@@ -206,6 +209,9 @@ void mqtt_show_usage(MQTTCtx* mqttCtx)
 #ifdef HAVE_SNI
         PRINTF("-S <str>    Use Host Name Indication, blank defaults to host");
 #endif
+#ifdef HAVE_PQC
+        PRINTF("-Q <str>    Use Key Share with post-quantum algorithm");
+#endif
 #else
         PRINTF("-p <num>    Port to connect on, default: %d",
              MQTT_DEFAULT_PORT);
@@ -264,7 +270,7 @@ int mqtt_parse_args(MQTTCtx* mqttCtx, int argc, char** argv)
     int rc;
 
     #ifdef ENABLE_MQTT_TLS
-        #define MQTT_TLS_ARGS "c:A:K:S;"
+        #define MQTT_TLS_ARGS "c:A:K:S:Q;"
     #else
         #define MQTT_TLS_ARGS ""
     #endif
@@ -370,6 +376,13 @@ int mqtt_parse_args(MQTTCtx* mqttCtx, int argc, char** argv)
             PRINTF("To use '-S', enable SNI in wolfSSL");
         #endif
             break;
+        case 'Q':
+        #ifdef HAVE_PQC
+            mTlsPQAlg = myoptarg;
+        #else
+            PRINTF("To use '-Q', build wolfSSL with --with-liboqs");
+        #endif
+            break;
     #endif
 
     #ifdef WOLFMQTT_V5
@@ -616,16 +629,42 @@ int mqtt_tls_cb(MqttClient* client)
     #endif
     #endif /* !NO_FILESYSTEM */
 #endif /* !NO_CERT */
-    }
 #ifdef HAVE_SNI
-    if ((rc == WOLFSSL_SUCCESS) && (mTlsSniHostName != NULL)) {
-        rc = wolfSSL_CTX_UseSNI(client->tls.ctx, WOLFSSL_SNI_HOST_NAME,
-                mTlsSniHostName, (word16) XSTRLEN(mTlsSniHostName));
-        if (rc != WOLFSSL_SUCCESS) {
-            PRINTF("UseSNI failed");
+        if ((rc == WOLFSSL_SUCCESS) && (mTlsSniHostName != NULL)) {
+            rc = wolfSSL_CTX_UseSNI(client->tls.ctx, WOLFSSL_SNI_HOST_NAME,
+                    mTlsSniHostName, (word16) XSTRLEN(mTlsSniHostName));
+            if (rc != WOLFSSL_SUCCESS) {
+                PRINTF("UseSNI failed");
+            }
         }
-    }
 #endif /* HAVE_SNI */
+#ifdef HAVE_PQC
+        if ((rc == WOLFSSL_SUCCESS) && (mTlsPQAlg != NULL)) {
+            int group = 0;
+            if (XSTRCMP(mTlsPQAlg, "KYBER_LEVEL1") == 0) {
+                group = WOLFSSL_KYBER_LEVEL1;
+            } else if (XSTRCMP(mTlsPQAlg, "P256_KYBER_LEVEL1") == 0) {
+                group = WOLFSSL_P256_KYBER_LEVEL1;
+            } else {
+                PRINTF("Invalid post-quantum KEM specified");
+            }
+
+            if (group != 0) {
+                client->tls.ssl = wolfSSL_new(client->tls.ctx);
+                if (client->tls.ssl == NULL) {
+                    rc = WOLFSSL_FAILURE;
+                }
+
+                if (rc == WOLFSSL_SUCCESS) {
+                    rc = wolfSSL_UseKeyShare(client->tls.ssl, group);
+                    if (rc != WOLFSSL_SUCCESS) {
+                        PRINTF("Use key share failed");
+                    }
+                }
+            }
+        }
+#endif /* HAVE_PQC */
+    }
 
     PRINTF("MQTT TLS Setup (%d)", rc);