feat(wpa_supplicant): Add TLS v1.3 support for WiFi enterprise

* Add TLS v1.3 support for following EAP methods:
  - EAP-TLS  (RFC 9190)
  - EAP-PEAP (RFC 9427)
  - EAP-TTLS (RFC 9427)
* Add mbedtls porting for TLS v1.3 exporter (RFC 8446 Section 7.5)
* Add new Kconfig flag to enable TLS v1.3 for EAP methods
* Advertise TLS v1.3 signature algorithms if TLS 1.3 is enabled for EAP
  methods
* Advertise TLS v1.3 cipher suites if CONFIG_ESP_WIFI_EAP_TLS1_3 enabled
* Add support to Ack protected success indication
  (workaround for EAP-TLS 1.3 and 1.2 compatibilty)

components/esp_wifi/Kconfig

@@ -493,6 +493,20 @@ menu "Wi-Fi"
                     TLS-v1.0, TLS-v1.1 versions. Incase your server is using one of these version,
                     it is advisable to update your server.
                     Please disable this option for compatibilty with older TLS versions.
+
+        config ESP_WIFI_EAP_TLS1_3
+            bool "Enable EAP-TLS v1.3 Support for WiFi Enterprise connection"
+            default n
+            select MBEDTLS_SSL_PROTO_TLS1_3
+            depends on ESP_WIFI_MBEDTLS_TLS_CLIENT
+            help
+                Select this option to support EAP with TLS v1.3.
+                This configuration still supports compatibility with EAP-TLS v1.2.
+                Please note that enabling this configuration will cause every application which
+                uses TLS go for TLS1.3 if server supports that. TLS1.3 is still in development in mbedtls
+                and there may be interoperability issues with this. Please modify your application to set
+                max version as TLS1.2 if you want to enable TLS1.3 only for WiFi connection.
+
         endif
 
         config ESP_WIFI_WAPI_PSK

components/wpa_supplicant/CMakeLists.txt

@@ -304,6 +304,9 @@ endif()
 if(CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA)
         target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_OWE_STA)
 endif()
+if(CONFIG_ESP_WIFI_EAP_TLS1_3)
+    target_compile_definitions(${COMPONENT_LIB} PRIVATE CONFIG_TLSV13)
+endif()
 set_property(TARGET ${COMPONENT_LIB} APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 3)
 
 target_compile_options(${COMPONENT_LIB} PRIVATE "-Wno-format")

components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c

@@ -37,10 +37,21 @@
 #include "mbedtls/platform.h"
 #include "eap_peer/eap.h"
 
+#ifdef CONFIG_TLSV13
+#include "psa/crypto.h"
+#include "md_psa.h"
+#include "ssl_tls13_keys.h"
+#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status,   \
+                                                           psa_to_ssl_errors,             \
+                                                           psa_generic_status_to_mbedtls)
+#endif /* CONFIG_TLSV13 */
+
 
 #define TLS_RANDOM_LEN 32
+#define TLS_HASH_MAX_SIZE 64
 #define TLS_MASTER_SECRET_LEN 48
 #define MAX_CIPHERSUITE 32
+#define MAX_EXPORTER_CONTEXT_LEN 65535
 
 
 
@@ -82,8 +93,10 @@ struct tls_connection {
 	struct tls_data tls_io_data;
 	unsigned char master_secret[TLS_MASTER_SECRET_LEN];
 	unsigned char randbytes[2 * TLS_RANDOM_LEN];
-        mbedtls_tls_prf_types tls_prf_type;
-	mbedtls_md_type_t mac;
+	mbedtls_tls_prf_types tls_prf_type;
+#ifdef CONFIG_TLSV13
+	unsigned char exporter_master_secret[TLS_HASH_MAX_SIZE];
+#endif /* CONFIG_TLSV13 */
 };
 
 static void tls_mbedtls_cleanup(tls_context_t *tls)
@@ -201,6 +214,43 @@ static int set_ca_cert(tls_context_t *tls, const unsigned char *cacert, size_t c
 
 #ifdef CONFIG_SUITEB192
 static uint16_t tls_sig_algs_for_suiteb[] = {
+
+#ifdef CONFIG_TLSV13
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+    defined(MBEDTLS_MD_CAN_SHA384) && \
+    defined(PSA_WANT_ECC_SECP_R1_384)
+    MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
+    // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+    defined(MBEDTLS_MD_CAN_SHA512) && \
+    defined(PSA_WANT_ECC_SECP_R1_521)
+    MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
+    // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
+#endif
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
+    defined(MBEDTLS_MD_CAN_SHA512)
+    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
+#endif \
+    /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA512 */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
+    defined(MBEDTLS_MD_CAN_SHA384)
+    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
+#endif \
+    /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
+    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
+    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
+#endif /* CONFIG_TLSV13 */
+
 #if defined(MBEDTLS_SHA512_C)
 #if defined(MBEDTLS_ECDSA_C)
     MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ),
@@ -235,6 +285,60 @@ static void tls_set_suiteb_config(tls_context_t *tls)
 #endif
 
 static uint16_t tls_sig_algs_for_eap[] = {
+
+#ifdef CONFIG_TLSV13
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+    defined(MBEDTLS_MD_CAN_SHA256) && \
+    defined(PSA_WANT_ECC_SECP_R1_256)
+    MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
+    // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+    defined(MBEDTLS_MD_CAN_SHA384) && \
+    defined(PSA_WANT_ECC_SECP_R1_384)
+    MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
+    // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
+    defined(MBEDTLS_MD_CAN_SHA512) && \
+    defined(PSA_WANT_ECC_SECP_R1_521)
+    MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
+    // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
+#endif
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
+    defined(MBEDTLS_MD_CAN_SHA512)
+    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
+#endif \
+    /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA512 */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
+    defined(MBEDTLS_MD_CAN_SHA384)
+    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
+#endif \
+    /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
+    defined(MBEDTLS_MD_CAN_SHA256)
+    MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
+#endif \
+    /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256 */
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
+    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
+    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
+
+#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
+    MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
+#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
+#endif /* CONFIG_TLSV13 */
+
 #if defined(MBEDTLS_SHA512_C)
 #if defined(MBEDTLS_ECDSA_C)
     MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512 ),
@@ -300,8 +404,20 @@ static int tls_disable_key_usages(void *data, mbedtls_x509_crt *cert, int depth,
 }
 #endif /*CONFIG_ESP_WIFI_DISABLE_KEY_USAGE_CHECK*/
 
+#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
+#define TLS1_3_CIPHER_SUITES \
+	MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256,	\
+	MBEDTLS_TLS1_3_AES_256_GCM_SHA384,			\
+	MBEDTLS_TLS1_3_AES_128_GCM_SHA256,			\
+	MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256,		\
+	MBEDTLS_TLS1_3_AES_128_CCM_SHA256
+#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
+
 static const int eap_ciphersuite_preference[] =
 {
+#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
+	TLS1_3_CIPHER_SUITES,
+#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
 #if defined(MBEDTLS_CCM_C)
 	MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM,
@@ -417,6 +533,9 @@ static const int eap_ciphersuite_preference[] =
 #ifdef CONFIG_SUITEB192
 static const int suiteb_rsa_ciphersuite_preference[] =
 {
+#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
+	TLS1_3_CIPHER_SUITES,
+#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_GCM_C)
 #if defined(MBEDTLS_SHA512_C)
 	MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
@@ -428,6 +547,9 @@ static const int suiteb_rsa_ciphersuite_preference[] =
 
 static const int suiteb_ecc_ciphersuite_preference[] =
 {
+#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
+	TLS1_3_CIPHER_SUITES,
+#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_GCM_C)
 #if defined(MBEDTLS_SHA512_C)
 	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@@ -437,6 +559,9 @@ static const int suiteb_ecc_ciphersuite_preference[] =
 };
 static const int suiteb_ciphersuite_preference[] =
 {
+#if defined(CONFIG_ESP_WIFI_EAP_TLS1_3)
+	TLS1_3_CIPHER_SUITES,
+#endif /* CONFIG_ESP_WIFI_EAP_TLS1_3 */
 #if defined(MBEDTLS_GCM_C)
 #if defined(MBEDTLS_SHA512_C)
 	MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
@@ -469,12 +594,23 @@ static void tls_set_ciphersuite(const struct tls_connection_params *cfg, tls_con
 		}
 	} else
 #endif
+#ifdef CONFIG_TLSV13
+	/* Enable TLS1.3 ciphers if TLS1.3 is enabled */
+	mbedtls_ssl_conf_ciphersuites(&tls->conf, eap_ciphersuite_preference);
+#else
+	/* Set cipher suites if User has explicitly set those
+	 * TODO: public API to set EAP ciphers */
 	if (tls->ciphersuite[0]) {
 		mbedtls_ssl_conf_ciphersuites(&tls->conf, tls->ciphersuite);
 	} else if (mbedtls_pk_get_bitlen(&tls->clientkey) > 2048 ||
 		(tls->cacert_ptr && mbedtls_pk_get_bitlen(&tls->cacert_ptr->pk) > 2048)) {
+		/* Incase of big RSA keylen, ESP chips do not have sufficient processing
+		 * power to use high computation ciphers. This code will limit the ciphers
+		 * to less computational ones */
 		mbedtls_ssl_conf_ciphersuites(&tls->conf, eap_ciphersuite_preference);
 	}
+
+#endif /* CONFIG_TLSV13 */
 }
 
 static int set_client_config(const struct tls_connection_params *cfg, tls_context_t *tls)
@@ -548,6 +684,22 @@ static int set_client_config(const struct tls_connection_params *cfg, tls_contex
 	return 0;
 }
 
+#ifdef CONFIG_TLSV13
+static void tls13_extract_exporter_master_secret(struct tls_connection *conn)
+{
+	mbedtls_ssl_context *ssl = &conn->tls->ssl;
+	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
+	psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
+
+	size_t hash_len = PSA_HASH_LENGTH(hash_alg);
+	assert(hash_len != 0);
+
+	mbedtls_ssl_tls13_application_secrets *app_secrets =
+		&ssl->session_negotiate->app_secrets;
+	os_memcpy(conn->exporter_master_secret, app_secrets->exporter_master_secret, hash_len);
+}
+#endif /* CONFIG_TLSV13 */
+
 static void  tls_key_derivation(void *ctx,
 				mbedtls_ssl_key_export_type secret_type,
 				const unsigned char *secret,
@@ -562,6 +714,12 @@ static void  tls_key_derivation(void *ctx,
 	os_memcpy(conn->randbytes, client_random, TLS_RANDOM_LEN);
 	os_memcpy(conn->randbytes + 32, server_random, TLS_RANDOM_LEN);
 	conn->tls_prf_type = tls_prf_type;
+
+#ifdef CONFIG_TLSV13
+	if (secret_type == MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET) {
+		tls13_extract_exporter_master_secret(conn);
+	}
+#endif /* CONFIG_TLSV13 */
 }
 
 static int tls_create_mbedtls_handle(struct tls_connection *conn,
@@ -593,6 +751,12 @@ static int tls_create_mbedtls_handle(struct tls_connection *conn,
 
 	mbedtls_ssl_conf_rng(&tls->conf, mbedtls_ctr_drbg_random, &tls->ctr_drbg);
 
+#if defined(CONFIG_MBEDTLS_SSL_PROTO_TLS1_3) && !defined(CONFIG_TLSV13)
+	/* Disable TLSv1.3 even when enabled in MbedTLS and not enabled in WiFi config.
+	 * TODO: Remove Kconfig option for TLSv1.3 when it is matured enough */
+	mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_2);
+#endif /* CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && !CONFIG_TLSV13 */
+
 	ret = mbedtls_ssl_setup(&tls->ssl, &tls->conf);
 	if (ret != 0) {
 		wpa_printf(MSG_ERROR, "mbedtls_ssl_setup returned -0x%x", -ret);
@@ -749,17 +913,8 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 	/* Multiple reads */
 	while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) {
 		cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
-		if (cli_state == MBEDTLS_SSL_CLIENT_CERTIFICATE) {
-			/* Read random data before session completes, not present after handshake */
-			if (tls->ssl.MBEDTLS_PRIVATE(handshake)) {
-				os_memcpy(conn->randbytes, tls->ssl.MBEDTLS_PRIVATE(handshake)->randbytes,
-					  TLS_RANDOM_LEN * 2);
-				conn->mac = tls->ssl.MBEDTLS_PRIVATE(handshake)->ciphersuite_info->mac;
-			}
-		}
 		ret = mbedtls_ssl_handshake_step(&tls->ssl);
-
-		if (ret < 0) {
+		if (ret < 0)
 			break;
 		}
 #ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
@@ -782,7 +937,28 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 	if (!conn->tls_io_data.out_data) {
 		wpa_printf(MSG_INFO, "application data is null, adding one byte for ack");
 		u8 *dummy = os_zalloc(1);
+		if (dummy == NULL) {
+			wpa_printf(MSG_INFO, "%s: memory allocation failure. line:%d", __func__, __LINE__);
+			goto end;
+		}
+
+#ifdef CONFIG_TLSV13
+		if (mbedtls_ssl_get_version_number(&conn->tls->ssl) == MBEDTLS_SSL_VERSION_TLS1_3) {
+			*appl_data = wpabuf_alloc_ext_data(dummy, 1);
+			if (appl_data == NULL) {
+				wpa_printf(MSG_INFO, "%s: memory allocation failure. line:%d", __func__, __LINE__);
+				os_free(dummy);
+				goto end;
+			}
+			return NULL;
+		}
+#endif /* CONFIG_TLSV13 */
 		conn->tls_io_data.out_data = wpabuf_alloc_ext_data(dummy, 0);
+		if (conn->tls_io_data.out_data == NULL) {
+			wpa_printf(MSG_INFO, "%s: memory allocation failure. line:%d", __func__, __LINE__);
+			os_free(dummy);
+			goto end;
+		}
 	}
 
 end:
@@ -1006,25 +1182,26 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
 	size_t seed_len = 2 * TLS_RANDOM_LEN;
 	mbedtls_ssl_context *ssl = &conn->tls->ssl;
 
-	if (context_len > 65535)
+	if (context_len > MAX_EXPORTER_CONTEXT_LEN) {
 		return -1;
+	}
 
-	if (context)
+	if (context) {
+		// The magic value 2 represents the memory required to store the context length.
 		seed_len += 2 + context_len;
-
-	seed = os_malloc(seed_len);
-	if (!seed) {
-		return -1;
 	}
 
 	if (!ssl) {
 		wpa_printf(MSG_ERROR, "TLS: %s, session ingo is null", __func__);
-		os_free(seed);
 		return -1;
 	}
 	if (!mbedtls_ssl_is_handshake_over(ssl)) {
 		wpa_printf(MSG_ERROR, "TLS: %s, incorrect tls state=%d", __func__, ssl->MBEDTLS_PRIVATE(state));
-		os_free(seed);
+		return -1;
+	}
+
+	seed = os_malloc(seed_len);
+	if (!seed) {
 		return -1;
 	}
 
@@ -1046,7 +1223,7 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
 	wpa_hexdump_key(MSG_MSGDUMP, "master",  ssl->MBEDTLS_PRIVATE(session)->MBEDTLS_PRIVATE(master), TLS_MASTER_SECRET_LEN);
 
 	ret = mbedtls_ssl_tls_prf(conn->tls_prf_type, conn->master_secret, TLS_MASTER_SECRET_LEN,
-				label, seed, 2 * TLS_RANDOM_LEN, out, out_len);
+				label, seed, seed_len, out, out_len);
 	os_free(seed);
 
 	if (ret < 0) {
@@ -1058,11 +1235,72 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
 	return ret;
 }
 
+#ifdef CONFIG_TLSV13
+/* RFC 8446 Section 7.5 */
+static int tls13_connection_export_key(void *tls_ctx, struct tls_connection *conn,
+			      const char *label, const u8 *context,
+			      size_t context_len, u8 *out, size_t out_len)
+{
+	int ret;
+	mbedtls_ssl_context *ssl = &conn->tls->ssl;
+	psa_algorithm_t hash_alg;
+	size_t hash_len;
+	unsigned char tmp_secret[PSA_MAC_MAX_SIZE] = { 0 };
+	unsigned char hashed_context[PSA_HASH_MAX_SIZE] = { 0 };
+	psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+	const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
+
+	hash_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
+	hash_len = PSA_HASH_LENGTH(hash_alg);
+
+	ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
+			conn->exporter_master_secret, hash_len,
+			(unsigned char const *) label, (size_t) strlen(label),
+			NULL, 0,
+			MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
+			tmp_secret, hash_len);
+
+	if (ret != 0) {
+		wpa_printf(MSG_ERROR, "%s(): mbedtls_ssl_tls13_derive_secret() failed",
+				__func__);
+		return ret;
+	}
+
+	status = psa_hash_compute(hash_alg, context, context_len, hashed_context,
+				PSA_HASH_LENGTH(hash_alg), &context_len);
+	if (status != PSA_SUCCESS) {
+		wpa_printf(MSG_ERROR, "%s(): psa_hash_compute() failed",
+				__func__);
+		ret = PSA_TO_MBEDTLS_ERR(status);
+		return ret;
+	}
+
+	ret = mbedtls_ssl_tls13_hkdf_expand_label(hash_alg,
+			tmp_secret, hash_len,
+			MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exporter),
+			hashed_context, context_len,
+			out, out_len);
+
+	if (ret != 0) {
+		wpa_printf(MSG_ERROR, "%s(): psa_hash_compute() failed",
+				__func__);
+		return ret;
+	}
+	return 0;
+}
+#endif /* CONFIG_TLSV13 */
+
 int tls_connection_export_key(void *tls_ctx, struct tls_connection *conn,
 			      const char *label, const u8 *context,
 			      size_t context_len, u8 *out, size_t out_len)
 {
-	return tls_connection_prf(tls_ctx, conn, label,context, context_len,
+#ifdef CONFIG_TLSV13
+	if (mbedtls_ssl_get_version_number(&conn->tls->ssl) == MBEDTLS_SSL_VERSION_TLS1_3)
+		return tls13_connection_export_key(tls_ctx, conn, label, context, context_len,
+				out, out_len);
+#endif /* CONFIG_TLSV13 */
+	return tls_connection_prf(tls_ctx, conn, label, context, context_len,
 			0, out, out_len);
 }
 

components/wpa_supplicant/src/eap_peer/eap_peap.c

@@ -18,6 +18,10 @@
 #include "eap_peer/eap_config.h"
 #include "eap_peer/eap_methods.h"
 
+#ifdef CONFIG_TLSV13
+#include "psa/crypto.h"
+#endif /* CONFIG_TLSV13 */
+
 /* Maximum supported PEAP version
  * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt
  * 1 = draft-josefsson-ppext-eap-tls-eap-05.txt
@@ -160,6 +164,13 @@ eap_peap_init(struct eap_sm *sm)
 {
 	struct eap_peap_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
+#ifdef CONFIG_TLSV13
+	psa_status_t status = psa_crypto_init();
+	if (status != PSA_SUCCESS) {
+		wpa_printf(MSG_ERROR, "EAP-PEAP: Failed to initialize PSA crypto, returned %d", (int) status);
+		return NULL;
+	}
+#endif /* CONFIG_TLSV13 */
 
 	data = (struct eap_peap_data *)os_zalloc(sizeof(*data));
 	if (data == NULL)

components/wpa_supplicant/src/eap_peer/eap_tls.c

@@ -16,6 +16,10 @@
 #include "eap_peer/eap_config.h"
 #include "eap_peer/eap_methods.h"
 
+#ifdef CONFIG_TLSV13
+#include "psa/crypto.h"
+#endif /* CONFIG_TLSV13 */
+
 
 static void eap_tls_deinit(struct eap_sm *sm, void *priv);
 
@@ -36,7 +40,13 @@ static void * eap_tls_init(struct eap_sm *sm)
 {
 	struct eap_tls_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
-
+#ifdef CONFIG_TLSV13
+	psa_status_t status = psa_crypto_init();
+	if (status != PSA_SUCCESS) {
+		wpa_printf(MSG_ERROR, "EAP-TLS: Failed to initialize PSA crypto, returned %d", (int) status);
+		return NULL;
+	}
+#endif /* CONFIG_TLSV13 */
 	if (config == NULL ||
 	    config->private_key == 0) {
 		wpa_printf(MSG_INFO, "EAP-TLS: Private key not configured");

components/wpa_supplicant/src/eap_peer/eap_ttls.c

@@ -22,6 +22,9 @@
 #include "eap_peer/eap_config.h"
 #include "eap_peer/eap_methods.h"
 
+#ifdef CONFIG_TLSV13
+#include "psa/crypto.h"
+#endif /* CONFIG_TLSV13 */
 
 #define EAP_TTLS_VERSION 0
 
@@ -72,6 +75,13 @@ static void * eap_ttls_init(struct eap_sm *sm)
 {
 	struct eap_ttls_data *data;
 	struct eap_peer_config *config = eap_get_config(sm);
+#ifdef CONFIG_TLSV13
+	psa_status_t status = psa_crypto_init();
+	if (status != PSA_SUCCESS) {
+		wpa_printf(MSG_ERROR, "EAP-TTLS: Failed to initialize PSA crypto, returned %d", (int) status);
+		return NULL;
+	}
+#endif /* CONFIG_TLSV13 */
 
 	data = (struct eap_ttls_data *)os_zalloc(sizeof(*data));
 	if (data == NULL)