struct eap_method_ret *ret)
{
const char *label;
+ const u8 eap_tls13_context[] = { EAP_TYPE_TLS };
+ const u8 *context = NULL;
+ size_t context_len = 0;
wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
if (data->ssl.tls_v13) {
label = "EXPORTER_EAP_TLS_Key_Material";
+ context = eap_tls13_context;
+ context_len = 1;
/* A possible NewSessionTicket may be received before
* EAP-Success, so need to allow it to be received. */
eap_tls_free_key(data);
data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label,
- NULL, 0,
+ context, context_len,
EAP_TLS_KEY_LEN +
EAP_EMSK_LEN);
if (data->key_data) {
if (eap_type == EAP_TYPE_TLS && data->tls_v13) {
u8 *id, *method_id;
+ const u8 context[] = { EAP_TYPE_TLS };
/* Session-Id = <EAP-Type> || Method-Id
* Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id",
- * "", 64)
+ * Type-Code, 64)
*/
*len = 1 + 64;
id = os_malloc(*len);
if (!id)
return NULL;
method_id = eap_peer_tls_derive_key(
- sm, data, "EXPORTER_EAP_TLS_Method-Id", NULL, 0, 64);
+ sm, data, "EXPORTER_EAP_TLS_Method-Id", context, 1, 64);
if (!method_id) {
os_free(id);
return NULL;
struct eap_tls_data *data = priv;
u8 *eapKeyData;
const char *label;
+ const u8 eap_tls13_context[] = { EAP_TYPE_TLS };
+ const u8 *context = NULL;
+ size_t context_len = 0;
if (data->state != SUCCESS)
return NULL;
- if (data->ssl.tls_v13)
+ if (data->ssl.tls_v13) {
label = "EXPORTER_EAP_TLS_Key_Material";
- else
+ context = eap_tls13_context;
+ context_len = 1;
+ } else {
label = "client EAP encryption";
+ }
eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, label,
- NULL, 0,
+ context, context_len,
EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
if (eapKeyData) {
*len = EAP_TLS_KEY_LEN;
struct eap_tls_data *data = priv;
u8 *eapKeyData, *emsk;
const char *label;
+ const u8 eap_tls13_context[] = { EAP_TYPE_TLS };
+ const u8 *context = NULL;
+ size_t context_len = 0;
if (data->state != SUCCESS)
return NULL;
- if (data->ssl.tls_v13)
+ if (data->ssl.tls_v13) {
label = "EXPORTER_EAP_TLS_Key_Material";
- else
+ context = eap_tls13_context;
+ context_len = 1;
+ } else {
label = "client EAP encryption";
+ }
eapKeyData = eap_server_tls_derive_key(sm, &data->ssl, label,
- NULL, 0,
+ context, context_len,
EAP_TLS_KEY_LEN + EAP_EMSK_LEN);
if (eapKeyData) {
emsk = os_malloc(EAP_EMSK_LEN);
{
struct tls_random keys;
u8 *out;
+ const u8 context[] = { EAP_TYPE_TLS };
if (eap_type == EAP_TYPE_TLS && data->tls_v13) {
u8 *id, *method_id;
/* Session-Id = <EAP-Type> || Method-Id
* Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id",
- * "", 64)
+ * Type-Code, 64)
*/
*len = 1 + 64;
id = os_malloc(*len);
if (!id)
return NULL;
method_id = eap_server_tls_derive_key(
- sm, data, "EXPORTER_EAP_TLS_Method-Id", NULL, 0, 64);
+ sm, data, "EXPORTER_EAP_TLS_Method-Id", context, 1, 64);
if (!method_id) {
os_free(id);
return NULL;