net: lib: hostap_crypto: Add support for WPA3-PSA

This implements the PSA variant of WPA3, disables the internal WPA3 in
the supplicant and uses the nRF Oberon's WPA3 HKDF APIs.

Signed-off-by: Chaitanya Tata <[email protected]>

Author: krish2718

doc/nrf/app_dev/device_guides/nrf70/wifi_advanced_security_modes.rst

@@ -220,7 +220,7 @@ This improves the security of the nRF70 device compared to the non-PSA mode.
 
 .. note::
 
-      Currently, the PSA crypto support is only applicable to the WPA2™-personal security profile.
+      Currently, the PSA crypto support is only applicable to the WPA2™ and WPA3™-personal security profiles.
 
 Enable PSA support
 ==================

subsys/net/lib/hostap_crypto/CMakeLists.txt

@@ -79,4 +79,14 @@ if(DEFINED CONFIG_HOSTAP_CRYPTO_ALT_PSA)
     ${HOSTAP_BASE}/port/mbedtls/supp_psa_api.c
     ${HOSTAP_SRC_BASE}/crypto/tls_none.c
   )
+
+  if(CONFIG_HOSTAP_CRYPTO_WPA3_PSA)
+    zephyr_library_sources(
+      wpa3_psa.c
+    )
+    zephyr_library_compile_definitions(
+      CONFIG_SAE
+      CONFIG_ECC
+    )
+  endif()
 endif()

subsys/net/lib/hostap_crypto/Kconfig

@@ -97,15 +97,21 @@ config HOSTAP_CRYPTO_ENTERPRISE
 
 endif
 
-# PSA crypto is WPA2 only for now
+# PSA crypto is personal security only for now
 if HOSTAP_CRYPTO_ALT_PSA
+	# PSA doesn't work with WPA3 builtin (uses bignum)
+	config WIFI_NM_WPA_SUPPLICANT_WPA3
+		default n
+	# PSA doesn't support with enterprise mode yet
+	config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
+		default n
 
-config WIFI_NM_WPA_SUPPLICANT_WPA3
-	default n
-
-config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ENTERPRISE
-	default n
-
+	config HOSTAP_CRYPTO_WPA3_PSA
+		bool "WPA3 PSA support"
+		select EXPERIMENTAL
+		select PSA_WANT_ALG_WPA3_SAE
+		select PSA_WANT_ALG_WPA3_SAE_H2E
+		select PSA_WANT_KEY_TYPE_WPA3_SAE_PT
 endif
 
 endif