GET /api/1.0/patches/2198443/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2198443,
    "url": "http://patchwork.ozlabs.org/api/1.0/patches/2198443/?format=api",
    "project": {
        "id": 22,
        "url": "http://patchwork.ozlabs.org/api/1.0/projects/22/?format=api",
        "name": "HostAP Development",
        "link_name": "hostap",
        "list_id": "hostap.lists.infradead.org",
        "list_email": "hostap@lists.infradead.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": ""
    },
    "msgid": "<20260219202514.5781-41-andrei.otcheretianski@intel.com>",
    "date": "2026-02-19T20:24:56",
    "name": "[40/58] NAN: Add support for adding security attributes",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": false,
    "hash": "55f54d1ce800b150b9b0b37c09d055f794b1e0bd",
    "submitter": {
        "id": 62065,
        "url": "http://patchwork.ozlabs.org/api/1.0/people/62065/?format=api",
        "name": "Andrei Otcheretianski",
        "email": "andrei.otcheretianski@intel.com"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/hostap/patch/20260219202514.5781-41-andrei.otcheretianski@intel.com/mbox/",
    "series": [
        {
            "id": 492721,
            "url": "http://patchwork.ozlabs.org/api/1.0/series/492721/?format=api",
            "date": "2026-02-19T20:24:21",
            "name": "NAN: Add NAN Data Path (NDP) support",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/492721/mbox/"
        }
    ],
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2198443/checks/",
    "tags": {},
    "headers": {
        "Return-Path": "\n <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=SoZ6U9Pl;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=GiE8N1/p;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fH4jr0CJZz1xpY\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 20 Feb 2026 07:29:36 +1100 (AEDT)",
            "from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1vtAe2-0000000C0GJ-2QMF;\n\tThu, 19 Feb 2026 20:29:06 +0000",
            "from mgamail.intel.com ([198.175.65.10])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1vtAd4-0000000Bwog-1ZKs\n\tfor hostap@lists.infradead.org;\n\tThu, 19 Feb 2026 20:28:19 +0000",
            "from orviesa004.jf.intel.com ([10.64.159.144])\n  by orvoesa102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 19 Feb 2026 12:27:24 -0800",
            "from aotchere-mobl1.ger.corp.intel.com (HELO\n aotchere-mobl1.intel.com) ([10.245.246.171])\n  by orviesa004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 19 Feb 2026 12:27:21 -0800"
        ],
        "DKIM-Signature": [
            "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=6/zUo4UhTpLP03qptcEXZ3hF3SGnVpblWDw19oUcoso=; b=SoZ6U9PlfwNfuG\n\tAsrXmZwzJHD50qRJ+105DcWPb7x3gYZFad/cI9fsWArlcR9mZ0jLqiyYpnJVbvHmI1ySfU6LSgcC+\n\t5Ra41EFEFZQNtsvUrH/IFfBIxBvq+pJ/AgtkDl51LAQCLfV1TEVO4WZuPXZGD6Zi2urfthbckJMqJ\n\tc18lsqRK1ezT1VC8Q4eyzRQLFYheH7FnYYY1wFDiWPFx0N0EZp8SLvqOT9796fJGuf4gA+2K7UO1F\n\t/Q0Uqm89RQ/2c4rQIIPm/be71r+2vL+SedHvFczUs8m0ifiMuHunAcnD4XYc1WroHwKWhRAgVGGhU\n\tOcUzdUStVGNsGjuocFMg==;",
            "v=1; a=rsa-sha256; c=relaxed/simple;\n  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n  t=1771532887; x=1803068887;\n  h=from:to:cc:subject:date:message-id:in-reply-to:\n   references:mime-version:content-transfer-encoding;\n  bh=etuBz5KDWv11FVrNczqlN81b5RNcEHVmk1Dh4VIrISs=;\n  b=GiE8N1/pbSvALBXIr1Rp6VwUc3vhxm0yp5Z9ritA3To0OCZw4TCB/Pvs\n   EIYO75rvZCDTExwobOqxINKkpqlULb6l5D9UAyX3KI+55EUHmxsn81xxC\n   /hkBY6ui5GDExlj/TVG2w8V0rcsdL8WF3hX5NY43uvu2NxYh9s0DGliYs\n   YbaEJH4UHT5aG1CQsdqZOTA3Vl4ATq/d1Og08LDUNw+rKgzMM7NDDK0h1\n   JU1ROona7VIcnGyjvAf1+KvpngYuy9+eBDAJdXDzC7F/y4eaQtGOdhfBO\n   +igIHSArK0CAjEAFpTjsOhxcgGbzdsSRY/RulN9HaO8vDx0np9B07CPZK\n   Q==;"
        ],
        "X-CSE-ConnectionGUID": [
            "vRPM4ElvST6nCB8EorMf/Q==",
            "PAM7R3NBRCOET90+sjNnMQ=="
        ],
        "X-CSE-MsgGUID": [
            "RNb15F9pSEeiWcNw7oYEYw==",
            "17O5gPJhSQSexC4U5Gbkzg=="
        ],
        "X-IronPort-AV": [
            "E=McAfee;i=\"6800,10657,11706\"; a=\"90040117\"",
            "E=Sophos;i=\"6.21,300,1763452800\";\n   d=\"scan'208\";a=\"90040117\"",
            "E=Sophos;i=\"6.21,300,1763452800\";\n   d=\"scan'208\";a=\"219153982\""
        ],
        "X-ExtLoop1": "1",
        "From": "Andrei Otcheretianski <andrei.otcheretianski@intel.com>",
        "To": "hostap@lists.infradead.org,\n\tvamsin@qti.qualcomm.com,\n\tvganneva@qti.qualcomm.com,\n\tmaheshkkv@google.com",
        "Cc": "Ilan Peer <ilan.peer@intel.com>",
        "Subject": "[PATCH 40/58] NAN: Add support for adding security attributes",
        "Date": "Thu, 19 Feb 2026 22:24:56 +0200",
        "Message-ID": "<20260219202514.5781-41-andrei.otcheretianski@intel.com>",
        "X-Mailer": "git-send-email 2.52.0",
        "In-Reply-To": "<20260219202514.5781-1-andrei.otcheretianski@intel.com>",
        "References": "<20260219202514.5781-1-andrei.otcheretianski@intel.com>",
        "MIME-Version": "1.0",
        "X-CRM114-Version": "20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ",
        "X-CRM114-CacheID": "sfid-20260219_122806_645528_23361780 ",
        "X-CRM114-Status": "GOOD (  21.29  )",
        "X-Spam-Score": "-4.4 (----)",
        "X-Spam-Report": "Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  From: Ilan Peer <ilan.peer@intel.com> Add support for\n adding\n    NAN security attributes to NAFs. In addition add function to initialize\n the\n    security data for the case that the device is going to be an NDP\n responder.    \n Content analysis details:   (-4.4 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,\n                             medium trust\n                             [198.175.65.10 listed in list.dnswl.org]\n -0.0 SPF_PASS               SPF: sender matches SPF record\n  0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The\n                             query to Validity was blocked.  See\n                             https://knowledge.validity.com/hc/en-us/articles/20961730681243\n                              for more information.\n                          [198.175.65.10 listed in\n sa-trusted.bondedsender.org]\n  0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n                              Validity was blocked.  
See\n                             https://knowledge.validity.com/hc/en-us/articles/20961730681243\n                              for more information.\n                             [198.175.65.10 listed in sa-accredit.habeas.com]\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n                             domain\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                             [score: 0.0000]\n  0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n                              Validity was blocked.  See\n                             https://knowledge.validity.com/hc/en-us/articles/20961730681243\n                              for more information.\n                             [198.175.65.10 listed in\n bl.score.senderscore.com]\n -0.0 DKIMWL_WL_HIGH         DKIMwl.org - High trust sender",
        "X-BeenThere": "hostap@lists.infradead.org",
        "X-Mailman-Version": "2.1.34",
        "Precedence": "list",
        "List-Id": "<hostap.lists.infradead.org>",
        "List-Unsubscribe": "<http://lists.infradead.org/mailman/options/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=unsubscribe>",
        "List-Archive": "<http://lists.infradead.org/pipermail/hostap/>",
        "List-Post": "<mailto:hostap@lists.infradead.org>",
        "List-Help": "<mailto:hostap-request@lists.infradead.org?subject=help>",
        "List-Subscribe": "<http://lists.infradead.org/mailman/listinfo/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=subscribe>",
        "Content-Type": "text/plain; charset=\"us-ascii\"",
        "Content-Transfer-Encoding": "7bit",
        "Sender": "\"Hostap\" <hostap-bounces@lists.infradead.org>",
        "Errors-To": "hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"
    },
    "content": "From: Ilan Peer <ilan.peer@intel.com>\n\nAdd support for adding NAN security attributes to\nNAFs.\n\nIn addition add function to initialize the security\ndata for the case that the device is going to be\nan NDP responder.\n\nSigned-off-by: Ilan Peer <ilan.peer@intel.com>\n---\n src/nan/nan.h     |   1 +\n src/nan/nan_i.h   |   3 +\n src/nan/nan_sec.c | 369 ++++++++++++++++++++++++++++++++++++++++++++++\n 3 files changed, 373 insertions(+)",
    "diff": "diff --git a/src/nan/nan.h b/src/nan/nan.h\nindex 729a4a6fb9..1ca3e49dba 100644\n--- a/src/nan/nan.h\n+++ b/src/nan/nan.h\n@@ -302,6 +302,7 @@ struct nan_channels {\n \n struct nan_config {\n \tvoid *cb_ctx;\n+\tu8 nmi_addr[ETH_ALEN];\n \n \tstruct nan_device_capabilities dev_capa;\n \ndiff --git a/src/nan/nan_i.h b/src/nan/nan_i.h\nindex 8f64c3d332..3a1ad24a7e 100644\n--- a/src/nan/nan_i.h\n+++ b/src/nan/nan_i.h\n@@ -588,4 +588,7 @@ int nan_sec_rx(struct nan_data *nan, struct nan_peer *peer,\n \t       struct nan_msg *msg);\n int nan_add_csia(struct wpabuf *buf, u8 capab, size_t cs_list_len,\n \t\t struct nan_cipher_suite *cs_list);\n+int nan_sec_add_attrs(struct nan_data *nan, struct nan_peer *peer,\n+\t\t      enum nan_subtype subtype, struct wpabuf *buf);\n+int nan_sec_init_resp(struct nan_data *nan, struct nan_peer *peer);\n #endif /* NAN_I_H */\ndiff --git a/src/nan/nan_sec.c b/src/nan/nan_sec.c\nindex b5f51282ae..a1d9cda54b 100644\n--- a/src/nan/nan_sec.c\n+++ b/src/nan/nan_sec.c\n@@ -623,3 +623,372 @@ int nan_sec_rx(struct nan_data *nan, struct nan_peer *peer,\n \n \treturn 0;\n }\n+\n+\n+/*\n+ * nan_sec_add_m1_attrs - Add security attributes to NAN message 1\n+ *\n+ * @nan: NAN module context from nan_init()\n+ * @peer: Peer which is the recipient of the message\n+ * @buf: Buffer to which the attribute should be added\n+ * Returns: 0 on success, negative on failure\n+ *\n+ * In addition to building the attributes, the function also initializes the\n+ * security context for the NDP security exchange. 
Assumes that the following\n+ * are already set:\n+ * - initiator CSID\n+ * - PMK\n+ * - NDP puslish ID\n+ * - initiator address\n+ * - peer_nmi\n+ */\n+static int nan_sec_add_m1_attrs(struct nan_data *nan, struct nan_peer *peer,\n+\t\t\t\tstruct wpabuf *buf)\n+{\n+\tstruct nan_ndp_sec *ndp_sec = &peer->ndp_setup.sec;\n+\tstruct wpa_eapol_key *key;\n+\tstruct nan_cipher_suite cs;\n+\tu16 info;\n+\tu8 key_len = sizeof(struct wpa_eapol_key) + 2;\n+\tint ret;\n+\n+\tif (ndp_sec->i_csid == NAN_CS_SK_CCM_128)\n+\t\tkey_len += NAN_KEY_MIC_LEN;\n+\telse if (ndp_sec->i_csid == NAN_CS_SK_GCM_256)\n+\t\tkey_len += NAN_KEY_MIC_24_LEN;\n+\telse\n+\t\treturn -1;\n+\n+\t/* Initialize the initiator security state */\n+\tos_get_random(ndp_sec->i_nonce, sizeof(ndp_sec->i_nonce));\n+\tndp_sec->i_capab = 0;\n+\tndp_sec->i_instance_id = peer->ndp_setup.publish_inst_id;\n+\n+\t/* Compute the PMKID */\n+\tret = nan_crypto_calc_pmkid(ndp_sec->pmk,\n+\t\t\t\t    nan->cfg->nmi_addr,\n+\t\t\t\t    peer->nmi_addr,\n+\t\t\t\t    peer->ndp_setup.service_id,\n+\t\t\t\t    ndp_sec->i_csid, ndp_sec->i_pmkid);\n+\tif (ret) {\n+\t\twpa_printf(MSG_DEBUG, \"NAN: SEC: Failed to compute PMKID (m1)\");\n+\t\treturn ret;\n+\t}\n+\n+\t/* Cipher suite information */\n+\tcs.csid = ndp_sec->i_csid;\n+\tcs.instance_id = ndp_sec->i_instance_id;\n+\tnan_add_csia(buf, ndp_sec->i_capab, 1, &cs);\n+\n+\t/* Security context information */\n+\twpabuf_put_u8(buf, NAN_ATTR_SCIA);\n+\twpabuf_put_le16(buf, sizeof(struct nan_sec_ctxt) + PMKID_LEN);\n+\n+\twpabuf_put_le16(buf, PMKID_LEN);\n+\twpabuf_put_u8(buf, NAN_SEC_CTX_TYPE_PMKID);\n+\twpabuf_put_u8(buf, ndp_sec->i_instance_id);\n+\twpabuf_put_data(buf, ndp_sec->i_pmkid, PMKID_LEN);\n+\n+\t/* Shared key descriptor */\n+\twpabuf_put_u8(buf, NAN_ATTR_SHARED_KEY_DESCR);\n+\twpabuf_put_le16(buf, sizeof(struct nan_shared_key) + key_len);\n+\twpabuf_put_u8(buf, ndp_sec->i_instance_id);\n+\n+\tkey = (struct wpa_eapol_key *)wpabuf_put(buf, key_len);\n+\tos_memset(key, 0, 
key_len);\n+\n+\tkey->type = NAN_KEY_DESC;\n+\tinfo = WPA_KEY_INFO_TYPE_AKM_DEFINED | WPA_KEY_INFO_KEY_TYPE |\n+\t\tWPA_KEY_INFO_ACK;\n+\tWPA_PUT_BE16(key->key_info, info);\n+\n+\t/* Copy the initiator nonce */\n+\tos_memcpy(key->key_nonce, ndp_sec->i_nonce, WPA_NONCE_LEN);\n+\n+\t/* Key length is zero (it can be deduced from the cipher suite) */\n+\n+\t/* Initialize replay counter */\n+\tWPA_PUT_BE64(ndp_sec->replaycnt, 1ULL);\n+\tos_memcpy(key->replay_counter, ndp_sec->replaycnt,\n+\t\t  sizeof(key->replay_counter));\n+\tndp_sec->replaycnt_ok = 1;\n+\n+\tndp_sec->valid = 1;\n+\treturn 0;\n+}\n+\n+\n+/*\n+ * nan_sec_add_m2_attrs - Add security attributes to NAN message 2\n+ *\n+ * @nan: NAN module context from nan_init()\n+ * @peer: Peer which is the recipient of the message\n+ * @buf: Buffer to which the attribute should be added\n+ * Returns: 0 on success, negative on failure\n+ */\n+static int nan_sec_add_m2_attrs(struct nan_data *nan, struct nan_peer *peer,\n+\t\t\t\tstruct wpabuf *buf)\n+{\n+\tstruct nan_ndp_sec *ndp_sec = &peer->ndp_setup.sec;\n+\tstruct wpa_eapol_key *key;\n+\tstruct nan_cipher_suite cs;\n+\tu16 info;\n+\tu8 key_len;\n+\n+\tkey_len = sizeof(struct wpa_eapol_key) + 2;\n+\tif (ndp_sec->i_csid == NAN_CS_SK_CCM_128)\n+\t\tkey_len += NAN_KEY_MIC_LEN;\n+\telse if (ndp_sec->i_csid == NAN_CS_SK_GCM_256)\n+\t\tkey_len += NAN_KEY_MIC_24_LEN;\n+\telse\n+\t\treturn -1;\n+\n+\t/* Cipher suite information */\n+\tcs.csid = ndp_sec->r_csid;\n+\tcs.instance_id = ndp_sec->r_instance_id;\n+\tnan_add_csia(buf, ndp_sec->r_capab, 1, &cs);\n+\n+\t/* Security context information */\n+\twpabuf_put_u8(buf, NAN_ATTR_SCIA);\n+\twpabuf_put_le16(buf, sizeof(struct nan_sec_ctxt) + PMKID_LEN);\n+\n+\twpabuf_put_le16(buf, PMKID_LEN);\n+\twpabuf_put_u8(buf, NAN_SEC_CTX_TYPE_PMKID);\n+\twpabuf_put_u8(buf, ndp_sec->r_instance_id);\n+\twpabuf_put_data(buf, ndp_sec->r_pmkid, PMKID_LEN);\n+\n+\tif (peer->ndp_setup.status == NAN_NDP_STATUS_REJECTED)\n+\t\treturn 0;\n+\n+\t/* 
Shared key descriptor */\n+\twpabuf_put_u8(buf, NAN_ATTR_SHARED_KEY_DESCR);\n+\twpabuf_put_le16(buf, sizeof(struct nan_shared_key) + key_len);\n+\twpabuf_put_u8(buf, ndp_sec->r_instance_id);\n+\n+\tkey = (struct wpa_eapol_key *)wpabuf_put(buf, key_len);\n+\tos_memset(key, 0, key_len);\n+\n+\tkey->type = NAN_KEY_DESC;\n+\tinfo = WPA_KEY_INFO_TYPE_AKM_DEFINED | WPA_KEY_INFO_KEY_TYPE |\n+\t\tWPA_KEY_INFO_MIC;\n+\tWPA_PUT_BE16(key->key_info, info);\n+\n+\t/* copy the responders's nonce */\n+\tos_memcpy(key->key_nonce, ndp_sec->r_nonce, WPA_NONCE_LEN);\n+\n+\t/*\n+\t * Key length is zero (it can be deduced from the cipher suite).\n+\t * No additional data is added.\n+\t */\n+\n+\t/* Copy replay counter */\n+\tos_memcpy(key->replay_counter, ndp_sec->replaycnt,\n+\t\t  sizeof(key->replay_counter));\n+\tndp_sec->replaycnt_ok = 1;\n+\n+\treturn 0;\n+}\n+\n+\n+/*\n+ * nan_sec_add_key_attrs - Add security key attributes to NAN message\n+ *\n+ * @nan: NAN module context from nan_init()\n+ * @peer: Peer which is the recipient of the message\n+ * @buf: Buffer to which the attribute should be added\n+ * @instance_id: Instance ID to use\n+ * @nonce: Nonce to use\n+ * @is_ack: Whether to include ACK flag in key info\n+ * Returns: 0 on success, negative on failure\n+ */\n+static int nan_sec_add_key_attrs(struct nan_data *nan, struct nan_peer *peer,\n+\t\t\t\t struct wpabuf *buf, u8 instance_id,\n+\t\t\t\t const u8 *nonce, bool is_ack)\n+{\n+\tstruct nan_ndp_sec *ndp_sec = &peer->ndp_setup.sec;\n+\tstruct wpa_eapol_key *key;\n+\tu16 info;\n+\tu8 key_len = sizeof(struct wpa_eapol_key) + 2;\n+\n+\tif (ndp_sec->i_csid == NAN_CS_SK_CCM_128)\n+\t\tkey_len += NAN_KEY_MIC_LEN;\n+\telse if (ndp_sec->i_csid == NAN_CS_SK_GCM_256)\n+\t\tkey_len += NAN_KEY_MIC_24_LEN;\n+\telse\n+\t\treturn -1;\n+\n+\t/* Shared key descriptor */\n+\twpabuf_put_u8(buf, NAN_ATTR_SHARED_KEY_DESCR);\n+\twpabuf_put_le16(buf, sizeof(struct nan_shared_key) + key_len);\n+\twpabuf_put_u8(buf, instance_id);\n+\n+\tkey = 
(struct wpa_eapol_key *)wpabuf_put(buf, key_len);\n+\tos_memset(key, 0, key_len);\n+\n+\tkey->type = NAN_KEY_DESC;\n+\n+\tinfo = WPA_KEY_INFO_TYPE_AKM_DEFINED | WPA_KEY_INFO_KEY_TYPE |\n+\t\tWPA_KEY_INFO_MIC | WPA_KEY_INFO_INSTALL | WPA_KEY_INFO_SECURE;\n+\tif (is_ack)\n+\t\tinfo |= WPA_KEY_INFO_ACK;\n+\n+\tWPA_PUT_BE16(key->key_info, info);\n+\n+\tos_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);\n+\n+\t/*\n+\t * Key length is zero (it can be deduced from the cipher suite).\n+\t * No additional data is added.\n+\t *\n+\t * Copy replay counter. It was already incremented while processing m2\n+\t * so no need to increment it again\n+\t */\n+\tos_memcpy(key->replay_counter, ndp_sec->replaycnt,\n+\t\t  sizeof(key->replay_counter));\n+\treturn 0;\n+}\n+\n+\n+/*\n+ * nan_sec_add_m3_attrs - Add security attributes to NAN message 3\n+ *\n+ * @nan: NAN module context from nan_init()\n+ * @peer: Peer which is the recipient of the message\n+ * @buf: Buffer to which the attribute should be added\n+ * Returns: 0 on success, negative on failure\n+ */\n+static int nan_sec_add_m3_attrs(struct nan_data *nan, struct nan_peer *peer,\n+\t\t\t\tstruct wpabuf *buf)\n+{\n+\tstruct nan_ndp_sec *ndp_sec = &peer->ndp_setup.sec;\n+\n+\treturn nan_sec_add_key_attrs(nan, peer, buf, ndp_sec->i_instance_id,\n+\t\t\t\t     ndp_sec->i_nonce, true);\n+}\n+\n+\n+/*\n+ * nan_sec_add_m4_attrs - Add security attributes to NAN message 4\n+ *\n+ * @nan: NAN module context from nan_init()\n+ * @peer: Peer which is the recipient of the message\n+ * @buf: Buffer to which the attribute should be added\n+ * Returns: 0 on success, negative on failure\n+ */\n+static int nan_sec_add_m4_attrs(struct nan_data *nan, struct nan_peer *peer,\n+\t\t\t\tstruct wpabuf *buf)\n+{\n+\tstruct nan_ndp_sec *ndp_sec = &peer->ndp_setup.sec;\n+\n+\treturn nan_sec_add_key_attrs(nan, peer, buf, ndp_sec->r_instance_id,\n+\t\t\t\t     ndp_sec->r_nonce, false);\n+}\n+\n+\n+/*\n+ * nan_sec_add_attrs - Add security attributes to NAN 
message\n+ *\n+ * @nan: NAN module context from nan_init()\n+ * @peer: Peer which is the recipient of the message\n+ * @subtype: Frame subtype\n+ * @buf: Buffer to which the attribute should be added\n+ * Returns: 0 on success, negative on failure\n+ */\n+int nan_sec_add_attrs(struct nan_data *nan, struct nan_peer *peer,\n+\t\t      enum nan_subtype subtype, struct wpabuf *buf)\n+{\n+\t/* NDP establishment is not in progress */\n+\tif (!peer->ndp_setup.ndp)\n+\t\treturn 0;\n+\n+\twpa_printf(MSG_DEBUG, \"NAN: SEC: Add security attributes\");\n+\tnan_sec_dump(nan, peer);\n+\n+\t/* No security configuration */\n+\tif (peer->ndp_setup.sec.i_csid != NAN_CS_SK_CCM_128 &&\n+\t    peer->ndp_setup.sec.i_csid != NAN_CS_SK_GCM_256)\n+\t\treturn 0;\n+\n+\tswitch (subtype) {\n+\tcase NAN_SUBTYPE_DATA_PATH_REQUEST:\n+\t\treturn nan_sec_add_m1_attrs(nan, peer, buf);\n+\tcase NAN_SUBTYPE_DATA_PATH_RESPONSE:\n+\t\treturn nan_sec_add_m2_attrs(nan, peer, buf);\n+\tcase NAN_SUBTYPE_DATA_PATH_CONFIRM:\n+\t\treturn nan_sec_add_m3_attrs(nan, peer, buf);\n+\tcase NAN_SUBTYPE_DATA_PATH_KEY_INSTALL:\n+\t\treturn nan_sec_add_m4_attrs(nan, peer, buf);\n+\tcase NAN_SUBTYPE_DATA_PATH_TERMINATION:\n+\t\tbreak;\n+\tdefault:\n+\t\treturn -1;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+\n+/**\n+ * nan_sec_init_resp - Initialize security context for responder\n+ *\n+ * @nan: NAN module context from nan_init()\n+ * @peer: Peer with whom the NDP is being established\n+ * Returns: 0 on success, negative on failure\n+ *\n+ * The function initializes the security context for the NDP security\n+ * exchange for the responder. 
Assumes that the following re already set:\n+ * - Initiator CSID\n+ * - Responder CSID\n+ * - PMK\n+ * - NDP publish ID\n+ * - Initiator address\n+ * - Responder address\n+ */\n+int nan_sec_init_resp(struct nan_data *nan, struct nan_peer *peer)\n+{\n+\tstruct nan_ndp_sec *ndp_sec = &peer->ndp_setup.sec;\n+\tstruct nan_ndp *ndp = peer->ndp_setup.ndp;\n+\tint ret;\n+\n+\tif (ndp_sec->i_csid != ndp_sec->r_csid)\n+\t\treturn -1;\n+\n+\t/* Initialize the responder's security state */\n+\tos_get_random(ndp_sec->r_nonce, sizeof(ndp_sec->r_nonce));\n+\tndp_sec->r_capab = 0;\n+\tndp_sec->r_instance_id = peer->ndp_setup.publish_inst_id;\n+\n+\tif (ndp_sec->i_instance_id != ndp_sec->r_instance_id) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t   \"NAN: SEC: Service instance IDs are different (m2)\");\n+\t\treturn -1;\n+\t}\n+\n+\t/* Compute the PMKID */\n+\tret = nan_crypto_calc_pmkid(ndp_sec->pmk, peer->nmi_addr,\n+\t\t\t\t    nan->cfg->nmi_addr,\n+\t\t\t\t    peer->ndp_setup.service_id,\n+\t\t\t\t    ndp_sec->r_csid, ndp_sec->r_pmkid);\n+\tif (ret) {\n+\t\twpa_printf(MSG_DEBUG, \"NAN: SEC: Failed to compute PMKID (m2)\");\n+\t\treturn -1;\n+\t}\n+\n+\t/* Sanity check */\n+\tif (os_memcmp(ndp_sec->i_pmkid, ndp_sec->r_pmkid, PMKID_LEN) != 0) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t   \"NAN: SEC: m2: local PMKID differs from remote\");\n+\t\treturn -1;\n+\t}\n+\n+\t/* PTK should be derived using the NDI address */\n+\tret = nan_crypto_pmk_to_ptk(ndp_sec->pmk,\n+\t\t\t\t    ndp->init_ndi, ndp->resp_ndi,\n+\t\t\t\t    ndp_sec->i_nonce, ndp_sec->r_nonce,\n+\t\t\t\t    &ndp_sec->ptk, ndp_sec->i_csid);\n+\n+\twpa_printf(MSG_DEBUG, \"NAN: SEC: derived PTK for responder (m2). ret=%d\",\n+\t\t   ret);\n+\n+\treturn ret;\n+}\n",
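Review bot: Both os_get_random() calls in the src/nan/nan_sec.c hunk ignore the return value, so if the random source fails, nan_sec_add_m1_attrs() transmits and nan_sec_init_resp() feeds into nan_crypto_pmk_to_ptk() whatever was already in `i_nonce`/`r_nonce` (presumably zeros or a nonce left from an earlier exchange). Fail the setup instead, e.g. `if (os_get_random(ndp_sec->i_nonce, sizeof(ndp_sec->i_nonce)) < 0) return -1;` in the m1 builder and the same check on `r_nonce` in nan_sec_init_resp(), placed before any other ndp_sec field is written. Separately, nan_sec_init_resp() reads `ndp->init_ndi` and `ndp->resp_ndi` without the `!peer->ndp_setup.ndp` guard that nan_sec_add_attrs() applies; the callers are not visible here, so either add the guard or state the precondition in the function comment. The int result of nan_add_csia() is also dropped in the m1 and m2 builders, which would let a failed CSIA write go unnoticed while the rest of the attributes are still appended.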
    "prefixes": [
        "40/58"
    ]
}