Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.0/patches/2198444/?format=api
{ "id": 2198444, "url": "http://patchwork.ozlabs.org/api/1.0/patches/2198444/?format=api", "project": { "id": 22, "url": "http://patchwork.ozlabs.org/api/1.0/projects/22/?format=api", "name": "HostAP Development", "link_name": "hostap", "list_id": "hostap.lists.infradead.org", "list_email": "hostap@lists.infradead.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260219202514.5781-42-andrei.otcheretianski@intel.com>", "date": "2026-02-19T20:24:57", "name": "[41/58] NAN: Add handling of pre Tx security operations", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "97dedda158518d3f3c70afba8247a7102ad4f669", "submitter": { "id": 62065, "url": "http://patchwork.ozlabs.org/api/1.0/people/62065/?format=api", "name": "Andrei Otcheretianski", "email": "andrei.otcheretianski@intel.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/hostap/patch/20260219202514.5781-42-andrei.otcheretianski@intel.com/mbox/", "series": [ { "id": 492721, "url": "http://patchwork.ozlabs.org/api/1.0/series/492721/?format=api", "date": "2026-02-19T20:24:21", "name": "NAN: Add NAN Data Path (NDP) support", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492721/mbox/" } ], "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2198444/checks/", "tags": {}, "headers": { "Return-Path": "\n <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=i+jP2GjV;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=eRRjNwCm;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fH4jv1j1hz1xpY\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 20 Feb 2026 07:29:39 +1100 (AEDT)", "from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1vtAe6-0000000C0Lk-2zOf;\n\tThu, 19 Feb 2026 20:29:10 +0000", "from mgamail.intel.com ([198.175.65.10])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1vtAd6-0000000BwCB-49uP\n\tfor hostap@lists.infradead.org;\n\tThu, 19 Feb 2026 20:28:20 +0000", "from orviesa004.jf.intel.com ([10.64.159.144])\n by orvoesa102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 19 Feb 2026 12:27:27 -0800", "from aotchere-mobl1.ger.corp.intel.com (HELO\n aotchere-mobl1.intel.com) ([10.245.246.171])\n by orviesa004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 19 Feb 2026 12:27:23 -0800" ], "DKIM-Signature": [ "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=xh6FfAQVc1J0bJjgjg0nUV71JVyCUS//4CDK0JzHLUo=; b=i+jP2GjVs0H/Q4\n\tlzc5Dx/Yn3oeATHB0vKuUwvo4fxjpkZQWZW30/nLxlqMQuga3mgNB3tsLh1a90H7Bou6a7OoOiapm\n\tf4s3AWx/13o1Xb20iZdOlzhk9hKuC1fn/D86DKL2u2nT/9k5LDg4Aqg0XEDXY+5Jp7eo5eQNScWyZ\n\tQs7MctRUdjM0z+Od4+txf/vZyKZP6kcjfNBvnT6O74kLZ39OBxQ39ayCLKW2JSqNpYvMa6MxVlwQG\n\ttueERJid822LjaYcrOa4ulNXx8vU1ffUMCQNs+MXGhIF8f4FdtRVYrrVDojDXuevIy/jKEnVnJzNS\n\tVnkwoePYkwR/xp2v1PrQ==;", "v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1771532889; x=1803068889;\n h=from:to:cc:subject:date:message-id:in-reply-to:\n references:mime-version:content-transfer-encoding;\n bh=Yauc/mUe1Uopwgr4e7h00aAVvDB85J15B2ed68LffBI=;\n b=eRRjNwCmYuGTAv5AHf9X3Pe5Rj/6XlJ0KRQft88enhUBtJHa9apsWBVy\n S6zpgoPXHWrdvc2hpmPYenSe6lLO4G+42QbwklJIwrmo1K874n75NiXqi\n pTOXj8zrRGJZ5FDc5huWLgBEry5gfUKRoJUiRnMmrmd4p8yNBClK+fGAd\n I/PUbyt/yD7ByVnD6489fpPUJrxbHbw17GHJtCmcnJzSGa5vmlO6vd4bu\n cqRg6lMf5mM3bKbjL5yDajpPQ2MYheoyNRebn2S7uh7FUmAOl5e3y3RgZ\n b8WDZzFyXEKA1gjTmjch7svcfEn+zkFp+LMp2kJqyq+OCzcUurycpiUAl\n A==;" ], "X-CSE-ConnectionGUID": [ "j6C4+NoFQ8uKAn42pY1L3Q==", "RBj70/RkQiK/3oFC1JQNGw==" ], "X-CSE-MsgGUID": [ "r4w/xCqDT1S179wmX4nX6A==", "TGaTQJnYS+Cg/Kc/H7aNmQ==" ], "X-IronPort-AV": [ "E=McAfee;i=\"6800,10657,11706\"; a=\"90040121\"", "E=Sophos;i=\"6.21,300,1763452800\";\n d=\"scan'208\";a=\"90040121\"", "E=Sophos;i=\"6.21,300,1763452800\";\n d=\"scan'208\";a=\"219153993\"" ], "X-ExtLoop1": "1", "From": "Andrei Otcheretianski <andrei.otcheretianski@intel.com>", "To": "hostap@lists.infradead.org,\n\tvamsin@qti.qualcomm.com,\n\tvganneva@qti.qualcomm.com,\n\tmaheshkkv@google.com", "Cc": "Ilan Peer <ilan.peer@intel.com>", "Subject": "[PATCH 41/58] NAN: Add handling of pre Tx security operations", "Date": "Thu, 19 Feb 2026 22:24:57 +0200", "Message-ID": "<20260219202514.5781-42-andrei.otcheretianski@intel.com>", "X-Mailer": "git-send-email 2.52.0", "In-Reply-To": "<20260219202514.5781-1-andrei.otcheretianski@intel.com>", "References": "<20260219202514.5781-1-andrei.otcheretianski@intel.com>", "MIME-Version": "1.0", "X-CRM114-Version": "20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ", "X-CRM114-CacheID": "sfid-20260219_122809_164018_F7D9247A ", "X-CRM114-Status": "GOOD ( 14.54 )", "X-Spam-Score": "-4.4 (----)", "X-Spam-Report": "Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: From: Ilan Peer <ilan.peer@intel.com> Before transmitting\n a NAF, perform needed security calculation: - Calculate MIC and set it in\n relevant NAFs. - Calculate the authentication token on relevant NAFs.\n Content analysis details: (-4.4 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,\n medium trust\n [198.175.65.10 listed in list.dnswl.org]\n 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [198.175.65.10 listed in sa-accredit.habeas.com]\n 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The\n query to Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [198.175.65.10 listed in\n sa-trusted.bondedsender.org]\n 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [198.175.65.10 listed in\n bl.score.senderscore.com]\n -0.0 SPF_PASS SPF: sender matches SPF record\n 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n author's\n domain\n -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from\n envelope-from domain\n -0.1 DKIM_VALID Message has at least one valid DKIM or DK\n signature\n 0.1 DKIM_SIGNED Message has a DKIM or DK signature,\n not necessarily valid\n -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n [score: 0.0000]\n -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender", "X-BeenThere": "hostap@lists.infradead.org", "X-Mailman-Version": "2.1.34", "Precedence": "list", "List-Id": "<hostap.lists.infradead.org>", "List-Unsubscribe": "<http://lists.infradead.org/mailman/options/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=unsubscribe>", "List-Archive": "<http://lists.infradead.org/pipermail/hostap/>", "List-Post": "<mailto:hostap@lists.infradead.org>", "List-Help": "<mailto:hostap-request@lists.infradead.org?subject=help>", "List-Subscribe": "<http://lists.infradead.org/mailman/listinfo/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=subscribe>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Sender": "\"Hostap\" <hostap-bounces@lists.infradead.org>", "Errors-To": "hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org" }, "content": "From: Ilan Peer <ilan.peer@intel.com>\n\nBefore transmitting a NAF, perform needed security calculation:\n\n- Calculate MIC and set it in relevant NAFs.\n- Calculate the authentication token on relevant NAFs.\n\nSigned-off-by: Ilan Peer <ilan.peer@intel.com>\n---\n src/nan/nan_i.h | 2 +\n src/nan/nan_sec.c | 148 ++++++++++++++++++++++++++++++++++++++++++++++\n 2 files changed, 150 insertions(+)", "diff": "diff --git a/src/nan/nan_i.h b/src/nan/nan_i.h\nindex 3a1ad24a7e..5cabd66228 100644\n--- a/src/nan/nan_i.h\n+++ b/src/nan/nan_i.h\n@@ -591,4 +591,6 @@ int nan_add_csia(struct wpabuf *buf, u8 capab, size_t cs_list_len,\n int nan_sec_add_attrs(struct nan_data *nan, struct nan_peer *peer,\n \t\t enum nan_subtype subtype, struct wpabuf *buf);\n int nan_sec_init_resp(struct nan_data *nan, struct nan_peer *peer);\n+int nan_sec_pre_tx(struct nan_data *nan, struct nan_peer *peer,\n+\t\t struct wpabuf *buf);\n #endif /* NAN_I_H */\ndiff --git a/src/nan/nan_sec.c b/src/nan/nan_sec.c\nindex a1d9cda54b..004c0ac60a 100644\n--- a/src/nan/nan_sec.c\n+++ b/src/nan/nan_sec.c\n@@ -992,3 +992,151 @@ int nan_sec_init_resp(struct nan_data *nan, struct nan_peer *peer)\n \n \treturn ret;\n }\n+\n+\n+/*\n+ * nan_sec_pre_tx - Handle security aspects before sending a NDP NAF\n+ *\n+ * @nan: NAN module context from nan_init()\n+ * @peer: Peer with whom the NDP is being established\n+ * @buf: Buffer holding the NAF body (not including the ieee80211 header)\n+ * return 0 on success, and a negative error value on failure.\n+ *\n+ * Note: The NAF content should not be altered after the function returns,\n+ * as the function might have signed the frame body, i.e., updated the MIC\n+ * field.\n+ */\n+int nan_sec_pre_tx(struct nan_data *nan, struct nan_peer *peer,\n+\t\t struct wpabuf *buf)\n+{\n+\tstruct nan_ndp_sec *ndp_sec = &peer->ndp_setup.sec;\n+\tstruct nan_attrs attrs;\n+\tstruct nan_shared_key *shared_key_desc;\n+\tstruct wpa_eapol_key *key;\n+\tu8 *data, *tmp, *mic_ptr;\n+\tsize_t len;\n+\tu8 subtype;\n+\tint ret;\n+\n+\t/* NDP establishment is not in progress */\n+\tif (!peer->ndp_setup.ndp || peer->ndp_setup.status ==\n+\t NAN_NDP_STATUS_REJECTED)\n+\t\treturn 0;\n+\n+\t/* No security configuration */\n+\tif (!ndp_sec->valid)\n+\t\treturn 0;\n+\n+\twpa_printf(MSG_DEBUG, \"NAN: SEC: NDP setup state=%u (pre Tx)\",\n+\t\t peer->ndp_setup.state);\n+\n+\tdata = wpabuf_mhead_u8(buf);\n+\tlen = wpabuf_len(buf);\n+\n+\tif (len < 7) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t \"NAN: SEC: buffer is too short=%zu (pre Tx)\", len);\n+\t\treturn -1;\n+\t}\n+\n+\t/* The subtype is in position 5. See nan_action_build_header() */\n+\tsubtype = data[6];\n+\n+\twpa_printf(MSG_DEBUG, \"NAN: SEC: subtype=0x%x (pre Tx)\", subtype);\n+\n+\tswitch (subtype) {\n+\tcase NAN_SUBTYPE_DATA_PATH_REQUEST:\n+\tcase NAN_SUBTYPE_DATA_PATH_RESPONSE:\n+\tcase NAN_SUBTYPE_DATA_PATH_CONFIRM:\n+\tcase NAN_SUBTYPE_DATA_PATH_KEY_INSTALL:\n+\t\tbreak;\n+\tdefault:\n+\t\treturn -1;\n+\t}\n+\n+\t/*\n+\t * First get a pointer to the shared key descriptor attribute and\n+\t * validate it\n+\t */\n+\tret = nan_parse_attrs(nan, data + 7, len - 7, &attrs);\n+\tif (ret)\n+\t\treturn ret;\n+\n+\tif (!attrs.shared_key_desc ||\n+\t attrs.shared_key_desc_len <\n+\t (sizeof(*shared_key_desc) + (sizeof(*key) + 2 + NAN_KEY_MIC_LEN))) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t \"NAN: SEC: Invalid shared key descriptor attribute\");\n+\t\treturn -1;\n+\t}\n+\n+\tshared_key_desc = (struct nan_shared_key *)attrs.shared_key_desc;\n+\tkey = (struct wpa_eapol_key *)shared_key_desc->key;\n+\tmic_ptr = (u8 *)(key + 1);\n+\tnan_attrs_clear(nan, &attrs);\n+\n+\tswitch (subtype) {\n+\tcase NAN_SUBTYPE_DATA_PATH_REQUEST:\n+\t\tif (peer->ndp_setup.state != NAN_NDP_STATE_START)\n+\t\t\twpa_printf(MSG_DEBUG,\n+\t\t\t\t \"NAN: SEC: request invalid state (pre Tx)\");\n+\n+\t\t/* Save the authentication token for m3 */\n+\t\tret = nan_crypto_calc_auth_token(ndp_sec->i_csid,\n+\t\t\t\t\t\t data, len,\n+\t\t\t\t\t\t ndp_sec->auth_token);\n+\t\tbreak;\n+\tcase NAN_SUBTYPE_DATA_PATH_RESPONSE:\n+\t\tif (peer->ndp_setup.state != NAN_NDP_STATE_REQ_RECV)\n+\t\t\twpa_printf(MSG_DEBUG,\n+\t\t\t\t \"NAN: SEC: pre Tx response invalid state\");\n+\n+\t\t/* Calculate MIC over the frame body */\n+\t\tret = nan_crypto_key_mic(data, len,\n+\t\t\t\t\t ndp_sec->ptk.kck,\n+\t\t\t\t\t ndp_sec->ptk.kck_len,\n+\t\t\t\t\t ndp_sec->i_csid,\n+\t\t\t\t\t mic_ptr);\n+\t\tbreak;\n+\tcase NAN_SUBTYPE_DATA_PATH_CONFIRM:\n+\t\tif (peer->ndp_setup.state != NAN_NDP_STATE_RES_RECV)\n+\t\t\twpa_printf(MSG_DEBUG,\n+\t\t\t\t \"NAN: SEC: Confirm invalid state (pre Tx)\");\n+\n+\t\t/*\n+\t\t * Calculate MIC over the frame body concatenated with\n+\t\t * authentication token\n+\t\t */\n+\t\ttmp = os_malloc(len + NAN_AUTH_TOKEN_LEN);\n+\t\tif (!tmp)\n+\t\t\treturn -1;\n+\n+\t\tos_memcpy(tmp, ndp_sec->auth_token, NAN_AUTH_TOKEN_LEN);\n+\t\tos_memcpy(tmp + NAN_AUTH_TOKEN_LEN, data, len);\n+\n+\t\tret = nan_crypto_key_mic(tmp,\n+\t\t\t\t\t len + NAN_AUTH_TOKEN_LEN,\n+\t\t\t\t\t ndp_sec->ptk.kck,\n+\t\t\t\t\t ndp_sec->ptk.kck_len,\n+\t\t\t\t\t ndp_sec->i_csid,\n+\t\t\t\t\t mic_ptr);\n+\t\tos_free(tmp);\n+\t\tbreak;\n+\tcase NAN_SUBTYPE_DATA_PATH_KEY_INSTALL:\n+\t\tif (peer->ndp_setup.state != NAN_NDP_STATE_CON_RECV)\n+\t\t\twpa_printf(MSG_DEBUG,\n+\t\t\t\t \"NAN: SEC: Key install invalid state (pre Tx)\");\n+\n+\t\t/* Calculate MIC over the frame body */\n+\t\tret = nan_crypto_key_mic(data, len,\n+\t\t\t\t\t ndp_sec->ptk.kck,\n+\t\t\t\t\t ndp_sec->ptk.kck_len,\n+\t\t\t\t\t ndp_sec->i_csid,\n+\t\t\t\t\t mic_ptr);\n+\t\tbreak;\n+\tdefault:\n+\t\treturn -1;\n+\t}\n+\n+\treturn ret;\n+}\n", "prefixes": [ "41/58" ] }