GET /api/1.0/patches/2198446/?format=api
{ "id": 2198446, "url": "http://patchwork.ozlabs.org/api/1.0/patches/2198446/?format=api", "project": { "id": 22, "url": "http://patchwork.ozlabs.org/api/1.0/projects/22/?format=api", "name": "HostAP Development", "link_name": "hostap", "list_id": "hostap.lists.infradead.org", "list_email": "hostap@lists.infradead.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260219202514.5781-43-andrei.otcheretianski@intel.com>", "date": "2026-02-19T20:24:58", "name": "[42/58] NAN: Support security processing on NDP done", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "ab6179a38ec8821a97e8c0c267ab2765f29a50e2", "submitter": { "id": 62065, "url": "http://patchwork.ozlabs.org/api/1.0/people/62065/?format=api", "name": "Andrei Otcheretianski", "email": "andrei.otcheretianski@intel.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/hostap/patch/20260219202514.5781-43-andrei.otcheretianski@intel.com/mbox/", "series": [ { "id": 492721, "url": "http://patchwork.ozlabs.org/api/1.0/series/492721/?format=api", "date": "2026-02-19T20:24:21", "name": "NAN: Add NAN Data Path (NDP) support", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492721/mbox/" } ], "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2198446/checks/", "tags": {}, "headers": { "Return-Path": "\n <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=hXhBe87G;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n secure) header.d=infradead.org header.i=@infradead.org header.a=rsa-sha256\n header.s=desiato.20200630 header.b=EakaiEY+;\n\tdkim=fail reason=\"signature verification 
failed\" (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=NAa8fwpo;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fH4kJ2ysWz1xpY\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 20 Feb 2026 07:30:00 +1100 (AEDT)", "from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1vtAeN-0000000C0kc-2c5T;\n\tThu, 19 Feb 2026 20:29:27 +0000", "from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1vtAdN-0000000BzMD-2Dpo\n\tfor hostap@bombadil.infradead.org;\n\tThu, 19 Feb 2026 20:28:27 +0000", "from mgamail.intel.com ([198.175.65.10])\n\tby desiato.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1vtAdA-00000001pxP-0EVk\n\tfor hostap@lists.infradead.org;\n\tThu, 19 Feb 2026 20:28:22 +0000", "from orviesa004.jf.intel.com ([10.64.159.144])\n by orvoesa102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 19 Feb 2026 12:27:29 -0800", "from aotchere-mobl1.ger.corp.intel.com (HELO\n aotchere-mobl1.intel.com) ([10.245.246.171])\n by orviesa004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 19 Feb 2026 12:27:26 -0800" ], "DKIM-Signature": [ "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; 
h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=TXVu/NtzMLkH5/r1g2iUvwclZGt/c/ht5uQ8kQWmyp0=; b=hXhBe87GFNcXSv\n\tedzzEY1DZ0O7qOIxy2W36/KBofpgV4cEwPnYb+BW5/l9lITzFDJoQVM1a3+5QdSQAqinDDYomMfX5\n\tWmLSwtiVFMxllDdvZBBj8Ir/xhailgdUCLdK1F65oAY1XSvBYFhWCnj2M4WfaB7Pm57+wgB+f4rH7\n\tajCRf2rJt7iyj3wXYI0AWgEf9YtwS3CBYD1dD8wZpJREXTqZXqMexDJ2FIfG/R2oBUzgI3ROVCofY\n\tU2yeyVvWYszt97vO1N5zIC/evBPhiSVxJ9ndQ+jHhEE0ANbXygQDTWTxvbGFFE7Di20R3L9Z6SeIj\n\tJg871wJ9KK1p7jitLPSA==;", "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=infradead.org; s=desiato.20200630; h=Content-Transfer-Encoding:MIME-Version\n\t:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:\n\tContent-Type:Content-ID:Content-Description;\n\tbh=lPyutRWjABwHKezUnCwX6fqiNBctKuYObGYwXxQWkwA=; b=EakaiEY+LuSZPQZddndl96zPow\n\tsje2A8zTUnBz3Jx4ZTPLJeIVElvBdE60euns4RZMKivg3pz28hrOCRnvsVCiNsNSgYE+Rk12ntaan\n\tOPTJQdDLJw02NoA5X5MSBqUnBB7ancnAaXE1F13ttNMeeuBEeaQGZRtD8GOc5GEqOjX/SPcvIYLCD\n\tocP99GhaTGRlQf1EyB7fR9ajkXoMnOciYd9TMLTQB3c9AwRhMtPEY1XkDToVmjVDRUWvD+ZZAZcSK\n\tK8ecAg3vzZulpyg7xV7JskxDKebIA0dgiUyzHwBzWNEHlZb4YQsp6jTzwh389kpReqMFU8bs62YmD\n\tW+MKkQYw==;", "v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1771532893; x=1803068893;\n h=from:to:cc:subject:date:message-id:in-reply-to:\n references:mime-version:content-transfer-encoding;\n bh=+JUpo59QuAoZg1Hg0d8TZcneXA0izf1DsW0jRt5vZ/A=;\n b=NAa8fwpokE3TVxGmti4JFYO0nm8FxjuLTrsDH1+xAKQMdL4wfQVtN7mX\n RJ67roZbV/pMU1sgVw3DLb/UfSd/c0bY96pFHTNhXI+Bshn5bzIF14IDU\n UyRc/sMvI9BDPD8gUr2qrHFy0jxPm4969I3RGB9gi6WZplr+HIwoRp7jQ\n LO32dVXKA5SBNdbPRPM2l1wOmEIV5cqJZpxDAPZ3QpdIqjKwl4fHpvw9K\n 
h/YoPj2WwFgXg5afOJxxKrvuhpryJc8g6ImM4kuMhdJAwQnL3mDdXg2OR\n Iwg6dX+aLywQZxtV9xgj57JN9bRAO4siPohn7Bu+jbr3UbEl8CAfjH4Rr\n Q==;" ], "X-CSE-ConnectionGUID": [ "6YY24r4nTVqxskmdQ5MVJA==", "LD/bqZD9QzOF9bftDDHMZQ==" ], "X-CSE-MsgGUID": [ "Eae7PpWBSAWWrxoPGvB9rw==", "z/nYTQ84R+aoom9zNjO8qQ==" ], "X-IronPort-AV": [ "E=McAfee;i=\"6800,10657,11706\"; a=\"90040126\"", "E=Sophos;i=\"6.21,300,1763452800\";\n d=\"scan'208\";a=\"90040126\"", "E=Sophos;i=\"6.21,300,1763452800\";\n d=\"scan'208\";a=\"219154012\"" ], "X-ExtLoop1": "1", "From": "Andrei Otcheretianski <andrei.otcheretianski@intel.com>", "To": "hostap@lists.infradead.org,\n\tvamsin@qti.qualcomm.com,\n\tvganneva@qti.qualcomm.com,\n\tmaheshkkv@google.com", "Cc": "Ilan Peer <ilan.peer@intel.com>", "Subject": "[PATCH 42/58] NAN: Support security processing on NDP done", "Date": "Thu, 19 Feb 2026 22:24:58 +0200", "Message-ID": "<20260219202514.5781-43-andrei.otcheretianski@intel.com>", "X-Mailer": "git-send-email 2.52.0", "In-Reply-To": "<20260219202514.5781-1-andrei.otcheretianski@intel.com>", "References": "<20260219202514.5781-1-andrei.otcheretianski@intel.com>", "MIME-Version": "1.0", "X-CRM114-Version": "20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ", "X-CRM114-CacheID": "sfid-20260219_202820_674146_6FF42C7C ", "X-CRM114-Status": "GOOD ( 19.10 )", "X-Spam-Score": "-2.5 (--)", "X-Spam-Report": "Spam detection software,\n running on the system \"desiato.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: 
From: Ilan Peer <ilan.peer@intel.com> When a Secure\n Association\n (SA) NDP is done, keys should only be installed if the cipher suite used\n is stronger and newer than any of the cipher suites used for already\n established\n NDPs.\n Content analysis details: (-2.5 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,\n medium trust\n [198.175.65.10 listed in list.dnswl.org]\n -0.0 SPF_PASS SPF: sender matches SPF record\n 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n author's\n domain\n -0.1 DKIM_VALID Message has at least one valid DKIM or DK\n signature\n -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from\n envelope-from domain\n 0.1 DKIM_SIGNED Message has a DKIM or DK signature,\n not necessarily valid\n 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The\n query to Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [198.175.65.10 listed in\n sa-trusted.bondedsender.org]\n 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [198.175.65.10 listed in sa-accredit.habeas.com]\n 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to\n Validity was blocked. 
See\n https://knowledge.validity.com/hc/en-us/articles/20961730681243\n for more information.\n [198.175.65.10 listed in\n bl.score.senderscore.com]\n -0.0 DKIMWL_WL_HIGH DKIMwl.org - High trust sender", "X-BeenThere": "hostap@lists.infradead.org", "X-Mailman-Version": "2.1.34", "Precedence": "list", "List-Id": "<hostap.lists.infradead.org>", "List-Unsubscribe": "<http://lists.infradead.org/mailman/options/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=unsubscribe>", "List-Archive": "<http://lists.infradead.org/pipermail/hostap/>", "List-Post": "<mailto:hostap@lists.infradead.org>", "List-Help": "<mailto:hostap-request@lists.infradead.org?subject=help>", "List-Subscribe": "<http://lists.infradead.org/mailman/listinfo/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=subscribe>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Sender": "\"Hostap\" <hostap-bounces@lists.infradead.org>", "Errors-To": "hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org" }, "content": "From: Ilan Peer <ilan.peer@intel.com>\n\nWhen a Secure Association (SA) NDP is done, keys should only\nbe installed if the cipher suite used is stronger and newer\nthan any of the cipher suites used for already established\nNDPs.\n\nAs the NAN specification only allows a single key for a given\npair of initiator/responder NDIs, add logic to determine if the\nnewly established keys should be installed.\n\nSigned-off-by: Ilan Peer <ilan.peer@intel.com>\n---\n src/nan/nan.c | 18 ++++++++++++-\n src/nan/nan_i.h | 30 +++++++++++++++++++++\n src/nan/nan_sec.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++\n 3 files changed, 116 insertions(+), 1 deletion(-)", "diff": "diff --git a/src/nan/nan.c b/src/nan/nan.c\nindex 236b70457e..98cc4e94d8 100644\n--- a/src/nan/nan.c\n+++ b/src/nan/nan.c\n@@ -88,6 +88,18 @@ static void nan_ndp_setup_stop(struct nan_data *nan, struct nan_peer *peer)\n }\n \n \n+static void 
nan_peer_flush_sec(struct nan_peer_info *info)\n+{\n+\tstruct nan_peer_sec_info_entry *cur, *next;\n+\n+\tdl_list_for_each_safe(cur, next, &info->sec,\n+\t\t\t struct nan_peer_sec_info_entry, list) {\n+\t\tdl_list_del(&cur->list);\n+\t\tos_free(cur);\n+\t}\n+}\n+\n+\n static void nan_del_peer(struct nan_data *nan, struct nan_peer *peer)\n {\n \tif (!peer)\n@@ -121,8 +133,8 @@ static void nan_del_peer(struct nan_data *nan, struct nan_peer *peer)\n \tnan_peer_flush_avail(&peer->info);\n \tnan_peer_flush_dev_capa(&peer->info);\n \tnan_peer_flush_elem_container(&peer->info);\n-\n \tnan_ndl_reset(nan, peer);\n+\tnan_peer_flush_sec(&peer->info);\n \tos_free(peer);\n }\n \n@@ -989,6 +1001,7 @@ static struct nan_peer *nan_alloc_peer(struct nan_data *nan)\n \tdl_list_init(&peer->info.avail_entries);\n \tdl_list_init(&peer->info.dev_capa);\n \tdl_list_init(&peer->info.element_container);\n+\tdl_list_init(&peer->info.sec);\n \n \tdl_list_add(&nan->peer_list, &peer->list);\n \tdl_list_init(&peer->ndps);\n@@ -1201,6 +1214,9 @@ static void nan_ndp_connected(struct nan_data *nan, struct nan_peer *peer)\n \t\tparams.peer_ndi = peer->ndp_setup.ndp->init_ndi;\n \t}\n \n+\tnan_sec_ndp_store_keys(nan, peer, params.peer_ndi,\n+\t\t\t params.local_ndi);\n+\n \tnan->cfg->ndp_connected(nan->cfg->cb_ctx, ¶ms);\n \n \t/* Move the NDP to the list of tracked NDPs */\ndiff --git a/src/nan/nan_i.h b/src/nan/nan_i.h\nindex 5cabd66228..2477564322 100644\n--- a/src/nan/nan_i.h\n+++ b/src/nan/nan_i.h\n@@ -269,6 +269,31 @@ struct nan_elem_container_entry {\n \tu8 data[];\n };\n \n+/*\n+ * struct nan_peer_sec_info_entry - NAN peer security information entry\n+ *\n+ * Maintains the latest security information for an NDI pair.\n+ *\n+ * @list: used for linking in the peer security info list.\n+ * @peer_ndi: Peer NDI address.\n+ * @local_ndi: Local NDI address.\n+ * @csid: Cipher Suite ID used for the secure NAN communication\n+ * @pmk: PMK shared with the peer\n+ * @pmkid: PMKID shared with the peer\n+ 
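Review bot: In nan_peer_flush_sec() each entry is released with plain `os_free(cur);`, although struct nan_peer_sec_info_entry (added to nan_i.h by this same patch) carries the PMK and the PTK, so key material is left in freed heap memory once the peer is deleted. Clearing the entry before release avoids that, e.g. `bin_clear_free(cur, sizeof(*cur));` in place of `os_free(cur);`. The struct comment in nan_i.h could also state that entries hold key material and must be cleared when freed.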
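Review bot: The bool returned by nan_sec_ndp_store_keys() is dropped in nan_ndp_connected(), so `ndp_connected()` is invoked the same way whether the keys were stored, refused because a stronger suite is already recorded for the NDI pair, or lost to an allocation failure. If the result is meant to decide whether keys get installed, as the commit message suggests, it should reach the callback or at least be logged; a later patch in the series may do this, which is not visible here. If ignoring it is intended, a comment such as `/* Best effort: the NDP is reported even if the keys were not stored */` above the call would make that explicit. The body of nan_ndp_connected() starts and ends outside the hunk.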
* @ptk: PTK shared with the peer\n+ */\n+struct nan_peer_sec_info_entry {\n+\tstruct dl_list list;\n+\n+\tu8 peer_ndi[ETH_ALEN];\n+\tu8 local_ndi[ETH_ALEN];\n+\n+\tenum nan_cipher_suite_id csid;\n+\tu8 pmk[PMK_LEN];\n+\tu8 pmkid[PMKID_LEN];\n+\tstruct nan_ptk ptk;\n+};\n+\n /*\n * struct nan_peer_info - NAN peer information\n *\n@@ -277,6 +302,7 @@ struct nan_elem_container_entry {\n * @avail_entries: List of availability entries of the peer.\n * @dev_capa: List of device capabilities of the peer.\n * @element_container: List of element container entries of the peer.\n+ * @sec: List of security information entries of the peer.\n */\n struct nan_peer_info {\n \tstruct os_reltime last_seen;\n@@ -284,6 +310,7 @@ struct nan_peer_info {\n \tstruct dl_list avail_entries;\n \tstruct dl_list dev_capa;\n \tstruct dl_list element_container;\n+\tstruct dl_list sec;\n };\n \n /**\n@@ -593,4 +620,7 @@ int nan_sec_add_attrs(struct nan_data *nan, struct nan_peer *peer,\n int nan_sec_init_resp(struct nan_data *nan, struct nan_peer *peer);\n int nan_sec_pre_tx(struct nan_data *nan, struct nan_peer *peer,\n \t\t struct wpabuf *buf);\n+bool nan_sec_ndp_store_keys(struct nan_data *nan, struct nan_peer *peer,\n+\t\t\t const u8 *peer_ndi, const u8 *local_ndi);\n+\n #endif /* NAN_I_H */\ndiff --git a/src/nan/nan_sec.c b/src/nan/nan_sec.c\nindex 004c0ac60a..08d9852f2f 100644\n--- a/src/nan/nan_sec.c\n+++ b/src/nan/nan_sec.c\n@@ -1140,3 +1140,72 @@ int nan_sec_pre_tx(struct nan_data *nan, struct nan_peer *peer,\n \n \treturn ret;\n }\n+\n+\n+/*\n+ * nan_sec_ndp_store_keys - Store the NDP keys after successful NDP\n+ * establishment\n+ *\n+ * @nan: NAN module context from nan_init()\n+ * @peer: NAN peer for which the NDP was established\n+ * @peer_ndi: NDI address of the peer for the NDP that was just established\n+ * @local_ndi: Local NDI address for the NDP that was just established\n+ *\n+ * Returns true if keys were stored, false otherwise\n+ */\n+bool nan_sec_ndp_store_keys(struct 
nan_data *nan, struct nan_peer *peer,\n+\t\t\t const u8 *peer_ndi, const u8 *local_ndi)\n+{\n+\tstruct nan_ndp *ndp = peer->ndp_setup.ndp;\n+\tstruct nan_ndp_sec *ndp_sec = &peer->ndp_setup.sec;\n+\tstruct nan_peer_sec_info_entry *cur, *next;\n+\n+\tif (!ndp || !ndp_sec->valid || !ndp_sec->i_csid ||\n+\t peer->ndp_setup.state != NAN_NDP_STATE_DONE)\n+\t\treturn false;\n+\n+\tif (ndp_sec->i_csid != NAN_CS_SK_CCM_128 &&\n+\t ndp_sec->i_csid != NAN_CS_SK_GCM_256)\n+\t\treturn false;\n+\n+\tdl_list_for_each_safe(cur, next, &peer->info.sec,\n+\t\t\t struct nan_peer_sec_info_entry, list) {\n+\t\tif (os_memcmp(peer_ndi, cur->peer_ndi, ETH_ALEN) != 0 ||\n+\t\t os_memcmp(local_ndi, cur->local_ndi, ETH_ALEN) != 0)\n+\t\t\tcontinue;\n+\n+\t\t/*\n+\t\t * The security configuration should be updated if it is\n+\t\t * stronger than the existing one or equal in strength. Since\n+\t\t * GCM-256 is considered stronger than CCM-128, always update if\n+\t\t * it is the current one. Otherwise, update only if the previous\n+\t\t * one was CCMP-128.\n+\t\t */\n+\t\tif (ndp_sec->i_csid == NAN_CS_SK_GCM_256 ||\n+\t\t cur->csid == NAN_CS_SK_CCM_128)\n+\t\t\tgoto store;\n+\n+\t\treturn false;\n+\t}\n+\n+\tcur = os_zalloc(sizeof(*cur));\n+\tif (!cur) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t \"NAN: SEC: Failed memory allocation for security info\");\n+\t\treturn false;\n+\t}\n+\n+\tdl_list_add(&peer->info.sec, &cur->list);\n+\tos_memcpy(cur->peer_ndi, peer_ndi, ETH_ALEN);\n+\tos_memcpy(cur->local_ndi, local_ndi, ETH_ALEN);\n+\n+store:\n+\twpa_printf(MSG_DEBUG, \"NAN: SEC: Store security information\");\n+\n+\tcur->csid = ndp_sec->i_csid;\n+\tos_memcpy(cur->pmkid, ndp_sec->i_pmkid, PMKID_LEN);\n+\tos_memcpy(cur->pmk, ndp_sec->pmk, PMK_LEN);\n+\tos_memcpy(&cur->ptk, &ndp_sec->ptk, sizeof(cur->ptk));\n+\n+\treturn true;\n+}\n", "prefixes": [ "42/58" ] }
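Review bot: The downgrade refusal inside the loop (the `return false;` after the strength check) is silent, while the store path and the allocation failure both log, so a debug trace cannot show why an established secure NDP left the stored keys unchanged. A line such as `wpa_printf(MSG_DEBUG, "NAN: SEC: Keep existing security information");` before that return would cover it. The block comment says "CCMP-128" where the code compares against `NAN_CS_SK_CCM_128`; "CCM-128" would match. The loop never removes an entry, so `dl_list_for_each()` would do in place of `dl_list_for_each_safe()` and `next` could be dropped.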