{"id":2229831,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229831/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-25-andrei.otcheretianski@intel.com/","project":{"id":22,"url":"http://patchwork.ozlabs.org/api/1.1/projects/22/?format=json","name":"HostAP Development","link_name":"hostap","list_id":"hostap.lists.infradead.org","list_email":"hostap@lists.infradead.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260428200639.40243-25-andrei.otcheretianski@intel.com>","date":"2026-04-28T20:05:25","name":"[24/97] NAN: Add IGTK KDE to NDP setup messages","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"81e3f7a990d53de7e64eec6d62b041d29855212e","submitter":{"id":62065,"url":"http://patchwork.ozlabs.org/api/1.1/people/62065/?format=json","name":"Andrei Otcheretianski","email":"andrei.otcheretianski@intel.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-25-andrei.otcheretianski@intel.com/mbox/","series":[{"id":501927,"url":"http://patchwork.ozlabs.org/api/1.1/series/501927/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/list/?series=501927","date":"2026-04-28T20:05:05","name":"NAN: Group keys support, schedule update and more","version":1,"mbox":"http://patchwork.ozlabs.org/series/501927/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229831/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229831/checks/","tags":{},"headers":{"Return-Path":"\n <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=pY5B/F8T;\n\tdkim=fail reason=\"signature verification failed\" 
(2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=l81l0Gk4;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4s416jzzz1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 06:10:09 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wHokQ-00000002F61-3bhb;\n\tTue, 28 Apr 2026 20:09:35 +0000","from mgamail.intel.com ([198.175.65.16])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wHoim-00000002CcZ-1Vn3\n\tfor hostap@lists.infradead.org;\n\tTue, 28 Apr 2026 20:07:56 +0000","from fmviesa001.fm.intel.com ([10.60.135.141])\n  by orvoesa108.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 28 Apr 2026 13:07:52 -0700","from iapp347.iil.intel.com (HELO 87c02287900a.iil.intel.com)\n ([10.167.28.6])\n  by smtpauth.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 28 Apr 2026 13:07:50 -0700"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; 
h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=USr4v4ya991lyqIA0NvtUZFB3cSoiR4ubpq+u/Svrjg=; b=pY5B/F8TpW8FG3\n\tb9LvtIn3KSazQo+TUX8VV/oHGcU71XM6XXXwDO0rIz/Dhlto3bTkK/YmHf5wGi1KJ/KvDbQmL+Eo2\n\tLQHrUWdPIUzvyr15q4/fK+V4ephrRzvzqogWIOb7EH+rmFdWFhY7Y4GpH3vBkNUo85lStNM+RORgK\n\tbNS+BKm/cVqlRSnXVILfviQP/NHtdDMavta7BJjlNy+F4H3P61textWPsTPfRV5MCTk091kHYpkqg\n\tdHZcpi08PGqEelKuLU2P+7vZgpPaAbyvrvBGHcht4x2s7JULcZK0qzbIp5RctTlLnz7YUdEqXIu8a\n\t246dyn+5eEClnawStkbg==;","v=1; a=rsa-sha256; c=relaxed/simple;\n  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n  t=1777406873; x=1808942873;\n  h=from:to:cc:subject:date:message-id:in-reply-to:\n   references:mime-version:content-transfer-encoding;\n  bh=+viphBijfGq4qr4CxRsptwmyJEHXpSCcWtLrMwVFNeY=;\n  b=l81l0Gk4abilCzUQcqU7wKC/DBrUCeso+C8GhzRRW/IWCMyWBoGFZny0\n   DCLGSY3+5u1MaWD2yj2aBgA2L3huLt12KjHSczSfxIHMWi400ZvaRLj0A\n   5hCKiovyjXHBG2LDilmoezNGcnLROuDFZ/eC1NQEuaMW2Vs8A/IsF9yCT\n   ws4+7h8CFnLl9OCq+Dt756mjTnsdNE9bRNnCbJn+S7iztiSFJSFolezkk\n   mL7xb5+UJSln0ajPcCYj7PFZuEdVlPHPKyYC2BuwUOnelmzyrX/DxDph0\n   /FWy3Ft4R7Eifq5Rfu7xtK+hwZVj/J88TrZ7/i7kk/eINWBpNMsXenZMJ\n   w==;"],"X-CSE-ConnectionGUID":["RqX1tUxKTLy+aQFsejHAVQ==","Zu5/e7WaQFipP/uq1UMV4A=="],"X-CSE-MsgGUID":["j2CXElnyQjW74tIpaHRREg==","E+dl/d/5TQOnh0x0Ay4eFg=="],"X-IronPort-AV":["E=McAfee;i=\"6800,10657,11770\"; a=\"78519345\"","E=Sophos;i=\"6.23,204,1770624000\";\n   d=\"scan'208\";a=\"78519345\"","E=Sophos;i=\"6.23,204,1770624000\";\n   d=\"scan'208\";a=\"257610103\""],"X-ExtLoop1":"1","From":"Andrei Otcheretianski <andrei.otcheretianski@intel.com>","To":"hostap@lists.infradead.org","Cc":"vamsin@qti.qualcomm.com,\n\tmaheshkkv@google.com,\n\tAvraham Stern 
<avraham.stern@intel.com>","Subject":"[PATCH 24/97] NAN: Add IGTK KDE to NDP setup messages","Date":"Tue, 28 Apr 2026 23:05:25 +0300","Message-ID":"<20260428200639.40243-25-andrei.otcheretianski@intel.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","References":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","MIME-Version":"1.0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260428_130752_713553_17FF2F5A ","X-CRM114-Status":"GOOD (  22.54  )","X-Spam-Score":"-4.5 (----)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  
From: Avraham Stern <avraham.stern@intel.com> If IGTK is\n supported\n    by both peers, add the IGTK KDE to NDP setup M3 and M4 messages. The KDE\n   is put in the key data field and is encrypted with the KEK. The local IGTK\n    is randomized and installed whe [...]\n Content analysis details:   (-4.5 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,\n                             medium trust\n                             [198.175.65.16 listed in list.dnswl.org]\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.0 SPF_PASS               SPF: sender matches SPF record\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n                             domain\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                             [score: 0.0000]\n -0.1 DKIMWL_WL_HIGH         DKIMwl.org - High trust sender","X-BeenThere":"hostap@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"<hostap.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/hostap/>","List-Post":"<mailto:hostap@lists.infradead.org>","List-Help":"<mailto:hostap-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=subscribe>","Content-Type":"text/plain; 
charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"Hostap\" <hostap-bounces@lists.infradead.org>","Errors-To":"hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"From: Avraham Stern <avraham.stern@intel.com>\n\nIf IGTK is supported by both peers, add the IGTK KDE to NDP\nsetup M3 and M4 messages. The KDE is put in the key data field\nand is encrypted with the KEK.\nThe local IGTK is randomized and installed when NAN is started.\n\nSigned-off-by: Avraham Stern <avraham.stern@intel.com>\n---\n src/nan/nan.c         |  52 ++++++++++++++++++\n src/nan/nan_i.h       |   6 +++\n src/nan/nan_pairing.c |   8 ---\n src/nan/nan_sec.c     | 119 +++++++++++++++++++++++++++++++++++++-----\n src/nan/nan_util.c    |   8 +++\n 5 files changed, 173 insertions(+), 20 deletions(-)","diff":"diff --git a/src/nan/nan.c b/src/nan/nan.c\nindex 5614a7bd89..6babdf51f1 100644\n--- a/src/nan/nan.c\n+++ b/src/nan/nan.c\n@@ -189,6 +189,43 @@ void nan_deinit(struct nan_data *nan)\n }\n \n \n+static int nan_gen_igtk(struct nan_data *nan)\n+{\n+\tu8 tsc[RSN_PN_LEN];\n+\tenum wpa_alg alg;\n+\tint cipher;\n+\n+\tif (((nan->cfg->security_capab & NAN_CS_INFO_CAPA_GTK_SUPP_MASK) >>\n+\t     NAN_CS_INFO_CAPA_GTK_SUPP_POS) == NAN_CS_INFO_CAPA_GTK_SUPP_NONE)\n+\t\treturn 0;\n+\n+\tif (nan->cfg->security_capab &\n+\t    NAN_CS_INFO_CAPA_IGTK_USE_NCS_BIP_GMAC_256) {\n+\t\talg = WPA_ALG_BIP_GMAC_256;\n+\t\tcipher = WPA_CIPHER_BIP_GMAC_256;\n+\t} else {\n+\t\talg = WPA_ALG_BIP_CMAC_128;\n+\t\tcipher = WPA_CIPHER_AES_128_CMAC;\n+\t}\n+\n+\tnan->igtk.igtk_len = wpa_cipher_key_len(cipher);\n+\tnan->igtk_id = 4;\n+\tos_get_random(nan->igtk.igtk, nan->igtk.igtk_len);\n+\tos_memset(tsc, 0, sizeof(tsc));\n+\tif (nan->cfg->set_group_key(nan->cfg->cb_ctx, alg, broadcast_ether_addr,\n+\t\t\t\t    nan->igtk_id, tsc, nan->igtk.igtk,\n+\t\t\t\t    nan->igtk.igtk_len,\n+\t\t\t\t    KEY_FLAG_GROUP_TX_DEFAULT) < 0) {\n+\t\twpa_printf(MSG_DEBUG, \"NAN: Failed to install own 
IGTK\");\n+\t\treturn -1;\n+\t}\n+\n+\twpa_hexdump_key(MSG_DEBUG, \"NAN: New own IGTK\", nan->igtk.igtk,\n+\t\t\tnan->igtk.igtk_len);\n+\treturn 0;\n+}\n+\n+\n int nan_start(struct nan_data *nan, const struct nan_cluster_config *config)\n {\n \tint ret;\n@@ -207,6 +244,11 @@ int nan_start(struct nan_data *nan, const struct nan_cluster_config *config)\n \t}\n \tnan->nan_started = 1;\n \n+\tif (nan_gen_igtk(nan) < 0) {\n+\t\tnan_stop(nan);\n+\t\treturn -1;\n+\t}\n+\n \treturn 0;\n }\n \n@@ -255,6 +297,16 @@ void nan_stop(struct nan_data *nan)\n \t\treturn;\n \t}\n \n+\tif (nan->igtk.igtk_len) {\n+\t\tif (nan->cfg->set_group_key(nan->cfg->cb_ctx, WPA_ALG_NONE,\n+\t\t\t\t\t    NULL, nan->igtk_id, NULL, NULL,\n+\t\t\t\t\t    0, KEY_FLAG_GROUP))\n+\t\t\twpa_printf(MSG_DEBUG, \"NAN: Failed to clear Own IGTK\");\n+\n+\t\tnan->igtk.igtk_len = 0;\n+\t\tnan->igtk_id = 0;\n+\t}\n+\n \tnan_flush(nan);\n \tnan->cfg->stop(nan->cfg->cb_ctx);\n }\ndiff --git a/src/nan/nan_i.h b/src/nan/nan_i.h\nindex d01f720be6..5f43d5325e 100644\n--- a/src/nan/nan_i.h\n+++ b/src/nan/nan_i.h\n@@ -561,6 +561,8 @@ struct nan_peer {\n  * @nira_tag: Tag for NAN Identity Resolution attribute (NIRA)\n  * @initiator_pmksa: PMKSA cache for PASN-PMK authentication as an initiator\n  * @responder_pmksa: PMKSA cache for PASN-PMK authentication as a responder\n+ * @igtk: IGTK for NAN secure NDP\n+ * @igtk_id: Key ID of the IGTK\n  */\n struct nan_data {\n \tstruct nan_config *cfg;\n@@ -577,6 +579,9 @@ struct nan_data {\n \n \tstruct rsn_pmksa_cache *initiator_pmksa;\n \tstruct rsn_pmksa_cache *responder_pmksa;\n+\n+\tstruct wpa_igtk igtk;\n+\tu8 igtk_id;\n };\n \n struct nan_attrs_entry {\n@@ -796,6 +801,7 @@ void nan_parse_peer_dev_capa_ext(struct nan_data *nan, struct nan_peer *peer,\n int nan_configure_peer_schedule(struct nan_data *nan, struct nan_peer *peer,\n \t\t\t\tconst struct nan_schedule *local_sched);\n bool nan_is_ndpe_supported(struct nan_data *nan, struct nan_peer *peer);\n+void 
nan_add_kde_hdr(struct wpabuf *buf, u32 kde, size_t data_len);\n #ifdef CONFIG_PASN\n int nan_nira_get_tag_nonce(const struct nan_config *nan, u8 *nonce, u8 *tag);\n void nan_pairing_deinit_peer(struct nan_peer *peer);\ndiff --git a/src/nan/nan_pairing.c b/src/nan/nan_pairing.c\nindex b5608aaccd..938925eacf 100644\n--- a/src/nan/nan_pairing.c\n+++ b/src/nan/nan_pairing.c\n@@ -651,14 +651,6 @@ static void nan_pairing_done(struct nan_data *nan_data, struct nan_peer *peer)\n }\n \n \n-static void nan_add_kde_hdr(struct wpabuf *buf, u32 kde, size_t data_len)\n-{\n-\twpabuf_put_u8(buf, WLAN_EID_VENDOR_SPECIFIC);\n-\twpabuf_put_u8(buf, RSN_SELECTOR_LEN + data_len);\n-\tRSN_SELECTOR_PUT(wpabuf_put(buf, RSN_SELECTOR_LEN), kde);\n-}\n-\n-\n /**\n  * nan_nik_build_key_data - Build NAN Identity Key (NIK) key data buffer\n  * @nan_data: Pointer to NAN data structure containing configuration\ndiff --git a/src/nan/nan_sec.c b/src/nan/nan_sec.c\nindex ae41019c83..07dd47dbae 100644\n--- a/src/nan/nan_sec.c\n+++ b/src/nan/nan_sec.c\n@@ -791,6 +791,85 @@ static int nan_sec_add_m2_attrs(struct nan_data *nan, struct nan_peer *peer,\n }\n \n \n+static int nan_sec_igtk_kde(struct nan_data *nan, struct wpabuf *buf)\n+{\n+\tu8 tsc[RSN_PN_LEN];\n+\n+\tif (nan->cfg->get_seqnum(nan->cfg->cb_ctx, nan->igtk_id, tsc) < 0) {\n+\t\twpa_printf(MSG_DEBUG, \"NAN: Failed to get IGTK seqnum\");\n+\t\treturn -1;\n+\t}\n+\n+\tnan_add_kde_hdr(buf, RSN_KEY_DATA_IGTK,\n+\t\t\tWPA_IGTK_KDE_PREFIX_LEN + nan->igtk.igtk_len);\n+\twpabuf_put_le16(buf, nan->igtk_id);\n+\twpabuf_put_data(buf, tsc, RSN_PN_LEN);\n+\twpabuf_put_data(buf, nan->igtk.igtk, nan->igtk.igtk_len);\n+\treturn 0;\n+}\n+\n+\n+#define NAN_KDES_MAX_LEN\t(KDE_HDR_LEN + sizeof(struct wpa_igtk_kde))\n+\n+\n+static bool nan_sec_igtk_supported(struct nan_ndp_sec *ndp_sec)\n+{\n+\treturn ((ndp_sec->i_capab & NAN_CS_INFO_CAPA_GTK_SUPP_MASK) >>\n+\t\tNAN_CS_INFO_CAPA_GTK_SUPP_POS) !=\n+\t\tNAN_CS_INFO_CAPA_GTK_SUPP_NONE &&\n+\t       ((ndp_sec->r_capab 
& NAN_CS_INFO_CAPA_GTK_SUPP_MASK) >>\n+\t\tNAN_CS_INFO_CAPA_GTK_SUPP_POS) !=\n+\t\tNAN_CS_INFO_CAPA_GTK_SUPP_NONE;\n+}\n+\n+\n+static int nan_sec_add_kdes(struct nan_data *nan,\n+\t\t\t    struct nan_ndp_sec *ndp_sec,\n+\t\t\t    struct wpabuf *buf)\n+{\n+\tstruct wpabuf *kde_buf;\n+\tstruct wpabuf *enc_kde;\n+\tint ret = -1;\n+\n+\tif (!nan_sec_igtk_supported(ndp_sec)) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t   \"NAN: IGTK not supported for this NDP\");\n+\t\treturn 0;\n+\t}\n+\n+\tif (!ndp_sec->ptk.kek_len) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t   \"NAN: SEC: No KEK available to encrypt KDEs\");\n+\t\treturn -1;\n+\t}\n+\n+\tkde_buf = wpabuf_alloc(NAN_KDES_MAX_LEN);\n+\tif (!kde_buf) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t   \"NAN: SEC: Failed to allocate KDE buffer\");\n+\t\treturn -1;\n+\t}\n+\n+\tif (nan_sec_igtk_kde(nan, kde_buf) < 0)\n+\t\tgoto fail;\n+\n+\tenc_kde = nan_crypto_encrypt_key_data(kde_buf, ndp_sec->ptk.kek,\n+\t\t\t\t\t      ndp_sec->ptk.kek_len);\n+\tif (!enc_kde) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t   \"NAN: SEC: Failed to encrypt KDEs\");\n+\t\tgoto fail;\n+\t}\n+\n+\twpabuf_put_buf(buf, enc_kde);\n+\tret = wpabuf_len(enc_kde);\n+\twpabuf_free(enc_kde);\n+fail:\n+\twpabuf_clear_free(kde_buf);\n+\treturn ret;\n+}\n+\n+\n /*\n  * nan_sec_add_key_attrs - Add security key attributes to NAN message\n  * @nan: NAN module context from nan_init()\n@@ -808,7 +887,10 @@ static int nan_sec_add_key_attrs(struct nan_data *nan, struct nan_peer *peer,\n \tstruct nan_ndp_sec *ndp_sec = &peer->ndp_setup.sec;\n \tstruct wpa_eapol_key *key;\n \tu16 info;\n-\tsize_t key_len = sizeof(struct wpa_eapol_key) + 2;\n+\tsize_t key_len = sizeof(struct wpa_eapol_key);\n+\tu8 *key_len_pos;\n+\tint kde_len;\n+\tu8 *key_data_len_pos;\n \n \tif (NAN_CS_IS_128(ndp_sec->i_csid))\n \t\tkey_len += NAN_KEY_MIC_LEN;\n@@ -819,7 +901,7 @@ static int nan_sec_add_key_attrs(struct nan_data *nan, struct nan_peer *peer,\n \n \t/* Shared key descriptor */\n \twpabuf_put_u8(buf, 
NAN_ATTR_SHARED_KEY_DESCR);\n-\twpabuf_put_le16(buf, sizeof(struct nan_shared_key) + key_len);\n+\tkey_len_pos = wpabuf_put(buf, 2);\n \twpabuf_put_u8(buf, instance_id);\n \n \tkey = (struct wpa_eapol_key *) wpabuf_put(buf, key_len);\n@@ -827,24 +909,37 @@ static int nan_sec_add_key_attrs(struct nan_data *nan, struct nan_peer *peer,\n \n \tkey->type = NAN_KEY_DESC;\n \n-\tinfo = WPA_KEY_INFO_TYPE_AKM_DEFINED | WPA_KEY_INFO_KEY_TYPE |\n-\t\tWPA_KEY_INFO_MIC | WPA_KEY_INFO_INSTALL | WPA_KEY_INFO_SECURE;\n-\tif (is_ack)\n-\t\tinfo |= WPA_KEY_INFO_ACK;\n-\n-\tWPA_PUT_BE16(key->key_info, info);\n-\n \tos_memcpy(key->key_nonce, nonce, WPA_NONCE_LEN);\n \n \t/*\n-\t * Key length is zero (it can be deduced from the cipher suite).\n-\t * No additional data is added.\n-\t *\n \t * Copy replay counter. It was already incremented while processing m2\n \t * so no need to increment it again.\n \t */\n \tos_memcpy(key->replay_counter, ndp_sec->replaycnt,\n \t\t  sizeof(key->replay_counter));\n+\n+\t/* Add KDEs to the key data and set key length accordingly */\n+\tkey_data_len_pos = wpabuf_put(buf, 2);\n+\n+\tkde_len = nan_sec_add_kdes(nan, ndp_sec, buf);\n+\tif (kde_len < 0) {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t   \"NAN: SEC: Failed to add KDEs to m3\");\n+\t\treturn -1;\n+\t}\n+\n+\tinfo = WPA_KEY_INFO_TYPE_AKM_DEFINED | WPA_KEY_INFO_KEY_TYPE |\n+\t       WPA_KEY_INFO_MIC | WPA_KEY_INFO_INSTALL | WPA_KEY_INFO_SECURE;\n+\tif (is_ack)\n+\t\tinfo |= WPA_KEY_INFO_ACK;\n+\tif (kde_len)\n+\t\tinfo |= WPA_KEY_INFO_ENCR_KEY_DATA;\n+\n+\tWPA_PUT_BE16(key->key_info, info);\n+\n+\tWPA_PUT_LE16(key_len_pos,\n+\t\t     sizeof(struct nan_shared_key) + key_len + 2 + kde_len);\n+\tWPA_PUT_BE16(key_data_len_pos, kde_len);\n \treturn 0;\n }\n \ndiff --git a/src/nan/nan_util.c b/src/nan/nan_util.c\nindex c0bd91aae5..c8604dc5ad 100644\n--- a/src/nan/nan_util.c\n+++ b/src/nan/nan_util.c\n@@ -1972,3 +1972,11 @@ bool nan_peer_schedule_intersects(struct nan_data *nan,\n \n \treturn false;\n 
}\n+\n+\n+void nan_add_kde_hdr(struct wpabuf *buf, u32 kde, size_t data_len)\n+{\n+\twpabuf_put_u8(buf, WLAN_EID_VENDOR_SPECIFIC);\n+\twpabuf_put_u8(buf, RSN_SELECTOR_LEN + data_len);\n+\tRSN_SELECTOR_PUT(wpabuf_put(buf, RSN_SELECTOR_LEN), kde);\n+}\n","prefixes":["24/97"]}
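Review bot: in nan_gen_igtk() (src/nan/nan.c) the return value of os_get_random(nan->igtk.igtk, nan->igtk.igtk_len) is ignored, so a failed random read would install, and later distribute in M3/M4, whatever bytes happened to be in nan->igtk.igtk. Check the result and return -1 before calling set_group_key() when it fails. Also, nan->igtk.igtk_len is set before set_group_key() has succeeded, so the nan_stop() that nan_start() calls on failure will try to clear a key that was never installed; set the length only after the install succeeds, or reset it to 0 on the error path.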
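Review bot: the nan_stop() hunk in src/nan/nan.c resets nan->igtk.igtk_len and nan->igtk_id but leaves the key bytes in nan->igtk.igtk, so the IGTK stays in memory after NAN is stopped. Wipe the whole structure, for example with forced_memzero(&nan->igtk, sizeof(nan->igtk)), instead of only zeroing the length. The failure test here is a bare if (...) while nan_gen_igtk() tests < 0 on the same set_group_key() callback; use one form for both.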
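Review bot: nan_sec_add_kdes() in src/nan/nan_sec.c appends the encrypted key data with wpabuf_put_buf(buf, enc_kde) without checking the tailroom of buf, and no hunk in this patch changes how the caller sizes that buffer. Compare wpabuf_tailroom(buf) with wpabuf_len(enc_kde) and fail cleanly when it does not fit, or state in the commit message where the allocation already accounts for the key data. nan_sec_igtk_kde() should also refuse to build the KDE when nan->igtk.igtk_len is 0, so that an empty key is never sent if the local IGTK was not generated.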
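Review bot: in nan_sec_add_key_attrs() (src/nan/nan_sec.c) the error path logs "NAN: SEC: Failed to add KDEs to m3", but the commit message says the KDE goes into both M3 and M4 and the function branches on is_ack, so the message is wrong for one of the two cases; drop the message number or derive it from is_ack. The name key_len_pos is misleading as well: it marks the Shared Key Descriptor attribute length field, not a key length, and the comment "set key length accordingly" actually refers to the key data length. Renaming it (for example attr_len_pos) and naming the key data length field in the comment would make the two deferred length writes at the end of the function easier to audit.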
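Review bot: nan_add_kde_hdr() in src/nan/nan_util.c, now exported through nan_i.h, writes RSN_SELECTOR_LEN + data_len with wpabuf_put_u8(), so any data_len above 255 - RSN_SELECTOR_LEN is silently truncated and the KDE length octet no longer matches the payload that follows. Now that the helper has callers in more than one file, make it return an error (or at least log and bail out) when the sum does not fit in one octet, and give it a function comment in the style used for nan_nik_build_key_data() that documents the kde and data_len parameters.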