{"id":2229837,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229837/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-32-andrei.otcheretianski@intel.com/","project":{"id":22,"url":"http://patchwork.ozlabs.org/api/1.1/projects/22/?format=json","name":"HostAP Development","link_name":"hostap","list_id":"hostap.lists.infradead.org","list_email":"hostap@lists.infradead.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260428200639.40243-32-andrei.otcheretianski@intel.com>","date":"2026-04-28T20:05:32","name":"[31/97] NAN: Add an option to set GTK required for a service","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"fde135e35fffc768e59c4d323d5134eaad2778ae","submitter":{"id":62065,"url":"http://patchwork.ozlabs.org/api/1.1/people/62065/?format=json","name":"Andrei Otcheretianski","email":"andrei.otcheretianski@intel.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-32-andrei.otcheretianski@intel.com/mbox/","series":[{"id":501927,"url":"http://patchwork.ozlabs.org/api/1.1/series/501927/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/list/?series=501927","date":"2026-04-28T20:05:05","name":"NAN: Group keys support, schedule update and more","version":1,"mbox":"http://patchwork.ozlabs.org/series/501927/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229837/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229837/checks/","tags":{},"headers":{"Return-Path":"\n ","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=ISdf23ch;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=J6pCXsX0;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4s4R31yXz1xrS\n\tfor ; Wed, 29 Apr 2026 06:10:31 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wHokl-00000002FXI-0K0D;\n\tTue, 28 Apr 2026 20:09:55 +0000","from mgamail.intel.com ([198.175.65.16])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wHoix-00000002Cfh-1gkC\n\tfor hostap@lists.infradead.org;\n\tTue, 28 Apr 2026 20:08:07 +0000","from fmviesa001.fm.intel.com ([10.60.135.141])\n by orvoesa108.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 28 Apr 2026 13:08:03 -0700","from iapp347.iil.intel.com (HELO 87c02287900a.iil.intel.com)\n ([10.167.28.6])\n by smtpauth.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 28 Apr 2026 13:08:01 -0700"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=MnMe9tzSDqev3c7DFPhujCKD/oruhJbRu4rBaT0ucRg=; b=ISdf23chL/c/FC\n\t+IRBCzQl56yTzUr0SVTr10Lxtvo1/61+Q2PyA980NfjGwFcX2cv+OxFAbFB7vWFr5dBY8OKmzJgz1\n\tL3sMflOOD7Ij7jUnjIYMP2OQZMTqR2c59Agho2nMBAd3ZaI0k4nj8iWwxXflQUcXmOxdx5j+E2eSf\n\t0DjxBdeYFcU7Uesf3WAP4xnImqJDs3P/+kUdrloQBWyI0FWLrM4c7tUVTvh5dPeIf9fqnMiLZol3o\n\tKGcRmhDQT/yqztdPL/U2f4DglDJYaTa79QlLeQjumv67+s4Djv6WwlcpHEjfI7v57J6OMURB7IOKu\n\tqXua4rvDJ1C54WPwR7zA==;","v=1; a=rsa-sha256; c=relaxed/simple;\n d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n t=1777406884; x=1808942884;\n h=from:to:cc:subject:date:message-id:in-reply-to:\n references:mime-version:content-transfer-encoding;\n bh=/JaQ0+vNRxxDlvBxws1Fo7zs2jQ0Pb18rdKZPKo5Pzo=;\n b=J6pCXsX0E62vbXBnvNiTdGWorPWOyTCmBjhbek8ByRy6Zsx9tsZ1Y2Nz\n fHfb5pkezecq2dBGz9XmnYcRr/KreST96IjjwSfvxyU8fdNOjLbEHm+VO\n NPs9jmMBzH7jStwPIFqC+Qec9s5c2l/jqiUDoTwL6La7qS506VFXsXm25\n CPb/tSkhzPGhPAiDgnPcXhI5fWbh30a+xATJ+Cw1SmCsZplAJWr91fa2r\n FoU/vm86RQtwIl8qlDT3vEeQD31DaM1KoYLtCiQ1ebvEagVpRNutX1kL/\n s/esXCawz2eGWIvDHei1V6wFt3eguY6ChIlCaA+v4559mbCf2bo7Atbda\n A==;"],"X-CSE-ConnectionGUID":["/stcXgSiTJOZez0TR5Gc3w==","gKG9iKmKQCuAp/7sSsCr/w=="],"X-CSE-MsgGUID":["SoQQxzhhScWwnSMwIQ3wkA==","pQaASvdmQ/KBgNojbsgQJA=="],"X-IronPort-AV":["E=McAfee;i=\"6800,10657,11770\"; a=\"78519374\"","E=Sophos;i=\"6.23,204,1770624000\";\n d=\"scan'208\";a=\"78519374\"","E=Sophos;i=\"6.23,204,1770624000\";\n d=\"scan'208\";a=\"257610201\""],"X-ExtLoop1":"1","From":"Andrei Otcheretianski ","To":"hostap@lists.infradead.org","Cc":"vamsin@qti.qualcomm.com,\n\tmaheshkkv@google.com,\n\tAvraham Stern ","Subject":"[PATCH 31/97] NAN: Add an option to set GTK required for a service","Date":"Tue, 28 Apr 2026 23:05:32 +0300","Message-ID":"<20260428200639.40243-32-andrei.otcheretianski@intel.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","References":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","MIME-Version":"1.0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260428_130803_683243_41031E2E ","X-CRM114-Status":"GOOD ( 16.12 )","X-Spam-Score":"-4.5 (----)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam. The original\n message has been attached to this so you can view it or label\n similar future email. If you have any questions, see\n the administrator of that system for details.\n Content preview: From: Avraham Stern Add an option\n to indicate that a service requires GTK protection for group-addressed\n data\n frames transmitted and received for the service. When GTK is required, a\n cipher suite list with one of the NCS [...]\n Content analysis details: (-4.5 points, 5.0 required)\n pts rule name description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/,\n medium trust\n [198.175.65.16 listed in list.dnswl.org]\n 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record\n -0.0 SPF_PASS SPF: sender matches SPF record\n -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from\n envelope-from domain\n 0.1 DKIM_SIGNED Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID Message has at least one valid DKIM or DK\n signature\n -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from\n author's\n domain\n -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%\n [score: 0.0000]\n -0.1 DKIMWL_WL_HIGH DKIMwl.org - High trust sender","X-BeenThere":"hostap@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"Hostap\" ","Errors-To":"hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"From: Avraham Stern \n\nAdd an option to indicate that a service requires GTK protection\nfor group-addressed data frames transmitted and received for\nthe service. When GTK is required, a cipher suite list with one\nof the NCS-GTK-* shall be specified as well.\n\nSigned-off-by: Avraham Stern \n---\n src/common/nan_de.c | 5 +++++\n src/common/nan_de.h | 12 ++++++++++++\n wpa_supplicant/ctrl_iface.c | 26 ++++++++++++++++++++++++++\n 3 files changed, 43 insertions(+)","diff":"diff --git a/src/common/nan_de.c b/src/common/nan_de.c\nindex 154c7c0a00..0e2fb8a854 100644\n--- a/src/common/nan_de.c\n+++ b/src/common/nan_de.c\n@@ -84,6 +84,7 @@ struct nan_de_service {\n \tu8 srf_bf_idx;\n \tstruct wpabuf *srf;\n \tbool close_proximity;\n+\tbool gtk_required;\n \n \t/* Bootstrapping methods */\n \tu16 pbm;\n@@ -417,6 +418,8 @@ static void nan_de_tx_sdf(struct nan_de *de, struct nan_de_service *srv,\n \t\t\t\tsdea_ctrl |= NAN_SDEA_CTRL_FSD_REQ;\n \t\t\tif (srv->publish.fsd_gas)\n \t\t\t\tsdea_ctrl |= NAN_SDEA_CTRL_FSD_GAS;\n+\t\t\tif (srv->gtk_required)\n+\t\t\t\tsdea_ctrl |= NAN_SDEA_CTRL_GTK_REQ;\n \t\t}\n \n \t\tif (sdea_ctrl || ssi) {\n@@ -2122,6 +2125,7 @@ int nan_de_publish(struct nan_de *de, const char *service_name,\n \tsrv->is_pr = params->proximity_ranging && params->solicited;\n \tsrv->close_proximity = params->close_proximity;\n \tsrv->pbm = params->pbm;\n+\tsrv->gtk_required = params->gtk_required;\n \n \tnan_de_add_srv(de, srv);\n \tnan_de_run_timer(de);\n@@ -2399,6 +2403,7 @@ int nan_de_subscribe(struct nan_de *de, const char *service_name,\n \tsrv->sync = params->sync;\n \tsrv->close_proximity = params->close_proximity;\n \tsrv->pbm = params->pbm;\n+\tsrv->gtk_required = params->gtk_required;\n \n \tnan_de_add_srv(de, srv);\n \tnan_de_run_timer(de);\ndiff --git a/src/common/nan_de.h b/src/common/nan_de.h\nindex 7df4de58b6..e376725191 100644\n--- a/src/common/nan_de.h\n+++ b/src/common/nan_de.h\n@@ -166,6 +166,12 @@ struct nan_publish_params {\n \n \t/* ND-PMK to use for creating a list of PMKIDs for the service */\n \tconst u8 *nd_pmk;\n+\n+\t/*\n+\t * GTK protection required for group-addressed data frames transmitted\n+\t * and received for the service\n+\t */\n+\tbool gtk_required;\n };\n \n /* Returns -1 on failure or >0 publish_id */\n@@ -237,6 +243,12 @@ struct nan_subscribe_params {\n \t * Table 128\n \t */\n \tu16 pbm;\n+\n+\t/*\n+\t * GTK protection required for group-addressed data frames transmitted\n+\t * and received for the service\n+\t */\n+\tbool gtk_required;\n };\n \n /* Returns -1 on failure or >0 subscribe_id */\ndiff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c\nindex 1096fa228d..1ff295922f 100644\n--- a/wpa_supplicant/ctrl_iface.c\n+++ b/wpa_supplicant/ctrl_iface.c\n@@ -12767,6 +12767,20 @@ static int wpas_ctrl_ml_probe(struct wpa_supplicant *wpa_s, char *cmd)\n \n #if defined(CONFIG_NAN) || defined(CONFIG_NAN_USD)\n \n+static bool wpas_nan_gtk_cs_supported(const int *cipher_list)\n+{\n+\tsize_t i;\n+\n+\tfor (i = 0; cipher_list && cipher_list[i]; i++) {\n+\t\tif (cipher_list[i] == NAN_CS_GTK_CCMP_128 ||\n+\t\t cipher_list[i] == NAN_CS_GTK_GCMP_256)\n+\t\t\treturn true;\n+\t}\n+\n+\treturn false;\n+}\n+\n+\n static int wpas_ctrl_nan_publish(struct wpa_supplicant *wpa_s, char *cmd,\n \t\t\t\t char *buf, size_t buflen)\n {\n@@ -12922,11 +12936,23 @@ static int wpas_ctrl_nan_publish(struct wpa_supplicant *wpa_s, char *cmd,\n \t\t\tcontinue;\n \t\t}\n \n+\t\tif (os_strcmp(token, \"gtk_required=1\") == 0) {\n+\t\t\tparams.gtk_required = true;\n+\t\t\tcontinue;\n+\t\t}\n+\n \t\twpa_printf(MSG_INFO, \"CTRL: Invalid NAN_PUBLISH parameter: %s\",\n \t\t\t token);\n \t\tgoto fail;\n \t}\n \n+\tif (params.gtk_required &&\n+\t !wpas_nan_gtk_cs_supported(params.cipher_suites_list)) {\n+\t\twpa_printf(MSG_INFO,\n+\t\t\t \"CTRL: GTK required but no GTK cipher suite configured\");\n+\t\tgoto fail;\n+\t}\n+\n \tpublish_id = wpas_nan_publish(wpa_s, service_name, srv_proto_type,\n \t\t\t\t ssi, ¶ms, p2p);\n \tif (publish_id > 0)\n","prefixes":["31/97"]}