{"id":2229841,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229841/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-36-andrei.otcheretianski@intel.com/","project":{"id":22,"url":"http://patchwork.ozlabs.org/api/1.1/projects/22/?format=json","name":"HostAP Development","link_name":"hostap","list_id":"hostap.lists.infradead.org","list_email":"hostap@lists.infradead.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260428200639.40243-36-andrei.otcheretianski@intel.com>","date":"2026-04-28T20:05:36","name":"[35/97] wpa_supplicant: Add an option to set the GTK cipher suite for NDP setup","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"f97ae6acabaa3aeb53d73cab4440db4c585672ad","submitter":{"id":62065,"url":"http://patchwork.ozlabs.org/api/1.1/people/62065/?format=json","name":"Andrei Otcheretianski","email":"andrei.otcheretianski@intel.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-36-andrei.otcheretianski@intel.com/mbox/","series":[{"id":501927,"url":"http://patchwork.ozlabs.org/api/1.1/series/501927/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/list/?series=501927","date":"2026-04-28T20:05:05","name":"NAN: Group keys support, schedule update and more","version":1,"mbox":"http://patchwork.ozlabs.org/series/501927/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229841/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229841/checks/","tags":{},"headers":{"Return-Path":"\n <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=iU2GBckR;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=cG0SG4pN;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4s4y6V4yz1xrS\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 06:10:58 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wHolG-00000002GCu-1Cja;\n\tTue, 28 Apr 2026 20:10:26 +0000","from mgamail.intel.com ([198.175.65.16])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wHojF-00000002Cfh-10b9\n\tfor hostap@lists.infradead.org;\n\tTue, 28 Apr 2026 20:08:27 +0000","from fmviesa001.fm.intel.com ([10.60.135.141])\n  by orvoesa108.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 28 Apr 2026 13:08:09 -0700","from iapp347.iil.intel.com (HELO 87c02287900a.iil.intel.com)\n ([10.167.28.6])\n  by smtpauth.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 28 Apr 2026 13:08:07 -0700"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=/VIHvhhsPcuTWg9/EBlKahkuMgje734nrSufpvrP4pw=; b=iU2GBckRFz11Wu\n\tZEWtACU+4tc9Up92EpmqetI0Jnr22UJEDbhX6kZ8PqnNGyQqSMjfeXrSM4akx1CZ8HfSZ2uWs3MFY\n\t9oSROtDr5WEead6MpwREKN3fbpBQp1pbECOeJDO0nxgFXcSsP545v+6Z3BKDLPoQQtVR00az3mkTI\n\teTTqp/tqkQwCJWAo47rf+VVKWaCCqwdwUtQd0JFrzOuq/3h8ML77h8papS0wE5Fm0qsQwprKKdpgh\n\ti9T27imu9O0xMbFHtvN6J7P2QrS1fRa+DQwIkDLmAT2e+CbKtn5Ik8+UqzjdK3EGOfqkHzsk0P8NJ\n\tyix+pWTC8dyGqEkBYA1Q==;","v=1; a=rsa-sha256; c=relaxed/simple;\n  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n  t=1777406902; x=1808942902;\n  h=from:to:cc:subject:date:message-id:in-reply-to:\n   references:mime-version:content-transfer-encoding;\n  bh=04igHsqdMiLroFLOhoWGzRzcQsAd+hqP9jYq5czzs58=;\n  b=cG0SG4pNrFujGpK09RV+Xngp6pS29Y27MMk2Dg7vR9qeyCDpHXkdFIVu\n   ucgfMuV15KCe91LLja71aIeWicqJ2akyCA6aQDyWzT9XbebiwZwL3G9DN\n   0LSE+6UELME54kVoqjq4Xri0A8IkPO1Yhv4hi6TjuHSd/Pn1Q5ZcAH5vK\n   z2pz+beK4iagvFugJvpNb3Mz7FoK+C3JnHDIXd2tgKviPsnZ/m5AbGsT7\n   6zwSBpiRzkOH+cw7ScNKkEwObKUqkaJ3a/Rz4HoQ6Qi0kl2gXX2nbg8ZN\n   OL5bbCzBhlMymoqjaW0NUe/EGLaOe956PzI0QjJipibQVNTIjl+fG+07P\n   w==;"],"X-CSE-ConnectionGUID":["ux9y1NZwQa2XTvzqF5ZfZQ==","A63eZKRrRYGhqL1FjoezhA=="],"X-CSE-MsgGUID":["ajqjg5ViTAGMqj+55cnrGg==","eYiwo0iZTHaR2HZyI3kgVg=="],"X-IronPort-AV":["E=McAfee;i=\"6800,10657,11770\"; a=\"78519394\"","E=Sophos;i=\"6.23,204,1770624000\";\n   d=\"scan'208\";a=\"78519394\"","E=Sophos;i=\"6.23,204,1770624000\";\n   d=\"scan'208\";a=\"257610281\""],"X-ExtLoop1":"1","From":"Andrei Otcheretianski <andrei.otcheretianski@intel.com>","To":"hostap@lists.infradead.org","Cc":"vamsin@qti.qualcomm.com,\n\tmaheshkkv@google.com,\n\tAvraham Stern <avraham.stern@intel.com>","Subject":"[PATCH 35/97] wpa_supplicant: Add an option to set the GTK cipher\n suite for NDP setup","Date":"Tue, 28 Apr 2026 23:05:36 +0300","Message-ID":"<20260428200639.40243-36-andrei.otcheretianski@intel.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","References":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","MIME-Version":"1.0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260428_130822_609872_582860F4 ","X-CRM114-Status":"GOOD (  19.22  )","X-Spam-Score":"-4.5 (----)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  From: Avraham Stern <avraham.stern@intel.com> Add an option\n    to set the required GTK cipher suite in NDP request command. If a GTK is\n   still not configured for the NDI for which the NDP setup is requested,\n a new\n    GTK will be randomized.\n Content analysis details:   (-4.5 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,\n                             medium trust\n                             [198.175.65.16 listed in list.dnswl.org]\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.0 SPF_PASS               SPF: sender matches SPF record\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n                             domain\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                             [score: 0.0000]\n -0.1 DKIMWL_WL_HIGH         DKIMwl.org - High trust sender","X-BeenThere":"hostap@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"<hostap.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/hostap/>","List-Post":"<mailto:hostap@lists.infradead.org>","List-Help":"<mailto:hostap-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"Hostap\" <hostap-bounces@lists.infradead.org>","Errors-To":"hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"From: Avraham Stern <avraham.stern@intel.com>\n\nAdd an option to set the required GTK cipher suite in NDP request\ncommand. If a GTK is still not configured for the NDI for which the\nNDP setup is requested, a new GTK will be randomized.\n\nSigned-off-by: Avraham Stern <avraham.stern@intel.com>\n---\n wpa_supplicant/nan_supplicant.c   | 71 +++++++++++++++++++++++++++++--\n wpa_supplicant/wpa_supplicant_i.h |  2 +\n 2 files changed, 70 insertions(+), 3 deletions(-)","diff":"diff --git a/wpa_supplicant/nan_supplicant.c b/wpa_supplicant/nan_supplicant.c\nindex 3a004abd24..db876fc098 100644\n--- a/wpa_supplicant/nan_supplicant.c\n+++ b/wpa_supplicant/nan_supplicant.c\n@@ -2234,9 +2234,52 @@ static int wpas_nan_fill_nd_pmk(struct wpa_supplicant *wpa_s,\n }\n \n \n+static int wpas_nan_set_gtk(struct wpa_supplicant *ndi_wpa_s,\n+\t\t\t    struct nan_ndp_params *ndp, int gtk_csid)\n+{\n+\tif (ndi_wpa_s->ndi_gtk.gtk.gtk_len) {\n+\t\tif (ndi_wpa_s->ndi_gtk.csid != gtk_csid) {\n+\t\t\twpa_printf(MSG_DEBUG,\n+\t\t\t\t   \"NAN: NDI GTK CSID mismatch (expected %d, got %d)\",\n+\t\t\t\t   gtk_csid, ndi_wpa_s->ndi_gtk.csid);\n+\t\t\treturn -1;\n+\t\t}\n+\n+\t\tos_memcpy(&ndp->sec.gtk, &ndi_wpa_s->ndi_gtk,\n+\t\t\t  sizeof(ndp->sec.gtk));\n+\t\treturn 0;\n+\t}\n+\n+\tndp->sec.gtk.csid = gtk_csid;\n+\tif (gtk_csid == NAN_CS_GTK_GCMP_256 &&\n+\t    (ndi_wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_GCMP_256)) {\n+\t\tndp->sec.gtk.gtk.gtk_len = 32;\n+\t} else if (gtk_csid == NAN_CS_GTK_CCMP_128 &&\n+\t\t   (ndi_wpa_s->drv_enc & WPA_DRIVER_CAPA_ENC_CCMP)) {\n+\t\tndp->sec.gtk.gtk.gtk_len = 16;\n+\t} else {\n+\t\twpa_printf(MSG_DEBUG,\n+\t\t\t   \"NAN: NDI does not support GTK cipher suites\");\n+\t\treturn -1;\n+\t}\n+\n+\tif (os_get_random(ndp->sec.gtk.gtk.gtk, ndp->sec.gtk.gtk.gtk_len) < 0) {\n+\t\twpa_printf(MSG_DEBUG, \"NAN: Failed to generate GTK\");\n+\t\treturn -1;\n+\t}\n+\n+\tndp->sec.gtk.id = 1;\n+\n+\twpa_hexdump_key(MSG_DEBUG, \"NAN: Generated new GTK\",\n+\t\t\tndp->sec.gtk.gtk.gtk, ndp->sec.gtk.gtk.gtk_len);\n+\treturn 0;\n+}\n+\n+\n /* Command format NAN_NDP_REQUEST handle=<id> ndi=<ifname> peer_nmi=<nmi>\n    peer_id=<peer_instance_id> ssi=<hexdata> qos=<slots:latency>\n-   [csid = <cipher_suite> <password=<string>|pmk=<hex>>] [interface_id=<hex>]*/\n+   [csid = <cipher_suite> <password=<string>|pmk=<hex>>\n+   [gtk_csid=<cipher_suite>]] [interface_id=<hex>] */\n int wpas_nan_ndp_request(struct wpa_supplicant *wpa_s, char *cmd)\n {\n \tstruct nan_ndp_params ndp;\n@@ -2246,6 +2289,8 @@ int wpas_nan_ndp_request(struct wpa_supplicant *wpa_s, char *cmd)\n \tconst char *pwd = NULL, *pmk = NULL;\n \tint handle = -1;\n \tint ret = -1;\n+\tstruct wpa_supplicant *ndi_wpa_s = NULL;\n+\tint gtk_csid = 0;\n \n \tos_memset(&ndp, 0, sizeof(ndp));\n \n@@ -2281,8 +2326,6 @@ int wpas_nan_ndp_request(struct wpa_supplicant *wpa_s, char *cmd)\n \t\t\t\tgoto fail;\n \t\t\t}\n \t\t} else if (os_strcmp(token, \"ndi\") == 0) {\n-\t\t\tstruct wpa_supplicant *ndi_wpa_s;\n-\n \t\t\tndi_wpa_s = wpa_supplicant_get_iface(wpa_s->global,\n \t\t\t\t\t\t\t     pos);\n \t\t\tif (!ndi_wpa_s) {\n@@ -2348,6 +2391,15 @@ int wpas_nan_ndp_request(struct wpa_supplicant *wpa_s, char *cmd)\n \t\t\t\t\t   pos);\n \t\t\t\tgoto fail;\n \t\t\t}\n+\t\t} else if (os_strcmp(token, \"gtk_csid\") == 0) {\n+\t\t\tgtk_csid = atoi(pos);\n+\t\t\tif (gtk_csid != NAN_CS_GTK_CCMP_128 &&\n+\t\t\t    gtk_csid != NAN_CS_GTK_GCMP_256) {\n+\t\t\t\twpa_printf(MSG_DEBUG,\n+\t\t\t\t\t   \"NAN: Invalid GTK CSID value: %d\",\n+\t\t\t\t\t   gtk_csid);\n+\t\t\t\tgoto fail;\n+\t\t\t}\n \t\t} else {\n \t\t\twpa_printf(MSG_INFO, \"NAN: Unknown parameter: %s\",\n \t\t\t\t   token);\n@@ -2396,6 +2448,19 @@ int wpas_nan_ndp_request(struct wpa_supplicant *wpa_s, char *cmd)\n \t\tgoto fail;\n \t}\n \n+\tif (gtk_csid) {\n+\t\tif (ndp.sec.csid == NAN_CS_NONE) {\n+\t\t\twpa_printf(MSG_DEBUG,\n+\t\t\t\t   \"NAN: GTK CSID specified without a valid NDP CSID\");\n+\t\t\tgoto fail;\n+\t\t}\n+\n+\t\tif (wpas_nan_set_gtk(ndi_wpa_s, &ndp, gtk_csid) < 0) {\n+\t\t\twpa_printf(MSG_DEBUG, \"NAN: Failed to set NDP GTK\");\n+\t\t\tgoto fail;\n+\t\t}\n+\t}\n+\n \twpa_printf(MSG_DEBUG, \"NAN: Requesting NDP with peer \" MACSTR\n \t\t   \" using handle %d\", MAC2STR(ndp.ndp_id.peer_nmi),\n \t\t   ndp.u.req.publish_inst_id);\ndiff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h\nindex d68dd582fb..17a55f0db7 100644\n--- a/wpa_supplicant/wpa_supplicant_i.h\n+++ b/wpa_supplicant/wpa_supplicant_i.h\n@@ -21,6 +21,7 @@\n #include \"config_ssid.h\"\n #include \"wmm_ac.h\"\n #include \"pasn/pasn_common.h\"\n+#include \"nan/nan.h\"\n \n extern const char *const wpa_supplicant_version;\n extern const char *const wpa_supplicant_license;\n@@ -1738,6 +1739,7 @@ struct wpa_supplicant {\n \tstruct wpa_freq_range_list nan_disallowed_freqs;\n \tu16 nan_max_bw;\n \tunsigned int nan_ndi_ndp_refcount; /* Active NDP count on this NDI */\n+\tstruct nan_gtk ndi_gtk;\n #endif /* CONFIG_NAN */\n #ifdef CONFIG_ENC_ASSOC\n \tbool assoc_resp_encrypted; /* Whether (Re)Association Response frame\n","prefixes":["35/97"]}