{"id":2229845,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229845/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-39-andrei.otcheretianski@intel.com/","project":{"id":22,"url":"http://patchwork.ozlabs.org/api/1.1/projects/22/?format=json","name":"HostAP Development","link_name":"hostap","list_id":"hostap.lists.infradead.org","list_email":"hostap@lists.infradead.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260428200639.40243-39-andrei.otcheretianski@intel.com>","date":"2026-04-28T20:05:39","name":"[38/97] NAN: Parse the GTK KDE from key data","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"4c78e0bfdb4cf28cca38b4f9983e453e56fb571f","submitter":{"id":62065,"url":"http://patchwork.ozlabs.org/api/1.1/people/62065/?format=json","name":"Andrei Otcheretianski","email":"andrei.otcheretianski@intel.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-39-andrei.otcheretianski@intel.com/mbox/","series":[{"id":501927,"url":"http://patchwork.ozlabs.org/api/1.1/series/501927/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/list/?series=501927","date":"2026-04-28T20:05:05","name":"NAN: Group keys support, schedule update and more","version":1,"mbox":"http://patchwork.ozlabs.org/series/501927/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229845/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229845/checks/","tags":{},"headers":{"Return-Path":"\n <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=zI6OGkXr;\n\tdkim=fail reason=\"signature verification failed\" 
(2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=ZNpth4KI;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"From":"Andrei Otcheretianski <andrei.otcheretianski@intel.com>","To":"hostap@lists.infradead.org","Cc":"vamsin@qti.qualcomm.com,\n\tmaheshkkv@google.com,\n\tAvraham Stern <avraham.stern@intel.com>","Subject":"[PATCH 38/97] NAN: Parse the GTK KDE from key data","Date":"Tue, 28 Apr 2026 23:05:39 +0300","Message-ID":"<20260428200639.40243-39-andrei.otcheretianski@intel.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","References":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","MIME-Version":"1.0","List-Id":"<hostap.lists.infradead.org>","Content-Type":"text/plain; 
charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"Hostap\" <hostap-bounces@lists.infradead.org>","Errors-To":"hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"From: Avraham Stern <avraham.stern@intel.com>\n\nWhen a GTK is required for the NDP, parse the GTK KDE from the key\ndata field and save the GTK, its key ID and RSC in the NDP setup\ndata. The GTK will be installed for the NDI station when the NDP is\nestablished.\n\nSigned-off-by: Avraham Stern <avraham.stern@intel.com>\n---\n src/nan/nan_i.h   |  4 ++++\n src/nan/nan_sec.c | 48 +++++++++++++++++++++++++++++++++++++++++++----\n 2 files changed, 48 insertions(+), 4 deletions(-)","diff":"diff --git a/src/nan/nan_i.h b/src/nan/nan_i.h\nindex 1d6956986b..772971ba84 100644\n--- a/src/nan/nan_i.h\n+++ b/src/nan/nan_i.h\n@@ -66,6 +66,8 @@ struct nan_ptk {\n  * @pmk: PMK used for the secure NDP establishment\n  * @ptk: Derived PTK\n  * @local_gtk: Group Temporal Key information of the local NDI\n+ * @peer_gtk: Group Temporal Key information of the peer NDI\n+ * @peer_gtk_rsc: Receive sequence counter of the peer NDI GTK\n  */\n struct nan_ndp_sec {\n \tbool present;\n@@ -94,6 +96,8 @@ struct nan_ndp_sec {\n \tstruct nan_ptk ptk;\n \n \tstruct nan_gtk local_gtk;\n+\tstruct nan_gtk peer_gtk;\n+\tu8 peer_gtk_rsc[WPA_KEY_RSC_LEN];\n };\n \n /*\ndiff --git a/src/nan/nan_sec.c b/src/nan/nan_sec.c\nindex 68310c94f1..dc65610bdf 100644\n--- a/src/nan/nan_sec.c\n+++ b/src/nan/nan_sec.c\n@@ -435,9 +435,10 @@ static int nan_sec_rx_key_data(struct nan_data *nan,\n \tenum wpa_alg alg;\n \n \tif (((peer_capab & NAN_CS_INFO_CAPA_GTK_SUPP_MASK) >>\n-\t     NAN_CS_INFO_CAPA_GTK_SUPP_POS) == NAN_CS_INFO_CAPA_GTK_SUPP_NONE) {\n+\t     NAN_CS_INFO_CAPA_GTK_SUPP_POS) == NAN_CS_INFO_CAPA_GTK_SUPP_NONE &&\n+\t    ndp_sec->peer_gtk.csid == NAN_CS_NONE) {\n \t\twpa_printf(MSG_DEBUG,\n-\t\t\t   \"NAN: SEC: Peer does not support IGTK/BIGTK, ignore key data\");\n+\t\t\t   \"NAN: SEC: Peer does not 
support GTK/IGTK/BIGTK, ignore key data\");\n \t\treturn 0;\n \t}\n \n@@ -538,6 +539,38 @@ static int nan_sec_rx_key_data(struct nan_data *nan,\n \t\t\t\tbigtk_kde->bigtk, key_len);\n \t}\n \n+\tif (ie.gtk && ie.gtk_len) {\n+\t\tstruct wpa_gtk_kde *gtk_kde =\n+\t\t\t(struct wpa_gtk_kde *)ie.gtk;\n+\t\tint gtk_cipher = ndp_sec->peer_gtk.csid == NAN_CS_GTK_GCMP_256 ?\n+\t\t\tWPA_CIPHER_GCMP_256 : WPA_CIPHER_CCMP;\n+\t\tsize_t gtk_len = wpa_cipher_key_len(gtk_cipher);\n+\n+\t\tif (ie.gtk_len != WPA_GTK_KDE_PREFIX_LEN + gtk_len) {\n+\t\t\twpa_printf(MSG_DEBUG,\n+\t\t\t\t   \"NAN: SEC: Invalid GTK KDE length: %zu (expected %zu)\",\n+\t\t\t\t   ie.gtk_len,\n+\t\t\t\t   WPA_GTK_KDE_PREFIX_LEN + gtk_len);\n+\t\t\tgoto fail;\n+\t\t}\n+\n+\t\t/* GTK key ID must be 1 or 2, see Wi-Fi Aware Specification v4.0,\n+\t\t * section 7.1.3.2\n+\t\t */\n+\t\tif (gtk_kde->keyid < 1 || gtk_kde->keyid > 2) {\n+\t\t\twpa_printf(MSG_DEBUG,\n+\t\t\t\t   \"NAN: SEC: Invalid GTK key index: %u\",\n+\t\t\t\t   gtk_kde->keyid);\n+\t\t\tgoto fail;\n+\t\t}\n+\n+\t\tndp_sec->peer_gtk.id = gtk_kde->keyid;\n+\t\tos_memcpy(ndp_sec->peer_gtk.gtk.gtk, gtk_kde->gtk, gtk_len);\n+\t\tndp_sec->peer_gtk.gtk.gtk_len = gtk_len;\n+\t\twpa_hexdump_key(MSG_DEBUG, \"NAN: SEC: Received GTK\",\n+\t\t\t\tgtk_kde->gtk, gtk_len);\n+\t}\n+\n \tret = 0;\n fail:\n \twpabuf_clear_free(key_data);\n@@ -562,7 +595,7 @@ int nan_sec_rx(struct nan_data *nan, struct nan_peer *peer,\n \tsize_t shared_key_desc_len;\n \tu16 info, desc, key_data_len;\n \tsize_t total_len;\n-\tu8 instance_id, cipher, capab, gtk_csid;\n+\tu8 instance_id, cipher, capab, gtk_csid = NAN_CS_NONE;\n \tu8 *pos;\n \tint ret;\n \n@@ -661,7 +694,6 @@ int nan_sec_rx(struct nan_data *nan, struct nan_peer *peer,\n \t * be ignored:\n \t * key->len: as the key length is derived from the cipher suite.\n \t * key->iv: not needed for AES Key WRAP\n-\t * key->rsc: to avoid implicit assumption of a single GTK.\n \t */\n \tif (key->type != NAN_KEY_DESC) {\n 
\t\twpa_printf(MSG_DEBUG,\n@@ -701,6 +733,14 @@ int nan_sec_rx(struct nan_data *nan, struct nan_peer *peer,\n \t\treturn -1;\n \t}\n \n+\tif (gtk_csid != NAN_CS_NONE) {\n+\t\twpa_printf(MSG_DEBUG, \"NAN: SEC: Peer GTK CSID=%u\", gtk_csid);\n+\n+\t\tos_memcpy(ndp_sec->peer_gtk_rsc, key->key_rsc,\n+\t\t\t  sizeof(key->key_rsc));\n+\t\tndp_sec->peer_gtk.csid = gtk_csid;\n+\t}\n+\n \tswitch (msg->oui_subtype) {\n \tcase NAN_SUBTYPE_DATA_PATH_REQUEST:\n \t\tif (!(info & WPA_KEY_INFO_ACK))\n","prefixes":["38/97"]}
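
Review bot: In the GTK KDE block added to nan_sec_rx_key_data() (src/nan/nan_sec.c, hunk @@ -538,6 +539,38 @@), the cipher selection maps every value of ndp_sec->peer_gtk.csid other than NAN_CS_GTK_GCMP_256 to WPA_CIPHER_CCMP, including NAN_CS_NONE. The early return at the top of the function is only taken when the peer capability is NAN_CS_INFO_CAPA_GTK_SUPP_NONE and the CSID is NAN_CS_NONE, so a peer that advertises group key support but sent no GTK CSID can still get a 16-byte GTK stored from its key data. Suggest checking the CSID explicitly before computing gtk_len and ignoring or failing on NAN_CS_NONE and unknown values. The reverse case is also not handled: when peer_gtk.csid is set but ie.gtk is absent, the function still reaches "ret = 0"; if the GTK is required for the NDP, as the commit message says, that path should probably go to fail.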
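
Review bot: In the block added before "switch (msg->oui_subtype)" in nan_sec_rx() (src/nan/nan_sec.c, hunk @@ -701,6 +733,14 @@), os_memcpy() takes its length from the source, sizeof(key->key_rsc), while the destination is declared in nan_i.h as "u8 peer_gtk_rsc[WPA_KEY_RSC_LEN]". Suggest sizing the copy by sizeof(ndp_sec->peer_gtk_rsc), or adding a compile-time check that the two sizes match, so a later change to either field cannot turn this into an out-of-bounds write. In the visible lines ndp_sec->peer_gtk.csid is also only ever set here and never reset to NAN_CS_NONE when a later frame carries no GTK CSID, and the relaxed condition in nan_sec_rx_key_data() now depends on that field; either clear it per exchange or add a comment saying the value is meant to persist across messages.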