{"id":2229850,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229850/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-44-andrei.otcheretianski@intel.com/","project":{"id":22,"url":"http://patchwork.ozlabs.org/api/1.1/projects/22/?format=json","name":"HostAP Development","link_name":"hostap","list_id":"hostap.lists.infradead.org","list_email":"hostap@lists.infradead.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260428200639.40243-44-andrei.otcheretianski@intel.com>","date":"2026-04-28T20:05:44","name":"[43/97] wpa_supplicant: Install/remove group keys on NDI interface","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"16f68ade9ca4e2e277c826d0d4fdc4bbc439198d","submitter":{"id":62065,"url":"http://patchwork.ozlabs.org/api/1.1/people/62065/?format=json","name":"Andrei Otcheretianski","email":"andrei.otcheretianski@intel.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/hostap/patch/20260428200639.40243-44-andrei.otcheretianski@intel.com/mbox/","series":[{"id":501927,"url":"http://patchwork.ozlabs.org/api/1.1/series/501927/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/list/?series=501927","date":"2026-04-28T20:05:05","name":"NAN: Group keys support, schedule update and more","version":1,"mbox":"http://patchwork.ozlabs.org/series/501927/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229850/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229850/checks/","tags":{},"headers":{"Return-Path":"\n <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=jCCjK4J6;\n\tdkim=fail reason=\"signature 
verification failed\" (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=Sb19NHeN;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4s5w1j5Zz1xrS\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 06:11:48 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wHom5-00000002HIn-3JhN;\n\tTue, 28 Apr 2026 20:11:17 +0000","from mgamail.intel.com ([198.175.65.16])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wHojm-00000002Cfh-0eFo\n\tfor hostap@lists.infradead.org;\n\tTue, 28 Apr 2026 20:09:01 +0000","from fmviesa001.fm.intel.com ([10.60.135.141])\n  by orvoesa108.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 28 Apr 2026 13:08:22 -0700","from iapp347.iil.intel.com (HELO 87c02287900a.iil.intel.com)\n ([10.167.28.6])\n  by smtpauth.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 28 Apr 2026 13:08:20 -0700"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; 
h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=GLQjqjciq6x/HSd0/Fsy661RIN8Q1HmRqXi2Qa7loTg=; b=jCCjK4J6KtdUIQ\n\tHo7+YFJuBFWa9mA3nYoApX2z44+4FAxiA5CkHl1751/B96pyr7bl2Z7lWC6OHeiUe8sAZI5XJ/W7p\n\tEl99owCOq6/ZJwKF6KhLnmPfUgDfwVChS9QqXK+thcoUvFezwLM3/MfcjC/QNcx/Cl410DyuvaN4S\n\tK5GkzFNlgTTk0fWcrAmM80nZMh9vBVyhzj/vVPcYNw1SEU7xkcFEFho4IkM+ZRq2oMYw9xksOXTBP\n\t2Dz7S9eUbIfZ4Y1O4i2oDBvfl15dPD+wxQ75c/wDlAFmuk+CAHdy2lZo+ABKS96GvFcqiAgb6x3WB\n\t/X9DCZNli4BUtd7He4Zw==;","v=1; a=rsa-sha256; c=relaxed/simple;\n  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n  t=1777406934; x=1808942934;\n  h=from:to:cc:subject:date:message-id:in-reply-to:\n   references:mime-version:content-transfer-encoding;\n  bh=sH3YqFktsLkZg9V5UweyrpCimdCzC1Cv9e3nAA0/J2U=;\n  b=Sb19NHeNmooyfU0j/MVsfImnipud05g8stJIXm57ZD0mdzAtv5fVtRJW\n   8ivDqT4K4NYIWBPQAW37+CZ1aiDs70xE7g27cfS0i2zXaYeSjPBZyFd8+\n   0paMkspv2s4e+2T/xD9u19iVFyQtX1xpelA6qr9+xNbEkljYBaqmw9eI8\n   FMV1UpCsJnacVEJMbVGu3pSNaKyfrhwYuqUoIfkrgi1HtgptED9sz/LL7\n   pzbp2O8qJt+BM7l5aZJ3PDgVQVbX/xdOEkC0fTRO86Aj6u3rJDj5bj15M\n   +Jc/Wh+HkMlreXUTXiGJcrNi0IrcUPnZ8M1gF3aU3kZmj0XM5iluH9KLG\n   w==;"],"X-CSE-ConnectionGUID":["hyDq5tGKSGOeJm+XJVJUvw==","U/4awJz8TDeUUaVswrGz3w=="],"X-CSE-MsgGUID":["LldIlrl0SQGsfaby2d5A3g==","hCnS9BqtRoWsdmykI3yVag=="],"X-IronPort-AV":["E=McAfee;i=\"6800,10657,11770\"; a=\"78519420\"","E=Sophos;i=\"6.23,204,1770624000\";\n   d=\"scan'208\";a=\"78519420\"","E=Sophos;i=\"6.23,204,1770624000\";\n   d=\"scan'208\";a=\"257610440\""],"X-ExtLoop1":"1","From":"Andrei Otcheretianski <andrei.otcheretianski@intel.com>","To":"hostap@lists.infradead.org","Cc":"vamsin@qti.qualcomm.com,\n\tmaheshkkv@google.com,\n\tAvraham Stern 
<avraham.stern@intel.com>","Subject":"[PATCH 43/97] wpa_supplicant: Install/remove group keys on NDI\n interface","Date":"Tue, 28 Apr 2026 23:05:44 +0300","Message-ID":"<20260428200639.40243-44-andrei.otcheretianski@intel.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","References":"<20260428200639.40243-1-andrei.otcheretianski@intel.com>","MIME-Version":"1.0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260428_130854_317263_E39C3E38 ","X-CRM114-Status":"GOOD (  17.87  )","X-Spam-Score":"-4.5 (----)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  
From: Avraham Stern <avraham.stern@intel.com> When a NDP\n that\n    requires GTK is connected,\n install the peer's GTK on the NDI interface. The\n    peer's GTK is removed when the NDP with this peer is terminated and there\n    are no other NDPs that use the GTK [...]\n Content analysis details:   (-4.5 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,\n                             medium trust\n                             [198.175.65.16 listed in list.dnswl.org]\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.0 SPF_PASS               SPF: sender matches SPF record\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n                             domain\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                             [score: 0.0000]\n -0.1 DKIMWL_WL_HIGH         DKIMwl.org - High trust sender","X-BeenThere":"hostap@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"<hostap.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/hostap/>","List-Post":"<mailto:hostap@lists.infradead.org>","List-Help":"<mailto:hostap-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/hostap>,\n 
<mailto:hostap-request@lists.infradead.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"Hostap\" <hostap-bounces@lists.infradead.org>","Errors-To":"hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"From: Avraham Stern <avraham.stern@intel.com>\n\nWhen a NDP that requires GTK is connected, install the peer's GTK on\nthe NDI interface. The peer's GTK is removed when the NDP with\nthis peer is terminated and there are no other NDPs that use the GTK.\nThe local GTK is removed when there are no more NDPs on this NDI.\n\nSigned-off-by: Avraham Stern <avraham.stern@intel.com>\n---\n wpa_supplicant/nan_supplicant.c | 130 +++++++++++++++++++++++++++++++-\n 1 file changed, 126 insertions(+), 4 deletions(-)","diff":"diff --git a/wpa_supplicant/nan_supplicant.c b/wpa_supplicant/nan_supplicant.c\nindex daaf19f78d..684e52596c 100644\n--- a/wpa_supplicant/nan_supplicant.c\n+++ b/wpa_supplicant/nan_supplicant.c\n@@ -397,6 +397,32 @@ static int wpas_nan_remove_ndi_keys(struct wpa_supplicant *wpa_s,\n }\n \n \n+static int wpas_nan_remove_ndi_gtk(struct wpa_supplicant *wpa_s, int key_id,\n+\t\t\t\t   const u8 *ndi_addr)\n+{\n+\treturn wpa_drv_set_key(wpa_s, -1, WPA_ALG_NONE, ndi_addr, key_id, 0,\n+\t\t\t       NULL, 0, NULL, 0, KEY_FLAG_GROUP);\n+}\n+\n+\n+static int wpas_nan_remove_ndi_local_gtk(struct wpa_supplicant *wpa_s)\n+{\n+\tif (!wpa_s->ndi_gtk.gtk.gtk_len)\n+\t\treturn 0;\n+\n+\tif (wpa_drv_set_key(wpa_s, -1, WPA_ALG_NONE, broadcast_ether_addr,\n+\t\t\t    wpa_s->ndi_gtk.id, 0, NULL, 0, NULL, 0,\n+\t\t\t    KEY_FLAG_GROUP_TX_DEFAULT)) {\n+\t\twpa_printf(MSG_ERROR, \"NAN: Failed to remove NDI group TX key\");\n+\t\treturn -1;\n+\t}\n+\n+\twpa_s->ndi_gtk.id = 0;\n+\tos_memset(&wpa_s->ndi_gtk, 0, sizeof(wpa_s->ndi_gtk));\n+\treturn 0;\n+}\n+\n+\n static struct wpa_supplicant *\n wpas_nan_get_ndi_iface(struct wpa_supplicant *wpa_s, const u8 *ndi_addr)\n {\n@@ -449,6 +475,86 @@ 
static int wpas_nan_configure_nmi_sta_capa(struct wpa_supplicant *wpa_s,\n }\n \n \n+static int wpas_nan_csid_to_wpa_alg(enum nan_cipher_suite_id csid,\n+\t\t\t\t    enum wpa_alg *alg)\n+{\n+\tswitch (csid) {\n+\tcase NAN_CS_NONE:\n+\t\t*alg = WPA_ALG_NONE;\n+\t\tbreak;\n+\tcase NAN_CS_SK_CCM_128:\n+\tcase NAN_CS_GTK_CCMP_128:\n+\t\t*alg = WPA_ALG_CCMP;\n+\t\tbreak;\n+\tcase NAN_CS_SK_GCM_256:\n+\tcase NAN_CS_GTK_GCMP_256:\n+\t\t*alg = WPA_ALG_GCMP_256;\n+\t\tbreak;\n+\tdefault:\n+\t\twpa_printf(MSG_ERROR, \"NAN: Unsupported CSID %d\",\n+\t\t\t   csid);\n+\t\treturn -1;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+\n+static int wpas_nan_set_ndi_group_keys(struct wpa_supplicant *wpa_s,\n+\t\t\t\t       struct nan_ndp_connection_params *params)\n+{\n+\tenum wpa_alg alg;\n+\n+\t/* Install the local GTK only if not already installed */\n+\tif (!wpa_s->ndi_gtk.id && params->local_gtk && params->local_gtk->id) {\n+\t\tu8 rsc[RSN_PN_LEN];\n+\n+\t\tif (wpas_nan_csid_to_wpa_alg(params->local_gtk->csid, &alg)) {\n+\t\t\twpa_printf(MSG_ERROR,\n+\t\t\t\t   \"NAN: Unsupported CSID %u for local GTK\",\n+\t\t\t\t   params->local_gtk->csid);\n+\t\t\treturn -1;\n+\t\t}\n+\n+\t\tos_memset(rsc, 0, sizeof(rsc));\n+\t\tif (wpa_drv_set_key(wpa_s, -1, alg, broadcast_ether_addr,\n+\t\t\t\t    params->local_gtk->id, 0, rsc, sizeof(rsc),\n+\t\t\t\t    params->local_gtk->gtk.gtk,\n+\t\t\t\t    params->local_gtk->gtk.gtk_len,\n+\t\t\t\t    KEY_FLAG_GROUP_TX_DEFAULT)) {\n+\t\t\twpa_printf(MSG_ERROR,\n+\t\t\t\t   \"NAN: Failed to set local GTK for NDI\");\n+\t\t\treturn -1;\n+\t\t}\n+\n+\t\tos_memcpy(&wpa_s->ndi_gtk, params->local_gtk,\n+\t\t\t  sizeof(wpa_s->ndi_gtk));\n+\t}\n+\n+\tif (params->peer_gtk && params->peer_gtk->id) {\n+\t\tif (wpas_nan_csid_to_wpa_alg(params->peer_gtk->csid, &alg)) {\n+\t\t\twpa_printf(MSG_ERROR,\n+\t\t\t\t   \"NAN: Unsupported CSID %u for peer GTK\",\n+\t\t\t\t   params->peer_gtk->csid);\n+\t\t\treturn -1;\n+\t\t}\n+\n+\t\tif (wpa_drv_set_key(wpa_s, -1, alg, 
params->peer_ndi,\n+\t\t\t\t    params->peer_gtk->id, 0,\n+\t\t\t\t    params->peer_gtk_rsc, RSN_PN_LEN,\n+\t\t\t\t    params->peer_gtk->gtk.gtk,\n+\t\t\t\t    params->peer_gtk->gtk.gtk_len,\n+\t\t\t\t    KEY_FLAG_GROUP_RX)) {\n+\t\t\twpa_printf(MSG_ERROR,\n+\t\t\t\t   \"NAN: Failed to set peer GTK for NDI\");\n+\t\t\treturn -1;\n+\t\t}\n+\t}\n+\n+\treturn 0;\n+}\n+\n+\n static int wpas_nan_add_ndi_sta(struct wpa_supplicant *wpa_s,\n \t\t\t\tstruct nan_ndp_connection_params *params)\n {\n@@ -539,11 +645,21 @@ static int wpas_nan_add_ndi_sta(struct wpa_supplicant *wpa_s,\n \t}\n \tforced_memzero(tk, tk_len);\n \n+\tif (wpas_nan_set_ndi_group_keys(ndi_wpa_s, params)) {\n+\t\twpa_printf(MSG_ERROR,\n+\t\t\t   \"NAN: Failed to set NDI group keys for peer \"\n+\t\t\t   MACSTR, MAC2STR(peer_ndi));\n+\t\twpas_nan_remove_ndi_keys(ndi_wpa_s, peer_ndi);\n+\t\tgoto remove_sta;\n+\t}\n+\n \tif (wpa_drv_sta_set_flags(ndi_wpa_s, peer_ndi, WPA_STA_AUTHORIZED,\n \t\t\t\t  WPA_STA_AUTHORIZED, ~0)) {\n \t\twpa_printf(MSG_INFO,\n \t\t\t   \"NAN: Failed to set authorize for NDI station\");\n \t\twpas_nan_remove_ndi_keys(ndi_wpa_s, peer_ndi);\n+\t\twpas_nan_remove_ndi_gtk(ndi_wpa_s, params->peer_gtk->id,\n+\t\t\t\t\tpeer_ndi);\n \t\tgoto remove_sta;\n \t}\n \n@@ -572,7 +688,7 @@ remove_sta:\n static void wpas_nan_remove_ndi_sta(struct wpa_supplicant *wpa_s,\n \t\t\t\t    const u8 *local_ndi,\n \t\t\t\t    const u8 *peer_ndi,\n-\t\t\t\t    bool remove_sta)\n+\t\t\t\t    bool remove_sta, int gtk_id)\n {\n \tstruct wpa_supplicant *ndi_wpa_s;\n \n@@ -602,12 +718,18 @@ static void wpas_nan_remove_ndi_sta(struct wpa_supplicant *wpa_s,\n \t\t\t\t   \"NAN: Failed to clear authorized flag for NDI station\");\n \n \t\twpas_nan_remove_ndi_keys(ndi_wpa_s, peer_ndi);\n+\t\tif (gtk_id)\n+\t\t\twpas_nan_remove_ndi_gtk(ndi_wpa_s, gtk_id, peer_ndi);\n \t\twpa_drv_sta_remove(ndi_wpa_s, peer_ndi);\n \t}\n \n-\t/* Set operstate DORMANT only when last NDP is removed from this NDI */\n-\tif 
(!ndi_wpa_s->nan_ndi_ndp_refcount)\n+\t/* Remove the local GTK and set operstate DORMANT only when last NDP\n+\t * is removed from this NDI\n+\t */\n+\tif (!ndi_wpa_s->nan_ndi_ndp_refcount) {\n+\t\twpas_nan_remove_ndi_local_gtk(ndi_wpa_s);\n \t\twpa_drv_set_operstate(ndi_wpa_s, 0);\n+\t}\n }\n \n \n@@ -642,7 +764,7 @@ static void wpas_nan_ndp_disconnected_cb(void *ctx, struct nan_ndp_id *ndp_id,\n {\n \tstruct wpa_supplicant *wpa_s = ctx;\n \n-\twpas_nan_remove_ndi_sta(wpa_s, local_ndi, peer_ndi, remove_sta);\n+\twpas_nan_remove_ndi_sta(wpa_s, local_ndi, peer_ndi, remove_sta, gtk_id);\n \twpas_notify_nan_ndp_disconnected(wpa_s, ndp_id->peer_nmi,\n \t\t\t\t\t ndp_id->id, local_ndi, peer_ndi,\n \t\t\t\t\t reason, locally_generated, failure);\n","prefixes":["43/97"]}
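Review bot: in wpas_nan_remove_ndi_local_gtk() (hunk at -397), the stored group key is wiped with os_memset(&wpa_s->ndi_gtk, 0, sizeof(wpa_s->ndi_gtk)), while the same file clears the TK with forced_memzero(tk, tk_len). Use forced_memzero() here as well so the wipe of key material cannot be optimized away, and drop the "wpa_s->ndi_gtk.id = 0;" line just above it, which the wipe makes redundant. When wpa_drv_set_key() fails, the function returns -1 before clearing anything, so the GTK bytes stay in wpa_s->ndi_gtk and ndi_gtk.id stays non-zero. The "!wpa_s->ndi_gtk.id" check in wpas_nan_set_ndi_group_keys() would then skip installing a local GTK for the next NDP on this NDI. Consider clearing the stored state regardless of the driver result. The early return also tests gtk.gtk_len whereas the install path tests id; one field should serve as the "installed" marker in both places.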
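Review bot: wpas_nan_csid_to_wpa_alg() (hunk at -449) maps NAN_CS_NONE to WPA_ALG_NONE and returns success, and wpas_nan_set_ndi_group_keys() then passes that alg to wpa_drv_set_key() together with the GTK. This patch itself uses WPA_ALG_NONE as the key removal request in wpas_nan_remove_ndi_gtk(), so a GTK carrying NAN_CS_NONE would not be installed as a key, yet the function returns 0 and, for the local GTK, copies it into wpa_s->ndi_gtk as if it were installed. Suggest rejecting NAN_CS_NONE when converting a group key CSID, and deciding explicitly whether the pairwise NAN_CS_SK_* values should be accepted for a GTK. In the same hunk, when the local GTK install succeeds and the peer GTK install then fails, -1 is returned with the local TX key still installed and recorded, and the caller's error path only calls wpas_nan_remove_ndi_keys(); is the local GTK cleaned up on that path? Minor: an unsupported CSID is logged twice (once in the helper with %d, once in the caller with %u).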
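Review bot: possible NULL dereference in the wpa_drv_sta_set_flags() failure path of wpas_nan_add_ndi_sta() (hunk at -539). The added call wpas_nan_remove_ndi_gtk(ndi_wpa_s, params->peer_gtk->id, peer_ndi) dereferences params->peer_gtk unconditionally, but wpas_nan_set_ndi_group_keys() treats it as optional ("if (params->peer_gtk && params->peer_gtk->id)"). For an NDP without a GTK this error path would dereference NULL, and for id == 0 it would ask the driver to remove a key that was never installed. Guard the call with the same condition used for the install. This path also leaves a local GTK installed by wpas_nan_set_ndi_group_keys() a few lines earlier; please confirm that remove_sta (not visible in this hunk) handles it.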
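Review bot: the return values of both new removal calls in wpas_nan_remove_ndi_sta() (hunk at -602) are dropped. wpas_nan_remove_ndi_gtk() logs nothing on failure, so a peer RX group key left behind in the driver would go unnoticed; a wpa_printf() on failure would help when debugging stale keys. The commit message says the peer GTK is removed only when no other NDP uses it, but here the decision rests entirely on the caller passing gtk_id as 0 or non-zero. A short comment on the new gtk_id parameter stating that 0 means "do not remove the peer GTK" would document that contract at the point where it is relied on.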