{"id":2226379,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2226379/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/patch/20260422122424.43776-34-andrei.otcheretianski@intel.com/","project":{"id":22,"url":"http://patchwork.ozlabs.org/api/1.2/projects/22/?format=json","name":"HostAP Development","link_name":"hostap","list_id":"hostap.lists.infradead.org","list_email":"hostap@lists.infradead.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260422122424.43776-34-andrei.otcheretianski@intel.com>","list_archive_url":null,"date":"2026-04-22T12:23:24","name":"[33/92] NAN: Add a function for encrypting the key data using the KEK","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"b8c6a3a51c3660a9149b89852880f46c4c86baba","submitter":{"id":62065,"url":"http://patchwork.ozlabs.org/api/1.2/people/62065/?format=json","name":"Andrei Otcheretianski","email":"andrei.otcheretianski@intel.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/hostap/patch/20260422122424.43776-34-andrei.otcheretianski@intel.com/mbox/","series":[{"id":501001,"url":"http://patchwork.ozlabs.org/api/1.2/series/501001/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/list/?series=501001","date":"2026-04-22T12:23:05","name":"Add NAN PASN pairing support","version":1,"mbox":"http://patchwork.ozlabs.org/series/501001/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2226379/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2226379/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n 
header.a=rsa-sha256 header.s=bombadil.20210309 header.b=j1He0L0d;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=VnhPhsZd;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0z4g1WZXz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 22:27:15 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wFWf8-0000000A4xj-1FEz;\n\tWed, 22 Apr 2026 12:26:38 +0000","from mgamail.intel.com ([192.198.163.17])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wFWe4-0000000A34B-0kDa\n\tfor hostap@lists.infradead.org;\n\tWed, 22 Apr 2026 12:25:38 +0000","from orviesa010.jf.intel.com ([10.64.159.150])\n  by fmvoesa111.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 22 Apr 2026 05:25:28 -0700","from iapp347.iil.intel.com (HELO 87c02287900a.iil.intel.com)\n ([10.167.28.6])\n  by orviesa010-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 22 Apr 2026 05:25:27 -0700"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; 
h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=WxYSbp4yO7uzcPjJYBbDAnwp8dExLfZ/lvZyc96+Onc=; b=j1He0L0dTjWJw0\n\t5YVLnUB7sB9yL6GMo+QvHSEzu9rlz5QI+Pys5z6vvSbOJCim8fUCxKTVHWKau2rSoEs4SuK2VOf64\n\tSw5ebd2SyVQTPTbsrYQMjVVH4FhlPrNiZYZLqZofy3nOVec3SVD2ffbJerAt8LK+Dc6oIteUJb/iX\n\tzUcC8nClGzTD3vYe4w4NtphyNh4aMKcVd6L8pt2a4QUPxwct32ml2asitf2Gobgrq2qPmTo2jEtEj\n\tU/xGuoLnNFdvU0XUgZLsqR+LUjFFH4TqhxLgID/hokvMmxQjYDieoGBGkrsUpeXXYDVHJTtmqcv2V\n\t6SM8/FbUmSI8uuEr1wVw==;","v=1; a=rsa-sha256; c=relaxed/simple;\n  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n  t=1776860732; x=1808396732;\n  h=from:to:cc:subject:date:message-id:in-reply-to:\n   references:mime-version:content-transfer-encoding;\n  bh=PUzZLKTQHd/yI0l255IzystrK0KvzK2TnqKjSuA5M3g=;\n  b=VnhPhsZddYF+TRfawkQ24f2q2itBLGPFfPBlSfBr+yq08bK2Uig2/Qq9\n   QeMCNidnRQQwuZO5/Jpbp+JAdMj7BOfJa0/GxXFLRvlF45N9sKRHdooiE\n   FWS5WdSNaFmkNHlP2eXDASETcbyPX9TZK4oSxoS3fcc8+ieMs07pa5ZFd\n   6m9LjdxZsHBzZRSEwd3g/YvNLknkm0dCkd+fvHXsXXXqY6J0KpjT73KU1\n   NeYhuKwHMP+1TVv3p++abeyWg3+wxzik7GJ+lY672QjC/r11p4BRB31ti\n   f4/S6PmdhqPIi2Wpf0JUSgRwNmpfwnkSoMX3pdWmocjAzjL2yUkPwz1RV\n   A==;"],"X-CSE-ConnectionGUID":["zSJ7ZFSNShu0c5ZldXbEWA==","t2ipOCz5SeKryefl9UU8Kg=="],"X-CSE-MsgGUID":["gz8X5dZcS2WOE3lEy0bvkA==","UYFkOTfDQVOHTfksXnfPXg=="],"X-IronPort-AV":["E=McAfee;i=\"6800,10657,11764\"; a=\"77687307\"","E=Sophos;i=\"6.23,192,1770624000\";\n   d=\"scan'208\";a=\"77687307\"","E=Sophos;i=\"6.23,192,1770624000\";\n   d=\"scan'208\";a=\"231444987\""],"X-ExtLoop1":"1","From":"Andrei Otcheretianski <andrei.otcheretianski@intel.com>","To":"hostap@lists.infradead.org","Cc":"vamsin@qti.qualcomm.com,\n\tmaheshkkv@google.com,\n\tAvraham Stern 
<avraham.stern@intel.com>","Subject":"[PATCH 33/92] NAN: Add a function for encrypting the key data using\n the KEK","Date":"Wed, 22 Apr 2026 15:23:24 +0300","Message-ID":"<20260422122424.43776-34-andrei.otcheretianski@intel.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260422122424.43776-1-andrei.otcheretianski@intel.com>","References":"<20260422122424.43776-1-andrei.otcheretianski@intel.com>","MIME-Version":"1.0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260422_052532_439060_C0D42E0B ","X-CRM114-Status":"GOOD (  15.93  )","X-Spam-Score":"-4.4 (----)","X-Spam-Report":"Spam detection software,\n running on the system \"bombadil.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  
From: Avraham Stern <avraham.stern@intel.com>\n Signed-off-by:\n    Avraham Stern <avraham.stern@intel.com> --- src/nan/nan_crypto.c | 80\n ++++++++++++++++++++++++++++++++++++++++++++\n    src/nan/nan_i.h | 3 +- 2 files changed, 82 insertions(+),\n 1 deletion(- [...]    \n Content analysis details:   (-4.4 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,\n                             medium trust\n                             [192.198.163.17 listed in list.dnswl.org]\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.0 SPF_PASS               SPF: sender matches SPF record\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n                             domain\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%\n                             [score: 0.0000]\n -0.0 DKIMWL_WL_HIGH         DKIMwl.org - High trust sender","X-BeenThere":"hostap@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"<hostap.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/hostap/>","List-Post":"<mailto:hostap@lists.infradead.org>","List-Help":"<mailto:hostap-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/hostap>,\n 
<mailto:hostap-request@lists.infradead.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"Hostap\" <hostap-bounces@lists.infradead.org>","Errors-To":"hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"From: Avraham Stern <avraham.stern@intel.com>\n\nSigned-off-by: Avraham Stern <avraham.stern@intel.com>\n---\n src/nan/nan_crypto.c | 80 ++++++++++++++++++++++++++++++++++++++++++++\n src/nan/nan_i.h      |  3 +-\n 2 files changed, 82 insertions(+), 1 deletion(-)","diff":"diff --git a/src/nan/nan_crypto.c b/src/nan/nan_crypto.c\nindex f582830e8d..256ff23840 100644\n--- a/src/nan/nan_crypto.c\n+++ b/src/nan/nan_crypto.c\n@@ -12,6 +12,7 @@\n #include \"crypto/sha256.h\"\n #include \"crypto/sha384.h\"\n #include \"crypto/crypto.h\"\n+#include \"crypto/aes_wrap.h\"\n #include \"nan_i.h\"\n \n #define NAN_KCK_MAX_LEN 24\n@@ -523,3 +524,82 @@ int nan_crypto_derive_kek(const u8 *kdk, size_t kdk_len,\n \t\t\t\t\t  initiator_nmi, responder_nmi,\n \t\t\t\t\t  ptk->kek, ptk->kek_len);\n }\n+\n+\n+/*\n+ * nan_crypto_encrypt_key - Encrypt key data using AES Key Wrap (RFC 3394)\n+ *\n+ * @key_data: Key data to be encrypted\n+ * @kek: Key Encryption Key (KEK)\n+ * @kek_len: Length of KEK in octets\n+ *\n+ * This function encrypts the provided key data using AES Key Wrap algorithm\n+ * as defined in RFC 3394. The input data is padded to 8-byte alignment before\n+ * encryption. 
The padding scheme uses 0xdd as the first padding byte followed\n+ * by zeros.\n+ *\n+ * Returns: Encrypted key data in a newly allocated wpabuf, or NULL on failure.\n+ * The caller is responsible for freeing the returned wpabuf.\n+ */\n+struct wpabuf *nan_crypto_encrypt_key_data(const struct wpabuf *key_data,\n+\t\t\t\t\t   const u8 *kek, size_t kek_len)\n+{\n+\tsize_t key_data_len;\n+\tsize_t pad;\n+\tsize_t padded_len;\n+\tu8 *padded_key_data;\n+\tstruct wpabuf *encrypted_key_data;\n+\n+\tif (!key_data || !kek || !kek_len) {\n+\t\twpa_printf(MSG_ERROR,\n+\t\t\t   \"NAN: Pairing: Invalid parameters for key data encryption\");\n+\t\treturn NULL;\n+\t}\n+\n+\tkey_data_len = wpabuf_len(key_data);\n+\tif (!key_data_len) {\n+\t\twpa_printf(MSG_ERROR,\n+\t\t\t   \"NAN: Pairing: Key data is empty for encryption\");\n+\t\treturn NULL;\n+\t}\n+\n+\twpa_hexdump_key(MSG_DEBUG, \"NAN: Plain key data\", wpabuf_head(key_data),\n+\t\t\tkey_data_len);\n+\n+\t/* Calculate padding to align to 8 bytes (AES block size) */\n+\tpad = key_data_len % 8;\n+\tif (pad)\n+\t\tpad = 8 - pad;\n+\n+\tpadded_len = key_data_len + pad;\n+\tpadded_key_data = os_zalloc(padded_len);\n+\tif (!padded_key_data)\n+\t\treturn NULL;\n+\n+\t/* Copy key data and apply padding (0xdd followed by zeros) */\n+\tos_memcpy(padded_key_data, wpabuf_head(key_data), key_data_len);\n+\tif (pad)\n+\t\tpadded_key_data[key_data_len] = 0xdd;\n+\n+\t/* Allocate buffer for encrypted data (input length + 8 bytes for IV) */\n+\tencrypted_key_data = wpabuf_alloc(padded_len + 8);\n+\tif (!encrypted_key_data)\n+\t\tgoto fail;\n+\n+\t/* Encrypt the padded data using AES Key Wrap */\n+\tif (aes_wrap(kek, kek_len, padded_len / 8, padded_key_data,\n+\t\t     wpabuf_put(encrypted_key_data, padded_len + 8))) {\n+\t\twpa_printf(MSG_ERROR, \"NAN: Pairing: AES wrap failed\");\n+\t\twpabuf_free(encrypted_key_data);\n+\t\tencrypted_key_data = NULL;\n+\t} else {\n+\t\twpa_hexdump_key(MSG_DEBUG, \"NAN: Encrypted key 
data\",\n+\t\t\t\twpabuf_head(encrypted_key_data),\n+\t\t\t\twpabuf_len(encrypted_key_data));\n+\t}\n+\n+fail:\n+\tos_memset(padded_key_data, 0, padded_len);\n+\tos_free(padded_key_data);\n+\treturn encrypted_key_data;\n+}\ndiff --git a/src/nan/nan_i.h b/src/nan/nan_i.h\nindex 07fa7a0e85..edfe28358a 100644\n--- a/src/nan/nan_i.h\n+++ b/src/nan/nan_i.h\n@@ -727,7 +727,8 @@ int nan_crypto_derive_kek(const u8 *kdk, size_t kdk_len,\n \t\t\t  enum nan_cipher_suite_id cipher,\n \t\t\t  const u8 *initiator_nmi, const u8 *responder_nmi,\n \t\t\t  struct wpa_ptk *ptk);\n-\n+struct wpabuf *nan_crypto_encrypt_key_data(const struct wpabuf *key_data,\n+\t\t\t\t\t   const u8 *kek, size_t kek_len);\n \n void nan_sec_reset(struct nan_data *nan, struct nan_ndp_sec *ndp_sec);\n int nan_sec_rx(struct nan_data *nan, struct nan_peer *peer,\n","prefixes":["33/92"]}
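Review bot: In nan_crypto_encrypt_key_data() (src/nan/nan_crypto.c), key data of 1 to 8 octets gives padded_len == 8, so aes_wrap() is called with n = padded_len / 8 = 1, while RFC 3394, which the comment cites, defines the wrap only for n of at least two 64-bit blocks. Consider padding short input up to 16 octets, or rejecting it, before the call. Smaller points in the same hunk: the doc comment is titled nan_crypto_encrypt_key but the function is nan_crypto_encrypt_key_data; the comment "align to 8 bytes (AES block size)" is inaccurate, since 8 octets is the key wrap block and the AES block is 16; the fail: label is also the normal exit path, so a neutral name such as out: would read better; and the closing os_memset() plus os_free() of the padded plaintext could be bin_clear_free(padded_key_data, padded_len), so the wipe cannot be optimized away.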
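Review bot: In the src/nan/nan_i.h hunk, the new prototype replaces the blank line after nan_crypto_derive_kek() rather than being added next to it, so only one blank line now separates the nan_crypto_* declarations from nan_sec_reset() where there were two. Add the declaration as a pure insertion to keep the existing spacing. The commit message also has no body beyond the Signed-off-by line; a sentence on which pairing message carries the wrapped key data would give reviewers the context for this helper.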