{"id":2226392,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2226392/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/patch/20260422122424.43776-46-andrei.otcheretianski@intel.com/","project":{"id":22,"url":"http://patchwork.ozlabs.org/api/1.2/projects/22/?format=json","name":"HostAP Development","link_name":"hostap","list_id":"hostap.lists.infradead.org","list_email":"hostap@lists.infradead.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260422122424.43776-46-andrei.otcheretianski@intel.com>","list_archive_url":null,"date":"2026-04-22T12:23:36","name":"[45/92] NAN: Don't derive NPK and send NIK when pairing verification is complete","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"9392c34c57f82d3c5bd6f59f64c6776e23f79513","submitter":{"id":62065,"url":"http://patchwork.ozlabs.org/api/1.2/people/62065/?format=json","name":"Andrei Otcheretianski","email":"andrei.otcheretianski@intel.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/hostap/patch/20260422122424.43776-46-andrei.otcheretianski@intel.com/mbox/","series":[{"id":501001,"url":"http://patchwork.ozlabs.org/api/1.2/series/501001/?format=json","web_url":"http://patchwork.ozlabs.org/project/hostap/list/?series=501001","date":"2026-04-22T12:23:05","name":"Add NAN PASN pairing support","version":1,"mbox":"http://patchwork.ozlabs.org/series/501001/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2226392/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2226392/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=lists.infradead.org header.i=@lists.infradead.org\n header.a=rsa-sha256 header.s=bombadil.20210309 header.b=B4GyaV8M;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n secure) header.d=infradead.org header.i=@infradead.org header.a=rsa-sha256\n header.s=desiato.20200630 header.b=WqYVMcrX;\n\tdkim=fail reason=\"signature verification failed\" (2048-bit key;\n unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256\n header.s=Intel header.b=nQjJ/bou;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=none (no SPF record) smtp.mailfrom=lists.infradead.org\n (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org;\n envelope-from=hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from bombadil.infradead.org (bombadil.infradead.org\n [IPv6:2607:7c80:54:3::133])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0z6539lzz1yCv\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 22 Apr 2026 22:28:29 +1000 (AEST)","from localhost ([::1] helo=bombadil.infradead.org)\n\tby bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wFWgG-0000000A6Zl-1ZLJ;\n\tWed, 22 Apr 2026 12:27:48 +0000","from desiato.infradead.org ([2001:8b0:10b:1:d65d:64ff:fe57:4e05])\n\tby bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wFWez-0000000A4ja-0r5H\n\tfor hostap@bombadil.infradead.org;\n\tWed, 22 Apr 2026 12:26:29 +0000","from mgamail.intel.com ([192.198.163.17])\n\tby desiato.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux))\n\tid 1wFWeu-0000000BKYa-3Gyc\n\tfor hostap@lists.infradead.org;\n\tWed, 22 Apr 2026 12:26:28 +0000","from orviesa010.jf.intel.com ([10.64.159.150])\n  by fmvoesa111.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 22 Apr 2026 05:25:48 -0700","from iapp347.iil.intel.com (HELO 87c02287900a.iil.intel.com)\n ([10.167.28.6])\n  by orviesa010-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 22 Apr 2026 05:25:47 -0700"],"DKIM-Signature":["v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=lists.infradead.org; s=bombadil.20210309; h=Sender:\n\tContent-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post:\n\tList-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To:\n\tMessage-ID:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description:\n\tResent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:\n\tList-Owner; bh=0BbUwChz5lE9GekPUoepyE1wthJ2Swf0f3SjSI2dbE8=; b=B4GyaV8MZ6fXbv\n\tAxxX6B9rhFDMe9C2vXvTvJJWqsQWSXYO5FbV/enAkcGG5lDa5HKO4JIn8cCZFOFROOplRjUGWHIgJ\n\tTqzSCFaYUAgZ63NBiVR6JgPbgbiXkg8EumUbbQ/9sKPfCTfDP7p0DNd26tMnImK9AyTrC3H7AVfX7\n\tegH7aW2iSeDGJqdsVesR1yz+HCVxE2+OYYb5WpwuWBa1s9a0zC3jntS05CJwHBU5hlJz3VU0af34L\n\tdT5L5Fsu1ojo7GYYB3m1m96uQla12ak13+moIFs6WdmhJBE4lliNZ8EPHG/OOGYIr9Sz9MCh2tyP0\n\tqAqee0HGmgpxSCTif9pw==;","v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n\td=infradead.org; s=desiato.20200630; h=Content-Transfer-Encoding:MIME-Version\n\t:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:\n\tContent-Type:Content-ID:Content-Description;\n\tbh=tAMzcLwUXElq18WLVSucdIW1kKowQAm92/N/f0+JkY0=; b=WqYVMcrXg7MoRh8rqq3oD/cY0w\n\tvoxNVAMEqytQGL9raFU5o0/GZ7QlmOlimwpV9mCa5r7U4hDIXp6v8IDu3uWi0NPdb4KllqleKH/M4\n\tjHVHBSNX4OwdY1hfP7xbXLhZap8sBoX4rkBitDbDqYAAiKO+NiLOckEonoH15yCKT7tkUyV+xQ3Uo\n\tzw3W8u9AdM5oGnH9RnPpqsweT9pe58Vk29aI1z3v2EQfiygjXAOZhMs0XJqB/9YC4g4sOhszpPpjA\n\thQ32UF2vfWotonfrJ1ak0nl5C68dSmP6leIf/YcrAvreWPLuuu7k2VSFwV9oEPM/2zzs5HF5UdzGh\n\twE/NW2ug==;","v=1; a=rsa-sha256; c=relaxed/simple;\n  d=intel.com; i=@intel.com; q=dns/txt; s=Intel;\n  t=1776860784; x=1808396784;\n  h=from:to:cc:subject:date:message-id:in-reply-to:\n   references:mime-version:content-transfer-encoding;\n  bh=HHP9tUe8I4Aa5CB9KAWQEAaap70HozMx2wOwpjR4jb8=;\n  b=nQjJ/bouhBQiemFe41svGCg5qvA4zk2n/BH94WjyKh+todYquLZ3fsbR\n   hc2XlAJ6KUl1euDbI5JyRJgsCjW8CWmxFHibUNKlMI2cdTxQjqnrvYag3\n   1+9m/lafYMAU1dPJqCm6IEKeNIPDPeI/82UnxXZPXBBYfU1MzokszkrEM\n   phKaxK9d7F3QtsDTbr/Vber2Be1nM0QhxZa358FuZ08qHzPdPbvgS/QSS\n   jGoKRTUvNuCTpXiOLBMzFB7hjs/Qm9tli9lyh7wGaJls50Z7F0vw3evmq\n   FVKWxMYrZRuqk3cdylwGWcLCcHF1wfoWukR4l/XHuaZZJjSr/1WmhTJ1A\n   g==;"],"X-CSE-ConnectionGUID":["ijdov7efRr2Lu4F3ULcDBw==","GR9IoIbGRRWYJKbr8no22w=="],"X-CSE-MsgGUID":["2QVLR8xrRqybnDEbFJyPfg==","Ynv/xi4bSDuB5ZW228Dzuw=="],"X-IronPort-AV":["E=McAfee;i=\"6800,10657,11764\"; a=\"77687372\"","E=Sophos;i=\"6.23,192,1770624000\";\n   d=\"scan'208\";a=\"77687372\"","E=Sophos;i=\"6.23,192,1770624000\";\n   d=\"scan'208\";a=\"231445041\""],"X-ExtLoop1":"1","From":"Andrei Otcheretianski <andrei.otcheretianski@intel.com>","To":"hostap@lists.infradead.org","Cc":"vamsin@qti.qualcomm.com,\n\tmaheshkkv@google.com,\n\tAvraham Stern <avraham.stern@intel.com>","Subject":"[PATCH 45/92] NAN: Don't derive NPK and send NIK when pairing\n verification is complete","Date":"Wed, 22 Apr 2026 15:23:36 +0300","Message-ID":"<20260422122424.43776-46-andrei.otcheretianski@intel.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260422122424.43776-1-andrei.otcheretianski@intel.com>","References":"<20260422122424.43776-1-andrei.otcheretianski@intel.com>","MIME-Version":"1.0","X-CRM114-Version":"20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 ","X-CRM114-CacheID":"sfid-20260422_132625_253235_5B785471 ","X-CRM114-Status":"GOOD (  13.20  )","X-Spam-Score":"-2.5 (--)","X-Spam-Report":"Spam detection software,\n running on the system \"desiato.infradead.org\",\n has NOT identified this incoming email as spam.  The original\n message has been attached to this so you can view it or label\n similar future email.  If you have any questions, see\n the administrator of that system for details.\n Content preview:  From: Avraham Stern <avraham.stern@intel.com> When pairing\n    verification is performed, there is no need to derive a NPK since the NPK\n    already exists. In addition, there is no need to send the NIK to the peer\n    since NIKs were already exchanged after [...]\n Content analysis details:   (-2.5 points, 5.0 required)\n  pts rule name              description\n ---- ----------------------\n --------------------------------------------------\n -2.3 RCVD_IN_DNSWL_MED      RBL: Sender listed at https://www.dnswl.org/,\n                             medium trust\n                             [192.198.163.17 listed in list.dnswl.org]\n -0.0 SPF_PASS               SPF: sender matches SPF record\n  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record\n -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from\n author's\n                             domain\n -0.1 DKIM_VALID             Message has at least one valid DKIM or DK\n signature\n  0.1 DKIM_SIGNED            Message has a DKIM or DK signature,\n not necessarily valid\n -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from\n                             envelope-from domain\n -0.0 DKIMWL_WL_HIGH         DKIMwl.org - High trust sender","X-BeenThere":"hostap@lists.infradead.org","X-Mailman-Version":"2.1.34","Precedence":"list","List-Id":"<hostap.lists.infradead.org>","List-Unsubscribe":"<http://lists.infradead.org/mailman/options/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=unsubscribe>","List-Archive":"<http://lists.infradead.org/pipermail/hostap/>","List-Post":"<mailto:hostap@lists.infradead.org>","List-Help":"<mailto:hostap-request@lists.infradead.org?subject=help>","List-Subscribe":"<http://lists.infradead.org/mailman/listinfo/hostap>,\n <mailto:hostap-request@lists.infradead.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Sender":"\"Hostap\" <hostap-bounces@lists.infradead.org>","Errors-To":"hostap-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org"},"content":"From: Avraham Stern <avraham.stern@intel.com>\n\nWhen pairing verification is performed, there is no need to derive a\nNPK since the NPK already exists. In addition, there is no need to\nsend the NIK to the peer since NIKs were already exchanged after the\noriginal pairing.\n\nSigned-off-by: Avraham Stern <avraham.stern@intel.com>\n---\n src/nan/nan_i.h       | 6 ++++++\n src/nan/nan_pairing.c | 8 +++++++-\n 2 files changed, 13 insertions(+), 1 deletion(-)","diff":"diff --git a/src/nan/nan_i.h b/src/nan/nan_i.h\nindex 926eea2a9f..eedf6c2389 100644\n--- a/src/nan/nan_i.h\n+++ b/src/nan/nan_i.h\n@@ -470,6 +470,10 @@ enum nan_pairing_role {\n \tNAN_PAIRING_ROLE_RESPONDER,\n };\n \n+\n+/* Current pairing uses pairing verification */\n+#define NAN_PAIRING_FLAG_NPK_VERIFICATION BIT(0)\n+\n /**\n  * struct nan_pairing_peer_data - NAN pairing peer information\n  *\n@@ -481,6 +485,7 @@ enum nan_pairing_role {\n  * @nonce_tag_valid: Indicates if the nonce and tag fields are valid\n  * @nonce: Nonce from peer's NIRA attribute\n  * @tag: Tag from peer's NIRA attribute\n+ * @flags: Bitmap of pairing flags. See NAN_PAIRING_FLAG_*\n  */\n struct nan_pairing_peer_data {\n \tstruct nan_pairing_cfg pairing_cfg;\n@@ -491,6 +496,7 @@ struct nan_pairing_peer_data {\n \tbool nonce_tag_valid;\n \tu8 nonce[NAN_NIRA_NONCE_LEN];\n \tu8 tag[NAN_NIRA_TAG_LEN];\n+\tu32 flags;\n };\n \n /**\ndiff --git a/src/nan/nan_pairing.c b/src/nan/nan_pairing.c\nindex 1c0d2e0ffb..b4c8fafd67 100644\n--- a/src/nan/nan_pairing.c\n+++ b/src/nan/nan_pairing.c\n@@ -543,11 +543,13 @@ int nan_pairing_initiate_pasn_auth(struct nan_data *nan_data, const u8 *addr,\n \n \tpeer->pairing.handle = handle;\n \tpeer->pairing.peer_instance_id = peer_instance_id;\n+\tpeer->pairing.flags = 0;\n \n \tif (responder)\n \t\treturn 0;\n \n \tif (auth_mode == NAN_PASN_AUTH_MODE_PMK) {\n+\t\tpeer->pairing.flags |= NAN_PAIRING_FLAG_NPK_VERIFICATION;\n \t\tret = wpa_pasn_verify(pasn, pasn->own_addr, pasn->peer_addr,\n \t\t\t\t      pasn->bssid, pasn->akmp, pasn->cipher,\n \t\t\t\t      pasn->group, 0, NULL, 0, NULL, 0, NULL);\n@@ -586,7 +588,8 @@ static void nan_pairing_done(struct nan_data *nan_data, struct nan_peer *peer)\n \tint ret;\n \n \tif (!nan_data->cfg->pairing_cfg.npk_caching ||\n-\t    !peer->pairing.pairing_cfg.npk_caching)\n+\t    !peer->pairing.pairing_cfg.npk_caching ||\n+\t    peer->pairing.flags & NAN_PAIRING_FLAG_NPK_VERIFICATION)\n \t\treturn;\n \n \twpa_printf(MSG_DEBUG, \"NAN: Pairing: Derive KEK after PASN pairing\");\n@@ -710,6 +713,9 @@ static int nan_send_nik(struct nan_data *nan_data, struct nan_peer *peer)\n \t\treturn 0;\n \t}\n \n+\tif (peer->pairing.flags & NAN_PAIRING_FLAG_NPK_VERIFICATION)\n+\t\treturn 0;\n+\n \tif (!peer->pairing.pasn || !peer->pairing.pasn->ptk.kek_len) {\n \t\twpa_printf(MSG_DEBUG,\n \t\t\t   \"NAN: Pairing: KEK not available for NIK encryption\");\n","prefixes":["45/92"]}