[PATCH 00/92] Add NAN PASN pairing support

Andrei Otcheretianski andrei.otcheretianski at intel.com
Wed Apr 22 05:22:51 PDT 2026 

This series adds support for NAN PASN pairing.
The pairing can be performed using:
- Opportunistic pairing (unauthenticated PASN)
- SAE-based authentication with password
- NPK caching for pairing verification

The series start with the previously submitted tests for bootstrapping
and NAN data path and few more patches with enhancements and fixes.

Note that test patches are still marked with RFC as the wireless-next
kernel still doesn't have all the required support in mac80211_hwsim.
For testing purposes iwlwifi-next/mac80211_candidate kernel can be used.

Andrei Otcheretianski (13):
  tests: Add get_iface_addr() to wpasupplicant.py
  tests: Add NAN data path tests
  tests: Add NAN bootstrapping hwsim testing
  NAN: Correctly configure SAE groups on responder
  wpa_supplicant: Support NAN pairing abort
  NAN: Add handle and requestor_instance_id parameters in BOOTSTRAP
    events
  NAN: Add NAN-PAIRING-REQUEST notification
  wpa_supplicant: Move NAN notifications to notify.c
  NAN: Add API to retrieve peer pairing configuration
  NAN: Add key_mgmt and verify flag to NAN-PAIRING-REQUEST notification
  NAN: Support NDP establishment with PASN cipher suites
  NAN: Verify that only advertised CSIDs are used for NDP
  NAN: Use pairing CSID in NDP establishment

Avraham Stern (66):
  PASN: Add support for PMK caching with PASN AKM
  PASN: Remove an unused variable
  NAN: Add pairing configuration
  NAN: Add pairing capability indication attribute to NAN IE
  NAN: Add a function for deriving NIRA's tag from NIK
  NAN: Add NIK and NIK lifetime to NAN config
  NAN: Add NIRA to NAN IE when pairing verification is enabled
  wpa_supplicant: Indicate NAN pairing capabilities in publish/subscribe
  wpa_supplicant: Set NAN Identity Key and its lifetime to NAN module
  wpa_supplicant: Add PMKSA cache to NAN data
  NAN: Save the NPBA from successful bootstrapping
  NAN: Add a function for triggering NAN pairing
  NAN: Keep NAN pairing data in one place
  NAN: Handle PASN auth frame Tx status
  wpa_supplicant: Add an API to trigger NAN pairing
  NAN: Handle pairing PASN auth frame 1
  NAN: Handle pairing PASN auth frame 2
  NAN: Handle pairing PASN auth frame 3
  NAN: Add control interface for triggering NAN pairing
  wpa_supplicant: Implement NAN send_pasn() callback
  wpa_supplicant: Redirect PASN auth Tx status to NAN module
  wpa_supplicant: Pass Rx PASN auth frames to NAN module
  wpa_supplicant: Implement the NAN pairing result callback
  NAN: Add functions for deriving NPK and KEK from KDK
  NAN: Derive KEK and NPK after pairing
  NAN: Add NIK KDE and Key lifetime KDE definitions
  NAN: Add a function for encrypting the key data using the KEK
  NAN: Add function for decrypting the Key Data field
  NAN: Send NIK after successful pairing
  NAN: Add NAN KDE parsing to key data parsing
  NAN: Handle followup frame after pairing is completed
  wpa_supplicant: Store NIK received after pairing
  NAN: Add NIRA to the list of parsed attributes
  NAN: Parse NAN Identity Resolution attribute from SDFs
  NAN: Set PASN data for pairing verification
  NAN: Add NIRA to PASN frames for pairing verification
  NAN: Add support for starting pairing verification
  wpa_supplicant: Implement NAN get_npk_akmp() callback
  NAN: Don't derive NPK and send NIK when pairing verification is
    complete
  nl80211: Register for PASN authentication frames for NAN interface
  wpa_supplicant: Add NAN-NIK-RECEIVED notification
  NAN: Add Cipher Suite Information attribute to publish messages
  NAN: Add function for creating a list of PMKIDs for a given PMK
  NAN: Add Security Context Information attribute to publish messages
  wpa_supplicant: Add cipher_suites parameter to NAN_PUBLISH command
  wpa_supplicant: Add nd_pmk parameter to NAN_PUBLISH command
  NAN: Parse PMKIDs from the SCIA in publish messages
  wpa_supplicant: Add PMKIDs list to NAN-DISCOVERY-RESULT event
  NAN: Add supported cipher suite list to the discovery result callback
  wpa_supplicant: Add supported cipher suites to NAN discovery result
  NAN: Add set functions for NAN pairing configurations
  NAN: Add an option to set NAN pairing config
  NAN: Add an indication that a peer is paired
  NAN: Pass protected SDFs to NAN module
  nl80211: Register for dual protected SDF on NAN interface
  nl80211: Support key operations (new/set/del) on non-netdev interfaces
  NAN: Pass a schedule in pairing command
  NAN: Set support for NAN pairing by default
  NAN: Add the option to set the NIK and its lifetime
  wpa_supplicant: Rename nan_config to nan_cluster_config
  NAN: Send and receive only protected SDF frames if peer is paired
  wpa_supplicant: Set MFP flag for NAN NMI station before pairing
  NAN: Add a function for deriving ND-PMK from KDK
  NAN: Derive and report ND-PMK after successful pairing
  NAN: Send NAFs to paired peer as protected dual public action
  tests: Add NAN hwsim pairing tests

Benjamin Berg (1):
  NAN: improve and fix NAN device type checking

Ilan Peer (12):
  common: Set the operating class if it is known
  nl80211: Track cookies for NAN Device action frames
  nl80211: Register for NAFs and protected NAFs on NAN Data
  nl80211: Extend the transmit cookie matching to NAN Data interface
  wpa_supplicant: Do not enable Pairing and NDP if not supported by the
    driver
  NAN: Prepare module tests for NAF transmitted over NDIs
  NAN: Support transmission and reception of NAFs in a secure manner
  PASN: Allow verification with PASN base AKM
  NAN: Unpair a peer before the NMI station is removed
  NAN: Aggregate NAN discovery result information into a struct
  NAN: Indicate if a service supports pairing and/or NPK/NIK caching
  NAN: Indicate the service supported bootstrap and pairing methods

 src/ap/ieee802_11.c                |    3 +-
 src/ap/nan_usd_ap.c                |   21 +-
 src/common/ieee802_11_common.c     |   11 +-
 src/common/ieee802_11_common.h     |    2 +
 src/common/nan_de.c                |  371 ++++++-
 src/common/nan_de.h                |   36 +-
 src/common/nan_defs.h              |   46 +
 src/common/proximity_ranging.c     |    8 +-
 src/common/wpa_common.c            |   22 +
 src/common/wpa_common.h            |    4 +
 src/common/wpa_ctrl.h              |    9 +
 src/drivers/driver_nl80211.c       |  104 +-
 src/drivers/driver_nl80211_event.c |   38 +-
 src/nan/nan.c                      |  291 +++++-
 src/nan/nan.h                      |  178 +++-
 src/nan/nan_bootstrap.c            |   68 +-
 src/nan/nan_crypto.c               |  484 ++++++++-
 src/nan/nan_i.h                    |  138 ++-
 src/nan/nan_module_tests.c         |   41 +-
 src/nan/nan_module_tests.h         |    2 +
 src/nan/nan_pairing.c              | 1570 ++++++++++++++++++++++++++++
 src/nan/nan_sec.c                  |   33 +-
 src/nan/nan_util.c                 |   60 +-
 src/p2p/p2p.c                      |    6 +-
 src/pasn/pasn_common.c             |    8 -
 src/pasn/pasn_common.h             |    6 +-
 src/pasn/pasn_initiator.c          |   17 +-
 src/pasn/pasn_responder.c          |   31 +-
 tests/hwsim/test_nan.py            |  793 +++++++++++++-
 tests/hwsim/wpasupplicant.py       |   18 +
 wpa_supplicant/Makefile            |    3 +
 wpa_supplicant/config.h            |    5 +
 wpa_supplicant/ctrl_iface.c        |   45 +
 wpa_supplicant/events.c            |   29 +-
 wpa_supplicant/nan_supplicant.c    |  843 +++++++++++++--
 wpa_supplicant/nan_supplicant.h    |   19 +
 wpa_supplicant/notify.c            |  281 ++++-
 wpa_supplicant/notify.h            |   50 +-
 wpa_supplicant/wpa_cli.c           |   21 +
 wpa_supplicant/wpa_supplicant.c    |    2 +-
 wpa_supplicant/wpa_supplicant_i.h  |   11 +-
 41 files changed, 5379 insertions(+), 349 deletions(-)
 create mode 100644 src/nan/nan_pairing.c

-- 
2.53.0

More information about the Hostap mailing list