[PATCH 45/92] NAN: Don't derive NPK and send NIK when pairing verification is complete

Andrei Otcheretianski andrei.otcheretianski at intel.com
Wed Apr 22 05:23:36 PDT 2026


From: Avraham Stern <avraham.stern at intel.com>

When pairing verification is performed, there is no need to derive a
NPK since the NPK already exists. In addition, there is no need to
send the NIK to the peer since NIKs were already exchanged after the
original pairing.

Signed-off-by: Avraham Stern <avraham.stern at intel.com>
---
 src/nan/nan_i.h       | 6 ++++++
 src/nan/nan_pairing.c | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/nan/nan_i.h b/src/nan/nan_i.h
index 926eea2a9f..eedf6c2389 100644
--- a/src/nan/nan_i.h
+++ b/src/nan/nan_i.h
@@ -470,6 +470,10 @@ enum nan_pairing_role {
 	NAN_PAIRING_ROLE_RESPONDER,
 };
 
+
+/* Current pairing uses pairing verification */
+#define NAN_PAIRING_FLAG_NPK_VERIFICATION BIT(0)
+
 /**
  * struct nan_pairing_peer_data - NAN pairing peer information
  *
@@ -481,6 +485,7 @@ enum nan_pairing_role {
  * @nonce_tag_valid: Indicates if the nonce and tag fields are valid
  * @nonce: Nonce from peer's NIRA attribute
  * @tag: Tag from peer's NIRA attribute
+ * @flags: Bitmap of pairing flags. See NAN_PAIRING_FLAG_*
  */
 struct nan_pairing_peer_data {
 	struct nan_pairing_cfg pairing_cfg;
@@ -491,6 +496,7 @@ struct nan_pairing_peer_data {
 	bool nonce_tag_valid;
 	u8 nonce[NAN_NIRA_NONCE_LEN];
 	u8 tag[NAN_NIRA_TAG_LEN];
+	u32 flags;
 };
 
 /**
diff --git a/src/nan/nan_pairing.c b/src/nan/nan_pairing.c
index 1c0d2e0ffb..b4c8fafd67 100644
--- a/src/nan/nan_pairing.c
+++ b/src/nan/nan_pairing.c
@@ -543,11 +543,13 @@ int nan_pairing_initiate_pasn_auth(struct nan_data *nan_data, const u8 *addr,
 
 	peer->pairing.handle = handle;
 	peer->pairing.peer_instance_id = peer_instance_id;
+	peer->pairing.flags = 0;
 
 	if (responder)
 		return 0;
 
 	if (auth_mode == NAN_PASN_AUTH_MODE_PMK) {
+		peer->pairing.flags |= NAN_PAIRING_FLAG_NPK_VERIFICATION;
 		ret = wpa_pasn_verify(pasn, pasn->own_addr, pasn->peer_addr,
 				      pasn->bssid, pasn->akmp, pasn->cipher,
 				      pasn->group, 0, NULL, 0, NULL, 0, NULL);
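Review bot: NAN_PAIRING_FLAG_NPK_VERIFICATION is set only on the initiator path, because `if (responder) return 0;` returns before the `auth_mode == NAN_PASN_AUTH_MODE_PMK` branch, so a peer acting as responder in a pairing verification keeps `flags == 0`. If nan_pairing_done() and nan_send_nik() also run on the responder (not visible in this patch), that side would still derive an NPK and send its NIK during verification, which the commit message says should not happen; a fresh derivation might also replace the cached NPK. If `auth_mode` is meaningful for the responder at this point, move `if (auth_mode == NAN_PASN_AUTH_MODE_PMK) peer->pairing.flags |= NAN_PAIRING_FLAG_NPK_VERIFICATION;` above the `responder` check. Otherwise set the flag where the responder learns the exchange is PMK-based, and say so in the comment on the flag definition. The function body starts and ends outside the hunk.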
@@ -586,7 +588,8 @@ static void nan_pairing_done(struct nan_data *nan_data, struct nan_peer *peer)
 	int ret;
 
 	if (!nan_data->cfg->pairing_cfg.npk_caching ||
-	    !peer->pairing.pairing_cfg.npk_caching)
+	    !peer->pairing.pairing_cfg.npk_caching ||
+	    peer->pairing.flags & NAN_PAIRING_FLAG_NPK_VERIFICATION)
 		return;
 
 	wpa_printf(MSG_DEBUG, "NAN: Pairing: Derive KEK after PASN pairing");
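Review bot: The new verification exit in nan_pairing_done() is silent, and so is the `return 0;` added to nan_send_nik() in the next hunk, so both skip key handling without a trace while the neighbouring paths log through wpa_printf. Giving the flag test its own `if` with a line such as `wpa_printf(MSG_DEBUG, "NAN: Pairing: Verification - skip NPK derivation");`, plus an equivalent message before the return in nan_send_nik(), would let a log reader tell an intentional skip from a missing KEK or a disabled npk_caching. The bitwise test would also read more clearly parenthesised inside the `||` chain, `(peer->pairing.flags & NAN_PAIRING_FLAG_NPK_VERIFICATION)`. Both function bodies extend beyond their hunks.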
@@ -710,6 +713,9 @@ static int nan_send_nik(struct nan_data *nan_data, struct nan_peer *peer)
 		return 0;
 	}
 
+	if (peer->pairing.flags & NAN_PAIRING_FLAG_NPK_VERIFICATION)
+		return 0;
+
 	if (!peer->pairing.pasn || !peer->pairing.pasn->ptk.kek_len) {
 		wpa_printf(MSG_DEBUG,
 			   "NAN: Pairing: KEK not available for NIK encryption");
-- 
2.53.0



