[PATCH 91/92] NAN: Use pairing CSID in NDP establishment
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Wed Apr 22 05:24:22 PDT 2026
NDP establishment between paired peers should use the same CSID as in
the original pairing.
Store pairing CSID and reuse it in NDP setup. In addition, make sure
PASN cipher suites are not used if the devices are not paired.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski at intel.com>
---
src/common/nan_defs.h | 2 ++
src/nan/nan.c | 17 +++++++++++++++++
src/nan/nan_i.h | 2 ++
src/nan/nan_pairing.c | 13 +++++++------
4 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/src/common/nan_defs.h b/src/common/nan_defs.h
index e9b6f21be6..d4fb4ef875 100644
--- a/src/common/nan_defs.h
+++ b/src/common/nan_defs.h
@@ -503,6 +503,8 @@ enum nan_cipher_suite_id {
((csid) == NAN_CS_SK_GCM_256 || (csid) == NAN_CS_PK_PASN_256)
#define NAN_CS_IS_VALID_NDP(csid) \
(NAN_CS_IS_128(csid) || NAN_CS_IS_256(csid))
+#define NAN_CS_IS_PASN(csid) \
+ ((csid) == NAN_CS_PK_PASN_128 || (csid) == NAN_CS_PK_PASN_256)
struct nan_cipher_suite {
u8 csid; /* Cipher Suite ID */
diff --git a/src/nan/nan.c b/src/nan/nan.c
index 38006f349f..91d63e0a77 100644
--- a/src/nan/nan.c
+++ b/src/nan/nan.c
@@ -1928,6 +1928,23 @@ int nan_handle_ndp_setup(struct nan_data *nan, struct nan_ndp_params *params)
return -1;
}
+ /*
+ * If the peer is paired, select the CSID based on the pairing
+ * information (and ignore the CSID in the parameters, if any).
+ * Otherwise, make sure that PASN CSIDs are not used.
+ */
+ if (peer->pairing.flags & NAN_PAIRING_FLAG_PAIRED) {
+ params->sec.csid = peer->pairing.pairing_csid;
+ wpa_printf(MSG_DEBUG,
+ "NAN: Paired peer, selected CSID=%d from pairing",
+ params->sec.csid);
+ } else if (NAN_CS_IS_PASN(params->sec.csid)) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: PASN CSID %d requires peer to be paired",
+ params->sec.csid);
+ return -1;
+ }
+
switch (params->type) {
case NAN_NDP_ACTION_REQ:
params->ndp_id.id = nan_get_next_ndp_id(nan);
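Review bot: In the paired branch, `params->sec.csid = peer->pairing.pairing_csid;` discards whatever the caller supplied, and the debug line logs only the replacement, so a request for a different (possibly stronger) suite is changed without a trace. Logging the requested value as well, e.g. `"NAN: Paired peer, CSID %d replaced by pairing CSID %d"`, or rejecting an explicit mismatching request, would make the substitution visible. The block sits ahead of `switch (params->type)`, so it applies to every NDP action type; it is worth confirming that this is intended for the cases other than `NAN_NDP_ACTION_REQ`, which are outside the hunk. nan_handle_ndp_setup() starts and ends outside the hunk.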
diff --git a/src/nan/nan_i.h b/src/nan/nan_i.h
index c2257f56fb..fe9a5fba07 100644
--- a/src/nan/nan_i.h
+++ b/src/nan/nan_i.h
@@ -489,6 +489,7 @@ enum nan_pairing_role {
* @tag: Tag from peer's NIRA attribute
* @flags: Bitmap of pairing flags. See NAN_PAIRING_FLAG_*
* @pending_auth1: Pending PASN Authentication frame 1 to be processed
+ * @pairing_csid: Cipher suite ID used for the pairing
*/
struct nan_pairing_peer_data {
struct nan_pairing_cfg pairing_cfg;
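Review bot: The new `@pairing_csid` line does not say when the field is meaningful; in the visible code it is written only in nan_pairing_done(), together with NAN_PAIRING_FLAG_PAIRED, and read in nan_handle_ndp_setup() only when that flag is set. Suggest `@pairing_csid: Cipher suite ID used for the pairing; valid only while NAN_PAIRING_FLAG_PAIRED is set in @flags`. The struct definition continues outside the hunk.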
@@ -501,6 +502,7 @@ struct nan_pairing_peer_data {
u8 tag[NAN_NIRA_TAG_LEN];
u32 flags;
struct wpabuf *pending_auth1;
+ enum nan_cipher_suite_id pairing_csid;
};
/**
diff --git a/src/nan/nan_pairing.c b/src/nan/nan_pairing.c
index eff743125e..163b6b9619 100644
--- a/src/nan/nan_pairing.c
+++ b/src/nan/nan_pairing.c
@@ -607,12 +607,14 @@ static void nan_pairing_done(struct nan_data *nan_data, struct nan_peer *peer)
u8 npk[NAN_NPK_LEN];
struct pasn_data *pasn = peer->pairing.pasn;
int cipher = pasn_get_cipher(pasn);
- enum nan_cipher_suite_id csid;
u8 *initiator_nmi, *responder_nmi;
int ret;
peer->pairing.flags |= NAN_PAIRING_FLAG_PAIRED;
+ peer->pairing.pairing_csid = cipher == WPA_CIPHER_GCMP_256 ?
+ NAN_CS_PK_PASN_256 : NAN_CS_PK_PASN_128;
+
if (!nan_data->cfg->pairing_cfg.npk_caching ||
!peer->pairing.pairing_cfg.npk_caching ||
peer->pairing.flags & NAN_PAIRING_FLAG_NPK_VERIFICATION)
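Review bot: The stored `pairing_csid` falls back to `NAN_CS_PK_PASN_128` for every value of `cipher` other than `WPA_CIPHER_GCMP_256`, and with this change that value outlives the function and selects the suite for later NDP setup. An explicit check of the value returned by `pasn_get_cipher()` (accept only the ciphers that map to a PASN suite, otherwise log and fail the pairing) would avoid recording a suite that was never negotiated. The flag and the CSID are also set before the KEK and NPK derivations; if the `if (ret)` error paths, which are outside the hunks, leave `NAN_PAIRING_FLAG_PAIRED` set, the peer would presumably still be treated as paired in NDP setup. nan_pairing_done() starts and ends outside the hunk.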
@@ -628,10 +630,8 @@ static void nan_pairing_done(struct nan_data *nan_data, struct nan_peer *peer)
responder_nmi = nan_data->cfg->nmi_addr;
}
- csid = cipher == WPA_CIPHER_GCMP_256 ? NAN_CS_PK_PASN_256 :
- NAN_CS_PK_PASN_128;
-
- ret = nan_crypto_derive_kek(pasn->ptk.kdk, pasn->ptk.kdk_len, csid,
+ ret = nan_crypto_derive_kek(pasn->ptk.kdk, pasn->ptk.kdk_len,
+ peer->pairing.pairing_csid,
initiator_nmi, responder_nmi,
&pasn->ptk);
if (ret) {
@@ -650,7 +650,8 @@ static void nan_pairing_done(struct nan_data *nan_data, struct nan_peer *peer)
wpa_printf(MSG_DEBUG, "NAN: Pairing: Derive NPK after PASN pairing");
- ret = nan_crypto_derive_npk(pasn->ptk.kdk, pasn->ptk.kdk_len, csid,
+ ret = nan_crypto_derive_npk(pasn->ptk.kdk, pasn->ptk.kdk_len,
+ peer->pairing.pairing_csid,
initiator_nmi, responder_nmi, npk,
sizeof(npk));
if (ret) {
--
2.53.0