[PATCH 00/92] Add NAN PASN pairing support
Johannes Berg
johannes at sipsolutions.net
Mon Apr 27 03:22:18 PDT 2026
On Mon, 2026-04-27 at 12:30 +0300, Jouni Malinen wrote:
> IMHO, the key will either need to be
> configured earlier (with all the extra checks to avoid misuse) or there
> needs to be a fallback mechanism that can decrypt a received frame that
> was not decrypted because the key was not quite yet configured for it.
I don't think such a fallback mechanism can really be done. We have up
to four different layers involved: HW/FW, driver, mac80211 and then
wpa_supplicant, with different implementations (from different vendors)
splitting MIC check and replay check differently, e.g. iwlwifi will
usually do MIC validation in HW/FW and replay check in the driver (due
to multi-queue).
Synchronising state across these layers for maintaining correct replay
counters when HW crypto cannot be used doesn't really seem plausible.
johannes
More information about the Hostap
mailing list