[PATCH 00/92] Add NAN PASN pairing support

Jouni Malinen j at w1.fi
Mon Apr 27 09:50:45 PDT 2026


On Mon, Apr 27, 2026 at 12:22:18PM +0200, Johannes Berg wrote:
> On Mon, 2026-04-27 at 12:30 +0300, Jouni Malinen wrote:
> > IMHO, the key will either need to be
> > configured earlier (with all the extra checks to avoid misuse) or there
> > needs to be a fallback mechanism that can decrypt a received frame that
> > was not decrypted because the key was not quite yet configured for it.
> 
> I don't think such a fallback mechanism can really be done. We have up
> to four different layers involved: HW/FW, driver, mac80211 and then
> wpa_supplicant, with different implementations (from different vendors)
> splitting MIC check and replay check differently, e.g. iwlwifi will
> usually do MIC validation in HW/FW and replay check in the driver (due
> to multi-queue).
> 
> Synchronising state across these layers for maintaining correct replay
> counters when HW crypto cannot be used doesn't really seem plausible.

Understood that this would be really inconvenient and that the other
approach (early key configuration) would likely be significantly
simpler. This could be as simple as having wpa_supplicant configure the
key before sending out PASN Auth 2 for NAN cases and then discarding all
encrypted frames that are received from that peer device before a valid
PASN Auth 3 has been received. If there is a timeout on being able to
validate the key, the key would be additionally removed from the driver.

-- 
Jouni Malinen                                            PGP id EFC895FA
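
The early key configuration described in the message above, modelled as a per-peer state machine. This is an added example, not part of the original message and not hostap or driver code; the struct, function names and the 1000 ms timeout are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical model of the proposal; names and timeout are constructed. */
#define VALIDATE_TIMEOUT_MS 1000
enum key_state { KEY_NONE, KEY_PENDING, KEY_VALIDATED };
enum rx_verdict { RX_DROP, RX_ACCEPT };
struct nan_peer {
    enum key_state state;
    uint64_t deadline_ms;   /* an unvalidated key is removed at this time */
    bool key_in_driver;
};

/* Timeout: a key that was never validated is removed from the driver. */
static void peer_tick(struct nan_peer *p, uint64_t now_ms) {
    if (p->state == KEY_PENDING && now_ms >= p->deadline_ms) {
        p->key_in_driver = false;
        p->state = KEY_NONE;
    }
}

/* Called just before PASN Auth 2 is sent: the key is configured early. */
static void peer_send_auth2(struct nan_peer *p, uint64_t now_ms) {
    p->key_in_driver = true;
    p->state = KEY_PENDING;
    p->deadline_ms = now_ms + VALIDATE_TIMEOUT_MS;
}

/* Only a valid PASN Auth 3, received while the key is pending, unlocks it. */
static void peer_rx_auth3(struct nan_peer *p, bool valid, uint64_t now_ms) {
    peer_tick(p, now_ms);
    if (p->state == KEY_PENDING && valid)
        p->state = KEY_VALIDATED;
}

/* Verdict for an encrypted frame received from this peer. */
static enum rx_verdict peer_rx_encrypted(struct nan_peer *p, uint64_t now_ms) {
    peer_tick(p, now_ms);
    return p->state == KEY_VALIDATED ? RX_ACCEPT : RX_DROP;
}

int main(void) {
    struct nan_peer p = { KEY_NONE, 0, false };
    peer_send_auth2(&p, 0);
    printf("before Auth 3: %d\n", peer_rx_encrypted(&p, 10));
    peer_rx_auth3(&p, true, 20);
    printf("after Auth 3:  %d\n", peer_rx_encrypted(&p, 30));
    return 0;
}
```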


