[PATCH 21/97] NAN: Add security cabapilities to NAN module
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Tue Apr 28 13:05:22 PDT 2026
From: Avraham Stern <avraham.stern at intel.com>
Add the security capabilities (GTK, IGTK and BIGTK support) to the
NAN module. These capabilities depend on driver capabilities.
Add this information to the CSIA capabilities field in pairing
negotiation and NDP setup.
Signed-off-by: Avraham Stern <avraham.stern at intel.com>
---
src/nan/nan.h | 3 +++
src/nan/nan_pairing.c | 6 +-----
src/nan/nan_sec.c | 4 ++--
3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/src/nan/nan.h b/src/nan/nan.h
index a999a6582c..979fb66c14 100644
--- a/src/nan/nan.h
+++ b/src/nan/nan.h
@@ -449,6 +449,9 @@ struct nan_config {
*/
u16 bootstrap_comeback_timeout;
+ /* Security capabilities. See Table 122, capabilities field */
+ u8 security_capab;
+
/**
* start - Start NAN
* @ctx: Callback context from cb_ctx
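Review bot: The comment on `security_capab` cites "Table 122" without naming the specification or version the table number belongs to, and it uses a plain `/* */` where the neighbouring members of `struct nan_config` use the `/** name - description */` form. I would write it as `/** security_capab - CSIA capabilities field bits (GTK/IGTK/BIGTK support), derived from driver capabilities */`, with a second comment line naming the spec and table. It would also help to state that 0 means none of the group key types is advertised, since that is the value every caller sent before this change. The struct continues outside the hunk.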
diff --git a/src/nan/nan_pairing.c b/src/nan/nan_pairing.c
index b03ca68dac..b5608aaccd 100644
--- a/src/nan/nan_pairing.c
+++ b/src/nan/nan_pairing.c
@@ -448,11 +448,7 @@ static void nan_pairing_prepare_pasn_elems(struct nan_data *nan_data,
cs.instance_id = publish_id;
- /*
- * TODO: Get security capabilities from somewhere. For now, it doesn't
- * matter as the capability field is not used in pairing anyway.
- */
- nan_add_csia(extra_ies, 0, 1, &cs);
+ nan_add_csia(extra_ies, nan_data->cfg->security_capab, 1, &cs);
if (auth_mode == NAN_PASN_AUTH_MODE_SAE ||
auth_mode == NAN_PASN_AUTH_MODE_PASN) {
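Review bot: `nan_data->cfg->security_capab` is passed to `nan_add_csia()` as a raw `u8` with no masking, so every bit set in the config, including any the capabilities field may leave reserved, is sent in the pairing frames. Nothing in the visible hunks validates the value where it is set, so I would mask it to the defined GTK/IGTK/BIGTK bits, either once when the config is filled in or at the point of use, e.g. `nan_add_csia(extra_ies, nan_data->cfg->security_capab & <DEFINED_CAPAB_BITS>, 1, &cs);` (the mask name is a placeholder). The same unmasked copy is made into `i_capab` and `r_capab` in the two src/nan/nan_sec.c hunks. The removed comment said the capability field is not used in pairing; if that still holds, a one-line comment saying so would stop a reader from assuming the peer acts on these bits. `nan_pairing_prepare_pasn_elems()` starts and ends outside the hunk.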
diff --git a/src/nan/nan_sec.c b/src/nan/nan_sec.c
index d3d8b90d0e..ae41019c83 100644
--- a/src/nan/nan_sec.c
+++ b/src/nan/nan_sec.c
@@ -663,7 +663,7 @@ static int nan_sec_add_m1_attrs(struct nan_data *nan, struct nan_peer *peer,
/* Initialize the initiator security state */
os_get_random(ndp_sec->i_nonce, sizeof(ndp_sec->i_nonce));
- ndp_sec->i_capab = 0;
+ ndp_sec->i_capab = nan->cfg->security_capab;
ndp_sec->i_instance_id = peer->ndp_setup.publish_inst_id;
/* Compute the PMKID */
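Review bot: The return value of `os_get_random()` is ignored on the line that fills `i_nonce`, directly above the changed assignment, so a failure of the random source would leave the nonce with whatever the buffer already held and the handshake would carry on with it. This predates the patch, but since the block is being touched I would check it, e.g. `if (os_get_random(ndp_sec->i_nonce, sizeof(ndp_sec->i_nonce)) < 0) return -1;`, adjusted to whatever cleanup the function needs, which is not visible here. The `r_nonce` call in the `nan_sec_init_resp()` hunk has the same gap. Both functions start and end outside their hunks.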
@@ -950,7 +950,7 @@ int nan_sec_init_resp(struct nan_data *nan, struct nan_peer *peer)
/* Initialize the responder's security state */
os_get_random(ndp_sec->r_nonce, sizeof(ndp_sec->r_nonce));
- ndp_sec->r_capab = 0;
+ ndp_sec->r_capab = nan->cfg->security_capab;
ndp_sec->r_instance_id = peer->ndp_setup.publish_inst_id;
if (ndp_sec->i_instance_id != ndp_sec->r_instance_id) {
--
2.53.0