[PATCH 27/97] NAN: Process BIGTK KDE from NDP setup messages

Andrei Otcheretianski andrei.otcheretianski at intel.com
Tue Apr 28 13:05:28 PDT 2026


From: Avraham Stern <avraham.stern at intel.com>

If the BIGTK KDE is included in the key data field of NDP setup
M3 and M4 messages, parse it and install the BIGTK for Rx from
this peer.

Signed-off-by: Avraham Stern <avraham.stern at intel.com>
---
 src/nan/nan_i.h   |  2 ++
 src/nan/nan_sec.c | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)

diff --git a/src/nan/nan_i.h b/src/nan/nan_i.h
index a21e9d3f8e..84e9508fb8 100644
--- a/src/nan/nan_i.h
+++ b/src/nan/nan_i.h
@@ -529,6 +529,7 @@ struct nan_pairing_peer_data {
  * @bootstrap: Bootstrap information of the peer
  * @pairing: Pairing data associated with this peer
  * @igtk_id: IGTK key ID used with this peer. Zero if IGTK is not used.
+ * @bigtk_id: BIGTK key ID used with this peer. Zero if BIGTK is not used.
  */
 struct nan_peer {
 	struct dl_list list;
@@ -548,6 +549,7 @@ struct nan_peer {
 	struct nan_pairing_peer_data pairing;
 
 	u8 igtk_id;
+	u8 bigtk_id;
 };
 
 /**
diff --git a/src/nan/nan_sec.c b/src/nan/nan_sec.c
index 7220fc7fa3..4875fc14b7 100644
--- a/src/nan/nan_sec.c
+++ b/src/nan/nan_sec.c
@@ -503,6 +503,41 @@ static int nan_sec_rx_key_data(struct nan_data *nan,
 				igtk_kde->igtk, key_len);
 	}
 
+	if (ie.bigtk && ie.bigtk_len) {
+		struct wpa_bigtk_kde *bigtk_kde =
+			(struct wpa_bigtk_kde *)ie.bigtk;
+		u16 key_idx;
+
+		if (ie.bigtk_len != WPA_BIGTK_KDE_PREFIX_LEN + key_len) {
+			wpa_printf(MSG_DEBUG,
+				   "NAN: SEC: Invalid BIGTK KDE length: %zu (expected %d)",
+				   ie.bigtk_len,
+				   WPA_BIGTK_KDE_PREFIX_LEN + key_len);
+			goto fail;
+		}
+
+		key_idx = WPA_GET_LE16(bigtk_kde->keyid);
+		if (key_idx < 6 || key_idx > 7) {
+			wpa_printf(MSG_DEBUG,
+				   "NAN: SEC: Invalid BIGTK key index: %u",
+				   key_idx);
+			goto fail;
+		}
+
+		if (nan->cfg->set_group_key(nan->cfg->cb_ctx, alg,
+					    peer->nmi_addr, key_idx,
+					    bigtk_kde->pn, bigtk_kde->bigtk,
+					    key_len, KEY_FLAG_GROUP_RX) < 0) {
+			wpa_printf(MSG_DEBUG,
+				   "NAN: SEC: Failed to install BIGTK");
+			goto fail;
+		}
+
+		peer->bigtk_id = key_idx;
+		wpa_hexdump_key(MSG_DEBUG, "NAN: SEC: Received BIGTK",
+				bigtk_kde->bigtk, key_len);
+	}
+
 	ret = 0;
 fail:
 	wpabuf_clear_free(key_data);
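Review bot: The added block calls `set_group_key()` with the `pn` taken from the KDE without first checking whether this BIGTK is already installed for the peer. If the same M3 or M4 key data can reach this code twice (retransmission or replay; any filtering done by the caller is outside the hunk), the key would be configured again and the receive packet number used for beacon protection would presumably be set back to the KDE value, which is the key-reinstallation condition hostap's 4-way handshake code guards against for IGTK and BIGTK. I would keep a copy of the last installed key in `struct nan_peer` next to `bigtk_id` (a new field, not part of this patch) and skip the install when the key index and key bytes match, with a comment such as `/* Do not reinstall an in-use BIGTK: that would reset the Rx PN */`. Separately, `%d` in the length message is only correct if `key_len` is an `int`; its declaration is above the hunk, as is the rest of `nan_sec_rx_key_data()`.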
-- 
2.53.0



