[PATCH 39/97] wpa_supplicant: Set the GTK for NDP response
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Tue Apr 28 13:05:40 PDT 2026
From: Avraham Stern <avraham.stern at intel.com>
When the NDP request includes a GTK cipher suite, check that the
requested cipher suite is supported by the service.
If the NDI already has a GTK installed which uses a different cipher
suite, reject the request. Otherwise use the existing GTK or generate
a new one if needed.
Signed-off-by: Avraham Stern <avraham.stern at intel.com>
---
src/nan/nan.h | 1 +
src/nan/nan_ndp.c | 36 +++++++++++++++++++++++++++++++++
wpa_supplicant/nan_supplicant.c | 33 ++++++++++++++++++++++++++++--
3 files changed, 68 insertions(+), 2 deletions(-)
diff --git a/src/nan/nan.h b/src/nan/nan.h
index 294d715bf5..0e2469d8b3 100644
--- a/src/nan/nan.h
+++ b/src/nan/nan.h
@@ -824,6 +824,7 @@ int nan_set_bootstrap_configuration(struct nan_data *nan,
struct wpabuf * nan_crypto_derive_nira_tag(const u8 *nik, size_t nik_len,
const u8 *nmi_addr,
const u8 *nira_nonce);
+int nan_ndp_requested_gtk_csid(struct nan_data *nan, struct nan_ndp_id *ndp_id);
#ifdef CONFIG_PASN
int nan_pairing_add_attrs(struct nan_data *nan_data, struct wpabuf *buf);
int nan_pairing_initiate_pasn_auth(struct nan_data *nan_data, const u8 *addr,
diff --git a/src/nan/nan_ndp.c b/src/nan/nan_ndp.c
index 9ab2cee65e..e6f790b7c6 100644
--- a/src/nan/nan_ndp.c
+++ b/src/nan/nan_ndp.c
@@ -1173,3 +1173,39 @@ int nan_ndp_term_req(struct nan_data *nan, struct nan_peer *peer,
peer->ndp_setup.reason = NAN_REASON_UNSPECIFIED_REASON;
return 0;
}
+
+
+/*
+ * nan_ndp_requested_gtk_csid - Get the GTK CSID requested by peer for NDP setup
+ *
+ * @nan: NAN module context from nan_init()
+ * @ndp_id: NDP identifier
+ *
+ * Returns: The GTK CSID requested by peer, or NAN_CS_NONE if no matching NDP is
+ * found or GTK is not requested by peer.
+ */
+int nan_ndp_requested_gtk_csid(struct nan_data *nan, struct nan_ndp_id *ndp_id)
+{
+ struct nan_peer *peer;
+
+ peer = nan_get_peer(nan, ndp_id->peer_nmi);
+ if (!peer) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: NDP: No matching peer found for GTK CSID request");
+ return NAN_CS_NONE;
+ }
+
+ if (!peer->ndp_setup.ndp ||
+ peer->ndp_setup.ndp->ndp_id != ndp_id->id ||
+ os_memcmp(peer->ndp_setup.ndp->init_ndi,
+ ndp_id->init_ndi, ETH_ALEN) != 0) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: NDP: No matching NDP found for GTK CSID request");
+ return NAN_CS_NONE;
+ }
+
+ if (peer->ndp_setup.state != NAN_NDP_STATE_REQ_RECV)
+ return NAN_CS_NONE;
+
+ return peer->ndp_setup.sec.peer_gtk.csid;
+}
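Review bot: All three early returns in `nan_ndp_requested_gtk_csid()` yield `NAN_CS_NONE`, so the caller cannot tell "the peer did not request a GTK" apart from "no peer, no matching NDP, or wrong setup state". `wpas_nan_ndp_response_set_gtk()` tests `!gtk_csid`, returns 0, and lets the accept continue without a group key. Unless code outside this patch rejects those cases later, a lookup failure is silently treated as a no-GTK setup; using `return -1;` in the lookup-failure branches and `if (gtk_csid < 0) return -1;` in the caller would keep the two outcomes distinct. The final state check (`NAN_NDP_STATE_REQ_RECV`) returns without a debug message and is not covered by the header comment's "Returns" text. `ndp_id` is only read here, so it could be declared `const struct nan_ndp_id *ndp_id`.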
diff --git a/wpa_supplicant/nan_supplicant.c b/wpa_supplicant/nan_supplicant.c
index aa29bfc021..81ae22e95a 100644
--- a/wpa_supplicant/nan_supplicant.c
+++ b/wpa_supplicant/nan_supplicant.c
@@ -2490,6 +2490,29 @@ fail:
}
+int wpas_nan_ndp_response_set_gtk(struct wpa_supplicant *wpa_s,
+ struct wpa_supplicant *ndi_wpa_s,
+ int handle, struct nan_ndp_params *ndp)
+{
+ int gtk_csid;
+
+ gtk_csid = nan_ndp_requested_gtk_csid(wpa_s->nan, &ndp->ndp_id);
+ if (!gtk_csid) {
+ wpa_printf(MSG_DEBUG, "NAN: No GTK requested by peer for NDP");
+ return 0;
+ }
+
+ if (!nan_de_service_supports_csid(wpa_s->nan_de, handle, gtk_csid)) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: Cannot set GTK - CSID %d not supported by service",
+ gtk_csid);
+ return -1;
+ }
+
+ return wpas_nan_set_gtk(ndi_wpa_s, ndp, gtk_csid);
+}
+
+
/* Command format NAN_NDP_RESPONSE accept|reject peer_nmi=<nmi>
[reason_code=<reject_reason>]
[ndi=<ifname> handle=<service_handle> init_ndi=<ndi>
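Review bot: `ndi_wpa_s` is forwarded to `wpas_nan_set_gtk()` without a NULL check. The caller `wpas_nan_ndp_response()` now initializes it to NULL and assigns it only when an `ndi=` token is parsed, which the command-format comment shows in optional brackets; the call site is in the later `@@ -2682` hunk. Unless validation outside these hunks guarantees `ndi=` (and a valid `handle`, which defaults to -1) for an accepted response, an accept for a peer that requested a GTK would reach the key-install path with a NULL interface. A guard such as `if (!ndi_wpa_s) return -1;` before the final call would make this fail closed. The helper has no prototype in the visible header changes, so it could be `static`, and a short comment giving its return convention (0 = no GTK needed or GTK set, -1 = reject) would help.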
@@ -2504,6 +2527,7 @@ int wpas_nan_ndp_response(struct wpa_supplicant *wpa_s, char *cmd)
const char *pwd = NULL, *pmk = NULL;
int handle = -1;
int ret = -1;
+ struct wpa_supplicant *ndi_wpa_s = NULL;
if (!wpas_nan_ndp_allowed(wpa_s))
return -1;
@@ -2544,8 +2568,6 @@ int wpas_nan_ndp_response(struct wpa_supplicant *wpa_s, char *cmd)
if (os_strcmp(token, "reason_code") == 0) {
ndp.u.resp.reason_code = atoi(pos);
} else if (os_strcmp(token, "ndi") == 0) {
- struct wpa_supplicant *ndi_wpa_s;
-
ndi_wpa_s = wpa_supplicant_get_iface(wpa_s->global,
pos);
if (!ndi_wpa_s) {
@@ -2682,6 +2704,13 @@ int wpas_nan_ndp_response(struct wpa_supplicant *wpa_s, char *cmd)
goto fail;
}
+ if (ndp.u.resp.status == NAN_NDP_STATUS_ACCEPTED &&
+ wpas_nan_ndp_response_set_gtk(wpa_s, ndi_wpa_s, handle, &ndp) < 0) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: Failed to set GTK for NDP response");
+ goto fail;
+ }
+
wpa_printf(MSG_DEBUG, "NAN: %s NDP response for peer " MACSTR
" ndp_id=%u",
ndp.u.resp.status == NAN_NDP_STATUS_ACCEPTED ?
--
2.53.0