[PATCH 49/97] NAN: Control the support for beacon protection
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Tue Apr 28 13:05:50 PDT 2026
From: Ilan Peer <ilan.peer at intel.com>
By default, even if the driver advertises support for beacon
protection, do not enable it.
Add a control interface configuration to enable/disable
beacon protection. This is only possible before NAN operation
is started.
Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
src/nan/nan.c | 47 +++++++++++++++++++++++++++++++++
src/nan/nan.h | 1 +
wpa_supplicant/nan_supplicant.c | 31 +++++++++++++++-------
3 files changed, 70 insertions(+), 9 deletions(-)
diff --git a/src/nan/nan.c b/src/nan/nan.c
index 21b5e0ea69..e55936edd7 100644
--- a/src/nan/nan.c
+++ b/src/nan/nan.c
@@ -3006,3 +3006,50 @@ int nan_set_mgmt_group_cipher(struct nan_data *nan, int cipher)
~NAN_CS_INFO_CAPA_IGTK_USE_NCS_BIP_GMAC_256;
return 0;
}
+
+
+/**
+ * nan_set_beacon_prot - Enable or disable NAN beacon protection
+ *
+ * @nan: Pointer to NAN data structure
+ * @enable: true to enable beacon protection, false to disable
+ *
+ * Returns: 0 on success, -1 on failure
+ *
+ * This function enables or disables NAN beacon protection. Beacon protection
+ * can only be changed when NAN is not started. Additionally, the device must
+ * support management frame protection for this function to succeed.
+ */
+int nan_set_beacon_prot(struct nan_data *nan, bool enable)
+{
+ u8 gtk_supp;
+
+ if (!nan)
+ return -1;
+
+ if (nan->nan_started) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: Cannot change beacon protection setting while NAN is started");
+ return -1;
+ }
+
+ if (((nan->cfg->security_capab & NAN_CS_INFO_CAPA_GTK_SUPP_MASK) >>
+ NAN_CS_INFO_CAPA_GTK_SUPP_POS) == NAN_CS_INFO_CAPA_GTK_SUPP_NONE) {
+ if (enable) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: Management frame protection is not supported by the device");
+ return -1;
+ }
+ return 0;
+ }
+
+ if (enable)
+ gtk_supp = NAN_CS_INFO_CAPA_GTK_SUPP_ALL;
+ else
+ gtk_supp = NAN_CS_INFO_CAPA_GTK_SUPP_NO_BIGTK;
+
+ nan->cfg->security_capab &= ~NAN_CS_INFO_CAPA_GTK_SUPP_MASK;
+ nan->cfg->security_capab |= gtk_supp << NAN_CS_INFO_CAPA_GTK_SUPP_POS;
+
+ return 0;
+}
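Review bot: nan_set_beacon_prot() switches the GTK support field to `NAN_CS_INFO_CAPA_GTK_SUPP_ALL` whenever any GTK support is already configured, but it has no way to know whether the driver can actually protect beacons. That check exists only in the wpas_nan_set() caller in nan_supplicant.c, so a later caller that skips it would advertise BIGTK support the device cannot honour. The doc comment should state this precondition, for example `* The caller must verify that the driver supports NAN beacon protection before enabling it.` It should also say that disabling when no GTK support is configured is a no-op that returns 0, since the text currently reads as if missing management frame protection always fails.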
diff --git a/src/nan/nan.h b/src/nan/nan.h
index 97644a7117..8b23f1ae93 100644
--- a/src/nan/nan.h
+++ b/src/nan/nan.h
@@ -836,6 +836,7 @@ struct wpabuf * nan_crypto_derive_nira_tag(const u8 *nik, size_t nik_len,
const u8 *nira_nonce);
int nan_ndp_requested_gtk_csid(struct nan_data *nan, struct nan_ndp_id *ndp_id);
int nan_set_mgmt_group_cipher(struct nan_data *nan, int cipher);
+int nan_set_beacon_prot(struct nan_data *nan, bool enable);
#ifdef CONFIG_PASN
int nan_pairing_add_attrs(struct nan_data *nan_data, struct wpabuf *buf);
int nan_pairing_initiate_pasn_auth(struct nan_data *nan_data, const u8 *addr,
diff --git a/wpa_supplicant/nan_supplicant.c b/wpa_supplicant/nan_supplicant.c
index 2559613d7f..774012da21 100644
--- a/wpa_supplicant/nan_supplicant.c
+++ b/wpa_supplicant/nan_supplicant.c
@@ -1300,8 +1300,6 @@ int wpas_nan_init(struct wpa_supplicant *wpa_s)
WPA_DRIVER_CAPA_ENC_GCMP_256)) &&
(wpa_s->drv_enc & (WPA_DRIVER_CAPA_ENC_BIP |
WPA_DRIVER_CAPA_ENC_BIP_GMAC_256))) {
- u8 gtk_supp;
-
/*
* By default, use BIP-CMAC-128 cipher suite for
* group keys for maximum compatibility.
@@ -1310,14 +1308,13 @@ int wpas_nan_init(struct wpa_supplicant *wpa_s)
nan.security_capab |=
NAN_CS_INFO_CAPA_IGTK_USE_NCS_BIP_GMAC_256;
- if (wpa_s->nan_capa.drv_flags &
- WPA_DRIVER_FLAGS_NAN_SUPPORT_BEACON_PROT)
- gtk_supp = NAN_CS_INFO_CAPA_GTK_SUPP_ALL;
- else
- gtk_supp = NAN_CS_INFO_CAPA_GTK_SUPP_NO_BIGTK;
-
+ /*
+ * By default enable only GTK/IGTK support. Beacon
+ * protection support can be enabled separately
+ */
nan.security_capab |=
- gtk_supp << NAN_CS_INFO_CAPA_GTK_SUPP_POS;
+ NAN_CS_INFO_CAPA_GTK_SUPP_NO_BIGTK <<
+ NAN_CS_INFO_CAPA_GTK_SUPP_POS;
}
wpa_printf(MSG_DEBUG, "NAN: security capabilities=0x%02x",
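Review bot: The new comment says beacon protection "can be enabled separately" but not how or when. This hunk leaves a protection off by default even on drivers that set `WPA_DRIVER_FLAGS_NAN_SUPPORT_BEACON_PROT`, so the comment should name the control path for anyone auditing the default. Suggested wording for the last two comment lines: `* By default enable only GTK/IGTK support. Beacon protection is` / `* opt-in via the NAN "set_beacon_prot" setting, before NAN is started.` The enclosing block in wpas_nan_init() starts and ends outside the hunk.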
@@ -1673,6 +1670,22 @@ int wpas_nan_set(struct wpa_supplicant *wpa_s, char *cmd)
return nan_set_mgmt_group_cipher(wpa_s->nan, cipher);
}
+ if (os_strcmp("set_beacon_prot", cmd) == 0) {
+ bool val = !!atoi(param);
+
+ if (val && !(wpa_s->nan_capa.drv_flags &
+ WPA_DRIVER_FLAGS_NAN_SUPPORT_BEACON_PROT)) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: Beacon protection not supported by driver");
+ return -1;
+ }
+
+ if (nan_set_beacon_prot(wpa_s->nan, val) < 0)
+ return -1;
+
+ return 0;
+ }
+
#ifdef CONFIG_TESTING_OPTIONS
if (os_strcmp("tx_mcast_fu_dual_prot", cmd) == 0) {
bool val = !!atoi(param);
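Review bot: `bool val = !!atoi(param);` in the new `set_beacon_prot` branch accepts any string. Empty or non-numeric input parses as 0 and silently turns beacon protection off, while any non-zero number turns it on. For a security setting it is safer to reject anything other than "0" or "1" before converting, for example `if (os_strcmp(param, "0") != 0 && os_strcmp(param, "1") != 0) return -1;`. The tail of the branch could also be `return nan_set_beacon_prot(wpa_s->nan, val);`, matching the nan_set_mgmt_group_cipher() call just above. wpas_nan_set() starts and ends outside the hunk, so how `param` is derived and checked is not visible here.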
--
2.53.0