[PATCH 44/97] NAN: Add an API to set the cipher suite for group keys

Tue Apr 28 13:05:45 PDT 2026

From: Avraham Stern <avraham.stern at intel.com>

Add an option to set the group keys cipher suite. The group keys
cipher suite can only be set before calling nan_start().

Signed-off-by: Avraham Stern <avraham.stern at intel.com>
---
 src/nan/nan.c | 41 +++++++++++++++++++++++++++++++++++++++++
 src/nan/nan.h |  1 +
 2 files changed, 42 insertions(+)

diff --git a/src/nan/nan.c b/src/nan/nan.c
index 51ea72e20f..21b5e0ea69 100644
--- a/src/nan/nan.c
+++ b/src/nan/nan.c
@@ -2965,3 +2965,44 @@ bool nan_is_ndpe_supported(struct nan_data *nan, struct nan_peer *peer)
 
 	return false;
 }
+
+
+/**
+ * nan_set_mgmt_group_cipher - Set NAN management group cipher
+ *
+ * @nan: Pointer to NAN data structure
+ * @cipher: Cipher suite to be set (WPA_CIPHER_AES_128_CMAC or
+ *	WPA_CIPHER_BIP_GMAC_256)
+ *
+ * This function sets the management group cipher for NAN communication.
+ * The cipher can only be changed when NAN is not started.
+ *
+ * Returns: 0 on success, -1 on failure
+ */
+int nan_set_mgmt_group_cipher(struct nan_data *nan, int cipher)
+{
+	if (!nan)
+		return -1;
+
+	if (nan->nan_started) {
+		wpa_printf(MSG_DEBUG,
+			   "NAN: Cannot set NAN management group cipher while NAN is started");
+		return -1;
+	}
+
+	if (cipher != WPA_CIPHER_AES_128_CMAC &&
+	    cipher != WPA_CIPHER_BIP_GMAC_256) {
+		wpa_printf(MSG_DEBUG,
+			   "NAN: Unsupported NAN management group cipher %d",
+			   cipher);
+		return -1;
+	}
+
+	if (cipher == WPA_CIPHER_BIP_GMAC_256)
+		nan->cfg->security_capab |=
+			NAN_CS_INFO_CAPA_IGTK_USE_NCS_BIP_GMAC_256;
+	else
+		nan->cfg->security_capab &=
+			~NAN_CS_INFO_CAPA_IGTK_USE_NCS_BIP_GMAC_256;
+	return 0;
+}
diff --git a/src/nan/nan.h b/src/nan/nan.h
index cf7db9b3b7..97644a7117 100644
--- a/src/nan/nan.h
+++ b/src/nan/nan.h
@@ -835,6 +835,7 @@ struct wpabuf * nan_crypto_derive_nira_tag(const u8 *nik, size_t nik_len,
 					   const u8 *nmi_addr,
 					   const u8 *nira_nonce);
 int nan_ndp_requested_gtk_csid(struct nan_data *nan, struct nan_ndp_id *ndp_id);
+int nan_set_mgmt_group_cipher(struct nan_data *nan, int cipher);
 #ifdef CONFIG_PASN
 int nan_pairing_add_attrs(struct nan_data *nan_data, struct wpabuf *buf);
 int nan_pairing_initiate_pasn_auth(struct nan_data *nan_data, const u8 *addr,
-- 
2.53.0


