[RFC v2 42/99] NAN: Add security configuration to NDP request/response
Andrei Otcheretianski
andrei.otcheretianski at intel.com
Tue Dec 23 03:51:46 PST 2025
From: Ilan Peer <ilan.peer at intel.com>
Add security configuration parameters to struct nan_ndp_params,
and update the NDP state machine with the security configuration.
Signed-off-by: Ilan Peer <ilan.peer at intel.com>
---
src/nan/nan.h | 15 ++++++++++++
src/nan/nan_ndp.c | 59 ++++++++++++++++++++++++++++++++++++++++-------
2 files changed, 66 insertions(+), 8 deletions(-)
diff --git a/src/nan/nan.h b/src/nan/nan.h
index a792c2bce2..2bbd5b6da3 100644
--- a/src/nan/nan.h
+++ b/src/nan/nan.h
@@ -10,6 +10,7 @@
#define NAN_H
#include "common/nan_defs.h"
+#include "common/wpa_common.h"
struct nan_cluster_config;
enum nan_reason;
@@ -181,6 +182,17 @@ struct nan_schedule {
struct wpabuf *elems;
};
+/*
+ * struct nan_ndp_sec_params - NAN NDP security parameters
+ *
+ * @csid: Cipher suite ID. See &enum nan_cipher_suite_id
+ * @pmk: NAN Pairwise Master Key (PMK)
+ */
+struct nan_ndp_sec_params {
+ enum nan_cipher_suite_id csid;
+ u8 pmk[PMK_LEN];
+};
+
/*
* struct nan_ndp_params - Holds the ndp parameters for setting up or
* terminating an NDP.
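Review bot: The @pmk description in the new struct nan_ndp_sec_params does not say when the field carries valid data, and the nan_ndp.c part of this patch only reads it when @csid is non-zero. Suggest `@pmk: NAN Pairwise Master Key (PMK); only used when @csid is non-zero`. Because the struct is embedded by value in struct nan_ndp_params, the key material is duplicated into every copy of the params, which is worth stating in the comment so callers know to clear their copy once the request or response has been submitted.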
@@ -191,6 +203,8 @@ struct nan_schedule {
* max_latency, max_latency should be set to NAN_QOS_MAX_LATENCY_NO_PREF.
* Should be set only with NAN_NDP_ACTION_REQ and NAN_NDP_ACTION_RESP.
* Ignored for other types.
+ * @sec: NDP security parameters. Should be set only with NAN_NDP_ACTION_REQ
+ * and NAN_NDP_ACTION_RESP. Ignored for other types.
* @ssi: Service specific information. Should be set only with
* NAN_NDP_ACTION_REQ and NAN_NDP_ACTION_RESP. Ignored for other types.
* @ssi_len: Service specific information length
@@ -211,6 +225,7 @@ struct nan_ndp_params {
struct nan_ndp_id ndp_id;
struct nan_qos qos;
+ struct nan_ndp_sec_params sec;
const u8 *ssi;
u16 ssi_len;
diff --git a/src/nan/nan_ndp.c b/src/nan/nan_ndp.c
index 9d8ca08ce2..3b5fd525f4 100644
--- a/src/nan/nan_ndp.c
+++ b/src/nan/nan_ndp.c
@@ -121,6 +121,8 @@ int nan_ndp_setup_req(struct nan_data *nan, struct nan_peer *peer,
peer->ndp_setup.dialog_token = ++nan->next_dialog_token;
peer->ndp_setup.publish_inst_id = params->u.req.publish_inst_id;
+ os_memcpy(peer->ndp_setup.service_id, params->u.req.service_id,
+ NAN_SERVICE_ID_LEN);
/* Require confirmation for all locally initiated NDPs */
peer->ndp_setup.conf_req = 1;
@@ -134,6 +136,19 @@ int nan_ndp_setup_req(struct nan_data *nan, struct nan_peer *peer,
}
nan_sec_reset(nan, &peer->ndp_setup.sec);
+
+ if (params->sec.csid) {
+ peer->ndp_setup.sec.i_csid = params->sec.csid;
+ os_memcpy(peer->ndp_setup.sec.pmk, params->sec.pmk,
+ PMK_LEN);
+
+ peer->ndp_setup.sec.present = 1;
+ peer->ndp_setup.sec.valid = 1;
+
+ peer->ndp_setup.sec.i_instance_id =
+ peer->ndp_setup.publish_inst_id;
+ }
+
nan_ndp_set_state(nan, &peer->ndp_setup, NAN_NDP_STATE_START);
peer->ndp_setup.status = NAN_NDP_STATUS_CONTINUED;
return 0;
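Review bot: The initiator accepts any non-zero `params->sec.csid` as a valid cipher suite and stores it as `i_csid` with `present = 1` and `valid = 1`; nothing in the hunk checks the value against the members of enum nan_cipher_suite_id, so an unsupported suite from the caller is carried into the request and only detected, if at all, by the peer. A check that the value is one this implementation supports, returning -1 before the state changes, would keep the failure local. Whether `nan_sec_reset()` on the line above clears the previous PMK copy is not visible here; if it does not, the new `os_memcpy()` into `peer->ndp_setup.sec.pmk` should be paired with an explicit clear on teardown. nan_ndp_setup_req() begins outside the hunk.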
@@ -180,14 +195,6 @@ int nan_ndp_setup_resp(struct nan_data *nan, struct nan_peer *peer,
return -1;
}
- /* Store service specific information */
- ret = nan_ndp_ssi(nan, &peer->ndp_setup, params->ssi, params->ssi_len);
- if (ret)
- return ret;
-
- /* TODO: In case of security and status accept, need to change to
- * continue
- */
peer->ndp_setup.status = params->u.resp.status;
peer->ndp_setup.reason = params->u.resp.reason_code;
@@ -197,8 +204,44 @@ int nan_ndp_setup_resp(struct nan_data *nan, struct nan_peer *peer,
os_memcpy(peer->ndp_setup.ndp->resp_ndi,
params->u.resp.resp_ndi, ETH_ALEN);
+
+ if (!peer->ndp_setup.sec.present && params->sec.csid) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: NDP: security not requested by peer");
+ return -1;
+ } else if (peer->ndp_setup.sec.present) {
+ if (params->sec.csid != peer->ndp_setup.sec.i_csid) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: NDP: Different cipher suite specified.");
+ return -1;
+ }
+
+ peer->ndp_setup.sec.r_csid = params->sec.csid;
+ os_memcpy(peer->ndp_setup.sec.pmk, params->sec.pmk,
+ PMK_LEN);
+
+ ret = nan_sec_init_resp(nan, peer);
+ if (ret) {
+ wpa_printf(MSG_DEBUG,
+ "NAN: NDP: Failed to init responder security");
+
+ peer->ndp_setup.status =
+ NAN_NDP_STATUS_REJECTED;
+ peer->ndp_setup.reason =
+ NAN_REASON_INVALID_PARAMETERS;
+ return 0;
+ }
+
+ peer->ndp_setup.status = NAN_NDP_STATUS_CONTINUED;
+ }
+
}
+ /* Store service specific information */
+ ret = nan_ndp_ssi(nan, &peer->ndp_setup, params->ssi, params->ssi_len);
+ if (ret)
+ return ret;
+
return 0;
}
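Review bot: The two `return -1` paths of the new security checks run after `peer->ndp_setup.status`, `reason` and `resp_ndi` have already been overwritten from params on the context lines just before this hunk, so a rejected response leaves ndp_setup partially updated; if callers treat -1 as "state unchanged", the csid validation belongs before those assignments. The `else if` branch also reports "Different cipher suite specified." when the peer requested security but the local `params->sec.csid` is 0, which is a missing configuration rather than a mismatch; a separate message such as `"NAN: NDP: security requested by peer but not configured"` would make the log actionable. The blank line before the closing brace (the line after `peer->ndp_setup.status = NAN_NDP_STATUS_CONTINUED;` block) is a style nit. nan_ndp_setup_resp() begins outside the hunk.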
--
2.49.0