From: Daniel Gabay Date: Fri, 15 May 2026 11:28:06 +0000 (+0300) Subject: wifi: mac80211: allow cipher change on NAN_DATA interfaces X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=098056028370aa1eda9a1709d99f062d96749345;p=thirdparty%2Fkernel%2Flinux.git wifi: mac80211: allow cipher change on NAN_DATA interfaces ieee80211_key_link() rejects pairwise key installation when the cipher differs from the existing PTK. Per Wi-Fi Aware version 4.0 section 7.4, the ND-TKSA between the same NDI pair shall be updated when a new NDP requires a stronger cipher suite. Exempt NL80211_IFTYPE_NAN_DATA from the same-cipher enforcement so the PTK can be replaced with a different cipher. Signed-off-by: Daniel Gabay Reviewed-by: Ilan Peer Reviewed-by: Johannes Berg Signed-off-by: Miri Korenblit Link: https://patch.msgid.link/20260515142736.3188a47a23bf.I5fba3a111ffe054b46928aefa5c2d763fef51d4d@changeid Signed-off-by: Johannes Berg --- diff --git a/net/mac80211/key.c b/net/mac80211/key.c index 3030bd40bca00..f45e792abede5 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c @@ -870,11 +870,16 @@ int ieee80211_key_link(struct ieee80211_key *key, alt_key = wiphy_dereference(sdata->local->hw.wiphy, sta->ptk[idx ^ 1]); - /* The rekey code assumes that the old and new key are using + /* + * The rekey code assumes that the old and new key are using * the same cipher. Enforce the assumption for pairwise keys. + * NAN Data interfaces are exempt: Wi-Fi Aware v4.0 section 7.4 + * requires upgrading the ND-TKSA when a new NDP negotiates a + * stronger cipher suite. */ - if ((alt_key && alt_key->conf.cipher != key->conf.cipher) || - (old_key && old_key->conf.cipher != key->conf.cipher)) { + if (sdata->vif.type != NL80211_IFTYPE_NAN_DATA && + ((alt_key && alt_key->conf.cipher != key->conf.cipher) || + (old_key && old_key->conf.cipher != key->conf.cipher))) { ret = -EOPNOTSUPP; goto out; }