TDLS: Do not modify RNonce for an TPK M1 frame with same INonce

There is no point in updating the RNonce for every obtained TPK M1 frame
(e.g., retransmission due to timeout) with the same INonce (SNonce in
FTIE). Update RNonce only if a TPK M1 is received with a different
INonce (new TDLS session) to avoid issues with two setup exchanges
getting mixed and exchange failing due to mismatching nonces ("TDLS:
FTIE ANonce in TPK M3 does not match with FTIE ANonce used in TPK M2").

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>

1 files changed, 17 insertions, 6 deletions

diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
index 335e1d90..eb587914 100644
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -1683,16 +1683,27 @@ skip_rsn:
 	}
 
 	ftie = (struct wpa_tdls_ftie *) kde.ftie;
-	os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
 	os_memcpy(peer->rsnie_i, kde.rsn_ie, kde.rsn_ie_len);
 	peer->rsnie_i_len = kde.rsn_ie_len;
 	peer->cipher = cipher;
 
-	if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
-		wpa_msg(sm->ctx->ctx, MSG_WARNING,
-			"TDLS: Failed to get random data for responder nonce");
-		wpa_tdls_peer_free(sm, peer);
-		goto error;
+	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
+		/*
+		 * There is no point in updating the RNonce for every obtained
+		 * TPK M1 frame (e.g., retransmission due to timeout) with the
+		 * same INonce (SNonce in FTIE). However, if the TPK M1 is
+		 * retransmitted with a different INonce, update the RNonce
+		 * since this is for a new TDLS session.
+		 */
+		wpa_printf(MSG_DEBUG,
+			   "TDLS: New TPK M1 INonce - generate new RNonce");
+		os_memcpy(peer->inonce, ftie->Snonce, WPA_NONCE_LEN);
+		if (os_get_random(peer->rnonce, WPA_NONCE_LEN)) {
+			wpa_msg(sm->ctx->ctx, MSG_WARNING,
+				"TDLS: Failed to get random data for responder nonce");
+			wpa_tdls_peer_free(sm, peer);
+			goto error;
+		}
 	}
 
 #if 0