Add patch set 2017-1.

A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used. Approved by: leres (maintainer) Security: https://w1.fi/security/2017-1/ \ wpa-packet-number-reuse-with-replayed-messages.txt Security: https://www.krackattacks.com/ MFH: 2017Q4 Differential Revision: D12691
svn path=/head/; revision=452257
2025-07-18 17:59:20 -04:00 · 2017-10-17 01:30:47 +00:00 · 2017-10-17 01:30:47 +00:00 · 96028ad87a · 2021-03-31 03:12:20 +00:00
commit 96028ad87a
parent a725929299
2 changed files with 25 additions and 1 deletions
--- a/net/hostapd/Makefile
+++ b/net/hostapd/Makefile
@ -3,8 +3,18 @@

 PORTNAME=	hostapd
 PORTVERSION=	2.6
+PORTREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	https://w1.fi/releases/
+PATCH_SITES=	https://w1.fi/security/2017-1/
+PATCHFILES=	rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch \
+	rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch \
+	rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch \
+	rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch \
+	rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch \
+	rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch \
+	rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+PATCH_DIST_STRIP=	-p1

 MAINTAINER=	leres@FreeBSD.org
 COMMENT=	IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
--- a/net/hostapd/distinfo
+++ b/net/hostapd/distinfo
@ -1,3 +1,17 @@
-TIMESTAMP = 1489911667
+TIMESTAMP = 1508200169
 SHA256 (hostapd-2.6.tar.gz) = 01526b90c1d23bec4b0f052039cc4456c2fd19347b4d830d1d58a0a6aea7117d
 SIZE (hostapd-2.6.tar.gz) = 1822341
+SHA256 (rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch) = 529113cc81256c6178f3c1cf25dd8d3f33e6d770e4a180bd31c6ab7e4917f40b
+SIZE (rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch) = 6218
+SHA256 (rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch) = d86d47ab74170f3648b45b91bce780949ca92b09ab43df065178850ec0c335d7
+SIZE (rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch) = 7883
+SHA256 (rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch) = d4535e36739a0cc7f3585e6bcba3c0bb8fc67cb3e729844e448c5dc751f47e81
+SIZE (rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch) = 6861
+SHA256 (rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch) = 793a54748161b5af430dd9de4a1988d19cb8e85ab29bc2340f886b0297cee20b
+SIZE (rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch) = 2566
+SHA256 (rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch) = 147c8abe07606905d16404fb2d2c8849796ca7c85ed8673c09bb50038bcdeb9e
+SIZE (rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch) = 1949
+SHA256 (rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch) = 596d4d3b63ea859ed7ea9791b3a21cb11b6173b04c0a14a2afa47edf1666afa6
+SIZE (rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch) = 4309
+SHA256 (rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch) = c8840d857b9432f3b488113c85c1ff5d4a4b8d81078b7033388dae1e990843b1
+SIZE (rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch) = 2750