KRACK attack: Patch wpa_supplicant & hostapd
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 16 Oct 2017 14:49:35 +0000 (15:49 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 16 Oct 2017 14:52:12 +0000 (15:52 +0100)
commita10e6aaefe6cf2127b8b9f51ff45fef175f53e2c
treef0db5ff2ae3d99fc558b4e942ff979efebb5092b
parentde5862aaab0e73bffe32162de760b0f000d07d8f
KRACK attack: Patch wpa_supplicant & hostapd

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

This fixes: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
  CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
  CVE-2017-13087, CVE-2017-13088

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
18 files changed:
lfs/hostapd
lfs/wpa_supplicant
src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch [new file with mode: 0644]