KRACK attack: Patch wpa_supplicant & hostapd
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 16 Oct 2017 14:49:35 +0000 (15:49 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 16 Oct 2017 14:49:35 +0000 (15:49 +0100)
commitd7d5774529358c4ccbfc841f7ac1726d384a6bc9
tree078b7b19f3a5952332bd2dbc185aa84b4ad89979
parenta54350cdb9d56691644486a49b7e5b7594d8d504
KRACK attack: Patch wpa_supplicant & hostapd

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

This fixes: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
  CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
  CVE-2017-13087, CVE-2017-13088

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
18 files changed:
lfs/hostapd
lfs/wpa_supplicant
src/patches/wpa_supplicant/0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0004-Prevent-installation-of-an-all-zero-TK.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0006-TDLS-Reject-TPK-TK-reconfiguration.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch [new file with mode: 0644]
src/patches/wpa_supplicant/0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch [new file with mode: 0644]
src/patches/wpa_supplicant/rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch [new file with mode: 0644]