From: Cy Schubert
To: Stefan Esser
cc: freebsd-current@freebsd.org
Subject: Re: cve-2017-13077 - WPA2 security vulni
In-Reply-To: Message from Stefan Esser of "Mon, 16 Oct 2017 13:19:15 +0200." <21896d6e-75be-3376-bc32-9d911227de5c@freebsd.org>
Date: Mon, 16 Oct 2017 06:02:02 -0700

In message <21896d6e-75be-3376-bc32-9d911227de5c@freebsd.org>, Stefan Esser writes:
> On 16.10.17 at 12:38, blubee blubeeme wrote:
> > well, that's a cluster if I've ever seen one.
> >
> > On Mon, Oct 16, 2017 at 6:35 PM, Poul-Henning Kamp
> > wrote:
> >
> >> --------
> >> In message >> gmail.com>
> >> , blubee blubeeme writes:
> >>
> >>> Does anyone on FreeBSD know if it's affected by this?
> >>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-13077
> >>
> >> It is, same as Linux, we use the same wpa_supplicant software
>
> The attached patch includes the official patch applied by the WPA
> developers in https://w1.fi/cgit/hostap/commit/?id=a00e946 but
> for our version of wpa_supplicant in /usr/src/contrib.
>
> Regards, Stefan
> Index: contrib/wpa/src/rsn_supp/wpa.c
> ===================================================================
> --- contrib/wpa/src/rsn_supp/wpa.c (Revision 324638)
> +++ contrib/wpa/src/rsn_supp/wpa.c (Arbeitskopie)
> @@ -1534,6 +1534,14 @@
> sm->ptk_set = 1;
> os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
> os_memset(&sm->tptk, 0, sizeof(sm->tptk));
> + /*
> + * This assures the same TPTK in sm->tptk can never be
> + * copied twice to sm->pkt as the new PTK. In
> + * combination with the installed flag in the wpa_ptk
> + * struct, this assures the same PTK is only installed
> + * once.
> + */
> + sm->renew_snonce = 1;
> }
> }
>
>

We should also patch the wpa_supplicant and hostapd ports. Also remove peerkey functionality: http://w1.fi/cgit/hostap/commit/?id=e760851176c77ae6de19821bb1d5bf3ae2cb5187

Looks like hostapd is also affected. Simple for us, not so simple if you've purchased a commodity wireless router. I doubt most of the vendors will do anything.

There are over a dozen (excluding tests and debugging outputs, 16 by my count) commits our upstream have applied to hostapd and wpa_supplicant.

Rather than commit a blob, we should a) mirror their commits which can be MFCed to stable and b) then update head and ports to the latest upstream. B could be MFCed at a later date.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org
The need of the many outweighs the greed of the few.
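Review bot: the new comment block in the quoted hunk says the TPTK can never be copied twice to `sm->pkt`; that should read `sm->ptk`, the field the `os_memcpy` two lines above writes into, otherwise the comment names a member that does not exist. The same comment also states that the once-only guarantee holds only "in combination with the installed flag in the wpa_ptk struct", and this hunk adds neither that flag nor any check of it; if only this hunk is applied to contrib/wpa, `sm->renew_snonce = 1` is set but the second half of the protection the comment describes is absent, so the backport should carry the companion changes from the upstream commit along with it.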