Nixpkgs: Patches for WPA/WPA2 KRACK

@NixOS/security-notifications @grahamc I guess…

What other WPA/WPA2 client software do we have?

hostapd and wicd?

hostapd is hopefully AP-side (it will probably get released
simultaneously with wpa_supplicant, if there is anything to patch
there, though).

wicd, networkmanager etc. delegate encryption to wpa_supplicant.

• [x] hostapd
• [x] wpa_supplicant

@grahamc hostapd is AP-side and therefore unlikely to need any patches.

Re: reactions: i had a different idea what «hooray» means…

I'm patching with http://w1.fi/security/2017-1/ now

Check out Impact on AP/hostapd in http://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

I had just submitted #30468 for this. Didn't see this issue, my apologies.

@grahamc maybe just use fetchpatch for the entire upstream git diff, including attempts at hardening?

wpa_supplicant: ea50efcc67cfa6c8331b54ff33ab791dacd52fe4 (unstable), 83388e75603bda0ee0324d585070480fa6544547 (stable)
hostapd: 629965a53251afa23a60c08c16000b732374b9f9 (unstable), d1c53cd6fe09587654ec05630e03145e250e19d1 (stable)

@7c6f434c I'd rather wait until 2.7 comes out, which should be soon I think. I don't want to add too many patches, delaying the critical release.

I thought about grabbing a single diff from the repository — there is
a single block of related changes. But not sure.

@grahamc how can one verify that the patches have been applied after a nixos-rebuild?

Thanks.

@stefano-m run nixos-version.
The part after the last dot in the version string is the commit short hash.
It should match one of those @grahamc wrote.

Thanks for the tip @rnhmjoj

@stefano-m If it doesn't match you may be at a newer commit. In that case you have to check against the git history of nixpkgs or using this page (try clicking on some of the green build numbers and you should find your hash)

@rnhmjoj You can actually do this through Git if you have the repo cloned:

if (git merge-base --is-ancestor ea50efc HEAD && git merge-base --is-ancestor 629965a HEAD) || \
   (git merge-base --is-ancestor 83388e7 HEAD && git merge-base --is-ancestor d1c53cd HEAD); then
  echo "wpa_supplicant and hostapd patched"
else
  echo "wpa_supplicant and hostapd NOT patched"
fi

in "0005-Prevent-installation-of-an-all-zero-TK.patch"
@@ -219,6 +219,7 @@ struct wpa_ptk {
size_t kck_len;
size_t kek_len;
size_t tk_len;

• int installed; /* 1 if key has already been installed to driver */
  };

I found “installed” item did not been initiated, but first used in wpa_supplicant_process_1_of_4 to judge if reinstall or not. I have found through all the sm->ptk, but did not found any value assign or memset, as we know if it's not initated, "installed" could be any value in some platform. Does anybody know that?

wpa_supplicant 2.6 has been released on 2016-10-02, are there any plans to land this on NixOS 17.09? Would it be worth opening a new issue?

@stefano-m AFAICT 17.09 does ship 2.6, and nixpkgs has done so for a year

D'Oh! I meant 2.7 which clearly is not out yet... I even copy-pasted the 2016 date!

Apologies.

I am running wpa_supplicant 2.6 and need to apply the patches listed in http://w1.fi/security/2017-1/. My questions are:

1. What is the difference between the 000 patches and the rebase patches?
2. If I am running the 2.6 wpa_supplicant do I need all 16 patches or just the rebase versions?

Thanks so much

To be clear, nixos-17.099, nixos-unstable, and nixpkgs-unstable has been patched for KRACK for 7-8 days.