Add patch set 2017-1.

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

Approved by:	leres (maintainer)
Security:	https://w1.fi/security/2017-1/ \
		wpa-packet-number-reuse-with-replayed-messages.txt
Security:	https://www.krackattacks.com/
MFH:		2017Q4
Differential Revision:	D12691

2 files changed, 25 insertions, 1 deletions

diff --git a/net/hostapd/Makefile b/net/hostapd/Makefile
index f06c98b330bb..49d1801b9927 100644
--- a/net/hostapd/Makefile
+++ b/net/hostapd/Makefile
@@ -3,8 +3,18 @@
 
 PORTNAME=	hostapd
 PORTVERSION=	2.6
+PORTREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	https://w1.fi/releases/
+PATCH_SITES=	https://w1.fi/security/2017-1/
+PATCHFILES=	rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch \
+	rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch \
+	rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch \
+	rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch \
+	rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch \
+	rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch \
+	rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
+PATCH_DIST_STRIP=	-p1
 
 MAINTAINER=	leres@FreeBSD.org
 COMMENT=	IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
diff --git a/net/hostapd/distinfo b/net/hostapd/distinfo
index 0b5b42e63be3..e31ca85ed580 100644
--- a/net/hostapd/distinfo
+++ b/net/hostapd/distinfo
@@ -1,3 +1,17 @@
-TIMESTAMP = 1489911667
+TIMESTAMP = 1508200169
 SHA256 (hostapd-2.6.tar.gz) = 01526b90c1d23bec4b0f052039cc4456c2fd19347b4d830d1d58a0a6aea7117d
 SIZE (hostapd-2.6.tar.gz) = 1822341
+SHA256 (rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch) = 529113cc81256c6178f3c1cf25dd8d3f33e6d770e4a180bd31c6ab7e4917f40b
+SIZE (rebased-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch) = 6218
+SHA256 (rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch) = d86d47ab74170f3648b45b91bce780949ca92b09ab43df065178850ec0c335d7
+SIZE (rebased-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch) = 7883
+SHA256 (rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch) = d4535e36739a0cc7f3585e6bcba3c0bb8fc67cb3e729844e448c5dc751f47e81
+SIZE (rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch) = 6861
+SHA256 (rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch) = 793a54748161b5af430dd9de4a1988d19cb8e85ab29bc2340f886b0297cee20b
+SIZE (rebased-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch) = 2566
+SHA256 (rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch) = 147c8abe07606905d16404fb2d2c8849796ca7c85ed8673c09bb50038bcdeb9e
+SIZE (rebased-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch) = 1949
+SHA256 (rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch) = 596d4d3b63ea859ed7ea9791b3a21cb11b6173b04c0a14a2afa47edf1666afa6
+SIZE (rebased-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch) = 4309
+SHA256 (rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch) = c8840d857b9432f3b488113c85c1ff5d4a4b8d81078b7033388dae1e990843b1
+SIZE (rebased-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch) = 2750