wpa: Import wpa 2.11 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2024-07-21 13:14:24 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2024-07-21 13:14:24 +0000
commit	950d2f43375b87e95ebc0ecda9b281b84b2213d7 (patch)
tree	e5c37bef0e53ac309e9c1f0c7859da6098a18f0a /hostapd/ChangeLog
parent	df0c787c3ece1d65fd6fef34aa8f56da557b5ac0 (diff)

vendor/wpa/2.11

Diffstat (limited to 'hostapd/ChangeLog')

-rw-r--r--

hostapd/ChangeLog

1321

1 files changed, 0 insertions, 1321 deletions

diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
deleted file mode 100644
index 279298e4d4d4..000000000000
--- a/hostapd/ChangeLog
+++ /dev/null

@@ -1,1321 +0,0 @@

-ChangeLog for hostapd

-2022-01-16 - v2.10

- * SAE changes

- - improved protection against side channel attacks

- [https://w1.fi/security/2022-1/]

- - added option send SAE Confirm immediately (sae_config_immediate=1)

- after SAE Commit

- - added support for the hash-to-element mechanism (sae_pwe=1 or

- sae_pwe=2)

- - fixed PMKSA caching with OKC

- - added support for SAE-PK

- * EAP-pwd changes

- - improved protection against side channel attacks

- [https://w1.fi/security/2022-1/]

- * fixed WPS UPnP SUBSCRIBE handling of invalid operations

- [https://w1.fi/security/2020-1/]

- * fixed PMF disconnection protection bypass

- [https://w1.fi/security/2019-7/]

- * added support for using OpenSSL 3.0

- * fixed various issues in experimental support for EAP-TEAP server

- * added configuration (max_auth_rounds, max_auth_rounds_short) to

- increase the maximum number of EAP message exchanges (mainly to

- support cases with very large certificates) for the EAP server

- * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)

- * extended HE (IEEE 802.11ax) support, including 6 GHz support

- * removed obsolete IAPP functionality

- * fixed EAP-FAST server with TLS GCM/CCM ciphers

- * dropped support for libnl 1.1

- * added support for nl80211 control port for EAPOL frame TX/RX

- * fixed OWE key derivation with groups 20 and 21; this breaks backwards

- compatibility for these groups while the default group 19 remains

- backwards compatible; owe_ptk_workaround=1 can be used to enabled a

- a workaround for the group 20/21 backwards compatibility

- * added support for Beacon protection

- * added support for Extended Key ID for pairwise keys

- * removed WEP support from the default build (CONFIG_WEP=y can be used

- to enable it, if really needed)

- * added a build option to remove TKIP support (CONFIG_NO_TKIP=y)

- * added support for Transition Disable mechanism to allow the AP to

- automatically disable transition mode to improve security

- * added support for PASN

- * added EAP-TLS server support for TLS 1.3 (disabled by default for now)

- * a large number of other fixes, cleanup, and extensions

-2019-08-07 - v2.9

- * SAE changes

- - disable use of groups using Brainpool curves

- - improved protection against side channel attacks

- [https://w1.fi/security/2019-6/]

- * EAP-pwd changes

- - disable use of groups using Brainpool curves

- - improved protection against side channel attacks

- [https://w1.fi/security/2019-6/]

- * fixed FT-EAP initial mobility domain association using PMKSA caching

- * added configuration of airtime policy

- * fixed FILS to and RSNE into (Re)Association Response frames

- * fixed DPP bootstrapping URI parser of channel list

- * added support for regulatory WMM limitation (for ETSI)

- * added support for MACsec Key Agreement using IEEE 802.1X/PSK

- * added experimental support for EAP-TEAP server (RFC 7170)

- * added experimental support for EAP-TLS server with TLS v1.3

- * added support for two server certificates/keys (RSA/ECC)

- * added AKMSuiteSelector into "STA <addr>" control interface data to

- determine with AKM was used for an association

- * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and

- fast reauthentication use to be disabled

- * fixed an ECDH operation corner case with OpenSSL

-2019-04-21 - v2.8

- * SAE changes

- - added support for SAE Password Identifier

- - changed default configuration to enable only group 19

- (i.e., disable groups 20, 21, 25, 26 from default configuration) and

- disable all unsuitable groups completely based on REVmd changes

- - improved anti-clogging token mechanism and SAE authentication

- frame processing during heavy CPU load; this mitigates some issues

- with potential DoS attacks trying to flood an AP with large number

- of SAE messages

- - added Finite Cyclic Group field in status code 77 responses

- - reject use of unsuitable groups based on new implementation guidance

- in REVmd (allow only FFC groups with prime >= 3072 bits and ECC

- groups with prime >= 256)

- - minimize timing and memory use differences in PWE derivation

- [https://w1.fi/security/2019-1/] (CVE-2019-9494)

- - fixed confirm message validation in error cases

- [https://w1.fi/security/2019-3/] (CVE-2019-9496)

- * EAP-pwd changes

- - minimize timing and memory use differences in PWE derivation

- [https://w1.fi/security/2019-2/] (CVE-2019-9495)

- - verify peer scalar/element

- [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)

- - fix message reassembly issue with unexpected fragment

- [https://w1.fi/security/2019-5/]

- - enforce rand,mask generation rules more strictly

- - fix a memory leak in PWE derivation

- - disallow ECC groups with a prime under 256 bits (groups 25, 26, and

- 27)

- * Hotspot 2.0 changes

- - added support for release number 3

- - reject release 2 or newer association without PMF

- * added support for RSN operating channel validation

- (CONFIG_OCV=y and configuration parameter ocv=1)

- * added Multi-AP protocol support

- * added FTM responder configuration

- * fixed build with LibreSSL

- * added FT/RRB workaround for short Ethernet frame padding

- * fixed KEK2 derivation for FILS+FT

- * added RSSI-based association rejection from OCE

- * extended beacon reporting functionality

- * VLAN changes

- - allow local VLAN management with remote RADIUS authentication

- - add WPA/WPA2 passphrase/PSK -based VLAN assignment

- * OpenSSL: allow systemwide policies to be overridden

- * extended PEAP to derive EMSK to enable use with ERP/FILS

- * extended WPS to allow SAE configuration to be added automatically

- for PSK (wps_cred_add_sae=1)

- * fixed FT and SA Query Action frame with AP-MLME-in-driver cases

- * OWE: allow Diffie-Hellman Parameter element to be included with DPP

- in preparation for DPP protocol extension

- * RADIUS server: started to accept ERP keyName-NAI as user identity

- automatically without matching EAP database entry

- * fixed PTK rekeying with FILS and FT

-2018-12-02 - v2.7

- * fixed WPA packet number reuse with replayed messages and key

- reinstallation

- [http://w1.fi/security/2017-1/] (CVE-2017-13082)

- * added support for FILS (IEEE 802.11ai) shared key authentication

- * added support for OWE (Opportunistic Wireless Encryption, RFC 8110;

- and transition mode defined by WFA)

- * added support for DPP (Wi-Fi Device Provisioning Protocol)

- * FT:

- - added local generation of PMK-R0/PMK-R1 for FT-PSK

- (ft_psk_generate_local=1)

- - replaced inter-AP protocol with a cleaner design that is more

- easily extensible; this breaks backward compatibility and requires

- all APs in the ESS to be updated at the same time to maintain FT

- functionality

- - added support for wildcard R0KH/R1KH

- - replaced r0_key_lifetime (minutes) parameter with

- ft_r0_key_lifetime (seconds)

- - fixed wpa_psk_file use for FT-PSK

- - fixed FT-SAE PMKID matching

- - added expiration to PMK-R0 and PMK-R1 cache

- - added IEEE VLAN support (including tagged VLANs)

- - added support for SHA384 based AKM

- * SAE

- - fixed some PMKSA caching cases with SAE

- - added support for configuring SAE password separately of the

- WPA2 PSK/passphrase

- - added option to require MFP for SAE associations

- (sae_require_pmf=1)

- - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection

- for SAE;

- note: this is not backwards compatible, i.e., both the AP and

- station side implementations will need to be update at the same

- time to maintain interoperability

- - added support for Password Identifier

- * hostapd_cli: added support for command history and completion

- * added support for requesting beacon report

- * large number of other fixes, cleanup, and extensions

- * added option to configure EAPOL-Key retry limits

- (wpa_group_update_count and wpa_pairwise_update_count)

- * removed all PeerKey functionality

- * fixed nl80211 AP mode configuration regression with Linux 4.15 and

- newer

- * added support for using wolfSSL cryptographic library

- * fixed some 20/40 MHz coexistence cases where the BSS could drop to

- 20 MHz even when 40 MHz would be allowed

- * Hotspot 2.0

- - added support for setting Venue URL ANQP-element (venue_url)

- - added support for advertising Hotspot 2.0 operator icons

- - added support for Roaming Consortium Selection element

- - added support for Terms and Conditions

- - added support for OSEN connection in a shared RSN BSS

- * added support for using OpenSSL 1.1.1

- * added EAP-pwd server support for salted passwords

-2016-10-02 - v2.6

- * fixed EAP-pwd last fragment validation

- [http://w1.fi/security/2015-7/] (CVE-2015-5314)

- * fixed WPS configuration update vulnerability with malformed passphrase

- [http://w1.fi/security/2016-1/] (CVE-2016-4476)

- * extended channel switch support for VHT bandwidth changes

- * added support for configuring new ANQP-elements with

- anqp_elem=<InfoID>:<hexdump of payload>

- * fixed Suite B 192-bit AKM to use proper PMK length

- (note: this makes old releases incompatible with the fixed behavior)

- * added no_probe_resp_if_max_sta=1 parameter to disable Probe Response

- frame sending for not-associated STAs if max_num_sta limit has been

- reached

- * added option (-S as command line argument) to request all interfaces

- to be started at the same time

- * modified rts_threshold and fragm_threshold configuration parameters

- to allow -1 to be used to disable RTS/fragmentation

- * EAP-pwd: added support for Brainpool Elliptic Curves

- (with OpenSSL 1.0.2 and newer)

- * fixed EAPOL reauthentication after FT protocol run

- * fixed FTIE generation for 4-way handshake after FT protocol run

- * fixed and improved various FST operations

- * TLS server

- - support SHA384 and SHA512 hashes

- - support TLS v1.2 signature algorithm with SHA384 and SHA512

- - support PKCS #5 v2.0 PBES2

- - support PKCS #5 with PKCS #12 style key decryption

- - minimal support for PKCS #12

- - support OCSP stapling (including ocsp_multi)

- * added support for OpenSSL 1.1 API changes

- - drop support for OpenSSL 0.9.8

- - drop support for OpenSSL 1.0.0

- * EAP-PEAP: support fast-connect crypto binding

- * RADIUS

- - fix Called-Station-Id to not escape SSID

- - add Event-Timestamp to all Accounting-Request packets

- - add Acct-Session-Id to Accounting-On/Off

- - add Acct-Multi-Session-Id ton Access-Request packets

- - add Service-Type (= Frames)

- - allow server to provide PSK instead of passphrase for WPA-PSK

- Tunnel_password case

- - update full message for interim accounting updates

- - add Acct-Delay-Time into Accounting messages

- - add require_message_authenticator configuration option to require

- CoA/Disconnect-Request packets to be authenticated

- * started to postpone WNM-Notification frame sending by 100 ms so that

- the STA has some more time to configure the key before this frame is

- received after the 4-way handshake

- * VHT: added interoperability workaround for 80+80 and 160 MHz channels

- * extended VLAN support (per-STA vif, etc.)

- * fixed PMKID derivation with SAE

- * nl80211

- - added support for full station state operations

- - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use

- unencrypted EAPOL frames

- * added initial MBO support; number of extensions to WNM BSS Transition

- Management

- * added initial functionality for location related operations

- * added assocresp_elements parameter to allow vendor specific elements

- to be added into (Re)Association Response frames

- * improved Public Action frame addressing

- - use Address 3 = wildcard BSSID in GAS response if a query from an

- unassociated STA used that address

- - fix TX status processing for Address 3 = wildcard BSSID

- - add gas_address3 configuration parameter to control Address 3

- behavior

- * added command line parameter -i to override interface parameter in

- hostapd.conf

- * added command completion support to hostapd_cli

- * added passive client taxonomy determination (CONFIG_TAXONOMY=y

- compile option and "SIGNATURE <addr>" control interface command)

- * number of small fixes

-2015-09-27 - v2.5

- * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding

- [http://w1.fi/security/2015-2/] (CVE-2015-4141)

- * fixed WMM Action frame parser

- [http://w1.fi/security/2015-3/] (CVE-2015-4142)

- * fixed EAP-pwd server missing payload length validation

- [http://w1.fi/security/2015-4/]

- (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145)

- * fixed validation of WPS and P2P NFC NDEF record payload length

- [http://w1.fi/security/2015-5/]

- * nl80211:

- - fixed vendor command handling to check OUI properly

- * fixed hlr_auc_gw build with OpenSSL

- * hlr_auc_gw: allow Milenage RES length to be reduced

- * disable HT for a station that does not support WMM/QoS

- * added support for hashed password (NtHash) in EAP-pwd server

- * fixed and extended dynamic VLAN cases

- * added EAP-EKE server support for deriving Session-Id

- * set Acct-Session-Id to a random value to make it more likely to be

- unique even if the device does not have a proper clock

- * added more 2.4 GHz channels for 20/40 MHz HT co-ex scan

- * modified SAE routines to be more robust and PWE generation to be

- stronger against timing attacks

- * added support for Brainpool Elliptic Curves with SAE

- * increases maximum value accepted for cwmin/cwmax

- * added support for CCMP-256 and GCMP-256 as group ciphers with FT

- * added Fast Session Transfer (FST) module

- * removed optional fields from RSNE when using FT with PMF

- (workaround for interoperability issues with iOS 8.4)

- * added EAP server support for TLS session resumption

- * fixed key derivation for Suite B 192-bit AKM (this breaks

- compatibility with the earlier version)

- * added mechanism to track unconnected stations and do minimal band

- steering

- * number of small fixes

-2015-03-15 - v2.4

- * allow OpenSSL cipher configuration to be set for internal EAP server

- (openssl_ciphers parameter)

- * fixed number of small issues based on hwsim test case failures and

- static analyzer reports

- * fixed Accounting-Request to not include duplicated Acct-Session-Id

- * add support for Acct-Multi-Session-Id in RADIUS Accounting messages

- * add support for PMKSA caching with SAE

- * add support for generating BSS Load element (bss_load_update_period)

- * fixed channel switch from VHT to HT

- * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events

- * add support for learning STA IPv4/IPv6 addresses and configuring

- ProxyARP support

- * dropped support for the madwifi driver interface

- * add support for Suite B (128-bit and 192-bit level) key management and

- cipher suites

- * fixed a regression with driver=wired

- * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce

- * add BSS_TM_REQ ctrl_iface command to send BSS Transition Management

- Request frames and BSS-TM-RESP event to indicate response to such

- frame

- * add support for EAP Re-Authentication Protocol (ERP)

- * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled

- * fixed a regression in HT 20/40 coex Action frame parsing

- * set stdout to be line-buffered

- * add support for vendor specific VHT extension to enable 256 QAM rates

- (VHT-MCS 8 and 9) on 2.4 GHz band

- * RADIUS DAS:

- - extend Disconnect-Request processing to allow matching of multiple

- sessions

- - support Acct-Multi-Session-Id as an identifier

- - allow PMKSA cache entry to be removed without association

- * expire hostapd STA entry if kernel does not have a matching entry

- * allow chanlist to be used to specify a subset of channels for ACS

- * improve ACS behavior on 2.4 GHz band and allow channel bias to be

- configured with acs_chan_bias parameter

- * do not reply to a Probe Request frame that includes DSS Parameter Set

- element in which the channel does not match the current operating

- channel

- * add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon

- frame contents to be updated and to start beaconing on an interface

- that used start_disabled=1

- * fixed some RADIUS server failover cases

-2014-10-09 - v2.3

- * fixed number of minor issues identified in static analyzer warnings

- * fixed DFS and channel switch operation for multi-BSS cases

- * started to use constant time comparison for various password and hash

- values to reduce possibility of any externally measurable timing

- differences

- * extended explicit clearing of freed memory and expired keys to avoid

- keeping private data in memory longer than necessary

- * added support for number of new RADIUS attributes from RFC 7268

- (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher,

- WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher)

- * fixed GET_CONFIG wpa_pairwise_cipher value

- * added code to clear bridge FDB entry on station disconnection

- * fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases

- * fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop

- in case the first entry does not match

- * fixed hostapd_cli action script execution to use more robust mechanism

- (CVE-2014-3686)

-2014-06-04 - v2.2

- * fixed SAE confirm-before-commit validation to avoid a potential

- segmentation fault in an unexpected message sequence that could be

- triggered remotely

- * extended VHT support

- - Operating Mode Notification

- - Power Constraint element (local_pwr_constraint)

- - Spectrum management capability (spectrum_mgmt_required=1)

- - fix VHT80 segment picking in ACS

- - fix vht_capab 'Maximum A-MPDU Length Exponent' handling

- - fix VHT20

- * fixed HT40 co-ex scan for some pri/sec channel switches

- * extended HT40 co-ex support to allow dynamic channel width changes

- during the lifetime of the BSS

- * fixed HT40 co-ex support to check for overlapping 20 MHz BSS

- * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;

- this fixes password with include UTF-8 characters that use

- three-byte encoding EAP methods that use NtPasswordHash

- * reverted TLS certificate validation step change in v2.1 that rejected

- any AAA server certificate with id-kp-clientAuth even if

- id-kp-serverAuth EKU was included

- * fixed STA validation step for WPS ER commands to prevent a potential

- crash if an ER sends an unexpected PutWLANResponse to a station that

- is disassociated, but not fully removed

- * enforce full EAP authentication after RADIUS Disconnect-Request by

- removing the PMKSA cache entry

- * added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address

- in RADIUS Disconnect-Request

- * added mechanism for removing addresses for MAC ACLs by prefixing an

- entry with "-"

- * Interworking/Hotspot 2.0 enhancements

- - support Hotspot 2.0 Release 2

- * OSEN network for online signup connection

- * subscription remediation (based on RADIUS server request or

- control interface HS20_WNM_NOTIF for testing purposes)

- * Hotspot 2.0 release number indication in WFA RADIUS VSA

- * deauthentication request (based on RADIUS server request or

- control interface WNM_DEAUTH_REQ for testing purposes)

- * Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent

- * hs20_icon config parameter to configure icon files for OSU

- * osu_* config parameters for OSU Providers list

- - do not use Interworking filtering rules on Probe Request if

- Interworking is disabled to avoid interop issues

- * added/fixed nl80211 functionality

- - AP interface teardown optimization

- - support vendor specific driver command

- (VENDOR <vendor id> <sub command id> [<hex formatted data>])

- * fixed PMF protection of Deauthentication frame when this is triggered

- by session timeout

- * internal TLS implementation enhancements/fixes

- - add SHA256-based cipher suites

- - add DHE-RSA cipher suites

- - fix X.509 validation of PKCS#1 signature to check for extra data

- * RADIUS server functionality

- - add minimal RADIUS accounting server support (hostapd-as-server);

- this is mainly to enable testing coverage with hwsim scripts

- - allow authentication log to be written into SQLite database

- - added option for TLS protocol testing of an EAP peer by simulating

- various misbehaviors/known attacks

- - MAC ACL support for testing purposes

- * fixed PTK derivation for CCMP-256 and GCMP-256

- * extended WPS per-station PSK to support ER case

- * added option to configure the management group cipher

- (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256,

- BIP-CMAC-256)

- * fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these

- were rounded incorrectly)

- * added support for postponing FT response in case PMK-R1 needs to be

- pulled from R0KH

- * added option to advertise 40 MHz intolerant HT capability with

- ht_capab=[40-INTOLERANT]

- * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled

- whenever CONFIG_WPS=y is set

- * EAP-pwd fixes

- - fix possible segmentation fault on EAP method deinit if an invalid

- group is negotiated

- * fixed RADIUS client retransmit/failover behavior

- - there was a potential ctash due to freed memory being accessed

- - failover to a backup server mechanism did not work properly

- * fixed a possible crash on double DISABLE command when multiple BSSes

- are enabled

- * fixed a memory leak in SAE random number generation

- * fixed GTK rekeying when the station uses FT protocol

- * fixed off-by-one bounds checking in printf_encode()

- - this could result in deinial of service in some EAP server cases

- * various bug fixes

-2014-02-04 - v2.1

- * added support for simultaneous authentication of equals (SAE) for

- stronger password-based authentication with WPA2-Personal

- * added nl80211 functionality

- - VHT configuration for nl80211

- - support split wiphy dump

- - driver-based MAC ACL

- - QoS Mapping configuration

- * added fully automated regression testing with mac80211_hwsim

- * allow ctrl_iface group to be specified on command line (-G<group>)

- * allow single hostapd process to control independent WPS interfaces

- (wps_independent=1) instead of synchronized operations through all

- configured interfaces within a process

- * avoid processing received management frames multiple times when using

- nl80211 with multiple BSSes

- * added support for DFS (processing radar detection events, CAC, channel

- re-selection)

- * added EAP-EKE server

- * added automatic channel selection (ACS)

- * added option for using per-BSS (vif) configuration files with

- -b<phyname>:<config file name>

- * extended global control interface ADD/REMOVE commands to allow BSSes

- of a radio to be removed individually without having to add/remove all

- other BSSes of the radio at the same time

- * added support for sending debug info to Linux tracing (-T on command

- line)

- * replace dump_file functionality with same information being available

- through the hostapd control interface

- * added support for using Protected Dual of Public Action frames for

- GAS/ANQP exchanges when PMF is enabled

- * added support for WPS+NFC updates

- - improved protocol

- - option to fetch and report alternative carrier records for external

- NFC operations

- * various bug fixes

-2013-01-12 - v2.0

- * added AP-STA-DISCONNECTED ctrl_iface event

- * improved debug logging (human readable event names, interface name

- included in more entries)

- * added number of small changes to make it easier for static analyzers

- to understand the implementation

- * added a workaround for Windows 7 Michael MIC failure reporting and

- use of the Secure bit in EAPOL-Key msg 3/4

- * fixed number of small bugs (see git logs for more details)

- * changed OpenSSL to read full certificate chain from server_cert file

- * nl80211: number of updates to use new cfg80211/nl80211 functionality

- - replace monitor interface with nl80211 commands

- - additional information for driver-based AP SME

- * EAP-pwd:

- - fix KDF for group 21 and zero-padding

- - added support for fragmentation

- - increased maximum number of hunting-and-pecking iterations

- * avoid excessive Probe Response retries for broadcast Probe Request

- frames (only with drivers using hostapd SME/MLME)

- * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y)

- * fixed WPS operation stopping on dual concurrent AP

- * added wps_rf_bands configuration parameter for overriding RF Bands

- value for WPS

- * added support for getting per-device PSK from RADIUS Tunnel-Password

- * added support for libnl 3.2 and newer

- * increased initial group key handshake retransmit timeout to 500 ms

- * added a workaround for 4-way handshake to update SNonce even after

- having sent EAPOL-Key 3/4 to avoid issues with some supplicant

- implementations that can change SNonce for each EAP-Key 2/4

- * added a workaround for EAPOL-Key 4/4 using incorrect type value in

- WPA2 mode (some deployed stations use WPA type in that message)

- * added a WPS workaround for mixed mode AP Settings with Windows 7

- * changed WPS AP PIN disabling mechanism to disable the PIN after 10

- consecutive failures in addition to using the exponential lockout

- period

- * added support for WFA Hotspot 2.0

- - GAS/ANQP advertisement of network information

- - disable_dgaf parameter to disable downstream group-addressed

- forwarding

- * simplified licensing terms by selecting the BSD license as the only

- alternative

- * EAP-SIM: fixed re-authentication not to update pseudonym

- * EAP-SIM: use Notification round before EAP-Failure

- * EAP-AKA: added support for AT_COUNTER_TOO_SMALL

- * EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized

- * EAP-AKA': fixed identity for MK derivation

- * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this

- breaks interoperability with older versions

- * EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id

- * changed ANonce to be a random number instead of Counter-based

- * added support for canceling WPS operations with hostapd_cli wps_cancel

- * fixed EAP/WPS to PSK transition on reassociation in cases where

- deauthentication is missed

- * hlr_auc_gw enhancements:

- - a new command line parameter -u can be used to enable updating of

- SQN in Milenage file

- - use 5 bit IND for SQN updates

- - SQLite database can now be used to store Milenage information

- * EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms

- and reauth data

- * added support for Chargeable-User-Identity (RFC 4372)

- * added radius_auth_req_attr and radius_acct_req_attr configuration

- parameters to allow adding/overriding of RADIUS attributes in

- Access-Request and Accounting-Request packets

- * added support for RADIUS dynamic authorization server (RFC 5176)

- * added initial support for WNM operations

- - BSS max idle period

- - WNM-Sleep Mode

- * added new WPS NFC ctrl_iface mechanism

- - removed obsoleted WPS_OOB command (including support for deprecated

- UFD config_method)

- * added FT support for drivers that implement MLME internally

- * added SA Query support for drivers that implement MLME internally

- * removed default ACM=1 from AC_VO and AC_VI

- * changed VENDOR-TEST EAP method to use proper private enterprise number

- (this will not interoperate with older versions)

- * added hostapd.conf parameter vendor_elements to allow arbitrary vendor

- specific elements to be added to the Beacon and Probe Response frames

- * added support for configuring GCMP cipher for IEEE 802.11ad

- * added support for 256-bit AES with internal TLS implementation

- * changed EAPOL transmission to use AC_VO if WMM is active

- * fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length

- correctly; invalid messages could have caused the hostapd process to

- terminate before this fix [CVE-2012-4445]

- * limit number of active wildcard PINs for WPS Registrar to one to avoid

- confusing behavior with multiple wildcard PINs

- * added a workaround for WPS PBC session overlap detection to avoid

- interop issues with deployed station implementations that do not

- remove active PBC indication from Probe Request frames properly

- * added support for using SQLite for the eap_user database

- * added Acct-Session-Id attribute into Access-Request messages

- * fixed EAPOL frame transmission to non-QoS STAs with nl80211

- (do not send QoS frames if the STA did not negotiate use of QoS for

- this association)

-2012-05-10 - v1.0

- * Add channel selection support in hostapd. See hostapd.conf.

- * Add support for IEEE 802.11v Time Advertisement mechanism with UTC

- TSF offset. See hostapd.conf for config info.

- * Delay STA entry removal until Deauth/Disassoc TX status in AP mode.

- This allows the driver to use PS buffering of Deauthentication and

- Disassociation frames when the STA is in power save sleep. Only

- available with drivers that provide TX status events for Deauth/

- Disassoc frames (nl80211).

- * Allow PMKSA caching to be disabled on the Authenticator. See

- hostap.conf config parameter disable_pmksa_caching.

- * atheros: Add support for IEEE 802.11w configuration.

- * bsd: Add support for setting HT values in IFM_MMASK.

- * Allow client isolation to be configured with ap_isolate. Client

- isolation can be used to prevent low-level bridging of frames

- between associated stations in the BSS. By default, this bridging

- is allowed.

- * Allow coexistance of HT BSSes with WEP/TKIP BSSes.

- * Add require_ht config parameter, which can be used to configure

- hostapd to reject association with any station that does not support

- HT PHY.

- * Add support for writing debug log to a file using "-f" option. Also

- add relog CLI command to re-open the log file.

- * Add bridge handling for WDS STA interfaces. By default they are

- added to the configured bridge of the AP interface (if present),

- but the user can also specify a separate bridge using cli command

- wds_bridge.

- * hostapd_cli:

- - Add wds_bridge command for specifying bridge for WDS STA

- interfaces.

- - Add relog command for reopening log file.

- - Send AP-STA-DISCONNECTED event when an AP disconnects a station

- due to inactivity.

- - Add wps_config ctrl_interface command for configuring AP. This

- command can be used to configure the AP using the internal WPS

- registrar. It works in the same way as new AP settings received

- from an ER.

- - Many WPS/WPS ER commands - see WPS/WPS ER sections for details.

- - Add command get version, that returns hostapd version string.

- * WNM: Add BSS Transition Management Request for ESS Disassoc Imminent.

- Use hostapd_cli ess_disassoc (STA addr) (URL) to send the

- notification to the STA.

- * Allow AP mode to disconnect STAs based on low ACK condition (when

- the data connection is not working properly, e.g., due to the STA

- going outside the range of the AP). Disabled by default, enable by

- config option disassoc_low_ack.

- * Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad

- config file.

- * WPS:

- - Send AP Settings as a wrapped Credential attribute to ctrl_iface

- in WPS-NEW-AP-SETTINGS.

- - Dispatch more WPS events through hostapd ctrl_iface.

- - Add mechanism for indicating non-standard WPS errors.

- - Change concurrent radio AP to use only one WPS UPnP instance.

- - Add wps_check_pin command for processing PIN from user input.

- UIs can use this command to process a PIN entered by a user and to

- validate the checksum digit (if present).

- - Add hostap_cli get_config command to display current AP config.

- - Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at

- runtime and support dynamic AP PIN management.

- - Disable AP PIN after 10 consecutive failures. Slow down attacks

- on failures up to 10.

- - Allow AP to start in Enrollee mode without AP PIN for probing,

- to be compatible with Windows 7.

- - Add Config Error into WPS-FAIL events to provide more info

- to the user on how to resolve the issue.

- - When controlling multiple interfaces:

- - apply WPS commands to all interfaces configured to use WPS

- - apply WPS config changes to all interfaces that use WPS

- - when an attack is detected on any interface, disable AP PIN on

- all interfaces

- * WPS ER:

- - Show SetSelectedRegistrar events as ctrl_iface events.

- - Add special AP Setup Locked mode to allow read only ER.

- ap_setup_locked=2 can now be used to enable a special mode where

- WPS ER can learn the current AP settings, but cannot change them.

- * WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2)

- - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool

- for testing protocol extensibility.

- - Add build option CONFIG_WPS_STRICT to allow disabling of WPS

- workarounds.

- - Add support for AuthorizedMACs attribute.

- * TDLS:

- - Allow TDLS use or TDLS channel switching in the BSS to be

- prohibited in the BSS, using config params tdls_prohibit and

- tdls_prohibit_chan_switch.

- * EAP server: Add support for configuring fragment size (see

- fragment_size in hostapd.conf).

- * wlantest: Add a tool wlantest for IEEE802.11 protocol testing.

- wlantest can be used to capture frames from a monitor interface

- for realtime capturing or from pcap files for offline analysis.

- * Interworking: Support added for 802.11u. Enable in .config with

- CONFIG_INTERWORKING. See hostapd.conf for config parameters for

- interworking.

- * Android: Add build and runtime support for Android hostapd.

- * Add a new debug message level for excessive information. Use

- -ddd to enable.

- * TLS: Add support for tls_disable_time_checks=1 in client mode.

- * Internal TLS:

- - Add support for TLS v1.1 (RFC 4346). Enable with build parameter

- CONFIG_TLSV11.

- - Add domainComponent parser for X.509 names

- * Reorder some IEs to get closer to IEEE 802.11 standard. Move

- WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames.

- Move HT IEs to be later in (Re)Assoc Resp.

- * Many bugfixes.

-2010-04-18 - v0.7.2

- * fix WPS internal Registrar use when an external Registrar is also

- active

- * bsd: Cleaned up driver wrapper and added various low-level

- configuration options

- * TNC: fixed issues with fragmentation

- * EAP-TNC: add Flags field into fragment acknowledgement (needed to

- interoperate with other implementations; may potentially breaks

- compatibility with older wpa_supplicant/hostapd versions)

- * cleaned up driver wrapper API for multi-BSS operations

- * nl80211: fix multi-BSS and VLAN operations

- * fix number of issues with IEEE 802.11r/FT; this version is not

- backwards compatible with old versions

- * add SA Query Request processing in AP mode (IEEE 802.11w)

- * fix IGTK PN in group rekeying (IEEE 802.11w)

- * fix WPS PBC session overlap detection to use correct attribute

- * hostapd_notif_Assoc() can now be called with all IEs to simplify

- driver wrappers

- * work around interoperability issue with some WPS External Registrar

- implementations

- * nl80211: fix WPS IE update

- * hostapd_cli: add support for action script operations (run a script

- on hostapd events)

- * fix DH padding with internal crypto code (mainly, for WPS)

- * fix WPS association with both WPS IE and WPA/RSN IE present with

- driver wrappers that use hostapd MLME (e.g., nl80211)

-2010-01-16 - v0.7.1

- * cleaned up driver wrapper API (struct wpa_driver_ops); the new API

- is not fully backwards compatible, so out-of-tree driver wrappers

- will need modifications

- * cleaned up various module interfaces

- * merge hostapd and wpa_supplicant developers' documentation into a

- single document

- * fixed HT Capabilities IE with nl80211 drivers

- * moved generic AP functionality code into src/ap

- * WPS: handle Selected Registrar as union of info from all Registrars

- * remove obsolete Prism54.org driver wrapper

- * added internal debugging mechanism with backtrace support and memory

- allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y)

- * EAP-FAST server: piggyback Phase 2 start with the end of Phase 1

- * WPS: add support for dynamically selecting whether to provision the

- PSK as an ASCII passphrase or PSK

- * added support for WDS (4-address frame) mode with per-station virtual

- interfaces (wds_sta=1 in config file; only supported with

- driver=nl80211 for now)

- * fixed WPS Probe Request processing to handle missing required

- attribute

- * fixed PKCS#12 use with OpenSSL 1.0.0

- * detect bridge interface automatically so that bridge parameter in

- hostapd.conf becomes optional (though, it may now be used to

- automatically add then WLAN interface into a bridge with

- driver=nl80211)

-2009-11-21 - v0.7.0

- * increased hostapd_cli ping interval to 5 seconds and made this

- configurable with a new command line options (-G<seconds>)

- * driver_nl80211: use Linux socket filter to improve performance

- * added support for external Registrars with WPS (UPnP transport)

- * 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel

- * driver_nl80211: fixed STA accounting data collection (TX/RX bytes

- reported correctly; TX/RX packets not yet available from kernel)

- * added support for WPS USBA out-of-band mechanism with USB Flash

- Drives (UFD) (CONFIG_WPS_UFD=y)

- * fixed EAPOL/EAP reauthentication when using an external RADIUS

- authentication server

- * fixed TNC with EAP-TTLS

- * fixed IEEE 802.11r key derivation function to match with the standard

- (note: this breaks interoperability with previous version) [Bug 303]

- * fixed SHA-256 based key derivation function to match with the

- standard when using CCMP (for IEEE 802.11r and IEEE 802.11w)

- (note: this breaks interoperability with previous version) [Bug 307]

- * added number of code size optimizations to remove unnecessary

- functionality from the program binary based on build configuration

- (part of this automatic; part configurable with CONFIG_NO_* build

- options)

- * use shared driver wrapper files with wpa_supplicant

- * driver_nl80211: multiple updates to provide support for new Linux

- nl80211/mac80211 functionality

- * updated management frame protection to use IEEE Std 802.11w-2009

- * fixed number of small WPS issues and added workarounds to

- interoperate with common deployed broken implementations

- * added some IEEE 802.11n co-existence rules to disable 40 MHz channels

- or modify primary/secondary channels if needed based on neighboring

- networks

- * added support for NFC out-of-band mechanism with WPS

- * added preliminary support for IEEE 802.11r RIC processing

-2009-01-06 - v0.6.7

- * added support for Wi-Fi Protected Setup (WPS)

- (hostapd can now be configured to act as an integrated WPS Registrar

- and provision credentials for WPS Enrollees using PIN and PBC

- methods; external wireless Registrar can configure the AP, but

- external WLAN Manager Registrars are not supported); WPS support can

- be enabled by adding CONFIG_WPS=y into .config and setting the

- runtime configuration variables in hostapd.conf (see WPS section in

- the example configuration file); new hostapd_cli commands wps_pin and

- wps_pbc are used to configure WPS negotiation; see README-WPS for

- more details

- * added IEEE 802.11n HT capability configuration (ht_capab)

- * added support for generating Country IE based on nl80211 regulatory

- information (added if ieee80211d=1 in configuration)

- * fixed WEP authentication (both Open System and Shared Key) with

- mac80211

- * added support for EAP-AKA' (draft-arkko-eap-aka-kdf)

- * added support for using driver_test over UDP socket

- * changed EAP-GPSK to use the IANA assigned EAP method type 51

- * updated management frame protection to use IEEE 802.11w/D7.0

- * fixed retransmission of EAP requests if no response is received

-2008-11-23 - v0.6.6

- * added a new configuration option, wpa_ptk_rekey, that can be used to

- enforce frequent PTK rekeying, e.g., to mitigate some attacks against

- TKIP deficiencies

- * updated OpenSSL code for EAP-FAST to use an updated version of the

- session ticket overriding API that was included into the upstream

- OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is

- needed with that version anymore)

- * changed channel flags configuration to read the information from

- the driver (e.g., via driver_nl80211 when using mac80211) instead of

- using hostapd as the source of the regulatory information (i.e.,

- information from CRDA is now used with mac80211); this allows 5 GHz

- channels to be used with hostapd (if allowed in the current

- regulatory domain)

- * fixed EAP-TLS message processing for the last TLS message if it is

- large enough to require fragmentation (e.g., if a large Session

- Ticket data is included)

- * fixed listen interval configuration for nl80211 drivers

-2008-11-01 - v0.6.5

- * added support for SHA-256 as X.509 certificate digest when using the

- internal X.509/TLSv1 implementation

- * fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer

- identity lengths)

- * fixed internal TLSv1 implementation for abbreviated handshake (used

- by EAP-FAST server)

- * added support for setting VLAN ID for STAs based on local MAC ACL

- (accept_mac_file) as an alternative for RADIUS server-based

- configuration

- * updated management frame protection to use IEEE 802.11w/D6.0

- (adds a new association ping to protect against unauthenticated

- authenticate or (re)associate request frames dropping association)

- * added support for using SHA256-based stronger key derivation for WPA2

- (IEEE 802.11w)

- * added new "driver wrapper" for RADIUS-only configuration

- (driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config)

- * fixed WPA/RSN IE validation to verify that the proto (WPA vs. WPA2)

- is enabled in configuration

- * changed EAP-FAST configuration to use separate fields for A-ID and

- A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed

- 16-octet len binary value for better interoperability with some peer

- implementations; eap_fast_a_id is now configured as a hex string

- * driver_nl80211: Updated to match the current Linux mac80211 AP mode

- configuration (wireless-testing.git and Linux kernel releases

- starting from 2.6.29)

-2008-08-10 - v0.6.4

- * added peer identity into EAP-FAST PAC-Opaque and skip Phase 2

- Identity Request if identity is already known

- * added support for EAP Sequences in EAP-FAST Phase 2

- * added support for EAP-TNC (Trusted Network Connect)

- (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST

- changes needed to run two methods in sequence (IF-T) and the IF-IMV

- and IF-TNCCS interfaces from TNCS)

- * added support for optional cryptobinding with PEAPv0

- * added fragmentation support for EAP-TNC

- * added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled)

- data

- * added support for opportunistic key caching (OKC)

-2008-02-22 - v0.6.3

- * fixed Reassociation Response callback processing when using internal

- MLME (driver_{hostap,nl80211,test}.c)

- * updated FT support to use the latest draft, IEEE 802.11r/D9.0

- * copy optional Proxy-State attributes into RADIUS response when acting

- as a RADIUS authentication server

- * fixed EAPOL state machine to handle a case in which no response is

- received from the RADIUS authentication server; previous version

- could have triggered a crash in some cases after a timeout

- * fixed EAP-SIM/AKA realm processing to allow decorated usernames to

- be used

- * added a workaround for EAP-SIM/AKA peers that include incorrect null

- termination in the username

- * fixed EAP-SIM/AKA protected result indication to include AT_COUNTER

- attribute in notification messages only when using fast

- reauthentication

- * fixed EAP-SIM Start response processing for fast reauthentication

- case

- * added support for pending EAP processing in EAP-{PEAP,TTLS,FAST}

- phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method

-2008-01-01 - v0.6.2

- * fixed EAP-SIM and EAP-AKA message parser to validate attribute

- lengths properly to avoid potential crash caused by invalid messages

- * added data structure for storing allocated buffers (struct wpabuf);

- this does not affect hostapd usage, but many of the APIs changed

- and various interfaces (e.g., EAP) is not compatible with old

- versions

- * added support for protecting EAP-AKA/Identity messages with

- AT_CHECKCODE (optional feature in RFC 4187)

- * added support for protected result indication with AT_RESULT_IND for

- EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1)

- * added support for configuring EAP-TTLS phase 2 non-EAP methods in

- EAP server configuration; previously all four were enabled for every

- phase 2 user, now all four are disabled by default and need to be

- enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP,

- TTLS-MSCHAPV2

- * removed old debug printing mechanism and the related 'debug'

- parameter in the configuration file; debug verbosity is now set with

- -d (or -dd) command line arguments

- * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt);

- only shared key/password authentication is supported in this version

-2007-11-24 - v0.6.1

- * added experimental, integrated TLSv1 server implementation with the

- needed X.509/ASN.1/RSA/bignum processing (this can be enabled by

- setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in

- .config); this can be useful, e.g., if the target system does not

- have a suitable TLS library and a minimal code size is required

- * added support for EAP-FAST server method to the integrated EAP

- server

- * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest

- draft (draft-ietf-emu-eap-gpsk-07.txt)

- * added a new configuration parameter, rsn_pairwise, to allow different

- pairwise cipher suites to be enabled for WPA and RSN/WPA2

- (note: if wpa_pairwise differs from rsn_pairwise, the driver will

- either need to support this or will have to use the WPA/RSN IEs from

- hostapd; currently, the included madwifi and bsd driver interfaces do

- not have support for this)

- * updated FT support to use the latest draft, IEEE 802.11r/D8.0

-2007-05-28 - v0.6.0

- * added experimental IEEE 802.11r/D6.0 support

- * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48

- * updated EAP-PSK to use the IANA-allocated EAP type 47

- * fixed EAP-PSK bit ordering of the Flags field

- * fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs

- by reading wpa_psk_file [Bug 181]

- * fixed EAP-TTLS AVP parser processing for too short AVP lengths

- * fixed IPv6 connection to RADIUS accounting server

- * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest

- draft (draft-ietf-emu-eap-gpsk-04.txt)

- * hlr_auc_gw: read GSM triplet file into memory and rotate through the

- entries instead of only using the same three triplets every time

- (this does not work properly with tests using multiple clients, but

- provides bit better triplet data for testing a single client; anyway,

- if a better quality triplets are needed, GSM-Milenage should be used

- instead of hardcoded triplet file)

- * fixed EAP-MSCHAPv2 server to use a space between S and M parameters

- in Success Request [Bug 203]

- * added support for sending EAP-AKA Notifications in error cases

- * updated to use IEEE 802.11w/D2.0 for management frame protection

- (still experimental)

- * RADIUS server: added support for processing duplicate messages

- (retransmissions from RADIUS client) by replying with the previous

- reply

-2006-11-24 - v0.5.6

- * added support for configuring and controlling multiple BSSes per

- radio interface (bss=<ifname> in hostapd.conf); this is only

- available with Devicescape and test driver interfaces

- * fixed PMKSA cache update in the end of successful RSN

- pre-authentication

- * added support for dynamic VLAN configuration (i.e., selecting VLAN-ID

- for each STA based on RADIUS Access-Accept attributes); this requires

- VLAN support from the kernel driver/802.11 stack and this is

- currently only available with Devicescape and test driver interfaces

- * driver_madwifi: fixed configuration of unencrypted modes (plaintext

- and IEEE 802.1X without WEP)

- * removed STAKey handshake since PeerKey handshake has replaced it in

- IEEE 802.11ma and there are no known deployments of STAKey

- * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest

- draft (draft-ietf-emu-eap-gpsk-01.txt)

- * added preliminary implementation of IEEE 802.11w/D1.0 (management

- frame protection)

- (Note: this requires driver support to work properly.)

- (Note2: IEEE 802.11w is an unapproved draft and subject to change.)

- * hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM)

- * hlr_auc_gw: added support for reading per-IMSI Milenage keys and

- parameters from a text file to make it possible to implement proper

- GSM/UMTS authentication server for multiple SIM/USIM cards using

- EAP-SIM/EAP-AKA

- * fixed session timeout processing with drivers that do not use

- ieee802_11.c (e.g., madwifi)

-2006-08-27 - v0.5.5

- * added 'hostapd_cli new_sta <addr>' command for adding a new STA into

- hostapd (e.g., to initialize wired network authentication based on an

- external signal)

- * fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when

- using WPA2 even if PMKSA caching is not used

- * added -P<pid file> argument for hostapd to write the current process

- id into a file

- * added support for RADIUS Authentication Server MIB (RFC 2619)

-2006-06-20 - v0.5.4

- * fixed nt_password_hash build [Bug 144]

- * added PeerKey handshake implementation for IEEE 802.11e

- direct link setup (DLS) to replace STAKey handshake

- * added support for EAP Generalized Pre-Shared Key (EAP-GPSK,

- draft-clancy-emu-eap-shared-secret-00.txt)

- * fixed a segmentation fault when RSN pre-authentication was completed

- successfully [Bug 152]

-2006-04-27 - v0.5.3

- * do not build nt_password_hash and hlr_auc_gw by default to avoid

- requiring a TLS library for a successful build; these programs can be

- build with 'make nt_password_hash' and 'make hlr_auc_gw'

- * added a new configuration option, eapol_version, that can be used to

- set EAPOL version to 1 (default is 2) to work around broken client

- implementations that drop EAPOL frames which use version number 2

- [Bug 89]

- * added support for EAP-SAKE (no EAP method number allocated yet, so

- this is using the same experimental type 255 as EAP-PSK)

- * fixed EAP-MSCHAPv2 message length validation

-2006-03-19 - v0.5.2

- * fixed stdarg use in hostapd_logger(): if both stdout and syslog

- logging was enabled, hostapd could trigger a segmentation fault in

- vsyslog on some CPU -- C library combinations

- * moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external

- program to make it easier to use for implementing real SS7 gateway;

- eap_sim_db is not anymore used as a file name for GSM authentication

- triplets; instead, it is path to UNIX domain socket that will be used

- to communicate with the external gateway program (e.g., hlr_auc_gw)

- * added example HLR/AuC gateway implementation, hlr_auc_gw, that uses

- local information (GSM authentication triplets from a text file and

- hardcoded AKA authentication data); this can be used to test EAP-SIM

- and EAP-AKA

- * added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw

- to make it possible to test EAP-AKA with real USIM cards (this is

- disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw

- to enable this)

- * driver_madwifi: added support for getting station RSN IE from

- madwifi-ng svn r1453 and newer; this fixes RSN that was apparently

- broken with earlier change (r1357) in the driver

- * changed EAP method registration to use a dynamic list of methods

- instead of a static list generated at build time

- * fixed WPA message 3/4 not to encrypt Key Data field (WPA IE)

- [Bug 125]

- * added ap_max_inactivity configuration parameter

-2006-01-29 - v0.5.1

- * driver_test: added better support for multiple APs and STAs by using

- a directory with sockets that include MAC address for each device in

- the name (test_socket=DIR:/tmp/test)

- * added support for EAP expanded type (vendor specific EAP methods)

-2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)

- * added experimental STAKey handshake implementation for IEEE 802.11e

- direct link setup (DLS); note: this is disabled by default in both

- build and runtime configuration (can be enabled with CONFIG_STAKEY=y

- and stakey=1)

- * added support for EAP methods to use callbacks to external programs

- by buffering a pending request and processing it after the EAP method

- is ready to continue

- * improved EAP-SIM database interface to allow external request to GSM

- HLR/AuC without blocking hostapd process

- * added support for using EAP-SIM pseudonyms and fast re-authentication

- * added support for EAP-AKA in the integrated EAP authenticator

- * added support for matching EAP identity prefixes (e.g., "1"*) in EAP

- user database to allow EAP-SIM/AKA selection without extra roundtrip

- for EAP-Nak negotiation

- * added support for storing EAP user password as NtPasswordHash instead

- of plaintext password when using MSCHAP or MSCHAPv2 for

- authentication (hash:<16-octet hex value>); added nt_password_hash

- tool for hashing password to generate NtPasswordHash

-2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)

- * driver_wired: fixed EAPOL sending to optionally use PAE group address

- as the destination instead of supplicant MAC address; this is

- disabled by default, but should be enabled with use_pae_group_addr=1

- in configuration file if the wired interface is used by only one

- device at the time (common switch configuration)

- * driver_madwifi: configure driver to use TKIP countermeasures in order

- to get correct behavior (IEEE 802.11 association failing; previously,

- association succeeded, but hostpad forced disassociation immediately)

- * driver_madwifi: added support for madwifi-ng

-2005-10-27 - v0.4.6

- * added support for replacing user identity from EAP with RADIUS

- User-Name attribute from Access-Accept message, if that is included,

- for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get

- tunneled identity into accounting messages when the RADIUS server

- does not support better way of doing this with Class attribute)

- * driver_madwifi: fixed EAPOL packet receive for configuration where

- ath# is part of a bridge interface

- * added a configuration file and log analyzer script for logwatch

- * fixed EAPOL state machine step function to process all state

- transitions before processing new events; this resolves a race

- condition in which EAPOL-Start message could trigger hostapd to send

- two EAP-Response/Identity frames to the authentication server

-2005-09-25 - v0.4.5

- * added client CA list to the TLS certificate request in order to make

- it easier for the client to select which certificate to use

- * added experimental support for EAP-PSK

- * added support for WE-19 (hostap, madwifi)

-2005-08-21 - v0.4.4

- * fixed build without CONFIG_RSN_PREAUTH

- * fixed FreeBSD build

-2005-06-26 - v0.4.3

- * fixed PMKSA caching to copy User-Name and Class attributes so that

- RADIUS accounting gets correct information

- * start RADIUS accounting only after successful completion of WPA

- 4-Way Handshake if WPA-PSK is used

- * fixed PMKSA caching for the case where STA (re)associates without

- first disassociating

-2005-06-12 - v0.4.2

- * EAP-PAX is now registered as EAP type 46

- * fixed EAP-PAX MAC calculation

- * fixed EAP-PAX CK and ICK key derivation

- * renamed eap_authenticator configuration variable to eap_server to

- better match with RFC 3748 (EAP) terminology

- * driver_test: added support for testing hostapd with wpa_supplicant

- by using test driver interface without any kernel drivers or network

- cards

-2005-05-22 - v0.4.1

- * fixed RADIUS server initialization when only auth or acct server

- is configured and the other one is left empty

- * driver_madwifi: added support for RADIUS accounting

- * driver_madwifi: added preliminary support for compiling against 'BSD'

- branch of madwifi CVS tree

- * driver_madwifi: fixed pairwise key removal to allow WPA reauth

- without disassociation

- * added support for reading additional certificates from PKCS#12 files

- and adding them to the certificate chain

- * fixed RADIUS Class attribute processing to only use Access-Accept

- packets to update Class; previously, other RADIUS authentication

- packets could have cleared Class attribute

- * added support for more than one Class attribute in RADIUS packets

- * added support for verifying certificate revocation list (CRL) when

- using integrated EAP authenticator for EAP-TLS; new hostapd.conf

- options 'check_crl'; CRL must be included in the ca_cert file for now

-2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)

- * added support for including network information into

- EAP-Request/Identity message (ASCII-0 (nul) in eap_message)

- (e.g., to implement draft-adrange-eap-network-discovery-07.txt)

- * fixed a bug which caused some RSN pre-authentication cases to use

- freed memory and potentially crash hostapd

- * fixed private key loading for cases where passphrase is not set

- * added support for sending TLS alerts and aborting authentication

- when receiving a TLS alert

- * fixed WPA2 to add PMKSA cache entry when using integrated EAP

- authenticator

- * fixed PMKSA caching (EAP authentication was not skipped correctly

- with the new state machine changes from IEEE 802.1X draft)

- * added support for RADIUS over IPv6; own_ip_addr, auth_server_addr,

- and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs

- to be added to .config to include IPv6 support); for RADIUS server,

- radius_server_ipv6=1 needs to be set in hostapd.conf and addresses

- in RADIUS clients file can then use IPv6 format

- * added experimental support for EAP-PAX

- * replaced hostapd control interface library (hostapd_ctrl.[ch]) with

- the same implementation that wpa_supplicant is using (wpa_ctrl.[ch])

-2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)

-2005-01-23 - v0.3.5

- * added support for configuring a forced PEAP version based on the

- Phase 1 identity

- * fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV

- to terminate authentication

- * fixed EAP identifier duplicate processing with the new IEEE 802.1X

- draft

- * clear accounting data in the driver when starting a new accounting

- session

- * driver_madwifi: filter wireless events based on ifindex to allow more

- than one network interface to be used

- * fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt

- setting if the packet does not pass MIC verification (e.g., due to

- incorrect PSK); previously, message 1/4 was not tried again if an

- invalid message 2/4 was received

- * fixed reconfiguration of RADIUS client retransmission timer when

- adding a new message to the pending list; previously, timer was not

- updated at this point and if there was a pending message with long

- time for the next retry, the new message needed to wait that long for

- its first retry, too

-2005-01-09 - v0.3.4

- * added support for configuring multiple allowed EAP types for Phase 2

- authentication (EAP-PEAP, EAP-TTLS)

- * fixed EAPOL-Start processing to trigger WPA reauthentication

- (previously, only EAPOL authentication was done)

-2005-01-02 - v0.3.3

- * added support for EAP-PEAP in the integrated EAP authenticator

- * added support for EAP-GTC in the integrated EAP authenticator

- * added support for configuring list of EAP methods for Phase 1 so that

- the integrated EAP authenticator can, e.g., use the wildcard entry

- for EAP-TLS and EAP-PEAP

- * added support for EAP-TTLS in the integrated EAP authenticator

- * added support for EAP-SIM in the integrated EAP authenticator

- * added support for using hostapd as a RADIUS authentication server

- with the integrated EAP authenticator taking care of EAP

- authentication (new hostapd.conf options: radius_server_clients and

- radius_server_auth_port); this is not included in default build; use

- CONFIG_RADIUS_SERVER=y in .config to include

-2004-12-19 - v0.3.2

- * removed 'daemonize' configuration file option since it has not really

- been used at all for more than year

- * driver_madwifi: fixed group key setup and added get_ssid method

- * added support for EAP-MSCHAPv2 in the integrated EAP authenticator

-2004-12-12 - v0.3.1

- * added support for integrated EAP-TLS authentication (new hostapd.conf

- variables: ca_cert, server_cert, private_key, private_key_passwd);

- this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without

- external RADIUS server

- * added support for reading PKCS#12 (PFX) files (as a replacement for

- PEM/DER) to get certificate and private key (CONFIG_PKCS12)

-2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)

- * added support for Acct-{Input,Output}-Gigawords

- * added support for Event-Timestamp (in RADIUS Accounting-Requests)

- * added support for RADIUS Authentication Client MIB (RFC2618)

- * added support for RADIUS Accounting Client MIB (RFC2620)

- * made EAP re-authentication period configurable (eap_reauth_period)

- * fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication

- * fixed EAPOL state machine to stop if STA is removed during

- eapol_sm_step(); this fixes at least one segfault triggering bug with

- IEEE 802.11i pre-authentication

- * added support for multiple WPA pre-shared keys (e.g., one for each

- client MAC address or keys shared by a group of clients);

- new hostapd.conf field wpa_psk_file for setting path to a text file

- containing PSKs, see hostapd.wpa_psk for an example

- * added support for multiple driver interfaces to allow hostapd to be

- used with other drivers

- * added wired authenticator driver interface (driver=wired in

- hostapd.conf, see wired.conf for example configuration)

- * added madwifi driver interface (driver=madwifi in hostapd.conf, see

- madwifi.conf for example configuration; Note: include files from

- madwifi project is needed for building and a configuration file,

- .config, needs to be created in hostapd directory with

- CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd

- build)

- * fixed an alignment issue that could cause SHA-1 to fail on some

- platforms (e.g., Intel ixp425 with a compiler that does not 32-bit

- align variables)

- * fixed RADIUS reconnection after an error in sending interim

- accounting packets

- * added hostapd control interface for external programs and an example

- CLI, hostapd_cli (like wpa_cli for wpa_supplicant)

- * started adding dot11, dot1x, radius MIBs ('hostapd_cli mib',

- 'hostapd_cli sta <addr>')

- * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11)

- * added support for strict GTK rekeying (wpa_strict_rekey in

- hostapd.conf)

- * updated IAPP to use UDP port 3517 and multicast address 224.0.1.178

- (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to

- IEEE 802.11F-2003)

- * added Prism54 driver interface (driver=prism54 in hostapd.conf;

- note: .config needs to be created in hostapd directory with

- CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd

- build)

- * dual-licensed hostapd (GPLv2 and BSD licenses)

- * fixed RADIUS accounting to generate a new session id for cases where

- a station reassociates without first being complete deauthenticated

- * fixed STA disassociation handler to mark next timeout state to

- deauthenticate the station, i.e., skip long wait for inactivity poll

- and extra disassociation, if the STA disassociates without

- deauthenticating

- * added integrated EAP authenticator that can be used instead of

- external RADIUS authentication server; currently, only EAP-MD5 is

- supported, so this cannot yet be used for key distribution; the EAP

- method interface is generic, though, so adding new EAP methods should

- be straightforward; new hostapd.conf variables: 'eap_authenticator'

- and 'eap_user_file'; this obsoletes "minimal authentication server"

- ('minimal_eap' in hostapd.conf) which is now removed

- * added support for FreeBSD and driver interface for the BSD net80211

- layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in

- .config); please note that some of the required kernel mods have not

- yet been committed

-2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)

- * fixed some accounting cases where Accounting-Start was sent when

- IEEE 802.1X port was being deauthorized

-2004-06-20 - v0.2.3

- * modified RADIUS client to re-connect the socket in case of certain

- error codes that are generated when a network interface state is

- changes (e.g., when IP address changes or the interface is set UP)

- * fixed couple of cases where EAPOL state for a station was freed

- twice causing a segfault for hostapd

- * fixed couple of bugs in processing WPA deauthentication (freed data

- was used)

-2004-05-31 - v0.2.2

- * fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM)

- * fixed group rekeying to send zero TSC in EAPOL-Key messages to fix

- cases where STAs dropped multicast frames as replay attacks

- * added support for copying RADIUS Attribute 'Class' from

- authentication messages into accounting messages

- * send canned EAP failure if RADIUS server sends Access-Reject without

- EAP message (previously, Supplicant was not notified in this case)

- * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do

- not start EAPOL state machines if the STA selected to use WPA-PSK)

-2004-05-06 - v0.2.1

- * added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality

- - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA

- (i.e., IEEE 802.11i/D3.0)

- - supports WPA-only, RSN-only, and mixed WPA/RSN mode

- - both WPA-PSK and WPA-RADIUS/EAP are supported

- - PMKSA caching and pre-authentication

- - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase,

- wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey,

- rsn_preauth, rsn_preauth_interfaces

- * fixed interim accounting to remove any pending accounting messages

- to the STA before sending a new one

-2004-02-15 - v0.2.0

- * added support for Acct-Interim-Interval:

- - draft-ietf-radius-acct-interim-01.txt

- - use Acct-Interim-Interval attribute from Access-Accept if local

- 'radius_acct_interim_interval' is not set

- - allow different update intervals for each STA

- * fixed event loop to call signal handlers only after returning from

- the real signal handler

- * reset sta->timeout_next after successful association to make sure

- that the previously registered inactivity timer will not remove the

- STA immediately (e.g., if STA deauthenticates and re-associates

- before the timer is triggered).

- * added new hostapd.conf variable, nas_identifier, that can be used to

- add an optional RADIUS Attribute, NAS-Identifier, into authentication

- and accounting messages

- * added support for Accounting-On and Accounting-Off messages

- * fixed accounting session handling to send Accounting-Start only once

- per session and not to send Accounting-Stop if the session was not

- initialized properly

- * fixed Accounting-Stop statistics in cases where the message was

- previously sent after the kernel entry for the STA (and/or IEEE

- 802.1X data) was removed

-Note:

-Older changes up to and including v0.1.0 are included in the ChangeLog

-of the Host AP driver.