diff options
Diffstat (limited to 'hostapd/ChangeLog')
| -rw-r--r-- | hostapd/ChangeLog | 1358 |
1 files changed, 1358 insertions, 0 deletions
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog new file mode 100644 index 000000000000..1c8240d333c4 --- /dev/null +++ b/hostapd/ChangeLog @@ -0,0 +1,1358 @@ +ChangeLog for hostapd + +2024-07-20 - v2.11 + * Wi-Fi Easy Connect + - add support for DPP release 3 + - allow Configurator parameters to be provided during config exchange + * HE/IEEE 802.11ax/Wi-Fi 6 + - various fixes + * EHT/IEEE 802.11be/Wi-Fi 7 + - add preliminary support + * SAE: add support for fetching the password from a RADIUS server + * support OpenSSL 3.0 API changes + * support background radar detection and CAC with some additional + drivers + * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3) + * EAP-SIM/AKA: support IMSI privacy + * improve 4-way handshake operations + - use Secure=1 in message 3 during PTK rekeying + * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases + to avoid interoperability issues + * support new SAE AKM suites with variable length keys + * support new AKM for 802.1X/EAP with SHA384 + * extend PASN support for secure ranging + * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP) + - this is based on additional details being added in the IEEE 802.11 + standard + - the new implementation is not backwards compatible + * improved ACS to cover additional channel types/bandwidths + * extended Multiple BSSID support + * fix beacon protection with FT protocol (incorrect BIGTK was provided) + * support unsynchronized service discovery (USD) + * add preliminary support for RADIUS/TLS + * add support for explicit SSID protection in 4-way handshake + (a mitigation for CVE-2023-52424; disabled by default for now, can be + enabled with ssid_protection=1) + * fix SAE H2E rejected groups validation to avoid downgrade attacks + * use stricter validation for some RADIUS messages + * a large number of other fixes, cleanup, and extensions + +2022-01-16 - v2.10 + * SAE changes + - improved protection against side channel attacks + [https://w1.fi/security/2022-1/] + - added option send SAE Confirm immediately (sae_config_immediate=1) + after SAE Commit + - added support for the hash-to-element mechanism (sae_pwe=1 or + sae_pwe=2) + - fixed PMKSA caching with OKC + - added support for SAE-PK + * EAP-pwd changes + - improved protection against side channel attacks + [https://w1.fi/security/2022-1/] + * fixed WPS UPnP SUBSCRIBE handling of invalid operations + [https://w1.fi/security/2020-1/] + * fixed PMF disconnection protection bypass + [https://w1.fi/security/2019-7/] + * added support for using OpenSSL 3.0 + * fixed various issues in experimental support for EAP-TEAP server + * added configuration (max_auth_rounds, max_auth_rounds_short) to + increase the maximum number of EAP message exchanges (mainly to + support cases with very large certificates) for the EAP server + * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) + * extended HE (IEEE 802.11ax) support, including 6 GHz support + * removed obsolete IAPP functionality + * fixed EAP-FAST server with TLS GCM/CCM ciphers + * dropped support for libnl 1.1 + * added support for nl80211 control port for EAPOL frame TX/RX + * fixed OWE key derivation with groups 20 and 21; this breaks backwards + compatibility for these groups while the default group 19 remains + backwards compatible; owe_ptk_workaround=1 can be used to enabled a + a workaround for the group 20/21 backwards compatibility + * added support for Beacon protection + * added support for Extended Key ID for pairwise keys + * removed WEP support from the default build (CONFIG_WEP=y can be used + to enable it, if really needed) + * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) + * added support for Transition Disable mechanism to allow the AP to + automatically disable transition mode to improve security + * added support for PASN + * added EAP-TLS server support for TLS 1.3 (disabled by default for now) + * a large number of other fixes, cleanup, and extensions + +2019-08-07 - v2.9 + * SAE changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * EAP-pwd changes + - disable use of groups using Brainpool curves + - improved protection against side channel attacks + [https://w1.fi/security/2019-6/] + * fixed FT-EAP initial mobility domain association using PMKSA caching + * added configuration of airtime policy + * fixed FILS to and RSNE into (Re)Association Response frames + * fixed DPP bootstrapping URI parser of channel list + * added support for regulatory WMM limitation (for ETSI) + * added support for MACsec Key Agreement using IEEE 802.1X/PSK + * added experimental support for EAP-TEAP server (RFC 7170) + * added experimental support for EAP-TLS server with TLS v1.3 + * added support for two server certificates/keys (RSA/ECC) + * added AKMSuiteSelector into "STA <addr>" control interface data to + determine with AKM was used for an association + * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and + fast reauthentication use to be disabled + * fixed an ECDH operation corner case with OpenSSL + +2019-04-21 - v2.8 + * SAE changes + - added support for SAE Password Identifier + - changed default configuration to enable only group 19 + (i.e., disable groups 20, 21, 25, 26 from default configuration) and + disable all unsuitable groups completely based on REVmd changes + - improved anti-clogging token mechanism and SAE authentication + frame processing during heavy CPU load; this mitigates some issues + with potential DoS attacks trying to flood an AP with large number + of SAE messages + - added Finite Cyclic Group field in status code 77 responses + - reject use of unsuitable groups based on new implementation guidance + in REVmd (allow only FFC groups with prime >= 3072 bits and ECC + groups with prime >= 256) + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-1/] (CVE-2019-9494) + - fixed confirm message validation in error cases + [https://w1.fi/security/2019-3/] (CVE-2019-9496) + * EAP-pwd changes + - minimize timing and memory use differences in PWE derivation + [https://w1.fi/security/2019-2/] (CVE-2019-9495) + - verify peer scalar/element + [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498) + - fix message reassembly issue with unexpected fragment + [https://w1.fi/security/2019-5/] + - enforce rand,mask generation rules more strictly + - fix a memory leak in PWE derivation + - disallow ECC groups with a prime under 256 bits (groups 25, 26, and + 27) + * Hotspot 2.0 changes + - added support for release number 3 + - reject release 2 or newer association without PMF + * added support for RSN operating channel validation + (CONFIG_OCV=y and configuration parameter ocv=1) + * added Multi-AP protocol support + * added FTM responder configuration + * fixed build with LibreSSL + * added FT/RRB workaround for short Ethernet frame padding + * fixed KEK2 derivation for FILS+FT + * added RSSI-based association rejection from OCE + * extended beacon reporting functionality + * VLAN changes + - allow local VLAN management with remote RADIUS authentication + - add WPA/WPA2 passphrase/PSK -based VLAN assignment + * OpenSSL: allow systemwide policies to be overridden + * extended PEAP to derive EMSK to enable use with ERP/FILS + * extended WPS to allow SAE configuration to be added automatically + for PSK (wps_cred_add_sae=1) + * fixed FT and SA Query Action frame with AP-MLME-in-driver cases + * OWE: allow Diffie-Hellman Parameter element to be included with DPP + in preparation for DPP protocol extension + * RADIUS server: started to accept ERP keyName-NAI as user identity + automatically without matching EAP database entry + * fixed PTK rekeying with FILS and FT + +2018-12-02 - v2.7 + * fixed WPA packet number reuse with replayed messages and key + reinstallation + [http://w1.fi/security/2017-1/] (CVE-2017-13082) + * added support for FILS (IEEE 802.11ai) shared key authentication + * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; + and transition mode defined by WFA) + * added support for DPP (Wi-Fi Device Provisioning Protocol) + * FT: + - added local generation of PMK-R0/PMK-R1 for FT-PSK + (ft_psk_generate_local=1) + - replaced inter-AP protocol with a cleaner design that is more + easily extensible; this breaks backward compatibility and requires + all APs in the ESS to be updated at the same time to maintain FT + functionality + - added support for wildcard R0KH/R1KH + - replaced r0_key_lifetime (minutes) parameter with + ft_r0_key_lifetime (seconds) + - fixed wpa_psk_file use for FT-PSK + - fixed FT-SAE PMKID matching + - added expiration to PMK-R0 and PMK-R1 cache + - added IEEE VLAN support (including tagged VLANs) + - added support for SHA384 based AKM + * SAE + - fixed some PMKSA caching cases with SAE + - added support for configuring SAE password separately of the + WPA2 PSK/passphrase + - added option to require MFP for SAE associations + (sae_require_pmf=1) + - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection + for SAE; + note: this is not backwards compatible, i.e., both the AP and + station side implementations will need to be update at the same + time to maintain interoperability + - added support for Password Identifier + * hostapd_cli: added support for command history and completion + * added support for requesting beacon report + * large number of other fixes, cleanup, and extensions + * added option to configure EAPOL-Key retry limits + (wpa_group_update_count and wpa_pairwise_update_count) + * removed all PeerKey functionality + * fixed nl80211 AP mode configuration regression with Linux 4.15 and + newer + * added support for using wolfSSL cryptographic library + * fixed some 20/40 MHz coexistence cases where the BSS could drop to + 20 MHz even when 40 MHz would be allowed + * Hotspot 2.0 + - added support for setting Venue URL ANQP-element (venue_url) + - added support for advertising Hotspot 2.0 operator icons + - added support for Roaming Consortium Selection element + - added support for Terms and Conditions + - added support for OSEN connection in a shared RSN BSS + * added support for using OpenSSL 1.1.1 + * added EAP-pwd server support for salted passwords + +2016-10-02 - v2.6 + * fixed EAP-pwd last fragment validation + [http://w1.fi/security/2015-7/] (CVE-2015-5314) + * fixed WPS configuration update vulnerability with malformed passphrase + [http://w1.fi/security/2016-1/] (CVE-2016-4476) + * extended channel switch support for VHT bandwidth changes + * added support for configuring new ANQP-elements with + anqp_elem=<InfoID>:<hexdump of payload> + * fixed Suite B 192-bit AKM to use proper PMK length + (note: this makes old releases incompatible with the fixed behavior) + * added no_probe_resp_if_max_sta=1 parameter to disable Probe Response + frame sending for not-associated STAs if max_num_sta limit has been + reached + * added option (-S as command line argument) to request all interfaces + to be started at the same time + * modified rts_threshold and fragm_threshold configuration parameters + to allow -1 to be used to disable RTS/fragmentation + * EAP-pwd: added support for Brainpool Elliptic Curves + (with OpenSSL 1.0.2 and newer) + * fixed EAPOL reauthentication after FT protocol run + * fixed FTIE generation for 4-way handshake after FT protocol run + * fixed and improved various FST operations + * TLS server + - support SHA384 and SHA512 hashes + - support TLS v1.2 signature algorithm with SHA384 and SHA512 + - support PKCS #5 v2.0 PBES2 + - support PKCS #5 with PKCS #12 style key decryption + - minimal support for PKCS #12 + - support OCSP stapling (including ocsp_multi) + * added support for OpenSSL 1.1 API changes + - drop support for OpenSSL 0.9.8 + - drop support for OpenSSL 1.0.0 + * EAP-PEAP: support fast-connect crypto binding + * RADIUS + - fix Called-Station-Id to not escape SSID + - add Event-Timestamp to all Accounting-Request packets + - add Acct-Session-Id to Accounting-On/Off + - add Acct-Multi-Session-Id ton Access-Request packets + - add Service-Type (= Frames) + - allow server to provide PSK instead of passphrase for WPA-PSK + Tunnel_password case + - update full message for interim accounting updates + - add Acct-Delay-Time into Accounting messages + - add require_message_authenticator configuration option to require + CoA/Disconnect-Request packets to be authenticated + * started to postpone WNM-Notification frame sending by 100 ms so that + the STA has some more time to configure the key before this frame is + received after the 4-way handshake + * VHT: added interoperability workaround for 80+80 and 160 MHz channels + * extended VLAN support (per-STA vif, etc.) + * fixed PMKID derivation with SAE + * nl80211 + - added support for full station state operations + - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use + unencrypted EAPOL frames + * added initial MBO support; number of extensions to WNM BSS Transition + Management + * added initial functionality for location related operations + * added assocresp_elements parameter to allow vendor specific elements + to be added into (Re)Association Response frames + * improved Public Action frame addressing + - use Address 3 = wildcard BSSID in GAS response if a query from an + unassociated STA used that address + - fix TX status processing for Address 3 = wildcard BSSID + - add gas_address3 configuration parameter to control Address 3 + behavior + * added command line parameter -i to override interface parameter in + hostapd.conf + * added command completion support to hostapd_cli + * added passive client taxonomy determination (CONFIG_TAXONOMY=y + compile option and "SIGNATURE <addr>" control interface command) + * number of small fixes + +2015-09-27 - v2.5 + * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding + [http://w1.fi/security/2015-2/] (CVE-2015-4141) + * fixed WMM Action frame parser + [http://w1.fi/security/2015-3/] (CVE-2015-4142) + * fixed EAP-pwd server missing payload length validation + [http://w1.fi/security/2015-4/] + (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145) + * fixed validation of WPS and P2P NFC NDEF record payload length + [http://w1.fi/security/2015-5/] + * nl80211: + - fixed vendor command handling to check OUI properly + * fixed hlr_auc_gw build with OpenSSL + * hlr_auc_gw: allow Milenage RES length to be reduced + * disable HT for a station that does not support WMM/QoS + * added support for hashed password (NtHash) in EAP-pwd server + * fixed and extended dynamic VLAN cases + * added EAP-EKE server support for deriving Session-Id + * set Acct-Session-Id to a random value to make it more likely to be + unique even if the device does not have a proper clock + * added more 2.4 GHz channels for 20/40 MHz HT co-ex scan + * modified SAE routines to be more robust and PWE generation to be + stronger against timing attacks + * added support for Brainpool Elliptic Curves with SAE + * increases maximum value accepted for cwmin/cwmax + * added support for CCMP-256 and GCMP-256 as group ciphers with FT + * added Fast Session Transfer (FST) module + * removed optional fields from RSNE when using FT with PMF + (workaround for interoperability issues with iOS 8.4) + * added EAP server support for TLS session resumption + * fixed key derivation for Suite B 192-bit AKM (this breaks + compatibility with the earlier version) + * added mechanism to track unconnected stations and do minimal band + steering + * number of small fixes + +2015-03-15 - v2.4 + * allow OpenSSL cipher configuration to be set for internal EAP server + (openssl_ciphers parameter) + * fixed number of small issues based on hwsim test case failures and + static analyzer reports + * fixed Accounting-Request to not include duplicated Acct-Session-Id + * add support for Acct-Multi-Session-Id in RADIUS Accounting messages + * add support for PMKSA caching with SAE + * add support for generating BSS Load element (bss_load_update_period) + * fixed channel switch from VHT to HT + * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events + * add support for learning STA IPv4/IPv6 addresses and configuring + ProxyARP support + * dropped support for the madwifi driver interface + * add support for Suite B (128-bit and 192-bit level) key management and + cipher suites + * fixed a regression with driver=wired + * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce + * add BSS_TM_REQ ctrl_iface command to send BSS Transition Management + Request frames and BSS-TM-RESP event to indicate response to such + frame + * add support for EAP Re-Authentication Protocol (ERP) + * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled + * fixed a regression in HT 20/40 coex Action frame parsing + * set stdout to be line-buffered + * add support for vendor specific VHT extension to enable 256 QAM rates + (VHT-MCS 8 and 9) on 2.4 GHz band + * RADIUS DAS: + - extend Disconnect-Request processing to allow matching of multiple + sessions + - support Acct-Multi-Session-Id as an identifier + - allow PMKSA cache entry to be removed without association + * expire hostapd STA entry if kernel does not have a matching entry + * allow chanlist to be used to specify a subset of channels for ACS + * improve ACS behavior on 2.4 GHz band and allow channel bias to be + configured with acs_chan_bias parameter + * do not reply to a Probe Request frame that includes DSS Parameter Set + element in which the channel does not match the current operating + channel + * add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon + frame contents to be updated and to start beaconing on an interface + that used start_disabled=1 + * fixed some RADIUS server failover cases + +2014-10-09 - v2.3 + * fixed number of minor issues identified in static analyzer warnings + * fixed DFS and channel switch operation for multi-BSS cases + * started to use constant time comparison for various password and hash + values to reduce possibility of any externally measurable timing + differences + * extended explicit clearing of freed memory and expired keys to avoid + keeping private data in memory longer than necessary + * added support for number of new RADIUS attributes from RFC 7268 + (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher, + WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher) + * fixed GET_CONFIG wpa_pairwise_cipher value + * added code to clear bridge FDB entry on station disconnection + * fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases + * fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop + in case the first entry does not match + * fixed hostapd_cli action script execution to use more robust mechanism + (CVE-2014-3686) + +2014-06-04 - v2.2 + * fixed SAE confirm-before-commit validation to avoid a potential + segmentation fault in an unexpected message sequence that could be + triggered remotely + * extended VHT support + - Operating Mode Notification + - Power Constraint element (local_pwr_constraint) + - Spectrum management capability (spectrum_mgmt_required=1) + - fix VHT80 segment picking in ACS + - fix vht_capab 'Maximum A-MPDU Length Exponent' handling + - fix VHT20 + * fixed HT40 co-ex scan for some pri/sec channel switches + * extended HT40 co-ex support to allow dynamic channel width changes + during the lifetime of the BSS + * fixed HT40 co-ex support to check for overlapping 20 MHz BSS + * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding; + this fixes password with include UTF-8 characters that use + three-byte encoding EAP methods that use NtPasswordHash + * reverted TLS certificate validation step change in v2.1 that rejected + any AAA server certificate with id-kp-clientAuth even if + id-kp-serverAuth EKU was included + * fixed STA validation step for WPS ER commands to prevent a potential + crash if an ER sends an unexpected PutWLANResponse to a station that + is disassociated, but not fully removed + * enforce full EAP authentication after RADIUS Disconnect-Request by + removing the PMKSA cache entry + * added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address + in RADIUS Disconnect-Request + * added mechanism for removing addresses for MAC ACLs by prefixing an + entry with "-" + * Interworking/Hotspot 2.0 enhancements + - support Hotspot 2.0 Release 2 + * OSEN network for online signup connection + * subscription remediation (based on RADIUS server request or + control interface HS20_WNM_NOTIF for testing purposes) + * Hotspot 2.0 release number indication in WFA RADIUS VSA + * deauthentication request (based on RADIUS server request or + control interface WNM_DEAUTH_REQ for testing purposes) + * Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent + * hs20_icon config parameter to configure icon files for OSU + * osu_* config parameters for OSU Providers list + - do not use Interworking filtering rules on Probe Request if + Interworking is disabled to avoid interop issues + * added/fixed nl80211 functionality + - AP interface teardown optimization + - support vendor specific driver command + (VENDOR <vendor id> <sub command id> [<hex formatted data>]) + * fixed PMF protection of Deauthentication frame when this is triggered + by session timeout + * internal TLS implementation enhancements/fixes + - add SHA256-based cipher suites + - add DHE-RSA cipher suites + - fix X.509 validation of PKCS#1 signature to check for extra data + * RADIUS server functionality + - add minimal RADIUS accounting server support (hostapd-as-server); + this is mainly to enable testing coverage with hwsim scripts + - allow authentication log to be written into SQLite database + - added option for TLS protocol testing of an EAP peer by simulating + various misbehaviors/known attacks + - MAC ACL support for testing purposes + * fixed PTK derivation for CCMP-256 and GCMP-256 + * extended WPS per-station PSK to support ER case + * added option to configure the management group cipher + (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256, + BIP-CMAC-256) + * fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these + were rounded incorrectly) + * added support for postponing FT response in case PMK-R1 needs to be + pulled from R0KH + * added option to advertise 40 MHz intolerant HT capability with + ht_capab=[40-INTOLERANT] + * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled + whenever CONFIG_WPS=y is set + * EAP-pwd fixes + - fix possible segmentation fault on EAP method deinit if an invalid + group is negotiated + * fixed RADIUS client retransmit/failover behavior + - there was a potential ctash due to freed memory being accessed + - failover to a backup server mechanism did not work properly + * fixed a possible crash on double DISABLE command when multiple BSSes + are enabled + * fixed a memory leak in SAE random number generation + * fixed GTK rekeying when the station uses FT protocol + * fixed off-by-one bounds checking in printf_encode() + - this could result in deinial of service in some EAP server cases + * various bug fixes + +2014-02-04 - v2.1 + * added support for simultaneous authentication of equals (SAE) for + stronger password-based authentication with WPA2-Personal + * added nl80211 functionality + - VHT configuration for nl80211 + - support split wiphy dump + - driver-based MAC ACL + - QoS Mapping configuration + * added fully automated regression testing with mac80211_hwsim + * allow ctrl_iface group to be specified on command line (-G<group>) + * allow single hostapd process to control independent WPS interfaces + (wps_independent=1) instead of synchronized operations through all + configured interfaces within a process + * avoid processing received management frames multiple times when using + nl80211 with multiple BSSes + * added support for DFS (processing radar detection events, CAC, channel + re-selection) + * added EAP-EKE server + * added automatic channel selection (ACS) + * added option for using per-BSS (vif) configuration files with + -b<phyname>:<config file name> + * extended global control interface ADD/REMOVE commands to allow BSSes + of a radio to be removed individually without having to add/remove all + other BSSes of the radio at the same time + * added support for sending debug info to Linux tracing (-T on command + line) + * replace dump_file functionality with same information being available + through the hostapd control interface + * added support for using Protected Dual of Public Action frames for + GAS/ANQP exchanges when PMF is enabled + * added support for WPS+NFC updates + - improved protocol + - option to fetch and report alternative carrier records for external + NFC operations + * various bug fixes + +2013-01-12 - v2.0 + * added AP-STA-DISCONNECTED ctrl_iface event + * improved debug logging (human readable event names, interface name + included in more entries) + * added number of small changes to make it easier for static analyzers + to understand the implementation + * added a workaround for Windows 7 Michael MIC failure reporting and + use of the Secure bit in EAPOL-Key msg 3/4 + * fixed number of small bugs (see git logs for more details) + * changed OpenSSL to read full certificate chain from server_cert file + * nl80211: number of updates to use new cfg80211/nl80211 functionality + - replace monitor interface with nl80211 commands + - additional information for driver-based AP SME + * EAP-pwd: + - fix KDF for group 21 and zero-padding + - added support for fragmentation + - increased maximum number of hunting-and-pecking iterations + * avoid excessive Probe Response retries for broadcast Probe Request + frames (only with drivers using hostapd SME/MLME) + * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y) + * fixed WPS operation stopping on dual concurrent AP + * added wps_rf_bands configuration parameter for overriding RF Bands + value for WPS + * added support for getting per-device PSK from RADIUS Tunnel-Password + * added support for libnl 3.2 and newer + * increased initial group key handshake retransmit timeout to 500 ms + * added a workaround for 4-way handshake to update SNonce even after + having sent EAPOL-Key 3/4 to avoid issues with some supplicant + implementations that can change SNonce for each EAP-Key 2/4 + * added a workaround for EAPOL-Key 4/4 using incorrect type value in + WPA2 mode (some deployed stations use WPA type in that message) + * added a WPS workaround for mixed mode AP Settings with Windows 7 + * changed WPS AP PIN disabling mechanism to disable the PIN after 10 + consecutive failures in addition to using the exponential lockout + period + * added support for WFA Hotspot 2.0 + - GAS/ANQP advertisement of network information + - disable_dgaf parameter to disable downstream group-addressed + forwarding + * simplified licensing terms by selecting the BSD license as the only + alternative + * EAP-SIM: fixed re-authentication not to update pseudonym + * EAP-SIM: use Notification round before EAP-Failure + * EAP-AKA: added support for AT_COUNTER_TOO_SMALL + * EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized + * EAP-AKA': fixed identity for MK derivation + * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this + breaks interoperability with older versions + * EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id + * changed ANonce to be a random number instead of Counter-based + * added support for canceling WPS operations with hostapd_cli wps_cancel + * fixed EAP/WPS to PSK transition on reassociation in cases where + deauthentication is missed + * hlr_auc_gw enhancements: + - a new command line parameter -u can be used to enable updating of + SQN in Milenage file + - use 5 bit IND for SQN updates + - SQLite database can now be used to store Milenage information + * EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms + and reauth data + * added support for Chargeable-User-Identity (RFC 4372) + * added radius_auth_req_attr and radius_acct_req_attr configuration + parameters to allow adding/overriding of RADIUS attributes in + Access-Request and Accounting-Request packets + * added support for RADIUS dynamic authorization server (RFC 5176) + * added initial support for WNM operations + - BSS max idle period + - WNM-Sleep Mode + * added new WPS NFC ctrl_iface mechanism + - removed obsoleted WPS_OOB command (including support for deprecated + UFD config_method) + * added FT support for drivers that implement MLME internally + * added SA Query support for drivers that implement MLME internally + * removed default ACM=1 from AC_VO and AC_VI + * changed VENDOR-TEST EAP method to use proper private enterprise number + (this will not interoperate with older versions) + * added hostapd.conf parameter vendor_elements to allow arbitrary vendor + specific elements to be added to the Beacon and Probe Response frames + * added support for configuring GCMP cipher for IEEE 802.11ad + * added support for 256-bit AES with internal TLS implementation + * changed EAPOL transmission to use AC_VO if WMM is active + * fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length + correctly; invalid messages could have caused the hostapd process to + terminate before this fix [CVE-2012-4445] + * limit number of active wildcard PINs for WPS Registrar to one to avoid + confusing behavior with multiple wildcard PINs + * added a workaround for WPS PBC session overlap detection to avoid + interop issues with deployed station implementations that do not + remove active PBC indication from Probe Request frames properly + * added support for using SQLite for the eap_user database + * added Acct-Session-Id attribute into Access-Request messages + * fixed EAPOL frame transmission to non-QoS STAs with nl80211 + (do not send QoS frames if the STA did not negotiate use of QoS for + this association) + +2012-05-10 - v1.0 + * Add channel selection support in hostapd. See hostapd.conf. + * Add support for IEEE 802.11v Time Advertisement mechanism with UTC + TSF offset. See hostapd.conf for config info. + * Delay STA entry removal until Deauth/Disassoc TX status in AP mode. + This allows the driver to use PS buffering of Deauthentication and + Disassociation frames when the STA is in power save sleep. Only + available with drivers that provide TX status events for Deauth/ + Disassoc frames (nl80211). + * Allow PMKSA caching to be disabled on the Authenticator. See + hostap.conf config parameter disable_pmksa_caching. + * atheros: Add support for IEEE 802.11w configuration. + * bsd: Add support for setting HT values in IFM_MMASK. + * Allow client isolation to be configured with ap_isolate. Client + isolation can be used to prevent low-level bridging of frames + between associated stations in the BSS. By default, this bridging + is allowed. + * Allow coexistance of HT BSSes with WEP/TKIP BSSes. + * Add require_ht config parameter, which can be used to configure + hostapd to reject association with any station that does not support + HT PHY. + * Add support for writing debug log to a file using "-f" option. Also + add relog CLI command to re-open the log file. + * Add bridge handling for WDS STA interfaces. By default they are + added to the configured bridge of the AP interface (if present), + but the user can also specify a separate bridge using cli command + wds_bridge. + * hostapd_cli: + - Add wds_bridge command for specifying bridge for WDS STA + interfaces. + - Add relog command for reopening log file. + - Send AP-STA-DISCONNECTED event when an AP disconnects a station + due to inactivity. + - Add wps_config ctrl_interface command for configuring AP. This + command can be used to configure the AP using the internal WPS + registrar. It works in the same way as new AP settings received + from an ER. + - Many WPS/WPS ER commands - see WPS/WPS ER sections for details. + - Add command get version, that returns hostapd version string. + * WNM: Add BSS Transition Management Request for ESS Disassoc Imminent. + Use hostapd_cli ess_disassoc (STA addr) (URL) to send the + notification to the STA. + * Allow AP mode to disconnect STAs based on low ACK condition (when + the data connection is not working properly, e.g., due to the STA + going outside the range of the AP). Disabled by default, enable by + config option disassoc_low_ack. + * Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad + config file. + * WPS: + - Send AP Settings as a wrapped Credential attribute to ctrl_iface + in WPS-NEW-AP-SETTINGS. + - Dispatch more WPS events through hostapd ctrl_iface. + - Add mechanism for indicating non-standard WPS errors. + - Change concurrent radio AP to use only one WPS UPnP instance. + - Add wps_check_pin command for processing PIN from user input. + UIs can use this command to process a PIN entered by a user and to + validate the checksum digit (if present). + - Add hostap_cli get_config command to display current AP config. + - Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at + runtime and support dynamic AP PIN management. + - Disable AP PIN after 10 consecutive failures. Slow down attacks + on failures up to 10. + - Allow AP to start in Enrollee mode without AP PIN for probing, + to be compatible with Windows 7. + - Add Config Error into WPS-FAIL events to provide more info + to the user on how to resolve the issue. + - When controlling multiple interfaces: + - apply WPS commands to all interfaces configured to use WPS + - apply WPS config changes to all interfaces that use WPS + - when an attack is detected on any interface, disable AP PIN on + all interfaces + * WPS ER: + - Show SetSelectedRegistrar events as ctrl_iface events. + - Add special AP Setup Locked mode to allow read only ER. + ap_setup_locked=2 can now be used to enable a special mode where + WPS ER can learn the current AP settings, but cannot change them. + * WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2) + - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool + for testing protocol extensibility. + - Add build option CONFIG_WPS_STRICT to allow disabling of WPS + workarounds. + - Add support for AuthorizedMACs attribute. + * TDLS: + - Allow TDLS use or TDLS channel switching in the BSS to be + prohibited in the BSS, using config params tdls_prohibit and + tdls_prohibit_chan_switch. + * EAP server: Add support for configuring fragment size (see + fragment_size in hostapd.conf). + * wlantest: Add a tool wlantest for IEEE802.11 protocol testing. + wlantest can be used to capture frames from a monitor interface + for realtime capturing or from pcap files for offline analysis. + * Interworking: Support added for 802.11u. Enable in .config with + CONFIG_INTERWORKING. See hostapd.conf for config parameters for + interworking. + * Android: Add build and runtime support for Android hostapd. + * Add a new debug message level for excessive information. Use + -ddd to enable. + * TLS: Add support for tls_disable_time_checks=1 in client mode. + * Internal TLS: + - Add support for TLS v1.1 (RFC 4346). Enable with build parameter + CONFIG_TLSV11. + - Add domainComponent parser for X.509 names + * Reorder some IEs to get closer to IEEE 802.11 standard. Move + WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames. + Move HT IEs to be later in (Re)Assoc Resp. + * Many bugfixes. + +2010-04-18 - v0.7.2 + * fix WPS internal Registrar use when an external Registrar is also + active + * bsd: Cleaned up driver wrapper and added various low-level + configuration options + * TNC: fixed issues with fragmentation + * EAP-TNC: add Flags field into fragment acknowledgement (needed to + interoperate with other implementations; may potentially breaks + compatibility with older wpa_supplicant/hostapd versions) + * cleaned up driver wrapper API for multi-BSS operations + * nl80211: fix multi-BSS and VLAN operations + * fix number of issues with IEEE 802.11r/FT; this version is not + backwards compatible with old versions + * add SA Query Request processing in AP mode (IEEE 802.11w) + * fix IGTK PN in group rekeying (IEEE 802.11w) + * fix WPS PBC session overlap detection to use correct attribute + * hostapd_notif_Assoc() can now be called with all IEs to simplify + driver wrappers + * work around interoperability issue with some WPS External Registrar + implementations + * nl80211: fix WPS IE update + * hostapd_cli: add support for action script operations (run a script + on hostapd events) + * fix DH padding with internal crypto code (mainly, for WPS) + * fix WPS association with both WPS IE and WPA/RSN IE present with + driver wrappers that use hostapd MLME (e.g., nl80211) + +2010-01-16 - v0.7.1 + * cleaned up driver wrapper API (struct wpa_driver_ops); the new API + is not fully backwards compatible, so out-of-tree driver wrappers + will need modifications + * cleaned up various module interfaces + * merge hostapd and wpa_supplicant developers' documentation into a + single document + * fixed HT Capabilities IE with nl80211 drivers + * moved generic AP functionality code into src/ap + * WPS: handle Selected Registrar as union of info from all Registrars + * remove obsolete Prism54.org driver wrapper + * added internal debugging mechanism with backtrace support and memory + allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y) + * EAP-FAST server: piggyback Phase 2 start with the end of Phase 1 + * WPS: add support for dynamically selecting whether to provision the + PSK as an ASCII passphrase or PSK + * added support for WDS (4-address frame) mode with per-station virtual + interfaces (wds_sta=1 in config file; only supported with + driver=nl80211 for now) + * fixed WPS Probe Request processing to handle missing required + attribute + * fixed PKCS#12 use with OpenSSL 1.0.0 + * detect bridge interface automatically so that bridge parameter in + hostapd.conf becomes optional (though, it may now be used to + automatically add then WLAN interface into a bridge with + driver=nl80211) + +2009-11-21 - v0.7.0 + * increased hostapd_cli ping interval to 5 seconds and made this + configurable with a new command line options (-G<seconds>) + * driver_nl80211: use Linux socket filter to improve performance + * added support for external Registrars with WPS (UPnP transport) + * 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel + * driver_nl80211: fixed STA accounting data collection (TX/RX bytes + reported correctly; TX/RX packets not yet available from kernel) + * added support for WPS USBA out-of-band mechanism with USB Flash + Drives (UFD) (CONFIG_WPS_UFD=y) + * fixed EAPOL/EAP reauthentication when using an external RADIUS + authentication server + * fixed TNC with EAP-TTLS + * fixed IEEE 802.11r key derivation function to match with the standard + (note: this breaks interoperability with previous version) [Bug 303] + * fixed SHA-256 based key derivation function to match with the + standard when using CCMP (for IEEE 802.11r and IEEE 802.11w) + (note: this breaks interoperability with previous version) [Bug 307] + * added number of code size optimizations to remove unnecessary + functionality from the program binary based on build configuration + (part of this automatic; part configurable with CONFIG_NO_* build + options) + * use shared driver wrapper files with wpa_supplicant + * driver_nl80211: multiple updates to provide support for new Linux + nl80211/mac80211 functionality + * updated management frame protection to use IEEE Std 802.11w-2009 + * fixed number of small WPS issues and added workarounds to + interoperate with common deployed broken implementations + * added some IEEE 802.11n co-existence rules to disable 40 MHz channels + or modify primary/secondary channels if needed based on neighboring + networks + * added support for NFC out-of-band mechanism with WPS + * added preliminary support for IEEE 802.11r RIC processing + +2009-01-06 - v0.6.7 + * added support for Wi-Fi Protected Setup (WPS) + (hostapd can now be configured to act as an integrated WPS Registrar + and provision credentials for WPS Enrollees using PIN and PBC + methods; external wireless Registrar can configure the AP, but + external WLAN Manager Registrars are not supported); WPS support can + be enabled by adding CONFIG_WPS=y into .config and setting the + runtime configuration variables in hostapd.conf (see WPS section in + the example configuration file); new hostapd_cli commands wps_pin and + wps_pbc are used to configure WPS negotiation; see README-WPS for + more details + * added IEEE 802.11n HT capability configuration (ht_capab) + * added support for generating Country IE based on nl80211 regulatory + information (added if ieee80211d=1 in configuration) + * fixed WEP authentication (both Open System and Shared Key) with + mac80211 + * added support for EAP-AKA' (draft-arkko-eap-aka-kdf) + * added support for using driver_test over UDP socket + * changed EAP-GPSK to use the IANA assigned EAP method type 51 + * updated management frame protection to use IEEE 802.11w/D7.0 + * fixed retransmission of EAP requests if no response is received + +2008-11-23 - v0.6.6 + * added a new configuration option, wpa_ptk_rekey, that can be used to + enforce frequent PTK rekeying, e.g., to mitigate some attacks against + TKIP deficiencies + * updated OpenSSL code for EAP-FAST to use an updated version of the + session ticket overriding API that was included into the upstream + OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is + needed with that version anymore) + * changed channel flags configuration to read the information from + the driver (e.g., via driver_nl80211 when using mac80211) instead of + using hostapd as the source of the regulatory information (i.e., + information from CRDA is now used with mac80211); this allows 5 GHz + channels to be used with hostapd (if allowed in the current + regulatory domain) + * fixed EAP-TLS message processing for the last TLS message if it is + large enough to require fragmentation (e.g., if a large Session + Ticket data is included) + * fixed listen interval configuration for nl80211 drivers + +2008-11-01 - v0.6.5 + * added support for SHA-256 as X.509 certificate digest when using the + internal X.509/TLSv1 implementation + * fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer + identity lengths) + * fixed internal TLSv1 implementation for abbreviated handshake (used + by EAP-FAST server) + * added support for setting VLAN ID for STAs based on local MAC ACL + (accept_mac_file) as an alternative for RADIUS server-based + configuration + * updated management frame protection to use IEEE 802.11w/D6.0 + (adds a new association ping to protect against unauthenticated + authenticate or (re)associate request frames dropping association) + * added support for using SHA256-based stronger key derivation for WPA2 + (IEEE 802.11w) + * added new "driver wrapper" for RADIUS-only configuration + (driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config) + * fixed WPA/RSN IE validation to verify that the proto (WPA vs. WPA2) + is enabled in configuration + * changed EAP-FAST configuration to use separate fields for A-ID and + A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed + 16-octet len binary value for better interoperability with some peer + implementations; eap_fast_a_id is now configured as a hex string + * driver_nl80211: Updated to match the current Linux mac80211 AP mode + configuration (wireless-testing.git and Linux kernel releases + starting from 2.6.29) + +2008-08-10 - v0.6.4 + * added peer identity into EAP-FAST PAC-Opaque and skip Phase 2 + Identity Request if identity is already known + * added support for EAP Sequences in EAP-FAST Phase 2 + * added support for EAP-TNC (Trusted Network Connect) + (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST + changes needed to run two methods in sequence (IF-T) and the IF-IMV + and IF-TNCCS interfaces from TNCS) + * added support for optional cryptobinding with PEAPv0 + * added fragmentation support for EAP-TNC + * added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled) + data + * added support for opportunistic key caching (OKC) + +2008-02-22 - v0.6.3 + * fixed Reassociation Response callback processing when using internal + MLME (driver_{hostap,nl80211,test}.c) + * updated FT support to use the latest draft, IEEE 802.11r/D9.0 + * copy optional Proxy-State attributes into RADIUS response when acting + as a RADIUS authentication server + * fixed EAPOL state machine to handle a case in which no response is + received from the RADIUS authentication server; previous version + could have triggered a crash in some cases after a timeout + * fixed EAP-SIM/AKA realm processing to allow decorated usernames to + be used + * added a workaround for EAP-SIM/AKA peers that include incorrect null + termination in the username + * fixed EAP-SIM/AKA protected result indication to include AT_COUNTER + attribute in notification messages only when using fast + reauthentication + * fixed EAP-SIM Start response processing for fast reauthentication + case + * added support for pending EAP processing in EAP-{PEAP,TTLS,FAST} + phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method + +2008-01-01 - v0.6.2 + * fixed EAP-SIM and EAP-AKA message parser to validate attribute + lengths properly to avoid potential crash caused by invalid messages + * added data structure for storing allocated buffers (struct wpabuf); + this does not affect hostapd usage, but many of the APIs changed + and various interfaces (e.g., EAP) is not compatible with old + versions + * added support for protecting EAP-AKA/Identity messages with + AT_CHECKCODE (optional feature in RFC 4187) + * added support for protected result indication with AT_RESULT_IND for + EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1) + * added support for configuring EAP-TTLS phase 2 non-EAP methods in + EAP server configuration; previously all four were enabled for every + phase 2 user, now all four are disabled by default and need to be + enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, + TTLS-MSCHAPV2 + * removed old debug printing mechanism and the related 'debug' + parameter in the configuration file; debug verbosity is now set with + -d (or -dd) command line arguments + * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt); + only shared key/password authentication is supported in this version + +2007-11-24 - v0.6.1 + * added experimental, integrated TLSv1 server implementation with the + needed X.509/ASN.1/RSA/bignum processing (this can be enabled by + setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in + .config); this can be useful, e.g., if the target system does not + have a suitable TLS library and a minimal code size is required + * added support for EAP-FAST server method to the integrated EAP + server + * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest + draft (draft-ietf-emu-eap-gpsk-07.txt) + * added a new configuration parameter, rsn_pairwise, to allow different + pairwise cipher suites to be enabled for WPA and RSN/WPA2 + (note: if wpa_pairwise differs from rsn_pairwise, the driver will + either need to support this or will have to use the WPA/RSN IEs from + hostapd; currently, the included madwifi and bsd driver interfaces do + not have support for this) + * updated FT support to use the latest draft, IEEE 802.11r/D8.0 + +2007-05-28 - v0.6.0 + * added experimental IEEE 802.11r/D6.0 support + * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48 + * updated EAP-PSK to use the IANA-allocated EAP type 47 + * fixed EAP-PSK bit ordering of the Flags field + * fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs + by reading wpa_psk_file [Bug 181] + * fixed EAP-TTLS AVP parser processing for too short AVP lengths + * fixed IPv6 connection to RADIUS accounting server + * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest + draft (draft-ietf-emu-eap-gpsk-04.txt) + * hlr_auc_gw: read GSM triplet file into memory and rotate through the + entries instead of only using the same three triplets every time + (this does not work properly with tests using multiple clients, but + provides bit better triplet data for testing a single client; anyway, + if a better quality triplets are needed, GSM-Milenage should be used + instead of hardcoded triplet file) + * fixed EAP-MSCHAPv2 server to use a space between S and M parameters + in Success Request [Bug 203] + * added support for sending EAP-AKA Notifications in error cases + * updated to use IEEE 802.11w/D2.0 for management frame protection + (still experimental) + * RADIUS server: added support for processing duplicate messages + (retransmissions from RADIUS client) by replying with the previous + reply + +2006-11-24 - v0.5.6 + * added support for configuring and controlling multiple BSSes per + radio interface (bss=<ifname> in hostapd.conf); this is only + available with Devicescape and test driver interfaces + * fixed PMKSA cache update in the end of successful RSN + pre-authentication + * added support for dynamic VLAN configuration (i.e., selecting VLAN-ID + for each STA based on RADIUS Access-Accept attributes); this requires + VLAN support from the kernel driver/802.11 stack and this is + currently only available with Devicescape and test driver interfaces + * driver_madwifi: fixed configuration of unencrypted modes (plaintext + and IEEE 802.1X without WEP) + * removed STAKey handshake since PeerKey handshake has replaced it in + IEEE 802.11ma and there are no known deployments of STAKey + * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest + draft (draft-ietf-emu-eap-gpsk-01.txt) + * added preliminary implementation of IEEE 802.11w/D1.0 (management + frame protection) + (Note: this requires driver support to work properly.) + (Note2: IEEE 802.11w is an unapproved draft and subject to change.) + * hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM) + * hlr_auc_gw: added support for reading per-IMSI Milenage keys and + parameters from a text file to make it possible to implement proper + GSM/UMTS authentication server for multiple SIM/USIM cards using + EAP-SIM/EAP-AKA + * fixed session timeout processing with drivers that do not use + ieee802_11.c (e.g., madwifi) + +2006-08-27 - v0.5.5 + * added 'hostapd_cli new_sta <addr>' command for adding a new STA into + hostapd (e.g., to initialize wired network authentication based on an + external signal) + * fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when + using WPA2 even if PMKSA caching is not used + * added -P<pid file> argument for hostapd to write the current process + id into a file + * added support for RADIUS Authentication Server MIB (RFC 2619) + +2006-06-20 - v0.5.4 + * fixed nt_password_hash build [Bug 144] + * added PeerKey handshake implementation for IEEE 802.11e + direct link setup (DLS) to replace STAKey handshake + * added support for EAP Generalized Pre-Shared Key (EAP-GPSK, + draft-clancy-emu-eap-shared-secret-00.txt) + * fixed a segmentation fault when RSN pre-authentication was completed + successfully [Bug 152] + +2006-04-27 - v0.5.3 + * do not build nt_password_hash and hlr_auc_gw by default to avoid + requiring a TLS library for a successful build; these programs can be + build with 'make nt_password_hash' and 'make hlr_auc_gw' + * added a new configuration option, eapol_version, that can be used to + set EAPOL version to 1 (default is 2) to work around broken client + implementations that drop EAPOL frames which use version number 2 + [Bug 89] + * added support for EAP-SAKE (no EAP method number allocated yet, so + this is using the same experimental type 255 as EAP-PSK) + * fixed EAP-MSCHAPv2 message length validation + +2006-03-19 - v0.5.2 + * fixed stdarg use in hostapd_logger(): if both stdout and syslog + logging was enabled, hostapd could trigger a segmentation fault in + vsyslog on some CPU -- C library combinations + * moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external + program to make it easier to use for implementing real SS7 gateway; + eap_sim_db is not anymore used as a file name for GSM authentication + triplets; instead, it is path to UNIX domain socket that will be used + to communicate with the external gateway program (e.g., hlr_auc_gw) + * added example HLR/AuC gateway implementation, hlr_auc_gw, that uses + local information (GSM authentication triplets from a text file and + hardcoded AKA authentication data); this can be used to test EAP-SIM + and EAP-AKA + * added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw + to make it possible to test EAP-AKA with real USIM cards (this is + disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw + to enable this) + * driver_madwifi: added support for getting station RSN IE from + madwifi-ng svn r1453 and newer; this fixes RSN that was apparently + broken with earlier change (r1357) in the driver + * changed EAP method registration to use a dynamic list of methods + instead of a static list generated at build time + * fixed WPA message 3/4 not to encrypt Key Data field (WPA IE) + [Bug 125] + * added ap_max_inactivity configuration parameter + +2006-01-29 - v0.5.1 + * driver_test: added better support for multiple APs and STAs by using + a directory with sockets that include MAC address for each device in + the name (test_socket=DIR:/tmp/test) + * added support for EAP expanded type (vendor specific EAP methods) + +2005-12-18 - v0.5.0 (beginning of 0.5.x development releases) + * added experimental STAKey handshake implementation for IEEE 802.11e + direct link setup (DLS); note: this is disabled by default in both + build and runtime configuration (can be enabled with CONFIG_STAKEY=y + and stakey=1) + * added support for EAP methods to use callbacks to external programs + by buffering a pending request and processing it after the EAP method + is ready to continue + * improved EAP-SIM database interface to allow external request to GSM + HLR/AuC without blocking hostapd process + * added support for using EAP-SIM pseudonyms and fast re-authentication + * added support for EAP-AKA in the integrated EAP authenticator + * added support for matching EAP identity prefixes (e.g., "1"*) in EAP + user database to allow EAP-SIM/AKA selection without extra roundtrip + for EAP-Nak negotiation + * added support for storing EAP user password as NtPasswordHash instead + of plaintext password when using MSCHAP or MSCHAPv2 for + authentication (hash:<16-octet hex value>); added nt_password_hash + tool for hashing password to generate NtPasswordHash + +2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases) + * driver_wired: fixed EAPOL sending to optionally use PAE group address + as the destination instead of supplicant MAC address; this is + disabled by default, but should be enabled with use_pae_group_addr=1 + in configuration file if the wired interface is used by only one + device at the time (common switch configuration) + * driver_madwifi: configure driver to use TKIP countermeasures in order + to get correct behavior (IEEE 802.11 association failing; previously, + association succeeded, but hostpad forced disassociation immediately) + * driver_madwifi: added support for madwifi-ng + +2005-10-27 - v0.4.6 + * added support for replacing user identity from EAP with RADIUS + User-Name attribute from Access-Accept message, if that is included, + for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get + tunneled identity into accounting messages when the RADIUS server + does not support better way of doing this with Class attribute) + * driver_madwifi: fixed EAPOL packet receive for configuration where + ath# is part of a bridge interface + * added a configuration file and log analyzer script for logwatch + * fixed EAPOL state machine step function to process all state + transitions before processing new events; this resolves a race + condition in which EAPOL-Start message could trigger hostapd to send + two EAP-Response/Identity frames to the authentication server + +2005-09-25 - v0.4.5 + * added client CA list to the TLS certificate request in order to make + it easier for the client to select which certificate to use + * added experimental support for EAP-PSK + * added support for WE-19 (hostap, madwifi) + +2005-08-21 - v0.4.4 + * fixed build without CONFIG_RSN_PREAUTH + * fixed FreeBSD build + +2005-06-26 - v0.4.3 + * fixed PMKSA caching to copy User-Name and Class attributes so that + RADIUS accounting gets correct information + * start RADIUS accounting only after successful completion of WPA + 4-Way Handshake if WPA-PSK is used + * fixed PMKSA caching for the case where STA (re)associates without + first disassociating + +2005-06-12 - v0.4.2 + * EAP-PAX is now registered as EAP type 46 + * fixed EAP-PAX MAC calculation + * fixed EAP-PAX CK and ICK key derivation + * renamed eap_authenticator configuration variable to eap_server to + better match with RFC 3748 (EAP) terminology + * driver_test: added support for testing hostapd with wpa_supplicant + by using test driver interface without any kernel drivers or network + cards + +2005-05-22 - v0.4.1 + * fixed RADIUS server initialization when only auth or acct server + is configured and the other one is left empty + * driver_madwifi: added support for RADIUS accounting + * driver_madwifi: added preliminary support for compiling against 'BSD' + branch of madwifi CVS tree + * driver_madwifi: fixed pairwise key removal to allow WPA reauth + without disassociation + * added support for reading additional certificates from PKCS#12 files + and adding them to the certificate chain + * fixed RADIUS Class attribute processing to only use Access-Accept + packets to update Class; previously, other RADIUS authentication + packets could have cleared Class attribute + * added support for more than one Class attribute in RADIUS packets + * added support for verifying certificate revocation list (CRL) when + using integrated EAP authenticator for EAP-TLS; new hostapd.conf + options 'check_crl'; CRL must be included in the ca_cert file for now + +2005-04-25 - v0.4.0 (beginning of 0.4.x development releases) + * added support for including network information into + EAP-Request/Identity message (ASCII-0 (nul) in eap_message) + (e.g., to implement draft-adrange-eap-network-discovery-07.txt) + * fixed a bug which caused some RSN pre-authentication cases to use + freed memory and potentially crash hostapd + * fixed private key loading for cases where passphrase is not set + * added support for sending TLS alerts and aborting authentication + when receiving a TLS alert + * fixed WPA2 to add PMKSA cache entry when using integrated EAP + authenticator + * fixed PMKSA caching (EAP authentication was not skipped correctly + with the new state machine changes from IEEE 802.1X draft) + * added support for RADIUS over IPv6; own_ip_addr, auth_server_addr, + and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs + to be added to .config to include IPv6 support); for RADIUS server, + radius_server_ipv6=1 needs to be set in hostapd.conf and addresses + in RADIUS clients file can then use IPv6 format + * added experimental support for EAP-PAX + * replaced hostapd control interface library (hostapd_ctrl.[ch]) with + the same implementation that wpa_supplicant is using (wpa_ctrl.[ch]) + +2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) + +2005-01-23 - v0.3.5 + * added support for configuring a forced PEAP version based on the + Phase 1 identity + * fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV + to terminate authentication + * fixed EAP identifier duplicate processing with the new IEEE 802.1X + draft + * clear accounting data in the driver when starting a new accounting + session + * driver_madwifi: filter wireless events based on ifindex to allow more + than one network interface to be used + * fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt + setting if the packet does not pass MIC verification (e.g., due to + incorrect PSK); previously, message 1/4 was not tried again if an + invalid message 2/4 was received + * fixed reconfiguration of RADIUS client retransmission timer when + adding a new message to the pending list; previously, timer was not + updated at this point and if there was a pending message with long + time for the next retry, the new message needed to wait that long for + its first retry, too + +2005-01-09 - v0.3.4 + * added support for configuring multiple allowed EAP types for Phase 2 + authentication (EAP-PEAP, EAP-TTLS) + * fixed EAPOL-Start processing to trigger WPA reauthentication + (previously, only EAPOL authentication was done) + +2005-01-02 - v0.3.3 + * added support for EAP-PEAP in the integrated EAP authenticator + * added support for EAP-GTC in the integrated EAP authenticator + * added support for configuring list of EAP methods for Phase 1 so that + the integrated EAP authenticator can, e.g., use the wildcard entry + for EAP-TLS and EAP-PEAP + * added support for EAP-TTLS in the integrated EAP authenticator + * added support for EAP-SIM in the integrated EAP authenticator + * added support for using hostapd as a RADIUS authentication server + with the integrated EAP authenticator taking care of EAP + authentication (new hostapd.conf options: radius_server_clients and + radius_server_auth_port); this is not included in default build; use + CONFIG_RADIUS_SERVER=y in .config to include + +2004-12-19 - v0.3.2 + * removed 'daemonize' configuration file option since it has not really + been used at all for more than year + * driver_madwifi: fixed group key setup and added get_ssid method + * added support for EAP-MSCHAPv2 in the integrated EAP authenticator + +2004-12-12 - v0.3.1 + * added support for integrated EAP-TLS authentication (new hostapd.conf + variables: ca_cert, server_cert, private_key, private_key_passwd); + this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without + external RADIUS server + * added support for reading PKCS#12 (PFX) files (as a replacement for + PEM/DER) to get certificate and private key (CONFIG_PKCS12) + +2004-12-05 - v0.3.0 (beginning of 0.3.x development releases) + * added support for Acct-{Input,Output}-Gigawords + * added support for Event-Timestamp (in RADIUS Accounting-Requests) + * added support for RADIUS Authentication Client MIB (RFC2618) + * added support for RADIUS Accounting Client MIB (RFC2620) + * made EAP re-authentication period configurable (eap_reauth_period) + * fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication + * fixed EAPOL state machine to stop if STA is removed during + eapol_sm_step(); this fixes at least one segfault triggering bug with + IEEE 802.11i pre-authentication + * added support for multiple WPA pre-shared keys (e.g., one for each + client MAC address or keys shared by a group of clients); + new hostapd.conf field wpa_psk_file for setting path to a text file + containing PSKs, see hostapd.wpa_psk for an example + * added support for multiple driver interfaces to allow hostapd to be + used with other drivers + * added wired authenticator driver interface (driver=wired in + hostapd.conf, see wired.conf for example configuration) + * added madwifi driver interface (driver=madwifi in hostapd.conf, see + madwifi.conf for example configuration; Note: include files from + madwifi project is needed for building and a configuration file, + .config, needs to be created in hostapd directory with + CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd + build) + * fixed an alignment issue that could cause SHA-1 to fail on some + platforms (e.g., Intel ixp425 with a compiler that does not 32-bit + align variables) + * fixed RADIUS reconnection after an error in sending interim + accounting packets + * added hostapd control interface for external programs and an example + CLI, hostapd_cli (like wpa_cli for wpa_supplicant) + * started adding dot11, dot1x, radius MIBs ('hostapd_cli mib', + 'hostapd_cli sta <addr>') + * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11) + * added support for strict GTK rekeying (wpa_strict_rekey in + hostapd.conf) + * updated IAPP to use UDP port 3517 and multicast address 224.0.1.178 + (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to + IEEE 802.11F-2003) + * added Prism54 driver interface (driver=prism54 in hostapd.conf; + note: .config needs to be created in hostapd directory with + CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd + build) + * dual-licensed hostapd (GPLv2 and BSD licenses) + * fixed RADIUS accounting to generate a new session id for cases where + a station reassociates without first being complete deauthenticated + * fixed STA disassociation handler to mark next timeout state to + deauthenticate the station, i.e., skip long wait for inactivity poll + and extra disassociation, if the STA disassociates without + deauthenticating + * added integrated EAP authenticator that can be used instead of + external RADIUS authentication server; currently, only EAP-MD5 is + supported, so this cannot yet be used for key distribution; the EAP + method interface is generic, though, so adding new EAP methods should + be straightforward; new hostapd.conf variables: 'eap_authenticator' + and 'eap_user_file'; this obsoletes "minimal authentication server" + ('minimal_eap' in hostapd.conf) which is now removed + * added support for FreeBSD and driver interface for the BSD net80211 + layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in + .config); please note that some of the required kernel mods have not + yet been committed + +2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases) + * fixed some accounting cases where Accounting-Start was sent when + IEEE 802.1X port was being deauthorized + +2004-06-20 - v0.2.3 + * modified RADIUS client to re-connect the socket in case of certain + error codes that are generated when a network interface state is + changes (e.g., when IP address changes or the interface is set UP) + * fixed couple of cases where EAPOL state for a station was freed + twice causing a segfault for hostapd + * fixed couple of bugs in processing WPA deauthentication (freed data + was used) + +2004-05-31 - v0.2.2 + * fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM) + * fixed group rekeying to send zero TSC in EAPOL-Key messages to fix + cases where STAs dropped multicast frames as replay attacks + * added support for copying RADIUS Attribute 'Class' from + authentication messages into accounting messages + * send canned EAP failure if RADIUS server sends Access-Reject without + EAP message (previously, Supplicant was not notified in this case) + * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do + not start EAPOL state machines if the STA selected to use WPA-PSK) + +2004-05-06 - v0.2.1 + * added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality + - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA + (i.e., IEEE 802.11i/D3.0) + - supports WPA-only, RSN-only, and mixed WPA/RSN mode + - both WPA-PSK and WPA-RADIUS/EAP are supported + - PMKSA caching and pre-authentication + - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase, + wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey, + rsn_preauth, rsn_preauth_interfaces + * fixed interim accounting to remove any pending accounting messages + to the STA before sending a new one + +2004-02-15 - v0.2.0 + * added support for Acct-Interim-Interval: + - draft-ietf-radius-acct-interim-01.txt + - use Acct-Interim-Interval attribute from Access-Accept if local + 'radius_acct_interim_interval' is not set + - allow different update intervals for each STA + * fixed event loop to call signal handlers only after returning from + the real signal handler + * reset sta->timeout_next after successful association to make sure + that the previously registered inactivity timer will not remove the + STA immediately (e.g., if STA deauthenticates and re-associates + before the timer is triggered). + * added new hostapd.conf variable, nas_identifier, that can be used to + add an optional RADIUS Attribute, NAS-Identifier, into authentication + and accounting messages + * added support for Accounting-On and Accounting-Off messages + * fixed accounting session handling to send Accounting-Start only once + per session and not to send Accounting-Stop if the session was not + initialized properly + * fixed Accounting-Stop statistics in cases where the message was + previously sent after the kernel entry for the STA (and/or IEEE + 802.1X data) was removed + + +Note: + +Older changes up to and including v0.1.0 are included in the ChangeLog +of the Host AP driver. |