Lines Matching +full:10 +full:g +full:- +full:support

3 2024-07-20 - v2.11
4 * Wi-Fi Easy Connect
5 - add support for DPP release 3
6 - allow Configurator parameters to be provided during config exchange
7 * HE/IEEE 802.11ax/Wi-Fi 6
8 - various fixes
9 * EHT/IEEE 802.11be/Wi-Fi 7
10 - add preliminary support
11 * SAE: add support for fetching the password from a RADIUS server
12 * support OpenSSL 3.0 API changes
13 * support background radar detection and CAC with some additional
15 * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
16 * EAP-SIM/AKA: support IMSI privacy
17 * improve 4-way handshake operations
18 - use Secure=1 in message 3 during PTK rekeying
21 * support new SAE AKM suites with variable length keys
22 * support new AKM for 802.1X/EAP with SHA384
23 * extend PASN support for secure ranging
24 * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
25 - this is based on additional details being added in the IEEE 802.11
27 - the new implementation is not backwards compatible
29 * extended Multiple BSSID support
31 * support unsynchronized service discovery (USD)
32 * add preliminary support for RADIUS/TLS
33 * add support for explicit SSID protection in 4-way handshake
34 (a mitigation for CVE-2023-52424; disabled by default for now, can be
40 2022-01-16 - v2.10
42 - improved protection against side channel attacks
43 [https://w1.fi/security/2022-1/]
44 - added option to send SAE Confirm immediately (sae_config_immediate=1)
46 - added support for the hash-to-element mechanism (sae_pwe=1 or
48 - fixed PMKSA caching with OKC
49 - added support for SAE-PK
50 * EAP-pwd changes
51 - improved protection against side channel attacks
52 [https://w1.fi/security/2022-1/]
54 [https://w1.fi/security/2020-1/]
56 [https://w1.fi/security/2019-7/]
57 * added support for using OpenSSL 3.0
58 * fixed various issues in experimental support for EAP-TEAP server
61 support cases with very large certificates) for the EAP server
62 * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
63 * extended HE (IEEE 802.11ax) support, including 6 GHz support
65 * fixed EAP-FAST server with TLS GCM/CCM ciphers
66 * dropped support for libnl 1.1
67 * added support for nl80211 control port for EAPOL frame TX/RX
72 * added support for Beacon protection
73 * added support for Extended Key ID for pairwise keys
74 * removed WEP support from the default build (CONFIG_WEP=y can be used
76 * added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
77 * added support for Transition Disable mechanism to allow the AP to
79 * added support for PASN
80 * added EAP-TLS server support for TLS 1.3 (disabled by default for now)
83 2019-08-07 - v2.9
85 - disable use of groups using Brainpool curves
86 - improved protection against side channel attacks
87 [https://w1.fi/security/2019-6/]
88 * EAP-pwd changes
89 - disable use of groups using Brainpool curves
90 - improved protection against side channel attacks
91 [https://w1.fi/security/2019-6/]
92 * fixed FT-EAP initial mobility domain association using PMKSA caching
96 * added support for regulatory WMM limitation (for ETSI)
97 * added support for MACsec Key Agreement using IEEE 802.1X/PSK
98 * added experimental support for EAP-TEAP server (RFC 7170)
99 * added experimental support for EAP-TLS server with TLS v1.3
100 * added support for two server certificates/keys (RSA/ECC)
103 * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
107 2019-04-21 - v2.8
109 - added support for SAE Password Identifier
110 - changed default configuration to enable only group 19
113 - improved anti-clogging token mechanism and SAE authentication
117 - added Finite Cyclic Group field in status code 77 responses
118 - reject use of unsuitable groups based on new implementation guidance
121 - minimize timing and memory use differences in PWE derivation
122 [https://w1.fi/security/2019-1/] (CVE-2019-9494)
123 - fixed confirm message validation in error cases
124 [https://w1.fi/security/2019-3/] (CVE-2019-9496)
125 * EAP-pwd changes
126 - minimize timing and memory use differences in PWE derivation
127 [https://w1.fi/security/2019-2/] (CVE-2019-9495)
128 - verify peer scalar/element
129 [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
130 - fix message reassembly issue with unexpected fragment
131 [https://w1.fi/security/2019-5/]
132 - enforce rand,mask generation rules more strictly
133 - fix a memory leak in PWE derivation
134 - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
137 - added support for release number 3
138 - reject release 2 or newer association without PMF
139 * added support for RSN operating channel validation
141 * added Multi-AP protocol support
146 * added RSSI-based association rejection from OCE
149 - allow local VLAN management with remote RADIUS authentication
150 - add WPA/WPA2 passphrase/PSK -based VLAN assignment
155 * fixed FT and SA Query Action frame with AP-MLME-in-driver cases
156 * OWE: allow Diffie-Hellman Parameter element to be included with DPP
158 * RADIUS server: started to accept ERP keyName-NAI as user identity
162 2018-12-02 - v2.7
165 [http://w1.fi/security/2017-1/] (CVE-2017-13082)
166 * added support for FILS (IEEE 802.11ai) shared key authentication
167 * added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
169 * added support for DPP (Wi-Fi Device Provisioning Protocol)
171 - added local generation of PMK-R0/PMK-R1 for FT-PSK
173 - replaced inter-AP protocol with a cleaner design that is more
177 - added support for wildcard R0KH/R1KH
178 - replaced r0_key_lifetime (minutes) parameter with
180 - fixed wpa_psk_file use for FT-PSK
181 - fixed FT-SAE PMKID matching
182 - added expiration to PMK-R0 and PMK-R1 cache
183 - added IEEE VLAN support (including tagged VLANs)
184 - added support for SHA384 based AKM
186 - fixed some PMKSA caching cases with SAE
187 - added support for configuring SAE password separately of the
189 - added option to require MFP for SAE associations
191 - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
196 - added support for Password Identifier
197 * hostapd_cli: added support for command history and completion
198 * added support for requesting beacon report
200 * added option to configure EAPOL-Key retry limits
205 * added support for using wolfSSL cryptographic library
209 - added support for setting Venue URL ANQP-element (venue_url)
210 - added support for advertising Hotspot 2.0 operator icons
211 - added support for Roaming Consortium Selection element
212 - added support for Terms and Conditions
213 - added support for OSEN connection in a shared RSN BSS
214 * added support for using OpenSSL 1.1.1
215 * added EAP-pwd server support for salted passwords
217 2016-10-02 - v2.6
218 * fixed EAP-pwd last fragment validation
219 [http://w1.fi/security/2015-7/] (CVE-2015-5314)
221 [http://w1.fi/security/2016-1/] (CVE-2016-4476)
222 * extended channel switch support for VHT bandwidth changes
223 * added support for configuring new ANQP-elements with
225 * fixed Suite B 192-bit AKM to use proper PMK length
228 frame sending for not-associated STAs if max_num_sta limit has been
230 * added option (-S as command line argument) to request all interfaces
233 to allow -1 to be used to disable RTS/fragmentation
234 * EAP-pwd: added support for Brainpool Elliptic Curves
237 * fixed FTIE generation for 4-way handshake after FT protocol run
240 - support SHA384 and SHA512 hashes
241 - support TLS v1.2 signature algorithm with SHA384 and SHA512
242 - support PKCS #5 v2.0 PBES2
243 - support PKCS #5 with PKCS #12 style key decryption
244 - minimal support for PKCS #12
245 - support OCSP stapling (including ocsp_multi)
246 * added support for OpenSSL 1.1 API changes
247 - drop support for OpenSSL 0.9.8
248 - drop support for OpenSSL 1.0.0
249 * EAP-PEAP: support fast-connect crypto binding
251 - fix Called-Station-Id to not escape SSID
252 - add Event-Timestamp to all Accounting-Request packets
253 - add Acct-Session-Id to Accounting-On/Off
254 - add Acct-Multi-Session-Id to Access-Request packets
255 - add Service-Type (= Frames)
256 - allow server to provide PSK instead of passphrase for WPA-PSK
258 - update full message for interim accounting updates
259 - add Acct-Delay-Time into Accounting messages
260 - add require_message_authenticator configuration option to require
261 CoA/Disconnect-Request packets to be authenticated
262 * started to postpone WNM-Notification frame sending by 100 ms so that
264 received after the 4-way handshake
266 * extended VLAN support (per-STA vif, etc.)
269 - added support for full station state operations
270 - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
272 * added initial MBO support; number of extensions to WNM BSS Transition
278 - use Address 3 = wildcard BSSID in GAS response if a query from an
280 - fix TX status processing for Address 3 = wildcard BSSID
281 - add gas_address3 configuration parameter to control Address 3
283 * added command line parameter -i to override interface parameter in
285 * added command completion support to hostapd_cli
290 2015-09-27 - v2.5
292 [http://w1.fi/security/2015-2/] (CVE-2015-4141)
294 [http://w1.fi/security/2015-3/] (CVE-2015-4142)
295 * fixed EAP-pwd server missing payload length validation
296 [http://w1.fi/security/2015-4/]
297 (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145)
299 [http://w1.fi/security/2015-5/]
301 - fixed vendor command handling to check OUI properly
304 * disable HT for a station that does not support WMM/QoS
305 * added support for hashed password (NtHash) in EAP-pwd server
307 * added EAP-EKE server support for deriving Session-Id
308 * set Acct-Session-Id to a random value to make it more likely to be
310 * added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
313 * added support for Brainpool Elliptic Curves with SAE
315 * added support for CCMP-256 and GCMP-256 as group ciphers with FT
319 * added EAP server support for TLS session resumption
320 * fixed key derivation for Suite B 192-bit AKM (this breaks
326 2015-03-15 - v2.4
331 * fixed Accounting-Request to not include duplicated Acct-Session-Id
332 * add support for Acct-Multi-Session-Id in RADIUS Accounting messages
333 * add support for PMKSA caching with SAE
334 * add support for generating BSS Load element (bss_load_update_period)
336 * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events
337 * add support for learning STA IPv4/IPv6 addresses and configuring
338 ProxyARP support
339 * dropped support for the madwifi driver interface
340 * add support for Suite B (128-bit and 192-bit level) key management and
343 * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
345 Request frames and BSS-TM-RESP event to indicate response to such
347 * add support for EAP Re-Authentication Protocol (ERP)
348 * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT were enabled
350 * set stdout to be line-buffered
351 * add support for vendor specific VHT extension to enable 256 QAM rates
352 (VHT-MCS 8 and 9) on 2.4 GHz band
354 - extend Disconnect-Request processing to allow matching of multiple
356 - support Acct-Multi-Session-Id as an identifier
357 - allow PMKSA cache entry to be removed without association
370 2014-10-09 - v2.3
372 * fixed DFS and channel switch operation for multi-BSS cases
378 * added support for a number of new RADIUS attributes from RFC 7268
379 (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher,
380 WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher)
383 * fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases
387 (CVE-2014-3686)
389 2014-06-04 - v2.2
390 * fixed SAE confirm-before-commit validation to avoid a potential
393 * extended VHT support
394 - Operating Mode Notification
395 - Power Constraint element (local_pwr_constraint)
396 - Spectrum management capability (spectrum_mgmt_required=1)
397 - fix VHT80 segment picking in ACS
398 - fix vht_capab 'Maximum A-MPDU Length Exponent' handling
399 - fix VHT20
400 * fixed HT40 co-ex scan for some pri/sec channel switches
401 * extended HT40 co-ex support to allow dynamic channel width changes
403 * fixed HT40 co-ex support to check for overlapping 20 MHz BSS
404 * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
405 this fixes passwords that include UTF-8 characters that use
406 three-byte encoding with EAP methods that use NtPasswordHash
408 any AAA server certificate with id-kp-clientAuth even if
409 id-kp-serverAuth EKU was included
413 * enforce full EAP authentication after RADIUS Disconnect-Request by
415 * added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address
416 in RADIUS Disconnect-Request
418 entry with "-"
420 - support Hotspot 2.0 Release 2
430 - do not use Interworking filtering rules on Probe Request if
433 - AP interface teardown optimization
434 - support vendor specific driver command
439 - add SHA256-based cipher suites
440 - add DHE-RSA cipher suites
441 - fix X.509 validation of PKCS#1 signature to check for extra data
443 - add minimal RADIUS accounting server support (hostapd-as-server);
445 - allow authentication log to be written into SQLite database
446 - added option for TLS protocol testing of an EAP peer by simulating
448 - MAC ACL support for testing purposes
449 * fixed PTK derivation for CCMP-256 and GCMP-256
450 * extended WPS per-station PSK to support ER case
452 (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256,
453 BIP-CMAC-256)
456 * added support for postponing FT response in case PMK-R1 needs to be
459 ht_capab=[40-INTOLERANT]
460 * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
462 * EAP-pwd fixes
463 - fix possible segmentation fault on EAP method deinit if an invalid
466 - there was a potential crash due to freed memory being accessed
467 - failover to a backup server mechanism did not work properly
472 * fixed off-by-one bounds checking in printf_encode()
473 - this could result in denial of service in some EAP server cases
476 2014-02-04 - v2.1
477 * added support for simultaneous authentication of equals (SAE) for
478 stronger password-based authentication with WPA2-Personal
480 - VHT configuration for nl80211
481 - support split wiphy dump
482 - driver-based MAC ACL
483 - QoS Mapping configuration
485 * allow ctrl_iface group to be specified on command line (-G<group>)
491 * added support for DFS (processing radar detection events, CAC, channel
492 re-selection)
493 * added EAP-EKE server
495 * added option for using per-BSS (vif) configuration files with
496 -b<phyname>:<config file name>
500 * added support for sending debug info to Linux tracing (-T on command
504 * added support for using Protected Dual of Public Action frames for
506 * added support for WPS+NFC updates
507 - improved protocol
508 - option to fetch and report alternative carrier records for external
512 2013-01-12 - v2.0
513 * added AP-STA-DISCONNECTED ctrl_iface event
519 use of the Secure bit in EAPOL-Key msg 3/4
523 - replace monitor interface with nl80211 commands
524 - additional information for driver-based AP SME
525 * EAP-pwd:
526 - fix KDF for group 21 and zero-padding
527 - added support for fragmentation
528 - increased maximum number of hunting-and-pecking iterations
531 * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y)
535 * added support for getting per-device PSK from RADIUS Tunnel-Password
536 * added support for libnl 3.2 and newer
538 * added a workaround for 4-way handshake to update SNonce even after
539 having sent EAPOL-Key 3/4 to avoid issues with some supplicant
540 implementations that can change SNonce for each EAPOL-Key 2/4
541 * added a workaround for EAPOL-Key 4/4 using incorrect type value in
544 * changed WPS AP PIN disabling mechanism to disable the PIN after 10
547 * added support for WFA Hotspot 2.0
548 - GAS/ANQP advertisement of network information
549 - disable_dgaf parameter to disable downstream group-addressed
553 * EAP-SIM: fixed re-authentication not to update pseudonym
554 * EAP-SIM: use Notification round before EAP-Failure
555 * EAP-AKA: added support for AT_COUNTER_TOO_SMALL
556 * EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized
557 * EAP-AKA': fixed identity for MK derivation
558 * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this
560 * EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id
561 * changed ANonce to be a random number instead of Counter-based
562 * added support for canceling WPS operations with hostapd_cli wps_cancel
566 - a new command line parameter -u can be used to enable updating of
568 - use 5 bit IND for SQN updates
569 - SQLite database can now be used to store Milenage information
570 * EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms
572 * added support for Chargeable-User-Identity (RFC 4372)
575 Access-Request and Accounting-Request packets
576 * added support for RADIUS dynamic authorization server (RFC 5176)
577 * added initial support for WNM operations
578 - BSS max idle period
579 - WNM-Sleep Mode
581 - removed obsoleted WPS_OOB command (including support for deprecated
583 * added FT support for drivers that implement MLME internally
584 * added SA Query support for drivers that implement MLME internally
586 * changed VENDOR-TEST EAP method to use proper private enterprise number
590 * added support for configuring GCMP cipher for IEEE 802.11ad
591 * added support for 256-bit AES with internal TLS implementation
593 * fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length
595 terminate before this fix [CVE-2012-4445]
601 * added support for using SQLite for the eap_user database
602 * added Acct-Session-Id attribute into Access-Request messages
603 * fixed EAPOL frame transmission to non-QoS STAs with nl80211
607 2012-05-10 - v1.0
608 * Add channel selection support in hostapd. See hostapd.conf.
609 * Add support for IEEE 802.11v Time Advertisement mechanism with UTC
618 * atheros: Add support for IEEE 802.11w configuration.
619 * bsd: Add support for setting HT values in IFM_MMASK.
621 isolation can be used to prevent low-level bridging of frames
626 hostapd to reject association with any station that does not support
628 * Add support for writing debug log to a file using "-f" option. Also
629 add relog CLI command to re-open the log file.
635 - Add wds_bridge command for specifying bridge for WDS STA
637 - Add relog command for reopening log file.
638 - Send AP-STA-DISCONNECTED event when an AP disconnects a station
640 - Add wps_config ctrl_interface command for configuring AP. This
644 - Many WPS/WPS ER commands - see WPS/WPS ER sections for details.
645 - Add command get version, that returns hostapd version string.
650 the data connection is not working properly, e.g., due to the STA
656 - Send AP Settings as a wrapped Credential attribute to ctrl_iface
657 in WPS-NEW-AP-SETTINGS.
658 - Dispatch more WPS events through hostapd ctrl_iface.
659 - Add mechanism for indicating non-standard WPS errors.
660 - Change concurrent radio AP to use only one WPS UPnP instance.
661 - Add wps_check_pin command for processing PIN from user input.
664 - Add hostapd_cli get_config command to display current AP config.
665 - Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at
666 runtime and support dynamic AP PIN management.
667 - Disable AP PIN after 10 consecutive failures. Slow down attacks
668 on failures up to 10.
669 - Allow AP to start in Enrollee mode without AP PIN for probing,
671 - Add Config Error into WPS-FAIL events to provide more info
673 - When controlling multiple interfaces:
674 - apply WPS commands to all interfaces configured to use WPS
675 - apply WPS config changes to all interfaces that use WPS
676 - when an attack is detected on any interface, disable AP PIN on
679 - Show SetSelectedRegistrar events as ctrl_iface events.
680 - Add special AP Setup Locked mode to allow read only ER.
683 * WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2)
684 - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool
686 - Add build option CONFIG_WPS_STRICT to allow disabling of WPS
688 - Add support for AuthorizedMACs attribute.
690 - Allow TDLS use or TDLS channel switching in the BSS to be
693 * EAP server: Add support for configuring fragment size (see
698 * Interworking: Support added for 802.11u. Enable in .config with
701 * Android: Add build and runtime support for Android hostapd.
703 -ddd to enable.
704 * TLS: Add support for tls_disable_time_checks=1 in client mode.
706 - Add support for TLS v1.1 (RFC 4346). Enable with build parameter
708 - Add domainComponent parser for X.509 names
714 2010-04-18 - v0.7.2
717 * bsd: Cleaned up driver wrapper and added various low-level
720 * EAP-TNC: add Flags field into fragment acknowledgement (needed to
723 * cleaned up driver wrapper API for multi-BSS operations
724 * nl80211: fix multi-BSS and VLAN operations
735 * hostapd_cli: add support for action script operations (run a script
739 driver wrappers that use hostapd MLME (e.g., nl80211)
741 2010-01-16 - v0.7.1
743 is not fully backwards compatible, so out-of-tree driver wrappers
752 * added internal debugging mechanism with backtrace support and memory
754 * EAP-FAST server: piggyback Phase 2 start with the end of Phase 1
755 * WPS: add support for dynamically selecting whether to provision the
757 * added support for WDS (4-address frame) mode with per-station virtual
768 2009-11-21 - v0.7.0
770 configurable with a new command line options (-G<seconds>)
772 * added support for external Registrars with WPS (UPnP transport)
776 * added support for WPS USBA out-of-band mechanism with USB Flash
780 * fixed TNC with EAP-TTLS
783 * fixed SHA-256 based key derivation function to match with the
791 * driver_nl80211: multiple updates to provide support for new Linux
793 * updated management frame protection to use IEEE Std 802.11w-2009
796 * added some IEEE 802.11n co-existence rules to disable 40 MHz channels
799 * added support for NFC out-of-band mechanism with WPS
800 * added preliminary support for IEEE 802.11r RIC processing
802 2009-01-06 - v0.6.7
803 * added support for Wi-Fi Protected Setup (WPS)
807 external WLAN Manager Registrars are not supported); WPS support can
811 wps_pbc are used to configure WPS negotiation; see README-WPS for
814 * added support for generating Country IE based on nl80211 regulatory
818 * added support for EAP-AKA' (draft-arkko-eap-aka-kdf)
819 * added support for using driver_test over UDP socket
820 * changed EAP-GPSK to use the IANA assigned EAP method type 51
824 2008-11-23 - v0.6.6
826 enforce frequent PTK rekeying, e.g., to mitigate some attacks against
828 * updated OpenSSL code for EAP-FAST to use an updated version of the
830 OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
833 the driver (e.g., via driver_nl80211 when using mac80211) instead of
838 * fixed EAP-TLS message processing for the last TLS message if it is
839 large enough to require fragmentation (e.g., if a large Session
843 2008-11-01 - v0.6.5
844 * added support for SHA-256 as X.509 certificate digest when using the
846 * fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer
849 by EAP-FAST server)
850 * added support for setting VLAN ID for STAs based on local MAC ACL
851 (accept_mac_file) as an alternative for RADIUS server-based
856 * added support for using SHA256-based stronger key derivation for WPA2
858 * added new "driver wrapper" for RADIUS-only configuration
862 * changed EAP-FAST configuration to use separate fields for A-ID and
863 A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed
864 16-octet len binary value for better interoperability with some peer
867 configuration (wireless-testing.git and Linux kernel releases
870 2008-08-10 - v0.6.4
871 * added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
873 * added support for EAP Sequences in EAP-FAST Phase 2
874 * added support for EAP-TNC (Trusted Network Connect)
875 (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST
876 changes needed to run two methods in sequence (IF-T) and the IF-IMV
877 and IF-TNCCS interfaces from TNCS)
878 * added support for optional cryptobinding with PEAPv0
879 * added fragmentation support for EAP-TNC
880 * added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled)
882 * added support for opportunistic key caching (OKC)
884 2008-02-22 - v0.6.3
887 * updated FT support to use the latest draft, IEEE 802.11r/D9.0
888 * copy optional Proxy-State attributes into RADIUS response when acting
893 * fixed EAP-SIM/AKA realm processing to allow decorated usernames to
895 * added a workaround for EAP-SIM/AKA peers that include incorrect null
897 * fixed EAP-SIM/AKA protected result indication to include AT_COUNTER
900 * fixed EAP-SIM Start response processing for fast reauthentication
902 * added support for pending EAP processing in EAP-{PEAP,TTLS,FAST}
903 phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method
905 2008-01-01 - v0.6.2
906 * fixed EAP-SIM and EAP-AKA message parser to validate attribute
910 and various interfaces (e.g., EAP) is not compatible with old
912 * added support for protecting EAP-AKA/Identity messages with
914 * added support for protected result indication with AT_RESULT_IND for
915 EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1)
916 * added support for configuring EAP-TTLS phase 2 non-EAP methods in
919 enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP,
920 TTLS-MSCHAPV2
923 -d (or -dd) command line arguments
924 * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt);
927 2007-11-24 - v0.6.1
931 .config); this can be useful, e.g., if the target system does not
933 * added support for EAP-FAST server method to the integrated EAP
935 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
936 draft (draft-ietf-emu-eap-gpsk-07.txt)
940 either need to support this or will have to use the WPA/RSN IEs from
942 not have support for this)
943 * updated FT support to use the latest draft, IEEE 802.11r/D8.0
945 2007-05-28 - v0.6.0
946 * added experimental IEEE 802.11r/D6.0 support
947 * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
948 * updated EAP-PSK to use the IANA-allocated EAP type 47
949 * fixed EAP-PSK bit ordering of the Flags field
950 * fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs
952 * fixed EAP-TTLS AVP parser processing for too short AVP lengths
954 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
955 draft (draft-ietf-emu-eap-gpsk-04.txt)
960 if better quality triplets are needed, GSM-Milenage should be used
962 * fixed EAP-MSCHAPv2 server to use a space between S and M parameters
964 * added support for sending EAP-AKA Notifications in error cases
967 * RADIUS server: added support for processing duplicate messages
971 2006-11-24 - v0.5.6
972 * added support for configuring and controlling multiple BSSes per
976 pre-authentication
977 * added support for dynamic VLAN configuration (i.e., selecting VLAN-ID
978 for each STA based on RADIUS Access-Accept attributes); this requires
979 VLAN support from the kernel driver/802.11 stack and this is
985 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
986 draft (draft-ietf-emu-eap-gpsk-01.txt)
989 (Note: this requires driver support to work properly.)
991 * hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM)
992 * hlr_auc_gw: added support for reading per-IMSI Milenage keys and
995 EAP-SIM/EAP-AKA
997 ieee802_11.c (e.g., madwifi)
999 2006-08-27 - v0.5.5
1001 hostapd (e.g., to initialize wired network authentication based on an
1003 * fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when
1005 * added -P<pid file> argument for hostapd to write the current process
1007 * added support for RADIUS Authentication Server MIB (RFC 2619)
1009 2006-06-20 - v0.5.4
1013 * added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
1014 draft-clancy-emu-eap-shared-secret-00.txt)
1015 * fixed a segmentation fault when RSN pre-authentication was completed
1018 2006-04-27 - v0.5.3
1026 * added support for EAP-SAKE (no EAP method number allocated yet, so
1027 this is using the same experimental type 255 as EAP-PSK)
1028 * fixed EAP-MSCHAPv2 message length validation
1030 2006-03-19 - v0.5.2
1033 vsyslog on some CPU -- C library combinations
1034 * moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external
1038 to communicate with the external gateway program (e.g., hlr_auc_gw)
1041 hardcoded AKA authentication data); this can be used to test EAP-SIM
1042 and EAP-AKA
1044 to make it possible to test EAP-AKA with real USIM cards (this is
1047 * driver_madwifi: added support for getting station RSN IE from
1048 madwifi-ng svn r1453 and newer; this fixes RSN that was apparently
1056 2006-01-29 - v0.5.1
1057 * driver_test: added better support for multiple APs and STAs by using
1060 * added support for EAP expanded type (vendor specific EAP methods)
1062 2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
1067 * added support for EAP methods to use callbacks to external programs
1070 * improved EAP-SIM database interface to allow external request to GSM
1072 * added support for using EAP-SIM pseudonyms and fast re-authentication
1073 * added support for EAP-AKA in the integrated EAP authenticator
1074 * added support for matching EAP identity prefixes (e.g., "1"*) in EAP
1075 user database to allow EAP-SIM/AKA selection without extra roundtrip
1076 for EAP-Nak negotiation
1077 * added support for storing EAP user password as NtPasswordHash instead
1079 authentication (hash:<16-octet hex value>); added nt_password_hash
1082 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
1091 * driver_madwifi: added support for madwifi-ng
1093 2005-10-27 - v0.4.6
1094 * added support for replacing user identity from EAP with RADIUS
1095 User-Name attribute from Access-Accept message, if that is included,
1096 for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get
1098 does not support better way of doing this with Class attribute)
1104 condition in which EAPOL-Start message could trigger hostapd to send
1105 two EAP-Response/Identity frames to the authentication server
1107 2005-09-25 - v0.4.5
1110 * added experimental support for EAP-PSK
1111 * added support for WE-19 (hostap, madwifi)
1113 2005-08-21 - v0.4.4
1117 2005-06-26 - v0.4.3
1118 * fixed PMKSA caching to copy User-Name and Class attributes so that
1121 4-Way Handshake if WPA-PSK is used
1125 2005-06-12 - v0.4.2
1126 * EAP-PAX is now registered as EAP type 46
1127 * fixed EAP-PAX MAC calculation
1128 * fixed EAP-PAX CK and ICK key derivation
1131 * driver_test: added support for testing hostapd with wpa_supplicant
1135 2005-05-22 - v0.4.1
1138 * driver_madwifi: added support for RADIUS accounting
1139 * driver_madwifi: added preliminary support for compiling against 'BSD'
1143 * added support for reading additional certificates from PKCS#12 files
1145 * fixed RADIUS Class attribute processing to only use Access-Accept
1148 * added support for more than one Class attribute in RADIUS packets
1149 * added support for verifying certificate revocation list (CRL) when
1150 using integrated EAP authenticator for EAP-TLS; new hostapd.conf
1153 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
1154 * added support for including network information into
1155 EAP-Request/Identity message (ASCII-0 (nul) in eap_message)
1156 (e.g., to implement draft-adrange-eap-network-discovery-07.txt)
1157 * fixed a bug which caused some RSN pre-authentication cases to use
1160 * added support for sending TLS alerts and aborting authentication
1166 * added support for RADIUS over IPv6; own_ip_addr, auth_server_addr,
1168 to be added to .config to include IPv6 support); for RADIUS server,
1171 * added experimental support for EAP-PAX
1175 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)
1177 2005-01-23 - v0.3.5
1178 * added support for configuring a forced PEAP version based on the
1180 * fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV
1189 setting if the packet does not pass MIC verification (e.g., due to
1198 2005-01-09 - v0.3.4
1199 * added support for configuring multiple allowed EAP types for Phase 2
1200 authentication (EAP-PEAP, EAP-TTLS)
1201 * fixed EAPOL-Start processing to trigger WPA reauthentication
1204 2005-01-02 - v0.3.3
1205 * added support for EAP-PEAP in the integrated EAP authenticator
1206 * added support for EAP-GTC in the integrated EAP authenticator
1207 * added support for configuring list of EAP methods for Phase 1 so that
1208 the integrated EAP authenticator can, e.g., use the wildcard entry
1209 for EAP-TLS and EAP-PEAP
1210 * added support for EAP-TTLS in the integrated EAP authenticator
1211 * added support for EAP-SIM in the integrated EAP authenticator
1212 * added support for using hostapd as a RADIUS authentication server
1218 2004-12-19 - v0.3.2
1222 * added support for EAP-MSCHAPv2 in the integrated EAP authenticator
1224 2004-12-12 - v0.3.1
1225 * added support for integrated EAP-TLS authentication (new hostapd.conf
1229 * added support for reading PKCS#12 (PFX) files (as a replacement for
1232 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
1233 * added support for Acct-{Input,Output}-Gigawords
1234 * added support for Event-Timestamp (in RADIUS Accounting-Requests)
1235 * added support for RADIUS Authentication Client MIB (RFC2618)
1236 * added support for RADIUS Accounting Client MIB (RFC2620)
1237 * made EAP re-authentication period configurable (eap_reauth_period)
1241 IEEE 802.11i pre-authentication
1242 * added support for multiple WPA pre-shared keys (e.g., one for each
1246 * added support for multiple driver interfaces to allow hostapd to be
1256 * fixed an alignment issue that could cause SHA-1 to fail on some
1257 platforms (e.g., Intel ixp425 with a compiler that does not 32-bit
1265 * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11)
1266 * added support for strict GTK rekeying (wpa_strict_rekey in
1269 (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to
1270 IEEE 802.11F-2003)
1275 * dual-licensed hostapd (GPLv2 and BSD licenses)
1283 external RADIUS authentication server; currently, only EAP-MD5 is
1289 * added support for FreeBSD and driver interface for the BSD net80211
1294 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
1295 * fixed some accounting cases where Accounting-Start was sent when
1298 2004-06-20 - v0.2.3
1299 * modified RADIUS client to re-connect the socket in case of certain
1301 changes (e.g., when IP address changes or the interface is set UP)
1307 2004-05-31 - v0.2.2
1309 * fixed group rekeying to send zero TSC in EAPOL-Key messages to fix
1311 * added support for copying RADIUS Attribute 'Class' from
1313 * send canned EAP failure if RADIUS server sends Access-Reject without
1315 * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do
1316 not start EAPOL state machines if the STA selected to use WPA-PSK)
1318 2004-05-06 - v0.2.1
1320 - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA
1322 - supports WPA-only, RSN-only, and mixed WPA/RSN mode
1323 - both WPA-PSK and WPA-RADIUS/EAP are supported
1324 - PMKSA caching and pre-authentication
1325 - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase,
1331 2004-02-15 - v0.2.0
1332 * added support for Acct-Interim-Interval:
1333 - draft-ietf-radius-acct-interim-01.txt
1334 - use Acct-Interim-Interval attribute from Access-Accept if local
1336 - allow different update intervals for each STA
1339 * reset sta->timeout_next after successful association to make sure
1341 STA immediately (e.g., if STA deauthenticates and re-associates
1344 add an optional RADIUS Attribute, NAS-Identifier, into authentication
1346 * added support for Accounting-On and Accounting-Off messages
1347 * fixed accounting session handling to send Accounting-Start only once
1348 per session and not to send Accounting-Stop if the session was not
1350 * fixed Accounting-Stop statistics in cases where the message was