Lines Matching +full:10 +full:g +full:- +full:support
3 2024-07-20 - v2.11
4 * Wi-Fi Easy Connect
5 - add support for DPP release 3
6 - allow Configurator parameters to be provided during config exchange
8 - add support for GCM-AES-256 cipher suite
9 - remove incorrect EAP Session-Id length constraint
10 - add hardware offload support for additional drivers
11 * HE/IEEE 802.11ax/Wi-Fi 6
12 - support BSS color updates
13 - various fixes
14 * EHT/IEEE 802.11be/Wi-Fi 7
15 - add preliminary support
16 * support OpenSSL 3.0 API changes
17 * improve EAP-TLS support for TLSv1.3
18 * EAP-SIM/AKA: support IMSI privacy
20 * improve 4-way handshake operations
21 - discard unencrypted EAPOL frames in additional cases
22 - use Secure=1 in message 2 during PTK rekeying
25 * support new SAE AKM suites with variable length keys
26 * support new AKM for 802.1X/EAP with SHA384
27 * improve cross-AKM roaming with driver-based SME/BSS selection
29 - extend support for secure ranging
30 - allow PASN implementation to be used with external programs for
31 Wi-Fi Aware
32 * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
33 - this is based on additional details being added in the IEEE 802.11
35 - the new implementation is not backwards compatible, but PMKSA
36 caching with FT-EAP was, and still is, disabled by default
37 * support a pregenerated MAC (mac_addr=3) as an alternative mechanism
38 for using per-network random MAC addresses
39 * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
42 * extend SCS support for QoS Characteristics
43 * extend MSCS support
44 * support unsynchronized service discovery (USD)
45 * add support for explicit SSID protection in 4-way handshake
46 (a mitigation for CVE-2023-52424; disabled by default for now, can be
48 - in addition, verify SSID after key setup when beacon protection is
53 2022-01-16 - v2.10
55 - improved protection against side channel attacks
56 [https://w1.fi/security/2022-1/]
57 - added support for the hash-to-element mechanism (sae_pwe=1 or
60 - fixed PMKSA caching with OKC
61 - added support for SAE-PK
62 * EAP-pwd changes
63 - improved protection against side channel attacks
64 [https://w1.fi/security/2022-1/]
67 [https://w1.fi/security/2021-1/]
70 [https://w1.fi/security/2020-2/]
72 [https://w1.fi/security/2019-7/]
73 * added support for using OpenSSL 3.0
75 support cases with very large certificates)
76 * fixed various issues in experimental support for EAP-TEAP peer
77 * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
79 * added support for SAE (WPA3-Personal) AP mode configuration
80 * added P2P support for EDMG (IEEE 802.11ay) channels
81 * fixed EAP-FAST peer with TLS GCM/CCM ciphers
83 * dropped support for libnl 1.1
84 * added support for nl80211 control port for EAPOL frame TX/RX
88 * added support for Beacon protection
89 * added support for Extended Key ID for pairwise keys
90 * removed WEP support from the default build (CONFIG_WEP=y can be used
92 * added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
93 * added support for Transition Disable mechanism to allow the AP to
95 * extended D-Bus interface
96 * added support for PASN
97 * added a file-based backend for external password storage to allow
100 * added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
101 * added support for SCS, MSCS, DSCP policy
106 2019-08-07 - v2.9
108 - disable use of groups using Brainpool curves
109 - improved protection against side channel attacks
110 [https://w1.fi/security/2019-6/]
111 * EAP-pwd changes
112 - disable use of groups using Brainpool curves
113 - allow the set of groups to be configured (eap_pwd_groups)
114 - improved protection against side channel attacks
115 [https://w1.fi/security/2019-6/]
116 * fixed FT-EAP initial mobility domain association using PMKSA caching
122 * extended EAP-SIM/AKA fast re-authentication to allow use with FILS
123 * extended ca_cert_blob to support PEM format
125 * added support for EAP-SIM/AKA using anonymous@realm identity
128 * added experimental support for EAP-TEAP peer (RFC 7170)
129 * added experimental support for EAP-TLS peer with TLS v1.3
132 4-way handshake
135 2019-04-21 - v2.8
137 - added support for SAE Password Identifier
138 - changed default configuration to enable only groups 19, 20, 21
141 - do not regenerate PWE unnecessarily when the AP uses the
142 anti-clogging token mechanisms
143 - fixed some association cases where both SAE and FT-SAE were enabled
145 - started to prefer FT-SAE over SAE AKM if both are enabled
146 - started to prefer FT-SAE over FT-PSK if both are enabled
147 - fixed FT-SAE when SAE PMKSA caching is used
148 - reject use of unsuitable groups based on new implementation guidance
151 - minimize timing and memory use differences in PWE derivation
152 [https://w1.fi/security/2019-1/] (CVE-2019-9494)
153 * EAP-pwd changes
154 - minimize timing and memory use differences in PWE derivation
155 [https://w1.fi/security/2019-2/] (CVE-2019-9495)
156 - verify server scalar/element
157 [https://w1.fi/security/2019-4/] (CVE-2019-9499)
158 - fix message reassembly issue with unexpected fragment
159 [https://w1.fi/security/2019-5/]
160 - enforce rand,mask generation rules more strictly
161 - fix a memory leak in PWE derivation
162 - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
166 - do not indicate release number that is higher than the one
168 - added support for release number 3
169 - enable PMF automatically for network profiles created from
173 * added support for RSN operating channel validation
175 * added Multi-AP backhaul STA support
181 * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
183 * extended nl80211 Connect and external authentication to support
184 SAE, FT-SAE, FT-EAP-SHA384
189 * extended D-Bus interface with number of new properties
190 * fixed a regression in FT-over-DS with mac80211-based drivers
193 4-way handshake offload capability
194 * added support for random P2P Device/Interface Address use
198 * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
204 2018-12-02 - v2.7
207 [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
208 CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
209 CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
210 * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
211 [https://w1.fi/security/2018-1/] (CVE-2018-14526)
212 * added support for FILS (IEEE 802.11ai) shared key authentication
213 * added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
215 * added support for DPP (Wi-Fi Device Provisioning Protocol)
216 * added support for RSA 3k key case with Suite B 192-bit level
217 * fixed Suite B PMKSA caching not to update PMKID during each 4-way
219 * fixed EAP-pwd pre-processing with PasswordHashHash
220 * added EAP-pwd client support for salted passwords
225 - new macsec_linux driver interface support for the Linux
227 - number of fixes and extensions
228 * added support for external persistent storage of PMKSA cache
232 * added support for beacon report
234 * added support for randomizing local address for GAS queries
236 * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
238 * added SHA256-hash support for OCSP certificate matching
239 * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
240 * fixed a regression in RSN pre-authentication candidate selection
247 * added support for nl80211 to offload 4-way handshake into the driver
248 * added support for using wolfSSL cryptographic library
250 - added support for configuring SAE password separately of the
252 - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
257 - added support for Password Identifier
258 - fixed FT-SAE PMKID matching
260 - added support for fetching of Operator Icon Metadata ANQP-element
261 - added support for Roaming Consortium Selection element
262 - added support for Terms and Conditions
263 - added support for OSEN connection in a shared RSN BSS
264 - added support for fetching Venue URL information
265 * added support for using OpenSSL 1.1.1
267 - disabled PMKSA caching with FT since it is not fully functional
268 - added support for SHA384 based AKM
269 - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
270 BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
271 - fixed additional IE inclusion in Reassociation Request frame when
274 2016-10-02 - v2.6
276 [http://w1.fi/security/2015-6/] (CVE-2015-5310)
277 * fixed EAP-pwd last fragment validation
278 [http://w1.fi/security/2015-7/] (CVE-2015-5315)
279 * fixed EAP-pwd unexpected Confirm message processing
280 [http://w1.fi/security/2015-8/] (CVE-2015-5316)
282 [http://w1.fi/security/2016-1/] (CVE-2016-4476)
285 [http://w1.fi/security/2016-1/] (CVE-2016-4477)
286 * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case
287 * extended channel switch support for P2P GO
291 - generate proper AID for peer
292 - enable WMM by default
293 - add VHT support
294 - fix PMKID derivation
295 - improve robustness on various exchanges
296 - fix peer link counting in reconnect case
297 - improve mesh joining behavior
298 - allow DTIM period to be configured
299 - allow HT to be disabled (disable_ht=1)
300 - add MESH_PEER_ADD and MESH_PEER_REMOVE commands
301 - add support for PMKSA caching
302 - add minimal support for SAE group negotiation
303 - allow pairwise/group cipher to be configured in the network profile
304 - use ieee80211w profile parameter to enable/disable PMF and derive
307 - fix AEK and MTK derivation
308 - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close
309 - note: these changes are not fully backwards compatible for secure
312 * added support for requesting and fetching arbitrary ANQP-elements
313 without internal support in wpa_supplicant for the specific element
316 - filter control characters in group client device names to be
318 - support VHT 80+80 MHz and 160 MHz
319 - indicate group completion in P2P Client role after data association
321 - improve group-join operation to use SSID, if known, to filter BSS
323 - added optional ssid=<hexdump> argument to P2P_CONNECT for join case
324 - added P2P_GROUP_MEMBER command to fetch client interface address
326 - fix follow-on PD Response behavior
327 - fix PD Response generation for unknown peer
328 - fix persistent group reporting
329 - add channel policy to PD Request
330 - add group SSID to the P2PS-PROV-DONE event
331 - allow "P2P_CONNECT <addr> p2ps" to be used without specifying the
334 - support for OCSP stapling
335 - support building of h20-osu-client
336 * D-Bus
337 - add ExpectDisconnect()
338 - add global config parameters as properties
339 - add SaveConfig()
340 - add VendorElemAdd(), VendorElemGet(), VendorElemRem()
341 * fixed Suite B 192-bit AKM to use proper PMK length
346 * added option to reopen debug log (e.g., to rotate the file) upon
348 * EAP-pwd: added support for Brainpool Elliptic Curves
351 * fixed FTIE generation for 4-way handshake after FT protocol run
355 * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh
360 - do not verify CA certificates when ca_cert is not specified
361 - support validating server certificate hash
362 - support SHA384 and SHA512 hashes
363 - add signature_algorithms extension into ClientHello
364 - support TLS v1.2 signature algorithm with SHA384 and SHA512
365 - support server certificate probing
366 - allow specific TLS versions to be disabled with phase2 parameter
367 - support extKeyUsage
368 - support PKCS #5 v2.0 PBES2
369 - support PKCS #5 with PKCS #12 style key decryption
370 - minimal support for PKCS #12
371 - support OCSP stapling (including ocsp_multi)
373 - support OpenSSL 1.1 API changes
374 - drop support for OpenSSL 0.9.8
375 - drop support for OpenSSL 1.0.0
376 * added support for multiple schedule scan plans (sched_scan_plans)
377 * added support for external server certificate chain validation
384 * added command for retrieving HS 2.0 icons with in-memory storage
386 RX-HS20-ICON event)
387 * enabled ACS support for AP mode operations with wpa_supplicant
388 * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server
390 * EAP-TTLS: fixed success after fragmented final Phase 2 message
393 * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE)
395 - add support for full station state operations
396 - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled
397 - add NL80211_ATTR_PREV_BSSID with Connect command
398 - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
400 * added initial MBO support; number of extensions to WNM BSS Transition
402 * added support for PBSS/PCP and P2P on 60 GHz
403 * Interworking: add credential realm to EAP-TLS identity
404 * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set
405 * HS 2.0: add support for configuring frame filters
408 * started to ignore pmf=1/2 parameter for non-RSN networks
411 * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED
414 - add gas_address3 configuration parameter to control Address 3
418 2015-09-27 - v2.5
420 [http://w1.fi/security/2015-1/] (CVE-2015-1863)
422 [http://w1.fi/security/2015-2/] (CVE-2015-4141)
424 [http://w1.fi/security/2015-3/] (CVE-2015-4142)
425 * fixed EAP-pwd peer missing payload length validation
426 [http://w1.fi/security/2015-4/]
427 (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
429 [http://w1.fi/security/2015-5/]
431 - added VHT configuration for IBSS
432 - fixed vendor command handling to check OUI properly
433 - allow driver-based roaming to change ESS
436 * removed unmaintained and not yet completed SChannel/CryptoAPI support
438 include all cases if any of the values are non-zero
439 * added support for dynamically creating/removing a virtual interface
441 * added support for hashed password (NtHash) in EAP-pwd peer
442 * added support for memory-only PSK/passphrase (mem_only_psk=1 and
443 CTRL-REQ/RSP-PSK_PASSPHRASE)
445 - optimize scan frequencies list when re-joining a persistent group
446 - fixed number of sequences with nl80211 P2P Device interface
447 - added operating class 125 for P2P use cases (this allows 5 GHz
450 - number of fixes to P2PS functionality
451 - do not allow 40 MHz co-ex PRI/SEC switch to force MCC
452 - extended support for preferred channel listing
453 * D-Bus:
454 - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface
455 - fixed PresenceRequest to use group interface
456 - added new signals: FindStopped, WPS pbc-overlap,
458 - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient
459 - added manufacturer info
460 * added EAP-EKE peer support for deriving Session-Id
463 * added support to request a scan with specific SSIDs with the SCAN
465 * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2
469 * added support for Brainpool Elliptic Curves with SAE
470 * added support for CCMP-256 and GCMP-256 as group ciphers with FT
476 * fixed key derivation for Suite B 192-bit AKM (this breaks
481 2015-03-15 - v2.4
487 - add new=<0/1> flag to P2P-DEVICE-FOUND events
488 - add passive channels in invitation response from P2P Client
489 - enable nl80211 P2P_DEVICE support by default
490 - fix regresssion in disallow_freq preventing search on social
492 - fix regressions in P2P SD query processing
493 - try to re-invite with social operating channel if no common channels
495 - allow cross connection on parent interface (this fixes number of
497 - add support for P2P services (P2PS)
498 - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to
500 * increase postponing of EAPOL-Start by one second with AP/GO that
503 * add support for PMKSA caching with SAE
504 * add support for control mesh BSS (IEEE 802.11s) operations
505 * fixed number of issues with D-Bus P2P commands
509 EAPOL-Key descriptor version 3 when the station supports PMF even if
514 * add support for Suite B (128-bit and 192-bit level) key management and
516 * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS)
518 * add support for neighbor report
519 * add support for link measurement
520 * fixed expiration of BSS entry with all-zeros BSSID
524 * add support for EAP Re-Authentication Protocol (ERP)
525 * fixed EAP-IKEv2 fragmentation reassembly
527 * set stdout to be line-buffered
529 * add support for MAC address randomization in scans with nl80211
532 * add support for domain_suffix_match with GnuTLS
533 * add OCSP stapling client support with GnuTLS
537 (CTRL-EVENT-EAP-PEER-ALT)
540 * enable AP/GO mode HT Tx STBC automatically based on driver support
541 * add ANQP-QUERY-DONE event to provide information on ANQP parsing
548 HT/VHT/specific TX rate support)
559 2014-10-09 - v2.3
562 when parsing invalid information for P2P-DEVICE-FOUND
563 * extended P2P and GAS query operations to support drivers that have
564 maximum remain-on-channel time below 1000 ms (500 ms is the current
568 * improved P2P operating channel selection for various multi-channel
576 * fixed EAP-AKA' message parser with multiple AT_KDF attributes
581 * modified D-Bus interface for P2P peers/groups
589 * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value
591 configuration to support external configuration
597 * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that
598 MS-CHAP2-Success is required to be present regardless of
604 * modified WPS to merge mixed-WPA/WPA2 credentials from a single session
609 * added experimental support for using temporary, random local MAC
613 * added D-Bus interface for setting/clearing WFD IEs
615 * modified -m<conf> configuration file to be used only for the P2P
616 non-netdev management device and do not load this for the default
622 (CVE-2014-3686)
624 2014-06-04 - v2.2
627 - BSSID/frequency hint for driver-based BSS selection
628 - fix tearing down WDS STA interfaces
629 - support vendor specific driver command
631 - GO interface teardown optimization
632 - allow beacon interval to be configured for IBSS
633 - add SHA256-based AKM suites to CONNECT/ASSOCIATE commands
636 * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
637 this fixes password with include UTF-8 characters that use
638 three-byte encoding EAP methods that use NtPasswordHash
640 e.g., when rfkill blocking happens during scanning or when
641 scan-for-auth workaround is used
643 - enable enable U-APSD on GO automatically if the driver indicates
644 support for this
645 - fixed some service discovery cases with broadcast queries not being
647 - fixed Probe Request frame triggering invitation to trigger only a
650 - fixed a potential NULL pointer dereference crash when processing an
652 - add optional configuration file for the P2P_DEVICE parameters
653 - optimize scan for GO during persistent group invocation
654 - fix possible segmentation fault when PBC overlap is detected while
656 - improve GO Negotiation robustness by allowing GO Negotiation
658 - do use freed memory on device found event when P2P NFC
662 * added support for OCSP stapling to validate AAA server certificate
665 - prefer the last added network in Interworking connection to make the
667 - roaming partner configuration (roaming_partner within a cred block)
668 - support Hotspot 2.0 Release 2
680 required behavior (no more than 10 retries within a 10-minute
683 OMA-DM protocols) (hs20/client/*)
684 - fixed GAS indication for additional comeback delay with status
686 - extend ANQP_GET to accept Hotspot 2.0 subtypes
689 - add control interface events CRED-ADDED <id>,
690 CRED-MODIFIED <id> <field>, CRED-REMOVED <id>
691 - add "GET_CRED <id> <field>" command
692 - enable FT for the connection automatically if the AP advertises
693 support for this
694 - fix a case where auto_interworking=1 could end up stopping scanning
698 - add SHA256-based cipher suites
699 - add DHE-RSA cipher suites
700 - fix X.509 validation of PKCS#1 signature to check for extra data
701 * fixed PTK derivation for CCMP-256 and GCMP-256
702 * added "reattach" command for fast reassociate-back-to-same-BSS
708 * D-Bus interface extensions/fixes
709 - make p2p_no_group_iface configurable
710 - declare ServiceDiscoveryRequest method properly
711 - export peer's device address as a property
712 - make reassociate command behave like the control interface one,
716 * fixed OBSS scan result processing for 20/40 MHz co-ex report
717 * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
722 * EAP-pwd fixes
723 - fragmentation of PWD-Confirm-Resp
724 - fix memory leak when fragmentation is used
725 - fix possible segmentation fault on EAP method deinit if an invalid
727 * added MACsec/IEEE Std 802.1X-2010 PAE implementation (currently
729 * fixed EAP-SIM counter-too-small message
733 * added support for using epoll in eloop (CONFIG_ELOOP_EPOLL=y)
738 * fixed off-by-one bounds checking in printf_encode()
739 - this could result in some control interface ATTACH command cases
741 * fixed EAPOL-Key exchange when GCMP is used with SHA256-based AKM
744 2014-02-04 - v2.1
745 * added support for simultaneous authentication of equals (SAE) for
746 stronger password-based authentication with WPA2-Personal
748 - avoid unnecessary Dialog Token value changes during retries
749 - avoid more concurrent scanning cases during full group formation
751 - do not use potentially obsolete scan result data from driver
753 - avoid undesired re-starting of GO negotiation based on Probe
755 - increase GO Negotiation and Invitation timeouts to address busy
757 e.g., due to power saving
758 - P2P Device interface type
761 * added support for optional per-device PSK assignment by P2P GO
765 a client from a group if per-device PSKs are used
769 - VHT configuration for nl80211
770 - MFP (IEEE 802.11w) information for nl80211 command API
771 - support split wiphy dump
772 - FT (IEEE 802.11r) with driver-based SME
773 - use advertised number of supported concurrent channels
774 - QoS Mapping configuration
783 without executing roaming/network re-selection on scan results
784 * added Session-Id derivation for EAP peer methods
797 * added support for BSS Transition Management
799 control interface connection to perform per-interface commands;
802 * fixed OKC-based PMKSA cache entry clearing
804 * added support for using OCSP stapling to validate server certificate
806 * added EAP-EKE peer
809 EAP-TLS) to specify additional constraint for the server certificate
811 * added support for external SIM/USIM processing in EAP-SIM, EAP-AKA,
812 and EAP-AKA' (CTRL-REQ-SIM and CTRL-RSP-SIM commands over control
816 * added D-Bus methods for TDLS
818 - "SCAN freq=<freq list>" can be used to specify which channels are
819 scanned (comma-separated frequency ranges in MHz)
820 - "SCAN passive=1" can be used to request a passive scan (no Probe
822 - "SCAN use_id" can be used to request a scan id to be returned and
824 - "SCAN only_new=1" can be used to request the driver/cfg80211 to
827 - these optional arguments to the SCAN command can be combined with
830 - avoid concurrent operations requiring full control of the radio when
832 - do not use results for internal roaming decision
837 for off-channel functionality
838 - reduce issues with concurrent operations that try to control which
840 - allow external programs to request exclusive radio control in a way
842 * added support for using Protected Dual of Public Action frames for
844 * added support for WPS+NFC updates and P2P+NFC
845 - improved protocol for WPS
846 - P2P group formation/join based on NFC connection handover
847 - new IPv4 address assignment for P2P groups (ip_addr_* configuration
849 - option to fetch and report alternative carrier records for external
853 2013-01-12 - v2.0
854 * removed Qt3-based wpa_gui (obsoleted by wpa_qui-qt4)
861 WPA/WPA2-Personal configuration
863 - better coordination of concurrent scan and P2P search operations
864 - avoid concurrent remain-on-channel operation requests by canceling
866 - reject operations that would require multi-channel concurrency if
867 the driver does not support it
868 - add parameter to select whether STA or P2P connection is preferred
869 if the driver cannot support both at the same time
870 - allow driver to indicate channel changes
871 - added optional delay=<search delay in milliseconds> parameter for
873 - use 500 ms p2p_find search delay by default during concurrent
875 - allow all channels in GO Negotiation if the driver supports
876 multi-channel concurrency
881 - replace monitor interface with nl80211 commands for AP mode
882 - additional information for driver-based AP SME
883 - STA entry authorization in RSN IBSS
884 * EAP-pwd:
885 - fixed KDF for group 21 and zero-padding
886 - added support for fragmentation
887 - increased maximum number of hunting-and-pecking iterations
895 * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y)
902 * added "wpa_cli status wps" command to fetch WPA2-Personal passhrase
904 * EAP-AKA: keep pseudonym identity across EAP exchanges to match EAP-SIM
909 - try to avoid extra scans when the needed information is available
911 * added group ifname to P2P-PROV-DISC-* events
912 * added P2P Device Address to AP-STA-DISCONNECTED event and use
913 p2p_dev_addr parameter name with AP-STA-CONNECTED
919 - accept 0x67 (Wrong length) as a response to READ RECORD to fix
921 - try to read MNC length from SIM/USIM
922 - build realm according to 3GPP TS 23.003 with identity from the SIM
923 - allow T1 protocol to be enabled
924 * added more WPS and P2P information available through D-Bus
926 - extra waits to get ACK frames through
927 - longer timeouts for cases where deployed devices have been
929 - more retries for some P2P frames
930 - handle race conditions in GO Negotiation start by both devices
931 - ignore unexpected GO Negotiation Response frame
932 * added support for libnl 3.2 and newer
937 * added P2P-FIND-STOPPED ctrl_iface event
939 and driver-based BSS selection
944 * EAP-SIM: fixed AT_COUNTER_TOO_SMALL use
945 * EAP-SIM/AKA: append realm to pseudonym identity
946 * EAP-SIM/AKA: store pseudonym identity in network configuration to
949 * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this
951 * added support for WFA Hotspot 2.0
952 - GAS/ANQP to fetch network information
953 - credential configuration and automatic network selections based on
958 * adjusted bgscan_simple fast-scan backoff to avoid too frequent
960 * removed ctrl_iface event on P2P PD Response in join-group case
966 * added optional RANGE=ALL|N1-N2 option for ctrl_iface BSS command to
974 * added support for advertising immediate availability of a WPS
978 * EAP-TTLS: fixed peer challenge generation for MSCHAPv2
981 * added support for sending debug info to Linux tracing (-T on command
983 * added support for using Deauthentication reason code 3 as an
988 (EAP-PEAP/TLS, EAP-TTLS/TLS, EAP-FAST/TLS) to support different CA
991 GO Negotiation vs. join-a-group selection
996 * added support for OBSS scan requests and 20/40 BSS coexistence reports
1000 * added initial support for WNM operations
1001 - Keep-alive based on BSS max idle period
1002 - WNM-Sleep Mode
1003 - minimal BSS Transition Management processing
1005 - autoscan_periodic and autoscan_exponential modules
1007 - added initial support NFC connection handover
1008 - removed obsoleted WPS_OOB command (including support for deprecated
1011 * wpa_cli: added optional support for controlling wpa_supplicant
1012 remotely over UDP (CONFIG_CTRL_IFACE=udp-remote) for testing purposes
1014 * changed SSID output to use printf-escaped strings instead of masking
1015 of non-ASCII characters
1016 - SSID can now be configured in the same format: ssid=P"abc\x00test"
1023 - "make fips" with CONFIG_FIPS=y to build wpa_supplicant with the
1025 - replace low level OpenSSL AES API calls to use EVP
1026 - use OpenSSL keying material exporter when possible
1027 - do not export TLS keys in FIPS mode
1028 - remove MD5 from CONFIG_FIPS=y builds
1029 - use OpenSSL function for PKBDF2 passphrase-to-PSK
1030 - use OpenSSL HMAC implementation
1031 - mix RAND_bytes() output into random_get_bytes() to force OpenSSL
1033 - use OpenSSL CMAC implementation
1035 - a workaround for servers that do not support TLS extensions that
1037 - tls_disable_session_ticket=1
1038 - automatically disable TLS Session Ticket extension by default when
1039 using EAP-TLS/PEAP/TTLS (i.e., only use it with EAP-FAST)
1040 * changed VENDOR-TEST EAP method to use proper private enterprise number
1044 * added support for configuring GCMP cipher for IEEE 802.11ad
1045 * added support for Wi-Fi Display extensions
1046 - WFD_SUBELEMENT_SET ctrl_iface command to configure WFD subelements
1047 - SET wifi_display <0/1> to disable/enable WFD support
1048 - WFD service discovery
1049 - an external program is needed to manage the audio/video streaming
1052 - use the internal BSS table instead of raw scan results
1053 - allow unnecessary scans to be skipped if fresh information is
1054 available (e.g., after GAS/ANQP round for Interworking)
1055 * added support for 256-bit AES with internal TLS implementation
1060 * re-enable the networks disabled during WPS operations
1066 compressed domain name format and support multiple Bonjour PTR matches
1078 * added basic support for 60 GHz band
1083 2012-05-10 - v1.0
1084 * bsd: Add support for setting HT values in IFM_MMASK.
1093 * Add systemd support.
1094 * Add support for setting the syslog facility from the config file
1096 * atheros: Add support for IEEE 802.11w configuration.
1100 the data connection is not working properly, e.g., due to the STA
1104 - Support GTK rekey offload.
1105 - Support PMKSA candidate events. This adds support for RSN
1106 pre-authentication with nl80211 interface and drivers that handle
1109 - Add a DBus signal for EAP SM requests, emitted on the Interface
1111 - Export max scan ssids supported by the driver as MaxScanSSID.
1112 - Add signal Certification for information about server certification.
1113 - Add BSSExpireAge and BSSExpireCount interface properties and
1114 support set/get, which allows for setting BSS cache expiration age
1116 - Add ConfigFile to AddInterface properties.
1117 - Add Interface.Country property and support to get/set the value.
1118 - Add DBus property CurrentAuthMode.
1119 - P2P DBus API added.
1120 - Emit property changed events (for property BSSs) when adding/
1122 - Treat '' in SSIDs of Interface.Scan as a request for broadcast
1124 - Add DBus getter/setter for FastReauth.
1125 - Raise PropertiesChanged on org.freedesktop.DBus.Properties.
1127 - Send AP-STA-DISCONNECTED event when an AP disconnects a station
1129 - Make second argument to set command optional. This can be used to
1131 - Add signal_poll command.
1132 - Add bss_expire_age and bss_expire_count commands to set/get BSS
1134 - Add ability to set scan interval (the time in seconds wpa_s waits
1137 - Add event CTRL-EVENT-ASSOC-REJECT for association rejected.
1138 - Add command get version, that returns wpa_supplicant version string.
1139 - Add command sta_autoconnect for disabling automatic reconnection
1141 - Setting bssid parameter to an empty string "" or any can now be
1144 - Add tdls_testing command to add a special testing feature for
1147 - For interworking, add wpa_cli commands interworking_select,
1149 - Many P2P commands were added. See README-P2P.
1150 - Many WPS/WPS ER commands - see WPS/WPS ER sections for details.
1151 - Allow set command to change global config parameters.
1152 - Add log_level command, which can be used to display the current
1154 - Add note command, which can be used to insert notes to the debug
1156 - Add internal line edit implementation. CONFIG_WPA_CLI_EDIT=y
1158 line editing and history support. This can be used as a replacement
1164 * wext: Increase scan timeout from 5 to 10 seconds.
1168 - Add wpa_cli wps_pin get command for generating random PINs. This can
1171 - Set RF bands based on driver capabilities, instead of hardcoding
1173 - Add mechanism for indicating non-standard WPS errors.
1174 - Add CONFIG_WPS_REG_DISABLE_OPEN=y option to disable open networks
1176 - Add wps_ap_pin cli command for wpa_supplicant AP mode.
1177 - Add wps_check_pin cli command for processing PIN from user input.
1180 - Cancel WPS operation on PBC session overlap detection.
1181 - New wps_cancel command in wpa_cli will cancel a pending WPS
1183 - wpa_cli action: Add WPS_EVENT_SUCCESS and WPS_EVENT_FAIL handlers.
1184 - Trigger WPS config update on Manufacturer, Model Name, Model
1186 - Fragment size is now configurable for EAP-WSC peer. Use
1188 - Disable AP PIN after 10 consecutive failures. Slow down attacks on
1189 failures up to 10.
1190 - Allow AP to start in Enrollee mode without AP PIN for probing, to
1192 - Add Config Error into WPS-FAIL events to provide more info to the
1194 - Label and Display config methods are not allowed to be enabled
1197 - When controlling multiple interfaces:
1198 - apply WPS commands to all interfaces configured to use WPS
1199 - apply WPS config changes to all interfaces that use WPS
1200 - when an attack is detected on any interface, disable AP PIN on
1203 - Add special AP Setup Locked mode to allow read only ER.
1206 - Show SetSelectedRegistrar events as ctrl_iface events
1207 - Add wps_er_set_config to enroll a network based on a local
1208 network configuration block instead of having to (re-)learn the
1210 - Allow AP filtering based on IP address, add ctrl_iface event for
1212 * WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2)
1213 - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool
1215 - Add build option CONFIG_WPS_STRICT to allow disabling of WPS
1217 - Add support for AuthorizedMACs attribute.
1219 - Propagate TDLS related nl80211 capability flags from kernel and
1220 add them as driver capability flags. If the driver doesn't support
1223 - Allow TDLS to be disabled at runtime (mostly for testing).
1225 - Honor AP TDLS settings that prohibit/allow TDLS.
1226 - Add a special testing feature for changing TDLS behavior. Use
1229 - Add support for TDLS 802.11z.
1233 * Interworking: Support added for 802.11u. Enable in .config with
1235 for interworking. wpa_cli commands added to support this are
1238 * Android: Add build and runtime support for Android wpa_supplicant.
1243 -ddd to enable.
1244 * TLS: Add support for tls_disable_time_checks=1 in client mode.
1246 - Add support for TLS v1.1 (RFC 4346). Enable with build parameter
1248 - Add domainComponent parser for X.509 names.
1249 * Linux: Add RFKill support by adding an interface state "disabled".
1253 * Solaris: Add support for wired 802.1X client.
1254 * Wi-Fi Direct support. See README-P2P for more information.
1257 2010-04-18 - v0.7.2
1265 * bsd: Cleaned up driver wrapper and added various low-level
1267 * wpa_gui-qt4: do not show too frequent WPS AP available events as
1270 * EAP-TNC: add Flags field into fragment acknowledgement (needed to
1275 (CFLAGS += -DCONFIG_WPA_CLI_FORK=y in .config to enable this)
1281 * nl80211: add support for IEEE 802.11r/FT protocol (both over-the-air
1282 and over-the-DS)
1288 ESS quite a bit, e.g., with bgscan="simple:30:-45:300" in the network
1294 * wpa_gui-qt4: more complete support for translating the GUI with
1300 2010-01-16 - v0.7.1
1302 is not fully backwards compatible, so out-of-tree driver wrappers
1309 * dbus: major design changes in the new D-Bus API
1311 * nl80211: added support for IBSS networks
1312 * added internal debugging mechanism with backtrace support and memory
1320 * wpa_gui-qt4: update Peers dialog information more dynamically while
1323 * driver_wext: Added cfg80211-specific optimization to avoid some
1326 2009-11-21 - v0.7.0
1328 configurable with a new command line options (-G<seconds>)
1332 (e.g., -Dnl80211,wext); the first one that is able to initialize the
1334 * added support for multiple SSIDs per scan request to optimize
1336 SSIDs); this requires driver support and can currently be used only
1338 * added support for WPS USBA out-of-band mechanism with USB Flash
1344 * added better support for drivers that allow separate authentication
1345 and association commands (e.g., mac80211-based Linux drivers with
1346 nl80211; SME in wpa_supplicant); this allows over-the-air FT protocol
1348 * fixed SHA-256 based key derivation function to match with the
1353 block; this can be used for open and WPA2-Personal networks
1356 * wpa_gui-qt4: added new Peers dialog to show information about peers
1358 * added support for WPS External Registrar functionality (configure APs
1359 and enroll new devices); can be used with wpa_gui-qt4 Peers dialog
1364 * driver_nl80211: multiple updates to provide support for new Linux
1366 * updated management frame protection to use IEEE Std 802.11w-2009
1369 * added support for NFC out-of-band mechanism with WPS
1372 * added preliminary support for IEEE 802.11r RIC processing
1373 * added support for specifying subset of enabled frequencies to scan
1377 supported only with -Dnl80211)
1379 association event and the following EAPOL-Key
1381 network-specific optimizations to be used to improve roaming within
1385 2009-01-06 - v0.6.7
1386 * added support for Wi-Fi Protected Setup (WPS)
1390 configure an AP); WPS support can be enabled by adding CONFIG_WPS=y
1394 manage WPS negotiation; see README-WPS for more details
1395 * added support for EAP-AKA' (draft-arkko-eap-aka-kdf)
1396 * added support for using driver_test over UDP socket
1400 * changed EAP-GPSK to use the IANA assigned EAP method type 51
1407 2008-11-23 - v0.6.6
1408 * added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA
1413 used to enforce frequent PTK rekeying, e.g., to mitigate some attacks
1419 * fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
1421 * updated OpenSSL code for EAP-FAST to use an updated version of the
1423 OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
1428 * added support (Linux only) for RoboSwitch chipsets (often found in
1434 2008-11-01 - v0.6.5
1435 * added support for SHA-256 as X.509 certificate digest when using the
1438 * added support for using SHA256-based stronger key derivation for WPA2
1442 * added support for configuring Phase 2 (inner/tunneled) authentication
1443 method with wpa_gui-qt4
1445 2008-08-10 - v0.6.4
1446 * added support for EAP Sequences in EAP-FAST Phase 2
1447 * added support for using TNC with EAP-FAST
1449 * added support for optional cryptobinding with PEAPv0
1450 * fixed the OpenSSL patches (0.9.8g and 0.9.9) for EAP-FAST to
1451 allow fallback to full handshake if server rejects PAC-Opaque
1452 * added fragmentation support for EAP-TNC
1453 * added support for parsing PKCS #8 formatted private keys into the
1463 2008-02-22 - v0.6.3
1465 previously used for configuring user identity and key for EAP-PSK,
1466 EAP-PAX, EAP-SAKE, and EAP-GPSK. 'identity' field is now used as the
1472 * removed '-w' command line parameter (wait for interface to be added,
1474 external mechanism (e.g., hotplug scripts) that start wpa_supplicant
1476 * updated FT support to use the latest draft, IEEE 802.11r/D9.0
1477 * added ctrl_iface monitor event (CTRL-EVENT-SCAN-RESULTS) for
1482 * fixed EAP-SIM not to include AT_NONCE_MT and AT_SELECTED_VERSION
1483 attributes in EAP-SIM Start/Response when using fast reauthentication
1488 2008-01-01 - v0.6.2
1489 * added support for Makefile builds to include debug-log-to-a-file
1490 functionality (CONFIG_DEBUG_FILE=y and -f<path> on command line)
1491 * fixed EAP-SIM and EAP-AKA message parser to validate attribute
1495 changed and various interfaces (e.g., EAP) is not compatible with old
1497 * added support for protecting EAP-AKA/Identity messages with
1499 * added support for protected result indication with AT_RESULT_IND for
1500 EAP-SIM and EAP-AKA (phase1="result_ind=1")
1503 channels (e.g., madwifi with dual-band cards); wpa_supplicant is now
1506 e.g., in cases where wpa_supplicant and madwifi driver ended up in
1511 * added support for privilege separation (run only minimal part of
1513 non-root process); see 'Privilege separation' in README for details;
1517 elements to make it easier to support new IEs; old get_scan_result()
1522 * Qt4 version of wpa_gui (wpa_gui-qt4 subdirectory) is now native Qt4
1528 http://w1.fi/wpa_supplicant/qt4/wpa_gui-qt433-windows-dll.zip
1529 * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt);
1532 2007-11-24 - v0.6.1
1533 * added support for configuring password as NtPasswordHash
1534 (16-byte MD4 hash of password) in hash:<32 hex digits> format
1535 * added support for fallback from abbreviated TLS handshake to
1536 full handshake when using EAP-FAST (e.g., due to an expired
1537 PAC-Opaque)
1538 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
1539 draft (draft-ietf-emu-eap-gpsk-07.txt)
1540 * added support for drivers that take care of RSN 4-way handshake
1545 driver to take care of the 4-way handshake
1547 driver_wext.c with a driver that includes the TSF (e.g., iwl4965)
1549 * updated FT support to use the latest draft, IEEE 802.11r/D8.0
1553 * fixed a race condition with -W option (wait for a control interface
1556 * added support for processing TNCC-TNCS-Messages to report
1559 2007-05-28 - v0.6.0
1562 * added experimental IEEE 802.11r/D6.0 support
1563 * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
1564 * updated EAP-PSK to use the IANA-allocated EAP type 47
1565 * fixed EAP-PAX key derivation
1566 * fixed EAP-PSK bit ordering of the Flags field
1567 * fixed EAP-PEAP/TTLS/FAST to use the correct EAP identifier in
1571 * added support for fragmentation of outer TLS packets during Phase 2
1572 of EAP-PEAP/TTLS/FAST
1573 * fixed EAP-TTLS AVP parser processing for too short AVP lengths
1574 * added support for EAP-FAST authentication with inner methods that
1575 generate MSK (e.g., EAP-MSCHAPv2 that was previously only supported
1577 * added support for authenticated EAP-FAST provisioning
1578 * added support for configuring maximum number of EAP-FAST PACs to
1580 * added support for storing EAP-FAST PACs in binary format
1586 added support for EAP-FAST
1587 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
1588 draft (draft-ietf-emu-eap-gpsk-04.txt)
1589 * fixed EAP-AKA Notification processing to allow Notification to be
1593 * fixed EAP-TTLS implementation not to crash on use of freed memory
1595 * added support for EAP-TNC (Trusted Network Connect)
1596 (this version implements the EAP-TNC method and EAP-TTLS changes
1597 needed to run two methods in sequence (IF-T) and the IF-IMC and
1598 IF-TNCCS interfaces from TNCC)
1600 2006-11-24 - v0.5.6
1604 .config); this can be useful, e.g., if the target system does not
1611 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
1612 draft (draft-ietf-emu-eap-gpsk-01.txt)
1615 (Note: this requires driver support to work properly.)
1621 needed (this allows EAP-AKA to be used with USIM cards that do not
1623 * added support for reading 3G USIM AID from EF_DIR to allow EAP-AKA to
1624 be used with cards that do not support file selection based on
1626 * added support for matching the subjectAltName of the authentication
1627 server certificate against multiple name components (e.g.,
1629 * fixed EAP-SIM/AKA key derivation for re-authentication case (only
1636 2006-08-27 - v0.5.5
1637 * added support for building Windows version with UNICODE defined
1638 (wide-char functions)
1647 return -1 on error (e.g., connection lost); control interface clients
1655 - deprecated ctrl_interface_group variable (it may be removed in
1657 - allow both directory and group be configured with ctrl_interface
1659 - ctrl_interface=/var/run/wpa_supplicant is still supported for the
1661 * added support for controlling more than one interface per process in
1664 (e.g., MAC address of the wired interface) as the source address for
1665 EAPOL-Key frames; previously, that source address was used as the
1666 destination for EAPOL-Key frames and in key derivation; now, BSSID is
1669 * added a workaround for UDP-based control interface (which was used in
1679 correctly (e.g., with some USB WLAN adapters, e.g., Ralink RT2500
1683 network for enabled (e.g., after 'wpa_cli select_network 0')
1684 * winsvc: added support for configuring ctrl_interface parameters in
1690 * converted wpa_gui-qt4 subdirectory to use Qt4 specific project format
1692 2006-06-20 - v0.5.4
1694 * added support for doing MLME (IEEE 802.11 management frame
1696 stack (wireless-dev.git tree)
1701 will be re-enabled (if it was enabled originally) when wpa_supplicant
1705 library, e.g., to reduce total size requirement on systems that do
1724 if WPA-None (adhoc) is used (pairwise=NONE in that case)
1727 * added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
1728 draft-clancy-emu-eap-shared-secret-00.txt)
1733 at the end of RSN pre-authentication and added unregistration of
1736 * driver_ndis: added support for selecting AP based on BSSID
1739 * driver_ndis: added support for using NDISUIO instead of WinPcap for
1745 * changed NDIS driver naming to only include device GUID, e.g.,
1746 {7EE3EFE5-C165-472F-986D-F6FBEDFE8C8D}, instead of including WinPcap
1750 * driver_ndis: re-initialize driver interface is the adapter is removed
1751 and re-inserted [Bug 159]
1755 2006-04-27 - v0.5.3
1756 * fixed EAP-GTC response to include correct user identity when run as
1757 phase 2 method of EAP-FAST (i.e., EAP-FAST did not work in v0.5.2)
1759 networks (some NDIS drivers ignored this, but others, e.g., Broadcom,
1766 * config_winreg: added support for saving configuration data into
1768 * added support for controlling network device operational state
1772 * driver_wext: added support for WE-21 change to SSID configuration
1775 * added an optional driver_ops callback for MLME-SETPROTECTION.request
1777 * added support for EAP-SAKE (no EAP method number allocated yet, so
1778 this is using the same experimental type 255 as EAP-PSK)
1779 * added support for dynamically loading EAP methods (.so files) instead
1784 2006-03-19 - v0.5.2
1786 access for a network that has not enabled EAP-AKA
1787 * fixed EAP phase 2 Nak for EAP-{PEAP,TTLS,FAST} (this was broken in
1788 v0.5.1 due to the new support for expanded EAP types)
1789 * added support for generating EAP Expanded Nak
1792 a lot with, e.g., madwifi-ng driver)
1793 * added support for receiving EAPOL frames from a Linux bridge
1794 interface (-bbr0 on command line)
1795 * fixed EAPOL re-authentication for sessions that used PMKSA caching
1800 * fixed a memory leak in EAP-TTLS re-authentication
1804 if the driver does not support SIOCSIWAUTH
1806 2006-01-29 - v0.5.1
1807 * driver_test: added better support for multiple APs and STAs by using
1810 * added support for EAP expanded type (vendor specific EAP methods)
1813 * wpa_cli/wpa_gui: skip non-socket files in control directory when
1815 interface (e.g., a PID file could be in this directory, even though
1818 * fixed TLS library deinitialization after RSN pre-authentication not
1820 * driver_wext: Remove null-termination from SSID length if the driver
1828 EAP-SIM and EAP-AKA with real SIM/USIM card when using ap_scan=0 or
1831 2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
1836 * fixed EAP-SIM and EAP-AKA pseudonym and fast re-authentication to
1838 * fixed EAP-AKA to allow resynchronization within the same session
1845 (e.g., with the freely available Toolkit 2003 version or Visual
1848 * added support for using Windows registry for command line parameters
1858 * added better support for multiple control interface backends
1862 causing visible problems with pcsc-lite, but Windows Winscard.dll
1863 refused the previously used parameters; this fixes EAP-SIM and
1864 EAP-AKA authentication using SIM/USIM card under Windows
1867 for non-socket objects; this can be selected with
1869 * added support for selecting l2_packet implementation in .config
1876 * added support for EAP-FAST key derivation using other ciphers than
1877 RC4-128-SHA for authentication and AES128-SHA for provisioning
1878 * added support for configuring CA certificate as DER file and as a
1881 support for using PKCS#12 as a blob
1882 * tls_gnutls: added support for using PKCS#12 files; added support for
1884 * added support for loading trusted CA certificates from Windows
1889 easily on cross-compilation builds
1900 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
1909 (e.g., proto or key_mgmt) that the file parser would not accept
1913 * fixed EAP state machine to not discard EAP-Failure messages in many
1914 cases (e.g., during TLS handshake)
1917 * driver_madwifi: added support for madwifi-ng
1926 2005-10-27 - v0.4.6
1929 * added support for named configuration blobs in order to avoid having
1930 to use file system for external files (e.g., certificates);
1934 * fixed RSN pre-authentication (it was broken in the clean up of WPA
1939 to configure OpenSSL CA path, e.g., /etc/ssl/certs, for using the
1940 system-wide trusted CA list
1941 * added support for starting wpa_supplicant without a configuration
1942 file (-C argument must be used to set ctrl_interface parameter for
1943 this case; in addition, -p argument can be used to provide
1947 and removing network interfaces dynamically (-g command line argument
1951 - try to save configuration whenever something is modified
1952 - added WEP key configuration
1953 - added possibility to edit the current network configuration
1959 * delay sending initial EAPOL-Start couple of seconds to speed up
1963 2005-09-25 - v0.4.5
1967 generate, e.g., man pages
1970 Ethernet headers (e.g., network stack that includes IEEE 802.11
1972 * use receipt of EAPOL-Key frame as a lower layer success indication
1973 for EAP state machine to allow recovery from dropped EAP-Success
1980 * updated EAP-PSK to use draft 9 by default since this can now be
1981 tested with hostapd; removed support for draft 3, including
1986 * driver_wext: add support for WE-19
1987 * added support for multiple configuration backends (CONFIG_BACKEND
1990 * added support for updating configuration ('wpa_cli save_config');
1995 (e.g., 'wpa_cli get_network 0 ssid')
1997 2005-08-21 - v0.4.4
1998 * replaced OpenSSL patch for EAP-FAST support
1999 (openssl-tls-extensions.patch) with a more generic and correct
2002 to be able to build wpa_supplicant with EAP-FAST support)
2003 * added support for using Windows certificate store (through CryptoAPI)
2004 for client certificate and private key operations (EAP-TLS)
2008 * added Qt4 version of wpa_gui (wpa_gui-qt4 directory); this can be
2010 * allow non-WPA modes (e.g., IEEE 802.1X with dynamic WEP) to be used
2011 with drivers that do not support WPA
2012 * ndis_events: fixed Windows 2000 support
2013 * added support for enabling/disabling networks from the list of all
2016 * added support for adding and removing network from the current
2022 * added support for setting network configuration parameters through
2026 quoted area (e.g., "start"#end")
2028 i.e., not tunneled, EAP-Success to terminate session since; this can
2033 * wpa_gui: added preliminary support for adding new networks to the
2037 2005-06-26 - v0.4.3
2038 * removed interface for external EAPOL/EAP supplicant (e.g.,
2041 * driver_ndis: fixed WinPcap 3.0 support
2046 2005-06-12 - v0.4.2
2047 * driver_ipw: updated driver structures to match with ipw2200-1.0.4
2048 (note: ipw2100-1.1.0 is likely to require an update to work with
2050 * added support for using ap_scan=2 mode with multiple network blocks;
2055 * fixed a potential issue in RSN pre-authentication ending up using
2056 freed memory if pre-authentication times out
2057 * added support for matching alternative subject name extensions of the
2060 * driver_ndis: added support for IEEE 802.1X authentication with wired
2062 * added support for querying private key password (EAP-TLS) through the
2067 * EAP-PAX is now registered as EAP type 46
2068 * fixed EAP-PAX MAC calculation
2069 * fixed EAP-PAX CK and ICK key derivation
2070 * added support for using password with EAP-PAX (as an alternative to
2071 entering key with eappsk); SHA-1 hash of the password will be used as
2073 * added support for arbitrary driver interface parameters through the
2081 * driver_test: added support for testing hostapd with wpa_supplicant
2085 2005-05-22 - v0.4.1
2089 * driver_madwifi: added preliminary support for compiling against 'BSD'
2091 * added support for EAP-MSCHAPv2 password retries within the same EAP
2093 * added support for password changes with EAP-MSCHAPv2 (used when the
2095 * added support for reading additional certificates from PKCS#12 files
2099 * fixed a possible double free in EAP-TTLS fast-reauthentication when
2102 with "CTRL-EVENT-EAP-NOTIFICATION" prefix
2109 * added support for selecting a network from the list of all configured
2111 other networks; to re-enable, 'wpa_cli select_network any')
2112 * added support for getting scan results through control interface
2114 i.e., not tunneled, EAP-Success to terminate session since; this can
2117 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
2121 * fixed EAPOL-Key validation to drop packets with invalid Key Data
2124 * added support for wired authentication (IEEE 802.1X on wired
2131 * modified the EAP workaround that accepts EAP-Success with incorrect
2134 * added support for sending TLS alerts
2135 * added support for 'any' SSID wildcard; if ssid is not configured or
2136 is set to an empty string, any SSID will be accepted for non-WPA AP
2137 * added support for asking PIN (for SIM) from frontends (e.g.,
2141 * added support for using external devices (e.g., a smartcard) for
2142 private key operations in EAP-TLS (CONFIG_SMARTCARD=y in .config);
2144 - global: opensc_engine_path, pkcs11_engine_path, pkcs11_module_path
2145 - network: engine, engine_id, key_id
2146 * added experimental support for EAP-PAX
2147 * added monitor mode for wpa_cli (-a<path to a program to run>) that
2148 allows external commands (e.g., shell scripts) to be run based on
2149 wpa_supplicant events, e.g., when authentication has been completed
2151 -B (run in background), -P (write PID file); wpa_supplicant has a new
2152 command line argument (-W) that can be used to make it wait until a
2155 * added support for opportunistic WPA2 PMKSA key caching (disabled by
2157 * fixed RSN IE in 4-Way Handshake message 2/4 for the case where
2160 * added -P<pid file> argument for wpa_supplicant to write the current
2163 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)
2168 * fixed WPA/RSN IE verification in message 3 of 4-Way Handshake when
2169 using drivers that take care of AP selection (e.g., when using
2174 EAP-PEAP and EAP-TTLS
2181 2005-01-24 - v0.3.6
2185 2005-01-23 - v0.3.5
2187 when using WPA2-PSK
2188 * fixed non-WPA IEEE 802.1X to use the same authentication timeout as
2189 WPA with IEEE 802.1X (i.e., timeout 10 -> 70 sec to allow
2191 * fixed issues with 64-bit CPUs and SHA1 cleanup in previous version
2192 (e.g., segfault when processing EAPOL-Key frames)
2194 RSN pre-authentication; previously these were disabled and
2195 pre-authentication would fail if the used authentication server
2197 * added support for blacklisting APs that fail or timeout
2200 * fixed CA certificate loading after a failed EAP-TLS/PEAP/TTLS
2202 * allow EAP-PEAP/TTLS fast reauthentication only if Phase 2 succeeded
2206 2005-01-09 - v0.3.4
2207 * added preliminary support for IBSS (ad-hoc) mode configuration
2209 WPA-NONE, i.e., TKIP or CCMP with a fixed key (based on psk) and no
2214 supports WPA-None)
2218 2005-01-02 - v0.3.3
2219 * added optional support for GNU Readline and History Libraries for
2221 * cleaned up EAP state machine <-> method interface and number of
2223 EAP-Failure but waiting for timeout
2226 * added support for EAP-FAST (draft-cam-winget-eap-fast-00.txt);
2227 Note: This requires a patch for openssl to add support for TLS
2230 included in openssl-tls-extensions.patch.
2232 2004-12-19 - v0.3.2
2235 could cause a segfault when RSN pre-authentication was completed
2236 * added support for PMKSA caching with drivers that generate RSN IEs
2237 (e.g., NDIS); currently, this is only implemented in driver_ndis.c,
2239 ndiswrapper gets full support for RSN PMKSA caching
2242 * driver_ndis: added support for NDIS NdisMIncidateStatus() events
2246 * added support for driver interfaces to replace the interface name
2247 based on driver/OS specific mapping, e.g., in case of driver_ndis,
2250 * added support for CR+LF (Windows-style) line ends in configuration
2259 * added support for driver events to add PMKID candidates in order to
2269 * driver_ndis: added legacy WPA capability detection for non-WPA2
2271 * added support for setting static WEP keys for IEEE 802.1X without
2274 2004-12-12 - v0.3.1
2275 * added support for reading PKCS#12 (PFX) files (as a replacement for
2280 e.g., ndiswrapper and NDIS driver; this mode should allow such
2287 - driver_ndis.c driver interface (NDIS OIDs)
2288 - currently, this requires cygwin and WinPcap
2289 - small utility, win_if_list, can be used to get interface name
2298 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
2300 (a generic driver for Broadcom IEEE 802.11a/g cards)
2301 * wpa_cli: fixed parsing of -p <path> command line argument
2302 * PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS
2303 ACK, not tunneled EAP-Success (of which only the first byte was
2306 * PEAPv1: added support for terminating PEAP authentication on tunneled
2307 EAP-Success message; this can be configured by adding
2315 * added support for EAP-PSK (draft-bersani-eap-psk-03.txt)
2317 * added support for configuring list of allowed Phase 2 EAP types
2318 (for both EAP-PEAP and EAP-TTLS) instead of only one type
2319 * added support for configuring IEEE 802.11 authentication algorithm
2322 * added support for EAP-AKA (with UMTS SIM)
2324 random-looking errors for EAP-SIM
2325 * added support for EAP-SIM pseudonyms and fast re-authentication
2326 * added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS
2328 * added support for EAP-SIM with two challenges
2330 * added support for configuring DH/DSA parameters for an ephemeral DH
2331 key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters
2332 dh_file and dh_file2 (phase 2); this adds support for using DSA keys
2334 * added support for matching subject of the authentication server
2335 certificate with a substring when using EAP-TLS/PEAP/TTLS; new
2341 connection on some platforms (e.g., ARM)
2343 * added support for LEAP with WPA
2344 * added support for larger scan results report (old limit was 4 kB of
2347 * fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start
2353 default; all key information can be included with -K command line
2355 * added support for timestamping debug log messages (disabled by
2356 default, can be enabled with -t command line argument)
2357 * set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104
2360 bit can be in Beacon frames (e.g., ndiswrapper)
2367 - WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which
2370 - pass pointer to private data structure to all calls
2371 - the new API is not backwards compatible; all in-tree driver
2373 * added support for controlling multiple interfaces (radios) per
2375 command line (-c, -i, -D arguments) with -N as a separator
2376 (-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi)
2388 * added support for FreeBSD and driver interface for the BSD net80211
2394 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
2395 * resolved couple of interoperability issues with EAP-PEAPv1 and
2398 AP is using non-zero key index for the unicast key and key index zero
2401 re-authentication by allowing unencrypted EAPOL frames when not using
2405 currently, this can be used only for non-WPA IEEE 802.1X mode, but
2406 eventually, this is to be extended to support full WPA/WPA2 once
2407 Linux wireless extensions get support for this
2408 * added support for mode in which the driver is responsible for AP
2411 this mode can be used, e.g., with generic 'wext' driver interface to
2414 * driver_madwifi: fixed WPA2 configuration and scan_ssid=1 (e.g.,
2416 * added support for new EAP authentication methods:
2417 EAP-TTLS/EAP-OTP, EAP-PEAPv0/OTP, EAP-PEAPv1/OTP, EAP-OTP
2418 * added support for asking one-time-passwords from frontends (e.g.,
2422 password; this can be used with both EAP-OTP and EAP-GTC
2423 * changed wpa_cli to automatically re-establish connection so that it
2424 does not need to be re-started when wpa_supplicant is terminated and
2439 in /var/run/wpa_supplicant; this path can be overridden with -p option
2440 and an interface can be selected with -i option (i.e., in most common
2442 * added support for LEAP
2448 2004-06-20 - v0.2.3
2452 * small improvements/bug fixes for EAP-MSCHAPv2, EAP-PEAP, and
2458 * added support for madwifi driver (Atheros ar521x)
2464 EAP-SIM; this requires pcsc-lite
2465 * added support for ATMEL AT76C5XXx driver
2467 does not include key data in the EAPOL-Key frame (i.e., part of
2469 * added support for using plaintext and static WEP networks
2472 2004-05-31 - v0.2.2
2473 * added support for new EAP authentication methods:
2474 EAP-TTLS/EAP-MD5-Challenge
2475 EAP-TTLS/EAP-GTC
2476 EAP-TTLS/EAP-MSCHAPv2
2477 EAP-TTLS/EAP-TLS
2478 EAP-TTLS/MSCHAPv2
2479 EAP-TTLS/MSCHAP
2480 EAP-TTLS/PAP
2481 EAP-TTLS/CHAP
2482 EAP-PEAP/TLS
2483 EAP-PEAP/GTC
2484 EAP-PEAP/MD5-Challenge
2485 EAP-GTC
2486 EAP-SIM (not yet complete; needs GSM/SIM authentication interface)
2487 * added support for anonymous identity (to be used when identity is
2489 tunnel (e.g., with EAP-TTLS)
2490 * added event messages from wpa_supplicant to frontends, e.g., wpa_cli
2491 * added support for requesting identity and password information using
2492 control interface; in other words, the password for EAP-PEAP or
2493 EAP-TTLS does not need to be included in the configuration file since
2494 a frontand (e.g., wpa_cli) can ask it from the user
2495 * improved RSN pre-authentication to use a candidate list and process
2500 * use openssl/libcrypto for MD5 and SHA-1 when compiling wpa_supplicant
2501 with TLS support (this replaces the included implementation with
2504 * fixed WPA-PSK only mode when compiled without IEEE 802.1X support
2507 2004-05-06 - v0.2.1
2508 * added support for internal IEEE 802.1X (actually, IEEE 802.1aa/D6.1)
2510 - EAPOL state machines for Supplicant [IEEE 802.1aa/D6.1]
2511 - EAP peer state machine [draft-ietf-eap-statemachine-02.pdf]
2512 - EAP-MD5 (cannot be used with WPA-RADIUS)
2513 [draft-ietf-eap-rfc2284bis-09.txt]
2514 - EAP-TLS [RFC 2716]
2515 - EAP-MSCHAPv2 (currently used only with EAP-PEAP)
2516 - EAP-PEAP/MSCHAPv2 [draft-josefsson-pppext-eap-tls-eap-07.txt]
2517 [draft-kamath-pppext-eap-mschapv2-00.txt]
2520 - new configuration file options: eap, identity, password, ca_cert,
2522 - Xsupplicant is not required anymore, but it can be used by
2523 disabling the internal IEEE 802.1X Supplicant with -e command line
2525 - this code is not included in the default build; Makefile need to
2527 - EAP-TLS and EAP-PEAP require openssl libraries
2528 * use module prefix in debug messages (WPA, EAP, EAP-TLS, ..)
2529 * added support for non-WPA IEEE 802.1X mode with dynamic WEP keys
2531 EAPOL-Key frames instead of WPA key handshakes)
2532 * added support for IEEE 802.11i/RSN (WPA2)
2533 - improved PTK Key Handshake
2534 - PMKSA caching, pre-authentication
2536 EAPOL-Key packets (this fixes 'Invalid EAPOL-Key MIC when using
2537 TPTK' error from message 3 of 4-Way Handshake in case the AP
2538 includes extra data after the EAPOL-Key)
2541 - CLI example (wpa_cli) with interactive mode and command line
2543 - replaced SIGUSR1 status/statistics with the new control interface
2545 - .config file for make
2546 - driver interfaces (hostap, hermes, ..)
2547 - EAPOL/EAP functions
2549 2004-02-15 - v0.2.0