ChangeLog for hostapd

2015-09-27 - v2.5
	* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
	  [http://w1.fi/security/2015-2/] (CVE-2015-4141)
	* fixed WMM Action frame parser
	  [http://w1.fi/security/2015-3/] (CVE-2015-4142)
	* fixed EAP-pwd server missing payload length validation
	  [http://w1.fi/security/2015-4/]
	  (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145)
	* fixed validation of WPS and P2P NFC NDEF record payload length
	  [http://w1.fi/security/2015-5/]
	* nl80211:
	  - fixed vendor command handling to check OUI properly
	* fixed hlr_auc_gw build with OpenSSL
	* hlr_auc_gw: allow Milenage RES length to be reduced
	* disable HT for a station that does not support WMM/QoS
	* added support for hashed password (NtHash) in EAP-pwd server
	* fixed and extended dynamic VLAN cases
	* added EAP-EKE server support for deriving Session-Id
	* set Acct-Session-Id to a random value to make it more likely to be
	  unique even if the device does not have a proper clock
	* added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
	* modified SAE routines to be more robust and PWE generation to be
	  stronger against timing attacks
	* added support for Brainpool Elliptic Curves with SAE
	* increased maximum value accepted for cwmin/cwmax
	* added support for CCMP-256 and GCMP-256 as group ciphers with FT
	* added Fast Session Transfer (FST) module
	* removed
	  optional fields from RSNE when using FT with PMF
	  (workaround for interoperability issues with iOS 8.4)
	* added EAP server support for TLS session resumption
	* fixed key derivation for Suite B 192-bit AKM (this breaks
	  compatibility with the earlier version)
	* added mechanism to track unconnected stations and do minimal band
	  steering
	* a number of small fixes

2015-03-15 - v2.4
	* allow OpenSSL cipher configuration to be set for internal EAP server
	  (openssl_ciphers parameter)
	* fixed a number of small issues based on hwsim test case failures and
	  static analyzer reports
	* fixed Accounting-Request to not include duplicated Acct-Session-Id
	* add support for Acct-Multi-Session-Id in RADIUS Accounting messages
	* add support for PMKSA caching with SAE
	* add support for generating BSS Load element (bss_load_update_period)
	* fixed channel switch from VHT to HT
	* add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events
	* add support for learning STA IPv4/IPv6 addresses and configuring
	  ProxyARP support
	* dropped support for the madwifi driver interface
	* add support for Suite B (128-bit and 192-bit level) key management and
	  cipher suites
	* fixed a regression with driver=wired
	* extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
	* add BSS_TM_REQ ctrl_iface command to send BSS Transition Management
	  Request frames and BSS-TM-RESP event to indicate response to such
	  frame
	* add support for EAP Re-Authentication Protocol (ERP)
	* fixed AP IE in EAPOL-Key 3/4 when both WPA and FT were enabled
	* fixed a regression in HT 20/40 coex Action frame parsing
	* set stdout to be line-buffered
	* add support for vendor specific VHT extension to enable 256 QAM rates
	  (VHT-MCS 8 and 9) on 2.4 GHz band
	* RADIUS DAS:
	  - extend Disconnect-Request processing to allow matching of multiple
	    sessions
	  - support Acct-Multi-Session-Id as an identifier
	  - allow PMKSA cache entry to be removed without association
	* expire hostapd STA entry if kernel does not have a matching entry
	* allow chanlist to be used to specify a subset of channels for ACS
	* improve ACS behavior on 2.4 GHz band and allow channel bias to be
	  configured with acs_chan_bias parameter
	* do not reply to a Probe Request frame that includes DSS Parameter Set
	  element in which the channel does not match the current operating
	  channel
	* add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon
	  frame contents to be updated and to start beaconing on an interface
	  that used start_disabled=1
	* fixed some RADIUS server failover cases

2014-10-09 - v2.3
	* fixed a number of minor issues identified in static analyzer warnings
	* fixed DFS and channel switch operation for multi-BSS cases
	* started to use constant time comparison for various password and hash
	  values to reduce possibility of any externally measurable timing
	  differences
	* extended explicit clearing of freed memory and expired keys to avoid
	  keeping private data in memory longer than necessary
	* added support for a number of new RADIUS attributes from RFC 7268
	  (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher,
	  WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher)
	* fixed GET_CONFIG wpa_pairwise_cipher value
	* added code to clear bridge FDB entry on station disconnection
	* fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases
	* fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop
	  in case the first entry does not match
	* fixed hostapd_cli action script execution to use more robust mechanism
	  (CVE-2014-3686)

2014-06-04 - v2.2
	* fixed SAE confirm-before-commit validation to avoid a potential
	  segmentation fault in an unexpected message sequence that could be
	  triggered remotely
	* extended VHT support
	  - Operating Mode Notification
	  - Power Constraint element (local_pwr_constraint)
	  - Spectrum management capability (spectrum_mgmt_required=1)
	  - fix VHT80 segment picking in ACS
	  - fix vht_capab 'Maximum A-MPDU Length Exponent' handling
	  - fix VHT20
	* fixed HT40 co-ex scan for some pri/sec channel switches
	* extended HT40 co-ex support to allow dynamic channel width changes
	  during the lifetime of the BSS
	* fixed HT40 co-ex support to check for overlapping 20 MHz BSS
	* fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
	  this fixes passwords that include UTF-8 characters that use
	  three-byte encoding in EAP methods that use NtPasswordHash
	* reverted TLS certificate validation step change in v2.1 that rejected
	  any AAA server certificate with id-kp-clientAuth even if
	  id-kp-serverAuth EKU was included
	* fixed STA validation step for WPS ER commands to prevent a potential
	  crash if an ER sends an unexpected PutWLANResponse to a station that
	  is disassociated, but not fully removed
	* enforce full EAP authentication after RADIUS Disconnect-Request by
	  removing the PMKSA cache entry
	* added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address
	  in RADIUS Disconnect-Request
	* added mechanism for removing addresses for MAC ACLs by prefixing an
	  entry with "-"
	* Interworking/Hotspot 2.0 enhancements
	  - support Hotspot 2.0 Release 2
	    * OSEN network for online signup connection
	    * subscription remediation (based on RADIUS server request or
	      control interface HS20_WNM_NOTIF for testing purposes)
	    * Hotspot 2.0 release number indication in WFA RADIUS VSA
	    * deauthentication request (based on RADIUS server request or
	      control interface WNM_DEAUTH_REQ for testing purposes)
	    * Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent
	    * hs20_icon config parameter to configure icon files for OSU
	    * osu_* config parameters for OSU Providers list
	  - do
	    not use Interworking filtering rules on Probe Request if
	    Interworking is disabled to avoid interop issues
	* added/fixed nl80211 functionality
	  - AP interface teardown optimization
	  - support vendor specific driver command
	    (VENDOR <vendor id> <sub command id> [<hex formatted data>])
	* fixed PMF protection of Deauthentication frame when this is triggered
	  by session timeout
	* internal TLS implementation enhancements/fixes
	  - add SHA256-based cipher suites
	  - add DHE-RSA cipher suites
	  - fix X.509 validation of PKCS#1 signature to check for extra data
	* RADIUS server functionality
	  - add minimal RADIUS accounting server support (hostapd-as-server);
	    this is mainly to enable testing coverage with hwsim scripts
	  - allow authentication log to be written into SQLite database
	  - added option for TLS protocol testing of an EAP peer by simulating
	    various misbehaviors/known attacks
	  - MAC ACL support for testing purposes
	* fixed PTK derivation for CCMP-256 and GCMP-256
	* extended WPS per-station PSK to support ER case
	* added option to configure the management group cipher
	  (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256,
	  BIP-CMAC-256)
	* fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these
	  were rounded incorrectly)
	* added support for postponing FT response in case PMK-R1 needs to be
	  pulled from R0KH
	* added option to advertise 40 MHz intolerant HT
	  capability with ht_capab=[40-INTOLERANT]
	* remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
	  whenever CONFIG_WPS=y is set
	* EAP-pwd fixes
	  - fix possible segmentation fault on EAP method deinit if an invalid
	    group is negotiated
	* fixed RADIUS client retransmit/failover behavior
	  - there was a potential crash due to freed memory being accessed
	  - failover to a backup server mechanism did not work properly
	* fixed a possible crash on double DISABLE command when multiple BSSes
	  are enabled
	* fixed a memory leak in SAE random number generation
	* fixed GTK rekeying when the station uses FT protocol
	* fixed off-by-one bounds checking in printf_encode()
	  - this could result in denial of service in some EAP server cases
	* various bug fixes

2014-02-04 - v2.1
	* added support for simultaneous authentication of equals (SAE) for
	  stronger password-based authentication with WPA2-Personal
	* added nl80211 functionality
	  - VHT configuration for nl80211
	  - support split wiphy dump
	  - driver-based MAC ACL
	  - QoS Mapping configuration
	* added fully automated regression testing with mac80211_hwsim
	* allow ctrl_iface group to be specified on command line (-G<group>)
	* allow single hostapd process to control independent WPS interfaces
	  (wps_independent=1) instead of synchronized operations through all
	  configured interfaces within a
	  process
	* avoid processing received management frames multiple times when using
	  nl80211 with multiple BSSes
	* added support for DFS (processing radar detection events, CAC, channel
	  re-selection)
	* added EAP-EKE server
	* added automatic channel selection (ACS)
	* added option for using per-BSS (vif) configuration files with
	  -b<phyname>:<config file name>
	* extended global control interface ADD/REMOVE commands to allow BSSes
	  of a radio to be removed individually without having to add/remove all
	  other BSSes of the radio at the same time
	* added support for sending debug info to Linux tracing (-T on command
	  line)
	* replace dump_file functionality with same information being available
	  through the hostapd control interface
	* added support for using Protected Dual of Public Action frames for
	  GAS/ANQP exchanges when PMF is enabled
	* added support for WPS+NFC updates
	  - improved protocol
	  - option to fetch and report alternative carrier records for external
	    NFC operations
	* various bug fixes

2013-01-12 - v2.0
	* added AP-STA-DISCONNECTED ctrl_iface event
	* improved debug logging (human readable event names, interface name
	  included in more entries)
	* added a number of small changes to make it easier for static analyzers
	  to understand the implementation
	* added a workaround for Windows 7 Michael MIC failure reporting and
	  use of the Secure bit in EAPOL-Key msg 3/4
	* fixed a number of small bugs (see git logs for more details)
	* changed OpenSSL to read full certificate chain from server_cert file
	* nl80211: a number of updates to use new cfg80211/nl80211 functionality
	  - replace monitor interface with nl80211 commands
	  - additional information for driver-based AP SME
	* EAP-pwd:
	  - fix KDF for group 21 and zero-padding
	  - added support for fragmentation
	  - increased maximum number of hunting-and-pecking iterations
	* avoid excessive Probe Response retries for broadcast Probe Request
	  frames (only with drivers using hostapd SME/MLME)
	* added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y)
	* fixed WPS operation stopping on dual concurrent AP
	* added wps_rf_bands configuration parameter for overriding RF Bands
	  value for WPS
	* added support for getting per-device PSK from RADIUS Tunnel-Password
	* added support for libnl 3.2 and newer
	* increased initial group key handshake retransmit timeout to 500 ms
	* added a workaround for 4-way handshake to update SNonce even after
	  having sent EAPOL-Key 3/4 to avoid issues with some supplicant
	  implementations that can change SNonce for each EAP-Key 2/4
	* added a workaround for EAPOL-Key 4/4 using incorrect type value in
	  WPA2 mode (some deployed stations use WPA type in that message)
	* added a WPS workaround for mixed mode AP Settings with Windows 7
	* changed WPS AP PIN disabling mechanism to
	  disable the PIN after 10
	  consecutive failures in addition to using the exponential lockout
	  period
	* added support for WFA Hotspot 2.0
	  - GAS/ANQP advertisement of network information
	  - disable_dgaf parameter to disable downstream group-addressed
	    forwarding
	* simplified licensing terms by selecting the BSD license as the only
	  alternative
	* EAP-SIM: fixed re-authentication not to update pseudonym
	* EAP-SIM: use Notification round before EAP-Failure
	* EAP-AKA: added support for AT_COUNTER_TOO_SMALL
	* EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized
	* EAP-AKA': fixed identity for MK derivation
	* EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this
	  breaks interoperability with older versions
	* EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id
	* changed ANonce to be a random number instead of Counter-based
	* added support for canceling WPS operations with hostapd_cli wps_cancel
	* fixed EAP/WPS to PSK transition on reassociation in cases where
	  deauthentication is missed
	* hlr_auc_gw enhancements:
	  - a new command line parameter -u can be used to enable updating of
	    SQN in Milenage file
	  - use 5 bit IND for SQN updates
	  - SQLite database can now be used to store Milenage information
	* EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms
	  and reauth data
	* added support for Chargeable-User-Identity (RFC 4372)
	* added radius_auth_req_attr and radius_acct_req_attr configuration
	  parameters to allow adding/overriding of RADIUS attributes in
	  Access-Request and Accounting-Request packets
	* added support for RADIUS dynamic authorization server (RFC 5176)
	* added initial support for WNM operations
	  - BSS max idle period
	  - WNM-Sleep Mode
	* added new WPS NFC ctrl_iface mechanism
	  - removed obsoleted WPS_OOB command (including support for deprecated
	    UFD config_method)
	* added FT support for drivers that implement MLME internally
	* added SA Query support for drivers that implement MLME internally
	* removed default ACM=1 from AC_VO and AC_VI
	* changed VENDOR-TEST EAP method to use proper private enterprise number
	  (this will not interoperate with older versions)
	* added hostapd.conf parameter vendor_elements to allow arbitrary vendor
	  specific elements to be added to the Beacon and Probe Response frames
	* added support for configuring GCMP cipher for IEEE 802.11ad
	* added support for 256-bit AES with internal TLS implementation
	* changed EAPOL transmission to use AC_VO if WMM is active
	* fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length
	  correctly; invalid messages could have caused the hostapd process to
	  terminate before this fix [CVE-2012-4445]
	* limit number of active wildcard PINs for WPS Registrar to one to avoid
	  confusing behavior with multiple wildcard PINs
	* added a workaround for WPS PBC session
	  overlap detection to avoid
	  interop issues with deployed station implementations that do not
	  remove active PBC indication from Probe Request frames properly
	* added support for using SQLite for the eap_user database
	* added Acct-Session-Id attribute into Access-Request messages
	* fixed EAPOL frame transmission to non-QoS STAs with nl80211
	  (do not send QoS frames if the STA did not negotiate use of QoS for
	  this association)

2012-05-10 - v1.0
	* Add channel selection support in hostapd. See hostapd.conf.
	* Add support for IEEE 802.11v Time Advertisement mechanism with UTC
	  TSF offset. See hostapd.conf for config info.
	* Delay STA entry removal until Deauth/Disassoc TX status in AP mode.
	  This allows the driver to use PS buffering of Deauthentication and
	  Disassociation frames when the STA is in power save sleep. Only
	  available with drivers that provide TX status events for
	  Deauth/Disassoc frames (nl80211).
	* Allow PMKSA caching to be disabled on the Authenticator. See
	  hostapd.conf config parameter disable_pmksa_caching.
	* atheros: Add support for IEEE 802.11w configuration.
	* bsd: Add support for setting HT values in IFM_MMASK.
	* Allow client isolation to be configured with ap_isolate. Client
	  isolation can be used to prevent low-level bridging of frames
	  between associated stations in the BSS. By default, this bridging
	  is allowed.
	* Allow coexistence of HT BSSes with WEP/TKIP BSSes.
	* Add require_ht config parameter, which can be used to configure
	  hostapd to reject association with any station that does not support
	  HT PHY.
	* Add support for writing debug log to a file using "-f" option. Also
	  add relog CLI command to re-open the log file.
	* Add bridge handling for WDS STA interfaces. By default they are
	  added to the configured bridge of the AP interface (if present),
	  but the user can also specify a separate bridge using cli command
	  wds_bridge.
	* hostapd_cli:
	  - Add wds_bridge command for specifying bridge for WDS STA
	    interfaces.
	  - Add relog command for reopening log file.
	  - Send AP-STA-DISCONNECTED event when an AP disconnects a station
	    due to inactivity.
	  - Add wps_config ctrl_interface command for configuring AP. This
	    command can be used to configure the AP using the internal WPS
	    registrar. It works in the same way as new AP settings received
	    from an ER.
	  - Many WPS/WPS ER commands - see WPS/WPS ER sections for details.
	  - Add command get version, that returns hostapd version string.
	* WNM: Add BSS Transition Management Request for ESS Disassoc Imminent.
	  Use hostapd_cli ess_disassoc (STA addr) (URL) to send the
	  notification to the STA.
	* Allow AP mode to disconnect STAs based on low ACK condition (when
	  the data connection is not working properly, e.g., due to the STA
	  going outside the range of the AP).
	  Disabled by default, enable by
	  config option disassoc_low_ack.
	* Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad
	  config file.
	* WPS:
	  - Send AP Settings as a wrapped Credential attribute to ctrl_iface
	    in WPS-NEW-AP-SETTINGS.
	  - Dispatch more WPS events through hostapd ctrl_iface.
	  - Add mechanism for indicating non-standard WPS errors.
	  - Change concurrent radio AP to use only one WPS UPnP instance.
	  - Add wps_check_pin command for processing PIN from user input.
	    UIs can use this command to process a PIN entered by a user and to
	    validate the checksum digit (if present).
	  - Add hostapd_cli get_config command to display current AP config.
	  - Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at
	    runtime and support dynamic AP PIN management.
	  - Disable AP PIN after 10 consecutive failures. Slow down attacks
	    on failures up to 10.
	  - Allow AP to start in Enrollee mode without AP PIN for probing,
	    to be compatible with Windows 7.
	  - Add Config Error into WPS-FAIL events to provide more info
	    to the user on how to resolve the issue.
	  - When controlling multiple interfaces:
	    - apply WPS commands to all interfaces configured to use WPS
	    - apply WPS config changes to all interfaces that use WPS
	    - when an attack is detected on any interface, disable AP PIN on
	      all interfaces
	* WPS ER:
	  - Show SetSelectedRegistrar events as ctrl_iface events.
	  - Add special AP Setup Locked mode to allow read only ER.
	    ap_setup_locked=2 can now be used to enable a special mode where
	    WPS ER can learn the current AP settings, but cannot change them.
	* WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2)
	  - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool
	    for testing protocol extensibility.
	  - Add build option CONFIG_WPS_STRICT to allow disabling of WPS
	    workarounds.
	  - Add support for AuthorizedMACs attribute.
	* TDLS:
	  - Allow TDLS use or TDLS channel switching in the BSS to be
	    prohibited in the BSS, using config params tdls_prohibit and
	    tdls_prohibit_chan_switch.
	* EAP server: Add support for configuring fragment size (see
	  fragment_size in hostapd.conf).
	* wlantest: Add a tool wlantest for IEEE802.11 protocol testing.
	  wlantest can be used to capture frames from a monitor interface
	  for realtime capturing or from pcap files for offline analysis.
	* Interworking: Support added for 802.11u. Enable in .config with
	  CONFIG_INTERWORKING. See hostapd.conf for config parameters for
	  interworking.
	* Android: Add build and runtime support for Android hostapd.
	* Add a new debug message level for excessive information. Use
	  -ddd to enable.
	* TLS: Add support for tls_disable_time_checks=1 in client mode.
	* Internal TLS:
	  - Add support for TLS v1.1 (RFC 4346). Enable with build parameter
	    CONFIG_TLSV11.
	  - Add domainComponent parser for X.509 names
	* Reorder some IEs to get closer to IEEE 802.11 standard. Move
	  WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames.
	  Move HT IEs to be later in (Re)Assoc Resp.
	* Many bugfixes.

2010-04-18 - v0.7.2
	* fix WPS internal Registrar use when an external Registrar is also
	  active
	* bsd: Cleaned up driver wrapper and added various low-level
	  configuration options
	* TNC: fixed issues with fragmentation
	* EAP-TNC: add Flags field into fragment acknowledgement (needed to
	  interoperate with other implementations; may potentially break
	  compatibility with older wpa_supplicant/hostapd versions)
	* cleaned up driver wrapper API for multi-BSS operations
	* nl80211: fix multi-BSS and VLAN operations
	* fix a number of issues with IEEE 802.11r/FT; this version is not
	  backwards compatible with old versions
	* add SA Query Request processing in AP mode (IEEE 802.11w)
	* fix IGTK PN in group rekeying (IEEE 802.11w)
	* fix WPS PBC session overlap detection to use correct attribute
	* hostapd_notif_Assoc() can now be called with all IEs to simplify
	  driver wrappers
	* work around interoperability issue with some WPS External Registrar
	  implementations
	* nl80211: fix WPS IE update
	* hostapd_cli: add support for action script operations (run a script
	  on hostapd events)
	* fix DH padding with internal crypto
	  code (mainly, for WPS)
	* fix WPS association with both WPS IE and WPA/RSN IE present with
	  driver wrappers that use hostapd MLME (e.g., nl80211)

2010-01-16 - v0.7.1
	* cleaned up driver wrapper API (struct wpa_driver_ops); the new API
	  is not fully backwards compatible, so out-of-tree driver wrappers
	  will need modifications
	* cleaned up various module interfaces
	* merge hostapd and wpa_supplicant developers' documentation into a
	  single document
	* fixed HT Capabilities IE with nl80211 drivers
	* moved generic AP functionality code into src/ap
	* WPS: handle Selected Registrar as union of info from all Registrars
	* remove obsolete Prism54.org driver wrapper
	* added internal debugging mechanism with backtrace support and memory
	  allocation/freeing validation, etc.
	  tests (CONFIG_WPA_TRACE=y)
	* EAP-FAST server: piggyback Phase 2 start with the end of Phase 1
	* WPS: add support for dynamically selecting whether to provision the
	  PSK as an ASCII passphrase or PSK
	* added support for WDS (4-address frame) mode with per-station virtual
	  interfaces (wds_sta=1 in config file; only supported with
	  driver=nl80211 for now)
	* fixed WPS Probe Request processing to handle missing required
	  attribute
	* fixed PKCS#12 use with OpenSSL 1.0.0
	* detect bridge interface automatically so that bridge parameter in
	  hostapd.conf becomes optional (though, it may now be used to
	  automatically add the WLAN interface into a bridge with
	  driver=nl80211)

2009-11-21 - v0.7.0
	* increased hostapd_cli ping interval to 5 seconds and made this
	  configurable with a new command line option (-G<seconds>)
	* driver_nl80211: use Linux socket filter to improve performance
	* added support for external Registrars with WPS (UPnP transport)
	* 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel
	* driver_nl80211: fixed STA accounting data collection (TX/RX bytes
	  reported correctly; TX/RX packets not yet available from kernel)
	* added support for WPS USBA out-of-band mechanism with USB Flash
	  Drives (UFD) (CONFIG_WPS_UFD=y)
	* fixed EAPOL/EAP reauthentication when using an external RADIUS
	  authentication server
	* fixed TNC with EAP-TTLS
	* fixed IEEE
	  802.11r key derivation function to match with the standard
	  (note: this breaks interoperability with previous version) [Bug 303]
	* fixed SHA-256 based key derivation function to match with the
	  standard when using CCMP (for IEEE 802.11r and IEEE 802.11w)
	  (note: this breaks interoperability with previous version) [Bug 307]
	* added number of code size optimizations to remove unnecessary
	  functionality from the program binary based on build configuration
	  (part of this automatic; part configurable with CONFIG_NO_* build
	  options)
	* use shared driver wrapper files with wpa_supplicant
	* driver_nl80211: multiple updates to provide support for new Linux
	  nl80211/mac80211 functionality
	* updated management frame protection to use IEEE Std 802.11w-2009
	* fixed number of small WPS issues and added workarounds to
	  interoperate with common deployed broken implementations
	* added some IEEE 802.11n co-existence rules to disable 40 MHz channels
	  or modify primary/secondary channels if needed based on neighboring
	  networks
	* added support for NFC out-of-band mechanism with WPS
	* added preliminary support for IEEE 802.11r RIC processing

2009-01-06 - v0.6.7
	* added support for Wi-Fi Protected Setup (WPS)
	  (hostapd can now be configured to act as an integrated WPS Registrar
	  and provision credentials for WPS Enrollees using PIN and PBC
	  methods; external wireless Registrar can configure the AP, but
	  external WLAN Manager
	  Registrars are not supported); WPS support can
	  be enabled by adding CONFIG_WPS=y into .config and setting the
	  runtime configuration variables in hostapd.conf (see WPS section in
	  the example configuration file); new hostapd_cli commands wps_pin and
	  wps_pbc are used to configure WPS negotiation; see README-WPS for
	  more details
	* added IEEE 802.11n HT capability configuration (ht_capab)
	* added support for generating Country IE based on nl80211 regulatory
	  information (added if ieee80211d=1 in configuration)
	* fixed WEP authentication (both Open System and Shared Key) with
	  mac80211
	* added support for EAP-AKA' (draft-arkko-eap-aka-kdf)
	* added support for using driver_test over UDP socket
	* changed EAP-GPSK to use the IANA assigned EAP method type 51
	* updated management frame protection to use IEEE 802.11w/D7.0
	* fixed retransmission of EAP requests if no response is received

2008-11-23 - v0.6.6
	* added a new configuration option, wpa_ptk_rekey, that can be used to
	  enforce frequent PTK rekeying, e.g., to mitigate some attacks against
	  TKIP deficiencies
	* updated OpenSSL code for EAP-FAST to use an updated version of the
	  session ticket overriding API that was included into the upstream
	  OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
	  needed with that version anymore)
	* changed channel flags configuration to read the information from
	  the driver
	  (e.g., via driver_nl80211 when using mac80211) instead of
	  using hostapd as the source of the regulatory information (i.e.,
	  information from CRDA is now used with mac80211); this allows 5 GHz
	  channels to be used with hostapd (if allowed in the current
	  regulatory domain)
	* fixed EAP-TLS message processing for the last TLS message if it is
	  large enough to require fragmentation (e.g., if a large Session
	  Ticket data is included)
	* fixed listen interval configuration for nl80211 drivers

2008-11-01 - v0.6.5
	* added support for SHA-256 as X.509 certificate digest when using the
	  internal X.509/TLSv1 implementation
	* fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer
	  identity lengths)
	* fixed internal TLSv1 implementation for abbreviated handshake (used
	  by EAP-FAST server)
	* added support for setting VLAN ID for STAs based on local MAC ACL
	  (accept_mac_file) as an alternative for RADIUS server-based
	  configuration
	* updated management frame protection to use IEEE 802.11w/D6.0
	  (adds a new association ping to protect against unauthenticated
	  authenticate or (re)associate request frames dropping association)
	* added support for using SHA256-based stronger key derivation for WPA2
	  (IEEE 802.11w)
	* added new "driver wrapper" for RADIUS-only configuration
	  (driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config)
	* fixed WPA/RSN IE
	  validation to verify that the proto (WPA vs. WPA2)
	  is enabled in configuration
	* changed EAP-FAST configuration to use separate fields for A-ID and
	  A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed
	  16-octet len binary value for better interoperability with some peer
	  implementations; eap_fast_a_id is now configured as a hex string
	* driver_nl80211: Updated to match the current Linux mac80211 AP mode
	  configuration (wireless-testing.git and Linux kernel releases
	  starting from 2.6.29)

2008-08-10 - v0.6.4
	* added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
	  Identity Request if identity is already known
	* added support for EAP Sequences in EAP-FAST Phase 2
	* added support for EAP-TNC (Trusted Network Connect)
	  (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST
	  changes needed to run two methods in sequence (IF-T) and the IF-IMV
	  and IF-TNCCS interfaces from TNCS)
	* added support for optional cryptobinding with PEAPv0
	* added fragmentation support for EAP-TNC
	* added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled)
	  data
	* added support for opportunistic key caching (OKC)

2008-02-22 - v0.6.3
	* fixed Reassociation Response callback processing when using internal
	  MLME (driver_{hostap,nl80211,test}.c)
	* updated FT support to use the latest draft, IEEE 802.11r/D9.0
	* copy optional Proxy-State attributes into RADIUS response when acting
	  as a RADIUS authentication server
	* fixed EAPOL state machine to handle a case in which no response is
	  received from the RADIUS authentication server; previous version
	  could have triggered a crash in some cases after a timeout
	* fixed EAP-SIM/AKA realm processing to allow decorated usernames to
	  be used
	* added a workaround for EAP-SIM/AKA peers that include incorrect null
	  termination in the username
	* fixed EAP-SIM/AKA protected result indication to include AT_COUNTER
	  attribute in notification messages only when using fast
	  reauthentication
	* fixed EAP-SIM Start response processing for fast reauthentication
	  case
	* added support for pending EAP processing in EAP-{PEAP,TTLS,FAST}
	  phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method

2008-01-01 - v0.6.2
	* fixed EAP-SIM and EAP-AKA message parser to validate attribute
	  lengths properly to avoid potential crash caused by invalid messages
	* added data structure for storing allocated buffers (struct wpabuf);
	  this does not affect hostapd usage, but many of the APIs changed
	  and various interfaces (e.g., EAP) are not compatible with old
	  versions
	* added support for protecting EAP-AKA/Identity messages with
	  AT_CHECKCODE (optional feature in RFC 4187)
	* added support for protected result indication with AT_RESULT_IND for
	  EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1)
	* added support for configuring EAP-TTLS phase 2 non-EAP methods in
	  EAP server configuration; previously all four were enabled for every
	  phase 2 user, now all four are disabled by default and need to be
	  enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP,
	  TTLS-MSCHAPV2
	* removed old debug printing mechanism and the related 'debug'
	  parameter in the configuration file; debug verbosity is now set with
	  -d (or -dd) command line arguments
	* added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt);
	  only shared key/password authentication is supported in this version

2007-11-24 - v0.6.1
	* added experimental, integrated TLSv1 server implementation with the
	  needed X.509/ASN.1/RSA/bignum processing (this can be enabled by
	  setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in
	  .config); this can be useful, e.g., if the target system does not
	  have a suitable TLS library and a minimal code size is required
	* added support for EAP-FAST server method to the integrated EAP
	  server
	* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
	  draft (draft-ietf-emu-eap-gpsk-07.txt)
	* added a new configuration parameter, rsn_pairwise, to allow different
	  pairwise cipher suites to be enabled for WPA and RSN/WPA2
	  (note: if wpa_pairwise differs from rsn_pairwise, the driver will
	  either need to
	  support this or will have to use the WPA/RSN IEs from
	  hostapd; currently, the included madwifi and bsd driver interfaces do
	  not have support for this)
	* updated FT support to use the latest draft, IEEE 802.11r/D8.0

2007-05-28 - v0.6.0
	* added experimental IEEE 802.11r/D6.0 support
	* updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
	* updated EAP-PSK to use the IANA-allocated EAP type 47
	* fixed EAP-PSK bit ordering of the Flags field
	* fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs
	  by reading wpa_psk_file [Bug 181]
	* fixed EAP-TTLS AVP parser processing for too short AVP lengths
	* fixed IPv6 connection to RADIUS accounting server
	* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
	  draft (draft-ietf-emu-eap-gpsk-04.txt)
	* hlr_auc_gw: read GSM triplet file into memory and rotate through the
	  entries instead of only using the same three triplets every time
	  (this does not work properly with tests using multiple clients, but
	  provides a bit better triplet data for testing a single client; anyway,
	  if better quality triplets are needed, GSM-Milenage should be used
	  instead of hardcoded triplet file)
	* fixed EAP-MSCHAPv2 server to use a space between S and M parameters
	  in Success Request [Bug 203]
	* added support for sending EAP-AKA Notifications in error cases
	* updated to use IEEE 802.11w/D2.0 for management frame protection
	  (still experimental)
	* RADIUS server: added support for processing duplicate messages
	  (retransmissions from RADIUS client) by replying with the previous
	  reply

2006-11-24 - v0.5.6
	* added support for configuring and controlling multiple BSSes per
	  radio interface (bss=<ifname> in hostapd.conf); this is only
	  available with Devicescape and test driver interfaces
	* fixed PMKSA cache update in the end of successful RSN
	  pre-authentication
	* added support for dynamic VLAN configuration (i.e., selecting VLAN-ID
	  for each STA based on RADIUS Access-Accept attributes); this requires
	  VLAN support from the kernel driver/802.11 stack and this is
	  currently only available with Devicescape and test driver interfaces
	* driver_madwifi: fixed configuration of unencrypted modes (plaintext
	  and IEEE 802.1X without WEP)
	* removed STAKey handshake since PeerKey handshake has replaced it in
	  IEEE 802.11ma and there are no known deployments of STAKey
	* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
	  draft (draft-ietf-emu-eap-gpsk-01.txt)
	* added preliminary implementation of IEEE 802.11w/D1.0 (management
	  frame protection)
	  (Note: this requires driver support to work properly.)
	  (Note2: IEEE 802.11w is an unapproved draft and subject to change.)
	* hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM)
	* hlr_auc_gw: added support for reading per-IMSI Milenage keys and
	  parameters from a text file to make it possible to implement proper
	  GSM/UMTS authentication server for multiple SIM/USIM cards using
	  EAP-SIM/EAP-AKA
	* fixed session timeout processing with drivers that do not use
	  ieee802_11.c (e.g., madwifi)

2006-08-27 - v0.5.5
	* added 'hostapd_cli new_sta <addr>' command for adding a new STA into
	  hostapd (e.g., to initialize wired network authentication based on an
	  external signal)
	* fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when
	  using WPA2 even if PMKSA caching is not used
	* added -P<pid file> argument for hostapd to write the current process
	  id into a file
	* added support for RADIUS Authentication Server MIB (RFC 2619)

2006-06-20 - v0.5.4
	* fixed nt_password_hash build [Bug 144]
	* added PeerKey handshake implementation for IEEE 802.11e
	  direct link setup (DLS) to replace STAKey handshake
	* added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
	  draft-clancy-emu-eap-shared-secret-00.txt)
	* fixed a segmentation fault when RSN pre-authentication was completed
	  successfully [Bug 152]

2006-04-27 - v0.5.3
	* do not build nt_password_hash and hlr_auc_gw by default to avoid
	  requiring a TLS
	  library for a successful build; these programs can be
	  built with 'make nt_password_hash' and 'make hlr_auc_gw'
	* added a new configuration option, eapol_version, that can be used to
	  set EAPOL version to 1 (default is 2) to work around broken client
	  implementations that drop EAPOL frames which use version number 2
	  [Bug 89]
	* added support for EAP-SAKE (no EAP method number allocated yet, so
	  this is using the same experimental type 255 as EAP-PSK)
	* fixed EAP-MSCHAPv2 message length validation

2006-03-19 - v0.5.2
	* fixed stdarg use in hostapd_logger(): if both stdout and syslog
	  logging was enabled, hostapd could trigger a segmentation fault in
	  vsyslog on some CPU -- C library combinations
	* moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external
	  program to make it easier to use for implementing real SS7 gateway;
	  eap_sim_db is not anymore used as a file name for GSM authentication
	  triplets; instead, it is path to UNIX domain socket that will be used
	  to communicate with the external gateway program (e.g., hlr_auc_gw)
	* added example HLR/AuC gateway implementation, hlr_auc_gw, that uses
	  local information (GSM authentication triplets from a text file and
	  hardcoded AKA authentication data); this can be used to test EAP-SIM
	  and EAP-AKA
	* added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw
	  to make it possible to test EAP-AKA with real USIM cards (this is
	  disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw
	  to enable this)
	* driver_madwifi: added support for getting station RSN IE from
	  madwifi-ng svn r1453 and newer; this fixes RSN that was apparently
	  broken with earlier change (r1357) in the driver
	* changed EAP method registration to use a dynamic list of methods
	  instead of a static list generated at build time
	* fixed WPA message 3/4 not to encrypt Key Data field (WPA IE)
	  [Bug 125]
	* added ap_max_inactivity configuration parameter

2006-01-29 - v0.5.1
	* driver_test: added better support for multiple APs and STAs by using
	  a directory with sockets that include MAC address for each device in
	  the name (test_socket=DIR:/tmp/test)
	* added support for EAP expanded type (vendor specific EAP methods)

2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
	* added experimental STAKey handshake implementation for IEEE 802.11e
	  direct link setup (DLS); note: this is disabled by default in both
	  build and runtime configuration (can be enabled with CONFIG_STAKEY=y
	  and stakey=1)
	* added support for EAP methods to use callbacks to external programs
	  by buffering a pending request and processing it after the EAP method
	  is ready to continue
	* improved EAP-SIM database interface to allow external request to GSM
	  HLR/AuC without blocking hostapd process
	* added support for using
	  EAP-SIM pseudonyms and fast re-authentication
	* added support for EAP-AKA in the integrated EAP authenticator
	* added support for matching EAP identity prefixes (e.g., "1"*) in EAP
	  user database to allow EAP-SIM/AKA selection without extra roundtrip
	  for EAP-Nak negotiation
	* added support for storing EAP user password as NtPasswordHash instead
	  of plaintext password when using MSCHAP or MSCHAPv2 for
	  authentication (hash:<16-octet hex value>); added nt_password_hash
	  tool for hashing password to generate NtPasswordHash

2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
	* driver_wired: fixed EAPOL sending to optionally use PAE group address
	  as the destination instead of supplicant MAC address; this is
	  disabled by default, but should be enabled with use_pae_group_addr=1
	  in configuration file if the wired interface is used by only one
	  device at the time (common switch configuration)
	* driver_madwifi: configure driver to use TKIP countermeasures in order
	  to get correct behavior (IEEE 802.11 association failing; previously,
	  association succeeded, but hostapd forced disassociation immediately)
	* driver_madwifi: added support for madwifi-ng

2005-10-27 - v0.4.6
	* added support for replacing user identity from EAP with RADIUS
	  User-Name attribute from Access-Accept message, if that is included,
	  for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get
	  tunneled identity into
	  accounting messages when the RADIUS server
	  does not support better way of doing this with Class attribute)
	* driver_madwifi: fixed EAPOL packet receive for configuration where
	  ath# is part of a bridge interface
	* added a configuration file and log analyzer script for logwatch
	* fixed EAPOL state machine step function to process all state
	  transitions before processing new events; this resolves a race
	  condition in which EAPOL-Start message could trigger hostapd to send
	  two EAP-Response/Identity frames to the authentication server

2005-09-25 - v0.4.5
	* added client CA list to the TLS certificate request in order to make
	  it easier for the client to select which certificate to use
	* added experimental support for EAP-PSK
	* added support for WE-19 (hostap, madwifi)

2005-08-21 - v0.4.4
	* fixed build without CONFIG_RSN_PREAUTH
	* fixed FreeBSD build

2005-06-26 - v0.4.3
	* fixed PMKSA caching to copy User-Name and Class attributes so that
	  RADIUS accounting gets correct information
	* start RADIUS accounting only after successful completion of WPA
	  4-Way Handshake if WPA-PSK is used
	* fixed PMKSA caching for the case where STA (re)associates without
	  first disassociating

2005-06-12 - v0.4.2
	* EAP-PAX is now registered as EAP type 46
	* fixed EAP-PAX MAC calculation
	* fixed EAP-PAX CK and ICK key derivation
	* renamed eap_authenticator configuration variable to eap_server to
	  better match with RFC 3748 (EAP) terminology
	* driver_test: added support for testing hostapd with wpa_supplicant
	  by using test driver interface without any kernel drivers or network
	  cards

2005-05-22 - v0.4.1
	* fixed RADIUS server initialization when only auth or acct server
	  is configured and the other one is left empty
	* driver_madwifi: added support for RADIUS accounting
	* driver_madwifi: added preliminary support for compiling against 'BSD'
	  branch of madwifi CVS tree
	* driver_madwifi: fixed pairwise key removal to allow WPA reauth
	  without disassociation
	* added support for reading additional certificates from PKCS#12 files
	  and adding them to the certificate chain
	* fixed RADIUS Class attribute processing to only use Access-Accept
	  packets to update Class; previously, other RADIUS authentication
	  packets could have cleared Class attribute
	* added support for more than one Class attribute in RADIUS packets
	* added support for verifying certificate revocation list (CRL) when
	  using integrated EAP authenticator for EAP-TLS; new hostapd.conf
	  options 'check_crl'; CRL must be included in the ca_cert file for now

2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
	* added support for including network information into
	  EAP-Request/Identity message (ASCII-0 (nul) in eap_message)
	  (e.g., to implement draft-adrange-eap-network-discovery-07.txt)
	* fixed a bug which caused some RSN pre-authentication cases to use
	  freed memory and potentially crash hostapd
	* fixed private key loading for cases where passphrase is not set
	* added support for sending TLS alerts and aborting authentication
	  when receiving a TLS alert
	* fixed WPA2 to add PMKSA cache entry when using integrated EAP
	  authenticator
	* fixed PMKSA caching (EAP authentication was not skipped correctly
	  with the new state machine changes from IEEE 802.1X draft)
	* added support for RADIUS over IPv6; own_ip_addr, auth_server_addr,
	  and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs
	  to be added to .config to include IPv6 support); for RADIUS server,
	  radius_server_ipv6=1 needs to be set in hostapd.conf and addresses
	  in RADIUS clients file can then use IPv6 format
	* added experimental support for EAP-PAX
	* replaced hostapd control interface library (hostapd_ctrl.[ch]) with
	  the same implementation that wpa_supplicant is using (wpa_ctrl.[ch])

2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)

2005-01-23 - v0.3.5
	* added support for configuring a forced PEAP version based on the
	  Phase 1 identity
	* fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV
	  to terminate
	  authentication
	* fixed EAP identifier duplicate processing with the new IEEE 802.1X
	  draft
	* clear accounting data in the driver when starting a new accounting
	  session
	* driver_madwifi: filter wireless events based on ifindex to allow more
	  than one network interface to be used
	* fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt
	  setting if the packet does not pass MIC verification (e.g., due to
	  incorrect PSK); previously, message 1/4 was not tried again if an
	  invalid message 2/4 was received
	* fixed reconfiguration of RADIUS client retransmission timer when
	  adding a new message to the pending list; previously, timer was not
	  updated at this point and if there was a pending message with long
	  time for the next retry, the new message needed to wait that long for
	  its first retry, too

2005-01-09 - v0.3.4
	* added support for configuring multiple allowed EAP types for Phase 2
	  authentication (EAP-PEAP, EAP-TTLS)
	* fixed EAPOL-Start processing to trigger WPA reauthentication
	  (previously, only EAPOL authentication was done)

2005-01-02 - v0.3.3
	* added support for EAP-PEAP in the integrated EAP authenticator
	* added support for EAP-GTC in the integrated EAP authenticator
	* added support for configuring list of EAP methods for Phase 1 so that
	  the integrated EAP authenticator can, e.g., use the wildcard entry
	  for EAP-TLS and EAP-PEAP
	* added support for EAP-TTLS in the integrated EAP authenticator
	* added support for EAP-SIM in the integrated EAP authenticator
	* added support for using hostapd as a RADIUS authentication server
	  with the integrated EAP authenticator taking care of EAP
	  authentication (new hostapd.conf options: radius_server_clients and
	  radius_server_auth_port); this is not included in default build; use
	  CONFIG_RADIUS_SERVER=y in .config to include

2004-12-19 - v0.3.2
	* removed 'daemonize' configuration file option since it has not really
	  been used at all for more than a year
	* driver_madwifi: fixed group key setup and added get_ssid method
	* added support for EAP-MSCHAPv2 in the integrated EAP authenticator

2004-12-12 - v0.3.1
	* added support for integrated EAP-TLS authentication (new hostapd.conf
	  variables: ca_cert, server_cert, private_key, private_key_passwd);
	  this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without
	  external RADIUS server
	* added support for reading PKCS#12 (PFX) files (as a replacement for
	  PEM/DER) to get certificate and private key (CONFIG_PKCS12)

2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
	* added support for Acct-{Input,Output}-Gigawords
	* added support for Event-Timestamp (in RADIUS Accounting-Requests)
	* added support for RADIUS Authentication Client MIB (RFC2618)
	* added support for RADIUS Accounting Client MIB (RFC2620)
	* made EAP re-authentication period configurable (eap_reauth_period)
	* fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication
	* fixed EAPOL state machine to stop if STA is removed during
	  eapol_sm_step(); this fixes at least one segfault triggering bug with
	  IEEE 802.11i pre-authentication
	* added support for multiple WPA pre-shared keys (e.g., one for each
	  client MAC address or keys shared by a group of clients);
	  new hostapd.conf field wpa_psk_file for setting path to a text file
	  containing PSKs, see hostapd.wpa_psk for an example
	* added support for multiple driver interfaces to allow hostapd to be
	  used with other drivers
	* added wired authenticator driver interface (driver=wired in
	  hostapd.conf, see wired.conf for example configuration)
	* added madwifi driver interface (driver=madwifi in hostapd.conf, see
	  madwifi.conf for example configuration; Note: include files from
	  madwifi project are needed for building and a configuration file,
	  .config, needs to be created in hostapd directory with
	  CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd
	  build)
	* fixed an alignment issue that could cause SHA-1 to fail on some
	  platforms (e.g., Intel ixp425 with a compiler that does not 32-bit
	  align variables)
	* fixed RADIUS reconnection after an error in sending interim
	  accounting packets
	* added hostapd
control interface for external programs and an example 97539beb93cSSam Leffler CLI, hostapd_cli (like wpa_cli for wpa_supplicant) 97639beb93cSSam Leffler * started adding dot11, dot1x, radius MIBs ('hostapd_cli mib', 97739beb93cSSam Leffler 'hostapd_cli sta <addr>') 97839beb93cSSam Leffler * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11) 97939beb93cSSam Leffler * added support for strict GTK rekeying (wpa_strict_rekey in 98039beb93cSSam Leffler hostapd.conf) 98139beb93cSSam Leffler * updated IAPP to use UDP port 3517 and multicast address 224.0.1.178 98239beb93cSSam Leffler (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to 98339beb93cSSam Leffler IEEE 802.11F-2003) 98439beb93cSSam Leffler * added Prism54 driver interface (driver=prism54 in hostapd.conf; 98539beb93cSSam Leffler note: .config needs to be created in hostapd directory with 98639beb93cSSam Leffler CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd 98739beb93cSSam Leffler build) 98839beb93cSSam Leffler * dual-licensed hostapd (GPLv2 and BSD licenses) 98939beb93cSSam Leffler * fixed RADIUS accounting to generate a new session id for cases where 99039beb93cSSam Leffler a station reassociates without first being complete deauthenticated 99139beb93cSSam Leffler * fixed STA disassociation handler to mark next timeout state to 99239beb93cSSam Leffler deauthenticate the station, i.e., skip long wait for inactivity poll 99339beb93cSSam Leffler and extra disassociation, if the STA disassociates without 99439beb93cSSam Leffler deauthenticating 99539beb93cSSam Leffler * added integrated EAP authenticator that can be used instead of 99639beb93cSSam Leffler external RADIUS authentication server; currently, only EAP-MD5 is 99739beb93cSSam Leffler supported, so this cannot yet be used for key distribution; the EAP 99839beb93cSSam Leffler method interface is generic, though, so adding new EAP methods should 99939beb93cSSam Leffler be straightforward; new hostapd.conf 
variables: 'eap_authenticator' 100039beb93cSSam Leffler and 'eap_user_file'; this obsoletes "minimal authentication server" 100139beb93cSSam Leffler ('minimal_eap' in hostapd.conf) which is now removed 100239beb93cSSam Leffler * added support for FreeBSD and driver interface for the BSD net80211 100339beb93cSSam Leffler layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in 100439beb93cSSam Leffler .config); please note that some of the required kernel mods have not 100539beb93cSSam Leffler yet been committed 100639beb93cSSam Leffler 100739beb93cSSam Leffler2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases) 100839beb93cSSam Leffler * fixed some accounting cases where Accounting-Start was sent when 100939beb93cSSam Leffler IEEE 802.1X port was being deauthorized 101039beb93cSSam Leffler 101139beb93cSSam Leffler2004-06-20 - v0.2.3 101239beb93cSSam Leffler * modified RADIUS client to re-connect the socket in case of certain 101339beb93cSSam Leffler error codes that are generated when a network interface state is 101439beb93cSSam Leffler changes (e.g., when IP address changes or the interface is set UP) 101539beb93cSSam Leffler * fixed couple of cases where EAPOL state for a station was freed 101639beb93cSSam Leffler twice causing a segfault for hostapd 101739beb93cSSam Leffler * fixed couple of bugs in processing WPA deauthentication (freed data 101839beb93cSSam Leffler was used) 101939beb93cSSam Leffler 102039beb93cSSam Leffler2004-05-31 - v0.2.2 102139beb93cSSam Leffler * fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM) 102239beb93cSSam Leffler * fixed group rekeying to send zero TSC in EAPOL-Key messages to fix 102339beb93cSSam Leffler cases where STAs dropped multicast frames as replay attacks 102439beb93cSSam Leffler * added support for copying RADIUS Attribute 'Class' from 102539beb93cSSam Leffler authentication messages into accounting messages 102639beb93cSSam Leffler * send canned EAP failure if RADIUS server sends Access-Reject 
without 102739beb93cSSam Leffler EAP message (previously, Supplicant was not notified in this case) 102839beb93cSSam Leffler * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do 102939beb93cSSam Leffler not start EAPOL state machines if the STA selected to use WPA-PSK) 103039beb93cSSam Leffler 103139beb93cSSam Leffler2004-05-06 - v0.2.1 103239beb93cSSam Leffler * added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality 103339beb93cSSam Leffler - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA 103439beb93cSSam Leffler (i.e., IEEE 802.11i/D3.0) 103539beb93cSSam Leffler - supports WPA-only, RSN-only, and mixed WPA/RSN mode 103639beb93cSSam Leffler - both WPA-PSK and WPA-RADIUS/EAP are supported 103739beb93cSSam Leffler - PMKSA caching and pre-authentication 103839beb93cSSam Leffler - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase, 103939beb93cSSam Leffler wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey, 104039beb93cSSam Leffler rsn_preauth, rsn_preauth_interfaces 104139beb93cSSam Leffler * fixed interim accounting to remove any pending accounting messages 104239beb93cSSam Leffler to the STA before sending a new one 104339beb93cSSam Leffler 104439beb93cSSam Leffler2004-02-15 - v0.2.0 104539beb93cSSam Leffler * added support for Acct-Interim-Interval: 104639beb93cSSam Leffler - draft-ietf-radius-acct-interim-01.txt 104739beb93cSSam Leffler - use Acct-Interim-Interval attribute from Access-Accept if local 104839beb93cSSam Leffler 'radius_acct_interim_interval' is not set 104939beb93cSSam Leffler - allow different update intervals for each STA 105039beb93cSSam Leffler * fixed event loop to call signal handlers only after returning from 105139beb93cSSam Leffler the real signal handler 105239beb93cSSam Leffler * reset sta->timeout_next after successful association to make sure 105339beb93cSSam Leffler that the previously registered inactivity timer will not remove the 105439beb93cSSam Leffler STA immediately 
(e.g., if STA deauthenticates and re-associates 105539beb93cSSam Leffler before the timer is triggered). 105639beb93cSSam Leffler * added new hostapd.conf variable, nas_identifier, that can be used to 105739beb93cSSam Leffler add an optional RADIUS Attribute, NAS-Identifier, into authentication 105839beb93cSSam Leffler and accounting messages 105939beb93cSSam Leffler * added support for Accounting-On and Accounting-Off messages 106039beb93cSSam Leffler * fixed accounting session handling to send Accounting-Start only once 106139beb93cSSam Leffler per session and not to send Accounting-Stop if the session was not 106239beb93cSSam Leffler initialized properly 106339beb93cSSam Leffler * fixed Accounting-Stop statistics in cases where the message was 106439beb93cSSam Leffler previously sent after the kernel entry for the STA (and/or IEEE 106539beb93cSSam Leffler 802.1X data) was removed 106639beb93cSSam Leffler 106739beb93cSSam Leffler 106839beb93cSSam LefflerNote: 106939beb93cSSam Leffler 107039beb93cSSam LefflerOlder changes up to and including v0.1.0 are included in the ChangeLog 107139beb93cSSam Lefflerof the Host AP driver. 1072