]>
Commit | Line | Data |
---|---|---|
6fc6879b JM |
1 | ChangeLog for hostapd |
2 | ||
c2c6c01b JM |
3 | 2018-12-02 - v2.7 |
4 | * fixed WPA packet number reuse with replayed messages and key | |
5 | reinstallation | |
6 | [http://w1.fi/security/2017-1/] (CVE-2017-13082) | |
7 | * added support for FILS (IEEE 802.11ai) shared key authentication | |
8 | * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; | |
9 | and transition mode defined by WFA) | |
10 | * added support for DPP (Wi-Fi Device Provisioning Protocol) | |
11 | * FT: | |
12 | - added local generation of PMK-R0/PMK-R1 for FT-PSK | |
13 | (ft_psk_generate_local=1) | |
14 | - replaced inter-AP protocol with a cleaner design that is more | |
15 | easily extensible; this breaks backward compatibility and requires | |
16 | all APs in the ESS to be updated at the same time to maintain FT | |
17 | functionality | |
18 | - added support for wildcard R0KH/R1KH | |
19 | - replaced r0_key_lifetime (minutes) parameter with | |
20 | ft_r0_key_lifetime (seconds) | |
21 | - fixed wpa_psk_file use for FT-PSK | |
22 | - fixed FT-SAE PMKID matching | |
23 | - added expiration to PMK-R0 and PMK-R1 cache | |
24 | - added IEEE VLAN support (including tagged VLANs) | |
25 | - added support for SHA384 based AKM | |
26 | * SAE | |
27 | - fixed some PMKSA caching cases with SAE | |
28 | - added support for configuring SAE password separately of the | |
29 | WPA2 PSK/passphrase | |
30 | - added option to require MFP for SAE associations | |
31 | (sae_require_pmf=1) | |
32 | - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection | |
33 | for SAE; | |
34 | note: this is not backwards compatible, i.e., both the AP and | |
35 | station side implementations will need to be update at the same | |
36 | time to maintain interoperability | |
37 | - added support for Password Identifier | |
38 | * hostapd_cli: added support for command history and completion | |
39 | * added support for requesting beacon report | |
40 | * large number of other fixes, cleanup, and extensions | |
41 | * added option to configure EAPOL-Key retry limits | |
42 | (wpa_group_update_count and wpa_pairwise_update_count) | |
43 | * removed all PeerKey functionality | |
44 | * fixed nl80211 AP mode configuration regression with Linux 4.15 and | |
45 | newer | |
46 | * added support for using wolfSSL cryptographic library | |
47 | * fixed some 20/40 MHz coexistence cases where the BSS could drop to | |
48 | 20 MHz even when 40 MHz would be allowed | |
49 | * Hotspot 2.0 | |
50 | - added support for setting Venue URL ANQP-element (venue_url) | |
51 | - added support for advertising Hotspot 2.0 operator icons | |
52 | - added support for Roaming Consortium Selection element | |
53 | - added support for Terms and Conditions | |
54 | - added support for OSEN connection in a shared RSN BSS | |
55 | * added support for using OpenSSL 1.1.1 | |
56 | * added EAP-pwd server support for salted passwords | |
57 | ||
2462f347 | 58 | 2016-10-02 - v2.6 |
a1703947 JM |
59 | * fixed EAP-pwd last fragment validation |
60 | [http://w1.fi/security/2015-7/] (CVE-2015-5314) | |
61 | * fixed WPS configuration update vulnerability with malformed passphrase | |
62 | [http://w1.fi/security/2016-1/] (CVE-2016-4476) | |
61bcc853 | 63 | * extended channel switch support for VHT bandwidth changes |
a1703947 JM |
64 | * added support for configuring new ANQP-elements with |
65 | anqp_elem=<InfoID>:<hexdump of payload> | |
66 | * fixed Suite B 192-bit AKM to use proper PMK length | |
67 | (note: this makes old releases incompatible with the fixed behavior) | |
68 | * added no_probe_resp_if_max_sta=1 parameter to disable Probe Response | |
69 | frame sending for not-associated STAs if max_num_sta limit has been | |
70 | reached | |
71 | * added option (-S as command line argument) to request all interfaces | |
72 | to be started at the same time | |
73 | * modified rts_threshold and fragm_threshold configuration parameters | |
74 | to allow -1 to be used to disable RTS/fragmentation | |
75 | * EAP-pwd: added support for Brainpool Elliptic Curves | |
76 | (with OpenSSL 1.0.2 and newer) | |
77 | * fixed EAPOL reauthentication after FT protocol run | |
78 | * fixed FTIE generation for 4-way handshake after FT protocol run | |
79 | * fixed and improved various FST operations | |
80 | * TLS server | |
81 | - support SHA384 and SHA512 hashes | |
82 | - support TLS v1.2 signature algorithm with SHA384 and SHA512 | |
83 | - support PKCS #5 v2.0 PBES2 | |
84 | - support PKCS #5 with PKCS #12 style key decryption | |
85 | - minimal support for PKCS #12 | |
86 | - support OCSP stapling (including ocsp_multi) | |
87 | * added support for OpenSSL 1.1 API changes | |
61bcc853 JM |
88 | - drop support for OpenSSL 0.9.8 |
89 | - drop support for OpenSSL 1.0.0 | |
a1703947 JM |
90 | * EAP-PEAP: support fast-connect crypto binding |
91 | * RADIUS | |
92 | - fix Called-Station-Id to not escape SSID | |
93 | - add Event-Timestamp to all Accounting-Request packets | |
94 | - add Acct-Session-Id to Accounting-On/Off | |
95 | - add Acct-Multi-Session-Id ton Access-Request packets | |
96 | - add Service-Type (= Frames) | |
97 | - allow server to provide PSK instead of passphrase for WPA-PSK | |
98 | Tunnel_password case | |
99 | - update full message for interim accounting updates | |
100 | - add Acct-Delay-Time into Accounting messages | |
61bcc853 JM |
101 | - add require_message_authenticator configuration option to require |
102 | CoA/Disconnect-Request packets to be authenticated | |
a1703947 JM |
103 | * started to postpone WNM-Notification frame sending by 100 ms so that |
104 | the STA has some more time to configure the key before this frame is | |
105 | received after the 4-way handshake | |
106 | * VHT: added interoperability workaround for 80+80 and 160 MHz channels | |
107 | * extended VLAN support (per-STA vif, etc.) | |
108 | * fixed PMKID derivation with SAE | |
61bcc853 JM |
109 | * nl80211 |
110 | - added support for full station state operations | |
111 | - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use | |
112 | unencrypted EAPOL frames | |
a1703947 JM |
113 | * added initial MBO support; number of extensions to WNM BSS Transition |
114 | Management | |
115 | * added initial functionality for location related operations | |
116 | * added assocresp_elements parameter to allow vendor specific elements | |
117 | to be added into (Re)Association Response frames | |
61bcc853 JM |
118 | * improved Public Action frame addressing |
119 | - use Address 3 = wildcard BSSID in GAS response if a query from an | |
120 | unassociated STA used that address | |
121 | - fix TX status processing for Address 3 = wildcard BSSID | |
122 | - add gas_address3 configuration parameter to control Address 3 | |
123 | behavior | |
124 | * added command line parameter -i to override interface parameter in | |
125 | hostapd.conf | |
126 | * added command completion support to hostapd_cli | |
127 | * added passive client taxonomy determination (CONFIG_TAXONOMY=y | |
128 | compile option and "SIGNATURE <addr>" control interface command) | |
a1703947 JM |
129 | * number of small fixes |
130 | ||
49c36b70 JM |
131 | 2015-09-27 - v2.5 |
132 | * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding | |
133 | [http://w1.fi/security/2015-2/] (CVE-2015-4141) | |
134 | * fixed WMM Action frame parser | |
135 | [http://w1.fi/security/2015-3/] (CVE-2015-4142) | |
136 | * fixed EAP-pwd server missing payload length validation | |
137 | [http://w1.fi/security/2015-4/] | |
138 | (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145) | |
139 | * fixed validation of WPS and P2P NFC NDEF record payload length | |
140 | [http://w1.fi/security/2015-5/] | |
141 | * nl80211: | |
142 | - fixed vendor command handling to check OUI properly | |
143 | * fixed hlr_auc_gw build with OpenSSL | |
144 | * hlr_auc_gw: allow Milenage RES length to be reduced | |
145 | * disable HT for a station that does not support WMM/QoS | |
146 | * added support for hashed password (NtHash) in EAP-pwd server | |
147 | * fixed and extended dynamic VLAN cases | |
148 | * added EAP-EKE server support for deriving Session-Id | |
149 | * set Acct-Session-Id to a random value to make it more likely to be | |
150 | unique even if the device does not have a proper clock | |
151 | * added more 2.4 GHz channels for 20/40 MHz HT co-ex scan | |
152 | * modified SAE routines to be more robust and PWE generation to be | |
153 | stronger against timing attacks | |
154 | * added support for Brainpool Elliptic Curves with SAE | |
155 | * increases maximum value accepted for cwmin/cwmax | |
156 | * added support for CCMP-256 and GCMP-256 as group ciphers with FT | |
157 | * added Fast Session Transfer (FST) module | |
158 | * removed optional fields from RSNE when using FT with PMF | |
159 | (workaround for interoperability issues with iOS 8.4) | |
160 | * added EAP server support for TLS session resumption | |
161 | * fixed key derivation for Suite B 192-bit AKM (this breaks | |
162 | compatibility with the earlier version) | |
163 | * added mechanism to track unconnected stations and do minimal band | |
164 | steering | |
165 | * number of small fixes | |
166 | ||
bc1d23ae JM |
167 | 2015-03-15 - v2.4 |
168 | * allow OpenSSL cipher configuration to be set for internal EAP server | |
169 | (openssl_ciphers parameter) | |
170 | * fixed number of small issues based on hwsim test case failures and | |
171 | static analyzer reports | |
172 | * fixed Accounting-Request to not include duplicated Acct-Session-Id | |
173 | * add support for Acct-Multi-Session-Id in RADIUS Accounting messages | |
174 | * add support for PMKSA caching with SAE | |
175 | * add support for generating BSS Load element (bss_load_update_period) | |
176 | * fixed channel switch from VHT to HT | |
177 | * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events | |
178 | * add support for learning STA IPv4/IPv6 addresses and configuring | |
179 | ProxyARP support | |
180 | * dropped support for the madwifi driver interface | |
181 | * add support for Suite B (128-bit and 192-bit level) key management and | |
182 | cipher suites | |
183 | * fixed a regression with driver=wired | |
184 | * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce | |
185 | * add BSS_TM_REQ ctrl_iface command to send BSS Transition Management | |
186 | Request frames and BSS-TM-RESP event to indicate response to such | |
187 | frame | |
188 | * add support for EAP Re-Authentication Protocol (ERP) | |
189 | * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled | |
190 | * fixed a regression in HT 20/40 coex Action frame parsing | |
191 | * set stdout to be line-buffered | |
192 | * add support for vendor specific VHT extension to enable 256 QAM rates | |
193 | (VHT-MCS 8 and 9) on 2.4 GHz band | |
194 | * RADIUS DAS: | |
195 | - extend Disconnect-Request processing to allow matching of multiple | |
196 | sessions | |
197 | - support Acct-Multi-Session-Id as an identifier | |
198 | - allow PMKSA cache entry to be removed without association | |
199 | * expire hostapd STA entry if kernel does not have a matching entry | |
200 | * allow chanlist to be used to specify a subset of channels for ACS | |
201 | * improve ACS behavior on 2.4 GHz band and allow channel bias to be | |
202 | configured with acs_chan_bias parameter | |
203 | * do not reply to a Probe Request frame that includes DSS Parameter Set | |
204 | element in which the channel does not match the current operating | |
205 | channel | |
206 | * add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon | |
207 | frame contents to be updated and to start beaconing on an interface | |
208 | that used start_disabled=1 | |
209 | * fixed some RADIUS server failover cases | |
210 | ||
5cb14403 JM |
211 | 2014-10-09 - v2.3 |
212 | * fixed number of minor issues identified in static analyzer warnings | |
213 | * fixed DFS and channel switch operation for multi-BSS cases | |
214 | * started to use constant time comparison for various password and hash | |
215 | values to reduce possibility of any externally measurable timing | |
216 | differences | |
217 | * extended explicit clearing of freed memory and expired keys to avoid | |
218 | keeping private data in memory longer than necessary | |
219 | * added support for number of new RADIUS attributes from RFC 7268 | |
220 | (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher, | |
221 | WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher) | |
222 | * fixed GET_CONFIG wpa_pairwise_cipher value | |
223 | * added code to clear bridge FDB entry on station disconnection | |
224 | * fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases | |
225 | * fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop | |
226 | in case the first entry does not match | |
227 | * fixed hostapd_cli action script execution to use more robust mechanism | |
228 | (CVE-2014-3686) | |
229 | ||
6a98f673 JM |
230 | 2014-06-04 - v2.2 |
231 | * fixed SAE confirm-before-commit validation to avoid a potential | |
232 | segmentation fault in an unexpected message sequence that could be | |
233 | triggered remotely | |
234 | * extended VHT support | |
235 | - Operating Mode Notification | |
236 | - Power Constraint element (local_pwr_constraint) | |
237 | - Spectrum management capability (spectrum_mgmt_required=1) | |
238 | - fix VHT80 segment picking in ACS | |
239 | - fix vht_capab 'Maximum A-MPDU Length Exponent' handling | |
240 | - fix VHT20 | |
241 | * fixed HT40 co-ex scan for some pri/sec channel switches | |
242 | * extended HT40 co-ex support to allow dynamic channel width changes | |
243 | during the lifetime of the BSS | |
244 | * fixed HT40 co-ex support to check for overlapping 20 MHz BSS | |
245 | * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding; | |
246 | this fixes password with include UTF-8 characters that use | |
247 | three-byte encoding EAP methods that use NtPasswordHash | |
248 | * reverted TLS certificate validation step change in v2.1 that rejected | |
249 | any AAA server certificate with id-kp-clientAuth even if | |
250 | id-kp-serverAuth EKU was included | |
251 | * fixed STA validation step for WPS ER commands to prevent a potential | |
252 | crash if an ER sends an unexpected PutWLANResponse to a station that | |
253 | is disassociated, but not fully removed | |
254 | * enforce full EAP authentication after RADIUS Disconnect-Request by | |
255 | removing the PMKSA cache entry | |
256 | * added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address | |
257 | in RADIUS Disconnect-Request | |
258 | * added mechanism for removing addresses for MAC ACLs by prefixing an | |
259 | entry with "-" | |
260 | * Interworking/Hotspot 2.0 enhancements | |
261 | - support Hotspot 2.0 Release 2 | |
262 | * OSEN network for online signup connection | |
263 | * subscription remediation (based on RADIUS server request or | |
264 | control interface HS20_WNM_NOTIF for testing purposes) | |
265 | * Hotspot 2.0 release number indication in WFA RADIUS VSA | |
266 | * deauthentication request (based on RADIUS server request or | |
267 | control interface WNM_DEAUTH_REQ for testing purposes) | |
268 | * Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent | |
269 | * hs20_icon config parameter to configure icon files for OSU | |
270 | * osu_* config parameters for OSU Providers list | |
271 | - do not use Interworking filtering rules on Probe Request if | |
272 | Interworking is disabled to avoid interop issues | |
273 | * added/fixed nl80211 functionality | |
274 | - AP interface teardown optimization | |
275 | - support vendor specific driver command | |
276 | (VENDOR <vendor id> <sub command id> [<hex formatted data>]) | |
277 | * fixed PMF protection of Deauthentication frame when this is triggered | |
278 | by session timeout | |
279 | * internal TLS implementation enhancements/fixes | |
280 | - add SHA256-based cipher suites | |
281 | - add DHE-RSA cipher suites | |
282 | - fix X.509 validation of PKCS#1 signature to check for extra data | |
283 | * RADIUS server functionality | |
284 | - add minimal RADIUS accounting server support (hostapd-as-server); | |
285 | this is mainly to enable testing coverage with hwsim scripts | |
286 | - allow authentication log to be written into SQLite databse | |
287 | - added option for TLS protocol testing of an EAP peer by simulating | |
288 | various misbehaviors/known attacks | |
289 | - MAC ACL support for testing purposes | |
290 | * fixed PTK derivation for CCMP-256 and GCMP-256 | |
291 | * extended WPS per-station PSK to support ER case | |
292 | * added option to configure the management group cipher | |
293 | (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256, | |
294 | BIP-CMAC-256) | |
295 | * fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these | |
296 | were rounded incorrectly) | |
297 | * added support for postponing FT response in case PMK-R1 needs to be | |
298 | pulled from R0KH | |
299 | * added option to advertise 40 MHz intolerant HT capability with | |
300 | ht_capab=[40-INTOLERANT] | |
301 | * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled | |
302 | whenever CONFIG_WPS=y is set | |
303 | * EAP-pwd fixes | |
304 | - fix possible segmentation fault on EAP method deinit if an invalid | |
305 | group is negotiated | |
306 | * fixed RADIUS client retransmit/failover behavior | |
307 | - there was a potential ctash due to freed memory being accessed | |
308 | - failover to a backup server mechanism did not work properly | |
309 | * fixed a possible crash on double DISABLE command when multiple BSSes | |
310 | are enabled | |
311 | * fixed a memory leak in SAE random number generation | |
312 | * fixed GTK rekeying when the station uses FT protocol | |
313 | * fixed off-by-one bounds checking in printf_encode() | |
314 | - this could result in deinial of service in some EAP server cases | |
315 | * various bug fixes | |
316 | ||
44f967c7 JM |
317 | 2014-02-04 - v2.1 |
318 | * added support for simultaneous authentication of equals (SAE) for | |
67bc1375 | 319 | stronger password-based authentication with WPA2-Personal |
44f967c7 JM |
320 | * added nl80211 functionality |
321 | - VHT configuration for nl80211 | |
322 | - support split wiphy dump | |
323 | - driver-based MAC ACL | |
324 | - QoS Mapping configuration | |
325 | * added fully automated regression testing with mac80211_hwsim | |
326 | * allow ctrl_iface group to be specified on command line (-G<group>) | |
327 | * allow single hostapd process to control independent WPS interfaces | |
328 | (wps_independent=1) instead of synchronized operations through all | |
329 | configured interfaces within a process | |
330 | * avoid processing received management frames multiple times when using | |
331 | nl80211 with multiple BSSes | |
332 | * added support for DFS (processing radar detection events, CAC, channel | |
333 | re-selection) | |
334 | * added EAP-EKE server | |
335 | * added automatic channel selection (ACS) | |
336 | * added option for using per-BSS (vif) configuration files with | |
337 | -b<phyname>:<config file name> | |
338 | * extended global control interface ADD/REMOVE commands to allow BSSes | |
339 | of a radio to be removed individually without having to add/remove all | |
340 | other BSSes of the radio at the same time | |
341 | * added support for sending debug info to Linux tracing (-T on command | |
342 | line) | |
343 | * replace dump_file functionality with same information being available | |
344 | through the hostapd control interface | |
345 | * added support for using Protected Dual of Public Action frames for | |
346 | GAS/ANQP exchanges when PMF is enabled | |
347 | * added support for WPS+NFC updates | |
348 | - improved protocol | |
349 | - option to fetch and report alternative carrier records for external | |
350 | NFC operations | |
351 | * various bug fixes | |
67bc1375 | 352 | |
22760dd9 | 353 | 2013-01-12 - v2.0 |
1ae1570b JM |
354 | * added AP-STA-DISCONNECTED ctrl_iface event |
355 | * improved debug logging (human readable event names, interface name | |
356 | included in more entries) | |
357 | * added number of small changes to make it easier for static analyzers | |
358 | to understand the implementation | |
359 | * added a workaround for Windows 7 Michael MIC failure reporting and | |
360 | use of the Secure bit in EAPOL-Key msg 3/4 | |
361 | * fixed number of small bugs (see git logs for more details) | |
362 | * changed OpenSSL to read full certificate chain from server_cert file | |
363 | * nl80211: number of updates to use new cfg80211/nl80211 functionality | |
364 | - replace monitor interface with nl80211 commands | |
365 | - additional information for driver-based AP SME | |
366 | * EAP-pwd: | |
367 | - fix KDF for group 21 and zero-padding | |
368 | - added support for fragmentation | |
369 | - increased maximum number of hunting-and-pecking iterations | |
370 | * avoid excessive Probe Response retries for broadcast Probe Request | |
371 | frames (only with drivers using hostapd SME/MLME) | |
372 | * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y) | |
373 | * fixed WPS operation stopping on dual concurrent AP | |
374 | * added wps_rf_bands configuration parameter for overriding RF Bands | |
375 | value for WPS | |
376 | * added support for getting per-device PSK from RADIUS Tunnel-Password | |
377 | * added support for libnl 3.2 and newer | |
378 | * increased initial group key handshake retransmit timeout to 500 ms | |
379 | * added a workaround for 4-way handshake to update SNonce even after | |
380 | having sent EAPOL-Key 3/4 to avoid issues with some supplicant | |
381 | implementations that can change SNonce for each EAP-Key 2/4 | |
382 | * added a workaround for EAPOL-Key 4/4 using incorrect type value in | |
383 | WPA2 mode (some deployed stations use WPA type in that message) | |
384 | * added a WPS workaround for mixed mode AP Settings with Windows 7 | |
385 | * changed WPS AP PIN disabling mechanism to disable the PIN after 10 | |
386 | consecutive failures in addition to using the exponential lockout | |
387 | period | |
388 | * added support for WFA Hotspot 2.0 | |
389 | - GAS/ANQP advertisement of network information | |
390 | - disable_dgaf parameter to disable downstream group-addressed | |
391 | forwarding | |
392 | * simplified licensing terms by selecting the BSD license as the only | |
393 | alternative | |
394 | * EAP-SIM: fixed re-authentication not to update pseudonym | |
395 | * EAP-SIM: use Notification round before EAP-Failure | |
396 | * EAP-AKA: added support for AT_COUNTER_TOO_SMALL | |
397 | * EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized | |
398 | * EAP-AKA': fixed identity for MK derivation | |
399 | * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this | |
400 | breaks interoperability with older versions | |
401 | * EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id | |
402 | * changed ANonce to be a random number instead of Counter-based | |
403 | * added support for canceling WPS operations with hostapd_cli wps_cancel | |
404 | * fixed EAP/WPS to PSK transition on reassociation in cases where | |
405 | deauthentication is missed | |
406 | * hlr_auc_gw enhancements: | |
407 | - a new command line parameter -u can be used to enable updating of | |
408 | SQN in Milenage file | |
409 | - use 5 bit IND for SQN updates | |
410 | - SQLite database can now be used to store Milenage information | |
411 | * EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms | |
412 | and reauth data | |
413 | * added support for Chargeable-User-Identity (RFC 4372) | |
414 | * added radius_auth_req_attr and radius_acct_req_attr configuration | |
415 | parameters to allow adding/overriding of RADIUS attributes in | |
416 | Access-Request and Accounting-Request packets | |
417 | * added support for RADIUS dynamic authorization server (RFC 5176) | |
418 | * added initial support for WNM operations | |
419 | - BSS max idle period | |
420 | - WNM-Sleep Mode | |
421 | * added new WPS NFC ctrl_iface mechanism | |
422 | - removed obsoleted WPS_OOB command (including support for deprecated | |
423 | UFD config_method) | |
424 | * added FT support for drivers that implement MLME internally | |
425 | * added SA Query support for drivers that implement MLME internally | |
426 | * removed default ACM=1 from AC_VO and AC_VI | |
427 | * changed VENDOR-TEST EAP method to use proper private enterprise number | |
428 | (this will not interoperate with older versions) | |
429 | * added hostapd.conf parameter vendor_elements to allow arbitrary vendor | |
430 | specific elements to be added to the Beacon and Probe Response frames | |
431 | * added support for configuring GCMP cipher for IEEE 802.11ad | |
432 | * added support for 256-bit AES with internal TLS implementation | |
433 | * changed EAPOL transmission to use AC_VO if WMM is active | |
434 | * fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length | |
435 | correctly; invalid messages could have caused the hostapd process to | |
436 | terminate before this fix [CVE-2012-4445] | |
437 | * limit number of active wildcard PINs for WPS Registrar to one to avoid | |
438 | confusing behavior with multiple wildcard PINs | |
439 | * added a workaround for WPS PBC session overlap detection to avoid | |
440 | interop issues with deployed station implementations that do not | |
441 | remove active PBC indication from Probe Request frames properly | |
2cd6af9c JM |
442 | * added support for using SQLite for the eap_user database |
443 | * added Acct-Session-Id attribute into Access-Request messages | |
22760dd9 JM |
444 | * fixed EAPOL frame transmission to non-QoS STAs with nl80211 |
445 | (do not send QoS frames if the STA did not negotiate use of QoS for | |
446 | this association) | |
1ae1570b | 447 | |
ec4a5d32 JM |
448 | 2012-05-10 - v1.0 |
449 | * Add channel selection support in hostapd. See hostapd.conf. | |
450 | * Add support for IEEE 802.11v Time Advertisement mechanism with UTC | |
451 | TSF offset. See hostapd.conf for config info. | |
452 | * Delay STA entry removal until Deauth/Disassoc TX status in AP mode. | |
453 | This allows the driver to use PS buffering of Deauthentication and | |
454 | Disassociation frames when the STA is in power save sleep. Only | |
455 | available with drivers that provide TX status events for Deauth/ | |
456 | Disassoc frames (nl80211). | |
457 | * Allow PMKSA caching to be disabled on the Authenticator. See | |
458 | hostap.conf config parameter disable_pmksa_caching. | |
459 | * atheros: Add support for IEEE 802.11w configuration. | |
460 | * bsd: Add support for setting HT values in IFM_MMASK. | |
461 | * Allow client isolation to be configured with ap_isolate. Client | |
462 | isolation can be used to prevent low-level bridging of frames | |
463 | between associated stations in the BSS. By default, this bridging | |
464 | is allowed. | |
465 | * Allow coexistance of HT BSSes with WEP/TKIP BSSes. | |
466 | * Add require_ht config parameter, which can be used to configure | |
467 | hostapd to reject association with any station that does not support | |
468 | HT PHY. | |
469 | * Add support for writing debug log to a file using "-f" option. Also | |
470 | add relog CLI command to re-open the log file. | |
471 | * Add bridge handling for WDS STA interfaces. By default they are | |
472 | added to the configured bridge of the AP interface (if present), | |
473 | but the user can also specify a separate bridge using cli command | |
474 | wds_bridge. | |
475 | * hostapd_cli: | |
476 | - Add wds_bridge command for specifying bridge for WDS STA | |
477 | interfaces. | |
478 | - Add relog command for reopening log file. | |
479 | - Send AP-STA-DISCONNECTED event when an AP disconnects a station | |
480 | due to inactivity. | |
481 | - Add wps_config ctrl_interface command for configuring AP. This | |
482 | command can be used to configure the AP using the internal WPS | |
483 | registrar. It works in the same way as new AP settings received | |
484 | from an ER. | |
485 | - Many WPS/WPS ER commands - see WPS/WPS ER sections for details. | |
486 | - Add command get version, that returns hostapd version string. | |
487 | * WNM: Add BSS Transition Management Request for ESS Disassoc Imminent. | |
488 | Use hostapd_cli ess_disassoc (STA addr) (URL) to send the | |
489 | notification to the STA. | |
490 | * Allow AP mode to disconnect STAs based on low ACK condition (when | |
491 | the data connection is not working properly, e.g., due to the STA | |
492 | going outside the range of the AP). Disabled by default, enable by | |
493 | config option disassoc_low_ack. | |
494 | * Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad | |
495 | config file. | |
496 | * WPS: | |
497 | - Send AP Settings as a wrapped Credential attribute to ctrl_iface | |
498 | in WPS-NEW-AP-SETTINGS. | |
499 | - Dispatch more WPS events through hostapd ctrl_iface. | |
500 | - Add mechanism for indicating non-standard WPS errors. | |
501 | - Change concurrent radio AP to use only one WPS UPnP instance. | |
502 | - Add wps_check_pin command for processing PIN from user input. | |
503 | UIs can use this command to process a PIN entered by a user and to | |
504 | validate the checksum digit (if present). | |
505 | - Add hostap_cli get_config command to display current AP config. | |
506 | - Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at | |
507 | runtime and support dynamic AP PIN management. | |
508 | - Disable AP PIN after 10 consecutive failures. Slow down attacks | |
509 | on failures up to 10. | |
510 | - Allow AP to start in Enrollee mode without AP PIN for probing, | |
511 | to be compatible with Windows 7. | |
512 | - Add Config Error into WPS-FAIL events to provide more info | |
513 | to the user on how to resolve the issue. | |
514 | - When controlling multiple interfaces: | |
515 | - apply WPS commands to all interfaces configured to use WPS | |
516 | - apply WPS config changes to all interfaces that use WPS | |
517 | - when an attack is detected on any interface, disable AP PIN on | |
518 | all interfaces | |
519 | * WPS ER: | |
520 | - Show SetSelectedRegistrar events as ctrl_iface events. | |
521 | - Add special AP Setup Locked mode to allow read only ER. | |
522 | ap_setup_locked=2 can now be used to enable a special mode where | |
523 | WPS ER can learn the current AP settings, but cannot change them. | |
524 | * WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2) | |
525 | - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool | |
526 | for testing protocol extensibility. | |
527 | - Add build option CONFIG_WPS_STRICT to allow disabling of WPS | |
528 | workarounds. | |
529 | - Add support for AuthorizedMACs attribute. | |
530 | * TDLS: | |
531 | - Allow TDLS use or TDLS channel switching in the BSS to be | |
532 | prohibited in the BSS, using config params tdls_prohibit and | |
533 | tdls_prohibit_chan_switch. | |
534 | * EAP server: Add support for configuring fragment size (see | |
535 | fragment_size in hostapd.conf). | |
536 | * wlantest: Add a tool wlantest for IEEE802.11 protocol testing. | |
537 | wlantest can be used to capture frames from a monitor interface | |
538 | for realtime capturing or from pcap files for offline analysis. | |
539 | * Interworking: Support added for 802.11u. Enable in .config with | |
540 | CONFIG_INTERWORKING. See hostapd.conf for config parameters for | |
541 | interworking. | |
542 | * Android: Add build and runtime support for Android hostapd. | |
543 | * Add a new debug message level for excessive information. Use | |
544 | -ddd to enable. | |
545 | * TLS: Add support for tls_disable_time_checks=1 in client mode. | |
546 | * Internal TLS: | |
547 | - Add support for TLS v1.1 (RFC 4346). Enable with build parameter | |
548 | CONFIG_TLSV11. | |
549 | - Add domainComponent parser for X.509 names | |
550 | * Reorder some IEs to get closer to IEEE 802.11 standard. Move | |
551 | WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames. | |
552 | Move HT IEs to be later in (Re)Assoc Resp. | |
553 | * Many bugfixes. | |
554 | ||
be48214d JM |
555 | 2010-04-18 - v0.7.2 |
556 | * fix WPS internal Registrar use when an external Registrar is also | |
557 | active | |
558 | * bsd: Cleaned up driver wrapper and added various low-level | |
559 | configuration options | |
560 | * TNC: fixed issues with fragmentation | |
561 | * EAP-TNC: add Flags field into fragment acknowledgement (needed to | |
562 | interoperate with other implementations; may potentially breaks | |
563 | compatibility with older wpa_supplicant/hostapd versions) | |
564 | * cleaned up driver wrapper API for multi-BSS operations | |
565 | * nl80211: fix multi-BSS and VLAN operations | |
566 | * fix number of issues with IEEE 802.11r/FT; this version is not | |
567 | backwards compatible with old versions | |
568 | * add SA Query Request processing in AP mode (IEEE 802.11w) | |
569 | * fix IGTK PN in group rekeying (IEEE 802.11w) | |
570 | * fix WPS PBC session overlap detection to use correct attribute | |
571 | * hostapd_notif_Assoc() can now be called with all IEs to simplify | |
572 | driver wrappers | |
573 | * work around interoperability issue with some WPS External Registrar | |
574 | implementations | |
575 | * nl80211: fix WPS IE update | |
576 | * hostapd_cli: add support for action script operations (run a script | |
577 | on hostapd events) | |
578 | * fix DH padding with internal crypto code (mainly, for WPS) | |
579 | * fix WPS association with both WPS IE and WPA/RSN IE present with | |
580 | driver wrappers that use hostapd MLME (e.g., nl80211) | |
581 | ||
dff0f701 JM |
582 | 2010-01-16 - v0.7.1 |
583 | * cleaned up driver wrapper API (struct wpa_driver_ops); the new API | |
584 | is not fully backwards compatible, so out-of-tree driver wrappers | |
585 | will need modifications | |
586 | * cleaned up various module interfaces | |
587 | * merge hostapd and wpa_supplicant developers' documentation into a | |
588 | single document | |
589 | * fixed HT Capabilities IE with nl80211 drivers | |
590 | * moved generic AP functionality code into src/ap | |
591 | * WPS: handle Selected Registrar as union of info from all Registrars | |
592 | * remove obsolte Prism54.org driver wrapper | |
593 | * added internal debugging mechanism with backtrace support and memory | |
594 | allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y) | |
595 | * EAP-FAST server: piggyback Phase 2 start with the end of Phase 1 | |
596 | * WPS: add support for dynamically selecting whether to provision the | |
597 | PSK as an ASCII passphrase or PSK | |
598 | * added support for WDS (4-address frame) mode with per-station virtual | |
599 | interfaces (wds_sta=1 in config file; only supported with | |
600 | driver=nl80211 for now) | |
601 | * fixed WPS Probe Request processing to handle missing required | |
602 | attribute | |
603 | * fixed PKCS#12 use with OpenSSL 1.0.0 | |
604 | * detect bridge interface automatically so that bridge parameter in | |
605 | hostapd.conf becomes optional (though, it may now be used to | |
606 | automatically add then WLAN interface into a bridge with | |
607 | driver=nl80211) | |
608 | ||
224f7bda | 609 | 2009-11-21 - v0.7.0 |
1cc84c1c JM |
610 | * increased hostapd_cli ping interval to 5 seconds and made this |
611 | configurable with a new command line options (-G<seconds>) | |
9616af52 | 612 | * driver_nl80211: use Linux socket filter to improve performance |
f620268f | 613 | * added support for external Registrars with WPS (UPnP transport) |
5eb4e3d0 | 614 | * 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel |
dbdf58b0 JM |
615 | * driver_nl80211: fixed STA accounting data collection (TX/RX bytes |
616 | reported correctly; TX/RX packets not yet available from kernel) | |
f4c617ee JM |
617 | * added support for WPS USBA out-of-band mechanism with USB Flash |
618 | Drives (UFD) (CONFIG_WPS_UFD=y) | |
1fd4b0db JM |
619 | * fixed EAPOL/EAP reauthentication when using an external RADIUS |
620 | authentication server | |
51853c89 | 621 | * fixed TNC with EAP-TTLS |
4cb0dcd9 JM |
622 | * fixed IEEE 802.11r key derivation function to match with the standard |
623 | (note: this breaks interoperability with previous version) [Bug 303] | |
c0a61908 JM |
624 | * fixed SHA-256 based key derivation function to match with the |
625 | standard when using CCMP (for IEEE 802.11r and IEEE 802.11w) | |
626 | (note: this breaks interoperability with previous version) [Bug 307] | |
56360b16 JM |
627 | * added number of code size optimizations to remove unnecessary |
628 | functionality from the program binary based on build configuration | |
629 | (part of this automatic; part configurable with CONFIG_NO_* build | |
630 | options) | |
631 | * use shared driver wrapper files with wpa_supplicant | |
632 | * driver_nl80211: multiple updates to provide support for new Linux | |
633 | nl80211/mac80211 functionality | |
634 | * updated management frame protection to use IEEE Std 802.11w-2009 | |
635 | * fixed number of small WPS issues and added workarounds to | |
636 | interoperate with common deployed broken implementations | |
ffbf1eaa | 637 | * added some IEEE 802.11n co-existence rules to disable 40 MHz channels |
56360b16 JM |
638 | or modify primary/secondary channels if needed based on neighboring |
639 | networks | |
640 | * added support for NFC out-of-band mechanism with WPS | |
641 | * added preliminary support for IEEE 802.11r RIC processing | |
1cc84c1c | 642 | |
6f78f2fb | 643 | 2009-01-06 - v0.6.7 |
ad08c363 JM |
644 | * added support for Wi-Fi Protected Setup (WPS) |
645 | (hostapd can now be configured to act as an integrated WPS Registrar | |
646 | and provision credentials for WPS Enrollees using PIN and PBC | |
6f78f2fb JM |
647 | methods; external wireless Registrar can configure the AP, but |
648 | external WLAN Manager Registrars are not supported); WPS support can | |
ad08c363 JM |
649 | be enabled by adding CONFIG_WPS=y into .config and setting the |
650 | runtime configuration variables in hostapd.conf (see WPS section in | |
651 | the example configuration file); new hostapd_cli commands wps_pin and | |
30f5c941 | 652 | wps_pbc are used to configure WPS negotiation; see README-WPS for |
ad08c363 | 653 | more details |
fc14f567 | 654 | * added IEEE 802.11n HT capability configuration (ht_capab) |
df73d284 JM |
655 | * added support for generating Country IE based on nl80211 regulatory |
656 | information (added if ieee80211d=1 in configuration) | |
4a7b9f88 JM |
657 | * fixed WEP authentication (both Open System and Shared Key) with |
658 | mac80211 | |
a9d1364c | 659 | * added support for EAP-AKA' (draft-arkko-eap-aka-kdf) |
e33bbd8f | 660 | * added support for using driver_test over UDP socket |
a2b3a34b | 661 | * changed EAP-GPSK to use the IANA assigned EAP method type 51 |
cae93bdc | 662 | * updated management frame protection to use IEEE 802.11w/D7.0 |
8e09c6d2 | 663 | * fixed retransmission of EAP requests if no response is received |
ad08c363 | 664 | |
6e89cc43 | 665 | 2008-11-23 - v0.6.6 |
581a8cde JM |
666 | * added a new configuration option, wpa_ptk_rekey, that can be used to |
667 | enforce frequent PTK rekeying, e.g., to mitigate some attacks against | |
668 | TKIP deficiencies | |
0cf03892 JM |
669 | * updated OpenSSL code for EAP-FAST to use an updated version of the |
670 | session ticket overriding API that was included into the upstream | |
671 | OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is | |
672 | needed with that version anymore) | |
10b83bd7 JM |
673 | * changed channel flags configuration to read the information from |
674 | the driver (e.g., via driver_nl80211 when using mac80211) instead of | |
675 | using hostapd as the source of the regulatory information (i.e., | |
676 | information from CRDA is now used with mac80211); this allows 5 GHz | |
677 | channels to be used with hostapd (if allowed in the current | |
678 | regulatory domain) | |
012783f1 JM |
679 | * fixed EAP-TLS message processing for the last TLS message if it is |
680 | large enough to require fragmentation (e.g., if a large Session | |
681 | Ticket data is included) | |
39e50be0 | 682 | * fixed listen interval configuration for nl80211 drivers |
581a8cde | 683 | |
988ab690 | 684 | 2008-11-01 - v0.6.5 |
1d8ce433 JM |
685 | * added support for SHA-256 as X.509 certificate digest when using the |
686 | internal X.509/TLSv1 implementation | |
1f21bc4c JM |
687 | * fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer |
688 | identity lengths) | |
4d4233ea JM |
689 | * fixed internal TLSv1 implementation for abbreviated handshake (used |
690 | by EAP-FAST server) | |
271d2830 JM |
691 | * added support for setting VLAN ID for STAs based on local MAC ACL |
692 | (accept_mac_file) as an alternative for RADIUS server-based | |
693 | configuration | |
5d22a1d5 JM |
694 | * updated management frame protection to use IEEE 802.11w/D6.0 |
695 | (adds a new association ping to protect against unauthenticated | |
696 | authenticate or (re)associate request frames dropping association) | |
56586197 JM |
697 | * added support for using SHA256-based stronger key derivation for WPA2 |
698 | (IEEE 802.11w) | |
d64dabee JM |
699 | * added new "driver wrapper" for RADIUS-only configuration |
700 | (driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config) | |
2100a768 JM |
701 | * fixed WPA/RSN IE validation to verify that the proto (WPA vs. WPA2) |
702 | is enabled in configuration | |
2d867244 JM |
703 | * changed EAP-FAST configuration to use separate fields for A-ID and |
704 | A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed | |
705 | 16-octet len binary value for better interoperability with some peer | |
706 | implementations; eap_fast_a_id is now configured as a hex string | |
07d44bee JM |
707 | * driver_nl80211: Updated to match the current Linux mac80211 AP mode |
708 | configuration (wireless-testing.git and Linux kernel releases | |
709 | starting from 2.6.29) | |
1d8ce433 | 710 | |
d48ae45b | 711 | 2008-08-10 - v0.6.4 |
829f14be JM |
712 | * added peer identity into EAP-FAST PAC-Opaque and skip Phase 2 |
713 | Identity Request if identity is already known | |
7914585f | 714 | * added support for EAP Sequences in EAP-FAST Phase 2 |
502a293e JM |
715 | * added support for EAP-TNC (Trusted Network Connect) |
716 | (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST | |
717 | changes needed to run two methods in sequence (IF-T) and the IF-IMV | |
718 | and IF-TNCCS interfaces from TNCS) | |
e7d80033 | 719 | * added support for optional cryptobinding with PEAPv0 |
1b52ea47 | 720 | * added fragmentation support for EAP-TNC |
34f564db JM |
721 | * added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled) |
722 | data | |
bf98f7f3 | 723 | * added support for opportunistic key caching (OKC) |
829f14be | 724 | |
6fc6879b JM |
725 | 2008-02-22 - v0.6.3 |
726 | * fixed Reassociation Response callback processing when using internal | |
727 | MLME (driver_{hostap,nl80211,test}.c) | |
728 | * updated FT support to use the latest draft, IEEE 802.11r/D9.0 | |
729 | * copy optional Proxy-State attributes into RADIUS response when acting | |
730 | as a RADIUS authentication server | |
731 | * fixed EAPOL state machine to handle a case in which no response is | |
732 | received from the RADIUS authentication server; previous version | |
733 | could have triggered a crash in some cases after a timeout | |
734 | * fixed EAP-SIM/AKA realm processing to allow decorated usernames to | |
735 | be used | |
736 | * added a workaround for EAP-SIM/AKA peers that include incorrect null | |
737 | termination in the username | |
738 | * fixed EAP-SIM/AKA protected result indication to include AT_COUNTER | |
739 | attribute in notification messages only when using fast | |
740 | reauthentication | |
741 | * fixed EAP-SIM Start response processing for fast reauthentication | |
742 | case | |
743 | * added support for pending EAP processing in EAP-{PEAP,TTLS,FAST} | |
744 | phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method | |
745 | ||
746 | 2008-01-01 - v0.6.2 | |
747 | * fixed EAP-SIM and EAP-AKA message parser to validate attribute | |
748 | lengths properly to avoid potential crash caused by invalid messages | |
749 | * added data structure for storing allocated buffers (struct wpabuf); | |
750 | this does not affect hostapd usage, but many of the APIs changed | |
751 | and various interfaces (e.g., EAP) is not compatible with old | |
752 | versions | |
753 | * added support for protecting EAP-AKA/Identity messages with | |
754 | AT_CHECKCODE (optional feature in RFC 4187) | |
755 | * added support for protected result indication with AT_RESULT_IND for | |
756 | EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1) | |
757 | * added support for configuring EAP-TTLS phase 2 non-EAP methods in | |
758 | EAP server configuration; previously all four were enabled for every | |
759 | phase 2 user, now all four are disabled by default and need to be | |
760 | enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, | |
761 | TTLS-MSCHAPV2 | |
762 | * removed old debug printing mechanism and the related 'debug' | |
763 | parameter in the configuration file; debug verbosity is now set with | |
764 | -d (or -dd) command line arguments | |
765 | * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt); | |
766 | only shared key/password authentication is supported in this version | |
767 | ||
768 | 2007-11-24 - v0.6.1 | |
769 | * added experimental, integrated TLSv1 server implementation with the | |
770 | needed X.509/ASN.1/RSA/bignum processing (this can be enabled by | |
771 | setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in | |
772 | .config); this can be useful, e.g., if the target system does not | |
773 | have a suitable TLS library and a minimal code size is required | |
774 | * added support for EAP-FAST server method to the integrated EAP | |
775 | server | |
776 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
777 | draft (draft-ietf-emu-eap-gpsk-07.txt) | |
778 | * added a new configuration parameter, rsn_pairwise, to allow different | |
779 | pairwise cipher suites to be enabled for WPA and RSN/WPA2 | |
780 | (note: if wpa_pairwise differs from rsn_pairwise, the driver will | |
781 | either need to support this or will have to use the WPA/RSN IEs from | |
782 | hostapd; currently, the included madwifi and bsd driver interfaces do | |
783 | not have support for this) | |
784 | * updated FT support to use the latest draft, IEEE 802.11r/D8.0 | |
785 | ||
786 | 2007-05-28 - v0.6.0 | |
787 | * added experimental IEEE 802.11r/D6.0 support | |
788 | * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48 | |
789 | * updated EAP-PSK to use the IANA-allocated EAP type 47 | |
790 | * fixed EAP-PSK bit ordering of the Flags field | |
791 | * fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs | |
792 | by reading wpa_psk_file [Bug 181] | |
793 | * fixed EAP-TTLS AVP parser processing for too short AVP lengths | |
794 | * fixed IPv6 connection to RADIUS accounting server | |
795 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
796 | draft (draft-ietf-emu-eap-gpsk-04.txt) | |
797 | * hlr_auc_gw: read GSM triplet file into memory and rotate through the | |
798 | entries instead of only using the same three triplets every time | |
799 | (this does not work properly with tests using multiple clients, but | |
800 | provides bit better triplet data for testing a single client; anyway, | |
801 | if a better quality triplets are needed, GSM-Milenage should be used | |
802 | instead of hardcoded triplet file) | |
803 | * fixed EAP-MSCHAPv2 server to use a space between S and M parameters | |
804 | in Success Request [Bug 203] | |
805 | * added support for sending EAP-AKA Notifications in error cases | |
806 | * updated to use IEEE 802.11w/D2.0 for management frame protection | |
807 | (still experimental) | |
808 | * RADIUS server: added support for processing duplicate messages | |
809 | (retransmissions from RADIUS client) by replying with the previous | |
810 | reply | |
811 | ||
812 | 2006-11-24 - v0.5.6 | |
813 | * added support for configuring and controlling multiple BSSes per | |
814 | radio interface (bss=<ifname> in hostapd.conf); this is only | |
815 | available with Devicescape and test driver interfaces | |
816 | * fixed PMKSA cache update in the end of successful RSN | |
817 | pre-authentication | |
818 | * added support for dynamic VLAN configuration (i.e., selecting VLAN-ID | |
819 | for each STA based on RADIUS Access-Accept attributes); this requires | |
820 | VLAN support from the kernel driver/802.11 stack and this is | |
821 | currently only available with Devicescape and test driver interfaces | |
822 | * driver_madwifi: fixed configuration of unencrypted modes (plaintext | |
823 | and IEEE 802.1X without WEP) | |
824 | * removed STAKey handshake since PeerKey handshake has replaced it in | |
825 | IEEE 802.11ma and there are no known deployments of STAKey | |
826 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
827 | draft (draft-ietf-emu-eap-gpsk-01.txt) | |
828 | * added preliminary implementation of IEEE 802.11w/D1.0 (management | |
829 | frame protection) | |
830 | (Note: this requires driver support to work properly.) | |
831 | (Note2: IEEE 802.11w is an unapproved draft and subject to change.) | |
832 | * hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM) | |
833 | * hlr_auc_gw: added support for reading per-IMSI Milenage keys and | |
834 | parameters from a text file to make it possible to implement proper | |
835 | GSM/UMTS authentication server for multiple SIM/USIM cards using | |
836 | EAP-SIM/EAP-AKA | |
837 | * fixed session timeout processing with drivers that do not use | |
838 | ieee802_11.c (e.g., madwifi) | |
839 | ||
840 | 2006-08-27 - v0.5.5 | |
841 | * added 'hostapd_cli new_sta <addr>' command for adding a new STA into | |
842 | hostapd (e.g., to initialize wired network authentication based on an | |
843 | external signal) | |
844 | * fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when | |
845 | using WPA2 even if PMKSA caching is not used | |
846 | * added -P<pid file> argument for hostapd to write the current process | |
847 | id into a file | |
848 | * added support for RADIUS Authentication Server MIB (RFC 2619) | |
849 | ||
850 | 2006-06-20 - v0.5.4 | |
851 | * fixed nt_password_hash build [Bug 144] | |
852 | * added PeerKey handshake implementation for IEEE 802.11e | |
853 | direct link setup (DLS) to replace STAKey handshake | |
854 | * added support for EAP Generalized Pre-Shared Key (EAP-GPSK, | |
855 | draft-clancy-emu-eap-shared-secret-00.txt) | |
856 | * fixed a segmentation fault when RSN pre-authentication was completed | |
857 | successfully [Bug 152] | |
858 | ||
859 | 2006-04-27 - v0.5.3 | |
860 | * do not build nt_password_hash and hlr_auc_gw by default to avoid | |
861 | requiring a TLS library for a successful build; these programs can be | |
862 | build with 'make nt_password_hash' and 'make hlr_auc_gw' | |
863 | * added a new configuration option, eapol_version, that can be used to | |
864 | set EAPOL version to 1 (default is 2) to work around broken client | |
865 | implementations that drop EAPOL frames which use version number 2 | |
866 | [Bug 89] | |
867 | * added support for EAP-SAKE (no EAP method number allocated yet, so | |
868 | this is using the same experimental type 255 as EAP-PSK) | |
869 | * fixed EAP-MSCHAPv2 message length validation | |
870 | ||
871 | 2006-03-19 - v0.5.2 | |
872 | * fixed stdarg use in hostapd_logger(): if both stdout and syslog | |
873 | logging was enabled, hostapd could trigger a segmentation fault in | |
874 | vsyslog on some CPU -- C library combinations | |
875 | * moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external | |
876 | program to make it easier to use for implementing real SS7 gateway; | |
877 | eap_sim_db is not anymore used as a file name for GSM authentication | |
878 | triplets; instead, it is path to UNIX domain socket that will be used | |
879 | to communicate with the external gateway program (e.g., hlr_auc_gw) | |
880 | * added example HLR/AuC gateway implementation, hlr_auc_gw, that uses | |
881 | local information (GSM authentication triplets from a text file and | |
882 | hardcoded AKA authentication data); this can be used to test EAP-SIM | |
883 | and EAP-AKA | |
884 | * added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw | |
885 | to make it possible to test EAP-AKA with real USIM cards (this is | |
886 | disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw | |
887 | to enable this) | |
888 | * driver_madwifi: added support for getting station RSN IE from | |
889 | madwifi-ng svn r1453 and newer; this fixes RSN that was apparently | |
890 | broken with earlier change (r1357) in the driver | |
891 | * changed EAP method registration to use a dynamic list of methods | |
892 | instead of a static list generated at build time | |
893 | * fixed WPA message 3/4 not to encrypt Key Data field (WPA IE) | |
894 | [Bug 125] | |
895 | * added ap_max_inactivity configuration parameter | |
896 | ||
897 | 2006-01-29 - v0.5.1 | |
898 | * driver_test: added better support for multiple APs and STAs by using | |
899 | a directory with sockets that include MAC address for each device in | |
900 | the name (test_socket=DIR:/tmp/test) | |
901 | * added support for EAP expanded type (vendor specific EAP methods) | |
902 | ||
903 | 2005-12-18 - v0.5.0 (beginning of 0.5.x development releases) | |
904 | * added experimental STAKey handshake implementation for IEEE 802.11e | |
905 | direct link setup (DLS); note: this is disabled by default in both | |
906 | build and runtime configuration (can be enabled with CONFIG_STAKEY=y | |
907 | and stakey=1) | |
908 | * added support for EAP methods to use callbacks to external programs | |
909 | by buffering a pending request and processing it after the EAP method | |
910 | is ready to continue | |
911 | * improved EAP-SIM database interface to allow external request to GSM | |
912 | HLR/AuC without blocking hostapd process | |
913 | * added support for using EAP-SIM pseudonyms and fast re-authentication | |
914 | * added support for EAP-AKA in the integrated EAP authenticator | |
915 | * added support for matching EAP identity prefixes (e.g., "1"*) in EAP | |
916 | user database to allow EAP-SIM/AKA selection without extra roundtrip | |
917 | for EAP-Nak negotiation | |
918 | * added support for storing EAP user password as NtPasswordHash instead | |
919 | of plaintext password when using MSCHAP or MSCHAPv2 for | |
920 | authentication (hash:<16-octet hex value>); added nt_password_hash | |
921 | tool for hashing password to generate NtPasswordHash | |
922 | ||
923 | 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases) | |
924 | * driver_wired: fixed EAPOL sending to optionally use PAE group address | |
925 | as the destination instead of supplicant MAC address; this is | |
926 | disabled by default, but should be enabled with use_pae_group_addr=1 | |
927 | in configuration file if the wired interface is used by only one | |
928 | device at the time (common switch configuration) | |
929 | * driver_madwifi: configure driver to use TKIP countermeasures in order | |
930 | to get correct behavior (IEEE 802.11 association failing; previously, | |
931 | association succeeded, but hostpad forced disassociation immediately) | |
932 | * driver_madwifi: added support for madwifi-ng | |
933 | ||
934 | 2005-10-27 - v0.4.6 | |
935 | * added support for replacing user identity from EAP with RADIUS | |
936 | User-Name attribute from Access-Accept message, if that is included, | |
937 | for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get | |
938 | tunneled identity into accounting messages when the RADIUS server | |
939 | does not support better way of doing this with Class attribute) | |
940 | * driver_madwifi: fixed EAPOL packet receive for configuration where | |
941 | ath# is part of a bridge interface | |
942 | * added a configuration file and log analyzer script for logwatch | |
943 | * fixed EAPOL state machine step function to process all state | |
944 | transitions before processing new events; this resolves a race | |
945 | condition in which EAPOL-Start message could trigger hostapd to send | |
946 | two EAP-Response/Identity frames to the authentication server | |
947 | ||
948 | 2005-09-25 - v0.4.5 | |
949 | * added client CA list to the TLS certificate request in order to make | |
950 | it easier for the client to select which certificate to use | |
951 | * added experimental support for EAP-PSK | |
952 | * added support for WE-19 (hostap, madwifi) | |
953 | ||
954 | 2005-08-21 - v0.4.4 | |
955 | * fixed build without CONFIG_RSN_PREAUTH | |
956 | * fixed FreeBSD build | |
957 | ||
958 | 2005-06-26 - v0.4.3 | |
959 | * fixed PMKSA caching to copy User-Name and Class attributes so that | |
960 | RADIUS accounting gets correct information | |
961 | * start RADIUS accounting only after successful completion of WPA | |
962 | 4-Way Handshake if WPA-PSK is used | |
963 | * fixed PMKSA caching for the case where STA (re)associates without | |
964 | first disassociating | |
965 | ||
966 | 2005-06-12 - v0.4.2 | |
967 | * EAP-PAX is now registered as EAP type 46 | |
968 | * fixed EAP-PAX MAC calculation | |
969 | * fixed EAP-PAX CK and ICK key derivation | |
970 | * renamed eap_authenticator configuration variable to eap_server to | |
971 | better match with RFC 3748 (EAP) terminology | |
972 | * driver_test: added support for testing hostapd with wpa_supplicant | |
973 | by using test driver interface without any kernel drivers or network | |
974 | cards | |
975 | ||
976 | 2005-05-22 - v0.4.1 | |
977 | * fixed RADIUS server initialization when only auth or acct server | |
978 | is configured and the other one is left empty | |
979 | * driver_madwifi: added support for RADIUS accounting | |
980 | * driver_madwifi: added preliminary support for compiling against 'BSD' | |
981 | branch of madwifi CVS tree | |
982 | * driver_madwifi: fixed pairwise key removal to allow WPA reauth | |
983 | without disassociation | |
984 | * added support for reading additional certificates from PKCS#12 files | |
985 | and adding them to the certificate chain | |
986 | * fixed RADIUS Class attribute processing to only use Access-Accept | |
987 | packets to update Class; previously, other RADIUS authentication | |
988 | packets could have cleared Class attribute | |
989 | * added support for more than one Class attribute in RADIUS packets | |
990 | * added support for verifying certificate revocation list (CRL) when | |
991 | using integrated EAP authenticator for EAP-TLS; new hostapd.conf | |
992 | options 'check_crl'; CRL must be included in the ca_cert file for now | |
993 | ||
994 | 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases) | |
995 | * added support for including network information into | |
996 | EAP-Request/Identity message (ASCII-0 (nul) in eap_message) | |
997 | (e.g., to implement draft-adrange-eap-network-discovery-07.txt) | |
998 | * fixed a bug which caused some RSN pre-authentication cases to use | |
999 | freed memory and potentially crash hostapd | |
1000 | * fixed private key loading for cases where passphrase is not set | |
1001 | * added support for sending TLS alerts and aborting authentication | |
1002 | when receiving a TLS alert | |
1003 | * fixed WPA2 to add PMKSA cache entry when using integrated EAP | |
1004 | authenticator | |
1005 | * fixed PMKSA caching (EAP authentication was not skipped correctly | |
1006 | with the new state machine changes from IEEE 802.1X draft) | |
1007 | * added support for RADIUS over IPv6; own_ip_addr, auth_server_addr, | |
1008 | and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs | |
1009 | to be added to .config to include IPv6 support); for RADIUS server, | |
1010 | radius_server_ipv6=1 needs to be set in hostapd.conf and addresses | |
1011 | in RADIUS clients file can then use IPv6 format | |
1012 | * added experimental support for EAP-PAX | |
1013 | * replaced hostapd control interface library (hostapd_ctrl.[ch]) with | |
1014 | the same implementation that wpa_supplicant is using (wpa_ctrl.[ch]) | |
1015 | ||
1016 | 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) | |
1017 | ||
1018 | 2005-01-23 - v0.3.5 | |
1019 | * added support for configuring a forced PEAP version based on the | |
1020 | Phase 1 identity | |
1021 | * fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV | |
1022 | to terminate authentication | |
1023 | * fixed EAP identifier duplicate processing with the new IEEE 802.1X | |
1024 | draft | |
1025 | * clear accounting data in the driver when starting a new accounting | |
1026 | session | |
1027 | * driver_madwifi: filter wireless events based on ifindex to allow more | |
1028 | than one network interface to be used | |
1029 | * fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt | |
1030 | setting if the packet does not pass MIC verification (e.g., due to | |
1031 | incorrect PSK); previously, message 1/4 was not tried again if an | |
1032 | invalid message 2/4 was received | |
1033 | * fixed reconfiguration of RADIUS client retransmission timer when | |
1034 | adding a new message to the pending list; previously, timer was not | |
1035 | updated at this point and if there was a pending message with long | |
1036 | time for the next retry, the new message needed to wait that long for | |
1037 | its first retry, too | |
1038 | ||
1039 | 2005-01-09 - v0.3.4 | |
1040 | * added support for configuring multiple allowed EAP types for Phase 2 | |
1041 | authentication (EAP-PEAP, EAP-TTLS) | |
1042 | * fixed EAPOL-Start processing to trigger WPA reauthentication | |
1043 | (previously, only EAPOL authentication was done) | |
1044 | ||
1045 | 2005-01-02 - v0.3.3 | |
1046 | * added support for EAP-PEAP in the integrated EAP authenticator | |
1047 | * added support for EAP-GTC in the integrated EAP authenticator | |
1048 | * added support for configuring list of EAP methods for Phase 1 so that | |
1049 | the integrated EAP authenticator can, e.g., use the wildcard entry | |
1050 | for EAP-TLS and EAP-PEAP | |
1051 | * added support for EAP-TTLS in the integrated EAP authenticator | |
1052 | * added support for EAP-SIM in the integrated EAP authenticator | |
1053 | * added support for using hostapd as a RADIUS authentication server | |
1054 | with the integrated EAP authenticator taking care of EAP | |
1055 | authentication (new hostapd.conf options: radius_server_clients and | |
1056 | radius_server_auth_port); this is not included in default build; use | |
1057 | CONFIG_RADIUS_SERVER=y in .config to include | |
1058 | ||
1059 | 2004-12-19 - v0.3.2 | |
1060 | * removed 'daemonize' configuration file option since it has not really | |
1061 | been used at all for more than year | |
1062 | * driver_madwifi: fixed group key setup and added get_ssid method | |
1063 | * added support for EAP-MSCHAPv2 in the integrated EAP authenticator | |
1064 | ||
1065 | 2004-12-12 - v0.3.1 | |
1066 | * added support for integrated EAP-TLS authentication (new hostapd.conf | |
1067 | variables: ca_cert, server_cert, private_key, private_key_passwd); | |
1068 | this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without | |
1069 | external RADIUS server | |
1070 | * added support for reading PKCS#12 (PFX) files (as a replacement for | |
1071 | PEM/DER) to get certificate and private key (CONFIG_PKCS12) | |
1072 | ||
1073 | 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases) | |
1074 | * added support for Acct-{Input,Output}-Gigawords | |
1075 | * added support for Event-Timestamp (in RADIUS Accounting-Requests) | |
1076 | * added support for RADIUS Authentication Client MIB (RFC2618) | |
1077 | * added support for RADIUS Accounting Client MIB (RFC2620) | |
1078 | * made EAP re-authentication period configurable (eap_reauth_period) | |
1079 | * fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication | |
1080 | * fixed EAPOL state machine to stop if STA is removed during | |
1081 | eapol_sm_step(); this fixes at least one segfault triggering bug with | |
1082 | IEEE 802.11i pre-authentication | |
1083 | * added support for multiple WPA pre-shared keys (e.g., one for each | |
1084 | client MAC address or keys shared by a group of clients); | |
1085 | new hostapd.conf field wpa_psk_file for setting path to a text file | |
1086 | containing PSKs, see hostapd.wpa_psk for an example | |
1087 | * added support for multiple driver interfaces to allow hostapd to be | |
1088 | used with other drivers | |
1089 | * added wired authenticator driver interface (driver=wired in | |
1090 | hostapd.conf, see wired.conf for example configuration) | |
1091 | * added madwifi driver interface (driver=madwifi in hostapd.conf, see | |
1092 | madwifi.conf for example configuration; Note: include files from | |
1093 | madwifi project is needed for building and a configuration file, | |
1094 | .config, needs to be created in hostapd directory with | |
1095 | CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd | |
1096 | build) | |
1097 | * fixed an alignment issue that could cause SHA-1 to fail on some | |
1098 | platforms (e.g., Intel ixp425 with a compiler that does not 32-bit | |
1099 | align variables) | |
1100 | * fixed RADIUS reconnection after an error in sending interim | |
1101 | accounting packets | |
1102 | * added hostapd control interface for external programs and an example | |
1103 | CLI, hostapd_cli (like wpa_cli for wpa_supplicant) | |
1104 | * started adding dot11, dot1x, radius MIBs ('hostapd_cli mib', | |
1105 | 'hostapd_cli sta <addr>') | |
1106 | * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11) | |
1107 | * added support for strict GTK rekeying (wpa_strict_rekey in | |
1108 | hostapd.conf) | |
1109 | * updated IAPP to use UDP port 3517 and multicast address 224.0.1.178 | |
1110 | (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to | |
1111 | IEEE 802.11F-2003) | |
1112 | * added Prism54 driver interface (driver=prism54 in hostapd.conf; | |
1113 | note: .config needs to be created in hostapd directory with | |
1114 | CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd | |
1115 | build) | |
1116 | * dual-licensed hostapd (GPLv2 and BSD licenses) | |
1117 | * fixed RADIUS accounting to generate a new session id for cases where | |
1118 | a station reassociates without first being complete deauthenticated | |
1119 | * fixed STA disassociation handler to mark next timeout state to | |
1120 | deauthenticate the station, i.e., skip long wait for inactivity poll | |
1121 | and extra disassociation, if the STA disassociates without | |
1122 | deauthenticating | |
1123 | * added integrated EAP authenticator that can be used instead of | |
1124 | external RADIUS authentication server; currently, only EAP-MD5 is | |
1125 | supported, so this cannot yet be used for key distribution; the EAP | |
1126 | method interface is generic, though, so adding new EAP methods should | |
1127 | be straightforward; new hostapd.conf variables: 'eap_authenticator' | |
1128 | and 'eap_user_file'; this obsoletes "minimal authentication server" | |
1129 | ('minimal_eap' in hostapd.conf) which is now removed | |
1130 | * added support for FreeBSD and driver interface for the BSD net80211 | |
1131 | layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in | |
1132 | .config); please note that some of the required kernel mods have not | |
1133 | yet been committed | |
1134 | ||
1135 | 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases) | |
1136 | * fixed some accounting cases where Accounting-Start was sent when | |
1137 | IEEE 802.1X port was being deauthorized | |
1138 | ||
1139 | 2004-06-20 - v0.2.3 | |
1140 | * modified RADIUS client to re-connect the socket in case of certain | |
1141 | error codes that are generated when a network interface state is | |
1142 | changes (e.g., when IP address changes or the interface is set UP) | |
1143 | * fixed couple of cases where EAPOL state for a station was freed | |
1144 | twice causing a segfault for hostapd | |
1145 | * fixed couple of bugs in processing WPA deauthentication (freed data | |
1146 | was used) | |
1147 | ||
1148 | 2004-05-31 - v0.2.2 | |
1149 | * fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM) | |
1150 | * fixed group rekeying to send zero TSC in EAPOL-Key messages to fix | |
1151 | cases where STAs dropped multicast frames as replay attacks | |
1152 | * added support for copying RADIUS Attribute 'Class' from | |
1153 | authentication messages into accounting messages | |
1154 | * send canned EAP failure if RADIUS server sends Access-Reject without | |
1155 | EAP message (previously, Supplicant was not notified in this case) | |
1156 | * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do | |
1157 | not start EAPOL state machines if the STA selected to use WPA-PSK) | |
1158 | ||
1159 | 2004-05-06 - v0.2.1 | |
1160 | * added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality | |
1161 | - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA | |
1162 | (i.e., IEEE 802.11i/D3.0) | |
1163 | - supports WPA-only, RSN-only, and mixed WPA/RSN mode | |
1164 | - both WPA-PSK and WPA-RADIUS/EAP are supported | |
1165 | - PMKSA caching and pre-authentication | |
1166 | - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase, | |
1167 | wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey, | |
1168 | rsn_preauth, rsn_preauth_interfaces | |
1169 | * fixed interim accounting to remove any pending accounting messages | |
1170 | to the STA before sending a new one | |
1171 | ||
1172 | 2004-02-15 - v0.2.0 | |
1173 | * added support for Acct-Interim-Interval: | |
1174 | - draft-ietf-radius-acct-interim-01.txt | |
1175 | - use Acct-Interim-Interval attribute from Access-Accept if local | |
1176 | 'radius_acct_interim_interval' is not set | |
1177 | - allow different update intervals for each STA | |
1178 | * fixed event loop to call signal handlers only after returning from | |
1179 | the real signal handler | |
1180 | * reset sta->timeout_next after successful association to make sure | |
1181 | that the previously registered inactivity timer will not remove the | |
1182 | STA immediately (e.g., if STA deauthenticates and re-associates | |
1183 | before the timer is triggered). | |
1184 | * added new hostapd.conf variable, nas_identifier, that can be used to | |
1185 | add an optional RADIUS Attribute, NAS-Identifier, into authentication | |
1186 | and accounting messages | |
1187 | * added support for Accounting-On and Accounting-Off messages | |
1188 | * fixed accounting session handling to send Accounting-Start only once | |
1189 | per session and not to send Accounting-Stop if the session was not | |
1190 | initialized properly | |
1191 | * fixed Accounting-Stop statistics in cases where the message was | |
1192 | previously sent after the kernel entry for the STA (and/or IEEE | |
1193 | 802.1X data) was removed | |
1194 | ||
1195 | ||
1196 | Note: | |
1197 | ||
1198 | Older changes up to and including v0.1.0 are included in the ChangeLog | |
1199 | of the Host AP driver. |