]>
Commit | Line | Data |
---|---|---|
6fc6879b JM |
1 | ChangeLog for hostapd |
2 | ||
1cc84c1c JM |
3 | ????-??-?? - v0.7.0 |
4 | * increased hostapd_cli ping interval to 5 seconds and made this | |
5 | configurable with a new command line options (-G<seconds>) | |
9616af52 | 6 | * driver_nl80211: use Linux socket filter to improve performance |
f620268f | 7 | * added support for external Registrars with WPS (UPnP transport) |
5eb4e3d0 | 8 | * 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel |
dbdf58b0 JM |
9 | * driver_nl80211: fixed STA accounting data collection (TX/RX bytes |
10 | reported correctly; TX/RX packets not yet available from kernel) | |
f4c617ee JM |
11 | * added support for WPS USBA out-of-band mechanism with USB Flash |
12 | Drives (UFD) (CONFIG_WPS_UFD=y) | |
1fd4b0db JM |
13 | * fixed EAPOL/EAP reauthentication when using an external RADIUS |
14 | authentication server | |
51853c89 | 15 | * fixed TNC with EAP-TTLS |
4cb0dcd9 JM |
16 | * fixed IEEE 802.11r key derivation function to match with the standard |
17 | (note: this breaks interoperability with previous version) [Bug 303] | |
c0a61908 JM |
18 | * fixed SHA-256 based key derivation function to match with the |
19 | standard when using CCMP (for IEEE 802.11r and IEEE 802.11w) | |
20 | (note: this breaks interoperability with previous version) [Bug 307] | |
56360b16 JM |
21 | * added number of code size optimizations to remove unnecessary |
22 | functionality from the program binary based on build configuration | |
23 | (part of this automatic; part configurable with CONFIG_NO_* build | |
24 | options) | |
25 | * use shared driver wrapper files with wpa_supplicant | |
26 | * driver_nl80211: multiple updates to provide support for new Linux | |
27 | nl80211/mac80211 functionality | |
28 | * updated management frame protection to use IEEE Std 802.11w-2009 | |
29 | * fixed number of small WPS issues and added workarounds to | |
30 | interoperate with common deployed broken implementations | |
31 | * added some IEEE 802.11n co-existance rules to disable 40 MHz channels | |
32 | or modify primary/secondary channels if needed based on neighboring | |
33 | networks | |
34 | * added support for NFC out-of-band mechanism with WPS | |
35 | * added preliminary support for IEEE 802.11r RIC processing | |
1cc84c1c | 36 | |
6f78f2fb | 37 | 2009-01-06 - v0.6.7 |
ad08c363 JM |
38 | * added support for Wi-Fi Protected Setup (WPS) |
39 | (hostapd can now be configured to act as an integrated WPS Registrar | |
40 | and provision credentials for WPS Enrollees using PIN and PBC | |
6f78f2fb JM |
41 | methods; external wireless Registrar can configure the AP, but |
42 | external WLAN Manager Registrars are not supported); WPS support can | |
ad08c363 JM |
43 | be enabled by adding CONFIG_WPS=y into .config and setting the |
44 | runtime configuration variables in hostapd.conf (see WPS section in | |
45 | the example configuration file); new hostapd_cli commands wps_pin and | |
30f5c941 | 46 | wps_pbc are used to configure WPS negotiation; see README-WPS for |
ad08c363 | 47 | more details |
fc14f567 | 48 | * added IEEE 802.11n HT capability configuration (ht_capab) |
df73d284 JM |
49 | * added support for generating Country IE based on nl80211 regulatory |
50 | information (added if ieee80211d=1 in configuration) | |
4a7b9f88 JM |
51 | * fixed WEP authentication (both Open System and Shared Key) with |
52 | mac80211 | |
a9d1364c | 53 | * added support for EAP-AKA' (draft-arkko-eap-aka-kdf) |
e33bbd8f | 54 | * added support for using driver_test over UDP socket |
a2b3a34b | 55 | * changed EAP-GPSK to use the IANA assigned EAP method type 51 |
cae93bdc | 56 | * updated management frame protection to use IEEE 802.11w/D7.0 |
8e09c6d2 | 57 | * fixed retransmission of EAP requests if no response is received |
ad08c363 | 58 | |
6e89cc43 | 59 | 2008-11-23 - v0.6.6 |
581a8cde JM |
60 | * added a new configuration option, wpa_ptk_rekey, that can be used to |
61 | enforce frequent PTK rekeying, e.g., to mitigate some attacks against | |
62 | TKIP deficiencies | |
0cf03892 JM |
63 | * updated OpenSSL code for EAP-FAST to use an updated version of the |
64 | session ticket overriding API that was included into the upstream | |
65 | OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is | |
66 | needed with that version anymore) | |
10b83bd7 JM |
67 | * changed channel flags configuration to read the information from |
68 | the driver (e.g., via driver_nl80211 when using mac80211) instead of | |
69 | using hostapd as the source of the regulatory information (i.e., | |
70 | information from CRDA is now used with mac80211); this allows 5 GHz | |
71 | channels to be used with hostapd (if allowed in the current | |
72 | regulatory domain) | |
012783f1 JM |
73 | * fixed EAP-TLS message processing for the last TLS message if it is |
74 | large enough to require fragmentation (e.g., if a large Session | |
75 | Ticket data is included) | |
39e50be0 | 76 | * fixed listen interval configuration for nl80211 drivers |
581a8cde | 77 | |
988ab690 | 78 | 2008-11-01 - v0.6.5 |
1d8ce433 JM |
79 | * added support for SHA-256 as X.509 certificate digest when using the |
80 | internal X.509/TLSv1 implementation | |
1f21bc4c JM |
81 | * fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer |
82 | identity lengths) | |
4d4233ea JM |
83 | * fixed internal TLSv1 implementation for abbreviated handshake (used |
84 | by EAP-FAST server) | |
271d2830 JM |
85 | * added support for setting VLAN ID for STAs based on local MAC ACL |
86 | (accept_mac_file) as an alternative for RADIUS server-based | |
87 | configuration | |
5d22a1d5 JM |
88 | * updated management frame protection to use IEEE 802.11w/D6.0 |
89 | (adds a new association ping to protect against unauthenticated | |
90 | authenticate or (re)associate request frames dropping association) | |
56586197 JM |
91 | * added support for using SHA256-based stronger key derivation for WPA2 |
92 | (IEEE 802.11w) | |
d64dabee JM |
93 | * added new "driver wrapper" for RADIUS-only configuration |
94 | (driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config) | |
2100a768 JM |
95 | * fixed WPA/RSN IE validation to verify that the proto (WPA vs. WPA2) |
96 | is enabled in configuration | |
2d867244 JM |
97 | * changed EAP-FAST configuration to use separate fields for A-ID and |
98 | A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed | |
99 | 16-octet len binary value for better interoperability with some peer | |
100 | implementations; eap_fast_a_id is now configured as a hex string | |
07d44bee JM |
101 | * driver_nl80211: Updated to match the current Linux mac80211 AP mode |
102 | configuration (wireless-testing.git and Linux kernel releases | |
103 | starting from 2.6.29) | |
1d8ce433 | 104 | |
d48ae45b | 105 | 2008-08-10 - v0.6.4 |
829f14be JM |
106 | * added peer identity into EAP-FAST PAC-Opaque and skip Phase 2 |
107 | Identity Request if identity is already known | |
7914585f | 108 | * added support for EAP Sequences in EAP-FAST Phase 2 |
502a293e JM |
109 | * added support for EAP-TNC (Trusted Network Connect) |
110 | (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST | |
111 | changes needed to run two methods in sequence (IF-T) and the IF-IMV | |
112 | and IF-TNCCS interfaces from TNCS) | |
e7d80033 | 113 | * added support for optional cryptobinding with PEAPv0 |
1b52ea47 | 114 | * added fragmentation support for EAP-TNC |
34f564db JM |
115 | * added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled) |
116 | data | |
bf98f7f3 | 117 | * added support for opportunistic key caching (OKC) |
829f14be | 118 | |
6fc6879b JM |
119 | 2008-02-22 - v0.6.3 |
120 | * fixed Reassociation Response callback processing when using internal | |
121 | MLME (driver_{hostap,nl80211,test}.c) | |
122 | * updated FT support to use the latest draft, IEEE 802.11r/D9.0 | |
123 | * copy optional Proxy-State attributes into RADIUS response when acting | |
124 | as a RADIUS authentication server | |
125 | * fixed EAPOL state machine to handle a case in which no response is | |
126 | received from the RADIUS authentication server; previous version | |
127 | could have triggered a crash in some cases after a timeout | |
128 | * fixed EAP-SIM/AKA realm processing to allow decorated usernames to | |
129 | be used | |
130 | * added a workaround for EAP-SIM/AKA peers that include incorrect null | |
131 | termination in the username | |
132 | * fixed EAP-SIM/AKA protected result indication to include AT_COUNTER | |
133 | attribute in notification messages only when using fast | |
134 | reauthentication | |
135 | * fixed EAP-SIM Start response processing for fast reauthentication | |
136 | case | |
137 | * added support for pending EAP processing in EAP-{PEAP,TTLS,FAST} | |
138 | phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method | |
139 | ||
140 | 2008-01-01 - v0.6.2 | |
141 | * fixed EAP-SIM and EAP-AKA message parser to validate attribute | |
142 | lengths properly to avoid potential crash caused by invalid messages | |
143 | * added data structure for storing allocated buffers (struct wpabuf); | |
144 | this does not affect hostapd usage, but many of the APIs changed | |
145 | and various interfaces (e.g., EAP) is not compatible with old | |
146 | versions | |
147 | * added support for protecting EAP-AKA/Identity messages with | |
148 | AT_CHECKCODE (optional feature in RFC 4187) | |
149 | * added support for protected result indication with AT_RESULT_IND for | |
150 | EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1) | |
151 | * added support for configuring EAP-TTLS phase 2 non-EAP methods in | |
152 | EAP server configuration; previously all four were enabled for every | |
153 | phase 2 user, now all four are disabled by default and need to be | |
154 | enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, | |
155 | TTLS-MSCHAPV2 | |
156 | * removed old debug printing mechanism and the related 'debug' | |
157 | parameter in the configuration file; debug verbosity is now set with | |
158 | -d (or -dd) command line arguments | |
159 | * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt); | |
160 | only shared key/password authentication is supported in this version | |
161 | ||
162 | 2007-11-24 - v0.6.1 | |
163 | * added experimental, integrated TLSv1 server implementation with the | |
164 | needed X.509/ASN.1/RSA/bignum processing (this can be enabled by | |
165 | setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in | |
166 | .config); this can be useful, e.g., if the target system does not | |
167 | have a suitable TLS library and a minimal code size is required | |
168 | * added support for EAP-FAST server method to the integrated EAP | |
169 | server | |
170 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
171 | draft (draft-ietf-emu-eap-gpsk-07.txt) | |
172 | * added a new configuration parameter, rsn_pairwise, to allow different | |
173 | pairwise cipher suites to be enabled for WPA and RSN/WPA2 | |
174 | (note: if wpa_pairwise differs from rsn_pairwise, the driver will | |
175 | either need to support this or will have to use the WPA/RSN IEs from | |
176 | hostapd; currently, the included madwifi and bsd driver interfaces do | |
177 | not have support for this) | |
178 | * updated FT support to use the latest draft, IEEE 802.11r/D8.0 | |
179 | ||
180 | 2007-05-28 - v0.6.0 | |
181 | * added experimental IEEE 802.11r/D6.0 support | |
182 | * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48 | |
183 | * updated EAP-PSK to use the IANA-allocated EAP type 47 | |
184 | * fixed EAP-PSK bit ordering of the Flags field | |
185 | * fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs | |
186 | by reading wpa_psk_file [Bug 181] | |
187 | * fixed EAP-TTLS AVP parser processing for too short AVP lengths | |
188 | * fixed IPv6 connection to RADIUS accounting server | |
189 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
190 | draft (draft-ietf-emu-eap-gpsk-04.txt) | |
191 | * hlr_auc_gw: read GSM triplet file into memory and rotate through the | |
192 | entries instead of only using the same three triplets every time | |
193 | (this does not work properly with tests using multiple clients, but | |
194 | provides bit better triplet data for testing a single client; anyway, | |
195 | if a better quality triplets are needed, GSM-Milenage should be used | |
196 | instead of hardcoded triplet file) | |
197 | * fixed EAP-MSCHAPv2 server to use a space between S and M parameters | |
198 | in Success Request [Bug 203] | |
199 | * added support for sending EAP-AKA Notifications in error cases | |
200 | * updated to use IEEE 802.11w/D2.0 for management frame protection | |
201 | (still experimental) | |
202 | * RADIUS server: added support for processing duplicate messages | |
203 | (retransmissions from RADIUS client) by replying with the previous | |
204 | reply | |
205 | ||
206 | 2006-11-24 - v0.5.6 | |
207 | * added support for configuring and controlling multiple BSSes per | |
208 | radio interface (bss=<ifname> in hostapd.conf); this is only | |
209 | available with Devicescape and test driver interfaces | |
210 | * fixed PMKSA cache update in the end of successful RSN | |
211 | pre-authentication | |
212 | * added support for dynamic VLAN configuration (i.e., selecting VLAN-ID | |
213 | for each STA based on RADIUS Access-Accept attributes); this requires | |
214 | VLAN support from the kernel driver/802.11 stack and this is | |
215 | currently only available with Devicescape and test driver interfaces | |
216 | * driver_madwifi: fixed configuration of unencrypted modes (plaintext | |
217 | and IEEE 802.1X without WEP) | |
218 | * removed STAKey handshake since PeerKey handshake has replaced it in | |
219 | IEEE 802.11ma and there are no known deployments of STAKey | |
220 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
221 | draft (draft-ietf-emu-eap-gpsk-01.txt) | |
222 | * added preliminary implementation of IEEE 802.11w/D1.0 (management | |
223 | frame protection) | |
224 | (Note: this requires driver support to work properly.) | |
225 | (Note2: IEEE 802.11w is an unapproved draft and subject to change.) | |
226 | * hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM) | |
227 | * hlr_auc_gw: added support for reading per-IMSI Milenage keys and | |
228 | parameters from a text file to make it possible to implement proper | |
229 | GSM/UMTS authentication server for multiple SIM/USIM cards using | |
230 | EAP-SIM/EAP-AKA | |
231 | * fixed session timeout processing with drivers that do not use | |
232 | ieee802_11.c (e.g., madwifi) | |
233 | ||
234 | 2006-08-27 - v0.5.5 | |
235 | * added 'hostapd_cli new_sta <addr>' command for adding a new STA into | |
236 | hostapd (e.g., to initialize wired network authentication based on an | |
237 | external signal) | |
238 | * fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when | |
239 | using WPA2 even if PMKSA caching is not used | |
240 | * added -P<pid file> argument for hostapd to write the current process | |
241 | id into a file | |
242 | * added support for RADIUS Authentication Server MIB (RFC 2619) | |
243 | ||
244 | 2006-06-20 - v0.5.4 | |
245 | * fixed nt_password_hash build [Bug 144] | |
246 | * added PeerKey handshake implementation for IEEE 802.11e | |
247 | direct link setup (DLS) to replace STAKey handshake | |
248 | * added support for EAP Generalized Pre-Shared Key (EAP-GPSK, | |
249 | draft-clancy-emu-eap-shared-secret-00.txt) | |
250 | * fixed a segmentation fault when RSN pre-authentication was completed | |
251 | successfully [Bug 152] | |
252 | ||
253 | 2006-04-27 - v0.5.3 | |
254 | * do not build nt_password_hash and hlr_auc_gw by default to avoid | |
255 | requiring a TLS library for a successful build; these programs can be | |
256 | build with 'make nt_password_hash' and 'make hlr_auc_gw' | |
257 | * added a new configuration option, eapol_version, that can be used to | |
258 | set EAPOL version to 1 (default is 2) to work around broken client | |
259 | implementations that drop EAPOL frames which use version number 2 | |
260 | [Bug 89] | |
261 | * added support for EAP-SAKE (no EAP method number allocated yet, so | |
262 | this is using the same experimental type 255 as EAP-PSK) | |
263 | * fixed EAP-MSCHAPv2 message length validation | |
264 | ||
265 | 2006-03-19 - v0.5.2 | |
266 | * fixed stdarg use in hostapd_logger(): if both stdout and syslog | |
267 | logging was enabled, hostapd could trigger a segmentation fault in | |
268 | vsyslog on some CPU -- C library combinations | |
269 | * moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external | |
270 | program to make it easier to use for implementing real SS7 gateway; | |
271 | eap_sim_db is not anymore used as a file name for GSM authentication | |
272 | triplets; instead, it is path to UNIX domain socket that will be used | |
273 | to communicate with the external gateway program (e.g., hlr_auc_gw) | |
274 | * added example HLR/AuC gateway implementation, hlr_auc_gw, that uses | |
275 | local information (GSM authentication triplets from a text file and | |
276 | hardcoded AKA authentication data); this can be used to test EAP-SIM | |
277 | and EAP-AKA | |
278 | * added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw | |
279 | to make it possible to test EAP-AKA with real USIM cards (this is | |
280 | disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw | |
281 | to enable this) | |
282 | * driver_madwifi: added support for getting station RSN IE from | |
283 | madwifi-ng svn r1453 and newer; this fixes RSN that was apparently | |
284 | broken with earlier change (r1357) in the driver | |
285 | * changed EAP method registration to use a dynamic list of methods | |
286 | instead of a static list generated at build time | |
287 | * fixed WPA message 3/4 not to encrypt Key Data field (WPA IE) | |
288 | [Bug 125] | |
289 | * added ap_max_inactivity configuration parameter | |
290 | ||
291 | 2006-01-29 - v0.5.1 | |
292 | * driver_test: added better support for multiple APs and STAs by using | |
293 | a directory with sockets that include MAC address for each device in | |
294 | the name (test_socket=DIR:/tmp/test) | |
295 | * added support for EAP expanded type (vendor specific EAP methods) | |
296 | ||
297 | 2005-12-18 - v0.5.0 (beginning of 0.5.x development releases) | |
298 | * added experimental STAKey handshake implementation for IEEE 802.11e | |
299 | direct link setup (DLS); note: this is disabled by default in both | |
300 | build and runtime configuration (can be enabled with CONFIG_STAKEY=y | |
301 | and stakey=1) | |
302 | * added support for EAP methods to use callbacks to external programs | |
303 | by buffering a pending request and processing it after the EAP method | |
304 | is ready to continue | |
305 | * improved EAP-SIM database interface to allow external request to GSM | |
306 | HLR/AuC without blocking hostapd process | |
307 | * added support for using EAP-SIM pseudonyms and fast re-authentication | |
308 | * added support for EAP-AKA in the integrated EAP authenticator | |
309 | * added support for matching EAP identity prefixes (e.g., "1"*) in EAP | |
310 | user database to allow EAP-SIM/AKA selection without extra roundtrip | |
311 | for EAP-Nak negotiation | |
312 | * added support for storing EAP user password as NtPasswordHash instead | |
313 | of plaintext password when using MSCHAP or MSCHAPv2 for | |
314 | authentication (hash:<16-octet hex value>); added nt_password_hash | |
315 | tool for hashing password to generate NtPasswordHash | |
316 | ||
317 | 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases) | |
318 | * driver_wired: fixed EAPOL sending to optionally use PAE group address | |
319 | as the destination instead of supplicant MAC address; this is | |
320 | disabled by default, but should be enabled with use_pae_group_addr=1 | |
321 | in configuration file if the wired interface is used by only one | |
322 | device at the time (common switch configuration) | |
323 | * driver_madwifi: configure driver to use TKIP countermeasures in order | |
324 | to get correct behavior (IEEE 802.11 association failing; previously, | |
325 | association succeeded, but hostpad forced disassociation immediately) | |
326 | * driver_madwifi: added support for madwifi-ng | |
327 | ||
328 | 2005-10-27 - v0.4.6 | |
329 | * added support for replacing user identity from EAP with RADIUS | |
330 | User-Name attribute from Access-Accept message, if that is included, | |
331 | for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get | |
332 | tunneled identity into accounting messages when the RADIUS server | |
333 | does not support better way of doing this with Class attribute) | |
334 | * driver_madwifi: fixed EAPOL packet receive for configuration where | |
335 | ath# is part of a bridge interface | |
336 | * added a configuration file and log analyzer script for logwatch | |
337 | * fixed EAPOL state machine step function to process all state | |
338 | transitions before processing new events; this resolves a race | |
339 | condition in which EAPOL-Start message could trigger hostapd to send | |
340 | two EAP-Response/Identity frames to the authentication server | |
341 | ||
342 | 2005-09-25 - v0.4.5 | |
343 | * added client CA list to the TLS certificate request in order to make | |
344 | it easier for the client to select which certificate to use | |
345 | * added experimental support for EAP-PSK | |
346 | * added support for WE-19 (hostap, madwifi) | |
347 | ||
348 | 2005-08-21 - v0.4.4 | |
349 | * fixed build without CONFIG_RSN_PREAUTH | |
350 | * fixed FreeBSD build | |
351 | ||
352 | 2005-06-26 - v0.4.3 | |
353 | * fixed PMKSA caching to copy User-Name and Class attributes so that | |
354 | RADIUS accounting gets correct information | |
355 | * start RADIUS accounting only after successful completion of WPA | |
356 | 4-Way Handshake if WPA-PSK is used | |
357 | * fixed PMKSA caching for the case where STA (re)associates without | |
358 | first disassociating | |
359 | ||
360 | 2005-06-12 - v0.4.2 | |
361 | * EAP-PAX is now registered as EAP type 46 | |
362 | * fixed EAP-PAX MAC calculation | |
363 | * fixed EAP-PAX CK and ICK key derivation | |
364 | * renamed eap_authenticator configuration variable to eap_server to | |
365 | better match with RFC 3748 (EAP) terminology | |
366 | * driver_test: added support for testing hostapd with wpa_supplicant | |
367 | by using test driver interface without any kernel drivers or network | |
368 | cards | |
369 | ||
370 | 2005-05-22 - v0.4.1 | |
371 | * fixed RADIUS server initialization when only auth or acct server | |
372 | is configured and the other one is left empty | |
373 | * driver_madwifi: added support for RADIUS accounting | |
374 | * driver_madwifi: added preliminary support for compiling against 'BSD' | |
375 | branch of madwifi CVS tree | |
376 | * driver_madwifi: fixed pairwise key removal to allow WPA reauth | |
377 | without disassociation | |
378 | * added support for reading additional certificates from PKCS#12 files | |
379 | and adding them to the certificate chain | |
380 | * fixed RADIUS Class attribute processing to only use Access-Accept | |
381 | packets to update Class; previously, other RADIUS authentication | |
382 | packets could have cleared Class attribute | |
383 | * added support for more than one Class attribute in RADIUS packets | |
384 | * added support for verifying certificate revocation list (CRL) when | |
385 | using integrated EAP authenticator for EAP-TLS; new hostapd.conf | |
386 | options 'check_crl'; CRL must be included in the ca_cert file for now | |
387 | ||
388 | 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases) | |
389 | * added support for including network information into | |
390 | EAP-Request/Identity message (ASCII-0 (nul) in eap_message) | |
391 | (e.g., to implement draft-adrange-eap-network-discovery-07.txt) | |
392 | * fixed a bug which caused some RSN pre-authentication cases to use | |
393 | freed memory and potentially crash hostapd | |
394 | * fixed private key loading for cases where passphrase is not set | |
395 | * added support for sending TLS alerts and aborting authentication | |
396 | when receiving a TLS alert | |
397 | * fixed WPA2 to add PMKSA cache entry when using integrated EAP | |
398 | authenticator | |
399 | * fixed PMKSA caching (EAP authentication was not skipped correctly | |
400 | with the new state machine changes from IEEE 802.1X draft) | |
401 | * added support for RADIUS over IPv6; own_ip_addr, auth_server_addr, | |
402 | and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs | |
403 | to be added to .config to include IPv6 support); for RADIUS server, | |
404 | radius_server_ipv6=1 needs to be set in hostapd.conf and addresses | |
405 | in RADIUS clients file can then use IPv6 format | |
406 | * added experimental support for EAP-PAX | |
407 | * replaced hostapd control interface library (hostapd_ctrl.[ch]) with | |
408 | the same implementation that wpa_supplicant is using (wpa_ctrl.[ch]) | |
409 | ||
410 | 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) | |
411 | ||
412 | 2005-01-23 - v0.3.5 | |
413 | * added support for configuring a forced PEAP version based on the | |
414 | Phase 1 identity | |
415 | * fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV | |
416 | to terminate authentication | |
417 | * fixed EAP identifier duplicate processing with the new IEEE 802.1X | |
418 | draft | |
419 | * clear accounting data in the driver when starting a new accounting | |
420 | session | |
421 | * driver_madwifi: filter wireless events based on ifindex to allow more | |
422 | than one network interface to be used | |
423 | * fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt | |
424 | setting if the packet does not pass MIC verification (e.g., due to | |
425 | incorrect PSK); previously, message 1/4 was not tried again if an | |
426 | invalid message 2/4 was received | |
427 | * fixed reconfiguration of RADIUS client retransmission timer when | |
428 | adding a new message to the pending list; previously, timer was not | |
429 | updated at this point and if there was a pending message with long | |
430 | time for the next retry, the new message needed to wait that long for | |
431 | its first retry, too | |
432 | ||
433 | 2005-01-09 - v0.3.4 | |
434 | * added support for configuring multiple allowed EAP types for Phase 2 | |
435 | authentication (EAP-PEAP, EAP-TTLS) | |
436 | * fixed EAPOL-Start processing to trigger WPA reauthentication | |
437 | (previously, only EAPOL authentication was done) | |
438 | ||
439 | 2005-01-02 - v0.3.3 | |
440 | * added support for EAP-PEAP in the integrated EAP authenticator | |
441 | * added support for EAP-GTC in the integrated EAP authenticator | |
442 | * added support for configuring list of EAP methods for Phase 1 so that | |
443 | the integrated EAP authenticator can, e.g., use the wildcard entry | |
444 | for EAP-TLS and EAP-PEAP | |
445 | * added support for EAP-TTLS in the integrated EAP authenticator | |
446 | * added support for EAP-SIM in the integrated EAP authenticator | |
447 | * added support for using hostapd as a RADIUS authentication server | |
448 | with the integrated EAP authenticator taking care of EAP | |
449 | authentication (new hostapd.conf options: radius_server_clients and | |
450 | radius_server_auth_port); this is not included in default build; use | |
451 | CONFIG_RADIUS_SERVER=y in .config to include | |
452 | ||
453 | 2004-12-19 - v0.3.2 | |
454 | * removed 'daemonize' configuration file option since it has not really | |
455 | been used at all for more than year | |
456 | * driver_madwifi: fixed group key setup and added get_ssid method | |
457 | * added support for EAP-MSCHAPv2 in the integrated EAP authenticator | |
458 | ||
459 | 2004-12-12 - v0.3.1 | |
460 | * added support for integrated EAP-TLS authentication (new hostapd.conf | |
461 | variables: ca_cert, server_cert, private_key, private_key_passwd); | |
462 | this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without | |
463 | external RADIUS server | |
464 | * added support for reading PKCS#12 (PFX) files (as a replacement for | |
465 | PEM/DER) to get certificate and private key (CONFIG_PKCS12) | |
466 | ||
467 | 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases) | |
468 | * added support for Acct-{Input,Output}-Gigawords | |
469 | * added support for Event-Timestamp (in RADIUS Accounting-Requests) | |
470 | * added support for RADIUS Authentication Client MIB (RFC2618) | |
471 | * added support for RADIUS Accounting Client MIB (RFC2620) | |
472 | * made EAP re-authentication period configurable (eap_reauth_period) | |
473 | * fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication | |
474 | * fixed EAPOL state machine to stop if STA is removed during | |
475 | eapol_sm_step(); this fixes at least one segfault triggering bug with | |
476 | IEEE 802.11i pre-authentication | |
477 | * added support for multiple WPA pre-shared keys (e.g., one for each | |
478 | client MAC address or keys shared by a group of clients); | |
479 | new hostapd.conf field wpa_psk_file for setting path to a text file | |
480 | containing PSKs, see hostapd.wpa_psk for an example | |
481 | * added support for multiple driver interfaces to allow hostapd to be | |
482 | used with other drivers | |
483 | * added wired authenticator driver interface (driver=wired in | |
484 | hostapd.conf, see wired.conf for example configuration) | |
485 | * added madwifi driver interface (driver=madwifi in hostapd.conf, see | |
486 | madwifi.conf for example configuration; Note: include files from | |
487 | madwifi project is needed for building and a configuration file, | |
488 | .config, needs to be created in hostapd directory with | |
489 | CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd | |
490 | build) | |
491 | * fixed an alignment issue that could cause SHA-1 to fail on some | |
492 | platforms (e.g., Intel ixp425 with a compiler that does not 32-bit | |
493 | align variables) | |
494 | * fixed RADIUS reconnection after an error in sending interim | |
495 | accounting packets | |
496 | * added hostapd control interface for external programs and an example | |
497 | CLI, hostapd_cli (like wpa_cli for wpa_supplicant) | |
498 | * started adding dot11, dot1x, radius MIBs ('hostapd_cli mib', | |
499 | 'hostapd_cli sta <addr>') | |
500 | * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11) | |
501 | * added support for strict GTK rekeying (wpa_strict_rekey in | |
502 | hostapd.conf) | |
503 | * updated IAPP to use UDP port 3517 and multicast address 224.0.1.178 | |
504 | (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to | |
505 | IEEE 802.11F-2003) | |
506 | * added Prism54 driver interface (driver=prism54 in hostapd.conf; | |
507 | note: .config needs to be created in hostapd directory with | |
508 | CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd | |
509 | build) | |
510 | * dual-licensed hostapd (GPLv2 and BSD licenses) | |
511 | * fixed RADIUS accounting to generate a new session id for cases where | |
512 | a station reassociates without first being complete deauthenticated | |
513 | * fixed STA disassociation handler to mark next timeout state to | |
514 | deauthenticate the station, i.e., skip long wait for inactivity poll | |
515 | and extra disassociation, if the STA disassociates without | |
516 | deauthenticating | |
517 | * added integrated EAP authenticator that can be used instead of | |
518 | external RADIUS authentication server; currently, only EAP-MD5 is | |
519 | supported, so this cannot yet be used for key distribution; the EAP | |
520 | method interface is generic, though, so adding new EAP methods should | |
521 | be straightforward; new hostapd.conf variables: 'eap_authenticator' | |
522 | and 'eap_user_file'; this obsoletes "minimal authentication server" | |
523 | ('minimal_eap' in hostapd.conf) which is now removed | |
524 | * added support for FreeBSD and driver interface for the BSD net80211 | |
525 | layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in | |
526 | .config); please note that some of the required kernel mods have not | |
527 | yet been committed | |
528 | ||
529 | 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases) | |
530 | * fixed some accounting cases where Accounting-Start was sent when | |
531 | IEEE 802.1X port was being deauthorized | |
532 | ||
533 | 2004-06-20 - v0.2.3 | |
534 | * modified RADIUS client to re-connect the socket in case of certain | |
535 | error codes that are generated when a network interface state is | |
536 | changes (e.g., when IP address changes or the interface is set UP) | |
537 | * fixed couple of cases where EAPOL state for a station was freed | |
538 | twice causing a segfault for hostapd | |
539 | * fixed couple of bugs in processing WPA deauthentication (freed data | |
540 | was used) | |
541 | ||
542 | 2004-05-31 - v0.2.2 | |
543 | * fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM) | |
544 | * fixed group rekeying to send zero TSC in EAPOL-Key messages to fix | |
545 | cases where STAs dropped multicast frames as replay attacks | |
546 | * added support for copying RADIUS Attribute 'Class' from | |
547 | authentication messages into accounting messages | |
548 | * send canned EAP failure if RADIUS server sends Access-Reject without | |
549 | EAP message (previously, Supplicant was not notified in this case) | |
550 | * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do | |
551 | not start EAPOL state machines if the STA selected to use WPA-PSK) | |
552 | ||
553 | 2004-05-06 - v0.2.1 | |
554 | * added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality | |
555 | - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA | |
556 | (i.e., IEEE 802.11i/D3.0) | |
557 | - supports WPA-only, RSN-only, and mixed WPA/RSN mode | |
558 | - both WPA-PSK and WPA-RADIUS/EAP are supported | |
559 | - PMKSA caching and pre-authentication | |
560 | - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase, | |
561 | wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey, | |
562 | rsn_preauth, rsn_preauth_interfaces | |
563 | * fixed interim accounting to remove any pending accounting messages | |
564 | to the STA before sending a new one | |
565 | ||
566 | 2004-02-15 - v0.2.0 | |
567 | * added support for Acct-Interim-Interval: | |
568 | - draft-ietf-radius-acct-interim-01.txt | |
569 | - use Acct-Interim-Interval attribute from Access-Accept if local | |
570 | 'radius_acct_interim_interval' is not set | |
571 | - allow different update intervals for each STA | |
572 | * fixed event loop to call signal handlers only after returning from | |
573 | the real signal handler | |
574 | * reset sta->timeout_next after successful association to make sure | |
575 | that the previously registered inactivity timer will not remove the | |
576 | STA immediately (e.g., if STA deauthenticates and re-associates | |
577 | before the timer is triggered). | |
578 | * added new hostapd.conf variable, nas_identifier, that can be used to | |
579 | add an optional RADIUS Attribute, NAS-Identifier, into authentication | |
580 | and accounting messages | |
581 | * added support for Accounting-On and Accounting-Off messages | |
582 | * fixed accounting session handling to send Accounting-Start only once | |
583 | per session and not to send Accounting-Stop if the session was not | |
584 | initialized properly | |
585 | * fixed Accounting-Stop statistics in cases where the message was | |
586 | previously sent after the kernel entry for the STA (and/or IEEE | |
587 | 802.1X data) was removed | |
588 | ||
589 | ||
590 | Note: | |
591 | ||
592 | Older changes up to and including v0.1.0 are included in the ChangeLog | |
593 | of the Host AP driver. |