]>
Commit | Line | Data |
---|---|---|
6fc6879b JM |
1 | ChangeLog for wpa_supplicant |
2 | ||
ca8c2bd2 JM |
3 | 2019-08-07 - v2.9 |
4 | * SAE changes | |
5 | - disable use of groups using Brainpool curves | |
6 | - improved protection against side channel attacks | |
7 | [https://w1.fi/security/2019-6/] | |
8 | * EAP-pwd changes | |
9 | - disable use of groups using Brainpool curves | |
10 | - allow the set of groups to be configured (eap_pwd_groups) | |
11 | - improved protection against side channel attacks | |
12 | [https://w1.fi/security/2019-6/] | |
13 | * fixed FT-EAP initial mobility domain association using PMKSA caching | |
14 | (disabled by default for backwards compatibility; can be enabled | |
15 | with ft_eap_pmksa_caching=1) | |
16 | * fixed a regression in OpenSSL 1.1+ engine loading | |
17 | * added validation of RSNE in (Re)Association Response frames | |
18 | * fixed DPP bootstrapping URI parser of channel list | |
19 | * extended EAP-SIM/AKA fast re-authentication to allow use with FILS | |
20 | * extended ca_cert_blob to support PEM format | |
21 | * improved robustness of P2P Action frame scheduling | |
22 | * added support for EAP-SIM/AKA using anonymous@realm identity | |
23 | * fixed Hotspot 2.0 credential selection based on roaming consortium | |
24 | to ignore credentials without a specific EAP method | |
25 | * added experimental support for EAP-TEAP peer (RFC 7170) | |
26 | * added experimental support for EAP-TLS peer with TLS v1.3 | |
27 | * fixed a regression in WMM parameter configuration for a TDLS peer | |
28 | * fixed a regression in operation with drivers that offload 802.1X | |
29 | 4-way handshake | |
30 | * fixed an ECDH operation corner case with OpenSSL | |
31 | ||
63962824 JM |
32 | 2019-04-21 - v2.8 |
33 | * SAE changes | |
34 | - added support for SAE Password Identifier | |
35 | - changed default configuration to enable only groups 19, 20, 21 | |
36 | (i.e., disable groups 25 and 26) and disable all unsuitable groups | |
37 | completely based on REVmd changes | |
38 | - do not regenerate PWE unnecessarily when the AP uses the | |
39 | anti-clogging token mechanisms | |
40 | - fixed some association cases where both SAE and FT-SAE were enabled | |
41 | on both the station and the selected AP | |
42 | - started to prefer FT-SAE over SAE AKM if both are enabled | |
43 | - started to prefer FT-SAE over FT-PSK if both are enabled | |
44 | - fixed FT-SAE when SAE PMKSA caching is used | |
45 | - reject use of unsuitable groups based on new implementation guidance | |
46 | in REVmd (allow only FFC groups with prime >= 3072 bits and ECC | |
47 | groups with prime >= 256) | |
48 | - minimize timing and memory use differences in PWE derivation | |
49 | [https://w1.fi/security/2019-1/] (CVE-2019-9494) | |
50 | * EAP-pwd changes | |
51 | - minimize timing and memory use differences in PWE derivation | |
52 | [https://w1.fi/security/2019-2/] (CVE-2019-9495) | |
53 | - verify server scalar/element | |
54 | [https://w1.fi/security/2019-4/] (CVE-2019-9499) | |
55 | - fix message reassembly issue with unexpected fragment | |
56 | [https://w1.fi/security/2019-5/] | |
57 | - enforce rand,mask generation rules more strictly | |
58 | - fix a memory leak in PWE derivation | |
59 | - disallow ECC groups with a prime under 256 bits (groups 25, 26, and | |
60 | 27) | |
61 | * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y | |
62 | * Hotspot 2.0 changes | |
63 | - do not indicate release number that is higher than the one | |
64 | AP supports | |
65 | - added support for release number 3 | |
66 | - enable PMF automatically for network profiles created from | |
67 | credentials | |
68 | * fixed OWE network profile saving | |
69 | * fixed DPP network profile saving | |
70 | * added support for RSN operating channel validation | |
71 | (CONFIG_OCV=y and network profile parameter ocv=1) | |
72 | * added Multi-AP backhaul STA support | |
73 | * fixed build with LibreSSL | |
74 | * number of MKA/MACsec fixes and extensions | |
75 | * extended domain_match and domain_suffix_match to allow list of values | |
76 | * fixed dNSName matching in domain_match and domain_suffix_match when | |
77 | using wolfSSL | |
78 | * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both | |
79 | are enabled | |
80 | * extended nl80211 Connect and external authentication to support | |
81 | SAE, FT-SAE, FT-EAP-SHA384 | |
82 | * fixed KEK2 derivation for FILS+FT | |
83 | * extended client_cert file to allow loading of a chain of PEM | |
84 | encoded certificates | |
85 | * extended beacon reporting functionality | |
86 | * extended D-Bus interface with number of new properties | |
87 | * fixed a regression in FT-over-DS with mac80211-based drivers | |
88 | * OpenSSL: allow systemwide policies to be overridden | |
89 | * extended driver flags indication for separate 802.1X and PSK | |
90 | 4-way handshake offload capability | |
91 | * added support for random P2P Device/Interface Address use | |
92 | * extended PEAP to derive EMSK to enable use with ERP/FILS | |
93 | * extended WPS to allow SAE configuration to be added automatically | |
94 | for PSK (wps_cred_add_sae=1) | |
95 | * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) | |
96 | * extended domain_match and domain_suffix_match to allow list of values | |
97 | * added a RSN workaround for misbehaving PMF APs that advertise | |
98 | IGTK/BIP KeyID using incorrect byte order | |
99 | * fixed PTK rekeying with FILS and FT | |
100 | ||
c2c6c01b JM |
101 | 2018-12-02 - v2.7 |
102 | * fixed WPA packet number reuse with replayed messages and key | |
103 | reinstallation | |
104 | [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, | |
105 | CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, | |
106 | CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) | |
107 | * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant | |
108 | [https://w1.fi/security/2018-1/] (CVE-2018-14526) | |
109 | * added support for FILS (IEEE 802.11ai) shared key authentication | |
110 | * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; | |
111 | and transition mode defined by WFA) | |
112 | * added support for DPP (Wi-Fi Device Provisioning Protocol) | |
113 | * added support for RSA 3k key case with Suite B 192-bit level | |
114 | * fixed Suite B PMKSA caching not to update PMKID during each 4-way | |
115 | handshake | |
116 | * fixed EAP-pwd pre-processing with PasswordHashHash | |
117 | * added EAP-pwd client support for salted passwords | |
118 | * fixed a regression in TDLS prohibited bit validation | |
119 | * started to use estimated throughput to avoid undesired signal | |
120 | strength based roaming decision | |
121 | * MACsec/MKA: | |
122 | - new macsec_linux driver interface support for the Linux | |
123 | kernel macsec module | |
124 | - number of fixes and extensions | |
125 | * added support for external persistent storage of PMKSA cache | |
126 | (PMKSA_GET/PMKSA_ADD control interface commands; and | |
127 | MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) | |
128 | * fixed mesh channel configuration pri/sec switch case | |
129 | * added support for beacon report | |
130 | * large number of other fixes, cleanup, and extensions | |
131 | * added support for randomizing local address for GAS queries | |
132 | (gas_rand_mac_addr parameter) | |
133 | * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel | |
134 | * added option for using random WPS UUID (auto_uuid=1) | |
135 | * added SHA256-hash support for OCSP certificate matching | |
136 | * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure | |
137 | * fixed a regression in RSN pre-authentication candidate selection | |
138 | * added option to configure allowed group management cipher suites | |
139 | (group_mgmt network profile parameter) | |
140 | * removed all PeerKey functionality | |
141 | * fixed nl80211 AP and mesh mode configuration regression with | |
142 | Linux 4.15 and newer | |
143 | * added ap_isolate configuration option for AP mode | |
144 | * added support for nl80211 to offload 4-way handshake into the driver | |
145 | * added support for using wolfSSL cryptographic library | |
146 | * SAE | |
147 | - added support for configuring SAE password separately of the | |
148 | WPA2 PSK/passphrase | |
149 | - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection | |
150 | for SAE; | |
151 | note: this is not backwards compatible, i.e., both the AP and | |
152 | station side implementations will need to be update at the same | |
153 | time to maintain interoperability | |
154 | - added support for Password Identifier | |
155 | - fixed FT-SAE PMKID matching | |
156 | * Hotspot 2.0 | |
157 | - added support for fetching of Operator Icon Metadata ANQP-element | |
158 | - added support for Roaming Consortium Selection element | |
159 | - added support for Terms and Conditions | |
160 | - added support for OSEN connection in a shared RSN BSS | |
161 | - added support for fetching Venue URL information | |
162 | * added support for using OpenSSL 1.1.1 | |
163 | * FT | |
164 | - disabled PMKSA caching with FT since it is not fully functional | |
165 | - added support for SHA384 based AKM | |
166 | - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, | |
167 | BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 | |
168 | - fixed additional IE inclusion in Reassociation Request frame when | |
169 | using FT protocol | |
170 | ||
2462f347 | 171 | 2016-10-02 - v2.6 |
a1703947 JM |
172 | * fixed WNM Sleep Mode processing when PMF is not enabled |
173 | [http://w1.fi/security/2015-6/] (CVE-2015-5310) | |
174 | * fixed EAP-pwd last fragment validation | |
175 | [http://w1.fi/security/2015-7/] (CVE-2015-5315) | |
176 | * fixed EAP-pwd unexpected Confirm message processing | |
177 | [http://w1.fi/security/2015-8/] (CVE-2015-5316) | |
178 | * fixed WPS configuration update vulnerability with malformed passphrase | |
179 | [http://w1.fi/security/2016-1/] (CVE-2016-4476) | |
180 | * fixed configuration update vulnerability with malformed parameters set | |
181 | over the local control interface | |
182 | [http://w1.fi/security/2016-1/] (CVE-2016-4477) | |
183 | * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case | |
184 | * extended channel switch support for P2P GO | |
185 | * started to throttle control interface event message bursts to avoid | |
186 | issues with monitor sockets running out of buffer space | |
187 | * mesh mode fixes/improvements | |
188 | - generate proper AID for peer | |
189 | - enable WMM by default | |
190 | - add VHT support | |
191 | - fix PMKID derivation | |
192 | - improve robustness on various exchanges | |
193 | - fix peer link counting in reconnect case | |
61bcc853 JM |
194 | - improve mesh joining behavior |
195 | - allow DTIM period to be configured | |
196 | - allow HT to be disabled (disable_ht=1) | |
a1703947 JM |
197 | - add MESH_PEER_ADD and MESH_PEER_REMOVE commands |
198 | - add support for PMKSA caching | |
61bcc853 JM |
199 | - add minimal support for SAE group negotiation |
200 | - allow pairwise/group cipher to be configured in the network profile | |
201 | - use ieee80211w profile parameter to enable/disable PMF and derive | |
202 | a separate TX IGTK if PMF is enabled instead of using MGTK | |
203 | incorrectly | |
204 | - fix AEK and MTK derivation | |
205 | - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close | |
206 | - note: these changes are not fully backwards compatible for secure | |
207 | (RSN) mesh network | |
a1703947 JM |
208 | * fixed PMKID derivation with SAE |
209 | * added support for requesting and fetching arbitrary ANQP-elements | |
210 | without internal support in wpa_supplicant for the specific element | |
211 | (anqp[265]=<hexdump> in "BSS <BSSID>" command output) | |
212 | * P2P | |
213 | - filter control characters in group client device names to be | |
214 | consistent with other P2P peer cases | |
215 | - support VHT 80+80 MHz and 160 MHz | |
216 | - indicate group completion in P2P Client role after data association | |
217 | instead of already after the WPS provisioning step | |
218 | - improve group-join operation to use SSID, if known, to filter BSS | |
219 | entries | |
220 | - added optional ssid=<hexdump> argument to P2P_CONNECT for join case | |
221 | - added P2P_GROUP_MEMBER command to fetch client interface address | |
222 | * P2PS | |
223 | - fix follow-on PD Response behavior | |
224 | - fix PD Response generation for unknown peer | |
225 | - fix persistent group reporting | |
226 | - add channel policy to PD Request | |
227 | - add group SSID to the P2PS-PROV-DONE event | |
228 | - allow "P2P_CONNECT <addr> p2ps" to be used without specifying the | |
229 | default PIN | |
230 | * BoringSSL | |
231 | - support for OCSP stapling | |
232 | - support building of h20-osu-client | |
233 | * D-Bus | |
234 | - add ExpectDisconnect() | |
235 | - add global config parameters as properties | |
236 | - add SaveConfig() | |
237 | - add VendorElemAdd(), VendorElemGet(), VendorElemRem() | |
238 | * fixed Suite B 192-bit AKM to use proper PMK length | |
239 | (note: this makes old releases incompatible with the fixed behavior) | |
240 | * improved PMF behavior for cases where the AP and STA has different | |
241 | configuration by not trying to connect in some corner cases where the | |
242 | connection cannot succeed | |
243 | * added option to reopen debug log (e.g., to rotate the file) upon | |
244 | receipt of SIGHUP signal | |
245 | * EAP-pwd: added support for Brainpool Elliptic Curves | |
246 | (with OpenSSL 1.0.2 and newer) | |
247 | * fixed EAPOL reauthentication after FT protocol run | |
248 | * fixed FTIE generation for 4-way handshake after FT protocol run | |
249 | * extended INTERFACE_ADD command to allow certain type (sta/ap) | |
250 | interface to be created | |
251 | * fixed and improved various FST operations | |
61bcc853 | 252 | * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh |
a1703947 JM |
253 | * fixed SIGNAL_POLL in IBSS and mesh cases |
254 | * added an option to abort an ongoing scan (used to speed up connection | |
255 | and can also be done with the new ABORT_SCAN command) | |
256 | * TLS client | |
257 | - do not verify CA certificates when ca_cert is not specified | |
258 | - support validating server certificate hash | |
259 | - support SHA384 and SHA512 hashes | |
260 | - add signature_algorithms extension into ClientHello | |
261 | - support TLS v1.2 signature algorithm with SHA384 and SHA512 | |
262 | - support server certificate probing | |
263 | - allow specific TLS versions to be disabled with phase2 parameter | |
264 | - support extKeyUsage | |
265 | - support PKCS #5 v2.0 PBES2 | |
266 | - support PKCS #5 with PKCS #12 style key decryption | |
267 | - minimal support for PKCS #12 | |
268 | - support OCSP stapling (including ocsp_multi) | |
269 | * OpenSSL | |
270 | - support OpenSSL 1.1 API changes | |
271 | - drop support for OpenSSL 0.9.8 | |
272 | - drop support for OpenSSL 1.0.0 | |
273 | * added support for multiple schedule scan plans (sched_scan_plans) | |
274 | * added support for external server certificate chain validation | |
275 | (tls_ext_cert_check=1 in the network profile phase1 parameter) | |
276 | * made phase2 parser more strict about correct use of auth=<val> and | |
277 | autheap=<val> values | |
278 | * improved GAS offchannel operations with comeback request | |
279 | * added SIGNAL_MONITOR command to request signal strength monitoring | |
280 | events | |
281 | * added command for retrieving HS 2.0 icons with in-memory storage | |
282 | (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and | |
283 | RX-HS20-ICON event) | |
284 | * enabled ACS support for AP mode operations with wpa_supplicant | |
285 | * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server | |
286 | ("Invalid Compound_MAC in cryptobinding TLV") | |
61bcc853 | 287 | * EAP-TTLS: fixed success after fragmented final Phase 2 message |
a1703947 JM |
288 | * VHT: added interoperability workaround for 80+80 and 160 MHz channels |
289 | * WNM: workaround for broken AP operating class behavior | |
290 | * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) | |
291 | * nl80211: | |
292 | - add support for full station state operations | |
293 | - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled | |
294 | - add NL80211_ATTR_PREV_BSSID with Connect command | |
61bcc853 JM |
295 | - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use |
296 | unencrypted EAPOL frames | |
a1703947 JM |
297 | * added initial MBO support; number of extensions to WNM BSS Transition |
298 | Management | |
299 | * added support for PBSS/PCP and P2P on 60 GHz | |
300 | * Interworking: add credential realm to EAP-TLS identity | |
301 | * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set | |
302 | * HS 2.0: add support for configuring frame filters | |
303 | * added POLL_STA command to check connectivity in AP mode | |
304 | * added initial functionality for location related operations | |
305 | * started to ignore pmf=1/2 parameter for non-RSN networks | |
306 | * added wps_disabled=1 network profile parameter to allow AP mode to | |
307 | be started without enabling WPS | |
61bcc853 JM |
308 | * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED |
309 | events | |
310 | * improved Public Action frame addressing | |
311 | - add gas_address3 configuration parameter to control Address 3 | |
312 | behavior | |
a1703947 JM |
313 | * number of small fixes |
314 | ||
49c36b70 JM |
315 | 2015-09-27 - v2.5 |
316 | * fixed P2P validation of SSID element length before copying it | |
317 | [http://w1.fi/security/2015-1/] (CVE-2015-1863) | |
318 | * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding | |
319 | [http://w1.fi/security/2015-2/] (CVE-2015-4141) | |
320 | * fixed WMM Action frame parser (AP mode) | |
321 | [http://w1.fi/security/2015-3/] (CVE-2015-4142) | |
322 | * fixed EAP-pwd peer missing payload length validation | |
323 | [http://w1.fi/security/2015-4/] | |
324 | (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) | |
325 | * fixed validation of WPS and P2P NFC NDEF record payload length | |
326 | [http://w1.fi/security/2015-5/] | |
327 | * nl80211: | |
328 | - added VHT configuration for IBSS | |
329 | - fixed vendor command handling to check OUI properly | |
330 | - allow driver-based roaming to change ESS | |
331 | * added AVG_BEACON_RSSI to SIGNAL_POLL output | |
332 | * wpa_cli: added tab completion for number of commands | |
333 | * removed unmaintained and not yet completed SChannel/CryptoAPI support | |
334 | * modified Extended Capabilities element use in Probe Request frames to | |
335 | include all cases if any of the values are non-zero | |
336 | * added support for dynamically creating/removing a virtual interface | |
337 | with interface_add/interface_remove | |
338 | * added support for hashed password (NtHash) in EAP-pwd peer | |
339 | * added support for memory-only PSK/passphrase (mem_only_psk=1 and | |
340 | CTRL-REQ/RSP-PSK_PASSPHRASE) | |
341 | * P2P | |
342 | - optimize scan frequencies list when re-joining a persistent group | |
343 | - fixed number of sequences with nl80211 P2P Device interface | |
344 | - added operating class 125 for P2P use cases (this allows 5 GHz | |
345 | channels 161 and 169 to be used if they are enabled in the current | |
346 | regulatory domain) | |
347 | - number of fixes to P2PS functionality | |
348 | - do not allow 40 MHz co-ex PRI/SEC switch to force MCC | |
349 | - extended support for preferred channel listing | |
350 | * D-Bus: | |
351 | - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface | |
352 | - fixed PresenceRequest to use group interface | |
353 | - added new signals: FindStopped, WPS pbc-overlap, | |
354 | GroupFormationFailure, WPS timeout, InvitationReceived | |
355 | - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient | |
356 | - added manufacturer info | |
357 | * added EAP-EKE peer support for deriving Session-Id | |
358 | * added wps_priority configuration parameter to set the default priority | |
359 | for all network profiles added by WPS | |
360 | * added support to request a scan with specific SSIDs with the SCAN | |
361 | command (optional "ssid <hexdump>" arguments) | |
362 | * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 | |
363 | * fixed SAE group selection in an error case | |
364 | * modified SAE routines to be more robust and PWE generation to be | |
365 | stronger against timing attacks | |
366 | * added support for Brainpool Elliptic Curves with SAE | |
367 | * added support for CCMP-256 and GCMP-256 as group ciphers with FT | |
368 | * fixed BSS selection based on estimated throughput | |
369 | * added option to disable TLSv1.0 with OpenSSL | |
370 | (phase1="tls_disable_tlsv1_0=1") | |
371 | * added Fast Session Transfer (FST) module | |
372 | * fixed OpenSSL PKCS#12 extra certificate handling | |
373 | * fixed key derivation for Suite B 192-bit AKM (this breaks | |
374 | compatibility with the earlier version) | |
375 | * added RSN IE to Mesh Peering Open/Confirm frames | |
376 | * number of small fixes | |
377 | ||
bc1d23ae JM |
378 | 2015-03-15 - v2.4 |
379 | * allow OpenSSL cipher configuration to be set for internal EAP server | |
380 | (openssl_ciphers parameter) | |
381 | * fixed number of small issues based on hwsim test case failures and | |
382 | static analyzer reports | |
383 | * P2P: | |
384 | - add new=<0/1> flag to P2P-DEVICE-FOUND events | |
385 | - add passive channels in invitation response from P2P Client | |
386 | - enable nl80211 P2P_DEVICE support by default | |
387 | - fix regresssion in disallow_freq preventing search on social | |
388 | channels | |
389 | - fix regressions in P2P SD query processing | |
390 | - try to re-invite with social operating channel if no common channels | |
391 | in invitation | |
392 | - allow cross connection on parent interface (this fixes number of | |
393 | use cases with nl80211) | |
394 | - add support for P2P services (P2PS) | |
395 | - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to | |
396 | be configured | |
397 | * increase postponing of EAPOL-Start by one second with AP/GO that | |
398 | supports WPS 2.0 (this makes it less likely to trigger extra roundtrip | |
399 | of identity frames) | |
400 | * add support for PMKSA caching with SAE | |
401 | * add support for control mesh BSS (IEEE 802.11s) operations | |
402 | * fixed number of issues with D-Bus P2P commands | |
403 | * fixed regression in ap_scan=2 special case for WPS | |
404 | * fixed macsec_validate configuration | |
405 | * add a workaround for incorrectly behaving APs that try to use | |
406 | EAPOL-Key descriptor version 3 when the station supports PMF even if | |
407 | PMF is not enabled on the AP | |
408 | * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior | |
409 | of disabling these can be configured to work around issues with broken | |
410 | servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" | |
411 | * add support for Suite B (128-bit and 192-bit level) key management and | |
412 | cipher suites | |
413 | * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) | |
414 | * improved BSS Transition Management processing | |
415 | * add support for neighbor report | |
416 | * add support for link measurement | |
417 | * fixed expiration of BSS entry with all-zeros BSSID | |
418 | * add optional LAST_ID=x argument to LIST_NETWORK to allow all | |
419 | configured networks to be listed even with huge number of network | |
420 | profiles | |
421 | * add support for EAP Re-Authentication Protocol (ERP) | |
422 | * fixed EAP-IKEv2 fragmentation reassembly | |
423 | * improved PKCS#11 configuration for OpenSSL | |
424 | * set stdout to be line-buffered | |
425 | * add TDLS channel switch configuration | |
426 | * add support for MAC address randomization in scans with nl80211 | |
427 | * enable HT for IBSS if supported by the driver | |
428 | * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) | |
429 | * add support for domain_suffix_match with GnuTLS | |
430 | * add OCSP stapling client support with GnuTLS | |
431 | * include peer certificate in EAP events even without a separate probe | |
432 | operation; old behavior can be restored with cert_in_cb=0 | |
433 | * add peer ceritficate alt subject name to EAP events | |
434 | (CTRL-EVENT-EAP-PEER-ALT) | |
435 | * add domain_match network profile parameter (similar to | |
436 | domain_suffix_match, but full match is required) | |
437 | * enable AP/GO mode HT Tx STBC automatically based on driver support | |
438 | * add ANQP-QUERY-DONE event to provide information on ANQP parsing | |
439 | status | |
440 | * allow passive scanning to be forced with passive_scan=1 | |
441 | * add a workaround for Linux packet socket behavior when interface is in | |
442 | bridge | |
443 | * increase 5 GHz band preference in BSS selection (estimate SNR, if info | |
444 | not available from driver; estimate maximum throughput based on common | |
445 | HT/VHT/specific TX rate support) | |
446 | * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to | |
447 | implement Interworking network selection behavior in upper layers | |
448 | software components | |
449 | * add optional reassoc_same_bss_optim=1 (disabled by default) | |
450 | optimization to avoid unnecessary Authentication frame exchange | |
451 | * extend TDLS frame padding workaround to cover all packets | |
452 | * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 | |
453 | module gets removed and reloaded without restarting wpa_supplicant | |
454 | * allow hostapd DFS implementation to be used in wpa_supplicant AP mode | |
455 | ||
5cb14403 JM |
456 | 2014-10-09 - v2.3 |
457 | * fixed number of minor issues identified in static analyzer warnings | |
458 | * fixed wfd_dev_info to be more careful and not read beyond the buffer | |
459 | when parsing invalid information for P2P-DEVICE-FOUND | |
460 | * extended P2P and GAS query operations to support drivers that have | |
461 | maximum remain-on-channel time below 1000 ms (500 ms is the current | |
462 | minimum supported value) | |
463 | * added p2p_search_delay parameter to make the default p2p_find delay | |
464 | configurable | |
465 | * improved P2P operating channel selection for various multi-channel | |
466 | concurrency cases | |
467 | * fixed some TDLS failure cases to clean up driver state | |
468 | * fixed dynamic interface addition cases with nl80211 to avoid adding | |
469 | ifindex values to incorrect interface to skip foreign interface events | |
470 | properly | |
471 | * added TDLS workaround for some APs that may add extra data to the | |
472 | end of a short frame | |
473 | * fixed EAP-AKA' message parser with multiple AT_KDF attributes | |
474 | * added configuration option (p2p_passphrase_len) to allow longer | |
475 | passphrases to be generated for P2P groups | |
476 | * fixed IBSS channel configuration in some corner cases | |
477 | * improved HT/VHT/QoS parameter setup for TDLS | |
478 | * modified D-Bus interface for P2P peers/groups | |
479 | * started to use constant time comparison for various password and hash | |
480 | values to reduce possibility of any externally measurable timing | |
481 | differences | |
482 | * extended explicit clearing of freed memory and expired keys to avoid | |
483 | keeping private data in memory longer than necessary | |
484 | * added optional scan_id parameter to the SCAN command to allow manual | |
485 | scan requests for active scans for specific configured SSIDs | |
486 | * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value | |
487 | * added option to set Hotspot 2.0 Rel 2 update_identifier in network | |
488 | configuration to support external configuration | |
489 | * modified Android PNO functionality to send Probe Request frames only | |
490 | for hidden SSIDs (based on scan_ssid=1) | |
491 | * added generic mechanism for adding vendor elements into frames at | |
492 | runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) | |
493 | * added fields to show unrecognized vendor elements in P2P_PEER | |
494 | * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that | |
495 | MS-CHAP2-Success is required to be present regardless of | |
496 | eap_workaround configuration | |
497 | * modified EAP fast session resumption to allow results to be used only | |
498 | with the same network block that generated them | |
499 | * extended freq_list configuration to apply for sched_scan as well as | |
500 | normal scan | |
501 | * modified WPS to merge mixed-WPA/WPA2 credentials from a single session | |
502 | * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is | |
503 | removed from a bridge | |
504 | * fixed number of small P2P issues to make negotiations more robust in | |
505 | corner cases | |
506 | * added experimental support for using temporary, random local MAC | |
507 | address (mac_addr and preassoc_mac_addr parameters); this is disabled | |
508 | by default (i.e., previous behavior of using permanent address is | |
509 | maintained if configuration is not changed) | |
510 | * added D-Bus interface for setting/clearing WFD IEs | |
511 | * fixed TDLS AID configuration for VHT | |
512 | * modified -m<conf> configuration file to be used only for the P2P | |
513 | non-netdev management device and do not load this for the default | |
514 | station interface or load the station interface configuration for | |
515 | the P2P management interface | |
516 | * fixed external MAC address changes while wpa_supplicant is running | |
517 | * started to enable HT (if supported by the driver) for IBSS | |
518 | * fixed wpa_cli action script execution to use more robust mechanism | |
519 | (CVE-2014-3686) | |
520 | ||
6a98f673 JM |
521 | 2014-06-04 - v2.2 |
522 | * added DFS indicator to get_capability freq | |
523 | * added/fixed nl80211 functionality | |
524 | - BSSID/frequency hint for driver-based BSS selection | |
525 | - fix tearing down WDS STA interfaces | |
526 | - support vendor specific driver command | |
527 | (VENDOR <vendor id> <sub command id> [<hex formatted data>]) | |
528 | - GO interface teardown optimization | |
529 | - allow beacon interval to be configured for IBSS | |
530 | - add SHA256-based AKM suites to CONNECT/ASSOCIATE commands | |
531 | * removed unused NFC_RX_HANDOVER_REQ and NFC_RX_HANDOVER_SEL control | |
532 | interface commands (the more generic NFC_REPORT_HANDOVER is now used) | |
533 | * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding; | |
534 | this fixes password with include UTF-8 characters that use | |
535 | three-byte encoding EAP methods that use NtPasswordHash | |
536 | * fixed couple of sequencies where radio work items could get stuck, | |
537 | e.g., when rfkill blocking happens during scanning or when | |
538 | scan-for-auth workaround is used | |
539 | * P2P enhancements/fixes | |
540 | - enable enable U-APSD on GO automatically if the driver indicates | |
541 | support for this | |
542 | - fixed some service discovery cases with broadcast queries not being | |
543 | sent to all stations | |
544 | - fixed Probe Request frame triggering invitation to trigger only a | |
545 | single invitation instance even if multiple Probe Request frames are | |
546 | received | |
547 | - fixed a potential NULL pointer dereference crash when processing an | |
548 | invalid Invitation Request frame | |
549 | - add optional configuration file for the P2P_DEVICE parameters | |
550 | - optimize scan for GO during persistent group invocation | |
551 | - fix possible segmentation fault when PBC overlap is detected while | |
552 | using a separate P2P group interface | |
553 | - improve GO Negotiation robustness by allowing GO Negotiation | |
554 | Confirmation to be retransmitted | |
555 | - do use freed memory on device found event when P2P NFC | |
556 | * added phase1 network parameter options for disabling TLS v1.1 and v1.2 | |
557 | to allow workarounds with misbehaving AAA servers | |
558 | (tls_disable_tlsv1_1=1 and tls_disable_tlsv1_2=1) | |
559 | * added support for OCSP stapling to validate AAA server certificate | |
560 | during TLS exchange | |
561 | * Interworking/Hotspot 2.0 enhancements | |
562 | - prefer the last added network in Interworking connection to make the | |
563 | behavior more consistent with likely user expectation | |
564 | - roaming partner configuration (roaming_partner within a cred block) | |
565 | - support Hotspot 2.0 Release 2 | |
566 | * "hs20_anqp_get <BSSID> 8" to request OSU Providers list | |
567 | * "hs20_icon_request <BSSID> <icon filename>" to request icon files | |
568 | * "fetch_osu" and "cancel_osu_fetch" to start/stop full OSU provider | |
569 | search (all suitable APs in scan results) | |
570 | * OSEN network for online signup connection | |
571 | * min_{dl,ul}_bandwidth_{home,roaming} cred parameters | |
572 | * max_bss_load cred parameter | |
573 | * req_conn_capab cred parameter | |
574 | * sp_priority cred parameter | |
575 | * ocsp cred parameter | |
576 | * slow down automatic connection attempts on EAP failure to meet | |
577 | required behavior (no more than 10 retries within a 10-minute | |
578 | interval) | |
579 | * sample implementation of online signup client (both SPP and | |
580 | OMA-DM protocols) (hs20/client/*) | |
581 | - fixed GAS indication for additional comeback delay with status | |
582 | code 95 | |
583 | - extend ANQP_GET to accept Hotspot 2.0 subtypes | |
584 | ANQP_GET <addr> <info id>[,<info id>]... | |
585 | [,hs20:<subtype>][...,hs20:<subtype>] | |
586 | - add control interface events CRED-ADDED <id>, | |
587 | CRED-MODIFIED <id> <field>, CRED-REMOVED <id> | |
588 | - add "GET_CRED <id> <field>" command | |
589 | - enable FT for the connection automatically if the AP advertises | |
590 | support for this | |
591 | - fix a case where auto_interworking=1 could end up stopping scanning | |
592 | * fixed TDLS interoperability issues with supported operating class in | |
593 | some deployed stations | |
594 | * internal TLS implementation enhancements/fixes | |
595 | - add SHA256-based cipher suites | |
596 | - add DHE-RSA cipher suites | |
597 | - fix X.509 validation of PKCS#1 signature to check for extra data | |
598 | * fixed PTK derivation for CCMP-256 and GCMP-256 | |
599 | * added "reattach" command for fast reassociate-back-to-same-BSS | |
600 | * allow PMF to be enabled for AP mode operation with the ieee80211w | |
601 | parameter | |
602 | * added "get_capability tdls" command | |
603 | * added option to set config blobs through control interface with | |
604 | "SET blob <name> <hexdump>" | |
605 | * D-Bus interface extensions/fixes | |
606 | - make p2p_no_group_iface configurable | |
607 | - declare ServiceDiscoveryRequest method properly | |
608 | - export peer's device address as a property | |
609 | - make reassociate command behave like the control interface one, | |
610 | i.e., to allow connection from disconnected state | |
611 | * added optional "freq=<channel ranges>" parameter to SET pno | |
612 | * added optional "freq=<channel ranges>" parameter to SELECT_NETWORK | |
613 | * fixed OBSS scan result processing for 20/40 MHz co-ex report | |
614 | * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled | |
615 | whenever CONFIG_WPS=y is set | |
616 | * fixed regression in parsing of WNM Sleep Mode exit key data | |
617 | * fixed potential segmentation fault and memory leaks in WNM neighbor | |
618 | report processing | |
619 | * EAP-pwd fixes | |
620 | - fragmentation of PWD-Confirm-Resp | |
621 | - fix memory leak when fragmentation is used | |
622 | - fix possible segmentation fault on EAP method deinit if an invalid | |
623 | group is negotiated | |
624 | * added MACsec/IEEE Std 802.1X-2010 PAE implementation (currently | |
625 | available only with the macsec_qca driver wrapper) | |
626 | * fixed EAP-SIM counter-too-small message | |
627 | * added 'dup_network <id_s> <id_d> <name>' command; this can be used to | |
628 | clone the psk field without having toextract it from wpa_supplicant | |
629 | * fixed GSM authentication on USIM | |
630 | * added support for usin epoll in eloop (CONFIG_ELOOP_EPOLL=y) | |
631 | * fixed some concurrent virtual interface cases with dedicated P2P | |
632 | management interface to not catch events from removed interface (this | |
633 | could result in the management interface getting disabled) | |
634 | * fixed a memory leak in SAE random number generation | |
635 | * fixed off-by-one bounds checking in printf_encode() | |
636 | - this could result in some control interface ATTACH command cases | |
637 | terminating wpa_supplicant | |
638 | * fixed EAPOL-Key exchange when GCMP is used with SHA256-based AKM | |
639 | * various bug fixes | |
640 | ||
44f967c7 JM |
641 | 2014-02-04 - v2.1 |
642 | * added support for simultaneous authentication of equals (SAE) for | |
67bc1375 | 643 | stronger password-based authentication with WPA2-Personal |
44f967c7 JM |
644 | * improved P2P negotiation and group formation robustness |
645 | - avoid unnecessary Dialog Token value changes during retries | |
646 | - avoid more concurrent scanning cases during full group formation | |
647 | sequence | |
648 | - do not use potentially obsolete scan result data from driver | |
649 | cache for peer discovery/updates | |
650 | - avoid undesired re-starting of GO negotiation based on Probe | |
651 | Request frames | |
652 | - increase GO Negotiation and Invitation timeouts to address busy | |
653 | environments and peers that take long time to react to messages, | |
654 | e.g., due to power saving | |
655 | - P2P Device interface type | |
656 | * improved P2P channel selection (use more peer information and allow | |
657 | more local options) | |
658 | * added support for optional per-device PSK assignment by P2P GO | |
659 | (wpa_cli p2p_set per_sta_psk <0/1>) | |
660 | * added P2P_REMOVE_CLIENT for removing a client from P2P groups | |
661 | (including persistent groups); this can be used to securely remove | |
662 | a client from a group if per-device PSKs are used | |
663 | * added more configuration flexibility for allowed P2P GO/client | |
664 | channels (p2p_no_go_freq list and p2p_add_cli_chan=0/1) | |
665 | * added nl80211 functionality | |
666 | - VHT configuration for nl80211 | |
667 | - MFP (IEEE 802.11w) information for nl80211 command API | |
668 | - support split wiphy dump | |
669 | - FT (IEEE 802.11r) with driver-based SME | |
670 | - use advertised number of supported concurrent channels | |
671 | - QoS Mapping configuration | |
672 | * improved TDLS negotiation robustness | |
673 | * added more TDLS peer parameters to be configured to the driver | |
674 | * optimized connection time by allowing recently received scan results | |
675 | to be used instead of having to run through a new scan | |
676 | * fixed ctrl_iface BSS command iteration with RANGE argument and no | |
677 | exact matches; also fixed argument parsing for some cases with | |
678 | multiple arguments | |
679 | * added 'SCAN TYPE=ONLY' ctrl_iface command to request manual scan | |
680 | without executing roaming/network re-selection on scan results | |
681 | * added Session-Id derivation for EAP peer methods | |
682 | * added fully automated regression testing with mac80211_hwsim | |
683 | * changed configuration parser to reject invalid integer values | |
684 | * allow AP/Enrollee to be specified with BSSID instead of UUID for | |
685 | WPS ER operations | |
686 | * disable network block temporarily on repeated connection failures | |
687 | * changed the default driver interface from wext to nl80211 if both are | |
688 | included in the build | |
689 | * remove duplicate networks if WPS provisioning is run multiple times | |
690 | * remove duplicate networks when Interworking network selection uses the | |
691 | same network | |
692 | * added global freq_list configuration to allow scan frequencies to be | |
693 | limited for all cases instead of just for a specific network block | |
694 | * added support for BSS Transition Management | |
695 | * added option to use "IFNAME=<ifname> " prefix to use the global | |
696 | control interface connection to perform per-interface commands; | |
697 | similarly, allow global control interface to be used as a monitor | |
698 | interface to receive events from all interfaces | |
699 | * fixed OKC-based PMKSA cache entry clearing | |
700 | * fixed TKIP group key configuration with FT | |
701 | * added support for using OCSP stapling to validate server certificate | |
702 | (ocsp=1 as optional and ocsp=2 as mandatory) | |
703 | * added EAP-EKE peer | |
704 | * added peer restart detection for IBSS RSN | |
705 | * added domain_suffix_match (and domain_suffix_match2 for Phase 2 | |
706 | EAP-TLS) to specify additional constraint for the server certificate | |
707 | domain name | |
708 | * added support for external SIM/USIM processing in EAP-SIM, EAP-AKA, | |
709 | and EAP-AKA' (CTRL-REQ-SIM and CTRL-RSP-SIM commands over control | |
710 | interface) | |
711 | * added global bgscan configuration option as a default for all network | |
712 | blocks that do not specify their own bgscan parameters | |
713 | * added D-Bus methods for TDLS | |
714 | * added more control to scan requests | |
715 | - "SCAN freq=<freq list>" can be used to specify which channels are | |
716 | scanned (comma-separated frequency ranges in MHz) | |
717 | - "SCAN passive=1" can be used to request a passive scan (no Probe | |
718 | Request frames are sent) | |
719 | - "SCAN use_id" can be used to request a scan id to be returned and | |
720 | included in event messages related to this specific scan operation | |
721 | - "SCAN only_new=1" can be used to request the driver/cfg80211 to | |
722 | report only BSS entries that have been updated during this scan | |
723 | round | |
724 | - these optional arguments to the SCAN command can be combined with | |
725 | each other | |
726 | * modified behavior on externally triggered scans | |
727 | - avoid concurrent operations requiring full control of the radio when | |
728 | an externally triggered scan is detected | |
729 | - do not use results for internal roaming decision | |
730 | * added a new cred block parameter 'temporary' to allow credential | |
731 | blocks to be stored separately even if wpa_supplicant configuration | |
732 | file is used to maintain other network information | |
733 | * added "radio work" framework to schedule exclusive radio operations | |
734 | for off-channel functionality | |
735 | - reduce issues with concurrent operations that try to control which | |
736 | channel is used | |
737 | - allow external programs to request exclusive radio control in a way | |
738 | that avoids conflicts with wpa_supplicant | |
739 | * added support for using Protected Dual of Public Action frames for | |
740 | GAS/ANQP exchanges when associated with PMF | |
741 | * added support for WPS+NFC updates and P2P+NFC | |
742 | - improved protocol for WPS | |
743 | - P2P group formation/join based on NFC connection handover | |
744 | - new IPv4 address assignment for P2P groups (ip_addr_* configuration | |
745 | parameters on the GO) to replace DHCP | |
746 | - option to fetch and report alternative carrier records for external | |
747 | NFC operations | |
748 | * various bug fixes | |
67bc1375 | 749 | |
22760dd9 | 750 | 2013-01-12 - v2.0 |
1ae1570b JM |
751 | * removed Qt3-based wpa_gui (obsoleted by wpa_qui-qt4) |
752 | * removed unmaintained driver wrappers broadcom, iphone, osx, ralink, | |
753 | hostap, madwifi (hostap and madwifi remain available for hostapd; | |
754 | their wpa_supplicant functionality is obsoleted by wext) | |
755 | * improved debug logging (human readable event names, interface name | |
756 | included in more entries) | |
757 | * changed AP mode behavior to enable WPS only for open and | |
758 | WPA/WPA2-Personal configuration | |
759 | * improved P2P concurrency operations | |
760 | - better coordination of concurrent scan and P2P search operations | |
761 | - avoid concurrent remain-on-channel operation requests by canceling | |
762 | previous operations prior to starting a new one | |
763 | - reject operations that would require multi-channel concurrency if | |
764 | the driver does not support it | |
765 | - add parameter to select whether STA or P2P connection is preferred | |
766 | if the driver cannot support both at the same time | |
767 | - allow driver to indicate channel changes | |
768 | - added optional delay=<search delay in milliseconds> parameter for | |
769 | p2p_find to avoid taking all radio resources | |
770 | - use 500 ms p2p_find search delay by default during concurrent | |
771 | operations | |
772 | - allow all channels in GO Negotiation if the driver supports | |
773 | multi-channel concurrency | |
774 | * added number of small changes to make it easier for static analyzers | |
775 | to understand the implementation | |
776 | * fixed number of small bugs (see git logs for more details) | |
777 | * nl80211: number of updates to use new cfg80211/nl80211 functionality | |
778 | - replace monitor interface with nl80211 commands for AP mode | |
779 | - additional information for driver-based AP SME | |
780 | - STA entry authorization in RSN IBSS | |
781 | * EAP-pwd: | |
782 | - fixed KDF for group 21 and zero-padding | |
783 | - added support for fragmentation | |
784 | - increased maximum number of hunting-and-pecking iterations | |
785 | * avoid excessive Probe Response retries for broadcast Probe Request | |
786 | frames (only with drivers using wpa_supplicant AP mode SME/MLME) | |
787 | * added "GET country" ctrl_iface command | |
788 | * do not save an invalid network block in wpa_supplicant.conf to avoid | |
789 | problems reading the file on next start | |
790 | * send STA connected/disconnected ctrl_iface events to both the P2P | |
791 | group and parent interfaces | |
792 | * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y) | |
793 | * added "SET pno <1/0>" ctrl_iface command to start/stop preferred | |
794 | network offload with sched_scan driver command | |
795 | * merged in number of changes from Android repository for P2P, nl80211, | |
796 | and build parameters | |
797 | * changed P2P GO mode configuration to use driver capabilities to | |
798 | automatically enable HT operations when supported | |
799 | * added "wpa_cli status wps" command to fetch WPA2-Personal passhrase | |
800 | for WPS use cases in AP mode | |
801 | * EAP-AKA: keep pseudonym identity across EAP exchanges to match EAP-SIM | |
802 | behavior | |
803 | * improved reassociation behavior in cases where association is rejected | |
804 | or when an AP disconnects us to handle common load balancing | |
805 | mechanisms | |
806 | - try to avoid extra scans when the needed information is available | |
807 | * added optional "join" argument for p2p_prov_disc ctrl_iface command | |
808 | * added group ifname to P2P-PROV-DISC-* events | |
809 | * added P2P Device Address to AP-STA-DISCONNECTED event and use | |
810 | p2p_dev_addr parameter name with AP-STA-CONNECTED | |
811 | * added workarounds for WPS PBC overlap detection for some P2P use cases | |
812 | where deployed stations work incorrectly | |
813 | * optimize WPS connection speed by disconnecting prior to WPS scan and | |
814 | by using single channel scans when AP channel is known | |
815 | * PCSC and SIM/USIM improvements: | |
816 | - accept 0x67 (Wrong length) as a response to READ RECORD to fix | |
817 | issues with some USIM cards | |
818 | - try to read MNC length from SIM/USIM | |
819 | - build realm according to 3GPP TS 23.003 with identity from the SIM | |
820 | - allow T1 protocol to be enabled | |
821 | * added more WPS and P2P information available through D-Bus | |
822 | * improve P2P negotiation robustness | |
823 | - extra waits to get ACK frames through | |
824 | - longer timeouts for cases where deployed devices have been | |
825 | identified have issues meeting the specification requirements | |
826 | - more retries for some P2P frames | |
827 | - handle race conditions in GO Negotiation start by both devices | |
828 | - ignore unexpected GO Negotiation Response frame | |
829 | * added support for libnl 3.2 and newer | |
830 | * added P2P persistent group info to P2P_PEER data | |
831 | * maintain a list of P2P Clients for persistent group on GO | |
832 | * AP: increased initial group key handshake retransmit timeout to 500 ms | |
833 | * added optional dev_id parameter for p2p_find | |
834 | * added P2P-FIND-STOPPED ctrl_iface event | |
835 | * fixed issues in WPA/RSN element validation when roaming with ap_scan=1 | |
836 | and driver-based BSS selection | |
837 | * do not expire P2P peer entries while connected with the peer in a | |
838 | group | |
839 | * fixed WSC element inclusion in cases where P2P is disabled | |
840 | * AP: added a WPS workaround for mixed mode AP Settings with Windows 7 | |
841 | * EAP-SIM: fixed AT_COUNTER_TOO_SMALL use | |
842 | * EAP-SIM/AKA: append realm to pseudonym identity | |
843 | * EAP-SIM/AKA: store pseudonym identity in network configuration to | |
844 | allow it to persist over multiple EAP sessions and wpa_supplicant | |
845 | restarts | |
846 | * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this | |
847 | breaks interoperability with older versions | |
848 | * added support for WFA Hotspot 2.0 | |
849 | - GAS/ANQP to fetch network information | |
850 | - credential configuration and automatic network selections based on | |
851 | credential match with ANQP information | |
852 | * limited PMKSA cache entries to be used only with the network context | |
853 | that was used to create them | |
2cd6af9c | 854 | * improved PMKSA cache expiration to avoid unnecessary disconnections |
1ae1570b JM |
855 | * adjusted bgscan_simple fast-scan backoff to avoid too frequent |
856 | background scans | |
857 | * removed ctrl_iface event on P2P PD Response in join-group case | |
858 | * added option to fetch BSS table entry based on P2P Device Address | |
859 | ("BSS p2p_dev_addr=<P2P Device Address>") | |
860 | * added BSS entry age to ctrl_iface BSS command output | |
861 | * added optional MASK=0xH option for ctrl_iface BSS command to select | |
862 | which fields are included in the response | |
863 | * added optional RANGE=ALL|N1-N2 option for ctrl_iface BSS command to | |
864 | fetch information about several BSSes in one call | |
865 | * simplified licensing terms by selecting the BSD license as the only | |
866 | alternative | |
867 | * added "P2P_SET disallow_freq <freq list>" ctrl_iface command to | |
868 | disable channels from P2P use | |
869 | * added p2p_pref_chan configuration parameter to allow preferred P2P | |
870 | channels to be specified | |
871 | * added support for advertising immediate availability of a WPS | |
872 | credential for P2P use cases | |
873 | * optimized scan operations for P2P use cases (use single channel scan | |
874 | for a specific SSID when possible) | |
875 | * EAP-TTLS: fixed peer challenge generation for MSCHAPv2 | |
876 | * SME: do not use reassociation after explicit disconnection request | |
877 | (local or a notification from an AP) | |
878 | * added support for sending debug info to Linux tracing (-T on command | |
879 | line) | |
880 | * added support for using Deauthentication reason code 3 as an | |
881 | indication of P2P group termination | |
882 | * added wps_vendor_ext_m1 configuration parameter to allow vendor | |
883 | specific attributes to be added to WPS M1 | |
884 | * started using separate TLS library context for tunneled TLS | |
885 | (EAP-PEAP/TLS, EAP-TTLS/TLS, EAP-FAST/TLS) to support different CA | |
886 | certificate configuration between Phase 1 and Phase 2 | |
887 | * added optional "auto" parameter for p2p_connect to request automatic | |
888 | GO Negotiation vs. join-a-group selection | |
889 | * added disabled_scan_offload parameter to disable automatic scan | |
890 | offloading (sched_scan) | |
891 | * added optional persistent=<network id> parameter for p2p_connect to | |
892 | allow forcing of a specific SSID/passphrase for GO Negotiation | |
893 | * added support for OBSS scan requests and 20/40 BSS coexistence reports | |
894 | * reject PD Request for unknown group | |
895 | * removed scripts and notes related to Windows binary releases (which | |
896 | have not been used starting from 1.x) | |
897 | * added initial support for WNM operations | |
898 | - Keep-alive based on BSS max idle period | |
899 | - WNM-Sleep Mode | |
2cd6af9c | 900 | - minimal BSS Transition Management processing |
1ae1570b JM |
901 | * added autoscan module to control scanning behavior while not connected |
902 | - autoscan_periodic and autoscan_exponential modules | |
903 | * added new WPS NFC ctrl_iface mechanism | |
904 | - added initial support NFC connection handover | |
905 | - removed obsoleted WPS_OOB command (including support for deprecated | |
906 | UFD config_method) | |
907 | * added optional framework for external password storage ("ext:<name>") | |
908 | * wpa_cli: added optional support for controlling wpa_supplicant | |
909 | remotely over UDP (CONFIG_CTRL_IFACE=udp-remote) for testing purposes | |
910 | * wpa_cli: extended tab completion to more commands | |
911 | * changed SSID output to use printf-escaped strings instead of masking | |
912 | of non-ASCII characters | |
913 | - SSID can now be configured in the same format: ssid=P"abc\x00test" | |
914 | * removed default ACM=1 from AC_VO and AC_VI | |
915 | * added optional "ht40" argument for P2P ctrl_iface commands to allow | |
916 | 40 MHz channels to be requested on the 5 GHz band | |
917 | * added optional parameters for p2p_invite command to specify channel | |
918 | when reinvoking a persistent group as the GO | |
919 | * improved FIPS mode builds with OpenSSL | |
920 | - "make fips" with CONFIG_FIPS=y to build wpa_supplicant with the | |
921 | OpenSSL FIPS object module | |
922 | - replace low level OpenSSL AES API calls to use EVP | |
923 | - use OpenSSL keying material exporter when possible | |
924 | - do not export TLS keys in FIPS mode | |
925 | - remove MD5 from CONFIG_FIPS=y builds | |
926 | - use OpenSSL function for PKBDF2 passphrase-to-PSK | |
927 | - use OpenSSL HMAC implementation | |
928 | - mix RAND_bytes() output into random_get_bytes() to force OpenSSL | |
929 | DRBG to be used in FIPS mode | |
930 | - use OpenSSL CMAC implementation | |
931 | * added mechanism to disable TLS Session Ticket extension | |
932 | - a workaround for servers that do not support TLS extensions that | |
933 | was enabled by default in recent OpenSSL versions | |
934 | - tls_disable_session_ticket=1 | |
935 | - automatically disable TLS Session Ticket extension by default when | |
936 | using EAP-TLS/PEAP/TTLS (i.e., only use it with EAP-FAST) | |
937 | * changed VENDOR-TEST EAP method to use proper private enterprise number | |
938 | (this will not interoperate with older versions) | |
939 | * disable network block temporarily on authentication failures | |
940 | * improved WPS AP selection during WPS PIN iteration | |
941 | * added support for configuring GCMP cipher for IEEE 802.11ad | |
942 | * added support for Wi-Fi Display extensions | |
943 | - WFD_SUBELEMENT_SET ctrl_iface command to configure WFD subelements | |
944 | - SET wifi_display <0/1> to disable/enable WFD support | |
945 | - WFD service discovery | |
946 | - an external program is needed to manage the audio/video streaming | |
947 | and codecs | |
948 | * optimized scan result use for network selection | |
949 | - use the internal BSS table instead of raw scan results | |
950 | - allow unnecessary scans to be skipped if fresh information is | |
951 | available (e.g., after GAS/ANQP round for Interworking) | |
952 | * added support for 256-bit AES with internal TLS implementation | |
953 | * allow peer to propose channel in P2P invitation process for a | |
954 | persistent group | |
955 | * added disallow_aps parameter to allow BSSIDs/SSIDs to be disallowed | |
956 | from network selection | |
957 | * re-enable the networks disabled during WPS operations | |
958 | * allow P2P functionality to be disabled per interface (p2p_disabled=1) | |
959 | * added secondary device types into P2P_PEER output | |
960 | * added an option to disable use of a separate P2P group interface | |
961 | (p2p_no_group_iface=1) | |
962 | * fixed P2P Bonjour SD to match entries with both compressed and not | |
963 | compressed domain name format and support multiple Bonjour PTR matches | |
964 | for the same key | |
965 | * use deauthentication instead of disassociation for all disconnection | |
966 | operations; this removes the now unused disassociate() wpa_driver_ops | |
967 | callback | |
968 | * optimized PSK generation on P2P GO by caching results to avoid | |
969 | multiple PBKDF2 operations | |
970 | * added okc=1 global configuration parameter to allow OKC to be enabled | |
971 | by default for all network blocks | |
972 | * added a workaround for WPS PBC session overlap detection to avoid | |
973 | interop issues with deployed station implementations that do not | |
974 | remove active PBC indication from Probe Request frames properly | |
2cd6af9c JM |
975 | * added basic support for 60 GHz band |
976 | * extend EAPOL frames processing workaround for roaming cases | |
977 | (postpone processing of unexpected EAPOL frame until association | |
978 | event to handle reordered events) | |
1ae1570b | 979 | |
ec4a5d32 JM |
980 | 2012-05-10 - v1.0 |
981 | * bsd: Add support for setting HT values in IFM_MMASK. | |
982 | * Delay STA entry removal until Deauth/Disassoc TX status in AP mode. | |
983 | This allows the driver to use PS buffering of Deauthentication and | |
984 | Disassociation frames when the STA is in power save sleep. Only | |
985 | available with drivers that provide TX status events for Deauth/ | |
986 | Disassoc frames (nl80211). | |
987 | * Drop oldest unknown BSS table entries first. This makes it less | |
988 | likely to hit connection issues in environments with huge number | |
989 | of visible APs. | |
990 | * Add systemd support. | |
991 | * Add support for setting the syslog facility from the config file | |
992 | at build time. | |
993 | * atheros: Add support for IEEE 802.11w configuration. | |
994 | * AP mode: Allow enable HT20 if driver supports it, by setting the | |
995 | config parameter ieee80211n. | |
996 | * Allow AP mode to disconnect STAs based on low ACK condition (when | |
997 | the data connection is not working properly, e.g., due to the STA | |
998 | going outside the range of the AP). Disabled by default, enable by | |
999 | config option disassoc_low_ack. | |
1000 | * nl80211: | |
1001 | - Support GTK rekey offload. | |
1002 | - Support PMKSA candidate events. This adds support for RSN | |
1003 | pre-authentication with nl80211 interface and drivers that handle | |
1004 | roaming internally. | |
1005 | * dbus: | |
1006 | - Add a DBus signal for EAP SM requests, emitted on the Interface | |
1007 | object. | |
1008 | - Export max scan ssids supported by the driver as MaxScanSSID. | |
1009 | - Add signal Certification for information about server certification. | |
1010 | - Add BSSExpireAge and BSSExpireCount interface properties and | |
1011 | support set/get, which allows for setting BSS cache expiration age | |
1012 | and expiration scan count. | |
1013 | - Add ConfigFile to AddInterface properties. | |
1014 | - Add Interface.Country property and support to get/set the value. | |
1015 | - Add DBus property CurrentAuthMode. | |
1016 | - P2P DBus API added. | |
1017 | - Emit property changed events (for property BSSs) when adding/ | |
1018 | removing BSSs. | |
1019 | - Treat '' in SSIDs of Interface.Scan as a request for broadcast | |
1020 | scan, instead of ignoring it. | |
1021 | - Add DBus getter/setter for FastReauth. | |
1022 | - Raise PropertiesChanged on org.freedesktop.DBus.Properties. | |
1023 | * wpa_cli: | |
1024 | - Send AP-STA-DISCONNECTED event when an AP disconnects a station | |
1025 | due to inactivity. | |
1026 | - Make second argument to set command optional. This can be used to | |
1027 | indicate a zero length value. | |
1028 | - Add signal_poll command. | |
1029 | - Add bss_expire_age and bss_expire_count commands to set/get BSS | |
1030 | cache expiration age and expiration scan count. | |
1031 | - Add ability to set scan interval (the time in seconds wpa_s waits | |
1032 | before requesting a new scan after failing to find a suitable | |
1033 | network in scan results) using scan_interval command. | |
1034 | - Add event CTRL-EVENT-ASSOC-REJECT for association rejected. | |
1035 | - Add command get version, that returns wpa_supplicant version string. | |
1036 | - Add command sta_autoconnect for disabling automatic reconnection | |
1037 | on receiving disconnection event. | |
1038 | - Setting bssid parameter to an empty string "" or any can now be | |
1039 | used to clear the bssid_set flag in a network block, i.e., to remove | |
1040 | bssid filtering. | |
1041 | - Add tdls_testing command to add a special testing feature for | |
1042 | changing TDLS behavior. Build param CONFIG_TDLS_TESTING must be | |
1043 | enabled as well. | |
1044 | - For interworking, add wpa_cli commands interworking_select, | |
1045 | interworking_connect, anqp_get, fetch_anqp, and stop_fetch_anqp. | |
1046 | - Many P2P commands were added. See README-P2P. | |
1047 | - Many WPS/WPS ER commands - see WPS/WPS ER sections for details. | |
1048 | - Allow set command to change global config parameters. | |
1049 | - Add log_level command, which can be used to display the current | |
1050 | debugging level and to change the log level during run time. | |
1051 | - Add note command, which can be used to insert notes to the debug | |
1052 | log. | |
1053 | - Add internal line edit implementation. CONFIG_WPA_CLI_EDIT=y | |
1054 | can now be used to build wpa_cli with internal implementation of | |
1055 | line editing and history support. This can be used as a replacement | |
1056 | for CONFIG_READLINE=y. | |
1057 | * AP mode: Add max_num_sta config option, which can be used to limit | |
1058 | the number of stations allowed to connect to the AP. | |
1059 | * Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad | |
1060 | config file. | |
1061 | * wext: Increase scan timeout from 5 to 10 seconds. | |
1062 | * Add blacklist command, allowing an external program to | |
1063 | manage the BSS blacklist and display its current contents. | |
1064 | * WPS: | |
1065 | - Add wpa_cli wps_pin get command for generating random PINs. This can | |
1066 | be used in a UI to generate a PIN without starting WPS (or P2P) | |
1067 | operation. | |
1068 | - Set RF bands based on driver capabilities, instead of hardcoding | |
1069 | them. | |
1070 | - Add mechanism for indicating non-standard WPS errors. | |
1071 | - Add CONFIG_WPS_REG_DISABLE_OPEN=y option to disable open networks | |
1072 | by default. | |
1073 | - Add wps_ap_pin cli command for wpa_supplicant AP mode. | |
1074 | - Add wps_check_pin cli command for processing PIN from user input. | |
1075 | UIs can use this command to process a PIN entered by a user and to | |
1076 | validate the checksum digit (if present). | |
1077 | - Cancel WPS operation on PBC session overlap detection. | |
1078 | - New wps_cancel command in wpa_cli will cancel a pending WPS | |
1079 | operation. | |
1080 | - wpa_cli action: Add WPS_EVENT_SUCCESS and WPS_EVENT_FAIL handlers. | |
1081 | - Trigger WPS config update on Manufacturer, Model Name, Model | |
1082 | Number, and Serial Number changes. | |
1083 | - Fragment size is now configurable for EAP-WSC peer. Use | |
1084 | wpa_cli set wps_fragment_size <val>. | |
1085 | - Disable AP PIN after 10 consecutive failures. Slow down attacks on | |
1086 | failures up to 10. | |
1087 | - Allow AP to start in Enrollee mode without AP PIN for probing, to | |
1088 | be compatible with Windows 7. | |
1089 | - Add Config Error into WPS-FAIL events to provide more info to the | |
1090 | user on how to resolve the issue. | |
1091 | - Label and Display config methods are not allowed to be enabled | |
1092 | at the same time, since it is unclear which PIN to use if both | |
1093 | methods are advertised. | |
1094 | - When controlling multiple interfaces: | |
1095 | - apply WPS commands to all interfaces configured to use WPS | |
1096 | - apply WPS config changes to all interfaces that use WPS | |
1097 | - when an attack is detected on any interface, disable AP PIN on | |
1098 | all interfaces | |
1099 | * WPS ER: | |
1100 | - Add special AP Setup Locked mode to allow read only ER. | |
1101 | ap_setup_locked=2 can now be used to enable a special mode where | |
1102 | WPS ER can learn the current AP settings, but cannot change them. | |
1103 | - Show SetSelectedRegistrar events as ctrl_iface events | |
1104 | - Add wps_er_set_config to enroll a network based on a local | |
1105 | network configuration block instead of having to (re-)learn the | |
1106 | current AP settings with wps_er_learn. | |
1107 | - Allow AP filtering based on IP address, add ctrl_iface event for | |
1108 | learned AP settings, add wps_er_config command to configure an AP. | |
1109 | * WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2) | |
1110 | - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool | |
1111 | for testing protocol extensibility. | |
1112 | - Add build option CONFIG_WPS_STRICT to allow disabling of WPS | |
1113 | workarounds. | |
1114 | - Add support for AuthorizedMACs attribute. | |
1115 | * TDLS: | |
1116 | - Propogate TDLS related nl80211 capability flags from kernel and | |
1117 | add them as driver capability flags. If the driver doesn't support | |
1118 | capabilities, assume TDLS is supported internally. When TDLS is | |
1119 | explicitly not supported, disable all user facing TDLS operations. | |
1120 | - Allow TDLS to be disabled at runtime (mostly for testing). | |
1121 | Use set tdls_disabled. | |
1122 | - Honor AP TDLS settings that prohibit/allow TDLS. | |
1123 | - Add a special testing feature for changing TDLS behavior. Use | |
1124 | CONFIG_TDLS_TESTING build param to enable. Configure at runtime | |
1125 | with tdls_testing cli command. | |
1126 | - Add support for TDLS 802.11z. | |
1127 | * wlantest: Add a tool wlantest for IEEE802.11 protocol testing. | |
1128 | wlantest can be used to capture frames from a monitor interface | |
1129 | for realtime capturing or from pcap files for offline analysis. | |
1130 | * Interworking: Support added for 802.11u. Enable in .config with | |
1131 | CONFIG_INTERWORKING. See wpa_supplicant.conf for config parameters | |
1132 | for interworking. wpa_cli commands added to support this are | |
1133 | interworking_select, interworking_connect, anqp_get, fetch_anqp, | |
1134 | and stop_fetch_anqp. | |
1135 | * Android: Add build and runtime support for Android wpa_supplicant. | |
1136 | * bgscan learn: Add new bgscan that learns BSS information based on | |
1137 | previous scans, and uses that information to dynamically generate | |
1138 | the list of channels for background scans. | |
1139 | * Add a new debug message level for excessive information. Use | |
1140 | -ddd to enable. | |
1141 | * TLS: Add support for tls_disable_time_checks=1 in client mode. | |
1142 | * Internal TLS: | |
1143 | - Add support for TLS v1.1 (RFC 4346). Enable with build parameter | |
1144 | CONFIG_TLSV11. | |
1145 | - Add domainComponent parser for X.509 names. | |
1146 | * Linux: Add RFKill support by adding an interface state "disabled". | |
1147 | * Reorder some IEs to get closer to IEEE 802.11 standard. Move | |
1148 | WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames. | |
1149 | Move HT IEs to be later in (Re)Assoc Resp. | |
1150 | * Solaris: Add support for wired 802.1X client. | |
1151 | * Wi-Fi Direct support. See README-P2P for more information. | |
1152 | * Many bugfixes. | |
1153 | ||
be48214d JM |
1154 | 2010-04-18 - v0.7.2 |
1155 | * nl80211: fixed number of issues with roaming | |
1156 | * avoid unnecessary roaming if multiple APs with similar signal | |
1157 | strength are present in scan results | |
1158 | * add TLS client events and server probing to ease design of | |
1159 | automatic detection of EAP parameters | |
1160 | * add option for server certificate matching (SHA256 hash of the | |
1161 | certificate) instead of trusted CA certificate configuration | |
1162 | * bsd: Cleaned up driver wrapper and added various low-level | |
1163 | configuration options | |
1164 | * wpa_gui-qt4: do not show too frequent WPS AP available events as | |
1165 | tray messages | |
1166 | * TNC: fixed issues with fragmentation | |
1167 | * EAP-TNC: add Flags field into fragment acknowledgement (needed to | |
1168 | interoperate with other implementations; may potentially breaks | |
1169 | compatibility with older wpa_supplicant/hostapd versions) | |
1170 | * wpa_cli: added option for using a separate process to receive event | |
1171 | messages to reduce latency in showing these | |
1172 | (CFLAGS += -DCONFIG_WPA_CLI_FORK=y in .config to enable this) | |
1173 | * maximum BSS table size can now be configured (bss_max_count) | |
1174 | * BSSes to be included in the BSS table can be filtered based on | |
1175 | configured SSIDs to save memory (filter_ssids) | |
1176 | * fix number of issues with IEEE 802.11r/FT; this version is not | |
1177 | backwards compatible with old versions | |
1178 | * nl80211: add support for IEEE 802.11r/FT protocol (both over-the-air | |
1179 | and over-the-DS) | |
1180 | * add freq_list network configuration parameter to allow the AP | |
1181 | selection to filter out entries based on the operating channel | |
1182 | * add signal strength change events for bgscan; this allows more | |
1183 | dynamic changes to background scanning interval based on changes in | |
1184 | the signal strength with the current AP; this improves roaming within | |
1185 | ESS quite a bit, e.g., with bgscan="simple:30:-45:300" in the network | |
1186 | configuration block to request background scans less frequently when | |
1187 | signal strength remains good and to automatically trigger background | |
1188 | scans whenever signal strength drops noticeably | |
1189 | (this is currently only available with nl80211) | |
1190 | * add BSSID and reason code (if available) to disconnect event messages | |
1191 | * wpa_gui-qt4: more complete support for translating the GUI with | |
1192 | linguist and add German translation | |
1193 | * fix DH padding with internal crypto code (mainly, for WPS) | |
1194 | * do not trigger initial scan automatically anymore if there are no | |
1195 | enabled networks | |
1196 | ||
dff0f701 JM |
1197 | 2010-01-16 - v0.7.1 |
1198 | * cleaned up driver wrapper API (struct wpa_driver_ops); the new API | |
1199 | is not fully backwards compatible, so out-of-tree driver wrappers | |
1200 | will need modifications | |
1201 | * cleaned up various module interfaces | |
1202 | * merge hostapd and wpa_supplicant developers' documentation into a | |
1203 | single document | |
1204 | * nl80211: use explicit deauthentication to clear cfg80211 state to | |
1205 | avoid issues when roaming between APs | |
1206 | * dbus: major design changes in the new D-Bus API | |
1207 | (fi.w1.wpa_supplicant1) | |
1208 | * nl80211: added support for IBSS networks | |
1209 | * added internal debugging mechanism with backtrace support and memory | |
1210 | allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y) | |
1211 | * added WPS ER unsubscription command to more cleanly unregister from | |
1212 | receiving UPnP events when ER is terminated | |
1213 | * cleaned up AP mode operations to avoid need for virtual driver_ops | |
1214 | wrapper | |
1215 | * added BSS table to maintain more complete scan result information | |
1216 | over multiple scans (that may include only partial results) | |
1217 | * wpa_gui-qt4: update Peers dialog information more dynamically while | |
1218 | the dialog is kept open | |
1219 | * fixed PKCS#12 use with OpenSSL 1.0.0 | |
1220 | * driver_wext: Added cfg80211-specific optimization to avoid some | |
1221 | unnecessary scans and to speed up association | |
1222 | ||
224f7bda | 1223 | 2009-11-21 - v0.7.0 |
1cc84c1c JM |
1224 | * increased wpa_cli ping interval to 5 seconds and made this |
1225 | configurable with a new command line options (-G<seconds>) | |
42f1ee7d JM |
1226 | * fixed scan buffer processing with WEXT to handle up to 65535 |
1227 | byte result buffer (previously, limited to 32768 bytes) | |
362f781e JM |
1228 | * allow multiple driver wrappers to be specified on command line |
1229 | (e.g., -Dnl80211,wext); the first one that is able to initialize the | |
1230 | interface will be used | |
6a1063e0 JM |
1231 | * added support for multiple SSIDs per scan request to optimize |
1232 | scan_ssid=1 operations in ap_scan=1 mode (i.e., search for hidden | |
1233 | SSIDs); this requires driver support and can currently be used only | |
1234 | with nl80211 | |
f4c617ee JM |
1235 | * added support for WPS USBA out-of-band mechanism with USB Flash |
1236 | Drives (UFD) (CONFIG_WPS_UFD=y) | |
c472ef75 JM |
1237 | * driver_ndis: add PAE group address to the multicast address list to |
1238 | fix wired IEEE 802.1X authentication | |
4cb0dcd9 JM |
1239 | * fixed IEEE 802.11r key derivation function to match with the standard |
1240 | (note: this breaks interoperability with previous version) [Bug 303] | |
c2a04078 JM |
1241 | * added better support for drivers that allow separate authentication |
1242 | and association commands (e.g., mac80211-based Linux drivers with | |
1243 | nl80211; SME in wpa_supplicant); this allows over-the-air FT protocol | |
1244 | to be used (IEEE 802.11r) | |
c0a61908 JM |
1245 | * fixed SHA-256 based key derivation function to match with the |
1246 | standard when using CCMP (for IEEE 802.11r and IEEE 802.11w) | |
1247 | (note: this breaks interoperability with previous version) [Bug 307] | |
56360b16 JM |
1248 | * use shared driver wrapper files with hostapd |
1249 | * added AP mode functionality (CONFIG_AP=y) with mode=2 in the network | |
1250 | block; this can be used for open and WPA2-Personal networks | |
1251 | (optionally, with WPS); this links in parts of hostapd functionality | |
1252 | into wpa_supplicant | |
1253 | * wpa_gui-qt4: added new Peers dialog to show information about peers | |
1254 | (other devices, including APs and stations, etc. in the neighborhood) | |
1255 | * added support for WPS External Registrar functionality (configure APs | |
1256 | and enroll new devices); can be used with wpa_gui-qt4 Peers dialog | |
1257 | and wpa_cli commands wps_er_start, wps_er_stop, wps_er_pin, | |
1258 | wps_er_pbc, wps_er_learn | |
1259 | (this can also be used with a new 'none' driver wrapper if no | |
1260 | wireless device or IEEE 802.1X on wired is needed) | |
1261 | * driver_nl80211: multiple updates to provide support for new Linux | |
1262 | nl80211/mac80211 functionality | |
1263 | * updated management frame protection to use IEEE Std 802.11w-2009 | |
1264 | * fixed number of small WPS issues and added workarounds to | |
1265 | interoperate with common deployed broken implementations | |
1266 | * added support for NFC out-of-band mechanism with WPS | |
1267 | * driver_ndis: fixed wired IEEE 802.1X authentication with PAE group | |
1268 | address frames | |
1269 | * added preliminary support for IEEE 802.11r RIC processing | |
1270 | * added support for specifying subset of enabled frequencies to scan | |
1271 | (scan_freq option in the network configuration block); this can speed | |
1272 | up scanning process considerably if it is known that only a small | |
1273 | subset of channels is actually used in the network (this is currently | |
1274 | supported only with -Dnl80211) | |
1275 | * added a workaround for race condition between receiving the | |
1276 | association event and the following EAPOL-Key | |
1277 | * added background scan and roaming infrastructure to allow | |
1278 | network-specific optimizations to be used to improve roaming within | |
1279 | an ESS (same SSID) | |
1280 | * added new DBus interface (fi.w1.wpa_supplicant1) | |
1cc84c1c | 1281 | |
6f78f2fb | 1282 | 2009-01-06 - v0.6.7 |
30f5c941 JM |
1283 | * added support for Wi-Fi Protected Setup (WPS) |
1284 | (wpa_supplicant can now be configured to act as a WPS Enrollee to | |
1285 | enroll credentials for a network using PIN and PBC methods; in | |
1286 | addition, wpa_supplicant can act as a wireless WPS Registrar to | |
1287 | configure an AP); WPS support can be enabled by adding CONFIG_WPS=y | |
1288 | into .config and setting the runtime configuration variables in | |
1289 | wpa_supplicant.conf (see WPS section in the example configuration | |
1290 | file); new wpa_cli commands wps_pin, wps_pbc, and wps_reg are used to | |
1291 | manage WPS negotiation; see README-WPS for more details | |
a9d1364c | 1292 | * added support for EAP-AKA' (draft-arkko-eap-aka-kdf) |
e33bbd8f | 1293 | * added support for using driver_test over UDP socket |
f4f2774a JM |
1294 | * fixed PEAPv0 Cryptobinding interoperability issue with Windows Server |
1295 | 2008 NPS; optional cryptobinding is now enabled (again) by default | |
c3ece504 | 1296 | * fixed PSK editing in wpa_gui |
a2b3a34b | 1297 | * changed EAP-GPSK to use the IANA assigned EAP method type 51 |
c674a55d JM |
1298 | * added a Windows installer that includes WinPcap and all the needed |
1299 | DLLs; in addition, it set up the registry automatically so that user | |
1300 | will only need start wpa_gui to get prompted to start the wpasvc | |
1301 | servide and add a new interface if needed through wpa_gui dialog | |
cae93bdc | 1302 | * updated management frame protection to use IEEE 802.11w/D7.0 |
a9d1364c | 1303 | |
6e89cc43 | 1304 | 2008-11-23 - v0.6.6 |
81eec387 JM |
1305 | * added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA |
1306 | (can be used to simulate test SIM/USIM card with a known private key; | |
1307 | enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config | |
1308 | and password="Ki:OPc"/password="Ki:OPc:SQN" in network configuration) | |
581a8cde JM |
1309 | * added a new network configuration option, wpa_ptk_rekey, that can be |
1310 | used to enforce frequent PTK rekeying, e.g., to mitigate some attacks | |
1311 | against TKIP deficiencies | |
46690a3b JM |
1312 | * added an optional mitigation mechanism for certain attacks against |
1313 | TKIP by delaying Michael MIC error reports by a random amount of time | |
1314 | between 0 and 60 seconds; this can be enabled with a build option | |
1315 | CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config | |
fa71a1d8 JM |
1316 | * fixed EAP-AKA to use RES Length field in AT_RES as length in bits, |
1317 | not bytes | |
0cf03892 JM |
1318 | * updated OpenSSL code for EAP-FAST to use an updated version of the |
1319 | session ticket overriding API that was included into the upstream | |
1320 | OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is | |
1321 | needed with that version anymore) | |
cd35db9f JM |
1322 | * updated userspace MLME instructions to match with the current Linux |
1323 | mac80211 implementation; please also note that this can only be used | |
1324 | with driver_nl80211.c (the old code from driver_wext.c was removed) | |
e519314e JW |
1325 | * added support (Linux only) for RoboSwitch chipsets (often found in |
1326 | consumer grade routers); driver interface 'roboswitch' | |
1ac2d4a9 JM |
1327 | * fixed canceling of PMKSA caching when using drivers that generate |
1328 | RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know | |
1329 | about | |
2a24bb31 | 1330 | |
988ab690 | 1331 | 2008-11-01 - v0.6.5 |
1d8ce433 JM |
1332 | * added support for SHA-256 as X.509 certificate digest when using the |
1333 | internal X.509/TLSv1 implementation | |
5d22a1d5 | 1334 | * updated management frame protection to use IEEE 802.11w/D6.0 |
56586197 JM |
1335 | * added support for using SHA256-based stronger key derivation for WPA2 |
1336 | (IEEE 802.11w) | |
c6845259 JM |
1337 | * fixed FT (IEEE 802.11r) authentication after a failed association to |
1338 | use correct FTIE | |
8de59496 JM |
1339 | * added support for configuring Phase 2 (inner/tunneled) authentication |
1340 | method with wpa_gui-qt4 | |
1d8ce433 | 1341 | |
d48ae45b | 1342 | 2008-08-10 - v0.6.4 |
7914585f | 1343 | * added support for EAP Sequences in EAP-FAST Phase 2 |
4f1c5617 | 1344 | * added support for using TNC with EAP-FAST |
b5a357b4 | 1345 | * added driver_ps3 for the PS3 Linux wireless driver |
e7d80033 | 1346 | * added support for optional cryptobinding with PEAPv0 |
fe2b7dda JM |
1347 | * fixed the OpenSSL patches (0.9.8g and 0.9.9) for EAP-FAST to |
1348 | allow fallback to full handshake if server rejects PAC-Opaque | |
1b52ea47 | 1349 | * added fragmentation support for EAP-TNC |
d952d16d JM |
1350 | * added support for parsing PKCS #8 formatted private keys into the |
1351 | internal TLS implementation (both PKCS #1 RSA key and PKCS #8 | |
1352 | encapsulated RSA key can now be used) | |
b95394c6 JM |
1353 | * added option of using faster, but larger, routines in the internal |
1354 | LibTomMath (for internal TLS implementation) to speed up DH and RSA | |
1355 | calculations (CONFIG_INTERNAL_LIBTOMMATH_FAST=y) | |
3e2ad1b9 JM |
1356 | * fixed race condition between disassociation event and group key |
1357 | handshake to avoid getting stuck in incorrect state [Bug 261] | |
3ff77e07 | 1358 | * fixed opportunistic key caching (proactive_key_caching) |
7914585f | 1359 | |
6fc6879b JM |
1360 | 2008-02-22 - v0.6.3 |
1361 | * removed 'nai' and 'eappsk' network configuration variables that were | |
1362 | previously used for configuring user identity and key for EAP-PSK, | |
1363 | EAP-PAX, EAP-SAKE, and EAP-GPSK. 'identity' field is now used as the | |
1364 | replacement for 'nai' (if old configuration used a separate | |
1365 | 'identity' value, that would now be configured as | |
1366 | 'anonymous_identity'). 'password' field is now used as the | |
1367 | replacement for 'eappsk' (it can also be set using hexstring to | |
1368 | present random binary data) | |
1369 | * removed '-w' command line parameter (wait for interface to be added, | |
1370 | if needed); cleaner way of handling this functionality is to use an | |
1371 | external mechanism (e.g., hotplug scripts) that start wpa_supplicant | |
1372 | when an interface is added | |
1373 | * updated FT support to use the latest draft, IEEE 802.11r/D9.0 | |
1374 | * added ctrl_iface monitor event (CTRL-EVENT-SCAN-RESULTS) for | |
1375 | indicating when new scan results become available | |
1376 | * added new ctrl_iface command, BSS, to allow scan results to be | |
1377 | fetched without hitting the message size limits (this command | |
1378 | can be used to iterate through the scan results one BSS at the time) | |
1379 | * fixed EAP-SIM not to include AT_NONCE_MT and AT_SELECTED_VERSION | |
1380 | attributes in EAP-SIM Start/Response when using fast reauthentication | |
1381 | * fixed EAPOL not to end up in infinite loop when processing dynamic | |
1382 | WEP keys with IEEE 802.1X | |
1383 | * fixed problems in getting NDIS events from WMI on Windows 2000 | |
1384 | ||
1385 | 2008-01-01 - v0.6.2 | |
1386 | * added support for Makefile builds to include debug-log-to-a-file | |
1387 | functionality (CONFIG_DEBUG_FILE=y and -f<path> on command line) | |
1388 | * fixed EAP-SIM and EAP-AKA message parser to validate attribute | |
1389 | lengths properly to avoid potential crash caused by invalid messages | |
1390 | * added data structure for storing allocated buffers (struct wpabuf); | |
1391 | this does not affect wpa_supplicant usage, but many of the APIs | |
1392 | changed and various interfaces (e.g., EAP) is not compatible with old | |
1393 | versions | |
1394 | * added support for protecting EAP-AKA/Identity messages with | |
1395 | AT_CHECKCODE (optional feature in RFC 4187) | |
1396 | * added support for protected result indication with AT_RESULT_IND for | |
1397 | EAP-SIM and EAP-AKA (phase1="result_ind=1") | |
1398 | * added driver_wext workaround for race condition between scanning and | |
1399 | association with drivers that take very long time to scan all | |
1400 | channels (e.g., madwifi with dual-band cards); wpa_supplicant is now | |
1401 | using a longer hardcoded timeout for the scan if the driver supports | |
1402 | notifications for scan completion (SIOCGIWSCAN event); this helps, | |
1403 | e.g., in cases where wpa_supplicant and madwifi driver ended up in | |
1404 | loop where the driver did not even try to associate | |
1405 | * stop EAPOL timer tick when no timers are in use in order to reduce | |
1406 | power consumption (no need to wake up the process once per second) | |
1407 | [Bug 237] | |
1408 | * added support for privilege separation (run only minimal part of | |
1409 | wpa_supplicant functionality as root and rest as unprivileged, | |
1410 | non-root process); see 'Privilege separation' in README for details; | |
1411 | this is disabled by default and can be enabled with CONFIG_PRIVSEP=y | |
1412 | in .config | |
1413 | * changed scan results data structure to include all information | |
1414 | elements to make it easier to support new IEs; old get_scan_result() | |
1415 | driver_ops is still supported for backwards compatibility (results | |
1416 | are converted internally to the new format), but all drivers should | |
1417 | start using the new get_scan_results2() to make them more likely to | |
1418 | work with new features | |
1419 | * Qt4 version of wpa_gui (wpa_gui-qt4 subdirectory) is now native Qt4 | |
1420 | application, i.e., it does not require Qt3Support anymore; Windows | |
1421 | binary of wpa_gui.exe is now from this directory and only requires | |
1422 | QtCore4.dll and QtGui4.dll libraries | |
1423 | * updated Windows binary build to use Qt 4.3.3 and made Qt DLLs | |
1424 | available as a separate package to make wpa_gui installation easier: | |
1425 | http://w1.fi/wpa_supplicant/qt4/wpa_gui-qt433-windows-dll.zip | |
1426 | * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt); | |
1427 | only shared key/password authentication is supported in this version | |
1428 | ||
1429 | 2007-11-24 - v0.6.1 | |
1430 | * added support for configuring password as NtPasswordHash | |
1431 | (16-byte MD4 hash of password) in hash:<32 hex digits> format | |
1432 | * added support for fallback from abbreviated TLS handshake to | |
1433 | full handshake when using EAP-FAST (e.g., due to an expired | |
1434 | PAC-Opaque) | |
1435 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
1436 | draft (draft-ietf-emu-eap-gpsk-07.txt) | |
1437 | * added support for drivers that take care of RSN 4-way handshake | |
1438 | internally (WPA_DRIVER_FLAGS_4WAY_HANDSHAKE in get_capa flags and | |
1439 | WPA_ALG_PMK in set_key) | |
1440 | * added an experimental port for Mac OS X (CONFIG_DRIVER_OSX=y in | |
1441 | .config); this version supports only ap_scan=2 mode and allow the | |
1442 | driver to take care of the 4-way handshake | |
1443 | * fixed a buffer overflow in parsing TSF from scan results when using | |
1444 | driver_wext.c with a driver that includes the TSF (e.g., iwl4965) | |
1445 | [Bug 232] | |
1446 | * updated FT support to use the latest draft, IEEE 802.11r/D8.0 | |
1447 | * fixed an integer overflow issue in the ASN.1 parser used by the | |
1448 | (experimental) internal TLS implementation to avoid a potential | |
1449 | buffer read overflow | |
1450 | * fixed a race condition with -W option (wait for a control interface | |
1451 | monitor before starting) that could have caused the first messages to | |
1452 | be lost | |
1453 | * added support for processing TNCC-TNCS-Messages to report | |
1454 | recommendation (allow/none/isolate) when using TNC [Bug 243] | |
1455 | ||
1456 | 2007-05-28 - v0.6.0 | |
1457 | * added network configuration parameter 'frequency' for setting | |
1458 | initial channel for IBSS (adhoc) networks | |
1459 | * added experimental IEEE 802.11r/D6.0 support | |
1460 | * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48 | |
1461 | * updated EAP-PSK to use the IANA-allocated EAP type 47 | |
1462 | * fixed EAP-PAX key derivation | |
1463 | * fixed EAP-PSK bit ordering of the Flags field | |
1464 | * fixed EAP-PEAP/TTLS/FAST to use the correct EAP identifier in | |
1465 | tunnelled identity request (previously, the identifier from the outer | |
1466 | method was used, not the tunnelled identifier which could be | |
1467 | different) | |
1468 | * added support for fragmentation of outer TLS packets during Phase 2 | |
1469 | of EAP-PEAP/TTLS/FAST | |
1470 | * fixed EAP-TTLS AVP parser processing for too short AVP lengths | |
1471 | * added support for EAP-FAST authentication with inner methods that | |
1472 | generate MSK (e.g., EAP-MSCHAPv2 that was previously only supported | |
1473 | for PAC provisioning) | |
1474 | * added support for authenticated EAP-FAST provisioning | |
1475 | * added support for configuring maximum number of EAP-FAST PACs to | |
1476 | store in a PAC list (fast_max_pac_list_len=<max> in phase1 string) | |
1477 | * added support for storing EAP-FAST PACs in binary format | |
1478 | (fast_pac_format=binary in phase1 string) | |
1479 | * fixed dbus ctrl_iface to validate message interface before | |
1480 | dispatching to avoid a possible segfault [Bug 190] | |
1481 | * fixed PeerKey key derivation to use the correct PRF label | |
1482 | * updated Windows binary build to link against OpenSSL 0.9.8d and | |
1483 | added support for EAP-FAST | |
1484 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
1485 | draft (draft-ietf-emu-eap-gpsk-04.txt) | |
1486 | * fixed EAP-AKA Notification processing to allow Notification to be | |
1487 | processed after AKA Challenge response has been sent | |
1488 | * updated to use IEEE 802.11w/D2.0 for management frame protection | |
1489 | (still experimental) | |
1490 | * fixed EAP-TTLS implementation not to crash on use of freed memory | |
1491 | if TLS library initialization fails | |
1492 | * added support for EAP-TNC (Trusted Network Connect) | |
1493 | (this version implements the EAP-TNC method and EAP-TTLS changes | |
1494 | needed to run two methods in sequence (IF-T) and the IF-IMC and | |
1495 | IF-TNCCS interfaces from TNCC) | |
1496 | ||
1497 | 2006-11-24 - v0.5.6 | |
1498 | * added experimental, integrated TLSv1 client implementation with the | |
1499 | needed X.509/ASN.1/RSA/bignum processing (this can be enabled by | |
1500 | setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in | |
1501 | .config); this can be useful, e.g., if the target system does not | |
1502 | have a suitable TLS library and a minimal code size is required | |
1503 | (total size of this internal TLS/crypto code is bit under 50 kB on | |
1504 | x86 and the crypto code is shared by rest of the supplicant so some | |
1505 | of it was already required; TLSv1/X.509/ASN.1/RSA added about 25 kB) | |
1506 | * removed STAKey handshake since PeerKey handshake has replaced it in | |
1507 | IEEE 802.11ma and there are no known deployments of STAKey | |
1508 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
1509 | draft (draft-ietf-emu-eap-gpsk-01.txt) | |
1510 | * added preliminary implementation of IEEE 802.11w/D1.0 (management | |
1511 | frame protection) | |
1512 | (Note: this requires driver support to work properly.) | |
1513 | (Note2: IEEE 802.11w is an unapproved draft and subject to change.) | |
1514 | * fixed Windows named pipes ctrl_iface to not stop listening for | |
1515 | commands if client program opens a named pipe and closes it | |
1516 | immediately without sending a command | |
1517 | * fixed USIM PIN status determination for the case that PIN is not | |
1518 | needed (this allows EAP-AKA to be used with USIM cards that do not | |
1519 | use PIN) | |
1520 | * added support for reading 3G USIM AID from EF_DIR to allow EAP-AKA to | |
1521 | be used with cards that do not support file selection based on | |
1522 | partial AID | |
1523 | * added support for matching the subjectAltName of the authentication | |
1524 | server certificate against multiple name components (e.g., | |
1525 | altsubject_match="DNS:server.example.com;DNS:server2.example.com") | |
1526 | * fixed EAP-SIM/AKA key derivation for re-authentication case (only | |
1527 | affects IEEE 802.1X with dynamic WEP keys) | |
1528 | * changed ctrl_iface network configuration 'get' operations to not | |
1529 | return password/key material; if these fields are requested, "*" | |
1530 | will be returned if the password/key is set, but the value of the | |
1531 | parameter is not exposed | |
1532 | ||
1533 | 2006-08-27 - v0.5.5 | |
1534 | * added support for building Windows version with UNICODE defined | |
1535 | (wide-char functions) | |
1536 | * driver_ndis: fixed static WEP configuration to avoid race condition | |
1537 | issues with some NDIS drivers between association and setting WEP | |
1538 | keys | |
1539 | * driver_ndis: added validation for IELength value in scan results to | |
1540 | avoid crashes when using buggy NDIS drivers [Bug 165] | |
1541 | * fixed Release|Win32 target in the Visual Studio project files | |
1542 | (previously, only Debug|Win32 target was set properly) | |
1543 | * changed control interface API call wpa_ctrl_pending() to allow it to | |
1544 | return -1 on error (e.g., connection lost); control interface clients | |
1545 | will need to make sure that they verify that the value is indeed >0 | |
1546 | when determining whether there are pending messages | |
1547 | * added an alternative control interface backend for Windows targets: | |
1548 | Named Pipe (CONFIG_CTRL_IFACE=named_pipe); this is now the default | |
1549 | control interface mechanism for Windows builds (previously, UDP to | |
1550 | localhost was used) | |
1551 | * changed ctrl_interface configuration for UNIX domain sockets: | |
1552 | - deprecated ctrl_interface_group variable (it may be removed in | |
1553 | future versions) | |
1554 | - allow both directory and group be configured with ctrl_interface | |
1555 | in following format: DIR=/var/run/wpa_supplicant GROUP=wheel | |
1556 | - ctrl_interface=/var/run/wpa_supplicant is still supported for the | |
1557 | case when group is not changed | |
1558 | * added support for controlling more than one interface per process in | |
1559 | Windows version | |
1560 | * added a workaround for a case where the AP is using unknown address | |
1561 | (e.g., MAC address of the wired interface) as the source address for | |
1562 | EAPOL-Key frames; previously, that source address was used as the | |
1563 | destination for EAPOL-Key frames and in key derivation; now, BSSID is | |
1564 | used even if the source address does not match with it | |
1565 | (this resolves an interoperability issue with Thomson SpeedTouch 580) | |
1566 | * added a workaround for UDP-based control interface (which was used in | |
1567 | Windows builds before this release) to prevent packets with forged | |
1568 | addresses from being accepted as local control requests | |
1569 | * removed ndis_events.cpp and possibility of using external | |
1570 | ndis_events.exe; C version (ndis_events.c) is fully functional and | |
1571 | there is no desire to maintain two separate versions of this | |
1572 | implementation | |
1573 | * ndis_events: Changed NDIS event notification design to use WMI to | |
1574 | learn the adapter description through Win32_PnPEntity class; this | |
1575 | should fix some cases where the adapter name was not recognized | |
1576 | correctly (e.g., with some USB WLAN adapters, e.g., Ralink RT2500 | |
1577 | USB) [Bug 113] | |
1578 | * fixed selection of the first network in ap_scan=2 mode; previously, | |
1579 | wpa_supplicant could get stuck in SCANNING state when only the first | |
1580 | network for enabled (e.g., after 'wpa_cli select_network 0') | |
1581 | * winsvc: added support for configuring ctrl_interface parameters in | |
1582 | registry (ctrl_interface string value in | |
1583 | HKLM\SOFTWARE\wpa_supplicant\interfaces\0000 key); this new value is | |
1584 | required to enable control interface (previously, this was hardcoded | |
1585 | to be enabled) | |
1586 | * allow wpa_gui subdirectory to be built with both Qt3 and Qt4 | |
1587 | * converted wpa_gui-qt4 subdirectory to use Qt4 specific project format | |
1588 | ||
1589 | 2006-06-20 - v0.5.4 | |
1590 | * fixed build with CONFIG_STAKEY=y [Bug 143] | |
1591 | * added support for doing MLME (IEEE 802.11 management frame | |
1592 | processing) in wpa_supplicant when using Devicescape IEEE 802.11 | |
1593 | stack (wireless-dev.git tree) | |
1594 | * added a new network block configuration option, fragment_size, to | |
1595 | configure the maximum EAP fragment size | |
1596 | * driver_ndis: Disable WZC automatically for the selected interface to | |
1597 | avoid conflicts with two programs trying to control the radio; WZC | |
1598 | will be re-enabled (if it was enabled originally) when wpa_supplicant | |
1599 | is terminated | |
1600 | * added an experimental TLSv1 client implementation | |
1601 | (CONFIG_TLS=internal) that can be used instead of an external TLS | |
1602 | library, e.g., to reduce total size requirement on systems that do | |
1603 | not include any TLS library by default (this is not yet complete; | |
1604 | basic functionality is there, but certificate validation is not yet | |
1605 | included) | |
1606 | * added PeerKey handshake implementation for IEEE 802.11e | |
1607 | direct link setup (DLS) to replace STAKey handshake | |
1608 | * fixed WPA PSK update through ctrl_iface for the case where the old | |
1609 | PSK was derived from an ASCII passphrase and the new PSK is set as | |
1610 | a raw PSK (hex string) | |
1611 | * added new configuration option for identifying which network block | |
1612 | was used (id_str in wpa_supplicant.conf; included on | |
1613 | WPA_EVENT_CONNECT monitor event and as WPA_ID_STR environmental | |
1614 | variable in wpa_cli action scripts; in addition WPA_ID variable is | |
1615 | set to the current unique identifier that wpa_supplicant assigned | |
1616 | automatically for the network and that can be used with | |
1617 | GET_NETWORK/SET_NETWORK ctrl_iface commands) | |
1618 | * wpa_cli action script is now called only when the connect/disconnect | |
1619 | status changes or when associating with a different network | |
1620 | * fixed configuration parser not to remove CCMP from group cipher list | |
1621 | if WPA-None (adhoc) is used (pairwise=NONE in that case) | |
1622 | * fixed integrated NDIS events processing not to hang the process due | |
1623 | to a missed change in eloop_win.c API in v0.5.3 [Bug 155] | |
1624 | * added support for EAP Generalized Pre-Shared Key (EAP-GPSK, | |
1625 | draft-clancy-emu-eap-shared-secret-00.txt) | |
1626 | * added Microsoft Visual Studio 2005 solution and project files for | |
1627 | build wpa_supplicant for Windows (see vs2005 subdirectory) | |
1628 | * eloop_win: fixed unregistration of Windows events | |
1629 | * l2_packet_winpcap: fixed a deadlock in deinitializing l2_packet | |
1630 | at the end of RSN pre-authentication and added unregistration of | |
1631 | a Windows event to avoid getting eloop_win stuck with an invalid | |
1632 | handle | |
1633 | * driver_ndis: added support for selecting AP based on BSSID | |
1634 | * added new environmental variable for wpa_cli action scripts: | |
1635 | WPA_CTRL_DIR is the current control interface directory | |
1636 | * driver_ndis: added support for using NDISUIO instead of WinPcap for | |
1637 | OID set/query operations (CONFIG_USE_NDISUIO=y in .config); with new | |
1638 | l2_packet_ndis (CONFIG_L2_PACKET=ndis), this can be used to build | |
1639 | wpa_supplicant without requiring WinPcap; note that using NDISUIO | |
1640 | requires that WZC is disabled (net stop wzcsvc) since NDISUIO allows | |
1641 | only one application to open the device | |
1642 | * changed NDIS driver naming to only include device GUID, e.g., | |
1643 | {7EE3EFE5-C165-472F-986D-F6FBEDFE8C8D}, instead of including WinPcap | |
1644 | specific \Device\NPF_ prefix before the GUID; the prefix is still | |
1645 | allowed for backwards compatibility, but it is not required anymore | |
1646 | when specifying the interface | |
1647 | * driver_ndis: re-initialize driver interface is the adapter is removed | |
1648 | and re-inserted [Bug 159] | |
1649 | * driver_madwifi: fixed TKIP and CCMP sequence number configuration on | |
1650 | big endian hosts [Bug 146] | |
1651 | ||
1652 | 2006-04-27 - v0.5.3 | |
1653 | * fixed EAP-GTC response to include correct user identity when run as | |
1654 | phase 2 method of EAP-FAST (i.e., EAP-FAST did not work in v0.5.2) | |
1655 | * driver_ndis: Fixed encryption mode configuration for unencrypted | |
1656 | networks (some NDIS drivers ignored this, but others, e.g., Broadcom, | |
1657 | refused to associate with open networks) [Bug 106] | |
1658 | * driver_ndis: use BSSID OID polling to detect when IBSS network is | |
1659 | formed even when ndis_events code is included since some NDIS drivers | |
1660 | do not generate media connect events in IBSS mode | |
1661 | * config_winreg: allow global ctrl_interface parameter to be configured | |
1662 | in Windows registry | |
1663 | * config_winreg: added support for saving configuration data into | |
1664 | Windows registry | |
1665 | * added support for controlling network device operational state | |
1666 | (dormant/up) for Linux 2.6.17 to improve DHCP processing (see | |
1667 | http://www.flamewarmaster.de/software/dhcpclient/ for a DHCP client | |
1668 | that can use this information) | |
1669 | * driver_wext: added support for WE-21 change to SSID configuration | |
1670 | * driver_wext: fixed privacy configuration for static WEP keys mode | |
1671 | [Bug 140] | |
1672 | * added an optional driver_ops callback for MLME-SETPROTECTION.request | |
1673 | primitive | |
1674 | * added support for EAP-SAKE (no EAP method number allocated yet, so | |
1675 | this is using the same experimental type 255 as EAP-PSK) | |
1676 | * added support for dynamically loading EAP methods (.so files) instead | |
1677 | of requiring them to be statically linked in; this is disabled by | |
1678 | default (see CONFIG_DYNAMIC_EAP_METHODS in defconfig for information | |
1679 | on how to use this) | |
1680 | ||
1681 | 2006-03-19 - v0.5.2 | |
1682 | * do not try to use USIM APDUs when initializing PC/SC for SIM card | |
1683 | access for a network that has not enabled EAP-AKA | |
1684 | * fixed EAP phase 2 Nak for EAP-{PEAP,TTLS,FAST} (this was broken in | |
1685 | v0.5.1 due to the new support for expanded EAP types) | |
1686 | * added support for generating EAP Expanded Nak | |
1687 | * try to fetch scan results once before requesting new scan when | |
1688 | starting up in ap_scan=1 mode (this can speed up initial association | |
1689 | a lot with, e.g., madwifi-ng driver) | |
1690 | * added support for receiving EAPOL frames from a Linux bridge | |
1691 | interface (-bbr0 on command line) | |
1692 | * fixed EAPOL re-authentication for sessions that used PMKSA caching | |
1693 | * changed EAP method registration to use a dynamic list of methods | |
1694 | instead of a static list generated at build time | |
1695 | * fixed PMKSA cache deinitialization not to use freed memory when | |
1696 | removing PMKSA entries | |
1697 | * fixed a memory leak in EAP-TTLS re-authentication | |
1698 | * reject WPA/WPA2 message 3/4 if it does not include any valid | |
1699 | WPA/RSN IE | |
1700 | * driver_wext: added fallback to use SIOCSIWENCODE for setting auth_alg | |
1701 | if the driver does not support SIOCSIWAUTH | |
1702 | ||
1703 | 2006-01-29 - v0.5.1 | |
1704 | * driver_test: added better support for multiple APs and STAs by using | |
1705 | a directory with sockets that include MAC address for each device in | |
1706 | the name (driver_param=test_dir=/tmp/test) | |
1707 | * added support for EAP expanded type (vendor specific EAP methods) | |
1708 | * added AP_SCAN command into ctrl_iface so that ap_scan configuration | |
1709 | option can be changed if needed | |
1710 | * wpa_cli/wpa_gui: skip non-socket files in control directory when | |
1711 | using UNIX domain sockets; this avoids selecting an incorrect | |
1712 | interface (e.g., a PID file could be in this directory, even though | |
1713 | use of this directory for something else than socket files is not | |
1714 | recommended) | |
1715 | * fixed TLS library deinitialization after RSN pre-authentication not | |
1716 | to disable TLS library for normal authentication | |
1717 | * driver_wext: Remove null-termination from SSID length if the driver | |
1718 | used it; some Linux drivers do this and they were causing problems in | |
1719 | wpa_supplicant not finding matching configuration block. This change | |
1720 | would break a case where the SSID actually ends in '\0', but that is | |
1721 | not likely to happen in real use. | |
1722 | * fixed PMKSA cache processing not to trigger deauthentication if the | |
1723 | current PMKSA cache entry is replaced with a valid new entry | |
1724 | * fixed PC/SC initialization for ap_scan != 1 modes (this fixes | |
1725 | EAP-SIM and EAP-AKA with real SIM/USIM card when using ap_scan=0 or | |
1726 | ap_scan=2) | |
1727 | ||
1728 | 2005-12-18 - v0.5.0 (beginning of 0.5.x development releases) | |
1729 | * added experimental STAKey handshake implementation for IEEE 802.11e | |
1730 | direct link setup (DLS); note: this is disabled by default in both | |
1731 | build and runtime configuration (can be enabled with CONFIG_STAKEY=y | |
1732 | and stakey=1) | |
1733 | * fixed EAP-SIM and EAP-AKA pseudonym and fast re-authentication to | |
1734 | decrypt AT_ENCR_DATA attributes correctly | |
1735 | * fixed EAP-AKA to allow resynchronization within the same session | |
1736 | * made code closer to ANSI C89 standard to make it easier to port to | |
1737 | other C libraries and compilers | |
1738 | * started moving operating system or C library specific functions into | |
1739 | wrapper functions defined in os.h and implemented in os_*.c to make | |
1740 | code more portable | |
1741 | * wpa_supplicant can now be built with Microsoft Visual C++ | |
1742 | (e.g., with the freely available Toolkit 2003 version or Visual | |
1743 | C++ 2005 Express Edition and Platform SDK); see nmake.mak for an | |
1744 | example makefile for nmake | |
1745 | * added support for using Windows registry for command line parameters | |
1746 | (CONFIG_MAIN=main_winsvc) and configuration data | |
1747 | (CONFIG_BACKEND=winreg); see win_example.reg for an example registry | |
1748 | contents; this version can be run both as a Windows service and as a | |
1749 | normal application; 'wpasvc.exe app' to start as applicant, | |
1750 | 'wpasvc.exe reg <full path to wpasvc.exe>' to register a service, | |
1751 | 'net start wpasvc' to start the service, 'wpasvc.exe unreg' to | |
1752 | unregister a service | |
1753 | * made it possible to link ndis_events.exe functionality into | |
1754 | wpa_supplicant.exe by defining CONFIG_NDIS_EVENTS_INTEGRATED | |
1755 | * added better support for multiple control interface backends | |
1756 | (CONFIG_CTRL_IFACE option); currently, 'unix' and 'udp' are supported | |
1757 | * fixed PC/SC code to use correct length for GSM AUTH command buffer | |
1758 | and to not use pioRecvPci with SCardTransmit() calls; these were not | |
1759 | causing visible problems with pcsc-lite, but Windows Winscard.dll | |
1760 | refused the previously used parameters; this fixes EAP-SIM and | |
1761 | EAP-AKA authentication using SIM/USIM card under Windows | |
1762 | * added new event loop implementation for Windows using | |
1763 | WaitForMultipleObject() instead of select() in order to allow waiting | |
1764 | for non-socket objects; this can be selected with | |
1765 | CONFIG_ELOOP=eloop_win in .config | |
1766 | * added support for selecting l2_packet implementation in .config | |
1767 | (CONFIG_L2_PACKET; following options are available now: linux, pcap, | |
1768 | winpcap, freebsd, none) | |
1769 | * added new l2_packet implementation for WinPcap | |
1770 | (CONFIG_L2_PACKET=winpcap) that uses a separate receive thread to | |
1771 | reduce latency in EAPOL receive processing from about 100 ms to about | |
1772 | 3 ms | |
1773 | * added support for EAP-FAST key derivation using other ciphers than | |
1774 | RC4-128-SHA for authentication and AES128-SHA for provisioning | |
1775 | * added support for configuring CA certificate as DER file and as a | |
1776 | configuration blob | |
1777 | * fixed private key configuration as configuration blob and added | |
1778 | support for using PKCS#12 as a blob | |
1779 | * tls_gnutls: added support for using PKCS#12 files; added support for | |
1780 | session resumption | |
1781 | * added support for loading trusted CA certificates from Windows | |
1782 | certificate store: ca_cert="cert_store://<name>", where <name> is | |
1783 | likely CA (Intermediate CA certificates) or ROOT (root certificates) | |
1784 | * added C version of ndis_events.cpp and made it possible to build this | |
1785 | with MinGW so that CONFIG_NDIS_EVENTS_INTEGRATED can be used more | |
1786 | easily on cross-compilation builds | |
1787 | * added wpasvc.exe into Windows binary release; this is an alternative | |
1788 | version of wpa_supplicant.exe with configuration backend using | |
1789 | Windows registry and with the entry point designed to run as a | |
1790 | Windows service | |
1791 | * integrated ndis_events.exe functionality into wpa_supplicant.exe and | |
1792 | wpasvc.exe and removed this additional tool from the Windows binary | |
1793 | release since it is not needed anymore | |
1794 | * load winscard.dll functions dynamically when building with MinGW | |
1795 | since MinGW does not yet include winscard library | |
1796 | ||
1797 | 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases) | |
1798 | * l2_packet_pcap: fixed wired IEEE 802.1X authentication with libpcap | |
1799 | and WinPcap to receive frames sent to PAE group address | |
1800 | * disable EAP state machine when IEEE 802.1X authentication is not used | |
1801 | in order to get rid of bogus "EAP failed" messages | |
1802 | * fixed OpenSSL error reporting to go through all pending errors to | |
1803 | avoid confusing reports of old errors being reported at later point | |
1804 | during handshake | |
1805 | * fixed configuration file updating to not write empty variables | |
1806 | (e.g., proto or key_mgmt) that the file parser would not accept | |
1807 | * fixed ADD_NETWORK ctrl_iface command to use the same default values | |
1808 | for variables as empty network definitions read from config file | |
1809 | would get | |
1810 | * fixed EAP state machine to not discard EAP-Failure messages in many | |
1811 | cases (e.g., during TLS handshake) | |
1812 | * fixed a infinite loop in private key reading if the configured file | |
1813 | cannot be parsed successfully | |
1814 | * driver_madwifi: added support for madwifi-ng | |
1815 | * wpa_gui: do not display password/PSK field contents | |
1816 | * wpa_gui: added CA certificate configuration | |
1817 | * driver_ndis: fixed scan request in ap_scan=2 mode not to change SSID | |
1818 | * driver_ndis: include Beacon IEs in AssocInfo in order to notice if | |
1819 | the new AP is using different WPA/RSN IE | |
1820 | * use longer timeout for IEEE 802.11 association to avoid problems with | |
1821 | drivers that may take more than five second to associate | |
1822 | ||
1823 | 2005-10-27 - v0.4.6 | |
1824 | * allow fallback to WPA, if mixed WPA+WPA2 networks have mismatch in | |
1825 | RSN IE, but WPA IE would match with wpa_supplicant configuration | |
1826 | * added support for named configuration blobs in order to avoid having | |
1827 | to use file system for external files (e.g., certificates); | |
1828 | variables can be set to "blob://<blob name>" instead of file path to | |
1829 | use a named blob; supported fields: pac_file, client_cert, | |
1830 | private_key | |
1831 | * fixed RSN pre-authentication (it was broken in the clean up of WPA | |
1832 | state machine interface in v0.4.5) | |
1833 | * driver_madwifi: set IEEE80211_KEY_GROUP flag for group keys to make | |
1834 | sure the driver configures broadcast decryption correctly | |
1835 | * added ca_path (and ca_path2) configuration variables that can be used | |
1836 | to configure OpenSSL CA path, e.g., /etc/ssl/certs, for using the | |
1837 | system-wide trusted CA list | |
1838 | * added support for starting wpa_supplicant without a configuration | |
1839 | file (-C argument must be used to set ctrl_interface parameter for | |
1840 | this case; in addition, -p argument can be used to provide | |
1841 | driver_param; these new arguments can also be used with a | |
1842 | configuration to override the values from the configuration) | |
1843 | * added global control interface that can be optionally used for adding | |
1844 | and removing network interfaces dynamically (-g command line argument | |
1845 | for both wpa_supplicant and wpa_cli) without having to restart | |
1846 | wpa_supplicant process | |
1847 | * wpa_gui: | |
1848 | - try to save configuration whenever something is modified | |
1849 | - added WEP key configuration | |
1850 | - added possibility to edit the current network configuration | |
1851 | * driver_ndis: fixed driver polling not to increase frequency on each | |
1852 | received EAPOL frame due to incorrectly cancelled timeout | |
1853 | * added simple configuration file examples (in examples subdirectory) | |
1854 | * fixed driver_wext.c to filter wireless events based on ifindex to | |
1855 | avoid interfaces receiving events from other interfaces | |
1856 | * delay sending initial EAPOL-Start couple of seconds to speed up | |
1857 | authentication for the most common case of Authenticator starting | |
1858 | EAP authentication immediately after association | |
1859 | ||
1860 | 2005-09-25 - v0.4.5 | |
1861 | * added a workaround for clearing keys with ndiswrapper to allow | |
1862 | roaming from WPA enabled AP to plaintext one | |
1863 | * added docbook documentation (doc/docbook) that can be used to | |
1864 | generate, e.g., man pages | |
1865 | * l2_packet_linux: use socket type SOCK_DGRAM instead of SOCK_RAW for | |
1866 | PF_PACKET in order to prepare for network devices that do not use | |
1867 | Ethernet headers (e.g., network stack with native IEEE 802.11 frames) | |
1868 | * use receipt of EAPOL-Key frame as a lower layer success indication | |
1869 | for EAP state machine to allow recovery from dropped EAP-Success | |
1870 | frame | |
1871 | * cleaned up internal EAPOL frame processing by not including link | |
1872 | layer (Ethernet) header during WPA and EAPOL/EAP processing; this | |
1873 | header is added only when transmitted the frame; this makes it easier | |
1874 | to use wpa_supplicant on link layers that use different header than | |
1875 | Ethernet | |
1876 | * updated EAP-PSK to use draft 9 by default since this can now be | |
1877 | tested with hostapd; removed support for draft 3, including | |
1878 | server_nai configuration option from network blocks | |
1879 | * driver_wired: add PAE address to the multicast address list in order | |
1880 | to be able to receive EAPOL frames with drivers that do not include | |
1881 | these multicast addresses by default | |
1882 | * driver_wext: add support for WE-19 | |
1883 | * added support for multiple configuration backends (CONFIG_BACKEND | |
1884 | option); currently, only 'file' is supported (i.e., the format used | |
1885 | in wpa_supplicant.conf) | |
1886 | * added support for updating configuration ('wpa_cli save_config'); | |
1887 | this is disabled by default and can be enabled with global | |
1888 | update_config=1 variable in wpa_supplicant.conf; this allows wpa_cli | |
1889 | and wpa_gui to store the configuration changes in a permanent store | |
1890 | * added GET_NETWORK ctrl_iface command | |
1891 | (e.g., 'wpa_cli get_network 0 ssid') | |
1892 | ||
1893 | 2005-08-21 - v0.4.4 | |
1894 | * replaced OpenSSL patch for EAP-FAST support | |
1895 | (openssl-tls-extensions.patch) with a more generic and correct | |
1896 | patch (the new patch is not compatible with the previous one, so the | |
1897 | OpenSSL library will need to be patched with the new patch in order | |
1898 | to be able to build wpa_supplicant with EAP-FAST support) | |
1899 | * added support for using Windows certificate store (through CryptoAPI) | |
1900 | for client certificate and private key operations (EAP-TLS) | |
1901 | (see wpa_supplicant.conf for more information on how to configure | |
1902 | this with private_key) | |
1903 | * ported wpa_gui to Windows | |
1904 | * added Qt4 version of wpa_gui (wpa_gui-qt4 directory); this can be | |
1905 | built with the open source version of the Qt4 for Windows | |
1906 | * allow non-WPA modes (e.g., IEEE 802.1X with dynamic WEP) to be used | |
1907 | with drivers that do not support WPA | |
1908 | * ndis_events: fixed Windows 2000 support | |
1909 | * added support for enabling/disabling networks from the list of all | |
1910 | configured networks ('wpa_cli enable_network <network id>' and | |
1911 | 'wpa_cli disable_network <network id>') | |
1912 | * added support for adding and removing network from the current | |
1913 | configuration ('wpa_cli add_network' and 'wpa_cli remove_network | |
1914 | <network id>'); added networks are disabled by default and they can | |
1915 | be enabled with enable_network command once the configuration is done | |
1916 | for the new network; note: configuration file is not yet updated, so | |
1917 | these new networks are lost when wpa_supplicant is restarted | |
1918 | * added support for setting network configuration parameters through | |
1919 | the control interface, for example: | |
1920 | wpa_cli set_network 0 ssid "\"my network\"" | |
1921 | * fixed parsing of strings that include both " and # within double | |
1922 | quoted area (e.g., "start"#end") | |
1923 | * added EAP workaround for PEAP session resumption: allow outer, | |
1924 | i.e., not tunneled, EAP-Success to terminate session since; this can | |
1925 | be disabled with eap_workaround=0 | |
1926 | (this was allowed for PEAPv1 before, but now it is also allowed for | |
1927 | PEAPv0 since at least one RADIUS authentication server seems to be | |
1928 | doing this for PEAPv0, too) | |
1929 | * wpa_gui: added preliminary support for adding new networks to the | |
1930 | wpa_supplicant configuration (double click on the scan results to | |
1931 | open network configuration) | |
1932 | ||
1933 | 2005-06-26 - v0.4.3 | |
1934 | * removed interface for external EAPOL/EAP supplicant (e.g., | |
1935 | Xsupplicant), (CONFIG_XSUPPLICANT_IFACE) since it is not required | |
1936 | anymore and is unlikely to be used by anyone | |
1937 | * driver_ndis: fixed WinPcap 3.0 support | |
1938 | * fixed build with CONFIG_DNET_PCAP=y on Linux | |
1939 | * l2_packet: moved different implementations into separate files | |
1940 | (l2_packet_*.c) | |
1941 | ||
1942 | 2005-06-12 - v0.4.2 | |
1943 | * driver_ipw: updated driver structures to match with ipw2200-1.0.4 | |
1944 | (note: ipw2100-1.1.0 is likely to require an update to work with | |
1945 | this) | |
1946 | * added support for using ap_scan=2 mode with multiple network blocks; | |
1947 | wpa_supplicant will go through the networks one by one until the | |
1948 | driver reports a successful association; this uses the same order for | |
1949 | networks as scan_ssid=1 scans, i.e., the priority field is ignored | |
1950 | and the network block order in the file is used instead | |
1951 | * fixed a potential issue in RSN pre-authentication ending up using | |
1952 | freed memory if pre-authentication times out | |
1953 | * added support for matching alternative subject name extensions of the | |
1954 | authentication server certificate; new configuration variables | |
1955 | altsubject_match and altsubject_match2 | |
1956 | * driver_ndis: added support for IEEE 802.1X authentication with wired | |
1957 | NDIS drivers | |
1958 | * added support for querying private key password (EAP-TLS) through the | |
1959 | control interface (wpa_cli/wpa_gui) if one is not included in the | |
1960 | configuration file | |
1961 | * driver_broadcom: fixed couple of memory leaks in scan result | |
1962 | processing | |
1963 | * EAP-PAX is now registered as EAP type 46 | |
1964 | * fixed EAP-PAX MAC calculation | |
1965 | * fixed EAP-PAX CK and ICK key derivation | |
1966 | * added support for using password with EAP-PAX (as an alternative to | |
1967 | entering key with eappsk); SHA-1 hash of the password will be used as | |
1968 | the key in this case | |
1969 | * added support for arbitrary driver interface parameters through the | |
1970 | configuration file with a new driver_param field; this adds a new | |
1971 | driver_ops function set_param() | |
1972 | * added possibility to override l2_packet module with driver interface | |
1973 | API (new send_eapol handler); this can be used to implement driver | |
1974 | specific TX/RX functions for EAPOL frames | |
1975 | * fixed ctrl_interface_group processing for the case where gid is | |
1976 | entered as a number, not group name | |
1977 | * driver_test: added support for testing hostapd with wpa_supplicant | |
1978 | by using test driver interface without any kernel drivers or network | |
1979 | cards | |
1980 | ||
1981 | 2005-05-22 - v0.4.1 | |
1982 | * driver_madwifi: fixed WPA/WPA2 mode configuration to allow EAPOL | |
1983 | packets to be encrypted; this was apparently broken by the changed | |
1984 | ioctl order in v0.4.0 | |
1985 | * driver_madwifi: added preliminary support for compiling against 'BSD' | |
1986 | branch of madwifi CVS tree | |
1987 | * added support for EAP-MSCHAPv2 password retries within the same EAP | |
1988 | authentication session | |
1989 | * added support for password changes with EAP-MSCHAPv2 (used when the | |
1990 | password has expired) | |
1991 | * added support for reading additional certificates from PKCS#12 files | |
1992 | and adding them to the certificate chain | |
1993 | * fixed association with IEEE 802.1X (no WPA) when dynamic WEP keys | |
1994 | were used | |
1995 | * fixed a possible double free in EAP-TTLS fast-reauthentication when | |
1996 | identity or password is entered through control interface | |
1997 | * display EAP Notification messages to user through control interface | |
1998 | with "CTRL-EVENT-EAP-NOTIFICATION" prefix | |
1999 | * added GUI version of wpa_cli, wpa_gui; this is not build | |
2000 | automatically with 'make'; use 'make wpa_gui' to build (this requires | |
2001 | Qt development tools) | |
2002 | * added 'disconnect' command to control interface for setting | |
2003 | wpa_supplicant in state where it will not associate before | |
2004 | 'reassociate' command has been used | |
2005 | * added support for selecting a network from the list of all configured | |
2006 | networks ('wpa_cli select_network <network id>'; this disabled all | |
2007 | other networks; to re-enable, 'wpa_cli select_network any') | |
2008 | * added support for getting scan results through control interface | |
2009 | * added EAP workaround for PEAPv1 session resumption: allow outer, | |
2010 | i.e., not tunneled, EAP-Success to terminate session since; this can | |
2011 | be disabled with eap_workaround=0 | |
2012 | ||
2013 | 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases) | |
2014 | * added a new build time option, CONFIG_NO_STDOUT_DEBUG, that can be | |
2015 | used to reduce the size of the wpa_supplicant considerably if | |
2016 | debugging code is not needed | |
2017 | * fixed EAPOL-Key validation to drop packets with invalid Key Data | |
2018 | Length; such frames could have crashed wpa_supplicant due to buffer | |
2019 | overflow | |
2020 | * added support for wired authentication (IEEE 802.1X on wired | |
2021 | Ethernet); driver interface 'wired' | |
2022 | * obsoleted set_wpa() handler in the driver interface API (it can be | |
2023 | replaced by moving enable/disable functionality into init()/deinit()) | |
2024 | (calls to set_wpa() are still present for backwards compatibility, | |
2025 | but they may be removed in the future) | |
2026 | * driver_madwifi: fixed association in plaintext mode | |
2027 | * modified the EAP workaround that accepts EAP-Success with incorrect | |
2028 | Identifier to be even less strict about verification in order to | |
2029 | interoperate with some authentication servers | |
2030 | * added support for sending TLS alerts | |
2031 | * added support for 'any' SSID wildcard; if ssid is not configured or | |
2032 | is set to an empty string, any SSID will be accepted for non-WPA AP | |
2033 | * added support for asking PIN (for SIM) from frontends (e.g., | |
2034 | wpa_cli); if a PIN is needed, but not included in the configuration | |
2035 | file, a control interface request is sent and EAP processing is | |
2036 | delayed until the PIN is available | |
2037 | * added support for using external devices (e.g., a smartcard) for | |
2038 | private key operations in EAP-TLS (CONFIG_SMARTCARD=y in .config); | |
2039 | new wpa_supplicant.conf variables: | |
2040 | - global: opensc_engine_path, pkcs11_engine_path, pkcs11_module_path | |
2041 | - network: engine, engine_id, key_id | |
2042 | * added experimental support for EAP-PAX | |
2043 | * added monitor mode for wpa_cli (-a<path to a program to run>) that | |
2044 | allows external commands (e.g., shell scripts) to be run based on | |
2045 | wpa_supplicant events, e.g., when authentication has been completed | |
2046 | and data connection is ready; other related wpa_cli arguments: | |
2047 | -B (run in background), -P (write PID file); wpa_supplicant has a new | |
2048 | command line argument (-W) that can be used to make it wait until a | |
2049 | control interface command is received in order to avoid missing | |
2050 | events | |
2051 | * added support for opportunistic WPA2 PMKSA key caching (disabled by | |
2052 | default, can be enabled with proactive_key_caching=1) | |
2053 | * fixed RSN IE in 4-Way Handshake message 2/4 for the case where | |
2054 | Authenticator rejects PMKSA caching attempt and the driver is not | |
2055 | using assoc_info events | |
2056 | * added -P<pid file> argument for wpa_supplicant to write the current | |
2057 | process id into a file | |
2058 | ||
2059 | 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) | |
2060 | * added new phase1 option parameter, include_tls_length=1, to force | |
2061 | wpa_supplicant to add TLS Message Length field to all TLS messages | |
2062 | even if the packet is not fragmented; this may be needed with some | |
2063 | authentication servers | |
2064 | * fixed WPA/RSN IE verification in message 3 of 4-Way Handshake when | |
2065 | using drivers that take care of AP selection (e.g., when using | |
2066 | ap_scan=2) | |
2067 | * fixed reprocessing of pending request after ctrl_iface requests for | |
2068 | identity/password/otp | |
2069 | * fixed ctrl_iface requests for identity/password/otp in Phase 2 of | |
2070 | EAP-PEAP and EAP-TTLS | |
2071 | * all drivers using driver_wext: set interface up and select Managed | |
2072 | mode when starting wpa_supplicant; set interface down when exiting | |
2073 | * renamed driver_ipw2100.c to driver_ipw.c since it now supports both | |
2074 | ipw2100 and ipw2200; please note that this also changed the | |
2075 | configuration variable in .config to CONFIG_DRIVER_IPW | |
2076 | ||
2077 | 2005-01-24 - v0.3.6 | |
2078 | * fixed a busy loop introduced in v0.3.5 for scan result processing | |
2079 | when no matching AP is found | |
2080 | ||
2081 | 2005-01-23 - v0.3.5 | |
2082 | * added a workaround for an interoperability issue with a Cisco AP | |
2083 | when using WPA2-PSK | |
2084 | * fixed non-WPA IEEE 802.1X to use the same authentication timeout as | |
2085 | WPA with IEEE 802.1X (i.e., timeout 10 -> 70 sec to allow | |
2086 | retransmission of dropped frames) | |
2087 | * fixed issues with 64-bit CPUs and SHA1 cleanup in previous version | |
2088 | (e.g., segfault when processing EAPOL-Key frames) | |
2089 | * fixed EAP workaround and fast reauthentication configuration for | |
2090 | RSN pre-authentication; previously these were disabled and | |
2091 | pre-authentication would fail if the used authentication server | |
2092 | requires EAP workarounds | |
2093 | * added support for blacklisting APs that fail or timeout | |
2094 | authentication in ap_scan=1 mode so that all APs are tried in cases | |
2095 | where the ones with strongest signal level are failing authentication | |
2096 | * fixed CA certificate loading after a failed EAP-TLS/PEAP/TTLS | |
2097 | authentication attempt | |
2098 | * allow EAP-PEAP/TTLS fast reauthentication only if Phase 2 succeeded | |
2099 | in the previous authentication (previously, only Phase 1 success was | |
2100 | verified) | |
2101 | ||
2102 | 2005-01-09 - v0.3.4 | |
2103 | * added preliminary support for IBSS (ad-hoc) mode configuration | |
2104 | (mode=1 in network block); this included a new key_mgmt mode | |
2105 | WPA-NONE, i.e., TKIP or CCMP with a fixed key (based on psk) and no | |
2106 | key management; see wpa_supplicant.conf for more details and an | |
2107 | example on how to configure this (note: this is currently implemented | |
2108 | only for driver_hostapd.c, but the changes should be trivial to add | |
2109 | in associate() handler for other drivers, too (assuming the driver | |
2110 | supports WPA-None) | |
2111 | * added preliminary port for native Windows (i.e., no cygwin) using | |
2112 | mingw | |
2113 | ||
2114 | 2005-01-02 - v0.3.3 | |
2115 | * added optional support for GNU Readline and History Libraries for | |
2116 | wpa_cli (CONFIG_READLINE) | |
2117 | * cleaned up EAP state machine <-> method interface and number of | |
2118 | small problems with error case processing not terminating on | |
2119 | EAP-Failure but waiting for timeout | |
2120 | * added couple of workarounds for interoperability issues with a | |
2121 | Cisco AP when using WPA2 | |
2122 | * added support for EAP-FAST (draft-cam-winget-eap-fast-00.txt); | |
2123 | Note: This requires a patch for openssl to add support for TLS | |
2124 | extensions and number of workarounds for operations without | |
2125 | certificates. Proof of concept type of experimental patch is | |
2126 | included in openssl-tls-extensions.patch. | |
2127 | ||
2128 | 2004-12-19 - v0.3.2 | |
2129 | * fixed private key loading for cases where passphrase is not set | |
2130 | * fixed Windows/cygwin L2 packet handler freeing; previous version | |
2131 | could cause a segfault when RSN pre-authentication was completed | |
2132 | * added support for PMKSA caching with drivers that generate RSN IEs | |
2133 | (e.g., NDIS); currently, this is only implemented in driver_ndis.c, | |
2134 | but similar code can be easily added to driver_ndiswrapper.c once | |
2135 | ndiswrapper gets full support for RSN PMKSA caching | |
2136 | * improved recovery from PMKID mismatches by requesting full EAP | |
2137 | authentication in case of failed PMKSA caching attempt | |
2138 | * driver_ndis: added support for NDIS NdisMIncidateStatus() events | |
2139 | (this requires that ndis_events is ran while wpa_supplicant is | |
2140 | running) | |
2141 | * driver_ndis: use ADD_WEP/REMOVE_WEP when configuring WEP keys | |
2142 | * added support for driver interfaces to replace the interface name | |
2143 | based on driver/OS specific mapping, e.g., in case of driver_ndis, | |
2144 | this allows the beginning of the adapter description to be used as | |
2145 | the interface name | |
2146 | * added support for CR+LF (Windows-style) line ends in configuration | |
2147 | file | |
2148 | * driver_ndis: enable radio before starting scanning, disable radio | |
2149 | when exiting | |
2150 | * modified association event handler to set portEnabled = FALSE before | |
2151 | clearing port Valid in order to reset EAP state machine and avoid | |
2152 | problems with new authentication getting ignored because of state | |
2153 | machines ending up in AUTHENTICATED/SUCCESS state based on old | |
2154 | information | |
2155 | * added support for driver events to add PMKID candidates in order to | |
2156 | allow drivers to give priority to most likely roaming candidates | |
2157 | * driver_hostap: moved PrivacyInvoked configuration to associate() | |
2158 | function so that this will not be set for plaintext connections | |
2159 | * added KEY_MGMT_802_1X_NO_WPA as a new key_mgmt type so that driver | |
2160 | interface can distinguish plaintext and IEEE 802.1X (no WPA) | |
2161 | authentication | |
2162 | * fixed static WEP key configuration to use broadcast/default type for | |
2163 | all keys (previously, the default TX key was configured as pairwise/ | |
2164 | unicast key) | |
2165 | * driver_ndis: added legacy WPA capability detection for non-WPA2 | |
2166 | drivers | |
2167 | * added support for setting static WEP keys for IEEE 802.1X without | |
2168 | dynamic WEP keying (eapol_flags=0) | |
2169 | ||
2170 | 2004-12-12 - v0.3.1 | |
2171 | * added support for reading PKCS#12 (PFX) files (as a replacement for | |
2172 | PEM/DER) to get certificate and private key (CONFIG_PKCS12) | |
2173 | * fixed compilation with CONFIG_PCSC=y | |
2174 | * added new ap_scan mode, ap_scan=2, for drivers that take care of | |
2175 | association, but need to be configured with security policy and SSID, | |
2176 | e.g., ndiswrapper and NDIS driver; this mode should allow such | |
2177 | drivers to work with hidden SSIDs and optimized roaming; when | |
2178 | ap_scan=2 is used, only the first network block in the configuration | |
2179 | file is used and this configuration should have explicit security | |
2180 | policy (i.e., only one option in the lists) for key_mgmt, pairwise, | |
2181 | group, proto variables | |
2182 | * added experimental port of wpa_supplicant for Windows | |
2183 | - driver_ndis.c driver interface (NDIS OIDs) | |
2184 | - currently, this requires cygwin and WinPcap | |
2185 | - small utility, win_if_list, can be used to get interface name | |
2186 | * control interface can now be removed at build time; add | |
2187 | CONFIG_CTRL_IFACE=y to .config to maintain old functionality | |
2188 | * optional Xsupplicant interface can now be removed at build time; | |
2189 | (CONFIG_XSUPPLICANT_IFACE=y in .config to bring it back) | |
2190 | * added auth_alg to driver interface associate() parameters to make it | |
2191 | easier for drivers to configure authentication algorithm as part of | |
2192 | the association | |
2193 | ||
2194 | 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases) | |
2195 | * driver_broadcom: added new driver interface for Broadcom wl.o driver | |
2196 | (a generic driver for Broadcom IEEE 802.11a/g cards) | |
2197 | * wpa_cli: fixed parsing of -p <path> command line argument | |
2198 | * PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS | |
2199 | ACK, not tunneled EAP-Success (of which only the first byte was | |
2200 | actually send due to a bug in previous code); this seems to | |
2201 | interoperate with most RADIUS servers that implements PEAPv1 | |
2202 | * PEAPv1: added support for terminating PEAP authentication on tunneled | |
2203 | EAP-Success message; this can be configured by adding | |
2204 | peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf | |
2205 | (some RADIUS servers require this whereas others require a tunneled | |
2206 | reply | |
2207 | * PEAPv1: changed phase1 option peaplabel to use default to 0, i.e., to | |
2208 | the old label for key derivation; previously, the default was 1, | |
2209 | but it looks like most existing PEAPv1 implementations use the old | |
2210 | label which is thus more suitable default option | |
2211 | * added support for EAP-PSK (draft-bersani-eap-psk-03.txt) | |
2212 | * fixed parsing of wep_tx_keyidx | |
2213 | * added support for configuring list of allowed Phase 2 EAP types | |
2214 | (for both EAP-PEAP and EAP-TTLS) instead of only one type | |
2215 | * added support for configuring IEEE 802.11 authentication algorithm | |
2216 | (auth_alg; mainly for using Shared Key authentication with static | |
2217 | WEP keys) | |
2218 | * added support for EAP-AKA (with UMTS SIM) | |
2219 | * fixed couple of errors in PCSC handling that could have caused | |
2220 | random-looking errors for EAP-SIM | |
2221 | * added support for EAP-SIM pseudonyms and fast re-authentication | |
2222 | * added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS | |
2223 | session resumption) | |
2224 | * added support for EAP-SIM with two challanges | |
2225 | (phase1="sim_min_num_chal=3" can be used to require three challenges) | |
2226 | * added support for configuring DH/DSA parameters for an ephemeral DH | |
2227 | key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters | |
2228 | dh_file and dh_file2 (phase 2); this adds support for using DSA keys | |
2229 | and optional DH key exchange to achieve forward secracy with RSA keys | |
2230 | * added support for matching subject of the authentication server | |
2231 | certificate with a substring when using EAP-TLS/PEAP/TTLS; new | |
2232 | configuration variables subject_match and subject_match2 | |
2233 | * changed SSID configuration in driver_wext.c (used by many driver | |
2234 | interfaces) to use ssid_len+1 as the length for SSID since some Linux | |
2235 | drivers expect this | |
2236 | * fixed couple of unaligned reads in scan result parsing to fix WPA | |
2237 | connection on some platforms (e.g., ARM) | |
2238 | * added driver interface for Intel ipw2100 driver | |
2239 | * added support for LEAP with WPA | |
2240 | * added support for larger scan results report (old limit was 4 kB of | |
2241 | data, i.e., about 35 or so APs) when using Linux wireless extensions | |
2242 | v17 or newer | |
2243 | * fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start | |
2244 | only if there is a PMKSA cache entry for the current AP | |
2245 | * fixed error handling for case where reading of scan results fails: | |
2246 | must schedule a new scan or wpa_supplicant will remain waiting | |
2247 | forever | |
2248 | * changed debug output to remove shared password/key material by | |
2249 | default; all key information can be included with -K command line | |
2250 | argument to match the previous behavior | |
2251 | * added support for timestamping debug log messages (disabled by | |
2252 | default, can be enabled with -t command line argument) | |
2253 | * set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104 | |
2254 | if keys are not configured to be used; this fixes IEEE 802.1X mode | |
2255 | with drivers that use this information to configure whether Privacy | |
2256 | bit can be in Beacon frames (e.g., ndiswrapper) | |
2257 | * avoid clearing driver keys if no keys have been configured since last | |
2258 | key clear request; this seems to improve reliability of group key | |
2259 | handshake for ndiswrapper & NDIS driver which seems to be suffering | |
2260 | of some kind of timing issue when the keys are cleared again after | |
2261 | association | |
2262 | * changed driver interface API: | |
2263 | - WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which | |
2264 | version is being used (now, this is set to 2; previously, it was | |
2265 | not defined) | |
2266 | - pass pointer to private data structure to all calls | |
2267 | - the new API is not backwards compatible; all in-tree driver | |
2268 | interfaces has been converted to the new API | |
2269 | * added support for controlling multiple interfaces (radios) per | |
2270 | wpa_supplicant process; each interface needs to be listed on the | |
2271 | command line (-c, -i, -D arguments) with -N as a separator | |
2272 | (-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi) | |
2273 | * added a workaround for EAP servers that incorrectly use same Id for | |
2274 | sequential EAP packets | |
2275 | * changed libpcap/libdnet configuration to use .config variable, | |
2276 | CONFIG_DNET_PCAP, instead of requiring Makefile modification | |
2277 | * improved downgrade attack detection in IE verification of msg 3/4: | |
2278 | verify both WPA and RSN IEs, if present, not only the selected one; | |
2279 | reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or | |
2280 | Probe Response frame, and RSN is enabled in wpa_supplicant | |
2281 | configuration | |
2282 | * fixed WPA msg 3/4 processing to allow Key Data field contain other | |
2283 | IEs than just one WPA IE | |
2284 | * added support for FreeBSD and driver interface for the BSD net80211 | |
2285 | layer (CONFIG_DRIVER_BSD=y in .config); please note that some of the | |
2286 | required kernel mods have not yet been committed | |
2287 | * made EAP workarounds configurable; enabled by default, can be | |
2288 | disabled with network block option eap_workaround=0 | |
2289 | ||
2290 | 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases) | |
2291 | * resolved couple of interoperability issues with EAP-PEAPv1 and | |
2292 | Phase 2 (inner EAP) fragment reassembly | |
2293 | * driver_madwifi: fixed WEP key configuration for IEEE 802.1X when the | |
2294 | AP is using non-zero key index for the unicast key and key index zero | |
2295 | for the broadcast key | |
2296 | * driver_hostap: fixed IEEE 802.1X WEP key updates and | |
2297 | re-authentication by allowing unencrypted EAPOL frames when not using | |
2298 | WPA | |
2299 | * added a new driver interface, 'wext', which uses only standard, | |
2300 | driver independent functionality in Linux wireless extensions; | |
2301 | currently, this can be used only for non-WPA IEEE 802.1X mode, but | |
2302 | eventually, this is to be extended to support full WPA/WPA2 once | |
2303 | Linux wireless extensions get support for this | |
2304 | * added support for mode in which the driver is responsible for AP | |
2305 | scanning and selection; this is disabled by default and can be | |
2306 | enabled with global ap_scan=0 variable in wpa_supplicant.conf; | |
2307 | this mode can be used, e.g., with generic 'wext' driver interface to | |
2308 | use wpa_supplicant as IEEE 802.1X Supplicant with any Linux driver | |
2309 | supporting wireless extensions. | |
2310 | * driver_madwifi: fixed WPA2 configuration and scan_ssid=1 (e.g., | |
2311 | operation with an AP that does not include SSID in the Beacon frames) | |
2312 | * added support for new EAP authentication methods: | |
2313 | EAP-TTLS/EAP-OTP, EAP-PEAPv0/OTP, EAP-PEAPv1/OTP, EAP-OTP | |
2314 | * added support for asking one-time-passwords from frontends (e.g., | |
2315 | wpa_cli); this 'otp' command works otherwise like 'password' command, | |
2316 | but the password is used only once and the frontend will be asked for | |
2317 | a new password whenever a request from authenticator requires a | |
2318 | password; this can be used with both EAP-OTP and EAP-GTC | |
2319 | * changed wpa_cli to automatically re-establish connection so that it | |
2320 | does not need to be re-started when wpa_supplicant is terminated and | |
2321 | started again | |
2322 | * improved user data (identity/password/otp) requests through | |
2323 | frontends: process pending EAPOL packets after getting new | |
2324 | information so that full authentication does not need to be | |
2325 | restarted; in addition, send pending requests again whenever a new | |
2326 | frontend is attached | |
2327 | * changed control frontends to use a new directory for socket files to | |
2328 | make it easier for wpa_cli to automatically select between interfaces | |
2329 | and to provide access control for the control interface; | |
2330 | wpa_supplicant.conf: ctrl_interface is now a path | |
2331 | (/var/run/wpa_supplicant is the recommended path) and | |
2332 | ctrl_interface_group can be used to select which group gets access to | |
2333 | the control interface; | |
2334 | wpa_cli: by default, try to connect to the first interface available | |
2335 | in /var/run/wpa_supplicant; this path can be overriden with -p option | |
2336 | and an interface can be selected with -i option (i.e., in most common | |
2337 | cases, wpa_cli does not need to get any arguments) | |
2338 | * added support for LEAP | |
2339 | * added driver interface for Linux ndiswrapper | |
2340 | * added priority option for network blocks in the configuration file; | |
2341 | this allows networks to be grouped based on priority (the scan | |
2342 | results are searched for matches with network blocks in this order) | |
2343 | ||
2344 | 2004-06-20 - v0.2.3 | |
2345 | * sort scan results to improve AP selection | |
2346 | * fixed control interface socket removal for some error cases | |
2347 | * improved scan requesting and authentication timeout | |
2348 | * small improvements/bug fixes for EAP-MSCHAPv2, EAP-PEAP, and | |
2349 | TLS processing | |
2350 | * PEAP version can now be forced with phase1="peapver=<ver>" | |
2351 | (mostly for testing; by default, the highest version supported by | |
2352 | both the Supplicant and Authentication Server is selected | |
2353 | automatically) | |
2354 | * added support for madwifi driver (Atheros ar521x) | |
2355 | * added a workaround for cases where AP sets Install Tx/Rx bit for | |
2356 | WPA Group Key messages when pairwise keys are used (without this, | |
2357 | the Group Key would be used for Tx and the AP would drop frames | |
2358 | from the station) | |
2359 | * added GSM SIM/USIM interface for GSM authentication algorithm for | |
2360 | EAP-SIM; this requires pcsc-lite | |
2361 | * added support for ATMEL AT76C5XXx driver | |
2362 | * fixed IEEE 802.1X WEP key derivation in the case where Authenticator | |
2363 | does not include key data in the EAPOL-Key frame (i.e., part of | |
2364 | EAP keying material is used as data encryption key) | |
2365 | * added support for using plaintext and static WEP networks | |
2366 | (key_mgmt=NONE) | |
2367 | ||
2368 | 2004-05-31 - v0.2.2 | |
2369 | * added support for new EAP authentication methods: | |
2370 | EAP-TTLS/EAP-MD5-Challenge | |
2371 | EAP-TTLS/EAP-GTC | |
2372 | EAP-TTLS/EAP-MSCHAPv2 | |
2373 | EAP-TTLS/EAP-TLS | |
2374 | EAP-TTLS/MSCHAPv2 | |
2375 | EAP-TTLS/MSCHAP | |
2376 | EAP-TTLS/PAP | |
2377 | EAP-TTLS/CHAP | |
2378 | EAP-PEAP/TLS | |
2379 | EAP-PEAP/GTC | |
2380 | EAP-PEAP/MD5-Challenge | |
2381 | EAP-GTC | |
2382 | EAP-SIM (not yet complete; needs GSM/SIM authentication interface) | |
2383 | * added support for anonymous identity (to be used when identity is | |
2384 | sent in plaintext; real identity will be used within TLS protected | |
2385 | tunnel (e.g., with EAP-TTLS) | |
2386 | * added event messages from wpa_supplicant to frontends, e.g., wpa_cli | |
2387 | * added support for requesting identity and password information using | |
2388 | control interface; in other words, the password for EAP-PEAP or | |
2389 | EAP-TTLS does not need to be included in the configuration file since | |
2390 | a frontand (e.g., wpa_cli) can ask it from the user | |
2391 | * improved RSN pre-authentication to use a candidate list and process | |
2392 | all candidates from each scan; not only one per scan | |
2393 | * fixed RSN IE and WPA IE capabilities field parsing | |
2394 | * ignore Tx bit in GTK IE when Pairwise keys are used | |
2395 | * avoid making new scan requests during IEEE 802.1X negotiation | |
2396 | * use openssl/libcrypto for MD5 and SHA-1 when compiling wpa_supplicant | |
2397 | with TLS support (this replaces the included implementation with | |
2398 | library code to save about 8 kB since the library code is needed | |
2399 | anyway for TLS) | |
2400 | * fixed WPA-PSK only mode when compiled without IEEE 802.1X support | |
2401 | (i.e., without CONFIG_IEEE8021X_EAPOL=y in .config) | |
2402 | ||
2403 | 2004-05-06 - v0.2.1 | |
2404 | * added support for internal IEEE 802.1X (actually, IEEE 802.1aa/D6.1) | |
2405 | Supplicant | |
2406 | - EAPOL state machines for Supplicant [IEEE 802.1aa/D6.1] | |
2407 | - EAP peer state machine [draft-ietf-eap-statemachine-02.pdf] | |
2408 | - EAP-MD5 (cannot be used with WPA-RADIUS) | |
2409 | [draft-ietf-eap-rfc2284bis-09.txt] | |
2410 | - EAP-TLS [RFC 2716] | |
2411 | - EAP-MSCHAPv2 (currently used only with EAP-PEAP) | |
2412 | - EAP-PEAP/MSCHAPv2 [draft-josefsson-pppext-eap-tls-eap-07.txt] | |
2413 | [draft-kamath-pppext-eap-mschapv2-00.txt] | |
2414 | (PEAP version 0, 1, and parts of 2; only 0 and 1 are enabled by | |
2415 | default; tested with FreeRADIUS, Microsoft IAS, and Funk Odyssey) | |
2416 | - new configuration file options: eap, identity, password, ca_cert, | |
2417 | client_cert, privatekey, private_key_passwd | |
2418 | - Xsupplicant is not required anymore, but it can be used by | |
2419 | disabling the internal IEEE 802.1X Supplicant with -e command line | |
2420 | option | |
2421 | - this code is not included in the default build; Makefile need to | |
2422 | be edited for this (uncomment lines for selected functionality) | |
2423 | - EAP-TLS and EAP-PEAP require openssl libraries | |
2424 | * use module prefix in debug messages (WPA, EAP, EAP-TLS, ..) | |
2425 | * added support for non-WPA IEEE 802.1X mode with dynamic WEP keys | |
2426 | (i.e., complete IEEE 802.1X/EAP authentication and use IEEE 802.1X | |
2427 | EAPOL-Key frames instead of WPA key handshakes) | |
2428 | * added support for IEEE 802.11i/RSN (WPA2) | |
2429 | - improved PTK Key Handshake | |
2430 | - PMKSA caching, pre-authentication | |
2431 | * fixed wpa_supplicant to ignore possible extra data after WPA | |
2432 | EAPOL-Key packets (this fixes 'Invalid EAPOL-Key MIC when using | |
2433 | TPTK' error from message 3 of 4-Way Handshake in case the AP | |
2434 | includes extra data after the EAPOL-Key) | |
2435 | * added interface for external programs (frontends) to control | |
2436 | wpa_supplicant | |
2437 | - CLI example (wpa_cli) with interactive mode and command line | |
2438 | mode | |
2439 | - replaced SIGUSR1 status/statistics with the new control interface | |
2440 | * made some feature compile time configurable | |
2441 | - .config file for make | |
2442 | - driver interfaces (hostap, hermes, ..) | |
2443 | - EAPOL/EAP functions | |
2444 | ||
2445 | 2004-02-15 - v0.2.0 | |
2446 | * Initial version of wpa_supplicant |