]>
Commit | Line | Data |
---|---|---|
6fc6879b JM |
1 | ChangeLog for wpa_supplicant |
2 | ||
6e89cc43 | 3 | 2008-11-23 - v0.6.6 |
81eec387 JM |
4 | * added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA |
5 | (can be used to simulate test SIM/USIM card with a known private key; | |
6 | enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config | |
7 | and password="Ki:OPc"/password="Ki:OPc:SQN" in network configuration) | |
581a8cde JM |
8 | * added a new network configuration option, wpa_ptk_rekey, that can be |
9 | used to enforce frequent PTK rekeying, e.g., to mitigate some attacks | |
10 | against TKIP deficiencies | |
46690a3b JM |
11 | * added an optional mitigation mechanism for certain attacks against |
12 | TKIP by delaying Michael MIC error reports by a random amount of time | |
13 | between 0 and 60 seconds; this can be enabled with a build option | |
14 | CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config | |
fa71a1d8 JM |
15 | * fixed EAP-AKA to use RES Length field in AT_RES as length in bits, |
16 | not bytes | |
0cf03892 JM |
17 | * updated OpenSSL code for EAP-FAST to use an updated version of the |
18 | session ticket overriding API that was included into the upstream | |
19 | OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is | |
20 | needed with that version anymore) | |
cd35db9f JM |
21 | * updated userspace MLME instructions to match with the current Linux |
22 | mac80211 implementation; please also note that this can only be used | |
23 | with driver_nl80211.c (the old code from driver_wext.c was removed) | |
e519314e JW |
24 | * added support (Linux only) for RoboSwitch chipsets (often found in |
25 | consumer grade routers); driver interface 'roboswitch' | |
1ac2d4a9 JM |
26 | * fixed canceling of PMKSA caching when using drivers that generate |
27 | RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know | |
28 | about | |
2a24bb31 | 29 | |
988ab690 | 30 | 2008-11-01 - v0.6.5 |
1d8ce433 JM |
31 | * added support for SHA-256 as X.509 certificate digest when using the |
32 | internal X.509/TLSv1 implementation | |
5d22a1d5 | 33 | * updated management frame protection to use IEEE 802.11w/D6.0 |
56586197 JM |
34 | * added support for using SHA256-based stronger key derivation for WPA2 |
35 | (IEEE 802.11w) | |
c6845259 JM |
36 | * fixed FT (IEEE 802.11r) authentication after a failed association to |
37 | use correct FTIE | |
8de59496 JM |
38 | * added support for configuring Phase 2 (inner/tunneled) authentication |
39 | method with wpa_gui-qt4 | |
1d8ce433 | 40 | |
d48ae45b | 41 | 2008-08-10 - v0.6.4 |
7914585f | 42 | * added support for EAP Sequences in EAP-FAST Phase 2 |
4f1c5617 | 43 | * added support for using TNC with EAP-FAST |
b5a357b4 | 44 | * added driver_ps3 for the PS3 Linux wireless driver |
e7d80033 | 45 | * added support for optional cryptobinding with PEAPv0 |
fe2b7dda JM |
46 | * fixed the OpenSSL patches (0.9.8g and 0.9.9) for EAP-FAST to |
47 | allow fallback to full handshake if server rejects PAC-Opaque | |
1b52ea47 | 48 | * added fragmentation support for EAP-TNC |
d952d16d JM |
49 | * added support for parsing PKCS #8 formatted private keys into the |
50 | internal TLS implementation (both PKCS #1 RSA key and PKCS #8 | |
51 | encapsulated RSA key can now be used) | |
b95394c6 JM |
52 | * added option of using faster, but larger, routines in the internal |
53 | LibTomMath (for internal TLS implementation) to speed up DH and RSA | |
54 | calculations (CONFIG_INTERNAL_LIBTOMMATH_FAST=y) | |
3e2ad1b9 JM |
55 | * fixed race condition between disassociation event and group key |
56 | handshake to avoid getting stuck in incorrect state [Bug 261] | |
3ff77e07 | 57 | * fixed opportunistic key caching (proactive_key_caching) |
7914585f | 58 | |
6fc6879b JM |
59 | 2008-02-22 - v0.6.3 |
60 | * removed 'nai' and 'eappsk' network configuration variables that were | |
61 | previously used for configuring user identity and key for EAP-PSK, | |
62 | EAP-PAX, EAP-SAKE, and EAP-GPSK. 'identity' field is now used as the | |
63 | replacement for 'nai' (if old configuration used a separate | |
64 | 'identity' value, that would now be configured as | |
65 | 'anonymous_identity'). 'password' field is now used as the | |
66 | replacement for 'eappsk' (it can also be set using hexstring to | |
67 | present random binary data) | |
68 | * removed '-w' command line parameter (wait for interface to be added, | |
69 | if needed); cleaner way of handling this functionality is to use an | |
70 | external mechanism (e.g., hotplug scripts) that start wpa_supplicant | |
71 | when an interface is added | |
72 | * updated FT support to use the latest draft, IEEE 802.11r/D9.0 | |
73 | * added ctrl_iface monitor event (CTRL-EVENT-SCAN-RESULTS) for | |
74 | indicating when new scan results become available | |
75 | * added new ctrl_iface command, BSS, to allow scan results to be | |
76 | fetched without hitting the message size limits (this command | |
77 | can be used to iterate through the scan results one BSS at the time) | |
78 | * fixed EAP-SIM not to include AT_NONCE_MT and AT_SELECTED_VERSION | |
79 | attributes in EAP-SIM Start/Response when using fast reauthentication | |
80 | * fixed EAPOL not to end up in infinite loop when processing dynamic | |
81 | WEP keys with IEEE 802.1X | |
82 | * fixed problems in getting NDIS events from WMI on Windows 2000 | |
83 | ||
84 | 2008-01-01 - v0.6.2 | |
85 | * added support for Makefile builds to include debug-log-to-a-file | |
86 | functionality (CONFIG_DEBUG_FILE=y and -f<path> on command line) | |
87 | * fixed EAP-SIM and EAP-AKA message parser to validate attribute | |
88 | lengths properly to avoid potential crash caused by invalid messages | |
89 | * added data structure for storing allocated buffers (struct wpabuf); | |
90 | this does not affect wpa_supplicant usage, but many of the APIs | |
91 | changed and various interfaces (e.g., EAP) is not compatible with old | |
92 | versions | |
93 | * added support for protecting EAP-AKA/Identity messages with | |
94 | AT_CHECKCODE (optional feature in RFC 4187) | |
95 | * added support for protected result indication with AT_RESULT_IND for | |
96 | EAP-SIM and EAP-AKA (phase1="result_ind=1") | |
97 | * added driver_wext workaround for race condition between scanning and | |
98 | association with drivers that take very long time to scan all | |
99 | channels (e.g., madwifi with dual-band cards); wpa_supplicant is now | |
100 | using a longer hardcoded timeout for the scan if the driver supports | |
101 | notifications for scan completion (SIOCGIWSCAN event); this helps, | |
102 | e.g., in cases where wpa_supplicant and madwifi driver ended up in | |
103 | loop where the driver did not even try to associate | |
104 | * stop EAPOL timer tick when no timers are in use in order to reduce | |
105 | power consumption (no need to wake up the process once per second) | |
106 | [Bug 237] | |
107 | * added support for privilege separation (run only minimal part of | |
108 | wpa_supplicant functionality as root and rest as unprivileged, | |
109 | non-root process); see 'Privilege separation' in README for details; | |
110 | this is disabled by default and can be enabled with CONFIG_PRIVSEP=y | |
111 | in .config | |
112 | * changed scan results data structure to include all information | |
113 | elements to make it easier to support new IEs; old get_scan_result() | |
114 | driver_ops is still supported for backwards compatibility (results | |
115 | are converted internally to the new format), but all drivers should | |
116 | start using the new get_scan_results2() to make them more likely to | |
117 | work with new features | |
118 | * Qt4 version of wpa_gui (wpa_gui-qt4 subdirectory) is now native Qt4 | |
119 | application, i.e., it does not require Qt3Support anymore; Windows | |
120 | binary of wpa_gui.exe is now from this directory and only requires | |
121 | QtCore4.dll and QtGui4.dll libraries | |
122 | * updated Windows binary build to use Qt 4.3.3 and made Qt DLLs | |
123 | available as a separate package to make wpa_gui installation easier: | |
124 | http://w1.fi/wpa_supplicant/qt4/wpa_gui-qt433-windows-dll.zip | |
125 | * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt); | |
126 | only shared key/password authentication is supported in this version | |
127 | ||
128 | 2007-11-24 - v0.6.1 | |
129 | * added support for configuring password as NtPasswordHash | |
130 | (16-byte MD4 hash of password) in hash:<32 hex digits> format | |
131 | * added support for fallback from abbreviated TLS handshake to | |
132 | full handshake when using EAP-FAST (e.g., due to an expired | |
133 | PAC-Opaque) | |
134 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
135 | draft (draft-ietf-emu-eap-gpsk-07.txt) | |
136 | * added support for drivers that take care of RSN 4-way handshake | |
137 | internally (WPA_DRIVER_FLAGS_4WAY_HANDSHAKE in get_capa flags and | |
138 | WPA_ALG_PMK in set_key) | |
139 | * added an experimental port for Mac OS X (CONFIG_DRIVER_OSX=y in | |
140 | .config); this version supports only ap_scan=2 mode and allow the | |
141 | driver to take care of the 4-way handshake | |
142 | * fixed a buffer overflow in parsing TSF from scan results when using | |
143 | driver_wext.c with a driver that includes the TSF (e.g., iwl4965) | |
144 | [Bug 232] | |
145 | * updated FT support to use the latest draft, IEEE 802.11r/D8.0 | |
146 | * fixed an integer overflow issue in the ASN.1 parser used by the | |
147 | (experimental) internal TLS implementation to avoid a potential | |
148 | buffer read overflow | |
149 | * fixed a race condition with -W option (wait for a control interface | |
150 | monitor before starting) that could have caused the first messages to | |
151 | be lost | |
152 | * added support for processing TNCC-TNCS-Messages to report | |
153 | recommendation (allow/none/isolate) when using TNC [Bug 243] | |
154 | ||
155 | 2007-05-28 - v0.6.0 | |
156 | * added network configuration parameter 'frequency' for setting | |
157 | initial channel for IBSS (adhoc) networks | |
158 | * added experimental IEEE 802.11r/D6.0 support | |
159 | * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48 | |
160 | * updated EAP-PSK to use the IANA-allocated EAP type 47 | |
161 | * fixed EAP-PAX key derivation | |
162 | * fixed EAP-PSK bit ordering of the Flags field | |
163 | * fixed EAP-PEAP/TTLS/FAST to use the correct EAP identifier in | |
164 | tunnelled identity request (previously, the identifier from the outer | |
165 | method was used, not the tunnelled identifier which could be | |
166 | different) | |
167 | * added support for fragmentation of outer TLS packets during Phase 2 | |
168 | of EAP-PEAP/TTLS/FAST | |
169 | * fixed EAP-TTLS AVP parser processing for too short AVP lengths | |
170 | * added support for EAP-FAST authentication with inner methods that | |
171 | generate MSK (e.g., EAP-MSCHAPv2 that was previously only supported | |
172 | for PAC provisioning) | |
173 | * added support for authenticated EAP-FAST provisioning | |
174 | * added support for configuring maximum number of EAP-FAST PACs to | |
175 | store in a PAC list (fast_max_pac_list_len=<max> in phase1 string) | |
176 | * added support for storing EAP-FAST PACs in binary format | |
177 | (fast_pac_format=binary in phase1 string) | |
178 | * fixed dbus ctrl_iface to validate message interface before | |
179 | dispatching to avoid a possible segfault [Bug 190] | |
180 | * fixed PeerKey key derivation to use the correct PRF label | |
181 | * updated Windows binary build to link against OpenSSL 0.9.8d and | |
182 | added support for EAP-FAST | |
183 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
184 | draft (draft-ietf-emu-eap-gpsk-04.txt) | |
185 | * fixed EAP-AKA Notification processing to allow Notification to be | |
186 | processed after AKA Challenge response has been sent | |
187 | * updated to use IEEE 802.11w/D2.0 for management frame protection | |
188 | (still experimental) | |
189 | * fixed EAP-TTLS implementation not to crash on use of freed memory | |
190 | if TLS library initialization fails | |
191 | * added support for EAP-TNC (Trusted Network Connect) | |
192 | (this version implements the EAP-TNC method and EAP-TTLS changes | |
193 | needed to run two methods in sequence (IF-T) and the IF-IMC and | |
194 | IF-TNCCS interfaces from TNCC) | |
195 | ||
196 | 2006-11-24 - v0.5.6 | |
197 | * added experimental, integrated TLSv1 client implementation with the | |
198 | needed X.509/ASN.1/RSA/bignum processing (this can be enabled by | |
199 | setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in | |
200 | .config); this can be useful, e.g., if the target system does not | |
201 | have a suitable TLS library and a minimal code size is required | |
202 | (total size of this internal TLS/crypto code is bit under 50 kB on | |
203 | x86 and the crypto code is shared by rest of the supplicant so some | |
204 | of it was already required; TLSv1/X.509/ASN.1/RSA added about 25 kB) | |
205 | * removed STAKey handshake since PeerKey handshake has replaced it in | |
206 | IEEE 802.11ma and there are no known deployments of STAKey | |
207 | * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest | |
208 | draft (draft-ietf-emu-eap-gpsk-01.txt) | |
209 | * added preliminary implementation of IEEE 802.11w/D1.0 (management | |
210 | frame protection) | |
211 | (Note: this requires driver support to work properly.) | |
212 | (Note2: IEEE 802.11w is an unapproved draft and subject to change.) | |
213 | * fixed Windows named pipes ctrl_iface to not stop listening for | |
214 | commands if client program opens a named pipe and closes it | |
215 | immediately without sending a command | |
216 | * fixed USIM PIN status determination for the case that PIN is not | |
217 | needed (this allows EAP-AKA to be used with USIM cards that do not | |
218 | use PIN) | |
219 | * added support for reading 3G USIM AID from EF_DIR to allow EAP-AKA to | |
220 | be used with cards that do not support file selection based on | |
221 | partial AID | |
222 | * added support for matching the subjectAltName of the authentication | |
223 | server certificate against multiple name components (e.g., | |
224 | altsubject_match="DNS:server.example.com;DNS:server2.example.com") | |
225 | * fixed EAP-SIM/AKA key derivation for re-authentication case (only | |
226 | affects IEEE 802.1X with dynamic WEP keys) | |
227 | * changed ctrl_iface network configuration 'get' operations to not | |
228 | return password/key material; if these fields are requested, "*" | |
229 | will be returned if the password/key is set, but the value of the | |
230 | parameter is not exposed | |
231 | ||
232 | 2006-08-27 - v0.5.5 | |
233 | * added support for building Windows version with UNICODE defined | |
234 | (wide-char functions) | |
235 | * driver_ndis: fixed static WEP configuration to avoid race condition | |
236 | issues with some NDIS drivers between association and setting WEP | |
237 | keys | |
238 | * driver_ndis: added validation for IELength value in scan results to | |
239 | avoid crashes when using buggy NDIS drivers [Bug 165] | |
240 | * fixed Release|Win32 target in the Visual Studio project files | |
241 | (previously, only Debug|Win32 target was set properly) | |
242 | * changed control interface API call wpa_ctrl_pending() to allow it to | |
243 | return -1 on error (e.g., connection lost); control interface clients | |
244 | will need to make sure that they verify that the value is indeed >0 | |
245 | when determining whether there are pending messages | |
246 | * added an alternative control interface backend for Windows targets: | |
247 | Named Pipe (CONFIG_CTRL_IFACE=named_pipe); this is now the default | |
248 | control interface mechanism for Windows builds (previously, UDP to | |
249 | localhost was used) | |
250 | * changed ctrl_interface configuration for UNIX domain sockets: | |
251 | - deprecated ctrl_interface_group variable (it may be removed in | |
252 | future versions) | |
253 | - allow both directory and group be configured with ctrl_interface | |
254 | in following format: DIR=/var/run/wpa_supplicant GROUP=wheel | |
255 | - ctrl_interface=/var/run/wpa_supplicant is still supported for the | |
256 | case when group is not changed | |
257 | * added support for controlling more than one interface per process in | |
258 | Windows version | |
259 | * added a workaround for a case where the AP is using unknown address | |
260 | (e.g., MAC address of the wired interface) as the source address for | |
261 | EAPOL-Key frames; previously, that source address was used as the | |
262 | destination for EAPOL-Key frames and in key derivation; now, BSSID is | |
263 | used even if the source address does not match with it | |
264 | (this resolves an interoperability issue with Thomson SpeedTouch 580) | |
265 | * added a workaround for UDP-based control interface (which was used in | |
266 | Windows builds before this release) to prevent packets with forged | |
267 | addresses from being accepted as local control requests | |
268 | * removed ndis_events.cpp and possibility of using external | |
269 | ndis_events.exe; C version (ndis_events.c) is fully functional and | |
270 | there is no desire to maintain two separate versions of this | |
271 | implementation | |
272 | * ndis_events: Changed NDIS event notification design to use WMI to | |
273 | learn the adapter description through Win32_PnPEntity class; this | |
274 | should fix some cases where the adapter name was not recognized | |
275 | correctly (e.g., with some USB WLAN adapters, e.g., Ralink RT2500 | |
276 | USB) [Bug 113] | |
277 | * fixed selection of the first network in ap_scan=2 mode; previously, | |
278 | wpa_supplicant could get stuck in SCANNING state when only the first | |
279 | network for enabled (e.g., after 'wpa_cli select_network 0') | |
280 | * winsvc: added support for configuring ctrl_interface parameters in | |
281 | registry (ctrl_interface string value in | |
282 | HKLM\SOFTWARE\wpa_supplicant\interfaces\0000 key); this new value is | |
283 | required to enable control interface (previously, this was hardcoded | |
284 | to be enabled) | |
285 | * allow wpa_gui subdirectory to be built with both Qt3 and Qt4 | |
286 | * converted wpa_gui-qt4 subdirectory to use Qt4 specific project format | |
287 | ||
288 | 2006-06-20 - v0.5.4 | |
289 | * fixed build with CONFIG_STAKEY=y [Bug 143] | |
290 | * added support for doing MLME (IEEE 802.11 management frame | |
291 | processing) in wpa_supplicant when using Devicescape IEEE 802.11 | |
292 | stack (wireless-dev.git tree) | |
293 | * added a new network block configuration option, fragment_size, to | |
294 | configure the maximum EAP fragment size | |
295 | * driver_ndis: Disable WZC automatically for the selected interface to | |
296 | avoid conflicts with two programs trying to control the radio; WZC | |
297 | will be re-enabled (if it was enabled originally) when wpa_supplicant | |
298 | is terminated | |
299 | * added an experimental TLSv1 client implementation | |
300 | (CONFIG_TLS=internal) that can be used instead of an external TLS | |
301 | library, e.g., to reduce total size requirement on systems that do | |
302 | not include any TLS library by default (this is not yet complete; | |
303 | basic functionality is there, but certificate validation is not yet | |
304 | included) | |
305 | * added PeerKey handshake implementation for IEEE 802.11e | |
306 | direct link setup (DLS) to replace STAKey handshake | |
307 | * fixed WPA PSK update through ctrl_iface for the case where the old | |
308 | PSK was derived from an ASCII passphrase and the new PSK is set as | |
309 | a raw PSK (hex string) | |
310 | * added new configuration option for identifying which network block | |
311 | was used (id_str in wpa_supplicant.conf; included on | |
312 | WPA_EVENT_CONNECT monitor event and as WPA_ID_STR environmental | |
313 | variable in wpa_cli action scripts; in addition WPA_ID variable is | |
314 | set to the current unique identifier that wpa_supplicant assigned | |
315 | automatically for the network and that can be used with | |
316 | GET_NETWORK/SET_NETWORK ctrl_iface commands) | |
317 | * wpa_cli action script is now called only when the connect/disconnect | |
318 | status changes or when associating with a different network | |
319 | * fixed configuration parser not to remove CCMP from group cipher list | |
320 | if WPA-None (adhoc) is used (pairwise=NONE in that case) | |
321 | * fixed integrated NDIS events processing not to hang the process due | |
322 | to a missed change in eloop_win.c API in v0.5.3 [Bug 155] | |
323 | * added support for EAP Generalized Pre-Shared Key (EAP-GPSK, | |
324 | draft-clancy-emu-eap-shared-secret-00.txt) | |
325 | * added Microsoft Visual Studio 2005 solution and project files for | |
326 | build wpa_supplicant for Windows (see vs2005 subdirectory) | |
327 | * eloop_win: fixed unregistration of Windows events | |
328 | * l2_packet_winpcap: fixed a deadlock in deinitializing l2_packet | |
329 | at the end of RSN pre-authentication and added unregistration of | |
330 | a Windows event to avoid getting eloop_win stuck with an invalid | |
331 | handle | |
332 | * driver_ndis: added support for selecting AP based on BSSID | |
333 | * added new environmental variable for wpa_cli action scripts: | |
334 | WPA_CTRL_DIR is the current control interface directory | |
335 | * driver_ndis: added support for using NDISUIO instead of WinPcap for | |
336 | OID set/query operations (CONFIG_USE_NDISUIO=y in .config); with new | |
337 | l2_packet_ndis (CONFIG_L2_PACKET=ndis), this can be used to build | |
338 | wpa_supplicant without requiring WinPcap; note that using NDISUIO | |
339 | requires that WZC is disabled (net stop wzcsvc) since NDISUIO allows | |
340 | only one application to open the device | |
341 | * changed NDIS driver naming to only include device GUID, e.g., | |
342 | {7EE3EFE5-C165-472F-986D-F6FBEDFE8C8D}, instead of including WinPcap | |
343 | specific \Device\NPF_ prefix before the GUID; the prefix is still | |
344 | allowed for backwards compatibility, but it is not required anymore | |
345 | when specifying the interface | |
346 | * driver_ndis: re-initialize driver interface is the adapter is removed | |
347 | and re-inserted [Bug 159] | |
348 | * driver_madwifi: fixed TKIP and CCMP sequence number configuration on | |
349 | big endian hosts [Bug 146] | |
350 | ||
351 | 2006-04-27 - v0.5.3 | |
352 | * fixed EAP-GTC response to include correct user identity when run as | |
353 | phase 2 method of EAP-FAST (i.e., EAP-FAST did not work in v0.5.2) | |
354 | * driver_ndis: Fixed encryption mode configuration for unencrypted | |
355 | networks (some NDIS drivers ignored this, but others, e.g., Broadcom, | |
356 | refused to associate with open networks) [Bug 106] | |
357 | * driver_ndis: use BSSID OID polling to detect when IBSS network is | |
358 | formed even when ndis_events code is included since some NDIS drivers | |
359 | do not generate media connect events in IBSS mode | |
360 | * config_winreg: allow global ctrl_interface parameter to be configured | |
361 | in Windows registry | |
362 | * config_winreg: added support for saving configuration data into | |
363 | Windows registry | |
364 | * added support for controlling network device operational state | |
365 | (dormant/up) for Linux 2.6.17 to improve DHCP processing (see | |
366 | http://www.flamewarmaster.de/software/dhcpclient/ for a DHCP client | |
367 | that can use this information) | |
368 | * driver_wext: added support for WE-21 change to SSID configuration | |
369 | * driver_wext: fixed privacy configuration for static WEP keys mode | |
370 | [Bug 140] | |
371 | * added an optional driver_ops callback for MLME-SETPROTECTION.request | |
372 | primitive | |
373 | * added support for EAP-SAKE (no EAP method number allocated yet, so | |
374 | this is using the same experimental type 255 as EAP-PSK) | |
375 | * added support for dynamically loading EAP methods (.so files) instead | |
376 | of requiring them to be statically linked in; this is disabled by | |
377 | default (see CONFIG_DYNAMIC_EAP_METHODS in defconfig for information | |
378 | on how to use this) | |
379 | ||
380 | 2006-03-19 - v0.5.2 | |
381 | * do not try to use USIM APDUs when initializing PC/SC for SIM card | |
382 | access for a network that has not enabled EAP-AKA | |
383 | * fixed EAP phase 2 Nak for EAP-{PEAP,TTLS,FAST} (this was broken in | |
384 | v0.5.1 due to the new support for expanded EAP types) | |
385 | * added support for generating EAP Expanded Nak | |
386 | * try to fetch scan results once before requesting new scan when | |
387 | starting up in ap_scan=1 mode (this can speed up initial association | |
388 | a lot with, e.g., madwifi-ng driver) | |
389 | * added support for receiving EAPOL frames from a Linux bridge | |
390 | interface (-bbr0 on command line) | |
391 | * fixed EAPOL re-authentication for sessions that used PMKSA caching | |
392 | * changed EAP method registration to use a dynamic list of methods | |
393 | instead of a static list generated at build time | |
394 | * fixed PMKSA cache deinitialization not to use freed memory when | |
395 | removing PMKSA entries | |
396 | * fixed a memory leak in EAP-TTLS re-authentication | |
397 | * reject WPA/WPA2 message 3/4 if it does not include any valid | |
398 | WPA/RSN IE | |
399 | * driver_wext: added fallback to use SIOCSIWENCODE for setting auth_alg | |
400 | if the driver does not support SIOCSIWAUTH | |
401 | ||
402 | 2006-01-29 - v0.5.1 | |
403 | * driver_test: added better support for multiple APs and STAs by using | |
404 | a directory with sockets that include MAC address for each device in | |
405 | the name (driver_param=test_dir=/tmp/test) | |
406 | * added support for EAP expanded type (vendor specific EAP methods) | |
407 | * added AP_SCAN command into ctrl_iface so that ap_scan configuration | |
408 | option can be changed if needed | |
409 | * wpa_cli/wpa_gui: skip non-socket files in control directory when | |
410 | using UNIX domain sockets; this avoids selecting an incorrect | |
411 | interface (e.g., a PID file could be in this directory, even though | |
412 | use of this directory for something else than socket files is not | |
413 | recommended) | |
414 | * fixed TLS library deinitialization after RSN pre-authentication not | |
415 | to disable TLS library for normal authentication | |
416 | * driver_wext: Remove null-termination from SSID length if the driver | |
417 | used it; some Linux drivers do this and they were causing problems in | |
418 | wpa_supplicant not finding matching configuration block. This change | |
419 | would break a case where the SSID actually ends in '\0', but that is | |
420 | not likely to happen in real use. | |
421 | * fixed PMKSA cache processing not to trigger deauthentication if the | |
422 | current PMKSA cache entry is replaced with a valid new entry | |
423 | * fixed PC/SC initialization for ap_scan != 1 modes (this fixes | |
424 | EAP-SIM and EAP-AKA with real SIM/USIM card when using ap_scan=0 or | |
425 | ap_scan=2) | |
426 | ||
427 | 2005-12-18 - v0.5.0 (beginning of 0.5.x development releases) | |
428 | * added experimental STAKey handshake implementation for IEEE 802.11e | |
429 | direct link setup (DLS); note: this is disabled by default in both | |
430 | build and runtime configuration (can be enabled with CONFIG_STAKEY=y | |
431 | and stakey=1) | |
432 | * fixed EAP-SIM and EAP-AKA pseudonym and fast re-authentication to | |
433 | decrypt AT_ENCR_DATA attributes correctly | |
434 | * fixed EAP-AKA to allow resynchronization within the same session | |
435 | * made code closer to ANSI C89 standard to make it easier to port to | |
436 | other C libraries and compilers | |
437 | * started moving operating system or C library specific functions into | |
438 | wrapper functions defined in os.h and implemented in os_*.c to make | |
439 | code more portable | |
440 | * wpa_supplicant can now be built with Microsoft Visual C++ | |
441 | (e.g., with the freely available Toolkit 2003 version or Visual | |
442 | C++ 2005 Express Edition and Platform SDK); see nmake.mak for an | |
443 | example makefile for nmake | |
444 | * added support for using Windows registry for command line parameters | |
445 | (CONFIG_MAIN=main_winsvc) and configuration data | |
446 | (CONFIG_BACKEND=winreg); see win_example.reg for an example registry | |
447 | contents; this version can be run both as a Windows service and as a | |
448 | normal application; 'wpasvc.exe app' to start as applicant, | |
449 | 'wpasvc.exe reg <full path to wpasvc.exe>' to register a service, | |
450 | 'net start wpasvc' to start the service, 'wpasvc.exe unreg' to | |
451 | unregister a service | |
452 | * made it possible to link ndis_events.exe functionality into | |
453 | wpa_supplicant.exe by defining CONFIG_NDIS_EVENTS_INTEGRATED | |
454 | * added better support for multiple control interface backends | |
455 | (CONFIG_CTRL_IFACE option); currently, 'unix' and 'udp' are supported | |
456 | * fixed PC/SC code to use correct length for GSM AUTH command buffer | |
457 | and to not use pioRecvPci with SCardTransmit() calls; these were not | |
458 | causing visible problems with pcsc-lite, but Windows Winscard.dll | |
459 | refused the previously used parameters; this fixes EAP-SIM and | |
460 | EAP-AKA authentication using SIM/USIM card under Windows | |
461 | * added new event loop implementation for Windows using | |
462 | WaitForMultipleObject() instead of select() in order to allow waiting | |
463 | for non-socket objects; this can be selected with | |
464 | CONFIG_ELOOP=eloop_win in .config | |
465 | * added support for selecting l2_packet implementation in .config | |
466 | (CONFIG_L2_PACKET; following options are available now: linux, pcap, | |
467 | winpcap, freebsd, none) | |
468 | * added new l2_packet implementation for WinPcap | |
469 | (CONFIG_L2_PACKET=winpcap) that uses a separate receive thread to | |
470 | reduce latency in EAPOL receive processing from about 100 ms to about | |
471 | 3 ms | |
472 | * added support for EAP-FAST key derivation using other ciphers than | |
473 | RC4-128-SHA for authentication and AES128-SHA for provisioning | |
474 | * added support for configuring CA certificate as DER file and as a | |
475 | configuration blob | |
476 | * fixed private key configuration as configuration blob and added | |
477 | support for using PKCS#12 as a blob | |
478 | * tls_gnutls: added support for using PKCS#12 files; added support for | |
479 | session resumption | |
480 | * added support for loading trusted CA certificates from Windows | |
481 | certificate store: ca_cert="cert_store://<name>", where <name> is | |
482 | likely CA (Intermediate CA certificates) or ROOT (root certificates) | |
483 | * added C version of ndis_events.cpp and made it possible to build this | |
484 | with MinGW so that CONFIG_NDIS_EVENTS_INTEGRATED can be used more | |
485 | easily on cross-compilation builds | |
486 | * added wpasvc.exe into Windows binary release; this is an alternative | |
487 | version of wpa_supplicant.exe with configuration backend using | |
488 | Windows registry and with the entry point designed to run as a | |
489 | Windows service | |
490 | * integrated ndis_events.exe functionality into wpa_supplicant.exe and | |
491 | wpasvc.exe and removed this additional tool from the Windows binary | |
492 | release since it is not needed anymore | |
493 | * load winscard.dll functions dynamically when building with MinGW | |
494 | since MinGW does not yet include winscard library | |
495 | ||
496 | 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases) | |
497 | * l2_packet_pcap: fixed wired IEEE 802.1X authentication with libpcap | |
498 | and WinPcap to receive frames sent to PAE group address | |
499 | * disable EAP state machine when IEEE 802.1X authentication is not used | |
500 | in order to get rid of bogus "EAP failed" messages | |
501 | * fixed OpenSSL error reporting to go through all pending errors to | |
502 | avoid confusing reports of old errors being reported at later point | |
503 | during handshake | |
504 | * fixed configuration file updating to not write empty variables | |
505 | (e.g., proto or key_mgmt) that the file parser would not accept | |
506 | * fixed ADD_NETWORK ctrl_iface command to use the same default values | |
507 | for variables as empty network definitions read from config file | |
508 | would get | |
509 | * fixed EAP state machine to not discard EAP-Failure messages in many | |
510 | cases (e.g., during TLS handshake) | |
511 | * fixed a infinite loop in private key reading if the configured file | |
512 | cannot be parsed successfully | |
513 | * driver_madwifi: added support for madwifi-ng | |
514 | * wpa_gui: do not display password/PSK field contents | |
515 | * wpa_gui: added CA certificate configuration | |
516 | * driver_ndis: fixed scan request in ap_scan=2 mode not to change SSID | |
517 | * driver_ndis: include Beacon IEs in AssocInfo in order to notice if | |
518 | the new AP is using different WPA/RSN IE | |
519 | * use longer timeout for IEEE 802.11 association to avoid problems with | |
520 | drivers that may take more than five second to associate | |
521 | ||
522 | 2005-10-27 - v0.4.6 | |
523 | * allow fallback to WPA, if mixed WPA+WPA2 networks have mismatch in | |
524 | RSN IE, but WPA IE would match with wpa_supplicant configuration | |
525 | * added support for named configuration blobs in order to avoid having | |
526 | to use file system for external files (e.g., certificates); | |
527 | variables can be set to "blob://<blob name>" instead of file path to | |
528 | use a named blob; supported fields: pac_file, client_cert, | |
529 | private_key | |
530 | * fixed RSN pre-authentication (it was broken in the clean up of WPA | |
531 | state machine interface in v0.4.5) | |
532 | * driver_madwifi: set IEEE80211_KEY_GROUP flag for group keys to make | |
533 | sure the driver configures broadcast decryption correctly | |
534 | * added ca_path (and ca_path2) configuration variables that can be used | |
535 | to configure OpenSSL CA path, e.g., /etc/ssl/certs, for using the | |
536 | system-wide trusted CA list | |
537 | * added support for starting wpa_supplicant without a configuration | |
538 | file (-C argument must be used to set ctrl_interface parameter for | |
539 | this case; in addition, -p argument can be used to provide | |
540 | driver_param; these new arguments can also be used with a | |
541 | configuration to override the values from the configuration) | |
542 | * added global control interface that can be optionally used for adding | |
543 | and removing network interfaces dynamically (-g command line argument | |
544 | for both wpa_supplicant and wpa_cli) without having to restart | |
545 | wpa_supplicant process | |
546 | * wpa_gui: | |
547 | - try to save configuration whenever something is modified | |
548 | - added WEP key configuration | |
549 | - added possibility to edit the current network configuration | |
550 | * driver_ndis: fixed driver polling not to increase frequency on each | |
551 | received EAPOL frame due to incorrectly cancelled timeout | |
552 | * added simple configuration file examples (in examples subdirectory) | |
553 | * fixed driver_wext.c to filter wireless events based on ifindex to | |
554 | avoid interfaces receiving events from other interfaces | |
555 | * delay sending initial EAPOL-Start couple of seconds to speed up | |
556 | authentication for the most common case of Authenticator starting | |
557 | EAP authentication immediately after association | |
558 | ||
559 | 2005-09-25 - v0.4.5 | |
560 | * added a workaround for clearing keys with ndiswrapper to allow | |
561 | roaming from WPA enabled AP to plaintext one | |
562 | * added docbook documentation (doc/docbook) that can be used to | |
563 | generate, e.g., man pages | |
564 | * l2_packet_linux: use socket type SOCK_DGRAM instead of SOCK_RAW for | |
565 | PF_PACKET in order to prepare for network devices that do not use | |
566 | Ethernet headers (e.g., network stack with native IEEE 802.11 frames) | |
567 | * use receipt of EAPOL-Key frame as a lower layer success indication | |
568 | for EAP state machine to allow recovery from dropped EAP-Success | |
569 | frame | |
570 | * cleaned up internal EAPOL frame processing by not including link | |
571 | layer (Ethernet) header during WPA and EAPOL/EAP processing; this | |
572 | header is added only when transmitted the frame; this makes it easier | |
573 | to use wpa_supplicant on link layers that use different header than | |
574 | Ethernet | |
575 | * updated EAP-PSK to use draft 9 by default since this can now be | |
576 | tested with hostapd; removed support for draft 3, including | |
577 | server_nai configuration option from network blocks | |
578 | * driver_wired: add PAE address to the multicast address list in order | |
579 | to be able to receive EAPOL frames with drivers that do not include | |
580 | these multicast addresses by default | |
581 | * driver_wext: add support for WE-19 | |
582 | * added support for multiple configuration backends (CONFIG_BACKEND | |
583 | option); currently, only 'file' is supported (i.e., the format used | |
584 | in wpa_supplicant.conf) | |
585 | * added support for updating configuration ('wpa_cli save_config'); | |
586 | this is disabled by default and can be enabled with global | |
587 | update_config=1 variable in wpa_supplicant.conf; this allows wpa_cli | |
588 | and wpa_gui to store the configuration changes in a permanent store | |
589 | * added GET_NETWORK ctrl_iface command | |
590 | (e.g., 'wpa_cli get_network 0 ssid') | |
591 | ||
592 | 2005-08-21 - v0.4.4 | |
593 | * replaced OpenSSL patch for EAP-FAST support | |
594 | (openssl-tls-extensions.patch) with a more generic and correct | |
595 | patch (the new patch is not compatible with the previous one, so the | |
596 | OpenSSL library will need to be patched with the new patch in order | |
597 | to be able to build wpa_supplicant with EAP-FAST support) | |
598 | * added support for using Windows certificate store (through CryptoAPI) | |
599 | for client certificate and private key operations (EAP-TLS) | |
600 | (see wpa_supplicant.conf for more information on how to configure | |
601 | this with private_key) | |
602 | * ported wpa_gui to Windows | |
603 | * added Qt4 version of wpa_gui (wpa_gui-qt4 directory); this can be | |
604 | built with the open source version of the Qt4 for Windows | |
605 | * allow non-WPA modes (e.g., IEEE 802.1X with dynamic WEP) to be used | |
606 | with drivers that do not support WPA | |
607 | * ndis_events: fixed Windows 2000 support | |
608 | * added support for enabling/disabling networks from the list of all | |
609 | configured networks ('wpa_cli enable_network <network id>' and | |
610 | 'wpa_cli disable_network <network id>') | |
611 | * added support for adding and removing network from the current | |
612 | configuration ('wpa_cli add_network' and 'wpa_cli remove_network | |
613 | <network id>'); added networks are disabled by default and they can | |
614 | be enabled with enable_network command once the configuration is done | |
615 | for the new network; note: configuration file is not yet updated, so | |
616 | these new networks are lost when wpa_supplicant is restarted | |
617 | * added support for setting network configuration parameters through | |
618 | the control interface, for example: | |
619 | wpa_cli set_network 0 ssid "\"my network\"" | |
620 | * fixed parsing of strings that include both " and # within double | |
621 | quoted area (e.g., "start"#end") | |
622 | * added EAP workaround for PEAP session resumption: allow outer, | |
623 | i.e., not tunneled, EAP-Success to terminate session since; this can | |
624 | be disabled with eap_workaround=0 | |
625 | (this was allowed for PEAPv1 before, but now it is also allowed for | |
626 | PEAPv0 since at least one RADIUS authentication server seems to be | |
627 | doing this for PEAPv0, too) | |
628 | * wpa_gui: added preliminary support for adding new networks to the | |
629 | wpa_supplicant configuration (double click on the scan results to | |
630 | open network configuration) | |
631 | ||
632 | 2005-06-26 - v0.4.3 | |
633 | * removed interface for external EAPOL/EAP supplicant (e.g., | |
634 | Xsupplicant), (CONFIG_XSUPPLICANT_IFACE) since it is not required | |
635 | anymore and is unlikely to be used by anyone | |
636 | * driver_ndis: fixed WinPcap 3.0 support | |
637 | * fixed build with CONFIG_DNET_PCAP=y on Linux | |
638 | * l2_packet: moved different implementations into separate files | |
639 | (l2_packet_*.c) | |
640 | ||
641 | 2005-06-12 - v0.4.2 | |
642 | * driver_ipw: updated driver structures to match with ipw2200-1.0.4 | |
643 | (note: ipw2100-1.1.0 is likely to require an update to work with | |
644 | this) | |
645 | * added support for using ap_scan=2 mode with multiple network blocks; | |
646 | wpa_supplicant will go through the networks one by one until the | |
647 | driver reports a successful association; this uses the same order for | |
648 | networks as scan_ssid=1 scans, i.e., the priority field is ignored | |
649 | and the network block order in the file is used instead | |
650 | * fixed a potential issue in RSN pre-authentication ending up using | |
651 | freed memory if pre-authentication times out | |
652 | * added support for matching alternative subject name extensions of the | |
653 | authentication server certificate; new configuration variables | |
654 | altsubject_match and altsubject_match2 | |
655 | * driver_ndis: added support for IEEE 802.1X authentication with wired | |
656 | NDIS drivers | |
657 | * added support for querying private key password (EAP-TLS) through the | |
658 | control interface (wpa_cli/wpa_gui) if one is not included in the | |
659 | configuration file | |
660 | * driver_broadcom: fixed couple of memory leaks in scan result | |
661 | processing | |
662 | * EAP-PAX is now registered as EAP type 46 | |
663 | * fixed EAP-PAX MAC calculation | |
664 | * fixed EAP-PAX CK and ICK key derivation | |
665 | * added support for using password with EAP-PAX (as an alternative to | |
666 | entering key with eappsk); SHA-1 hash of the password will be used as | |
667 | the key in this case | |
668 | * added support for arbitrary driver interface parameters through the | |
669 | configuration file with a new driver_param field; this adds a new | |
670 | driver_ops function set_param() | |
671 | * added possibility to override l2_packet module with driver interface | |
672 | API (new send_eapol handler); this can be used to implement driver | |
673 | specific TX/RX functions for EAPOL frames | |
674 | * fixed ctrl_interface_group processing for the case where gid is | |
675 | entered as a number, not group name | |
676 | * driver_test: added support for testing hostapd with wpa_supplicant | |
677 | by using test driver interface without any kernel drivers or network | |
678 | cards | |
679 | ||
680 | 2005-05-22 - v0.4.1 | |
681 | * driver_madwifi: fixed WPA/WPA2 mode configuration to allow EAPOL | |
682 | packets to be encrypted; this was apparently broken by the changed | |
683 | ioctl order in v0.4.0 | |
684 | * driver_madwifi: added preliminary support for compiling against 'BSD' | |
685 | branch of madwifi CVS tree | |
686 | * added support for EAP-MSCHAPv2 password retries within the same EAP | |
687 | authentication session | |
688 | * added support for password changes with EAP-MSCHAPv2 (used when the | |
689 | password has expired) | |
690 | * added support for reading additional certificates from PKCS#12 files | |
691 | and adding them to the certificate chain | |
692 | * fixed association with IEEE 802.1X (no WPA) when dynamic WEP keys | |
693 | were used | |
694 | * fixed a possible double free in EAP-TTLS fast-reauthentication when | |
695 | identity or password is entered through control interface | |
696 | * display EAP Notification messages to user through control interface | |
697 | with "CTRL-EVENT-EAP-NOTIFICATION" prefix | |
698 | * added GUI version of wpa_cli, wpa_gui; this is not build | |
699 | automatically with 'make'; use 'make wpa_gui' to build (this requires | |
700 | Qt development tools) | |
701 | * added 'disconnect' command to control interface for setting | |
702 | wpa_supplicant in state where it will not associate before | |
703 | 'reassociate' command has been used | |
704 | * added support for selecting a network from the list of all configured | |
705 | networks ('wpa_cli select_network <network id>'; this disabled all | |
706 | other networks; to re-enable, 'wpa_cli select_network any') | |
707 | * added support for getting scan results through control interface | |
708 | * added EAP workaround for PEAPv1 session resumption: allow outer, | |
709 | i.e., not tunneled, EAP-Success to terminate session since; this can | |
710 | be disabled with eap_workaround=0 | |
711 | ||
712 | 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases) | |
713 | * added a new build time option, CONFIG_NO_STDOUT_DEBUG, that can be | |
714 | used to reduce the size of the wpa_supplicant considerably if | |
715 | debugging code is not needed | |
716 | * fixed EAPOL-Key validation to drop packets with invalid Key Data | |
717 | Length; such frames could have crashed wpa_supplicant due to buffer | |
718 | overflow | |
719 | * added support for wired authentication (IEEE 802.1X on wired | |
720 | Ethernet); driver interface 'wired' | |
721 | * obsoleted set_wpa() handler in the driver interface API (it can be | |
722 | replaced by moving enable/disable functionality into init()/deinit()) | |
723 | (calls to set_wpa() are still present for backwards compatibility, | |
724 | but they may be removed in the future) | |
725 | * driver_madwifi: fixed association in plaintext mode | |
726 | * modified the EAP workaround that accepts EAP-Success with incorrect | |
727 | Identifier to be even less strict about verification in order to | |
728 | interoperate with some authentication servers | |
729 | * added support for sending TLS alerts | |
730 | * added support for 'any' SSID wildcard; if ssid is not configured or | |
731 | is set to an empty string, any SSID will be accepted for non-WPA AP | |
732 | * added support for asking PIN (for SIM) from frontends (e.g., | |
733 | wpa_cli); if a PIN is needed, but not included in the configuration | |
734 | file, a control interface request is sent and EAP processing is | |
735 | delayed until the PIN is available | |
736 | * added support for using external devices (e.g., a smartcard) for | |
737 | private key operations in EAP-TLS (CONFIG_SMARTCARD=y in .config); | |
738 | new wpa_supplicant.conf variables: | |
739 | - global: opensc_engine_path, pkcs11_engine_path, pkcs11_module_path | |
740 | - network: engine, engine_id, key_id | |
741 | * added experimental support for EAP-PAX | |
742 | * added monitor mode for wpa_cli (-a<path to a program to run>) that | |
743 | allows external commands (e.g., shell scripts) to be run based on | |
744 | wpa_supplicant events, e.g., when authentication has been completed | |
745 | and data connection is ready; other related wpa_cli arguments: | |
746 | -B (run in background), -P (write PID file); wpa_supplicant has a new | |
747 | command line argument (-W) that can be used to make it wait until a | |
748 | control interface command is received in order to avoid missing | |
749 | events | |
750 | * added support for opportunistic WPA2 PMKSA key caching (disabled by | |
751 | default, can be enabled with proactive_key_caching=1) | |
752 | * fixed RSN IE in 4-Way Handshake message 2/4 for the case where | |
753 | Authenticator rejects PMKSA caching attempt and the driver is not | |
754 | using assoc_info events | |
755 | * added -P<pid file> argument for wpa_supplicant to write the current | |
756 | process id into a file | |
757 | ||
758 | 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) | |
759 | * added new phase1 option parameter, include_tls_length=1, to force | |
760 | wpa_supplicant to add TLS Message Length field to all TLS messages | |
761 | even if the packet is not fragmented; this may be needed with some | |
762 | authentication servers | |
763 | * fixed WPA/RSN IE verification in message 3 of 4-Way Handshake when | |
764 | using drivers that take care of AP selection (e.g., when using | |
765 | ap_scan=2) | |
766 | * fixed reprocessing of pending request after ctrl_iface requests for | |
767 | identity/password/otp | |
768 | * fixed ctrl_iface requests for identity/password/otp in Phase 2 of | |
769 | EAP-PEAP and EAP-TTLS | |
770 | * all drivers using driver_wext: set interface up and select Managed | |
771 | mode when starting wpa_supplicant; set interface down when exiting | |
772 | * renamed driver_ipw2100.c to driver_ipw.c since it now supports both | |
773 | ipw2100 and ipw2200; please note that this also changed the | |
774 | configuration variable in .config to CONFIG_DRIVER_IPW | |
775 | ||
776 | 2005-01-24 - v0.3.6 | |
777 | * fixed a busy loop introduced in v0.3.5 for scan result processing | |
778 | when no matching AP is found | |
779 | ||
780 | 2005-01-23 - v0.3.5 | |
781 | * added a workaround for an interoperability issue with a Cisco AP | |
782 | when using WPA2-PSK | |
783 | * fixed non-WPA IEEE 802.1X to use the same authentication timeout as | |
784 | WPA with IEEE 802.1X (i.e., timeout 10 -> 70 sec to allow | |
785 | retransmission of dropped frames) | |
786 | * fixed issues with 64-bit CPUs and SHA1 cleanup in previous version | |
787 | (e.g., segfault when processing EAPOL-Key frames) | |
788 | * fixed EAP workaround and fast reauthentication configuration for | |
789 | RSN pre-authentication; previously these were disabled and | |
790 | pre-authentication would fail if the used authentication server | |
791 | requires EAP workarounds | |
792 | * added support for blacklisting APs that fail or timeout | |
793 | authentication in ap_scan=1 mode so that all APs are tried in cases | |
794 | where the ones with strongest signal level are failing authentication | |
795 | * fixed CA certificate loading after a failed EAP-TLS/PEAP/TTLS | |
796 | authentication attempt | |
797 | * allow EAP-PEAP/TTLS fast reauthentication only if Phase 2 succeeded | |
798 | in the previous authentication (previously, only Phase 1 success was | |
799 | verified) | |
800 | ||
801 | 2005-01-09 - v0.3.4 | |
802 | * added preliminary support for IBSS (ad-hoc) mode configuration | |
803 | (mode=1 in network block); this included a new key_mgmt mode | |
804 | WPA-NONE, i.e., TKIP or CCMP with a fixed key (based on psk) and no | |
805 | key management; see wpa_supplicant.conf for more details and an | |
806 | example on how to configure this (note: this is currently implemented | |
807 | only for driver_hostapd.c, but the changes should be trivial to add | |
808 | in associate() handler for other drivers, too (assuming the driver | |
809 | supports WPA-None) | |
810 | * added preliminary port for native Windows (i.e., no cygwin) using | |
811 | mingw | |
812 | ||
813 | 2005-01-02 - v0.3.3 | |
814 | * added optional support for GNU Readline and History Libraries for | |
815 | wpa_cli (CONFIG_READLINE) | |
816 | * cleaned up EAP state machine <-> method interface and number of | |
817 | small problems with error case processing not terminating on | |
818 | EAP-Failure but waiting for timeout | |
819 | * added couple of workarounds for interoperability issues with a | |
820 | Cisco AP when using WPA2 | |
821 | * added support for EAP-FAST (draft-cam-winget-eap-fast-00.txt); | |
822 | Note: This requires a patch for openssl to add support for TLS | |
823 | extensions and number of workarounds for operations without | |
824 | certificates. Proof of concept type of experimental patch is | |
825 | included in openssl-tls-extensions.patch. | |
826 | ||
827 | 2004-12-19 - v0.3.2 | |
828 | * fixed private key loading for cases where passphrase is not set | |
829 | * fixed Windows/cygwin L2 packet handler freeing; previous version | |
830 | could cause a segfault when RSN pre-authentication was completed | |
831 | * added support for PMKSA caching with drivers that generate RSN IEs | |
832 | (e.g., NDIS); currently, this is only implemented in driver_ndis.c, | |
833 | but similar code can be easily added to driver_ndiswrapper.c once | |
834 | ndiswrapper gets full support for RSN PMKSA caching | |
835 | * improved recovery from PMKID mismatches by requesting full EAP | |
836 | authentication in case of failed PMKSA caching attempt | |
837 | * driver_ndis: added support for NDIS NdisMIncidateStatus() events | |
838 | (this requires that ndis_events is ran while wpa_supplicant is | |
839 | running) | |
840 | * driver_ndis: use ADD_WEP/REMOVE_WEP when configuring WEP keys | |
841 | * added support for driver interfaces to replace the interface name | |
842 | based on driver/OS specific mapping, e.g., in case of driver_ndis, | |
843 | this allows the beginning of the adapter description to be used as | |
844 | the interface name | |
845 | * added support for CR+LF (Windows-style) line ends in configuration | |
846 | file | |
847 | * driver_ndis: enable radio before starting scanning, disable radio | |
848 | when exiting | |
849 | * modified association event handler to set portEnabled = FALSE before | |
850 | clearing port Valid in order to reset EAP state machine and avoid | |
851 | problems with new authentication getting ignored because of state | |
852 | machines ending up in AUTHENTICATED/SUCCESS state based on old | |
853 | information | |
854 | * added support for driver events to add PMKID candidates in order to | |
855 | allow drivers to give priority to most likely roaming candidates | |
856 | * driver_hostap: moved PrivacyInvoked configuration to associate() | |
857 | function so that this will not be set for plaintext connections | |
858 | * added KEY_MGMT_802_1X_NO_WPA as a new key_mgmt type so that driver | |
859 | interface can distinguish plaintext and IEEE 802.1X (no WPA) | |
860 | authentication | |
861 | * fixed static WEP key configuration to use broadcast/default type for | |
862 | all keys (previously, the default TX key was configured as pairwise/ | |
863 | unicast key) | |
864 | * driver_ndis: added legacy WPA capability detection for non-WPA2 | |
865 | drivers | |
866 | * added support for setting static WEP keys for IEEE 802.1X without | |
867 | dynamic WEP keying (eapol_flags=0) | |
868 | ||
869 | 2004-12-12 - v0.3.1 | |
870 | * added support for reading PKCS#12 (PFX) files (as a replacement for | |
871 | PEM/DER) to get certificate and private key (CONFIG_PKCS12) | |
872 | * fixed compilation with CONFIG_PCSC=y | |
873 | * added new ap_scan mode, ap_scan=2, for drivers that take care of | |
874 | association, but need to be configured with security policy and SSID, | |
875 | e.g., ndiswrapper and NDIS driver; this mode should allow such | |
876 | drivers to work with hidden SSIDs and optimized roaming; when | |
877 | ap_scan=2 is used, only the first network block in the configuration | |
878 | file is used and this configuration should have explicit security | |
879 | policy (i.e., only one option in the lists) for key_mgmt, pairwise, | |
880 | group, proto variables | |
881 | * added experimental port of wpa_supplicant for Windows | |
882 | - driver_ndis.c driver interface (NDIS OIDs) | |
883 | - currently, this requires cygwin and WinPcap | |
884 | - small utility, win_if_list, can be used to get interface name | |
885 | * control interface can now be removed at build time; add | |
886 | CONFIG_CTRL_IFACE=y to .config to maintain old functionality | |
887 | * optional Xsupplicant interface can now be removed at build time; | |
888 | (CONFIG_XSUPPLICANT_IFACE=y in .config to bring it back) | |
889 | * added auth_alg to driver interface associate() parameters to make it | |
890 | easier for drivers to configure authentication algorithm as part of | |
891 | the association | |
892 | ||
893 | 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases) | |
894 | * driver_broadcom: added new driver interface for Broadcom wl.o driver | |
895 | (a generic driver for Broadcom IEEE 802.11a/g cards) | |
896 | * wpa_cli: fixed parsing of -p <path> command line argument | |
897 | * PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS | |
898 | ACK, not tunneled EAP-Success (of which only the first byte was | |
899 | actually send due to a bug in previous code); this seems to | |
900 | interoperate with most RADIUS servers that implements PEAPv1 | |
901 | * PEAPv1: added support for terminating PEAP authentication on tunneled | |
902 | EAP-Success message; this can be configured by adding | |
903 | peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf | |
904 | (some RADIUS servers require this whereas others require a tunneled | |
905 | reply | |
906 | * PEAPv1: changed phase1 option peaplabel to use default to 0, i.e., to | |
907 | the old label for key derivation; previously, the default was 1, | |
908 | but it looks like most existing PEAPv1 implementations use the old | |
909 | label which is thus more suitable default option | |
910 | * added support for EAP-PSK (draft-bersani-eap-psk-03.txt) | |
911 | * fixed parsing of wep_tx_keyidx | |
912 | * added support for configuring list of allowed Phase 2 EAP types | |
913 | (for both EAP-PEAP and EAP-TTLS) instead of only one type | |
914 | * added support for configuring IEEE 802.11 authentication algorithm | |
915 | (auth_alg; mainly for using Shared Key authentication with static | |
916 | WEP keys) | |
917 | * added support for EAP-AKA (with UMTS SIM) | |
918 | * fixed couple of errors in PCSC handling that could have caused | |
919 | random-looking errors for EAP-SIM | |
920 | * added support for EAP-SIM pseudonyms and fast re-authentication | |
921 | * added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS | |
922 | session resumption) | |
923 | * added support for EAP-SIM with two challanges | |
924 | (phase1="sim_min_num_chal=3" can be used to require three challenges) | |
925 | * added support for configuring DH/DSA parameters for an ephemeral DH | |
926 | key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters | |
927 | dh_file and dh_file2 (phase 2); this adds support for using DSA keys | |
928 | and optional DH key exchange to achieve forward secracy with RSA keys | |
929 | * added support for matching subject of the authentication server | |
930 | certificate with a substring when using EAP-TLS/PEAP/TTLS; new | |
931 | configuration variables subject_match and subject_match2 | |
932 | * changed SSID configuration in driver_wext.c (used by many driver | |
933 | interfaces) to use ssid_len+1 as the length for SSID since some Linux | |
934 | drivers expect this | |
935 | * fixed couple of unaligned reads in scan result parsing to fix WPA | |
936 | connection on some platforms (e.g., ARM) | |
937 | * added driver interface for Intel ipw2100 driver | |
938 | * added support for LEAP with WPA | |
939 | * added support for larger scan results report (old limit was 4 kB of | |
940 | data, i.e., about 35 or so APs) when using Linux wireless extensions | |
941 | v17 or newer | |
942 | * fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start | |
943 | only if there is a PMKSA cache entry for the current AP | |
944 | * fixed error handling for case where reading of scan results fails: | |
945 | must schedule a new scan or wpa_supplicant will remain waiting | |
946 | forever | |
947 | * changed debug output to remove shared password/key material by | |
948 | default; all key information can be included with -K command line | |
949 | argument to match the previous behavior | |
950 | * added support for timestamping debug log messages (disabled by | |
951 | default, can be enabled with -t command line argument) | |
952 | * set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104 | |
953 | if keys are not configured to be used; this fixes IEEE 802.1X mode | |
954 | with drivers that use this information to configure whether Privacy | |
955 | bit can be in Beacon frames (e.g., ndiswrapper) | |
956 | * avoid clearing driver keys if no keys have been configured since last | |
957 | key clear request; this seems to improve reliability of group key | |
958 | handshake for ndiswrapper & NDIS driver which seems to be suffering | |
959 | of some kind of timing issue when the keys are cleared again after | |
960 | association | |
961 | * changed driver interface API: | |
962 | - WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which | |
963 | version is being used (now, this is set to 2; previously, it was | |
964 | not defined) | |
965 | - pass pointer to private data structure to all calls | |
966 | - the new API is not backwards compatible; all in-tree driver | |
967 | interfaces has been converted to the new API | |
968 | * added support for controlling multiple interfaces (radios) per | |
969 | wpa_supplicant process; each interface needs to be listed on the | |
970 | command line (-c, -i, -D arguments) with -N as a separator | |
971 | (-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi) | |
972 | * added a workaround for EAP servers that incorrectly use same Id for | |
973 | sequential EAP packets | |
974 | * changed libpcap/libdnet configuration to use .config variable, | |
975 | CONFIG_DNET_PCAP, instead of requiring Makefile modification | |
976 | * improved downgrade attack detection in IE verification of msg 3/4: | |
977 | verify both WPA and RSN IEs, if present, not only the selected one; | |
978 | reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or | |
979 | Probe Response frame, and RSN is enabled in wpa_supplicant | |
980 | configuration | |
981 | * fixed WPA msg 3/4 processing to allow Key Data field contain other | |
982 | IEs than just one WPA IE | |
983 | * added support for FreeBSD and driver interface for the BSD net80211 | |
984 | layer (CONFIG_DRIVER_BSD=y in .config); please note that some of the | |
985 | required kernel mods have not yet been committed | |
986 | * made EAP workarounds configurable; enabled by default, can be | |
987 | disabled with network block option eap_workaround=0 | |
988 | ||
989 | 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases) | |
990 | * resolved couple of interoperability issues with EAP-PEAPv1 and | |
991 | Phase 2 (inner EAP) fragment reassembly | |
992 | * driver_madwifi: fixed WEP key configuration for IEEE 802.1X when the | |
993 | AP is using non-zero key index for the unicast key and key index zero | |
994 | for the broadcast key | |
995 | * driver_hostap: fixed IEEE 802.1X WEP key updates and | |
996 | re-authentication by allowing unencrypted EAPOL frames when not using | |
997 | WPA | |
998 | * added a new driver interface, 'wext', which uses only standard, | |
999 | driver independent functionality in Linux wireless extensions; | |
1000 | currently, this can be used only for non-WPA IEEE 802.1X mode, but | |
1001 | eventually, this is to be extended to support full WPA/WPA2 once | |
1002 | Linux wireless extensions get support for this | |
1003 | * added support for mode in which the driver is responsible for AP | |
1004 | scanning and selection; this is disabled by default and can be | |
1005 | enabled with global ap_scan=0 variable in wpa_supplicant.conf; | |
1006 | this mode can be used, e.g., with generic 'wext' driver interface to | |
1007 | use wpa_supplicant as IEEE 802.1X Supplicant with any Linux driver | |
1008 | supporting wireless extensions. | |
1009 | * driver_madwifi: fixed WPA2 configuration and scan_ssid=1 (e.g., | |
1010 | operation with an AP that does not include SSID in the Beacon frames) | |
1011 | * added support for new EAP authentication methods: | |
1012 | EAP-TTLS/EAP-OTP, EAP-PEAPv0/OTP, EAP-PEAPv1/OTP, EAP-OTP | |
1013 | * added support for asking one-time-passwords from frontends (e.g., | |
1014 | wpa_cli); this 'otp' command works otherwise like 'password' command, | |
1015 | but the password is used only once and the frontend will be asked for | |
1016 | a new password whenever a request from authenticator requires a | |
1017 | password; this can be used with both EAP-OTP and EAP-GTC | |
1018 | * changed wpa_cli to automatically re-establish connection so that it | |
1019 | does not need to be re-started when wpa_supplicant is terminated and | |
1020 | started again | |
1021 | * improved user data (identity/password/otp) requests through | |
1022 | frontends: process pending EAPOL packets after getting new | |
1023 | information so that full authentication does not need to be | |
1024 | restarted; in addition, send pending requests again whenever a new | |
1025 | frontend is attached | |
1026 | * changed control frontends to use a new directory for socket files to | |
1027 | make it easier for wpa_cli to automatically select between interfaces | |
1028 | and to provide access control for the control interface; | |
1029 | wpa_supplicant.conf: ctrl_interface is now a path | |
1030 | (/var/run/wpa_supplicant is the recommended path) and | |
1031 | ctrl_interface_group can be used to select which group gets access to | |
1032 | the control interface; | |
1033 | wpa_cli: by default, try to connect to the first interface available | |
1034 | in /var/run/wpa_supplicant; this path can be overriden with -p option | |
1035 | and an interface can be selected with -i option (i.e., in most common | |
1036 | cases, wpa_cli does not need to get any arguments) | |
1037 | * added support for LEAP | |
1038 | * added driver interface for Linux ndiswrapper | |
1039 | * added priority option for network blocks in the configuration file; | |
1040 | this allows networks to be grouped based on priority (the scan | |
1041 | results are searched for matches with network blocks in this order) | |
1042 | ||
1043 | 2004-06-20 - v0.2.3 | |
1044 | * sort scan results to improve AP selection | |
1045 | * fixed control interface socket removal for some error cases | |
1046 | * improved scan requesting and authentication timeout | |
1047 | * small improvements/bug fixes for EAP-MSCHAPv2, EAP-PEAP, and | |
1048 | TLS processing | |
1049 | * PEAP version can now be forced with phase1="peapver=<ver>" | |
1050 | (mostly for testing; by default, the highest version supported by | |
1051 | both the Supplicant and Authentication Server is selected | |
1052 | automatically) | |
1053 | * added support for madwifi driver (Atheros ar521x) | |
1054 | * added a workaround for cases where AP sets Install Tx/Rx bit for | |
1055 | WPA Group Key messages when pairwise keys are used (without this, | |
1056 | the Group Key would be used for Tx and the AP would drop frames | |
1057 | from the station) | |
1058 | * added GSM SIM/USIM interface for GSM authentication algorithm for | |
1059 | EAP-SIM; this requires pcsc-lite | |
1060 | * added support for ATMEL AT76C5XXx driver | |
1061 | * fixed IEEE 802.1X WEP key derivation in the case where Authenticator | |
1062 | does not include key data in the EAPOL-Key frame (i.e., part of | |
1063 | EAP keying material is used as data encryption key) | |
1064 | * added support for using plaintext and static WEP networks | |
1065 | (key_mgmt=NONE) | |
1066 | ||
1067 | 2004-05-31 - v0.2.2 | |
1068 | * added support for new EAP authentication methods: | |
1069 | EAP-TTLS/EAP-MD5-Challenge | |
1070 | EAP-TTLS/EAP-GTC | |
1071 | EAP-TTLS/EAP-MSCHAPv2 | |
1072 | EAP-TTLS/EAP-TLS | |
1073 | EAP-TTLS/MSCHAPv2 | |
1074 | EAP-TTLS/MSCHAP | |
1075 | EAP-TTLS/PAP | |
1076 | EAP-TTLS/CHAP | |
1077 | EAP-PEAP/TLS | |
1078 | EAP-PEAP/GTC | |
1079 | EAP-PEAP/MD5-Challenge | |
1080 | EAP-GTC | |
1081 | EAP-SIM (not yet complete; needs GSM/SIM authentication interface) | |
1082 | * added support for anonymous identity (to be used when identity is | |
1083 | sent in plaintext; real identity will be used within TLS protected | |
1084 | tunnel (e.g., with EAP-TTLS) | |
1085 | * added event messages from wpa_supplicant to frontends, e.g., wpa_cli | |
1086 | * added support for requesting identity and password information using | |
1087 | control interface; in other words, the password for EAP-PEAP or | |
1088 | EAP-TTLS does not need to be included in the configuration file since | |
1089 | a frontand (e.g., wpa_cli) can ask it from the user | |
1090 | * improved RSN pre-authentication to use a candidate list and process | |
1091 | all candidates from each scan; not only one per scan | |
1092 | * fixed RSN IE and WPA IE capabilities field parsing | |
1093 | * ignore Tx bit in GTK IE when Pairwise keys are used | |
1094 | * avoid making new scan requests during IEEE 802.1X negotiation | |
1095 | * use openssl/libcrypto for MD5 and SHA-1 when compiling wpa_supplicant | |
1096 | with TLS support (this replaces the included implementation with | |
1097 | library code to save about 8 kB since the library code is needed | |
1098 | anyway for TLS) | |
1099 | * fixed WPA-PSK only mode when compiled without IEEE 802.1X support | |
1100 | (i.e., without CONFIG_IEEE8021X_EAPOL=y in .config) | |
1101 | ||
1102 | 2004-05-06 - v0.2.1 | |
1103 | * added support for internal IEEE 802.1X (actually, IEEE 802.1aa/D6.1) | |
1104 | Supplicant | |
1105 | - EAPOL state machines for Supplicant [IEEE 802.1aa/D6.1] | |
1106 | - EAP peer state machine [draft-ietf-eap-statemachine-02.pdf] | |
1107 | - EAP-MD5 (cannot be used with WPA-RADIUS) | |
1108 | [draft-ietf-eap-rfc2284bis-09.txt] | |
1109 | - EAP-TLS [RFC 2716] | |
1110 | - EAP-MSCHAPv2 (currently used only with EAP-PEAP) | |
1111 | - EAP-PEAP/MSCHAPv2 [draft-josefsson-pppext-eap-tls-eap-07.txt] | |
1112 | [draft-kamath-pppext-eap-mschapv2-00.txt] | |
1113 | (PEAP version 0, 1, and parts of 2; only 0 and 1 are enabled by | |
1114 | default; tested with FreeRADIUS, Microsoft IAS, and Funk Odyssey) | |
1115 | - new configuration file options: eap, identity, password, ca_cert, | |
1116 | client_cert, privatekey, private_key_passwd | |
1117 | - Xsupplicant is not required anymore, but it can be used by | |
1118 | disabling the internal IEEE 802.1X Supplicant with -e command line | |
1119 | option | |
1120 | - this code is not included in the default build; Makefile need to | |
1121 | be edited for this (uncomment lines for selected functionality) | |
1122 | - EAP-TLS and EAP-PEAP require openssl libraries | |
1123 | * use module prefix in debug messages (WPA, EAP, EAP-TLS, ..) | |
1124 | * added support for non-WPA IEEE 802.1X mode with dynamic WEP keys | |
1125 | (i.e., complete IEEE 802.1X/EAP authentication and use IEEE 802.1X | |
1126 | EAPOL-Key frames instead of WPA key handshakes) | |
1127 | * added support for IEEE 802.11i/RSN (WPA2) | |
1128 | - improved PTK Key Handshake | |
1129 | - PMKSA caching, pre-authentication | |
1130 | * fixed wpa_supplicant to ignore possible extra data after WPA | |
1131 | EAPOL-Key packets (this fixes 'Invalid EAPOL-Key MIC when using | |
1132 | TPTK' error from message 3 of 4-Way Handshake in case the AP | |
1133 | includes extra data after the EAPOL-Key) | |
1134 | * added interface for external programs (frontends) to control | |
1135 | wpa_supplicant | |
1136 | - CLI example (wpa_cli) with interactive mode and command line | |
1137 | mode | |
1138 | - replaced SIGUSR1 status/statistics with the new control interface | |
1139 | * made some feature compile time configurable | |
1140 | - .config file for make | |
1141 | - driver interfaces (hostap, hermes, ..) | |
1142 | - EAPOL/EAP functions | |
1143 | ||
1144 | 2004-02-15 - v0.2.0 | |
1145 | * Initial version of wpa_supplicant |