Preparations for v2.8 release

Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/doc/doxygen.conf b/doc/doxygen.conf
index af9a459f0dbb496e77db271fcccc741c66c85aa5..a5b1fa5036c6ae88e0193512e8e0da57cf8cc29a 100644 (file)
--- a/doc/doxygen.conf
+++ b/doc/doxygen.conf
@@ -31,7 +31,7 @@ PROJECT_NAME           = "wpa_supplicant / hostapd"
 # This could be handy for archiving the generated documentation or
 # if some version control system is used.
 
-PROJECT_NUMBER         = 2.7
+PROJECT_NUMBER         = 2.8
 
 # The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute)
 # base path where the generated documentation will be put.

diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index f1366b4a9542df26b363ded9f3a55c8b89d75eb5..327ee3b46ede07590f9864fbad5a8a5237d1a0e7 100644 (file)
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -1,5 +1,60 @@
 ChangeLog for hostapd
 
+2019-04-21 - v2.8
+       * SAE changes
+         - added support for SAE Password Identifier
+         - changed default configuration to enable only group 19
+           (i.e., disable groups 20, 21, 25, 26 from default configuration) and
+           disable all unsuitable groups completely based on REVmd changes
+         - improved anti-clogging token mechanism and SAE authentication
+           frame processing during heavy CPU load; this mitigates some issues
+           with potential DoS attacks trying to flood an AP with large number
+           of SAE messages
+         - added Finite Cyclic Group field in status code 77 responses
+         - reject use of unsuitable groups based on new implementation guidance
+           in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+           groups with prime >= 256)
+         - minimize timing and memory use differences in PWE derivation
+           [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+         - fixed confirm message validation in error cases
+           [https://w1.fi/security/2019-3/] (CVE-2019-9496)
+       * EAP-pwd changes
+         - minimize timing and memory use differences in PWE derivation
+           [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+         - verify peer scalar/element
+           [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
+         - fix message reassembly issue with unexpected fragment
+           [https://w1.fi/security/2019-5/]
+         - enforce rand,mask generation rules more strictly
+         - fix a memory leak in PWE derivation
+         - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+           27)
+       * Hotspot 2.0 changes
+         - added support for release number 3
+         - reject release 2 or newer association without PMF
+       * added support for RSN operating channel validation
+         (CONFIG_OCV=y and configuration parameter ocv=1)
+       * added Multi-AP protocol support
+       * added FTM responder configuration
+       * fixed build with LibreSSL
+       * added FT/RRB workaround for short Ethernet frame padding
+       * fixed KEK2 derivation for FILS+FT
+       * added RSSI-based association rejection from OCE
+       * extended beacon reporting functionality
+       * VLAN changes
+         - allow local VLAN management with remote RADIUS authentication
+         - add WPA/WPA2 passphrase/PSK -based VLAN assignment
+       * OpenSSL: allow systemwide policies to be overridden
+       * extended PEAP to derive EMSK to enable use with ERP/FILS
+       * extended WPS to allow SAE configuration to be added automatically
+         for PSK (wps_cred_add_sae=1)
+       * fixed FT and SA Query Action frame with AP-MLME-in-driver cases
+       * OWE: allow Diffie-Hellman Parameter element to be included with DPP
+         in preparation for DPP protocol extension
+       * RADIUS server: started to accept ERP keyName-NAI as user identity
+         automatically without matching EAP database entry
+       * fixed PTK rekeying with FILS and FT
+
 2018-12-02 - v2.7
        * fixed WPA packet number reuse with replayed messages and key
          reinstallation

diff --git a/src/common/version.h b/src/common/version.h
index eb4f3130ff9d8222aaecb81645fe99a5dfb21d76..06fc5e4d25a34a259c9c0b21ad60f23893b1d0d0 100644 (file)
--- a/src/common/version.h
+++ b/src/common/version.h
@@ -9,6 +9,6 @@
 #define GIT_VERSION_STR_POSTFIX ""
 #endif /* GIT_VERSION_STR_POSTFIX */
 
-#define VERSION_STR "2.8-devel" VERSION_STR_POSTFIX GIT_VERSION_STR_POSTFIX
+#define VERSION_STR "2.8" VERSION_STR_POSTFIX GIT_VERSION_STR_POSTFIX
 
 #endif /* VERSION_H */

diff --git a/wpa_supplicant/ChangeLog b/wpa_supplicant/ChangeLog
index bf4daaa4cb1e7f66771ed4ff0841cc7921a2b219..89119e7bd18fa69e8c34f5cabe9d9a2f4c81999b 100644 (file)
--- a/wpa_supplicant/ChangeLog
+++ b/wpa_supplicant/ChangeLog
@@ -1,5 +1,74 @@
 ChangeLog for wpa_supplicant
 
+2019-04-21 - v2.8
+       * SAE changes
+         - added support for SAE Password Identifier
+         - changed default configuration to enable only groups 19, 20, 21
+           (i.e., disable groups 25 and 26) and disable all unsuitable groups
+           completely based on REVmd changes
+         - do not regenerate PWE unnecessarily when the AP uses the
+           anti-clogging token mechanisms
+         - fixed some association cases where both SAE and FT-SAE were enabled
+           on both the station and the selected AP
+         - started to prefer FT-SAE over SAE AKM if both are enabled
+         - started to prefer FT-SAE over FT-PSK if both are enabled
+         - fixed FT-SAE when SAE PMKSA caching is used
+         - reject use of unsuitable groups based on new implementation guidance
+           in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+           groups with prime >= 256)
+         - minimize timing and memory use differences in PWE derivation
+           [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+       * EAP-pwd changes
+         - minimize timing and memory use differences in PWE derivation
+           [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+         - verify server scalar/element
+           [https://w1.fi/security/2019-4/] (CVE-2019-9499)
+         - fix message reassembly issue with unexpected fragment
+           [https://w1.fi/security/2019-5/]
+         - enforce rand,mask generation rules more strictly
+         - fix a memory leak in PWE derivation
+         - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+           27)
+       * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y
+       * Hotspot 2.0 changes
+         - do not indicate release number that is higher than the one
+           AP supports
+         - added support for release number 3
+         - enable PMF automatically for network profiles created from
+           credentials
+       * fixed OWE network profile saving
+       * fixed DPP network profile saving
+       * added support for RSN operating channel validation
+         (CONFIG_OCV=y and network profile parameter ocv=1)
+       * added Multi-AP backhaul STA support
+       * fixed build with LibreSSL
+       * number of MKA/MACsec fixes and extensions
+       * extended domain_match and domain_suffix_match to allow list of values
+       * fixed dNSName matching in domain_match and domain_suffix_match when
+         using wolfSSL
+       * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both
+         are enabled
+       * extended nl80211 Connect and external authentication to support
+         SAE, FT-SAE, FT-EAP-SHA384
+       * fixed KEK2 derivation for FILS+FT
+       * extended client_cert file to allow loading of a chain of PEM
+         encoded certificates
+       * extended beacon reporting functionality
+       * extended D-Bus interface with number of new properties
+       * fixed a regression in FT-over-DS with mac80211-based drivers
+       * OpenSSL: allow systemwide policies to be overridden
+       * extended driver flags indication for separate 802.1X and PSK
+         4-way handshake offload capability
+       * added support for random P2P Device/Interface Address use
+       * extended PEAP to derive EMSK to enable use with ERP/FILS
+       * extended WPS to allow SAE configuration to be added automatically
+         for PSK (wps_cred_add_sae=1)
+       * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS)
+       * extended domain_match and domain_suffix_match to allow list of values
+       * added a RSN workaround for misbehaving PMF APs that advertise
+         IGTK/BIP KeyID using incorrect byte order
+       * fixed PTK rekeying with FILS and FT
+
 2018-12-02 - v2.7
        * fixed WPA packet number reuse with replayed messages and key
          reinstallation