d720de929f
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
1278 lines
64 KiB
Text
1278 lines
64 KiB
Text
ChangeLog for hostapd
|
|
|
|
2019-08-07 - v2.9
|
|
* SAE changes
|
|
- disable use of groups using Brainpool curves
|
|
- improved protection against side channel attacks
|
|
[https://w1.fi/security/2019-6/]
|
|
* EAP-pwd changes
|
|
- disable use of groups using Brainpool curves
|
|
- improved protection against side channel attacks
|
|
[https://w1.fi/security/2019-6/]
|
|
* fixed FT-EAP initial mobility domain association using PMKSA caching
|
|
* added configuration of airtime policy
|
|
* fixed FILS to and RSNE into (Re)Association Response frames
|
|
* fixed DPP bootstrapping URI parser of channel list
|
|
* added support for regulatory WMM limitation (for ETSI)
|
|
* added support for MACsec Key Agreement using IEEE 802.1X/PSK
|
|
* added experimental support for EAP-TEAP server (RFC 7170)
|
|
* added experimental support for EAP-TLS server with TLS v1.3
|
|
* added support for two server certificates/keys (RSA/ECC)
|
|
* added AKMSuiteSelector into "STA <addr>" control interface data to
|
|
determine with AKM was used for an association
|
|
* added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and
|
|
fast reauthentication use to be disabled
|
|
* fixed an ECDH operation corner case with OpenSSL
|
|
|
|
2019-04-21 - v2.8
|
|
* SAE changes
|
|
- added support for SAE Password Identifier
|
|
- changed default configuration to enable only group 19
|
|
(i.e., disable groups 20, 21, 25, 26 from default configuration) and
|
|
disable all unsuitable groups completely based on REVmd changes
|
|
- improved anti-clogging token mechanism and SAE authentication
|
|
frame processing during heavy CPU load; this mitigates some issues
|
|
with potential DoS attacks trying to flood an AP with large number
|
|
of SAE messages
|
|
- added Finite Cyclic Group field in status code 77 responses
|
|
- reject use of unsuitable groups based on new implementation guidance
|
|
in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
|
|
groups with prime >= 256)
|
|
- minimize timing and memory use differences in PWE derivation
|
|
[https://w1.fi/security/2019-1/] (CVE-2019-9494)
|
|
- fixed confirm message validation in error cases
|
|
[https://w1.fi/security/2019-3/] (CVE-2019-9496)
|
|
* EAP-pwd changes
|
|
- minimize timing and memory use differences in PWE derivation
|
|
[https://w1.fi/security/2019-2/] (CVE-2019-9495)
|
|
- verify peer scalar/element
|
|
[https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
|
|
- fix message reassembly issue with unexpected fragment
|
|
[https://w1.fi/security/2019-5/]
|
|
- enforce rand,mask generation rules more strictly
|
|
- fix a memory leak in PWE derivation
|
|
- disallow ECC groups with a prime under 256 bits (groups 25, 26, and
|
|
27)
|
|
* Hotspot 2.0 changes
|
|
- added support for release number 3
|
|
- reject release 2 or newer association without PMF
|
|
* added support for RSN operating channel validation
|
|
(CONFIG_OCV=y and configuration parameter ocv=1)
|
|
* added Multi-AP protocol support
|
|
* added FTM responder configuration
|
|
* fixed build with LibreSSL
|
|
* added FT/RRB workaround for short Ethernet frame padding
|
|
* fixed KEK2 derivation for FILS+FT
|
|
* added RSSI-based association rejection from OCE
|
|
* extended beacon reporting functionality
|
|
* VLAN changes
|
|
- allow local VLAN management with remote RADIUS authentication
|
|
- add WPA/WPA2 passphrase/PSK -based VLAN assignment
|
|
* OpenSSL: allow systemwide policies to be overridden
|
|
* extended PEAP to derive EMSK to enable use with ERP/FILS
|
|
* extended WPS to allow SAE configuration to be added automatically
|
|
for PSK (wps_cred_add_sae=1)
|
|
* fixed FT and SA Query Action frame with AP-MLME-in-driver cases
|
|
* OWE: allow Diffie-Hellman Parameter element to be included with DPP
|
|
in preparation for DPP protocol extension
|
|
* RADIUS server: started to accept ERP keyName-NAI as user identity
|
|
automatically without matching EAP database entry
|
|
* fixed PTK rekeying with FILS and FT
|
|
|
|
2018-12-02 - v2.7
|
|
* fixed WPA packet number reuse with replayed messages and key
|
|
reinstallation
|
|
[http://w1.fi/security/2017-1/] (CVE-2017-13082)
|
|
* added support for FILS (IEEE 802.11ai) shared key authentication
|
|
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
|
|
and transition mode defined by WFA)
|
|
* added support for DPP (Wi-Fi Device Provisioning Protocol)
|
|
* FT:
|
|
- added local generation of PMK-R0/PMK-R1 for FT-PSK
|
|
(ft_psk_generate_local=1)
|
|
- replaced inter-AP protocol with a cleaner design that is more
|
|
easily extensible; this breaks backward compatibility and requires
|
|
all APs in the ESS to be updated at the same time to maintain FT
|
|
functionality
|
|
- added support for wildcard R0KH/R1KH
|
|
- replaced r0_key_lifetime (minutes) parameter with
|
|
ft_r0_key_lifetime (seconds)
|
|
- fixed wpa_psk_file use for FT-PSK
|
|
- fixed FT-SAE PMKID matching
|
|
- added expiration to PMK-R0 and PMK-R1 cache
|
|
- added IEEE VLAN support (including tagged VLANs)
|
|
- added support for SHA384 based AKM
|
|
* SAE
|
|
- fixed some PMKSA caching cases with SAE
|
|
- added support for configuring SAE password separately of the
|
|
WPA2 PSK/passphrase
|
|
- added option to require MFP for SAE associations
|
|
(sae_require_pmf=1)
|
|
- fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
|
|
for SAE;
|
|
note: this is not backwards compatible, i.e., both the AP and
|
|
station side implementations will need to be update at the same
|
|
time to maintain interoperability
|
|
- added support for Password Identifier
|
|
* hostapd_cli: added support for command history and completion
|
|
* added support for requesting beacon report
|
|
* large number of other fixes, cleanup, and extensions
|
|
* added option to configure EAPOL-Key retry limits
|
|
(wpa_group_update_count and wpa_pairwise_update_count)
|
|
* removed all PeerKey functionality
|
|
* fixed nl80211 AP mode configuration regression with Linux 4.15 and
|
|
newer
|
|
* added support for using wolfSSL cryptographic library
|
|
* fixed some 20/40 MHz coexistence cases where the BSS could drop to
|
|
20 MHz even when 40 MHz would be allowed
|
|
* Hotspot 2.0
|
|
- added support for setting Venue URL ANQP-element (venue_url)
|
|
- added support for advertising Hotspot 2.0 operator icons
|
|
- added support for Roaming Consortium Selection element
|
|
- added support for Terms and Conditions
|
|
- added support for OSEN connection in a shared RSN BSS
|
|
* added support for using OpenSSL 1.1.1
|
|
* added EAP-pwd server support for salted passwords
|
|
|
|
2016-10-02 - v2.6
|
|
* fixed EAP-pwd last fragment validation
|
|
[http://w1.fi/security/2015-7/] (CVE-2015-5314)
|
|
* fixed WPS configuration update vulnerability with malformed passphrase
|
|
[http://w1.fi/security/2016-1/] (CVE-2016-4476)
|
|
* extended channel switch support for VHT bandwidth changes
|
|
* added support for configuring new ANQP-elements with
|
|
anqp_elem=<InfoID>:<hexdump of payload>
|
|
* fixed Suite B 192-bit AKM to use proper PMK length
|
|
(note: this makes old releases incompatible with the fixed behavior)
|
|
* added no_probe_resp_if_max_sta=1 parameter to disable Probe Response
|
|
frame sending for not-associated STAs if max_num_sta limit has been
|
|
reached
|
|
* added option (-S as command line argument) to request all interfaces
|
|
to be started at the same time
|
|
* modified rts_threshold and fragm_threshold configuration parameters
|
|
to allow -1 to be used to disable RTS/fragmentation
|
|
* EAP-pwd: added support for Brainpool Elliptic Curves
|
|
(with OpenSSL 1.0.2 and newer)
|
|
* fixed EAPOL reauthentication after FT protocol run
|
|
* fixed FTIE generation for 4-way handshake after FT protocol run
|
|
* fixed and improved various FST operations
|
|
* TLS server
|
|
- support SHA384 and SHA512 hashes
|
|
- support TLS v1.2 signature algorithm with SHA384 and SHA512
|
|
- support PKCS #5 v2.0 PBES2
|
|
- support PKCS #5 with PKCS #12 style key decryption
|
|
- minimal support for PKCS #12
|
|
- support OCSP stapling (including ocsp_multi)
|
|
* added support for OpenSSL 1.1 API changes
|
|
- drop support for OpenSSL 0.9.8
|
|
- drop support for OpenSSL 1.0.0
|
|
* EAP-PEAP: support fast-connect crypto binding
|
|
* RADIUS
|
|
- fix Called-Station-Id to not escape SSID
|
|
- add Event-Timestamp to all Accounting-Request packets
|
|
- add Acct-Session-Id to Accounting-On/Off
|
|
- add Acct-Multi-Session-Id ton Access-Request packets
|
|
- add Service-Type (= Frames)
|
|
- allow server to provide PSK instead of passphrase for WPA-PSK
|
|
Tunnel_password case
|
|
- update full message for interim accounting updates
|
|
- add Acct-Delay-Time into Accounting messages
|
|
- add require_message_authenticator configuration option to require
|
|
CoA/Disconnect-Request packets to be authenticated
|
|
* started to postpone WNM-Notification frame sending by 100 ms so that
|
|
the STA has some more time to configure the key before this frame is
|
|
received after the 4-way handshake
|
|
* VHT: added interoperability workaround for 80+80 and 160 MHz channels
|
|
* extended VLAN support (per-STA vif, etc.)
|
|
* fixed PMKID derivation with SAE
|
|
* nl80211
|
|
- added support for full station state operations
|
|
- fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use
|
|
unencrypted EAPOL frames
|
|
* added initial MBO support; number of extensions to WNM BSS Transition
|
|
Management
|
|
* added initial functionality for location related operations
|
|
* added assocresp_elements parameter to allow vendor specific elements
|
|
to be added into (Re)Association Response frames
|
|
* improved Public Action frame addressing
|
|
- use Address 3 = wildcard BSSID in GAS response if a query from an
|
|
unassociated STA used that address
|
|
- fix TX status processing for Address 3 = wildcard BSSID
|
|
- add gas_address3 configuration parameter to control Address 3
|
|
behavior
|
|
* added command line parameter -i to override interface parameter in
|
|
hostapd.conf
|
|
* added command completion support to hostapd_cli
|
|
* added passive client taxonomy determination (CONFIG_TAXONOMY=y
|
|
compile option and "SIGNATURE <addr>" control interface command)
|
|
* number of small fixes
|
|
|
|
2015-09-27 - v2.5
|
|
* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
|
|
[http://w1.fi/security/2015-2/] (CVE-2015-4141)
|
|
* fixed WMM Action frame parser
|
|
[http://w1.fi/security/2015-3/] (CVE-2015-4142)
|
|
* fixed EAP-pwd server missing payload length validation
|
|
[http://w1.fi/security/2015-4/]
|
|
(CVE-2015-4143, CVE-2015-4144, CVE-2015-4145)
|
|
* fixed validation of WPS and P2P NFC NDEF record payload length
|
|
[http://w1.fi/security/2015-5/]
|
|
* nl80211:
|
|
- fixed vendor command handling to check OUI properly
|
|
* fixed hlr_auc_gw build with OpenSSL
|
|
* hlr_auc_gw: allow Milenage RES length to be reduced
|
|
* disable HT for a station that does not support WMM/QoS
|
|
* added support for hashed password (NtHash) in EAP-pwd server
|
|
* fixed and extended dynamic VLAN cases
|
|
* added EAP-EKE server support for deriving Session-Id
|
|
* set Acct-Session-Id to a random value to make it more likely to be
|
|
unique even if the device does not have a proper clock
|
|
* added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
|
|
* modified SAE routines to be more robust and PWE generation to be
|
|
stronger against timing attacks
|
|
* added support for Brainpool Elliptic Curves with SAE
|
|
* increases maximum value accepted for cwmin/cwmax
|
|
* added support for CCMP-256 and GCMP-256 as group ciphers with FT
|
|
* added Fast Session Transfer (FST) module
|
|
* removed optional fields from RSNE when using FT with PMF
|
|
(workaround for interoperability issues with iOS 8.4)
|
|
* added EAP server support for TLS session resumption
|
|
* fixed key derivation for Suite B 192-bit AKM (this breaks
|
|
compatibility with the earlier version)
|
|
* added mechanism to track unconnected stations and do minimal band
|
|
steering
|
|
* number of small fixes
|
|
|
|
2015-03-15 - v2.4
|
|
* allow OpenSSL cipher configuration to be set for internal EAP server
|
|
(openssl_ciphers parameter)
|
|
* fixed number of small issues based on hwsim test case failures and
|
|
static analyzer reports
|
|
* fixed Accounting-Request to not include duplicated Acct-Session-Id
|
|
* add support for Acct-Multi-Session-Id in RADIUS Accounting messages
|
|
* add support for PMKSA caching with SAE
|
|
* add support for generating BSS Load element (bss_load_update_period)
|
|
* fixed channel switch from VHT to HT
|
|
* add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events
|
|
* add support for learning STA IPv4/IPv6 addresses and configuring
|
|
ProxyARP support
|
|
* dropped support for the madwifi driver interface
|
|
* add support for Suite B (128-bit and 192-bit level) key management and
|
|
cipher suites
|
|
* fixed a regression with driver=wired
|
|
* extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
|
|
* add BSS_TM_REQ ctrl_iface command to send BSS Transition Management
|
|
Request frames and BSS-TM-RESP event to indicate response to such
|
|
frame
|
|
* add support for EAP Re-Authentication Protocol (ERP)
|
|
* fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled
|
|
* fixed a regression in HT 20/40 coex Action frame parsing
|
|
* set stdout to be line-buffered
|
|
* add support for vendor specific VHT extension to enable 256 QAM rates
|
|
(VHT-MCS 8 and 9) on 2.4 GHz band
|
|
* RADIUS DAS:
|
|
- extend Disconnect-Request processing to allow matching of multiple
|
|
sessions
|
|
- support Acct-Multi-Session-Id as an identifier
|
|
- allow PMKSA cache entry to be removed without association
|
|
* expire hostapd STA entry if kernel does not have a matching entry
|
|
* allow chanlist to be used to specify a subset of channels for ACS
|
|
* improve ACS behavior on 2.4 GHz band and allow channel bias to be
|
|
configured with acs_chan_bias parameter
|
|
* do not reply to a Probe Request frame that includes DSS Parameter Set
|
|
element in which the channel does not match the current operating
|
|
channel
|
|
* add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon
|
|
frame contents to be updated and to start beaconing on an interface
|
|
that used start_disabled=1
|
|
* fixed some RADIUS server failover cases
|
|
|
|
2014-10-09 - v2.3
|
|
* fixed number of minor issues identified in static analyzer warnings
|
|
* fixed DFS and channel switch operation for multi-BSS cases
|
|
* started to use constant time comparison for various password and hash
|
|
values to reduce possibility of any externally measurable timing
|
|
differences
|
|
* extended explicit clearing of freed memory and expired keys to avoid
|
|
keeping private data in memory longer than necessary
|
|
* added support for number of new RADIUS attributes from RFC 7268
|
|
(Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher,
|
|
WLAN-Group-Cipher, WLAN-AKM-Suite, WLAN-Group-Mgmt-Pairwise-Cipher)
|
|
* fixed GET_CONFIG wpa_pairwise_cipher value
|
|
* added code to clear bridge FDB entry on station disconnection
|
|
* fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases
|
|
* fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop
|
|
in case the first entry does not match
|
|
* fixed hostapd_cli action script execution to use more robust mechanism
|
|
(CVE-2014-3686)
|
|
|
|
2014-06-04 - v2.2
|
|
* fixed SAE confirm-before-commit validation to avoid a potential
|
|
segmentation fault in an unexpected message sequence that could be
|
|
triggered remotely
|
|
* extended VHT support
|
|
- Operating Mode Notification
|
|
- Power Constraint element (local_pwr_constraint)
|
|
- Spectrum management capability (spectrum_mgmt_required=1)
|
|
- fix VHT80 segment picking in ACS
|
|
- fix vht_capab 'Maximum A-MPDU Length Exponent' handling
|
|
- fix VHT20
|
|
* fixed HT40 co-ex scan for some pri/sec channel switches
|
|
* extended HT40 co-ex support to allow dynamic channel width changes
|
|
during the lifetime of the BSS
|
|
* fixed HT40 co-ex support to check for overlapping 20 MHz BSS
|
|
* fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
|
|
this fixes password with include UTF-8 characters that use
|
|
three-byte encoding EAP methods that use NtPasswordHash
|
|
* reverted TLS certificate validation step change in v2.1 that rejected
|
|
any AAA server certificate with id-kp-clientAuth even if
|
|
id-kp-serverAuth EKU was included
|
|
* fixed STA validation step for WPS ER commands to prevent a potential
|
|
crash if an ER sends an unexpected PutWLANResponse to a station that
|
|
is disassociated, but not fully removed
|
|
* enforce full EAP authentication after RADIUS Disconnect-Request by
|
|
removing the PMKSA cache entry
|
|
* added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address
|
|
in RADIUS Disconnect-Request
|
|
* added mechanism for removing addresses for MAC ACLs by prefixing an
|
|
entry with "-"
|
|
* Interworking/Hotspot 2.0 enhancements
|
|
- support Hotspot 2.0 Release 2
|
|
* OSEN network for online signup connection
|
|
* subscription remediation (based on RADIUS server request or
|
|
control interface HS20_WNM_NOTIF for testing purposes)
|
|
* Hotspot 2.0 release number indication in WFA RADIUS VSA
|
|
* deauthentication request (based on RADIUS server request or
|
|
control interface WNM_DEAUTH_REQ for testing purposes)
|
|
* Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent
|
|
* hs20_icon config parameter to configure icon files for OSU
|
|
* osu_* config parameters for OSU Providers list
|
|
- do not use Interworking filtering rules on Probe Request if
|
|
Interworking is disabled to avoid interop issues
|
|
* added/fixed nl80211 functionality
|
|
- AP interface teardown optimization
|
|
- support vendor specific driver command
|
|
(VENDOR <vendor id> <sub command id> [<hex formatted data>])
|
|
* fixed PMF protection of Deauthentication frame when this is triggered
|
|
by session timeout
|
|
* internal TLS implementation enhancements/fixes
|
|
- add SHA256-based cipher suites
|
|
- add DHE-RSA cipher suites
|
|
- fix X.509 validation of PKCS#1 signature to check for extra data
|
|
* RADIUS server functionality
|
|
- add minimal RADIUS accounting server support (hostapd-as-server);
|
|
this is mainly to enable testing coverage with hwsim scripts
|
|
- allow authentication log to be written into SQLite database
|
|
- added option for TLS protocol testing of an EAP peer by simulating
|
|
various misbehaviors/known attacks
|
|
- MAC ACL support for testing purposes
|
|
* fixed PTK derivation for CCMP-256 and GCMP-256
|
|
* extended WPS per-station PSK to support ER case
|
|
* added option to configure the management group cipher
|
|
(group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256,
|
|
BIP-CMAC-256)
|
|
* fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these
|
|
were rounded incorrectly)
|
|
* added support for postponing FT response in case PMK-R1 needs to be
|
|
pulled from R0KH
|
|
* added option to advertise 40 MHz intolerant HT capability with
|
|
ht_capab=[40-INTOLERANT]
|
|
* remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
|
|
whenever CONFIG_WPS=y is set
|
|
* EAP-pwd fixes
|
|
- fix possible segmentation fault on EAP method deinit if an invalid
|
|
group is negotiated
|
|
* fixed RADIUS client retransmit/failover behavior
|
|
- there was a potential ctash due to freed memory being accessed
|
|
- failover to a backup server mechanism did not work properly
|
|
* fixed a possible crash on double DISABLE command when multiple BSSes
|
|
are enabled
|
|
* fixed a memory leak in SAE random number generation
|
|
* fixed GTK rekeying when the station uses FT protocol
|
|
* fixed off-by-one bounds checking in printf_encode()
|
|
- this could result in deinial of service in some EAP server cases
|
|
* various bug fixes
|
|
|
|
2014-02-04 - v2.1
|
|
* added support for simultaneous authentication of equals (SAE) for
|
|
stronger password-based authentication with WPA2-Personal
|
|
* added nl80211 functionality
|
|
- VHT configuration for nl80211
|
|
- support split wiphy dump
|
|
- driver-based MAC ACL
|
|
- QoS Mapping configuration
|
|
* added fully automated regression testing with mac80211_hwsim
|
|
* allow ctrl_iface group to be specified on command line (-G<group>)
|
|
* allow single hostapd process to control independent WPS interfaces
|
|
(wps_independent=1) instead of synchronized operations through all
|
|
configured interfaces within a process
|
|
* avoid processing received management frames multiple times when using
|
|
nl80211 with multiple BSSes
|
|
* added support for DFS (processing radar detection events, CAC, channel
|
|
re-selection)
|
|
* added EAP-EKE server
|
|
* added automatic channel selection (ACS)
|
|
* added option for using per-BSS (vif) configuration files with
|
|
-b<phyname>:<config file name>
|
|
* extended global control interface ADD/REMOVE commands to allow BSSes
|
|
of a radio to be removed individually without having to add/remove all
|
|
other BSSes of the radio at the same time
|
|
* added support for sending debug info to Linux tracing (-T on command
|
|
line)
|
|
* replace dump_file functionality with same information being available
|
|
through the hostapd control interface
|
|
* added support for using Protected Dual of Public Action frames for
|
|
GAS/ANQP exchanges when PMF is enabled
|
|
* added support for WPS+NFC updates
|
|
- improved protocol
|
|
- option to fetch and report alternative carrier records for external
|
|
NFC operations
|
|
* various bug fixes
|
|
|
|
2013-01-12 - v2.0
|
|
* added AP-STA-DISCONNECTED ctrl_iface event
|
|
* improved debug logging (human readable event names, interface name
|
|
included in more entries)
|
|
* added number of small changes to make it easier for static analyzers
|
|
to understand the implementation
|
|
* added a workaround for Windows 7 Michael MIC failure reporting and
|
|
use of the Secure bit in EAPOL-Key msg 3/4
|
|
* fixed number of small bugs (see git logs for more details)
|
|
* changed OpenSSL to read full certificate chain from server_cert file
|
|
* nl80211: number of updates to use new cfg80211/nl80211 functionality
|
|
- replace monitor interface with nl80211 commands
|
|
- additional information for driver-based AP SME
|
|
* EAP-pwd:
|
|
- fix KDF for group 21 and zero-padding
|
|
- added support for fragmentation
|
|
- increased maximum number of hunting-and-pecking iterations
|
|
* avoid excessive Probe Response retries for broadcast Probe Request
|
|
frames (only with drivers using hostapd SME/MLME)
|
|
* added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y)
|
|
* fixed WPS operation stopping on dual concurrent AP
|
|
* added wps_rf_bands configuration parameter for overriding RF Bands
|
|
value for WPS
|
|
* added support for getting per-device PSK from RADIUS Tunnel-Password
|
|
* added support for libnl 3.2 and newer
|
|
* increased initial group key handshake retransmit timeout to 500 ms
|
|
* added a workaround for 4-way handshake to update SNonce even after
|
|
having sent EAPOL-Key 3/4 to avoid issues with some supplicant
|
|
implementations that can change SNonce for each EAP-Key 2/4
|
|
* added a workaround for EAPOL-Key 4/4 using incorrect type value in
|
|
WPA2 mode (some deployed stations use WPA type in that message)
|
|
* added a WPS workaround for mixed mode AP Settings with Windows 7
|
|
* changed WPS AP PIN disabling mechanism to disable the PIN after 10
|
|
consecutive failures in addition to using the exponential lockout
|
|
period
|
|
* added support for WFA Hotspot 2.0
|
|
- GAS/ANQP advertisement of network information
|
|
- disable_dgaf parameter to disable downstream group-addressed
|
|
forwarding
|
|
* simplified licensing terms by selecting the BSD license as the only
|
|
alternative
|
|
* EAP-SIM: fixed re-authentication not to update pseudonym
|
|
* EAP-SIM: use Notification round before EAP-Failure
|
|
* EAP-AKA: added support for AT_COUNTER_TOO_SMALL
|
|
* EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized
|
|
* EAP-AKA': fixed identity for MK derivation
|
|
* EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this
|
|
breaks interoperability with older versions
|
|
* EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id
|
|
* changed ANonce to be a random number instead of Counter-based
|
|
* added support for canceling WPS operations with hostapd_cli wps_cancel
|
|
* fixed EAP/WPS to PSK transition on reassociation in cases where
|
|
deauthentication is missed
|
|
* hlr_auc_gw enhancements:
|
|
- a new command line parameter -u can be used to enable updating of
|
|
SQN in Milenage file
|
|
- use 5 bit IND for SQN updates
|
|
- SQLite database can now be used to store Milenage information
|
|
* EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms
|
|
and reauth data
|
|
* added support for Chargeable-User-Identity (RFC 4372)
|
|
* added radius_auth_req_attr and radius_acct_req_attr configuration
|
|
parameters to allow adding/overriding of RADIUS attributes in
|
|
Access-Request and Accounting-Request packets
|
|
* added support for RADIUS dynamic authorization server (RFC 5176)
|
|
* added initial support for WNM operations
|
|
- BSS max idle period
|
|
- WNM-Sleep Mode
|
|
* added new WPS NFC ctrl_iface mechanism
|
|
- removed obsoleted WPS_OOB command (including support for deprecated
|
|
UFD config_method)
|
|
* added FT support for drivers that implement MLME internally
|
|
* added SA Query support for drivers that implement MLME internally
|
|
* removed default ACM=1 from AC_VO and AC_VI
|
|
* changed VENDOR-TEST EAP method to use proper private enterprise number
|
|
(this will not interoperate with older versions)
|
|
* added hostapd.conf parameter vendor_elements to allow arbitrary vendor
|
|
specific elements to be added to the Beacon and Probe Response frames
|
|
* added support for configuring GCMP cipher for IEEE 802.11ad
|
|
* added support for 256-bit AES with internal TLS implementation
|
|
* changed EAPOL transmission to use AC_VO if WMM is active
|
|
* fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length
|
|
correctly; invalid messages could have caused the hostapd process to
|
|
terminate before this fix [CVE-2012-4445]
|
|
* limit number of active wildcard PINs for WPS Registrar to one to avoid
|
|
confusing behavior with multiple wildcard PINs
|
|
* added a workaround for WPS PBC session overlap detection to avoid
|
|
interop issues with deployed station implementations that do not
|
|
remove active PBC indication from Probe Request frames properly
|
|
* added support for using SQLite for the eap_user database
|
|
* added Acct-Session-Id attribute into Access-Request messages
|
|
* fixed EAPOL frame transmission to non-QoS STAs with nl80211
|
|
(do not send QoS frames if the STA did not negotiate use of QoS for
|
|
this association)
|
|
|
|
2012-05-10 - v1.0
|
|
* Add channel selection support in hostapd. See hostapd.conf.
|
|
* Add support for IEEE 802.11v Time Advertisement mechanism with UTC
|
|
TSF offset. See hostapd.conf for config info.
|
|
* Delay STA entry removal until Deauth/Disassoc TX status in AP mode.
|
|
This allows the driver to use PS buffering of Deauthentication and
|
|
Disassociation frames when the STA is in power save sleep. Only
|
|
available with drivers that provide TX status events for Deauth/
|
|
Disassoc frames (nl80211).
|
|
* Allow PMKSA caching to be disabled on the Authenticator. See
|
|
hostap.conf config parameter disable_pmksa_caching.
|
|
* atheros: Add support for IEEE 802.11w configuration.
|
|
* bsd: Add support for setting HT values in IFM_MMASK.
|
|
* Allow client isolation to be configured with ap_isolate. Client
|
|
isolation can be used to prevent low-level bridging of frames
|
|
between associated stations in the BSS. By default, this bridging
|
|
is allowed.
|
|
* Allow coexistance of HT BSSes with WEP/TKIP BSSes.
|
|
* Add require_ht config parameter, which can be used to configure
|
|
hostapd to reject association with any station that does not support
|
|
HT PHY.
|
|
* Add support for writing debug log to a file using "-f" option. Also
|
|
add relog CLI command to re-open the log file.
|
|
* Add bridge handling for WDS STA interfaces. By default they are
|
|
added to the configured bridge of the AP interface (if present),
|
|
but the user can also specify a separate bridge using cli command
|
|
wds_bridge.
|
|
* hostapd_cli:
|
|
- Add wds_bridge command for specifying bridge for WDS STA
|
|
interfaces.
|
|
- Add relog command for reopening log file.
|
|
- Send AP-STA-DISCONNECTED event when an AP disconnects a station
|
|
due to inactivity.
|
|
- Add wps_config ctrl_interface command for configuring AP. This
|
|
command can be used to configure the AP using the internal WPS
|
|
registrar. It works in the same way as new AP settings received
|
|
from an ER.
|
|
- Many WPS/WPS ER commands - see WPS/WPS ER sections for details.
|
|
- Add command get version, that returns hostapd version string.
|
|
* WNM: Add BSS Transition Management Request for ESS Disassoc Imminent.
|
|
Use hostapd_cli ess_disassoc (STA addr) (URL) to send the
|
|
notification to the STA.
|
|
* Allow AP mode to disconnect STAs based on low ACK condition (when
|
|
the data connection is not working properly, e.g., due to the STA
|
|
going outside the range of the AP). Disabled by default, enable by
|
|
config option disassoc_low_ack.
|
|
* Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad
|
|
config file.
|
|
* WPS:
|
|
- Send AP Settings as a wrapped Credential attribute to ctrl_iface
|
|
in WPS-NEW-AP-SETTINGS.
|
|
- Dispatch more WPS events through hostapd ctrl_iface.
|
|
- Add mechanism for indicating non-standard WPS errors.
|
|
- Change concurrent radio AP to use only one WPS UPnP instance.
|
|
- Add wps_check_pin command for processing PIN from user input.
|
|
UIs can use this command to process a PIN entered by a user and to
|
|
validate the checksum digit (if present).
|
|
- Add hostap_cli get_config command to display current AP config.
|
|
- Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at
|
|
runtime and support dynamic AP PIN management.
|
|
- Disable AP PIN after 10 consecutive failures. Slow down attacks
|
|
on failures up to 10.
|
|
- Allow AP to start in Enrollee mode without AP PIN for probing,
|
|
to be compatible with Windows 7.
|
|
- Add Config Error into WPS-FAIL events to provide more info
|
|
to the user on how to resolve the issue.
|
|
- When controlling multiple interfaces:
|
|
- apply WPS commands to all interfaces configured to use WPS
|
|
- apply WPS config changes to all interfaces that use WPS
|
|
- when an attack is detected on any interface, disable AP PIN on
|
|
all interfaces
|
|
* WPS ER:
|
|
- Show SetSelectedRegistrar events as ctrl_iface events.
|
|
- Add special AP Setup Locked mode to allow read only ER.
|
|
ap_setup_locked=2 can now be used to enable a special mode where
|
|
WPS ER can learn the current AP settings, but cannot change them.
|
|
* WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2)
|
|
- Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool
|
|
for testing protocol extensibility.
|
|
- Add build option CONFIG_WPS_STRICT to allow disabling of WPS
|
|
workarounds.
|
|
- Add support for AuthorizedMACs attribute.
|
|
* TDLS:
|
|
- Allow TDLS use or TDLS channel switching in the BSS to be
|
|
prohibited in the BSS, using config params tdls_prohibit and
|
|
tdls_prohibit_chan_switch.
|
|
* EAP server: Add support for configuring fragment size (see
|
|
fragment_size in hostapd.conf).
|
|
* wlantest: Add a tool wlantest for IEEE802.11 protocol testing.
|
|
wlantest can be used to capture frames from a monitor interface
|
|
for realtime capturing or from pcap files for offline analysis.
|
|
* Interworking: Support added for 802.11u. Enable in .config with
|
|
CONFIG_INTERWORKING. See hostapd.conf for config parameters for
|
|
interworking.
|
|
* Android: Add build and runtime support for Android hostapd.
|
|
* Add a new debug message level for excessive information. Use
|
|
-ddd to enable.
|
|
* TLS: Add support for tls_disable_time_checks=1 in client mode.
|
|
* Internal TLS:
|
|
- Add support for TLS v1.1 (RFC 4346). Enable with build parameter
|
|
CONFIG_TLSV11.
|
|
- Add domainComponent parser for X.509 names
|
|
* Reorder some IEs to get closer to IEEE 802.11 standard. Move
|
|
WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames.
|
|
Move HT IEs to be later in (Re)Assoc Resp.
|
|
* Many bugfixes.
|
|
|
|
2010-04-18 - v0.7.2
|
|
* fix WPS internal Registrar use when an external Registrar is also
|
|
active
|
|
* bsd: Cleaned up driver wrapper and added various low-level
|
|
configuration options
|
|
* TNC: fixed issues with fragmentation
|
|
* EAP-TNC: add Flags field into fragment acknowledgement (needed to
|
|
interoperate with other implementations; may potentially breaks
|
|
compatibility with older wpa_supplicant/hostapd versions)
|
|
* cleaned up driver wrapper API for multi-BSS operations
|
|
* nl80211: fix multi-BSS and VLAN operations
|
|
* fix number of issues with IEEE 802.11r/FT; this version is not
|
|
backwards compatible with old versions
|
|
* add SA Query Request processing in AP mode (IEEE 802.11w)
|
|
* fix IGTK PN in group rekeying (IEEE 802.11w)
|
|
* fix WPS PBC session overlap detection to use correct attribute
|
|
* hostapd_notif_Assoc() can now be called with all IEs to simplify
|
|
driver wrappers
|
|
* work around interoperability issue with some WPS External Registrar
|
|
implementations
|
|
* nl80211: fix WPS IE update
|
|
* hostapd_cli: add support for action script operations (run a script
|
|
on hostapd events)
|
|
* fix DH padding with internal crypto code (mainly, for WPS)
|
|
* fix WPS association with both WPS IE and WPA/RSN IE present with
|
|
driver wrappers that use hostapd MLME (e.g., nl80211)
|
|
|
|
2010-01-16 - v0.7.1
|
|
* cleaned up driver wrapper API (struct wpa_driver_ops); the new API
|
|
is not fully backwards compatible, so out-of-tree driver wrappers
|
|
will need modifications
|
|
* cleaned up various module interfaces
|
|
* merge hostapd and wpa_supplicant developers' documentation into a
|
|
single document
|
|
* fixed HT Capabilities IE with nl80211 drivers
|
|
* moved generic AP functionality code into src/ap
|
|
* WPS: handle Selected Registrar as union of info from all Registrars
|
|
* remove obsolete Prism54.org driver wrapper
|
|
* added internal debugging mechanism with backtrace support and memory
|
|
allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y)
|
|
* EAP-FAST server: piggyback Phase 2 start with the end of Phase 1
|
|
* WPS: add support for dynamically selecting whether to provision the
|
|
PSK as an ASCII passphrase or PSK
|
|
* added support for WDS (4-address frame) mode with per-station virtual
|
|
interfaces (wds_sta=1 in config file; only supported with
|
|
driver=nl80211 for now)
|
|
* fixed WPS Probe Request processing to handle missing required
|
|
attribute
|
|
* fixed PKCS#12 use with OpenSSL 1.0.0
|
|
* detect bridge interface automatically so that bridge parameter in
|
|
hostapd.conf becomes optional (though, it may now be used to
|
|
automatically add then WLAN interface into a bridge with
|
|
driver=nl80211)
|
|
|
|
2009-11-21 - v0.7.0
|
|
* increased hostapd_cli ping interval to 5 seconds and made this
|
|
configurable with a new command line options (-G<seconds>)
|
|
* driver_nl80211: use Linux socket filter to improve performance
|
|
* added support for external Registrars with WPS (UPnP transport)
|
|
* 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel
|
|
* driver_nl80211: fixed STA accounting data collection (TX/RX bytes
|
|
reported correctly; TX/RX packets not yet available from kernel)
|
|
* added support for WPS USBA out-of-band mechanism with USB Flash
|
|
Drives (UFD) (CONFIG_WPS_UFD=y)
|
|
* fixed EAPOL/EAP reauthentication when using an external RADIUS
|
|
authentication server
|
|
* fixed TNC with EAP-TTLS
|
|
* fixed IEEE 802.11r key derivation function to match with the standard
|
|
(note: this breaks interoperability with previous version) [Bug 303]
|
|
* fixed SHA-256 based key derivation function to match with the
|
|
standard when using CCMP (for IEEE 802.11r and IEEE 802.11w)
|
|
(note: this breaks interoperability with previous version) [Bug 307]
|
|
* added number of code size optimizations to remove unnecessary
|
|
functionality from the program binary based on build configuration
|
|
(part of this automatic; part configurable with CONFIG_NO_* build
|
|
options)
|
|
* use shared driver wrapper files with wpa_supplicant
|
|
* driver_nl80211: multiple updates to provide support for new Linux
|
|
nl80211/mac80211 functionality
|
|
* updated management frame protection to use IEEE Std 802.11w-2009
|
|
* fixed number of small WPS issues and added workarounds to
|
|
interoperate with common deployed broken implementations
|
|
* added some IEEE 802.11n co-existence rules to disable 40 MHz channels
|
|
or modify primary/secondary channels if needed based on neighboring
|
|
networks
|
|
* added support for NFC out-of-band mechanism with WPS
|
|
* added preliminary support for IEEE 802.11r RIC processing
|
|
|
|
2009-01-06 - v0.6.7
|
|
* added support for Wi-Fi Protected Setup (WPS)
|
|
(hostapd can now be configured to act as an integrated WPS Registrar
|
|
and provision credentials for WPS Enrollees using PIN and PBC
|
|
methods; external wireless Registrar can configure the AP, but
|
|
external WLAN Manager Registrars are not supported); WPS support can
|
|
be enabled by adding CONFIG_WPS=y into .config and setting the
|
|
runtime configuration variables in hostapd.conf (see WPS section in
|
|
the example configuration file); new hostapd_cli commands wps_pin and
|
|
wps_pbc are used to configure WPS negotiation; see README-WPS for
|
|
more details
|
|
* added IEEE 802.11n HT capability configuration (ht_capab)
|
|
* added support for generating Country IE based on nl80211 regulatory
|
|
information (added if ieee80211d=1 in configuration)
|
|
* fixed WEP authentication (both Open System and Shared Key) with
|
|
mac80211
|
|
* added support for EAP-AKA' (draft-arkko-eap-aka-kdf)
|
|
* added support for using driver_test over UDP socket
|
|
* changed EAP-GPSK to use the IANA assigned EAP method type 51
|
|
* updated management frame protection to use IEEE 802.11w/D7.0
|
|
* fixed retransmission of EAP requests if no response is received
|
|
|
|
2008-11-23 - v0.6.6
|
|
* added a new configuration option, wpa_ptk_rekey, that can be used to
|
|
enforce frequent PTK rekeying, e.g., to mitigate some attacks against
|
|
TKIP deficiencies
|
|
* updated OpenSSL code for EAP-FAST to use an updated version of the
|
|
session ticket overriding API that was included into the upstream
|
|
OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
|
|
needed with that version anymore)
|
|
* changed channel flags configuration to read the information from
|
|
the driver (e.g., via driver_nl80211 when using mac80211) instead of
|
|
using hostapd as the source of the regulatory information (i.e.,
|
|
information from CRDA is now used with mac80211); this allows 5 GHz
|
|
channels to be used with hostapd (if allowed in the current
|
|
regulatory domain)
|
|
* fixed EAP-TLS message processing for the last TLS message if it is
|
|
large enough to require fragmentation (e.g., if a large Session
|
|
Ticket data is included)
|
|
* fixed listen interval configuration for nl80211 drivers
|
|
|
|
2008-11-01 - v0.6.5
|
|
* added support for SHA-256 as X.509 certificate digest when using the
|
|
internal X.509/TLSv1 implementation
|
|
* fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer
|
|
identity lengths)
|
|
* fixed internal TLSv1 implementation for abbreviated handshake (used
|
|
by EAP-FAST server)
|
|
* added support for setting VLAN ID for STAs based on local MAC ACL
|
|
(accept_mac_file) as an alternative for RADIUS server-based
|
|
configuration
|
|
* updated management frame protection to use IEEE 802.11w/D6.0
|
|
(adds a new association ping to protect against unauthenticated
|
|
authenticate or (re)associate request frames dropping association)
|
|
* added support for using SHA256-based stronger key derivation for WPA2
|
|
(IEEE 802.11w)
|
|
* added new "driver wrapper" for RADIUS-only configuration
|
|
(driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config)
|
|
* fixed WPA/RSN IE validation to verify that the proto (WPA vs. WPA2)
|
|
is enabled in configuration
|
|
* changed EAP-FAST configuration to use separate fields for A-ID and
|
|
A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed
|
|
16-octet len binary value for better interoperability with some peer
|
|
implementations; eap_fast_a_id is now configured as a hex string
|
|
* driver_nl80211: Updated to match the current Linux mac80211 AP mode
|
|
configuration (wireless-testing.git and Linux kernel releases
|
|
starting from 2.6.29)
|
|
|
|
2008-08-10 - v0.6.4
|
|
* added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
|
|
Identity Request if identity is already known
|
|
* added support for EAP Sequences in EAP-FAST Phase 2
|
|
* added support for EAP-TNC (Trusted Network Connect)
|
|
(this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST
|
|
changes needed to run two methods in sequence (IF-T) and the IF-IMV
|
|
and IF-TNCCS interfaces from TNCS)
|
|
* added support for optional cryptobinding with PEAPv0
|
|
* added fragmentation support for EAP-TNC
|
|
* added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled)
|
|
data
|
|
* added support for opportunistic key caching (OKC)
|
|
|
|
2008-02-22 - v0.6.3
|
|
* fixed Reassociation Response callback processing when using internal
|
|
MLME (driver_{hostap,nl80211,test}.c)
|
|
* updated FT support to use the latest draft, IEEE 802.11r/D9.0
|
|
* copy optional Proxy-State attributes into RADIUS response when acting
|
|
as a RADIUS authentication server
|
|
* fixed EAPOL state machine to handle a case in which no response is
|
|
received from the RADIUS authentication server; previous version
|
|
could have triggered a crash in some cases after a timeout
|
|
* fixed EAP-SIM/AKA realm processing to allow decorated usernames to
|
|
be used
|
|
* added a workaround for EAP-SIM/AKA peers that include incorrect null
|
|
termination in the username
|
|
* fixed EAP-SIM/AKA protected result indication to include AT_COUNTER
|
|
attribute in notification messages only when using fast
|
|
reauthentication
|
|
* fixed EAP-SIM Start response processing for fast reauthentication
|
|
case
|
|
* added support for pending EAP processing in EAP-{PEAP,TTLS,FAST}
|
|
phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method
|
|
|
|
2008-01-01 - v0.6.2
|
|
* fixed EAP-SIM and EAP-AKA message parser to validate attribute
|
|
lengths properly to avoid potential crash caused by invalid messages
|
|
* added data structure for storing allocated buffers (struct wpabuf);
|
|
this does not affect hostapd usage, but many of the APIs changed
|
|
and various interfaces (e.g., EAP) is not compatible with old
|
|
versions
|
|
* added support for protecting EAP-AKA/Identity messages with
|
|
AT_CHECKCODE (optional feature in RFC 4187)
|
|
* added support for protected result indication with AT_RESULT_IND for
|
|
EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1)
|
|
* added support for configuring EAP-TTLS phase 2 non-EAP methods in
|
|
EAP server configuration; previously all four were enabled for every
|
|
phase 2 user, now all four are disabled by default and need to be
|
|
enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP,
|
|
TTLS-MSCHAPV2
|
|
* removed old debug printing mechanism and the related 'debug'
|
|
parameter in the configuration file; debug verbosity is now set with
|
|
-d (or -dd) command line arguments
|
|
* added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt);
|
|
only shared key/password authentication is supported in this version
|
|
|
|
2007-11-24 - v0.6.1
|
|
* added experimental, integrated TLSv1 server implementation with the
|
|
needed X.509/ASN.1/RSA/bignum processing (this can be enabled by
|
|
setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in
|
|
.config); this can be useful, e.g., if the target system does not
|
|
have a suitable TLS library and a minimal code size is required
|
|
* added support for EAP-FAST server method to the integrated EAP
|
|
server
|
|
* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
|
|
draft (draft-ietf-emu-eap-gpsk-07.txt)
|
|
* added a new configuration parameter, rsn_pairwise, to allow different
|
|
pairwise cipher suites to be enabled for WPA and RSN/WPA2
|
|
(note: if wpa_pairwise differs from rsn_pairwise, the driver will
|
|
either need to support this or will have to use the WPA/RSN IEs from
|
|
hostapd; currently, the included madwifi and bsd driver interfaces do
|
|
not have support for this)
|
|
* updated FT support to use the latest draft, IEEE 802.11r/D8.0
|
|
|
|
2007-05-28 - v0.6.0
|
|
* added experimental IEEE 802.11r/D6.0 support
|
|
* updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
|
|
* updated EAP-PSK to use the IANA-allocated EAP type 47
|
|
* fixed EAP-PSK bit ordering of the Flags field
|
|
* fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs
|
|
by reading wpa_psk_file [Bug 181]
|
|
* fixed EAP-TTLS AVP parser processing for too short AVP lengths
|
|
* fixed IPv6 connection to RADIUS accounting server
|
|
* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
|
|
draft (draft-ietf-emu-eap-gpsk-04.txt)
|
|
* hlr_auc_gw: read GSM triplet file into memory and rotate through the
|
|
entries instead of only using the same three triplets every time
|
|
(this does not work properly with tests using multiple clients, but
|
|
provides bit better triplet data for testing a single client; anyway,
|
|
if a better quality triplets are needed, GSM-Milenage should be used
|
|
instead of hardcoded triplet file)
|
|
* fixed EAP-MSCHAPv2 server to use a space between S and M parameters
|
|
in Success Request [Bug 203]
|
|
* added support for sending EAP-AKA Notifications in error cases
|
|
* updated to use IEEE 802.11w/D2.0 for management frame protection
|
|
(still experimental)
|
|
* RADIUS server: added support for processing duplicate messages
|
|
(retransmissions from RADIUS client) by replying with the previous
|
|
reply
|
|
|
|
2006-11-24 - v0.5.6
|
|
* added support for configuring and controlling multiple BSSes per
|
|
radio interface (bss=<ifname> in hostapd.conf); this is only
|
|
available with Devicescape and test driver interfaces
|
|
* fixed PMKSA cache update in the end of successful RSN
|
|
pre-authentication
|
|
* added support for dynamic VLAN configuration (i.e., selecting VLAN-ID
|
|
for each STA based on RADIUS Access-Accept attributes); this requires
|
|
VLAN support from the kernel driver/802.11 stack and this is
|
|
currently only available with Devicescape and test driver interfaces
|
|
* driver_madwifi: fixed configuration of unencrypted modes (plaintext
|
|
and IEEE 802.1X without WEP)
|
|
* removed STAKey handshake since PeerKey handshake has replaced it in
|
|
IEEE 802.11ma and there are no known deployments of STAKey
|
|
* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
|
|
draft (draft-ietf-emu-eap-gpsk-01.txt)
|
|
* added preliminary implementation of IEEE 802.11w/D1.0 (management
|
|
frame protection)
|
|
(Note: this requires driver support to work properly.)
|
|
(Note2: IEEE 802.11w is an unapproved draft and subject to change.)
|
|
* hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM)
|
|
* hlr_auc_gw: added support for reading per-IMSI Milenage keys and
|
|
parameters from a text file to make it possible to implement proper
|
|
GSM/UMTS authentication server for multiple SIM/USIM cards using
|
|
EAP-SIM/EAP-AKA
|
|
* fixed session timeout processing with drivers that do not use
|
|
ieee802_11.c (e.g., madwifi)
|
|
|
|
2006-08-27 - v0.5.5
|
|
* added 'hostapd_cli new_sta <addr>' command for adding a new STA into
|
|
hostapd (e.g., to initialize wired network authentication based on an
|
|
external signal)
|
|
* fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when
|
|
using WPA2 even if PMKSA caching is not used
|
|
* added -P<pid file> argument for hostapd to write the current process
|
|
id into a file
|
|
* added support for RADIUS Authentication Server MIB (RFC 2619)
|
|
|
|
2006-06-20 - v0.5.4
|
|
* fixed nt_password_hash build [Bug 144]
|
|
* added PeerKey handshake implementation for IEEE 802.11e
|
|
direct link setup (DLS) to replace STAKey handshake
|
|
* added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
|
|
draft-clancy-emu-eap-shared-secret-00.txt)
|
|
* fixed a segmentation fault when RSN pre-authentication was completed
|
|
successfully [Bug 152]
|
|
|
|
2006-04-27 - v0.5.3
|
|
* do not build nt_password_hash and hlr_auc_gw by default to avoid
|
|
requiring a TLS library for a successful build; these programs can be
|
|
build with 'make nt_password_hash' and 'make hlr_auc_gw'
|
|
* added a new configuration option, eapol_version, that can be used to
|
|
set EAPOL version to 1 (default is 2) to work around broken client
|
|
implementations that drop EAPOL frames which use version number 2
|
|
[Bug 89]
|
|
* added support for EAP-SAKE (no EAP method number allocated yet, so
|
|
this is using the same experimental type 255 as EAP-PSK)
|
|
* fixed EAP-MSCHAPv2 message length validation
|
|
|
|
2006-03-19 - v0.5.2
|
|
* fixed stdarg use in hostapd_logger(): if both stdout and syslog
|
|
logging was enabled, hostapd could trigger a segmentation fault in
|
|
vsyslog on some CPU -- C library combinations
|
|
* moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external
|
|
program to make it easier to use for implementing real SS7 gateway;
|
|
eap_sim_db is not anymore used as a file name for GSM authentication
|
|
triplets; instead, it is path to UNIX domain socket that will be used
|
|
to communicate with the external gateway program (e.g., hlr_auc_gw)
|
|
* added example HLR/AuC gateway implementation, hlr_auc_gw, that uses
|
|
local information (GSM authentication triplets from a text file and
|
|
hardcoded AKA authentication data); this can be used to test EAP-SIM
|
|
and EAP-AKA
|
|
* added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw
|
|
to make it possible to test EAP-AKA with real USIM cards (this is
|
|
disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw
|
|
to enable this)
|
|
* driver_madwifi: added support for getting station RSN IE from
|
|
madwifi-ng svn r1453 and newer; this fixes RSN that was apparently
|
|
broken with earlier change (r1357) in the driver
|
|
* changed EAP method registration to use a dynamic list of methods
|
|
instead of a static list generated at build time
|
|
* fixed WPA message 3/4 not to encrypt Key Data field (WPA IE)
|
|
[Bug 125]
|
|
* added ap_max_inactivity configuration parameter
|
|
|
|
2006-01-29 - v0.5.1
|
|
* driver_test: added better support for multiple APs and STAs by using
|
|
a directory with sockets that include MAC address for each device in
|
|
the name (test_socket=DIR:/tmp/test)
|
|
* added support for EAP expanded type (vendor specific EAP methods)
|
|
|
|
2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
|
|
* added experimental STAKey handshake implementation for IEEE 802.11e
|
|
direct link setup (DLS); note: this is disabled by default in both
|
|
build and runtime configuration (can be enabled with CONFIG_STAKEY=y
|
|
and stakey=1)
|
|
* added support for EAP methods to use callbacks to external programs
|
|
by buffering a pending request and processing it after the EAP method
|
|
is ready to continue
|
|
* improved EAP-SIM database interface to allow external request to GSM
|
|
HLR/AuC without blocking hostapd process
|
|
* added support for using EAP-SIM pseudonyms and fast re-authentication
|
|
* added support for EAP-AKA in the integrated EAP authenticator
|
|
* added support for matching EAP identity prefixes (e.g., "1"*) in EAP
|
|
user database to allow EAP-SIM/AKA selection without extra roundtrip
|
|
for EAP-Nak negotiation
|
|
* added support for storing EAP user password as NtPasswordHash instead
|
|
of plaintext password when using MSCHAP or MSCHAPv2 for
|
|
authentication (hash:<16-octet hex value>); added nt_password_hash
|
|
tool for hashing password to generate NtPasswordHash
|
|
|
|
2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
|
|
* driver_wired: fixed EAPOL sending to optionally use PAE group address
|
|
as the destination instead of supplicant MAC address; this is
|
|
disabled by default, but should be enabled with use_pae_group_addr=1
|
|
in configuration file if the wired interface is used by only one
|
|
device at the time (common switch configuration)
|
|
* driver_madwifi: configure driver to use TKIP countermeasures in order
|
|
to get correct behavior (IEEE 802.11 association failing; previously,
|
|
association succeeded, but hostpad forced disassociation immediately)
|
|
* driver_madwifi: added support for madwifi-ng
|
|
|
|
2005-10-27 - v0.4.6
|
|
* added support for replacing user identity from EAP with RADIUS
|
|
User-Name attribute from Access-Accept message, if that is included,
|
|
for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get
|
|
tunneled identity into accounting messages when the RADIUS server
|
|
does not support better way of doing this with Class attribute)
|
|
* driver_madwifi: fixed EAPOL packet receive for configuration where
|
|
ath# is part of a bridge interface
|
|
* added a configuration file and log analyzer script for logwatch
|
|
* fixed EAPOL state machine step function to process all state
|
|
transitions before processing new events; this resolves a race
|
|
condition in which EAPOL-Start message could trigger hostapd to send
|
|
two EAP-Response/Identity frames to the authentication server
|
|
|
|
2005-09-25 - v0.4.5
|
|
* added client CA list to the TLS certificate request in order to make
|
|
it easier for the client to select which certificate to use
|
|
* added experimental support for EAP-PSK
|
|
* added support for WE-19 (hostap, madwifi)
|
|
|
|
2005-08-21 - v0.4.4
|
|
* fixed build without CONFIG_RSN_PREAUTH
|
|
* fixed FreeBSD build
|
|
|
|
2005-06-26 - v0.4.3
|
|
* fixed PMKSA caching to copy User-Name and Class attributes so that
|
|
RADIUS accounting gets correct information
|
|
* start RADIUS accounting only after successful completion of WPA
|
|
4-Way Handshake if WPA-PSK is used
|
|
* fixed PMKSA caching for the case where STA (re)associates without
|
|
first disassociating
|
|
|
|
2005-06-12 - v0.4.2
|
|
* EAP-PAX is now registered as EAP type 46
|
|
* fixed EAP-PAX MAC calculation
|
|
* fixed EAP-PAX CK and ICK key derivation
|
|
* renamed eap_authenticator configuration variable to eap_server to
|
|
better match with RFC 3748 (EAP) terminology
|
|
* driver_test: added support for testing hostapd with wpa_supplicant
|
|
by using test driver interface without any kernel drivers or network
|
|
cards
|
|
|
|
2005-05-22 - v0.4.1
|
|
* fixed RADIUS server initialization when only auth or acct server
|
|
is configured and the other one is left empty
|
|
* driver_madwifi: added support for RADIUS accounting
|
|
* driver_madwifi: added preliminary support for compiling against 'BSD'
|
|
branch of madwifi CVS tree
|
|
* driver_madwifi: fixed pairwise key removal to allow WPA reauth
|
|
without disassociation
|
|
* added support for reading additional certificates from PKCS#12 files
|
|
and adding them to the certificate chain
|
|
* fixed RADIUS Class attribute processing to only use Access-Accept
|
|
packets to update Class; previously, other RADIUS authentication
|
|
packets could have cleared Class attribute
|
|
* added support for more than one Class attribute in RADIUS packets
|
|
* added support for verifying certificate revocation list (CRL) when
|
|
using integrated EAP authenticator for EAP-TLS; new hostapd.conf
|
|
options 'check_crl'; CRL must be included in the ca_cert file for now
|
|
|
|
2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
|
|
* added support for including network information into
|
|
EAP-Request/Identity message (ASCII-0 (nul) in eap_message)
|
|
(e.g., to implement draft-adrange-eap-network-discovery-07.txt)
|
|
* fixed a bug which caused some RSN pre-authentication cases to use
|
|
freed memory and potentially crash hostapd
|
|
* fixed private key loading for cases where passphrase is not set
|
|
* added support for sending TLS alerts and aborting authentication
|
|
when receiving a TLS alert
|
|
* fixed WPA2 to add PMKSA cache entry when using integrated EAP
|
|
authenticator
|
|
* fixed PMKSA caching (EAP authentication was not skipped correctly
|
|
with the new state machine changes from IEEE 802.1X draft)
|
|
* added support for RADIUS over IPv6; own_ip_addr, auth_server_addr,
|
|
and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs
|
|
to be added to .config to include IPv6 support); for RADIUS server,
|
|
radius_server_ipv6=1 needs to be set in hostapd.conf and addresses
|
|
in RADIUS clients file can then use IPv6 format
|
|
* added experimental support for EAP-PAX
|
|
* replaced hostapd control interface library (hostapd_ctrl.[ch]) with
|
|
the same implementation that wpa_supplicant is using (wpa_ctrl.[ch])
|
|
|
|
2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)
|
|
|
|
2005-01-23 - v0.3.5
|
|
* added support for configuring a forced PEAP version based on the
|
|
Phase 1 identity
|
|
* fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV
|
|
to terminate authentication
|
|
* fixed EAP identifier duplicate processing with the new IEEE 802.1X
|
|
draft
|
|
* clear accounting data in the driver when starting a new accounting
|
|
session
|
|
* driver_madwifi: filter wireless events based on ifindex to allow more
|
|
than one network interface to be used
|
|
* fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt
|
|
setting if the packet does not pass MIC verification (e.g., due to
|
|
incorrect PSK); previously, message 1/4 was not tried again if an
|
|
invalid message 2/4 was received
|
|
* fixed reconfiguration of RADIUS client retransmission timer when
|
|
adding a new message to the pending list; previously, timer was not
|
|
updated at this point and if there was a pending message with long
|
|
time for the next retry, the new message needed to wait that long for
|
|
its first retry, too
|
|
|
|
2005-01-09 - v0.3.4
|
|
* added support for configuring multiple allowed EAP types for Phase 2
|
|
authentication (EAP-PEAP, EAP-TTLS)
|
|
* fixed EAPOL-Start processing to trigger WPA reauthentication
|
|
(previously, only EAPOL authentication was done)
|
|
|
|
2005-01-02 - v0.3.3
|
|
* added support for EAP-PEAP in the integrated EAP authenticator
|
|
* added support for EAP-GTC in the integrated EAP authenticator
|
|
* added support for configuring list of EAP methods for Phase 1 so that
|
|
the integrated EAP authenticator can, e.g., use the wildcard entry
|
|
for EAP-TLS and EAP-PEAP
|
|
* added support for EAP-TTLS in the integrated EAP authenticator
|
|
* added support for EAP-SIM in the integrated EAP authenticator
|
|
* added support for using hostapd as a RADIUS authentication server
|
|
with the integrated EAP authenticator taking care of EAP
|
|
authentication (new hostapd.conf options: radius_server_clients and
|
|
radius_server_auth_port); this is not included in default build; use
|
|
CONFIG_RADIUS_SERVER=y in .config to include
|
|
|
|
2004-12-19 - v0.3.2
|
|
* removed 'daemonize' configuration file option since it has not really
|
|
been used at all for more than year
|
|
* driver_madwifi: fixed group key setup and added get_ssid method
|
|
* added support for EAP-MSCHAPv2 in the integrated EAP authenticator
|
|
|
|
2004-12-12 - v0.3.1
|
|
* added support for integrated EAP-TLS authentication (new hostapd.conf
|
|
variables: ca_cert, server_cert, private_key, private_key_passwd);
|
|
this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without
|
|
external RADIUS server
|
|
* added support for reading PKCS#12 (PFX) files (as a replacement for
|
|
PEM/DER) to get certificate and private key (CONFIG_PKCS12)
|
|
|
|
2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
|
|
* added support for Acct-{Input,Output}-Gigawords
|
|
* added support for Event-Timestamp (in RADIUS Accounting-Requests)
|
|
* added support for RADIUS Authentication Client MIB (RFC2618)
|
|
* added support for RADIUS Accounting Client MIB (RFC2620)
|
|
* made EAP re-authentication period configurable (eap_reauth_period)
|
|
* fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication
|
|
* fixed EAPOL state machine to stop if STA is removed during
|
|
eapol_sm_step(); this fixes at least one segfault triggering bug with
|
|
IEEE 802.11i pre-authentication
|
|
* added support for multiple WPA pre-shared keys (e.g., one for each
|
|
client MAC address or keys shared by a group of clients);
|
|
new hostapd.conf field wpa_psk_file for setting path to a text file
|
|
containing PSKs, see hostapd.wpa_psk for an example
|
|
* added support for multiple driver interfaces to allow hostapd to be
|
|
used with other drivers
|
|
* added wired authenticator driver interface (driver=wired in
|
|
hostapd.conf, see wired.conf for example configuration)
|
|
* added madwifi driver interface (driver=madwifi in hostapd.conf, see
|
|
madwifi.conf for example configuration; Note: include files from
|
|
madwifi project is needed for building and a configuration file,
|
|
.config, needs to be created in hostapd directory with
|
|
CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd
|
|
build)
|
|
* fixed an alignment issue that could cause SHA-1 to fail on some
|
|
platforms (e.g., Intel ixp425 with a compiler that does not 32-bit
|
|
align variables)
|
|
* fixed RADIUS reconnection after an error in sending interim
|
|
accounting packets
|
|
* added hostapd control interface for external programs and an example
|
|
CLI, hostapd_cli (like wpa_cli for wpa_supplicant)
|
|
* started adding dot11, dot1x, radius MIBs ('hostapd_cli mib',
|
|
'hostapd_cli sta <addr>')
|
|
* finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11)
|
|
* added support for strict GTK rekeying (wpa_strict_rekey in
|
|
hostapd.conf)
|
|
* updated IAPP to use UDP port 3517 and multicast address 224.0.1.178
|
|
(instead of broadcast) for IAPP ADD-notify (moved from draft 3 to
|
|
IEEE 802.11F-2003)
|
|
* added Prism54 driver interface (driver=prism54 in hostapd.conf;
|
|
note: .config needs to be created in hostapd directory with
|
|
CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd
|
|
build)
|
|
* dual-licensed hostapd (GPLv2 and BSD licenses)
|
|
* fixed RADIUS accounting to generate a new session id for cases where
|
|
a station reassociates without first being complete deauthenticated
|
|
* fixed STA disassociation handler to mark next timeout state to
|
|
deauthenticate the station, i.e., skip long wait for inactivity poll
|
|
and extra disassociation, if the STA disassociates without
|
|
deauthenticating
|
|
* added integrated EAP authenticator that can be used instead of
|
|
external RADIUS authentication server; currently, only EAP-MD5 is
|
|
supported, so this cannot yet be used for key distribution; the EAP
|
|
method interface is generic, though, so adding new EAP methods should
|
|
be straightforward; new hostapd.conf variables: 'eap_authenticator'
|
|
and 'eap_user_file'; this obsoletes "minimal authentication server"
|
|
('minimal_eap' in hostapd.conf) which is now removed
|
|
* added support for FreeBSD and driver interface for the BSD net80211
|
|
layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in
|
|
.config); please note that some of the required kernel mods have not
|
|
yet been committed
|
|
|
|
2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
|
|
* fixed some accounting cases where Accounting-Start was sent when
|
|
IEEE 802.1X port was being deauthorized
|
|
|
|
2004-06-20 - v0.2.3
|
|
* modified RADIUS client to re-connect the socket in case of certain
|
|
error codes that are generated when a network interface state is
|
|
changes (e.g., when IP address changes or the interface is set UP)
|
|
* fixed couple of cases where EAPOL state for a station was freed
|
|
twice causing a segfault for hostapd
|
|
* fixed couple of bugs in processing WPA deauthentication (freed data
|
|
was used)
|
|
|
|
2004-05-31 - v0.2.2
|
|
* fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM)
|
|
* fixed group rekeying to send zero TSC in EAPOL-Key messages to fix
|
|
cases where STAs dropped multicast frames as replay attacks
|
|
* added support for copying RADIUS Attribute 'Class' from
|
|
authentication messages into accounting messages
|
|
* send canned EAP failure if RADIUS server sends Access-Reject without
|
|
EAP message (previously, Supplicant was not notified in this case)
|
|
* fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do
|
|
not start EAPOL state machines if the STA selected to use WPA-PSK)
|
|
|
|
2004-05-06 - v0.2.1
|
|
* added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality
|
|
- based on IEEE 802.11i/D10.0 but modified to interoperate with WPA
|
|
(i.e., IEEE 802.11i/D3.0)
|
|
- supports WPA-only, RSN-only, and mixed WPA/RSN mode
|
|
- both WPA-PSK and WPA-RADIUS/EAP are supported
|
|
- PMKSA caching and pre-authentication
|
|
- new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase,
|
|
wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey,
|
|
rsn_preauth, rsn_preauth_interfaces
|
|
* fixed interim accounting to remove any pending accounting messages
|
|
to the STA before sending a new one
|
|
|
|
2004-02-15 - v0.2.0
|
|
* added support for Acct-Interim-Interval:
|
|
- draft-ietf-radius-acct-interim-01.txt
|
|
- use Acct-Interim-Interval attribute from Access-Accept if local
|
|
'radius_acct_interim_interval' is not set
|
|
- allow different update intervals for each STA
|
|
* fixed event loop to call signal handlers only after returning from
|
|
the real signal handler
|
|
* reset sta->timeout_next after successful association to make sure
|
|
that the previously registered inactivity timer will not remove the
|
|
STA immediately (e.g., if STA deauthenticates and re-associates
|
|
before the timer is triggered).
|
|
* added new hostapd.conf variable, nas_identifier, that can be used to
|
|
add an optional RADIUS Attribute, NAS-Identifier, into authentication
|
|
and accounting messages
|
|
* added support for Accounting-On and Accounting-Off messages
|
|
* fixed accounting session handling to send Accounting-Start only once
|
|
per session and not to send Accounting-Stop if the session was not
|
|
initialized properly
|
|
* fixed Accounting-Stop statistics in cases where the message was
|
|
previously sent after the kernel entry for the STA (and/or IEEE
|
|
802.1X data) was removed
|
|
|
|
|
|
Note:
|
|
|
|
Older changes up to and including v0.1.0 are included in the ChangeLog
|
|
of the Host AP driver.
|