16d49e1aeSJan LentferChangeLog for wpa_supplicant 26d49e1aeSJan Lentfer 3*a1157835SDaniel Fojt2019-08-07 - v2.9 4*a1157835SDaniel Fojt * SAE changes 5*a1157835SDaniel Fojt - disable use of groups using Brainpool curves 6*a1157835SDaniel Fojt - improved protection against side channel attacks 7*a1157835SDaniel Fojt [https://w1.fi/security/2019-6/] 8*a1157835SDaniel Fojt * EAP-pwd changes 9*a1157835SDaniel Fojt - disable use of groups using Brainpool curves 10*a1157835SDaniel Fojt - allow the set of groups to be configured (eap_pwd_groups) 11*a1157835SDaniel Fojt - improved protection against side channel attacks 12*a1157835SDaniel Fojt [https://w1.fi/security/2019-6/] 13*a1157835SDaniel Fojt * fixed FT-EAP initial mobility domain association using PMKSA caching 14*a1157835SDaniel Fojt (disabled by default for backwards compatibility; can be enabled 15*a1157835SDaniel Fojt with ft_eap_pmksa_caching=1) 16*a1157835SDaniel Fojt * fixed a regression in OpenSSL 1.1+ engine loading 17*a1157835SDaniel Fojt * added validation of RSNE in (Re)Association Response frames 18*a1157835SDaniel Fojt * fixed DPP bootstrapping URI parser of channel list 19*a1157835SDaniel Fojt * extended EAP-SIM/AKA fast re-authentication to allow use with FILS 20*a1157835SDaniel Fojt * extended ca_cert_blob to support PEM format 21*a1157835SDaniel Fojt * improved robustness of P2P Action frame scheduling 22*a1157835SDaniel Fojt * added support for EAP-SIM/AKA using anonymous@realm identity 23*a1157835SDaniel Fojt * fixed Hotspot 2.0 credential selection based on roaming consortium 24*a1157835SDaniel Fojt to ignore credentials without a specific EAP method 25*a1157835SDaniel Fojt * added experimental support for EAP-TEAP peer (RFC 7170) 26*a1157835SDaniel Fojt * added experimental support for EAP-TLS peer with TLS v1.3 27*a1157835SDaniel Fojt * fixed a regression in WMM parameter configuration for a TDLS peer 28*a1157835SDaniel Fojt * fixed a regression in operation with drivers that offload 802.1X 
29*a1157835SDaniel Fojt 4-way handshake 30*a1157835SDaniel Fojt * fixed an ECDH operation corner case with OpenSSL 31*a1157835SDaniel Fojt 32*a1157835SDaniel Fojt2019-04-21 - v2.8 33*a1157835SDaniel Fojt * SAE changes 34*a1157835SDaniel Fojt - added support for SAE Password Identifier 35*a1157835SDaniel Fojt - changed default configuration to enable only groups 19, 20, 21 36*a1157835SDaniel Fojt (i.e., disable groups 25 and 26) and disable all unsuitable groups 37*a1157835SDaniel Fojt completely based on REVmd changes 38*a1157835SDaniel Fojt - do not regenerate PWE unnecessarily when the AP uses the 39*a1157835SDaniel Fojt anti-clogging token mechanisms 40*a1157835SDaniel Fojt - fixed some association cases where both SAE and FT-SAE were enabled 41*a1157835SDaniel Fojt on both the station and the selected AP 42*a1157835SDaniel Fojt - started to prefer FT-SAE over SAE AKM if both are enabled 43*a1157835SDaniel Fojt - started to prefer FT-SAE over FT-PSK if both are enabled 44*a1157835SDaniel Fojt - fixed FT-SAE when SAE PMKSA caching is used 45*a1157835SDaniel Fojt - reject use of unsuitable groups based on new implementation guidance 46*a1157835SDaniel Fojt in REVmd (allow only FFC groups with prime >= 3072 bits and ECC 47*a1157835SDaniel Fojt groups with prime >= 256) 48*a1157835SDaniel Fojt - minimize timing and memory use differences in PWE derivation 49*a1157835SDaniel Fojt [https://w1.fi/security/2019-1/] (CVE-2019-9494) 50*a1157835SDaniel Fojt * EAP-pwd changes 51*a1157835SDaniel Fojt - minimize timing and memory use differences in PWE derivation 52*a1157835SDaniel Fojt [https://w1.fi/security/2019-2/] (CVE-2019-9495) 53*a1157835SDaniel Fojt - verify server scalar/element 54*a1157835SDaniel Fojt [https://w1.fi/security/2019-4/] (CVE-2019-9499) 55*a1157835SDaniel Fojt - fix message reassembly issue with unexpected fragment 56*a1157835SDaniel Fojt [https://w1.fi/security/2019-5/] 57*a1157835SDaniel Fojt - enforce rand,mask generation rules more strictly 
58*a1157835SDaniel Fojt - fix a memory leak in PWE derivation 59*a1157835SDaniel Fojt - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 60*a1157835SDaniel Fojt 27) 61*a1157835SDaniel Fojt * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y 62*a1157835SDaniel Fojt * Hotspot 2.0 changes 63*a1157835SDaniel Fojt - do not indicate release number that is higher than the one 64*a1157835SDaniel Fojt AP supports 65*a1157835SDaniel Fojt - added support for release number 3 66*a1157835SDaniel Fojt - enable PMF automatically for network profiles created from 67*a1157835SDaniel Fojt credentials 68*a1157835SDaniel Fojt * fixed OWE network profile saving 69*a1157835SDaniel Fojt * fixed DPP network profile saving 70*a1157835SDaniel Fojt * added support for RSN operating channel validation 71*a1157835SDaniel Fojt (CONFIG_OCV=y and network profile parameter ocv=1) 72*a1157835SDaniel Fojt * added Multi-AP backhaul STA support 73*a1157835SDaniel Fojt * fixed build with LibreSSL 74*a1157835SDaniel Fojt * number of MKA/MACsec fixes and extensions 75*a1157835SDaniel Fojt * extended domain_match and domain_suffix_match to allow list of values 76*a1157835SDaniel Fojt * fixed dNSName matching in domain_match and domain_suffix_match when 77*a1157835SDaniel Fojt using wolfSSL 78*a1157835SDaniel Fojt * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both 79*a1157835SDaniel Fojt are enabled 80*a1157835SDaniel Fojt * extended nl80211 Connect and external authentication to support 81*a1157835SDaniel Fojt SAE, FT-SAE, FT-EAP-SHA384 82*a1157835SDaniel Fojt * fixed KEK2 derivation for FILS+FT 83*a1157835SDaniel Fojt * extended client_cert file to allow loading of a chain of PEM 84*a1157835SDaniel Fojt encoded certificates 85*a1157835SDaniel Fojt * extended beacon reporting functionality 86*a1157835SDaniel Fojt * extended D-Bus interface with number of new properties 87*a1157835SDaniel Fojt * fixed a regression in FT-over-DS with mac80211-based drivers 
88*a1157835SDaniel Fojt * OpenSSL: allow systemwide policies to be overridden 89*a1157835SDaniel Fojt * extended driver flags indication for separate 802.1X and PSK 90*a1157835SDaniel Fojt 4-way handshake offload capability 91*a1157835SDaniel Fojt * added support for random P2P Device/Interface Address use 92*a1157835SDaniel Fojt * extended PEAP to derive EMSK to enable use with ERP/FILS 93*a1157835SDaniel Fojt * extended WPS to allow SAE configuration to be added automatically 94*a1157835SDaniel Fojt for PSK (wps_cred_add_sae=1) 95*a1157835SDaniel Fojt * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) 96*a1157835SDaniel Fojt * extended domain_match and domain_suffix_match to allow list of values 97*a1157835SDaniel Fojt * added a RSN workaround for misbehaving PMF APs that advertise 98*a1157835SDaniel Fojt IGTK/BIP KeyID using incorrect byte order 99*a1157835SDaniel Fojt * fixed PTK rekeying with FILS and FT 100*a1157835SDaniel Fojt 101*a1157835SDaniel Fojt2018-12-02 - v2.7 102*a1157835SDaniel Fojt * fixed WPA packet number reuse with replayed messages and key 103*a1157835SDaniel Fojt reinstallation 104*a1157835SDaniel Fojt [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, 105*a1157835SDaniel Fojt CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, 106*a1157835SDaniel Fojt CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) 107*a1157835SDaniel Fojt * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant 108*a1157835SDaniel Fojt [https://w1.fi/security/2018-1/] (CVE-2018-14526) 109*a1157835SDaniel Fojt * added support for FILS (IEEE 802.11ai) shared key authentication 110*a1157835SDaniel Fojt * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; 111*a1157835SDaniel Fojt and transition mode defined by WFA) 112*a1157835SDaniel Fojt * added support for DPP (Wi-Fi Device Provisioning Protocol) 113*a1157835SDaniel Fojt * added support for RSA 3k key case with Suite B 192-bit level 114*a1157835SDaniel 
Fojt * fixed Suite B PMKSA caching not to update PMKID during each 4-way 115*a1157835SDaniel Fojt handshake 116*a1157835SDaniel Fojt * fixed EAP-pwd pre-processing with PasswordHashHash 117*a1157835SDaniel Fojt * added EAP-pwd client support for salted passwords 118*a1157835SDaniel Fojt * fixed a regression in TDLS prohibited bit validation 119*a1157835SDaniel Fojt * started to use estimated throughput to avoid undesired signal 120*a1157835SDaniel Fojt strength based roaming decision 121*a1157835SDaniel Fojt * MACsec/MKA: 122*a1157835SDaniel Fojt - new macsec_linux driver interface support for the Linux 123*a1157835SDaniel Fojt kernel macsec module 124*a1157835SDaniel Fojt - number of fixes and extensions 125*a1157835SDaniel Fojt * added support for external persistent storage of PMKSA cache 126*a1157835SDaniel Fojt (PMKSA_GET/PMKSA_ADD control interface commands; and 127*a1157835SDaniel Fojt MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) 128*a1157835SDaniel Fojt * fixed mesh channel configuration pri/sec switch case 129*a1157835SDaniel Fojt * added support for beacon report 130*a1157835SDaniel Fojt * large number of other fixes, cleanup, and extensions 131*a1157835SDaniel Fojt * added support for randomizing local address for GAS queries 132*a1157835SDaniel Fojt (gas_rand_mac_addr parameter) 133*a1157835SDaniel Fojt * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel 134*a1157835SDaniel Fojt * added option for using random WPS UUID (auto_uuid=1) 135*a1157835SDaniel Fojt * added SHA256-hash support for OCSP certificate matching 136*a1157835SDaniel Fojt * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure 137*a1157835SDaniel Fojt * fixed a regression in RSN pre-authentication candidate selection 138*a1157835SDaniel Fojt * added option to configure allowed group management cipher suites 139*a1157835SDaniel Fojt (group_mgmt network profile parameter) 140*a1157835SDaniel Fojt * removed all PeerKey functionality 141*a1157835SDaniel Fojt * fixed nl80211 AP 
and mesh mode configuration regression with 142*a1157835SDaniel Fojt Linux 4.15 and newer 143*a1157835SDaniel Fojt * added ap_isolate configuration option for AP mode 144*a1157835SDaniel Fojt * added support for nl80211 to offload 4-way handshake into the driver 145*a1157835SDaniel Fojt * added support for using wolfSSL cryptographic library 146*a1157835SDaniel Fojt * SAE 147*a1157835SDaniel Fojt - added support for configuring SAE password separately of the 148*a1157835SDaniel Fojt WPA2 PSK/passphrase 149*a1157835SDaniel Fojt - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection 150*a1157835SDaniel Fojt for SAE; 151*a1157835SDaniel Fojt note: this is not backwards compatible, i.e., both the AP and 152*a1157835SDaniel Fojt station side implementations will need to be update at the same 153*a1157835SDaniel Fojt time to maintain interoperability 154*a1157835SDaniel Fojt - added support for Password Identifier 155*a1157835SDaniel Fojt - fixed FT-SAE PMKID matching 156*a1157835SDaniel Fojt * Hotspot 2.0 157*a1157835SDaniel Fojt - added support for fetching of Operator Icon Metadata ANQP-element 158*a1157835SDaniel Fojt - added support for Roaming Consortium Selection element 159*a1157835SDaniel Fojt - added support for Terms and Conditions 160*a1157835SDaniel Fojt - added support for OSEN connection in a shared RSN BSS 161*a1157835SDaniel Fojt - added support for fetching Venue URL information 162*a1157835SDaniel Fojt * added support for using OpenSSL 1.1.1 163*a1157835SDaniel Fojt * FT 164*a1157835SDaniel Fojt - disabled PMKSA caching with FT since it is not fully functional 165*a1157835SDaniel Fojt - added support for SHA384 based AKM 166*a1157835SDaniel Fojt - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, 167*a1157835SDaniel Fojt BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 168*a1157835SDaniel Fojt - fixed additional IE inclusion in Reassociation Request frame when 169*a1157835SDaniel Fojt using FT protocol 
170*a1157835SDaniel Fojt 171*a1157835SDaniel Fojt2016-10-02 - v2.6 172*a1157835SDaniel Fojt * fixed WNM Sleep Mode processing when PMF is not enabled 173*a1157835SDaniel Fojt [http://w1.fi/security/2015-6/] (CVE-2015-5310) 174*a1157835SDaniel Fojt * fixed EAP-pwd last fragment validation 175*a1157835SDaniel Fojt [http://w1.fi/security/2015-7/] (CVE-2015-5315) 176*a1157835SDaniel Fojt * fixed EAP-pwd unexpected Confirm message processing 177*a1157835SDaniel Fojt [http://w1.fi/security/2015-8/] (CVE-2015-5316) 178*a1157835SDaniel Fojt * fixed WPS configuration update vulnerability with malformed passphrase 179*a1157835SDaniel Fojt [http://w1.fi/security/2016-1/] (CVE-2016-4476) 180*a1157835SDaniel Fojt * fixed configuration update vulnerability with malformed parameters set 181*a1157835SDaniel Fojt over the local control interface 182*a1157835SDaniel Fojt [http://w1.fi/security/2016-1/] (CVE-2016-4477) 183*a1157835SDaniel Fojt * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case 184*a1157835SDaniel Fojt * extended channel switch support for P2P GO 185*a1157835SDaniel Fojt * started to throttle control interface event message bursts to avoid 186*a1157835SDaniel Fojt issues with monitor sockets running out of buffer space 187*a1157835SDaniel Fojt * mesh mode fixes/improvements 188*a1157835SDaniel Fojt - generate proper AID for peer 189*a1157835SDaniel Fojt - enable WMM by default 190*a1157835SDaniel Fojt - add VHT support 191*a1157835SDaniel Fojt - fix PMKID derivation 192*a1157835SDaniel Fojt - improve robustness on various exchanges 193*a1157835SDaniel Fojt - fix peer link counting in reconnect case 194*a1157835SDaniel Fojt - improve mesh joining behavior 195*a1157835SDaniel Fojt - allow DTIM period to be configured 196*a1157835SDaniel Fojt - allow HT to be disabled (disable_ht=1) 197*a1157835SDaniel Fojt - add MESH_PEER_ADD and MESH_PEER_REMOVE commands 198*a1157835SDaniel Fojt - add support for PMKSA caching 199*a1157835SDaniel Fojt - add minimal 
support for SAE group negotiation 200*a1157835SDaniel Fojt - allow pairwise/group cipher to be configured in the network profile 201*a1157835SDaniel Fojt - use ieee80211w profile parameter to enable/disable PMF and derive 202*a1157835SDaniel Fojt a separate TX IGTK if PMF is enabled instead of using MGTK 203*a1157835SDaniel Fojt incorrectly 204*a1157835SDaniel Fojt - fix AEK and MTK derivation 205*a1157835SDaniel Fojt - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close 206*a1157835SDaniel Fojt - note: these changes are not fully backwards compatible for secure 207*a1157835SDaniel Fojt (RSN) mesh network 208*a1157835SDaniel Fojt * fixed PMKID derivation with SAE 209*a1157835SDaniel Fojt * added support for requesting and fetching arbitrary ANQP-elements 210*a1157835SDaniel Fojt without internal support in wpa_supplicant for the specific element 211*a1157835SDaniel Fojt (anqp[265]=<hexdump> in "BSS <BSSID>" command output) 212*a1157835SDaniel Fojt * P2P 213*a1157835SDaniel Fojt - filter control characters in group client device names to be 214*a1157835SDaniel Fojt consistent with other P2P peer cases 215*a1157835SDaniel Fojt - support VHT 80+80 MHz and 160 MHz 216*a1157835SDaniel Fojt - indicate group completion in P2P Client role after data association 217*a1157835SDaniel Fojt instead of already after the WPS provisioning step 218*a1157835SDaniel Fojt - improve group-join operation to use SSID, if known, to filter BSS 219*a1157835SDaniel Fojt entries 220*a1157835SDaniel Fojt - added optional ssid=<hexdump> argument to P2P_CONNECT for join case 221*a1157835SDaniel Fojt - added P2P_GROUP_MEMBER command to fetch client interface address 222*a1157835SDaniel Fojt * P2PS 223*a1157835SDaniel Fojt - fix follow-on PD Response behavior 224*a1157835SDaniel Fojt - fix PD Response generation for unknown peer 225*a1157835SDaniel Fojt - fix persistent group reporting 226*a1157835SDaniel Fojt - add channel policy to PD Request 227*a1157835SDaniel Fojt - add group SSID to 
the P2PS-PROV-DONE event 228*a1157835SDaniel Fojt - allow "P2P_CONNECT <addr> p2ps" to be used without specifying the 229*a1157835SDaniel Fojt default PIN 230*a1157835SDaniel Fojt * BoringSSL 231*a1157835SDaniel Fojt - support for OCSP stapling 232*a1157835SDaniel Fojt - support building of h20-osu-client 233*a1157835SDaniel Fojt * D-Bus 234*a1157835SDaniel Fojt - add ExpectDisconnect() 235*a1157835SDaniel Fojt - add global config parameters as properties 236*a1157835SDaniel Fojt - add SaveConfig() 237*a1157835SDaniel Fojt - add VendorElemAdd(), VendorElemGet(), VendorElemRem() 238*a1157835SDaniel Fojt * fixed Suite B 192-bit AKM to use proper PMK length 239*a1157835SDaniel Fojt (note: this makes old releases incompatible with the fixed behavior) 240*a1157835SDaniel Fojt * improved PMF behavior for cases where the AP and STA has different 241*a1157835SDaniel Fojt configuration by not trying to connect in some corner cases where the 242*a1157835SDaniel Fojt connection cannot succeed 243*a1157835SDaniel Fojt * added option to reopen debug log (e.g., to rotate the file) upon 244*a1157835SDaniel Fojt receipt of SIGHUP signal 245*a1157835SDaniel Fojt * EAP-pwd: added support for Brainpool Elliptic Curves 246*a1157835SDaniel Fojt (with OpenSSL 1.0.2 and newer) 247*a1157835SDaniel Fojt * fixed EAPOL reauthentication after FT protocol run 248*a1157835SDaniel Fojt * fixed FTIE generation for 4-way handshake after FT protocol run 249*a1157835SDaniel Fojt * extended INTERFACE_ADD command to allow certain type (sta/ap) 250*a1157835SDaniel Fojt interface to be created 251*a1157835SDaniel Fojt * fixed and improved various FST operations 252*a1157835SDaniel Fojt * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh 253*a1157835SDaniel Fojt * fixed SIGNAL_POLL in IBSS and mesh cases 254*a1157835SDaniel Fojt * added an option to abort an ongoing scan (used to speed up connection 255*a1157835SDaniel Fojt and can also be done with the new ABORT_SCAN command) 256*a1157835SDaniel 
Fojt * TLS client 257*a1157835SDaniel Fojt - do not verify CA certificates when ca_cert is not specified 258*a1157835SDaniel Fojt - support validating server certificate hash 259*a1157835SDaniel Fojt - support SHA384 and SHA512 hashes 260*a1157835SDaniel Fojt - add signature_algorithms extension into ClientHello 261*a1157835SDaniel Fojt - support TLS v1.2 signature algorithm with SHA384 and SHA512 262*a1157835SDaniel Fojt - support server certificate probing 263*a1157835SDaniel Fojt - allow specific TLS versions to be disabled with phase2 parameter 264*a1157835SDaniel Fojt - support extKeyUsage 265*a1157835SDaniel Fojt - support PKCS #5 v2.0 PBES2 266*a1157835SDaniel Fojt - support PKCS #5 with PKCS #12 style key decryption 267*a1157835SDaniel Fojt - minimal support for PKCS #12 268*a1157835SDaniel Fojt - support OCSP stapling (including ocsp_multi) 269*a1157835SDaniel Fojt * OpenSSL 270*a1157835SDaniel Fojt - support OpenSSL 1.1 API changes 271*a1157835SDaniel Fojt - drop support for OpenSSL 0.9.8 272*a1157835SDaniel Fojt - drop support for OpenSSL 1.0.0 273*a1157835SDaniel Fojt * added support for multiple schedule scan plans (sched_scan_plans) 274*a1157835SDaniel Fojt * added support for external server certificate chain validation 275*a1157835SDaniel Fojt (tls_ext_cert_check=1 in the network profile phase1 parameter) 276*a1157835SDaniel Fojt * made phase2 parser more strict about correct use of auth=<val> and 277*a1157835SDaniel Fojt autheap=<val> values 278*a1157835SDaniel Fojt * improved GAS offchannel operations with comeback request 279*a1157835SDaniel Fojt * added SIGNAL_MONITOR command to request signal strength monitoring 280*a1157835SDaniel Fojt events 281*a1157835SDaniel Fojt * added command for retrieving HS 2.0 icons with in-memory storage 282*a1157835SDaniel Fojt (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and 283*a1157835SDaniel Fojt RX-HS20-ICON event) 284*a1157835SDaniel Fojt * enabled ACS support for AP mode operations with 
wpa_supplicant 285*a1157835SDaniel Fojt * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server 286*a1157835SDaniel Fojt ("Invalid Compound_MAC in cryptobinding TLV") 287*a1157835SDaniel Fojt * EAP-TTLS: fixed success after fragmented final Phase 2 message 288*a1157835SDaniel Fojt * VHT: added interoperability workaround for 80+80 and 160 MHz channels 289*a1157835SDaniel Fojt * WNM: workaround for broken AP operating class behavior 290*a1157835SDaniel Fojt * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) 291*a1157835SDaniel Fojt * nl80211: 292*a1157835SDaniel Fojt - add support for full station state operations 293*a1157835SDaniel Fojt - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled 294*a1157835SDaniel Fojt - add NL80211_ATTR_PREV_BSSID with Connect command 295*a1157835SDaniel Fojt - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use 296*a1157835SDaniel Fojt unencrypted EAPOL frames 297*a1157835SDaniel Fojt * added initial MBO support; number of extensions to WNM BSS Transition 298*a1157835SDaniel Fojt Management 299*a1157835SDaniel Fojt * added support for PBSS/PCP and P2P on 60 GHz 300*a1157835SDaniel Fojt * Interworking: add credential realm to EAP-TLS identity 301*a1157835SDaniel Fojt * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set 302*a1157835SDaniel Fojt * HS 2.0: add support for configuring frame filters 303*a1157835SDaniel Fojt * added POLL_STA command to check connectivity in AP mode 304*a1157835SDaniel Fojt * added initial functionality for location related operations 305*a1157835SDaniel Fojt * started to ignore pmf=1/2 parameter for non-RSN networks 306*a1157835SDaniel Fojt * added wps_disabled=1 network profile parameter to allow AP mode to 307*a1157835SDaniel Fojt be started without enabling WPS 308*a1157835SDaniel Fojt * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED 309*a1157835SDaniel Fojt events 310*a1157835SDaniel Fojt * improved Public Action frame addressing 
311*a1157835SDaniel Fojt - add gas_address3 configuration parameter to control Address 3 312*a1157835SDaniel Fojt behavior 313*a1157835SDaniel Fojt * number of small fixes 314*a1157835SDaniel Fojt 315*a1157835SDaniel Fojt2015-09-27 - v2.5 316*a1157835SDaniel Fojt * fixed P2P validation of SSID element length before copying it 317*a1157835SDaniel Fojt [http://w1.fi/security/2015-1/] (CVE-2015-1863) 318*a1157835SDaniel Fojt * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding 319*a1157835SDaniel Fojt [http://w1.fi/security/2015-2/] (CVE-2015-4141) 320*a1157835SDaniel Fojt * fixed WMM Action frame parser (AP mode) 321*a1157835SDaniel Fojt [http://w1.fi/security/2015-3/] (CVE-2015-4142) 322*a1157835SDaniel Fojt * fixed EAP-pwd peer missing payload length validation 323*a1157835SDaniel Fojt [http://w1.fi/security/2015-4/] 324*a1157835SDaniel Fojt (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) 325*a1157835SDaniel Fojt * fixed validation of WPS and P2P NFC NDEF record payload length 326*a1157835SDaniel Fojt [http://w1.fi/security/2015-5/] 327*a1157835SDaniel Fojt * nl80211: 328*a1157835SDaniel Fojt - added VHT configuration for IBSS 329*a1157835SDaniel Fojt - fixed vendor command handling to check OUI properly 330*a1157835SDaniel Fojt - allow driver-based roaming to change ESS 331*a1157835SDaniel Fojt * added AVG_BEACON_RSSI to SIGNAL_POLL output 332*a1157835SDaniel Fojt * wpa_cli: added tab completion for number of commands 333*a1157835SDaniel Fojt * removed unmaintained and not yet completed SChannel/CryptoAPI support 334*a1157835SDaniel Fojt * modified Extended Capabilities element use in Probe Request frames to 335*a1157835SDaniel Fojt include all cases if any of the values are non-zero 336*a1157835SDaniel Fojt * added support for dynamically creating/removing a virtual interface 337*a1157835SDaniel Fojt with interface_add/interface_remove 338*a1157835SDaniel Fojt * added support for hashed password (NtHash) in EAP-pwd peer 
339*a1157835SDaniel Fojt * added support for memory-only PSK/passphrase (mem_only_psk=1 and 340*a1157835SDaniel Fojt CTRL-REQ/RSP-PSK_PASSPHRASE) 341*a1157835SDaniel Fojt * P2P 342*a1157835SDaniel Fojt - optimize scan frequencies list when re-joining a persistent group 343*a1157835SDaniel Fojt - fixed number of sequences with nl80211 P2P Device interface 344*a1157835SDaniel Fojt - added operating class 125 for P2P use cases (this allows 5 GHz 345*a1157835SDaniel Fojt channels 161 and 169 to be used if they are enabled in the current 346*a1157835SDaniel Fojt regulatory domain) 347*a1157835SDaniel Fojt - number of fixes to P2PS functionality 348*a1157835SDaniel Fojt - do not allow 40 MHz co-ex PRI/SEC switch to force MCC 349*a1157835SDaniel Fojt - extended support for preferred channel listing 350*a1157835SDaniel Fojt * D-Bus: 351*a1157835SDaniel Fojt - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface 352*a1157835SDaniel Fojt - fixed PresenceRequest to use group interface 353*a1157835SDaniel Fojt - added new signals: FindStopped, WPS pbc-overlap, 354*a1157835SDaniel Fojt GroupFormationFailure, WPS timeout, InvitationReceived 355*a1157835SDaniel Fojt - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient 356*a1157835SDaniel Fojt - added manufacturer info 357*a1157835SDaniel Fojt * added EAP-EKE peer support for deriving Session-Id 358*a1157835SDaniel Fojt * added wps_priority configuration parameter to set the default priority 359*a1157835SDaniel Fojt for all network profiles added by WPS 360*a1157835SDaniel Fojt * added support to request a scan with specific SSIDs with the SCAN 361*a1157835SDaniel Fojt command (optional "ssid <hexdump>" arguments) 362*a1157835SDaniel Fojt * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 363*a1157835SDaniel Fojt * fixed SAE group selection in an error case 364*a1157835SDaniel Fojt * modified SAE routines to be more robust and PWE generation to be 365*a1157835SDaniel Fojt stronger against 
timing attacks 366*a1157835SDaniel Fojt * added support for Brainpool Elliptic Curves with SAE 367*a1157835SDaniel Fojt * added support for CCMP-256 and GCMP-256 as group ciphers with FT 368*a1157835SDaniel Fojt * fixed BSS selection based on estimated throughput 369*a1157835SDaniel Fojt * added option to disable TLSv1.0 with OpenSSL 370*a1157835SDaniel Fojt (phase1="tls_disable_tlsv1_0=1") 371*a1157835SDaniel Fojt * added Fast Session Transfer (FST) module 372*a1157835SDaniel Fojt * fixed OpenSSL PKCS#12 extra certificate handling 373*a1157835SDaniel Fojt * fixed key derivation for Suite B 192-bit AKM (this breaks 374*a1157835SDaniel Fojt compatibility with the earlier version) 375*a1157835SDaniel Fojt * added RSN IE to Mesh Peering Open/Confirm frames 376*a1157835SDaniel Fojt * number of small fixes 377*a1157835SDaniel Fojt 378*a1157835SDaniel Fojt2015-03-15 - v2.4 379*a1157835SDaniel Fojt * allow OpenSSL cipher configuration to be set for internal EAP server 380*a1157835SDaniel Fojt (openssl_ciphers parameter) 381*a1157835SDaniel Fojt * fixed number of small issues based on hwsim test case failures and 382*a1157835SDaniel Fojt static analyzer reports 383*a1157835SDaniel Fojt * P2P: 384*a1157835SDaniel Fojt - add new=<0/1> flag to P2P-DEVICE-FOUND events 385*a1157835SDaniel Fojt - add passive channels in invitation response from P2P Client 386*a1157835SDaniel Fojt - enable nl80211 P2P_DEVICE support by default 387*a1157835SDaniel Fojt - fix regresssion in disallow_freq preventing search on social 388*a1157835SDaniel Fojt channels 389*a1157835SDaniel Fojt - fix regressions in P2P SD query processing 390*a1157835SDaniel Fojt - try to re-invite with social operating channel if no common channels 391*a1157835SDaniel Fojt in invitation 392*a1157835SDaniel Fojt - allow cross connection on parent interface (this fixes number of 393*a1157835SDaniel Fojt use cases with nl80211) 394*a1157835SDaniel Fojt - add support for P2P services (P2PS) 395*a1157835SDaniel Fojt - add 
p2p_go_ctwindow configuration parameter to allow GO CTWindow to 396*a1157835SDaniel Fojt be configured 397*a1157835SDaniel Fojt * increase postponing of EAPOL-Start by one second with AP/GO that 398*a1157835SDaniel Fojt supports WPS 2.0 (this makes it less likely to trigger extra roundtrip 399*a1157835SDaniel Fojt of identity frames) 400*a1157835SDaniel Fojt * add support for PMKSA caching with SAE 401*a1157835SDaniel Fojt * add support for control mesh BSS (IEEE 802.11s) operations 402*a1157835SDaniel Fojt * fixed number of issues with D-Bus P2P commands 403*a1157835SDaniel Fojt * fixed regression in ap_scan=2 special case for WPS 404*a1157835SDaniel Fojt * fixed macsec_validate configuration 405*a1157835SDaniel Fojt * add a workaround for incorrectly behaving APs that try to use 406*a1157835SDaniel Fojt EAPOL-Key descriptor version 3 when the station supports PMF even if 407*a1157835SDaniel Fojt PMF is not enabled on the AP 408*a1157835SDaniel Fojt * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior 409*a1157835SDaniel Fojt of disabling these can be configured to work around issues with broken 410*a1157835SDaniel Fojt servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" 411*a1157835SDaniel Fojt * add support for Suite B (128-bit and 192-bit level) key management and 412*a1157835SDaniel Fojt cipher suites 413*a1157835SDaniel Fojt * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) 414*a1157835SDaniel Fojt * improved BSS Transition Management processing 415*a1157835SDaniel Fojt * add support for neighbor report 416*a1157835SDaniel Fojt * add support for link measurement 417*a1157835SDaniel Fojt * fixed expiration of BSS entry with all-zeros BSSID 418*a1157835SDaniel Fojt * add optional LAST_ID=x argument to LIST_NETWORK to allow all 419*a1157835SDaniel Fojt configured networks to be listed even with huge number of network 420*a1157835SDaniel Fojt profiles 421*a1157835SDaniel Fojt * add support for EAP Re-Authentication Protocol (ERP) 
422*a1157835SDaniel Fojt * fixed EAP-IKEv2 fragmentation reassembly 423*a1157835SDaniel Fojt * improved PKCS#11 configuration for OpenSSL 424*a1157835SDaniel Fojt * set stdout to be line-buffered 425*a1157835SDaniel Fojt * add TDLS channel switch configuration 426*a1157835SDaniel Fojt * add support for MAC address randomization in scans with nl80211 427*a1157835SDaniel Fojt * enable HT for IBSS if supported by the driver 428*a1157835SDaniel Fojt * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) 429*a1157835SDaniel Fojt * add support for domain_suffix_match with GnuTLS 430*a1157835SDaniel Fojt * add OCSP stapling client support with GnuTLS 431*a1157835SDaniel Fojt * include peer certificate in EAP events even without a separate probe 432*a1157835SDaniel Fojt operation; old behavior can be restored with cert_in_cb=0 433*a1157835SDaniel Fojt * add peer ceritficate alt subject name to EAP events 434*a1157835SDaniel Fojt (CTRL-EVENT-EAP-PEER-ALT) 435*a1157835SDaniel Fojt * add domain_match network profile parameter (similar to 436*a1157835SDaniel Fojt domain_suffix_match, but full match is required) 437*a1157835SDaniel Fojt * enable AP/GO mode HT Tx STBC automatically based on driver support 438*a1157835SDaniel Fojt * add ANQP-QUERY-DONE event to provide information on ANQP parsing 439*a1157835SDaniel Fojt status 440*a1157835SDaniel Fojt * allow passive scanning to be forced with passive_scan=1 441*a1157835SDaniel Fojt * add a workaround for Linux packet socket behavior when interface is in 442*a1157835SDaniel Fojt bridge 443*a1157835SDaniel Fojt * increase 5 GHz band preference in BSS selection (estimate SNR, if info 444*a1157835SDaniel Fojt not available from driver; estimate maximum throughput based on common 445*a1157835SDaniel Fojt HT/VHT/specific TX rate support) 446*a1157835SDaniel Fojt * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to 447*a1157835SDaniel Fojt implement Interworking network selection behavior in upper 
layers 448*a1157835SDaniel Fojt software components 449*a1157835SDaniel Fojt * add optional reassoc_same_bss_optim=1 (disabled by default) 450*a1157835SDaniel Fojt optimization to avoid unnecessary Authentication frame exchange 451*a1157835SDaniel Fojt * extend TDLS frame padding workaround to cover all packets 452*a1157835SDaniel Fojt * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 453*a1157835SDaniel Fojt module gets removed and reloaded without restarting wpa_supplicant 454*a1157835SDaniel Fojt * allow hostapd DFS implementation to be used in wpa_supplicant AP mode 455*a1157835SDaniel Fojt 456*a1157835SDaniel Fojt2014-10-09 - v2.3 457*a1157835SDaniel Fojt * fixed number of minor issues identified in static analyzer warnings 458*a1157835SDaniel Fojt * fixed wfd_dev_info to be more careful and not read beyond the buffer 459*a1157835SDaniel Fojt when parsing invalid information for P2P-DEVICE-FOUND 460*a1157835SDaniel Fojt * extended P2P and GAS query operations to support drivers that have 461*a1157835SDaniel Fojt maximum remain-on-channel time below 1000 ms (500 ms is the current 462*a1157835SDaniel Fojt minimum supported value) 463*a1157835SDaniel Fojt * added p2p_search_delay parameter to make the default p2p_find delay 464*a1157835SDaniel Fojt configurable 465*a1157835SDaniel Fojt * improved P2P operating channel selection for various multi-channel 466*a1157835SDaniel Fojt concurrency cases 467*a1157835SDaniel Fojt * fixed some TDLS failure cases to clean up driver state 468*a1157835SDaniel Fojt * fixed dynamic interface addition cases with nl80211 to avoid adding 469*a1157835SDaniel Fojt ifindex values to incorrect interface to skip foreign interface events 470*a1157835SDaniel Fojt properly 471*a1157835SDaniel Fojt * added TDLS workaround for some APs that may add extra data to the 472*a1157835SDaniel Fojt end of a short frame 473*a1157835SDaniel Fojt * fixed EAP-AKA' message parser with multiple AT_KDF attributes 474*a1157835SDaniel 
	* added configuration option (p2p_passphrase_len) to allow longer
	  passphrases to be generated for P2P groups
	* fixed IBSS channel configuration in some corner cases
	* improved HT/VHT/QoS parameter setup for TDLS
	* modified D-Bus interface for P2P peers/groups
	* started to use constant time comparison for various password and hash
	  values to reduce possibility of any externally measurable timing
	  differences
	* extended explicit clearing of freed memory and expired keys to avoid
	  keeping private data in memory longer than necessary
	* added optional scan_id parameter to the SCAN command to allow manual
	  scan requests for active scans for specific configured SSIDs
	* fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value
	* added option to set Hotspot 2.0 Rel 2 update_identifier in network
	  configuration to support external configuration
	* modified Android PNO functionality to send Probe Request frames only
	  for hidden SSIDs (based on scan_ssid=1)
	* added generic mechanism for adding vendor elements into frames at
	  runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE)
	* added fields to show unrecognized vendor elements in P2P_PEER
	* removed EAP-TTLS/MSCHAPv2 interoperability workaround so that
	  MS-CHAP2-Success is required to be present regardless of
	  eap_workaround configuration
	* modified EAP fast session resumption to allow results to be used only
	  with the same network block that generated them
	* extended freq_list configuration to apply for sched_scan as well as
	  normal scan
	* modified WPS to merge mixed-WPA/WPA2 credentials from a single session
	* fixed nl80211/RTM_DELLINK processing when a P2P GO interface is
	  removed from a bridge
	* fixed number of small P2P issues to make negotiations more robust in
	  corner cases
	* added experimental support for using temporary, random local MAC
	  address (mac_addr and preassoc_mac_addr parameters); this is disabled
	  by default (i.e., previous behavior of using permanent address is
	  maintained if configuration is not changed)
	* added D-Bus interface for setting/clearing WFD IEs
	* fixed TDLS AID configuration for VHT
	* modified -m<conf> configuration file to be used only for the P2P
	  non-netdev management device and do not load this for the default
	  station interface or load the station interface configuration for
	  the P2P management interface
	* fixed external MAC address changes while wpa_supplicant is running
	* started to enable HT (if supported by the driver) for IBSS
	* fixed wpa_cli action script execution to use more robust mechanism
	  (CVE-2014-3686)

2014-06-04 - v2.2
	* added DFS indicator to get_capability freq
	* added/fixed nl80211 functionality
	  - BSSID/frequency hint for driver-based BSS selection
	  - fix tearing down WDS STA interfaces
	  - support vendor specific driver command
	    (VENDOR <vendor id> <sub command id> [<hex formatted data>])
	  - GO interface teardown optimization
	  - allow beacon interval to be configured for IBSS
	  - add SHA256-based AKM suites to CONNECT/ASSOCIATE commands
	* removed unused NFC_RX_HANDOVER_REQ and NFC_RX_HANDOVER_SEL control
	  interface commands (the more generic NFC_REPORT_HANDOVER is now used)
	* fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
	  this fixes passwords that include UTF-8 characters that use
	  three-byte encoding in EAP methods that use NtPasswordHash
	* fixed couple of sequences where radio work items could get stuck,
	  e.g., when rfkill blocking happens during scanning or when
	  scan-for-auth workaround is used
	* P2P enhancements/fixes
	  - enable U-APSD on GO automatically if the driver indicates
	    support for this
	  - fixed some service discovery cases with broadcast queries not being
	    sent to all stations
	  - fixed Probe Request frame triggering invitation to trigger only a
	    single invitation instance even if multiple Probe Request frames are
	    received
	  - fixed a potential NULL pointer dereference crash when processing an
	    invalid Invitation Request frame
	  - add optional configuration file for the P2P_DEVICE parameters
	  - optimize scan for GO during persistent group invocation
	  - fix possible segmentation fault when PBC overlap is detected while
	    using a separate P2P group interface
	  - improve GO Negotiation robustness by allowing GO Negotiation
	    Confirmation to be retransmitted
	  - do use freed memory on device found event when P2P NFC
	* added phase1 network parameter options for disabling TLS v1.1 and v1.2
	  to allow workarounds with misbehaving AAA servers
	  (tls_disable_tlsv1_1=1 and tls_disable_tlsv1_2=1)
	* added support for OCSP stapling to validate AAA server certificate
	  during TLS exchange
	* Interworking/Hotspot 2.0 enhancements
	  - prefer the last added network in Interworking connection to make the
	    behavior more consistent with likely user expectation
	  - roaming partner configuration (roaming_partner within a cred block)
	  - support Hotspot 2.0 Release 2
	    * "hs20_anqp_get <BSSID> 8" to request OSU Providers list
	    * "hs20_icon_request <BSSID> <icon filename>" to request icon files
	    * "fetch_osu" and "cancel_osu_fetch" to start/stop full OSU provider
	      search (all suitable APs in scan results)
	    * OSEN network for online signup connection
	    * min_{dl,ul}_bandwidth_{home,roaming} cred parameters
	    * max_bss_load cred parameter
	    * req_conn_capab cred parameter
	    * sp_priority cred parameter
	    * ocsp cred parameter
	    * slow down automatic connection attempts on EAP failure to meet
	      required behavior (no more than 10 retries within a 10-minute
	      interval)
	    * sample implementation of online signup client (both SPP and
	      OMA-DM protocols) (hs20/client/*)
	  - fixed GAS indication for additional comeback delay with status
	    code 95
	  - extend ANQP_GET to accept Hotspot 2.0 subtypes
	    ANQP_GET <addr> <info id>[,<info id>]...
	    [,hs20:<subtype>][...,hs20:<subtype>]
	  - add control interface events CRED-ADDED <id>,
	    CRED-MODIFIED <id> <field>, CRED-REMOVED <id>
	  - add "GET_CRED <id> <field>" command
	  - enable FT for the connection automatically if the AP advertises
	    support for this
	  - fix a case where auto_interworking=1 could end up stopping scanning
	* fixed TDLS interoperability issues with supported operating class in
	  some deployed stations
	* internal TLS implementation enhancements/fixes
	  - add SHA256-based cipher suites
	  - add DHE-RSA cipher suites
	  - fix X.509 validation of PKCS#1 signature to check for extra data
	* fixed PTK derivation for CCMP-256 and GCMP-256
	* added "reattach" command for fast reassociate-back-to-same-BSS
	* allow PMF to be enabled for AP mode operation with the ieee80211w
	  parameter
	* added "get_capability tdls" command
	* added option to set config blobs through control interface with
	  "SET blob <name> <hexdump>"
	* D-Bus interface extensions/fixes
	  - make p2p_no_group_iface configurable
	  - declare ServiceDiscoveryRequest method properly
	  - export peer's device address as a property
	  - make reassociate command behave like the control interface one,
	    i.e., to allow connection from disconnected state
	* added optional "freq=<channel ranges>" parameter to SET pno
	* added optional "freq=<channel ranges>" parameter to SELECT_NETWORK
	* fixed OBSS scan result processing for 20/40 MHz co-ex report
	* remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
	  whenever CONFIG_WPS=y is set
	* fixed regression in parsing of WNM Sleep Mode exit key data
	* fixed potential segmentation fault and memory leaks in WNM neighbor
	  report processing
	* EAP-pwd fixes
	  - fragmentation of PWD-Confirm-Resp
	  - fix memory leak when fragmentation is used
	  - fix possible segmentation fault on EAP method deinit if an invalid
	    group is negotiated
	* added MACsec/IEEE Std 802.1X-2010 PAE implementation (currently
	  available only with the macsec_qca driver wrapper)
	* fixed EAP-SIM counter-too-small message
	* added 'dup_network <id_s> <id_d> <name>' command; this can be used to
	  clone the psk field without having to extract it from wpa_supplicant
	* fixed GSM authentication on USIM
	* added support for using epoll in eloop (CONFIG_ELOOP_EPOLL=y)
	* fixed some concurrent virtual interface cases with dedicated P2P
	  management interface to not catch events from removed interface (this
	  could result in the management interface getting disabled)
	* fixed a memory leak in SAE random number generation
	* fixed off-by-one bounds checking in printf_encode()
	  - this could result in some control interface ATTACH command cases
	    terminating wpa_supplicant
	* fixed EAPOL-Key exchange when GCMP is used with SHA256-based AKM
	* various bug fixes

2014-02-04 - v2.1
	* added support for simultaneous authentication of equals (SAE) for
	  stronger password-based authentication with WPA2-Personal
	* improved P2P negotiation and group formation robustness
	  - avoid unnecessary Dialog Token value changes during retries
	  - avoid more concurrent scanning cases during full group formation
	    sequence
	  - do not use potentially obsolete scan result data from driver
	    cache for peer discovery/updates
	  - avoid undesired re-starting of GO negotiation based on Probe
	    Request frames
	  - increase GO Negotiation and Invitation timeouts to address busy
	    environments and peers that take long time to react to messages,
	    e.g., due to power saving
	  - P2P Device interface type
	* improved P2P channel selection (use more peer information and allow
	  more local options)
	* added support for optional per-device PSK assignment by P2P GO
	  (wpa_cli p2p_set per_sta_psk <0/1>)
	* added P2P_REMOVE_CLIENT for removing a client from P2P groups
	  (including persistent groups); this can be used to securely remove
	  a client from a group if per-device PSKs are used
	* added more configuration flexibility for allowed P2P GO/client
	  channels (p2p_no_go_freq list and p2p_add_cli_chan=0/1)
	* added nl80211 functionality
	  - VHT configuration for nl80211
	  - MFP (IEEE 802.11w) information for nl80211 command API
	  - support split wiphy dump
	  - FT (IEEE 802.11r) with driver-based SME
	  - use advertised number of supported concurrent channels
	  - QoS Mapping configuration
	* improved TDLS negotiation robustness
	* added more TDLS peer parameters to be configured to the driver
	* optimized connection time by allowing recently received scan results
	  to be used instead of having to run through a new scan
	* fixed ctrl_iface BSS command iteration with RANGE argument and no
	  exact matches; also fixed argument parsing for some cases with
	  multiple arguments
	* added 'SCAN TYPE=ONLY' ctrl_iface command to request manual scan
	  without executing roaming/network re-selection on scan results
	* added Session-Id derivation for EAP peer methods
	* added fully automated regression testing with mac80211_hwsim
	* changed configuration parser to reject invalid integer values
	* allow AP/Enrollee to be specified with BSSID instead of UUID for
	  WPS ER operations
	* disable network block temporarily on repeated connection failures
	* changed the default driver interface from wext to nl80211 if both are
	  included in the build
	* remove duplicate networks if WPS provisioning is run multiple times
	* remove duplicate networks when Interworking network selection uses the
	  same network
	* added global freq_list configuration to allow scan frequencies to be
	  limited for all cases instead of just for a specific network block
	* added support for BSS Transition Management
	* added option to use "IFNAME=<ifname> " prefix to use the global
	  control interface connection to perform per-interface commands;
	  similarly, allow global control interface to be used as a monitor
	  interface to receive events from all interfaces
	* fixed OKC-based PMKSA cache entry clearing
	* fixed TKIP group key configuration with FT
	* added support for using OCSP stapling to validate server certificate
	  (ocsp=1 as optional and ocsp=2 as mandatory)
	* added EAP-EKE peer
	* added peer restart detection for IBSS RSN
	* added domain_suffix_match (and domain_suffix_match2 for Phase 2
	  EAP-TLS) to specify additional constraint for the server certificate
	  domain name
	* added support for external SIM/USIM processing in EAP-SIM, EAP-AKA,
	  and EAP-AKA' (CTRL-REQ-SIM and CTRL-RSP-SIM commands over control
	  interface)
	* added global bgscan configuration option as a default for all network
	  blocks that do not specify their own bgscan parameters
	* added D-Bus methods for TDLS
	* added more control to scan requests
	  - "SCAN freq=<freq list>" can be used to specify which channels are
	    scanned (comma-separated frequency ranges in MHz)
	  - "SCAN passive=1" can be used to request a passive scan (no Probe
	    Request frames are sent)
	  - "SCAN use_id" can be used to request a scan id to be returned and
	    included in event messages related to this specific scan operation
	  - "SCAN only_new=1" can be used to request the driver/cfg80211 to
	    report only BSS entries that have been updated during this scan
	    round
	  - these optional arguments to the SCAN command can be combined with
	    each other
	* modified behavior on externally triggered scans
	  - avoid concurrent operations requiring full control of the radio when
	    an externally triggered scan is detected
	  - do not use results for internal roaming decision
	* added a new cred block parameter 'temporary' to allow credential
	  blocks to be stored separately even if wpa_supplicant configuration
	  file is used to maintain other network information
	* added "radio work" framework to schedule exclusive radio operations
	  for off-channel functionality
	  - reduce issues with concurrent operations that try to control which
	    channel is used
	  - allow external programs to request exclusive radio control in a way
	    that avoids conflicts with wpa_supplicant
	* added support for using Protected Dual of Public Action frames for
	  GAS/ANQP exchanges when associated with PMF
	* added support for WPS+NFC updates and P2P+NFC
	  - improved protocol for WPS
	  - P2P group formation/join based on NFC connection handover
	  - new IPv4 address assignment for P2P groups (ip_addr_* configuration
	    parameters on the GO) to replace DHCP
	  - option to fetch and report alternative carrier records for external
	    NFC operations
	* various bug fixes

2013-01-12 - v2.0
	* removed Qt3-based wpa_gui (obsoleted by wpa_gui-qt4)
	* removed unmaintained driver wrappers broadcom, iphone, osx, ralink,
	  hostap, madwifi (hostap and madwifi remain available for hostapd;
	  their wpa_supplicant functionality is obsoleted by wext)
	* improved debug logging (human readable event names, interface name
	  included in more entries)
	* changed AP mode behavior to enable WPS only for open and
	  WPA/WPA2-Personal configuration
	* improved P2P concurrency operations
	  - better coordination of concurrent scan and P2P search operations
	  - avoid concurrent remain-on-channel operation requests by canceling
	    previous operations prior to starting a new one
	  - reject operations that would require multi-channel concurrency if
	    the driver does not support it
	  - add parameter to select whether STA or P2P connection is preferred
	    if the driver cannot support both at the same time
	  - allow driver to indicate channel changes
	  - added optional delay=<search delay in milliseconds> parameter for
	    p2p_find to avoid taking all radio resources
	  - use 500 ms p2p_find search delay by default during concurrent
	    operations
	  - allow all channels in GO Negotiation if the driver supports
	    multi-channel concurrency
	* added number of small changes to make it easier for static analyzers
	  to understand the implementation
	* fixed number of small bugs (see git logs for more details)
	* nl80211: number of updates to use new cfg80211/nl80211 functionality
	  - replace monitor interface with nl80211 commands for AP mode
	  - additional information for driver-based AP SME
	  - STA entry authorization in RSN IBSS
	* EAP-pwd:
	  - fixed KDF for group 21 and zero-padding
	  - added support for fragmentation
	  - increased maximum number of hunting-and-pecking iterations
	* avoid excessive Probe Response retries for broadcast Probe Request
	  frames (only with drivers using wpa_supplicant AP mode SME/MLME)
	* added "GET country" ctrl_iface command
	* do not save an invalid network block in wpa_supplicant.conf to avoid
	  problems reading the file on next start
	* send STA connected/disconnected ctrl_iface events to both the P2P
	  group and parent interfaces
	* added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y)
	* added "SET pno <1/0>" ctrl_iface command to start/stop preferred
	  network offload with sched_scan driver command
	* merged in number of changes from Android repository for P2P, nl80211,
	  and build parameters
	* changed P2P GO mode configuration to use driver capabilities to
	  automatically enable HT operations when supported
	* added "wpa_cli status wps" command to fetch WPA2-Personal passphrase
	  for WPS use cases in AP mode
	* EAP-AKA: keep pseudonym identity across EAP exchanges to match EAP-SIM
	  behavior
	* improved reassociation behavior in cases where association is rejected
	  or when an AP disconnects us to handle common load balancing
	  mechanisms
	  - try to avoid extra scans when the needed information is available
	* added optional "join" argument for p2p_prov_disc ctrl_iface command
	* added group ifname to P2P-PROV-DISC-* events
	* added P2P Device Address to AP-STA-DISCONNECTED event and use
	  p2p_dev_addr parameter name with AP-STA-CONNECTED
	* added workarounds for WPS PBC overlap detection for some P2P use cases
	  where deployed stations work incorrectly
	* optimize WPS connection speed by disconnecting prior to WPS scan and
	  by using single channel scans when AP channel is known
	* PCSC and SIM/USIM improvements:
	  - accept 0x67 (Wrong length) as a response to READ RECORD to fix
	    issues with some USIM cards
	  - try to read MNC length from SIM/USIM
	  - build realm according to 3GPP TS 23.003 with identity from the SIM
	  - allow T1 protocol to be enabled
8213ff40c12SJohn Marino * added more WPS and P2P information available through D-Bus 8223ff40c12SJohn Marino * improve P2P negotiation robustness 8233ff40c12SJohn Marino - extra waits to get ACK frames through 8243ff40c12SJohn Marino - longer timeouts for cases where deployed devices have been 8253ff40c12SJohn Marino identified have issues meeting the specification requirements 8263ff40c12SJohn Marino - more retries for some P2P frames 8273ff40c12SJohn Marino - handle race conditions in GO Negotiation start by both devices 8283ff40c12SJohn Marino - ignore unexpected GO Negotiation Response frame 8293ff40c12SJohn Marino * added support for libnl 3.2 and newer 8303ff40c12SJohn Marino * added P2P persistent group info to P2P_PEER data 8313ff40c12SJohn Marino * maintain a list of P2P Clients for persistent group on GO 8323ff40c12SJohn Marino * AP: increased initial group key handshake retransmit timeout to 500 ms 8333ff40c12SJohn Marino * added optional dev_id parameter for p2p_find 8343ff40c12SJohn Marino * added P2P-FIND-STOPPED ctrl_iface event 8353ff40c12SJohn Marino * fixed issues in WPA/RSN element validation when roaming with ap_scan=1 8363ff40c12SJohn Marino and driver-based BSS selection 8373ff40c12SJohn Marino * do not expire P2P peer entries while connected with the peer in a 8383ff40c12SJohn Marino group 8393ff40c12SJohn Marino * fixed WSC element inclusion in cases where P2P is disabled 8403ff40c12SJohn Marino * AP: added a WPS workaround for mixed mode AP Settings with Windows 7 8413ff40c12SJohn Marino * EAP-SIM: fixed AT_COUNTER_TOO_SMALL use 8423ff40c12SJohn Marino * EAP-SIM/AKA: append realm to pseudonym identity 8433ff40c12SJohn Marino * EAP-SIM/AKA: store pseudonym identity in network configuration to 8443ff40c12SJohn Marino allow it to persist over multiple EAP sessions and wpa_supplicant 8453ff40c12SJohn Marino restarts 8463ff40c12SJohn Marino * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this 8473ff40c12SJohn Marino breaks 
interoperability with older versions 8483ff40c12SJohn Marino * added support for WFA Hotspot 2.0 8493ff40c12SJohn Marino - GAS/ANQP to fetch network information 8503ff40c12SJohn Marino - credential configuration and automatic network selections based on 8513ff40c12SJohn Marino credential match with ANQP information 8523ff40c12SJohn Marino * limited PMKSA cache entries to be used only with the network context 8533ff40c12SJohn Marino that was used to create them 8543ff40c12SJohn Marino * improved PMKSA cache expiration to avoid unnecessary disconnections 8553ff40c12SJohn Marino * adjusted bgscan_simple fast-scan backoff to avoid too frequent 8563ff40c12SJohn Marino background scans 8573ff40c12SJohn Marino * removed ctrl_iface event on P2P PD Response in join-group case 8583ff40c12SJohn Marino * added option to fetch BSS table entry based on P2P Device Address 8593ff40c12SJohn Marino ("BSS p2p_dev_addr=<P2P Device Address>") 8603ff40c12SJohn Marino * added BSS entry age to ctrl_iface BSS command output 8613ff40c12SJohn Marino * added optional MASK=0xH option for ctrl_iface BSS command to select 8623ff40c12SJohn Marino which fields are included in the response 8633ff40c12SJohn Marino * added optional RANGE=ALL|N1-N2 option for ctrl_iface BSS command to 8643ff40c12SJohn Marino fetch information about several BSSes in one call 8653ff40c12SJohn Marino * simplified licensing terms by selecting the BSD license as the only 8663ff40c12SJohn Marino alternative 8673ff40c12SJohn Marino * added "P2P_SET disallow_freq <freq list>" ctrl_iface command to 8683ff40c12SJohn Marino disable channels from P2P use 8693ff40c12SJohn Marino * added p2p_pref_chan configuration parameter to allow preferred P2P 8703ff40c12SJohn Marino channels to be specified 8713ff40c12SJohn Marino * added support for advertising immediate availability of a WPS 8723ff40c12SJohn Marino credential for P2P use cases 8733ff40c12SJohn Marino * optimized scan operations for P2P use cases (use single channel scan 
8743ff40c12SJohn Marino for a specific SSID when possible) 8753ff40c12SJohn Marino * EAP-TTLS: fixed peer challenge generation for MSCHAPv2 8763ff40c12SJohn Marino * SME: do not use reassociation after explicit disconnection request 8773ff40c12SJohn Marino (local or a notification from an AP) 8783ff40c12SJohn Marino * added support for sending debug info to Linux tracing (-T on command 8793ff40c12SJohn Marino line) 8803ff40c12SJohn Marino * added support for using Deauthentication reason code 3 as an 8813ff40c12SJohn Marino indication of P2P group termination 8823ff40c12SJohn Marino * added wps_vendor_ext_m1 configuration parameter to allow vendor 8833ff40c12SJohn Marino specific attributes to be added to WPS M1 8843ff40c12SJohn Marino * started using separate TLS library context for tunneled TLS 8853ff40c12SJohn Marino (EAP-PEAP/TLS, EAP-TTLS/TLS, EAP-FAST/TLS) to support different CA 8863ff40c12SJohn Marino certificate configuration between Phase 1 and Phase 2 8873ff40c12SJohn Marino * added optional "auto" parameter for p2p_connect to request automatic 8883ff40c12SJohn Marino GO Negotiation vs. 
join-a-group selection 8893ff40c12SJohn Marino * added disabled_scan_offload parameter to disable automatic scan 8903ff40c12SJohn Marino offloading (sched_scan) 8913ff40c12SJohn Marino * added optional persistent=<network id> parameter for p2p_connect to 8923ff40c12SJohn Marino allow forcing of a specific SSID/passphrase for GO Negotiation 8933ff40c12SJohn Marino * added support for OBSS scan requests and 20/40 BSS coexistence reports 8943ff40c12SJohn Marino * reject PD Request for unknown group 8953ff40c12SJohn Marino * removed scripts and notes related to Windows binary releases (which 8963ff40c12SJohn Marino have not been used starting from 1.x) 8973ff40c12SJohn Marino * added initial support for WNM operations 8983ff40c12SJohn Marino - Keep-alive based on BSS max idle period 8993ff40c12SJohn Marino - WNM-Sleep Mode 9003ff40c12SJohn Marino - minimal BSS Transition Management processing 9013ff40c12SJohn Marino * added autoscan module to control scanning behavior while not connected 9023ff40c12SJohn Marino - autoscan_periodic and autoscan_exponential modules 9033ff40c12SJohn Marino * added new WPS NFC ctrl_iface mechanism 9043ff40c12SJohn Marino - added initial support NFC connection handover 9053ff40c12SJohn Marino - removed obsoleted WPS_OOB command (including support for deprecated 9063ff40c12SJohn Marino UFD config_method) 9073ff40c12SJohn Marino * added optional framework for external password storage ("ext:<name>") 9083ff40c12SJohn Marino * wpa_cli: added optional support for controlling wpa_supplicant 9093ff40c12SJohn Marino remotely over UDP (CONFIG_CTRL_IFACE=udp-remote) for testing purposes 9103ff40c12SJohn Marino * wpa_cli: extended tab completion to more commands 9113ff40c12SJohn Marino * changed SSID output to use printf-escaped strings instead of masking 9123ff40c12SJohn Marino of non-ASCII characters 9133ff40c12SJohn Marino - SSID can now be configured in the same format: ssid=P"abc\x00test" 9143ff40c12SJohn Marino * removed default ACM=1 from AC_VO 
	  and AC_VI
	* added optional "ht40" argument for P2P ctrl_iface commands to allow
	  40 MHz channels to be requested on the 5 GHz band
	* added optional parameters for p2p_invite command to specify channel
	  when reinvoking a persistent group as the GO
	* improved FIPS mode builds with OpenSSL
	  - "make fips" with CONFIG_FIPS=y to build wpa_supplicant with the
	    OpenSSL FIPS object module
	  - replace low level OpenSSL AES API calls to use EVP
	  - use OpenSSL keying material exporter when possible
	  - do not export TLS keys in FIPS mode
	  - remove MD5 from CONFIG_FIPS=y builds
	  - use OpenSSL function for PBKDF2 passphrase-to-PSK
	  - use OpenSSL HMAC implementation
	  - mix RAND_bytes() output into random_get_bytes() to force OpenSSL
	    DRBG to be used in FIPS mode
	  - use OpenSSL CMAC implementation
	* added mechanism to disable TLS Session Ticket extension
	  - a workaround for servers that do not support TLS extensions that
	    was enabled by default in recent OpenSSL versions
	  - tls_disable_session_ticket=1
	  - automatically disable TLS Session Ticket extension by default when
	    using EAP-TLS/PEAP/TTLS (i.e., only use it with EAP-FAST)
	* changed VENDOR-TEST EAP method to use proper private enterprise number
	  (this will not interoperate with older versions)
	* disable network block temporarily on authentication failures
	* improved WPS AP selection during WPS PIN iteration
	* added support for configuring GCMP cipher for IEEE 802.11ad
	* added support for Wi-Fi Display extensions
	  - WFD_SUBELEMENT_SET ctrl_iface command to configure WFD subelements
	  - SET wifi_display <0/1> to disable/enable WFD support
	  - WFD service discovery
	  - an external program is needed to manage the audio/video streaming
	    and codecs
	* optimized scan result use for network selection
	  - use the internal BSS table instead of raw scan results
	  - allow unnecessary scans to be skipped if fresh information is
	    available (e.g., after GAS/ANQP round for Interworking)
	* added support for 256-bit AES with internal TLS implementation
	* allow peer to propose channel in P2P invitation process for a
	  persistent group
	* added disallow_aps parameter to allow BSSIDs/SSIDs to be disallowed
	  from network selection
	* re-enable the networks disabled during WPS operations
	* allow P2P functionality to be disabled per interface (p2p_disabled=1)
	* added secondary device types into P2P_PEER output
	* added an option to disable use of a separate P2P group interface
	  (p2p_no_group_iface=1)
	* fixed P2P Bonjour SD to match entries with both compressed and not
	  compressed domain name format and support multiple Bonjour PTR matches
	  for the same key
	* use deauthentication instead of disassociation for all disconnection
	  operations; this removes the now unused disassociate() wpa_driver_ops
	  callback
	* optimized PSK generation on P2P GO by caching results to avoid
	  multiple PBKDF2 operations
	* added okc=1 global configuration parameter to allow OKC to be enabled
	  by default for all network blocks
	* added a workaround for WPS PBC session overlap detection to avoid
	  interop issues with deployed station implementations that do not
	  remove active PBC indication from Probe Request frames properly
	* added basic support for 60 GHz band
	* extend EAPOL frames processing workaround for roaming cases
	  (postpone processing of unexpected EAPOL frame until association
	  event to handle reordered events)

2012-05-10 - v1.0
	* bsd: Add support for setting HT values in IFM_MMASK.
	* Delay STA entry removal until Deauth/Disassoc TX status in AP mode.
	  This allows the driver to use PS buffering of Deauthentication and
	  Disassociation frames when the STA is in power save sleep. Only
	  available with drivers that provide TX status events for Deauth/
	  Disassoc frames (nl80211).
	* Drop oldest unknown BSS table entries first. This makes it less
	  likely to hit connection issues in environments with huge number
	  of visible APs.
	* Add systemd support.
	* Add support for setting the syslog facility from the config file
	  at build time.
	* atheros: Add support for IEEE 802.11w configuration.
	* AP mode: Allow enable HT20 if driver supports it, by setting the
	  config parameter ieee80211n.
	* Allow AP mode to disconnect STAs based on low ACK condition (when
	  the data connection is not working properly, e.g., due to the STA
	  going outside the range of the AP). Disabled by default, enable by
	  config option disassoc_low_ack.
	* nl80211:
	  - Support GTK rekey offload.
	  - Support PMKSA candidate events. This adds support for RSN
	    pre-authentication with nl80211 interface and drivers that handle
	    roaming internally.
	* dbus:
	  - Add a DBus signal for EAP SM requests, emitted on the Interface
	    object.
	  - Export max scan ssids supported by the driver as MaxScanSSID.
	  - Add signal Certification for information about server certification.
	  - Add BSSExpireAge and BSSExpireCount interface properties and
	    support set/get, which allows for setting BSS cache expiration age
	    and expiration scan count.
	  - Add ConfigFile to AddInterface properties.
	  - Add Interface.Country property and support to get/set the value.
	  - Add DBus property CurrentAuthMode.
	  - P2P DBus API added.
	  - Emit property changed events (for property BSSs) when adding/
	    removing BSSs.
	  - Treat '' in SSIDs of Interface.Scan as a request for broadcast
	    scan, instead of ignoring it.
	  - Add DBus getter/setter for FastReauth.
	  - Raise PropertiesChanged on org.freedesktop.DBus.Properties.
	* wpa_cli:
	  - Send AP-STA-DISCONNECTED event when an AP disconnects a station
	    due to inactivity.
	  - Make second argument to set command optional. This can be used to
	    indicate a zero length value.
	  - Add signal_poll command.
	  - Add bss_expire_age and bss_expire_count commands to set/get BSS
	    cache expiration age and expiration scan count.
	  - Add ability to set scan interval (the time in seconds wpa_s waits
	    before requesting a new scan after failing to find a suitable
	    network in scan results) using scan_interval command.
	  - Add event CTRL-EVENT-ASSOC-REJECT for association rejected.
	  - Add command get version, that returns wpa_supplicant version string.
	  - Add command sta_autoconnect for disabling automatic reconnection
	    on receiving disconnection event.
	  - Setting bssid parameter to an empty string "" or any can now be
	    used to clear the bssid_set flag in a network block, i.e., to remove
	    bssid filtering.
	  - Add tdls_testing command to add a special testing feature for
	    changing TDLS behavior. Build param CONFIG_TDLS_TESTING must be
	    enabled as well.
	  - For interworking, add wpa_cli commands interworking_select,
	    interworking_connect, anqp_get, fetch_anqp, and stop_fetch_anqp.
	  - Many P2P commands were added. See README-P2P.
	  - Many WPS/WPS ER commands - see WPS/WPS ER sections for details.
	  - Allow set command to change global config parameters.
	  - Add log_level command, which can be used to display the current
	    debugging level and to change the log level during run time.
	  - Add note command, which can be used to insert notes to the debug
	    log.
	  - Add internal line edit implementation. CONFIG_WPA_CLI_EDIT=y
	    can now be used to build wpa_cli with internal implementation of
	    line editing and history support. This can be used as a replacement
	    for CONFIG_READLINE=y.
	* AP mode: Add max_num_sta config option, which can be used to limit
	  the number of stations allowed to connect to the AP.
	* Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad
	  config file.
	* wext: Increase scan timeout from 5 to 10 seconds.
	* Add blacklist command, allowing an external program to
	  manage the BSS blacklist and display its current contents.
	* WPS:
	  - Add wpa_cli wps_pin get command for generating random PINs. This can
	    be used in a UI to generate a PIN without starting WPS (or P2P)
	    operation.
	  - Set RF bands based on driver capabilities, instead of hardcoding
	    them.
	  - Add mechanism for indicating non-standard WPS errors.
	  - Add CONFIG_WPS_REG_DISABLE_OPEN=y option to disable open networks
	    by default.
	  - Add wps_ap_pin cli command for wpa_supplicant AP mode.
	  - Add wps_check_pin cli command for processing PIN from user input.
	    UIs can use this command to process a PIN entered by a user and to
	    validate the checksum digit (if present).
	  - Cancel WPS operation on PBC session overlap detection.
	  - New wps_cancel command in wpa_cli will cancel a pending WPS
	    operation.
	  - wpa_cli action: Add WPS_EVENT_SUCCESS and WPS_EVENT_FAIL handlers.
	  - Trigger WPS config update on Manufacturer, Model Name, Model
	    Number, and Serial Number changes.
	  - Fragment size is now configurable for EAP-WSC peer. Use
	    wpa_cli set wps_fragment_size <val>.
	  - Disable AP PIN after 10 consecutive failures. Slow down attacks on
	    failures up to 10.
	  - Allow AP to start in Enrollee mode without AP PIN for probing, to
	    be compatible with Windows 7.
	  - Add Config Error into WPS-FAIL events to provide more info to the
	    user on how to resolve the issue.
	  - Label and Display config methods are not allowed to be enabled
	    at the same time, since it is unclear which PIN to use if both
	    methods are advertised.
	  - When controlling multiple interfaces:
	    - apply WPS commands to all interfaces configured to use WPS
	    - apply WPS config changes to all interfaces that use WPS
	    - when an attack is detected on any interface, disable AP PIN on
	      all interfaces
	* WPS ER:
	  - Add special AP Setup Locked mode to allow read only ER.
	    ap_setup_locked=2 can now be used to enable a special mode where
	    WPS ER can learn the current AP settings, but cannot change them.
	  - Show SetSelectedRegistrar events as ctrl_iface events
	  - Add wps_er_set_config to enroll a network based on a local
	    network configuration block instead of having to (re-)learn the
	    current AP settings with wps_er_learn.
	  - Allow AP filtering based on IP address, add ctrl_iface event for
	    learned AP settings, add wps_er_config command to configure an AP.
	* WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2)
	  - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool
	    for testing protocol extensibility.
	  - Add build option CONFIG_WPS_STRICT to allow disabling of WPS
	    workarounds.
	  - Add support for AuthorizedMACs attribute.
	* TDLS:
	  - Propagate TDLS related nl80211 capability flags from kernel and
	    add them as driver capability flags. If the driver doesn't support
	    capabilities, assume TDLS is supported internally. When TDLS is
	    explicitly not supported, disable all user facing TDLS operations.
	  - Allow TDLS to be disabled at runtime (mostly for testing).
	    Use set tdls_disabled.
	  - Honor AP TDLS settings that prohibit/allow TDLS.
	  - Add a special testing feature for changing TDLS behavior. Use
	    CONFIG_TDLS_TESTING build param to enable. Configure at runtime
	    with tdls_testing cli command.
	  - Add support for TDLS 802.11z.
	* wlantest: Add a tool wlantest for IEEE802.11 protocol testing.
	  wlantest can be used to capture frames from a monitor interface
	  for realtime capturing or from pcap files for offline analysis.
	* Interworking: Support added for 802.11u. Enable in .config with
	  CONFIG_INTERWORKING. See wpa_supplicant.conf for config parameters
	  for interworking. wpa_cli commands added to support this are
	  interworking_select, interworking_connect, anqp_get, fetch_anqp,
	  and stop_fetch_anqp.
	* Android: Add build and runtime support for Android wpa_supplicant.
	* bgscan learn: Add new bgscan that learns BSS information based on
	  previous scans, and uses that information to dynamically generate
	  the list of channels for background scans.
	* Add a new debug message level for excessive information. Use
	  -ddd to enable.
	* TLS: Add support for tls_disable_time_checks=1 in client mode.
	* Internal TLS:
	  - Add support for TLS v1.1 (RFC 4346). Enable with build parameter
	    CONFIG_TLSV11.
	  - Add domainComponent parser for X.509 names.
	* Linux: Add RFKill support by adding an interface state "disabled".
	* Reorder some IEs to get closer to IEEE 802.11 standard. Move
	  WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames.
	  Move HT IEs to be later in (Re)Assoc Resp.
	* Solaris: Add support for wired 802.1X client.
	* Wi-Fi Direct support. See README-P2P for more information.
	* Many bugfixes.

2010-04-18 - v0.7.2
	* nl80211: fixed a number of issues with roaming
	* avoid unnecessary roaming if multiple APs with similar signal
	  strength are present in scan results
	* add TLS client events and server probing to ease design of
	  automatic detection of EAP parameters
	* add option for server certificate matching (SHA256 hash of the
	  certificate) instead of trusted CA certificate configuration
	* bsd: Cleaned up driver wrapper and added various low-level
	  configuration options
	* wpa_gui-qt4: do not show too frequent WPS AP available events as
	  tray messages
	* TNC: fixed issues with fragmentation
	* EAP-TNC: add Flags field into fragment acknowledgement (needed to
	  interoperate with other implementations; may potentially break
	  compatibility with older wpa_supplicant/hostapd versions)
	* wpa_cli: added option for using a separate process to receive event
	  messages to reduce latency in showing these
	  (CFLAGS += -DCONFIG_WPA_CLI_FORK=y in .config to enable this)
	* maximum BSS table size can now be configured (bss_max_count)
	* BSSes to be included in the BSS table can be filtered based on
	  configured SSIDs to save memory (filter_ssids)
	* fix a number of issues with IEEE 802.11r/FT; this version is not
	  backwards compatible with old versions
	* nl80211: add support for IEEE 802.11r/FT protocol (both over-the-air
	  and over-the-DS)
	* add freq_list network configuration parameter to allow the AP
	  selection to filter out entries based on the operating channel
	* add signal strength change events for bgscan; this allows more
	  dynamic changes to background scanning interval based on changes in
	  the signal strength with the current AP; this improves roaming within
	  ESS quite a bit, e.g., with bgscan="simple:30:-45:300" in the network
	  configuration block to request background scans less frequently when
	  signal strength remains good and to automatically trigger background
	  scans whenever signal strength drops noticeably
	  (this is currently only available with nl80211)
	* add BSSID and reason code (if available) to disconnect event messages
	* wpa_gui-qt4: more complete support for translating the GUI with
	  linguist and add German translation
	* fix DH padding with internal crypto code (mainly, for WPS)
	* do not trigger initial scan automatically anymore if there are no
	  enabled networks

2010-01-16 - v0.7.1
	* cleaned up driver wrapper API (struct wpa_driver_ops); the new API
	  is not fully backwards compatible, so out-of-tree driver wrappers
	  will need modifications
	* cleaned up various module interfaces
	* merge hostapd and wpa_supplicant developers' documentation into a
	  single document
	* nl80211: use explicit deauthentication to clear cfg80211 state to
	  avoid issues when roaming between APs
	* dbus: major design changes in the new D-Bus API
	  (fi.w1.wpa_supplicant1)
	* nl80211: added support for IBSS networks
	* added internal debugging mechanism with backtrace support and memory
	  allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y)
	* added WPS ER unsubscription command to more cleanly unregister from
	  receiving UPnP events when ER is terminated
	* cleaned up AP mode operations to avoid need for virtual driver_ops
	  wrapper
	* added BSS table to maintain more complete scan result information
	  over multiple scans (that may include only partial results)
	* wpa_gui-qt4: update Peers dialog information more dynamically while
	  the dialog is kept open
	* fixed PKCS#12 use with OpenSSL 1.0.0
	* driver_wext: Added cfg80211-specific optimization to avoid some
	  unnecessary scans and to speed up association

2009-11-21 - v0.7.0
	* increased wpa_cli ping interval to 5 seconds and made this
	  configurable with a new command line option
	  (-G<seconds>)
	* fixed scan buffer processing with WEXT to handle up to 65535
	  byte result buffer (previously, limited to 32768 bytes)
	* allow multiple driver wrappers to be specified on command line
	  (e.g., -Dnl80211,wext); the first one that is able to initialize the
	  interface will be used
	* added support for multiple SSIDs per scan request to optimize
	  scan_ssid=1 operations in ap_scan=1 mode (i.e., search for hidden
	  SSIDs); this requires driver support and can currently be used only
	  with nl80211
	* added support for WPS USBA out-of-band mechanism with USB Flash
	  Drives (UFD) (CONFIG_WPS_UFD=y)
	* driver_ndis: add PAE group address to the multicast address list to
	  fix wired IEEE 802.1X authentication
	* fixed IEEE 802.11r key derivation function to match with the standard
	  (note: this breaks interoperability with previous version) [Bug 303]
	* added better support for drivers that allow separate authentication
	  and association commands (e.g., mac80211-based Linux drivers with
	  nl80211; SME in wpa_supplicant); this allows over-the-air FT protocol
	  to be used (IEEE 802.11r)
	* fixed SHA-256 based key derivation function to match with the
	  standard when using CCMP (for IEEE 802.11r and IEEE 802.11w)
	  (note: this breaks interoperability with previous version) [Bug 307]
	* use shared driver wrapper files with hostapd
	* added AP mode functionality (CONFIG_AP=y) with mode=2 in the network
	  block; this can be used for open and WPA2-Personal networks
	  (optionally, with WPS); this links in parts of hostapd functionality
	  into wpa_supplicant
	* wpa_gui-qt4: added new Peers dialog to show information about peers
	  (other devices, including APs and stations, etc. in the neighborhood)
	* added support for WPS External Registrar functionality (configure APs
	  and enroll new devices); can be used with wpa_gui-qt4 Peers dialog
	  and wpa_cli commands wps_er_start, wps_er_stop, wps_er_pin,
	  wps_er_pbc, wps_er_learn
	  (this can also be used with a new 'none' driver wrapper if no
	  wireless device or IEEE 802.1X on wired is needed)
	* driver_nl80211: multiple updates to provide support for new Linux
	  nl80211/mac80211 functionality
	* updated management frame protection to use IEEE Std 802.11w-2009
	* fixed a number of small WPS issues and added workarounds to
	  interoperate with common deployed broken implementations
	* added support for NFC out-of-band mechanism with WPS
	* driver_ndis: fixed wired IEEE 802.1X authentication with PAE group
	  address frames
	* added preliminary support for IEEE 802.11r RIC processing
	* added support for specifying subset of enabled frequencies to scan
	  (scan_freq option in the network configuration block); this can speed
	  up scanning process considerably if it is known that only a small
	  subset of channels is actually used in the network (this is currently
	  supported only with -Dnl80211)
	* added a workaround for race condition between receiving the
	  association event and the following EAPOL-Key
	* added background scan and roaming infrastructure to allow
	  network-specific optimizations to be used to improve roaming within
	  an ESS (same SSID)
	* added new DBus interface (fi.w1.wpa_supplicant1)

2009-01-06 - v0.6.7
	* added support for Wi-Fi Protected Setup (WPS)
	  (wpa_supplicant can now be configured to act as a WPS Enrollee to
	  enroll credentials for a network using PIN and PBC methods; in
	  addition, wpa_supplicant can act as a wireless WPS Registrar to
	  configure an AP); WPS support can be enabled by adding CONFIG_WPS=y
	  into .config and setting the runtime configuration variables in
	  wpa_supplicant.conf (see WPS section in the example configuration
	  file); new wpa_cli commands wps_pin, wps_pbc, and wps_reg are used to
	  manage WPS negotiation; see README-WPS for more details
	* added support for EAP-AKA' (draft-arkko-eap-aka-kdf)
	* added support for using driver_test over UDP socket
	* fixed PEAPv0 Cryptobinding interoperability issue with Windows Server
	  2008 NPS; optional cryptobinding is now enabled (again) by default
	* fixed PSK editing in wpa_gui
	* changed EAP-GPSK to use the IANA assigned EAP method type 51
	* added a Windows installer that includes WinPcap and all the needed
	  DLLs; in
	  addition, it sets up the registry automatically so that the user
	  will only need to start wpa_gui to get prompted to start the wpasvc
	  service and add a new interface if needed through wpa_gui dialog
	* updated management frame protection to use IEEE 802.11w/D7.0

2008-11-23 - v0.6.6
	* added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA
	  (can be used to simulate test SIM/USIM card with a known private key;
	  enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config
	  and password="Ki:OPc"/password="Ki:OPc:SQN" in network configuration)
	* added a new network configuration option, wpa_ptk_rekey, that can be
	  used to enforce frequent PTK rekeying, e.g., to mitigate some attacks
	  against TKIP deficiencies
	* added an optional mitigation mechanism for certain attacks against
	  TKIP by delaying Michael MIC error reports by a random amount of time
	  between 0 and 60 seconds; this can be enabled with a build option
	  CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
	* fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
	  not bytes
	* updated OpenSSL code for EAP-FAST to use an updated version of the
	  session ticket overriding API that was included into the upstream
	  OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
	  needed with that version anymore)
	* updated userspace MLME instructions to match with the current Linux
	  mac80211 implementation; please also note that this can only
	  be used with driver_nl80211.c (the old code from driver_wext.c was
	  removed)
	* added support (Linux only) for RoboSwitch chipsets (often found in
	  consumer grade routers); driver interface 'roboswitch'
	* fixed canceling of PMKSA caching when using drivers that generate
	  RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know
	  about

2008-11-01 - v0.6.5
	* added support for SHA-256 as X.509 certificate digest when using the
	  internal X.509/TLSv1 implementation
	* updated management frame protection to use IEEE 802.11w/D6.0
	* added support for using SHA256-based stronger key derivation for WPA2
	  (IEEE 802.11w)
	* fixed FT (IEEE 802.11r) authentication after a failed association to
	  use correct FTIE
	* added support for configuring Phase 2 (inner/tunneled) authentication
	  method with wpa_gui-qt4

2008-08-10 - v0.6.4
	* added support for EAP Sequences in EAP-FAST Phase 2
	* added support for using TNC with EAP-FAST
	* added driver_ps3 for the PS3 Linux wireless driver
	* added support for optional cryptobinding with PEAPv0
	* fixed the OpenSSL patches (0.9.8g and 0.9.9) for EAP-FAST to
	  allow fallback to full handshake if server rejects PAC-Opaque
	* added fragmentation support for EAP-TNC
	* added support for parsing PKCS #8 formatted private keys into the
	  internal TLS implementation (both PKCS
	  #1 RSA key and PKCS #8
	  encapsulated RSA key can now be used)
	* added option of using faster, but larger, routines in the internal
	  LibTomMath (for internal TLS implementation) to speed up DH and RSA
	  calculations (CONFIG_INTERNAL_LIBTOMMATH_FAST=y)
	* fixed race condition between disassociation event and group key
	  handshake to avoid getting stuck in incorrect state [Bug 261]
	* fixed opportunistic key caching (proactive_key_caching)

2008-02-22 - v0.6.3
	* removed 'nai' and 'eappsk' network configuration variables that were
	  previously used for configuring user identity and key for EAP-PSK,
	  EAP-PAX, EAP-SAKE, and EAP-GPSK. 'identity' field is now used as the
	  replacement for 'nai' (if old configuration used a separate
	  'identity' value, that would now be configured as
	  'anonymous_identity').
	  'password' field is now used as the
	  replacement for 'eappsk' (it can also be set using hexstring to
	  present random binary data)
	* removed '-w' command line parameter (wait for interface to be added,
	  if needed); cleaner way of handling this functionality is to use an
	  external mechanism (e.g., hotplug scripts) that starts wpa_supplicant
	  when an interface is added
	* updated FT support to use the latest draft, IEEE 802.11r/D9.0
	* added ctrl_iface monitor event (CTRL-EVENT-SCAN-RESULTS) for
	  indicating when new scan results become available
	* added new ctrl_iface command, BSS, to allow scan results to be
	  fetched without hitting the message size limits (this command
	  can be used to iterate through the scan results one BSS at a time)
	* fixed EAP-SIM not to include AT_NONCE_MT and AT_SELECTED_VERSION
	  attributes in EAP-SIM Start/Response when using fast reauthentication
	* fixed EAPOL not to end up in infinite loop when processing dynamic
	  WEP keys with IEEE 802.1X
	* fixed problems in getting NDIS events from WMI on Windows 2000

2008-01-01 - v0.6.2
	* added support for Makefile builds to include debug-log-to-a-file
	  functionality (CONFIG_DEBUG_FILE=y and -f<path> on command line)
	* fixed EAP-SIM and EAP-AKA message parser to validate attribute
	  lengths properly to avoid potential crash caused by invalid messages
	* added data structure for storing allocated buffers (struct wpabuf);
	  this does not affect wpa_supplicant usage, but many of the APIs
	  changed and various interfaces (e.g., EAP) are not compatible with old
	  versions
	* added support for protecting EAP-AKA/Identity messages with
	  AT_CHECKCODE (optional feature in RFC 4187)
	* added support for protected result indication with AT_RESULT_IND for
	  EAP-SIM and EAP-AKA (phase1="result_ind=1")
	* added driver_wext workaround for race condition between scanning and
	  association with drivers that take very long time to scan all
	  channels (e.g., madwifi with dual-band cards); wpa_supplicant is now
	  using a longer hardcoded timeout for the scan if the driver supports
	  notifications for scan completion (SIOCGIWSCAN event); this helps,
	  e.g., in cases where wpa_supplicant and madwifi driver ended up in
	  loop where the driver did not even try to associate
	* stop EAPOL timer tick when no timers are in use in order to reduce
	  power consumption (no need to wake up the process once per second)
	  [Bug 237]
	* added support for privilege separation (run only minimal part of
	  wpa_supplicant functionality as root and rest as unprivileged,
	  non-root process); see 'Privilege separation' in README for details;
	  this is disabled by default and can be enabled with CONFIG_PRIVSEP=y
	  in .config
	* changed scan results data structure to include all information
	  elements to make it easier to support new IEs; old get_scan_result()
	  driver_ops is still supported for backwards compatibility (results
	  are converted internally to the new format), but all drivers should
	  start using the new get_scan_results2() to make them more likely to
	  work with new features
	* Qt4 version of wpa_gui (wpa_gui-qt4 subdirectory) is now native Qt4
	  application, i.e., it does not require Qt3Support anymore; Windows
	  binary of wpa_gui.exe is now from this directory and only requires
	  QtCore4.dll and QtGui4.dll libraries
	* updated Windows binary build to use Qt 4.3.3 and made Qt DLLs
	  available as a separate package to make wpa_gui installation easier:
	  http://w1.fi/wpa_supplicant/qt4/wpa_gui-qt433-windows-dll.zip
	* added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt);
	  only shared key/password authentication is supported in this version

2007-11-24 - v0.6.1
	* added support for configuring password as NtPasswordHash
	  (16-byte MD4 hash of password) in hash:<32 hex digits> format
	* added support for fallback from abbreviated TLS handshake to
	  full handshake when using EAP-FAST (e.g., due to an expired
	  PAC-Opaque)
	* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
	  draft (draft-ietf-emu-eap-gpsk-07.txt)
	* added support for drivers that take care of RSN 4-way handshake
	  internally (WPA_DRIVER_FLAGS_4WAY_HANDSHAKE in get_capa flags and
	  WPA_ALG_PMK in set_key)
	* added an experimental port
	  for Mac OS X (CONFIG_DRIVER_OSX=y in
	  .config); this version supports only ap_scan=2 mode and allows the
	  driver to take care of the 4-way handshake
	* fixed a buffer overflow in parsing TSF from scan results when using
	  driver_wext.c with a driver that includes the TSF (e.g., iwl4965)
	  [Bug 232]
	* updated FT support to use the latest draft, IEEE 802.11r/D8.0
	* fixed an integer overflow issue in the ASN.1 parser used by the
	  (experimental) internal TLS implementation to avoid a potential
	  buffer read overflow
	* fixed a race condition with -W option (wait for a control interface
	  monitor before starting) that could have caused the first messages to
	  be lost
	* added support for processing TNCC-TNCS-Messages to report
	  recommendation (allow/none/isolate) when using TNC [Bug 243]

2007-05-28 - v0.6.0
	* added network configuration parameter 'frequency' for setting
	  initial channel for IBSS (adhoc) networks
	* added experimental IEEE 802.11r/D6.0 support
	* updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
	* updated EAP-PSK to use the IANA-allocated EAP type 47
	* fixed EAP-PAX key derivation
	* fixed EAP-PSK bit ordering of the Flags field
	* fixed EAP-PEAP/TTLS/FAST to use the correct EAP identifier in
	  tunnelled identity request (previously, the identifier from the outer
	  method was used, not the tunnelled identifier which could be
	  different)
	* added support for fragmentation of outer TLS packets during Phase 2
	  of EAP-PEAP/TTLS/FAST
	* fixed EAP-TTLS AVP parser processing for too short AVP lengths
	* added support for EAP-FAST authentication with inner methods that
	  generate MSK (e.g., EAP-MSCHAPv2 that was previously only supported
	  for PAC provisioning)
	* added support for authenticated EAP-FAST provisioning
	* added support for configuring maximum number of EAP-FAST PACs to
	  store in a PAC list (fast_max_pac_list_len=<max> in phase1 string)
	* added support for storing EAP-FAST PACs in binary format
	  (fast_pac_format=binary in phase1 string)
	* fixed dbus ctrl_iface to validate message interface before
	  dispatching to avoid a possible segfault [Bug 190]
	* fixed PeerKey key derivation to use the correct PRF label
	* updated Windows binary build to link against OpenSSL 0.9.8d and
	  added support for EAP-FAST
	* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
	  draft (draft-ietf-emu-eap-gpsk-04.txt)
	* fixed EAP-AKA Notification processing to allow Notification to be
	  processed after AKA Challenge response has been sent
	* updated to use IEEE 802.11w/D2.0 for management frame protection
	  (still experimental)
	* fixed EAP-TTLS implementation not to crash on use of freed memory
	  if TLS library initialization fails
	* added support for EAP-TNC (Trusted Network
	  Connect)
	  (this version implements the EAP-TNC method and EAP-TTLS changes
	  needed to run two methods in sequence (IF-T) and the IF-IMC and
	  IF-TNCCS interfaces from TNCC)

2006-11-24 - v0.5.6
	* added experimental, integrated TLSv1 client implementation with the
	  needed X.509/ASN.1/RSA/bignum processing (this can be enabled by
	  setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in
	  .config); this can be useful, e.g., if the target system does not
	  have a suitable TLS library and a minimal code size is required
	  (total size of this internal TLS/crypto code is a bit under 50 kB on
	  x86 and the crypto code is shared by rest of the supplicant so some
	  of it was already required; TLSv1/X.509/ASN.1/RSA added about 25 kB)
	* removed STAKey handshake since PeerKey handshake has replaced it in
	  IEEE 802.11ma and there are no known deployments of STAKey
	* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
	  draft (draft-ietf-emu-eap-gpsk-01.txt)
	* added preliminary implementation of IEEE 802.11w/D1.0 (management
	  frame protection)
	  (Note: this requires driver support to work properly.)
	  (Note2: IEEE 802.11w is an unapproved draft and subject to change.)
	* fixed Windows named pipes ctrl_iface to not stop listening for
	  commands if client program opens a named pipe and closes it
	  immediately without sending a command
	* fixed USIM PIN status determination for the case that PIN is not
	  needed (this allows EAP-AKA to be used with USIM cards that do not
	  use PIN)
	* added support for reading 3G USIM AID from EF_DIR to allow EAP-AKA to
	  be used with cards that do not support file selection based on
	  partial AID
	* added support for matching the subjectAltName of the authentication
	  server certificate against multiple name components (e.g.,
	  altsubject_match="DNS:server.example.com;DNS:server2.example.com")
	* fixed EAP-SIM/AKA key derivation for re-authentication case (only
	  affects IEEE 802.1X with dynamic WEP keys)
	* changed ctrl_iface network configuration 'get' operations to not
	  return password/key material; if these fields are requested, "*"
	  will be returned if the password/key is set, but the value of the
	  parameter is not exposed

2006-08-27 - v0.5.5
	* added support for building Windows version with UNICODE defined
	  (wide-char functions)
	* driver_ndis: fixed static WEP configuration to avoid race condition
	  issues with some NDIS drivers between association and setting WEP
	  keys
	* driver_ndis: added validation for IELength value in scan results to
	  avoid crashes when
	  using buggy NDIS drivers [Bug 165]
	* fixed Release|Win32 target in the Visual Studio project files
	  (previously, only Debug|Win32 target was set properly)
	* changed control interface API call wpa_ctrl_pending() to allow it to
	  return -1 on error (e.g., connection lost); control interface clients
	  will need to make sure that they verify that the value is indeed >0
	  when determining whether there are pending messages
	* added an alternative control interface backend for Windows targets:
	  Named Pipe (CONFIG_CTRL_IFACE=named_pipe); this is now the default
	  control interface mechanism for Windows builds (previously, UDP to
	  localhost was used)
	* changed ctrl_interface configuration for UNIX domain sockets:
	  - deprecated ctrl_interface_group variable (it may be removed in
	    future versions)
	  - allow both directory and group to be configured with ctrl_interface
	    in following format: DIR=/var/run/wpa_supplicant GROUP=wheel
	  - ctrl_interface=/var/run/wpa_supplicant is still supported for the
	    case when group is not changed
	* added support for controlling more than one interface per process in
	  Windows version
	* added a workaround for a case where the AP is using unknown address
	  (e.g., MAC address of the wired interface) as the source address for
	  EAPOL-Key frames; previously, that source address was used as the
	  destination for EAPOL-Key frames and in key derivation; now, BSSID is
	  used even if the source
	  address does not match with it
	  (this resolves an interoperability issue with Thomson SpeedTouch 580)
	* added a workaround for UDP-based control interface (which was used in
	  Windows builds before this release) to prevent packets with forged
	  addresses from being accepted as local control requests
	* removed ndis_events.cpp and possibility of using external
	  ndis_events.exe; C version (ndis_events.c) is fully functional and
	  there is no desire to maintain two separate versions of this
	  implementation
	* ndis_events: Changed NDIS event notification design to use WMI to
	  learn the adapter description through Win32_PnPEntity class; this
	  should fix some cases where the adapter name was not recognized
	  correctly (e.g., with some USB WLAN adapters, e.g., Ralink RT2500
	  USB) [Bug 113]
	* fixed selection of the first network in ap_scan=2 mode; previously,
	  wpa_supplicant could get stuck in SCANNING state when only the first
	  network was enabled (e.g., after 'wpa_cli select_network 0')
	* winsvc: added support for configuring ctrl_interface parameters in
	  registry (ctrl_interface string value in
	  HKLM\SOFTWARE\wpa_supplicant\interfaces\0000 key); this new value is
	  required to enable control interface (previously, this was hardcoded
	  to be enabled)
	* allow wpa_gui subdirectory to be built with both Qt3 and Qt4
	* converted wpa_gui-qt4 subdirectory to use Qt4 specific project format

2006-06-20 - v0.5.4
	* fixed build with CONFIG_STAKEY=y [Bug 143]
	* added support for doing MLME (IEEE 802.11 management frame
	  processing) in wpa_supplicant when using Devicescape IEEE 802.11
	  stack (wireless-dev.git tree)
	* added a new network block configuration option, fragment_size, to
	  configure the maximum EAP fragment size
	* driver_ndis: Disable WZC automatically for the selected interface to
	  avoid conflicts with two programs trying to control the radio; WZC
	  will be re-enabled (if it was enabled originally) when wpa_supplicant
	  is terminated
	* added an experimental TLSv1 client implementation
	  (CONFIG_TLS=internal) that can be used instead of an external TLS
	  library, e.g., to reduce total size requirement on systems that do
	  not include any TLS library by default (this is not yet complete;
	  basic functionality is there, but certificate validation is not yet
	  included)
	* added PeerKey handshake implementation for IEEE 802.11e
	  direct link setup (DLS) to replace STAKey handshake
	* fixed WPA PSK update through ctrl_iface for the case where the old
	  PSK was derived from an ASCII passphrase and the new PSK is set as
	  a raw PSK (hex string)
	* added new configuration option for identifying which network block
	  was used (id_str in wpa_supplicant.conf; included on
	  WPA_EVENT_CONNECT monitor event and as WPA_ID_STR environmental
	  variable in wpa_cli action
	  scripts; in addition WPA_ID variable is
	  set to the current unique identifier that wpa_supplicant assigned
	  automatically for the network and that can be used with
	  GET_NETWORK/SET_NETWORK ctrl_iface commands)
	* wpa_cli action script is now called only when the connect/disconnect
	  status changes or when associating with a different network
	* fixed configuration parser not to remove CCMP from group cipher list
	  if WPA-None (adhoc) is used (pairwise=NONE in that case)
	* fixed integrated NDIS events processing not to hang the process due
	  to a missed change in eloop_win.c API in v0.5.3 [Bug 155]
	* added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
	  draft-clancy-emu-eap-shared-secret-00.txt)
	* added Microsoft Visual Studio 2005 solution and project files for
	  building wpa_supplicant for Windows (see vs2005 subdirectory)
	* eloop_win: fixed unregistration of Windows events
	* l2_packet_winpcap: fixed a deadlock in deinitializing l2_packet
	  at the end of RSN pre-authentication and added unregistration of
	  a Windows event to avoid getting eloop_win stuck with an invalid
	  handle
	* driver_ndis: added support for selecting AP based on BSSID
	* added new environmental variable for wpa_cli action scripts:
	  WPA_CTRL_DIR is the current control interface directory
	* driver_ndis: added support for using NDISUIO instead of WinPcap for
	  OID set/query operations (CONFIG_USE_NDISUIO=y in .config); with new
	  l2_packet_ndis (CONFIG_L2_PACKET=ndis), this can be used to build
	  wpa_supplicant without requiring WinPcap; note that using NDISUIO
	  requires that WZC is disabled (net stop wzcsvc) since NDISUIO allows
	  only one application to open the device
	* changed NDIS driver naming to only include device GUID, e.g.,
	  {7EE3EFE5-C165-472F-986D-F6FBEDFE8C8D}, instead of including WinPcap
	  specific \Device\NPF_ prefix before the GUID; the prefix is still
	  allowed for backwards compatibility, but it is not required anymore
	  when specifying the interface
	* driver_ndis: re-initialize driver interface if the adapter is removed
	  and re-inserted [Bug 159]
	* driver_madwifi: fixed TKIP and CCMP sequence number configuration on
	  big endian hosts [Bug 146]

2006-04-27 - v0.5.3
	* fixed EAP-GTC response to include correct user identity when run as
	  phase 2 method of EAP-FAST (i.e., EAP-FAST did not work in v0.5.2)
	* driver_ndis: Fixed encryption mode configuration for unencrypted
	  networks (some NDIS drivers ignored this, but others, e.g., Broadcom,
	  refused to associate with open networks) [Bug 106]
	* driver_ndis: use BSSID OID polling to detect when IBSS network is
	  formed even when ndis_events code is included since some NDIS drivers
	  do not generate media connect events in IBSS mode
	* config_winreg: allow global ctrl_interface parameter to be configured
	  in Windows registry
	* config_winreg:
	  added support for saving configuration data into
	  Windows registry
	* added support for controlling network device operational state
	  (dormant/up) for Linux 2.6.17 to improve DHCP processing (see
	  http://www.flamewarmaster.de/software/dhcpclient/ for a DHCP client
	  that can use this information)
	* driver_wext: added support for WE-21 change to SSID configuration
	* driver_wext: fixed privacy configuration for static WEP keys mode
	  [Bug 140]
	* added an optional driver_ops callback for MLME-SETPROTECTION.request
	  primitive
	* added support for EAP-SAKE (no EAP method number allocated yet, so
	  this is using the same experimental type 255 as EAP-PSK)
	* added support for dynamically loading EAP methods (.so files) instead
	  of requiring them to be statically linked in; this is disabled by
	  default (see CONFIG_DYNAMIC_EAP_METHODS in defconfig for information
	  on how to use this)

2006-03-19 - v0.5.2
	* do not try to use USIM APDUs when initializing PC/SC for SIM card
	  access for a network that has not enabled EAP-AKA
	* fixed EAP phase 2 Nak for EAP-{PEAP,TTLS,FAST} (this was broken in
	  v0.5.1 due to the new support for expanded EAP types)
	* added support for generating EAP Expanded Nak
	* try to fetch scan results once before requesting new scan when
	  starting up in ap_scan=1 mode (this can speed up initial association
	  a lot with, e.g., madwifi-ng
	  driver)
	* added support for receiving EAPOL frames from a Linux bridge
	  interface (-bbr0 on command line)
	* fixed EAPOL re-authentication for sessions that used PMKSA caching
	* changed EAP method registration to use a dynamic list of methods
	  instead of a static list generated at build time
	* fixed PMKSA cache deinitialization not to use freed memory when
	  removing PMKSA entries
	* fixed a memory leak in EAP-TTLS re-authentication
	* reject WPA/WPA2 message 3/4 if it does not include any valid
	  WPA/RSN IE
	* driver_wext: added fallback to use SIOCSIWENCODE for setting auth_alg
	  if the driver does not support SIOCSIWAUTH

2006-01-29 - v0.5.1
	* driver_test: added better support for multiple APs and STAs by using
	  a directory with sockets that include MAC address for each device in
	  the name (driver_param=test_dir=/tmp/test)
	* added support for EAP expanded type (vendor specific EAP methods)
	* added AP_SCAN command into ctrl_iface so that ap_scan configuration
	  option can be changed if needed
	* wpa_cli/wpa_gui: skip non-socket files in control directory when
	  using UNIX domain sockets; this avoids selecting an incorrect
	  interface (e.g., a PID file could be in this directory, even though
	  use of this directory for something else than socket files is not
	  recommended)
	* fixed TLS library deinitialization after RSN pre-authentication not
	  to disable TLS library for normal authentication
	* driver_wext: Remove null-termination from SSID length if the driver
	  used it; some Linux drivers do this and they were causing problems in
	  wpa_supplicant not finding matching configuration block. This change
	  would break a case where the SSID actually ends in '\0', but that is
	  not likely to happen in real use.
	* fixed PMKSA cache processing not to trigger deauthentication if the
	  current PMKSA cache entry is replaced with a valid new entry
	* fixed PC/SC initialization for ap_scan != 1 modes (this fixes
	  EAP-SIM and EAP-AKA with real SIM/USIM card when using ap_scan=0 or
	  ap_scan=2)

2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
	* added experimental STAKey handshake implementation for IEEE 802.11e
	  direct link setup (DLS); note: this is disabled by default in both
	  build and runtime configuration (can be enabled with CONFIG_STAKEY=y
	  and stakey=1)
	* fixed EAP-SIM and EAP-AKA pseudonym and fast re-authentication to
	  decrypt AT_ENCR_DATA attributes correctly
	* fixed EAP-AKA to allow resynchronization within the same session
	* made code closer to ANSI C89 standard to make it easier to port to
	  other C libraries and compilers
	* started moving operating system or C library specific functions into
	  wrapper functions defined in os.h and implemented in os_*.c to make
	  code more portable
	* wpa_supplicant can now be built with Microsoft Visual C++
	  (e.g., with the freely available Toolkit 2003 version or Visual
	  C++ 2005 Express Edition and Platform SDK); see nmake.mak for an
	  example makefile for nmake
	* added support for using Windows registry for command line parameters
	  (CONFIG_MAIN=main_winsvc) and configuration data
	  (CONFIG_BACKEND=winreg); see win_example.reg for an example registry
	  contents; this version can be run both as a Windows service and as a
	  normal application; 'wpasvc.exe app' to start as applicant,
	  'wpasvc.exe reg <full path to wpasvc.exe>' to register a service,
	  'net start wpasvc' to start the service, 'wpasvc.exe unreg' to
	  unregister a service
	* made it possible to link ndis_events.exe functionality into
	  wpa_supplicant.exe by defining CONFIG_NDIS_EVENTS_INTEGRATED
	* added better support for multiple control interface backends
	  (CONFIG_CTRL_IFACE option); currently, 'unix' and 'udp' are supported
	* fixed PC/SC code to use correct length for GSM AUTH command buffer
	  and to not use pioRecvPci with SCardTransmit() calls; these were not
	  causing visible problems with pcsc-lite, but Windows Winscard.dll
	  refused the previously used parameters; this fixes EAP-SIM and
	  EAP-AKA authentication using SIM/USIM card under Windows
	* added new event loop implementation for Windows using
	  WaitForMultipleObject() instead of select() in order to allow waiting
	  for non-socket objects;
this can be selected with 17656d49e1aeSJan Lentfer CONFIG_ELOOP=eloop_win in .config 17666d49e1aeSJan Lentfer * added support for selecting l2_packet implementation in .config 17676d49e1aeSJan Lentfer (CONFIG_L2_PACKET; following options are available now: linux, pcap, 17686d49e1aeSJan Lentfer winpcap, freebsd, none) 17696d49e1aeSJan Lentfer * added new l2_packet implementation for WinPcap 17706d49e1aeSJan Lentfer (CONFIG_L2_PACKET=winpcap) that uses a separate receive thread to 17716d49e1aeSJan Lentfer reduce latency in EAPOL receive processing from about 100 ms to about 17726d49e1aeSJan Lentfer 3 ms 17736d49e1aeSJan Lentfer * added support for EAP-FAST key derivation using other ciphers than 17746d49e1aeSJan Lentfer RC4-128-SHA for authentication and AES128-SHA for provisioning 17756d49e1aeSJan Lentfer * added support for configuring CA certificate as DER file and as a 17766d49e1aeSJan Lentfer configuration blob 17776d49e1aeSJan Lentfer * fixed private key configuration as configuration blob and added 17786d49e1aeSJan Lentfer support for using PKCS#12 as a blob 17796d49e1aeSJan Lentfer * tls_gnutls: added support for using PKCS#12 files; added support for 17806d49e1aeSJan Lentfer session resumption 17816d49e1aeSJan Lentfer * added support for loading trusted CA certificates from Windows 17826d49e1aeSJan Lentfer certificate store: ca_cert="cert_store://<name>", where <name> is 17836d49e1aeSJan Lentfer likely CA (Intermediate CA certificates) or ROOT (root certificates) 17846d49e1aeSJan Lentfer * added C version of ndis_events.cpp and made it possible to build this 17856d49e1aeSJan Lentfer with MinGW so that CONFIG_NDIS_EVENTS_INTEGRATED can be used more 17866d49e1aeSJan Lentfer easily on cross-compilation builds 17876d49e1aeSJan Lentfer * added wpasvc.exe into Windows binary release; this is an alternative 17886d49e1aeSJan Lentfer version of wpa_supplicant.exe with configuration backend using 17896d49e1aeSJan Lentfer Windows registry and with the entry point 
designed to run as a 17906d49e1aeSJan Lentfer Windows service 17916d49e1aeSJan Lentfer * integrated ndis_events.exe functionality into wpa_supplicant.exe and 17926d49e1aeSJan Lentfer wpasvc.exe and removed this additional tool from the Windows binary 17936d49e1aeSJan Lentfer release since it is not needed anymore 17946d49e1aeSJan Lentfer * load winscard.dll functions dynamically when building with MinGW 17956d49e1aeSJan Lentfer since MinGW does not yet include winscard library 17966d49e1aeSJan Lentfer 17976d49e1aeSJan Lentfer2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases) 17986d49e1aeSJan Lentfer * l2_packet_pcap: fixed wired IEEE 802.1X authentication with libpcap 17996d49e1aeSJan Lentfer and WinPcap to receive frames sent to PAE group address 18006d49e1aeSJan Lentfer * disable EAP state machine when IEEE 802.1X authentication is not used 18016d49e1aeSJan Lentfer in order to get rid of bogus "EAP failed" messages 18026d49e1aeSJan Lentfer * fixed OpenSSL error reporting to go through all pending errors to 18036d49e1aeSJan Lentfer avoid confusing reports of old errors being reported at later point 18046d49e1aeSJan Lentfer during handshake 18056d49e1aeSJan Lentfer * fixed configuration file updating to not write empty variables 18066d49e1aeSJan Lentfer (e.g., proto or key_mgmt) that the file parser would not accept 18076d49e1aeSJan Lentfer * fixed ADD_NETWORK ctrl_iface command to use the same default values 18086d49e1aeSJan Lentfer for variables as empty network definitions read from config file 18096d49e1aeSJan Lentfer would get 18106d49e1aeSJan Lentfer * fixed EAP state machine to not discard EAP-Failure messages in many 18116d49e1aeSJan Lentfer cases (e.g., during TLS handshake) 18126d49e1aeSJan Lentfer * fixed a infinite loop in private key reading if the configured file 18136d49e1aeSJan Lentfer cannot be parsed successfully 18146d49e1aeSJan Lentfer * driver_madwifi: added support for madwifi-ng 18156d49e1aeSJan Lentfer * wpa_gui: do not display 
password/PSK field contents 18166d49e1aeSJan Lentfer * wpa_gui: added CA certificate configuration 18176d49e1aeSJan Lentfer * driver_ndis: fixed scan request in ap_scan=2 mode not to change SSID 18186d49e1aeSJan Lentfer * driver_ndis: include Beacon IEs in AssocInfo in order to notice if 18196d49e1aeSJan Lentfer the new AP is using different WPA/RSN IE 18206d49e1aeSJan Lentfer * use longer timeout for IEEE 802.11 association to avoid problems with 18216d49e1aeSJan Lentfer drivers that may take more than five second to associate 18226d49e1aeSJan Lentfer 18236d49e1aeSJan Lentfer2005-10-27 - v0.4.6 18246d49e1aeSJan Lentfer * allow fallback to WPA, if mixed WPA+WPA2 networks have mismatch in 18256d49e1aeSJan Lentfer RSN IE, but WPA IE would match with wpa_supplicant configuration 18266d49e1aeSJan Lentfer * added support for named configuration blobs in order to avoid having 18276d49e1aeSJan Lentfer to use file system for external files (e.g., certificates); 18286d49e1aeSJan Lentfer variables can be set to "blob://<blob name>" instead of file path to 18296d49e1aeSJan Lentfer use a named blob; supported fields: pac_file, client_cert, 18306d49e1aeSJan Lentfer private_key 18316d49e1aeSJan Lentfer * fixed RSN pre-authentication (it was broken in the clean up of WPA 18326d49e1aeSJan Lentfer state machine interface in v0.4.5) 18336d49e1aeSJan Lentfer * driver_madwifi: set IEEE80211_KEY_GROUP flag for group keys to make 18346d49e1aeSJan Lentfer sure the driver configures broadcast decryption correctly 18356d49e1aeSJan Lentfer * added ca_path (and ca_path2) configuration variables that can be used 18366d49e1aeSJan Lentfer to configure OpenSSL CA path, e.g., /etc/ssl/certs, for using the 18376d49e1aeSJan Lentfer system-wide trusted CA list 18386d49e1aeSJan Lentfer * added support for starting wpa_supplicant without a configuration 18396d49e1aeSJan Lentfer file (-C argument must be used to set ctrl_interface parameter for 18406d49e1aeSJan Lentfer this case; in addition, -p 
argument can be used to provide 18416d49e1aeSJan Lentfer driver_param; these new arguments can also be used with a 18426d49e1aeSJan Lentfer configuration to override the values from the configuration) 18436d49e1aeSJan Lentfer * added global control interface that can be optionally used for adding 18446d49e1aeSJan Lentfer and removing network interfaces dynamically (-g command line argument 18456d49e1aeSJan Lentfer for both wpa_supplicant and wpa_cli) without having to restart 18466d49e1aeSJan Lentfer wpa_supplicant process 18476d49e1aeSJan Lentfer * wpa_gui: 18486d49e1aeSJan Lentfer - try to save configuration whenever something is modified 18496d49e1aeSJan Lentfer - added WEP key configuration 18506d49e1aeSJan Lentfer - added possibility to edit the current network configuration 18516d49e1aeSJan Lentfer * driver_ndis: fixed driver polling not to increase frequency on each 18526d49e1aeSJan Lentfer received EAPOL frame due to incorrectly cancelled timeout 18536d49e1aeSJan Lentfer * added simple configuration file examples (in examples subdirectory) 18546d49e1aeSJan Lentfer * fixed driver_wext.c to filter wireless events based on ifindex to 18556d49e1aeSJan Lentfer avoid interfaces receiving events from other interfaces 18566d49e1aeSJan Lentfer * delay sending initial EAPOL-Start couple of seconds to speed up 18576d49e1aeSJan Lentfer authentication for the most common case of Authenticator starting 18586d49e1aeSJan Lentfer EAP authentication immediately after association 18596d49e1aeSJan Lentfer 18606d49e1aeSJan Lentfer2005-09-25 - v0.4.5 18616d49e1aeSJan Lentfer * added a workaround for clearing keys with ndiswrapper to allow 18626d49e1aeSJan Lentfer roaming from WPA enabled AP to plaintext one 18636d49e1aeSJan Lentfer * added docbook documentation (doc/docbook) that can be used to 18646d49e1aeSJan Lentfer generate, e.g., man pages 18656d49e1aeSJan Lentfer * l2_packet_linux: use socket type SOCK_DGRAM instead of SOCK_RAW for 18666d49e1aeSJan Lentfer PF_PACKET in 
order to prepare for network devices that do not use 18676d49e1aeSJan Lentfer Ethernet headers (e.g., network stack with native IEEE 802.11 frames) 18686d49e1aeSJan Lentfer * use receipt of EAPOL-Key frame as a lower layer success indication 18696d49e1aeSJan Lentfer for EAP state machine to allow recovery from dropped EAP-Success 18706d49e1aeSJan Lentfer frame 18716d49e1aeSJan Lentfer * cleaned up internal EAPOL frame processing by not including link 18726d49e1aeSJan Lentfer layer (Ethernet) header during WPA and EAPOL/EAP processing; this 18736d49e1aeSJan Lentfer header is added only when transmitted the frame; this makes it easier 18746d49e1aeSJan Lentfer to use wpa_supplicant on link layers that use different header than 18756d49e1aeSJan Lentfer Ethernet 18766d49e1aeSJan Lentfer * updated EAP-PSK to use draft 9 by default since this can now be 18776d49e1aeSJan Lentfer tested with hostapd; removed support for draft 3, including 18786d49e1aeSJan Lentfer server_nai configuration option from network blocks 18796d49e1aeSJan Lentfer * driver_wired: add PAE address to the multicast address list in order 18806d49e1aeSJan Lentfer to be able to receive EAPOL frames with drivers that do not include 18816d49e1aeSJan Lentfer these multicast addresses by default 18826d49e1aeSJan Lentfer * driver_wext: add support for WE-19 18836d49e1aeSJan Lentfer * added support for multiple configuration backends (CONFIG_BACKEND 18846d49e1aeSJan Lentfer option); currently, only 'file' is supported (i.e., the format used 18856d49e1aeSJan Lentfer in wpa_supplicant.conf) 18866d49e1aeSJan Lentfer * added support for updating configuration ('wpa_cli save_config'); 18876d49e1aeSJan Lentfer this is disabled by default and can be enabled with global 18886d49e1aeSJan Lentfer update_config=1 variable in wpa_supplicant.conf; this allows wpa_cli 18896d49e1aeSJan Lentfer and wpa_gui to store the configuration changes in a permanent store 18906d49e1aeSJan Lentfer * added GET_NETWORK ctrl_iface command 
18916d49e1aeSJan Lentfer (e.g., 'wpa_cli get_network 0 ssid') 18926d49e1aeSJan Lentfer 18936d49e1aeSJan Lentfer2005-08-21 - v0.4.4 18946d49e1aeSJan Lentfer * replaced OpenSSL patch for EAP-FAST support 18956d49e1aeSJan Lentfer (openssl-tls-extensions.patch) with a more generic and correct 18966d49e1aeSJan Lentfer patch (the new patch is not compatible with the previous one, so the 18976d49e1aeSJan Lentfer OpenSSL library will need to be patched with the new patch in order 18986d49e1aeSJan Lentfer to be able to build wpa_supplicant with EAP-FAST support) 18996d49e1aeSJan Lentfer * added support for using Windows certificate store (through CryptoAPI) 19006d49e1aeSJan Lentfer for client certificate and private key operations (EAP-TLS) 19016d49e1aeSJan Lentfer (see wpa_supplicant.conf for more information on how to configure 19026d49e1aeSJan Lentfer this with private_key) 19036d49e1aeSJan Lentfer * ported wpa_gui to Windows 19046d49e1aeSJan Lentfer * added Qt4 version of wpa_gui (wpa_gui-qt4 directory); this can be 19056d49e1aeSJan Lentfer built with the open source version of the Qt4 for Windows 19066d49e1aeSJan Lentfer * allow non-WPA modes (e.g., IEEE 802.1X with dynamic WEP) to be used 19076d49e1aeSJan Lentfer with drivers that do not support WPA 19086d49e1aeSJan Lentfer * ndis_events: fixed Windows 2000 support 19096d49e1aeSJan Lentfer * added support for enabling/disabling networks from the list of all 19106d49e1aeSJan Lentfer configured networks ('wpa_cli enable_network <network id>' and 19116d49e1aeSJan Lentfer 'wpa_cli disable_network <network id>') 19126d49e1aeSJan Lentfer * added support for adding and removing network from the current 19136d49e1aeSJan Lentfer configuration ('wpa_cli add_network' and 'wpa_cli remove_network 19146d49e1aeSJan Lentfer <network id>'); added networks are disabled by default and they can 19156d49e1aeSJan Lentfer be enabled with enable_network command once the configuration is done 19166d49e1aeSJan Lentfer for the new network; 
note: configuration file is not yet updated, so 19176d49e1aeSJan Lentfer these new networks are lost when wpa_supplicant is restarted 19186d49e1aeSJan Lentfer * added support for setting network configuration parameters through 19196d49e1aeSJan Lentfer the control interface, for example: 19206d49e1aeSJan Lentfer wpa_cli set_network 0 ssid "\"my network\"" 19216d49e1aeSJan Lentfer * fixed parsing of strings that include both " and # within double 19226d49e1aeSJan Lentfer quoted area (e.g., "start"#end") 19236d49e1aeSJan Lentfer * added EAP workaround for PEAP session resumption: allow outer, 19246d49e1aeSJan Lentfer i.e., not tunneled, EAP-Success to terminate session since; this can 19256d49e1aeSJan Lentfer be disabled with eap_workaround=0 19266d49e1aeSJan Lentfer (this was allowed for PEAPv1 before, but now it is also allowed for 19276d49e1aeSJan Lentfer PEAPv0 since at least one RADIUS authentication server seems to be 19286d49e1aeSJan Lentfer doing this for PEAPv0, too) 19296d49e1aeSJan Lentfer * wpa_gui: added preliminary support for adding new networks to the 19306d49e1aeSJan Lentfer wpa_supplicant configuration (double click on the scan results to 19316d49e1aeSJan Lentfer open network configuration) 19326d49e1aeSJan Lentfer 19336d49e1aeSJan Lentfer2005-06-26 - v0.4.3 19346d49e1aeSJan Lentfer * removed interface for external EAPOL/EAP supplicant (e.g., 19356d49e1aeSJan Lentfer Xsupplicant), (CONFIG_XSUPPLICANT_IFACE) since it is not required 19366d49e1aeSJan Lentfer anymore and is unlikely to be used by anyone 19376d49e1aeSJan Lentfer * driver_ndis: fixed WinPcap 3.0 support 19386d49e1aeSJan Lentfer * fixed build with CONFIG_DNET_PCAP=y on Linux 19396d49e1aeSJan Lentfer * l2_packet: moved different implementations into separate files 19406d49e1aeSJan Lentfer (l2_packet_*.c) 19416d49e1aeSJan Lentfer 19426d49e1aeSJan Lentfer2005-06-12 - v0.4.2 19436d49e1aeSJan Lentfer * driver_ipw: updated driver structures to match with ipw2200-1.0.4 19446d49e1aeSJan Lentfer 
(note: ipw2100-1.1.0 is likely to require an update to work with 19456d49e1aeSJan Lentfer this) 19466d49e1aeSJan Lentfer * added support for using ap_scan=2 mode with multiple network blocks; 19476d49e1aeSJan Lentfer wpa_supplicant will go through the networks one by one until the 19486d49e1aeSJan Lentfer driver reports a successful association; this uses the same order for 19496d49e1aeSJan Lentfer networks as scan_ssid=1 scans, i.e., the priority field is ignored 19506d49e1aeSJan Lentfer and the network block order in the file is used instead 19516d49e1aeSJan Lentfer * fixed a potential issue in RSN pre-authentication ending up using 19526d49e1aeSJan Lentfer freed memory if pre-authentication times out 19536d49e1aeSJan Lentfer * added support for matching alternative subject name extensions of the 19546d49e1aeSJan Lentfer authentication server certificate; new configuration variables 19556d49e1aeSJan Lentfer altsubject_match and altsubject_match2 19566d49e1aeSJan Lentfer * driver_ndis: added support for IEEE 802.1X authentication with wired 19576d49e1aeSJan Lentfer NDIS drivers 19586d49e1aeSJan Lentfer * added support for querying private key password (EAP-TLS) through the 19596d49e1aeSJan Lentfer control interface (wpa_cli/wpa_gui) if one is not included in the 19606d49e1aeSJan Lentfer configuration file 19616d49e1aeSJan Lentfer * driver_broadcom: fixed couple of memory leaks in scan result 19626d49e1aeSJan Lentfer processing 19636d49e1aeSJan Lentfer * EAP-PAX is now registered as EAP type 46 19646d49e1aeSJan Lentfer * fixed EAP-PAX MAC calculation 19656d49e1aeSJan Lentfer * fixed EAP-PAX CK and ICK key derivation 19666d49e1aeSJan Lentfer * added support for using password with EAP-PAX (as an alternative to 19676d49e1aeSJan Lentfer entering key with eappsk); SHA-1 hash of the password will be used as 19686d49e1aeSJan Lentfer the key in this case 19696d49e1aeSJan Lentfer * added support for arbitrary driver interface parameters through the 19706d49e1aeSJan Lentfer 
configuration file with a new driver_param field; this adds a new 19716d49e1aeSJan Lentfer driver_ops function set_param() 19726d49e1aeSJan Lentfer * added possibility to override l2_packet module with driver interface 19736d49e1aeSJan Lentfer API (new send_eapol handler); this can be used to implement driver 19746d49e1aeSJan Lentfer specific TX/RX functions for EAPOL frames 19756d49e1aeSJan Lentfer * fixed ctrl_interface_group processing for the case where gid is 19766d49e1aeSJan Lentfer entered as a number, not group name 19776d49e1aeSJan Lentfer * driver_test: added support for testing hostapd with wpa_supplicant 19786d49e1aeSJan Lentfer by using test driver interface without any kernel drivers or network 19796d49e1aeSJan Lentfer cards 19806d49e1aeSJan Lentfer 19816d49e1aeSJan Lentfer2005-05-22 - v0.4.1 19826d49e1aeSJan Lentfer * driver_madwifi: fixed WPA/WPA2 mode configuration to allow EAPOL 19836d49e1aeSJan Lentfer packets to be encrypted; this was apparently broken by the changed 19846d49e1aeSJan Lentfer ioctl order in v0.4.0 19856d49e1aeSJan Lentfer * driver_madwifi: added preliminary support for compiling against 'BSD' 19866d49e1aeSJan Lentfer branch of madwifi CVS tree 19876d49e1aeSJan Lentfer * added support for EAP-MSCHAPv2 password retries within the same EAP 19886d49e1aeSJan Lentfer authentication session 19896d49e1aeSJan Lentfer * added support for password changes with EAP-MSCHAPv2 (used when the 19906d49e1aeSJan Lentfer password has expired) 19916d49e1aeSJan Lentfer * added support for reading additional certificates from PKCS#12 files 19926d49e1aeSJan Lentfer and adding them to the certificate chain 19936d49e1aeSJan Lentfer * fixed association with IEEE 802.1X (no WPA) when dynamic WEP keys 19946d49e1aeSJan Lentfer were used 19956d49e1aeSJan Lentfer * fixed a possible double free in EAP-TTLS fast-reauthentication when 19966d49e1aeSJan Lentfer identity or password is entered through control interface 19976d49e1aeSJan Lentfer * display EAP 
Notification messages to user through control interface 19986d49e1aeSJan Lentfer with "CTRL-EVENT-EAP-NOTIFICATION" prefix 19996d49e1aeSJan Lentfer * added GUI version of wpa_cli, wpa_gui; this is not build 20006d49e1aeSJan Lentfer automatically with 'make'; use 'make wpa_gui' to build (this requires 20016d49e1aeSJan Lentfer Qt development tools) 20026d49e1aeSJan Lentfer * added 'disconnect' command to control interface for setting 20036d49e1aeSJan Lentfer wpa_supplicant in state where it will not associate before 20046d49e1aeSJan Lentfer 'reassociate' command has been used 20056d49e1aeSJan Lentfer * added support for selecting a network from the list of all configured 20066d49e1aeSJan Lentfer networks ('wpa_cli select_network <network id>'; this disabled all 20076d49e1aeSJan Lentfer other networks; to re-enable, 'wpa_cli select_network any') 20086d49e1aeSJan Lentfer * added support for getting scan results through control interface 20096d49e1aeSJan Lentfer * added EAP workaround for PEAPv1 session resumption: allow outer, 20106d49e1aeSJan Lentfer i.e., not tunneled, EAP-Success to terminate session since; this can 20116d49e1aeSJan Lentfer be disabled with eap_workaround=0 20126d49e1aeSJan Lentfer 20136d49e1aeSJan Lentfer2005-04-25 - v0.4.0 (beginning of 0.4.x development releases) 20146d49e1aeSJan Lentfer * added a new build time option, CONFIG_NO_STDOUT_DEBUG, that can be 20156d49e1aeSJan Lentfer used to reduce the size of the wpa_supplicant considerably if 20166d49e1aeSJan Lentfer debugging code is not needed 20176d49e1aeSJan Lentfer * fixed EAPOL-Key validation to drop packets with invalid Key Data 20186d49e1aeSJan Lentfer Length; such frames could have crashed wpa_supplicant due to buffer 20196d49e1aeSJan Lentfer overflow 20206d49e1aeSJan Lentfer * added support for wired authentication (IEEE 802.1X on wired 20216d49e1aeSJan Lentfer Ethernet); driver interface 'wired' 20226d49e1aeSJan Lentfer * obsoleted set_wpa() handler in the driver interface API (it can be 
20236d49e1aeSJan Lentfer replaced by moving enable/disable functionality into init()/deinit()) 20246d49e1aeSJan Lentfer (calls to set_wpa() are still present for backwards compatibility, 20256d49e1aeSJan Lentfer but they may be removed in the future) 20266d49e1aeSJan Lentfer * driver_madwifi: fixed association in plaintext mode 20276d49e1aeSJan Lentfer * modified the EAP workaround that accepts EAP-Success with incorrect 20286d49e1aeSJan Lentfer Identifier to be even less strict about verification in order to 20296d49e1aeSJan Lentfer interoperate with some authentication servers 20306d49e1aeSJan Lentfer * added support for sending TLS alerts 20316d49e1aeSJan Lentfer * added support for 'any' SSID wildcard; if ssid is not configured or 20326d49e1aeSJan Lentfer is set to an empty string, any SSID will be accepted for non-WPA AP 20336d49e1aeSJan Lentfer * added support for asking PIN (for SIM) from frontends (e.g., 20346d49e1aeSJan Lentfer wpa_cli); if a PIN is needed, but not included in the configuration 20356d49e1aeSJan Lentfer file, a control interface request is sent and EAP processing is 20366d49e1aeSJan Lentfer delayed until the PIN is available 20376d49e1aeSJan Lentfer * added support for using external devices (e.g., a smartcard) for 20386d49e1aeSJan Lentfer private key operations in EAP-TLS (CONFIG_SMARTCARD=y in .config); 20396d49e1aeSJan Lentfer new wpa_supplicant.conf variables: 20406d49e1aeSJan Lentfer - global: opensc_engine_path, pkcs11_engine_path, pkcs11_module_path 20416d49e1aeSJan Lentfer - network: engine, engine_id, key_id 20426d49e1aeSJan Lentfer * added experimental support for EAP-PAX 20436d49e1aeSJan Lentfer * added monitor mode for wpa_cli (-a<path to a program to run>) that 20446d49e1aeSJan Lentfer allows external commands (e.g., shell scripts) to be run based on 20456d49e1aeSJan Lentfer wpa_supplicant events, e.g., when authentication has been completed 20466d49e1aeSJan Lentfer and data connection is ready; other related wpa_cli arguments: 
20476d49e1aeSJan Lentfer -B (run in background), -P (write PID file); wpa_supplicant has a new 20486d49e1aeSJan Lentfer command line argument (-W) that can be used to make it wait until a 20496d49e1aeSJan Lentfer control interface command is received in order to avoid missing 20506d49e1aeSJan Lentfer events 20516d49e1aeSJan Lentfer * added support for opportunistic WPA2 PMKSA key caching (disabled by 20526d49e1aeSJan Lentfer default, can be enabled with proactive_key_caching=1) 20536d49e1aeSJan Lentfer * fixed RSN IE in 4-Way Handshake message 2/4 for the case where 20546d49e1aeSJan Lentfer Authenticator rejects PMKSA caching attempt and the driver is not 20556d49e1aeSJan Lentfer using assoc_info events 20566d49e1aeSJan Lentfer * added -P<pid file> argument for wpa_supplicant to write the current 20576d49e1aeSJan Lentfer process id into a file 20586d49e1aeSJan Lentfer 20596d49e1aeSJan Lentfer2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) 20606d49e1aeSJan Lentfer * added new phase1 option parameter, include_tls_length=1, to force 20616d49e1aeSJan Lentfer wpa_supplicant to add TLS Message Length field to all TLS messages 20626d49e1aeSJan Lentfer even if the packet is not fragmented; this may be needed with some 20636d49e1aeSJan Lentfer authentication servers 20646d49e1aeSJan Lentfer * fixed WPA/RSN IE verification in message 3 of 4-Way Handshake when 20656d49e1aeSJan Lentfer using drivers that take care of AP selection (e.g., when using 20666d49e1aeSJan Lentfer ap_scan=2) 20676d49e1aeSJan Lentfer * fixed reprocessing of pending request after ctrl_iface requests for 20686d49e1aeSJan Lentfer identity/password/otp 20696d49e1aeSJan Lentfer * fixed ctrl_iface requests for identity/password/otp in Phase 2 of 20706d49e1aeSJan Lentfer EAP-PEAP and EAP-TTLS 20716d49e1aeSJan Lentfer * all drivers using driver_wext: set interface up and select Managed 20726d49e1aeSJan Lentfer mode when starting wpa_supplicant; set interface down when exiting 20736d49e1aeSJan Lentfer * 
renamed driver_ipw2100.c to driver_ipw.c since it now supports both 20746d49e1aeSJan Lentfer ipw2100 and ipw2200; please note that this also changed the 20756d49e1aeSJan Lentfer configuration variable in .config to CONFIG_DRIVER_IPW 20766d49e1aeSJan Lentfer 20776d49e1aeSJan Lentfer2005-01-24 - v0.3.6 20786d49e1aeSJan Lentfer * fixed a busy loop introduced in v0.3.5 for scan result processing 20796d49e1aeSJan Lentfer when no matching AP is found 20806d49e1aeSJan Lentfer 20816d49e1aeSJan Lentfer2005-01-23 - v0.3.5 20826d49e1aeSJan Lentfer * added a workaround for an interoperability issue with a Cisco AP 20836d49e1aeSJan Lentfer when using WPA2-PSK 20846d49e1aeSJan Lentfer * fixed non-WPA IEEE 802.1X to use the same authentication timeout as 20856d49e1aeSJan Lentfer WPA with IEEE 802.1X (i.e., timeout 10 -> 70 sec to allow 20866d49e1aeSJan Lentfer retransmission of dropped frames) 20876d49e1aeSJan Lentfer * fixed issues with 64-bit CPUs and SHA1 cleanup in previous version 20886d49e1aeSJan Lentfer (e.g., segfault when processing EAPOL-Key frames) 20896d49e1aeSJan Lentfer * fixed EAP workaround and fast reauthentication configuration for 20906d49e1aeSJan Lentfer RSN pre-authentication; previously these were disabled and 20916d49e1aeSJan Lentfer pre-authentication would fail if the used authentication server 20926d49e1aeSJan Lentfer requires EAP workarounds 20936d49e1aeSJan Lentfer * added support for blacklisting APs that fail or timeout 20946d49e1aeSJan Lentfer authentication in ap_scan=1 mode so that all APs are tried in cases 20956d49e1aeSJan Lentfer where the ones with strongest signal level are failing authentication 20966d49e1aeSJan Lentfer * fixed CA certificate loading after a failed EAP-TLS/PEAP/TTLS 20976d49e1aeSJan Lentfer authentication attempt 20986d49e1aeSJan Lentfer * allow EAP-PEAP/TTLS fast reauthentication only if Phase 2 succeeded 20996d49e1aeSJan Lentfer in the previous authentication (previously, only Phase 1 success was 21006d49e1aeSJan Lentfer 
verified) 21016d49e1aeSJan Lentfer 21026d49e1aeSJan Lentfer2005-01-09 - v0.3.4 21036d49e1aeSJan Lentfer * added preliminary support for IBSS (ad-hoc) mode configuration 21046d49e1aeSJan Lentfer (mode=1 in network block); this included a new key_mgmt mode 21056d49e1aeSJan Lentfer WPA-NONE, i.e., TKIP or CCMP with a fixed key (based on psk) and no 21066d49e1aeSJan Lentfer key management; see wpa_supplicant.conf for more details and an 21076d49e1aeSJan Lentfer example on how to configure this (note: this is currently implemented 21086d49e1aeSJan Lentfer only for driver_hostapd.c, but the changes should be trivial to add 21096d49e1aeSJan Lentfer in associate() handler for other drivers, too (assuming the driver 21106d49e1aeSJan Lentfer supports WPA-None) 21116d49e1aeSJan Lentfer * added preliminary port for native Windows (i.e., no cygwin) using 21126d49e1aeSJan Lentfer mingw 21136d49e1aeSJan Lentfer 21146d49e1aeSJan Lentfer2005-01-02 - v0.3.3 21156d49e1aeSJan Lentfer * added optional support for GNU Readline and History Libraries for 21166d49e1aeSJan Lentfer wpa_cli (CONFIG_READLINE) 21176d49e1aeSJan Lentfer * cleaned up EAP state machine <-> method interface and number of 21186d49e1aeSJan Lentfer small problems with error case processing not terminating on 21196d49e1aeSJan Lentfer EAP-Failure but waiting for timeout 21206d49e1aeSJan Lentfer * added couple of workarounds for interoperability issues with a 21216d49e1aeSJan Lentfer Cisco AP when using WPA2 21226d49e1aeSJan Lentfer * added support for EAP-FAST (draft-cam-winget-eap-fast-00.txt); 21236d49e1aeSJan Lentfer Note: This requires a patch for openssl to add support for TLS 21246d49e1aeSJan Lentfer extensions and number of workarounds for operations without 21256d49e1aeSJan Lentfer certificates. Proof of concept type of experimental patch is 21266d49e1aeSJan Lentfer included in openssl-tls-extensions.patch. 
21276d49e1aeSJan Lentfer 21286d49e1aeSJan Lentfer2004-12-19 - v0.3.2 21296d49e1aeSJan Lentfer * fixed private key loading for cases where passphrase is not set 21306d49e1aeSJan Lentfer * fixed Windows/cygwin L2 packet handler freeing; previous version 21316d49e1aeSJan Lentfer could cause a segfault when RSN pre-authentication was completed 21326d49e1aeSJan Lentfer * added support for PMKSA caching with drivers that generate RSN IEs 21336d49e1aeSJan Lentfer (e.g., NDIS); currently, this is only implemented in driver_ndis.c, 21346d49e1aeSJan Lentfer but similar code can be easily added to driver_ndiswrapper.c once 21356d49e1aeSJan Lentfer ndiswrapper gets full support for RSN PMKSA caching 21366d49e1aeSJan Lentfer * improved recovery from PMKID mismatches by requesting full EAP 21376d49e1aeSJan Lentfer authentication in case of failed PMKSA caching attempt 21386d49e1aeSJan Lentfer * driver_ndis: added support for NDIS NdisMIncidateStatus() events 21396d49e1aeSJan Lentfer (this requires that ndis_events is ran while wpa_supplicant is 21406d49e1aeSJan Lentfer running) 21416d49e1aeSJan Lentfer * driver_ndis: use ADD_WEP/REMOVE_WEP when configuring WEP keys 21426d49e1aeSJan Lentfer * added support for driver interfaces to replace the interface name 21436d49e1aeSJan Lentfer based on driver/OS specific mapping, e.g., in case of driver_ndis, 21446d49e1aeSJan Lentfer this allows the beginning of the adapter description to be used as 21456d49e1aeSJan Lentfer the interface name 21466d49e1aeSJan Lentfer * added support for CR+LF (Windows-style) line ends in configuration 21476d49e1aeSJan Lentfer file 21486d49e1aeSJan Lentfer * driver_ndis: enable radio before starting scanning, disable radio 21496d49e1aeSJan Lentfer when exiting 21506d49e1aeSJan Lentfer * modified association event handler to set portEnabled = FALSE before 21516d49e1aeSJan Lentfer clearing port Valid in order to reset EAP state machine and avoid 21526d49e1aeSJan Lentfer problems with new authentication getting 
	  ignored because of state
	  machines ending up in AUTHENTICATED/SUCCESS state based on old
	  information
	* added support for driver events to add PMKID candidates in order to
	  allow drivers to give priority to most likely roaming candidates
	* driver_hostap: moved PrivacyInvoked configuration to associate()
	  function so that this will not be set for plaintext connections
	* added KEY_MGMT_802_1X_NO_WPA as a new key_mgmt type so that driver
	  interface can distinguish plaintext and IEEE 802.1X (no WPA)
	  authentication
	* fixed static WEP key configuration to use broadcast/default type for
	  all keys (previously, the default TX key was configured as pairwise/
	  unicast key)
	* driver_ndis: added legacy WPA capability detection for non-WPA2
	  drivers
	* added support for setting static WEP keys for IEEE 802.1X without
	  dynamic WEP keying (eapol_flags=0)

2004-12-12 - v0.3.1
	* added support for reading PKCS#12 (PFX) files (as a replacement for
	  PEM/DER) to get certificate and private key (CONFIG_PKCS12)
	* fixed compilation with CONFIG_PCSC=y
	* added new ap_scan mode, ap_scan=2, for drivers that take care of
	  association, but need to be configured with security policy and SSID,
	  e.g., ndiswrapper and NDIS driver; this mode should allow such
	  drivers to work with hidden SSIDs and optimized roaming; when
	  ap_scan=2 is used, only the first network block in the configuration
	  file is used and this configuration should have explicit security
	  policy (i.e., only one option in the lists) for key_mgmt, pairwise,
	  group, proto variables
	* added experimental port of wpa_supplicant for Windows
	  - driver_ndis.c driver interface (NDIS OIDs)
	  - currently, this requires cygwin and WinPcap
	  - small utility, win_if_list, can be used to get interface name
	* control interface can now be removed at build time; add
	  CONFIG_CTRL_IFACE=y to .config to maintain old functionality
	* optional Xsupplicant interface can now be removed at build time;
	  (CONFIG_XSUPPLICANT_IFACE=y in .config to bring it back)
	* added auth_alg to driver interface associate() parameters to make it
	  easier for drivers to configure authentication algorithm as part of
	  the association

2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
	* driver_broadcom: added new driver interface for Broadcom wl.o driver
	  (a generic driver for Broadcom IEEE 802.11a/g cards)
	* wpa_cli: fixed parsing of -p <path> command line argument
	* PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS
	  ACK, not tunneled EAP-Success (of which only the first byte was
	  actually sent due to a bug in previous code); this seems to
	  interoperate with most RADIUS servers that implement PEAPv1
	* PEAPv1: added support for terminating PEAP authentication on tunneled
	  EAP-Success message; this can be configured by adding
	  peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf
	  (some RADIUS servers require this whereas others require a tunneled
	  reply)
	* PEAPv1: changed phase1 option peaplabel to default to 0, i.e., to
	  the old label for key derivation; previously, the default was 1,
	  but it looks like most existing PEAPv1 implementations use the old
	  label which is thus a more suitable default option
	* added support for EAP-PSK (draft-bersani-eap-psk-03.txt)
	* fixed parsing of wep_tx_keyidx
	* added support for configuring list of allowed Phase 2 EAP types
	  (for both EAP-PEAP and EAP-TTLS) instead of only one type
	* added support for configuring IEEE 802.11 authentication algorithm
	  (auth_alg; mainly for using Shared Key authentication with static
	  WEP keys)
	* added support for EAP-AKA (with UMTS SIM)
	* fixed couple of errors in PCSC handling that could have caused
	  random-looking errors for EAP-SIM
	* added support for EAP-SIM pseudonyms and fast re-authentication
	* added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS
	  session resumption)
	* added support for EAP-SIM with two challenges
	  (phase1="sim_min_num_chal=3" can be used to require three challenges)
	* added support for configuring DH/DSA parameters for an ephemeral DH
	  key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters
	  dh_file and dh_file2 (phase 2); this adds support for using DSA keys
	  and optional DH key exchange to achieve forward secrecy with RSA keys
	* added support for matching subject of the authentication server
	  certificate with a substring when using EAP-TLS/PEAP/TTLS; new
	  configuration variables subject_match and subject_match2
	* changed SSID configuration in driver_wext.c (used by many driver
	  interfaces) to use ssid_len+1 as the length for SSID since some Linux
	  drivers expect this
	* fixed couple of unaligned reads in scan result parsing to fix WPA
	  connection on some platforms (e.g., ARM)
	* added driver interface for Intel ipw2100 driver
	* added support for LEAP with WPA
	* added support for larger scan results report (old limit was 4 kB of
	  data, i.e., about 35 or so APs) when using Linux wireless extensions
	  v17 or newer
	* fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start
	  only if there is a PMKSA cache entry for the current AP
	* fixed error handling for case where reading of scan results fails:
	  must schedule a new scan or wpa_supplicant will remain waiting
	  forever
	* changed debug output to remove shared password/key material by
	  default; all key information can be included with -K command line
	  argument to match the previous behavior
	* added support for timestamping debug log messages (disabled by
	  default, can be enabled with -t command line argument)
	* set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104
	  if keys are not configured to be used; this fixes IEEE 802.1X mode
	  with drivers that use this information to configure whether Privacy
	  bit can be in Beacon frames (e.g., ndiswrapper)
	* avoid clearing driver keys if no keys have been configured since last
	  key clear request; this seems to improve reliability of group key
	  handshake for ndiswrapper & NDIS driver which seems to be suffering
	  of some kind of timing issue when the keys are cleared again after
	  association
	* changed driver interface API:
	  - WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which
	    version is being used (now, this is set to 2; previously, it was
	    not defined)
	  - pass pointer to private data structure to all calls
	  - the new API is not backwards compatible; all in-tree driver
	    interfaces have been converted to the new API
	* added support for controlling multiple interfaces (radios) per
	  wpa_supplicant process; each interface needs to be listed on the
	  command line (-c, -i, -D arguments) with -N as a separator
	  (-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi)
	* added a workaround for EAP servers that incorrectly use same Id for
	  sequential EAP packets
	* changed libpcap/libdnet configuration to use .config variable,
	  CONFIG_DNET_PCAP, instead of requiring Makefile modification
	* improved downgrade attack detection in IE verification of msg 3/4:
	  verify both WPA and RSN IEs, if present, not only the selected one;
	  reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or
	  Probe Response frame, and RSN is enabled in wpa_supplicant
	  configuration
	* fixed WPA msg 3/4 processing to allow Key Data field contain other
	  IEs than just one WPA IE
	* added support for FreeBSD and driver interface for the BSD net80211
	  layer (CONFIG_DRIVER_BSD=y in .config); please note that some of the
	  required kernel mods have not yet been committed
	* made EAP workarounds configurable; enabled by default, can be
	  disabled with network block option eap_workaround=0

2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
	* resolved couple of interoperability issues with EAP-PEAPv1 and
	  Phase 2 (inner EAP) fragment reassembly
	* driver_madwifi: fixed WEP key configuration for IEEE 802.1X when the
	  AP is using non-zero key index for the unicast key and key index zero
	  for the broadcast key
	* driver_hostap: fixed IEEE 802.1X WEP key updates and
	  re-authentication by allowing unencrypted EAPOL frames when not using
	  WPA
	* added a new driver interface, 'wext', which uses only standard,
	  driver independent functionality in Linux wireless extensions;
	  currently, this can be used only for non-WPA IEEE 802.1X mode, but
	  eventually, this is to be extended to support full WPA/WPA2 once
	  Linux wireless extensions get support for this
	* added support for mode in which the driver is responsible for AP
	  scanning and selection; this is disabled by default and can be
	  enabled with global ap_scan=0 variable in wpa_supplicant.conf;
	  this mode can be used, e.g., with generic 'wext' driver interface to
	  use wpa_supplicant as IEEE 802.1X Supplicant with any Linux driver
	  supporting wireless extensions.
	* driver_madwifi: fixed WPA2 configuration and scan_ssid=1 (e.g.,
	  operation with an AP that does not include SSID in the Beacon frames)
	* added support for new EAP authentication methods:
	  EAP-TTLS/EAP-OTP, EAP-PEAPv0/OTP, EAP-PEAPv1/OTP, EAP-OTP
	* added support for asking one-time-passwords from frontends (e.g.,
	  wpa_cli); this 'otp' command works otherwise like 'password' command,
	  but the password is used only once and the frontend will be asked for
	  a new password whenever a request from authenticator requires a
	  password; this can be used with both EAP-OTP and EAP-GTC
	* changed wpa_cli to automatically re-establish connection so that it
	  does not need to be re-started when wpa_supplicant is terminated and
	  started again
	* improved user data (identity/password/otp) requests through
	  frontends: process pending EAPOL packets after getting new
	  information so that full authentication does not need to be
	  restarted; in addition, send pending requests again whenever a new
	  frontend is attached
	* changed control frontends to use a new directory for socket files to
	  make it easier for wpa_cli to automatically select between interfaces
	  and to provide access control for the control interface;
	  wpa_supplicant.conf: ctrl_interface is now a path
	  (/var/run/wpa_supplicant is the recommended path) and
	  ctrl_interface_group can be used to select which group gets access to
	  the control interface;
	  wpa_cli: by default, try to connect to the first interface available
	  in /var/run/wpa_supplicant; this path can be overridden with -p option
	  and an interface can be selected with -i option (i.e., in most common
	  cases, wpa_cli does not need to get any arguments)
	* added support for LEAP
	* added driver interface for Linux ndiswrapper
	* added priority option for network blocks in the configuration file;
	  this allows networks to be grouped based on priority (the scan
	  results are searched for matches with network blocks in this order)

2004-06-20 - v0.2.3
	* sort scan results to improve AP selection
	* fixed control interface socket removal for some error cases
	* improved scan requesting and authentication timeout
	* small improvements/bug fixes for EAP-MSCHAPv2, EAP-PEAP, and
	  TLS processing
	* PEAP version can now be forced with phase1="peapver=<ver>"
	  (mostly for testing; by default, the highest version supported by
	  both the Supplicant and Authentication Server is selected
	  automatically)
	* added support for madwifi driver (Atheros ar521x)
	* added a workaround for cases where AP sets Install Tx/Rx bit for
	  WPA Group Key messages when pairwise keys are used (without this,
	  the Group Key would be used for Tx and the AP would drop frames
	  from the station)
	* added GSM SIM/USIM interface for GSM authentication algorithm for
	  EAP-SIM; this requires pcsc-lite
	* added support for ATMEL AT76C5XXx driver
	* fixed IEEE 802.1X WEP key derivation in the case where Authenticator
	  does not include key data in the EAPOL-Key frame (i.e., part of
	  EAP keying material is used as data encryption key)
	* added support for using plaintext and static WEP networks
	  (key_mgmt=NONE)

2004-05-31 - v0.2.2
	* added support for new EAP authentication methods:
	  EAP-TTLS/EAP-MD5-Challenge
	  EAP-TTLS/EAP-GTC
	  EAP-TTLS/EAP-MSCHAPv2
	  EAP-TTLS/EAP-TLS
	  EAP-TTLS/MSCHAPv2
	  EAP-TTLS/MSCHAP
	  EAP-TTLS/PAP
	  EAP-TTLS/CHAP
	  EAP-PEAP/TLS
	  EAP-PEAP/GTC
	  EAP-PEAP/MD5-Challenge
	  EAP-GTC
	  EAP-SIM (not yet complete; needs GSM/SIM authentication interface)
	* added support for anonymous identity (to be used when identity is
	  sent in plaintext; real identity will be used within TLS protected
	  tunnel (e.g., with EAP-TTLS))
	* added event messages from wpa_supplicant to frontends, e.g., wpa_cli
	* added support for requesting identity and password information using
	  control interface; in other words, the password for EAP-PEAP or
	  EAP-TTLS does not need to be included in the configuration file since
	  a frontend (e.g., wpa_cli) can ask it from the user
	* improved RSN pre-authentication to use a candidate list and process
	  all candidates from each scan; not only one per scan
	* fixed RSN IE and WPA IE capabilities field parsing
	* ignore Tx bit in GTK IE when Pairwise keys are used
	* avoid making new scan requests during IEEE 802.1X negotiation
	* use openssl/libcrypto for MD5 and SHA-1 when compiling wpa_supplicant
	  with TLS support (this replaces the included implementation with
	  library code to save about 8 kB since the library code is needed
	  anyway for TLS)
	* fixed WPA-PSK only mode when compiled without IEEE 802.1X support
	  (i.e., without CONFIG_IEEE8021X_EAPOL=y in .config)

2004-05-06 - v0.2.1
	* added support for internal IEEE 802.1X (actually, IEEE 802.1aa/D6.1)
	  Supplicant
	  - EAPOL state machines for Supplicant [IEEE 802.1aa/D6.1]
	  - EAP peer state machine [draft-ietf-eap-statemachine-02.pdf]
	  - EAP-MD5 (cannot be used with WPA-RADIUS)
	    [draft-ietf-eap-rfc2284bis-09.txt]
	  - EAP-TLS [RFC 2716]
	  - EAP-MSCHAPv2 (currently used only with EAP-PEAP)
	  - EAP-PEAP/MSCHAPv2 [draft-josefsson-pppext-eap-tls-eap-07.txt]
	    [draft-kamath-pppext-eap-mschapv2-00.txt]
	    (PEAP version 0, 1, and parts of 2; only 0 and 1 are enabled by
	    default; tested with FreeRADIUS, Microsoft IAS, and Funk Odyssey)
	  - new configuration file options: eap, identity, password, ca_cert,
	    client_cert, privatekey, private_key_passwd
	  - Xsupplicant is not required anymore, but it can be used by
	    disabling the internal IEEE 802.1X Supplicant with -e command line
	    option
	  - this code is not included in the default build; Makefile needs to
	    be edited for this (uncomment lines for selected functionality)
	  - EAP-TLS and EAP-PEAP require openssl libraries
	* use module prefix in debug messages (WPA, EAP, EAP-TLS, ..)
	* added support for non-WPA IEEE 802.1X mode with dynamic WEP keys
	  (i.e., complete IEEE 802.1X/EAP authentication and use IEEE 802.1X
	  EAPOL-Key frames instead of WPA key handshakes)
	* added support for IEEE 802.11i/RSN (WPA2)
	  - improved PTK Key Handshake
	  - PMKSA caching, pre-authentication
	* fixed wpa_supplicant to ignore possible extra data after WPA
	  EAPOL-Key packets (this fixes 'Invalid EAPOL-Key MIC when using
	  TPTK' error from message 3 of 4-Way Handshake in case the AP
	  includes extra data after the EAPOL-Key)
	* added interface for external programs (frontends) to control
	  wpa_supplicant
	  - CLI example (wpa_cli) with interactive mode and command line
	    mode
	  - replaced SIGUSR1 status/statistics with the new control interface
	* made some features compile time configurable
	  - .config file for make
	  - driver interfaces (hostap, hermes, ..)
	  - EAPOL/EAP functions

2004-02-15 - v0.2.0
	* Initial version of wpa_supplicant