139beb93cSSam LefflerChangeLog for hostapd 239beb93cSSam Leffler 3ec080394SCy Schubert2022-01-16 - v2.10 4ec080394SCy Schubert * SAE changes 5ec080394SCy Schubert - improved protection against side channel attacks 6ec080394SCy Schubert [https://w1.fi/security/2022-1/] 7ec080394SCy Schubert - added option send SAE Confirm immediately (sae_config_immediate=1) 8ec080394SCy Schubert after SAE Commit 9ec080394SCy Schubert - added support for the hash-to-element mechanism (sae_pwe=1 or 10ec080394SCy Schubert sae_pwe=2) 11ec080394SCy Schubert - fixed PMKSA caching with OKC 12ec080394SCy Schubert - added support for SAE-PK 13ec080394SCy Schubert * EAP-pwd changes 14ec080394SCy Schubert - improved protection against side channel attacks 15ec080394SCy Schubert [https://w1.fi/security/2022-1/] 16ec080394SCy Schubert * fixed WPS UPnP SUBSCRIBE handling of invalid operations 17ec080394SCy Schubert [https://w1.fi/security/2020-1/] 18ec080394SCy Schubert * fixed PMF disconnection protection bypass 19ec080394SCy Schubert [https://w1.fi/security/2019-7/] 20ec080394SCy Schubert * added support for using OpenSSL 3.0 21ec080394SCy Schubert * fixed various issues in experimental support for EAP-TEAP server 22ec080394SCy Schubert * added configuration (max_auth_rounds, max_auth_rounds_short) to 23ec080394SCy Schubert increase the maximum number of EAP message exchanges (mainly to 24ec080394SCy Schubert support cases with very large certificates) for the EAP server 25ec080394SCy Schubert * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) 26ec080394SCy Schubert * extended HE (IEEE 802.11ax) support, including 6 GHz support 27ec080394SCy Schubert * removed obsolete IAPP functionality 28ec080394SCy Schubert * fixed EAP-FAST server with TLS GCM/CCM ciphers 29ec080394SCy Schubert * dropped support for libnl 1.1 30ec080394SCy Schubert * added support for nl80211 control port for EAPOL frame TX/RX 31ec080394SCy Schubert * fixed OWE key derivation with groups 20 and 21; this 
breaks backwards 32ec080394SCy Schubert compatibility for these groups while the default group 19 remains 33ec080394SCy Schubert backwards compatible; owe_ptk_workaround=1 can be used to enabled a 34ec080394SCy Schubert a workaround for the group 20/21 backwards compatibility 35ec080394SCy Schubert * added support for Beacon protection 36ec080394SCy Schubert * added support for Extended Key ID for pairwise keys 37ec080394SCy Schubert * removed WEP support from the default build (CONFIG_WEP=y can be used 38ec080394SCy Schubert to enable it, if really needed) 39ec080394SCy Schubert * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) 40ec080394SCy Schubert * added support for Transition Disable mechanism to allow the AP to 41ec080394SCy Schubert automatically disable transition mode to improve security 42ec080394SCy Schubert * added support for PASN 43ec080394SCy Schubert * added EAP-TLS server support for TLS 1.3 (disabled by default for now) 44ec080394SCy Schubert * a large number of other fixes, cleanup, and extensions 45ec080394SCy Schubert 46206b73d0SCy Schubert2019-08-07 - v2.9 47206b73d0SCy Schubert * SAE changes 48206b73d0SCy Schubert - disable use of groups using Brainpool curves 49206b73d0SCy Schubert - improved protection against side channel attacks 50206b73d0SCy Schubert [https://w1.fi/security/2019-6/] 51206b73d0SCy Schubert * EAP-pwd changes 52206b73d0SCy Schubert - disable use of groups using Brainpool curves 53206b73d0SCy Schubert - improved protection against side channel attacks 54206b73d0SCy Schubert [https://w1.fi/security/2019-6/] 55206b73d0SCy Schubert * fixed FT-EAP initial mobility domain association using PMKSA caching 56206b73d0SCy Schubert * added configuration of airtime policy 57206b73d0SCy Schubert * fixed FILS to and RSNE into (Re)Association Response frames 58206b73d0SCy Schubert * fixed DPP bootstrapping URI parser of channel list 59206b73d0SCy Schubert * added support for regulatory WMM limitation (for ETSI) 
60206b73d0SCy Schubert * added support for MACsec Key Agreement using IEEE 802.1X/PSK 61206b73d0SCy Schubert * added experimental support for EAP-TEAP server (RFC 7170) 62206b73d0SCy Schubert * added experimental support for EAP-TLS server with TLS v1.3 63206b73d0SCy Schubert * added support for two server certificates/keys (RSA/ECC) 64206b73d0SCy Schubert * added AKMSuiteSelector into "STA <addr>" control interface data to 65206b73d0SCy Schubert determine with AKM was used for an association 66206b73d0SCy Schubert * added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and 67206b73d0SCy Schubert fast reauthentication use to be disabled 68206b73d0SCy Schubert * fixed an ECDH operation corner case with OpenSSL 69206b73d0SCy Schubert 704bc52338SCy Schubert2019-04-21 - v2.8 714bc52338SCy Schubert * SAE changes 724bc52338SCy Schubert - added support for SAE Password Identifier 734bc52338SCy Schubert - changed default configuration to enable only group 19 744bc52338SCy Schubert (i.e., disable groups 20, 21, 25, 26 from default configuration) and 754bc52338SCy Schubert disable all unsuitable groups completely based on REVmd changes 764bc52338SCy Schubert - improved anti-clogging token mechanism and SAE authentication 774bc52338SCy Schubert frame processing during heavy CPU load; this mitigates some issues 784bc52338SCy Schubert with potential DoS attacks trying to flood an AP with large number 794bc52338SCy Schubert of SAE messages 804bc52338SCy Schubert - added Finite Cyclic Group field in status code 77 responses 814bc52338SCy Schubert - reject use of unsuitable groups based on new implementation guidance 824bc52338SCy Schubert in REVmd (allow only FFC groups with prime >= 3072 bits and ECC 834bc52338SCy Schubert groups with prime >= 256) 844bc52338SCy Schubert - minimize timing and memory use differences in PWE derivation 854bc52338SCy Schubert [https://w1.fi/security/2019-1/] (CVE-2019-9494) 864bc52338SCy Schubert - fixed confirm message validation in 
error cases 874bc52338SCy Schubert [https://w1.fi/security/2019-3/] (CVE-2019-9496) 884bc52338SCy Schubert * EAP-pwd changes 894bc52338SCy Schubert - minimize timing and memory use differences in PWE derivation 904bc52338SCy Schubert [https://w1.fi/security/2019-2/] (CVE-2019-9495) 914bc52338SCy Schubert - verify peer scalar/element 924bc52338SCy Schubert [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498) 934bc52338SCy Schubert - fix message reassembly issue with unexpected fragment 944bc52338SCy Schubert [https://w1.fi/security/2019-5/] 954bc52338SCy Schubert - enforce rand,mask generation rules more strictly 964bc52338SCy Schubert - fix a memory leak in PWE derivation 974bc52338SCy Schubert - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 984bc52338SCy Schubert 27) 994bc52338SCy Schubert * Hotspot 2.0 changes 1004bc52338SCy Schubert - added support for release number 3 1014bc52338SCy Schubert - reject release 2 or newer association without PMF 1024bc52338SCy Schubert * added support for RSN operating channel validation 1034bc52338SCy Schubert (CONFIG_OCV=y and configuration parameter ocv=1) 1044bc52338SCy Schubert * added Multi-AP protocol support 1054bc52338SCy Schubert * added FTM responder configuration 1064bc52338SCy Schubert * fixed build with LibreSSL 1074bc52338SCy Schubert * added FT/RRB workaround for short Ethernet frame padding 1084bc52338SCy Schubert * fixed KEK2 derivation for FILS+FT 1094bc52338SCy Schubert * added RSSI-based association rejection from OCE 1104bc52338SCy Schubert * extended beacon reporting functionality 1114bc52338SCy Schubert * VLAN changes 1124bc52338SCy Schubert - allow local VLAN management with remote RADIUS authentication 1134bc52338SCy Schubert - add WPA/WPA2 passphrase/PSK -based VLAN assignment 1144bc52338SCy Schubert * OpenSSL: allow systemwide policies to be overridden 1154bc52338SCy Schubert * extended PEAP to derive EMSK to enable use with ERP/FILS 1164bc52338SCy Schubert * extended 
WPS to allow SAE configuration to be added automatically 1174bc52338SCy Schubert for PSK (wps_cred_add_sae=1) 1184bc52338SCy Schubert * fixed FT and SA Query Action frame with AP-MLME-in-driver cases 1194bc52338SCy Schubert * OWE: allow Diffie-Hellman Parameter element to be included with DPP 1204bc52338SCy Schubert in preparation for DPP protocol extension 1214bc52338SCy Schubert * RADIUS server: started to accept ERP keyName-NAI as user identity 1224bc52338SCy Schubert automatically without matching EAP database entry 1234bc52338SCy Schubert * fixed PTK rekeying with FILS and FT 1244bc52338SCy Schubert 12585732ac8SCy Schubert2018-12-02 - v2.7 12685732ac8SCy Schubert * fixed WPA packet number reuse with replayed messages and key 12785732ac8SCy Schubert reinstallation 12885732ac8SCy Schubert [http://w1.fi/security/2017-1/] (CVE-2017-13082) 12985732ac8SCy Schubert * added support for FILS (IEEE 802.11ai) shared key authentication 13085732ac8SCy Schubert * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; 13185732ac8SCy Schubert and transition mode defined by WFA) 13285732ac8SCy Schubert * added support for DPP (Wi-Fi Device Provisioning Protocol) 13385732ac8SCy Schubert * FT: 13485732ac8SCy Schubert - added local generation of PMK-R0/PMK-R1 for FT-PSK 13585732ac8SCy Schubert (ft_psk_generate_local=1) 13685732ac8SCy Schubert - replaced inter-AP protocol with a cleaner design that is more 13785732ac8SCy Schubert easily extensible; this breaks backward compatibility and requires 13885732ac8SCy Schubert all APs in the ESS to be updated at the same time to maintain FT 13985732ac8SCy Schubert functionality 14085732ac8SCy Schubert - added support for wildcard R0KH/R1KH 14185732ac8SCy Schubert - replaced r0_key_lifetime (minutes) parameter with 14285732ac8SCy Schubert ft_r0_key_lifetime (seconds) 14385732ac8SCy Schubert - fixed wpa_psk_file use for FT-PSK 14485732ac8SCy Schubert - fixed FT-SAE PMKID matching 14585732ac8SCy Schubert - added expiration to 
PMK-R0 and PMK-R1 cache 14685732ac8SCy Schubert - added IEEE VLAN support (including tagged VLANs) 14785732ac8SCy Schubert - added support for SHA384 based AKM 14885732ac8SCy Schubert * SAE 14985732ac8SCy Schubert - fixed some PMKSA caching cases with SAE 15085732ac8SCy Schubert - added support for configuring SAE password separately of the 15185732ac8SCy Schubert WPA2 PSK/passphrase 15285732ac8SCy Schubert - added option to require MFP for SAE associations 15385732ac8SCy Schubert (sae_require_pmf=1) 15485732ac8SCy Schubert - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection 15585732ac8SCy Schubert for SAE; 15685732ac8SCy Schubert note: this is not backwards compatible, i.e., both the AP and 15785732ac8SCy Schubert station side implementations will need to be update at the same 15885732ac8SCy Schubert time to maintain interoperability 15985732ac8SCy Schubert - added support for Password Identifier 16085732ac8SCy Schubert * hostapd_cli: added support for command history and completion 16185732ac8SCy Schubert * added support for requesting beacon report 16285732ac8SCy Schubert * large number of other fixes, cleanup, and extensions 16385732ac8SCy Schubert * added option to configure EAPOL-Key retry limits 16485732ac8SCy Schubert (wpa_group_update_count and wpa_pairwise_update_count) 16585732ac8SCy Schubert * removed all PeerKey functionality 16685732ac8SCy Schubert * fixed nl80211 AP mode configuration regression with Linux 4.15 and 16785732ac8SCy Schubert newer 16885732ac8SCy Schubert * added support for using wolfSSL cryptographic library 16985732ac8SCy Schubert * fixed some 20/40 MHz coexistence cases where the BSS could drop to 17085732ac8SCy Schubert 20 MHz even when 40 MHz would be allowed 17185732ac8SCy Schubert * Hotspot 2.0 17285732ac8SCy Schubert - added support for setting Venue URL ANQP-element (venue_url) 17385732ac8SCy Schubert - added support for advertising Hotspot 2.0 operator icons 17485732ac8SCy Schubert - added support for Roaming 
Consortium Selection element 17585732ac8SCy Schubert - added support for Terms and Conditions 17685732ac8SCy Schubert - added support for OSEN connection in a shared RSN BSS 17785732ac8SCy Schubert * added support for using OpenSSL 1.1.1 17885732ac8SCy Schubert * added EAP-pwd server support for salted passwords 17985732ac8SCy Schubert 180780fb4a2SCy Schubert2016-10-02 - v2.6 181780fb4a2SCy Schubert * fixed EAP-pwd last fragment validation 182780fb4a2SCy Schubert [http://w1.fi/security/2015-7/] (CVE-2015-5314) 183780fb4a2SCy Schubert * fixed WPS configuration update vulnerability with malformed passphrase 184780fb4a2SCy Schubert [http://w1.fi/security/2016-1/] (CVE-2016-4476) 185780fb4a2SCy Schubert * extended channel switch support for VHT bandwidth changes 186780fb4a2SCy Schubert * added support for configuring new ANQP-elements with 187780fb4a2SCy Schubert anqp_elem=<InfoID>:<hexdump of payload> 188780fb4a2SCy Schubert * fixed Suite B 192-bit AKM to use proper PMK length 189780fb4a2SCy Schubert (note: this makes old releases incompatible with the fixed behavior) 190780fb4a2SCy Schubert * added no_probe_resp_if_max_sta=1 parameter to disable Probe Response 191780fb4a2SCy Schubert frame sending for not-associated STAs if max_num_sta limit has been 192780fb4a2SCy Schubert reached 193780fb4a2SCy Schubert * added option (-S as command line argument) to request all interfaces 194780fb4a2SCy Schubert to be started at the same time 195780fb4a2SCy Schubert * modified rts_threshold and fragm_threshold configuration parameters 196780fb4a2SCy Schubert to allow -1 to be used to disable RTS/fragmentation 197780fb4a2SCy Schubert * EAP-pwd: added support for Brainpool Elliptic Curves 198780fb4a2SCy Schubert (with OpenSSL 1.0.2 and newer) 199780fb4a2SCy Schubert * fixed EAPOL reauthentication after FT protocol run 200780fb4a2SCy Schubert * fixed FTIE generation for 4-way handshake after FT protocol run 201780fb4a2SCy Schubert * fixed and improved various FST operations 
202780fb4a2SCy Schubert * TLS server 203780fb4a2SCy Schubert - support SHA384 and SHA512 hashes 204780fb4a2SCy Schubert - support TLS v1.2 signature algorithm with SHA384 and SHA512 205780fb4a2SCy Schubert - support PKCS #5 v2.0 PBES2 206780fb4a2SCy Schubert - support PKCS #5 with PKCS #12 style key decryption 207780fb4a2SCy Schubert - minimal support for PKCS #12 208780fb4a2SCy Schubert - support OCSP stapling (including ocsp_multi) 209780fb4a2SCy Schubert * added support for OpenSSL 1.1 API changes 210780fb4a2SCy Schubert - drop support for OpenSSL 0.9.8 211780fb4a2SCy Schubert - drop support for OpenSSL 1.0.0 212780fb4a2SCy Schubert * EAP-PEAP: support fast-connect crypto binding 213780fb4a2SCy Schubert * RADIUS 214780fb4a2SCy Schubert - fix Called-Station-Id to not escape SSID 215780fb4a2SCy Schubert - add Event-Timestamp to all Accounting-Request packets 216780fb4a2SCy Schubert - add Acct-Session-Id to Accounting-On/Off 217780fb4a2SCy Schubert - add Acct-Multi-Session-Id ton Access-Request packets 218780fb4a2SCy Schubert - add Service-Type (= Frames) 219780fb4a2SCy Schubert - allow server to provide PSK instead of passphrase for WPA-PSK 220780fb4a2SCy Schubert Tunnel_password case 221780fb4a2SCy Schubert - update full message for interim accounting updates 222780fb4a2SCy Schubert - add Acct-Delay-Time into Accounting messages 223780fb4a2SCy Schubert - add require_message_authenticator configuration option to require 224780fb4a2SCy Schubert CoA/Disconnect-Request packets to be authenticated 225780fb4a2SCy Schubert * started to postpone WNM-Notification frame sending by 100 ms so that 226780fb4a2SCy Schubert the STA has some more time to configure the key before this frame is 227780fb4a2SCy Schubert received after the 4-way handshake 228780fb4a2SCy Schubert * VHT: added interoperability workaround for 80+80 and 160 MHz channels 229780fb4a2SCy Schubert * extended VLAN support (per-STA vif, etc.) 
230780fb4a2SCy Schubert * fixed PMKID derivation with SAE 231780fb4a2SCy Schubert * nl80211 232780fb4a2SCy Schubert - added support for full station state operations 233780fb4a2SCy Schubert - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use 234780fb4a2SCy Schubert unencrypted EAPOL frames 235780fb4a2SCy Schubert * added initial MBO support; number of extensions to WNM BSS Transition 236780fb4a2SCy Schubert Management 237780fb4a2SCy Schubert * added initial functionality for location related operations 238780fb4a2SCy Schubert * added assocresp_elements parameter to allow vendor specific elements 239780fb4a2SCy Schubert to be added into (Re)Association Response frames 240780fb4a2SCy Schubert * improved Public Action frame addressing 241780fb4a2SCy Schubert - use Address 3 = wildcard BSSID in GAS response if a query from an 242780fb4a2SCy Schubert unassociated STA used that address 243780fb4a2SCy Schubert - fix TX status processing for Address 3 = wildcard BSSID 244780fb4a2SCy Schubert - add gas_address3 configuration parameter to control Address 3 245780fb4a2SCy Schubert behavior 246780fb4a2SCy Schubert * added command line parameter -i to override interface parameter in 247780fb4a2SCy Schubert hostapd.conf 248780fb4a2SCy Schubert * added command completion support to hostapd_cli 249780fb4a2SCy Schubert * added passive client taxonomy determination (CONFIG_TAXONOMY=y 250780fb4a2SCy Schubert compile option and "SIGNATURE <addr>" control interface command) 251780fb4a2SCy Schubert * number of small fixes 252780fb4a2SCy Schubert 253325151a3SRui Paulo2015-09-27 - v2.5 254325151a3SRui Paulo * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding 255325151a3SRui Paulo [http://w1.fi/security/2015-2/] (CVE-2015-4141) 256325151a3SRui Paulo * fixed WMM Action frame parser 257325151a3SRui Paulo [http://w1.fi/security/2015-3/] (CVE-2015-4142) 258325151a3SRui Paulo * fixed EAP-pwd server missing payload length validation 259325151a3SRui Paulo 
[http://w1.fi/security/2015-4/] 260325151a3SRui Paulo (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145) 261325151a3SRui Paulo * fixed validation of WPS and P2P NFC NDEF record payload length 262325151a3SRui Paulo [http://w1.fi/security/2015-5/] 263325151a3SRui Paulo * nl80211: 264325151a3SRui Paulo - fixed vendor command handling to check OUI properly 265325151a3SRui Paulo * fixed hlr_auc_gw build with OpenSSL 266325151a3SRui Paulo * hlr_auc_gw: allow Milenage RES length to be reduced 267325151a3SRui Paulo * disable HT for a station that does not support WMM/QoS 268325151a3SRui Paulo * added support for hashed password (NtHash) in EAP-pwd server 269325151a3SRui Paulo * fixed and extended dynamic VLAN cases 270325151a3SRui Paulo * added EAP-EKE server support for deriving Session-Id 271325151a3SRui Paulo * set Acct-Session-Id to a random value to make it more likely to be 272325151a3SRui Paulo unique even if the device does not have a proper clock 273325151a3SRui Paulo * added more 2.4 GHz channels for 20/40 MHz HT co-ex scan 274325151a3SRui Paulo * modified SAE routines to be more robust and PWE generation to be 275325151a3SRui Paulo stronger against timing attacks 276325151a3SRui Paulo * added support for Brainpool Elliptic Curves with SAE 277325151a3SRui Paulo * increases maximum value accepted for cwmin/cwmax 278325151a3SRui Paulo * added support for CCMP-256 and GCMP-256 as group ciphers with FT 279325151a3SRui Paulo * added Fast Session Transfer (FST) module 280325151a3SRui Paulo * removed optional fields from RSNE when using FT with PMF 281325151a3SRui Paulo (workaround for interoperability issues with iOS 8.4) 282325151a3SRui Paulo * added EAP server support for TLS session resumption 283325151a3SRui Paulo * fixed key derivation for Suite B 192-bit AKM (this breaks 284325151a3SRui Paulo compatibility with the earlier version) 285325151a3SRui Paulo * added mechanism to track unconnected stations and do minimal band 286325151a3SRui Paulo steering 287325151a3SRui 
Paulo * number of small fixes 288325151a3SRui Paulo 2895b9c547cSRui Paulo2015-03-15 - v2.4 2905b9c547cSRui Paulo * allow OpenSSL cipher configuration to be set for internal EAP server 2915b9c547cSRui Paulo (openssl_ciphers parameter) 2925b9c547cSRui Paulo * fixed number of small issues based on hwsim test case failures and 2935b9c547cSRui Paulo static analyzer reports 2945b9c547cSRui Paulo * fixed Accounting-Request to not include duplicated Acct-Session-Id 2955b9c547cSRui Paulo * add support for Acct-Multi-Session-Id in RADIUS Accounting messages 2965b9c547cSRui Paulo * add support for PMKSA caching with SAE 2975b9c547cSRui Paulo * add support for generating BSS Load element (bss_load_update_period) 2985b9c547cSRui Paulo * fixed channel switch from VHT to HT 2995b9c547cSRui Paulo * add INTERFACE-ENABLED and INTERFACE-DISABLED ctrl_iface events 3005b9c547cSRui Paulo * add support for learning STA IPv4/IPv6 addresses and configuring 3015b9c547cSRui Paulo ProxyARP support 3025b9c547cSRui Paulo * dropped support for the madwifi driver interface 3035b9c547cSRui Paulo * add support for Suite B (128-bit and 192-bit level) key management and 3045b9c547cSRui Paulo cipher suites 3055b9c547cSRui Paulo * fixed a regression with driver=wired 3065b9c547cSRui Paulo * extend EAPOL-Key msg 1/4 retry workaround for changing SNonce 3075b9c547cSRui Paulo * add BSS_TM_REQ ctrl_iface command to send BSS Transition Management 3085b9c547cSRui Paulo Request frames and BSS-TM-RESP event to indicate response to such 3095b9c547cSRui Paulo frame 3105b9c547cSRui Paulo * add support for EAP Re-Authentication Protocol (ERP) 3115b9c547cSRui Paulo * fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled 3125b9c547cSRui Paulo * fixed a regression in HT 20/40 coex Action frame parsing 3135b9c547cSRui Paulo * set stdout to be line-buffered 3145b9c547cSRui Paulo * add support for vendor specific VHT extension to enable 256 QAM rates 3155b9c547cSRui Paulo (VHT-MCS 8 and 9) on 2.4 GHz band 
3165b9c547cSRui Paulo * RADIUS DAS: 3175b9c547cSRui Paulo - extend Disconnect-Request processing to allow matching of multiple 3185b9c547cSRui Paulo sessions 3195b9c547cSRui Paulo - support Acct-Multi-Session-Id as an identifier 3205b9c547cSRui Paulo - allow PMKSA cache entry to be removed without association 3215b9c547cSRui Paulo * expire hostapd STA entry if kernel does not have a matching entry 3225b9c547cSRui Paulo * allow chanlist to be used to specify a subset of channels for ACS 3235b9c547cSRui Paulo * improve ACS behavior on 2.4 GHz band and allow channel bias to be 3245b9c547cSRui Paulo configured with acs_chan_bias parameter 3255b9c547cSRui Paulo * do not reply to a Probe Request frame that includes DSS Parameter Set 3265b9c547cSRui Paulo element in which the channel does not match the current operating 3275b9c547cSRui Paulo channel 3285b9c547cSRui Paulo * add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon 3295b9c547cSRui Paulo frame contents to be updated and to start beaconing on an interface 3305b9c547cSRui Paulo that used start_disabled=1 3315b9c547cSRui Paulo * fixed some RADIUS server failover cases 3325b9c547cSRui Paulo 3335b9c547cSRui Paulo2014-10-09 - v2.3 3345b9c547cSRui Paulo * fixed number of minor issues identified in static analyzer warnings 3355b9c547cSRui Paulo * fixed DFS and channel switch operation for multi-BSS cases 3365b9c547cSRui Paulo * started to use constant time comparison for various password and hash 3375b9c547cSRui Paulo values to reduce possibility of any externally measurable timing 3385b9c547cSRui Paulo differences 3395b9c547cSRui Paulo * extended explicit clearing of freed memory and expired keys to avoid 3405b9c547cSRui Paulo keeping private data in memory longer than necessary 3415b9c547cSRui Paulo * added support for number of new RADIUS attributes from RFC 7268 3425b9c547cSRui Paulo (Mobility-Domain-Id, WLAN-HESSID, WLAN-Pairwise-Cipher, 3435b9c547cSRui Paulo WLAN-Group-Cipher, WLAN-AKM-Suite, 
WLAN-Group-Mgmt-Pairwise-Cipher) 3445b9c547cSRui Paulo * fixed GET_CONFIG wpa_pairwise_cipher value 3455b9c547cSRui Paulo * added code to clear bridge FDB entry on station disconnection 3465b9c547cSRui Paulo * fixed PMKSA cache timeout from Session-Timeout for WPA/WPA2 cases 3475b9c547cSRui Paulo * fixed OKC PMKSA cache entry fetch to avoid a possible infinite loop 3485b9c547cSRui Paulo in case the first entry does not match 3495b9c547cSRui Paulo * fixed hostapd_cli action script execution to use more robust mechanism 3505b9c547cSRui Paulo (CVE-2014-3686) 3515b9c547cSRui Paulo 3525b9c547cSRui Paulo2014-06-04 - v2.2 3535b9c547cSRui Paulo * fixed SAE confirm-before-commit validation to avoid a potential 3545b9c547cSRui Paulo segmentation fault in an unexpected message sequence that could be 3555b9c547cSRui Paulo triggered remotely 3565b9c547cSRui Paulo * extended VHT support 3575b9c547cSRui Paulo - Operating Mode Notification 3585b9c547cSRui Paulo - Power Constraint element (local_pwr_constraint) 3595b9c547cSRui Paulo - Spectrum management capability (spectrum_mgmt_required=1) 3605b9c547cSRui Paulo - fix VHT80 segment picking in ACS 3615b9c547cSRui Paulo - fix vht_capab 'Maximum A-MPDU Length Exponent' handling 3625b9c547cSRui Paulo - fix VHT20 3635b9c547cSRui Paulo * fixed HT40 co-ex scan for some pri/sec channel switches 3645b9c547cSRui Paulo * extended HT40 co-ex support to allow dynamic channel width changes 3655b9c547cSRui Paulo during the lifetime of the BSS 3665b9c547cSRui Paulo * fixed HT40 co-ex support to check for overlapping 20 MHz BSS 3675b9c547cSRui Paulo * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding; 3685b9c547cSRui Paulo this fixes password with include UTF-8 characters that use 3695b9c547cSRui Paulo three-byte encoding EAP methods that use NtPasswordHash 3705b9c547cSRui Paulo * reverted TLS certificate validation step change in v2.1 that rejected 3715b9c547cSRui Paulo any AAA server certificate with id-kp-clientAuth even if 
3725b9c547cSRui Paulo id-kp-serverAuth EKU was included 3735b9c547cSRui Paulo * fixed STA validation step for WPS ER commands to prevent a potential 3745b9c547cSRui Paulo crash if an ER sends an unexpected PutWLANResponse to a station that 3755b9c547cSRui Paulo is disassociated, but not fully removed 3765b9c547cSRui Paulo * enforce full EAP authentication after RADIUS Disconnect-Request by 3775b9c547cSRui Paulo removing the PMKSA cache entry 3785b9c547cSRui Paulo * added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address 3795b9c547cSRui Paulo in RADIUS Disconnect-Request 3805b9c547cSRui Paulo * added mechanism for removing addresses for MAC ACLs by prefixing an 3815b9c547cSRui Paulo entry with "-" 3825b9c547cSRui Paulo * Interworking/Hotspot 2.0 enhancements 3835b9c547cSRui Paulo - support Hotspot 2.0 Release 2 3845b9c547cSRui Paulo * OSEN network for online signup connection 3855b9c547cSRui Paulo * subscription remediation (based on RADIUS server request or 3865b9c547cSRui Paulo control interface HS20_WNM_NOTIF for testing purposes) 3875b9c547cSRui Paulo * Hotspot 2.0 release number indication in WFA RADIUS VSA 3885b9c547cSRui Paulo * deauthentication request (based on RADIUS server request or 3895b9c547cSRui Paulo control interface WNM_DEAUTH_REQ for testing purposes) 3905b9c547cSRui Paulo * Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent 3915b9c547cSRui Paulo * hs20_icon config parameter to configure icon files for OSU 3925b9c547cSRui Paulo * osu_* config parameters for OSU Providers list 3935b9c547cSRui Paulo - do not use Interworking filtering rules on Probe Request if 3945b9c547cSRui Paulo Interworking is disabled to avoid interop issues 3955b9c547cSRui Paulo * added/fixed nl80211 functionality 3965b9c547cSRui Paulo - AP interface teardown optimization 3975b9c547cSRui Paulo - support vendor specific driver command 3985b9c547cSRui Paulo (VENDOR <vendor id> <sub command id> [<hex formatted data>]) 3995b9c547cSRui Paulo * fixed 
PMF protection of Deauthentication frame when this is triggered 4005b9c547cSRui Paulo by session timeout 4015b9c547cSRui Paulo * internal TLS implementation enhancements/fixes 4025b9c547cSRui Paulo - add SHA256-based cipher suites 4035b9c547cSRui Paulo - add DHE-RSA cipher suites 4045b9c547cSRui Paulo - fix X.509 validation of PKCS#1 signature to check for extra data 4055b9c547cSRui Paulo * RADIUS server functionality 4065b9c547cSRui Paulo - add minimal RADIUS accounting server support (hostapd-as-server); 4075b9c547cSRui Paulo this is mainly to enable testing coverage with hwsim scripts 408c1d255d3SCy Schubert - allow authentication log to be written into SQLite database 4095b9c547cSRui Paulo - added option for TLS protocol testing of an EAP peer by simulating 4105b9c547cSRui Paulo various misbehaviors/known attacks 4115b9c547cSRui Paulo - MAC ACL support for testing purposes 4125b9c547cSRui Paulo * fixed PTK derivation for CCMP-256 and GCMP-256 4135b9c547cSRui Paulo * extended WPS per-station PSK to support ER case 4145b9c547cSRui Paulo * added option to configure the management group cipher 4155b9c547cSRui Paulo (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256, 4165b9c547cSRui Paulo BIP-CMAC-256) 4175b9c547cSRui Paulo * fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these 4185b9c547cSRui Paulo were rounded incorrectly) 4195b9c547cSRui Paulo * added support for postponing FT response in case PMK-R1 needs to be 4205b9c547cSRui Paulo pulled from R0KH 4215b9c547cSRui Paulo * added option to advertise 40 MHz intolerant HT capability with 4225b9c547cSRui Paulo ht_capab=[40-INTOLERANT] 4235b9c547cSRui Paulo * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled 4245b9c547cSRui Paulo whenever CONFIG_WPS=y is set 4255b9c547cSRui Paulo * EAP-pwd fixes 4265b9c547cSRui Paulo - fix possible segmentation fault on EAP method deinit if an invalid 4275b9c547cSRui Paulo group is negotiated 4285b9c547cSRui Paulo * fixed RADIUS client 
retransmit/failover behavior 4295b9c547cSRui Paulo - there was a potential ctash due to freed memory being accessed 4305b9c547cSRui Paulo - failover to a backup server mechanism did not work properly 4315b9c547cSRui Paulo * fixed a possible crash on double DISABLE command when multiple BSSes 4325b9c547cSRui Paulo are enabled 4335b9c547cSRui Paulo * fixed a memory leak in SAE random number generation 4345b9c547cSRui Paulo * fixed GTK rekeying when the station uses FT protocol 4355b9c547cSRui Paulo * fixed off-by-one bounds checking in printf_encode() 4365b9c547cSRui Paulo - this could result in deinial of service in some EAP server cases 4375b9c547cSRui Paulo * various bug fixes 4385b9c547cSRui Paulo 4395b9c547cSRui Paulo2014-02-04 - v2.1 4405b9c547cSRui Paulo * added support for simultaneous authentication of equals (SAE) for 4415b9c547cSRui Paulo stronger password-based authentication with WPA2-Personal 4425b9c547cSRui Paulo * added nl80211 functionality 4435b9c547cSRui Paulo - VHT configuration for nl80211 4445b9c547cSRui Paulo - support split wiphy dump 4455b9c547cSRui Paulo - driver-based MAC ACL 4465b9c547cSRui Paulo - QoS Mapping configuration 4475b9c547cSRui Paulo * added fully automated regression testing with mac80211_hwsim 4485b9c547cSRui Paulo * allow ctrl_iface group to be specified on command line (-G<group>) 4495b9c547cSRui Paulo * allow single hostapd process to control independent WPS interfaces 4505b9c547cSRui Paulo (wps_independent=1) instead of synchronized operations through all 4515b9c547cSRui Paulo configured interfaces within a process 4525b9c547cSRui Paulo * avoid processing received management frames multiple times when using 4535b9c547cSRui Paulo nl80211 with multiple BSSes 4545b9c547cSRui Paulo * added support for DFS (processing radar detection events, CAC, channel 4555b9c547cSRui Paulo re-selection) 4565b9c547cSRui Paulo * added EAP-EKE server 4575b9c547cSRui Paulo * added automatic channel selection (ACS) 4585b9c547cSRui Paulo * added 
option for using per-BSS (vif) configuration files with 4595b9c547cSRui Paulo -b<phyname>:<config file name> 4605b9c547cSRui Paulo * extended global control interface ADD/REMOVE commands to allow BSSes 4615b9c547cSRui Paulo of a radio to be removed individually without having to add/remove all 4625b9c547cSRui Paulo other BSSes of the radio at the same time 4635b9c547cSRui Paulo * added support for sending debug info to Linux tracing (-T on command 4645b9c547cSRui Paulo line) 4655b9c547cSRui Paulo * replace dump_file functionality with same information being available 4665b9c547cSRui Paulo through the hostapd control interface 4675b9c547cSRui Paulo * added support for using Protected Dual of Public Action frames for 4685b9c547cSRui Paulo GAS/ANQP exchanges when PMF is enabled 4695b9c547cSRui Paulo * added support for WPS+NFC updates 4705b9c547cSRui Paulo - improved protocol 4715b9c547cSRui Paulo - option to fetch and report alternative carrier records for external 4725b9c547cSRui Paulo NFC operations 4735b9c547cSRui Paulo * various bug fixes 4745b9c547cSRui Paulo 475f05cddf9SRui Paulo2013-01-12 - v2.0 476f05cddf9SRui Paulo * added AP-STA-DISCONNECTED ctrl_iface event 477f05cddf9SRui Paulo * improved debug logging (human readable event names, interface name 478f05cddf9SRui Paulo included in more entries) 479f05cddf9SRui Paulo * added number of small changes to make it easier for static analyzers 480f05cddf9SRui Paulo to understand the implementation 481f05cddf9SRui Paulo * added a workaround for Windows 7 Michael MIC failure reporting and 482f05cddf9SRui Paulo use of the Secure bit in EAPOL-Key msg 3/4 483f05cddf9SRui Paulo * fixed number of small bugs (see git logs for more details) 484f05cddf9SRui Paulo * changed OpenSSL to read full certificate chain from server_cert file 485f05cddf9SRui Paulo * nl80211: number of updates to use new cfg80211/nl80211 functionality 486f05cddf9SRui Paulo - replace monitor interface with nl80211 commands 487f05cddf9SRui Paulo - 
	    additional information for driver-based AP SME
	* EAP-pwd:
	  - fix KDF for group 21 and zero-padding
	  - added support for fragmentation
	  - increased maximum number of hunting-and-pecking iterations
	* avoid excessive Probe Response retries for broadcast Probe Request
	  frames (only with drivers using hostapd SME/MLME)
	* added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y)
	* fixed WPS operation stopping on dual concurrent AP
	* added wps_rf_bands configuration parameter for overriding RF Bands
	  value for WPS
	* added support for getting per-device PSK from RADIUS Tunnel-Password
	* added support for libnl 3.2 and newer
	* increased initial group key handshake retransmit timeout to 500 ms
	* added a workaround for 4-way handshake to update SNonce even after
	  having sent EAPOL-Key 3/4 to avoid issues with some supplicant
	  implementations that can change SNonce for each EAP-Key 2/4
	* added a workaround for EAPOL-Key 4/4 using incorrect type value in
	  WPA2 mode (some deployed stations use WPA type in that message)
	* added a WPS workaround for mixed mode AP Settings with Windows 7
	* changed WPS AP PIN disabling mechanism to disable the PIN after 10
	  consecutive failures in addition to using the exponential lockout
	  period
	* added support for WFA Hotspot 2.0
	  - GAS/ANQP advertisement of network information
	  - disable_dgaf parameter to disable downstream group-addressed
	    forwarding
	* simplified
	  licensing terms by selecting the BSD license as the only
	  alternative
	* EAP-SIM: fixed re-authentication not to update pseudonym
	* EAP-SIM: use Notification round before EAP-Failure
	* EAP-AKA: added support for AT_COUNTER_TOO_SMALL
	* EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized
	* EAP-AKA': fixed identity for MK derivation
	* EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this
	  breaks interoperability with older versions
	* EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id
	* changed ANonce to be a random number instead of Counter-based
	* added support for canceling WPS operations with hostapd_cli wps_cancel
	* fixed EAP/WPS to PSK transition on reassociation in cases where
	  deauthentication is missed
	* hlr_auc_gw enhancements:
	  - a new command line parameter -u can be used to enable updating of
	    SQN in Milenage file
	  - use 5 bit IND for SQN updates
	  - SQLite database can now be used to store Milenage information
	* EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms
	  and reauth data
	* added support for Chargeable-User-Identity (RFC 4372)
	* added radius_auth_req_attr and radius_acct_req_attr configuration
	  parameters to allow adding/overriding of RADIUS attributes in
	  Access-Request and Accounting-Request packets
	* added support for RADIUS dynamic authorization server (RFC 5176)
	* added initial support for WNM operations
	  - BSS
	    max idle period
	  - WNM-Sleep Mode
	* added new WPS NFC ctrl_iface mechanism
	  - removed obsoleted WPS_OOB command (including support for deprecated
	    UFD config_method)
	* added FT support for drivers that implement MLME internally
	* added SA Query support for drivers that implement MLME internally
	* removed default ACM=1 from AC_VO and AC_VI
	* changed VENDOR-TEST EAP method to use proper private enterprise number
	  (this will not interoperate with older versions)
	* added hostapd.conf parameter vendor_elements to allow arbitrary vendor
	  specific elements to be added to the Beacon and Probe Response frames
	* added support for configuring GCMP cipher for IEEE 802.11ad
	* added support for 256-bit AES with internal TLS implementation
	* changed EAPOL transmission to use AC_VO if WMM is active
	* fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length
	  correctly; invalid messages could have caused the hostapd process to
	  terminate before this fix [CVE-2012-4445]
	* limit number of active wildcard PINs for WPS Registrar to one to avoid
	  confusing behavior with multiple wildcard PINs
	* added a workaround for WPS PBC session overlap detection to avoid
	  interop issues with deployed station implementations that do not
	  remove active PBC indication from Probe Request frames properly
	* added support for using SQLite for the eap_user database
	* added Acct-Session-Id attribute into Access-Request messages
	* fixed EAPOL frame transmission to
	  non-QoS STAs with nl80211
	  (do not send QoS frames if the STA did not negotiate use of QoS for
	  this association)

2012-05-10 - v1.0
	* Add channel selection support in hostapd. See hostapd.conf.
	* Add support for IEEE 802.11v Time Advertisement mechanism with UTC
	  TSF offset. See hostapd.conf for config info.
	* Delay STA entry removal until Deauth/Disassoc TX status in AP mode.
	  This allows the driver to use PS buffering of Deauthentication and
	  Disassociation frames when the STA is in power save sleep. Only
	  available with drivers that provide TX status events for Deauth/
	  Disassoc frames (nl80211).
	* Allow PMKSA caching to be disabled on the Authenticator. See
	  hostapd.conf config parameter disable_pmksa_caching.
	* atheros: Add support for IEEE 802.11w configuration.
	* bsd: Add support for setting HT values in IFM_MMASK.
	* Allow client isolation to be configured with ap_isolate. Client
	  isolation can be used to prevent low-level bridging of frames
	  between associated stations in the BSS. By default, this bridging
	  is allowed.
	* Allow coexistence of HT BSSes with WEP/TKIP BSSes.
	* Add require_ht config parameter, which can be used to configure
	  hostapd to reject association with any station that does not support
	  HT PHY.
	* Add support for writing debug log to a file using "-f" option. Also
	  add relog CLI command to re-open the log file.
	* Add bridge handling for WDS STA interfaces.
	  By default they are
	  added to the configured bridge of the AP interface (if present),
	  but the user can also specify a separate bridge using cli command
	  wds_bridge.
	* hostapd_cli:
	  - Add wds_bridge command for specifying bridge for WDS STA
	    interfaces.
	  - Add relog command for reopening log file.
	  - Send AP-STA-DISCONNECTED event when an AP disconnects a station
	    due to inactivity.
	  - Add wps_config ctrl_interface command for configuring AP. This
	    command can be used to configure the AP using the internal WPS
	    registrar. It works in the same way as new AP settings received
	    from an ER.
	  - Many WPS/WPS ER commands - see WPS/WPS ER sections for details.
	  - Add command get version, that returns hostapd version string.
	* WNM: Add BSS Transition Management Request for ESS Disassoc Imminent.
	  Use hostapd_cli ess_disassoc (STA addr) (URL) to send the
	  notification to the STA.
	* Allow AP mode to disconnect STAs based on low ACK condition (when
	  the data connection is not working properly, e.g., due to the STA
	  going outside the range of the AP). Disabled by default, enable by
	  config option disassoc_low_ack.
	* Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad
	  config file.
	* WPS:
	  - Send AP Settings as a wrapped Credential attribute to ctrl_iface
	    in WPS-NEW-AP-SETTINGS.
	  - Dispatch more WPS events through hostapd ctrl_iface.
	  - Add mechanism for indicating non-standard WPS errors.
	  - Change concurrent radio AP to use only one WPS UPnP instance.
	  - Add wps_check_pin command for processing PIN from user input.
	    UIs can use this command to process a PIN entered by a user and to
	    validate the checksum digit (if present).
	  - Add hostapd_cli get_config command to display current AP config.
	  - Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at
	    runtime and support dynamic AP PIN management.
	  - Disable AP PIN after 10 consecutive failures. Slow down attacks
	    on failures up to 10.
	  - Allow AP to start in Enrollee mode without AP PIN for probing,
	    to be compatible with Windows 7.
	  - Add Config Error into WPS-FAIL events to provide more info
	    to the user on how to resolve the issue.
	  - When controlling multiple interfaces:
	    - apply WPS commands to all interfaces configured to use WPS
	    - apply WPS config changes to all interfaces that use WPS
	    - when an attack is detected on any interface, disable AP PIN on
	      all interfaces
	* WPS ER:
	  - Show SetSelectedRegistrar events as ctrl_iface events.
	  - Add special AP Setup Locked mode to allow read only ER.
	    ap_setup_locked=2 can now be used to enable a special mode where
	    WPS ER can learn the current AP settings, but cannot change them.
	* WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2)
	  - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool
	    for testing protocol extensibility.
	  - Add build option CONFIG_WPS_STRICT to allow disabling of WPS
	    workarounds.
	  - Add support for AuthorizedMACs attribute.
	* TDLS:
	  - Allow TDLS use or TDLS channel switching in the BSS to be
	    prohibited in the BSS, using config params tdls_prohibit and
	    tdls_prohibit_chan_switch.
	* EAP server: Add support for configuring fragment size (see
	  fragment_size in hostapd.conf).
	* wlantest: Add a tool wlantest for IEEE802.11 protocol testing.
	  wlantest can be used to capture frames from a monitor interface
	  for realtime capturing or from pcap files for offline analysis.
	* Interworking: Support added for 802.11u. Enable in .config with
	  CONFIG_INTERWORKING. See hostapd.conf for config parameters for
	  interworking.
	* Android: Add build and runtime support for Android hostapd.
	* Add a new debug message level for excessive information. Use
	  -ddd to enable.
	* TLS: Add support for tls_disable_time_checks=1 in client mode.
	* Internal TLS:
	  - Add support for TLS v1.1 (RFC 4346). Enable with build parameter
	    CONFIG_TLSV11.
	  - Add domainComponent parser for X.509 names
	* Reorder some IEs to get closer to IEEE 802.11 standard. Move
	  WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames.
	  Move HT IEs to be later in (Re)Assoc Resp.
	* Many bugfixes.

2010-04-18 - v0.7.2
	* fix WPS internal Registrar use when an external Registrar is also
	  active
	* bsd: Cleaned up driver wrapper and added various low-level
	  configuration options
	* TNC: fixed issues with fragmentation
	* EAP-TNC: add Flags field into fragment acknowledgement (needed to
	  interoperate with other implementations; may potentially break
	  compatibility with older wpa_supplicant/hostapd versions)
	* cleaned up driver wrapper API for multi-BSS operations
	* nl80211: fix multi-BSS and VLAN operations
	* fix a number of issues with IEEE 802.11r/FT; this version is not
	  backwards compatible with old versions
	* add SA Query Request processing in AP mode (IEEE 802.11w)
	* fix IGTK PN in group rekeying (IEEE 802.11w)
	* fix WPS PBC session overlap detection to use correct attribute
	* hostapd_notif_Assoc() can now be called with all IEs to simplify
	  driver wrappers
	* work around interoperability issue with some WPS External Registrar
	  implementations
	* nl80211: fix WPS IE update
	* hostapd_cli: add support for action script operations (run a script
	  on hostapd events)
	* fix DH padding with internal crypto code (mainly, for WPS)
	* fix WPS association with both WPS IE and WPA/RSN IE present with
	  driver wrappers that use hostapd MLME (e.g., nl80211)

2010-01-16 - v0.7.1
	* cleaned up driver wrapper API (struct wpa_driver_ops); the new
	  API is not fully backwards compatible, so out-of-tree driver wrappers
	  will need modifications
	* cleaned up various module interfaces
	* merge hostapd and wpa_supplicant developers' documentation into a
	  single document
	* fixed HT Capabilities IE with nl80211 drivers
	* moved generic AP functionality code into src/ap
	* WPS: handle Selected Registrar as union of info from all Registrars
	* remove obsolete Prism54.org driver wrapper
	* added internal debugging mechanism with backtrace support and memory
	  allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y)
	* EAP-FAST server: piggyback Phase 2 start with the end of Phase 1
	* WPS: add support for dynamically selecting whether to provision the
	  PSK as an ASCII passphrase or PSK
	* added support for WDS (4-address frame) mode with per-station virtual
	  interfaces (wds_sta=1 in config file; only supported with
	  driver=nl80211 for now)
	* fixed WPS Probe Request processing to handle missing required
	  attribute
	* fixed PKCS#12 use with OpenSSL 1.0.0
	* detect bridge interface automatically so that bridge parameter in
	  hostapd.conf becomes optional (though, it may now be used to
	  automatically add the WLAN interface into a bridge with
	  driver=nl80211)

2009-11-21 - v0.7.0
	* increased hostapd_cli ping interval to 5 seconds and made this
	  configurable with a new command line option (-G<seconds>)
	*
	  driver_nl80211: use Linux socket filter to improve performance
	* added support for external Registrars with WPS (UPnP transport)
	* 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel
	* driver_nl80211: fixed STA accounting data collection (TX/RX bytes
	  reported correctly; TX/RX packets not yet available from kernel)
	* added support for WPS USBA out-of-band mechanism with USB Flash
	  Drives (UFD) (CONFIG_WPS_UFD=y)
	* fixed EAPOL/EAP reauthentication when using an external RADIUS
	  authentication server
	* fixed TNC with EAP-TTLS
	* fixed IEEE 802.11r key derivation function to match with the standard
	  (note: this breaks interoperability with previous version) [Bug 303]
	* fixed SHA-256 based key derivation function to match with the
	  standard when using CCMP (for IEEE 802.11r and IEEE 802.11w)
	  (note: this breaks interoperability with previous version) [Bug 307]
	* added a number of code size optimizations to remove unnecessary
	  functionality from the program binary based on build configuration
	  (part of this automatic; part configurable with CONFIG_NO_* build
	  options)
	* use shared driver wrapper files with wpa_supplicant
	* driver_nl80211: multiple updates to provide support for new Linux
	  nl80211/mac80211 functionality
	* updated management frame protection to use IEEE Std 802.11w-2009
	* fixed a number of small WPS issues and added workarounds to
	  interoperate with common deployed broken implementations
	* added some IEEE
	  802.11n co-existence rules to disable 40 MHz channels
	  or modify primary/secondary channels if needed based on neighboring
	  networks
	* added support for NFC out-of-band mechanism with WPS
	* added preliminary support for IEEE 802.11r RIC processing

2009-01-06 - v0.6.7
	* added support for Wi-Fi Protected Setup (WPS)
	  (hostapd can now be configured to act as an integrated WPS Registrar
	  and provision credentials for WPS Enrollees using PIN and PBC
	  methods; external wireless Registrar can configure the AP, but
	  external WLAN Manager Registrars are not supported); WPS support can
	  be enabled by adding CONFIG_WPS=y into .config and setting the
	  runtime configuration variables in hostapd.conf (see WPS section in
	  the example configuration file); new hostapd_cli commands wps_pin and
	  wps_pbc are used to configure WPS negotiation; see README-WPS for
	  more details
	* added IEEE 802.11n HT capability configuration (ht_capab)
	* added support for generating Country IE based on nl80211 regulatory
	  information (added if ieee80211d=1 in configuration)
	* fixed WEP authentication (both Open System and Shared Key) with
	  mac80211
	* added support for EAP-AKA' (draft-arkko-eap-aka-kdf)
	* added support for using driver_test over UDP socket
	* changed EAP-GPSK to use the IANA assigned EAP method type 51
	* updated management frame protection to use IEEE 802.11w/D7.0
	* fixed retransmission of EAP
	  requests if no response is received

2008-11-23 - v0.6.6
	* added a new configuration option, wpa_ptk_rekey, that can be used to
	  enforce frequent PTK rekeying, e.g., to mitigate some attacks against
	  TKIP deficiencies
	* updated OpenSSL code for EAP-FAST to use an updated version of the
	  session ticket overriding API that was included into the upstream
	  OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
	  needed with that version anymore)
	* changed channel flags configuration to read the information from
	  the driver (e.g., via driver_nl80211 when using mac80211) instead of
	  using hostapd as the source of the regulatory information (i.e.,
	  information from CRDA is now used with mac80211); this allows 5 GHz
	  channels to be used with hostapd (if allowed in the current
	  regulatory domain)
	* fixed EAP-TLS message processing for the last TLS message if it is
	  large enough to require fragmentation (e.g., if a large Session
	  Ticket data is included)
	* fixed listen interval configuration for nl80211 drivers

2008-11-01 - v0.6.5
	* added support for SHA-256 as X.509 certificate digest when using the
	  internal X.509/TLSv1 implementation
	* fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer
	  identity lengths)
	* fixed internal TLSv1 implementation for abbreviated handshake (used
	  by EAP-FAST server)
	* added
	  support for setting VLAN ID for STAs based on local MAC ACL
	  (accept_mac_file) as an alternative for RADIUS server-based
	  configuration
	* updated management frame protection to use IEEE 802.11w/D6.0
	  (adds a new association ping to protect against unauthenticated
	  authenticate or (re)associate request frames dropping association)
	* added support for using SHA256-based stronger key derivation for WPA2
	  (IEEE 802.11w)
	* added new "driver wrapper" for RADIUS-only configuration
	  (driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config)
	* fixed WPA/RSN IE validation to verify that the proto (WPA vs. WPA2)
	  is enabled in configuration
	* changed EAP-FAST configuration to use separate fields for A-ID and
	  A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed
	  16-octet len binary value for better interoperability with some peer
	  implementations; eap_fast_a_id is now configured as a hex string
	* driver_nl80211: Updated to match the current Linux mac80211 AP mode
	  configuration (wireless-testing.git and Linux kernel releases
	  starting from 2.6.29)

2008-08-10 - v0.6.4
	* added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
	  Identity Request if identity is already known
	* added support for EAP Sequences in EAP-FAST Phase 2
	* added support for EAP-TNC (Trusted Network Connect)
	  (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST
	  changes needed
	  to run two methods in sequence (IF-T) and the IF-IMV
	  and IF-TNCCS interfaces from TNCS)
	* added support for optional cryptobinding with PEAPv0
	* added fragmentation support for EAP-TNC
	* added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled)
	  data
	* added support for opportunistic key caching (OKC)

2008-02-22 - v0.6.3
	* fixed Reassociation Response callback processing when using internal
	  MLME (driver_{hostap,nl80211,test}.c)
	* updated FT support to use the latest draft, IEEE 802.11r/D9.0
	* copy optional Proxy-State attributes into RADIUS response when acting
	  as a RADIUS authentication server
	* fixed EAPOL state machine to handle a case in which no response is
	  received from the RADIUS authentication server; previous version
	  could have triggered a crash in some cases after a timeout
	* fixed EAP-SIM/AKA realm processing to allow decorated usernames to
	  be used
	* added a workaround for EAP-SIM/AKA peers that include incorrect null
	  termination in the username
	* fixed EAP-SIM/AKA protected result indication to include AT_COUNTER
	  attribute in notification messages only when using fast
	  reauthentication
	* fixed EAP-SIM Start response processing for fast reauthentication
	  case
	* added support for pending EAP processing in EAP-{PEAP,TTLS,FAST}
	  phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method

2008-01-01 - v0.6.2
	* fixed EAP-SIM and EAP-AKA message parser to validate attribute
	  lengths properly to avoid potential crash caused by invalid messages
	* added data structure for storing allocated buffers (struct wpabuf);
	  this does not affect hostapd usage, but many of the APIs changed
	  and various interfaces (e.g., EAP) are not compatible with old
	  versions
	* added support for protecting EAP-AKA/Identity messages with
	  AT_CHECKCODE (optional feature in RFC 4187)
	* added support for protected result indication with AT_RESULT_IND for
	  EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1)
	* added support for configuring EAP-TTLS phase 2 non-EAP methods in
	  EAP server configuration; previously all four were enabled for every
	  phase 2 user, now all four are disabled by default and need to be
	  enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP,
	  TTLS-MSCHAPV2
	* removed old debug printing mechanism and the related 'debug'
	  parameter in the configuration file; debug verbosity is now set with
	  -d (or -dd) command line arguments
	* added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt);
	  only shared key/password authentication is supported in this version

2007-11-24 - v0.6.1
	* added experimental, integrated TLSv1 server implementation with the
	  needed X.509/ASN.1/RSA/bignum processing (this can be enabled by
	  setting CONFIG_TLS=internal and
	  CONFIG_INTERNAL_LIBTOMMATH=y in
	  .config); this can be useful, e.g., if the target system does not
	  have a suitable TLS library and a minimal code size is required
	* added support for EAP-FAST server method to the integrated EAP
	  server
	* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
	  draft (draft-ietf-emu-eap-gpsk-07.txt)
	* added a new configuration parameter, rsn_pairwise, to allow different
	  pairwise cipher suites to be enabled for WPA and RSN/WPA2
	  (note: if wpa_pairwise differs from rsn_pairwise, the driver will
	  either need to support this or will have to use the WPA/RSN IEs from
	  hostapd; currently, the included madwifi and bsd driver interfaces do
	  not have support for this)
	* updated FT support to use the latest draft, IEEE 802.11r/D8.0

2007-05-28 - v0.6.0
	* added experimental IEEE 802.11r/D6.0 support
	* updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
	* updated EAP-PSK to use the IANA-allocated EAP type 47
	* fixed EAP-PSK bit ordering of the Flags field
	* fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs
	  by reading wpa_psk_file [Bug 181]
	* fixed EAP-TTLS AVP parser processing for too short AVP lengths
	* fixed IPv6 connection to RADIUS accounting server
	* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
	  draft (draft-ietf-emu-eap-gpsk-04.txt)
	* hlr_auc_gw: read GSM triplet file into
	  memory and rotate through the
	  entries instead of only using the same three triplets every time
	  (this does not work properly with tests using multiple clients, but
	  provides a bit better triplet data for testing a single client; anyway,
	  if better quality triplets are needed, GSM-Milenage should be used
	  instead of hardcoded triplet file)
	* fixed EAP-MSCHAPv2 server to use a space between S and M parameters
	  in Success Request [Bug 203]
	* added support for sending EAP-AKA Notifications in error cases
	* updated to use IEEE 802.11w/D2.0 for management frame protection
	  (still experimental)
	* RADIUS server: added support for processing duplicate messages
	  (retransmissions from RADIUS client) by replying with the previous
	  reply

2006-11-24 - v0.5.6
	* added support for configuring and controlling multiple BSSes per
	  radio interface (bss=<ifname> in hostapd.conf); this is only
	  available with Devicescape and test driver interfaces
	* fixed PMKSA cache update in the end of successful RSN
	  pre-authentication
	* added support for dynamic VLAN configuration (i.e., selecting VLAN-ID
	  for each STA based on RADIUS Access-Accept attributes); this requires
	  VLAN support from the kernel driver/802.11 stack and this is
	  currently only available with Devicescape and test driver interfaces
	* driver_madwifi: fixed configuration of unencrypted modes (plaintext
	  and IEEE 802.1X without WEP)
	* removed STAKey handshake since PeerKey handshake has replaced it in
	  IEEE 802.11ma and there are no known deployments of STAKey
	* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
	  draft (draft-ietf-emu-eap-gpsk-01.txt)
	* added preliminary implementation of IEEE 802.11w/D1.0 (management
	  frame protection)
	  (Note: this requires driver support to work properly.)
	  (Note2: IEEE 802.11w is an unapproved draft and subject to change.)
	* hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM)
	* hlr_auc_gw: added support for reading per-IMSI Milenage keys and
	  parameters from a text file to make it possible to implement proper
	  GSM/UMTS authentication server for multiple SIM/USIM cards using
	  EAP-SIM/EAP-AKA
	* fixed session timeout processing with drivers that do not use
	  ieee802_11.c (e.g., madwifi)

2006-08-27 - v0.5.5
	* added 'hostapd_cli new_sta <addr>' command for adding a new STA into
	  hostapd (e.g., to initialize wired network authentication based on an
	  external signal)
	* fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when
	  using WPA2 even if PMKSA caching is not used
	* added -P<pid file> argument for hostapd to write the current process
	  id into a file
	* added support for RADIUS Authentication Server MIB (RFC 2619)

2006-06-20 - v0.5.4
	* fixed nt_password_hash build [Bug 144]
	* added PeerKey handshake implementation for IEEE 802.11e
	  direct link setup (DLS) to replace STAKey handshake
	* added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
	  draft-clancy-emu-eap-shared-secret-00.txt)
	* fixed a segmentation fault when RSN pre-authentication was completed
	  successfully [Bug 152]

2006-04-27 - v0.5.3
	* do not build nt_password_hash and hlr_auc_gw by default to avoid
	  requiring a TLS library for a successful build; these programs can be
	  built with 'make nt_password_hash' and 'make hlr_auc_gw'
	* added a new configuration option, eapol_version, that can be used to
	  set EAPOL version to 1 (default is 2) to work around broken client
	  implementations that drop EAPOL frames which use version number 2
	  [Bug 89]
	* added support for EAP-SAKE (no EAP method number allocated yet, so
	  this is using the same experimental type 255 as EAP-PSK)
	* fixed EAP-MSCHAPv2 message length validation

2006-03-19 - v0.5.2
	* fixed stdarg use in hostapd_logger(): if both stdout and syslog
	  logging were enabled, hostapd could trigger a segmentation fault in
	  vsyslog on some CPU -- C library combinations
	* moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external
	  program to make it easier to use for implementing real SS7 gateway;
	  eap_sim_db is no longer used as a file name for GSM authentication
	  triplets; instead, it is the path to a
	  UNIX domain socket that will be used
	  to communicate with the external gateway program (e.g., hlr_auc_gw)
	* added example HLR/AuC gateway implementation, hlr_auc_gw, that uses
	  local information (GSM authentication triplets from a text file and
	  hardcoded AKA authentication data); this can be used to test EAP-SIM
	  and EAP-AKA
	* added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw
	  to make it possible to test EAP-AKA with real USIM cards (this is
	  disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw
	  to enable this)
	* driver_madwifi: added support for getting station RSN IE from
	  madwifi-ng svn r1453 and newer; this fixes RSN that was apparently
	  broken with earlier change (r1357) in the driver
	* changed EAP method registration to use a dynamic list of methods
	  instead of a static list generated at build time
	* fixed WPA message 3/4 not to encrypt Key Data field (WPA IE)
	  [Bug 125]
	* added ap_max_inactivity configuration parameter

2006-01-29 - v0.5.1
	* driver_test: added better support for multiple APs and STAs by using
	  a directory with sockets that include MAC address for each device in
	  the name (test_socket=DIR:/tmp/test)
	* added support for EAP expanded type (vendor specific EAP methods)

2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
	* added experimental STAKey handshake implementation for
	  IEEE 802.11e
	  direct link setup (DLS); note: this is disabled by default in both
	  build and runtime configuration (can be enabled with CONFIG_STAKEY=y
	  and stakey=1)
	* added support for EAP methods to use callbacks to external programs
	  by buffering a pending request and processing it after the EAP method
	  is ready to continue
	* improved EAP-SIM database interface to allow external request to GSM
	  HLR/AuC without blocking hostapd process
	* added support for using EAP-SIM pseudonyms and fast re-authentication
	* added support for EAP-AKA in the integrated EAP authenticator
	* added support for matching EAP identity prefixes (e.g., "1"*) in EAP
	  user database to allow EAP-SIM/AKA selection without extra roundtrip
	  for EAP-Nak negotiation
	* added support for storing EAP user password as NtPasswordHash instead
	  of plaintext password when using MSCHAP or MSCHAPv2 for
	  authentication (hash:<16-octet hex value>); added nt_password_hash
	  tool for hashing password to generate NtPasswordHash

2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
	* driver_wired: fixed EAPOL sending to optionally use PAE group address
	  as the destination instead of supplicant MAC address; this is
	  disabled by default, but should be enabled with use_pae_group_addr=1
	  in configuration file if the wired interface is used by only one
	  device at the time (common switch configuration)
	* driver_madwifi:
	  configure driver to use TKIP countermeasures in order
	  to get correct behavior (IEEE 802.11 association failing; previously,
	  association succeeded, but hostapd forced disassociation immediately)
	* driver_madwifi: added support for madwifi-ng

2005-10-27 - v0.4.6
	* added support for replacing user identity from EAP with RADIUS
	  User-Name attribute from Access-Accept message, if that is included,
	  for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get
	  tunneled identity into accounting messages when the RADIUS server
	  does not support better way of doing this with Class attribute)
	* driver_madwifi: fixed EAPOL packet receive for configuration where
	  ath# is part of a bridge interface
	* added a configuration file and log analyzer script for logwatch
	* fixed EAPOL state machine step function to process all state
	  transitions before processing new events; this resolves a race
	  condition in which EAPOL-Start message could trigger hostapd to send
	  two EAP-Response/Identity frames to the authentication server

2005-09-25 - v0.4.5
	* added client CA list to the TLS certificate request in order to make
	  it easier for the client to select which certificate to use
	* added experimental support for EAP-PSK
	* added support for WE-19 (hostap, madwifi)

2005-08-21 - v0.4.4
	* fixed build without CONFIG_RSN_PREAUTH
	* fixed FreeBSD build

2005-06-26 - v0.4.3
	* fixed PMKSA caching to copy User-Name and Class attributes so that
	  RADIUS accounting gets correct information
	* start RADIUS accounting only after successful completion of WPA
	  4-Way Handshake if WPA-PSK is used
	* fixed PMKSA caching for the case where STA (re)associates without
	  first disassociating

2005-06-12 - v0.4.2
	* EAP-PAX is now registered as EAP type 46
	* fixed EAP-PAX MAC calculation
	* fixed EAP-PAX CK and ICK key derivation
	* renamed eap_authenticator configuration variable to eap_server to
	  better match with RFC 3748 (EAP) terminology
	* driver_test: added support for testing hostapd with wpa_supplicant
	  by using test driver interface without any kernel drivers or network
	  cards

2005-05-22 - v0.4.1
	* fixed RADIUS server initialization when only auth or acct server
	  is configured and the other one is left empty
	* driver_madwifi: added support for RADIUS accounting
	* driver_madwifi: added preliminary support for compiling against 'BSD'
	  branch of madwifi CVS tree
	* driver_madwifi: fixed pairwise key removal to allow WPA reauth
	  without disassociation
	* added support for reading additional certificates from PKCS#12 files
	  and adding them to the certificate chain
	* fixed RADIUS Class attribute
	  processing to only use Access-Accept
	  packets to update Class; previously, other RADIUS authentication
	  packets could have cleared Class attribute
	* added support for more than one Class attribute in RADIUS packets
	* added support for verifying certificate revocation list (CRL) when
	  using integrated EAP authenticator for EAP-TLS; new hostapd.conf
	  options 'check_crl'; CRL must be included in the ca_cert file for now

2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
	* added support for including network information into
	  EAP-Request/Identity message (ASCII-0 (nul) in eap_message)
	  (e.g., to implement draft-adrange-eap-network-discovery-07.txt)
	* fixed a bug which caused some RSN pre-authentication cases to use
	  freed memory and potentially crash hostapd
	* fixed private key loading for cases where passphrase is not set
	* added support for sending TLS alerts and aborting authentication
	  when receiving a TLS alert
	* fixed WPA2 to add PMKSA cache entry when using integrated EAP
	  authenticator
	* fixed PMKSA caching (EAP authentication was not skipped correctly
	  with the new state machine changes from IEEE 802.1X draft)
	* added support for RADIUS over IPv6; own_ip_addr, auth_server_addr,
	  and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs
	  to be added to .config to include IPv6 support); for RADIUS server,
	  radius_server_ipv6=1 needs to be set in hostapd.conf and
	  addresses
	  in RADIUS clients file can then use IPv6 format
	* added experimental support for EAP-PAX
	* replaced hostapd control interface library (hostapd_ctrl.[ch]) with
	  the same implementation that wpa_supplicant is using (wpa_ctrl.[ch])

2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)

2005-01-23 - v0.3.5
	* added support for configuring a forced PEAP version based on the
	  Phase 1 identity
	* fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV
	  to terminate authentication
	* fixed EAP identifier duplicate processing with the new IEEE 802.1X
	  draft
	* clear accounting data in the driver when starting a new accounting
	  session
	* driver_madwifi: filter wireless events based on ifindex to allow more
	  than one network interface to be used
	* fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt
	  setting if the packet does not pass MIC verification (e.g., due to
	  incorrect PSK); previously, message 1/4 was not tried again if an
	  invalid message 2/4 was received
	* fixed reconfiguration of RADIUS client retransmission timer when
	  adding a new message to the pending list; previously, timer was not
	  updated at this point and if there was a pending message with long
	  time for the next retry, the new message needed to wait that long for
	  its first retry, too

2005-01-09 - v0.3.4
	* added support for configuring multiple allowed EAP types for Phase 2
	  authentication (EAP-PEAP, EAP-TTLS)
	* fixed EAPOL-Start processing to trigger WPA reauthentication
	  (previously, only EAPOL authentication was done)

2005-01-02 - v0.3.3
	* added support for EAP-PEAP in the integrated EAP authenticator
	* added support for EAP-GTC in the integrated EAP authenticator
	* added support for configuring list of EAP methods for Phase 1 so that
	  the integrated EAP authenticator can, e.g., use the wildcard entry
	  for EAP-TLS and EAP-PEAP
	* added support for EAP-TTLS in the integrated EAP authenticator
	* added support for EAP-SIM in the integrated EAP authenticator
	* added support for using hostapd as a RADIUS authentication server
	  with the integrated EAP authenticator taking care of EAP
	  authentication (new hostapd.conf options: radius_server_clients and
	  radius_server_auth_port); this is not included in default build; use
	  CONFIG_RADIUS_SERVER=y in .config to include

2004-12-19 - v0.3.2
	* removed 'daemonize' configuration file option since it has not really
	  been used at all for more than a year
	* driver_madwifi: fixed group key setup and added get_ssid method
	* added support for EAP-MSCHAPv2 in the integrated EAP authenticator

2004-12-12 - v0.3.1
	* added support for integrated
	  EAP-TLS authentication (new hostapd.conf
	  variables: ca_cert, server_cert, private_key, private_key_passwd);
	  this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without
	  external RADIUS server
	* added support for reading PKCS#12 (PFX) files (as a replacement for
	  PEM/DER) to get certificate and private key (CONFIG_PKCS12)

2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
	* added support for Acct-{Input,Output}-Gigawords
	* added support for Event-Timestamp (in RADIUS Accounting-Requests)
	* added support for RADIUS Authentication Client MIB (RFC2618)
	* added support for RADIUS Accounting Client MIB (RFC2620)
	* made EAP re-authentication period configurable (eap_reauth_period)
	* fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication
	* fixed EAPOL state machine to stop if STA is removed during
	  eapol_sm_step(); this fixes at least one segfault triggering bug with
	  IEEE 802.11i pre-authentication
	* added support for multiple WPA pre-shared keys (e.g., one for each
	  client MAC address or keys shared by a group of clients);
	  new hostapd.conf field wpa_psk_file for setting path to a text file
	  containing PSKs, see hostapd.wpa_psk for an example
	* added support for multiple driver interfaces to allow hostapd to be
	  used with other drivers
	* added wired authenticator driver interface (driver=wired in
	  hostapd.conf, see wired.conf for example configuration)
	* added madwifi driver interface (driver=madwifi in hostapd.conf, see
	  madwifi.conf for example configuration; Note: include files from
	  madwifi project are needed for building and a configuration file,
	  .config, needs to be created in hostapd directory with
	  CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd
	  build)
	* fixed an alignment issue that could cause SHA-1 to fail on some
	  platforms (e.g., Intel ixp425 with a compiler that does not 32-bit
	  align variables)
	* fixed RADIUS reconnection after an error in sending interim
	  accounting packets
	* added hostapd control interface for external programs and an example
	  CLI, hostapd_cli (like wpa_cli for wpa_supplicant)
	* started adding dot11, dot1x, radius MIBs ('hostapd_cli mib',
	  'hostapd_cli sta <addr>')
	* finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11)
	* added support for strict GTK rekeying (wpa_strict_rekey in
	  hostapd.conf)
	* updated IAPP to use UDP port 3517 and multicast address 224.0.1.178
	  (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to
	  IEEE 802.11F-2003)
	* added Prism54 driver interface (driver=prism54 in hostapd.conf;
	  note: .config needs to be created in hostapd directory with
	  CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd
	  build)
	* dual-licensed hostapd (GPLv2 and BSD licenses)
	* fixed RADIUS accounting to generate a new session id for cases where
	  a station reassociates without first being completely deauthenticated
	* fixed STA disassociation handler to mark next timeout state to
	  deauthenticate the station, i.e., skip long wait for inactivity poll
	  and extra disassociation, if the STA disassociates without
	  deauthenticating
	* added integrated EAP authenticator that can be used instead of
	  external RADIUS authentication server; currently, only EAP-MD5 is
	  supported, so this cannot yet be used for key distribution; the EAP
	  method interface is generic, though, so adding new EAP methods should
	  be straightforward; new hostapd.conf variables: 'eap_authenticator'
	  and 'eap_user_file'; this obsoletes "minimal authentication server"
	  ('minimal_eap' in hostapd.conf) which is now removed
	* added support for FreeBSD and driver interface for the BSD net80211
	  layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in
	  .config); please note that some of the required kernel mods have not
	  yet been committed

2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
	* fixed some accounting cases where Accounting-Start was sent when
	  IEEE 802.1X port was being deauthorized

2004-06-20 - v0.2.3
	* modified RADIUS client to re-connect the socket in case of certain
	  error codes that are generated when a network interface state is
	  changed (e.g., when IP address
	  changes or the interface is set UP)
	* fixed a couple of cases where EAPOL state for a station was freed
	  twice causing a segfault for hostapd
	* fixed a couple of bugs in processing WPA deauthentication (freed data
	  was used)

2004-05-31 - v0.2.2
	* fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM)
	* fixed group rekeying to send zero TSC in EAPOL-Key messages to fix
	  cases where STAs dropped multicast frames as replay attacks
	* added support for copying RADIUS Attribute 'Class' from
	  authentication messages into accounting messages
	* send canned EAP failure if RADIUS server sends Access-Reject without
	  EAP message (previously, Supplicant was not notified in this case)
	* fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do
	  not start EAPOL state machines if the STA selected to use WPA-PSK)

2004-05-06 - v0.2.1
	* added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality
	  - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA
	    (i.e., IEEE 802.11i/D3.0)
	  - supports WPA-only, RSN-only, and mixed WPA/RSN mode
	  - both WPA-PSK and WPA-RADIUS/EAP are supported
	  - PMKSA caching and pre-authentication
	  - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase,
	    wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey,
	    rsn_preauth, rsn_preauth_interfaces
	* fixed interim accounting to
	  remove any pending accounting messages
	  to the STA before sending a new one

2004-02-15 - v0.2.0
	* added support for Acct-Interim-Interval:
	  - draft-ietf-radius-acct-interim-01.txt
	  - use Acct-Interim-Interval attribute from Access-Accept if local
	    'radius_acct_interim_interval' is not set
	  - allow different update intervals for each STA
	* fixed event loop to call signal handlers only after returning from
	  the real signal handler
	* reset sta->timeout_next after successful association to make sure
	  that the previously registered inactivity timer will not remove the
	  STA immediately (e.g., if STA deauthenticates and re-associates
	  before the timer is triggered).
	* added new hostapd.conf variable, nas_identifier, that can be used to
	  add an optional RADIUS Attribute, NAS-Identifier, into authentication
	  and accounting messages
	* added support for Accounting-On and Accounting-Off messages
	* fixed accounting session handling to send Accounting-Start only once
	  per session and not to send Accounting-Stop if the session was not
	  initialized properly
	* fixed Accounting-Stop statistics in cases where the message was
	  previously sent after the kernel entry for the STA (and/or IEEE
	  802.1X data) was removed


Note:

Older changes up to and including v0.1.0 are included in the ChangeLog
of the Host AP driver.