| ChangeLog for hostapd |
| |
| 2013-01-12 - v2.0 |
| * added AP-STA-DISCONNECTED ctrl_iface event |
| * improved debug logging (human readable event names, interface name |
| included in more entries) |
| * added number of small changes to make it easier for static analyzers |
| to understand the implementation |
| * added a workaround for Windows 7 Michael MIC failure reporting and |
| use of the Secure bit in EAPOL-Key msg 3/4 |
| * fixed number of small bugs (see git logs for more details) |
| * changed OpenSSL to read full certificate chain from server_cert file |
| * nl80211: number of updates to use new cfg80211/nl80211 functionality |
| - replace monitor interface with nl80211 commands |
| - additional information for driver-based AP SME |
| * EAP-pwd: |
| - fix KDF for group 21 and zero-padding |
| - added support for fragmentation |
| - increased maximum number of hunting-and-pecking iterations |
| * avoid excessive Probe Response retries for broadcast Probe Request |
| frames (only with drivers using hostapd SME/MLME) |
| * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y) |
| * fixed WPS operation stopping on dual concurrent AP |
| * added wps_rf_bands configuration parameter for overriding RF Bands |
| value for WPS |
| * added support for getting per-device PSK from RADIUS Tunnel-Password |
| * added support for libnl 3.2 and newer |
| * increased initial group key handshake retransmit timeout to 500 ms |
| * added a workaround for 4-way handshake to update SNonce even after |
| having sent EAPOL-Key 3/4 to avoid issues with some supplicant |
| implementations that can change SNonce for each EAP-Key 2/4 |
| * added a workaround for EAPOL-Key 4/4 using incorrect type value in |
| WPA2 mode (some deployed stations use WPA type in that message) |
| * added a WPS workaround for mixed mode AP Settings with Windows 7 |
| * changed WPS AP PIN disabling mechanism to disable the PIN after 10 |
| consecutive failures in addition to using the exponential lockout |
| period |
| * added support for WFA Hotspot 2.0 |
| - GAS/ANQP advertisement of network information |
| - disable_dgaf parameter to disable downstream group-addressed |
| forwarding |
| * simplified licensing terms by selecting the BSD license as the only |
| alternative |
| * EAP-SIM: fixed re-authentication not to update pseudonym |
| * EAP-SIM: use Notification round before EAP-Failure |
| * EAP-AKA: added support for AT_COUNTER_TOO_SMALL |
| * EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized |
| * EAP-AKA': fixed identity for MK derivation |
| * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this |
| breaks interoperability with older versions |
| * EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id |
| * changed ANonce to be a random number instead of Counter-based |
| * added support for canceling WPS operations with hostapd_cli wps_cancel |
| * fixed EAP/WPS to PSK transition on reassociation in cases where |
| deauthentication is missed |
| * hlr_auc_gw enhancements: |
| - a new command line parameter -u can be used to enable updating of |
| SQN in Milenage file |
| - use 5 bit IND for SQN updates |
| - SQLite database can now be used to store Milenage information |
| * EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms |
| and reauth data |
| * added support for Chargeable-User-Identity (RFC 4372) |
| * added radius_auth_req_attr and radius_acct_req_attr configuration |
| parameters to allow adding/overriding of RADIUS attributes in |
| Access-Request and Accounting-Request packets |
| * added support for RADIUS dynamic authorization server (RFC 5176) |
| * added initial support for WNM operations |
| - BSS max idle period |
| - WNM-Sleep Mode |
| * added new WPS NFC ctrl_iface mechanism |
| - removed obsoleted WPS_OOB command (including support for deprecated |
| UFD config_method) |
| * added FT support for drivers that implement MLME internally |
| * added SA Query support for drivers that implement MLME internally |
| * removed default ACM=1 from AC_VO and AC_VI |
| * changed VENDOR-TEST EAP method to use proper private enterprise number |
| (this will not interoperate with older versions) |
| * added hostapd.conf parameter vendor_elements to allow arbitrary vendor |
| specific elements to be added to the Beacon and Probe Response frames |
| * added support for configuring GCMP cipher for IEEE 802.11ad |
| * added support for 256-bit AES with internal TLS implementation |
| * changed EAPOL transmission to use AC_VO if WMM is active |
| * fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length |
| correctly; invalid messages could have caused the hostapd process to |
| terminate before this fix [CVE-2012-4445] |
| * limit number of active wildcard PINs for WPS Registrar to one to avoid |
| confusing behavior with multiple wildcard PINs |
| * added a workaround for WPS PBC session overlap detection to avoid |
| interop issues with deployed station implementations that do not |
| remove active PBC indication from Probe Request frames properly |
| * added support for using SQLite for the eap_user database |
| * added Acct-Session-Id attribute into Access-Request messages |
| * fixed EAPOL frame transmission to non-QoS STAs with nl80211 |
| (do not send QoS frames if the STA did not negotiate use of QoS for |
| this association) |
| |
| 2012-05-10 - v1.0 |
| * Add channel selection support in hostapd. See hostapd.conf. |
| * Add support for IEEE 802.11v Time Advertisement mechanism with UTC |
| TSF offset. See hostapd.conf for config info. |
| * Delay STA entry removal until Deauth/Disassoc TX status in AP mode. |
| This allows the driver to use PS buffering of Deauthentication and |
| Disassociation frames when the STA is in power save sleep. Only |
| available with drivers that provide TX status events for Deauth/ |
| Disassoc frames (nl80211). |
| * Allow PMKSA caching to be disabled on the Authenticator. See |
| hostap.conf config parameter disable_pmksa_caching. |
| * atheros: Add support for IEEE 802.11w configuration. |
| * bsd: Add support for setting HT values in IFM_MMASK. |
| * Allow client isolation to be configured with ap_isolate. Client |
| isolation can be used to prevent low-level bridging of frames |
| between associated stations in the BSS. By default, this bridging |
| is allowed. |
| * Allow coexistance of HT BSSes with WEP/TKIP BSSes. |
| * Add require_ht config parameter, which can be used to configure |
| hostapd to reject association with any station that does not support |
| HT PHY. |
| * Add support for writing debug log to a file using "-f" option. Also |
| add relog CLI command to re-open the log file. |
| * Add bridge handling for WDS STA interfaces. By default they are |
| added to the configured bridge of the AP interface (if present), |
| but the user can also specify a separate bridge using cli command |
| wds_bridge. |
| * hostapd_cli: |
| - Add wds_bridge command for specifying bridge for WDS STA |
| interfaces. |
| - Add relog command for reopening log file. |
| - Send AP-STA-DISCONNECTED event when an AP disconnects a station |
| due to inactivity. |
| - Add wps_config ctrl_interface command for configuring AP. This |
| command can be used to configure the AP using the internal WPS |
| registrar. It works in the same way as new AP settings received |
| from an ER. |
| - Many WPS/WPS ER commands - see WPS/WPS ER sections for details. |
| - Add command get version, that returns hostapd version string. |
| * WNM: Add BSS Transition Management Request for ESS Disassoc Imminent. |
| Use hostapd_cli ess_disassoc (STA addr) (URL) to send the |
| notification to the STA. |
| * Allow AP mode to disconnect STAs based on low ACK condition (when |
| the data connection is not working properly, e.g., due to the STA |
| going outside the range of the AP). Disabled by default, enable by |
| config option disassoc_low_ack. |
| * Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad |
| config file. |
| * WPS: |
| - Send AP Settings as a wrapped Credential attribute to ctrl_iface |
| in WPS-NEW-AP-SETTINGS. |
| - Dispatch more WPS events through hostapd ctrl_iface. |
| - Add mechanism for indicating non-standard WPS errors. |
| - Change concurrent radio AP to use only one WPS UPnP instance. |
| - Add wps_check_pin command for processing PIN from user input. |
| UIs can use this command to process a PIN entered by a user and to |
| validate the checksum digit (if present). |
| - Add hostap_cli get_config command to display current AP config. |
| - Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at |
| runtime and support dynamic AP PIN management. |
| - Disable AP PIN after 10 consecutive failures. Slow down attacks |
| on failures up to 10. |
| - Allow AP to start in Enrollee mode without AP PIN for probing, |
| to be compatible with Windows 7. |
| - Add Config Error into WPS-FAIL events to provide more info |
| to the user on how to resolve the issue. |
| - When controlling multiple interfaces: |
| - apply WPS commands to all interfaces configured to use WPS |
| - apply WPS config changes to all interfaces that use WPS |
| - when an attack is detected on any interface, disable AP PIN on |
| all interfaces |
| * WPS ER: |
| - Show SetSelectedRegistrar events as ctrl_iface events. |
| - Add special AP Setup Locked mode to allow read only ER. |
| ap_setup_locked=2 can now be used to enable a special mode where |
| WPS ER can learn the current AP settings, but cannot change them. |
| * WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2) |
| - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool |
| for testing protocol extensibility. |
| - Add build option CONFIG_WPS_STRICT to allow disabling of WPS |
| workarounds. |
| - Add support for AuthorizedMACs attribute. |
| * TDLS: |
| - Allow TDLS use or TDLS channel switching in the BSS to be |
| prohibited in the BSS, using config params tdls_prohibit and |
| tdls_prohibit_chan_switch. |
| * EAP server: Add support for configuring fragment size (see |
| fragment_size in hostapd.conf). |
| * wlantest: Add a tool wlantest for IEEE802.11 protocol testing. |
| wlantest can be used to capture frames from a monitor interface |
| for realtime capturing or from pcap files for offline analysis. |
| * Interworking: Support added for 802.11u. Enable in .config with |
| CONFIG_INTERWORKING. See hostapd.conf for config parameters for |
| interworking. |
| * Android: Add build and runtime support for Android hostapd. |
| * Add a new debug message level for excessive information. Use |
| -ddd to enable. |
| * TLS: Add support for tls_disable_time_checks=1 in client mode. |
| * Internal TLS: |
| - Add support for TLS v1.1 (RFC 4346). Enable with build parameter |
| CONFIG_TLSV11. |
| - Add domainComponent parser for X.509 names |
| * Reorder some IEs to get closer to IEEE 802.11 standard. Move |
| WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames. |
| Move HT IEs to be later in (Re)Assoc Resp. |
| * Many bugfixes. |
| |
| 2010-04-18 - v0.7.2 |
| * fix WPS internal Registrar use when an external Registrar is also |
| active |
| * bsd: Cleaned up driver wrapper and added various low-level |
| configuration options |
| * TNC: fixed issues with fragmentation |
| * EAP-TNC: add Flags field into fragment acknowledgement (needed to |
| interoperate with other implementations; may potentially breaks |
| compatibility with older wpa_supplicant/hostapd versions) |
| * cleaned up driver wrapper API for multi-BSS operations |
| * nl80211: fix multi-BSS and VLAN operations |
| * fix number of issues with IEEE 802.11r/FT; this version is not |
| backwards compatible with old versions |
| * add SA Query Request processing in AP mode (IEEE 802.11w) |
| * fix IGTK PN in group rekeying (IEEE 802.11w) |
| * fix WPS PBC session overlap detection to use correct attribute |
| * hostapd_notif_Assoc() can now be called with all IEs to simplify |
| driver wrappers |
| * work around interoperability issue with some WPS External Registrar |
| implementations |
| * nl80211: fix WPS IE update |
| * hostapd_cli: add support for action script operations (run a script |
| on hostapd events) |
| * fix DH padding with internal crypto code (mainly, for WPS) |
| * fix WPS association with both WPS IE and WPA/RSN IE present with |
| driver wrappers that use hostapd MLME (e.g., nl80211) |
| |
| 2010-01-16 - v0.7.1 |
| * cleaned up driver wrapper API (struct wpa_driver_ops); the new API |
| is not fully backwards compatible, so out-of-tree driver wrappers |
| will need modifications |
| * cleaned up various module interfaces |
| * merge hostapd and wpa_supplicant developers' documentation into a |
| single document |
| * fixed HT Capabilities IE with nl80211 drivers |
| * moved generic AP functionality code into src/ap |
| * WPS: handle Selected Registrar as union of info from all Registrars |
| * remove obsolte Prism54.org driver wrapper |
| * added internal debugging mechanism with backtrace support and memory |
| allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y) |
| * EAP-FAST server: piggyback Phase 2 start with the end of Phase 1 |
| * WPS: add support for dynamically selecting whether to provision the |
| PSK as an ASCII passphrase or PSK |
| * added support for WDS (4-address frame) mode with per-station virtual |
| interfaces (wds_sta=1 in config file; only supported with |
| driver=nl80211 for now) |
| * fixed WPS Probe Request processing to handle missing required |
| attribute |
| * fixed PKCS#12 use with OpenSSL 1.0.0 |
| * detect bridge interface automatically so that bridge parameter in |
| hostapd.conf becomes optional (though, it may now be used to |
| automatically add then WLAN interface into a bridge with |
| driver=nl80211) |
| |
| 2009-11-21 - v0.7.0 |
| * increased hostapd_cli ping interval to 5 seconds and made this |
| configurable with a new command line options (-G<seconds>) |
| * driver_nl80211: use Linux socket filter to improve performance |
| * added support for external Registrars with WPS (UPnP transport) |
| * 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel |
| * driver_nl80211: fixed STA accounting data collection (TX/RX bytes |
| reported correctly; TX/RX packets not yet available from kernel) |
| * added support for WPS USBA out-of-band mechanism with USB Flash |
| Drives (UFD) (CONFIG_WPS_UFD=y) |
| * fixed EAPOL/EAP reauthentication when using an external RADIUS |
| authentication server |
| * fixed TNC with EAP-TTLS |
| * fixed IEEE 802.11r key derivation function to match with the standard |
| (note: this breaks interoperability with previous version) [Bug 303] |
| * fixed SHA-256 based key derivation function to match with the |
| standard when using CCMP (for IEEE 802.11r and IEEE 802.11w) |
| (note: this breaks interoperability with previous version) [Bug 307] |
| * added number of code size optimizations to remove unnecessary |
| functionality from the program binary based on build configuration |
| (part of this automatic; part configurable with CONFIG_NO_* build |
| options) |
| * use shared driver wrapper files with wpa_supplicant |
| * driver_nl80211: multiple updates to provide support for new Linux |
| nl80211/mac80211 functionality |
| * updated management frame protection to use IEEE Std 802.11w-2009 |
| * fixed number of small WPS issues and added workarounds to |
| interoperate with common deployed broken implementations |
| * added some IEEE 802.11n co-existence rules to disable 40 MHz channels |
| or modify primary/secondary channels if needed based on neighboring |
| networks |
| * added support for NFC out-of-band mechanism with WPS |
| * added preliminary support for IEEE 802.11r RIC processing |
| |
| 2009-01-06 - v0.6.7 |
| * added support for Wi-Fi Protected Setup (WPS) |
| (hostapd can now be configured to act as an integrated WPS Registrar |
| and provision credentials for WPS Enrollees using PIN and PBC |
| methods; external wireless Registrar can configure the AP, but |
| external WLAN Manager Registrars are not supported); WPS support can |
| be enabled by adding CONFIG_WPS=y into .config and setting the |
| runtime configuration variables in hostapd.conf (see WPS section in |
| the example configuration file); new hostapd_cli commands wps_pin and |
| wps_pbc are used to configure WPS negotiation; see README-WPS for |
| more details |
| * added IEEE 802.11n HT capability configuration (ht_capab) |
| * added support for generating Country IE based on nl80211 regulatory |
| information (added if ieee80211d=1 in configuration) |
| * fixed WEP authentication (both Open System and Shared Key) with |
| mac80211 |
| * added support for EAP-AKA' (draft-arkko-eap-aka-kdf) |
| * added support for using driver_test over UDP socket |
| * changed EAP-GPSK to use the IANA assigned EAP method type 51 |
| * updated management frame protection to use IEEE 802.11w/D7.0 |
| * fixed retransmission of EAP requests if no response is received |
| |
| 2008-11-23 - v0.6.6 |
| * added a new configuration option, wpa_ptk_rekey, that can be used to |
| enforce frequent PTK rekeying, e.g., to mitigate some attacks against |
| TKIP deficiencies |
| * updated OpenSSL code for EAP-FAST to use an updated version of the |
| session ticket overriding API that was included into the upstream |
| OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is |
| needed with that version anymore) |
| * changed channel flags configuration to read the information from |
| the driver (e.g., via driver_nl80211 when using mac80211) instead of |
| using hostapd as the source of the regulatory information (i.e., |
| information from CRDA is now used with mac80211); this allows 5 GHz |
| channels to be used with hostapd (if allowed in the current |
| regulatory domain) |
| * fixed EAP-TLS message processing for the last TLS message if it is |
| large enough to require fragmentation (e.g., if a large Session |
| Ticket data is included) |
| * fixed listen interval configuration for nl80211 drivers |
| |
| 2008-11-01 - v0.6.5 |
| * added support for SHA-256 as X.509 certificate digest when using the |
| internal X.509/TLSv1 implementation |
| * fixed EAP-FAST PAC-Opaque padding (0.6.4 broke this for some peer |
| identity lengths) |
| * fixed internal TLSv1 implementation for abbreviated handshake (used |
| by EAP-FAST server) |
| * added support for setting VLAN ID for STAs based on local MAC ACL |
| (accept_mac_file) as an alternative for RADIUS server-based |
| configuration |
| * updated management frame protection to use IEEE 802.11w/D6.0 |
| (adds a new association ping to protect against unauthenticated |
| authenticate or (re)associate request frames dropping association) |
| * added support for using SHA256-based stronger key derivation for WPA2 |
| (IEEE 802.11w) |
| * added new "driver wrapper" for RADIUS-only configuration |
| (driver=none in hostapd.conf; CONFIG_DRIVER_NONE=y in .config) |
| * fixed WPA/RSN IE validation to verify that the proto (WPA vs. WPA2) |
| is enabled in configuration |
| * changed EAP-FAST configuration to use separate fields for A-ID and |
| A-ID-Info (eap_fast_a_id_info) to allow A-ID to be set to a fixed |
| 16-octet len binary value for better interoperability with some peer |
| implementations; eap_fast_a_id is now configured as a hex string |
| * driver_nl80211: Updated to match the current Linux mac80211 AP mode |
| configuration (wireless-testing.git and Linux kernel releases |
| starting from 2.6.29) |
| |
| 2008-08-10 - v0.6.4 |
| * added peer identity into EAP-FAST PAC-Opaque and skip Phase 2 |
| Identity Request if identity is already known |
| * added support for EAP Sequences in EAP-FAST Phase 2 |
| * added support for EAP-TNC (Trusted Network Connect) |
| (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST |
| changes needed to run two methods in sequence (IF-T) and the IF-IMV |
| and IF-TNCCS interfaces from TNCS) |
| * added support for optional cryptobinding with PEAPv0 |
| * added fragmentation support for EAP-TNC |
| * added support for fragmenting EAP-TTLS/PEAP/FAST Phase 2 (tunneled) |
| data |
| * added support for opportunistic key caching (OKC) |
| |
| 2008-02-22 - v0.6.3 |
| * fixed Reassociation Response callback processing when using internal |
| MLME (driver_{hostap,nl80211,test}.c) |
| * updated FT support to use the latest draft, IEEE 802.11r/D9.0 |
| * copy optional Proxy-State attributes into RADIUS response when acting |
| as a RADIUS authentication server |
| * fixed EAPOL state machine to handle a case in which no response is |
| received from the RADIUS authentication server; previous version |
| could have triggered a crash in some cases after a timeout |
| * fixed EAP-SIM/AKA realm processing to allow decorated usernames to |
| be used |
| * added a workaround for EAP-SIM/AKA peers that include incorrect null |
| termination in the username |
| * fixed EAP-SIM/AKA protected result indication to include AT_COUNTER |
| attribute in notification messages only when using fast |
| reauthentication |
| * fixed EAP-SIM Start response processing for fast reauthentication |
| case |
| * added support for pending EAP processing in EAP-{PEAP,TTLS,FAST} |
| phase 2 to allow EAP-SIM and EAP-AKA to be used as the Phase 2 method |
| |
| 2008-01-01 - v0.6.2 |
| * fixed EAP-SIM and EAP-AKA message parser to validate attribute |
| lengths properly to avoid potential crash caused by invalid messages |
| * added data structure for storing allocated buffers (struct wpabuf); |
| this does not affect hostapd usage, but many of the APIs changed |
| and various interfaces (e.g., EAP) is not compatible with old |
| versions |
| * added support for protecting EAP-AKA/Identity messages with |
| AT_CHECKCODE (optional feature in RFC 4187) |
| * added support for protected result indication with AT_RESULT_IND for |
| EAP-SIM and EAP-AKA (eap_sim_aka_result_ind=1) |
| * added support for configuring EAP-TTLS phase 2 non-EAP methods in |
| EAP server configuration; previously all four were enabled for every |
| phase 2 user, now all four are disabled by default and need to be |
| enabled with new method names TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, |
| TTLS-MSCHAPV2 |
| * removed old debug printing mechanism and the related 'debug' |
| parameter in the configuration file; debug verbosity is now set with |
| -d (or -dd) command line arguments |
| * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt); |
| only shared key/password authentication is supported in this version |
| |
| 2007-11-24 - v0.6.1 |
| * added experimental, integrated TLSv1 server implementation with the |
| needed X.509/ASN.1/RSA/bignum processing (this can be enabled by |
| setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in |
| .config); this can be useful, e.g., if the target system does not |
| have a suitable TLS library and a minimal code size is required |
| * added support for EAP-FAST server method to the integrated EAP |
| server |
| * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest |
| draft (draft-ietf-emu-eap-gpsk-07.txt) |
| * added a new configuration parameter, rsn_pairwise, to allow different |
| pairwise cipher suites to be enabled for WPA and RSN/WPA2 |
| (note: if wpa_pairwise differs from rsn_pairwise, the driver will |
| either need to support this or will have to use the WPA/RSN IEs from |
| hostapd; currently, the included madwifi and bsd driver interfaces do |
| not have support for this) |
| * updated FT support to use the latest draft, IEEE 802.11r/D8.0 |
| |
| 2007-05-28 - v0.6.0 |
| * added experimental IEEE 802.11r/D6.0 support |
| * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48 |
| * updated EAP-PSK to use the IANA-allocated EAP type 47 |
| * fixed EAP-PSK bit ordering of the Flags field |
| * fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs |
| by reading wpa_psk_file [Bug 181] |
| * fixed EAP-TTLS AVP parser processing for too short AVP lengths |
| * fixed IPv6 connection to RADIUS accounting server |
| * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest |
| draft (draft-ietf-emu-eap-gpsk-04.txt) |
| * hlr_auc_gw: read GSM triplet file into memory and rotate through the |
| entries instead of only using the same three triplets every time |
| (this does not work properly with tests using multiple clients, but |
| provides bit better triplet data for testing a single client; anyway, |
| if a better quality triplets are needed, GSM-Milenage should be used |
| instead of hardcoded triplet file) |
| * fixed EAP-MSCHAPv2 server to use a space between S and M parameters |
| in Success Request [Bug 203] |
| * added support for sending EAP-AKA Notifications in error cases |
| * updated to use IEEE 802.11w/D2.0 for management frame protection |
| (still experimental) |
| * RADIUS server: added support for processing duplicate messages |
| (retransmissions from RADIUS client) by replying with the previous |
| reply |
| |
| 2006-11-24 - v0.5.6 |
| * added support for configuring and controlling multiple BSSes per |
| radio interface (bss=<ifname> in hostapd.conf); this is only |
| available with Devicescape and test driver interfaces |
| * fixed PMKSA cache update in the end of successful RSN |
| pre-authentication |
| * added support for dynamic VLAN configuration (i.e., selecting VLAN-ID |
| for each STA based on RADIUS Access-Accept attributes); this requires |
| VLAN support from the kernel driver/802.11 stack and this is |
| currently only available with Devicescape and test driver interfaces |
| * driver_madwifi: fixed configuration of unencrypted modes (plaintext |
| and IEEE 802.1X without WEP) |
| * removed STAKey handshake since PeerKey handshake has replaced it in |
| IEEE 802.11ma and there are no known deployments of STAKey |
| * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest |
| draft (draft-ietf-emu-eap-gpsk-01.txt) |
| * added preliminary implementation of IEEE 802.11w/D1.0 (management |
| frame protection) |
| (Note: this requires driver support to work properly.) |
| (Note2: IEEE 802.11w is an unapproved draft and subject to change.) |
| * hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM) |
| * hlr_auc_gw: added support for reading per-IMSI Milenage keys and |
| parameters from a text file to make it possible to implement proper |
| GSM/UMTS authentication server for multiple SIM/USIM cards using |
| EAP-SIM/EAP-AKA |
| * fixed session timeout processing with drivers that do not use |
| ieee802_11.c (e.g., madwifi) |
| |
| 2006-08-27 - v0.5.5 |
| * added 'hostapd_cli new_sta <addr>' command for adding a new STA into |
| hostapd (e.g., to initialize wired network authentication based on an |
| external signal) |
| * fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when |
| using WPA2 even if PMKSA caching is not used |
| * added -P<pid file> argument for hostapd to write the current process |
| id into a file |
| * added support for RADIUS Authentication Server MIB (RFC 2619) |
| |
| 2006-06-20 - v0.5.4 |
| * fixed nt_password_hash build [Bug 144] |
| * added PeerKey handshake implementation for IEEE 802.11e |
| direct link setup (DLS) to replace STAKey handshake |
| * added support for EAP Generalized Pre-Shared Key (EAP-GPSK, |
| draft-clancy-emu-eap-shared-secret-00.txt) |
| * fixed a segmentation fault when RSN pre-authentication was completed |
| successfully [Bug 152] |
| |
| 2006-04-27 - v0.5.3 |
| * do not build nt_password_hash and hlr_auc_gw by default to avoid |
| requiring a TLS library for a successful build; these programs can be |
| build with 'make nt_password_hash' and 'make hlr_auc_gw' |
| * added a new configuration option, eapol_version, that can be used to |
| set EAPOL version to 1 (default is 2) to work around broken client |
| implementations that drop EAPOL frames which use version number 2 |
| [Bug 89] |
| * added support for EAP-SAKE (no EAP method number allocated yet, so |
| this is using the same experimental type 255 as EAP-PSK) |
| * fixed EAP-MSCHAPv2 message length validation |
| |
| 2006-03-19 - v0.5.2 |
| * fixed stdarg use in hostapd_logger(): if both stdout and syslog |
| logging was enabled, hostapd could trigger a segmentation fault in |
| vsyslog on some CPU -- C library combinations |
| * moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external |
| program to make it easier to use for implementing real SS7 gateway; |
| eap_sim_db is not anymore used as a file name for GSM authentication |
| triplets; instead, it is path to UNIX domain socket that will be used |
| to communicate with the external gateway program (e.g., hlr_auc_gw) |
| * added example HLR/AuC gateway implementation, hlr_auc_gw, that uses |
| local information (GSM authentication triplets from a text file and |
| hardcoded AKA authentication data); this can be used to test EAP-SIM |
| and EAP-AKA |
| * added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw |
| to make it possible to test EAP-AKA with real USIM cards (this is |
| disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw |
| to enable this) |
| * driver_madwifi: added support for getting station RSN IE from |
| madwifi-ng svn r1453 and newer; this fixes RSN that was apparently |
| broken with earlier change (r1357) in the driver |
| * changed EAP method registration to use a dynamic list of methods |
| instead of a static list generated at build time |
| * fixed WPA message 3/4 not to encrypt Key Data field (WPA IE) |
| [Bug 125] |
| * added ap_max_inactivity configuration parameter |
| |
| 2006-01-29 - v0.5.1 |
| * driver_test: added better support for multiple APs and STAs by using |
| a directory with sockets that include MAC address for each device in |
| the name (test_socket=DIR:/tmp/test) |
| * added support for EAP expanded type (vendor specific EAP methods) |
| |
| 2005-12-18 - v0.5.0 (beginning of 0.5.x development releases) |
| * added experimental STAKey handshake implementation for IEEE 802.11e |
| direct link setup (DLS); note: this is disabled by default in both |
| build and runtime configuration (can be enabled with CONFIG_STAKEY=y |
| and stakey=1) |
| * added support for EAP methods to use callbacks to external programs |
| by buffering a pending request and processing it after the EAP method |
| is ready to continue |
| * improved EAP-SIM database interface to allow external request to GSM |
| HLR/AuC without blocking hostapd process |
| * added support for using EAP-SIM pseudonyms and fast re-authentication |
| * added support for EAP-AKA in the integrated EAP authenticator |
| * added support for matching EAP identity prefixes (e.g., "1"*) in EAP |
| user database to allow EAP-SIM/AKA selection without extra roundtrip |
| for EAP-Nak negotiation |
| * added support for storing EAP user password as NtPasswordHash instead |
| of plaintext password when using MSCHAP or MSCHAPv2 for |
| authentication (hash:<16-octet hex value>); added nt_password_hash |
| tool for hashing password to generate NtPasswordHash |
| |
| 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases) |
| * driver_wired: fixed EAPOL sending to optionally use PAE group address |
| as the destination instead of supplicant MAC address; this is |
| disabled by default, but should be enabled with use_pae_group_addr=1 |
| in configuration file if the wired interface is used by only one |
| device at the time (common switch configuration) |
| * driver_madwifi: configure driver to use TKIP countermeasures in order |
| to get correct behavior (IEEE 802.11 association failing; previously, |
| association succeeded, but hostpad forced disassociation immediately) |
| * driver_madwifi: added support for madwifi-ng |
| |
| 2005-10-27 - v0.4.6 |
| * added support for replacing user identity from EAP with RADIUS |
| User-Name attribute from Access-Accept message, if that is included, |
| for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get |
| tunneled identity into accounting messages when the RADIUS server |
| does not support better way of doing this with Class attribute) |
| * driver_madwifi: fixed EAPOL packet receive for configuration where |
| ath# is part of a bridge interface |
| * added a configuration file and log analyzer script for logwatch |
| * fixed EAPOL state machine step function to process all state |
| transitions before processing new events; this resolves a race |
| condition in which EAPOL-Start message could trigger hostapd to send |
| two EAP-Response/Identity frames to the authentication server |
| |
| 2005-09-25 - v0.4.5 |
| * added client CA list to the TLS certificate request in order to make |
| it easier for the client to select which certificate to use |
| * added experimental support for EAP-PSK |
| * added support for WE-19 (hostap, madwifi) |
| |
| 2005-08-21 - v0.4.4 |
| * fixed build without CONFIG_RSN_PREAUTH |
| * fixed FreeBSD build |
| |
| 2005-06-26 - v0.4.3 |
| * fixed PMKSA caching to copy User-Name and Class attributes so that |
| RADIUS accounting gets correct information |
| * start RADIUS accounting only after successful completion of WPA |
| 4-Way Handshake if WPA-PSK is used |
| * fixed PMKSA caching for the case where STA (re)associates without |
| first disassociating |
| |
| 2005-06-12 - v0.4.2 |
| * EAP-PAX is now registered as EAP type 46 |
| * fixed EAP-PAX MAC calculation |
| * fixed EAP-PAX CK and ICK key derivation |
| * renamed eap_authenticator configuration variable to eap_server to |
| better match with RFC 3748 (EAP) terminology |
| * driver_test: added support for testing hostapd with wpa_supplicant |
| by using test driver interface without any kernel drivers or network |
| cards |
| |
| 2005-05-22 - v0.4.1 |
| * fixed RADIUS server initialization when only auth or acct server |
| is configured and the other one is left empty |
| * driver_madwifi: added support for RADIUS accounting |
| * driver_madwifi: added preliminary support for compiling against 'BSD' |
| branch of madwifi CVS tree |
| * driver_madwifi: fixed pairwise key removal to allow WPA reauth |
| without disassociation |
| * added support for reading additional certificates from PKCS#12 files |
| and adding them to the certificate chain |
| * fixed RADIUS Class attribute processing to only use Access-Accept |
| packets to update Class; previously, other RADIUS authentication |
| packets could have cleared Class attribute |
| * added support for more than one Class attribute in RADIUS packets |
| * added support for verifying certificate revocation list (CRL) when |
| using integrated EAP authenticator for EAP-TLS; new hostapd.conf |
| options 'check_crl'; CRL must be included in the ca_cert file for now |
| |
| 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases) |
| * added support for including network information into |
| EAP-Request/Identity message (ASCII-0 (nul) in eap_message) |
| (e.g., to implement draft-adrange-eap-network-discovery-07.txt) |
| * fixed a bug which caused some RSN pre-authentication cases to use |
| freed memory and potentially crash hostapd |
| * fixed private key loading for cases where passphrase is not set |
| * added support for sending TLS alerts and aborting authentication |
| when receiving a TLS alert |
| * fixed WPA2 to add PMKSA cache entry when using integrated EAP |
| authenticator |
| * fixed PMKSA caching (EAP authentication was not skipped correctly |
| with the new state machine changes from IEEE 802.1X draft) |
| * added support for RADIUS over IPv6; own_ip_addr, auth_server_addr, |
| and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs |
| to be added to .config to include IPv6 support); for RADIUS server, |
| radius_server_ipv6=1 needs to be set in hostapd.conf and addresses |
| in RADIUS clients file can then use IPv6 format |
| * added experimental support for EAP-PAX |
| * replaced hostapd control interface library (hostapd_ctrl.[ch]) with |
| the same implementation that wpa_supplicant is using (wpa_ctrl.[ch]) |
| |
| 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) |
| |
| 2005-01-23 - v0.3.5 |
| * added support for configuring a forced PEAP version based on the |
| Phase 1 identity |
| * fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV |
| to terminate authentication |
| * fixed EAP identifier duplicate processing with the new IEEE 802.1X |
| draft |
| * clear accounting data in the driver when starting a new accounting |
| session |
| * driver_madwifi: filter wireless events based on ifindex to allow more |
| than one network interface to be used |
| * fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt |
| setting if the packet does not pass MIC verification (e.g., due to |
| incorrect PSK); previously, message 1/4 was not tried again if an |
| invalid message 2/4 was received |
| * fixed reconfiguration of RADIUS client retransmission timer when |
| adding a new message to the pending list; previously, timer was not |
| updated at this point and if there was a pending message with long |
| time for the next retry, the new message needed to wait that long for |
| its first retry, too |
| |
| 2005-01-09 - v0.3.4 |
| * added support for configuring multiple allowed EAP types for Phase 2 |
| authentication (EAP-PEAP, EAP-TTLS) |
| * fixed EAPOL-Start processing to trigger WPA reauthentication |
| (previously, only EAPOL authentication was done) |
| |
| 2005-01-02 - v0.3.3 |
| * added support for EAP-PEAP in the integrated EAP authenticator |
| * added support for EAP-GTC in the integrated EAP authenticator |
| * added support for configuring list of EAP methods for Phase 1 so that |
| the integrated EAP authenticator can, e.g., use the wildcard entry |
| for EAP-TLS and EAP-PEAP |
| * added support for EAP-TTLS in the integrated EAP authenticator |
| * added support for EAP-SIM in the integrated EAP authenticator |
| * added support for using hostapd as a RADIUS authentication server |
| with the integrated EAP authenticator taking care of EAP |
| authentication (new hostapd.conf options: radius_server_clients and |
| radius_server_auth_port); this is not included in default build; use |
| CONFIG_RADIUS_SERVER=y in .config to include |
| |
| 2004-12-19 - v0.3.2 |
| * removed 'daemonize' configuration file option since it has not really |
| been used at all for more than year |
| * driver_madwifi: fixed group key setup and added get_ssid method |
| * added support for EAP-MSCHAPv2 in the integrated EAP authenticator |
| |
| 2004-12-12 - v0.3.1 |
| * added support for integrated EAP-TLS authentication (new hostapd.conf |
| variables: ca_cert, server_cert, private_key, private_key_passwd); |
| this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without |
| external RADIUS server |
| * added support for reading PKCS#12 (PFX) files (as a replacement for |
| PEM/DER) to get certificate and private key (CONFIG_PKCS12) |
| |
| 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases) |
| * added support for Acct-{Input,Output}-Gigawords |
| * added support for Event-Timestamp (in RADIUS Accounting-Requests) |
| * added support for RADIUS Authentication Client MIB (RFC2618) |
| * added support for RADIUS Accounting Client MIB (RFC2620) |
| * made EAP re-authentication period configurable (eap_reauth_period) |
| * fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication |
| * fixed EAPOL state machine to stop if STA is removed during |
| eapol_sm_step(); this fixes at least one segfault triggering bug with |
| IEEE 802.11i pre-authentication |
| * added support for multiple WPA pre-shared keys (e.g., one for each |
| client MAC address or keys shared by a group of clients); |
| new hostapd.conf field wpa_psk_file for setting path to a text file |
| containing PSKs, see hostapd.wpa_psk for an example |
| * added support for multiple driver interfaces to allow hostapd to be |
| used with other drivers |
| * added wired authenticator driver interface (driver=wired in |
| hostapd.conf, see wired.conf for example configuration) |
| * added madwifi driver interface (driver=madwifi in hostapd.conf, see |
| madwifi.conf for example configuration; Note: include files from |
| madwifi project is needed for building and a configuration file, |
| .config, needs to be created in hostapd directory with |
| CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd |
| build) |
| * fixed an alignment issue that could cause SHA-1 to fail on some |
| platforms (e.g., Intel ixp425 with a compiler that does not 32-bit |
| align variables) |
| * fixed RADIUS reconnection after an error in sending interim |
| accounting packets |
| * added hostapd control interface for external programs and an example |
| CLI, hostapd_cli (like wpa_cli for wpa_supplicant) |
| * started adding dot11, dot1x, radius MIBs ('hostapd_cli mib', |
| 'hostapd_cli sta <addr>') |
| * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11) |
| * added support for strict GTK rekeying (wpa_strict_rekey in |
| hostapd.conf) |
| * updated IAPP to use UDP port 3517 and multicast address 224.0.1.178 |
| (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to |
| IEEE 802.11F-2003) |
| * added Prism54 driver interface (driver=prism54 in hostapd.conf; |
| note: .config needs to be created in hostapd directory with |
| CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd |
| build) |
| * dual-licensed hostapd (GPLv2 and BSD licenses) |
| * fixed RADIUS accounting to generate a new session id for cases where |
| a station reassociates without first being complete deauthenticated |
| * fixed STA disassociation handler to mark next timeout state to |
| deauthenticate the station, i.e., skip long wait for inactivity poll |
| and extra disassociation, if the STA disassociates without |
| deauthenticating |
| * added integrated EAP authenticator that can be used instead of |
| external RADIUS authentication server; currently, only EAP-MD5 is |
| supported, so this cannot yet be used for key distribution; the EAP |
| method interface is generic, though, so adding new EAP methods should |
| be straightforward; new hostapd.conf variables: 'eap_authenticator' |
| and 'eap_user_file'; this obsoletes "minimal authentication server" |
| ('minimal_eap' in hostapd.conf) which is now removed |
| * added support for FreeBSD and driver interface for the BSD net80211 |
| layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in |
| .config); please note that some of the required kernel mods have not |
| yet been committed |
| |
| 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases) |
| * fixed some accounting cases where Accounting-Start was sent when |
| IEEE 802.1X port was being deauthorized |
| |
| 2004-06-20 - v0.2.3 |
| * modified RADIUS client to re-connect the socket in case of certain |
| error codes that are generated when a network interface state is |
| changes (e.g., when IP address changes or the interface is set UP) |
| * fixed couple of cases where EAPOL state for a station was freed |
| twice causing a segfault for hostapd |
| * fixed couple of bugs in processing WPA deauthentication (freed data |
| was used) |
| |
| 2004-05-31 - v0.2.2 |
| * fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM) |
| * fixed group rekeying to send zero TSC in EAPOL-Key messages to fix |
| cases where STAs dropped multicast frames as replay attacks |
| * added support for copying RADIUS Attribute 'Class' from |
| authentication messages into accounting messages |
| * send canned EAP failure if RADIUS server sends Access-Reject without |
| EAP message (previously, Supplicant was not notified in this case) |
| * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do |
| not start EAPOL state machines if the STA selected to use WPA-PSK) |
| |
| 2004-05-06 - v0.2.1 |
| * added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality |
| - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA |
| (i.e., IEEE 802.11i/D3.0) |
| - supports WPA-only, RSN-only, and mixed WPA/RSN mode |
| - both WPA-PSK and WPA-RADIUS/EAP are supported |
| - PMKSA caching and pre-authentication |
| - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase, |
| wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey, |
| rsn_preauth, rsn_preauth_interfaces |
| * fixed interim accounting to remove any pending accounting messages |
| to the STA before sending a new one |
| |
| 2004-02-15 - v0.2.0 |
| * added support for Acct-Interim-Interval: |
| - draft-ietf-radius-acct-interim-01.txt |
| - use Acct-Interim-Interval attribute from Access-Accept if local |
| 'radius_acct_interim_interval' is not set |
| - allow different update intervals for each STA |
| * fixed event loop to call signal handlers only after returning from |
| the real signal handler |
| * reset sta->timeout_next after successful association to make sure |
| that the previously registered inactivity timer will not remove the |
| STA immediately (e.g., if STA deauthenticates and re-associates |
| before the timer is triggered). |
| * added new hostapd.conf variable, nas_identifier, that can be used to |
| add an optional RADIUS Attribute, NAS-Identifier, into authentication |
| and accounting messages |
| * added support for Accounting-On and Accounting-Off messages |
| * fixed accounting session handling to send Accounting-Start only once |
| per session and not to send Accounting-Stop if the session was not |
| initialized properly |
| * fixed Accounting-Stop statistics in cases where the message was |
| previously sent after the kernel entry for the STA (and/or IEEE |
| 802.1X data) was removed |
| |
| |
| Note: |
| |
| Older changes up to and including v0.1.0 are included in the ChangeLog |
| of the Host AP driver. |