432 lines
21 KiB
Plaintext
432 lines
21 KiB
Plaintext
ChangeLog for hostapd
|
|
|
|
2008-02-19 - v0.5.10
|
|
* fixed EAP-SIM and EAP-AKA message parser to validate attribute
|
|
lengths properly to avoid potential crash caused by invalid messages
|
|
* fixed Reassociation Response callback processing when using internal
|
|
MLME (driver_{hostap,devicescape,test}.c)
|
|
* fixed EAP-SIM/AKA realm processing to allow decorated usernames to
|
|
be used
|
|
* added a workaround for EAP-SIM/AKA peers that include incorrect null
|
|
termination in the username
|
|
* fixed EAP-SIM Start response processing for fast reauthentication
|
|
case
|
|
* copy optional Proxy-State attributes into RADIUS response when acting
|
|
as a RADIUS authentication server
|
|
|
|
2007-12-02 - v0.5.9
|
|
* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
|
|
draft (draft-ietf-emu-eap-gpsk-07.txt)
|
|
* fixed debugging code not to use potentially unaligned read to fetch
|
|
IPv4 addresses
|
|
|
|
2007-05-28 - v0.5.8
|
|
* updated driver_devicescape.c to build with the current
|
|
wireless-dev.git tree and net/d80211 changes
|
|
* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
|
|
draft (draft-ietf-emu-eap-gpsk-03.txt)
|
|
* fixed EAP-MSCHAPv2 server to use a space between S and M parameters
|
|
in Success Request [Bug 203]
|
|
* added support for sending EAP-AKA Notifications in error cases
|
|
* RADIUS server: added support for processing duplicate messages
|
|
(retransmissions from RADIUS client) by replying with the previous
|
|
reply
|
|
|
|
2006-12-31 - v0.5.7
|
|
* updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
|
|
* updated EAP-PSK to use the IANA-allocated EAP type 47
|
|
* fixed EAP-PSK bit ordering of the Flags field
|
|
* fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs
|
|
by reading wpa_psk_file [Bug 181]
|
|
* fixed EAP-TTLS AVP parser processing for too short AVP lengths
|
|
* fixed IPv6 connection to RADIUS accounting server
|
|
|
|
2006-11-24 - v0.5.6
|
|
* added support for configuring and controlling multiple BSSes per
|
|
radio interface (bss=<ifname> in hostapd.conf); this is only
|
|
available with Devicescape and test driver interfaces
|
|
* fixed PMKSA cache update in the end of successful RSN
|
|
pre-authentication
|
|
* added support for dynamic VLAN configuration (i.e., selecting VLAN-ID
|
|
for each STA based on RADIUS Access-Accept attributes); this requires
|
|
VLAN support from the kernel driver/802.11 stack and this is
|
|
currently only available with Devicescape and test driver interfaces
|
|
* driver_madwifi: fixed configuration of unencrypted modes (plaintext
|
|
and IEEE 802.1X without WEP)
|
|
* removed STAKey handshake since PeerKey handshake has replaced it in
|
|
IEEE 802.11ma and there are no known deployments of STAKey
|
|
* updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
|
|
draft (draft-ietf-emu-eap-gpsk-01.txt)
|
|
* added preliminary implementation of IEEE 802.11w/D1.0 (management
|
|
frame protection)
|
|
(Note: this requires driver support to work properly.)
|
|
(Note2: IEEE 802.11w is an unapproved draft and subject to change.)
|
|
* hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM)
|
|
* hlr_auc_gw: added support for reading per-IMSI Milenage keys and
|
|
parameters from a text file to make it possible to implement proper
|
|
GSM/UMTS authentication server for multiple SIM/USIM cards using
|
|
EAP-SIM/EAP-AKA
|
|
* fixed session timeout processing with drivers that do not use
|
|
ieee802_11.c (e.g., madwifi)
|
|
|
|
2006-08-27 - v0.5.5
|
|
* added 'hostapd_cli new_sta <addr>' command for adding a new STA into
|
|
hostapd (e.g., to initialize wired network authentication based on an
|
|
external signal)
|
|
* fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when
|
|
using WPA2 even if PMKSA caching is not used
|
|
* added -P<pid file> argument for hostapd to write the current process
|
|
id into a file
|
|
* added support for RADIUS Authentication Server MIB (RFC 2619)
|
|
|
|
2006-06-20 - v0.5.4
|
|
* fixed nt_password_hash build [Bug 144]
|
|
* added PeerKey handshake implementation for IEEE 802.11e
|
|
direct link setup (DLS) to replace STAKey handshake
|
|
* added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
|
|
draft-clancy-emu-eap-shared-secret-00.txt)
|
|
* fixed a segmentation fault when RSN pre-authentication was completed
|
|
successfully [Bug 152]
|
|
|
|
2006-04-27 - v0.5.3
|
|
* do not build nt_password_hash and hlr_auc_gw by default to avoid
|
|
requiring a TLS library for a successful build; these programs can be
|
|
build with 'make nt_password_hash' and 'make hlr_auc_gw'
|
|
* added a new configuration option, eapol_version, that can be used to
|
|
set EAPOL version to 1 (default is 2) to work around broken client
|
|
implementations that drop EAPOL frames which use version number 2
|
|
[Bug 89]
|
|
* added support for EAP-SAKE (no EAP method number allocated yet, so
|
|
this is using the same experimental type 255 as EAP-PSK)
|
|
* fixed EAP-MSCHAPv2 message length validation
|
|
|
|
2006-03-19 - v0.5.2
|
|
* fixed stdarg use in hostapd_logger(): if both stdout and syslog
|
|
logging was enabled, hostapd could trigger a segmentation fault in
|
|
vsyslog on some CPU -- C library combinations
|
|
* moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external
|
|
program to make it easier to use for implementing real SS7 gateway;
|
|
eap_sim_db is not anymore used as a file name for GSM authentication
|
|
triplets; instead, it is path to UNIX domain socket that will be used
|
|
to communicate with the external gateway program (e.g., hlr_auc_gw)
|
|
* added example HLR/AuC gateway implementation, hlr_auc_gw, that uses
|
|
local information (GSM authentication triplets from a text file and
|
|
hardcoded AKA authentication data); this can be used to test EAP-SIM
|
|
and EAP-AKA
|
|
* added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw
|
|
to make it possible to test EAP-AKA with real USIM cards (this is
|
|
disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw
|
|
to enable this)
|
|
* driver_madwifi: added support for getting station RSN IE from
|
|
madwifi-ng svn r1453 and newer; this fixes RSN that was apparently
|
|
broken with earlier change (r1357) in the driver
|
|
* changed EAP method registration to use a dynamic list of methods
|
|
instead of a static list generated at build time
|
|
* fixed WPA message 3/4 not to encrypt Key Data field (WPA IE)
|
|
[Bug 125]
|
|
* added ap_max_inactivity configuration parameter
|
|
|
|
2006-01-29 - v0.5.1
|
|
* driver_test: added better support for multiple APs and STAs by using
|
|
a directory with sockets that include MAC address for each device in
|
|
the name (test_socket=DIR:/tmp/test)
|
|
* added support for EAP expanded type (vendor specific EAP methods)
|
|
|
|
2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
|
|
* added experimental STAKey handshake implementation for IEEE 802.11e
|
|
direct link setup (DLS); note: this is disabled by default in both
|
|
build and runtime configuration (can be enabled with CONFIG_STAKEY=y
|
|
and stakey=1)
|
|
* added support for EAP methods to use callbacks to external programs
|
|
by buffering a pending request and processing it after the EAP method
|
|
is ready to continue
|
|
* improved EAP-SIM database interface to allow external request to GSM
|
|
HLR/AuC without blocking hostapd process
|
|
* added support for using EAP-SIM pseudonyms and fast re-authentication
|
|
* added support for EAP-AKA in the integrated EAP authenticator
|
|
* added support for matching EAP identity prefixes (e.g., "1"*) in EAP
|
|
user database to allow EAP-SIM/AKA selection without extra roundtrip
|
|
for EAP-Nak negotiation
|
|
* added support for storing EAP user password as NtPasswordHash instead
|
|
of plaintext password when using MSCHAP or MSCHAPv2 for
|
|
authentication (hash:<16-octet hex value>); added nt_password_hash
|
|
tool for hashing password to generate NtPasswordHash
|
|
|
|
2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
|
|
* driver_wired: fixed EAPOL sending to optionally use PAE group address
|
|
as the destination instead of supplicant MAC address; this is
|
|
disabled by default, but should be enabled with use_pae_group_addr=1
|
|
in configuration file if the wired interface is used by only one
|
|
device at the time (common switch configuration)
|
|
* driver_madwifi: configure driver to use TKIP countermeasures in order
|
|
to get correct behavior (IEEE 802.11 association failing; previously,
|
|
association succeeded, but hostpad forced disassociation immediately)
|
|
* driver_madwifi: added support for madwifi-ng
|
|
|
|
2005-10-27 - v0.4.6
|
|
* added support for replacing user identity from EAP with RADIUS
|
|
User-Name attribute from Access-Accept message, if that is included,
|
|
for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get
|
|
tunneled identity into accounting messages when the RADIUS server
|
|
does not support better way of doing this with Class attribute)
|
|
* driver_madwifi: fixed EAPOL packet receive for configuration where
|
|
ath# is part of a bridge interface
|
|
* added a configuration file and log analyzer script for logwatch
|
|
* fixed EAPOL state machine step function to process all state
|
|
transitions before processing new events; this resolves a race
|
|
condition in which EAPOL-Start message could trigger hostapd to send
|
|
two EAP-Response/Identity frames to the authentication server
|
|
|
|
2005-09-25 - v0.4.5
|
|
* added client CA list to the TLS certificate request in order to make
|
|
it easier for the client to select which certificate to use
|
|
* added experimental support for EAP-PSK
|
|
* added support for WE-19 (hostap, madwifi)
|
|
|
|
2005-08-21 - v0.4.4
|
|
* fixed build without CONFIG_RSN_PREAUTH
|
|
* fixed FreeBSD build
|
|
|
|
2005-06-26 - v0.4.3
|
|
* fixed PMKSA caching to copy User-Name and Class attributes so that
|
|
RADIUS accounting gets correct information
|
|
* start RADIUS accounting only after successful completion of WPA
|
|
4-Way Handshake if WPA-PSK is used
|
|
* fixed PMKSA caching for the case where STA (re)associates without
|
|
first disassociating
|
|
|
|
2005-06-12 - v0.4.2
|
|
* EAP-PAX is now registered as EAP type 46
|
|
* fixed EAP-PAX MAC calculation
|
|
* fixed EAP-PAX CK and ICK key derivation
|
|
* renamed eap_authenticator configuration variable to eap_server to
|
|
better match with RFC 3748 (EAP) terminology
|
|
* driver_test: added support for testing hostapd with wpa_supplicant
|
|
by using test driver interface without any kernel drivers or network
|
|
cards
|
|
|
|
2005-05-22 - v0.4.1
|
|
* fixed RADIUS server initialization when only auth or acct server
|
|
is configured and the other one is left empty
|
|
* driver_madwifi: added support for RADIUS accounting
|
|
* driver_madwifi: added preliminary support for compiling against 'BSD'
|
|
branch of madwifi CVS tree
|
|
* driver_madwifi: fixed pairwise key removal to allow WPA reauth
|
|
without disassociation
|
|
* added support for reading additional certificates from PKCS#12 files
|
|
and adding them to the certificate chain
|
|
* fixed RADIUS Class attribute processing to only use Access-Accept
|
|
packets to update Class; previously, other RADIUS authentication
|
|
packets could have cleared Class attribute
|
|
* added support for more than one Class attribute in RADIUS packets
|
|
* added support for verifying certificate revocation list (CRL) when
|
|
using integrated EAP authenticator for EAP-TLS; new hostapd.conf
|
|
options 'check_crl'; CRL must be included in the ca_cert file for now
|
|
|
|
2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
|
|
* added support for including network information into
|
|
EAP-Request/Identity message (ASCII-0 (nul) in eap_message)
|
|
(e.g., to implement draft-adrange-eap-network-discovery-07.txt)
|
|
* fixed a bug which caused some RSN pre-authentication cases to use
|
|
freed memory and potentially crash hostapd
|
|
* fixed private key loading for cases where passphrase is not set
|
|
* added support for sending TLS alerts and aborting authentication
|
|
when receiving a TLS alert
|
|
* fixed WPA2 to add PMKSA cache entry when using integrated EAP
|
|
authenticator
|
|
* fixed PMKSA caching (EAP authentication was not skipped correctly
|
|
with the new state machine changes from IEEE 802.1X draft)
|
|
* added support for RADIUS over IPv6; own_ip_addr, auth_server_addr,
|
|
and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs
|
|
to be added to .config to include IPv6 support); for RADIUS server,
|
|
radius_server_ipv6=1 needs to be set in hostapd.conf and addresses
|
|
in RADIUS clients file can then use IPv6 format
|
|
* added experimental support for EAP-PAX
|
|
* replaced hostapd control interface library (hostapd_ctrl.[ch]) with
|
|
the same implementation that wpa_supplicant is using (wpa_ctrl.[ch])
|
|
|
|
2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)
|
|
|
|
2005-01-23 - v0.3.5
|
|
* added support for configuring a forced PEAP version based on the
|
|
Phase 1 identity
|
|
* fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV
|
|
to terminate authentication
|
|
* fixed EAP identifier duplicate processing with the new IEEE 802.1X
|
|
draft
|
|
* clear accounting data in the driver when starting a new accounting
|
|
session
|
|
* driver_madwifi: filter wireless events based on ifindex to allow more
|
|
than one network interface to be used
|
|
* fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt
|
|
setting if the packet does not pass MIC verification (e.g., due to
|
|
incorrect PSK); previously, message 1/4 was not tried again if an
|
|
invalid message 2/4 was received
|
|
* fixed reconfiguration of RADIUS client retransmission timer when
|
|
adding a new message to the pending list; previously, timer was not
|
|
updated at this point and if there was a pending message with long
|
|
time for the next retry, the new message needed to wait that long for
|
|
its first retry, too
|
|
|
|
2005-01-09 - v0.3.4
|
|
* added support for configuring multiple allowed EAP types for Phase 2
|
|
authentication (EAP-PEAP, EAP-TTLS)
|
|
* fixed EAPOL-Start processing to trigger WPA reauthentication
|
|
(previously, only EAPOL authentication was done)
|
|
|
|
2005-01-02 - v0.3.3
|
|
* added support for EAP-PEAP in the integrated EAP authenticator
|
|
* added support for EAP-GTC in the integrated EAP authenticator
|
|
* added support for configuring list of EAP methods for Phase 1 so that
|
|
the integrated EAP authenticator can, e.g., use the wildcard entry
|
|
for EAP-TLS and EAP-PEAP
|
|
* added support for EAP-TTLS in the integrated EAP authenticator
|
|
* added support for EAP-SIM in the integrated EAP authenticator
|
|
* added support for using hostapd as a RADIUS authentication server
|
|
with the integrated EAP authenticator taking care of EAP
|
|
authentication (new hostapd.conf options: radius_server_clients and
|
|
radius_server_auth_port); this is not included in default build; use
|
|
CONFIG_RADIUS_SERVER=y in .config to include
|
|
|
|
2004-12-19 - v0.3.2
|
|
* removed 'daemonize' configuration file option since it has not really
|
|
been used at all for more than year
|
|
* driver_madwifi: fixed group key setup and added get_ssid method
|
|
* added support for EAP-MSCHAPv2 in the integrated EAP authenticator
|
|
|
|
2004-12-12 - v0.3.1
|
|
* added support for integrated EAP-TLS authentication (new hostapd.conf
|
|
variables: ca_cert, server_cert, private_key, private_key_passwd);
|
|
this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without
|
|
external RADIUS server
|
|
* added support for reading PKCS#12 (PFX) files (as a replacement for
|
|
PEM/DER) to get certificate and private key (CONFIG_PKCS12)
|
|
|
|
2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
|
|
* added support for Acct-{Input,Output}-Gigawords
|
|
* added support for Event-Timestamp (in RADIUS Accounting-Requests)
|
|
* added support for RADIUS Authentication Client MIB (RFC2618)
|
|
* added support for RADIUS Accounting Client MIB (RFC2620)
|
|
* made EAP re-authentication period configurable (eap_reauth_period)
|
|
* fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication
|
|
* fixed EAPOL state machine to stop if STA is removed during
|
|
eapol_sm_step(); this fixes at least one segfault triggering bug with
|
|
IEEE 802.11i pre-authentication
|
|
* added support for multiple WPA pre-shared keys (e.g., one for each
|
|
client MAC address or keys shared by a group of clients);
|
|
new hostapd.conf field wpa_psk_file for setting path to a text file
|
|
containing PSKs, see hostapd.wpa_psk for an example
|
|
* added support for multiple driver interfaces to allow hostapd to be
|
|
used with other drivers
|
|
* added wired authenticator driver interface (driver=wired in
|
|
hostapd.conf, see wired.conf for example configuration)
|
|
* added madwifi driver interface (driver=madwifi in hostapd.conf, see
|
|
madwifi.conf for example configuration; Note: include files from
|
|
madwifi project is needed for building and a configuration file,
|
|
.config, needs to be created in hostapd directory with
|
|
CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd
|
|
build)
|
|
* fixed an alignment issue that could cause SHA-1 to fail on some
|
|
platforms (e.g., Intel ixp425 with a compiler that does not 32-bit
|
|
align variables)
|
|
* fixed RADIUS reconnection after an error in sending interim
|
|
accounting packets
|
|
* added hostapd control interface for external programs and an example
|
|
CLI, hostapd_cli (like wpa_cli for wpa_supplicant)
|
|
* started adding dot11, dot1x, radius MIBs ('hostapd_cli mib',
|
|
'hostapd_cli sta <addr>')
|
|
* finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11)
|
|
* added support for strict GTK rekeying (wpa_strict_rekey in
|
|
hostapd.conf)
|
|
* updated IAPP to use UDP port 3517 and multicast address 224.0.1.178
|
|
(instead of broadcast) for IAPP ADD-notify (moved from draft 3 to
|
|
IEEE 802.11F-2003)
|
|
* added Prism54 driver interface (driver=prism54 in hostapd.conf;
|
|
note: .config needs to be created in hostapd directory with
|
|
CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd
|
|
build)
|
|
* dual-licensed hostapd (GPLv2 and BSD licenses)
|
|
* fixed RADIUS accounting to generate a new session id for cases where
|
|
a station reassociates without first being complete deauthenticated
|
|
* fixed STA disassociation handler to mark next timeout state to
|
|
deauthenticate the station, i.e., skip long wait for inactivity poll
|
|
and extra disassociation, if the STA disassociates without
|
|
deauthenticating
|
|
* added integrated EAP authenticator that can be used instead of
|
|
external RADIUS authentication server; currently, only EAP-MD5 is
|
|
supported, so this cannot yet be used for key distribution; the EAP
|
|
method interface is generic, though, so adding new EAP methods should
|
|
be straightforward; new hostapd.conf variables: 'eap_authenticator'
|
|
and 'eap_user_file'; this obsoletes "minimal authentication server"
|
|
('minimal_eap' in hostapd.conf) which is now removed
|
|
* added support for FreeBSD and driver interface for the BSD net80211
|
|
layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in
|
|
.config); please note that some of the required kernel mods have not
|
|
yet been committed
|
|
|
|
2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
|
|
* fixed some accounting cases where Accounting-Start was sent when
|
|
IEEE 802.1X port was being deauthorized
|
|
|
|
2004-06-20 - v0.2.3
|
|
* modified RADIUS client to re-connect the socket in case of certain
|
|
error codes that are generated when a network interface state is
|
|
changes (e.g., when IP address changes or the interface is set UP)
|
|
* fixed couple of cases where EAPOL state for a station was freed
|
|
twice causing a segfault for hostapd
|
|
* fixed couple of bugs in processing WPA deauthentication (freed data
|
|
was used)
|
|
|
|
2004-05-31 - v0.2.2
|
|
* fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM)
|
|
* fixed group rekeying to send zero TSC in EAPOL-Key messages to fix
|
|
cases where STAs dropped multicast frames as replay attacks
|
|
* added support for copying RADIUS Attribute 'Class' from
|
|
authentication messages into accounting messages
|
|
* send canned EAP failure if RADIUS server sends Access-Reject without
|
|
EAP message (previously, Supplicant was not notified in this case)
|
|
* fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do
|
|
not start EAPOL state machines if the STA selected to use WPA-PSK)
|
|
|
|
2004-05-06 - v0.2.1
|
|
* added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality
|
|
- based on IEEE 802.11i/D10.0 but modified to interoperate with WPA
|
|
(i.e., IEEE 802.11i/D3.0)
|
|
- supports WPA-only, RSN-only, and mixed WPA/RSN mode
|
|
- both WPA-PSK and WPA-RADIUS/EAP are supported
|
|
- PMKSA caching and pre-authentication
|
|
- new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase,
|
|
wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey,
|
|
rsn_preauth, rsn_preauth_interfaces
|
|
* fixed interim accounting to remove any pending accounting messages
|
|
to the STA before sending a new one
|
|
|
|
2004-02-15 - v0.2.0
|
|
* added support for Acct-Interim-Interval:
|
|
- draft-ietf-radius-acct-interim-01.txt
|
|
- use Acct-Interim-Interval attribute from Access-Accept if local
|
|
'radius_acct_interim_interval' is not set
|
|
- allow different update intervals for each STA
|
|
* fixed event loop to call signal handlers only after returning from
|
|
the real signal handler
|
|
* reset sta->timeout_next after successful association to make sure
|
|
that the previously registered inactivity timer will not remove the
|
|
STA immediately (e.g., if STA deauthenticates and re-associates
|
|
before the timer is triggered).
|
|
* added new hostapd.conf variable, nas_identifier, that can be used to
|
|
add an optional RADIUS Attribute, NAS-Identifier, into authentication
|
|
and accounting messages
|
|
* added support for Accounting-On and Accounting-Off messages
|
|
* fixed accounting session handling to send Accounting-Start only once
|
|
per session and not to send Accounting-Stop if the session was not
|
|
initialized properly
|
|
* fixed Accounting-Stop statistics in cases where the message was
|
|
previously sent after the kernel entry for the STA (and/or IEEE
|
|
802.1X data) was removed
|
|
|
|
|
|
Note:
|
|
|
|
Older changes up to and including v0.1.0 are included in the ChangeLog
|
|
of the Host AP driver.
|