12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295 |
- ChangeLog for wpa_supplicant
-
- 2010-04-18 - v0.7.2
- * nl80211: fixed number of issues with roaming
- * avoid unnecessary roaming if multiple APs with similar signal
- strength are present in scan results
- * add TLS client events and server probing to ease design of
- automatic detection of EAP parameters
- * add option for server certificate matching (SHA256 hash of the
- certificate) instead of trusted CA certificate configuration
- * bsd: Cleaned up driver wrapper and added various low-level
- configuration options
- * wpa_gui-qt4: do not show too frequent WPS AP available events as
- tray messages
- * TNC: fixed issues with fragmentation
- * EAP-TNC: add Flags field into fragment acknowledgement (needed to
- interoperate with other implementations; may potentially breaks
- compatibility with older wpa_supplicant/hostapd versions)
- * wpa_cli: added option for using a separate process to receive event
- messages to reduce latency in showing these
- (CFLAGS += -DCONFIG_WPA_CLI_FORK=y in .config to enable this)
- * maximum BSS table size can now be configured (bss_max_count)
- * BSSes to be included in the BSS table can be filtered based on
- configured SSIDs to save memory (filter_ssids)
- * fix number of issues with IEEE 802.11r/FT; this version is not
- backwards compatible with old versions
- * nl80211: add support for IEEE 802.11r/FT protocol (both over-the-air
- and over-the-DS)
- * add freq_list network configuration parameter to allow the AP
- selection to filter out entries based on the operating channel
- * add signal strength change events for bgscan; this allows more
- dynamic changes to background scanning interval based on changes in
- the signal strength with the current AP; this improves roaming within
- ESS quite a bit, e.g., with bgscan="simple:30:-45:300" in the network
- configuration block to request background scans less frequently when
- signal strength remains good and to automatically trigger background
- scans whenever signal strength drops noticeably
- (this is currently only available with nl80211)
- * add BSSID and reason code (if available) to disconnect event messages
- * wpa_gui-qt4: more complete support for translating the GUI with
- linguist and add German translation
- * fix DH padding with internal crypto code (mainly, for WPS)
- * do not trigger initial scan automatically anymore if there are no
- enabled networks
-
- 2010-01-16 - v0.7.1
- * cleaned up driver wrapper API (struct wpa_driver_ops); the new API
- is not fully backwards compatible, so out-of-tree driver wrappers
- will need modifications
- * cleaned up various module interfaces
- * merge hostapd and wpa_supplicant developers' documentation into a
- single document
- * nl80211: use explicit deauthentication to clear cfg80211 state to
- avoid issues when roaming between APs
- * dbus: major design changes in the new D-Bus API
- (fi.w1.wpa_supplicant1)
- * nl80211: added support for IBSS networks
- * added internal debugging mechanism with backtrace support and memory
- allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y)
- * added WPS ER unsubscription command to more cleanly unregister from
- receiving UPnP events when ER is terminated
- * cleaned up AP mode operations to avoid need for virtual driver_ops
- wrapper
- * added BSS table to maintain more complete scan result information
- over multiple scans (that may include only partial results)
- * wpa_gui-qt4: update Peers dialog information more dynamically while
- the dialog is kept open
- * fixed PKCS#12 use with OpenSSL 1.0.0
- * driver_wext: Added cfg80211-specific optimization to avoid some
- unnecessary scans and to speed up association
-
- 2009-11-21 - v0.7.0
- * increased wpa_cli ping interval to 5 seconds and made this
- configurable with a new command line options (-G<seconds>)
- * fixed scan buffer processing with WEXT to handle up to 65535
- byte result buffer (previously, limited to 32768 bytes)
- * allow multiple driver wrappers to be specified on command line
- (e.g., -Dnl80211,wext); the first one that is able to initialize the
- interface will be used
- * added support for multiple SSIDs per scan request to optimize
- scan_ssid=1 operations in ap_scan=1 mode (i.e., search for hidden
- SSIDs); this requires driver support and can currently be used only
- with nl80211
- * added support for WPS USBA out-of-band mechanism with USB Flash
- Drives (UFD) (CONFIG_WPS_UFD=y)
- * driver_ndis: add PAE group address to the multicast address list to
- fix wired IEEE 802.1X authentication
- * fixed IEEE 802.11r key derivation function to match with the standard
- (note: this breaks interoperability with previous version) [Bug 303]
- * added better support for drivers that allow separate authentication
- and association commands (e.g., mac80211-based Linux drivers with
- nl80211; SME in wpa_supplicant); this allows over-the-air FT protocol
- to be used (IEEE 802.11r)
- * fixed SHA-256 based key derivation function to match with the
- standard when using CCMP (for IEEE 802.11r and IEEE 802.11w)
- (note: this breaks interoperability with previous version) [Bug 307]
- * use shared driver wrapper files with hostapd
- * added AP mode functionality (CONFIG_AP=y) with mode=2 in the network
- block; this can be used for open and WPA2-Personal networks
- (optionally, with WPS); this links in parts of hostapd functionality
- into wpa_supplicant
- * wpa_gui-qt4: added new Peers dialog to show information about peers
- (other devices, including APs and stations, etc. in the neighborhood)
- * added support for WPS External Registrar functionality (configure APs
- and enroll new devices); can be used with wpa_gui-qt4 Peers dialog
- and wpa_cli commands wps_er_start, wps_er_stop, wps_er_pin,
- wps_er_pbc, wps_er_learn
- (this can also be used with a new 'none' driver wrapper if no
- wireless device or IEEE 802.1X on wired is needed)
- * driver_nl80211: multiple updates to provide support for new Linux
- nl80211/mac80211 functionality
- * updated management frame protection to use IEEE Std 802.11w-2009
- * fixed number of small WPS issues and added workarounds to
- interoperate with common deployed broken implementations
- * added support for NFC out-of-band mechanism with WPS
- * driver_ndis: fixed wired IEEE 802.1X authentication with PAE group
- address frames
- * added preliminary support for IEEE 802.11r RIC processing
- * added support for specifying subset of enabled frequencies to scan
- (scan_freq option in the network configuration block); this can speed
- up scanning process considerably if it is known that only a small
- subset of channels is actually used in the network (this is currently
- supported only with -Dnl80211)
- * added a workaround for race condition between receiving the
- association event and the following EAPOL-Key
- * added background scan and roaming infrastructure to allow
- network-specific optimizations to be used to improve roaming within
- an ESS (same SSID)
- * added new DBus interface (fi.w1.wpa_supplicant1)
-
- 2009-01-06 - v0.6.7
- * added support for Wi-Fi Protected Setup (WPS)
- (wpa_supplicant can now be configured to act as a WPS Enrollee to
- enroll credentials for a network using PIN and PBC methods; in
- addition, wpa_supplicant can act as a wireless WPS Registrar to
- configure an AP); WPS support can be enabled by adding CONFIG_WPS=y
- into .config and setting the runtime configuration variables in
- wpa_supplicant.conf (see WPS section in the example configuration
- file); new wpa_cli commands wps_pin, wps_pbc, and wps_reg are used to
- manage WPS negotiation; see README-WPS for more details
- * added support for EAP-AKA' (draft-arkko-eap-aka-kdf)
- * added support for using driver_test over UDP socket
- * fixed PEAPv0 Cryptobinding interoperability issue with Windows Server
- 2008 NPS; optional cryptobinding is now enabled (again) by default
- * fixed PSK editing in wpa_gui
- * changed EAP-GPSK to use the IANA assigned EAP method type 51
- * added a Windows installer that includes WinPcap and all the needed
- DLLs; in addition, it set up the registry automatically so that user
- will only need start wpa_gui to get prompted to start the wpasvc
- servide and add a new interface if needed through wpa_gui dialog
- * updated management frame protection to use IEEE 802.11w/D7.0
-
- 2008-11-23 - v0.6.6
- * added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA
- (can be used to simulate test SIM/USIM card with a known private key;
- enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config
- and password="Ki:OPc"/password="Ki:OPc:SQN" in network configuration)
- * added a new network configuration option, wpa_ptk_rekey, that can be
- used to enforce frequent PTK rekeying, e.g., to mitigate some attacks
- against TKIP deficiencies
- * added an optional mitigation mechanism for certain attacks against
- TKIP by delaying Michael MIC error reports by a random amount of time
- between 0 and 60 seconds; this can be enabled with a build option
- CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
- * fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
- not bytes
- * updated OpenSSL code for EAP-FAST to use an updated version of the
- session ticket overriding API that was included into the upstream
- OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
- needed with that version anymore)
- * updated userspace MLME instructions to match with the current Linux
- mac80211 implementation; please also note that this can only be used
- with driver_nl80211.c (the old code from driver_wext.c was removed)
- * added support (Linux only) for RoboSwitch chipsets (often found in
- consumer grade routers); driver interface 'roboswitch'
- * fixed canceling of PMKSA caching when using drivers that generate
- RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know
- about
-
- 2008-11-01 - v0.6.5
- * added support for SHA-256 as X.509 certificate digest when using the
- internal X.509/TLSv1 implementation
- * updated management frame protection to use IEEE 802.11w/D6.0
- * added support for using SHA256-based stronger key derivation for WPA2
- (IEEE 802.11w)
- * fixed FT (IEEE 802.11r) authentication after a failed association to
- use correct FTIE
- * added support for configuring Phase 2 (inner/tunneled) authentication
- method with wpa_gui-qt4
-
- 2008-08-10 - v0.6.4
- * added support for EAP Sequences in EAP-FAST Phase 2
- * added support for using TNC with EAP-FAST
- * added driver_ps3 for the PS3 Linux wireless driver
- * added support for optional cryptobinding with PEAPv0
- * fixed the OpenSSL patches (0.9.8g and 0.9.9) for EAP-FAST to
- allow fallback to full handshake if server rejects PAC-Opaque
- * added fragmentation support for EAP-TNC
- * added support for parsing PKCS #8 formatted private keys into the
- internal TLS implementation (both PKCS #1 RSA key and PKCS #8
- encapsulated RSA key can now be used)
- * added option of using faster, but larger, routines in the internal
- LibTomMath (for internal TLS implementation) to speed up DH and RSA
- calculations (CONFIG_INTERNAL_LIBTOMMATH_FAST=y)
- * fixed race condition between disassociation event and group key
- handshake to avoid getting stuck in incorrect state [Bug 261]
- * fixed opportunistic key caching (proactive_key_caching)
-
- 2008-02-22 - v0.6.3
- * removed 'nai' and 'eappsk' network configuration variables that were
- previously used for configuring user identity and key for EAP-PSK,
- EAP-PAX, EAP-SAKE, and EAP-GPSK. 'identity' field is now used as the
- replacement for 'nai' (if old configuration used a separate
- 'identity' value, that would now be configured as
- 'anonymous_identity'). 'password' field is now used as the
- replacement for 'eappsk' (it can also be set using hexstring to
- present random binary data)
- * removed '-w' command line parameter (wait for interface to be added,
- if needed); cleaner way of handling this functionality is to use an
- external mechanism (e.g., hotplug scripts) that start wpa_supplicant
- when an interface is added
- * updated FT support to use the latest draft, IEEE 802.11r/D9.0
- * added ctrl_iface monitor event (CTRL-EVENT-SCAN-RESULTS) for
- indicating when new scan results become available
- * added new ctrl_iface command, BSS, to allow scan results to be
- fetched without hitting the message size limits (this command
- can be used to iterate through the scan results one BSS at the time)
- * fixed EAP-SIM not to include AT_NONCE_MT and AT_SELECTED_VERSION
- attributes in EAP-SIM Start/Response when using fast reauthentication
- * fixed EAPOL not to end up in infinite loop when processing dynamic
- WEP keys with IEEE 802.1X
- * fixed problems in getting NDIS events from WMI on Windows 2000
-
- 2008-01-01 - v0.6.2
- * added support for Makefile builds to include debug-log-to-a-file
- functionality (CONFIG_DEBUG_FILE=y and -f<path> on command line)
- * fixed EAP-SIM and EAP-AKA message parser to validate attribute
- lengths properly to avoid potential crash caused by invalid messages
- * added data structure for storing allocated buffers (struct wpabuf);
- this does not affect wpa_supplicant usage, but many of the APIs
- changed and various interfaces (e.g., EAP) is not compatible with old
- versions
- * added support for protecting EAP-AKA/Identity messages with
- AT_CHECKCODE (optional feature in RFC 4187)
- * added support for protected result indication with AT_RESULT_IND for
- EAP-SIM and EAP-AKA (phase1="result_ind=1")
- * added driver_wext workaround for race condition between scanning and
- association with drivers that take very long time to scan all
- channels (e.g., madwifi with dual-band cards); wpa_supplicant is now
- using a longer hardcoded timeout for the scan if the driver supports
- notifications for scan completion (SIOCGIWSCAN event); this helps,
- e.g., in cases where wpa_supplicant and madwifi driver ended up in
- loop where the driver did not even try to associate
- * stop EAPOL timer tick when no timers are in use in order to reduce
- power consumption (no need to wake up the process once per second)
- [Bug 237]
- * added support for privilege separation (run only minimal part of
- wpa_supplicant functionality as root and rest as unprivileged,
- non-root process); see 'Privilege separation' in README for details;
- this is disabled by default and can be enabled with CONFIG_PRIVSEP=y
- in .config
- * changed scan results data structure to include all information
- elements to make it easier to support new IEs; old get_scan_result()
- driver_ops is still supported for backwards compatibility (results
- are converted internally to the new format), but all drivers should
- start using the new get_scan_results2() to make them more likely to
- work with new features
- * Qt4 version of wpa_gui (wpa_gui-qt4 subdirectory) is now native Qt4
- application, i.e., it does not require Qt3Support anymore; Windows
- binary of wpa_gui.exe is now from this directory and only requires
- QtCore4.dll and QtGui4.dll libraries
- * updated Windows binary build to use Qt 4.3.3 and made Qt DLLs
- available as a separate package to make wpa_gui installation easier:
- http://w1.fi/wpa_supplicant/qt4/wpa_gui-qt433-windows-dll.zip
- * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt);
- only shared key/password authentication is supported in this version
-
- 2007-11-24 - v0.6.1
- * added support for configuring password as NtPasswordHash
- (16-byte MD4 hash of password) in hash:<32 hex digits> format
- * added support for fallback from abbreviated TLS handshake to
- full handshake when using EAP-FAST (e.g., due to an expired
- PAC-Opaque)
- * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
- draft (draft-ietf-emu-eap-gpsk-07.txt)
- * added support for drivers that take care of RSN 4-way handshake
- internally (WPA_DRIVER_FLAGS_4WAY_HANDSHAKE in get_capa flags and
- WPA_ALG_PMK in set_key)
- * added an experimental port for Mac OS X (CONFIG_DRIVER_OSX=y in
- .config); this version supports only ap_scan=2 mode and allow the
- driver to take care of the 4-way handshake
- * fixed a buffer overflow in parsing TSF from scan results when using
- driver_wext.c with a driver that includes the TSF (e.g., iwl4965)
- [Bug 232]
- * updated FT support to use the latest draft, IEEE 802.11r/D8.0
- * fixed an integer overflow issue in the ASN.1 parser used by the
- (experimental) internal TLS implementation to avoid a potential
- buffer read overflow
- * fixed a race condition with -W option (wait for a control interface
- monitor before starting) that could have caused the first messages to
- be lost
- * added support for processing TNCC-TNCS-Messages to report
- recommendation (allow/none/isolate) when using TNC [Bug 243]
-
- 2007-05-28 - v0.6.0
- * added network configuration parameter 'frequency' for setting
- initial channel for IBSS (adhoc) networks
- * added experimental IEEE 802.11r/D6.0 support
- * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
- * updated EAP-PSK to use the IANA-allocated EAP type 47
- * fixed EAP-PAX key derivation
- * fixed EAP-PSK bit ordering of the Flags field
- * fixed EAP-PEAP/TTLS/FAST to use the correct EAP identifier in
- tunnelled identity request (previously, the identifier from the outer
- method was used, not the tunnelled identifier which could be
- different)
- * added support for fragmentation of outer TLS packets during Phase 2
- of EAP-PEAP/TTLS/FAST
- * fixed EAP-TTLS AVP parser processing for too short AVP lengths
- * added support for EAP-FAST authentication with inner methods that
- generate MSK (e.g., EAP-MSCHAPv2 that was previously only supported
- for PAC provisioning)
- * added support for authenticated EAP-FAST provisioning
- * added support for configuring maximum number of EAP-FAST PACs to
- store in a PAC list (fast_max_pac_list_len=<max> in phase1 string)
- * added support for storing EAP-FAST PACs in binary format
- (fast_pac_format=binary in phase1 string)
- * fixed dbus ctrl_iface to validate message interface before
- dispatching to avoid a possible segfault [Bug 190]
- * fixed PeerKey key derivation to use the correct PRF label
- * updated Windows binary build to link against OpenSSL 0.9.8d and
- added support for EAP-FAST
- * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
- draft (draft-ietf-emu-eap-gpsk-04.txt)
- * fixed EAP-AKA Notification processing to allow Notification to be
- processed after AKA Challenge response has been sent
- * updated to use IEEE 802.11w/D2.0 for management frame protection
- (still experimental)
- * fixed EAP-TTLS implementation not to crash on use of freed memory
- if TLS library initialization fails
- * added support for EAP-TNC (Trusted Network Connect)
- (this version implements the EAP-TNC method and EAP-TTLS changes
- needed to run two methods in sequence (IF-T) and the IF-IMC and
- IF-TNCCS interfaces from TNCC)
-
- 2006-11-24 - v0.5.6
- * added experimental, integrated TLSv1 client implementation with the
- needed X.509/ASN.1/RSA/bignum processing (this can be enabled by
- setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in
- .config); this can be useful, e.g., if the target system does not
- have a suitable TLS library and a minimal code size is required
- (total size of this internal TLS/crypto code is bit under 50 kB on
- x86 and the crypto code is shared by rest of the supplicant so some
- of it was already required; TLSv1/X.509/ASN.1/RSA added about 25 kB)
- * removed STAKey handshake since PeerKey handshake has replaced it in
- IEEE 802.11ma and there are no known deployments of STAKey
- * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
- draft (draft-ietf-emu-eap-gpsk-01.txt)
- * added preliminary implementation of IEEE 802.11w/D1.0 (management
- frame protection)
- (Note: this requires driver support to work properly.)
- (Note2: IEEE 802.11w is an unapproved draft and subject to change.)
- * fixed Windows named pipes ctrl_iface to not stop listening for
- commands if client program opens a named pipe and closes it
- immediately without sending a command
- * fixed USIM PIN status determination for the case that PIN is not
- needed (this allows EAP-AKA to be used with USIM cards that do not
- use PIN)
- * added support for reading 3G USIM AID from EF_DIR to allow EAP-AKA to
- be used with cards that do not support file selection based on
- partial AID
- * added support for matching the subjectAltName of the authentication
- server certificate against multiple name components (e.g.,
- altsubject_match="DNS:server.example.com;DNS:server2.example.com")
- * fixed EAP-SIM/AKA key derivation for re-authentication case (only
- affects IEEE 802.1X with dynamic WEP keys)
- * changed ctrl_iface network configuration 'get' operations to not
- return password/key material; if these fields are requested, "*"
- will be returned if the password/key is set, but the value of the
- parameter is not exposed
-
- 2006-08-27 - v0.5.5
- * added support for building Windows version with UNICODE defined
- (wide-char functions)
- * driver_ndis: fixed static WEP configuration to avoid race condition
- issues with some NDIS drivers between association and setting WEP
- keys
- * driver_ndis: added validation for IELength value in scan results to
- avoid crashes when using buggy NDIS drivers [Bug 165]
- * fixed Release|Win32 target in the Visual Studio project files
- (previously, only Debug|Win32 target was set properly)
- * changed control interface API call wpa_ctrl_pending() to allow it to
- return -1 on error (e.g., connection lost); control interface clients
- will need to make sure that they verify that the value is indeed >0
- when determining whether there are pending messages
- * added an alternative control interface backend for Windows targets:
- Named Pipe (CONFIG_CTRL_IFACE=named_pipe); this is now the default
- control interface mechanism for Windows builds (previously, UDP to
- localhost was used)
- * changed ctrl_interface configuration for UNIX domain sockets:
- - deprecated ctrl_interface_group variable (it may be removed in
- future versions)
- - allow both directory and group be configured with ctrl_interface
- in following format: DIR=/var/run/wpa_supplicant GROUP=wheel
- - ctrl_interface=/var/run/wpa_supplicant is still supported for the
- case when group is not changed
- * added support for controlling more than one interface per process in
- Windows version
- * added a workaround for a case where the AP is using unknown address
- (e.g., MAC address of the wired interface) as the source address for
- EAPOL-Key frames; previously, that source address was used as the
- destination for EAPOL-Key frames and in key derivation; now, BSSID is
- used even if the source address does not match with it
- (this resolves an interoperability issue with Thomson SpeedTouch 580)
- * added a workaround for UDP-based control interface (which was used in
- Windows builds before this release) to prevent packets with forged
- addresses from being accepted as local control requests
- * removed ndis_events.cpp and possibility of using external
- ndis_events.exe; C version (ndis_events.c) is fully functional and
- there is no desire to maintain two separate versions of this
- implementation
- * ndis_events: Changed NDIS event notification design to use WMI to
- learn the adapter description through Win32_PnPEntity class; this
- should fix some cases where the adapter name was not recognized
- correctly (e.g., with some USB WLAN adapters, e.g., Ralink RT2500
- USB) [Bug 113]
- * fixed selection of the first network in ap_scan=2 mode; previously,
- wpa_supplicant could get stuck in SCANNING state when only the first
- network for enabled (e.g., after 'wpa_cli select_network 0')
- * winsvc: added support for configuring ctrl_interface parameters in
- registry (ctrl_interface string value in
- HKLM\SOFTWARE\wpa_supplicant\interfaces\0000 key); this new value is
- required to enable control interface (previously, this was hardcoded
- to be enabled)
- * allow wpa_gui subdirectory to be built with both Qt3 and Qt4
- * converted wpa_gui-qt4 subdirectory to use Qt4 specific project format
-
- 2006-06-20 - v0.5.4
- * fixed build with CONFIG_STAKEY=y [Bug 143]
- * added support for doing MLME (IEEE 802.11 management frame
- processing) in wpa_supplicant when using Devicescape IEEE 802.11
- stack (wireless-dev.git tree)
- * added a new network block configuration option, fragment_size, to
- configure the maximum EAP fragment size
- * driver_ndis: Disable WZC automatically for the selected interface to
- avoid conflicts with two programs trying to control the radio; WZC
- will be re-enabled (if it was enabled originally) when wpa_supplicant
- is terminated
- * added an experimental TLSv1 client implementation
- (CONFIG_TLS=internal) that can be used instead of an external TLS
- library, e.g., to reduce total size requirement on systems that do
- not include any TLS library by default (this is not yet complete;
- basic functionality is there, but certificate validation is not yet
- included)
- * added PeerKey handshake implementation for IEEE 802.11e
- direct link setup (DLS) to replace STAKey handshake
- * fixed WPA PSK update through ctrl_iface for the case where the old
- PSK was derived from an ASCII passphrase and the new PSK is set as
- a raw PSK (hex string)
- * added new configuration option for identifying which network block
- was used (id_str in wpa_supplicant.conf; included on
- WPA_EVENT_CONNECT monitor event and as WPA_ID_STR environmental
- variable in wpa_cli action scripts; in addition WPA_ID variable is
- set to the current unique identifier that wpa_supplicant assigned
- automatically for the network and that can be used with
- GET_NETWORK/SET_NETWORK ctrl_iface commands)
- * wpa_cli action script is now called only when the connect/disconnect
- status changes or when associating with a different network
- * fixed configuration parser not to remove CCMP from group cipher list
- if WPA-None (adhoc) is used (pairwise=NONE in that case)
- * fixed integrated NDIS events processing not to hang the process due
- to a missed change in eloop_win.c API in v0.5.3 [Bug 155]
- * added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
- draft-clancy-emu-eap-shared-secret-00.txt)
- * added Microsoft Visual Studio 2005 solution and project files for
- build wpa_supplicant for Windows (see vs2005 subdirectory)
- * eloop_win: fixed unregistration of Windows events
- * l2_packet_winpcap: fixed a deadlock in deinitializing l2_packet
- at the end of RSN pre-authentication and added unregistration of
- a Windows event to avoid getting eloop_win stuck with an invalid
- handle
- * driver_ndis: added support for selecting AP based on BSSID
- * added new environmental variable for wpa_cli action scripts:
- WPA_CTRL_DIR is the current control interface directory
- * driver_ndis: added support for using NDISUIO instead of WinPcap for
- OID set/query operations (CONFIG_USE_NDISUIO=y in .config); with new
- l2_packet_ndis (CONFIG_L2_PACKET=ndis), this can be used to build
- wpa_supplicant without requiring WinPcap; note that using NDISUIO
- requires that WZC is disabled (net stop wzcsvc) since NDISUIO allows
- only one application to open the device
- * changed NDIS driver naming to only include device GUID, e.g.,
- {7EE3EFE5-C165-472F-986D-F6FBEDFE8C8D}, instead of including WinPcap
- specific \Device\NPF_ prefix before the GUID; the prefix is still
- allowed for backwards compatibility, but it is not required anymore
- when specifying the interface
- * driver_ndis: re-initialize driver interface is the adapter is removed
- and re-inserted [Bug 159]
- * driver_madwifi: fixed TKIP and CCMP sequence number configuration on
- big endian hosts [Bug 146]
-
- 2006-04-27 - v0.5.3
- * fixed EAP-GTC response to include correct user identity when run as
- phase 2 method of EAP-FAST (i.e., EAP-FAST did not work in v0.5.2)
- * driver_ndis: Fixed encryption mode configuration for unencrypted
- networks (some NDIS drivers ignored this, but others, e.g., Broadcom,
- refused to associate with open networks) [Bug 106]
- * driver_ndis: use BSSID OID polling to detect when IBSS network is
- formed even when ndis_events code is included since some NDIS drivers
- do not generate media connect events in IBSS mode
- * config_winreg: allow global ctrl_interface parameter to be configured
- in Windows registry
- * config_winreg: added support for saving configuration data into
- Windows registry
- * added support for controlling network device operational state
- (dormant/up) for Linux 2.6.17 to improve DHCP processing (see
- http://www.flamewarmaster.de/software/dhcpclient/ for a DHCP client
- that can use this information)
- * driver_wext: added support for WE-21 change to SSID configuration
- * driver_wext: fixed privacy configuration for static WEP keys mode
- [Bug 140]
- * added an optional driver_ops callback for MLME-SETPROTECTION.request
- primitive
- * added support for EAP-SAKE (no EAP method number allocated yet, so
- this is using the same experimental type 255 as EAP-PSK)
- * added support for dynamically loading EAP methods (.so files) instead
- of requiring them to be statically linked in; this is disabled by
- default (see CONFIG_DYNAMIC_EAP_METHODS in defconfig for information
- on how to use this)
-
- 2006-03-19 - v0.5.2
- * do not try to use USIM APDUs when initializing PC/SC for SIM card
- access for a network that has not enabled EAP-AKA
- * fixed EAP phase 2 Nak for EAP-{PEAP,TTLS,FAST} (this was broken in
- v0.5.1 due to the new support for expanded EAP types)
- * added support for generating EAP Expanded Nak
- * try to fetch scan results once before requesting new scan when
- starting up in ap_scan=1 mode (this can speed up initial association
- a lot with, e.g., madwifi-ng driver)
- * added support for receiving EAPOL frames from a Linux bridge
- interface (-bbr0 on command line)
- * fixed EAPOL re-authentication for sessions that used PMKSA caching
- * changed EAP method registration to use a dynamic list of methods
- instead of a static list generated at build time
- * fixed PMKSA cache deinitialization not to use freed memory when
- removing PMKSA entries
- * fixed a memory leak in EAP-TTLS re-authentication
- * reject WPA/WPA2 message 3/4 if it does not include any valid
- WPA/RSN IE
- * driver_wext: added fallback to use SIOCSIWENCODE for setting auth_alg
- if the driver does not support SIOCSIWAUTH
-
- 2006-01-29 - v0.5.1
- * driver_test: added better support for multiple APs and STAs by using
- a directory with sockets that include MAC address for each device in
- the name (driver_param=test_dir=/tmp/test)
- * added support for EAP expanded type (vendor specific EAP methods)
- * added AP_SCAN command into ctrl_iface so that ap_scan configuration
- option can be changed if needed
- * wpa_cli/wpa_gui: skip non-socket files in control directory when
- using UNIX domain sockets; this avoids selecting an incorrect
- interface (e.g., a PID file could be in this directory, even though
- use of this directory for something else than socket files is not
- recommended)
- * fixed TLS library deinitialization after RSN pre-authentication not
- to disable TLS library for normal authentication
- * driver_wext: Remove null-termination from SSID length if the driver
- used it; some Linux drivers do this and they were causing problems in
- wpa_supplicant not finding matching configuration block. This change
- would break a case where the SSID actually ends in '\0', but that is
- not likely to happen in real use.
- * fixed PMKSA cache processing not to trigger deauthentication if the
- current PMKSA cache entry is replaced with a valid new entry
- * fixed PC/SC initialization for ap_scan != 1 modes (this fixes
- EAP-SIM and EAP-AKA with real SIM/USIM card when using ap_scan=0 or
- ap_scan=2)
-
- 2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
- * added experimental STAKey handshake implementation for IEEE 802.11e
- direct link setup (DLS); note: this is disabled by default in both
- build and runtime configuration (can be enabled with CONFIG_STAKEY=y
- and stakey=1)
- * fixed EAP-SIM and EAP-AKA pseudonym and fast re-authentication to
- decrypt AT_ENCR_DATA attributes correctly
- * fixed EAP-AKA to allow resynchronization within the same session
- * made code closer to ANSI C89 standard to make it easier to port to
- other C libraries and compilers
- * started moving operating system or C library specific functions into
- wrapper functions defined in os.h and implemented in os_*.c to make
- code more portable
- * wpa_supplicant can now be built with Microsoft Visual C++
- (e.g., with the freely available Toolkit 2003 version or Visual
- C++ 2005 Express Edition and Platform SDK); see nmake.mak for an
- example makefile for nmake
- * added support for using Windows registry for command line parameters
- (CONFIG_MAIN=main_winsvc) and configuration data
- (CONFIG_BACKEND=winreg); see win_example.reg for an example registry
- contents; this version can be run both as a Windows service and as a
- normal application; 'wpasvc.exe app' to start as applicant,
- 'wpasvc.exe reg <full path to wpasvc.exe>' to register a service,
- 'net start wpasvc' to start the service, 'wpasvc.exe unreg' to
- unregister a service
- * made it possible to link ndis_events.exe functionality into
- wpa_supplicant.exe by defining CONFIG_NDIS_EVENTS_INTEGRATED
- * added better support for multiple control interface backends
- (CONFIG_CTRL_IFACE option); currently, 'unix' and 'udp' are supported
- * fixed PC/SC code to use correct length for GSM AUTH command buffer
- and to not use pioRecvPci with SCardTransmit() calls; these were not
- causing visible problems with pcsc-lite, but Windows Winscard.dll
- refused the previously used parameters; this fixes EAP-SIM and
- EAP-AKA authentication using SIM/USIM card under Windows
- * added new event loop implementation for Windows using
- WaitForMultipleObject() instead of select() in order to allow waiting
- for non-socket objects; this can be selected with
- CONFIG_ELOOP=eloop_win in .config
- * added support for selecting l2_packet implementation in .config
- (CONFIG_L2_PACKET; following options are available now: linux, pcap,
- winpcap, freebsd, none)
- * added new l2_packet implementation for WinPcap
- (CONFIG_L2_PACKET=winpcap) that uses a separate receive thread to
- reduce latency in EAPOL receive processing from about 100 ms to about
- 3 ms
- * added support for EAP-FAST key derivation using other ciphers than
- RC4-128-SHA for authentication and AES128-SHA for provisioning
- * added support for configuring CA certificate as DER file and as a
- configuration blob
- * fixed private key configuration as configuration blob and added
- support for using PKCS#12 as a blob
- * tls_gnutls: added support for using PKCS#12 files; added support for
- session resumption
- * added support for loading trusted CA certificates from Windows
- certificate store: ca_cert="cert_store://<name>", where <name> is
- likely CA (Intermediate CA certificates) or ROOT (root certificates)
- * added C version of ndis_events.cpp and made it possible to build this
- with MinGW so that CONFIG_NDIS_EVENTS_INTEGRATED can be used more
- easily on cross-compilation builds
- * added wpasvc.exe into Windows binary release; this is an alternative
- version of wpa_supplicant.exe with configuration backend using
- Windows registry and with the entry point designed to run as a
- Windows service
- * integrated ndis_events.exe functionality into wpa_supplicant.exe and
- wpasvc.exe and removed this additional tool from the Windows binary
- release since it is not needed anymore
- * load winscard.dll functions dynamically when building with MinGW
- since MinGW does not yet include winscard library
-
- 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
- * l2_packet_pcap: fixed wired IEEE 802.1X authentication with libpcap
- and WinPcap to receive frames sent to PAE group address
- * disable EAP state machine when IEEE 802.1X authentication is not used
- in order to get rid of bogus "EAP failed" messages
- * fixed OpenSSL error reporting to go through all pending errors to
- avoid confusing reports of old errors being reported at later point
- during handshake
- * fixed configuration file updating to not write empty variables
- (e.g., proto or key_mgmt) that the file parser would not accept
- * fixed ADD_NETWORK ctrl_iface command to use the same default values
- for variables as empty network definitions read from config file
- would get
- * fixed EAP state machine to not discard EAP-Failure messages in many
- cases (e.g., during TLS handshake)
- * fixed a infinite loop in private key reading if the configured file
- cannot be parsed successfully
- * driver_madwifi: added support for madwifi-ng
- * wpa_gui: do not display password/PSK field contents
- * wpa_gui: added CA certificate configuration
- * driver_ndis: fixed scan request in ap_scan=2 mode not to change SSID
- * driver_ndis: include Beacon IEs in AssocInfo in order to notice if
- the new AP is using different WPA/RSN IE
- * use longer timeout for IEEE 802.11 association to avoid problems with
- drivers that may take more than five second to associate
-
- 2005-10-27 - v0.4.6
- * allow fallback to WPA, if mixed WPA+WPA2 networks have mismatch in
- RSN IE, but WPA IE would match with wpa_supplicant configuration
- * added support for named configuration blobs in order to avoid having
- to use file system for external files (e.g., certificates);
- variables can be set to "blob://<blob name>" instead of file path to
- use a named blob; supported fields: pac_file, client_cert,
- private_key
- * fixed RSN pre-authentication (it was broken in the clean up of WPA
- state machine interface in v0.4.5)
- * driver_madwifi: set IEEE80211_KEY_GROUP flag for group keys to make
- sure the driver configures broadcast decryption correctly
- * added ca_path (and ca_path2) configuration variables that can be used
- to configure OpenSSL CA path, e.g., /etc/ssl/certs, for using the
- system-wide trusted CA list
- * added support for starting wpa_supplicant without a configuration
- file (-C argument must be used to set ctrl_interface parameter for
- this case; in addition, -p argument can be used to provide
- driver_param; these new arguments can also be used with a
- configuration to override the values from the configuration)
- * added global control interface that can be optionally used for adding
- and removing network interfaces dynamically (-g command line argument
- for both wpa_supplicant and wpa_cli) without having to restart
- wpa_supplicant process
- * wpa_gui:
- - try to save configuration whenever something is modified
- - added WEP key configuration
- - added possibility to edit the current network configuration
- * driver_ndis: fixed driver polling not to increase frequency on each
- received EAPOL frame due to incorrectly cancelled timeout
- * added simple configuration file examples (in examples subdirectory)
- * fixed driver_wext.c to filter wireless events based on ifindex to
- avoid interfaces receiving events from other interfaces
- * delay sending initial EAPOL-Start couple of seconds to speed up
- authentication for the most common case of Authenticator starting
- EAP authentication immediately after association
-
- 2005-09-25 - v0.4.5
- * added a workaround for clearing keys with ndiswrapper to allow
- roaming from WPA enabled AP to plaintext one
- * added docbook documentation (doc/docbook) that can be used to
- generate, e.g., man pages
- * l2_packet_linux: use socket type SOCK_DGRAM instead of SOCK_RAW for
- PF_PACKET in order to prepare for network devices that do not use
- Ethernet headers (e.g., network stack with native IEEE 802.11 frames)
- * use receipt of EAPOL-Key frame as a lower layer success indication
- for EAP state machine to allow recovery from dropped EAP-Success
- frame
- * cleaned up internal EAPOL frame processing by not including link
- layer (Ethernet) header during WPA and EAPOL/EAP processing; this
- header is added only when transmitted the frame; this makes it easier
- to use wpa_supplicant on link layers that use different header than
- Ethernet
- * updated EAP-PSK to use draft 9 by default since this can now be
- tested with hostapd; removed support for draft 3, including
- server_nai configuration option from network blocks
- * driver_wired: add PAE address to the multicast address list in order
- to be able to receive EAPOL frames with drivers that do not include
- these multicast addresses by default
- * driver_wext: add support for WE-19
- * added support for multiple configuration backends (CONFIG_BACKEND
- option); currently, only 'file' is supported (i.e., the format used
- in wpa_supplicant.conf)
- * added support for updating configuration ('wpa_cli save_config');
- this is disabled by default and can be enabled with global
- update_config=1 variable in wpa_supplicant.conf; this allows wpa_cli
- and wpa_gui to store the configuration changes in a permanent store
- * added GET_NETWORK ctrl_iface command
- (e.g., 'wpa_cli get_network 0 ssid')
-
- 2005-08-21 - v0.4.4
- * replaced OpenSSL patch for EAP-FAST support
- (openssl-tls-extensions.patch) with a more generic and correct
- patch (the new patch is not compatible with the previous one, so the
- OpenSSL library will need to be patched with the new patch in order
- to be able to build wpa_supplicant with EAP-FAST support)
- * added support for using Windows certificate store (through CryptoAPI)
- for client certificate and private key operations (EAP-TLS)
- (see wpa_supplicant.conf for more information on how to configure
- this with private_key)
- * ported wpa_gui to Windows
- * added Qt4 version of wpa_gui (wpa_gui-qt4 directory); this can be
- built with the open source version of the Qt4 for Windows
- * allow non-WPA modes (e.g., IEEE 802.1X with dynamic WEP) to be used
- with drivers that do not support WPA
- * ndis_events: fixed Windows 2000 support
- * added support for enabling/disabling networks from the list of all
- configured networks ('wpa_cli enable_network <network id>' and
- 'wpa_cli disable_network <network id>')
- * added support for adding and removing network from the current
- configuration ('wpa_cli add_network' and 'wpa_cli remove_network
- <network id>'); added networks are disabled by default and they can
- be enabled with enable_network command once the configuration is done
- for the new network; note: configuration file is not yet updated, so
- these new networks are lost when wpa_supplicant is restarted
- * added support for setting network configuration parameters through
- the control interface, for example:
- wpa_cli set_network 0 ssid "\"my network\""
- * fixed parsing of strings that include both " and # within double
- quoted area (e.g., "start"#end")
- * added EAP workaround for PEAP session resumption: allow outer,
- i.e., not tunneled, EAP-Success to terminate session since; this can
- be disabled with eap_workaround=0
- (this was allowed for PEAPv1 before, but now it is also allowed for
- PEAPv0 since at least one RADIUS authentication server seems to be
- doing this for PEAPv0, too)
- * wpa_gui: added preliminary support for adding new networks to the
- wpa_supplicant configuration (double click on the scan results to
- open network configuration)
-
- 2005-06-26 - v0.4.3
- * removed interface for external EAPOL/EAP supplicant (e.g.,
- Xsupplicant), (CONFIG_XSUPPLICANT_IFACE) since it is not required
- anymore and is unlikely to be used by anyone
- * driver_ndis: fixed WinPcap 3.0 support
- * fixed build with CONFIG_DNET_PCAP=y on Linux
- * l2_packet: moved different implementations into separate files
- (l2_packet_*.c)
-
- 2005-06-12 - v0.4.2
- * driver_ipw: updated driver structures to match with ipw2200-1.0.4
- (note: ipw2100-1.1.0 is likely to require an update to work with
- this)
- * added support for using ap_scan=2 mode with multiple network blocks;
- wpa_supplicant will go through the networks one by one until the
- driver reports a successful association; this uses the same order for
- networks as scan_ssid=1 scans, i.e., the priority field is ignored
- and the network block order in the file is used instead
- * fixed a potential issue in RSN pre-authentication ending up using
- freed memory if pre-authentication times out
- * added support for matching alternative subject name extensions of the
- authentication server certificate; new configuration variables
- altsubject_match and altsubject_match2
- * driver_ndis: added support for IEEE 802.1X authentication with wired
- NDIS drivers
- * added support for querying private key password (EAP-TLS) through the
- control interface (wpa_cli/wpa_gui) if one is not included in the
- configuration file
- * driver_broadcom: fixed couple of memory leaks in scan result
- processing
- * EAP-PAX is now registered as EAP type 46
- * fixed EAP-PAX MAC calculation
- * fixed EAP-PAX CK and ICK key derivation
- * added support for using password with EAP-PAX (as an alternative to
- entering key with eappsk); SHA-1 hash of the password will be used as
- the key in this case
- * added support for arbitrary driver interface parameters through the
- configuration file with a new driver_param field; this adds a new
- driver_ops function set_param()
- * added possibility to override l2_packet module with driver interface
- API (new send_eapol handler); this can be used to implement driver
- specific TX/RX functions for EAPOL frames
- * fixed ctrl_interface_group processing for the case where gid is
- entered as a number, not group name
- * driver_test: added support for testing hostapd with wpa_supplicant
- by using test driver interface without any kernel drivers or network
- cards
-
- 2005-05-22 - v0.4.1
- * driver_madwifi: fixed WPA/WPA2 mode configuration to allow EAPOL
- packets to be encrypted; this was apparently broken by the changed
- ioctl order in v0.4.0
- * driver_madwifi: added preliminary support for compiling against 'BSD'
- branch of madwifi CVS tree
- * added support for EAP-MSCHAPv2 password retries within the same EAP
- authentication session
- * added support for password changes with EAP-MSCHAPv2 (used when the
- password has expired)
- * added support for reading additional certificates from PKCS#12 files
- and adding them to the certificate chain
- * fixed association with IEEE 802.1X (no WPA) when dynamic WEP keys
- were used
- * fixed a possible double free in EAP-TTLS fast-reauthentication when
- identity or password is entered through control interface
- * display EAP Notification messages to user through control interface
- with "CTRL-EVENT-EAP-NOTIFICATION" prefix
- * added GUI version of wpa_cli, wpa_gui; this is not build
- automatically with 'make'; use 'make wpa_gui' to build (this requires
- Qt development tools)
- * added 'disconnect' command to control interface for setting
- wpa_supplicant in state where it will not associate before
- 'reassociate' command has been used
- * added support for selecting a network from the list of all configured
- networks ('wpa_cli select_network <network id>'; this disabled all
- other networks; to re-enable, 'wpa_cli select_network any')
- * added support for getting scan results through control interface
- * added EAP workaround for PEAPv1 session resumption: allow outer,
- i.e., not tunneled, EAP-Success to terminate session since; this can
- be disabled with eap_workaround=0
-
- 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
- * added a new build time option, CONFIG_NO_STDOUT_DEBUG, that can be
- used to reduce the size of the wpa_supplicant considerably if
- debugging code is not needed
- * fixed EAPOL-Key validation to drop packets with invalid Key Data
- Length; such frames could have crashed wpa_supplicant due to buffer
- overflow
- * added support for wired authentication (IEEE 802.1X on wired
- Ethernet); driver interface 'wired'
- * obsoleted set_wpa() handler in the driver interface API (it can be
- replaced by moving enable/disable functionality into init()/deinit())
- (calls to set_wpa() are still present for backwards compatibility,
- but they may be removed in the future)
- * driver_madwifi: fixed association in plaintext mode
- * modified the EAP workaround that accepts EAP-Success with incorrect
- Identifier to be even less strict about verification in order to
- interoperate with some authentication servers
- * added support for sending TLS alerts
- * added support for 'any' SSID wildcard; if ssid is not configured or
- is set to an empty string, any SSID will be accepted for non-WPA AP
- * added support for asking PIN (for SIM) from frontends (e.g.,
- wpa_cli); if a PIN is needed, but not included in the configuration
- file, a control interface request is sent and EAP processing is
- delayed until the PIN is available
- * added support for using external devices (e.g., a smartcard) for
- private key operations in EAP-TLS (CONFIG_SMARTCARD=y in .config);
- new wpa_supplicant.conf variables:
- - global: opensc_engine_path, pkcs11_engine_path, pkcs11_module_path
- - network: engine, engine_id, key_id
- * added experimental support for EAP-PAX
- * added monitor mode for wpa_cli (-a<path to a program to run>) that
- allows external commands (e.g., shell scripts) to be run based on
- wpa_supplicant events, e.g., when authentication has been completed
- and data connection is ready; other related wpa_cli arguments:
- -B (run in background), -P (write PID file); wpa_supplicant has a new
- command line argument (-W) that can be used to make it wait until a
- control interface command is received in order to avoid missing
- events
- * added support for opportunistic WPA2 PMKSA key caching (disabled by
- default, can be enabled with proactive_key_caching=1)
- * fixed RSN IE in 4-Way Handshake message 2/4 for the case where
- Authenticator rejects PMKSA caching attempt and the driver is not
- using assoc_info events
- * added -P<pid file> argument for wpa_supplicant to write the current
- process id into a file
-
- 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)
- * added new phase1 option parameter, include_tls_length=1, to force
- wpa_supplicant to add TLS Message Length field to all TLS messages
- even if the packet is not fragmented; this may be needed with some
- authentication servers
- * fixed WPA/RSN IE verification in message 3 of 4-Way Handshake when
- using drivers that take care of AP selection (e.g., when using
- ap_scan=2)
- * fixed reprocessing of pending request after ctrl_iface requests for
- identity/password/otp
- * fixed ctrl_iface requests for identity/password/otp in Phase 2 of
- EAP-PEAP and EAP-TTLS
- * all drivers using driver_wext: set interface up and select Managed
- mode when starting wpa_supplicant; set interface down when exiting
- * renamed driver_ipw2100.c to driver_ipw.c since it now supports both
- ipw2100 and ipw2200; please note that this also changed the
- configuration variable in .config to CONFIG_DRIVER_IPW
-
- 2005-01-24 - v0.3.6
- * fixed a busy loop introduced in v0.3.5 for scan result processing
- when no matching AP is found
-
- 2005-01-23 - v0.3.5
- * added a workaround for an interoperability issue with a Cisco AP
- when using WPA2-PSK
- * fixed non-WPA IEEE 802.1X to use the same authentication timeout as
- WPA with IEEE 802.1X (i.e., timeout 10 -> 70 sec to allow
- retransmission of dropped frames)
- * fixed issues with 64-bit CPUs and SHA1 cleanup in previous version
- (e.g., segfault when processing EAPOL-Key frames)
- * fixed EAP workaround and fast reauthentication configuration for
- RSN pre-authentication; previously these were disabled and
- pre-authentication would fail if the used authentication server
- requires EAP workarounds
- * added support for blacklisting APs that fail or timeout
- authentication in ap_scan=1 mode so that all APs are tried in cases
- where the ones with strongest signal level are failing authentication
- * fixed CA certificate loading after a failed EAP-TLS/PEAP/TTLS
- authentication attempt
- * allow EAP-PEAP/TTLS fast reauthentication only if Phase 2 succeeded
- in the previous authentication (previously, only Phase 1 success was
- verified)
-
- 2005-01-09 - v0.3.4
- * added preliminary support for IBSS (ad-hoc) mode configuration
- (mode=1 in network block); this included a new key_mgmt mode
- WPA-NONE, i.e., TKIP or CCMP with a fixed key (based on psk) and no
- key management; see wpa_supplicant.conf for more details and an
- example on how to configure this (note: this is currently implemented
- only for driver_hostapd.c, but the changes should be trivial to add
- in associate() handler for other drivers, too (assuming the driver
- supports WPA-None)
- * added preliminary port for native Windows (i.e., no cygwin) using
- mingw
-
- 2005-01-02 - v0.3.3
- * added optional support for GNU Readline and History Libraries for
- wpa_cli (CONFIG_READLINE)
- * cleaned up EAP state machine <-> method interface and number of
- small problems with error case processing not terminating on
- EAP-Failure but waiting for timeout
- * added couple of workarounds for interoperability issues with a
- Cisco AP when using WPA2
- * added support for EAP-FAST (draft-cam-winget-eap-fast-00.txt);
- Note: This requires a patch for openssl to add support for TLS
- extensions and number of workarounds for operations without
- certificates. Proof of concept type of experimental patch is
- included in openssl-tls-extensions.patch.
-
- 2004-12-19 - v0.3.2
- * fixed private key loading for cases where passphrase is not set
- * fixed Windows/cygwin L2 packet handler freeing; previous version
- could cause a segfault when RSN pre-authentication was completed
- * added support for PMKSA caching with drivers that generate RSN IEs
- (e.g., NDIS); currently, this is only implemented in driver_ndis.c,
- but similar code can be easily added to driver_ndiswrapper.c once
- ndiswrapper gets full support for RSN PMKSA caching
- * improved recovery from PMKID mismatches by requesting full EAP
- authentication in case of failed PMKSA caching attempt
- * driver_ndis: added support for NDIS NdisMIncidateStatus() events
- (this requires that ndis_events is ran while wpa_supplicant is
- running)
- * driver_ndis: use ADD_WEP/REMOVE_WEP when configuring WEP keys
- * added support for driver interfaces to replace the interface name
- based on driver/OS specific mapping, e.g., in case of driver_ndis,
- this allows the beginning of the adapter description to be used as
- the interface name
- * added support for CR+LF (Windows-style) line ends in configuration
- file
- * driver_ndis: enable radio before starting scanning, disable radio
- when exiting
- * modified association event handler to set portEnabled = FALSE before
- clearing port Valid in order to reset EAP state machine and avoid
- problems with new authentication getting ignored because of state
- machines ending up in AUTHENTICATED/SUCCESS state based on old
- information
- * added support for driver events to add PMKID candidates in order to
- allow drivers to give priority to most likely roaming candidates
- * driver_hostap: moved PrivacyInvoked configuration to associate()
- function so that this will not be set for plaintext connections
- * added KEY_MGMT_802_1X_NO_WPA as a new key_mgmt type so that driver
- interface can distinguish plaintext and IEEE 802.1X (no WPA)
- authentication
- * fixed static WEP key configuration to use broadcast/default type for
- all keys (previously, the default TX key was configured as pairwise/
- unicast key)
- * driver_ndis: added legacy WPA capability detection for non-WPA2
- drivers
- * added support for setting static WEP keys for IEEE 802.1X without
- dynamic WEP keying (eapol_flags=0)
-
- 2004-12-12 - v0.3.1
- * added support for reading PKCS#12 (PFX) files (as a replacement for
- PEM/DER) to get certificate and private key (CONFIG_PKCS12)
- * fixed compilation with CONFIG_PCSC=y
- * added new ap_scan mode, ap_scan=2, for drivers that take care of
- association, but need to be configured with security policy and SSID,
- e.g., ndiswrapper and NDIS driver; this mode should allow such
- drivers to work with hidden SSIDs and optimized roaming; when
- ap_scan=2 is used, only the first network block in the configuration
- file is used and this configuration should have explicit security
- policy (i.e., only one option in the lists) for key_mgmt, pairwise,
- group, proto variables
- * added experimental port of wpa_supplicant for Windows
- - driver_ndis.c driver interface (NDIS OIDs)
- - currently, this requires cygwin and WinPcap
- - small utility, win_if_list, can be used to get interface name
- * control interface can now be removed at build time; add
- CONFIG_CTRL_IFACE=y to .config to maintain old functionality
- * optional Xsupplicant interface can now be removed at build time;
- (CONFIG_XSUPPLICANT_IFACE=y in .config to bring it back)
- * added auth_alg to driver interface associate() parameters to make it
- easier for drivers to configure authentication algorithm as part of
- the association
-
- 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
- * driver_broadcom: added new driver interface for Broadcom wl.o driver
- (a generic driver for Broadcom IEEE 802.11a/g cards)
- * wpa_cli: fixed parsing of -p <path> command line argument
- * PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS
- ACK, not tunneled EAP-Success (of which only the first byte was
- actually send due to a bug in previous code); this seems to
- interoperate with most RADIUS servers that implements PEAPv1
- * PEAPv1: added support for terminating PEAP authentication on tunneled
- EAP-Success message; this can be configured by adding
- peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf
- (some RADIUS servers require this whereas others require a tunneled
- reply
- * PEAPv1: changed phase1 option peaplabel to use default to 0, i.e., to
- the old label for key derivation; previously, the default was 1,
- but it looks like most existing PEAPv1 implementations use the old
- label which is thus more suitable default option
- * added support for EAP-PSK (draft-bersani-eap-psk-03.txt)
- * fixed parsing of wep_tx_keyidx
- * added support for configuring list of allowed Phase 2 EAP types
- (for both EAP-PEAP and EAP-TTLS) instead of only one type
- * added support for configuring IEEE 802.11 authentication algorithm
- (auth_alg; mainly for using Shared Key authentication with static
- WEP keys)
- * added support for EAP-AKA (with UMTS SIM)
- * fixed couple of errors in PCSC handling that could have caused
- random-looking errors for EAP-SIM
- * added support for EAP-SIM pseudonyms and fast re-authentication
- * added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS
- session resumption)
- * added support for EAP-SIM with two challanges
- (phase1="sim_min_num_chal=3" can be used to require three challenges)
- * added support for configuring DH/DSA parameters for an ephemeral DH
- key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters
- dh_file and dh_file2 (phase 2); this adds support for using DSA keys
- and optional DH key exchange to achieve forward secracy with RSA keys
- * added support for matching subject of the authentication server
- certificate with a substring when using EAP-TLS/PEAP/TTLS; new
- configuration variables subject_match and subject_match2
- * changed SSID configuration in driver_wext.c (used by many driver
- interfaces) to use ssid_len+1 as the length for SSID since some Linux
- drivers expect this
- * fixed couple of unaligned reads in scan result parsing to fix WPA
- connection on some platforms (e.g., ARM)
- * added driver interface for Intel ipw2100 driver
- * added support for LEAP with WPA
- * added support for larger scan results report (old limit was 4 kB of
- data, i.e., about 35 or so APs) when using Linux wireless extensions
- v17 or newer
- * fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start
- only if there is a PMKSA cache entry for the current AP
- * fixed error handling for case where reading of scan results fails:
- must schedule a new scan or wpa_supplicant will remain waiting
- forever
- * changed debug output to remove shared password/key material by
- default; all key information can be included with -K command line
- argument to match the previous behavior
- * added support for timestamping debug log messages (disabled by
- default, can be enabled with -t command line argument)
- * set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104
- if keys are not configured to be used; this fixes IEEE 802.1X mode
- with drivers that use this information to configure whether Privacy
- bit can be in Beacon frames (e.g., ndiswrapper)
- * avoid clearing driver keys if no keys have been configured since last
- key clear request; this seems to improve reliability of group key
- handshake for ndiswrapper & NDIS driver which seems to be suffering
- of some kind of timing issue when the keys are cleared again after
- association
- * changed driver interface API:
- - WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which
- version is being used (now, this is set to 2; previously, it was
- not defined)
- - pass pointer to private data structure to all calls
- - the new API is not backwards compatible; all in-tree driver
- interfaces has been converted to the new API
- * added support for controlling multiple interfaces (radios) per
- wpa_supplicant process; each interface needs to be listed on the
- command line (-c, -i, -D arguments) with -N as a separator
- (-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi)
- * added a workaround for EAP servers that incorrectly use same Id for
- sequential EAP packets
- * changed libpcap/libdnet configuration to use .config variable,
- CONFIG_DNET_PCAP, instead of requiring Makefile modification
- * improved downgrade attack detection in IE verification of msg 3/4:
- verify both WPA and RSN IEs, if present, not only the selected one;
- reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or
- Probe Response frame, and RSN is enabled in wpa_supplicant
- configuration
- * fixed WPA msg 3/4 processing to allow Key Data field contain other
- IEs than just one WPA IE
- * added support for FreeBSD and driver interface for the BSD net80211
- layer (CONFIG_DRIVER_BSD=y in .config); please note that some of the
- required kernel mods have not yet been committed
- * made EAP workarounds configurable; enabled by default, can be
- disabled with network block option eap_workaround=0
-
- 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
- * resolved couple of interoperability issues with EAP-PEAPv1 and
- Phase 2 (inner EAP) fragment reassembly
- * driver_madwifi: fixed WEP key configuration for IEEE 802.1X when the
- AP is using non-zero key index for the unicast key and key index zero
- for the broadcast key
- * driver_hostap: fixed IEEE 802.1X WEP key updates and
- re-authentication by allowing unencrypted EAPOL frames when not using
- WPA
- * added a new driver interface, 'wext', which uses only standard,
- driver independent functionality in Linux wireless extensions;
- currently, this can be used only for non-WPA IEEE 802.1X mode, but
- eventually, this is to be extended to support full WPA/WPA2 once
- Linux wireless extensions get support for this
- * added support for mode in which the driver is responsible for AP
- scanning and selection; this is disabled by default and can be
- enabled with global ap_scan=0 variable in wpa_supplicant.conf;
- this mode can be used, e.g., with generic 'wext' driver interface to
- use wpa_supplicant as IEEE 802.1X Supplicant with any Linux driver
- supporting wireless extensions.
- * driver_madwifi: fixed WPA2 configuration and scan_ssid=1 (e.g.,
- operation with an AP that does not include SSID in the Beacon frames)
- * added support for new EAP authentication methods:
- EAP-TTLS/EAP-OTP, EAP-PEAPv0/OTP, EAP-PEAPv1/OTP, EAP-OTP
- * added support for asking one-time-passwords from frontends (e.g.,
- wpa_cli); this 'otp' command works otherwise like 'password' command,
- but the password is used only once and the frontend will be asked for
- a new password whenever a request from authenticator requires a
- password; this can be used with both EAP-OTP and EAP-GTC
- * changed wpa_cli to automatically re-establish connection so that it
- does not need to be re-started when wpa_supplicant is terminated and
- started again
- * improved user data (identity/password/otp) requests through
- frontends: process pending EAPOL packets after getting new
- information so that full authentication does not need to be
- restarted; in addition, send pending requests again whenever a new
- frontend is attached
- * changed control frontends to use a new directory for socket files to
- make it easier for wpa_cli to automatically select between interfaces
- and to provide access control for the control interface;
- wpa_supplicant.conf: ctrl_interface is now a path
- (/var/run/wpa_supplicant is the recommended path) and
- ctrl_interface_group can be used to select which group gets access to
- the control interface;
- wpa_cli: by default, try to connect to the first interface available
- in /var/run/wpa_supplicant; this path can be overriden with -p option
- and an interface can be selected with -i option (i.e., in most common
- cases, wpa_cli does not need to get any arguments)
- * added support for LEAP
- * added driver interface for Linux ndiswrapper
- * added priority option for network blocks in the configuration file;
- this allows networks to be grouped based on priority (the scan
- results are searched for matches with network blocks in this order)
-
- 2004-06-20 - v0.2.3
- * sort scan results to improve AP selection
- * fixed control interface socket removal for some error cases
- * improved scan requesting and authentication timeout
- * small improvements/bug fixes for EAP-MSCHAPv2, EAP-PEAP, and
- TLS processing
- * PEAP version can now be forced with phase1="peapver=<ver>"
- (mostly for testing; by default, the highest version supported by
- both the Supplicant and Authentication Server is selected
- automatically)
- * added support for madwifi driver (Atheros ar521x)
- * added a workaround for cases where AP sets Install Tx/Rx bit for
- WPA Group Key messages when pairwise keys are used (without this,
- the Group Key would be used for Tx and the AP would drop frames
- from the station)
- * added GSM SIM/USIM interface for GSM authentication algorithm for
- EAP-SIM; this requires pcsc-lite
- * added support for ATMEL AT76C5XXx driver
- * fixed IEEE 802.1X WEP key derivation in the case where Authenticator
- does not include key data in the EAPOL-Key frame (i.e., part of
- EAP keying material is used as data encryption key)
- * added support for using plaintext and static WEP networks
- (key_mgmt=NONE)
-
- 2004-05-31 - v0.2.2
- * added support for new EAP authentication methods:
- EAP-TTLS/EAP-MD5-Challenge
- EAP-TTLS/EAP-GTC
- EAP-TTLS/EAP-MSCHAPv2
- EAP-TTLS/EAP-TLS
- EAP-TTLS/MSCHAPv2
- EAP-TTLS/MSCHAP
- EAP-TTLS/PAP
- EAP-TTLS/CHAP
- EAP-PEAP/TLS
- EAP-PEAP/GTC
- EAP-PEAP/MD5-Challenge
- EAP-GTC
- EAP-SIM (not yet complete; needs GSM/SIM authentication interface)
- * added support for anonymous identity (to be used when identity is
- sent in plaintext; real identity will be used within TLS protected
- tunnel (e.g., with EAP-TTLS)
- * added event messages from wpa_supplicant to frontends, e.g., wpa_cli
- * added support for requesting identity and password information using
- control interface; in other words, the password for EAP-PEAP or
- EAP-TTLS does not need to be included in the configuration file since
- a frontand (e.g., wpa_cli) can ask it from the user
- * improved RSN pre-authentication to use a candidate list and process
- all candidates from each scan; not only one per scan
- * fixed RSN IE and WPA IE capabilities field parsing
- * ignore Tx bit in GTK IE when Pairwise keys are used
- * avoid making new scan requests during IEEE 802.1X negotiation
- * use openssl/libcrypto for MD5 and SHA-1 when compiling wpa_supplicant
- with TLS support (this replaces the included implementation with
- library code to save about 8 kB since the library code is needed
- anyway for TLS)
- * fixed WPA-PSK only mode when compiled without IEEE 802.1X support
- (i.e., without CONFIG_IEEE8021X_EAPOL=y in .config)
-
- 2004-05-06 - v0.2.1
- * added support for internal IEEE 802.1X (actually, IEEE 802.1aa/D6.1)
- Supplicant
- - EAPOL state machines for Supplicant [IEEE 802.1aa/D6.1]
- - EAP peer state machine [draft-ietf-eap-statemachine-02.pdf]
- - EAP-MD5 (cannot be used with WPA-RADIUS)
- [draft-ietf-eap-rfc2284bis-09.txt]
- - EAP-TLS [RFC 2716]
- - EAP-MSCHAPv2 (currently used only with EAP-PEAP)
- - EAP-PEAP/MSCHAPv2 [draft-josefsson-pppext-eap-tls-eap-07.txt]
- [draft-kamath-pppext-eap-mschapv2-00.txt]
- (PEAP version 0, 1, and parts of 2; only 0 and 1 are enabled by
- default; tested with FreeRADIUS, Microsoft IAS, and Funk Odyssey)
- - new configuration file options: eap, identity, password, ca_cert,
- client_cert, privatekey, private_key_passwd
- - Xsupplicant is not required anymore, but it can be used by
- disabling the internal IEEE 802.1X Supplicant with -e command line
- option
- - this code is not included in the default build; Makefile need to
- be edited for this (uncomment lines for selected functionality)
- - EAP-TLS and EAP-PEAP require openssl libraries
- * use module prefix in debug messages (WPA, EAP, EAP-TLS, ..)
- * added support for non-WPA IEEE 802.1X mode with dynamic WEP keys
- (i.e., complete IEEE 802.1X/EAP authentication and use IEEE 802.1X
- EAPOL-Key frames instead of WPA key handshakes)
- * added support for IEEE 802.11i/RSN (WPA2)
- - improved PTK Key Handshake
- - PMKSA caching, pre-authentication
- * fixed wpa_supplicant to ignore possible extra data after WPA
- EAPOL-Key packets (this fixes 'Invalid EAPOL-Key MIC when using
- TPTK' error from message 3 of 4-Way Handshake in case the AP
- includes extra data after the EAPOL-Key)
- * added interface for external programs (frontends) to control
- wpa_supplicant
- - CLI example (wpa_cli) with interactive mode and command line
- mode
- - replaced SIGUSR1 status/statistics with the new control interface
- * made some feature compile time configurable
- - .config file for make
- - driver interfaces (hostap, hermes, ..)
- - EAPOL/EAP functions
-
- 2004-02-15 - v0.2.0
- * Initial version of wpa_supplicant
|