1ChangeLog for wpa_supplicant 2 32022-01-16 - v2.10 4 * SAE changes 5 - improved protection against side channel attacks 6 [https://w1.fi/security/2022-1/] 7 - added support for the hash-to-element mechanism (sae_pwe=1 or 8 sae_pwe=2); this is currently disabled by default, but will likely 9 get enabled by default in the future 10 - fixed PMKSA caching with OKC 11 - added support for SAE-PK 12 * EAP-pwd changes 13 - improved protection against side channel attacks 14 [https://w1.fi/security/2022-1/] 15 * fixed P2P provision discovery processing of a specially constructed 16 invalid frame 17 [https://w1.fi/security/2021-1/] 18 * fixed P2P group information processing of a specially constructed 19 invalid frame 20 [https://w1.fi/security/2020-2/] 21 * fixed PMF disconnection protection bypass in AP mode 22 [https://w1.fi/security/2019-7/] 23 * added support for using OpenSSL 3.0 24 * increased the maximum number of EAP message exchanges (mainly to 25 support cases with very large certificates) 26 * fixed various issues in experimental support for EAP-TEAP peer 27 * added support for DPP release 2 (Wi-Fi Device Provisioning Protocol) 28 * a number of MKA/MACsec fixes and extensions 29 * added support for SAE (WPA3-Personal) AP mode configuration 30 * added P2P support for EDMG (IEEE 802.11ay) channels 31 * fixed EAP-FAST peer with TLS GCM/CCM ciphers 32 * improved throughput estimation and BSS selection 33 * dropped support for libnl 1.1 34 * added support for nl80211 control port for EAPOL frame TX/RX 35 * fixed OWE key derivation with groups 20 and 21; this breaks backwards 36 compatibility for these groups while the default group 19 remains 37 backwards compatible 38 * added support for Beacon protection 39 * added support for Extended Key ID for pairwise keys 40 * removed WEP support from the default build (CONFIG_WEP=y can be used 41 to enable it, if really needed) 42 * added a build option to remove TKIP support (CONFIG_NO_TKIP=y) 43 * added support for Transition Disable mechanism to allow the AP to 44 automatically disable transition mode to improve security 45 * extended D-Bus interface 46 * added support for PASN 47 * added a file-based backend for external password storage to allow 48 secret information to be moved away from the main configuration file 49 without requiring external tools 50 * added EAP-TLS peer support for TLS 1.3 (disabled by default for now) 51 * added support for SCS, MSCS, DSCP policy 52 * changed driver interface selection to default to automatic fallback 53 to other compiled in options 54 * a large number of other fixes, cleanup, and extensions 55 562019-08-07 - v2.9 57 * SAE changes 58 - disable use of groups using Brainpool curves 59 - improved protection against side channel attacks 60 [https://w1.fi/security/2019-6/] 61 * EAP-pwd changes 62 - disable use of groups using Brainpool curves 63 - allow the set of groups to be configured (eap_pwd_groups) 64 - improved protection against side channel attacks 65 [https://w1.fi/security/2019-6/] 66 * fixed FT-EAP initial mobility domain association using PMKSA caching 67 (disabled by default for backwards compatibility; can be enabled 68 with ft_eap_pmksa_caching=1) 69 * fixed a regression in OpenSSL 1.1+ engine loading 70 * added validation of RSNE in (Re)Association Response frames 71 * fixed DPP bootstrapping URI parser of channel list 72 * extended EAP-SIM/AKA fast re-authentication to allow use with FILS 73 * extended ca_cert_blob to support PEM format 74 * improved robustness of P2P Action frame scheduling 75 * added support for EAP-SIM/AKA using anonymous@realm identity 76 * fixed Hotspot 2.0 credential selection based on roaming consortium 77 to ignore credentials without a specific EAP method 78 * added experimental support for EAP-TEAP peer (RFC 7170) 79 * added experimental support for EAP-TLS peer with TLS v1.3 80 * fixed a regression in WMM parameter configuration for a TDLS peer 81 * fixed a regression in operation with drivers that offload 802.1X 82 4-way handshake 83 * fixed an ECDH operation corner case with OpenSSL 84 852019-04-21 - v2.8 86 * SAE changes 87 - added support for SAE Password Identifier 88 - changed default configuration to enable only groups 19, 20, 21 89 (i.e., disable groups 25 and 26) and disable all unsuitable groups 90 completely based on REVmd changes 91 - do not regenerate PWE unnecessarily when the AP uses the 92 anti-clogging token mechanisms 93 - fixed some association cases where both SAE and FT-SAE were enabled 94 on both the station and the selected AP 95 - started to prefer FT-SAE over SAE AKM if both are enabled 96 - started to prefer FT-SAE over FT-PSK if both are enabled 97 - fixed FT-SAE when SAE PMKSA caching is used 98 - reject use of unsuitable groups based on new implementation guidance 99 in REVmd (allow only FFC groups with prime >= 3072 bits and ECC 100 groups with prime >= 256) 101 - minimize timing and memory use differences in PWE derivation 102 [https://w1.fi/security/2019-1/] (CVE-2019-9494) 103 * EAP-pwd changes 104 - minimize timing and memory use differences in PWE derivation 105 [https://w1.fi/security/2019-2/] (CVE-2019-9495) 106 - verify server scalar/element 107 [https://w1.fi/security/2019-4/] (CVE-2019-9499) 108 - fix message reassembly issue with unexpected fragment 109 [https://w1.fi/security/2019-5/] 110 - enforce rand,mask generation rules more strictly 111 - fix a memory leak in PWE derivation 112 - disallow ECC groups with a prime under 256 bits (groups 25, 26, and 113 27) 114 * fixed CONFIG_IEEE80211R=y (FT) build without CONFIG_FILS=y 115 * Hotspot 2.0 changes 116 - do not indicate release number that is higher than the one 117 AP supports 118 - added support for release number 3 119 - enable PMF automatically for network profiles created from 120 credentials 121 * fixed OWE network profile saving 122 * fixed DPP network profile saving 123 * added support for RSN operating channel validation 124 (CONFIG_OCV=y and network profile parameter ocv=1) 125 * added Multi-AP backhaul STA support 126 * fixed build with LibreSSL 127 * number of MKA/MACsec fixes and extensions 128 * extended domain_match and domain_suffix_match to allow list of values 129 * fixed dNSName matching in domain_match and domain_suffix_match when 130 using wolfSSL 131 * started to prefer FT-EAP-SHA384 over WPA-EAP-SUITE-B-192 AKM if both 132 are enabled 133 * extended nl80211 Connect and external authentication to support 134 SAE, FT-SAE, FT-EAP-SHA384 135 * fixed KEK2 derivation for FILS+FT 136 * extended client_cert file to allow loading of a chain of PEM 137 encoded certificates 138 * extended beacon reporting functionality 139 * extended D-Bus interface with number of new properties 140 * fixed a regression in FT-over-DS with mac80211-based drivers 141 * OpenSSL: allow systemwide policies to be overridden 142 * extended driver flags indication for separate 802.1X and PSK 143 4-way handshake offload capability 144 * added support for random P2P Device/Interface Address use 145 * extended PEAP to derive EMSK to enable use with ERP/FILS 146 * extended WPS to allow SAE configuration to be added automatically 147 for PSK (wps_cred_add_sae=1) 148 * removed support for the old D-Bus interface (CONFIG_CTRL_IFACE_DBUS) 149 * extended domain_match and domain_suffix_match to allow list of values 150 * added a RSN workaround for misbehaving PMF APs that advertise 151 IGTK/BIP KeyID using incorrect byte order 152 * fixed PTK rekeying with FILS and FT 153 1542018-12-02 - v2.7 155 * fixed WPA packet number reuse with replayed messages and key 156 reinstallation 157 [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078, 158 CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, 159 CVE-2017-13086, CVE-2017-13087, CVE-2017-13088) 160 * fixed unauthenticated EAPOL-Key decryption in wpa_supplicant 161 [https://w1.fi/security/2018-1/] (CVE-2018-14526) 162 * added support for FILS (IEEE 802.11ai) shared key authentication 163 * added support for OWE (Opportunistic Wireless Encryption, RFC 8110; 164 and transition mode defined by WFA) 165 * added support for DPP (Wi-Fi Device Provisioning Protocol) 166 * added support for RSA 3k key case with Suite B 192-bit level 167 * fixed Suite B PMKSA caching not to update PMKID during each 4-way 168 handshake 169 * fixed EAP-pwd pre-processing with PasswordHashHash 170 * added EAP-pwd client support for salted passwords 171 * fixed a regression in TDLS prohibited bit validation 172 * started to use estimated throughput to avoid undesired signal 173 strength based roaming decision 174 * MACsec/MKA: 175 - new macsec_linux driver interface support for the Linux 176 kernel macsec module 177 - number of fixes and extensions 178 * added support for external persistent storage of PMKSA cache 179 (PMKSA_GET/PMKSA_ADD control interface commands; and 180 MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case) 181 * fixed mesh channel configuration pri/sec switch case 182 * added support for beacon report 183 * large number of other fixes, cleanup, and extensions 184 * added support for randomizing local address for GAS queries 185 (gas_rand_mac_addr parameter) 186 * fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel 187 * added option for using random WPS UUID (auto_uuid=1) 188 * added SHA256-hash support for OCSP certificate matching 189 * fixed EAP-AKA' to add AT_KDF into Synchronization-Failure 190 * fixed a regression in RSN pre-authentication candidate selection 191 * added option to configure allowed group management cipher suites 192 (group_mgmt network profile parameter) 193 * removed all PeerKey functionality 194 * fixed nl80211 AP and mesh mode configuration regression with 195 Linux 4.15 and newer 196 * added ap_isolate configuration option for AP mode 197 * added support for nl80211 to offload 4-way handshake into the driver 198 * added support for using wolfSSL cryptographic library 199 * SAE 200 - added support for configuring SAE password separately of the 201 WPA2 PSK/passphrase 202 - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection 203 for SAE; 204 note: this is not backwards compatible, i.e., both the AP and 205 station side implementations will need to be update at the same 206 time to maintain interoperability 207 - added support for Password Identifier 208 - fixed FT-SAE PMKID matching 209 * Hotspot 2.0 210 - added support for fetching of Operator Icon Metadata ANQP-element 211 - added support for Roaming Consortium Selection element 212 - added support for Terms and Conditions 213 - added support for OSEN connection in a shared RSN BSS 214 - added support for fetching Venue URL information 215 * added support for using OpenSSL 1.1.1 216 * FT 217 - disabled PMKSA caching with FT since it is not fully functional 218 - added support for SHA384 based AKM 219 - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128, 220 BIP-GMAC-256 in addition to previously supported BIP-CMAC-128 221 - fixed additional IE inclusion in Reassociation Request frame when 222 using FT protocol 223 2242016-10-02 - v2.6 225 * fixed WNM Sleep Mode processing when PMF is not enabled 226 [http://w1.fi/security/2015-6/] (CVE-2015-5310) 227 * fixed EAP-pwd last fragment validation 228 [http://w1.fi/security/2015-7/] (CVE-2015-5315) 229 * fixed EAP-pwd unexpected Confirm message processing 230 [http://w1.fi/security/2015-8/] (CVE-2015-5316) 231 * fixed WPS configuration update vulnerability with malformed passphrase 232 [http://w1.fi/security/2016-1/] (CVE-2016-4476) 233 * fixed configuration update vulnerability with malformed parameters set 234 over the local control interface 235 [http://w1.fi/security/2016-1/] (CVE-2016-4477) 236 * fixed TK configuration to the driver in EAPOL-Key 3/4 retry case 237 * extended channel switch support for P2P GO 238 * started to throttle control interface event message bursts to avoid 239 issues with monitor sockets running out of buffer space 240 * mesh mode fixes/improvements 241 - generate proper AID for peer 242 - enable WMM by default 243 - add VHT support 244 - fix PMKID derivation 245 - improve robustness on various exchanges 246 - fix peer link counting in reconnect case 247 - improve mesh joining behavior 248 - allow DTIM period to be configured 249 - allow HT to be disabled (disable_ht=1) 250 - add MESH_PEER_ADD and MESH_PEER_REMOVE commands 251 - add support for PMKSA caching 252 - add minimal support for SAE group negotiation 253 - allow pairwise/group cipher to be configured in the network profile 254 - use ieee80211w profile parameter to enable/disable PMF and derive 255 a separate TX IGTK if PMF is enabled instead of using MGTK 256 incorrectly 257 - fix AEK and MTK derivation 258 - remove GTKdata and IGTKdata from Mesh Peering Confirm/Close 259 - note: these changes are not fully backwards compatible for secure 260 (RSN) mesh network 261 * fixed PMKID derivation with SAE 262 * added support for requesting and fetching arbitrary ANQP-elements 263 without internal support in wpa_supplicant for the specific element 264 (anqp[265]=<hexdump> in "BSS <BSSID>" command output) 265 * P2P 266 - filter control characters in group client device names to be 267 consistent with other P2P peer cases 268 - support VHT 80+80 MHz and 160 MHz 269 - indicate group completion in P2P Client role after data association 270 instead of already after the WPS provisioning step 271 - improve group-join operation to use SSID, if known, to filter BSS 272 entries 273 - added optional ssid=<hexdump> argument to P2P_CONNECT for join case 274 - added P2P_GROUP_MEMBER command to fetch client interface address 275 * P2PS 276 - fix follow-on PD Response behavior 277 - fix PD Response generation for unknown peer 278 - fix persistent group reporting 279 - add channel policy to PD Request 280 - add group SSID to the P2PS-PROV-DONE event 281 - allow "P2P_CONNECT <addr> p2ps" to be used without specifying the 282 default PIN 283 * BoringSSL 284 - support for OCSP stapling 285 - support building of h20-osu-client 286 * D-Bus 287 - add ExpectDisconnect() 288 - add global config parameters as properties 289 - add SaveConfig() 290 - add VendorElemAdd(), VendorElemGet(), VendorElemRem() 291 * fixed Suite B 192-bit AKM to use proper PMK length 292 (note: this makes old releases incompatible with the fixed behavior) 293 * improved PMF behavior for cases where the AP and STA has different 294 configuration by not trying to connect in some corner cases where the 295 connection cannot succeed 296 * added option to reopen debug log (e.g., to rotate the file) upon 297 receipt of SIGHUP signal 298 * EAP-pwd: added support for Brainpool Elliptic Curves 299 (with OpenSSL 1.0.2 and newer) 300 * fixed EAPOL reauthentication after FT protocol run 301 * fixed FTIE generation for 4-way handshake after FT protocol run 302 * extended INTERFACE_ADD command to allow certain type (sta/ap) 303 interface to be created 304 * fixed and improved various FST operations 305 * added 80+80 MHz and 160 MHz VHT support for IBSS/mesh 306 * fixed SIGNAL_POLL in IBSS and mesh cases 307 * added an option to abort an ongoing scan (used to speed up connection 308 and can also be done with the new ABORT_SCAN command) 309 * TLS client 310 - do not verify CA certificates when ca_cert is not specified 311 - support validating server certificate hash 312 - support SHA384 and SHA512 hashes 313 - add signature_algorithms extension into ClientHello 314 - support TLS v1.2 signature algorithm with SHA384 and SHA512 315 - support server certificate probing 316 - allow specific TLS versions to be disabled with phase2 parameter 317 - support extKeyUsage 318 - support PKCS #5 v2.0 PBES2 319 - support PKCS #5 with PKCS #12 style key decryption 320 - minimal support for PKCS #12 321 - support OCSP stapling (including ocsp_multi) 322 * OpenSSL 323 - support OpenSSL 1.1 API changes 324 - drop support for OpenSSL 0.9.8 325 - drop support for OpenSSL 1.0.0 326 * added support for multiple schedule scan plans (sched_scan_plans) 327 * added support for external server certificate chain validation 328 (tls_ext_cert_check=1 in the network profile phase1 parameter) 329 * made phase2 parser more strict about correct use of auth=<val> and 330 autheap=<val> values 331 * improved GAS offchannel operations with comeback request 332 * added SIGNAL_MONITOR command to request signal strength monitoring 333 events 334 * added command for retrieving HS 2.0 icons with in-memory storage 335 (REQ_HS20_ICON, GET_HS20_ICON, DEL_HS20_ICON commands and 336 RX-HS20-ICON event) 337 * enabled ACS support for AP mode operations with wpa_supplicant 338 * EAP-PEAP: fixed interoperability issue with Windows 2012r2 server 339 ("Invalid Compound_MAC in cryptobinding TLV") 340 * EAP-TTLS: fixed success after fragmented final Phase 2 message 341 * VHT: added interoperability workaround for 80+80 and 160 MHz channels 342 * WNM: workaround for broken AP operating class behavior 343 * added kqueue(2) support for eloop (CONFIG_ELOOP_KQUEUE) 344 * nl80211: 345 - add support for full station state operations 346 - do not add NL80211_ATTR_SMPS_MODE attribute if HT is disabled 347 - add NL80211_ATTR_PREV_BSSID with Connect command 348 - fix IEEE 802.1X/WEP EAP reauthentication and rekeying to use 349 unencrypted EAPOL frames 350 * added initial MBO support; number of extensions to WNM BSS Transition 351 Management 352 * added support for PBSS/PCP and P2P on 60 GHz 353 * Interworking: add credential realm to EAP-TLS identity 354 * fixed EAPOL-Key Request Secure bit to be 1 if PTK is set 355 * HS 2.0: add support for configuring frame filters 356 * added POLL_STA command to check connectivity in AP mode 357 * added initial functionality for location related operations 358 * started to ignore pmf=1/2 parameter for non-RSN networks 359 * added wps_disabled=1 network profile parameter to allow AP mode to 360 be started without enabling WPS 361 * wpa_cli: added action script support for AP-ENABLED and AP-DISABLED 362 events 363 * improved Public Action frame addressing 364 - add gas_address3 configuration parameter to control Address 3 365 behavior 366 * number of small fixes 367 3682015-09-27 - v2.5 369 * fixed P2P validation of SSID element length before copying it 370 [http://w1.fi/security/2015-1/] (CVE-2015-1863) 371 * fixed WPS UPnP vulnerability with HTTP chunked transfer encoding 372 [http://w1.fi/security/2015-2/] (CVE-2015-4141) 373 * fixed WMM Action frame parser (AP mode) 374 [http://w1.fi/security/2015-3/] (CVE-2015-4142) 375 * fixed EAP-pwd peer missing payload length validation 376 [http://w1.fi/security/2015-4/] 377 (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146) 378 * fixed validation of WPS and P2P NFC NDEF record payload length 379 [http://w1.fi/security/2015-5/] 380 * nl80211: 381 - added VHT configuration for IBSS 382 - fixed vendor command handling to check OUI properly 383 - allow driver-based roaming to change ESS 384 * added AVG_BEACON_RSSI to SIGNAL_POLL output 385 * wpa_cli: added tab completion for number of commands 386 * removed unmaintained and not yet completed SChannel/CryptoAPI support 387 * modified Extended Capabilities element use in Probe Request frames to 388 include all cases if any of the values are non-zero 389 * added support for dynamically creating/removing a virtual interface 390 with interface_add/interface_remove 391 * added support for hashed password (NtHash) in EAP-pwd peer 392 * added support for memory-only PSK/passphrase (mem_only_psk=1 and 393 CTRL-REQ/RSP-PSK_PASSPHRASE) 394 * P2P 395 - optimize scan frequencies list when re-joining a persistent group 396 - fixed number of sequences with nl80211 P2P Device interface 397 - added operating class 125 for P2P use cases (this allows 5 GHz 398 channels 161 and 169 to be used if they are enabled in the current 399 regulatory domain) 400 - number of fixes to P2PS functionality 401 - do not allow 40 MHz co-ex PRI/SEC switch to force MCC 402 - extended support for preferred channel listing 403 * D-Bus: 404 - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface 405 - fixed PresenceRequest to use group interface 406 - added new signals: FindStopped, WPS pbc-overlap, 407 GroupFormationFailure, WPS timeout, InvitationReceived 408 - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient 409 - added manufacturer info 410 * added EAP-EKE peer support for deriving Session-Id 411 * added wps_priority configuration parameter to set the default priority 412 for all network profiles added by WPS 413 * added support to request a scan with specific SSIDs with the SCAN 414 command (optional "ssid <hexdump>" arguments) 415 * removed support for WEP40/WEP104 as a group cipher with WPA/WPA2 416 * fixed SAE group selection in an error case 417 * modified SAE routines to be more robust and PWE generation to be 418 stronger against timing attacks 419 * added support for Brainpool Elliptic Curves with SAE 420 * added support for CCMP-256 and GCMP-256 as group ciphers with FT 421 * fixed BSS selection based on estimated throughput 422 * added option to disable TLSv1.0 with OpenSSL 423 (phase1="tls_disable_tlsv1_0=1") 424 * added Fast Session Transfer (FST) module 425 * fixed OpenSSL PKCS#12 extra certificate handling 426 * fixed key derivation for Suite B 192-bit AKM (this breaks 427 compatibility with the earlier version) 428 * added RSN IE to Mesh Peering Open/Confirm frames 429 * number of small fixes 430 4312015-03-15 - v2.4 432 * allow OpenSSL cipher configuration to be set for internal EAP server 433 (openssl_ciphers parameter) 434 * fixed number of small issues based on hwsim test case failures and 435 static analyzer reports 436 * P2P: 437 - add new=<0/1> flag to P2P-DEVICE-FOUND events 438 - add passive channels in invitation response from P2P Client 439 - enable nl80211 P2P_DEVICE support by default 440 - fix regresssion in disallow_freq preventing search on social 441 channels 442 - fix regressions in P2P SD query processing 443 - try to re-invite with social operating channel if no common channels 444 in invitation 445 - allow cross connection on parent interface (this fixes number of 446 use cases with nl80211) 447 - add support for P2P services (P2PS) 448 - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to 449 be configured 450 * increase postponing of EAPOL-Start by one second with AP/GO that 451 supports WPS 2.0 (this makes it less likely to trigger extra roundtrip 452 of identity frames) 453 * add support for PMKSA caching with SAE 454 * add support for control mesh BSS (IEEE 802.11s) operations 455 * fixed number of issues with D-Bus P2P commands 456 * fixed regression in ap_scan=2 special case for WPS 457 * fixed macsec_validate configuration 458 * add a workaround for incorrectly behaving APs that try to use 459 EAPOL-Key descriptor version 3 when the station supports PMF even if 460 PMF is not enabled on the AP 461 * allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior 462 of disabling these can be configured to work around issues with broken 463 servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1" 464 * add support for Suite B (128-bit and 192-bit level) key management and 465 cipher suites 466 * add WMM-AC support (WMM_AC_ADDTS/WMM_AC_DELTS) 467 * improved BSS Transition Management processing 468 * add support for neighbor report 469 * add support for link measurement 470 * fixed expiration of BSS entry with all-zeros BSSID 471 * add optional LAST_ID=x argument to LIST_NETWORK to allow all 472 configured networks to be listed even with huge number of network 473 profiles 474 * add support for EAP Re-Authentication Protocol (ERP) 475 * fixed EAP-IKEv2 fragmentation reassembly 476 * improved PKCS#11 configuration for OpenSSL 477 * set stdout to be line-buffered 478 * add TDLS channel switch configuration 479 * add support for MAC address randomization in scans with nl80211 480 * enable HT for IBSS if supported by the driver 481 * add BSSID black and white lists (bssid_blacklist, bssid_whitelist) 482 * add support for domain_suffix_match with GnuTLS 483 * add OCSP stapling client support with GnuTLS 484 * include peer certificate in EAP events even without a separate probe 485 operation; old behavior can be restored with cert_in_cb=0 486 * add peer ceritficate alt subject name to EAP events 487 (CTRL-EVENT-EAP-PEER-ALT) 488 * add domain_match network profile parameter (similar to 489 domain_suffix_match, but full match is required) 490 * enable AP/GO mode HT Tx STBC automatically based on driver support 491 * add ANQP-QUERY-DONE event to provide information on ANQP parsing 492 status 493 * allow passive scanning to be forced with passive_scan=1 494 * add a workaround for Linux packet socket behavior when interface is in 495 bridge 496 * increase 5 GHz band preference in BSS selection (estimate SNR, if info 497 not available from driver; estimate maximum throughput based on common 498 HT/VHT/specific TX rate support) 499 * add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to 500 implement Interworking network selection behavior in upper layers 501 software components 502 * add optional reassoc_same_bss_optim=1 (disabled by default) 503 optimization to avoid unnecessary Authentication frame exchange 504 * extend TDLS frame padding workaround to cover all packets 505 * allow wpa_supplicant to recover nl80211 functionality if the cfg80211 506 module gets removed and reloaded without restarting wpa_supplicant 507 * allow hostapd DFS implementation to be used in wpa_supplicant AP mode 508 5092014-10-09 - v2.3 510 * fixed number of minor issues identified in static analyzer warnings 511 * fixed wfd_dev_info to be more careful and not read beyond the buffer 512 when parsing invalid information for P2P-DEVICE-FOUND 513 * extended P2P and GAS query operations to support drivers that have 514 maximum remain-on-channel time below 1000 ms (500 ms is the current 515 minimum supported value) 516 * added p2p_search_delay parameter to make the default p2p_find delay 517 configurable 518 * improved P2P operating channel selection for various multi-channel 519 concurrency cases 520 * fixed some TDLS failure cases to clean up driver state 521 * fixed dynamic interface addition cases with nl80211 to avoid adding 522 ifindex values to incorrect interface to skip foreign interface events 523 properly 524 * added TDLS workaround for some APs that may add extra data to the 525 end of a short frame 526 * fixed EAP-AKA' message parser with multiple AT_KDF attributes 527 * added configuration option (p2p_passphrase_len) to allow longer 528 passphrases to be generated for P2P groups 529 * fixed IBSS channel configuration in some corner cases 530 * improved HT/VHT/QoS parameter setup for TDLS 531 * modified D-Bus interface for P2P peers/groups 532 * started to use constant time comparison for various password and hash 533 values to reduce possibility of any externally measurable timing 534 differences 535 * extended explicit clearing of freed memory and expired keys to avoid 536 keeping private data in memory longer than necessary 537 * added optional scan_id parameter to the SCAN command to allow manual 538 scan requests for active scans for specific configured SSIDs 539 * fixed CTRL-EVENT-REGDOM-CHANGE event init parameter value 540 * added option to set Hotspot 2.0 Rel 2 update_identifier in network 541 configuration to support external configuration 542 * modified Android PNO functionality to send Probe Request frames only 543 for hidden SSIDs (based on scan_ssid=1) 544 * added generic mechanism for adding vendor elements into frames at 545 runtime (VENDOR_ELEM_ADD, VENDOR_ELEM_GET, VENDOR_ELEM_REMOVE) 546 * added fields to show unrecognized vendor elements in P2P_PEER 547 * removed EAP-TTLS/MSCHAPv2 interoperability workaround so that 548 MS-CHAP2-Success is required to be present regardless of 549 eap_workaround configuration 550 * modified EAP fast session resumption to allow results to be used only 551 with the same network block that generated them 552 * extended freq_list configuration to apply for sched_scan as well as 553 normal scan 554 * modified WPS to merge mixed-WPA/WPA2 credentials from a single session 555 * fixed nl80211/RTM_DELLINK processing when a P2P GO interface is 556 removed from a bridge 557 * fixed number of small P2P issues to make negotiations more robust in 558 corner cases 559 * added experimental support for using temporary, random local MAC 560 address (mac_addr and preassoc_mac_addr parameters); this is disabled 561 by default (i.e., previous behavior of using permanent address is 562 maintained if configuration is not changed) 563 * added D-Bus interface for setting/clearing WFD IEs 564 * fixed TDLS AID configuration for VHT 565 * modified -m<conf> configuration file to be used only for the P2P 566 non-netdev management device and do not load this for the default 567 station interface or load the station interface configuration for 568 the P2P management interface 569 * fixed external MAC address changes while wpa_supplicant is running 570 * started to enable HT (if supported by the driver) for IBSS 571 * fixed wpa_cli action script execution to use more robust mechanism 572 (CVE-2014-3686) 573 5742014-06-04 - v2.2 575 * added DFS indicator to get_capability freq 576 * added/fixed nl80211 functionality 577 - BSSID/frequency hint for driver-based BSS selection 578 - fix tearing down WDS STA interfaces 579 - support vendor specific driver command 580 (VENDOR <vendor id> <sub command id> [<hex formatted data>]) 581 - GO interface teardown optimization 582 - allow beacon interval to be configured for IBSS 583 - add SHA256-based AKM suites to CONNECT/ASSOCIATE commands 584 * removed unused NFC_RX_HANDOVER_REQ and NFC_RX_HANDOVER_SEL control 585 interface commands (the more generic NFC_REPORT_HANDOVER is now used) 586 * fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding; 587 this fixes password with include UTF-8 characters that use 588 three-byte encoding EAP methods that use NtPasswordHash 589 * fixed couple of sequences where radio work items could get stuck, 590 e.g., when rfkill blocking happens during scanning or when 591 scan-for-auth workaround is used 592 * P2P enhancements/fixes 593 - enable enable U-APSD on GO automatically if the driver indicates 594 support for this 595 - fixed some service discovery cases with broadcast queries not being 596 sent to all stations 597 - fixed Probe Request frame triggering invitation to trigger only a 598 single invitation instance even if multiple Probe Request frames are 599 received 600 - fixed a potential NULL pointer dereference crash when processing an 601 invalid Invitation Request frame 602 - add optional configuration file for the P2P_DEVICE parameters 603 - optimize scan for GO during persistent group invocation 604 - fix possible segmentation fault when PBC overlap is detected while 605 using a separate P2P group interface 606 - improve GO Negotiation robustness by allowing GO Negotiation 607 Confirmation to be retransmitted 608 - do use freed memory on device found event when P2P NFC 609 * added phase1 network parameter options for disabling TLS v1.1 and v1.2 610 to allow workarounds with misbehaving AAA servers 611 (tls_disable_tlsv1_1=1 and tls_disable_tlsv1_2=1) 612 * added support for OCSP stapling to validate AAA server certificate 613 during TLS exchange 614 * Interworking/Hotspot 2.0 enhancements 615 - prefer the last added network in Interworking connection to make the 616 behavior more consistent with likely user expectation 617 - roaming partner configuration (roaming_partner within a cred block) 618 - support Hotspot 2.0 Release 2 619 * "hs20_anqp_get <BSSID> 8" to request OSU Providers list 620 * "hs20_icon_request <BSSID> <icon filename>" to request icon files 621 * "fetch_osu" and "cancel_osu_fetch" to start/stop full OSU provider 622 search (all suitable APs in scan results) 623 * OSEN network for online signup connection 624 * min_{dl,ul}_bandwidth_{home,roaming} cred parameters 625 * max_bss_load cred parameter 626 * req_conn_capab cred parameter 627 * sp_priority cred parameter 628 * ocsp cred parameter 629 * slow down automatic connection attempts on EAP failure to meet 630 required behavior (no more than 10 retries within a 10-minute 631 interval) 632 * sample implementation of online signup client (both SPP and 633 OMA-DM protocols) (hs20/client/*) 634 - fixed GAS indication for additional comeback delay with status 635 code 95 636 - extend ANQP_GET to accept Hotspot 2.0 subtypes 637 ANQP_GET <addr> <info id>[,<info id>]... 638 [,hs20:<subtype>][...,hs20:<subtype>] 639 - add control interface events CRED-ADDED <id>, 640 CRED-MODIFIED <id> <field>, CRED-REMOVED <id> 641 - add "GET_CRED <id> <field>" command 642 - enable FT for the connection automatically if the AP advertises 643 support for this 644 - fix a case where auto_interworking=1 could end up stopping scanning 645 * fixed TDLS interoperability issues with supported operating class in 646 some deployed stations 647 * internal TLS implementation enhancements/fixes 648 - add SHA256-based cipher suites 649 - add DHE-RSA cipher suites 650 - fix X.509 validation of PKCS#1 signature to check for extra data 651 * fixed PTK derivation for CCMP-256 and GCMP-256 652 * added "reattach" command for fast reassociate-back-to-same-BSS 653 * allow PMF to be enabled for AP mode operation with the ieee80211w 654 parameter 655 * added "get_capability tdls" command 656 * added option to set config blobs through control interface with 657 "SET blob <name> <hexdump>" 658 * D-Bus interface extensions/fixes 659 - make p2p_no_group_iface configurable 660 - declare ServiceDiscoveryRequest method properly 661 - export peer's device address as a property 662 - make reassociate command behave like the control interface one, 663 i.e., to allow connection from disconnected state 664 * added optional "freq=<channel ranges>" parameter to SET pno 665 * added optional "freq=<channel ranges>" parameter to SELECT_NETWORK 666 * fixed OBSS scan result processing for 20/40 MHz co-ex report 667 * remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled 668 whenever CONFIG_WPS=y is set 669 * fixed regression in parsing of WNM Sleep Mode exit key data 670 * fixed potential segmentation fault and memory leaks in WNM neighbor 671 report processing 672 * EAP-pwd fixes 673 - fragmentation of PWD-Confirm-Resp 674 - fix memory leak when fragmentation is used 675 - fix possible segmentation fault on EAP method deinit if an invalid 676 group is negotiated 677 * added MACsec/IEEE Std 802.1X-2010 PAE implementation (currently 678 available only with the macsec_qca driver wrapper) 679 * fixed EAP-SIM counter-too-small message 680 * added 'dup_network <id_s> <id_d> <name>' command; this can be used to 681 clone the psk field without having toextract it from wpa_supplicant 682 * fixed GSM authentication on USIM 683 * added support for using epoll in eloop (CONFIG_ELOOP_EPOLL=y) 684 * fixed some concurrent virtual interface cases with dedicated P2P 685 management interface to not catch events from removed interface (this 686 could result in the management interface getting disabled) 687 * fixed a memory leak in SAE random number generation 688 * fixed off-by-one bounds checking in printf_encode() 689 - this could result in some control interface ATTACH command cases 690 terminating wpa_supplicant 691 * fixed EAPOL-Key exchange when GCMP is used with SHA256-based AKM 692 * various bug fixes 693 6942014-02-04 - v2.1 695 * added support for simultaneous authentication of equals (SAE) for 696 stronger password-based authentication with WPA2-Personal 697 * improved P2P negotiation and group formation robustness 698 - avoid unnecessary Dialog Token value changes during retries 699 - avoid more concurrent scanning cases during full group formation 700 sequence 701 - do not use potentially obsolete scan result data from driver 702 cache for peer discovery/updates 703 - avoid undesired re-starting of GO negotiation based on Probe 704 Request frames 705 - increase GO Negotiation and Invitation timeouts to address busy 706 environments and peers that take long time to react to messages, 707 e.g., due to power saving 708 - P2P Device interface type 709 * improved P2P channel selection (use more peer information and allow 710 more local options) 711 * added support for optional per-device PSK assignment by P2P GO 712 (wpa_cli p2p_set per_sta_psk <0/1>) 713 * added P2P_REMOVE_CLIENT for removing a client from P2P groups 714 (including persistent groups); this can be used to securely remove 715 a client from a group if per-device PSKs are used 716 * added more configuration flexibility for allowed P2P GO/client 717 channels (p2p_no_go_freq list and p2p_add_cli_chan=0/1) 718 * added nl80211 functionality 719 - VHT configuration for nl80211 720 - MFP (IEEE 802.11w) information for nl80211 command API 721 - support split wiphy dump 722 - FT (IEEE 802.11r) with driver-based SME 723 - use advertised number of supported concurrent channels 724 - QoS Mapping configuration 725 * improved TDLS negotiation robustness 726 * added more TDLS peer parameters to be configured to the driver 727 * optimized connection time by allowing recently received scan results 728 to be used instead of having to run through a new scan 729 * fixed ctrl_iface BSS command iteration with RANGE argument and no 730 exact matches; also fixed argument parsing for some cases with 731 multiple arguments 732 * added 'SCAN TYPE=ONLY' ctrl_iface command to request manual scan 733 without executing roaming/network re-selection on scan results 734 * added Session-Id derivation for EAP peer methods 735 * added fully automated regression testing with mac80211_hwsim 736 * changed configuration parser to reject invalid integer values 737 * allow AP/Enrollee to be specified with BSSID instead of UUID for 738 WPS ER operations 739 * disable network block temporarily on repeated connection failures 740 * changed the default driver interface from wext to nl80211 if both are 741 included in the build 742 * remove duplicate networks if WPS provisioning is run multiple times 743 * remove duplicate networks when Interworking network selection uses the 744 same network 745 * added global freq_list configuration to allow scan frequencies to be 746 limited for all cases instead of just for a specific network block 747 * added support for BSS Transition Management 748 * added option to use "IFNAME=<ifname> " prefix to use the global 749 control interface connection to perform per-interface commands; 750 similarly, allow global control interface to be used as a monitor 751 interface to receive events from all interfaces 752 * fixed OKC-based PMKSA cache entry clearing 753 * fixed TKIP group key configuration with FT 754 * added support for using OCSP stapling to validate server certificate 755 (ocsp=1 as optional and ocsp=2 as mandatory) 756 * added EAP-EKE peer 757 * added peer restart detection for IBSS RSN 758 * added domain_suffix_match (and domain_suffix_match2 for Phase 2 759 EAP-TLS) to specify additional constraint for the server certificate 760 domain name 761 * added support for external SIM/USIM processing in EAP-SIM, EAP-AKA, 762 and EAP-AKA' (CTRL-REQ-SIM and CTRL-RSP-SIM commands over control 763 interface) 764 * added global bgscan configuration option as a default for all network 765 blocks that do not specify their own bgscan parameters 766 * added D-Bus methods for TDLS 767 * added more control to scan requests 768 - "SCAN freq=<freq list>" can be used to specify which channels are 769 scanned (comma-separated frequency ranges in MHz) 770 - "SCAN passive=1" can be used to request a passive scan (no Probe 771 Request frames are sent) 772 - "SCAN use_id" can be used to request a scan id to be returned and 773 included in event messages related to this specific scan operation 774 - "SCAN only_new=1" can be used to request the driver/cfg80211 to 775 report only BSS entries that have been updated during this scan 776 round 777 - these optional arguments to the SCAN command can be combined with 778 each other 779 * modified behavior on externally triggered scans 780 - avoid concurrent operations requiring full control of the radio when 781 an externally triggered scan is detected 782 - do not use results for internal roaming decision 783 * added a new cred block parameter 'temporary' to allow credential 784 blocks to be stored separately even if wpa_supplicant configuration 785 file is used to maintain other network information 786 * added "radio work" framework to schedule exclusive radio operations 787 for off-channel functionality 788 - reduce issues with concurrent operations that try to control which 789 channel is used 790 - allow external programs to request exclusive radio control in a way 791 that avoids conflicts with wpa_supplicant 792 * added support for using Protected Dual of Public Action frames for 793 GAS/ANQP exchanges when associated with PMF 794 * added support for WPS+NFC updates and P2P+NFC 795 - improved protocol for WPS 796 - P2P group formation/join based on NFC connection handover 797 - new IPv4 address assignment for P2P groups (ip_addr_* configuration 798 parameters on the GO) to replace DHCP 799 - option to fetch and report alternative carrier records for external 800 NFC operations 801 * various bug fixes 802 8032013-01-12 - v2.0 804 * removed Qt3-based wpa_gui (obsoleted by wpa_qui-qt4) 805 * removed unmaintained driver wrappers broadcom, iphone, osx, ralink, 806 hostap, madwifi (hostap and madwifi remain available for hostapd; 807 their wpa_supplicant functionality is obsoleted by wext) 808 * improved debug logging (human readable event names, interface name 809 included in more entries) 810 * changed AP mode behavior to enable WPS only for open and 811 WPA/WPA2-Personal configuration 812 * improved P2P concurrency operations 813 - better coordination of concurrent scan and P2P search operations 814 - avoid concurrent remain-on-channel operation requests by canceling 815 previous operations prior to starting a new one 816 - reject operations that would require multi-channel concurrency if 817 the driver does not support it 818 - add parameter to select whether STA or P2P connection is preferred 819 if the driver cannot support both at the same time 820 - allow driver to indicate channel changes 821 - added optional delay=<search delay in milliseconds> parameter for 822 p2p_find to avoid taking all radio resources 823 - use 500 ms p2p_find search delay by default during concurrent 824 operations 825 - allow all channels in GO Negotiation if the driver supports 826 multi-channel concurrency 827 * added number of small changes to make it easier for static analyzers 828 to understand the implementation 829 * fixed number of small bugs (see git logs for more details) 830 * nl80211: number of updates to use new cfg80211/nl80211 functionality 831 - replace monitor interface with nl80211 commands for AP mode 832 - additional information for driver-based AP SME 833 - STA entry authorization in RSN IBSS 834 * EAP-pwd: 835 - fixed KDF for group 21 and zero-padding 836 - added support for fragmentation 837 - increased maximum number of hunting-and-pecking iterations 838 * avoid excessive Probe Response retries for broadcast Probe Request 839 frames (only with drivers using wpa_supplicant AP mode SME/MLME) 840 * added "GET country" ctrl_iface command 841 * do not save an invalid network block in wpa_supplicant.conf to avoid 842 problems reading the file on next start 843 * send STA connected/disconnected ctrl_iface events to both the P2P 844 group and parent interfaces 845 * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y) 846 * added "SET pno <1/0>" ctrl_iface command to start/stop preferred 847 network offload with sched_scan driver command 848 * merged in number of changes from Android repository for P2P, nl80211, 849 and build parameters 850 * changed P2P GO mode configuration to use driver capabilities to 851 automatically enable HT operations when supported 852 * added "wpa_cli status wps" command to fetch WPA2-Personal passhrase 853 for WPS use cases in AP mode 854 * EAP-AKA: keep pseudonym identity across EAP exchanges to match EAP-SIM 855 behavior 856 * improved reassociation behavior in cases where association is rejected 857 or when an AP disconnects us to handle common load balancing 858 mechanisms 859 - try to avoid extra scans when the needed information is available 860 * added optional "join" argument for p2p_prov_disc ctrl_iface command 861 * added group ifname to P2P-PROV-DISC-* events 862 * added P2P Device Address to AP-STA-DISCONNECTED event and use 863 p2p_dev_addr parameter name with AP-STA-CONNECTED 864 * added workarounds for WPS PBC overlap detection for some P2P use cases 865 where deployed stations work incorrectly 866 * optimize WPS connection speed by disconnecting prior to WPS scan and 867 by using single channel scans when AP channel is known 868 * PCSC and SIM/USIM improvements: 869 - accept 0x67 (Wrong length) as a response to READ RECORD to fix 870 issues with some USIM cards 871 - try to read MNC length from SIM/USIM 872 - build realm according to 3GPP TS 23.003 with identity from the SIM 873 - allow T1 protocol to be enabled 874 * added more WPS and P2P information available through D-Bus 875 * improve P2P negotiation robustness 876 - extra waits to get ACK frames through 877 - longer timeouts for cases where deployed devices have been 878 identified have issues meeting the specification requirements 879 - more retries for some P2P frames 880 - handle race conditions in GO Negotiation start by both devices 881 - ignore unexpected GO Negotiation Response frame 882 * added support for libnl 3.2 and newer 883 * added P2P persistent group info to P2P_PEER data 884 * maintain a list of P2P Clients for persistent group on GO 885 * AP: increased initial group key handshake retransmit timeout to 500 ms 886 * added optional dev_id parameter for p2p_find 887 * added P2P-FIND-STOPPED ctrl_iface event 888 * fixed issues in WPA/RSN element validation when roaming with ap_scan=1 889 and driver-based BSS selection 890 * do not expire P2P peer entries while connected with the peer in a 891 group 892 * fixed WSC element inclusion in cases where P2P is disabled 893 * AP: added a WPS workaround for mixed mode AP Settings with Windows 7 894 * EAP-SIM: fixed AT_COUNTER_TOO_SMALL use 895 * EAP-SIM/AKA: append realm to pseudonym identity 896 * EAP-SIM/AKA: store pseudonym identity in network configuration to 897 allow it to persist over multiple EAP sessions and wpa_supplicant 898 restarts 899 * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this 900 breaks interoperability with older versions 901 * added support for WFA Hotspot 2.0 902 - GAS/ANQP to fetch network information 903 - credential configuration and automatic network selections based on 904 credential match with ANQP information 905 * limited PMKSA cache entries to be used only with the network context 906 that was used to create them 907 * improved PMKSA cache expiration to avoid unnecessary disconnections 908 * adjusted bgscan_simple fast-scan backoff to avoid too frequent 909 background scans 910 * removed ctrl_iface event on P2P PD Response in join-group case 911 * added option to fetch BSS table entry based on P2P Device Address 912 ("BSS p2p_dev_addr=<P2P Device Address>") 913 * added BSS entry age to ctrl_iface BSS command output 914 * added optional MASK=0xH option for ctrl_iface BSS command to select 915 which fields are included in the response 916 * added optional RANGE=ALL|N1-N2 option for ctrl_iface BSS command to 917 fetch information about several BSSes in one call 918 * simplified licensing terms by selecting the BSD license as the only 919 alternative 920 * added "P2P_SET disallow_freq <freq list>" ctrl_iface command to 921 disable channels from P2P use 922 * added p2p_pref_chan configuration parameter to allow preferred P2P 923 channels to be specified 924 * added support for advertising immediate availability of a WPS 925 credential for P2P use cases 926 * optimized scan operations for P2P use cases (use single channel scan 927 for a specific SSID when possible) 928 * EAP-TTLS: fixed peer challenge generation for MSCHAPv2 929 * SME: do not use reassociation after explicit disconnection request 930 (local or a notification from an AP) 931 * added support for sending debug info to Linux tracing (-T on command 932 line) 933 * added support for using Deauthentication reason code 3 as an 934 indication of P2P group termination 935 * added wps_vendor_ext_m1 configuration parameter to allow vendor 936 specific attributes to be added to WPS M1 937 * started using separate TLS library context for tunneled TLS 938 (EAP-PEAP/TLS, EAP-TTLS/TLS, EAP-FAST/TLS) to support different CA 939 certificate configuration between Phase 1 and Phase 2 940 * added optional "auto" parameter for p2p_connect to request automatic 941 GO Negotiation vs. join-a-group selection 942 * added disabled_scan_offload parameter to disable automatic scan 943 offloading (sched_scan) 944 * added optional persistent=<network id> parameter for p2p_connect to 945 allow forcing of a specific SSID/passphrase for GO Negotiation 946 * added support for OBSS scan requests and 20/40 BSS coexistence reports 947 * reject PD Request for unknown group 948 * removed scripts and notes related to Windows binary releases (which 949 have not been used starting from 1.x) 950 * added initial support for WNM operations 951 - Keep-alive based on BSS max idle period 952 - WNM-Sleep Mode 953 - minimal BSS Transition Management processing 954 * added autoscan module to control scanning behavior while not connected 955 - autoscan_periodic and autoscan_exponential modules 956 * added new WPS NFC ctrl_iface mechanism 957 - added initial support NFC connection handover 958 - removed obsoleted WPS_OOB command (including support for deprecated 959 UFD config_method) 960 * added optional framework for external password storage ("ext:<name>") 961 * wpa_cli: added optional support for controlling wpa_supplicant 962 remotely over UDP (CONFIG_CTRL_IFACE=udp-remote) for testing purposes 963 * wpa_cli: extended tab completion to more commands 964 * changed SSID output to use printf-escaped strings instead of masking 965 of non-ASCII characters 966 - SSID can now be configured in the same format: ssid=P"abc\x00test" 967 * removed default ACM=1 from AC_VO and AC_VI 968 * added optional "ht40" argument for P2P ctrl_iface commands to allow 969 40 MHz channels to be requested on the 5 GHz band 970 * added optional parameters for p2p_invite command to specify channel 971 when reinvoking a persistent group as the GO 972 * improved FIPS mode builds with OpenSSL 973 - "make fips" with CONFIG_FIPS=y to build wpa_supplicant with the 974 OpenSSL FIPS object module 975 - replace low level OpenSSL AES API calls to use EVP 976 - use OpenSSL keying material exporter when possible 977 - do not export TLS keys in FIPS mode 978 - remove MD5 from CONFIG_FIPS=y builds 979 - use OpenSSL function for PKBDF2 passphrase-to-PSK 980 - use OpenSSL HMAC implementation 981 - mix RAND_bytes() output into random_get_bytes() to force OpenSSL 982 DRBG to be used in FIPS mode 983 - use OpenSSL CMAC implementation 984 * added mechanism to disable TLS Session Ticket extension 985 - a workaround for servers that do not support TLS extensions that 986 was enabled by default in recent OpenSSL versions 987 - tls_disable_session_ticket=1 988 - automatically disable TLS Session Ticket extension by default when 989 using EAP-TLS/PEAP/TTLS (i.e., only use it with EAP-FAST) 990 * changed VENDOR-TEST EAP method to use proper private enterprise number 991 (this will not interoperate with older versions) 992 * disable network block temporarily on authentication failures 993 * improved WPS AP selection during WPS PIN iteration 994 * added support for configuring GCMP cipher for IEEE 802.11ad 995 * added support for Wi-Fi Display extensions 996 - WFD_SUBELEMENT_SET ctrl_iface command to configure WFD subelements 997 - SET wifi_display <0/1> to disable/enable WFD support 998 - WFD service discovery 999 - an external program is needed to manage the audio/video streaming 1000 and codecs 1001 * optimized scan result use for network selection 1002 - use the internal BSS table instead of raw scan results 1003 - allow unnecessary scans to be skipped if fresh information is 1004 available (e.g., after GAS/ANQP round for Interworking) 1005 * added support for 256-bit AES with internal TLS implementation 1006 * allow peer to propose channel in P2P invitation process for a 1007 persistent group 1008 * added disallow_aps parameter to allow BSSIDs/SSIDs to be disallowed 1009 from network selection 1010 * re-enable the networks disabled during WPS operations 1011 * allow P2P functionality to be disabled per interface (p2p_disabled=1) 1012 * added secondary device types into P2P_PEER output 1013 * added an option to disable use of a separate P2P group interface 1014 (p2p_no_group_iface=1) 1015 * fixed P2P Bonjour SD to match entries with both compressed and not 1016 compressed domain name format and support multiple Bonjour PTR matches 1017 for the same key 1018 * use deauthentication instead of disassociation for all disconnection 1019 operations; this removes the now unused disassociate() wpa_driver_ops 1020 callback 1021 * optimized PSK generation on P2P GO by caching results to avoid 1022 multiple PBKDF2 operations 1023 * added okc=1 global configuration parameter to allow OKC to be enabled 1024 by default for all network blocks 1025 * added a workaround for WPS PBC session overlap detection to avoid 1026 interop issues with deployed station implementations that do not 1027 remove active PBC indication from Probe Request frames properly 1028 * added basic support for 60 GHz band 1029 * extend EAPOL frames processing workaround for roaming cases 1030 (postpone processing of unexpected EAPOL frame until association 1031 event to handle reordered events) 1032 10332012-05-10 - v1.0 1034 * bsd: Add support for setting HT values in IFM_MMASK. 1035 * Delay STA entry removal until Deauth/Disassoc TX status in AP mode. 1036 This allows the driver to use PS buffering of Deauthentication and 1037 Disassociation frames when the STA is in power save sleep. Only 1038 available with drivers that provide TX status events for Deauth/ 1039 Disassoc frames (nl80211). 1040 * Drop oldest unknown BSS table entries first. This makes it less 1041 likely to hit connection issues in environments with huge number 1042 of visible APs. 1043 * Add systemd support. 1044 * Add support for setting the syslog facility from the config file 1045 at build time. 1046 * atheros: Add support for IEEE 802.11w configuration. 1047 * AP mode: Allow enable HT20 if driver supports it, by setting the 1048 config parameter ieee80211n. 1049 * Allow AP mode to disconnect STAs based on low ACK condition (when 1050 the data connection is not working properly, e.g., due to the STA 1051 going outside the range of the AP). Disabled by default, enable by 1052 config option disassoc_low_ack. 1053 * nl80211: 1054 - Support GTK rekey offload. 1055 - Support PMKSA candidate events. This adds support for RSN 1056 pre-authentication with nl80211 interface and drivers that handle 1057 roaming internally. 1058 * dbus: 1059 - Add a DBus signal for EAP SM requests, emitted on the Interface 1060 object. 1061 - Export max scan ssids supported by the driver as MaxScanSSID. 1062 - Add signal Certification for information about server certification. 1063 - Add BSSExpireAge and BSSExpireCount interface properties and 1064 support set/get, which allows for setting BSS cache expiration age 1065 and expiration scan count. 1066 - Add ConfigFile to AddInterface properties. 1067 - Add Interface.Country property and support to get/set the value. 1068 - Add DBus property CurrentAuthMode. 1069 - P2P DBus API added. 1070 - Emit property changed events (for property BSSs) when adding/ 1071 removing BSSs. 1072 - Treat '' in SSIDs of Interface.Scan as a request for broadcast 1073 scan, instead of ignoring it. 1074 - Add DBus getter/setter for FastReauth. 1075 - Raise PropertiesChanged on org.freedesktop.DBus.Properties. 1076 * wpa_cli: 1077 - Send AP-STA-DISCONNECTED event when an AP disconnects a station 1078 due to inactivity. 1079 - Make second argument to set command optional. This can be used to 1080 indicate a zero length value. 1081 - Add signal_poll command. 1082 - Add bss_expire_age and bss_expire_count commands to set/get BSS 1083 cache expiration age and expiration scan count. 1084 - Add ability to set scan interval (the time in seconds wpa_s waits 1085 before requesting a new scan after failing to find a suitable 1086 network in scan results) using scan_interval command. 1087 - Add event CTRL-EVENT-ASSOC-REJECT for association rejected. 1088 - Add command get version, that returns wpa_supplicant version string. 1089 - Add command sta_autoconnect for disabling automatic reconnection 1090 on receiving disconnection event. 1091 - Setting bssid parameter to an empty string "" or any can now be 1092 used to clear the bssid_set flag in a network block, i.e., to remove 1093 bssid filtering. 1094 - Add tdls_testing command to add a special testing feature for 1095 changing TDLS behavior. Build param CONFIG_TDLS_TESTING must be 1096 enabled as well. 1097 - For interworking, add wpa_cli commands interworking_select, 1098 interworking_connect, anqp_get, fetch_anqp, and stop_fetch_anqp. 1099 - Many P2P commands were added. See README-P2P. 1100 - Many WPS/WPS ER commands - see WPS/WPS ER sections for details. 1101 - Allow set command to change global config parameters. 1102 - Add log_level command, which can be used to display the current 1103 debugging level and to change the log level during run time. 1104 - Add note command, which can be used to insert notes to the debug 1105 log. 1106 - Add internal line edit implementation. CONFIG_WPA_CLI_EDIT=y 1107 can now be used to build wpa_cli with internal implementation of 1108 line editing and history support. This can be used as a replacement 1109 for CONFIG_READLINE=y. 1110 * AP mode: Add max_num_sta config option, which can be used to limit 1111 the number of stations allowed to connect to the AP. 1112 * Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad 1113 config file. 1114 * wext: Increase scan timeout from 5 to 10 seconds. 1115 * Add blacklist command, allowing an external program to 1116 manage the BSS blacklist and display its current contents. 1117 * WPS: 1118 - Add wpa_cli wps_pin get command for generating random PINs. This can 1119 be used in a UI to generate a PIN without starting WPS (or P2P) 1120 operation. 1121 - Set RF bands based on driver capabilities, instead of hardcoding 1122 them. 1123 - Add mechanism for indicating non-standard WPS errors. 1124 - Add CONFIG_WPS_REG_DISABLE_OPEN=y option to disable open networks 1125 by default. 1126 - Add wps_ap_pin cli command for wpa_supplicant AP mode. 1127 - Add wps_check_pin cli command for processing PIN from user input. 1128 UIs can use this command to process a PIN entered by a user and to 1129 validate the checksum digit (if present). 1130 - Cancel WPS operation on PBC session overlap detection. 1131 - New wps_cancel command in wpa_cli will cancel a pending WPS 1132 operation. 1133 - wpa_cli action: Add WPS_EVENT_SUCCESS and WPS_EVENT_FAIL handlers. 1134 - Trigger WPS config update on Manufacturer, Model Name, Model 1135 Number, and Serial Number changes. 1136 - Fragment size is now configurable for EAP-WSC peer. Use 1137 wpa_cli set wps_fragment_size <val>. 1138 - Disable AP PIN after 10 consecutive failures. Slow down attacks on 1139 failures up to 10. 1140 - Allow AP to start in Enrollee mode without AP PIN for probing, to 1141 be compatible with Windows 7. 1142 - Add Config Error into WPS-FAIL events to provide more info to the 1143 user on how to resolve the issue. 1144 - Label and Display config methods are not allowed to be enabled 1145 at the same time, since it is unclear which PIN to use if both 1146 methods are advertised. 1147 - When controlling multiple interfaces: 1148 - apply WPS commands to all interfaces configured to use WPS 1149 - apply WPS config changes to all interfaces that use WPS 1150 - when an attack is detected on any interface, disable AP PIN on 1151 all interfaces 1152 * WPS ER: 1153 - Add special AP Setup Locked mode to allow read only ER. 1154 ap_setup_locked=2 can now be used to enable a special mode where 1155 WPS ER can learn the current AP settings, but cannot change them. 1156 - Show SetSelectedRegistrar events as ctrl_iface events 1157 - Add wps_er_set_config to enroll a network based on a local 1158 network configuration block instead of having to (re-)learn the 1159 current AP settings with wps_er_learn. 1160 - Allow AP filtering based on IP address, add ctrl_iface event for 1161 learned AP settings, add wps_er_config command to configure an AP. 1162 * WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2) 1163 - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool 1164 for testing protocol extensibility. 1165 - Add build option CONFIG_WPS_STRICT to allow disabling of WPS 1166 workarounds. 1167 - Add support for AuthorizedMACs attribute. 1168 * TDLS: 1169 - Propagate TDLS related nl80211 capability flags from kernel and 1170 add them as driver capability flags. If the driver doesn't support 1171 capabilities, assume TDLS is supported internally. When TDLS is 1172 explicitly not supported, disable all user facing TDLS operations. 1173 - Allow TDLS to be disabled at runtime (mostly for testing). 1174 Use set tdls_disabled. 1175 - Honor AP TDLS settings that prohibit/allow TDLS. 1176 - Add a special testing feature for changing TDLS behavior. Use 1177 CONFIG_TDLS_TESTING build param to enable. Configure at runtime 1178 with tdls_testing cli command. 1179 - Add support for TDLS 802.11z. 1180 * wlantest: Add a tool wlantest for IEEE802.11 protocol testing. 1181 wlantest can be used to capture frames from a monitor interface 1182 for realtime capturing or from pcap files for offline analysis. 1183 * Interworking: Support added for 802.11u. Enable in .config with 1184 CONFIG_INTERWORKING. See wpa_supplicant.conf for config parameters 1185 for interworking. wpa_cli commands added to support this are 1186 interworking_select, interworking_connect, anqp_get, fetch_anqp, 1187 and stop_fetch_anqp. 1188 * Android: Add build and runtime support for Android wpa_supplicant. 1189 * bgscan learn: Add new bgscan that learns BSS information based on 1190 previous scans, and uses that information to dynamically generate 1191 the list of channels for background scans. 1192 * Add a new debug message level for excessive information. Use 1193 -ddd to enable. 1194 * TLS: Add support for tls_disable_time_checks=1 in client mode. 1195 * Internal TLS: 1196 - Add support for TLS v1.1 (RFC 4346). Enable with build parameter 1197 CONFIG_TLSV11. 1198 - Add domainComponent parser for X.509 names. 1199 * Linux: Add RFKill support by adding an interface state "disabled". 1200 * Reorder some IEs to get closer to IEEE 802.11 standard. Move 1201 WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames. 1202 Move HT IEs to be later in (Re)Assoc Resp. 1203 * Solaris: Add support for wired 802.1X client. 1204 * Wi-Fi Direct support. See README-P2P for more information. 1205 * Many bugfixes. 1206 12072010-04-18 - v0.7.2 1208 * nl80211: fixed number of issues with roaming 1209 * avoid unnecessary roaming if multiple APs with similar signal 1210 strength are present in scan results 1211 * add TLS client events and server probing to ease design of 1212 automatic detection of EAP parameters 1213 * add option for server certificate matching (SHA256 hash of the 1214 certificate) instead of trusted CA certificate configuration 1215 * bsd: Cleaned up driver wrapper and added various low-level 1216 configuration options 1217 * wpa_gui-qt4: do not show too frequent WPS AP available events as 1218 tray messages 1219 * TNC: fixed issues with fragmentation 1220 * EAP-TNC: add Flags field into fragment acknowledgement (needed to 1221 interoperate with other implementations; may potentially breaks 1222 compatibility with older wpa_supplicant/hostapd versions) 1223 * wpa_cli: added option for using a separate process to receive event 1224 messages to reduce latency in showing these 1225 (CFLAGS += -DCONFIG_WPA_CLI_FORK=y in .config to enable this) 1226 * maximum BSS table size can now be configured (bss_max_count) 1227 * BSSes to be included in the BSS table can be filtered based on 1228 configured SSIDs to save memory (filter_ssids) 1229 * fix number of issues with IEEE 802.11r/FT; this version is not 1230 backwards compatible with old versions 1231 * nl80211: add support for IEEE 802.11r/FT protocol (both over-the-air 1232 and over-the-DS) 1233 * add freq_list network configuration parameter to allow the AP 1234 selection to filter out entries based on the operating channel 1235 * add signal strength change events for bgscan; this allows more 1236 dynamic changes to background scanning interval based on changes in 1237 the signal strength with the current AP; this improves roaming within 1238 ESS quite a bit, e.g., with bgscan="simple:30:-45:300" in the network 1239 configuration block to request background scans less frequently when 1240 signal strength remains good and to automatically trigger background 1241 scans whenever signal strength drops noticeably 1242 (this is currently only available with nl80211) 1243 * add BSSID and reason code (if available) to disconnect event messages 1244 * wpa_gui-qt4: more complete support for translating the GUI with 1245 linguist and add German translation 1246 * fix DH padding with internal crypto code (mainly, for WPS) 1247 * do not trigger initial scan automatically anymore if there are no 1248 enabled networks 1249 12502010-01-16 - v0.7.1 1251 * cleaned up driver wrapper API (struct wpa_driver_ops); the new API 1252 is not fully backwards compatible, so out-of-tree driver wrappers 1253 will need modifications 1254 * cleaned up various module interfaces 1255 * merge hostapd and wpa_supplicant developers' documentation into a 1256 single document 1257 * nl80211: use explicit deauthentication to clear cfg80211 state to 1258 avoid issues when roaming between APs 1259 * dbus: major design changes in the new D-Bus API 1260 (fi.w1.wpa_supplicant1) 1261 * nl80211: added support for IBSS networks 1262 * added internal debugging mechanism with backtrace support and memory 1263 allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y) 1264 * added WPS ER unsubscription command to more cleanly unregister from 1265 receiving UPnP events when ER is terminated 1266 * cleaned up AP mode operations to avoid need for virtual driver_ops 1267 wrapper 1268 * added BSS table to maintain more complete scan result information 1269 over multiple scans (that may include only partial results) 1270 * wpa_gui-qt4: update Peers dialog information more dynamically while 1271 the dialog is kept open 1272 * fixed PKCS#12 use with OpenSSL 1.0.0 1273 * driver_wext: Added cfg80211-specific optimization to avoid some 1274 unnecessary scans and to speed up association 1275 12762009-11-21 - v0.7.0 1277 * increased wpa_cli ping interval to 5 seconds and made this 1278 configurable with a new command line options (-G<seconds>) 1279 * fixed scan buffer processing with WEXT to handle up to 65535 1280 byte result buffer (previously, limited to 32768 bytes) 1281 * allow multiple driver wrappers to be specified on command line 1282 (e.g., -Dnl80211,wext); the first one that is able to initialize the 1283 interface will be used 1284 * added support for multiple SSIDs per scan request to optimize 1285 scan_ssid=1 operations in ap_scan=1 mode (i.e., search for hidden 1286 SSIDs); this requires driver support and can currently be used only 1287 with nl80211 1288 * added support for WPS USBA out-of-band mechanism with USB Flash 1289 Drives (UFD) (CONFIG_WPS_UFD=y) 1290 * driver_ndis: add PAE group address to the multicast address list to 1291 fix wired IEEE 802.1X authentication 1292 * fixed IEEE 802.11r key derivation function to match with the standard 1293 (note: this breaks interoperability with previous version) [Bug 303] 1294 * added better support for drivers that allow separate authentication 1295 and association commands (e.g., mac80211-based Linux drivers with 1296 nl80211; SME in wpa_supplicant); this allows over-the-air FT protocol 1297 to be used (IEEE 802.11r) 1298 * fixed SHA-256 based key derivation function to match with the 1299 standard when using CCMP (for IEEE 802.11r and IEEE 802.11w) 1300 (note: this breaks interoperability with previous version) [Bug 307] 1301 * use shared driver wrapper files with hostapd 1302 * added AP mode functionality (CONFIG_AP=y) with mode=2 in the network 1303 block; this can be used for open and WPA2-Personal networks 1304 (optionally, with WPS); this links in parts of hostapd functionality 1305 into wpa_supplicant 1306 * wpa_gui-qt4: added new Peers dialog to show information about peers 1307 (other devices, including APs and stations, etc. in the neighborhood) 1308 * added support for WPS External Registrar functionality (configure APs 1309 and enroll new devices); can be used with wpa_gui-qt4 Peers dialog 1310 and wpa_cli commands wps_er_start, wps_er_stop, wps_er_pin, 1311 wps_er_pbc, wps_er_learn 1312 (this can also be used with a new 'none' driver wrapper if no 1313 wireless device or IEEE 802.1X on wired is needed) 1314 * driver_nl80211: multiple updates to provide support for new Linux 1315 nl80211/mac80211 functionality 1316 * updated management frame protection to use IEEE Std 802.11w-2009 1317 * fixed number of small WPS issues and added workarounds to 1318 interoperate with common deployed broken implementations 1319 * added support for NFC out-of-band mechanism with WPS 1320 * driver_ndis: fixed wired IEEE 802.1X authentication with PAE group 1321 address frames 1322 * added preliminary support for IEEE 802.11r RIC processing 1323 * added support for specifying subset of enabled frequencies to scan 1324 (scan_freq option in the network configuration block); this can speed 1325 up scanning process considerably if it is known that only a small 1326 subset of channels is actually used in the network (this is currently 1327 supported only with -Dnl80211) 1328 * added a workaround for race condition between receiving the 1329 association event and the following EAPOL-Key 1330 * added background scan and roaming infrastructure to allow 1331 network-specific optimizations to be used to improve roaming within 1332 an ESS (same SSID) 1333 * added new DBus interface (fi.w1.wpa_supplicant1) 1334 13352009-01-06 - v0.6.7 1336 * added support for Wi-Fi Protected Setup (WPS) 1337 (wpa_supplicant can now be configured to act as a WPS Enrollee to 1338 enroll credentials for a network using PIN and PBC methods; in 1339 addition, wpa_supplicant can act as a wireless WPS Registrar to 1340 configure an AP); WPS support can be enabled by adding CONFIG_WPS=y 1341 into .config and setting the runtime configuration variables in 1342 wpa_supplicant.conf (see WPS section in the example configuration 1343 file); new wpa_cli commands wps_pin, wps_pbc, and wps_reg are used to 1344 manage WPS negotiation; see README-WPS for more details 1345 * added support for EAP-AKA' (draft-arkko-eap-aka-kdf) 1346 * added support for using driver_test over UDP socket 1347 * fixed PEAPv0 Cryptobinding interoperability issue with Windows Server 1348 2008 NPS; optional cryptobinding is now enabled (again) by default 1349 * fixed PSK editing in wpa_gui 1350 * changed EAP-GPSK to use the IANA assigned EAP method type 51 1351 * added a Windows installer that includes WinPcap and all the needed 1352 DLLs; in addition, it set up the registry automatically so that user 1353 will only need start wpa_gui to get prompted to start the wpasvc 1354 servide and add a new interface if needed through wpa_gui dialog 1355 * updated management frame protection to use IEEE 802.11w/D7.0 1356 13572008-11-23 - v0.6.6 1358 * added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA 1359 (can be used to simulate test SIM/USIM card with a known private key; 1360 enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config 1361 and password="Ki:OPc"/password="Ki:OPc:SQN" in network configuration) 1362 * added a new network configuration option, wpa_ptk_rekey, that can be 1363 used to enforce frequent PTK rekeying, e.g., to mitigate some attacks 1364 against TKIP deficiencies 1365 * added an optional mitigation mechanism for certain attacks against 1366 TKIP by delaying Michael MIC error reports by a random amount of time 1367 between 0 and 60 seconds; this can be enabled with a build option 1368 CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config 1369 * fixed EAP-AKA to use RES Length field in AT_RES as length in bits, 1370 not bytes 1371 * updated OpenSSL code for EAP-FAST to use an updated version of the 1372 session ticket overriding API that was included into the upstream 1373 OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is 1374 needed with that version anymore) 1375 * updated userspace MLME instructions to match with the current Linux 1376 mac80211 implementation; please also note that this can only be used 1377 with driver_nl80211.c (the old code from driver_wext.c was removed) 1378 * added support (Linux only) for RoboSwitch chipsets (often found in 1379 consumer grade routers); driver interface 'roboswitch' 1380 * fixed canceling of PMKSA caching when using drivers that generate 1381 RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know 1382 about 1383 13842008-11-01 - v0.6.5 1385 * added support for SHA-256 as X.509 certificate digest when using the 1386 internal X.509/TLSv1 implementation 1387 * updated management frame protection to use IEEE 802.11w/D6.0 1388 * added support for using SHA256-based stronger key derivation for WPA2 1389 (IEEE 802.11w) 1390 * fixed FT (IEEE 802.11r) authentication after a failed association to 1391 use correct FTIE 1392 * added support for configuring Phase 2 (inner/tunneled) authentication 1393 method with wpa_gui-qt4 1394 13952008-08-10 - v0.6.4 1396 * added support for EAP Sequences in EAP-FAST Phase 2 1397 * added support for using TNC with EAP-FAST 1398 * added driver_ps3 for the PS3 Linux wireless driver 1399 * added support for optional cryptobinding with PEAPv0 1400 * fixed the OpenSSL patches (0.9.8g and 0.9.9) for EAP-FAST to 1401 allow fallback to full handshake if server rejects PAC-Opaque 1402 * added fragmentation support for EAP-TNC 1403 * added support for parsing PKCS #8 formatted private keys into the 1404 internal TLS implementation (both PKCS #1 RSA key and PKCS #8 1405 encapsulated RSA key can now be used) 1406 * added option of using faster, but larger, routines in the internal 1407 LibTomMath (for internal TLS implementation) to speed up DH and RSA 1408 calculations (CONFIG_INTERNAL_LIBTOMMATH_FAST=y) 1409 * fixed race condition between disassociation event and group key 1410 handshake to avoid getting stuck in incorrect state [Bug 261] 1411 * fixed opportunistic key caching (proactive_key_caching) 1412 14132008-02-22 - v0.6.3 1414 * removed 'nai' and 'eappsk' network configuration variables that were 1415 previously used for configuring user identity and key for EAP-PSK, 1416 EAP-PAX, EAP-SAKE, and EAP-GPSK. 'identity' field is now used as the 1417 replacement for 'nai' (if old configuration used a separate 1418 'identity' value, that would now be configured as 1419 'anonymous_identity'). 'password' field is now used as the 1420 replacement for 'eappsk' (it can also be set using hexstring to 1421 present random binary data) 1422 * removed '-w' command line parameter (wait for interface to be added, 1423 if needed); cleaner way of handling this functionality is to use an 1424 external mechanism (e.g., hotplug scripts) that start wpa_supplicant 1425 when an interface is added 1426 * updated FT support to use the latest draft, IEEE 802.11r/D9.0 1427 * added ctrl_iface monitor event (CTRL-EVENT-SCAN-RESULTS) for 1428 indicating when new scan results become available 1429 * added new ctrl_iface command, BSS, to allow scan results to be 1430 fetched without hitting the message size limits (this command 1431 can be used to iterate through the scan results one BSS at the time) 1432 * fixed EAP-SIM not to include AT_NONCE_MT and AT_SELECTED_VERSION 1433 attributes in EAP-SIM Start/Response when using fast reauthentication 1434 * fixed EAPOL not to end up in infinite loop when processing dynamic 1435 WEP keys with IEEE 802.1X 1436 * fixed problems in getting NDIS events from WMI on Windows 2000 1437 14382008-01-01 - v0.6.2 1439 * added support for Makefile builds to include debug-log-to-a-file 1440 functionality (CONFIG_DEBUG_FILE=y and -f<path> on command line) 1441 * fixed EAP-SIM and EAP-AKA message parser to validate attribute 1442 lengths properly to avoid potential crash caused by invalid messages 1443 * added data structure for storing allocated buffers (struct wpabuf); 1444 this does not affect wpa_supplicant usage, but many of the APIs 1445 changed and various interfaces (e.g., EAP) is not compatible with old 1446 versions 1447 * added support for protecting EAP-AKA/Identity messages with 1448 AT_CHECKCODE (optional feature in RFC 4187) 1449 * added support for protected result indication with AT_RESULT_IND for 1450 EAP-SIM and EAP-AKA (phase1="result_ind=1") 1451 * added driver_wext workaround for race condition between scanning and 1452 association with drivers that take very long time to scan all 1453 channels (e.g., madwifi with dual-band cards); wpa_supplicant is now 1454 using a longer hardcoded timeout for the scan if the driver supports 1455 notifications for scan completion (SIOCGIWSCAN event); this helps, 1456 e.g., in cases where wpa_supplicant and madwifi driver ended up in 1457 loop where the driver did not even try to associate 1458 * stop EAPOL timer tick when no timers are in use in order to reduce 1459 power consumption (no need to wake up the process once per second) 1460 [Bug 237] 1461 * added support for privilege separation (run only minimal part of 1462 wpa_supplicant functionality as root and rest as unprivileged, 1463 non-root process); see 'Privilege separation' in README for details; 1464 this is disabled by default and can be enabled with CONFIG_PRIVSEP=y 1465 in .config 1466 * changed scan results data structure to include all information 1467 elements to make it easier to support new IEs; old get_scan_result() 1468 driver_ops is still supported for backwards compatibility (results 1469 are converted internally to the new format), but all drivers should 1470 start using the new get_scan_results2() to make them more likely to 1471 work with new features 1472 * Qt4 version of wpa_gui (wpa_gui-qt4 subdirectory) is now native Qt4 1473 application, i.e., it does not require Qt3Support anymore; Windows 1474 binary of wpa_gui.exe is now from this directory and only requires 1475 QtCore4.dll and QtGui4.dll libraries 1476 * updated Windows binary build to use Qt 4.3.3 and made Qt DLLs 1477 available as a separate package to make wpa_gui installation easier: 1478 http://w1.fi/wpa_supplicant/qt4/wpa_gui-qt433-windows-dll.zip 1479 * added support for EAP-IKEv2 (draft-tschofenig-eap-ikev2-15.txt); 1480 only shared key/password authentication is supported in this version 1481 14822007-11-24 - v0.6.1 1483 * added support for configuring password as NtPasswordHash 1484 (16-byte MD4 hash of password) in hash:<32 hex digits> format 1485 * added support for fallback from abbreviated TLS handshake to 1486 full handshake when using EAP-FAST (e.g., due to an expired 1487 PAC-Opaque) 1488 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest 1489 draft (draft-ietf-emu-eap-gpsk-07.txt) 1490 * added support for drivers that take care of RSN 4-way handshake 1491 internally (WPA_DRIVER_FLAGS_4WAY_HANDSHAKE in get_capa flags and 1492 WPA_ALG_PMK in set_key) 1493 * added an experimental port for Mac OS X (CONFIG_DRIVER_OSX=y in 1494 .config); this version supports only ap_scan=2 mode and allow the 1495 driver to take care of the 4-way handshake 1496 * fixed a buffer overflow in parsing TSF from scan results when using 1497 driver_wext.c with a driver that includes the TSF (e.g., iwl4965) 1498 [Bug 232] 1499 * updated FT support to use the latest draft, IEEE 802.11r/D8.0 1500 * fixed an integer overflow issue in the ASN.1 parser used by the 1501 (experimental) internal TLS implementation to avoid a potential 1502 buffer read overflow 1503 * fixed a race condition with -W option (wait for a control interface 1504 monitor before starting) that could have caused the first messages to 1505 be lost 1506 * added support for processing TNCC-TNCS-Messages to report 1507 recommendation (allow/none/isolate) when using TNC [Bug 243] 1508 15092007-05-28 - v0.6.0 1510 * added network configuration parameter 'frequency' for setting 1511 initial channel for IBSS (adhoc) networks 1512 * added experimental IEEE 802.11r/D6.0 support 1513 * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48 1514 * updated EAP-PSK to use the IANA-allocated EAP type 47 1515 * fixed EAP-PAX key derivation 1516 * fixed EAP-PSK bit ordering of the Flags field 1517 * fixed EAP-PEAP/TTLS/FAST to use the correct EAP identifier in 1518 tunnelled identity request (previously, the identifier from the outer 1519 method was used, not the tunnelled identifier which could be 1520 different) 1521 * added support for fragmentation of outer TLS packets during Phase 2 1522 of EAP-PEAP/TTLS/FAST 1523 * fixed EAP-TTLS AVP parser processing for too short AVP lengths 1524 * added support for EAP-FAST authentication with inner methods that 1525 generate MSK (e.g., EAP-MSCHAPv2 that was previously only supported 1526 for PAC provisioning) 1527 * added support for authenticated EAP-FAST provisioning 1528 * added support for configuring maximum number of EAP-FAST PACs to 1529 store in a PAC list (fast_max_pac_list_len=<max> in phase1 string) 1530 * added support for storing EAP-FAST PACs in binary format 1531 (fast_pac_format=binary in phase1 string) 1532 * fixed dbus ctrl_iface to validate message interface before 1533 dispatching to avoid a possible segfault [Bug 190] 1534 * fixed PeerKey key derivation to use the correct PRF label 1535 * updated Windows binary build to link against OpenSSL 0.9.8d and 1536 added support for EAP-FAST 1537 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest 1538 draft (draft-ietf-emu-eap-gpsk-04.txt) 1539 * fixed EAP-AKA Notification processing to allow Notification to be 1540 processed after AKA Challenge response has been sent 1541 * updated to use IEEE 802.11w/D2.0 for management frame protection 1542 (still experimental) 1543 * fixed EAP-TTLS implementation not to crash on use of freed memory 1544 if TLS library initialization fails 1545 * added support for EAP-TNC (Trusted Network Connect) 1546 (this version implements the EAP-TNC method and EAP-TTLS changes 1547 needed to run two methods in sequence (IF-T) and the IF-IMC and 1548 IF-TNCCS interfaces from TNCC) 1549 15502006-11-24 - v0.5.6 1551 * added experimental, integrated TLSv1 client implementation with the 1552 needed X.509/ASN.1/RSA/bignum processing (this can be enabled by 1553 setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in 1554 .config); this can be useful, e.g., if the target system does not 1555 have a suitable TLS library and a minimal code size is required 1556 (total size of this internal TLS/crypto code is bit under 50 kB on 1557 x86 and the crypto code is shared by rest of the supplicant so some 1558 of it was already required; TLSv1/X.509/ASN.1/RSA added about 25 kB) 1559 * removed STAKey handshake since PeerKey handshake has replaced it in 1560 IEEE 802.11ma and there are no known deployments of STAKey 1561 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest 1562 draft (draft-ietf-emu-eap-gpsk-01.txt) 1563 * added preliminary implementation of IEEE 802.11w/D1.0 (management 1564 frame protection) 1565 (Note: this requires driver support to work properly.) 1566 (Note2: IEEE 802.11w is an unapproved draft and subject to change.) 1567 * fixed Windows named pipes ctrl_iface to not stop listening for 1568 commands if client program opens a named pipe and closes it 1569 immediately without sending a command 1570 * fixed USIM PIN status determination for the case that PIN is not 1571 needed (this allows EAP-AKA to be used with USIM cards that do not 1572 use PIN) 1573 * added support for reading 3G USIM AID from EF_DIR to allow EAP-AKA to 1574 be used with cards that do not support file selection based on 1575 partial AID 1576 * added support for matching the subjectAltName of the authentication 1577 server certificate against multiple name components (e.g., 1578 altsubject_match="DNS:server.example.com;DNS:server2.example.com") 1579 * fixed EAP-SIM/AKA key derivation for re-authentication case (only 1580 affects IEEE 802.1X with dynamic WEP keys) 1581 * changed ctrl_iface network configuration 'get' operations to not 1582 return password/key material; if these fields are requested, "*" 1583 will be returned if the password/key is set, but the value of the 1584 parameter is not exposed 1585 15862006-08-27 - v0.5.5 1587 * added support for building Windows version with UNICODE defined 1588 (wide-char functions) 1589 * driver_ndis: fixed static WEP configuration to avoid race condition 1590 issues with some NDIS drivers between association and setting WEP 1591 keys 1592 * driver_ndis: added validation for IELength value in scan results to 1593 avoid crashes when using buggy NDIS drivers [Bug 165] 1594 * fixed Release|Win32 target in the Visual Studio project files 1595 (previously, only Debug|Win32 target was set properly) 1596 * changed control interface API call wpa_ctrl_pending() to allow it to 1597 return -1 on error (e.g., connection lost); control interface clients 1598 will need to make sure that they verify that the value is indeed >0 1599 when determining whether there are pending messages 1600 * added an alternative control interface backend for Windows targets: 1601 Named Pipe (CONFIG_CTRL_IFACE=named_pipe); this is now the default 1602 control interface mechanism for Windows builds (previously, UDP to 1603 localhost was used) 1604 * changed ctrl_interface configuration for UNIX domain sockets: 1605 - deprecated ctrl_interface_group variable (it may be removed in 1606 future versions) 1607 - allow both directory and group be configured with ctrl_interface 1608 in following format: DIR=/var/run/wpa_supplicant GROUP=wheel 1609 - ctrl_interface=/var/run/wpa_supplicant is still supported for the 1610 case when group is not changed 1611 * added support for controlling more than one interface per process in 1612 Windows version 1613 * added a workaround for a case where the AP is using unknown address 1614 (e.g., MAC address of the wired interface) as the source address for 1615 EAPOL-Key frames; previously, that source address was used as the 1616 destination for EAPOL-Key frames and in key derivation; now, BSSID is 1617 used even if the source address does not match with it 1618 (this resolves an interoperability issue with Thomson SpeedTouch 580) 1619 * added a workaround for UDP-based control interface (which was used in 1620 Windows builds before this release) to prevent packets with forged 1621 addresses from being accepted as local control requests 1622 * removed ndis_events.cpp and possibility of using external 1623 ndis_events.exe; C version (ndis_events.c) is fully functional and 1624 there is no desire to maintain two separate versions of this 1625 implementation 1626 * ndis_events: Changed NDIS event notification design to use WMI to 1627 learn the adapter description through Win32_PnPEntity class; this 1628 should fix some cases where the adapter name was not recognized 1629 correctly (e.g., with some USB WLAN adapters, e.g., Ralink RT2500 1630 USB) [Bug 113] 1631 * fixed selection of the first network in ap_scan=2 mode; previously, 1632 wpa_supplicant could get stuck in SCANNING state when only the first 1633 network for enabled (e.g., after 'wpa_cli select_network 0') 1634 * winsvc: added support for configuring ctrl_interface parameters in 1635 registry (ctrl_interface string value in 1636 HKLM\SOFTWARE\wpa_supplicant\interfaces\0000 key); this new value is 1637 required to enable control interface (previously, this was hardcoded 1638 to be enabled) 1639 * allow wpa_gui subdirectory to be built with both Qt3 and Qt4 1640 * converted wpa_gui-qt4 subdirectory to use Qt4 specific project format 1641 16422006-06-20 - v0.5.4 1643 * fixed build with CONFIG_STAKEY=y [Bug 143] 1644 * added support for doing MLME (IEEE 802.11 management frame 1645 processing) in wpa_supplicant when using Devicescape IEEE 802.11 1646 stack (wireless-dev.git tree) 1647 * added a new network block configuration option, fragment_size, to 1648 configure the maximum EAP fragment size 1649 * driver_ndis: Disable WZC automatically for the selected interface to 1650 avoid conflicts with two programs trying to control the radio; WZC 1651 will be re-enabled (if it was enabled originally) when wpa_supplicant 1652 is terminated 1653 * added an experimental TLSv1 client implementation 1654 (CONFIG_TLS=internal) that can be used instead of an external TLS 1655 library, e.g., to reduce total size requirement on systems that do 1656 not include any TLS library by default (this is not yet complete; 1657 basic functionality is there, but certificate validation is not yet 1658 included) 1659 * added PeerKey handshake implementation for IEEE 802.11e 1660 direct link setup (DLS) to replace STAKey handshake 1661 * fixed WPA PSK update through ctrl_iface for the case where the old 1662 PSK was derived from an ASCII passphrase and the new PSK is set as 1663 a raw PSK (hex string) 1664 * added new configuration option for identifying which network block 1665 was used (id_str in wpa_supplicant.conf; included on 1666 WPA_EVENT_CONNECT monitor event and as WPA_ID_STR environmental 1667 variable in wpa_cli action scripts; in addition WPA_ID variable is 1668 set to the current unique identifier that wpa_supplicant assigned 1669 automatically for the network and that can be used with 1670 GET_NETWORK/SET_NETWORK ctrl_iface commands) 1671 * wpa_cli action script is now called only when the connect/disconnect 1672 status changes or when associating with a different network 1673 * fixed configuration parser not to remove CCMP from group cipher list 1674 if WPA-None (adhoc) is used (pairwise=NONE in that case) 1675 * fixed integrated NDIS events processing not to hang the process due 1676 to a missed change in eloop_win.c API in v0.5.3 [Bug 155] 1677 * added support for EAP Generalized Pre-Shared Key (EAP-GPSK, 1678 draft-clancy-emu-eap-shared-secret-00.txt) 1679 * added Microsoft Visual Studio 2005 solution and project files for 1680 build wpa_supplicant for Windows (see vs2005 subdirectory) 1681 * eloop_win: fixed unregistration of Windows events 1682 * l2_packet_winpcap: fixed a deadlock in deinitializing l2_packet 1683 at the end of RSN pre-authentication and added unregistration of 1684 a Windows event to avoid getting eloop_win stuck with an invalid 1685 handle 1686 * driver_ndis: added support for selecting AP based on BSSID 1687 * added new environmental variable for wpa_cli action scripts: 1688 WPA_CTRL_DIR is the current control interface directory 1689 * driver_ndis: added support for using NDISUIO instead of WinPcap for 1690 OID set/query operations (CONFIG_USE_NDISUIO=y in .config); with new 1691 l2_packet_ndis (CONFIG_L2_PACKET=ndis), this can be used to build 1692 wpa_supplicant without requiring WinPcap; note that using NDISUIO 1693 requires that WZC is disabled (net stop wzcsvc) since NDISUIO allows 1694 only one application to open the device 1695 * changed NDIS driver naming to only include device GUID, e.g., 1696 {7EE3EFE5-C165-472F-986D-F6FBEDFE8C8D}, instead of including WinPcap 1697 specific \Device\NPF_ prefix before the GUID; the prefix is still 1698 allowed for backwards compatibility, but it is not required anymore 1699 when specifying the interface 1700 * driver_ndis: re-initialize driver interface is the adapter is removed 1701 and re-inserted [Bug 159] 1702 * driver_madwifi: fixed TKIP and CCMP sequence number configuration on 1703 big endian hosts [Bug 146] 1704 17052006-04-27 - v0.5.3 1706 * fixed EAP-GTC response to include correct user identity when run as 1707 phase 2 method of EAP-FAST (i.e., EAP-FAST did not work in v0.5.2) 1708 * driver_ndis: Fixed encryption mode configuration for unencrypted 1709 networks (some NDIS drivers ignored this, but others, e.g., Broadcom, 1710 refused to associate with open networks) [Bug 106] 1711 * driver_ndis: use BSSID OID polling to detect when IBSS network is 1712 formed even when ndis_events code is included since some NDIS drivers 1713 do not generate media connect events in IBSS mode 1714 * config_winreg: allow global ctrl_interface parameter to be configured 1715 in Windows registry 1716 * config_winreg: added support for saving configuration data into 1717 Windows registry 1718 * added support for controlling network device operational state 1719 (dormant/up) for Linux 2.6.17 to improve DHCP processing (see 1720 http://www.flamewarmaster.de/software/dhcpclient/ for a DHCP client 1721 that can use this information) 1722 * driver_wext: added support for WE-21 change to SSID configuration 1723 * driver_wext: fixed privacy configuration for static WEP keys mode 1724 [Bug 140] 1725 * added an optional driver_ops callback for MLME-SETPROTECTION.request 1726 primitive 1727 * added support for EAP-SAKE (no EAP method number allocated yet, so 1728 this is using the same experimental type 255 as EAP-PSK) 1729 * added support for dynamically loading EAP methods (.so files) instead 1730 of requiring them to be statically linked in; this is disabled by 1731 default (see CONFIG_DYNAMIC_EAP_METHODS in defconfig for information 1732 on how to use this) 1733 17342006-03-19 - v0.5.2 1735 * do not try to use USIM APDUs when initializing PC/SC for SIM card 1736 access for a network that has not enabled EAP-AKA 1737 * fixed EAP phase 2 Nak for EAP-{PEAP,TTLS,FAST} (this was broken in 1738 v0.5.1 due to the new support for expanded EAP types) 1739 * added support for generating EAP Expanded Nak 1740 * try to fetch scan results once before requesting new scan when 1741 starting up in ap_scan=1 mode (this can speed up initial association 1742 a lot with, e.g., madwifi-ng driver) 1743 * added support for receiving EAPOL frames from a Linux bridge 1744 interface (-bbr0 on command line) 1745 * fixed EAPOL re-authentication for sessions that used PMKSA caching 1746 * changed EAP method registration to use a dynamic list of methods 1747 instead of a static list generated at build time 1748 * fixed PMKSA cache deinitialization not to use freed memory when 1749 removing PMKSA entries 1750 * fixed a memory leak in EAP-TTLS re-authentication 1751 * reject WPA/WPA2 message 3/4 if it does not include any valid 1752 WPA/RSN IE 1753 * driver_wext: added fallback to use SIOCSIWENCODE for setting auth_alg 1754 if the driver does not support SIOCSIWAUTH 1755 17562006-01-29 - v0.5.1 1757 * driver_test: added better support for multiple APs and STAs by using 1758 a directory with sockets that include MAC address for each device in 1759 the name (driver_param=test_dir=/tmp/test) 1760 * added support for EAP expanded type (vendor specific EAP methods) 1761 * added AP_SCAN command into ctrl_iface so that ap_scan configuration 1762 option can be changed if needed 1763 * wpa_cli/wpa_gui: skip non-socket files in control directory when 1764 using UNIX domain sockets; this avoids selecting an incorrect 1765 interface (e.g., a PID file could be in this directory, even though 1766 use of this directory for something else than socket files is not 1767 recommended) 1768 * fixed TLS library deinitialization after RSN pre-authentication not 1769 to disable TLS library for normal authentication 1770 * driver_wext: Remove null-termination from SSID length if the driver 1771 used it; some Linux drivers do this and they were causing problems in 1772 wpa_supplicant not finding matching configuration block. This change 1773 would break a case where the SSID actually ends in '\0', but that is 1774 not likely to happen in real use. 1775 * fixed PMKSA cache processing not to trigger deauthentication if the 1776 current PMKSA cache entry is replaced with a valid new entry 1777 * fixed PC/SC initialization for ap_scan != 1 modes (this fixes 1778 EAP-SIM and EAP-AKA with real SIM/USIM card when using ap_scan=0 or 1779 ap_scan=2) 1780 17812005-12-18 - v0.5.0 (beginning of 0.5.x development releases) 1782 * added experimental STAKey handshake implementation for IEEE 802.11e 1783 direct link setup (DLS); note: this is disabled by default in both 1784 build and runtime configuration (can be enabled with CONFIG_STAKEY=y 1785 and stakey=1) 1786 * fixed EAP-SIM and EAP-AKA pseudonym and fast re-authentication to 1787 decrypt AT_ENCR_DATA attributes correctly 1788 * fixed EAP-AKA to allow resynchronization within the same session 1789 * made code closer to ANSI C89 standard to make it easier to port to 1790 other C libraries and compilers 1791 * started moving operating system or C library specific functions into 1792 wrapper functions defined in os.h and implemented in os_*.c to make 1793 code more portable 1794 * wpa_supplicant can now be built with Microsoft Visual C++ 1795 (e.g., with the freely available Toolkit 2003 version or Visual 1796 C++ 2005 Express Edition and Platform SDK); see nmake.mak for an 1797 example makefile for nmake 1798 * added support for using Windows registry for command line parameters 1799 (CONFIG_MAIN=main_winsvc) and configuration data 1800 (CONFIG_BACKEND=winreg); see win_example.reg for an example registry 1801 contents; this version can be run both as a Windows service and as a 1802 normal application; 'wpasvc.exe app' to start as applicant, 1803 'wpasvc.exe reg <full path to wpasvc.exe>' to register a service, 1804 'net start wpasvc' to start the service, 'wpasvc.exe unreg' to 1805 unregister a service 1806 * made it possible to link ndis_events.exe functionality into 1807 wpa_supplicant.exe by defining CONFIG_NDIS_EVENTS_INTEGRATED 1808 * added better support for multiple control interface backends 1809 (CONFIG_CTRL_IFACE option); currently, 'unix' and 'udp' are supported 1810 * fixed PC/SC code to use correct length for GSM AUTH command buffer 1811 and to not use pioRecvPci with SCardTransmit() calls; these were not 1812 causing visible problems with pcsc-lite, but Windows Winscard.dll 1813 refused the previously used parameters; this fixes EAP-SIM and 1814 EAP-AKA authentication using SIM/USIM card under Windows 1815 * added new event loop implementation for Windows using 1816 WaitForMultipleObject() instead of select() in order to allow waiting 1817 for non-socket objects; this can be selected with 1818 CONFIG_ELOOP=eloop_win in .config 1819 * added support for selecting l2_packet implementation in .config 1820 (CONFIG_L2_PACKET; following options are available now: linux, pcap, 1821 winpcap, freebsd, none) 1822 * added new l2_packet implementation for WinPcap 1823 (CONFIG_L2_PACKET=winpcap) that uses a separate receive thread to 1824 reduce latency in EAPOL receive processing from about 100 ms to about 1825 3 ms 1826 * added support for EAP-FAST key derivation using other ciphers than 1827 RC4-128-SHA for authentication and AES128-SHA for provisioning 1828 * added support for configuring CA certificate as DER file and as a 1829 configuration blob 1830 * fixed private key configuration as configuration blob and added 1831 support for using PKCS#12 as a blob 1832 * tls_gnutls: added support for using PKCS#12 files; added support for 1833 session resumption 1834 * added support for loading trusted CA certificates from Windows 1835 certificate store: ca_cert="cert_store://<name>", where <name> is 1836 likely CA (Intermediate CA certificates) or ROOT (root certificates) 1837 * added C version of ndis_events.cpp and made it possible to build this 1838 with MinGW so that CONFIG_NDIS_EVENTS_INTEGRATED can be used more 1839 easily on cross-compilation builds 1840 * added wpasvc.exe into Windows binary release; this is an alternative 1841 version of wpa_supplicant.exe with configuration backend using 1842 Windows registry and with the entry point designed to run as a 1843 Windows service 1844 * integrated ndis_events.exe functionality into wpa_supplicant.exe and 1845 wpasvc.exe and removed this additional tool from the Windows binary 1846 release since it is not needed anymore 1847 * load winscard.dll functions dynamically when building with MinGW 1848 since MinGW does not yet include winscard library 1849 18502005-11-20 - v0.4.7 (beginning of 0.4.x stable releases) 1851 * l2_packet_pcap: fixed wired IEEE 802.1X authentication with libpcap 1852 and WinPcap to receive frames sent to PAE group address 1853 * disable EAP state machine when IEEE 802.1X authentication is not used 1854 in order to get rid of bogus "EAP failed" messages 1855 * fixed OpenSSL error reporting to go through all pending errors to 1856 avoid confusing reports of old errors being reported at later point 1857 during handshake 1858 * fixed configuration file updating to not write empty variables 1859 (e.g., proto or key_mgmt) that the file parser would not accept 1860 * fixed ADD_NETWORK ctrl_iface command to use the same default values 1861 for variables as empty network definitions read from config file 1862 would get 1863 * fixed EAP state machine to not discard EAP-Failure messages in many 1864 cases (e.g., during TLS handshake) 1865 * fixed a infinite loop in private key reading if the configured file 1866 cannot be parsed successfully 1867 * driver_madwifi: added support for madwifi-ng 1868 * wpa_gui: do not display password/PSK field contents 1869 * wpa_gui: added CA certificate configuration 1870 * driver_ndis: fixed scan request in ap_scan=2 mode not to change SSID 1871 * driver_ndis: include Beacon IEs in AssocInfo in order to notice if 1872 the new AP is using different WPA/RSN IE 1873 * use longer timeout for IEEE 802.11 association to avoid problems with 1874 drivers that may take more than five second to associate 1875 18762005-10-27 - v0.4.6 1877 * allow fallback to WPA, if mixed WPA+WPA2 networks have mismatch in 1878 RSN IE, but WPA IE would match with wpa_supplicant configuration 1879 * added support for named configuration blobs in order to avoid having 1880 to use file system for external files (e.g., certificates); 1881 variables can be set to "blob://<blob name>" instead of file path to 1882 use a named blob; supported fields: pac_file, client_cert, 1883 private_key 1884 * fixed RSN pre-authentication (it was broken in the clean up of WPA 1885 state machine interface in v0.4.5) 1886 * driver_madwifi: set IEEE80211_KEY_GROUP flag for group keys to make 1887 sure the driver configures broadcast decryption correctly 1888 * added ca_path (and ca_path2) configuration variables that can be used 1889 to configure OpenSSL CA path, e.g., /etc/ssl/certs, for using the 1890 system-wide trusted CA list 1891 * added support for starting wpa_supplicant without a configuration 1892 file (-C argument must be used to set ctrl_interface parameter for 1893 this case; in addition, -p argument can be used to provide 1894 driver_param; these new arguments can also be used with a 1895 configuration to override the values from the configuration) 1896 * added global control interface that can be optionally used for adding 1897 and removing network interfaces dynamically (-g command line argument 1898 for both wpa_supplicant and wpa_cli) without having to restart 1899 wpa_supplicant process 1900 * wpa_gui: 1901 - try to save configuration whenever something is modified 1902 - added WEP key configuration 1903 - added possibility to edit the current network configuration 1904 * driver_ndis: fixed driver polling not to increase frequency on each 1905 received EAPOL frame due to incorrectly cancelled timeout 1906 * added simple configuration file examples (in examples subdirectory) 1907 * fixed driver_wext.c to filter wireless events based on ifindex to 1908 avoid interfaces receiving events from other interfaces 1909 * delay sending initial EAPOL-Start couple of seconds to speed up 1910 authentication for the most common case of Authenticator starting 1911 EAP authentication immediately after association 1912 19132005-09-25 - v0.4.5 1914 * added a workaround for clearing keys with ndiswrapper to allow 1915 roaming from WPA enabled AP to plaintext one 1916 * added docbook documentation (doc/docbook) that can be used to 1917 generate, e.g., man pages 1918 * l2_packet_linux: use socket type SOCK_DGRAM instead of SOCK_RAW for 1919 PF_PACKET in order to prepare for network devices that do not use 1920 Ethernet headers (e.g., network stack that includes IEEE 802.11 1921 header in the frames) 1922 * use receipt of EAPOL-Key frame as a lower layer success indication 1923 for EAP state machine to allow recovery from dropped EAP-Success 1924 frame 1925 * cleaned up internal EAPOL frame processing by not including link 1926 layer (Ethernet) header during WPA and EAPOL/EAP processing; this 1927 header is added only when transmitted the frame; this makes it easier 1928 to use wpa_supplicant on link layers that use different header than 1929 Ethernet 1930 * updated EAP-PSK to use draft 9 by default since this can now be 1931 tested with hostapd; removed support for draft 3, including 1932 server_nai configuration option from network blocks 1933 * driver_wired: add PAE address to the multicast address list in order 1934 to be able to receive EAPOL frames with drivers that do not include 1935 these multicast addresses by default 1936 * driver_wext: add support for WE-19 1937 * added support for multiple configuration backends (CONFIG_BACKEND 1938 option); currently, only 'file' is supported (i.e., the format used 1939 in wpa_supplicant.conf) 1940 * added support for updating configuration ('wpa_cli save_config'); 1941 this is disabled by default and can be enabled with global 1942 update_config=1 variable in wpa_supplicant.conf; this allows wpa_cli 1943 and wpa_gui to store the configuration changes in a permanent store 1944 * added GET_NETWORK ctrl_iface command 1945 (e.g., 'wpa_cli get_network 0 ssid') 1946 19472005-08-21 - v0.4.4 1948 * replaced OpenSSL patch for EAP-FAST support 1949 (openssl-tls-extensions.patch) with a more generic and correct 1950 patch (the new patch is not compatible with the previous one, so the 1951 OpenSSL library will need to be patched with the new patch in order 1952 to be able to build wpa_supplicant with EAP-FAST support) 1953 * added support for using Windows certificate store (through CryptoAPI) 1954 for client certificate and private key operations (EAP-TLS) 1955 (see wpa_supplicant.conf for more information on how to configure 1956 this with private_key) 1957 * ported wpa_gui to Windows 1958 * added Qt4 version of wpa_gui (wpa_gui-qt4 directory); this can be 1959 built with the open source version of the Qt4 for Windows 1960 * allow non-WPA modes (e.g., IEEE 802.1X with dynamic WEP) to be used 1961 with drivers that do not support WPA 1962 * ndis_events: fixed Windows 2000 support 1963 * added support for enabling/disabling networks from the list of all 1964 configured networks ('wpa_cli enable_network <network id>' and 1965 'wpa_cli disable_network <network id>') 1966 * added support for adding and removing network from the current 1967 configuration ('wpa_cli add_network' and 'wpa_cli remove_network 1968 <network id>'); added networks are disabled by default and they can 1969 be enabled with enable_network command once the configuration is done 1970 for the new network; note: configuration file is not yet updated, so 1971 these new networks are lost when wpa_supplicant is restarted 1972 * added support for setting network configuration parameters through 1973 the control interface, for example: 1974 wpa_cli set_network 0 ssid "\"my network\"" 1975 * fixed parsing of strings that include both " and # within double 1976 quoted area (e.g., "start"#end") 1977 * added EAP workaround for PEAP session resumption: allow outer, 1978 i.e., not tunneled, EAP-Success to terminate session since; this can 1979 be disabled with eap_workaround=0 1980 (this was allowed for PEAPv1 before, but now it is also allowed for 1981 PEAPv0 since at least one RADIUS authentication server seems to be 1982 doing this for PEAPv0, too) 1983 * wpa_gui: added preliminary support for adding new networks to the 1984 wpa_supplicant configuration (double click on the scan results to 1985 open network configuration) 1986 19872005-06-26 - v0.4.3 1988 * removed interface for external EAPOL/EAP supplicant (e.g., 1989 Xsupplicant), (CONFIG_XSUPPLICANT_IFACE) since it is not required 1990 anymore and is unlikely to be used by anyone 1991 * driver_ndis: fixed WinPcap 3.0 support 1992 * fixed build with CONFIG_DNET_PCAP=y on Linux 1993 * l2_packet: moved different implementations into separate files 1994 (l2_packet_*.c) 1995 19962005-06-12 - v0.4.2 1997 * driver_ipw: updated driver structures to match with ipw2200-1.0.4 1998 (note: ipw2100-1.1.0 is likely to require an update to work with 1999 this) 2000 * added support for using ap_scan=2 mode with multiple network blocks; 2001 wpa_supplicant will go through the networks one by one until the 2002 driver reports a successful association; this uses the same order for 2003 networks as scan_ssid=1 scans, i.e., the priority field is ignored 2004 and the network block order in the file is used instead 2005 * fixed a potential issue in RSN pre-authentication ending up using 2006 freed memory if pre-authentication times out 2007 * added support for matching alternative subject name extensions of the 2008 authentication server certificate; new configuration variables 2009 altsubject_match and altsubject_match2 2010 * driver_ndis: added support for IEEE 802.1X authentication with wired 2011 NDIS drivers 2012 * added support for querying private key password (EAP-TLS) through the 2013 control interface (wpa_cli/wpa_gui) if one is not included in the 2014 configuration file 2015 * driver_broadcom: fixed couple of memory leaks in scan result 2016 processing 2017 * EAP-PAX is now registered as EAP type 46 2018 * fixed EAP-PAX MAC calculation 2019 * fixed EAP-PAX CK and ICK key derivation 2020 * added support for using password with EAP-PAX (as an alternative to 2021 entering key with eappsk); SHA-1 hash of the password will be used as 2022 the key in this case 2023 * added support for arbitrary driver interface parameters through the 2024 configuration file with a new driver_param field; this adds a new 2025 driver_ops function set_param() 2026 * added possibility to override l2_packet module with driver interface 2027 API (new send_eapol handler); this can be used to implement driver 2028 specific TX/RX functions for EAPOL frames 2029 * fixed ctrl_interface_group processing for the case where gid is 2030 entered as a number, not group name 2031 * driver_test: added support for testing hostapd with wpa_supplicant 2032 by using test driver interface without any kernel drivers or network 2033 cards 2034 20352005-05-22 - v0.4.1 2036 * driver_madwifi: fixed WPA/WPA2 mode configuration to allow EAPOL 2037 packets to be encrypted; this was apparently broken by the changed 2038 ioctl order in v0.4.0 2039 * driver_madwifi: added preliminary support for compiling against 'BSD' 2040 branch of madwifi CVS tree 2041 * added support for EAP-MSCHAPv2 password retries within the same EAP 2042 authentication session 2043 * added support for password changes with EAP-MSCHAPv2 (used when the 2044 password has expired) 2045 * added support for reading additional certificates from PKCS#12 files 2046 and adding them to the certificate chain 2047 * fixed association with IEEE 802.1X (no WPA) when dynamic WEP keys 2048 were used 2049 * fixed a possible double free in EAP-TTLS fast-reauthentication when 2050 identity or password is entered through control interface 2051 * display EAP Notification messages to user through control interface 2052 with "CTRL-EVENT-EAP-NOTIFICATION" prefix 2053 * added GUI version of wpa_cli, wpa_gui; this is not build 2054 automatically with 'make'; use 'make wpa_gui' to build (this requires 2055 Qt development tools) 2056 * added 'disconnect' command to control interface for setting 2057 wpa_supplicant in state where it will not associate before 2058 'reassociate' command has been used 2059 * added support for selecting a network from the list of all configured 2060 networks ('wpa_cli select_network <network id>'; this disabled all 2061 other networks; to re-enable, 'wpa_cli select_network any') 2062 * added support for getting scan results through control interface 2063 * added EAP workaround for PEAPv1 session resumption: allow outer, 2064 i.e., not tunneled, EAP-Success to terminate session since; this can 2065 be disabled with eap_workaround=0 2066 20672005-04-25 - v0.4.0 (beginning of 0.4.x development releases) 2068 * added a new build time option, CONFIG_NO_STDOUT_DEBUG, that can be 2069 used to reduce the size of the wpa_supplicant considerably if 2070 debugging code is not needed 2071 * fixed EAPOL-Key validation to drop packets with invalid Key Data 2072 Length; such frames could have crashed wpa_supplicant due to buffer 2073 overflow 2074 * added support for wired authentication (IEEE 802.1X on wired 2075 Ethernet); driver interface 'wired' 2076 * obsoleted set_wpa() handler in the driver interface API (it can be 2077 replaced by moving enable/disable functionality into init()/deinit()) 2078 (calls to set_wpa() are still present for backwards compatibility, 2079 but they may be removed in the future) 2080 * driver_madwifi: fixed association in plaintext mode 2081 * modified the EAP workaround that accepts EAP-Success with incorrect 2082 Identifier to be even less strict about verification in order to 2083 interoperate with some authentication servers 2084 * added support for sending TLS alerts 2085 * added support for 'any' SSID wildcard; if ssid is not configured or 2086 is set to an empty string, any SSID will be accepted for non-WPA AP 2087 * added support for asking PIN (for SIM) from frontends (e.g., 2088 wpa_cli); if a PIN is needed, but not included in the configuration 2089 file, a control interface request is sent and EAP processing is 2090 delayed until the PIN is available 2091 * added support for using external devices (e.g., a smartcard) for 2092 private key operations in EAP-TLS (CONFIG_SMARTCARD=y in .config); 2093 new wpa_supplicant.conf variables: 2094 - global: opensc_engine_path, pkcs11_engine_path, pkcs11_module_path 2095 - network: engine, engine_id, key_id 2096 * added experimental support for EAP-PAX 2097 * added monitor mode for wpa_cli (-a<path to a program to run>) that 2098 allows external commands (e.g., shell scripts) to be run based on 2099 wpa_supplicant events, e.g., when authentication has been completed 2100 and data connection is ready; other related wpa_cli arguments: 2101 -B (run in background), -P (write PID file); wpa_supplicant has a new 2102 command line argument (-W) that can be used to make it wait until a 2103 control interface command is received in order to avoid missing 2104 events 2105 * added support for opportunistic WPA2 PMKSA key caching (disabled by 2106 default, can be enabled with proactive_key_caching=1) 2107 * fixed RSN IE in 4-Way Handshake message 2/4 for the case where 2108 Authenticator rejects PMKSA caching attempt and the driver is not 2109 using assoc_info events 2110 * added -P<pid file> argument for wpa_supplicant to write the current 2111 process id into a file 2112 21132005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) 2114 * added new phase1 option parameter, include_tls_length=1, to force 2115 wpa_supplicant to add TLS Message Length field to all TLS messages 2116 even if the packet is not fragmented; this may be needed with some 2117 authentication servers 2118 * fixed WPA/RSN IE verification in message 3 of 4-Way Handshake when 2119 using drivers that take care of AP selection (e.g., when using 2120 ap_scan=2) 2121 * fixed reprocessing of pending request after ctrl_iface requests for 2122 identity/password/otp 2123 * fixed ctrl_iface requests for identity/password/otp in Phase 2 of 2124 EAP-PEAP and EAP-TTLS 2125 * all drivers using driver_wext: set interface up and select Managed 2126 mode when starting wpa_supplicant; set interface down when exiting 2127 * renamed driver_ipw2100.c to driver_ipw.c since it now supports both 2128 ipw2100 and ipw2200; please note that this also changed the 2129 configuration variable in .config to CONFIG_DRIVER_IPW 2130 21312005-01-24 - v0.3.6 2132 * fixed a busy loop introduced in v0.3.5 for scan result processing 2133 when no matching AP is found 2134 21352005-01-23 - v0.3.5 2136 * added a workaround for an interoperability issue with a Cisco AP 2137 when using WPA2-PSK 2138 * fixed non-WPA IEEE 802.1X to use the same authentication timeout as 2139 WPA with IEEE 802.1X (i.e., timeout 10 -> 70 sec to allow 2140 retransmission of dropped frames) 2141 * fixed issues with 64-bit CPUs and SHA1 cleanup in previous version 2142 (e.g., segfault when processing EAPOL-Key frames) 2143 * fixed EAP workaround and fast reauthentication configuration for 2144 RSN pre-authentication; previously these were disabled and 2145 pre-authentication would fail if the used authentication server 2146 requires EAP workarounds 2147 * added support for blacklisting APs that fail or timeout 2148 authentication in ap_scan=1 mode so that all APs are tried in cases 2149 where the ones with strongest signal level are failing authentication 2150 * fixed CA certificate loading after a failed EAP-TLS/PEAP/TTLS 2151 authentication attempt 2152 * allow EAP-PEAP/TTLS fast reauthentication only if Phase 2 succeeded 2153 in the previous authentication (previously, only Phase 1 success was 2154 verified) 2155 21562005-01-09 - v0.3.4 2157 * added preliminary support for IBSS (ad-hoc) mode configuration 2158 (mode=1 in network block); this included a new key_mgmt mode 2159 WPA-NONE, i.e., TKIP or CCMP with a fixed key (based on psk) and no 2160 key management; see wpa_supplicant.conf for more details and an 2161 example on how to configure this (note: this is currently implemented 2162 only for driver_hostapd.c, but the changes should be trivial to add 2163 in associate() handler for other drivers, too (assuming the driver 2164 supports WPA-None) 2165 * added preliminary port for native Windows (i.e., no cygwin) using 2166 mingw 2167 21682005-01-02 - v0.3.3 2169 * added optional support for GNU Readline and History Libraries for 2170 wpa_cli (CONFIG_READLINE) 2171 * cleaned up EAP state machine <-> method interface and number of 2172 small problems with error case processing not terminating on 2173 EAP-Failure but waiting for timeout 2174 * added couple of workarounds for interoperability issues with a 2175 Cisco AP when using WPA2 2176 * added support for EAP-FAST (draft-cam-winget-eap-fast-00.txt); 2177 Note: This requires a patch for openssl to add support for TLS 2178 extensions and number of workarounds for operations without 2179 certificates. Proof of concept type of experimental patch is 2180 included in openssl-tls-extensions.patch. 2181 21822004-12-19 - v0.3.2 2183 * fixed private key loading for cases where passphrase is not set 2184 * fixed Windows/cygwin L2 packet handler freeing; previous version 2185 could cause a segfault when RSN pre-authentication was completed 2186 * added support for PMKSA caching with drivers that generate RSN IEs 2187 (e.g., NDIS); currently, this is only implemented in driver_ndis.c, 2188 but similar code can be easily added to driver_ndiswrapper.c once 2189 ndiswrapper gets full support for RSN PMKSA caching 2190 * improved recovery from PMKID mismatches by requesting full EAP 2191 authentication in case of failed PMKSA caching attempt 2192 * driver_ndis: added support for NDIS NdisMIncidateStatus() events 2193 (this requires that ndis_events is ran while wpa_supplicant is 2194 running) 2195 * driver_ndis: use ADD_WEP/REMOVE_WEP when configuring WEP keys 2196 * added support for driver interfaces to replace the interface name 2197 based on driver/OS specific mapping, e.g., in case of driver_ndis, 2198 this allows the beginning of the adapter description to be used as 2199 the interface name 2200 * added support for CR+LF (Windows-style) line ends in configuration 2201 file 2202 * driver_ndis: enable radio before starting scanning, disable radio 2203 when exiting 2204 * modified association event handler to set portEnabled = FALSE before 2205 clearing port Valid in order to reset EAP state machine and avoid 2206 problems with new authentication getting ignored because of state 2207 machines ending up in AUTHENTICATED/SUCCESS state based on old 2208 information 2209 * added support for driver events to add PMKID candidates in order to 2210 allow drivers to give priority to most likely roaming candidates 2211 * driver_hostap: moved PrivacyInvoked configuration to associate() 2212 function so that this will not be set for plaintext connections 2213 * added KEY_MGMT_802_1X_NO_WPA as a new key_mgmt type so that driver 2214 interface can distinguish plaintext and IEEE 802.1X (no WPA) 2215 authentication 2216 * fixed static WEP key configuration to use broadcast/default type for 2217 all keys (previously, the default TX key was configured as pairwise/ 2218 unicast key) 2219 * driver_ndis: added legacy WPA capability detection for non-WPA2 2220 drivers 2221 * added support for setting static WEP keys for IEEE 802.1X without 2222 dynamic WEP keying (eapol_flags=0) 2223 22242004-12-12 - v0.3.1 2225 * added support for reading PKCS#12 (PFX) files (as a replacement for 2226 PEM/DER) to get certificate and private key (CONFIG_PKCS12) 2227 * fixed compilation with CONFIG_PCSC=y 2228 * added new ap_scan mode, ap_scan=2, for drivers that take care of 2229 association, but need to be configured with security policy and SSID, 2230 e.g., ndiswrapper and NDIS driver; this mode should allow such 2231 drivers to work with hidden SSIDs and optimized roaming; when 2232 ap_scan=2 is used, only the first network block in the configuration 2233 file is used and this configuration should have explicit security 2234 policy (i.e., only one option in the lists) for key_mgmt, pairwise, 2235 group, proto variables 2236 * added experimental port of wpa_supplicant for Windows 2237 - driver_ndis.c driver interface (NDIS OIDs) 2238 - currently, this requires cygwin and WinPcap 2239 - small utility, win_if_list, can be used to get interface name 2240 * control interface can now be removed at build time; add 2241 CONFIG_CTRL_IFACE=y to .config to maintain old functionality 2242 * optional Xsupplicant interface can now be removed at build time; 2243 (CONFIG_XSUPPLICANT_IFACE=y in .config to bring it back) 2244 * added auth_alg to driver interface associate() parameters to make it 2245 easier for drivers to configure authentication algorithm as part of 2246 the association 2247 22482004-12-05 - v0.3.0 (beginning of 0.3.x development releases) 2249 * driver_broadcom: added new driver interface for Broadcom wl.o driver 2250 (a generic driver for Broadcom IEEE 802.11a/g cards) 2251 * wpa_cli: fixed parsing of -p <path> command line argument 2252 * PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS 2253 ACK, not tunneled EAP-Success (of which only the first byte was 2254 actually send due to a bug in previous code); this seems to 2255 interoperate with most RADIUS servers that implements PEAPv1 2256 * PEAPv1: added support for terminating PEAP authentication on tunneled 2257 EAP-Success message; this can be configured by adding 2258 peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf 2259 (some RADIUS servers require this whereas others require a tunneled 2260 reply 2261 * PEAPv1: changed phase1 option peaplabel to use default to 0, i.e., to 2262 the old label for key derivation; previously, the default was 1, 2263 but it looks like most existing PEAPv1 implementations use the old 2264 label which is thus more suitable default option 2265 * added support for EAP-PSK (draft-bersani-eap-psk-03.txt) 2266 * fixed parsing of wep_tx_keyidx 2267 * added support for configuring list of allowed Phase 2 EAP types 2268 (for both EAP-PEAP and EAP-TTLS) instead of only one type 2269 * added support for configuring IEEE 802.11 authentication algorithm 2270 (auth_alg; mainly for using Shared Key authentication with static 2271 WEP keys) 2272 * added support for EAP-AKA (with UMTS SIM) 2273 * fixed couple of errors in PCSC handling that could have caused 2274 random-looking errors for EAP-SIM 2275 * added support for EAP-SIM pseudonyms and fast re-authentication 2276 * added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS 2277 session resumption) 2278 * added support for EAP-SIM with two challenges 2279 (phase1="sim_min_num_chal=3" can be used to require three challenges) 2280 * added support for configuring DH/DSA parameters for an ephemeral DH 2281 key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters 2282 dh_file and dh_file2 (phase 2); this adds support for using DSA keys 2283 and optional DH key exchange to achieve forward secracy with RSA keys 2284 * added support for matching subject of the authentication server 2285 certificate with a substring when using EAP-TLS/PEAP/TTLS; new 2286 configuration variables subject_match and subject_match2 2287 * changed SSID configuration in driver_wext.c (used by many driver 2288 interfaces) to use ssid_len+1 as the length for SSID since some Linux 2289 drivers expect this 2290 * fixed couple of unaligned reads in scan result parsing to fix WPA 2291 connection on some platforms (e.g., ARM) 2292 * added driver interface for Intel ipw2100 driver 2293 * added support for LEAP with WPA 2294 * added support for larger scan results report (old limit was 4 kB of 2295 data, i.e., about 35 or so APs) when using Linux wireless extensions 2296 v17 or newer 2297 * fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start 2298 only if there is a PMKSA cache entry for the current AP 2299 * fixed error handling for case where reading of scan results fails: 2300 must schedule a new scan or wpa_supplicant will remain waiting 2301 forever 2302 * changed debug output to remove shared password/key material by 2303 default; all key information can be included with -K command line 2304 argument to match the previous behavior 2305 * added support for timestamping debug log messages (disabled by 2306 default, can be enabled with -t command line argument) 2307 * set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104 2308 if keys are not configured to be used; this fixes IEEE 802.1X mode 2309 with drivers that use this information to configure whether Privacy 2310 bit can be in Beacon frames (e.g., ndiswrapper) 2311 * avoid clearing driver keys if no keys have been configured since last 2312 key clear request; this seems to improve reliability of group key 2313 handshake for ndiswrapper & NDIS driver which seems to be suffering 2314 of some kind of timing issue when the keys are cleared again after 2315 association 2316 * changed driver interface API: 2317 - WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which 2318 version is being used (now, this is set to 2; previously, it was 2319 not defined) 2320 - pass pointer to private data structure to all calls 2321 - the new API is not backwards compatible; all in-tree driver 2322 interfaces has been converted to the new API 2323 * added support for controlling multiple interfaces (radios) per 2324 wpa_supplicant process; each interface needs to be listed on the 2325 command line (-c, -i, -D arguments) with -N as a separator 2326 (-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi) 2327 * added a workaround for EAP servers that incorrectly use same Id for 2328 sequential EAP packets 2329 * changed libpcap/libdnet configuration to use .config variable, 2330 CONFIG_DNET_PCAP, instead of requiring Makefile modification 2331 * improved downgrade attack detection in IE verification of msg 3/4: 2332 verify both WPA and RSN IEs, if present, not only the selected one; 2333 reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or 2334 Probe Response frame, and RSN is enabled in wpa_supplicant 2335 configuration 2336 * fixed WPA msg 3/4 processing to allow Key Data field contain other 2337 IEs than just one WPA IE 2338 * added support for FreeBSD and driver interface for the BSD net80211 2339 layer (CONFIG_DRIVER_BSD=y in .config); please note that some of the 2340 required kernel mods have not yet been committed 2341 * made EAP workarounds configurable; enabled by default, can be 2342 disabled with network block option eap_workaround=0 2343 23442004-07-17 - v0.2.4 (beginning of 0.2.x stable releases) 2345 * resolved couple of interoperability issues with EAP-PEAPv1 and 2346 Phase 2 (inner EAP) fragment reassembly 2347 * driver_madwifi: fixed WEP key configuration for IEEE 802.1X when the 2348 AP is using non-zero key index for the unicast key and key index zero 2349 for the broadcast key 2350 * driver_hostap: fixed IEEE 802.1X WEP key updates and 2351 re-authentication by allowing unencrypted EAPOL frames when not using 2352 WPA 2353 * added a new driver interface, 'wext', which uses only standard, 2354 driver independent functionality in Linux wireless extensions; 2355 currently, this can be used only for non-WPA IEEE 802.1X mode, but 2356 eventually, this is to be extended to support full WPA/WPA2 once 2357 Linux wireless extensions get support for this 2358 * added support for mode in which the driver is responsible for AP 2359 scanning and selection; this is disabled by default and can be 2360 enabled with global ap_scan=0 variable in wpa_supplicant.conf; 2361 this mode can be used, e.g., with generic 'wext' driver interface to 2362 use wpa_supplicant as IEEE 802.1X Supplicant with any Linux driver 2363 supporting wireless extensions. 2364 * driver_madwifi: fixed WPA2 configuration and scan_ssid=1 (e.g., 2365 operation with an AP that does not include SSID in the Beacon frames) 2366 * added support for new EAP authentication methods: 2367 EAP-TTLS/EAP-OTP, EAP-PEAPv0/OTP, EAP-PEAPv1/OTP, EAP-OTP 2368 * added support for asking one-time-passwords from frontends (e.g., 2369 wpa_cli); this 'otp' command works otherwise like 'password' command, 2370 but the password is used only once and the frontend will be asked for 2371 a new password whenever a request from authenticator requires a 2372 password; this can be used with both EAP-OTP and EAP-GTC 2373 * changed wpa_cli to automatically re-establish connection so that it 2374 does not need to be re-started when wpa_supplicant is terminated and 2375 started again 2376 * improved user data (identity/password/otp) requests through 2377 frontends: process pending EAPOL packets after getting new 2378 information so that full authentication does not need to be 2379 restarted; in addition, send pending requests again whenever a new 2380 frontend is attached 2381 * changed control frontends to use a new directory for socket files to 2382 make it easier for wpa_cli to automatically select between interfaces 2383 and to provide access control for the control interface; 2384 wpa_supplicant.conf: ctrl_interface is now a path 2385 (/var/run/wpa_supplicant is the recommended path) and 2386 ctrl_interface_group can be used to select which group gets access to 2387 the control interface; 2388 wpa_cli: by default, try to connect to the first interface available 2389 in /var/run/wpa_supplicant; this path can be overridden with -p option 2390 and an interface can be selected with -i option (i.e., in most common 2391 cases, wpa_cli does not need to get any arguments) 2392 * added support for LEAP 2393 * added driver interface for Linux ndiswrapper 2394 * added priority option for network blocks in the configuration file; 2395 this allows networks to be grouped based on priority (the scan 2396 results are searched for matches with network blocks in this order) 2397 23982004-06-20 - v0.2.3 2399 * sort scan results to improve AP selection 2400 * fixed control interface socket removal for some error cases 2401 * improved scan requesting and authentication timeout 2402 * small improvements/bug fixes for EAP-MSCHAPv2, EAP-PEAP, and 2403 TLS processing 2404 * PEAP version can now be forced with phase1="peapver=<ver>" 2405 (mostly for testing; by default, the highest version supported by 2406 both the Supplicant and Authentication Server is selected 2407 automatically) 2408 * added support for madwifi driver (Atheros ar521x) 2409 * added a workaround for cases where AP sets Install Tx/Rx bit for 2410 WPA Group Key messages when pairwise keys are used (without this, 2411 the Group Key would be used for Tx and the AP would drop frames 2412 from the station) 2413 * added GSM SIM/USIM interface for GSM authentication algorithm for 2414 EAP-SIM; this requires pcsc-lite 2415 * added support for ATMEL AT76C5XXx driver 2416 * fixed IEEE 802.1X WEP key derivation in the case where Authenticator 2417 does not include key data in the EAPOL-Key frame (i.e., part of 2418 EAP keying material is used as data encryption key) 2419 * added support for using plaintext and static WEP networks 2420 (key_mgmt=NONE) 2421 24222004-05-31 - v0.2.2 2423 * added support for new EAP authentication methods: 2424 EAP-TTLS/EAP-MD5-Challenge 2425 EAP-TTLS/EAP-GTC 2426 EAP-TTLS/EAP-MSCHAPv2 2427 EAP-TTLS/EAP-TLS 2428 EAP-TTLS/MSCHAPv2 2429 EAP-TTLS/MSCHAP 2430 EAP-TTLS/PAP 2431 EAP-TTLS/CHAP 2432 EAP-PEAP/TLS 2433 EAP-PEAP/GTC 2434 EAP-PEAP/MD5-Challenge 2435 EAP-GTC 2436 EAP-SIM (not yet complete; needs GSM/SIM authentication interface) 2437 * added support for anonymous identity (to be used when identity is 2438 sent in plaintext; real identity will be used within TLS protected 2439 tunnel (e.g., with EAP-TTLS) 2440 * added event messages from wpa_supplicant to frontends, e.g., wpa_cli 2441 * added support for requesting identity and password information using 2442 control interface; in other words, the password for EAP-PEAP or 2443 EAP-TTLS does not need to be included in the configuration file since 2444 a frontand (e.g., wpa_cli) can ask it from the user 2445 * improved RSN pre-authentication to use a candidate list and process 2446 all candidates from each scan; not only one per scan 2447 * fixed RSN IE and WPA IE capabilities field parsing 2448 * ignore Tx bit in GTK IE when Pairwise keys are used 2449 * avoid making new scan requests during IEEE 802.1X negotiation 2450 * use openssl/libcrypto for MD5 and SHA-1 when compiling wpa_supplicant 2451 with TLS support (this replaces the included implementation with 2452 library code to save about 8 kB since the library code is needed 2453 anyway for TLS) 2454 * fixed WPA-PSK only mode when compiled without IEEE 802.1X support 2455 (i.e., without CONFIG_IEEE8021X_EAPOL=y in .config) 2456 24572004-05-06 - v0.2.1 2458 * added support for internal IEEE 802.1X (actually, IEEE 802.1aa/D6.1) 2459 Supplicant 2460 - EAPOL state machines for Supplicant [IEEE 802.1aa/D6.1] 2461 - EAP peer state machine [draft-ietf-eap-statemachine-02.pdf] 2462 - EAP-MD5 (cannot be used with WPA-RADIUS) 2463 [draft-ietf-eap-rfc2284bis-09.txt] 2464 - EAP-TLS [RFC 2716] 2465 - EAP-MSCHAPv2 (currently used only with EAP-PEAP) 2466 - EAP-PEAP/MSCHAPv2 [draft-josefsson-pppext-eap-tls-eap-07.txt] 2467 [draft-kamath-pppext-eap-mschapv2-00.txt] 2468 (PEAP version 0, 1, and parts of 2; only 0 and 1 are enabled by 2469 default; tested with FreeRADIUS, Microsoft IAS, and Funk Odyssey) 2470 - new configuration file options: eap, identity, password, ca_cert, 2471 client_cert, privatekey, private_key_passwd 2472 - Xsupplicant is not required anymore, but it can be used by 2473 disabling the internal IEEE 802.1X Supplicant with -e command line 2474 option 2475 - this code is not included in the default build; Makefile need to 2476 be edited for this (uncomment lines for selected functionality) 2477 - EAP-TLS and EAP-PEAP require openssl libraries 2478 * use module prefix in debug messages (WPA, EAP, EAP-TLS, ..) 2479 * added support for non-WPA IEEE 802.1X mode with dynamic WEP keys 2480 (i.e., complete IEEE 802.1X/EAP authentication and use IEEE 802.1X 2481 EAPOL-Key frames instead of WPA key handshakes) 2482 * added support for IEEE 802.11i/RSN (WPA2) 2483 - improved PTK Key Handshake 2484 - PMKSA caching, pre-authentication 2485 * fixed wpa_supplicant to ignore possible extra data after WPA 2486 EAPOL-Key packets (this fixes 'Invalid EAPOL-Key MIC when using 2487 TPTK' error from message 3 of 4-Way Handshake in case the AP 2488 includes extra data after the EAPOL-Key) 2489 * added interface for external programs (frontends) to control 2490 wpa_supplicant 2491 - CLI example (wpa_cli) with interactive mode and command line 2492 mode 2493 - replaced SIGUSR1 status/statistics with the new control interface 2494 * made some feature compile time configurable 2495 - .config file for make 2496 - driver interfaces (hostap, hermes, ..) 2497 - EAPOL/EAP functions 2498 24992004-02-15 - v0.2.0 2500 * Initial version of wpa_supplicant 2501