1 ChangeLog for wpa_supplicant
4 * added support for Makefile builds to include debug-log-to-a-file
5 functionality (CONFIG_DEBUG_FILE=y and -f<path> on command line)
6 * added network configuration parameter 'frequency' for setting
7 initial channel for IBSS (adhoc) networks
8 * fixed EAP-SIM and EAP-AKA message parser to validate attribute
9 lengths properly to avoid potential crash caused by invalid messages
10 * added driver_wext workaround for race condition between scanning and
11 association with drivers that take very long time to scan all
12 channels (e.g., madwifi with dual-band cards); wpa_supplicant is now
13 using a longer hardcoded timeout for the scan if the driver supports
14 notifications for scan completion (SIOCGIWSCAN event); this helps,
15 e.g., in cases where wpa_supplicant and madwifi driver ended up in
16 loop where the driver did not even try to associate
17 * fixed EAP-SIM not to include AT_NONCE_MT and AT_SELECTED_VERSION
18 attributes in EAP-SIM Start/Response when using fast reauthentication
19 * fixed problems in getting NDIS events from WMI on Windows 2000
22 * fixed an integer overflow issue in the ASN.1 parser used by the
23 (experimental) internal TLS implementation to avoid a potential
25 * fixed a race condition with -W option (wait for a control interface
26 monitor before starting) that could have caused the first messages to
28 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
29 draft (draft-ietf-emu-eap-gpsk-07.txt)
30 * added ctrl_iface RECONNECT (wpa_cli reconnect) command
31 (like reassociate, but only takes effect if already associated)
32 * fixed a possible race condition between wpa_cli reassociate and
34 * return a non-zero exit code from non-interactive wpa_cli if the
35 command is not recognized or fails
36 * fixed 0.5.8 regressions in BSS selection that prevented wildcard SSID
37 from being used with non-WPA networks and disabled workaround for
38 ignoring bogus WPA/RSN IE in non-WPA configuration
39 * fixed OpenSSL TLS wrapper to clear trusted CA list to allow
40 network blocks to use different trusted CA configurations
41 * fixed a potential EAP state machine loop when mloving from PSK to EAP
42 configuration without restarting wpa_supplicant
45 * updated driver_wext.c to build with the current wireless-dev.git tree
46 and net/d80211 changes
47 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
48 draft (draft-ietf-emu-eap-gpsk-03.txt)
49 * fixed 'make install'
50 * fixed EAP-TTLS implementation not to crash on use of freed memory
51 if TLS library initialization fails
52 * fixed EAP-AKA Notification processing to allow Notification to be
53 processed after AKA Challenge response has been sent
56 * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
57 * updated EAP-PSK to use the IANA-allocated EAP type 47
58 * fixed EAP-PAX key derivation
59 * fixed EAP-PSK bit ordering of the Flags field
60 * fixed EAP-PEAP/TTLS/FAST to use the correct EAP identifier in
61 tunnelled identity request (previously, the identifier from the outer
62 method was used, not the tunnelled identifier which could be
64 * fixed EAP-TTLS AVP parser processing for too short AVP lengths
65 * added support for EAP-FAST authentication with inner methods that
66 generate MSK (e.g., EAP-MSCHAPv2 that was previously only supported
68 * fixed dbus ctrl_iface to validate message interface before
69 dispatching to avoid a possible segfault [Bug 190]
70 * fixed PeerKey key derivation to use the correct PRF label
71 * updated Windows binary build to link against OpenSSL 0.9.8d and
72 added support for EAP-FAST
75 * added experimental, integrated TLSv1 client implementation with the
76 needed X.509/ASN.1/RSA/bignum processing (this can be enabled by
77 setting CONFIG_TLS=internal and CONFIG_INTERNAL_LIBTOMMATH=y in
78 .config); this can be useful, e.g., if the target system does not
79 have a suitable TLS library and a minimal code size is required
80 (total size of this internal TLS/crypto code is bit under 50 kB on
81 x86 and the crypto code is shared by rest of the supplicant so some
82 of it was already required; TLSv1/X.509/ASN.1/RSA added about 25 kB)
83 * removed STAKey handshake since PeerKey handshake has replaced it in
84 IEEE 802.11ma and there are no known deployments of STAKey
85 * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
86 draft (draft-ietf-emu-eap-gpsk-01.txt)
87 * added preliminary implementation of IEEE 802.11w/D1.0 (management
89 (Note: this requires driver support to work properly.)
90 (Note2: IEEE 802.11w is an unapproved draft and subject to change.)
91 * fixed Windows named pipes ctrl_iface to not stop listening for
92 commands if client program opens a named pipe and closes it
93 immediately without sending a command
94 * fixed USIM PIN status determination for the case that PIN is not
95 needed (this allows EAP-AKA to be used with USIM cards that do not
97 * added support for reading 3G USIM AID from EF_DIR to allow EAP-AKA to
98 be used with cards that do not support file selection based on
100 * added support for matching the subjectAltName of the authentication
101 server certificate against multiple name components (e.g.,
102 altsubject_match="DNS:server.example.com;DNS:server2.example.com")
103 * fixed EAP-SIM/AKA key derivation for re-authentication case (only
104 affects IEEE 802.1X with dynamic WEP keys)
105 * changed ctrl_iface network configuration 'get' operations to not
106 return password/key material; if these fields are requested, "*"
107 will be returned if the password/key is set, but the value of the
108 parameter is not exposed
111 * added support for building Windows version with UNICODE defined
112 (wide-char functions)
113 * driver_ndis: fixed static WEP configuration to avoid race condition
114 issues with some NDIS drivers between association and setting WEP
116 * driver_ndis: added validation for IELength value in scan results to
117 avoid crashes when using buggy NDIS drivers [Bug 165]
118 * fixed Release|Win32 target in the Visual Studio project files
119 (previously, only Debug|Win32 target was set properly)
120 * changed control interface API call wpa_ctrl_pending() to allow it to
121 return -1 on error (e.g., connection lost); control interface clients
122 will need to make sure that they verify that the value is indeed >0
123 when determining whether there are pending messages
124 * added an alternative control interface backend for Windows targets:
125 Named Pipe (CONFIG_CTRL_IFACE=named_pipe); this is now the default
126 control interface mechanism for Windows builds (previously, UDP to
128 * changed ctrl_interface configuration for UNIX domain sockets:
129 - deprecated ctrl_interface_group variable (it may be removed in
131 - allow both directory and group be configured with ctrl_interface
132 in following format: DIR=/var/run/wpa_supplicant GROUP=wheel
133 - ctrl_interface=/var/run/wpa_supplicant is still supported for the
134 case when group is not changed
135 * added support for controlling more than one interface per process in
137 * added a workaround for a case where the AP is using unknown address
138 (e.g., MAC address of the wired interface) as the source address for
139 EAPOL-Key frames; previously, that source address was used as the
140 destination for EAPOL-Key frames and in key derivation; now, BSSID is
141 used even if the source address does not match with it
142 (this resolves an interoperability issue with Thomson SpeedTouch 580)
143 * added a workaround for UDP-based control interface (which was used in
144 Windows builds before this release) to prevent packets with forged
145 addresses from being accepted as local control requests
146 * removed ndis_events.cpp and possibility of using external
147 ndis_events.exe; C version (ndis_events.c) is fully functional and
148 there is no desire to maintain two separate versions of this
150 * ndis_events: Changed NDIS event notification design to use WMI to
151 learn the adapter description through Win32_PnPEntity class; this
152 should fix some cases where the adapter name was not recognized
153 correctly (e.g., with some USB WLAN adapters, e.g., Ralink RT2500
155 * fixed selection of the first network in ap_scan=2 mode; previously,
156 wpa_supplicant could get stuck in SCANNING state when only the first
157 network for enabled (e.g., after 'wpa_cli select_network 0')
158 * winsvc: added support for configuring ctrl_interface parameters in
159 registry (ctrl_interface string value in
160 HKLM\SOFTWARE\wpa_supplicant\interfaces\0000 key); this new value is
161 required to enable control interface (previously, this was hardcoded
163 * allow wpa_gui subdirectory to be built with both Qt3 and Qt4
164 * converted wpa_gui-qt4 subdirectory to use Qt4 specific project format
167 * fixed build with CONFIG_STAKEY=y [Bug 143]
168 * added support for doing MLME (IEEE 802.11 management frame
169 processing) in wpa_supplicant when using Devicescape IEEE 802.11
170 stack (wireless-dev.git tree)
171 * added a new network block configuration option, fragment_size, to
172 configure the maximum EAP fragment size
173 * driver_ndis: Disable WZC automatically for the selected interface to
174 avoid conflicts with two programs trying to control the radio; WZC
175 will be re-enabled (if it was enabled originally) when wpa_supplicant
177 * added an experimental TLSv1 client implementation
178 (CONFIG_TLS=internal) that can be used instead of an external TLS
179 library, e.g., to reduce total size requirement on systems that do
180 not include any TLS library by default (this is not yet complete;
181 basic functionality is there, but certificate validation is not yet
183 * added PeerKey handshake implementation for IEEE 802.11e
184 direct link setup (DLS) to replace STAKey handshake
185 * fixed WPA PSK update through ctrl_iface for the case where the old
186 PSK was derived from an ASCII passphrase and the new PSK is set as
187 a raw PSK (hex string)
188 * added new configuration option for identifying which network block
189 was used (id_str in wpa_supplicant.conf; included on
190 WPA_EVENT_CONNECT monitor event and as WPA_ID_STR environmental
191 variable in wpa_cli action scripts; in addition WPA_ID variable is
192 set to the current unique identifier that wpa_supplicant assigned
193 automatically for the network and that can be used with
194 GET_NETWORK/SET_NETWORK ctrl_iface commands)
195 * wpa_cli action script is now called only when the connect/disconnect
196 status changes or when associating with a different network
197 * fixed configuration parser not to remove CCMP from group cipher list
198 if WPA-None (adhoc) is used (pairwise=NONE in that case)
199 * fixed integrated NDIS events processing not to hang the process due
200 to a missed change in eloop_win.c API in v0.5.3 [Bug 155]
201 * added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
202 draft-clancy-emu-eap-shared-secret-00.txt)
203 * added Microsoft Visual Studio 2005 solution and project files for
204 build wpa_supplicant for Windows (see vs2005 subdirectory)
205 * eloop_win: fixed unregistration of Windows events
206 * l2_packet_winpcap: fixed a deadlock in deinitializing l2_packet
207 at the end of RSN pre-authentication and added unregistration of
208 a Windows event to avoid getting eloop_win stuck with an invalid
210 * driver_ndis: added support for selecting AP based on BSSID
211 * added new environmental variable for wpa_cli action scripts:
212 WPA_CTRL_DIR is the current control interface directory
213 * driver_ndis: added support for using NDISUIO instead of WinPcap for
214 OID set/query operations (CONFIG_USE_NDISUIO=y in .config); with new
215 l2_packet_ndis (CONFIG_L2_PACKET=ndis), this can be used to build
216 wpa_supplicant without requiring WinPcap; note that using NDISUIO
217 requires that WZC is disabled (net stop wzcsvc) since NDISUIO allows
218 only one application to open the device
219 * changed NDIS driver naming to only include device GUID, e.g.,
220 {7EE3EFE5-C165-472F-986D-F6FBEDFE8C8D}, instead of including WinPcap
221 specific \Device\NPF_ prefix before the GUID; the prefix is still
222 allowed for backwards compatibility, but it is not required anymore
223 when specifying the interface
224 * driver_ndis: re-initialize driver interface is the adapter is removed
225 and re-inserted [Bug 159]
226 * driver_madwifi: fixed TKIP and CCMP sequence number configuration on
227 big endian hosts [Bug 146]
230 * fixed EAP-GTC response to include correct user identity when run as
231 phase 2 method of EAP-FAST (i.e., EAP-FAST did not work in v0.5.2)
232 * driver_ndis: Fixed encryption mode configuration for unencrypted
233 networks (some NDIS drivers ignored this, but others, e.g., Broadcom,
234 refused to associate with open networks) [Bug 106]
235 * driver_ndis: use BSSID OID polling to detect when IBSS network is
236 formed even when ndis_events code is included since some NDIS drivers
237 do not generate media connect events in IBSS mode
238 * config_winreg: allow global ctrl_interface parameter to be configured
240 * config_winreg: added support for saving configuration data into
242 * added support for controlling network device operational state
243 (dormant/up) for Linux 2.6.17 to improve DHCP processing (see
244 http://www.flamewarmaster.de/software/dhcpclient/ for a DHCP client
245 that can use this information)
246 * driver_wext: added support for WE-21 change to SSID configuration
247 * driver_wext: fixed privacy configuration for static WEP keys mode
249 * added an optional driver_ops callback for MLME-SETPROTECTION.request
251 * added support for EAP-SAKE (no EAP method number allocated yet, so
252 this is using the same experimental type 255 as EAP-PSK)
253 * added support for dynamically loading EAP methods (.so files) instead
254 of requiring them to be statically linked in; this is disabled by
255 default (see CONFIG_DYNAMIC_EAP_METHODS in defconfig for information
259 * do not try to use USIM APDUs when initializing PC/SC for SIM card
260 access for a network that has not enabled EAP-AKA
261 * fixed EAP phase 2 Nak for EAP-{PEAP,TTLS,FAST} (this was broken in
262 v0.5.1 due to the new support for expanded EAP types)
263 * added support for generating EAP Expanded Nak
264 * try to fetch scan results once before requesting new scan when
265 starting up in ap_scan=1 mode (this can speed up initial association
266 a lot with, e.g., madwifi-ng driver)
267 * added support for receiving EAPOL frames from a Linux bridge
268 interface (-bbr0 on command line)
269 * fixed EAPOL re-authentication for sessions that used PMKSA caching
270 * changed EAP method registration to use a dynamic list of methods
271 instead of a static list generated at build time
272 * fixed PMKSA cache deinitialization not to use freed memory when
273 removing PMKSA entries
274 * fixed a memory leak in EAP-TTLS re-authentication
275 * reject WPA/WPA2 message 3/4 if it does not include any valid
277 * driver_wext: added fallback to use SIOCSIWENCODE for setting auth_alg
278 if the driver does not support SIOCSIWAUTH
281 * driver_test: added better support for multiple APs and STAs by using
282 a directory with sockets that include MAC address for each device in
283 the name (driver_param=test_dir=/tmp/test)
284 * added support for EAP expanded type (vendor specific EAP methods)
285 * added AP_SCAN command into ctrl_iface so that ap_scan configuration
286 option can be changed if needed
287 * wpa_cli/wpa_gui: skip non-socket files in control directory when
288 using UNIX domain sockets; this avoids selecting an incorrect
289 interface (e.g., a PID file could be in this directory, even though
290 use of this directory for something else than socket files is not
292 * fixed TLS library deinitialization after RSN pre-authentication not
293 to disable TLS library for normal authentication
294 * driver_wext: Remove null-termination from SSID length if the driver
295 used it; some Linux drivers do this and they were causing problems in
296 wpa_supplicant not finding matching configuration block. This change
297 would break a case where the SSID actually ends in '\0', but that is
298 not likely to happen in real use.
299 * fixed PMKSA cache processing not to trigger deauthentication if the
300 current PMKSA cache entry is replaced with a valid new entry
301 * fixed PC/SC initialization for ap_scan != 1 modes (this fixes
302 EAP-SIM and EAP-AKA with real SIM/USIM card when using ap_scan=0 or
305 2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
306 * added experimental STAKey handshake implementation for IEEE 802.11e
307 direct link setup (DLS); note: this is disabled by default in both
308 build and runtime configuration (can be enabled with CONFIG_STAKEY=y
310 * fixed EAP-SIM and EAP-AKA pseudonym and fast re-authentication to
311 decrypt AT_ENCR_DATA attributes correctly
312 * fixed EAP-AKA to allow resynchronization within the same session
313 * made code closer to ANSI C89 standard to make it easier to port to
314 other C libraries and compilers
315 * started moving operating system or C library specific functions into
316 wrapper functions defined in os.h and implemented in os_*.c to make
318 * wpa_supplicant can now be built with Microsoft Visual C++
319 (e.g., with the freely available Toolkit 2003 version or Visual
320 C++ 2005 Express Edition and Platform SDK); see nmake.mak for an
321 example makefile for nmake
322 * added support for using Windows registry for command line parameters
323 (CONFIG_MAIN=main_winsvc) and configuration data
324 (CONFIG_BACKEND=winreg); see win_example.reg for an example registry
325 contents; this version can be run both as a Windows service and as a
326 normal application; 'wpasvc.exe app' to start as applicant,
327 'wpasvc.exe reg <full path to wpasvc.exe>' to register a service,
328 'net start wpasvc' to start the service, 'wpasvc.exe unreg' to
330 * made it possible to link ndis_events.exe functionality into
331 wpa_supplicant.exe by defining CONFIG_NDIS_EVENTS_INTEGRATED
332 * added better support for multiple control interface backends
333 (CONFIG_CTRL_IFACE option); currently, 'unix' and 'udp' are supported
334 * fixed PC/SC code to use correct length for GSM AUTH command buffer
335 and to not use pioRecvPci with SCardTransmit() calls; these were not
336 causing visible problems with pcsc-lite, but Windows Winscard.dll
337 refused the previously used parameters; this fixes EAP-SIM and
338 EAP-AKA authentication using SIM/USIM card under Windows
339 * added new event loop implementation for Windows using
340 WaitForMultipleObject() instead of select() in order to allow waiting
341 for non-socket objects; this can be selected with
342 CONFIG_ELOOP=eloop_win in .config
343 * added support for selecting l2_packet implementation in .config
344 (CONFIG_L2_PACKET; following options are available now: linux, pcap,
345 winpcap, freebsd, none)
346 * added new l2_packet implementation for WinPcap
347 (CONFIG_L2_PACKET=winpcap) that uses a separate receive thread to
348 reduce latency in EAPOL receive processing from about 100 ms to about
350 * added support for EAP-FAST key derivation using other ciphers than
351 RC4-128-SHA for authentication and AES128-SHA for provisioning
352 * added support for configuring CA certificate as DER file and as a
354 * fixed private key configuration as configuration blob and added
355 support for using PKCS#12 as a blob
356 * tls_gnutls: added support for using PKCS#12 files; added support for
358 * added support for loading trusted CA certificates from Windows
359 certificate store: ca_cert="cert_store://<name>", where <name> is
360 likely CA (Intermediate CA certificates) or ROOT (root certificates)
361 * added C version of ndis_events.cpp and made it possible to build this
362 with MinGW so that CONFIG_NDIS_EVENTS_INTEGRATED can be used more
363 easily on cross-compilation builds
364 * added wpasvc.exe into Windows binary release; this is an alternative
365 version of wpa_supplicant.exe with configuration backend using
366 Windows registry and with the entry point designed to run as a
368 * integrated ndis_events.exe functionality into wpa_supplicant.exe and
369 wpasvc.exe and removed this additional tool from the Windows binary
370 release since it is not needed anymore
371 * load winscard.dll functions dynamically when building with MinGW
372 since MinGW does not yet include winscard library
374 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
375 * l2_packet_pcap: fixed wired IEEE 802.1X authentication with libpcap
376 and WinPcap to receive frames sent to PAE group address
377 * disable EAP state machine when IEEE 802.1X authentication is not used
378 in order to get rid of bogus "EAP failed" messages
379 * fixed OpenSSL error reporting to go through all pending errors to
380 avoid confusing reports of old errors being reported at later point
382 * fixed configuration file updating to not write empty variables
383 (e.g., proto or key_mgmt) that the file parser would not accept
384 * fixed ADD_NETWORK ctrl_iface command to use the same default values
385 for variables as empty network definitions read from config file
387 * fixed EAP state machine to not discard EAP-Failure messages in many
388 cases (e.g., during TLS handshake)
389 * fixed a infinite loop in private key reading if the configured file
390 cannot be parsed successfully
391 * driver_madwifi: added support for madwifi-ng
392 * wpa_gui: do not display password/PSK field contents
393 * wpa_gui: added CA certificate configuration
394 * driver_ndis: fixed scan request in ap_scan=2 mode not to change SSID
395 * driver_ndis: include Beacon IEs in AssocInfo in order to notice if
396 the new AP is using different WPA/RSN IE
397 * use longer timeout for IEEE 802.11 association to avoid problems with
398 drivers that may take more than five second to associate
401 * allow fallback to WPA, if mixed WPA+WPA2 networks have mismatch in
402 RSN IE, but WPA IE would match with wpa_supplicant configuration
403 * added support for named configuration blobs in order to avoid having
404 to use file system for external files (e.g., certificates);
405 variables can be set to "blob://<blob name>" instead of file path to
406 use a named blob; supported fields: pac_file, client_cert,
408 * fixed RSN pre-authentication (it was broken in the clean up of WPA
409 state machine interface in v0.4.5)
410 * driver_madwifi: set IEEE80211_KEY_GROUP flag for group keys to make
411 sure the driver configures broadcast decryption correctly
412 * added ca_path (and ca_path2) configuration variables that can be used
413 to configure OpenSSL CA path, e.g., /etc/ssl/certs, for using the
414 system-wide trusted CA list
415 * added support for starting wpa_supplicant without a configuration
416 file (-C argument must be used to set ctrl_interface parameter for
417 this case; in addition, -p argument can be used to provide
418 driver_param; these new arguments can also be used with a
419 configuration to override the values from the configuration)
420 * added global control interface that can be optionally used for adding
421 and removing network interfaces dynamically (-g command line argument
422 for both wpa_supplicant and wpa_cli) without having to restart
423 wpa_supplicant process
425 - try to save configuration whenever something is modified
426 - added WEP key configuration
427 - added possibility to edit the current network configuration
428 * driver_ndis: fixed driver polling not to increase frequency on each
429 received EAPOL frame due to incorrectly cancelled timeout
430 * added simple configuration file examples (in examples subdirectory)
431 * fixed driver_wext.c to filter wireless events based on ifindex to
432 avoid interfaces receiving events from other interfaces
433 * delay sending initial EAPOL-Start couple of seconds to speed up
434 authentication for the most common case of Authenticator starting
435 EAP authentication immediately after association
438 * added a workaround for clearing keys with ndiswrapper to allow
439 roaming from WPA enabled AP to plaintext one
440 * added docbook documentation (doc/docbook) that can be used to
441 generate, e.g., man pages
442 * l2_packet_linux: use socket type SOCK_DGRAM instead of SOCK_RAW for
443 PF_PACKET in order to prepare for network devices that do not use
444 Ethernet headers (e.g., network stack with native IEEE 802.11 frames)
445 * use receipt of EAPOL-Key frame as a lower layer success indication
446 for EAP state machine to allow recovery from dropped EAP-Success
448 * cleaned up internal EAPOL frame processing by not including link
449 layer (Ethernet) header during WPA and EAPOL/EAP processing; this
450 header is added only when transmitted the frame; this makes it easier
451 to use wpa_supplicant on link layers that use different header than
453 * updated EAP-PSK to use draft 9 by default since this can now be
454 tested with hostapd; removed support for draft 3, including
455 server_nai configuration option from network blocks
456 * driver_wired: add PAE address to the multicast address list in order
457 to be able to receive EAPOL frames with drivers that do not include
458 these multicast addresses by default
459 * driver_wext: add support for WE-19
460 * added support for multiple configuration backends (CONFIG_BACKEND
461 option); currently, only 'file' is supported (i.e., the format used
462 in wpa_supplicant.conf)
463 * added support for updating configuration ('wpa_cli save_config');
464 this is disabled by default and can be enabled with global
465 update_config=1 variable in wpa_supplicant.conf; this allows wpa_cli
466 and wpa_gui to store the configuration changes in a permanent store
467 * added GET_NETWORK ctrl_iface command
468 (e.g., 'wpa_cli get_network 0 ssid')
471 * replaced OpenSSL patch for EAP-FAST support
472 (openssl-tls-extensions.patch) with a more generic and correct
473 patch (the new patch is not compatible with the previous one, so the
474 OpenSSL library will need to be patched with the new patch in order
475 to be able to build wpa_supplicant with EAP-FAST support)
476 * added support for using Windows certificate store (through CryptoAPI)
477 for client certificate and private key operations (EAP-TLS)
478 (see wpa_supplicant.conf for more information on how to configure
479 this with private_key)
480 * ported wpa_gui to Windows
481 * added Qt4 version of wpa_gui (wpa_gui-qt4 directory); this can be
482 built with the open source version of the Qt4 for Windows
483 * allow non-WPA modes (e.g., IEEE 802.1X with dynamic WEP) to be used
484 with drivers that do not support WPA
485 * ndis_events: fixed Windows 2000 support
486 * added support for enabling/disabling networks from the list of all
487 configured networks ('wpa_cli enable_network <network id>' and
488 'wpa_cli disable_network <network id>')
489 * added support for adding and removing network from the current
490 configuration ('wpa_cli add_network' and 'wpa_cli remove_network
491 <network id>'); added networks are disabled by default and they can
492 be enabled with enable_network command once the configuration is done
493 for the new network; note: configuration file is not yet updated, so
494 these new networks are lost when wpa_supplicant is restarted
495 * added support for setting network configuration parameters through
496 the control interface, for example:
497 wpa_cli set_network 0 ssid "\"my network\""
498 * fixed parsing of strings that include both " and # within double
499 quoted area (e.g., "start"#end")
500 * added EAP workaround for PEAP session resumption: allow outer,
501 i.e., not tunneled, EAP-Success to terminate session since; this can
502 be disabled with eap_workaround=0
503 (this was allowed for PEAPv1 before, but now it is also allowed for
504 PEAPv0 since at least one RADIUS authentication server seems to be
505 doing this for PEAPv0, too)
506 * wpa_gui: added preliminary support for adding new networks to the
507 wpa_supplicant configuration (double click on the scan results to
508 open network configuration)
511 * removed interface for external EAPOL/EAP supplicant (e.g.,
512 Xsupplicant), (CONFIG_XSUPPLICANT_IFACE) since it is not required
513 anymore and is unlikely to be used by anyone
514 * driver_ndis: fixed WinPcap 3.0 support
515 * fixed build with CONFIG_DNET_PCAP=y on Linux
516 * l2_packet: moved different implementations into separate files
520 * driver_ipw: updated driver structures to match with ipw2200-1.0.4
521 (note: ipw2100-1.1.0 is likely to require an update to work with
523 * added support for using ap_scan=2 mode with multiple network blocks;
524 wpa_supplicant will go through the networks one by one until the
525 driver reports a successful association; this uses the same order for
526 networks as scan_ssid=1 scans, i.e., the priority field is ignored
527 and the network block order in the file is used instead
528 * fixed a potential issue in RSN pre-authentication ending up using
529 freed memory if pre-authentication times out
530 * added support for matching alternative subject name extensions of the
531 authentication server certificate; new configuration variables
532 altsubject_match and altsubject_match2
533 * driver_ndis: added support for IEEE 802.1X authentication with wired
535 * added support for querying private key password (EAP-TLS) through the
536 control interface (wpa_cli/wpa_gui) if one is not included in the
538 * driver_broadcom: fixed couple of memory leaks in scan result
540 * EAP-PAX is now registered as EAP type 46
541 * fixed EAP-PAX MAC calculation
542 * fixed EAP-PAX CK and ICK key derivation
543 * added support for using password with EAP-PAX (as an alternative to
544 entering key with eappsk); SHA-1 hash of the password will be used as
546 * added support for arbitrary driver interface parameters through the
547 configuration file with a new driver_param field; this adds a new
548 driver_ops function set_param()
549 * added possibility to override l2_packet module with driver interface
550 API (new send_eapol handler); this can be used to implement driver
551 specific TX/RX functions for EAPOL frames
552 * fixed ctrl_interface_group processing for the case where gid is
553 entered as a number, not group name
554 * driver_test: added support for testing hostapd with wpa_supplicant
555 by using test driver interface without any kernel drivers or network
559 * driver_madwifi: fixed WPA/WPA2 mode configuration to allow EAPOL
560 packets to be encrypted; this was apparently broken by the changed
561 ioctl order in v0.4.0
562 * driver_madwifi: added preliminary support for compiling against 'BSD'
563 branch of madwifi CVS tree
564 * added support for EAP-MSCHAPv2 password retries within the same EAP
565 authentication session
566 * added support for password changes with EAP-MSCHAPv2 (used when the
567 password has expired)
568 * added support for reading additional certificates from PKCS#12 files
569 and adding them to the certificate chain
570 * fixed association with IEEE 802.1X (no WPA) when dynamic WEP keys
572 * fixed a possible double free in EAP-TTLS fast-reauthentication when
573 identity or password is entered through control interface
574 * display EAP Notification messages to user through control interface
575 with "CTRL-EVENT-EAP-NOTIFICATION" prefix
576 * added GUI version of wpa_cli, wpa_gui; this is not build
577 automatically with 'make'; use 'make wpa_gui' to build (this requires
578 Qt development tools)
579 * added 'disconnect' command to control interface for setting
580 wpa_supplicant in state where it will not associate before
581 'reassociate' command has been used
582 * added support for selecting a network from the list of all configured
583 networks ('wpa_cli select_network <network id>'; this disabled all
584 other networks; to re-enable, 'wpa_cli select_network any')
585 * added support for getting scan results through control interface
586 * added EAP workaround for PEAPv1 session resumption: allow outer,
587 i.e., not tunneled, EAP-Success to terminate session since; this can
588 be disabled with eap_workaround=0
590 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
591 * added a new build time option, CONFIG_NO_STDOUT_DEBUG, that can be
592 used to reduce the size of the wpa_supplicant considerably if
593 debugging code is not needed
594 * fixed EAPOL-Key validation to drop packets with invalid Key Data
595 Length; such frames could have crashed wpa_supplicant due to buffer
597 * added support for wired authentication (IEEE 802.1X on wired
598 Ethernet); driver interface 'wired'
599 * obsoleted set_wpa() handler in the driver interface API (it can be
600 replaced by moving enable/disable functionality into init()/deinit())
601 (calls to set_wpa() are still present for backwards compatibility,
602 but they may be removed in the future)
603 * driver_madwifi: fixed association in plaintext mode
604 * modified the EAP workaround that accepts EAP-Success with incorrect
605 Identifier to be even less strict about verification in order to
606 interoperate with some authentication servers
607 * added support for sending TLS alerts
608 * added support for 'any' SSID wildcard; if ssid is not configured or
609 is set to an empty string, any SSID will be accepted for non-WPA AP
610 * added support for asking PIN (for SIM) from frontends (e.g.,
611 wpa_cli); if a PIN is needed, but not included in the configuration
612 file, a control interface request is sent and EAP processing is
613 delayed until the PIN is available
614 * added support for using external devices (e.g., a smartcard) for
615 private key operations in EAP-TLS (CONFIG_SMARTCARD=y in .config);
616 new wpa_supplicant.conf variables:
617 - global: opensc_engine_path, pkcs11_engine_path, pkcs11_module_path
618 - network: engine, engine_id, key_id
619 * added experimental support for EAP-PAX
620 * added monitor mode for wpa_cli (-a<path to a program to run>) that
621 allows external commands (e.g., shell scripts) to be run based on
622 wpa_supplicant events, e.g., when authentication has been completed
623 and data connection is ready; other related wpa_cli arguments:
624 -B (run in background), -P (write PID file); wpa_supplicant has a new
625 command line argument (-W) that can be used to make it wait until a
626 control interface command is received in order to avoid missing
628 * added support for opportunistic WPA2 PMKSA key caching (disabled by
629 default, can be enabled with proactive_key_caching=1)
630 * fixed RSN IE in 4-Way Handshake message 2/4 for the case where
631 Authenticator rejects PMKSA caching attempt and the driver is not
632 using assoc_info events
633 * added -P<pid file> argument for wpa_supplicant to write the current
634 process id into a file
636 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)
637 * added new phase1 option parameter, include_tls_length=1, to force
638 wpa_supplicant to add TLS Message Length field to all TLS messages
639 even if the packet is not fragmented; this may be needed with some
640 authentication servers
641 * fixed WPA/RSN IE verification in message 3 of 4-Way Handshake when
642 using drivers that take care of AP selection (e.g., when using
644 * fixed reprocessing of pending request after ctrl_iface requests for
645 identity/password/otp
646 * fixed ctrl_iface requests for identity/password/otp in Phase 2 of
647 EAP-PEAP and EAP-TTLS
648 * all drivers using driver_wext: set interface up and select Managed
649 mode when starting wpa_supplicant; set interface down when exiting
650 * renamed driver_ipw2100.c to driver_ipw.c since it now supports both
651 ipw2100 and ipw2200; please note that this also changed the
652 configuration variable in .config to CONFIG_DRIVER_IPW
655 * fixed a busy loop introduced in v0.3.5 for scan result processing
656 when no matching AP is found
659 * added a workaround for an interoperability issue with a Cisco AP
661 * fixed non-WPA IEEE 802.1X to use the same authentication timeout as
662 WPA with IEEE 802.1X (i.e., timeout 10 -> 70 sec to allow
663 retransmission of dropped frames)
664 * fixed issues with 64-bit CPUs and SHA1 cleanup in previous version
665 (e.g., segfault when processing EAPOL-Key frames)
666 * fixed EAP workaround and fast reauthentication configuration for
667 RSN pre-authentication; previously these were disabled and
668 pre-authentication would fail if the used authentication server
669 requires EAP workarounds
670 * added support for blacklisting APs that fail or timeout
671 authentication in ap_scan=1 mode so that all APs are tried in cases
672 where the ones with strongest signal level are failing authentication
673 * fixed CA certificate loading after a failed EAP-TLS/PEAP/TTLS
674 authentication attempt
675 * allow EAP-PEAP/TTLS fast reauthentication only if Phase 2 succeeded
676 in the previous authentication (previously, only Phase 1 success was
680 * added preliminary support for IBSS (ad-hoc) mode configuration
681 (mode=1 in network block); this included a new key_mgmt mode
682 WPA-NONE, i.e., TKIP or CCMP with a fixed key (based on psk) and no
683 key management; see wpa_supplicant.conf for more details and an
684 example on how to configure this (note: this is currently implemented
685 only for driver_hostapd.c, but the changes should be trivial to add
686 in associate() handler for other drivers, too (assuming the driver
688 * added preliminary port for native Windows (i.e., no cygwin) using
692 * added optional support for GNU Readline and History Libraries for
693 wpa_cli (CONFIG_READLINE)
694 * cleaned up EAP state machine <-> method interface and number of
695 small problems with error case processing not terminating on
696 EAP-Failure but waiting for timeout
697 * added couple of workarounds for interoperability issues with a
698 Cisco AP when using WPA2
699 * added support for EAP-FAST (draft-cam-winget-eap-fast-00.txt);
700 Note: This requires a patch for openssl to add support for TLS
701 extensions and number of workarounds for operations without
702 certificates. Proof of concept type of experimental patch is
703 included in openssl-tls-extensions.patch.
706 * fixed private key loading for cases where passphrase is not set
707 * fixed Windows/cygwin L2 packet handler freeing; previous version
708 could cause a segfault when RSN pre-authentication was completed
709 * added support for PMKSA caching with drivers that generate RSN IEs
710 (e.g., NDIS); currently, this is only implemented in driver_ndis.c,
711 but similar code can be easily added to driver_ndiswrapper.c once
712 ndiswrapper gets full support for RSN PMKSA caching
713 * improved recovery from PMKID mismatches by requesting full EAP
714 authentication in case of failed PMKSA caching attempt
715 * driver_ndis: added support for NDIS NdisMIncidateStatus() events
716 (this requires that ndis_events is ran while wpa_supplicant is
718 * driver_ndis: use ADD_WEP/REMOVE_WEP when configuring WEP keys
719 * added support for driver interfaces to replace the interface name
720 based on driver/OS specific mapping, e.g., in case of driver_ndis,
721 this allows the beginning of the adapter description to be used as
723 * added support for CR+LF (Windows-style) line ends in configuration
725 * driver_ndis: enable radio before starting scanning, disable radio
727 * modified association event handler to set portEnabled = FALSE before
728 clearing port Valid in order to reset EAP state machine and avoid
729 problems with new authentication getting ignored because of state
730 machines ending up in AUTHENTICATED/SUCCESS state based on old
732 * added support for driver events to add PMKID candidates in order to
733 allow drivers to give priority to most likely roaming candidates
734 * driver_hostap: moved PrivacyInvoked configuration to associate()
735 function so that this will not be set for plaintext connections
736 * added KEY_MGMT_802_1X_NO_WPA as a new key_mgmt type so that driver
737 interface can distinguish plaintext and IEEE 802.1X (no WPA)
739 * fixed static WEP key configuration to use broadcast/default type for
740 all keys (previously, the default TX key was configured as pairwise/
742 * driver_ndis: added legacy WPA capability detection for non-WPA2
744 * added support for setting static WEP keys for IEEE 802.1X without
745 dynamic WEP keying (eapol_flags=0)
748 * added support for reading PKCS#12 (PFX) files (as a replacement for
749 PEM/DER) to get certificate and private key (CONFIG_PKCS12)
750 * fixed compilation with CONFIG_PCSC=y
751 * added new ap_scan mode, ap_scan=2, for drivers that take care of
752 association, but need to be configured with security policy and SSID,
753 e.g., ndiswrapper and NDIS driver; this mode should allow such
754 drivers to work with hidden SSIDs and optimized roaming; when
755 ap_scan=2 is used, only the first network block in the configuration
756 file is used and this configuration should have explicit security
757 policy (i.e., only one option in the lists) for key_mgmt, pairwise,
758 group, proto variables
759 * added experimental port of wpa_supplicant for Windows
760 - driver_ndis.c driver interface (NDIS OIDs)
761 - currently, this requires cygwin and WinPcap
762 - small utility, win_if_list, can be used to get interface name
763 * control interface can now be removed at build time; add
764 CONFIG_CTRL_IFACE=y to .config to maintain old functionality
765 * optional Xsupplicant interface can now be removed at build time;
766 (CONFIG_XSUPPLICANT_IFACE=y in .config to bring it back)
767 * added auth_alg to driver interface associate() parameters to make it
768 easier for drivers to configure authentication algorithm as part of
771 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
772 * driver_broadcom: added new driver interface for Broadcom wl.o driver
773 (a generic driver for Broadcom IEEE 802.11a/g cards)
774 * wpa_cli: fixed parsing of -p <path> command line argument
775 * PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS
776 ACK, not tunneled EAP-Success (of which only the first byte was
777 actually send due to a bug in previous code); this seems to
778 interoperate with most RADIUS servers that implements PEAPv1
779 * PEAPv1: added support for terminating PEAP authentication on tunneled
780 EAP-Success message; this can be configured by adding
781 peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf
782 (some RADIUS servers require this whereas others require a tunneled
784 * PEAPv1: changed phase1 option peaplabel to use default to 0, i.e., to
785 the old label for key derivation; previously, the default was 1,
786 but it looks like most existing PEAPv1 implementations use the old
787 label which is thus more suitable default option
788 * added support for EAP-PSK (draft-bersani-eap-psk-03.txt)
789 * fixed parsing of wep_tx_keyidx
790 * added support for configuring list of allowed Phase 2 EAP types
791 (for both EAP-PEAP and EAP-TTLS) instead of only one type
792 * added support for configuring IEEE 802.11 authentication algorithm
793 (auth_alg; mainly for using Shared Key authentication with static
795 * added support for EAP-AKA (with UMTS SIM)
796 * fixed couple of errors in PCSC handling that could have caused
797 random-looking errors for EAP-SIM
798 * added support for EAP-SIM pseudonyms and fast re-authentication
799 * added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS
801 * added support for EAP-SIM with two challanges
802 (phase1="sim_min_num_chal=3" can be used to require three challenges)
803 * added support for configuring DH/DSA parameters for an ephemeral DH
804 key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters
805 dh_file and dh_file2 (phase 2); this adds support for using DSA keys
806 and optional DH key exchange to achieve forward secracy with RSA keys
807 * added support for matching subject of the authentication server
808 certificate with a substring when using EAP-TLS/PEAP/TTLS; new
809 configuration variables subject_match and subject_match2
810 * changed SSID configuration in driver_wext.c (used by many driver
811 interfaces) to use ssid_len+1 as the length for SSID since some Linux
813 * fixed couple of unaligned reads in scan result parsing to fix WPA
814 connection on some platforms (e.g., ARM)
815 * added driver interface for Intel ipw2100 driver
816 * added support for LEAP with WPA
817 * added support for larger scan results report (old limit was 4 kB of
818 data, i.e., about 35 or so APs) when using Linux wireless extensions
820 * fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start
821 only if there is a PMKSA cache entry for the current AP
822 * fixed error handling for case where reading of scan results fails:
823 must schedule a new scan or wpa_supplicant will remain waiting
825 * changed debug output to remove shared password/key material by
826 default; all key information can be included with -K command line
827 argument to match the previous behavior
828 * added support for timestamping debug log messages (disabled by
829 default, can be enabled with -t command line argument)
830 * set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104
831 if keys are not configured to be used; this fixes IEEE 802.1X mode
832 with drivers that use this information to configure whether Privacy
833 bit can be in Beacon frames (e.g., ndiswrapper)
834 * avoid clearing driver keys if no keys have been configured since last
835 key clear request; this seems to improve reliability of group key
836 handshake for ndiswrapper & NDIS driver which seems to be suffering
837 of some kind of timing issue when the keys are cleared again after
839 * changed driver interface API:
840 - WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which
841 version is being used (now, this is set to 2; previously, it was
843 - pass pointer to private data structure to all calls
844 - the new API is not backwards compatible; all in-tree driver
845 interfaces has been converted to the new API
846 * added support for controlling multiple interfaces (radios) per
847 wpa_supplicant process; each interface needs to be listed on the
848 command line (-c, -i, -D arguments) with -N as a separator
849 (-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi)
850 * added a workaround for EAP servers that incorrectly use same Id for
851 sequential EAP packets
852 * changed libpcap/libdnet configuration to use .config variable,
853 CONFIG_DNET_PCAP, instead of requiring Makefile modification
854 * improved downgrade attack detection in IE verification of msg 3/4:
855 verify both WPA and RSN IEs, if present, not only the selected one;
856 reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or
857 Probe Response frame, and RSN is enabled in wpa_supplicant
859 * fixed WPA msg 3/4 processing to allow Key Data field contain other
860 IEs than just one WPA IE
861 * added support for FreeBSD and driver interface for the BSD net80211
862 layer (CONFIG_DRIVER_BSD=y in .config); please note that some of the
863 required kernel mods have not yet been committed
864 * made EAP workarounds configurable; enabled by default, can be
865 disabled with network block option eap_workaround=0
867 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
868 * resolved couple of interoperability issues with EAP-PEAPv1 and
869 Phase 2 (inner EAP) fragment reassembly
870 * driver_madwifi: fixed WEP key configuration for IEEE 802.1X when the
871 AP is using non-zero key index for the unicast key and key index zero
872 for the broadcast key
873 * driver_hostap: fixed IEEE 802.1X WEP key updates and
874 re-authentication by allowing unencrypted EAPOL frames when not using
876 * added a new driver interface, 'wext', which uses only standard,
877 driver independent functionality in Linux wireless extensions;
878 currently, this can be used only for non-WPA IEEE 802.1X mode, but
879 eventually, this is to be extended to support full WPA/WPA2 once
880 Linux wireless extensions get support for this
881 * added support for mode in which the driver is responsible for AP
882 scanning and selection; this is disabled by default and can be
883 enabled with global ap_scan=0 variable in wpa_supplicant.conf;
884 this mode can be used, e.g., with generic 'wext' driver interface to
885 use wpa_supplicant as IEEE 802.1X Supplicant with any Linux driver
886 supporting wireless extensions.
887 * driver_madwifi: fixed WPA2 configuration and scan_ssid=1 (e.g.,
888 operation with an AP that does not include SSID in the Beacon frames)
889 * added support for new EAP authentication methods:
890 EAP-TTLS/EAP-OTP, EAP-PEAPv0/OTP, EAP-PEAPv1/OTP, EAP-OTP
891 * added support for asking one-time-passwords from frontends (e.g.,
892 wpa_cli); this 'otp' command works otherwise like 'password' command,
893 but the password is used only once and the frontend will be asked for
894 a new password whenever a request from authenticator requires a
895 password; this can be used with both EAP-OTP and EAP-GTC
896 * changed wpa_cli to automatically re-establish connection so that it
897 does not need to be re-started when wpa_supplicant is terminated and
899 * improved user data (identity/password/otp) requests through
900 frontends: process pending EAPOL packets after getting new
901 information so that full authentication does not need to be
902 restarted; in addition, send pending requests again whenever a new
904 * changed control frontends to use a new directory for socket files to
905 make it easier for wpa_cli to automatically select between interfaces
906 and to provide access control for the control interface;
907 wpa_supplicant.conf: ctrl_interface is now a path
908 (/var/run/wpa_supplicant is the recommended path) and
909 ctrl_interface_group can be used to select which group gets access to
910 the control interface;
911 wpa_cli: by default, try to connect to the first interface available
912 in /var/run/wpa_supplicant; this path can be overriden with -p option
913 and an interface can be selected with -i option (i.e., in most common
914 cases, wpa_cli does not need to get any arguments)
915 * added support for LEAP
916 * added driver interface for Linux ndiswrapper
917 * added priority option for network blocks in the configuration file;
918 this allows networks to be grouped based on priority (the scan
919 results are searched for matches with network blocks in this order)
922 * sort scan results to improve AP selection
923 * fixed control interface socket removal for some error cases
924 * improved scan requesting and authentication timeout
925 * small improvements/bug fixes for EAP-MSCHAPv2, EAP-PEAP, and
927 * PEAP version can now be forced with phase1="peapver=<ver>"
928 (mostly for testing; by default, the highest version supported by
929 both the Supplicant and Authentication Server is selected
931 * added support for madwifi driver (Atheros ar521x)
932 * added a workaround for cases where AP sets Install Tx/Rx bit for
933 WPA Group Key messages when pairwise keys are used (without this,
934 the Group Key would be used for Tx and the AP would drop frames
936 * added GSM SIM/USIM interface for GSM authentication algorithm for
937 EAP-SIM; this requires pcsc-lite
938 * added support for ATMEL AT76C5XXx driver
939 * fixed IEEE 802.1X WEP key derivation in the case where Authenticator
940 does not include key data in the EAPOL-Key frame (i.e., part of
941 EAP keying material is used as data encryption key)
942 * added support for using plaintext and static WEP networks
946 * added support for new EAP authentication methods:
947 EAP-TTLS/EAP-MD5-Challenge
949 EAP-TTLS/EAP-MSCHAPv2
957 EAP-PEAP/MD5-Challenge
959 EAP-SIM (not yet complete; needs GSM/SIM authentication interface)
960 * added support for anonymous identity (to be used when identity is
961 sent in plaintext; real identity will be used within TLS protected
962 tunnel (e.g., with EAP-TTLS)
963 * added event messages from wpa_supplicant to frontends, e.g., wpa_cli
964 * added support for requesting identity and password information using
965 control interface; in other words, the password for EAP-PEAP or
966 EAP-TTLS does not need to be included in the configuration file since
967 a frontand (e.g., wpa_cli) can ask it from the user
968 * improved RSN pre-authentication to use a candidate list and process
969 all candidates from each scan; not only one per scan
970 * fixed RSN IE and WPA IE capabilities field parsing
971 * ignore Tx bit in GTK IE when Pairwise keys are used
972 * avoid making new scan requests during IEEE 802.1X negotiation
973 * use openssl/libcrypto for MD5 and SHA-1 when compiling wpa_supplicant
974 with TLS support (this replaces the included implementation with
975 library code to save about 8 kB since the library code is needed
977 * fixed WPA-PSK only mode when compiled without IEEE 802.1X support
978 (i.e., without CONFIG_IEEE8021X_EAPOL=y in .config)
981 * added support for internal IEEE 802.1X (actually, IEEE 802.1aa/D6.1)
983 - EAPOL state machines for Supplicant [IEEE 802.1aa/D6.1]
984 - EAP peer state machine [draft-ietf-eap-statemachine-02.pdf]
985 - EAP-MD5 (cannot be used with WPA-RADIUS)
986 [draft-ietf-eap-rfc2284bis-09.txt]
988 - EAP-MSCHAPv2 (currently used only with EAP-PEAP)
989 - EAP-PEAP/MSCHAPv2 [draft-josefsson-pppext-eap-tls-eap-07.txt]
990 [draft-kamath-pppext-eap-mschapv2-00.txt]
991 (PEAP version 0, 1, and parts of 2; only 0 and 1 are enabled by
992 default; tested with FreeRADIUS, Microsoft IAS, and Funk Odyssey)
993 - new configuration file options: eap, identity, password, ca_cert,
994 client_cert, privatekey, private_key_passwd
995 - Xsupplicant is not required anymore, but it can be used by
996 disabling the internal IEEE 802.1X Supplicant with -e command line
998 - this code is not included in the default build; Makefile need to
999 be edited for this (uncomment lines for selected functionality)
1000 - EAP-TLS and EAP-PEAP require openssl libraries
1001 * use module prefix in debug messages (WPA, EAP, EAP-TLS, ..)
1002 * added support for non-WPA IEEE 802.1X mode with dynamic WEP keys
1003 (i.e., complete IEEE 802.1X/EAP authentication and use IEEE 802.1X
1004 EAPOL-Key frames instead of WPA key handshakes)
1005 * added support for IEEE 802.11i/RSN (WPA2)
1006 - improved PTK Key Handshake
1007 - PMKSA caching, pre-authentication
1008 * fixed wpa_supplicant to ignore possible extra data after WPA
1009 EAPOL-Key packets (this fixes 'Invalid EAPOL-Key MIC when using
1010 TPTK' error from message 3 of 4-Way Handshake in case the AP
1011 includes extra data after the EAPOL-Key)
1012 * added interface for external programs (frontends) to control
1014 - CLI example (wpa_cli) with interactive mode and command line
1016 - replaced SIGUSR1 status/statistics with the new control interface
1017 * made some feature compile time configurable
1018 - .config file for make
1019 - driver interfaces (hostap, hermes, ..)
1020 - EAPOL/EAP functions
1023 * Initial version of wpa_supplicant