Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE.

[FreeBSD/releng/7.2.git] / contrib / hostapd / ChangeLog

ChangeLog for hostapd

2008-02-19 - v0.5.10
        * fixed EAP-SIM and EAP-AKA message parser to validate attribute
          lengths properly to avoid potential crash caused by invalid messages
        * fixed Reassociation Response callback processing when using internal
          MLME (driver_{hostap,devicescape,test}.c)
        * fixed EAP-SIM/AKA realm processing to allow decorated usernames to
          be used
        * added a workaround for EAP-SIM/AKA peers that include incorrect null
          termination in the username
        * fixed EAP-SIM Start response processing for fast reauthentication
          case
        * copy optional Proxy-State attributes into RADIUS response when acting
          as a RADIUS authentication server

2007-12-02 - v0.5.9
        * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
          draft (draft-ietf-emu-eap-gpsk-07.txt)
        * fixed debugging code not to use potentially unaligned read to fetch
          IPv4 addresses

2007-05-28 - v0.5.8
        * updated driver_devicescape.c to build with the current
          wireless-dev.git tree and net/d80211 changes
        * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
          draft (draft-ietf-emu-eap-gpsk-03.txt)
        * fixed EAP-MSCHAPv2 server to use a space between S and M parameters
          in Success Request [Bug 203]
        * added support for sending EAP-AKA Notifications in error cases
        * RADIUS server: added support for processing duplicate messages
          (retransmissions from RADIUS client) by replying with the previous
          reply

2006-12-31 - v0.5.7
        * updated EAP-SAKE to RFC 4763 and the IANA-allocated EAP type 48
        * updated EAP-PSK to use the IANA-allocated EAP type 47
        * fixed EAP-PSK bit ordering of the Flags field
        * fixed configuration reloading (SIGHUP) to re-initialize WPA PSKs
          by reading wpa_psk_file [Bug 181]
        * fixed EAP-TTLS AVP parser processing for too short AVP lengths
        * fixed IPv6 connection to RADIUS accounting server

2006-11-24 - v0.5.6
        * added support for configuring and controlling multiple BSSes per
          radio interface (bss=<ifname> in hostapd.conf); this is only
          available with Devicescape and test driver interfaces
        * fixed PMKSA cache update in the end of successful RSN
          pre-authentication
        * added support for dynamic VLAN configuration (i.e., selecting VLAN-ID
          for each STA based on RADIUS Access-Accept attributes); this requires
          VLAN support from the kernel driver/802.11 stack and this is
          currently only available with Devicescape and test driver interfaces
        * driver_madwifi: fixed configuration of unencrypted modes (plaintext
          and IEEE 802.1X without WEP)
        * removed STAKey handshake since PeerKey handshake has replaced it in
          IEEE 802.11ma and there are no known deployments of STAKey
        * updated EAP Generalized Pre-Shared Key (EAP-GPSK) to use the latest
          draft (draft-ietf-emu-eap-gpsk-01.txt)
        * added preliminary implementation of IEEE 802.11w/D1.0 (management
          frame protection)
          (Note: this requires driver support to work properly.)
          (Note2: IEEE 802.11w is an unapproved draft and subject to change.)
        * hlr_auc_gw: added support for GSM-Milenage (for EAP-SIM)
        * hlr_auc_gw: added support for reading per-IMSI Milenage keys and
          parameters from a text file to make it possible to implement proper
          GSM/UMTS authentication server for multiple SIM/USIM cards using
          EAP-SIM/EAP-AKA
        * fixed session timeout processing with drivers that do not use
          ieee802_11.c (e.g., madwifi)

2006-08-27 - v0.5.5
        * added 'hostapd_cli new_sta <addr>' command for adding a new STA into
          hostapd (e.g., to initialize wired network authentication based on an
          external signal)
        * fixed hostapd to add PMKID KDE into 4-Way Handshake Message 1 when
          using WPA2 even if PMKSA caching is not used
        * added -P<pid file> argument for hostapd to write the current process
          id into a file
        * added support for RADIUS Authentication Server MIB (RFC 2619)

2006-06-20 - v0.5.4
        * fixed nt_password_hash build [Bug 144]
        * added PeerKey handshake implementation for IEEE 802.11e
          direct link setup (DLS) to replace STAKey handshake
        * added support for EAP Generalized Pre-Shared Key (EAP-GPSK,
          draft-clancy-emu-eap-shared-secret-00.txt)
        * fixed a segmentation fault when RSN pre-authentication was completed
          successfully [Bug 152]

2006-04-27 - v0.5.3
        * do not build nt_password_hash and hlr_auc_gw by default to avoid
          requiring a TLS library for a successful build; these programs can be
          build with 'make nt_password_hash' and 'make hlr_auc_gw'
        * added a new configuration option, eapol_version, that can be used to
          set EAPOL version to 1 (default is 2) to work around broken client
          implementations that drop EAPOL frames which use version number 2
          [Bug 89]
        * added support for EAP-SAKE (no EAP method number allocated yet, so
          this is using the same experimental type 255 as EAP-PSK)
        * fixed EAP-MSCHAPv2 message length validation

2006-03-19 - v0.5.2
        * fixed stdarg use in hostapd_logger(): if both stdout and syslog
          logging was enabled, hostapd could trigger a segmentation fault in
          vsyslog on some CPU -- C library combinations
        * moved HLR/AuC gateway implementation for EAP-SIM/AKA into an external
          program to make it easier to use for implementing real SS7 gateway;
          eap_sim_db is not anymore used as a file name for GSM authentication
          triplets; instead, it is path to UNIX domain socket that will be used
          to communicate with the external gateway program (e.g., hlr_auc_gw)
        * added example HLR/AuC gateway implementation, hlr_auc_gw, that uses
          local information (GSM authentication triplets from a text file and
          hardcoded AKA authentication data); this can be used to test EAP-SIM
          and EAP-AKA
        * added Milenage algorithm (example 3GPP AKA algorithm) to hlr_auc_gw
          to make it possible to test EAP-AKA with real USIM cards (this is
          disabled by default; define AKA_USE_MILENAGE when building hlr_auc_gw
          to enable this)
        * driver_madwifi: added support for getting station RSN IE from
          madwifi-ng svn r1453 and newer; this fixes RSN that was apparently
          broken with earlier change (r1357) in the driver
        * changed EAP method registration to use a dynamic list of methods
          instead of a static list generated at build time
        * fixed WPA message 3/4 not to encrypt Key Data field (WPA IE)
          [Bug 125]
        * added ap_max_inactivity configuration parameter

2006-01-29 - v0.5.1
        * driver_test: added better support for multiple APs and STAs by using
          a directory with sockets that include MAC address for each device in
          the name (test_socket=DIR:/tmp/test)
        * added support for EAP expanded type (vendor specific EAP methods)

2005-12-18 - v0.5.0 (beginning of 0.5.x development releases)
        * added experimental STAKey handshake implementation for IEEE 802.11e
          direct link setup (DLS); note: this is disabled by default in both
          build and runtime configuration (can be enabled with CONFIG_STAKEY=y
          and stakey=1)
        * added support for EAP methods to use callbacks to external programs
          by buffering a pending request and processing it after the EAP method
          is ready to continue
        * improved EAP-SIM database interface to allow external request to GSM
          HLR/AuC without blocking hostapd process
        * added support for using EAP-SIM pseudonyms and fast re-authentication
        * added support for EAP-AKA in the integrated EAP authenticator
        * added support for matching EAP identity prefixes (e.g., "1"*) in EAP
          user database to allow EAP-SIM/AKA selection without extra roundtrip
          for EAP-Nak negotiation
        * added support for storing EAP user password as NtPasswordHash instead
          of plaintext password when using MSCHAP or MSCHAPv2 for
          authentication (hash:<16-octet hex value>); added nt_password_hash
          tool for hashing password to generate NtPasswordHash

2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases)
        * driver_wired: fixed EAPOL sending to optionally use PAE group address
          as the destination instead of supplicant MAC address; this is
          disabled by default, but should be enabled with use_pae_group_addr=1
          in configuration file if the wired interface is used by only one
          device at the time (common switch configuration)
        * driver_madwifi: configure driver to use TKIP countermeasures in order
          to get correct behavior (IEEE 802.11 association failing; previously,
          association succeeded, but hostpad forced disassociation immediately)
        * driver_madwifi: added support for madwifi-ng

2005-10-27 - v0.4.6
        * added support for replacing user identity from EAP with RADIUS
          User-Name attribute from Access-Accept message, if that is included,
          for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get
          tunneled identity into accounting messages when the RADIUS server
          does not support better way of doing this with Class attribute)
        * driver_madwifi: fixed EAPOL packet receive for configuration where
          ath# is part of a bridge interface
        * added a configuration file and log analyzer script for logwatch
        * fixed EAPOL state machine step function to process all state
          transitions before processing new events; this resolves a race
          condition in which EAPOL-Start message could trigger hostapd to send
          two EAP-Response/Identity frames to the authentication server

2005-09-25 - v0.4.5
        * added client CA list to the TLS certificate request in order to make
          it easier for the client to select which certificate to use
        * added experimental support for EAP-PSK
        * added support for WE-19 (hostap, madwifi)

2005-08-21 - v0.4.4
        * fixed build without CONFIG_RSN_PREAUTH
        * fixed FreeBSD build

2005-06-26 - v0.4.3
        * fixed PMKSA caching to copy User-Name and Class attributes so that
          RADIUS accounting gets correct information
        * start RADIUS accounting only after successful completion of WPA
          4-Way Handshake if WPA-PSK is used
        * fixed PMKSA caching for the case where STA (re)associates without
          first disassociating

2005-06-12 - v0.4.2
        * EAP-PAX is now registered as EAP type 46
        * fixed EAP-PAX MAC calculation
        * fixed EAP-PAX CK and ICK key derivation
        * renamed eap_authenticator configuration variable to eap_server to
          better match with RFC 3748 (EAP) terminology
        * driver_test: added support for testing hostapd with wpa_supplicant
          by using test driver interface without any kernel drivers or network
          cards

2005-05-22 - v0.4.1
        * fixed RADIUS server initialization when only auth or acct server
          is configured and the other one is left empty
        * driver_madwifi: added support for RADIUS accounting
        * driver_madwifi: added preliminary support for compiling against 'BSD'
          branch of madwifi CVS tree
        * driver_madwifi: fixed pairwise key removal to allow WPA reauth
          without disassociation
        * added support for reading additional certificates from PKCS#12 files
          and adding them to the certificate chain
        * fixed RADIUS Class attribute processing to only use Access-Accept
          packets to update Class; previously, other RADIUS authentication
          packets could have cleared Class attribute
        * added support for more than one Class attribute in RADIUS packets
        * added support for verifying certificate revocation list (CRL) when
          using integrated EAP authenticator for EAP-TLS; new hostapd.conf
          options 'check_crl'; CRL must be included in the ca_cert file for now

2005-04-25 - v0.4.0 (beginning of 0.4.x development releases)
        * added support for including network information into
          EAP-Request/Identity message (ASCII-0 (nul) in eap_message)
          (e.g., to implement draft-adrange-eap-network-discovery-07.txt)
        * fixed a bug which caused some RSN pre-authentication cases to use
          freed memory and potentially crash hostapd
        * fixed private key loading for cases where passphrase is not set
        * added support for sending TLS alerts and aborting authentication
          when receiving a TLS alert
        * fixed WPA2 to add PMKSA cache entry when using integrated EAP
          authenticator
        * fixed PMKSA caching (EAP authentication was not skipped correctly
          with the new state machine changes from IEEE 802.1X draft)
        * added support for RADIUS over IPv6; own_ip_addr, auth_server_addr,
          and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs
          to be added to .config to include IPv6 support); for RADIUS server,
          radius_server_ipv6=1 needs to be set in hostapd.conf and addresses
          in RADIUS clients file can then use IPv6 format
        * added experimental support for EAP-PAX
        * replaced hostapd control interface library (hostapd_ctrl.[ch]) with
          the same implementation that wpa_supplicant is using (wpa_ctrl.[ch])

2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)

2005-01-23 - v0.3.5
        * added support for configuring a forced PEAP version based on the
          Phase 1 identity
        * fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV
          to terminate authentication
        * fixed EAP identifier duplicate processing with the new IEEE 802.1X
          draft
        * clear accounting data in the driver when starting a new accounting
          session
        * driver_madwifi: filter wireless events based on ifindex to allow more
          than one network interface to be used
        * fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt
          setting if the packet does not pass MIC verification (e.g., due to
          incorrect PSK); previously, message 1/4 was not tried again if an
          invalid message 2/4 was received
        * fixed reconfiguration of RADIUS client retransmission timer when
          adding a new message to the pending list; previously, timer was not
          updated at this point and if there was a pending message with long
          time for the next retry, the new message needed to wait that long for
          its first retry, too

2005-01-09 - v0.3.4
        * added support for configuring multiple allowed EAP types for Phase 2
          authentication (EAP-PEAP, EAP-TTLS)
        * fixed EAPOL-Start processing to trigger WPA reauthentication
          (previously, only EAPOL authentication was done)

2005-01-02 - v0.3.3
        * added support for EAP-PEAP in the integrated EAP authenticator
        * added support for EAP-GTC in the integrated EAP authenticator
        * added support for configuring list of EAP methods for Phase 1 so that
          the integrated EAP authenticator can, e.g., use the wildcard entry
          for EAP-TLS and EAP-PEAP
        * added support for EAP-TTLS in the integrated EAP authenticator
        * added support for EAP-SIM in the integrated EAP authenticator
        * added support for using hostapd as a RADIUS authentication server
          with the integrated EAP authenticator taking care of EAP
          authentication (new hostapd.conf options: radius_server_clients and
          radius_server_auth_port); this is not included in default build; use
          CONFIG_RADIUS_SERVER=y in .config to include

2004-12-19 - v0.3.2
        * removed 'daemonize' configuration file option since it has not really
          been used at all for more than year
        * driver_madwifi: fixed group key setup and added get_ssid method
        * added support for EAP-MSCHAPv2 in the integrated EAP authenticator

2004-12-12 - v0.3.1
        * added support for integrated EAP-TLS authentication (new hostapd.conf
          variables: ca_cert, server_cert, private_key, private_key_passwd);
          this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without
          external RADIUS server
        * added support for reading PKCS#12 (PFX) files (as a replacement for
          PEM/DER) to get certificate and private key (CONFIG_PKCS12)

2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
        * added support for Acct-{Input,Output}-Gigawords
        * added support for Event-Timestamp (in RADIUS Accounting-Requests)
        * added support for RADIUS Authentication Client MIB (RFC2618)
        * added support for RADIUS Accounting Client MIB (RFC2620)
        * made EAP re-authentication period configurable (eap_reauth_period)
        * fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication
        * fixed EAPOL state machine to stop if STA is removed during
          eapol_sm_step(); this fixes at least one segfault triggering bug with
          IEEE 802.11i pre-authentication
        * added support for multiple WPA pre-shared keys (e.g., one for each
          client MAC address or keys shared by a group of clients);
          new hostapd.conf field wpa_psk_file for setting path to a text file
          containing PSKs, see hostapd.wpa_psk for an example
        * added support for multiple driver interfaces to allow hostapd to be
          used with other drivers
        * added wired authenticator driver interface (driver=wired in
          hostapd.conf, see wired.conf for example configuration)
        * added madwifi driver interface (driver=madwifi in hostapd.conf, see
          madwifi.conf for example configuration; Note: include files from
          madwifi project is needed for building and a configuration file,
          .config, needs to be created in hostapd directory with
          CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd
          build)
        * fixed an alignment issue that could cause SHA-1 to fail on some
          platforms (e.g., Intel ixp425 with a compiler that does not 32-bit
          align variables)
        * fixed RADIUS reconnection after an error in sending interim
          accounting packets
        * added hostapd control interface for external programs and an example
          CLI, hostapd_cli (like wpa_cli for wpa_supplicant)
        * started adding dot11, dot1x, radius MIBs ('hostapd_cli mib',
          'hostapd_cli sta <addr>')
        * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11)
        * added support for strict GTK rekeying (wpa_strict_rekey in
          hostapd.conf)
        * updated IAPP to use UDP port 3517 and multicast address 224.0.1.178
          (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to
          IEEE 802.11F-2003)
        * added Prism54 driver interface (driver=prism54 in hostapd.conf;
          note: .config needs to be created in hostapd directory with
          CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd
          build)
        * dual-licensed hostapd (GPLv2 and BSD licenses)
        * fixed RADIUS accounting to generate a new session id for cases where
          a station reassociates without first being complete deauthenticated
        * fixed STA disassociation handler to mark next timeout state to
          deauthenticate the station, i.e., skip long wait for inactivity poll
          and extra disassociation, if the STA disassociates without
          deauthenticating
        * added integrated EAP authenticator that can be used instead of
          external RADIUS authentication server; currently, only EAP-MD5 is
          supported, so this cannot yet be used for key distribution; the EAP
          method interface is generic, though, so adding new EAP methods should
          be straightforward; new hostapd.conf variables: 'eap_authenticator'
          and 'eap_user_file'; this obsoletes "minimal authentication server"
          ('minimal_eap' in hostapd.conf) which is now removed
        * added support for FreeBSD and driver interface for the BSD net80211
          layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in
          .config); please note that some of the required kernel mods have not
          yet been committed

2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
        * fixed some accounting cases where Accounting-Start was sent when
          IEEE 802.1X port was being deauthorized

2004-06-20 - v0.2.3
        * modified RADIUS client to re-connect the socket in case of certain
          error codes that are generated when a network interface state is
          changes (e.g., when IP address changes or the interface is set UP)
        * fixed couple of cases where EAPOL state for a station was freed
          twice causing a segfault for hostapd
        * fixed couple of bugs in processing WPA deauthentication (freed data
          was used)

2004-05-31 - v0.2.2
        * fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM)
        * fixed group rekeying to send zero TSC in EAPOL-Key messages to fix
          cases where STAs dropped multicast frames as replay attacks
        * added support for copying RADIUS Attribute 'Class' from
          authentication messages into accounting messages
        * send canned EAP failure if RADIUS server sends Access-Reject without
          EAP message (previously, Supplicant was not notified in this case)
        * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do
          not start EAPOL state machines if the STA selected to use WPA-PSK)

2004-05-06 - v0.2.1
        * added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality
          - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA
            (i.e., IEEE 802.11i/D3.0)
          - supports WPA-only, RSN-only, and mixed WPA/RSN mode
          - both WPA-PSK and WPA-RADIUS/EAP are supported
          - PMKSA caching and pre-authentication
          - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase,
            wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey,
            rsn_preauth, rsn_preauth_interfaces
        * fixed interim accounting to remove any pending accounting messages
          to the STA before sending a new one

2004-02-15 - v0.2.0
        * added support for Acct-Interim-Interval:
          - draft-ietf-radius-acct-interim-01.txt
          - use Acct-Interim-Interval attribute from Access-Accept if local
            'radius_acct_interim_interval' is not set
          - allow different update intervals for each STA
        * fixed event loop to call signal handlers only after returning from
          the real signal handler
        * reset sta->timeout_next after successful association to make sure
          that the previously registered inactivity timer will not remove the
          STA immediately (e.g., if STA deauthenticates and re-associates
          before the timer is triggered).
        * added new hostapd.conf variable, nas_identifier, that can be used to
          add an optional RADIUS Attribute, NAS-Identifier, into authentication
          and accounting messages
        * added support for Accounting-On and Accounting-Off messages
        * fixed accounting session handling to send Accounting-Start only once
          per session and not to send Accounting-Stop if the session was not
          initialized properly
        * fixed Accounting-Stop statistics in cases where the message was
          previously sent after the kernel entry for the STA (and/or IEEE
          802.1X data) was removed


Note:

Older changes up to and including v0.1.0 are included in the ChangeLog
of the Host AP driver.