aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/ChangeLog
blob: 9f0a50514dd199c2a0b3ef646aab1b15bdb93ed1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
ChangeLog for wpa_supplicant

????-??-?? - v0.2.6
	* added driver interface for Intel ipw2100 driver
	* fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start
	  only if there is a PMKSA cache entry for the current AP
	* fixed error handling for case where reading of scan results fails:
	  must schedule a new scan or wpa_supplicant will remain waiting
	  forever
	* set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104
	  if keys are not configured to be used; this fixes IEEE 802.1X mode
	  with drivers that use this information to configure whether Privacy
	  bit can be in Beacon frames (e.g., ndiswrapper)
	* improved downgrade attack detection in IE verification of msg 3/4:
	  verify both WPA and RSN IEs, if present, not only the selected one;
	  reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or
	  Probe Response frame, and RSN is enabled in wpa_supplicant
	  configuration
	* fixed WPA msg 3/4 processing to allow Key Data field contain other
	  IEs than just one WPA IE
	* modified association event handler to set portEnabled = FALSE before
	  clearing port Valid in order to reset EAP state machine and avoid
	  problems with new authentication getting ignored because of state
	  machines ending up in AUTHENTICATED/SUCCESS state based on old
	  information

2004-10-03 - v0.2.5
	* wpa_cli: fixed parsing of -p <path> command line argument
	* fixed parsing of wep_tx_keyidx
	* fixed couple of errors in PCSC handling that could have caused
	  random-looking errors for EAP-SIM
	* PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS
	  ACK, not tunneled EAP-Success (of which only the first byte was
	  actually send due to a bug in previous code); this seems to
	  interoperate with most RADIUS servers that implements PEAPv1
	* PEAPv1: added support for terminating PEAP authentication on tunneled
	  EAP-Success message; this can be configured by adding
	  peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf
	  (some RADIUS servers require this whereas others require a tunneled
	  reply
	* PEAPv1: changed phase1 option peaplabel to use default to 0, i.e., to
	  the old label for key derivation; previously, the default was 1,
	  but it looks like most existing PEAPv1 implementations use the old
	  label which is thus more suitable default option
	* changed SSID configuration in driver_wext.c (used by many driver
	  interfaces) to use ssid_len+1 as the length for SSID since some Linux
	  drivers expect this
	* fixed couple of unaligned reads in scan result parsing to fix WPA
	  connection on some platforms (e.g., ARM)

2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
	* resolved couple of interoperability issues with EAP-PEAPv1 and
	  Phase 2 (inner EAP) fragment reassembly
	* driver_madwifi: fixed WEP key configuration for IEEE 802.1X when the
	  AP is using non-zero key index for the unicast key and key index zero
	  for the broadcast key
	* driver_hostap: fixed IEEE 802.1X WEP key updates and
	  re-authentication by allowing unencrypted EAPOL frames when not using
	  WPA
	* added a new driver interface, 'wext', which uses only standard,
	  driver independent functionality in Linux wireless extensions;
	  currently, this can be used only for non-WPA IEEE 802.1X mode, but
	  eventually, this is to be extended to support full WPA/WPA2 once
	  Linux wireless extensions get support for this
	* added support for mode in which the driver is responsible for AP
	  scanning and selection; this is disabled by default and can be
	  enabled with global ap_scan=0 variable in wpa_supplicant.conf;
	  this mode can be used, e.g., with generic 'wext' driver interface to
	  use wpa_supplicant as IEEE 802.1X Supplicant with any Linux driver
	  supporting wireless extensions.
	* driver_madwifi: fixed WPA2 configuration and scan_ssid=1 (e.g.,
	  operation with an AP that does not include SSID in the Beacon frames)
	* added support for new EAP authentication methods:
	  EAP-TTLS/EAP-OTP, EAP-PEAPv0/OTP, EAP-PEAPv1/OTP, EAP-OTP
	* added support for asking one-time-passwords from frontends (e.g.,
	  wpa_cli); this 'otp' command works otherwise like 'password' command,
	  but the password is used only once and the frontend will be asked for
	  a new password whenever a request from authenticator requires a
	  password; this can be used with both EAP-OTP and EAP-GTC
	* changed wpa_cli to automatically re-establish connection so that it
	  does not need to be re-started when wpa_supplicant is terminated and
	  started again
	* improved user data (identity/password/otp) requests through
	  frontends: process pending EAPOL packets after getting new
	  information so that full authentication does not need to be
	  restarted; in addition, send pending requests again whenever a new
	  frontend is attached
	* changed control frontends to use a new directory for socket files to
	  make it easier for wpa_cli to automatically select between interfaces
	  and to provide access control for the control interface;
	  wpa_supplicant.conf: ctrl_interface is now a path
	  (/var/run/wpa_supplicant is the recommended path) and
	  ctrl_interface_group can be used to select which group gets access to
	  the control interface;
	  wpa_cli: by default, try to connect to the first interface available
	  in /var/run/wpa_supplicant; this path can be overriden with -p option
	  and an interface can be selected with -i option (i.e., in most common
	  cases, wpa_cli does not need to get any arguments)
	* added support for LEAP
	* added driver interface for Linux ndiswrapper
	* added priority option for network blocks in the configuration file;
	  this allows networks to be grouped based on priority (the scan
	  results are searched for matches with network blocks in this order)

2004-06-20 - v0.2.3
	* sort scan results to improve AP selection
	* fixed control interface socket removal for some error cases
	* improved scan requesting and authentication timeout
	* small improvements/bug fixes for EAP-MSCHAPv2, EAP-PEAP, and
	  TLS processing
	* PEAP version can now be forced with phase1="peapver=<ver>"
	  (mostly for testing; by default, the highest version supported by
	  both the Supplicant and Authentication Server is selected
	  automatically)
	* added support for madwifi driver (Atheros ar521x)
	* added a workaround for cases where AP sets Install Tx/Rx bit for
	  WPA Group Key messages when pairwise keys are used (without this,
	  the Group Key would be used for Tx and the AP would drop frames
	  from the station)
	* added GSM SIM/USIM interface for GSM authentication algorithm for
	  EAP-SIM; this requires pcsc-lite
	* added support for ATMEL AT76C5XXx driver
	* fixed IEEE 802.1X WEP key derivation in the case where Authenticator
	  does not include key data in the EAPOL-Key frame (i.e., part of
	  EAP keying material is used as data encryption key)
	* added support for using plaintext and static WEP networks
	  (key_mgmt=NONE)

2004-05-31 - v0.2.2
	* added support for new EAP authentication methods:
	  EAP-TTLS/EAP-MD5-Challenge
	  EAP-TTLS/EAP-GTC
	  EAP-TTLS/EAP-MSCHAPv2
	  EAP-TTLS/EAP-TLS
	  EAP-TTLS/MSCHAPv2
	  EAP-TTLS/MSCHAP
	  EAP-TTLS/PAP
	  EAP-TTLS/CHAP
	  EAP-PEAP/TLS
	  EAP-PEAP/GTC
	  EAP-PEAP/MD5-Challenge
	  EAP-GTC
	  EAP-SIM (not yet complete; needs GSM/SIM authentication interface)
	* added support for anonymous identity (to be used when identity is
	  sent in plaintext; real identity will be used within TLS protected
	  tunnel (e.g., with EAP-TTLS)
	* added event messages from wpa_supplicant to frontends, e.g., wpa_cli
	* added support for requesting identity and password information using
	  control interface; in other words, the password for EAP-PEAP or
	  EAP-TTLS does not need to be included in the configuration file since
	  a frontand (e.g., wpa_cli) can ask it from the user
	* improved RSN pre-authentication to use a candidate list and process
	  all candidates from each scan; not only one per scan
	* fixed RSN IE and WPA IE capabilities field parsing
	* ignore Tx bit in GTK IE when Pairwise keys are used
	* avoid making new scan requests during IEEE 802.1X negotiation
	* use openssl/libcrypto for MD5 and SHA-1 when compiling wpa_supplicant
	  with TLS support (this replaces the included implementation with
	  library code to save about 8 kB since the library code is needed
	  anyway for TLS)
	* fixed WPA-PSK only mode when compiled without IEEE 802.1X support
	  (i.e., without CONFIG_IEEE8021X_EAPOL=y in .config)

2004-05-06 - v0.2.1
	* added support for internal IEEE 802.1X (actually, IEEE 802.1aa/D6.1)
	  Supplicant
	  - EAPOL state machines for Supplicant [IEEE 802.1aa/D6.1]
	  - EAP peer state machine [draft-ietf-eap-statemachine-02.pdf]
	  - EAP-MD5 (cannot be used with WPA-RADIUS)
	    [draft-ietf-eap-rfc2284bis-09.txt]
	  - EAP-TLS [RFC 2716]
	  - EAP-MSCHAPv2 (currently used only with EAP-PEAP)
	  - EAP-PEAP/MSCHAPv2 [draft-josefsson-pppext-eap-tls-eap-07.txt]
	    [draft-kamath-pppext-eap-mschapv2-00.txt]
	    (PEAP version 0, 1, and parts of 2; only 0 and 1 are enabled by
	    default; tested with FreeRADIUS, Microsoft IAS, and Funk Odyssey)
	  - new configuration file options: eap, identity, password, ca_cert,
	    client_cert, privatekey, private_key_passwd
	  - Xsupplicant is not required anymore, but it can be used by
	    disabling the internal IEEE 802.1X Supplicant with -e command line
	    option
	  - this code is not included in the default build; Makefile need to
	    be edited for this (uncomment lines for selected functionality)
	  - EAP-TLS and EAP-PEAP require openssl libraries
	* use module prefix in debug messages (WPA, EAP, EAP-TLS, ..)
	* added support for non-WPA IEEE 802.1X mode with dynamic WEP keys
	  (i.e., complete IEEE 802.1X/EAP authentication and use IEEE 802.1X
	   EAPOL-Key frames instead of WPA key handshakes)
	* added support for IEEE 802.11i/RSN (WPA2)
	  - improved PTK Key Handshake
	  - PMKSA caching, pre-authentication
	* fixed wpa_supplicant to ignore possible extra data after WPA
	  EAPOL-Key packets (this fixes 'Invalid EAPOL-Key MIC when using
	  TPTK' error from message 3 of 4-Way Handshake in case the AP
	  includes extra data after the EAPOL-Key)
	* added interface for external programs (frontends) to control
	  wpa_supplicant
	  - CLI example (wpa_cli) with interactive mode and command line
	    mode
	  - replaced SIGUSR1 status/statistics with the new control interface
	* made some feature compile time configurable
	  - .config file for make
	  - driver interfaces (hostap, hermes, ..)
	  - EAPOL/EAP functions

2004-02-15 - v0.2.0
	* Initial version of wpa_supplicant