aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/ChangeLog
blob: 09d5b61215519831e8618b4e7e2cdf38fbd0d97a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
ChangeLog for wpa_supplicant

2005-06-10 - v0.3.9
	* modified the EAP workaround that accepts EAP-Success with incorrect
	  Identifier to be even less strict about verification in order to
	  interoperate with some authentication servers
	* fixed RSN IE in 4-Way Handshake message 2/4 for the case where
	  Authenticator rejects PMKSA caching attempt and the driver is not
	  using assoc_info events
	* fixed a possible double free in EAP-TTLS fast-reauthentication when
	  identity or password is entered through control interface
	* added -P<pid file> argument for wpa_supplicant to write the current
	  process id into a file
	* driver_madwifi: fixed association in plaintext mode
	* driver_madwifi: added preliminary support for compiling against 'BSD'
	  branch of madwifi CVS tree
	* added EAP workaround for PEAPv1 session resumption: allow outer,
	  i.e., not tunneled, EAP-Success to terminate session since; this can
	  be disabled with eap_workaround=0
	* driver_ipw: updated driver structures to match with ipw2200-1.0.4
	  (note: ipw2100-1.1.0 is likely to require an update to work with
	  this)
	* driver_broadcom: fixed couple of memory leaks in scan result
	  processing

2005-02-13 - v0.3.8
	* fixed EAPOL-Key validation to drop packets with invalid Key Data
	  Length; such frames could have crashed wpa_supplicant due to buffer
	  overflow

2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases)
	* added new phase1 option parameter, include_tls_length=1, to force
	  wpa_supplicant to add TLS Message Length field to all TLS messages
	  even if the packet is not fragmented; this may be needed with some
	  authentication servers
	* fixed WPA/RSN IE verification in message 3 of 4-Way Handshake when
	  using drivers that take care of AP selection (e.g., when using
	  ap_scan=2)
	* fixed reprocessing of pending request after ctrl_iface requests for
	  identity/password/otp
	* fixed ctrl_iface requests for identity/password/otp in Phase 2 of
	  EAP-PEAP and EAP-TTLS
	* all drivers using driver_wext: set interface up and select Managed
	  mode when starting wpa_supplicant; set interface down when exiting
	* renamed driver_ipw2100.c to driver_ipw.c since it now supports both
	  ipw2100 and ipw2200; please note that this also changed the
	  configuration variable in .config to CONFIG_DRIVER_IPW

2005-01-24 - v0.3.6
	* fixed a busy loop introduced in v0.3.5 for scan result processing
	  when no matching AP is found

2005-01-23 - v0.3.5
	* added a workaround for an interoperability issue with a Cisco AP
	  when using WPA2-PSK
	* fixed non-WPA IEEE 802.1X to use the same authentication timeout as
	  WPA with IEEE 802.1X (i.e., timeout 10 -> 70 sec to allow
	  retransmission of dropped frames)
	* fixed issues with 64-bit CPUs and SHA1 cleanup in previous version
	  (e.g., segfault when processing EAPOL-Key frames)
	* fixed EAP workaround and fast reauthentication configuration for
	  RSN pre-authentication; previously these were disabled and
	  pre-authentication would fail if the used authentication server
	  requires EAP workarounds
	* added support for blacklisting APs that fail or timeout
	  authentication in ap_scan=1 mode so that all APs are tried in cases
	  where the ones with strongest signal level are failing authentication
	* fixed CA certificate loading after a failed EAP-TLS/PEAP/TTLS
	  authentication attempt
	* allow EAP-PEAP/TTLS fast reauthentication only if Phase 2 succeeded
	  in the previous authentication (previously, only Phase 1 success was
	  verified)

2005-01-09 - v0.3.4
	* added preliminary support for IBSS (ad-hoc) mode configuration
	  (mode=1 in network block); this included a new key_mgmt mode
	  WPA-NONE, i.e., TKIP or CCMP with a fixed key (based on psk) and no
	  key management; see wpa_supplicant.conf for more details and an
	  example on how to configure this (note: this is currently implemented
	  only for driver_hostapd.c, but the changes should be trivial to add
	  in associate() handler for other drivers, too (assuming the driver
	  supports WPA-None)
	* added preliminary port for native Windows (i.e., no cygwin) using
	  mingw

2005-01-02 - v0.3.3
	* added optional support for GNU Readline and History Libraries for
	  wpa_cli (CONFIG_READLINE)
	* cleaned up EAP state machine <-> method interface and number of
	  small problems with error case processing not terminating on
	  EAP-Failure but waiting for timeout
	* added couple of workarounds for interoperability issues with a
	  Cisco AP when using WPA2
	* added support for EAP-FAST (draft-cam-winget-eap-fast-00.txt);
	  Note: This requires a patch for openssl to add support for TLS
	  extensions and number of workarounds for operations without
	  certificates. Proof of concept type of experimental patch is
	  included in openssl-tls-extensions.patch.

2004-12-19 - v0.3.2
	* fixed private key loading for cases where passphrase is not set
	* fixed Windows/cygwin L2 packet handler freeing; previous version
	  could cause a segfault when RSN pre-authentication was completed
	* added support for PMKSA caching with drivers that generate RSN IEs
	  (e.g., NDIS); currently, this is only implemented in driver_ndis.c,
	  but similar code can be easily added to driver_ndiswrapper.c once
	  ndiswrapper gets full support for RSN PMKSA caching
	* improved recovery from PMKID mismatches by requesting full EAP
	  authentication in case of failed PMKSA caching attempt
	* driver_ndis: added support for NDIS NdisMIncidateStatus() events
	  (this requires that ndis_events is ran while wpa_supplicant is
	  running)
	* driver_ndis: use ADD_WEP/REMOVE_WEP when configuring WEP keys
	* added support for driver interfaces to replace the interface name
	  based on driver/OS specific mapping, e.g., in case of driver_ndis,
	  this allows the beginning of the adapter description to be used as
	  the interface name
	* added support for CR+LF (Windows-style) line ends in configuration
	  file
	* driver_ndis: enable radio before starting scanning, disable radio
	  when exiting
	* modified association event handler to set portEnabled = FALSE before
	  clearing port Valid in order to reset EAP state machine and avoid
	  problems with new authentication getting ignored because of state
	  machines ending up in AUTHENTICATED/SUCCESS state based on old
	  information
	* added support for driver events to add PMKID candidates in order to
	  allow drivers to give priority to most likely roaming candidates
	* driver_hostap: moved PrivacyInvoked configuration to associate()
	  function so that this will not be set for plaintext connections
	* added KEY_MGMT_802_1X_NO_WPA as a new key_mgmt type so that driver
	  interface can distinguish plaintext and IEEE 802.1X (no WPA)
	  authentication
	* fixed static WEP key configuration to use broadcast/default type for
	  all keys (previously, the default TX key was configured as pairwise/
	  unicast key)
	* driver_ndis: added legacy WPA capability detection for non-WPA2
	  drivers
	* added support for setting static WEP keys for IEEE 802.1X without
	  dynamic WEP keying (eapol_flags=0)

2004-12-12 - v0.3.1
	* added support for reading PKCS#12 (PFX) files (as a replacement for
	  PEM/DER) to get certificate and private key (CONFIG_PKCS12)
	* fixed compilation with CONFIG_PCSC=y
	* added new ap_scan mode, ap_scan=2, for drivers that take care of
	  association, but need to be configured with security policy and SSID,
	  e.g., ndiswrapper and NDIS driver; this mode should allow such
	  drivers to work with hidden SSIDs and optimized roaming; when
	  ap_scan=2 is used, only the first network block in the configuration
	  file is used and this configuration should have explicit security
	  policy (i.e., only one option in the lists) for key_mgmt, pairwise,
	  group, proto variables
	* added experimental port of wpa_supplicant for Windows
	  - driver_ndis.c driver interface (NDIS OIDs)
	  - currently, this requires cygwin and WinPcap
	  - small utility, win_if_list, can be used to get interface name
	* control interface can now be removed at build time; add
	  CONFIG_CTRL_IFACE=y to .config to maintain old functionality
	* optional Xsupplicant interface can now be removed at build time;
	  (CONFIG_XSUPPLICANT_IFACE=y in .config to bring it back)
	* added auth_alg to driver interface associate() parameters to make it
	  easier for drivers to configure authentication algorithm as part of
	  the association

2004-12-05 - v0.3.0 (beginning of 0.3.x development releases)
	* driver_broadcom: added new driver interface for Broadcom wl.o driver
	  (a generic driver for Broadcom IEEE 802.11a/g cards)
	* wpa_cli: fixed parsing of -p <path> command line argument
	* PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS
	  ACK, not tunneled EAP-Success (of which only the first byte was
	  actually send due to a bug in previous code); this seems to
	  interoperate with most RADIUS servers that implements PEAPv1
	* PEAPv1: added support for terminating PEAP authentication on tunneled
	  EAP-Success message; this can be configured by adding
	  peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf
	  (some RADIUS servers require this whereas others require a tunneled
	  reply
	* PEAPv1: changed phase1 option peaplabel to use default to 0, i.e., to
	  the old label for key derivation; previously, the default was 1,
	  but it looks like most existing PEAPv1 implementations use the old
	  label which is thus more suitable default option
	* added support for EAP-PSK (draft-bersani-eap-psk-03.txt)
	* fixed parsing of wep_tx_keyidx
	* added support for configuring list of allowed Phase 2 EAP types
	  (for both EAP-PEAP and EAP-TTLS) instead of only one type
	* added support for configuring IEEE 802.11 authentication algorithm
	  (auth_alg; mainly for using Shared Key authentication with static
	  WEP keys)
	* added support for EAP-AKA (with UMTS SIM)
	* fixed couple of errors in PCSC handling that could have caused
	  random-looking errors for EAP-SIM
	* added support for EAP-SIM pseudonyms and fast re-authentication
	* added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS
	  session resumption)
	* added support for EAP-SIM with two challanges
	  (phase1="sim_min_num_chal=3" can be used to require three challenges)
	* added support for configuring DH/DSA parameters for an ephemeral DH
	  key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters
	  dh_file and dh_file2 (phase 2); this adds support for using DSA keys
	  and optional DH key exchange to achieve forward secracy with RSA keys
	* added support for matching subject of the authentication server
	  certificate with a substring when using EAP-TLS/PEAP/TTLS; new
	  configuration variables subject_match and subject_match2
	* changed SSID configuration in driver_wext.c (used by many driver
	  interfaces) to use ssid_len+1 as the length for SSID since some Linux
	  drivers expect this
	* fixed couple of unaligned reads in scan result parsing to fix WPA
	  connection on some platforms (e.g., ARM)
	* added driver interface for Intel ipw2100 driver
	* added support for LEAP with WPA
	* added support for larger scan results report (old limit was 4 kB of
	  data, i.e., about 35 or so APs) when using Linux wireless extensions
	  v17 or newer
	* fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start
	  only if there is a PMKSA cache entry for the current AP
	* fixed error handling for case where reading of scan results fails:
	  must schedule a new scan or wpa_supplicant will remain waiting
	  forever
	* changed debug output to remove shared password/key material by
	  default; all key information can be included with -K command line
	  argument to match the previous behavior
	* added support for timestamping debug log messages (disabled by
	  default, can be enabled with -t command line argument)
	* set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104
	  if keys are not configured to be used; this fixes IEEE 802.1X mode
	  with drivers that use this information to configure whether Privacy
	  bit can be in Beacon frames (e.g., ndiswrapper)
	* avoid clearing driver keys if no keys have been configured since last
	  key clear request; this seems to improve reliability of group key
	  handshake for ndiswrapper & NDIS driver which seems to be suffering
	  of some kind of timing issue when the keys are cleared again after
	  association
	* changed driver interface API:
	  - WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which
	    version is being used (now, this is set to 2; previously, it was
	    not defined)
	  - pass pointer to private data structure to all calls
	  - the new API is not backwards compatible; all in-tree driver
	    interfaces has been converted to the new API
	* added support for controlling multiple interfaces (radios) per
	  wpa_supplicant process; each interface needs to be listed on the
	  command line (-c, -i, -D arguments) with -N as a separator
	  (-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi)
	* added a workaround for EAP servers that incorrectly use same Id for
	  sequential EAP packets
	* changed libpcap/libdnet configuration to use .config variable,
	  CONFIG_DNET_PCAP, instead of requiring Makefile modification
	* improved downgrade attack detection in IE verification of msg 3/4:
	  verify both WPA and RSN IEs, if present, not only the selected one;
	  reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or
	  Probe Response frame, and RSN is enabled in wpa_supplicant
	  configuration
	* fixed WPA msg 3/4 processing to allow Key Data field contain other
	  IEs than just one WPA IE
	* added support for FreeBSD and driver interface for the BSD net80211
	  layer (CONFIG_DRIVER_BSD=y in .config); please note that some of the
	  required kernel mods have not yet been committed
	* made EAP workarounds configurable; enabled by default, can be
	  disabled with network block option eap_workaround=0

2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases)
	* resolved couple of interoperability issues with EAP-PEAPv1 and
	  Phase 2 (inner EAP) fragment reassembly
	* driver_madwifi: fixed WEP key configuration for IEEE 802.1X when the
	  AP is using non-zero key index for the unicast key and key index zero
	  for the broadcast key
	* driver_hostap: fixed IEEE 802.1X WEP key updates and
	  re-authentication by allowing unencrypted EAPOL frames when not using
	  WPA
	* added a new driver interface, 'wext', which uses only standard,
	  driver independent functionality in Linux wireless extensions;
	  currently, this can be used only for non-WPA IEEE 802.1X mode, but
	  eventually, this is to be extended to support full WPA/WPA2 once
	  Linux wireless extensions get support for this
	* added support for mode in which the driver is responsible for AP
	  scanning and selection; this is disabled by default and can be
	  enabled with global ap_scan=0 variable in wpa_supplicant.conf;
	  this mode can be used, e.g., with generic 'wext' driver interface to
	  use wpa_supplicant as IEEE 802.1X Supplicant with any Linux driver
	  supporting wireless extensions.
	* driver_madwifi: fixed WPA2 configuration and scan_ssid=1 (e.g.,
	  operation with an AP that does not include SSID in the Beacon frames)
	* added support for new EAP authentication methods:
	  EAP-TTLS/EAP-OTP, EAP-PEAPv0/OTP, EAP-PEAPv1/OTP, EAP-OTP
	* added support for asking one-time-passwords from frontends (e.g.,
	  wpa_cli); this 'otp' command works otherwise like 'password' command,
	  but the password is used only once and the frontend will be asked for
	  a new password whenever a request from authenticator requires a
	  password; this can be used with both EAP-OTP and EAP-GTC
	* changed wpa_cli to automatically re-establish connection so that it
	  does not need to be re-started when wpa_supplicant is terminated and
	  started again
	* improved user data (identity/password/otp) requests through
	  frontends: process pending EAPOL packets after getting new
	  information so that full authentication does not need to be
	  restarted; in addition, send pending requests again whenever a new
	  frontend is attached
	* changed control frontends to use a new directory for socket files to
	  make it easier for wpa_cli to automatically select between interfaces
	  and to provide access control for the control interface;
	  wpa_supplicant.conf: ctrl_interface is now a path
	  (/var/run/wpa_supplicant is the recommended path) and
	  ctrl_interface_group can be used to select which group gets access to
	  the control interface;
	  wpa_cli: by default, try to connect to the first interface available
	  in /var/run/wpa_supplicant; this path can be overriden with -p option
	  and an interface can be selected with -i option (i.e., in most common
	  cases, wpa_cli does not need to get any arguments)
	* added support for LEAP
	* added driver interface for Linux ndiswrapper
	* added priority option for network blocks in the configuration file;
	  this allows networks to be grouped based on priority (the scan
	  results are searched for matches with network blocks in this order)

2004-06-20 - v0.2.3
	* sort scan results to improve AP selection
	* fixed control interface socket removal for some error cases
	* improved scan requesting and authentication timeout
	* small improvements/bug fixes for EAP-MSCHAPv2, EAP-PEAP, and
	  TLS processing
	* PEAP version can now be forced with phase1="peapver=<ver>"
	  (mostly for testing; by default, the highest version supported by
	  both the Supplicant and Authentication Server is selected
	  automatically)
	* added support for madwifi driver (Atheros ar521x)
	* added a workaround for cases where AP sets Install Tx/Rx bit for
	  WPA Group Key messages when pairwise keys are used (without this,
	  the Group Key would be used for Tx and the AP would drop frames
	  from the station)
	* added GSM SIM/USIM interface for GSM authentication algorithm for
	  EAP-SIM; this requires pcsc-lite
	* added support for ATMEL AT76C5XXx driver
	* fixed IEEE 802.1X WEP key derivation in the case where Authenticator
	  does not include key data in the EAPOL-Key frame (i.e., part of
	  EAP keying material is used as data encryption key)
	* added support for using plaintext and static WEP networks
	  (key_mgmt=NONE)

2004-05-31 - v0.2.2
	* added support for new EAP authentication methods:
	  EAP-TTLS/EAP-MD5-Challenge
	  EAP-TTLS/EAP-GTC
	  EAP-TTLS/EAP-MSCHAPv2
	  EAP-TTLS/EAP-TLS
	  EAP-TTLS/MSCHAPv2
	  EAP-TTLS/MSCHAP
	  EAP-TTLS/PAP
	  EAP-TTLS/CHAP
	  EAP-PEAP/TLS
	  EAP-PEAP/GTC
	  EAP-PEAP/MD5-Challenge
	  EAP-GTC
	  EAP-SIM (not yet complete; needs GSM/SIM authentication interface)
	* added support for anonymous identity (to be used when identity is
	  sent in plaintext; real identity will be used within TLS protected
	  tunnel (e.g., with EAP-TTLS)
	* added event messages from wpa_supplicant to frontends, e.g., wpa_cli
	* added support for requesting identity and password information using
	  control interface; in other words, the password for EAP-PEAP or
	  EAP-TTLS does not need to be included in the configuration file since
	  a frontand (e.g., wpa_cli) can ask it from the user
	* improved RSN pre-authentication to use a candidate list and process
	  all candidates from each scan; not only one per scan
	* fixed RSN IE and WPA IE capabilities field parsing
	* ignore Tx bit in GTK IE when Pairwise keys are used
	* avoid making new scan requests during IEEE 802.1X negotiation
	* use openssl/libcrypto for MD5 and SHA-1 when compiling wpa_supplicant
	  with TLS support (this replaces the included implementation with
	  library code to save about 8 kB since the library code is needed
	  anyway for TLS)
	* fixed WPA-PSK only mode when compiled without IEEE 802.1X support
	  (i.e., without CONFIG_IEEE8021X_EAPOL=y in .config)

2004-05-06 - v0.2.1
	* added support for internal IEEE 802.1X (actually, IEEE 802.1aa/D6.1)
	  Supplicant
	  - EAPOL state machines for Supplicant [IEEE 802.1aa/D6.1]
	  - EAP peer state machine [draft-ietf-eap-statemachine-02.pdf]
	  - EAP-MD5 (cannot be used with WPA-RADIUS)
	    [draft-ietf-eap-rfc2284bis-09.txt]
	  - EAP-TLS [RFC 2716]
	  - EAP-MSCHAPv2 (currently used only with EAP-PEAP)
	  - EAP-PEAP/MSCHAPv2 [draft-josefsson-pppext-eap-tls-eap-07.txt]
	    [draft-kamath-pppext-eap-mschapv2-00.txt]
	    (PEAP version 0, 1, and parts of 2; only 0 and 1 are enabled by
	    default; tested with FreeRADIUS, Microsoft IAS, and Funk Odyssey)
	  - new configuration file options: eap, identity, password, ca_cert,
	    client_cert, privatekey, private_key_passwd
	  - Xsupplicant is not required anymore, but it can be used by
	    disabling the internal IEEE 802.1X Supplicant with -e command line
	    option
	  - this code is not included in the default build; Makefile need to
	    be edited for this (uncomment lines for selected functionality)
	  - EAP-TLS and EAP-PEAP require openssl libraries
	* use module prefix in debug messages (WPA, EAP, EAP-TLS, ..)
	* added support for non-WPA IEEE 802.1X mode with dynamic WEP keys
	  (i.e., complete IEEE 802.1X/EAP authentication and use IEEE 802.1X
	   EAPOL-Key frames instead of WPA key handshakes)
	* added support for IEEE 802.11i/RSN (WPA2)
	  - improved PTK Key Handshake
	  - PMKSA caching, pre-authentication
	* fixed wpa_supplicant to ignore possible extra data after WPA
	  EAPOL-Key packets (this fixes 'Invalid EAPOL-Key MIC when using
	  TPTK' error from message 3 of 4-Way Handshake in case the AP
	  includes extra data after the EAPOL-Key)
	* added interface for external programs (frontends) to control
	  wpa_supplicant
	  - CLI example (wpa_cli) with interactive mode and command line
	    mode
	  - replaced SIGUSR1 status/statistics with the new control interface
	* made some feature compile time configurable
	  - .config file for make
	  - driver interfaces (hostap, hermes, ..)
	  - EAPOL/EAP functions

2004-02-15 - v0.2.0
	* Initial version of wpa_supplicant