ChangeLog for hostapd 2006-02-08 - v0.4.8 * fixed stdarg use in hostapd_logger(): if both stdout and syslog logging was enabled, hostapd could trigger a segmentation fault in vsyslog on some CPU -- C library combinations 2005-11-20 - v0.4.7 (beginning of 0.4.x stable releases) * driver_wired: fixed EAPOL sending to optionally use PAE group address as the destination instead of supplicant MAC address; this is disabled by default, but should be enabled with use_pae_group_addr=1 in configuration file if the wired interface is used by only one device at the time (common switch configuration) * driver_madwifi: configure driver to use TKIP countermeasures in order to get correct behavior (IEEE 802.11 association failing; previously, association succeeded, but hostpad forced disassociation immediately) * driver_madwifi: added support for madwifi-ng 2005-10-27 - v0.4.6 * added support for replacing user identity from EAP with RADIUS User-Name attribute from Access-Accept message, if that is included, for the RADIUS accounting messages (e.g., for EAP-PEAP/TTLS to get tunneled identity into accounting messages when the RADIUS server does not support better way of doing this with Class attribute) * driver_madwifi: fixed EAPOL packet receive for configuration where ath# is part of a bridge interface * added a configuration file and log analyzer script for logwatch * fixed EAPOL state machine step function to process all state transitions before processing new events; this resolves a race condition in which EAPOL-Start message could trigger hostapd to send two EAP-Response/Identity frames to the authentication server 2005-09-25 - v0.4.5 * added client CA list to the TLS certificate request in order to make it easier for the client to select which certificate to use * added experimental support for EAP-PSK * added support for WE-19 (hostap, madwifi) 2005-08-21 - v0.4.4 * fixed build without CONFIG_RSN_PREAUTH * fixed FreeBSD build 2005-06-26 - v0.4.3 * fixed PMKSA caching to copy User-Name and Class attributes so that RADIUS accounting gets correct information * start RADIUS accounting only after successful completion of WPA 4-Way Handshake if WPA-PSK is used * fixed PMKSA caching for the case where STA (re)associates without first disassociating 2005-06-12 - v0.4.2 * EAP-PAX is now registered as EAP type 46 * fixed EAP-PAX MAC calculation * fixed EAP-PAX CK and ICK key derivation * renamed eap_authenticator configuration variable to eap_server to better match with RFC 3748 (EAP) terminology * driver_test: added support for testing hostapd with wpa_supplicant by using test driver interface without any kernel drivers or network cards 2005-05-22 - v0.4.1 * fixed RADIUS server initialization when only auth or acct server is configured and the other one is left empty * driver_madwifi: added support for RADIUS accounting * driver_madwifi: added preliminary support for compiling against 'BSD' branch of madwifi CVS tree * driver_madwifi: fixed pairwise key removal to allow WPA reauth without disassociation * added support for reading additional certificates from PKCS#12 files and adding them to the certificate chain * fixed RADIUS Class attribute processing to only use Access-Accept packets to update Class; previously, other RADIUS authentication packets could have cleared Class attribute * added support for more than one Class attribute in RADIUS packets * added support for verifying certificate revocation list (CRL) when using integrated EAP authenticator for EAP-TLS; new hostapd.conf options 'check_crl'; CRL must be included in the ca_cert file for now 2005-04-25 - v0.4.0 (beginning of 0.4.x development releases) * added support for including network information into EAP-Request/Identity message (ASCII-0 (nul) in eap_message) (e.g., to implement draft-adrange-eap-network-discovery-07.txt) * fixed a bug which caused some RSN pre-authentication cases to use freed memory and potentially crash hostapd * fixed private key loading for cases where passphrase is not set * added support for sending TLS alerts and aborting authentication when receiving a TLS alert * fixed WPA2 to add PMKSA cache entry when using integrated EAP authenticator * fixed PMKSA caching (EAP authentication was not skipped correctly with the new state machine changes from IEEE 802.1X draft) * added support for RADIUS over IPv6; own_ip_addr, auth_server_addr, and acct_server_addr can now be IPv6 addresses (CONFIG_IPV6=y needs to be added to .config to include IPv6 support); for RADIUS server, radius_server_ipv6=1 needs to be set in hostapd.conf and addresses in RADIUS clients file can then use IPv6 format * added experimental support for EAP-PAX * replaced hostapd control interface library (hostapd_ctrl.[ch]) with the same implementation that wpa_supplicant is using (wpa_ctrl.[ch]) 2005-02-12 - v0.3.7 (beginning of 0.3.x stable releases) 2005-01-23 - v0.3.5 * added support for configuring a forced PEAP version based on the Phase 1 identity * fixed PEAPv1 to use tunneled EAP-Success/Failure instead of EAP-TLV to terminate authentication * fixed EAP identifier duplicate processing with the new IEEE 802.1X draft * clear accounting data in the driver when starting a new accounting session * driver_madwifi: filter wireless events based on ifindex to allow more than one network interface to be used * fixed WPA message 2/4 processing not to cancel timeout for TimeoutEvt setting if the packet does not pass MIC verification (e.g., due to incorrect PSK); previously, message 1/4 was not tried again if an invalid message 2/4 was received * fixed reconfiguration of RADIUS client retransmission timer when adding a new message to the pending list; previously, timer was not updated at this point and if there was a pending message with long time for the next retry, the new message needed to wait that long for its first retry, too 2005-01-09 - v0.3.4 * added support for configuring multiple allowed EAP types for Phase 2 authentication (EAP-PEAP, EAP-TTLS) * fixed EAPOL-Start processing to trigger WPA reauthentication (previously, only EAPOL authentication was done) 2005-01-02 - v0.3.3 * added support for EAP-PEAP in the integrated EAP authenticator * added support for EAP-GTC in the integrated EAP authenticator * added support for configuring list of EAP methods for Phase 1 so that the integrated EAP authenticator can, e.g., use the wildcard entry for EAP-TLS and EAP-PEAP * added support for EAP-TTLS in the integrated EAP authenticator * added support for EAP-SIM in the integrated EAP authenticator * added support for using hostapd as a RADIUS authentication server with the integrated EAP authenticator taking care of EAP authentication (new hostapd.conf options: radius_server_clients and radius_server_auth_port); this is not included in default build; use CONFIG_RADIUS_SERVER=y in .config to include 2004-12-19 - v0.3.2 * removed 'daemonize' configuration file option since it has not really been used at all for more than year * driver_madwifi: fixed group key setup and added get_ssid method * added support for EAP-MSCHAPv2 in the integrated EAP authenticator 2004-12-12 - v0.3.1 * added support for integrated EAP-TLS authentication (new hostapd.conf variables: ca_cert, server_cert, private_key, private_key_passwd); this enabled dynamic keying (WPA2/WPA/IEEE 802.1X/WEP) without external RADIUS server * added support for reading PKCS#12 (PFX) files (as a replacement for PEM/DER) to get certificate and private key (CONFIG_PKCS12) 2004-12-05 - v0.3.0 (beginning of 0.3.x development releases) * added support for Acct-{Input,Output}-Gigawords * added support for Event-Timestamp (in RADIUS Accounting-Requests) * added support for RADIUS Authentication Client MIB (RFC2618) * added support for RADIUS Accounting Client MIB (RFC2620) * made EAP re-authentication period configurable (eap_reauth_period) * fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication * fixed EAPOL state machine to stop if STA is removed during eapol_sm_step(); this fixes at least one segfault triggering bug with IEEE 802.11i pre-authentication * added support for multiple WPA pre-shared keys (e.g., one for each client MAC address or keys shared by a group of clients); new hostapd.conf field wpa_psk_file for setting path to a text file containing PSKs, see hostapd.wpa_psk for an example * added support for multiple driver interfaces to allow hostapd to be used with other drivers * added wired authenticator driver interface (driver=wired in hostapd.conf, see wired.conf for example configuration) * added madwifi driver interface (driver=madwifi in hostapd.conf, see madwifi.conf for example configuration; Note: include files from madwifi project is needed for building and a configuration file, .config, needs to be created in hostapd directory with CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd build) * fixed an alignment issue that could cause SHA-1 to fail on some platforms (e.g., Intel ixp425 with a compiler that does not 32-bit align variables) * fixed RADIUS reconnection after an error in sending interim accounting packets * added hostapd control interface for external programs and an example CLI, hostapd_cli (like wpa_cli for wpa_supplicant) * started adding dot11, dot1x, radius MIBs ('hostapd_cli mib', 'hostapd_cli sta ') * finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11) * added support for strict GTK rekeying (wpa_strict_rekey in hostapd.conf) * updated IAPP to use UDP port 3517 and multicast address 224.0.1.178 (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to IEEE 802.11F-2003) * added Prism54 driver interface (driver=prism54 in hostapd.conf; note: .config needs to be created in hostapd directory with CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd build) * dual-licensed hostapd (GPLv2 and BSD licenses) * fixed RADIUS accounting to generate a new session id for cases where a station reassociates without first being complete deauthenticated * fixed STA disassociation handler to mark next timeout state to deauthenticate the station, i.e., skip long wait for inactivity poll and extra disassociation, if the STA disassociates without deauthenticating * added integrated EAP authenticator that can be used instead of external RADIUS authentication server; currently, only EAP-MD5 is supported, so this cannot yet be used for key distribution; the EAP method interface is generic, though, so adding new EAP methods should be straightforward; new hostapd.conf variables: 'eap_authenticator' and 'eap_user_file'; this obsoletes "minimal authentication server" ('minimal_eap' in hostapd.conf) which is now removed * added support for FreeBSD and driver interface for the BSD net80211 layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in .config); please note that some of the required kernel mods have not yet been committed 2004-07-17 - v0.2.4 (beginning of 0.2.x stable releases) * fixed some accounting cases where Accounting-Start was sent when IEEE 802.1X port was being deauthorized 2004-06-20 - v0.2.3 * modified RADIUS client to re-connect the socket in case of certain error codes that are generated when a network interface state is changes (e.g., when IP address changes or the interface is set UP) * fixed couple of cases where EAPOL state for a station was freed twice causing a segfault for hostapd * fixed couple of bugs in processing WPA deauthentication (freed data was used) 2004-05-31 - v0.2.2 * fixed WPA/WPA2 group rekeying to use key index correctly (GN/GM) * fixed group rekeying to send zero TSC in EAPOL-Key messages to fix cases where STAs dropped multicast frames as replay attacks * added support for copying RADIUS Attribute 'Class' from authentication messages into accounting messages * send canned EAP failure if RADIUS server sends Access-Reject without EAP message (previously, Supplicant was not notified in this case) * fixed mixed WPA-PSK and WPA-EAP mode to work with WPA-PSK (i.e., do not start EAPOL state machines if the STA selected to use WPA-PSK) 2004-05-06 - v0.2.1 * added WPA and IEEE 802.11i/RSN (WPA2) Authenticator functionality - based on IEEE 802.11i/D10.0 but modified to interoperate with WPA (i.e., IEEE 802.11i/D3.0) - supports WPA-only, RSN-only, and mixed WPA/RSN mode - both WPA-PSK and WPA-RADIUS/EAP are supported - PMKSA caching and pre-authentication - new hostapd.conf variables: wpa, wpa_psk, wpa_passphrase, wpa_key_mgmt, wpa_pairwise, wpa_group_rekey, wpa_gmk_rekey, rsn_preauth, rsn_preauth_interfaces * fixed interim accounting to remove any pending accounting messages to the STA before sending a new one 2004-02-15 - v0.2.0 * added support for Acct-Interim-Interval: - draft-ietf-radius-acct-interim-01.txt - use Acct-Interim-Interval attribute from Access-Accept if local 'radius_acct_interim_interval' is not set - allow different update intervals for each STA * fixed event loop to call signal handlers only after returning from the real signal handler * reset sta->timeout_next after successful association to make sure that the previously registered inactivity timer will not remove the STA immediately (e.g., if STA deauthenticates and re-associates before the timer is triggered). * added new hostapd.conf variable, nas_identifier, that can be used to add an optional RADIUS Attribute, NAS-Identifier, into authentication and accounting messages * added support for Accounting-On and Accounting-Off messages * fixed accounting session handling to send Accounting-Start only once per session and not to send Accounting-Stop if the session was not initialized properly * fixed Accounting-Stop statistics in cases where the message was previously sent after the kernel entry for the STA (and/or IEEE 802.1X data) was removed Note: Older changes up to and including v0.1.0 are included in the ChangeLog of the Host AP driver.