Host AP/hostapd/wpa_supplicant - new development release v0.3.0

Jouni Malinen jkmaline at
Mon Dec 6 01:30:16 EST 2004

New versions of Linux Prism2/2.5/3 Host AP driver, hostapd, and
wpa_supplicant were just released and are now available from

This release is the first release from the development (0.3.x)
branch. Please note that 0.2.x branch continues to be the current
source of stable releases.

Almost six months has passed from the previous development release, so
it is about time to start making new releases This will hopefully get
some more testing on the new features and in addition, provides fixed
snapshots to make it easier to refer to a specific version of the

Most of the changes since last development release (v0.2.3) and
differences from the current stable branch are in wpa_supplicant and
hostapd. hostap-driver got only minor changes and hostap-utils did not
change at all.

hostapd got similar driver interface as wpa_supplicant to support
multiple drivers and initial support for madwifi and Prism54 drivers
and wired authenticator was added. wpa_supplicant driver interface got
the needed cleanup and support for new drivers (Broadcom wl.o, Intel
ipw2100). In addition, port for FreeBSD and the generic BSD net80211
is getting closer. Some of the required changes for the kernel have
not yet been committed, but wpa_supplicant/hostapd parts are included
in this release and will hopefully be usable for testing once the
kernel changes become available.

wpa_supplicant has number of improvements and new features for
EAP. Support for EAP-AKA has been added and so has generic support for
fast reauthentication/session resumption (EAP-TLS/PEAP/TTLS/SIM/AKA).

hostapd has now similar control interface as wpa_supplicant and number
of MIBs (IEEE 802.1X, IEEE 802.11i, RADIUS client) are available
through this new interface. Another new hostapd feature is integrated
EAP authenticator. This is still in an early phase with the state
machine implemented and only EAP-MD5 supported, but eventually, this
should provide full support for integrated IEEE 802.1X/EAP
authentication without needed an external RADIUS server.

Please note that both wpa_supplicant and hostapd are now requiring
build time configuration in .config file. An example configuration,
defconfig, has been added for both and it can be used as a starting
point for this configuration (cp defconfig .config). This
configuration is used to select which features, including driver
support, is included in the build.

hostapd licensing has changed to make the core implementation
available under dual-license (GPLv2 and BSD) in the same way as
wpa_supplicant. hostap-driver and hostap-utils remain under GPLv2 only

I would expect development to continue for some more time on 0.3.x
branch before starting to stabilize for stable releases. I hope to
keep the code in working condition most of the time so that it would
be usable for most users, but please keep in mind that this branch is
still under development and some instability should be expected.

Detailed list of changes since v0.2.4:

* fixed card enabling after firmware download in case any of the
  netdevs were up when the download was started
* added support for Linux wireless extension v17 (export event support,
  larger scan results buffer, new spy data handling)
* fixed netif_carrier_on/off() calls to leave carrier on for Master
  mode; previously this may have been left off in some cases which
  could prevent packet bridging with new kernel versions
* added support for changed PCI API in Linux 2.6.10-rc1 and newer:
  pci_{save,restore}_state() lost one argument, pci_register_driver()
* added support for larger number of BSSes in scan results by using
  local BSS list to fill in APs that are missing from firmware scan
  results (firmware limit seemed to be 32 APs at least in some
  versions); this requires STA firmware version 1.7.x or newer and
  WPA enabled

* added support for Acct-{Input,Output}-Gigawords
* added support for Event-Timestamp (in RADIUS Accounting-Requests)
* added support for RADIUS Authentication Client MIB (RFC2618)
* added support for RADIUS Accounting Client MIB (RFC2620)
* made EAP re-authentication period configurable (eap_reauth_period)
* fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication
* fixed EAPOL state machine to stop if STA is removed during
  eapol_sm_step(); this fixes at least one segfault triggering bug with
  IEEE 802.11i pre-authentication
* added support for multiple WPA pre-shared keys (e.g., one for each
  client MAC address or keys shared by a group of clients);
  new hostapd.conf field wpa_psk_file for setting path to a text file
  containing PSKs, see hostapd.wpa_psk for an example
* added support for multiple driver interfaces to allow hostapd to be
  used with other drivers
* added wired authenticator driver interface (driver=wired in
  hostapd.conf, see wired.conf for example configuration)
* added madwifi driver interface (driver=madwifi in hostapd.conf, see
  madwifi.conf for example configuration; Note: include files from
  madwifi project is needed for building and a configuration file,
  .config, needs to be created in hostapd directory with
  CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd
* fixed an alignment issue that could cause SHA-1 to fail on some
  platforms (e.g., Intel ixp425 with a compiler that does not 32-bit
  align variables)
* fixed RADIUS reconnection after an error in sending interim
  accounting packets
* added hostapd control interface for external programs and an example
  CLI, hostapd_cli (like wpa_cli for wpa_supplicant)
* started adding dot11, dot1x, radius MIBs ('hostapd_cli mib',
  'hostapd_cli sta <addr>')
* finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11)
* added support for strict GTK rekeying (wpa_strict_rekey in
* updated IAPP to use UDP port 3517 and multicast address
  (instead of broadcast) for IAPP ADD-notify (moved from draft 3 to
  IEEE 802.11F-2003)
* added Prism54 driver interface (driver=prism54 in hostapd.conf;
  note: .config needs to be created in hostapd directory with
  CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd
* dual-licensed hostapd (GPLv2 and BSD licenses)
* fixed RADIUS accounting to generate a new session id for cases where
  a station reassociates without first being complete deauthenticated
* fixed STA disassociation handler to mark next timeout state to
  deauthenticate the station, i.e., skip long wait for inactivity poll
  and extra disassociation, if the STA disassociates without
* added integrated EAP authenticator that can be used instead of
  external RADIUS authentication server; currently, only EAP-MD5 is
  supported, so this cannot yet be used for key distribution; the EAP
  method interface is generic, though, so adding new EAP methods should
  be straightforward; new hostapd.conf variables: 'eap_authenticator'
  and 'eap_user_file'; this obsoletes "minimal authentication server"
  ('minimal_eap' in hostapd.conf) which is now removed
* added support for FreeBSD and driver interface for the BSD net80211
  layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in
  .config); please note that some of the required kernel mods have not
  yet been committed

* driver_broadcom: added new driver interface for Broadcom wl.o driver
  (a generic driver for Broadcom IEEE 802.11a/g cards)
* wpa_cli: fixed parsing of -p <path> command line argument
* PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS
  ACK, not tunneled EAP-Success (of which only the first byte was
  actually send due to a bug in previous code); this seems to
  interoperate with most RADIUS servers that implements PEAPv1
* PEAPv1: added support for terminating PEAP authentication on tunneled
  EAP-Success message; this can be configured by adding
  peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf
  (some RADIUS servers require this whereas others require a tunneled
* PEAPv1: changed phase1 option peaplabel to use default to 0, i.e., to
  the old label for key derivation; previously, the default was 1,
  but it looks like most existing PEAPv1 implementations use the old
  label which is thus more suitable default option
* added support for EAP-PSK (draft-bersani-eap-psk-03.txt)
* fixed parsing of wep_tx_keyidx
* added support for configuring list of allowed Phase 2 EAP types
  (for both EAP-PEAP and EAP-TTLS) instead of only one type
* added support for configuring IEEE 802.11 authentication algorithm
  (auth_alg; mainly for using Shared Key authentication with static
  WEP keys)
* added support for EAP-AKA (with UMTS SIM)
* fixed couple of errors in PCSC handling that could have caused
  random-looking errors for EAP-SIM
* added support for EAP-SIM pseudonyms and fast re-authentication
* added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS
  session resumption)
* added support for EAP-SIM with two challanges
  (phase1="sim_min_num_chal=3" can be used to require three challenges)
* added support for configuring DH/DSA parameters for an ephemeral DH
  key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters
  dh_file and dh_file2 (phase 2); this adds support for using DSA keys
  and optional DH key exchange to achieve forward secracy with RSA keys
* added support for matching subject of the authentication server
  certificate with a substring when using EAP-TLS/PEAP/TTLS; new
  configuration variables subject_match and subject_match2
* changed SSID configuration in driver_wext.c (used by many driver
  interfaces) to use ssid_len+1 as the length for SSID since some Linux
  drivers expect this
* fixed couple of unaligned reads in scan result parsing to fix WPA
  connection on some platforms (e.g., ARM)
* added driver interface for Intel ipw2100 driver
* added support for LEAP with WPA
* added support for larger scan results report (old limit was 4 kB of
  data, i.e., about 35 or so APs) when using Linux wireless extensions
  v17 or newer
* fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start
  only if there is a PMKSA cache entry for the current AP
* fixed error handling for case where reading of scan results fails:
  must schedule a new scan or wpa_supplicant will remain waiting
* changed debug output to remove shared password/key material by
  default; all key information can be included with -K command line
  argument to match the previous behavior
* added support for timestamping debug log messages (disabled by
  default, can be enabled with -t command line argument)
* set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104
  if keys are not configured to be used; this fixes IEEE 802.1X mode
  with drivers that use this information to configure whether Privacy
  bit can be in Beacon frames (e.g., ndiswrapper)
* avoid clearing driver keys if no keys have been configured since last
  key clear request; this seems to improve reliability of group key
  handshake for ndiswrapper & NDIS driver which seems to be suffering
  of some kind of timing issue when the keys are cleared again after
* changed driver interface API:
  - WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which
    version is being used (now, this is set to 2; previously, it was
    not defined)
  - pass pointer to private data structure to all calls
  - the new API is not backwards compatible; all in-tree driver
    interfaces has been converted to the new API
* added support for controlling multiple interfaces (radios) per
  wpa_supplicant process; each interface needs to be listed on the
  command line (-c, -i, -D arguments) with -N as a separator
  (-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi)
* added a workaround for EAP servers that incorrectly use same Id for
  sequential EAP packets
* changed libpcap/libdnet configuration to use .config variable,
  CONFIG_DNET_PCAP, instead of requiring Makefile modification
* improved downgrade attack detection in IE verification of msg 3/4:
  verify both WPA and RSN IEs, if present, not only the selected one;
  reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or
  Probe Response frame, and RSN is enabled in wpa_supplicant
* fixed WPA msg 3/4 processing to allow Key Data field contain other
  IEs than just one WPA IE
* added support for FreeBSD and driver interface for the BSD net80211
  layer (CONFIG_DRIVER_BSD=y in .config); please note that some of the
  required kernel mods have not yet been committed
* made EAP workarounds configurable; enabled by default, can be
  disabled with network block option eap_workaround=0

* no changes since 0.2.4

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list