Host AP/hostapd/wpa_supplicant - new development release v0.3.0
Jouni Malinen
jkmaline at cc.hut.fi
Mon Dec 6 01:30:16 EST 2004
New versions of Linux Prism2/2.5/3 Host AP driver, hostapd, and
wpa_supplicant were just released and are now available from
http://hostap.epitest.fi/
This release is the first release from the development (0.3.x)
branch. Please note that 0.2.x branch continues to be the current
source of stable releases.
Almost six months has passed from the previous development release, so
it is about time to start making new releases This will hopefully get
some more testing on the new features and in addition, provides fixed
snapshots to make it easier to refer to a specific version of the
code.
Most of the changes since last development release (v0.2.3) and
differences from the current stable branch are in wpa_supplicant and
hostapd. hostap-driver got only minor changes and hostap-utils did not
change at all.
hostapd got similar driver interface as wpa_supplicant to support
multiple drivers and initial support for madwifi and Prism54 drivers
and wired authenticator was added. wpa_supplicant driver interface got
the needed cleanup and support for new drivers (Broadcom wl.o, Intel
ipw2100). In addition, port for FreeBSD and the generic BSD net80211
is getting closer. Some of the required changes for the kernel have
not yet been committed, but wpa_supplicant/hostapd parts are included
in this release and will hopefully be usable for testing once the
kernel changes become available.
wpa_supplicant has number of improvements and new features for
EAP. Support for EAP-AKA has been added and so has generic support for
fast reauthentication/session resumption (EAP-TLS/PEAP/TTLS/SIM/AKA).
hostapd has now similar control interface as wpa_supplicant and number
of MIBs (IEEE 802.1X, IEEE 802.11i, RADIUS client) are available
through this new interface. Another new hostapd feature is integrated
EAP authenticator. This is still in an early phase with the state
machine implemented and only EAP-MD5 supported, but eventually, this
should provide full support for integrated IEEE 802.1X/EAP
authentication without needed an external RADIUS server.
Please note that both wpa_supplicant and hostapd are now requiring
build time configuration in .config file. An example configuration,
defconfig, has been added for both and it can be used as a starting
point for this configuration (cp defconfig .config). This
configuration is used to select which features, including driver
support, is included in the build.
hostapd licensing has changed to make the core implementation
available under dual-license (GPLv2 and BSD) in the same way as
wpa_supplicant. hostap-driver and hostap-utils remain under GPLv2 only
license.
I would expect development to continue for some more time on 0.3.x
branch before starting to stabilize for stable releases. I hope to
keep the code in working condition most of the time so that it would
be usable for most users, but please keep in mind that this branch is
still under development and some instability should be expected.
Detailed list of changes since v0.2.4:
hostap-driver:
* fixed card enabling after firmware download in case any of the
netdevs were up when the download was started
* added support for Linux wireless extension v17 (export event support,
larger scan results buffer, new spy data handling)
* fixed netif_carrier_on/off() calls to leave carrier on for Master
mode; previously this may have been left off in some cases which
could prevent packet bridging with new kernel versions
* added support for changed PCI API in Linux 2.6.10-rc1 and newer:
pci_{save,restore}_state() lost one argument, pci_register_driver()
changed
* added support for larger number of BSSes in scan results by using
local BSS list to fill in APs that are missing from firmware scan
results (firmware limit seemed to be 32 APs at least in some
versions); this requires STA firmware version 1.7.x or newer and
WPA enabled
hostapd:
* added support for Acct-{Input,Output}-Gigawords
* added support for Event-Timestamp (in RADIUS Accounting-Requests)
* added support for RADIUS Authentication Client MIB (RFC2618)
* added support for RADIUS Accounting Client MIB (RFC2620)
* made EAP re-authentication period configurable (eap_reauth_period)
* fixed EAPOL reauthentication to trigger WPA/WPA2 reauthentication
* fixed EAPOL state machine to stop if STA is removed during
eapol_sm_step(); this fixes at least one segfault triggering bug with
IEEE 802.11i pre-authentication
* added support for multiple WPA pre-shared keys (e.g., one for each
client MAC address or keys shared by a group of clients);
new hostapd.conf field wpa_psk_file for setting path to a text file
containing PSKs, see hostapd.wpa_psk for an example
* added support for multiple driver interfaces to allow hostapd to be
used with other drivers
* added wired authenticator driver interface (driver=wired in
hostapd.conf, see wired.conf for example configuration)
* added madwifi driver interface (driver=madwifi in hostapd.conf, see
madwifi.conf for example configuration; Note: include files from
madwifi project is needed for building and a configuration file,
.config, needs to be created in hostapd directory with
CONFIG_DRIVER_MADWIFI=y to include this driver interface in hostapd
build)
* fixed an alignment issue that could cause SHA-1 to fail on some
platforms (e.g., Intel ixp425 with a compiler that does not 32-bit
align variables)
* fixed RADIUS reconnection after an error in sending interim
accounting packets
* added hostapd control interface for external programs and an example
CLI, hostapd_cli (like wpa_cli for wpa_supplicant)
* started adding dot11, dot1x, radius MIBs ('hostapd_cli mib',
'hostapd_cli sta <addr>')
* finished update from IEEE 802.1X-2001 to IEEE 802.1X-REV (now d11)
* added support for strict GTK rekeying (wpa_strict_rekey in
hostapd.conf)
* updated IAPP to use UDP port 3517 and multicast address 224.0.1.178
(instead of broadcast) for IAPP ADD-notify (moved from draft 3 to
IEEE 802.11F-2003)
* added Prism54 driver interface (driver=prism54 in hostapd.conf;
note: .config needs to be created in hostapd directory with
CONFIG_DRIVER_PRISM54=y to include this driver interface in hostapd
build)
* dual-licensed hostapd (GPLv2 and BSD licenses)
* fixed RADIUS accounting to generate a new session id for cases where
a station reassociates without first being complete deauthenticated
* fixed STA disassociation handler to mark next timeout state to
deauthenticate the station, i.e., skip long wait for inactivity poll
and extra disassociation, if the STA disassociates without
deauthenticating
* added integrated EAP authenticator that can be used instead of
external RADIUS authentication server; currently, only EAP-MD5 is
supported, so this cannot yet be used for key distribution; the EAP
method interface is generic, though, so adding new EAP methods should
be straightforward; new hostapd.conf variables: 'eap_authenticator'
and 'eap_user_file'; this obsoletes "minimal authentication server"
('minimal_eap' in hostapd.conf) which is now removed
* added support for FreeBSD and driver interface for the BSD net80211
layer (driver=bsd in hostapd.conf and CONFIG_DRIVER_BSD=y in
.config); please note that some of the required kernel mods have not
yet been committed
wpa_supplicant:
* driver_broadcom: added new driver interface for Broadcom wl.o driver
(a generic driver for Broadcom IEEE 802.11a/g cards)
* wpa_cli: fixed parsing of -p <path> command line argument
* PEAPv1: fixed tunneled EAP-Success reply handling to reply with TLS
ACK, not tunneled EAP-Success (of which only the first byte was
actually send due to a bug in previous code); this seems to
interoperate with most RADIUS servers that implements PEAPv1
* PEAPv1: added support for terminating PEAP authentication on tunneled
EAP-Success message; this can be configured by adding
peap_outer_success=0 on phase1 parameters in wpa_supplicant.conf
(some RADIUS servers require this whereas others require a tunneled
reply
* PEAPv1: changed phase1 option peaplabel to use default to 0, i.e., to
the old label for key derivation; previously, the default was 1,
but it looks like most existing PEAPv1 implementations use the old
label which is thus more suitable default option
* added support for EAP-PSK (draft-bersani-eap-psk-03.txt)
* fixed parsing of wep_tx_keyidx
* added support for configuring list of allowed Phase 2 EAP types
(for both EAP-PEAP and EAP-TTLS) instead of only one type
* added support for configuring IEEE 802.11 authentication algorithm
(auth_alg; mainly for using Shared Key authentication with static
WEP keys)
* added support for EAP-AKA (with UMTS SIM)
* fixed couple of errors in PCSC handling that could have caused
random-looking errors for EAP-SIM
* added support for EAP-SIM pseudonyms and fast re-authentication
* added support for EAP-TLS/PEAP/TTLS fast re-authentication (TLS
session resumption)
* added support for EAP-SIM with two challanges
(phase1="sim_min_num_chal=3" can be used to require three challenges)
* added support for configuring DH/DSA parameters for an ephemeral DH
key exchange (EAP-TLS/PEAP/TTLS) using new configuration parameters
dh_file and dh_file2 (phase 2); this adds support for using DSA keys
and optional DH key exchange to achieve forward secracy with RSA keys
* added support for matching subject of the authentication server
certificate with a substring when using EAP-TLS/PEAP/TTLS; new
configuration variables subject_match and subject_match2
* changed SSID configuration in driver_wext.c (used by many driver
interfaces) to use ssid_len+1 as the length for SSID since some Linux
drivers expect this
* fixed couple of unaligned reads in scan result parsing to fix WPA
connection on some platforms (e.g., ARM)
* added driver interface for Intel ipw2100 driver
* added support for LEAP with WPA
* added support for larger scan results report (old limit was 4 kB of
data, i.e., about 35 or so APs) when using Linux wireless extensions
v17 or newer
* fixed a bug in PMKSA cache processing: skip sending of EAPOL-Start
only if there is a PMKSA cache entry for the current AP
* fixed error handling for case where reading of scan results fails:
must schedule a new scan or wpa_supplicant will remain waiting
forever
* changed debug output to remove shared password/key material by
default; all key information can be included with -K command line
argument to match the previous behavior
* added support for timestamping debug log messages (disabled by
default, can be enabled with -t command line argument)
* set pairwise/group cipher suite for non-WPA IEEE 802.1X to WEP-104
if keys are not configured to be used; this fixes IEEE 802.1X mode
with drivers that use this information to configure whether Privacy
bit can be in Beacon frames (e.g., ndiswrapper)
* avoid clearing driver keys if no keys have been configured since last
key clear request; this seems to improve reliability of group key
handshake for ndiswrapper & NDIS driver which seems to be suffering
of some kind of timing issue when the keys are cleared again after
association
* changed driver interface API:
- WPA_SUPPLICANT_DRIVER_VERSION define can be used to determine which
version is being used (now, this is set to 2; previously, it was
not defined)
- pass pointer to private data structure to all calls
- the new API is not backwards compatible; all in-tree driver
interfaces has been converted to the new API
* added support for controlling multiple interfaces (radios) per
wpa_supplicant process; each interface needs to be listed on the
command line (-c, -i, -D arguments) with -N as a separator
(-cwpa1.conf -iwlan0 -Dhostap -N -cwpa2.conf -iath0 -Dmadwifi)
* added a workaround for EAP servers that incorrectly use same Id for
sequential EAP packets
* changed libpcap/libdnet configuration to use .config variable,
CONFIG_DNET_PCAP, instead of requiring Makefile modification
* improved downgrade attack detection in IE verification of msg 3/4:
verify both WPA and RSN IEs, if present, not only the selected one;
reject the AP if an RSN IE is found in msg 3/4, but not in Beacon or
Probe Response frame, and RSN is enabled in wpa_supplicant
configuration
* fixed WPA msg 3/4 processing to allow Key Data field contain other
IEs than just one WPA IE
* added support for FreeBSD and driver interface for the BSD net80211
layer (CONFIG_DRIVER_BSD=y in .config); please note that some of the
required kernel mods have not yet been committed
* made EAP workarounds configurable; enabled by default, can be
disabled with network block option eap_workaround=0
hostap-utils:
* no changes since 0.2.4
--
Jouni Malinen PGP id EFC895FA
More information about the HostAP
mailing list