hostapd/wpa_supplicant - new development release v0.6.6

Jouni Malinen j at w1.fi
Sun Nov 23 10:25:49 EST 2008


New versions of wpa_supplicant and hostapd were just
released and are now available from http://w1.fi/

This release is from the development branch (0.6.x). Please note that
the 0.5.x branch continues to be the current source of stable releases.

hostapd:
* added a new configuration option, wpa_ptk_rekey, that can be used to
  enforce frequent PTK rekeying, e.g., to mitigate some attacks against
  TKIP deficiencies
* updated OpenSSL code for EAP-FAST to use an updated version of the
  session ticket overriding API that was included into the upstream
  OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
  needed with that version anymore)
* changed channel flags configuration to read the information from
  the driver (e.g., via driver_nl80211 when using mac80211) instead of
  using hostapd as the source of the regulatory information (i.e.,
  information from CRDA is now used with mac80211); this allows 5 GHz
  channels to be used with hostapd (if allowed in the current
  regulatory domain)
* fixed EAP-TLS message processing for the last TLS message if it is
  large enough to require fragmentation (e.g., if a large Session
  Ticket data is included)
* fixed listen interval configuration for nl80211 drivers

wpa_supplicant:
* added Milenage SIM/USIM emulator for EAP-SIM/EAP-AKA
  (can be used to simulate test SIM/USIM card with a known private key;
  enable with CONFIG_SIM_SIMULATOR=y/CONFIG_USIM_SIMULATOR=y in .config
  and password="Ki:OPc"/password="Ki:OPc:SQN" in network configuration)
* added a new network configuration option, wpa_ptk_rekey, that can be
  used to enforce frequent PTK rekeying, e.g., to mitigate some attacks
  against TKIP deficiencies
* added an optional mitigation mechanism for certain attacks against
  TKIP by delaying Michael MIC error reports by a random amount of time
  between 0 and 60 seconds; this can be enabled with a build option
  CONFIG_DELAYED_MIC_ERROR_REPORT=y in .config
* fixed EAP-AKA to use RES Length field in AT_RES as length in bits,
  not bytes
* updated OpenSSL code for EAP-FAST to use an updated version of the
  session ticket overriding API that was included into the upstream
  OpenSSL 0.9.9 tree on 2008-11-15 (no additional OpenSSL patch is
  needed with that version anymore)
* updated userspace MLME instructions to match with the current Linux
  mac80211 implementation; please also note that this can only be used
  with driver_nl80211.c (the old code from driver_wext.c was removed)
* added support (Linux only) for RoboSwitch chipsets (often found in
  consumer grade routers); driver interface 'roboswitch'
* fixed canceling of PMKSA caching when using drivers that generate
  RSN IE and refuse to drop PMKIDs that wpa_supplicant does not know
  about


git-shortlog for 0.6.5 -> 0.6.6:

Carolin Latze (1):
      Separate OpenSSL engine configuration for Phase 2

Jouke Witteveen (2):
      Add RoboSwitch driver interface for wpa_supplicant
      Fixed a bug in read -> _read cleanup; one missed change

Jouni Malinen (46):
      Added Milenage USIM emulator for EAP-AKA (can be used to simulate test
      driver_ndis: Added a workaround for a driver that removes SSID IE in scan
      Added Milenage-GSM simulator for EAP-SIM
      Added support for enforcing frequent PTK rekeying
      EAP-FAST: Include Tunnel PAC request only after EAP authentication
      EAP-FAST server: allow expired PAC for PAC refresh
      Fixed EAP-AKA RES Length field in AT_RES as length in bits, not bytes
      EAP-AKA: Validate RES Length field in AT_RES
      EAP-SIM/AKA: fixed initialization to verify PIN even if identity is set
      Added an optional mitigation mechanism for certain attacks against TKIP by
      Updated indentation in the patch to match style used elsewhere in OpenSSL
      Modified the OpenSSL patch to use session ticket -specific function
      EAP-FAST: Reorder TLVs in PAC Acknowledgment to fix interop issues
      Updated interop results for ACS 4.2
      OpenSSL 0.9.9 API change for EAP-FAST session ticket overriding API
      Changed channel flags configuration to read the information from the driver
      driver_nl80211: Remove monitor interface if AP initialization fails
      Improved the error message for passive scan not being available
      Remove extra typedefs since they do not seem to be needed anymore
      Updated userspace MLME instructions for current mac80211
      roboswitch: Minor coding style cleanup
      EAP-PEAP: Copy Binding nonce from cryptobinding request to reply
      Fixed size_t printf format for 64-bit builds
      Changed PEAPv0 cryptobinding to be disabled by default
      Fixed EAPA-AKA warning message about AT_RES length to use bits
      Fixed Milenage debug output to use correct length for IK and CK
      Fixed EAP-TLS message fragmentation for the last TLS message
      wpa_gui: Add a PNG version of the tray icon for Windows binary build
      Silence printf() calls in wpa_gui to avoid stdout output from a GUI program
      Remove the unwanted Windows console from the Windows binary version of wpa_gui
      Fixed canceling of PMKSA caching with driver generated RSN IE
      Fixed hostapd build without l2_packet (e.g., RADIUS server only).
      Added an attribution based on the original SSLeay license for OpenSSL.
      reconfig.c file was not used at all, so remove it.
      Removed now unused reconfig variables.
      Removed partial IEEE 802.11h implementation
      Removed forgotten register_drivers() prototype
      Remove overly complex hostapd setup sequence with n+1 callbacks
      Remove experimental non-AP STA code from hostapd
      Add more verbose debug output for GSM-Milenage use (RAND,SRES,Kc)
      Fixed listen interval configuration for nl80211 drivers
      Allocate new Acct-Session-Id on EAPOL-Logoff
      Use SM_ENTER_GLOBAL to clean up EAPOL state machine debug messages
      Simplified RADIUS accounting id usage
      Preparations for 0.6.6 release
      Preparations for 0.6.6 release

Kel Modderman (1):
      wpa_gui-qt4: tweak icon Makefile

Martin Michlmayr (1):
      wpa_gui-qt4: FTBFS with GCC 4.4: missing #include

-- 
Jouni Malinen                                            PGP id EFC895FA
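
The wpa_supplicant changelog entry about AT_RES ("RES Length field in AT_RES as length in bits, not bytes") and the shortlog entry "EAP-AKA: Validate RES Length field in AT_RES" concern the attribute layout defined in RFC 4187. The sketch below is an added example, not code from hostapd or wpa_supplicant: `parse_at_res` and the sample buffers are hypothetical, and it assumes RES is a whole number of octets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_AKA_AT_RES 3   /* attribute type (RFC 4187) */
#define RES_MIN_BITS 32    /* RES is 32..128 bits (RFC 4187, section 10.8) */
#define RES_MAX_BITS 128

/* Hypothetical helper. Layout of AT_RES:
 * type(1) | length in 4-byte words(1) | RES Length in BITS(2) | RES + padding
 * Copies RES to out and returns its length in bytes, or -1 if malformed. */
int parse_at_res(const uint8_t *attr, size_t avail, uint8_t *out, size_t out_sz)
{
    size_t attr_len, res_bits, res_bytes;

    if (avail < 4 || attr[0] != EAP_AKA_AT_RES)
        return -1;
    attr_len = (size_t)attr[1] * 4;      /* includes the 4-byte header */
    if (attr_len < 4 || attr_len > avail)
        return -1;
    res_bits = ((size_t)attr[2] << 8) | attr[3];
    /* Assumption of this example: only whole-octet RES values are accepted. */
    if (res_bits < RES_MIN_BITS || res_bits > RES_MAX_BITS || res_bits % 8)
        return -1;
    res_bytes = res_bits / 8;
    /* A field value of 64 means 8 bytes, never 64 bytes; also bound it by
     * the payload the attribute really carries and by the output buffer. */
    if (res_bytes > attr_len - 4 || res_bytes > out_sz)
        return -1;
    memcpy(out, attr + 4, res_bytes);
    return (int)res_bytes;
}

/* Constructed sample attributes (not captured traffic). */
static const uint8_t sample_ok[] =        /* 64-bit RES, correctly encoded */
    { 3, 3, 0x00, 0x40, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8 };
static const uint8_t sample_bytes_bug[] = /* sender wrote 8 (bytes) in the bit field */
    { 3, 3, 0x00, 0x08, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7, 0xa8 };
static const uint8_t sample_overrun[] =   /* claims 128 bits, carries 32 */
    { 3, 2, 0x00, 0x80, 0xa1, 0xa2, 0xa3, 0xa4 };

int main(void)
{
    uint8_t res[16];
    printf("ok=%d bytes_bug=%d overrun=%d\n",
           parse_at_res(sample_ok, sizeof(sample_ok), res, sizeof(res)),
           parse_at_res(sample_bytes_bug, sizeof(sample_bytes_bug), res, sizeof(res)),
           parse_at_res(sample_overrun, sizeof(sample_overrun), res, sizeof(res)));
    return 0;
}
```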

