hostapd/wpa_supplicant - new release v2.2

Jouni Malinen j at w1.fi
Wed Jun 4 17:50:22 EDT 2014


New versions of wpa_supplicant and hostapd were just
released and are now available from http://w1.fi/

This release follows the style used with v2.0 and v2.1 with the release
being made directly from the master branch and master branch moving now
to 2.3 development. This time, there was four months from the previous
release, so the timing is getting quite a bit closer to what was the
initial plan on 2.x releases.

There has been significant enhancements to the automated testing with
mac80211_hwsim since the last release. The current code coverage from
the full test run of 655 test cases is 76.4% (line coverage as reported
by lcov from the vm-run.sh --codecov --long run).

There has been quite a few new features and fixes since the 2.1
release. Number of the fixes are for issues that can cause program
crashes and some of those can be triggered remotely, so I would
recommend everyone to update to the new version. In addition, there are
significant fixes in the internal TLS implementation
(CONFIG_TLS=internal) for X.509 validation, so if someone is using that
with EAP-TLS/TTLS/PEAP/FAST, it is particularly important to update. The
following ChangeLog entries highlight some of the main changes:

hostapd:
* fixed SAE confirm-before-commit validation to avoid a potential
  segmentation fault in an unexpected message sequence that could be
  triggered remotely
* extended VHT support
  - Operating Mode Notification
  - Power Constraint element (local_pwr_constraint)
  - Spectrum management capability (spectrum_mgmt_required=1)
  - fix VHT80 segment picking in ACS
  - fix vht_capab 'Maximum A-MPDU Length Exponent' handling
  - fix VHT20
* fixed HT40 co-ex scan for some pri/sec channel switches
* extended HT40 co-ex support to allow dynamic channel width changes
  during the lifetime of the BSS
* fixed HT40 co-ex support to check for overlapping 20 MHz BSS
* fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
  this fixes password with include UTF-8 characters that use
  three-byte encoding EAP methods that use NtPasswordHash
* reverted TLS certificate validation step change in v2.1 that rejected
  any AAA server certificate with id-kp-clientAuth even if
  id-kp-serverAuth EKU was included
* fixed STA validation step for WPS ER commands to prevent a potential
  crash if an ER sends an unexpected PutWLANResponse to a station that
  is disassociated, but not fully removed
* enforce full EAP authentication after RADIUS Disconnect-Request by
  removing the PMKSA cache entry
* added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address
  in RADIUS Disconnect-Request
* added mechanism for removing addresses for MAC ACLs by prefixing an
  entry with "-"
* Interworking/Hotspot 2.0 enhancements
  - support Hotspot 2.0 Release 2
    * OSEN network for online signup connection
    * subscription remediation (based on RADIUS server request or
      control interface HS20_WNM_NOTIF for testing purposes)
    * Hotspot 2.0 release number indication in WFA RADIUS VSA
    * deauthentication request (based on RADIUS server request or
      control interface WNM_DEAUTH_REQ for testing purposes)
    * Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent
    * hs20_icon config parameter to configure icon files for OSU
    * osu_* config parameters for OSU Providers list
  - do not use Interworking filtering rules on Probe Request if
    Interworking is disabled to avoid interop issues
* added/fixed nl80211 functionality
  - AP interface teardown optimization
  - support vendor specific driver command
    (VENDOR <vendor id> <sub command id> [<hex formatted data>])
* fixed PMF protection of Deauthentication frame when this is triggered
  by session timeout
* internal TLS implementation enhancements/fixes
  - add SHA256-based cipher suites
  - add DHE-RSA cipher suites
  - fix X.509 validation of PKCS#1 signature to check for extra data
* RADIUS server functionality
  - add minimal RADIUS accounting server support (hostapd-as-server);
    this is mainly to enable testing coverage with hwsim scripts
  - allow authentication log to be written into SQLite databse
  - added option for TLS protocol testing of an EAP peer by simulating
    various misbehaviors/known attacks
  - MAC ACL support for testing purposes
* fixed PTK derivation for CCMP-256 and GCMP-256
* extended WPS per-station PSK to support ER case
* added option to configure the management group cipher
  (group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256,
  BIP-CMAC-256)
* fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these
  were rounded incorrectly)
* added support for postponing FT response in case PMK-R1 needs to be
  pulled from R0KH
* added option to advertise 40 MHz intolerant HT capability with
  ht_capab=[40-INTOLERANT]
* remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
  whenever CONFIG_WPS=y is set
* EAP-pwd fixes
  - fix possible segmentation fault on EAP method deinit if an invalid
    group is negotiated
* fixed RADIUS client retransmit/failover behavior
  - there was a potential ctash due to freed memory being accessed
  - failover to a backup server mechanism did not work properly
* fixed a possible crash on double DISABLE command when multiple BSSes
  are enabled
* fixed a memory leak in SAE random number generation
* fixed GTK rekeying when the station uses FT protocol
* fixed off-by-one bounds checking in printf_encode()
  - this could result in deinial of service in some EAP server cases
* various bug fixes

wpa_supplicant:
* added DFS indicator to get_capability freq
* added/fixed nl80211 functionality
  - BSSID/frequency hint for driver-based BSS selection
  - fix tearing down WDS STA interfaces
  - support vendor specific driver command
    (VENDOR <vendor id> <sub command id> [<hex formatted data>])
  - GO interface teardown optimization
  - allow beacon interval to be configured for IBSS
  - add SHA256-based AKM suites to CONNECT/ASSOCIATE commands
* removed unused NFC_RX_HANDOVER_REQ and NFC_RX_HANDOVER_SEL control
  interface commands (the more generic NFC_REPORT_HANDOVER is now used)
* fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
  this fixes password with include UTF-8 characters that use
  three-byte encoding EAP methods that use NtPasswordHash
* fixed couple of sequencies where radio work items could get stuck,
  e.g., when rfkill blocking happens during scanning or when
  scan-for-auth workaround is used
* P2P enhancements/fixes
  - enable enable U-APSD on GO automatically if the driver indicates
    support for this
  - fixed some service discovery cases with broadcast queries not being
    sent to all stations
  - fixed Probe Request frame triggering invitation to trigger only a
    single invitation instance even if multiple Probe Request frames are
    received
  - fixed a potential NULL pointer dereference crash when processing an
    invalid Invitation Request frame
  - add optional configuration file for the P2P_DEVICE parameters
  - optimize scan for GO during persistent group invocation
  - fix possible segmentation fault when PBC overlap is detected while
    using a separate P2P group interface
  - improve GO Negotiation robustness by allowing GO Negotiation
    Confirmation to be retransmitted
  - do use freed memory on device found event when P2P NFC
* added phase1 network parameter options for disabling TLS v1.1 and v1.2
  to allow workarounds with misbehaving AAA servers
  (tls_disable_tlsv1_1=1 and tls_disable_tlsv1_2=1)
* added support for OCSP stapling to validate AAA server certificate
  during TLS exchange
* Interworking/Hotspot 2.0 enhancements
  - prefer the last added network in Interworking connection to make the
    behavior more consistent with likely user expectation
  - roaming partner configuration (roaming_partner within a cred block)
  - support Hotspot 2.0 Release 2
    * "hs20_anqp_get <BSSID> 8" to request OSU Providers list
    * "hs20_icon_request <BSSID> <icon filename>" to request icon files
    * "fetch_osu" and "cancel_osu_fetch" to start/stop full OSU provider
      search (all suitable APs in scan results)
    * OSEN network for online signup connection
    * min_{dl,ul}_bandwidth_{home,roaming} cred parameters
    * max_bss_load cred parameter
    * req_conn_capab cred parameter
    * sp_priority cred parameter
    * ocsp cred parameter
    * slow down automatic connection attempts on EAP failure to meet
      required behavior (no more than 10 retries within a 10-minute
      interval)
    * sample implementation of online signup client (both SPP and
      OMA-DM protocols) (hs20/client/*)
  - fixed GAS indication for additional comeback delay with status
    code 95
  - extend ANQP_GET to accept Hotspot 2.0 subtypes
    ANQP_GET <addr> <info id>[,<info id>]...
    [,hs20:<subtype>][...,hs20:<subtype>]
  - add control interface events CRED-ADDED <id>,
    CRED-MODIFIED <id> <field>, CRED-REMOVED <id>
  - add "GET_CRED <id> <field>" command
  - enable FT for the connection automatically if the AP advertises
    support for this
  - fix a case where auto_interworking=1 could end up stopping scanning
* fixed TDLS interoperability issues with supported operating class in
  some deployed stations
* internal TLS implementation enhancements/fixes
  - add SHA256-based cipher suites
  - add DHE-RSA cipher suites
  - fix X.509 validation of PKCS#1 signature to check for extra data
* fixed PTK derivation for CCMP-256 and GCMP-256
* added "reattach" command for fast reassociate-back-to-same-BSS
* allow PMF to be enabled for AP mode operation with the ieee80211w
  parameter
* added "get_capability tdls" command
* added option to set config blobs through control interface with
  "SET blob <name> <hexdump>"
* D-Bus interface extensions/fixes
  - make p2p_no_group_iface configurable
  - declare ServiceDiscoveryRequest method properly
  - export peer's device address as a property
  - make reassociate command behave like the control interface one,
    i.e., to allow connection from disconnected state
* added optional "freq=<channel ranges>" parameter to SET pno
* added optional "freq=<channel ranges>" parameter to SELECT_NETWORK
* fixed OBSS scan result processing for 20/40 MHz co-ex report
* remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
  whenever CONFIG_WPS=y is set
* fixed regression in parsing of WNM Sleep Mode exit key data
* fixed potential segmentation fault and memory leaks in WNM neighbor
  report processing
* EAP-pwd fixes
  - fragmentation of PWD-Confirm-Resp
  - fix memory leak when fragmentation is used
  - fix possible segmentation fault on EAP method deinit if an invalid
    group is negotiated
* added MACsec/IEEE Std 802.1X-2010 PAE implementation (currently
  available only with the macsec_qca driver wrapper)
* fixed EAP-SIM counter-too-small message
* added 'dup_network <id_s> <id_d> <name>' command; this can be used to
  clone the psk field without having toextract it from wpa_supplicant
* fixed GSM authentication on USIM
* added support for usin epoll in eloop (CONFIG_ELOOP_EPOLL=y)
* fixed some concurrent virtual interface cases with dedicated P2P
  management interface to not catch events from removed interface (this
  could result in the management interface getting disabled)
* fixed a memory leak in SAE random number generation
* fixed off-by-one bounds checking in printf_encode()
  - this could result in some control interface ATTACH command cases
    terminating wpa_supplicant
* fixed EAPOL-Key exchange when GCMP is used with SHA256-based AKM
* various bug fixes


git-shortlog for 2.1 -> 2.2:

There were 898 commits, so the list would be too long for this
email. Anyway, if you are interested in the details, they are available
in the hostap.git repository. diffstat has following to say about the
changes:
 455 files changed, 53147 insertions(+), 5619 deletions(-)

-- 
Jouni Malinen                                            PGP id EFC895FA


More information about the HostAP mailing list