hostapd/wpa_supplicant - new release v2.2
Jouni Malinen
j
Wed Jun 4 14:50:22 PDT 2014
New versions of wpa_supplicant and hostapd were just
released and are now available from http://w1.fi/
This release follows the style used with v2.0 and v2.1 with the release
being made directly from the master branch and master branch moving now
to 2.3 development. This time, there was four months from the previous
release, so the timing is getting quite a bit closer to what was the
initial plan on 2.x releases.
There has been significant enhancements to the automated testing with
mac80211_hwsim since the last release. The current code coverage from
the full test run of 655 test cases is 76.4% (line coverage as reported
by lcov from the vm-run.sh --codecov --long run).
There has been quite a few new features and fixes since the 2.1
release. Number of the fixes are for issues that can cause program
crashes and some of those can be triggered remotely, so I would
recommend everyone to update to the new version. In addition, there are
significant fixes in the internal TLS implementation
(CONFIG_TLS=internal) for X.509 validation, so if someone is using that
with EAP-TLS/TTLS/PEAP/FAST, it is particularly important to update. The
following ChangeLog entries highlight some of the main changes:
hostapd:
* fixed SAE confirm-before-commit validation to avoid a potential
segmentation fault in an unexpected message sequence that could be
triggered remotely
* extended VHT support
- Operating Mode Notification
- Power Constraint element (local_pwr_constraint)
- Spectrum management capability (spectrum_mgmt_required=1)
- fix VHT80 segment picking in ACS
- fix vht_capab 'Maximum A-MPDU Length Exponent' handling
- fix VHT20
* fixed HT40 co-ex scan for some pri/sec channel switches
* extended HT40 co-ex support to allow dynamic channel width changes
during the lifetime of the BSS
* fixed HT40 co-ex support to check for overlapping 20 MHz BSS
* fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
this fixes password with include UTF-8 characters that use
three-byte encoding EAP methods that use NtPasswordHash
* reverted TLS certificate validation step change in v2.1 that rejected
any AAA server certificate with id-kp-clientAuth even if
id-kp-serverAuth EKU was included
* fixed STA validation step for WPS ER commands to prevent a potential
crash if an ER sends an unexpected PutWLANResponse to a station that
is disassociated, but not fully removed
* enforce full EAP authentication after RADIUS Disconnect-Request by
removing the PMKSA cache entry
* added support for NAS-IP-Address, NAS-identifier, and NAS-IPv6-Address
in RADIUS Disconnect-Request
* added mechanism for removing addresses for MAC ACLs by prefixing an
entry with "-"
* Interworking/Hotspot 2.0 enhancements
- support Hotspot 2.0 Release 2
* OSEN network for online signup connection
* subscription remediation (based on RADIUS server request or
control interface HS20_WNM_NOTIF for testing purposes)
* Hotspot 2.0 release number indication in WFA RADIUS VSA
* deauthentication request (based on RADIUS server request or
control interface WNM_DEAUTH_REQ for testing purposes)
* Session Info URL RADIUS AVP to trigger ESS Disassociation Imminent
* hs20_icon config parameter to configure icon files for OSU
* osu_* config parameters for OSU Providers list
- do not use Interworking filtering rules on Probe Request if
Interworking is disabled to avoid interop issues
* added/fixed nl80211 functionality
- AP interface teardown optimization
- support vendor specific driver command
(VENDOR <vendor id> <sub command id> [<hex formatted data>])
* fixed PMF protection of Deauthentication frame when this is triggered
by session timeout
* internal TLS implementation enhancements/fixes
- add SHA256-based cipher suites
- add DHE-RSA cipher suites
- fix X.509 validation of PKCS#1 signature to check for extra data
* RADIUS server functionality
- add minimal RADIUS accounting server support (hostapd-as-server);
this is mainly to enable testing coverage with hwsim scripts
- allow authentication log to be written into SQLite databse
- added option for TLS protocol testing of an EAP peer by simulating
various misbehaviors/known attacks
- MAC ACL support for testing purposes
* fixed PTK derivation for CCMP-256 and GCMP-256
* extended WPS per-station PSK to support ER case
* added option to configure the management group cipher
(group_mgmt_cipher=AES-128-CMAC (default), BIP-GMAC-128, BIP-GMAC-256,
BIP-CMAC-256)
* fixed AP mode default TXOP Limit values for AC_VI and AC_VO (these
were rounded incorrectly)
* added support for postponing FT response in case PMK-R1 needs to be
pulled from R0KH
* added option to advertise 40 MHz intolerant HT capability with
ht_capab=[40-INTOLERANT]
* remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
whenever CONFIG_WPS=y is set
* EAP-pwd fixes
- fix possible segmentation fault on EAP method deinit if an invalid
group is negotiated
* fixed RADIUS client retransmit/failover behavior
- there was a potential ctash due to freed memory being accessed
- failover to a backup server mechanism did not work properly
* fixed a possible crash on double DISABLE command when multiple BSSes
are enabled
* fixed a memory leak in SAE random number generation
* fixed GTK rekeying when the station uses FT protocol
* fixed off-by-one bounds checking in printf_encode()
- this could result in deinial of service in some EAP server cases
* various bug fixes
wpa_supplicant:
* added DFS indicator to get_capability freq
* added/fixed nl80211 functionality
- BSSID/frequency hint for driver-based BSS selection
- fix tearing down WDS STA interfaces
- support vendor specific driver command
(VENDOR <vendor id> <sub command id> [<hex formatted data>])
- GO interface teardown optimization
- allow beacon interval to be configured for IBSS
- add SHA256-based AKM suites to CONNECT/ASSOCIATE commands
* removed unused NFC_RX_HANDOVER_REQ and NFC_RX_HANDOVER_SEL control
interface commands (the more generic NFC_REPORT_HANDOVER is now used)
* fixed MSCHAP UTF-8 to UCS-2 conversion for three-byte encoding;
this fixes password with include UTF-8 characters that use
three-byte encoding EAP methods that use NtPasswordHash
* fixed couple of sequencies where radio work items could get stuck,
e.g., when rfkill blocking happens during scanning or when
scan-for-auth workaround is used
* P2P enhancements/fixes
- enable enable U-APSD on GO automatically if the driver indicates
support for this
- fixed some service discovery cases with broadcast queries not being
sent to all stations
- fixed Probe Request frame triggering invitation to trigger only a
single invitation instance even if multiple Probe Request frames are
received
- fixed a potential NULL pointer dereference crash when processing an
invalid Invitation Request frame
- add optional configuration file for the P2P_DEVICE parameters
- optimize scan for GO during persistent group invocation
- fix possible segmentation fault when PBC overlap is detected while
using a separate P2P group interface
- improve GO Negotiation robustness by allowing GO Negotiation
Confirmation to be retransmitted
- do use freed memory on device found event when P2P NFC
* added phase1 network parameter options for disabling TLS v1.1 and v1.2
to allow workarounds with misbehaving AAA servers
(tls_disable_tlsv1_1=1 and tls_disable_tlsv1_2=1)
* added support for OCSP stapling to validate AAA server certificate
during TLS exchange
* Interworking/Hotspot 2.0 enhancements
- prefer the last added network in Interworking connection to make the
behavior more consistent with likely user expectation
- roaming partner configuration (roaming_partner within a cred block)
- support Hotspot 2.0 Release 2
* "hs20_anqp_get <BSSID> 8" to request OSU Providers list
* "hs20_icon_request <BSSID> <icon filename>" to request icon files
* "fetch_osu" and "cancel_osu_fetch" to start/stop full OSU provider
search (all suitable APs in scan results)
* OSEN network for online signup connection
* min_{dl,ul}_bandwidth_{home,roaming} cred parameters
* max_bss_load cred parameter
* req_conn_capab cred parameter
* sp_priority cred parameter
* ocsp cred parameter
* slow down automatic connection attempts on EAP failure to meet
required behavior (no more than 10 retries within a 10-minute
interval)
* sample implementation of online signup client (both SPP and
OMA-DM protocols) (hs20/client/*)
- fixed GAS indication for additional comeback delay with status
code 95
- extend ANQP_GET to accept Hotspot 2.0 subtypes
ANQP_GET <addr> <info id>[,<info id>]...
[,hs20:<subtype>][...,hs20:<subtype>]
- add control interface events CRED-ADDED <id>,
CRED-MODIFIED <id> <field>, CRED-REMOVED <id>
- add "GET_CRED <id> <field>" command
- enable FT for the connection automatically if the AP advertises
support for this
- fix a case where auto_interworking=1 could end up stopping scanning
* fixed TDLS interoperability issues with supported operating class in
some deployed stations
* internal TLS implementation enhancements/fixes
- add SHA256-based cipher suites
- add DHE-RSA cipher suites
- fix X.509 validation of PKCS#1 signature to check for extra data
* fixed PTK derivation for CCMP-256 and GCMP-256
* added "reattach" command for fast reassociate-back-to-same-BSS
* allow PMF to be enabled for AP mode operation with the ieee80211w
parameter
* added "get_capability tdls" command
* added option to set config blobs through control interface with
"SET blob <name> <hexdump>"
* D-Bus interface extensions/fixes
- make p2p_no_group_iface configurable
- declare ServiceDiscoveryRequest method properly
- export peer's device address as a property
- make reassociate command behave like the control interface one,
i.e., to allow connection from disconnected state
* added optional "freq=<channel ranges>" parameter to SET pno
* added optional "freq=<channel ranges>" parameter to SELECT_NETWORK
* fixed OBSS scan result processing for 20/40 MHz co-ex report
* remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled
whenever CONFIG_WPS=y is set
* fixed regression in parsing of WNM Sleep Mode exit key data
* fixed potential segmentation fault and memory leaks in WNM neighbor
report processing
* EAP-pwd fixes
- fragmentation of PWD-Confirm-Resp
- fix memory leak when fragmentation is used
- fix possible segmentation fault on EAP method deinit if an invalid
group is negotiated
* added MACsec/IEEE Std 802.1X-2010 PAE implementation (currently
available only with the macsec_qca driver wrapper)
* fixed EAP-SIM counter-too-small message
* added 'dup_network <id_s> <id_d> <name>' command; this can be used to
clone the psk field without having toextract it from wpa_supplicant
* fixed GSM authentication on USIM
* added support for usin epoll in eloop (CONFIG_ELOOP_EPOLL=y)
* fixed some concurrent virtual interface cases with dedicated P2P
management interface to not catch events from removed interface (this
could result in the management interface getting disabled)
* fixed a memory leak in SAE random number generation
* fixed off-by-one bounds checking in printf_encode()
- this could result in some control interface ATTACH command cases
terminating wpa_supplicant
* fixed EAPOL-Key exchange when GCMP is used with SHA256-based AKM
* various bug fixes
git-shortlog for 2.1 -> 2.2:
There were 898 commits, so the list would be too long for this
email. Anyway, if you are interested in the details, they are available
in the hostap.git repository. diffstat has following to say about the
changes:
455 files changed, 53147 insertions(+), 5619 deletions(-)
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list