hostapd/wpa_supplicant - new release v2.4

Jouni Malinen j
Sun Mar 15 11:02:26 PDT 2015

New versions of wpa_supplicant and hostapd were just
released and are now available from

This release follows the v2.x style with the release being made directly
from the master branch and the master branch moving now to 2.5

There have been continued enhancements to the automated testing with
mac80211_hwsim since the last release. The current code coverage from
the full test run of 1104 (up from 715) test cases is 80.7% (up from
77.5% line coverage as reported by lcov from the --codecov).

There have been quite a few new features and fixes since the 2.3
release. The following ChangeLog entries highlight some of the main

* allow OpenSSL cipher configuration to be set for internal EAP server
  (openssl_ciphers parameter)
* fixed number of small issues based on hwsim test case failures and
  static analyzer reports
* fixed Accounting-Request to not include duplicated Acct-Session-Id
* add support for Acct-Multi-Session-Id in RADIUS Accounting messages
* add support for PMKSA caching with SAE
* add support for generating BSS Load element (bss_load_update_period)
* fixed channel switch from VHT to HT
* add support for learning STA IPv4/IPv6 addresses and configuring
  ProxyARP support
* dropped support for the madwifi driver interface
* add support for Suite B (128-bit and 192-bit level) key management and
  cipher suites
* fixed a regression with driver=wired
* extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
* add BSS_TM_REQ ctrl_iface command to send BSS Transition Management
  Request frames and BSS-TM-RESP event to indicate response to such
* add support for EAP Re-Authentication Protocol (ERP)
* fixed AP IE in EAPOL-Key 3/4 when both WPA and FT was enabled
* fixed a regression in HT 20/40 coex Action frame parsing
* set stdout to be line-buffered
* add support for vendor specific VHT extension to enable 256 QAM rates
  (VHT-MCS 8 and 9) on 2.4 GHz band
  - extend Disconnect-Request processing to allow matching of multiple
  - support Acct-Multi-Session-Id as an identifier
  - allow PMKSA cache entry to be removed without association
* expire hostapd STA entry if kernel does not have a matching entry
* allow chanlist to be used to specify a subset of channels for ACS
* improve ACS behavior on 2.4 GHz band and allow channel bias to be
  configured with acs_chan_bias parameter
* do not reply to a Probe Request frame that includes DSS Parameter Set
  element in which the channel does not match the current operating
* add UPDATE_BEACON ctrl_iface command; this can be used to force Beacon
  frame contents to be updated and to start beaconing on an interface
  that used start_disabled=1
* fixed some RADIUS server failover cases

* allow OpenSSL cipher configuration to be set for internal EAP server
  (openssl_ciphers parameter)
* fixed number of small issues based on hwsim test case failures and
  static analyzer reports
* P2P:
  - add new=<0/1> flag to P2P-DEVICE-FOUND events
  - add passive channels in invitation response from P2P Client
  - enable nl80211 P2P_DEVICE support by default
  - fix regression in disallow_freq preventing search on social
  - fix regressions in P2P SD query processing
  - try to re-invite with social operating channel if no common channels
    in invitation
  - allow cross connection on parent interface (this fixes number of
    use cases with nl80211)
  - add support for P2P services (P2PS)
  - add p2p_go_ctwindow configuration parameter to allow GO CTWindow to
    be configured
* increase postponing of EAPOL-Start by one second with AP/GO that
  supports WPS 2.0 (this makes it less likely to trigger extra roundtrip
  of identity frames)
* add support for PMKSA caching with SAE
* add support for control mesh BSS (IEEE 802.11s) operations
* fixed number of issues with D-Bus P2P commands
* fixed regression in ap_scan=2 special case for WPS
* fixed macsec_validate configuration
* add a workaround for incorrectly behaving APs that try to use
  EAPOL-Key descriptor version 3 when the station supports PMF even if
  PMF is not enabled on the AP
* allow TLS v1.1 and v1.2 to be negotiated by default; previous behavior
  of disabling these can be configured to work around issues with broken
  servers with phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
* add support for Suite B (128-bit and 192-bit level) key management and
  cipher suites
* improved BSS Transition Management processing
* add support for neighbor report
* add support for link measurement
* fixed expiration of BSS entry with all-zeros BSSID
* add optional LAST_ID=x argument to LIST_NETWORK to allow all
  configured networks to be listed even with huge number of network
* add support for EAP Re-Authentication Protocol (ERP)
* fixed EAP-IKEv2 fragmentation reassembly
* improved PKCS#11 configuration for OpenSSL
* set stdout to be line-buffered
* add TDLS channel switch configuration
* add support for MAC address randomization in scans with nl80211
* enable HT for IBSS if supported by the driver
* add BSSID black and white lists (bssid_blacklist, bssid_whitelist)
* add support for domain_suffix_match with GnuTLS
* add OCSP stapling client support with GnuTLS
* include peer certificate in EAP events even without a separate probe
  operation; old behavior can be restored with cert_in_cb=0
* add peer certificate alt subject name to EAP events
* add domain_match network profile parameter (similar to
  domain_suffix_match, but full match is required)
* enable AP/GO mode HT Tx STBC automatically based on driver support
* add ANQP-QUERY-DONE event to provide information on ANQP parsing
* allow passive scanning to be forced with passive_scan=1
* add a workaround for Linux packet socket behavior when interface is in
* increase 5 GHz band preference in BSS selection (estimate SNR, if info
  not available from driver; estimate maximum throughput based on common
  HT/VHT/specific TX rate support)
* add INTERWORKING_ADD_NETWORK ctrl_iface command; this can be used to
  implement Interworking network selection behavior in upper layers
  software components
* add optional reassoc_same_bss_optim=1 (disabled by default)
  optimization to avoid unnecessary Authentication frame exchange
* extend TDLS frame padding workaround to cover all packets
* allow wpa_supplicant to recover nl80211 functionality if the cfg80211
  module gets removed and reloaded without restarting wpa_supplicant
* allow hostapd DFS implementation to be used in wpa_supplicant AP mode

git-shortlog for 2.3 -> 2.4:

There were 1373 commits, so the list would be too long for this email.
Anyway, if you are interested in the details, they are available in the
hostap.git repository. diffstat has following to say about the changes:
 524 files changed, 63845 insertions(+), 24319 deletions(-)

Jouni Malinen                                            PGP id EFC895FA
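
The wpa_supplicant entries above on TLS v1.1/v1.2 being negotiated by default and on domain_match/domain_suffix_match suggest a configuration check after upgrading. The following is an added example, not code from this announcement or from the hostap project: it scans network blocks for the phase1 workaround flags and for EAP networks with no server name constraint. The sample configuration, the function names and the audit policy are assumptions of this example.

```python
import re

# Constructed sample configuration (not taken from the release or any real host).
SAMPLE_CONF = '''
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    phase1="peaplabel=0 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"
}
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    domain_match="radius.example.com"
}
network={
    ssid="home"
    psk="constructed passphrase"
}
'''

# phase1 flags named in the ChangeLog entry that restore the pre-2.4 behavior.
TLS_WORKAROUNDS = ("tls_disable_tlsv1_1=1", "tls_disable_tlsv1_2=1")

def parse_networks(conf_text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"^\s*network=\{(.*?)^\s*\}", conf_text, re.S | re.M):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def audit(conf_text):
    """Return (ssid, finding) pairs for EAP networks; the policy is this example's own."""
    findings = []
    for net in parse_networks(conf_text):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # simplification: only explicit key_mgmt=...EAP... is audited
        ssid = net.get("ssid", "<unnamed>")
        for flag in TLS_WORKAROUNDS:
            if flag in net.get("phase1", "").split():
                findings.append((ssid, "phase1 sets " + flag))
        if "domain_match" not in net and "domain_suffix_match" not in net:
            findings.append((ssid, "no domain_match or domain_suffix_match"))
    return findings
```

Calling `audit(SAMPLE_CONF)` reports three findings for the constructed "corp-legacy" network and none for "corp" or "home".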
