hostapd/wpa_supplicant - new release v2.7

Jouni Malinen j at w1.fi
Sun Dec 2 12:53:38 PST 2018


New versions of wpa_supplicant and hostapd were just
released and are now available from https://w1.fi/

This release follows the v2.x style with the release being made directly
from the master branch and the master branch moving now to 2.8
development.

There has been continued enhancements to the automated testing with
mac80211_hwsim since the last release. The current code coverage from
the full test run of 2955 (up from 2007) test cases is 85.2% (up from
84.6% line coverage as reported by lcov from the vm-run.sh --codecov).

There has been quite a few new features and fixes since the 2.6
release. The following ChangeLog entries highlight some of the main
changes:

hostapd:
* fixed WPA packet number reuse with replayed messages and key
  reinstallation
  [http://w1.fi/security/2017-1/] (CVE-2017-13082)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
  and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* FT:
  - added local generation of PMK-R0/PMK-R1 for FT-PSK
    (ft_psk_generate_local=1)
  - replaced inter-AP protocol with a cleaner design that is more
    easily extensible; this breaks backward compatibility and requires
    all APs in the ESS to be updated at the same time to maintain FT
    functionality
  - added support for wildcard R0KH/R1KH
  - replaced r0_key_lifetime (minutes) parameter with
    ft_r0_key_lifetime (seconds)
  - fixed wpa_psk_file use for FT-PSK
  - fixed FT-SAE PMKID matching
  - added expiration to PMK-R0 and PMK-R1 cache
  - added IEEE VLAN support (including tagged VLANs)
  - added support for SHA384 based AKM
* SAE
  - fixed some PMKSA caching cases with SAE
  - added support for configuring SAE password separately of the
    WPA2 PSK/passphrase
  - added option to require MFP for SAE associations
    (sae_require_pmf=1)
  - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
    for SAE;
    note: this is not backwards compatible, i.e., both the AP and
    station side implementations will need to be update at the same
    time to maintain interoperability
  - added support for Password Identifier
* hostapd_cli: added support for command history and completion
* added support for requesting beacon report
* large number of other fixes, cleanup, and extensions
* added option to configure EAPOL-Key retry limits
  (wpa_group_update_count and wpa_pairwise_update_count)
* removed all PeerKey functionality
* fixed nl80211 AP mode configuration regression with Linux 4.15 and
  newer
* added support for using wolfSSL cryptographic library
* fixed some 20/40 MHz coexistence cases where the BSS could drop to
  20 MHz even when 40 MHz would be allowed
* Hotspot 2.0
  - added support for setting Venue URL ANQP-element (venue_url)
  - added support for advertising Hotspot 2.0 operator icons
  - added support for Roaming Consortium Selection element
  - added support for Terms and Conditions
  - added support for OSEN connection in a shared RSN BSS
* added support for using OpenSSL 1.1.1
* added EAP-pwd server support for salted passwords

wpa_supplicant:
* fixed WPA packet number reuse with replayed messages and key
  reinstallation
  [https://w1.fi/security/2017-1/] (CVE-2017-13077, CVE-2017-13078,
  CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082,
  CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
* fixed unauthenticated EAPOL-Key decryption in wpa_supplicant
  [https://w1.fi/security/2018-1/] (CVE-2018-14526)
* added support for FILS (IEEE 802.11ai) shared key authentication
* added support for OWE (Opportunistic Wireless Encryption, RFC 8110;
  and transition mode defined by WFA)
* added support for DPP (Wi-Fi Device Provisioning Protocol)
* added support for RSA 3k key case with Suite B 192-bit level
* fixed Suite B PMKSA caching not to update PMKID during each 4-way
  handshake
* fixed EAP-pwd pre-processing with PasswordHashHash
* added EAP-pwd client support for salted passwords
* fixed a regression in TDLS prohibited bit validation
* started to use estimated throughput to avoid undesired signal
  strength based roaming decision
* MACsec/MKA:
  - new macsec_linux driver interface support for the Linux
    kernel macsec module
  - number of fixes and extensions
* added support for external persistent storage of PMKSA cache
  (PMKSA_GET/PMKSA_ADD control interface commands; and
   MESH_PMKSA_GET/MESH_PMKSA_SET for the mesh case)
* fixed mesh channel configuration pri/sec switch case
* added support for beacon report
* large number of other fixes, cleanup, and extensions
* added support for randomizing local address for GAS queries
  (gas_rand_mac_addr parameter)
* fixed EAP-SIM/AKA/AKA' ext auth cases within TLS tunnel
* added option for using random WPS UUID (auto_uuid=1)
* added SHA256-hash support for OCSP certificate matching
* fixed EAP-AKA' to add AT_KDF into Synchronization-Failure
* fixed a regression in RSN pre-authentication candidate selection
* added option to configure allowed group management cipher suites
  (group_mgmt network profile parameter)
* removed all PeerKey functionality
* fixed nl80211 AP and mesh mode configuration regression with
  Linux 4.15 and newer
* added ap_isolate configuration option for AP mode
* added support for nl80211 to offload 4-way handshake into the driver
* added support for using wolfSSL cryptographic library
* SAE
  - added support for configuring SAE password separately of the
    WPA2 PSK/passphrase
  - fixed PTK and EAPOL-Key integrity and key-wrap algorithm selection
    for SAE;
    note: this is not backwards compatible, i.e., both the AP and
    station side implementations will need to be update at the same
    time to maintain interoperability
  - added support for Password Identifier
  - fixed FT-SAE PMKID matching
* Hotspot 2.0
  - added support for fetching of Operator Icon Metadata ANQP-element
  - added support for Roaming Consortium Selection element
  - added support for Terms and Conditions
  - added support for OSEN connection in a shared RSN BSS
  - added support for fetching Venue URL information
* added support for using OpenSSL 1.1.1
* FT
  - disabled PMKSA caching with FT since it is not fully functional
  - added support for SHA384 based AKM
  - added support for BIP ciphers BIP-CMAC-256, BIP-GMAC-128,
    BIP-GMAC-256 in addition to previously supported BIP-CMAC-128
  - fixed additional IE inclusion in Reassociation Request frame when
    using FT protocol


git-shortlog for 2.6 -> 2.7:

There were 2286 commits, so the list would be a too long for this email.
Anyway, if you are interested in the details, they are available in the
hostap.git repository. diffstat has following to say about the changes:
 594 files changed, 101321 insertions(+), 12159 deletions(-)

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the Hostap mailing list