hostapd/wpa_supplicant - new release v2.5

Jouni Malinen j
Sun Sep 27 12:48:36 PDT 2015 

New versions of wpa_supplicant and hostapd were just
released and are now available from http://w1.fi/

This release follows the v2.x style with the release being made directly
from the master branch and the master branch moving now to 2.6
development.

There has been continued enhancements to the automated testing with
mac80211_hwsim since the last release. The current code coverage from
the full test run of 1612 (up from 1104) test cases is 82.3% (up from
80.7% line coverage as reported by lcov from the vm-run.sh --codecov).

There has been quite a few new features and fixes since the 2.4
release. The following ChangeLog entries highlight some of the main
changes:

hostapd:
* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
  [http://w1.fi/security/2015-2/] (CVE-2015-4141)
* fixed WMM Action frame parser
  [http://w1.fi/security/2015-3/] (CVE-2015-4142)
* fixed EAP-pwd server missing payload length validation
  [http://w1.fi/security/2015-4/]
  (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145)
* fixed validation of WPS and P2P NFC NDEF record payload length
  [http://w1.fi/security/2015-5/]
* nl80211:
  - fixed vendor command handling to check OUI properly
* fixed hlr_auc_gw build with OpenSSL
* hlr_auc_gw: allow Milenage RES length to be reduced
* disable HT for a station that does not support WMM/QoS
* added support for hashed password (NtHash) in EAP-pwd server
* fixed and extended dynamic VLAN cases
* added EAP-EKE server support for deriving Session-Id
* set Acct-Session-Id to a random value to make it more likely to be
  unique even if the device does not have a proper clock
* added more 2.4 GHz channels for 20/40 MHz HT co-ex scan
* modified SAE routines to be more robust and PWE generation to be
  stronger against timing attacks
* added support for Brainpool Elliptic Curves with SAE
* increases maximum value accepted for cwmin/cwmax
* added support for CCMP-256 and GCMP-256 as group ciphers with FT
* added Fast Session Transfer (FST) module
* removed optional fields from RSNE when using FT with PMF
  (workaround for interoperability issues with iOS 8.4)
* added EAP server support for TLS session resumption
* fixed key derivation for Suite B 192-bit AKM (this breaks
  compatibility with the earlier version)
* added mechanism to track unconnected stations and do minimal band
  steering
* number of small fixes

wpa_supplicant:
* fixed P2P validation of SSID element length before copying it
  [http://w1.fi/security/2015-1/] (CVE-2015-1863)
* fixed WPS UPnP vulnerability with HTTP chunked transfer encoding
  [http://w1.fi/security/2015-2/] (CVE-2015-4141)
* fixed WMM Action frame parser (AP mode)
  [http://w1.fi/security/2015-3/] (CVE-2015-4142)
* fixed EAP-pwd peer missing payload length validation
  [http://w1.fi/security/2015-4/]
  (CVE-2015-4143, CVE-2015-4144, CVE-2015-4145, CVE-2015-4146)
* fixed validation of WPS and P2P NFC NDEF record payload length
  [http://w1.fi/security/2015-5/]
* nl80211:
  - added VHT configuration for IBSS
  - fixed vendor command handling to check OUI properly
  - allow driver-based roaming to change ESS
* added AVG_BEACON_RSSI to SIGNAL_POLL output
* wpa_cli: added tab completion for number of commands
* removed unmaintained and not yet completed SChannel/CryptoAPI support
* modified Extended Capabilities element use in Probe Request frames to
  include all cases if any of the values are non-zero
* added support for dynamically creating/removing a virtual interface
  with interface_add/interface_remove
* added support for hashed password (NtHash) in EAP-pwd peer
* added support for memory-only PSK/passphrase (mem_only_psk=1 and
  CTRL-REQ/RSP-PSK_PASSPHRASE)
* P2P
  - optimize scan frequencies list when re-joining a persistent group
  - fixed number of sequences with nl80211 P2P Device interface
  - added operating class 125 for P2P use cases (this allows 5 GHz
    channels 161 and 169 to be used if they are enabled in the current
    regulatory domain)
  - number of fixes to P2PS functionality
  - do not allow 40 MHz co-ex PRI/SEC switch to force MCC
  - extended support for preferred channel listing
* D-Bus:
  - fixed WPS property of fi.w1.wpa_supplicant1.BSS interface
  - fixed PresenceRequest to use group interface
  - added new signals: FindStopped, WPS pbc-overlap,
    GroupFormationFailure, WPS timeout, InvitationReceived
  - added new methods: WPS Cancel, P2P Cancel, Reconnect, RemoveClient
  - added manufacturer info
* added EAP-EKE peer support for deriving Session-Id
* added wps_priority configuration parameter to set the default priority
  for all network profiles added by WPS
* added support to request a scan with specific SSIDs with the SCAN
  command (optional "ssid <hexdump>" arguments)
* removed support for WEP40/WEP104 as a group cipher with WPA/WPA2
* fixed SAE group selection in an error case
* modified SAE routines to be more robust and PWE generation to be
  stronger against timing attacks
* added support for Brainpool Elliptic Curves with SAE
* added support for CCMP-256 and GCMP-256 as group ciphers with FT
* fixed BSS selection based on estimated throughput
* added option to disable TLSv1.0 with OpenSSL
  (phase1="tls_disable_tlsv1_0=1")
* added Fast Session Transfer (FST) module
* fixed OpenSSL PKCS#12 extra certificate handling
* fixed key derivation for Suite B 192-bit AKM (this breaks
  compatibility with the earlier version)
* added RSN IE to Mesh Peering Open/Confirm frames
* number of small fixes


git-shortlog for 2.4 -> 2.5:

There were 969 commits, so the list would be a too long for this email.
Anyway, if you are interested in the details, they are available in the
hostap.git repository. diffstat has following to say about the changes:
 447 files changed, 41185 insertions(+), 7575 deletions(-)

-- 
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list