aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Upstream commit message:vendor/wpaCy Schubert2020-06-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | [PATCH 3/3] WPS UPnP: Handle HTTP initiation failures for events more properly While it is appropriate to try to retransmit the event to another callback URL on a failure to initiate the HTTP client connection, there is no point in trying the exact same operation multiple times in a row. Replve the event_retry() calls with event_addr_failure() for these cases to avoid busy loops trying to repeat the same failing operation. These potential busy loops would go through eloop callbacks, so the process is not completely stuck on handling them, but unnecessary CPU would be used to process the continues retries that will keep failing for the same reason. Obtained from: https://w1.fi/security/2020-1/\ 0003-WPS-UPnP-Handle-HTTP-initiation-failures-for-events-.patch Security: VU#339275 and CVE-2020-12695 Notes: svn path=/vendor/wpa/dist/; revision=361938
* Upstream commit message:Cy Schubert2020-06-082-3/+9
| | | | | | | | | | | | | | | | | | | | [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL path More than about 700 character URL ended up overflowing the wpabuf used for building the event notification and this resulted in the wpabuf buffer overflow checks terminating the hostapd process. Fix this by allocating the buffer to be large enough to contain the full URL path. However, since that around 700 character limit has been the practical limit for more than ten years, start explicitly enforcing that as the limit or the callback URLs since any longer ones had not worked before and there is no need to enable them now either. Obtained from: https://w1.fi/security/2020-1/\ 0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch Security: VU#339275 and CVE-2020-12695 Notes: svn path=/vendor/wpa/dist/; revision=361937
* Upstream commit message:Cy Schubert2020-06-083-4/+39
| | | | | | | | | | | | | | | | | | | | | [PATCH 1/3] WPS UPnP: Do not allow event subscriptions with URLs to other networks The UPnP Device Architecture 2.0 specification errata ("UDA errata 16-04-2020.docx") addresses a problem with notifications being allowed to go out to other domains by disallowing such cases. Do such filtering for the notification callback URLs to avoid undesired connections to external networks based on subscriptions that any device in the local network could request when WPS support for external registrars is enabled (the upnp_iface parameter in hostapd configuration). Obtained from: https://w1.fi/security/2020-1/\ 0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch MFC after: 1 week Security: VU#339275 and CVE-2020-12695 Notes: svn path=/vendor/wpa/dist/; revision=361936
* Import wpa_supplicant/hostapd 2.9vendor/wpa/2.9Cy Schubert2019-08-22204-1829/+14513
| | | | | Notes: svn path=/vendor/wpa/dist/; revision=351377 svn path=/vendor/wpa/2.9/; revision=351378; tag=vendor/wpa/2.9
* Import wpa_supplicant/hostapd 2.8vendor/wpa/2.8Cy Schubert2019-04-22329-7275/+16724
| | | | | Notes: svn path=/vendor/wpa/dist/; revision=346563 svn path=/vendor/wpa/2.8/; revision=346564; tag=vendor/wpa/2.8
* Import wpa_supplicant/hostapd 2.7vendor/wpa/2.7Cy Schubert2018-12-06400-10415/+69903
| | | | | Notes: svn path=/vendor/wpa/dist/; revision=341618 svn path=/vendor/wpa/2.7/; revision=341619; tag=vendor/wpa/2.7
* WPA: Ignore unauthenticated encrypted EAPOL-Key dataCy Schubert2018-08-141-0/+11
| | | | | | | | | | | | | | | | | | | | | | | | | Ignore unauthenticated encrypted EAPOL-Key data in supplicant processing. When using WPA2, these are frames that have the Encrypted flag set, but not the MIC flag. When using WPA2, EAPOL-Key frames that had the Encrypted flag set but not the MIC flag, had their data field decrypted without first verifying the MIC. In case the data field was encrypted using RC4 (i.e., when negotiating TKIP as the pairwise cipher), this meant that unauthenticated but decrypted data would then be processed. An adversary could abuse this as a decryption oracle to recover sensitive information in the data field of EAPOL-Key messages (e.g., the group key). (CVE-2018-14526) Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be> Obtained from: git://w1.fi/hostap.git MFC after: 1 day Security: CVE-2018-14526 Security: VuXML: 6bedc863-9fbe-11e8-945f-206a8a720317 Notes: svn path=/vendor/wpa/dist/; revision=337818
* Import upline security patch: FILS: Do not allow multipleCy Schubert2018-07-193-0/+12
| | | | | | | | | | | | (Re)Association Response frames. This is also upline git commit e760851176c77ae6de19821bb1d5bf3ae2cb5187. Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0008-FT-Do-not-allow-multiple-\ Reassociation-Response-fram.patch Notes: svn path=/vendor/wpa/dist/; revision=336496
* Import upline security patch: WNM: Ignore WNM-Sleep Mode Request inCy Schubert2018-07-191-1/+3
| | | | | | | | | | | | wnm_sleep_mode=0 case. This is also upline git commit 114f2830d2c2aee6db23d48240e93415a256a37c. Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-\ Response-without-pending-r.patch Notes: svn path=/vendor/wpa/dist/; revision=336495
* Import upline security patch: TDLS: Reject TPK-TK reconfiguration.Cy Schubert2018-07-191-2/+36
| | | | | | | | | | | This is also upline git commmit ff89af96e5a35c86f50330d2b86c18323318a60c. Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0006-TDLS-Reject-TPK-TK-\ reconfiguration.patch Notes: svn path=/vendor/wpa/dist/; revision=336494
* Import upline security patch: Fix PTK rekeying to generate a new ANonce.Cy Schubert2018-07-191-3/+21
| | | | | | | | | | | This is also upline git commit 0adc9b28b39d414d5febfff752f6a1576f785c85. Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0005-Fix-PTK-rekeying-to-\ generate-a-new-ANonce.patch Notes: svn path=/vendor/wpa/dist/; revision=336493
* Import upline security patch: Prevent installation of an all-zero TKCy Schubert2018-07-193-4/+3
| | | | | | | | | | | This is also upline git commit 53bb18cc8b7a4da72e47e4b3752d0d2135cffb23. Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0004-Prevent-installation-\ of-an-all-zero-TK.patch Notes: svn path=/vendor/wpa/dist/; revision=336490
* Import upline security patch: Extend protection of GTK/IGTKCy Schubert2018-07-192-15/+40
| | | | | | | | | | | | reinstallation of WNM-Sleep Mode cases. This git commit 87e2db16bafcbc60b8d0016175814a73c1e8ed45. Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0003-Extend-protection-of-GTK-IGTK-\ reinstallation-of-WNM-.patch Notes: svn path=/vendor/wpa/dist/; revision=336487
* Import upline security patch to prevent an alreadi in use group ke.Cy Schubert2018-07-193-44/+87
| | | | | | | | | Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0002-Prevent-reinstallation-\ of-an-already-in-use-group-ke.patch Notes: svn path=/vendor/wpa/dist/; revision=336486
* Import upline hostapd-avoid-key-reinstallation security patch.Cy Schubert2018-07-195-4/+37
| | | | | | | | | Obtained from: https://w1.fi/security/2017-1/\ rebased-v2.6-0001-hostapd-Avoid-key-\ reinstallation-in-FT-handshake.patch Notes: svn path=/vendor/wpa/dist/; revision=336485
* Import wpa_supplicant/hostapd 2.6.vendor/wpa/2.6Cy Schubert2017-10-18495-10141/+51409
| | | | | Notes: svn path=/vendor/wpa/dist/; revision=324714 svn path=/vendor/wpa/2.6/; revision=324715; tag=vendor/wpa/2.6
* Import wpa_supplicant/hostapd 2.5.vendor/wpa/2.5Rui Paulo2015-10-14307-6450/+20840
| | | | | | | | | Major changes: bunch of CVEs fixed, tab completion for wpa_cli and misc bug fixes. Notes: svn path=/vendor/wpa/dist/; revision=289284 svn path=/vendor/wpa/2.5/; revision=289285; tag=vendor/wpa/2.5
* Vendor import of wpa_supplicant/hostapd 2.4.vendor/wpa/2.4Rui Paulo2015-04-18561-32927/+112314
| | | | | | | | | Major changes are: SAE, Suite B, RFC 7268, EAP-PKE, ACS, and tons of bug fixes. Notes: svn path=/vendor/wpa/dist/; revision=281681 svn path=/vendor/wpa/2.4/; revision=281682; tag=vendor/wpa/2.4
* Import wpa_supplicant / hostapd 2.0.vendor/wpa/2.0Rui Paulo2013-06-25613-29735/+101373
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 2013-01-12 - v2.0 * added AP-STA-DISCONNECTED ctrl_iface event * improved debug logging (human readable event names, interface name included in more entries) * added number of small changes to make it easier for static analyzers to understand the implementation * added a workaround for Windows 7 Michael MIC failure reporting and use of the Secure bit in EAPOL-Key msg 3/4 * fixed number of small bugs (see git logs for more details) * changed OpenSSL to read full certificate chain from server_cert file * nl80211: number of updates to use new cfg80211/nl80211 functionality - replace monitor interface with nl80211 commands - additional information for driver-based AP SME * EAP-pwd: - fix KDF for group 21 and zero-padding - added support for fragmentation - increased maximum number of hunting-and-pecking iterations * avoid excessive Probe Response retries for broadcast Probe Request frames (only with drivers using hostapd SME/MLME) * added preliminary support for using TLS v1.2 (CONFIG_TLSV12=y) * fixed WPS operation stopping on dual concurrent AP * added wps_rf_bands configuration parameter for overriding RF Bands value for WPS * added support for getting per-device PSK from RADIUS Tunnel-Password * added support for libnl 3.2 and newer * increased initial group key handshake retransmit timeout to 500 ms * added a workaround for 4-way handshake to update SNonce even after having sent EAPOL-Key 3/4 to avoid issues with some supplicant implementations that can change SNonce for each EAP-Key 2/4 * added a workaround for EAPOL-Key 4/4 using incorrect type value in WPA2 mode (some deployed stations use WPA type in that message) * added a WPS workaround for mixed mode AP Settings with Windows 7 * changed WPS AP PIN disabling mechanism to disable the PIN after 10 consecutive failures in addition to using the exponential lockout period * added support for WFA Hotspot 2.0 - GAS/ANQP advertisement of network information - disable_dgaf parameter to disable downstream group-addressed forwarding * simplified licensing terms by selecting the BSD license as the only alternative * EAP-SIM: fixed re-authentication not to update pseudonym * EAP-SIM: use Notification round before EAP-Failure * EAP-AKA: added support for AT_COUNTER_TOO_SMALL * EAP-AKA: skip AKA/Identity exchange if EAP identity is recognized * EAP-AKA': fixed identity for MK derivation * EAP-AKA': updated to RFC 5448 (username prefixes changed); note: this breaks interoperability with older versions * EAP-SIM/AKA: allow pseudonym to be used after unknown reauth id * changed ANonce to be a random number instead of Counter-based * added support for canceling WPS operations with hostapd_cli wps_cancel * fixed EAP/WPS to PSK transition on reassociation in cases where deauthentication is missed * hlr_auc_gw enhancements: - a new command line parameter -u can be used to enable updating of SQN in Milenage file - use 5 bit IND for SQN updates - SQLite database can now be used to store Milenage information * EAP-SIM/AKA DB: added optional use of SQLite database for pseudonyms and reauth data * added support for Chargeable-User-Identity (RFC 4372) * added radius_auth_req_attr and radius_acct_req_attr configuration parameters to allow adding/overriding of RADIUS attributes in Access-Request and Accounting-Request packets * added support for RADIUS dynamic authorization server (RFC 5176) * added initial support for WNM operations - BSS max idle period - WNM-Sleep Mode * added new WPS NFC ctrl_iface mechanism - removed obsoleted WPS_OOB command (including support for deprecated UFD config_method) * added FT support for drivers that implement MLME internally * added SA Query support for drivers that implement MLME internally * removed default ACM=1 from AC_VO and AC_VI * changed VENDOR-TEST EAP method to use proper private enterprise number (this will not interoperate with older versions) * added hostapd.conf parameter vendor_elements to allow arbitrary vendor specific elements to be added to the Beacon and Probe Response frames * added support for configuring GCMP cipher for IEEE 802.11ad * added support for 256-bit AES with internal TLS implementation * changed EAPOL transmission to use AC_VO if WMM is active * fixed EAP-TLS/PEAP/TTLS/FAST server to validate TLS Message Length correctly; invalid messages could have caused the hostapd process to terminate before this fix [CVE-2012-4445] * limit number of active wildcard PINs for WPS Registrar to one to avoid confusing behavior with multiple wildcard PINs * added a workaround for WPS PBC session overlap detection to avoid interop issues with deployed station implementations that do not remove active PBC indication from Probe Request frames properly * added support for using SQLite for the eap_user database * added Acct-Session-Id attribute into Access-Request messages * fixed EAPOL frame transmission to non-QoS STAs with nl80211 (do not send QoS frames if the STA did not negotiate use of QoS for this association) 2012-05-10 - v1.0 * Add channel selection support in hostapd. See hostapd.conf. * Add support for IEEE 802.11v Time Advertisement mechanism with UTC TSF offset. See hostapd.conf for config info. * Delay STA entry removal until Deauth/Disassoc TX status in AP mode. This allows the driver to use PS buffering of Deauthentication and Disassociation frames when the STA is in power save sleep. Only available with drivers that provide TX status events for Deauth/ Disassoc frames (nl80211). * Allow PMKSA caching to be disabled on the Authenticator. See hostap.conf config parameter disable_pmksa_caching. * atheros: Add support for IEEE 802.11w configuration. * bsd: Add support for setting HT values in IFM_MMASK. * Allow client isolation to be configured with ap_isolate. Client isolation can be used to prevent low-level bridging of frames between associated stations in the BSS. By default, this bridging is allowed. * Allow coexistance of HT BSSes with WEP/TKIP BSSes. * Add require_ht config parameter, which can be used to configure hostapd to reject association with any station that does not support HT PHY. * Add support for writing debug log to a file using "-f" option. Also add relog CLI command to re-open the log file. * Add bridge handling for WDS STA interfaces. By default they are added to the configured bridge of the AP interface (if present), but the user can also specify a separate bridge using cli command wds_bridge. * hostapd_cli: - Add wds_bridge command for specifying bridge for WDS STA interfaces. - Add relog command for reopening log file. - Send AP-STA-DISCONNECTED event when an AP disconnects a station due to inactivity. - Add wps_config ctrl_interface command for configuring AP. This command can be used to configure the AP using the internal WPS registrar. It works in the same way as new AP settings received from an ER. - Many WPS/WPS ER commands - see WPS/WPS ER sections for details. - Add command get version, that returns hostapd version string. * WNM: Add BSS Transition Management Request for ESS Disassoc Imminent. Use hostapd_cli ess_disassoc (STA addr) (URL) to send the notification to the STA. * Allow AP mode to disconnect STAs based on low ACK condition (when the data connection is not working properly, e.g., due to the STA going outside the range of the AP). Disabled by default, enable by config option disassoc_low_ack. * Add WPA_IGNORE_CONFIG_ERRORS build option to continue in case of bad config file. * WPS: - Send AP Settings as a wrapped Credential attribute to ctrl_iface in WPS-NEW-AP-SETTINGS. - Dispatch more WPS events through hostapd ctrl_iface. - Add mechanism for indicating non-standard WPS errors. - Change concurrent radio AP to use only one WPS UPnP instance. - Add wps_check_pin command for processing PIN from user input. UIs can use this command to process a PIN entered by a user and to validate the checksum digit (if present). - Add hostap_cli get_config command to display current AP config. - Add new hostapd_cli command, wps_ap_pin, to manage AP PIN at runtime and support dynamic AP PIN management. - Disable AP PIN after 10 consecutive failures. Slow down attacks on failures up to 10. - Allow AP to start in Enrollee mode without AP PIN for probing, to be compatible with Windows 7. - Add Config Error into WPS-FAIL events to provide more info to the user on how to resolve the issue. - When controlling multiple interfaces: - apply WPS commands to all interfaces configured to use WPS - apply WPS config changes to all interfaces that use WPS - when an attack is detected on any interface, disable AP PIN on all interfaces * WPS ER: - Show SetSelectedRegistrar events as ctrl_iface events. - Add special AP Setup Locked mode to allow read only ER. ap_setup_locked=2 can now be used to enable a special mode where WPS ER can learn the current AP settings, but cannot change them. * WPS 2.0: Add support for WPS 2.0 (CONFIG_WPS2) - Add build option CONFIG_WPS_EXTENSIBILITY_TESTING to enable tool for testing protocol extensibility. - Add build option CONFIG_WPS_STRICT to allow disabling of WPS workarounds. - Add support for AuthorizedMACs attribute. * TDLS: - Allow TDLS use or TDLS channel switching in the BSS to be prohibited in the BSS, using config params tdls_prohibit and tdls_prohibit_chan_switch. * EAP server: Add support for configuring fragment size (see fragment_size in hostapd.conf). * wlantest: Add a tool wlantest for IEEE802.11 protocol testing. wlantest can be used to capture frames from a monitor interface for realtime capturing or from pcap files for offline analysis. * Interworking: Support added for 802.11u. Enable in .config with CONFIG_INTERWORKING. See hostapd.conf for config parameters for interworking. * Android: Add build and runtime support for Android hostapd. * Add a new debug message level for excessive information. Use -ddd to enable. * TLS: Add support for tls_disable_time_checks=1 in client mode. * Internal TLS: - Add support for TLS v1.1 (RFC 4346). Enable with build parameter CONFIG_TLSV11. - Add domainComponent parser for X.509 names * Reorder some IEs to get closer to IEEE 802.11 standard. Move WMM into end of Beacon, Probe Resp and (Re)Assoc Resp frames. Move HT IEs to be later in (Re)Assoc Resp. * Many bugfixes. Notes: svn path=/vendor/wpa/dist/; revision=252190 svn path=/vendor/wpa/2.0/; revision=252191; tag=vendor/wpa/2.0
* Remove non-FreeBSD related code.Rui Paulo2013-06-2565-16548/+0
| | | | Notes: svn path=/vendor/wpa/dist/; revision=252189
* Import hostapd 0.7.3.vendor/wpa/0.7.3Rui Paulo2010-10-2934-0/+9220
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes: 2010-09-07 - v0.7.3 * fixed re-association after WPS not initializing WPA state machine in some cases * fixed WPS IE update on reconfiguration * fixed WPS code not to proxy Probe Request frames for foreign SSIDs * added WPS workaround for open networks and some known interop issues * fixed WPS Diffie-Hellman derivation to use correct public key length * fixed FT RRB messages on big endian CPUs * changed WPS protection for brute force AP PIN attacks to disable AP PIN only temporarily (but with increasing time) to avoid usability issues on Label-only devices * added wps_ap_pin command for more secure handling of AP PIN operations (e.g., to generate a random AP PIN and only use it for short amount of time) * fixed HT STBC negotiation 2010-04-18 - v0.7.2 * fix WPS internal Registrar use when an external Registrar is also active * bsd: Cleaned up driver wrapper and added various low-level configuration options * TNC: fixed issues with fragmentation * EAP-TNC: add Flags field into fragment acknowledgement (needed to interoperate with other implementations; may potentially breaks compatibility with older wpa_supplicant/hostapd versions) * cleaned up driver wrapper API for multi-BSS operations * nl80211: fix multi-BSS and VLAN operations * fix number of issues with IEEE 802.11r/FT; this version is not backwards compatible with old versions * add SA Query Request processing in AP mode (IEEE 802.11w) * fix IGTK PN in group rekeying (IEEE 802.11w) * fix WPS PBC session overlap detection to use correct attribute * hostapd_notif_Assoc() can now be called with all IEs to simplify driver wrappers * work around interoperability issue with some WPS External Registrar implementations * nl80211: fix WPS IE update * hostapd_cli: add support for action script operations (run a script on hostapd events) * fix DH padding with internal crypto code (mainly, for WPS) * fix WPS association with both WPS IE and WPA/RSN IE present with driver wrappers that use hostapd MLME (e.g., nl80211) 2010-01-16 - v0.7.1 * cleaned up driver wrapper API (struct wpa_driver_ops); the new API is not fully backwards compatible, so out-of-tree driver wrappers will need modifications * cleaned up various module interfaces * merge hostapd and wpa_supplicant developers' documentation into a single document * fixed HT Capabilities IE with nl80211 drivers * moved generic AP functionality code into src/ap * WPS: handle Selected Registrar as union of info from all Registrars * remove obsolte Prism54.org driver wrapper * added internal debugging mechanism with backtrace support and memory allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y) * EAP-FAST server: piggyback Phase 2 start with the end of Phase 1 * WPS: add support for dynamically selecting whether to provision the PSK as an ASCII passphrase or PSK * added support for WDS (4-address frame) mode with per-station virtual interfaces (wds_sta=1 in config file; only supported with driver=nl80211 for now) * fixed WPS Probe Request processing to handle missing required attribute * fixed PKCS#12 use with OpenSSL 1.0.0 * detect bridge interface automatically so that bridge parameter in hostapd.conf becomes optional (though, it may now be used to automatically add then WLAN interface into a bridge with driver=nl80211) 2009-11-21 - v0.7.0 * increased hostapd_cli ping interval to 5 seconds and made this configurable with a new command line options (-G<seconds>) * driver_nl80211: use Linux socket filter to improve performance * added support for external Registrars with WPS (UPnP transport) * 802.11n: scan for overlapping BSSes before starting 20/40 MHz channel * driver_nl80211: fixed STA accounting data collection (TX/RX bytes reported correctly; TX/RX packets not yet available from kernel) * added support for WPS USBA out-of-band mechanism with USB Flash Drives (UFD) (CONFIG_WPS_UFD=y) * fixed EAPOL/EAP reauthentication when using an external RADIUS authentication server * fixed TNC with EAP-TTLS * fixed IEEE 802.11r key derivation function to match with the standard (note: this breaks interoperability with previous version) [Bug 303] * fixed SHA-256 based key derivation function to match with the standard when using CCMP (for IEEE 802.11r and IEEE 802.11w) (note: this breaks interoperability with previous version) [Bug 307] * added number of code size optimizations to remove unnecessary functionality from the program binary based on build configuration (part of this automatic; part configurable with CONFIG_NO_* build options) * use shared driver wrapper files with wpa_supplicant * driver_nl80211: multiple updates to provide support for new Linux nl80211/mac80211 functionality * updated management frame protection to use IEEE Std 802.11w-2009 * fixed number of small WPS issues and added workarounds to interoperate with common deployed broken implementations * added some IEEE 802.11n co-existance rules to disable 40 MHz channels or modify primary/secondary channels if needed based on neighboring networks * added support for NFC out-of-band mechanism with WPS * added preliminary support for IEEE 802.11r RIC processing Notes: svn path=/vendor/wpa/dist/; revision=214503 svn path=/vendor/wpa/0.7.3/; revision=214505; tag=vendor/wpa/0.7.3
* Import wpa_supplicant / hostapd 0.7.3.Rui Paulo2010-10-29560-46402/+63437
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes: 2010-09-07 - v0.7.3 * fixed fallback from failed PMKSA caching into full EAP authentication [Bug 355] * fixed issue with early D-Bus signals during initialization * fixed X.509 name handling in internal TLS * fixed WPS ER to use corrent Enrollee MAC Address in Credential * fixed scanning routines ot improve AP selection for WPS * added WPS workaround for open networks * fixed WPS Diffie-Hellman derivation to use correct public key length * fixed wpa_supplicant AP mode operations to ignore Supplicant and scan result events * improved SME operations with nl80211 * fixed WPS ER event_id handling in some cases * fixed some issues with bgscan simple to avoid unnecessary scans * fixed issue with l2_packet_ndis overlapped writes corrupting stack [Bug 328] * updated WinPcap to the latest stable version 4.1.2 in Windows installer 2010-04-18 - v0.7.2 * nl80211: fixed number of issues with roaming * avoid unnecessary roaming if multiple APs with similar signal strength are present in scan results * add TLS client events and server probing to ease design of automatic detection of EAP parameters * add option for server certificate matching (SHA256 hash of the certificate) instead of trusted CA certificate configuration * bsd: Cleaned up driver wrapper and added various low-level configuration options * wpa_gui-qt4: do not show too frequent WPS AP available events as tray messages * TNC: fixed issues with fragmentation * EAP-TNC: add Flags field into fragment acknowledgement (needed to interoperate with other implementations; may potentially breaks compatibility with older wpa_supplicant/hostapd versions) * wpa_cli: added option for using a separate process to receive event messages to reduce latency in showing these (CFLAGS += -DCONFIG_WPA_CLI_FORK=y in .config to enable this) * maximum BSS table size can now be configured (bss_max_count) * BSSes to be included in the BSS table can be filtered based on configured SSIDs to save memory (filter_ssids) * fix number of issues with IEEE 802.11r/FT; this version is not backwards compatible with old versions * nl80211: add support for IEEE 802.11r/FT protocol (both over-the-air and over-the-DS) * add freq_list network configuration parameter to allow the AP selection to filter out entries based on the operating channel * add signal strength change events for bgscan; this allows more dynamic changes to background scanning interval based on changes in the signal strength with the current AP; this improves roaming within ESS quite a bit, e.g., with bgscan="simple:30:-45:300" in the network configuration block to request background scans less frequently when signal strength remains good and to automatically trigger background scans whenever signal strength drops noticeably (this is currently only available with nl80211) * add BSSID and reason code (if available) to disconnect event messages * wpa_gui-qt4: more complete support for translating the GUI with linguist and add German translation * fix DH padding with internal crypto code (mainly, for WPS) * do not trigger initial scan automatically anymore if there are no enabled networks 2010-01-16 - v0.7.1 * cleaned up driver wrapper API (struct wpa_driver_ops); the new API is not fully backwards compatible, so out-of-tree driver wrappers will need modifications * cleaned up various module interfaces * merge hostapd and wpa_supplicant developers' documentation into a single document * nl80211: use explicit deauthentication to clear cfg80211 state to avoid issues when roaming between APs * dbus: major design changes in the new D-Bus API (fi.w1.wpa_supplicant1) * nl80211: added support for IBSS networks * added internal debugging mechanism with backtrace support and memory allocation/freeing validation, etc. tests (CONFIG_WPA_TRACE=y) * added WPS ER unsubscription command to more cleanly unregister from receiving UPnP events when ER is terminated * cleaned up AP mode operations to avoid need for virtual driver_ops wrapper * added BSS table to maintain more complete scan result information over multiple scans (that may include only partial results) * wpa_gui-qt4: update Peers dialog information more dynamically while the dialog is kept open * fixed PKCS#12 use with OpenSSL 1.0.0 * driver_wext: Added cfg80211-specific optimization to avoid some unnecessary scans and to speed up association 2009-11-21 - v0.7.0 * increased wpa_cli ping interval to 5 seconds and made this configurable with a new command line options (-G<seconds>) * fixed scan buffer processing with WEXT to handle up to 65535 byte result buffer (previously, limited to 32768 bytes) * allow multiple driver wrappers to be specified on command line (e.g., -Dnl80211,wext); the first one that is able to initialize the interface will be used * added support for multiple SSIDs per scan request to optimize scan_ssid=1 operations in ap_scan=1 mode (i.e., search for hidden SSIDs); this requires driver support and can currently be used only with nl80211 * added support for WPS USBA out-of-band mechanism with USB Flash Drives (UFD) (CONFIG_WPS_UFD=y) * driver_ndis: add PAE group address to the multicast address list to fix wired IEEE 802.1X authentication * fixed IEEE 802.11r key derivation function to match with the standard (note: this breaks interoperability with previous version) [Bug 303] * added better support for drivers that allow separate authentication and association commands (e.g., mac80211-based Linux drivers with nl80211; SME in wpa_supplicant); this allows over-the-air FT protocol to be used (IEEE 802.11r) * fixed SHA-256 based key derivation function to match with the standard when using CCMP (for IEEE 802.11r and IEEE 802.11w) (note: this breaks interoperability with previous version) [Bug 307] * use shared driver wrapper files with hostapd * added AP mode functionality (CONFIG_AP=y) with mode=2 in the network block; this can be used for open and WPA2-Personal networks (optionally, with WPS); this links in parts of hostapd functionality into wpa_supplicant * wpa_gui-qt4: added new Peers dialog to show information about peers (other devices, including APs and stations, etc. in the neighborhood) * added support for WPS External Registrar functionality (configure APs and enroll new devices); can be used with wpa_gui-qt4 Peers dialog and wpa_cli commands wps_er_start, wps_er_stop, wps_er_pin, wps_er_pbc, wps_er_learn (this can also be used with a new 'none' driver wrapper if no wireless device or IEEE 802.1X on wired is needed) * driver_nl80211: multiple updates to provide support for new Linux nl80211/mac80211 functionality * updated management frame protection to use IEEE Std 802.11w-2009 * fixed number of small WPS issues and added workarounds to interoperate with common deployed broken implementations * added support for NFC out-of-band mechanism with WPS * driver_ndis: fixed wired IEEE 802.1X authentication with PAE group address frames * added preliminary support for IEEE 802.11r RIC processing * added support for specifying subset of enabled frequencies to scan (scan_freq option in the network configuration block); this can speed up scanning process considerably if it is known that only a small subset of channels is actually used in the network (this is currently supported only with -Dnl80211) * added a workaround for race condition between receiving the association event and the following EAPOL-Key * added background scan and roaming infrastructure to allow network-specific optimizations to be used to improve roaming within an ESS (same SSID) * added new DBus interface (fi.w1.wpa_supplicant1) Notes: svn path=/vendor/wpa/dist/; revision=214501
* Import wpa_supplicant & hostapd 0.6.9.vendor/wpa/0.6.10Rui Paulo2010-06-13257-916/+52748
| | | | | Notes: svn path=/vendor/wpa/dist/; revision=209139 svn path=/vendor/wpa/0.6.10/; revision=209141; tag=vendor/wpa/0.6.10
* remove unused bitsSam Leffler2009-03-01131-51018/+0
| | | | Notes: svn path=/vendor/wpa/dist/; revision=189254
* import wpa_supplicant+hostapd 0.6.8vendor/wpa/0.6.8Sam Leffler2009-03-01587-16595/+187752
|\ | | | | | | | | Notes: svn path=/vendor/wpa/dist/; revision=189251 svn path=/vendor/wpa/0.6.8/; revision=189252; tag=vendor/wpa/0.6.8
| * vendor import of 0.5.11vendor/wpa_supplicant/0.5.11vendor/wpa_supplicantSam Leffler2009-01-1548-237/+401
| | | | | | | | | | Notes: svn path=/vendor/wpa_supplicant/dist/; revision=187274 svn path=/vendor/wpa_supplicant/0.5.11/; revision=187275; tag=vendor/wpa_supplicant/0.5.11
| * flatten vendor branchvendor/wpa_supplicant/0.5.10Sam Leffler2009-01-15244-2/+2
| | | | | | | | | | Notes: svn path=/vendor/wpa_supplicant/dist/; revision=187258 svn path=/vendor/wpa_supplicant/0.5.10/; revision=187267; tag=vendor/wpa_supplicant/0.5.10
| * add syslog support (committed on vendor branch as it's been sent upstream)Sam Leffler2008-03-246-2/+72
| | | | | | | | | | | | | | PR: bin/116190 Notes: svn path=/vendor/wpa_supplicant/dist/; revision=177572
| * Import of WPA supplicant 0.5.10Sam Leffler2008-03-2466-505/+2609
| | | | | | | | Notes: svn path=/vendor/wpa_supplicant/dist/; revision=177568
| * Import of WPA supplicant 0.5.8Sam Leffler2007-07-11211-9538/+49687
| | | | | | | | Notes: svn path=/vendor/wpa_supplicant/dist/; revision=171366
| * Import of WPA supplicant 0.4.8Sam Leffler2006-03-07156-6489/+32479
| | | | | | | | Notes: svn path=/vendor/wpa_supplicant/dist/; revision=156369
| * Import a fixed version of driver_ndis.c from the vendor. The existingBill Paul2005-10-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | version has a bug where it fails to properly cancel the polling loop that periodically queries the BSSID (this is done to detect the association/disassociation state). The timeout is supposed to fire once a second, but the eloop_cancel_timeout() call uses a different 'user data' value than what was passed to eloop_register_timeout(), so cancelling the timeouts fails. This results in an additional timeout being created each time an EAPOL packet is received, which can lead to dozens of unwanted timeouts firing every second instead of just one. Notes: svn path=/vendor/wpa_supplicant/dist/; revision=151513
| * Import the driver_ndis files from the 0.3.9 distribution.Bill Paul2005-10-103-0/+1779
| | | | | | | | Notes: svn path=/vendor/wpa_supplicant/dist/; revision=151208
| * clr ptr after freeing state to avoid subsequent null ptr derefSam Leffler2005-07-061-0/+1
| | | | | | | | | | | | | | | | | | (on vendor branch since this change already exists in Jouni's cvs). Approved by: re (scottl) Notes: svn path=/vendor/wpa_supplicant/dist/; revision=147801
| * stripped down import of wpa_supplicant v0.3.9Sam Leffler2005-06-1320-42/+1554
| | | | | | | | | | | | | | Approved by: re (dwhite) Notes: svn path=/vendor/wpa_supplicant/dist/; revision=147338
| * This commit was manufactured by cvs2svn to create branchcvs2svn2005-06-052-0/+46
| | | | | | | | | | | | | | 'VENDOR-wpa_supplicant'. Notes: svn path=/vendor/wpa_supplicant/dist/; revision=147017
| * Stripped down import of wpa_supplicant v0.3.8vendor/wpa_supplicant/0.3.8Sam Leffler2005-06-0582-0/+35297
| | | | | Notes: svn path=/vendor/wpa_supplicant/dist/; revision=147013 svn path=/vendor/wpa_supplicant/0.3.8/; revision=147015; tag=vendor/wpa_supplicant/0.3.8
* remove this; we now use private codevendor/hostapdSam Leffler2008-04-201-391/+0
| | | | Notes: svn path=/vendor/hostapd/dist/; revision=178363
* add support for driver-based RADIUS ACL's (committed on vendor branch as it'sSam Leffler2008-03-244-5/+47
| | | | | | | | | been sent upstream) Submitted by: Chris Zimmermann Notes: svn path=/vendor/hostapd/dist/; revision=177580
* Import of hostapd 0.5.10Sam Leffler2008-03-2429-323/+490
| | | | Notes: svn path=/vendor/hostapd/dist/; revision=177576
* Import of hostapd 0.5.8Sam Leffler2007-07-09159-6309/+32275
| | | | Notes: svn path=/vendor/hostapd/dist/; revision=171322
* Add eapol_version config parameter so folks with clients that (bogusly)Sam Leffler2006-03-275-4/+26
| | | | | | | | | | | | | | | require the authenticator announce EAPOL version 1 don't have to hack the code to get a working setup. Discussed with Jouni; he's committed a similar set of changes to his devel branch and I sent him these changes so I'm committing this on the vendor branch in the expectation it will appear in the next import. MFC after: 1 week Notes: svn path=/vendor/hostapd/dist/; revision=157181
* Import of hostapd 0.4.8Sam Leffler2006-03-0788-1679/+7716
| | | | Notes: svn path=/vendor/hostapd/dist/; revision=156373
* stripped down import of hostapd 0.3.9Sam Leffler2005-06-1315-34/+110
| | | | | | | Approved by: re (dwhite) Notes: svn path=/vendor/hostapd/dist/; revision=147341
* This commit was manufactured by cvs2svn to create branchcvs2svn2005-06-052-0/+34
| | | | | | | 'VENDOR-hostapd'. Notes: svn path=/vendor/hostapd/dist/; revision=147025
* Stripped down import of hostapd v0.3.7vendor/hostapd/0.3.7Sam Leffler2005-06-0594-0/+32064
Notes: svn path=/vendor/hostapd/dist/; revision=147021 svn path=/vendor/hostapd/0.3.7/; revision=147023; tag=vendor/hostapd/0.3.7