To do:
- hostap: try other roaming modes
  NOTE: current mode (manual roaming) does not really roam at all..
  Firmware did not notice the current AP disappearing..
- add support for WPA with ap_scan=0 (update selected cipher etc. based on
  AssocInfo; make sure these match with configuration)
- optional security separation (build time option): run EAPOL state machines
  as non-root (need to add something like socketpair between privileged root
  process and non-root handler; send EAPOL packets between processes
  and send keying data from non-root -> privileged)
  EAPOL-Key processing (WPA & WEP keys) could be in privileged part
  at least in the beginning; some parts might end up being moved to
  non-root part eventually
- consider closing smart card / PCSC connection when EAP-SIM/EAP-AKA
  authentication has been completed (cache scard data based on serial#(?)
  and try to optimize next connection if the same card is present for next
  auth)
- EAP-AKA: AT_CHECKCODE
- EAP-SIM/AKA: AT_RESULT_IND
- on disconnect event, could try to associate with another AP if one is
  present in scan results; would need to update scan results periodically..
- add flag scan_requested and only try to re-associate if this is set when
  new scan results are received; this would allow background scans without
  triggering re-assoc..
- if driver/hw is not WPA2 capable, must remove WPA_PROTO_RSN flag from
  ssid->proto fields to avoid detecting downgrade attacks when the driver
  is not reporting RSN IE, but msg 3/4 has one
- EAP-SIM/AKA: if SIM reader initialization fails, do not start authentication
- Cisco AP and non-zero keyidx for unicast -> map to broadcast
  (actually, this already works with driver_ndis; so maybe just change
  driver_*.c to do the mapping for drivers that cannot handle non-zero keyidx
  for unicast); worked also with Host AP driver and madwifi
- IEEE 802.1X and key update with driver_ndis?? wpa_supplicant did not seem
  to see unencrypted EAPOL-Key frames at all..
- -Dwired: if ssid is set in network block, authentication gets "stuck" since
  driver_wired.c only reports empty SSID and association is not assumed to be
  ok
- EAP-PAX with PAX_SEC
- EAP: extended nak, vendor method; go through rfc
  RFC 3748
  * Expanded Type (Sect. 5.7)
  * Experimental Type
  * Expanded Nak (Sect. 5.3.2)
  * OTP Extended Responses (Sect. 5.5)
- test what happens if authenticator sends EAP-Success before real EAP
  authentication ("canned" Success); this should be ignored based on
  RFC 3748 Sect. 4.2
- test compilation with gcc -W options (more warnings?)
- add proper support for using dot11RSNAConfigSATimeout
- ctrl_iface: get/set/remove blob
- use doc/docbook/*.sgml and docbook2{txt,html,pdf} to replace README and
  web pages including the same information.. i.e., have this information only
  in one page; how to build a PDF file with all the SGML included?
- test wait-for-interface and daemonize combinations with number of driver
  interfaces