MFV r346563:

Update wpa 2.8 --> 2.9

hostapd:

• SAE changes
  • disable use of groups using Brainpool curves
  • improved protection against side channel attacks [https://w1.fi/security/2019-6/]
• EAP-pwd changes
  • disable use of groups using Brainpool curves
  • improved protection against side channel attacks [https://w1.fi/security/2019-6/]
• fixed FT-EAP initial mobility domain association using PMKSA caching
• added configuration of airtime policy
• fixed FILS to and RSNE into (Re)Association Response frames
• fixed DPP bootstrapping URI parser of channel list
• added support for regulatory WMM limitation (for ETSI)
• added support for MACsec Key Agreement using IEEE 802.1X/PSK
• added experimental support for EAP-TEAP server (RFC 7170)
• added experimental support for EAP-TLS server with TLS v1.3
• added support for two server certificates/keys (RSA/ECC)
• added AKMSuiteSelector into "STA <addr>" control interface data to determine with AKM was used for an association
• added eap_sim_id parameter to allow EAP-SIM/AKA server pseudonym and fast reauthentication use to be disabled
• fixed an ECDH operation corner case with OpenSSL

wpa_supplicant:

• SAE changes
  • disable use of groups using Brainpool curves
  • improved protection against side channel attacks [https://w1.fi/security/2019-6/]
• EAP-pwd changes
  • disable use of groups using Brainpool curves
  • allow the set of groups to be configured (eap_pwd_groups)
  • improved protection against side channel attacks [https://w1.fi/security/2019-6/]
• fixed FT-EAP initial mobility domain association using PMKSA caching (disabled by default for backwards compatibility; can be enabled with ft_eap_pmksa_caching=1)
• fixed a regression in OpenSSL 1.1+ engine loading
• added validation of RSNE in (Re)Association Response frames
• fixed DPP bootstrapping URI parser of channel list
• extended EAP-SIM/AKA fast re-authentication to allow use with FILS
• extended ca_cert_blob to support PEM format
• improved robustness of P2P Action frame scheduling
• added support for EAP-SIM/AKA using anonymous@realm identity
• fixed Hotspot 2.0 credential selection based on roaming consortium to ignore credentials without a specific EAP method
• added experimental support for EAP-TEAP peer (RFC 7170)
• added experimental support for EAP-TLS peer with TLS v1.3
• fixed a regression in WMM parameter configuration for a TDLS peer
• fixed a regression in operation with drivers that offload 802.1X 4-way handshake
• fixed an ECDH operation corner case with OpenSSL

MFC after: 1 week
Security: https://w1.fi/security/2019-6/\

		sae-eap-pwd-side-channel-attack-update.txt