SAE: Enable only group 19 by default in AP mode

Change the AP mode default for SAE to enable only the group 19 instead
of enabling all ECC groups that are supported by the used crypto library
and the SAE implementations. The main reason for this is to avoid
enabling groups that are not as strong as the mandatory-to-support group
19 (i.e., groups 25 and 26). In addition, this disables heavier groups
by default.

In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

hostapd/hostapd.conf

@@ -1574,12 +1574,16 @@ own_ip_addr=127.0.0.1
 
 # Enabled SAE finite cyclic groups
 # SAE implementation are required to support group 19 (ECC group defined over a
-# 256-bit prime order field). All groups that are supported by the
+# 256-bit prime order field). This configuration parameter can be used to
-# implementation are enabled by default. This configuration parameter can be
+# specify a set of allowed groups. If not included, only the mandatory group 19
-# used to specify a limited set of allowed groups. The group values are listed
+# is enabled.
-# in the IANA registry:
+# The group values are listed in the IANA registry:
 # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
-#sae_groups=19 20 21 25 26
+# Note that groups 1, 2, 5, 22, 23, and 24 should not be used in production
+# purposes due limited security (see RFC 8247). Groups that are not as strong as
+# group 19 (ECC, NIST P-256) are unlikely to be useful for production use cases
+# since all implementations are required to support group 19.
+#sae_groups=19 20 21
 
 # Require MFP for all associations using SAE
 # This parameter can be used to enforce negotiation of MFP for all associations

src/ap/ieee802_11.c

@@ -850,18 +850,21 @@ static void sae_pick_next_group(struct hostapd_data *hapd, struct sta_info *sta)
 {
 	struct sae_data *sae = sta->sae;
 	int i, *groups = hapd->conf->sae_groups;
+	int default_groups[] = { 19, 0 };
 
 	if (sae->state != SAE_COMMITTED)
 		return;
 
 	wpa_printf(MSG_DEBUG, "SAE: Previously selected group: %d", sae->group);
 
-	for (i = 0; groups && groups[i] > 0; i++) {
+	if (!groups)
+		groups = default_groups;
+	for (i = 0; groups[i] > 0; i++) {
 		if (sae->group == groups[i])
 			break;
 	}
 
-	if (!groups || groups[i] <= 0) {
+	if (groups[i] <= 0) {
 		wpa_printf(MSG_DEBUG,
 			   "SAE: Previously selected group not found from the current configuration");
 		return;
@@ -890,6 +893,11 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 {
 	int resp = WLAN_STATUS_SUCCESS;
 	struct wpabuf *data = NULL;
+	int *groups = hapd->conf->sae_groups;
+	int default_groups[] = { 19, 0 };
+
+	if (!groups)
+		groups = default_groups;
 
 #ifdef CONFIG_TESTING_OPTIONS
 	if (hapd->conf->sae_reflection_attack && auth_transaction == 1) {
@@ -955,8 +963,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 				resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
 				goto reply;
 			}
-			resp = sae_group_allowed(sta->sae,
+			resp = sae_group_allowed(sta->sae, groups,
-						 hapd->conf->sae_groups,
 						 WPA_GET_LE16(pos));
 			if (resp != WLAN_STATUS_SUCCESS) {
 				wpa_printf(MSG_ERROR,
@@ -1025,7 +1032,7 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 		resp = sae_parse_commit(sta->sae, mgmt->u.auth.variable,
 					((const u8 *) mgmt) + len -
 					mgmt->u.auth.variable, &token,
-					&token_len, hapd->conf->sae_groups);
+					&token_len, groups);
 		if (resp == SAE_SILENTLY_DISCARD) {
 			wpa_printf(MSG_DEBUG,
 				   "SAE: Drop commit message from " MACSTR " due to reflection attack",