SAE: Enable only groups 19, 20, and 21 in station mode

Remove groups 25 (192-bit Random ECP Group) and 26 (224-bit Random ECP
Group) from the default SAE groups in station mode since those groups
are not as strong as the mandatory group 19 (NIST P-256).

In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index ba22a93f46d7e312dfcabb215b2827e0eb2894e4..c22ddba139f72c12ca88290ad71d753843c7fb82 100644 (file)
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -57,7 +57,7 @@ static int index_within_array(const int *array, int idx)
 static int sme_set_sae_group(struct wpa_supplicant *wpa_s)
 {
        int *groups = wpa_s->conf->sae_groups;
-       int default_groups[] = { 19, 20, 21, 25, 26, 0 };
+       int default_groups[] = { 19, 20, 21, 0 };
 
        if (!groups || groups[0] <= 0)
                groups = default_groups;
@@ -1037,7 +1037,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
            status_code == WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ &&
            wpa_s->sme.sae.state == SAE_COMMITTED &&
            (external || wpa_s->current_bss) && wpa_s->current_ssid) {
-               int default_groups[] = { 19, 20, 21, 25, 26, 0 };
+               int default_groups[] = { 19, 20, 21, 0 };
                u16 group;
 
                groups = wpa_s->conf->sae_groups;

diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 1bd43b226ad7ca174a7beda94ce653c8c8053f4d..d0be9371bdc485360d0e2ec0a4f63d234b966cfa 100644 (file)
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -377,11 +377,16 @@ fast_reauth=1
 
 # Enabled SAE finite cyclic groups in preference order
 # By default (if this parameter is not set), the mandatory group 19 (ECC group
-# defined over a 256-bit prime order field) is preferred, but other groups are
-# also enabled. If this parameter is set, the groups will be tried in the
-# indicated order. The group values are listed in the IANA registry:
+# defined over a 256-bit prime order field, NIST P-256) is preferred and groups
+# 20 (NIST P-384) and 21 (NIST P-521) are also enabled. If this parameter is
+# set, the groups will be tried in the indicated order.
+# The group values are listed in the IANA registry:
 # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
-#sae_groups=21 20 19 26 25
+# Note that groups 1, 2, 5, 22, 23, and 24 should not be used in production
+# purposes due limited security (see RFC 8247). Groups that are not as strong as
+# group 19 (ECC, NIST P-256) are unlikely to be useful for production use cases
+# since all implementations are required to support group 19.
+#sae_groups=19 20 21
 
 # Default value for DTIM period (if not overridden in network block)
 #dtim_period=2