aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDisha Das <dishad@codeaurora.org>2020-04-09 04:12:21 (GMT)
committerJouni Malinen <j@w1.fi>2020-04-17 20:51:58 (GMT)
commit6b1c590ebb87bd4ddd2930feb621f463197d1125 (patch)
treeda03d891d867ba7a63d95b2bf145305223b98eaa
parent11bd6ea60e729741a23d9ecd475d630c4303854a (diff)
downloadhostap-6b1c590ebb87bd4ddd2930feb621f463197d1125.zip
hostap-6b1c590ebb87bd4ddd2930feb621f463197d1125.tar.gz
hostap-6b1c590ebb87bd4ddd2930feb621f463197d1125.tar.bz2
Allow TKIP support to be removed from build
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from hostapd and wpa_supplicant builds. This disables use of TKIP as both the pairwise and group cipher. The end result does not interoperate with a WPA(v1)-only device or WPA+WPA2 mixed modes. Signed-off-by: Disha Das <dishad@codeaurora.org>
-rw-r--r--hostapd/Android.mk4
-rw-r--r--hostapd/Makefile4
-rw-r--r--hostapd/defconfig7
-rw-r--r--src/ap/ap_config.c5
-rw-r--r--src/ap/wps_hostapd.c44
-rw-r--r--src/common/wpa_common.c9
-rw-r--r--src/common/wpa_common.h10
-rw-r--r--src/wps/wps_attr_build.c6
-rw-r--r--src/wps/wps_enrollee.c11
-rw-r--r--src/wps/wps_registrar.c4
-rw-r--r--wpa_supplicant/Android.mk4
-rw-r--r--wpa_supplicant/Makefile4
-rw-r--r--wpa_supplicant/config_ssid.h5
-rw-r--r--wpa_supplicant/ctrl_iface.c14
-rw-r--r--wpa_supplicant/dbus/dbus_new.c4
-rw-r--r--wpa_supplicant/dbus/dbus_new_handlers.c17
-rw-r--r--wpa_supplicant/defconfig9
-rw-r--r--wpa_supplicant/wps_supplicant.c5
18 files changed, 165 insertions, 1 deletions
diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index 0f05565..d47b64f 100644
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -314,6 +314,10 @@ ifdef CONFIG_WEP
L_CFLAGS += -DCONFIG_WEP
endif
+ifdef CONFIG_NO_TKIP
+L_CFLAGS += -DCONFIG_NO_TKIP
+endif
+
include $(LOCAL_PATH)/src/drivers/drivers.mk
diff --git a/hostapd/Makefile b/hostapd/Makefile
index 326e91b..9475f2e 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -1243,6 +1243,10 @@ ifdef CONFIG_WEP
CFLAGS += -DCONFIG_WEP
endif
+ifdef CONFIG_NO_TKIP
+CFLAGS += -DCONFIG_NO_TKIP
+endif
+
ALL=hostapd hostapd_cli
all: verify_config $(ALL)
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 5133db2..64f03bd 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -388,3 +388,10 @@ CONFIG_IPV6=y
# release under this optional build parameter. This functionality is subject to
# be completely removed in a future release.
#CONFIG_WEP=y
+
+# Remove all TKIP functionality
+# TKIP is an old cryptographic data confidentiality algorithm that is not
+# considered secure. It should not be used anymore. For now, the default hostapd
+# build includes this to allow mixed mode WPA+WPA2 networks to be enabled, but
+# that functionality is subject to be removed in the future.
+#CONFIG_NO_TKIP=y
diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
index 5bf4502..35a32a1 100644
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@@ -74,8 +74,13 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
bss->wpa_disable_eapol_key_retries =
DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES;
bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
+#ifdef CONFIG_NO_TKIP
+ bss->wpa_pairwise = WPA_CIPHER_CCMP;
+ bss->wpa_group = WPA_CIPHER_CCMP;
+#else /* CONFIG_NO_TKIP */
bss->wpa_pairwise = WPA_CIPHER_TKIP;
bss->wpa_group = WPA_CIPHER_TKIP;
+#endif /* CONFIG_NO_TKIP */
bss->rsn_pairwise = 0;
bss->max_num_sta = MAX_STA_COUNT;
diff --git a/src/ap/wps_hostapd.c b/src/ap/wps_hostapd.c
index 1d77b94..dc8aa8f 100644
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@@ -364,6 +364,13 @@ static int hapd_wps_reconfig_in_memory(struct hostapd_data *hapd,
bss->ssid.ssid_set = 1;
}
+#ifdef CONFIG_NO_TKIP
+ if (cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK |
+ WPS_AUTH_WPA | WPS_AUTH_WPAPSK))
+ bss->wpa = 2;
+ else
+ bss->wpa = 0;
+#else /* CONFIG_NO_TKIP */
if ((cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK)) &&
(cred->auth_type & (WPS_AUTH_WPA | WPS_AUTH_WPAPSK)))
bss->wpa = 3;
@@ -373,6 +380,7 @@ static int hapd_wps_reconfig_in_memory(struct hostapd_data *hapd,
bss->wpa = 1;
else
bss->wpa = 0;
+#endif /* CONFIG_NO_TKIP */
if (bss->wpa) {
if (cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA))
@@ -387,8 +395,10 @@ static int hapd_wps_reconfig_in_memory(struct hostapd_data *hapd,
else
bss->wpa_pairwise |= WPA_CIPHER_CCMP;
}
+#ifndef CONFIG_NO_TKIP
if (cred->encr_type & WPS_ENCR_TKIP)
bss->wpa_pairwise |= WPA_CIPHER_TKIP;
+#endif /* CONFIG_NO_TKIP */
bss->rsn_pairwise = bss->wpa_pairwise;
bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
bss->wpa_pairwise,
@@ -559,6 +569,13 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)
fprintf(nconf, "\n");
}
+#ifdef CONFIG_NO_TKIP
+ if (cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK |
+ WPS_AUTH_WPA | WPS_AUTH_WPAPSK))
+ wpa = 2;
+ else
+ wpa = 0;
+#else /* CONFIG_NO_TKIP */
if ((cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK)) &&
(cred->auth_type & (WPS_AUTH_WPA | WPS_AUTH_WPAPSK)))
wpa = 3;
@@ -568,6 +585,7 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)
wpa = 1;
else
wpa = 0;
+#endif /* CONFIG_NO_TKIP */
if (wpa) {
char *prefix;
@@ -611,9 +629,11 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)
prefix = " ";
}
+#ifndef CONFIG_NO_TKIP
if (cred->encr_type & WPS_ENCR_TKIP) {
fprintf(nconf, "%sTKIP", prefix);
}
+#endif /* CONFIG_NO_TKIP */
fprintf(nconf, "\n");
if (cred->key_len >= 8 && cred->key_len < 64) {
@@ -1160,12 +1180,24 @@ int hostapd_init_wps(struct hostapd_data *hapd,
wps->encr_types_rsn |= WPS_ENCR_AES;
}
if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
+#ifdef CONFIG_NO_TKIP
+ wpa_printf(MSG_INFO, "WPS: TKIP not supported");
+ goto fail;
+#else /* CONFIG_NO_TKIP */
wps->encr_types |= WPS_ENCR_TKIP;
wps->encr_types_rsn |= WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
}
}
if (conf->wpa & WPA_PROTO_WPA) {
+#ifdef CONFIG_NO_TKIP
+ if (!(conf->wpa & WPA_PROTO_RSN)) {
+ wpa_printf(MSG_INFO, "WPS: WPA(v1) not supported");
+ goto fail;
+ }
+ conf->wpa &= ~WPA_PROTO_WPA;
+#else /* CONFIG_NO_TKIP */
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK)
wps->auth_types |= WPS_AUTH_WPAPSK;
if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X)
@@ -1179,6 +1211,7 @@ int hostapd_init_wps(struct hostapd_data *hapd,
wps->encr_types |= WPS_ENCR_TKIP;
wps->encr_types_wpa |= WPS_ENCR_TKIP;
}
+#endif /* CONFIG_NO_TKIP */
}
if (conf->ssid.security_policy == SECURITY_PLAINTEXT) {
@@ -1218,10 +1251,17 @@ int hostapd_init_wps(struct hostapd_data *hapd,
wps->ap_encr_type = wps->encr_types;
if (conf->wps_state == WPS_STATE_NOT_CONFIGURED) {
/* Override parameters to enable security by default */
+#ifdef CONFIG_NO_TKIP
+ wps->auth_types = WPS_AUTH_WPA2PSK;
+ wps->encr_types = WPS_ENCR_AES;
+ wps->encr_types_rsn = WPS_ENCR_AES;
+ wps->encr_types_wpa = WPS_ENCR_AES;
+#else /* CONFIG_NO_TKIP */
wps->auth_types = WPS_AUTH_WPA2PSK | WPS_AUTH_WPAPSK;
wps->encr_types = WPS_ENCR_AES | WPS_ENCR_TKIP;
wps->encr_types_rsn = WPS_ENCR_AES | WPS_ENCR_TKIP;
wps->encr_types_wpa = WPS_ENCR_AES | WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
}
if ((hapd->conf->multi_ap & FRONTHAUL_BSS) &&
@@ -1801,8 +1841,10 @@ int hostapd_wps_config_ap(struct hostapd_data *hapd, const char *ssid,
if (os_strncmp(auth, "OPEN", 4) == 0)
cred.auth_type = WPS_AUTH_OPEN;
+#ifndef CONFIG_NO_TKIP
else if (os_strncmp(auth, "WPAPSK", 6) == 0)
cred.auth_type = WPS_AUTH_WPAPSK;
+#endif /* CONFIG_NO_TKIP */
else if (os_strncmp(auth, "WPA2PSK", 7) == 0)
cred.auth_type = WPS_AUTH_WPA2PSK;
else
@@ -1811,8 +1853,10 @@ int hostapd_wps_config_ap(struct hostapd_data *hapd, const char *ssid,
if (encr) {
if (os_strncmp(encr, "NONE", 4) == 0)
cred.encr_type = WPS_ENCR_NONE;
+#ifndef CONFIG_NO_TKIP
else if (os_strncmp(encr, "TKIP", 4) == 0)
cred.encr_type = WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
else if (os_strncmp(encr, "CCMP", 4) == 0)
cred.encr_type = WPS_ENCR_AES;
else
diff --git a/src/common/wpa_common.c b/src/common/wpa_common.c
index 1284743..46b647b 100644
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@@ -2319,11 +2319,18 @@ enum wpa_alg wpa_cipher_to_alg(int cipher)
int wpa_cipher_valid_pairwise(int cipher)
{
+#ifdef CONFIG_NO_TKIP
+ return cipher == WPA_CIPHER_CCMP_256 ||
+ cipher == WPA_CIPHER_GCMP_256 ||
+ cipher == WPA_CIPHER_CCMP ||
+ cipher == WPA_CIPHER_GCMP;
+#else /* CONFIG_NO_TKIP */
return cipher == WPA_CIPHER_CCMP_256 ||
cipher == WPA_CIPHER_GCMP_256 ||
cipher == WPA_CIPHER_CCMP ||
cipher == WPA_CIPHER_GCMP ||
cipher == WPA_CIPHER_TKIP;
+#endif /* CONFIG_NO_TKIP */
}
@@ -2476,8 +2483,10 @@ int wpa_parse_cipher(const char *value)
val |= WPA_CIPHER_CCMP;
else if (os_strcmp(start, "GCMP") == 0)
val |= WPA_CIPHER_GCMP;
+#ifndef CONFIG_NO_TKIP
else if (os_strcmp(start, "TKIP") == 0)
val |= WPA_CIPHER_TKIP;
+#endif /* CONFIG_NO_TKIP */
#ifdef CONFIG_WEP
else if (os_strcmp(start, "WEP104") == 0)
val |= WPA_CIPHER_WEP104;
diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
index da58159..c0ef689 100644
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -22,6 +22,15 @@
#define OWE_DH_GROUP 19
+#ifdef CONFIG_NO_TKIP
+#define WPA_ALLOWED_PAIRWISE_CIPHERS \
+(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_NONE | \
+WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
+#define WPA_ALLOWED_GROUP_CIPHERS \
+(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | \
+WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \
+WPA_CIPHER_GTK_NOT_USED)
+#else /* CONFIG_NO_TKIP */
#define WPA_ALLOWED_PAIRWISE_CIPHERS \
(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_NONE | \
WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
@@ -29,6 +38,7 @@ WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | \
WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \
WPA_CIPHER_GTK_NOT_USED)
+#endif /* CONFIG_NO_TKIP */
#define WPA_ALLOWED_GROUP_MGMT_CIPHERS \
(WPA_CIPHER_AES_128_CMAC | WPA_CIPHER_BIP_GMAC_128 | WPA_CIPHER_BIP_GMAC_256 | \
WPA_CIPHER_BIP_CMAC_256)
diff --git a/src/wps/wps_attr_build.c b/src/wps/wps_attr_build.c
index 5ec7133..f372256 100644
--- a/src/wps/wps_attr_build.c
+++ b/src/wps/wps_attr_build.c
@@ -310,6 +310,9 @@ int wps_build_auth_type_flags(struct wps_data *wps, struct wpabuf *msg)
auth_types &= ~WPS_AUTH_WPA;
auth_types &= ~WPS_AUTH_WPA2;
auth_types &= ~WPS_AUTH_SHARED;
+#ifdef CONFIG_NO_TKIP
+ auth_types &= ~WPS_AUTH_WPAPSK;
+#endif /* CONFIG_NO_TKIP */
#ifdef CONFIG_WPS_TESTING
if (wps_force_auth_types_in_use) {
wpa_printf(MSG_DEBUG,
@@ -331,6 +334,9 @@ int wps_build_encr_type_flags(struct wps_data *wps, struct wpabuf *msg)
{
u16 encr_types = WPS_ENCR_TYPES;
encr_types &= ~WPS_ENCR_WEP;
+#ifdef CONFIG_NO_TKIP
+ encr_types &= ~WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
#ifdef CONFIG_WPS_TESTING
if (wps_force_encr_types_in_use) {
wpa_printf(MSG_DEBUG,
diff --git a/src/wps/wps_enrollee.c b/src/wps/wps_enrollee.c
index 80ed603..819cd43 100644
--- a/src/wps/wps_enrollee.c
+++ b/src/wps/wps_enrollee.c
@@ -880,6 +880,17 @@ static int wps_process_ap_settings_e(struct wps_data *wps,
cred.auth_type |= WPS_AUTH_WPA2PSK;
}
+#ifdef CONFIG_NO_TKIP
+ if (cred.encr_type & WPS_ENCR_TKIP) {
+ wpa_printf(MSG_DEBUG, "WPS: Disable encr_type TKIP");
+ cred.encr_type &= ~WPS_ENCR_TKIP;
+ }
+ if (cred.auth_type & WPS_AUTH_WPAPSK) {
+ wpa_printf(MSG_DEBUG, "WPS: Disable auth_type WPAPSK");
+ cred.auth_type &= ~WPS_AUTH_WPAPSK;
+ }
+#endif /* CONFIG_NO_TKIP */
+
if (wps->wps->cred_cb) {
cred.cred_attr = wpabuf_head(attrs);
cred.cred_attr_len = wpabuf_len(attrs);
diff --git a/src/wps/wps_registrar.c b/src/wps/wps_registrar.c
index 9ee89ae..9e1ee36 100644
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@@ -1677,8 +1677,10 @@ int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
wps->wps->auth_types, wps->auth_type);
if (wps->auth_type & WPS_AUTH_WPA2PSK)
wps->auth_type = WPS_AUTH_WPA2PSK;
+#ifndef CONFIG_NO_TKIP
else if (wps->auth_type & WPS_AUTH_WPAPSK)
wps->auth_type = WPS_AUTH_WPAPSK;
+#endif /* CONFIG_NO_TKIP */
else if (wps->auth_type & WPS_AUTH_OPEN)
wps->auth_type = WPS_AUTH_OPEN;
else {
@@ -1700,8 +1702,10 @@ int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
wps->auth_type == WPS_AUTH_WPAPSK) {
if (wps->encr_type & WPS_ENCR_AES)
wps->encr_type = WPS_ENCR_AES;
+#ifndef CONFIG_NO_TKIP
else if (wps->encr_type & WPS_ENCR_TKIP)
wps->encr_type = WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
else {
wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
"type for WPA/WPA2");
diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index e44b366..a08da4d 100644
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -387,6 +387,10 @@ ifdef CONFIG_WEP
L_CFLAGS += -DCONFIG_WEP
endif
+ifdef CONFIG_NO_TKIP
+L_CFLAGS += -DCONFIG_NO_TKIP
+endif
+
include $(LOCAL_PATH)/src/drivers/drivers.mk
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 6138a31..7a02027 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1852,6 +1852,10 @@ ifdef CONFIG_WEP
CFLAGS += -DCONFIG_WEP
endif
+ifdef CONFIG_NO_TKIP
+CFLAGS += -DCONFIG_NO_TKIP
+endif
+
ifndef LDO
LDO=$(CC)
endif
diff --git a/wpa_supplicant/config_ssid.h b/wpa_supplicant/config_ssid.h
index 979f868..1e2c322 100644
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@@ -19,8 +19,13 @@
EAPOL_FLAG_REQUIRE_KEY_BROADCAST)
#define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
#define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
+#ifdef CONFIG_NO_TKIP
+#define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP)
+#define DEFAULT_GROUP (WPA_CIPHER_CCMP)
+#else /* CONFIG_NO_TKIP */
#define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
#define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
+#endif /* CONFIG_NO_TKIP */
#define DEFAULT_FRAGMENT_SIZE 1398
#define DEFAULT_BG_SCAN_PERIOD -1
diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index ae7cc8f..13e2f41 100644
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -3959,7 +3959,9 @@ static const struct cipher_info ciphers[] = {
{ WPA_DRIVER_CAPA_ENC_GCMP_256, "GCMP-256", 0 },
{ WPA_DRIVER_CAPA_ENC_CCMP, "CCMP", 0 },
{ WPA_DRIVER_CAPA_ENC_GCMP, "GCMP", 0 },
+#ifndef CONFIG_NO_TKIP
{ WPA_DRIVER_CAPA_ENC_TKIP, "TKIP", 0 },
+#endif /* CONFIG_NO_TKIP */
{ WPA_DRIVER_CAPA_KEY_MGMT_WPA_NONE, "NONE", 0 },
#ifdef CONFIG_WEP
{ WPA_DRIVER_CAPA_ENC_WEP104, "WEP104", 1 },
@@ -3990,7 +3992,11 @@ static int ctrl_iface_get_capability_pairwise(int res, char *strict,
if (res < 0) {
if (strict)
return 0;
+#ifdef CONFIG_NO_TKIP
+ len = os_strlcpy(buf, "CCMP NONE", buflen);
+#else /* CONFIG_NO_TKIP */
len = os_strlcpy(buf, "CCMP TKIP NONE", buflen);
+#endif /* CONFIG_NO_TKIP */
if (len >= buflen)
return -1;
return len;
@@ -4027,9 +4033,17 @@ static int ctrl_iface_get_capability_group(int res, char *strict,
if (strict)
return 0;
#ifdef CONFIG_WEP
+#ifdef CONFIG_NO_TKIP
+ len = os_strlcpy(buf, "CCMP WEP104 WEP40", buflen);
+#else /* CONFIG_NO_TKIP */
len = os_strlcpy(buf, "CCMP TKIP WEP104 WEP40", buflen);
+#endif /* CONFIG_NO_TKIP */
#else /* CONFIG_WEP */
+#ifdef CONFIG_NO_TKIP
+ len = os_strlcpy(buf, "CCMP", buflen);
+#else /* CONFIG_NO_TKIP */
len = os_strlcpy(buf, "CCMP TKIP", buflen);
+#endif /* CONFIG_NO_TKIP */
#endif /* CONFIG_WEP */
if (len >= buflen)
return -1;
diff --git a/wpa_supplicant/dbus/dbus_new.c b/wpa_supplicant/dbus/dbus_new.c
index e9e77bd..793a881 100644
--- a/wpa_supplicant/dbus/dbus_new.c
+++ b/wpa_supplicant/dbus/dbus_new.c
@@ -750,10 +750,12 @@ void wpas_dbus_signal_wps_cred(struct wpa_supplicant *wpa_s,
if (cred->auth_type & WPS_AUTH_OPEN)
auth_type[at_num++] = "open";
+#ifndef CONFIG_NO_TKIP
if (cred->auth_type & WPS_AUTH_WPAPSK)
auth_type[at_num++] = "wpa-psk";
if (cred->auth_type & WPS_AUTH_WPA)
auth_type[at_num++] = "wpa-eap";
+#endif /* CONFIG_NO_TKIP */
if (cred->auth_type & WPS_AUTH_WPA2)
auth_type[at_num++] = "wpa2-eap";
if (cred->auth_type & WPS_AUTH_WPA2PSK)
@@ -761,8 +763,10 @@ void wpas_dbus_signal_wps_cred(struct wpa_supplicant *wpa_s,
if (cred->encr_type & WPS_ENCR_NONE)
encr_type[et_num++] = "none";
+#ifndef CONFIG_NO_TKIP
if (cred->encr_type & WPS_ENCR_TKIP)
encr_type[et_num++] = "tkip";
+#endif /* CONFIG_NO_TKIP */
if (cred->encr_type & WPS_ENCR_AES)
encr_type[et_num++] = "aes";
diff --git a/wpa_supplicant/dbus/dbus_new_handlers.c b/wpa_supplicant/dbus/dbus_new_handlers.c
index 4e17e31..d1f9607 100644
--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@@ -2632,7 +2632,11 @@ dbus_bool_t wpas_dbus_getter_capabilities(
/***** pairwise cipher */
if (res < 0) {
+#ifdef CONFIG_NO_TKIP
+ const char *args[] = {"ccmp", "none"};
+#else /* CONFIG_NO_TKIP */
const char *args[] = {"ccmp", "tkip", "none"};
+#endif /* CONFIG_NO_TKIP */
if (!wpa_dbus_dict_append_string_array(
&iter_dict, "Pairwise", args,
@@ -2655,9 +2659,11 @@ dbus_bool_t wpas_dbus_getter_capabilities(
((capa.enc & WPA_DRIVER_CAPA_ENC_GCMP) &&
!wpa_dbus_dict_string_array_add_element(
&iter_array, "gcmp")) ||
+#ifndef CONFIG_NO_TKIP
((capa.enc & WPA_DRIVER_CAPA_ENC_TKIP) &&
!wpa_dbus_dict_string_array_add_element(
&iter_array, "tkip")) ||
+#endif /* CONFIG_NO_TKIP */
((capa.key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA_NONE) &&
!wpa_dbus_dict_string_array_add_element(
&iter_array, "none")) ||
@@ -2671,7 +2677,10 @@ dbus_bool_t wpas_dbus_getter_capabilities(
/***** group cipher */
if (res < 0) {
const char *args[] = {
- "ccmp", "tkip",
+ "ccmp",
+#ifndef CONFIG_NO_TKIP
+ "tkip",
+#endif /* CONFIG_NO_TKIP */
#ifdef CONFIG_WEP
"wep104", "wep40"
#endif /* CONFIG_WEP */
@@ -2698,9 +2707,11 @@ dbus_bool_t wpas_dbus_getter_capabilities(
((capa.enc & WPA_DRIVER_CAPA_ENC_GCMP) &&
!wpa_dbus_dict_string_array_add_element(
&iter_array, "gcmp")) ||
+#ifndef CONFIG_NO_TKIP
((capa.enc & WPA_DRIVER_CAPA_ENC_TKIP) &&
!wpa_dbus_dict_string_array_add_element(
&iter_array, "tkip")) ||
+#endif /* CONFIG_NO_TKIP */
#ifdef CONFIG_WEP
((capa.enc & WPA_DRIVER_CAPA_ENC_WEP104) &&
!wpa_dbus_dict_string_array_add_element(
@@ -4759,9 +4770,11 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop(
group = "wep104";
break;
#endif /* CONFIG_WEP */
+#ifndef CONFIG_NO_TKIP
case WPA_CIPHER_TKIP:
group = "tkip";
break;
+#endif /* CONFIG_NO_TKIP */
case WPA_CIPHER_CCMP:
group = "ccmp";
break;
@@ -4784,8 +4797,10 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop(
/* Pairwise */
n = 0;
+#ifndef CONFIG_NO_TKIP
if (ie_data->pairwise_cipher & WPA_CIPHER_TKIP)
pairwise[n++] = "tkip";
+#endif /* CONFIG_NO_TKIP */
if (ie_data->pairwise_cipher & WPA_CIPHER_CCMP)
pairwise[n++] = "ccmp";
if (ie_data->pairwise_cipher & WPA_CIPHER_GCMP)
diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig
index a87b586..cbe49c8 100644
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@@ -611,3 +611,12 @@ CONFIG_DPP=y
# release under this optional build parameter. This functionality is subject to
# be completely removed in a future release.
#CONFIG_WEP=y
+
+# Remove all TKIP functionality
+# TKIP is an old cryptographic data confidentiality algorithm that is not
+# considered secure. It should not be used anymore for anything else than a
+# backwards compatibility option as a group cipher when connecting to APs that
+# use WPA+WPA2 mixed mode. For now, the default wpa_supplicant build includes
+# support for this by default, but that functionality is subject to be removed
+# in the future.
+#CONFIG_NO_TKIP=y
diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index a10c34c..d34e059 100644
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1618,8 +1618,13 @@ int wpas_wps_init(struct wpa_supplicant *wpa_s)
os_memcpy(wps->dev.mac_addr, wpa_s->own_addr, ETH_ALEN);
wpas_wps_set_uuid(wpa_s, wps);
+#ifdef CONFIG_NO_TKIP
+ wps->auth_types = WPS_AUTH_WPA2PSK;
+ wps->encr_types = WPS_ENCR_AES;
+#else /* CONFIG_NO_TKIP */
wps->auth_types = WPS_AUTH_WPA2PSK | WPS_AUTH_WPAPSK;
wps->encr_types = WPS_ENCR_AES | WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
os_memset(&rcfg, 0, sizeof(rcfg));
rcfg.new_psk_cb = wpas_wps_new_psk_cb;