Allow TKIP support to be removed from build

Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from hostapd and wpa_supplicant builds. This disables use of TKIP as both the pairwise and group cipher. The end result does not interoperate with a WPA(v1)-only device or WPA+WPA2 mixed modes. Signed-off-by: Disha Das <dishad@codeaurora.org>
2020-04-09 09:42:21 +05:30 · 2020-04-09 09:42:21 +05:30 · 6b1c590ebb
commit 6b1c590ebb
parent 11bd6ea60e
18 changed files with 165 additions and 1 deletions
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@ -314,6 +314,10 @@ ifdef CONFIG_WEP
 L_CFLAGS += -DCONFIG_WEP
 endif

+ifdef CONFIG_NO_TKIP
+L_CFLAGS += -DCONFIG_NO_TKIP
+endif
+

 include $(LOCAL_PATH)/src/drivers/drivers.mk

--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@ -1243,6 +1243,10 @@ ifdef CONFIG_WEP
 CFLAGS += -DCONFIG_WEP
 endif

+ifdef CONFIG_NO_TKIP
+CFLAGS += -DCONFIG_NO_TKIP
+endif
+
 ALL=hostapd hostapd_cli

 all: verify_config $(ALL)
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@ -388,3 +388,10 @@ CONFIG_IPV6=y
 # release under this optional build parameter. This functionality is subject to
 # be completely removed in a future release.
 #CONFIG_WEP=y
+
+# Remove all TKIP functionality
+# TKIP is an old cryptographic data confidentiality algorithm that is not
+# considered secure. It should not be used anymore. For now, the default hostapd
+# build includes this to allow mixed mode WPA+WPA2 networks to be enabled, but
+# that functionality is subject to be removed in the future.
+#CONFIG_NO_TKIP=y
--- a/src/ap/ap_config.c
+++ b/src/ap/ap_config.c
@ -74,8 +74,13 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
 	bss->wpa_disable_eapol_key_retries =
 		DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES;
 	bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
+#ifdef CONFIG_NO_TKIP
+	bss->wpa_pairwise = WPA_CIPHER_CCMP;
+	bss->wpa_group = WPA_CIPHER_CCMP;
+#else /* CONFIG_NO_TKIP */
 	bss->wpa_pairwise = WPA_CIPHER_TKIP;
 	bss->wpa_group = WPA_CIPHER_TKIP;
+#endif /* CONFIG_NO_TKIP */
 	bss->rsn_pairwise = 0;

 	bss->max_num_sta = MAX_STA_COUNT;
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
@ -364,6 +364,13 @@ static int hapd_wps_reconfig_in_memory(struct hostapd_data *hapd,
 		bss->ssid.ssid_set = 1;
 	}

+#ifdef CONFIG_NO_TKIP
+	if (cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK |
+			       WPS_AUTH_WPA | WPS_AUTH_WPAPSK))
+		bss->wpa = 2;
+	else
+		bss->wpa = 0;
+#else /* CONFIG_NO_TKIP */
 	if ((cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK)) &&
 	    (cred->auth_type & (WPS_AUTH_WPA | WPS_AUTH_WPAPSK)))
 		bss->wpa = 3;
@ -373,6 +380,7 @@ static int hapd_wps_reconfig_in_memory(struct hostapd_data *hapd,
 		bss->wpa = 1;
 	else
 		bss->wpa = 0;
+#endif /* CONFIG_NO_TKIP */

 	if (bss->wpa) {
 		if (cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA))
@ -387,8 +395,10 @@ static int hapd_wps_reconfig_in_memory(struct hostapd_data *hapd,
 			else
 				bss->wpa_pairwise |= WPA_CIPHER_CCMP;
 		}
+#ifndef CONFIG_NO_TKIP
 		if (cred->encr_type & WPS_ENCR_TKIP)
 			bss->wpa_pairwise |= WPA_CIPHER_TKIP;
+#endif /* CONFIG_NO_TKIP */
 		bss->rsn_pairwise = bss->wpa_pairwise;
 		bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
 							    bss->wpa_pairwise,
@ -559,6 +569,13 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)
 		fprintf(nconf, "\n");
 	}

+#ifdef CONFIG_NO_TKIP
+	if (cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK |
+			       WPS_AUTH_WPA | WPS_AUTH_WPAPSK))
+		wpa = 2;
+	else
+		wpa = 0;
+#else /* CONFIG_NO_TKIP */
 	if ((cred->auth_type & (WPS_AUTH_WPA2 | WPS_AUTH_WPA2PSK)) &&
 	    (cred->auth_type & (WPS_AUTH_WPA | WPS_AUTH_WPAPSK)))
 		wpa = 3;
@ -568,6 +585,7 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)
 		wpa = 1;
 	else
 		wpa = 0;
+#endif /* CONFIG_NO_TKIP */

 	if (wpa) {
 		char *prefix;
@ -611,9 +629,11 @@ static int hapd_wps_cred_cb(struct hostapd_data *hapd, void *ctx)

 			prefix = " ";
 		}
+#ifndef CONFIG_NO_TKIP
 		if (cred->encr_type & WPS_ENCR_TKIP) {
 			fprintf(nconf, "%sTKIP", prefix);
 		}
+#endif /* CONFIG_NO_TKIP */
 		fprintf(nconf, "\n");

 		if (cred->key_len >= 8 && cred->key_len < 64) {
@ -1160,12 +1180,24 @@ int hostapd_init_wps(struct hostapd_data *hapd,
 			wps->encr_types_rsn |= WPS_ENCR_AES;
 		}
 		if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
+#ifdef CONFIG_NO_TKIP
+			wpa_printf(MSG_INFO, "WPS: TKIP not supported");
+			goto fail;
+#else /* CONFIG_NO_TKIP */
 			wps->encr_types |= WPS_ENCR_TKIP;
 			wps->encr_types_rsn |= WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
 		}
 	}

 	if (conf->wpa & WPA_PROTO_WPA) {
+#ifdef CONFIG_NO_TKIP
+		if (!(conf->wpa & WPA_PROTO_RSN)) {
+			wpa_printf(MSG_INFO, "WPS: WPA(v1) not supported");
+			goto fail;
+		}
+		conf->wpa &= ~WPA_PROTO_WPA;
+#else /* CONFIG_NO_TKIP */
 		if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK)
 			wps->auth_types |= WPS_AUTH_WPAPSK;
 		if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X)
@ -1179,6 +1211,7 @@ int hostapd_init_wps(struct hostapd_data *hapd,
 			wps->encr_types |= WPS_ENCR_TKIP;
 			wps->encr_types_wpa |= WPS_ENCR_TKIP;
 		}
+#endif /* CONFIG_NO_TKIP */
 	}

 	if (conf->ssid.security_policy == SECURITY_PLAINTEXT) {
@ -1218,10 +1251,17 @@ int hostapd_init_wps(struct hostapd_data *hapd,
 	wps->ap_encr_type = wps->encr_types;
 	if (conf->wps_state == WPS_STATE_NOT_CONFIGURED) {
 		/* Override parameters to enable security by default */
+#ifdef CONFIG_NO_TKIP
+		wps->auth_types = WPS_AUTH_WPA2PSK;
+		wps->encr_types = WPS_ENCR_AES;
+		wps->encr_types_rsn = WPS_ENCR_AES;
+		wps->encr_types_wpa = WPS_ENCR_AES;
+#else /* CONFIG_NO_TKIP */
 		wps->auth_types = WPS_AUTH_WPA2PSK | WPS_AUTH_WPAPSK;
 		wps->encr_types = WPS_ENCR_AES | WPS_ENCR_TKIP;
 		wps->encr_types_rsn = WPS_ENCR_AES | WPS_ENCR_TKIP;
 		wps->encr_types_wpa = WPS_ENCR_AES | WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
 	}

 	if ((hapd->conf->multi_ap & FRONTHAUL_BSS) &&
@ -1801,8 +1841,10 @@ int hostapd_wps_config_ap(struct hostapd_data *hapd, const char *ssid,

 	if (os_strncmp(auth, "OPEN", 4) == 0)
 		cred.auth_type = WPS_AUTH_OPEN;
+#ifndef CONFIG_NO_TKIP
 	else if (os_strncmp(auth, "WPAPSK", 6) == 0)
 		cred.auth_type = WPS_AUTH_WPAPSK;
+#endif /* CONFIG_NO_TKIP */
 	else if (os_strncmp(auth, "WPA2PSK", 7) == 0)
 		cred.auth_type = WPS_AUTH_WPA2PSK;
 	else
@ -1811,8 +1853,10 @@ int hostapd_wps_config_ap(struct hostapd_data *hapd, const char *ssid,
 	if (encr) {
 		if (os_strncmp(encr, "NONE", 4) == 0)
 			cred.encr_type = WPS_ENCR_NONE;
+#ifndef CONFIG_NO_TKIP
 		else if (os_strncmp(encr, "TKIP", 4) == 0)
 			cred.encr_type = WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
 		else if (os_strncmp(encr, "CCMP", 4) == 0)
 			cred.encr_type = WPS_ENCR_AES;
 		else
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
@ -2319,11 +2319,18 @@ enum wpa_alg wpa_cipher_to_alg(int cipher)

 int wpa_cipher_valid_pairwise(int cipher)
 {
+#ifdef CONFIG_NO_TKIP
+	return cipher == WPA_CIPHER_CCMP_256 ||
+		cipher == WPA_CIPHER_GCMP_256 ||
+		cipher == WPA_CIPHER_CCMP ||
+		cipher == WPA_CIPHER_GCMP;
+#else /* CONFIG_NO_TKIP */
 	return cipher == WPA_CIPHER_CCMP_256 ||
 		cipher == WPA_CIPHER_GCMP_256 ||
 		cipher == WPA_CIPHER_CCMP ||
 		cipher == WPA_CIPHER_GCMP ||
 		cipher == WPA_CIPHER_TKIP;
+#endif /* CONFIG_NO_TKIP */
 }


@ -2476,8 +2483,10 @@ int wpa_parse_cipher(const char *value)
 			val |= WPA_CIPHER_CCMP;
 		else if (os_strcmp(start, "GCMP") == 0)
 			val |= WPA_CIPHER_GCMP;
+#ifndef CONFIG_NO_TKIP
 		else if (os_strcmp(start, "TKIP") == 0)
 			val |= WPA_CIPHER_TKIP;
+#endif /* CONFIG_NO_TKIP */
 #ifdef CONFIG_WEP
 		else if (os_strcmp(start, "WEP104") == 0)
 			val |= WPA_CIPHER_WEP104;
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@ -22,6 +22,15 @@

 #define OWE_DH_GROUP 19

+#ifdef CONFIG_NO_TKIP
+#define WPA_ALLOWED_PAIRWISE_CIPHERS \
+(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_NONE | \
+WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
+#define WPA_ALLOWED_GROUP_CIPHERS \
+(WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | \
+WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \
+WPA_CIPHER_GTK_NOT_USED)
+#else /* CONFIG_NO_TKIP */
 #define WPA_ALLOWED_PAIRWISE_CIPHERS \
 (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | WPA_CIPHER_NONE | \
 WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
@ -29,6 +38,7 @@ WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256)
 (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP | WPA_CIPHER_TKIP | \
 WPA_CIPHER_GCMP_256 | WPA_CIPHER_CCMP_256 | \
 WPA_CIPHER_GTK_NOT_USED)
+#endif /* CONFIG_NO_TKIP */
 #define WPA_ALLOWED_GROUP_MGMT_CIPHERS \
 (WPA_CIPHER_AES_128_CMAC | WPA_CIPHER_BIP_GMAC_128 | WPA_CIPHER_BIP_GMAC_256 | \
 WPA_CIPHER_BIP_CMAC_256)
--- a/src/wps/wps_attr_build.c
+++ b/src/wps/wps_attr_build.c
@ -310,6 +310,9 @@ int wps_build_auth_type_flags(struct wps_data *wps, struct wpabuf *msg)
 	auth_types &= ~WPS_AUTH_WPA;
 	auth_types &= ~WPS_AUTH_WPA2;
 	auth_types &= ~WPS_AUTH_SHARED;
+#ifdef CONFIG_NO_TKIP
+	auth_types &= ~WPS_AUTH_WPAPSK;
+#endif /* CONFIG_NO_TKIP */
 #ifdef CONFIG_WPS_TESTING
 	if (wps_force_auth_types_in_use) {
 		wpa_printf(MSG_DEBUG,
@ -331,6 +334,9 @@ int wps_build_encr_type_flags(struct wps_data *wps, struct wpabuf *msg)
 {
 	u16 encr_types = WPS_ENCR_TYPES;
 	encr_types &= ~WPS_ENCR_WEP;
+#ifdef CONFIG_NO_TKIP
+	encr_types &= ~WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
 #ifdef CONFIG_WPS_TESTING
 	if (wps_force_encr_types_in_use) {
 		wpa_printf(MSG_DEBUG,
--- a/src/wps/wps_enrollee.c
+++ b/src/wps/wps_enrollee.c
@ -880,6 +880,17 @@ static int wps_process_ap_settings_e(struct wps_data *wps,
 		cred.auth_type |= WPS_AUTH_WPA2PSK;
 	}

+#ifdef CONFIG_NO_TKIP
+	if (cred.encr_type & WPS_ENCR_TKIP) {
+		wpa_printf(MSG_DEBUG, "WPS: Disable encr_type TKIP");
+		cred.encr_type &= ~WPS_ENCR_TKIP;
+	}
+	if (cred.auth_type & WPS_AUTH_WPAPSK) {
+		wpa_printf(MSG_DEBUG, "WPS: Disable auth_type WPAPSK");
+		cred.auth_type &= ~WPS_AUTH_WPAPSK;
+	}
+#endif /* CONFIG_NO_TKIP */
+
 	if (wps->wps->cred_cb) {
 		cred.cred_attr = wpabuf_head(attrs);
 		cred.cred_attr_len = wpabuf_len(attrs);
--- a/src/wps/wps_registrar.c
+++ b/src/wps/wps_registrar.c
@ -1677,8 +1677,10 @@ int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
 		   wps->wps->auth_types, wps->auth_type);
 	if (wps->auth_type & WPS_AUTH_WPA2PSK)
 		wps->auth_type = WPS_AUTH_WPA2PSK;
+#ifndef CONFIG_NO_TKIP
 	else if (wps->auth_type & WPS_AUTH_WPAPSK)
 		wps->auth_type = WPS_AUTH_WPAPSK;
+#endif /* CONFIG_NO_TKIP */
 	else if (wps->auth_type & WPS_AUTH_OPEN)
 		wps->auth_type = WPS_AUTH_OPEN;
 	else {
@ -1700,8 +1702,10 @@ int wps_build_cred(struct wps_data *wps, struct wpabuf *msg)
 	    wps->auth_type == WPS_AUTH_WPAPSK) {
 		if (wps->encr_type & WPS_ENCR_AES)
 			wps->encr_type = WPS_ENCR_AES;
+#ifndef CONFIG_NO_TKIP
 		else if (wps->encr_type & WPS_ENCR_TKIP)
 			wps->encr_type = WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */
 		else {
 			wpa_printf(MSG_DEBUG, "WPS: No suitable encryption "
 				   "type for WPA/WPA2");
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@ -387,6 +387,10 @@ ifdef CONFIG_WEP
 L_CFLAGS += -DCONFIG_WEP
 endif

+ifdef CONFIG_NO_TKIP
+L_CFLAGS += -DCONFIG_NO_TKIP
+endif
+

 include $(LOCAL_PATH)/src/drivers/drivers.mk

--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@ -1852,6 +1852,10 @@ ifdef CONFIG_WEP
 CFLAGS += -DCONFIG_WEP
 endif

+ifdef CONFIG_NO_TKIP
+CFLAGS += -DCONFIG_NO_TKIP
+endif
+
 ifndef LDO
 LDO=$(CC)
 endif
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
@ -19,8 +19,13 @@
 			     EAPOL_FLAG_REQUIRE_KEY_BROADCAST)
 #define DEFAULT_PROTO (WPA_PROTO_WPA | WPA_PROTO_RSN)
 #define DEFAULT_KEY_MGMT (WPA_KEY_MGMT_PSK | WPA_KEY_MGMT_IEEE8021X)
+#ifdef CONFIG_NO_TKIP
+#define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP)
+#define DEFAULT_GROUP (WPA_CIPHER_CCMP)
+#else /* CONFIG_NO_TKIP */
 #define DEFAULT_PAIRWISE (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
 #define DEFAULT_GROUP (WPA_CIPHER_CCMP | WPA_CIPHER_TKIP)
+#endif /* CONFIG_NO_TKIP */
 #define DEFAULT_FRAGMENT_SIZE 1398

 #define DEFAULT_BG_SCAN_PERIOD -1
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@ -3959,7 +3959,9 @@ static const struct cipher_info ciphers[] = {
 	{ WPA_DRIVER_CAPA_ENC_GCMP_256, "GCMP-256", 0 },
 	{ WPA_DRIVER_CAPA_ENC_CCMP, "CCMP", 0 },
 	{ WPA_DRIVER_CAPA_ENC_GCMP, "GCMP", 0 },
+#ifndef CONFIG_NO_TKIP
 	{ WPA_DRIVER_CAPA_ENC_TKIP, "TKIP", 0 },
+#endif /* CONFIG_NO_TKIP */
 	{ WPA_DRIVER_CAPA_KEY_MGMT_WPA_NONE, "NONE", 0 },
 #ifdef CONFIG_WEP
 	{ WPA_DRIVER_CAPA_ENC_WEP104, "WEP104", 1 },
@ -3990,7 +3992,11 @@ static int ctrl_iface_get_capability_pairwise(int res, char *strict,
 	if (res < 0) {
 		if (strict)
 			return 0;
+#ifdef CONFIG_NO_TKIP
+		len = os_strlcpy(buf, "CCMP NONE", buflen);
+#else /* CONFIG_NO_TKIP */
 		len = os_strlcpy(buf, "CCMP TKIP NONE", buflen);
+#endif /* CONFIG_NO_TKIP */
 		if (len >= buflen)
 			return -1;
 		return len;
@ -4027,9 +4033,17 @@ static int ctrl_iface_get_capability_group(int res, char *strict,
 		if (strict)
 			return 0;
 #ifdef CONFIG_WEP
+#ifdef CONFIG_NO_TKIP
+		len = os_strlcpy(buf, "CCMP WEP104 WEP40", buflen);
+#else /* CONFIG_NO_TKIP */
 		len = os_strlcpy(buf, "CCMP TKIP WEP104 WEP40", buflen);
+#endif /* CONFIG_NO_TKIP */
 #else /* CONFIG_WEP */
+#ifdef CONFIG_NO_TKIP
+		len = os_strlcpy(buf, "CCMP", buflen);
+#else /* CONFIG_NO_TKIP */
 		len = os_strlcpy(buf, "CCMP TKIP", buflen);
+#endif /* CONFIG_NO_TKIP */
 #endif /* CONFIG_WEP */
 		if (len >= buflen)
 			return -1;
--- a/wpa_supplicant/dbus/dbus_new.c
+++ b/wpa_supplicant/dbus/dbus_new.c
@ -750,10 +750,12 @@ void wpas_dbus_signal_wps_cred(struct wpa_supplicant *wpa_s,

 	if (cred->auth_type & WPS_AUTH_OPEN)
 		auth_type[at_num++] = "open";
+#ifndef CONFIG_NO_TKIP
 	if (cred->auth_type & WPS_AUTH_WPAPSK)
 		auth_type[at_num++] = "wpa-psk";
 	if (cred->auth_type & WPS_AUTH_WPA)
 		auth_type[at_num++] = "wpa-eap";
+#endif /* CONFIG_NO_TKIP */
 	if (cred->auth_type & WPS_AUTH_WPA2)
 		auth_type[at_num++] = "wpa2-eap";
 	if (cred->auth_type & WPS_AUTH_WPA2PSK)
@ -761,8 +763,10 @@ void wpas_dbus_signal_wps_cred(struct wpa_supplicant *wpa_s,

 	if (cred->encr_type & WPS_ENCR_NONE)
 		encr_type[et_num++] = "none";
+#ifndef CONFIG_NO_TKIP
 	if (cred->encr_type & WPS_ENCR_TKIP)
 		encr_type[et_num++] = "tkip";
+#endif /* CONFIG_NO_TKIP */
 	if (cred->encr_type & WPS_ENCR_AES)
 		encr_type[et_num++] = "aes";

--- a/wpa_supplicant/dbus/dbus_new_handlers.c
+++ b/wpa_supplicant/dbus/dbus_new_handlers.c
@ -2632,7 +2632,11 @@ dbus_bool_t wpas_dbus_getter_capabilities(

 	/***** pairwise cipher */
 	if (res < 0) {
+#ifdef CONFIG_NO_TKIP
+		const char *args[] = {"ccmp", "none"};
+#else /* CONFIG_NO_TKIP */
 		const char *args[] = {"ccmp", "tkip", "none"};
+#endif /* CONFIG_NO_TKIP */

 		if (!wpa_dbus_dict_append_string_array(
 			    &iter_dict, "Pairwise", args,
@ -2655,9 +2659,11 @@ dbus_bool_t wpas_dbus_getter_capabilities(
 		    ((capa.enc & WPA_DRIVER_CAPA_ENC_GCMP) &&
 		     !wpa_dbus_dict_string_array_add_element(
 			     &iter_array, "gcmp")) ||
+#ifndef CONFIG_NO_TKIP
 		    ((capa.enc & WPA_DRIVER_CAPA_ENC_TKIP) &&
 		     !wpa_dbus_dict_string_array_add_element(
 			     &iter_array, "tkip")) ||
+#endif /* CONFIG_NO_TKIP */
 		    ((capa.key_mgmt & WPA_DRIVER_CAPA_KEY_MGMT_WPA_NONE) &&
 		     !wpa_dbus_dict_string_array_add_element(
 			     &iter_array, "none")) ||
@ -2671,7 +2677,10 @@ dbus_bool_t wpas_dbus_getter_capabilities(
 	/***** group cipher */
 	if (res < 0) {
 		const char *args[] = {
-			"ccmp", "tkip",
+			"ccmp",
+#ifndef CONFIG_NO_TKIP
+			"tkip",
+#endif /* CONFIG_NO_TKIP */
 #ifdef CONFIG_WEP
 			"wep104", "wep40"
 #endif /* CONFIG_WEP */
@ -2698,9 +2707,11 @@ dbus_bool_t wpas_dbus_getter_capabilities(
 		    ((capa.enc & WPA_DRIVER_CAPA_ENC_GCMP) &&
 		     !wpa_dbus_dict_string_array_add_element(
 			     &iter_array, "gcmp")) ||
+#ifndef CONFIG_NO_TKIP
 		    ((capa.enc & WPA_DRIVER_CAPA_ENC_TKIP) &&
 		     !wpa_dbus_dict_string_array_add_element(
 			     &iter_array, "tkip")) ||
+#endif /* CONFIG_NO_TKIP */
 #ifdef CONFIG_WEP
 		    ((capa.enc & WPA_DRIVER_CAPA_ENC_WEP104) &&
 		     !wpa_dbus_dict_string_array_add_element(
@ -4759,9 +4770,11 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop(
 		group = "wep104";
 		break;
 #endif /* CONFIG_WEP */
+#ifndef CONFIG_NO_TKIP
 	case WPA_CIPHER_TKIP:
 		group = "tkip";
 		break;
+#endif /* CONFIG_NO_TKIP */
 	case WPA_CIPHER_CCMP:
 		group = "ccmp";
 		break;
@ -4784,8 +4797,10 @@ static dbus_bool_t wpas_dbus_get_bss_security_prop(

 	/* Pairwise */
 	n = 0;
+#ifndef CONFIG_NO_TKIP
 	if (ie_data->pairwise_cipher & WPA_CIPHER_TKIP)
 		pairwise[n++] = "tkip";
+#endif /* CONFIG_NO_TKIP */
 	if (ie_data->pairwise_cipher & WPA_CIPHER_CCMP)
 		pairwise[n++] = "ccmp";
 	if (ie_data->pairwise_cipher & WPA_CIPHER_GCMP)
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@ -611,3 +611,12 @@ CONFIG_DPP=y
 # release under this optional build parameter. This functionality is subject to
 # be completely removed in a future release.
 #CONFIG_WEP=y
+
+# Remove all TKIP functionality
+# TKIP is an old cryptographic data confidentiality algorithm that is not
+# considered secure. It should not be used anymore for anything else than a
+# backwards compatibility option as a group cipher when connecting to APs that
+# use WPA+WPA2 mixed mode. For now, the default wpa_supplicant build includes
+# support for this by default, but that functionality is subject to be removed
+# in the future.
+#CONFIG_NO_TKIP=y
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@ -1618,8 +1618,13 @@ int wpas_wps_init(struct wpa_supplicant *wpa_s)
 	os_memcpy(wps->dev.mac_addr, wpa_s->own_addr, ETH_ALEN);
 	wpas_wps_set_uuid(wpa_s, wps);

+#ifdef CONFIG_NO_TKIP
+	wps->auth_types = WPS_AUTH_WPA2PSK;
+	wps->encr_types = WPS_ENCR_AES;
+#else /* CONFIG_NO_TKIP */
 	wps->auth_types = WPS_AUTH_WPA2PSK | WPS_AUTH_WPAPSK;
 	wps->encr_types = WPS_ENCR_AES | WPS_ENCR_TKIP;
+#endif /* CONFIG_NO_TKIP */

 	os_memset(&rcfg, 0, sizeof(rcfg));
 	rcfg.new_psk_cb = wpas_wps_new_psk_cb;