problem with wpa_supplicant 2.10

Jouni Malinen j at w1.fi
Fri Apr 1 01:17:22 PDT 2022


On Thu, Mar 31, 2022 at 12:19:30PM +0200, Mathias wrote:
> Thanks for the quick reply. My wifi router is set to accept both TKIP
> and AES so I thought that wpa_supplicant and the router would negotiate
> to use AES in this case, instead of refusing to connect. Gentoo has a
> way of letting me mess with build flags that I suppose controls
> CONFIG_NO_TKIP and, this way, 2.10 is now working for me.
> 
> However, if I wanted to run wpa_supplicant with TKIP disabled, I would
> still expect it to connect to an AP that allows both AES and TKIP.

While such an AP allows the pairwise cipher (i.e., unicast data) to be
negotiated to use CCMP (AES), that configuration will result in the
group cipher (i.e., multicast/broadcast data) using TKIP.
CONFIG_NO_TKIP=y removes all support of TKIP and it will prevent
connections with this type of an AP. As such, I'm a bit surprised if
someone is already defining that for general purpose builds. It would be
more reasonable to use runtime configuration to disallow use of TKIP as
the pairwise cipher and allow TKIP to be used as the group cipher as
long as this type of WPA2-Personal mixed mode AP configuration continues
to be used widely. The runtime configuration can also disallow use of
TKIP as the group cipher on a per-network basis, so CONFIG_NO_TKIP=y is
not really needed to prevent TKIP from being used.

-- 
Jouni Malinen                                            PGP id EFC895FA
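
The pairwise/group distinction described in the reply above can be seen in the RSN element a mixed mode AP advertises. The following is an added example, not code from the original message or from wpa_supplicant: it parses a constructed RSN element and applies a simplified cipher check. The names `parse_rsn`, `can_connect` and `MIXED_AP` are hypothetical, and the allowed sets stand in for the `pairwise=` and `group=` network options.

```python
import struct

# Cipher suite selectors from IEEE 802.11 (OUI 00-0F-AC + suite type).
SUITES = {b"\x00\x0f\xac\x02": "TKIP", b"\x00\x0f\xac\x04": "CCMP"}

def parse_rsn(ie: bytes):
    """Return (group_cipher, pairwise_ciphers) from an RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if len(body) < 8 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported or truncated RSN element")
    group = SUITES.get(body[2:6], "UNKNOWN")
    count = struct.unpack_from("<H", body, 6)[0]
    if len(body) < 8 + 4 * count:
        raise ValueError("pairwise suite list truncated")
    pairwise = [SUITES.get(body[8 + 4 * i:12 + 4 * i], "UNKNOWN") for i in range(count)]
    return group, pairwise

def can_connect(ie, allowed_pairwise, allowed_group):
    """Simplified model (assumption, not wpa_supplicant's own logic): the AP
    dictates the group cipher; the pairwise cipher comes from the overlap."""
    group, pairwise = parse_rsn(ie)
    usable = [c for c in pairwise if c in allowed_pairwise]
    return group in allowed_group and bool(usable), group, usable

# Constructed RSN element for a mixed mode AP (sample data, not a capture).
MIXED_AP = bytes.fromhex(
    "30" "18"                      # element ID 48, length 24
    "0100"                         # version 1
    "000fac02"                     # group cipher: TKIP
    "0200" "000fac04" "000fac02"   # two pairwise suites: CCMP, TKIP
    "0100" "000fac02"              # one AKM suite: PSK
    "0000"                         # RSN capabilities
)

if __name__ == "__main__":
    policies = {
        "no TKIP at all (like CONFIG_NO_TKIP=y)": ({"CCMP"}, {"CCMP"}),
        "pairwise=CCMP, group=CCMP TKIP": ({"CCMP"}, {"CCMP", "TKIP"}),
    }
    for name, (pw, grp) in policies.items():
        print(name, "->", can_connect(MIXED_AP, pw, grp))
```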


