author | 2016-12-20 13:27:58 +0000 | |
---|---|---|
committer | 2016-12-20 13:27:58 +0000 | |
commit | 38f9dca0b79b47cb982ace75f38457fea8029239 (patch) | |
tree | b8e4cc54f516cf344f99dd688ef476f93f0b4d50 | |
parent | Make 'ifconfig if0 wpa' and 'ifconfig if0 -wpa' reset WPA params (does not (diff) | |
Disable TKIP (WPA1) by default.
It is time for this legacy of WEP to die (remember WEP?).
The 802.11-2012 standard says:
The use of TKIP is deprecated. The TKIP algorithm is unsuitable for
the purposes of this standard.
TKIP has numerous problems, one of which is that TKIP allows a denial of
service attack which can be triggered by any client. Report 2 Michael MIC
failures to a TKIP AP to trigger "TKIP countermeasures". The AP is now
required by the 802.11 standard to lock everyone out for at least 60 seconds.
The network will remain unusable for as long as such MIC failure reports
are sent twice per minute.
TKIP remains available for interoperability purposes, for now.
It must be enabled manually with ifconfig(8).
Prompted by discussion with Mathy Vanhoef.
ok deraadt@ sthen@ reyk@
-rw-r--r-- | sys/net80211/ieee80211_crypto.c | 9 | ||||
-rw-r--r-- | sys/net80211/ieee80211_ioctl.c | 11 |
2 files changed, 9 insertions, 11 deletions
diff --git a/sys/net80211/ieee80211_crypto.c b/sys/net80211/ieee80211_crypto.c
index 6b9e26416b2..0decf6cea85 100644
--- a/sys/net80211/ieee80211_crypto.c
+++ b/sys/net80211/ieee80211_crypto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_crypto.c,v 1.67 2016/12/17 18:35:54 stsp Exp $ */
+/* $OpenBSD: ieee80211_crypto.c,v 1.68 2016/12/20 13:27:58 stsp Exp $ */
 /*-
  * Copyright (c) 2008 Damien Bergamini <damien.bergamini@free.fr>
@@ -60,11 +60,10 @@ ieee80211_crypto_attach(struct ifnet *ifp)
 TAILQ_INIT(&ic->ic_pmksa);
 if (ic->ic_caps & IEEE80211_C_RSN) {
- ic->ic_rsnprotos = IEEE80211_PROTO_WPA | IEEE80211_PROTO_RSN;
+ ic->ic_rsnprotos = IEEE80211_PROTO_RSN;
 ic->ic_rsnakms = IEEE80211_AKM_PSK;
- ic->ic_rsnciphers = IEEE80211_CIPHER_TKIP |
- IEEE80211_CIPHER_CCMP;
- ic->ic_rsngroupcipher = IEEE80211_CIPHER_TKIP;
+ ic->ic_rsnciphers = IEEE80211_CIPHER_CCMP;
+ ic->ic_rsngroupcipher = IEEE80211_CIPHER_CCMP;
 ic->ic_rsngroupmgmtcipher = IEEE80211_CIPHER_BIP;
 }
 ic->ic_set_key = ieee80211_set_key;
diff --git a/sys/net80211/ieee80211_ioctl.c b/sys/net80211/ieee80211_ioctl.c
index 53248c92063..07388f080e8 100644
--- a/sys/net80211/ieee80211_ioctl.c
+++ b/sys/net80211/ieee80211_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ieee80211_ioctl.c,v 1.45 2016/12/18 10:37:42 stsp Exp $ */
+/* $OpenBSD: ieee80211_ioctl.c,v 1.46 2016/12/20 13:27:58 stsp Exp $ */
 /* $NetBSD: ieee80211_ioctl.c,v 1.15 2004/05/06 02:58:16 dyoung Exp $ */
 /*-
@@ -264,8 +264,8 @@ ieee80211_ioctl_setwpaparms(struct ieee80211com *ic,
 ic->ic_rsnprotos |= IEEE80211_PROTO_WPA;
 if (wpa->i_protos & IEEE80211_WPA_PROTO_WPA2)
 ic->ic_rsnprotos |= IEEE80211_PROTO_RSN;
- if (ic->ic_rsnprotos == 0) /* set to default (WPA+RSN) */
- ic->ic_rsnprotos = IEEE80211_PROTO_WPA | IEEE80211_PROTO_RSN;
+ if (ic->ic_rsnprotos == 0) /* set to default (RSN) */
+ ic->ic_rsnprotos = IEEE80211_PROTO_RSN;
 ic->ic_rsnakms = 0;
 if (wpa->i_akms & IEEE80211_WPA_AKM_PSK)
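Review bot: The CCMP-only defaults set in ieee80211_crypto_attach (the `@@ -60,11 +60,10 @@` hunk) carry no comment explaining why TKIP was dropped, so a later maintainer chasing an interoperability report may simply OR it back in; suggest `/* TKIP is deprecated by 802.11-2012; it is opt-in via ifconfig(8), never a default. */` above the `ic->ic_rsnciphers = IEEE80211_CIPHER_CCMP;` line. The same default values are duplicated by hand in ieee80211_ioctl_setwpaparms (the `-264` and `-301` hunks), so the attach-time and ioctl-time defaults can drift apart; a single shared constant (name to be chosen) used by both sites would keep them in step. The group cipher default is changed to CCMP here, but the group-cipher fallback in ieee80211_ioctl_setwpaparms is not in this diff; if it still falls back to TKIP, a `wpa` configuration with no explicit groupcipher would reintroduce TKIP as the group cipher, which is worth confirming. The ieee80211_ioctl_setwpaparms hunks are cut off at the end of this page, so their trailing context was not reviewed.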
@@ -301,9 +301,8 @@ ieee80211_ioctl_setwpaparms(struct ieee80211com *ic,
 ic->ic_rsnciphers |= IEEE80211_CIPHER_CCMP;
 if (wpa->i_ciphers & IEEE80211_WPA_CIPHER_USEGROUP)
 ic->ic_rsnciphers = IEEE80211_CIPHER_USEGROUP;
- if (ic->ic_rsnciphers == 0) /* set to default (TKIP+CCMP) */
- ic->ic_rsnciphers = IEEE80211_CIPHER_TKIP |
- IEEE80211_CIPHER_CCMP;
+ if (ic->ic_rsnciphers == 0) /* set to default (CCMP) */
+ ic->ic_rsnciphers = IEEE80211_CIPHER_CCMP;
 ic->ic_flags |= IEEE80211_F_RSNON;