jolheiser/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nixos/hostapd: rewrite to support multi-AP, password from file, and more

Browse Source 
At this point this is basically a full rewrite of this module, which
is a breaking change and was necessary to properly expose the useful
parts of hostapd's config. The notable changes are:

- `hostapd` is now started with additional systemd sandbox/hardening options
- A single-daemon can now manage multiple distinct radios and BSSs, which is
  why all configuration had to be moved into `hostapd.radios`
- By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are
  supported, too
- Added passwordFile-like options for wpa and sae
- Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration
- Implements RFC42 as far as reasonable for hostapd
- Removes `with lib;`
This commit is contained in:
oddlama 2023-03-22 00:49:08 +01:00
parent 4bec3f2043
commit 1fa9f03eec
No known key found for this signature in database
GPG Key ID: 14EFE510775FE39A
4 changed files with 1422 additions and 245 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
nixos/doc/manual/release-notes/rl-2311.section.md
View File

@ -4,6 +4,8 @@
- FoundationDB now defaults to major version 7.
- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package, along with a significant rework of the hostapd module.
## New Services {#sec-release-23.11-new-services}
- Create the first release note entry in this section!
@ -22,8 +24,6 @@
- [Apache Guacamole](https://guacamole.apache.org/), a cross-platform, clientless remote desktop gateway. Available as [services.guacamole-server](#opt-services.guacamole-server.enable) and [services.guacamole-client](#opt-services.guacamole-client.enable) services.
- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package.
## Backward Incompatibilities {#sec-release-23.11-incompatibilities}
- `python3.pkgs.sequoia` was removed in favor of `python3.pkgs.pysequoia`. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from [gitlab:sequoia-pgp/sequoia](https://gitlab.com/sequoia-pgp/sequoia) were removed long ago.
@ -32,6 +32,12 @@
- The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`.
- The `services.hostapd` module was rewritten to support `passwordFile` like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.
- `hostapd` is now started with additional systemd sandbox/hardening options for better security.
- `services.hostapd.interface` was replaced with a per-radio and per-bss configuration scheme using [services.hostapd.radios](#opt-services.hostapd.radios).
- `services.hostapd.wpa` has been replaced by [services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword](#opt-services.hostapd.radios._name_.networks._name_.authentication.wpaPassword) and [services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords](#opt-services.hostapd.radios._name_.networks._name_.authentication.saePasswords) which configure WPA2-PSK and WP3-SAE respectively.
- The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.
- `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`.
- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.

1417
nixos/modules/services/networking/hostapd.nix
View File

File diff suppressed because it is too large Load Diff

235
nixos/tests/wpa_supplicant.nix
View File

@ -2,63 +2,159 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
{
name = "wpa_supplicant";
meta = with lib.maintainers; {
maintainers = [ rnhmjoj ];
maintainers = [ oddlama rnhmjoj ];
};
nodes.machine = { ... }: {
imports = [ ../modules/profiles/minimal.nix ];
nodes = let
machineWithHostapd = extraConfigModule: { ... }: {
imports = [
../modules/profiles/minimal.nix
extraConfigModule
];
# add a virtual wlan interface
boot.kernelModules = [ "mac80211_hwsim" ];
# add a virtual wlan interface
boot.kernelModules = [ "mac80211_hwsim" ];
# wireless access point
services.hostapd = {
enable = true;
wpa = true;
interface = "wlan0";
ssid = "nixos-test";
wpaPassphrase = "reproducibility";
};
# wireless client
networking.wireless = {
# the override is needed because the wifi is
# disabled with mkVMOverride in qemu-vm.nix.
enable = lib.mkOverride 0 true;
userControlled.enable = true;
interfaces = [ "wlan1" ];
fallbackToWPA2 = true;
networks = {
# test WPA2 fallback
mixed-wpa = {
psk = "password";
authProtocols = [ "WPA-PSK" "SAE" ];
# wireless access point
services.hostapd = {
enable = true;
radios.wlan0 = {
band = "2g";
countryCode = "US";
networks = {
wlan0 = {
ssid = "nixos-test-sae";
authentication = {
mode = "wpa3-sae";
saePasswords = [ { password = "reproducibility"; } ];
};
bssid = "02:00:00:00:00:00";
};
wlan0-1 = {
ssid = "nixos-test-mixed";
authentication = {
mode = "wpa3-sae-transition";
saePasswordsFile = pkgs.writeText "password" "reproducibility";
wpaPasswordFile = pkgs.writeText "password" "reproducibility";
};
bssid = "02:00:00:00:00:01";
};
wlan0-2 = {
ssid = "nixos-test-wpa2";
authentication = {
mode = "wpa2-sha256";
wpaPassword = "reproducibility";
};
bssid = "02:00:00:00:00:02";
};
};
};
sae-only = {
psk = "password";
authProtocols = [ "SAE" ];
};
# test network
nixos-test.psk = "@PSK_NIXOS_TEST@";
# secrets substitution test cases
test1.psk = "@PSK_VALID@"; # should be replaced
test2.psk = "@PSK_SPECIAL@"; # should be replaced
test3.psk = "@PSK_MISSING@"; # should not be replaced
test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
};
# secrets
environmentFile = pkgs.writeText "wpa-secrets" ''
PSK_NIXOS_TEST="reproducibility"
PSK_VALID="S0m3BadP4ssw0rd";
# taken from https://github.com/minimaxir/big-list-of-naughty-strings
PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
'';
# wireless client
networking.wireless = {
# the override is needed because the wifi is
# disabled with mkVMOverride in qemu-vm.nix.
enable = lib.mkOverride 0 true;
userControlled.enable = true;
interfaces = [ "wlan1" ];
fallbackToWPA2 = lib.mkDefault true;
# networks will be added on-demand below for the specific
# network that should be tested
# secrets
environmentFile = pkgs.writeText "wpa-secrets" ''
PSK_NIXOS_TEST="reproducibility"
'';
};
};
in {
basic = { ... }: {
imports = [ ../modules/profiles/minimal.nix ];
# add a virtual wlan interface
boot.kernelModules = [ "mac80211_hwsim" ];
# wireless client
networking.wireless = {
# the override is needed because the wifi is
# disabled with mkVMOverride in qemu-vm.nix.
enable = lib.mkOverride 0 true;
userControlled.enable = true;
interfaces = [ "wlan1" ];
fallbackToWPA2 = true;
networks = {
# test WPA2 fallback
mixed-wpa = {
psk = "password";
authProtocols = [ "WPA-PSK" "SAE" ];
};
sae-only = {
psk = "password";
authProtocols = [ "SAE" ];
};
# secrets substitution test cases
test1.psk = "@PSK_VALID@"; # should be replaced
test2.psk = "@PSK_SPECIAL@"; # should be replaced
test3.psk = "@PSK_MISSING@"; # should not be replaced
test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
};
# secrets
environmentFile = pkgs.writeText "wpa-secrets" ''
PSK_VALID="S0m3BadP4ssw0rd";
# taken from https://github.com/minimaxir/big-list-of-naughty-strings
PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
'';
};
};
# Test connecting to the SAE-only hotspot using SAE
machineSae = machineWithHostapd {
networking.wireless = {
fallbackToWPA2 = false;
networks.nixos-test-sae = {
psk = "@PSK_NIXOS_TEST@";
authProtocols = [ "SAE" ];
};
};
};
# Test connecting to the SAE and WPA2 mixed hotspot using SAE
machineMixedUsingSae = machineWithHostapd {
networking.wireless = {
fallbackToWPA2 = false;
networks.nixos-test-mixed = {
psk = "@PSK_NIXOS_TEST@";
authProtocols = [ "SAE" ];
};
};
};
# Test connecting to the SAE and WPA2 mixed hotspot using WPA2
machineMixedUsingWpa2 = machineWithHostapd {
networking.wireless = {
fallbackToWPA2 = true;
networks.nixos-test-mixed = {
psk = "@PSK_NIXOS_TEST@";
authProtocols = [ "WPA-PSK-SHA256" ];
};
};
};
# Test connecting to the WPA2 legacy hotspot using WPA2
machineWpa2 = machineWithHostapd {
networking.wireless = {
fallbackToWPA2 = true;
networks.nixos-test-wpa2 = {
psk = "@PSK_NIXOS_TEST@";
authProtocols = [ "WPA-PSK-SHA256" ];
};
};
};
};
testScript =
@ -66,30 +162,47 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
config_file = "/run/wpa_supplicant/wpa_supplicant.conf"
with subtest("Configuration file is inaccessible to other users"):
machine.wait_for_file(config_file)
machine.fail(f"sudo -u nobody ls {config_file}")
basic.wait_for_file(config_file)
basic.fail(f"sudo -u nobody ls {config_file}")
with subtest("Secrets variables have been substituted"):
machine.fail(f"grep -q @PSK_VALID@ {config_file}")
machine.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
machine.succeed(f"grep -q @PSK_MISSING@ {config_file}")
machine.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
basic.fail(f"grep -q @PSK_VALID@ {config_file}")
basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
basic.succeed(f"grep -q @PSK_MISSING@ {config_file}")
basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
with subtest("WPA2 fallbacks have been generated"):
assert int(machine.succeed(f"grep -c sae-only {config_file}")) == 1
assert int(machine.succeed(f"grep -c mixed-wpa {config_file}")) == 2
assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1
assert int(basic.succeed(f"grep -c mixed-wpa {config_file}")) == 2
# save file for manual inspection
machine.copy_from_vm(config_file)
basic.copy_from_vm(config_file)
with subtest("Daemon is running and accepting connections"):
machine.wait_for_unit("wpa_supplicant-wlan1.service")
status = machine.succeed("wpa_cli -i wlan1 status")
basic.wait_for_unit("wpa_supplicant-wlan1.service")
status = basic.succeed("wpa_cli -i wlan1 status")
assert "Failed to connect" not in status, \
"Failed to connect to the daemon"
with subtest("Daemon can connect to the access point"):
machine.wait_until_succeeds(
machineSae.wait_for_unit("hostapd.service")
machineSae.copy_from_vm("/run/hostapd/wlan0.hostapd.conf")
with subtest("Daemon can connect to the SAE access point using SAE"):
machineSae.wait_until_succeeds(
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
)
with subtest("Daemon can connect to the SAE and WPA2 mixed access point using SAE"):
machineMixedUsingSae.wait_until_succeeds(
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
)
with subtest("Daemon can connect to the SAE and WPA2 mixed access point using WPA2"):
machineMixedUsingWpa2.wait_until_succeeds(
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
)
with subtest("Daemon can connect to the WPA2 access point using WPA2"):
machineWpa2.wait_until_succeeds(
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
)
'';

5
pkgs/os-specific/linux/hostapd/default.nix
View File

@ -60,11 +60,6 @@ stdenv.mkDerivation rec {
# TKIP is considered insecure and upstream support will be removed in the future
CONFIG_NO_TKIP=y
# Enable Wi-Fi Protected Setup
CONFIG_WPS=y
CONFIG_WPS_UPNP=y
CONFIG_WPS_NFC=y
# Misc
CONFIG_RADIUS_SERVER=y
CONFIG_FULL_DYNAMIC_VLAN=y