Merge pull request #222536 from oddlama/master
This commit is contained in:
commit
7be83143e8
@ -4,6 +4,8 @@
|
||||
|
||||
- FoundationDB now defaults to major version 7.
|
||||
|
||||
- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package, along with a significant rework of the hostapd module.
|
||||
|
||||
## New Services {#sec-release-23.11-new-services}
|
||||
|
||||
- [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable).
|
||||
@ -32,6 +34,12 @@
|
||||
|
||||
- The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`.
|
||||
|
||||
- The `services.hostapd` module was rewritten to support `passwordFile` like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.
|
||||
- `hostapd` is now started with additional systemd sandbox/hardening options for better security.
|
||||
- `services.hostapd.interface` was replaced with a per-radio and per-bss configuration scheme using [services.hostapd.radios](#opt-services.hostapd.radios).
|
||||
- `services.hostapd.wpa` has been replaced by [services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword](#opt-services.hostapd.radios._name_.networks._name_.authentication.wpaPassword) and [services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords](#opt-services.hostapd.radios._name_.networks._name_.authentication.saePasswords) which configure WPA2-PSK and WP3-SAE respectively.
|
||||
- The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.
|
||||
|
||||
- `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`.
|
||||
|
||||
- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -2,63 +2,159 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
|
||||
{
|
||||
name = "wpa_supplicant";
|
||||
meta = with lib.maintainers; {
|
||||
maintainers = [ rnhmjoj ];
|
||||
maintainers = [ oddlama rnhmjoj ];
|
||||
};
|
||||
|
||||
nodes.machine = { ... }: {
|
||||
imports = [ ../modules/profiles/minimal.nix ];
|
||||
nodes = let
|
||||
machineWithHostapd = extraConfigModule: { ... }: {
|
||||
imports = [
|
||||
../modules/profiles/minimal.nix
|
||||
extraConfigModule
|
||||
];
|
||||
|
||||
# add a virtual wlan interface
|
||||
boot.kernelModules = [ "mac80211_hwsim" ];
|
||||
# add a virtual wlan interface
|
||||
boot.kernelModules = [ "mac80211_hwsim" ];
|
||||
|
||||
# wireless access point
|
||||
services.hostapd = {
|
||||
enable = true;
|
||||
wpa = true;
|
||||
interface = "wlan0";
|
||||
ssid = "nixos-test";
|
||||
wpaPassphrase = "reproducibility";
|
||||
};
|
||||
|
||||
# wireless client
|
||||
networking.wireless = {
|
||||
# the override is needed because the wifi is
|
||||
# disabled with mkVMOverride in qemu-vm.nix.
|
||||
enable = lib.mkOverride 0 true;
|
||||
userControlled.enable = true;
|
||||
interfaces = [ "wlan1" ];
|
||||
fallbackToWPA2 = true;
|
||||
|
||||
networks = {
|
||||
# test WPA2 fallback
|
||||
mixed-wpa = {
|
||||
psk = "password";
|
||||
authProtocols = [ "WPA-PSK" "SAE" ];
|
||||
# wireless access point
|
||||
services.hostapd = {
|
||||
enable = true;
|
||||
radios.wlan0 = {
|
||||
band = "2g";
|
||||
countryCode = "US";
|
||||
networks = {
|
||||
wlan0 = {
|
||||
ssid = "nixos-test-sae";
|
||||
authentication = {
|
||||
mode = "wpa3-sae";
|
||||
saePasswords = [ { password = "reproducibility"; } ];
|
||||
};
|
||||
bssid = "02:00:00:00:00:00";
|
||||
};
|
||||
wlan0-1 = {
|
||||
ssid = "nixos-test-mixed";
|
||||
authentication = {
|
||||
mode = "wpa3-sae-transition";
|
||||
saePasswordsFile = pkgs.writeText "password" "reproducibility";
|
||||
wpaPasswordFile = pkgs.writeText "password" "reproducibility";
|
||||
};
|
||||
bssid = "02:00:00:00:00:01";
|
||||
};
|
||||
wlan0-2 = {
|
||||
ssid = "nixos-test-wpa2";
|
||||
authentication = {
|
||||
mode = "wpa2-sha256";
|
||||
wpaPassword = "reproducibility";
|
||||
};
|
||||
bssid = "02:00:00:00:00:02";
|
||||
};
|
||||
};
|
||||
};
|
||||
sae-only = {
|
||||
psk = "password";
|
||||
authProtocols = [ "SAE" ];
|
||||
};
|
||||
|
||||
# test network
|
||||
nixos-test.psk = "@PSK_NIXOS_TEST@";
|
||||
|
||||
# secrets substitution test cases
|
||||
test1.psk = "@PSK_VALID@"; # should be replaced
|
||||
test2.psk = "@PSK_SPECIAL@"; # should be replaced
|
||||
test3.psk = "@PSK_MISSING@"; # should not be replaced
|
||||
test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
|
||||
};
|
||||
|
||||
# secrets
|
||||
environmentFile = pkgs.writeText "wpa-secrets" ''
|
||||
PSK_NIXOS_TEST="reproducibility"
|
||||
PSK_VALID="S0m3BadP4ssw0rd";
|
||||
# taken from https://github.com/minimaxir/big-list-of-naughty-strings
|
||||
PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
|
||||
'';
|
||||
# wireless client
|
||||
networking.wireless = {
|
||||
# the override is needed because the wifi is
|
||||
# disabled with mkVMOverride in qemu-vm.nix.
|
||||
enable = lib.mkOverride 0 true;
|
||||
userControlled.enable = true;
|
||||
interfaces = [ "wlan1" ];
|
||||
fallbackToWPA2 = lib.mkDefault true;
|
||||
|
||||
# networks will be added on-demand below for the specific
|
||||
# network that should be tested
|
||||
|
||||
# secrets
|
||||
environmentFile = pkgs.writeText "wpa-secrets" ''
|
||||
PSK_NIXOS_TEST="reproducibility"
|
||||
'';
|
||||
};
|
||||
};
|
||||
in {
|
||||
basic = { ... }: {
|
||||
imports = [ ../modules/profiles/minimal.nix ];
|
||||
|
||||
# add a virtual wlan interface
|
||||
boot.kernelModules = [ "mac80211_hwsim" ];
|
||||
|
||||
# wireless client
|
||||
networking.wireless = {
|
||||
# the override is needed because the wifi is
|
||||
# disabled with mkVMOverride in qemu-vm.nix.
|
||||
enable = lib.mkOverride 0 true;
|
||||
userControlled.enable = true;
|
||||
interfaces = [ "wlan1" ];
|
||||
fallbackToWPA2 = true;
|
||||
|
||||
networks = {
|
||||
# test WPA2 fallback
|
||||
mixed-wpa = {
|
||||
psk = "password";
|
||||
authProtocols = [ "WPA-PSK" "SAE" ];
|
||||
};
|
||||
sae-only = {
|
||||
psk = "password";
|
||||
authProtocols = [ "SAE" ];
|
||||
};
|
||||
|
||||
# secrets substitution test cases
|
||||
test1.psk = "@PSK_VALID@"; # should be replaced
|
||||
test2.psk = "@PSK_SPECIAL@"; # should be replaced
|
||||
test3.psk = "@PSK_MISSING@"; # should not be replaced
|
||||
test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
|
||||
};
|
||||
|
||||
# secrets
|
||||
environmentFile = pkgs.writeText "wpa-secrets" ''
|
||||
PSK_VALID="S0m3BadP4ssw0rd";
|
||||
# taken from https://github.com/minimaxir/big-list-of-naughty-strings
|
||||
PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
# Test connecting to the SAE-only hotspot using SAE
|
||||
machineSae = machineWithHostapd {
|
||||
networking.wireless = {
|
||||
fallbackToWPA2 = false;
|
||||
networks.nixos-test-sae = {
|
||||
psk = "@PSK_NIXOS_TEST@";
|
||||
authProtocols = [ "SAE" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Test connecting to the SAE and WPA2 mixed hotspot using SAE
|
||||
machineMixedUsingSae = machineWithHostapd {
|
||||
networking.wireless = {
|
||||
fallbackToWPA2 = false;
|
||||
networks.nixos-test-mixed = {
|
||||
psk = "@PSK_NIXOS_TEST@";
|
||||
authProtocols = [ "SAE" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Test connecting to the SAE and WPA2 mixed hotspot using WPA2
|
||||
machineMixedUsingWpa2 = machineWithHostapd {
|
||||
networking.wireless = {
|
||||
fallbackToWPA2 = true;
|
||||
networks.nixos-test-mixed = {
|
||||
psk = "@PSK_NIXOS_TEST@";
|
||||
authProtocols = [ "WPA-PSK-SHA256" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Test connecting to the WPA2 legacy hotspot using WPA2
|
||||
machineWpa2 = machineWithHostapd {
|
||||
networking.wireless = {
|
||||
fallbackToWPA2 = true;
|
||||
networks.nixos-test-wpa2 = {
|
||||
psk = "@PSK_NIXOS_TEST@";
|
||||
authProtocols = [ "WPA-PSK-SHA256" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
testScript =
|
||||
@ -66,30 +162,47 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
|
||||
config_file = "/run/wpa_supplicant/wpa_supplicant.conf"
|
||||
|
||||
with subtest("Configuration file is inaccessible to other users"):
|
||||
machine.wait_for_file(config_file)
|
||||
machine.fail(f"sudo -u nobody ls {config_file}")
|
||||
basic.wait_for_file(config_file)
|
||||
basic.fail(f"sudo -u nobody ls {config_file}")
|
||||
|
||||
with subtest("Secrets variables have been substituted"):
|
||||
machine.fail(f"grep -q @PSK_VALID@ {config_file}")
|
||||
machine.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
|
||||
machine.succeed(f"grep -q @PSK_MISSING@ {config_file}")
|
||||
machine.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
|
||||
basic.fail(f"grep -q @PSK_VALID@ {config_file}")
|
||||
basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
|
||||
basic.succeed(f"grep -q @PSK_MISSING@ {config_file}")
|
||||
basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
|
||||
|
||||
with subtest("WPA2 fallbacks have been generated"):
|
||||
assert int(machine.succeed(f"grep -c sae-only {config_file}")) == 1
|
||||
assert int(machine.succeed(f"grep -c mixed-wpa {config_file}")) == 2
|
||||
assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1
|
||||
assert int(basic.succeed(f"grep -c mixed-wpa {config_file}")) == 2
|
||||
|
||||
# save file for manual inspection
|
||||
machine.copy_from_vm(config_file)
|
||||
basic.copy_from_vm(config_file)
|
||||
|
||||
with subtest("Daemon is running and accepting connections"):
|
||||
machine.wait_for_unit("wpa_supplicant-wlan1.service")
|
||||
status = machine.succeed("wpa_cli -i wlan1 status")
|
||||
basic.wait_for_unit("wpa_supplicant-wlan1.service")
|
||||
status = basic.succeed("wpa_cli -i wlan1 status")
|
||||
assert "Failed to connect" not in status, \
|
||||
"Failed to connect to the daemon"
|
||||
|
||||
with subtest("Daemon can connect to the access point"):
|
||||
machine.wait_until_succeeds(
|
||||
machineSae.wait_for_unit("hostapd.service")
|
||||
machineSae.copy_from_vm("/run/hostapd/wlan0.hostapd.conf")
|
||||
with subtest("Daemon can connect to the SAE access point using SAE"):
|
||||
machineSae.wait_until_succeeds(
|
||||
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
|
||||
)
|
||||
|
||||
with subtest("Daemon can connect to the SAE and WPA2 mixed access point using SAE"):
|
||||
machineMixedUsingSae.wait_until_succeeds(
|
||||
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
|
||||
)
|
||||
|
||||
with subtest("Daemon can connect to the SAE and WPA2 mixed access point using WPA2"):
|
||||
machineMixedUsingWpa2.wait_until_succeeds(
|
||||
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
|
||||
)
|
||||
|
||||
with subtest("Daemon can connect to the WPA2 access point using WPA2"):
|
||||
machineWpa2.wait_until_succeeds(
|
||||
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
|
||||
)
|
||||
'';
|
||||
|
@ -23,13 +23,21 @@ stdenv.mkDerivation rec {
|
||||
|
||||
outputs = [ "out" "man" ];
|
||||
|
||||
# Based on hostapd's defconfig. Only differences are tracked.
|
||||
extraConfig = ''
|
||||
# Use epoll(7) instead of select(2) on linux
|
||||
CONFIG_ELOOP_EPOLL=y
|
||||
|
||||
# Drivers
|
||||
CONFIG_DRIVER_WIRED=y
|
||||
CONFIG_LIBNL32=y
|
||||
CONFIG_DRIVER_NONE=y
|
||||
|
||||
# Integrated EAP server
|
||||
CONFIG_EAP_SIM=y
|
||||
CONFIG_EAP_AKA=y
|
||||
CONFIG_EAP_AKA_PRIME=y
|
||||
CONFIG_EAP_PAX=y
|
||||
CONFIG_EAP_PSK=y
|
||||
CONFIG_EAP_PWD=y
|
||||
CONFIG_EAP_SAKE=y
|
||||
CONFIG_EAP_GPSK=y
|
||||
@ -38,29 +46,48 @@ stdenv.mkDerivation rec {
|
||||
CONFIG_EAP_IKEV2=y
|
||||
CONFIG_EAP_TNC=y
|
||||
CONFIG_EAP_EKE=y
|
||||
CONFIG_RADIUS_SERVER=y
|
||||
CONFIG_IEEE80211R=y
|
||||
CONFIG_IEEE80211N=y
|
||||
CONFIG_IEEE80211AC=y
|
||||
CONFIG_IEEE80211AX=y
|
||||
CONFIG_FULL_DYNAMIC_VLAN=y
|
||||
CONFIG_VLAN_NETLINK=y
|
||||
|
||||
CONFIG_TLS=openssl
|
||||
CONFIG_TLSV11=y
|
||||
CONFIG_TLSV12=y
|
||||
CONFIG_INTERNETWORKING=y
|
||||
CONFIG_HS20=y
|
||||
CONFIG_ACS=y
|
||||
CONFIG_GETRANDOM=y
|
||||
|
||||
CONFIG_SAE=y
|
||||
CONFIG_SAE_PK=y
|
||||
|
||||
CONFIG_OWE=y
|
||||
CONFIG_OCV=y
|
||||
|
||||
# TKIP is considered insecure and upstream support will be removed in the future
|
||||
CONFIG_NO_TKIP=y
|
||||
|
||||
# Misc
|
||||
CONFIG_RADIUS_SERVER=y
|
||||
CONFIG_FULL_DYNAMIC_VLAN=y
|
||||
CONFIG_VLAN_NETLINK=y
|
||||
CONFIG_GETRANDOM=y
|
||||
CONFIG_INTERWORKING=y
|
||||
CONFIG_HS20=y
|
||||
CONFIG_FST=y
|
||||
CONFIG_FST_TEST=y
|
||||
CONFIG_ACS=y
|
||||
CONFIG_WNM=y
|
||||
CONFIG_MBO=y
|
||||
|
||||
CONFIG_IEEE80211R=y
|
||||
CONFIG_IEEE80211W=y
|
||||
CONFIG_IEEE80211N=y
|
||||
CONFIG_IEEE80211AC=y
|
||||
CONFIG_IEEE80211AX=y
|
||||
'' + lib.optionalString (sqlite != null) ''
|
||||
CONFIG_SQLITE=y
|
||||
'';
|
||||
|
||||
passAsFile = [ "extraConfig" ];
|
||||
|
||||
configurePhase = ''
|
||||
cd hostapd
|
||||
cp -v defconfig .config
|
||||
echo "$extraConfig" >> .config
|
||||
cat $extraConfigPath >> .config
|
||||
cat -n .config
|
||||
substituteInPlace Makefile --replace /usr/local $out
|
||||
export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE $(pkg-config --cflags libnl-3.0)"
|
||||
|
@ -57,6 +57,7 @@ stdenv.mkDerivation rec {
|
||||
CONFIG_LIBNL32=y
|
||||
CONFIG_OWE=y
|
||||
CONFIG_P2P=y
|
||||
CONFIG_SAE_PK=y
|
||||
CONFIG_TDLS=y
|
||||
CONFIG_TLS=openssl
|
||||
CONFIG_TLSV11=y
|
||||
|
Loading…
Reference in New Issue
Block a user