Merge pull request #222536 from oddlama/master

This commit is contained in:
Ryan Lahfa 2023-07-08 14:36:18 +02:00 committed by GitHub
commit 7be83143e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 1463 additions and 251 deletions

View File

@ -4,6 +4,8 @@
- FoundationDB now defaults to major version 7. - FoundationDB now defaults to major version 7.
- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package, along with a significant rework of the hostapd module.
## New Services {#sec-release-23.11-new-services} ## New Services {#sec-release-23.11-new-services}
- [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable). - [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable).
@ -32,6 +34,12 @@
- The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`. - The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`.
- The `services.hostapd` module was rewritten to support `passwordFile` like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.
- `hostapd` is now started with additional systemd sandbox/hardening options for better security.
- `services.hostapd.interface` was replaced with a per-radio and per-bss configuration scheme using [services.hostapd.radios](#opt-services.hostapd.radios).
- `services.hostapd.wpa` has been replaced by [services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword](#opt-services.hostapd.radios._name_.networks._name_.authentication.wpaPassword) and [services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords](#opt-services.hostapd.radios._name_.networks._name_.authentication.saePasswords) which configure WPA2-PSK and WP3-SAE respectively.
- The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.
- `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`. - `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`.
- `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues. - `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.

File diff suppressed because it is too large Load Diff

View File

@ -2,11 +2,15 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
{ {
name = "wpa_supplicant"; name = "wpa_supplicant";
meta = with lib.maintainers; { meta = with lib.maintainers; {
maintainers = [ rnhmjoj ]; maintainers = [ oddlama rnhmjoj ];
}; };
nodes.machine = { ... }: { nodes = let
imports = [ ../modules/profiles/minimal.nix ]; machineWithHostapd = extraConfigModule: { ... }: {
imports = [
../modules/profiles/minimal.nix
extraConfigModule
];
# add a virtual wlan interface # add a virtual wlan interface
boot.kernelModules = [ "mac80211_hwsim" ]; boot.kernelModules = [ "mac80211_hwsim" ];
@ -14,11 +18,63 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
# wireless access point # wireless access point
services.hostapd = { services.hostapd = {
enable = true; enable = true;
wpa = true; radios.wlan0 = {
interface = "wlan0"; band = "2g";
ssid = "nixos-test"; countryCode = "US";
wpaPassphrase = "reproducibility"; networks = {
wlan0 = {
ssid = "nixos-test-sae";
authentication = {
mode = "wpa3-sae";
saePasswords = [ { password = "reproducibility"; } ];
}; };
bssid = "02:00:00:00:00:00";
};
wlan0-1 = {
ssid = "nixos-test-mixed";
authentication = {
mode = "wpa3-sae-transition";
saePasswordsFile = pkgs.writeText "password" "reproducibility";
wpaPasswordFile = pkgs.writeText "password" "reproducibility";
};
bssid = "02:00:00:00:00:01";
};
wlan0-2 = {
ssid = "nixos-test-wpa2";
authentication = {
mode = "wpa2-sha256";
wpaPassword = "reproducibility";
};
bssid = "02:00:00:00:00:02";
};
};
};
};
# wireless client
networking.wireless = {
# the override is needed because the wifi is
# disabled with mkVMOverride in qemu-vm.nix.
enable = lib.mkOverride 0 true;
userControlled.enable = true;
interfaces = [ "wlan1" ];
fallbackToWPA2 = lib.mkDefault true;
# networks will be added on-demand below for the specific
# network that should be tested
# secrets
environmentFile = pkgs.writeText "wpa-secrets" ''
PSK_NIXOS_TEST="reproducibility"
'';
};
};
in {
basic = { ... }: {
imports = [ ../modules/profiles/minimal.nix ];
# add a virtual wlan interface
boot.kernelModules = [ "mac80211_hwsim" ];
# wireless client # wireless client
networking.wireless = { networking.wireless = {
@ -40,9 +96,6 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
authProtocols = [ "SAE" ]; authProtocols = [ "SAE" ];
}; };
# test network
nixos-test.psk = "@PSK_NIXOS_TEST@";
# secrets substitution test cases # secrets substitution test cases
test1.psk = "@PSK_VALID@"; # should be replaced test1.psk = "@PSK_VALID@"; # should be replaced
test2.psk = "@PSK_SPECIAL@"; # should be replaced test2.psk = "@PSK_SPECIAL@"; # should be replaced
@ -52,13 +105,56 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
# secrets # secrets
environmentFile = pkgs.writeText "wpa-secrets" '' environmentFile = pkgs.writeText "wpa-secrets" ''
PSK_NIXOS_TEST="reproducibility"
PSK_VALID="S0m3BadP4ssw0rd"; PSK_VALID="S0m3BadP4ssw0rd";
# taken from https://github.com/minimaxir/big-list-of-naughty-strings # taken from https://github.com/minimaxir/big-list-of-naughty-strings
PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~"; PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
''; '';
}; };
};
# Test connecting to the SAE-only hotspot using SAE
machineSae = machineWithHostapd {
networking.wireless = {
fallbackToWPA2 = false;
networks.nixos-test-sae = {
psk = "@PSK_NIXOS_TEST@";
authProtocols = [ "SAE" ];
};
};
};
# Test connecting to the SAE and WPA2 mixed hotspot using SAE
machineMixedUsingSae = machineWithHostapd {
networking.wireless = {
fallbackToWPA2 = false;
networks.nixos-test-mixed = {
psk = "@PSK_NIXOS_TEST@";
authProtocols = [ "SAE" ];
};
};
};
# Test connecting to the SAE and WPA2 mixed hotspot using WPA2
machineMixedUsingWpa2 = machineWithHostapd {
networking.wireless = {
fallbackToWPA2 = true;
networks.nixos-test-mixed = {
psk = "@PSK_NIXOS_TEST@";
authProtocols = [ "WPA-PSK-SHA256" ];
};
};
};
# Test connecting to the WPA2 legacy hotspot using WPA2
machineWpa2 = machineWithHostapd {
networking.wireless = {
fallbackToWPA2 = true;
networks.nixos-test-wpa2 = {
psk = "@PSK_NIXOS_TEST@";
authProtocols = [ "WPA-PSK-SHA256" ];
};
};
};
}; };
testScript = testScript =
@ -66,30 +162,47 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
config_file = "/run/wpa_supplicant/wpa_supplicant.conf" config_file = "/run/wpa_supplicant/wpa_supplicant.conf"
with subtest("Configuration file is inaccessible to other users"): with subtest("Configuration file is inaccessible to other users"):
machine.wait_for_file(config_file) basic.wait_for_file(config_file)
machine.fail(f"sudo -u nobody ls {config_file}") basic.fail(f"sudo -u nobody ls {config_file}")
with subtest("Secrets variables have been substituted"): with subtest("Secrets variables have been substituted"):
machine.fail(f"grep -q @PSK_VALID@ {config_file}") basic.fail(f"grep -q @PSK_VALID@ {config_file}")
machine.fail(f"grep -q @PSK_SPECIAL@ {config_file}") basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
machine.succeed(f"grep -q @PSK_MISSING@ {config_file}") basic.succeed(f"grep -q @PSK_MISSING@ {config_file}")
machine.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}") basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
with subtest("WPA2 fallbacks have been generated"): with subtest("WPA2 fallbacks have been generated"):
assert int(machine.succeed(f"grep -c sae-only {config_file}")) == 1 assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1
assert int(machine.succeed(f"grep -c mixed-wpa {config_file}")) == 2 assert int(basic.succeed(f"grep -c mixed-wpa {config_file}")) == 2
# save file for manual inspection # save file for manual inspection
machine.copy_from_vm(config_file) basic.copy_from_vm(config_file)
with subtest("Daemon is running and accepting connections"): with subtest("Daemon is running and accepting connections"):
machine.wait_for_unit("wpa_supplicant-wlan1.service") basic.wait_for_unit("wpa_supplicant-wlan1.service")
status = machine.succeed("wpa_cli -i wlan1 status") status = basic.succeed("wpa_cli -i wlan1 status")
assert "Failed to connect" not in status, \ assert "Failed to connect" not in status, \
"Failed to connect to the daemon" "Failed to connect to the daemon"
with subtest("Daemon can connect to the access point"): machineSae.wait_for_unit("hostapd.service")
machine.wait_until_succeeds( machineSae.copy_from_vm("/run/hostapd/wlan0.hostapd.conf")
with subtest("Daemon can connect to the SAE access point using SAE"):
machineSae.wait_until_succeeds(
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
)
with subtest("Daemon can connect to the SAE and WPA2 mixed access point using SAE"):
machineMixedUsingSae.wait_until_succeeds(
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
)
with subtest("Daemon can connect to the SAE and WPA2 mixed access point using WPA2"):
machineMixedUsingWpa2.wait_until_succeeds(
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
)
with subtest("Daemon can connect to the WPA2 access point using WPA2"):
machineWpa2.wait_until_succeeds(
"wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED" "wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
) )
''; '';

View File

@ -23,13 +23,21 @@ stdenv.mkDerivation rec {
outputs = [ "out" "man" ]; outputs = [ "out" "man" ];
# Based on hostapd's defconfig. Only differences are tracked.
extraConfig = '' extraConfig = ''
# Use epoll(7) instead of select(2) on linux
CONFIG_ELOOP_EPOLL=y
# Drivers
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
CONFIG_LIBNL32=y CONFIG_DRIVER_NONE=y
# Integrated EAP server
CONFIG_EAP_SIM=y CONFIG_EAP_SIM=y
CONFIG_EAP_AKA=y CONFIG_EAP_AKA=y
CONFIG_EAP_AKA_PRIME=y CONFIG_EAP_AKA_PRIME=y
CONFIG_EAP_PAX=y CONFIG_EAP_PAX=y
CONFIG_EAP_PSK=y
CONFIG_EAP_PWD=y CONFIG_EAP_PWD=y
CONFIG_EAP_SAKE=y CONFIG_EAP_SAKE=y
CONFIG_EAP_GPSK=y CONFIG_EAP_GPSK=y
@ -38,29 +46,48 @@ stdenv.mkDerivation rec {
CONFIG_EAP_IKEV2=y CONFIG_EAP_IKEV2=y
CONFIG_EAP_TNC=y CONFIG_EAP_TNC=y
CONFIG_EAP_EKE=y CONFIG_EAP_EKE=y
CONFIG_RADIUS_SERVER=y
CONFIG_IEEE80211R=y
CONFIG_IEEE80211N=y
CONFIG_IEEE80211AC=y
CONFIG_IEEE80211AX=y
CONFIG_FULL_DYNAMIC_VLAN=y
CONFIG_VLAN_NETLINK=y
CONFIG_TLS=openssl CONFIG_TLS=openssl
CONFIG_TLSV11=y CONFIG_TLSV11=y
CONFIG_TLSV12=y CONFIG_TLSV12=y
CONFIG_INTERNETWORKING=y
CONFIG_HS20=y
CONFIG_ACS=y
CONFIG_GETRANDOM=y
CONFIG_SAE=y CONFIG_SAE=y
CONFIG_SAE_PK=y
CONFIG_OWE=y
CONFIG_OCV=y
# TKIP is considered insecure and upstream support will be removed in the future
CONFIG_NO_TKIP=y
# Misc
CONFIG_RADIUS_SERVER=y
CONFIG_FULL_DYNAMIC_VLAN=y
CONFIG_VLAN_NETLINK=y
CONFIG_GETRANDOM=y
CONFIG_INTERWORKING=y
CONFIG_HS20=y
CONFIG_FST=y
CONFIG_FST_TEST=y
CONFIG_ACS=y
CONFIG_WNM=y
CONFIG_MBO=y
CONFIG_IEEE80211R=y
CONFIG_IEEE80211W=y
CONFIG_IEEE80211N=y
CONFIG_IEEE80211AC=y
CONFIG_IEEE80211AX=y
'' + lib.optionalString (sqlite != null) '' '' + lib.optionalString (sqlite != null) ''
CONFIG_SQLITE=y CONFIG_SQLITE=y
''; '';
passAsFile = [ "extraConfig" ];
configurePhase = '' configurePhase = ''
cd hostapd cd hostapd
cp -v defconfig .config cp -v defconfig .config
echo "$extraConfig" >> .config cat $extraConfigPath >> .config
cat -n .config cat -n .config
substituteInPlace Makefile --replace /usr/local $out substituteInPlace Makefile --replace /usr/local $out
export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE $(pkg-config --cflags libnl-3.0)" export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE $(pkg-config --cflags libnl-3.0)"

View File

@ -57,6 +57,7 @@ stdenv.mkDerivation rec {
CONFIG_LIBNL32=y CONFIG_LIBNL32=y
CONFIG_OWE=y CONFIG_OWE=y
CONFIG_P2P=y CONFIG_P2P=y
CONFIG_SAE_PK=y
CONFIG_TDLS=y CONFIG_TDLS=y
CONFIG_TLS=openssl CONFIG_TLS=openssl
CONFIG_TLSV11=y CONFIG_TLSV11=y