Merge pull request #222536 from oddlama/master

nixos/doc/manual/release-notes/rl-2311.section.md

@@ -4,6 +4,8 @@
 
 - FoundationDB now defaults to major version 7.
 
+- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package, along with a significant rework of the hostapd module.
+
 ## New Services {#sec-release-23.11-new-services}
 
 - [MCHPRS](https://github.com/MCHPR/MCHPRS), a multithreaded Minecraft server built for redstone. Available as [services.mchprs](#opt-services.mchprs.enable).
@@ -32,6 +34,12 @@
 
 - The latest version of `clonehero` now stores custom content in `~/.clonehero`. See the [migration instructions](https://clonehero.net/2022/11/29/v23-to-v1-migration-instructions.html). Typically, these content files would exist along side the binary, but the previous build used a wrapper script that would store them in `~/.config/unity3d/srylain Inc_/Clone Hero`.
 
+- The `services.hostapd` module was rewritten to support `passwordFile` like options, WPA3-SAE, and management of multiple interfaces. This breaks compatibility with older configurations.
+  - `hostapd` is now started with additional systemd sandbox/hardening options for better security.
+  - `services.hostapd.interface` was replaced with a per-radio and per-bss configuration scheme using [services.hostapd.radios](#opt-services.hostapd.radios).
+  - `services.hostapd.wpa` has been replaced by [services.hostapd.radios.<name>.networks.<name>.authentication.wpaPassword](#opt-services.hostapd.radios._name_.networks._name_.authentication.wpaPassword) and [services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords](#opt-services.hostapd.radios._name_.networks._name_.authentication.saePasswords) which configure WPA2-PSK and WP3-SAE respectively.
+  - The default authentication has been changed to WPA3-SAE. Options for other (legacy) schemes are still available.
+
 - `python3.pkgs.fetchPypi` (and `python3Packages.fetchPypi`) has been deprecated in favor of top-level `fetchPypi`.
 
 - `mariadb` now defaults to `mariadb_1011` instead of `mariadb_106`, meaning the default version was upgraded from 10.6.x to 10.11.x. See the [upgrade notes](https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/) for potential issues.

nixos/tests/wpa_supplicant.nix

@@ -2,63 +2,159 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
 {
   name = "wpa_supplicant";
   meta = with lib.maintainers; {
-    maintainers = [ rnhmjoj ];
+    maintainers = [ oddlama rnhmjoj ];
   };
 
-  nodes.machine = { ... }: {
+  nodes = let
-    imports = [ ../modules/profiles/minimal.nix ];
+    machineWithHostapd = extraConfigModule: { ... }: {
+      imports = [
+        ../modules/profiles/minimal.nix
+        extraConfigModule
+      ];
 
-    # add a virtual wlan interface
+      # add a virtual wlan interface
-    boot.kernelModules = [ "mac80211_hwsim" ];
+      boot.kernelModules = [ "mac80211_hwsim" ];
 
-    # wireless access point
+      # wireless access point
-    services.hostapd = {
+      services.hostapd = {
-      enable = true;
+        enable = true;
-      wpa = true;
+        radios.wlan0 = {
-      interface = "wlan0";
+          band = "2g";
-      ssid = "nixos-test";
+          countryCode = "US";
-      wpaPassphrase = "reproducibility";
+          networks = {
-    };
+            wlan0 = {
-
+              ssid = "nixos-test-sae";
-    # wireless client
+              authentication = {
-    networking.wireless = {
+                mode = "wpa3-sae";
-      # the override is needed because the wifi is
+                saePasswords = [ { password = "reproducibility"; } ];
-      # disabled with mkVMOverride in qemu-vm.nix.
+              };
-      enable = lib.mkOverride 0 true;
+              bssid = "02:00:00:00:00:00";
-      userControlled.enable = true;
+            };
-      interfaces = [ "wlan1" ];
+            wlan0-1 = {
-      fallbackToWPA2 = true;
+              ssid = "nixos-test-mixed";
-
+              authentication = {
-      networks = {
+                mode = "wpa3-sae-transition";
-        # test WPA2 fallback
+                saePasswordsFile = pkgs.writeText "password" "reproducibility";
-        mixed-wpa = {
+                wpaPasswordFile = pkgs.writeText "password" "reproducibility";
-          psk = "password";
+              };
-          authProtocols = [ "WPA-PSK" "SAE" ];
+              bssid = "02:00:00:00:00:01";
+            };
+            wlan0-2 = {
+              ssid = "nixos-test-wpa2";
+              authentication = {
+                mode = "wpa2-sha256";
+                wpaPassword = "reproducibility";
+              };
+              bssid = "02:00:00:00:00:02";
+            };
+          };
         };
-        sae-only = {
-          psk = "password";
-          authProtocols = [ "SAE" ];
-        };
-
-        # test network
-        nixos-test.psk = "@PSK_NIXOS_TEST@";
-
-        # secrets substitution test cases
-        test1.psk = "@PSK_VALID@";              # should be replaced
-        test2.psk = "@PSK_SPECIAL@";            # should be replaced
-        test3.psk = "@PSK_MISSING@";            # should not be replaced
-        test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
       };
 
-      # secrets
+      # wireless client
-      environmentFile = pkgs.writeText "wpa-secrets" ''
+      networking.wireless = {
-        PSK_NIXOS_TEST="reproducibility"
+        # the override is needed because the wifi is
-        PSK_VALID="S0m3BadP4ssw0rd";
+        # disabled with mkVMOverride in qemu-vm.nix.
-        # taken from https://github.com/minimaxir/big-list-of-naughty-strings
+        enable = lib.mkOverride 0 true;
-        PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
+        userControlled.enable = true;
-      '';
+        interfaces = [ "wlan1" ];
+        fallbackToWPA2 = lib.mkDefault true;
+
+        # networks will be added on-demand below for the specific
+        # network that should be tested
+
+        # secrets
+        environmentFile = pkgs.writeText "wpa-secrets" ''
+          PSK_NIXOS_TEST="reproducibility"
+        '';
+      };
+    };
+  in {
+    basic = { ... }: {
+      imports = [ ../modules/profiles/minimal.nix ];
+
+      # add a virtual wlan interface
+      boot.kernelModules = [ "mac80211_hwsim" ];
+
+      # wireless client
+      networking.wireless = {
+        # the override is needed because the wifi is
+        # disabled with mkVMOverride in qemu-vm.nix.
+        enable = lib.mkOverride 0 true;
+        userControlled.enable = true;
+        interfaces = [ "wlan1" ];
+        fallbackToWPA2 = true;
+
+        networks = {
+          # test WPA2 fallback
+          mixed-wpa = {
+            psk = "password";
+            authProtocols = [ "WPA-PSK" "SAE" ];
+          };
+          sae-only = {
+            psk = "password";
+            authProtocols = [ "SAE" ];
+          };
+
+          # secrets substitution test cases
+          test1.psk = "@PSK_VALID@";              # should be replaced
+          test2.psk = "@PSK_SPECIAL@";            # should be replaced
+          test3.psk = "@PSK_MISSING@";            # should not be replaced
+          test4.psk = "P@ssowrdWithSome@tSymbol"; # should not be replaced
+        };
+
+        # secrets
+        environmentFile = pkgs.writeText "wpa-secrets" ''
+          PSK_VALID="S0m3BadP4ssw0rd";
+          # taken from https://github.com/minimaxir/big-list-of-naughty-strings
+          PSK_SPECIAL=",./;'[]\-= <>?:\"{}|_+ !@#$%^\&*()`~";
+        '';
+      };
     };
 
+    # Test connecting to the SAE-only hotspot using SAE
+    machineSae = machineWithHostapd {
+      networking.wireless = {
+        fallbackToWPA2 = false;
+        networks.nixos-test-sae = {
+          psk = "@PSK_NIXOS_TEST@";
+          authProtocols = [ "SAE" ];
+        };
+      };
+    };
+
+    # Test connecting to the SAE and WPA2 mixed hotspot using SAE
+    machineMixedUsingSae = machineWithHostapd {
+      networking.wireless = {
+        fallbackToWPA2 = false;
+        networks.nixos-test-mixed = {
+          psk = "@PSK_NIXOS_TEST@";
+          authProtocols = [ "SAE" ];
+        };
+      };
+    };
+
+    # Test connecting to the SAE and WPA2 mixed hotspot using WPA2
+    machineMixedUsingWpa2 = machineWithHostapd {
+      networking.wireless = {
+        fallbackToWPA2 = true;
+        networks.nixos-test-mixed = {
+          psk = "@PSK_NIXOS_TEST@";
+          authProtocols = [ "WPA-PSK-SHA256" ];
+        };
+      };
+    };
+
+    # Test connecting to the WPA2 legacy hotspot using WPA2
+    machineWpa2 = machineWithHostapd {
+      networking.wireless = {
+        fallbackToWPA2 = true;
+        networks.nixos-test-wpa2 = {
+          psk = "@PSK_NIXOS_TEST@";
+          authProtocols = [ "WPA-PSK-SHA256" ];
+        };
+      };
+    };
   };
 
   testScript =
@@ -66,30 +162,47 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
       config_file = "/run/wpa_supplicant/wpa_supplicant.conf"
 
       with subtest("Configuration file is inaccessible to other users"):
-          machine.wait_for_file(config_file)
+          basic.wait_for_file(config_file)
-          machine.fail(f"sudo -u nobody ls {config_file}")
+          basic.fail(f"sudo -u nobody ls {config_file}")
 
       with subtest("Secrets variables have been substituted"):
-          machine.fail(f"grep -q @PSK_VALID@ {config_file}")
+          basic.fail(f"grep -q @PSK_VALID@ {config_file}")
-          machine.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
+          basic.fail(f"grep -q @PSK_SPECIAL@ {config_file}")
-          machine.succeed(f"grep -q @PSK_MISSING@ {config_file}")
+          basic.succeed(f"grep -q @PSK_MISSING@ {config_file}")
-          machine.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
+          basic.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")
 
       with subtest("WPA2 fallbacks have been generated"):
-          assert int(machine.succeed(f"grep -c sae-only {config_file}")) == 1
+          assert int(basic.succeed(f"grep -c sae-only {config_file}")) == 1
-          assert int(machine.succeed(f"grep -c mixed-wpa {config_file}")) == 2
+          assert int(basic.succeed(f"grep -c mixed-wpa {config_file}")) == 2
 
       # save file for manual inspection
-      machine.copy_from_vm(config_file)
+      basic.copy_from_vm(config_file)
 
       with subtest("Daemon is running and accepting connections"):
-          machine.wait_for_unit("wpa_supplicant-wlan1.service")
+          basic.wait_for_unit("wpa_supplicant-wlan1.service")
-          status = machine.succeed("wpa_cli -i wlan1 status")
+          status = basic.succeed("wpa_cli -i wlan1 status")
           assert "Failed to connect" not in status, \
                  "Failed to connect to the daemon"
 
-      with subtest("Daemon can connect to the access point"):
+      machineSae.wait_for_unit("hostapd.service")
-          machine.wait_until_succeeds(
+      machineSae.copy_from_vm("/run/hostapd/wlan0.hostapd.conf")
+      with subtest("Daemon can connect to the SAE access point using SAE"):
+          machineSae.wait_until_succeeds(
+            "wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
+          )
+
+      with subtest("Daemon can connect to the SAE and WPA2 mixed access point using SAE"):
+          machineMixedUsingSae.wait_until_succeeds(
+            "wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
+          )
+
+      with subtest("Daemon can connect to the SAE and WPA2 mixed access point using WPA2"):
+          machineMixedUsingWpa2.wait_until_succeeds(
+            "wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
+          )
+
+      with subtest("Daemon can connect to the WPA2 access point using WPA2"):
+          machineWpa2.wait_until_succeeds(
             "wpa_cli -i wlan1 status | grep -q wpa_state=COMPLETED"
           )
     '';

pkgs/os-specific/linux/hostapd/default.nix

@@ -23,13 +23,21 @@ stdenv.mkDerivation rec {
 
   outputs = [ "out" "man" ];
 
+  # Based on hostapd's defconfig. Only differences are tracked.
   extraConfig = ''
+    # Use epoll(7) instead of select(2) on linux
+    CONFIG_ELOOP_EPOLL=y
+
+    # Drivers
     CONFIG_DRIVER_WIRED=y
-    CONFIG_LIBNL32=y
+    CONFIG_DRIVER_NONE=y
+
+    # Integrated EAP server
     CONFIG_EAP_SIM=y
     CONFIG_EAP_AKA=y
     CONFIG_EAP_AKA_PRIME=y
     CONFIG_EAP_PAX=y
+    CONFIG_EAP_PSK=y
     CONFIG_EAP_PWD=y
     CONFIG_EAP_SAKE=y
     CONFIG_EAP_GPSK=y
@@ -38,29 +46,48 @@ stdenv.mkDerivation rec {
     CONFIG_EAP_IKEV2=y
     CONFIG_EAP_TNC=y
     CONFIG_EAP_EKE=y
-    CONFIG_RADIUS_SERVER=y
+
-    CONFIG_IEEE80211R=y
-    CONFIG_IEEE80211N=y
-    CONFIG_IEEE80211AC=y
-    CONFIG_IEEE80211AX=y
-    CONFIG_FULL_DYNAMIC_VLAN=y
-    CONFIG_VLAN_NETLINK=y
     CONFIG_TLS=openssl
     CONFIG_TLSV11=y
     CONFIG_TLSV12=y
-    CONFIG_INTERNETWORKING=y
+
-    CONFIG_HS20=y
-    CONFIG_ACS=y
-    CONFIG_GETRANDOM=y
     CONFIG_SAE=y
+    CONFIG_SAE_PK=y
+
+    CONFIG_OWE=y
+    CONFIG_OCV=y
+
+    # TKIP is considered insecure and upstream support will be removed in the future
+    CONFIG_NO_TKIP=y
+
+    # Misc
+    CONFIG_RADIUS_SERVER=y
+    CONFIG_FULL_DYNAMIC_VLAN=y
+    CONFIG_VLAN_NETLINK=y
+    CONFIG_GETRANDOM=y
+    CONFIG_INTERWORKING=y
+    CONFIG_HS20=y
+    CONFIG_FST=y
+    CONFIG_FST_TEST=y
+    CONFIG_ACS=y
+    CONFIG_WNM=y
+    CONFIG_MBO=y
+
+    CONFIG_IEEE80211R=y
+    CONFIG_IEEE80211W=y
+    CONFIG_IEEE80211N=y
+    CONFIG_IEEE80211AC=y
+    CONFIG_IEEE80211AX=y
   '' + lib.optionalString (sqlite != null) ''
     CONFIG_SQLITE=y
   '';
 
+  passAsFile = [ "extraConfig" ];
+
   configurePhase = ''
     cd hostapd
     cp -v defconfig .config
-    echo "$extraConfig" >> .config
+    cat $extraConfigPath >> .config
     cat -n .config
     substituteInPlace Makefile --replace /usr/local $out
     export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE $(pkg-config --cflags libnl-3.0)"

pkgs/os-specific/linux/wpa_supplicant/default.nix

@@ -57,6 +57,7 @@ stdenv.mkDerivation rec {
     CONFIG_LIBNL32=y
     CONFIG_OWE=y
     CONFIG_P2P=y
+    CONFIG_SAE_PK=y
     CONFIG_TDLS=y
     CONFIG_TLS=openssl
     CONFIG_TLSV11=y