nixos/hostapd: remove managementFrameProtection

This commit is contained in:
Tom Fitzhenry 2023-10-24 23:54:44 +11:00
parent 9f7335d449
commit 9e7c877de7


@ -161,7 +161,6 @@ in {
mode = "wpa2-sha256"; mode = "wpa2-sha256";
wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible. wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible.
}; };
managementFrameProtection = "optional";
}; };
}; };
} }
@ -900,25 +899,6 @@ in {
''; '';
}; };
}; };
managementFrameProtection = mkOption {
default = "required";
type = types.enum ["disabled" "optional" "required"];
apply = x:
getAttr x {
"disabled" = 0;
"optional" = 1;
"required" = 2;
};
description = mdDoc ''
Management frame protection (MFP) authenticates management frames
to prevent deauthentication (or related) attacks.
- {var}`"disabled"`: No management frame protection
- {var}`"optional"`: Use MFP if a connection allows it
- {var}`"required"`: Force MFP for all clients
'';
};
}; };
config = let config = let
@ -944,7 +924,8 @@ in {
# IEEE 802.11i (authentication) related configuration # IEEE 802.11i (authentication) related configuration
# Encrypt management frames to protect against deauthentication and similar attacks # Encrypt management frames to protect against deauthentication and similar attacks
ieee80211w = bssCfg.managementFrameProtection; ieee80211w = mkDefault 1;
sae_require_mfp = mkDefault 1;
# Only allow WPA by default and disable insecure WEP # Only allow WPA by default and disable insecure WEP
auth_algs = mkDefault 1; auth_algs = mkDefault 1;
@ -1185,14 +1166,6 @@ in {
assertion = (length (attrNames radioCfg.networks) > 1) -> (bssCfg.bssid != null); assertion = (length (attrNames radioCfg.networks) > 1) -> (bssCfg.bssid != null);
message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.''; message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.'';
} }
{
assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"'';
}
{
assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"'';
}
{ {
assertion = countWpaPasswordDefinitions <= 1; assertion = countWpaPasswordDefinitions <= 1;
message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)''; message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';
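Review bot: The replacement `ieee80211w = mkDefault 1;` in the `@ -944,7 +924,8 @@` hunk silently lowers the default from the removed option's `default = "required"` (value 2) to optional for every BSS, so a WPA2 client that does not negotiate MFP can again be deauthenticated, while the comment directly above it still reads "Encrypt management frames to protect against deauthentication and similar attacks" and now overstates what the default provides. I would reword that comment to `# MFP is optional by default (ieee80211w=1) so older clients can still associate; SAE associations are forced onto MFP by sae_require_mfp. Override ieee80211w to 2 to require MFP for every client.` and mention the changed default in the commit message, since users who relied on the old "required" default get a weaker configuration without any evaluation warning. The removed assertions also mean an explicit `ieee80211w = 0` on a `wpa3-sae` BSS now passes evaluation; whether hostapd rejects that combination at startup is not visible from this hunk, so a replacement assertion on the settings value may still be warranted. The `config = let` body and the assertion list both continue outside the hunks shown.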