nixos/wireless: don't attempt fallback on WPA3 only networks

2025-01-18 19:03:28 +00:00 · 2022-02-04 08:45:28 +01:00 · 2022-02-04 08:45:28 +01:00 · 3b8fa47f58
commit 3b8fa47f58
parent d67ad28fc3
2 changed files with 24 additions and 5 deletions
--- a/nixos/modules/services/networking/wpa_supplicant.nix
+++ b/nixos/modules/services/networking/wpa_supplicant.nix
@ -11,11 +11,15 @@ let
  opt = options.networking.wireless;

  wpa3Protocols = [ "SAE" "FT-SAE" ];
-  hasWPA3 = opts: !mutuallyExclusive opts.authProtocols wpa3Protocols;
+  hasMixedWPA = opts:
+    let
+      hasWPA3 = !mutuallyExclusive opts.authProtocols wpa3Protocols;
+      others = subtractLists wpa3Protocols opts.authProtocols;
+    in hasWPA3 && others != [];

  # Gives a WPA3 network higher priority
  increaseWPA3Priority = opts:
-    opts // optionalAttrs (hasWPA3 opts)
+    opts // optionalAttrs (hasMixedWPA opts)
      { priority = if opts.priority == null
                     then 1
                     else opts.priority + 1;
@ -33,7 +37,7 @@ let
  allNetworks =
    if cfg.fallbackToWPA2
      then map increaseWPA3Priority networkList
-           ++ map mkWPA2Fallback (filter hasWPA3 networkList)
+           ++ map mkWPA2Fallback (filter hasMixedWPA networkList)
      else networkList;

  # Content of wpa_supplicant.conf
--- a/nixos/tests/wpa_supplicant.nix
+++ b/nixos/tests/wpa_supplicant.nix
@ -27,8 +27,19 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
      enable = lib.mkOverride 0 true;
      userControlled.enable = true;
      interfaces = [ "wlan1" ];
+      fallbackToWPA2 = true;

      networks = {
+        # test WPA2 fallback
+        mixed-wpa = {
+          psk = "password";
+          authProtocols = [ "WPA-PSK" "SAE" ];
+        };
+        sae-only = {
+          psk = "password";
+          authProtocols = [ "SAE" ];
+        };
+
        # test network
        nixos-test.psk = "@PSK_NIXOS_TEST@";

@ -64,8 +75,12 @@ import ./make-test-python.nix ({ pkgs, lib, ...}:
          machine.succeed(f"grep -q @PSK_MISSING@ {config_file}")
          machine.succeed(f"grep -q P@ssowrdWithSome@tSymbol {config_file}")

-          # save file for manual inspection
-          machine.copy_from_vm(config_file)
+      with subtest("WPA2 fallbacks have been generated"):
+          assert int(machine.succeed(f"grep -c sae-only {config_file}")) == 1
+          assert int(machine.succeed(f"grep -c mixed-wpa {config_file}")) == 2
+
+      # save file for manual inspection
+      machine.copy_from_vm(config_file)

      with subtest("Daemon is running and accepting connections"):
          machine.wait_for_unit("wpa_supplicant-wlan1.service")