Commit Graph

42 Commits

Author SHA1 Message Date
oddlama
1fa9f03eec
nixos/hostapd: rewrite to support multi-AP, password from file, and more
At this point this is basically a full rewrite of this module, which
is a breaking change and was necessary to properly expose the useful
parts of hostapd's config. The notable changes are:

- `hostapd` is now started with additional systemd sandbox/hardening options
- A single-daemon can now manage multiple distinct radios and BSSs, which is
  why all configuration had to be moved into `hostapd.radios`
- By default WPA3-SAE will be used, but WPA2 and WPA3-SAE-TRANSITION are
  supported, too
- Added passwordFile-like options for wpa and sae
- Add new relevant options for MAC ACL, WiFi5, WiFi6 and WiFi7 configuration
- Implements RFC42 as far as reasonable for hostapd
- Removes `with lib;`
2023-07-02 13:32:41 +02:00
oddlama
4bec3f2043
hostapd: enable new stable features such as WiFi6 and structure .config
These changes are important to support modern APs configurations.
Short overview:

- CONFIG_IEEE80211AX support (WiFi6)
- CONFIG_SAE_PK (pubkey authenticated WPA3)
- CONFIG_DRIVER_NONE (standalone RADIUS server)
- CONFIG_OCV (Operating Channel Validation)
- Enable epoll on linux systems
- Remove deprecated TKIP support
- Fix misspelling (CONFIG_INTERNETWORKING != CONFIG_INTERWORKING)
- The .config was restructured into sections to reflect the
  upstream defconfig order and for easier updating in the future
2023-07-02 13:31:38 +02:00
Marco Rebhan
515dffe4bd
hostapd: Enable 802.11ax (Wi-Fi 6) support 2023-06-11 14:08:38 +02:00
Aaron Jheng
ac35507202
hostapd: update homepage 2022-12-16 08:23:20 +00:00
Artturin
33cce15e42 treewide: remove meta.repositories
there's no documentation for meta.repositories and its not widely used
2022-03-24 23:56:14 +02:00
Martin Weinelt
90482284fa
hostapd: 2.9 -> 2.10 2022-01-17 13:42:09 +01:00
Sandro Jäckel
cbfc50722f
maintainers: drop phreedom 2021-12-19 07:30:50 +01:00
Martin Weinelt
4480a056c9
hostapd: add patch for CVE-2021-30004
In wpa_supplicant and hostapd 2.9, forging attacks may occur because
AlgorithmIdentifier parameters are mishandled in tls/pkcs1.c and
tls/x509v3.c.

Fixes: CVE-2021-30004
2021-04-13 19:32:22 +02:00
Vincent Haupert
214bbb5cf0
hostapd: build with SAE for WPA3 support 2021-04-02 15:14:09 +02:00
Jonathan Ringer
9bb3fccb5b treewide: pkgs.pkgconfig -> pkgs.pkg-config, move pkgconfig to alias.nix
continuation of #109595

pkgconfig was aliased in 2018, however, it remained in
all-packages.nix due to its wide usage. This cleans
up the remaining references to pkgs.pkgsconfig and
moves the entry to aliases.nix.

python3Packages.pkgconfig remained unchanged because
it's the canonical name of the upstream package
on pypi.
2021-01-19 01:16:25 -08:00
Ben Siraphob
16d91ee628 pkgs/os-specific: stdenv.lib -> lib 2021-01-17 23:26:08 +07:00
Profpatsch
4a7f99d55d treewide: with stdenv.lib; in meta -> with lib;
Part of: https://github.com/NixOS/nixpkgs/issues/108938

meta = with stdenv.lib;

is a widely used pattern. We want to slowly remove
the `stdenv.lib` indirection and encourage people
to use `lib` directly. Thus let’s start with the meta
field.

This used a rewriting script to mostly automatically
replace all occurances of this pattern, and add the
`lib` argument to the package header if it doesn’t
exist yet.

The script in its current form is available at
https://cs.tvl.fyi/depot@2f807d7f141068d2d60676a89213eaa5353ca6e0/-/blob/users/Profpatsch/nixpkgs-rewriter/default.nix
2021-01-11 10:38:22 +01:00
Martin Weinelt
c898b5c057
hostapd: add hexa as maintainer 2020-06-10 21:15:14 +02:00
Martin Weinelt
1c14b52e18
hostapd: apply patches for CVE-2020-12695
https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt

Fixes: CVE-2020-12695
2020-06-09 14:52:42 +02:00
Martin Weinelt
3e9f3a3ebd
hostapd: apply patch for CVE-2019-16275
AP mode PMF disconnection protection bypass

Published: September 11, 2019
Identifiers:
- CVE-2019-16275
Latest version available from: https://w1.fi/security/2019-7/

Vulnerability

hostapd (and wpa_supplicant when controlling AP mode) did not perform
sufficient source address validation for some received Management frames
and this could result in ending up sending a frame that caused
associated stations to incorrectly believe they were disconnected from
the network even if management frame protection (also known as PMF) was
negotiated for the association. This could be considered to be a denial
of service vulnerability since PMF is supposed to protect from this type
of issues. It should be noted that if PMF is not enabled, there would be
no protocol level protection against this type of denial service
attacks.

An attacker in radio range of the access point could inject a specially
constructed unauthenticated IEEE 802.11 frame to the access point to
cause associated stations to be disconnected and require a reconnection
to the network.

Vulnerable versions/configurations

All hostapd and wpa_supplicants versions with PMF support
(CONFIG_IEEE80211W=y) and a runtime configuration enabled AP mode with
PMF being enabled (optional or required). In addition, this would be
applicable only when using user space based MLME/SME in AP mode, i.e.,
when hostapd (or wpa_supplicant when controlling AP mode) would process
authentication and association management frames. This condition would
be applicable mainly with drivers that use mac80211.

Possible mitigation steps

- Merge the following commit to wpa_supplicant/hostapd and rebuild:

  AP: Silently ignore management frame from unexpected source address

  This patch is available from https://w1.fi/security/2019-7/

- Update to wpa_supplicant/hostapd v2.10 or newer, once available
2020-04-25 14:35:20 +02:00
Michael Reilly
84cf00f980
treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
Florian Klink
c36b8c57c2
Merge pull request #75140 from tomfitzhenry/hostapd-getrandom
hostapd: use getrandom(2)
2019-12-07 23:01:06 +01:00
Félix Baylac-Jacqué
abc9b32fc6 hostapd: 2.8 -> 2.9
Associated release note:
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt

Note: we are building hostapd with the CONFIG_EAP_PWD=y flag by
default, we might be impacted by a EAP_PWD side-channel attach on
hostapd 2.8.
2019-12-07 12:02:10 +01:00
Tom Fitzhenry
fd1c0db18c hostapd: use getrandom(2)
Motivation: Devices with few entropy sources on boot hang/block if many services try to
read from /dev/random.

https://w1.fi/cgit/hostap/commit/?id=89a7cdd690b48a0c56380cf4609442ed13527f44
states getrandom() is recommended, but not enabled by default since it
relies on:

* Linux kernel 3.17 (NixOS 19.09 has 4.19; master presumably later)
* glibc 2.25 (NixOS master has 2.27
  https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/glibc/common.nix#L37 )
2019-12-07 19:31:35 +11:00
c0bw3b
9367367dfd Treewide: fix URL permanent redirects
Permanent redirects on homepages and/or source URLs
as reported by Repology
2019-11-16 01:41:23 +01:00
volth
46420bbaa3 treewide: name -> pname (easy cases) (#66585)
treewide replacement of

stdenv.mkDerivation rec {
  name = "*-${version}";
  version = "*";

to pname
2019-08-15 13:41:18 +01:00
Florian Klink
1e5a8f9dd7 hostapd: remove global with stdenv.lib 2019-06-26 09:26:29 +02:00
Félix Baylac-Jacqué
f3b94dee34
hostapd: fix hostapd noscan patch url.
Something somehow got wrong in #63699; some adjustments made after the
review have been discarded :/
2019-06-26 08:20:39 +02:00
Félix Baylac-Jacqué
98deb87354
hostapd: Add noscan mode.
Applies OpenWRT's noscan patch to hostapd and the relevant option to
the hostapd module.

This noscan patch adds a new `noscan` option allowing us to create
some overlapping BSSs in HT40+/- mode.

Note: this option is disabled by default, we leave this up to the end
user whether it should be enabled or not.

Not being able to create those overlapping BSSs is basically
preventing us to use 802.11n in any urban area where chances to
overlap with another SSID are extremely high.

The patch we are using is a courtesy of the openwrt team and is
applied to the defaul hostapd package in both OpenWRT and Archlinux.
2019-06-24 00:26:20 +02:00
Will Dietz
bc069315cb hostapd: 2.7 -> 2.8 2019-04-22 15:25:06 -05:00
Clemens Fruhwirth
3e7af59243 hostapd: 2.6 -> 2.7 2019-02-20 10:48:00 +01:00
Jörg Thalheim
b5c1deca8a
treewide: remove wkennington as maintainer
He prefers to contribute to his own nixpkgs fork triton.
Since he is still marked as maintainer in many packages
this leaves the wrong impression he still maintains those.
2019-01-26 10:05:32 +00:00
Robin Gloster
04a2885dbf
hostapd: install man pages 2018-05-22 14:30:54 +02:00
Graham Christensen
629965a532
hostapd: patch for KRACKAttack
CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
    CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
    CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
    CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
    CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
    CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
    CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
    CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
    CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
    CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
2017-10-16 07:33:43 -04:00
Maximilian Güntner
daf07c9d62
hostapd/wpa_supplicant: update urls 2017-09-17 13:46:11 +02:00
Matthew Robbetts
b9418091f4 hostapd: libressl patches. 2017-02-25 10:15:53 +01:00
Robin Gloster
df58ed2f13
hostapd: 2.5 -> 2.6 2017-02-17 00:11:37 +01:00
Franz Pletz
2fa9bd5059 hostapd: add patch to fix build with libressl
Fixes #17315.
2016-07-29 12:03:08 +02:00
Matthew Robbetts
e434ce8f49 hostapd: 2.4 -> v2.5, fixes #17164 2016-07-23 00:56:53 +02:00
William A. Kennington III
076dff2f58 hostapd: Refactoring 2015-04-24 15:12:55 -07:00
William A. Kennington III
09ca343089 hostapd: 2.3 -> 2.4 2015-03-26 12:30:51 -07:00
Michael Raskin
1602f9b90a Update hostapd 2014-10-12 12:34:16 +04:00
Evgeny Egorochkin
9f957d054f hostapd: update from 2.0 to 2.1 2014-04-03 07:05:07 +03:00
Krofek
2b6c07f5a8 hostapd update: 1.0 -> 2.0 2013-09-16 23:06:51 +02:00
Jack Cummings
3ac299934d enable 802.11n by default. 2013-03-11 02:31:51 -07:00
Mathijs Kwik
3de1a56a73 hostapd: upgrade to 1.0 2012-09-09 13:04:14 +02:00
Evgeny Egorochkin
e873eebeb6 hostapd: packaged.
svn path=/nixpkgs/trunk/; revision=27501
2011-06-19 23:30:57 +00:00