From 4bec3f204362fa22a0740c8a572ffef3b322596d Mon Sep 17 00:00:00 2001 From: oddlama Date: Wed, 22 Mar 2023 00:33:14 +0100 Subject: hostapd: enable new stable features such as WiFi6 and structure .config These changes are important to support modern APs configurations. Short overview: - CONFIG_IEEE80211AX support (WiFi6) - CONFIG_SAE_PK (pubkey authenticated WPA3) - CONFIG_DRIVER_NONE (standalone RADIUS server) - CONFIG_OCV (Operating Channel Validation) - Enable epoll on linux systems - Remove deprecated TKIP support - Fix misspelling (CONFIG_INTERNETWORKING != CONFIG_INTERWORKING) - The .config was restructured into sections to reflect the upstream defconfig order and for easier updating in the future --- nixos/doc/manual/release-notes/rl-2311.section.md | 2 + pkgs/os-specific/linux/hostapd/default.nix | 56 ++++++++++++++++++----- 2 files changed, 46 insertions(+), 12 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 3d161d8bb64..51c3b871f1e 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -22,6 +22,8 @@ - [Apache Guacamole](https://guacamole.apache.org/), a cross-platform, clientless remote desktop gateway. Available as [services.guacamole-server](#opt-services.guacamole-server.enable) and [services.guacamole-client](#opt-services.guacamole-client.enable) services. +- Support for WiFi6 (IEEE 802.11ax) and WPA3-SAE-PK was enabled in the `hostapd` package. + ## Backward Incompatibilities {#sec-release-23.11-incompatibilities} - `python3.pkgs.sequoia` was removed in favor of `python3.pkgs.pysequoia`. The latter package is based on upstream's dedicated repository for sequoia's Python bindings, where the Python bindings from [gitlab:sequoia-pgp/sequoia](https://gitlab.com/sequoia-pgp/sequoia) were removed long ago. 
diff --git a/pkgs/os-specific/linux/hostapd/default.nix b/pkgs/os-specific/linux/hostapd/default.nix index 2836f435dc2..85d48683cf0 100644 --- a/pkgs/os-specific/linux/hostapd/default.nix +++ b/pkgs/os-specific/linux/hostapd/default.nix @@ -23,13 +23,21 @@ stdenv.mkDerivation rec { outputs = [ "out" "man" ]; + # Based on hostapd's defconfig. Only differences are tracked. extraConfig = '' + # Use epoll(7) instead of select(2) on linux + CONFIG_ELOOP_EPOLL=y + + # Drivers CONFIG_DRIVER_WIRED=y - CONFIG_LIBNL32=y + CONFIG_DRIVER_NONE=y + + # Integrated EAP server CONFIG_EAP_SIM=y CONFIG_EAP_AKA=y CONFIG_EAP_AKA_PRIME=y CONFIG_EAP_PAX=y + CONFIG_EAP_PSK=y CONFIG_EAP_PWD=y CONFIG_EAP_SAKE=y CONFIG_EAP_GPSK=y 
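Review bot: Dropping `CONFIG_LIBNL32=y` in favour of "only differences are tracked" makes the build depend on upstream's defconfig continuing to set it, and that file is not visible in this patch. The configurePhase still passes the libnl-3.0 cflags via pkg-config, so a changed default in a later hostapd release would presumably surface as a build or link problem rather than as a review item. I would extend the new header comment to say so, for example `# Based on hostapd's defconfig. Only differences are tracked; re-check the defaults relied on (e.g. CONFIG_LIBNL32) on every version bump.` The `# Drivers` heading could also say why `CONFIG_DRIVER_NONE=y` is there, e.g. `# driver=none lets hostapd run as a standalone RADIUS server`. The extraConfig string continues past the end of this hunk.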
@@ -38,29 +46,53 @@ stdenv.mkDerivation rec { CONFIG_EAP_IKEV2=y CONFIG_EAP_TNC=y CONFIG_EAP_EKE=y - CONFIG_RADIUS_SERVER=y - CONFIG_IEEE80211R=y - CONFIG_IEEE80211N=y - CONFIG_IEEE80211AC=y - CONFIG_IEEE80211AX=y - CONFIG_FULL_DYNAMIC_VLAN=y - CONFIG_VLAN_NETLINK=y + CONFIG_TLS=openssl CONFIG_TLSV11=y CONFIG_TLSV12=y - CONFIG_INTERNETWORKING=y + + CONFIG_SAE=y + CONFIG_SAE_PK=y + + CONFIG_OWE=y + CONFIG_OCV=y + + # TKIP is considered insecure and upstream support will be removed in the future + CONFIG_NO_TKIP=y + + # Enable Wi-Fi Protected Setup + CONFIG_WPS=y + CONFIG_WPS_UPNP=y + CONFIG_WPS_NFC=y + + # Misc + CONFIG_RADIUS_SERVER=y + CONFIG_FULL_DYNAMIC_VLAN=y + CONFIG_VLAN_NETLINK=y + CONFIG_GETRANDOM=y + CONFIG_INTERWORKING=y CONFIG_HS20=y + CONFIG_FST=y + CONFIG_FST_TEST=y CONFIG_ACS=y - CONFIG_GETRANDOM=y - CONFIG_SAE=y + CONFIG_WNM=y + CONFIG_MBO=y + + CONFIG_IEEE80211R=y + CONFIG_IEEE80211W=y + CONFIG_IEEE80211N=y + CONFIG_IEEE80211AC=y + CONFIG_IEEE80211AX=y '' + lib.optionalString (sqlite != null) '' CONFIG_SQLITE=y ''; + passAsFile = [ "extraConfig" ]; + configurePhase = '' cd hostapd cp -v defconfig .config - echo "$extraConfig" >> .config + cat $extraConfigPath >> .config cat -n .config substituteInPlace Makefile --replace /usr/local $out export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE $(pkg-config --cflags libnl-3.0)" -- cgit 1.4.1
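Review bot: `CONFIG_FST_TEST=y` in the Misc section compiles in what upstream's defconfig describes as CLI commands for FST testing, which is test tooling a packaged access-point daemon does not need on its control interface. I would drop that line and keep only `CONFIG_FST=y`. `CONFIG_NO_TKIP=y` presumably makes existing configurations that still name TKIP fail to load, yet the release note in this commit lists only the new features, so an entry under Backward Incompatibilities would help operators. The WPS block would benefit from a comment such as `# Compiled in only; WPS stays off unless enabled in hostapd.conf`, if that is the intent, since `CONFIG_WPS_UPNP=y` and `CONFIG_WPS_NFC=y` widen the code built into every install. In configurePhase the new line is better quoted as `cat "$extraConfigPath" >> .config`; the extraConfig string itself starts before this hunk.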