movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

nixos/hostapd: remove CCMP from recommended ciphers (#367464)

Browse source
This commit is contained in:
misuzu 2024-12-25 18:32:44 +02:00 committed by GitHub
commit db3422a82f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 7 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/doc/manual/release-notes/rl-2505.section.md
View file

@ -153,6 +153,9 @@
- `vscode-utils.buildVscodeExtension` now requires pname as an argument - `vscode-utils.buildVscodeExtension` now requires pname as an argument
- The behavior of `services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore.
Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd.
- `nerdfonts` has been separated into individual font packages under the namespace `nerd-fonts`. The directories for font - `nerdfonts` has been separated into individual font packages under the namespace `nerd-fonts`. The directories for font
files have changed from `$out/share/fonts/{opentype,truetype}/NerdFonts` to files have changed from `$out/share/fonts/{opentype,truetype}/NerdFonts` to
`$out/share/fonts/{opentype,truetype}/NerdFonts/<fontDirName>`, where `<fontDirName>` can be found in the `$out/share/fonts/{opentype,truetype}/NerdFonts/<fontDirName>`, where `<fontDirName>` can be found in the

10
nixos/modules/services/networking/hostapd.nix
View file

@ -11,7 +11,6 @@ let
attrNames attrNames
attrValues attrValues
concatLists concatLists
concatMap
concatMapStrings concatMapStrings
concatStringsSep concatStringsSep
count count
@ -34,11 +33,9 @@ let
mkOption mkOption
mkPackageOption mkPackageOption
mkRemovedOptionModule mkRemovedOptionModule
optional
optionalAttrs optionalAttrs
optionalString optionalString
optionals optionals
singleton
stringLength stringLength
toLower toLower
types types
@ -710,7 +707,7 @@ in {
pairwiseCiphers = mkOption { pairwiseCiphers = mkOption {
default = ["CCMP"]; default = ["CCMP"];
example = ["CCMP-256" "GCMP-256"]; example = ["GCMP" "GCMP-256"];
type = types.listOf types.str; type = types.listOf types.str;
description = '' description = ''
Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets). Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets).
@ -719,7 +716,8 @@ in {
Please refer to the hostapd documentation for allowed values. Generally, only Please refer to the hostapd documentation for allowed values. Generally, only
CCMP or GCMP modes should be considered safe options. Most devices support CCMP while CCMP or GCMP modes should be considered safe options. Most devices support CCMP while
GCMP is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher. GCMP and GCMP-256 is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
CCMP-256 support is rare.
''; '';
}; };
@ -906,7 +904,7 @@ in {
bssCfg = bssSubmod.config; bssCfg = bssSubmod.config;
pairwiseCiphers = pairwiseCiphers =
concatStringsSep " " (unique (bssCfg.authentication.pairwiseCiphers concatStringsSep " " (unique (bssCfg.authentication.pairwiseCiphers
++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "CCMP-256" "GCMP" "GCMP-256"])); ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "GCMP" "GCMP-256"]));
in { in {
settings = { settings = {
ssid = bssCfg.ssid; ssid = bssCfg.ssid;