Unverified Commit db3422a8 authored by misuzu's avatar misuzu Committed by GitHub

nixos/hostapd: remove CCMP from recommended ciphers (#367464)

parents bb881a68 8b193d75
+3 −0
@@ -153,6 +153,9 @@

- `vscode-utils.buildVscodeExtension` now requires pname as an argument

- The behavior of `services.hostapd.radios.<name>.networks.<name>.authentication.enableRecommendedPairwiseCiphers` was changed to not include `CCMP-256` anymore.
  Since all configured pairwise ciphers have to be supported by the radio, this caused startup failures on many devices which is hard to debug in hostapd.

- `nerdfonts` has been separated into individual font packages under the namespace `nerd-fonts`. The directories for font
  files have changed from `$out/share/fonts/{opentype,truetype}/NerdFonts` to
  `$out/share/fonts/{opentype,truetype}/NerdFonts/<fontDirName>`, where `<fontDirName>` can be found in the
+4 −6
@@ -11,7 +11,6 @@ let
    attrNames
    attrValues
    concatLists
    concatMap
    concatMapStrings
    concatStringsSep
    count
@@ -34,11 +33,9 @@ let
    mkOption
    mkPackageOption
    mkRemovedOptionModule
    optional
    optionalAttrs
    optionalString
    optionals
    singleton
    stringLength
    toLower
    types
@@ -710,7 +707,7 @@ in {

                    pairwiseCiphers = mkOption {
                      default = ["CCMP"];
                      example = ["CCMP-256" "GCMP-256"];
                      example = ["GCMP" "GCMP-256"];
                      type = types.listOf types.str;
                      description = ''
                        Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets).
@@ -719,7 +716,8 @@ in {

                        Please refer to the hostapd documentation for allowed values. Generally, only
                        CCMP or GCMP modes should be considered safe options. Most devices support CCMP while
                        GCMP is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
                        GCMP and GCMP-256 is often only available with devices supporting WiFi 5 (IEEE 802.11ac) or higher.
                        CCMP-256 support is rare.
                      '';
                    };

@@ -906,7 +904,7 @@ in {
                  bssCfg = bssSubmod.config;
                  pairwiseCiphers =
                    concatStringsSep " " (unique (bssCfg.authentication.pairwiseCiphers
                      ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "CCMP-256" "GCMP" "GCMP-256"]));
                      ++ optionals bssCfg.authentication.enableRecommendedPairwiseCiphers ["CCMP" "GCMP" "GCMP-256"]));
                in {
                  settings = {
                    ssid = bssCfg.ssid;
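Review bot: The `optionals bssCfg.authentication.enableRecommendedPairwiseCiphers` line in the last hunk still appends `GCMP` and `GCMP-256` unconditionally, although the option description two hunks earlier says those are often only available on WiFi 5 or newer radios. If hostapd refuses to start when any listed pairwise cipher is unsupported, as the release note in this commit states, older radios may still hit the same startup failure with the option enabled; that is inferred from the page and worth confirming. Nothing at the list explains why `CCMP-256` is missing, so I would add a comment above it such as `# CCMP-256 is intentionally omitted: every listed cipher must be supported by the radio, and CCMP-256 support is rare.`, so that a later change does not re-add it. The description text also reads "GCMP and GCMP-256 is often only available", which should be "are". The enclosing `let` block and the description of `enableRecommendedPairwiseCiphers` are outside the visible hunks, so I cannot tell whether that option's own documentation names the ciphers it now adds.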