pkgs/os-specific/linux/hostapd/default.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172

{
  lib,
  stdenv,
  fetchurl,
  fetchpatch,
  pkg-config,
  libnl,
  openssl,
  nixosTests,
  sqlite ? null,
}:

stdenv.mkDerivation rec {
  pname = "hostapd";
  version = "2.10";

  src = fetchurl {
    url = "https://w1.fi/releases/${pname}-${version}.tar.gz";
    sha256 = "sha256-IG58eZtnhXLC49EgMCOHhLxKn4IyOwFWtMlGbxSYkV0=";
  };

  nativeBuildInputs = [ pkg-config ];
  buildInputs = [ libnl openssl sqlite ];

  patches = [
    (fetchurl {
      # Note: fetchurl seems to be unhappy with openwrt git
      # server's URLs containing semicolons. Using the github mirror instead.
      url = "https://raw.githubusercontent.com/openwrt/openwrt/eefed841b05c3cd4c65a78b50ce0934d879e6acf/package/network/services/hostapd/patches/300-noscan.patch";
      sha256 = "08p5frxhpq1rp2nczkscapwwl8g9nc4fazhjpxic5bcbssc3sb00";
    })

    # Backported security patches for CVE-2024-3596 (https://blastradius.fail),
    # these can be removed when updating to 2.11.

    # RADIUS: Allow Message-Authenticator attribute as the first attribute
    (fetchpatch {
      url = "https://w1.fi/cgit/hostap/patch/?id=adac846bd0e258a0aa50750bbd2b411fa0085c46";
      hash = "sha256-1jfSeVGL5tyZn8F2wpQ7KwaQaEKWsCOW/bavovMcdz4=";
    })

    # RADIUS server: Place Message-Authenticator attribute as the first one
    (fetchpatch {
      url = "https://w1.fi/cgit/hostap/patch/?id=54abb0d3cf35894e7d86e3f7555e95b106306803";
      hash = "sha256-fVhQlOVETttVf1M9iKrXJrv7mxpxSjCt3w8kndRal08=";
    })

    # hostapd: Move Message-Authenticator attribute to be the first one in req
    (fetchpatch {
      url = "https://w1.fi/cgit/hostap/patch/?id=37fe8e48ab44d44fe3cf5dd8f52cb0a10be0cd17";
      hash = "sha256-3eoAkXhieO3f0R5PTlH6g5wcgo/aLQN6XcPSITGgciE=";
    })

    # RADIUS DAS: Move Message-Authenticator attribute to be the first one
    (fetchpatch {
      url = "https://w1.fi/cgit/hostap/patch/?id=f54157077f799d84ce26bed6ad6b01c4a16e31cf";
      hash = "sha256-dcaghKbKNFVSN6ONNaFt1s0S35mkqox2aykiExEXyPQ=";
    })

    # Require Message-Authenticator in Access-Reject even without EAP-Message
    (fetchpatch {
      url = "https://w1.fi/cgit/hostap/patch/?id=934b0c3a45ce0726560ccefbd992a9d385c36385";
      hash = "sha256-9GquP/+lsghF81nMhOuRwlSz/pEnmk+mSex8aM3/qdA=";
    })

    # RADIUS: Require Message-Authenticator attribute in MAC ACL cases
    #(fetchpatch {
    #  url = "https://w1.fi/cgit/hostap/patch/?id=58097123ec5ea6f8276b38cb9b07669ec368a6c1";
    #  hash = "sha256-mW+PAeAkNcrlFPsjxLvZ/1Smq6H6KXq5Le3HuLA2KKw=";
    #})
    # Needed to be fixed to apply correctly:
    ./0007-RADIUS-Require-Message-Authenticator-attribute-in-MA.patch

    # RADIUS: Check Message-Authenticator if it is present even if not required
    (fetchpatch {
      url = "https://w1.fi/cgit/hostap/patch/?id=f302d9f9646704cce745734af21d540baa0da65f";
      hash = "sha256-6i0cq5YBm2w03yMrdYGaEqe1dTsmokZWOs4WPFX36qo=";
    })
  ];

  outputs = [ "out" "man" ];

  # Based on hostapd's defconfig. Only differences are tracked.
  extraConfig = ''
    # Use epoll(7) instead of select(2) on linux
    CONFIG_ELOOP_EPOLL=y

    # Drivers
    CONFIG_DRIVER_WIRED=y
    CONFIG_DRIVER_NONE=y

    # Integrated EAP server
    CONFIG_EAP_SIM=y
    CONFIG_EAP_AKA=y
    CONFIG_EAP_AKA_PRIME=y
    CONFIG_EAP_PAX=y
    CONFIG_EAP_PSK=y
    CONFIG_EAP_PWD=y
    CONFIG_EAP_SAKE=y
    CONFIG_EAP_GPSK=y
    CONFIG_EAP_GPSK_SHA256=y
    CONFIG_EAP_FAST=y
    CONFIG_EAP_IKEV2=y
    CONFIG_EAP_TNC=y
    CONFIG_EAP_EKE=y

    CONFIG_TLS=openssl
    CONFIG_TLSV11=y
    CONFIG_TLSV12=y

    CONFIG_SAE=y
    CONFIG_SAE_PK=y

    CONFIG_OWE=y
    CONFIG_OCV=y

    # TKIP is considered insecure and upstream support will be removed in the future
    CONFIG_NO_TKIP=y

    # Misc
    CONFIG_RADIUS_SERVER=y
    CONFIG_MACSEC=y
    CONFIG_DRIVER_MACSEC_LINUX=y
    CONFIG_FULL_DYNAMIC_VLAN=y
    CONFIG_VLAN_NETLINK=y
    CONFIG_GETRANDOM=y
    CONFIG_INTERWORKING=y
    CONFIG_HS20=y
    CONFIG_FST=y
    CONFIG_FST_TEST=y
    CONFIG_ACS=y
    CONFIG_WNM=y
    CONFIG_MBO=y

    CONFIG_IEEE80211R=y
    CONFIG_IEEE80211W=y
    CONFIG_IEEE80211N=y
    CONFIG_IEEE80211AC=y
    CONFIG_IEEE80211AX=y
  '' + lib.optionalString (sqlite != null) ''
    CONFIG_SQLITE=y
  '';

  passAsFile = [ "extraConfig" ];

  configurePhase = ''
    cd hostapd
    cp -v defconfig .config
    cat $extraConfigPath >> .config
    cat -n .config
    substituteInPlace Makefile --replace /usr/local $out
    export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE $(pkg-config --cflags libnl-3.0)"
  '';

  preInstall = "mkdir -p $out/bin";
  postInstall = ''
    install -vD hostapd.8 -t $man/share/man/man8
    install -vD hostapd_cli.1 -t $man/share/man/man1
  '';

  passthru.tests = {
    inherit (nixosTests) wpa_supplicant;
  };

  meta = with lib; {
    homepage = "https://w1.fi/hostapd/";
    description = "User space daemon for access point and authentication servers";
    license = licenses.bsd3;
    maintainers = with maintainers; [ oddlama ];
    platforms = platforms.linux;
  };
}