nixos/hostapd: remove managementFrameProtection
tomfitzhenry committed Oct 24, 2023
1 parent 9f7335d commit 9e7c877
Showing 1 changed file with 2 additions and 29 deletions.
31 changes: 2 additions & 29 deletions nixos/modules/services/networking/hostapd.nix
Expand Up @@ -161,7 +161,6 @@ in {
mode = "wpa2-sha256";
wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible.
};
managementFrameProtection = "optional";
};
};
}
Expand Down Expand Up @@ -900,25 +899,6 @@ in {
'';
};
};

managementFrameProtection = mkOption {
default = "required";
type = types.enum ["disabled" "optional" "required"];
apply = x:
getAttr x {
"disabled" = 0;
"optional" = 1;
"required" = 2;
};
description = mdDoc ''
Management frame protection (MFP) authenticates management frames
to prevent deauthentication (or related) attacks.
- {var}`"disabled"`: No management frame protection
- {var}`"optional"`: Use MFP if a connection allows it
- {var}`"required"`: Force MFP for all clients
'';
};
};

config = let
Expand All @@ -944,7 +924,8 @@ in {

# IEEE 802.11i (authentication) related configuration
# Encrypt management frames to protect against deauthentication and similar attacks
ieee80211w = bssCfg.managementFrameProtection;
ieee80211w = mkDefault 1;
sae_require_mfp = mkDefault 1;

# Only allow WPA by default and disable insecure WEP
auth_algs = mkDefault 1;
Expand Down Expand Up @@ -1185,14 +1166,6 @@ in {
assertion = (length (attrNames radioCfg.networks) > 1) -> (bssCfg.bssid != null);
message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.'';
}
{
assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"'';
}
{
assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"'';
}
{
assertion = countWpaPasswordDefinitions <= 1;
message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';
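Review bot: The new defaults in the third hunk (`ieee80211w = mkDefault 1; sae_require_mfp = mkDefault 1;`) quietly lower the module-wide default from MFP required (the removed option's default was `"required"`, i.e. 2) to optional for every BSS, including BSSs in `wpa3-sae` mode for which the removed assertion demanded 2. `sae_require_mfp = 1` still forces MFP on SAE associations, but a pure-SAE AP that advertises MFP as merely capable rather than required (MFPR=0 in the RSNE) is, as far as I recall the WPA3 specification, non-compliant for WPA3-Personal-only mode, so it is worth keeping 2 there: `ieee80211w = mkDefault (if auth.mode == "wpa3-sae" then 2 else 1);`, assuming `auth` is in scope at that point as it is in the assertions block. The comment above that line (`# Encrypt management frames to protect against deauthentication and similar attacks`) now overstates what the default does; I would rewrite it as `# Advertise MFP; optional by default, mandatory for SAE associations via sae_require_mfp. Override ieee80211w = 2 in settings to require it for every client.` The weakened default is also not mentioned in the commit description and deserves a release-note or description line so existing users know their WPA2 clients may now associate without MFP. The enclosing `config = let` block and the assertions list both extend beyond the visible hunks.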
