802.11x authentication seems to break with the last update

I was installing some updates on my machine and when I rebooted I noticed that I could no longer authenticate with 802.11x. I rolled back the change and wireless started working again. Here is what was changed in the troublesome update:

  SecAdvisories: FEDORA-2024-28ea86c8aa  Moderate   microcode_ctl-2:2.1-67.fc41.x86_64
                 FEDORA-2024-69af78a508  Moderate   ghostscript-10.03.1-4.fc41.x86_64
                 FEDORA-2024-69af78a508  Moderate   ghostscript-tools-fonts-10.03.1-4.fc41.noarch
                 FEDORA-2024-69af78a508  Moderate   ghostscript-tools-printing-10.03.1-4.fc41.noarch
                 FEDORA-2024-69af78a508  Moderate   libgs-10.03.1-4.fc41.x86_64
                   CVE-2024-46952 ghostscript: Buffer Overflow in Ghostscript PDF XRef Stream Handling
                   https://bugzilla.redhat.com/show_bug.cgi?id=2325041
                   CVE-2024-46955 ghostscript: Out-of-Bounds Read in Ghostscript Indexed Color Space
                   https://bugzilla.redhat.com/show_bug.cgi?id=2325042
                   CVE-2024-46951 ghostscript: Arbitrary Code Execution in Artifex Ghostscript Pattern Color Space
                   https://bugzilla.redhat.com/show_bug.cgi?id=2325043
                   CVE-2024-46954 ghostscript: Directory Traversal in Ghostscript via Overlong UTF-8 Encoding
                   https://bugzilla.redhat.com/show_bug.cgi?id=2325044
                   CVE-2024-46953 ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript
                   https://bugzilla.redhat.com/show_bug.cgi?id=2325045
                   CVE-2024-46956 ghostscript: Out-of-Bounds Data Access in Ghostscript Leads to Arbitrary Code Execution
                   https://bugzilla.redhat.com/show_bug.cgi?id=2325047
       Upgraded: alsa-lib 1.2.12-2.fc41 -> 1.2.13-3.fc41
                 alsa-sof-firmware 2024.09-1.fc41 -> 2024.09.1-1.fc41
                 alsa-ucm 1.2.12-2.fc41 -> 1.2.13-3.fc41
                 alsa-utils 1.2.12-2.fc41 -> 1.2.13-2.fc41
                 chafa 1.14.2-1.fc41 -> 1.14.5-1.fc41
                 chafa-libs 1.14.2-1.fc41 -> 1.14.5-1.fc41
                 container-selinux 2:2.233.0-1.fc41 -> 2:2.234.2-1.fc41
                 elfutils-debuginfod-client 0.192-5.fc41 -> 0.192-6.fc41
                 elfutils-default-yama-scope 0.192-5.fc41 -> 0.192-6.fc41
                 elfutils-libelf 0.192-5.fc41 -> 0.192-6.fc41
                 elfutils-libs 0.192-5.fc41 -> 0.192-6.fc41
                 ghostscript 10.03.1-3.fc41 -> 10.03.1-4.fc41
                 ghostscript-tools-fonts 10.03.1-3.fc41 -> 10.03.1-4.fc41
                 ghostscript-tools-printing 10.03.1-3.fc41 -> 10.03.1-4.fc41
                 iio-sensor-proxy 3.5-4.fc41 -> 3.5-5.fc41
                 libgs 10.03.1-3.fc41 -> 10.03.1-4.fc41
                 libsolv 0.7.30-1.fc41 -> 0.7.31-1.fc41
                 libtirpc 1.3.6-0.fc41 -> 1.3.6-1.fc41
                 mesa-dri-drivers 24.2.6-1.fc41 -> 24.2.7-1.fc41
                 mesa-filesystem 24.2.6-1.fc41 -> 24.2.7-1.fc41
                 mesa-libEGL 24.2.6-1.fc41 -> 24.2.7-1.fc41
                 mesa-libGL 24.2.6-1.fc41 -> 24.2.7-1.fc41
                 mesa-libgbm 24.2.6-1.fc41 -> 24.2.7-1.fc41
                 mesa-libglapi 24.2.6-1.fc41 -> 24.2.7-1.fc41
                 mesa-va-drivers 24.2.6-1.fc41 -> 24.2.7-1.fc41
                 mesa-vulkan-drivers 24.2.6-1.fc41 -> 24.2.7-1.fc41
                 microcode_ctl 2:2.1-66.fc41 -> 2:2.1-67.fc41
                 perl-HTTP-Tiny 0.088-512.fc41 -> 0.090-1.fc41
                 pkcs11-provider 0.5-3.fc41 -> 0.5-4.fc41
                 policycoreutils 3.7-3.fc41 -> 3.7-5.fc41
                 policycoreutils-python-utils 3.7-3.fc41 -> 3.7-5.fc41
                 python3-boto3 1.35.55-1.fc41 -> 1.35.59-1.fc41
                 python3-botocore 1.35.55-1.fc41 -> 1.35.59-1.fc41
                 python3-policycoreutils 3.7-3.fc41 -> 3.7-5.fc41
                 selinux-policy 41.24-1.fc41 -> 41.25-1.fc41
                 selinux-policy-targeted 41.24-1.fc41 -> 41.25-1.fc41
                 srt-libs 1.5.4-0.rc0.fc41 -> 1.5.4-1.fc41
                 systemd 256.7-1.fc41 -> 256.8-1.fc41
                 systemd-container 256.7-1.fc41 -> 256.8-1.fc41
                 systemd-libs 256.7-1.fc41 -> 256.8-1.fc41
                 systemd-networkd 256.7-1.fc41 -> 256.8-1.fc41
                 systemd-oomd-defaults 256.7-1.fc41 -> 256.8-1.fc41
                 systemd-pam 256.7-1.fc41 -> 256.8-1.fc41
                 systemd-resolved 256.7-1.fc41 -> 256.8-1.fc41
                 systemd-udev 256.7-1.fc41 -> 256.8-1.fc41
                 vim-common 2:9.1.825-1.fc41 -> 2:9.1.866-1.fc41
                 vim-data 2:9.1.825-1.fc41 -> 2:9.1.866-1.fc41
                 vim-enhanced 2:9.1.825-1.fc41 -> 2:9.1.866-1.fc41
                 vim-filesystem 2:9.1.825-1.fc41 -> 2:9.1.866-1.fc41
                 vim-minimal 2:9.1.825-1.fc41 -> 2:9.1.866-1.fc41
                 xxd 2:9.1.825-1.fc41 -> 2:9.1.866-1.fc41
        Removed: perl-Mozilla-CA-20240730-1.fc41.noarch

I suspect the issue is with pkcs11-provider but I am not sure.

With the update, here is the error message I received when connecting. In the GUI it behaved like there was an incorrect password, but in the logs I see:

Nov 18 10:24:09 fedora wpa_supplicant[1464]: OpenSSL: EVP_DigestInit_ex failed: error:0308010C:digital envelope routines::unsupported
Nov 18 10:24:09 fedora wpa_supplicant[1464]: EAP-MSCHAPV2: Failed to derive response
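
The GUI reports a wrong password here while the journal shows an OpenSSL failure. The following added example (not code from the thread or from any project named in it) scans wpa_supplicant journal lines for that pairing so a local crypto-backend failure can be told apart from an ordinary EAP failure. The function name `triage`, the two-second pairing window, the default year and the third sample line are assumptions.

```python
import re
from datetime import datetime, timedelta

# First two lines are the ones quoted in the post; the third is constructed
# for contrast (the interface name wlp2s0 is made up).
SAMPLE = (
    "Nov 18 10:24:09 fedora wpa_supplicant[1464]: OpenSSL: EVP_DigestInit_ex failed: "
    "error:0308010C:digital envelope routines::unsupported\n"
    "Nov 18 10:24:09 fedora wpa_supplicant[1464]: EAP-MSCHAPV2: Failed to derive response\n"
    "Nov 18 10:31:42 fedora wpa_supplicant[1464]: wlp2s0: CTRL-EVENT-EAP-FAILURE "
    "EAP authentication failed\n"
)

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ wpa_supplicant\[(\d+)\]: (.*)$")
OSSL = re.compile(r"OpenSSL: (\w+) failed: error:([0-9A-Fa-f]{8}):[^:]*::(.*)")
DERIVE = re.compile(r"(EAP-[\w-]+): Failed to derive response")


def triage(log_text, year=2024, window=timedelta(seconds=2)):
    """Separate crypto-backend failures from ordinary EAP failures.

    year is an assumption: syslog-style timestamps do not carry one.
    """
    findings, last_ossl = [], {}  # last_ossl: pid -> (time, call, code, reason)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid, msg = m.group(2), m.group(3)
        if (o := OSSL.search(msg)):
            last_ossl[pid] = (ts, o.group(1), o.group(2), o.group(3))
        elif (d := DERIVE.search(msg)):
            prev = last_ossl.get(pid)
            if prev and ts - prev[0] <= window:
                # Same process logged an OpenSSL error just before: local problem.
                findings.append({"time": ts, "kind": "crypto-backend", "method": d.group(1),
                                 "openssl_call": prev[1], "code": prev[2], "reason": prev[3]})
            else:
                findings.append({"time": ts, "kind": "derive-failed", "method": d.group(1)})
        elif "CTRL-EVENT-EAP-FAILURE" in msg:
            # EAP failed with no OpenSSL error tied to it in this scan.
            findings.append({"time": ts, "kind": "eap-failure"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
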

Probably best to file a bug in bugzilla for pkcs11-provider. You can verify that it’s this package update causing the issue by overriding in the updated version:

  1. Download the “working” RPM
  2. rpm-ostree override replace pkcs11-provider*.rpm

The following worked over here:

dnf remove pkcs11-provider
systemctl restart wpa_supplicant.service

Maybe one can experiment with the “early” setting in the config, but really: nothing depends on this provider and it breaks enterprise WPA2. I’ll reinstall once I know what it is for and that it doesn’t break things.

Bug is here: 2326839 – Connection to WLAN networks that require login not possible anymore after update to pkcs11-provider-0:0.5-4.fc41.x86_64

I added pkcs11-module-load-behavior = early to pkcs11-provider.conf, which fixed the problem. I am going to continue to look into it to see if I can find a better solution, but this looks like a wpa_supplicant bug to me.


I found that this also affects a freeradius server running on the latest Fedora 41 with pkcs11-provider version 0.5-4.fc41. When the radiusd server tries to verify a wireless user connected using TTLS/PEAP, it crashes with a segfault:

[  271.957047] radiusd[3321]: segfault at 0 ip 0000000000000000 sp 00007f4ff4053bf8 error 14 likely on CPU 1 (core 1, socket 0)
[  271.957080] Code: Unable to access opcode bytes at 0xffffffffffffffd6.

Downgrading the pkcs11-provider to version 0.5-3.fc41 fixes the problem.

It also affected our 802.1x ethernet connection with TLS authentication with certificate in my case.

It is working again after downgrading pkcs11-provider to 0.5-3.fc41.

Is this really about the version, or about the fact that the earlier package does not enable the provider by default?