Closed Bug 1460301 Opened Last year Closed Last year

Calling U2F_PING on Yubikeys in certain configurations may lead them to fail to hotplug

Categories

(Core :: DOM: Device Interfaces, defect, P1)

60 Branch
Unspecified
All
defect

Tracking

()

RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr60 --- fixed
firefox60 --- wontfix
firefox61 --- fixed
firefox62 --- fixed

People

(Reporter: chris, Assigned: ttaubert)

References

(Blocks 1 open bug, )

Details

(Whiteboard: [webauthn] [u2f])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180503143129

Steps to reproduce:

Site: https://webauthn.bin.coffee/
1) press "Create Credential"
2) plug in my Yubikey NEO
3) wait until the Yubikey is listed in the Windows device manager
4) pressed the golden button on the Yubikey

Windows 10 17134.1
Firefox 60.0
Yubikey NEO


Actual results:

Firefox shows an notification, registration / assertion request times out


Expected results:

The registration / assertion request finishes without failure or timeout.

Everything works fine if the Yubiekey is plugged in before the registration / assertion request.
jcj, is this expected behavior?
Blocks: webauthn
Flags: needinfo?(jjones)
Priority: -- → P3
It's not, and it's not immediately reproducible for me on my Windows 8 or Windows 10 machines. It might be something like Bug 1399298, perhaps.

Perhaps Tim and I need to take a closer look at the way we're using Windows DeviceInfoSet [1]; there might be something subtle there that leads to hotplugged devices on some USB controllers not appearing.


[1] https://github.com/jcjones/u2f-hid-rs/blob/6d62a6ff07ff1673286d069b9b59048dab233435/src/windows/winapi.rs#L76
Flags: needinfo?(jjones)
OS: Unspecified → Windows
Summary: USB Security Key does not work if plugged in after WebAuthN registration or assertion request → USB Security Key does not work if hotplugged during WebAuthN registration or assertion request
Whiteboard: [webauthn]
I have the same issue and narrowed it down to the Yubikey NEO sending a corrupted ping response back, causing the u2f rust lib to ignore the device.

This probably only happens if the device is in CCID+U2F mode (not just U2F mode). Between the ping request and response a bunch of CCID communication is done by windows (because the device was just inserted). The ping response actually contains bytes from these unrelated CCID packets rather than from the ping request.

I've added an issue (more of a question actually since it's likely not a problem with the lib) at github a while ago: https://github.com/jcjones/u2f-hid-rs/issues/63. 

Also I've contacted yubico with USB packet logs and they said they would get back to me.
After discussions with Yubico, there is a bug / race condition that causes this in their devices when U2F_PING is used. As U2F_PING is not a necessary part of the protocol -- we use it as a double-check -- we should remove it from the state machines in u2f-hid-rs. We should also plan to uplift that change into 61 and ESR 60. I'm marking 60 as optional, as this is kind of a corner case, and we have so-far only seen it happen on Windows, although it sounds like it could occur on any platform.

Tim, any chance you could put this patch together?
Assignee: nobody → ttaubert
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Windows → All
Summary: USB Security Key does not work if hotplugged during WebAuthN registration or assertion request → Calling U2F_PING on Yubikeys in certain configurations may lead them to fail to hotplug
Whiteboard: [webauthn] → [webauthn] [u2f]
Priority: P3 → P1
Comment on attachment 8975411 [details]
Bug 1460301 - Web Authentication - Don't use U2F_PING to initialize tokens r=jcj

J.C. Jones [:jcj] has approved the revision.

https://phabricator.services.mozilla.com/D1270
Attachment #8975411 - Flags: review+
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0f5b9cd3d710
Web Authentication - Don't use U2F_PING to initialize tokens r=jcj
https://hg.mozilla.org/mozilla-central/rev/0f5b9cd3d710
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Comment on attachment 8975411 [details]
Bug 1460301 - Web Authentication - Don't use U2F_PING to initialize tokens r=jcj

Approval Request Comment
[Feature/Bug causing the regression]: not a regression
[User impact if declined]: there are multiple reports of a bad interaction with the current yubikey firmware that breaks webauthn on windows 10 for some people, it's a simple/safe fix and would be good to uplift
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: no
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: very low risk
[String changes made/needed]: none

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: there are multiple reports of a bad interaction with the current yubikey firmware that breaks webauthn on windows 10 for some people, it's a simple/safe fix and would be good to uplift
Fix Landed on Version: 62
Risk to taking this patch (and alternatives if risky): very low risk
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8975411 - Flags: approval-mozilla-esr60?
Attachment #8975411 - Flags: approval-mozilla-beta?
Comment on attachment 8975411 [details]
Bug 1460301 - Web Authentication - Don't use U2F_PING to initialize tokens r=jcj

Fixes a bad interaction between Yubikeys and Web Authentication. Approved for 61.0b6.
Attachment #8975411 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment on attachment 8975411 [details]
Bug 1460301 - Web Authentication - Don't use U2F_PING to initialize tokens r=jcj

sounds like a good fix for 60.1esr
Attachment #8975411 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
You need to log in before you can comment on or make changes to this bug.