Open Bug 1868735 Opened 1 year ago Updated 1 year ago

Firefox freeze when opensc-pkcs11 is waiting for a yubikey touch.

Categories

(Core :: Widget: Gtk, defect)

Firefox 120
defect

UNCONFIRMED

People

(Reporter: julien+mozilla, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0

Steps to reproduce:

  • Open Firefox
  • Open a terminal emulator (like gnome-terminal)
  • Configure a Yubikey with --touch-policy=always (see below for details)
  • Try to ssh to a host
  • Do not immediately touch the key.
  • Play around with Firefox, like opening a tab, browsing to a website, navigating around tabs, ...

More info about my Yubikey setup:

First I change the default pin/puk/management-key:

$ ykman piv change-pin  # Default is 123456
$ ykman piv change-puk  # Default is 12345678
$ ykman piv change-management-key  # Blank for default

Then I generate an SSH certificate:

$ yubico-piv-tool -k -s 9a -a generate --touch-policy=always -o public.pem
$ yubico-piv-tool -k -a verify-pin -a selfsign-certificate -s 9a -S "/CN=SSH key/" -i public.pem -o cert.pem
$ yubico-piv-tool -k -a import-certificate -s 9a -i cert.pem
$ ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e > yubikey.pub

Then I propagate the yubikey.pub public key to a server (localhost should be "far enough" for tests), so in ~/.ssh/authorized_keys.

Then I start an ssh-agent (in fact Gnome gets one running for me, so no manual steps for me, but you may have to run:

eval $(ssh-agent)

in order to get one running).

Then I load opensc-pkcs11 in my ssh-agent to have them communicate, I do it like so:

ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Then I just try to ssh to a host.

YES YES YES I know I just have to touch my key and boom everything is resolved (ssh connects and firefox gets up and running again) but yet this (see below) behavior is very strange to me.

Actual results:

At first the Firefox UI seems OK, it still responds. But as soon as the network is needed, it starts to freeze up to complete unresponsiveness. No network communication can be done in this state.

As soon as I touch the key, everything gets back on track.

If I play for a bit too long with Firefox without touching the key, Firefox crashes (I just reproduced it and reported the crash, you should find it, a few minutes before this issue is published, I added a comment about pkcs11 in the crash report message).

Expected results:

I expect no visible interaction at all between what I do with openssh/opensc-pkcs11/... and what I do with Firefox.

The Bugbug bot thinks this bug should belong to the 'Core::Widget: Gtk' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Widget: Gtk
Product: Firefox → Core
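
A triage check for the report above, added here as an example and not part of the original report or of Firefox/OpenSC: it lists which running processes have the PKCS#11 module mapped, which shows whether Firefox itself has loaded opensc-pkcs11.so alongside the ssh-agent side. The function names and the PROC_ROOT parameter are assumptions made for this example.

```shell
#!/bin/sh
# Added triage helper (example code, not from the bug report).

# pkcs11_holders MODULE [PROC_ROOT]
#   Prints "PID<TAB>COMM" for every process whose memory map references a
#   shared object whose file name is MODULE (e.g. opensc-pkcs11.so).
#   PROC_ROOT defaults to /proc; it is a parameter (assumption of this
#   example) only so the function can be run against a constructed tree.
pkcs11_holders() {
    module=$1
    root=${2:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # no match, exited process, no access
        dir=${maps%/maps}
        pid=${dir##*/}
        # Field 6 of a maps line is the backing file; compare its basename.
        if awk -v m="$module" '
               { n = split($6, p, "/"); if (p[n] == m) found = 1 }
               END { exit !found }' "$maps" 2>/dev/null; then
            comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s\t%s\n' "$pid" "$comm"
        fi
    done
}

# firefox_shares_module MODULE [PROC_ROOT]
#   Exit status 0 when a firefox* process and at least one other process
#   both have MODULE loaded; non-zero otherwise.
firefox_shares_module() {
    pkcs11_holders "$@" | awk -F '\t' '
        $2 ~ /^firefox/ { ff = 1; next }
                        { other = 1 }
        END             { exit !(ff && other) }'
}

# Scan the live system; the default module name is the one from the report.
pkcs11_holders "${1:-opensc-pkcs11.so}"
```

Processes owned by other users are skipped unless the script runs with enough privilege to read their maps files.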