Bug 1578535

Summary: libu2f-host before 1.1.6 unnecessarily delays check-only authentication
Product: [Fedora] Fedora
Reporter: CJ Oster <cjo>
Component: libu2f-host
Assignee: Seth Jennings <sethdjennings>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 27
CC: sethdjennings, sjenning
Hardware: Unspecified
OS: Linux
Fixed In Version: libu2f-host-1.1.6-1.fc27
Last Closed: 2018-05-24 14:26:00 UTC
Type: Bug

Description CJ Oster 2018-05-15 19:49:25 UTC
Description of problem: libu2f-host is responsible for issuing u2f queries to attached tokens and waiting for user response. However, if a "check-only" authentication request[0] is presented, the sleep logic still delays for a full second before returning the results when no delay is necessary. This was fixed in PR#97[1], which is included in release v1.1.6 in the upstream.

This issue was discovered because pam-u2f 1.0.6 or later issues a check-only authentication as a security measure to avoid leaking information about the authentication stack in certain scenarios. Ergo, if using pam-u2f 1.0.6 or later (1.0.7 contains a workaround), every u2f authentication takes a 1-second delay.

[0] - https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-raw-message-formats.html
[1] - https://github.com/Yubico/libu2f-host/pull/97


Version-Release number of selected component (if applicable): 1.1.3-3.fc27


How reproducible: Always


Steps to Reproduce:
1. Install and configure pam-u2f 1.0.6 or later.
2. Observe that every u2f authentication sleeps for a second before requesting user input.

Actual results:

There is a one-second delay between the previous pam module and the u2f user-presence authentication. 

Expected results: 

User-presence authentication should begin immediately.

Additional info:

pam-u2f 1.0.7 contains an option to avoid this early detection as either a workaround for this issue, or for hypothetical tokens that do not tolerate it. Either way, there's no reason for the delay in a check-only authentication.
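An added example, not part of the original report and not code from libu2f-host or PR#97: a simplified model of a host-side polling loop, showing why a check-only request picks up a one-second delay when the loop sleeps before deciding whether another poll is needed. The control bytes and status words are from the FIDO U2F raw message formats spec; `fake_token`, `token_authenticate`, `auth_delay_ms` and the 15-poll cap are hypothetical names and values chosen for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* P1 control bytes and status words from the FIDO U2F raw message formats spec. */
enum { AUTH_ENFORCE = 0x03, AUTH_CHECK_ONLY = 0x07 };
enum { SW_NO_ERROR = 0x9000, SW_CONDITIONS_NOT_SATISFIED = 0x6985, SW_WRONG_DATA = 0x6A80 };

/* Constructed stand-in for a token: one registered key handle, touched after N polls. */
struct fake_token { int handle_known; int polls_until_touch; };

static uint16_t token_authenticate(struct fake_token *t, uint8_t p1)
{
    if (!t->handle_known) return SW_WRONG_DATA;
    if (p1 == AUTH_CHECK_ONLY) return SW_CONDITIONS_NOT_SATISFIED;      /* handle valid; never signs */
    if (t->polls_until_touch-- > 0) return SW_CONDITIONS_NOT_SATISFIED; /* still waiting for touch */
    return SW_NO_ERROR;
}

/* Runs one authentication and returns the milliseconds the host would have slept.
 * skip_needless_sleep == 0: sleep after every poll, then decide whether to poll again.
 * skip_needless_sleep == 1: decide first, and sleep only when another poll will follow. */
unsigned auth_delay_ms(int skip_needless_sleep, uint8_t p1, struct fake_token t, uint16_t *sw)
{
    unsigned slept = 0;
    int polls = 0, again;
    do {
        *sw = token_authenticate(&t, p1);
        /* Only a presence-enforcing request has anything to wait for. */
        again = (p1 == AUTH_ENFORCE) && (*sw == SW_CONDITIONS_NOT_SATISFIED) && (++polls < 15);
        if (again || !skip_needless_sleep)
            slept += 1000; /* stands in for a real one-second sleep */
    } while (again);
    return slept;
}

int main(void)
{
    struct fake_token known = { 1, 2 }; /* constructed: user touches on the third poll */
    uint16_t sw;
    unsigned ms;

    ms = auth_delay_ms(0, AUTH_CHECK_ONLY, known, &sw);
    printf("check-only, sleep-first loop: %u ms, sw=0x%04X\n", ms, (unsigned)sw);
    ms = auth_delay_ms(1, AUTH_CHECK_ONLY, known, &sw);
    printf("check-only, decide-first loop: %u ms, sw=0x%04X\n", ms, (unsigned)sw);
    ms = auth_delay_ms(1, AUTH_ENFORCE, known, &sw);
    printf("enforce, decide-first loop: %u ms, sw=0x%04X\n", ms, (unsigned)sw);
    return 0;
}
```

The token's answer to the check-only request is identical in both variants; only the time the host spends before returning it differs.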

Comment 1 CJ Oster 2018-05-15 19:59:30 UTC
Is this enough to get pam-u2f bumped to version 1.0.7 also?

Comment 2 Seth Jennings 2018-05-15 20:05:25 UTC
I'll attempt it this evening. Thanks for the detail!

Comment 3 Fedora Update System 2018-05-16 03:42:40 UTC
libu2f-host-1.1.6-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6683593d48

Comment 4 Fedora Update System 2018-05-16 03:43:04 UTC
libu2f-host-1.1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-826d839ccf

Comment 5 Seth Jennings 2018-05-16 03:44:55 UTC
pam-u2f and libu2f-host have been updated to latest upstream versions for f27 and later:
https://bodhi.fedoraproject.org/users/sjenning

Comment 6 Fedora Update System 2018-05-16 14:13:25 UTC
libu2f-host-1.1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-826d839ccf

Comment 7 Fedora Update System 2018-05-16 15:13:23 UTC
libu2f-host-1.1.6-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6683593d48

Comment 8 Fedora Update System 2018-05-24 13:56:22 UTC
libu2f-host-1.1.6-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2018-05-24 14:26:00 UTC
libu2f-host-1.1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.