U2F does not work in uwsgi due to json library conflict
Concerned version
Version: 2.0.13
Platform: Debian >= 10, possibly CentOS
Summary
- Configure LLNG to run in Apache or Nginx
- Try to register a U2F device in the device => OK
- Configure LLNG to run in UWSGI
- Try to register a U2F device => FAIL
Logs
On UWSGI:
[debug] Prepare U2F verification
[debug] -> Send challenge:
(challenge is empty)
Cause
After investigating this, I found that the challenge is correctly generated by libu2f-server, but there is an issue that prevents it from being generated as JSON correctly.
Output of the authenticationChallenge function:
{ "keyHandle": null, "version": null, "challenge": null, "appId": null }
The code that serialized the challenge to JSON is here: https://github.com/Yubico/libu2f-server/blob/master/u2f-server/core.c#L999
We see that it uses json_object_get to populate the JSON fields (keyHandle, challenge, etc.).
But UWSGI is built against libjansson, which also defines a json_object_get symbol that conflicts with the one used by libu2f-server!
37083: symbol=json_object_get; lookup in file=uwsgi [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libpthread.so.0 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libm.so.6 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libdl.so.2 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libz.so.1 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libpcre.so.3 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libcap.so.2 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libuuid.so.1 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libyaml-0.so.2 [0]
37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libjansson.so.4 [0]
37083: binding file /lib/x86_64-linux-gnu/libu2f-server.so.0 [0] to /lib/x86_64-linux-gnu/libjansson.so.4 [0]: normal symbol `json_object_get' [JSONC_0.14]
Instead of libjson-c.so.5 (when using Apache):
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libdl.so.2 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libm.so.6 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libpthread.so.0 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libc.so.6 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libcrypt.so.1 [0]
37091: symbol=json_object_get; lookup in file=/lib64/ld-linux-x86-64.so.2 [0]
37091: symbol=json_object_get; lookup in file=/usr/lib/x86_64-linux-gnu/perl5/5.32/auto/Crypt/U2F/Server/Server.so [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libu2f-server.so.0 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libc.so.6 [0]
37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libjson-c.so.5 [0]
37091: binding file /lib/x86_64-linux-gnu/libu2f-server.so.0 [0] to /lib/x86_64-linux-gnu/libjson-c.so.5 [0]: normal symbol `json_object_get' [JSONC_0.14]
This problem does not occur in old versions of libu2f-server because they did not use json_object_get: https://github.com/Yubico/libu2f-server/commit/eea59f260ba2fe71aee911e60068743acf00dc40
Possible fixes
A workaround I found is to force priority to json-c bindings with LD_PRELOAD. But that probably means uwsgi cannot parse JSON configs anymore.
A long-term fix would be for Jansson and JSON-C to use symbol versioning. JSON-C does it in Bullseye (but not in Buster, nor CentOS7),
see https://github.com/json-c/json-c/issues/621
Building uwsgi against yajl could work as well, but I have not tested it.
This issue needs to be reported in the docs
@maudoux have you already encountered this issue? Do you use U2F in production on your uwsgi servers?
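A check for the misbinding shown in the traces above, as an added example that is not part of the original issue or of LLNG's code: it parses the dynamic linker's binding lines and reports any `json_*` symbol that libu2f-server resolved from a library other than libjson-c. The function names are hypothetical; the sample lines are copied from the two traces in this issue.

```python
import re

# glibc's ld.so prints one line like this per resolved symbol when a process
# is started with LD_DEBUG=bindings (the trailing [VERSION] tag is optional):
#   binding file A [0] to B [0]: normal symbol `name' [VER]
BINDING_RE = re.compile(
    r"binding file (?P<src>\S+) \[\d+\] to (?P<dst>\S+) \[\d+\]: "
    r"\w+ symbol `(?P<sym>[^']+)'"
)

def parse_bindings(lines):
    """Yield (requesting object, providing object, symbol) per binding line."""
    for line in lines:
        m = BINDING_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["sym"]

def find_misbindings(lines, consumer, expected_provider, prefix):
    """Map each `prefix`* symbol that `consumer` resolved from an object
    other than `expected_provider` to the object that actually supplied it."""
    return {
        sym: dst
        for src, dst, sym in parse_bindings(lines)
        if consumer in src and sym.startswith(prefix)
        and expected_provider not in dst
    }

# Lines copied from the two traces in the issue (uwsgi, then Apache).
UWSGI_TRACE = [
    "37083: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libjansson.so.4 [0]",
    "37083: binding file /lib/x86_64-linux-gnu/libu2f-server.so.0 [0] to "
    "/lib/x86_64-linux-gnu/libjansson.so.4 [0]: normal symbol `json_object_get' [JSONC_0.14]",
]
APACHE_TRACE = [
    "37091: symbol=json_object_get; lookup in file=/lib/x86_64-linux-gnu/libjson-c.so.5 [0]",
    "37091: binding file /lib/x86_64-linux-gnu/libu2f-server.so.0 [0] to "
    "/lib/x86_64-linux-gnu/libjson-c.so.5 [0]: normal symbol `json_object_get' [JSONC_0.14]",
]

if __name__ == "__main__":
    for name, trace in (("uwsgi", UWSGI_TRACE), ("apache", APACHE_TRACE)):
        bad = find_misbindings(trace, "libu2f-server", "libjson-c", "json_")
        print(name, "OK" if not bad else f"MISBOUND: {bad}")
```

To run it against a live server, start the process with `LD_DEBUG=bindings` (and `LD_DEBUG_OUTPUT` set to a file prefix to keep the trace out of stderr) and feed the resulting lines to `find_misbindings`.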