| author | Peter Cai <peter@typeblog.net> | 2022-11-13 21:58:43 -0500 |
|---|---|---|
| committer | Peter Cai <peter@typeblog.net> | 2022-12-10 15:28:49 -0500 |
| commit | 5d2c1ce4e4c9f903b5c064f67a59c2e0b0dbd037 (patch) | |
| tree | 664459fd0435d3337bcc38516dd252ed527b7b77 /src/shared/libfido2-util.c | |
| parent | 53c1ef9ce086356d2ee126135b71ca5ad9e3897d (diff) | |
| download | systemd-5d2c1ce4e4c9f903b5c064f67a59c2e0b0dbd037.tar.gz | |
libfido2-util: Perform pre-flight checks as well when a specific device path is given
This prevents unnecessary user interactions when `fido2-device` is set to
something other than `auto` -- a case overlooked in the original PR #23577
(and later #25268).
We do not move pre-flight checks to `fido2_use_hmac_hash_specific_token`
because the behaviors are different between different cases: when the
device path is NULL, we try to automatically choose the correct device,
in which case pre-flight errors should be "soft" errors, without
spamming the tty with error outputs; but when a specific device path is
given, a pre-flight request that determined the non-existence of the
credential should be treated the same as a failed assertion request.
Diffstat (limited to 'src/shared/libfido2-util.c')
-rw-r--r-- | src/shared/libfido2-util.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c index b1eb4a0e3c..aa4905c7da 100644 --- a/src/shared/libfido2-util.c +++ b/src/shared/libfido2-util.c @@ -584,8 +584,21 @@ int fido2_use_hmac_hash( if (r < 0) return log_error_errno(r, "FIDO2 support is not installed."); - if (device) + if (device) { + r = fido2_is_cred_in_specific_token(device, rp_id, cid, cid_size, required); + if (r == -ENODEV) /* not a FIDO2 device or lacking HMAC-SECRET extension */ + return log_error_errno(r, + "%s is not a FIDO2 device or it lacks support for HMAC-SECRET.", device); + if (r == 0) + /* The caller is expected to attempt other key slots in this case, + * therefore, do not spam the console with error logs here. */ + return log_debug_errno(SYNTHETIC_ERRNO(EBADSLT), + "The credential is not in the token %s.", device); + if (r < 0) + log_error_errno(r, "Failed to determine whether the credential is in the token, trying anyway: %m"); + return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, required, ret_hmac, ret_hmac_size); + } di = sym_fido_dev_info_new(allocated); if (!di) |
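Review bot: the generic `if (r < 0)` branch at the end of the new `if (device)` block logs with `log_error_errno()` and then falls through to `fido2_use_hmac_hash_specific_token()`, so a pre-flight failure the code deliberately recovers from is reported at error level; `log_warning_errno(r, "Failed to determine whether the credential is in the token, trying anyway: %m");` would make the log level match the behaviour, and a one-line comment stating that only `-ENODEV` is treated as fatal (the check for it precedes the generic branch) would make the ordering of the three `r` checks self-explanatory. The `r == 0` path returns `EBADSLT` at debug level, which matches the "attempt other key slots" comment, but the commit message says a missing credential on a named device should be treated the same as a failed assertion; a short note in the comment confirming that the assertion path returns the same errno would help future readers verify that both paths are handled identically by callers.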