From 5d2c1ce4e4c9f903b5c064f67a59c2e0b0dbd037 Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sun, 13 Nov 2022 21:58:43 -0500
Subject: [PATCH] libfido2-util: Perform pre-flight checks as well when a specific device path is given

This prevents unnecessary user interactions when `fido2-device` is set to something other than `auto` -- a case overlooked in the original PR #23577 (and later #25268). We do not move pre-flight checks to `fido2_use_hmac_hash_specific_token` because the behaviors are different between different cases: when the device path is NULL, we try to automatically choose the correct device, in which case pre-flight errors should be "soft" errors, without spamming the tty with error outputs; but when a specific device path is given, a pre-flight request that determined the non-existence of the credential should be treated the same as a failed assertion request.
---
 src/shared/libfido2-util.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/shared/libfido2-util.c b/src/shared/libfido2-util.c
index b1eb4a0e3c..aa4905c7da 100644
--- a/src/shared/libfido2-util.c
+++ b/src/shared/libfido2-util.c
@@ -584,8 +584,21 @@ int fido2_use_hmac_hash(
 if (r < 0)
 return log_error_errno(r, "FIDO2 support is not installed.");
 
- if (device)
+ if (device) {
+ r = fido2_is_cred_in_specific_token(device, rp_id, cid, cid_size, required);
+ if (r == -ENODEV) /* not a FIDO2 device or lacking HMAC-SECRET extension */
+ return log_error_errno(r,
+ "%s is not a FIDO2 device or it lacks support for HMAC-SECRET.", device);
+ if (r == 0)
+ /* The caller is expected to attempt other key slots in this case,
+ * therefore, do not spam the console with error logs here. */
+ return log_debug_errno(SYNTHETIC_ERRNO(EBADSLT),
+ "The credential is not in the token %s.", device);
+ if (r < 0)
+ log_error_errno(r, "Failed to determine whether the credential is in the token, trying anyway: %m");
+
 return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, required, ret_hmac, ret_hmac_size);
+ }
 
 di = sym_fido_dev_info_new(allocated);
 if (!di)
--
2.25.1
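Review bot: The catch-all `if (r < 0)` branch logs at error level for a condition the code then deliberately tolerates ("trying anyway"), so a device that is merely unreachable produces one error line here and a second one from the assertion call that follows; `log_warning_errno(r, "Failed to determine whether the credential is in the token, trying anyway: %m");` would keep the diagnostic without reporting a non-fatal step as a failure. It would also help a future reader to state that the new block is an optimisation rather than an access decision, since the assertion in `fido2_use_hmac_hash_specific_token` re-opens the device and re-validates the credential on its own, e.g. `/* Pre-flight only avoids needless UP/PIN prompts; the assertion below remains authoritative. */` above the `fido2_is_cred_in_specific_token` call. Whether -ENODEV from that helper is the only code meaning "not a FIDO2 device" cannot be confirmed from this hunk, so the error text on the `r == -ENODEV` branch may be worth checking against the helper's other return paths. The enclosing `fido2_use_hmac_hash` starts before and continues after the hunk.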