libfido2-util: Perform pre-flight checks as well when a specific device path is given
authorPeter Cai <peter@typeblog.net>
Mon, 14 Nov 2022 02:58:43 +0000 (21:58 -0500)
committerPeter Cai <peter@typeblog.net>
Sat, 10 Dec 2022 20:28:49 +0000 (15:28 -0500)
This prevents unnecessary user interactions when `fido2-device` is set to
something other than `auto` -- a case overlooked in the original PR #23577
(and later #25268).

We do not move pre-flight checks to `fido2_use_hmac_hash_specific_token`
because the behavior differs between the two cases: when the
device path is NULL, we try to automatically choose the correct device,
in which case pre-flight errors should be "soft" errors, without
spamming the tty with error outputs; but when a specific device path is
given, a pre-flight request that determined the non-existence of the
credential should be treated the same as a failed assertion request.

src/shared/libfido2-util.c

index b1eb4a0e3c03cea5ddcf3fd6cfa4a25343fddec0..aa4905c7dac9b6d8d2f598a493bc4f66852a9258 100644 (file)
@@ -584,8 +584,21 @@ int fido2_use_hmac_hash(
         if (r < 0)
                 return log_error_errno(r, "FIDO2 support is not installed.");
 
-        if (device)
+        if (device) {
+                r = fido2_is_cred_in_specific_token(device, rp_id, cid, cid_size, required);
+                if (r == -ENODEV) /* not a FIDO2 device or lacking HMAC-SECRET extension */
+                        return log_error_errno(r,
+                                               "%s is not a FIDO2 device or it lacks support for HMAC-SECRET.", device);
+                if (r == 0)
+                        /* The caller is expected to attempt other key slots in this case,
+                         * therefore, do not spam the console with error logs here. */
+                        return log_debug_errno(SYNTHETIC_ERRNO(EBADSLT),
+                                               "The credential is not in the token %s.", device);
+                if (r < 0)
+                        log_error_errno(r, "Failed to determine whether the credential is in the token, trying anyway: %m");
+
                 return fido2_use_hmac_hash_specific_token(device, rp_id, salt, salt_size, cid, cid_size, pins, required, ret_hmac, ret_hmac_size);
+        }
 
         di = sym_fido_dev_info_new(allocated);
         if (!di)
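Review bot: The final `if (r < 0)` branch of the new pre-flight block logs at error level yet continues into `fido2_use_hmac_hash_specific_token`, so the user sees an "error" for a path the code itself treats as recoverable; `log_warning_errno(r, "Failed to determine whether the credential is in the token, trying anyway: %m");` would match the message's own "trying anyway" wording and the severity systemd uses elsewhere for non-fatal conditions. The `r == 0` branch returns `SYNTHETIC_ERRNO(EBADSLT)` at debug level, which presumably mirrors the code the specific-token path reports for a missing credential, as the commit message intends — worth confirming against `fido2_use_hmac_hash_specific_token` so a caller iterating key slots sees one consistent error code from both places. `fido2_use_hmac_hash` begins before this hunk and its body continues after it.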