The recently merged PR #32295 introduced support for the credProtect
extension, but in doing so, it broke the discoverability of credentials
by setting the policy to FIDO_CRED_PROT_UV_REQUIRED for UV-less,
PIN-protected credentials. This policy would require us to pass the PIN
to the token in the pre-flight request to be able to discover it,
which defeats the purpose of pre-flight requests as they're supposed
to be non-interactive.

This commit restricts the usage of credProtect to UV credentials only.
return log_oom();
int extensions = FIDO_EXT_HMAC_SECRET;
- if (FLAGS_SET(lock_with, FIDO2ENROLL_PIN) || FLAGS_SET(lock_with, FIDO2ENROLL_UV)) {
+ if (FLAGS_SET(lock_with, FIDO2ENROLL_UV)) {
/* Attempt to use the "cred protect" extension, requiring user verification (UV) for this
* credential. If the authenticator doesn't support the extension, it will be ignored. */
extensions |= FIDO_EXT_CRED_PROTECT;
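Review bot: The in-code comment under the changed condition should state why PIN-only enrollments (FIDO2ENROLL_PIN without FIDO2ENROLL_UV) are deliberately excluded from credProtect, since the only rationale currently lives in the commit message: a FIDO_CRED_PROT_UV_REQUIRED policy would force the non-interactive pre-flight request to supply the PIN, which is exactly what the fix avoids. Without that note, the next person to read `if (FLAGS_SET(lock_with, FIDO2ENROLL_UV)) {` next to "Attempt to use the "cred protect" extension, requiring user verification (UV)" is likely to treat the missing PIN case as an oversight and reintroduce the regression. A one-line addition along the lines of "Not requested for PIN-only credentials, as UV_REQUIRED would break non-interactive pre-flight discovery" would suffice; it is also worth confirming in the PR description that PIN-only credentials therefore remain enrolled without any credProtect policy, so the resulting behavior for existing users is documented.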