Bump required minimum version of libfido2 to 1.5.0 (#38975)

Major distributions already have libfido2 >= 1.12.0. Let's bump the
required minimum version to 1.5.0, which provides FIDO_ERR_UV_BLOCKED.

Note, libfido2 1.5.0 was released on 2020-09-01.

See also #38608.

README

@@ -245,7 +245,7 @@ REQUIREMENTS:
         gnutls >= 3.1.4 (optional)
         openssl >= 1.1.0 (optional, required to support DNS-over-TLS)
         p11-kit >= 0.23.3 (optional)
-        libfido2 (optional)
+        libfido2 >= 1.5.0 (optional)
         tpm2-tss (optional)
         elfutils >= 158 (optional)
         polkit (optional)

man/hwdb.xml

@@ -29,7 +29,7 @@
       <para>The hwdb files are read from the files located in the
       system hwdb directory <filename>/usr/lib/udev/hwdb.d</filename> and
       the local administration directory <filename>/etc/udev/hwdb.d</filename>.
-      All hwdb files are collectively sorted and processed in lexical order,
+      All hwdb files are collectively sorted and processed in lexicographic order,
       regardless of the directories in which they live. However, files with
       identical filenames replace each other. Files in <filename>/etc/</filename>
       have the highest priority and take precedence over files with the same

man/kernel-install.xml

@@ -70,7 +70,7 @@
 
     <para><command>kernel-install</command> will run the executable files ("plugins") located in the
     directory <filename>/usr/lib/kernel/install.d/</filename> and the local administration directory
-    <filename>/etc/kernel/install.d/</filename>.  All files are collectively sorted and executed in lexical
+    <filename>/etc/kernel/install.d/</filename>.  All files are collectively sorted and executed in lexicographic
     order, regardless of the directory in which they live. However, files with identical filenames replace
     each other.  Files in <filename>/etc/kernel/install.d/</filename> take precedence over files with the
     same name in <filename>/usr/lib/kernel/install.d/</filename>. This can be used to override a
@@ -82,7 +82,7 @@
 
     <para>An executable placed in these directories should return <constant>0</constant> on success. It may
     also return <constant>77</constant> to cause the whole operation to terminate (executables later in
-    lexical order will be skipped).</para>
+    lexicographic order will be skipped).</para>
   </refsect1>
 
   <refsect1>

man/systemd-pcrlock.xml

@@ -488,7 +488,7 @@
         <filename>*.pcrlock.d/*.pcrlock</filename> files from. May be used more than once to specify multiple
         such directories. If not specified, defaults to <filename>/etc/pcrlock.d/</filename>,
         <filename>/run/pcrlock.d/</filename>, <filename>/var/lib/pcrlock.d/</filename>,
-        <filename>/usr/local/pcrlock.d/</filename>, <filename>/usr/lib/pcrlock.d/</filename>.</para>
+        <filename>/usr/local/lib/pcrlock.d/</filename>, <filename>/usr/lib/pcrlock.d/</filename>.</para>
 
         <xi:include href="version-info.xml" xpointer="v255"/></listitem>
       </varlistentry>

man/systemd-userdbd.service.xml

@@ -35,7 +35,9 @@
     compatibility. It may also pick up statically defined JSON user/group records from files in
     <filename>/etc/userdb/</filename>, <filename>/run/userdb/</filename>,
     <filename>/run/host/userdb/</filename> and <filename>/usr/lib/userdb/</filename> with the
-    <literal>.user</literal> or <literal>.group</literal> extension.</para>
+    <literal>.user</literal> or <literal>.group</literal> extension. For more details about the extensions
+    read the <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    manpage.</para>
 
     <para>Most of <command>systemd-userdbd</command>'s functionality is accessible through the
     <citerefentry><refentrytitle>userdbctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>

man/systemd.dnssd.xml

@@ -41,7 +41,7 @@
     <filename>/usr/local/lib/systemd/dnssd</filename>, the volatile runtime network directory
     <filename>/run/systemd/dnssd</filename> and the local administration network directory
     <filename>/etc/systemd/dnssd</filename>. All configuration files are collectively sorted and processed in
-    lexical order, regardless of the directories in which they live. However, files with identical filenames
+    lexicographic order, regardless of the directories in which they live. However, files with identical filenames
     replace each other. Files in <filename>/etc/</filename> have the highest priority, files in
     <filename>/run/</filename> take precedence over files with the same name in
     <filename>/usr/lib/</filename>. This can be used to override a system-supplied configuration file with a

man/systemd.link.xml

@@ -72,9 +72,9 @@
 
     <para>The link file contains a [Match] section, which determines if a given link file may be applied to a
     given device, as well as a [Link] section specifying how the device should be configured. The first (in
-    lexical order) of the link files that matches a given device is applied. Note that a default file
+    lexicographic order) of the link files that matches a given device is applied. Note that a default file
     <filename>99-default.link</filename> is shipped by the system. Any user-supplied
-    <filename>.link</filename> should hence have a lexically earlier name to be considered at all.</para>
+    <filename>.link</filename> should hence have a lexicographically earlier name to be considered at all.</para>
 
     <para>See <citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
     diagnosing problems with <filename>.link</filename> files.</para>

man/systemd.network.xml

@@ -1530,7 +1530,7 @@ DuplicateAddressDetection=none</programlisting></para>
           and the per-interface configuration with <command>systemd-networkd</command> once the interfaces
           appear later. Currently this feature is only implemented for SELinux.</para>
 
-          <para>The option expects a single NetLabel label. The label must conform to lexical restrictions of
+          <para>The option expects a single NetLabel label. The label must conform to lexicographic restrictions of
           LSM labels. When an interface is configured with IP addresses, the addresses and subnetwork masks
           will be appended to the <ulink
           url="https://github.com/SELinuxProject/selinux-notebook/blob/main/src/network_support.md">NetLabel
@@ -1589,7 +1589,7 @@ allow my_server_t localnet_peer_t:peer recv;</programlisting>
           <literal>prefix</literal> or <literal>ifindex</literal>), NFT address family (one of
           <literal>arp</literal>, <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>,
           <literal>ip6</literal>, or <literal>netdev</literal>), table name and set name. The names of tables
-          and sets must conform to lexical restrictions of NFT table names. The type of the element used in
+          and sets must conform to lexicographic restrictions of NFT table names. The type of the element used in
           the NFT filter must match the type implied by the directive (<literal>address</literal>,
           <literal>prefix</literal> or <literal>ifindex</literal>) and address type (IPv4 or IPv6) as shown
           in the table below.</para>

man/systemd.pcrlock.xml

@@ -28,8 +28,8 @@
       <member><filename>/run/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
       <member><filename>/var/lib/pcrlock.d/*.pcrlock</filename></member>
       <member><filename>/var/lib/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
-      <member><filename>/usr/local/pcrlock.d/*.pcrlock</filename></member>
-      <member><filename>/usr/local/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
+      <member><filename>/usr/local/lib/pcrlock.d/*.pcrlock</filename></member>
+      <member><filename>/usr/local/lib/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
       <member><filename>/usr/lib/pcrlock.d/*.pcrlock</filename></member>
       <member><filename>/usr/lib/pcrlock.d/*.pcrlock.d/*.pcrlock</filename></member>
     </simplelist></para>

man/systemd.resource-control.xml

@@ -1039,7 +1039,7 @@ RestrictNetworkInterfaces=~eth1</programlisting>
           <literal>user</literal> or <literal>group</literal>), NFT address family (one of
           <literal>arp</literal>, <literal>bridge</literal>, <literal>inet</literal>, <literal>ip</literal>,
           <literal>ip6</literal>, or <literal>netdev</literal>), table name and set name. The names of tables
-          and sets must conform to lexical restrictions of NFT table names. The type of the element used in
+          and sets must conform to lexicographic restrictions of NFT table names. The type of the element used in
           the NFT filter must match the type implied by the directive (<literal>cgroup</literal>,
           <literal>user</literal> or <literal>group</literal>) as shown in the table below. When a control
           group or a unit is realized, the corresponding ID will be appended to the NFT sets and it will be

man/udev.xml

@@ -51,7 +51,7 @@
       <filename>/usr/lib/udev/rules.d</filename> and <filename>/usr/local/lib/udev/rules.d</filename>, the
       volatile runtime directory <filename>/run/udev/rules.d</filename> and the local administration
       directory <filename>/etc/udev/rules.d</filename>.  All rules files are collectively sorted and
-      processed in lexical order, regardless of the directories in which they live. However, files with
+      processed in lexicographic order, regardless of the directories in which they live. However, files with
       identical filenames replace each other. Files in <filename>/etc/</filename> have the highest priority,
       files in <filename>/run/</filename> take precedence over files with the same name under
       <filename>/usr/</filename>. This can be used to override a system-supplied rules file with a local

meson.build

@@ -405,6 +405,7 @@ possible_common_cc_flags = [
         '-Werror=shift-overflow=2',
         '-Werror=strict-flex-arrays',
         '-Werror=undef',
+        '-Werror=unused-variable',
         '-Wfloat-equal',
         # gperf prevents us from enabling this because it does not emit fallthrough
         # attribute with clang.
@@ -1351,6 +1352,7 @@ feature = get_option('libfido2').require(
         conf.get('HAVE_OPENSSL') == 1,
         error_message : 'openssl required')
 libfido2 = dependency('libfido2',
+                      version : '>=1.5.0',
                       required : feature)
 conf.set10('HAVE_LIBFIDO2', libfido2.found())
 
@@ -2364,9 +2366,9 @@ subdir('src/login')
 subdir('src/machine')
 subdir('src/machine-id-setup')
 subdir('src/measure')
-subdir('src/mountfsd')
 subdir('src/modules-load')
 subdir('src/mount')
+subdir('src/mountfsd')
 subdir('src/network')
 subdir('src/notify')
 subdir('src/nspawn')
@@ -2400,6 +2402,7 @@ subdir('src/socket-activate')
 subdir('src/socket-proxy')
 subdir('src/ssh-generator')
 subdir('src/stdio-bridge')
+subdir('src/storagetm')
 subdir('src/sulogin-shell')
 subdir('src/sysctl')
 subdir('src/sysext')
@@ -2408,7 +2411,6 @@ subdir('src/systemctl')
 subdir('src/sysupdate')
 subdir('src/sysusers')
 subdir('src/sysv-generator')
-subdir('src/storagetm')
 subdir('src/timedate')
 subdir('src/timesync')
 subdir('src/tmpfiles')

src/basic/fs-util.c

@@ -423,76 +423,76 @@ int touch(const char *path) {
         return touch_file(path, false, USEC_INFINITY, UID_INVALID, GID_INVALID, MODE_INVALID);
 }
 
-int symlinkat_idempotent(const char *from, int atfd, const char *to, bool make_relative) {
+int symlinkat_idempotent(const char *target, int atfd, const char *linkpath, bool make_relative) {
         _cleanup_free_ char *relpath = NULL;
         int r;
 
-        assert(from);
-        assert(to);
+        assert(target);
+        assert(linkpath);
 
         if (make_relative) {
-                r = path_make_relative_parent(to, from, &relpath);
+                r = path_make_relative_parent(linkpath, target, &relpath);
                 if (r < 0)
                         return r;
 
-                from = relpath;
+                target = relpath;
         }
 
-        if (symlinkat(from, atfd, to) < 0) {
+        if (symlinkat(target, atfd, linkpath) < 0) {
                 _cleanup_free_ char *p = NULL;
 
                 if (errno != EEXIST)
                         return -errno;
 
-                r = readlinkat_malloc(atfd, to, &p);
+                r = readlinkat_malloc(atfd, linkpath, &p);
                 if (r == -EINVAL) /* Not a symlink? In that case return the original error we encountered: -EEXIST */
                         return -EEXIST;
                 if (r < 0) /* Any other error? In that case propagate it as is */
                         return r;
 
-                if (!streq(p, from)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
+                if (!streq(p, target)) /* Not the symlink we want it to be? In that case, propagate the original -EEXIST */
                         return -EEXIST;
         }
 
         return 0;
 }
 
-int symlinkat_atomic_full(const char *from, int atfd, const char *to, SymlinkFlags flags) {
+int symlinkat_atomic_full(const char *target, int atfd, const char *linkpath, SymlinkFlags flags) {
         int r;
 
-        assert(from);
-        assert(to);
+        assert(target);
+        assert(linkpath);
 
         _cleanup_free_ char *relpath = NULL;
         if (FLAGS_SET(flags, SYMLINK_MAKE_RELATIVE)) {
-                r = path_make_relative_parent(to, from, &relpath);
+                r = path_make_relative_parent(linkpath, target, &relpath);
                 if (r < 0)
                         return r;
 
-                from = relpath;
+                target = relpath;
         }
 
         _cleanup_free_ char *t = NULL;
-        r = tempfn_random(to, NULL, &t);
+        r = tempfn_random(linkpath, NULL, &t);
         if (r < 0)
                 return r;
 
         bool call_label_ops_post = false;
         if (FLAGS_SET(flags, SYMLINK_LABEL)) {
-                r = label_ops_pre(atfd, to, S_IFLNK);
+                r = label_ops_pre(atfd, linkpath, S_IFLNK);
                 if (r < 0)
                         return r;
 
                 call_label_ops_post = true;
         }
 
-        r = RET_NERRNO(symlinkat(from, atfd, t));
+        r = RET_NERRNO(symlinkat(target, atfd, t));
         if (call_label_ops_post)
                 RET_GATHER(r, label_ops_post(atfd, t, /* created= */ r >= 0));
         if (r < 0)
                 return r;
 
-        r = RET_NERRNO(renameat(atfd, t, atfd, to));
+        r = RET_NERRNO(renameat(atfd, t, atfd, linkpath));
         if (r < 0) {
                 (void) unlinkat(atfd, t, 0);
                 return r;

src/basic/fs-util.h

@@ -47,9 +47,9 @@ int touch_fd(int fd, usec_t stamp);
 int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode);
 int touch(const char *path);
 
-int symlinkat_idempotent(const char *from, int atfd, const char *to, bool make_relative);
-static inline int symlink_idempotent(const char *from, const char *to, bool make_relative) {
-        return symlinkat_idempotent(from, AT_FDCWD, to, make_relative);
+int symlinkat_idempotent(const char *target, int atfd, const char *linkpath, bool make_relative);
+static inline int symlink_idempotent(const char *target, const char *linkpath, bool make_relative) {
+        return symlinkat_idempotent(target, AT_FDCWD, linkpath, make_relative);
 }
 
 typedef enum SymlinkFlags {
@@ -57,9 +57,9 @@ typedef enum SymlinkFlags {
         SYMLINK_LABEL         = 1 << 1,
 } SymlinkFlags;
 
-int symlinkat_atomic_full(const char *from, int atfd, const char *to, SymlinkFlags flags);
-static inline int symlink_atomic(const char *from, const char *to) {
-        return symlinkat_atomic_full(from, AT_FDCWD, to, 0);
+int symlinkat_atomic_full(const char *target, int atfd, const char *linkpath, SymlinkFlags flags);
+static inline int symlink_atomic(const char *target, const char *linkpath) {
+        return symlinkat_atomic_full(target, AT_FDCWD, linkpath, 0);
 }
 
 int mknodat_atomic(int atfd, const char *path, mode_t mode, dev_t dev);

src/import/pull-job.c

@@ -5,6 +5,7 @@
 #include <sys/xattr.h>
 
 #include "alloc-util.h"
+#include "curl-util.h"
 #include "fd-util.h"
 #include "format-util.h"
 #include "hexdecoct.h"
@@ -13,7 +14,6 @@
 #include "parse-util.h"
 #include "pull-common.h"
 #include "pull-job.h"
-#include "curl-util.h"
 #include "string-util.h"
 #include "strv.h"
 #include "sync-util.h"

src/kernel-install/kernel-install.c

@@ -1368,7 +1368,7 @@ static int verb_inspect(int argc, char *argv[], void *userdata) {
                            TABLE_FIELD, "Entry Directory",
                            TABLE_STRING, c->entry_dir,
                            TABLE_FIELD, "Kernel Version",
-                           TABLE_STRING, c->version,
+                           TABLE_VERSION, c->version,
                            TABLE_FIELD, "Kernel",
                            TABLE_STRING, c->kernel,
                            TABLE_FIELD, "Initrds",
@@ -1430,6 +1430,7 @@ static int verb_list(int argc, char *argv[], void *userdata) {
 
         table_set_ersatz_string(table, TABLE_ERSATZ_DASH);
         table_set_align_percent(table, table_get_cell(table, 0, 1), 100);
+        (void) table_set_sort(table, (size_t) 0);
 
         FOREACH_ARRAY(d, de->entries, de->n_entries) {
                 _cleanup_free_ char *j = path_join("/usr/lib/modules/", (*d)->d_name);
@@ -1460,7 +1461,7 @@ static int verb_list(int argc, char *argv[], void *userdata) {
                         exists = true;
 
                 r = table_add_many(table,
-                                   TABLE_STRING, (*d)->d_name,
+                                   TABLE_VERSION, (*d)->d_name,
                                    TABLE_BOOLEAN_CHECKMARK, exists,
                                    TABLE_SET_COLOR, ansi_highlight_green_red(exists),
                                    TABLE_PATH, j);

src/libsystemd/sd-json/sd-json.c

@@ -3474,6 +3474,17 @@ _public_ int sd_json_parse_file(
         return sd_json_parse_file_at(f, AT_FDCWD, path, flags, ret, reterr_line, reterr_column);
 }
 
+static char *underscorify(char *p) {
+        assert(p);
+
+        /* Replaces "-", "+" by "_", to deal with the usual enum naming rules we have. */
+
+        for (char *q = p; *q; q++)
+                *q = IN_SET(*q, '_', '-', '+') ? '_' : *q;
+
+        return p;
+}
+
 _public_ int sd_json_buildv(sd_json_variant **ret, va_list ap) {
         JsonStack *stack = NULL;
         size_t n_stack = 1;
@@ -3521,13 +3532,13 @@ _public_ int sd_json_buildv(sd_json_variant **ret, va_list ap) {
                                 _cleanup_free_ char *c = NULL;
 
                                 if (command == _JSON_BUILD_STRING_UNDERSCORIFY) {
-                                        c = strreplace(p, "-", "_");
+                                        c = strdup(p);
                                         if (!c) {
                                                 r = -ENOMEM;
                                                 goto finish;
                                         }
 
-                                        p = c;
+                                        p = underscorify(c);
                                 }
 
                                 r = sd_json_variant_new_string(&add, p);
@@ -5085,6 +5096,10 @@ _public_ int sd_json_dispatch_full(
         int r, done = 0;
         bool *found;
 
+        /* Consider a NULL pointer equivalent to an empty object */
+        if (!v)
+                v = JSON_VARIANT_MAGIC_EMPTY_OBJECT;
+
         if (!sd_json_variant_is_object(v)) {
                 json_log(v, flags, 0, "JSON variant is not an object.");
 

src/shared/btrfs-util.c

@@ -907,6 +907,11 @@ static int subvol_remove_children(int fd, const char *subvolume, uint64_t subvol
         if (r == 0) /* Not a btrfs subvolume */
                 return -ENOTTY;
 
+        /* Before we try anything, let's see if 'user_subvol_rm_allowed' is enabled and we can just remove
+         * the dir directly */
+        if (unlinkat(fd, subvolume, AT_REMOVEDIR) >= 0)
+                goto finish;
+
         if (subvol_id == 0) {
                 r = btrfs_subvol_get_id_fd(subvol_fd, &subvol_id);
                 if (r < 0)
@@ -916,10 +921,8 @@ static int subvol_remove_children(int fd, const char *subvolume, uint64_t subvol
         /* First, try to remove the subvolume. If it happens to be
          * already empty, this will just work. */
         strncpy(vol_args.name, subvolume, sizeof(vol_args.name)-1);
-        if (ioctl(fd, BTRFS_IOC_SNAP_DESTROY, &vol_args) >= 0) {
-                (void) btrfs_qgroup_destroy_recursive(fd, subvol_id); /* for the leaf subvolumes, the qgroup id is identical to the subvol id */
-                return 0;
-        }
+        if (ioctl(fd, BTRFS_IOC_SNAP_DESTROY, &vol_args) >= 0)
+                goto finish;
         if (!(flags & BTRFS_REMOVE_RECURSIVE) || errno != ENOTEMPTY)
                 return -errno;
 
@@ -1001,6 +1004,8 @@ static int subvol_remove_children(int fd, const char *subvolume, uint64_t subvol
         if (ioctl(fd, BTRFS_IOC_SNAP_DESTROY, &vol_args) < 0)
                 return -errno;
 
+finish:
+        /* for the leaf subvolumes, the qgroup id is identical to the subvol id */
         (void) btrfs_qgroup_destroy_recursive(fd, subvol_id);
         return 0;
 }

src/shared/format-table.c

@@ -287,6 +287,7 @@ static size_t table_data_size(TableDataType type, const void *data) {
         case TABLE_PATH_BASENAME:
         case TABLE_FIELD:
         case TABLE_HEADER:
+        case TABLE_VERSION:
                 return strlen(data) + 1;
 
         case TABLE_STRV:
@@ -526,7 +527,7 @@ int table_add_cell_stringf_full(Table *t, TableCell **ret_cell, TableDataType dt
         int r;
 
         assert(t);
-        assert(IN_SET(dt, TABLE_STRING, TABLE_PATH, TABLE_PATH_BASENAME, TABLE_FIELD, TABLE_HEADER));
+        assert(IN_SET(dt, TABLE_STRING, TABLE_PATH, TABLE_PATH_BASENAME, TABLE_FIELD, TABLE_HEADER, TABLE_VERSION));
 
         va_start(ap, format);
         r = vasprintf(&buffer, format, ap);
@@ -934,6 +935,7 @@ int table_add_many_internal(Table *t, TableDataType first_type, ...) {
                 case TABLE_PATH_BASENAME:
                 case TABLE_FIELD:
                 case TABLE_HEADER:
+                case TABLE_VERSION:
                         data = va_arg(ap, const char *);
                         break;
 
@@ -1395,6 +1397,9 @@ static int cell_data_compare(TableData *a, size_t index_a, TableData *b, size_t
                 case TABLE_PATH_BASENAME:
                         return path_compare(a->string, b->string);
 
+                case TABLE_VERSION:
+                        return strverscmp_improved(a->string, b->string);
+
                 case TABLE_STRV:
                 case TABLE_STRV_WRAPPED:
                         return strv_compare(a->strv, b->strv);
@@ -1579,7 +1584,8 @@ static const char *table_data_format(Table *t, TableData *d, bool avoid_uppercas
         case TABLE_PATH:
         case TABLE_PATH_BASENAME:
         case TABLE_FIELD:
-        case TABLE_HEADER: {
+        case TABLE_HEADER:
+        case TABLE_VERSION: {
                 _cleanup_free_ char *bn = NULL;
                 const char *s;
 
@@ -2753,6 +2759,7 @@ static int table_data_to_json(TableData *d, sd_json_variant **ret) {
         case TABLE_PATH_BASENAME:
         case TABLE_FIELD:
         case TABLE_HEADER:
+        case TABLE_VERSION:
                 return sd_json_variant_new_string(ret, d->string);
 
         case TABLE_STRV:

src/shared/format-table.h

@@ -16,6 +16,7 @@ typedef enum TableDataType {
         TABLE_STRV_WRAPPED,
         TABLE_PATH,
         TABLE_PATH_BASENAME,       /* like TABLE_PATH, but display only last path element (i.e. the "basename") in regular output */
+        TABLE_VERSION,             /* just like TABLE_STRING, but uses version comparison when sorting */
         TABLE_BOOLEAN,
         TABLE_BOOLEAN_CHECKMARK,
         TABLE_TIMESTAMP,

src/shared/generator.c

@@ -26,11 +26,11 @@
 #include "tmpfile-util.h"
 #include "unit-name.h"
 
-static int symlink_unless_exists(const char *from, const char *to) {
-        (void) mkdir_parents(to, 0755);
+static int symlink_unless_exists(const char *target, const char *linkpath) {
+        (void) mkdir_parents(linkpath, 0755);
 
-        if (symlink(from, to) < 0 && errno != EEXIST)
-                return log_error_errno(errno, "Failed to create symlink %s: %m", to);
+        if (symlink(target, linkpath) < 0 && errno != EEXIST)
+                return log_error_errno(errno, "Failed to create symlink %s: %m", linkpath);
         return 0;
 }
 

src/shared/libfido2-util.c

@@ -271,11 +271,9 @@ static int fido2_common_assert_error_handle(int r) {
         case FIDO_ERR_PIN_AUTH_BLOCKED:
                 return log_error_errno(SYNTHETIC_ERRNO(EOWNERDEAD),
                                        "PIN of security token is blocked, please remove/reinsert token.");
-#ifdef FIDO_ERR_UV_BLOCKED
         case FIDO_ERR_UV_BLOCKED:
                 return log_error_errno(SYNTHETIC_ERRNO(EOWNERDEAD),
                                        "Verification of security token is blocked, please remove/reinsert token.");
-#endif
         case FIDO_ERR_PIN_INVALID:
                 return log_error_errno(SYNTHETIC_ERRNO(ENOLCK),
                                        "PIN of security token incorrect.");
@@ -937,11 +935,9 @@ int fido2_generate_hmac_hash(
         if (r == FIDO_ERR_PIN_AUTH_BLOCKED)
                 return log_notice_errno(SYNTHETIC_ERRNO(EPERM),
                                         "Token PIN is currently blocked, please remove and reinsert token.");
-#ifdef FIDO_ERR_UV_BLOCKED
         if (r == FIDO_ERR_UV_BLOCKED)
                 return log_notice_errno(SYNTHETIC_ERRNO(EPERM),
                                         "Token verification is currently blocked, please remove and reinsert token.");
-#endif
         if (r == FIDO_ERR_ACTION_TIMEOUT)
                 return log_error_errno(SYNTHETIC_ERRNO(ENOSTR),
                                        "Token action timeout. (User didn't interact with token quickly enough.)");

src/shared/meson.build

@@ -322,7 +322,7 @@ libshared_deps = [threads,
                   libcap,
                   libcrypt,
                   libdl,
-                  libgcrypt,
+                  libgcrypt_cflags,
                   libiptc_cflags,
                   libkmod_cflags,
                   liblz4_cflags,