Enable alwaysUv if a PIN is set and alwaysUv is a device option or there's current Uv in memory. It will force a PIN prompt.

Fixes #113.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
Pol Henarejos
2025-02-24 12:01:41 +01:00
parent 3807e23914
commit bdbdd92be8
3 changed files with 11 additions and 3 deletions


@@ -300,7 +300,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
}
else {
creds_len++;
silent = false;
silent = false; // If we are able to load a credential, we are not silent
// Even we provide allowList, we need to check if the credential is resident
if (!resident) {
for (int i = 0; i < MAX_RESIDENT_CREDENTIALS && creds_len < MAX_CREDENTIAL_COUNT_IN_LIST; i++) {
@@ -332,7 +332,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
}
else {
creds_len++;
silent = false;
silent = false; // If we are able to load a credential, we are not silent
}
}
resident = true;


@@ -50,11 +50,18 @@ int cbor_get_info() {
CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, aaguid, sizeof(aaguid)));
CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x04));
CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &arrayEncoder, 8));
CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &arrayEncoder, 9));
CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "ep"));
CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, get_opts() & FIDO2_OPT_EA));
CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "rk"));
CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, true));
CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "alwaysUv"));
if (file_has_data(ef_pin) && (get_opts() & FIDO2_OPT_AUV || !getUserVerifiedFlagValue())) {
CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, true));
}
else {
CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, false));
}
CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "credMgmt"));
CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, true));
CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "authnrCfg"));
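Review bot: The new alwaysUv condition `if (file_has_data(ef_pin) && (get_opts() & FIDO2_OPT_AUV || !getUserVerifiedFlagValue()))` mixes `&` and `||` without grouping parentheses, and its negated second operand reads opposite to the commit message ("there's current Uv in memory"): as written, alwaysUv is reported true when the UV flag is not currently set. If the intent is to force a PIN prompt only while no verified state is cached, the code does that and the message is misleading; if the message is the intent, the `!` is inverted — please confirm which. Either way I would write it as `bool auv = (get_opts() & FIDO2_OPT_AUV) != 0 || !getUserVerifiedFlagValue();` preceded by a one-line comment stating the chosen reading, e.g. `// alwaysUv is advertised only when a PIN exists; it is also forced while no UV state is cached so the client prompts for the PIN`. Since authenticatorGetInfo is generally treated by clients as static device capability, a value that changes with transient UV state may be cached by the platform — if that is deliberate, it deserves a comment too. cbor_get_info's body continues outside the hunk.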


@@ -85,6 +85,7 @@ extern int ecdh(uint8_t protocol, const mbedtls_ecp_point *Q, uint8_t *sharedSec
#define FIDO2_AUT_FLAG_ED 0x80
#define FIDO2_OPT_EA 0x01 // Enterprise Attestation
#define FIDO2_OPT_AUV 0x02 // User Verification
#define MAX_PIN_RETRIES 8
extern bool getUserPresentFlagValue();
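Review bot: The comment on the new `#define FIDO2_OPT_AUV 0x02 // User Verification` line names the generic concept rather than the option it represents, which is the CTAP alwaysUv option checked in cbor_get_info; I would write `#define FIDO2_OPT_AUV 0x02 // alwaysUv: always require user verification`. The neighbouring FIDO2_OPT_EA comment already follows that name-the-option pattern, so this keeps the two consistent.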