From bdbdd92be8783d85aa12832b56f005dc1832c976 Mon Sep 17 00:00:00 2001
From: Pol Henarejos
Date: Mon, 24 Feb 2025 12:01:41 +0100
Subject: [PATCH] Enable alwaysUv if pin is set and alwaysUv is a device options or there's current Uv in memory. It will force the prompt of a PIN. Fixes #113.
Signed-off-by: Pol Henarejos
---
 src/fido/cbor_get_assertion.c | 4 ++--
 src/fido/cbor_get_info.c | 9 ++++++++-
 src/fido/fido.h | 1 +
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/fido/cbor_get_assertion.c b/src/fido/cbor_get_assertion.c
index fe2558e..72f69b1 100644
--- a/src/fido/cbor_get_assertion.c
+++ b/src/fido/cbor_get_assertion.c
@@ -300,7 +300,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
 }
 else {
 creds_len++;
- silent = false;
+ silent = false; // If we are able to load a credential, we are not silent
 // Even we provide allowList, we need to check if the credential is resident
 if (!resident) {
 for (int i = 0; i < MAX_RESIDENT_CREDENTIALS && creds_len < MAX_CREDENTIAL_COUNT_IN_LIST; i++) {
@@ -332,7 +332,7 @@ int cbor_get_assertion(const uint8_t *data, size_t len, bool next) {
 }
 else {
 creds_len++;
- silent = false;
+ silent = false; // If we are able to load a credential, we are not silent
 }
 }
 resident = true;
diff --git a/src/fido/cbor_get_info.c b/src/fido/cbor_get_info.c
index 7594851..609f2bf 100644
--- a/src/fido/cbor_get_info.c
+++ b/src/fido/cbor_get_info.c
@@ -50,11 +50,18 @@ int cbor_get_info() {
 CBOR_CHECK(cbor_encode_byte_string(&mapEncoder, aaguid, sizeof(aaguid)));
 CBOR_CHECK(cbor_encode_uint(&mapEncoder, 0x04));
- CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &arrayEncoder, 8));
+ CBOR_CHECK(cbor_encoder_create_map(&mapEncoder, &arrayEncoder, 9));
 CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "ep"));
 CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, get_opts() & FIDO2_OPT_EA));
 CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "rk"));
 CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, true));
+ CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "alwaysUv"));
+ if (file_has_data(ef_pin) && (get_opts() & FIDO2_OPT_AUV || !getUserVerifiedFlagValue())) {
+ CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, true));
+ }
+ else {
+ CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, false));
+ }
 CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "credMgmt"));
 CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, true));
 CBOR_CHECK(cbor_encode_text_stringz(&arrayEncoder, "authnrCfg"));
diff --git a/src/fido/fido.h b/src/fido/fido.h
index 656007a..43df0f3 100644
--- a/src/fido/fido.h
+++ b/src/fido/fido.h
@@ -85,6 +85,7 @@ extern int ecdh(uint8_t protocol, const mbedtls_ecp_point *Q, uint8_t *sharedSec
 #define FIDO2_AUT_FLAG_ED 0x80
 #define FIDO2_OPT_EA 0x01 // Enterprise Attestation
+#define FIDO2_OPT_AUV 0x02 // User Verification
 #define MAX_PIN_RETRIES 8
 extern bool getUserPresentFlagValue();
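Review bot: The `!getUserVerifiedFlagValue()` term in the new `alwaysUv` condition contradicts the commit message, which says the option is enabled when there is a current UV in memory; as written, alwaysUv is advertised precisely when no UV flag is cached, so either the message or the condition needs correcting and the rule deserves a comment. This matters because, as I read CTAP 2.1, getInfo's alwaysUv is a configuration option that platforms may cache per device, so a value that flips with transient UV state may not be re-read after the first getInfo. The if/else around the two `cbor_encode_boolean` calls can also follow the form the `ep` entry already uses: `bool always_uv = file_has_data(ef_pin) && ((get_opts() & FIDO2_OPT_AUV) || !getUserVerifiedFlagValue()); // PIN set and (alwaysUv configured or no UV currently cached)` followed by `CBOR_CHECK(cbor_encode_boolean(&arrayEncoder, always_uv));`. Advertising alwaysUv here only asks the client to collect a PIN; whether makeCredential/getAssertion actually reject requests without UV when it is advertised is not visible in this diff and should be confirmed. cbor_get_info's body continues outside the hunk on both sides.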