From f221e927121692278b9ceaac040a3b6d83eb048b Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann
Date: Mon, 17 Nov 2025 14:01:21 +0100
Subject: [PATCH] Make prf optional
---
 .../desktop_native/fido2_client/Cargo.toml | 2 +-
 .../fido2_client/src/ctap_hid_fido2.rs | 16 +++++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/apps/desktop/desktop_native/fido2_client/Cargo.toml b/apps/desktop/desktop_native/fido2_client/Cargo.toml
index ea2bdcbeacd..1e5dbc770fb 100644
--- a/apps/desktop/desktop_native/fido2_client/Cargo.toml
+++ b/apps/desktop/desktop_native/fido2_client/Cargo.toml
@@ -6,7 +6,7 @@ version = { workspace = true }
 publish = { workspace = true }
 [features]
-default = []
+default = ["ctap-hid-fido2"]
 ctap-hid-fido2 = ["dep:ctap-hid-fido2", "dep:pinentry", "dep:secrecy"]
 [dependencies]
diff --git a/apps/desktop/desktop_native/fido2_client/src/ctap_hid_fido2.rs b/apps/desktop/desktop_native/fido2_client/src/ctap_hid_fido2.rs
index 8a3618bf630..ed951c3a703 100644
--- a/apps/desktop/desktop_native/fido2_client/src/ctap_hid_fido2.rs
+++ b/apps/desktop/desktop_native/fido2_client/src/ctap_hid_fido2.rs
@@ -7,7 +7,7 @@ use pinentry::PassphraseInput;
 use secrecy::ExposeSecret;
 use crate::{
- prf_to_hmac, AuthenticatorAssertionResponse, Fido2ClientError, PublicKeyCredential,
+ AuthenticatorAssertionResponse, Fido2ClientError, PublicKeyCredential,
 PublicKeyCredentialRequestOptions,
 };
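Review bot: Changing `default = []` to `default = ["ctap-hid-fido2"]` in the `[features]` hunk is not covered by the commit subject "Make prf optional", and it changes what every default build of this crate contains. With this line the optional `ctap-hid-fido2`, `pinentry` and `secrecy` dependencies are compiled in unless a consumer sets `default-features = false`, so the dependency footprint of the default build grows. If the feature was switched on only to build and test the module locally, keep `default = []` and enable the feature explicitly where it is needed; if the change is intended, state the reason in the commit message.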
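Review bot: The `use crate::{...}` hunk removes `prf_to_hmac` from the import list, but the new code in `make_assertion` (the `@@ -40,10 +40,13 @@` hunk) still calls `prf_to_hmac(&prf_config.first)`. Unless the function is now defined in, or imported into, this module somewhere outside the visible lines, the file stops compiling whenever the `ctap-hid-fido2` feature is enabled, which this same commit makes the default. Either keep the name in the list, `prf_to_hmac, AuthenticatorAssertionResponse, Fido2ClientError, PublicKeyCredential,`, or show where it now comes from.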
@@ -40,10 +40,13 @@ fn make_assertion(
 credential: Option<&[u8]>,
 ) -> Result {
 let mut get_assertion_args =
- GetAssertionArgsBuilder::new(options.rp_id.as_str(), client_data_json.as_bytes())
- .extensions(&[AssertionExtension::HmacSecret(Some(prf_to_hmac(
- &options.prf_eval_first,
- )))]);
+ GetAssertionArgsBuilder::new(options.rp_id.as_str(), client_data_json.as_bytes());
+
+ if let Some(prf_config) = &options.prf {
+ get_assertion_args = get_assertion_args.extensions(&[AssertionExtension::HmacSecret(
+ Some(prf_to_hmac(&prf_config.first)),
+ )]);
+ }
 if let Some(cred) = credential {
 get_assertion_args = get_assertion_args.credential_id(cred);
@@ -143,8 +146,7 @@ mod tests {
 rp_id: "vault.usdev.bitwarden.pw".to_string(),
 user_verification: crate::UserVerification::Required,
 allow_credentials: vec![],
- prf_eval_first: [0u8; 32],
- prf_eval_second: None,
+ prf: None,
 })
 .unwrap();
 }
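Review bot: With the `if let Some(prf_config) = &options.prf` guard, `make_assertion` can now run without requesting hmac-secret, but the code that reads the extension output lies outside this hunk, so it is not visible whether it handles an assertion that carries none. PRF output is presumably consumed as key material by callers, so the no-PRF path should surface an explicit absence in the response rather than an error from a missing extension or a default-filled buffer. Once that is confirmed, a comment on the guard would record the contract, e.g. `// hmac-secret is requested only when the caller supplies PRF input; otherwise the response carries no PRF output.` Only `prf_config.first` is forwarded here; if the config also has a second input (the old struct had `prf_eval_second`), note in the same comment that it is ignored.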
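Review bot: The visible test fixture now passes `prf: None`, so the new `Some(prf_config)` branch in `make_assertion` is not exercised by it, whereas the old fixture with `prf_eval_first: [0u8; 32]` did go through the hmac-secret request. Consider adding a second case that sets `prf` to `Some(..)` with a fixed input, so both the extension and the no-extension path are covered. The test body starts outside the hunk, so this is based only on the fixture lines shown.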