From 893d4131b21ed169e192052658f60762644b7539 Mon Sep 17 00:00:00 2001
From: Conor Patrick
Date: Tue, 26 Mar 2019 19:00:12 -0400
Subject: [PATCH 1/2] change how pin is enforced for GA
---
 fido2/ctap.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/fido2/ctap.c b/fido2/ctap.c
index bebc9ab..a93fb66 100644
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -1105,19 +1105,15 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
 return ret;
 }
 
- if (ctap_is_pin_set() && GA.pinAuthPresent == 0)
+ if (GA.pinAuthPresent)
 {
- printf2(TAG_ERR,"pinAuth is required\n");
- return CTAP2_ERR_PIN_REQUIRED;
+ ret = verify_pin_auth(GA.pinAuth, GA.clientDataHash);
+ check_retr(ret);
+ getAssertionState.user_verified = 1;
 }
 else
 {
- if (ctap_is_pin_set() || (GA.pinAuthPresent))
- {
- ret = verify_pin_auth(GA.pinAuth, GA.clientDataHash);
- check_retr(ret);
- getAssertionState.user_verified = 1;
- }
+ getAssertionState.user_verified = 0;
 }
 
 if (!GA.rp.size || !GA.clientDataHashPresent)
@@ -1198,6 +1194,9 @@ uint8_t ctap_get_assertion(CborEncoder * encoder, uint8_t * request, int length)
 ret = ctap_make_auth_data(&GA.rp, &map, auth_data_buf, &len, NULL);
 check_retr(ret);
 
+ ((CTAP_authData *)auth_data_buf)->head.flags &= ~(1 << 2);
+ ((CTAP_authData *)auth_data_buf)->head.flags |= (getAssertionState.user_verified << 2);
+
 {
 unsigned int ext_encoder_buf_size = sizeof(auth_data_buf) - len;
 uint8_t * ext_encoder_buf = auth_data_buf + len;
From 6fa443b0bc71f79d812a81b30e6f48793ca79347 Mon Sep 17 00:00:00 2001
From: Conor Patrick
Date: Tue, 26 Mar 2019 19:00:42 -0400
Subject: [PATCH 2/2] tests for GA without pin
---
 tools/testing/tests/fido2.py | 41 +++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/tools/testing/tests/fido2.py b/tools/testing/tests/fido2.py
index 999f7d5..2ab09e6 100644
--- a/tools/testing/tests/fido2.py
+++ b/tools/testing/tests/fido2.py
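Review bot: Dropping the `ctap_is_pin_set()` guard means a GetAssertion without pinAuth now succeeds while a client PIN is set, and nothing at this site records that this is the intended CTAP2 behaviour (answer with uv=0 rather than CTAP2_ERR_PIN_REQUIRED and leave the decision to the relying party); a comment above `if (GA.pinAuthPresent)` such as `// CTAP2: pinAuth may be absent even with a PIN set; the response then carries uv=0 and the RP decides.` would keep the old check from being reinstated by mistake. With the guard gone, the cases the spec still wants rejected — a pinAuth supplied while no PIN is set, and a zero-length pinAuth — now depend entirely on `verify_pin_auth`, which is outside this hunk and should be confirmed to return the CTAP2_ERR_PIN_NOT_SET / CTAP2_ERR_PIN_INVALID codes the spec asks for in those cases. `getAssertionState.user_verified` is now written on both paths, which is the right move: a stale 1 from a previous request could otherwise survive into the uv bit. `ctap_get_assertion` begins before and continues after this hunk.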
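Review bot: The uv bit is cleared and re-set through a raw `1 << 2` on a cast of `auth_data_buf`, the same literal the Python tests spell out; a named constant for the UV flag bit (for example `#define AUTHDATA_FLAG_UV (1 << 2)`, placed with the authenticator-data definitions outside this hunk) would make the intent readable and keep firmware and tests from drifting apart. The OR also assumes `getAssertionState.user_verified` holds exactly 0 or 1 — true given the assignments in the earlier hunk, but `flags |= getAssertionState.user_verified ? AUTHDATA_FLAG_UV : 0;` would not depend on it. A one-line comment, `// uv reflects whether pinAuth was verified for this request`, would explain why the flag is forced here rather than left to ctap_make_auth_data, which presumably set it before this change. The enclosing function continues outside the hunk.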
@@ -905,22 +905,25 @@ class FIDO2Tests(Tester):
 expectedError=CtapError.ERR.SUCCESS,
 )
 
- # self.testGA(
- # "Send GA request with no pinAuth, expect SUCCESS",
- # rp["id"],
- # cdh,
- # [
- # {
- # "type": "public-key",
- # "id": res_mc.auth_data.credential_data.credential_id,
- # }
- # ],
- # expectedError=CtapError.ERR.SUCCESS,
- # )
-
 with Test("Check UV flag is set"):
 assert res_ga.auth_data.flags & (1 << 2)
 
+ res_ga = self.testGA(
+ "Send GA request with no pinAuth, expect SUCCESS",
+ rp["id"],
+ cdh,
+ [
+ {
+ "type": "public-key",
+ "id": res_mc.auth_data.credential_data.credential_id,
+ }
+ ],
+ expectedError=CtapError.ERR.SUCCESS,
+ )
+
+ with Test("Check UV flag is NOT set"):
+ assert not (res_ga.auth_data.flags & (1 << 2))
+
 self.testReset()
 
 with Test("Setting pin code, expect SUCCESS"):
@@ -973,12 +976,12 @@ class FIDO2Tests(Tester):
 expectedError=CtapError.ERR.PIN_REQUIRED,
 )
 
- # res_mc = self.testGA(
- # "Send GA request with no pin_auth, expect NO_CREDENTIALS",
- # rp["id"],
- # cdh,
- # expectedError=CtapError.ERR.NO_CREDENTIALS,
- # )
+ res_mc = self.testGA(
+ "Send GA request with no pin_auth, expect NO_CREDENTIALS",
+ rp["id"],
+ cdh,
+ expectedError=CtapError.ERR.NO_CREDENTIALS,
+ )
 
 res = self.testCP(
 "Test getRetries, expect SUCCESS",
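Review bot: The new assertions capture the policy only through the Test names; a comment above the second `self.testGA(` explaining why SUCCESS is expected without pinAuth while a PIN is set (`# CTAP2: with a PIN set and no pinAuth, GA succeeds and reports uv=0 instead of PIN_REQUIRED`) would stop a later reader from "correcting" the expectation back to an error. The UV bit is spelled `(1 << 2)` in both flag checks; a single `UV_FLAG = 1 << 2` near the top of the file (or the flag constant the fido2 library exposes, if this file already imports it) would name it once. Consider also asserting that the returned assertion belongs to the credential passed in the allowList, so the no-pinAuth path is shown to produce a usable assertion and not just a cleared flag. The enclosing test method starts before this hunk.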
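Review bot: The GetAssertion that is expected to fail with NO_CREDENTIALS binds its return value to `res_mc`, the name this test uses for the MakeCredential response; if testGA returns the error response, any later step that still reads `res_mc.auth_data` gets the wrong object, and if it returns None the binding is dead either way. Drop the assignment (`self.testGA(` …) or use a throwaway name. The expectation itself lines up with the firmware change: presumably a PIN has been set by this point, and since the request is no longer rejected up front for a missing pinAuth, the lookup with no allowList is what fails. The enclosing method continues past this hunk.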