Releases: solokeys/solo1
4.1.5
Fix issue with allow_list & rk credential (re-release)
Fixes a small issue where if an allow_list is specified and rk credentials are matched, all of them would get returned. The correct behavior is to only return one.
Thanks to @drbinson of @MeaVitae for finding this and making a great demo: https://github.com/MeaVitae/mv-security-key-test
Update:
This is replacing 4.1.3 where I mistakenly compiled the firmware with the button disabled.
Fix user info returned for RK credential specified by allowList
This is a minor release that fixes an issue where the User ID for a given credential wasn't being returned where it should be. This is when a RK credential is being used as specified from the allowList in a getAssertion request.
Minor change to fix boot issue on some devices
Minor change, please check notes in 4.1.0 release.
This update fixes the initialization order of the device so that some devices no longer run into a boot issue (#516).
Bug fixes and Ed255
This release has a number of bug fixes and adds support for Ed255 for FIDO2, thanks to the great work by @enrikb.
- Add Ed255 support for FIDO2 #478.
- Adjustments to make fault injection attacks more difficult #504.
- Fix incorrect logic and memmove that caused UV not to get set #493.
- Fix incorrect cbor ordering regarding credProtect and hmac-secret extension #508 (thanks @aseigler, @timcappalli for finding & reporting).
- Build & documentation improvements #509, #495, #490, #485, #482
Note there was an initial 4.1.0 release for a few hours which contained a build issue, and has been updated.
Credential management and credProtect added
After discussion with @nickray, I'm making this a major version release and deleting the old 3.2.0, because it will likely void any existing RK credentials on your solo device when updating from <4.0.0.
Warning: After this update, any existing RK's on your device will likely not work anymore. If you're not sure about what RK/resident-key is, then you probably do not have any and do not need to worry.
Additional improvements from (now defunct) 3.2.0 release:
Two big features added in this release:
- Credential management (able to enumerate and delete resident key credentials).
- credProtect extension (able to enforce UV on specific credentials)
Changes:
- add cred protect extension
- Fix issues with RK buffer handling
- Fix issue with credentials being ordered incorrectly for getAssertions
- Fix issue with extensions not being applied to getNextAssertion assertions.
- Fix issue with some getNextAssertions not signing correct rpIdHash.
- Refactor + bugfix credential management
- Add delete command for credential management
- Add user presence check if a credential is excluded during makeCredential step
- Add custom vendor command for rebooting device to allow easier testing.
- Fix regression with user presence being collected twice in some cases.
This has been successfully tested for Microsoft / Azure AD compatibility.
Public tests have been added to fido2-tests.
Thank you to @rgerganov for his contributions on credential management and fixing bugs (#392, #398, #391, #404).
Thank you to @My1 for help testing and providing logs.
Fix version not correctly positioned in build
The last 3.1.2 could not be updated on most authenticators with version checking due to an error in the build not putting the version in correctly. This corrects the issue.
Thank you to @schwarzeh for mailing me a key to reproduce the issue.
Fix potential CBOR parsing safety issues
As discovered in our security audit by DoyenSec, there were some potential cbor safety issues, the largest being there wasn't a proper recursion limit to one of the methods we were using from tinycbor. Now that has been fixed.
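Why a recursion limit matters when parsing attacker-supplied CBOR, shown as an added stand-alone example (not Solo's or tinycbor's code): a recursive item walker whose nesting depth is capped, so a short run of nested array headers cannot drive stack use on a small microcontroller. The names `cbor_check`, `skip_item`, `read_arg` and the limit `CBOR_MAX_DEPTH` are assumptions made for this example, and indefinite-length items are rejected outright.

```c
#include <stddef.h>
#include <stdint.h>
#define CBOR_MAX_DEPTH 4 /* assumed limit for this example, not Solo's value */

/* Constructed samples: [[[[0]]]] and the same with one more level of nesting. */
static const uint8_t SAMPLE_OK[]   = {0x81, 0x81, 0x81, 0x81, 0x00};
static const uint8_t SAMPLE_DEEP[] = {0x81, 0x81, 0x81, 0x81, 0x81, 0x00};

/* Decode the argument that follows an initial byte; returns 0 on success. */
static int read_arg(const uint8_t **p, const uint8_t *end, uint8_t ai, uint64_t *v) {
    if (ai < 24) { *v = ai; return 0; }
    if (ai > 27) return -1;              /* reserved or indefinite length: rejected */
    size_t n = (size_t)1 << (ai - 24);   /* 1, 2, 4 or 8 argument bytes */
    if ((size_t)(end - *p) < n) return -1;
    for (*v = 0; n; n--) *v = (*v << 8) | *(*p)++;
    return 0;
}

/* Skip one data item; fails on truncation or nesting beyond CBOR_MAX_DEPTH. */
static int skip_item(const uint8_t **p, const uint8_t *end, int depth) {
    uint64_t arg;
    if (depth > CBOR_MAX_DEPTH || *p >= end) return -1;
    uint8_t ib = *(*p)++;
    if (read_arg(p, end, ib & 0x1f, &arg)) return -1;
    switch (ib >> 5) {
    case 2: case 3:                      /* byte/text string: skip the payload */
        if (arg > (uint64_t)(end - *p)) return -1;
        *p += arg; return 0;
    case 4: case 5:                      /* array, or map with two items per pair */
        if ((ib >> 5) == 5) { if (arg > UINT64_MAX / 2) return -1; arg *= 2; }
        for (; arg; arg--) if (skip_item(p, end, depth + 1)) return -1;
        return 0;
    case 6:                              /* tag wraps exactly one item */
        return skip_item(p, end, depth + 1);
    default:                             /* integers, simple values, floats */
        return 0;
    }
}

/* Returns 0 if buf holds exactly one well-formed item within the depth limit. */
int cbor_check(const uint8_t *buf, size_t len) {
    const uint8_t *p = buf;
    return (skip_item(&p, buf + len, 0) == 0 && p == buf + len) ? 0 : -1;
}

int main(void) {
    return !(cbor_check(SAMPLE_OK, sizeof SAMPLE_OK) == 0 &&
             cbor_check(SAMPLE_DEEP, sizeof SAMPLE_DEEP) == -1);
}
```

Without the `depth` check, each additional `0x81` byte in the input costs one more stack frame, so recursion depth is bounded only by message size.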
Minor fixes to 3.1.0
- Initialize variable to avoid potential version bypass in bootloader
- Add a command to support users locking flash that have been locked out from the normal process.