Skip to content

Releases: BryanJacobs/FIDO2Applet

v2.4.2

Choose a tag to compare

@BryanJacobs BryanJacobs released this 20 Jun 14:38

Fixes a minor problem that could sometimes prevent creating a config token valid for >1 Relying Party ID.

v2.4.1

Choose a tag to compare

@BryanJacobs BryanJacobs released this 19 Jun 16:43

This is the same content as release 2.4.0, but with a higher firmware version reported by the applet.

v2.4.0

Choose a tag to compare

@BryanJacobs BryanJacobs released this 19 Jun 01:04

This release fixes a vulnerability where credential IDs were protected by an unintentionally-short nonce.

An attacker in possession of both the authenticator and a credential previously issued by it could:

  1. Use that credential without a PIN despite the credential being set credProtect=3
  2. Use the credential after its deletion despite the credential being originally created as resident, WHERE the Relying Party was also lax in its own checks

Although the attack surface for either problem is fairly low, it is still best to update to this applet version.

The first problem is only exploitable when alwaysUv is disabled, so enabling that setting negates it. The second problem is only exploitable when the Relying Party also has a problem. Neither problem exists for resident credentials when USE_LOW_SECURITY_FOR_SOME_RKS and LOW_SECURITY_MAXIMUM_COMPLIANCE are explicitly set to false at applet install time (the default is for them to be set to true).

v2.3.0

Choose a tag to compare

@BryanJacobs BryanJacobs released this 21 Mar 23:35
fb82795

Fix iterating through credentials with readers that do not handle eAPDUs.

v2.2.1

Choose a tag to compare

@BryanJacobs BryanJacobs released this 12 Mar 10:12

Doesn't leak memory when deleting credentials on cards that do not auto-GC.

v2.1.2

Choose a tag to compare

@BryanJacobs BryanJacobs released this 10 Mar 02:49

Support more than 127 discoverable credentials at once

v2.1.1

Choose a tag to compare

@BryanJacobs BryanJacobs released this 27 Feb 07:58

Fixes another statekeeping corner case in resident key handling

v2.1.0

Choose a tag to compare

@BryanJacobs BryanJacobs released this 26 Feb 19:55

Fixes a variety of uncommon bugs. Reported FIDO2 firmware version is now 6.

Recommended over earlier versions.

v2.0.5

Choose a tag to compare

@BryanJacobs BryanJacobs released this 05 Dec 08:48

Allows installing using a suffix of the FIDO2 AID.
Bumps the FW version number to 5.

v2.0.4

Choose a tag to compare

@BryanJacobs BryanJacobs released this 22 Oct 20:24

A variety of small bug fixes.

From this version, the applet forces the use of the official FIDO AID, due to problems getting the applet's own AID on certain smartcards.

Example installation parameters: a7050506182007190400081820091904000a1904000b00.