PuTTY 0.77 Release & FIDO Changes

- Merged changes from PuTTY 0.77 branch.
- Added FIDO key support.
- Built and signed binaries for 0.77.

.gitignore

@@ -6,4 +6,5 @@
 *.vcxproj.user
 *.lastcodeanalysissucceeded
 *.manifest
-Temp
+Temp
+Build

README.md

@@ -1,6 +1,5 @@
 # PuTTY CAC
-
-PuTTY CAC is a fork of PuTTY, a popular Secure Shell (SSH) terminal. PuTTY CAC adds the ability to use the Windows Certificate API (CAPI) or a Public Key Cryptography Standards (PKCS) library to perform SSH public key authentication using a private key associated with a certificate that is stored on a hardware token.
+PuTTY CAC is a fork of PuTTY, a popular Secure Shell (SSH) terminal. PuTTY CAC adds the ability to use the Windows Certificate API (CAPI), Public Key Cryptography Standards (PKCS) libraries, or  Fast Identity Online (FIDO) keys to perform SSH public key authentication using a private key associated with a certificate that is stored on a hardware token.
 
 PuTTY CAC can be used with many types of cryptographic tokens such as Yubikeys and popular smart card models. The 'CAC' in 'PuTTY CAC' refers to Common Access Card, a smart card token used for US Government facilities which was one of the initial drivers for the development of PuTTY CAC.
 
@@ -9,17 +8,26 @@ PuTTY CAC is maintained independently from the US Government by the open source
 You can download the latest release of PuTTY CAC here: https://github.com/NoMoreFood/putty-cac/releases
 
 ## Prerequisites
-* Microsoft Windows 7 or Later
+* Microsoft Windows 10 or Later
 * For CAPI support, an appropriate Windows smart card mini-driver must be installed. This is typically provided by the smart card manufacturer although many common hardware tokens are supported by OpenSC.
 * For PKCS support, a PKCS #11 library (typically a DLL file) is needed to interface with the hardware token. This is typically provided by the smart card manufacturer although many common hardware tokens are supported by OpenSC.
+* For FIDO support, a FIDO key supported by Windows 10.
 
 ## Usage
 You can find a basic set of instructions on the usage of United States Government's ID Management website under the 'SSH Using PuTTY-CAC' section: 
 
 https://playbooks.idmanagement.gov/piv/engineer/ssh/
 
 ## Command Line Usage
-PuTTY CAC supports the same command line options as PuTTY. In place of a PuTTY key file path for any PuTTY utility, you can specific certificate thumbprint. For example, `putty.exe CAPI:716B8B58D8F2C3A7F98F3F645161B1BF9818B689 ...` will load the noted thumbprint from the Windows certificate store. For certificates from PKCS libraries, the syntax is the similiar with the addition the library following the thumbprint. For example, `PKCS:716B8B58D8F2C3A7F98F3F645161B1BF9818B689=C:\Windows\Library.dll ...`. 
+PuTTY CAC supports the same command line options as PuTTY with some additional, specialized options for PuTTY CAC specifically. 
+
+In place of a PuTTY key file path for any PuTTY utility, you can specific certificate thumbprint or application identifier. For example:
+* Connect to user@host using the certificate with thumbprint '716B8B58D8F2C3A7F98F3F645161B1BF9818B689' the user certificate store:  
+`putty.exe user@host -i CAPI:716B8B58D8F2C3A7F98F3F645161B1BF9818B689`
+* Connect to user@host using the certificate with thumbprint 'B8B58D8F2C3A7F98F3F645161B1BF9818B689716' using PKCS library 'PKCS.dll':  
+`putty.exe user@host -i PKCS:B8B58D8F2C3A7F98F3F645161B1BF9818B689716=C:\PKCS.dll`  
+* Connect to user@host using FIDO key identified by 'ssh:MyFidoKey' from PuTTY CAC FIDO key cache:  
+`putty.exe user@host -i FIDO:ssh:MyFidoKey`
 
 PuTTY executables (putty.exe, pageant.exe, psftp.exe) support the following additional command line options. Most of these options are focused on the operation of Pageant and are also settable from its user interface. Once set, these options will apply automatically to subsequent executions unless specifically unset. Settings that filter Pageant certificate selection dialogs will also affect filter certificate selection dialogs in the standard PuTTY application:
 * Automatically load any compatible CAPI certificates at startup: `-autoload`,`-autoloadoff`
@@ -34,13 +42,16 @@ PuTTY executables (putty.exe, pageant.exe, psftp.exe) support the following addi
 ### Certificates
 For the purposes of PuTTY CAC, the certificate is simply a convenient way to reference a private/public key pair. If you want to use PuTTY CAC to securely logon to your system and do not have access to a Certificate Authority (CA), the certificate can be self-signed. Conversely, PuTTY CAC can be used in conjunction with managed SSH servers to enforce multifactor authentication. This can be done by ensuring that the OpenSSH authorized_keys file only contains public keys associated with hardware tokens either procedurally or by creating an index of all issued certs and looking them up through OpenSSH directives like AuthorizedKeysCommand.
 ### Federal Information Processing Standards (FIPS) Compliance
-The specific code used to interface with the hardware token utilizes the Microsoft cryptographic libraries which in turn are governed by system-level FIPS settings. However, PuTTY itself utilizes proprietary encryption and hashing for communication which has not undergone evaluation for FIPS compliance or certification. 
+The specific code used to interface with the hardware token utilizes the Microsoft cryptographic libraries which in turn are governed by system-level FIPS settings (see [Microsoft's website](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing)).  Similarly, the hardware token that is used for signing authentication challenges is guaranteed to use FIPS compliant algorithms if the hardware key is FIPS certified; see the hardware token's manufacturer website for more information. PuTTY itself utilizes proprietary encryption and hashing one the SSH session is established which has not undergone evaluation for FIPS compliance or certification. 
 ## Notes On Building PuTTY CAC
 ### Prerequisites
 * Visual Studio 2022 with C++ Desktop Application Development
 * WiX Toolset (to build the MSI files)
 * Windows PowerShell (to build the MSI/ZIP/Hash files)
 
-### Visual Studio Notes
-* Solution File: 'Code\windows\VS2022\putty.sln'
+### Building
+* Execute 'packager\build.cmd' to create build files
+* Visual Studio solution files will be generated under 'build'
 
+### Dependencies
+* PuTTYImp is used to import existing FIDO resident keys. This links libfido2 statically; libfido2 and its binary dependencies are included in this repository. All other PuTTY executables have no dependencies other than those included within the Windows operating system and its associated SDKs.

binaries/puttycac-hash.txt

@@ -1,69 +1,81 @@
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-SHA256          810AC2574AD5A799293A91A530C7BD854C7A059B8146765F717B542D2822BB04       x64\pageant.exe
-SHA256          102606D6E5139F86892E2FFBEEFD37790A7DED31C59AFD15E8AC7336F603A353       x64\plink.exe
-SHA256          253087455652110E16FC5950980545E215CA23122C72E573F4BC9ED8A517EA94       x64\pscp.exe
-SHA256          1C43258344EE5F8373240E74D5D073D5DFD50BC62A4700B241D47FD40FB2BB78       x64\psftp.exe
-SHA256          53078EEABC833AD02E64F6A316B450EB319E24E2F00A85BF85EE171F7E29FAE1       x64\putty.exe
-SHA256          F21D9E33F5840D2A827FE80847E353B0B60AD14584AD0C062B8C030816280E2E       x64\puttygen.exe
-SHA256          BD5D719A347777C2515178C0FF45DB6C1EEC4EC9BD452FA1DE751D0F3A981478       x64\puttytel.exe
-SHA256          D0196B444AB1E1A5C17FC9D11DA0D9C7D82D9505E690AE1941FACC91540D937C       x86\pageant.exe
-SHA256          ED6D7EFF07B67B2A9E6DEDE5C6B23AAF7C1628C5FBB51848CE257739F3EAD10A       x86\plink.exe
-SHA256          4676E86E509E83CA681B3EC5A70C72FB260DEA10FD3C2B50254E438444EEC7CC       x86\pscp.exe
-SHA256          7386AC28183471668D251DF171E8548E37A5121F04E244576C7DBF22A87DF571       x86\psftp.exe
-SHA256          E6A053E0F2AE8734F1A3397B0C258DCE738B3EE801680B14DFA227945AC0CEC0       x86\putty.exe
-SHA256          2535331BD97095B92AE487DCB2D6ABC268A21086FBD9795A9E0AD937EC91D6ED       x86\puttygen.exe
-SHA256          5FAC309CF96E11AA90D79BC0FFED50A14ACBAB80941DFD0F0AC21C7801A03E3F       x86\puttytel.exe
-SHA256          DC59470E07A7E54E0E24663BD9461FE685E90DC2CA816E17562F70E0892A675B       puttycac-0.76u4-installer.msi
-SHA256          C43961EE08F380DBED13A11E315DAC1A9B0F6119A5E581332473E49CCBE2114B       puttycac-0.76u4.zip
-SHA256          401BE068B9EEFDF20B298DEE3B2EF1A48E9B881049514CE7169E4EFC49D7918E       puttycac-64bit-0.76u4-installer.msi
-SHA256          CD4DB5A25AF46D8084905A25392497AB0066E3972C9AEE571BB7EBDD645BDD84       puttycac-64bit-0.76u4.zip
+SHA256          5ED68A803D4F920434CA94875452BDBDCFCBB19139A10C5FDA934F603FC01DC9       x64\pageant.exe
+SHA256          0E33651140E5D0474BBD230669E7BD1B87D25769585C66D4D452F6DD9D0DA58E       x64\plink.exe
+SHA256          3E9402C059D43245942A316850954C512CE31BAB65309DEF6B9EDDE63F59D2E9       x64\pscp.exe
+SHA256          16F704A938046058A10EA1A66926895FC8E60A154AD847D854B26AE3F8451D44       x64\psftp.exe
+SHA256          9FC2CAF775374DA67A465C90816E4AD5563DF5BFCE62F4DD941D518425B9745C       x64\pterm.exe
+SHA256          511C56F314B21A6B1C4AF6E4FA6BAAD7B12737F65CA52C533C32E78EAA70B975       x64\putty.exe
+SHA256          911C4ADD4E825CBB20FF4E5CFECE0E1D2FA506D1684D6E15455AB4835E5E92D8       x64\puttygen.exe
+SHA256          79F71A0B0DC29ACBF7F05EFFA11D8BBB79EAF3D5A8A602CA56F5732C89C58F79       x64\puttyimp.exe
+SHA256          91FBD43B6ADE371D47EB1927400DA533A1DCF79FD8C26FA0D052740DD443CE8D       x64\puttytel.exe
+SHA256          EF253D9AE5CE86BC52598E19B5807EFF356F0A3979FAD622E62E3406C3A7557A       x86\pageant.exe
+SHA256          D3CB8B2FC74E3A12CB220777E6DF7EA5766C7587B0FF00B9F16627ADD38C278F       x86\plink.exe
+SHA256          A1C4A607E3CB350B5C855911365AD7ACA85B2135AACF9FDDB44ADC09213DF204       x86\pscp.exe
+SHA256          93947E6CF2E07CF3210ACC495C04F0E8B4B0E38B1B832B8664BC9B4AAE3F1C7D       x86\psftp.exe
+SHA256          4B346B7B94EB7A261724FF885855F5ED912334C5EF531829FEB32F04075BD942       x86\pterm.exe
+SHA256          CA3CF7652E31A2BCF8D3858814740A8688D8FF49A426CF5AD95DDE316D8B1223       x86\putty.exe
+SHA256          39451F7DD2DC7C8BAD5D6597CF251D3FBE8037E7B535B0A8BE4ADD9526145585       x86\puttygen.exe
+SHA256          43D4E1AA70885EBA303ACF321005A62017A4DEBB01A3E5110CDA40A4866EBFFF       x86\puttyimp.exe
+SHA256          C2A6E5685787B979D23DD414E9D1B5480793988072E1EDB793EC81B26060D25D       x86\puttytel.exe
+SHA256          E334061768E4D6C425AB9E25EF0862B317E4B88E5C3936AA627C810C83BE17C1       puttycac-0.77-installer.msi
+SHA256          5C4D7EA2E1081BE0CCC3A97EA6E6D3E450D1A206FE26A7C48524DA06B097552F       puttycac-0.77.zip
+SHA256          0F19075A9B2F2021921D339C6EF864AA2AF51AF4378D23307E280DEB8B89135D       puttycac-64bit-0.77-installer.msi
+SHA256          314C3EEBF6EAB6104DA5C182D62A2D7C9ABF915140CE7610B2D40D245E2CD6A4       puttycac-64bit-0.77.zip
 
 
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-SHA1            94D6FF56617393F0AEF9B1B4AD98E95CDF4E3EC3                               x64\pageant.exe
-SHA1            BE77683BFE95E26E1F8D46FF3055B62D65B54895                               x64\plink.exe
-SHA1            142872FE9EDFC91DE8CF39EA11B36CFED34789A1                               x64\pscp.exe
-SHA1            A63FCC08898E7CFD3F06565C913D6FF404E7D48E                               x64\psftp.exe
-SHA1            16484DE617D7EB5772CC852910CB44600B2A63EB                               x64\putty.exe
-SHA1            815E7FE11D254796635796ACF56BE1C11AD1FB1B                               x64\puttygen.exe
-SHA1            982C366A097E64422E666FE11ACC9BA525F537E2                               x64\puttytel.exe
-SHA1            869434760A3CD5A9FFA62AB7D9D37B2F410BDEF3                               x86\pageant.exe
-SHA1            069EBBED203AC492AAB81652168A9DFFD789C48A                               x86\plink.exe
-SHA1            0CD40B17BE62F6F33C42AEC409B1493E464CB1CC                               x86\pscp.exe
-SHA1            38E66A6530B37C223E694B671D7C4B3C253CE94F                               x86\psftp.exe
-SHA1            D04446283E31CB5C9FACCA3DBF2C9D2A85160720                               x86\putty.exe
-SHA1            4855453518D4CC1398553B71F95937BD22F6AC17                               x86\puttygen.exe
-SHA1            C97FFA3992D041B82232D3E82654C8969C2DAE15                               x86\puttytel.exe
-SHA1            FC973F0B2E1F72CB58E4857E2A0BD66625E8FEE8                               puttycac-0.76u4-installer.msi
-SHA1            C0D6B345458782075EEB55652CDA9688A000D16E                               puttycac-0.76u4.zip
-SHA1            3DFCE37F5F6AD6474EAF08D3A22F6337192246B7                               puttycac-64bit-0.76u4-installer.msi
-SHA1            C08D5E69C331D84E66DE5C8435CB0F7B625A0093                               puttycac-64bit-0.76u4.zip
+SHA1            ED5232F86DB1F1A27D382034730F0A79A80BA209                               x64\pageant.exe
+SHA1            E4B517C74A10B8A9BDD990AA7DEF9DB7CBE131F7                               x64\plink.exe
+SHA1            6962D5EECA8F012C78EBF164A78ADECC71D2750E                               x64\pscp.exe
+SHA1            30E5BA67493E134299B68B669EF0BC2F00B6D7AE                               x64\psftp.exe
+SHA1            5C45D65AFE65AB57D56AFA79C89F57284EE09F2D                               x64\pterm.exe
+SHA1            96DE1E301A8739C1F4009211F0027160BBF288BD                               x64\putty.exe
+SHA1            13DD738E72E463FEBF60684D09D4BF9B5338D484                               x64\puttygen.exe
+SHA1            55B77A9A04C965AAD460F34AFE46BA231FF7B59D                               x64\puttyimp.exe
+SHA1            5B31E6777F3CEC21130866DEFE35F98B095A2A51                               x64\puttytel.exe
+SHA1            D61BD4826EC40E4635BD868F5CECC2869CBB9789                               x86\pageant.exe
+SHA1            93712C208BB7E831C7986561867C9DA47DB00C46                               x86\plink.exe
+SHA1            054C8F1300D5EBB02406E9687D7D2C4D71E752CB                               x86\pscp.exe
+SHA1            2C02CDF40105810E7349A92B70105327F9EEFDDE                               x86\psftp.exe
+SHA1            66C756BAA3E677BFA5BDB1C5789493E5E3AB2C73                               x86\pterm.exe
+SHA1            776E356B5DDED8FB11BCCC0F2877B22505145166                               x86\putty.exe
+SHA1            1B23CBEB90F282048928571063966B3846B61A05                               x86\puttygen.exe
+SHA1            A54CB6BC7F743A60D511718FE653FE9F282BECC8                               x86\puttyimp.exe
+SHA1            C851B82956FB122622667B07A59919B4CBF4842B                               x86\puttytel.exe
+SHA1            F9FF4D2AA267A32C67F2C3EB15F49C05DF991A86                               puttycac-0.77-installer.msi
+SHA1            BB5E6B74D609DD657BAB06186F3ED5810BEE671C                               puttycac-0.77.zip
+SHA1            7A68DDCCDD6A8D30FC2A769EA47F7634D6D3BB40                               puttycac-64bit-0.77-installer.msi
+SHA1            A5F081F049A7F473D9018790164BBB50231E9872                               puttycac-64bit-0.77.zip
 
 
 
 Algorithm       Hash                                                                   Path
 ---------       ----                                                                   ----
-MD5             A071EBE267B9E37BF8BA9311467058A4                                       x64\pageant.exe
-MD5             D8E9B5687D6BEBC92A2AE9F086D9BF45                                       x64\plink.exe
-MD5             237E0A70A882187E1BCA19FE616A850D                                       x64\pscp.exe
-MD5             6B700FA6EC97B19CEE276476CFB62A0E                                       x64\psftp.exe
-MD5             3772794AE4948298549437E56F0EF6B3                                       x64\putty.exe
-MD5             53F2AD53D3C7BA8851247BC49300BB82                                       x64\puttygen.exe
-MD5             D04FF295D65262548AA0E68892E62AF0                                       x64\puttytel.exe
-MD5             2FB16B2CE289CAF59A116BECCDECE1DF                                       x86\pageant.exe
-MD5             69DA19485709EC5DD7F075E34FDDF437                                       x86\plink.exe
-MD5             FBAC6B64DF12D5F9164071BC656F9C90                                       x86\pscp.exe
-MD5             E1A4B9D1E386CF68B5D203D8223A747F                                       x86\psftp.exe
-MD5             45D15165C805F7C49497F501AFB3EBD1                                       x86\putty.exe
-MD5             54209F5CA2B961D27976B5952B675F3B                                       x86\puttygen.exe
-MD5             1EBE2013FEFA9D15ACA3BF8629B2E64B                                       x86\puttytel.exe
-MD5             1130B3C2ABCC1562A9F3D9C521410F09                                       puttycac-0.76u4-installer.msi
-MD5             B90F2745D14A6728AB3DC0D00FB349A6                                       puttycac-0.76u4.zip
-MD5             FA278133D2F99262023BBB5733CA2843                                       puttycac-64bit-0.76u4-installer.msi
-MD5             7E9B263E50A101BED77034EEB930243B                                       puttycac-64bit-0.76u4.zip
+MD5             BD9AA0CEF8538E4660B58A6560BC3B11                                       x64\pageant.exe
+MD5             C58AB3362172B9C9849AB3DD40C07122                                       x64\plink.exe
+MD5             B5ACA78EBC4E708428AE7361BFE48FCF                                       x64\pscp.exe
+MD5             CA629AD2D8D0757351CF088FA1D01092                                       x64\psftp.exe
+MD5             961E7E1A672DE4F4C964AA6BAC83C38D                                       x64\pterm.exe
+MD5             32ADD98D0E1A951A90A607C819B57D08                                       x64\putty.exe
+MD5             0FCC46A6521DBEDAFC2F9CC4857DE048                                       x64\puttygen.exe
+MD5             176E50EA37EFBB7AF50909CBD32BD5A2                                       x64\puttyimp.exe
+MD5             DD456AEFAC3F115F01564F6EA2250511                                       x64\puttytel.exe
+MD5             419BF7B46A973B94D52AB3FC4776D862                                       x86\pageant.exe
+MD5             473E377FCCF4ABCC2136798B96DCD876                                       x86\plink.exe
+MD5             1B433982928CAEA91C08C4649B462868                                       x86\pscp.exe
+MD5             EAB48AE5743B6E35A936B116230B7A10                                       x86\psftp.exe
+MD5             6B01C6D77F5808ADDACB1EF9EE0F8C84                                       x86\pterm.exe
+MD5             A04DC1C3FF22611B6A3E1A7FB7D97083                                       x86\putty.exe
+MD5             67B90B53FAE2B8E14A227E292066C706                                       x86\puttygen.exe
+MD5             ED630F4D70B6B5A7CD964C28D43B653F                                       x86\puttyimp.exe
+MD5             5E246DE08870900A0255BC08A4C88337                                       x86\puttytel.exe
+MD5             53077F59C66578BABBE54FB8054F2774                                       puttycac-0.77-installer.msi
+MD5             EF08704BFC839363675F986AD1B13457                                       puttycac-0.77.zip
+MD5             EB9B777047CB6C0E773EC20EA3A1D4FE                                       puttycac-64bit-0.77-installer.msi
+MD5             426432458D136DC182D3029FFEE4C03E                                       puttycac-64bit-0.77.zip