
Added Optional Certificate Authentication Prompt To Pageant

- Added system tray menu option to Pageant to force prompting every time Pageant is requested to sign authentication data using a certificate-based private key.
- Corrected / added several PUTTY_CAC code identifiers for the code blocks that distinguish the PuTTY-CAC differences from the upstream code.
- Corrected several spelling mistakes in comments.
- Corrected .gitignore file to ensure licence.h is maintained.
NoMoreFood committed Apr 3, 2018
1 parent 658e127 commit 73c5c578afa1db0b4052d1884c96b56f5a8fa951
@@ -72,7 +72,6 @@
/missing
/uxconfig.in
/uxconfig.h
/licence.h
/*.a
/charset/sbcsdat.c
/contrib/cygtermd/cygtermd.exe
@@ -1,46 +1,69 @@
Algorithm Hash Path
--------- ---- ----
SHA256 1E1B77D0783343A07E7BAB360EE3CD5CB7F5302DA1C98DF0C5C9FF71D48C4D5B \binaries\x64\pageant.exe
SHA256 312930EE2063887682AE1B0E695972E5CF2976E60139DD45D4DE77BA657E0A82 \binaries\x64\plink.exe
SHA256 A3738434838E5A2EB2BDD0B3DB76E4128AD7172BD8D04A74E61A88BC2853F518 \binaries\x64\pscp.exe
SHA256 FB312AF651C4FD9B04305DAA4A60387BCB8737A177A75DFE9CE651D0DCB9080C \binaries\x64\psftp.exe
SHA256 E02F99DC7FAC26EEAAA60E1A3942DADC824C5A82D7D934D9D7C0F16C2B6E5311 \binaries\x64\putty.exe
SHA256 8158B5BDCEA13065128B5D803F2D428096F4446FFAB61A5F6F573EDB0C0218CB \binaries\x64\puttygen.exe
SHA256 DE8A9E80C007BDAB71211C73105366D400158FAE604AAE085653A315B0968814 \binaries\x64\puttytel.exe
SHA256 CAB75F5EEE674A25CAC05AEB330A38C178C343E93A7ADF9113AF2B399F8C5E08 \binaries\x64\testbn.exe
SHA256 35F79E8061307D8F3B8DF24CD79FDFEB05CF4FD0025A140FEA114D974B10557C \binaries\x86\pageant.exe
SHA256 9090D10DDE3C6B1FEA5B817CD6BB98B1E0725ED405CD2DA07843F16564A9D73C \binaries\x86\plink.exe
SHA256 BDFE82E93CF8CE8FC8D8EF6B16CA9405F804CC419196D89B4E6D7480BB40C300 \binaries\x86\pscp.exe
SHA256 AEF5A75BA261A5A584137A766D7DBC294B9D9D8615942733A05E3A6CEA0DD543 \binaries\x86\psftp.exe
SHA256 355E283D887E4D694611F1B9AAFAE6F2A6550DE6F19927B3BFC17F1054DA0023 \binaries\x86\putty.exe
SHA256 35B1669B9A542ABAA984491DF8BECCD260786CF0A5D79E1B16051660BC8E934E \binaries\x86\puttygen.exe
SHA256 1ACAE0FB3140BEDBA3FB171A586D42904B70EED74B4CAAFB43081F937FE7CD3A \binaries\x86\puttytel.exe
SHA256 294A15A7A52B8E49D171D520042DC1CBFBBF25B8DBB223CB2C570DC3B5A7BEC1 \binaries\x86\testbn.exe
SHA256 900A31D1025874702FA59617245C73D09CCA15710BB6C7E40CCD45189BF6112B \binaries\puttycac-0.70u3-installer.msi
SHA256 6A3E5F1E1A127E0E202BA2E97D04AA0AE9B9C1DEB9FC234BA7D6BEA2C324996B \binaries\puttycac-64bit-0.70u3-installer.msi
SHA256 C560D4D066E3ECBAC509DB087558269950DF97D7BD7563EA26F41FAC7ABB389F \binaries\x64\pageant.exe
SHA256 A8DA4CD4BC91002C91D4EEB89B9F7365E62981131F46C3E8FD4EDB96E6E9F267 \binaries\x64\plink.exe
SHA256 0B01985BFFB3B788BF4EF9B85D6CCA96C7EA569BAAE2E852324F965D926FB88F \binaries\x64\pscp.exe
SHA256 42509FE99338FB722C5871A9C4E4CD71AF9622728533D4D9E22EF5FFFCBC74A1 \binaries\x64\psftp.exe
SHA256 F5631A0C60D275C239671896C6F85B660E6363F1A794A5107A85883A33485423 \binaries\x64\putty.exe
SHA256 7C219DC160906F51BD3E93BE9A853AF27F64A7ED569801A3C1B5295A0C0A4BBA \binaries\x64\puttygen.exe
SHA256 64AE8F09A7A640B886617C46CA0562D7699BFDA6100031805379ED1A80836446 \binaries\x64\puttytel.exe
SHA256 9F7C6F37C75C67F06B2A37BF3C3545AFCEB2EFF874A77DC561FB131EE4088272 \binaries\x64\testbn.exe
SHA256 3BDE68FB8A700A043C247B4E2BDD836A7477A72EC0AD3E20B86B17B331B8FD0A \binaries\x86\pageant.exe
SHA256 533C753E813BF47B0CEAD300F6CFA5C5400B9C9E5586137E5E2CA17B17AAADE1 \binaries\x86\plink.exe
SHA256 46AE59A6D916BBCA79C29E66FF62BB05D0048D3616565897F885267AEAE6A130 \binaries\x86\pscp.exe
SHA256 5C6CB8F4094DF5AC368D4AC1A2842FF2C06CD19D693DA59B4B4070C9967897F5 \binaries\x86\psftp.exe
SHA256 E2FD97871E87804E27575ACBDFCBF5125100D58F69CBAA38F5EBF72C67A01A7E \binaries\x86\putty.exe
SHA256 24B5AA9A7D1701DE372F85FED71AB6CA4539F7DD5D900230925775808B34BC40 \binaries\x86\puttygen.exe
SHA256 DAA39C260C9BDCB5EEA303C11E2BAB106F3FA32053D324EEAF57FAB259352C2D \binaries\x86\puttytel.exe
SHA256 6E062EE9C16F6D57271D731F6460534181783285A8E4F65EC97284787FB94F95 \binaries\x86\testbn.exe
SHA256 8B125E64851B261EC5065C533709A973E85299432EC6FA52EE17C9BF41EB88F4 \binaries\puttycac-0.70u4-installer.msi
SHA256 8CCED1ED3CA71F82AEBFB419ADDAF2FF74BAFA3B8D56792BCB5A2225213C834E \binaries\puttycac-64bit-0.70u4-installer.msi
Algorithm Hash Path
--------- ---- ----
SHA1 632A7FF2DBD87A8B82FE10AFBD401FF666A20EDD \binaries\x64\pageant.exe
SHA1 F413EC3982ECD425430EDAFF0305B95C382F4095 \binaries\x64\plink.exe
SHA1 3DEB07B878CB7874D894BD1400DF66CF2F2FBB4E \binaries\x64\pscp.exe
SHA1 FA69A81380B8EC01B8B4B36AF21C5E22A9C36705 \binaries\x64\psftp.exe
SHA1 E01F4E60503D28286EC4B25519F006353A7419EE \binaries\x64\putty.exe
SHA1 3A30D6C68868ADB8D3F5B9872A6C06ED6098B769 \binaries\x64\puttygen.exe
SHA1 03C8E48451698F84515531F63266ACB4798A8B0E \binaries\x64\puttytel.exe
SHA1 35CC47D9A6F94653A91449FFD4BC5E97B33A59AA \binaries\x64\testbn.exe
SHA1 A32A1233E464325FC54BC0E936EF09FBA37A4B00 \binaries\x86\pageant.exe
SHA1 DB7F5AA81C61516E30442578CDA0241F44EAEC11 \binaries\x86\plink.exe
SHA1 D945648E60407E64ED5BD83C8F957C4134775AD1 \binaries\x86\pscp.exe
SHA1 3EAF08F465BC34B1448D3593089E3DD3C1E67FF9 \binaries\x86\psftp.exe
SHA1 A8E18C50E34BD532248BE6CB63F1AE8FCCA6331A \binaries\x86\putty.exe
SHA1 57D96A3327ECE63A2683FD79D7F3092AA39CFB58 \binaries\x86\puttygen.exe
SHA1 F6D044143A52DD01E85054F8A4E78B7D7E3C50DC \binaries\x86\puttytel.exe
SHA1 3AFA979D77D881C63FC620EF1FB49482E655E071 \binaries\x86\testbn.exe
SHA1 C5D866FD026D668556D8DA9B34E1236026D96BF5 \binaries\puttycac-0.70u3-installer.msi
SHA1 9B1313ED2F211C9279AAD529F9A1E6A358921A90 \binaries\puttycac-64bit-0.70u3-installer.msi
SHA1 64EF852078596CEC5603C092F043A3B4EFB8AEBF \binaries\x64\pageant.exe
SHA1 28ED1F5EF883D785EA929D7F9F335171AEE5DFFF \binaries\x64\plink.exe
SHA1 A98810CDD77028E08FE7FC2D5DC1CCDD49AC5963 \binaries\x64\pscp.exe
SHA1 E47EA64617626967539F58AD2CE0469D53789C24 \binaries\x64\psftp.exe
SHA1 CBEB0F01368D97AE194D2164F8EFD2F1D9C3D053 \binaries\x64\putty.exe
SHA1 87DFA29B7E78C56C4BEB8CF3D94E40E2AFB79290 \binaries\x64\puttygen.exe
SHA1 D82B8F486C2B7AF7BB5DEA544ED252793C8D55DC \binaries\x64\puttytel.exe
SHA1 4C484C35EC738C4F706596483514B1D5C141224E \binaries\x64\testbn.exe
SHA1 3CF224261B90DB5F2BE4032B78310DEB0EA64367 \binaries\x86\pageant.exe
SHA1 66B06406168F46BAB2BDFBAB422C32A41B36A609 \binaries\x86\plink.exe
SHA1 7D2F65DD2E023D568B9BAC7AAB400A35EF788B65 \binaries\x86\pscp.exe
SHA1 A104E27713BE86BB06AD3D2F1C2DB7618F7BF90C \binaries\x86\psftp.exe
SHA1 7D5E68BD16CF53160323BD5BECE561CCC0F09F29 \binaries\x86\putty.exe
SHA1 08DF250FAB17AC98EC0B416B523F3FF20F8D850A \binaries\x86\puttygen.exe
SHA1 46F834BA27EEF5A2DE56247C05F09D96DF517F01 \binaries\x86\puttytel.exe
SHA1 EE71558B88A54250A06D1F82FB94EDADAB4A32CD \binaries\x86\testbn.exe
SHA1 CCDDE5FD2D8D781136595E88C4E22790EC1DE8D8 \binaries\puttycac-0.70u4-installer.msi
SHA1 396B219859DCF6B0DA08747593E073BC991EFE24 \binaries\puttycac-64bit-0.70u4-installer.msi
Algorithm Hash Path
--------- ---- ----
MD5 4D4B93F7A567C4B5497EC8D8906CCBD7 \binaries\x64\pageant.exe
MD5 D3524E9CCF89A7BD611880E4A4AB81C4 \binaries\x64\plink.exe
MD5 8FCF8AE31235B06F60E292A6D9D44336 \binaries\x64\pscp.exe
MD5 84AC5848FA31B7C43ABD6DEED06C70F8 \binaries\x64\psftp.exe
MD5 6AE7ABEA3D92AD70204ACBC5AA34FFB2 \binaries\x64\putty.exe
MD5 5EF2C64E5D5268AACE85B440401AB1CB \binaries\x64\puttygen.exe
MD5 3583F2C1D814BCC7D178219A0894AFB1 \binaries\x64\puttytel.exe
MD5 FCD50F3475A68D8B315484EE45EAB1C7 \binaries\x64\testbn.exe
MD5 7598B53939D8A647F2ABC200EE96A076 \binaries\x86\pageant.exe
MD5 DCF3D2DDAB9C354ABCBD85D2D8EFD4B3 \binaries\x86\plink.exe
MD5 176D1AA3C429C7C8E0D983017FFE6FEB \binaries\x86\pscp.exe
MD5 A9C439D033C1B3A38E01676886818DCE \binaries\x86\psftp.exe
MD5 1E82761D6FF27DE3F1B3AF5B6020DDB1 \binaries\x86\putty.exe
MD5 B401ADB4E1755D993F68FB07672BCDBF \binaries\x86\puttygen.exe
MD5 F4BC3B797859358E1B7639A6D70C4DC1 \binaries\x86\puttytel.exe
MD5 B3C6CDE4197BB3367DA4B1581FB6675B \binaries\x86\testbn.exe
MD5 8C36EF7BA18178EAC6E5620229AC554C \binaries\puttycac-0.70u4-installer.msi
MD5 48677DBFCC681DD8F20F0F3E8BEB8CE3 \binaries\puttycac-64bit-0.70u4-installer.msi
BIN +3.53 KB (100%) binaries/x64/pageant.exe
BIN +3.03 KB (100%) binaries/x64/plink.exe
BIN +3.53 KB (100%) binaries/x64/pscp.exe
BIN +3.53 KB (100%) binaries/x64/psftp.exe
BIN +3.53 KB (100%) binaries/x64/putty.exe
BIN +2.53 KB (100%) binaries/x64/puttygen.exe
BIN +1.03 KB (100%) binaries/x64/puttytel.exe
BIN +1.03 KB (100%) binaries/x64/testbn.exe
BIN +1.53 KB (100%) binaries/x86/pageant.exe
BIN +544 Bytes (100%) binaries/x86/plink.exe
BIN +1.03 KB (100%) binaries/x86/pscp.exe
BIN +1.03 KB (100%) binaries/x86/psftp.exe
BIN +544 Bytes (100%) binaries/x86/putty.exe
BIN +32 Bytes (100%) binaries/x86/puttygen.exe
BIN +544 Bytes (100%) binaries/x86/puttytel.exe
BIN +544 Bytes (100%) binaries/x86/testbn.exe
@@ -140,6 +140,22 @@ LPBYTE cert_sign(struct ssh2_userkey * userkey, LPCBYTE pDataToSign, int iDataTo
// sanity check
if (userkey->comment == NULL) return NULL;
// prompt if key usage is enabled
if (cert_auth_prompting((DWORD)-1))
{
LPSTR sSubject = cert_subject_string(userkey->comment);
LPSTR sMessage = dupprintf("%s\r\n\r\n%s\r\n\r\n%s",
"An application is attempting to authenticate using a certificate with the subject: ",
sSubject, "Would you like to permit this signing operation?");
int iResponse = MessageBox(hWnd, sMessage, "Certificate Usage Confirmation - Pageant",
MB_SYSTEMMODAL | MB_ICONQUESTION | MB_YESNO);
sfree(sMessage);
sfree(sSubject);
// return if user did not confirm usage
if (iResponse != IDYES) return NULL;
}
if (cert_is_capipath(userkey->comment))
{
pRawSig = cert_capi_sign(userkey, pDataToSign, iDataToSignLen, &iRawSigLen, hWnd);
@@ -322,17 +338,17 @@ LPSTR cert_key_string(LPCSTR szCert)
HCERTSTORE hCertStore = NULL;
if (cert_load_cert(szCert, &pCertContext, &hCertStore) == FALSE) return NULL;
// obtain the key and destory the comment since we are going to customize it
// obtain the key and destroy the comment since we are going to customize it
struct ssh2_userkey * pUserKey = cert_get_ssh_userkey(szCert, pCertContext);
sfree(pUserKey->comment);
pUserKey->comment = "";
// fetch the elements of the strin
// fetch the elements of the string
LPSTR szKey = ssh2_pubkey_openssh_str(pUserKey);
LPSTR szName = cert_subject_string(szCert);
LPSTR szHash = cert_get_cert_hash(szCert, pCertContext, NULL);
// append the ssh string, identifer:thumbprint, and certificate subject
// append the ssh string, identifier:thumbprint, and certificate subject
LPSTR szKeyWithComment = dupprintf("%s %s %s", szKey, szHash, szName);
// clean and return
@@ -393,7 +409,7 @@ VOID cert_display_cert(LPCSTR szCert, HWND hWnd)
int cert_all_certs(LPSTR ** pszCert)
{
// get a hangle to the cert store
// get a handle to the cert store
LPCSTR szHint = NULL;
HCERTSTORE hCertStore = cert_capi_get_cert_store(&szHint, NULL);
@@ -441,7 +457,7 @@ void cert_convert_legacy(LPSTR szCert)
strlwr(&szCert[IDEN_CAPI_SIZE]);
}
// search for 'System\MY\' and replace with 'CAPI:'
// search for 'Machine\MY\' and replace with 'CAPI:'
LPSTR szIdenLegacySys = "Machine\\MY\\";
if (strstr(sCompare, szIdenLegacySys) == sCompare)
{
@@ -600,4 +616,11 @@ EXTERN BOOL cert_cache_enabled(DWORD bEnable)
return bCacheEnabled;
}
EXTERN BOOL cert_auth_prompting(DWORD bEnable)
{
static BOOL bCertAuthPrompting = FALSE;
if (bEnable != -1) bCertAuthPrompting = bEnable;
return bCertAuthPrompting;
}
#endif // PUTTY_CAC
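Review bot: Every `return NULL` in the new prompt block leaves the caller's signature-length output untouched, and the pageant_handle_msg hunk of this same commit goes straight from `signature = cert_sign(key, (LPCBYTE)data, datalen, &siglen, NULL);` to `len = 5 + 4 + siglen;` with no NULL test in view, so a user answering No looks like it would end in a copy from a NULL signature with an unset length rather than an SSH_AGENT_FAILURE reply, unless the rest of pageant_handle_msg (outside its hunk) already checks `signature`. The pre-existing `if (userkey->comment == NULL) return NULL;` has the same shape, so this may be handled somewhere not shown; if it is not, the cheapest fix is in pageant.c before `len` is computed, `if (signature == NULL) { fail_reason = "signing refused"; goto failure; }`, using the fail_reason variable that hunk already sets. The comment above the prompt should also say what the dialog can and cannot confirm, since the text shows the certificate subject and not the requesting process: `// NOTE: the subject identifies the key, not the caller - Pageant cannot attribute the request to a client`. cert_sign's body and the declaration of pRawSig begin before this hunk.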
@@ -25,6 +25,7 @@ EXTERN BOOL cert_load_cert(LPCSTR szCert, PCERT_CONTEXT * ppCertContext, HCERTST
EXTERN LPSTR cert_get_cert_hash(LPCSTR szIden, PCCERT_CONTEXT pCertContext, LPCSTR szHint);
EXTERN PVOID cert_pin(LPSTR szCert, BOOL bUnicode, LPVOID szPin, HWND hWnd);
EXTERN BOOL cert_cache_enabled(DWORD bEnable);
EXTERN BOOL cert_auth_prompting(DWORD bEnable);
// functions used by putty code
EXTERN LPSTR cert_key_string(LPCSTR szCert);
@@ -58,5 +59,5 @@ EXTERN LPBYTE cert_get_hash(LPCSTR szAlgo, LPCBYTE pDataToHash, DWORD iDataToHas
#define cert_is_certpath(p) (p != NULL && (cert_is_capipath(p) || cert_is_pkcspath(p)))
#define cert_iden(p) (cert_is_capipath(p) ? IDEN_CAPI : (cert_is_pkcspath(p) ? IDEN_PKCS : "")))
#endif /* USE_CAPI */
#endif /* PUTTY_CAC */
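Review bot: The new prototype `EXTERN BOOL cert_auth_prompting(DWORD bEnable);` gives no hint that the argument doubles as a query sentinel, which the cert_sign call site relies on with `cert_auth_prompting((DWORD)-1)`; cert_cache_enabled on the line above uses the same convention without saying so either. A one-line comment on both would save the next reader a trip to the definition: `// bEnable: TRUE/FALSE to set, (DWORD)-1 to read the current value unchanged`. The setting lives in a function-local static, so enabling it from the Pageant tray menu has no effect on the direct cert_sign call in ssh.c; that is worth stating here as well so nobody expects the prompt in a PuTTY session.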
@@ -111,7 +111,7 @@ BYTE * cert_pkcs_sign(struct ssh2_userkey * userkey, LPCBYTE pDataToSign, int iD
}
}
// setup the find structure to identiy the public key on the token
// setup the find structure to identify the public key on the token
CK_OBJECT_CLASS iPublicType = CKO_PUBLIC_KEY;
CK_ATTRIBUTE aFindPubCriteria[] = {
{ CKA_CLASS, &iPublicType, sizeof(CK_OBJECT_CLASS) },
@@ -149,7 +149,7 @@ BYTE * cert_pkcs_sign(struct ssh2_userkey * userkey, LPCBYTE pDataToSign, int iD
return NULL;
}
// setup the find structure to identiy the private key on the token
// setup the find structure to identify the private key on the token
CK_OBJECT_HANDLE iPrivateType = CKO_PRIVATE_KEY;
CK_ATTRIBUTE aFindPrivateCriteria[] = {
{ CKA_CLASS, &iPrivateType, sizeof(CK_OBJECT_CLASS) },
@@ -338,7 +338,7 @@ CK_FUNCTION_LIST_PTR cert_pkcs_load_library(LPCSTR szLibrary)
return NULL;
}
// load the master function list for the librar
// load the master function list for the library
CK_FUNCTION_LIST_PTR hFunctionList = NULL;
CK_C_GetFunctionList C_GetFunctionList =
(CK_C_GetFunctionList)GetProcAddress(hModule, "C_GetFunctionList");
@@ -496,7 +496,7 @@ void * pkcs_get_attribute_value(CK_FUNCTION_LIST_PTR FunctionList, CK_SESSION_HA
return NULL;
}
// set retuned size if requested
// set returned size if requested
if (iValueSize != NULL)
{
*iValueSize = aAttribute.ulValueLen;
@@ -527,10 +527,10 @@ void *pageant_handle_msg(const void *msg, int msglen, int *outlen,
#ifdef PUTTY_CAC
if (cert_is_certpath(key->comment))
{
signature = cert_sign(key, (const char *)data, datalen, &siglen, NULL);
signature = cert_sign(key, (LPCBYTE)data, datalen, &siglen, NULL);
}
else
#endif
#endif // PUTTY_CAC
signature = key->alg->sign(key->data, (const char *)data,
datalen, &siglen);
len = 5 + 4 + siglen;
@@ -697,7 +697,7 @@ void *pageant_handle_msg(const void *msg, int msglen, int *outlen,
key = cert_load_key(pSearch);
}
}
#endif
#endif // PUTTY_CAC
if (!key->data) {
sfree(key);
fail_reason = "key setup failed";
4 ssh.c
@@ -9360,7 +9360,7 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
conf_set_filename(ssh->conf, CONF_keyfile, entry);
filename_free(entry);
}
#endif
#endif // PUTTY_CAC
/*
* Load the public half of any configured public key file
* for later use.
@@ -10088,7 +10088,7 @@ static void do_ssh2_authconn(Ssh ssh, const unsigned char *in, int inlen,
{
sigblob = cert_sign(key, sigdata, sigdata_len, &sigblob_len, hwnd);
} else
#endif
#endif // PUTTY_CAC
sigblob = key->alg->sign(key->data, (char *)sigdata,
sigdata_len, &sigblob_len);
ssh2_add_sigblob(ssh, s->pktout, pkblob, pkblob_len,
