diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2019-12-30 09:24:45 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-12-30 21:01:51 +1100 |
| commit | 43ce96427b76c4918e39af654e2fc9ee18d5d478 (patch) | |
| tree | dfb3a5b32e02368f9739bb742e0aa858ced03701 /ssh-keygen.c | |
| parent | d433596736a2cd4818f538be11fc94783f5c5236 (diff) | |
upstream: translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass
them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during
ssh-keygen of resident keys.
feedback and ok markus@
OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
Diffstat (limited to 'ssh-keygen.c')
| -rw-r--r-- | ssh-keygen.c | 32 |
1 files changed, 21 insertions, 11 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index 79e2e92b5..696891e0e 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssh-keygen.c,v 1.378 2019/12/30 09:23:28 djm Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.379 2019/12/30 09:24:45 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -3361,16 +3361,26 @@ main(int argc, char **argv) | |||
| 3361 | switch (type) { | 3361 | switch (type) { |
| 3362 | case KEY_ECDSA_SK: | 3362 | case KEY_ECDSA_SK: |
| 3363 | case KEY_ED25519_SK: | 3363 | case KEY_ED25519_SK: |
| 3364 | if (!quiet) { | 3364 | passphrase1 = NULL; |
| 3365 | printf("You may need to touch your security key " | 3365 | for (i = 0 ; i < 3; i++) { |
| 3366 | "to authorize key generation.\n"); | 3366 | if (!quiet) { |
| 3367 | } | 3367 | printf("You may need to touch your security " |
| 3368 | fflush(stdout); | 3368 | "key to authorize key generation.\n"); |
| 3369 | if (sshsk_enroll(type, sk_provider, | 3369 | } |
| 3370 | cert_key_id == NULL ? "ssh:" : cert_key_id, | 3370 | fflush(stdout); |
| 3371 | sk_flags, NULL, NULL, &private, NULL) != 0) | 3371 | r = sshsk_enroll(type, sk_provider, |
| 3372 | exit(1); /* error message already printed */ | 3372 | cert_key_id == NULL ? "ssh:" : cert_key_id, |
| 3373 | break; | 3373 | sk_flags, passphrase1, NULL, &private, NULL); |
| 3374 | if (r == 0) | ||
| 3375 | break; | ||
| 3376 | if (r != SSH_ERR_KEY_WRONG_PASSPHRASE) | ||
| 3377 | exit(1); /* error message already printed */ | ||
| 3378 | passphrase1 = read_passphrase("Enter PIN for security " | ||
| 3379 | "key: ", RP_ALLOW_STDIN); | ||
| 3380 | } | ||
| 3381 | if (i > 3) | ||
| 3382 | fatal("Too many incorrect PINs"); | ||
| 3383 | break; | ||
| 3374 | default: | 3384 | default: |
| 3375 | if ((r = sshkey_generate(type, bits, &private)) != 0) | 3385 | if ((r = sshkey_generate(type, bits, &private)) != 0) |
| 3376 | fatal("sshkey_generate failed"); | 3386 | fatal("sshkey_generate failed"); |