upstream: translate and return error codes; retry on bad PIN

Define some well-known error codes in the SK API and pass them back via ssh-sk-helper. Use the new "wrong PIN" error code to retry PIN prompting during ssh-keygen of resident keys. feedback and ok markus@ OpenBSD-Commit-ID: 9663c6a2bb7a0bc8deaccc6c30d9a2983b481620
author: djm@openbsd.org <djm@openbsd.org> 2019-12-30 09:24:45 +0000
committer: Damien Miller <djm@mindrot.org> 2019-12-30 21:01:51 +1100
commit: 43ce96427b76c4918e39af654e2fc9ee18d5d478 (patch)
tree: dfb3a5b32e02368f9739bb742e0aa858ced03701 /ssh-sk.c
parent: d433596736a2cd4818f538be11fc94783f5c5236 (diff)
1 files changed, 18 insertions, 3 deletions
diff --git a/ssh-sk.c b/ssh-sk.c
index e1fb72cfc..b1d0d6c58 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.22 2019/12/30 09:24:03 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.23 2019/12/30 09:24:45 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -325,6 +325,20 @@ sshsk_key_from_response(int alg, const char *application, uint8_t flags,
        return r;
 }
+static int
+skerr_to_ssherr(int skerr)
+{
+        switch (skerr) {
+        case SSH_SK_ERR_UNSUPPORTED:
+                return SSH_ERR_FEATURE_UNSUPPORTED;
+        case SSH_SK_ERR_PIN_REQUIRED:
+                return SSH_ERR_KEY_WRONG_PASSPHRASE;
+        case SSH_SK_ERR_GENERAL:
+        default:
+                return SSH_ERR_INVALID_FORMAT;
+        }
+}
 int
 sshsk_enroll(int type, const char *provider_path, const char *application,
    uint8_t flags, const char *pin, struct sshbuf *challenge_buf,
@@ -396,7 +410,7 @@ sshsk_enroll(int type, const char *provider_path, const char *application,
            flags, pin, &resp)) != 0) {
                error("Security key provider \"%s\" returned failure %d",
                    provider_path, r);
-                r = SSH_ERR_INVALID_FORMAT; /* XXX error codes in API? */
+                r = skerr_to_ssherr(r);
                goto out;
        }
@@ -559,6 +573,7 @@ sshsk_sign(const char *provider_path, struct sshkey *key,
            sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle),
            key->sk_flags, pin, &resp)) != 0) {
                debug("%s: sk_sign failed with code %d", __func__, r);
+                r = skerr_to_ssherr(r);
                goto out;
        }
        /* Assemble signature */
@@ -655,7 +670,7 @@ sshsk_load_resident(const char *provider_path, const char *pin,
        if ((r = skp->sk_load_resident_keys(pin, &rks, &nrks)) != 0) {
                error("Security key provider \"%s\" returned failure %d",
                    provider_path, r);
-                r = SSH_ERR_INVALID_FORMAT; /* XXX error codes in API? */
+                r = skerr_to_ssherr(r);
                goto out;
        }
        for (i = 0; i < nrks; i++) {
author	djm@openbsd.org <djm@openbsd.org>	2019-12-30 09:24:45 +0000
committer	Damien Miller <djm@mindrot.org>	2019-12-30 21:01:51 +1100
commit	43ce96427b76c4918e39af654e2fc9ee18d5d478 (patch)
tree	dfb3a5b32e02368f9739bb742e0aa858ced03701 /ssh-sk.c
parent	d433596736a2cd4818f538be11fc94783f5c5236 (diff)