-/* $OpenBSD: sk-api.h,v 1.5 2019/12/30 09:23:28 djm Exp $ */
+/* $OpenBSD: sk-api.h,v 1.6 2019/12/30 09:24:45 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
#define SSH_SK_ECDSA 0x00
#define SSH_SK_ED25519 0x01
+/* Error codes */
+#define SSH_SK_ERR_GENERAL -1
+#define SSH_SK_ERR_UNSUPPORTED -2
+#define SSH_SK_ERR_PIN_REQUIRED -3
+
struct sk_enroll_response {
uint8_t *public_key;
size_t public_key_len;
#define SK_ECDSA 0x00
#define SK_ED25519 0x01
+/* Error codes */
+#define SSH_SK_ERR_GENERAL -1
+#define SSH_SK_ERR_UNSUPPORTED -2
+#define SSH_SK_ERR_PIN_REQUIRED -3
+
struct sk_enroll_response {
uint8_t *public_key;
size_t public_key_len;
}
}
+static int
+fidoerr_to_skerr(int fidoerr)
+{
+ switch (fidoerr) {
+ case FIDO_ERR_UNSUPPORTED_OPTION:
+ return SSH_SK_ERR_UNSUPPORTED;
+ case FIDO_ERR_PIN_REQUIRED:
+ case FIDO_ERR_PIN_INVALID:
+ return SSH_SK_ERR_PIN_REQUIRED;
+ default:
+ return -1;
+ }
+}
+
int
sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len,
const char *application, uint8_t flags, const char *pin,
struct sk_enroll_response *response = NULL;
size_t len;
int cose_alg;
- int ret = -1;
+ int ret = SSH_SK_ERR_GENERAL;
int r;
char *device = NULL;
skdebug(__func__, "fido_dev_open: %s", fido_strerr(r));
goto out;
}
- if ((r = fido_dev_make_cred(dev, cred, NULL)) != FIDO_OK) {
+ if ((r = fido_dev_make_cred(dev, cred, pin)) != FIDO_OK) {
skdebug(__func__, "fido_dev_make_cred: %s", fido_strerr(r));
+ ret = fidoerr_to_skerr(r);
goto out;
}
if (fido_cred_x5c_ptr(cred) != NULL) {
fido_assert_t *assert = NULL;
fido_dev_t *dev = NULL;
struct sk_sign_response *response = NULL;
- int ret = -1;
+ int ret = SSH_SK_ERR_GENERAL;
int r;
#ifdef SK_DEBUG
read_rks(const char *devpath, const char *pin,
struct sk_resident_key ***rksp, size_t *nrksp)
{
- int r = -1;
+ int ret = SSH_SK_ERR_GENERAL, r = -1;
fido_dev_t *dev = NULL;
fido_credman_metadata_t *metadata = NULL;
fido_credman_rp_t *rp = NULL;
if ((dev = fido_dev_new()) == NULL) {
skdebug(__func__, "fido_dev_new failed");
- return -1;
+ return ret;
}
if ((r = fido_dev_open(dev, devpath)) != FIDO_OK) {
skdebug(__func__, "fido_dev_open %s failed: %s",
devpath, fido_strerr(r));
fido_dev_free(&dev);
- return -1;
+ return ret;
}
if ((metadata = fido_credman_metadata_new()) == NULL) {
- r = -1;
skdebug(__func__, "alloc failed");
goto out;
}
if (r == FIDO_ERR_INVALID_COMMAND) {
skdebug(__func__, "device %s does not support "
"resident keys", devpath);
- r = 0;
+ ret = 0;
goto out;
}
skdebug(__func__, "get metadata for %s failed: %s",
(unsigned long long)fido_credman_rk_existing(metadata),
(unsigned long long)fido_credman_rk_remaining(metadata));
if ((rp = fido_credman_rp_new()) == NULL) {
- r = -1;
skdebug(__func__, "alloc rp failed");
goto out;
}
fido_credman_rk_free(&rk);
if ((rk = fido_credman_rk_new()) == NULL) {
- r = -1;
skdebug(__func__, "alloc rk failed");
goto out;
}
fido_cred_id_len(cred))) == NULL ||
(srk->application = strdup(fido_credman_rp_id(rp,
i))) == NULL) {
- r = -1;
skdebug(__func__, "alloc sk_resident_key");
goto out;
}
/* append */
if ((tmp = recallocarray(*rksp, *nrksp, (*nrksp) + 1,
sizeof(**rksp))) == NULL) {
- r = -1;
skdebug(__func__, "alloc rksp");
goto out;
}
}
}
/* Success */
- r = 0;
+ ret = 0;
out:
if (srk != NULL) {
free(srk->application);
fido_dev_close(dev);
fido_dev_free(&dev);
fido_credman_metadata_free(&metadata);
- return r;
+ return ret;
}
int
sk_load_resident_keys(const char *pin,
struct sk_resident_key ***rksp, size_t *nrksp)
{
- int r = -1;
+ int ret = SSH_SK_ERR_GENERAL, r = -1;
fido_dev_info_t *devlist = NULL;
size_t i, ndev = 0, nrks = 0;
const fido_dev_info_t *di;
}
}
/* success */
- r = 0;
+ ret = 0;
*rksp = rks;
*nrksp = nrks;
rks = NULL;
}
free(rks);
fido_dev_info_free(&devlist, MAX_FIDO_DEVICES);
- return r;
+ return ret;
}
#endif /* ENABLE_SK_INTERNAL */
-/* $OpenBSD: ssh-keygen.c,v 1.378 2019/12/30 09:23:28 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.379 2019/12/30 09:24:45 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
switch (type) {
case KEY_ECDSA_SK:
case KEY_ED25519_SK:
- if (!quiet) {
- printf("You may need to touch your security key "
- "to authorize key generation.\n");
- }
- fflush(stdout);
- if (sshsk_enroll(type, sk_provider,
- cert_key_id == NULL ? "ssh:" : cert_key_id,
- sk_flags, NULL, NULL, &private, NULL) != 0)
- exit(1); /* error message already printed */
- break;
+ passphrase1 = NULL;
+ for (i = 0 ; i < 3; i++) {
+ if (!quiet) {
+ printf("You may need to touch your security "
+ "key to authorize key generation.\n");
+ }
+ fflush(stdout);
+ r = sshsk_enroll(type, sk_provider,
+ cert_key_id == NULL ? "ssh:" : cert_key_id,
+ sk_flags, passphrase1, NULL, &private, NULL);
+ if (r == 0)
+ break;
+ if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
+ exit(1); /* error message already printed */
+ passphrase1 = read_passphrase("Enter PIN for security "
+ "key: ", RP_ALLOW_STDIN);
+ }
+ if (i > 3)
+ fatal("Too many incorrect PINs");
+ break;
default:
if ((r = sshkey_generate(type, bits, &private)) != 0)
fatal("sshkey_generate failed");
-/* $OpenBSD: ssh-sk.c,v 1.22 2019/12/30 09:24:03 djm Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.23 2019/12/30 09:24:45 djm Exp $ */
/*
* Copyright (c) 2019 Google LLC
*
return r;
}
+static int
+skerr_to_ssherr(int skerr)
+{
+ switch (skerr) {
+ case SSH_SK_ERR_UNSUPPORTED:
+ return SSH_ERR_FEATURE_UNSUPPORTED;
+ case SSH_SK_ERR_PIN_REQUIRED:
+ return SSH_ERR_KEY_WRONG_PASSPHRASE;
+ case SSH_SK_ERR_GENERAL:
+ default:
+ return SSH_ERR_INVALID_FORMAT;
+ }
+}
+
int
sshsk_enroll(int type, const char *provider_path, const char *application,
uint8_t flags, const char *pin, struct sshbuf *challenge_buf,
flags, pin, &resp)) != 0) {
error("Security key provider \"%s\" returned failure %d",
provider_path, r);
- r = SSH_ERR_INVALID_FORMAT; /* XXX error codes in API? */
+ r = skerr_to_ssherr(r);
goto out;
}
sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle),
key->sk_flags, pin, &resp)) != 0) {
debug("%s: sk_sign failed with code %d", __func__, r);
+ r = skerr_to_ssherr(r);
goto out;
}
/* Assemble signature */
if ((r = skp->sk_load_resident_keys(pin, &rks, &nrks)) != 0) {
error("Security key provider \"%s\" returned failure %d",
provider_path, r);
- r = SSH_ERR_INVALID_FORMAT; /* XXX error codes in API? */
+ r = skerr_to_ssherr(r);
goto out;
}
for (i = 0; i < nrks; i++) {
-/* $OpenBSD: ssherr.c,v 1.8 2018/07/03 11:39:54 djm Exp $ */
+/* $OpenBSD: ssherr.c,v 1.9 2019/12/30 09:24:45 djm Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
return "number is too large";
case SSH_ERR_SIGN_ALG_UNSUPPORTED:
return "signature algorithm not supported";
+ case SSH_ERR_FEATURE_UNSUPPORTED:
+ return "requested feature not supported";
default:
return "unknown error";
}
-/* $OpenBSD: ssherr.h,v 1.6 2018/07/03 11:39:54 djm Exp $ */
+/* $OpenBSD: ssherr.h,v 1.7 2019/12/30 09:24:45 djm Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
#define SSH_ERR_KEY_LENGTH -56
#define SSH_ERR_NUMBER_TOO_LARGE -57
#define SSH_ERR_SIGN_ALG_UNSUPPORTED -58
+#define SSH_ERR_FEATURE_UNSUPPORTED -59
/* Translate a numeric error code to a human-readable error string */
const char *ssh_err(int n);
projects / thirdparty / openssh-portable.git / commitdiff
