=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/sk-usbhid.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- src/usr.bin/ssh/sk-usbhid.c 2019/12/30 09:23:28 1.10 +++ src/usr.bin/ssh/sk-usbhid.c 2019/12/30 09:24:45 1.11 @@ -61,6 +61,11 @@ #define SK_ECDSA 0x00 #define SK_ED25519 0x01 +/* Error codes */ +#define SSH_SK_ERR_GENERAL -1 +#define SSH_SK_ERR_UNSUPPORTED -2 +#define SSH_SK_ERR_PIN_REQUIRED -3 + struct sk_enroll_response { uint8_t *public_key; size_t public_key_len; @@ -408,6 +413,20 @@ } } +static int +fidoerr_to_skerr(int fidoerr) +{ + switch (fidoerr) { + case FIDO_ERR_UNSUPPORTED_OPTION: + return SSH_SK_ERR_UNSUPPORTED; + case FIDO_ERR_PIN_REQUIRED: + case FIDO_ERR_PIN_INVALID: + return SSH_SK_ERR_PIN_REQUIRED; + default: + return -1; + } +} + int sk_enroll(int alg, const uint8_t *challenge, size_t challenge_len, const char *application, uint8_t flags, const char *pin, @@ -420,7 +439,7 @@ struct sk_enroll_response *response = NULL; size_t len; int cose_alg; - int ret = -1; + int ret = SSH_SK_ERR_GENERAL; int r; char *device = NULL; @@ -487,8 +506,9 @@ skdebug(__func__, "fido_dev_open: %s", fido_strerr(r)); goto out; } - if ((r = fido_dev_make_cred(dev, cred, NULL)) != FIDO_OK) { + if ((r = fido_dev_make_cred(dev, cred, pin)) != FIDO_OK) { skdebug(__func__, "fido_dev_make_cred: %s", fido_strerr(r)); + ret = fidoerr_to_skerr(r); goto out; } if (fido_cred_x5c_ptr(cred) != NULL) { @@ -653,7 +673,7 @@ fido_assert_t *assert = NULL; fido_dev_t *dev = NULL; struct sk_sign_response *response = NULL; - int ret = -1; + int ret = SSH_SK_ERR_GENERAL; int r; #ifdef SK_DEBUG @@ -732,7 +752,7 @@ read_rks(const char *devpath, const char *pin, struct sk_resident_key ***rksp, size_t *nrksp) { - int r = -1; + int ret = SSH_SK_ERR_GENERAL, r = -1; fido_dev_t *dev = NULL; fido_credman_metadata_t *metadata = NULL; fido_credman_rp_t *rp = NULL; @@ -743,16 +763,15 @@ if ((dev = fido_dev_new()) == NULL) { skdebug(__func__, "fido_dev_new failed"); - return -1; + return ret; } if ((r = fido_dev_open(dev, devpath)) != FIDO_OK) { skdebug(__func__, "fido_dev_open %s failed: %s", devpath, fido_strerr(r)); fido_dev_free(&dev); - return -1; + return ret; } if ((metadata = fido_credman_metadata_new()) == NULL) { - r = -1; skdebug(__func__, "alloc failed"); goto out; } @@ -761,7 +780,7 @@ if (r == FIDO_ERR_INVALID_COMMAND) { skdebug(__func__, "device %s does not support " "resident keys", devpath); - r = 0; + ret = 0; goto out; } skdebug(__func__, "get metadata for %s failed: %s", @@ -772,7 +791,6 @@ (unsigned long long)fido_credman_rk_existing(metadata), (unsigned long long)fido_credman_rk_remaining(metadata)); if ((rp = fido_credman_rp_new()) == NULL) { - r = -1; skdebug(__func__, "alloc rp failed"); goto out; } @@ -797,7 +815,6 @@ fido_credman_rk_free(&rk); if ((rk = fido_credman_rk_new()) == NULL) { - r = -1; skdebug(__func__, "alloc rk failed"); goto out; } @@ -827,7 +844,6 @@ fido_cred_id_len(cred))) == NULL || (srk->application = strdup(fido_credman_rp_id(rp, i))) == NULL) { - r = -1; skdebug(__func__, "alloc sk_resident_key"); goto out; } @@ -858,7 +874,6 @@ /* append */ if ((tmp = recallocarray(*rksp, *nrksp, (*nrksp) + 1, sizeof(**rksp))) == NULL) { - r = -1; skdebug(__func__, "alloc rksp"); goto out; } @@ -868,7 +883,7 @@ } } /* Success */ - r = 0; + ret = 0; out: if (srk != NULL) { free(srk->application); @@ -881,14 +896,14 @@ fido_dev_close(dev); fido_dev_free(&dev); fido_credman_metadata_free(&metadata); - return r; + return ret; } int sk_load_resident_keys(const char *pin, struct sk_resident_key ***rksp, size_t *nrksp) { - int r = -1; + int ret = SSH_SK_ERR_GENERAL, r = -1; fido_dev_info_t *devlist = NULL; size_t i, ndev = 0, nrks = 0; const fido_dev_info_t *di; @@ -920,7 +935,7 @@ } } /* success */ - r = 0; + ret = 0; *rksp = rks; *nrksp = nrks; rks = NULL; @@ -934,6 +949,6 @@ } free(rks); fido_dev_info_free(&devlist, MAX_FIDO_DEVICES); - return r; + return ret; }