author | Damien Miller <djm@cvs.openbsd.org> | 2019-12-30 09:24:46 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2019-12-30 09:24:46 +0000 |
commit | a4de611bd4f5b364b5232e4ac7dab7c1c6609118 (patch) | |
tree | f36c557d8a61c17477b5f0fd311548e6898b97ca /usr.bin/ssh/ssh-keygen.c | |
parent | 22a1b940244f9dfef01ab8c45da5d73ea66eee5d (diff) |
translate and return error codes; retry on bad PIN
Define some well-known error codes in the SK API and pass
them back via ssh-sk-helper.
Use the new "wrong PIN" error code to retry PIN prompting during
ssh-keygen of resident keys.
feedback and ok markus@
Diffstat (limited to 'usr.bin/ssh/ssh-keygen.c')
-rw-r--r-- | usr.bin/ssh/ssh-keygen.c | 28 |
1 files changed, 19 insertions, 9 deletions
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index 9c49eb81490..f4b87df2d4f 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.378 2019/12/30 09:23:28 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.379 2019/12/30 09:24:45 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3340,15 +3340,25 @@ main(int argc, char **argv)
 switch (type) {
 case KEY_ECDSA_SK:
 case KEY_ED25519_SK:
- if (!quiet) {
- printf("You may need to touch your security key "
- "to authorize key generation.\n");
+ passphrase1 = NULL;
+ for (i = 0 ; i < 3; i++) {
+ if (!quiet) {
+ printf("You may need to touch your security "
+ "key to authorize key generation.\n");
+ }
+ fflush(stdout);
+ r = sshsk_enroll(type, sk_provider,
+ cert_key_id == NULL ? "ssh:" : cert_key_id,
+ sk_flags, passphrase1, NULL, &private, NULL);
+ if (r == 0)
+ break;
+ if (r != SSH_ERR_KEY_WRONG_PASSPHRASE)
+ exit(1); /* error message already printed */
+ passphrase1 = read_passphrase("Enter PIN for security "
+ "key: ", RP_ALLOW_STDIN);
 }
- fflush(stdout);
- if (sshsk_enroll(type, sk_provider,
- cert_key_id == NULL ? "ssh:" : cert_key_id,
- sk_flags, NULL, NULL, &private, NULL) != 0)
- exit(1); /* error message already printed */
+ if (i > 3)
+ fatal("Too many incorrect PINs");
 break;
 default:
 if ((r = sshkey_generate(type, bits, &private)) != 0) |
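Review bot: The guard `if (i > 3)` after the retry loop can never be true, because the loop is `for (i = 0 ; i < 3; i++)` and leaves `i == 3` when all three PIN attempts fail, so "Too many incorrect PINs" is unreachable and control falls through to `break;` with `private` never set by sshsk_enroll; the test should be `if (i >= 3)`. A second point in the same loop: each retry assigns `passphrase1 = read_passphrase(...)` without releasing the previous string, and nothing in the hunk clears the PIN once enrollment succeeds; I would add `if (passphrase1 != NULL) freezero(passphrase1, strlen(passphrase1));` before the read_passphrase call and again after the loop, assuming freezero() is available to this file as it is elsewhere in the OpenBSD tree. main() starts and ends outside the hunk, so whatever later use the function makes of passphrase1 is not visible here and should be checked before freeing it after the loop.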