passkey: propagate error code for power cycle

ikerexxe · justin-stephenson · commit b34e9244b75c · 2025-07-01T15:53:38.000-04:00
When performing a passkey authentication and the PIN is entered 3 times
incorrectly the FIDO2 device requires a power cycle (disconnect and
reconnect the device to the USB port). libfido2 recognizes this with a
special error code and the passkey child should return it so that the
SSSD responder is aware of it.

Signed-off-by: Iker Pedrosa &lt;ipedrosa@redhat.com&gt;
diff --git a/src/passkey_child/passkey_child.c b/src/passkey_child/passkey_child.c
@@ -104,7 +104,9 @@ int main(int argc, const char *argv[])
 done:
     talloc_free(main_ctx);
 
-    if (ret != EOK) {
+    if (ret == FIDO_ERR_PIN_AUTH_BLOCKED) {
+        return PIN_AUTH_BLOCKED_EXIT_CODE;
+    } else if (ret != EOK) {
         return EXIT_FAILURE;
     } else {
         return EXIT_SUCCESS;
diff --git a/src/util/util.h b/src/util/util.h
@@ -122,6 +122,7 @@ extern int socket_activated;
 enum sssd_exit_status {
     CHILD_TIMEOUT_EXIT_CODE = 7,
     CA_DB_NOT_FOUND_EXIT_CODE = 50,
+    PIN_AUTH_BLOCKED_EXIT_CODE = 52, /* to match FIDO_ERR_PIN_AUTH_BLOCKED in fido2 error codes */
     SSS_WATCHDOG_EXIT_CODE = 70 /* to match EX_SOFTWARE in sysexits.h */
 };
 
