OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "remoting/protocol/pairing_host_authenticator.h" | |
6 | |
7 #include "base/bind.h" | |
8 #include "base/logging.h" | |
9 #include "remoting/base/constants.h" | |
10 #include "remoting/base/rsa_key_pair.h" | |
11 #include "remoting/protocol/channel_authenticator.h" | |
12 #include "remoting/protocol/pairing_registry.h" | |
13 #include "remoting/protocol/v2_authenticator.h" | |
14 #include "third_party/libjingle/source/talk/xmllite/xmlelement.h" | |
15 | |
16 namespace remoting { | |
17 namespace protocol { | |
18 | |
19 namespace { | |
20 // These definitions must be kept in sync with pairing_client_authenticator.cc. | |
21 const buzz::StaticQName kPairingInfoTag = | |
22 { kChromotingXmlNamespace, "pairing-info" }; | |
23 const buzz::StaticQName kClientIdAttribute = | |
24 { "", "client-id" }; | |
25 const buzz::StaticQName kPairingFailedTag = | |
26 { kChromotingXmlNamespace, "pairing-failed" }; | |
27 const buzz::StaticQName kPairingErrorAttribute = | |
28 { "", "error" }; | |
29 } // namespace | |
30 | |
31 PairingHostAuthenticator::PairingHostAuthenticator( | |
32 scoped_refptr<PairingRegistry> pairing_registry, | |
33 const std::string& local_cert, | |
34 scoped_refptr<RsaKeyPair> key_pair, | |
35 const std::string& pin) | |
36 : pairing_registry_(pairing_registry), | |
37 local_cert_(local_cert), | |
38 key_pair_(key_pair), | |
39 pin_(pin), | |
40 protocol_error_(false), | |
41 using_paired_secret_(false), | |
42 weak_factory_(this) { | |
43 } | |
44 | |
45 Authenticator::State PairingHostAuthenticator::state() const { | |
46 if (protocol_error_) { | |
47 return REJECTED; | |
48 } else if (v2_authenticator_) { | |
49 return v2_authenticator_->state(); | |
50 } else { | |
51 return WAITING_MESSAGE; | |
52 } | |
53 } | |
54 | |
55 Authenticator::RejectionReason | |
56 PairingHostAuthenticator::rejection_reason() const { | |
57 if (protocol_error_) { | |
58 return PROTOCOL_ERROR; | |
59 } | |
60 DCHECK(v2_authenticator_); | |
Wez
2013/05/18 20:08:36
nit: rejection_reason() below will segfault if |v2
Jamie
2013/05/21 01:24:34
Done (in the base class).
| |
61 return v2_authenticator_->rejection_reason(); | |
62 } | |
63 | |
64 void PairingHostAuthenticator::ProcessMessage( | |
65 const buzz::XmlElement* message, | |
66 const base::Closure& resume_callback) { | |
67 DCHECK_EQ(state(), WAITING_MESSAGE); | |
68 | |
69 // If there's already an underlying authenticator, defer to it, but check | |
70 // for a failed SPAKE exchange if we're using the paired secret. In this | |
71 // case the pairing protocol can continue after the client has prompted | |
72 // the user to enter the PIN. | |
73 if (v2_authenticator_) { | |
74 DCHECK_EQ(v2_authenticator_->state(), WAITING_MESSAGE); | |
75 v2_authenticator_->ProcessMessage( | |
76 message, | |
77 base::Bind(&PairingHostAuthenticator::CheckForFailedSpakeExchange, | |
78 weak_factory_.GetWeakPtr(), resume_callback)); | |
79 return; | |
80 } | |
81 | |
82 // If there isn't already an underlying authenticator, then create one based | |
83 // on the contents of the first message: use the PIN if the client id is | |
84 // not recognized, or the corresponding paired secret if it is. | |
85 std::string client_id; | |
86 const buzz::XmlElement* pairing_tag = message->FirstNamed(kPairingInfoTag); | |
87 if (pairing_tag) { | |
88 client_id = pairing_tag->Attr(kClientIdAttribute); | |
89 } | |
90 if (client_id.empty()) { | |
91 LOG(ERROR) << "No client id specified."; | |
92 protocol_error_ = true; | |
93 resume_callback.Run(); | |
94 return; | |
95 } | |
96 | |
97 std::string paired_secret = pairing_registry_->GetSecret(client_id); | |
98 | |
99 if (paired_secret.empty()) { | |
100 LOG(INFO) << "Unknown client id"; | |
101 error_message_ = "unknown-client-id"; | |
102 CreateV2AuthenticatorWithPIN(); | |
103 resume_callback.Run(); | |
104 return; | |
105 } | |
106 | |
107 v2_authenticator_ = V2Authenticator::CreateForHost( | |
108 local_cert_, key_pair_, paired_secret, MESSAGE_READY); | |
109 using_paired_secret_ = true; | |
110 | |
111 resume_callback.Run(); | |
112 } | |
113 | |
114 scoped_ptr<buzz::XmlElement> PairingHostAuthenticator::GetNextMessage() { | |
115 DCHECK_EQ(state(), MESSAGE_READY); | |
116 | |
117 DCHECK(v2_authenticator_); | |
Wez
2013/05/18 20:08:36
nit: See above - does the DCHECK add anything here
Jamie
2013/05/21 01:24:34
Done.
| |
118 scoped_ptr<buzz::XmlElement> result = v2_authenticator_->GetNextMessage(); | |
119 | |
120 if (!error_message_.empty()) { | |
121 buzz::XmlElement* pairing_failed_tag = | |
122 new buzz::XmlElement(kPairingFailedTag); | |
123 pairing_failed_tag->AddAttr(kPairingErrorAttribute, error_message_); | |
124 result->AddElement(pairing_failed_tag); | |
125 error_message_.clear(); | |
126 } | |
127 | |
128 return result.Pass(); | |
129 } | |
130 | |
131 scoped_ptr<ChannelAuthenticator> | |
132 PairingHostAuthenticator::CreateChannelAuthenticator() const { | |
133 DCHECK(v2_authenticator_); | |
Wez
2013/05/18 20:08:36
nit: Ditto.
Jamie
2013/05/21 01:24:34
Done.
| |
134 return v2_authenticator_->CreateChannelAuthenticator(); | |
135 } | |
136 | |
137 void PairingHostAuthenticator::CreateV2AuthenticatorWithPIN() { | |
138 DCHECK(!v2_authenticator_); | |
Wez
2013/05/18 20:08:36
nit: Here too
Jamie
2013/05/21 01:24:34
Done.
| |
139 v2_authenticator_ = V2Authenticator::CreateForHost( | |
140 local_cert_, key_pair_, pin_, MESSAGE_READY); | |
141 using_paired_secret_ = false; | |
142 } | |
143 | |
144 void PairingHostAuthenticator::CheckForFailedSpakeExchange( | |
145 const base::Closure& resume_callback) { | |
146 DCHECK(v2_authenticator_); | |
Wez
2013/05/18 20:08:36
nit: Ditto.
Jamie
2013/05/21 01:24:34
Done.
| |
147 State v2_state = v2_authenticator_->state(); | |
148 // If the SPAKE exchange failed due to invalid credentials, and those | |
Wez
2013/05/18 20:08:36
nit: Blank lines before this comment, and after th
Jamie
2013/05/21 01:24:34
Done (in the base class).
| |
149 // credentials were the paired secret, then notify the client that the | |
150 // PIN-less connection failed, causing it to prompt the user for the PIN. | |
151 if (v2_state == REJECTED && | |
152 v2_authenticator_->rejection_reason() == INVALID_CREDENTIALS && | |
153 using_paired_secret_) { | |
154 error_message_ = "invalid-shared-secret"; | |
155 v2_authenticator_.reset(); | |
156 CreateV2AuthenticatorWithPIN(); | |
157 } | |
158 resume_callback.Run(); | |
159 } | |
160 | |
161 } // namespace protocol | |
162 } // namespace remoting | |
OLD | NEW |