Index: remoting/protocol/pairing_host_authenticator.cc |
diff --git a/remoting/protocol/pairing_host_authenticator.cc b/remoting/protocol/pairing_host_authenticator.cc |
new file mode 100644 |
index 0000000000000000000000000000000000000000..23823eb97342688242f488a9fb92d0dd7c7df58c |
--- /dev/null |
+++ b/remoting/protocol/pairing_host_authenticator.cc |
@@ -0,0 +1,162 @@ |
+// Copyright 2013 The Chromium Authors. All rights reserved. |
+// Use of this source code is governed by a BSD-style license that can be |
+// found in the LICENSE file. |
+ |
+#include "remoting/protocol/pairing_host_authenticator.h" |
+ |
+#include "base/bind.h" |
+#include "base/logging.h" |
+#include "remoting/base/constants.h" |
+#include "remoting/base/rsa_key_pair.h" |
+#include "remoting/protocol/channel_authenticator.h" |
+#include "remoting/protocol/pairing_registry.h" |
+#include "remoting/protocol/v2_authenticator.h" |
+#include "third_party/libjingle/source/talk/xmllite/xmlelement.h" |
+ |
+namespace remoting { |
+namespace protocol { |
+ |
+namespace { |
+// These definitions must be kept in sync with pairing_client_authenticator.cc. |
+const buzz::StaticQName kPairingInfoTag = |
+ { kChromotingXmlNamespace, "pairing-info" }; |
+const buzz::StaticQName kClientIdAttribute = |
+ { "", "client-id" }; |
+const buzz::StaticQName kPairingFailedTag = |
+ { kChromotingXmlNamespace, "pairing-failed" }; |
+const buzz::StaticQName kPairingErrorAttribute = |
+ { "", "error" }; |
+} // namespace |
+ |
+PairingHostAuthenticator::PairingHostAuthenticator( |
+ scoped_refptr<PairingRegistry> pairing_registry, |
+ const std::string& local_cert, |
+ scoped_refptr<RsaKeyPair> key_pair, |
+ const std::string& pin) |
+ : pairing_registry_(pairing_registry), |
+ local_cert_(local_cert), |
+ key_pair_(key_pair), |
+ pin_(pin), |
+ protocol_error_(false), |
+ using_paired_secret_(false), |
+ weak_factory_(this) { |
+} |
+ |
+Authenticator::State PairingHostAuthenticator::state() const { |
+ if (protocol_error_) { |
+ return REJECTED; |
+ } else if (v2_authenticator_) { |
+ return v2_authenticator_->state(); |
+ } else { |
+ return WAITING_MESSAGE; |
+ } |
+} |
+ |
+Authenticator::RejectionReason |
+PairingHostAuthenticator::rejection_reason() const { |
+ if (protocol_error_) { |
+ return PROTOCOL_ERROR; |
+ } |
+ DCHECK(v2_authenticator_); |
Wez
2013/05/18 20:08:36
nit: rejection_reason() below will segfault if |v2
Jamie
2013/05/21 01:24:34
Done (in the base class).
|
+ return v2_authenticator_->rejection_reason(); |
+} |
+ |
+void PairingHostAuthenticator::ProcessMessage( |
+ const buzz::XmlElement* message, |
+ const base::Closure& resume_callback) { |
+ DCHECK_EQ(state(), WAITING_MESSAGE); |
+ |
+ // If there's already an underlying authenticator, defer to it, but check |
+ // for a failed SPAKE exchange if we're using the paired secret. In this |
+ // case the pairing protocol can continue after the client has prompted |
+ // the user to enter the PIN. |
+ if (v2_authenticator_) { |
+ DCHECK_EQ(v2_authenticator_->state(), WAITING_MESSAGE); |
+ v2_authenticator_->ProcessMessage( |
+ message, |
+ base::Bind(&PairingHostAuthenticator::CheckForFailedSpakeExchange, |
+ weak_factory_.GetWeakPtr(), resume_callback)); |
+ return; |
+ } |
+ |
+ // If there isn't already an underlying authenticator, then create one based |
+ // on the contents of the first message: use the PIN if the client id is |
+ // not recognized, or the corresponding paired secret if it is. |
+ std::string client_id; |
+ const buzz::XmlElement* pairing_tag = message->FirstNamed(kPairingInfoTag); |
+ if (pairing_tag) { |
+ client_id = pairing_tag->Attr(kClientIdAttribute); |
+ } |
+ if (client_id.empty()) { |
+ LOG(ERROR) << "No client id specified."; |
+ protocol_error_ = true; |
+ resume_callback.Run(); |
+ return; |
+ } |
+ |
+ std::string paired_secret = pairing_registry_->GetSecret(client_id); |
+ |
+ if (paired_secret.empty()) { |
+ LOG(INFO) << "Unknown client id"; |
+ error_message_ = "unknown-client-id"; |
+ CreateV2AuthenticatorWithPIN(); |
+ resume_callback.Run(); |
+ return; |
+ } |
+ |
+ v2_authenticator_ = V2Authenticator::CreateForHost( |
+ local_cert_, key_pair_, paired_secret, MESSAGE_READY); |
+ using_paired_secret_ = true; |
+ |
+ resume_callback.Run(); |
+} |
+ |
+scoped_ptr<buzz::XmlElement> PairingHostAuthenticator::GetNextMessage() { |
+ DCHECK_EQ(state(), MESSAGE_READY); |
+ |
+ DCHECK(v2_authenticator_); |
Wez
2013/05/18 20:08:36
nit: See above - does the DCHECK add anything here
Jamie
2013/05/21 01:24:34
Done.
|
+ scoped_ptr<buzz::XmlElement> result = v2_authenticator_->GetNextMessage(); |
+ |
+ if (!error_message_.empty()) { |
+ buzz::XmlElement* pairing_failed_tag = |
+ new buzz::XmlElement(kPairingFailedTag); |
+ pairing_failed_tag->AddAttr(kPairingErrorAttribute, error_message_); |
+ result->AddElement(pairing_failed_tag); |
+ error_message_.clear(); |
+ } |
+ |
+ return result.Pass(); |
+} |
+ |
+scoped_ptr<ChannelAuthenticator> |
+PairingHostAuthenticator::CreateChannelAuthenticator() const { |
+ DCHECK(v2_authenticator_); |
Wez
2013/05/18 20:08:36
nit: Ditto.
Jamie
2013/05/21 01:24:34
Done.
|
+ return v2_authenticator_->CreateChannelAuthenticator(); |
+} |
+ |
+void PairingHostAuthenticator::CreateV2AuthenticatorWithPIN() { |
+ DCHECK(!v2_authenticator_); |
Wez
2013/05/18 20:08:36
nit: Here too
Jamie
2013/05/21 01:24:34
Done.
|
+ v2_authenticator_ = V2Authenticator::CreateForHost( |
+ local_cert_, key_pair_, pin_, MESSAGE_READY); |
+ using_paired_secret_ = false; |
+} |
+ |
+void PairingHostAuthenticator::CheckForFailedSpakeExchange( |
+ const base::Closure& resume_callback) { |
+ DCHECK(v2_authenticator_); |
Wez
2013/05/18 20:08:36
nit: Ditto.
Jamie
2013/05/21 01:24:34
Done.
|
+ State v2_state = v2_authenticator_->state(); |
+ // If the SPAKE exchange failed due to invalid credentials, and those |
Wez
2013/05/18 20:08:36
nit: Blank lines before this comment, and after th
Jamie
2013/05/21 01:24:34
Done (in the base class).
|
+ // credentials were the paired secret, then notify the client that the |
+ // PIN-less connection failed, causing it to prompt the user for the PIN. |
+ if (v2_state == REJECTED && |
+ v2_authenticator_->rejection_reason() == INVALID_CREDENTIALS && |
+ using_paired_secret_) { |
+ error_message_ = "invalid-shared-secret"; |
+ v2_authenticator_.reset(); |
+ CreateV2AuthenticatorWithPIN(); |
+ } |
+ resume_callback.Run(); |
+} |
+ |
+} // namespace protocol |
+} // namespace remoting |