1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "remoting/protocol/pairing_authenticator_base.h"
#include <utility>
#include "base/functional/bind.h"
#include "base/functional/callback.h"
#include "base/location.h"
#include "base/logging.h"
#include "remoting/base/constants.h"
#include "remoting/protocol/authenticator.h"
#include "remoting/protocol/channel_authenticator.h"
#include "remoting/protocol/credentials_type.h"
namespace remoting::protocol {
namespace {
const jingle_xmpp::StaticQName kPairingFailedTag = {kChromotingXmlNamespace,
"pairing-failed"};
const jingle_xmpp::StaticQName kPairingErrorAttribute = {"", "error"};
} // namespace
PairingAuthenticatorBase::PairingAuthenticatorBase() {}
PairingAuthenticatorBase::~PairingAuthenticatorBase() = default;
CredentialsType PairingAuthenticatorBase::credentials_type() const {
return CredentialsType::PAIRED;
}
const Authenticator& PairingAuthenticatorBase::implementing_authenticator()
const {
return *this;
}
Authenticator::State PairingAuthenticatorBase::state() const {
DCHECK(spake2_authenticator_);
return spake2_authenticator_->state();
}
bool PairingAuthenticatorBase::started() const {
if (!spake2_authenticator_) {
return false;
}
return spake2_authenticator_->started();
}
Authenticator::RejectionReason PairingAuthenticatorBase::rejection_reason()
const {
if (!spake2_authenticator_) {
return RejectionReason::INVALID_STATE;
}
return spake2_authenticator_->rejection_reason();
}
Authenticator::RejectionDetails PairingAuthenticatorBase::rejection_details()
const {
if (spake2_authenticator_ &&
spake2_authenticator_->state() == State::REJECTED) {
Authenticator::RejectionDetails spake2_rejection_details =
spake2_authenticator_->rejection_details();
if (!spake2_rejection_details.is_null()) {
return spake2_rejection_details;
}
}
return RejectionDetails(error_message_);
}
void PairingAuthenticatorBase::ProcessMessage(
const jingle_xmpp::XmlElement* message,
base::OnceClosure resume_callback) {
DCHECK_EQ(state(), WAITING_MESSAGE);
// The client authenticator creates the underlying authenticator in the ctor
// and the host creates it in response to the first message before deferring
// to this class to process it. Either way, it should exist here.
DCHECK(spake2_authenticator_);
// If pairing failed, and we haven't already done so, try again with the PIN.
if (using_paired_secret_ && HasErrorMessage(message)) {
using_paired_secret_ = false;
spake2_authenticator_.reset();
CreateSpakeAuthenticatorWithPin(
WAITING_MESSAGE,
base::BindOnce(&PairingAuthenticatorBase::ProcessMessage,
weak_factory_.GetWeakPtr(),
base::Owned(new jingle_xmpp::XmlElement(*message)),
std::move(resume_callback)));
return;
}
// Pass the message to the underlying authenticator for processing, but
// check for a failed SPAKE exchange if we're using the paired secret. In
// this case the pairing protocol can continue by communicating the error
// to the peer and retrying with the PIN.
spake2_authenticator_->ProcessMessage(
message,
base::BindOnce(&PairingAuthenticatorBase::CheckForFailedSpakeExchange,
weak_factory_.GetWeakPtr(), std::move(resume_callback)));
}
std::unique_ptr<jingle_xmpp::XmlElement>
PairingAuthenticatorBase::GetNextMessage() {
DCHECK_EQ(state(), MESSAGE_READY);
std::unique_ptr<jingle_xmpp::XmlElement> result =
spake2_authenticator_->GetNextMessage();
MaybeAddErrorMessage(result.get());
return result;
}
const std::string& PairingAuthenticatorBase::GetAuthKey() const {
return spake2_authenticator_->GetAuthKey();
}
const SessionPolicies* PairingAuthenticatorBase::GetSessionPolicies() const {
return nullptr;
}
std::unique_ptr<ChannelAuthenticator>
PairingAuthenticatorBase::CreateChannelAuthenticator() const {
return spake2_authenticator_->CreateChannelAuthenticator();
}
void PairingAuthenticatorBase::MaybeAddErrorMessage(
jingle_xmpp::XmlElement* message) {
if (!error_message_.empty()) {
jingle_xmpp::XmlElement* pairing_failed_tag =
new jingle_xmpp::XmlElement(kPairingFailedTag);
pairing_failed_tag->AddAttr(kPairingErrorAttribute, error_message_);
message->AddElement(pairing_failed_tag);
error_message_.clear();
}
}
bool PairingAuthenticatorBase::HasErrorMessage(
const jingle_xmpp::XmlElement* message) const {
const jingle_xmpp::XmlElement* pairing_failed_tag =
message->FirstNamed(kPairingFailedTag);
if (pairing_failed_tag) {
std::string error = pairing_failed_tag->Attr(kPairingErrorAttribute);
LOG(ERROR) << "Pairing failed: " << error;
}
return pairing_failed_tag != nullptr;
}
void PairingAuthenticatorBase::CheckForFailedSpakeExchange(
base::OnceClosure resume_callback) {
// If the SPAKE exchange failed due to invalid credentials, and those
// credentials were the paired secret, then notify the peer that the
// PIN-less connection failed and retry using the PIN.
if (spake2_authenticator_->state() == REJECTED &&
spake2_authenticator_->rejection_reason() ==
RejectionReason::INVALID_CREDENTIALS &&
using_paired_secret_) {
using_paired_secret_ = false;
error_message_ = "invalid-shared-secret";
spake2_authenticator_.reset();
CreateSpakeAuthenticatorWithPin(MESSAGE_READY, std::move(resume_callback));
return;
}
std::move(resume_callback).Run();
}
} // namespace remoting::protocol
|
