Enable Curve25519 in host and client for PIN-based and third-party auth.
Now client and host can use Spake2Authenticator instead of
V2Authenticator for both PIN-based auth and third-party auth. The plan
is to use cleanup It2Me to use hashed ID, so it will be possible to
remove spake2_plain method completely, so I'm not adding Curve25519
version.
Also pairing authentication needs move work to enable Curve25519 (see
crbug.com/593123), so it's going to be done separately.
Spake2Authenticor implements SPAKE2 over Curve25519, which is defined
in https://tools.ietf.org/html/draft-irtf-cfrg-spake2-03 .
BUG=589698
Review URL: https://codereview.chromium.org/1780403002
Cr-Commit-Position: refs/heads/master@{#380869}
diff --git a/remoting/client/chromoting_client.cc b/remoting/client/chromoting_client.cc
index 71d020f..7e51042c 100644
--- a/remoting/client/chromoting_client.cc
+++ b/remoting/client/chromoting_client.cc
@@ -215,6 +215,7 @@
session_manager_->Connect(
host_jid_,
make_scoped_ptr(new protocol::NegotiatingClientAuthenticator(
+ signal_strategy_->GetLocalJid(), host_jid_,
client_auth_config_))),
transport_context_, this);
}
diff --git a/remoting/protocol/it2me_host_authenticator_factory.cc b/remoting/protocol/it2me_host_authenticator_factory.cc
index 9ccf297..0a2e5f03 100644
--- a/remoting/protocol/it2me_host_authenticator_factory.cc
+++ b/remoting/protocol/it2me_host_authenticator_factory.cc
@@ -45,8 +45,8 @@
}
}
- return NegotiatingHostAuthenticator::CreateForIt2Me(local_cert_, key_pair_,
- access_code_);
+ return NegotiatingHostAuthenticator::CreateForIt2Me(
+ local_jid, remote_jid, local_cert_, key_pair_, access_code_);
}
} // namespace protocol
diff --git a/remoting/protocol/me2me_host_authenticator_factory.cc b/remoting/protocol/me2me_host_authenticator_factory.cc
index 1d8b5b08..5bb07d4 100644
--- a/remoting/protocol/me2me_host_authenticator_factory.cc
+++ b/remoting/protocol/me2me_host_authenticator_factory.cc
@@ -119,13 +119,14 @@
if (!local_cert_.empty() && key_pair_.get()) {
if (token_validator_factory_) {
return NegotiatingHostAuthenticator::CreateWithThirdPartyAuth(
- local_cert_, key_pair_,
- token_validator_factory_->CreateTokenValidator(
- local_jid, remote_jid));
+ local_jid, remote_jid, local_cert_, key_pair_,
+ token_validator_factory_->CreateTokenValidator(local_jid,
+ remote_jid));
}
return NegotiatingHostAuthenticator::CreateWithPin(
- local_cert_, key_pair_, pin_hash_, pairing_registry_);
+ local_jid, remote_jid, local_cert_, key_pair_, pin_hash_,
+ pairing_registry_);
}
return make_scoped_ptr(
diff --git a/remoting/protocol/negotiating_authenticator_base.cc b/remoting/protocol/negotiating_authenticator_base.cc
index 5fe81293..b42f125 100644
--- a/remoting/protocol/negotiating_authenticator_base.cc
+++ b/remoting/protocol/negotiating_authenticator_base.cc
@@ -23,12 +23,21 @@
const NameMapElement<NegotiatingAuthenticatorBase::Method>
kAuthenticationMethodStrings[] = {
- {NegotiatingAuthenticatorBase::Method::SPAKE2_SHARED_SECRET_PLAIN,
+ {NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224,
"spake2_plain"},
- {NegotiatingAuthenticatorBase::Method::SPAKE2_SHARED_SECRET_HMAC,
+
+ {NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_P224,
"spake2_hmac"},
- {NegotiatingAuthenticatorBase::Method::SPAKE2_PAIR, "spake2_pair"},
- {NegotiatingAuthenticatorBase::Method::THIRD_PARTY, "third_party"},
+ {NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519,
+ "spake2_curve25519"},
+
+ {NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224,
+ "spake2_pair"},
+
+ {NegotiatingAuthenticatorBase::Method::THIRD_PARTY_SPAKE2_P224,
+ "third_party"},
+ {NegotiatingAuthenticatorBase::Method::THIRD_PARTY_SPAKE2_CURVE25519,
+ "third_party_spake2_curve25519"},
};
} // namespace
diff --git a/remoting/protocol/negotiating_authenticator_base.h b/remoting/protocol/negotiating_authenticator_base.h
index 1a43a9e..243359f 100644
--- a/remoting/protocol/negotiating_authenticator_base.h
+++ b/remoting/protocol/negotiating_authenticator_base.h
@@ -66,10 +66,25 @@
// Method represents an authentication algorithm.
enum class Method {
INVALID,
- SPAKE2_SHARED_SECRET_PLAIN,
- SPAKE2_SHARED_SECRET_HMAC,
- SPAKE2_PAIR,
- THIRD_PARTY,
+
+ // SPAKE2 with P224 using access code in plain-text. Used for It2Me.
+ // TODO(sergeyu): Remove and use SHARED_SECRET_SPAKE2_CURVE25519.
+ SHARED_SECRET_PLAIN_SPAKE2_P224,
+
+ // SPAKE2 PIN or access code hashed with host_id using HMAC-SHA256.
+ SHARED_SECRET_SPAKE2_P224,
+ SHARED_SECRET_SPAKE2_CURVE25519,
+
+ // SPAKE2 using shared pairing secret. Falls back to PIN-based
+ // authentication when pairing fails.
+ // TODO(sergeyu): Add CURVE25519 variant. crbug.com/593123
+ PAIRED_SPAKE2_P224,
+
+ // Authentication using third-party authentication server.
+ // SPAKE2 with P224 using shared pairing secret. Falls back to PIN-based
+ // authentication when it fails to authenticate using paired secret.
+ THIRD_PARTY_SPAKE2_P224,
+ THIRD_PARTY_SPAKE2_CURVE25519,
};
~NegotiatingAuthenticatorBase() override;
diff --git a/remoting/protocol/negotiating_authenticator_unittest.cc b/remoting/protocol/negotiating_authenticator_unittest.cc
index 534eecc..f07be70 100644
--- a/remoting/protocol/negotiating_authenticator_unittest.cc
+++ b/remoting/protocol/negotiating_authenticator_unittest.cc
@@ -37,6 +37,9 @@
const char kTestClientId[] = "client-id";
const char kTestHostId[] = "12345678910123456";
+const char kClientJid[] = "[email protected]/abc";
+const char kHostJid[] = "[email protected]/123";
+
const char kTestPairedSecret[] = "1111-2222-3333";
const char kTestPairedSecretBad[] = "4444-5555-6666";
const char kTestPin[] = "123456";
@@ -57,15 +60,15 @@
bool it2me) {
if (it2me) {
host_ = NegotiatingHostAuthenticator::CreateForIt2Me(
- host_cert_, key_pair_, host_secret);
+ kHostJid, kClientJid, host_cert_, key_pair_, host_secret);
} else {
std::string host_secret_hash =
GetSharedSecretHash(kTestHostId, host_secret);
host_ = NegotiatingHostAuthenticator::CreateWithPin(
- host_cert_, key_pair_, host_secret_hash, pairing_registry_);
+ kHostJid, kClientJid, host_cert_, key_pair_, host_secret_hash,
+ pairing_registry_);
}
-
protocol::ClientAuthenticationConfig client_auth_config;
client_auth_config.host_id = kTestHostId;
client_auth_config.pairing_client_id = client_id;
@@ -74,8 +77,8 @@
client_auth_config.fetch_secret_callback =
base::Bind(&NegotiatingAuthenticatorTest::FetchSecret,
client_interactive_pin, pairing_expected);
- client_as_negotiating_authenticator_ =
- new NegotiatingClientAuthenticator(client_auth_config);
+ client_as_negotiating_authenticator_ = new NegotiatingClientAuthenticator(
+ kClientJid, kHostJid, client_auth_config);
client_.reset(client_as_negotiating_authenticator_);
}
@@ -145,14 +148,14 @@
ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
kTestPin, kTestPin, false));
VerifyAccepted(
- NegotiatingAuthenticatorBase::Method::SPAKE2_SHARED_SECRET_HMAC);
+ NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519);
}
TEST_F(NegotiatingAuthenticatorTest, SuccessfulAuthIt2me) {
ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
kTestPin, kTestPin, true));
VerifyAccepted(
- NegotiatingAuthenticatorBase::Method::SPAKE2_SHARED_SECRET_PLAIN);
+ NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224);
}
TEST_F(NegotiatingAuthenticatorTest, InvalidMe2MePin) {
@@ -178,7 +181,7 @@
&(client_as_negotiating_authenticator_->methods_);
methods->erase(std::find(
methods->begin(), methods->end(),
- NegotiatingAuthenticatorBase::Method::SPAKE2_SHARED_SECRET_PLAIN));
+ NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224));
ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
@@ -190,7 +193,7 @@
kTestPin, kTestPin, false));
ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
VerifyAccepted(
- NegotiatingAuthenticatorBase::Method::SPAKE2_SHARED_SECRET_HMAC);
+ NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519);
}
TEST_F(NegotiatingAuthenticatorTest, PairingSupportedButNotPaired) {
@@ -198,7 +201,7 @@
ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
kTestPin, kTestPin, false));
ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
- VerifyAccepted(NegotiatingAuthenticatorBase::Method::SPAKE2_PAIR);
+ VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
}
TEST_F(NegotiatingAuthenticatorTest, PairingRevokedPinOkay) {
@@ -206,7 +209,7 @@
ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
kTestPin, kTestPin, false));
ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
- VerifyAccepted(NegotiatingAuthenticatorBase::Method::SPAKE2_PAIR);
+ VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
}
TEST_F(NegotiatingAuthenticatorTest, PairingRevokedPinBad) {
@@ -222,7 +225,7 @@
ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
kTestPinBad, kTestPin, false));
ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
- VerifyAccepted(NegotiatingAuthenticatorBase::Method::SPAKE2_PAIR);
+ VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
}
TEST_F(NegotiatingAuthenticatorTest,
@@ -231,7 +234,7 @@
ASSERT_NO_FATAL_FAILURE(InitAuthenticators(
kTestClientId, kTestPairedSecretBad, kTestPin, kTestPin, false));
ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
- VerifyAccepted(NegotiatingAuthenticatorBase::Method::SPAKE2_PAIR);
+ VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
}
TEST_F(NegotiatingAuthenticatorTest, PairingFailedInvalidSecretAndPin) {
diff --git a/remoting/protocol/negotiating_client_authenticator.cc b/remoting/protocol/negotiating_client_authenticator.cc
index 11dd49a..f26b6ef 100644
--- a/remoting/protocol/negotiating_client_authenticator.cc
+++ b/remoting/protocol/negotiating_client_authenticator.cc
@@ -15,6 +15,7 @@
#include "remoting/protocol/auth_util.h"
#include "remoting/protocol/channel_authenticator.h"
#include "remoting/protocol/pairing_client_authenticator.h"
+#include "remoting/protocol/spake2_authenticator.h"
#include "remoting/protocol/v2_authenticator.h"
#include "third_party/webrtc/libjingle/xmllite/xmlelement.h"
@@ -25,15 +26,25 @@
ClientAuthenticationConfig::~ClientAuthenticationConfig() {}
NegotiatingClientAuthenticator::NegotiatingClientAuthenticator(
+ const std::string& local_id,
+ const std::string& remote_id,
const ClientAuthenticationConfig& config)
: NegotiatingAuthenticatorBase(MESSAGE_READY),
+ local_id_(local_id),
+ remote_id_(remote_id),
config_(config),
weak_factory_(this) {
- if (!config_.fetch_third_party_token_callback.is_null())
- AddMethod(Method::THIRD_PARTY);
- AddMethod(Method::SPAKE2_PAIR);
- AddMethod(Method::SPAKE2_SHARED_SECRET_HMAC);
- AddMethod(Method::SPAKE2_SHARED_SECRET_PLAIN);
+ if (!config_.fetch_third_party_token_callback.is_null()) {
+ AddMethod(Method::THIRD_PARTY_SPAKE2_CURVE25519);
+ AddMethod(Method::THIRD_PARTY_SPAKE2_P224);
+ }
+
+ AddMethod(Method::PAIRED_SPAKE2_P224);
+
+ AddMethod(Method::SHARED_SECRET_SPAKE2_CURVE25519);
+ AddMethod(Method::SHARED_SECRET_SPAKE2_P224);
+
+ AddMethod(Method::SHARED_SECRET_PLAIN_SPAKE2_P224);
}
NegotiatingClientAuthenticator::~NegotiatingClientAuthenticator() {}
@@ -107,26 +118,35 @@
Authenticator::State preferred_initial_state,
const base::Closure& resume_callback) {
DCHECK(current_method_ != Method::INVALID);
- if (current_method_ == Method::THIRD_PARTY) {
+ if (current_method_ == Method::THIRD_PARTY_SPAKE2_P224) {
current_authenticator_.reset(new ThirdPartyClientAuthenticator(
base::Bind(&V2Authenticator::CreateForClient),
config_.fetch_third_party_token_callback));
resume_callback.Run();
+ } else if (current_method_ == Method::THIRD_PARTY_SPAKE2_CURVE25519) {
+ current_authenticator_.reset(new ThirdPartyClientAuthenticator(
+ base::Bind(&Spake2Authenticator::CreateForClient, local_id_,
+ remote_id_),
+ config_.fetch_third_party_token_callback));
+ resume_callback.Run();
} else {
- DCHECK(current_method_ == Method::SPAKE2_SHARED_SECRET_PLAIN ||
- current_method_ == Method::SPAKE2_PAIR ||
- current_method_ == Method::SPAKE2_SHARED_SECRET_HMAC);
- bool pairing_supported = (current_method_ == Method::SPAKE2_PAIR);
- SecretFetchedCallback callback = base::Bind(
- &NegotiatingClientAuthenticator::CreateV2AuthenticatorWithSecret,
- weak_factory_.GetWeakPtr(), preferred_initial_state, resume_callback);
- config_.fetch_secret_callback.Run(pairing_supported, callback);
+ DCHECK(current_method_ == Method::SHARED_SECRET_PLAIN_SPAKE2_P224 ||
+ current_method_ == Method::PAIRED_SPAKE2_P224 ||
+ current_method_ == Method::SHARED_SECRET_SPAKE2_P224 ||
+ current_method_ == Method::SHARED_SECRET_SPAKE2_CURVE25519);
+ bool pairing_supported = (current_method_ == Method::PAIRED_SPAKE2_P224);
+ config_.fetch_secret_callback.Run(
+ pairing_supported,
+ base::Bind(
+ &NegotiatingClientAuthenticator::CreateSharedSecretAuthenticator,
+ weak_factory_.GetWeakPtr(), preferred_initial_state,
+ resume_callback));
}
}
void NegotiatingClientAuthenticator::CreatePreferredAuthenticator() {
if (!config_.pairing_client_id.empty() && !config_.pairing_secret.empty() &&
- std::find(methods_.begin(), methods_.end(), Method::SPAKE2_PAIR) !=
+ std::find(methods_.begin(), methods_.end(), Method::PAIRED_SPAKE2_P224) !=
methods_.end()) {
// If the client specified a pairing id and shared secret, then create a
// PairingAuthenticator.
@@ -134,19 +154,26 @@
config_.pairing_client_id, config_.pairing_secret,
base::Bind(&V2Authenticator::CreateForClient),
config_.fetch_secret_callback, config_.host_id));
- current_method_ = Method::SPAKE2_PAIR;
+ current_method_ = Method::PAIRED_SPAKE2_P224;
}
}
-void NegotiatingClientAuthenticator::CreateV2AuthenticatorWithSecret(
+void NegotiatingClientAuthenticator::CreateSharedSecretAuthenticator(
Authenticator::State initial_state,
const base::Closure& resume_callback,
const std::string& shared_secret) {
- current_authenticator_ = V2Authenticator::CreateForClient(
- (current_method_ == Method::SPAKE2_SHARED_SECRET_PLAIN)
+ std::string shared_secret_hash =
+ (current_method_ == Method::SHARED_SECRET_PLAIN_SPAKE2_P224)
? shared_secret
- : GetSharedSecretHash(config_.host_id, shared_secret),
- initial_state);
+ : GetSharedSecretHash(config_.host_id, shared_secret);
+
+ if (current_method_ == Method::SHARED_SECRET_SPAKE2_CURVE25519) {
+ current_authenticator_ = Spake2Authenticator::CreateForClient(
+ local_id_, remote_id_, shared_secret_hash, initial_state);
+ } else {
+ current_authenticator_ =
+ V2Authenticator::CreateForClient(shared_secret_hash, initial_state);
+ }
resume_callback.Run();
}
diff --git a/remoting/protocol/negotiating_client_authenticator.h b/remoting/protocol/negotiating_client_authenticator.h
index 0867d10..9a1fe1e 100644
--- a/remoting/protocol/negotiating_client_authenticator.h
+++ b/remoting/protocol/negotiating_client_authenticator.h
@@ -41,6 +41,8 @@
class NegotiatingClientAuthenticator : public NegotiatingAuthenticatorBase {
public:
explicit NegotiatingClientAuthenticator(
+ const std::string& local_id,
+ const std::string& remote_id,
const ClientAuthenticationConfig& config);
~NegotiatingClientAuthenticator() override;
@@ -69,12 +71,14 @@
// message.
void CreatePreferredAuthenticator();
- // Creates a V2Authenticator in state |initial_state| with the given
- // |shared_secret|, then runs |resume_callback|.
- void CreateV2AuthenticatorWithSecret(
- Authenticator::State initial_state,
- const base::Closure& resume_callback,
- const std::string& shared_secret);
+ // Creates a shared-secret authenticator in state |initial_state| with the
+ // given |shared_secret|, then runs |resume_callback|.
+ void CreateSharedSecretAuthenticator(Authenticator::State initial_state,
+ const base::Closure& resume_callback,
+ const std::string& shared_secret);
+
+ std::string local_id_;
+ std::string remote_id_;
ClientAuthenticationConfig config_;
diff --git a/remoting/protocol/negotiating_host_authenticator.cc b/remoting/protocol/negotiating_host_authenticator.cc
index bfdb80f4..de6b894 100644
--- a/remoting/protocol/negotiating_host_authenticator.cc
+++ b/remoting/protocol/negotiating_host_authenticator.cc
@@ -16,6 +16,7 @@
#include "remoting/protocol/channel_authenticator.h"
#include "remoting/protocol/pairing_host_authenticator.h"
#include "remoting/protocol/pairing_registry.h"
+#include "remoting/protocol/spake2_authenticator.h"
#include "remoting/protocol/token_validator.h"
#include "remoting/protocol/v2_authenticator.h"
#include "third_party/webrtc/libjingle/xmllite/xmlelement.h"
@@ -24,37 +25,48 @@
namespace protocol {
NegotiatingHostAuthenticator::NegotiatingHostAuthenticator(
+ const std::string& local_id,
+ const std::string& remote_id,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair)
: NegotiatingAuthenticatorBase(WAITING_MESSAGE),
+ local_id_(local_id),
+ remote_id_(remote_id),
local_cert_(local_cert),
local_key_pair_(key_pair) {}
// static
scoped_ptr<Authenticator> NegotiatingHostAuthenticator::CreateForIt2Me(
+ const std::string& local_id,
+ const std::string& remote_id,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
const std::string& access_code) {
scoped_ptr<NegotiatingHostAuthenticator> result(
- new NegotiatingHostAuthenticator(local_cert, key_pair));
+ new NegotiatingHostAuthenticator(local_id, remote_id, local_cert,
+ key_pair));
result->shared_secret_hash_ = access_code;
- result->AddMethod(Method::SPAKE2_SHARED_SECRET_PLAIN);
+ result->AddMethod(Method::SHARED_SECRET_PLAIN_SPAKE2_P224);
return std::move(result);
}
// static
scoped_ptr<Authenticator> NegotiatingHostAuthenticator::CreateWithPin(
+ const std::string& local_id,
+ const std::string& remote_id,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
const std::string& pin_hash,
scoped_refptr<PairingRegistry> pairing_registry) {
scoped_ptr<NegotiatingHostAuthenticator> result(
- new NegotiatingHostAuthenticator(local_cert, key_pair));
+ new NegotiatingHostAuthenticator(local_id, remote_id, local_cert,
+ key_pair));
result->shared_secret_hash_ = pin_hash;
result->pairing_registry_ = pairing_registry;
- result->AddMethod(Method::SPAKE2_SHARED_SECRET_HMAC);
+ result->AddMethod(Method::SHARED_SECRET_SPAKE2_CURVE25519);
+ result->AddMethod(Method::SHARED_SECRET_SPAKE2_P224);
if (pairing_registry.get()) {
- result->AddMethod(Method::SPAKE2_PAIR);
+ result->AddMethod(Method::PAIRED_SPAKE2_P224);
}
return std::move(result);
}
@@ -62,18 +74,21 @@
// static
scoped_ptr<Authenticator>
NegotiatingHostAuthenticator::CreateWithThirdPartyAuth(
+ const std::string& local_id,
+ const std::string& remote_id,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
scoped_ptr<TokenValidator> token_validator) {
scoped_ptr<NegotiatingHostAuthenticator> result(
- new NegotiatingHostAuthenticator(local_cert, key_pair));
+ new NegotiatingHostAuthenticator(local_id, remote_id, local_cert,
+ key_pair));
result->token_validator_ = std::move(token_validator);
- result->AddMethod(Method::THIRD_PARTY);
+ result->AddMethod(Method::THIRD_PARTY_SPAKE2_CURVE25519);
+ result->AddMethod(Method::THIRD_PARTY_SPAKE2_P224);
return std::move(result);
}
-NegotiatingHostAuthenticator::~NegotiatingHostAuthenticator() {
-}
+NegotiatingHostAuthenticator::~NegotiatingHostAuthenticator() {}
void NegotiatingHostAuthenticator::ProcessMessage(
const buzz::XmlElement* message,
@@ -167,7 +182,7 @@
const base::Closure& resume_callback) {
DCHECK(current_method_ != Method::INVALID);
- if (current_method_ == Method::THIRD_PARTY) {
+ if (current_method_ == Method::THIRD_PARTY_SPAKE2_P224) {
// |ThirdPartyHostAuthenticator| takes ownership of |token_validator_|.
// The authentication method negotiation logic should guarantee that only
// one |ThirdPartyHostAuthenticator| will need to be created per session.
@@ -176,7 +191,20 @@
base::Bind(&V2Authenticator::CreateForHost, local_cert_,
local_key_pair_),
std::move(token_validator_)));
- } else if (current_method_ == Method::SPAKE2_PAIR &&
+ } else if (current_method_ == Method::THIRD_PARTY_SPAKE2_CURVE25519) {
+ // |ThirdPartyHostAuthenticator| takes ownership of |token_validator_|.
+ // The authentication method negotiation logic should guarantee that only
+ // one |ThirdPartyHostAuthenticator| will need to be created per session.
+ DCHECK(token_validator_);
+ current_authenticator_.reset(new ThirdPartyHostAuthenticator(
+ base::Bind(&Spake2Authenticator::CreateForHost, local_id_, remote_id_,
+ local_cert_, local_key_pair_),
+ std::move(token_validator_)));
+ } else if (current_method_ == Method::SHARED_SECRET_SPAKE2_CURVE25519) {
+ current_authenticator_ = Spake2Authenticator::CreateForHost(
+ local_id_, remote_id_, local_cert_, local_key_pair_,
+ shared_secret_hash_, preferred_initial_state);
+ } else if (current_method_ == Method::PAIRED_SPAKE2_P224 &&
preferred_initial_state == WAITING_MESSAGE) {
// If the client requested Spake2Pair and sent an initial message, attempt
// the paired connection protocol.
@@ -191,9 +219,9 @@
// Spake2Pair so that the client knows that the host supports pairing and
// that it can therefore present the option to the user when they enter
// the PIN.
- DCHECK(current_method_ == Method::SPAKE2_SHARED_SECRET_PLAIN ||
- current_method_ == Method::SPAKE2_SHARED_SECRET_HMAC ||
- current_method_ == Method::SPAKE2_PAIR);
+ DCHECK(current_method_ == Method::SHARED_SECRET_PLAIN_SPAKE2_P224 ||
+ current_method_ == Method::SHARED_SECRET_SPAKE2_P224 ||
+ current_method_ == Method::PAIRED_SPAKE2_P224);
current_authenticator_ = V2Authenticator::CreateForHost(
local_cert_, local_key_pair_, shared_secret_hash_,
preferred_initial_state);
diff --git a/remoting/protocol/negotiating_host_authenticator.h b/remoting/protocol/negotiating_host_authenticator.h
index c2e2c54..22508861 100644
--- a/remoting/protocol/negotiating_host_authenticator.h
+++ b/remoting/protocol/negotiating_host_authenticator.h
@@ -30,6 +30,8 @@
// Creates a host authenticator for It2Me host.
static scoped_ptr<Authenticator> CreateForIt2Me(
+ const std::string& local_id,
+ const std::string& remote_id,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
const std::string& access_code);
@@ -38,6 +40,8 @@
// non-nullptr then the paired methods will be offered, supporting
// PIN-less authentication.
static scoped_ptr<Authenticator> CreateWithPin(
+ const std::string& local_id,
+ const std::string& remote_id,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
const std::string& pin_hash,
@@ -45,6 +49,8 @@
// Creates a host authenticator, using third party authentication.
static scoped_ptr<Authenticator> CreateWithThirdPartyAuth(
+ const std::string& local_id,
+ const std::string& remote_id,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
scoped_ptr<TokenValidator> token_validator);
@@ -55,7 +61,9 @@
scoped_ptr<buzz::XmlElement> GetNextMessage() override;
private:
- NegotiatingHostAuthenticator(const std::string& local_cert,
+ NegotiatingHostAuthenticator(const std::string& local_id,
+ const std::string& remote_id,
+ const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair);
// (Asynchronously) creates an authenticator, and stores it in
@@ -65,6 +73,9 @@
void CreateAuthenticator(Authenticator::State preferred_initial_state,
const base::Closure& resume_callback);
+ std::string local_id_;
+ std::string remote_id_;
+
std::string local_cert_;
scoped_refptr<RsaKeyPair> local_key_pair_;
diff --git a/remoting/protocol/spake2_authenticator.cc b/remoting/protocol/spake2_authenticator.cc
index d7c0a6c..ab03e5d 100644
--- a/remoting/protocol/spake2_authenticator.cc
+++ b/remoting/protocol/spake2_authenticator.cc
@@ -93,9 +93,9 @@
scoped_ptr<Authenticator> Spake2Authenticator::CreateForHost(
const std::string& local_id,
const std::string& remote_id,
- const std::string& shared_secret,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
+ const std::string& shared_secret,
Authenticator::State initial_state) {
scoped_ptr<Spake2Authenticator> result(new Spake2Authenticator(
local_id, remote_id, shared_secret, true, initial_state));
diff --git a/remoting/protocol/spake2_authenticator.h b/remoting/protocol/spake2_authenticator.h
index b16d634..15456e0 100644
--- a/remoting/protocol/spake2_authenticator.h
+++ b/remoting/protocol/spake2_authenticator.h
@@ -35,9 +35,9 @@
static scoped_ptr<Authenticator> CreateForHost(
const std::string& local_id,
const std::string& remote_id,
- const std::string& shared_secret,
const std::string& local_cert,
scoped_refptr<RsaKeyPair> key_pair,
+ const std::string& shared_secret,
State initial_state);
~Spake2Authenticator() override;
diff --git a/remoting/protocol/spake2_authenticator_unittest.cc b/remoting/protocol/spake2_authenticator_unittest.cc
index 9f5e5d0..1b1d315 100644
--- a/remoting/protocol/spake2_authenticator_unittest.cc
+++ b/remoting/protocol/spake2_authenticator_unittest.cc
@@ -42,8 +42,8 @@
protected:
void InitAuthenticators(const std::string& client_secret,
const std::string& host_secret) {
- host_ = Spake2Authenticator::CreateForHost(kHostId, kClientId, host_secret,
- host_cert_, key_pair_,
+ host_ = Spake2Authenticator::CreateForHost(kHostId, kClientId, host_cert_,
+ key_pair_, host_secret,
Authenticator::WAITING_MESSAGE);
client_ = Spake2Authenticator::CreateForClient(
kClientId, kHostId, client_secret, Authenticator::MESSAGE_READY);
