diff options
Diffstat (limited to 'remoting')
| -rw-r--r-- | remoting/client/chromoting_client.cc | 11 | ||||
| -rw-r--r-- | remoting/client/client_config.cc | 7 | ||||
| -rw-r--r-- | remoting/client/client_config.h | 5 | ||||
| -rw-r--r-- | remoting/client/plugin/chromoting_scriptable_object.cc | 55 | ||||
| -rw-r--r-- | remoting/protocol/auth_util.h | 11 | ||||
| -rw-r--r-- | remoting/protocol/authentication_method.cc | 139 | ||||
| -rw-r--r-- | remoting/protocol/authentication_method.h | 90 | ||||
| -rw-r--r-- | remoting/protocol/connection_to_host.cc | 14 | ||||
| -rw-r--r-- | remoting/protocol/connection_to_host.h | 9 | ||||
| -rw-r--r-- | remoting/remoting.gyp | 2 | ||||
| -rw-r--r-- | remoting/webapp/client_screen.js | 5 | ||||
| -rw-r--r-- | remoting/webapp/client_session.js | 31 | ||||
| -rw-r--r-- | remoting/webapp/viewer_plugin_proto.js | 11 |
13 files changed, 350 insertions, 40 deletions
diff --git a/remoting/client/chromoting_client.cc b/remoting/client/chromoting_client.cc index 0577ac5..404d383 100644 --- a/remoting/client/chromoting_client.cc +++ b/remoting/client/chromoting_client.cc @@ -8,11 +8,15 @@ #include "remoting/client/chromoting_view.h" #include "remoting/client/client_context.h" #include "remoting/client/rectangle_update_decoder.h" +#include "remoting/protocol/authenticator.h" +#include "remoting/protocol/authentication_method.h" #include "remoting/protocol/connection_to_host.h" #include "remoting/protocol/session_config.h" namespace remoting { +using protocol::AuthenticationMethod; + ChromotingClient::QueuedVideoPacket::QueuedVideoPacket( const VideoPacket* packet, const base::Closure& done) : packet(packet), done(done) { @@ -44,8 +48,13 @@ ChromotingClient::~ChromotingClient() { void ChromotingClient::Start(scoped_refptr<XmppProxy> xmpp_proxy) { DCHECK(message_loop()->BelongsToCurrentThread()); + scoped_ptr<protocol::Authenticator> authenticator = + config_.authentication_method.CreateAuthenticator( + config_.local_jid, config_.authentication_tag, + config_.shared_secret); + connection_->Connect(xmpp_proxy, config_.local_jid, config_.host_jid, - config_.host_public_key, config_.authentication_code, + config_.host_public_key, authenticator.Pass(), this, this, this); if (!view_->Initialize()) { diff --git a/remoting/client/client_config.cc b/remoting/client/client_config.cc index aed88df..3012a9b 100644 --- a/remoting/client/client_config.cc +++ b/remoting/client/client_config.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -6,10 +6,11 @@ namespace remoting { -ClientConfig::ClientConfig() { +ClientConfig::ClientConfig() + : authentication_method(protocol::AuthenticationMethod::Invalid()) { } ClientConfig::~ClientConfig() { } -} +} // namespace remoting diff --git a/remoting/client/client_config.h b/remoting/client/client_config.h index 52b8e34..31268fd 100644 --- a/remoting/client/client_config.h +++ b/remoting/client/client_config.h @@ -8,6 +8,7 @@ #include <string> #include "base/basictypes.h" +#include "remoting/protocol/authentication_method.h" namespace remoting { @@ -20,7 +21,9 @@ struct ClientConfig { std::string host_jid; std::string host_public_key; - std::string authentication_code; + std::string shared_secret; + protocol::AuthenticationMethod authentication_method; + std::string authentication_tag; }; } // namespace remoting diff --git a/remoting/client/plugin/chromoting_scriptable_object.cc b/remoting/client/plugin/chromoting_scriptable_object.cc index 76d354d..334237d 100644 --- a/remoting/client/plugin/chromoting_scriptable_object.cc +++ b/remoting/client/plugin/chromoting_scriptable_object.cc @@ -7,6 +7,7 @@ #include "base/bind.h" #include "base/logging.h" #include "base/message_loop_proxy.h" +#include "base/string_split.h" // TODO(wez): Remove this when crbug.com/86353 is complete. #include "ppapi/cpp/private/var_private.h" #include "remoting/base/auth_token_util.h" @@ -57,7 +58,7 @@ void ChromotingScriptableObject::Init() { // Plugin API version. // This should be incremented whenever the API interface changes. - AddAttribute(kApiVersionAttribute, Var(3)); + AddAttribute(kApiVersionAttribute, Var(4)); // This should be updated whenever we remove support for an older version // of the API. @@ -358,7 +359,9 @@ Var ChromotingScriptableObject::DoConnect(const std::vector<Var>& args, // host_jid // host_public_key // client_jid - // authentication_code (optional) + // shared_secret + // authentication_methods + // authentication_tag unsigned int arg = 0; if (!args[arg].is_string()) { *exception = Var("The host_jid must be a string."); @@ -378,13 +381,48 @@ Var ChromotingScriptableObject::DoConnect(const std::vector<Var>& args, } std::string client_jid = args[arg++].AsString(); - std::string authentication_code; + if (!args[arg].is_string()) { + *exception = Var("The shared_secret must be a string."); + return Var(); + } + std::string shared_secret = args[arg++].AsString(); + + // Older versions of the webapp do not supply the following two + // parameters. + + // By default use V1 authentication. + protocol::AuthenticationMethod authentication_method = + protocol::AuthenticationMethod::V1Token(); + if (args.size() > arg) { + if (!args[arg].is_string()) { + *exception = Var("The authentication_method must be a string."); + return Var(); + } + + authentication_method = protocol::AuthenticationMethod::Invalid(); + std::string as_string = args[arg++].AsString(); + std::vector<std::string> auth_methods; + base::SplitString(as_string, ',', &auth_methods); + for (std::vector<std::string>::iterator it = auth_methods.begin(); + it != auth_methods.end(); ++it) { + authentication_method = + protocol::AuthenticationMethod::FromString(as_string); + if (authentication_method.is_valid()) + break; + } + if (!authentication_method.is_valid()) { + *exception = Var("No valid authentication methods specified."); + return Var(); + } + } + + std::string authentication_tag; if (args.size() > arg) { if (!args[arg].is_string()) { - *exception = Var("The authentication code must be a string."); + *exception = Var("The authentication_tag must be a string."); return Var(); } - authentication_code = args[arg++].AsString(); + authentication_tag = args[arg++].AsString(); } if (args.size() != arg) { @@ -393,13 +431,14 @@ Var ChromotingScriptableObject::DoConnect(const std::vector<Var>& args, } VLOG(1) << "Connecting to host. " - << "client_jid: " << client_jid << ", host_jid: " << host_jid - << ", authentication_code: " << authentication_code; + << "client_jid: " << client_jid << ", host_jid: " << host_jid; ClientConfig config; config.local_jid = client_jid; config.host_jid = host_jid; config.host_public_key = host_public_key; - config.authentication_code = authentication_code; + config.shared_secret = shared_secret; + config.authentication_method = authentication_method; + config.authentication_tag = authentication_tag; instance_->Connect(config); return Var(); diff --git a/remoting/protocol/auth_util.h b/remoting/protocol/auth_util.h index e33a473..3493550 100644 --- a/remoting/protocol/auth_util.h +++ b/remoting/protocol/auth_util.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -23,9 +23,16 @@ extern const char kHostAuthSslExporterLabel[]; // Fake hostname used for SSL connections. extern const char kSslFakeHostName[]; -// Size of the HMAC-SHA-256 authentication digest. +// Size of the HMAC-SHA-256 hash used as shared secret in SPAKE2. +const size_t kSharedSecretHashLength = 32; + +// Size of the HMAC-SHA-256 digest used for channel authentication. const size_t kAuthDigestLength = 32; +// TODO(sergeyu): The following two methods are used for V1 +// authentication. Remove them when we finally switch to V2 +// authentication method. crbug.com/110483 . + // Generates auth token for the specified |jid| and |access_code|. std::string GenerateSupportAuthToken(const std::string& jid, const std::string& access_code); diff --git a/remoting/protocol/authentication_method.cc b/remoting/protocol/authentication_method.cc new file mode 100644 index 0000000..ebee009 --- /dev/null +++ b/remoting/protocol/authentication_method.cc @@ -0,0 +1,139 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "remoting/protocol/authentication_method.h" + +#include "base/logging.h" +#include "crypto/hmac.h" +#include "remoting/protocol/auth_util.h" +#include "remoting/protocol/v1_authenticator.h" +#include "remoting/protocol/v2_authenticator.h" + +namespace remoting { +namespace protocol { + +// static +AuthenticationMethod AuthenticationMethod::Invalid() { + return AuthenticationMethod(); +} + +// static +AuthenticationMethod AuthenticationMethod::V1Token() { + return AuthenticationMethod(VERSION_1, NONE); +} + +// static +AuthenticationMethod AuthenticationMethod::Spake2(HashFunction hash_function) { + return AuthenticationMethod(VERSION_2, hash_function); +} + +// static +AuthenticationMethod AuthenticationMethod::FromString( + const std::string& value) { + if (value == "v1_token") { + return V1Token(); + } else if (value == "spake2_plain") { + return Spake2(NONE); + } else if (value == "spake2_hmac") { + return Spake2(HMAC_SHA256); + } else { + return AuthenticationMethod::Invalid(); + } +} + +AuthenticationMethod::AuthenticationMethod() + : invalid_(true), + version_(VERSION_2), + hash_function_(NONE) { +} + +AuthenticationMethod::AuthenticationMethod(Version version, + HashFunction hash_function) + : invalid_(false), + version_(version), + hash_function_(hash_function) { +} + +std::string AuthenticationMethod::ApplyHashFunction( + const std::string& tag, + const std::string& shared_secret) { + DCHECK(is_valid()); + + switch (hash_function_) { + case NONE: + return shared_secret; + break; + + case HMAC_SHA256: { + crypto::HMAC response(crypto::HMAC::SHA256); + if (!response.Init(tag)) { + LOG(FATAL) << "HMAC::Init failed"; + } + + unsigned char out_bytes[kSharedSecretHashLength]; + if (!response.Sign(shared_secret, out_bytes, sizeof(out_bytes))) { + LOG(FATAL) << "HMAC::Sign failed"; + } + + return std::string(out_bytes, out_bytes + sizeof(out_bytes)); + } + } + + NOTREACHED(); + return shared_secret; +} + +scoped_ptr<Authenticator> AuthenticationMethod::CreateAuthenticator( + const std::string& local_jid, + const std::string& tag, + const std::string& shared_secret) { + DCHECK(is_valid()); + + switch (version_) { + case VERSION_1: + DCHECK_EQ(hash_function_, NONE); + return scoped_ptr<Authenticator>( + new protocol::V1ClientAuthenticator(local_jid, shared_secret)); + + case VERSION_2: + return protocol::V2Authenticator::CreateForClient( + ApplyHashFunction(tag, shared_secret)); + } + + NOTREACHED(); + return scoped_ptr<Authenticator>(NULL); +} + +AuthenticationMethod::Version AuthenticationMethod::version() const { + DCHECK(is_valid()); + return version_; +} + +AuthenticationMethod::HashFunction AuthenticationMethod::hash_function() const { + DCHECK(is_valid()); + return hash_function_; +} + +const std::string AuthenticationMethod::ToString() const { + DCHECK(is_valid()); + + switch (version_) { + case VERSION_1: + return "v1_token"; + + case VERSION_2: + switch (hash_function_) { + case NONE: + return "spake2_plain"; + case HMAC_SHA256: + return "spake2_hmac"; + } + } + + NOTREACHED(); + return ""; +} + +} // namespace protocol +} // namespace remoting diff --git a/remoting/protocol/authentication_method.h b/remoting/protocol/authentication_method.h new file mode 100644 index 0000000..402e3bc --- /dev/null +++ b/remoting/protocol/authentication_method.h @@ -0,0 +1,90 @@ +// Copyright (c) 2012 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// AuthenticationMethod represents an authentication algorithm and its +// configuration. It knows how to parse and format authentication +// method names. +// Currently the following methods are supported: +// v1_token - deprecated V1 authentication mechanism, +// spake2_plain - SPAKE2 without hashing applied to the password. +// spake2_hmac - SPAKE2 with HMAC hashing of the password. + +#ifndef REMOTING_PROTOCOL_AUTHENTICATION_METHOD_H_ +#define REMOTING_PROTOCOL_AUTHENTICATION_METHOD_H_ + +#include <string> + +#include "base/memory/scoped_ptr.h" + +namespace remoting { +namespace protocol { + +class Authenticator; + +class AuthenticationMethod { + public: + enum Version { + // Legacy authentication mechanism. + // TODO(sergeyu): Should be removed when we finished switching to + // the new version (at which point this enum may be removed). + // crbug.com/110483 + VERSION_1, + + // The new SPAKE2-based authentication. + VERSION_2, + }; + + enum HashFunction { + NONE, + HMAC_SHA256, + }; + + // Constructors for various authentication methods. + static AuthenticationMethod Invalid(); + static AuthenticationMethod V1Token(); + static AuthenticationMethod Spake2(HashFunction hash_function); + + // Parses a string that defines an authentication method. Returns an + // invalid value if the string is invalid. + static AuthenticationMethod FromString(const std::string& value); + + // Returns true + bool is_valid() const { return !invalid_; } + + // Following methods are valid only when is_valid() returns true. + + // Version of the authentication protocol. + Version version() const ; + + // Hash function applied to the shared secret on both ends. + HashFunction hash_function() const; + + // Returns string representation of the value stored in this object. + const std::string ToString() const; + + // Applies the current hash function to |shared_secret| with the + // specified |tag| as a key. + std::string ApplyHashFunction(const std::string& tag, + const std::string& shared_secret); + + // Creates client authenticator using the specified parameters. + scoped_ptr<Authenticator> CreateAuthenticator( + const std::string& local_jid, + const std::string& tag, + const std::string& shared_secret); + + private: + AuthenticationMethod(); + AuthenticationMethod(Version version, + HashFunction hash_function); + + bool invalid_; + Version version_; + HashFunction hash_function_; +}; + +} // namespace protocol +} // namespace remoting + +#endif // REMOTING_PROTOCOL_AUTHENTICATION_METHOD_H_ diff --git a/remoting/protocol/connection_to_host.cc b/remoting/protocol/connection_to_host.cc index 879e1b2..ca89b44 100644 --- a/remoting/protocol/connection_to_host.cc +++ b/remoting/protocol/connection_to_host.cc @@ -12,12 +12,12 @@ #include "remoting/jingle_glue/javascript_signal_strategy.h" #include "remoting/jingle_glue/xmpp_signal_strategy.h" #include "remoting/protocol/auth_util.h" +#include "remoting/protocol/authenticator.h" #include "remoting/protocol/client_control_dispatcher.h" #include "remoting/protocol/client_event_dispatcher.h" #include "remoting/protocol/client_stub.h" #include "remoting/protocol/jingle_session_manager.h" #include "remoting/protocol/pepper_session_manager.h" -#include "remoting/protocol/v1_authenticator.h" #include "remoting/protocol/video_reader.h" #include "remoting/protocol/video_stub.h" #include "remoting/protocol/util.h" @@ -51,24 +51,24 @@ HostStub* ConnectionToHost::host_stub() { } void ConnectionToHost::Connect(scoped_refptr<XmppProxy> xmpp_proxy, - const std::string& your_jid, + const std::string& local_jid, const std::string& host_jid, const std::string& host_public_key, - const std::string& access_code, + scoped_ptr<Authenticator> authenticator, HostEventCallback* event_callback, ClientStub* client_stub, VideoStub* video_stub) { event_callback_ = event_callback; client_stub_ = client_stub; video_stub_ = video_stub; - access_code_ = access_code; + authenticator_ = authenticator.Pass(); // Save jid of the host. The actual connection is created later after // |signal_strategy_| is connected. host_jid_ = host_jid; host_public_key_ = host_public_key; - JavascriptSignalStrategy* strategy = new JavascriptSignalStrategy(your_jid); + JavascriptSignalStrategy* strategy = new JavascriptSignalStrategy(local_jid); strategy->AttachXmppProxy(xmpp_proxy); signal_strategy_.reset(strategy); signal_strategy_->AddListener(this); @@ -126,10 +126,8 @@ void ConnectionToHost::OnSessionManagerReady() { // After SessionManager is initialized we can try to connect to the host. scoped_ptr<CandidateSessionConfig> candidate_config = CandidateSessionConfig::CreateDefault(); - scoped_ptr<Authenticator> authenticator( - new V1ClientAuthenticator(signal_strategy_->GetLocalJid(), access_code_)); session_ = session_manager_->Connect( - host_jid_, authenticator.Pass(), candidate_config.Pass(), + host_jid_, authenticator_.Pass(), candidate_config.Pass(), base::Bind(&ConnectionToHost::OnSessionStateChange, base::Unretained(this))); } diff --git a/remoting/protocol/connection_to_host.h b/remoting/protocol/connection_to_host.h index f025a20..16d648b 100644 --- a/remoting/protocol/connection_to_host.h +++ b/remoting/protocol/connection_to_host.h @@ -1,4 +1,4 @@ -// Copyright (c) 2011 The Chromium Authors. All rights reserved. +// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -31,6 +31,7 @@ class VideoPacket; namespace protocol { +class Authenticator; class ClientControlDispatcher; class ClientEventDispatcher; class ClientStub; @@ -72,10 +73,10 @@ class ConnectionToHost : public SignalStrategy::Listener, virtual ~ConnectionToHost(); virtual void Connect(scoped_refptr<XmppProxy> xmpp_proxy, - const std::string& your_jid, + const std::string& local_jid, const std::string& host_jid, const std::string& host_public_key, - const std::string& access_code, + scoped_ptr<Authenticator> authenticator, HostEventCallback* event_callback, ClientStub* client_stub, VideoStub* video_stub); @@ -129,7 +130,7 @@ class ConnectionToHost : public SignalStrategy::Listener, std::string host_jid_; std::string host_public_key_; - std::string access_code_; + scoped_ptr<Authenticator> authenticator_; HostEventCallback* event_callback_; diff --git a/remoting/remoting.gyp b/remoting/remoting.gyp index d1991b8..a4dc8c3 100644 --- a/remoting/remoting.gyp +++ b/remoting/remoting.gyp @@ -748,6 +748,8 @@ 'sources': [ 'protocol/auth_util.cc', 'protocol/auth_util.h', + 'protocol/authentication_method.cc', + 'protocol/authentication_method.h', 'protocol/authenticator.cc', 'protocol/authenticator.h', 'protocol/buffered_socket_writer.cc', diff --git a/remoting/webapp/client_screen.js b/remoting/webapp/client_screen.js index 06ad729..3577f79 100644 --- a/remoting/webapp/client_screen.js +++ b/remoting/webapp/client_screen.js @@ -288,7 +288,7 @@ function startSession_() { remoting.clientSession = new remoting.ClientSession( remoting.hostJid, remoting.hostPublicKey, - remoting.accessCode, + remoting.accessCode, "v1_token", "", /** @type {string} */ (remoting.oauth2.getCachedEmail()), remoting.ClientSession.Mode.IT2ME, onClientStateChange_); @@ -462,7 +462,8 @@ function connectMe2MeWithAccessToken_(token) { remoting.clientSession = new remoting.ClientSession( remoting.hostJid, remoting.hostPublicKey, - pin, /** @type {string} */ (remoting.oauth2.getCachedEmail()), + pin, "v1_token", remoting.hostId, + /** @type {string} */ (remoting.oauth2.getCachedEmail()), remoting.ClientSession.Mode.ME2ME, onClientStateChange_); remoting.clientSession.createPluginAndConnect( document.getElementById('session-mode'), diff --git a/remoting/webapp/client_session.js b/remoting/webapp/client_session.js index a449453..f1bd19b 100644 --- a/remoting/webapp/client_session.js +++ b/remoting/webapp/client_session.js @@ -20,8 +20,12 @@ var remoting = remoting || {}; * @param {string} hostJid The jid of the host to connect to. * @param {string} hostPublicKey The base64 encoded version of the host's * public key. - * @param {string} authenticationCode The access code for IT2Me or the - * PIN for Me2Me. + * @param {string} sharedSecret The access code for IT2Me or the PIN + * for Me2Me. + * @param {string} authenticationMethods Comma-separated list of + * authentication methods the client should attempt to use. + * @param {string} authenticationTag A host-specific tag to mix into + * authentication hashes. * @param {string} email The username for the talk network. * @param {remoting.ClientSession.Mode} mode The mode of this connection. * @param {function(remoting.ClientSession.State, @@ -29,13 +33,16 @@ var remoting = remoting || {}; * The callback to invoke when the session changes state. * @constructor */ -remoting.ClientSession = function(hostJid, hostPublicKey, authenticationCode, +remoting.ClientSession = function(hostJid, hostPublicKey, sharedSecret, + authenticationMethods, authenticationTag, email, mode, onStateChange) { this.state = remoting.ClientSession.State.CREATED; this.hostJid = hostJid; this.hostPublicKey = hostPublicKey; - this.authenticationCode = authenticationCode; + this.sharedSecret = sharedSecret; + this.authenticationMethods = authenticationMethods; + this.authenticationTag = authenticationTag; this.email = email; this.mode = mode; this.clientJid = ''; @@ -114,7 +121,7 @@ remoting.ClientSession.prototype.error = * @const * @private */ -remoting.ClientSession.prototype.API_VERSION_ = 3; +remoting.ClientSession.prototype.API_VERSION_ = 4; /** * The oldest API version that we support. @@ -124,7 +131,7 @@ remoting.ClientSession.prototype.API_VERSION_ = 3; * @const * @private */ -remoting.ClientSession.prototype.API_MIN_VERSION_ = 1; +remoting.ClientSession.prototype.API_MIN_VERSION_ = 2; /** * The id of the client plugin @@ -339,8 +346,16 @@ remoting.ClientSession.prototype.connectPluginToWcs_ = } } remoting.wcs.setOnIq(onIq); - that.plugin.connect(this.hostJid, this.hostPublicKey, this.clientJid, - this.authenticationCode); + if (that.plugin.apiVersion < 4) { + // Client plugin versions prior to 4 didn't support the last two + // parameters. + that.plugin.connect(this.hostJid, this.hostPublicKey, this.clientJid, + this.sharedSecret); + } else { + that.plugin.connect(this.hostJid, this.hostPublicKey, this.clientJid, + this.sharedSecret, this.authenticationMethods, + this.authenticationTag); + } }; /** diff --git a/remoting/webapp/viewer_plugin_proto.js b/remoting/webapp/viewer_plugin_proto.js index 18d6461..63a865b 100644 --- a/remoting/webapp/viewer_plugin_proto.js +++ b/remoting/webapp/viewer_plugin_proto.js @@ -26,12 +26,17 @@ remoting.ViewerPlugin.prototype.releaseAllKeys = function() {}; * @param {string} hostJid The host's JID. * @param {string} hostPublicKey The host's public key. * @param {string} clientJid The client's JID. - * @param {string} authenticationCode The access code for IT2Me or the - * PIN for Me2Me. + * @param {string} sharedSecret The access code for IT2Me or the + * PIN for Me2Me. + * @param {string=} authenticationMethods Comma-separated list of + * authentication methods the client should attempt to use. + * @param {string=} authenticationTag A host-specific tag to mix into + * authentication hashes. * @return {void} Nothing. */ remoting.ViewerPlugin.prototype.connect = - function(hostJid, hostPublicKey, clientJid, authenticationCode) {}; + function(hostJid, hostPublicKey, clientJid, sharedSecret, + authenticationMethod, authenticationTag) {}; /** @type {function(number, number): void} State change callback function. */ remoting.ViewerPlugin.prototype.connectionInfoUpdate; |