PairingAuthenticator implementation and plumbing.

remoting/protocol/pairing_host_authenticator.h

Index: remoting/protocol/pairing_host_authenticator.h
diff --git a/remoting/protocol/pairing_host_authenticator.h b/remoting/protocol/pairing_host_authenticator.h
new file mode 100644
index 0000000000000000000000000000000000000000..ddc7929262781771d2f880dd56029e7c03de6fa4
--- /dev/null
+++ b/remoting/protocol/pairing_host_authenticator.h
@@ -0,0 +1,73 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef REMOTING_PROTOCOL_PAIRING_HOST_AUTHENTICATOR_H_
+#define REMOTING_PROTOCOL_PAIRING_HOST_AUTHENTICATOR_H_
+
+#include "remoting/protocol/authenticator.h"
+
+namespace remoting {
+
+class RsaKeyPair;
+
+namespace protocol {
+
+class V2Authenticator;
+class PairingRegistry;
+
+// PairingClientAuthenticator builds on top of V2Authenticator to add
+// support for PIN-less authentication via device pairing:
+//
+// * If a client device is already paired, it includes a client id in
+//   the initial authentication message.
+// * If the host recognizes the id, it looks up the corresponding
+//   shared secret and the rest of the protocol is host-initiated
+//   SPAKE with HMAC_SHA256.
+// * If it does not recognize the id, it sends an error message to
+//   the client, which will prompt the user for a PIN to use for
+//   authentication instead. In this case, the rest of the procotol
+//   is client-initiated SPAKE with HMAC_SHA256.
+//
+// If a client device is not already paired, but supports pairing, it
+// sends an empty initial authentication message. In this case, the
+// authenticator behaves exactly like the V2Authenticator with

[rmsousa, 2013/05/16 00:46:25]

Please clarify who sends the first SPAKE message in this case (the host)

+// HMAC_SHA256--only the protocol type differs, which the client uses
+// to detect that pairing should be offered to the user.
+class PairingHostAuthenticator : public Authenticator {
+ public:
+  PairingHostAuthenticator(
+      scoped_refptr<PairingRegistry> pairing_registry,
+      const std::string& local_cert,
+      scoped_refptr<RsaKeyPair> key_pair,
+      const std::string& shared_secret,
+      State initial_state);
+  virtual ~PairingHostAuthenticator() {}
+
+  // Authenticator interface.
+  virtual State state() const OVERRIDE;
+  virtual RejectionReason rejection_reason() const OVERRIDE;
+  virtual void ProcessMessage(const buzz::XmlElement* message,
+                              const base::Closure& resume_callback) OVERRIDE;
+  virtual scoped_ptr<buzz::XmlElement> GetNextMessage() OVERRIDE;
+  virtual scoped_ptr<ChannelAuthenticator>
+      CreateChannelAuthenticator() const OVERRIDE;
+
+ private:
+  void CreateV2AuthenticatorWithPIN(State initial_state);
+
+  scoped_refptr<PairingRegistry> pairing_registry_;
+  std::string local_cert_;
+  scoped_refptr<RsaKeyPair> key_pair_;
+  const std::string& shared_secret_;
+  scoped_ptr<Authenticator> v2_authenticator_;
+  std::string error_message_;
+  bool protocol_error_;
+
+  DISALLOW_COPY_AND_ASSIGN(PairingHostAuthenticator);
+};
+
+}  // namespace protocol
+}  // namespace remoting
+
+#endif  // REMOTING_PROTOCOL_PAIRING_AUTHENTICATOR_H_