Add Curve25519 version of pairing authenticators

remoting/protocol/negotiating_authenticator_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/bind.h"
 #include "base/macros.h"
 #include "net/base/net_errors.h"
 #include "remoting/base/rsa_key_pair.h"
 #include "remoting/protocol/auth_util.h"
 #include "remoting/protocol/authenticator_test_base.h"
@@ skipping 35 matching lines @@
 const char kTestPinBad[] = "654321";
 
 }  // namespace
 
 class NegotiatingAuthenticatorTest : public AuthenticatorTestBase {
  public:
   NegotiatingAuthenticatorTest() {}
   ~NegotiatingAuthenticatorTest() override {}
 
  protected:
-  void InitAuthenticators(const std::string& client_id,
-                          const std::string& client_paired_secret,
-                          const std::string& client_interactive_pin,
-                          const std::string& host_secret,
-                          bool it2me) {
+  virtual void InitAuthenticators(const std::string& client_id,
+                                  const std::string& client_paired_secret,
+                                  const std::string& client_interactive_pin,
+                                  const std::string& host_secret,
+                                  bool it2me) {
     if (it2me) {
       host_ = NegotiatingHostAuthenticator::CreateForIt2Me(
           kHostJid, kClientJid, host_cert_, key_pair_, host_secret);
     } else {
       std::string host_secret_hash =
           GetSharedSecretHash(kTestHostId, host_secret);
-      host_ = NegotiatingHostAuthenticator::CreateWithPin(
-          kHostJid, kClientJid, host_cert_, key_pair_, host_secret_hash,
-          pairing_registry_);
+      scoped_ptr<NegotiatingHostAuthenticator> host =
+          NegotiatingHostAuthenticator::CreateWithPin(
+              kHostJid, kClientJid, host_cert_, key_pair_, host_secret_hash,
+              pairing_registry_);
+      host_as_negotiating_authenticator_ = host.get();
+      host_ = std::move(host);
     }
 
     protocol::ClientAuthenticationConfig client_auth_config;
     client_auth_config.host_id = kTestHostId;
     client_auth_config.pairing_client_id = client_id;
-    client_auth_config.pairing_secret= client_paired_secret;
+    client_auth_config.pairing_secret = client_paired_secret;
     bool pairing_expected = pairing_registry_.get() != nullptr;
     client_auth_config.fetch_secret_callback =
         base::Bind(&NegotiatingAuthenticatorTest::FetchSecret,
                    client_interactive_pin, pairing_expected);
     client_as_negotiating_authenticator_ = new NegotiatingClientAuthenticator(
         kClientJid, kHostJid, client_auth_config);
     client_.reset(client_as_negotiating_authenticator_);
   }
 
+  void DisableMethodOnClient(NegotiatingAuthenticatorBase::Method method) {
+    auto* methods = &(client_as_negotiating_authenticator_->methods_);
+    auto iter = std::find(methods->begin(), methods->end(), method);
+    ASSERT_TRUE(iter != methods->end());
+    methods->erase(iter);
+  }
+
+  void DisableMethodOnHost(NegotiatingAuthenticatorBase::Method method) {
+    auto* methods = &(host_as_negotiating_authenticator_->methods_);
+    auto iter = std::find(methods->begin(), methods->end(), method);
+    ASSERT_TRUE(iter != methods->end());
+    methods->erase(iter);
+  }
+
   void CreatePairingRegistry(bool with_paired_client) {
     pairing_registry_ = new SynchronousPairingRegistry(
         make_scoped_ptr(new MockPairingRegistryDelegate()));
     if (with_paired_client) {
       PairingRegistry::Pairing pairing(
           base::Time(), kTestClientName, kTestClientId, kTestPairedSecret);
       pairing_registry_->AddPairing(pairing);
     }
   }
 
@@ skipping 10 matching lines @@
     ASSERT_TRUE(client_->state() == Authenticator::REJECTED ||
                 host_->state() == Authenticator::REJECTED);
     if (client_->state() == Authenticator::REJECTED) {
       ASSERT_EQ(client_->rejection_reason(), reason);
     }
     if (host_->state() == Authenticator::REJECTED) {
       ASSERT_EQ(host_->rejection_reason(), reason);
     }
   }
 
-  void VerifyAccepted(NegotiatingAuthenticatorBase::Method expected_method) {
+  virtual void VerifyAccepted() {
     ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
 
     ASSERT_EQ(Authenticator::ACCEPTED, host_->state());
     ASSERT_EQ(Authenticator::ACCEPTED, client_->state());
 
     client_auth_ = client_->CreateChannelAuthenticator();
     host_auth_ = host_->CreateChannelAuthenticator();
     RunChannelAuth(false);
 
     EXPECT_TRUE(client_socket_.get() != nullptr);
     EXPECT_TRUE(host_socket_.get() != nullptr);
 
     StreamConnectionTester tester(host_socket_.get(), client_socket_.get(),
                                   kMessageSize, kMessages);
 
     tester.Start();
     message_loop_.Run();
     tester.CheckResults();
-    EXPECT_EQ(expected_method,
-              client_as_negotiating_authenticator_->current_method_);
+  }
+
+  NegotiatingAuthenticatorBase::Method current_method() {
+    return client_as_negotiating_authenticator_->current_method_;
   }
 
   // Use a bare pointer because the storage is managed by the base class.
+  NegotiatingHostAuthenticator* host_as_negotiating_authenticator_;
   NegotiatingClientAuthenticator* client_as_negotiating_authenticator_;
 
  private:
   scoped_refptr<PairingRegistry> pairing_registry_;
 
   DISALLOW_COPY_AND_ASSIGN(NegotiatingAuthenticatorTest);
 };
 
+struct PairingTestParameters {
+  bool p224_on_client;
+  bool curve25519_on_client;
+  bool p224_on_host;
+  bool curve25519_on_host;
+
+  bool expect_curve25519_used;
+};
+
+class NegotiatingPairingAuthenticatorTest
+    : public NegotiatingAuthenticatorTest,
+      public testing::WithParamInterface<PairingTestParameters> {
+public:
+ void InitAuthenticators(const std::string& client_id,
+                         const std::string& client_paired_secret,
+                         const std::string& client_interactive_pin,
+                         const std::string& host_secret,
+                         bool it2me) override {
+   NegotiatingAuthenticatorTest::InitAuthenticators(
+       client_id, client_paired_secret, client_interactive_pin, host_secret,
+       it2me);
+   if (!GetParam().p224_on_client) {
+     DisableMethodOnClient(
+         NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+   }
+   if (!GetParam().curve25519_on_client) {
+     DisableMethodOnClient(
+         NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_CURVE25519);
+   }
+   if (!GetParam().p224_on_host) {
+     DisableMethodOnHost(
+         NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+   }
+   if (!GetParam().curve25519_on_host) {
+     DisableMethodOnHost(
+         NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_CURVE25519);
+   }
+ }
+
+ void VerifyAccepted() override {
+   NegotiatingAuthenticatorTest::VerifyAccepted();
+   EXPECT_TRUE(
+       current_method() ==
+           NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224 ||
+       current_method() ==
+           NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_CURVE25519);
+ }
+};
+
+INSTANTIATE_TEST_CASE_P(
+    PairingParams,
+    NegotiatingPairingAuthenticatorTest,
+    testing::Values(
+        // Only P224.
+        PairingTestParameters{true, false, true, false},
+
+        // Only curve25519.
+        PairingTestParameters{false, true, false, true},
+
+        // Both P224 and curve25519.
+        PairingTestParameters{true, true, true, true},
+
+        // One end supports both, the other supports only P224 or curve25519.
+        PairingTestParameters{false, true, true, true},
+        PairingTestParameters{true, false, true, true},
+        PairingTestParameters{true, true, false, true},
+        PairingTestParameters{true, true, true, false}));
+
 TEST_F(NegotiatingAuthenticatorTest, SuccessfulAuthMe2MePin) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPin, kTestPin, false));
-  VerifyAccepted(
-      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519);
+  VerifyAccepted();
+  EXPECT_EQ(
+      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519,
+      current_method());
 }
 
 TEST_F(NegotiatingAuthenticatorTest, SuccessfulAuthIt2me) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPin, kTestPin, true));
-  VerifyAccepted(
-      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224);
+  VerifyAccepted();
+  EXPECT_EQ(
+      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224,
+      current_method());
 }
 
 TEST_F(NegotiatingAuthenticatorTest, InvalidMe2MePin) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPinBad, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
 
   VerifyRejected(Authenticator::INVALID_CREDENTIALS);
 }
 
 TEST_F(NegotiatingAuthenticatorTest, InvalidIt2MeAccessCode) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPin, kTestPinBad, true));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
 
   VerifyRejected(Authenticator::INVALID_CREDENTIALS);
 }
 
 TEST_F(NegotiatingAuthenticatorTest, IncompatibleMethods) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPin, kTestPinBad, true));
-  std::vector<NegotiatingAuthenticatorBase::Method>* methods =
-      &(client_as_negotiating_authenticator_->methods_);
-  methods->erase(std::find(
-      methods->begin(), methods->end(),
-      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224));
+  DisableMethodOnClient(
+      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224);
 
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
 
   VerifyRejected(Authenticator::PROTOCOL_ERROR);
 }
 
 TEST_F(NegotiatingAuthenticatorTest, PairingNotSupported) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
                                              kTestPin, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(
-      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519);
+  VerifyAccepted();
+  EXPECT_EQ(
+      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519,
+      current_method());
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingSupportedButNotPaired) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingSupportedButNotPaired) {
   CreatePairingRegistry(false);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPin, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+  VerifyAccepted();
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingRevokedPinOkay) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingRevokedPinOkay) {
   CreatePairingRegistry(false);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
                                              kTestPin, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+  VerifyAccepted();
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingRevokedPinBad) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingRevokedPinBad) {
   CreatePairingRegistry(false);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
                                              kTestPinBad, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
   VerifyRejected(Authenticator::INVALID_CREDENTIALS);
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingSucceeded) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingSucceeded) {
   CreatePairingRegistry(true);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
                                              kTestPinBad, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+  VerifyAccepted();
 }
 
-TEST_F(NegotiatingAuthenticatorTest,
+TEST_P(NegotiatingPairingAuthenticatorTest,
        PairingSucceededInvalidSecretButPinOkay) {
   CreatePairingRegistry(true);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(
       kTestClientId, kTestPairedSecretBad, kTestPin, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+  VerifyAccepted();
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingFailedInvalidSecretAndPin) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingFailedInvalidSecretAndPin) {
   CreatePairingRegistry(true);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(
       kTestClientId, kTestPairedSecretBad, kTestPinBad, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
   VerifyRejected(Authenticator::INVALID_CREDENTIALS);
 }
 
 }  // namespace protocol
 }  // namespace remoting