Update macaroon library to 307f45bcd49f9e4088e622f23f3ce0e854345b93
Change-Id: I5e0054c0e07878d96bad781685bf23f5ae4068e2
Reviewed-on: https://weave-review.googlesource.com/2584
Reviewed-by: Alex Vakulenko <avakulenko@google.com>
diff --git a/src/privet/auth_manager.cc b/src/privet/auth_manager.cc
index c82887e..027ad5a 100644
--- a/src/privet/auth_manager.cc
+++ b/src/privet/auth_manager.cc
@@ -118,11 +118,10 @@
class ServiceCaveat : public Caveat {
public:
- explicit ServiceCaveat(const std::string& id)
- : Caveat(kUwMacaroonCaveatTypeDelegateeService, id.size()) {
+ explicit ServiceCaveat(UwMacaroonCaveatCloudServiceId service_id)
+ : Caveat(kUwMacaroonCaveatTypeDelegateeService, 0) {
CHECK(uw_macaroon_caveat_create_delegatee_service_(
- reinterpret_cast<const uint8_t*>(id.data()), id.size(), buffer_.data(),
- buffer_.size(), &caveat_));
+ service_id, buffer_.data(), buffer_.size(), &caveat_));
}
DISALLOW_COPY_AND_ASSIGN(ServiceCaveat);
@@ -168,7 +167,8 @@
CHECK_EQ(kSha256OutputSize, secret.size());
UwMacaroonContext context{};
- CHECK(uw_macaroon_context_create_(ToJ2000Time(time), nullptr, 0, &context));
+ CHECK(uw_macaroon_context_create_(ToJ2000Time(time), nullptr, 0, nullptr, 0,
+ &context));
UwMacaroon macaroon{};
CHECK(uw_macaroon_create_from_root_key_(&macaroon, secret.data(),
@@ -189,7 +189,8 @@
const base::Time& time,
const std::vector<const UwMacaroonCaveat*>& caveats) {
UwMacaroonContext context{};
- CHECK(uw_macaroon_context_create_(ToJ2000Time(time), nullptr, 0, &context));
+ CHECK(uw_macaroon_context_create_(ToJ2000Time(time), nullptr, 0, nullptr, 0,
+ &context));
UwMacaroon prev_macaroon = macaroon;
std::vector<uint8_t> prev_buffer(kMaxMacaroonSize);
@@ -232,7 +233,8 @@
ErrorPtr* error) {
CHECK_EQ(kSha256OutputSize, secret.size());
UwMacaroonContext context = {};
- CHECK(uw_macaroon_context_create_(ToJ2000Time(time), nullptr, 0, &context));
+ CHECK(uw_macaroon_context_create_(ToJ2000Time(time), nullptr, 0, nullptr, 0,
+ &context));
if (!uw_macaroon_validate_(&macaroon, secret.data(), secret.size(), &context,
result)) {
@@ -432,8 +434,9 @@
const base::Time now = Now();
TimestampCaveat issued{now};
- ServiceCaveat client{owner == RootClientTokenOwner::kCloud ? "google.com"
- : ""};
+ ServiceCaveat client{owner == RootClientTokenOwner::kCloud
+ ? kUwMacaroonCaveatCloudServiceIdGoogleWeave
+ : kUwMacaroonCaveatCloudServiceIdNotCloudRegistered};
return CreateMacaroonToken(
auth_secret_, now,
{
diff --git a/src/privet/auth_manager_unittest.cc b/src/privet/auth_manager_unittest.cc
index 294aefa..3e5aeab 100644
--- a/src/privet/auth_manager_unittest.cc
+++ b/src/privet/auth_manager_unittest.cc
@@ -190,21 +190,21 @@
}
TEST_F(AuthManagerTest, GetRootClientAuthToken) {
- EXPECT_EQ("WCCDQxkgAUYIGhudoQBCDEBQZgRhYq78I8GtFUZHNBbfGw==",
+ EXPECT_EQ("WCCDQxkgAUYIGhudoQBCDABQX3fPR5zsPnrs9aOSvS7/eQ==",
Base64Encode(
auth_.GetRootClientAuthToken(RootClientTokenOwner::kClient)));
}
TEST_F(AuthManagerTest, GetRootClientAuthTokenDifferentOwner) {
EXPECT_EQ(
- "WCqDQxkgAUYIGhudoQBMDEpnb29nbGUuY29tUOoLAxSUAZAAv54drarqhag=",
+ "WCCDQxkgAUYIGhudoQBCDAFQRrCQfq+g7drVwCbxpug4Ig==",
Base64Encode(auth_.GetRootClientAuthToken(RootClientTokenOwner::kCloud)));
}
TEST_F(AuthManagerTest, GetRootClientAuthTokenDifferentTime) {
auto new_time = clock_.Now() + base::TimeDelta::FromDays(15);
EXPECT_CALL(clock_, Now()).WillRepeatedly(Return(new_time));
- EXPECT_EQ("WCCDQxkgAUYIGhuxZ4BCDEBQjO+OTbjjTzZ/Dvk66nfQqg==",
+ EXPECT_EQ("WCCDQxkgAUYIGhuxZ4BCDABQ9omJ3ooMrcYUZ1DiVqNKAA==",
Base64Encode(
auth_.GetRootClientAuthToken(RootClientTokenOwner::kClient)));
}
@@ -212,7 +212,7 @@
TEST_F(AuthManagerTest, GetRootClientAuthTokenDifferentSecret) {
AuthManager auth{kSecret2, {}, kSecret1, &clock_};
EXPECT_EQ(
- "WCCDQxkgAUYIGhudoQBCDEBQ2MZF8YXv5pbtmMxwz9VtLA==",
+ "WCCDQxkgAUYIGhudoQBCDABQWl2CB8CiP1BiV0ksnnkQQQ==",
Base64Encode(auth.GetRootClientAuthToken(RootClientTokenOwner::kClient)));
}
@@ -253,8 +253,8 @@
auto extended = DelegateToUser(root, base::TimeDelta::FromSeconds(1000),
UserInfo{AuthScope::kUser, TestUserId{"234"}});
EXPECT_EQ(
- "WE+IQxkgAUYIGhudoQBMDEpnb29nbGUuY29tRggaG52hAEYFGhudpOhCAQ5FCUMyMzRNEUs0"
- "NjMzMTUyMDA6MVCRVKU+0SpOoBppnwqdKMwP",
+ "WEWIQxkgAUYIGhudoQBCDAFGCBobnaEARgUaG52k6EIBDkUJQzIzNE0RSzQ2MzMxNTIwMDox"
+ "UIujtnCZlcRvJPOra5BwM6E=",
Base64Encode(extended));
EXPECT_TRUE(
auth_.CreateAccessTokenFromAuth(extended, base::TimeDelta::FromDays(1),
diff --git a/third_party/libuweave/src/macaroon.h b/third_party/libuweave/src/macaroon.h
index c739bca..5e73b28 100644
--- a/third_party/libuweave/src/macaroon.h
+++ b/third_party/libuweave/src/macaroon.h
@@ -33,9 +33,10 @@
} UwMacaroonDelegateeType;
typedef struct {
+ UwMacaroonDelegateeType type;
const uint8_t* id;
size_t id_len;
- UwMacaroonDelegateeType type;
+ UwMacaroonCaveatCloudServiceId service_id; // Only for cloud services
uint32_t timestamp;
} UwMacaroonDelegateeInfo;
@@ -71,12 +72,11 @@
* result object. Note that the resulting granted_scope will be the closest
* valid scope type (to the narrower side) defined in macaroon_caveat.h.
*/
-bool uw_macaroon_validate_(
- const UwMacaroon* macaroon,
- const uint8_t* root_key,
- size_t root_key_len,
- const UwMacaroonContext* context,
- UwMacaroonValidationResult* result);
+bool uw_macaroon_validate_(const UwMacaroon* macaroon,
+ const uint8_t* root_key,
+ size_t root_key_len,
+ const UwMacaroonContext* context,
+ UwMacaroonValidationResult* result);
/** Encode a Macaroon to a byte string. */
bool uw_macaroon_serialize_(const UwMacaroon* macaroon,
diff --git a/third_party/libuweave/src/macaroon_caveat.c b/third_party/libuweave/src/macaroon_caveat.c
index dc4ee3b..0abf7ca 100644
--- a/third_party/libuweave/src/macaroon_caveat.c
+++ b/third_party/libuweave/src/macaroon_caveat.c
@@ -26,6 +26,7 @@
case kUwMacaroonCaveatTypeDelegateeService:
case kUwMacaroonCaveatTypeBleSessionID:
case kUwMacaroonCaveatTypeLanSessionID:
+ case kUwMacaroonCaveatTypeAuthenticationChallenge:
case kUwMacaroonCaveatTypeClientAuthorizationTokenV1:
case kUwMacaroonCaveatTypeServerAuthenticationTokenV1:
return true;
@@ -44,11 +45,20 @@
return false;
}
+static bool is_valid_service_id_(UwMacaroonCaveatCloudServiceId service_id) {
+ switch (service_id) {
+ case kUwMacaroonCaveatCloudServiceIdNotCloudRegistered:
+ case kUwMacaroonCaveatCloudServiceIdGoogleWeave:
+ return true;
+ }
+ return false;
+}
+
static bool create_caveat_no_value_(UwMacaroonCaveatType type,
uint8_t* buffer,
size_t buffer_size,
UwMacaroonCaveat* new_caveat) {
- // (buffer_size == 0 || get_buffer_size_() > buffer_size) will conver the case
+ // (buffer_size == 0 || get_buffsize_() > buffer_size) will conver the case
// that get_buffer_size_() returns 0 (for errors), so there is no need to
// check get_buffer_size_() == 0 again.
if (buffer == NULL || buffer_size == 0 || new_caveat == NULL ||
@@ -134,10 +144,12 @@
case kUwMacaroonCaveatTypeTTL24Hour:
case kUwMacaroonCaveatTypeAppCommandsOnly:
case kUwMacaroonCaveatTypeBleSessionID:
+ case kUwMacaroonCaveatTypeAuthenticationChallenge:
return UW_MACAROON_ENCODING_MAX_UINT_CBOR_LEN;
// Unsigned integers
case kUwMacaroonCaveatTypeScope:
+ case kUwMacaroonCaveatTypeDelegateeService:
case kUwMacaroonCaveatTypeExpirationAbsolute:
case kUwMacaroonCaveatTypeDelegationTimestamp:
return 2 * UW_MACAROON_ENCODING_MAX_UINT_CBOR_LEN;
@@ -146,11 +158,10 @@
case kUwMacaroonCaveatTypeNonce:
case kUwMacaroonCaveatTypeDelegateeUser:
case kUwMacaroonCaveatTypeDelegateeApp:
- case kUwMacaroonCaveatTypeDelegateeService:
case kUwMacaroonCaveatTypeLanSessionID:
case kUwMacaroonCaveatTypeClientAuthorizationTokenV1:
case kUwMacaroonCaveatTypeServerAuthenticationTokenV1:
- return str_len + UW_MACAROON_ENCODING_MAX_UINT_CBOR_LEN;
+ return str_len + 2 * UW_MACAROON_ENCODING_MAX_UINT_CBOR_LEN;
default:
return 0; // For errors
@@ -238,13 +249,16 @@
}
bool uw_macaroon_caveat_create_delegatee_service_(
- const uint8_t* id_str,
- size_t id_str_len,
+ UwMacaroonCaveatCloudServiceId service_id,
uint8_t* buffer,
size_t buffer_size,
UwMacaroonCaveat* new_caveat) {
- return create_caveat_bstr_value_(kUwMacaroonCaveatTypeDelegateeService,
- id_str, id_str_len, buffer, buffer_size,
+ if (!is_valid_service_id_(service_id)) {
+ return false;
+ }
+
+ return create_caveat_uint_value_(kUwMacaroonCaveatTypeDelegateeService,
+ (uint32_t)service_id, buffer, buffer_size,
new_caveat);
}
@@ -265,6 +279,14 @@
buffer_size, new_caveat);
}
+bool uw_macaroon_caveat_create_authentication_challenge_(
+ uint8_t* buffer,
+ size_t buffer_size,
+ UwMacaroonCaveat* new_caveat) {
+ return create_caveat_no_value_(kUwMacaroonCaveatTypeAuthenticationChallenge,
+ buffer, buffer_size, new_caveat);
+}
+
bool uw_macaroon_caveat_create_client_authorization_token_(
const uint8_t* str,
size_t str_len,
@@ -336,17 +358,18 @@
// If there is no additional value from the context, just compute the HMAC on
// the current byte string.
- uint8_t bstr_cbor_prefix[UW_MACAROON_ENCODING_MAX_UINT_CBOR_LEN] = {0};
- size_t bstr_cbor_prefix_len = 0;
- if (caveat_type != kUwMacaroonCaveatTypeBleSessionID) {
+ uint8_t caveat_cbor_prefix[UW_MACAROON_ENCODING_MAX_UINT_CBOR_LEN] = {0};
+ size_t caveat_cbor_prefix_len = 0;
+ if (caveat_type != kUwMacaroonCaveatTypeBleSessionID &&
+ caveat_type != kUwMacaroonCaveatTypeAuthenticationChallenge) {
if (!uw_macaroon_encoding_encode_byte_str_len_(
- (uint32_t)(caveat->num_bytes), bstr_cbor_prefix,
- sizeof(bstr_cbor_prefix), &bstr_cbor_prefix_len)) {
+ (uint32_t)(caveat->num_bytes), caveat_cbor_prefix,
+ sizeof(caveat_cbor_prefix), &caveat_cbor_prefix_len)) {
return false;
}
UwCryptoHmacMsg messages[] = {
- {bstr_cbor_prefix, bstr_cbor_prefix_len},
+ {caveat_cbor_prefix, caveat_cbor_prefix_len},
{caveat->bytes, caveat->num_bytes},
};
@@ -356,30 +379,48 @@
}
// If there is additional value from the context.
- if (context->ble_session_id == NULL || context->ble_session_id_len == 0) {
- return false;
- }
+ const uint8_t* additional_value_str = NULL;
+ size_t additional_value_str_len = 0;
+ if (caveat_type == kUwMacaroonCaveatTypeBleSessionID) {
+ if (context->ble_session_id == NULL || context->ble_session_id_len == 0) {
+ return false;
+ }
- // The length here includes the length of the BLE session ID string.
- if (!uw_macaroon_encoding_encode_byte_str_len_(
- (uint32_t)(context->ble_session_id_len + caveat->num_bytes),
- bstr_cbor_prefix, sizeof(bstr_cbor_prefix), &bstr_cbor_prefix_len)) {
- return false;
+ additional_value_str = context->ble_session_id;
+ additional_value_str_len = context->ble_session_id_len;
+ } else { // kUwMacaroonCaveatTypeAuthenticationChallenge
+ if (context->auth_challenge_str == NULL ||
+ context->auth_challenge_str_len == 0) {
+ return false;
+ }
+
+ additional_value_str = context->auth_challenge_str;
+ additional_value_str_len = context->auth_challenge_str_len;
}
uint8_t value_cbor_prefix[UW_MACAROON_ENCODING_MAX_UINT_CBOR_LEN] = {0};
size_t value_cbor_prefix_len = 0;
if (!uw_macaroon_encoding_encode_byte_str_len_(
- (uint32_t)(context->ble_session_id_len), value_cbor_prefix,
+ (uint32_t)additional_value_str_len, value_cbor_prefix,
sizeof(value_cbor_prefix), &value_cbor_prefix_len)) {
return false;
}
+ // The length here includes: 1. the header for the whole byte string; 2. the
+ // header for the addtional value part; 3. the additional value part.
+ size_t total_length =
+ caveat->num_bytes + value_cbor_prefix_len + additional_value_str_len;
+ if (!uw_macaroon_encoding_encode_byte_str_len_(
+ (uint32_t)total_length, caveat_cbor_prefix,
+ sizeof(caveat_cbor_prefix), &caveat_cbor_prefix_len)) {
+ return false;
+ }
+
UwCryptoHmacMsg messages[] = {
- {bstr_cbor_prefix, bstr_cbor_prefix_len},
+ {caveat_cbor_prefix, caveat_cbor_prefix_len},
{caveat->bytes, caveat->num_bytes},
{value_cbor_prefix, value_cbor_prefix_len},
- {context->ble_session_id, context->ble_session_id_len},
+ {additional_value_str, additional_value_str_len},
};
return uw_crypto_hmac_(key, key_len, messages,
@@ -433,11 +474,29 @@
}
}
- if (!uw_macaroon_caveat_get_value_bstr_(
- caveat, &(result->delegatees[result->num_delegatees].id),
- &(result->delegatees[result->num_delegatees].id_len))) {
- return false;
+ if (caveat_type != kUwMacaroonCaveatTypeDelegateeService) {
+ if (!uw_macaroon_caveat_get_value_bstr_(
+ caveat, &(result->delegatees[result->num_delegatees].id),
+ &(result->delegatees[result->num_delegatees].id_len))) {
+ return false;
+ }
+ result->delegatees[result->num_delegatees].service_id =
+ kUwMacaroonCaveatCloudServiceIdNotCloudRegistered; // Default value
+
+ } else {
+ uint32_t service_id = 0;
+ if (!uw_macaroon_caveat_get_value_uint_(caveat, &service_id)) {
+ return false;
+ }
+ if (!is_valid_service_id_((UwMacaroonCaveatCloudServiceId)service_id)) {
+ return false;
+ }
+ result->delegatees[result->num_delegatees].service_id =
+ (UwMacaroonCaveatCloudServiceId)service_id;
+ result->delegatees[result->num_delegatees].id = NULL;
+ result->delegatees[result->num_delegatees].id_len = 0;
}
+
result->delegatees[result->num_delegatees].type = delegatee_type;
result->delegatees[result->num_delegatees].timestamp = issued_time;
result->num_delegatees++;
@@ -467,6 +526,7 @@
case kUwMacaroonCaveatTypeServerAuthenticationTokenV1:
case kUwMacaroonCaveatTypeNonce:
case kUwMacaroonCaveatTypeBleSessionID:
+ case kUwMacaroonCaveatTypeAuthenticationChallenge:
return true;
case kUwMacaroonCaveatTypeDelegationTimestamp:
@@ -541,6 +601,7 @@
return false;
}
if (type != kUwMacaroonCaveatTypeScope &&
+ type != kUwMacaroonCaveatTypeDelegateeService &&
type != kUwMacaroonCaveatTypeExpirationAbsolute &&
type != kUwMacaroonCaveatTypeDelegationTimestamp) {
// Wrong type
@@ -572,7 +633,6 @@
if (type != kUwMacaroonCaveatTypeNonce &&
type != kUwMacaroonCaveatTypeDelegateeUser &&
type != kUwMacaroonCaveatTypeDelegateeApp &&
- type != kUwMacaroonCaveatTypeDelegateeService &&
type != kUwMacaroonCaveatTypeLanSessionID &&
type != kUwMacaroonCaveatTypeClientAuthorizationTokenV1 &&
type != kUwMacaroonCaveatTypeServerAuthenticationTokenV1) {
diff --git a/third_party/libuweave/src/macaroon_caveat.h b/third_party/libuweave/src/macaroon_caveat.h
index 4905667..5250ac1 100644
--- a/third_party/libuweave/src/macaroon_caveat.h
+++ b/third_party/libuweave/src/macaroon_caveat.h
@@ -24,11 +24,14 @@
kUwMacaroonCaveatTypeDelegateeUser = 9, // bstr
kUwMacaroonCaveatTypeDelegateeApp = 10, // bstr
- kUwMacaroonCaveatTypeDelegateeService = 12, // bstr
+ kUwMacaroonCaveatTypeDelegateeService = 12, // uint
- kUwMacaroonCaveatTypeAppCommandsOnly = 11, // no value
- kUwMacaroonCaveatTypeBleSessionID = 16, // no value
- kUwMacaroonCaveatTypeLanSessionID = 17, // bstr
+ kUwMacaroonCaveatTypeAppCommandsOnly = 11, // no value
+ kUwMacaroonCaveatTypeBleSessionID = 16, // no value
+ kUwMacaroonCaveatTypeLanSessionID = 17, // bstr
+
+ kUwMacaroonCaveatTypeAuthenticationChallenge = 20, // no value
+
kUwMacaroonCaveatTypeClientAuthorizationTokenV1 = 8193, // bstr (0x2001)
kUwMacaroonCaveatTypeServerAuthenticationTokenV1 = 12289, // bstr (0x3001)
} UwMacaroonCaveatType;
@@ -40,6 +43,11 @@
kUwMacaroonCaveatScopeTypeViewer = 20,
} UwMacaroonCaveatScopeType;
+typedef enum {
+ kUwMacaroonCaveatCloudServiceIdNotCloudRegistered = 0,
+ kUwMacaroonCaveatCloudServiceIdGoogleWeave = 1,
+} UwMacaroonCaveatCloudServiceId;
+
// For security sanity checks
#define UW_MACAROON_CAVEAT_SCOPE_LOWEST_POSSIBLE 127
@@ -83,11 +91,13 @@
uint8_t* buffer,
size_t buffer_size,
UwMacaroonCaveat* new_caveat);
-bool uw_macaroon_caveat_create_delegatee_service_(const uint8_t* id_str,
- size_t id_str_len,
- uint8_t* buffer,
- size_t buffer_size,
- UwMacaroonCaveat* new_caveat);
+
+bool uw_macaroon_caveat_create_delegatee_service_(
+ UwMacaroonCaveatCloudServiceId service_id,
+ uint8_t* buffer,
+ size_t buffer_size,
+ UwMacaroonCaveat* new_caveat);
+
bool uw_macaroon_caveat_create_app_commands_only_(uint8_t* buffer,
size_t buffer_size,
UwMacaroonCaveat* new_caveat);
@@ -100,6 +110,11 @@
size_t buffer_size,
UwMacaroonCaveat* new_caveat);
+bool uw_macaroon_caveat_create_authentication_challenge_(
+ uint8_t* buffer,
+ size_t buffer_size,
+ UwMacaroonCaveat* new_caveat);
+
// The string values for these two token types are optional.
// Use str_len = 0 to indicate creating the caveats without string values.
bool uw_macaroon_caveat_create_client_authorization_token_(
diff --git a/third_party/libuweave/src/macaroon_context.c b/third_party/libuweave/src/macaroon_context.c
index 2f1685d..e33bdd5 100644
--- a/third_party/libuweave/src/macaroon_context.c
+++ b/third_party/libuweave/src/macaroon_context.c
@@ -7,16 +7,22 @@
bool uw_macaroon_context_create_(uint32_t current_time,
const uint8_t* ble_session_id,
size_t ble_session_id_len,
+ const uint8_t* auth_challenge_str,
+ size_t auth_challenge_str_len,
UwMacaroonContext* new_context) {
- if (ble_session_id == NULL && ble_session_id_len != 0) {
+ if ((ble_session_id == NULL && ble_session_id_len != 0) ||
+ (auth_challenge_str == NULL && auth_challenge_str_len != 0)) {
return false;
}
if (new_context == NULL) {
return false;
}
+ *new_context = (UwMacaroonContext){};
new_context->current_time = current_time;
new_context->ble_session_id = ble_session_id;
new_context->ble_session_id_len = ble_session_id_len;
+ new_context->auth_challenge_str = auth_challenge_str;
+ new_context->auth_challenge_str_len = auth_challenge_str_len;
return true;
}
diff --git a/third_party/libuweave/src/macaroon_context.h b/third_party/libuweave/src/macaroon_context.h
index c230eb7..762f232 100644
--- a/third_party/libuweave/src/macaroon_context.h
+++ b/third_party/libuweave/src/macaroon_context.h
@@ -15,11 +15,15 @@
uint32_t current_time; // In number of seconds since Jan 1st 2000 00:00:00
const uint8_t* ble_session_id; // Only for BLE
size_t ble_session_id_len;
+ const uint8_t* auth_challenge_str;
+ size_t auth_challenge_str_len;
} UwMacaroonContext;
bool uw_macaroon_context_create_(uint32_t current_time,
const uint8_t* ble_session_id,
size_t ble_session_id_len,
+ const uint8_t* auth_challenge_str,
+ size_t auth_challenge_str_len,
UwMacaroonContext* new_context);
#endif // LIBUWEAVE_SRC_MACAROON_CONTEXT_
