Add Curve25519 version of pairing authenticators

BUG=589698

Review URL: https://codereview.chromium.org/1800823002

Cr-Commit-Position: refs/heads/master@{#381664}

remoting/protocol/negotiating_authenticator_base.cc

@@ -34,6 +34,8 @@ const NameMapElement<NegotiatingAuthenticatorBase::Method>
 
         {NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224,
          "spake2_pair"},
+        {NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_CURVE25519,
+         "pair_spake2_curve25519"},
 
         {NegotiatingAuthenticatorBase::Method::THIRD_PARTY_SPAKE2_P224,
          "third_party"},

remoting/protocol/negotiating_authenticator_base.h

@@ -77,8 +77,8 @@ class NegotiatingAuthenticatorBase : public Authenticator {
 
     // SPAKE2 using shared pairing secret. Falls back to PIN-based
     // authentication when pairing fails.
-    // TODO(sergeyu): Add CURVE25519 variant. crbug.com/593123
     PAIRED_SPAKE2_P224,
+    PAIRED_SPAKE2_CURVE25519,
 
     // Authentication using third-party authentication server.
     // SPAKE2 with P224 using shared pairing secret. Falls back to PIN-based
@@ -103,7 +103,6 @@ class NegotiatingAuthenticatorBase : public Authenticator {
 
  protected:
   friend class NegotiatingAuthenticatorTest;
-  FRIEND_TEST_ALL_PREFIXES(NegotiatingAuthenticatorTest, IncompatibleMethods);
 
   static const buzz::StaticQName kMethodAttributeQName;
   static const buzz::StaticQName kSupportedMethodsAttributeQName;

remoting/protocol/negotiating_authenticator_unittest.cc

@@ -53,7 +53,7 @@ class NegotiatingAuthenticatorTest : public AuthenticatorTestBase {
   ~NegotiatingAuthenticatorTest() override {}
 
  protected:
-  void InitAuthenticators(const std::string& client_id,
+  virtual void InitAuthenticators(const std::string& client_id,
                                   const std::string& client_paired_secret,
                                   const std::string& client_interactive_pin,
                                   const std::string& host_secret,
@@ -64,15 +64,18 @@ class NegotiatingAuthenticatorTest : public AuthenticatorTestBase {
     } else {
       std::string host_secret_hash =
           GetSharedSecretHash(kTestHostId, host_secret);
-      host_ = NegotiatingHostAuthenticator::CreateWithPin(
+      scoped_ptr<NegotiatingHostAuthenticator> host =
+          NegotiatingHostAuthenticator::CreateWithPin(
               kHostJid, kClientJid, host_cert_, key_pair_, host_secret_hash,
               pairing_registry_);
+      host_as_negotiating_authenticator_ = host.get();
+      host_ = std::move(host);
     }
 
     protocol::ClientAuthenticationConfig client_auth_config;
     client_auth_config.host_id = kTestHostId;
     client_auth_config.pairing_client_id = client_id;
-    client_auth_config.pairing_secret= client_paired_secret;
+    client_auth_config.pairing_secret = client_paired_secret;
     bool pairing_expected = pairing_registry_.get() != nullptr;
     client_auth_config.fetch_secret_callback =
         base::Bind(&NegotiatingAuthenticatorTest::FetchSecret,
@@ -82,6 +85,20 @@ class NegotiatingAuthenticatorTest : public AuthenticatorTestBase {
     client_.reset(client_as_negotiating_authenticator_);
   }
 
+  void DisableMethodOnClient(NegotiatingAuthenticatorBase::Method method) {
+    auto* methods = &(client_as_negotiating_authenticator_->methods_);
+    auto iter = std::find(methods->begin(), methods->end(), method);
+    ASSERT_TRUE(iter != methods->end());
+    methods->erase(iter);
+  }
+
+  void DisableMethodOnHost(NegotiatingAuthenticatorBase::Method method) {
+    auto* methods = &(host_as_negotiating_authenticator_->methods_);
+    auto iter = std::find(methods->begin(), methods->end(), method);
+    ASSERT_TRUE(iter != methods->end());
+    methods->erase(iter);
+  }
+
   void CreatePairingRegistry(bool with_paired_client) {
     pairing_registry_ = new SynchronousPairingRegistry(
         make_scoped_ptr(new MockPairingRegistryDelegate()));
@@ -112,7 +129,7 @@ class NegotiatingAuthenticatorTest : public AuthenticatorTestBase {
     }
   }
 
-  void VerifyAccepted(NegotiatingAuthenticatorBase::Method expected_method) {
+  virtual void VerifyAccepted() {
     ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
 
     ASSERT_EQ(Authenticator::ACCEPTED, host_->state());
@@ -131,11 +148,14 @@ class NegotiatingAuthenticatorTest : public AuthenticatorTestBase {
     tester.Start();
     message_loop_.Run();
     tester.CheckResults();
-    EXPECT_EQ(expected_method,
-              client_as_negotiating_authenticator_->current_method_);
+  }
+
+  NegotiatingAuthenticatorBase::Method current_method() {
+    return client_as_negotiating_authenticator_->current_method_;
   }
 
   // Use a bare pointer because the storage is managed by the base class.
+  NegotiatingHostAuthenticator* host_as_negotiating_authenticator_;
   NegotiatingClientAuthenticator* client_as_negotiating_authenticator_;
 
  private:
@@ -144,18 +164,90 @@ class NegotiatingAuthenticatorTest : public AuthenticatorTestBase {
   DISALLOW_COPY_AND_ASSIGN(NegotiatingAuthenticatorTest);
 };
 
+struct PairingTestParameters {
+  bool p224_on_client;
+  bool curve25519_on_client;
+  bool p224_on_host;
+  bool curve25519_on_host;
+
+  bool expect_curve25519_used;
+};
+
+class NegotiatingPairingAuthenticatorTest
+    : public NegotiatingAuthenticatorTest,
+      public testing::WithParamInterface<PairingTestParameters> {
+public:
+ void InitAuthenticators(const std::string& client_id,
+                         const std::string& client_paired_secret,
+                         const std::string& client_interactive_pin,
+                         const std::string& host_secret,
+                         bool it2me) override {
+   NegotiatingAuthenticatorTest::InitAuthenticators(
+       client_id, client_paired_secret, client_interactive_pin, host_secret,
+       it2me);
+   if (!GetParam().p224_on_client) {
+     DisableMethodOnClient(
+         NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+   }
+   if (!GetParam().curve25519_on_client) {
+     DisableMethodOnClient(
+         NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_CURVE25519);
+   }
+   if (!GetParam().p224_on_host) {
+     DisableMethodOnHost(
+         NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+   }
+   if (!GetParam().curve25519_on_host) {
+     DisableMethodOnHost(
+         NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_CURVE25519);
+   }
+ }
+
+ void VerifyAccepted() override {
+   NegotiatingAuthenticatorTest::VerifyAccepted();
+   EXPECT_TRUE(
+       current_method() ==
+           NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224 ||
+       current_method() ==
+           NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_CURVE25519);
+ }
+};
+
+INSTANTIATE_TEST_CASE_P(
+    PairingParams,
+    NegotiatingPairingAuthenticatorTest,
+    testing::Values(
+        // Only P224.
+        PairingTestParameters{true, false, true, false},
+
+        // Only curve25519.
+        PairingTestParameters{false, true, false, true},
+
+        // Both P224 and curve25519.
+        PairingTestParameters{true, true, true, true},
+
+        // One end supports both, the other supports only P224 or curve25519.
+        PairingTestParameters{false, true, true, true},
+        PairingTestParameters{true, false, true, true},
+        PairingTestParameters{true, true, false, true},
+        PairingTestParameters{true, true, true, false}));
+
 TEST_F(NegotiatingAuthenticatorTest, SuccessfulAuthMe2MePin) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPin, kTestPin, false));
-  VerifyAccepted(
-      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519);
+  VerifyAccepted();
+  EXPECT_EQ(
+      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519,
+      current_method());
 }
 
 TEST_F(NegotiatingAuthenticatorTest, SuccessfulAuthIt2me) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPin, kTestPin, true));
-  VerifyAccepted(
-      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224);
+  VerifyAccepted();
+  EXPECT_EQ(
+      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224,
+      current_method());
 }
 
 TEST_F(NegotiatingAuthenticatorTest, InvalidMe2MePin) {
@@ -177,11 +269,8 @@ TEST_F(NegotiatingAuthenticatorTest, InvalidIt2MeAccessCode) {
 TEST_F(NegotiatingAuthenticatorTest, IncompatibleMethods) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPin, kTestPinBad, true));
-  std::vector<NegotiatingAuthenticatorBase::Method>* methods =
-      &(client_as_negotiating_authenticator_->methods_);
-  methods->erase(std::find(
-      methods->begin(), methods->end(),
-      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224));
+  DisableMethodOnClient(
+      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_PLAIN_SPAKE2_P224);
 
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
 
@@ -192,27 +281,29 @@ TEST_F(NegotiatingAuthenticatorTest, PairingNotSupported) {
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
                                              kTestPin, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(
-      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519);
+  VerifyAccepted();
+  EXPECT_EQ(
+      NegotiatingAuthenticatorBase::Method::SHARED_SECRET_SPAKE2_CURVE25519,
+      current_method());
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingSupportedButNotPaired) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingSupportedButNotPaired) {
   CreatePairingRegistry(false);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kNoClientId, kNoPairedSecret,
                                              kTestPin, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+  VerifyAccepted();
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingRevokedPinOkay) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingRevokedPinOkay) {
   CreatePairingRegistry(false);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
                                              kTestPin, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+  VerifyAccepted();
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingRevokedPinBad) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingRevokedPinBad) {
   CreatePairingRegistry(false);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
                                              kTestPinBad, kTestPin, false));
@@ -220,24 +311,24 @@ TEST_F(NegotiatingAuthenticatorTest, PairingRevokedPinBad) {
   VerifyRejected(Authenticator::INVALID_CREDENTIALS);
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingSucceeded) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingSucceeded) {
   CreatePairingRegistry(true);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(kTestClientId, kTestPairedSecret,
                                              kTestPinBad, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+  VerifyAccepted();
 }
 
-TEST_F(NegotiatingAuthenticatorTest,
+TEST_P(NegotiatingPairingAuthenticatorTest,
        PairingSucceededInvalidSecretButPinOkay) {
   CreatePairingRegistry(true);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(
       kTestClientId, kTestPairedSecretBad, kTestPin, kTestPin, false));
   ASSERT_NO_FATAL_FAILURE(RunAuthExchange());
-  VerifyAccepted(NegotiatingAuthenticatorBase::Method::PAIRED_SPAKE2_P224);
+  VerifyAccepted();
 }
 
-TEST_F(NegotiatingAuthenticatorTest, PairingFailedInvalidSecretAndPin) {
+TEST_P(NegotiatingPairingAuthenticatorTest, PairingFailedInvalidSecretAndPin) {
   CreatePairingRegistry(true);
   ASSERT_NO_FATAL_FAILURE(InitAuthenticators(
       kTestClientId, kTestPairedSecretBad, kTestPinBad, kTestPin, false));

remoting/protocol/negotiating_client_authenticator.cc

@@ -36,6 +36,7 @@ NegotiatingClientAuthenticator::NegotiatingClientAuthenticator(
     AddMethod(Method::THIRD_PARTY_SPAKE2_P224);
   }
 
+  AddMethod(Method::PAIRED_SPAKE2_CURVE25519);
   AddMethod(Method::PAIRED_SPAKE2_P224);
 
   AddMethod(Method::SHARED_SECRET_SPAKE2_CURVE25519);
@@ -124,33 +125,55 @@ void NegotiatingClientAuthenticator::CreateAuthenticatorForCurrentMethod(
     const base::Closure& resume_callback) {
   DCHECK_EQ(state(), PROCESSING_MESSAGE);
   DCHECK(current_method_ != Method::INVALID);
-  if (current_method_ == Method::THIRD_PARTY_SPAKE2_P224) {
+  switch (current_method_) {
+    case Method::INVALID:
+      NOTREACHED();
+      break;
+
+    case Method::THIRD_PARTY_SPAKE2_P224:
       current_authenticator_.reset(new ThirdPartyClientAuthenticator(
           base::Bind(&V2Authenticator::CreateForClient),
           config_.fetch_third_party_token_callback));
       resume_callback.Run();
-  } else if (current_method_ == Method::THIRD_PARTY_SPAKE2_CURVE25519) {
+      break;
+
+    case Method::THIRD_PARTY_SPAKE2_CURVE25519:
       current_authenticator_.reset(new ThirdPartyClientAuthenticator(
           base::Bind(&Spake2Authenticator::CreateForClient, local_id_,
                      remote_id_),
           config_.fetch_third_party_token_callback));
       resume_callback.Run();
-  } else if (current_method_ == Method::PAIRED_SPAKE2_P224) {
+      break;
+
+    case Method::PAIRED_SPAKE2_P224: {
       PairingClientAuthenticator* pairing_authenticator =
           new PairingClientAuthenticator(
               config_, base::Bind(&V2Authenticator::CreateForClient));
       current_authenticator_ = make_scoped_ptr(pairing_authenticator);
       pairing_authenticator->Start(preferred_initial_state, resume_callback);
-  } else {
-    DCHECK(current_method_ == Method::SHARED_SECRET_PLAIN_SPAKE2_P224 ||
-           current_method_ == Method::SHARED_SECRET_SPAKE2_P224 ||
-           current_method_ == Method::SHARED_SECRET_SPAKE2_CURVE25519);
+      break;
+    }
+
+    case Method::PAIRED_SPAKE2_CURVE25519: {
+      PairingClientAuthenticator* pairing_authenticator =
+          new PairingClientAuthenticator(
+              config_, base::Bind(&Spake2Authenticator::CreateForClient,
+                                  local_id_, remote_id_));
+      current_authenticator_ = make_scoped_ptr(pairing_authenticator);
+      pairing_authenticator->Start(preferred_initial_state, resume_callback);
+      break;
+    }
+
+    case Method::SHARED_SECRET_PLAIN_SPAKE2_P224:
+    case Method::SHARED_SECRET_SPAKE2_P224:
+    case Method::SHARED_SECRET_SPAKE2_CURVE25519:
       config_.fetch_secret_callback.Run(
           false,
           base::Bind(
               &NegotiatingClientAuthenticator::CreateSharedSecretAuthenticator,
               weak_factory_.GetWeakPtr(), preferred_initial_state,
               resume_callback));
+      break;
   }
 }
 

remoting/protocol/negotiating_host_authenticator.cc

@@ -36,8 +36,8 @@ NegotiatingHostAuthenticator::NegotiatingHostAuthenticator(
       local_key_pair_(key_pair) {}
 
 // static
-scoped_ptr<Authenticator> NegotiatingHostAuthenticator::CreateForIt2Me(
-    const std::string& local_id,
+scoped_ptr<NegotiatingHostAuthenticator>
+NegotiatingHostAuthenticator::CreateForIt2Me(const std::string& local_id,
                                              const std::string& remote_id,
                                              const std::string& local_cert,
                                              scoped_refptr<RsaKeyPair> key_pair,
@@ -47,11 +47,12 @@ scoped_ptr<Authenticator> NegotiatingHostAuthenticator::CreateForIt2Me(
                                        key_pair));
   result->shared_secret_hash_ = access_code;
   result->AddMethod(Method::SHARED_SECRET_PLAIN_SPAKE2_P224);
-  return std::move(result);
+  return result;
 }
 
 // static
-scoped_ptr<Authenticator> NegotiatingHostAuthenticator::CreateWithPin(
+scoped_ptr<NegotiatingHostAuthenticator>
+NegotiatingHostAuthenticator::CreateWithPin(
     const std::string& local_id,
     const std::string& remote_id,
     const std::string& local_cert,
@@ -66,13 +67,14 @@ scoped_ptr<Authenticator> NegotiatingHostAuthenticator::CreateWithPin(
   result->AddMethod(Method::SHARED_SECRET_SPAKE2_CURVE25519);
   result->AddMethod(Method::SHARED_SECRET_SPAKE2_P224);
   if (pairing_registry.get()) {
+    result->AddMethod(Method::PAIRED_SPAKE2_CURVE25519);
     result->AddMethod(Method::PAIRED_SPAKE2_P224);
   }
-  return std::move(result);
+  return result;
 }
 
 // static
-scoped_ptr<Authenticator>
+scoped_ptr<NegotiatingHostAuthenticator>
 NegotiatingHostAuthenticator::CreateWithThirdPartyAuth(
     const std::string& local_id,
     const std::string& remote_id,
@@ -85,7 +87,7 @@ NegotiatingHostAuthenticator::CreateWithThirdPartyAuth(
   result->token_validator_factory_ = token_validator_factory;
   result->AddMethod(Method::THIRD_PARTY_SPAKE2_CURVE25519);
   result->AddMethod(Method::THIRD_PARTY_SPAKE2_P224);
-  return std::move(result);
+  return result;
 }
 
 NegotiatingHostAuthenticator::~NegotiatingHostAuthenticator() {}
@@ -188,38 +190,69 @@ void NegotiatingHostAuthenticator::CreateAuthenticator(
     const base::Closure& resume_callback) {
   DCHECK(current_method_ != Method::INVALID);
 
-  if (current_method_ == Method::THIRD_PARTY_SPAKE2_P224) {
+  switch(current_method_) {
+    case Method::INVALID:
+      NOTREACHED();
+      break;
+
+    case Method::THIRD_PARTY_SPAKE2_P224:
       current_authenticator_.reset(new ThirdPartyHostAuthenticator(
           base::Bind(&V2Authenticator::CreateForHost, local_cert_,
                      local_key_pair_),
-        token_validator_factory_->CreateTokenValidator(local_id_, remote_id_)));
-  } else if (current_method_ == Method::THIRD_PARTY_SPAKE2_CURVE25519) {
+          token_validator_factory_->CreateTokenValidator(local_id_,
+                                                         remote_id_)));
+      resume_callback.Run();
+      break;
+
+    case Method::THIRD_PARTY_SPAKE2_CURVE25519:
       current_authenticator_.reset(new ThirdPartyHostAuthenticator(
           base::Bind(&Spake2Authenticator::CreateForHost, local_id_, remote_id_,
                      local_cert_, local_key_pair_),
-        token_validator_factory_->CreateTokenValidator(local_id_, remote_id_)));
-  } else if (current_method_ == Method::PAIRED_SPAKE2_P224) {
+          token_validator_factory_->CreateTokenValidator(local_id_,
+                                                         remote_id_)));
+      resume_callback.Run();
+      break;
+
+    case Method::PAIRED_SPAKE2_P224: {
       PairingHostAuthenticator* pairing_authenticator =
-        new PairingHostAuthenticator(pairing_registry_,
-                                     base::Bind(&V2Authenticator::CreateForHost,
+          new PairingHostAuthenticator(
+              pairing_registry_, base::Bind(&V2Authenticator::CreateForHost,
                                             local_cert_, local_key_pair_),
               shared_secret_hash_);
       current_authenticator_.reset(pairing_authenticator);
       pairing_authenticator->Initialize(client_id_, preferred_initial_state,
                                         resume_callback);
-    return;
-  } else if (current_method_ == Method::SHARED_SECRET_SPAKE2_CURVE25519) {
+      break;
+    }
+
+    case Method::PAIRED_SPAKE2_CURVE25519: {
+      PairingHostAuthenticator* pairing_authenticator =
+          new PairingHostAuthenticator(
+              pairing_registry_,
+              base::Bind(&Spake2Authenticator::CreateForHost, local_id_,
+                         remote_id_, local_cert_, local_key_pair_),
+              shared_secret_hash_);
+      current_authenticator_.reset(pairing_authenticator);
+      pairing_authenticator->Initialize(client_id_, preferred_initial_state,
+                                        resume_callback);
+      break;
+    }
+
+    case Method::SHARED_SECRET_SPAKE2_CURVE25519:
       current_authenticator_ = Spake2Authenticator::CreateForHost(
           local_id_, remote_id_, local_cert_, local_key_pair_,
           shared_secret_hash_, preferred_initial_state);
-  } else {
-    DCHECK(current_method_ == Method::SHARED_SECRET_PLAIN_SPAKE2_P224 ||
-           current_method_ == Method::SHARED_SECRET_SPAKE2_P224);
+      resume_callback.Run();
+      break;
+
+    case Method::SHARED_SECRET_PLAIN_SPAKE2_P224:
+    case Method::SHARED_SECRET_SPAKE2_P224:
       current_authenticator_ = V2Authenticator::CreateForHost(
           local_cert_, local_key_pair_, shared_secret_hash_,
           preferred_initial_state);
-  }
       resume_callback.Run();
+      break;
+  }
 }
 
 }  // namespace protocol

remoting/protocol/negotiating_host_authenticator.h

@@ -31,7 +31,7 @@ class NegotiatingHostAuthenticator : public NegotiatingAuthenticatorBase {
   ~NegotiatingHostAuthenticator() override;
 
   // Creates a host authenticator for It2Me host.
-  static scoped_ptr<Authenticator> CreateForIt2Me(
+  static scoped_ptr<NegotiatingHostAuthenticator> CreateForIt2Me(
       const std::string& local_id,
       const std::string& remote_id,
       const std::string& local_cert,
@@ -41,7 +41,7 @@ class NegotiatingHostAuthenticator : public NegotiatingAuthenticatorBase {
   // Creates a host authenticator, using a fixed PIN. If |pairing_registry| is
   // non-nullptr then the paired methods will be offered, supporting
   // PIN-less authentication.
-  static scoped_ptr<Authenticator> CreateWithPin(
+  static scoped_ptr<NegotiatingHostAuthenticator> CreateWithPin(
       const std::string& local_id,
       const std::string& remote_id,
       const std::string& local_cert,
@@ -50,7 +50,7 @@ class NegotiatingHostAuthenticator : public NegotiatingAuthenticatorBase {
       scoped_refptr<PairingRegistry> pairing_registry);
 
   // Creates a host authenticator, using third party authentication.
-  static scoped_ptr<Authenticator> CreateWithThirdPartyAuth(
+  static scoped_ptr<NegotiatingHostAuthenticator> CreateWithThirdPartyAuth(
       const std::string& local_id,
       const std::string& remote_id,
       const std::string& local_cert,