Client-side challenge response authentication

[ecorm]

Implement challenge response authentication, as per the advanced spec.

[ecorm]

Client requirements:

• HELLO.Options.authmethods|list includes "wampcra"
• HELLO.Options.authid|string is the authentication ID (e.g. username)
• Receive CHALLENGE messages
• Compute the HMAC-SHA256 using the shared secret over the challenge.
• Send AUTHENTICATE messages in response to CHALLENGE
• Accept WELCOME.Details containing authentication information
• Allow the client program to forward the challenge to another party. This could be done by registering a callback function.

The client API should also allow the program to pass in a salted password, instead of a verbatim password. This way, the library cannot possibly leak the verbatim password.

Care should be taken so that the secret is wiped (zeroed-out) from memory ASAP.

The spec does not specify what the ABORT.Reason|URI should be if authentication fails. I have raised this issue in wamp-proto/wamp-proto#15.

[ecorm]

With the existing authentication API, nothing prevents CppWAMP users from computing the cryptographic signatures themselves using other crypto libraries.