Implement V2 authentication support in the client plugin.

Changed client plugin interface so that it receives 
information needed to for V2 authentication. Also moved 
authenticator creation out of ConnectionToHost.

BUG=105214


Review URL: http://codereview.chromium.org/9195004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@118828 0039d316-1c4b-4281-b951-d872f2087c98

13 files changed, 350 insertions, 40 deletions

diff --git a/remoting/client/chromoting_client.cc b/remoting/client/chromoting_client.cc
index 0577ac5..404d383 100644
--- a/remoting/client/chromoting_client.cc
+++ b/remoting/client/chromoting_client.cc
@@ -8,11 +8,15 @@
 #include "remoting/client/chromoting_view.h"
 #include "remoting/client/client_context.h"
 #include "remoting/client/rectangle_update_decoder.h"
+#include "remoting/protocol/authenticator.h"
+#include "remoting/protocol/authentication_method.h"
 #include "remoting/protocol/connection_to_host.h"
 #include "remoting/protocol/session_config.h"
 
 namespace remoting {
 
+using protocol::AuthenticationMethod;
+
 ChromotingClient::QueuedVideoPacket::QueuedVideoPacket(
     const VideoPacket* packet, const base::Closure& done)
     : packet(packet), done(done) {
@@ -44,8 +48,13 @@ ChromotingClient::~ChromotingClient() {
 void ChromotingClient::Start(scoped_refptr<XmppProxy> xmpp_proxy) {
   DCHECK(message_loop()->BelongsToCurrentThread());
 
+  scoped_ptr<protocol::Authenticator> authenticator =
+      config_.authentication_method.CreateAuthenticator(
+          config_.local_jid, config_.authentication_tag,
+          config_.shared_secret);
+
   connection_->Connect(xmpp_proxy, config_.local_jid, config_.host_jid,
-                       config_.host_public_key, config_.authentication_code,
+                       config_.host_public_key, authenticator.Pass(),
                        this, this, this);
 
   if (!view_->Initialize()) {
diff --git a/remoting/client/client_config.cc b/remoting/client/client_config.cc
index aed88df..3012a9b 100644
--- a/remoting/client/client_config.cc
+++ b/remoting/client/client_config.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -6,10 +6,11 @@
 
 namespace remoting {
 
-ClientConfig::ClientConfig() {
+ClientConfig::ClientConfig()
+    : authentication_method(protocol::AuthenticationMethod::Invalid()) {
 }
 
 ClientConfig::~ClientConfig() {
 }
 
-}
+}  // namespace remoting
diff --git a/remoting/client/client_config.h b/remoting/client/client_config.h
index 52b8e34..31268fd 100644
--- a/remoting/client/client_config.h
+++ b/remoting/client/client_config.h
@@ -8,6 +8,7 @@
 #include <string>
 
 #include "base/basictypes.h"
+#include "remoting/protocol/authentication_method.h"
 
 namespace remoting {
 
@@ -20,7 +21,9 @@ struct ClientConfig {
   std::string host_jid;
   std::string host_public_key;
 
-  std::string authentication_code;
+  std::string shared_secret;
+  protocol::AuthenticationMethod authentication_method;
+  std::string authentication_tag;
 };
 
 }  // namespace remoting
diff --git a/remoting/client/plugin/chromoting_scriptable_object.cc b/remoting/client/plugin/chromoting_scriptable_object.cc
index 76d354d..334237d 100644
--- a/remoting/client/plugin/chromoting_scriptable_object.cc
+++ b/remoting/client/plugin/chromoting_scriptable_object.cc
@@ -7,6 +7,7 @@
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/message_loop_proxy.h"
+#include "base/string_split.h"
 // TODO(wez): Remove this when crbug.com/86353 is complete.
 #include "ppapi/cpp/private/var_private.h"
 #include "remoting/base/auth_token_util.h"
@@ -57,7 +58,7 @@ void ChromotingScriptableObject::Init() {
 
   // Plugin API version.
   // This should be incremented whenever the API interface changes.
-  AddAttribute(kApiVersionAttribute, Var(3));
+  AddAttribute(kApiVersionAttribute, Var(4));
 
   // This should be updated whenever we remove support for an older version
   // of the API.
@@ -358,7 +359,9 @@ Var ChromotingScriptableObject::DoConnect(const std::vector<Var>& args,
   //   host_jid
   //   host_public_key
   //   client_jid
-  //   authentication_code (optional)
+  //   shared_secret
+  //   authentication_methods
+  //   authentication_tag
   unsigned int arg = 0;
   if (!args[arg].is_string()) {
     *exception = Var("The host_jid must be a string.");
@@ -378,13 +381,48 @@ Var ChromotingScriptableObject::DoConnect(const std::vector<Var>& args,
   }
   std::string client_jid = args[arg++].AsString();
 
-  std::string authentication_code;
+  if (!args[arg].is_string()) {
+    *exception = Var("The shared_secret must be a string.");
+    return Var();
+  }
+  std::string shared_secret = args[arg++].AsString();
+
+  // Older versions of the webapp do not supply the following two
+  // parameters.
+
+  // By default use V1 authentication.
+  protocol::AuthenticationMethod authentication_method =
+      protocol::AuthenticationMethod::V1Token();
+  if (args.size() > arg) {
+    if (!args[arg].is_string()) {
+      *exception = Var("The authentication_method must be a string.");
+      return Var();
+    }
+
+    authentication_method = protocol::AuthenticationMethod::Invalid();
+    std::string as_string = args[arg++].AsString();
+    std::vector<std::string> auth_methods;
+    base::SplitString(as_string, ',', &auth_methods);
+    for (std::vector<std::string>::iterator it = auth_methods.begin();
+         it != auth_methods.end(); ++it) {
+      authentication_method =
+          protocol::AuthenticationMethod::FromString(as_string);
+      if (authentication_method.is_valid())
+        break;
+    }
+    if (!authentication_method.is_valid()) {
+      *exception = Var("No valid authentication methods specified.");
+      return Var();
+    }
+  }
+
+  std::string authentication_tag;
   if (args.size() > arg) {
     if (!args[arg].is_string()) {
-      *exception = Var("The authentication code must be a string.");
+      *exception = Var("The authentication_tag must be a string.");
       return Var();
     }
-    authentication_code = args[arg++].AsString();
+    authentication_tag = args[arg++].AsString();
   }
 
   if (args.size() != arg) {
@@ -393,13 +431,14 @@ Var ChromotingScriptableObject::DoConnect(const std::vector<Var>& args,
   }
 
   VLOG(1) << "Connecting to host. "
-          << "client_jid: " << client_jid << ", host_jid: " << host_jid
-          << ", authentication_code: " << authentication_code;
+          << "client_jid: " << client_jid << ", host_jid: " << host_jid;
   ClientConfig config;
   config.local_jid = client_jid;
   config.host_jid = host_jid;
   config.host_public_key = host_public_key;
-  config.authentication_code = authentication_code;
+  config.shared_secret = shared_secret;
+  config.authentication_method = authentication_method;
+  config.authentication_tag = authentication_tag;
   instance_->Connect(config);
 
   return Var();
diff --git a/remoting/protocol/auth_util.h b/remoting/protocol/auth_util.h
index e33a473..3493550 100644
--- a/remoting/protocol/auth_util.h
+++ b/remoting/protocol/auth_util.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -23,9 +23,16 @@ extern const char kHostAuthSslExporterLabel[];
 // Fake hostname used for SSL connections.
 extern const char kSslFakeHostName[];
 
-// Size of the HMAC-SHA-256 authentication digest.
+// Size of the HMAC-SHA-256 hash used as shared secret in SPAKE2.
+const size_t kSharedSecretHashLength = 32;
+
+// Size of the HMAC-SHA-256 digest used for channel authentication.
 const size_t kAuthDigestLength = 32;
 
+// TODO(sergeyu): The following two methods are used for V1
+// authentication. Remove them when we finally switch to V2
+// authentication method. crbug.com/110483 .
+
 // Generates auth token for the specified |jid| and |access_code|.
 std::string GenerateSupportAuthToken(const std::string& jid,
                                      const std::string& access_code);
diff --git a/remoting/protocol/authentication_method.cc b/remoting/protocol/authentication_method.cc
new file mode 100644
index 0000000..ebee009
--- /dev/null
+++ b/remoting/protocol/authentication_method.cc
@@ -0,0 +1,139 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "remoting/protocol/authentication_method.h"
+
+#include "base/logging.h"
+#include "crypto/hmac.h"
+#include "remoting/protocol/auth_util.h"
+#include "remoting/protocol/v1_authenticator.h"
+#include "remoting/protocol/v2_authenticator.h"
+
+namespace remoting {
+namespace protocol {
+
+// static
+AuthenticationMethod AuthenticationMethod::Invalid() {
+  return AuthenticationMethod();
+}
+
+// static
+AuthenticationMethod AuthenticationMethod::V1Token() {
+  return AuthenticationMethod(VERSION_1, NONE);
+}
+
+// static
+AuthenticationMethod AuthenticationMethod::Spake2(HashFunction hash_function) {
+  return AuthenticationMethod(VERSION_2, hash_function);
+}
+
+// static
+AuthenticationMethod AuthenticationMethod::FromString(
+    const std::string& value) {
+  if (value == "v1_token") {
+    return V1Token();
+  } else if (value == "spake2_plain") {
+    return Spake2(NONE);
+  } else if (value == "spake2_hmac") {
+    return Spake2(HMAC_SHA256);
+  } else {
+    return AuthenticationMethod::Invalid();
+  }
+}
+
+AuthenticationMethod::AuthenticationMethod()
+    : invalid_(true),
+      version_(VERSION_2),
+      hash_function_(NONE) {
+}
+
+AuthenticationMethod::AuthenticationMethod(Version version,
+                                           HashFunction hash_function)
+    : invalid_(false),
+      version_(version),
+      hash_function_(hash_function) {
+}
+
+std::string AuthenticationMethod::ApplyHashFunction(
+    const std::string& tag,
+    const std::string& shared_secret) {
+  DCHECK(is_valid());
+
+  switch (hash_function_) {
+    case NONE:
+      return shared_secret;
+      break;
+
+    case HMAC_SHA256: {
+      crypto::HMAC response(crypto::HMAC::SHA256);
+      if (!response.Init(tag)) {
+        LOG(FATAL) << "HMAC::Init failed";
+      }
+
+      unsigned char out_bytes[kSharedSecretHashLength];
+      if (!response.Sign(shared_secret, out_bytes, sizeof(out_bytes))) {
+        LOG(FATAL) << "HMAC::Sign failed";
+      }
+
+      return std::string(out_bytes, out_bytes + sizeof(out_bytes));
+    }
+  }
+
+  NOTREACHED();
+  return shared_secret;
+}
+
+scoped_ptr<Authenticator> AuthenticationMethod::CreateAuthenticator(
+    const std::string& local_jid,
+    const std::string& tag,
+    const std::string& shared_secret) {
+  DCHECK(is_valid());
+
+  switch (version_) {
+    case VERSION_1:
+      DCHECK_EQ(hash_function_, NONE);
+      return scoped_ptr<Authenticator>(
+          new protocol::V1ClientAuthenticator(local_jid, shared_secret));
+
+    case VERSION_2:
+      return protocol::V2Authenticator::CreateForClient(
+          ApplyHashFunction(tag, shared_secret));
+  }
+
+  NOTREACHED();
+  return scoped_ptr<Authenticator>(NULL);
+}
+
+AuthenticationMethod::Version AuthenticationMethod::version() const {
+  DCHECK(is_valid());
+  return version_;
+}
+
+AuthenticationMethod::HashFunction AuthenticationMethod::hash_function() const {
+  DCHECK(is_valid());
+  return hash_function_;
+}
+
+const std::string AuthenticationMethod::ToString() const {
+  DCHECK(is_valid());
+
+  switch (version_) {
+    case VERSION_1:
+      return "v1_token";
+
+    case VERSION_2:
+      switch (hash_function_) {
+        case NONE:
+          return "spake2_plain";
+        case HMAC_SHA256:
+          return "spake2_hmac";
+      }
+  }
+
+  NOTREACHED();
+  return "";
+}
+
+}  // namespace protocol
+}  // namespace remoting
diff --git a/remoting/protocol/authentication_method.h b/remoting/protocol/authentication_method.h
new file mode 100644
index 0000000..402e3bc
--- /dev/null
+++ b/remoting/protocol/authentication_method.h
@@ -0,0 +1,90 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// AuthenticationMethod represents an authentication algorithm and its
+// configuration. It knows how to parse and format authentication
+// method names.
+// Currently the following methods are supported:
+//   v1_token - deprecated V1 authentication mechanism,
+//   spake2_plain - SPAKE2 without hashing applied to the password.
+//   spake2_hmac - SPAKE2 with HMAC hashing of the password.
+
+#ifndef REMOTING_PROTOCOL_AUTHENTICATION_METHOD_H_
+#define REMOTING_PROTOCOL_AUTHENTICATION_METHOD_H_
+
+#include <string>
+
+#include "base/memory/scoped_ptr.h"
+
+namespace remoting {
+namespace protocol {
+
+class Authenticator;
+
+class AuthenticationMethod {
+ public:
+  enum Version {
+    // Legacy authentication mechanism.
+    // TODO(sergeyu): Should be removed when we finished switching to
+    // the new version (at which point this enum may be removed).
+    // crbug.com/110483
+    VERSION_1,
+
+    // The new SPAKE2-based authentication.
+    VERSION_2,
+  };
+
+  enum HashFunction {
+    NONE,
+    HMAC_SHA256,
+  };
+
+  // Constructors for various authentication methods.
+  static AuthenticationMethod Invalid();
+  static AuthenticationMethod V1Token();
+  static AuthenticationMethod Spake2(HashFunction hash_function);
+
+  // Parses a string that defines an authentication method. Returns an
+  // invalid value if the string is invalid.
+  static AuthenticationMethod FromString(const std::string& value);
+
+  // Returns true
+  bool is_valid() const { return !invalid_; }
+
+  // Following methods are valid only when is_valid() returns true.
+
+  // Version of the authentication protocol.
+  Version version() const ;
+
+  // Hash function applied to the shared secret on both ends.
+  HashFunction hash_function() const;
+
+  // Returns string representation of the value stored in this object.
+  const std::string ToString() const;
+
+  // Applies the current hash function to |shared_secret| with the
+  // specified |tag| as a key.
+  std::string ApplyHashFunction(const std::string& tag,
+                                const std::string& shared_secret);
+
+  // Creates client authenticator using the specified parameters.
+  scoped_ptr<Authenticator> CreateAuthenticator(
+      const std::string& local_jid,
+      const std::string& tag,
+      const std::string& shared_secret);
+
+ private:
+  AuthenticationMethod();
+  AuthenticationMethod(Version version,
+                       HashFunction hash_function);
+
+  bool invalid_;
+  Version version_;
+  HashFunction hash_function_;
+};
+
+}  // namespace protocol
+}  // namespace remoting
+
+#endif  // REMOTING_PROTOCOL_AUTHENTICATION_METHOD_H_
diff --git a/remoting/protocol/connection_to_host.cc b/remoting/protocol/connection_to_host.cc
index 879e1b2..ca89b44 100644
--- a/remoting/protocol/connection_to_host.cc
+++ b/remoting/protocol/connection_to_host.cc
@@ -12,12 +12,12 @@
 #include "remoting/jingle_glue/javascript_signal_strategy.h"
 #include "remoting/jingle_glue/xmpp_signal_strategy.h"
 #include "remoting/protocol/auth_util.h"
+#include "remoting/protocol/authenticator.h"
 #include "remoting/protocol/client_control_dispatcher.h"
 #include "remoting/protocol/client_event_dispatcher.h"
 #include "remoting/protocol/client_stub.h"
 #include "remoting/protocol/jingle_session_manager.h"
 #include "remoting/protocol/pepper_session_manager.h"
-#include "remoting/protocol/v1_authenticator.h"
 #include "remoting/protocol/video_reader.h"
 #include "remoting/protocol/video_stub.h"
 #include "remoting/protocol/util.h"
@@ -51,24 +51,24 @@ HostStub* ConnectionToHost::host_stub() {
 }
 
 void ConnectionToHost::Connect(scoped_refptr<XmppProxy> xmpp_proxy,
-                               const std::string& your_jid,
+                               const std::string& local_jid,
                                const std::string& host_jid,
                                const std::string& host_public_key,
-                               const std::string& access_code,
+                               scoped_ptr<Authenticator> authenticator,
                                HostEventCallback* event_callback,
                                ClientStub* client_stub,
                                VideoStub* video_stub) {
   event_callback_ = event_callback;
   client_stub_ = client_stub;
   video_stub_ = video_stub;
-  access_code_ = access_code;
+  authenticator_ = authenticator.Pass();
 
   // Save jid of the host. The actual connection is created later after
   // |signal_strategy_| is connected.
   host_jid_ = host_jid;
   host_public_key_ = host_public_key;
 
-  JavascriptSignalStrategy* strategy = new JavascriptSignalStrategy(your_jid);
+  JavascriptSignalStrategy* strategy = new JavascriptSignalStrategy(local_jid);
   strategy->AttachXmppProxy(xmpp_proxy);
   signal_strategy_.reset(strategy);
   signal_strategy_->AddListener(this);
@@ -126,10 +126,8 @@ void ConnectionToHost::OnSessionManagerReady() {
   // After SessionManager is initialized we can try to connect to the host.
   scoped_ptr<CandidateSessionConfig> candidate_config =
       CandidateSessionConfig::CreateDefault();
-  scoped_ptr<Authenticator> authenticator(
-      new V1ClientAuthenticator(signal_strategy_->GetLocalJid(), access_code_));
   session_ = session_manager_->Connect(
-      host_jid_, authenticator.Pass(), candidate_config.Pass(),
+      host_jid_, authenticator_.Pass(), candidate_config.Pass(),
       base::Bind(&ConnectionToHost::OnSessionStateChange,
                  base::Unretained(this)));
 }
diff --git a/remoting/protocol/connection_to_host.h b/remoting/protocol/connection_to_host.h
index f025a20..16d648b 100644
--- a/remoting/protocol/connection_to_host.h
+++ b/remoting/protocol/connection_to_host.h
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -31,6 +31,7 @@ class VideoPacket;
 
 namespace protocol {
 
+class Authenticator;
 class ClientControlDispatcher;
 class ClientEventDispatcher;
 class ClientStub;
@@ -72,10 +73,10 @@ class ConnectionToHost : public SignalStrategy::Listener,
   virtual ~ConnectionToHost();
 
   virtual void Connect(scoped_refptr<XmppProxy> xmpp_proxy,
-                       const std::string& your_jid,
+                       const std::string& local_jid,
                        const std::string& host_jid,
                        const std::string& host_public_key,
-                       const std::string& access_code,
+                       scoped_ptr<Authenticator> authenticator,
                        HostEventCallback* event_callback,
                        ClientStub* client_stub,
                        VideoStub* video_stub);
@@ -129,7 +130,7 @@ class ConnectionToHost : public SignalStrategy::Listener,
 
   std::string host_jid_;
   std::string host_public_key_;
-  std::string access_code_;
+  scoped_ptr<Authenticator> authenticator_;
 
   HostEventCallback* event_callback_;
 
diff --git a/remoting/remoting.gyp b/remoting/remoting.gyp
index d1991b8..a4dc8c3 100644
--- a/remoting/remoting.gyp
+++ b/remoting/remoting.gyp
@@ -748,6 +748,8 @@
       'sources': [
         'protocol/auth_util.cc',
         'protocol/auth_util.h',
+        'protocol/authentication_method.cc',
+        'protocol/authentication_method.h',
         'protocol/authenticator.cc',
         'protocol/authenticator.h',
         'protocol/buffered_socket_writer.cc',
diff --git a/remoting/webapp/client_screen.js b/remoting/webapp/client_screen.js
index 06ad729..3577f79 100644
--- a/remoting/webapp/client_screen.js
+++ b/remoting/webapp/client_screen.js
@@ -288,7 +288,7 @@ function startSession_() {
   remoting.clientSession =
       new remoting.ClientSession(
           remoting.hostJid, remoting.hostPublicKey,
-          remoting.accessCode,
+          remoting.accessCode, "v1_token", "",
           /** @type {string} */ (remoting.oauth2.getCachedEmail()),
           remoting.ClientSession.Mode.IT2ME,
           onClientStateChange_);
@@ -462,7 +462,8 @@ function connectMe2MeWithAccessToken_(token) {
     remoting.clientSession =
         new remoting.ClientSession(
             remoting.hostJid, remoting.hostPublicKey,
-            pin, /** @type {string} */ (remoting.oauth2.getCachedEmail()),
+            pin, "v1_token", remoting.hostId,
+            /** @type {string} */ (remoting.oauth2.getCachedEmail()),
             remoting.ClientSession.Mode.ME2ME, onClientStateChange_);
     remoting.clientSession.createPluginAndConnect(
         document.getElementById('session-mode'),
diff --git a/remoting/webapp/client_session.js b/remoting/webapp/client_session.js
index a449453..f1bd19b 100644
--- a/remoting/webapp/client_session.js
+++ b/remoting/webapp/client_session.js
@@ -20,8 +20,12 @@ var remoting = remoting || {};
  * @param {string} hostJid The jid of the host to connect to.
  * @param {string} hostPublicKey The base64 encoded version of the host's
  *     public key.
- * @param {string} authenticationCode The access code for IT2Me or the
- *     PIN for Me2Me.
+ * @param {string} sharedSecret The access code for IT2Me or the PIN
+ *     for Me2Me.
+ * @param {string} authenticationMethods Comma-separated list of
+ *     authentication methods the client should attempt to use.
+ * @param {string} authenticationTag A host-specific tag to mix into
+ *     authentication hashes.
  * @param {string} email The username for the talk network.
  * @param {remoting.ClientSession.Mode} mode The mode of this connection.
  * @param {function(remoting.ClientSession.State,
@@ -29,13 +33,16 @@ var remoting = remoting || {};
  *     The callback to invoke when the session changes state.
  * @constructor
  */
-remoting.ClientSession = function(hostJid, hostPublicKey, authenticationCode,
+remoting.ClientSession = function(hostJid, hostPublicKey, sharedSecret,
+                                  authenticationMethods, authenticationTag,
                                   email, mode, onStateChange) {
   this.state = remoting.ClientSession.State.CREATED;
 
   this.hostJid = hostJid;
   this.hostPublicKey = hostPublicKey;
-  this.authenticationCode = authenticationCode;
+  this.sharedSecret = sharedSecret;
+  this.authenticationMethods = authenticationMethods;
+  this.authenticationTag = authenticationTag;
   this.email = email;
   this.mode = mode;
   this.clientJid = '';
@@ -114,7 +121,7 @@ remoting.ClientSession.prototype.error =
  * @const
  * @private
  */
-remoting.ClientSession.prototype.API_VERSION_ = 3;
+remoting.ClientSession.prototype.API_VERSION_ = 4;
 
 /**
  * The oldest API version that we support.
@@ -124,7 +131,7 @@ remoting.ClientSession.prototype.API_VERSION_ = 3;
  * @const
  * @private
  */
-remoting.ClientSession.prototype.API_MIN_VERSION_ = 1;
+remoting.ClientSession.prototype.API_MIN_VERSION_ = 2;
 
 /**
  * The id of the client plugin
@@ -339,8 +346,16 @@ remoting.ClientSession.prototype.connectPluginToWcs_ =
     }
   }
   remoting.wcs.setOnIq(onIq);
-  that.plugin.connect(this.hostJid, this.hostPublicKey, this.clientJid,
-                      this.authenticationCode);
+  if (that.plugin.apiVersion < 4) {
+    // Client plugin versions prior to 4 didn't support the last two
+    // parameters.
+    that.plugin.connect(this.hostJid, this.hostPublicKey, this.clientJid,
+                        this.sharedSecret);
+  } else {
+    that.plugin.connect(this.hostJid, this.hostPublicKey, this.clientJid,
+                        this.sharedSecret, this.authenticationMethods,
+                        this.authenticationTag);
+  }
 };
 
 /**
diff --git a/remoting/webapp/viewer_plugin_proto.js b/remoting/webapp/viewer_plugin_proto.js
index 18d6461..63a865b 100644
--- a/remoting/webapp/viewer_plugin_proto.js
+++ b/remoting/webapp/viewer_plugin_proto.js
@@ -26,12 +26,17 @@ remoting.ViewerPlugin.prototype.releaseAllKeys = function() {};
  * @param {string} hostJid The host's JID.
  * @param {string} hostPublicKey The host's public key.
  * @param {string} clientJid The client's JID.
- * @param {string} authenticationCode The access code for IT2Me or the
- * PIN for Me2Me.
+ * @param {string} sharedSecret The access code for IT2Me or the
+ *     PIN for Me2Me.
+ * @param {string=} authenticationMethods Comma-separated list of
+ *     authentication methods the client should attempt to use.
+ * @param {string=} authenticationTag A host-specific tag to mix into
+ *     authentication hashes.
  * @return {void} Nothing.
 */
 remoting.ViewerPlugin.prototype.connect =
-    function(hostJid, hostPublicKey, clientJid, authenticationCode) {};
+    function(hostJid, hostPublicKey, clientJid, sharedSecret,
+             authenticationMethod, authenticationTag) {};
 
 /** @type {function(number, number): void} State change callback function. */
 remoting.ViewerPlugin.prototype.connectionInfoUpdate;