Add unit tests for NTLMv1 portable implementation

net/http/http_auth_handler_ntlm_portable_unittest.cc

+// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/http/http_auth_handler_ntlm.h"
+
+#include <string>
+
+#include "base/base64.h"
+#include "base/memory/ptr_util.h"
+#include "base/strings/string_util.h"
+#include "base/strings/utf_string_conversions.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_completion_callback.h"
+#include "net/dns/mock_host_resolver.h"
+#include "net/http/http_auth_challenge_tokenizer.h"
+#include "net/http/http_request_info.h"
+#include "net/http/mock_allow_http_auth_preferences.h"
+#include "net/http/ntlm.h"
+#include "net/http/ntlm_buffer_reader.h"
+#include "net/http/ntlm_buffer_writer.h"
+#include "net/http/ntlm_client.h"
+#include "net/log/net_log_with_source.h"
+#include "net/ssl/ssl_info.h"
+#include "net/test/gtest_util.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "testing/platform_test.h"
+
+using net::test::IsError;
+using net::test::IsOk;
+
+namespace net {
+
+#if defined(NTLM_PORTABLE)
+
+class HttpAuthHandlerNtlmPortableTest : public PlatformTest {
+ public:
+  HttpAuthHandlerNtlmPortableTest()
+      : domain_ascii_("THEDOMAIN"),
+        user_ascii_("someuser"),
+        password_ascii_("password") {
+    http_auth_preferences_.reset(new MockAllowHttpAuthPreferences());
+    factory_.reset(new HttpAuthHandlerNTLM::Factory());
+    factory_->set_http_auth_preferences(http_auth_preferences_.get());
+    creds_ =
+        AuthCredentials(base::ASCIIToUTF16(domain_ascii_ + "\\" + user_ascii_),
+                        base::ASCIIToUTF16(password_ascii_));
+  }
+
+  int CreateHandler() {
+    GURL gurl("https://foo.com");
+    SSLInfo null_ssl_info;
+
+    return factory_->CreateAuthHandlerFromString(
+        "NTLM", HttpAuth::AUTH_SERVER, null_ssl_info, gurl, NetLogWithSource(),
+        &auth_handler_);
+  }
+
+  std::string CreateType2Token(base::StringPiece message) {
+    std::string output;
+    base::Base64Encode(message, &output);
+
+    return "NTLM " + output;
+  }
+
+  void HandleAnotherChallenge(const std::string& challenge,
+                              HttpAuth::AuthorizationResult expected_result) {
+    HttpAuthChallengeTokenizer tokenizer(challenge.begin(), challenge.end());
+    EXPECT_EQ(expected_result,
+              GetAuthHandler()->HandleAnotherChallenge(&tokenizer));
+  }
+
+  void HandleAnotherChallenge(const std::string& challenge) {
+    HandleAnotherChallenge(challenge, HttpAuth::AUTHORIZATION_RESULT_ACCEPT);
+  }
+
+  bool DecodeChallenge(const std::string& challenge, std::string* decoded) {
+    HttpAuthChallengeTokenizer tokenizer(challenge.begin(), challenge.end());
+    return base::Base64Decode(tokenizer.base64_param(), decoded);
+  }
+
+  int GenerateAuthToken(std::string* token) {
+    TestCompletionCallback callback;
+    HttpRequestInfo request_info;
+    return callback.GetResult(GetAuthHandler()->GenerateAuthToken(
+        GetCreds(), &request_info, callback.callback(), token));
+  }
+
+  int GetGenerateAuthTokenResult() {
+    std::string token;
+    return GenerateAuthToken(&token);
+  }
+
+  AuthCredentials* GetCreds() { return &creds_; }
+
+  HttpAuthHandlerNTLM* GetAuthHandler() {
+    return static_cast<HttpAuthHandlerNTLM*>(auth_handler_.get());
+  }
+
+  static void MockRandom(uint8_t* output, size_t n) {
+    static const uint8_t bytes[] = {0x55, 0x29, 0x66, 0x26,
+                                    0x6b, 0x9c, 0x73, 0x54};
+    static size_t current_byte = 0;
+    for (size_t i = 0; i < n; ++i) {
+      output[i] = bytes[current_byte++];
+      current_byte %= arraysize(bytes);
+    }
+  }
+
+  static std::string MockGetHostName() { return "MYHOSTNAME"; }
+
+ protected:
+  const std::string domain_ascii_;
+  const std::string user_ascii_;
+  const std::string password_ascii_;
+
+ private:
+  AuthCredentials creds_;
+  std::unique_ptr<HttpAuthHandler> auth_handler_;
+  std::unique_ptr<MockAllowHttpAuthPreferences> http_auth_preferences_;
+  std::unique_ptr<HttpAuthHandlerNTLM::Factory> factory_;
+};
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, SimpleConstruction) {
+  EXPECT_EQ(OK, CreateHandler());
+  ASSERT_TRUE(GetAuthHandler() != nullptr);
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, DoNotAllowDefaultCreds) {
+  EXPECT_EQ(OK, CreateHandler());
+  EXPECT_FALSE(GetAuthHandler()->AllowsDefaultCredentials());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, AllowsExplicitCredentials) {
+  EXPECT_EQ(OK, CreateHandler());
+  EXPECT_TRUE(GetAuthHandler()->AllowsExplicitCredentials());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, VerifyType1Message) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  std::string token;
+  EXPECT_EQ(OK, GenerateAuthToken(&token));
+  // The type 1 message generated is always the same. The only variable
+  // part of the message is the flags and Chrome always offers the same
+  // set of flags.
+  EXPECT_EQ("NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=", token);
+
+  // Poke into the message to verify the fields inside are expected.
+  std::string decoded;
+  EXPECT_TRUE(DecodeChallenge(token, &decoded));
+
+  NtlmBufferReader reader(decoded);
+  EXPECT_TRUE(reader.MatchMessageHeader(ntlm::MESSAGE_NEGOTIATE));
+  uint32_t flags;
+  EXPECT_TRUE(reader.ReadUInt32(&flags));
+  EXPECT_EQ(ntlm::NEGOTIATE_MESSAGE_FLAGS, flags);
+  EXPECT_TRUE(reader.MatchEmptySecurityBuffer());
+  EXPECT_TRUE(reader.MatchEmptySecurityBuffer());
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, EmptyTokenFails) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  // The encoded token for a type 2 message can't be empty.
+  HandleAnotherChallenge("NTLM", HttpAuth::AUTHORIZATION_RESULT_REJECT);
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, InvalidBase64Encoding) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Token isn't valid base64.
+  HandleAnotherChallenge("NTLM !!!!!!!!!!!!!");
+  EXPECT_EQ(ERR_UNEXPECTED, GetGenerateAuthTokenResult());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, CantChangeSchemeMidway) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Can't switch to a different auth scheme in the middle of the process.
+  HandleAnotherChallenge(
+      "Negotiate "
+      "TlRMTVNTUAACAAAADAAMADgAAAAFgokCXziKeNIPIDYAAAAAAAAAAIYAhgBEAAAABgOAJQAA"
+      "AA9aAEUATgBEAE8ATQACAAwAWgBFAE4ARABPAE0AAQAMAFoARQBOAEQAQwAxAAQAFAB6AGUA"
+      "bgBkAG8AbQAuAGwAbwBjAAMAIgBaAGUAbgBEAEMAMQAuAHoAZQBuAGQAbwBtAC4AbABvAGMA"
+      "BQAUAHoAZQBuAGQAbwBtAC4AbABvAGMABwAIAN6N+IxGwNIBAAAAAA==",
+      HttpAuth::AUTHORIZATION_RESULT_INVALID);
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, Type2MessageTooShort) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Fail because the minimum size valid message is 32 bytes.
+  char raw[31];
+  HandleAnotherChallenge(CreateType2Token(base::StringPiece(raw, sizeof(raw))));
+  EXPECT_EQ(ERR_UNEXPECTED, GetGenerateAuthTokenResult());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, Type2MessageNoSig) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Fail because the first bytes don't match "NTLMSSP\0"
+  char raw[32];
+  memset(raw, 0, ntlm::SIGNATURE_LEN);
+  HandleAnotherChallenge(CreateType2Token(base::StringPiece(raw, sizeof(raw))));
+  EXPECT_EQ(ERR_UNEXPECTED, GetGenerateAuthTokenResult());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, Type2WrongMessageType) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Fail because the message type should be MESSAGE_CHALLENGE (0x00000002)
+  NtlmBufferWriter writer(32);
+  writer.WriteMessageHeader(ntlm::MESSAGE_NEGOTIATE);
+
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(ERR_UNEXPECTED, GetGenerateAuthTokenResult());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, MinimalStructurallyValidType2) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  NtlmBufferWriter writer(32);
+  writer.WriteMessageHeader(ntlm::MESSAGE_CHALLENGE);
+
+  // A message with both length and offset equal zero is not forbidden
+  // by the spec (2.2.1.2) however it is not what is recommended.
+  // But test it anyway.
+  writer.WriteEmptySecurityBuffer();
+
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(OK, GetGenerateAuthTokenResult());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, Type2MessageWithNoTargetName) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  NtlmBufferWriter writer(32);
+  writer.WriteMessageHeader(ntlm::MESSAGE_CHALLENGE);
+
+  // The spec (2.2.1.2) states that the length SHOULD be 0 and the
+  // offset SHOULD be where the payload would be if it was present.
+  // This is the expected response from a compliant server when
+  // no target name is sent. In reality the offset should always
+  // be ignored if the length is zero. Also implementations often
+  // just write zeros.
+  writer.WriteSecurityBuffer(ntlm::SecurityBuffer(32, 0));
+
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(OK, GetGenerateAuthTokenResult());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, Type2MessageWithTargetName) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  // One extra byte is provided for target name.
+  NtlmBufferWriter writer(33);
+  writer.WriteMessageHeader(ntlm::MESSAGE_CHALLENGE);
+
+  // The target name field is 1 byte long.
+  writer.WriteSecurityBuffer(ntlm::SecurityBuffer(32, 1));
+
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(OK, GetGenerateAuthTokenResult());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, NoTargetNameOverflowFromOffset) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  NtlmBufferWriter writer(32);
+  writer.WriteMessageHeader(ntlm::MESSAGE_CHALLENGE);
+
+  // Claim that the target name field is 1 byte long and outside
+  // the buffer.
+  writer.WriteSecurityBuffer(ntlm::SecurityBuffer(32, 1));
+
+  // The above malformed message could cause an implementation
+  // to read outside the message buffer because the offset is
+  // past the end of the message. Verify it gets rejected.
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(ERR_UNEXPECTED, GetGenerateAuthTokenResult());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, NoTargetNameOverflowFromLength) {
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Message has 1 extra byte of space after the header for the
+  // target name.
+  NtlmBufferWriter writer(33);
+  writer.WriteMessageHeader(ntlm::MESSAGE_CHALLENGE);
+  // Claim that the target name field is 2 bytes long but
+  // there is only 1 byte of space.
+  writer.WriteSecurityBuffer(ntlm::SecurityBuffer(32, 2));
+
+  // The above malformed message could cause an implementation
+  // to read outside the message buffer because the length is
+  // longer than available space. Verify it gets rejected.
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(ERR_UNEXPECTED, GetGenerateAuthTokenResult());
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, Type3RespectsUnicode) {
+  HttpAuthHandlerNTLM::ScopedProcSetter proc_setter(MockRandom,
+                                                    MockGetHostName);
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Generate the type 2 message from the server.
+  NtlmBufferWriter writer(32);
+  writer.WriteMessageHeader(ntlm::MESSAGE_CHALLENGE);
+  // No target name. Chrome doesn't use it anyway.
+  writer.WriteEmptySecurityBuffer();
+  // Set the unicode flag.
+  writer.WriteUInt32(ntlm::NTLMSSP_NEGOTIATE_UNICODE);
+
+  std::string token;
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(OK, GenerateAuthToken(&token));
+
+  // Validate the type 3 message
+  std::string decoded;
+  EXPECT_TRUE(DecodeChallenge(token, &decoded));
+  NtlmBufferReader reader(decoded);
+  EXPECT_TRUE(reader.MatchMessageHeader(ntlm::MESSAGE_AUTHENTICATE));
+
+  // Skip the LM and NTLM Hash fields. This test isn't testing that.
+  EXPECT_TRUE(reader.SkipSecurityBuffer());
+  EXPECT_TRUE(reader.SkipSecurityBuffer());
+  base::string16 domain;
+  base::string16 username;
+  base::string16 hostname;
+  EXPECT_TRUE(reader.ReadUnicodePayload(&domain));
+  EXPECT_EQ(base::ASCIIToUTF16(domain_ascii_), domain);
+  EXPECT_TRUE(reader.ReadUnicodePayload(&username));
+  EXPECT_EQ(base::ASCIIToUTF16(user_ascii_), username);
+  EXPECT_TRUE(reader.ReadUnicodePayload(&hostname));
+  EXPECT_EQ(base::ASCIIToUTF16(MockGetHostName()), hostname);
+
+  // Skip the session key which isn't used.
+  EXPECT_TRUE(reader.SkipSecurityBufferWithValidation());
+
+  // Verify the unicode flag is set.
+  uint32_t flags;
+  EXPECT_TRUE(reader.ReadUInt32(&flags));
+  EXPECT_EQ(ntlm::NTLMSSP_NEGOTIATE_UNICODE,
+            flags & ntlm::NTLMSSP_NEGOTIATE_UNICODE);
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, Type3WithoutUnicode) {
+  HttpAuthHandlerNTLM::ScopedProcSetter proc_setter(MockRandom,
+                                                    MockGetHostName);
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Generate the type 2 message from the server.
+  NtlmBufferWriter writer(32);
+  writer.WriteMessageHeader(ntlm::MESSAGE_CHALLENGE);
+  // No target name. Chrome doesn't use it anyway.
+  writer.WriteEmptySecurityBuffer();
+  // Set the OEM flag.
+  writer.WriteUInt32(ntlm::NTLMSSP_NEGOTIATE_OEM);
+
+  std::string token;
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(OK, GenerateAuthToken(&token));
+
+  // Validate the type 3 message
+  std::string decoded;
+  EXPECT_TRUE(DecodeChallenge(token, &decoded));
+  NtlmBufferReader reader(decoded);
+  EXPECT_TRUE(reader.MatchMessageHeader(ntlm::MESSAGE_AUTHENTICATE));
+
+  // Skip the 2 hash fields. This test isn't testing that.
+  EXPECT_TRUE(reader.SkipSecurityBufferWithValidation());
+  EXPECT_TRUE(reader.SkipSecurityBufferWithValidation());
+  std::string domain;
+  std::string username;
+  std::string hostname;
+  EXPECT_TRUE(reader.ReadAsciiPayload(&domain));
+  EXPECT_EQ(domain_ascii_, domain);
+  EXPECT_TRUE(reader.ReadAsciiPayload(&username));
+  EXPECT_EQ(user_ascii_, username);
+  EXPECT_TRUE(reader.ReadAsciiPayload(&hostname));
+  EXPECT_EQ(MockGetHostName(), hostname);
+
+  // Skip the session key which isn't used.
+  EXPECT_TRUE(reader.SkipSecurityBufferWithValidation());
+
+  // Verify the unicode flag is not set and OEM flag is.
+  uint32_t flags;
+  EXPECT_TRUE(reader.ReadUInt32(&flags));
+  EXPECT_EQ(0u, flags & ntlm::NTLMSSP_NEGOTIATE_UNICODE);
+  EXPECT_EQ(ntlm::NTLMSSP_NEGOTIATE_OEM, flags & ntlm::NTLMSSP_NEGOTIATE_OEM);
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, Type3UnicodeNoSessionSecurity) {
+  // Verify that the client won't be downgraded if the server clears
+  // the session security flag.
+  HttpAuthHandlerNTLM::ScopedProcSetter proc_setter(MockRandom,
+                                                    MockGetHostName);
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Generate the type 2 message from the server.
+  NtlmBufferWriter writer(32);
+  EXPECT_TRUE(writer.WriteMessageHeader(ntlm::MESSAGE_CHALLENGE));
+  // No target name. Chrome doesn't use it anyway.
+  EXPECT_TRUE(writer.WriteEmptySecurityBuffer());
+  // Set the unicode but not the session security flag.
+  EXPECT_TRUE(writer.WriteUInt32(ntlm::NTLMSSP_NEGOTIATE_UNICODE));
+
+  uint8_t server_challenge[] = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
+  EXPECT_EQ(arraysize(server_challenge), ntlm::CHALLENGE_LEN);
+  EXPECT_TRUE(writer.WriteBytes(server_challenge, ntlm::CHALLENGE_LEN));
+  EXPECT_TRUE(writer.IsEndOfBuffer());
+
+  std::string token;
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(OK, GenerateAuthToken(&token));
+
+  // Validate the type 3 message
+  std::string decoded;
+  EXPECT_TRUE(DecodeChallenge(token, &decoded));
+  NtlmBufferReader reader(decoded);
+  EXPECT_TRUE(reader.MatchMessageHeader(ntlm::MESSAGE_AUTHENTICATE));
+
+  // Read the LM and NTLM Response Payloads.
+  uint8_t expected_lm_response[ntlm::RESPONSE_V1_LEN];
+  uint8_t expected_ntlm_response[ntlm::RESPONSE_V1_LEN];
+  uint8_t actual_lm_response[ntlm::RESPONSE_V1_LEN];
+  uint8_t actual_ntlm_response[ntlm::RESPONSE_V1_LEN];
+
+  EXPECT_TRUE(
+      reader.ReadBytesPayload(actual_lm_response, ntlm::RESPONSE_V1_LEN));
+  EXPECT_TRUE(
+      reader.ReadBytesPayload(actual_ntlm_response, ntlm::RESPONSE_V1_LEN));
+
+  // Session security also uses a client generated challenge so
+  // use the mock to get the same value that the implementation
+  // would get.
+  uint8_t client_challenge[ntlm::CHALLENGE_LEN];
+  MockRandom(client_challenge, ntlm::CHALLENGE_LEN);
+
+  ntlm::GenerateResponsesV1WithSS(base::ASCIIToUTF16(password_ascii_),
+                                  server_challenge, client_challenge,
+                                  expected_lm_response, expected_ntlm_response);
+
+  // Verify that the client still generated a response that uses
+  // session security.
+  EXPECT_EQ(0, memcmp(expected_lm_response, actual_lm_response,
+                      ntlm::RESPONSE_V1_LEN));
+  EXPECT_EQ(0, memcmp(expected_ntlm_response, actual_ntlm_response,
+                      ntlm::RESPONSE_V1_LEN));
+
+  base::string16 domain;
+  base::string16 username;
+  base::string16 hostname;
+  EXPECT_TRUE(reader.ReadUnicodePayload(&domain));
+  EXPECT_EQ(base::ASCIIToUTF16(domain_ascii_), domain);
+  EXPECT_TRUE(reader.ReadUnicodePayload(&username));
+  EXPECT_EQ(base::ASCIIToUTF16(user_ascii_), username);
+  EXPECT_TRUE(reader.ReadUnicodePayload(&hostname));
+  EXPECT_EQ(base::ASCIIToUTF16(MockGetHostName()), hostname);
+
+  // Skip the session key which isn't used.
+  EXPECT_TRUE(reader.SkipSecurityBufferWithValidation());
+
+  // Verify the unicode flag is set.
+  uint32_t flags;
+  EXPECT_TRUE(reader.ReadUInt32(&flags));
+  EXPECT_EQ(ntlm::NTLMSSP_NEGOTIATE_UNICODE,
+            flags & ntlm::NTLMSSP_NEGOTIATE_UNICODE);
+}
+
+TEST_F(HttpAuthHandlerNtlmPortableTest, Type3UnicodeWithSessionSecurity) {
+  HttpAuthHandlerNTLM::ScopedProcSetter proc_setter(MockRandom,
+                                                    MockGetHostName);
+  EXPECT_EQ(OK, CreateHandler());
+
+  // Generate the type 2 message from the server.
+  NtlmBufferWriter writer(32);
+  EXPECT_TRUE(writer.WriteMessageHeader(ntlm::MESSAGE_CHALLENGE));
+  // No target name. Chrome doesn't use it anyway.
+  EXPECT_TRUE(writer.WriteEmptySecurityBuffer());
+  // Set the unicode and session security flag.
+  EXPECT_TRUE(
+      writer.WriteUInt32(ntlm::NTLMSSP_NEGOTIATE_UNICODE |
+                         ntlm::NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY));
+
+  uint8_t server_challenge[] = {0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17};
+  EXPECT_EQ(arraysize(server_challenge), ntlm::CHALLENGE_LEN);
+  EXPECT_TRUE(writer.WriteBytes(server_challenge, ntlm::CHALLENGE_LEN));
+  EXPECT_TRUE(writer.IsEndOfBuffer());
+
+  std::string token;
+  HandleAnotherChallenge(CreateType2Token(writer.GetBuffer()));
+  EXPECT_EQ(OK, GenerateAuthToken(&token));
+
+  // Validate the type 3 message
+  std::string decoded;
+  EXPECT_TRUE(DecodeChallenge(token, &decoded));
+  NtlmBufferReader reader(decoded);
+  EXPECT_TRUE(reader.MatchMessageHeader(ntlm::MESSAGE_AUTHENTICATE));
+
+  // Read the LM and NTLM Response Payloads.
+  uint8_t expected_lm_response[ntlm::RESPONSE_V1_LEN];
+  uint8_t expected_ntlm_response[ntlm::RESPONSE_V1_LEN];
+  uint8_t actual_lm_response[ntlm::RESPONSE_V1_LEN];
+  uint8_t actual_ntlm_response[ntlm::RESPONSE_V1_LEN];
+
+  EXPECT_TRUE(
+      reader.ReadBytesPayload(actual_lm_response, ntlm::RESPONSE_V1_LEN));
+  EXPECT_TRUE(
+      reader.ReadBytesPayload(actual_ntlm_response, ntlm::RESPONSE_V1_LEN));
+
+  // Session security also uses a client generated challenge so
+  // use the mock to get the same value that the implementation
+  // would get.
+  uint8_t client_challenge[ntlm::CHALLENGE_LEN];
+  MockRandom(client_challenge, ntlm::CHALLENGE_LEN);
+
+  ntlm::GenerateResponsesV1WithSS(base::ASCIIToUTF16(password_ascii_),
+                                  server_challenge, client_challenge,
+                                  expected_lm_response, expected_ntlm_response);
+
+  EXPECT_EQ(0, memcmp(expected_lm_response, actual_lm_response,
+                      ntlm::RESPONSE_V1_LEN));
+  EXPECT_EQ(0, memcmp(expected_ntlm_response, actual_ntlm_response,
+                      ntlm::RESPONSE_V1_LEN));
+
+  base::string16 domain;
+  base::string16 username;
+  base::string16 hostname;
+  EXPECT_TRUE(reader.ReadUnicodePayload(&domain));
+  EXPECT_EQ(base::ASCIIToUTF16(domain_ascii_), domain);
+  EXPECT_TRUE(reader.ReadUnicodePayload(&username));
+  EXPECT_EQ(base::ASCIIToUTF16(user_ascii_), username);
+  EXPECT_TRUE(reader.ReadUnicodePayload(&hostname));
+  EXPECT_EQ(base::ASCIIToUTF16(MockGetHostName()), hostname);
+
+  // Skip the session key which isn't used.
+  EXPECT_TRUE(reader.SkipSecurityBufferWithValidation());
+
+  // Verify the unicode flag is set.
+  uint32_t flags;
+  EXPECT_TRUE(reader.ReadUInt32(&flags));
+  EXPECT_EQ(ntlm::NTLMSSP_NEGOTIATE_UNICODE,
+            flags & ntlm::NTLMSSP_NEGOTIATE_UNICODE);
+}
+
+#endif  // defined(NTLM_PORTABLE)
+
+}  // namespace net