Add unit tests for NTLMv1 portable implementation

net/http/ntlm_client_unittest.cc

Index: net/http/ntlm_client_unittest.cc
diff --git a/net/http/ntlm_client_unittest.cc b/net/http/ntlm_client_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..0d60a8d1a5e6b9980aa1a9ba931dd903052e28b6
--- /dev/null
+++ b/net/http/ntlm_client_unittest.cc
@@ -0,0 +1,97 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Since many of the static helpers are crypto/hash functions that output
+// a buffer; matching exact results would entail implementing them all
+// again in the tests. So the tests on the low level hashing operations
+// test for other properties of the outputs, such as whether the hashes
+// change, whether they should be zeroed out, or whether they should
+// be the same or different.
+
+#include "net/http/ntlm_client.h"
+
+#include "base/strings/utf_string_conversions.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+namespace ntlm {
+

[asanka, 2017/06/23 21:29:11]

Please use the test vectors in section 4.2 (Cryptographic values for validation)
for these tests.

These tests are okay as smoke tests, but not sufficient to validate
cryptographic operations.

[zentaro, 2017/07/05 17:57:42]

I never even noticed they were there!

+TEST(NtlmClientTest, GenerateNtlmHashV1PasswordChangesHash) {
+  base::string16 password1 = base::UTF8ToUTF16("pwd01");
+  base::string16 password2 = base::UTF8ToUTF16("pwd02");
+  uint8_t hash1[NTLM_HASH_LEN];
+  uint8_t hash2[NTLM_HASH_LEN];
+
+  GenerateNtlmHashV1(password1, hash1);
+  GenerateNtlmHashV1(password2, hash2);
+
+  // Verify that the hash is different with a different password.
+  EXPECT_NE(0, memcmp(hash1, hash2, NTLM_HASH_LEN));
+}
+
+TEST(NtlmClientTest, GenerateResponsesV1ResponsesTheSame) {
+  base::string16 password = base::UTF8ToUTF16("pwd");
+
+  uint8_t lm_response[RESPONSE_V1_LEN];
+  uint8_t ntlm_response[RESPONSE_V1_LEN];
+  uint8_t server_challenge[CHALLENGE_LEN];
+
+  // The lm and ntlm responses should be the same.
+  GenerateResponsesV1(password, server_challenge, lm_response, ntlm_response);
+  EXPECT_EQ(0, memcmp(lm_response, ntlm_response, RESPONSE_V1_LEN));
+}
+
+TEST(NtlmClientTest, GenerateResponsesV1WithSSClientChallengeUsed) {
+  base::string16 password = base::UTF8ToUTF16("pwd");
+
+  uint8_t lm_response1[RESPONSE_V1_LEN];
+  uint8_t lm_response2[RESPONSE_V1_LEN];
+  uint8_t ntlm_response1[RESPONSE_V1_LEN];
+  uint8_t ntlm_response2[RESPONSE_V1_LEN];
+  uint8_t server_challenge[CHALLENGE_LEN];
+  uint8_t client_challenge1[CHALLENGE_LEN];
+  uint8_t client_challenge2[CHALLENGE_LEN];
+
+  memset(client_challenge1, 1, CHALLENGE_LEN);
+  memset(client_challenge2, 2, CHALLENGE_LEN);
+
+  GenerateResponsesV1WithSS(password, server_challenge, client_challenge1,
+                            lm_response1, ntlm_response1);
+  GenerateResponsesV1WithSS(password, server_challenge, client_challenge2,
+                            lm_response2, ntlm_response2);
+
+  // The point of session security is that the client can introduce some
+  // randomness, so verify different client_challenge gives a different result.
+  EXPECT_NE(0, memcmp(lm_response1, lm_response2, RESPONSE_V1_LEN));
+  EXPECT_NE(0, memcmp(ntlm_response1, ntlm_response2, RESPONSE_V1_LEN));
+
+  // With session security the lm and ntlm hash should be different.
+  EXPECT_NE(0, memcmp(lm_response1, ntlm_response1, RESPONSE_V1_LEN));
+  EXPECT_NE(0, memcmp(lm_response2, ntlm_response2, RESPONSE_V1_LEN));
+}
+
+TEST(NtlmClientTest, GenerateResponsesV1WithSSVerifySSUsed) {
+  base::string16 password = base::UTF8ToUTF16("pwd");
+
+  uint8_t lm_response1[RESPONSE_V1_LEN];
+  uint8_t lm_response2[RESPONSE_V1_LEN];
+  uint8_t ntlm_response1[RESPONSE_V1_LEN];
+  uint8_t ntlm_response2[RESPONSE_V1_LEN];
+  uint8_t server_challenge[CHALLENGE_LEN];
+  uint8_t client_challenge[CHALLENGE_LEN];
+
+  memset(client_challenge, 1, CHALLENGE_LEN);
+
+  GenerateResponsesV1WithSS(password, server_challenge, client_challenge,
+                            lm_response1, ntlm_response1);
+  GenerateResponsesV1(password, server_challenge, lm_response2, ntlm_response2);
+
+  // Verify that the responses with session security are not the
+  // same as without it.
+  EXPECT_NE(0, memcmp(lm_response1, lm_response2, RESPONSE_V1_LEN));
+  EXPECT_NE(0, memcmp(ntlm_response1, ntlm_response2, RESPONSE_V1_LEN));
+}
+
+}  // namespace ntlm
+}  // namespace net