
Unified Diff: net/ntlm/ntlm.h

Issue 2873673002: Add unit tests for NTLMv1 portable implementation (Closed)
Patch Set: Merge build config back to net Created 3 years, 5 months ago
Index: net/ntlm/ntlm.h
diff --git a/net/ntlm/ntlm.h b/net/ntlm/ntlm.h
new file mode 100644
index 0000000000000000000000000000000000000000..07c2e4f1ca550d02f9a31f27f2dd5d271bf3f47d
--- /dev/null
+++ b/net/ntlm/ntlm.h
@@ -0,0 +1,129 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Based on [MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol
+// Specification version 28.0 [1]. Additional NTLM reference [2].
+//
+// [1] https://msdn.microsoft.com/en-us/library/cc236621.aspx
+// [2] http://davenport.sourceforge.net/ntlm.html
+
+#ifndef NET_BASE_NTLM_H_
+#define NET_BASE_NTLM_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include <memory>
+
+#include "base/strings/string16.h"
+#include "base/strings/string_piece.h"
+#include "net/base/net_export.h"
+#include "net/ntlm/ntlm_constants.h"
+
+namespace base {
+struct MD5Digest;
+}
+
+namespace net {
+namespace ntlm {
+
+// Generates the NTLMv1 Hash and writes the |NTLM_HASH_LEN| byte result to
+// |hash|. Defined by NTOWFv1() in [MS-NLMP] Section 3.3.1.
+NET_EXPORT_PRIVATE void GenerateNtlmHashV1(const base::string16& password,
+ uint8_t* hash);
+
+// Generates the |RESPONSE_V1_LEN| byte NTLMv1 response field according to the
+// DESL(K, V) function in [MS-NLMP] Section 6.
+//
+// |hash| must contain |NTLM_HASH_LEN| bytes.
+// |challenge| must contain |CHALLENGE_LEN| bytes.
+// |response| must contain |RESPONSE_V1_LEN| bytes.
+NET_EXPORT_PRIVATE void GenerateResponseDesl(const uint8_t* hash,
+ const uint8_t* challenge,
+ uint8_t* response);
+
+// Generates the NTLM Response field for NTLMv1 without extended session
+// security. Defined by ComputeResponse() in [MS-NLMP] Section 3.3.1 for the
+// case where NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is not set.
+// |server_challenge| must contain |CHALLENGE_LEN| bytes.
+// |ntlm_response| must contain |RESPONSE_V1_LEN| bytes.
+NET_EXPORT_PRIVATE void GenerateNtlmResponseV1(const base::string16& password,
+ const uint8_t* server_challenge,
+ uint8_t* ntlm_response);
+
+// Generates both the LM Response and NTLM Response fields for NTLMv1 based
+// on the users password and the servers challenge. Both the LM and NTLM
+// Response are the result of |GenerateNtlmResponseV1|.
+//
+// NOTE: This should not be used. It will only get used in V1 if the
Ryan Sleevi 2017/07/12 17:56:38 This says "should not be used" (which is good, doc
zentaro 2017/07/13 17:10:19 Done.
+// |negotiate_flags_| passed to the constructor omit the
Ryan Sleevi 2017/07/12 17:56:38 "the constructor" ?
zentaro 2017/07/13 17:10:19 Done.
+// NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag.
+//
+// The default flags include this flag and the client will not be
+// downgraded by the server.
+//
+// |server_challenge| must contain |CHALLENGE_LEN| bytes.
+// |lm_response| must contain |RESPONSE_V1_LEN| bytes.
+// |ntlm_response| must contain |RESPONSE_V1_LEN| bytes.
+NET_EXPORT_PRIVATE void GenerateResponsesV1(const base::string16& password,
+ const uint8_t* server_challenge,
+ uint8_t* lm_response,
+ uint8_t* ntlm_response);
+
+// The LM Response in V1 with extended session security is 8 bytes of the
+// |client_challenge| then 16 bytes of zero. This is the value
+// LmChallengeResponse in ComputeResponse() when
+// NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is set. See [MS-NLMP] Section
+// 3.3.1.
+// |lm_response| must contain |RESPONSE_V1_LEN| bytes.
+NET_EXPORT_PRIVATE void GenerateLMResponseV1WithSS(
Ryan Sleevi 2017/07/12 17:56:38 "WithSS", while saving, leaves it ambiguous as to
zentaro 2017/07/13 17:10:20 Done.
+ const uint8_t* client_challenge,
+ uint8_t* lm_response);
+
+// The |session_hash| is MD5(CONCAT(server_challenge, client_challenge)).
+// It is used instead of just |server_challenge| in NTLMv1 when
+// NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is set. See [MS-NLMP] Section
+// 3.3.1.
+//
+// |server_challenge| must contain |CHALLENGE_LEN| bytes.
+// |client_challenge| must contain |CHALLENGE_LEN| bytes.
+NET_EXPORT_PRIVATE void GenerateSessionHashV1WithSS(
+ const uint8_t* server_challenge,
+ const uint8_t* client_challenge,
+ base::MD5Digest* session_hash);
+
+// The NTLM Response algorithm in V1 with extended session security is the
+// the same as without extended session security except the challenge
Ryan Sleevi 2017/07/12 17:56:38 s/security except/security, except/
zentaro 2017/07/13 17:10:20 Done.
+// is the NTLMv1 session hash (See |GenerateSessionHashV1WithSS|) instead of
+// just |server_challenge|. See [MS-NLMP] Section 3.3.1.
Ryan Sleevi 2017/07/12 17:56:38 This reads really weirdly - the "see" and "see" an
zentaro 2017/07/13 17:10:19 Done.
+//
+// |server_challenge| must contain |CHALLENGE_LEN| bytes.
+// |client_challenge| must contain |CHALLENGE_LEN| bytes.
+// |ntlm_response| must contain |RESPONSE_V1_LEN| bytes.
+NET_EXPORT_PRIVATE void GenerateNtlmResponseV1WithSS(
+ const base::string16& password,
+ const uint8_t* server_challenge,
+ const uint8_t* client_challenge,
+ uint8_t* ntlm_response);
+
+// Generates the responses for V1 with extended session security.
+// This is also known as NTLM2 (which is not the same as NTLMv2).
+// |lm_response| is the result of |GenerateLMResponseV1WithSS| and
+// |ntlm_response| is the result of |GenerateNtlmResponseV1WithSS|.
+// See [MS-NLMP] Section 3.3.1.
+//
+// |server_challenge| must contain |CHALLENGE_LEN| bytes.
+// |client_challenge| must contain |CHALLENGE_LEN| bytes.
+// |ntlm_response| must contain |RESPONSE_V1_LEN| bytes.
+NET_EXPORT_PRIVATE void GenerateResponsesV1WithSS(
+ const base::string16& password,
+ const uint8_t* server_challenge,
+ const uint8_t* client_challenge,
+ uint8_t* lm_response,
+ uint8_t* ntlm_response);
+
+} // namespace ntlm
+} // namespace net
+
+#endif // NET_BASE_NTLM_H_
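Review bot: Every buffer in this header is passed as a bare `uint8_t*` whose required size is stated only in the comment above it, and two of those comments are incomplete. The block above `GenerateResponsesV1WithSS` omits `// |lm_response| must contain |RESPONSE_V1_LEN| bytes.` even though `lm_response` is an output parameter, and the block above `GenerateLMResponseV1WithSS` omits `// |client_challenge| must contain |CHALLENGE_LEN| bytes.`. The implementations are not visible here, but they presumably write fixed-length output into caller memory while processing a server-supplied challenge, so an undersized buffer would be an out-of-bounds write that nothing in the signature can catch. Adding the two missing lines closes the documentation gap; a length-carrying parameter type (for example `base::span`, if it is available in this tree) would let the contract be enforced rather than only documented.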
