Add a buffer reader/writer for NTLM.

net/http/ntlm_buffer_reader_unittest.cc

+// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/http/ntlm_buffer_reader.h"
+
+#include "base/macros.h"
+#include "net/http/ntlm.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+TEST(NtlmBufferReaderTest, Initialization) {
+  uint8_t buf[1];
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_EQ(arraysize(buf), reader.GetLength());
+  EXPECT_EQ(0u, reader.GetCursor());
+  EXPECT_FALSE(reader.IsEndOfBuffer());
+  EXPECT_TRUE(reader.CanRead(1));
+  EXPECT_FALSE(reader.CanRead(2));
+  EXPECT_TRUE(reader.CanReadFrom(0, 1));
+  EXPECT_TRUE(reader.CanReadFrom(ntlm::SecurityBuffer(0, 1)));
+  EXPECT_FALSE(reader.CanReadFrom(1, 1));
+  EXPECT_FALSE(reader.CanReadFrom(ntlm::SecurityBuffer(1, 1)));
+  EXPECT_FALSE(reader.CanReadFrom(0, 2));
+  EXPECT_FALSE(reader.CanReadFrom(ntlm::SecurityBuffer(0, 2)));
+}
+
+TEST(NtlmBufferReaderTest, Read16) {
+  uint8_t buf[2];
+  const uint16_t expected = 0x1122;
+  // Little endian.
+  buf[0] = expected & 0xff;

[asanka, 2017/06/08 19:40:09]

Nit: it seems easier to read buf[] was initialized to { 0x22, 0x11 }; here and
elsewhere. That way the reader doesn't need to mentally verify that the buffer
construction in the test is correct.

[zentaro, 2017/06/12 23:12:06]

Done.

+  buf[1] = expected >> 8;
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  uint16_t actual;
+  EXPECT_TRUE(reader.ReadUInt16(&actual));
+  EXPECT_EQ(expected, actual);
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.ReadUInt16(&actual));
+}
+
+TEST(NtlmBufferReaderTest, Read32) {
+  uint8_t buf[4];
+  const uint32_t expected = 0x11223344;
+  // Little endian.
+  buf[0] = expected & 0xff;
+  buf[1] = (expected & 0xff00) >> 8;
+  buf[2] = (expected & 0xff0000) >> 16;
+  buf[3] = (expected & 0xff000000) >> 24;
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  uint32_t actual;
+  EXPECT_TRUE(reader.ReadUInt32(&actual));
+  EXPECT_EQ(expected, actual);
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.ReadUInt32(&actual));
+}
+
+TEST(NtlmBufferReaderTest, Read64) {
+  uint8_t buf[8];
+  const uint64_t expected = 0x1122334455667788;
+  // Little endian.
+  buf[0] = expected & 0xff;
+  buf[1] = (expected & 0xff00) >> 8;
+  buf[2] = (expected & 0xff0000) >> 16;
+  buf[3] = (expected & 0xff000000) >> 24;
+  buf[4] = (expected & 0xff00000000) >> 32;
+  buf[5] = (expected & 0xff0000000000) >> 40;
+  buf[6] = (expected & 0xff000000000000) >> 48;
+  buf[7] = expected >> 56;
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  uint64_t actual;
+  EXPECT_TRUE(reader.ReadUInt64(&actual));
+  EXPECT_EQ(expected, actual);
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.ReadUInt64(&actual));
+}
+
+TEST(NtlmBufferReaderTest, ReadBytes) {
+  uint8_t expected[8];
+  uint8_t actual[8];
+
+  expected[0] = 0x11;
+  expected[1] = 0x22;
+  expected[2] = 0x33;
+  expected[3] = 0x44;
+  expected[4] = 0x55;
+  expected[5] = 0x66;
+  expected[6] = 0x77;
+  expected[7] = 0x88;
+
+  NtlmBufferReader reader(expected, arraysize(expected));
+
+  EXPECT_TRUE(reader.ReadBytes(actual, arraysize(actual)));
+  EXPECT_EQ(0, memcmp(actual, expected, arraysize(actual)));
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.ReadBytes(actual, 1));
+}
+
+TEST(NtlmBufferReaderTest, ReadSecurityBuffer) {
+  uint8_t buf[8];
+  uint16_t length = 0x1122;
+  uint16_t allocated = 0x3344;
+  uint32_t offset = 0x55667788;
+
+  buf[0] = length & 0xff;
+  buf[1] = length >> 8;
+  buf[2] = allocated & 0xff;
+  buf[3] = allocated >> 8;
+  buf[4] = offset & 0xff;
+  buf[5] = (offset & 0xff00) >> 8;
+  buf[6] = (offset & 0xff0000) >> 16;
+  buf[7] = (offset & 0xff000000) >> 24;
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  ntlm::SecurityBuffer sec_buf;
+  EXPECT_TRUE(reader.ReadSecurityBuffer(&sec_buf));
+  EXPECT_EQ(length, sec_buf.length);
+  EXPECT_EQ(offset, sec_buf.offset);
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.ReadSecurityBuffer(&sec_buf));
+}
+
+TEST(NtlmBufferReaderTest, ReadSecurityBufferPastEob) {
+  uint8_t buf[7];
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  ntlm::SecurityBuffer sec_buf;
+  EXPECT_FALSE(reader.ReadSecurityBuffer(&sec_buf));

[asanka, 2017/06/08 19:40:09]

Check cursor for failing Read* calls? Here and elsewhere.

[zentaro, 2017/06/12 23:12:06]

Done.

+}
+
+TEST(NtlmBufferReaderTest, ReadAsciiString) {
+  uint8_t buf[8];
+  std::string expected("12345678");
+  memcpy(buf, expected.c_str(), expected.size());
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  std::string actual;
+  EXPECT_TRUE(reader.ReadAsciiString(&actual, expected.size()));
+  EXPECT_EQ(expected, actual);
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.ReadAsciiString(&actual, expected.size()));
+}
+
+TEST(NtlmBufferReaderTest, ReadAsciiStringPastEob) {
+  const size_t len = 8;
+  uint8_t buf[len];
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  std::string actual;
+  EXPECT_FALSE(reader.ReadAsciiString(&actual, len + 1));
+}
+
+TEST(NtlmBufferReaderTest, ReadUnicodeString) {
+  uint8_t buf[16];
+  std::string expected_ascii("12345678");
+  base::string16 expected;
+  expected.assign(expected_ascii.begin(), expected_ascii.end());

[asanka, 2017/06/08 19:40:09]

This test assumes that string16 encodes in UTF-16LE inside the buffer, but
string16 makes no such claim. In fact it would use BE on a big-endian
architecture since that's what uint16_t would be.

Once again, I'd suggest initializing buf with something like { '1', 0, '2', 0
... }.

[zentaro, 2017/06/12 23:12:07]

Done.

+  memcpy(buf, expected.c_str(), expected.size() * 2);
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  base::string16 actual;
+  EXPECT_TRUE(reader.ReadUnicodeString(&actual, expected.size() * 2));
+  EXPECT_EQ(expected, actual);
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.ReadUnicodeString(&actual, expected.size() * 2));
+}

[asanka, 2017/06/08 19:41:52]

For UnicodeString reads and writes, let's add some tests that are "interesting".
I.e. ones where there are non-ASCII inputs and outputs.

+
+TEST(NtlmBufferReaderTest, ReadUnicodeStringPastEob) {
+  const size_t len = 8;
+  uint8_t buf[len];
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  // Try to read one more character (2 bytes) than there is space.
+  base::string16 actual;
+  EXPECT_FALSE(reader.ReadUnicodeString(&actual, len + 2));
+}
+
+TEST(NtlmBufferReaderTest, ReadUnicodeStringOddLength) {
+  const size_t len = 8;
+  uint8_t buf[len];
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  // Try to read a 16-bit string with a length that isn't a multiple
+  // of 2.
+  base::string16 actual;
+  EXPECT_FALSE(reader.ReadUnicodeString(&actual, len - 1));
+}
+
+TEST(NtlmBufferReaderTest, ReadAsciiPayload) {
+  uint8_t buf[24];
+
+  std::string expected("12345678");
+
+  // Write a security buffer at the start.
+  memset(buf, 0, ntlm::SECURITY_BUFFER_LEN);
+  buf[0] = expected.length();
+  buf[2] = expected.length();
+  buf[4] = ntlm::SECURITY_BUFFER_LEN;
+
+  // Put the string after the security buffer.
+  memcpy(buf + ntlm::SECURITY_BUFFER_LEN, expected.c_str(),
+         expected.size() * 2);
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  std::string actual;
+  EXPECT_TRUE(reader.ReadAsciiPayload(&actual));
+  EXPECT_EQ(expected, actual);
+  // Read payload only advances the cursor over the security buffer.
+  EXPECT_EQ(ntlm::SECURITY_BUFFER_LEN, reader.GetCursor());
+}
+
+TEST(NtlmBufferReaderTest, ReadUnicodePayload) {
+  uint8_t buf[24];
+
+  std::string expected_ascii("12345678");
+  base::string16 expected;
+  expected.assign(expected_ascii.begin(), expected_ascii.end());
+
+  // Write a security buffer at the start.
+  memset(buf, 0, ntlm::SECURITY_BUFFER_LEN);

[asanka, 2017/06/08 19:40:09]

Yup. Definitely initialize buf directly.

[zentaro, 2017/06/12 23:12:07]

Done.

+  buf[0] = expected_ascii.length() * 2;
+  buf[2] = expected_ascii.length() * 2;
+  buf[4] = ntlm::SECURITY_BUFFER_LEN;
+
+  // Put the string after the security buffer.
+  memcpy(buf + 8, expected.c_str(), expected.size() * 2);
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  base::string16 actual;
+  EXPECT_TRUE(reader.ReadUnicodePayload(&actual));
+  EXPECT_EQ(expected, actual);
+  // Read payload only advances the cursor over the security buffer.
+  EXPECT_EQ(ntlm::SECURITY_BUFFER_LEN, reader.GetCursor());
+}
+
+TEST(NtlmBufferReaderTest, SkipSecurityBuffer) {
+  uint8_t buf[ntlm::SECURITY_BUFFER_LEN];
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+  EXPECT_TRUE(reader.SkipSecurityBuffer());
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.SkipSecurityBuffer());
+}
+
+TEST(NtlmBufferReaderTest, SkipSecurityBufferPastEob) {
+  uint8_t buf[ntlm::SECURITY_BUFFER_LEN - 1];
+
+  // The buffer is one byte shorter than security buffer.
+  NtlmBufferReader reader(buf, arraysize(buf));
+  EXPECT_FALSE(reader.SkipSecurityBuffer());
+  EXPECT_EQ(0u, reader.GetCursor());
+}
+
+TEST(NtlmBufferReaderTest, SkipSecurityBufferWithValidationEmpty) {

[asanka, 2017/06/08 19:40:09]

We are permissive about buffers with a length of zero and an OOB offset, right?
It's fine either way, but I think we should be explicit about what should happen
there.

[zentaro, 2017/06/12 23:12:06]

Yes. Added explicit test.

+  uint8_t buf[ntlm::SECURITY_BUFFER_LEN];
+
+  memset(buf, 0, ntlm::SECURITY_BUFFER_LEN);
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+  EXPECT_TRUE(reader.SkipSecurityBufferWithValidation());
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.SkipSecurityBufferWithValidation());
+}
+
+TEST(NtlmBufferReaderTest, SkipSecurityBufferWithValidationValid) {
+  uint8_t buf[ntlm::SECURITY_BUFFER_LEN + 1];
+
+  // Write a valid security buffer that points to the 1 payload byte.
+  memset(buf, 0, ntlm::SECURITY_BUFFER_LEN);
+  buf[0] = 1;
+  buf[2] = 1;
+  buf[4] = ntlm::SECURITY_BUFFER_LEN;
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+  EXPECT_TRUE(reader.SkipSecurityBufferWithValidation());
+  EXPECT_EQ(ntlm::SECURITY_BUFFER_LEN, reader.GetCursor());
+  EXPECT_FALSE(reader.SkipSecurityBufferWithValidation());
+}
+
+TEST(NtlmBufferReaderTest,
+     SkipSecurityBufferWithValidationPayloadLengthPastEob) {
+  uint8_t buf[ntlm::SECURITY_BUFFER_LEN + 1];
+
+  // Security buffer with length that points past the end of buffer.
+  memset(buf, 0, ntlm::SECURITY_BUFFER_LEN);
+  buf[0] = 2;
+  buf[2] = 2;
+  buf[4] = ntlm::SECURITY_BUFFER_LEN;
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+  EXPECT_FALSE(reader.SkipSecurityBufferWithValidation());
+  EXPECT_EQ(0u, reader.GetCursor());
+  EXPECT_FALSE(reader.SkipSecurityBufferWithValidation());
+}
+
+TEST(NtlmBufferReaderTest,
+     SkipSecurityBufferWithValidationPayloadOffsetPastEob) {
+  uint8_t buf[ntlm::SECURITY_BUFFER_LEN + 1];
+
+  // Security buffer with offset that points past the end of buffer.
+  memset(buf, 0, ntlm::SECURITY_BUFFER_LEN);
+  buf[0] = 1;
+  buf[2] = 1;
+  buf[4] = ntlm::SECURITY_BUFFER_LEN + 1;
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+  EXPECT_FALSE(reader.SkipSecurityBufferWithValidation());
+  EXPECT_EQ(0u, reader.GetCursor());
+}
+
+TEST(NtlmBufferReaderTest, SkipBytes) {
+  uint8_t buf[8];
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_TRUE(reader.SkipBytes(arraysize(buf)));
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.SkipBytes(arraysize(buf)));
+}
+
+TEST(NtlmBufferReaderTest, SkipBytesPastEob) {
+  uint8_t buf[8];
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_FALSE(reader.SkipBytes(arraysize(buf) + 1));
+  EXPECT_EQ(0u, reader.GetCursor());
+}
+
+TEST(NtlmBufferReaderTest, MatchSignatureTooShort) {
+  uint8_t buf[7];
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_TRUE(reader.CanRead(7));
+  EXPECT_FALSE(reader.MatchSignature());
+  EXPECT_TRUE(reader.CanRead(7));
+}
+
+TEST(NtlmBufferReaderTest, MatchSignatureNoMatch) {
+  uint8_t buf[8];
+  memset(buf, 0, arraysize(buf));
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_TRUE(reader.CanRead(8));
+  EXPECT_FALSE(reader.MatchSignature());
+  EXPECT_TRUE(reader.CanRead(8));
+}
+
+TEST(NtlmBufferReaderTest, MatchSignatureOk) {
+  uint8_t buf[8];
+  memcpy(buf, ntlm::SIGNATURE, ntlm::SIGNATURE_LEN);
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_TRUE(reader.MatchSignature());
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+}
+
+TEST(NtlmBufferReaderTest, ReadInvalidMessageType) {
+  uint8_t buf[4];
+  memset(buf, 0, arraysize(buf));
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  ntlm::MessageType message_type;
+  EXPECT_FALSE(reader.ReadMessageType(&message_type));
+  EXPECT_FALSE(reader.IsEndOfBuffer());
+  EXPECT_TRUE(reader.CanRead(4));
+}
+
+TEST(NtlmBufferReaderTest, ReadMessageTypeNegotiate) {
+  uint8_t buf[4];
+  memset(buf, 0, arraysize(buf));
+  buf[0] = static_cast<uint8_t>(ntlm::MESSAGE_NEGOTIATE);
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  ntlm::MessageType message_type;
+  EXPECT_TRUE(reader.ReadMessageType(&message_type));
+  EXPECT_EQ(ntlm::MESSAGE_NEGOTIATE, message_type);
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+}
+
+TEST(NtlmBufferReaderTest, ReadMessageTypeChallenge) {
+  uint8_t buf[4];
+  memset(buf, 0, arraysize(buf));
+  buf[0] = static_cast<uint8_t>(ntlm::MESSAGE_CHALLENGE);
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  ntlm::MessageType message_type;
+  EXPECT_TRUE(reader.ReadMessageType(&message_type));
+  EXPECT_EQ(ntlm::MESSAGE_CHALLENGE, message_type);
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+}
+
+TEST(NtlmBufferReaderTest, ReadMessageTypeAuthenticate) {
+  uint8_t buf[4];
+  memset(buf, 0, arraysize(buf));
+  buf[0] = static_cast<uint8_t>(ntlm::MESSAGE_AUTHENTICATE);
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  ntlm::MessageType message_type;
+  EXPECT_TRUE(reader.ReadMessageType(&message_type));
+  EXPECT_EQ(ntlm::MESSAGE_AUTHENTICATE, message_type);
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+}
+
+TEST(NtlmBufferReaderTest, MatchMessageTypeAuthenticate) {
+  uint8_t buf[4];
+  memset(buf, 0, arraysize(buf));
+  buf[0] = static_cast<uint8_t>(ntlm::MESSAGE_AUTHENTICATE);
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_TRUE(reader.MatchMessageType(ntlm::MESSAGE_AUTHENTICATE));
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+}
+
+TEST(NtlmBufferReaderTest, MatchMessageTypeInvalid) {
+  uint8_t buf[4];
+  memset(buf, 0, arraysize(buf));
+  // Invalid message type.
+  buf[0] = 99;
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_FALSE(reader.MatchMessageType(ntlm::MESSAGE_AUTHENTICATE));
+  EXPECT_EQ(0u, reader.GetCursor());
+}
+
+TEST(NtlmBufferReaderTest, MatchMessageTypeMismatch) {
+  uint8_t buf[4];
+  memset(buf, 0, arraysize(buf));
+  buf[0] = static_cast<uint8_t>(ntlm::MESSAGE_CHALLENGE);
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_FALSE(reader.MatchMessageType(ntlm::MESSAGE_AUTHENTICATE));
+  EXPECT_EQ(0u, reader.GetCursor());
+}
+
+TEST(NtlmBufferReaderTest, MatchAuthenticateHeader) {
+  uint8_t buf[12];
+  memset(buf, 0, arraysize(buf));
+  memcpy(buf, ntlm::SIGNATURE, ntlm::SIGNATURE_LEN);
+  buf[8] = static_cast<uint8_t>(ntlm::MESSAGE_AUTHENTICATE);
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_TRUE(reader.MatchMessageHeader(ntlm::MESSAGE_AUTHENTICATE));
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+}
+
+TEST(NtlmBufferReaderTest, MatchAuthenticateHeaderMisMatch) {
+  uint8_t buf[12];
+  memset(buf, 0, arraysize(buf));
+  memcpy(buf, ntlm::SIGNATURE, ntlm::SIGNATURE_LEN);
+  buf[8] = static_cast<uint8_t>(ntlm::MESSAGE_CHALLENGE);
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_FALSE(reader.MatchMessageType(ntlm::MESSAGE_AUTHENTICATE));
+  EXPECT_EQ(0u, reader.GetCursor());
+}
+
+TEST(NtlmBufferReaderTest, MatchFailsRollsBackCursor) {
+  uint8_t buf[12];
+  memset(buf, 0, arraysize(buf));
+  memcpy(buf, ntlm::SIGNATURE, ntlm::SIGNATURE_LEN);
+  buf[8] = 0x04;  // Invalid
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_EQ(0u, reader.GetCursor());
+  EXPECT_FALSE(reader.MatchMessageHeader(ntlm::MESSAGE_AUTHENTICATE));
+  EXPECT_EQ(0u, reader.GetCursor());
+  EXPECT_FALSE(reader.IsEndOfBuffer());
+}
+
+TEST(NtlmBufferReaderTest, MatchZeros) {
+  uint8_t buf[12];
+  memset(buf, 0, arraysize(buf));
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_TRUE(reader.MatchZeros(arraysize(buf)));
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.MatchZeros(1));
+}
+
+TEST(NtlmBufferReaderTest, MatchZerosFail) {
+  uint8_t buf[12];
+  memset(buf, 0, arraysize(buf));
+  buf[11] = 0x01;
+
+  NtlmBufferReader reader(buf, arraysize(buf));
+
+  EXPECT_EQ(0u, reader.GetCursor());
+  EXPECT_FALSE(reader.MatchZeros(arraysize(buf)));
+  EXPECT_EQ(0u, reader.GetCursor());
+  EXPECT_FALSE(reader.IsEndOfBuffer());
+}
+
+TEST(NtlmBufferReaderTest, MatchEmptySecurityBuffer) {
+  uint8_t buf[ntlm::SECURITY_BUFFER_LEN];
+  memset(buf, 0, ntlm::SECURITY_BUFFER_LEN);
+
+  NtlmBufferReader reader(buf, ntlm::SECURITY_BUFFER_LEN);
+
+  EXPECT_TRUE(reader.MatchEmptySecurityBuffer());
+  EXPECT_TRUE(reader.IsEndOfBuffer());
+  EXPECT_FALSE(reader.MatchEmptySecurityBuffer());
+}
+
+TEST(NtlmBufferReaderTest, MatchEmptySecurityBufferFail) {
+  uint8_t buf[ntlm::SECURITY_BUFFER_LEN];
+  memset(buf, 0, ntlm::SECURITY_BUFFER_LEN);
+  buf[ntlm::SECURITY_BUFFER_LEN - 1] = 0x01;
+
+  NtlmBufferReader reader(buf, ntlm::SECURITY_BUFFER_LEN);
+
+  EXPECT_EQ(0u, reader.GetCursor());
+  EXPECT_FALSE(reader.MatchEmptySecurityBuffer());
+  EXPECT_EQ(0u, reader.GetCursor());
+}
+
+}  // namespace net