forked from chromium/chromium
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ntlm_unittest.cc
120 lines (98 loc) · 4.57 KB
/
ntlm_unittest.cc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
// Copyright 2017 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Tests on exact results from cryptographic operations are based on test data
// provided in [MS-NLMP] Version 28.0 [1] Section 4.2.
//
// Additional sanity checks on the low level hashing operations test for
// properties of the outputs, such as whether the hashes change, whether they
// should be zeroed out, or whether they should be the same or different.
//
// [1] https://msdn.microsoft.com/en-us/library/cc236621.aspx
#include "net/ntlm/ntlm.h"
#include "base/strings/utf_string_conversions.h"
#include "net/ntlm/ntlm_test_data.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace net {
namespace ntlm {
TEST(NtlmTest, GenerateNtlmHashV1PasswordSpecTests) {
uint8_t hash[kNtlmHashLen];
GenerateNtlmHashV1(test::kPassword, hash);
ASSERT_EQ(0, memcmp(hash, test::kExpectedNtlmHashV1, kNtlmHashLen));
}
TEST(NtlmTest, GenerateNtlmHashV1PasswordChangesHash) {
base::string16 password1 = base::UTF8ToUTF16("pwd01");
base::string16 password2 = base::UTF8ToUTF16("pwd02");
uint8_t hash1[kNtlmHashLen];
uint8_t hash2[kNtlmHashLen];
GenerateNtlmHashV1(password1, hash1);
GenerateNtlmHashV1(password2, hash2);
// Verify that the hash is different with a different password.
ASSERT_NE(0, memcmp(hash1, hash2, kNtlmHashLen));
}
TEST(NtlmTest, GenerateResponsesV1SpecTests) {
uint8_t lm_response[kResponseLenV1];
uint8_t ntlm_response[kResponseLenV1];
GenerateResponsesV1(test::kPassword, test::kServerChallenge, lm_response,
ntlm_response);
ASSERT_EQ(
0, memcmp(test::kExpectedNtlmResponseV1, ntlm_response, kResponseLenV1));
// This implementation never sends an LMv1 response (spec equivalent of the
// client variable NoLMResponseNTLMv1 being false) so the LM response is
// equal to the NTLM response when
// NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY is not negotiated. See
// [MS-NLMP] Section 3.3.1.
ASSERT_EQ(0,
memcmp(test::kExpectedNtlmResponseV1, lm_response, kResponseLenV1));
}
TEST(NtlmTest, GenerateResponsesV1WithSessionSecuritySpecTests) {
uint8_t lm_response[kResponseLenV1];
uint8_t ntlm_response[kResponseLenV1];
GenerateResponsesV1WithSessionSecurity(
test::kPassword, test::kServerChallenge, test::kClientChallenge,
lm_response, ntlm_response);
ASSERT_EQ(0, memcmp(test::kExpectedLmResponseWithV1SS, lm_response,
kResponseLenV1));
ASSERT_EQ(0, memcmp(test::kExpectedNtlmResponseWithV1SS, ntlm_response,
kResponseLenV1));
}
TEST(NtlmTest, GenerateResponsesV1WithSessionSecurityClientChallengeUsed) {
uint8_t lm_response1[kResponseLenV1];
uint8_t lm_response2[kResponseLenV1];
uint8_t ntlm_response1[kResponseLenV1];
uint8_t ntlm_response2[kResponseLenV1];
uint8_t client_challenge1[kChallengeLen];
uint8_t client_challenge2[kChallengeLen];
memset(client_challenge1, 0x01, kChallengeLen);
memset(client_challenge2, 0x02, kChallengeLen);
GenerateResponsesV1WithSessionSecurity(
test::kPassword, test::kServerChallenge, client_challenge1, lm_response1,
ntlm_response1);
GenerateResponsesV1WithSessionSecurity(
test::kPassword, test::kServerChallenge, client_challenge2, lm_response2,
ntlm_response2);
// The point of session security is that the client can introduce some
// randomness, so verify different client_challenge gives a different result.
ASSERT_NE(0, memcmp(lm_response1, lm_response2, kResponseLenV1));
ASSERT_NE(0, memcmp(ntlm_response1, ntlm_response2, kResponseLenV1));
// With session security the lm and ntlm hash should be different.
ASSERT_NE(0, memcmp(lm_response1, ntlm_response1, kResponseLenV1));
ASSERT_NE(0, memcmp(lm_response2, ntlm_response2, kResponseLenV1));
}
TEST(NtlmTest, GenerateResponsesV1WithSessionSecurityVerifySSUsed) {
uint8_t lm_response1[kResponseLenV1];
uint8_t lm_response2[kResponseLenV1];
uint8_t ntlm_response1[kResponseLenV1];
uint8_t ntlm_response2[kResponseLenV1];
GenerateResponsesV1WithSessionSecurity(
test::kPassword, test::kServerChallenge, test::kClientChallenge,
lm_response1, ntlm_response1);
GenerateResponsesV1(test::kPassword, test::kServerChallenge, lm_response2,
ntlm_response2);
// Verify that the responses with session security are not the
// same as without it.
ASSERT_NE(0, memcmp(lm_response1, lm_response2, kResponseLenV1));
ASSERT_NE(0, memcmp(ntlm_response1, ntlm_response2, kResponseLenV1));
}
} // namespace ntlm
} // namespace net