NTLM over HTTP: Make NTLMv2 the default.

- Makes NTLMv2 the default version.
- This implicitly disables NTLMv1.
- Leaving the flag available for the first release with the
  default changed.
- Subsequent release will remove the flag but leave a policy.

BUG=chromium:22532

Change-Id: Ibb2778806b2a19b70abbc5300d20e06327077fb8
Reviewed-on: https://chromium-review.googlesource.com/885509
Commit-Queue: Zentaro Kavanagh <zentaro@chromium.org>
Reviewed-by: Asanka Herath <asanka@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532552}

chrome/browser/io_thread.cc

@@ -628,7 +628,7 @@ void IOThread::RegisterPrefs(PrefRegistrySimple* registry) {
   registry->RegisterBooleanPref(prefs::kQuickCheckEnabled, true);
   registry->RegisterBooleanPref(prefs::kPacHttpsUrlStrippingEnabled, true);
 #if defined(OS_POSIX)
-  registry->RegisterBooleanPref(prefs::kNtlmV2Enabled, false);
+  registry->RegisterBooleanPref(prefs::kNtlmV2Enabled, true);
 #endif
 }
 

chrome/common/chrome_features.cc

@@ -397,7 +397,7 @@ const base::Feature kNetworkPrediction{"NetworkPrediction",
 #if defined(OS_POSIX)
 // Enables NTLMv2, which implicitly disables NTLMv1.
 const base::Feature kNtlmV2Enabled{"NtlmV2Enabled",
-                                   base::FEATURE_DISABLED_BY_DEFAULT};
+                                   base::FEATURE_ENABLED_BY_DEFAULT};
 #endif
 
 // If enabled, the list of content suggestions on the New Tab page will contain

net/http/http_auth_handler_ntlm_portable.cc

@@ -40,7 +40,7 @@ HttpAuthHandlerNTLM::HttpAuthHandlerNTLM(
     const HttpAuthPreferences* http_auth_preferences)
     : ntlm_client_(ntlm::NtlmFeatures(
           http_auth_preferences ? http_auth_preferences->NtlmV2Enabled()
-                                : false)) {}
+                                : true)) {}
 
 bool HttpAuthHandlerNTLM::NeedsIdentity() {
   // This gets called for each round-trip.  Only require identity on

net/ntlm/ntlm_test_data.h

@@ -524,6 +524,50 @@ constexpr uint8_t kExpectedAuthenticateMsgToOldV1ChallegeV2[] = {
     'R',  0x00,
 };
 
+// Expected V2 Authenticate message from this implementation when sent
+// |kChallengeMsgFromSpecV2|, no channel bindings exist, and the remote
+// server is named 'server' (with lowercase 's'). All the test data from the
+// spec uses 'Server' with an uppercase 'S'. Chrome lower cases the hostname
+// so this result vector is needed for an end to end test in
+// |HttpNetworkTransactionUnitTest|.
+//
+// The response is the same as |kExpectedAuthenticateMsgSpecResponseV2| with
+// the following differences.
+//
+// [72-87]   - The MIC (hash of all messages) is different because the
+//     message is different.
+// [112-127] - The cryptographic proof is different due to the changed
+//     AvPairs below, which are inputs to the hash.
+// [225]- The 's' in the  SPN AvPair is lowercase.
+// [200-215] - The channel binding AvPair in the target info is all zero. See
+//     |kExpectedTargetInfoSpecResponseV2| for more information.
+constexpr uint8_t kExpectedAuthenticateMsgEmptyChannelBindingsV2[] = {
+    'N',  'T',  'L',  'M',  'S',  'S',  'P',  '\0', 0x03, 0x00, 0x00, 0x00,
+    0x18, 0x00, 0x18, 0x00, 0x58, 0x00, 0x00, 0x00, 0x8a, 0x00, 0x8a, 0x00,
+    0x70, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x0c, 0x00, 0xfa, 0x00, 0x00, 0x00,
+    0x08, 0x00, 0x08, 0x00, 0x06, 0x01, 0x00, 0x00, 0x10, 0x00, 0x10, 0x00,
+    0x0e, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00,
+    0x03, 0x82, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0xa7, 0x37, 0x50, 0x69, 0x59, 0xfe, 0xea, 0x74, 0xaa, 0x77, 0xa1, 0xc0,
+    0x5b, 0xe2, 0x39, 0xa2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0xfe, 0x4d, 0xec, 0x67, 0xcf, 0x4d, 0xbd, 0xf8,
+    0xc7, 0xa7, 0x80, 0x89, 0xb1, 0xc5, 0x46, 0xa7, 0x01, 0x01, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x80, 0x0b, 0xc8, 0xfd, 0x00, 0xd4, 0xd2, 0x01,
+    0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0x00, 0x00, 0x00, 0x00,
+    0x02, 0x00, 0x0c, 0x00, 'D',  0x00, 'o',  0x00, 'm',  0x00, 'a',  0x00,
+    'i',  0x00, 'n',  0x00, 0x01, 0x00, 0x0c, 0x00, 'S',  0x00, 'e',  0x00,
+    'r',  0x00, 'v',  0x00, 'e',  0x00, 'r',  0x00, 0x06, 0x00, 0x04, 0x00,
+    0x02, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x09, 0x00, 0x16, 0x00, 'H',  0x00, 'T',  0x00, 'T',  0x00, 'P',  0x00,
+    '/',  0x00, 's',  0x00, 'e',  0x00, 'r',  0x00, 'v',  0x00, 'e',  0x00,
+    'r',  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 'D',  0x00,
+    'o',  0x00, 'm',  0x00, 'a',  0x00, 'i',  0x00, 'n',  0x00, 'U',  0x00,
+    's',  0x00, 'e',  0x00, 'r',  0x00, 'C',  0x00, 'O',  0x00, 'M',  0x00,
+    'P',  0x00, 'U',  0x00, 'T',  0x00, 'E',  0x00, 'R',  0x00,
+};
+
 }  // namespace test
 }  // namespace ntlm
 }  // namespace net