assertEquals(24, hash.length);
    }

    // Test getUnicodeHash behavior based on static LM_COMPATIBILITY setting
    @Test
    void testGetUnicodeHashWithDefaultLmCompatibility() {
        // With default lmCompatibility=3, getUnicodeHash returns empty array for NTLMv2
        NtlmPasswordAuthentication auth = new NtlmPasswordAuthentication("DOMAIN", "user", "password");

            case 1:
            case 2:
                macSigningKey = new byte[40];
                auth.getUserSessionKey(transport.server.encryptionKey, macSigningKey, 0);
                System.arraycopy(auth.getUnicodeHash(transport.server.encryptionKey), 0, macSigningKey, 16, 24);
                break;
            case 3:
            case 4:
            case 5:
                macSigningKey = new byte[16];

     * {@inheritDoc}
     *
     * @see jcifs.smb.NtlmPasswordAuthenticator#getUnicodeHash(jcifs.CIFSContext, byte[])
     */
    @Override
    public byte[] getUnicodeHash(final CIFSContext tc, final byte[] chlng) throws GeneralSecurityException {
        if (this.hashesExternal) {
            return this.unicodeHash;
        }
        return super.getUnicodeHash(tc, chlng);
    }

    /**
     * {@inheritDoc}
     *

                } else if (session.transport.server.encryptedPasswords) {
                    lmHash = auth.getAnsiHash(session.transport.server.encryptionKey);
                    ntHash = auth.getUnicodeHash(session.transport.server.encryptionKey);
                    // prohibit HTTP auth attempts for the null session
                    if (lmHash.length == 0 && ntHash.length == 0) {

        mockAuth.username = "testuser";
        mockAuth.domain = "TESTDOMAIN";
        mockAuth.password = "testpass";

        when(mockAuth.getAnsiHash(any(byte[].class))).thenReturn(new byte[24]);
        when(mockAuth.getUnicodeHash(any(byte[].class))).thenReturn(new byte[24]);
        when(mockAuth.getName()).thenReturn("testuser");
        when(mockAuth.getDomain()).thenReturn("TESTDOMAIN");

            case 2:
                this.macSigningKey = new byte[40];
                auth.getUserSessionKey(transport.getContext(), serverEncryptionKey, this.macSigningKey, 0);
                System.arraycopy(auth.getUnicodeHash(transport.getContext(), serverEncryptionKey), 0, this.macSigningKey, 16, 24);
                break;
            case 3:
            case 4:
            case 5:
                this.macSigningKey = new byte[16];

     * @throws GeneralSecurityException if a security error occurs
     * @deprecated NTLMv1 is insecure. Use NTLMv2 (LM compatibility level 3 or higher)
     */
    @Deprecated
    public byte[] getUnicodeHash(CIFSContext tc, byte[] chlng) throws GeneralSecurityException {
        int compatibility = tc.getConfig().getLanManCompatibility();

        // Log warning for insecure NTLMv1 usage
        if (compatibility < 3) {

                    if (server.encryptedPasswords) {
                        this.lmHash = a.getAnsiHash(tc, server.encryptionKey);
                        this.ntHash = a.getUnicodeHash(tc, server.encryptionKey);
                        // prohibit HTTP auth attempts for the null session
                        if (this.lmHash.length == 0 && this.ntHash.length == 0) {

     * Computes the 24 byte Unicode password hash given the 8 byte server challenge.
     *
     * @param challenge the server challenge bytes
     * @return the Unicode password hash
     */
    public byte[] getUnicodeHash(final byte[] challenge) {
        if (hashesExternal) {
            return unicodeHash;
        }
        return switch (LM_COMPATIBILITY) {
        case 0, 1, 2 -> getNTLMResponse(password, challenge);

                return null;
            }).when(mockAuth).getUserSessionKey(eq(mockContext), eq(serverEncryptionKey), any(byte[].class), eq(0));

            when(mockAuth.getUnicodeHash(mockContext, serverEncryptionKey)).thenReturn(unicodeHash);
        }
    }