@@ -25,16 +25,10 @@

 #define ERROR_H

 #include "basic.h"

-

-#include <errno.h>

-#include <stdbool.h>

+#include "syshead.h"

 #include <assert.h>

-#if _WIN32

-#include <windows.h>

-#endif

-

 /* #define ABORT_ON_ERROR */

 #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT)

@@ -16,6 +16,8 @@ SUBDIRS = unit_tests

 if !WIN32

 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh

+

+check_PROGRAMS = ntlm_support

 if HAVE_SITNL

 test_scripts += t_net.sh

 endif

@@ -33,3 +35,15 @@ dist_noinst_SCRIPTS = \

 dist_noinst_DATA = \

 	t_client.rc-sample

+

+ntlm_support_CFLAGS  = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat -I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@

+ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn $(OPTIONAL_CRYPTO_LIBS)

+ntlm_support_SOURCES = ntlm_support.c \

+	unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \

+	$(top_srcdir)/src/openvpn/buffer.c \

+	$(top_srcdir)/src/openvpn/crypto.c \

+	$(top_srcdir)/src/openvpn/crypto_openssl.c \

+	$(top_srcdir)/src/openvpn/crypto_mbedtls.c \

+	$(top_srcdir)/src/openvpn/otime.c \

+	$(top_srcdir)/src/openvpn/packet_id.c \

+	$(top_srcdir)/src/openvpn/platform.c

new file mode 100644

@@ -0,0 +1,52 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ * Copyright (C) 2023 OpenVPN Inc <sales@openvpn.net>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License along

+ *  with this program; if not, write to the Free Software Foundation, Inc.,

+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+ */

+

+#ifdef HAVE_CONFIG_H

+#include "config.h"

+#endif

+

+#include "syshead.h"

+

+#include "crypto.h"

+#include "error.h"

+

+int

+main(void)

+{

+#if defined(ENABLE_CRYPTO_OPENSSL)

+    crypto_load_provider("legacy");

+    crypto_load_provider("default");

+#endif

+#ifdef NTLM

+    if (!md_valid("MD4"))

+    {

+        msg(M_FATAL, "MD4 not supported");

+    }

+    if (!md_valid("MD5"))

+    {

+        msg(M_FATAL, "MD5 not supported");

+    }

+#else  /* ifdef NTLM */

+    msg(M_FATAL, "NTLM support not compiled in");

+#endif

+}

@@ -27,7 +27,7 @@ REMOTE=mytestserver

 #

 # tests to run (list suffixes for config stanzas below)

 #

-TEST_RUN_LIST="1 2"

+TEST_RUN_LIST="1 2 2n"

 #

 # use "sudo" (etc) to give openvpn the necessary privileges

@@ -53,14 +53,24 @@ OPENVPN_BASE_P2P="..."

 #

 # if something is not defined here, the corresponding test is not run

 #

-# possible test options:

+# common test options:

 #

-# RUN_TITLE_x="what is being tested on here" (purely informational)

-# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory]

+# RUN_TITLE_x        = "what is being tested on here" (purely informational)

+# OPENVPN_CONF_x     = "how to call ./openvpn" [mandatory]

 # EXPECT_IFCONFIG4_x = "this IPv4 address needs to show up in ifconfig"

 # EXPECT_IFCONFIG6_x = "this IPv6 address needs to show up in ifconfig"

-# PING4_HOSTS_x = "these hosts musts ping when openvpn is up (IPv4 fping)"

-# PING6_HOSTS_x = "these hosts musts ping when openvpn is up (IPv6 fping6)"

+# PING4_HOSTS_x      = "these hosts musts ping when openvpn is up (IPv4 fping)"

+# PING6_HOSTS_x      = "these hosts musts ping when openvpn is up (IPv6 fping6)"

+#

+# hook test options:

+#

+# CHECK_SKIP_x      = "commands to execute before openvpn, skip test on failure"

+# PREPARE_x         = "commands to execute before openvpn"

+# POSTINIT_CMD_x    = "commands to execute after openvpn but before ping"

+# CLEANUP_x         = "commands to execute after the test"

+#

+# Note: all hooks are "eval"ed, so run in the original shell of the t_client.sh

+# script, not a child process.

 #

 # Test 1: UDP / p2mp tun

 #   specify IPv4+IPv6 addresses expected from server and ping targets

@@ -76,10 +86,18 @@ RUN_TITLE_2="testing tun/tcp/ipv4+ipv6"

 OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194"

 PING4_HOSTS_2="10.100.51.1 10.100.0.1"

 PING6_HOSTS_2="2001:db8::1 2001:db8:a051::1"

-#

 # run command after openvpn initialization is done - here: delay 5 seconds

 POSTINIT_CMD_2="sleep 5"

+# Test 2n: TCP / p2mp tun / via NTLM proxy

+RUN_TITLE_2n="testing tun/tcp/ntlm-proxy"

+OPENVPN_CONF_2n="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194

+ --http-proxy 192.168.1.2 8080 $KEYBASE/t_client_auth.txt ntlm --http-proxy-option VERSION 1.1"

+PING4_HOSTS_2n="10.100.51.1 10.100.0.1"

+PING6_HOSTS_2n="2001:db8::1 2001:db8:a051::1"

+# skip test if NTLM support is not available

+CHECK_SKIP_2n="${top_builddir}/tests/ntlm_support"

+

 # Test 3: UDP / p2p tun

 # ...

@@ -290,12 +290,14 @@ run_ping_tests()

 # main test loop

 # ----------------------------------------------------------

 SUMMARY_OK=

+SUMMARY_SKIP=

 SUMMARY_FAIL=

 for SUF in $TEST_RUN_LIST

 do

     # get config variables

     eval test_prep=\"\$PREPARE_$SUF\"

+    eval test_check_skip=\"\$CHECK_SKIP_$SUF\"

     eval test_postinit=\"\$POSTINIT_CMD_$SUF\"

     eval test_cleanup=\"\$CLEANUP_$SUF\"

     eval test_run_title=\"\$RUN_TITLE_$SUF\"

@@ -317,6 +319,16 @@ do

     output_start "### test run $SUF: '$test_run_title' ###"

     fail_count=0

+    if [ -n "$test_check_skip" ]; then

+        output "check whether we need to skip: '$test_check_skip'"

+        if eval $test_check_skip; then :

+        else

+            output "skip check failed, SKIP test $SUF."

+	    SUMMARY_SKIP="$SUMMARY_SKIP $SUF"

+	    echo -e "$outbuf" ; continue

+        fi

+    fi

+

     if [ -n "$test_prep" ]; then

         output "running preparation: '$test_prep'"

         eval $test_prep

@@ -454,8 +466,10 @@ do

 done

 if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi

+if [ -z "$SUMMARY_SKIP" ] ; then SUMMARY_SKIP=" none"; fi

 if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi

 echo "Test sets succeeded:$SUMMARY_OK."

+echo "Test sets skipped:$SUMMARY_SKIP."

 echo "Test sets failed:$SUMMARY_FAIL."

 # remove trap handler

@@ -31,8 +31,9 @@

 #include <stdlib.h>

 #include <setjmp.h>

 #include <stdint.h>

+#ifndef NO_CMOCKA

 #include <cmocka.h>

-

+#endif

 #include "errlevel.h"

 #include "error.h"

@@ -68,6 +69,8 @@ x_msg(const unsigned int flags, const char *format, ...)

     va_end(arglist);

 }

+/* Allow to use mock_msg.c outside of UT */

+#ifndef NO_CMOCKA

 void

 assert_failed(const char *filename, int line, const char *condition)

 {

@@ -75,6 +78,15 @@ assert_failed(const char *filename, int line, const char *condition)

     /* Keep compiler happy.  Should not happen, mock_assert() does not return */

     exit(1);

 }

+#else  /* ifndef NO_CMOCKA */

+void

+assert_failed(const char *filename, int line, const char *condition)

+{

+    msg(M_FATAL, "Assertion failed at %s:%d (%s)", filename, line, condition ? condition : "");

+    _exit(1);

+}

+#endif

+

 /*

  * Fail memory allocation.  Don't use msg() because it tries