From patchwork Fri Mar 8 10:28:18 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3640
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 8 Mar 2024 11:28:18 +0100
Message-ID: <20240308102818.9249-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v5] t_client.sh: Allow to skip tests

From: Frank Lichtenheld

Individual tests can define a script to run to test
whether they should be skipped.

Included in this commit is an example check which
checks whether we can do NTLM checks. This fails
e.g. on recent versions of Fedora with mbedTLS
(tested with Fedora 39) or when NTLM support is not
compiled in.

v2:
 - ntlm_support:
   - support OpenSSL 3
   - allow to build without cmocka
v3:
 - add example to t_client.rc-sample
 - t_client.sh code style
 - use syshead.h in error.h
v5:
 - rename SKIP_x to CHECK_SKIP_x

Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld
Acked-by: Gert Doering
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/521
This mail reflects revision 5 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering

diff --git a/src/openvpn/error.h b/src/openvpn/error.h index 1225b13..be3484d 100644 --- a/src/openvpn/error.h +++ b/src/openvpn/error.h @@ -25,16 +25,10 @@ #define ERROR_H #include "basic.h" - -#include -#include +#include "syshead.h" #include -#if _WIN32 -#include -#endif - /* #define ABORT_ON_ERROR */ #if defined(ENABLE_PKCS11) || defined(ENABLE_MANAGEMENT) diff --git a/tests/Makefile.am b/tests/Makefile.am index b3b2d74..13a1013 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -19,6 +19,8 @@ if !WIN32 test_scripts = t_client.sh t_lpback.sh t_cltsrv.sh + +check_PROGRAMS = ntlm_support if HAVE_SITNL test_scripts += t_net.sh endif 
@@ -36,3 +38,15 @@ dist_noinst_DATA = \ t_client.rc-sample + +ntlm_support_CFLAGS = -I$(top_srcdir)/src/openvpn -I$(top_srcdir)/src/compat -I$(top_srcdir)/tests/unit_tests/openvpn -DNO_CMOCKA @TEST_CFLAGS@ +ntlm_support_LDFLAGS = @TEST_LDFLAGS@ -L$(top_srcdir)/src/openvpn $(OPTIONAL_CRYPTO_LIBS) +ntlm_support_SOURCES = ntlm_support.c \ + unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \ + $(top_srcdir)/src/openvpn/buffer.c \ + $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_openssl.c \ + $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ + $(top_srcdir)/src/openvpn/otime.c \ + $(top_srcdir)/src/openvpn/packet_id.c \ + $(top_srcdir)/src/openvpn/platform.c diff --git a/tests/ntlm_support.c b/tests/ntlm_support.c new file mode 100644 index 0000000..2d7da86 --- /dev/null +++ b/tests/ntlm_support.c 
@@ -0,0 +1,52 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 OpenVPN Inc + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include "syshead.h" + +#include "crypto.h" +#include "error.h" + +int +main(void) +{ +#if defined(ENABLE_CRYPTO_OPENSSL) + crypto_load_provider("legacy"); + crypto_load_provider("default"); +#endif +#ifdef NTLM + if (!md_valid("MD4")) + { + msg(M_FATAL, "MD4 not supported"); + } + if (!md_valid("MD5")) + { + msg(M_FATAL, "MD5 not supported"); + } +#else /* ifdef NTLM */ + msg(M_FATAL, "NTLM support not compiled in"); +#endif +} diff --git a/tests/t_client.rc-sample b/tests/t_client.rc-sample index 355e8bb..d61ecc4 100644 --- a/tests/t_client.rc-sample +++ b/tests/t_client.rc-sample @@ -27,7 +27,7 @@ # # tests to run (list suffixes for config stanzas below) # -TEST_RUN_LIST="1 2" +TEST_RUN_LIST="1 2 2n" # # use "sudo" (etc) to give openvpn the necessary privileges 
@@ -53,14 +53,24 @@ # # if something is not defined here, the corresponding test is not run # -# possible test options: +# common test options: # -# RUN_TITLE_x="what is being tested on here" (purely informational) -# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory] +# RUN_TITLE_x = "what is being tested on here" (purely informational) +# OPENVPN_CONF_x = "how to call ./openvpn" [mandatory] # EXPECT_IFCONFIG4_x = "this IPv4 address needs to show up in ifconfig" # EXPECT_IFCONFIG6_x = "this IPv6 address needs to show up in ifconfig" -# PING4_HOSTS_x = "these hosts musts ping when openvpn is up (IPv4 fping)" -# PING6_HOSTS_x = "these hosts musts ping when openvpn is up (IPv6 fping6)" +# PING4_HOSTS_x = "these hosts musts ping when openvpn is up (IPv4 fping)" +# PING6_HOSTS_x = "these hosts musts ping when openvpn is up (IPv6 fping6)" +# +# hook test options: +# +# CHECK_SKIP_x = "commands to execute before openvpn, skip test on failure" +# PREPARE_x = "commands to execute before openvpn" +# POSTINIT_CMD_x = "commands to execute after openvpn but before ping" +# CLEANUP_x = "commands to execute after the test" +# +# Note: all hooks are "eval"ed, so run in the original shell of the t_client.sh +# script, not a child process. # # Test 1: UDP / p2mp tun # specify IPv4+IPv6 addresses expected from server and ping targets 
@@ -76,10 +86,18 @@ OPENVPN_CONF_2="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194" PING4_HOSTS_2="10.100.51.1 10.100.0.1" PING6_HOSTS_2="2001:db8::1 2001:db8:a051::1" -# # run command after openvpn initialization is done - here: delay 5 seconds POSTINIT_CMD_2="sleep 5" +# Test 2n: TCP / p2mp tun / via NTLM proxy +RUN_TITLE_2n="testing tun/tcp/ntlm-proxy" +OPENVPN_CONF_2n="$OPENVPN_BASE_P2MP --dev tun --proto tcp --remote $REMOTE --port 51194 + --http-proxy 192.168.1.2 8080 $KEYBASE/t_client_auth.txt ntlm --http-proxy-option VERSION 1.1" +PING4_HOSTS_2n="10.100.51.1 10.100.0.1" +PING6_HOSTS_2n="2001:db8::1 2001:db8:a051::1" +# skip test if NTLM support is not available +CHECK_SKIP_2n="${top_builddir}/tests/ntlm_support" + # Test 3: UDP / p2p tun # ... diff --git a/tests/t_client.sh.in b/tests/t_client.sh.in index 99e6f9c..f6654dd 100755 --- a/tests/t_client.sh.in +++ b/tests/t_client.sh.in @@ -291,12 +291,14 @@ # main test loop # ---------------------------------------------------------- SUMMARY_OK= +SUMMARY_SKIP= SUMMARY_FAIL= for SUF in $TEST_RUN_LIST do # get config variables eval test_prep=\"\$PREPARE_$SUF\" + eval test_check_skip=\"\$CHECK_SKIP_$SUF\" eval test_postinit=\"\$POSTINIT_CMD_$SUF\" eval test_cleanup=\"\$CLEANUP_$SUF\" eval test_run_title=\"\$RUN_TITLE_$SUF\" @@ -318,6 +320,16 @@ output_start "### test run $SUF: '$test_run_title' ###" fail_count=0 + if [ -n "$test_check_skip" ]; then + output "check whether we need to skip: '$test_check_skip'" + if eval $test_check_skip; then : + else + output "skip check failed, SKIP test $SUF." + SUMMARY_SKIP="$SUMMARY_SKIP $SUF" + echo -e "$outbuf" ; continue + fi + fi + if [ -n "$test_prep" ]; then output "running preparation: '$test_prep'" eval $test_prep 
@@ -455,8 +467,10 @@ done if [ -z "$SUMMARY_OK" ] ; then SUMMARY_OK=" none"; fi +if [ -z "$SUMMARY_SKIP" ] ; then SUMMARY_SKIP=" none"; fi if [ -z "$SUMMARY_FAIL" ] ; then SUMMARY_FAIL=" none"; fi echo "Test sets succeeded:$SUMMARY_OK." +echo "Test sets skipped:$SUMMARY_SKIP." echo "Test sets failed:$SUMMARY_FAIL." # remove trap handler diff --git a/tests/unit_tests/openvpn/mock_msg.c b/tests/unit_tests/openvpn/mock_msg.c index d74efaa..a291f8f 100644 --- a/tests/unit_tests/openvpn/mock_msg.c +++ b/tests/unit_tests/openvpn/mock_msg.c @@ -31,8 +31,9 @@ #include #include #include +#ifndef NO_CMOCKA #include - +#endif #include "errlevel.h" #include "error.h" @@ -74,6 +75,8 @@ va_end(arglist); } +/* Allow to use mock_msg.c outside of UT */ +#ifndef NO_CMOCKA void assert_failed(const char *filename, int line, const char *condition) { @@ -81,6 +84,15 @@ /* Keep compiler happy. Should not happen, mock_assert() does not return */ exit(1); } +#else /* ifndef NO_CMOCKA */ +void +assert_failed(const char *filename, int line, const char *condition) +{ + msg(M_FATAL, "Assertion failed at %s:%d (%s)", filename, line, condition ? condition : ""); + _exit(1); +} +#endif + /* * Fail memory allocation. Don't use msg() because it tries
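
Review bot: in tests/ntlm_support.c, main() has no return statement on any path, so the exit status that t_client.sh keys on is only implicit. Success relies on falling off the end of main(), and failure relies on msg(M_FATAL, ...) from mock_msg.c terminating the process with a non-zero status, which the visible lines do not show. Since this program exists only to deliver an exit code, I would make that explicit: "return 1;" after each msg(M_FATAL, ...) call and "return 0;" at the end of main().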
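
Review bot: in the t_client.rc-sample hunk that documents the hook options, "skip test on failure" for CHECK_SKIP_x does not say what counts as failure. The runner skips on any non-zero exit status of the eval'ed command, so the description should say so. The note that all hooks are eval'ed in the original shell matters more for this hook than for the others: a check that calls "exit" ends t_client.sh itself, and one that changes directory or variables affects every later test. Suggest adding a line recommending that checks be a separate program or be wrapped in "( ... )".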
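
Review bot: in the t_client.rc-sample hunk adding test 2n, CHECK_SKIP_2n="${top_builddir}/tests/ntlm_support" is expanded when the rc file is read, and nothing in the sample says that top_builddir has to be set at that point. If it is empty, the path becomes /tests/ntlm_support, the command cannot be run, and the NTLM proxy test is reported as skipped rather than failed. Suggest a comment above the line stating where top_builddir comes from, or a fallback in the expansion so the check is looked up relative to the build directory.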
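
Review bot: in the tests/t_client.sh.in hunk at "@@ -318,6 +320,16 @@", "if eval $test_check_skip; then : else" treats every non-zero status as "feature not available". A check program that was never built, is not executable, or has a wrong path (shell status 126/127) therefore turns into a silent skip, and the NTLM proxy path loses its test coverage without anyone noticing. Suggest capturing the status after the eval, including it in the "skip check failed" output, and counting 126/127 as a test failure rather than a skip. Also, "echo -e" is not portable across /bin/sh implementations; if the rest of the script already has a helper for flushing $outbuf, use that here.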
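
Review bot: in the tests/unit_tests/openvpn/mock_msg.c hunk, the NO_CMOCKA variant of assert_failed() ends in "_exit(1)" while the cmocka variant uses "exit(1)". _exit() does not flush stdio buffers, so if msg() in this mock writes through stdio and returns, the "Assertion failed at ..." text can be lost when output goes to a pipe or file, which is how a test harness usually captures it. Suggest "exit(1)" in both branches, or a comment explaining why _exit() is needed here.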