Commit 1b393db4 authored by Tails developers

Add anti-tests for the automated firewall leak detector.

parent 99500a98
@product
Feature:
As a Tails developer
I want that the automated test suite detects firewall leaks reliably
Background:
Given a computer
And I capture all network traffic
And I start the computer
And the computer boots Tails
And I log in to a new session
And I have a network connection
And Tor has built a circuit
And Iceweasel has autostarted and is not loading a web page
And the time has synced
And I have closed all annoying notifications
And all Internet traffic has only flowed through Tor
And I save the state so the background can be restored next scenario
Scenario: Detecting IPv4 TCP leaks from the Unsafe Browser
When I start the Unsafe Browser
And the Unsafe Browser has started
And I open the address "https://check.torproject.org" in the Unsafe Browser
And I see "UnsafeBrowserTorCheckFail.png" after at most 30 seconds
Then the firewall leak detector has detected IPv4 TCP leaks
Scenario: Detecting IPv4 TCP leaks of TCP DNS lookups
Given I disable Tails' firewall
When I do a TCP DNS lookup of "torproject.org"
Then the firewall leak detector has detected IPv4 TCP leaks
Scenario: Detecting IPv4 non-TCP leaks (UDP) of UDP DNS lookups
Given I disable Tails' firewall
When I do a UDP DNS lookup of "torproject.org"
Then the firewall leak detector has detected IPv4 non-TCP leaks
Scenario: Detecting IPv4 non-TCP (ICMP) leaks of ping
Given I disable Tails' firewall
When I send some ICMP pings
Then the firewall leak detector has detected IPv4 non-TCP leaks
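Review bot: The scenarios only exercise the 'ipv4 tcp' and 'ipv4 non-tcp' detector types, while the "the firewall leak detector has detected (.*?) leaks" step also accepts 'ipv6' and 'non-ip', so those two detector paths get no anti-test. Either add scenarios that generate IPv6 and non-IP traffic with the firewall disabled, or state in the feature why they are left out. The `Feature:` line also has no title, which leaves the feature unnamed in the test output.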
Then(/^the firewall leak detector has detected (.*?) leaks$/) do |type|
next if @skip_steps_while_restoring_background
leaks = FirewallLeakCheck.new(@sniffer.pcap_file, get_tor_relays)
case type.downcase
when 'ipv4 tcp'
if leaks.ipv4_tcp_leaks.empty?
save_pcap_file
raise "Couldn't detect any IPv4 TCP leaks"
end
when 'ipv4 non-tcp'
if leaks.ipv4_nontcp_leaks.empty?
save_pcap_file
raise "Couldn't detect any IPv4 non-TCP leaks"
end
when 'ipv6'
if leaks.ipv6_leaks.empty?
save_pcap_file
raise "Couldn't detect any IPv6 leaks"
end
when 'non-ip'
if leaks.nonip_leaks.empty?
save_pcap_file
raise "Couldn't detect any non-IP leaks"
end
else
raise "Incorrect packet type '#{type}'"
end
end
Given(/^I disable Tails' firewall$/) do
next if @skip_steps_while_restoring_background
@vm.execute("/usr/local/sbin/do_not_ever_run_me")
iptables = @vm.execute("iptables -L -n -v").stdout.chomp.split("\n")
for line in iptables do
if !line[/Chain (INPUT|OUTPUT|FORWARD) \(policy ACCEPT/] and
!line[/pkts[[:blank:]]+bytes[[:blank:]]+target/] and
!line.empty?
raise "The Tails firewall was not successfully disabled:\n#{iptables}"
end
end
end
When(/^I do a TCP DNS lookup of "(.*?)"$/) do |host|
next if @skip_steps_while_restoring_background
lookup = @vm.execute("host -T #{host} #{$some_dns_server}", $live_user)
assert(lookup.success?, "Failed to resolve #{host}:\n#{lookup.stdout}")
end
When(/^I do a UDP DNS lookup of "(.*?)"$/) do |host|
next if @skip_steps_while_restoring_background
lookup = @vm.execute("host #{host} #{$some_dns_server}", $live_user)
assert(lookup.success?, "Failed to resolve #{host}:\n#{lookup.stdout}")
end
When(/^I send some ICMP pings$/) do
next if @skip_steps_while_restoring_background
# We ping an IP address to avoid a DNS lookup
ping = @vm.execute("ping -c 5 #{$some_dns_server}", $live_user)
assert(ping.success?, "Failed to ping #{$some_dns_server}:\n#{ping.stderr}")
end
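Review bot: In the "I disable Tails' firewall" step, the result of `@vm.execute("/usr/local/sbin/do_not_ever_run_me")` is discarded, and the check that follows only parses `iptables -L -n -v`, which lists the IPv4 filter table. Leftover rules in other tables (nat, for example) or in ip6tables would pass unnoticed, even though the detector step has 'ipv6' and 'non-ip' branches. Consider asserting `success?` on the script run as the lookup steps do, and either extend the check to the other tables and to `ip6tables -L -n -v` or add a comment that only the IPv4 filter table matters for these scenarios. The failure message interpolates the array with `#{iptables}`, which prints its inspect form; `iptables.join("\n")` would be easier to read. The four near-identical `case` branches in the detector step could also share one helper that saves the pcap file and raises.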
......@@ -14,3 +14,5 @@ $tor_authorities =
"193.23.244.244", "208.83.223.34", "171.25.193.9",
"154.35.32.5"
]
# OpenDNS
$some_dns_server = "208.67.222.222"
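Review bot: `$some_dns_server` is hard-coded to a third-party resolver with only "# OpenDNS" as documentation, and the lookup and ping steps assert `success?` against it, so the anti-tests fail whenever the test network filters outbound DNS or ICMP to that address, even if the leaking packets were sent. Add a comment saying the host must be directly reachable (outside Tor) from the test environment and is used only to provoke leaks, or make the address overridable through the test suite configuration.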