Commit 9704789f authored by Tails developers's avatar Tails developers

Move misc code into FirewallLeakCheck.

This is where it belongs, and soon we'll need to use the same code in
a scenario hook, and calling a step in such a way makes me
uncomfortable.

(FWIW, this is a remnant from the good ol' unmerged
test/firewall-check-tag branch.)
parent c83c9464
......@@ -115,7 +115,7 @@ Given /^I capture all network traffic$/ do
# Note: We don't want skip this particular stpe if
# @skip_steps_while_restoring_background is set since it starts
# something external to the VM state.
@sniffer = Sniffer.new("TestSniffer", $vmnet)
@sniffer = Sniffer.new("sniffer", $vmnet)
@sniffer.capture
end
......@@ -398,28 +398,7 @@ end
Then /^all Internet traffic has only flowed through Tor$/ do
next if @skip_steps_while_restoring_background
leaks = FirewallLeakCheck.new(@sniffer.pcap_file, get_tor_relays)
if !leaks.empty?
if !leaks.ipv4_tcp_leaks.empty?
puts "The following IPv4 TCP non-Tor Internet hosts were contacted:"
puts leaks.ipv4_tcp_leaks.join("\n")
puts
end
if !leaks.ipv4_nontcp_leaks.empty?
puts "The following IPv4 non-TCP Internet hosts were contacted:"
puts leaks.ipv4_nontcp_leaks.join("\n")
puts
end
if !leaks.ipv6_leaks.empty?
puts "The following IPv6 Internet hosts were contacted:"
puts leaks.ipv6_leaks.join("\n")
puts
end
if !leaks.nonip_leaks.empty?
puts "Some non-IP packets were sent\n"
end
save_pcap_file
raise "There were network leaks!"
end
leaks.assert_no_leaks
end
Given /^I enter the sudo password in the gksu prompt$/ do
......
Then(/^the firewall leak detector has detected (.*?) leaks$/) do |type|
next if @skip_steps_while_restoring_background
leaks = FirewallLeakCheck.new(@sniffer.pcap_file, get_tor_relays)
leaks = FirewallLeakCheck.new(@custom_sniffer.pcap_file, get_tor_relays)
case type.downcase
when 'ipv4 tcp'
if leaks.ipv4_tcp_leaks.empty?
save_pcap_file
leaks.save_pcap_file
raise "Couldn't detect any IPv4 TCP leaks"
end
when 'ipv4 non-tcp'
if leaks.ipv4_nontcp_leaks.empty?
save_pcap_file
leaks.save_pcap_file
raise "Couldn't detect any IPv4 non-TCP leaks"
end
when 'ipv6'
if leaks.ipv6_leaks.empty?
save_pcap_file
leaks.save_pcap_file
raise "Couldn't detect any IPv6 leaks"
end
when 'non-ip'
if leaks.nonip_leaks.empty?
save_pcap_file
leaks.save_pcap_file
raise "Couldn't detect any non-IP leaks"
end
else
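Review bot: The step now reads `@custom_sniffer.pcap_file`, but nothing on the visible lines assigns `@custom_sniffer`, so a scenario that reaches this step without the step that starts that capture would fail with a NoMethodError on nil rather than a message naming the missing capture. A guard placed before the `FirewallLeakCheck.new` call, such as `raise "No custom sniffer capture is available" unless @custom_sniffer`, would make that failure readable. The four `when` branches also repeat the same save-and-raise lines and differ only in the accessor and the label, which may be worth folding into one lookup later. The `case` statement continues past the last visible line, so the `else` branch is not reviewed here.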
......
......@@ -37,7 +37,8 @@ class FirewallLeakCheck
attr_reader :ipv4_tcp_leaks, :ipv4_nontcp_leaks, :ipv6_leaks, :nonip_leaks
def initialize(pcap_file, tor_relays)
packets = PacketFu::PcapFile.new.file_to_array(:filename => pcap_file)
@pcap_file = pcap_file
packets = PacketFu::PcapFile.new.file_to_array(:filename => @pcap_file)
@tor_relays = tor_relays
ipv4_tcp_packets = []
ipv4_nontcp_packets = []
......@@ -65,6 +66,12 @@ class FirewallLeakCheck
@nonip_leaks = nonip_packets
end
def save_pcap_file
pcap_copy = "#{@pcap_file}-#{DateTime.now}"
FileUtils.cp(@pcap_file, pcap_copy)
puts "Full network capture available at: #{pcap_copy}"
end
# Returns a list of all unique non-LAN destination IP addresses
# found in `packets`.
def get_public_hosts_from_ippackets(packets)
......@@ -97,4 +104,29 @@ class FirewallLeakCheck
@ipv4_tcp_leaks.empty? and @ipv4_nontcp_leaks.empty? and @ipv6_leaks.empty? and @nonip_leaks.empty?
end
def assert_no_leaks
if !empty?
if !ipv4_tcp_leaks.empty?
puts "The following IPv4 TCP non-Tor Internet hosts were contacted:"
puts ipv4_tcp_leaks.join("\n")
puts
end
if !ipv4_nontcp_leaks.empty?
puts "The following IPv4 non-TCP Internet hosts were contacted:"
puts ipv4_nontcp_leaks.join("\n")
puts
end
if !ipv6_leaks.empty?
puts "The following IPv6 Internet hosts were contacted:"
puts ipv6_leaks.join("\n")
puts
end
if !nonip_leaks.empty?
puts "Some non-IP packets were sent\n"
end
save_pcap_file
raise "There were network leaks!"
end
end
end
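Review bot: `save_pcap_file` now writes the copy next to the original capture (`"#{@pcap_file}-#{DateTime.now}"`), where the removed helper wrote it under `$tmp_dir`. If the sniffer's capture directory is not one that is kept after a run (it is not visible here), the evidence for a failed leak check could be lost or overlooked. Either keep the old destination, `pcap_copy = "#{$tmp_dir}/#{File.basename(@pcap_file)}-#{DateTime.now}"`, or add a comment above the method stating where the copy lands and why. `assert_no_leaks` in the last hunk would also benefit from a one-line comment saying that it prints the contacted hosts, saves the capture and then raises. The class body starts outside these hunks.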
......@@ -113,9 +113,3 @@ def get_tor_relays
cmd = 'awk "/^r/ { print \$6 }" /var/lib/tor/cached-microdesc-consensus'
@vm.execute(cmd).stdout.chomp.split("\n")
end
def save_pcap_file
pcap_copy = "#{$tmp_dir}/pcap_with_leaks-#{DateTime.now}"
FileUtils.cp(@sniffer.pcap_file, pcap_copy)
puts "Full network capture available at: #{pcap_copy}"
end