Implement test for audit ticket MUL-02-002 WP2

Author: MarkusPettersson98

test/connection-checker/src/net.rs

@@ -7,6 +7,8 @@ use std::{
 
 use crate::cli::Opt;
 
+const PAYLOAD: &[u8] = b"Hello there!";
+
 pub fn send_tcp(opt: &Opt, destination: SocketAddr) -> eyre::Result<()> {
     let bind_addr: SocketAddr = SocketAddr::new(Ipv4Addr::new(0, 0, 0, 0).into(), 0);
 
@@ -31,7 +33,7 @@ pub fn send_tcp(opt: &Opt, destination: SocketAddr) -> eyre::Result<()> {
 
     let mut stream = std::net::TcpStream::from(sock);
     stream
-        .write_all(b"hello there")
+        .write_all(PAYLOAD)
         .wrap_err(eyre!("Failed to send message to {destination}"))?;
 
     Ok(())
@@ -56,7 +58,7 @@ pub fn send_udp(_opt: &Opt, destination: SocketAddr) -> Result<(), eyre::Error>
 
     let std_socket = std::net::UdpSocket::from(sock);
     std_socket
-        .send_to(b"Hello there!", destination)
+        .send_to(PAYLOAD, destination)
         .wrap_err(eyre!("Failed to send message to {destination}"))?;
 
     Ok(())

test/test-manager/src/network_monitor.rs

@@ -26,6 +26,7 @@ pub struct ParsedPacket {
     pub source: SocketAddr,
     pub destination: SocketAddr,
     pub protocol: IpNextHeaderProtocol,
+    pub payload: Vec<u8>,
 }
 
 impl PacketCodec for Codec {
@@ -99,10 +100,13 @@ impl Codec {
             proto => log::debug!("ignoring v4 packet, transport/protocol type {proto}"),
         }
 
+        let payload = packet.payload().to_vec();
+
         Some(ParsedPacket {
             source,
             destination,
             protocol,
+            payload,
         })
     }
 
@@ -137,10 +141,13 @@ impl Codec {
             proto => log::debug!("ignoring v6 packet, transport/protocol type {proto}"),
         }
 
+        let payload = packet.payload().to_vec();
+
         Some(ParsedPacket {
             source,
             destination,
             protocol,
+            payload,
         })
     }
 }

test/test-manager/src/tests/install.rs

@@ -287,6 +287,7 @@ pub async fn test_installation_idempotency(
     // Connect to any relay. This forces the daemon to enter a secured target state
     connect_and_wait(&mut mullvad_client)
         .await
+        .map(|_| ()) // Discard the new tunnel state
         .or_else(|error| match error {
             Error::UnexpectedErrorState(_) => Ok(()),
             err => Err(err),

test/test-manager/src/tests/tunnel.rs

@@ -3,10 +3,11 @@ use super::helpers::{
 };
 use super::{config::TEST_CONFIG, Error, TestContext};
 use crate::network_monitor::{start_packet_monitor, MonitorOptions};
-use crate::tests::helpers::login_with_retries;
+use crate::tests::helpers::ConnChecker;
 
 use mullvad_management_interface::MullvadProxyClient;
 use mullvad_relay_selector::query::builder::RelayQueryBuilder;
+use mullvad_types::states::TunnelState;
 use mullvad_types::{
     constraints::Constraint,
     relay_constraints::{
@@ -802,3 +803,72 @@ pub async fn test_establish_tunnel_without_api(
     // Profit
     Ok(())
 }
+
+/// Fail to leak traffic to verify that mitigation for MUL-02-002-WP2
+/// ("Firewall allows deanonymization by eavesdropper") works.
+///
+/// # Vulnerability
+/// 1. Connect to a relay on port 443. Record this relay's IP address (the new gateway of the client)
+/// 2. Start listening for unencrypted traffic on the outbound network interface
+/// (Choose some human-readable, identifiable payload to look for in the outgoing TCP packets)
+/// 3. Start a rogue program which performs a GET request* containing the payload defined in step 2
+/// 4. The network snooper started in step 2 should now be able to observe the network request
+///    containing the identifiable payload being sent unencrypted over the wire
+///
+/// * or something similiar, as long as it fetches some remote resources
+#[test_function]
+pub async fn test_mul_02_002(
+    _: TestContext,
+    rpc: ServiceClient,
+    mut mullvad_client: MullvadProxyClient,
+) -> Result<(), anyhow::Error> {
+    // Step 0 - Disconnect from any active tunnel connection
+    helpers::disconnect_and_wait(&mut mullvad_client).await?;
+    // Step 1 - Choose a relay
+    let relay_constraints = RelayQueryBuilder::new()
+        .openvpn()
+        .transport_protocol(TransportProtocol::Tcp)
+        .port(443)
+        .into_constraint();
+    // Step 1.5 - Connect to the relay
+    set_relay_settings(
+        &mut mullvad_client,
+        RelaySettings::Normal(relay_constraints),
+    )
+    .await?;
+
+    let tunnel_state = helpers::connect_and_wait(&mut mullvad_client).await?;
+    let TunnelState::Connected { endpoint, .. } = tunnel_state else {
+        panic!("Expected tunnel state to be `Connected` - instead it was {tunnel_state:?}");
+    };
+    let gateway = endpoint.endpoint.address;
+    // Step 2 - Choose a payload
+    // FIXME: This needs to be kept in sync with the magic payload string defined in `connection_cheker::net`.
+    // The payload for `ConnChecherk` could also be made configurable.
+    let unique_identifier = b"Hello there!";
+    // Step 2.5 - Start a network monitor snooping the outbound network interface for payload
+    let monitor = start_packet_monitor(
+        move |packet| {
+            packet.destination.ip() == gateway.ip()
+                && packet.protocol == IpNextHeaderProtocols::Tcp
+                && packet
+                    .payload
+                    .windows(unique_identifier.len())
+                    .any(|window| window == unique_identifier)
+        },
+        MonitorOptions::default(),
+    )
+    .await;
+
+    // Step 3 - Start the rogue program using payload + relay info
+    let mut checker = ConnChecker::new(rpc.clone(), mullvad_client.clone(), gateway);
+    checker.spawn().await?.check_connection().await?;
+    // Step 4 - Assert that no outgoing traffic contains the payload in plain text.
+    let monitor_result = monitor.into_result().await.unwrap();
+    assert!(
+        monitor_result.packets.is_empty(),
+        "Observed rogue packets! The tunnel seems to be leaking traffic"
+    );
+    // Step 5 - Profit
+    Ok(())
+}