forked from ooni/probe-cli
-
Notifications
You must be signed in to change notification settings - Fork 0
/
testjafar.bash
executable file
·129 lines (111 loc) · 3.75 KB
/
testjafar.bash
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
#!/bin/bash
#
# This script uses cURL to verify that Jafar is able to produce a
# bunch of censorship conditions. It should be noted that this script
# only works on Linux and will never work on other systems.
#
set -e
function execute() {
echo "+ $@" 1>&2
"$@"
}
function expectexitcode() {
local expect
local exitcode
expect=$1
shift
set +e
"$@"
exitcode=$?
set -e
echo "expected exitcode $expect, found $exitcode" 1>&2
if [ $exitcode != $expect ]; then
exit 1
fi
}
function runtest() {
echo "=== BEGIN $1 ==="
"$1"
echo "=== END $1 ==="
}
function http_got_nothing() {
expectexitcode 52 execute ./jafar -iptables-hijack-http-to 127.0.0.1:7117 \
-main-command 'curl -sm5 --connect-to ::example.com: http://ooni.io'
}
function http_recv_error() {
expectexitcode 56 execute ./jafar -iptables-reset-keyword ooni \
-main-command 'curl -sm5 --connect-to ::example.com: http://ooni.io'
}
function http_operation_timedout() {
expectexitcode 28 execute ./jafar -iptables-drop-keyword ooni \
-main-command 'curl -sm5 --connect-to ::example.com: http://ooni.io'
}
function http_couldnt_connect() {
local ip
ip=$(host -tA example.com|cut -f4 -d' ')
expectexitcode 7 execute ./jafar -iptables-reset-ip $ip \
-main-command 'curl -sm5 --connect-to ::example.com: http://ooni.io'
}
function http_blockpage() {
outfile=$(mktemp)
chown nobody $outfile # curl runs as user nobody
expectexitcode 0 execute ./jafar -http-proxy-block ooni \
-iptables-hijack-http-to 127.0.0.1:80 \
-main-command "curl -so $outfile --connect-to ::example.com: http://ooni.io"
if ! grep -q '451 Unavailable For Legal Reasons' $outfile; then
echo "fatal: the blockpage does not contain the expected pattern" 1>&2
exit 1
fi
}
function dns_injection() {
output=$(expectexitcode 0 execute ./jafar \
-iptables-hijack-dns-to 127.0.0.1:53 \
-dns-proxy-hijack ooni \
-main-command 'dig +time=2 +short @example.com ooni.io')
if [ "$output" != "127.0.0.1" ]; then
echo "fatal: the resulting IP is not the expected one" 1>&2
exit 1
fi
}
function dns_timeout() {
expectexitcode 9 execute ./jafar \
-iptables-hijack-dns-to 127.0.0.1:53 \
-dns-proxy-ignore ooni \
-main-command 'dig +time=2 +short @example.com ooni.io'
}
function dns_nxdomain() {
output=$(expectexitcode 0 execute ./jafar \
-iptables-hijack-dns-to 127.0.0.1:53 \
-dns-proxy-block ooni \
-main-command 'dig +time=2 +short @example.com ooni.io')
if [ "$output" != "" ]; then
echo "fatal: expected no output here" 1>&2
exit 1
fi
}
function sni_man_in_the_middle() {
expectexitcode 60 execute ./jafar -iptables-hijack-https-to 127.0.0.1:4114 \
-main-command 'curl -sm5 --connect-to ::example.com: https://ooni.io'
}
function sni_got_nothing() {
expectexitcode 52 execute ./jafar -iptables-hijack-https-to 127.0.0.1:4114 \
-main-command 'curl -sm5 --cacert badproxy.pem --connect-to ::example.com: https://ooni.io'
}
function sni_connect_error() {
expectexitcode 35 execute ./jafar -iptables-reset-keyword ooni \
-main-command 'curl -sm5 --connect-to ::example.com: https://ooni.io'
}
function main() {
runtest http_got_nothing
runtest http_recv_error
runtest http_operation_timedout
runtest http_couldnt_connect
runtest http_blockpage
runtest dns_injection
runtest dns_timeout
runtest dns_nxdomain
runtest sni_man_in_the_middle
runtest sni_got_nothing
runtest sni_connect_error
}
main "$@"