Ability to disable full payload with TLS decryption

This can be useful to prevent OutOfMemoryError

Closes #273
This commit is contained in:
emanuele-f 2022-12-16 01:12:36 +01:00
parent 356d8cca07
commit 85e1ceb88e
6 changed files with 22 additions and 19 deletions

View File

@ -350,7 +350,7 @@ public class CaptureService extends VpnService implements Runnable {
mSocks5Port = MitmReceiver.TLS_DECRYPTION_PROXY_PORT;
mSocks5Auth = Utils.genRandomString(8) + ":" + Utils.genRandomString(8);
mMitmReceiver = new MitmReceiver(this, mSettings.root_capture, mSocks5Auth, mSettings.mitmproxy_opts);
mMitmReceiver = new MitmReceiver(this, mSettings, mSocks5Auth);
try {
if(!mMitmReceiver.start())
return abortStart();
@ -979,10 +979,6 @@ public class CaptureService extends VpnService implements Runnable {
if(INSTANCE == null)
return Prefs.PayloadMode.MINIMAL;
// With TLS decryption, payload mode is always "full"
if(INSTANCE.mSettings.tls_decryption)
return Prefs.PayloadMode.FULL;
return INSTANCE.mSettings.full_payload ? Prefs.PayloadMode.FULL : Prefs.PayloadMode.MINIMAL;
}

View File

@ -48,8 +48,8 @@ import java.io.IOException;
import java.lang.ref.WeakReference;
public class MitmAddon {
public static final long PACKAGE_VERSION_CODE = 11;
public static final String PACKAGE_VERSION_NAME = "v0.11";
public static final long PACKAGE_VERSION_CODE = 12;
public static final String PACKAGE_VERSION_NAME = "v0.12";
public static final String REPOSITORY = "https://github.com/emanuele-f/PCAPdroid-mitm";
private static final String TAG = "MitmAddon";
private final Context mContext;

View File

@ -32,6 +32,7 @@ import androidx.lifecycle.Observer;
import com.emanuelef.remote_capture.interfaces.ConnectionsListener;
import com.emanuelef.remote_capture.interfaces.MitmListener;
import com.emanuelef.remote_capture.model.CaptureSettings;
import com.emanuelef.remote_capture.model.ConnectionDescriptor;
import com.emanuelef.remote_capture.model.PayloadChunk;
import com.emanuelef.remote_capture.model.PayloadChunk.ChunkType;
@ -90,6 +91,7 @@ public class MitmReceiver implements Runnable, ConnectionsListener, MitmListener
TCP_ERROR,
WEBSOCKET_CLIENT_MSG,
WEBSOCKET_SERVER_MSG,
DATA_TRUNCATED,
MASTER_SECRET,
LOG,
}
@ -117,7 +119,7 @@ public class MitmReceiver implements Runnable, ConnectionsListener, MitmListener
RUNNING
}
public MitmReceiver(Context ctx, boolean rootCapture, String proxyAuth, String additionalOpts) {
public MitmReceiver(Context ctx, CaptureSettings settings, String proxyAuth) {
mContext = ctx;
mReg = CaptureService.requireConnsRegister();
mAddon = new MitmAddon(mContext, this);
@ -126,7 +128,8 @@ public class MitmReceiver implements Runnable, ConnectionsListener, MitmListener
mConfig.proxyPort = TLS_DECRYPTION_PROXY_PORT;
mConfig.proxyAuth = proxyAuth;
mConfig.dumpMasterSecrets = (CaptureService.getDumpMode() != Prefs.DumpMode.NONE);
mConfig.additionalOptions = additionalOpts;
mConfig.additionalOptions = settings.mitmproxy_opts;
mConfig.shortPayload = !settings.full_payload;
/* upstream certificate verification is disabled because the app does not provide a way to let the user
accept a given cert. Moreover, it provides a workaround for a bug with HTTPS proxies described in
@ -134,7 +137,7 @@ public class MitmReceiver implements Runnable, ConnectionsListener, MitmListener
mConfig.sslInsecure = true;
// root capture uses transparent mode (redirection via iptables)
mConfig.transparentMode = rootCapture;
mConfig.transparentMode = settings.root_capture;
//noinspection ResultOfMethodCallIgnored
getKeylogFilePath(mContext).delete();
@ -307,7 +310,9 @@ public class MitmReceiver implements Runnable, ConnectionsListener, MitmListener
// see ConnectionDescriptor.processUpdate
if(conn.status == ConnectionDescriptor.CONN_STATUS_CLOSED)
conn.status = ConnectionDescriptor.CONN_STATUS_CLIENT_ERROR;
} else
} else if(type == MsgType.DATA_TRUNCATED)
conn.setPayloadTruncatedByAddon();
else
conn.addPayloadChunkMitm(new PayloadChunk(message, getChunkType(type), isSent(type), tstamp));
}
@ -360,6 +365,8 @@ public class MitmReceiver implements Runnable, ConnectionsListener, MitmListener
return MsgType.WEBSOCKET_CLIENT_MSG;
case "ws_srvmsg":
return MsgType.WEBSOCKET_SERVER_MSG;
case "trunc":
return MsgType.DATA_TRUNCATED;
case "secret":
return MsgType.MASTER_SECRET;
case "log":

View File

@ -154,7 +154,6 @@ public class SettingsActivity extends BaseActivity implements PreferenceFragment
setupSecurityPrefs();
setupOtherPrefs();
fullPayloadHideShow(mTlsDecryption.isChecked());
socks5ProxyHideShow(mTlsDecryption.isChecked(), mSocks5Enabled.isChecked(), rootCaptureEnabled());
mBlockQuic.setVisible(!rootCaptureEnabled());
rootCaptureHideShow(rootCaptureEnabled());
@ -174,6 +173,7 @@ public class SettingsActivity extends BaseActivity implements PreferenceFragment
if(mHasStartedMitmWizard && !MitmAddon.needsSetup(requireContext())) {
Log.d(TAG, "mitm setup complete, enabling");
mTlsDecryption.setChecked(true);
mFullPayloadEnabled.setChecked(true);
}
mHasStartedMitmWizard = false;
}
@ -285,7 +285,6 @@ public class SettingsActivity extends BaseActivity implements PreferenceFragment
return false;
}
fullPayloadHideShow((boolean) newValue);
mMitmWizard.setVisible((boolean) newValue);
mMitmproxyOpts.setVisible((boolean) newValue);
socks5ProxyHideShow((boolean) newValue, mSocks5Enabled.isChecked(), rootCaptureEnabled());
@ -321,10 +320,6 @@ public class SettingsActivity extends BaseActivity implements PreferenceFragment
mSocks5ProxyPort.setOnPreferenceChangeListener((preference, newValue) -> Utils.validatePort(newValue.toString()));
}
private void fullPayloadHideShow(boolean tlsDecryption) {
mFullPayloadEnabled.setVisible(!tlsDecryption);
}
private void socks5ProxyHideShow(boolean tlsDecryption, boolean socks5Enabled, boolean rootEnabled) {
boolean available = !tlsDecryption && !rootEnabled;
mSocks5Enabled.setVisible(available);
@ -393,11 +388,9 @@ public class SettingsActivity extends BaseActivity implements PreferenceFragment
mSocks5Enabled.setVisible(false);
mSocks5ProxyIp.setVisible(false);
mSocks5ProxyPort.setVisible(false);
fullPayloadHideShow(mTlsDecryption.isChecked());
mBlockQuic.setVisible(false);
} else {
mAutoBlockPrivateDNS.setVisible(true);
fullPayloadHideShow(mTlsDecryption.isChecked());
mBlockQuic.setVisible(true);
socks5ProxyHideShow(mTlsDecryption.isChecked(), mSocks5Enabled.isChecked(), false);
}

View File

@ -289,6 +289,12 @@ public class ConnectionDescriptor {
return isBlacklistedIp() || isBlacklistedHost();
}
public void setPayloadTruncatedByAddon() {
// only for the mitm addon
assert(!isNotDecryptable());
payload_truncated = true;
}
public boolean isPayloadTruncated() {
return payload_truncated;
}

View File

@ -40,6 +40,7 @@ public class MitmAPI {
public boolean transparentMode; // true to use transparent proxy mode, false to use SOCKS5 proxy mode
public boolean sslInsecure; // true to disable upstream certificate check
public boolean dumpMasterSecrets; // true to enable the TLS master secrets dump messages (similar to SSLKEYLOG)
public boolean shortPayload; // if true, only the initial portion of the payload will be sent
public String proxyAuth; // SOCKS5 proxy authentication, "user:pass"
public String additionalOptions; // provide additional options to mitmproxy
}