Fix decryption status for QUIC connections

QUIC connections should be marked as "Not decryptable" when QUIC is not blocked, instead were reported as "Encrypted" with an incorrect message telling to create a decryption rule for them
2026-06-19 21:05:25 +08:00 · 2024-01-28 21:37:29 +01:00 · 2024-01-28 21:37:29 +01:00 · bb08878419
commit bb08878419
parent b8a405ab54
2 changed files with 16 additions and 17 deletions
--- a/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java
+++ b/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java
@ -112,7 +112,7 @@ public class ConnectionDescriptor {
    private boolean blacklisted_host;
    public boolean is_blocked;
    private boolean port_mapping_applied;
-    public boolean decryption_ignored;
+    private boolean decryption_ignored;
    public boolean netd_block_missed;
    private boolean payload_truncated;
    private boolean encrypted_l7;     // application layer is encrypted (e.g. TLS)
@ -255,10 +255,10 @@ public class ConnectionDescriptor {
            return DecryptionStatus.CLEARTEXT;
        else if(decryption_error != null)
            return DecryptionStatus.ERROR;
-        else if(decryption_ignored)
-            return DecryptionStatus.ENCRYPTED;
        else if(isNotDecryptable())
            return DecryptionStatus.NOT_DECRYPTABLE;
+        else if(decryption_ignored)
+            return DecryptionStatus.ENCRYPTED;
        else if(isDecrypted())
            return DecryptionStatus.DECRYPTED;
        else
--- a/app/src/main/jni/core/capture_vpn.c
+++ b/app/src/main/jni/core/capture_vpn.c
@ -362,24 +362,23 @@ static bool matches_decryption_whitelist(pcapdroid_t *pd, const zdtun_5tuple_t *

 /* ******************************************************* */

+// NOTE: this handles both user-specified SOCKS5 and TLS decryption
 static bool should_proxify(pcapdroid_t *pd, const zdtun_5tuple_t *tuple, pd_conn_t *data) {
-    // NOTE: connections must be proxified as soon as the first packet arrives.
-    // In case of TLS decryption, since we cannot reliably determine TLS connections with 1 packet,
-    // we must proxify all the TCP connections.
-    if(!pd->socks5.enabled || (tuple->ipproto != IPPROTO_TCP)) {
-        data->decryption_ignored = true;
+    if(!pd->socks5.enabled)
        return false;
+
+    if (pd->tls_decryption.list) {
+        // TLS decryption
+        if(!matches_decryption_whitelist(pd, tuple, data)) {
+            data->decryption_ignored = true;
+            return false;
+        }
+
+        // Since we cannot reliably determine TLS connections with 1 packet, and connections must be
+        // proxified on the 1st packet, we proxify all the TCP connections
    }

-    if(pd->tls_decryption.list) {
-        if(matches_decryption_whitelist(pd, tuple, data))
-            return true;
-
-        data->decryption_ignored = true;
-        return false;
-    }
-
-    return true;
+    return (tuple->ipproto == IPPROTO_TCP);
 }

 /* ******************************************************* */