From bb08878419c3803dd1a3d1b60cc773ba587b2ad0 Mon Sep 17 00:00:00 2001
From: emanuele-f
Date: Sun, 28 Jan 2024 21:37:29 +0100
Subject: [PATCH] Fix decryption status for QUIC connections

QUIC connections should be marked as "Not decryptable" when QUIC is not blocked, instead were reported as "Encrypted" with an incorrect message telling to create a decryption rule for them
---
 .../model/ConnectionDescriptor.java | 6 ++---
 app/src/main/jni/core/capture_vpn.c | 27 +++++++++----------
 2 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java b/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java
index decf1b22..a5d859d0 100644
--- a/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java
+++ b/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java
@@ -112,7 +112,7 @@ public class ConnectionDescriptor {
 private boolean blacklisted_host;
 public boolean is_blocked;
 private boolean port_mapping_applied;
- public boolean decryption_ignored;
+ private boolean decryption_ignored;
 public boolean netd_block_missed;
 private boolean payload_truncated;
 private boolean encrypted_l7; // application layer is encrypted (e.g. TLS)
@@ -255,10 +255,10 @@ public class ConnectionDescriptor {
 return DecryptionStatus.CLEARTEXT;
 else if(decryption_error != null)
 return DecryptionStatus.ERROR;
- else if(decryption_ignored)
- return DecryptionStatus.ENCRYPTED;
 else if(isNotDecryptable())
 return DecryptionStatus.NOT_DECRYPTABLE;
+ else if(decryption_ignored)
+ return DecryptionStatus.ENCRYPTED;
 else if(isDecrypted())
 return DecryptionStatus.DECRYPTED;
 else
diff --git a/app/src/main/jni/core/capture_vpn.c b/app/src/main/jni/core/capture_vpn.c
index e653a228..0e681eaf 100644
--- a/app/src/main/jni/core/capture_vpn.c
+++ b/app/src/main/jni/core/capture_vpn.c
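Review bot: The precedence between `isNotDecryptable()` and `decryption_ignored` in the `getDecryptionStatus()` chain is now load-bearing but undocumented, and the chain starts and ends outside the second hunk. A one-line comment on the moved branch would record why it sits below the NOT_DECRYPTABLE check, e.g. `// checked after isNotDecryptable(): a flow the proxy cannot decrypt at all (e.g. QUIC) must not be reported as merely skipped by the whitelist`. The first hunk narrows `decryption_ignored` to private; if the native side writes this field through JNI that still works, since JNI field access ignores Java access modifiers, but it is worth confirming no other Java code read the field directly.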
@@ -362,24 +362,23 @@ static bool matches_decryption_whitelist(pcapdroid_t *pd, const zdtun_5tuple_t *
 /* ******************************************************* */
+// NOTE: this handles both user-specified SOCKS5 and TLS decryption
 static bool should_proxify(pcapdroid_t *pd, const zdtun_5tuple_t *tuple, pd_conn_t *data) {
- // NOTE: connections must be proxified as soon as the first packet arrives.
- // In case of TLS decryption, since we cannot reliably determine TLS connections with 1 packet,
- // we must proxify all the TCP connections.
- if(!pd->socks5.enabled || (tuple->ipproto != IPPROTO_TCP)) {
- data->decryption_ignored = true;
+ if(!pd->socks5.enabled)
 return false;
+
+ if (pd->tls_decryption.list) {
+ // TLS decryption
+ if(!matches_decryption_whitelist(pd, tuple, data)) {
+ data->decryption_ignored = true;
+ return false;
+ }
+
+ // Since we cannot reliably determine TLS connections with 1 packet, and connections must be
+ // proxified on the 1st packet, we proxify all the TCP connections
 }
- if(pd->tls_decryption.list) {
- if(matches_decryption_whitelist(pd, tuple, data))
- return true;
-
- data->decryption_ignored = true;
- return false;
- }
-
- return true;
+ return (tuple->ipproto == IPPROTO_TCP);
 }
 /* ******************************************************* */
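Review bot: The early return on `!pd->socks5.enabled` no longer sets `data->decryption_ignored`, which the removed block did for every connection whenever the proxy was off; since `getDecryptionStatus()` on the Java side now consults that flag only after `isNotDecryptable()`, connections captured with no proxy configured presumably take a different status path than before, and neither the commit message nor the new NOTE mentions this. If that is intended, the NOTE above the function should spell out the side effect, e.g. `// Sets data->decryption_ignored only when a TLS decryption whitelist is configured and the flow does not match it; the flag is left untouched when the proxy is off or the flow is not TCP, so the UI can report those as not decryptable rather than skipped.` The whitelist check also runs before the protocol check, so a whitelisted non-TCP flow returns false without any flag; a short comment on the final `return` would make clear that this is deliberate. Minor: `if (pd->tls_decryption.list)` uses a space before the parenthesis while every other `if(` in the hunk does not.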