Ability to disable full payload with TLS decryption

This can be useful to prevent OutOfMemoryError Closes emanuele-f#273
userfuy · Dec 16, 2022 · 85e1ceb · 85e1ceb
1 parent 356d8cc
commit 85e1ceb
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 19 deletions.
diff --git a/app/src/main/java/com/emanuelef/remote_capture/CaptureService.java b/app/src/main/java/com/emanuelef/remote_capture/CaptureService.java
@@ -350,7 +350,7 @@ else if(mSettings.dump_mode == Prefs.DumpMode.PCAP_FILE) {
                 mSocks5Port = MitmReceiver.TLS_DECRYPTION_PROXY_PORT;
                 mSocks5Auth = Utils.genRandomString(8) + ":" + Utils.genRandomString(8);
 
-                mMitmReceiver = new MitmReceiver(this, mSettings.root_capture, mSocks5Auth, mSettings.mitmproxy_opts);
+                mMitmReceiver = new MitmReceiver(this, mSettings, mSocks5Auth);
                 try {
                     if(!mMitmReceiver.start())
                         return abortStart();
@@ -979,10 +979,6 @@ public static Prefs.PayloadMode getCurPayloadMode() {
         if(INSTANCE == null)
             return Prefs.PayloadMode.MINIMAL;
 
-        // With TLS decryption, payload mode is always "full"
-        if(INSTANCE.mSettings.tls_decryption)
-            return Prefs.PayloadMode.FULL;
-
         return INSTANCE.mSettings.full_payload ? Prefs.PayloadMode.FULL : Prefs.PayloadMode.MINIMAL;
     }
 

diff --git a/app/src/main/java/com/emanuelef/remote_capture/MitmAddon.java b/app/src/main/java/com/emanuelef/remote_capture/MitmAddon.java
@@ -48,8 +48,8 @@
 import java.lang.ref.WeakReference;
 
 public class MitmAddon {
-    public static final long PACKAGE_VERSION_CODE = 11;
-    public static final String PACKAGE_VERSION_NAME = "v0.11";
+    public static final long PACKAGE_VERSION_CODE = 12;
+    public static final String PACKAGE_VERSION_NAME = "v0.12";
     public static final String REPOSITORY = "https://github.com/emanuele-f/PCAPdroid-mitm";
     private static final String TAG = "MitmAddon";
     private final Context mContext;

diff --git a/app/src/main/java/com/emanuelef/remote_capture/MitmReceiver.java b/app/src/main/java/com/emanuelef/remote_capture/MitmReceiver.java
@@ -32,6 +32,7 @@
 
 import com.emanuelef.remote_capture.interfaces.ConnectionsListener;
 import com.emanuelef.remote_capture.interfaces.MitmListener;
+import com.emanuelef.remote_capture.model.CaptureSettings;
 import com.emanuelef.remote_capture.model.ConnectionDescriptor;
 import com.emanuelef.remote_capture.model.PayloadChunk;
 import com.emanuelef.remote_capture.model.PayloadChunk.ChunkType;
@@ -90,6 +91,7 @@ private enum MsgType {
         TCP_ERROR,
         WEBSOCKET_CLIENT_MSG,
         WEBSOCKET_SERVER_MSG,
+        DATA_TRUNCATED,
         MASTER_SECRET,
         LOG,
     }
@@ -117,7 +119,7 @@ public enum Status {
         RUNNING
     }
 
-    public MitmReceiver(Context ctx, boolean rootCapture, String proxyAuth, String additionalOpts) {
+    public MitmReceiver(Context ctx, CaptureSettings settings, String proxyAuth) {
         mContext = ctx;
         mReg = CaptureService.requireConnsRegister();
         mAddon = new MitmAddon(mContext, this);
@@ -126,15 +128,16 @@ public MitmReceiver(Context ctx, boolean rootCapture, String proxyAuth, String a
         mConfig.proxyPort = TLS_DECRYPTION_PROXY_PORT;
         mConfig.proxyAuth = proxyAuth;
         mConfig.dumpMasterSecrets = (CaptureService.getDumpMode() != Prefs.DumpMode.NONE);
-        mConfig.additionalOptions = additionalOpts;
+        mConfig.additionalOptions = settings.mitmproxy_opts;
+        mConfig.shortPayload = !settings.full_payload;
 
         /* upstream certificate verification is disabled because the app does not provide a way to let the user
            accept a given cert. Moreover, it provides a workaround for a bug with HTTPS proxies described in
            https://github.com/mitmproxy/mitmproxy/issues/5109 */
         mConfig.sslInsecure = true;
 
         // root capture uses transparent mode (redirection via iptables)
-        mConfig.transparentMode = rootCapture;
+        mConfig.transparentMode = settings.root_capture;
 
         //noinspection ResultOfMethodCallIgnored
         getKeylogFilePath(mContext).delete();
@@ -307,7 +310,9 @@ private void handleMessage(ConnectionDescriptor conn, MsgType type, byte[] messa
             // see ConnectionDescriptor.processUpdate
             if(conn.status == ConnectionDescriptor.CONN_STATUS_CLOSED)
                 conn.status = ConnectionDescriptor.CONN_STATUS_CLIENT_ERROR;
-        } else
+        } else if(type == MsgType.DATA_TRUNCATED)
+            conn.setPayloadTruncatedByAddon();
+        else
             conn.addPayloadChunkMitm(new PayloadChunk(message, getChunkType(type), isSent(type), tstamp));
     }
 
@@ -360,6 +365,8 @@ private static MsgType parseMsgType(String str) {
                 return MsgType.WEBSOCKET_CLIENT_MSG;
             case "ws_srvmsg":
                 return MsgType.WEBSOCKET_SERVER_MSG;
+            case "trunc":
+                return MsgType.DATA_TRUNCATED;
             case "secret":
                 return MsgType.MASTER_SECRET;
             case "log":

diff --git a/app/src/main/java/com/emanuelef/remote_capture/activities/SettingsActivity.java b/app/src/main/java/com/emanuelef/remote_capture/activities/SettingsActivity.java
@@ -154,7 +154,6 @@ public void onCreatePreferences(Bundle savedInstanceState, String rootKey) {
             setupSecurityPrefs();
             setupOtherPrefs();
 
-            fullPayloadHideShow(mTlsDecryption.isChecked());
             socks5ProxyHideShow(mTlsDecryption.isChecked(), mSocks5Enabled.isChecked(), rootCaptureEnabled());
             mBlockQuic.setVisible(!rootCaptureEnabled());
             rootCaptureHideShow(rootCaptureEnabled());
@@ -174,6 +173,7 @@ public void onResume() {
             if(mHasStartedMitmWizard && !MitmAddon.needsSetup(requireContext())) {
                 Log.d(TAG, "mitm setup complete, enabling");
                 mTlsDecryption.setChecked(true);
+                mFullPayloadEnabled.setChecked(true);
             }
             mHasStartedMitmWizard = false;
         }
@@ -285,7 +285,6 @@ private void setupTrafficInspectionPrefs() {
                     return false;
                 }
 
-                fullPayloadHideShow((boolean) newValue);
                 mMitmWizard.setVisible((boolean) newValue);
                 mMitmproxyOpts.setVisible((boolean) newValue);
                 socks5ProxyHideShow((boolean) newValue, mSocks5Enabled.isChecked(), rootCaptureEnabled());
@@ -321,10 +320,6 @@ private void setupTrafficInspectionPrefs() {
             mSocks5ProxyPort.setOnPreferenceChangeListener((preference, newValue) -> Utils.validatePort(newValue.toString()));
         }
 
-        private void fullPayloadHideShow(boolean tlsDecryption) {
-            mFullPayloadEnabled.setVisible(!tlsDecryption);
-        }
-
         private void socks5ProxyHideShow(boolean tlsDecryption, boolean socks5Enabled, boolean rootEnabled) {
             boolean available = !tlsDecryption && !rootEnabled;
             mSocks5Enabled.setVisible(available);
@@ -393,11 +388,9 @@ private void rootCaptureHideShow(boolean enabled) {
                 mSocks5Enabled.setVisible(false);
                 mSocks5ProxyIp.setVisible(false);
                 mSocks5ProxyPort.setVisible(false);
-                fullPayloadHideShow(mTlsDecryption.isChecked());
                 mBlockQuic.setVisible(false);
             } else {
                 mAutoBlockPrivateDNS.setVisible(true);
-                fullPayloadHideShow(mTlsDecryption.isChecked());
                 mBlockQuic.setVisible(true);
                 socks5ProxyHideShow(mTlsDecryption.isChecked(), mSocks5Enabled.isChecked(), false);
             }

diff --git a/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java b/app/src/main/java/com/emanuelef/remote_capture/model/ConnectionDescriptor.java
@@ -289,6 +289,12 @@ public boolean isBlacklisted() {
         return isBlacklistedIp() || isBlacklistedHost();
     }
 
+    public void setPayloadTruncatedByAddon() {
+        // only for the mitm addon
+        assert(!isNotDecryptable());
+        payload_truncated = true;
+    }
+
     public boolean isPayloadTruncated() {
         return payload_truncated;
     }

diff --git a/app/src/main/java/com/pcapdroid/mitm/MitmAPI.java b/app/src/main/java/com/pcapdroid/mitm/MitmAPI.java
@@ -40,6 +40,7 @@ public static final class MitmConfig implements Serializable {
         public boolean transparentMode;    // true to use transparent proxy mode, false to use SOCKS5 proxy mode
         public boolean sslInsecure;        // true to disable upstream certificate check
         public boolean dumpMasterSecrets;  // true to enable the TLS master secrets dump messages (similar to SSLKEYLOG)
+        public boolean shortPayload;       // if true, only the initial portion of the payload will be sent
         public String proxyAuth;           // SOCKS5 proxy authentication, "user:pass"
         public String additionalOptions;   // provide additional options to mitmproxy
     }