Add blockech addon (mitmproxy#6876)

* Add blockech addon * Update CHANGELOG.md * [autofix.ci] apply automated fixes * Add tests * [autofix.ci] apply automated fixes * Fix tests * Add suggested changes * [autofix.ci] apply automated fixes * rephrase changelog to be more user-centric --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: Maximilian Hils <[email protected]>
dabula-s · May 28, 2024 · de871df · de871df
1 parent 8cf0cca
commit de871df
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,8 @@
   ([#6866](https://github.com/mitmproxy/mitmproxy/pull/6866), @mhils)
 * Fix slowdown when sending large data over HTTP/2
   ([#6875](https://github.com/mitmproxy/mitmproxy/pull/6875), @aib)
+* Add an option to strip HTTPS records from DNS responses to block encrypted ClientHellos.
+  ([#6876](https://github.com/mitmproxy/mitmproxy/pull/6876), @errorxyz)
 
 
 ## 17 April 2024: mitmproxy 10.3.0
@@ -30,7 +32,7 @@
 * Fix multipart form content view being unusable.
   ([#6653](https://github.com/mitmproxy/mitmproxy/pull/6653), @DaniElectra)
 * Documentation Improvements on CA Certificate Generation
-  ([#5370](https://github.com/mitmproxy/mitmproxy/pull/5370), @zioalex)  
+  ([#5370](https://github.com/mitmproxy/mitmproxy/pull/5370), @zioalex)
 * Make it possible to read flows from stdin with mitmweb.
   ([#6732](https://github.com/mitmproxy/mitmproxy/pull/6732), @jaywor1)
 * Update aioquic dependency to >= 1.0.0, < 2.0.0.

diff --git a/mitmproxy/addons/__init__.py b/mitmproxy/addons/__init__.py
@@ -1,6 +1,7 @@
 from mitmproxy.addons import anticache
 from mitmproxy.addons import anticomp
 from mitmproxy.addons import block
+from mitmproxy.addons import block_ech
 from mitmproxy.addons import blocklist
 from mitmproxy.addons import browser
 from mitmproxy.addons import clientplayback
@@ -34,6 +35,7 @@ def default_addons():
         core.Core(),
         browser.Browser(),
         block.Block(),
+        block_ech.BlockECH(),
         blocklist.BlockList(),
         anticache.AntiCache(),
         anticomp.AntiComp(),

diff --git a/mitmproxy/addons/block_ech.py b/mitmproxy/addons/block_ech.py
@@ -0,0 +1,22 @@
+from mitmproxy import ctx
+from mitmproxy import dns
+from mitmproxy.net.dns import types
+
+
+class BlockECH:
+    def load(self, loader):
+        loader.add_option(
+            "block_ech",
+            bool,
+            True,
+            "Strip DNS HTTPS records to prevent clients from sending Encrypted ClientHello (ECH) messages",
+        )
+
+    def dns_response(self, flow: dns.DNSFlow):
+        # TODO: parse HTTPS records and remove ech value alone. For now,
+        # if HTTPS record is part of response, remove that record.
+        assert flow.response
+        if ctx.options.block_ech:
+            flow.response.answers = [
+                answer for answer in flow.response.answers if answer.type != types.HTTPS
+            ]
diff --git a/test/mitmproxy/addons/test_block_ech.py b/test/mitmproxy/addons/test_block_ech.py
@@ -0,0 +1,34 @@
+from mitmproxy import dns
+from mitmproxy.addons import block_ech
+from mitmproxy.net.dns import types
+from mitmproxy.test import taddons
+from mitmproxy.test import tflow
+from mitmproxy.test import tutils
+
+
+class TestBlockECH:
+    def test_simple(self):
+        be = block_ech.BlockECH()
+        with taddons.context(be) as tctx:
+            answers = [
+                dns.ResourceRecord(
+                    "dns.google",
+                    dns.types.HTTPS,
+                    dns.classes.IN,
+                    32,
+                    b"\x08\x08\x08\x08",
+                ),
+                dns.ResourceRecord(
+                    "dns.google", dns.types.A, dns.classes.IN, 32, b"\x08\x08\x04\x04"
+                ),
+            ]
+            resp = tutils.tdnsresp(answers=answers)
+            f = tflow.tdnsflow(resp=resp)
+
+            tctx.configure(be, block_ech=False)
+            be.dns_response(f)
+            assert len(f.response.answers) == 2
+
+            tctx.configure(be, block_ech=True)
+            be.dns_response(f)
+            assert not any(answer.type == types.HTTPS for answer in f.response.answers)
diff --git a/web/src/js/ducks/_options_gen.ts b/web/src/js/ducks/_options_gen.ts
@@ -4,6 +4,7 @@ export interface OptionsState {
     allow_hosts: string[];
     anticache: boolean;
     anticomp: boolean;
+    block_ech: boolean;
     block_global: boolean;
     block_list: string[];
     block_private: boolean;
@@ -100,6 +101,7 @@ export const defaultState: OptionsState = {
     allow_hosts: [],
     anticache: false,
     anticomp: false,
+    block_ech: true,
     block_global: true,
     block_list: [],
     block_private: false,