wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 12:14:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2287 from ejohnstown/sniffer-stats

Browse Source 
Sniffer Statistics
This commit is contained in:
toddouska
2019-06-25 11:22:24 -07:00
committed by GitHub
parent b957415609 26384d4936
commit eceb460cff
3 changed files with 264 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

193
src/sniffer.c
View File

@@ -410,6 +410,12 @@ static word32 MissedDataSessions = 0; /* # of sessions with missed data */
static SSLConnCb ConnectionCb; static SSLConnCb ConnectionCb;
static void* ConnectionCbCtx = NULL; static void* ConnectionCbCtx = NULL;
#ifdef WOLFSSL_SNIFFER_STATS
/* Sessions Statistics */
static SSLStats SnifferStats;
static wolfSSL_Mutex StatsMutex;
#endif
static void UpdateMissedDataSessions(void) static void UpdateMissedDataSessions(void)
{ {
@@ -419,6 +425,18 @@ static void UpdateMissedDataSessions(void)
} }
#ifdef WOLFSSL_SNIFFER_STATS
#define LOCK_STAT() do { wc_LockMutex(&StatsMutex); } while (0)
#define UNLOCK_STAT() do { wc_UnLockMutex(&StatsMutex); } while (0)
#define NOLOCK_ADD_TO_STAT(x,y) do { TraceStat(#x, y); x += y; } while (0)
#define NOLOCK_INC_STAT(x) NOLOCK_ADD_TO_STAT(x,1)
#define ADD_TO_STAT(x,y) do { LOCK_STAT(); \
NOLOCK_ADD_TO_STAT(x,y); UNLOCK_STAT(); } while (0)
#define INC_STAT(x) do { LOCK_STAT(); \
NOLOCK_INC_STAT(x); UNLOCK_STAT(); } while (0)
#endif
/* Initialize overall Sniffer */ /* Initialize overall Sniffer */
void ssl_InitSniffer(void) void ssl_InitSniffer(void)
{ {
@@ -426,6 +444,10 @@ void ssl_InitSniffer(void)
wc_InitMutex(&ServerListMutex); wc_InitMutex(&ServerListMutex);
wc_InitMutex(&SessionMutex); wc_InitMutex(&SessionMutex);
wc_InitMutex(&RecoveryMutex); wc_InitMutex(&RecoveryMutex);
#ifdef WOLFSSL_SNIFFER_STATS
XMEMSET(&SnifferStats, 0, sizeof(SSLStats));
wc_InitMutex(&StatsMutex);
#endif
} }
@@ -1052,6 +1074,19 @@ static void TraceSessionInfo(SSLInfo* sslInfo)
} }
#ifdef WOLFSSL_SNIFFER_STATS
/* Show value added to a named statistic. */
static void TraceStat(const char* name, int add)
{
if (TraceOn) {
fprintf(TraceFile, "\tAdding %d to %s\n", add, name);
}
}
#endif
/* Set user error string */ /* Set user error string */
static void SetError(int idx, char* error, SnifferSession* session, int fatal) static void SetError(int idx, char* error, SnifferSession* session, int fatal)
{ {
@@ -1693,6 +1728,11 @@ static int ProcessClientKeyExchange(const byte* input, int* sslBytes,
} while (ret == WC_PENDING_E); } while (ret == WC_PENDING_E);
} }
#ifdef WOLFSSL_SNIFFER_STATS
if (ret != 0)
INC_STAT(SnifferStats.sslKeyFails);
#endif
if (keyInit) if (keyInit)
wc_ecc_free(&key); wc_ecc_free(&key);
if (pubKeyInit) if (pubKeyInit)
@@ -1799,7 +1839,7 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
SnifferSession* session, char* error) SnifferSession* session, char* error)
{ {
ProtocolVersion pv; ProtocolVersion pv;
byte b; byte b, b0;
int toRead = VERSION_SZ + RAN_LEN + ENUM_LEN; int toRead = VERSION_SZ + RAN_LEN + ENUM_LEN;
int doResume = 0; int doResume = 0;
int initialBytes = *sslBytes; int initialBytes = *sslBytes;
@@ -1847,14 +1887,33 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
*sslBytes -= b; *sslBytes -= b;
/* cipher suite */ /* cipher suite */
b = *input++; /* first byte, ECC or not */ b0 = *input++; /* first byte, ECC or not */
session->sslServer->options.cipherSuite0 = b; session->sslServer->options.cipherSuite0 = b0;
session->sslClient->options.cipherSuite0 = b; session->sslClient->options.cipherSuite0 = b0;
b = *input++; b = *input++;
session->sslServer->options.cipherSuite = b; session->sslServer->options.cipherSuite = b;
session->sslClient->options.cipherSuite = b; session->sslClient->options.cipherSuite = b;
*sslBytes -= SUITE_LEN; *sslBytes -= SUITE_LEN;
#ifdef WOLFSSL_SNIFFER_STATS
{
const CipherSuiteInfo* suites = GetCipherNames();
int suitesSz = GetCipherNamesSize();
int match = 0;
while (suitesSz) {
if (b0 == suites->cipherSuite0 && b == suites->cipherSuite) {
match = 1;
break;
}
suites++;
suitesSz--;
}
if (!match)
INC_STAT(SnifferStats.sslCiphersUnsupported);
}
#endif /* WOLFSSL_SNIFFER_STATS */
/* compression */ /* compression */
b = *input++; b = *input++;
*sslBytes -= ENUM_LEN; *sslBytes -= ENUM_LEN;
@@ -1920,10 +1979,16 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
} }
#endif #endif
if (session->sslServer->options.haveSessionId && if (session->sslServer->options.haveSessionId) {
XMEMCMP(session->sslServer->arrays->sessionID, if (XMEMCMP(session->sslServer->arrays->sessionID,
session->sslClient->arrays->sessionID, ID_LEN) == 0) session->sslClient->arrays->sessionID, ID_LEN) == 0)
doResume = 1; doResume = 1;
else if (session->sslClient->options.haveSessionId) {
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslResumeMisses);
#endif
}
}
else if (session->sslClient->options.haveSessionId == 0 && else if (session->sslClient->options.haveSessionId == 0 &&
session->sslServer->options.haveSessionId == 0 && session->sslServer->options.haveSessionId == 0 &&
session->ticketID) session->ticketID)
@@ -1950,6 +2015,9 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
session->flags.resuming = 1; session->flags.resuming = 1;
Trace(SERVER_DID_RESUMPTION_STR); Trace(SERVER_DID_RESUMPTION_STR);
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslResumedConns);
#endif
if (SetCipherSpecs(session->sslServer) != 0) { if (SetCipherSpecs(session->sslServer) != 0) {
SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
return -1; return -1;
@@ -1976,6 +2044,11 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
return -1; return -1;
} }
} }
else {
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslStandardConns);
#endif
}
#ifdef SHOW_SECRETS #ifdef SHOW_SECRETS
{ {
int i; int i;
@@ -2286,6 +2359,9 @@ static int DoHandShake(const byte* input, int* sslBytes,
Trace(GOT_CERT_REQ_STR); Trace(GOT_CERT_REQ_STR);
break; break;
case server_key_exchange: case server_key_exchange:
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslEphemeralMisses);
#endif
Trace(GOT_SERVER_KEY_EX_STR); Trace(GOT_SERVER_KEY_EX_STR);
/* can't know temp key passively */ /* can't know temp key passively */
SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
@@ -2293,6 +2369,11 @@ static int DoHandShake(const byte* input, int* sslBytes,
break; break;
case certificate: case certificate:
Trace(GOT_CERT_STR); Trace(GOT_CERT_STR);
if (session->flags.side == WOLFSSL_SERVER_END) {
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslClientAuthConns);
#endif
}
break; break;
case server_hello_done: case server_hello_done:
Trace(GOT_SERVER_HELLO_DONE_STR); Trace(GOT_SERVER_HELLO_DONE_STR);
@@ -2780,6 +2861,9 @@ static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes,
/* create a new SnifferSession on client SYN */ /* create a new SnifferSession on client SYN */
if (tcpInfo->syn && !tcpInfo->ack) { if (tcpInfo->syn && !tcpInfo->ack) {
TraceClientSyn(tcpInfo->sequence); TraceClientSyn(tcpInfo->sequence);
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslEncryptedConns);
#endif
*session = CreateSession(ipInfo, tcpInfo, error); *session = CreateSession(ipInfo, tcpInfo, error);
if (*session == NULL) { if (*session == NULL) {
*session = GetSnifferSession(ipInfo, tcpInfo); *session = GetSnifferSession(ipInfo, tcpInfo);
@@ -2803,6 +2887,13 @@ static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes,
if (sslBytes == 0 && tcpInfo->ack) if (sslBytes == 0 && tcpInfo->ack)
return 1; return 1;
#ifdef WOLFSSL_SNIFFER_STATS
LOCK_STAT();
NOLOCK_INC_STAT(SnifferStats.sslDecryptedPackets);
NOLOCK_ADD_TO_STAT(SnifferStats.sslDecryptedBytes, sslBytes);
UNLOCK_STAT();
#endif
SetError(BAD_SESSION_STR, error, NULL, 0); SetError(BAD_SESSION_STR, error, NULL, 0);
return -1; return -1;
} }
@@ -3146,6 +3237,9 @@ static int FindNextRecordInAssembly(SnifferSession* session,
} }
Trace(DROPPING_LOST_FRAG_STR); Trace(DROPPING_LOST_FRAG_STR);
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslDecodeFails);
#endif
prev = curr; prev = curr;
curr = curr->next; curr = curr->next;
*reassemblyMemory -= (prev->end - prev->begin + 1); *reassemblyMemory -= (prev->end - prev->begin + 1);
@@ -3577,6 +3671,9 @@ doPart:
break; break;
case alert: case alert:
Trace(GOT_ALERT_STR); Trace(GOT_ALERT_STR);
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslAlerts);
#endif
sslFrame += rhSize; sslFrame += rhSize;
sslBytes -= rhSize; sslBytes -= rhSize;
break; break;
@@ -3683,18 +3780,51 @@ static int ssl_DecodePacketInternal(const byte* packet, int length,
ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error); ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error);
if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
else if (ret == -1) return -1; else if (ret == -1) return -1;
else if (ret == 1) return 0; /* done for now */ else if (ret == 1) {
#ifdef WOLFSSL_SNIFFER_STATS
if (sslBytes > 0) {
LOCK_STAT();
NOLOCK_INC_STAT(SnifferStats.sslEncryptedPackets);
NOLOCK_ADD_TO_STAT(SnifferStats.sslEncryptedBytes, sslBytes);
UNLOCK_STAT();
}
else
INC_STAT(SnifferStats.sslDecryptedPackets);
#endif
return 0; /* done for now */
}
ret = CheckSequence(&ipInfo, &tcpInfo, session, &sslBytes, &sslFrame,error); ret = CheckSequence(&ipInfo, &tcpInfo, session, &sslBytes, &sslFrame,error);
if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
else if (ret == -1) return -1; else if (ret == -1) return -1;
else if (ret == 1) return 0; /* done for now */ else if (ret == 1) {
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslDecryptedPackets);
#endif
return 0; /* done for now */
}
ret = CheckPreRecord(&ipInfo, &tcpInfo, &sslFrame, &session, &sslBytes, ret = CheckPreRecord(&ipInfo, &tcpInfo, &sslFrame, &session, &sslBytes,
&end, error); &end, error);
if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
else if (ret == -1) return -1; else if (ret == -1) return -1;
else if (ret == 1) return 0; /* done for now */ else if (ret == 1) {
#ifdef WOLFSSL_SNIFFER_STATS
INC_STAT(SnifferStats.sslDecryptedPackets);
#endif
return 0; /* done for now */
}
#ifdef WOLFSSL_SNIFFER_STATS
if (sslBytes > 0) {
LOCK_STAT();
NOLOCK_INC_STAT(SnifferStats.sslEncryptedPackets);
NOLOCK_ADD_TO_STAT(SnifferStats.sslEncryptedBytes, sslBytes);
UNLOCK_STAT();
}
else
INC_STAT(SnifferStats.sslDecryptedPackets);
#endif
ret = ProcessMessage(sslFrame, session, sslBytes, data, end, error); ret = ProcessMessage(sslFrame, session, sslBytes, data, end, error);
if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1;
@@ -3845,6 +3975,49 @@ int ssl_SetConnectionCtx(void* ctx)
} }
#ifdef WOLFSSL_SNIFFER_STATS
/* Resets the statistics tracking global structure.
* returns 0 on success, -1 on error */
int ssl_ResetStatistics(void)
{
wc_LockMutex(&StatsMutex);
XMEMSET(&SnifferStats, 0, sizeof(SSLStats));
wc_UnLockMutex(&StatsMutex);
return 0;
}
/* Copies the SSL statistics into the provided stats record.
* returns 0 on success, -1 on error */
int ssl_ReadStatistics(SSLStats* stats)
{
if (stats == NULL)
return -1;
wc_LockMutex(&StatsMutex);
XMEMCPY(stats, &SnifferStats, sizeof(SSLStats));
wc_UnLockMutex(&StatsMutex);
return 0;
}
/* Copies the SSL statistics into the provided stats record then
* resets the statistics tracking global structure.
* returns 0 on success, -1 on error */
int ssl_ReadResetStatistics(SSLStats* stats)
{
if (stats == NULL)
return -1;
wc_LockMutex(&StatsMutex);
XMEMCPY(stats, &SnifferStats, sizeof(SSLStats));
XMEMSET(&SnifferStats, 0, sizeof(SSLStats));
wc_UnLockMutex(&StatsMutex);
return 0;
}
#endif /* WOLFSSL_SNIFFER_STATS */
#endif /* WOLFSSL_SNIFFER */ #endif /* WOLFSSL_SNIFFER */
#endif /* WOLFCRYPT_ONLY */ #endif /* WOLFCRYPT_ONLY */

48
sslSniffer/sslSnifferTest/snifftest.c
View File

@@ -87,10 +87,58 @@ static void FreeAll(void)
#endif #endif
} }
#ifdef WOLFSSL_SNIFFER_STATS
static void DumpStats(void)
{
SSLStats sslStats;
ssl_ReadStatistics(&sslStats);
printf("SSL Stats (sslStandardConns):%lu\n",
sslStats.sslStandardConns);
printf("SSL Stats (sslClientAuthConns):%lu\n",
sslStats.sslClientAuthConns);
printf("SSL Stats (sslResumedConns):%lu\n",
sslStats.sslResumedConns);
printf("SSL Stats (sslEphemeralMisses):%lu\n",
sslStats.sslEphemeralMisses);
printf("SSL Stats (sslResumeMisses):%lu\n",
sslStats.sslResumeMisses);
printf("SSL Stats (sslCiphersUnsupported):%lu\n",
sslStats.sslCiphersUnsupported);
printf("SSL Stats (sslKeysUnmatched):%lu\n",
sslStats.sslKeysUnmatched);
printf("SSL Stats (sslKeyFails):%lu\n",
sslStats.sslKeyFails);
printf("SSL Stats (sslDecodeFails):%lu\n",
sslStats.sslDecodeFails);
printf("SSL Stats (sslAlerts):%lu\n",
sslStats.sslAlerts);
printf("SSL Stats (sslDecryptedBytes):%lu\n",
sslStats.sslDecryptedBytes);
printf("SSL Stats (sslEncryptedBytes):%lu\n",
sslStats.sslEncryptedBytes);
printf("SSL Stats (sslEncryptedPackets):%lu\n",
sslStats.sslEncryptedPackets);
printf("SSL Stats (sslDecryptedPackets):%lu\n",
sslStats.sslDecryptedPackets);
printf("SSL Stats (sslKeyMatches):%lu\n",
sslStats.sslKeyMatches);
printf("SSL Stats (sslEncryptedConns):%lu\n",
sslStats.sslEncryptedConns);
}
#endif
static void sig_handler(const int sig) static void sig_handler(const int sig)
{ {
printf("SIGINT handled = %d.\n", sig); printf("SIGINT handled = %d.\n", sig);
FreeAll(); FreeAll();
#ifdef WOLFSSL_SNIFFER_STATS
DumpStats();
#endif
if (sig) if (sig)
exit(EXIT_SUCCESS); exit(EXIT_SUCCESS);
} }

33
wolfssl/sniffer.h
View File

@@ -134,6 +134,39 @@ WOLFSSL_API
SSL_SNIFFER_API int ssl_SetConnectionCtx(void* ctx); SSL_SNIFFER_API int ssl_SetConnectionCtx(void* ctx);
typedef struct SSLStats
{
unsigned long int sslStandardConns;
unsigned long int sslClientAuthConns;
unsigned long int sslResumedConns;
unsigned long int sslEphemeralMisses;
unsigned long int sslResumeMisses;
unsigned long int sslCiphersUnsupported;
unsigned long int sslKeysUnmatched;
unsigned long int sslKeyFails;
unsigned long int sslDecodeFails;
unsigned long int sslAlerts;
unsigned long int sslDecryptedBytes;
unsigned long int sslEncryptedBytes;
unsigned long int sslEncryptedPackets;
unsigned long int sslDecryptedPackets;
unsigned long int sslKeyMatches;
unsigned long int sslEncryptedConns;
} SSLStats;
WOLFSSL_API
SSL_SNIFFER_API int ssl_ResetStatistics(void);
WOLFSSL_API
SSL_SNIFFER_API int ssl_ReadStatistics(SSLStats* stats);
WOLFSSL_API
SSL_SNIFFER_API int ssl_ReadResetStatistics(SSLStats* stats);
#ifdef __cplusplus #ifdef __cplusplus
} /* extern "C" */ } /* extern "C" */
#endif #endif