DTLS Multicast

1. Keep track of the number of records a session drops for having a bad MAC or detected as replayed. 2. Add function to access the drop statistics.
2017-07-12 09:36:29 -07:00 · 2017-07-12 09:36:29 -07:00 · 935bf9028d
commit 935bf9028d
parent 3329aa7bef
4 changed files with 42 additions and 0 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -10827,6 +10827,10 @@ static INLINE int Decrypt(WOLFSSL* ssl, byte* plain, const byte* input,
    if (ret == VERIFY_MAC_ERROR) {
        if (!ssl->options.dtls)
            SendAlert(ssl, alert_fatal, bad_record_mac);
+
+        #ifdef WOLFSSL_DTLS_DROP_STATS
+            ssl->macDropCount++;
+        #endif /* WOLFSSL_DTLS_DROP_STATS */
    }

    return ret;
@ -11552,6 +11556,9 @@ int ProcessReply(WOLFSSL* ssl)
                ssl->options.processReply = doProcessInit;
                ssl->buffers.inputBuffer.length = 0;
                ssl->buffers.inputBuffer.idx = 0;
+#ifdef WOLFSSL_DTLS_DROP_STATS
+                ssl->replayDropCount++;
+#endif /* WOLFSSL_DTLS_DROP_STATS */

                if (IsDtlsNotSctpMode(ssl) && ssl->options.dtlsHsRetain) {
                    ret = DtlsMsgPoolSend(ssl, 0);
@ -11690,6 +11697,9 @@ int ProcessReply(WOLFSSL* ssl)
                    if (ret < 0) {
                        WOLFSSL_MSG("VerifyMac failed");
                        WOLFSSL_ERROR(ret);
+                        #ifdef WOLFSSL_DTLS_DROP_STATS
+                            ssl->macDropCount++;
+                        #endif /* WOLFSSL_DTLS_DROP_STATS */
                        return DECRYPT_ERROR;
                    }
                }
--- a/src/ssl.c
+++ b/src/ssl.c
@ -844,6 +844,32 @@ int wolfSSL_dtls_set_mtu(WOLFSSL* ssl, word16 newMtu)
 #endif /* WOLFSSL_DTLS && WOLFSSL_SCTP */


+#ifdef WOLFSSL_DTLS_DROP_STATS
+
+int wolfSSL_dtls_get_drop_stats(WOLFSSL* ssl,
+                                word32* macDropCount, word32* replayDropCount)
+{
+    int ret;
+
+    WOLFSSL_ENTER("wolfSSL_dtls_get_drop_stats()");
+
+    if (ssl == NULL)
+        ret = BAD_FUNC_ARG;
+    else {
+        ret = SSL_SUCCESS;
+        if (macDropCount != NULL)
+            *macDropCount = ssl->macDropCount;
+        if (replayDropCount != NULL)
+            *replayDropCount = ssl->replayDropCount;
+    }
+
+    WOLFSSL_LEAVE("wolfSSL_dtls_get_drop_stats()", ret);
+    return ret;
+}
+
+#endif /* WOLFSSL_DTLS_DROP_STATS */
+
+
 #if defined(WOLFSSL_MULTICAST)

 int wolfSSL_CTX_mcast_set_member_id(WOLFSSL_CTX* ctx, word16 id)
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -3349,6 +3349,10 @@ struct WOLFSSL {
 #ifdef WOLFSSL_MULTICAST
    void*           mcastHwCbCtx;       /* Multicast highwater callback ctx */
 #endif /* WOLFSSL_MULTICAST */
+#ifdef WOLFSSL_DTLS_DROP_STATS
+    word32 macDropCount;
+    word32 replayDropCount;
+#endif /* WOLFSSL_DTLS_DROP_STATS */
 #endif /* WOLFSSL_DTLS */
 #ifdef WOLFSSL_CALLBACKS
    HandShakeInfo   handShakeInfo;      /* info saved during handshake */
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@ -509,6 +509,8 @@ WOLFSSL_API int  wolfSSL_dtls_set_sctp(WOLFSSL*);
 WOLFSSL_API int  wolfSSL_CTX_dtls_set_mtu(WOLFSSL_CTX*, unsigned short);
 WOLFSSL_API int  wolfSSL_dtls_set_mtu(WOLFSSL*, unsigned short);

+WOLFSSL_API int  wolfSSL_dtls_get_drop_stats(WOLFSSL*,
+                                             unsigned int*, unsigned int*);
 WOLFSSL_API int  wolfSSL_CTX_mcast_set_member_id(WOLFSSL_CTX*, unsigned short);
 WOLFSSL_API int  wolfSSL_set_secret(WOLFSSL*, unsigned short,
                     const unsigned char*, unsigned int,