Sniffer Statistics

1. Wrapped the added code for statistics in a preprocessor guard. 2. Added a check for the current cipher suite and if it is on the list of allowed suites. Guarded by the statistics option. 3. Added more statistics from the list.
2019-06-11 16:51:47 -07:00 · 2019-06-11 16:51:47 -07:00 · 9715431921
commit 9715431921
parent c600f7659a
3 changed files with 115 additions and 21 deletions
--- a/src/sniffer.c
+++ b/src/sniffer.c
@ -410,9 +410,11 @@ static word32 MissedDataSessions = 0;    /* # of sessions with missed data */
 static SSLConnCb ConnectionCb;
 static void* ConnectionCbCtx = NULL;

+#ifdef WOLFSSL_SNIFFER_STATS
 /* Sessions Statistics */
 static SSLStats SnifferStats;
 static wolfSSL_Mutex StatsMutex;
+#endif


 static void UpdateMissedDataSessions(void)
@ -423,21 +425,25 @@ static void UpdateMissedDataSessions(void)
 }


+#ifdef WOLFSSL_SNIFFER_STATS
 #define ADD_TO_STAT(x,y) do { wc_LockMutex(&StatsMutex); \
    x += y; \
    wc_UnLockMutex(&StatsMutex); } while (0)
 #define INC_STAT(x) ADD_TO_STAT(x,1)
+#endif


 /* Initialize overall Sniffer */
 void ssl_InitSniffer(void)
 {
    wolfSSL_Init();
-    XMEMSET(&SnifferStats, 0, sizeof(SSLStats));
    wc_InitMutex(&ServerListMutex);
    wc_InitMutex(&SessionMutex);
    wc_InitMutex(&RecoveryMutex);
+#ifdef WOLFSSL_SNIFFER_STATS
+    XMEMSET(&SnifferStats, 0, sizeof(SSLStats));
    wc_InitMutex(&StatsMutex);
+#endif
 }


@ -1811,7 +1817,7 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
                              SnifferSession* session, char* error)
 {
    ProtocolVersion pv;
-    byte            b;
+    byte            b, b0;
    int             toRead = VERSION_SZ + RAN_LEN + ENUM_LEN;
    int             doResume     = 0;
    int             initialBytes = *sslBytes;
@ -1859,14 +1865,33 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
    *sslBytes -= b;

    /* cipher suite */
-    b = *input++;  /* first byte, ECC or not */
-    session->sslServer->options.cipherSuite0 = b;
-    session->sslClient->options.cipherSuite0 = b;
+    b0 = *input++;  /* first byte, ECC or not */
+    session->sslServer->options.cipherSuite0 = b0;
+    session->sslClient->options.cipherSuite0 = b0;
    b = *input++;
    session->sslServer->options.cipherSuite = b;
    session->sslClient->options.cipherSuite = b;
    *sslBytes -= SUITE_LEN;

+#ifdef WOLFSSL_SNIFFER_STATS
+    {
+        const CipherSuiteInfo* suites = GetCipherNames();
+        int suitesSz = GetCipherNamesSize();
+        int match = 0;
+
+        while (suitesSz) {
+            if (b0 == suites->cipherSuite0 && b == suites->cipherSuite) {
+                match = 1;
+                break;
+            }
+            suites++;
+            suitesSz--;
+        }
+        if (!match)
+            INC_STAT(SnifferStats.sslCiphersUnsupported);
+    }
+#endif /* WOLFSSL_SNIFFER_STATS */
+
    /* compression */
    b = *input++;
    *sslBytes -= ENUM_LEN;
@ -1936,8 +1961,11 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
        if (XMEMCMP(session->sslServer->arrays->sessionID,
                    session->sslClient->arrays->sessionID, ID_LEN) == 0)
            doResume = 1;
-        else if (session->sslClient->options.haveSessionId)
+        else if (session->sslClient->options.haveSessionId) {
+#ifdef WOLFSSL_SNIFFER_STATS
            INC_STAT(SnifferStats.sslResumeMisses);
+#endif
+        }
    }
    else if (session->sslClient->options.haveSessionId == 0 &&
             session->sslServer->options.haveSessionId == 0 &&
@ -1965,7 +1993,9 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
        session->flags.resuming = 1;

        Trace(SERVER_DID_RESUMPTION_STR);
+#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslResumedConns);
+#endif
        if (SetCipherSpecs(session->sslServer) != 0) {
            SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
            return -1;
@ -1993,7 +2023,9 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes,
        }
    }
    else {
+#ifdef WOLFSSL_SNIFFER_STATS
        INC_STAT(SnifferStats.sslStandardConns);
+#endif
    }
 #ifdef SHOW_SECRETS
    {
@ -2305,6 +2337,9 @@ static int DoHandShake(const byte* input, int* sslBytes,
            Trace(GOT_CERT_REQ_STR);
            break;
        case server_key_exchange:
+#ifdef WOLFSSL_SNIFFER_STATS
+            INC_STAT(SnifferStats.sslKeyFails);
+#endif
            Trace(GOT_SERVER_KEY_EX_STR);
            /* can't know temp key passively */
            SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE);
@ -2312,8 +2347,11 @@ static int DoHandShake(const byte* input, int* sslBytes,
            break;
        case certificate:
            Trace(GOT_CERT_STR);
-            if (session->flags.side == WOLFSSL_CLIENT_END)
+            if (session->flags.side == WOLFSSL_SERVER_END) {
+#ifdef WOLFSSL_SNIFFER_STATS
                INC_STAT(SnifferStats.sslClientAuthConns);
+#endif
+            }
            break;
        case server_hello_done:
            Trace(GOT_SERVER_HELLO_DONE_STR);
@ -3598,7 +3636,9 @@ doPart:
            break;
        case alert:
            Trace(GOT_ALERT_STR);
+#ifdef WOLFSSL_SNIFFER_STATS
            INC_STAT(SnifferStats.sslAlerts);
+#endif
            sslFrame += rhSize;
            sslBytes -= rhSize;
            break;
@ -3867,6 +3907,8 @@ int ssl_SetConnectionCtx(void* ctx)
 }


+#ifdef WOLFSSL_SNIFFER_STATS
+
 /* Resets the statistics tracking global structure.
 * returns 0 on success, -1 on error */
 int ssl_ResetStatistics(void)
@ -3891,6 +3933,8 @@ int ssl_ReadStatistics(SSLStats* stats)
    return 0;
 }

+#endif /* WOLFSSL_SNIFFER_STATS */
+

 #endif /* WOLFSSL_SNIFFER */
 #endif /* WOLFCRYPT_ONLY */
--- a/sslSniffer/sslSnifferTest/snifftest.c
+++ b/sslSniffer/sslSnifferTest/snifftest.c
@ -87,18 +87,68 @@ static void FreeAll(void)
 #endif
 }

-static void sig_handler(const int sig)
+
+#ifdef WOLFSSL_SNIFFER_STATS
+
+static void DumpStats(void)
 {
    SSLStats sslStats;
    ssl_ReadStatistics(&sslStats);
-    printf("SSL Stats (sslStandardConns):%u\n", sslStats.sslStandardConns);
-    printf("SSL Stats (sslClientAuthConns):%u\n", sslStats.sslClientAuthConns);
-    printf("SSL Stats (sslResumedConns):%u\n", sslStats.sslResumedConns);
-    printf("SSL Stats (sslResumeMisses):%u\n", sslStats.sslResumeMisses);
-    printf("SSL Stats (sslAlerts):%u\n", sslStats.sslAlerts);

+    printf("SSL Stats (sslStandardConns):%u\n",
+            sslStats.sslStandardConns);
+    printf("SSL Stats (sslRehandshakeConns):%u\n",
+            sslStats.sslRehandshakeConns);
+    printf("SSL Stats (sslClientAuthConns):%u\n",
+            sslStats.sslClientAuthConns);
+    printf("SSL Stats (sslResumedConns):%u\n",
+            sslStats.sslResumedConns);
+    printf("SSL Stats (sslResumedRehandshakeConns):%u\n",
+            sslStats.sslResumedRehandshakeConns);
+    printf("SSL Stats (sslClientAuthRehandshakeConns):%u\n",
+            sslStats.sslClientAuthRehandshakeConns);
+    printf("SSL Stats (sslEphemeralMisses):%u\n",
+            sslStats.sslEphemeralMisses);
+    printf("SSL Stats (sslResumeMisses):%u\n",
+            sslStats.sslResumeMisses);
+    printf("SSL Stats (sslCiphersUnsupported):%u\n",
+            sslStats.sslCiphersUnsupported);
+    printf("SSL Stats (sslKeysUnmatched):%u\n",
+            sslStats.sslKeysUnmatched);
+    printf("SSL Stats (sslKeyFails):%u\n",
+            sslStats.sslKeyFails);
+    printf("SSL Stats (sslDecodeFails):%u\n",
+            sslStats.sslDecodeFails);
+    printf("SSL Stats (sslAlerts):%u\n",
+            sslStats.sslAlerts);
+    printf("SSL Stats (sslDecryptedBytes):%u\n",
+            sslStats.sslDecryptedBytes);
+    printf("SSL Stats (sslEncryptedBytes):%u\n",
+            sslStats.sslEncryptedBytes);
+    printf("SSL Stats (sslEncryptedPackets):%u\n",
+            sslStats.sslEncryptedPackets);
+    printf("SSL Stats (sslDecryptedPackets):%u\n",
+            sslStats.sslDecryptedPackets);
+    printf("SSL Stats (sslEncryptedConnsPerSecond):%u\n",
+            sslStats.sslEncryptedConnsPerSecond);
+    printf("SSL Stats (sslKeyMatches):%u\n",
+            sslStats.sslKeyMatches);
+    printf("SSL Stats (sslActiveEncryptedConnsPerSecond):%u\n",
+            sslStats.sslActiveEncryptedConnsPerSecond);
+    printf("SSL Stats (sslActiveFlowsPerSecond):%u\n",
+            sslStats.sslActiveFlowsPerSecond);
+}
+
+#endif
+
+
+static void sig_handler(const int sig)
+{
    printf("SIGINT handled = %d.\n", sig);
    FreeAll();
+#ifdef WOLFSSL_SNIFFER_STATS
+    DumpStats();
+#endif
    if (sig)
        exit(EXIT_SUCCESS);
 }
--- a/wolfssl/sniffer.h
+++ b/wolfssl/sniffer.h
@ -136,25 +136,25 @@ SSL_SNIFFER_API int ssl_SetConnectionCtx(void* ctx);

 typedef struct SSLStats
 {
-    unsigned int sslStandardConns;
+    unsigned int sslStandardConns; /* X */
    unsigned int sslRehandshakeConns; /* unsupported */
-    unsigned int sslClientAuthConns;
-    unsigned int sslResumedConns;
+    unsigned int sslClientAuthConns; /* X */
+    unsigned int sslResumedConns; /* X */
    unsigned int sslResumedRehandshakeConns; /* unsupported */
    unsigned int sslClientAuthRehandshakeConns; /* unsupported */
    unsigned int sslEphemeralMisses;
-    unsigned int sslResumeMisses;
-    unsigned int sslCiphersUnsupported;
-    unsigned int sslKeysUnmatched;
+    unsigned int sslResumeMisses; /* X */
+    unsigned int sslCiphersUnsupported; /* X */
+    unsigned int sslKeysUnmatched; /* X */
    unsigned int sslKeyFails;
    unsigned int sslDecodeFails;
-    unsigned int sslAlerts;
+    unsigned int sslAlerts; /* X */
    unsigned int sslDecryptedBytes;
    unsigned int sslEncryptedBytes;
    unsigned int sslEncryptedPackets;
    unsigned int sslDecryptedPackets;
    unsigned int sslEncryptedConnsPerSecond;
-    unsigned int sslKeyMatches;
+    unsigned int sslKeyMatches; /* X */
    unsigned int sslActiveEncryptedConnsPerSecond;
    unsigned int sslActiveFlowsPerSecond;
 } SSLStats;