From 2ee7d05dcc34f1f4941cc3dd232144c1d874c55d Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 20 May 2019 16:26:46 -0700 Subject: [PATCH 1/7] Sniffer Statistics 1. Added a structure for all the statistics to be kept. 2. Added a global to track the statistics. 3. Added a copy function to get a copy of the statistics. 4. Added a reset function for the statistics. 5. Handle the alert messages in statistics. --- src/sniffer.c | 37 +++++++++++++++++++++++++++++++++++++ wolfssl/sniffer.h | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 71 insertions(+) diff --git a/src/sniffer.c b/src/sniffer.c index db78c2c9e..1f905e634 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -410,6 +410,10 @@ static word32 MissedDataSessions = 0; /* # of sessions with missed data */ static SSLConnCb ConnectionCb; static void* ConnectionCbCtx = NULL; +/* Sessions Statistics */ +static SSLStats SnifferStats; +static wolfSSL_Mutex StatsMutex; + static void UpdateMissedDataSessions(void) { @@ -419,13 +423,21 @@ static void UpdateMissedDataSessions(void) } +#define ADD_TO_STAT(x,y) do { wc_LockMutex(&StatsMutex); \ + x += y; \ + wc_UnLockMutex(&StatsMutex); } while (0) +#define INC_STAT(x) ADD_TO_STAT(x,1) + + /* Initialize overall Sniffer */ void ssl_InitSniffer(void) { wolfSSL_Init(); + XMEMSET(&SnifferStats, 0, sizeof(SSLStats)); wc_InitMutex(&ServerListMutex); wc_InitMutex(&SessionMutex); wc_InitMutex(&RecoveryMutex); + wc_InitMutex(&StatsMutex); } @@ -3577,6 +3589,7 @@ doPart: break; case alert: Trace(GOT_ALERT_STR); + INC_STAT(SnifferStats.sslAlerts); sslFrame += rhSize; sslBytes -= rhSize; break; @@ -3845,6 +3858,30 @@ int ssl_SetConnectionCtx(void* ctx) } +/* Resets the statistics tracking global structure. + * returns 0 on success, -1 on error */ +int ssl_ResetStatistics(void) +{ + wc_LockMutex(&StatsMutex); + XMEMSET(&SnifferStats, 0, sizeof(SSLStats)); + wc_UnLockMutex(&StatsMutex); + return 0; +} + + +/* Copies the SSL statistics into the provided stats record. + * returns 0 on success, -1 on error */ +int ssl_ReadStatistics(SSLStats* stats) +{ + if (stats == NULL) + return -1; + + wc_LockMutex(&StatsMutex); + XMEMCPY(stats, &SnifferStats, sizeof(SSLStats)); + wc_UnLockMutex(&StatsMutex); + return 0; +} + #endif /* WOLFSSL_SNIFFER */ #endif /* WOLFCRYPT_ONLY */ diff --git a/wolfssl/sniffer.h b/wolfssl/sniffer.h index 33b26da87..96371fcfe 100644 --- a/wolfssl/sniffer.h +++ b/wolfssl/sniffer.h @@ -134,6 +134,40 @@ WOLFSSL_API SSL_SNIFFER_API int ssl_SetConnectionCtx(void* ctx); +typedef struct SSLStats +{ + unsigned int sslStandardConns; + unsigned int sslRehandshakeConns; + unsigned int sslClientAuthConns; + unsigned int sslResumedConns; + unsigned int sslResumedRehandshakeConns; + unsigned int sslClientAuthRehandshakeConns; + unsigned int sslEphemeralMisses; + unsigned int sslResumeMisses; + unsigned int sslCiphersUnsupported; + unsigned int sslKeysUnmatched; + unsigned int sslKeyFails; + unsigned int sslDecodeFails; + unsigned int sslAlerts; + unsigned int sslDecryptedBytes; + unsigned int sslEncryptedBytes; + unsigned int sslEncryptedPackets; + unsigned int sslDecryptedPackets; + unsigned int sslEncryptedConns; + unsigned int sslKeyMatches; + unsigned int sslEncryptedConnsPerSecond; + unsigned int sslActiveFlowsPerSecond; +} SSLStats; + + +WOLFSSL_API +SSL_SNIFFER_API int ssl_ResetStatistics(void); + + +WOLFSSL_API +SSL_SNIFFER_API int ssl_ReadStatistics(SSLStats* stats); + + #ifdef __cplusplus } /* extern "C" */ #endif From c600f7659ad2ef86aaa17d3c60354d1d7afaca1e Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 24 May 2019 16:21:08 -0700 Subject: [PATCH 2/7] Sniffer Statistics Added more of the statistics. --- src/sniffer.c | 15 ++++++++++++--- sslSniffer/sslSnifferTest/snifftest.c | 8 ++++++++ wolfssl/sniffer.h | 10 +++++----- 3 files changed, 25 insertions(+), 8 deletions(-) diff --git a/src/sniffer.c b/src/sniffer.c index 1f905e634..bfacbf8f0 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -1932,10 +1932,13 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, } #endif - if (session->sslServer->options.haveSessionId && - XMEMCMP(session->sslServer->arrays->sessionID, + if (session->sslServer->options.haveSessionId) { + if (XMEMCMP(session->sslServer->arrays->sessionID, session->sslClient->arrays->sessionID, ID_LEN) == 0) - doResume = 1; + doResume = 1; + else if (session->sslClient->options.haveSessionId) + INC_STAT(SnifferStats.sslResumeMisses); + } else if (session->sslClient->options.haveSessionId == 0 && session->sslServer->options.haveSessionId == 0 && session->ticketID) @@ -1962,6 +1965,7 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, session->flags.resuming = 1; Trace(SERVER_DID_RESUMPTION_STR); + INC_STAT(SnifferStats.sslResumedConns); if (SetCipherSpecs(session->sslServer) != 0) { SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); return -1; @@ -1988,6 +1992,9 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, return -1; } } + else { + INC_STAT(SnifferStats.sslStandardConns); + } #ifdef SHOW_SECRETS { int i; @@ -2305,6 +2312,8 @@ static int DoHandShake(const byte* input, int* sslBytes, break; case certificate: Trace(GOT_CERT_STR); + if (session->flags.side == WOLFSSL_CLIENT_END) + INC_STAT(SnifferStats.sslClientAuthConns); break; case server_hello_done: Trace(GOT_SERVER_HELLO_DONE_STR); diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index da9e0826b..5aadccae6 100644 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -89,6 +89,14 @@ static void FreeAll(void) static void sig_handler(const int sig) { + SSLStats sslStats; + ssl_ReadStatistics(&sslStats); + printf("SSL Stats (sslStandardConns):%u\n", sslStats.sslStandardConns); + printf("SSL Stats (sslClientAuthConns):%u\n", sslStats.sslClientAuthConns); + printf("SSL Stats (sslResumedConns):%u\n", sslStats.sslResumedConns); + printf("SSL Stats (sslResumeMisses):%u\n", sslStats.sslResumeMisses); + printf("SSL Stats (sslAlerts):%u\n", sslStats.sslAlerts); + printf("SIGINT handled = %d.\n", sig); FreeAll(); if (sig) diff --git a/wolfssl/sniffer.h b/wolfssl/sniffer.h index 96371fcfe..66a78f005 100644 --- a/wolfssl/sniffer.h +++ b/wolfssl/sniffer.h @@ -137,11 +137,11 @@ SSL_SNIFFER_API int ssl_SetConnectionCtx(void* ctx); typedef struct SSLStats { unsigned int sslStandardConns; - unsigned int sslRehandshakeConns; + unsigned int sslRehandshakeConns; /* unsupported */ unsigned int sslClientAuthConns; unsigned int sslResumedConns; - unsigned int sslResumedRehandshakeConns; - unsigned int sslClientAuthRehandshakeConns; + unsigned int sslResumedRehandshakeConns; /* unsupported */ + unsigned int sslClientAuthRehandshakeConns; /* unsupported */ unsigned int sslEphemeralMisses; unsigned int sslResumeMisses; unsigned int sslCiphersUnsupported; @@ -153,9 +153,9 @@ typedef struct SSLStats unsigned int sslEncryptedBytes; unsigned int sslEncryptedPackets; unsigned int sslDecryptedPackets; - unsigned int sslEncryptedConns; - unsigned int sslKeyMatches; unsigned int sslEncryptedConnsPerSecond; + unsigned int sslKeyMatches; + unsigned int sslActiveEncryptedConnsPerSecond; unsigned int sslActiveFlowsPerSecond; } SSLStats; From 9715431921aa115c6eb02cd926ec4cd3652dc1d9 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 11 Jun 2019 16:51:47 -0700 Subject: [PATCH 3/7] Sniffer Statistics 1. Wrapped the added code for statistics in a preprocessor guard. 2. Added a check for the current cipher suite and if it is on the list of allowed suites. Guarded by the statistics option. 3. Added more statistics from the list. --- src/sniffer.c | 58 ++++++++++++++++++++++--- sslSniffer/sslSnifferTest/snifftest.c | 62 ++++++++++++++++++++++++--- wolfssl/sniffer.h | 16 +++---- 3 files changed, 115 insertions(+), 21 deletions(-) diff --git a/src/sniffer.c b/src/sniffer.c index bfacbf8f0..43063854c 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -410,9 +410,11 @@ static word32 MissedDataSessions = 0; /* # of sessions with missed data */ static SSLConnCb ConnectionCb; static void* ConnectionCbCtx = NULL; +#ifdef WOLFSSL_SNIFFER_STATS /* Sessions Statistics */ static SSLStats SnifferStats; static wolfSSL_Mutex StatsMutex; +#endif static void UpdateMissedDataSessions(void) @@ -423,21 +425,25 @@ static void UpdateMissedDataSessions(void) } +#ifdef WOLFSSL_SNIFFER_STATS #define ADD_TO_STAT(x,y) do { wc_LockMutex(&StatsMutex); \ x += y; \ wc_UnLockMutex(&StatsMutex); } while (0) #define INC_STAT(x) ADD_TO_STAT(x,1) +#endif /* Initialize overall Sniffer */ void ssl_InitSniffer(void) { wolfSSL_Init(); - XMEMSET(&SnifferStats, 0, sizeof(SSLStats)); wc_InitMutex(&ServerListMutex); wc_InitMutex(&SessionMutex); wc_InitMutex(&RecoveryMutex); +#ifdef WOLFSSL_SNIFFER_STATS + XMEMSET(&SnifferStats, 0, sizeof(SSLStats)); wc_InitMutex(&StatsMutex); +#endif } @@ -1811,7 +1817,7 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, SnifferSession* session, char* error) { ProtocolVersion pv; - byte b; + byte b, b0; int toRead = VERSION_SZ + RAN_LEN + ENUM_LEN; int doResume = 0; int initialBytes = *sslBytes; @@ -1859,14 +1865,33 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, *sslBytes -= b; /* cipher suite */ - b = *input++; /* first byte, ECC or not */ - session->sslServer->options.cipherSuite0 = b; - session->sslClient->options.cipherSuite0 = b; + b0 = *input++; /* first byte, ECC or not */ + session->sslServer->options.cipherSuite0 = b0; + session->sslClient->options.cipherSuite0 = b0; b = *input++; session->sslServer->options.cipherSuite = b; session->sslClient->options.cipherSuite = b; *sslBytes -= SUITE_LEN; +#ifdef WOLFSSL_SNIFFER_STATS + { + const CipherSuiteInfo* suites = GetCipherNames(); + int suitesSz = GetCipherNamesSize(); + int match = 0; + + while (suitesSz) { + if (b0 == suites->cipherSuite0 && b == suites->cipherSuite) { + match = 1; + break; + } + suites++; + suitesSz--; + } + if (!match) + INC_STAT(SnifferStats.sslCiphersUnsupported); + } +#endif /* WOLFSSL_SNIFFER_STATS */ + /* compression */ b = *input++; *sslBytes -= ENUM_LEN; @@ -1936,8 +1961,11 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, if (XMEMCMP(session->sslServer->arrays->sessionID, session->sslClient->arrays->sessionID, ID_LEN) == 0) doResume = 1; - else if (session->sslClient->options.haveSessionId) + else if (session->sslClient->options.haveSessionId) { +#ifdef WOLFSSL_SNIFFER_STATS INC_STAT(SnifferStats.sslResumeMisses); +#endif + } } else if (session->sslClient->options.haveSessionId == 0 && session->sslServer->options.haveSessionId == 0 && @@ -1965,7 +1993,9 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, session->flags.resuming = 1; Trace(SERVER_DID_RESUMPTION_STR); +#ifdef WOLFSSL_SNIFFER_STATS INC_STAT(SnifferStats.sslResumedConns); +#endif if (SetCipherSpecs(session->sslServer) != 0) { SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); return -1; @@ -1993,7 +2023,9 @@ static int ProcessServerHello(int msgSz, const byte* input, int* sslBytes, } } else { +#ifdef WOLFSSL_SNIFFER_STATS INC_STAT(SnifferStats.sslStandardConns); +#endif } #ifdef SHOW_SECRETS { @@ -2305,6 +2337,9 @@ static int DoHandShake(const byte* input, int* sslBytes, Trace(GOT_CERT_REQ_STR); break; case server_key_exchange: +#ifdef WOLFSSL_SNIFFER_STATS + INC_STAT(SnifferStats.sslKeyFails); +#endif Trace(GOT_SERVER_KEY_EX_STR); /* can't know temp key passively */ SetError(BAD_CIPHER_SPEC_STR, error, session, FATAL_ERROR_STATE); @@ -2312,8 +2347,11 @@ static int DoHandShake(const byte* input, int* sslBytes, break; case certificate: Trace(GOT_CERT_STR); - if (session->flags.side == WOLFSSL_CLIENT_END) + if (session->flags.side == WOLFSSL_SERVER_END) { +#ifdef WOLFSSL_SNIFFER_STATS INC_STAT(SnifferStats.sslClientAuthConns); +#endif + } break; case server_hello_done: Trace(GOT_SERVER_HELLO_DONE_STR); @@ -3598,7 +3636,9 @@ doPart: break; case alert: Trace(GOT_ALERT_STR); +#ifdef WOLFSSL_SNIFFER_STATS INC_STAT(SnifferStats.sslAlerts); +#endif sslFrame += rhSize; sslBytes -= rhSize; break; @@ -3867,6 +3907,8 @@ int ssl_SetConnectionCtx(void* ctx) } +#ifdef WOLFSSL_SNIFFER_STATS + /* Resets the statistics tracking global structure. * returns 0 on success, -1 on error */ int ssl_ResetStatistics(void) @@ -3891,6 +3933,8 @@ int ssl_ReadStatistics(SSLStats* stats) return 0; } +#endif /* WOLFSSL_SNIFFER_STATS */ + #endif /* WOLFSSL_SNIFFER */ #endif /* WOLFCRYPT_ONLY */ diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index 5aadccae6..7fe607db5 100644 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -87,18 +87,68 @@ static void FreeAll(void) #endif } -static void sig_handler(const int sig) + +#ifdef WOLFSSL_SNIFFER_STATS + +static void DumpStats(void) { SSLStats sslStats; ssl_ReadStatistics(&sslStats); - printf("SSL Stats (sslStandardConns):%u\n", sslStats.sslStandardConns); - printf("SSL Stats (sslClientAuthConns):%u\n", sslStats.sslClientAuthConns); - printf("SSL Stats (sslResumedConns):%u\n", sslStats.sslResumedConns); - printf("SSL Stats (sslResumeMisses):%u\n", sslStats.sslResumeMisses); - printf("SSL Stats (sslAlerts):%u\n", sslStats.sslAlerts); + printf("SSL Stats (sslStandardConns):%u\n", + sslStats.sslStandardConns); + printf("SSL Stats (sslRehandshakeConns):%u\n", + sslStats.sslRehandshakeConns); + printf("SSL Stats (sslClientAuthConns):%u\n", + sslStats.sslClientAuthConns); + printf("SSL Stats (sslResumedConns):%u\n", + sslStats.sslResumedConns); + printf("SSL Stats (sslResumedRehandshakeConns):%u\n", + sslStats.sslResumedRehandshakeConns); + printf("SSL Stats (sslClientAuthRehandshakeConns):%u\n", + sslStats.sslClientAuthRehandshakeConns); + printf("SSL Stats (sslEphemeralMisses):%u\n", + sslStats.sslEphemeralMisses); + printf("SSL Stats (sslResumeMisses):%u\n", + sslStats.sslResumeMisses); + printf("SSL Stats (sslCiphersUnsupported):%u\n", + sslStats.sslCiphersUnsupported); + printf("SSL Stats (sslKeysUnmatched):%u\n", + sslStats.sslKeysUnmatched); + printf("SSL Stats (sslKeyFails):%u\n", + sslStats.sslKeyFails); + printf("SSL Stats (sslDecodeFails):%u\n", + sslStats.sslDecodeFails); + printf("SSL Stats (sslAlerts):%u\n", + sslStats.sslAlerts); + printf("SSL Stats (sslDecryptedBytes):%u\n", + sslStats.sslDecryptedBytes); + printf("SSL Stats (sslEncryptedBytes):%u\n", + sslStats.sslEncryptedBytes); + printf("SSL Stats (sslEncryptedPackets):%u\n", + sslStats.sslEncryptedPackets); + printf("SSL Stats (sslDecryptedPackets):%u\n", + sslStats.sslDecryptedPackets); + printf("SSL Stats (sslEncryptedConnsPerSecond):%u\n", + sslStats.sslEncryptedConnsPerSecond); + printf("SSL Stats (sslKeyMatches):%u\n", + sslStats.sslKeyMatches); + printf("SSL Stats (sslActiveEncryptedConnsPerSecond):%u\n", + sslStats.sslActiveEncryptedConnsPerSecond); + printf("SSL Stats (sslActiveFlowsPerSecond):%u\n", + sslStats.sslActiveFlowsPerSecond); +} + +#endif + + +static void sig_handler(const int sig) +{ printf("SIGINT handled = %d.\n", sig); FreeAll(); +#ifdef WOLFSSL_SNIFFER_STATS + DumpStats(); +#endif if (sig) exit(EXIT_SUCCESS); } diff --git a/wolfssl/sniffer.h b/wolfssl/sniffer.h index 66a78f005..9e50099c6 100644 --- a/wolfssl/sniffer.h +++ b/wolfssl/sniffer.h @@ -136,25 +136,25 @@ SSL_SNIFFER_API int ssl_SetConnectionCtx(void* ctx); typedef struct SSLStats { - unsigned int sslStandardConns; + unsigned int sslStandardConns; /* X */ unsigned int sslRehandshakeConns; /* unsupported */ - unsigned int sslClientAuthConns; - unsigned int sslResumedConns; + unsigned int sslClientAuthConns; /* X */ + unsigned int sslResumedConns; /* X */ unsigned int sslResumedRehandshakeConns; /* unsupported */ unsigned int sslClientAuthRehandshakeConns; /* unsupported */ unsigned int sslEphemeralMisses; - unsigned int sslResumeMisses; - unsigned int sslCiphersUnsupported; - unsigned int sslKeysUnmatched; + unsigned int sslResumeMisses; /* X */ + unsigned int sslCiphersUnsupported; /* X */ + unsigned int sslKeysUnmatched; /* X */ unsigned int sslKeyFails; unsigned int sslDecodeFails; - unsigned int sslAlerts; + unsigned int sslAlerts; /* X */ unsigned int sslDecryptedBytes; unsigned int sslEncryptedBytes; unsigned int sslEncryptedPackets; unsigned int sslDecryptedPackets; unsigned int sslEncryptedConnsPerSecond; - unsigned int sslKeyMatches; + unsigned int sslKeyMatches; /* X */ unsigned int sslActiveEncryptedConnsPerSecond; unsigned int sslActiveFlowsPerSecond; } SSLStats; From 0203a25b600e02dcfa357f154aec0f95fb109cc3 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 13 Jun 2019 15:56:03 -0700 Subject: [PATCH 4/7] Sniffer Statistics Added stats for encrypted and decrypted bytes and packet counts. --- src/sniffer.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 66 insertions(+), 7 deletions(-) diff --git a/src/sniffer.c b/src/sniffer.c index 43063854c..1da8ba4e1 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -426,10 +426,16 @@ static void UpdateMissedDataSessions(void) #ifdef WOLFSSL_SNIFFER_STATS -#define ADD_TO_STAT(x,y) do { wc_LockMutex(&StatsMutex); \ - x += y; \ - wc_UnLockMutex(&StatsMutex); } while (0) -#define INC_STAT(x) ADD_TO_STAT(x,1) +#define LOCK_STAT() do { wc_LockMutex(&StatsMutex); } while (0) +#define UNLOCK_STAT() do { wc_UnLockMutex(&StatsMutex); } while (0) + +#define NOLOCK_ADD_TO_STAT(x,y) do { TraceStat(#x, y); x += y; } while (0) +#define NOLOCK_INC_STAT(x) NOLOCK_ADD_TO_STAT(x,1) + +#define ADD_TO_STAT(x,y) do { LOCK_STAT(); \ + NOLOCK_ADD_TO_STAT(x,y); UNLOCK_STAT(); } while (0) +#define INC_STAT(x) do { LOCK_STAT(); \ + NOLOCK_INC_STAT(x); UNLOCK_STAT(); } while (0) #endif @@ -1070,6 +1076,19 @@ static void TraceSessionInfo(SSLInfo* sslInfo) } +#ifdef WOLFSSL_SNIFFER_STATS + +/* Show value added to a named statistic. */ +static void TraceStat(const char* name, int add) +{ + if (TraceOn) { + fprintf(TraceFile, "\tAdding %d to %s\n", add, name); + } +} + +#endif + + /* Set user error string */ static void SetError(int idx, char* error, SnifferSession* session, int fatal) { @@ -2862,6 +2881,13 @@ static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes, if (sslBytes == 0 && tcpInfo->ack) return 1; +#ifdef WOLFSSL_SNIFFER_STATS + LOCK_STAT(); + NOLOCK_INC_STAT(SnifferStats.sslDecryptedPackets); + NOLOCK_ADD_TO_STAT(SnifferStats.sslDecryptedBytes, sslBytes); + UNLOCK_STAT(); +#endif + SetError(BAD_SESSION_STR, error, NULL, 0); return -1; } @@ -3745,18 +3771,51 @@ static int ssl_DecodePacketInternal(const byte* packet, int length, ret = CheckSession(&ipInfo, &tcpInfo, sslBytes, &session, error); if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; else if (ret == -1) return -1; - else if (ret == 1) return 0; /* done for now */ + else if (ret == 1) { +#ifdef WOLFSSL_SNIFFER_STATS + if (sslBytes > 0) { + LOCK_STAT(); + NOLOCK_INC_STAT(SnifferStats.sslEncryptedPackets); + NOLOCK_ADD_TO_STAT(SnifferStats.sslEncryptedBytes, sslBytes); + UNLOCK_STAT(); + } + else + INC_STAT(SnifferStats.sslDecryptedPackets); +#endif + return 0; /* done for now */ + } ret = CheckSequence(&ipInfo, &tcpInfo, session, &sslBytes, &sslFrame,error); if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; else if (ret == -1) return -1; - else if (ret == 1) return 0; /* done for now */ + else if (ret == 1) { +#ifdef WOLFSSL_SNIFFER_STATS + INC_STAT(SnifferStats.sslDecryptedPackets); +#endif + return 0; /* done for now */ + } ret = CheckPreRecord(&ipInfo, &tcpInfo, &sslFrame, &session, &sslBytes, &end, error); if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; else if (ret == -1) return -1; - else if (ret == 1) return 0; /* done for now */ + else if (ret == 1) { +#ifdef WOLFSSL_SNIFFER_STATS + INC_STAT(SnifferStats.sslDecryptedPackets); +#endif + return 0; /* done for now */ + } + +#ifdef WOLFSSL_SNIFFER_STATS + if (sslBytes > 0) { + LOCK_STAT(); + NOLOCK_INC_STAT(SnifferStats.sslEncryptedPackets); + NOLOCK_ADD_TO_STAT(SnifferStats.sslEncryptedBytes, sslBytes); + UNLOCK_STAT(); + } + else + INC_STAT(SnifferStats.sslDecryptedPackets); +#endif ret = ProcessMessage(sslFrame, session, sslBytes, data, end, error); if (RemoveFatalSession(&ipInfo, &tcpInfo, session, error)) return -1; From 0eaccb725977d26259bd538edb914f31945e9f53 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 14 Jun 2019 10:37:28 -0700 Subject: [PATCH 5/7] Removed some redundant comments from the sniffer header. --- wolfssl/sniffer.h | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/wolfssl/sniffer.h b/wolfssl/sniffer.h index 9e50099c6..a02cb54b2 100644 --- a/wolfssl/sniffer.h +++ b/wolfssl/sniffer.h @@ -136,25 +136,25 @@ SSL_SNIFFER_API int ssl_SetConnectionCtx(void* ctx); typedef struct SSLStats { - unsigned int sslStandardConns; /* X */ - unsigned int sslRehandshakeConns; /* unsupported */ - unsigned int sslClientAuthConns; /* X */ - unsigned int sslResumedConns; /* X */ - unsigned int sslResumedRehandshakeConns; /* unsupported */ - unsigned int sslClientAuthRehandshakeConns; /* unsupported */ + unsigned int sslStandardConns; + unsigned int sslRehandshakeConns; + unsigned int sslClientAuthConns; + unsigned int sslResumedConns; + unsigned int sslResumedRehandshakeConns; + unsigned int sslClientAuthRehandshakeConns; unsigned int sslEphemeralMisses; - unsigned int sslResumeMisses; /* X */ - unsigned int sslCiphersUnsupported; /* X */ - unsigned int sslKeysUnmatched; /* X */ + unsigned int sslResumeMisses; + unsigned int sslCiphersUnsupported; + unsigned int sslKeysUnmatched; unsigned int sslKeyFails; unsigned int sslDecodeFails; - unsigned int sslAlerts; /* X */ + unsigned int sslAlerts; unsigned int sslDecryptedBytes; unsigned int sslEncryptedBytes; unsigned int sslEncryptedPackets; unsigned int sslDecryptedPackets; unsigned int sslEncryptedConnsPerSecond; - unsigned int sslKeyMatches; /* X */ + unsigned int sslKeyMatches; unsigned int sslActiveEncryptedConnsPerSecond; unsigned int sslActiveFlowsPerSecond; } SSLStats; From 8439beb525ce1bc06210deb674a152e723d23e5c Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 18 Jun 2019 13:12:31 -0700 Subject: [PATCH 6/7] Sniffer Statistics 1. Moved sslKeyFails. 2. Added sslEphemeralMisses, sslEncryptedConns, sslDecodeFails. 3. Removed the Rehandshake stats as the sniffer does not support rehandshaking. 4. Removed two of the per second stats as they seemed redundant. 5. Added a function to atomically read and reset the sniffer statistics. --- src/sniffer.c | 30 ++++++++++++++++++++++++--- sslSniffer/sslSnifferTest/snifftest.c | 14 ++----------- wolfssl/sniffer.h | 11 +++++----- 3 files changed, 34 insertions(+), 21 deletions(-) diff --git a/src/sniffer.c b/src/sniffer.c index 1da8ba4e1..fbab33bf1 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -428,10 +428,8 @@ static void UpdateMissedDataSessions(void) #ifdef WOLFSSL_SNIFFER_STATS #define LOCK_STAT() do { wc_LockMutex(&StatsMutex); } while (0) #define UNLOCK_STAT() do { wc_UnLockMutex(&StatsMutex); } while (0) - #define NOLOCK_ADD_TO_STAT(x,y) do { TraceStat(#x, y); x += y; } while (0) #define NOLOCK_INC_STAT(x) NOLOCK_ADD_TO_STAT(x,1) - #define ADD_TO_STAT(x,y) do { LOCK_STAT(); \ NOLOCK_ADD_TO_STAT(x,y); UNLOCK_STAT(); } while (0) #define INC_STAT(x) do { LOCK_STAT(); \ @@ -1730,6 +1728,11 @@ static int ProcessClientKeyExchange(const byte* input, int* sslBytes, } while (ret == WC_PENDING_E); } +#ifdef WOLFSSL_SNIFFER_STATS + if (ret != 0) + INC_STAT(SnifferStats.sslKeyFails); +#endif + if (keyInit) wc_ecc_free(&key); if (pubKeyInit) @@ -2357,7 +2360,7 @@ static int DoHandShake(const byte* input, int* sslBytes, break; case server_key_exchange: #ifdef WOLFSSL_SNIFFER_STATS - INC_STAT(SnifferStats.sslKeyFails); + INC_STAT(SnifferStats.sslEphemeralMisses); #endif Trace(GOT_SERVER_KEY_EX_STR); /* can't know temp key passively */ @@ -2858,6 +2861,9 @@ static int CheckSession(IpInfo* ipInfo, TcpInfo* tcpInfo, int sslBytes, /* create a new SnifferSession on client SYN */ if (tcpInfo->syn && !tcpInfo->ack) { TraceClientSyn(tcpInfo->sequence); +#ifdef WOLFSSL_SNIFFER_STATS + INC_STAT(SnifferStats.sslEncryptedConns); +#endif *session = CreateSession(ipInfo, tcpInfo, error); if (*session == NULL) { *session = GetSnifferSession(ipInfo, tcpInfo); @@ -3231,6 +3237,9 @@ static int FindNextRecordInAssembly(SnifferSession* session, } Trace(DROPPING_LOST_FRAG_STR); +#ifdef WOLFSSL_SNIFFER_STATS + INC_STAT(SnifferStats.sslDecodeFails); +#endif prev = curr; curr = curr->next; *reassemblyMemory -= (prev->end - prev->begin + 1); @@ -3992,6 +4001,21 @@ int ssl_ReadStatistics(SSLStats* stats) return 0; } +/* Copies the SSL statistics into the provided stats record then + * resets the statistics tracking global structure. + * returns 0 on success, -1 on error */ +int ssl_ReadResetStatistics(SSLStats* stats) +{ + if (stats == NULL) + return -1; + + wc_LockMutex(&StatsMutex); + XMEMCPY(stats, &SnifferStats, sizeof(SSLStats)); + XMEMSET(&SnifferStats, 0, sizeof(SSLStats)); + wc_UnLockMutex(&StatsMutex); + return 0; +} + #endif /* WOLFSSL_SNIFFER_STATS */ diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index 7fe607db5..f19c70961 100644 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -97,16 +97,10 @@ static void DumpStats(void) printf("SSL Stats (sslStandardConns):%u\n", sslStats.sslStandardConns); - printf("SSL Stats (sslRehandshakeConns):%u\n", - sslStats.sslRehandshakeConns); printf("SSL Stats (sslClientAuthConns):%u\n", sslStats.sslClientAuthConns); printf("SSL Stats (sslResumedConns):%u\n", sslStats.sslResumedConns); - printf("SSL Stats (sslResumedRehandshakeConns):%u\n", - sslStats.sslResumedRehandshakeConns); - printf("SSL Stats (sslClientAuthRehandshakeConns):%u\n", - sslStats.sslClientAuthRehandshakeConns); printf("SSL Stats (sslEphemeralMisses):%u\n", sslStats.sslEphemeralMisses); printf("SSL Stats (sslResumeMisses):%u\n", @@ -129,14 +123,10 @@ static void DumpStats(void) sslStats.sslEncryptedPackets); printf("SSL Stats (sslDecryptedPackets):%u\n", sslStats.sslDecryptedPackets); - printf("SSL Stats (sslEncryptedConnsPerSecond):%u\n", - sslStats.sslEncryptedConnsPerSecond); printf("SSL Stats (sslKeyMatches):%u\n", sslStats.sslKeyMatches); - printf("SSL Stats (sslActiveEncryptedConnsPerSecond):%u\n", - sslStats.sslActiveEncryptedConnsPerSecond); - printf("SSL Stats (sslActiveFlowsPerSecond):%u\n", - sslStats.sslActiveFlowsPerSecond); + printf("SSL Stats (sslEncryptedConns):%u\n", + sslStats.sslEncryptedConns); } #endif diff --git a/wolfssl/sniffer.h b/wolfssl/sniffer.h index a02cb54b2..3632c124b 100644 --- a/wolfssl/sniffer.h +++ b/wolfssl/sniffer.h @@ -137,11 +137,8 @@ SSL_SNIFFER_API int ssl_SetConnectionCtx(void* ctx); typedef struct SSLStats { unsigned int sslStandardConns; - unsigned int sslRehandshakeConns; unsigned int sslClientAuthConns; unsigned int sslResumedConns; - unsigned int sslResumedRehandshakeConns; - unsigned int sslClientAuthRehandshakeConns; unsigned int sslEphemeralMisses; unsigned int sslResumeMisses; unsigned int sslCiphersUnsupported; @@ -153,10 +150,8 @@ typedef struct SSLStats unsigned int sslEncryptedBytes; unsigned int sslEncryptedPackets; unsigned int sslDecryptedPackets; - unsigned int sslEncryptedConnsPerSecond; unsigned int sslKeyMatches; - unsigned int sslActiveEncryptedConnsPerSecond; - unsigned int sslActiveFlowsPerSecond; + unsigned int sslEncryptedConns; } SSLStats; @@ -168,6 +163,10 @@ WOLFSSL_API SSL_SNIFFER_API int ssl_ReadStatistics(SSLStats* stats); +WOLFSSL_API +SSL_SNIFFER_API int ssl_ReadResetStatistics(SSLStats* stats); + + #ifdef __cplusplus } /* extern "C" */ #endif From 26384d49364cd71f09a0f4ee7cadfb4fcb781ef2 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 24 Jun 2019 16:16:05 -0700 Subject: [PATCH 7/7] Sniffer Stats Upgrade the sniffer stats to unsigned long ints. --- sslSniffer/sslSnifferTest/snifftest.c | 32 +++++++++++++-------------- wolfssl/sniffer.h | 32 +++++++++++++-------------- 2 files changed, 32 insertions(+), 32 deletions(-) diff --git a/sslSniffer/sslSnifferTest/snifftest.c b/sslSniffer/sslSnifferTest/snifftest.c index f19c70961..0bdf4c718 100644 --- a/sslSniffer/sslSnifferTest/snifftest.c +++ b/sslSniffer/sslSnifferTest/snifftest.c @@ -95,37 +95,37 @@ static void DumpStats(void) SSLStats sslStats; ssl_ReadStatistics(&sslStats); - printf("SSL Stats (sslStandardConns):%u\n", + printf("SSL Stats (sslStandardConns):%lu\n", sslStats.sslStandardConns); - printf("SSL Stats (sslClientAuthConns):%u\n", + printf("SSL Stats (sslClientAuthConns):%lu\n", sslStats.sslClientAuthConns); - printf("SSL Stats (sslResumedConns):%u\n", + printf("SSL Stats (sslResumedConns):%lu\n", sslStats.sslResumedConns); - printf("SSL Stats (sslEphemeralMisses):%u\n", + printf("SSL Stats (sslEphemeralMisses):%lu\n", sslStats.sslEphemeralMisses); - printf("SSL Stats (sslResumeMisses):%u\n", + printf("SSL Stats (sslResumeMisses):%lu\n", sslStats.sslResumeMisses); - printf("SSL Stats (sslCiphersUnsupported):%u\n", + printf("SSL Stats (sslCiphersUnsupported):%lu\n", sslStats.sslCiphersUnsupported); - printf("SSL Stats (sslKeysUnmatched):%u\n", + printf("SSL Stats (sslKeysUnmatched):%lu\n", sslStats.sslKeysUnmatched); - printf("SSL Stats (sslKeyFails):%u\n", + printf("SSL Stats (sslKeyFails):%lu\n", sslStats.sslKeyFails); - printf("SSL Stats (sslDecodeFails):%u\n", + printf("SSL Stats (sslDecodeFails):%lu\n", sslStats.sslDecodeFails); - printf("SSL Stats (sslAlerts):%u\n", + printf("SSL Stats (sslAlerts):%lu\n", sslStats.sslAlerts); - printf("SSL Stats (sslDecryptedBytes):%u\n", + printf("SSL Stats (sslDecryptedBytes):%lu\n", sslStats.sslDecryptedBytes); - printf("SSL Stats (sslEncryptedBytes):%u\n", + printf("SSL Stats (sslEncryptedBytes):%lu\n", sslStats.sslEncryptedBytes); - printf("SSL Stats (sslEncryptedPackets):%u\n", + printf("SSL Stats (sslEncryptedPackets):%lu\n", sslStats.sslEncryptedPackets); - printf("SSL Stats (sslDecryptedPackets):%u\n", + printf("SSL Stats (sslDecryptedPackets):%lu\n", sslStats.sslDecryptedPackets); - printf("SSL Stats (sslKeyMatches):%u\n", + printf("SSL Stats (sslKeyMatches):%lu\n", sslStats.sslKeyMatches); - printf("SSL Stats (sslEncryptedConns):%u\n", + printf("SSL Stats (sslEncryptedConns):%lu\n", sslStats.sslEncryptedConns); } diff --git a/wolfssl/sniffer.h b/wolfssl/sniffer.h index 3632c124b..7272efce3 100644 --- a/wolfssl/sniffer.h +++ b/wolfssl/sniffer.h @@ -136,22 +136,22 @@ SSL_SNIFFER_API int ssl_SetConnectionCtx(void* ctx); typedef struct SSLStats { - unsigned int sslStandardConns; - unsigned int sslClientAuthConns; - unsigned int sslResumedConns; - unsigned int sslEphemeralMisses; - unsigned int sslResumeMisses; - unsigned int sslCiphersUnsupported; - unsigned int sslKeysUnmatched; - unsigned int sslKeyFails; - unsigned int sslDecodeFails; - unsigned int sslAlerts; - unsigned int sslDecryptedBytes; - unsigned int sslEncryptedBytes; - unsigned int sslEncryptedPackets; - unsigned int sslDecryptedPackets; - unsigned int sslKeyMatches; - unsigned int sslEncryptedConns; + unsigned long int sslStandardConns; + unsigned long int sslClientAuthConns; + unsigned long int sslResumedConns; + unsigned long int sslEphemeralMisses; + unsigned long int sslResumeMisses; + unsigned long int sslCiphersUnsupported; + unsigned long int sslKeysUnmatched; + unsigned long int sslKeyFails; + unsigned long int sslDecodeFails; + unsigned long int sslAlerts; + unsigned long int sslDecryptedBytes; + unsigned long int sslEncryptedBytes; + unsigned long int sslEncryptedPackets; + unsigned long int sslDecryptedPackets; + unsigned long int sslKeyMatches; + unsigned long int sslEncryptedConns; } SSLStats;