/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
8
9#include "squid.h"
10#include "acl/ChecklistFiller.h"
11#include "acl/FilledChecklist.h"
12#include "MasterXaction.h"
14#include "security/KeyLog.h"
15#include "security/KeyLogger.h"
16#include "security/Session.h"
17#include "SquidConfig.h"
18
19#include <ostream>
20
/// Logs the TLS secrets of `sconn` to the configured tls_key_log when
/// (slowly re-checked) preconditions allow it. Safe to call at several
/// checkpoints of the same connection: each call records every secret
/// learned so far and stops (done_) once nothing more can be learned.
/// \param sconn the TLS connection whose secrets are extracted
/// \param caller the transaction used to evaluate tls_key_log ACLs
void
Security::KeyLogger::maybeLog(const Connection &sconn, const Acl::ChecklistFiller &caller)
{
    // A negative shouldLog() verdict is final for this logger, so remember
    // it and never re-run the checks.
    if (!shouldLog(caller)) {
        done_ = true;
        return;
    }

    // Merge whatever the connection exposes right now into `secrets`.
    const Security::CommunicationSecrets freshSecrets(sconn);
    const bool learnedSomething = secrets.learnNew(freshSecrets);
    if (!learnedSomething)
        return; // nothing new yet; the next checkpoint() will try again

    // SSLKEYLOGFILE readers are likely to drop incomplete entries, so each
    // entry carries the full set of secrets known so far, not just the delta.
    Config.Log.tlsKeys->record(secrets);

    // Optimization: learned secrets are assumed not to change, so once all
    // of them are known there is nothing left for later checkpoints to add.
    done_ = done_ || secrets.gotAll();
}
42
/// Decides whether key logging is possible for the caller's transaction.
/// Volatile preconditions (configuration, log module state, done_) are
/// re-evaluated on every call; the ACL verdict is evaluated once and cached
/// in wanted_ because a false return ends all further shouldLog() calls.
/// \param caller the transaction used to fill the tls_key_log ACL checklist
/// \return true when the caller may record secrets now
bool
Security::KeyLogger::shouldLog(const Acl::ChecklistFiller &caller) const
{
    // First: preconditions that may become unmet later.

    const auto * const keyLog = Config.Log.tlsKeys;
    if (!keyLog)
        return false; // default: no tls_key_log configured (implicit "no")

    if (!keyLog->canLog()) {
        debugs(33, 3, "no: problems with the logging module");
        return false;
    }

    if (done_) {
        // paranoid: nobody should call us after we have finished
        debugs(33, 2, "BUG: caller problems or logged earlier");
        return false;
    }

    // Second: ACL checks, presumed stable for the lifetime of this logger.

    if (wanted_)
        return true; // ACLs already allowed logging earlier

    const auto aclRules = keyLog->aclList;
    if (!aclRules) {
        debugs(33, 7, "yes: no ACLs");
        wanted_ = true;
        return true;
    }

    ACLFilledChecklist checklist;
    caller.fillChecklist(checklist);
    const bool aclsAllow = checklist.fastCheck(aclRules).allowed();
    if (!aclsAllow) {
        debugs(33, 4, "no: admin does not want us to log (explicitly)");
        return false;
    }

    debugs(33, 5, "yes: ACLs matched");
    wanted_ = true;
    return true;
}
86
class SquidConfig Config
Definition: SquidConfig.cc:12
Acl::Answer const & fastCheck()
Definition: Checklist.cc:332
bool allowed() const
Definition: Acl.h:156
an interface for those capable of configuring an ACLFilledChecklist object
virtual void fillChecklist(ACLFilledChecklist &) const =0
configure the given checklist (to reflect the current transaction state)
ACLList * aclList
restrict logging to matching transactions
Definition: FormattedLog.h:61
bool learnNew(const CommunicationSecrets &news)
bool gotAll() const
whether we know all the secrets that could be extracted
void record(const CommunicationSecrets &)
writes a single (but multi-line) key log entry
Definition: KeyLog.cc:38
bool canLog() const
whether record() preconditions are currently satisfied
Definition: KeyLog.h:26
CommunicationSecrets secrets
connection secrets learned so far
Definition: KeyLogger.h:38
bool shouldLog(const Acl::ChecklistFiller &) const
(slowly checks) whether logging is possible now
Definition: KeyLogger.cc:44
bool done_
whether to prevent further logging attempts
Definition: KeyLogger.h:41
void maybeLog(const Connection &, const Acl::ChecklistFiller &)
(slowly checks logging preconditions and) logs if possible
Definition: KeyLogger.cc:22
Security::KeyLog * tlsKeys
one optional tls_key_log
Definition: SquidConfig.h:190
struct SquidConfig::@98 Log
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:194
SSL Connection
Definition: Session.h:45