KeyLogger.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 #include "acl/ChecklistFiller.h"
11 #include "acl/FilledChecklist.h"
12 #include "MasterXaction.h"
14 #include "security/KeyLog.h"
15 #include "security/KeyLogger.h"
16 #include "security/Session.h"
17 #include "SquidConfig.h"
18 
19 #include <ostream>
20 
21 void
23 {
24  if (!shouldLog(caller)) {
25  done_ = true; // do not try again
26  return;
27  }
28 
29  Security::CommunicationSecrets newSecrets(sconn);
30  if (!secrets.learnNew(newSecrets)) // no new secrets extracted
31  return; // will retry extracting secrets during the next checkpoint()
32 
33  // SSLKEYLOGFILE consumers probably discard incomplete record lines. To
34  // avoid providing incomplete/unusable info in _each_ record, we always
35  // record all the learned secrets, including any previously recorded ones.
37 
38  // optimization: here, we assume learned secrets do not change
39  if (secrets.gotAll())
40  done_ = true;
41 }
42 
43 bool
45 {
46  // First, always check preconditions that may change, becoming unmet/false
47 
48  if (!Config.Log.tlsKeys)
49  return false; // default: admin does not want us to log (implicitly)
50 
51  if (!Config.Log.tlsKeys->canLog()) {
52  debugs(33, 3, "no: problems with the logging module");
53  return false;
54  }
55 
56  if (done_) { // paranoid: we should not even be called w/o transaction
57  debugs(33, 2, "BUG: caller problems or logged earlier");
58  return false;
59  }
60 
61  // Second, do the ACL-related checks (that are presumed to be stable)
62 
63  // We can keep wanted_ a boolean (instead of a tri-state) member because if
64  // shouldLog() returns false, there will be no further shouldLog() calls.
65  if (wanted_)
66  return true; // was allowed to log earlier
67 
68  const auto acls = Config.Log.tlsKeys->aclList;
69  if (!acls) {
70  debugs(33, 7, "yes: no ACLs");
71  wanted_ = true;
72  return true;
73  }
74 
75  ACLFilledChecklist checklist;
76  caller.fillChecklist(checklist);
77  if (!checklist.fastCheck(acls).allowed()) {
78  debugs(33, 4, "no: admin does not want us to log (explicitly)");
79  return false;
80  }
81 
82  debugs(33, 5, "yes: ACLs matched");
83  wanted_ = true;
84  return true;
85 }
86 
class SquidConfig Config
Definition: SquidConfig.cc:12
Acl::Answer const & fastCheck()
Definition: Checklist.cc:332
bool allowed() const
Definition: Acl.h:150
an interface for those capable of configuring an ACLFilledChecklist object
virtual void fillChecklist(ACLFilledChecklist &) const =0
configure the given checklist (to reflect the current transaction state)
ACLList * aclList
restrict logging to matching transactions
Definition: FormattedLog.h:61
bool learnNew(const CommunicationSecrets &news)
bool gotAll() const
whether we know all the secrets that could be extracted
void record(const CommunicationSecrets &)
writes a single (but multi-line) key log entry
Definition: KeyLog.cc:38
bool canLog() const
whether record() preconditions are currently satisfied
Definition: KeyLog.h:26
CommunicationSecrets secrets
connection secrets learned so far
Definition: KeyLogger.h:38
bool shouldLog(const Acl::ChecklistFiller &) const
(slowly checks) whether logging is possible now
Definition: KeyLogger.cc:44
bool done_
whether to prevent further logging attempts
Definition: KeyLogger.h:41
void maybeLog(const Connection &, const Acl::ChecklistFiller &)
(slowly checks logging preconditions and) logs if possible
Definition: KeyLogger.cc:22
Security::KeyLog * tlsKeys
one optional tls_key_log
Definition: SquidConfig.h:188
struct SquidConfig::@101 Log
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:196
SSL Connection
Definition: Session.h:45

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors