rustls/
key_log.rs

1use core::fmt::Debug;
2
3/// This trait represents the ability to do something useful
4/// with key material, such as logging it to a file for debugging.
5///
6/// Naturally, secrets passed over the interface are *extremely*
7/// sensitive and can break the security of past, present and
8/// future sessions.
9///
10/// You'll likely want some interior mutability in your
11/// implementation to make this useful.
12///
13/// See [`KeyLogFile`](crate::KeyLogFile) that implements the standard
14/// `SSLKEYLOGFILE` environment variable behaviour.
15pub trait KeyLog: Debug + Send + Sync {
16    /// Log the given `secret`.  `client_random` is provided for
17    /// session identification.  `label` describes precisely what
18    /// `secret` means:
19    ///
20    /// - `CLIENT_RANDOM`: `secret` is the master secret for a TLSv1.2 session.
21    /// - `CLIENT_EARLY_TRAFFIC_SECRET`: `secret` encrypts early data
22    ///   transmitted by a client
23    /// - `SERVER_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
24    ///   handshake messages from the server during a TLSv1.3 handshake.
25    /// - `CLIENT_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
26    ///   handshake messages from the client during a TLSv1.3 handshake.
27    /// - `SERVER_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
28    ///   from the server in a TLSv1.3 session.
29    /// - `CLIENT_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
30    ///   from the client in a TLSv1.3 session.
31    /// - `EXPORTER_SECRET`: `secret` is the post-handshake exporter secret
32    ///   in a TLSv1.3 session.
33    ///
34    /// These strings are selected to match the NSS key log format:
35    /// <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format>
36    fn log(&self, label: &str, client_random: &[u8], secret: &[u8]);
37
38    /// Indicates whether the secret with label `label` will be logged.
39    ///
40    /// If `will_log` returns true then `log` will be called with the secret.
41    /// Otherwise, `log` will not be called for the secret. This is a
42    /// performance optimization.
43    fn will_log(&self, _label: &str) -> bool {
44        true
45    }
46}
47
48/// KeyLog that does exactly nothing.
49#[derive(Debug)]
50pub struct NoKeyLog;
51
52impl KeyLog for NoKeyLog {
53    fn log(&self, _: &str, _: &[u8], _: &[u8]) {}
54    #[inline]
55    fn will_log(&self, _label: &str) -> bool {
56        false
57    }
58}