
oxitls_core/
keylog.rs

//! Key-logging policy for TLS session secret export.
//!
//! `KeyLogPolicy` controls whether session secrets are exported at all and,
//! if so, whether they go to a file (SSLKEYLOGFILE format, compatible with
//! Wireshark) or to a custom callback.
5
6use std::fmt;
7use std::path::PathBuf;
8use std::sync::Arc;
9
/// Sink for TLS session secrets.
///
/// An implementation receives one (label, client random, secret) triple per
/// call and is responsible for recording it in the NSS Key Log Format read by
/// Wireshark and similar tools.
///
/// The supertraits require every implementor to be `Send + Sync + fmt::Debug`.
/// Because `Debug` is mandatory, an implementor's `Debug` output should not
/// include secret bytes it has received.
///
/// Everything passed through this trait is key material: a party holding it
/// together with a capture of the session can decrypt that session. Restrict
/// access to the destination as tightly as to the traffic itself.
pub trait KeyLog: Send + Sync + fmt::Debug {
    /// Records one session secret.
    ///
    /// # Parameters
    /// - `label`: the NSS key log label, e.g. `"CLIENT_RANDOM"`.
    /// - `client_random`: the 32-byte client random from the ClientHello.
    ///   The slice type does not enforce that length.
    /// - `secret`: the session secret bytes.
    ///
    /// The method returns nothing, so a failed write cannot be reported to the
    /// caller through this signature.
    fn log(&self, label: &str, client_random: &[u8], secret: &[u8]);
}
26
/// Selects whether, and where, TLS session secrets are exported.
///
/// Exported secrets let anyone who holds them decrypt a capture of the
/// corresponding sessions, so choose a variant other than `Disabled` only for
/// deliberate debugging.
///
/// `Clone` is derived. Cloning `Custom` clones the `Arc`, so both copies share
/// one underlying logger instance.
#[derive(Clone)]
pub enum KeyLogPolicy {
    /// No session secrets are exported. Documented as the default.
    // NOTE(review): no `Default` impl is visible in this listing; confirm that
    // the configuration using this type really starts out as `Disabled`.
    Disabled,
    /// Appends session secrets to the given file in NSS Key Log Format.
    // NOTE(review): the code that opens this file is not shown here; confirm
    // that it creates the file readable by its owner only.
    File(PathBuf),
    /// Forwards session secrets to a custom [`KeyLog`] implementation.
    Custom(Arc<dyn KeyLog>),
}
40
impl fmt::Debug for KeyLogPolicy {
    /// Formats the policy as its variant name.
    ///
    /// `File` includes the `Debug` form of its path. `Custom` prints a fixed
    /// placeholder and never calls the wrapped logger's own `Debug` impl.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // Only `File` needs formatting machinery; the other two variants are
        // fixed strings and are written out together below.
        let fixed = match self {
            Self::File(path) => return write!(f, "KeyLogPolicy::File({path:?})"),
            Self::Disabled => "KeyLogPolicy::Disabled",
            Self::Custom(_) => "KeyLogPolicy::Custom(<KeyLog impl>)",
        };
        f.write_str(fixed)
    }
}