Skip to main content

rustls/
key_log.rs

1use core::fmt::Debug;
2
3/// This trait represents the ability to do something useful
4/// with key material, such as logging it to a file for debugging.
5///
6/// Naturally, secrets passed over the interface are *extremely*
7/// sensitive and can break the security of past, present and
8/// future sessions.
9///
10/// You'll likely want some interior mutability in your
11/// implementation to make this useful.
12///
13/// For the standard `SSLKEYLOGFILE` environment variable behavior,
14/// see the `KeyLogFile` implementation provided in the rustls-util crate.
15pub trait KeyLog: Debug + Send + Sync {
16    /// Log the given `secret`.  `client_random` is provided for
17    /// session identification.  `label` describes precisely what
18    /// `secret` means:
19    ///
20    /// - `CLIENT_RANDOM`: `secret` is the master secret for a TLSv1.2 session.
21    /// - `CLIENT_EARLY_TRAFFIC_SECRET`: `secret` encrypts early data
22    ///   transmitted by a client
23    /// - `SERVER_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
24    ///   handshake messages from the server during a TLSv1.3 handshake.
25    /// - `CLIENT_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
26    ///   handshake messages from the client during a TLSv1.3 handshake.
27    /// - `SERVER_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
28    ///   from the server in a TLSv1.3 session.
29    /// - `CLIENT_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
30    ///   from the client in a TLSv1.3 session.
31    /// - `EXPORTER_SECRET`: `secret` is the post-handshake exporter secret
32    ///   in a TLSv1.3 session.
33    ///
34    /// These strings are selected to match the NSS key log format:
35    /// <https://nss-crypto.org/reference/security/nss/legacy/key_log_format/index.html>
36    fn log(&self, label: &str, client_random: &[u8], secret: &[u8]);
37
38    /// Indicates whether the secret with label `label` will be logged.
39    ///
40    /// If `will_log` returns true then `log` will be called with the secret.
41    /// Otherwise, `log` will not be called for the secret. This is a
42    /// performance optimization.
43    fn will_log(&self, _label: &str) -> bool {
44        true
45    }
46}
47
48/// KeyLog that does exactly nothing.
49#[expect(clippy::exhaustive_structs)]
50#[derive(Debug)]
51pub struct NoKeyLog;
52
53impl KeyLog for NoKeyLog {
54    fn log(&self, _: &str, _: &[u8], _: &[u8]) {}
55    #[inline]
56    fn will_log(&self, _label: &str) -> bool {
57        false
58    }
59}