/rust/registry/src/index.crates.io-1949cf8c6b5b557f/rustls-0.23.36/src/key_log.rs

Source
use core::fmt::Debug;

#[cfg(all(doc, feature = "std"))]
use crate::KeyLogFile;

/// This trait represents the ability to do something useful
/// with key material, such as logging it to a file for debugging.
///
/// Naturally, secrets passed over the interface are *extremely*
/// sensitive and can break the security of past, present and
/// future sessions.
///
/// You'll likely want some interior mutability in your
/// implementation to make this useful.
///
/// See [`KeyLogFile`] that implements the standard
/// `SSLKEYLOGFILE` environment variable behaviour.
pub trait KeyLog: Debug + Send + Sync {
    /// Log the given `secret`.  `client_random` is provided for
    /// session identification.  `label` describes precisely what
    /// `secret` means:
    ///
    /// - `CLIENT_RANDOM`: `secret` is the master secret for a TLSv1.2 session.
    /// - `CLIENT_EARLY_TRAFFIC_SECRET`: `secret` encrypts early data
    ///   transmitted by a client
    /// - `SERVER_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
    ///   handshake messages from the server during a TLSv1.3 handshake.
    /// - `CLIENT_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
    ///   handshake messages from the client during a TLSv1.3 handshake.
    /// - `SERVER_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
    ///   from the server in a TLSv1.3 session.
    /// - `CLIENT_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
    ///   from the client in a TLSv1.3 session.
    /// - `EXPORTER_SECRET`: `secret` is the post-handshake exporter secret
    ///   in a TLSv1.3 session.
    ///
    /// These strings are selected to match the NSS key log format:
    /// <https://nss-crypto.org/reference/security/nss/legacy/key_log_format/index.html>
    fn log(&self, label: &str, client_random: &[u8], secret: &[u8]);

    /// Indicates whether the secret with label `label` will be logged.
    ///
    /// If `will_log` returns true then `log` will be called with the secret.
    /// Otherwise, `log` will not be called for the secret. This is a
    /// performance optimization.
    fn will_log(&self, _label: &str) -> bool {
        true
    }
}

/// KeyLog that does exactly nothing.
#[derive(Debug)]
pub struct NoKeyLog;

impl KeyLog for NoKeyLog {
    fn log(&self, _: &str, _: &[u8], _: &[u8]) {}
    #[inline]
    fn will_log(&self, _label: &str) -> bool {
        false
    }
}

Coverage Report

Created: 2026-01-25 06:45

Line	Count	Source
1		use core::fmt::Debug;
2
3		#[cfg(all(doc, feature = "std"))]
4		use crate::KeyLogFile;
5
6		/// This trait represents the ability to do something useful
7		/// with key material, such as logging it to a file for debugging.
8		///
9		/// Naturally, secrets passed over the interface are extremely
10		/// sensitive and can break the security of past, present and
11		/// future sessions.
12		///
13		/// You'll likely want some interior mutability in your
14		/// implementation to make this useful.
15		///
16		/// See [`KeyLogFile`] that implements the standard
17		/// `SSLKEYLOGFILE` environment variable behaviour.
18		pub trait KeyLog: Debug + Send + Sync {
19		/// Log the given `secret`. `client_random` is provided for
20		/// session identification. `label` describes precisely what
21		/// `secret` means:
22		///
23		/// - `CLIENT_RANDOM`: `secret` is the master secret for a TLSv1.2 session.
24		/// - `CLIENT_EARLY_TRAFFIC_SECRET`: `secret` encrypts early data
25		/// transmitted by a client
26		/// - `SERVER_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
27		/// handshake messages from the server during a TLSv1.3 handshake.
28		/// - `CLIENT_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
29		/// handshake messages from the client during a TLSv1.3 handshake.
30		/// - `SERVER_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
31		/// from the server in a TLSv1.3 session.
32		/// - `CLIENT_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
33		/// from the client in a TLSv1.3 session.
34		/// - `EXPORTER_SECRET`: `secret` is the post-handshake exporter secret
35		/// in a TLSv1.3 session.
36		///
37		/// These strings are selected to match the NSS key log format:
38		/// <https://nss-crypto.org/reference/security/nss/legacy/key_log_format/index.html>
39		fn log(&self, label: &str, client_random: &[u8], secret: &[u8]);
40
41		/// Indicates whether the secret with label `label` will be logged.
42		///
43		/// If `will_log` returns true then `log` will be called with the secret.
44		/// Otherwise, `log` will not be called for the secret. This is a
45		/// performance optimization.
46	0	fn will_log(&self, _label: &str) -> bool {
47	0	true
48	0	}
49		}
50
51		/// KeyLog that does exactly nothing.
52		#[derive(Debug)]
53		pub struct NoKeyLog;
54
55		impl KeyLog for NoKeyLog {
56	0	fn log(&self, _: &str, _: &[u8], _: &[u8]) {}
57		#[inline]
58	0	fn will_log(&self, _label: &str) -> bool {
59	0	false
60	0	}
61		}