blob: 396c245b79d26ddbf00b45d104135c39bdf0f740 [file] [log] [blame]
use std::env;
use std::fs::{File, OpenOptions};
use std::path::Path;
use std::io;
use std::io::Write;
use std::sync::Mutex;
#[cfg(feature = "logging")]
use crate::log::warn;
/// This trait represents the ability to do something useful
/// with key material, such as logging it to a file for debugging.
///
/// Naturally, secrets passed over the interface are *extremely*
/// sensitive and can break the security of past, present and
/// future sessions.
///
/// You'll likely want some interior mutability in your
/// implementation to make this useful.
///
/// See `KeyLogFile` that implements the standard `SSLKEYLOGFILE`
/// environment variable behaviour.
pub trait KeyLog : Send + Sync {
/// Log the given `secret`. `client_random` is provided for
/// session identification. `label` describes precisely what
/// `secret` means:
///
/// - `CLIENT_RANDOM`: `secret` is the master secret for a TLSv1.2 session.
/// - `SERVER_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
/// handshake messages from the server during a TLSv1.3 handshake.
/// - `CLIENT_HANDSHAKE_TRAFFIC_SECRET`: `secret` encrypts
/// handshake messages from the client during a TLSv1.3 handshake.
/// - `SERVER_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
/// from the server in a TLSv1.3 session.
/// - `CLIENT_TRAFFIC_SECRET_0`: `secret` encrypts post-handshake data
/// from the client in a TLSv1.3 session.
/// - `EXPORTER_SECRET`: `secret` is the post-handshake exporter secret
/// in a TLSv1.3 session.
///
/// These strings are selected to match the NSS key log format:
/// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format
fn log(&self, label: &str, client_random: &[u8], secret: &[u8]);
}
/// KeyLog that does exactly nothing.
pub struct NoKeyLog;
impl KeyLog for NoKeyLog {
fn log(&self, _: &str, _: &[u8], _: &[u8]) {}
}
// Internal mutable state for KeyLogFile
struct KeyLogFileInner {
file: Option<File>,
buf: Vec<u8>,
}
impl KeyLogFileInner {
fn new() -> Self {
let var = env::var("SSLKEYLOGFILE");
let path = match var {
Ok(ref s) => Path::new(s),
Err(env::VarError::NotUnicode(ref s)) => Path::new(s),
Err(env::VarError::NotPresent) => {
return KeyLogFileInner {
file: None,
buf: Vec::new(),
};
}
};
#[cfg_attr(not(feature = "logging"), allow(unused_variables))]
let file = match OpenOptions::new()
.append(true)
.create(true)
.open(path) {
Ok(f) => Some(f),
Err(e) => {
warn!("unable to create key log file '{:?}': {}", path, e);
None
}
};
KeyLogFileInner {
file,
buf: Vec::new(),
}
}
fn try_write(&mut self, label: &str, client_random: &[u8], secret: &[u8]) -> io::Result<()> {
let mut file = match self.file {
None => { return Ok(()); }
Some(ref f) => f,
};
self.buf.truncate(0);
write!(self.buf, "{} ", label)?;
for b in client_random.iter() {
write!(self.buf, "{:02x}", b)?;
}
write!(self.buf, " ")?;
for b in secret.iter() {
write!(self.buf, "{:02x}", b)?;
}
write!(self.buf, "\n")?;
file.write_all(&self.buf)
}
}
/// `KeyLog` implementation that opens a file whose name is
/// given by the `SSLKEYLOGFILE` environment variable, and writes
/// keys into it.
///
/// If `SSLKEYLOGFILE` is not set, this does nothing.
///
/// If such a file cannot be opened, or cannot be written then
/// this does nothing but logs errors at warning-level.
pub struct KeyLogFile(Mutex<KeyLogFileInner>);
impl KeyLogFile {
/// Makes a new `KeyLogFile`. The environment variable is
/// inspected and the named file is opened during this call.
pub fn new() -> Self {
KeyLogFile(Mutex::new(KeyLogFileInner::new()))
}
}
impl KeyLog for KeyLogFile {
fn log(&self, label: &str, client_random: &[u8], secret: &[u8]) {
#[cfg_attr(not(feature = "logging"), allow(unused_variables))]
match self.0.lock()
.unwrap()
.try_write(label, client_random, secret) {
Ok(()) => {},
Err(e) => {
warn!("error writing to key log file: {}", e);
}
}
}
}