diff --git a/Cargo.toml b/Cargo.toml
index 26f7901..651b25e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -5,3 +5,8 @@ members = [
# tests and example code that depend on mio
"rustls-mio",
]
+
+
+
+[patch.crates-io]
+ring = { path = '../ring' }
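Review bot: `ring = { path = '../ring' }` under `[patch.crates-io]` replaces the workspace's cryptographic provider with whatever happens to be checked out in a sibling directory, so the build is no longer reproducible from the lockfile and anyone cloning the tree gets a different `ring` (or none) than the one that was reviewed. A `[patch]` pointing at a local path is a development-machine override and does not belong in the committed workspace manifest; keep it in a local, uncommitted override, or if the patched `ring` really is required, pin it to a `git` source with an explicit `rev` so the exact revision is recorded. The three blank lines added above it are also noise.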
diff --git a/rustls-mio/Cargo.toml b/rustls-mio/Cargo.toml
index 09ae1ec..c1c6297 100644
--- a/rustls-mio/Cargo.toml
+++ b/rustls-mio/Cargo.toml
@@ -38,3 +38,4 @@ path = "examples/tlsclient.rs"
[[example]]
name = "tlsserver"
path = "examples/tlsserver.rs"
+
diff --git a/rustls/src/cipher.rs b/rustls/src/cipher.rs
index ece32a6..b9c4409 100644
--- a/rustls/src/cipher.rs
+++ b/rustls/src/cipher.rs
@@ -153,8 +153,10 @@ pub fn new_tls13_read(
scs: &'static SupportedCipherSuite,
secret: &hkdf::Prk,
) -> Box<dyn MessageDecrypter> {
+ log::info!("NEW TLS13 READ");
let key = derive_traffic_key(secret, scs.aead_algorithm);
let iv = derive_traffic_iv(secret);
+ log::info!("NEW TLS13 READ DONE");
Box::new(TLS13MessageDecrypter::new(key, iv))
}
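Review bot: `log::info!("NEW TLS13 READ")`, `log::info!("NEW TLS13 READ DONE")` and, in the next hunk, `log::info!("DANGIT")` are placeholder debug strings emitted at info level from library code, so every rustls consumer with an info-level logger sees them on each key install. If the tracing is meant to stay, drop it to `log::trace!` with a message that says what happened, e.g. `log::trace!("installing TLS 1.3 read key");` — the same applies to the `tlswrite::` breadcrumbs added in `client/hs.rs` and `client/tls13.rs`, which read as the author's own navigation markers rather than library diagnostics. Both `new_tls13_read` and `new_tls13_write` have their signatures before the hunk, and `new_tls13_write`'s body continues past the second hunk.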
@@ -163,6 +165,7 @@ pub fn new_tls13_write(
scs: &'static SupportedCipherSuite,
secret: &hkdf::Prk,
) -> Box<dyn MessageEncrypter> {
+ log::info!("DANGIT");
let key = derive_traffic_key(secret, scs.aead_algorithm);
let iv = derive_traffic_iv(secret);
@@ -343,6 +346,8 @@ fn make_tls13_nonce(iv: &Iv, seq: u64) -> ring::aead::Nonce {
let mut nonce = [0u8; ring::aead::NONCE_LEN];
codec::put_u64(seq, &mut nonce[4..]);
+ log::info!("seq{} iv {:x?}", seq, iv.0);
+
nonce
.iter_mut()
.zip(iv.0.iter())
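Review bot: `log::info!("seq{} iv {:x?}", seq, iv.0)` writes the per-direction traffic IV to the log, and the next hunk adds the derived nonce (`"nonce nonce {:x?}"`); together with the traffic-key logging added in `key_schedule.rs` that is the complete record-protection state of the connection, in plain text, in whatever sink the application's logger uses. The decrypt hunks below go further: `"decrypt buf {:x?}"` logs the ciphertext and `"decrypted buf {:x?}"` logs the recovered plaintext of every record. None of this should ship at info level in a TLS library; remove it, or if a secret-export path is needed for debugging use the existing `KeyLog` mechanism, which only writes when the application opts in. `make_tls13_nonce` is split across this hunk and the next, and the `decrypt` method continues outside the hunks shown.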
@@ -350,6 +355,8 @@ fn make_tls13_nonce(iv: &Iv, seq: u64) -> ring::aead::Nonce {
*nonce ^= *iv;
});
+ log::info!("nonce nonce {:x?}", nonce);
+
aead::Nonce::assume_unique_for_key(nonce)
}
@@ -398,11 +405,14 @@ impl MessageDecrypter for TLS13MessageDecrypter {
let nonce = make_tls13_nonce(&self.iv, seq);
let aad = make_tls13_aad(buf.len());
+ log::info!("addition data via len={}", buf.len());
+ log::info!("decrypt buf {:x?}", buf);
let plain_len = self
.dec_key
.open_in_place(nonce, aad, &mut buf)
.map_err(|_| TlsError::DecryptError)?
.len();
+ log::info!("decrypted buf {:x?}", buf);
buf.truncate(plain_len);
@@ -410,7 +420,9 @@ impl MessageDecrypter for TLS13MessageDecrypter {
return Err(TlsError::PeerSentOversizedRecord);
}
+
let content_type = unpad_tls13(&mut buf);
+ log::info!("content type {:?}", content_type);
if content_type == ContentType::Unknown(0) {
let msg = "peer sent bad TLSInnerPlaintext".to_string();
return Err(TlsError::PeerMisbehavedError(msg));
diff --git a/rustls/src/client/hs.rs b/rustls/src/client/hs.rs
index 8395e66..e279f12 100644
--- a/rustls/src/client/hs.rs
+++ b/rustls/src/client/hs.rs
@@ -404,6 +404,7 @@ fn emit_client_hello_for_retry(
&randoms.client,
);
// Set early data encryption key
+ log::info!("set tls13_write for early");
sess.common
.record_layer
.set_message_encrypter(cipher::new_tls13_write(
diff --git a/rustls/src/client/tls13.rs b/rustls/src/client/tls13.rs
index d352158..ef40fd1 100644
--- a/rustls/src/client/tls13.rs
+++ b/rustls/src/client/tls13.rs
@@ -254,6 +254,7 @@ pub fn start_handshake_traffic(
&*sess.config.key_log,
&randoms.client,
);
+ log::info!("tlswrite:: no early data set write");
sess.common
.record_layer
.set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
@@ -443,6 +444,7 @@ impl hs::State for ExpectEncryptedExtensions {
&*sess.config.key_log,
&self.randoms.client,
);
+ log::info!("tlswrite:: was early data set write");
sess.common
.record_layer
.set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
@@ -945,6 +947,7 @@ impl hs::State for ExpectFinished {
emit_end_of_early_data_tls13(&mut st.transcript, sess);
sess.common.early_traffic = false;
sess.early_data.finished();
+ log::info!("tlswrite:: maybe after handshake write");
sess.common
.record_layer
.set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
@@ -986,6 +989,7 @@ impl hs::State for ExpectFinished {
&*sess.config.key_log,
&st.randoms.client,
);
+ log::info!("tlswrite:: application write now");
sess.common
.record_layer
.set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
@@ -1191,6 +1195,7 @@ impl hs::State for ExpectTraffic {
.key_schedule
.next_client_application_traffic_secret();
let scs = sess.common.get_suite_assert();
+ log::info!("tlswrite:: perhaps write key update");
sess.common
.record_layer
.set_message_encrypter(cipher::new_tls13_write(scs, &write_key));
diff --git a/rustls/src/hash_hs.rs b/rustls/src/hash_hs.rs
index 1c9685d..f53d87c 100644
--- a/rustls/src/hash_hs.rs
+++ b/rustls/src/hash_hs.rs
@@ -63,6 +63,7 @@ impl HandshakeHash {
}
let mut ctx = digest::Context::new(alg);
+ log::info!("hash [{:x?}", &self.buffer);
ctx.update(&self.buffer);
self.ctx = Some(ctx);
@@ -88,7 +89,9 @@ impl HandshakeHash {
/// Hash or buffer a byte slice.
fn update_raw(&mut self, buf: &[u8]) -> &mut Self {
if let Some(ctx) = &mut self.ctx {
+ log::info!("hash [{:x?}]", &buf);
ctx.update(buf);
+ log::info!("cur value: {:x?}", ctx.clone().finish().as_ref())
}
if self.ctx.is_none() || self.client_auth_enabled {
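Review bot: `log::info!("cur value: {:x?}", ctx.clone().finish().as_ref())` clones and finalizes the digest context on every `update_raw` call whenever info logging is enabled, and together with the `"hash [{:x?}]"` line dumps the full handshake transcript — which, as far as I can tell from the surrounding code, includes the handshake messages that are only ever sent encrypted after ServerHello — into the application log. If a transcript trace is wanted, logging the length gives the control-flow information without the content or the extra digest: `log::trace!("hashed {} transcript bytes", buf.len());`. The format string in the previous hunk, `"hash [{:x?}"`, is also missing its closing bracket. `update_raw` continues past this hunk.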
diff --git a/rustls/src/key_schedule.rs b/rustls/src/key_schedule.rs
index a18347d..8b58e9d 100644
--- a/rustls/src/key_schedule.rs
+++ b/rustls/src/key_schedule.rs
@@ -151,6 +151,7 @@ impl KeyScheduleHandshake {
client_random: &[u8; 32],
) -> hkdf::Prk {
// Use an empty handshake hash for the initial handshake.
+ log::info!("derive client secret");
let secret = self.ks.derive_logged_secret(
SecretKind::ClientHandshakeTrafficSecret,
hs_hash.as_ref(),
@@ -158,6 +159,7 @@ impl KeyScheduleHandshake {
client_random,
);
self.current_client_traffic_secret = Some(secret.clone());
+ log::info!("c hs secret {:x?}", secret);
secret
}
@@ -167,6 +169,7 @@ impl KeyScheduleHandshake {
key_log: &dyn KeyLog,
client_random: &[u8; 32],
) -> hkdf::Prk {
+ log::info!("derive server secret");
let secret = self.ks.derive_logged_secret(
SecretKind::ServerHandshakeTrafficSecret,
hs_hash.as_ref(),
@@ -224,6 +227,7 @@ impl KeyScheduleTrafficWithClientFinishedPending {
key_log: &dyn KeyLog,
client_random: &[u8; 32],
) -> hkdf::Prk {
+ log::info!("derive server traffic secret");
let secret = self.ks.derive_logged_secret(
SecretKind::ServerApplicationTrafficSecret,
hs_hash.as_ref(),
@@ -240,6 +244,7 @@ impl KeyScheduleTrafficWithClientFinishedPending {
key_log: &dyn KeyLog,
client_random: &[u8; 32],
) -> hkdf::Prk {
+ log::info!("derive client traffic secret");
let secret = self.ks.derive_logged_secret(
SecretKind::ClientApplicationTrafficSecret,
hs_hash.as_ref(),
@@ -335,10 +340,14 @@ impl KeySchedule {
let zeroes = [0u8; digest::MAX_OUTPUT_LEN];
let zeroes = &zeroes[..algorithm.len()];
let salt = hkdf::Salt::new(algorithm, &zeroes);
- KeySchedule {
+ let ks = KeySchedule {
current: salt.extract(secret),
algorithm,
- }
+ };
+
+ log::info!("ks-initial: {:x?}", ks.current);
+
+ ks
}
#[inline]
@@ -361,6 +370,7 @@ impl KeySchedule {
fn input_secret(&mut self, secret: &[u8]) {
let salt: hkdf::Salt = self.derive_for_empty_hash(SecretKind::DerivedSecret);
self.current = salt.extract(secret);
+ log::info!("input_secret now -> {:x?}", self.current);
}
/// Derive a secret of given `kind`, using current handshake hash `hs_hash`.
@@ -369,6 +379,9 @@ impl KeySchedule {
T: for<'a> From<hkdf::Okm<'a, L>>,
L: hkdf::KeyType,
{
+ let loggable = hkdf_expand::<PayloadU8, _>( &self.current, PayloadU8Len(self.algorithm.len()), kind.to_bytes(), hs_hash.as_ref()).into_inner();
+ log::info!("---loggable--> {:x?}", loggable);
+
hkdf_expand(&self.current, key_type, kind.to_bytes(), hs_hash.as_ref())
}
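Review bot: The `loggable` expansion at the top of `derive` performs a second `hkdf_expand` of the same PRK into a `PayloadU8` on every call, unconditionally — it sits outside the `log::info!` so it runs even when info logging is off — and then prints the raw derived secret. The same pattern is repeated in `sign_verify_data` (the `finished` key), `derive_traffic_key` and `derive_traffic_iv`, while `"ks-initial"`, `"input_secret now ->"` and `"c hs secret {:x?}"` print `hkdf::Prk` values through `Debug` (presumably redacted by `ring`, which would explain why the `loggable` detour exists — worth confirming). This puts every TLS 1.3 secret, key and IV into the ordinary application log; the crate already has `derive_logged_secret` and the `KeyLog` trait for exporting secrets on the application's explicit request, so the `log::info!` lines and the `loggable` derivations should be removed rather than left behind an info level. `derive`'s signature starts before this hunk.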
@@ -404,6 +417,7 @@ impl KeySchedule {
.hmac_algorithm()
.digest_algorithm();
let empty_hash = digest::digest(digest_alg, &[]);
+ log::info!("derive_for_empty_hash");
self.derive(self.algorithm, kind, empty_hash.as_ref())
}
@@ -417,7 +431,13 @@ impl KeySchedule {
/// `base_key`.
fn sign_verify_data(&self, base_key: &hkdf::Prk, hs_hash: &Digest) -> hmac::Tag {
let hmac_alg = self.algorithm.hmac_algorithm();
+
+ log::info!("hmac len {}", self.algorithm.hmac_algorithm().len());
+ let loggable = hkdf_expand::<PayloadU8, _>( base_key, PayloadU8Len(self.algorithm.hmac_algorithm().len()), b"finished", &[]);
+ log::info!("---sign key--> {:x?}", loggable);
+
let hmac_key = hkdf_expand(base_key, hmac_alg, b"finished", &[]);
+ log::info!("signing {:?} {:x?}", hmac_key, hs_hash.as_ref());
hmac::sign(&hmac_key, hs_hash.as_ref())
}
@@ -491,10 +511,13 @@ where
F: for<'b> FnOnce(hkdf::Okm<'b, L>) -> T,
L: hkdf::KeyType,
{
+
+ log::info!("expand context={:x?}", context);
const LABEL_PREFIX: &[u8] = b"tls13 ";
let output_len = u16::to_be_bytes(key_type.len() as u16);
let label_len = u8::to_be_bytes((LABEL_PREFIX.len() + label.len()) as u8);
+ log::info!("label len {} {:x?}", LABEL_PREFIX.len() + label.len(), label_len);
let context_len = u8::to_be_bytes(context.len() as u8);
let info = &[
@@ -505,6 +528,8 @@ where
&context_len[..],
context,
];
+
+ log::debug!("expand info={:x?}", info);
let okm = secret.expand(info, key_type).unwrap();
f(okm)
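Review bot: `log::debug!("expand info={:x?}", info)` is the only one of the new log calls at debug level; the rest of this change, including `"expand context={:x?}"` and `"label len ..."` in the previous hunk, uses `log::info!`, so the verbosity of the HKDF trace depends on which line fires. Pick one level — `trace` is the conventional one for per-derivation internals — and apply it to both hunks. Note that `info` here carries the label and the context but not the PRK, so these two lines are the only ones in this file that do not print key material. `hkdf_expand`'s signature and body extend beyond these hunks.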
@@ -529,10 +554,16 @@ pub fn derive_traffic_key(
secret: &hkdf::Prk,
aead_algorithm: &'static aead::Algorithm,
) -> aead::UnboundKey {
+ log::info!("derive traffic key");
+ let loggable = hkdf_expand::<PayloadU8, _>( secret, PayloadU8Len(aead_algorithm.len()), b"key", &[]);
+ log::info!("---traffic key--> {:x?}", loggable);
hkdf_expand(secret, aead_algorithm, b"key", &[])
}
pub(crate) fn derive_traffic_iv(secret: &hkdf::Prk) -> Iv {
+ log::info!("derive traffic iv");
+ let loggable = hkdf_expand::<PayloadU8, _>( secret, PayloadU8Len(IvLen.len()), b"iv", &[]);
+ log::info!("---traffic iv--> {:x?}", loggable);
hkdf_expand(secret, IvLen, b"iv", &[])
}
diff --git a/rustls/src/keylog.rs b/rustls/src/keylog.rs
index dc06f24..c89ec9f 100644
--- a/rustls/src/keylog.rs
+++ b/rustls/src/keylog.rs
@@ -120,6 +120,7 @@ impl KeyLogFileInner {
write!(self.buf, "{:02x}", b)?;
}
writeln!(self.buf)?;
+ log::info!("LOGGING {} {:x?}", label, secret);
file.write_all(&self.buf)
}
}
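Review bot: `log::info!("LOGGING {} {:x?}", label, secret)` copies the secret that `KeyLogFileInner` is about to write to the user-designated key-log file into the process log as well. The whole point of this type is that secrets leave the process only through the file the application named (`SSLKEYLOGFILE` in the usual setup); a second copy at info level in the generic logger defeats that. If the goal is to see that a write happened, log the label only: `log::trace!("key log: wrote {}", label);`. The enclosing method starts before this hunk.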
diff --git a/rustls/src/server/tls13.rs b/rustls/src/server/tls13.rs
index 2617cad..7bcf8fe 100644
--- a/rustls/src/server/tls13.rs
+++ b/rustls/src/server/tls13.rs
@@ -131,6 +131,8 @@ impl CompleteClientHelloHandling {
.and_then(|kx| kx.complete(&share.payload.0))
.ok_or_else(|| TlsError::PeerMisbehavedError("key exchange failed".to_string()))?;
+ log::info!("ecdhe {:x?}", kxr.shared_secret);
+
let kse = KeyShareEntry::new(share.group, kxr.pubkey.as_ref());
extensions.push(ServerExtension::KeyShare(kse));
extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
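Review bot: `log::info!("ecdhe {:x?}", kxr.shared_secret)` prints the ECDHE shared secret — the input from which every handshake and application traffic secret of the session is derived — into the application log at info level. Nothing else in this hunk needs it; if you want to confirm the key exchange completed, log the group instead, e.g. `log::trace!("key exchange completed for {:?}", share.group);`. The enclosing method continues outside the hunk.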