From ab46df5071a05e07d619efee05cd6a489fdd9cf0 Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Mon, 1 Mar 2021 10:30:59 +0800
Subject: [PATCH 1/2] fix logging of dropped 0-RTT keys

Client and server only possess write or read 0-RTT keys, respectively. We should therefore only emit a single event when those are dropped.
---
 qlog/qlog.go | 8 ++++++--
 qlog/qlog_test.go | 12 ++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/qlog/qlog.go b/qlog/qlog.go
index d06eb7a4..866c56f0 100644
--- a/qlog/qlog.go
+++ b/qlog/qlog.go
@@ -402,8 +402,12 @@ func (t *connectionTracer) UpdatedKey(generation protocol.KeyPhase, remote bool)
 func (t *connectionTracer) DroppedEncryptionLevel(encLevel protocol.EncryptionLevel) {
 	t.mutex.Lock()
 	now := time.Now()
-	t.recordEvent(now, &eventKeyRetired{KeyType: encLevelToKeyType(encLevel, protocol.PerspectiveServer)})
-	t.recordEvent(now, &eventKeyRetired{KeyType: encLevelToKeyType(encLevel, protocol.PerspectiveClient)})
+	if encLevel == protocol.Encryption0RTT {
+		t.recordEvent(now, &eventKeyRetired{KeyType: encLevelToKeyType(encLevel, t.perspective)})
+	} else {
+		t.recordEvent(now, &eventKeyRetired{KeyType: encLevelToKeyType(encLevel, protocol.PerspectiveServer)})
+		t.recordEvent(now, &eventKeyRetired{KeyType: encLevelToKeyType(encLevel, protocol.PerspectiveClient)})
+	}
 	t.mutex.Unlock()
 }
 
diff --git a/qlog/qlog_test.go b/qlog/qlog_test.go
index 2a5080ee..fa7ff601 100644
--- a/qlog/qlog_test.go
+++ b/qlog/qlog_test.go
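Review bot: The new 0-RTT branch in DroppedEncryptionLevel carries no comment explaining why this level emits one key_retired event where every other level emits two; the rationale lives only in the commit message. A one-line comment above the added `if`, e.g. `// Each endpoint holds only one 0-RTT key (client: write, server: read), so emit a single event named after our own perspective.`, keeps that invariant next to the code. Because the key type now follows t.perspective, the same 0-RTT secret is presumably logged as server_0rtt_secret in a server trace and client_0rtt_secret in a client trace; if that asymmetry is intended, the comment should say so for anyone correlating both sides' qlogs. The explicit `t.mutex.Unlock()` at the end (rather than a `defer` right after Lock) is existing style, but the added branch makes a future early return easier to get wrong.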
@@ -721,6 +721,18 @@ var _ = Describe("Tracing", func() {
 		Expect(keyTypes).To(ContainElement("client_initial_secret"))
 	})
 
+	It("records dropped 0-RTT keys", func() {
+		tracer.DroppedEncryptionLevel(protocol.Encryption0RTT)
+		entries := exportAndParse()
+		Expect(entries).To(HaveLen(1))
+		entry := entries[0]
+		Expect(entry.Time).To(BeTemporally("~", time.Now(), scaleDuration(10*time.Millisecond)))
+		Expect(entry.Name).To(Equal("security:key_retired"))
+		ev := entry.Event
+		Expect(ev).To(HaveKeyWithValue("trigger", "tls"))
+		Expect(ev).To(HaveKeyWithValue("key_type", "server_0rtt_secret"))
+	})
+
 	It("records dropped keys", func() {
 		tracer.DroppedKey(42)
 		entries := exportAndParse()

From 110f949441ee85b839aa3b96f0419c29684c2198 Mon Sep 17 00:00:00 2001
From: Marten Seemann
Date: Mon, 1 Mar 2021 10:37:31 +0800
Subject: [PATCH 2/2] trace dropping of 0-RTT keys

---
 internal/handshake/crypto_setup.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/internal/handshake/crypto_setup.go b/internal/handshake/crypto_setup.go
index 3dd7d387..f2300ffd 100644
--- a/internal/handshake/crypto_setup.go
+++ b/internal/handshake/crypto_setup.go
@@ -617,6 +617,9 @@ func (h *cryptoSetup) SetWriteKey(encLevel qtls.EncryptionLevel, suite *qtls.Cip
 		if h.zeroRTTSealer != nil {
 			h.zeroRTTSealer = nil
 			h.logger.Debugf("Dropping 0-RTT keys.")
+			if h.tracer != nil {
+				h.tracer.DroppedEncryptionLevel(protocol.Encryption0RTT)
+			}
 		}
 	default:
 		panic("unexpected write encryption level")
@@ -778,6 +781,9 @@ func (h *cryptoSetup) Get1RTTOpener() (ShortHeaderOpener, error) {
 		if h.zeroRTTOpener != nil && time.Since(h.handshakeCompleteTime) > 3*h.rttStats.PTO(true) {
 			h.zeroRTTOpener = nil
 			h.logger.Debugf("Dropping 0-RTT keys.")
+			if h.tracer != nil {
+				h.tracer.DroppedEncryptionLevel(protocol.Encryption0RTT)
+			}
 		}
 
 		if !h.has1RTTOpener {
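Review bot: The new test pins only the server side of the fix: `Expect(entries).To(HaveLen(1))` and `HaveKeyWithValue("key_type", "server_0rtt_secret")` would pass equally well if DroppedEncryptionLevel still hard-coded PerspectiveServer for 0-RTT, so the dependence on t.perspective that the companion qlog.go change introduces is not exercised. A second case built with a client-perspective tracer and asserting `"client_0rtt_secret"` would catch that regression; how the tracer under test is constructed is decided by the Describe block's setup, which is outside this hunk, so I cannot confirm its perspective from here. The enclosing Describe("Tracing") block starts and ends outside the hunk.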
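Review bot: The drop-and-trace sequence is now written twice in this file, here in SetWriteKey and again in the Get1RTTOpener hunk that follows, with the same `h.logger.Debugf("Dropping 0-RTT keys.")` and the same nil-guarded tracer call; folding both into one small method keeps the log line and the qlog event from drifting apart the next time either is touched. Both call sites presumably run with h.mutex held (the lock is not visible inside the hunks), and DroppedEncryptionLevel takes the tracer's own mutex, so this establishes a cryptoSetup-before-tracer lock order that is fine as long as no tracer implementation calls back into the crypto setup, which this page cannot confirm. At the Get1RTTOpener site the keys are retired lazily on the next 1-RTT opener request rather than at the 3×PTO deadline itself, so the traced timestamp is that request; a short comment there, `// Retired lazily on the next 1-RTT read, so the event time trails the PTO deadline.`, saves a reader of the qlog from wondering. Both enclosing functions start and end outside the hunks.
```go
		if h.zeroRTTSealer != nil {
			h.zeroRTTSealer = nil
			h.dropped0RTTKeys()
		}
// … unchanged: rest of SetWriteKey; the Get1RTTOpener site calls h.dropped0RTTKeys() the same way …

// dropped0RTTKeys logs and traces the retirement of the 0-RTT keys.
// Called at both drop sites; callers appear to hold h.mutex (confirm).
func (h *cryptoSetup) dropped0RTTKeys() {
	h.logger.Debugf("Dropping 0-RTT keys.")
	if h.tracer != nil {
		h.tracer.DroppedEncryptionLevel(protocol.Encryption0RTT)
	}
}
```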