[Swan-dev] some can I dump/log crypto material dogma

Andrew Cagney andrew.cagney at gmail.com
Mon Apr 27 21:57:05 EEST 2015


Hi,

The log files often contain keying material when they shouldn't.  I figure
I'd throw out some rules (er, dogma) on what keying material can appear in a
log file and see how far it gets :-)

- you can log chunk contents

The assumption here is that it's things like cookies, nonces, et al. which
either came from or will go on the wire.  If we find a chunk that shouldn't
be logged then ask the question "should this be a symkey" because:

- you cannot log symkey contents (unless DBG_PRIVATE)

Of course there'll be exceptions such as PSKs (which is why this is dogma
:-).

With this in mind, I've added a DBG_dump_symkey that only logs limited
information (unless DBG_PRIVATE).

Andrew
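The chunk/symkey split described above, as an added example rather than libreswan's own code: wire chunks are always hex-dumped in full, while a symkey dump emits only the key length unless DBG_PRIVATE is set. The flag name DBG_PRIVATE mirrors the post; the DBG_CRYPT bit, the dbg_flags variable, the chunk_t/symkey_t types, the function names and the sample nonce and key bytes are all this example's own assumptions.

```c
/* Added example (not libreswan code): a logging policy for wire chunks vs
 * symmetric keys, after the rules in the post.  The flag name DBG_PRIVATE
 * mirrors the post; everything else here is the example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DBG_CRYPT   (1u << 0)   /* hypothetical: crypto debugging on */
#define DBG_PRIVATE (1u << 1)   /* mirrors the post: permit private material */

static unsigned dbg_flags = DBG_CRYPT;   /* DBG_PRIVATE is off by default */

void set_debug_flags(unsigned flags) { dbg_flags = flags; }
unsigned get_debug_flags(void) { return dbg_flags; }

/* Wire material (cookies, nonces): the peer sees it anyway, so it may be dumped. */
typedef struct { const uint8_t *ptr; size_t len; } chunk_t;
/* Keying material: contents stay out of the log unless DBG_PRIVATE. */
typedef struct { const uint8_t *ptr; size_t len; } symkey_t;

/* Append lowercase hex of p[0..n) to the NUL-terminated string in out. */
static void hex_append(char *out, size_t outlen, const uint8_t *p, size_t n)
{
    size_t used = strlen(out);
    for (size_t i = 0; i < n && used + 2 < outlen; i++)
        used += (size_t)snprintf(out + used, outlen - used, "%02x", p[i]);
}

/* Chunks may always be logged in full.  Writes the log line into out and returns it. */
char *dbg_dump_chunk(const char *label, chunk_t c, char *out, size_t outlen)
{
    snprintf(out, outlen, "%s (%zu bytes): ", label, c.len);
    hex_append(out, outlen, c.ptr, c.len);
    return out;
}

/* Symkeys: length only, unless DBG_PRIVATE is set in the debug flags. */
char *dbg_dump_symkey(const char *label, symkey_t k, char *out, size_t outlen)
{
    if (dbg_flags & DBG_PRIVATE) {
        snprintf(out, outlen, "%s (%zu bytes, DBG_PRIVATE): ", label, k.len);
        hex_append(out, outlen, k.ptr, k.len);
    } else {
        /* Not even a digest of the key: a hash of a low-entropy key such
         * as a PSK in the log is an offline guessing oracle. */
        snprintf(out, outlen, "%s: %zu-byte symkey (contents withheld)",
                 label, k.len);
    }
    return out;
}

/* Constructed sample material for the demo (not captured traffic or a real key). */
static const uint8_t NONCE_BYTES[] = { 0xde, 0xad, 0xbe, 0xef };
static const uint8_t KEY_BYTES[]   = { 1, 2, 3, 4, 5, 6, 7, 8 };
const chunk_t  NI    = { NONCE_BYTES, sizeof NONCE_BYTES };
const symkey_t SK_EI = { KEY_BYTES,   sizeof KEY_BYTES };
char dbg_line[256];

int main(void)
{
    puts(dbg_dump_chunk("Ni", NI, dbg_line, sizeof dbg_line));
    puts(dbg_dump_symkey("SK_ei", SK_EI, dbg_line, sizeof dbg_line));
    set_debug_flags(DBG_CRYPT | DBG_PRIVATE);
    puts(dbg_dump_symkey("SK_ei", SK_EI, dbg_line, sizeof dbg_line));
    return 0;
}
```

The point of routing every key through dbg_dump_symkey rather than a generic chunk dumper is that the type, not the call site, decides what reaches the log; a PSK that has to live in a chunk for wire reasons is exactly the exception the post flags, and needs its own handling.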