[Swan-dev] some can I dump/log crypto material dogma
Andrew Cagney
andrew.cagney at gmail.com
Mon Apr 27 21:57:05 EEST 2015
Hi,
The log files often contain keying material when they shouldn't. I figure
I'd throw out some rules (er, dogma) on what keying material can appear in a
log file and see how far it gets :-)
- you can log chunk contents
The assumption here is that it's things like cookies, nonces, et al. which
either came from or will go on the wire. If we find a chunk that shouldn't
be logged then ask the question "should this be a symkey" because:
- you cannot log symkey contents (unless DBG_PRIVATE)
Of course there'll be exceptions such as PSKs (which is why this is dogma
:-).
With this in mind, I've added a DBG_dump_symkey that only logs limited
information (unless DBG_PRIVATE).
Andrew
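The two rules above, worked through as an added example in C. This is not libreswan code and not Andrew's DBG_dump_symkey: the chunk_t and symkey_t structs, the function names, the sample nonce and key bytes, and the dbg_private flag passed as a parameter (standing in for the DBG_PRIVATE debug bit) are all constructed here for illustration. The point it shows is that a chunk dumper may hex-dump wire data, while a symkey dumper emits only the key's name and length unless the private flag is set, and a small audit helper can check that a produced log line does not contain the key bytes.

```c
/* Added example (not libreswan code): a logging policy that hex-dumps
 * wire data (chunks) but withholds symmetric key contents unless a
 * private debug flag is set. */
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins (assumptions): libreswan's chunk_t wraps bytes that
 * came from or go to the wire; its symkeys are opaque NSS key handles. */
typedef struct { const uint8_t *ptr; size_t len; } chunk_t;
typedef struct { const char *name; const uint8_t *bytes; size_t len; } symkey_t;

/* Append printf-style text at *pos, stopping cleanly on truncation. */
static void appendf(char *buf, size_t cap, size_t *pos, const char *fmt, ...) {
    if (*pos >= cap) return;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + *pos, cap - *pos, fmt, ap);
    va_end(ap);
    if (n < 0) return;
    *pos = ((size_t)n >= cap - *pos) ? cap - 1 : *pos + (size_t)n;
}

/* Rule 1: chunk contents may be logged; they are things that go on the wire. */
void dbg_dump_chunk_to(char *buf, size_t cap, const char *label, chunk_t c) {
    size_t pos = 0;
    buf[0] = '\0';
    appendf(buf, cap, &pos, "%s (%zu bytes):", label, c.len);
    for (size_t i = 0; i < c.len; i++)
        appendf(buf, cap, &pos, " %02x", c.ptr[i]);
}

/* Rule 2: symkey contents are never logged unless the private debug flag
 * is set; otherwise only the key's name and length appear. */
void dbg_dump_symkey_to(char *buf, size_t cap, const char *label,
                        const symkey_t *k, bool dbg_private) {
    if (!dbg_private) {
        size_t pos = 0;
        buf[0] = '\0';
        appendf(buf, cap, &pos, "%s: symkey %s, %zu bytes (contents withheld)",
                label, k->name, k->len);
        return;
    }
    chunk_t c = { k->bytes, k->len };   /* explicit opt-in: dump like a chunk */
    dbg_dump_chunk_to(buf, cap, label, c);
}

/* Wrappers returning a static line, so callers can compare whole strings. */
const char *chunk_line(const char *label, chunk_t c) {
    static char buf[256];
    dbg_dump_chunk_to(buf, sizeof buf, label, c);
    return buf;
}
const char *symkey_line(const char *label, const symkey_t *k, bool dbg_private) {
    static char buf[256];
    dbg_dump_symkey_to(buf, sizeof buf, label, k, dbg_private);
    return buf;
}

/* Audit helper: does a log line contain these bytes as space-separated hex? */
bool line_contains_hex(const char *line, const uint8_t *bytes, size_t len) {
    char hex[3 * 128];
    size_t pos = 0;
    if (len == 0 || len > 128) return false;
    for (size_t i = 0; i < len; i++)
        appendf(hex, sizeof hex, &pos, i == 0 ? "%02x" : " %02x", bytes[i]);
    return strstr(line, hex) != NULL;
}

/* Constructed sample data: a nonce that goes on the wire and a key that
 * must not. The values are made up for this example. */
static const uint8_t sample_nonce[] = { 0xde, 0xad, 0xbe, 0xef };
const chunk_t sample_ni = { sample_nonce, sizeof sample_nonce };
static const uint8_t sample_key_bytes[] = { 0x01, 0x02, 0x03, 0x04 };
const symkey_t sample_sk = { "SK_ei", sample_key_bytes, sizeof sample_key_bytes };

int main(void) {
    printf("%s\n", chunk_line("Ni", sample_ni));
    printf("%s\n", symkey_line("SK_ei", &sample_sk, false));
    printf("%s\n", symkey_line("SK_ei", &sample_sk, true));
    printf("withheld line leaks key: %s\n",
           line_contains_hex(symkey_line("SK_ei", &sample_sk, false),
                             sample_sk.bytes, sample_sk.len) ? "yes" : "no");
    return 0;
}
```

Passing the private flag as a parameter rather than reading a global keeps the withheld/dumped decision visible at each call site, which is also what makes it easy to grep a code base for every place that opts into dumping key bytes.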