[Swan-dev] some can I dump/log crypto material dogma

Paul Wouters paul at nohats.ca
Tue May 5 05:31:07 EEST 2015

On Mon, 27 Apr 2015, Andrew Cagney wrote:

> The log files often contain keying material when they shouldn't.  I figure I'd throw out a rules (er, dogma) on what keying material can appear in a log file and see how far it gets :-)
> - you can log chunk contents
> The assumption here is that its things like cookies, nonces, et.al. which either came from or will go on the wire.  If we find a chunk that shouldn't be logged then ask the question "should this be a symkey"
> because:
> - you cannot log symkey contents (unless DBG_PRIVATE)
> Of course there'll be exceptions such as PSKs (which is why this is dogma :-).
> Wit this in mind, I've added a DBG_dump_symkey that only logs limited information (unless DBG_PRIVATE).

Late response, but yes looks fine to me.

DBG_PRIVATE for KEYMAT stuff is nice to, for easy feeding into tcpdump
for IPsec SA's or fuzzers fir IKE SA's.


More information about the Swan-dev mailing list