[Swan-dev] some can I dump/log crypto material dogma
paul at nohats.ca
Tue May 5 05:31:07 EEST 2015
On Mon, 27 Apr 2015, Andrew Cagney wrote:
> The log files often contain keying material when they shouldn't. I figure I'd throw out a rules (er, dogma) on what keying material can appear in a log file and see how far it gets :-)
> - you can log chunk contents
> The assumption here is that its things like cookies, nonces, et.al. which either came from or will go on the wire. If we find a chunk that shouldn't be logged then ask the question "should this be a symkey"
> - you cannot log symkey contents (unless DBG_PRIVATE)
> Of course there'll be exceptions such as PSKs (which is why this is dogma :-).
> Wit this in mind, I've added a DBG_dump_symkey that only logs limited information (unless DBG_PRIVATE).
Late response, but yes looks fine to me.
DBG_PRIVATE for KEYMAT stuff is nice to, for easy feeding into tcpdump
for IPsec SA's or fuzzers fir IKE SA's.
More information about the Swan-dev