[Swan-dev] logging proposals and algorithms
Paul Wouters
paul at nohats.ca
Wed Feb 24 17:24:29 UTC 2016
On Wed, 24 Feb 2016, Andrew Cagney wrote:
> I've a TODO item sitting here asking that proposals always be logged
> (it makes diagnosing a failing connection easier).
Yes, we should.
> The current code will log the proposal if nothing is chosen (this is
> still progress since the old code simply logged "no proposal chosen"
> :-), however it isn't ideal. The fix is "easy", but like the comment
> says:
>
> /*
> * For the moment don't libreswan_log() this as it
> * gets written to the console, altering output, and
> * causing test noise.
> */
We can use libreswan_log(), but it would be best to check for
opportunistic and suppress if conn is oppo and no DBG_OPPO was set.
> But wait there's more; and the real reason I put this into the
> too-painful basket. The output isn't exactly pretty:
>
> proposals: IKE:AES_GCM_C(20)_256,PRF_HMAC_SHA1(2),PRF_HMAC_SHA2-256(5),AUTH_NONE(0),OAKLEY_GROUP_MODP2048(14),OAKLEY_GROUP_MODP4096(16),OAKLEY_GROUP_MODP8192(18)[first-match]
> IKE:AES_GCM_A(18)_128,PRF_HMAC_SHA1(2),PRF_HMAC_SHA2-256(5),AUTH_NONE(0),OAKLEY_GROUP_MODP2048(14),OAKLEY_GROUP_MODP4096(16),OAKLEY_GROUP_MODP8192(18)
> IKE:AES_CBC(12)_256,PRF_HMAC_SHA1(2),PRF_HMAC_SHA2-256(5),PRF_AES128-XCBC(4),AUTH_HMAC_SHA1_96(2),AUTH_HMAC_SHA2_256_128(12),AUTH_AES_XCBC_96(5),OAKLEY_GROUP_MODP1536(5),OAKLEY_GROUP_MODP2048(14)
> IKE:AES_CBC(12)_128,PRF_HMAC_SHA1(2),PRF_HMAC_SHA2-256(5),PRF_AES128-XCBC(4),AUTH_HMAC_SHA1_96(2),AUTH_HMAC_SHA2_256_128(12),AUTH_AES_XCBC_96(5),OAKLEY_GROUP_MODP1536(5),OAKLEY_GROUP_MODP2048(14)
>
> notice how some algorithms have OAKLEY_GROUP_ as a prefix yet others,
> such as AES_GCM_C, do not. This inconsistency stems from the enum
> code and calls like:
> which print what ever the enum table defines. When the prefix isn't
> desired arbitrary bits get stripped off:
>
> strip_prefix(enum_name(&ikev2_trans_type_names, type), "TRANS_TYPE_");
> and this bubbles up to the log file.
>
> While I can add to the hacks to fix this, I suspect it would be better
> to just have the enum code handle it.
That could but only if the prefix stripped would always be the same. In
the context of PRF we could strip PRF_HMAC_, but on the lines quoted
above, we need to keep something to distinguish PRF from AUTH, so one
would likely want to strip only "_HMAC" so you see PRF_SHA2 or
AUTH_SHA2. OAKLEY_GROUP_ can always be stripped because those names
don't clash and self-explanatory even without the prefix.
Paul
More information about the Swan-dev
mailing list