[Swan-dev] logging proposals and algorithms

Andrew Cagney andrew.cagney at gmail.com
Thu Feb 25 14:44:36 UTC 2016


> We can use libreswan_log(), but it would be best to check for
> opportunistic and suppress if conn is oppo and no DBG_OPPO was set.

Hmm.

>> IKE:AES_GCM_C(20)_256,PRF_HMAC_SHA1(2),PRF_HMAC_SHA2-256(5),AUTH_NONE(0),OAKLEY_GROUP_MODP2048(14),OAKLEY_GROUP_MODP4096(16),OAKLEY_GROUP_MODP8192(18)[first-match]
>>
>> IKE:AES_GCM_A(18)_128,PRF_HMAC_SHA1(2),PRF_HMAC_SHA2-256(5),AUTH_NONE(0),OAKLEY_GROUP_MODP2048(14),OAKLEY_GROUP_MODP4096(16),OAKLEY_GROUP_MODP8192(18)
>>
>> IKE:AES_CBC(12)_256,PRF_HMAC_SHA1(2),PRF_HMAC_SHA2-256(5),PRF_AES128-XCBC(4),AUTH_HMAC_SHA1_96(2),AUTH_HMAC_SHA2_256_128(12),AUTH_AES_XCBC_96(5),OAKLEY_GROUP_MODP1536(5),OAKLEY_GROUP_MODP2048(14)
>>
>> IKE:AES_CBC(12)_128,PRF_HMAC_SHA1(2),PRF_HMAC_SHA2-256(5),PRF_AES128-XCBC(4),AUTH_HMAC_SHA1_96(2),AUTH_HMAC_SHA2_256_128(12),AUTH_AES_XCBC_96(5),OAKLEY_GROUP_MODP1536(5),OAKLEY_GROUP_MODP2048(14)

[...]

> That could but only if the prefix stripped would always be the same. In
> the context of PRF we could strip PRF_HMAC_, but on the lines quoted
> above, we need to keep something to distinguish PRF from AUTH, so one
> would likely want to strip only "_HMAC" so you see PRF_SHA2 or
> AUTH_SHA2. OAKLEY_GROUP_ can always be stripped because those names
> don't clash and are self-explanatory even without the prefix.

Yea, that's another reason to put it aside - plenty of colour
choice.  For instance, other stuff like each proposal's number is
missing.

The best way forward seems to be to log it but sanitize it out in all
tests.  Gets it out into the field so we can gather feedback :-)

Andrew
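As an added illustration of the two points raised in this thread (not code from the libreswan tree or from either poster), the block below implements the prefix-stripping rule quoted above, always dropping OAKLEY_GROUP_ and dropping only "_HMAC" so PRF_ and AUTH_ stay distinguishable, together with the "suppress for opportunistic conns unless DBG_OPPO is set" check. The function names, the DBG_OPPO bit value and the sample proposal line are assumptions made for this example; the sample lines are the ones quoted in the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the debug bitmask; DBG_OPPO is named in the
 * thread but this value is an assumption for the example. */
#define DBG_OPPO (1u << 0)

/* Suppression rule from the thread: log unless the conn is opportunistic
 * and DBG_OPPO is not enabled. Names are hypothetical. */
bool should_log_proposal(bool conn_is_oppo, unsigned cur_debugging)
{
	return !conn_is_oppo || (cur_debugging & DBG_OPPO) != 0;
}

static bool starts_with(const char *s, const char *prefix)
{
	return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Shorten one comma-separated algorithm token:
 *  - OAKLEY_GROUP_ is always dropped (group names do not clash);
 *  - PRF_HMAC_x becomes PRF_x and AUTH_HMAC_x becomes AUTH_x, so the
 *    role prefix survives and PRF/AUTH can still be told apart;
 *  - everything else (AES_GCM_C(20)_256, AUTH_NONE(0), ...) is unchanged.
 * Returns the number of bytes written (excluding NUL) or -1 on overflow. */
int shorten_alg_name(const char *name, char *dst, size_t dstlen)
{
	const char *src = name;
	int n;

	if (starts_with(src, "OAKLEY_GROUP_"))
		src += strlen("OAKLEY_GROUP_");

	if (starts_with(src, "PRF_HMAC_"))
		n = snprintf(dst, dstlen, "PRF_%s", src + strlen("PRF_HMAC_"));
	else if (starts_with(src, "AUTH_HMAC_"))
		n = snprintf(dst, dstlen, "AUTH_%s", src + strlen("AUTH_HMAC_"));
	else
		n = snprintf(dst, dstlen, "%s", src);

	return (n < 0 || (size_t)n >= dstlen) ? -1 : n;
}

/* Shorten a whole proposal line (tokens separated by ','). The leading
 * "IKE:" stays with the first token. Returns length written or -1. */
int shorten_proposal(const char *line, char *dst, size_t dstlen)
{
	size_t out = 0;
	const char *p = line;

	if (dstlen == 0)
		return -1;

	while (*p != '\0') {
		const char *end = strchr(p, ',');
		size_t toklen = end != NULL ? (size_t)(end - p) : strlen(p);
		char tok[128];
		int n;

		if (toklen >= sizeof tok)
			return -1;
		memcpy(tok, p, toklen);
		tok[toklen] = '\0';

		if (out > 0) {
			if (out + 1 >= dstlen)
				return -1;
			dst[out++] = ',';
		}
		n = shorten_alg_name(tok, dst + out, dstlen - out);
		if (n < 0)
			return -1;
		out += (size_t)n;

		if (end == NULL)
			break;
		p = end + 1;
	}
	dst[out] = '\0';
	return (int)out;
}

int main(void)
{
	/* Sample line quoted in the thread (constructed input for the demo). */
	const char *sample =
		"IKE:AES_CBC(12)_128,PRF_HMAC_SHA1(2),PRF_HMAC_SHA2-256(5),"
		"PRF_AES128-XCBC(4),AUTH_HMAC_SHA1_96(2),AUTH_HMAC_SHA2_256_128(12),"
		"AUTH_AES_XCBC_96(5),OAKLEY_GROUP_MODP1536(5),OAKLEY_GROUP_MODP2048(14)";
	char buf[512];

	if (should_log_proposal(true, 0))
		puts("oppo conn without DBG_OPPO: would NOT be reached");
	if (shorten_proposal(sample, buf, sizeof buf) >= 0)
		printf("%s\n", buf);
	return 0;
}
```

The shortened form still carries the role prefix, so a reader can tell PRF_SHA2-256 from AUTH_SHA2_256_128 on the same line, while MODP2048 is unambiguous on its own; the suppression check keeps opportunistic churn out of the log unless DBG_OPPO is explicitly enabled.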

