[Swan-dev] DBG_PRIVATE and tcpdump
Andrew Cagney
andrew.cagney at gmail.com
Thu Dec 13 15:47:03 UTC 2018
As I understand it, the reason for --debug private is to enable a
feature where logging included the formation needed to decrypt
streams. For instance, ikev2_log_parentSA() was logging a line
containing:
- the IKE SPIs
- the crypto algorithm
- the keying material
that could be fed to 'tcpdump -E'. However, notice the past tense.
Commit 944c9a31c1e4dff1ab92cdf9c85629b7270a6157 from 2014 included
this change:
- datatot(st->st_skey_ei.ptr, st->st_skey_ei.len, 'x', enckeybuf,
- 256);
- datatot(st->st_skey_ai.ptr, st->st_skey_ai.len, 'x',
- authkeybuf, 256);
- DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
0x%02x%02x%02x%02x%02x%02x%02x%02x %s:%s %s:%s",
+ DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
0x%02x%02x%02x%02x%02x%02x%02x%02x %s %s",
making the line useless.
Andrew
More information about the Swan-dev
mailing list