[Swan-dev] DBG_PRIVATE and tcpdump
Paul Wouters
paul at nohats.ca
Thu Dec 13 16:39:00 UTC 2018
On Thu, 13 Dec 2018, Andrew Cagney wrote:
> As I understand it, the reason for --debug private is to enable a
> feature where logging included the information needed to decrypt
> streams.
Yes, one of the reasons.
> For instance, ikev2_log_parentSA() was logging a line
> containing:
>
> - the IKE SPIs
> - the crypto algorithm
> - the keying material
>
> that could be fed to 'tcpdump -E'. However, notice the past tense.
> Commit 944c9a31c1e4dff1ab92cdf9c85629b7270a6157 from 2014 included
> this change:
>
> - datatot(st->st_skey_ei.ptr, st->st_skey_ei.len, 'x', enckeybuf,
> - 256);
> - datatot(st->st_skey_ai.ptr, st->st_skey_ai.len, 'x',
> - authkeybuf, 256);
> - DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
> 0x%02x%02x%02x%02x%02x%02x%02x%02x %s:%s %s:%s",
> + DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
> 0x%02x%02x%02x%02x%02x%02x%02x%02x %s %s",
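Review bot: the replacement format string on the `+` lines drops the two `%s:%s` pairs that carried `<alg>:<key>`, and together with the removed datatot() calls for st_skey_ei and st_skey_ai this means the DBG_PRIVATE line no longer emits the keying material that `tcpdump -E` consumes; that is a functional change and should be stated in the commit message rather than left implicit. If the intent is to keep emitting the keys only under DBG_PRIVATE, the `%s:%s` fields and their enckeybuf/authkeybuf arguments should stay; the quoted fragment ends before the argument list, so the remainder of the change cannot be checked here.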
It would be good if we could restore that functionality, and maybe make
this more clear by prefixing it, e.g. DBG_log("ikev2 I for tcpdump: 0x[...]")
Paul
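As an added example (not libreswan's code), a small Python checker that recognises the "ikev2 I/R" debug line in both the pre-2014 shape (with `<alg>:<key>` fields) and the post-commit shape (algorithm names only), so a log taken with --debug private can be checked for keying material before it is archived or attached to a bug report. The sample lines, SPIs, key values and the algorithm-name spellings are constructed assumptions, as is the "0x" prefix on the key hex.

```python
import re

# Added example, not libreswan code. Two shapes of the debug line are recognised:
#   old:  ikev2 I 0x<spi_i> 0x<spi_r> <enc_alg>:<enc_key> <integ_alg>:<integ_key>
#   new:  ikev2 I 0x<spi_i> 0x<spi_r> <enc_alg> <integ_alg>
# The SPIs are 8 bytes printed with %02x, i.e. 16 lowercase hex digits after "0x".
LINE_RE = re.compile(
    r"ikev2 (?P<role>[IR]) (?P<spi_i>0x[0-9a-f]{16}) (?P<spi_r>0x[0-9a-f]{16}) "
    r"(?P<enc>\S+) (?P<integ>\S+)\s*$"
)

def _split_alg(field):
    """'alg:key' -> (alg, key); bare 'alg' -> (alg, None)."""
    alg, sep, key = field.partition(":")
    return alg, (key if sep and key else None)

def parse_ikev2_debug_line(line):
    """Return a dict for an 'ikev2 I/R' SA debug line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    enc_alg, enc_key = _split_alg(m.group("enc"))
    integ_alg, integ_key = _split_alg(m.group("integ"))
    return {
        "role": m.group("role"),
        "spi_i": m.group("spi_i"),
        "spi_r": m.group("spi_r"),
        "enc_alg": enc_alg,
        "integ_alg": integ_alg,
        # True only for the old shape, where the line is usable by tcpdump -E
        # and therefore also leaks session keys into whatever stores the log.
        "has_keys": enc_key is not None or integ_key is not None,
    }

def find_key_exposure(log_text):
    """1-based line numbers of debug lines that carry keying material."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_ikev2_debug_line(line)
        if rec and rec["has_keys"]:
            hits.append(n)
    return hits

# Constructed sample log: SPIs and keys are made-up test values, not real captures.
SAMPLE_LOG = """\
"west" #1: ikev2 I 0x0102030405060708 0x1112131415161718 aes_cbc:0x00112233445566778899aabbccddeeff hmac_sha1:0xa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
"west" #2: ikev2 R 0x0a0b0c0d0e0f1011 0x2122232425262728 aes_cbc hmac_sha2_256
"west" #2: STATE_PARENT_R2: received v2I2, PARENT SA established
"""

if __name__ == "__main__":
    for n in find_key_exposure(SAMPLE_LOG):
        print(f"line {n}: keying material present (expected only with --debug private)")
```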