[Swan-dev] DBG_PRIVATE and tcpdump

D. Hugh Redelmeier hugh at mimosa.com
Thu Dec 13 17:47:14 UTC 2018

| From: Andrew Cagney <andrew.cagney at gmail.com>
| As I understand it, the reason for --debug private is to enable a
| feature where logging included the formation needed to decrypt
| streams.  For instance, ikev2_log_parentSA() was logging a line
| containing:
|   - the IKE SPIs
|   - the crypto algorithm
|   - the keying material
| that could be fed to 'tcpdump -E'.   However, notice the past tense.
| Commit 944c9a31c1e4dff1ab92cdf9c85629b7270a6157 from 2014 included
| this change:
| -               datatot(st->st_skey_ei.ptr, st->st_skey_ei.len, 'x', enckeybuf,
| -                       256);
| -               datatot(st->st_skey_ai.ptr, st->st_skey_ai.len, 'x',
| -                       authkeybuf, 256);
| -               DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
| 0x%02x%02x%02x%02x%02x%02x%02x%02x %s:%s %s:%s",
| +               DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
| 0x%02x%02x%02x%02x%02x%02x%02x%02x %s %s",
| making the line useless.

Interesting.  Good catch. That's a bug and I introduced it.

I made this change 4.5 years ago and nobody has reported it.  I guess
that the feature isn't used frequently.

Perhaps I elminated it because it didn't appear to be conditional on
DBG_PRIVATE (it actually was, but in an odd way; Paul fixed that
last year).

Perhaps I just decided that the use of the naked constant 256 six
times was messy and better deleted than fixed.

In any case, I clearly didn't take note of the comments before

Andrew: do you want to fix this or shall I?

More information about the Swan-dev mailing list