[Swan-dev] DBG_PRIVATE and tcpdump
D. Hugh Redelmeier
hugh at mimosa.com
Thu Dec 13 17:47:14 UTC 2018
| From: Andrew Cagney <andrew.cagney at gmail.com>
|
| As I understand it, the reason for --debug private is to enable a
| feature where logging included the information needed to decrypt
| streams. For instance, ikev2_log_parentSA() was logging a line
| containing:
|
| - the IKE SPIs
| - the crypto algorithm
| - the keying material
|
| that could be fed to 'tcpdump -E'. However, notice the past tense.
| Commit 944c9a31c1e4dff1ab92cdf9c85629b7270a6157 from 2014 included
| this change:
|
| - datatot(st->st_skey_ei.ptr, st->st_skey_ei.len, 'x', enckeybuf,
| - 256);
| - datatot(st->st_skey_ai.ptr, st->st_skey_ai.len, 'x',
| - authkeybuf, 256);
| - DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
| 0x%02x%02x%02x%02x%02x%02x%02x%02x %s:%s %s:%s",
| + DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
| 0x%02x%02x%02x%02x%02x%02x%02x%02x %s %s",
|
|
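Review bot: the `+` line keeps only two `%s` conversions while the `-` lines drop the datatot() calls that hex-encoded st_skey_ei and st_skey_ai into enckeybuf/authkeybuf, so the keying material this DBG_PRIVATE-gated line exists to expose (for tcpdump -E) no longer reaches the log. Either keep the datatot() calls together with the `%s:%s %s:%s` conversions, or delete the whole log statement rather than leave a line that looks usable but is not. If the calls are kept, replace the repeated naked 256 with sizeof(enckeybuf) / sizeof(authkeybuf) so the buffer bound cannot drift from the declaration.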
| making the line useless.
Interesting. Good catch. That's a bug and I introduced it.
I made this change 4.5 years ago and nobody has reported it. I guess
that the feature isn't used frequently.
Perhaps I eliminated it because it didn't appear to be conditional on
DBG_PRIVATE (it actually was, but in an odd way; Paul fixed that
last year).
Perhaps I just decided that the use of the naked constant 256 six
times was messy and better deleted than fixed.
In any case, I clearly didn't take note of the comments before
ikev2_log_parentSA().
Andrew: do you want to fix this or shall I?
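As an added illustration (not libreswan's code and not part of this thread), here is a bounded version of the line Andrew describes ikev2_log_parentSA() emitting: the IKE SPIs, the algorithm names and the hex-encoded keying material. It assumes the dropped `%s:%s %s:%s` conversions carried "algorithm:hexkey" pairs, picks its own key-size bound, and uses sizeof for every buffer instead of the naked 256. The DBG_PRIVATE gate that must surround any such line stays with the caller; this only formats. All key material below is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_SPI_LEN 8        /* IKEv2 SPIs are 8 octets */
#define MAX_KEY_LEN 64       /* example bound (an assumption): 512-bit keys */

/* Hex-encode len bytes into out, NUL-terminated.  Returns false instead of
 * silently truncating when out_size cannot hold 2*len+1 characters. */
static bool hex_encode(const uint8_t *in, size_t len, char *out, size_t out_size)
{
    if (out_size < 2 * len + 1)
        return false;
    for (size_t i = 0; i < len; i++)
        snprintf(out + 2 * i, 3, "%02x", (unsigned)in[i]);
    out[2 * len] = '\0';   /* also covers len == 0 */
    return true;
}

/* Build the line a DBG_PRIVATE-gated log statement would emit for an IKEv2
 * parent SA:
 *   ikev2 I 0x<spi_i> 0x<spi_r> <enc_alg>:<enc_key> <auth_alg>:<auth_key>
 * Buffer bounds come from sizeof, not a repeated naked 256.
 * Returns the number of characters written, or -1 on any bounds failure. */
int format_ikev2_parent_sa(const uint8_t spi_i[IKE_SPI_LEN],
                           const uint8_t spi_r[IKE_SPI_LEN],
                           const char *enc_alg, const uint8_t *enc_key, size_t enc_len,
                           const char *auth_alg, const uint8_t *auth_key, size_t auth_len,
                           char *line, size_t line_size)
{
    char spi_i_hex[2 * IKE_SPI_LEN + 1];
    char spi_r_hex[2 * IKE_SPI_LEN + 1];
    char enc_hex[2 * MAX_KEY_LEN + 1];
    char auth_hex[2 * MAX_KEY_LEN + 1];

    if (!hex_encode(spi_i, IKE_SPI_LEN, spi_i_hex, sizeof spi_i_hex) ||
        !hex_encode(spi_r, IKE_SPI_LEN, spi_r_hex, sizeof spi_r_hex) ||
        !hex_encode(enc_key, enc_len, enc_hex, sizeof enc_hex) ||
        !hex_encode(auth_key, auth_len, auth_hex, sizeof auth_hex))
        return -1;

    int n = snprintf(line, line_size, "ikev2 I 0x%s 0x%s %s:%s %s:%s",
                     spi_i_hex, spi_r_hex, enc_alg, enc_hex, auth_alg, auth_hex);
    if (n < 0 || (size_t)n >= line_size)
        return -1;   /* a truncated key line looks usable but is not */
    return n;
}

/* Constructed sample material (not captured from any real SA). */
static const uint8_t SAMPLE_SPI_I[IKE_SPI_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
static const uint8_t SAMPLE_SPI_R[IKE_SPI_LEN] = {0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18};
static const uint8_t SAMPLE_ENC_KEY[16] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15};
static const uint8_t SAMPLE_AUTH_KEY[4] = {0xaa, 0xbb, 0xcc, 0xdd};

/* Format the sample into a caller-supplied buffer of the given size. */
int demo_format(char *line, size_t line_size)
{
    return format_ikev2_parent_sa(SAMPLE_SPI_I, SAMPLE_SPI_R,
                                  "aes", SAMPLE_ENC_KEY, sizeof SAMPLE_ENC_KEY,
                                  "sha1", SAMPLE_AUTH_KEY, sizeof SAMPLE_AUTH_KEY,
                                  line, line_size);
}

/* 1 if the sample formats to the expected 96-character line, 0 otherwise. */
int demo_matches_expected(void)
{
    char line[256];
    int n = demo_format(line, sizeof line);
    return n == 96 && strcmp(line,
        "ikev2 I 0x0102030405060708 0x1112131415161718 "
        "aes:000102030405060708090a0b0c0d0e0f sha1:aabbccdd") == 0;
}

/* -1 expected: a 32-byte buffer cannot hold the line, so no partial line is returned. */
int demo_truncated(void)
{
    char small[32];
    return demo_format(small, sizeof small);
}

/* -1 expected: a key longer than MAX_KEY_LEN is refused rather than clipped. */
int demo_oversized_key(void)
{
    uint8_t big[MAX_KEY_LEN + 1] = {0};
    char line[512];
    return format_ikev2_parent_sa(SAMPLE_SPI_I, SAMPLE_SPI_R, "aes", big, sizeof big,
                                  "sha1", SAMPLE_AUTH_KEY, sizeof SAMPLE_AUTH_KEY,
                                  line, sizeof line);
}

int main(void)
{
    char line[256];
    if (demo_format(line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

The two failure paths return -1 instead of a clipped string on purpose: a partially written key line is exactly the kind of output that looks usable and is not, which is the failure the thread is about.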