[Swan-dev] DBG_PRIVATE and tcpdump

Andrew Cagney andrew.cagney at gmail.com
Thu Dec 13 19:24:48 UTC 2018


On Thu, 13 Dec 2018 at 12:47, D. Hugh Redelmeier <hugh at mimosa.com> wrote:
>
> | From: Andrew Cagney <andrew.cagney at gmail.com>
> |
> | As I understand it, the reason for --debug private is to enable a
> | feature where logging included the information needed to decrypt
> | streams.  For instance, ikev2_log_parentSA() was logging a line
> | containing:
> |
> |   - the IKE SPIs
> |   - the crypto algorithm
> |   - the keying material
> |
> | that could be fed to 'tcpdump -E'.   However, notice the past tense.
> | Commit 944c9a31c1e4dff1ab92cdf9c85629b7270a6157 from 2014 included
> | this change:
> |
> | -               datatot(st->st_skey_ei.ptr, st->st_skey_ei.len, 'x', enckeybuf,
> | -                       256);
> | -               datatot(st->st_skey_ai.ptr, st->st_skey_ai.len, 'x',
> | -                       authkeybuf, 256);
> | -               DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
> | 0x%02x%02x%02x%02x%02x%02x%02x%02x %s:%s %s:%s",
> | +               DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
> | 0x%02x%02x%02x%02x%02x%02x%02x%02x %s %s",
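Review bot: the `-` lines remove the datatot() hex conversions of st_skey_ei and st_skey_ai and the `+` line drops the matching `%s:%s %s:%s` fields down to `%s %s`, so the keying material the comment before ikev2_log_parentSA() promises for `tcpdump -E` is no longer emitted while the `ikev2 I <spi> <spi>` prefix still suggests it is; if the intent was only to get rid of the repeated naked 256, keep the two key fields and pass sizeof(enckeybuf) / sizeof(authkeybuf) to datatot() instead.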
> |
> |
> | making the line useless.
>
> Interesting.  Good catch. That's a bug and I introduced it.
>
> I made this change 4.5 years ago and nobody has reported it.  I guess
> that the feature isn't used frequently.
>
> Perhaps I eliminated it because it didn't appear to be conditional on
> DBG_PRIVATE (it actually was, but in an odd way; Paul fixed that
> last year).
>
> Perhaps I just decided that the use of the naked constant 256 six
> times was messy and better deleted than fixed.
>
> In any case, I clearly didn't take note of the comments before
> ikev2_log_parentSA().
>
> Andrew: do you want to fix this or shall I?

Sure.  I think you want chunk_from_symkey() (and perhaps LSWLOG_DEBUG(buf)).

I'll also drop a note at the far end of my TODO list.

Andrew
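As an added illustration (not libreswan code) of the log line the thread is about: the SPI and algorithm part of the `ikev2 I ...` line is always built, while the key hex that `tcpdump -E` would need is only emitted when private debugging is on, and the buffer bound comes from sizeof rather than a naked 256. The struct, function names and sample key bytes are all constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKE_SPI_SIZE 8

/* Constructed stand-in for the state fields the log line draws on. */
struct ike_sa {
    uint8_t spi_i[IKE_SPI_SIZE], spi_r[IKE_SPI_SIZE];
    const char *enc_name;   const uint8_t *sk_ei; size_t sk_ei_len;
    const char *integ_name; const uint8_t *sk_ai; size_t sk_ai_len;
};

/* snprintf-style append: returns the length the line would have and never
 * writes past size, so a caller detects truncation with ret >= size. */
static size_t append(char *dst, size_t size, size_t pos, const char *s)
{
    if (pos < size) snprintf(dst + pos, size - pos, "%s", s);
    return pos + strlen(s);
}

static size_t hex_append(char *dst, size_t size, size_t pos, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++, pos += 2)
        if (pos + 2 < size) snprintf(dst + pos, 3, "%02x", b[i]); /* 2 digits + NUL */
    return pos;
}

/* Keys appear only under private debugging; otherwise the same line shape is
 * kept (so nothing parsing the log breaks) with the key fields redacted. */
size_t fmt_parentsa_line(char *out, size_t size, const struct ike_sa *sa, bool dbg_private)
{
    size_t pos = append(out, size, 0, "ikev2 I 0x");
    pos = hex_append(out, size, pos, sa->spi_i, IKE_SPI_SIZE);
    pos = hex_append(out, size, append(out, size, pos, " 0x"), sa->spi_r, IKE_SPI_SIZE);
    pos = append(out, size, append(out, size, append(out, size, pos, " "), sa->enc_name), ":");
    pos = dbg_private ? hex_append(out, size, pos, sa->sk_ei, sa->sk_ei_len)
                      : append(out, size, pos, "<hidden>");
    pos = append(out, size, append(out, size, append(out, size, pos, " "), sa->integ_name), ":");
    return dbg_private ? hex_append(out, size, pos, sa->sk_ai, sa->sk_ai_len)
                       : append(out, size, pos, "<hidden>");
}

/* Constructed sample SA (made-up SPIs and key bytes); returns the formatted
 * line from a static buffer so it can be compared directly. */
const char *example_line(bool dbg_private)
{
    static const uint8_t ei[] = {0xde, 0xad, 0xbe, 0xef}, ai[] = {0xca, 0xfe};
    static const struct ike_sa sa = {
        {1, 2, 3, 4, 5, 6, 7, 8}, {0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18},
        "aes_gcm_16", ei, sizeof ei, "hmac_sha2_256", ai, sizeof ai };
    static char buf[256];                  /* bound passed as sizeof buf, not 256 */
    fmt_parentsa_line(buf, sizeof buf, &sa, dbg_private);
    return buf;
}
```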

