Paul Wouters paul at nohats.ca
Tue Sep 8 15:48:43 UTC 2020

On Tue, 8 Sep 2020, Andrew Cagney wrote:

> Subject: [Swan-dev] DBG_PRIVATE vs DBG_CRYPT
>   crypt: encryption/decryption of messages: DANGER!
>   private: displays private information: DANGER!
> I believe the idea behind private is that it dumps just enough information for commands like tcpdump to decrypt
> packets (see ikev2_logParentSA()) and perhaps recover DH material?
> With that in mind I suspect most of the DBG_PRIVATE calls should be DBG_CRYPT?

Probably. Things like passwords and PSKs and SKEYSEEDs and KEYMATs
should be DBG_PRIVATE. This logging is also blocked in FIPS mode.
The CRYPT logs were about the encryption/decryption process. I don't
think it matters if it would log unencrypted byte streams for IKE
packets (it contains no real secrets wrt sensitive material)


More information about the Swan-dev mailing list