[Swan-dev] DBG_PRIVATE vs DBG_CRYPT
paul at nohats.ca
Tue Sep 8 15:48:43 UTC 2020
On Tue, 8 Sep 2020, Andrew Cagney wrote:
> Subject: [Swan-dev] DBG_PRIVATE vs DBG_CRYPT
> crypt: encryption/decryption of messages: DANGER!
> private: displays private information: DANGER!
> I believe the idea behind private is that it dumps just enough information for commands like tcpdump to decrypt
> packets (see ikev2_logParentSA()) and perhaps recover DH material?
> With that in mind I suspect most of the DBG_PRIVATE calls should be DBG_CRYPT?
Probably. Things like passwords and PSKs and SKEYSEEDs and KEYMATs
should be DBG_PRIVATE. This logging is also blocked in FIPS mode.
The CRYPT logs were about the encryption/decryption process. I don't
think it matters if it would log unencrypted byte streams for IKE
packets (it contains no real secrets wrt sensitive material)
More information about the Swan-dev