On Mon, 27 Apr 2015, Andrew Cagney wrote:
> The log files often contain keying material when they shouldn't. I figure I'd
> throw out a rule (er, dogma) on what keying material can appear in a log file
> and see how far it gets :-)
> - you can log chunk contents
> The assumption here is that it's things like cookies, nonces, et al. which either came
> from or will go on the wire. If we find a chunk that shouldn't be logged then ask the
> question "should this be a symkey"
> because:
> - you cannot log symkey contents (unless DBG_PRIVATE)
> Of course there'll be exceptions such as PSKs (which is why this is dogma :-).
> With this in mind, I've added a DBG_dump_symkey that only logs limited
> information (unless DBG_PRIVATE).
Late response, but yes, looks fine to me.
DBG_PRIVATE for KEYMAT stuff is nice too, for easy feeding into tcpdump
for IPsec SAs or fuzzers for IKE SAs.
Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
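The chunk/symkey split described in the thread, as an added illustration that is not libreswan's own DBG_dump_symkey code: a chunk (on-the-wire data such as a nonce) is always rendered in hex, while a symkey renders only its algorithm and length unless DBG_PRIVATE is set. The struct layouts, the DBG_CRYPT flag value and the leaks_key() helper (which checks whether a log line contains the key's hex, the kind of test one would use to catch a chunk that should have been a symkey) are assumptions made for this example; only the name DBG_PRIVATE comes from the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical debug flags for this example; the real flag values differ. */
enum { DBG_CRYPT = 1u << 0, DBG_PRIVATE = 1u << 1 };

/* A chunk: bytes that came from, or will go on, the wire. Always loggable. */
struct chunk { const uint8_t *ptr; size_t len; };

/* A symkey: key material. Contents are never logged without DBG_PRIVATE. */
struct symkey { const uint8_t *ptr; size_t len; const char *algo; };

/* Hex-encode n bytes into out (capacity cap); returns characters written. */
static size_t hex_into(char *out, size_t cap, const uint8_t *p, size_t n)
{
	size_t w = 0;
	for (size_t i = 0; i < n && w + 3 <= cap; i++)
		w += (size_t)snprintf(out + w, cap - w, "%02x", p[i]);
	return w;
}

/* Chunk contents may always be dumped in full. */
size_t dbg_dump_chunk(char *out, size_t cap, const char *label, struct chunk c)
{
	int n = snprintf(out, cap, "%s (%zu bytes): ", label, c.len);
	if (n < 0 || (size_t)n >= cap)
		return cap;
	return (size_t)n + hex_into(out + n, cap - (size_t)n, c.ptr, c.len);
}

/* Symkey: algorithm and length only, unless DBG_PRIVATE is enabled. */
size_t dbg_dump_symkey(char *out, size_t cap, const char *label,
		       struct symkey k, unsigned debugging)
{
	if (!(debugging & DBG_PRIVATE)) {
		int n = snprintf(out, cap,
				 "%s %s (%zu bytes): <redacted; enable DBG_PRIVATE to see>",
				 label, k.algo, k.len);
		return n < 0 ? 0 : (size_t)n;
	}
	int n = snprintf(out, cap, "%s %s (%zu bytes): ", label, k.algo, k.len);
	if (n < 0 || (size_t)n >= cap)
		return cap;
	return (size_t)n + hex_into(out + n, cap - (size_t)n, k.ptr, k.len);
}

/* Self-check: does this log line contain the key's hex encoding? Keys longer
 * than 64 bytes are only checked on their first 64 bytes. */
bool leaks_key(const char *line, struct symkey k)
{
	char hex[2 * 64 + 1];
	size_t n = k.len > 64 ? 64 : k.len;
	hex_into(hex, sizeof hex, k.ptr, n);
	return strstr(line, hex) != NULL;
}

int main(void)
{
	/* Constructed sample values, not real keying material. */
	const uint8_t nonce[4] = { 0xde, 0xad, 0xbe, 0xef };
	const uint8_t key[4] = { 0x01, 0x02, 0x03, 0x04 };
	struct chunk ni = { nonce, sizeof nonce };
	struct symkey sk_d = { key, sizeof key, "aes" };
	char line[128];

	dbg_dump_chunk(line, sizeof line, "Ni", ni);
	puts(line);
	dbg_dump_symkey(line, sizeof line, "SK_d", sk_d, DBG_CRYPT);
	puts(line);                      /* redacted */
	dbg_dump_symkey(line, sizeof line, "SK_d", sk_d, DBG_CRYPT | DBG_PRIVATE);
	puts(line);                      /* full hex, DBG_PRIVATE only */
	return 0;
}
```

With DBG_PRIVATE on, the symkey line carries the raw hex, which is exactly what makes it useful for feeding an ESP or IKE SA into tcpdump or a fuzzer; without it, the line is still informative enough for ordinary debugging (which key, which algorithm, how long) while leaks_key() on the same line returns false.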