On Thu, 13 Dec 2018, Andrew Cagney wrote:

As I understand it, the reason for --debug private is to enable a
feature where logging included the information needed to decrypt
streams.

Yes, one of the reasons.

For instance, ikev2_log_parentSA() was logging a line
containing:

 - the IKE SPIs
 - the crypto algorithm
 - the keying material

that could be fed to 'tcpdump -E'.   However, notice the past tense.
Commit 944c9a31c1e4dff1ab92cdf9c85629b7270a6157 from 2014 included
this change:

-               datatot(st->st_skey_ei.ptr, st->st_skey_ei.len, 'x', enckeybuf,
-                       256);
-               datatot(st->st_skey_ai.ptr, st->st_skey_ai.len, 'x',
-                       authkeybuf, 256);
-               DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
0x%02x%02x%02x%02x%02x%02x%02x%02x %s:%s %s:%s",
+               DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x
0x%02x%02x%02x%02x%02x%02x%02x%02x %s %s",
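Review bot: the removed datatot() calls were the only place st_skey_ei and st_skey_ai got hex-encoded into enckeybuf/authkeybuf, and the format string goes from "%s:%s %s:%s" to "%s %s", so the algorithm names are still logged but the keying material is not; if dropping the keys was the intent, the now-unused enckeybuf/authkeybuf declarations should go with them, and if it was not, the datatot() calls and the ":%s" key slots need to stay together with the format change. The hunk carries no trailing context, so the argument list behind the new "%s %s" cannot be checked from what is quoted here.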

It would be good if we could restore that functionality, and maybe make
this more clear by prefixing it, e.g. DBG_log("ikev2 I for tcpdump: 0x[...]")

Paul
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
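An added example, not libreswan's code or anything from the thread: the line Paul wants restored, built from the IKE SPIs, the algorithm names and the keying material, as a stand-alone C function with the suggested "for tcpdump:" prefix. The names format_ikev2_keys_line, hex_encode, sample_keys_line and MAX_KEY_LEN, and the sample SPI and key bytes, are all assumptions of this example; hex_encode stands in for the datatot(..., 'x', ...) call the 2014 commit removed. Because the line carries live keys, it is emitted only when the private debug flag is set, and a line that would be truncated is wiped rather than logged half-way.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libreswan's datatot(..., 'x', ...) (assumption of this
 * example): hex-encode len bytes of src into dst, NUL-terminated.
 * Returns the number of hex characters written, or -1 if dst is too small. */
static int hex_encode(const uint8_t *src, size_t len, char *dst, size_t dstlen)
{
	static const char digits[] = "0123456789abcdef";

	if (dstlen < 2 * len + 1)
		return -1;
	for (size_t i = 0; i < len; i++) {
		dst[2 * i] = digits[src[i] >> 4];
		dst[2 * i + 1] = digits[src[i] & 0x0f];
	}
	dst[2 * len] = '\0';
	return (int)(2 * len);
}

#define IKE_SPI_LEN 8
#define MAX_KEY_LEN 64	/* assumption: largest SK_e/SK_a this example accepts */

/* Build "ikev2 I for tcpdump: 0x<SPIi> 0x<SPIr> <encalg>:<SK_ei> <authalg>:<SK_ai>".
 * Emits nothing unless debug_private is set, because the line carries keys.
 * Returns the line length, or -1 if the flag is off, a key is oversize,
 * or out is too small (in which case out is zeroed, not left half-written). */
int format_ikev2_keys_line(bool debug_private,
			   const uint8_t spi_i[IKE_SPI_LEN],
			   const uint8_t spi_r[IKE_SPI_LEN],
			   const char *encalg, const uint8_t *ek, size_t eklen,
			   const char *authalg, const uint8_t *ak, size_t aklen,
			   char *out, size_t outlen)
{
	char spi_i_hex[2 * IKE_SPI_LEN + 1], spi_r_hex[2 * IKE_SPI_LEN + 1];
	char ek_hex[2 * MAX_KEY_LEN + 1], ak_hex[2 * MAX_KEY_LEN + 1];
	int n;

	if (!debug_private)
		return -1;
	if (hex_encode(spi_i, IKE_SPI_LEN, spi_i_hex, sizeof spi_i_hex) < 0 ||
	    hex_encode(spi_r, IKE_SPI_LEN, spi_r_hex, sizeof spi_r_hex) < 0 ||
	    hex_encode(ek, eklen, ek_hex, sizeof ek_hex) < 0 ||
	    hex_encode(ak, aklen, ak_hex, sizeof ak_hex) < 0)
		return -1;

	n = snprintf(out, outlen, "ikev2 I for tcpdump: 0x%s 0x%s %s:%s %s:%s",
		     spi_i_hex, spi_r_hex, encalg, ek_hex, authalg, ak_hex);
	if (n < 0 || (size_t)n >= outlen) {
		/* A truncated key line is worse than none: wipe it and fail. */
		if (outlen > 0)
			memset(out, 0, outlen);
		return -1;
	}
	return n;
}

/* Constructed sample state (not a real session): fixed SPIs and keys. */
int sample_keys_line(bool debug_private, char *out, size_t outlen)
{
	static const uint8_t spi_i[IKE_SPI_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};
	static const uint8_t spi_r[IKE_SPI_LEN] = {0xa1, 0xa2, 0xa3, 0xa4,
						   0xa5, 0xa6, 0xa7, 0xa8};
	static const uint8_t sk_ei[16] = {0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
					  0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
					  0x11, 0x11, 0x11, 0x11};
	static const uint8_t sk_ai[4] = {0xff, 0xff, 0xff, 0xff};

	return format_ikev2_keys_line(debug_private, spi_i, spi_r,
				      "aes", sk_ei, sizeof sk_ei,
				      "sha1", sk_ai, sizeof sk_ai,
				      out, outlen);
}

int main(void)
{
	char line[256];

	if (sample_keys_line(true, line, sizeof line) > 0)
		puts(line);
	return 0;
}
```

Run as-is it prints the sample line; with the flag cleared, or with a buffer too small for the whole line, the function returns -1 and logs nothing, which is the behaviour a practitioner wants for anything gated behind --debug private.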
