| From: Andrew Cagney <[email protected]> | | As I understand it, the reason for --debug private is to enable a | feature where logging included the formation needed to decrypt | streams. For instance, ikev2_log_parentSA() was logging a line | containing: | | - the IKE SPIs | - the crypto algorithm | - the keying material | | that could be fed to 'tcpdump -E'. However, notice the past tense. | Commit 944c9a31c1e4dff1ab92cdf9c85629b7270a6157 from 2014 included | this change: | | - datatot(st->st_skey_ei.ptr, st->st_skey_ei.len, 'x', enckeybuf, | - 256); | - datatot(st->st_skey_ai.ptr, st->st_skey_ai.len, 'x', | - authkeybuf, 256); | - DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x | 0x%02x%02x%02x%02x%02x%02x%02x%02x %s:%s %s:%s", | + DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x | 0x%02x%02x%02x%02x%02x%02x%02x%02x %s %s", | | | making the line useless.
Interesting. Good catch. That's a bug and I introduced it. I made this change 4.5 years ago and nobody has reported it. I guess that the feature isn't used frequently. Perhaps I elminated it because it didn't appear to be conditional on DBG_PRIVATE (it actually was, but in an odd way; Paul fixed that last year). Perhaps I just decided that the use of the naked constant 256 six times was messy and better deleted than fixed. In any case, I clearly didn't take note of the comments before ikev2_log_parentSA(). Andrew: do you want to fix this or shall I? _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
