On Thu, 13 Dec 2018 at 12:47, D. Hugh Redelmeier <[email protected]> wrote: > > | From: Andrew Cagney <[email protected]> > | > | As I understand it, the reason for --debug private is to enable a > | feature where logging included the formation needed to decrypt > | streams. For instance, ikev2_log_parentSA() was logging a line > | containing: > | > | - the IKE SPIs > | - the crypto algorithm > | - the keying material > | > | that could be fed to 'tcpdump -E'. However, notice the past tense. > | Commit 944c9a31c1e4dff1ab92cdf9c85629b7270a6157 from 2014 included > | this change: > | > | - datatot(st->st_skey_ei.ptr, st->st_skey_ei.len, 'x', > enckeybuf, > | - 256); > | - datatot(st->st_skey_ai.ptr, st->st_skey_ai.len, 'x', > | - authkeybuf, 256); > | - DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x > | 0x%02x%02x%02x%02x%02x%02x%02x%02x %s:%s %s:%s", > | + DBG_log("ikev2 I 0x%02x%02x%02x%02x%02x%02x%02x%02x > | 0x%02x%02x%02x%02x%02x%02x%02x%02x %s %s", > | > | > | making the line useless. > > Interesting. Good catch. That's a bug and I introduced it. > > I made this change 4.5 years ago and nobody has reported it. I guess > that the feature isn't used frequently. > > Perhaps I elminated it because it didn't appear to be conditional on > DBG_PRIVATE (it actually was, but in an odd way; Paul fixed that > last year). > > Perhaps I just decided that the use of the naked constant 256 six > times was messy and better deleted than fixed. > > In any case, I clearly didn't take note of the comments before > ikev2_log_parentSA(). > > Andrew: do you want to fix this or shall I?
Sure. I think you want chunk_from_symkey() (and perhaps LSWLOG_DEBUG(buf)). I'll also drop a note at far the end of my TODO list. Andrew _______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
