On Tue, 8 Sep 2020, Andrew Cagney wrote:

Subject: [Swan-dev] DBG_PRIVATE vs DBG_CRYPT

>   crypt: encryption/decryption of messages: DANGER!
>   private: displays private information: DANGER!
>
> I believe the idea behind private is that it dumps just enough information for commands like tcpdump to decrypt packets (see ikev2_logParentSA()) and perhaps recover DH material?
>
> With that in mind I suspect most of the DBG_PRIVATE calls should be DBG_CRYPT?

Probably. Things like passwords and PSKs and SKEYSEEDs and KEYMATs
should be DBG_PRIVATE. This logging is also blocked in FIPS mode.
The CRYPT logs were about the encryption/decryption process. I don't
think it matters if it would log unencrypted byte streams for IKE
packets (it contains no real secrets wrt sensitive material)

Paul
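The split Paul describes above, as an added example rather than libreswan's own code: a small C debug-logging policy in which DBG_CRYPT covers the encryption/decryption process and packet bytes, while DBG_PRIVATE covers key material (PSKs, SKEYSEED, KEYMAT) and is forced off whenever FIPS mode is on. The enum values, the `dbg_policy` struct, the `dbg_allowed()` / `dbg_format_bytes()` helpers and the sample bytes are all assumptions made for this illustration; the real libreswan flag values and function names differ.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical debug-class bits named after the thread's DBG_CRYPT /
 * DBG_PRIVATE. Assumption: real libreswan uses different values. */
enum dbg_class {
    DBG_CRYPT   = 1u << 0,   /* encrypt/decrypt process, IKE packet bytes */
    DBG_PRIVATE = 1u << 1,   /* secrets: PSKs, SKEYSEED, KEYMAT, DH material */
};

/* Hypothetical runtime policy: which classes are enabled, and FIPS state. */
struct dbg_policy {
    unsigned enabled;   /* bitmask of enum dbg_class */
    bool fips_mode;     /* when true, DBG_PRIVATE output is blocked outright */
};

/* Decide whether material of class `cls` may be written to the log.
 * DBG_PRIVATE is refused in FIPS mode regardless of the enabled mask;
 * DBG_CRYPT only depends on the mask. */
bool dbg_allowed(const struct dbg_policy *p, enum dbg_class cls)
{
    if (cls == DBG_PRIVATE && p->fips_mode)
        return false;
    return (p->enabled & cls) != 0;
}

/* Render `len` bytes as lowercase hex into `out` (capacity `outlen`), or
 * write the literal "<redacted>" when the policy forbids the class.
 * Returns the number of characters written (excluding the NUL), or -1 if
 * `out` is too small. */
int dbg_format_bytes(const struct dbg_policy *p, enum dbg_class cls,
                     const uint8_t *buf, size_t len,
                     char *out, size_t outlen)
{
    if (!dbg_allowed(p, cls)) {
        const char *r = "<redacted>";
        size_t rl = strlen(r);
        if (rl + 1 > outlen)
            return -1;
        memcpy(out, r, rl + 1);
        return (int)rl;
    }
    if (len * 2 + 1 > outlen)
        return -1;
    for (size_t i = 0; i < len; i++)
        sprintf(out + 2 * i, "%02x", buf[i]);
    out[len * 2] = '\0';
    return (int)(len * 2);
}

int main(void)
{
    /* Constructed sample values, not real key material. */
    const uint8_t skeyseed[8] = {0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef};
    const uint8_t ike_plain[4] = {0xde, 0xad, 0xbe, 0xef};
    char out[64];

    /* Operator enabled both classes, non-FIPS build: both are logged. */
    struct dbg_policy lab = { DBG_CRYPT | DBG_PRIVATE, false };
    dbg_format_bytes(&lab, DBG_PRIVATE, skeyseed, sizeof skeyseed, out, sizeof out);
    printf("lab   SKEYSEED : %s\n", out);
    dbg_format_bytes(&lab, DBG_CRYPT, ike_plain, sizeof ike_plain, out, sizeof out);
    printf("lab   IKE bytes: %s\n", out);

    /* Same mask in FIPS mode: crypt tracing survives, secrets do not. */
    struct dbg_policy fips = { DBG_CRYPT | DBG_PRIVATE, true };
    dbg_format_bytes(&fips, DBG_PRIVATE, skeyseed, sizeof skeyseed, out, sizeof out);
    printf("fips  SKEYSEED : %s\n", out);
    dbg_format_bytes(&fips, DBG_CRYPT, ike_plain, sizeof ike_plain, out, sizeof out);
    printf("fips  IKE bytes: %s\n", out);
    return 0;
}
```

The point of routing every secret through a class check rather than an ad-hoc `if (debug)` is that the FIPS restriction lives in one place: a call site that is misclassified as DBG_CRYPT would leak a key even with FIPS on, which is exactly why PSKs, SKEYSEEDs and KEYMATs belong under DBG_PRIVATE.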