[PATCH] log escaped identities when they dont match

[Phil Mayers]

A more complex version replacing the previous version; this logs the 
escaped username, possibly useful if it contains various binary nonsense 
etc.

---
 src/modules/rlm_eap/eap.c |   12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/modules/rlm_eap/eap.c b/src/modules/rlm_eap/eap.c
index e947844..6e2367e 100644
--- a/src/modules/rlm_eap/eap.c
+++ b/src/modules/rlm_eap/eap.c
@@ -953,6 +953,8 @@ EAP_HANDLER *eap_handler(rlm_eap_t *inst, eap_packet_t 
**eap_packet_p,
        eap_packet_t    *eap_packet = *eap_packet_p;
        VALUE_PAIR      *vp;
 
+	char		ident_safe[MAX_STRING_LEN+1], username_safe[MAX_STRING_LEN+1];
+
        /*
         *      Ensure it's a valid EAP-Request, or EAP-Response.
         */
@@ -1025,7 +1027,10 @@ EAP_HANDLER *eap_handler(rlm_eap_t *inst, eap_packet_t 
**eap_packet_p,
                        */
                        if (strncmp(handler->identity, vp->vp_strvalue,
                                   MAX_STRING_LEN) != 0) {
-                               radlog(L_ERR, "rlm_eap: Identity %s does not match 
User-Name %s.  Authentication failed.", handler->identity, vp->vp_strvalue);
+                               librad_safeprint(handler->identity, 
strlen(handler->identity), ident_safe, MAX_STRING_LEN);
+                               librad_safeprint(vp->vp_strvalue, 
strlen(vp->vp_strvalue), username_safe, MAX_STRING_LEN);
+
+                               radlog(L_ERR, "rlm_eap: Identity %s does not match 
User-Name %s.  Authentication failed.", ident_safe, username_safe);
                                free(*eap_packet_p);
                                *eap_packet_p = NULL;
                                return NULL;
@@ -1081,7 +1086,10 @@ EAP_HANDLER *eap_handler(rlm_eap_t *inst, eap_packet_t 
**eap_packet_p,
                        */
                        if (strncmp(handler->identity, vp->vp_strvalue,
                                   MAX_STRING_LEN) != 0) {
-                               radlog(L_ERR, "rlm_eap: Identity does not match 
User-Name, setting from EAP Identity.");
+                               librad_safeprint(handler->identity, 
strlen(handler->identity), ident_safe, MAX_STRING_LEN);
+                               librad_safeprint(vp->vp_strvalue, 
strlen(vp->vp_strvalue), username_safe, MAX_STRING_LEN);
+
+                               radlog(L_ERR, "rlm_eap: Identity %s does not match 
User-Name %s.  Authentication failed.", ident_safe, username_safe);
                                free(*eap_packet_p);
                                *eap_packet_p = NULL;
                                eap_handler_free(handler);
--
1.5.4.1

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html