RADIUS server: Allow EAP methods to log into SQLite DB
authorJouni Malinen <jouni@qca.qualcomm.com>
Fri, 28 Feb 2014 12:41:42 +0000 (14:41 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 9 Mar 2014 16:21:13 +0000 (18:21 +0200)
This extends RADIUS server logging capabilities to allow EAP server
methods to add log entries.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
src/eap_server/eap.h
src/eap_server/eap_i.h
src/eap_server/eap_server.c
src/eap_server/eap_server_identity.c
src/eap_server/eap_server_mschapv2.c
src/eap_server/eap_server_ttls.c
src/eapol_auth/eapol_auth_sm.c
src/radius/radius_server.c

index 25347baa4d25cafa6d0d44e0e5a87e3e56d3c795..f1eb46871a36fe209098483414c68a14da339512 100644 (file)
@@ -81,6 +81,7 @@ struct eapol_callbacks {
        int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
                            int phase2, struct eap_user *user);
        const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
+       void (*log_msg)(void *ctx, const char *msg);
 };
 
 struct eap_config {
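Review bot: The new `log_msg` member of struct eapol_callbacks has no comment describing its contract, and two things are not obvious to an implementer: the member may be left NULL (eap_log_msg in eap_server.c checks for that before calling), and `msg` points to a heap buffer that eap_log_msg frees as soon as the callback returns. I would add above the member: `/* Optional (may be NULL). msg is a NUL-terminated string valid only for the duration of the call; copy it if it must be kept. */`. Since later hunks put peer-supplied identity text into msg, the comment should also say that implementations must pass it on as data and never use it as a format string.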
index 003e20205faa7e474c521c920734d0ac6ab8c377..0180aff4b49e849867c41bfb7b1436071eea57d9 100644 (file)
@@ -195,6 +195,8 @@ struct eap_sm {
 
 int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,
                 int phase2);
+void eap_log_msg(struct eap_sm *sm, const char *fmt, ...)
+PRINTF_FORMAT(2, 3);
 void eap_sm_process_nak(struct eap_sm *sm, const u8 *nak_list, size_t len);
 
 #endif /* EAP_I_H */
index 233e2726e18eb3e174ac5734c2ec87f659ffbf59..19997822f694c4c5230e9603c5f86a74c7b4a4f0 100644 (file)
@@ -119,6 +119,32 @@ int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,
 }
 
 
+void eap_log_msg(struct eap_sm *sm, const char *fmt, ...)
+{
+       va_list ap;
+       char *buf;
+       int buflen;
+
+       if (sm == NULL || sm->eapol_cb == NULL || sm->eapol_cb->log_msg == NULL)
+               return;
+
+       va_start(ap, fmt);
+       buflen = vsnprintf(NULL, 0, fmt, ap) + 1;
+       va_end(ap);
+
+       buf = os_malloc(buflen);
+       if (buf == NULL)
+               return;
+       va_start(ap, fmt);
+       vsnprintf(buf, buflen, fmt, ap);
+       va_end(ap);
+
+       sm->eapol_cb->log_msg(sm->eapol_ctx, buf);
+
+       os_free(buf);
+}
+
+
 SM_STATE(EAP, DISABLED)
 {
        SM_ENTRY(EAP, DISABLED);
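Review bot: The result of the sizing call `vsnprintf(NULL, 0, fmt, ap)` in eap_log_msg is used without a check, so a negative return (an encoding error, or a C library whose vsnprintf does not support the C99 size query) leaves `buflen` at zero or below. With buflen == 0, os_malloc(0) may still return a non-NULL pointer, the second vsnprintf writes nothing, and an uninitialised buffer is handed to `log_msg`; a value below zero would become a very large request if os_malloc takes a size_t. Adding `if (buflen <= 0) return;` right after the first `va_end(ap);` closes both cases. A short comment above the function, saying that it formats into a temporary heap buffer and does nothing when no `log_msg` callback is registered, would also help readers of the EAP methods that call it.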
@@ -366,6 +392,7 @@ try_another_method:
        }
        if (sm->m == NULL) {
                wpa_printf(MSG_DEBUG, "EAP: Could not find suitable EAP method");
+               eap_log_msg(sm, "Could not find suitable EAP method");
                sm->decision = DECISION_FAILURE;
                return;
        }
@@ -377,6 +404,8 @@ try_another_method:
 
        wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
                "vendor=%u method=%u", vendor, sm->currentMethod);
+       eap_log_msg(sm, "Propose EAP method vendor=%u method=%u",
+                   vendor, sm->currentMethod);
 }
 
 
@@ -693,6 +722,7 @@ SM_STEP(EAP)
                                   "respMethod=%d currentMethod=%d",
                                   sm->rxResp, sm->respId, sm->currentId,
                                   sm->respMethod, sm->currentMethod);
+                       eap_log_msg(sm, "Discard received EAP message");
                        SM_ENTER(EAP, DISCARD);
                }
                break;
index 51dc4e8b4f57f4c6b08d6873d7cf828aea1c8a71..b3c20873a00818cf211de965b02198888abe2c1c 100644 (file)
@@ -102,6 +102,7 @@ static void eap_identity_process(struct eap_sm *sm, void *priv,
        struct eap_identity_data *data = priv;
        const u8 *pos;
        size_t len;
+       char *buf;
 
        if (data->pick_up) {
                if (eap_identity_check(sm, data, respData)) {
@@ -119,6 +120,12 @@ static void eap_identity_process(struct eap_sm *sm, void *priv,
                return; /* Should not happen - frame already validated */
 
        wpa_hexdump_ascii(MSG_DEBUG, "EAP-Identity: Peer identity", pos, len);
+       buf = os_malloc(len * 3 + 1);
+       if (buf) {
+               printf_encode(buf, len * 3 + 1, pos, len);
+               eap_log_msg(sm, "EAP-Response/Identity '%s'", buf);
+               os_free(buf);
+       }
        if (sm->identity)
                sm->update_user = TRUE;
        os_free(sm->identity);
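Review bot: The buffer size `len * 3 + 1` passed to printf_encode looks too small for the worst case: if printf_encode writes non-printable bytes as `\xNN` (four characters per input byte, which is my understanding of the helper in src/utils/common.c, not shown on this page), an identity made mostly of such bytes is cut short in the log entry. The call is bounded by its size argument, so this is truncation rather than an overflow, but it means the audit record can miss the tail of a peer-supplied identity. `buf = os_malloc(len * 4 + 1);` together with `printf_encode(buf, len * 4 + 1, pos, len);` covers the worst case. The same sizing appears in the eap_server_mschapv2.c hunk (`name_len * 3 + 1`) and in the eap_server_ttls.c hunk (`parse.user_name_len * 3 + 1`). eap_identity_process starts and ends outside this hunk.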
index 3153d2ecfb98150ae5d94f786a0c020b9d254766..790c719507762209aabdf95424c21439d3b88409 100644 (file)
@@ -290,6 +290,7 @@ static void eap_mschapv2_process_response(struct eap_sm *sm,
        const u8 *username, *user;
        size_t username_len, user_len;
        int res;
+       char *buf;
 
        pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2, respData,
                               &len);
@@ -329,6 +330,13 @@ static void eap_mschapv2_process_response(struct eap_sm *sm,
        wpa_printf(MSG_MSGDUMP, "EAP-MSCHAPV2: Flags 0x%x", flags);
        wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-MSCHAPV2: Name", name, name_len);
 
+       buf = os_malloc(name_len * 3 + 1);
+       if (buf) {
+               printf_encode(buf, name_len * 3 + 1, name, name_len);
+               eap_log_msg(sm, "EAP-MSCHAPV2 Name '%s'", buf);
+               os_free(buf);
+       }
+
        /* MSCHAPv2 does not include optional domain name in the
         * challenge-response calculation, so remove domain prefix
         * (if present). */
index 647bd2fad938f4f48669517f8a50a0c858a98c14..24225a45ab9c3d4ec72aa9318162cf7532cc1025 100644 (file)
@@ -984,6 +984,16 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
        }
 
        if (parse.user_name) {
+               char *nbuf;
+               nbuf = os_malloc(parse.user_name_len * 3 + 1);
+               if (nbuf) {
+                       printf_encode(nbuf, parse.user_name_len * 3 + 1,
+                                     parse.user_name,
+                                     parse.user_name_len);
+                       eap_log_msg(sm, "TTLS-User-Name '%s'", nbuf);
+                       os_free(nbuf);
+               }
+
                os_free(sm->identity);
                sm->identity = os_malloc(parse.user_name_len);
                if (sm->identity == NULL) {
index 525bdeef8071b0ef29946f5f27d0321e845557aa..a76fa13b2e408249f7254b39f6c019fe903c1231 100644 (file)
@@ -1023,7 +1023,8 @@ static const char * eapol_sm_get_eap_req_id_text(void *ctx, size_t *len)
 static struct eapol_callbacks eapol_cb =
 {
        eapol_sm_get_eap_user,
-       eapol_sm_get_eap_req_id_text
+       eapol_sm_get_eap_req_id_text,
+       NULL
 };
 
 
index e0dbdf1024f9bb1b33737e83f4260eadc563100e..958ddf97b1ce0133ee78e37b46e889f0a0f03030 100644 (file)
@@ -1851,10 +1851,18 @@ static const char * radius_server_get_eap_req_id_text(void *ctx, size_t *len)
 }
 
 
+static void radius_server_log_msg(void *ctx, const char *msg)
+{
+       struct radius_session *sess = ctx;
+       srv_log(sess, "EAP: %s", msg);
+}
+
+
 static struct eapol_callbacks radius_server_eapol_cb =
 {
        .get_eap_user = radius_server_get_eap_user,
        .get_eap_req_id_text = radius_server_get_eap_req_id_text,
+       .log_msg = radius_server_log_msg,
 };