Mech_eap: only output debugging when GSSEAP_TRACE is set

Previously we only output informational messages from libeap.
However, we also output them all the time to stdout, which is bad
because it disrupts the output of the program.  Now, only output
debugging when the GSSEAP_TRACE environment variable is set.  In that
case output all the libeap debugging, not just informational messages.

In addition, use secure_getenv if it is available to avoid introducing yet more issues if run in a raised privilege situation.

diff --git a/configure.ac b/configure.ac
index 62067a2..fabdb9c 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -14,8 +14,9 @@ LT_INIT([dlopen disable-static win32-dll])
 dnl AC_PROG_CC
 AC_PROG_CXX
 AC_CONFIG_HEADERS([config.h])
-AC_CHECK_HEADERS(stdarg.h stdio.h stdint.h sys/param.h)
+AC_CHECK_HEADERS(stdarg.h stdio.h stdint.h sys/param.h stdlib.h)
 AC_REPLACE_FUNCS(vasprintf)
+AC_CHECK_FUNCS([ secure_getenv])
 
 dnl Check if we're on Solaris and set CFLAGS accordingly
 dnl AC_CANONICAL_TARGET

diff --git a/libeap/Makefile.am b/libeap/Makefile.am
index 065ba75..77ee4c0 100644 (file)
--- a/libeap/Makefile.am
+++ b/libeap/Makefile.am
@@ -94,7 +94,7 @@ AM_CFLAGS += -DEAP_SERVER_GPSK -DEAP_SERVER_GPSK_SHA256
 
 AM_CFLAGS += -DIEEE8021X_EAPOL
 AM_CFLAGS += -DCONFIG_IPV6
-
+AM_CFLAGS += -DCONFIG_DEBUG_FILE
 AM_CFLAGS += -DCONFIG_INTERNAL_LIBTOMMATH
 AM_CFLAGS += -DCONFIG_INTERNAL_SHA1
 AM_CFLAGS += -DEAP_TLS_OPENSSL

diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h
index ebb42bf..0a81cd8 100644 (file)
--- a/mech_eap/gssapiP_eap.h
+++ b/mech_eap/gssapiP_eap.h
@@ -407,6 +407,12 @@ gssEapInitiatorInit(OM_uint32 *minor);
 void
 gssEapFinalize(void);
 
+
+  /*If built as a library on Linux, don't respect environment when set*uid*/
+#ifdef HAVE_SECURE_GETENV
+#define getenv secure_getenv
+#endif
+
 #ifdef __cplusplus
 }
 #endif

diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index 0e1bee1..2ede1c5 100644 (file)
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -210,9 +210,7 @@ static struct eapol_callbacks gssEapPolicyCallbacks = {
     peerNotifyPending,
 };
 
-#ifdef GSSEAP_DEBUG
 extern int wpa_debug_level;
-#endif
 
 #define CHBIND_SERVICE_NAME_FLAG        0x01
 #define CHBIND_HOST_NAME_FLAG           0x02
@@ -366,6 +364,7 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
     gss_buffer_desc identity = GSS_C_EMPTY_BUFFER;
     gss_buffer_desc realm = GSS_C_EMPTY_BUFFER;
     gss_cred_id_t cred = ctx->cred;
+    char *debug_file = NULL;
 
     eapPeerConfig->identity = NULL;
     eapPeerConfig->identity_len = 0;
@@ -380,10 +379,12 @@ peerConfigInit(OM_uint32 *minor, gss_ctx_id_t ctx)
     GSSEAP_KRB_INIT(&krbContext);
 
     eapPeerConfig->fragment_size = 1024;
-#ifdef GSSEAP_DEBUG
-    wpa_debug_level = 0;
-#endif
-
+    wpa_debug_level = MSG_ERROR;
+    if ((debug_file = getenv("GSSEAP_TRACE")) != NULL) {
+           wpa_debug_open_file(debug_file);
+           wpa_debug_level = 0;
+       }
+    
     GSSEAP_ASSERT(cred->name != GSS_C_NO_NAME);
 
     if ((cred->name->flags & (NAME_FLAG_NAI | NAME_FLAG_SERVICE)) == 0) {