From bf6ac9b981bc90596a416160e922a204fb0e32c5 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Wed, 2 Mar 2011 16:46:08 +1100 Subject: [PATCH] Sent @REALM in EAP identity response --- README | 27 ++++++++++++++++++++++++--- init_sec_context.c | 8 +++++++- 2 files changed, 31 insertions(+), 4 deletions(-) diff --git a/README b/README index 978af55..5ec6228 100644 --- a/README +++ b/README @@ -24,9 +24,30 @@ Make sure your RADIUS library is configured to talk to the server of your choice: see the example radsec.conf in this directory. On the RADIUS server side, you need to install dictionary.ukerna and -include it from the main dictionary file. Your authentication policy -also needs to echo the EAP username back to the acceptor if you want -the acceptor to be able to identify the initiator. +include it from the main dictionary file. + +If you want the acceptor be able to identify the user, the RADIUS +server needs to echo back the EAP username from the inner tunnel; +for privacy, mech_eap only sends the realm in the EAP Identity +response. To configure this with FreeRADIUS, add: + + update outer.reply { + User-Name = "%{request:User-Name}" + } + +to /etc/raddb/sites-enabled/inner-tunnel, and make sure that + + virtual_server = "inner-tunnel" + +is set in eap.conf for the EAP types being used. + +To test the SAML assertion code path, you can place a fixed SAML +assertion in the update reply block of the default configuration. + + update reply { + SAML-AAA-Assertion = 'initiatorCtx.eapPeerConfig; krb5_error_code code; - char *identity; + char *identity, *anonymousIdentity; eapPeerConfig->identity = NULL; eapPeerConfig->identity_len = 0; 
@@ -243,8 +243,14 @@ peerConfigInit(OM_uint32 *minor,
 return GSS_S_FAILURE;
 }
+ anonymousIdentity = strchr(identity, '@');
+ if (anonymousIdentity == NULL)
+ anonymousIdentity = "";
+
 eapPeerConfig->identity = (unsigned char *)identity;
 eapPeerConfig->identity_len = strlen(identity);
+ eapPeerConfig->anonymous_identity = (unsigned char *)anonymousIdentity;
+ eapPeerConfig->anonymous_identity_len = strlen(anonymousIdentity);
 eapPeerConfig->password = (unsigned char *)cred->password.value;
 eapPeerConfig->password_len = cred->password.length;
-- 2.1.4
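Review bot: The fallback `anonymousIdentity = "";` for an identity with no '@' leaves `eapPeerConfig->anonymous_identity` non-NULL with length 0, so the outer EAP Identity response presumably becomes empty instead of falling back to the full identity; if that is the intended privacy behaviour, a comment such as `/* no realm: send an empty outer identity rather than the full NAI */` at the assignment would make it explicit, and if it is not, leaving the field NULL is the alternative. The realm pointer aliases the tail of `identity` (or a string literal), so whichever cleanup path frees `eapPeerConfig->identity` must not free `anonymous_identity` as well — worth a note next to `eapPeerConfig->anonymous_identity = (unsigned char *)anonymousIdentity;`. `strchr` splits at the first '@'; if the local part of a name can ever contain an escaped '@', part of the user name would be sent in the supposedly anonymous identity, whereas `strrchr(identity, '@')` would select the realm separator. The enclosing function peerConfigInit starts and ends outside the hunk.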