Bug in the CUI policy?

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Mon Aug 19 16:19:51 UTC 2024


Hi folks,

Just to verify something. In https://github.com/FreeRADIUS/freeradius-server/blob/21307a061b1d9d859febe08bc338e724c1d464f3/raddb/policy.d/cui#L77-L91 it appears that the policy now sets the reply:User-Name to the request:User-Name.

However, you realise that when you send out a CUI, which is a hash of three parts, and you have two of them, you could potentially deduce the third? I defer to your expertise Alan, but shouldn't the User-Name be set to something not the real value, like maybe the outer-request:User-Name (in the case where the outer was anonymised)? I realise that's pointless where the inner User-Name and the outer User-Name match (like with oh-too-many eduroam people). Maybe '@realm'?

Just a question.

With kind regards

Stefan Paetow
Federated Roaming Technical Specialist
eduroam(UK), Jisc

email/teams: stefan.paetow at jisc.ac.uk
gpg: 0x3FCE5142
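
A small model of the concern raised in the message above, added here as an illustration and not taken from the FreeRADIUS policy file or from the poster. It assumes the CUI is a SHA-1 over a hash key, the lower-cased User-Name and the Operator-Name, and lists which of those three inputs a visited operator still lacks for each reply User-Name option the message mentions. The function names, key and identities are constructed.

```python
import hashlib

def cui(hash_key, user_name, operator_name=""):
    # Assumed construction (not copied from the policy file): SHA-1 over
    # key + lower-cased User-Name + Operator-Name, hex-encoded.
    data = hash_key + user_name.lower() + operator_name
    return hashlib.sha1(data.encode("utf-8")).hexdigest()

def reply_user_name(inner, outer, mode):
    """Value released as reply User-Name under each option in the message."""
    if mode == "inner":   # real inner identity is sent back
        return inner
    if mode == "outer":   # outer identity, possibly anonymised
        return outer
    if mode == "realm":   # only '@realm'
        return "@" + inner.rpartition("@")[2]
    raise ValueError("unknown mode: " + mode)

def unknown_inputs(inner, outer, mode):
    """CUI inputs a visited operator still lacks after seeing the reply.

    The operator always knows its own Operator-Name and sees the CUI,
    so only the hash key and the inner User-Name can remain unknown.
    """
    unknown = {"hash_key"}
    if reply_user_name(inner, outer, mode).lower() != inner.lower():
        unknown.add("user_name")
    return unknown

# Constructed sample values, not real identities or keys.
KEY = "constructed-sample-key"
INNER = "Alice@example.ac.uk"
ANON = "anonymous@example.ac.uk"
OPERATOR_A = "1visited-a.example"
OPERATOR_B = "1visited-b.example"

def demo():
    cases = (("inner", ANON), ("outer", ANON), ("outer", INNER), ("realm", ANON))
    return [(mode, reply_user_name(INNER, outer, mode),
             sorted(unknown_inputs(INNER, outer, mode)))
            for mode, outer in cases]

if __name__ == "__main__":
    print("CUI at operator A:", cui(KEY, INNER, OPERATOR_A))
    print("CUI at operator B:", cui(KEY, INNER, OPERATOR_B))
    for row in demo():
        print(row)
```

In this model the hash key is the only unknown left once the real inner User-Name is returned, and returning the outer User-Name changes nothing when outer and inner are the same.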




More information about the Freeradius-Users mailing list