Re: Phase 2 in EAP-TLS



On Thu, 2011-12-29 at 11:27 +0800, Gary Ching-Pang Lin wrote:
> Hi all,
> 
> I read the source code of network-manager-applet recently and
> have some questions about the eap-method-tls.c.
> 
> In eap-method-tls.c, there are several checks for the variable
> "phase2" which isn't used in ttls or peap, and the variable is
> initialized in eap_method_tls_new() and is never changed afterward.
> However, I found that eap_method_tls_new() is called only in
> wireless-security.c, and "phase2" is set to FALSE explicitly.
> In other words, the phase2 functions in eap-method-tls.c were
> never used.
> 
> Here are my questions.
> 1) Why is "phase2" declared but never used? Is it for any further plan
> or just a legacy of some old code?

It's actually used.  The EAPMethod things are lightweight objects but
don't use GObject, just plain C structures.  So what's going on there is
that phase2 gets passed into eap_method_tls_new() and then that is
passed to the call to eap_method_init().  The object returned from that
call is actually the EAPMethodTLS, or "self".  Anywhere in that file you
see EAPMethod/parent that means the EAPMethodTLS->parent, so the phase2
passed in here actually shows up as parent->phase2 throughout the file.

It could be clearer if these were actually GObjects I suppose, since
that's a standard understandable mechanism, instead of the pseudo-object
stuff that I wrote here long ago.

> 2) Under what conditions will EAP-TLS be used as "Phase 2"?
> I googled related documents but only found the Phase 2 auth
> methods for PEAP and TTLS.

TTLS-TLS is a valid method: TTLS for the outer tunnel, and TLS for the
inner tunnel.  I've also heard that PEAP-TLS is used though that's a
pretty pointless setup.  Basically, TLS is a valid inner tunnel (i.e.,
"phase2") method.

Dan
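The struct-embedding arrangement described in the reply above, as an added C illustration (this is not code from network-manager-applet; the type and function names EAPMethodDemo / eap_method_demo_* are made up for the example). It shows how a flag handed to a generic init routine, which returns the parent type, is then read back from the child as parent->phase2:

```c
/* Added example of the "pseudo-object" layout: the child struct embeds
 * the parent as its first member, so one allocation serves both views.
 * All names here are assumptions, not the real nm-applet definitions. */
#include <stdbool.h>
#include <stdlib.h>

typedef struct {
    bool phase2;        /* set once by the generic init, never changed later */
    size_t obj_size;    /* size of the concrete (child) object */
} EAPMethod;

typedef struct {
    EAPMethod parent;   /* must be first: the child pointer doubles as a parent pointer */
    int demo_field;
} EAPMethodDemo;

/* Generic init, analogous to eap_method_init(): allocates the *child*
 * size but hands back a pointer typed as the parent. */
static EAPMethod *eap_method_init(size_t obj_size, bool phase2)
{
    EAPMethod *m = calloc(1, obj_size);
    if (!m)
        return NULL;
    m->obj_size = obj_size;
    m->phase2 = phase2;
    return m;
}

/* Type-specific constructor, analogous to eap_method_tls_new(). */
EAPMethodDemo *eap_method_demo_new(bool phase2)
{
    EAPMethod *parent = eap_method_init(sizeof(EAPMethodDemo), phase2);
    if (!parent)
        return NULL;
    EAPMethodDemo *self = (EAPMethodDemo *)parent; /* same memory, child view */
    self->demo_field = 42;
    return self;
}

/* Inside the child's code the flag is reached through parent->phase2. */
bool eap_method_demo_is_phase2(const EAPMethodDemo *self)
{
    const EAPMethod *parent = &self->parent;
    return parent->phase2;
}

/* Round trip used for checking: returns 1/0 for the stored flag, -1 on OOM. */
int eap_method_demo_roundtrip(bool phase2)
{
    EAPMethodDemo *self = eap_method_demo_new(phase2);
    if (!self)
        return -1;
    int seen = eap_method_demo_is_phase2(self) ? 1 : 0;
    free(self);         /* parent and child share one allocation */
    return seen;
}
```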
