Re: Phase 2 in EAP-TLS
- From: Gary Ching-Pang Lin <chingpang gmail com>
- To: Dan Williams <dcbw redhat com>
- Cc: networkmanager-list gnome org
- Subject: Re: Phase 2 in EAP-TLS
- Date: Fri, 6 Jan 2012 10:39:02 +0800
2012/1/6 Dan Williams <dcbw redhat com>:
> On Thu, 2011-12-29 at 11:27 +0800, Gary Ching-Pang Lin wrote:
>> Hi all,
>>
>> I read the source code of network-manager-applet recently and
>> have some questions about the eap-method-tls.c.
>>
>> In eap-method-tls.c, there are several checks for the variable
>> "phase2" which isn't used in ttls or peap, and the variable is
>> initialized in eap_method_tls_new() and is never changed afterward.
>> However, I found that eap_method_tls_new() is called only in
>> wireless-security.c, and "phase2" is set to FALSE explicitly.
>> In other words, the phase2 functions in eap-method-tls.c were
>> never used.
>>
>> Here are my questions.
>> 1) Why is "phase2" declared but never used? Is it for some further plan
>> or just a legacy of some old code?
>
> It's actually used. The EAPMethod things are lightweight objects but
> don't use GObject, just plain C structures. So what's going on there is
> that phase2 gets passed into eap_method_tls_new() and then that is
> passed to the call to eap_method_init(). The object returned from that
> call is actually the EAPMethodTLS, or "self". Anywhere in that file you
> see EAPMethod/parent that means the EAPMethodTLS->parent, so the phase2
> passed in here actually shows up as parent->phase2 throughout the file.
>
Thanks for the explanation. What's confusing me is that eap_method_tls_new()
only appears in wireless-security.c besides eap-method-tls.*:
em_tls = eap_method_tls_new (sec, connection, FALSE, secrets_only);
The statement assigns FALSE to phase2 explicitly. So even though there are checks for
phase2 in eap-method-tls.c, the variable is always FALSE, and the phase2 checks
become kind of meaningless.
> It could be clearer if these were actually GObjects I suppose, since
> that's a standard understandable mechanism, instead of the pseudo-object
> stuff that I wrote here long ago.
>
>> 2) In what condition will EAP-TLS be used as "Phase 2"?
>> I googled related documents but only found the Phase 2 auth
>> methods for PEAP and TTLS.
>
> TTLS-TLS is a valid method: TTLS for the outer tunnel, and TLS for the
> inner tunnel. I've also heard that PEAP-TLS is used though that's a
> pretty pointless setup. Basically, TLS is a valid inner tunnel (ie,
> "phase2" method).
>
Ah, then that makes sense, though TTLS-TLS/PEAP-TLS seems too
complicated for a normal user :-p
Gary Lin
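The "parent" mechanism Dan describes, shown as an added, hypothetical simplified model rather than the actual network-manager-applet code: the derived EAPMethodTLS embeds a plain-C EAPMethod as its first member, so the phase2 flag handed to eap_method_tls_new() is stored by eap_method_init() and later read back as parent->phase2. The struct layouts, field names and the ca_cert_path placeholder are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical base "class": a plain C struct, not a GObject. */
typedef struct {
    bool phase2;        /* true when this method runs as the inner (phase 2) method */
    bool secrets_only;
} EAPMethod;

/* Hypothetical derived "class": the parent struct is the first member, so a
 * pointer to EAPMethodTLS is also a valid pointer to its EAPMethod. */
typedef struct {
    EAPMethod parent;   /* what the file refers to as "parent" */
    const char *ca_cert_path;
} EAPMethodTLS;

/* Stand-in for eap_method_init(): allocates the derived object by size and
 * records the flags in the embedded parent. */
static EAPMethod *eap_method_init(size_t obj_size, bool phase2, bool secrets_only)
{
    EAPMethod *parent = calloc(1, obj_size);
    if (!parent)
        return NULL;
    parent->phase2 = phase2;
    parent->secrets_only = secrets_only;
    return parent;
}

/* Stand-in for eap_method_tls_new(): the caller's phase2 argument ends up as
 * parent->phase2 of the returned object ("self"). */
EAPMethodTLS *eap_method_tls_new(bool phase2, bool secrets_only)
{
    EAPMethodTLS *self = (EAPMethodTLS *)eap_method_init(sizeof(EAPMethodTLS), phase2, secrets_only);
    if (self)
        self->ca_cert_path = "/placeholder/ca.pem";   /* constructed placeholder */
    return self;
}

/* Reads the flag the way code inside eap-method-tls.c would, via the parent. */
bool eap_method_tls_is_phase2(const EAPMethodTLS *self)
{
    return self->parent.phase2;
}

/* Round trip: construct with the given flag, read it back through the parent, free. */
bool phase2_round_trip(bool phase2)
{
    EAPMethodTLS *self = eap_method_tls_new(phase2, false);
    bool seen = self ? eap_method_tls_is_phase2(self) : false;
    free(self);
    return seen;
}
```

With wireless-security.c always passing FALSE, phase2_round_trip(false) is the only path exercised there; a TTLS or PEAP caller creating the inner method would pass TRUE.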