Re: Phase 2 in EAP-TLS
On Fri, 2012-01-06 at 10:39 +0800, Gary Ching-Pang Lin wrote:
> 2012/1/6 Dan Williams <dcbw redhat com>:
> > On Thu, 2011-12-29 at 11:27 +0800, Gary Ching-Pang Lin wrote:
> >> Hi all,
> >>
> >> I read the source code of network-manager-applet recently and
> >> have some questions about the eap-method-tls.c.
> >>
> >> In eap-method-tls.c, there are several checks for the variable
> >> "phase2" which isn't used in ttls or peap, and the variable is
> >> initialized in eap_method_tls_new() and is never changed afterward.
> >> However, I found that eap_method_tls_new() is called only in
> >> wireless-security.c, and "phase2" is set to FALSE explicitly.
> >> In other words, the phase2 functions in eap-method-tls.c were
> >> never used.
> >>
> >> Here are my questions.
> >> 1) Why is "phase2" declared but never used? Is it for a future plan,
> >> or just a legacy of some old code?
> >
> > It's actually used.  The EAPMethod things are lightweight objects but
> > don't use GObject, just plain C structures.  So what's going on there is
> > that phase2 gets passed into eap_method_tls_new() and then that is
> > passed to the call to eap_method_init().  The object returned from that
> > call is actually the EAPMethodTLS, or "self".  Anywhere in that file you
> > see EAPMethod/parent that means the EAPMethodTLS->parent, so the phase2
> > passed in here actually shows up as parent->phase2 throughout the file.
> >
> Thanks for the explanation. What's confusing me is that eap_method_tls_new()
> only appears in wireless-security.c besides eap-method-tls.*:
> 
> em_tls = eap_method_tls_new (sec, connection, FALSE, secrets_only);
> 
> The statement assigns FALSE to phase2 explicitly. So even though there are
> checks for phase2 in eap-method-tls.c, the variable is always FALSE, and the
> phase2 checks become kind of meaningless.

It looks like TLS phase2 was coded for but never actually
enabled/finished because at the time I think there may have been
questions about whether it was really a valid configuration.  But I
think the phase2 support will never get called, as you suggest.  We
could enable it though, I'd be happy to take patches to do so since I've
had a few questions about it.

Dan

> > It could be clearer if these were actually GObjects I suppose, since
> > that's a standard understandable mechanism, instead of the pseudo-object
> > stuff that I wrote here long ago.
> >
> >> 2) Under what conditions will EAP-TLS be used as "Phase 2"?
> >> I googled related documents but only found the Phase 2 auth
> >> methods for PEAP and TTLS.
> >
> > TTLS-TLS is a valid method: TTLS for the outer tunnel, and TLS for the
> > inner tunnel.  I've also heard that PEAP-TLS is used though that's a
> > pretty pointless setup.  Basically, TLS is a valid inner tunnel (i.e.,
> > "phase2" method).
> >
> Ah, then that makes sense, though TTLS-TLS/PEAP-TLS seems too
> complicated for a normal user :-p
> 
> Gary Lin
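As an added illustration (not network-manager-applet's own code), here is a minimal version of the plain-C "pseudo-object" layout Dan describes: the base struct sits first inside the TLS struct, so the phase2 flag handed to eap_method_tls_new() ends up as parent->phase2, and with the hard-coded FALSE in wireless-security.c the phase2 branch below is never taken. The EAPMethod/EAPMethodTLS/parent/phase2/eap_method_init()/eap_method_tls_new() names follow the thread; the simplified signatures, the ca_cert field and the setting-key helper are assumptions made for this example.

```c
/* Added example, not code from network-manager-applet.  Simplified
 * reconstruction of the pseudo-object pattern discussed in the thread. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Base "class": a plain C struct, no GObject. */
typedef struct {
    bool   phase2;    /* true = used as inner (phase 2) method */
    size_t obj_size;  /* size of the concrete object that embeds us */
} EAPMethod;

/* Concrete "subclass": the base struct MUST be the first member so an
 * EAPMethodTLS* and an EAPMethod* point at the same address. */
typedef struct {
    EAPMethod parent;   /* "parent->phase2" in the real file is this */
    char      ca_cert[64];  /* assumed field: CA certificate path */
} EAPMethodTLS;

/* Allocate obj_size bytes and record phase2 in the base part
 * (assumed simplified signature of eap_method_init()). */
static EAPMethod *eap_method_init(size_t obj_size, bool phase2)
{
    EAPMethod *m = calloc(1, obj_size);
    if (!m)
        return NULL;
    m->obj_size = obj_size;
    m->phase2   = phase2;
    return m;
}

/* Simplified eap_method_tls_new(): the real one also takes the
 * WirelessSecurity, NMConnection and secrets_only arguments. */
EAPMethodTLS *eap_method_tls_new(bool phase2, const char *ca_cert)
{
    EAPMethodTLS *self = (EAPMethodTLS *) eap_method_init(sizeof(*self), phase2);
    if (!self)
        return NULL;
    strncpy(self->ca_cert, ca_cert, sizeof(self->ca_cert) - 1);
    return self;
}

/* Where the flag matters: an inner TLS method stores its CA cert under a
 * phase2-prefixed setting key (key names assumed for this example). */
const char *eap_method_tls_ca_cert_key(const EAPMethodTLS *self)
{
    const EAPMethod *parent = &self->parent;
    return parent->phase2 ? "phase2-ca-cert" : "ca-cert";
}
```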
