On Fri, 2012-01-06 at 10:39 +0800, Gary Ching-Pang Lin wrote:
> 2012/1/6 Dan Williams <[email protected]>:
> > On Thu, 2011-12-29 at 11:27 +0800, Gary Ching-Pang Lin wrote:
> >> Hi all,
> >>
> >> I read the source code of network-manager-applet recently and
> >> have some questions about eap-method-tls.c.
> >>
> >> In eap-method-tls.c, there are several checks for the variable
> >> "phase2", which isn't used in TTLS or PEAP, and the variable is
> >> initialized in eap_method_tls_new() and is never changed afterward.
> >> However, I found that eap_method_tls_new() is called only in
> >> wireless-security.c, and "phase2" is set to FALSE explicitly.
> >> In other words, the phase2 functions in eap-method-tls.c are
> >> never used.
> >>
> >> Here are my questions.
> >> 1) Why is "phase2" declared but never used? For any further plan
> >> or just a legacy of some old code?
> >
> > It's actually used. The EAPMethod things are lightweight objects but
> > don't use GObject, just plain C structures. So what's going on there is
> > that phase2 gets passed into eap_method_tls_new() and then that is
> > passed to the call to eap_method_init(). The object returned from that
> > call is actually the EAPMethodTLS, or "self". Anywhere in that file you
> > see EAPMethod/parent that means the EAPMethodTLS->parent, so the phase2
> > passed in here actually shows up as parent->phase2 throughout the file.
>
> Thanks for the explanation. What's confusing me is that eap_method_tls_new()
> only appears in wireless-security.c besides eap-method-tls.*:
>
> em_tls = eap_method_tls_new (sec, connection, FALSE, secrets_only);
>
> The statement assigns FALSE to phase2 explicitly. So even though there are
> checks for phase2 in eap-method-tls.c, the variable is always FALSE, and the
> phase2 checks become kind of meaningless.

It looks like TLS phase2 was coded for but never actually enabled/finished
because at the time I think there may have been questions about whether it
was really a valid configuration. But I think the phase2 support will never
get called, as you suggest. We could enable it though; I'd be happy to take
patches to do so since I've had a few questions about it.

Dan

> > It could be clearer if these were actually GObjects I suppose, since
> > that's a standard understandable mechanism, instead of the pseudo-object
> > stuff that I wrote here long ago.
> >
> >> 2) In what condition will EAP-TLS be used as "Phase 2"?
> >> I googled related documents but only found the Phase 2 auth
> >> methods for PEAP and TTLS.
> >
> > TTLS-TLS is a valid method: TTLS for the outer tunnel, and TLS for the
> > inner tunnel. I've also heard that PEAP-TLS is used though that's a
> > pretty pointless setup. Basically, TLS is a valid inner tunnel (ie,
> > "phase2" method).
>
> Ah, then that makes sense, though TTLS-TLS/PEAP-TLS seems too
> complicated for a normal user :-p
>
> Gary Lin
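The pseudo-object scheme Dan describes, as an added C example that is not network-manager-applet's own code: the struct layout, the stand-in eap_method_init() signature and the "eap"/"phase2-auth" key choice are assumptions, used only to show how the phase2 argument to eap_method_tls_new() surfaces as parent->phase2 and why the phase2 branch is dead when every caller passes FALSE.

```c
/* Added example, not the applet's own code: minimal model of the plain-C
 * "object" scheme. Layout, helper signatures and key names are assumptions. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Base "class": a plain C struct, not a GObject. */
typedef struct {
    bool phase2;        /* true when the method is the inner (phase 2) method */
    bool secrets_only;
} EAPMethod;

/* "Subclass": the parent is the first member, so an EAPMethodTLS pointer is
 * also a valid EAPMethod pointer; parent->phase2 is the flag given to _new(). */
typedef struct {
    EAPMethod parent;
    const char *ca_cert;   /* TLS-specific field (placeholder) */
} EAPMethodTLS;

/* Stand-in for eap_method_init(): allocates an object of the subclass size
 * and fills in the shared base fields, including phase2. */
static EAPMethod *
eap_method_init(size_t obj_size, bool phase2, bool secrets_only)
{
    EAPMethod *m = calloc(1, obj_size);
    if (!m)
        return NULL;
    m->phase2 = phase2;
    m->secrets_only = secrets_only;
    return m;
}

/* The "self" returned from eap_method_init() is really the EAPMethodTLS. */
EAPMethodTLS *
eap_method_tls_new(bool phase2, bool secrets_only)
{
    return (EAPMethodTLS *) eap_method_init(sizeof(EAPMethodTLS),
                                            phase2, secrets_only);
}

/* A phase2 check of the kind found throughout eap-method-tls.c: the inner
 * branch is only reachable if some caller passes phase2 == true, which the
 * single call in wireless-security.c (FALSE) never does. */
const char *
eap_method_tls_setting_key(EAPMethodTLS *self)
{
    EAPMethod *parent = &self->parent;
    return parent->phase2 ? "phase2-auth" : "eap";
}
```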
