Hi Samuel,

On Thu, 2011-03-24 at 17:59 +0100, Samuel Ortiz wrote:
> Hi Henri,
> 
> On Thu, Mar 17, 2011 at 05:20:45PM +0200, Henri Bragge wrote:
> > EAP credentials will be queried whenever connecting to an 802.1X network
> > unless EAP-TLS is used OR if service is provisioned via .config file.
> > 
> > Besides adding Identity field into the API, this patch also removes the
> > restriction to receive value for only one field per response. Now both
> > Identity and Passphrase can be received in one call.
> That makes sense but:
> 
> > @@ -95,6 +95,7 @@ static void 
> > request_input_passphrase_reply(DBusPendingCall *call, void *user_dat
> >  {
> >     struct request_input_reply *passphrase_reply = user_data;
> >     connman_bool_t wps = FALSE;
> > +   char *identity = NULL;
> >     char *passphrase = NULL;
> >     char *wpspin = NULL;
> >     char *key;
> > @@ -114,14 +115,25 @@ static void 
> > request_input_passphrase_reply(DBusPendingCall *call, void *user_dat
> >                     break;
> >  
> >             dbus_message_iter_get_basic(&entry, &key);
> > +
> > +           if (g_str_equal(key, "Identity")) {
> > +                   dbus_message_iter_next(&entry);
> > +                   if (dbus_message_iter_get_arg_type(&entry)
> > +                                                   != DBUS_TYPE_VARIANT)
> > +                           break;
> > +                   dbus_message_iter_recurse(&entry, &value);
> > +                   dbus_message_iter_get_basic(&value, &identity);
> > +           }
> > +
> >             if (g_str_equal(key, "Passphrase")) {
> >                     dbus_message_iter_next(&entry);
> >                     if (dbus_message_iter_get_arg_type(&entry) != 
> > DBUS_TYPE_VARIANT)
> >                             break;
> >                     dbus_message_iter_recurse(&entry, &value);
> >                     dbus_message_iter_get_basic(&value, &passphrase);
> > -                   break;
> > -           } else if (g_str_equal(key, "WPS")) {
> > +           }
> > +
> > +           if (g_str_equal(key, "WPS")) {
> >                     wps = TRUE;
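Review bot: In the new Identity branch, dbus_message_iter_get_basic(&value, &identity) is called without first checking that the variant holds a string. The reply is supplied by the agent, so a variant carrying any other type would leave identity holding something that is not a valid string pointer. Check dbus_message_iter_get_arg_type(&value) against DBUS_TYPE_STRING before reading the value, and skip or reject the entry otherwise. The Passphrase branch below has the same gap.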
> I understand why you'd want to remove the break statements here, but there is
> no need to replace the else ifs with ifs.

You are right, I will fix it.

> 
> > +                   if (service->eap == NULL)
> > +                           return -EINVAL;
> > +
> > +                   /* never request credentials if using EAP-TLS */
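Review bot: The comment on the EAP-TLS case says credentials are never requested but not why, and the reason is not evident from the surrounding lines. Expand it to state the assumption behind the check: EAP-TLS has no phase2 method, and Identity and the private key passphrase are expected to be provisioned. That tells a reader what to expect when they are not.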
> Would you mind elaborating here ?

No inner authentication (phase2 method) is used with EAP-TLS, so no
identity/passphrase is needed in that sense.

Identity is mandatory for EAP-TLS too, so it could be asked when
connecting, and so could PrivateKeyPassphrase. On the other hand, TLS
certificates are personal, so Identity and PrivateKeyPassphrase are
likely to be provisioned along with file paths etc (compared to phase2
methods where only Identity/Passphrase are personal).

So there are at least three options when connecting to an EAP-TLS network:
1) nothing will be asked (everything is provisioned)
2) Identity will be asked
3) Identity/PrivateKeyPassphrase will be asked

I chose 1), but I haven't got much input for this case so opinions are
appreciated.

- Henri

