#include "pt_tls.h"
#include <utils/debug.h>
-
+#include <pen/pen.h>
/**
* Described in header.
*/
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
+ENUM(pt_tls_message_type_names, PT_TLS_EXPERIMENTAL, PT_TLS_ERROR,
+ "Experimental",
+ "Version Request",
+ "Version Response",
+ "SASL Mechanisms",
+ "SASL Mechanism Selection",
+ "SASL Authentication Data",
+ "SASL Result",
+ "PB-TNC Batch",
+ "PT-TLS Error"
+);
+
+ENUM(pt_tls_sasl_result_names, PT_TLS_SASL_RESULT_SUCCESS,
+ PT_TLS_SASL_RESULT_MECH_FAILURE,
+ "Success",
+ "Failure",
+ "Abort",
+ "Mechanism Failure"
+);
+
/**
* Read a chunk of data from TLS, returning a reader for it
*/
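Review bot: The two name tables only stay correct while their string order tracks the enumerator values they are declared against (PT_TLS_ERROR = 8 and PT_TLS_SASL_RESULT_MECH_FAILURE = 3 in the header hunks below), and nothing in this hunk records that coupling for whoever next adds a message type or result code. A short comment above each table would do, e.g. `/* one string per enumerator of the PT-TLS message type enum in pt_tls.h, in value order */` and the same for the SASL result codes. Unless the ENUM macro verifies the entry count at compile time (I could not confirm that from here), a table that falls behind its enum silently prints a wrong or missing name rather than failing the build.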
DBG1(DBG_TNC, "received short PT-TLS header (%d bytes)", len);
return NULL;
}
+
+ if (*vendor == PEN_IETF)
+ {
+ DBG2(DBG_TNC, "received PT-TLS message #%d of type '%N' (%d bytes)",
+ *identifier, pt_tls_message_type_names, *type, len);
+ }
+ else
+ {
+ DBG2(DBG_TNC, "received PT-TLS message #%d of unknown type "
+ "0x%06x/0x%08x (%d bytes)",
+ *identifier, *vendor, *type, len);
+ }
+
return read_tls(tls, len - PT_TLS_HEADER_LEN);
}
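Review bot: Both new DBG2 calls print `*identifier` and `len` with `%d`, but these come from the 32-bit unsigned type, length and identifier fields of the PT-TLS header (parsed above this hunk; the enclosing function starts outside it), so a value at or above 2^31 is logged as a negative number; `%u` matches, e.g. `"received PT-TLS message #%u of type '%N' (%u bytes)"`, though the pre-existing short-header message on the first context line uses `%d` too, so change both or neither for consistency. The IETF branch also hands any `*type` to `%N` without a range check; as far as I know the enum printf hook renders values beyond PT_TLS_ERROR numerically, but a one-line comment such as `/* out-of-range IETF types are printed numerically by %N */` would save the next reader that check.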
header->write_data(header, data);
writer->destroy(writer);
+ DBG2(DBG_TNC, "sending PT-TLS message #%d of type '%N' (%d bytes)",
+ identifier, pt_tls_message_type_names, type, len);
+
data = header->get_buf(header);
len = tls->write(tls, data.ptr, data.len);
header->destroy(header);
PT_TLS_ERROR = 8,
};
+extern enum_name_t *pt_tls_message_type_names;
+
/**
* Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT
*/
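Review bot: The new `extern enum_name_t *pt_tls_message_type_names;` declaration has no doc comment, while every other declaration visible in this header carries a `/** ... */` block; the same applies to `pt_tls_sasl_result_names` in the next hunk. Add a one-liner above each, e.g. `/** Enum names for the PT-TLS message type enum above */` and `/** Enum names for the SASL result code enum above */`, so the tables are documented alongside the enums whose values index them.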
PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
};
+extern enum_name_t *pt_tls_sasl_result_names;
+
/**
* Client authentication to require as PT-TLS server.
*/
reader->destroy(reader);
return FAILED;
}
+ DBG1(DBG_TNC, "received SASL %N result",
+ pt_tls_sasl_result_names, result);
+
switch (result)
{
case PT_TLS_SASL_RESULT_ABORT:
- DBG1(DBG_TNC, "received SASL abort result");
reader->destroy(reader);
return FAILED;
case PT_TLS_SASL_RESULT_SUCCESS:
- DBG1(DBG_TNC, "received SASL success result");
switch (sasl->process(sasl, reader->peek(reader)))
{
case SUCCESS:
break;
case PT_TLS_SASL_RESULT_MECH_FAILURE:
case PT_TLS_SASL_RESULT_FAILURE:
- DBG1(DBG_TNC, "received SASL failure result");
/* non-fatal failure, try again */
reader->destroy(reader);
return NEED_MORE;
switch (this->state)
{
case PT_TLS_SERVER_VERSION:
+ DBG1(DBG_TNC, "entering PT-TLS negotiation phase");
if (!negotiate_version(this))
{
return FAILED;
this->state = PT_TLS_SERVER_AUTH;
/* fall through to next state */
case PT_TLS_SERVER_AUTH:
+ DBG1(DBG_TNC, "doing SASL client authentication");
if (!authenticate(this))
{
return FAILED;
this->state = PT_TLS_SERVER_TNCCS;
break;
case PT_TLS_SERVER_TNCCS:
+ DBG1(DBG_TNC, "entering PT-TLS data transport phase");
if (!assess(this, (tls_t*)this->tnccs))
{
return FAILED;