-rw-r--r-- | src/libpttls/pt_tls.c | 38 | ||||
-rw-r--r-- | src/libpttls/pt_tls.h | 4 | ||||
-rw-r--r-- | src/libpttls/pt_tls_client.c | 6 | ||||
-rw-r--r-- | src/libpttls/pt_tls_server.c | 3 |
4 files changed, 47 insertions, 4 deletions
diff --git a/src/libpttls/pt_tls.c b/src/libpttls/pt_tls.c
index 034bf6c50..b59ef7c89 100644
--- a/src/libpttls/pt_tls.c
+++ b/src/libpttls/pt_tls.c
@@ -16,7 +16,7 @@
 #include "pt_tls.h"
 #include <utils/debug.h>
-
+#include <pen/pen.h>
 /**
 * Described in header.
 */
@@ -42,6 +42,26 @@ void libpttls_init(void)
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
+ENUM(pt_tls_message_type_names, PT_TLS_EXPERIMENTAL, PT_TLS_ERROR,
+ "Experimental",
+ "Version Request",
+ "Version Response",
+ "SASL Mechanisms",
+ "SASL Mechanism Selection",
+ "SASL Authentication Data",
+ "SASL Result",
+ "PB-TNC Batch",
+ "PT-TLS Error"
+);
+
+ENUM(pt_tls_sasl_result_names, PT_TLS_SASL_RESULT_SUCCESS,
+ PT_TLS_SASL_RESULT_MECH_FAILURE,
+ "Success",
+ "Failure",
+ "Abort",
+ "Mechanism Failure"
+);
+
 /**
 * Read a chunk of data from TLS, returning a reader for it
 */
@@ -95,6 +115,19 @@ bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
 DBG1(DBG_TNC, "received short PT-TLS header (%d bytes)", len);
 return NULL;
 }
+
+ if (*vendor == PEN_IETF)
+ {
+ DBG2(DBG_TNC, "received PT-TLS message #%d of type '%N' (%d bytes)",
+ *identifier, pt_tls_message_type_names, *type, len);
+ }
+ else
+ {
+ DBG2(DBG_TNC, "received PT-TLS message #%d of unknown type "
+ "0x%06x/0x%08x (%d bytes)",
+ *identifier, *vendor, *type, len);
+ }
+
 return read_tls(tls, len - PT_TLS_HEADER_LEN);
 }
@@ -120,6 +153,9 @@ bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
 header->write_data(header, data);
 writer->destroy(writer);
+ DBG2(DBG_TNC, "sending PT-TLS message #%d of type '%N' (%d bytes)",
+ identifier, pt_tls_message_type_names, type, len);
+
 data = header->get_buf(header);
 len = tls->write(tls, data.ptr, data.len);
 header->destroy(header);
diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h
index 0f1f124a8..f7ea75b27 100644
--- a/src/libpttls/pt_tls.h
+++ b/src/libpttls/pt_tls.h
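Review bot: The two new DBG2 calls in pt_tls_read print `*identifier`, `*vendor`, `*type` and `len` with `%d`, although the visible part of the signature declares `vendor` as `u_int32_t *` (the other out-parameters are presumably the same type; their declarations start outside the hunk), so `%u` is the matching conversion and the pre-existing `DBG1(... "(%d bytes)", len)` just above shares the mismatch. Both `*type` and `*vendor` are taken straight from the peer's header, so the `%N` rendering in the PEN_IETF branch relies on the enum printf hook falling back gracefully for a type outside PT_TLS_EXPERIMENTAL..PT_TLS_ERROR — presumably it does, but it is worth confirming since this is the first place a malformed header becomes visible in the log. Suggested format: `"received PT-TLS message #%u of type '%N' (%u bytes)"`. The body of pt_tls_read continues outside the hunk at both ends.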
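Review bot: The send-side DBG2 in pt_tls_write always renders `type` through `pt_tls_message_type_names`, whereas the receive side added in the same commit only does so when the vendor is PEN_IETF and otherwise prints the raw vendor/type pair. If pt_tls_write also takes a vendor id (its parameter list starts outside the hunk), a vendor-specific message would be logged under an IETF name; mirroring the read side with `if (vendor == PEN_IETF)` around the DBG2 would keep the two log lines consistent. The `len` printed here is whatever `len` holds before the `len = tls->write(...)` assignment on the line below — presumably the total message length computed earlier in the function, which is outside the hunk, so a quick check that it is not a stale value from a previous step would be prudent.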
@@ -61,6 +61,8 @@ enum pt_tls_message_type_t {
 PT_TLS_ERROR = 8,
 };
+extern enum_name_t *pt_tls_message_type_names;
+
 /**
 * Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT
 */
@@ -71,6 +73,8 @@ enum pt_tls_sasl_result_t {
 PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
 };
+extern enum_name_t *pt_tls_sasl_result_names;
+
 /**
 * Client authentication to require as PT-TLS server.
 */
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
index 76dd5ee44..6df32356b 100644
--- a/src/libpttls/pt_tls_client.c
+++ b/src/libpttls/pt_tls_client.c
@@ -203,14 +203,15 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
 reader->destroy(reader);
 return FAILED;
 }
+ DBG1(DBG_TNC, "received SASL %N result",
+ pt_tls_sasl_result_names, result);
+
 switch (result)
 {
 case PT_TLS_SASL_RESULT_ABORT:
- DBG1(DBG_TNC, "received SASL abort result");
 reader->destroy(reader);
 return FAILED;
 case PT_TLS_SASL_RESULT_SUCCESS:
- DBG1(DBG_TNC, "received SASL success result");
 switch (sasl->process(sasl, reader->peek(reader)))
 {
 case SUCCESS:
@@ -226,7 +227,6 @@ static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
 break;
 case PT_TLS_SASL_RESULT_MECH_FAILURE:
 case PT_TLS_SASL_RESULT_FAILURE:
- DBG1(DBG_TNC, "received SASL failure result");
 /* non-fatal failure, try again */
 reader->destroy(reader);
 return NEED_MORE;
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
index 2796e0dd0..33d97152b 100644
--- a/src/libpttls/pt_tls_server.c
+++ b/src/libpttls/pt_tls_server.c
@@ -472,6 +472,7 @@ METHOD(pt_tls_server_t, handle, status_t,
 switch (this->state)
 {
 case PT_TLS_SERVER_VERSION:
+ DBG1(DBG_TNC, "entering PT-TLS negotiation phase");
 if (!negotiate_version(this))
 {
 return FAILED;
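Review bot: The new `extern enum_name_t *pt_tls_message_type_names;` is added without a Doxygen comment, while the neighbouring declarations in this header each carry a `/** ... */` block; the same applies to `pt_tls_sasl_result_names` in the following hunk. A one-line comment such as `/** enum names for pt_tls_message_type_t */` (and `/** enum names for pt_tls_sasl_result_t */`) above each extern would keep the header uniform and make the pairing with the enum explicit.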
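Review bot: The new DBG1 in do_sasl logs `result` through `%N` before the switch, so a value outside PT_TLS_SASL_RESULT_SUCCESS..PT_TLS_SASL_RESULT_MECH_FAILURE received from the peer is now reported via the enum printf hook's fallback instead of silently; that is an improvement, but the switch it precedes shows no `default:` within either hunk, so the out-of-range path presumably relies on a branch outside the hunk — worth confirming that branch also destroys `reader`, as every visible case does. The removed per-case messages were DBG1 as well, so overall log verbosity is unchanged. do_sasl starts and ends outside the hunks.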
@@ -480,6 +481,7 @@ METHOD(pt_tls_server_t, handle, status_t,
 this->state = PT_TLS_SERVER_AUTH;
 /* fall through to next state */
 case PT_TLS_SERVER_AUTH:
+ DBG1(DBG_TNC, "doing SASL client authentication");
 if (!authenticate(this))
 {
 return FAILED;
@@ -487,6 +489,7 @@ METHOD(pt_tls_server_t, handle, status_t,
 this->state = PT_TLS_SERVER_TNCCS;
 break;
 case PT_TLS_SERVER_TNCCS:
+ DBG1(DBG_TNC, "entering PT-TLS data transport phase");
 if (!assess(this, (tls_t*)this->tnccs))
 {
 return FAILED; |
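Review bot: The `DBG1(DBG_TNC, "entering PT-TLS data transport phase");` sits at the top of `case PT_TLS_SERVER_TNCCS:`, and the AUTH case above it hands over with `this->state = PT_TLS_SERVER_TNCCS; break;` rather than falling through, so if handle() is invoked again for each subsequent read while the state stays TNCCS (likely, but the rest of handle and its caller are outside the hunks) the "entering" message would repeat on every assess() round instead of once per connection. Logging it at the transition, i.e. immediately before `this->state = PT_TLS_SERVER_TNCCS;`, or dropping it to DBG2 inside the case, would match its wording. The negotiation and authentication messages in the preceding hunks deserve the same check if those states can be re-entered.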