Imported Upstream version 5.0.3

14 files changed, 2772 insertions, 0 deletions

diff --git a/src/libpttls/Makefile.am b/src/libpttls/Makefile.am
new file mode 100644
index 000000000..48123181b
--- /dev/null
+++ b/src/libpttls/Makefile.am
@@ -0,0 +1,12 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs
+
+ipseclib_LTLIBRARIES = libpttls.la
+libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libpttls_la_SOURCES = pt_tls.c pt_tls.h \
+	pt_tls_client.c pt_tls_client.h \
+	pt_tls_server.c pt_tls_server.h \
+	pt_tls_dispatcher.c pt_tls_dispatcher.h \
+	sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
+	sasl/sasl_mechanism.c sasl/sasl_mechanism.h
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
new file mode 100644
index 000000000..aec424f1a
--- /dev/null
+++ b/src/libpttls/Makefile.in
@@ -0,0 +1,660 @@
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software
+# Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+VPATH = @srcdir@
+am__make_dryrun = \
+  { \
+    am__dry=no; \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        echo 'am--echo: ; @echo "AM"  OK' | $(MAKE) -f - 2>/dev/null \
+          | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+      *) \
+        for am__flg in $$MAKEFLAGS; do \
+          case $$am__flg in \
+            *=*|--*) ;; \
+            *n*) am__dry=yes; break;; \
+          esac; \
+        done;; \
+    esac; \
+    test $$am__dry = yes; \
+  }
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libpttls
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(ipseclibdir)"
+LTLIBRARIES = $(ipseclib_LTLIBRARIES)
+libpttls_la_DEPENDENCIES = $(top_builddir)/src/libtls/libtls.la
+am_libpttls_la_OBJECTS = pt_tls.lo pt_tls_client.lo pt_tls_server.lo \
+	pt_tls_dispatcher.lo sasl_plain.lo sasl_mechanism.lo
+libpttls_la_OBJECTS = $(am_libpttls_la_OBJECTS)
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+	$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+	--mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+	$(LDFLAGS) -o $@
+SOURCES = $(libpttls_la_SOURCES)
+DIST_SOURCES = $(libpttls_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PTHREADLIB = @PTHREADLIB@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dbusservicedir = @dbusservicedir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+h_plugins = @h_plugins@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+libdir = @libdir@
+libexecdir = @libexecdir@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+maemo_CFLAGS = @maemo_CFLAGS@
+maemo_LIBS = @maemo_LIBS@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+openac_plugins = @openac_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls \
+	-I$(top_srcdir)/src/libtncif -I$(top_srcdir)/src/libtnccs
+
+ipseclib_LTLIBRARIES = libpttls.la
+libpttls_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+libpttls_la_SOURCES = pt_tls.c pt_tls.h \
+	pt_tls_client.c pt_tls_client.h \
+	pt_tls_server.c pt_tls_server.h \
+	pt_tls_dispatcher.c pt_tls_dispatcher.h \
+	sasl/sasl_plain/sasl_plain.c sasl/sasl_plain/sasl_plain.h \
+	sasl/sasl_mechanism.c sasl/sasl_mechanism.h
+
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libpttls/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libpttls/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+install-ipseclibLTLIBRARIES: $(ipseclib_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(ipseclibdir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ipseclibdir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ipseclibdir)"; \
+	}
+
+uninstall-ipseclibLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(ipseclib_LTLIBRARIES)'; test -n "$(ipseclibdir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ipseclibdir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ipseclibdir)/$$f"; \
+	done
+
+clean-ipseclibLTLIBRARIES:
+	-test -z "$(ipseclib_LTLIBRARIES)" || rm -f $(ipseclib_LTLIBRARIES)
+	@list='$(ipseclib_LTLIBRARIES)'; for p in $$list; do \
+	  dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+	  test "$$dir" != "$$p" || dir=.; \
+	  echo "rm -f \"$${dir}/so_locations\""; \
+	  rm -f "$${dir}/so_locations"; \
+	done
+libpttls.la: $(libpttls_la_OBJECTS) $(libpttls_la_DEPENDENCIES) $(EXTRA_libpttls_la_DEPENDENCIES) 
+	$(LINK) -rpath $(ipseclibdir) $(libpttls_la_OBJECTS) $(libpttls_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_client.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_dispatcher.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pt_tls_server.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_mechanism.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sasl_plain.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LTCOMPILE) -c -o $@ $<
+
+sasl_plain.lo: sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_plain.lo -MD -MP -MF $(DEPDIR)/sasl_plain.Tpo -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sasl_plain.Tpo $(DEPDIR)/sasl_plain.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sasl/sasl_plain/sasl_plain.c' object='sasl_plain.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_plain.lo `test -f 'sasl/sasl_plain/sasl_plain.c' || echo '$(srcdir)/'`sasl/sasl_plain/sasl_plain.c
+
+sasl_mechanism.lo: sasl/sasl_mechanism.c
+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sasl_mechanism.lo -MD -MP -MF $(DEPDIR)/sasl_mechanism.Tpo -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/sasl_mechanism.Tpo $(DEPDIR)/sasl_mechanism.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='sasl/sasl_mechanism.c' object='sasl_mechanism.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sasl_mechanism.lo `test -f 'sasl/sasl_mechanism.c' || echo '$(srcdir)/'`sasl/sasl_mechanism.c
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	mkid -fID $$unique
+tags: TAGS
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	set x; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: CTAGS
+CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+	      END { if (nonempty) { for (i in files) print i; }; }'`; \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
+	mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-ipseclibLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-ipseclibLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+	clean-ipseclibLTLIBRARIES clean-libtool ctags distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipseclibLTLIBRARIES install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs maintainer-clean \
+	maintainer-clean-generic mostlyclean mostlyclean-compile \
+	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
+	tags uninstall uninstall-am uninstall-ipseclibLTLIBRARIES
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libpttls/pt_tls.c b/src/libpttls/pt_tls.c
new file mode 100644
index 000000000..0fee343b8
--- /dev/null
+++ b/src/libpttls/pt_tls.c
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls.h"
+
+#include <utils/debug.h>
+
+/*
+ * PT-TNC Message format:
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |    Reserved   |           Message Type Vendor ID              |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                          Message Type                         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Message Length                        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                       Message Identifier                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                Message Value (e.g. PB-TNC Batch) . . .        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Read a chunk of data from TLS, returning a reader for it
+ */
+static bio_reader_t* read_tls(tls_socket_t *tls, size_t len)
+{
+	ssize_t got, total = 0;
+	char *buf;
+
+	buf = malloc(len);
+	while (total < len)
+	{
+		got = tls->read(tls, buf + total, len - total, TRUE);
+		if (got <= 0)
+		{
+			free(buf);
+			return NULL;
+		}
+		total += got;
+	}
+	return bio_reader_create_own(chunk_create(buf, len));
+}
+
+/**
+ * Read a PT-TLS message, return header data
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+						  u_int32_t *type, u_int32_t *identifier)
+{
+	bio_reader_t *reader;
+	u_int32_t len;
+	u_int8_t reserved;
+
+	reader = read_tls(tls, PT_TLS_HEADER_LEN);
+	if (!reader)
+	{
+		return NULL;
+	}
+	if (!reader->read_uint8(reader, &reserved) ||
+		!reader->read_uint24(reader, vendor) ||
+		!reader->read_uint32(reader, type) ||
+		!reader->read_uint32(reader, &len) ||
+		!reader->read_uint32(reader, identifier))
+	{
+		reader->destroy(reader);
+		return NULL;
+	}
+	reader->destroy(reader);
+
+	if (len < PT_TLS_HEADER_LEN)
+	{
+		DBG1(DBG_TNC, "received short PT-TLS header (%d bytes)", len);
+		return NULL;
+	}
+	return read_tls(tls, len - PT_TLS_HEADER_LEN);
+}
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+				  pt_tls_message_type_t type, u_int32_t identifier)
+{
+	bio_writer_t *header;
+	ssize_t len;
+	chunk_t data;
+
+	data =  writer->get_buf(writer);
+	len = PT_TLS_HEADER_LEN + data.len;
+	header = bio_writer_create(len);
+	header->write_uint8(header, 0);
+	header->write_uint24(header, 0);
+	header->write_uint32(header, type);
+	header->write_uint32(header, len);
+	header->write_uint32(header, identifier);
+
+	header->write_data(header, data);
+	writer->destroy(writer);
+
+	data = header->get_buf(header);
+	len = tls->write(tls, data.ptr, data.len);
+	header->destroy(header);
+
+	return len == data.len;
+}
diff --git a/src/libpttls/pt_tls.h b/src/libpttls/pt_tls.h
new file mode 100644
index 000000000..cb8bde05c
--- /dev/null
+++ b/src/libpttls/pt_tls.h
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls pt_tls
+ *
+ * @addtogroup pt_tls
+ * @{
+ */
+
+#ifndef PT_TLS_H_
+#define PT_TLS_H_
+
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <tls_socket.h>
+
+/**
+ * PT-TLS version we support
+ */
+#define PT_TLS_VERSION 1
+
+/**
+ * Length of a PT-TLS header
+ */
+#define PT_TLS_HEADER_LEN 16
+
+typedef enum pt_tls_message_type_t pt_tls_message_type_t;
+typedef enum pt_tls_sasl_result_t pt_tls_sasl_result_t;
+typedef enum pt_tls_auth_t pt_tls_auth_t;
+
+/**
+ * Message types, as defined by NEA PT-TLS
+ */
+enum pt_tls_message_type_t {
+	PT_TLS_EXPERIMENTAL = 0,
+	PT_TLS_VERSION_REQUEST = 1,
+	PT_TLS_VERSION_RESPONSE = 2,
+	PT_TLS_SASL_MECHS = 3,
+	PT_TLS_SASL_MECH_SELECTION = 4,
+	PT_TLS_SASL_AUTH_DATA = 5,
+	PT_TLS_SASL_RESULT = 6,
+	PT_TLS_PB_TNC_BATCH = 7,
+	PT_TLS_ERROR = 8,
+};
+
+/**
+ * Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT
+ */
+enum pt_tls_sasl_result_t {
+	PT_TLS_SASL_RESULT_SUCCESS = 0,
+	PT_TLS_SASL_RESULT_FAILURE = 1,
+	PT_TLS_SASL_RESULT_ABORT = 2,
+	PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
+};
+
+/**
+ * Client authentication to require as PT-TLS server.
+ */
+enum pt_tls_auth_t {
+	/** don't require TLS client certificate or request SASL authentication */
+	PT_TLS_AUTH_NONE,
+	/** require TLS certificate authentication, no SASL */
+	PT_TLS_AUTH_TLS,
+	/** do SASL regardless of TLS certificate authentication */
+	PT_TLS_AUTH_SASL,
+	/* if client does not authenticate with a TLS certificate, request SASL */
+	PT_TLS_AUTH_TLS_OR_SASL,
+	/* require both, TLS certificate authentication and SASL */
+	PT_TLS_AUTH_TLS_AND_SASL,
+};
+
+/**
+ * Read a PT-TLS message, create reader over Message Value.
+ *
+ * @param tls			TLS socket to read from
+ * @param vendor		receives Message Type Vendor ID from header
+ * @param type			receives Message Type from header
+ * @param identifier	receives Message Identifer
+ * @return				reader over message value, NULL on error
+ */
+bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
+						  u_int32_t *type, u_int32_t *identifier);
+
+/**
+ * Prepend a PT-TLS header to a writer, send data, destroy writer.
+ *
+ * @param tls			TLS socket to write to
+ * @param writer		prepared Message value to write
+ * @param type			Message Type to write
+ * @param identifier	Message Identifier to write
+ * @return				TRUE if data written successfully
+ */
+bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
+				  pt_tls_message_type_t type, u_int32_t identifier);
+
+#endif /** PT_TLS_H_ @}*/
diff --git a/src/libpttls/pt_tls_client.c b/src/libpttls/pt_tls_client.c
new file mode 100644
index 000000000..d3ac936a2
--- /dev/null
+++ b/src/libpttls/pt_tls_client.c
@@ -0,0 +1,497 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_client.h"
+#include "pt_tls.h"
+
+#include <sasl/sasl_mechanism.h>
+
+#include <tls_socket.h>
+#include <utils/debug.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_client_t private_pt_tls_client_t;
+
+/**
+ * Private data of an pt_tls_client_t object.
+ */
+struct private_pt_tls_client_t {
+
+	/**
+	 * Public pt_tls_client_t interface.
+	 */
+	pt_tls_client_t public;
+
+	/**
+	 * TLS secured socket used by PT-TLS
+	 */
+	tls_socket_t *tls;
+
+	/**
+	 * Server address/port
+	 */
+	host_t *address;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Client authentication identity
+	 */
+	identification_t *client;
+
+	/**
+	 * Current PT-TLS message identifier
+	 */
+	u_int32_t identifier;
+};
+
+/**
+ * Establish TLS secured TCP connection to TNC server
+ */
+static bool make_connection(private_pt_tls_client_t *this)
+{
+	int fd;
+
+	fd = socket(this->address->get_family(this->address), SOCK_STREAM, 0);
+	if (fd == -1)
+	{
+		DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	if (connect(fd, this->address->get_sockaddr(this->address),
+				*this->address->get_sockaddr_len(this->address)) == -1)
+	{
+		DBG1(DBG_TNC, "connecting to PT-TLS server failed: %s", strerror(errno));
+		close(fd);
+		return FALSE;
+	}
+
+	this->tls = tls_socket_create(FALSE, this->server, this->client, fd, NULL);
+	if (!this->tls)
+	{
+		close(fd);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_client_t *this)
+{
+	bio_writer_t *writer;
+	bio_reader_t *reader;
+	u_int32_t type, vendor, identifier, reserved;
+	u_int8_t version;
+
+	DBG1(DBG_TNC, "sending offer for PT-TLS version %d", PT_TLS_VERSION);
+
+	writer = bio_writer_create(4);
+	writer->write_uint8(writer, 0);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+	if (!pt_tls_write(this->tls, writer, PT_TLS_VERSION_REQUEST,
+					  this->identifier++))
+	{
+		return FALSE;
+	}
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FALSE;
+	}
+	if (vendor != 0 || type != PT_TLS_VERSION_RESPONSE ||
+		!reader->read_uint24(reader, &reserved) ||
+		!reader->read_uint8(reader, &version) ||
+		version != PT_TLS_VERSION)
+	{
+		DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+		reader->destroy(reader);
+		return FALSE;
+	}
+	reader->destroy(reader);
+	return TRUE;
+}
+
+/**
+ * Run a SASL mechanism
+ */
+static status_t do_sasl(private_pt_tls_client_t *this, sasl_mechanism_t *sasl)
+{
+	u_int32_t type, vendor, identifier;
+	u_int8_t result;
+	bio_reader_t *reader;
+	bio_writer_t *writer;
+	chunk_t data;
+
+	writer = bio_writer_create(32);
+	writer->write_data8(writer, chunk_from_str(sasl->get_name(sasl)));
+	switch (sasl->build(sasl, &data))
+	{
+		case INVALID_STATE:
+			break;
+		case NEED_MORE:
+			writer->write_data(writer, data);
+			free(data.ptr);
+			break;
+		case SUCCESS:
+			/* shouldn't happen */
+			free(data.ptr);
+			/* FALL */
+		case FAILED:
+		default:
+			writer->destroy(writer);
+			return FAILED;
+	}
+	if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_MECH_SELECTION,
+					  this->identifier++))
+	{
+		return FAILED;
+	}
+	while (TRUE)
+	{
+		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+		if (!reader)
+		{
+			return FAILED;
+		}
+		if (vendor != 0)
+		{
+			reader->destroy(reader);
+			return FAILED;
+		}
+		switch (type)
+		{
+			case PT_TLS_SASL_AUTH_DATA:
+				switch (sasl->process(sasl, reader->peek(reader)))
+				{
+					case NEED_MORE:
+						reader->destroy(reader);
+						break;
+					case SUCCESS:
+						/* should not happen, as it would come in a RESULT */
+					case FAILED:
+					default:
+						reader->destroy(reader);
+						return FAILED;
+				}
+				break;
+			case PT_TLS_SASL_RESULT:
+				if (!reader->read_uint8(reader, &result))
+				{
+					reader->destroy(reader);
+					return FAILED;
+				}
+				switch (result)
+				{
+					case PT_TLS_SASL_RESULT_ABORT:
+						DBG1(DBG_TNC, "received SASL abort result");
+						reader->destroy(reader);
+						return FAILED;
+					case PT_TLS_SASL_RESULT_SUCCESS:
+						DBG1(DBG_TNC, "received SASL success result");
+						switch (sasl->process(sasl, reader->peek(reader)))
+						{
+							case SUCCESS:
+								reader->destroy(reader);
+								return SUCCESS;
+							case NEED_MORE:
+								/* inacceptable, it won't get more. FALL */
+							case FAILED:
+							default:
+								reader->destroy(reader);
+								return FAILED;
+						}
+						break;
+					case PT_TLS_SASL_RESULT_MECH_FAILURE:
+					case PT_TLS_SASL_RESULT_FAILURE:
+						DBG1(DBG_TNC, "received SASL failure result");
+						/* non-fatal failure, try again */
+						reader->destroy(reader);
+						return NEED_MORE;
+				}
+				/* fall-through */
+			default:
+				reader->destroy(reader);
+				return FAILED;
+		}
+
+		writer = bio_writer_create(32);
+		switch (sasl->build(sasl, &data))
+		{
+			case INVALID_STATE:
+				break;
+			case SUCCESS:
+				/* shoudln't happen, continue until we get a result */
+			case NEED_MORE:
+				writer->write_data(writer, data);
+				free(data.ptr);
+				break;
+			case FAILED:
+			default:
+				writer->destroy(writer);
+				return FAILED;
+		}
+		if (!pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
+						  this->identifier++))
+		{
+			return FAILED;
+		}
+	}
+}
+
+/**
+ * Read SASL mechanism list, select and run mechanism
+ */
+static status_t select_and_do_sasl(private_pt_tls_client_t *this)
+{
+	bio_reader_t *reader;
+	sasl_mechanism_t *sasl = NULL;
+	u_int32_t type, vendor, identifier;
+	u_int8_t len;
+	chunk_t chunk;
+	char buf[21];
+	status_t status = NEED_MORE;
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FAILED;
+	}
+	if (vendor != 0 || type != PT_TLS_SASL_MECHS)
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	if (!reader->remaining(reader))
+	{	/* mechanism list empty, SASL completed */
+		DBG1(DBG_TNC, "PT-TLS authentication complete");
+		reader->destroy(reader);
+		return SUCCESS;
+	}
+	while (reader->remaining(reader))
+	{
+		if (!reader->read_uint8(reader, &len) ||
+			!reader->read_data(reader, len & 0x1F, &chunk))
+		{
+			reader->destroy(reader);
+			return FAILED;
+		}
+		snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr);
+		sasl = sasl_mechanism_create(buf, this->client);
+		if (sasl)
+		{
+			break;
+		}
+	}
+	reader->destroy(reader);
+
+	if (!sasl)
+	{
+		/* TODO: send PT-TLS error (5) */
+		return FAILED;
+	}
+	while (status == NEED_MORE)
+	{
+		status = do_sasl(this, sasl);
+	}
+	sasl->destroy(sasl);
+	if (status == SUCCESS)
+	{	/* continue until we receive empty SASL mechanism list */
+		return NEED_MORE;
+	}
+	return FAILED;
+}
+
+/**
+ * Authenticate session using SASL
+ */
+static bool authenticate(private_pt_tls_client_t *this)
+{
+	while (TRUE)
+	{
+		switch (select_and_do_sasl(this))
+		{
+			case NEED_MORE:
+				continue;
+			case SUCCESS:
+				return TRUE;
+			case FAILED:
+			default:
+				return FALSE;
+		}
+	}
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_client_t *this, tls_t *tnccs)
+{
+	while (TRUE)
+	{
+		bio_writer_t *writer;
+		bio_reader_t *reader;
+		u_int32_t vendor, type, identifier;
+		chunk_t data;
+
+		writer = bio_writer_create(32);
+		while (TRUE)
+		{
+			char buf[2048];
+			size_t buflen, msglen;
+
+			buflen = sizeof(buf);
+			switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+			{
+				case SUCCESS:
+					writer->destroy(writer);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					writer->destroy(writer);
+					return FALSE;
+				case INVALID_STATE:
+					writer->destroy(writer);
+					break;
+				case NEED_MORE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					continue;
+				case ALREADY_DONE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+									  this->identifier++))
+					{
+						return FALSE;
+					}
+					writer = bio_writer_create(32);
+					continue;
+			}
+			break;
+		}
+
+		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+		if (!reader)
+		{
+			return FALSE;
+		}
+		if (vendor == 0)
+		{
+			if (type == PT_TLS_ERROR)
+			{
+				DBG1(DBG_TNC, "received PT-TLS error");
+				reader->destroy(reader);
+				return FALSE;
+			}
+			if (type != PT_TLS_PB_TNC_BATCH)
+			{
+				DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+				reader->destroy(reader);
+				return FALSE;
+			}
+			data = reader->peek(reader);
+			switch (tnccs->process(tnccs, data.ptr, data.len))
+			{
+				case SUCCESS:
+					reader->destroy(reader);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					reader->destroy(reader);
+					return FALSE;
+				case NEED_MORE:
+					break;
+			}
+		}
+		else
+		{
+			DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+		}
+		reader->destroy(reader);
+	}
+}
+
+METHOD(pt_tls_client_t, run_assessment, status_t,
+	private_pt_tls_client_t *this, tnccs_t *tnccs)
+{
+	if (!this->tls)
+	{
+		if (!make_connection(this))
+		{
+			return FAILED;
+		}
+	}
+	if (!negotiate_version(this))
+	{
+		return FAILED;
+	}
+	if (!authenticate(this))
+	{
+		return FAILED;
+	}
+	if (!assess(this, (tls_t*)tnccs))
+	{
+		return FAILED;
+	}
+	return SUCCESS;
+}
+
+
+METHOD(pt_tls_client_t, destroy, void,
+	private_pt_tls_client_t *this)
+{
+	if (this->tls)
+	{
+		int fd;
+
+		fd = this->tls->get_fd(this->tls);
+		this->tls->destroy(this->tls);
+		close(fd);
+	}
+	this->address->destroy(this->address);
+	this->server->destroy(this->server);
+	this->client->destroy(this->client);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server,
+									  identification_t *client)
+{
+	private_pt_tls_client_t *this;
+
+	INIT(this,
+		.public = {
+			.run_assessment = _run_assessment,
+			.destroy = _destroy,
+		},
+		.address = address,
+		.server = server,
+		.client = client,
+	);
+
+	return &this->public;
+}
diff --git a/src/libpttls/pt_tls_client.h b/src/libpttls/pt_tls_client.h
new file mode 100644
index 000000000..1d418d181
--- /dev/null
+++ b/src/libpttls/pt_tls_client.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_client pt_tls_client
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_CLIENT_H_
+#define PT_TLS_CLIENT_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+typedef struct pt_tls_client_t pt_tls_client_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport client.
+ */
+struct pt_tls_client_t {
+
+	/**
+	 * Perform an assessment.
+	 *
+	 * @param tnccs		upper layer TNC client used for assessment
+	 * @return			status of assessment
+	 */
+	status_t (*run_assessment)(pt_tls_client_t *this, tnccs_t *tnccs);
+
+	/**
+	 * Destroy a pt_tls_client_t.
+	 */
+	void (*destroy)(pt_tls_client_t *this);
+};
+
+/**
+ * Create a pt_tls_client instance.
+ *
+ * The client identity is used for:
+ * - TLS authentication if an appropirate certificate is found
+ * - SASL authentication if requested from the server
+ *
+ * @param address		address/port to run assessments against, gets owned
+ * @param server		server identity to use for authentication, gets owned
+ * @param client		client identity to use for authentication, gets owned
+ * @return				PT-TLS context
+ */
+pt_tls_client_t *pt_tls_client_create(host_t *address, identification_t *server,
+									  identification_t *client);
+
+#endif /** PT_TLS_CLIENT_H_ @}*/
diff --git a/src/libpttls/pt_tls_dispatcher.c b/src/libpttls/pt_tls_dispatcher.c
new file mode 100644
index 000000000..469951616
--- /dev/null
+++ b/src/libpttls/pt_tls_dispatcher.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_dispatcher.h"
+#include "pt_tls_server.h"
+
+#include <threading/thread.h>
+#include <utils/debug.h>
+#include <processing/jobs/callback_job.h>
+
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+typedef struct private_pt_tls_dispatcher_t private_pt_tls_dispatcher_t;
+
+/**
+ * Private data of an pt_tls_dispatcher_t object.
+ */
+struct private_pt_tls_dispatcher_t {
+
+	/**
+	 * Public pt_tls_dispatcher_t interface.
+	 */
+	pt_tls_dispatcher_t public;
+
+	/**
+	 * Listening socket
+	 */
+	int fd;
+
+	/**
+	 * Client authentication requirements
+	 */
+	pt_tls_auth_t auth;
+
+	/**
+	 * Server identity
+	 */
+	identification_t *server;
+
+	/**
+	 * Peer identity
+	 */
+	identification_t *peer;
+
+	/**
+	 * TNCCS protocol handler constructor
+	 */
+	pt_tls_tnccs_constructor_t *create;
+};
+
+/**
+ * Open listening server socket
+ */
+static bool open_socket(private_pt_tls_dispatcher_t *this, host_t *host)
+{
+	this->fd = socket(AF_INET, SOCK_STREAM, 0);
+	if (this->fd == -1)
+	{
+		DBG1(DBG_TNC, "opening PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	if (bind(this->fd, host->get_sockaddr(host),
+			 *host->get_sockaddr_len(host)) == -1)
+	{
+		DBG1(DBG_TNC, "binding to PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	if (listen(this->fd, 5) == -1)
+	{
+		DBG1(DBG_TNC, "listen on PT-TLS socket failed: %s", strerror(errno));
+		return FALSE;
+	}
+	return TRUE;
+}
+
+/**
+ * Handle a single PT-TLS client connection
+ */
+static job_requeue_t handle(pt_tls_server_t *connection)
+{
+	while (TRUE)
+	{
+		switch (connection->handle(connection))
+		{
+			case NEED_MORE:
+				continue;
+			case FAILED:
+			case SUCCESS:
+			default:
+				break;
+		}
+		break;
+	}
+	return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Clean up connection state
+ */
+static void cleanup(pt_tls_server_t *connection)
+{
+	int fd;
+
+	fd = connection->get_fd(connection);
+	connection->destroy(connection);
+	close(fd);
+}
+
+METHOD(pt_tls_dispatcher_t, dispatch, void,
+	private_pt_tls_dispatcher_t *this,
+	pt_tls_tnccs_constructor_t *create)
+{
+	while (TRUE)
+	{
+		pt_tls_server_t *connection;
+		tnccs_t *tnccs;
+		bool old;
+		int fd;
+
+		old = thread_cancelability(TRUE);
+		fd = accept(this->fd, NULL, NULL);
+		thread_cancelability(old);
+		if (fd == -1)
+		{
+			DBG1(DBG_TNC, "accepting PT-TLS failed: %s", strerror(errno));
+			continue;
+		}
+
+		tnccs = create(this->server, this->peer);
+		if (!tnccs)
+		{
+			close(fd);
+			continue;
+		}
+		connection = pt_tls_server_create(this->server, fd, this->auth, tnccs);
+		if (!connection)
+		{
+			close(fd);
+			continue;
+		}
+		lib->processor->queue_job(lib->processor,
+				(job_t*)callback_job_create_with_prio((callback_job_cb_t)handle,
+										connection, (void*)cleanup,
+										(callback_job_cancel_t)return_false,
+										JOB_PRIO_CRITICAL));
+	}
+}
+
+METHOD(pt_tls_dispatcher_t, destroy, void,
+	private_pt_tls_dispatcher_t *this)
+{
+	if (this->fd != -1)
+	{
+		close(this->fd);
+	}
+	this->server->destroy(this->server);
+	this->peer->destroy(this->peer);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+									identification_t *id, pt_tls_auth_t auth)
+{
+	private_pt_tls_dispatcher_t *this;
+
+	INIT(this,
+		.public = {
+			.dispatch = _dispatch,
+			.destroy = _destroy,
+		},
+		.server = id,
+		/* we currently don't authenticate the peer, use %any identity */
+		.peer = identification_create_from_encoding(ID_ANY, chunk_empty),
+		.fd = -1,
+		.auth = auth,
+	);
+
+	if (!open_socket(this, address))
+	{
+		address->destroy(address);
+		destroy(this);
+		return NULL;
+	}
+	address->destroy(address);
+
+	return &this->public;
+}
diff --git a/src/libpttls/pt_tls_dispatcher.h b/src/libpttls/pt_tls_dispatcher.h
new file mode 100644
index 000000000..080197263
--- /dev/null
+++ b/src/libpttls/pt_tls_dispatcher.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_dispatcher pt_tls_dispatcher
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_DISPATCHER_H_
+#define PT_TLS_DISPATCHER_H_
+
+#include <networking/host.h>
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "pt_tls.h"
+
+typedef struct pt_tls_dispatcher_t pt_tls_dispatcher_t;
+
+/**
+ * Constructor callback to create TNCCS to use within PT-TLS.
+ *
+ * @param server			server identity
+ * @param peer				peer identity
+ */
+typedef tnccs_t* (pt_tls_tnccs_constructor_t)(identification_t *server,
+											  identification_t *peer);
+
+/**
+ * PT-TLS dispatcher service, handles PT-TLS connections as a server.
+ */
+struct pt_tls_dispatcher_t {
+
+	/**
+	 * Dispatch and handle PT-TLS connections.
+	 *
+	 * This call is blocking and a thread cancellation point. The passed
+	 * constructor gets called for each dispatched connection.
+	 *
+	 * @param create		TNCCS constructor function to use
+	 */
+	void (*dispatch)(pt_tls_dispatcher_t *this,
+					 pt_tls_tnccs_constructor_t *create);
+
+	/**
+	 * Destroy a pt_tls_dispatcher_t.
+	 */
+	void (*destroy)(pt_tls_dispatcher_t *this);
+};
+
+/**
+ * Create a pt_tls_dispatcher instance.
+ *
+ * @param address		server address with port to listen on, gets owned
+ * @param id			TLS server identity, gets owned
+ * @param auth			client authentication to perform
+ * @return				dispatcher service
+ */
+pt_tls_dispatcher_t *pt_tls_dispatcher_create(host_t *address,
+									identification_t *id, pt_tls_auth_t auth);
+
+#endif /** PT_TLS_DISPATCHER_H_ @}*/
diff --git a/src/libpttls/pt_tls_server.c b/src/libpttls/pt_tls_server.c
new file mode 100644
index 000000000..3e134f0dd
--- /dev/null
+++ b/src/libpttls/pt_tls_server.c
@@ -0,0 +1,544 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pt_tls_server.h"
+
+#include <sasl/sasl_mechanism.h>
+
+#include <utils/debug.h>
+
+typedef struct private_pt_tls_server_t private_pt_tls_server_t;
+
+/**
+ * Private data of an pt_tls_server_t object.
+ */
+struct private_pt_tls_server_t {
+
+	/**
+	 * Public pt_tls_server_t interface.
+	 */
+	pt_tls_server_t public;
+
+	/**
+	 * TLS protected socket
+	 */
+	tls_socket_t *tls;
+
+	/**
+	 * Client authentication requirements
+	 */
+	pt_tls_auth_t auth;
+
+	enum {
+		/* expecting version negotiation */
+		PT_TLS_SERVER_VERSION,
+		/* expecting an SASL exchange */
+		PT_TLS_SERVER_AUTH,
+		/* expecting TNCCS exchange */
+		PT_TLS_SERVER_TNCCS,
+		/* terminating state */
+		PT_TLS_SERVER_END,
+	} state;
+
+	/**
+	 * Message Identifier
+	 */
+	u_int32_t identifier;
+
+	/**
+	 * TNCCS protocol handler, implemented as tls_t
+	 */
+	tls_t *tnccs;
+};
+
+/**
+ * Negotiate PT-TLS version
+ */
+static bool negotiate_version(private_pt_tls_server_t *this)
+{
+	bio_reader_t *reader;
+	bio_writer_t *writer;
+	u_int32_t vendor, type, identifier;
+	u_int8_t reserved, vmin, vmax, vpref;
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FALSE;
+	}
+	if (vendor != 0 || type != PT_TLS_VERSION_REQUEST ||
+		!reader->read_uint8(reader, &reserved) ||
+		!reader->read_uint8(reader, &vmin) ||
+		!reader->read_uint8(reader, &vmax) ||
+		!reader->read_uint8(reader, &vpref))
+	{
+		DBG1(DBG_TNC, "PT-TLS version negotiation failed");
+		reader->destroy(reader);
+		return FALSE;
+	}
+	reader->destroy(reader);
+
+	if (vmin > PT_TLS_VERSION || vmax < PT_TLS_VERSION)
+	{
+		/* TODO: send error */
+		return FALSE;
+	}
+
+	writer = bio_writer_create(4);
+	writer->write_uint24(writer, 0);
+	writer->write_uint8(writer, PT_TLS_VERSION);
+
+	return pt_tls_write(this->tls, writer, PT_TLS_VERSION_RESPONSE,
+						this->identifier++);
+}
+
+/**
+ * Process SASL data, send result
+ */
+static status_t process_sasl(private_pt_tls_server_t *this,
+							 sasl_mechanism_t *sasl, chunk_t data)
+{
+	bio_writer_t *writer;
+
+	switch (sasl->process(sasl, data))
+	{
+		case NEED_MORE:
+			return NEED_MORE;
+		case SUCCESS:
+			DBG1(DBG_TNC, "SASL %s authentication successful",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1);
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
+			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+							 this->identifier++))
+			{
+				return SUCCESS;
+			}
+			return FAILED;
+		case FAILED:
+		default:
+			DBG1(DBG_TNC, "SASL %s authentication failed",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1);
+			/* sending abort does not allow the client to retry */
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
+			pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+						 this->identifier++);
+			return FAILED;
+	}
+}
+
+/**
+ * Read a SASL message and process it
+ */
+static status_t read_sasl(private_pt_tls_server_t *this,
+						  sasl_mechanism_t *sasl)
+{
+	u_int32_t vendor, type, identifier;
+	bio_reader_t *reader;
+	status_t status;
+	chunk_t data;
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FAILED;
+	}
+	if (vendor != 0 || type != PT_TLS_SASL_AUTH_DATA ||
+		!reader->read_data(reader, reader->remaining(reader), &data))
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	status = process_sasl(this, sasl, data);
+	reader->destroy(reader);
+	return status;
+}
+
+/**
+ * Build and write SASL message, or result message
+ */
+static status_t write_sasl(private_pt_tls_server_t *this,
+						   sasl_mechanism_t *sasl)
+{
+	bio_writer_t *writer;
+	chunk_t chunk;
+
+	switch (sasl->build(sasl, &chunk))
+	{
+		case NEED_MORE:
+			writer = bio_writer_create(chunk.len);
+			writer->write_data(writer, chunk);
+			free(chunk.ptr);
+			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_AUTH_DATA,
+							 this->identifier++))
+			{
+				return NEED_MORE;
+			}
+			return FAILED;
+		case SUCCESS:
+			DBG1(DBG_TNC, "SASL %s authentication successful",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1 + chunk.len);
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_SUCCESS);
+			writer->write_data(writer, chunk);
+			free(chunk.ptr);
+			if (pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+							 this->identifier++))
+			{
+				return SUCCESS;
+			}
+			return FAILED;
+		case FAILED:
+		default:
+			DBG1(DBG_TNC, "SASL %s authentication failed",
+				 sasl->get_name(sasl));
+			writer = bio_writer_create(1);
+			/* sending abort does not allow the client to retry */
+			writer->write_uint8(writer, PT_TLS_SASL_RESULT_ABORT);
+			pt_tls_write(this->tls, writer, PT_TLS_SASL_RESULT,
+						 this->identifier++);
+			return FAILED;
+	}
+}
+
+/**
+ * Send the list of supported SASL mechanisms
+ */
+static bool send_sasl_mechs(private_pt_tls_server_t *this)
+{
+	enumerator_t *enumerator;
+	bio_writer_t *writer = NULL;
+	char *name;
+
+	enumerator = sasl_mechanism_create_enumerator(TRUE);
+	while (enumerator->enumerate(enumerator, &name))
+	{
+		if (!writer)
+		{
+			writer = bio_writer_create(32);
+		}
+		DBG1(DBG_TNC, "offering SASL %s", name);
+		writer->write_data8(writer, chunk_from_str(name));
+	}
+	enumerator->destroy(enumerator);
+
+	if (!writer)
+	{	/* no mechanisms available? */
+		return FALSE;
+	}
+	return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
+						this->identifier++);
+}
+
+/**
+ * Read the selected SASL mechanism, and process piggybacked data
+ */
+static status_t read_sasl_mech_selection(private_pt_tls_server_t *this,
+										 sasl_mechanism_t **out)
+{
+	u_int32_t vendor, type, identifier;
+	sasl_mechanism_t *sasl;
+	bio_reader_t *reader;
+	chunk_t chunk;
+	u_int8_t len;
+	char buf[21];
+
+	reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+	if (!reader)
+	{
+		return FAILED;
+	}
+	if (vendor != 0 || type != PT_TLS_SASL_MECH_SELECTION ||
+		!reader->read_uint8(reader, &len) ||
+		!reader->read_data(reader, len & 0x1F, &chunk))
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	snprintf(buf, sizeof(buf), "%.*s", (int)chunk.len, chunk.ptr);
+
+	DBG1(DBG_TNC, "client starts SASL %s authentication", buf);
+
+	sasl = sasl_mechanism_create(buf, NULL);
+	if (!sasl)
+	{
+		reader->destroy(reader);
+		return FAILED;
+	}
+	/* initial SASL data piggybacked? */
+	if (reader->remaining(reader))
+	{
+		switch (process_sasl(this, sasl, reader->peek(reader)))
+		{
+			case NEED_MORE:
+				break;
+			case SUCCESS:
+				reader->destroy(reader);
+				*out = sasl;
+				return SUCCESS;
+			case FAILED:
+			default:
+				reader->destroy(reader);
+				sasl->destroy(sasl);
+				return FAILED;
+		}
+	}
+	reader->destroy(reader);
+	*out = sasl;
+	return NEED_MORE;
+}
+
+/**
+ * Do a single SASL exchange
+ */
+static bool do_sasl(private_pt_tls_server_t *this)
+{
+	sasl_mechanism_t *sasl;
+	status_t status;
+
+	switch (this->auth)
+	{
+		case PT_TLS_AUTH_NONE:
+			return TRUE;
+		case PT_TLS_AUTH_TLS:
+			if (this->tls->get_peer_id(this->tls))
+			{
+				return TRUE;
+			}
+			DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+			return FALSE;
+		case PT_TLS_AUTH_SASL:
+			break;
+		case PT_TLS_AUTH_TLS_OR_SASL:
+			if (this->tls->get_peer_id(this->tls))
+			{
+				DBG1(DBG_TNC, "skipping SASL, client authenticated with TLS "
+					 "certificate");
+				return TRUE;
+			}
+			break;
+		case PT_TLS_AUTH_TLS_AND_SASL:
+		default:
+			if (!this->tls->get_peer_id(this->tls))
+			{
+				DBG1(DBG_TNC, "requiring TLS certificate client authentication");
+				return FALSE;
+			}
+			break;
+	}
+
+	if (!send_sasl_mechs(this))
+	{
+		return FALSE;
+	}
+	status = read_sasl_mech_selection(this, &sasl);
+	if (status == FAILED)
+	{
+		return FALSE;
+	}
+	while (status == NEED_MORE)
+	{
+		status = write_sasl(this, sasl);
+		if (status == NEED_MORE)
+		{
+			status = read_sasl(this, sasl);
+		}
+	}
+	sasl->destroy(sasl);
+	return status == SUCCESS;
+}
+
+/**
+ * Authenticated PT-TLS session with a single SASL method
+ */
+static bool authenticate(private_pt_tls_server_t *this)
+{
+	if (do_sasl(this))
+	{
+		/* complete SASL with emtpy mechanism list */
+		bio_writer_t *writer;
+
+		writer = bio_writer_create(0);
+		return pt_tls_write(this->tls, writer, PT_TLS_SASL_MECHS,
+							this->identifier++);
+	}
+	return FALSE;
+}
+
+/**
+ * Perform assessment
+ */
+static bool assess(private_pt_tls_server_t *this, tls_t *tnccs)
+{
+	while (TRUE)
+	{
+		bio_writer_t *writer;
+		bio_reader_t *reader;
+		u_int32_t vendor, type, identifier;
+		chunk_t data;
+
+		writer = bio_writer_create(32);
+		while (TRUE)
+		{
+			char buf[2048];
+			size_t buflen, msglen;
+
+			buflen = sizeof(buf);
+			switch (tnccs->build(tnccs, buf, &buflen, &msglen))
+			{
+				case SUCCESS:
+					writer->destroy(writer);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					writer->destroy(writer);
+					return FALSE;
+				case INVALID_STATE:
+					writer->destroy(writer);
+					break;
+				case NEED_MORE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					continue;
+				case ALREADY_DONE:
+					writer->write_data(writer, chunk_create(buf, buflen));
+					if (!pt_tls_write(this->tls, writer, PT_TLS_PB_TNC_BATCH,
+									  this->identifier++))
+					{
+						return FALSE;
+					}
+					writer = bio_writer_create(32);
+					continue;
+			}
+			break;
+		}
+
+		reader = pt_tls_read(this->tls, &vendor, &type, &identifier);
+		if (!reader)
+		{
+			return FALSE;
+		}
+		if (vendor == 0)
+		{
+			if (type == PT_TLS_ERROR)
+			{
+				DBG1(DBG_TNC, "received PT-TLS error");
+				reader->destroy(reader);
+				return FALSE;
+			}
+			if (type != PT_TLS_PB_TNC_BATCH)
+			{
+				DBG1(DBG_TNC, "unexpected PT-TLS message: %d", type);
+				reader->destroy(reader);
+				return FALSE;
+			}
+			data = reader->peek(reader);
+			switch (tnccs->process(tnccs, data.ptr, data.len))
+			{
+				case SUCCESS:
+					reader->destroy(reader);
+					return tnccs->is_complete(tnccs);
+				case FAILED:
+				default:
+					reader->destroy(reader);
+					return FALSE;
+				case NEED_MORE:
+					break;
+			}
+		}
+		else
+		{
+			DBG1(DBG_TNC, "ignoring vendor specific PT-TLS message");
+		}
+		reader->destroy(reader);
+	}
+}
+
+METHOD(pt_tls_server_t, handle, status_t,
+	private_pt_tls_server_t *this)
+{
+	switch (this->state)
+	{
+		case PT_TLS_SERVER_VERSION:
+			if (!negotiate_version(this))
+			{
+				return FAILED;
+			}
+			DBG1(DBG_TNC, "negotiated PT-TLS version %d", PT_TLS_VERSION);
+			this->state = PT_TLS_SERVER_AUTH;
+			break;
+		case PT_TLS_SERVER_AUTH:
+			if (!authenticate(this))
+			{
+				return FAILED;
+			}
+			this->state = PT_TLS_SERVER_TNCCS;
+			break;
+		case PT_TLS_SERVER_TNCCS:
+			if (!assess(this, (tls_t*)this->tnccs))
+			{
+				return FAILED;
+			}
+			this->state = PT_TLS_SERVER_END;
+			return SUCCESS;
+		default:
+			return FAILED;
+	}
+	return NEED_MORE;
+}
+
+METHOD(pt_tls_server_t, get_fd, int,
+	private_pt_tls_server_t *this)
+{
+	return this->tls->get_fd(this->tls);
+}
+
+METHOD(pt_tls_server_t, destroy, void,
+	private_pt_tls_server_t *this)
+{
+	this->tnccs->destroy(this->tnccs);
+	this->tls->destroy(this->tls);
+	free(this);
+}
+
+/**
+ * See header
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+									  pt_tls_auth_t auth, tnccs_t *tnccs)
+{
+	private_pt_tls_server_t *this;
+
+	INIT(this,
+		.public = {
+			.handle = _handle,
+			.get_fd = _get_fd,
+			.destroy = _destroy,
+		},
+		.state = PT_TLS_SERVER_VERSION,
+		.tls = tls_socket_create(TRUE, server, NULL, fd, NULL),
+		.tnccs = (tls_t*)tnccs,
+		.auth = auth,
+	);
+
+	if (!this->tls)
+	{
+		this->tnccs->destroy(this->tnccs);
+		free(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
diff --git a/src/libpttls/pt_tls_server.h b/src/libpttls/pt_tls_server.h
new file mode 100644
index 000000000..3e18aee8f
--- /dev/null
+++ b/src/libpttls/pt_tls_server.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2012 Martin Willi
+ * Copyright (C) 2012 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pt_tls_server pt_tls_server
+ * @{ @ingroup pt_tls
+ */
+
+#ifndef PT_TLS_SERVER_H_
+#define PT_TLS_SERVER_H_
+
+#include <utils/identification.h>
+
+#include <tnc/tnccs/tnccs.h>
+
+#include "pt_tls.h"
+
+typedef struct pt_tls_server_t pt_tls_server_t;
+
+/**
+ * IF-T for TLS aka PT-TLS transport server.
+ */
+struct pt_tls_server_t {
+
+	/**
+	 * Handle assessment data read from socket.
+	 *
+	 * @return
+	 *						- NEED_MORE if more exchanges required,
+	 *						- SUCCESS if assessment complete
+	 *						- FAILED if assessment failed
+	 */
+	status_t (*handle)(pt_tls_server_t *this);
+
+	/**
+	 * Get the underlying client connection socket.
+	 *
+	 * @return			socket fd, suitable to select()
+	 */
+	int (*get_fd)(pt_tls_server_t *this);
+
+	/**
+	 * Destroy a pt_tls_server_t.
+	 */
+	void (*destroy)(pt_tls_server_t *this);
+};
+
+/**
+ * Create a pt_tls_server connection instance.
+ *
+ * @param server	TLS server identity
+ * @param fd		client connection socket
+ * @param auth		client authentication requirements
+ * @param tnccs		inner TNCCS protocol handler to use for this connection
+ * @return			PT-TLS server
+ */
+pt_tls_server_t *pt_tls_server_create(identification_t *server, int fd,
+									  pt_tls_auth_t auth, tnccs_t *tnccs);
+
+#endif /** PT_TLS_SERVER_H_ @}*/
diff --git a/src/libpttls/sasl/sasl_mechanism.c b/src/libpttls/sasl/sasl_mechanism.c
new file mode 100644
index 000000000..05a02e56d
--- /dev/null
+++ b/src/libpttls/sasl/sasl_mechanism.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_mechanism.h"
+
+#include "sasl_plain/sasl_plain.h"
+
+/**
+ * Available SASL mechanisms.
+ */
+static struct {
+	char *name;
+	bool server;
+	sasl_mechanism_constructor_t create;
+} mechs[] = {
+	{ "PLAIN",		TRUE,	(sasl_mechanism_constructor_t)sasl_plain_create	},
+	{ "PLAIN",		FALSE,	(sasl_mechanism_constructor_t)sasl_plain_create	},
+};
+
+/**
+ * See header.
+ */
+sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client)
+{
+	int i;
+
+	for (i = 0; i < countof(mechs); i++)
+	{
+		if (streq(mechs[i].name, name) && mechs[i].server == (client == NULL))
+		{
+			return mechs[i].create(name, client);
+		}
+	}
+	return NULL;
+}
+
+/**
+ * SASL mechanism enumerator
+ */
+typedef struct {
+	/** implements enumerator_t */
+	enumerator_t public;
+	/** looking for client or server? */
+	bool server;
+	/** position in mechs[] */
+	int i;
+} mech_enumerator_t;
+
+METHOD(enumerator_t, mech_enumerate, bool,
+	mech_enumerator_t *this, char **name)
+{
+	while (this->i < countof(mechs))
+	{
+		if (mechs[this->i].server == this->server)
+		{
+			*name = mechs[this->i].name;
+			this->i++;
+			return TRUE;
+		}
+		this->i++;
+	}
+	return FALSE;
+}
+
+/**
+ * See header.
+ */
+enumerator_t* sasl_mechanism_create_enumerator(bool server)
+{
+	mech_enumerator_t *enumerator;
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_mech_enumerate,
+			.destroy = (void*)free,
+		},
+		.server = server,
+	);
+	return &enumerator->public;
+}
diff --git a/src/libpttls/sasl/sasl_mechanism.h b/src/libpttls/sasl/sasl_mechanism.h
new file mode 100644
index 000000000..1a23a119e
--- /dev/null
+++ b/src/libpttls/sasl/sasl_mechanism.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl_mechanism sasl_mechanism
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_MECHANISM_H_
+#define SASL_MECHANISM_H_
+
+typedef struct sasl_mechanism_t sasl_mechanism_t;
+
+#include <library.h>
+
+/**
+ * Constructor function for SASL mechansims.
+ *
+ * @param name			name of the requested SASL mechanism
+ * @param client		client identity, NULL to act as server
+ * @return				SASL mechanism, NULL on failure
+ */
+typedef sasl_mechanism_t*(*sasl_mechanism_constructor_t)(char *name,
+													identification_t *client);
+
+/**
+ * Generic interface for SASL mechanisms.
+ */
+struct sasl_mechanism_t {
+
+	/**
+	 * Get the name of this SASL mechanism.
+	 *
+	 * @return			name of SASL mechanism
+	 */
+	char* (*get_name)(sasl_mechanism_t *this);
+
+	/**
+	 * Build a SASL message to send to remote host.
+	 *
+	 * A message is returned if the return value is NEED_MORE or SUCCESS. A
+	 * client MUST NOT return SUCCESS in build(), as the final message
+	 * is always from server to client (even if it is an empty result message).
+	 *
+	 * @param message	receives allocated SASL message, to free
+	 * @return
+	 *					- FAILED if mechanism failed
+	 *					- NEED_MORE if additional exchanges required
+	 *					- INVALID_STATE if currently nothing to build
+	 *					- SUCCESS if mechanism authenticated successfully
+	 */
+	status_t (*build)(sasl_mechanism_t *this, chunk_t *message);
+
+	/**
+	 * Process a SASL message received from remote host.
+	 *
+	 * If a server returns SUCCESS during process(), an empty result message
+	 * is sent to complete the SASL exchange.
+	 *
+	 * @param message	received SASL message to process
+	 * @return
+	 *					- FAILED if mechanism failed
+	 *					- NEED_MORE if additional exchanges required
+	 *					- SUCCESS if mechanism authenticated successfully
+	 */
+	status_t (*process)(sasl_mechanism_t *this, chunk_t message);
+
+	/**
+	 * Destroy a sasl_mechanism_t.
+	 */
+	void (*destroy)(sasl_mechanism_t *this);
+};
+
+/**
+ * Create a sasl_mechanism instance.
+ *
+ * @param name			name of SASL mechanism to create
+ * @param client		client identity, NULL to act as server
+ * @return				SASL mechanism instance, NULL if not found
+ */
+sasl_mechanism_t *sasl_mechanism_create(char *name, identification_t *client);
+
+/**
+ * Create an enumerator over supported SASL mechanism names.
+ *
+ * @param server		TRUE for server instance, FALSE for client
+ * @return				enumerator over char*
+ */
+enumerator_t* sasl_mechanism_create_enumerator(bool server);
+
+#endif /** SASL_MECHANISM_H_ @}*/
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.c b/src/libpttls/sasl/sasl_plain/sasl_plain.c
new file mode 100644
index 000000000..e8d6dc80b
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.c
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "sasl_plain.h"
+
+#include <utils/debug.h>
+
+typedef struct private_sasl_plain_t private_sasl_plain_t;
+
+/**
+ * Private data of an sasl_plain_t object.
+ */
+struct private_sasl_plain_t {
+
+	/**
+	 * Public sasl_plain_t interface.
+	 */
+	sasl_plain_t public;
+
+	/**
+	 * Client identity
+	 */
+	identification_t *client;
+};
+
+METHOD(sasl_mechanism_t, get_name, char*,
+	private_sasl_plain_t *this)
+{
+	return "PLAIN";
+}
+
+METHOD(sasl_mechanism_t, build_server, status_t,
+	private_sasl_plain_t *this, chunk_t *message)
+{
+	/* gets never called */
+	return FAILED;
+}
+
+METHOD(sasl_mechanism_t, process_server, status_t,
+	private_sasl_plain_t *this, chunk_t message)
+{
+	chunk_t authz, authi, password;
+	identification_t *id;
+	shared_key_t *shared;
+	u_char *pos;
+
+	pos = memchr(message.ptr, 0, message.len);
+	if (!pos)
+	{
+		DBG1(DBG_CFG, "invalid authz encoding");
+		return FAILED;
+	}
+	authz = chunk_create(message.ptr, pos - message.ptr);
+	message = chunk_skip(message, authz.len + 1);
+	pos = memchr(message.ptr, 0, message.len);
+	if (!pos)
+	{
+		DBG1(DBG_CFG, "invalid authi encoding");
+		return FAILED;
+	}
+	authi = chunk_create(message.ptr, pos - message.ptr);
+	password = chunk_skip(message, authi.len + 1);
+	id = identification_create_from_data(authi);
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL);
+	if (!shared)
+	{
+		DBG1(DBG_CFG, "no shared secret found for '%Y'", id);
+		id->destroy(id);
+		return FAILED;
+	}
+	if (!chunk_equals(shared->get_key(shared), password))
+	{
+		DBG1(DBG_CFG, "shared secret for '%Y' does not match", id);
+		id->destroy(id);
+		shared->destroy(shared);
+		return FAILED;
+	}
+	id->destroy(id);
+	shared->destroy(shared);
+	return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, build_client, status_t,
+	private_sasl_plain_t *this, chunk_t *message)
+{
+	shared_key_t *shared;
+	chunk_t password;
+	char buf[256];
+	ssize_t len;
+
+	/* we currently use the EAP type of shared secret */
+	shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP,
+									  this->client, NULL);
+	if (!shared)
+	{
+		DBG1(DBG_CFG, "no shared secret found for %Y", this->client);
+		return FAILED;
+	}
+
+	password = shared->get_key(shared);
+	len = snprintf(buf, sizeof(buf), "%s%c%Y%c%.*s",
+				   "", 0, this->client, 0,
+				   (int)password.len, password.ptr);
+	if (len < 0 || len >= sizeof(buf))
+	{
+		return FAILED;
+	}
+	*message = chunk_clone(chunk_create(buf, len));
+	return NEED_MORE;
+}
+
+METHOD(sasl_mechanism_t, process_client, status_t,
+	private_sasl_plain_t *this, chunk_t message)
+{
+	/* if the server sends a result, authentication successful */
+	return SUCCESS;
+}
+
+METHOD(sasl_mechanism_t, destroy, void,
+	private_sasl_plain_t *this)
+{
+	DESTROY_IF(this->client);
+	free(this);
+}
+
+/**
+ * See header
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client)
+{
+	private_sasl_plain_t *this;
+
+	if (!streq(get_name(NULL), name))
+	{
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.sasl = {
+				.get_name = _get_name,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	if (client)
+	{
+		this->public.sasl.build = _build_client;
+		this->public.sasl.process = _process_client;
+		this->client = client->clone(client);
+	}
+	else
+	{
+		this->public.sasl.build = _build_server;
+		this->public.sasl.process = _process_server;
+	}
+	return &this->public;
+}
diff --git a/src/libpttls/sasl/sasl_plain/sasl_plain.h b/src/libpttls/sasl/sasl_plain/sasl_plain.h
new file mode 100644
index 000000000..08b7fc76f
--- /dev/null
+++ b/src/libpttls/sasl/sasl_plain/sasl_plain.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2013 Martin Willi
+ * Copyright (C) 2013 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup sasl_plain sasl_plain
+ * @{ @ingroup sasl
+ */
+
+#ifndef SASL_PLAIN_H_
+#define SASL_PLAIN_H_
+
+#include <sasl/sasl_mechanism.h>
+
+typedef struct sasl_plain_t sasl_plain_t;
+
+/**
+ * SASL Mechanism implementing PLAIN.
+ */
+struct sasl_plain_t {
+
+	/**
+	 * Implements sasl_mechanism_t
+	 */
+	sasl_mechanism_t sasl;
+};
+
+/**
+ * Create a sasl_plain instance.
+ *
+ * @param name			name of mechanism, must be "PLAIN"
+ * @param client		client identity, NULL to act as server
+ * @return				mechanism implementing PLAIN, NULL on error
+ */
+sasl_plain_t *sasl_plain_create(char *name, identification_t *client);
+
+#endif /** SASL_PLAIN_H_ @}*/