author | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:03:59 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:30:17 +0200 |
commit | 8404fb0212f9fb77bc53b23004b829b488430700 (patch) | |
tree | 23876c7540d138f58a6a7d90793ccf9004f6afd2 /src/libimcv | |
parent | 1b7c683a32c62b6e08ad7bf5af39b9f4edd634f3 (diff) | |
download | vyos-strongswan-8404fb0212f9fb77bc53b23004b829b488430700.tar.gz vyos-strongswan-8404fb0212f9fb77bc53b23004b829b488430700.zip |
Imported Upstream version 5.3.0
Diffstat (limited to 'src/libimcv')
34 files changed, 514 insertions, 177 deletions
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am index d9a5cd50d..a61382723 100644 --- a/src/libimcv/Makefile.am +++ b/src/libimcv/Makefile.am @@ -127,7 +127,8 @@ imv_policy_manager_SOURCES = \ imv/imv_policy_manager.c \ imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c imv_policy_manager_LDADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la #imv/imv_policy_manager.o : $(top_builddir)/config.status SUBDIRS = . diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index 239e62a17..03778a22c 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -237,7 +237,8 @@ am_imv_policy_manager_OBJECTS = imv/imv_policy_manager.$(OBJEXT) \ imv/imv_policy_manager_usage.$(OBJEXT) imv_policy_manager_OBJECTS = $(am_imv_policy_manager_OBJECTS) imv_policy_manager_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la SCRIPTS = $(ipsec_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) @@ -395,6 +396,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -455,10 +457,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ 
@@ -532,6 +536,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -708,7 +714,8 @@ imv_policy_manager_SOURCES = \ imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c imv_policy_manager_LDADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la #imv/imv_policy_manager.o : $(top_builddir)/config.status SUBDIRS = . $(am__append_3) $(am__append_4) $(am__append_5) \ diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index 425748f59..ff6191117 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -323,6 +323,71 @@ INSERT INTO products ( /* 54 */ 'Debian 7.6 armv6l' ); +INSERT INTO products ( /* 55 */ + name +) VALUES ( + 'Debian 7.7 i686' +); + +INSERT INTO products ( /* 56 */ + name +) VALUES ( + 'Debian 7.7 x86_64' +); +INSERT INTO products ( /* 57 */ + name +) VALUES ( + 'Debian 7.7 armv6l' +); + +INSERT INTO products ( /* 58 */ + name +) VALUES ( + 'Debian 7.8 i686' +); + +INSERT INTO products ( /* 59 */ + name +) VALUES ( + 'Debian 7.8 x86_64' +); + +INSERT INTO products ( /* 60 */ + name +) VALUES ( + 'Debian 7.8 armv6l' +); + +INSERT INTO products ( /* 61 */ + name +) VALUES ( + 'Ubuntu 14.10 i686' +); + +INSERT INTO products ( /* 62 */ + name +) VALUES ( + 'Ubuntu 14.10 x86_64' +); + +INSERT INTO products ( /* 63 */ + name +) VALUES ( + 'Android 5.0' +); + +INSERT INTO products ( /* 64 */ + name +) VALUES ( + 'Android 5.0.1' +); + +INSERT INTO products ( /* 65 */ + name +) VALUES ( + 'Debian 7.8 armv7l' +); + /* Directories */ INSERT INTO directories ( /* 1 */ 
@@ -741,6 +806,18 @@ INSERT INTO groups ( /* 14 */ 'Debian armv6l', 2 ); +INSERT INTO groups ( /* 15 */ + name, parent +) VALUES ( + 'Debian armv7l', 2 +); + +INSERT INTO groups ( /* 16 */ + name +) VALUES ( + 'TPM TBOOT' +); + /* Default Product Groups */ INSERT INTO groups_product_defaults ( @@ -800,6 +877,18 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 4, 55 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 58 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 5, 2 ); @@ -854,6 +943,18 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 5, 56 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 59 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 6, 9 ); @@ -902,6 +1003,12 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 6, 61 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 7, 8 ); @@ -956,6 +1063,12 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 7, 62 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 3, 21 ); @@ -1016,6 +1129,18 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 3, 63 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 64 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 3, 51 ); 
@@ -1061,6 +1186,24 @@ INSERT INTO groups_product_defaults ( 14, 54 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 57 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 60 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 15, 65 +); + /* Policies */ INSERT INTO policies ( /* 1 */ @@ -1189,6 +1332,12 @@ INSERT INTO policies ( /* 21 */ 16, 'TPM BIOS/IMA Measurements', 'BI', 2, 2 ); +INSERT INTO policies ( /* 22 */ + type, name, argument, rec_fail, rec_noresult +) VALUES ( + 16, 'TPM TBOOT Measurements', 'T', 2, 2 +); + /* Enforcements */ INSERT INTO enforcements ( /* 1 */ @@ -1293,6 +1442,12 @@ INSERT INTO enforcements ( /* 17 */ 21, 13, 60 ); +INSERT INTO enforcements ( /* 18 */ + policy, group_id, max_age +) VALUES ( + 22, 16, 60 +); + /* swid_entities */ INSERT INTO "swid_entities" ( /* 1 */ diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index 6b24f4b28..d0508624d 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -412,14 +412,10 @@ METHOD(imv_agent_t, create_state, TNC_Result, { TNC_ConnectionID conn_id; char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL; - bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE; + bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE; linked_list_t *ar_identities; - enumerator_t *enumerator; - tncif_identity_t *tnc_id; imv_session_t *session; uint32_t max_msg_len; - uint32_t ar_id_type = TNC_ID_UNKNOWN; - chunk_t ar_id_value = chunk_empty; conn_id = state->get_connection_id(state); if (find_connection(this, conn_id)) 
@@ -431,15 +427,24 @@ METHOD(imv_agent_t, create_state, TNC_Result, } /* Get and display attributes from TNCS via IF-IMV */ - has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES); - has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE); - has_soh = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH); - tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); - tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION); - t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL); - t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION); - max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE); - ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES); + has_long = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_LONG_TYPES); + has_excl = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_EXCLUSIVE); + has_soh = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_SOH); + tnccs_p = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); + tnccs_v = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFTNCCS_VERSION); + t_p = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFT_PROTOCOL); + t_v = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFT_VERSION); + max_msg_len = get_uint_attribute(this, conn_id, + TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE); + ar_identities = get_identity_attribute(this, conn_id, + TNC_ATTRIBUTEID_AR_IDENTITIES); state->set_flags(state, has_long, has_excl); state->set_max_msg_len(state, max_msg_len); 
@@ -451,48 +456,9 @@ METHOD(imv_agent_t, create_state, TNC_Result, DBG2(DBG_IMV, " over %s %s with maximum PA-TNC message size of %u bytes", t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len); - enumerator = ar_identities->create_enumerator(ar_identities); - while (enumerator->enumerate(enumerator, &tnc_id)) - { - pen_type_t id_type, subject_type, auth_type; - uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; - chunk_t id_value; - - id_type = tnc_id->get_identity_type(tnc_id); - id_value = tnc_id->get_identity_value(tnc_id); - subject_type = tnc_id->get_subject_type(tnc_id); - auth_type = tnc_id->get_auth_type(tnc_id); - - tcg_id_type = (id_type.vendor_id == PEN_TCG) ? - id_type.type : TNC_ID_UNKNOWN; - tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ? - subject_type.type : TNC_SUBJECT_UNKNOWN; - tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ? - auth_type.type : TNC_AUTH_UNKNOWN; - - - DBG2(DBG_IMV, " %N AR identity '%.*s' authenticated by %N", - TNC_Subject_names, tcg_subject_type, - id_value.len, id_value.ptr, - TNC_Authentication_names, tcg_auth_type); - - /* keep the first access requestor ID */ - if (first) - { - ar_id_type = tcg_id_type; - ar_id_value = id_value; - first = FALSE; - } - } - enumerator->destroy(enumerator); - - session = imcv_sessions->add_session(imcv_sessions, conn_id, - ar_id_type, ar_id_value); + session = imcv_sessions->add_session(imcv_sessions, conn_id, ar_identities); state->set_session(state, session); - /* clean up temporary variables */ - ar_identities->destroy_offset(ar_identities, - offsetof(tncif_identity_t, destroy)); free(tnccs_p); free(tnccs_v); free(t_p); diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c index 0c4bb7514..0a18cd71b 100644 --- a/src/libimcv/imv/imv_database.c +++ b/src/libimcv/imv/imv_database.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -22,6 +22,8 @@ #include "imv_database.h" +#include <tncif_identity.h> + #include <utils/debug.h> #include <threading/mutex.h> @@ -60,41 +62,14 @@ METHOD(imv_database_t, get_database, database_t*, */ static bool create_session(private_imv_database_t *this, imv_session_t *session) { - enumerator_t *e; + enumerator_t *enumerator, *e; imv_os_info_t *os_info; - chunk_t device_id, ar_id_value; + chunk_t device_id; + tncif_identity_t *tnc_id; TNC_ConnectionID conn_id; - uint32_t ar_id_type; char *product, *device; - int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created; - - ar_id_value = session->get_ar_id(session, &ar_id_type); - if (ar_id_value.len) - { - /* get primary key of AR identity if it exists */ - e = this->db->query(this->db, - "SELECT id FROM identities WHERE type = ? AND value = ?", - DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT); - if (e) - { - e->enumerate(e, &ar_id); - e->destroy(e); - } - - /* if AR identity has not been found - register it */ - if (!ar_id) - { - this->db->execute(this->db, &ar_id, - "INSERT INTO identities (type, value) VALUES (?, ?)", - DB_INT, ar_id_type, DB_BLOB, ar_id_value); - } - - if (!ar_id) - { - DBG1(DBG_IMV, "imv_db: registering access requestor failed"); - return FALSE; - } - } + int session_id = 0, pid = 0, did = 0, trusted = 0, created; + bool first = TRUE, success = TRUE; /* get product info string */ os_info = session->get_os_info(session); 
@@ -170,10 +145,9 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session) created = session->get_creation_time(session); conn_id = session->get_connection_id(session); this->db->execute(this->db, &session_id, - "INSERT INTO sessions (time, connection, identity, product, device) " - "VALUES (?, ?, ?, ?, ?)", - DB_INT, created, DB_INT, conn_id, DB_INT, ar_id, - DB_INT, pid, DB_INT, did); + "INSERT INTO sessions (time, connection, product, device) " + "VALUES (?, ?, ?, ?)", + DB_INT, created, DB_INT, conn_id, DB_INT, pid, DB_INT, did); if (session_id) { 
@@ -187,7 +161,68 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session) } session->set_session_id(session, session_id, pid, did); - return TRUE; + enumerator = session->create_ar_identities_enumerator(session); + while (enumerator->enumerate(enumerator, &tnc_id)) + { + pen_type_t ar_id_type; + chunk_t ar_id_value; + int ar_id = 0, si_id = 0; + + ar_id_type = tnc_id->get_identity_type(tnc_id); + ar_id_value = tnc_id->get_identity_value(tnc_id); + + if (ar_id_type.vendor_id != PEN_TCG || ar_id_value.len == 0) + { + continue; + } + + /* get primary key of AR identity if it exists */ + e = this->db->query(this->db, + "SELECT id FROM identities WHERE type = ? AND value = ?", + DB_INT, ar_id_type.type, DB_BLOB, ar_id_value, DB_INT); + if (e) + { + e->enumerate(e, &ar_id); + e->destroy(e); + } + + /* if AR identity has not been found - register it */ + if (!ar_id) + { + this->db->execute(this->db, &ar_id, + "INSERT INTO identities (type, value) VALUES (?, ?)", + DB_INT, ar_id_type.type, DB_BLOB, ar_id_value); + } + if (!ar_id) + { + DBG1(DBG_IMV, "imv_db: registering access requestor failed"); + success = FALSE; + break; + } + + this->db->execute(this->db, &si_id, + "INSERT INTO sessions_identities (session_id, identity_id) " + "VALUES (?, ?)", + DB_INT, session_id, DB_INT, ar_id); + + if (!si_id) + { + DBG1(DBG_IMV, "imv_db: assigning identity to session failed"); + success = FALSE; + break; + } + + if (first) + { + this->db->execute(this->db, NULL, + "UPDATE sessions SET identity = ? WHERE id = ?", + DB_INT, ar_id, DB_INT, session_id); + first = FALSE; + } + } + enumerator->destroy(enumerator); + + return success; } static bool add_workitems(private_imv_database_t *this, imv_session_t *session) diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c index 50f7f2e39..9f7e4e8f4 100644 --- a/src/libimcv/imv/imv_policy_manager.c +++ b/src/libimcv/imv/imv_policy_manager.c 
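Review bot: A failure inside the new identity loop returns `FALSE` after `INSERT INTO sessions` has already committed a session row, so the caller sees a failed create_session while a half-populated session (and possibly some `sessions_identities` rows) remains in the database; the comment above the loop should say so, or the row should be removed on the `break` paths. The loop also treats a zero `si_id` from `INSERT INTO sessions_identities` as fatal, and with the `UNIQUE (session_id, identity_id)` constraint added in tables.sql a repeated (type, value) in the identity list — if the TNCS can deliver one — would turn a benign duplicate into a failed session; a `SELECT` on `sessions_identities` before the insert, or a `continue` on a duplicate, avoids that. Finally, the function is now well over a hundred lines; the identity registration is a natural `static bool add_ar_identities(private_imv_database_t *this, imv_session_t *session, int session_id)` helper with a one-line purpose comment. create_session begins outside this hunk.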
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -19,6 +19,8 @@ #include <library.h> #include <utils/debug.h> +#include <tncif_names.h> + #include <stdlib.h> #include <stdio.h> #include <time.h> @@ -251,9 +253,12 @@ static bool policy_start(database_t *db, int session_id) static bool policy_stop(database_t *db, int session_id) { enumerator_t *e; - int rec, policy; - char *result; + int rec, policy, final_rec, id_type; + chunk_t id_value; + char *result, *ip_address = NULL; + bool success = TRUE; + /* store all workitem results for this session in the results table */ e = db->query(db, "SELECT w.rec_final, w.result, e.policy FROM workitems AS w " "JOIN enforcements AS e ON w.enforcement = e.id " 
@@ -270,9 +275,68 @@ static bool policy_stop(database_t *db, int session_id) } e->destroy(e); } - return db->execute(db, NULL, - "DELETE FROM workitems WHERE session = ?", - DB_UINT, session_id) >= 0; + else + { + success = FALSE; + } + + /* delete all workitems for this session from the database */ + if (db->execute(db, NULL, + "DELETE FROM workitems WHERE session = ?", + DB_UINT, session_id) < 0) + { + success = FALSE; + } + + final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION; + + /* retrieve the final recommendation for this session */ + e = db->query(db, + "SELECT rec FROM sessions WHERE id = ?", + DB_INT, session_id, DB_INT); + if (e) + { + if (!e->enumerate(e, &final_rec)) + { + success = FALSE; + } + e->destroy(e); + } + else + { + success = FALSE; + } + + /* retrieve client IP address for this session */ + e = db->query(db, + "SELECT i.type, i.value FROM identities AS i " + "JOIN sessions_identities AS si ON si.identity_id = i.id " + "WHERE si.session_id = ? AND (i.type = ? OR i.type = ?)", + DB_INT, session_id, DB_INT, TNC_ID_IPV4_ADDR, DB_INT, + TNC_ID_IPV6_ADDR, DB_INT, DB_BLOB); + if (e) + { + if (e->enumerate(e, &id_type, &id_value)) + { + ip_address = strndup(id_value.ptr, id_value.len); + } + else + { + success = FALSE; + } + e->destroy(e); + } + else + { + success = FALSE; + } + + fprintf(stderr, "recommendation for access requestor %s is %N\n", + ip_address ? ip_address : "0.0.0.0", + TNC_IMV_Action_Recommendation_names, final_rec); + free(ip_address); + + return success; } int main(int argc, char *argv[]) diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c index 1f0d8cf14..bc6b5a8d1 100644 --- a/src/libimcv/imv/imv_session.c +++ b/src/libimcv/imv/imv_session.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
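Review bot: A session that has no IPv4/IPv6 identity makes policy_stop return `FALSE`: when the identities query yields no row, `e->enumerate` returns FALSE and `success = FALSE` is set, although the code already handles the missing address by printing `0.0.0.0`. Only a NULL enumerator (a failed query) should clear `success`; an empty result should leave it alone, so drop the `else { success = FALSE; }` that follows the `ip_address = strndup(id_value.ptr, id_value.len);` branch. `id_type` is read but never used, and `strndup` on a `DB_BLOB` value assumes the stored identity is printable text without embedded NULs — presumably true for the address identity types selected, but worth a one-line comment. When both an IPv4 and an IPv6 identity are present the first enumerated row is picked arbitrarily; an `ORDER BY i.type` would make the output deterministic.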
@@ -15,6 +15,8 @@ #include "imv_session.h" +#include <tncif_identity.h> + #include <utils/debug.h> typedef struct private_imv_session_t private_imv_session_t; @@ -55,14 +57,9 @@ struct private_imv_session_t { time_t created; /** - * Access Requestor ID type - */ - uint32_t ar_id_type; - - /** - * Access Requestor ID value + * List of Access Requestor identities */ - chunk_t ar_id_value; + linked_list_t *ar_identities; /** * OS information @@ -130,14 +127,10 @@ METHOD(imv_session_t, get_creation_time, time_t, return this->created; } -METHOD(imv_session_t, get_ar_id, chunk_t, - private_imv_session_t *this, uint32_t *ar_id_type) +METHOD(imv_session_t, create_ar_identities_enumerator, enumerator_t*, + private_imv_session_t *this) { - if (ar_id_type) - { - *ar_id_type = this->ar_id_type; - } - return this->ar_id_value; + return this->ar_identities->create_enumerator(this->ar_identities); } METHOD(imv_session_t, get_os_info, imv_os_info_t*, @@ -256,7 +249,8 @@ METHOD(imv_session_t, destroy, void, this->workitems->destroy_offset(this->workitems, offsetof(imv_workitem_t, destroy)); this->os_info->destroy(this->os_info); - free(this->ar_id_value.ptr); + this->ar_identities->destroy_offset(this->ar_identities, + offsetof(tncif_identity_t, destroy)); free(this->device_id.ptr); free(this); } @@ -266,7 +260,7 @@ METHOD(imv_session_t, destroy, void, * See header */ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, - uint32_t ar_id_type, chunk_t ar_id_value) + linked_list_t *ar_identities) { private_imv_session_t *this; @@ -276,7 +270,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, .get_session_id = _get_session_id, .get_connection_id = _get_connection_id, .get_creation_time = _get_creation_time, - .get_ar_id = _get_ar_id, + .create_ar_identities_enumerator = _create_ar_identities_enumerator, .get_os_info = _get_os_info, .set_device_id = _set_device_id, .get_device_id = _get_device_id, 
@@ -293,8 +287,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, }, .conn_id = conn_id, .created = created, - .ar_id_type = ar_id_type, - .ar_id_value = chunk_clone(ar_id_value), + .ar_identities = ar_identities, .os_info = imv_os_info_create(), .workitems = linked_list_create(), .ref = 1, diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h index 42b9118a6..107716f30 100644 --- a/src/libimcv/imv/imv_session.h +++ b/src/libimcv/imv/imv_session.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -70,12 +70,11 @@ struct imv_session_t { time_t (*get_creation_time)(imv_session_t *this); /** - * Get Access Requestor ID + * Get list of Access Requestor identities * - * @param id_type Access Requestor TCG Standard ID Type - * @return Access Requestor TCG Standard ID Value + * @return List of Access Requestor identities */ - chunk_t (*get_ar_id)(imv_session_t *this, uint32_t *id_type); + enumerator_t* (*create_ar_identities_enumerator)(imv_session_t *this); /** * Get OS Information @@ -172,10 +171,9 @@ struct imv_session_t { * * @param id Associated Connection ID * @param created Session creation time - * @param ar_id_type Access Requestor ID type - * @param ar_id_value Access Requestor ID value + * @param ar_identities List of Access Requestor identities */ imv_session_t* imv_session_create(TNC_ConnectionID id, time_t created, - uint32_t ar_id_type, chunk_t ar_id_value); + linked_list_t *ar_identities); #endif /** IMV_SESSION_H_ @}*/ diff --git a/src/libimcv/imv/imv_session_manager.c b/src/libimcv/imv/imv_session_manager.c index 0fb8de45e..c97602998 100644 --- a/src/libimcv/imv/imv_session_manager.c +++ b/src/libimcv/imv/imv_session_manager.c 
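Review bot: The doc comment for the new `create_ar_identities_enumerator` still describes the old getter — `Get list of Access Requestor identities` / `@return List of Access Requestor identities` — while the method returns an `enumerator_t*`. Suggest `Create an enumerator over the Access Requestor identities` with `@return Enumerator over tncif_identity_t objects, destroyed by the caller`. The `@param ar_identities` line of `imv_session_create` (and the matching line in `imv_session_manager.h`'s `add_session`) should state that the list is adopted: `imv_session_t.destroy` frees it with `destroy_offset`, and `add_session` destroys it itself when the session already exists, so the caller must not touch it after the call.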
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,6 +15,9 @@ #include "imv_session_manager.h" +#include <tncif_names.h> +#include <tncif_identity.h> + #include <threading/mutex.h> typedef struct private_imv_session_manager_t private_imv_session_manager_t; @@ -43,9 +46,10 @@ struct private_imv_session_manager_t { METHOD(imv_session_manager_t, add_session, imv_session_t*, private_imv_session_manager_t *this, TNC_ConnectionID conn_id, - uint32_t ar_id_type, chunk_t ar_id_value) + linked_list_t *ar_identities) { enumerator_t *enumerator; + tncif_identity_t *tnc_id; imv_session_t *current, *session = NULL; time_t created; 
@@ -66,13 +70,43 @@ METHOD(imv_session_manager_t, add_session, imv_session_t*, /* session already exists */ if (session) { + ar_identities->destroy_offset(ar_identities, + offsetof(tncif_identity_t, destroy)); this->mutex->unlock(this->mutex); return session->get_ref(session); } + /* Output list of Access Requestor identities */ + enumerator = ar_identities->create_enumerator(ar_identities); + while (enumerator->enumerate(enumerator, &tnc_id)) + { + pen_type_t id_type, subject_type, auth_type; + uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; + chunk_t id_value; + + id_type = tnc_id->get_identity_type(tnc_id); + id_value = tnc_id->get_identity_value(tnc_id); + subject_type = tnc_id->get_subject_type(tnc_id); + auth_type = tnc_id->get_auth_type(tnc_id); + + tcg_id_type = (subject_type.vendor_id == PEN_TCG) ? + id_type.type : TNC_SUBJECT_UNKNOWN; + tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ? + subject_type.type : TNC_SUBJECT_UNKNOWN; + tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ? + auth_type.type : TNC_AUTH_UNKNOWN; + + DBG2(DBG_IMV, " %N AR identity '%.*s' of type %N authenticated by %N", + TNC_Subject_names, tcg_subject_type, + id_value.len, id_value.ptr, + TNC_Identity_names, tcg_id_type, + TNC_Authentication_names, tcg_auth_type); + } + enumerator->destroy(enumerator); + /* create a new session entry */ created = time(NULL); - session = imv_session_create(conn_id, created, ar_id_type, ar_id_value); + session = imv_session_create(conn_id, created, ar_identities); this->sessions->insert_last(this->sessions, session); this->mutex->unlock(this->mutex); diff --git a/src/libimcv/imv/imv_session_manager.h b/src/libimcv/imv/imv_session_manager.h index 8a733accb..cfae23bc9 100644 --- a/src/libimcv/imv/imv_session_manager.h +++ b/src/libimcv/imv/imv_session_manager.h 
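Review bot: The identity-type mapping in the new logging loop tests the wrong vendor and falls back to the wrong constant: `tcg_id_type = (subject_type.vendor_id == PEN_TCG) ? id_type.type : TNC_SUBJECT_UNKNOWN;` should be `tcg_id_type = (id_type.vendor_id == PEN_TCG) ? id_type.type : TNC_ID_UNKNOWN;`, as the code it replaces in imv_agent.c had it. As written, a TCG identity whose subject type is vendor-specific is logged as unknown, and a vendor-specific identity type with a TCG subject is printed through `TNC_Identity_names` with a value from the wrong namespace. add_session's body continues outside the hunk.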
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -39,13 +39,12 @@ struct imv_session_manager_t { * Create or get a session associated with a TNCCS connection * * @param conn_id TNCCS Connection ID - * @param ar_id_type Access Requestor identity type - * @param ar_id_value Access Requestor identity value + * @param ar_identities List of Access Requestor identities * @return Session associated with TNCCS Connection */ imv_session_t* (*add_session)(imv_session_manager_t *this, TNC_ConnectionID conn_id, - uint32_t ar_id_type, chunk_t ar_id_value); + linked_list_t *ar_identities); /** * Remove a session diff --git a/src/libimcv/imv/tables-mysql.sql b/src/libimcv/imv/tables-mysql.sql index 47ee41c86..cf50742c3 100644 --- a/src/libimcv/imv/tables-mysql.sql +++ b/src/libimcv/imv/tables-mysql.sql @@ -99,6 +99,14 @@ CREATE TABLE `sessions` ( `rec` INTEGER DEFAULT 3 ); +DROP TABLE IF EXISTS `sessions_identities`; +CREATE TABLE `sessions_identities` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `session_id` INTEGER NOT NULL REFERENCES `sessions`(`id`), + `identity_id` INTEGER NOT NULL REFERENCES `identities`(`id`), + UNIQUE (`session_id`, `identity_id`) +); + DROP TABLE IF EXISTS `workitems`; CREATE TABLE `workitems` ( `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index f7324896e..5c2a6563b 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql 
@@ -104,6 +104,14 @@ CREATE TABLE sessions ( rec INTEGER DEFAULT 3 ); +DROP TABLE IF EXISTS sessions_identities; +CREATE TABLE sessions_identities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + session_id INTEGER NOT NULL REFERENCES sessions(id), + identity_id INTEGER NOT NULL REFERENCES identities(id), + UNIQUE (session_id, identity_id) +); + DROP TABLE IF EXISTS workitems; CREATE TABLE workitems ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in index 3c5017f32..8ad56181e 100644 --- a/src/libimcv/plugins/imc_attestation/Makefile.in +++ b/src/libimcv/plugins/imc_attestation/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c index 2fc2998e1..f24aec881 100644 --- a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c +++ b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c 
@@ -137,7 +137,11 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, { return FALSE; } - pts->get_my_public_value(pts, &responder_value, &responder_nonce); + if (!pts->get_my_public_value(pts, &responder_value, + &responder_nonce)) + { + return FALSE; + } /* Send DH Nonce Parameters Response attribute */ attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group, @@ -174,8 +178,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, return FALSE; } - pts->set_peer_public_value(pts, initiator_value, initiator_nonce); - if (!pts->calculate_secret(pts)) + + if (!pts->set_peer_public_value(pts, initiator_value, + initiator_nonce) || + !pts->calculate_secret(pts)) { return FALSE; } diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in index 3f4cf41a9..3b7538688 100644 --- a/src/libimcv/plugins/imc_os/Makefile.in +++ b/src/libimcv/plugins/imc_os/Makefile.in @@ -224,6 +224,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in index a192b0a41..7b696896f 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.in 
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in @@ -225,6 +225,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in index f1859a2cb..2847f09b4 100644 --- a/src/libimcv/plugins/imc_swid/Makefile.in +++ b/src/libimcv/plugins/imc_swid/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ 
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in index 3e1d0232f..2048caa4d 100644 --- a/src/libimcv/plugins/imc_test/Makefile.in +++ b/src/libimcv/plugins/imc_test/Makefile.in @@ -224,6 +224,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in index 3ba7c8c88..09a0ab0ce 100644 --- a/src/libimcv/plugins/imv_attestation/Makefile.in +++ b/src/libimcv/plugins/imv_attestation/Makefile.in @@ -236,6 +236,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ 
@@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@
diff --git a/src/libimcv/plugins/imv_attestation/attest_db.c b/src/libimcv/plugins/imv_attestation/attest_db.c
index f85a02b3d..f1a1f923e 100644
--- a/src/libimcv/plugins/imv_attestation/attest_db.c
+++ b/src/libimcv/plugins/imv_attestation/attest_db.c
@@ -849,29 +849,31 @@ METHOD(attest_db_t, list_devices, void,
 {
 enumerator_t *e, *e_ar;
 chunk_t ar_id_value = chunk_empty;
- char *product, *device;
+ char *product, *device, *description;
 time_t timestamp;
- int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0;
+ int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0, trusted;
 int session_id, rec;
 u_int32_t ar_id_type;
 u_int tstamp;
 e = this->db->query(this->db,
- "SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name "
+ "SELECT d.id, d.value, d.trusted, d.description, " "s.id, s.time, s.identity, s.rec, p.name " "FROM devices AS d " "JOIN sessions AS s ON d.id = s.device " "JOIN products AS p ON p.id = s.product "
- "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_UINT,
- DB_INT, DB_INT, DB_TEXT);
+ "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_TEXT,
+ DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT);
 if (e)
 {
- while (e->enumerate(e, &id, &device, &session_id, &tstamp, &ar_id, &rec,
- &product))
+ while (e->enumerate(e, &id, &device, &trusted, &description,
+ &session_id, &tstamp, &ar_id, &rec, &product))
 {
 if (id != last_id)
 {
- printf("%4d: %s - %s\n", id, device, product);
+ printf("%4d: %s %s - %s - %s\n", id, trusted ? "+" : "-",
+ device, product, description);
 device_count++;
 last_id = id;
 }
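Review bot: The new printf in list_devices hands `description` straight to a `%s` conversion; if the devices.description column may be NULL (the schema is not visible here) the DB_TEXT column presumably comes back as a NULL pointer, and printing a NULL through `%s` is undefined behaviour in C even though glibc happens to emit `(null)`. Substituting a fallback on the new argument line, `device, product, description ? description : "");`, keeps the listing robust for devices registered without a description. `trusted` is read with DB_INT and used only as a boolean, so it needs no change. The rest of list_devices, including the `e_ar` session loop, is outside the hunk.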
diff --git a/src/libimcv/plugins/imv_attestation/build-database.sh b/src/libimcv/plugins/imv_attestation/build-database.sh
index ca2939b49..0babb5366 100755
--- a/src/libimcv/plugins/imv_attestation/build-database.sh
+++ b/src/libimcv/plugins/imv_attestation/build-database.sh
@@ -2,7 +2,7 @@
 p="Ubuntu 14.04 x86_64"
 a="x86_64-linux-gnu"
-k="3.13.0-37-generic"
+k="3.13.0-46-generic"
 for hash in sha1 sha256
 do
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
index c39fe8d47..db93ac45f 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
@@ -69,7 +69,11 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
 /* Send DH nonce finish attribute */
 selected_algorithm = pts->get_meas_algorithm(pts);
- pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
+ if (!pts->get_my_public_value(pts, &initiator_value,
+ &initiator_nonce))
+ {
+ return FALSE;
+ }
 attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm, initiator_value, initiator_nonce);
 attr->set_noskip_flag(attr, TRUE);
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
index 89a1f02cf..fbeb6618e 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
@@ -134,11 +134,11 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 }
 responder_value = attr_cast->get_responder_value(attr_cast);
- pts->set_peer_public_value(pts, responder_value,
- responder_nonce);
 /* Calculate secret assessment value */
- if (!pts->calculate_secret(pts))
+ if (!pts->set_peer_public_value(pts, responder_value,
+ responder_nonce) ||
+ !pts->calculate_secret(pts))
 {
 return FALSE;
 }
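Review bot: The new early `return FALSE` in imv_attestation_build after `get_my_public_value` fails leaves no trace in the log, unlike the DH failure path in calculate_secret (pts.c, later in this import) which reports `shared DH secret computation failed`, so an aborted DH nonce exchange would be hard to diagnose from the IMV side. I'd add a `DBG1(DBG_IMV, "could not retrieve own DH public value");` before the return, using whichever debug group this file already uses, since that is not visible in the hunk. The enclosing function starts and ends outside the hunk.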
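Review bot: The context comment `/* Calculate secret assessment value */` now labels a condition that first stores the peer's DH public value and nonce and only then derives the secret, so it describes half of what the new line does. Because responder_value and responder_nonce come from the received attribute, a FALSE from set_peer_public_value means the peer sent a DH value the backend rejected, yet it is indistinguishable from a local failure: both halves of the `||` return FALSE without logging here, and only calculate_secret logs inside pts.c. I'd split the condition so the peer-side rejection gets its own DBG1 (using the debug group the file already uses), as below. imv_attestation_process continues beyond the hunk.
```c
	responder_value = attr_cast->get_responder_value(attr_cast);
	if (!pts->set_peer_public_value(pts, responder_value, responder_nonce))
	{
		DBG1(DBG_IMV, "peer DH public value rejected");
		return FALSE;
	}
	/* Calculate secret assessment value */
	if (!pts->calculate_secret(pts))
	{
		return FALSE;
	}
```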
@@ -198,7 +198,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, e = pts_credmgr->create_trusted_enumerator(pts_credmgr, KEY_ANY, aik->get_issuer(aik), FALSE); - while (e->enumerate(e, &issuer)) + while (e->enumerate(e, &issuer, NULL)) { if (aik->issued_by(aik, issuer, NULL)) { diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in index 36e708fc9..ec3488992 100644 --- a/src/libimcv/plugins/imv_os/Makefile.in +++ b/src/libimcv/plugins/imv_os/Makefile.in @@ -232,6 +232,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in index 2677b339a..08abbf596 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.in +++ b/src/libimcv/plugins/imv_scanner/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ 
@@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in index 815722f9c..936bee86e 100644 --- a/src/libimcv/plugins/imv_swid/Makefile.in +++ b/src/libimcv/plugins/imv_swid/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in index 66da75a1e..8e0e22353 100644 --- a/src/libimcv/plugins/imv_test/Makefile.in +++ b/src/libimcv/plugins/imv_test/Makefile.in 
@@ -225,6 +225,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/pts/components/ita/ita_comp_tboot.c b/src/libimcv/pts/components/ita/ita_comp_tboot.c index 273c18f31..ce318ec84 100644 --- a/src/libimcv/pts/components/ita/ita_comp_tboot.c +++ b/src/libimcv/pts/components/ita/ita_comp_tboot.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -61,11 +61,6 @@ struct pts_ita_comp_tboot_t { int cid; /** - * Primary key for AIK database entry - */ - int kid; - - /** * Component is registering measurements */ bool is_registering; @@ -243,7 +238,7 @@ METHOD(pts_component_t, verify, status_t, else { status = this->pts_db->check_comp_measurement(this->pts_db, - measurement, this->cid, this->kid, + measurement, this->cid, this->aik_id, ++this->seq_no, extended_pcr, algo); if (status != SUCCESS) { diff --git a/src/libimcv/pts/pts.c b/src/libimcv/pts/pts.c index 2fff4c901..1ca72098e 100644 --- a/src/libimcv/pts/pts.c +++ b/src/libimcv/pts/pts.c 
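Review bot: The measurement lookup in verify is now keyed on `this->aik_id`, but none of this file's hunks assigns that field, so its initialisation happens elsewhere in verify or at construction, outside the view. If there is any path on which it can still be 0 when this call is reached — e.g. before the AIK has been looked up in the database — check_comp_measurement would silently compare against a non-existent key, so a guard such as `if (!this->aik_id) { return FAILED; }` ahead of the call, with a DBG1 saying why, is cheap insurance. Dropping the separate `kid` field is sound as far as the visible diff shows, since this call was its only use in the file. verify starts and ends outside the hunk.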
@@ -224,17 +224,24 @@ METHOD(pts_t, create_dh_nonce, bool,
 return TRUE;
 }
-METHOD(pts_t, get_my_public_value, void,
+METHOD(pts_t, get_my_public_value, bool,
 private_pts_t *this, chunk_t *value, chunk_t *nonce)
 {
- this->dh->get_my_public_value(this->dh, value);
+ if (!this->dh->get_my_public_value(this->dh, value))
+ {
+ return FALSE;
+ }
 *nonce = this->is_imc ? this->responder_nonce : this->initiator_nonce;
+ return TRUE;
 }
-METHOD(pts_t, set_peer_public_value, void,
+METHOD(pts_t, set_peer_public_value, bool,
 private_pts_t *this, chunk_t value, chunk_t nonce)
 {
- this->dh->set_other_public_value(this->dh, value);
+ if (!this->dh->set_other_public_value(this->dh, value))
+ {
+ return FALSE;
+ }
 nonce = chunk_clone(nonce);
 if (this->is_imc)
@@ -245,6 +252,7 @@ METHOD(pts_t, set_peer_public_value, void,
 {
 this->responder_nonce = nonce;
 }
+ return TRUE;
 }
 METHOD(pts_t, calculate_secret, bool,
@@ -264,7 +272,7 @@ METHOD(pts_t, calculate_secret, bool,
 DBG3(DBG_PTS, "responder nonce: %B", &this->responder_nonce);
 /* Calculate the DH secret */
- if (this->dh->get_shared_secret(this->dh, &shared_secret) != SUCCESS)
+ if (!this->dh->get_shared_secret(this->dh, &shared_secret))
 {
 DBG1(DBG_PTS, "shared DH secret computation failed");
 return FALSE;
diff --git a/src/libimcv/pts/pts.h b/src/libimcv/pts/pts.h
index be32a3464..d525306dd 100644
--- a/src/libimcv/pts/pts.h
+++ b/src/libimcv/pts/pts.h
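Review bot: set_peer_public_value still stores a fresh `chunk_clone(nonce)` into `this->responder_nonce` or `this->initiator_nonce` on every accepted call, so a second call in the same session leaks the earlier clone and lets the peer replace the nonce that calculate_secret later binds into the assessment secret. Freeing the field about to be overwritten in each branch (`chunk_free(&this->responder_nonce);` before the assignment, and likewise for the initiator side) removes the leak; if the protocol admits only one nonce exchange, returning FALSE when that field already has a `.ptr` would also close the replacement case — the callers are not visible here. Turning both methods into bool is otherwise the right fix, since the void versions ignored a rejected peer value entirely. The `if (this->is_imc)` branches continue in the next hunk.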
@@ -143,16 +143,18 @@ struct pts_t {
 *
 * @param value My public DH value
 * @param nonce My DH nonce
+ * @return TRUE if public value retrieved successfully
 */
- void (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce);
+ bool (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce);
 /**
 * Set peer Diffie.Hellman public value
 *
 * @param value Peer public DH value
 * @param nonce Peer DH nonce
+ * @return TRUE if public value set successfully
 */
- void (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce);
+ bool (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce);
 /**
 * Calculates assessment secret to be used for TPM Quote as ExternalData
diff --git a/src/libimcv/seg/seg_env.c b/src/libimcv/seg/seg_env.c
index c47ce2934..f38419248 100644
--- a/src/libimcv/seg/seg_env.c
+++ b/src/libimcv/seg/seg_env.c
@@ -219,6 +219,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr,
 if (max_seg_size < PA_TNC_ATTR_HEADER_SIZE || max_seg_size >= PA_TNC_ATTR_HEADER_SIZE + value.len)
 {
+ base_attr->destroy(base_attr);
 return NULL;
 }
@@ -233,7 +234,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr,
 .destroy = _destroy,
 },
 .base_attr_id = base_attr_id,
- .base_attr = base_attr->get_ref(base_attr),
+ .base_attr = base_attr,
 .max_seg_size = max_seg_size,
 .data = base_attr->get_value(base_attr),
 );
diff --git a/src/libimcv/seg/seg_env.h b/src/libimcv/seg/seg_env.h
index 08d33d752..611f9a98a 100644
--- a/src/libimcv/seg/seg_env.h
+++ b/src/libimcv/seg/seg_env.h
@@ -98,7 +98,7 @@ struct seg_env_t {
 * Create a PA-TNC attribute segment envelope object
 *
 * @param base_attr_id Base Attribute ID
- * @param base_attr Base Attribute to be segmented
+ * @param base_attr Base Attribute to be segmented, owned by seg_env_t
 * @param max_seg_size Maximum segment size
 */
 seg_env_t* seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr,
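Review bot: The new `@return` lines only say "if ... successfully"; for set_peer_public_value the contract a caller actually needs, visible in pts.c in this same import, is that FALSE means the DH backend rejected the peer's public value and the nonce is then not stored, so the object must not be used for calculate_secret afterwards. I'd expand it to `@return TRUE if the value was accepted by the DH backend, FALSE otherwise (nonce not stored)`. The heading `Set peer Diffie.Hellman public value` has a period where the hyphen belongs: `Diffie-Hellman`.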
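Review bot: The new wording `owned by seg_env_t` covers the success path, but seg_env_create in seg_env.c (the hunk above in this import) also destroys `base_attr` when it returns NULL for an out-of-range `max_seg_size`, which is exactly the case a caller is most likely to get wrong by destroying it again. I'd make the parameter line explicit, `@param base_attr Base Attribute to be segmented, owned by seg_env_t (destroyed even if NULL is returned)`, and add `@return seg_env_t object, NULL if max_seg_size is out of range`, since the function returns NULL and the visible comment block has no @return at all.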
diff --git a/src/libimcv/suites/test_imcv_seg.c b/src/libimcv/suites/test_imcv_seg.c
index 469b1110d..8b51eda05 100644
--- a/src/libimcv/suites/test_imcv_seg.c
+++ b/src/libimcv/suites/test_imcv_seg.c
@@ -64,10 +64,11 @@ START_TEST(test_imcv_seg_env)
 libimcv_init(FALSE);
 max_seg_size = seg_env_tests[_i].max_seg_size;
 last_seg_size = seg_env_tests[_i].last_seg_size;
+ base_attr = ita_attr_command_create(command); base_attr->build(base_attr); - seg_env = seg_env_create(id, base_attr, max_seg_size); + if (seg_env_tests[_i].next_segs == 0)
 {
 ck_assert(seg_env == NULL);
@@ -156,7 +157,6 @@ START_TEST(test_imcv_seg_env)
 seg_env1->destroy(seg_env1);
 base_attr1->destroy(base_attr1);
 }
- base_attr->destroy(base_attr);
 libimcv_deinit();
 }
 END_TEST
@@ -226,7 +226,6 @@ START_TEST(test_imcv_seg_env_special)
 /* cleanup */
 attr->destroy(attr);
 seg_env->destroy(seg_env);
- base_attr->destroy(base_attr);
 }
 END_TEST
@@ -306,7 +305,8 @@ START_TEST(test_imcv_seg_contract)
 TRUE, issuer_id, FALSE);
 contract_r = seg_contract_create(msg_type, max_attr_size, max_seg_size, FALSE, issuer_id, TRUE);
- attr = contract_r->first_segment(contract_r, base_attr_r);
+ attr = contract_r->first_segment(contract_r,
+ base_attr_r->get_ref(base_attr_r));
 if (seg_env_tests[_i].next_segs == 0)
 {
@@ -422,8 +422,8 @@ START_TEST(test_imcv_seg_contract_special)
 ck_assert(!oversize);
 /* get first segment of each base attribute */
- attr1_f = contract_r->first_segment(contract_r, base_attr1_r);
- attr2_f = contract_r->first_segment(contract_r, base_attr2_r);
+ attr1_f = contract_r->first_segment(contract_r, base_attr1_r->get_ref(base_attr1_r));
+ attr2_f = contract_r->first_segment(contract_r, base_attr2_r->get_ref(base_attr2_r));
 ck_assert(attr1_f);
 ck_assert(attr2_f);
 seg_env_attr1 = (tcg_seg_attr_seg_env_t*)attr1_f;
diff --git a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c
index 5b4cc273b..397882926 100644
--- a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c
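Review bot: The two rewritten `first_segment` calls in test_imcv_seg_contract_special run well past the line width the rest of this file keeps, and the `@@ -306` hunk just above wraps the identical call as `attr = contract_r->first_segment(contract_r,` / `base_attr_r->get_ref(base_attr_r));`; wrapping `attr1_f`/`attr2_f` the same way keeps the file consistent. The added `get_ref` calls are presumably needed because the segment envelope now takes ownership of the attribute (per the seg_env.c hunk in this import), so the tests' later use of `base_attr1_r`/`base_attr2_r` outside the hunk stays valid. In the first hunk, the dropped final `base_attr->destroy(base_attr)` matches that ownership change, so nothing is leaked there as far as the visible lines show.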
+++ b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c
@@ -242,6 +242,8 @@ METHOD(pa_tnc_attr_t, process, status_t,
 this->count--;
 }
+ status = SUCCESS;
+
 if (this->length != this->offset)
 {
 DBG1(DBG_TNC, "inconsistent length for %N/%N", pen_names, PEN_TCG,
@@ -249,7 +251,6 @@ METHOD(pa_tnc_attr_t, process, status_t,
 *offset = this->offset;
 status = FAILED;
 }
- status = SUCCESS;
 end:
 reader->destroy(reader);
|
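Review bot: The fix is right — the old unconditional `status = SUCCESS` after the length check turned a `length != offset` attribute into a success — but by the time the check runs the loop above (mostly outside the hunk) has already consumed `this->count` entries from the reader, so a FAILED return leaves the attribute partially populated; whether the caller discards it on FAILED is not visible here. A one-line comment on the new assignment would stop the next reader from moving it back down: `/* all entries parsed; the value must end exactly here, else FAILED below */`. Since this attribute is peer-supplied, a unit test feeding a file-measurement attribute whose length field disagrees with its payload and asserting FAILED would pin the regression. process starts outside the hunk.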